X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/91885a4d5370e317c337cdc779bfdd654d921a1a..0daa6547440ce987e35650166f45fb0b22635c40:/sshd.c diff --git a/sshd.c b/sshd.c index cbe31608..bc458488 100644 --- a/sshd.c +++ b/sshd.c @@ -15,8 +15,10 @@ * called by a name other than "ssh" or "Secure Shell". * * SSH2 implementation: + * Privilege Separation: * - * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved. + * Copyright (c) 2002 Niels Provos. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -40,11 +42,16 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.228 2002/02/27 21:23:13 stevesk Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.268 2003/06/04 10:23:48 djm Exp $"); #include #include #include +#include +#ifdef HAVE_SECUREWARE +#include +#include +#endif #include "ssh.h" #include "ssh1.h" @@ -105,11 +112,7 @@ char *config_file_name = _PATH_SERVER_CONFIG_FILE; * Flag indicating whether IPv4 or IPv6. This can be set on the command line. * Default value is AF_UNSPEC means both IPv4 and IPv6. */ -#ifdef IPV4_DEFAULT -int IPv4or6 = AF_INET; -#else int IPv4or6 = AF_UNSPEC; -#endif /* * Debug mode flag. This can be set on the command line. If debug @@ -195,15 +198,8 @@ int *startup_pipes = NULL; int startup_pipe; /* in child */ /* variables used for privilege separation */ -#define MM_MEMSIZE 65536 -struct mm_master *mm_zback; -struct mm_master *mm_zlib; - -extern int use_privsep; -/* Socket for the child to receive a fd */ -extern int mm_recvfd; -/* Socket for the parent to send a fd */ -int mm_sendfd; +int use_privsep; +struct monitor *pmonitor; /* Prototypes for various functions defined later in this file. */ void destroy_sensitive_data(void); @@ -219,6 +215,7 @@ static void close_listen_socks(void) { int i; + for (i = 0; i < num_listen_socks; i++) close(listen_socks[i]); num_listen_socks = -1; @@ -228,6 +225,7 @@ static void close_startup_pipes(void) { int i; + if (startup_pipes) for (i = 0; i < options.max_startups; i++) if (startup_pipes[i] != -1) @@ -256,11 +254,12 @@ sighup_handler(int sig) static void sighup_restart(void) { - log("Received SIGHUP; restarting."); + logit("Received SIGHUP; restarting."); close_listen_socks(); close_startup_pipes(); execv(saved_argv[0], saved_argv); - log("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0], strerror(errno)); + logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0], + strerror(errno)); exit(1); } @@ -281,9 +280,11 @@ static void main_sigchld_handler(int sig) { int save_errno = errno; + pid_t pid; int status; - while (waitpid(-1, &status, WNOHANG) > 0) + while ((pid = waitpid(-1, &status, WNOHANG)) > 0 || + (pid < 0 && errno == EINTR)) ; signal(SIGCHLD, main_sigchld_handler); @@ -298,11 +299,8 @@ grace_alarm_handler(int sig) { /* XXX no idea how fix this signal handler */ - /* Close the connection. */ - packet_close(); - /* Log error and exit. */ - fatal("Timeout before authentication for %s.", get_remote_ipaddr()); + fatal("Timeout before authentication for %s", get_remote_ipaddr()); } /* @@ -315,7 +313,7 @@ grace_alarm_handler(int sig) static void generate_ephemeral_server_key(void) { - u_int32_t rand = 0; + u_int32_t rnd = 0; int i; verbose("Generating %s%d bit RSA key.", @@ -328,9 +326,9 @@ generate_ephemeral_server_key(void) for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) { if (i % 4 == 0) - rand = arc4random(); - sensitive_data.ssh1_cookie[i] = rand & 0xff; - rand >>= 8; + rnd = arc4random(); + sensitive_data.ssh1_cookie[i] = rnd & 0xff; + rnd >>= 8; } arc4random_stir(); } @@ -339,6 +337,7 @@ static void key_regeneration_alarm(int sig) { int save_errno = errno; + signal(SIGALRM, SIG_DFL); errno = save_errno; key_do_regen = 1; @@ -370,17 +369,18 @@ sshd_exchange_identification(int sock_in, int sock_out) if (client_version_string == NULL) { /* Send our protocol version identification. */ - if (atomicio(write, sock_out, server_version_string, strlen(server_version_string)) + if (atomicio(write, sock_out, server_version_string, + strlen(server_version_string)) != strlen(server_version_string)) { - log("Could not write ident string to %s", get_remote_ipaddr()); + logit("Could not write ident string to %s", get_remote_ipaddr()); fatal_cleanup(); } - /* Read other side's version identification. */ + /* Read other sides version identification. */ memset(buf, 0, sizeof(buf)); for (i = 0; i < sizeof(buf) - 1; i++) { if (atomicio(read, sock_in, &buf[i], 1) != 1) { - log("Did not receive identification string from %s", + logit("Did not receive identification string from %s", get_remote_ipaddr()); fatal_cleanup(); } @@ -411,7 +411,7 @@ sshd_exchange_identification(int sock_in, int sock_out) (void) atomicio(write, sock_out, s, strlen(s)); close(sock_in); close(sock_out); - log("Bad protocol version identification '%.100s' from %s", + logit("Bad protocol version identification '%.100s' from %s", client_version_string, get_remote_ipaddr()); fatal_cleanup(); } @@ -420,8 +420,14 @@ sshd_exchange_identification(int sock_in, int sock_out) compat_datafellows(remote_version); + if (datafellows & SSH_BUG_PROBE) { + logit("probed from %s with %s. Don't panic.", + get_remote_ipaddr(), client_version_string); + fatal_cleanup(); + } + if (datafellows & SSH_BUG_SCANNER) { - log("scanned from %s with %s. Don't panic.", + logit("scanned from %s with %s. Don't panic.", get_remote_ipaddr(), client_version_string); fatal_cleanup(); } @@ -466,14 +472,13 @@ sshd_exchange_identification(int sock_in, int sock_out) (void) atomicio(write, sock_out, s, strlen(s)); close(sock_in); close(sock_out); - log("Protocol major versions differ for %s: %.200s vs. %.200s", + logit("Protocol major versions differ for %s: %.200s vs. %.200s", get_remote_ipaddr(), server_version_string, client_version_string); fatal_cleanup(); } } - /* Destroy the host and server keys. They will no longer be needed. */ void destroy_sensitive_data(void) @@ -506,57 +511,169 @@ demote_sensitive_data(void) key_free(sensitive_data.server_key); sensitive_data.server_key = tmp; } + for (i = 0; i < options.num_host_key_files; i++) { if (sensitive_data.host_keys[i]) { tmp = key_demote(sensitive_data.host_keys[i]); key_free(sensitive_data.host_keys[i]); sensitive_data.host_keys[i] = tmp; + if (tmp->type == KEY_RSA1) + sensitive_data.ssh1_host_key = tmp; } } /* We do not clear ssh1_host key and cookie. XXX - Okay Niels? */ } -void -privsep_postauth(Authctxt *authctxt) +static void +privsep_preauth_child(void) { + u_int32_t rnd[256]; + gid_t gidset[1]; + struct passwd *pw; + int i; + + /* Enable challenge-response authentication for privilege separation */ + privsep_challenge_enable(); + + for (i = 0; i < 256; i++) + rnd[i] = arc4random(); + RAND_seed(rnd, sizeof(rnd)); + + /* Demote the private keys to public keys. */ + demote_sensitive_data(); + + if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) + fatal("Privilege separation user %s does not exist", + SSH_PRIVSEP_USER); + memset(pw->pw_passwd, 0, strlen(pw->pw_passwd)); + endpwent(); + + /* Change our root directory */ + if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) + fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, + strerror(errno)); + if (chdir("/") == -1) + fatal("chdir(\"/\"): %s", strerror(errno)); + + /* Drop our privileges */ + debug3("privsep user:group %u:%u", (u_int)pw->pw_uid, + (u_int)pw->pw_gid); +#if 0 + /* XXX not ready, to heavy after chroot */ + do_setusercontext(pw); +#else + gidset[0] = pw->pw_gid; + if (setgroups(1, gidset) < 0) + fatal("setgroups: %.100s", strerror(errno)); + permanently_set_uid(pw); +#endif +} + +static Authctxt * +privsep_preauth(void) +{ + Authctxt *authctxt = NULL; + int status; pid_t pid; - if (0) { - /* File descriptor passing is broken */ - mm_apply_keystate(mm_zlib); + /* Set up unprivileged child process to deal with network data */ + pmonitor = monitor_init(); + /* Store a pointer to the kex for later rekeying */ + pmonitor->m_pkex = &xxx_kex; + + pid = fork(); + if (pid == -1) { + fatal("fork of unprivileged child failed"); + } else if (pid != 0) { + fatal_remove_cleanup((void (*) (void *)) packet_close, NULL); + + debug2("Network child is on pid %ld", (long)pid); + + close(pmonitor->m_recvfd); + authctxt = monitor_child_preauth(pmonitor); + close(pmonitor->m_sendfd); + + /* Sync memory */ + monitor_sync(pmonitor); + + /* Wait for the child's exit status */ + while (waitpid(pid, &status, 0) < 0) + if (errno != EINTR) + break; + + /* Reinstall, since the child has finished */ + fatal_add_cleanup((void (*) (void *)) packet_close, NULL); + + return (authctxt); + } else { + /* child */ + + close(pmonitor->m_sendfd); + + /* Demote the child */ + if (getuid() == 0 || geteuid() == 0) + privsep_preauth_child(); + setproctitle("%s", "[net]"); + } + return (NULL); +} + +static void +privsep_postauth(Authctxt *authctxt) +{ + extern Authctxt *x_authctxt; + + /* XXX - Remote port forwarding */ + x_authctxt = authctxt; + +#ifdef DISABLE_FD_PASSING + if (1) { +#else + if (authctxt->pw->pw_uid == 0 || options.use_login) { +#endif + /* File descriptor passing is broken or root login */ + monitor_apply_keystate(pmonitor); use_privsep = 0; return; } - pid = fork(); - if (pid == -1) + /* Authentication complete */ + alarm(0); + if (startup_pipe != -1) { + close(startup_pipe); + startup_pipe = -1; + } + + /* New socket pair */ + monitor_reinit(pmonitor); + + pmonitor->m_pid = fork(); + if (pmonitor->m_pid == -1) fatal("fork of unprivileged child failed"); - else if (pid != 0) { - debug2("User child is on pid %d", pid); - close(mm_recvfd); - monitor_child_postauth(mm_sendfd); + else if (pmonitor->m_pid != 0) { + fatal_remove_cleanup((void (*) (void *)) packet_close, NULL); - /* Teardown? */ + debug2("User child is on pid %ld", (long)pmonitor->m_pid); + close(pmonitor->m_recvfd); + monitor_child_postauth(pmonitor); + + /* NEVERREACHED */ exit(0); } - close(mm_sendfd); + close(pmonitor->m_sendfd); /* Demote the private keys to public keys. */ demote_sensitive_data(); /* Drop privileges */ - if (seteuid(authctxt->pw->pw_uid) == -1) - fatal("%s: seteuid", __FUNCTION__); - if (setuid(authctxt->pw->pw_uid) == -1) - fatal("%s: setuid", __FUNCTION__); + do_setusercontext(authctxt->pw); /* It is safe now to apply the key state */ - mm_apply_keystate(mm_zlib); + monitor_apply_keystate(pmonitor); } - static char * list_hostkey_types(void) { @@ -586,10 +703,11 @@ list_hostkey_types(void) return p; } -static Key * +Key * get_hostkey_by_type(int type) { int i; + for (i = 0; i < options.num_host_key_files; i++) { Key *key = sensitive_data.host_keys[i]; if (key != NULL && key->type == type) @@ -610,6 +728,7 @@ int get_hostkey_index(Key *key) { int i; + for (i = 0; i < options.num_host_key_files; i++) { if (key == sensitive_data.host_keys[i]) return (i); @@ -687,23 +806,33 @@ main(int ac, char **av) const char *remote_ip; int remote_port; FILE *f; - struct linger linger; struct addrinfo *ai; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; int listen_sock, maxfd; int startup_p[2]; int startups = 0; Authctxt *authctxt; - int sp[2]; Key *key; int ret, key_used = 0; +#ifdef HAVE_SECUREWARE + (void)set_auth_parameters(ac, av); +#endif __progname = get_progname(av[0]); init_rng(); - /* Save argv. */ + /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ saved_argc = ac; - saved_argv = av; + saved_argv = xmalloc(sizeof(*saved_argv) * (ac + 1)); + for (i = 0; i < ac; i++) + saved_argv[i] = xstrdup(av[i]); + saved_argv[i] = NULL; + +#ifndef HAVE_SETPROCTITLE + /* Prepare for later setproctitle emulation */ + compat_init_setproctitle(ac, av); + av = saved_argv; +#endif /* Initialize configuration options to their default values. */ initialize_server_options(&options); @@ -790,6 +919,10 @@ main(int ac, char **av) break; case 'u': utmp_len = atoi(optarg); + if (utmp_len > MAXHOSTNAMELEN) { + fprintf(stderr, "Invalid utmp length.\n"); + exit(1); + } break; case 'o': if (process_server_config_line(&options, optarg, @@ -814,9 +947,9 @@ main(int ac, char **av) SYSLOG_LEVEL_INFO : options.log_level, options.log_facility == SYSLOG_FACILITY_NOT_SET ? SYSLOG_FACILITY_AUTH : options.log_facility, - !inetd_flag); + log_stderr || !inetd_flag); -#ifdef _CRAY +#ifdef _UNICOS /* Cray can define user privs drop all prives now! * Not needed on PRIV_SU systems! */ @@ -840,7 +973,8 @@ main(int ac, char **av) debug("sshd version %.100s", SSH_VERSION); /* load private host keys */ - sensitive_data.host_keys = xmalloc(options.num_host_key_files*sizeof(Key*)); + sensitive_data.host_keys = xmalloc(options.num_host_key_files * + sizeof(Key *)); for (i = 0; i < options.num_host_key_files; i++) sensitive_data.host_keys[i] = NULL; sensitive_data.server_key = NULL; @@ -871,15 +1005,15 @@ main(int ac, char **av) key_type(key)); } if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { - log("Disabling protocol version 1. Could not load host key"); + logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; } if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) { - log("Disabling protocol version 2. Could not load host key"); + logit("Disabling protocol version 2. Could not load host key"); options.protocol &= ~SSH_PROTO_2; } if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { - log("sshd: no hostkeys available -- exiting."); + logit("sshd: no hostkeys available -- exiting."); exit(1); } @@ -896,23 +1030,54 @@ main(int ac, char **av) * hate software patents. I dont know if this can go? Niels */ if (options.server_key_bits > - BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) - SSH_KEY_BITS_RESERVED && - options.server_key_bits < - BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED) { + BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) - + SSH_KEY_BITS_RESERVED && options.server_key_bits < + BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + + SSH_KEY_BITS_RESERVED) { options.server_key_bits = - BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED; + BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + + SSH_KEY_BITS_RESERVED; debug("Forcing server key to %d bits to make it differ from host key.", options.server_key_bits); } } + if (use_privsep) { + struct passwd *pw; + struct stat st; + + if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) + fatal("Privilege separation user %s does not exist", + SSH_PRIVSEP_USER); + if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) || + (S_ISDIR(st.st_mode) == 0)) + fatal("Missing privilege separation directory: %s", + _PATH_PRIVSEP_CHROOT_DIR); + +#ifdef HAVE_CYGWIN + if (check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) && + (st.st_uid != getuid () || + (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)) +#else + if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0) +#endif + fatal("%s must be owned by root and not group or " + "world-writable.", _PATH_PRIVSEP_CHROOT_DIR); + } + /* Configuration looks good, so exit if in test mode. */ if (test_flag) exit(0); -#ifdef HAVE_SCO_PROTECTED_PW - (void) set_auth_parameters(ac, av); -#endif + /* + * Clear out any supplemental groups we may have inherited. This + * prevents inadvertent creation of files with bad modes (in the + * portable version at least, it's certainly possible for PAM + * to create a file, and we can't control the code in every + * module which might be used). + */ + if (setgroups(0, NULL) < 0) + debug("setgroups() failed: %.200s", strerror(errno)); /* Initialize the log (it is reinitialized below in case we forked). */ if (debug_flag && !inetd_flag) @@ -983,7 +1148,8 @@ main(int ac, char **av) continue; } /* Create socket for listening. */ - listen_sock = socket(ai->ai_family, SOCK_STREAM, 0); + listen_sock = socket(ai->ai_family, ai->ai_socktype, + ai->ai_protocol); if (listen_sock < 0) { /* kernel may not support ipv6 */ verbose("socket: %.100s", strerror(errno)); @@ -995,17 +1161,12 @@ main(int ac, char **av) continue; } /* - * Set socket options. We try to make the port - * reusable and have it close as fast as possible - * without waiting in unnecessary wait states on - * close. + * Set socket options. + * Allow local port reuse in TIME_WAIT. */ - setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR, - &on, sizeof(on)); - linger.l_onoff = 1; - linger.l_linger = 5; - setsockopt(listen_sock, SOL_SOCKET, SO_LINGER, - &linger, sizeof(linger)); + if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR, + &on, sizeof(on)) == -1) + error("setsockopt SO_REUSEADDR: %s", strerror(errno)); debug("Bind to port %s on %s.", strport, ntop); @@ -1021,7 +1182,7 @@ main(int ac, char **av) num_listen_socks++; /* Start listening on the port. */ - log("Server listening on %s port %s.", ntop, strport); + logit("Server listening on %s port %s.", ntop, strport); if (listen(listen_sock, 5) < 0) fatal("listen: %.100s", strerror(errno)); @@ -1057,7 +1218,7 @@ main(int ac, char **av) */ f = fopen(options.pid_file, "wb"); if (f) { - fprintf(f, "%u\n", (u_int) getpid()); + fprintf(f, "%ld\n", (long) getpid()); fclose(f); } } @@ -1097,7 +1258,7 @@ main(int ac, char **av) if (ret < 0 && errno != EINTR) error("select: %.100s", strerror(errno)); if (received_sigterm) { - log("Received signal %d; terminating.", + logit("Received signal %d; terminating.", (int) received_sigterm); close_listen_socks(); unlink(options.pid_file); @@ -1204,7 +1365,7 @@ main(int ac, char **av) if (pid < 0) error("fork: %.100s", strerror(errno)); else - debug("Forked child %d.", pid); + debug("Forked child %ld.", (long)pid); close(startup_p[1]); @@ -1212,7 +1373,7 @@ main(int ac, char **av) if ((options.protocol & SSH_PROTO_1) && key_used == 0) { /* Schedule server key regeneration alarm. */ - signal(SIGALRM, key_regeneration_alarm); + mysignal(SIGALRM, key_regeneration_alarm); alarm(options.key_regeneration_time); key_used = 1; } @@ -1230,6 +1391,21 @@ main(int ac, char **av) /* This is the child processing a new connection. */ + /* + * Create a new session and process group since the 4.4BSD + * setlogin() affects the entire process group. We don't + * want the child to be able to affect the parent. + */ +#if !defined(SSHD_ACQUIRES_CTTY) + /* + * If setsid is called, on some platforms sshd will later acquire a + * controlling terminal which will result in "could not set + * controlling tty" errors. + */ + if (!debug_flag && !inetd_flag && setsid() < 0) + error("setsid: %.100s", strerror(errno)); +#endif + /* * Disable the key regeneration alarm. We will not regenerate the * key since we are no longer in a position to give it to anyone. We @@ -1243,16 +1419,6 @@ main(int ac, char **av) signal(SIGCHLD, SIG_DFL); signal(SIGINT, SIG_DFL); - /* - * Set socket options for the connection. We want the socket to - * close as fast as possible without waiting for anything. If the - * connection is not a socket, these will do nothing. - */ - /* setsockopt(sock_in, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */ - linger.l_onoff = 1; - linger.l_linger = 5; - setsockopt(sock_in, SOL_SOCKET, SO_LINGER, &linger, sizeof(linger)); - /* Set keepalives if requested. */ if (options.keepalives && setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, @@ -1296,14 +1462,14 @@ main(int ac, char **av) * mode; it is just annoying to have the server exit just when you * are about to discover the bug. */ - signal(SIGALRM, grace_alarm_handler); + mysignal(SIGALRM, grace_alarm_handler); if (!debug_flag) alarm(options.login_grace_time); sshd_exchange_identification(sock_in, sock_out); /* * Check that the connection comes from a privileged port. - * Rhosts-Authentication only makes sense from priviledged + * Rhosts-Authentication only makes sense from privileged * programs. Of course, if the intruder has root access on his local * machine, he can connect from any port. So do not use these * authentication methods from machines that you do not trust. @@ -1332,87 +1498,103 @@ main(int ac, char **av) packet_set_nonblocking(); - if (!use_privsep) - goto skip_privilegeseparation; - - /* Set up unprivileged child process to deal with network data */ - monitor_socketpair(sp); - mm_recvfd = sp[0]; - mm_sendfd = sp[1]; - - /* Used to share zlib space across processes */ - mm_zback = mm_create(NULL, MM_MEMSIZE); - mm_zlib = mm_create(mm_zback, 20 * MM_MEMSIZE); - - /* Compression needs to share state across borders */ - mm_init_compression(mm_zlib); - - pid = fork(); - if (pid == -1) - fatal("fork of unprivileged child failed"); - else if (pid != 0) { - debug2("Network child is on pid %d", pid); - authctxt = monitor_child_preauth(mm_sendfd); - - /* The member allocation is not visible, so sync it */ - mm_share_sync(&mm_zlib, &mm_zback); - goto authenticated; - } else { - /* Demote the private keys to public keys. */ - demote_sensitive_data(); - - /* Change our root directory - /var/empty is standard*/ - if (chroot("/var/empty") == -1) - fatal("chroot(/var/empty)"); - if (chdir("/") == -1) - fatal("chdir(/)"); - - /* Drop our privileges */ - seteuid(32767); /* XXX - Niels */ - setuid(32767); - } - - skip_privilegeseparation: + if (use_privsep) + if ((authctxt = privsep_preauth()) != NULL) + goto authenticated; /* perform the key exchange */ /* authenticate user and start session */ if (compat20) { do_ssh2_kex(); authctxt = do_authentication2(); - if (use_privsep) - mm_send_keystate(mm_recvfd); } else { do_ssh1_kex(); authctxt = do_authentication(); } - - /* If we use privilege separation, the unprivileged child exits */ - if (use_privsep) + /* + * If we use privilege separation, the unprivileged child transfers + * the current keystate and exits + */ + if (use_privsep) { + mm_send_keystate(pmonitor); exit(0); + } authenticated: - /* + /* * In privilege separation, we fork another child and prepare * file descriptor passing. */ - if (use_privsep) + if (use_privsep) { privsep_postauth(authctxt); + /* the monitor process [priv] will not return */ + if (!compat20) + destroy_sensitive_data(); + } /* Perform session preparation. */ do_authenticated(authctxt); + /* The connection has been terminated. */ + verbose("Closing connection to %.100s", remote_ip); + #ifdef USE_PAM - finish_pam(); + if (options.use_pam) + finish_pam(); #endif /* USE_PAM */ packet_close(); if (use_privsep) - mm_terminate(mm_recvfd); + mm_terminate(); exit(0); } +/* + * Decrypt session_key_int using our private server key and private host key + * (key with larger modulus first). + */ +int +ssh1_session_key(BIGNUM *session_key_int) +{ + int rsafail = 0; + + if (BN_cmp(sensitive_data.server_key->rsa->n, sensitive_data.ssh1_host_key->rsa->n) > 0) { + /* Server key has bigger modulus. */ + if (BN_num_bits(sensitive_data.server_key->rsa->n) < + BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED) { + fatal("do_connection: %s: server_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d", + get_remote_ipaddr(), + BN_num_bits(sensitive_data.server_key->rsa->n), + BN_num_bits(sensitive_data.ssh1_host_key->rsa->n), + SSH_KEY_BITS_RESERVED); + } + if (rsa_private_decrypt(session_key_int, session_key_int, + sensitive_data.server_key->rsa) <= 0) + rsafail++; + if (rsa_private_decrypt(session_key_int, session_key_int, + sensitive_data.ssh1_host_key->rsa) <= 0) + rsafail++; + } else { + /* Host key has bigger modulus (or they are equal). */ + if (BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) < + BN_num_bits(sensitive_data.server_key->rsa->n) + SSH_KEY_BITS_RESERVED) { + fatal("do_connection: %s: host_key %d < server_key %d + SSH_KEY_BITS_RESERVED %d", + get_remote_ipaddr(), + BN_num_bits(sensitive_data.ssh1_host_key->rsa->n), + BN_num_bits(sensitive_data.server_key->rsa->n), + SSH_KEY_BITS_RESERVED); + } + if (rsa_private_decrypt(session_key_int, session_key_int, + sensitive_data.ssh1_host_key->rsa) < 0) + rsafail++; + if (rsa_private_decrypt(session_key_int, session_key_int, + sensitive_data.server_key->rsa) < 0) + rsafail++; + } + return (rsafail); +} /* * SSH1 key exchange */ @@ -1425,7 +1607,7 @@ do_ssh1_kex(void) u_char session_key[SSH_SESSION_KEY_LENGTH]; u_char cookie[8]; u_int cipher_type, auth_mask, protocol_flags; - u_int32_t rand = 0; + u_int32_t rnd = 0; /* * Generate check bytes that the client must send back in the user @@ -1438,9 +1620,9 @@ do_ssh1_kex(void) */ for (i = 0; i < 8; i++) { if (i % 4 == 0) - rand = arc4random(); - cookie[i] = rand & 0xff; - rand >>= 8; + rnd = arc4random(); + cookie[i] = rnd & 0xff; + rnd >>= 8; } /* @@ -1528,43 +1710,9 @@ do_ssh1_kex(void) packet_set_protocol_flags(protocol_flags); packet_check_eom(); - /* - * Decrypt it using our private server key and private host key (key - * with larger modulus first). - */ - if (BN_cmp(sensitive_data.server_key->rsa->n, sensitive_data.ssh1_host_key->rsa->n) > 0) { - /* Server key has bigger modulus. */ - if (BN_num_bits(sensitive_data.server_key->rsa->n) < - BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED) { - fatal("do_connection: %s: server_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d", - get_remote_ipaddr(), - BN_num_bits(sensitive_data.server_key->rsa->n), - BN_num_bits(sensitive_data.ssh1_host_key->rsa->n), - SSH_KEY_BITS_RESERVED); - } - if (rsa_private_decrypt(session_key_int, session_key_int, - sensitive_data.server_key->rsa) <= 0) - rsafail++; - if (rsa_private_decrypt(session_key_int, session_key_int, - sensitive_data.ssh1_host_key->rsa) <= 0) - rsafail++; - } else { - /* Host key has bigger modulus (or they are equal). */ - if (BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) < - BN_num_bits(sensitive_data.server_key->rsa->n) + SSH_KEY_BITS_RESERVED) { - fatal("do_connection: %s: host_key %d < server_key %d + SSH_KEY_BITS_RESERVED %d", - get_remote_ipaddr(), - BN_num_bits(sensitive_data.ssh1_host_key->rsa->n), - BN_num_bits(sensitive_data.server_key->rsa->n), - SSH_KEY_BITS_RESERVED); - } - if (rsa_private_decrypt(session_key_int, session_key_int, - sensitive_data.ssh1_host_key->rsa) < 0) - rsafail++; - if (rsa_private_decrypt(session_key_int, session_key_int, - sensitive_data.server_key->rsa) < 0) - rsafail++; - } + /* Decrypt session_key_int using host/server keys */ + rsafail = PRIVSEP(ssh1_session_key(session_key_int)); + /* * Extract session key from the decrypted integer. The key is in the * least significant 256 bits of the integer; the first byte of the @@ -1599,7 +1747,7 @@ do_ssh1_kex(void) u_char *buf = xmalloc(bytes); MD5_CTX md; - log("do_connection: generating a fake encryption key"); + logit("do_connection: generating a fake encryption key"); BN_bn2bin(session_key_int, buf); MD5_Init(&md); MD5_Update(&md, buf, bytes); @@ -1615,6 +1763,11 @@ do_ssh1_kex(void) for (i = 0; i < 16; i++) session_id[i] = session_key[i] ^ session_key[i + 16]; } + /* Destroy the private and public keys. No longer. */ + destroy_sensitive_data(); + + if (use_privsep) + mm_ssh1_session_id(session_id); /* Destroy the decrypted integer. It is no longer needed. */ BN_clear_free(session_key_int); @@ -1627,7 +1780,7 @@ do_ssh1_kex(void) debug("Received session key; encryption turned on."); - /* Send an acknowledgement packet. Note that this packet is sent encrypted. */ + /* Send an acknowledgment packet. Note that this packet is sent encrypted. */ packet_start(SSH_SMSG_SUCCESS); packet_send(); packet_write_wait(); @@ -1654,10 +1807,16 @@ do_ssh2_kex(void) myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; } + if (!options.compression) { + myproposal[PROPOSAL_COMP_ALGS_CTOS] = + myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; + } myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); /* start key exchange */ kex = kex_setup(myproposal); + kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; + kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->server = 1; kex->client_version_string=client_version_string; kex->server_version_string=server_version_string;