- extern char *optarg;
- extern int optind;
- int opt, aux, sock_in, sock_out, newsock, i, pid, on = 1;
- int remote_major, remote_minor;
- int silentrsa = 0;
- struct sockaddr_in sin;
- char buf[100]; /* Must not be larger than remote_version. */
- char remote_version[100]; /* Must be at least as big as buf. */
- int remote_port;
- char *comment;
- FILE *f;
- struct linger linger;
-
- /* Save argv[0]. */
- saved_argv = av;
- if (strchr(av[0], '/'))
- av0 = strrchr(av[0], '/') + 1;
- else
- av0 = av[0];
-
- /* Initialize configuration options to their default values. */
- initialize_server_options(&options);
-
- /* Parse command-line arguments. */
- while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqQ")) != EOF)
- {
- switch (opt)
- {
- case 'f':
- config_file_name = optarg;
- break;
- case 'd':
- debug_flag = 1;
- options.log_level = SYSLOG_LEVEL_DEBUG;
- break;
- case 'i':
- inetd_flag = 1;
- break;
- case 'Q':
- silentrsa = 1;
- break;
- case 'q':
- options.log_level = SYSLOG_LEVEL_QUIET;
- break;
- case 'b':
- options.server_key_bits = atoi(optarg);
- break;
- case 'p':
- options.port = atoi(optarg);
- break;
- case 'g':
- options.login_grace_time = atoi(optarg);
- break;
- case 'k':
- options.key_regeneration_time = atoi(optarg);
- break;
- case 'h':
- options.host_key_file = optarg;
- break;
- case '?':
- default:
- fprintf(stderr, "sshd version %s\n", SSH_VERSION);
- fprintf(stderr, "Usage: %s [options]\n", av0);
- fprintf(stderr, "Options:\n");
- fprintf(stderr, " -f file Configuration file (default %s/sshd_config)\n", ETCDIR);
- fprintf(stderr, " -d Debugging mode\n");
- fprintf(stderr, " -i Started from inetd\n");
- fprintf(stderr, " -q Quiet (no logging)\n");
- fprintf(stderr, " -p port Listen on the specified port (default: 22)\n");
- fprintf(stderr, " -k seconds Regenerate server key every this many seconds (default: 3600)\n");
- fprintf(stderr, " -g seconds Grace period for authentication (default: 300)\n");
- fprintf(stderr, " -b bits Size of server RSA key (default: 768 bits)\n");
- fprintf(stderr, " -h file File from which to read host key (default: %s)\n",
- HOST_KEY_FILE);
- exit(1);
- }
- }
-
- /* check if RSA support exists */
- if (rsa_alive() == 0) {
- if (silentrsa == 0)
- printf("sshd: no RSA support in libssl and libcrypto -- exiting. See ssl(8)\n");
- log("no RSA support in libssl and libcrypto -- exiting. See ssl(8)");
- exit(1);
- }
-
- /* Read server configuration options from the configuration file. */
- read_server_config(&options, config_file_name);
-
- /* Fill in default values for those options not explicitly set. */
- fill_default_server_options(&options);
-
- /* Check certain values for sanity. */
- if (options.server_key_bits < 512 ||
- options.server_key_bits > 32768)
- {
- fprintf(stderr, "Bad server key size.\n");
- exit(1);
- }
- if (options.port < 1 || options.port > 65535)
- {
- fprintf(stderr, "Bad port number.\n");
- exit(1);
- }
-
- /* Check that there are no remaining arguments. */
- if (optind < ac)
- {
- fprintf(stderr, "Extra argument %s.\n", av[optind]);
- exit(1);
- }
-
- /* Force logging to stderr while loading the private host key
- unless started from inetd */
- log_init(av0, options.log_level, options.log_facility, !inetd_flag);
-
- debug("sshd version %.100s", SSH_VERSION);
-
- sensitive_data.host_key = RSA_new();
- errno = 0;
- /* Load the host key. It must have empty passphrase. */
- if (!load_private_key(options.host_key_file, "",
- sensitive_data.host_key, &comment))
- {
- error("Could not load host key: %.200s: %.100s",
- options.host_key_file, strerror(errno));
- exit(1);
- }
- xfree(comment);
-
- /* Initialize the log (it is reinitialized below in case we forked). */
- if (debug_flag && !inetd_flag)
- log_stderr = 1;
- log_init(av0, options.log_level, options.log_facility, log_stderr);
-
- /* If not in debugging mode, and not started from inetd, disconnect from
- the controlling terminal, and fork. The original process exits. */
- if (!debug_flag && !inetd_flag)
- {
-#ifdef TIOCNOTTY
- int fd;
-#endif /* TIOCNOTTY */
- if (daemon(0, 0) < 0)
- fatal("daemon() failed: %.200s", strerror(errno));
-
- /* Disconnect from the controlling tty. */
-#ifdef TIOCNOTTY
- fd = open("/dev/tty", O_RDWR|O_NOCTTY);
- if (fd >= 0)
- {
- (void)ioctl(fd, TIOCNOTTY, NULL);
- close(fd);
- }
-#endif /* TIOCNOTTY */
- }
-
- /* Reinitialize the log (because of the fork above). */
- log_init(av0, options.log_level, options.log_facility, log_stderr);
-
- /* Check that server and host key lengths differ sufficiently. This is
- necessary to make double encryption work with rsaref. Oh, I hate
- software patents. I dont know if this can go? Niels */
- if (options.server_key_bits >
- BN_num_bits(sensitive_data.host_key->n) - SSH_KEY_BITS_RESERVED &&
- options.server_key_bits <
- BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED)
- {
- options.server_key_bits =
- BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED;
- debug("Forcing server key to %d bits to make it differ from host key.",
- options.server_key_bits);
- }
-
- /* Do not display messages to stdout in RSA code. */
- rsa_set_verbose(0);
-
- /* Initialize the random number generator. */
- arc4random_stir();
-
- /* Chdir to the root directory so that the current disk can be unmounted
- if desired. */
- chdir("/");
-
- /* Close connection cleanly after attack. */
- cipher_attack_detected = packet_disconnect;
-
- /* Start listening for a socket, unless started from inetd. */
- if (inetd_flag)
- {
- int s1, s2;
- s1 = dup(0); /* Make sure descriptors 0, 1, and 2 are in use. */
- s2 = dup(s1);
- sock_in = dup(0);
- sock_out = dup(1);
- /* We intentionally do not close the descriptors 0, 1, and 2 as our
- code for setting the descriptors won\'t work if ttyfd happens to
- be one of those. */
- debug("inetd sockets after dupping: %d, %d", sock_in, sock_out);
-
- public_key = RSA_new();
- sensitive_data.private_key = RSA_new();
- /* Generate an rsa key. */
- log("Generating %d bit RSA key.", options.server_key_bits);
- rsa_generate_key(sensitive_data.private_key, public_key,
- options.server_key_bits);
- arc4random_stir();
- log("RSA key generation complete.");
- }
- else
- {
- /* Create socket for listening. */
- listen_sock = socket(AF_INET, SOCK_STREAM, 0);
- if (listen_sock < 0)
- fatal("socket: %.100s", strerror(errno));
-
- /* Set socket options. We try to make the port reusable and have it
- close as fast as possible without waiting in unnecessary wait states
- on close. */
- setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
- sizeof(on));
- linger.l_onoff = 1;
- linger.l_linger = 5;
- setsockopt(listen_sock, SOL_SOCKET, SO_LINGER, (void *)&linger,
- sizeof(linger));
-
- /* Initialize the socket address. */
- memset(&sin, 0, sizeof(sin));
- sin.sin_family = AF_INET;
- sin.sin_addr = options.listen_addr;
- sin.sin_port = htons(options.port);
-
- /* Bind the socket to the desired port. */
- if (bind(listen_sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
- {
- error("bind: %.100s", strerror(errno));
- shutdown(listen_sock, SHUT_RDWR);
- close(listen_sock);
- fatal("Bind to port %d failed.", options.port);