monitor_wrap.c revision 147005
1/* 2 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Markus Friedl <markus@openbsd.org> 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27#include "includes.h" 28RCSID("$OpenBSD: monitor_wrap.c,v 1.39 2004/07/17 05:31:41 dtucker Exp $"); 29RCSID("$FreeBSD: head/crypto/openssh/monitor_wrap.c 147005 2005-06-05 15:46:09Z des $"); 30 31#include <openssl/bn.h> 32#include <openssl/dh.h> 33 34#include "ssh.h" 35#include "dh.h" 36#include "kex.h" 37#include "auth.h" 38#include "auth-options.h" 39#include "buffer.h" 40#include "bufaux.h" 41#include "packet.h" 42#include "mac.h" 43#include "log.h" 44#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */ 45#undef TARGET_OS_MAC 46#include "zlib.h" 47#define TARGET_OS_MAC 1 48#else 49#include "zlib.h" 50#endif 51#include "monitor.h" 52#include "monitor_wrap.h" 53#include "xmalloc.h" 54#include "atomicio.h" 55#include "monitor_fdpass.h" 56#include "getput.h" 57#include "servconf.h" 58 59#include "auth.h" 60#include "channels.h" 61#include "session.h" 62 63#ifdef GSSAPI 64#include "ssh-gss.h" 65#endif 66 67/* Imports */ 68extern int compat20; 69extern Newkeys *newkeys[]; 70extern z_stream incoming_stream; 71extern z_stream outgoing_stream; 72extern struct monitor *pmonitor; 73extern Buffer input, output; 74extern Buffer loginmsg; 75extern ServerOptions options; 76extern Buffer loginmsg; 77 78int 79mm_is_monitor(void) 80{ 81 /* 82 * m_pid is only set in the privileged part, and 83 * points to the unprivileged child. 84 */ 85 return (pmonitor && pmonitor->m_pid > 0); 86} 87 88void 89mm_request_send(int sock, enum monitor_reqtype type, Buffer *m) 90{ 91 u_int mlen = buffer_len(m); 92 u_char buf[5]; 93 94 debug3("%s entering: type %d", __func__, type); 95 96 PUT_32BIT(buf, mlen + 1); 97 buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */ 98 if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf)) 99 fatal("%s: write", __func__); 100 if (atomicio(vwrite, sock, buffer_ptr(m), mlen) != mlen) 101 fatal("%s: write", __func__); 102} 103 104void 105mm_request_receive(int sock, Buffer *m) 106{ 107 u_char buf[4]; 108 u_int msg_len; 109 ssize_t res; 110 111 debug3("%s entering", __func__); 112 113 res = atomicio(read, sock, buf, sizeof(buf)); 114 if (res != sizeof(buf)) { 115 if (res == 0) 116 cleanup_exit(255); 117 fatal("%s: read: %ld", __func__, (long)res); 118 } 119 msg_len = GET_32BIT(buf); 120 if (msg_len > 256 * 1024) 121 fatal("%s: read: bad msg_len %d", __func__, msg_len); 122 buffer_clear(m); 123 buffer_append_space(m, msg_len); 124 res = atomicio(read, sock, buffer_ptr(m), msg_len); 125 if (res != msg_len) 126 fatal("%s: read: %ld != msg_len", __func__, (long)res); 127} 128 129void 130mm_request_receive_expect(int sock, enum monitor_reqtype type, Buffer *m) 131{ 132 u_char rtype; 133 134 debug3("%s entering: type %d", __func__, type); 135 136 mm_request_receive(sock, m); 137 rtype = buffer_get_char(m); 138 if (rtype != type) 139 fatal("%s: read: rtype %d != type %d", __func__, 140 rtype, type); 141} 142 143DH * 144mm_choose_dh(int min, int nbits, int max) 145{ 146 BIGNUM *p, *g; 147 int success = 0; 148 Buffer m; 149 150 buffer_init(&m); 151 buffer_put_int(&m, min); 152 buffer_put_int(&m, nbits); 153 buffer_put_int(&m, max); 154 155 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_MODULI, &m); 156 157 debug3("%s: waiting for MONITOR_ANS_MODULI", __func__); 158 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_MODULI, &m); 159 160 success = buffer_get_char(&m); 161 if (success == 0) 162 fatal("%s: MONITOR_ANS_MODULI failed", __func__); 163 164 if ((p = BN_new()) == NULL) 165 fatal("%s: BN_new failed", __func__); 166 if ((g = BN_new()) == NULL) 167 fatal("%s: BN_new failed", __func__); 168 buffer_get_bignum2(&m, p); 169 buffer_get_bignum2(&m, g); 170 171 debug3("%s: remaining %d", __func__, buffer_len(&m)); 172 buffer_free(&m); 173 174 return (dh_new_group(g, p)); 175} 176 177int 178mm_key_sign(Key *key, u_char **sigp, u_int *lenp, u_char *data, u_int datalen) 179{ 180 Kex *kex = *pmonitor->m_pkex; 181 Buffer m; 182 183 debug3("%s entering", __func__); 184 185 buffer_init(&m); 186 buffer_put_int(&m, kex->host_key_index(key)); 187 buffer_put_string(&m, data, datalen); 188 189 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SIGN, &m); 190 191 debug3("%s: waiting for MONITOR_ANS_SIGN", __func__); 192 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SIGN, &m); 193 *sigp = buffer_get_string(&m, lenp); 194 buffer_free(&m); 195 196 return (0); 197} 198 199struct passwd * 200mm_getpwnamallow(const char *username) 201{ 202 Buffer m; 203 struct passwd *pw; 204 u_int pwlen; 205 206 debug3("%s entering", __func__); 207 208 buffer_init(&m); 209 buffer_put_cstring(&m, username); 210 211 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PWNAM, &m); 212 213 debug3("%s: waiting for MONITOR_ANS_PWNAM", __func__); 214 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PWNAM, &m); 215 216 if (buffer_get_char(&m) == 0) { 217 buffer_free(&m); 218 return (NULL); 219 } 220 pw = buffer_get_string(&m, &pwlen); 221 if (pwlen != sizeof(struct passwd)) 222 fatal("%s: struct passwd size mismatch", __func__); 223 pw->pw_name = buffer_get_string(&m, NULL); 224 pw->pw_passwd = buffer_get_string(&m, NULL); 225 pw->pw_gecos = buffer_get_string(&m, NULL); 226#ifdef HAVE_PW_CLASS_IN_PASSWD 227 pw->pw_class = buffer_get_string(&m, NULL); 228#endif 229 pw->pw_dir = buffer_get_string(&m, NULL); 230 pw->pw_shell = buffer_get_string(&m, NULL); 231 buffer_free(&m); 232 233 return (pw); 234} 235 236char * 237mm_auth2_read_banner(void) 238{ 239 Buffer m; 240 char *banner; 241 242 debug3("%s entering", __func__); 243 244 buffer_init(&m); 245 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, &m); 246 buffer_clear(&m); 247 248 mm_request_receive_expect(pmonitor->m_recvfd, 249 MONITOR_ANS_AUTH2_READ_BANNER, &m); 250 banner = buffer_get_string(&m, NULL); 251 buffer_free(&m); 252 253 /* treat empty banner as missing banner */ 254 if (strlen(banner) == 0) { 255 xfree(banner); 256 banner = NULL; 257 } 258 return (banner); 259} 260 261/* Inform the privileged process about service and style */ 262 263void 264mm_inform_authserv(char *service, char *style) 265{ 266 Buffer m; 267 268 debug3("%s entering", __func__); 269 270 buffer_init(&m); 271 buffer_put_cstring(&m, service); 272 buffer_put_cstring(&m, style ? style : ""); 273 274 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m); 275 276 buffer_free(&m); 277} 278 279/* Do the password authentication */ 280int 281mm_auth_password(Authctxt *authctxt, char *password) 282{ 283 Buffer m; 284 int authenticated = 0; 285 286 debug3("%s entering", __func__); 287 288 buffer_init(&m); 289 buffer_put_cstring(&m, password); 290 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHPASSWORD, &m); 291 292 debug3("%s: waiting for MONITOR_ANS_AUTHPASSWORD", __func__); 293 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHPASSWORD, &m); 294 295 authenticated = buffer_get_int(&m); 296 297 buffer_free(&m); 298 299 debug3("%s: user %sauthenticated", 300 __func__, authenticated ? "" : "not "); 301 return (authenticated); 302} 303 304int 305mm_user_key_allowed(struct passwd *pw, Key *key) 306{ 307 return (mm_key_allowed(MM_USERKEY, NULL, NULL, key)); 308} 309 310int 311mm_hostbased_key_allowed(struct passwd *pw, char *user, char *host, 312 Key *key) 313{ 314 return (mm_key_allowed(MM_HOSTKEY, user, host, key)); 315} 316 317int 318mm_auth_rhosts_rsa_key_allowed(struct passwd *pw, char *user, 319 char *host, Key *key) 320{ 321 int ret; 322 323 key->type = KEY_RSA; /* XXX hack for key_to_blob */ 324 ret = mm_key_allowed(MM_RSAHOSTKEY, user, host, key); 325 key->type = KEY_RSA1; 326 return (ret); 327} 328 329static void 330mm_send_debug(Buffer *m) 331{ 332 char *msg; 333 334 while (buffer_len(m)) { 335 msg = buffer_get_string(m, NULL); 336 debug3("%s: Sending debug: %s", __func__, msg); 337 packet_send_debug("%s", msg); 338 xfree(msg); 339 } 340} 341 342int 343mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key) 344{ 345 Buffer m; 346 u_char *blob; 347 u_int len; 348 int allowed = 0, have_forced = 0; 349 350 debug3("%s entering", __func__); 351 352 /* Convert the key to a blob and the pass it over */ 353 if (!key_to_blob(key, &blob, &len)) 354 return (0); 355 356 buffer_init(&m); 357 buffer_put_int(&m, type); 358 buffer_put_cstring(&m, user ? user : ""); 359 buffer_put_cstring(&m, host ? host : ""); 360 buffer_put_string(&m, blob, len); 361 xfree(blob); 362 363 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m); 364 365 debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__); 366 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYALLOWED, &m); 367 368 allowed = buffer_get_int(&m); 369 370 /* fake forced command */ 371 auth_clear_options(); 372 have_forced = buffer_get_int(&m); 373 forced_command = have_forced ? xstrdup("true") : NULL; 374 375 /* Send potential debug messages */ 376 mm_send_debug(&m); 377 378 buffer_free(&m); 379 380 return (allowed); 381} 382 383/* 384 * This key verify needs to send the key type along, because the 385 * privileged parent makes the decision if the key is allowed 386 * for authentication. 387 */ 388 389int 390mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen) 391{ 392 Buffer m; 393 u_char *blob; 394 u_int len; 395 int verified = 0; 396 397 debug3("%s entering", __func__); 398 399 /* Convert the key to a blob and the pass it over */ 400 if (!key_to_blob(key, &blob, &len)) 401 return (0); 402 403 buffer_init(&m); 404 buffer_put_string(&m, blob, len); 405 buffer_put_string(&m, sig, siglen); 406 buffer_put_string(&m, data, datalen); 407 xfree(blob); 408 409 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m); 410 411 debug3("%s: waiting for MONITOR_ANS_KEYVERIFY", __func__); 412 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYVERIFY, &m); 413 414 verified = buffer_get_int(&m); 415 416 buffer_free(&m); 417 418 return (verified); 419} 420 421/* Export key state after authentication */ 422Newkeys * 423mm_newkeys_from_blob(u_char *blob, int blen) 424{ 425 Buffer b; 426 u_int len; 427 Newkeys *newkey = NULL; 428 Enc *enc; 429 Mac *mac; 430 Comp *comp; 431 432 debug3("%s: %p(%d)", __func__, blob, blen); 433#ifdef DEBUG_PK 434 dump_base64(stderr, blob, blen); 435#endif 436 buffer_init(&b); 437 buffer_append(&b, blob, blen); 438 439 newkey = xmalloc(sizeof(*newkey)); 440 enc = &newkey->enc; 441 mac = &newkey->mac; 442 comp = &newkey->comp; 443 444 /* Enc structure */ 445 enc->name = buffer_get_string(&b, NULL); 446 buffer_get(&b, &enc->cipher, sizeof(enc->cipher)); 447 enc->enabled = buffer_get_int(&b); 448 enc->block_size = buffer_get_int(&b); 449 enc->key = buffer_get_string(&b, &enc->key_len); 450 enc->iv = buffer_get_string(&b, &len); 451 if (len != enc->block_size) 452 fatal("%s: bad ivlen: expected %u != %u", __func__, 453 enc->block_size, len); 454 455 if (enc->name == NULL || cipher_by_name(enc->name) != enc->cipher) 456 fatal("%s: bad cipher name %s or pointer %p", __func__, 457 enc->name, enc->cipher); 458 459 /* Mac structure */ 460 mac->name = buffer_get_string(&b, NULL); 461 if (mac->name == NULL || mac_init(mac, mac->name) == -1) 462 fatal("%s: can not init mac %s", __func__, mac->name); 463 mac->enabled = buffer_get_int(&b); 464 mac->key = buffer_get_string(&b, &len); 465 if (len > mac->key_len) 466 fatal("%s: bad mac key length: %u > %d", __func__, len, 467 mac->key_len); 468 mac->key_len = len; 469 470 /* Comp structure */ 471 comp->type = buffer_get_int(&b); 472 comp->enabled = buffer_get_int(&b); 473 comp->name = buffer_get_string(&b, NULL); 474 475 len = buffer_len(&b); 476 if (len != 0) 477 error("newkeys_from_blob: remaining bytes in blob %u", len); 478 buffer_free(&b); 479 return (newkey); 480} 481 482int 483mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp) 484{ 485 Buffer b; 486 int len; 487 Enc *enc; 488 Mac *mac; 489 Comp *comp; 490 Newkeys *newkey = newkeys[mode]; 491 492 debug3("%s: converting %p", __func__, newkey); 493 494 if (newkey == NULL) { 495 error("%s: newkey == NULL", __func__); 496 return 0; 497 } 498 enc = &newkey->enc; 499 mac = &newkey->mac; 500 comp = &newkey->comp; 501 502 buffer_init(&b); 503 /* Enc structure */ 504 buffer_put_cstring(&b, enc->name); 505 /* The cipher struct is constant and shared, you export pointer */ 506 buffer_append(&b, &enc->cipher, sizeof(enc->cipher)); 507 buffer_put_int(&b, enc->enabled); 508 buffer_put_int(&b, enc->block_size); 509 buffer_put_string(&b, enc->key, enc->key_len); 510 packet_get_keyiv(mode, enc->iv, enc->block_size); 511 buffer_put_string(&b, enc->iv, enc->block_size); 512 513 /* Mac structure */ 514 buffer_put_cstring(&b, mac->name); 515 buffer_put_int(&b, mac->enabled); 516 buffer_put_string(&b, mac->key, mac->key_len); 517 518 /* Comp structure */ 519 buffer_put_int(&b, comp->type); 520 buffer_put_int(&b, comp->enabled); 521 buffer_put_cstring(&b, comp->name); 522 523 len = buffer_len(&b); 524 if (lenp != NULL) 525 *lenp = len; 526 if (blobp != NULL) { 527 *blobp = xmalloc(len); 528 memcpy(*blobp, buffer_ptr(&b), len); 529 } 530 memset(buffer_ptr(&b), 0, len); 531 buffer_free(&b); 532 return len; 533} 534 535static void 536mm_send_kex(Buffer *m, Kex *kex) 537{ 538 buffer_put_string(m, kex->session_id, kex->session_id_len); 539 buffer_put_int(m, kex->we_need); 540 buffer_put_int(m, kex->hostkey_type); 541 buffer_put_int(m, kex->kex_type); 542 buffer_put_string(m, buffer_ptr(&kex->my), buffer_len(&kex->my)); 543 buffer_put_string(m, buffer_ptr(&kex->peer), buffer_len(&kex->peer)); 544 buffer_put_int(m, kex->flags); 545 buffer_put_cstring(m, kex->client_version_string); 546 buffer_put_cstring(m, kex->server_version_string); 547} 548 549void 550mm_send_keystate(struct monitor *monitor) 551{ 552 Buffer m; 553 u_char *blob, *p; 554 u_int bloblen, plen; 555 u_int32_t seqnr, packets; 556 u_int64_t blocks; 557 558 buffer_init(&m); 559 560 if (!compat20) { 561 u_char iv[24]; 562 u_char *key; 563 u_int ivlen, keylen; 564 565 buffer_put_int(&m, packet_get_protocol_flags()); 566 567 buffer_put_int(&m, packet_get_ssh1_cipher()); 568 569 debug3("%s: Sending ssh1 KEY+IV", __func__); 570 keylen = packet_get_encryption_key(NULL); 571 key = xmalloc(keylen+1); /* add 1 if keylen == 0 */ 572 keylen = packet_get_encryption_key(key); 573 buffer_put_string(&m, key, keylen); 574 memset(key, 0, keylen); 575 xfree(key); 576 577 ivlen = packet_get_keyiv_len(MODE_OUT); 578 packet_get_keyiv(MODE_OUT, iv, ivlen); 579 buffer_put_string(&m, iv, ivlen); 580 ivlen = packet_get_keyiv_len(MODE_OUT); 581 packet_get_keyiv(MODE_IN, iv, ivlen); 582 buffer_put_string(&m, iv, ivlen); 583 goto skip; 584 } else { 585 /* Kex for rekeying */ 586 mm_send_kex(&m, *monitor->m_pkex); 587 } 588 589 debug3("%s: Sending new keys: %p %p", 590 __func__, newkeys[MODE_OUT], newkeys[MODE_IN]); 591 592 /* Keys from Kex */ 593 if (!mm_newkeys_to_blob(MODE_OUT, &blob, &bloblen)) 594 fatal("%s: conversion of newkeys failed", __func__); 595 596 buffer_put_string(&m, blob, bloblen); 597 xfree(blob); 598 599 if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen)) 600 fatal("%s: conversion of newkeys failed", __func__); 601 602 buffer_put_string(&m, blob, bloblen); 603 xfree(blob); 604 605 packet_get_state(MODE_OUT, &seqnr, &blocks, &packets); 606 buffer_put_int(&m, seqnr); 607 buffer_put_int64(&m, blocks); 608 buffer_put_int(&m, packets); 609 packet_get_state(MODE_IN, &seqnr, &blocks, &packets); 610 buffer_put_int(&m, seqnr); 611 buffer_put_int64(&m, blocks); 612 buffer_put_int(&m, packets); 613 614 debug3("%s: New keys have been sent", __func__); 615 skip: 616 /* More key context */ 617 plen = packet_get_keycontext(MODE_OUT, NULL); 618 p = xmalloc(plen+1); 619 packet_get_keycontext(MODE_OUT, p); 620 buffer_put_string(&m, p, plen); 621 xfree(p); 622 623 plen = packet_get_keycontext(MODE_IN, NULL); 624 p = xmalloc(plen+1); 625 packet_get_keycontext(MODE_IN, p); 626 buffer_put_string(&m, p, plen); 627 xfree(p); 628 629 /* Compression state */ 630 debug3("%s: Sending compression state", __func__); 631 buffer_put_string(&m, &outgoing_stream, sizeof(outgoing_stream)); 632 buffer_put_string(&m, &incoming_stream, sizeof(incoming_stream)); 633 634 /* Network I/O buffers */ 635 buffer_put_string(&m, buffer_ptr(&input), buffer_len(&input)); 636 buffer_put_string(&m, buffer_ptr(&output), buffer_len(&output)); 637 638 mm_request_send(monitor->m_recvfd, MONITOR_REQ_KEYEXPORT, &m); 639 debug3("%s: Finished sending state", __func__); 640 641 buffer_free(&m); 642} 643 644int 645mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen) 646{ 647 Buffer m; 648 char *p, *msg; 649 int success = 0; 650 651 buffer_init(&m); 652 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, &m); 653 654 debug3("%s: waiting for MONITOR_ANS_PTY", __func__); 655 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PTY, &m); 656 657 success = buffer_get_int(&m); 658 if (success == 0) { 659 debug3("%s: pty alloc failed", __func__); 660 buffer_free(&m); 661 return (0); 662 } 663 p = buffer_get_string(&m, NULL); 664 msg = buffer_get_string(&m, NULL); 665 buffer_free(&m); 666 667 strlcpy(namebuf, p, namebuflen); /* Possible truncation */ 668 xfree(p); 669 670 buffer_append(&loginmsg, msg, strlen(msg)); 671 xfree(msg); 672 673 *ptyfd = mm_receive_fd(pmonitor->m_recvfd); 674 *ttyfd = mm_receive_fd(pmonitor->m_recvfd); 675 676 /* Success */ 677 return (1); 678} 679 680void 681mm_session_pty_cleanup2(Session *s) 682{ 683 Buffer m; 684 685 if (s->ttyfd == -1) 686 return; 687 buffer_init(&m); 688 buffer_put_cstring(&m, s->tty); 689 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTYCLEANUP, &m); 690 buffer_free(&m); 691 692 /* closed dup'ed master */ 693 if (close(s->ptymaster) < 0) 694 error("close(s->ptymaster): %s", strerror(errno)); 695 696 /* unlink pty from session */ 697 s->ttyfd = -1; 698} 699 700#ifdef USE_PAM 701void 702mm_start_pam(Authctxt *authctxt) 703{ 704 Buffer m; 705 706 debug3("%s entering", __func__); 707 if (!options.use_pam) 708 fatal("UsePAM=no, but ended up in %s anyway", __func__); 709 710 buffer_init(&m); 711 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, &m); 712 713 buffer_free(&m); 714} 715 716u_int 717mm_do_pam_account(void) 718{ 719 Buffer m; 720 u_int ret; 721 char *msg; 722 723 debug3("%s entering", __func__); 724 if (!options.use_pam) 725 fatal("UsePAM=no, but ended up in %s anyway", __func__); 726 727 buffer_init(&m); 728 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_ACCOUNT, &m); 729 730 mm_request_receive_expect(pmonitor->m_recvfd, 731 MONITOR_ANS_PAM_ACCOUNT, &m); 732 ret = buffer_get_int(&m); 733 msg = buffer_get_string(&m, NULL); 734 buffer_append(&loginmsg, msg, strlen(msg)); 735 xfree(msg); 736 737 buffer_free(&m); 738 739 debug3("%s returning %d", __func__, ret); 740 741 return (ret); 742} 743 744void * 745mm_sshpam_init_ctx(Authctxt *authctxt) 746{ 747 Buffer m; 748 int success; 749 750 debug3("%s", __func__); 751 buffer_init(&m); 752 buffer_put_cstring(&m, authctxt->user); 753 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m); 754 debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__); 755 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m); 756 success = buffer_get_int(&m); 757 if (success == 0) { 758 debug3("%s: pam_init_ctx failed", __func__); 759 buffer_free(&m); 760 return (NULL); 761 } 762 buffer_free(&m); 763 return (authctxt); 764} 765 766int 767mm_sshpam_query(void *ctx, char **name, char **info, 768 u_int *num, char ***prompts, u_int **echo_on) 769{ 770 Buffer m; 771 int i, ret; 772 773 debug3("%s", __func__); 774 buffer_init(&m); 775 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_QUERY, &m); 776 debug3("%s: waiting for MONITOR_ANS_PAM_QUERY", __func__); 777 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_QUERY, &m); 778 ret = buffer_get_int(&m); 779 debug3("%s: pam_query returned %d", __func__, ret); 780 *name = buffer_get_string(&m, NULL); 781 *info = buffer_get_string(&m, NULL); 782 *num = buffer_get_int(&m); 783 *prompts = xmalloc((*num + 1) * sizeof(char *)); 784 *echo_on = xmalloc((*num + 1) * sizeof(u_int)); 785 for (i = 0; i < *num; ++i) { 786 (*prompts)[i] = buffer_get_string(&m, NULL); 787 (*echo_on)[i] = buffer_get_int(&m); 788 } 789 buffer_free(&m); 790 return (ret); 791} 792 793int 794mm_sshpam_respond(void *ctx, u_int num, char **resp) 795{ 796 Buffer m; 797 int i, ret; 798 799 debug3("%s", __func__); 800 buffer_init(&m); 801 buffer_put_int(&m, num); 802 for (i = 0; i < num; ++i) 803 buffer_put_cstring(&m, resp[i]); 804 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, &m); 805 debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__); 806 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_RESPOND, &m); 807 ret = buffer_get_int(&m); 808 debug3("%s: pam_respond returned %d", __func__, ret); 809 buffer_free(&m); 810 return (ret); 811} 812 813void 814mm_sshpam_free_ctx(void *ctxtp) 815{ 816 Buffer m; 817 818 debug3("%s", __func__); 819 buffer_init(&m); 820 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_FREE_CTX, &m); 821 debug3("%s: waiting for MONITOR_ANS_PAM_FREE_CTX", __func__); 822 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_FREE_CTX, &m); 823 buffer_free(&m); 824} 825#endif /* USE_PAM */ 826 827/* Request process termination */ 828 829void 830mm_terminate(void) 831{ 832 Buffer m; 833 834 buffer_init(&m); 835 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_TERM, &m); 836 buffer_free(&m); 837} 838 839int 840mm_ssh1_session_key(BIGNUM *num) 841{ 842 int rsafail; 843 Buffer m; 844 845 buffer_init(&m); 846 buffer_put_bignum2(&m, num); 847 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SESSKEY, &m); 848 849 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SESSKEY, &m); 850 851 rsafail = buffer_get_int(&m); 852 buffer_get_bignum2(&m, num); 853 854 buffer_free(&m); 855 856 return (rsafail); 857} 858 859static void 860mm_chall_setup(char **name, char **infotxt, u_int *numprompts, 861 char ***prompts, u_int **echo_on) 862{ 863 *name = xstrdup(""); 864 *infotxt = xstrdup(""); 865 *numprompts = 1; 866 *prompts = xmalloc(*numprompts * sizeof(char *)); 867 *echo_on = xmalloc(*numprompts * sizeof(u_int)); 868 (*echo_on)[0] = 0; 869} 870 871int 872mm_bsdauth_query(void *ctx, char **name, char **infotxt, 873 u_int *numprompts, char ***prompts, u_int **echo_on) 874{ 875 Buffer m; 876 u_int success; 877 char *challenge; 878 879 debug3("%s: entering", __func__); 880 881 buffer_init(&m); 882 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHQUERY, &m); 883 884 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_BSDAUTHQUERY, 885 &m); 886 success = buffer_get_int(&m); 887 if (success == 0) { 888 debug3("%s: no challenge", __func__); 889 buffer_free(&m); 890 return (-1); 891 } 892 893 /* Get the challenge, and format the response */ 894 challenge = buffer_get_string(&m, NULL); 895 buffer_free(&m); 896 897 mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); 898 (*prompts)[0] = challenge; 899 900 debug3("%s: received challenge: %s", __func__, challenge); 901 902 return (0); 903} 904 905int 906mm_bsdauth_respond(void *ctx, u_int numresponses, char **responses) 907{ 908 Buffer m; 909 int authok; 910 911 debug3("%s: entering", __func__); 912 if (numresponses != 1) 913 return (-1); 914 915 buffer_init(&m); 916 buffer_put_cstring(&m, responses[0]); 917 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHRESPOND, &m); 918 919 mm_request_receive_expect(pmonitor->m_recvfd, 920 MONITOR_ANS_BSDAUTHRESPOND, &m); 921 922 authok = buffer_get_int(&m); 923 buffer_free(&m); 924 925 return ((authok == 0) ? -1 : 0); 926} 927 928#ifdef SKEY 929int 930mm_skey_query(void *ctx, char **name, char **infotxt, 931 u_int *numprompts, char ***prompts, u_int **echo_on) 932{ 933 Buffer m; 934 int len; 935 u_int success; 936 char *p, *challenge; 937 938 debug3("%s: entering", __func__); 939 940 buffer_init(&m); 941 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYQUERY, &m); 942 943 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SKEYQUERY, 944 &m); 945 success = buffer_get_int(&m); 946 if (success == 0) { 947 debug3("%s: no challenge", __func__); 948 buffer_free(&m); 949 return (-1); 950 } 951 952 /* Get the challenge, and format the response */ 953 challenge = buffer_get_string(&m, NULL); 954 buffer_free(&m); 955 956 debug3("%s: received challenge: %s", __func__, challenge); 957 958 mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); 959 960 len = strlen(challenge) + strlen(SKEY_PROMPT) + 1; 961 p = xmalloc(len); 962 strlcpy(p, challenge, len); 963 strlcat(p, SKEY_PROMPT, len); 964 (*prompts)[0] = p; 965 xfree(challenge); 966 967 return (0); 968} 969 970int 971mm_skey_respond(void *ctx, u_int numresponses, char **responses) 972{ 973 Buffer m; 974 int authok; 975 976 debug3("%s: entering", __func__); 977 if (numresponses != 1) 978 return (-1); 979 980 buffer_init(&m); 981 buffer_put_cstring(&m, responses[0]); 982 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYRESPOND, &m); 983 984 mm_request_receive_expect(pmonitor->m_recvfd, 985 MONITOR_ANS_SKEYRESPOND, &m); 986 987 authok = buffer_get_int(&m); 988 buffer_free(&m); 989 990 return ((authok == 0) ? -1 : 0); 991} 992#endif /* SKEY */ 993 994void 995mm_ssh1_session_id(u_char session_id[16]) 996{ 997 Buffer m; 998 int i; 999 1000 debug3("%s entering", __func__); 1001 1002 buffer_init(&m); 1003 for (i = 0; i < 16; i++) 1004 buffer_put_char(&m, session_id[i]); 1005 1006 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SESSID, &m); 1007 buffer_free(&m); 1008} 1009 1010int 1011mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) 1012{ 1013 Buffer m; 1014 Key *key; 1015 u_char *blob; 1016 u_int blen; 1017 int allowed = 0, have_forced = 0; 1018 1019 debug3("%s entering", __func__); 1020 1021 buffer_init(&m); 1022 buffer_put_bignum2(&m, client_n); 1023 1024 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSAKEYALLOWED, &m); 1025 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSAKEYALLOWED, &m); 1026 1027 allowed = buffer_get_int(&m); 1028 1029 /* fake forced command */ 1030 auth_clear_options(); 1031 have_forced = buffer_get_int(&m); 1032 forced_command = have_forced ? xstrdup("true") : NULL; 1033 1034 if (allowed && rkey != NULL) { 1035 blob = buffer_get_string(&m, &blen); 1036 if ((key = key_from_blob(blob, blen)) == NULL) 1037 fatal("%s: key_from_blob failed", __func__); 1038 *rkey = key; 1039 xfree(blob); 1040 } 1041 mm_send_debug(&m); 1042 buffer_free(&m); 1043 1044 return (allowed); 1045} 1046 1047BIGNUM * 1048mm_auth_rsa_generate_challenge(Key *key) 1049{ 1050 Buffer m; 1051 BIGNUM *challenge; 1052 u_char *blob; 1053 u_int blen; 1054 1055 debug3("%s entering", __func__); 1056 1057 if ((challenge = BN_new()) == NULL) 1058 fatal("%s: BN_new failed", __func__); 1059 1060 key->type = KEY_RSA; /* XXX cheat for key_to_blob */ 1061 if (key_to_blob(key, &blob, &blen) == 0) 1062 fatal("%s: key_to_blob failed", __func__); 1063 key->type = KEY_RSA1; 1064 1065 buffer_init(&m); 1066 buffer_put_string(&m, blob, blen); 1067 xfree(blob); 1068 1069 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSACHALLENGE, &m); 1070 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSACHALLENGE, &m); 1071 1072 buffer_get_bignum2(&m, challenge); 1073 buffer_free(&m); 1074 1075 return (challenge); 1076} 1077 1078int 1079mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16]) 1080{ 1081 Buffer m; 1082 u_char *blob; 1083 u_int blen; 1084 int success = 0; 1085 1086 debug3("%s entering", __func__); 1087 1088 key->type = KEY_RSA; /* XXX cheat for key_to_blob */ 1089 if (key_to_blob(key, &blob, &blen) == 0) 1090 fatal("%s: key_to_blob failed", __func__); 1091 key->type = KEY_RSA1; 1092 1093 buffer_init(&m); 1094 buffer_put_string(&m, blob, blen); 1095 buffer_put_string(&m, response, 16); 1096 xfree(blob); 1097 1098 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSARESPONSE, &m); 1099 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSARESPONSE, &m); 1100 1101 success = buffer_get_int(&m); 1102 buffer_free(&m); 1103 1104 return (success); 1105} 1106 1107#ifdef SSH_AUDIT_EVENTS 1108void 1109mm_audit_event(ssh_audit_event_t event) 1110{ 1111 Buffer m; 1112 1113 debug3("%s entering", __func__); 1114 1115 buffer_init(&m); 1116 buffer_put_int(&m, event); 1117 1118 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_EVENT, &m); 1119 buffer_free(&m); 1120} 1121 1122void 1123mm_audit_run_command(const char *command) 1124{ 1125 Buffer m; 1126 1127 debug3("%s entering command %s", __func__, command); 1128 1129 buffer_init(&m); 1130 buffer_put_cstring(&m, command); 1131 1132 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m); 1133 buffer_free(&m); 1134} 1135#endif /* SSH_AUDIT_EVENTS */ 1136 1137#ifdef GSSAPI 1138OM_uint32 1139mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid) 1140{ 1141 Buffer m; 1142 OM_uint32 major; 1143 1144 /* Client doesn't get to see the context */ 1145 *ctx = NULL; 1146 1147 buffer_init(&m); 1148 buffer_put_string(&m, goid->elements, goid->length); 1149 1150 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSETUP, &m); 1151 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSETUP, &m); 1152 1153 major = buffer_get_int(&m); 1154 1155 buffer_free(&m); 1156 return (major); 1157} 1158 1159OM_uint32 1160mm_ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *in, 1161 gss_buffer_desc *out, OM_uint32 *flags) 1162{ 1163 Buffer m; 1164 OM_uint32 major; 1165 u_int len; 1166 1167 buffer_init(&m); 1168 buffer_put_string(&m, in->value, in->length); 1169 1170 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSTEP, &m); 1171 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSTEP, &m); 1172 1173 major = buffer_get_int(&m); 1174 out->value = buffer_get_string(&m, &len); 1175 out->length = len; 1176 if (flags) 1177 *flags = buffer_get_int(&m); 1178 1179 buffer_free(&m); 1180 1181 return (major); 1182} 1183 1184OM_uint32 1185mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) 1186{ 1187 Buffer m; 1188 OM_uint32 major; 1189 1190 buffer_init(&m); 1191 buffer_put_string(&m, gssbuf->value, gssbuf->length); 1192 buffer_put_string(&m, gssmic->value, gssmic->length); 1193 1194 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSCHECKMIC, &m); 1195 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSCHECKMIC, 1196 &m); 1197 1198 major = buffer_get_int(&m); 1199 buffer_free(&m); 1200 return(major); 1201} 1202 1203int 1204mm_ssh_gssapi_userok(char *user) 1205{ 1206 Buffer m; 1207 int authenticated = 0; 1208 1209 buffer_init(&m); 1210 1211 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, &m); 1212 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUSEROK, 1213 &m); 1214 1215 authenticated = buffer_get_int(&m); 1216 1217 buffer_free(&m); 1218 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 1219 return (authenticated); 1220} 1221#endif /* GSSAPI */ 1222