X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/f2107e976cca78fb5e84777027c8ae235967a279..aa2eae64b7a74e7293a673f5dc101189b5342668:/sshd.c diff --git a/sshd.c b/sshd.c index ac62cb50..8a68a537 100644 --- a/sshd.c +++ b/sshd.c @@ -42,7 +42,13 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.298 2004/07/11 17:48:47 deraadt Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.321 2006/02/10 01:44:27 stevesk Exp $"); + +#include +#include +#include + +#include #include #include @@ -111,12 +117,6 @@ ServerOptions options; /* Name of the server configuration file. */ char *config_file_name = _PATH_SERVER_CONFIG_FILE; -/* - * Flag indicating whether IPv4 or IPv6. This can be set on the command line. - * Default value is AF_UNSPEC means both IPv4 and IPv6. - */ -int IPv4or6 = AF_UNSPEC; - /* * Debug mode flag. This can be set on the command line. If debug * mode is enabled, extra debugging output will be sent to the system @@ -210,12 +210,12 @@ int startup_pipe; /* in child */ int use_privsep; struct monitor *pmonitor = NULL; -/* message to be displayed after login */ -Buffer loginmsg; - /* global authentication context */ Authctxt *the_authctxt = NULL; +/* message to be displayed after login */ +Buffer loginmsg; + /* Prototypes for various functions defined later in this file. */ void destroy_sensitive_data(void); void demote_sensitive_data(void); @@ -364,7 +364,8 @@ key_regeneration_alarm(int sig) static void sshd_exchange_identification(int sock_in, int sock_out) { - int i, mismatch; + u_int i; + int mismatch; int remote_major, remote_minor; int major, minor; char *s; @@ -638,16 +639,8 @@ privsep_postauth(Authctxt *authctxt) if (authctxt->pw->pw_uid == 0 || options.use_login) { #endif /* File descriptor passing is broken or root login */ - monitor_apply_keystate(pmonitor); use_privsep = 0; - return; - } - - /* Authentication complete */ - alarm(0); - if (startup_pipe != -1) { - close(startup_pipe); - startup_pipe = -1; + goto skip; } /* New socket pair */ @@ -659,6 +652,7 @@ privsep_postauth(Authctxt *authctxt) else if (pmonitor->m_pid != 0) { debug2("User child is on pid %ld", (long)pmonitor->m_pid); close(pmonitor->m_recvfd); + buffer_clear(&loginmsg); monitor_child_postauth(pmonitor); /* NEVERREACHED */ @@ -673,8 +667,15 @@ privsep_postauth(Authctxt *authctxt) /* Drop privileges */ do_setusercontext(authctxt->pw); + skip: /* It is safe now to apply the key state */ monitor_apply_keystate(pmonitor); + + /* + * Tell the packet layer that authentication was successful, since + * this information is not part of the key state. + */ + packet_set_authenticated(); } static char * @@ -749,7 +750,7 @@ get_hostkey_index(Key *key) static int drop_connection(int startups) { - double p, r; + int p, r; if (startups < options.max_startups_begin) return 0; @@ -760,12 +761,11 @@ drop_connection(int startups) p = 100 - options.max_startups_rate; p *= startups - options.max_startups_begin; - p /= (double) (options.max_startups - options.max_startups_begin); + p /= options.max_startups - options.max_startups_begin; p += options.max_startups_rate; - p /= 100.0; - r = arc4random() / (double) UINT_MAX; + r = arc4random() % 100; - debug("drop_connection: p %g, r %g", p, r); + debug("drop_connection: p %d, r %d", p, r); return (r < p) ? 1 : 0; } @@ -773,7 +773,7 @@ static void usage(void) { fprintf(stderr, "%s, %s\n", - SSH_VERSION, SSLeay_version(SSLEAY_VERSION)); + SSH_RELEASE, SSLeay_version(SSLEAY_VERSION)); fprintf(stderr, "usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]\n" " [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]\n" @@ -799,6 +799,7 @@ send_rexec_state(int fd, Buffer *conf) * bignum iqmp " * bignum p " * bignum q " + * string rngseed (only if OpenSSL is not self-seeded) */ buffer_init(&m); buffer_put_cstring(&m, buffer_ptr(conf)); @@ -815,6 +816,10 @@ send_rexec_state(int fd, Buffer *conf) } else buffer_put_int(&m, 0); +#ifndef OPENSSL_PRNG_ONLY + rexec_send_rng_seed(&m); +#endif + if (ssh_msg_send(fd, 0, &m) == -1) fatal("%s: ssh_msg_send failed", __func__); @@ -857,6 +862,11 @@ recv_rexec_state(int fd, Buffer *conf) rsa_generate_additional_parameters( sensitive_data.server_key->rsa); } + +#ifndef OPENSSL_PRNG_ONLY + rexec_recv_rng_seed(&m); +#endif + buffer_free(&m); debug3("%s: done", __func__); @@ -883,7 +893,7 @@ main(int ac, char **av) char ntop[NI_MAXHOST], strport[NI_MAXSERV]; char *line; int listen_sock, maxfd; - int startup_p[2], config_s[2]; + int startup_p[2] = { -1 , -1 }, config_s[2] = { -1 , -1 }; int startups = 0; Key *key; Authctxt *authctxt; @@ -913,6 +923,9 @@ main(int ac, char **av) if (geteuid() == 0 && setgroups(0, NULL) == -1) debug("setgroups(): %.200s", strerror(errno)); + /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ + sanitise_stdfd(); + /* Initialize configuration options to their default values. */ initialize_server_options(&options); @@ -920,10 +933,10 @@ main(int ac, char **av) while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:dDeiqrtQR46")) != -1) { switch (opt) { case '4': - IPv4or6 = AF_INET; + options.address_family = AF_INET; break; case '6': - IPv4or6 = AF_INET6; + options.address_family = AF_INET6; break; case 'f': config_file_name = optarg; @@ -1024,7 +1037,6 @@ main(int ac, char **av) closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); SSLeay_add_all_algorithms(); - channel_set_af(IPv4or6); /* * Force logging to stderr until we have loaded the private host @@ -1037,13 +1049,13 @@ main(int ac, char **av) SYSLOG_FACILITY_AUTH : options.log_facility, log_stderr || !inetd_flag); -#ifdef _AIX /* * Unset KRB5CCNAME, otherwise the user's session may inherit it from * root's environment - */ - unsetenv("KRB5CCNAME"); -#endif /* _AIX */ + */ + if (getenv("KRB5CCNAME") != NULL) + unsetenv("KRB5CCNAME"); + #ifdef _UNICOS /* Cray can define user privs drop all privs now! * Not needed on PRIV_SU systems! @@ -1051,8 +1063,6 @@ main(int ac, char **av) drop_cray_privs(); #endif - seed_rng(); - sensitive_data.server_key = NULL; sensitive_data.ssh1_host_key = NULL; sensitive_data.have_ssh1_key = 0; @@ -1071,16 +1081,21 @@ main(int ac, char **av) if (!rexec_flag) buffer_free(&cfg); + seed_rng(); + /* Fill in default values for those options not explicitly set. */ fill_default_server_options(&options); + /* set default channel AF */ + channel_set_af(options.address_family); + /* Check that there are no remaining arguments. */ if (optind < ac) { fprintf(stderr, "Extra argument %s.\n", av[optind]); exit(1); } - debug("sshd version %.100s", SSH_VERSION); + debug("sshd version %.100s", SSH_RELEASE); /* load private host keys */ sensitive_data.host_keys = xmalloc(options.num_host_key_files * @@ -1196,7 +1211,7 @@ main(int ac, char **av) } /* Initialize the log (it is reinitialized below in case we forked). */ - if (debug_flag && !inetd_flag) + if (debug_flag && (!inetd_flag || rexeced_flag)) log_stderr = 1; log_init(__progname, options.log_level, options.log_facility, log_stderr); @@ -1272,10 +1287,12 @@ main(int ac, char **av) if (num_listen_socks >= MAX_LISTEN_SOCKS) fatal("Too many listen sockets. " "Enlarge MAX_LISTEN_SOCKS"); - if (getnameinfo(ai->ai_addr, ai->ai_addrlen, + if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), strport, sizeof(strport), - NI_NUMERICHOST|NI_NUMERICSERV) != 0) { - error("getnameinfo failed"); + NI_NUMERICHOST|NI_NUMERICSERV)) != 0) { + error("getnameinfo failed: %.100s", + (ret != EAI_SYSTEM) ? gai_strerror(ret) : + strerror(errno)); continue; } /* Create socket for listening. */ @@ -1506,7 +1523,8 @@ main(int ac, char **av) sock_in = newsock; sock_out = newsock; log_init(__progname, options.log_level, options.log_facility, log_stderr); - close(config_s[0]); + if (rexec_flag) + close(config_s[0]); break; } } @@ -1548,6 +1566,21 @@ main(int ac, char **av) /* This is the child processing a new connection. */ setproctitle("%s", "[accepted]"); + /* + * Create a new session and process group since the 4.4BSD + * setlogin() affects the entire process group. We don't + * want the child to be able to affect the parent. + */ +#if !defined(SSHD_ACQUIRES_CTTY) + /* + * If setsid is called, on some platforms sshd will later acquire a + * controlling terminal which will result in "could not set + * controlling tty" errors. + */ + if (!debug_flag && !inetd_flag && setsid() < 0) + error("setsid: %.100s", strerror(errno)); +#endif + if (rexec_flag) { int fd; @@ -1562,7 +1595,8 @@ main(int ac, char **av) dup2(config_s[1], REEXEC_CONFIG_PASS_FD); close(config_s[1]); - close(startup_pipe); + if (startup_pipe != -1) + close(startup_pipe); execv(rexec_argv[0], rexec_argv); @@ -1587,21 +1621,6 @@ main(int ac, char **av) sock_in, sock_out, newsock, startup_pipe, config_s[0]); } - /* - * Create a new session and process group since the 4.4BSD - * setlogin() affects the entire process group. We don't - * want the child to be able to affect the parent. - */ -#if !defined(SSHD_ACQUIRES_CTTY) - /* - * If setsid is called, on some platforms sshd will later acquire a - * controlling terminal which will result in "could not set - * controlling tty" errors. - */ - if (!debug_flag && !inetd_flag && setsid() < 0) - error("setsid: %.100s", strerror(errno)); -#endif - /* * Disable the key regeneration alarm. We will not regenerate the * key since we are no longer in a position to give it to anyone. We @@ -1615,21 +1634,32 @@ main(int ac, char **av) signal(SIGCHLD, SIG_DFL); signal(SIGINT, SIG_DFL); - /* Set SO_KEEPALIVE if requested. */ - if (options.tcp_keep_alive && - setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, - sizeof(on)) < 0) - error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); - /* * Register our connection. This turns encryption off because we do * not have a key. */ packet_set_connection(sock_in, sock_out); + packet_set_server(); + + /* Set SO_KEEPALIVE if requested. */ + if (options.tcp_keep_alive && packet_connection_is_on_socket() && + setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0) + error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); + + if ((remote_port = get_remote_port()) < 0) { + debug("get_remote_port failed"); + cleanup_exit(255); + } - remote_port = get_remote_port(); - remote_ip = get_remote_ipaddr(); + /* + * We use get_canonical_hostname with usedns = 0 instead of + * get_remote_ipaddr here so IP options will be checked. + */ + remote_ip = get_canonical_hostname(0); +#ifdef SSH_AUDIT_EVENTS + audit_connection_from(remote_ip, remote_port); +#endif #ifdef LIBWRAP /* Check whether logins are denied from this host. */ if (packet_connection_is_on_socket()) { @@ -1651,10 +1681,10 @@ main(int ac, char **av) verbose("Connection from %.500s port %d", remote_ip, remote_port); /* - * We don\'t want to listen forever unless the other side + * We don't want to listen forever unless the other side * successfully authenticates itself. So we set up an alarm which is * cleared after successful authentication. A limit of zero - * indicates no limit. Note that we don\'t set the alarm in debugging + * indicates no limit. Note that we don't set the alarm in debugging * mode; it is just annoying to have the server exit just when you * are about to discover the bug. */ @@ -1666,16 +1696,18 @@ main(int ac, char **av) packet_set_nonblocking(); - /* prepare buffers to collect authentication messages */ - buffer_init(&loginmsg); - /* allocate authentication context */ authctxt = xmalloc(sizeof(*authctxt)); memset(authctxt, 0, sizeof(*authctxt)); + authctxt->loginmsg = &loginmsg; + /* XXX global for cleanup, access from other modules */ the_authctxt = authctxt; + /* prepare buffer to collect messages to display to user after login */ + buffer_init(&loginmsg); + if (use_privsep) if (privsep_preauth(authctxt) == 1) goto authenticated; @@ -1699,6 +1731,21 @@ main(int ac, char **av) } authenticated: + /* + * Cancel the alarm we set to limit the time taken for + * authentication. + */ + alarm(0); + signal(SIGALRM, SIG_DFL); + if (startup_pipe != -1) { + close(startup_pipe); + startup_pipe = -1; + } + +#ifdef SSH_AUDIT_EVENTS + audit_event(SSH_AUTH_SUCCESS); +#endif + /* * In privilege separation, we fork another child and prepare * file descriptor passing. @@ -1721,6 +1768,10 @@ main(int ac, char **av) finish_pam(); #endif /* USE_PAM */ +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_CONNECTION_CLOSE)); +#endif + packet_close(); if (use_privsep) @@ -1885,7 +1936,7 @@ do_ssh1_kex(void) if (!rsafail) { BN_mask_bits(session_key_int, sizeof(session_key) * 8); len = BN_num_bytes(session_key_int); - if (len < 0 || len > sizeof(session_key)) { + if (len < 0 || (u_int)len > sizeof(session_key)) { error("do_connection: bad session key len from %s: " "session_key_int %d > sizeof(session_key) %lu", get_remote_ipaddr(), len, (u_long)sizeof(session_key)); @@ -1972,10 +2023,14 @@ do_ssh2_kex(void) myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; } - if (!options.compression) { + if (options.compression == COMP_NONE) { myproposal[PROPOSAL_COMP_ALGS_CTOS] = myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; + } else if (options.compression == COMP_DELAYED) { + myproposal[PROPOSAL_COMP_ALGS_CTOS] = + myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com"; } + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); /* start key exchange */ @@ -2012,5 +2067,10 @@ cleanup_exit(int i) { if (the_authctxt) do_cleanup(the_authctxt); +#ifdef SSH_AUDIT_EVENTS + /* done after do_cleanup so it can cancel the PAM auth 'thread' */ + if (!use_privsep || mm_is_monitor()) + audit_event(SSH_CONNECTION_ABANDON); +#endif _exit(i); }