monitor_wrap.c revision 181107
1/* $OpenBSD: monitor_wrap.c,v 1.54 2006/08/12 20:46:46 miod Exp $ */ 2/* 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28#include "includes.h" 29 30#include <sys/types.h> 31#include <sys/uio.h> 32 33#include <errno.h> 34#include <pwd.h> 35#include <signal.h> 36#include <stdarg.h> 37#include <stdio.h> 38#include <string.h> 39#include <unistd.h> 40 41#include <openssl/bn.h> 42#include <openssl/dh.h> 43 44#include "xmalloc.h" 45#include "ssh.h" 46#include "dh.h" 47#include "buffer.h" 48#include "key.h" 49#include "cipher.h" 50#include "kex.h" 51#include "hostfile.h" 52#include "auth.h" 53#include "auth-options.h" 54#include "packet.h" 55#include "mac.h" 56#include "log.h" 57#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */ 58#undef TARGET_OS_MAC 59#include "zlib.h" 60#define TARGET_OS_MAC 1 61#else 62#include "zlib.h" 63#endif 64#include "monitor.h" 65#ifdef GSSAPI 66#include "ssh-gss.h" 67#endif 68#include "monitor_wrap.h" 69#include "atomicio.h" 70#include "monitor_fdpass.h" 71#include "misc.h" 72#include "servconf.h" 73 74#include "channels.h" 75#include "session.h" 76 77/* Imports */ 78extern int compat20; 79extern Newkeys *newkeys[]; 80extern z_stream incoming_stream; 81extern z_stream outgoing_stream; 82extern struct monitor *pmonitor; 83extern Buffer input, output; 84extern Buffer loginmsg; 85extern ServerOptions options; 86 87int 88mm_is_monitor(void) 89{ 90 /* 91 * m_pid is only set in the privileged part, and 92 * points to the unprivileged child. 93 */ 94 return (pmonitor && pmonitor->m_pid > 0); 95} 96 97void 98mm_request_send(int sock, enum monitor_reqtype type, Buffer *m) 99{ 100 u_int mlen = buffer_len(m); 101 u_char buf[5]; 102 103 debug3("%s entering: type %d", __func__, type); 104 105 put_u32(buf, mlen + 1); 106 buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */ 107 if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf)) 108 fatal("%s: write: %s", __func__, strerror(errno)); 109 if (atomicio(vwrite, sock, buffer_ptr(m), mlen) != mlen) 110 fatal("%s: write: %s", __func__, strerror(errno)); 111} 112 113void 114mm_request_receive(int sock, Buffer *m) 115{ 116 u_char buf[4]; 117 u_int msg_len; 118 119 debug3("%s entering", __func__); 120 121 if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) { 122 if (errno == EPIPE) 123 cleanup_exit(255); 124 fatal("%s: read: %s", __func__, strerror(errno)); 125 } 126 msg_len = get_u32(buf); 127 if (msg_len > 256 * 1024) 128 fatal("%s: read: bad msg_len %d", __func__, msg_len); 129 buffer_clear(m); 130 buffer_append_space(m, msg_len); 131 if (atomicio(read, sock, buffer_ptr(m), msg_len) != msg_len) 132 fatal("%s: read: %s", __func__, strerror(errno)); 133} 134 135void 136mm_request_receive_expect(int sock, enum monitor_reqtype type, Buffer *m) 137{ 138 u_char rtype; 139 140 debug3("%s entering: type %d", __func__, type); 141 142 mm_request_receive(sock, m); 143 rtype = buffer_get_char(m); 144 if (rtype != type) 145 fatal("%s: read: rtype %d != type %d", __func__, 146 rtype, type); 147} 148 149DH * 150mm_choose_dh(int min, int nbits, int max) 151{ 152 BIGNUM *p, *g; 153 int success = 0; 154 Buffer m; 155 156 buffer_init(&m); 157 buffer_put_int(&m, min); 158 buffer_put_int(&m, nbits); 159 buffer_put_int(&m, max); 160 161 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_MODULI, &m); 162 163 debug3("%s: waiting for MONITOR_ANS_MODULI", __func__); 164 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_MODULI, &m); 165 166 success = buffer_get_char(&m); 167 if (success == 0) 168 fatal("%s: MONITOR_ANS_MODULI failed", __func__); 169 170 if ((p = BN_new()) == NULL) 171 fatal("%s: BN_new failed", __func__); 172 if ((g = BN_new()) == NULL) 173 fatal("%s: BN_new failed", __func__); 174 buffer_get_bignum2(&m, p); 175 buffer_get_bignum2(&m, g); 176 177 debug3("%s: remaining %d", __func__, buffer_len(&m)); 178 buffer_free(&m); 179 180 return (dh_new_group(g, p)); 181} 182 183int 184mm_key_sign(Key *key, u_char **sigp, u_int *lenp, u_char *data, u_int datalen) 185{ 186 Kex *kex = *pmonitor->m_pkex; 187 Buffer m; 188 189 debug3("%s entering", __func__); 190 191 buffer_init(&m); 192 buffer_put_int(&m, kex->host_key_index(key)); 193 buffer_put_string(&m, data, datalen); 194 195 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SIGN, &m); 196 197 debug3("%s: waiting for MONITOR_ANS_SIGN", __func__); 198 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SIGN, &m); 199 *sigp = buffer_get_string(&m, lenp); 200 buffer_free(&m); 201 202 return (0); 203} 204 205struct passwd * 206mm_getpwnamallow(const char *username) 207{ 208 Buffer m; 209 struct passwd *pw; 210 u_int pwlen; 211 212 debug3("%s entering", __func__); 213 214 buffer_init(&m); 215 buffer_put_cstring(&m, username); 216 217 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PWNAM, &m); 218 219 debug3("%s: waiting for MONITOR_ANS_PWNAM", __func__); 220 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PWNAM, &m); 221 222 if (buffer_get_char(&m) == 0) { 223 buffer_free(&m); 224 return (NULL); 225 } 226 pw = buffer_get_string(&m, &pwlen); 227 if (pwlen != sizeof(struct passwd)) 228 fatal("%s: struct passwd size mismatch", __func__); 229 pw->pw_name = buffer_get_string(&m, NULL); 230 pw->pw_passwd = buffer_get_string(&m, NULL); 231 pw->pw_gecos = buffer_get_string(&m, NULL); 232#ifdef HAVE_PW_CLASS_IN_PASSWD 233 pw->pw_class = buffer_get_string(&m, NULL); 234#endif 235 pw->pw_dir = buffer_get_string(&m, NULL); 236 pw->pw_shell = buffer_get_string(&m, NULL); 237 buffer_free(&m); 238 239 return (pw); 240} 241 242char * 243mm_auth2_read_banner(void) 244{ 245 Buffer m; 246 char *banner; 247 248 debug3("%s entering", __func__); 249 250 buffer_init(&m); 251 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, &m); 252 buffer_clear(&m); 253 254 mm_request_receive_expect(pmonitor->m_recvfd, 255 MONITOR_ANS_AUTH2_READ_BANNER, &m); 256 banner = buffer_get_string(&m, NULL); 257 buffer_free(&m); 258 259 /* treat empty banner as missing banner */ 260 if (strlen(banner) == 0) { 261 xfree(banner); 262 banner = NULL; 263 } 264 return (banner); 265} 266 267/* Inform the privileged process about service and style */ 268 269void 270mm_inform_authserv(char *service, char *style) 271{ 272 Buffer m; 273 274 debug3("%s entering", __func__); 275 276 buffer_init(&m); 277 buffer_put_cstring(&m, service); 278 buffer_put_cstring(&m, style ? style : ""); 279 280 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m); 281 282 buffer_free(&m); 283} 284 285/* Do the password authentication */ 286int 287mm_auth_password(Authctxt *authctxt, char *password) 288{ 289 Buffer m; 290 int authenticated = 0; 291 292 debug3("%s entering", __func__); 293 294 buffer_init(&m); 295 buffer_put_cstring(&m, password); 296 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHPASSWORD, &m); 297 298 debug3("%s: waiting for MONITOR_ANS_AUTHPASSWORD", __func__); 299 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHPASSWORD, &m); 300 301 authenticated = buffer_get_int(&m); 302 303 buffer_free(&m); 304 305 debug3("%s: user %sauthenticated", 306 __func__, authenticated ? "" : "not "); 307 return (authenticated); 308} 309 310int 311mm_user_key_allowed(struct passwd *pw, Key *key) 312{ 313 return (mm_key_allowed(MM_USERKEY, NULL, NULL, key)); 314} 315 316int 317mm_hostbased_key_allowed(struct passwd *pw, char *user, char *host, 318 Key *key) 319{ 320 return (mm_key_allowed(MM_HOSTKEY, user, host, key)); 321} 322 323int 324mm_auth_rhosts_rsa_key_allowed(struct passwd *pw, char *user, 325 char *host, Key *key) 326{ 327 int ret; 328 329 key->type = KEY_RSA; /* XXX hack for key_to_blob */ 330 ret = mm_key_allowed(MM_RSAHOSTKEY, user, host, key); 331 key->type = KEY_RSA1; 332 return (ret); 333} 334 335static void 336mm_send_debug(Buffer *m) 337{ 338 char *msg; 339 340 while (buffer_len(m)) { 341 msg = buffer_get_string(m, NULL); 342 debug3("%s: Sending debug: %s", __func__, msg); 343 packet_send_debug("%s", msg); 344 xfree(msg); 345 } 346} 347 348int 349mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key) 350{ 351 Buffer m; 352 u_char *blob; 353 u_int len; 354 int allowed = 0, have_forced = 0; 355 356 debug3("%s entering", __func__); 357 358 /* Convert the key to a blob and the pass it over */ 359 if (!key_to_blob(key, &blob, &len)) 360 return (0); 361 362 buffer_init(&m); 363 buffer_put_int(&m, type); 364 buffer_put_cstring(&m, user ? user : ""); 365 buffer_put_cstring(&m, host ? host : ""); 366 buffer_put_string(&m, blob, len); 367 xfree(blob); 368 369 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m); 370 371 debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__); 372 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYALLOWED, &m); 373 374 allowed = buffer_get_int(&m); 375 376 /* fake forced command */ 377 auth_clear_options(); 378 have_forced = buffer_get_int(&m); 379 forced_command = have_forced ? xstrdup("true") : NULL; 380 381 /* Send potential debug messages */ 382 mm_send_debug(&m); 383 384 buffer_free(&m); 385 386 return (allowed); 387} 388 389/* 390 * This key verify needs to send the key type along, because the 391 * privileged parent makes the decision if the key is allowed 392 * for authentication. 393 */ 394 395int 396mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen) 397{ 398 Buffer m; 399 u_char *blob; 400 u_int len; 401 int verified = 0; 402 403 debug3("%s entering", __func__); 404 405 /* Convert the key to a blob and the pass it over */ 406 if (!key_to_blob(key, &blob, &len)) 407 return (0); 408 409 buffer_init(&m); 410 buffer_put_string(&m, blob, len); 411 buffer_put_string(&m, sig, siglen); 412 buffer_put_string(&m, data, datalen); 413 xfree(blob); 414 415 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m); 416 417 debug3("%s: waiting for MONITOR_ANS_KEYVERIFY", __func__); 418 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYVERIFY, &m); 419 420 verified = buffer_get_int(&m); 421 422 buffer_free(&m); 423 424 return (verified); 425} 426 427/* Export key state after authentication */ 428Newkeys * 429mm_newkeys_from_blob(u_char *blob, int blen) 430{ 431 Buffer b; 432 u_int len; 433 Newkeys *newkey = NULL; 434 Enc *enc; 435 Mac *mac; 436 Comp *comp; 437 438 debug3("%s: %p(%d)", __func__, blob, blen); 439#ifdef DEBUG_PK 440 dump_base64(stderr, blob, blen); 441#endif 442 buffer_init(&b); 443 buffer_append(&b, blob, blen); 444 445 newkey = xmalloc(sizeof(*newkey)); 446 enc = &newkey->enc; 447 mac = &newkey->mac; 448 comp = &newkey->comp; 449 450 /* Enc structure */ 451 enc->name = buffer_get_string(&b, NULL); 452 buffer_get(&b, &enc->cipher, sizeof(enc->cipher)); 453 enc->enabled = buffer_get_int(&b); 454 enc->block_size = buffer_get_int(&b); 455 enc->key = buffer_get_string(&b, &enc->key_len); 456 enc->iv = buffer_get_string(&b, &len); 457 if (len != enc->block_size) 458 fatal("%s: bad ivlen: expected %u != %u", __func__, 459 enc->block_size, len); 460 461 if (enc->name == NULL || cipher_by_name(enc->name) != enc->cipher) 462 fatal("%s: bad cipher name %s or pointer %p", __func__, 463 enc->name, enc->cipher); 464 465 /* Mac structure */ 466 mac->name = buffer_get_string(&b, NULL); 467 if (mac->name == NULL || mac_init(mac, mac->name) == -1) 468 fatal("%s: can not init mac %s", __func__, mac->name); 469 mac->enabled = buffer_get_int(&b); 470 mac->key = buffer_get_string(&b, &len); 471 if (len > mac->key_len) 472 fatal("%s: bad mac key length: %u > %d", __func__, len, 473 mac->key_len); 474 mac->key_len = len; 475 476 /* Comp structure */ 477 comp->type = buffer_get_int(&b); 478 comp->enabled = buffer_get_int(&b); 479 comp->name = buffer_get_string(&b, NULL); 480 481 len = buffer_len(&b); 482 if (len != 0) 483 error("newkeys_from_blob: remaining bytes in blob %u", len); 484 buffer_free(&b); 485 return (newkey); 486} 487 488int 489mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp) 490{ 491 Buffer b; 492 int len; 493 Enc *enc; 494 Mac *mac; 495 Comp *comp; 496 Newkeys *newkey = newkeys[mode]; 497 498 debug3("%s: converting %p", __func__, newkey); 499 500 if (newkey == NULL) { 501 error("%s: newkey == NULL", __func__); 502 return 0; 503 } 504 enc = &newkey->enc; 505 mac = &newkey->mac; 506 comp = &newkey->comp; 507 508 buffer_init(&b); 509 /* Enc structure */ 510 buffer_put_cstring(&b, enc->name); 511 /* The cipher struct is constant and shared, you export pointer */ 512 buffer_append(&b, &enc->cipher, sizeof(enc->cipher)); 513 buffer_put_int(&b, enc->enabled); 514 buffer_put_int(&b, enc->block_size); 515 buffer_put_string(&b, enc->key, enc->key_len); 516 packet_get_keyiv(mode, enc->iv, enc->block_size); 517 buffer_put_string(&b, enc->iv, enc->block_size); 518 519 /* Mac structure */ 520 buffer_put_cstring(&b, mac->name); 521 buffer_put_int(&b, mac->enabled); 522 buffer_put_string(&b, mac->key, mac->key_len); 523 524 /* Comp structure */ 525 buffer_put_int(&b, comp->type); 526 buffer_put_int(&b, comp->enabled); 527 buffer_put_cstring(&b, comp->name); 528 529 len = buffer_len(&b); 530 if (lenp != NULL) 531 *lenp = len; 532 if (blobp != NULL) { 533 *blobp = xmalloc(len); 534 memcpy(*blobp, buffer_ptr(&b), len); 535 } 536 memset(buffer_ptr(&b), 0, len); 537 buffer_free(&b); 538 return len; 539} 540 541static void 542mm_send_kex(Buffer *m, Kex *kex) 543{ 544 buffer_put_string(m, kex->session_id, kex->session_id_len); 545 buffer_put_int(m, kex->we_need); 546 buffer_put_int(m, kex->hostkey_type); 547 buffer_put_int(m, kex->kex_type); 548 buffer_put_string(m, buffer_ptr(&kex->my), buffer_len(&kex->my)); 549 buffer_put_string(m, buffer_ptr(&kex->peer), buffer_len(&kex->peer)); 550 buffer_put_int(m, kex->flags); 551 buffer_put_cstring(m, kex->client_version_string); 552 buffer_put_cstring(m, kex->server_version_string); 553} 554 555void 556mm_send_keystate(struct monitor *monitor) 557{ 558 Buffer m; 559 u_char *blob, *p; 560 u_int bloblen, plen; 561 u_int32_t seqnr, packets; 562 u_int64_t blocks; 563 564 buffer_init(&m); 565 566 if (!compat20) { 567 u_char iv[24]; 568 u_char *key; 569 u_int ivlen, keylen; 570 571 buffer_put_int(&m, packet_get_protocol_flags()); 572 573 buffer_put_int(&m, packet_get_ssh1_cipher()); 574 575 debug3("%s: Sending ssh1 KEY+IV", __func__); 576 keylen = packet_get_encryption_key(NULL); 577 key = xmalloc(keylen+1); /* add 1 if keylen == 0 */ 578 keylen = packet_get_encryption_key(key); 579 buffer_put_string(&m, key, keylen); 580 memset(key, 0, keylen); 581 xfree(key); 582 583 ivlen = packet_get_keyiv_len(MODE_OUT); 584 packet_get_keyiv(MODE_OUT, iv, ivlen); 585 buffer_put_string(&m, iv, ivlen); 586 ivlen = packet_get_keyiv_len(MODE_OUT); 587 packet_get_keyiv(MODE_IN, iv, ivlen); 588 buffer_put_string(&m, iv, ivlen); 589 goto skip; 590 } else { 591 /* Kex for rekeying */ 592 mm_send_kex(&m, *monitor->m_pkex); 593 } 594 595 debug3("%s: Sending new keys: %p %p", 596 __func__, newkeys[MODE_OUT], newkeys[MODE_IN]); 597 598 /* Keys from Kex */ 599 if (!mm_newkeys_to_blob(MODE_OUT, &blob, &bloblen)) 600 fatal("%s: conversion of newkeys failed", __func__); 601 602 buffer_put_string(&m, blob, bloblen); 603 xfree(blob); 604 605 if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen)) 606 fatal("%s: conversion of newkeys failed", __func__); 607 608 buffer_put_string(&m, blob, bloblen); 609 xfree(blob); 610 611 packet_get_state(MODE_OUT, &seqnr, &blocks, &packets); 612 buffer_put_int(&m, seqnr); 613 buffer_put_int64(&m, blocks); 614 buffer_put_int(&m, packets); 615 packet_get_state(MODE_IN, &seqnr, &blocks, &packets); 616 buffer_put_int(&m, seqnr); 617 buffer_put_int64(&m, blocks); 618 buffer_put_int(&m, packets); 619 620 debug3("%s: New keys have been sent", __func__); 621 skip: 622 /* More key context */ 623 plen = packet_get_keycontext(MODE_OUT, NULL); 624 p = xmalloc(plen+1); 625 packet_get_keycontext(MODE_OUT, p); 626 buffer_put_string(&m, p, plen); 627 xfree(p); 628 629 plen = packet_get_keycontext(MODE_IN, NULL); 630 p = xmalloc(plen+1); 631 packet_get_keycontext(MODE_IN, p); 632 buffer_put_string(&m, p, plen); 633 xfree(p); 634 635 /* Compression state */ 636 debug3("%s: Sending compression state", __func__); 637 buffer_put_string(&m, &outgoing_stream, sizeof(outgoing_stream)); 638 buffer_put_string(&m, &incoming_stream, sizeof(incoming_stream)); 639 640 /* Network I/O buffers */ 641 buffer_put_string(&m, buffer_ptr(&input), buffer_len(&input)); 642 buffer_put_string(&m, buffer_ptr(&output), buffer_len(&output)); 643 644 mm_request_send(monitor->m_recvfd, MONITOR_REQ_KEYEXPORT, &m); 645 debug3("%s: Finished sending state", __func__); 646 647 buffer_free(&m); 648} 649 650int 651mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen) 652{ 653 Buffer m; 654 char *p, *msg; 655 int success = 0; 656 657 buffer_init(&m); 658 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, &m); 659 660 debug3("%s: waiting for MONITOR_ANS_PTY", __func__); 661 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PTY, &m); 662 663 success = buffer_get_int(&m); 664 if (success == 0) { 665 debug3("%s: pty alloc failed", __func__); 666 buffer_free(&m); 667 return (0); 668 } 669 p = buffer_get_string(&m, NULL); 670 msg = buffer_get_string(&m, NULL); 671 buffer_free(&m); 672 673 strlcpy(namebuf, p, namebuflen); /* Possible truncation */ 674 xfree(p); 675 676 buffer_append(&loginmsg, msg, strlen(msg)); 677 xfree(msg); 678 679 *ptyfd = mm_receive_fd(pmonitor->m_recvfd); 680 *ttyfd = mm_receive_fd(pmonitor->m_recvfd); 681 682 /* Success */ 683 return (1); 684} 685 686void 687mm_session_pty_cleanup2(Session *s) 688{ 689 Buffer m; 690 691 if (s->ttyfd == -1) 692 return; 693 buffer_init(&m); 694 buffer_put_cstring(&m, s->tty); 695 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTYCLEANUP, &m); 696 buffer_free(&m); 697 698 /* closed dup'ed master */ 699 if (close(s->ptymaster) < 0) 700 error("close(s->ptymaster): %s", strerror(errno)); 701 702 /* unlink pty from session */ 703 s->ttyfd = -1; 704} 705 706#ifdef USE_PAM 707void 708mm_start_pam(Authctxt *authctxt) 709{ 710 Buffer m; 711 712 debug3("%s entering", __func__); 713 if (!options.use_pam) 714 fatal("UsePAM=no, but ended up in %s anyway", __func__); 715 716 buffer_init(&m); 717 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, &m); 718 719 buffer_free(&m); 720} 721 722u_int 723mm_do_pam_account(void) 724{ 725 Buffer m; 726 u_int ret; 727 char *msg; 728 729 debug3("%s entering", __func__); 730 if (!options.use_pam) 731 fatal("UsePAM=no, but ended up in %s anyway", __func__); 732 733 buffer_init(&m); 734 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_ACCOUNT, &m); 735 736 mm_request_receive_expect(pmonitor->m_recvfd, 737 MONITOR_ANS_PAM_ACCOUNT, &m); 738 ret = buffer_get_int(&m); 739 msg = buffer_get_string(&m, NULL); 740 buffer_append(&loginmsg, msg, strlen(msg)); 741 xfree(msg); 742 743 buffer_free(&m); 744 745 debug3("%s returning %d", __func__, ret); 746 747 return (ret); 748} 749 750void * 751mm_sshpam_init_ctx(Authctxt *authctxt) 752{ 753 Buffer m; 754 int success; 755 756 debug3("%s", __func__); 757 buffer_init(&m); 758 buffer_put_cstring(&m, authctxt->user); 759 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m); 760 debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__); 761 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m); 762 success = buffer_get_int(&m); 763 if (success == 0) { 764 debug3("%s: pam_init_ctx failed", __func__); 765 buffer_free(&m); 766 return (NULL); 767 } 768 buffer_free(&m); 769 return (authctxt); 770} 771 772int 773mm_sshpam_query(void *ctx, char **name, char **info, 774 u_int *num, char ***prompts, u_int **echo_on) 775{ 776 Buffer m; 777 u_int i; 778 int ret; 779 780 debug3("%s", __func__); 781 buffer_init(&m); 782 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_QUERY, &m); 783 debug3("%s: waiting for MONITOR_ANS_PAM_QUERY", __func__); 784 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_QUERY, &m); 785 ret = buffer_get_int(&m); 786 debug3("%s: pam_query returned %d", __func__, ret); 787 *name = buffer_get_string(&m, NULL); 788 *info = buffer_get_string(&m, NULL); 789 *num = buffer_get_int(&m); 790 if (*num > PAM_MAX_NUM_MSG) 791 fatal("%s: recieved %u PAM messages, expected <= %u", 792 __func__, *num, PAM_MAX_NUM_MSG); 793 *prompts = xcalloc((*num + 1), sizeof(char *)); 794 *echo_on = xcalloc((*num + 1), sizeof(u_int)); 795 for (i = 0; i < *num; ++i) { 796 (*prompts)[i] = buffer_get_string(&m, NULL); 797 (*echo_on)[i] = buffer_get_int(&m); 798 } 799 buffer_free(&m); 800 return (ret); 801} 802 803int 804mm_sshpam_respond(void *ctx, u_int num, char **resp) 805{ 806 Buffer m; 807 u_int i; 808 int ret; 809 810 debug3("%s", __func__); 811 buffer_init(&m); 812 buffer_put_int(&m, num); 813 for (i = 0; i < num; ++i) 814 buffer_put_cstring(&m, resp[i]); 815 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, &m); 816 debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__); 817 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_RESPOND, &m); 818 ret = buffer_get_int(&m); 819 debug3("%s: pam_respond returned %d", __func__, ret); 820 buffer_free(&m); 821 return (ret); 822} 823 824void 825mm_sshpam_free_ctx(void *ctxtp) 826{ 827 Buffer m; 828 829 debug3("%s", __func__); 830 buffer_init(&m); 831 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_FREE_CTX, &m); 832 debug3("%s: waiting for MONITOR_ANS_PAM_FREE_CTX", __func__); 833 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_FREE_CTX, &m); 834 buffer_free(&m); 835} 836#endif /* USE_PAM */ 837 838/* Request process termination */ 839 840void 841mm_terminate(void) 842{ 843 Buffer m; 844 845 buffer_init(&m); 846 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_TERM, &m); 847 buffer_free(&m); 848} 849 850int 851mm_ssh1_session_key(BIGNUM *num) 852{ 853 int rsafail; 854 Buffer m; 855 856 buffer_init(&m); 857 buffer_put_bignum2(&m, num); 858 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SESSKEY, &m); 859 860 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SESSKEY, &m); 861 862 rsafail = buffer_get_int(&m); 863 buffer_get_bignum2(&m, num); 864 865 buffer_free(&m); 866 867 return (rsafail); 868} 869 870static void 871mm_chall_setup(char **name, char **infotxt, u_int *numprompts, 872 char ***prompts, u_int **echo_on) 873{ 874 *name = xstrdup(""); 875 *infotxt = xstrdup(""); 876 *numprompts = 1; 877 *prompts = xcalloc(*numprompts, sizeof(char *)); 878 *echo_on = xcalloc(*numprompts, sizeof(u_int)); 879 (*echo_on)[0] = 0; 880} 881 882int 883mm_bsdauth_query(void *ctx, char **name, char **infotxt, 884 u_int *numprompts, char ***prompts, u_int **echo_on) 885{ 886 Buffer m; 887 u_int success; 888 char *challenge; 889 890 debug3("%s: entering", __func__); 891 892 buffer_init(&m); 893 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHQUERY, &m); 894 895 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_BSDAUTHQUERY, 896 &m); 897 success = buffer_get_int(&m); 898 if (success == 0) { 899 debug3("%s: no challenge", __func__); 900 buffer_free(&m); 901 return (-1); 902 } 903 904 /* Get the challenge, and format the response */ 905 challenge = buffer_get_string(&m, NULL); 906 buffer_free(&m); 907 908 mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); 909 (*prompts)[0] = challenge; 910 911 debug3("%s: received challenge: %s", __func__, challenge); 912 913 return (0); 914} 915 916int 917mm_bsdauth_respond(void *ctx, u_int numresponses, char **responses) 918{ 919 Buffer m; 920 int authok; 921 922 debug3("%s: entering", __func__); 923 if (numresponses != 1) 924 return (-1); 925 926 buffer_init(&m); 927 buffer_put_cstring(&m, responses[0]); 928 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHRESPOND, &m); 929 930 mm_request_receive_expect(pmonitor->m_recvfd, 931 MONITOR_ANS_BSDAUTHRESPOND, &m); 932 933 authok = buffer_get_int(&m); 934 buffer_free(&m); 935 936 return ((authok == 0) ? -1 : 0); 937} 938 939#ifdef SKEY 940int 941mm_skey_query(void *ctx, char **name, char **infotxt, 942 u_int *numprompts, char ***prompts, u_int **echo_on) 943{ 944 Buffer m; 945 u_int success; 946 char *challenge; 947 948 debug3("%s: entering", __func__); 949 950 buffer_init(&m); 951 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYQUERY, &m); 952 953 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SKEYQUERY, 954 &m); 955 success = buffer_get_int(&m); 956 if (success == 0) { 957 debug3("%s: no challenge", __func__); 958 buffer_free(&m); 959 return (-1); 960 } 961 962 /* Get the challenge, and format the response */ 963 challenge = buffer_get_string(&m, NULL); 964 buffer_free(&m); 965 966 debug3("%s: received challenge: %s", __func__, challenge); 967 968 mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); 969 970 xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT); 971 xfree(challenge); 972 973 return (0); 974} 975 976int 977mm_skey_respond(void *ctx, u_int numresponses, char **responses) 978{ 979 Buffer m; 980 int authok; 981 982 debug3("%s: entering", __func__); 983 if (numresponses != 1) 984 return (-1); 985 986 buffer_init(&m); 987 buffer_put_cstring(&m, responses[0]); 988 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYRESPOND, &m); 989 990 mm_request_receive_expect(pmonitor->m_recvfd, 991 MONITOR_ANS_SKEYRESPOND, &m); 992 993 authok = buffer_get_int(&m); 994 buffer_free(&m); 995 996 return ((authok == 0) ? -1 : 0); 997} 998#endif /* SKEY */ 999 1000void 1001mm_ssh1_session_id(u_char session_id[16]) 1002{ 1003 Buffer m; 1004 int i; 1005 1006 debug3("%s entering", __func__); 1007 1008 buffer_init(&m); 1009 for (i = 0; i < 16; i++) 1010 buffer_put_char(&m, session_id[i]); 1011 1012 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SESSID, &m); 1013 buffer_free(&m); 1014} 1015 1016int 1017mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) 1018{ 1019 Buffer m; 1020 Key *key; 1021 u_char *blob; 1022 u_int blen; 1023 int allowed = 0, have_forced = 0; 1024 1025 debug3("%s entering", __func__); 1026 1027 buffer_init(&m); 1028 buffer_put_bignum2(&m, client_n); 1029 1030 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSAKEYALLOWED, &m); 1031 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSAKEYALLOWED, &m); 1032 1033 allowed = buffer_get_int(&m); 1034 1035 /* fake forced command */ 1036 auth_clear_options(); 1037 have_forced = buffer_get_int(&m); 1038 forced_command = have_forced ? xstrdup("true") : NULL; 1039 1040 if (allowed && rkey != NULL) { 1041 blob = buffer_get_string(&m, &blen); 1042 if ((key = key_from_blob(blob, blen)) == NULL) 1043 fatal("%s: key_from_blob failed", __func__); 1044 *rkey = key; 1045 xfree(blob); 1046 } 1047 mm_send_debug(&m); 1048 buffer_free(&m); 1049 1050 return (allowed); 1051} 1052 1053BIGNUM * 1054mm_auth_rsa_generate_challenge(Key *key) 1055{ 1056 Buffer m; 1057 BIGNUM *challenge; 1058 u_char *blob; 1059 u_int blen; 1060 1061 debug3("%s entering", __func__); 1062 1063 if ((challenge = BN_new()) == NULL) 1064 fatal("%s: BN_new failed", __func__); 1065 1066 key->type = KEY_RSA; /* XXX cheat for key_to_blob */ 1067 if (key_to_blob(key, &blob, &blen) == 0) 1068 fatal("%s: key_to_blob failed", __func__); 1069 key->type = KEY_RSA1; 1070 1071 buffer_init(&m); 1072 buffer_put_string(&m, blob, blen); 1073 xfree(blob); 1074 1075 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSACHALLENGE, &m); 1076 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSACHALLENGE, &m); 1077 1078 buffer_get_bignum2(&m, challenge); 1079 buffer_free(&m); 1080 1081 return (challenge); 1082} 1083 1084int 1085mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16]) 1086{ 1087 Buffer m; 1088 u_char *blob; 1089 u_int blen; 1090 int success = 0; 1091 1092 debug3("%s entering", __func__); 1093 1094 key->type = KEY_RSA; /* XXX cheat for key_to_blob */ 1095 if (key_to_blob(key, &blob, &blen) == 0) 1096 fatal("%s: key_to_blob failed", __func__); 1097 key->type = KEY_RSA1; 1098 1099 buffer_init(&m); 1100 buffer_put_string(&m, blob, blen); 1101 buffer_put_string(&m, response, 16); 1102 xfree(blob); 1103 1104 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSARESPONSE, &m); 1105 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSARESPONSE, &m); 1106 1107 success = buffer_get_int(&m); 1108 buffer_free(&m); 1109 1110 return (success); 1111} 1112 1113#ifdef SSH_AUDIT_EVENTS 1114void 1115mm_audit_event(ssh_audit_event_t event) 1116{ 1117 Buffer m; 1118 1119 debug3("%s entering", __func__); 1120 1121 buffer_init(&m); 1122 buffer_put_int(&m, event); 1123 1124 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_EVENT, &m); 1125 buffer_free(&m); 1126} 1127 1128void 1129mm_audit_run_command(const char *command) 1130{ 1131 Buffer m; 1132 1133 debug3("%s entering command %s", __func__, command); 1134 1135 buffer_init(&m); 1136 buffer_put_cstring(&m, command); 1137 1138 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m); 1139 buffer_free(&m); 1140} 1141#endif /* SSH_AUDIT_EVENTS */ 1142 1143#ifdef GSSAPI 1144OM_uint32 1145mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid) 1146{ 1147 Buffer m; 1148 OM_uint32 major; 1149 1150 /* Client doesn't get to see the context */ 1151 *ctx = NULL; 1152 1153 buffer_init(&m); 1154 buffer_put_string(&m, goid->elements, goid->length); 1155 1156 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSETUP, &m); 1157 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSETUP, &m); 1158 1159 major = buffer_get_int(&m); 1160 1161 buffer_free(&m); 1162 return (major); 1163} 1164 1165OM_uint32 1166mm_ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *in, 1167 gss_buffer_desc *out, OM_uint32 *flags) 1168{ 1169 Buffer m; 1170 OM_uint32 major; 1171 u_int len; 1172 1173 buffer_init(&m); 1174 buffer_put_string(&m, in->value, in->length); 1175 1176 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSTEP, &m); 1177 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSTEP, &m); 1178 1179 major = buffer_get_int(&m); 1180 out->value = buffer_get_string(&m, &len); 1181 out->length = len; 1182 if (flags) 1183 *flags = buffer_get_int(&m); 1184 1185 buffer_free(&m); 1186 1187 return (major); 1188} 1189 1190OM_uint32 1191mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) 1192{ 1193 Buffer m; 1194 OM_uint32 major; 1195 1196 buffer_init(&m); 1197 buffer_put_string(&m, gssbuf->value, gssbuf->length); 1198 buffer_put_string(&m, gssmic->value, gssmic->length); 1199 1200 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSCHECKMIC, &m); 1201 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSCHECKMIC, 1202 &m); 1203 1204 major = buffer_get_int(&m); 1205 buffer_free(&m); 1206 return(major); 1207} 1208 1209int 1210mm_ssh_gssapi_userok(char *user) 1211{ 1212 Buffer m; 1213 int authenticated = 0; 1214 1215 buffer_init(&m); 1216 1217 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, &m); 1218 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUSEROK, 1219 &m); 1220 1221 authenticated = buffer_get_int(&m); 1222 1223 buffer_free(&m); 1224 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 1225 return (authenticated); 1226} 1227#endif /* GSSAPI */ 1228