From 0d34d6ceed345dd8d342758ecf0526819181478c Mon Sep 17 00:00:00 2001
From: djm <djm>
Date: Thu, 17 Jun 2004 15:19:03 +0000
Subject: [PATCH]    - djm@cvs.openbsd.org 2004/06/17 15:10:14     
 [clientloop.c misc.h readconf.c readpass.c ssh.c ssh_config.5]      Add
 option for confirmation (ControlMaster=ask) via ssh-askpass before     
 opening shared connections; ok markus@

---
 ChangeLog    |  4 ++++
 clientloop.c | 38 ++++++++++++++++++++++++++++++++++----
 misc.h       |  3 ++-
 readconf.c   |  4 ++--
 readpass.c   |  9 +++++++--
 ssh.c        |  7 +++++--
 ssh_config.5 | 11 ++++++++++-
 7 files changed, 64 insertions(+), 12 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f08d4f82..e7105f67 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,10 @@
    - djm@cvs.openbsd.org 2004/06/17 14:52:48
      [clientloop.c clientloop.h ssh.c]
      support environment passing over shared connections; ok markus@
+   - djm@cvs.openbsd.org 2004/06/17 15:10:14
+     [clientloop.c misc.h readconf.c readpass.c ssh.c ssh_config.5]
+     Add option for confirmation (ControlMaster=ask) via ssh-askpass before 
+     opening shared connections; ok markus@
 
 20040617
  - (dtucker) [regress/scp.sh] diff -N is not portable (but needed for some
diff --git a/clientloop.c b/clientloop.c
index eb320033..8f2f270d 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -59,7 +59,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: clientloop.c,v 1.126 2004/06/17 14:52:48 djm Exp $");
+RCSID("$OpenBSD: clientloop.c,v 1.127 2004/06/17 15:10:13 djm Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -549,7 +549,7 @@ client_extra_session2_setup(int id, void *arg)
 	client_session2_setup(id, cctx->want_tty, cctx->want_subsys, 
 	    cctx->term, &cctx->tio, c->rfd, &cctx->cmd, cctx->env,
 	    client_subsystem_reply);
-	
+
 	c->confirm_ctx = NULL;
 	buffer_free(&cctx->cmd);
 	xfree(cctx->term);
@@ -566,7 +566,7 @@ client_process_control(fd_set * readset)
 {
 	Buffer m;
 	Channel *c;
-	int client_fd, new_fd[3], ver, i;
+	int client_fd, new_fd[3], ver, i, allowed;
 	socklen_t addrlen;
 	struct sockaddr_storage addr;
 	struct confirm_ctx *cctx;
@@ -600,23 +600,52 @@ client_process_control(fd_set * readset)
 		close(client_fd);
 		return;
 	}
-	/* XXX: implement use of ssh-askpass to confirm additional channels */
+
+	allowed = 1;
+	if (options.control_master == 2) {
+		char *p, prompt[1024];
+
+		allowed = 0;
+		snprintf(prompt, sizeof(prompt),
+		    "Allow shared connection to %s? ", host);
+		p = read_passphrase(prompt, RP_USE_ASKPASS|RP_ALLOW_EOF);
+		if (p != NULL) {
+			/*
+			 * Accept empty responses and responses consisting
+			 * of the word "yes" as affirmative.
+			 */
+			if (*p == '\0' || *p == '\n' || 
+			    strcasecmp(p, "yes") == 0)
+				allowed = 1;
+			xfree(p);
+		}
+	}
 
 	unset_nonblock(client_fd);
 
 	buffer_init(&m);
 
+	buffer_put_int(&m, allowed);
 	buffer_put_int(&m, getpid());
 	if (ssh_msg_send(client_fd, /* version */0, &m) == -1) {
 		error("%s: client msg_send failed", __func__);
 		close(client_fd);
+		buffer_free(&m);
 		return;
 	}
 	buffer_clear(&m);
 
+	if (!allowed) {
+		error("Refused control connection");
+		close(client_fd);
+		buffer_free(&m);
+		return;
+	}
+
 	if (ssh_msg_recv(client_fd, &m) == -1) {
 		error("%s: client msg_recv failed", __func__);
 		close(client_fd);
+		buffer_free(&m);
 		return;
 	}
 
@@ -670,6 +699,7 @@ client_process_control(fd_set * readset)
 		close(new_fd[0]);
 		close(new_fd[1]);
 		close(new_fd[2]);
+		buffer_free(&m);
 		return;
 	}
 	buffer_free(&m);
diff --git a/misc.h b/misc.h
index 6a4eff13..ffa8d8f2 100644
--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: misc.h,v 1.15 2004/06/14 01:44:39 djm Exp $	*/
+/*	$OpenBSD: misc.h,v 1.16 2004/06/17 15:10:14 djm Exp $	*/
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -43,5 +43,6 @@ char	*tilde_expand_filename(const char *, uid_t);
 #define RP_ECHO			0x0001
 #define RP_ALLOW_STDIN		0x0002
 #define RP_ALLOW_EOF		0x0004
+#define RP_USE_ASKPASS		0x0008
 
 char	*read_passphrase(const char *, int);
diff --git a/readconf.c b/readconf.c
index 2b1d7cc4..429f6912 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.132 2004/06/13 15:03:02 djm Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.133 2004/06/17 15:10:14 djm Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -772,7 +772,7 @@ parse_int:
 
 	case oControlMaster:
 		intptr = &options->control_master;
-		goto parse_flag;
+		goto parse_yesnoask;
 
 	case oDeprecated:
 		debug("%s line %d: Deprecated option \"%s\"",
diff --git a/readpass.c b/readpass.c
index fc7629c3..eb4f6fdb 100644
--- a/readpass.c
+++ b/readpass.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: readpass.c,v 1.29 2004/05/08 00:21:31 djm Exp $");
+RCSID("$OpenBSD: readpass.c,v 1.30 2004/06/17 15:10:14 djm Exp $");
 
 #include "xmalloc.h"
 #include "misc.h"
@@ -103,7 +103,9 @@ read_passphrase(const char *prompt, int flags)
 	int rppflags, use_askpass = 0, ttyfd;
 
 	rppflags = (flags & RP_ECHO) ? RPP_ECHO_ON : RPP_ECHO_OFF;
-	if (flags & RP_ALLOW_STDIN) {
+	if (flags & RP_USE_ASKPASS)
+		use_askpass = 1;
+	else if (flags & RP_ALLOW_STDIN) {
 		if (!isatty(STDIN_FILENO))
 			use_askpass = 1;
 	} else {
@@ -115,6 +117,9 @@ read_passphrase(const char *prompt, int flags)
 			use_askpass = 1;
 	}
 
+	if ((flags & RP_USE_ASKPASS) && getenv("DISPLAY") == NULL)
+		return (flags & RP_ALLOW_EOF) ? NULL : xstrdup("");
+
 	if (use_askpass && getenv("DISPLAY")) {
 		if (getenv(SSH_ASKPASS_ENV))
 			askpass = getenv(SSH_ASKPASS_ENV);
diff --git a/ssh.c b/ssh.c
index 9b434b93..6f8114d5 100644
--- a/ssh.c
+++ b/ssh.c
@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.215 2004/06/17 14:52:48 djm Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.216 2004/06/17 15:10:14 djm Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -1044,7 +1044,7 @@ ssh_control_listener(void)
 	mode_t old_umask;
 	int addr_len;
 
-	if (options.control_path == NULL || options.control_master != 1)
+	if (options.control_path == NULL || options.control_master <= 0)
 		return;
 
 	memset(&addr, '\0', sizeof(addr));
@@ -1266,6 +1266,9 @@ control_client(const char *path)
 		fatal("%s: msg_recv", __func__);
 	if (buffer_get_char(&m) != 0)
 		fatal("%s: wrong version", __func__);
+	/* Connection allowed? */
+	if (buffer_get_int(&m) != 1)
+		fatal("Connection to master denied");
 	control_server_pid = buffer_get_int(&m);
 
 	buffer_clear(&m);
diff --git a/ssh_config.5 b/ssh_config.5
index bab11d31..3e8c1db0 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.36 2004/06/13 15:03:02 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.37 2004/06/17 15:10:14 djm Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -273,6 +273,15 @@ set to
 (the default.)
 These sessions will reuse the master instance's network connection rather
 than initiating new ones.
+Setting this to
+.Dq ask
+will cause
+.Nm ssh
+to listen for control connections, but require confirmation using the
+.Ev SSH_ASKPASS
+program before they are accepted (see
+.Xr ssh-add 1
+for details)
 .It Cm ControlPath
 Specify a the path to the control socket used for connection sharing.
 See
-- 
2.45.2