X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/6031af8d4551b54f8c0980018704ef4dcec344d4..383546c4b6c84ea01336f570806c6f03bfd5394b:/ssh.c diff --git a/ssh.c b/ssh.c index 89ced97e..a7fe1408 100644 --- a/ssh.c +++ b/ssh.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.109 2001/04/11 10:59:01 markus Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.127 2001/06/26 20:14:11 markus Exp $"); #include #include @@ -67,6 +67,12 @@ RCSID("$OpenBSD: ssh.c,v 1.109 2001/04/11 10:59:01 markus Exp $"); #include "misc.h" #include "kex.h" #include "mac.h" +#include "sshtty.h" + +#ifdef SMARTCARD +#include +#include "scard.h" +#endif #ifdef HAVE___PROGNAME extern char *__progname; @@ -130,8 +136,11 @@ struct sockaddr_storage hostaddr; */ volatile int received_window_change_signal = 0; -/* Host private key. */ -Key *host_private_key = NULL; +/* Private host keys. */ +struct { + Key **keys; + int nkeys; +} sensitive_data; /* Original real UID. */ uid_t original_real_uid; @@ -142,9 +151,14 @@ Buffer command; /* Should we execute a command or invoke a subsystem? */ int subsystem_flag = 0; +#ifdef SMARTCARD +/* Smartcard reader id */ +int sc_reader_num = -1; +#endif + /* Prints a help message to the user. This function never returns. */ -void +static void usage(void) { fprintf(stderr, "Usage: %s [options] host [command]\n", __progname); @@ -152,12 +166,12 @@ usage(void) fprintf(stderr, " -l user Log in using this user name.\n"); fprintf(stderr, " -n Redirect input from " _PATH_DEVNULL ".\n"); fprintf(stderr, " -A Enable authentication agent forwarding.\n"); - fprintf(stderr, " -a Disable authentication agent forwarding.\n"); + fprintf(stderr, " -a Disable authentication agent forwarding (default).\n"); #ifdef AFS fprintf(stderr, " -k Disable Kerberos ticket and AFS token forwarding.\n"); #endif /* AFS */ fprintf(stderr, " -X Enable X11 connection forwarding.\n"); - fprintf(stderr, " -x Disable X11 connection forwarding.\n"); + fprintf(stderr, " -x Disable X11 connection forwarding (default).\n"); fprintf(stderr, " -i file Identity for public key authentication " "(default: ~/.ssh/identity)\n"); fprintf(stderr, " -t Tty; allocate a tty even if command is given.\n"); @@ -170,17 +184,13 @@ usage(void) fprintf(stderr, " -f Fork into background after authentication.\n"); fprintf(stderr, " -e char Set escape character; ``none'' = disable (default: ~).\n"); - fprintf(stderr, " -c cipher Select encryption algorithm: " - "``3des'', ``blowfish''\n"); + fprintf(stderr, " -c cipher Select encryption algorithm\n"); fprintf(stderr, " -m macs Specify MAC algorithms for protocol version 2.\n"); fprintf(stderr, " -p port Connect to this port. Server must be on the same port.\n"); fprintf(stderr, " -L listen-port:host:port Forward local port to remote address\n"); fprintf(stderr, " -R listen-port:host:port Forward remote port to local address\n"); fprintf(stderr, " These cause %s to listen for connections on a port, and\n", __progname); fprintf(stderr, " forward them to the other side by connecting to host:port.\n"); - fprintf(stderr, " -D port Dynamically forward local port to multiple remote addresses.\n"); - fprintf(stderr, " Allows SSH to act as an application-layer proxy.\n"); - fprintf(stderr, " Protocols Supported: SOCKS4\n"); fprintf(stderr, " -C Enable compression.\n"); fprintf(stderr, " -N Do not execute a shell or command.\n"); fprintf(stderr, " -g Allow remote hosts to connect to forwarded ports.\n"); @@ -190,6 +200,7 @@ usage(void) fprintf(stderr, " -6 Use IPv6 only.\n"); fprintf(stderr, " -o 'option' Process the option as if it was read from a configuration file.\n"); fprintf(stderr, " -s Invoke command (mandatory) as SSH2 subsystem.\n"); + fprintf(stderr, " -b addr Local IP address.\n"); exit(1); } @@ -197,7 +208,7 @@ usage(void) * Connects to the given host using rsh (or prints an error message and exits * if rsh is not available). This function never returns. */ -void +static void rsh_connect(char *host, char *user, Buffer * command) { char *args[10]; @@ -231,9 +242,9 @@ rsh_connect(char *host, char *user, Buffer * command) exit(1); } -int ssh_session(void); -int ssh_session2(void); -void load_public_identity_files(void); +static int ssh_session(void); +static int ssh_session2(void); +static void load_public_identity_files(void); /* * Main program for the ssh client. @@ -243,7 +254,7 @@ main(int ac, char **av) { int i, opt, optind, exit_status, ok; u_short fwd_port, fwd_host_port; - char *optarg, *cp, *endofnumber, buf[256]; + char *optarg, *p, *cp, buf[256]; struct stat st; struct passwd *pw; int dummy; @@ -304,10 +315,12 @@ main(int ac, char **av) if (av[optind][0] != '-') { if (host) break; - if ((cp = strchr(av[optind], '@'))) { - if(cp == av[optind]) + if (strchr(av[optind], '@')) { + p = xstrdup(av[optind]); + cp = strchr(p, '@'); + if(cp == NULL || cp == p) usage(); - options.user = av[optind]; + options.user = p; *cp = '\0'; host = ++cp; } else @@ -317,7 +330,7 @@ main(int ac, char **av) opt = av[optind][1]; if (!opt) usage(); - if (strchr("eilcmpLRDo", opt)) { /* options with arguments */ + if (strchr("eilcmpbILRDo", opt)) { /* options with arguments */ optarg = av[optind] + 2; if (strcmp(optarg, "") == 0) { if (optind >= ac - 1) @@ -384,6 +397,13 @@ main(int ac, char **av) SSH_MAX_IDENTITY_FILES); options.identity_files[options.num_identity_files++] = xstrdup(optarg); break; + case 'I': +#ifdef SMARTCARD + sc_reader_num = atoi(optarg); +#else + fprintf(stderr, "no support for smartcards.\n"); +#endif + break; case 't': if (tty_flag) force_tty_flag = 1; @@ -420,7 +440,7 @@ main(int ac, char **av) else if (strlen(optarg) == 1) options.escape_char = (u_char) optarg[0]; else if (strcmp(optarg, "none") == 0) - options.escape_char = -2; + options.escape_char = SSH_ESCAPECHAR_NONE; else { fprintf(stderr, "Bad escape character '%s'.\n", optarg); exit(1); @@ -456,8 +476,8 @@ main(int ac, char **av) } break; case 'p': - options.port = strtol(optarg, &endofnumber, 0); - if (optarg == endofnumber) { + options.port = a2port(optarg); + if (options.port == 0) { fprintf(stderr, "Bad port '%s'\n", optarg); exit(1); } @@ -489,9 +509,9 @@ main(int ac, char **av) break; case 'D': - fwd_port = strtol(optarg, &endofnumber, 0); - if (optarg == endofnumber) { - fprintf(stderr, "Bad port '%s'\n", optarg); + fwd_port = a2port(optarg); + if (fwd_port == 0) { + fprintf(stderr, "Bad dynamic port '%s'\n", optarg); exit(1); } add_local_forward(&options, fwd_port, "socks4", 0); @@ -516,6 +536,9 @@ main(int ac, char **av) case 's': subsystem_flag = 1; break; + case 'b': + options.bind_address = optarg; + break; default: usage(); } @@ -540,7 +563,7 @@ main(int ac, char **av) /* No command specified - execute shell on a tty. */ tty_flag = 1; if (subsystem_flag) { - fprintf(stderr, "You must specify a subsystem to invoke."); + fprintf(stderr, "You must specify a subsystem to invoke.\n"); usage(); } } else { @@ -575,7 +598,8 @@ main(int ac, char **av) * Initialize "log" output. Since we are the client all output * actually goes to stderr. */ - log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); + log_init(av[0], options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level, + SYSLOG_FACILITY_USER, 1); /* Read per-user configuration file. */ snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, _PATH_SSH_USER_CONFFILE); @@ -644,9 +668,18 @@ main(int ac, char **av) * authentication. This must be done before releasing extra * privileges, because the file is only readable by root. */ - if (ok && (options.protocol & SSH_PROTO_1)) { - host_private_key = key_load_private_type(KEY_RSA1, + sensitive_data.nkeys = 0; + sensitive_data.keys = NULL; + if (ok && (options.rhosts_rsa_authentication || + options.hostbased_authentication)) { + sensitive_data.nkeys = 3; + sensitive_data.keys = xmalloc(sensitive_data.nkeys*sizeof(Key)); + sensitive_data.keys[0] = key_load_private_type(KEY_RSA1, _PATH_HOST_KEY_FILE, "", NULL); + sensitive_data.keys[1] = key_load_private_type(KEY_DSA, + _PATH_HOST_DSA_KEY_FILE, "", NULL); + sensitive_data.keys[2] = key_load_private_type(KEY_RSA, + _PATH_HOST_RSA_KEY_FILE, "", NULL); } /* * Get rid of any extra privileges that we may have. We will no @@ -705,18 +738,28 @@ main(int ac, char **av) tilde_expand_filename(options.user_hostfile2, original_real_uid); /* Log into the remote system. This never returns if the login fails. */ - ssh_login(host_private_key, host, (struct sockaddr *)&hostaddr, pw); - - /* We no longer need the host private key. Clear it now. */ - if (host_private_key != NULL) - key_free(host_private_key); /* Destroys contents safely */ + ssh_login(sensitive_data.keys, sensitive_data.nkeys, + host, (struct sockaddr *)&hostaddr, pw); + + /* We no longer need the private host keys. Clear them now. */ + if (sensitive_data.nkeys != 0) { + for (i = 0; i < sensitive_data.nkeys; i++) { + if (sensitive_data.keys[i] != NULL) { + /* Destroys contents safely */ + debug3("clear hostkey %d", i); + key_free(sensitive_data.keys[i]); + sensitive_data.keys[i] = NULL; + } + } + xfree(sensitive_data.keys); + } exit_status = compat20 ? ssh_session2() : ssh_session(); packet_close(); return exit_status; } -void +static void x11_get_proto(char *proto, int proto_len, char *data, int data_len) { char line[512]; @@ -755,7 +798,7 @@ x11_get_proto(char *proto, int proto_len, char *data, int data_len) } } -void +static void ssh_init_forwarding(void) { int success = 0; @@ -789,7 +832,7 @@ ssh_init_forwarding(void) } } -void +static void check_agent_present(void) { if (options.forward_agent) { @@ -802,7 +845,7 @@ check_agent_present(void) } } -int +static int ssh_session(void) { int type; @@ -844,7 +887,7 @@ ssh_session(void) cp = getenv("TERM"); if (!cp) cp = ""; - packet_put_string(cp, strlen(cp)); + packet_put_cstring(cp); /* Store window size in the packet. */ if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0) @@ -855,7 +898,7 @@ ssh_session(void) packet_put_int(ws.ws_ypixel); /* Store tty modes in the packet. */ - tty_make_modes(fileno(stdin)); + tty_make_modes(fileno(stdin), NULL); /* Send the packet, and wait for it to leave. */ packet_send(); @@ -936,10 +979,11 @@ ssh_session(void) } /* Enter the interactive session. */ - return client_loop(have_tty, tty_flag ? options.escape_char : -1, 0); + return client_loop(have_tty, tty_flag ? + options.escape_char : SSH_ESCAPECHAR_NONE, 0); } -void +static void client_subsystem_reply(int type, int plen, void *ctxt) { int id, len; @@ -954,11 +998,12 @@ client_subsystem_reply(int type, int plen, void *ctxt) len, buffer_ptr(&command), id); } -void +static void ssh_session2_callback(int id, void *arg) { int len; int interactive = 0; + struct termios tio; debug("client_init id %d arg %ld", id, (long)arg); @@ -978,7 +1023,8 @@ ssh_session2_callback(int id, void *arg) packet_put_int(ws.ws_row); packet_put_int(ws.ws_xpixel); packet_put_int(ws.ws_ypixel); - packet_put_cstring(""); /* XXX: encode terminal modes */ + tio = get_saved_tio(); + tty_make_modes(/*ignored*/ 0, &tio); packet_send(); interactive = 1; /* XXX wait for reply */ @@ -1028,11 +1074,11 @@ ssh_session2_callback(int id, void *arg) packet_set_interactive(interactive); } -int +static int ssh_session2_command(void) { - int id, window, packetmax; - int in, out, err; + Channel *c; + int window, packetmax, in, out, err; if (stdin_null_flag) { in = open(_PATH_DEVNULL, O_RDONLY); @@ -1059,21 +1105,23 @@ ssh_session2_command(void) window *= 2; packetmax *=2; } - id = channel_new( + c = channel_new( "session", SSH_CHANNEL_OPENING, in, out, err, window, packetmax, CHAN_EXTENDED_WRITE, xstrdup("client-session"), /*nonblock*/0); + if (c == NULL) + fatal("ssh_session2_command: channel_new failed"); -debug("channel_new: %d", id); + debug3("ssh_session2_command: channel_new: %d", c->self); - channel_open(id); - channel_register_callback(id, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, + channel_send_open(c->self); + channel_register_callback(c->self, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, ssh_session2_callback, (void *)0); - return id; + return c->self; } -int +static int ssh_session2(void) { int id; @@ -1088,10 +1136,11 @@ ssh_session2(void) if (daemon(1, 1) < 0) fatal("daemon() failed: %.200s", strerror(errno)); - return client_loop(tty_flag, tty_flag ? options.escape_char : -1, id); + return client_loop(tty_flag, tty_flag ? + options.escape_char : SSH_ESCAPECHAR_NONE, id); } -void +static void load_public_identity_files(void) { char *filename; @@ -1108,4 +1157,32 @@ load_public_identity_files(void) options.identity_files[i] = filename; options.identity_keys[i] = public; } +#ifdef SMARTCARD + if (sc_reader_num != -1 && + options.num_identity_files + 1 < SSH_MAX_IDENTITY_FILES && + (public = sc_get_key(sc_reader_num)) != NULL ) { + Key *new; + + /* XXX ssh1 vs ssh2 */ + new = key_new(KEY_RSA); + new->flags = KEY_FLAG_EXT; + BN_copy(new->rsa->n, public->rsa->n); + BN_copy(new->rsa->e, public->rsa->e); + RSA_set_method(new->rsa, sc_get_engine()); + i = options.num_identity_files++; + options.identity_keys[i] = new; + options.identity_files[i] = xstrdup("smartcard rsa key");; + + new = key_new(KEY_RSA1); + new->flags = KEY_FLAG_EXT; + BN_copy(new->rsa->n, public->rsa->n); + BN_copy(new->rsa->e, public->rsa->e); + RSA_set_method(new->rsa, sc_get_engine()); + i = options.num_identity_files++; + options.identity_keys[i] = new; + options.identity_files[i] = xstrdup("smartcard rsa1 key");; + + key_free(public); + } +#endif }