X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/d514c907d423cff76b7251059ad307c830e006cc..bbe88b6d930d2f3cef8d1c896edaa60fd146e84f:/ssh.c
diff --git a/ssh.c b/ssh.c
index be9c78b0..21bfc56e 100644
--- a/ssh.c
+++ b/ssh.c
@@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.177 2002/06/11 04:14:26 markus Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.190 2003/02/06 09:27:29 markus Exp $"); #include #include
@@ -146,6 +146,9 @@ int subsystem_flag = 0; /* # of replies received for global requests */ static int client_global_request_id = 0; +/* pid of proxycommand child process */ +pid_t proxy_command_pid = 0; + /* Prints a help message to the user. This function never returns. */ static void
@@ -174,7 +177,6 @@ usage(void) fprintf(stderr, " -v Verbose; display verbose debugging messages.\n"); fprintf(stderr, " Multiple -v increases verbosity.\n"); fprintf(stderr, " -V Display version number only.\n"); - fprintf(stderr, " -P Don't allocate a privileged port.\n"); fprintf(stderr, " -q Quiet; don't display any warning messages.\n"); fprintf(stderr, " -f Fork into background after authentication.\n"); fprintf(stderr, " -e char Set escape character; ``none'' = disable (default: ~).\n");
@@ -210,7 +212,7 @@ static void load_public_identity_files(void); int main(int ac, char **av) { - int i, opt, exit_status, cerr; + int i, opt, exit_status; u_short fwd_port, fwd_host_port; char sfwd_port[6], sfwd_host_port[6]; char *p, *cp, buf[256];
@@ -229,6 +231,15 @@ main(int ac, char **av) */ original_real_uid = getuid(); original_effective_uid = geteuid(); + + /* + * Use uid-swapping to give up root privileges for the duration of + * option processing. We will re-instantiate the rights when we are + * ready to create the privileged port, and will permanently drop + * them when the port has been created (actually, when the connection + * has been made, as we may need to create the port several times). + */ + PRIV_END; #ifdef HAVE_SETRLIMIT /* If we are installed setuid root be careful to not drop core. */
@@ -242,21 +253,12 @@ main(int ac, char **av) /* Get user data. */ pw = getpwuid(original_real_uid); if (!pw) { - log("You don't exist, go away!"); + logit("You don't exist, go away!"); exit(1); } /* Take a copy of the returned structure. */ pw = pwcopy(pw); - /* - * Use uid-swapping to give up root privileges for the duration of - * option processing. We will re-instantiate the rights when we are - * ready to create the privileged port, and will permanently drop - * them when the port has been created (actually, when the connection - * has been made, as we may need to create the port several times). - */ - PRIV_END; - /* * Set our umask to something reasonable, as some files are created * with the default umask. This will make them world-readable but
@@ -303,7 +305,7 @@ again: case 'g': options.gateway_ports = 1; break; - case 'P': + case 'P': /* deprecated */ options.use_privileged_port = 0; break; case 'a':
@@ -493,9 +495,9 @@ again: av += optind; if (ac > 0 && !host && **av != '-') { - if (strchr(*av, '@')) { + if (strrchr(*av, '@')) { p = xstrdup(*av); - cp = strchr(p, '@'); + cp = strrchr(p, '@'); if (cp == NULL || cp == p) usage(); options.user = p;
@@ -503,12 +505,11 @@ again: host = ++cp; } else host = *av; - ac--, av++; - if (ac > 0) { - optind = 0; - optreset = 1; + if (ac > 1) { + optind = optreset = 1; goto again; } + ac--, av++; } /* Check that we got a host name. */
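Review bot: The comment that moved up with `PRIV_END` in the `@@ -229,6 +231,15 @@` hunk still explains only the uid swap, not why the drop now comes before the `HAVE_SETRLIMIT` block and before the `getpwuid()`/`pwcopy()` lookup shown in the following hunk. If the intent is that the passwd lookup no longer runs with root's effective uid (an inference from the reordering), state that in the comment, for example `* Do this before getpwuid() so the lookup does not run with root's effective uid.` Without that sentence a later change could insert work between `geteuid()` and `PRIV_END` and silently widen the privileged window. main() starts and ends outside this hunk.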
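Review bot: In the `@@ -493,9 +495,9 @@` hunk the guard after `cp = strrchr(p, '@')` rejects an empty user (`cp == p`) but not an empty host, so an argument that ends in `@` leaves `host` pointing at an empty string once the next hunk executes `host = ++cp`. Unless the later host-name check (outside the hunk) rejects empty strings, extend the guard: `if (cp == NULL || cp == p || cp[1] == '\0') usage();`. Splitting at the last `@` also means `options.user` may now contain `@`; a short comment saying this is deliberate would help whoever audits the later consumers of `options.user`, which are not visible here. The `cp == NULL` arm cannot fire, because the same search on `*av` has just succeeded.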
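Review bot: The rescan in the `@@ -503,12 +505,11 @@` hunk depends on an undocumented trick: `ac`/`av` are no longer advanced before `goto again`, so the host argument stays in `av[0]` and getopt skips it as if it were the program name, which is why `optind` is reset to 1 and the test became `ac > 1`. Add a comment above the assignment, for example `/* leave host in av[0]; getopt treats it as argv[0] on the rescan */`. The block sits inside main(), which extends beyond this hunk in both directions.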
@@ -552,13 +553,13 @@ again: if (buffer_len(&command) == 0) tty_flag = 1; - /* Force no tty*/ + /* Force no tty */ if (no_tty_flag) tty_flag = 0; /* Do not allocate a tty if stdin is not a tty. */ if (!isatty(fileno(stdin)) && !force_tty_flag) { if (tty_flag) - log("Pseudo-terminal will not be allocated because stdin is not a terminal."); + logit("Pseudo-terminal will not be allocated because stdin is not a terminal."); tty_flag = 0; }
@@ -600,6 +601,10 @@ again: if (options.hostname != NULL) host = options.hostname; + if (options.proxy_command != NULL && + strcmp(options.proxy_command, "none") == 0) + options.proxy_command = NULL; + /* Disable rhosts authentication if not running as root. */ #ifdef HAVE_CYGWIN /* Ignore uid if running under Windows */
@@ -613,14 +618,15 @@ again: } /* Open a connection to the remote host. */ - cerr = ssh_connect(host, &hostaddr, options.port, IPv4or6, + if (ssh_connect(host, &hostaddr, options.port, IPv4or6, options.connection_attempts, #ifdef HAVE_CYGWIN options.use_privileged_port, #else original_effective_uid == 0 && options.use_privileged_port, #endif - options.proxy_command); + options.proxy_command) != 0) + exit(1); /* * If we successfully made the connection, load the host private key
@@ -633,10 +639,11 @@ again: sensitive_data.nkeys = 0; sensitive_data.keys = NULL; sensitive_data.external_keysign = 0; - if (!cerr && (options.rhosts_rsa_authentication || - options.hostbased_authentication)) { + if (options.rhosts_rsa_authentication || + options.hostbased_authentication) { sensitive_data.nkeys = 3; - sensitive_data.keys = xmalloc(sensitive_data.nkeys*sizeof(Key)); + sensitive_data.keys = xmalloc(sensitive_data.nkeys * + sizeof(Key)); PRIV_START; sensitive_data.keys[0] = key_load_private_type(KEY_RSA1,
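Review bot: The `none` test in the `@@ -600,6 +601,10 @@` hunk is an exact, case-sensitive `strcmp`, so a configured value such as `None`, or `none` followed by whitespace, would still reach `ssh_connect()` as a command to run. Whether the config parser normalises the value first is not visible in this diff; if it does not, document the exact spelling next to the check, e.g. `/* "none" (lowercase, exact match) disables a ProxyCommand set elsewhere in the config */`, or compare case-insensitively. The previous string is dropped without being freed, which is harmless for a one-shot value but deserves a word in the comment if it was heap-allocated.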
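Review bot: The re-wrapped allocation in the `@@ -633,10 +639,11 @@` hunk still sizes the array by `sizeof(Key)`, yet its elements receive the return value of `key_load_private_type()` and are compared against `NULL` in the following hunk, so they look like `Key *` pointers. That over-allocates rather than under-allocates, so it is not a memory-safety bug today, but it ties the size to the wrong type; prefer `sensitive_data.keys = xmalloc(sensitive_data.nkeys * sizeof(*sensitive_data.keys));`. The declaration of `sensitive_data.keys` is outside this diff, so confirm the element type before changing it.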
@@ -647,7 +654,8 @@ again: _PATH_HOST_RSA_KEY_FILE, "", NULL); PRIV_END; - if (sensitive_data.keys[0] == NULL && + if (options.hostbased_authentication == 1 && + sensitive_data.keys[0] == NULL && sensitive_data.keys[1] == NULL && sensitive_data.keys[2] == NULL) { sensitive_data.keys[1] = key_load_public(
@@ -676,9 +684,6 @@ again: if (mkdir(buf, 0700) < 0) error("Could not create directory '%.200s'.", buf); - if (cerr) - exit(1); - /* load options.identity_files */ load_public_identity_files();
@@ -723,6 +728,14 @@ again: exit_status = compat20 ? ssh_session2() : ssh_session(); packet_close(); + + /* + * Send SIGHUP to proxy command if used. We don't wait() in + * case it hangs and instead rely on init to reap the child + */ + if (proxy_command_pid > 1) + kill(proxy_command_pid, SIGHUP); + return exit_status; }
@@ -734,11 +747,19 @@ x11_get_proto(char **_proto, char **_data) FILE *f; int got_data = 0, i; char *display; + struct stat st; *_proto = proto; *_data = data; proto[0] = data[0] = '\0'; - if (options.xauth_location && (display = getenv("DISPLAY"))) { + if (!options.xauth_location || + (stat(options.xauth_location, &st) == -1)) { + debug("No xauth program."); + } else { + if ((display = getenv("DISPLAY")) == NULL) { + debug("x11_get_proto: DISPLAY not set"); + return; + } /* Try to get Xauthority information for the display. */ if (strncmp(display, "localhost:", 10) == 0) /*
@@ -753,7 +774,7 @@ x11_get_proto(char **_proto, char **_data) else snprintf(line, sizeof line, "%s list %.200s 2>" _PATH_DEVNULL, options.xauth_location, display); - debug2("x11_get_proto %s", line); + debug2("x11_get_proto: %s", line); f = popen(line, "r"); if (f && fgets(line, sizeof(line), f) && sscanf(line, "%*s %511s %511s", proto, data) == 2)
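Review bot: The SIGHUP added in the `@@ -723,6 +728,14 @@` hunk is sent only on the normal return from main(); the `exit(1)` this commit adds after `ssh_connect()` and any other early exit leave the proxy command unsignalled. If that is intended, the comment should say so; if not, the signal belongs in a cleanup path shared by all exits (how `fatal()` cleans up is not visible here). Because the child is never waited for, the code also assumes nothing else in the process reaps it first, otherwise `proxy_command_pid` could name an unrelated process by the time `kill()` runs. The `> 1` guard correctly keeps 0, 1 and negative values away from `kill()`; the ignored return value is fine for best effort but would be clearer as `(void)kill(proxy_command_pid, SIGHUP);`.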
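Review bot: The two failure paths added to x11_get_proto() in the `@@ -734,11 +747,19 @@` hunk end differently: a missing xauth program falls through to the fake-cookie fallback further down, while an unset `DISPLAY` returns at once with `proto` and `data` left as empty strings. Callers therefore have to cope with empty strings; if they already test `DISPLAY` before calling (not visible here), the new branch is unreachable and a comment should say so. `stat()` only shows that the path existed at that moment, not that it is an executable regular file, so the `popen()` in the `@@ -753,7 +774,7 @@` hunk can still fail; a comment such as `/* advisory check only; popen() below is the real test */` would make that clear. That `popen()` line also passes the `DISPLAY` value to the shell through `%.200s` without quoting, which predates this commit but is worth a comment while the function is being reworked. The function body continues outside both hunks.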
@@ -772,6 +793,7 @@ x11_get_proto(char **_proto, char **_data) if (!got_data) { u_int32_t rand = 0; + logit("Warning: No xauth data; using fake authentication data for X11 forwarding."); strlcpy(proto, "MIT-MAGIC-COOKIE-1", sizeof proto); for (i = 0; i < 16; i++) { if (i % 4 == 0)
@@ -821,11 +843,8 @@ check_agent_present(void) { if (options.forward_agent) { /* Clear agent forwarding if we don\'t have an agent. */ - int authfd = ssh_get_authentication_socket(); - if (authfd < 0) + if (!ssh_agent_present()) options.forward_agent = 0; - else - ssh_close_authentication_socket(authfd); } }
@@ -854,7 +873,7 @@ ssh_session(void) if (type == SSH_SMSG_SUCCESS) packet_start_compression(options.compression_level); else if (type == SSH_SMSG_FAILURE) - log("Warning: Remote host refused compression."); + logit("Warning: Remote host refused compression."); else packet_disconnect("Protocol error waiting for compression response."); }
@@ -893,7 +912,7 @@ ssh_session(void) interactive = 1; have_tty = 1; } else if (type == SSH_SMSG_FAILURE) - log("Warning: Remote host failed or refused to allocate a pseudo tty."); + logit("Warning: Remote host failed or refused to allocate a pseudo tty."); else packet_disconnect("Protocol error waiting for pty request response."); }
@@ -911,7 +930,7 @@ ssh_session(void) if (type == SSH_SMSG_SUCCESS) { interactive = 1; } else if (type == SSH_SMSG_FAILURE) { - log("Warning: Remote host denied X11 forwarding."); + logit("Warning: Remote host denied X11 forwarding."); } else { packet_disconnect("Protocol error waiting for X11 forwarding"); }
@@ -930,7 +949,7 @@ ssh_session(void) type = packet_read(); packet_check_eom(); if (type != SSH_SMSG_SUCCESS) - log("Warning: Remote host denied authentication agent forwarding."); + logit("Warning: Remote host denied authentication agent forwarding."); } /* Initiate port forwardings. */
@@ -998,7 +1017,7 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt) options.remote_forwards[i].host, options.remote_forwards[i].host_port); if (type == SSH2_MSG_REQUEST_FAILURE) - log("Warning: remote port forwarding failed for listen port %d", + logit("Warning: remote port forwarding failed for listen port %d", options.remote_forwards[i].port); }
@@ -1010,7 +1029,7 @@ ssh_session2_setup(int id, void *arg) int interactive = 0; struct termios tio; - debug("ssh_session2_setup: id %d", id); + debug2("ssh_session2_setup: id %d", id); if (tty_flag) { struct winsize ws;