ssh.h revision 57467
1/* 2 * 3 * ssh.h 4 * 5 * Author: Tatu Ylonen <ylo@cs.hut.fi> 6 * 7 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 8 * All rights reserved 9 * 10 * Created: Fri Mar 17 17:09:37 1995 ylo 11 * 12 * Generic header file for ssh. 13 * 14 * $FreeBSD: head/crypto/openssh/ssh.h 57467 2000-02-25 04:41:06Z peter $ 15 */ 16 17/* RCSID("$Id: ssh.h,v 1.33 2000/02/01 22:32:53 d Exp $"); */ 18 19#ifndef SSH_H 20#define SSH_H 21 22#include "rsa.h" 23#include "cipher.h" 24 25/* 26 * The default cipher used if IDEA is not supported by the remote host. It is 27 * recommended that this be one of the mandatory ciphers (DES, 3DES), though 28 * that is not required. 29 */ 30#define SSH_FALLBACK_CIPHER SSH_CIPHER_3DES 31 32/* Cipher used for encrypting authentication files. */ 33#define SSH_AUTHFILE_CIPHER SSH_CIPHER_3DES 34 35/* Default port number. */ 36#define SSH_DEFAULT_PORT 22 37 38/* Maximum number of TCP/IP ports forwarded per direction. */ 39#define SSH_MAX_FORWARDS_PER_DIRECTION 100 40 41/* 42 * Maximum number of RSA authentication identity files that can be specified 43 * in configuration files or on the command line. 44 */ 45#define SSH_MAX_IDENTITY_FILES 100 46 47/* 48 * Major protocol version. Different version indicates major incompatiblity 49 * that prevents communication. 50 */ 51#define PROTOCOL_MAJOR 1 52 53/* 54 * Minor protocol version. Different version indicates minor incompatibility 55 * that does not prevent interoperation. 56 */ 57#define PROTOCOL_MINOR 5 58 59/* 60 * Name for the service. The port named by this service overrides the 61 * default port if present. 62 */ 63#define SSH_SERVICE_NAME "ssh" 64 65#define ETCDIR "/etc" 66#define PIDDIR "/var/run" 67 68/* 69 * System-wide file containing host keys of known hosts. This file should be 70 * world-readable. 71 */ 72#define SSH_SYSTEM_HOSTFILE ETCDIR "/ssh_known_hosts" 73 74/* 75 * Of these, ssh_host_key must be readable only by root, whereas ssh_config 76 * should be world-readable. 77 */ 78#define HOST_KEY_FILE ETCDIR "/ssh_host_key" 79#define SERVER_CONFIG_FILE ETCDIR "/sshd_config" 80#define HOST_CONFIG_FILE ETCDIR "/ssh_config" 81 82#define SSH_PROGRAM "/usr/bin/ssh" 83 84/* 85 * The process id of the daemon listening for connections is saved here to 86 * make it easier to kill the correct daemon when necessary. 87 */ 88#define SSH_DAEMON_PID_FILE PIDDIR "/sshd.pid" 89 90/* 91 * The directory in user\'s home directory in which the files reside. The 92 * directory should be world-readable (though not all files are). 93 */ 94#define SSH_USER_DIR ".ssh" 95 96/* 97 * Per-user file containing host keys of known hosts. This file need not be 98 * readable by anyone except the user him/herself, though this does not 99 * contain anything particularly secret. 100 */ 101#define SSH_USER_HOSTFILE "~/.ssh/known_hosts" 102 103/* 104 * Name of the default file containing client-side authentication key. This 105 * file should only be readable by the user him/herself. 106 */ 107#define SSH_CLIENT_IDENTITY ".ssh/identity" 108 109/* 110 * Configuration file in user\'s home directory. This file need not be 111 * readable by anyone but the user him/herself, but does not contain anything 112 * particularly secret. If the user\'s home directory resides on an NFS 113 * volume where root is mapped to nobody, this may need to be world-readable. 114 */ 115#define SSH_USER_CONFFILE ".ssh/config" 116 117/* 118 * File containing a list of those rsa keys that permit logging in as this 119 * user. This file need not be readable by anyone but the user him/herself, 120 * but does not contain anything particularly secret. If the user\'s home 121 * directory resides on an NFS volume where root is mapped to nobody, this 122 * may need to be world-readable. (This file is read by the daemon which is 123 * running as root.) 124 */ 125#define SSH_USER_PERMITTED_KEYS ".ssh/authorized_keys" 126 127/* 128 * Per-user and system-wide ssh "rc" files. These files are executed with 129 * /bin/sh before starting the shell or command if they exist. They will be 130 * passed "proto cookie" as arguments if X11 forwarding with spoofing is in 131 * use. xauth will be run if neither of these exists. 132 */ 133#define SSH_USER_RC ".ssh/rc" 134#define SSH_SYSTEM_RC ETCDIR "/sshrc" 135 136/* 137 * Ssh-only version of /etc/hosts.equiv. Additionally, the daemon may use 138 * ~/.rhosts and /etc/hosts.equiv if rhosts authentication is enabled. 139 */ 140#define SSH_HOSTS_EQUIV ETCDIR "/shosts.equiv" 141 142/* 143 * Name of the environment variable containing the pathname of the 144 * authentication socket. 145 */ 146#define SSH_AUTHSOCKET_ENV_NAME "SSH_AUTH_SOCK" 147 148/* 149 * Name of the environment variable containing the pathname of the 150 * authentication socket. 151 */ 152#define SSH_AGENTPID_ENV_NAME "SSH_AGENT_PID" 153 154/* 155 * Default path to ssh-askpass used by ssh-add, 156 * environment variable for overwriting the default location 157 */ 158#define SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass" 159#define SSH_ASKPASS_ENV "SSH_ASKPASS" 160 161/* 162 * Force host key length and server key length to differ by at least this 163 * many bits. This is to make double encryption with rsaref work. 164 */ 165#define SSH_KEY_BITS_RESERVED 128 166 167/* 168 * Length of the session key in bytes. (Specified as 256 bits in the 169 * protocol.) 170 */ 171#define SSH_SESSION_KEY_LENGTH 32 172 173/* Name of Kerberos service for SSH to use. */ 174#define KRB4_SERVICE_NAME "rcmd" 175 176/* 177 * Authentication methods. New types can be added, but old types should not 178 * be removed for compatibility. The maximum allowed value is 31. 179 */ 180#define SSH_AUTH_RHOSTS 1 181#define SSH_AUTH_RSA 2 182#define SSH_AUTH_PASSWORD 3 183#define SSH_AUTH_RHOSTS_RSA 4 184#define SSH_AUTH_TIS 5 185#define SSH_AUTH_KERBEROS 6 186#define SSH_PASS_KERBEROS_TGT 7 187 /* 8 to 15 are reserved */ 188#define SSH_PASS_AFS_TOKEN 21 189 190/* Protocol flags. These are bit masks. */ 191#define SSH_PROTOFLAG_SCREEN_NUMBER 1 /* X11 forwarding includes screen */ 192#define SSH_PROTOFLAG_HOST_IN_FWD_OPEN 2 /* forwarding opens contain host */ 193 194/* 195 * Definition of message types. New values can be added, but old values 196 * should not be removed or without careful consideration of the consequences 197 * for compatibility. The maximum value is 254; value 255 is reserved for 198 * future extension. 199 */ 200/* Message name */ /* msg code */ /* arguments */ 201#define SSH_MSG_NONE 0 /* no message */ 202#define SSH_MSG_DISCONNECT 1 /* cause (string) */ 203#define SSH_SMSG_PUBLIC_KEY 2 /* ck,msk,srvk,hostk */ 204#define SSH_CMSG_SESSION_KEY 3 /* key (BIGNUM) */ 205#define SSH_CMSG_USER 4 /* user (string) */ 206#define SSH_CMSG_AUTH_RHOSTS 5 /* user (string) */ 207#define SSH_CMSG_AUTH_RSA 6 /* modulus (BIGNUM) */ 208#define SSH_SMSG_AUTH_RSA_CHALLENGE 7 /* int (BIGNUM) */ 209#define SSH_CMSG_AUTH_RSA_RESPONSE 8 /* int (BIGNUM) */ 210#define SSH_CMSG_AUTH_PASSWORD 9 /* pass (string) */ 211#define SSH_CMSG_REQUEST_PTY 10 /* TERM, tty modes */ 212#define SSH_CMSG_WINDOW_SIZE 11 /* row,col,xpix,ypix */ 213#define SSH_CMSG_EXEC_SHELL 12 /* */ 214#define SSH_CMSG_EXEC_CMD 13 /* cmd (string) */ 215#define SSH_SMSG_SUCCESS 14 /* */ 216#define SSH_SMSG_FAILURE 15 /* */ 217#define SSH_CMSG_STDIN_DATA 16 /* data (string) */ 218#define SSH_SMSG_STDOUT_DATA 17 /* data (string) */ 219#define SSH_SMSG_STDERR_DATA 18 /* data (string) */ 220#define SSH_CMSG_EOF 19 /* */ 221#define SSH_SMSG_EXITSTATUS 20 /* status (int) */ 222#define SSH_MSG_CHANNEL_OPEN_CONFIRMATION 21 /* channel (int) */ 223#define SSH_MSG_CHANNEL_OPEN_FAILURE 22 /* channel (int) */ 224#define SSH_MSG_CHANNEL_DATA 23 /* ch,data (int,str) */ 225#define SSH_MSG_CHANNEL_CLOSE 24 /* channel (int) */ 226#define SSH_MSG_CHANNEL_CLOSE_CONFIRMATION 25 /* channel (int) */ 227/* SSH_CMSG_X11_REQUEST_FORWARDING 26 OBSOLETE */ 228#define SSH_SMSG_X11_OPEN 27 /* channel (int) */ 229#define SSH_CMSG_PORT_FORWARD_REQUEST 28 /* p,host,hp (i,s,i) */ 230#define SSH_MSG_PORT_OPEN 29 /* ch,h,p (i,s,i) */ 231#define SSH_CMSG_AGENT_REQUEST_FORWARDING 30 /* */ 232#define SSH_SMSG_AGENT_OPEN 31 /* port (int) */ 233#define SSH_MSG_IGNORE 32 /* string */ 234#define SSH_CMSG_EXIT_CONFIRMATION 33 /* */ 235#define SSH_CMSG_X11_REQUEST_FORWARDING 34 /* proto,data (s,s) */ 236#define SSH_CMSG_AUTH_RHOSTS_RSA 35 /* user,mod (s,mpi) */ 237#define SSH_MSG_DEBUG 36 /* string */ 238#define SSH_CMSG_REQUEST_COMPRESSION 37 /* level 1-9 (int) */ 239#define SSH_CMSG_MAX_PACKET_SIZE 38 /* size 4k-1024k (int) */ 240#define SSH_CMSG_AUTH_TIS 39 /* we use this for s/key */ 241#define SSH_SMSG_AUTH_TIS_CHALLENGE 40 /* challenge (string) */ 242#define SSH_CMSG_AUTH_TIS_RESPONSE 41 /* response (string) */ 243#define SSH_CMSG_AUTH_KERBEROS 42 /* (KTEXT) */ 244#define SSH_SMSG_AUTH_KERBEROS_RESPONSE 43 /* (KTEXT) */ 245#define SSH_CMSG_HAVE_KERBEROS_TGT 44 /* credentials (s) */ 246#define SSH_CMSG_HAVE_AFS_TOKEN 65 /* token (s) */ 247 248/*------------ definitions for login.c -------------*/ 249 250/* 251 * Returns the time when the user last logged in. Returns 0 if the 252 * information is not available. This must be called before record_login. 253 * The host from which the user logged in is stored in buf. 254 */ 255unsigned long 256get_last_login_time(uid_t uid, const char *logname, 257 char *buf, unsigned int bufsize); 258 259/* 260 * Records that the user has logged in. This does many things normally done 261 * by login(1). 262 */ 263void 264record_login(int pid, const char *ttyname, const char *user, uid_t uid, 265 const char *host, struct sockaddr *addr); 266 267/* 268 * Records that the user has logged out. This does many thigs normally done 269 * by login(1) or init. 270 */ 271void record_logout(int pid, const char *ttyname); 272 273/*------------ definitions for sshconnect.c ----------*/ 274 275/* 276 * Opens a TCP/IP connection to the remote server on the given host. If port 277 * is 0, the default port will be used. If anonymous is zero, a privileged 278 * port will be allocated to make the connection. This requires super-user 279 * privileges if anonymous is false. Connection_attempts specifies the 280 * maximum number of tries, one per second. This returns true on success, 281 * and zero on failure. If the connection is successful, this calls 282 * packet_set_connection for the connection. 283 */ 284int 285ssh_connect(const char *host, struct sockaddr_storage * hostaddr, 286 u_short port, int connection_attempts, 287 int anonymous, uid_t original_real_uid, 288 const char *proxy_command); 289 290/* 291 * Starts a dialog with the server, and authenticates the current user on the 292 * server. This does not need any extra privileges. The basic connection to 293 * the server must already have been established before this is called. If 294 * login fails, this function prints an error and never returns. This 295 * initializes the random state, and leaves it initialized (it will also have 296 * references from the packet module). 297 */ 298 299void 300ssh_login(int host_key_valid, RSA * host_key, const char *host, 301 struct sockaddr * hostaddr, uid_t original_real_uid); 302 303/*------------ Definitions for various authentication methods. -------*/ 304 305/* 306 * Tries to authenticate the user using the .rhosts file. Returns true if 307 * authentication succeeds. If ignore_rhosts is non-zero, this will not 308 * consider .rhosts and .shosts (/etc/hosts.equiv will still be used). 309 */ 310int auth_rhosts(struct passwd * pw, const char *client_user); 311 312/* 313 * Tries to authenticate the user using the .rhosts file and the host using 314 * its host key. Returns true if authentication succeeds. 315 */ 316int 317auth_rhosts_rsa(struct passwd * pw, const char *client_user, 318 BIGNUM * client_host_key_e, BIGNUM * client_host_key_n); 319 320/* 321 * Tries to authenticate the user using password. Returns true if 322 * authentication succeeds. 323 */ 324int auth_password(struct passwd * pw, const char *password); 325 326/* 327 * Performs the RSA authentication dialog with the client. This returns 0 if 328 * the client could not be authenticated, and 1 if authentication was 329 * successful. This may exit if there is a serious protocol violation. 330 */ 331int auth_rsa(struct passwd * pw, BIGNUM * client_n); 332 333/* 334 * Parses an RSA key (number of bits, e, n) from a string. Moves the pointer 335 * over the key. Skips any whitespace at the beginning and at end. 336 */ 337int auth_rsa_read_key(char **cpp, unsigned int *bitsp, BIGNUM * e, BIGNUM * n); 338 339/* 340 * Returns the name of the machine at the other end of the socket. The 341 * returned string should be freed by the caller. 342 */ 343char *get_remote_hostname(int socket); 344 345/* 346 * Return the canonical name of the host in the other side of the current 347 * connection (as returned by packet_get_connection). The host name is 348 * cached, so it is efficient to call this several times. 349 */ 350const char *get_canonical_hostname(void); 351 352/* 353 * Returns the remote IP address as an ascii string. The value need not be 354 * freed by the caller. 355 */ 356const char *get_remote_ipaddr(void); 357 358/* Returns the port number of the peer of the socket. */ 359int get_peer_port(int sock); 360 361/* Returns the port number of the remote/local host. */ 362int get_remote_port(void); 363int get_local_port(void); 364 365 366/* 367 * Tries to match the host name (which must be in all lowercase) against the 368 * comma-separated sequence of subpatterns (each possibly preceded by ! to 369 * indicate negation). Returns true if there is a positive match; zero 370 * otherwise. 371 */ 372int match_hostname(const char *host, const char *pattern, unsigned int len); 373 374/* 375 * Checks whether the given host is already in the list of our known hosts. 376 * Returns HOST_OK if the host is known and has the specified key, HOST_NEW 377 * if the host is not known, and HOST_CHANGED if the host is known but used 378 * to have a different host key. The host must be in all lowercase. 379 */ 380typedef enum { 381 HOST_OK, HOST_NEW, HOST_CHANGED 382} HostStatus; 383HostStatus 384check_host_in_hostfile(const char *filename, const char *host, 385 BIGNUM * e, BIGNUM * n, BIGNUM * ke, BIGNUM * kn); 386 387/* 388 * Appends an entry to the host file. Returns false if the entry could not 389 * be appended. 390 */ 391int 392add_host_to_hostfile(const char *filename, const char *host, 393 BIGNUM * e, BIGNUM * n); 394 395/* 396 * Performs the RSA authentication challenge-response dialog with the client, 397 * and returns true (non-zero) if the client gave the correct answer to our 398 * challenge; returns zero if the client gives a wrong answer. 399 */ 400int auth_rsa_challenge_dialog(BIGNUM * e, BIGNUM * n); 401 402/* 403 * Reads a passphrase from /dev/tty with echo turned off. Returns the 404 * passphrase (allocated with xmalloc). Exits if EOF is encountered. If 405 * from_stdin is true, the passphrase will be read from stdin instead. 406 */ 407char *read_passphrase(const char *prompt, int from_stdin); 408 409/* 410 * Saves the authentication (private) key in a file, encrypting it with 411 * passphrase. The identification of the file (lowest 64 bits of n) will 412 * precede the key to provide identification of the key without needing a 413 * passphrase. 414 */ 415int 416save_private_key(const char *filename, const char *passphrase, 417 RSA * private_key, const char *comment); 418 419/* 420 * Loads the public part of the key file (public key and comment). Returns 0 421 * if an error occurred; zero if the public key was successfully read. The 422 * comment of the key is returned in comment_return if it is non-NULL; the 423 * caller must free the value with xfree. 424 */ 425int 426load_public_key(const char *filename, RSA * pub, 427 char **comment_return); 428 429/* 430 * Loads the private key from the file. Returns 0 if an error is encountered 431 * (file does not exist or is not readable, or passphrase is bad). This 432 * initializes the private key. The comment of the key is returned in 433 * comment_return if it is non-NULL; the caller must free the value with 434 * xfree. 435 */ 436int 437load_private_key(const char *filename, const char *passphrase, 438 RSA * private_key, char **comment_return); 439 440/*------------ Definitions for logging. -----------------------*/ 441 442/* Supported syslog facilities and levels. */ 443typedef enum { 444 SYSLOG_FACILITY_DAEMON, 445 SYSLOG_FACILITY_USER, 446 SYSLOG_FACILITY_AUTH, 447 SYSLOG_FACILITY_LOCAL0, 448 SYSLOG_FACILITY_LOCAL1, 449 SYSLOG_FACILITY_LOCAL2, 450 SYSLOG_FACILITY_LOCAL3, 451 SYSLOG_FACILITY_LOCAL4, 452 SYSLOG_FACILITY_LOCAL5, 453 SYSLOG_FACILITY_LOCAL6, 454 SYSLOG_FACILITY_LOCAL7 455} SyslogFacility; 456 457typedef enum { 458 SYSLOG_LEVEL_QUIET, 459 SYSLOG_LEVEL_FATAL, 460 SYSLOG_LEVEL_ERROR, 461 SYSLOG_LEVEL_INFO, 462 SYSLOG_LEVEL_VERBOSE, 463 SYSLOG_LEVEL_DEBUG 464} LogLevel; 465/* Initializes logging. */ 466void log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr); 467 468/* Logging implementation, depending on server or client */ 469void do_log(LogLevel level, const char *fmt, va_list args); 470 471/* name to facility/level */ 472SyslogFacility log_facility_number(char *name); 473LogLevel log_level_number(char *name); 474 475/* Output a message to syslog or stderr */ 476void fatal(const char *fmt,...) __attribute__((format(printf, 1, 2))); 477void error(const char *fmt,...) __attribute__((format(printf, 1, 2))); 478void log(const char *fmt,...) __attribute__((format(printf, 1, 2))); 479void verbose(const char *fmt,...) __attribute__((format(printf, 1, 2))); 480void debug(const char *fmt,...) __attribute__((format(printf, 1, 2))); 481 482/* same as fatal() but w/o logging */ 483void fatal_cleanup(void); 484 485/* 486 * Registers a cleanup function to be called by fatal()/fatal_cleanup() 487 * before exiting. It is permissible to call fatal_remove_cleanup for the 488 * function itself from the function. 489 */ 490void fatal_add_cleanup(void (*proc) (void *context), void *context); 491 492/* Removes a cleanup function to be called at fatal(). */ 493void fatal_remove_cleanup(void (*proc) (void *context), void *context); 494 495/*---------------- definitions for channels ------------------*/ 496 497/* Sets specific protocol options. */ 498void channel_set_options(int hostname_in_open); 499 500/* 501 * Allocate a new channel object and set its type and socket. Remote_name 502 * must have been allocated with xmalloc; this will free it when the channel 503 * is freed. 504 */ 505int channel_allocate(int type, int sock, char *remote_name); 506 507/* Free the channel and close its socket. */ 508void channel_free(int channel); 509 510/* Add any bits relevant to channels in select bitmasks. */ 511void channel_prepare_select(fd_set * readset, fd_set * writeset); 512 513/* 514 * After select, perform any appropriate operations for channels which have 515 * events pending. 516 */ 517void channel_after_select(fd_set * readset, fd_set * writeset); 518 519/* If there is data to send to the connection, send some of it now. */ 520void channel_output_poll(void); 521 522/* 523 * This is called when a packet of type CHANNEL_DATA has just been received. 524 * The message type has already been consumed, but channel number and data is 525 * still there. 526 */ 527void channel_input_data(int payload_len); 528 529/* Returns true if no channel has too much buffered data. */ 530int channel_not_very_much_buffered_data(void); 531 532/* This is called after receiving CHANNEL_CLOSE. */ 533void channel_input_close(void); 534 535/* This is called after receiving CHANNEL_CLOSE_CONFIRMATION. */ 536void channel_input_close_confirmation(void); 537 538/* This is called after receiving CHANNEL_OPEN_CONFIRMATION. */ 539void channel_input_open_confirmation(void); 540 541/* This is called after receiving CHANNEL_OPEN_FAILURE from the other side. */ 542void channel_input_open_failure(void); 543 544/* This closes any sockets that are listening for connections; this removes 545 any unix domain sockets. */ 546void channel_stop_listening(void); 547 548/* 549 * Closes the sockets of all channels. This is used to close extra file 550 * descriptors after a fork. 551 */ 552void channel_close_all(void); 553 554/* Returns the maximum file descriptor number used by the channels. */ 555int channel_max_fd(void); 556 557/* Returns true if there is still an open channel over the connection. */ 558int channel_still_open(void); 559 560/* 561 * Returns a string containing a list of all open channels. The list is 562 * suitable for displaying to the user. It uses crlf instead of newlines. 563 * The caller should free the string with xfree. 564 */ 565char *channel_open_message(void); 566 567/* 568 * Initiate forwarding of connections to local port "port" through the secure 569 * channel to host:port from remote side. This never returns if there was an 570 * error. 571 */ 572void 573channel_request_local_forwarding(u_short port, const char *host, 574 u_short remote_port, int gateway_ports); 575 576/* 577 * Initiate forwarding of connections to port "port" on remote host through 578 * the secure channel to host:port from local side. This never returns if 579 * there was an error. This registers that open requests for that port are 580 * permitted. 581 */ 582void 583channel_request_remote_forwarding(u_short port, const char *host, 584 u_short remote_port); 585 586/* 587 * Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually 588 * called by the server, because the user could connect to any port anyway, 589 * and the server has no way to know but to trust the client anyway. 590 */ 591void channel_permit_all_opens(void); 592 593/* 594 * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates 595 * listening for the port, and sends back a success reply (or disconnect 596 * message if there was an error). This never returns if there was an error. 597 */ 598void channel_input_port_forward_request(int is_root); 599 600/* 601 * This is called after receiving PORT_OPEN message. This attempts to 602 * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION 603 * or CHANNEL_OPEN_FAILURE. 604 */ 605void channel_input_port_open(int payload_len); 606 607/* 608 * Creates a port for X11 connections, and starts listening for it. Returns 609 * the display name, or NULL if an error was encountered. 610 */ 611char *x11_create_display(int screen); 612 613/* 614 * Creates an internet domain socket for listening for X11 connections. 615 * Returns a suitable value for the DISPLAY variable, or NULL if an error 616 * occurs. 617 */ 618char *x11_create_display_inet(int screen, int x11_display_offset); 619 620/* 621 * This is called when SSH_SMSG_X11_OPEN is received. The packet contains 622 * the remote channel number. We should do whatever we want, and respond 623 * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. 624 */ 625void x11_input_open(int payload_len); 626 627/* 628 * Requests forwarding of X11 connections. This should be called on the 629 * client only. 630 */ 631void x11_request_forwarding(void); 632 633/* 634 * Requests forwarding for X11 connections, with authentication spoofing. 635 * This should be called in the client only. 636 */ 637void x11_request_forwarding_with_spoofing(const char *proto, const char *data); 638 639/* Sends a message to the server to request authentication fd forwarding. */ 640void auth_request_forwarding(void); 641 642/* 643 * Returns the name of the forwarded authentication socket. Returns NULL if 644 * there is no forwarded authentication socket. The returned value points to 645 * a static buffer. 646 */ 647char *auth_get_socket_name(void); 648 649/* 650 * This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server. 651 * This starts forwarding authentication requests. 652 */ 653void auth_input_request_forwarding(struct passwd * pw); 654 655/* This is called to process an SSH_SMSG_AGENT_OPEN message. */ 656void auth_input_open_request(void); 657 658/* 659 * Returns true if the given string matches the pattern (which may contain ? 660 * and * as wildcards), and zero if it does not match. 661 */ 662int match_pattern(const char *s, const char *pattern); 663 664/* 665 * Expands tildes in the file name. Returns data allocated by xmalloc. 666 * Warning: this calls getpw*. 667 */ 668char *tilde_expand_filename(const char *filename, uid_t my_uid); 669 670/* 671 * Performs the interactive session. This handles data transmission between 672 * the client and the program. Note that the notion of stdin, stdout, and 673 * stderr in this function is sort of reversed: this function writes to stdin 674 * (of the child program), and reads from stdout and stderr (of the child 675 * program). 676 */ 677void server_loop(int pid, int fdin, int fdout, int fderr); 678 679/* Client side main loop for the interactive session. */ 680int client_loop(int have_pty, int escape_char); 681 682/* Linked list of custom environment strings (see auth-rsa.c). */ 683struct envstring { 684 struct envstring *next; 685 char *s; 686}; 687 688/* 689 * Ensure all of data on socket comes through. f==read || f==write 690 */ 691ssize_t atomicio(ssize_t (*f)(), int fd, void *s, size_t n); 692 693#ifdef KRB4 694#include <krb.h> 695/* 696 * Performs Kerberos v4 mutual authentication with the client. This returns 0 697 * if the client could not be authenticated, and 1 if authentication was 698 * successful. This may exit if there is a serious protocol violation. 699 */ 700int auth_krb4(const char *server_user, KTEXT auth, char **client); 701int krb4_init(uid_t uid); 702void krb4_cleanup_proc(void *ignore); 703int auth_krb4_password(struct passwd * pw, const char *password); 704 705#ifdef AFS 706#include <kafs.h> 707 708/* Accept passed Kerberos v4 ticket-granting ticket and AFS tokens. */ 709int auth_kerberos_tgt(struct passwd * pw, const char *string); 710int auth_afs_token(struct passwd * pw, const char *token_string); 711 712int creds_to_radix(CREDENTIALS * creds, unsigned char *buf); 713int radix_to_creds(const char *buf, CREDENTIALS * creds); 714#endif /* AFS */ 715 716#endif /* KRB4 */ 717 718#ifdef SKEY 719#include <skey.h> 720char *skey_fake_keyinfo(char *username); 721int auth_skey_password(struct passwd * pw, const char *password); 722#endif /* SKEY */ 723 724/* AF_UNSPEC or AF_INET or AF_INET6 */ 725extern int IPv4or6; 726 727#endif /* SSH_H */ 728