- int type;
- int authenticated = 0;
- int authentication_failures = 0;
- char *password = NULL;
- struct passwd *pw, pwcopy;
- char *client_user = NULL;
- unsigned int client_host_key_bits;
- BIGNUM *client_host_key_e, *client_host_key_n;
-
-#ifdef AFS
- /* If machine has AFS, set process authentication group. */
- if (k_hasafs()) {
- k_setpag();
- k_unlog();
- }
-#endif /* AFS */
-
- /* Verify that the user is a valid user. */
- pw = getpwnam(user);
- if (!pw || !allowed_user(pw))
- eat_packets_and_disconnect(user);
-
- /* Take a copy of the returned structure. */
- memset(&pwcopy, 0, sizeof(pwcopy));
- pwcopy.pw_name = xstrdup(pw->pw_name);
- pwcopy.pw_passwd = xstrdup(pw->pw_passwd);
- pwcopy.pw_uid = pw->pw_uid;
- pwcopy.pw_gid = pw->pw_gid;
- pwcopy.pw_dir = xstrdup(pw->pw_dir);
- pwcopy.pw_shell = xstrdup(pw->pw_shell);
- pw = &pwcopy;
-
-#ifdef HAVE_LIBPAM
- if (PAM_SUCCESS != pam_start("sshd", pw->pw_name, &conv, (pam_handle_t**)&pamh))
- {
- packet_start(SSH_SMSG_FAILURE);
- packet_send();
- packet_write_wait();
- packet_disconnect("PAM initialisation failed.");
- }
-
- fatal_add_cleanup(&pam_cleanup_proc, NULL);
-#endif
-
- /* If we are not running as root, the user must have the same uid as the
- server. */
- if (getuid() != 0 && pw->pw_uid != getuid())
- packet_disconnect("Cannot change user when server not running as root.");
-
- debug("Attempting authentication for %.100s.", user);
-
- /* If the user has no password, accept authentication immediately. */
- if (options.password_authentication &&
-#ifdef KRB4
- (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
-#endif /* KRB4 */
- auth_password(pw, ""))
- {
- /* Authentication with empty password succeeded. */
- debug("Login for user %.100s accepted without authentication.", user);
- /* authentication_type = SSH_AUTH_PASSWORD; */
- authenticated = 1;
- /* Success packet will be sent after loop below. */
- }
- else
- {
- /* Indicate that authentication is needed. */
- packet_start(SSH_SMSG_FAILURE);
- packet_send();
- packet_write_wait();
- }
-
- /* Loop until the user has been authenticated or the connection is closed. */
- while (!authenticated)
- {
- int plen;
- /* Get a packet from the client. */
- type = packet_read(&plen);
-
- /* Process the packet. */
- switch (type)
- {
-
-#ifdef AFS
- case SSH_CMSG_HAVE_KERBEROS_TGT:
- if (!options.kerberos_tgt_passing)
- {
- /* packet_get_all(); */
- log("Kerberos tgt passing disabled.");
- break;
- }
- else {
- /* Accept Kerberos tgt. */
- int dlen;
- char *tgt = packet_get_string(&dlen);
- packet_integrity_check(plen, 4 + dlen, type);
- if (!auth_kerberos_tgt(pw, tgt))
- debug("Kerberos tgt REFUSED for %s", user);
- xfree(tgt);
- }
- continue;
-
- case SSH_CMSG_HAVE_AFS_TOKEN:
- if (!options.afs_token_passing || !k_hasafs()) {
- /* packet_get_all(); */
- log("AFS token passing disabled.");
- break;
- }
- else {
- /* Accept AFS token. */
- int dlen;
- char *token_string = packet_get_string(&dlen);
- packet_integrity_check(plen, 4 + dlen, type);
- if (!auth_afs_token(user, pw->pw_uid, token_string))
- debug("AFS token REFUSED for %s", user);
- xfree(token_string);
- continue;
- }
-#endif /* AFS */
-
-#ifdef KRB4
- case SSH_CMSG_AUTH_KERBEROS:
- if (!options.kerberos_authentication)
- {
- /* packet_get_all(); */
- log("Kerberos authentication disabled.");
- break;
- }
- else {
- /* Try Kerberos v4 authentication. */
- KTEXT_ST auth;
- char *tkt_user = NULL;
- char *kdata = packet_get_string((unsigned int *)&auth.length);
- packet_integrity_check(plen, 4 + auth.length, type);
-
- if (auth.length < MAX_KTXT_LEN)
- memcpy(auth.dat, kdata, auth.length);
- xfree(kdata);
-
- if (auth_krb4(user, &auth, &tkt_user)) {
- /* Client has successfully authenticated to us. */
- log("Kerberos authentication accepted %s for account "
- "%s from %s", tkt_user, user, get_canonical_hostname());
- /* authentication_type = SSH_AUTH_KERBEROS; */
- authenticated = 1;
- xfree(tkt_user);
- }
- else {
- log("Kerberos authentication failed for account "
- "%s from %s", user, get_canonical_hostname());
- }
- }
- break;
-#endif /* KRB4 */
-
- case SSH_CMSG_AUTH_RHOSTS:
- if (!options.rhosts_authentication)
- {
- log("Rhosts authentication disabled.");
- break;
- }
-
- /* Rhosts authentication (also uses /etc/hosts.equiv). */
- if (!privileged_port)
- {
- log("Rhosts authentication not available for connections from unprivileged port.");
- break;
- }
-
- /* Get client user name. Note that we just have to trust the client;
- this is one reason why rhosts authentication is insecure.
- (Another is IP-spoofing on a local network.) */
- {
- int dlen;
- client_user = packet_get_string(&dlen);
- packet_integrity_check(plen, 4 + dlen, type);
- }
-
- /* Try to authenticate using /etc/hosts.equiv and .rhosts. */
- if (auth_rhosts(pw, client_user, options.ignore_rhosts,
- options.strict_modes))
- {
- /* Authentication accepted. */
- log("Rhosts authentication accepted for %.100s, remote %.100s on %.700s.",
- user, client_user, get_canonical_hostname());
- authenticated = 1;
-#ifndef HAVE_LIBPAM
- xfree(client_user);
-#endif /* HAVE_LIBPAM */
- break;
- }
- log("Rhosts authentication failed for %.100s, remote %.100s.",
- user, client_user);
-#ifndef HAVE_LIBPAM
- xfree(client_user);
-#endif /* HAVE_LIBPAM */
- break;
-
- case SSH_CMSG_AUTH_RHOSTS_RSA:
- if (!options.rhosts_rsa_authentication)
- {
- log("Rhosts with RSA authentication disabled.");
- break;
- }
-
- /* Rhosts authentication (also uses /etc/hosts.equiv) with RSA
- host authentication. */
- if (!privileged_port)
- {
- log("Rhosts authentication not available for connections from unprivileged port.");
- break;
- }
-
- {
- int ulen, elen, nlen;
- /* Get client user name. Note that we just have to trust
- the client; root on the client machine can claim to be
- any user. */
- client_user = packet_get_string(&ulen);
-
- /* Get the client host key. */
- client_host_key_e = BN_new();
- client_host_key_n = BN_new();
- client_host_key_bits = packet_get_int();
- packet_get_bignum(client_host_key_e, &elen);
- packet_get_bignum(client_host_key_n, &nlen);
-
- packet_integrity_check(plen, (4 + ulen) + 4 + elen + nlen, type);
- }
-
- /* Try to authenticate using /etc/hosts.equiv and .rhosts. */
- if (auth_rhosts_rsa(pw, client_user,
- client_host_key_bits, client_host_key_e,
- client_host_key_n, options.ignore_rhosts,
- options.strict_modes))
- {
- /* Authentication accepted. */
- authenticated = 1;
-#ifndef HAVE_LIBPAM
- xfree(client_user);
-#endif /* HAVE_LIBPAM */
- BN_clear_free(client_host_key_e);
- BN_clear_free(client_host_key_n);
- break;
- }
- log("Rhosts authentication failed for %.100s, remote %.100s.",
- user, client_user);
-#ifndef HAVE_LIBPAM
- xfree(client_user);
-#endif /* HAVE_LIBPAM */
- BN_clear_free(client_host_key_e);
- BN_clear_free(client_host_key_n);
- break;
-
- case SSH_CMSG_AUTH_RSA:
- if (!options.rsa_authentication)
- {
- log("RSA authentication disabled.");
- break;
- }
-
- /* RSA authentication requested. */
- {
- int nlen;
- BIGNUM *n;
- n = BN_new();
- packet_get_bignum(n, &nlen);
-
- packet_integrity_check(plen, nlen, type);
-
- if (auth_rsa(pw, n, options.strict_modes))
- {
- /* Successful authentication. */
- BN_clear_free(n);
- log("RSA authentication for %.100s accepted.", user);
- authenticated = 1;
- break;
- }
- BN_clear_free(n);
- log("RSA authentication for %.100s failed.", user);
- }
- break;
-
- case SSH_CMSG_AUTH_PASSWORD:
- if (!options.password_authentication)
- {
- log("Password authentication disabled.");
- break;
- }
-
- /* Password authentication requested. */
- /* Read user password. It is in plain text, but was transmitted
- over the encrypted channel so it is not visible to an outside
- observer. */
- {
- int passw_len;
- password = packet_get_string(&passw_len);
- packet_integrity_check(plen, 4 + passw_len, type);
- }
-
-#ifdef HAVE_LIBPAM
- pampasswd = password;
-
- if (PAM_SUCCESS == pam_authenticate((pam_handle_t *)pamh, 0))
- {
- log("PAM Password authentication accepted for %.100s.", user);
- authenticated = 1;
- break;
- } else
- {
- log("PAM Password authentication for %.100s failed.", user);
- break;
- }
-#else /* HAVE_LIBPAM */
- /* Try authentication with the password. */
- if (auth_password(pw, password))
- {
- /* Successful authentication. */
- /* Clear the password from memory. */
- memset(password, 0, strlen(password));
- xfree(password);
- log("Password authentication for %.100s accepted.", user);
- authenticated = 1;
- break;
- }
- log("Password authentication for %.100s failed.", user);
- memset(password, 0, strlen(password));
- xfree(password);
- break;
-#endif /* HAVE_LIBPAM */
-
- case SSH_CMSG_AUTH_TIS:
- /* TIS Authentication is unsupported */
- log("TIS authentication disabled.");
- break;
-
- default:
- /* Any unknown messages will be ignored (and failure returned)
- during authentication. */
- log("Unknown message during authentication: type %d", type);
- break; /* Respond with a failure message. */
+ extern char *optarg;
+ extern int optind;
+ int opt, sock_in = 0, sock_out = 0, newsock, j, i, fdsetsz, on = 1;
+ pid_t pid;
+ socklen_t fromlen;
+ int silent = 0;
+ fd_set *fdset;
+ struct sockaddr_storage from;
+ const char *remote_ip;
+ int remote_port;
+ FILE *f;
+ struct linger linger;
+ struct addrinfo *ai;
+ char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+ int listen_sock, maxfd;
+ int startup_p[2];
+ int startups = 0;
+
+ init_rng();
+
+ /* Save argv[0]. */
+ saved_argc = ac;
+ saved_argv = av;
+ if (strchr(av[0], '/'))
+ av0 = strrchr(av[0], '/') + 1;
+ else
+ av0 = av[0];
+
+ /* Initialize configuration options to their default values. */
+ initialize_server_options(&options);
+
+ /* Parse command-line arguments. */
+ while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:diqQ46")) != EOF) {
+ switch (opt) {
+ case '4':
+ IPv4or6 = AF_INET;
+ break;
+ case '6':
+ IPv4or6 = AF_INET6;
+ break;
+ case 'f':
+ config_file_name = optarg;
+ break;
+ case 'd':
+ debug_flag = 1;
+ options.log_level = SYSLOG_LEVEL_DEBUG;
+ break;
+ case 'i':
+ inetd_flag = 1;
+ break;
+ case 'Q':
+ silent = 1;
+ break;
+ case 'q':
+ options.log_level = SYSLOG_LEVEL_QUIET;
+ break;
+ case 'b':
+ options.server_key_bits = atoi(optarg);
+ break;
+ case 'p':
+ options.ports_from_cmdline = 1;
+ if (options.num_ports >= MAX_PORTS)
+ fatal("too many ports.\n");
+ options.ports[options.num_ports++] = atoi(optarg);
+ break;
+ case 'g':
+ options.login_grace_time = atoi(optarg);
+ break;
+ case 'k':
+ options.key_regeneration_time = atoi(optarg);
+ break;
+ case 'h':
+ options.host_key_file = optarg;
+ break;
+ case 'V':
+ client_version_string = optarg;
+ /* only makes sense with inetd_flag, i.e. no listen() */
+ inetd_flag = 1;
+ break;
+ case '?':
+ default:
+ fprintf(stderr, "sshd version %s\n", SSH_VERSION);
+ fprintf(stderr, "Usage: %s [options]\n", av0);
+ fprintf(stderr, "Options:\n");
+ fprintf(stderr, " -f file Configuration file (default %s)\n", SERVER_CONFIG_FILE);
+ fprintf(stderr, " -d Debugging mode\n");
+ fprintf(stderr, " -i Started from inetd\n");
+ fprintf(stderr, " -q Quiet (no logging)\n");
+ fprintf(stderr, " -p port Listen on the specified port (default: 22)\n");
+ fprintf(stderr, " -k seconds Regenerate server key every this many seconds (default: 3600)\n");
+ fprintf(stderr, " -g seconds Grace period for authentication (default: 300)\n");
+ fprintf(stderr, " -b bits Size of server RSA key (default: 768 bits)\n");
+ fprintf(stderr, " -h file File from which to read host key (default: %s)\n",
+ HOST_KEY_FILE);
+ fprintf(stderr, " -4 Use IPv4 only\n");
+ fprintf(stderr, " -6 Use IPv6 only\n");
+ exit(1);
+ }