*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.178 2002/06/11 23:03:54 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.193 2003/05/15 13:52:10 djm Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
/* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
Default value is AF_UNSPEC means both IPv4 and IPv6. */
-#ifdef IPV4_DEFAULT
-int IPv4or6 = AF_INET;
-#else
int IPv4or6 = AF_UNSPEC;
-#endif
/* Flag indicating whether debug mode is on. This can be set on the command line. */
int debug_flag = 0;
/* # of replies received for global requests */
static int client_global_request_id = 0;
+/* pid of proxycommand child process */
+pid_t proxy_command_pid = 0;
+
/* Prints a help message to the user. This function never returns. */
static void
fprintf(stderr, " -v Verbose; display verbose debugging messages.\n");
fprintf(stderr, " Multiple -v increases verbosity.\n");
fprintf(stderr, " -V Display version number only.\n");
- fprintf(stderr, " -P Don't allocate a privileged port.\n");
fprintf(stderr, " -q Quiet; don't display any warning messages.\n");
fprintf(stderr, " -f Fork into background after authentication.\n");
fprintf(stderr, " -e char Set escape character; ``none'' = disable (default: ~).\n");
*/
original_real_uid = getuid();
original_effective_uid = geteuid();
+
+ /*
+ * Use uid-swapping to give up root privileges for the duration of
+ * option processing. We will re-instantiate the rights when we are
+ * ready to create the privileged port, and will permanently drop
+ * them when the port has been created (actually, when the connection
+ * has been made, as we may need to create the port several times).
+ */
+ PRIV_END;
#ifdef HAVE_SETRLIMIT
/* If we are installed setuid root be careful to not drop core. */
/* Get user data. */
pw = getpwuid(original_real_uid);
if (!pw) {
- log("You don't exist, go away!");
+ logit("You don't exist, go away!");
exit(1);
}
/* Take a copy of the returned structure. */
pw = pwcopy(pw);
- /*
- * Use uid-swapping to give up root privileges for the duration of
- * option processing. We will re-instantiate the rights when we are
- * ready to create the privileged port, and will permanently drop
- * them when the port has been created (actually, when the connection
- * has been made, as we may need to create the port several times).
- */
- PRIV_END;
-
/*
* Set our umask to something reasonable, as some files are created
* with the default umask. This will make them world-readable but
case 'g':
options.gateway_ports = 1;
break;
- case 'P':
+ case 'P': /* deprecated */
options.use_privileged_port = 0;
break;
case 'a':
/* fallthrough */
case 'V':
fprintf(stderr,
- "%s, SSH protocols %d.%d/%d.%d, OpenSSL 0x%8.8lx\n",
+ "%s, SSH protocols %d.%d/%d.%d, %s\n",
SSH_VERSION,
PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1,
PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
- SSLeay());
+ SSLeay_version(SSLEAY_VERSION));
if (opt == 'V')
exit(0);
break;
case 'L':
case 'R':
- if (sscanf(optarg, "%5[0-9]:%255[^:]:%5[0-9]",
+ if (sscanf(optarg, "%5[0123456789]:%255[^:]:%5[0123456789]",
sfwd_port, buf, sfwd_host_port) != 3 &&
- sscanf(optarg, "%5[0-9]/%255[^/]/%5[0-9]",
+ sscanf(optarg, "%5[0123456789]/%255[^/]/%5[0123456789]",
sfwd_port, buf, sfwd_host_port) != 3) {
fprintf(stderr,
"Bad forwarding specification '%s'\n",
av += optind;
if (ac > 0 && !host && **av != '-') {
- if (strchr(*av, '@')) {
+ if (strrchr(*av, '@')) {
p = xstrdup(*av);
- cp = strchr(p, '@');
+ cp = strrchr(p, '@');
if (cp == NULL || cp == p)
usage();
options.user = p;
host = ++cp;
} else
host = *av;
- ac--, av++;
- if (ac > 0) {
- optind = 0;
- optreset = 1;
+ if (ac > 1) {
+ optind = optreset = 1;
goto again;
}
+ ac--, av++;
}
/* Check that we got a host name. */
if (buffer_len(&command) == 0)
tty_flag = 1;
- /* Force no tty*/
+ /* Force no tty */
if (no_tty_flag)
tty_flag = 0;
/* Do not allocate a tty if stdin is not a tty. */
if (!isatty(fileno(stdin)) && !force_tty_flag) {
if (tty_flag)
- log("Pseudo-terminal will not be allocated because stdin is not a terminal.");
+ logit("Pseudo-terminal will not be allocated because stdin is not a terminal.");
tty_flag = 0;
}
if (options.hostname != NULL)
host = options.hostname;
+ if (options.proxy_command != NULL &&
+ strcmp(options.proxy_command, "none") == 0)
+ options.proxy_command = NULL;
+
/* Disable rhosts authentication if not running as root. */
#ifdef HAVE_CYGWIN
/* Ignore uid if running under Windows */
#else
original_effective_uid == 0 && options.use_privileged_port,
#endif
- options.proxy_command) < 0)
+ options.proxy_command) != 0)
exit(1);
/*
if (options.rhosts_rsa_authentication ||
options.hostbased_authentication) {
sensitive_data.nkeys = 3;
- sensitive_data.keys = xmalloc(sensitive_data.nkeys*sizeof(Key));
+ sensitive_data.keys = xmalloc(sensitive_data.nkeys *
+ sizeof(Key));
PRIV_START;
sensitive_data.keys[0] = key_load_private_type(KEY_RSA1,
_PATH_HOST_RSA_KEY_FILE, "", NULL);
PRIV_END;
- if (sensitive_data.keys[0] == NULL &&
+ if (options.hostbased_authentication == 1 &&
+ sensitive_data.keys[0] == NULL &&
sensitive_data.keys[1] == NULL &&
sensitive_data.keys[2] == NULL) {
sensitive_data.keys[1] = key_load_public(
exit_status = compat20 ? ssh_session2() : ssh_session();
packet_close();
+
+ /*
+ * Send SIGHUP to proxy command if used. We don't wait() in
+ * case it hangs and instead rely on init to reap the child
+ */
+ if (proxy_command_pid > 1)
+ kill(proxy_command_pid, SIGHUP);
+
return exit_status;
}
FILE *f;
int got_data = 0, i;
char *display;
+ struct stat st;
*_proto = proto;
*_data = data;
proto[0] = data[0] = '\0';
- if (options.xauth_location && (display = getenv("DISPLAY"))) {
+ if (!options.xauth_location ||
+ (stat(options.xauth_location, &st) == -1)) {
+ debug("No xauth program.");
+ } else {
+ if ((display = getenv("DISPLAY")) == NULL) {
+ debug("x11_get_proto: DISPLAY not set");
+ return;
+ }
/* Try to get Xauthority information for the display. */
if (strncmp(display, "localhost:", 10) == 0)
/*
else
snprintf(line, sizeof line, "%s list %.200s 2>"
_PATH_DEVNULL, options.xauth_location, display);
- debug2("x11_get_proto %s", line);
+ debug2("x11_get_proto: %s", line);
f = popen(line, "r");
if (f && fgets(line, sizeof(line), f) &&
sscanf(line, "%*s %511s %511s", proto, data) == 2)
if (!got_data) {
u_int32_t rand = 0;
+ logit("Warning: No xauth data; using fake authentication data for X11 forwarding.");
strlcpy(proto, "MIT-MAGIC-COOKIE-1", sizeof proto);
for (i = 0; i < 16; i++) {
if (i % 4 == 0)
{
if (options.forward_agent) {
/* Clear agent forwarding if we don\'t have an agent. */
- int authfd = ssh_get_authentication_socket();
- if (authfd < 0)
+ if (!ssh_agent_present())
options.forward_agent = 0;
- else
- ssh_close_authentication_socket(authfd);
}
}
if (type == SSH_SMSG_SUCCESS)
packet_start_compression(options.compression_level);
else if (type == SSH_SMSG_FAILURE)
- log("Warning: Remote host refused compression.");
+ logit("Warning: Remote host refused compression.");
else
packet_disconnect("Protocol error waiting for compression response.");
}
interactive = 1;
have_tty = 1;
} else if (type == SSH_SMSG_FAILURE)
- log("Warning: Remote host failed or refused to allocate a pseudo tty.");
+ logit("Warning: Remote host failed or refused to allocate a pseudo tty.");
else
packet_disconnect("Protocol error waiting for pty request response.");
}
if (type == SSH_SMSG_SUCCESS) {
interactive = 1;
} else if (type == SSH_SMSG_FAILURE) {
- log("Warning: Remote host denied X11 forwarding.");
+ logit("Warning: Remote host denied X11 forwarding.");
} else {
packet_disconnect("Protocol error waiting for X11 forwarding");
}
type = packet_read();
packet_check_eom();
if (type != SSH_SMSG_SUCCESS)
- log("Warning: Remote host denied authentication agent forwarding.");
+ logit("Warning: Remote host denied authentication agent forwarding.");
}
/* Initiate port forwardings. */
options.remote_forwards[i].host,
options.remote_forwards[i].host_port);
if (type == SSH2_MSG_REQUEST_FAILURE)
- log("Warning: remote port forwarding failed for listen port %d",
+ logit("Warning: remote port forwarding failed for listen port %d",
options.remote_forwards[i].port);
}
int interactive = 0;
struct termios tio;
- debug("ssh_session2_setup: id %d", id);
+ debug2("ssh_session2_setup: id %d", id);
if (tty_flag) {
struct winsize ws;
c = channel_new(
"session", SSH_CHANNEL_OPENING, in, out, err,
window, packetmax, CHAN_EXTENDED_WRITE,
- xstrdup("client-session"), /*nonblock*/0);
+ "client-session", /*nonblock*/0);
debug3("ssh_session2_open: channel_new: %d", c->self);