/* $OpenBSD: ssh.c,v 1.318 2008/07/02 13:47:39 djm Exp $ */
/*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
 * Ssh client program. This program can be used to log into a remote machine.
 * The software supports strong authentication, encryption, and forwarding
 * of X11, TCP/IP, and authentication connections.
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose. Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
 *
 * Copyright (c) 1999 Niels Provos. All rights reserved.
 * Copyright (c) 2000, 2001, 2002, 2003 Markus Friedl. All rights reserved.
 *
 * Modified to work with SSL by Niels Provos <provos@citi.umich.edu>
 * in Canada (German citizen).
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
#include "includes.h" |
#include <sys/types.h> |
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
#endif
#include <sys/resource.h> |
#include <sys/ioctl.h> |
#include <sys/socket.h> |
#include <ctype.h> |
#include <errno.h> |
#include <fcntl.h> |
#include <netdb.h> |
#ifdef HAVE_PATHS_H
#include <paths.h> |
#endif
#include <pwd.h> |
#include <signal.h> |
#include <stdarg.h> |
#include <stddef.h> |
#include <stdio.h> |
#include <stdlib.h> |
#include <string.h> |
#include <unistd.h> |
#include <netinet/in.h> |
#include <arpa/inet.h> |
#include <openssl/evp.h> |
#include <openssl/err.h> |
#include "openbsd-compat/openssl-compat.h" |
#include "openbsd-compat/sys-queue.h" |
#include "xmalloc.h" |
#include "ssh.h" |
#include "ssh1.h" |
#include "ssh2.h" |
#include "compat.h" |
#include "cipher.h" |
#include "packet.h" |
#include "buffer.h" |
#include "channels.h" |
#include "key.h" |
#include "authfd.h" |
#include "authfile.h" |
#include "pathnames.h" |
#include "dispatch.h" |
#include "clientloop.h" |
#include "log.h" |
#include "readconf.h" |
#include "sshconnect.h" |
#include "misc.h" |
#include "kex.h" |
#include "mac.h" |
#include "sshpty.h" |
#include "match.h" |
#include "msg.h" |
#include "uidswap.h" |
#include "version.h" |
#ifdef SMARTCARD
#include "scard.h" |
#endif
/* Program name; main() fills it in from av[0] via ssh_get_progname(). */
extern char *__progname;

/* -v: debug mode.  Each further -v raises the log level one step. */
int debug_flag = 0;

/*
 * Pseudo-tty control: -t requests a tty, -T (and -N) refuses one, and a
 * second -t forces allocation even when stdin is not a terminal.
 */
int tty_flag = 0, no_tty_flag = 0, force_tty_flag = 0;

/* -N: do not execute a remote shell or command. */
int no_shell_flag = 0;

/* -n (also implied by -f): nothing is to be read from stdin. */
int stdin_null_flag = 0;

/*
 * -f: go to the background once authentication has completed, so the
 * passphrase can still be typed interactively beforehand.
 */
int fork_after_authentication_flag = 0;

/* Merged command-line and configuration-file options; see readconf.h. */
Options options;

/* -F: user-supplied configuration file, or NULL for the default search. */
char *config = NULL;

/*
 * Host to connect to: the name given on the command line, or the
 * HostName configured for that name in a configuration file.
 */
char *host = NULL;

/* Socket address that host resolves to. */
struct sockaddr_storage hostaddr;

/* Host private (or public) keys for rhosts-rsa / hostbased authentication. */
Sensitive sensitive_data;

/* Real and effective UIDs at start-up, saved before any uid swapping. */
uid_t original_real_uid, original_effective_uid;

/* Remote command line, assembled from the non-option arguments. */
Buffer command;

/* -s: the remote command names a subsystem rather than a program. */
int subsystem_flag = 0;

/* Number of replies received so far for remote-forward global requests. */
static int remote_forward_confirms_received = 0;

/* pid of the ProxyCommand child; initially 0. */
pid_t proxy_command_pid = 0;

/* Shared with mux.c. */
extern int muxserver_sock;
extern u_int muxclient_command;
/*
 * Prints the command-line usage summary to stderr and terminates the
 * process with exit status 255.  Never returns.
 */
static void
usage(void)
{
	static const char usage_text[] =
	    "usage: ssh [-1246AaCfgKkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
	    " [-D [bind_address:]port] [-e escape_char] [-F configfile]\n"
	    " [-i identity_file] [-L [bind_address:]port:host:hostport]\n"
	    " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
	    " [-R [bind_address:]port:host:hostport] [-S ctl_path]\n"
	    " [-w local_tun[:remote_tun]] [user@]hostname [command]\n";

	/* The text carries no conversion specifications, so fputs() suffices. */
	fputs(usage_text, stderr);
	exit(255);
}
/*
 * Session handlers, presumably for protocol 1 and protocol 2 respectively;
 * both are static, so their bodies live later in this file.
 */
static int ssh_session(void), ssh_session2(void);

/* Identity-file loader; static, defined later in this file. */
static void load_public_identity_files(void);

/* Connection-multiplexing entry points, from muxclient.c. */
void muxclient(const char *path);
void muxserver_listen(void);
/*
* Main program for the ssh client.
*/
int
|
|
204 |
main(int ac, char **av) |
|
205 |
{
|
|
206 |
int i, opt, exit_status; |
|
207 |
char *p, *cp, *line, buf[256]; |
|
208 |
struct stat st; |
|
209 |
struct passwd *pw; |
|
1.13.3
by Colin Watson
Import upstream version 5.1p1 |
210 |
int dummy, timeout_ms; |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
211 |
extern int optind, optreset; |
212 |
extern char *optarg; |
|
1.1.3
by Colin Watson
Import upstream version 4.2p1 |
213 |
struct servent *sp; |
1.1.2
by Colin Watson
Import upstream version 4.1p1 |
214 |
Forward fwd; |
1.6.1
by Colin Watson
Import upstream version 4.3p2 |
215 |
|
216 |
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
|
217 |
sanitise_stdfd(); |
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
218 |
|
219 |
__progname = ssh_get_progname(av[0]); |
|
220 |
init_rng(); |
|
221 |
||
222 |
/*
|
|
223 |
* Save the original real uid. It will be needed later (uid-swapping
|
|
224 |
* may clobber the real uid).
|
|
225 |
*/
|
|
226 |
original_real_uid = getuid(); |
|
227 |
original_effective_uid = geteuid(); |
|
228 |
||
229 |
/*
|
|
230 |
* Use uid-swapping to give up root privileges for the duration of
|
|
231 |
* option processing. We will re-instantiate the rights when we are
|
|
232 |
* ready to create the privileged port, and will permanently drop
|
|
233 |
* them when the port has been created (actually, when the connection
|
|
234 |
* has been made, as we may need to create the port several times).
|
|
235 |
*/
|
|
236 |
PRIV_END; |
|
237 |
||
238 |
#ifdef HAVE_SETRLIMIT
|
|
239 |
/* If we are installed setuid root be careful to not drop core. */
|
|
240 |
if (original_real_uid != original_effective_uid) { |
|
241 |
struct rlimit rlim; |
|
242 |
rlim.rlim_cur = rlim.rlim_max = 0; |
|
243 |
if (setrlimit(RLIMIT_CORE, &rlim) < 0) |
|
244 |
fatal("setrlimit failed: %.100s", strerror(errno)); |
|
245 |
}
|
|
246 |
#endif
|
|
247 |
/* Get user data. */
|
|
248 |
pw = getpwuid(original_real_uid); |
|
249 |
if (!pw) { |
|
250 |
logit("You don't exist, go away!"); |
|
1.6.1
by Colin Watson
Import upstream version 4.3p2 |
251 |
exit(255); |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
252 |
}
|
253 |
/* Take a copy of the returned structure. */
|
|
254 |
pw = pwcopy(pw); |
|
255 |
||
256 |
/*
|
|
257 |
* Set our umask to something reasonable, as some files are created
|
|
258 |
* with the default umask. This will make them world-readable but
|
|
259 |
* writable only by the owner, which is ok for all files for which we
|
|
260 |
* don't set the modes explicitly.
|
|
261 |
*/
|
|
262 |
umask(022); |
|
263 |
||
1.13.3
by Colin Watson
Import upstream version 5.1p1 |
264 |
/*
|
265 |
* Initialize option structure to indicate that no values have been
|
|
266 |
* set.
|
|
267 |
*/
|
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
268 |
initialize_options(&options); |
269 |
||
270 |
/* Parse command-line arguments. */
|
|
271 |
host = NULL; |
|
272 |
||
1.13.1
by Colin Watson
Import upstream version 4.6p1 |
273 |
again: |
1.13.3
by Colin Watson
Import upstream version 5.1p1 |
274 |
while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" |
275 |
"ACD:F:I:KL:MNO:PR:S:TVw:XY")) != -1) { |
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
276 |
switch (opt) { |
277 |
case '1': |
|
278 |
options.protocol = SSH_PROTO_1; |
|
279 |
break; |
|
280 |
case '2': |
|
281 |
options.protocol = SSH_PROTO_2; |
|
282 |
break; |
|
283 |
case '4': |
|
284 |
options.address_family = AF_INET; |
|
285 |
break; |
|
286 |
case '6': |
|
287 |
options.address_family = AF_INET6; |
|
288 |
break; |
|
289 |
case 'n': |
|
290 |
stdin_null_flag = 1; |
|
291 |
break; |
|
292 |
case 'f': |
|
293 |
fork_after_authentication_flag = 1; |
|
294 |
stdin_null_flag = 1; |
|
295 |
break; |
|
296 |
case 'x': |
|
297 |
options.forward_x11 = 0; |
|
298 |
break; |
|
299 |
case 'X': |
|
300 |
options.forward_x11 = 1; |
|
301 |
break; |
|
302 |
case 'Y': |
|
303 |
options.forward_x11 = 1; |
|
304 |
options.forward_x11_trusted = 1; |
|
305 |
break; |
|
306 |
case 'g': |
|
307 |
options.gateway_ports = 1; |
|
308 |
break; |
|
1.1.2
by Colin Watson
Import upstream version 4.1p1 |
309 |
case 'O': |
310 |
if (strcmp(optarg, "check") == 0) |
|
1.13.3
by Colin Watson
Import upstream version 5.1p1 |
311 |
muxclient_command = SSHMUX_COMMAND_ALIVE_CHECK; |
1.1.2
by Colin Watson
Import upstream version 4.1p1 |
312 |
else if (strcmp(optarg, "exit") == 0) |
1.13.3
by Colin Watson
Import upstream version 5.1p1 |
313 |
muxclient_command = SSHMUX_COMMAND_TERMINATE; |
1.1.2
by Colin Watson
Import upstream version 4.1p1 |
314 |
else
|
315 |
fatal("Invalid multiplex command."); |
|
316 |
break; |
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
317 |
case 'P': /* deprecated */ |
318 |
options.use_privileged_port = 0; |
|
319 |
break; |
|
320 |
case 'a': |
|
321 |
options.forward_agent = 0; |
|
322 |
break; |
|
323 |
case 'A': |
|
324 |
options.forward_agent = 1; |
|
325 |
break; |
|
326 |
case 'k': |
|
327 |
options.gss_deleg_creds = 0; |
|
328 |
break; |
|
18
by Colin Watson
* Resynchronise with Debian. Remaining changes: |
329 |
case 'K': |
1.13.2
by Colin Watson
Import upstream version 4.7p1 |
330 |
options.gss_authentication = 1; |
18
by Colin Watson
* Resynchronise with Debian. Remaining changes: |
331 |
options.gss_deleg_creds = 1; |
332 |
break; |
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
333 |
case 'i': |
334 |
if (stat(optarg, &st) < 0) { |
|
335 |
fprintf(stderr, "Warning: Identity file %s " |
|
1.1.2
by Colin Watson
Import upstream version 4.1p1 |
336 |
"not accessible: %s.\n", optarg, |
337 |
strerror(errno)); |
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
338 |
break; |
339 |
}
|
|
340 |
if (options.num_identity_files >= |
|
341 |
SSH_MAX_IDENTITY_FILES) |
|
342 |
fatal("Too many identity files specified " |
|
343 |
"(max %d)", SSH_MAX_IDENTITY_FILES); |
|
344 |
options.identity_files[options.num_identity_files++] = |
|
345 |
xstrdup(optarg); |
|
346 |
break; |
|
347 |
case 'I': |
|
348 |
#ifdef SMARTCARD
|
|
349 |
options.smartcard_device = xstrdup(optarg); |
|
350 |
#else
|
|
351 |
fprintf(stderr, "no support for smartcards.\n"); |
|
352 |
#endif
|
|
353 |
break; |
|
354 |
case 't': |
|
355 |
if (tty_flag) |
|
356 |
force_tty_flag = 1; |
|
357 |
tty_flag = 1; |
|
358 |
break; |
|
359 |
case 'v': |
|
360 |
if (debug_flag == 0) { |
|
361 |
debug_flag = 1; |
|
362 |
options.log_level = SYSLOG_LEVEL_DEBUG1; |
|
363 |
} else { |
|
364 |
if (options.log_level < SYSLOG_LEVEL_DEBUG3) |
|
365 |
options.log_level++; |
|
366 |
break; |
|
367 |
}
|
|
1.1.2
by Colin Watson
Import upstream version 4.1p1 |
368 |
/* FALLTHROUGH */
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
369 |
case 'V': |
370 |
fprintf(stderr, "%s, %s\n", |
|
1.1.2
by Colin Watson
Import upstream version 4.1p1 |
371 |
SSH_RELEASE, SSLeay_version(SSLEAY_VERSION)); |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
372 |
if (opt == 'V') |
373 |
exit(0); |
|
374 |
break; |
|
1.6.1
by Colin Watson
Import upstream version 4.3p2 |
375 |
case 'w': |
376 |
if (options.tun_open == -1) |
|
377 |
options.tun_open = SSH_TUNMODE_DEFAULT; |
|
378 |
options.tun_local = a2tun(optarg, &options.tun_remote); |
|
379 |
if (options.tun_local == SSH_TUNID_ERR) { |
|
1.13.3
by Colin Watson
Import upstream version 5.1p1 |
380 |
fprintf(stderr, |
381 |
"Bad tun device '%s'\n", optarg); |
|
1.6.1
by Colin Watson
Import upstream version 4.3p2 |
382 |
exit(255); |
383 |
}
|
|
384 |
break; |
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
385 |
case 'q': |
2
by Colin Watson
* Nathaniel McCallum: |
386 |
if (options.log_level == SYSLOG_LEVEL_QUIET) { |
387 |
options.log_level = SYSLOG_LEVEL_SILENT; |
|
388 |
}
|
|
389 |
else if (options.log_level != SYSLOG_LEVEL_SILENT) { |
|
390 |
options.log_level = SYSLOG_LEVEL_QUIET; |
|
391 |
}
|
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
392 |
break; |
393 |
case 'e': |
|
394 |
if (optarg[0] == '^' && optarg[2] == 0 && |
|
395 |
(u_char) optarg[1] >= 64 && |
|
396 |
(u_char) optarg[1] < 128) |
|
397 |
options.escape_char = (u_char) optarg[1] & 31; |
|
398 |
else if (strlen(optarg) == 1) |
|
399 |
options.escape_char = (u_char) optarg[0]; |
|
400 |
else if (strcmp(optarg, "none") == 0) |
|
401 |
options.escape_char = SSH_ESCAPECHAR_NONE; |
|
402 |
else { |
|
403 |
fprintf(stderr, "Bad escape character '%s'.\n", |
|
404 |
optarg); |
|
1.6.1
by Colin Watson
Import upstream version 4.3p2 |
405 |
exit(255); |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
406 |
}
|
407 |
break; |
|
408 |
case 'c': |
|
409 |
if (ciphers_valid(optarg)) { |
|
410 |
/* SSH2 only */
|
|
411 |
options.ciphers = xstrdup(optarg); |
|
1.1.1
by Colin Watson
Import upstream version 3.9p1 |
412 |
options.cipher = SSH_CIPHER_INVALID; |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
413 |
} else { |
414 |
/* SSH1 only */
|
|
415 |
options.cipher = cipher_number(optarg); |
|
416 |
if (options.cipher == -1) { |
|
417 |
fprintf(stderr, |
|
418 |
"Unknown cipher type '%s'\n", |
|
419 |
optarg); |
|
1.6.1
by Colin Watson
Import upstream version 4.3p2 |
420 |
exit(255); |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
421 |
}
|
422 |
if (options.cipher == SSH_CIPHER_3DES) |
|
423 |
options.ciphers = "3des-cbc"; |
|
424 |
else if (options.cipher == SSH_CIPHER_BLOWFISH) |
|
425 |
options.ciphers = "blowfish-cbc"; |
|
426 |
else
|
|
427 |
options.ciphers = (char *)-1; |
|
428 |
}
|
|
429 |
break; |
|
430 |
case 'm': |
|
431 |
if (mac_valid(optarg)) |
|
432 |
options.macs = xstrdup(optarg); |
|
433 |
else { |
|
434 |
fprintf(stderr, "Unknown mac type '%s'\n", |
|
435 |
optarg); |
|
1.6.1
by Colin Watson
Import upstream version 4.3p2 |
436 |
exit(255); |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
437 |
}
|
438 |
break; |
|
1.1.1
by Colin Watson
Import upstream version 3.9p1 |
439 |
case 'M': |
1.1.3
by Colin Watson
Import upstream version 4.2p1 |
440 |
if (options.control_master == SSHCTL_MASTER_YES) |
441 |
options.control_master = SSHCTL_MASTER_ASK; |
|
442 |
else
|
|
443 |
options.control_master = SSHCTL_MASTER_YES; |
|
1.1.1
by Colin Watson
Import upstream version 3.9p1 |
444 |
break; |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
445 |
case 'p': |
446 |
options.port = a2port(optarg); |
|
447 |
if (options.port == 0) { |
|
448 |
fprintf(stderr, "Bad port '%s'\n", optarg); |
|
1.6.1
by Colin Watson
Import upstream version 4.3p2 |
449 |
exit(255); |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
450 |
}
|
451 |
break; |
|
452 |
case 'l': |
|
453 |
options.user = optarg; |
|
454 |
break; |
|
455 |
||
456 |
case 'L': |
|
1.1.2
by Colin Watson
Import upstream version 4.1p1 |
457 |
if (parse_forward(&fwd, optarg)) |
458 |
add_local_forward(&options, &fwd); |
|
459 |
else { |
|
460 |
fprintf(stderr, |
|
461 |
"Bad local forwarding specification '%s'\n", |
|
462 |
optarg); |
|
1.6.1
by Colin Watson
Import upstream version 4.3p2 |
463 |
exit(255); |
1.1.2
by Colin Watson
Import upstream version 4.1p1 |
464 |
}
|
465 |
break; |
|
466 |
||
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
467 |
case 'R': |
1.1.2
by Colin Watson
Import upstream version 4.1p1 |
468 |
if (parse_forward(&fwd, optarg)) { |
469 |
add_remote_forward(&options, &fwd); |
|
470 |
} else { |
|
471 |
fprintf(stderr, |
|
472 |
"Bad remote forwarding specification "
|
|
473 |
"'%s'\n", optarg); |
|
1.6.1
by Colin Watson
Import upstream version 4.3p2 |
474 |
exit(255); |
475 |
}
|
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
476 |
break; |
477 |
||
478 |
case 'D': |
|
1.1.2
by Colin Watson
Import upstream version 4.1p1 |
479 |
cp = p = xstrdup(optarg); |
480 |
memset(&fwd, '\0', sizeof(fwd)); |
|
481 |
fwd.connect_host = "socks"; |
|
482 |
if ((fwd.listen_host = hpdelim(&cp)) == NULL) { |
|
483 |
fprintf(stderr, "Bad dynamic forwarding " |
|
484 |
"specification '%.100s'\n", optarg); |
|
1.6.1
by Colin Watson
Import upstream version 4.3p2 |
485 |
exit(255); |
1.1.2
by Colin Watson
Import upstream version 4.1p1 |
486 |
}
|
487 |
if (cp != NULL) { |
|
488 |
fwd.listen_port = a2port(cp); |
|
1.13.3
by Colin Watson
Import upstream version 5.1p1 |
489 |
fwd.listen_host = |
490 |
cleanhostname(fwd.listen_host); |
|
1.1.2
by Colin Watson
Import upstream version 4.1p1 |
491 |
} else { |
492 |
fwd.listen_port = a2port(fwd.listen_host); |
|
4
by Colin Watson
* Add /usr/games to the default $PATH for non-privileged users. |
493 |
fwd.listen_host = NULL; |
1.1.2
by Colin Watson
Import upstream version 4.1p1 |
494 |
}
|
495 |
||
496 |
if (fwd.listen_port == 0) { |
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
497 |
fprintf(stderr, "Bad dynamic port '%s'\n", |
498 |
optarg); |
|
1.6.1
by Colin Watson
Import upstream version 4.3p2 |
499 |
exit(255); |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
500 |
}
|
1.1.2
by Colin Watson
Import upstream version 4.1p1 |
501 |
add_local_forward(&options, &fwd); |
502 |
xfree(p); |
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
503 |
break; |
504 |
||
505 |
case 'C': |
|
506 |
options.compression = 1; |
|
507 |
break; |
|
508 |
case 'N': |
|
509 |
no_shell_flag = 1; |
|
510 |
no_tty_flag = 1; |
|
511 |
break; |
|
512 |
case 'T': |
|
513 |
no_tty_flag = 1; |
|
514 |
break; |
|
515 |
case 'o': |
|
516 |
dummy = 1; |
|
517 |
line = xstrdup(optarg); |
|
518 |
if (process_config_line(&options, host ? host : "", |
|
519 |
line, "command-line", 0, &dummy) != 0) |
|
1.6.1
by Colin Watson
Import upstream version 4.3p2 |
520 |
exit(255); |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
521 |
xfree(line); |
522 |
break; |
|
523 |
case 's': |
|
524 |
subsystem_flag = 1; |
|
525 |
break; |
|
1.1.1
by Colin Watson
Import upstream version 3.9p1 |
526 |
case 'S': |
527 |
if (options.control_path != NULL) |
|
528 |
free(options.control_path); |
|
529 |
options.control_path = xstrdup(optarg); |
|
530 |
break; |
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
531 |
case 'b': |
532 |
options.bind_address = optarg; |
|
533 |
break; |
|
534 |
case 'F': |
|
535 |
config = optarg; |
|
536 |
break; |
|
537 |
default: |
|
538 |
usage(); |
|
539 |
}
|
|
540 |
}
|
|
541 |
||
542 |
ac -= optind; |
|
543 |
av += optind; |
|
544 |
||
545 |
if (ac > 0 && !host && **av != '-') { |
|
546 |
if (strrchr(*av, '@')) { |
|
547 |
p = xstrdup(*av); |
|
548 |
cp = strrchr(p, '@'); |
|
549 |
if (cp == NULL || cp == p) |
|
550 |
usage(); |
|
551 |
options.user = p; |
|
552 |
*cp = '\0'; |
|
553 |
host = ++cp; |
|
554 |
} else |
|
555 |
host = *av; |
|
556 |
if (ac > 1) { |
|
557 |
optind = optreset = 1; |
|
558 |
goto again; |
|
559 |
}
|
|
560 |
ac--, av++; |
|
561 |
}
|
|
562 |
||
563 |
/* Check that we got a host name. */
|
|
564 |
if (!host) |
|
565 |
usage(); |
|
566 |
||
567 |
SSLeay_add_all_algorithms(); |
|
568 |
ERR_load_crypto_strings(); |
|
569 |
||
570 |
/* Initialize the command to execute on remote host. */
|
|
571 |
buffer_init(&command); |
|
572 |
||
573 |
/*
|
|
574 |
* Save the command to execute on the remote host in a buffer. There
|
|
575 |
* is no limit on the length of the command, except by the maximum
|
|
576 |
* packet size. Also sets the tty flag if there is no command.
|
|
577 |
*/
|
|
578 |
if (!ac) { |
|
579 |
/* No command specified - execute shell on a tty. */
|
|
580 |
tty_flag = 1; |
|
581 |
if (subsystem_flag) { |
|
582 |
fprintf(stderr, |
|
583 |
"You must specify a subsystem to invoke.\n"); |
|
584 |
usage(); |
|
585 |
}
|
|
586 |
} else { |
|
587 |
/* A command has been specified. Store it into the buffer. */
|
|
588 |
for (i = 0; i < ac; i++) { |
|
589 |
if (i) |
|
590 |
buffer_append(&command, " ", 1); |
|
591 |
buffer_append(&command, av[i], strlen(av[i])); |
|
592 |
}
|
|
593 |
}
|
|
594 |
||
595 |
/* Cannot fork to background if no command. */
|
|
1.13.3
by Colin Watson
Import upstream version 5.1p1 |
596 |
if (fork_after_authentication_flag && buffer_len(&command) == 0 && |
597 |
!no_shell_flag) |
|
598 |
fatal("Cannot fork into background without a command " |
|
599 |
"to execute."); |
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
600 |
|
601 |
/* Allocate a tty by default if no command specified. */
|
|
602 |
if (buffer_len(&command) == 0) |
|
603 |
tty_flag = 1; |
|
604 |
||
605 |
/* Force no tty */
|
|
606 |
if (no_tty_flag) |
|
607 |
tty_flag = 0; |
|
608 |
/* Do not allocate a tty if stdin is not a tty. */
|
|
1.1.3
by Colin Watson
Import upstream version 4.2p1 |
609 |
if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) { |
22
by Colin Watson
* Fix ordering of SYSLOG_LEVEL_QUIET and SYSLOG_LEVEL_FATAL. |
610 |
if (tty_flag && options.log_level > SYSLOG_LEVEL_QUIET) |
1.13.3
by Colin Watson
Import upstream version 5.1p1 |
611 |
logit("Pseudo-terminal will not be allocated because " |
612 |
"stdin is not a terminal."); |
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
613 |
tty_flag = 0; |
614 |
}
|
|
615 |
||
616 |
/*
|
|
617 |
* Initialize "log" output. Since we are the client all output
|
|
618 |
* actually goes to stderr.
|
|
619 |
*/
|
|
1.13.3
by Colin Watson
Import upstream version 5.1p1 |
620 |
log_init(av[0], |
621 |
options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level, |
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
622 |
SYSLOG_FACILITY_USER, 1); |
623 |
||
624 |
/*
|
|
625 |
* Read per-user configuration file. Ignore the system wide config
|
|
626 |
* file if the user specifies a config file on the command line.
|
|
627 |
*/
|
|
628 |
if (config != NULL) { |
|
1.1.1
by Colin Watson
Import upstream version 3.9p1 |
629 |
if (!read_config_file(config, host, &options, 0)) |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
630 |
fatal("Can't open user config file %.100s: " |
631 |
"%.100s", config, strerror(errno)); |
|
1.13.1
by Colin Watson
Import upstream version 4.6p1 |
632 |
} else { |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
633 |
snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, |
634 |
_PATH_SSH_USER_CONFFILE); |
|
1.1.1
by Colin Watson
Import upstream version 3.9p1 |
635 |
(void)read_config_file(buf, host, &options, 1); |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
636 |
|
637 |
/* Read systemwide configuration file after use config. */
|
|
1.1.1
by Colin Watson
Import upstream version 3.9p1 |
638 |
(void)read_config_file(_PATH_HOST_CONFIG_FILE, host, |
639 |
&options, 0); |
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
640 |
}
|
641 |
||
642 |
/* Fill configuration defaults. */
|
|
643 |
fill_default_options(&options); |
|
644 |
||
645 |
channel_set_af(options.address_family); |
|
646 |
||
647 |
/* reinit */
|
|
648 |
log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1); |
|
649 |
||
650 |
seed_rng(); |
|
651 |
||
652 |
if (options.user == NULL) |
|
653 |
options.user = xstrdup(pw->pw_name); |
|
654 |
||
1.13.3
by Colin Watson
Import upstream version 5.1p1 |
655 |
/* Get default port if port has not been set. */
|
656 |
if (options.port == 0) { |
|
657 |
sp = getservbyname(SSH_SERVICE_NAME, "tcp"); |
|
658 |
options.port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT; |
|
659 |
}
|
|
660 |
||
661 |
if (options.local_command != NULL) { |
|
662 |
char thishost[NI_MAXHOST]; |
|
663 |
||
664 |
if (gethostname(thishost, sizeof(thishost)) == -1) |
|
665 |
fatal("gethostname: %s", strerror(errno)); |
|
666 |
snprintf(buf, sizeof(buf), "%d", options.port); |
|
667 |
debug3("expanding LocalCommand: %s", options.local_command); |
|
668 |
cp = options.local_command; |
|
669 |
options.local_command = percent_expand(cp, "d", pw->pw_dir, |
|
670 |
"h", options.hostname? options.hostname : host, |
|
671 |
"l", thishost, "n", host, "r", options.user, "p", buf, |
|
672 |
"u", pw->pw_name, (char *)NULL); |
|
673 |
debug3("expanded LocalCommand: %s", options.local_command); |
|
674 |
xfree(cp); |
|
675 |
}
|
|
676 |
||
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
677 |
if (options.hostname != NULL) |
678 |
host = options.hostname; |
|
679 |
||
680 |
/* force lowercase for hostkey matching */
|
|
681 |
if (options.host_key_alias != NULL) { |
|
682 |
for (p = options.host_key_alias; *p; p++) |
|
683 |
if (isupper(*p)) |
|
1.13.1
by Colin Watson
Import upstream version 4.6p1 |
684 |
*p = (char)tolower(*p); |
685 |
}
|
|
686 |
||
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
687 |
if (options.proxy_command != NULL && |
1.13.3
by Colin Watson
Import upstream version 5.1p1 |
688 |
strcmp(options.proxy_command, "none") == 0) { |
689 |
xfree(options.proxy_command); |
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
690 |
options.proxy_command = NULL; |
1.13.3
by Colin Watson
Import upstream version 5.1p1 |
691 |
}
|
1.1.3
by Colin Watson
Import upstream version 4.2p1 |
692 |
if (options.control_path != NULL && |
1.13.3
by Colin Watson
Import upstream version 5.1p1 |
693 |
strcmp(options.control_path, "none") == 0) { |
694 |
xfree(options.control_path); |
|
1.1.3
by Colin Watson
Import upstream version 4.2p1 |
695 |
options.control_path = NULL; |
1.13.3
by Colin Watson
Import upstream version 5.1p1 |
696 |
}
|
1.2.1
by Martin Pitt
Import upstream version 4.2p1 |
697 |
|
1.1.1
by Colin Watson
Import upstream version 3.9p1 |
698 |
if (options.control_path != NULL) { |
1.13.1
by Colin Watson
Import upstream version 4.6p1 |
699 |
char thishost[NI_MAXHOST]; |
700 |
||
701 |
if (gethostname(thishost, sizeof(thishost)) == -1) |
|
702 |
fatal("gethostname: %s", strerror(errno)); |
|
1.1.3
by Colin Watson
Import upstream version 4.2p1 |
703 |
snprintf(buf, sizeof(buf), "%d", options.port); |
704 |
cp = tilde_expand_filename(options.control_path, |
|
705 |
original_real_uid); |
|
1.13.3
by Colin Watson
Import upstream version 5.1p1 |
706 |
xfree(options.control_path); |
1.1.3
by Colin Watson
Import upstream version 4.2p1 |
707 |
options.control_path = percent_expand(cp, "p", buf, "h", host, |
1.13.1
by Colin Watson
Import upstream version 4.6p1 |
708 |
"r", options.user, "l", thishost, (char *)NULL); |
1.1.3
by Colin Watson
Import upstream version 4.2p1 |
709 |
xfree(cp); |
1.1.1
by Colin Watson
Import upstream version 3.9p1 |
710 |
}
|
1.13.3
by Colin Watson
Import upstream version 5.1p1 |
711 |
if (muxclient_command != 0 && options.control_path == NULL) |
1.1.3
by Colin Watson
Import upstream version 4.2p1 |
712 |
fatal("No ControlPath specified for \"-O\" command"); |
713 |
if (options.control_path != NULL) |
|
1.13.3
by Colin Watson
Import upstream version 5.1p1 |
714 |
muxclient(options.control_path); |
715 |
||
716 |
timeout_ms = options.connection_timeout * 1000; |
|
1.1.1
by Colin Watson
Import upstream version 3.9p1 |
717 |
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
718 |
/* Open a connection to the remote host. */
|
719 |
if (ssh_connect(host, &hostaddr, options.port, |
|
1.13.3
by Colin Watson
Import upstream version 5.1p1 |
720 |
options.address_family, options.connection_attempts, &timeout_ms, |
721 |
options.tcp_keep_alive, |
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
722 |
#ifdef HAVE_CYGWIN
|
723 |
options.use_privileged_port, |
|
724 |
#else
|
|
725 |
original_effective_uid == 0 && options.use_privileged_port, |
|
726 |
#endif
|
|
727 |
options.proxy_command) != 0) |
|
exit(255); |
|
if (timeout_ms > 0) |
731 |
debug3("timeout: %d ms remain after connect", timeout_ms); |
|
732 |
||
/*
|
734 |
* If we successfully made the connection, load the host private key
|
|
735 |
* in case we will need it later for combined rsa-rhosts
|
|
736 |
* authentication. This must be done before releasing extra
|
|
737 |
* privileges, because the file is only readable by root.
|
|
738 |
* If we cannot access the private keys, load the public keys
|
|
739 |
* instead and try to execute the ssh-keysign helper instead.
|
|
740 |
*/
|
|
741 |
sensitive_data.nkeys = 0; |
|
742 |
sensitive_data.keys = NULL; |
|
743 |
sensitive_data.external_keysign = 0; |
|
744 |
if (options.rhosts_rsa_authentication || |
|
745 |
options.hostbased_authentication) { |
|
746 |
sensitive_data.nkeys = 3; |
|
sensitive_data.keys = xcalloc(sensitive_data.nkeys, |
sizeof(Key)); |
749 |
||
750 |
PRIV_START; |
|
751 |
sensitive_data.keys[0] = key_load_private_type(KEY_RSA1, |
|
_PATH_HOST_KEY_FILE, "", NULL, NULL); |
sensitive_data.keys[1] = key_load_private_type(KEY_DSA, |
_PATH_HOST_DSA_KEY_FILE, "", NULL, NULL); |
sensitive_data.keys[2] = key_load_private_type(KEY_RSA, |
_PATH_HOST_RSA_KEY_FILE, "", NULL, NULL); |
PRIV_END; |
758 |
||
759 |
if (options.hostbased_authentication == 1 && |
|
760 |
sensitive_data.keys[0] == NULL && |
|
761 |
sensitive_data.keys[1] == NULL && |
|
762 |
sensitive_data.keys[2] == NULL) { |
|
763 |
sensitive_data.keys[1] = key_load_public( |
|
764 |
_PATH_HOST_DSA_KEY_FILE, NULL); |
|
765 |
sensitive_data.keys[2] = key_load_public( |
|
766 |
_PATH_HOST_RSA_KEY_FILE, NULL); |
|
767 |
sensitive_data.external_keysign = 1; |
|
768 |
}
|
|
769 |
}
|
|
770 |
/*
|
|
771 |
* Get rid of any extra privileges that we may have. We will no
|
|
772 |
* longer need them. Also, extra privileges could make it very hard
|
|
773 |
* to read identity files and other non-world-readable files from the
|
|
774 |
* user's home directory if it happens to be on a NFS volume where
|
|
775 |
* root is mapped to nobody.
|
|
776 |
*/
|
|
if (original_effective_uid == 0) { |
778 |
PRIV_START; |
|
779 |
permanently_set_uid(pw); |
|
780 |
}
|
|
|
782 |
/*
|
|
783 |
* Now that we are back to our own permissions, create ~/.ssh
|
|
* directory if it doesn't already exist.
|
*/
|
snprintf(buf, sizeof buf, "%.100s%s%.100s", pw->pw_dir, |
787 |
strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR); |
|
if (stat(buf, &st) < 0) |
789 |
if (mkdir(buf, 0700) < 0) |
|
790 |
error("Could not create directory '%.200s'.", buf); |
|
791 |
||
792 |
/* load options.identity_files */
|
|
793 |
load_public_identity_files(); |
|
794 |
||
795 |
/* Expand ~ in known host file names. */
|
|
796 |
/* XXX mem-leaks: */
|
|
797 |
options.system_hostfile = |
|
798 |
tilde_expand_filename(options.system_hostfile, original_real_uid); |
|
799 |
options.user_hostfile = |
|
800 |
tilde_expand_filename(options.user_hostfile, original_real_uid); |
|
801 |
options.system_hostfile2 = |
|
802 |
tilde_expand_filename(options.system_hostfile2, original_real_uid); |
|
803 |
options.user_hostfile2 = |
|
804 |
tilde_expand_filename(options.user_hostfile2, original_real_uid); |
|
805 |
||
806 |
signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */ |
|
807 |
||
/* Log into the remote system. Never returns if the login fails. */
|
809 |
ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr, |
|
810 |
pw, timeout_ms); |
|
|
812 |
/* We no longer need the private host keys. Clear them now. */
|
|
813 |
if (sensitive_data.nkeys != 0) { |
|
814 |
for (i = 0; i < sensitive_data.nkeys; i++) { |
|
815 |
if (sensitive_data.keys[i] != NULL) { |
|
816 |
/* Destroys contents safely */
|
|
817 |
debug3("clear hostkey %d", i); |
|
818 |
key_free(sensitive_data.keys[i]); |
|
819 |
sensitive_data.keys[i] = NULL; |
|
820 |
}
|
|
821 |
}
|
|
822 |
xfree(sensitive_data.keys); |
|
823 |
}
|
|
824 |
for (i = 0; i < options.num_identity_files; i++) { |
|
825 |
if (options.identity_files[i]) { |
|
826 |
xfree(options.identity_files[i]); |
|
827 |
options.identity_files[i] = NULL; |
|
828 |
}
|
|
829 |
if (options.identity_keys[i]) { |
|
830 |
key_free(options.identity_keys[i]); |
|
831 |
options.identity_keys[i] = NULL; |
|
832 |
}
|
|
833 |
}
|
|
834 |
||
835 |
exit_status = compat20 ? ssh_session2() : ssh_session(); |
|
836 |
packet_close(); |
|
837 |
||
if (options.control_path != NULL && muxserver_sock != -1) |
unlink(options.control_path); |
840 |
||
/*
|
842 |
* Send SIGHUP to proxy command if used. We don't wait() in
|
|
843 |
* case it hangs and instead rely on init to reap the child
|
|
844 |
*/
|
|
845 |
if (proxy_command_pid > 1) |
|
846 |
kill(proxy_command_pid, SIGHUP); |
|
847 |
||
848 |
return exit_status; |
|
849 |
}
/*
 * Global-request confirmation callback for one remote ("-R") port
 * forward.  Registered per forward by ssh_init_forwarding(); the packet
 * type says whether the server accepted or rejected that request, and
 * ctxt is the Forward the request was made for.  seq is unused.
 */
static void
ssh_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
{
	Forward *fwd = ctxt;
	const char *outcome;

	outcome = (type == SSH2_MSG_REQUEST_SUCCESS) ? "success" : "failure";
	debug("remote forward %s for: listen %d, connect %s:%d",
	    outcome, fwd->listen_port, fwd->connect_host, fwd->connect_port);

	if (type == SSH2_MSG_REQUEST_FAILURE) {
		/* ExitOnForwardFailure decides whether a rejection is fatal. */
		if (!options.exit_on_forward_failure)
			logit("Warning: remote port forwarding failed for "
			    "listen port %d", fwd->listen_port);
		else
			fatal("Error: remote port forwarding failed for "
			    "listen port %d", fwd->listen_port);
	}

	/*
	 * A deferred background fork (fork_after_authentication_flag) is
	 * only honoured once every remote forward has been answered, so a
	 * rejected forward can still reach the fatal() above while we are
	 * in the foreground.
	 */
	remote_forward_confirms_received++;
	if (remote_forward_confirms_received != options.num_remote_forwards)
		return;
	debug("All remote forwarding requests processed");
	if (!fork_after_authentication_flag)
		return;
	fork_after_authentication_flag = 0;
	if (daemon(1, 1) < 0)
		fatal("daemon() failed: %.200s", strerror(errno));
}
/*
 * Establish every forwarding the user configured: local (-L)
 * listeners, remote (-R) requests to the server, and a tun(4) tunnel.
 * With ExitOnForwardFailure a forwarding that cannot be set up is
 * fatal; otherwise it is only reported and the session continues.
 */
static void
ssh_init_forwarding(void)
{
	int established = 0;
	int i;

	/*
	 * Local listeners are bound by us, so their outcome is known at
	 * once.  A NULL listen_host means the default address: every
	 * interface ("*") when GatewayPorts is on, loopback otherwise.
	 */
	for (i = 0; i < options.num_local_forwards; i++) {
		const char *lhost = options.local_forwards[i].listen_host;

		if (lhost == NULL)
			lhost = options.gateway_ports ? "*" : "LOCALHOST";
		debug("Local connections to %.200s:%d forwarded to remote "
		    "address %.200s:%d",
		    lhost,
		    options.local_forwards[i].listen_port,
		    options.local_forwards[i].connect_host,
		    options.local_forwards[i].connect_port);
		established += channel_setup_local_fwd_listener(
		    options.local_forwards[i].listen_host,
		    options.local_forwards[i].listen_port,
		    options.local_forwards[i].connect_host,
		    options.local_forwards[i].connect_port,
		    options.gateway_ports);
	}
	if (i > 0) {
		if (established != i && options.exit_on_forward_failure)
			fatal("Could not request local forwarding.");
		if (established == 0)
			error("Could not request local forwarding.");
	}

	/*
	 * Remote forwards are answered by the server later, in
	 * ssh_confirm_remote_forward(); the check here only covers what
	 * channel_request_remote_forwarding() can detect locally.
	 */
	for (i = 0; i < options.num_remote_forwards; i++) {
		const char *rhost = options.remote_forwards[i].listen_host;

		debug("Remote connections from %.200s:%d forwarded to "
		    "local address %.200s:%d",
		    rhost == NULL ? "LOCALHOST" : rhost,
		    options.remote_forwards[i].listen_port,
		    options.remote_forwards[i].connect_host,
		    options.remote_forwards[i].connect_port);
		if (channel_request_remote_forwarding(
		    options.remote_forwards[i].listen_host,
		    options.remote_forwards[i].listen_port,
		    options.remote_forwards[i].connect_host,
		    options.remote_forwards[i].connect_port) < 0) {
			if (options.exit_on_forward_failure)
				fatal("Could not request remote forwarding.");
			else
				logit("Warning: Could not request remote "
				    "forwarding.");
		}
		/*
		 * NOTE(review): the confirmation callback is registered even
		 * when the request above reported failure; whether a request
		 * went on the wire in that case is decided inside
		 * channel_request_remote_forwarding() — confirm before relying
		 * on the confirms counter in ssh_confirm_remote_forward().
		 */
		client_register_global_confirm(ssh_confirm_remote_forward,
		    &options.remote_forwards[i]);
	}

	/* Tunnel device forwarding, if configured. */
	if (options.tun_open == SSH_TUNMODE_NO)
		return;
	if (client_request_tun_fwd(options.tun_open,
	    options.tun_local, options.tun_remote) != -1)
		return;
	if (options.exit_on_forward_failure)
		fatal("Could not request tunnel forwarding.");
	else
		error("Could not request tunnel forwarding.");
}
/*
 * Turn ForwardAgent off when no authentication agent is reachable, so
 * that no agent-forwarding request is sent for an agent we do not have.
 */
static void
check_agent_present(void)
{
	if (!options.forward_agent)
		return;
	/* Requested, but is there actually an agent to forward? */
	if (!ssh_agent_present())
		options.forward_agent = 0;
}
/*
 * Protocol 1 session driver.  Negotiates the per-session features
 * (compression, pty, X11 forwarding, agent forwarding, port
 * forwardings) with the server one request at a time, then starts the
 * command or shell and enters client_loop().  Each request is its own
 * packet exchange answered by SSH_SMSG_SUCCESS / SSH_SMSG_FAILURE; for
 * compression, pty and X11 any other reply is treated as a protocol
 * error and the connection is dropped.
 * Returns the exit status delivered by client_loop().
 */
static int
ssh_session(void)
{
	int type;
	int interactive = 0;	/* set once a pty or X11 forwarding is granted; handed to packet_set_interactive() */
	int have_tty = 0;	/* set only when the server granted the pty; handed to client_loop() */
	struct winsize ws;
	char *cp;
	const char *display;

	/* Enable compression if requested. */
	if (options.compression) {
		debug("Requesting compression at level %d.",
		    options.compression_level);

		if (options.compression_level < 1 ||
		    options.compression_level > 9)
			fatal("Compression level must be from 1 (fast) to "
			    "9 (slow, best).");

		/* Send the request. */
		packet_start(SSH_CMSG_REQUEST_COMPRESSION);
		packet_put_int(options.compression_level);
		packet_send();
		packet_write_wait();
		type = packet_read();
		if (type == SSH_SMSG_SUCCESS)
			packet_start_compression(options.compression_level);
		else if (type == SSH_SMSG_FAILURE)
			logit("Warning: Remote host refused compression.");
		else
			packet_disconnect("Protocol error waiting for "
			    "compression response.");
	}
	/* Allocate a pseudo tty if appropriate. */
	if (tty_flag) {
		debug("Requesting pty.");

		/* Start the packet. */
		packet_start(SSH_CMSG_REQUEST_PTY);

		/* Store TERM in the packet.  There is no limit on the
		   length of the string; an unset TERM is sent as "". */
		cp = getenv("TERM");
		if (!cp)
			cp = "";
		packet_put_cstring(cp);

		/* Store window size in the packet; all zeros if stdin is not a terminal. */
		if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0)
			memset(&ws, 0, sizeof(ws));
		packet_put_int((u_int)ws.ws_row);
		packet_put_int((u_int)ws.ws_col);
		packet_put_int((u_int)ws.ws_xpixel);
		packet_put_int((u_int)ws.ws_ypixel);

		/* Store tty modes in the packet. */
		tty_make_modes(fileno(stdin), NULL);

		/* Send the packet, and wait for it to leave. */
		packet_send();
		packet_write_wait();

		/* Read response from the server. */
		type = packet_read();
		if (type == SSH_SMSG_SUCCESS) {
			interactive = 1;
			have_tty = 1;
		} else if (type == SSH_SMSG_FAILURE)
			logit("Warning: Remote host failed or refused to "
			    "allocate a pseudo tty.");
		else
			packet_disconnect("Protocol error waiting for pty "
			    "request response.");
	}
	/* Request X11 forwarding if enabled and DISPLAY is set. */
	display = getenv("DISPLAY");
	if (options.forward_x11 && display != NULL) {
		char *proto, *data;
		/*
		 * Get reasonable local authentication information.
		 * options.forward_x11_trusted is passed through to
		 * client_x11_get_proto(), which decides what kind of
		 * authentication data is produced for the remote side.
		 */
		client_x11_get_proto(display, options.xauth_location,
		    options.forward_x11_trusted, &proto, &data);
		/* Request forwarding with authentication spoofing. */
		debug("Requesting X11 forwarding with authentication "
		    "spoofing.");
		x11_request_forwarding_with_spoofing(0, display, proto, data);

		/* Read response from the server. */
		type = packet_read();
		if (type == SSH_SMSG_SUCCESS) {
			interactive = 1;
		} else if (type == SSH_SMSG_FAILURE) {
			logit("Warning: Remote host denied X11 forwarding.");
		} else {
			packet_disconnect("Protocol error waiting for X11 "
			    "forwarding");
		}
	}
	/* Tell the packet module whether this is an interactive session. */
	packet_set_interactive(interactive);

	/* Request authentication agent forwarding if appropriate. */
	check_agent_present();

	if (options.forward_agent) {
		debug("Requesting authentication agent forwarding.");
		auth_request_forwarding();

		/*
		 * Read response from the server.  Unlike the replies above,
		 * anything other than SSH_SMSG_SUCCESS is only logged here;
		 * an unexpected packet type does not disconnect.
		 */
		type = packet_read();
		packet_check_eom();
		if (type != SSH_SMSG_SUCCESS)
			logit("Warning: Remote host denied authentication agent forwarding.");
	}

	/* Initiate port forwardings. */
	ssh_init_forwarding();

	/* Execute a local command; runs on this host and is gated by PermitLocalCommand. */
	if (options.local_command != NULL &&
	    options.permit_local_command)
		ssh_local_cmd(options.local_command);

	/*
	 * If requested and we are not interested in replies to remote
	 * forwarding requests, then let ssh continue in the background.
	 * Otherwise the fork is deferred to ssh_confirm_remote_forward().
	 */
	if (fork_after_authentication_flag &&
	    (!options.exit_on_forward_failure ||
	    options.num_remote_forwards == 0)) {
		fork_after_authentication_flag = 0;
		if (daemon(1, 1) < 0)
			fatal("daemon() failed: %.200s", strerror(errno));
	}

	/*
	 * If a command was specified on the command line, execute the
	 * command now. Otherwise request the server to start a shell.
	 */
	if (buffer_len(&command) > 0) {
		/* The 900-byte cap only limits the debug output; the full command is sent. */
		int len = buffer_len(&command);
		if (len > 900)
			len = 900;
		debug("Sending command: %.*s", len,
		    (u_char *)buffer_ptr(&command));
		packet_start(SSH_CMSG_EXEC_CMD);
		packet_put_string(buffer_ptr(&command), buffer_len(&command));
		packet_send();
		packet_write_wait();
	} else {
		debug("Requesting shell.");
		packet_start(SSH_CMSG_EXEC_SHELL);
		packet_send();
		packet_write_wait();
	}

	/* Enter the interactive session; the escape character is only active with a tty. */
	return client_loop(have_tty, tty_flag ?
	    options.escape_char : SSH_ESCAPECHAR_NONE, 0);
}
/*
 * Open-confirmation handler for the session channel created in
 * ssh_session2_open().  Once the server has accepted the channel, ask
 * for X11 and agent forwarding where configured, then hand over to
 * client_session2_setup() for the pty/environment/subsystem/command/
 * shell requests.  id is the local channel number; arg is unused.
 */
static void
ssh_session2_setup(int id, void *arg)
{
	extern char **environ;
	const char *display = getenv("DISPLAY");
	int interactive = tty_flag;

	if (display != NULL && options.forward_x11) {
		char *proto, *data;

		/*
		 * Local X authentication data for the server side;
		 * options.forward_x11_trusted is passed on to
		 * client_x11_get_proto(), which decides what it hands out.
		 */
		client_x11_get_proto(display, options.xauth_location,
		    options.forward_x11_trusted, &proto, &data);
		debug("Requesting X11 forwarding with authentication "
		    "spoofing.");
		x11_request_forwarding_with_spoofing(id, display, proto, data);
		interactive = 1;
		/* XXX wait for reply */
	}

	/* Only ask for agent forwarding when an agent is actually reachable. */
	check_agent_present();
	if (options.forward_agent) {
		debug("Requesting authentication agent forwarding.");
		channel_request_start(id, "auth-agent-req@openssh.com", 0);
		packet_send();
	}

	client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"),
	    NULL, fileno(stdin), &command, environ);

	packet_set_interactive(interactive);
}
/*
 * Open the protocol 2 session channel that carries the shell/command.
 * The channel gets private copies of stdin/stdout/stderr (stdin is
 * /dev/null under stdin_null_flag), window and packet sizes are halved
 * for tty sessions, and ssh_session2_setup() is registered to run when
 * the server confirms the open — unless no_shell_flag is set.
 * Returns the local channel id.
 */
static int
ssh_session2_open(void)
{
	Channel *c;
	int in, out, err;
	int window = CHAN_SES_WINDOW_DEFAULT;
	int packetmax = CHAN_SES_PACKET_DEFAULT;

	in = stdin_null_flag ? open(_PATH_DEVNULL, O_RDONLY) : dup(STDIN_FILENO);
	out = dup(STDOUT_FILENO);
	err = dup(STDERR_FILENO);
	if (in < 0 || out < 0 || err < 0)
		fatal("dup() in/out/err failed");

	/* Non-blocking I/O on every descriptor that is not a terminal. */
	if (!isatty(in))
		set_nonblock(in);
	if (!isatty(out))
		set_nonblock(out);
	if (!isatty(err))
		set_nonblock(err);

	if (tty_flag) {
		window >>= 1;
		packetmax >>= 1;
	}

	c = channel_new("session", SSH_CHANNEL_OPENING, in, out, err,
	    window, packetmax, CHAN_EXTENDED_WRITE,
	    "client-session", /*nonblock*/0);
	debug3("ssh_session2_open: channel_new: %d", c->self);

	channel_send_open(c->self);
	if (!no_shell_flag)
		channel_register_open_confirm(c->self,
		    ssh_session2_setup, NULL);

	return c->self;
}
/*
 * Protocol 2 session driver: set up forwardings, open the session
 * channel (skipped for no_shell_flag unless the SSH_BUG_DUMMYCHAN
 * workaround applies), optionally tell the server that no further
 * sessions will be opened, run LocalCommand, start the mux listener,
 * background ourselves if requested, and enter client_loop().
 * Returns the exit status delivered by client_loop().
 */
static int
ssh_session2(void)
{
	int id = -1;

	/* XXX should be pre-session */
	ssh_init_forwarding();

	if ((datafellows & SSH_BUG_DUMMYCHAN) || !no_shell_flag)
		id = ssh_session2_open();

	/*
	 * Without ControlMaster this connection will never need another
	 * session channel, so ask the server to refuse any later session
	 * open on it.  Sent as a global request with want-reply 0.
	 */
	if (options.control_master == SSHCTL_MASTER_NO) {
		debug("Requesting no-more-sessions@openssh.com");
		packet_start(SSH2_MSG_GLOBAL_REQUEST);
		packet_put_cstring("no-more-sessions@openssh.com");
		packet_put_char(0);
		packet_send();
	}

	/* LocalCommand runs on this host, and only with PermitLocalCommand. */
	if (options.permit_local_command &&
	    options.local_command != NULL)
		ssh_local_cmd(options.local_command);

	/* Start listening for multiplex clients */
	muxserver_listen();

	/* Detach now that authentication and session setup are done. */
	if (fork_after_authentication_flag) {
		fork_after_authentication_flag = 0;
		if (daemon(1, 1) < 0)
			fatal("daemon() failed: %.200s", strerror(errno));
	}

	return client_loop(tty_flag,
	    tty_flag ? options.escape_char : SSH_ESCAPECHAR_NONE, id);
}
/*
 * Turn the configured identity-file entries into ready-to-use public
 * keys.  For each entry the path is tilde-expanded and then
 * percent-expanded (%d home directory, %u user name, %l local host
 * name, %h remote host, %r remote user), the public key is loaded, and
 * options.identity_files[i] / options.identity_keys[i] are replaced by
 * the expanded name and the key (NULL when it cannot be loaded).
 * With SMARTCARD, keys from the card are inserted at the front of the
 * list first.  Debian addition: keys matched by blacklisted_key() are
 * dropped (both slots set to NULL) unless options.use_blacklisted_keys
 * is set.  Called from main() after extra privileges are dropped, so
 * the files are read as the real user.
 */
static void
load_public_identity_files(void)
{
	char *filename, *cp, thishost[NI_MAXHOST], *fp;
	char *pwdir = NULL, *pwname = NULL;
	int i = 0;		/* first file-based entry; advanced past smartcard keys */
	Key *public;
	struct passwd *pw;
#ifdef SMARTCARD
	Key **keys;

	/*
	 * Smartcard keys go to the front of the identity list; each one
	 * shifts the existing entries up by a slot.  The shift copies
	 * SSH_MAX_IDENTITY_FILES - 1 slots, so once the list is full the
	 * entry in the last slot is overwritten without being freed.
	 * NOTE(review): looks like that filename/key is leaked — confirm.
	 */
	if (options.smartcard_device != NULL &&
	    options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
	    (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL) {
		int count = 0;
		for (i = 0; keys[i] != NULL; i++) {
			count++;
			memmove(&options.identity_files[1],
			    &options.identity_files[0],
			    sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1));
			memmove(&options.identity_keys[1],
			    &options.identity_keys[0],
			    sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1));
			options.num_identity_files++;
			options.identity_keys[0] = keys[i];
			options.identity_files[0] = sc_get_key_label(keys[i]);
		}
		/* The count may have overshot the array; clamp it. */
		if (options.num_identity_files > SSH_MAX_IDENTITY_FILES)
			options.num_identity_files = SSH_MAX_IDENTITY_FILES;
		/* Smartcard entries already carry their key; skip them below. */
		i = count;
		xfree(keys);
	}
#endif /* SMARTCARD */
	if ((pw = getpwuid(original_real_uid)) == NULL)
		fatal("load_public_identity_files: getpwuid failed");
	/* Private copies of the passwd fields; zeroed and freed at the end. */
	pwname = xstrdup(pw->pw_name);
	pwdir = xstrdup(pw->pw_dir);
	if (gethostname(thishost, sizeof(thishost)) == -1)
		fatal("load_public_identity_files: gethostname: %s",
		    strerror(errno));
	for (; i < options.num_identity_files; i++) {
		/* ~ first, then the %-tokens; the intermediate string is freed at once. */
		cp = tilde_expand_filename(options.identity_files[i],
		    original_real_uid);
		filename = percent_expand(cp, "d", pwdir,
		    "u", pwname, "l", thishost, "h", host,
		    "r", options.user, (char *)NULL);
		xfree(cp);
		/* Only the public half is read here; the private key file is not touched. */
		public = key_load_public(filename, NULL);
		debug("identity file %s type %d", filename,
		    public ? public->type : -1);
		/*
		 * Debian: refuse to offer keys listed in the ssh-vulnkey(1)
		 * blacklist.  With options.use_blacklisted_keys the match is
		 * only reported; otherwise the key and its file name are both
		 * dropped from the list.  fp (presumably the fingerprint) is
		 * allocated by blacklisted_key() and freed here.
		 */
		if (public && blacklisted_key(public, &fp) == 1) {
			if (options.use_blacklisted_keys)
				logit("Public key %s blacklisted (see "
				    "ssh-vulnkey(1)); continuing anyway", fp);
			else
				logit("Public key %s blacklisted (see "
				    "ssh-vulnkey(1)); refusing to send it",
				    fp);
			xfree(fp);
			if (!options.use_blacklisted_keys) {
				key_free(public);
				xfree(filename);
				filename = NULL;
				public = NULL;
			}
		}
		/* Replace the configured name with its expanded form. */
		xfree(options.identity_files[i]);
		options.identity_files[i] = filename;
		options.identity_keys[i] = public;
	}
	/*
	 * Scrub the copies before freeing them.  NOTE(review): a plain
	 * bzero() immediately before free() is not guaranteed to survive
	 * optimisation — confirm this is the intended guarantee.
	 */
	bzero(pwname, strlen(pwname));
	xfree(pwname);
	bzero(pwdir, strlen(pwdir));
	xfree(pwdir);
}
|