blob: 4a5f6627832e5f9f696e672cf08cf9890669502d [file] [log] [blame]
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001/*
Damien Miller95def091999-11-25 00:26:21 +11002 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
Damien Millere4340be2000-09-16 13:29:08 +11005 * This program is the ssh daemon. It listens for connections from clients,
6 * and performs authentication, executes use commands or shell, and forwards
Damien Miller95def091999-11-25 00:26:21 +11007 * information to/from the application to the user client over an encrypted
Damien Millere4340be2000-09-16 13:29:08 +11008 * connection. This can also handle forwarding of X11, TCP/IP, and
9 * authentication agent connections.
Damien Millerefb4afe2000-04-12 18:45:05 +100010 *
Damien Millere4340be2000-09-16 13:29:08 +110011 * As far as I am concerned, the code I have written for this software
12 * can be used freely for any purpose. Any derived versions of this
13 * software must be clearly marked as such, and if the derived work is
14 * incompatible with the protocol description in the RFC file, it must be
15 * called by a name other than "ssh" or "Secure Shell".
16 *
17 * SSH2 implementation:
18 *
19 * Copyright (c) 2000 Markus Friedl. All rights reserved.
20 *
21 * Redistribution and use in source and binary forms, with or without
22 * modification, are permitted provided that the following conditions
23 * are met:
24 * 1. Redistributions of source code must retain the above copyright
25 * notice, this list of conditions and the following disclaimer.
26 * 2. Redistributions in binary form must reproduce the above copyright
27 * notice, this list of conditions and the following disclaimer in the
28 * documentation and/or other materials provided with the distribution.
29 *
30 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
31 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
33 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
34 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
35 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
36 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
37 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
38 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
39 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Damien Miller95def091999-11-25 00:26:21 +110040 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +100041
42#include "includes.h"
Damien Miller0bc1bd82000-11-13 22:57:25 +110043RCSID("$OpenBSD: sshd.c,v 1.134 2000/11/12 19:50:38 markus Exp $");
Damien Millerd4a8b7e1999-10-27 13:42:43 +100044
45#include "xmalloc.h"
46#include "rsa.h"
47#include "ssh.h"
48#include "pty.h"
49#include "packet.h"
Damien Millerd4a8b7e1999-10-27 13:42:43 +100050#include "mpaux.h"
51#include "servconf.h"
52#include "uidswap.h"
53#include "compat.h"
Damien Millerb38eff82000-04-01 11:09:21 +100054#include "buffer.h"
55
Damien Millerefb4afe2000-04-12 18:45:05 +100056#include "ssh2.h"
Damien Miller5f056372000-04-16 12:31:48 +100057#include <openssl/dh.h>
58#include <openssl/bn.h>
59#include <openssl/hmac.h>
Damien Millerefb4afe2000-04-12 18:45:05 +100060#include "kex.h"
Damien Miller5f056372000-04-16 12:31:48 +100061#include <openssl/dsa.h>
62#include <openssl/rsa.h>
Damien Millerb38eff82000-04-01 11:09:21 +100063#include "key.h"
Damien Miller874d77b2000-10-14 16:23:11 +110064#include "dh.h"
Damien Millerb38eff82000-04-01 11:09:21 +100065
66#include "auth.h"
Damien Millerefb4afe2000-04-12 18:45:05 +100067#include "myproposal.h"
Damien Millereba71ba2000-04-29 23:57:08 +100068#include "authfile.h"
Damien Millerd4a8b7e1999-10-27 13:42:43 +100069
70#ifdef LIBWRAP
71#include <tcpd.h>
72#include <syslog.h>
73int allow_severity = LOG_INFO;
74int deny_severity = LOG_WARNING;
75#endif /* LIBWRAP */
76
77#ifndef O_NOCTTY
78#define O_NOCTTY 0
79#endif
80
Ben Lindstrom49a79c02000-11-17 03:47:20 +000081#ifdef HAVE___PROGNAME
82extern char *__progname;
83#else
84char *__progname;
85#endif
86
Damien Millerd4a8b7e1999-10-27 13:42:43 +100087/* Server configuration options. */
88ServerOptions options;
89
90/* Name of the server configuration file. */
91char *config_file_name = SERVER_CONFIG_FILE;
92
Damien Miller4af51302000-04-16 11:18:38 +100093/*
Damien Miller34132e52000-01-14 15:45:46 +110094 * Flag indicating whether IPv4 or IPv6. This can be set on the command line.
95 * Default value is AF_UNSPEC means both IPv4 and IPv6.
96 */
Damien Miller7d80e342000-01-19 14:36:49 +110097#ifdef IPV4_DEFAULT
98int IPv4or6 = AF_INET;
99#else
Damien Miller34132e52000-01-14 15:45:46 +1100100int IPv4or6 = AF_UNSPEC;
Damien Miller7d80e342000-01-19 14:36:49 +1100101#endif
Damien Miller34132e52000-01-14 15:45:46 +1100102
Damien Miller95def091999-11-25 00:26:21 +1100103/*
104 * Debug mode flag. This can be set on the command line. If debug
105 * mode is enabled, extra debugging output will be sent to the system
106 * log, the daemon will not go to background, and will exit after processing
107 * the first connection.
108 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000109int debug_flag = 0;
110
111/* Flag indicating that the daemon is being started from inetd. */
112int inetd_flag = 0;
113
Damien Miller5ce662a1999-11-11 17:57:39 +1100114/* debug goes to stderr unless inetd_flag is set */
115int log_stderr = 0;
116
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000117/* argv[0] without path. */
118char *av0;
119
120/* Saved arguments to main(). */
121char **saved_argv;
Damien Millerb8c656e2000-06-28 15:22:41 +1000122int saved_argc;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000123
Damien Miller5428f641999-11-25 11:54:57 +1100124/*
Damien Miller34132e52000-01-14 15:45:46 +1100125 * The sockets that the server is listening; this is used in the SIGHUP
126 * signal handler.
Damien Miller5428f641999-11-25 11:54:57 +1100127 */
Damien Miller34132e52000-01-14 15:45:46 +1100128#define MAX_LISTEN_SOCKS 16
129int listen_socks[MAX_LISTEN_SOCKS];
130int num_listen_socks = 0;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000131
Damien Miller5428f641999-11-25 11:54:57 +1100132/*
133 * the client's version string, passed by sshd2 in compat mode. if != NULL,
134 * sshd will skip the version-number exchange
135 */
Damien Miller95def091999-11-25 00:26:21 +1100136char *client_version_string = NULL;
Damien Millerb38eff82000-04-01 11:09:21 +1000137char *server_version_string = NULL;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000138
Damien Miller5428f641999-11-25 11:54:57 +1100139/*
140 * Any really sensitive data in the application is contained in this
141 * structure. The idea is that this structure could be locked into memory so
142 * that the pages do not get written into swap. However, there are some
143 * problems. The private key contains BIGNUMs, and we do not (in principle)
144 * have access to the internals of them, and locking just the structure is
145 * not very useful. Currently, memory locking is not implemented.
146 */
Damien Miller95def091999-11-25 00:26:21 +1100147struct {
Damien Miller0bc1bd82000-11-13 22:57:25 +1100148 Key *server_key; /* empheral server key */
149 Key *ssh1_host_key; /* ssh1 host key */
150 Key **host_keys; /* all private host keys */
151 int have_ssh1_key;
152 int have_ssh2_key;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000153} sensitive_data;
154
Damien Miller5428f641999-11-25 11:54:57 +1100155/*
156 * Flag indicating whether the current session key has been used. This flag
157 * is set whenever the key is used, and cleared when the key is regenerated.
158 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000159int key_used = 0;
160
161/* This is set to true when SIGHUP is received. */
162int received_sighup = 0;
163
Damien Millerb38eff82000-04-01 11:09:21 +1000164/* session identifier, used by RSA-auth */
165unsigned char session_id[16];
166
Damien Millereba71ba2000-04-29 23:57:08 +1000167/* same for ssh2 */
168unsigned char *session_id2 = NULL;
169int session_id2_len = 0;
170
Damien Miller942da032000-08-18 13:59:06 +1000171/* record remote hostname or ip */
172unsigned int utmp_len = MAXHOSTNAMELEN;
173
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000174/* Prototypes for various functions defined later in this file. */
Damien Millerb38eff82000-04-01 11:09:21 +1000175void do_ssh1_kex();
Damien Millerefb4afe2000-04-12 18:45:05 +1000176void do_ssh2_kex();
Damien Miller98c7ad62000-03-09 21:27:49 +1100177
Damien Miller874d77b2000-10-14 16:23:11 +1100178void ssh_dh1_server(Kex *, Buffer *_kexinit, Buffer *);
179void ssh_dhgex_server(Kex *, Buffer *_kexinit, Buffer *);
180
Damien Miller98c7ad62000-03-09 21:27:49 +1100181/*
Damien Miller34132e52000-01-14 15:45:46 +1100182 * Close all listening sockets
183 */
184void
185close_listen_socks(void)
186{
187 int i;
188 for (i = 0; i < num_listen_socks; i++)
189 close(listen_socks[i]);
190 num_listen_socks = -1;
191}
192
193/*
Damien Miller95def091999-11-25 00:26:21 +1100194 * Signal handler for SIGHUP. Sshd execs itself when it receives SIGHUP;
195 * the effect is to reread the configuration file (and to regenerate
196 * the server key).
197 */
Damien Miller4af51302000-04-16 11:18:38 +1000198void
Damien Miller95def091999-11-25 00:26:21 +1100199sighup_handler(int sig)
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000200{
Damien Miller95def091999-11-25 00:26:21 +1100201 received_sighup = 1;
202 signal(SIGHUP, sighup_handler);
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000203}
204
Damien Miller95def091999-11-25 00:26:21 +1100205/*
206 * Called from the main program after receiving SIGHUP.
207 * Restarts the server.
208 */
Damien Miller4af51302000-04-16 11:18:38 +1000209void
Damien Miller95def091999-11-25 00:26:21 +1100210sighup_restart()
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000211{
Damien Miller95def091999-11-25 00:26:21 +1100212 log("Received SIGHUP; restarting.");
Damien Miller34132e52000-01-14 15:45:46 +1100213 close_listen_socks();
Damien Miller95def091999-11-25 00:26:21 +1100214 execv(saved_argv[0], saved_argv);
215 log("RESTART FAILED: av0='%s', error: %s.", av0, strerror(errno));
216 exit(1);
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000217}
218
Damien Miller95def091999-11-25 00:26:21 +1100219/*
220 * Generic signal handler for terminating signals in the master daemon.
221 * These close the listen socket; not closing it seems to cause "Address
222 * already in use" problems on some machines, which is inconvenient.
223 */
Damien Miller4af51302000-04-16 11:18:38 +1000224void
Damien Miller95def091999-11-25 00:26:21 +1100225sigterm_handler(int sig)
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000226{
Damien Miller95def091999-11-25 00:26:21 +1100227 log("Received signal %d; terminating.", sig);
Damien Miller34132e52000-01-14 15:45:46 +1100228 close_listen_socks();
Damien Miller6f83b8e2000-05-02 09:23:45 +1000229 unlink(options.pid_file);
Damien Miller95def091999-11-25 00:26:21 +1100230 exit(255);
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000231}
232
Damien Miller95def091999-11-25 00:26:21 +1100233/*
234 * SIGCHLD handler. This is called whenever a child dies. This will then
235 * reap any zombies left by exited c.
236 */
Damien Miller4af51302000-04-16 11:18:38 +1000237void
Damien Miller95def091999-11-25 00:26:21 +1100238main_sigchld_handler(int sig)
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000239{
Damien Miller95def091999-11-25 00:26:21 +1100240 int save_errno = errno;
241 int status;
Damien Miller431f66b1999-11-21 18:31:57 +1100242
Damien Miller95def091999-11-25 00:26:21 +1100243 while (waitpid(-1, &status, WNOHANG) > 0)
244 ;
Damien Miller431f66b1999-11-21 18:31:57 +1100245
Damien Miller95def091999-11-25 00:26:21 +1100246 signal(SIGCHLD, main_sigchld_handler);
247 errno = save_errno;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000248}
249
Damien Miller95def091999-11-25 00:26:21 +1100250/*
251 * Signal handler for the alarm after the login grace period has expired.
252 */
Damien Miller4af51302000-04-16 11:18:38 +1000253void
Damien Miller95def091999-11-25 00:26:21 +1100254grace_alarm_handler(int sig)
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000255{
Damien Miller95def091999-11-25 00:26:21 +1100256 /* Close the connection. */
257 packet_close();
258
259 /* Log error and exit. */
260 fatal("Timeout before authentication for %s.", get_remote_ipaddr());
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000261}
262
Damien Miller95def091999-11-25 00:26:21 +1100263/*
Damien Miller95def091999-11-25 00:26:21 +1100264 * Signal handler for the key regeneration alarm. Note that this
265 * alarm only occurs in the daemon waiting for connections, and it does not
266 * do anything with the private key or random state before forking.
267 * Thus there should be no concurrency control/asynchronous execution
268 * problems.
269 */
Damien Millereba71ba2000-04-29 23:57:08 +1000270/* XXX do we really want this work to be done in a signal handler ? -m */
Damien Miller4af51302000-04-16 11:18:38 +1000271void
Damien Miller0bc1bd82000-11-13 22:57:25 +1100272generate_empheral_server_key(void)
273{
274 log("Generating %s%d bit RSA key.", sensitive_data.server_key ? "new " : "",
275 options.server_key_bits);
276 if (sensitive_data.server_key != NULL)
277 key_free(sensitive_data.server_key);
278 sensitive_data.server_key = key_generate(KEY_RSA1, options.server_key_bits);
279 arc4random_stir();
280 log("RSA key generation complete.");
281}
282void
Damien Miller95def091999-11-25 00:26:21 +1100283key_regeneration_alarm(int sig)
284{
285 int save_errno = errno;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000286
Damien Miller95def091999-11-25 00:26:21 +1100287 /* Check if we should generate a new key. */
288 if (key_used) {
289 /* This should really be done in the background. */
Damien Miller0bc1bd82000-11-13 22:57:25 +1100290 generate_empheral_server_key();
Damien Miller95def091999-11-25 00:26:21 +1100291 key_used = 0;
Damien Miller95def091999-11-25 00:26:21 +1100292 }
293 /* Reschedule the alarm. */
294 signal(SIGALRM, key_regeneration_alarm);
295 alarm(options.key_regeneration_time);
296 errno = save_errno;
297}
298
Damien Millerb38eff82000-04-01 11:09:21 +1000299void
300sshd_exchange_identification(int sock_in, int sock_out)
301{
Damien Miller78928792000-04-12 20:17:38 +1000302 int i, mismatch;
Damien Millerb38eff82000-04-01 11:09:21 +1000303 int remote_major, remote_minor;
Damien Miller78928792000-04-12 20:17:38 +1000304 int major, minor;
Damien Millerb38eff82000-04-01 11:09:21 +1000305 char *s;
306 char buf[256]; /* Must not be larger than remote_version. */
307 char remote_version[256]; /* Must be at least as big as buf. */
308
Damien Miller78928792000-04-12 20:17:38 +1000309 if ((options.protocol & SSH_PROTO_1) &&
310 (options.protocol & SSH_PROTO_2)) {
311 major = PROTOCOL_MAJOR_1;
312 minor = 99;
313 } else if (options.protocol & SSH_PROTO_2) {
314 major = PROTOCOL_MAJOR_2;
315 minor = PROTOCOL_MINOR_2;
316 } else {
317 major = PROTOCOL_MAJOR_1;
318 minor = PROTOCOL_MINOR_1;
319 }
320 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
Damien Millerb38eff82000-04-01 11:09:21 +1000321 server_version_string = xstrdup(buf);
322
323 if (client_version_string == NULL) {
324 /* Send our protocol version identification. */
325 if (atomicio(write, sock_out, server_version_string, strlen(server_version_string))
326 != strlen(server_version_string)) {
327 log("Could not write ident string to %s.", get_remote_ipaddr());
328 fatal_cleanup();
329 }
330
331 /* Read other side\'s version identification. */
332 for (i = 0; i < sizeof(buf) - 1; i++) {
Damien Millerbf7f4662000-06-23 10:16:38 +1000333 if (atomicio(read, sock_in, &buf[i], 1) != 1) {
Damien Millerb38eff82000-04-01 11:09:21 +1000334 log("Did not receive ident string from %s.", get_remote_ipaddr());
335 fatal_cleanup();
336 }
337 if (buf[i] == '\r') {
338 buf[i] = '\n';
339 buf[i + 1] = 0;
Damien Miller874d77b2000-10-14 16:23:11 +1100340 /* Kludge for F-Secure Macintosh < 1.0.2 */
341 if (i == 12 &&
342 strncmp(buf, "SSH-1.5-W1.0", 12) == 0)
343 break;
Damien Millerb38eff82000-04-01 11:09:21 +1000344 continue;
Damien Millerb38eff82000-04-01 11:09:21 +1000345 }
346 if (buf[i] == '\n') {
347 /* buf[i] == '\n' */
348 buf[i + 1] = 0;
349 break;
350 }
351 }
352 buf[sizeof(buf) - 1] = 0;
353 client_version_string = xstrdup(buf);
354 }
355
356 /*
357 * Check that the versions match. In future this might accept
358 * several versions and set appropriate flags to handle them.
359 */
360 if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n",
361 &remote_major, &remote_minor, remote_version) != 3) {
Damien Miller4af51302000-04-16 11:18:38 +1000362 s = "Protocol mismatch.\n";
Damien Millerb38eff82000-04-01 11:09:21 +1000363 (void) atomicio(write, sock_out, s, strlen(s));
364 close(sock_in);
365 close(sock_out);
366 log("Bad protocol version identification '%.100s' from %s",
367 client_version_string, get_remote_ipaddr());
368 fatal_cleanup();
369 }
370 debug("Client protocol version %d.%d; client software version %.100s",
371 remote_major, remote_minor, remote_version);
372
Damien Millerefb4afe2000-04-12 18:45:05 +1000373 compat_datafellows(remote_version);
374
Damien Miller78928792000-04-12 20:17:38 +1000375 mismatch = 0;
Damien Millerb38eff82000-04-01 11:09:21 +1000376 switch(remote_major) {
377 case 1:
Damien Millereba71ba2000-04-29 23:57:08 +1000378 if (remote_minor == 99) {
379 if (options.protocol & SSH_PROTO_2)
380 enable_compat20();
381 else
382 mismatch = 1;
383 break;
384 }
Damien Miller78928792000-04-12 20:17:38 +1000385 if (!(options.protocol & SSH_PROTO_1)) {
386 mismatch = 1;
387 break;
388 }
Damien Millerb38eff82000-04-01 11:09:21 +1000389 if (remote_minor < 3) {
Damien Miller37023962000-07-11 17:31:38 +1000390 packet_disconnect("Your ssh version is too old and "
Damien Millerb38eff82000-04-01 11:09:21 +1000391 "is no longer supported. Please install a newer version.");
392 } else if (remote_minor == 3) {
393 /* note that this disables agent-forwarding */
394 enable_compat13();
395 }
Damien Miller78928792000-04-12 20:17:38 +1000396 break;
Damien Millerefb4afe2000-04-12 18:45:05 +1000397 case 2:
Damien Miller78928792000-04-12 20:17:38 +1000398 if (options.protocol & SSH_PROTO_2) {
Damien Millerefb4afe2000-04-12 18:45:05 +1000399 enable_compat20();
400 break;
401 }
402 /* FALLTHROUGH */
Damien Miller4af51302000-04-16 11:18:38 +1000403 default:
Damien Miller78928792000-04-12 20:17:38 +1000404 mismatch = 1;
Damien Millerb38eff82000-04-01 11:09:21 +1000405 break;
406 }
Damien Millerefb4afe2000-04-12 18:45:05 +1000407 chop(server_version_string);
408 chop(client_version_string);
Damien Miller78928792000-04-12 20:17:38 +1000409 debug("Local version string %.200s", server_version_string);
410
411 if (mismatch) {
412 s = "Protocol major versions differ.\n";
413 (void) atomicio(write, sock_out, s, strlen(s));
414 close(sock_in);
415 close(sock_out);
416 log("Protocol major versions differ for %s: %.200s vs. %.200s",
417 get_remote_ipaddr(),
418 server_version_string, client_version_string);
419 fatal_cleanup();
420 }
Damien Millereba71ba2000-04-29 23:57:08 +1000421 if (compat20)
422 packet_set_ssh2_format();
423}
424
425
Damien Miller0bc1bd82000-11-13 22:57:25 +1100426/* Destroy the host and server keys. They will no longer be needed. */
Damien Millereba71ba2000-04-29 23:57:08 +1000427void
428destroy_sensitive_data(void)
429{
Damien Miller0bc1bd82000-11-13 22:57:25 +1100430 int i;
431
432 if (sensitive_data.server_key) {
433 key_free(sensitive_data.server_key);
434 sensitive_data.server_key = NULL;
435 }
436 for(i = 0; i < options.num_host_key_files; i++) {
437 if (sensitive_data.host_keys[i]) {
438 key_free(sensitive_data.host_keys[i]);
439 sensitive_data.host_keys[i] = NULL;
440 }
441 }
442 sensitive_data.ssh1_host_key = NULL;
443}
444Key *
445load_private_key_autodetect(const char *filename)
446{
447 struct stat st;
448 int type;
449 Key *public, *private;
450
451 if (stat(filename, &st) < 0) {
452 perror(filename);
453 return NULL;
454 }
455 /*
456 * try to load the public key. right now this only works for RSA1,
457 * since SSH2 keys are fully encrypted
458 */
459 type = KEY_RSA1;
460 public = key_new(type);
461 if (!load_public_key(filename, public, NULL)) {
462 /* ok, so we will assume this is 'some' key */
463 type = KEY_UNSPEC;
464 }
465 key_free(public);
466
467 /* Ok, try key with empty passphrase */
468 private = key_new(type);
469 if (load_private_key(filename, "", private, NULL)) {
470 debug("load_private_key_autodetect: type %d %s",
471 private->type, key_type(private));
472 return private;
473 }
474 key_free(private);
475 return NULL;
476}
477
478char *
479list_hostkey_types(void)
480{
481 static char buf[1024];
482 int i;
483 buf[0] = '\0';
484 for(i = 0; i < options.num_host_key_files; i++) {
485 Key *key = sensitive_data.host_keys[i];
486 if (key == NULL)
487 continue;
488 switch(key->type) {
489 case KEY_RSA:
490 case KEY_DSA:
491 strlcat(buf, key_ssh_name(key), sizeof buf);
492 strlcat(buf, ",", sizeof buf);
493 break;
494 }
495 }
496 i = strlen(buf);
497 if (i > 0 && buf[i-1] == ',')
498 buf[i-1] = '\0';
499 debug("list_hostkey_types: %s", buf);
500 return buf;
501}
502
503Key *
504get_hostkey_by_type(int type)
505{
506 int i;
507 for(i = 0; i < options.num_host_key_files; i++) {
508 Key *key = sensitive_data.host_keys[i];
509 if (key != NULL && key->type == type)
510 return key;
511 }
512 return NULL;
Damien Millerb38eff82000-04-01 11:09:21 +1000513}
514
Damien Miller942da032000-08-18 13:59:06 +1000515/*
516 * returns 1 if connection should be dropped, 0 otherwise.
517 * dropping starts at connection #max_startups_begin with a probability
518 * of (max_startups_rate/100). the probability increases linearly until
519 * all connections are dropped for startups > max_startups
520 */
521int
522drop_connection(int startups)
523{
524 double p, r;
525
526 if (startups < options.max_startups_begin)
527 return 0;
528 if (startups >= options.max_startups)
529 return 1;
530 if (options.max_startups_rate == 100)
531 return 1;
532
533 p = 100 - options.max_startups_rate;
534 p *= startups - options.max_startups_begin;
535 p /= (double) (options.max_startups - options.max_startups_begin);
536 p += options.max_startups_rate;
537 p /= 100.0;
538 r = arc4random() / (double) UINT_MAX;
539
540 debug("drop_connection: p %g, r %g", p, r);
541 return (r < p) ? 1 : 0;
542}
543
Damien Miller37023962000-07-11 17:31:38 +1000544int *startup_pipes = NULL; /* options.max_startup sized array of fd ints */
545int startup_pipe; /* in child */
546
Damien Miller95def091999-11-25 00:26:21 +1100547/*
548 * Main program for the daemon.
549 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000550int
551main(int ac, char **av)
552{
Damien Miller95def091999-11-25 00:26:21 +1100553 extern char *optarg;
554 extern int optind;
Damien Miller37023962000-07-11 17:31:38 +1000555 int opt, sock_in = 0, sock_out = 0, newsock, j, i, fdsetsz, on = 1;
Damien Miller166fca82000-04-20 07:42:21 +1000556 pid_t pid;
Damien Miller34132e52000-01-14 15:45:46 +1100557 socklen_t fromlen;
Damien Millereba71ba2000-04-29 23:57:08 +1000558 int silent = 0;
Damien Miller34132e52000-01-14 15:45:46 +1100559 fd_set *fdset;
560 struct sockaddr_storage from;
Damien Miller95def091999-11-25 00:26:21 +1100561 const char *remote_ip;
562 int remote_port;
Damien Miller95def091999-11-25 00:26:21 +1100563 FILE *f;
564 struct linger linger;
Damien Miller34132e52000-01-14 15:45:46 +1100565 struct addrinfo *ai;
566 char ntop[NI_MAXHOST], strport[NI_MAXSERV];
567 int listen_sock, maxfd;
Damien Miller37023962000-07-11 17:31:38 +1000568 int startup_p[2];
569 int startups = 0;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000570
Ben Lindstrom49a79c02000-11-17 03:47:20 +0000571 __progname = get_progname(av[0]);
Damien Millerf9b625c2000-07-09 22:42:32 +1000572 init_rng();
573
Damien Miller95def091999-11-25 00:26:21 +1100574 /* Save argv[0]. */
Damien Millerb8c656e2000-06-28 15:22:41 +1000575 saved_argc = ac;
Damien Miller95def091999-11-25 00:26:21 +1100576 saved_argv = av;
577 if (strchr(av[0], '/'))
578 av0 = strrchr(av[0], '/') + 1;
579 else
580 av0 = av[0];
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000581
Damien Miller95def091999-11-25 00:26:21 +1100582 /* Initialize configuration options to their default values. */
583 initialize_server_options(&options);
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000584
Damien Miller95def091999-11-25 00:26:21 +1100585 /* Parse command-line arguments. */
Damien Miller942da032000-08-18 13:59:06 +1000586 while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:u:diqQ46")) != EOF) {
Damien Miller95def091999-11-25 00:26:21 +1100587 switch (opt) {
Damien Miller34132e52000-01-14 15:45:46 +1100588 case '4':
589 IPv4or6 = AF_INET;
590 break;
591 case '6':
592 IPv4or6 = AF_INET6;
593 break;
Damien Miller95def091999-11-25 00:26:21 +1100594 case 'f':
595 config_file_name = optarg;
596 break;
597 case 'd':
Damien Millere4340be2000-09-16 13:29:08 +1100598 if (0 == debug_flag) {
599 debug_flag = 1;
600 options.log_level = SYSLOG_LEVEL_DEBUG1;
601 } else if (options.log_level < SYSLOG_LEVEL_DEBUG3) {
602 options.log_level++;
603 } else {
604 fprintf(stderr, "Too high debugging level.\n");
605 exit(1);
606 }
Damien Miller95def091999-11-25 00:26:21 +1100607 break;
608 case 'i':
609 inetd_flag = 1;
610 break;
611 case 'Q':
Damien Millereba71ba2000-04-29 23:57:08 +1000612 silent = 1;
Damien Miller95def091999-11-25 00:26:21 +1100613 break;
614 case 'q':
615 options.log_level = SYSLOG_LEVEL_QUIET;
616 break;
617 case 'b':
618 options.server_key_bits = atoi(optarg);
619 break;
620 case 'p':
Damien Miller34132e52000-01-14 15:45:46 +1100621 options.ports_from_cmdline = 1;
Damien Millere4340be2000-09-16 13:29:08 +1100622 if (options.num_ports >= MAX_PORTS) {
623 fprintf(stderr, "too many ports.\n");
624 exit(1);
625 }
Damien Miller34132e52000-01-14 15:45:46 +1100626 options.ports[options.num_ports++] = atoi(optarg);
Damien Miller95def091999-11-25 00:26:21 +1100627 break;
628 case 'g':
629 options.login_grace_time = atoi(optarg);
630 break;
631 case 'k':
632 options.key_regeneration_time = atoi(optarg);
633 break;
634 case 'h':
Damien Miller0bc1bd82000-11-13 22:57:25 +1100635 if (options.num_host_key_files >= MAX_HOSTKEYS) {
636 fprintf(stderr, "too many host keys.\n");
637 exit(1);
638 }
639 options.host_key_files[options.num_host_key_files++] = optarg;
Damien Miller95def091999-11-25 00:26:21 +1100640 break;
641 case 'V':
642 client_version_string = optarg;
643 /* only makes sense with inetd_flag, i.e. no listen() */
644 inetd_flag = 1;
645 break;
Damien Miller942da032000-08-18 13:59:06 +1000646 case 'u':
647 utmp_len = atoi(optarg);
648 break;
Damien Miller95def091999-11-25 00:26:21 +1100649 case '?':
650 default:
651 fprintf(stderr, "sshd version %s\n", SSH_VERSION);
652 fprintf(stderr, "Usage: %s [options]\n", av0);
653 fprintf(stderr, "Options:\n");
Damien Miller5428f641999-11-25 11:54:57 +1100654 fprintf(stderr, " -f file Configuration file (default %s)\n", SERVER_CONFIG_FILE);
Damien Millere4340be2000-09-16 13:29:08 +1100655 fprintf(stderr, " -d Debugging mode (multiple -d means more debugging)\n");
Damien Miller95def091999-11-25 00:26:21 +1100656 fprintf(stderr, " -i Started from inetd\n");
657 fprintf(stderr, " -q Quiet (no logging)\n");
658 fprintf(stderr, " -p port Listen on the specified port (default: 22)\n");
659 fprintf(stderr, " -k seconds Regenerate server key every this many seconds (default: 3600)\n");
660 fprintf(stderr, " -g seconds Grace period for authentication (default: 300)\n");
661 fprintf(stderr, " -b bits Size of server RSA key (default: 768 bits)\n");
662 fprintf(stderr, " -h file File from which to read host key (default: %s)\n",
Damien Miller34132e52000-01-14 15:45:46 +1100663 HOST_KEY_FILE);
Damien Miller942da032000-08-18 13:59:06 +1000664 fprintf(stderr, " -u len Maximum hostname length for utmp recording\n");
Damien Miller34132e52000-01-14 15:45:46 +1100665 fprintf(stderr, " -4 Use IPv4 only\n");
666 fprintf(stderr, " -6 Use IPv6 only\n");
Damien Miller95def091999-11-25 00:26:21 +1100667 exit(1);
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000668 }
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000669 }
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000670
Damien Miller34132e52000-01-14 15:45:46 +1100671 /*
672 * Force logging to stderr until we have loaded the private host
673 * key (unless started from inetd)
674 */
675 log_init(av0,
676 options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level,
677 options.log_facility == -1 ? SYSLOG_FACILITY_AUTH : options.log_facility,
Damien Millereba71ba2000-04-29 23:57:08 +1000678 !silent && !inetd_flag);
Damien Miller34132e52000-01-14 15:45:46 +1100679
Damien Miller95def091999-11-25 00:26:21 +1100680 /* Read server configuration options from the configuration file. */
681 read_server_config(&options, config_file_name);
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000682
Damien Miller95def091999-11-25 00:26:21 +1100683 /* Fill in default values for those options not explicitly set. */
684 fill_default_server_options(&options);
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000685
Damien Miller95def091999-11-25 00:26:21 +1100686 /* Check that there are no remaining arguments. */
687 if (optind < ac) {
688 fprintf(stderr, "Extra argument %s.\n", av[optind]);
689 exit(1);
690 }
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000691
Damien Miller95def091999-11-25 00:26:21 +1100692 debug("sshd version %.100s", SSH_VERSION);
Damien Miller2ccf6611999-11-15 15:25:10 +1100693
Damien Miller0bc1bd82000-11-13 22:57:25 +1100694 /* load private host keys */
695 sensitive_data.host_keys = xmalloc(options.num_host_key_files*sizeof(Key*));
696 sensitive_data.server_key = NULL;
697 sensitive_data.ssh1_host_key = NULL;
698 sensitive_data.have_ssh1_key = 0;
699 sensitive_data.have_ssh2_key = 0;
Damien Millereba71ba2000-04-29 23:57:08 +1000700
Damien Miller0bc1bd82000-11-13 22:57:25 +1100701 for(i = 0; i < options.num_host_key_files; i++) {
702 Key *key = load_private_key_autodetect(options.host_key_files[i]);
703 if (key == NULL) {
704 error("Could not load host key: %.200s: %.100s",
705 options.host_key_files[i], strerror(errno));
706 continue;
707 }
708 switch(key->type){
709 case KEY_RSA1:
710 sensitive_data.ssh1_host_key = key;
711 sensitive_data.have_ssh1_key = 1;
712 break;
713 case KEY_RSA:
714 case KEY_DSA:
715 sensitive_data.have_ssh2_key = 1;
716 break;
717 }
718 sensitive_data.host_keys[i] = key;
719 }
720 if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
721 log("Disabling protocol version 1. Could not load host key");
Damien Millereba71ba2000-04-29 23:57:08 +1000722 options.protocol &= ~SSH_PROTO_1;
723 }
Damien Miller0bc1bd82000-11-13 22:57:25 +1100724 if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) {
725 log("Disabling protocol version 2. Could not load host key");
726 options.protocol &= ~SSH_PROTO_2;
Damien Millereba71ba2000-04-29 23:57:08 +1000727 }
728 if (! options.protocol & (SSH_PROTO_1|SSH_PROTO_2)) {
729 if (silent == 0)
730 fprintf(stderr, "sshd: no hostkeys available -- exiting.\n");
731 log("sshd: no hostkeys available -- exiting.\n");
Damien Miller95def091999-11-25 00:26:21 +1100732 exit(1);
733 }
Damien Miller95def091999-11-25 00:26:21 +1100734
Damien Millereba71ba2000-04-29 23:57:08 +1000735 /* Check certain values for sanity. */
736 if (options.protocol & SSH_PROTO_1) {
737 if (options.server_key_bits < 512 ||
738 options.server_key_bits > 32768) {
739 fprintf(stderr, "Bad server key size.\n");
740 exit(1);
741 }
742 /*
743 * Check that server and host key lengths differ sufficiently. This
744 * is necessary to make double encryption work with rsaref. Oh, I
745 * hate software patents. I dont know if this can go? Niels
746 */
747 if (options.server_key_bits >
Damien Miller0bc1bd82000-11-13 22:57:25 +1100748 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) - SSH_KEY_BITS_RESERVED &&
Damien Millereba71ba2000-04-29 23:57:08 +1000749 options.server_key_bits <
Damien Miller0bc1bd82000-11-13 22:57:25 +1100750 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
Damien Millereba71ba2000-04-29 23:57:08 +1000751 options.server_key_bits =
Damien Miller0bc1bd82000-11-13 22:57:25 +1100752 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED;
Damien Millereba71ba2000-04-29 23:57:08 +1000753 debug("Forcing server key to %d bits to make it differ from host key.",
754 options.server_key_bits);
755 }
756 }
757
Damien Miller78315eb2000-09-29 23:01:36 +1100758#ifdef HAVE_SCO_PROTECTED_PW
759 (void) set_auth_parameters(ac, av);
760#endif
761
Damien Millereba71ba2000-04-29 23:57:08 +1000762 /* Initialize the log (it is reinitialized below in case we forked). */
Damien Miller95def091999-11-25 00:26:21 +1100763 if (debug_flag && !inetd_flag)
764 log_stderr = 1;
765 log_init(av0, options.log_level, options.log_facility, log_stderr);
766
Damien Millereba71ba2000-04-29 23:57:08 +1000767 /*
768 * If not in debugging mode, and not started from inetd, disconnect
769 * from the controlling terminal, and fork. The original process
770 * exits.
771 */
Damien Miller95def091999-11-25 00:26:21 +1100772 if (!debug_flag && !inetd_flag) {
773#ifdef TIOCNOTTY
774 int fd;
775#endif /* TIOCNOTTY */
776 if (daemon(0, 0) < 0)
777 fatal("daemon() failed: %.200s", strerror(errno));
778
779 /* Disconnect from the controlling tty. */
780#ifdef TIOCNOTTY
781 fd = open("/dev/tty", O_RDWR | O_NOCTTY);
782 if (fd >= 0) {
783 (void) ioctl(fd, TIOCNOTTY, NULL);
784 close(fd);
785 }
786#endif /* TIOCNOTTY */
787 }
788 /* Reinitialize the log (because of the fork above). */
789 log_init(av0, options.log_level, options.log_facility, log_stderr);
790
Damien Miller95def091999-11-25 00:26:21 +1100791 /* Initialize the random number generator. */
792 arc4random_stir();
793
794 /* Chdir to the root directory so that the current disk can be
795 unmounted if desired. */
796 chdir("/");
797
Damien Miller95def091999-11-25 00:26:21 +1100798 /* Start listening for a socket, unless started from inetd. */
799 if (inetd_flag) {
800 int s1, s2;
801 s1 = dup(0); /* Make sure descriptors 0, 1, and 2 are in use. */
802 s2 = dup(s1);
803 sock_in = dup(0);
804 sock_out = dup(1);
Damien Miller994cf142000-07-21 10:19:44 +1000805 startup_pipe = -1;
Damien Millereba71ba2000-04-29 23:57:08 +1000806 /*
807 * We intentionally do not close the descriptors 0, 1, and 2
808 * as our code for setting the descriptors won\'t work if
809 * ttyfd happens to be one of those.
810 */
Damien Miller95def091999-11-25 00:26:21 +1100811 debug("inetd sockets after dupping: %d, %d", sock_in, sock_out);
Damien Miller0bc1bd82000-11-13 22:57:25 +1100812 if (options.protocol & SSH_PROTO_1)
813 generate_empheral_server_key();
Damien Miller95def091999-11-25 00:26:21 +1100814 } else {
Damien Miller34132e52000-01-14 15:45:46 +1100815 for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
816 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
817 continue;
818 if (num_listen_socks >= MAX_LISTEN_SOCKS)
819 fatal("Too many listen sockets. "
820 "Enlarge MAX_LISTEN_SOCKS");
821 if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
822 ntop, sizeof(ntop), strport, sizeof(strport),
823 NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
824 error("getnameinfo failed");
825 continue;
826 }
827 /* Create socket for listening. */
828 listen_sock = socket(ai->ai_family, SOCK_STREAM, 0);
829 if (listen_sock < 0) {
830 /* kernel may not support ipv6 */
831 verbose("socket: %.100s", strerror(errno));
832 continue;
833 }
834 if (fcntl(listen_sock, F_SETFL, O_NONBLOCK) < 0) {
835 error("listen_sock O_NONBLOCK: %s", strerror(errno));
836 close(listen_sock);
837 continue;
838 }
839 /*
840 * Set socket options. We try to make the port
841 * reusable and have it close as fast as possible
842 * without waiting in unnecessary wait states on
843 * close.
844 */
845 setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
846 (void *) &on, sizeof(on));
847 linger.l_onoff = 1;
848 linger.l_linger = 5;
849 setsockopt(listen_sock, SOL_SOCKET, SO_LINGER,
850 (void *) &linger, sizeof(linger));
Damien Miller95def091999-11-25 00:26:21 +1100851
Damien Miller34132e52000-01-14 15:45:46 +1100852 debug("Bind to port %s on %s.", strport, ntop);
Damien Miller95def091999-11-25 00:26:21 +1100853
Damien Miller34132e52000-01-14 15:45:46 +1100854 /* Bind the socket to the desired port. */
Damien Miller3c7eeb22000-03-03 22:35:33 +1100855 if ((bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) &&
856 (!ai->ai_next)) {
Damien Miller34132e52000-01-14 15:45:46 +1100857 error("Bind to port %s on %s failed: %.200s.",
858 strport, ntop, strerror(errno));
859 close(listen_sock);
860 continue;
861 }
862 listen_socks[num_listen_socks] = listen_sock;
863 num_listen_socks++;
Damien Miller95def091999-11-25 00:26:21 +1100864
Damien Miller34132e52000-01-14 15:45:46 +1100865 /* Start listening on the port. */
866 log("Server listening on %s port %s.", ntop, strport);
867 if (listen(listen_sock, 5) < 0)
868 fatal("listen: %.100s", strerror(errno));
869
Damien Miller95def091999-11-25 00:26:21 +1100870 }
Damien Miller34132e52000-01-14 15:45:46 +1100871 freeaddrinfo(options.listen_addrs);
872
873 if (!num_listen_socks)
874 fatal("Cannot bind any address.");
875
Damien Miller95def091999-11-25 00:26:21 +1100876 if (!debug_flag) {
Damien Miller5428f641999-11-25 11:54:57 +1100877 /*
878 * Record our pid in /etc/sshd_pid to make it easier
879 * to kill the correct sshd. We don\'t want to do
880 * this before the bind above because the bind will
881 * fail if there already is a daemon, and this will
882 * overwrite any old pid in the file.
883 */
Damien Millerbac2d8a2000-09-05 16:13:06 +1100884 f = fopen(options.pid_file, "wb");
Damien Miller95def091999-11-25 00:26:21 +1100885 if (f) {
886 fprintf(f, "%u\n", (unsigned int) getpid());
887 fclose(f);
888 }
889 }
Damien Millereba71ba2000-04-29 23:57:08 +1000890 if (options.protocol & SSH_PROTO_1) {
Damien Miller0bc1bd82000-11-13 22:57:25 +1100891 generate_empheral_server_key();
Damien Miller95def091999-11-25 00:26:21 +1100892
Damien Millereba71ba2000-04-29 23:57:08 +1000893 /* Schedule server key regeneration alarm. */
894 signal(SIGALRM, key_regeneration_alarm);
895 alarm(options.key_regeneration_time);
896 }
Damien Miller95def091999-11-25 00:26:21 +1100897
898 /* Arrange to restart on SIGHUP. The handler needs listen_sock. */
899 signal(SIGHUP, sighup_handler);
Damien Miller37023962000-07-11 17:31:38 +1000900
Damien Miller95def091999-11-25 00:26:21 +1100901 signal(SIGTERM, sigterm_handler);
902 signal(SIGQUIT, sigterm_handler);
903
904 /* Arrange SIGCHLD to be caught. */
905 signal(SIGCHLD, main_sigchld_handler);
906
Damien Miller34132e52000-01-14 15:45:46 +1100907 /* setup fd set for listen */
Damien Miller37023962000-07-11 17:31:38 +1000908 fdset = NULL;
Damien Miller34132e52000-01-14 15:45:46 +1100909 maxfd = 0;
910 for (i = 0; i < num_listen_socks; i++)
911 if (listen_socks[i] > maxfd)
912 maxfd = listen_socks[i];
Damien Miller37023962000-07-11 17:31:38 +1000913 /* pipes connected to unauthenticated childs */
914 startup_pipes = xmalloc(options.max_startups * sizeof(int));
915 for (i = 0; i < options.max_startups; i++)
916 startup_pipes[i] = -1;
Damien Miller34132e52000-01-14 15:45:46 +1100917
Damien Miller5428f641999-11-25 11:54:57 +1100918 /*
919 * Stay listening for connections until the system crashes or
920 * the daemon is killed with a signal.
921 */
Damien Miller95def091999-11-25 00:26:21 +1100922 for (;;) {
923 if (received_sighup)
924 sighup_restart();
Damien Miller37023962000-07-11 17:31:38 +1000925 if (fdset != NULL)
926 xfree(fdset);
927 fdsetsz = howmany(maxfd, NFDBITS) * sizeof(fd_mask);
928 fdset = (fd_set *)xmalloc(fdsetsz);
Damien Miller34132e52000-01-14 15:45:46 +1100929 memset(fdset, 0, fdsetsz);
Damien Miller37023962000-07-11 17:31:38 +1000930
Damien Miller34132e52000-01-14 15:45:46 +1100931 for (i = 0; i < num_listen_socks; i++)
932 FD_SET(listen_socks[i], fdset);
Damien Miller37023962000-07-11 17:31:38 +1000933 for (i = 0; i < options.max_startups; i++)
934 if (startup_pipes[i] != -1)
935 FD_SET(startup_pipes[i], fdset);
936
937 /* Wait in select until there is a connection. */
Damien Miller34132e52000-01-14 15:45:46 +1100938 if (select(maxfd + 1, fdset, NULL, NULL, NULL) < 0) {
939 if (errno != EINTR)
940 error("select: %.100s", strerror(errno));
Damien Miller50945fa1999-12-09 10:31:37 +1100941 continue;
Damien Miller34132e52000-01-14 15:45:46 +1100942 }
Damien Miller37023962000-07-11 17:31:38 +1000943 for (i = 0; i < options.max_startups; i++)
944 if (startup_pipes[i] != -1 &&
945 FD_ISSET(startup_pipes[i], fdset)) {
946 /*
947 * the read end of the pipe is ready
948 * if the child has closed the pipe
949 * after successfull authentication
950 * or if the child has died
951 */
952 close(startup_pipes[i]);
953 startup_pipes[i] = -1;
954 startups--;
955 }
Damien Miller34132e52000-01-14 15:45:46 +1100956 for (i = 0; i < num_listen_socks; i++) {
957 if (!FD_ISSET(listen_socks[i], fdset))
Damien Miller95def091999-11-25 00:26:21 +1100958 continue;
Damien Miller37023962000-07-11 17:31:38 +1000959 fromlen = sizeof(from);
960 newsock = accept(listen_socks[i], (struct sockaddr *)&from,
961 &fromlen);
962 if (newsock < 0) {
963 if (errno != EINTR && errno != EWOULDBLOCK)
964 error("accept: %.100s", strerror(errno));
965 continue;
966 }
967 if (fcntl(newsock, F_SETFL, 0) < 0) {
968 error("newsock del O_NONBLOCK: %s", strerror(errno));
969 continue;
970 }
Damien Miller942da032000-08-18 13:59:06 +1000971 if (drop_connection(startups) == 1) {
972 debug("drop connection #%d", startups);
Damien Miller37023962000-07-11 17:31:38 +1000973 close(newsock);
974 continue;
975 }
976 if (pipe(startup_p) == -1) {
977 close(newsock);
978 continue;
979 }
980
981 for (j = 0; j < options.max_startups; j++)
982 if (startup_pipes[j] == -1) {
983 startup_pipes[j] = startup_p[0];
984 if (maxfd < startup_p[0])
985 maxfd = startup_p[0];
986 startups++;
987 break;
988 }
989
Damien Miller5428f641999-11-25 11:54:57 +1100990 /*
Damien Miller37023962000-07-11 17:31:38 +1000991 * Got connection. Fork a child to handle it, unless
992 * we are in debugging mode.
Damien Miller5428f641999-11-25 11:54:57 +1100993 */
Damien Miller37023962000-07-11 17:31:38 +1000994 if (debug_flag) {
Damien Miller5428f641999-11-25 11:54:57 +1100995 /*
Damien Miller37023962000-07-11 17:31:38 +1000996 * In debugging mode. Close the listening
997 * socket, and start processing the
998 * connection without forking.
Damien Miller5428f641999-11-25 11:54:57 +1100999 */
Damien Miller37023962000-07-11 17:31:38 +10001000 debug("Server will not fork when running in debugging mode.");
Damien Miller34132e52000-01-14 15:45:46 +11001001 close_listen_socks();
Damien Miller95def091999-11-25 00:26:21 +11001002 sock_in = newsock;
1003 sock_out = newsock;
Damien Miller4d97ba22000-07-11 18:15:50 +10001004 startup_pipe = -1;
Damien Miller182ee6e2000-07-12 09:45:27 +10001005 pid = getpid();
Damien Miller95def091999-11-25 00:26:21 +11001006 break;
Damien Miller37023962000-07-11 17:31:38 +10001007 } else {
1008 /*
1009 * Normal production daemon. Fork, and have
1010 * the child process the connection. The
1011 * parent continues listening.
1012 */
1013 if ((pid = fork()) == 0) {
1014 /*
1015 * Child. Close the listening and max_startup
1016 * sockets. Start using the accepted socket.
1017 * Reinitialize logging (since our pid has
1018 * changed). We break out of the loop to handle
1019 * the connection.
1020 */
1021 startup_pipe = startup_p[1];
1022 for (j = 0; j < options.max_startups; j++)
1023 if (startup_pipes[j] != -1)
1024 close(startup_pipes[j]);
1025 close_listen_socks();
1026 sock_in = newsock;
1027 sock_out = newsock;
1028 log_init(av0, options.log_level, options.log_facility, log_stderr);
1029 break;
1030 }
Damien Miller95def091999-11-25 00:26:21 +11001031 }
Damien Miller37023962000-07-11 17:31:38 +10001032
1033 /* Parent. Stay in the loop. */
1034 if (pid < 0)
1035 error("fork: %.100s", strerror(errno));
1036 else
1037 debug("Forked child %d.", pid);
1038
1039 close(startup_p[1]);
1040
1041 /* Mark that the key has been used (it was "given" to the child). */
1042 key_used = 1;
1043
1044 arc4random_stir();
1045
1046 /* Close the new socket (the child is now taking care of it). */
1047 close(newsock);
Damien Miller95def091999-11-25 00:26:21 +11001048 }
Damien Miller34132e52000-01-14 15:45:46 +11001049 /* child process check (or debug mode) */
1050 if (num_listen_socks < 0)
1051 break;
Damien Miller95def091999-11-25 00:26:21 +11001052 }
1053 }
1054
1055 /* This is the child processing a new connection. */
1056
Damien Miller5428f641999-11-25 11:54:57 +11001057 /*
1058 * Disable the key regeneration alarm. We will not regenerate the
1059 * key since we are no longer in a position to give it to anyone. We
1060 * will not restart on SIGHUP since it no longer makes sense.
1061 */
Damien Miller95def091999-11-25 00:26:21 +11001062 alarm(0);
1063 signal(SIGALRM, SIG_DFL);
1064 signal(SIGHUP, SIG_DFL);
1065 signal(SIGTERM, SIG_DFL);
1066 signal(SIGQUIT, SIG_DFL);
1067 signal(SIGCHLD, SIG_DFL);
Damien Miller4e0f5e12000-08-29 11:05:50 +11001068 signal(SIGINT, SIG_DFL);
Damien Miller95def091999-11-25 00:26:21 +11001069
Damien Miller5428f641999-11-25 11:54:57 +11001070 /*
1071 * Set socket options for the connection. We want the socket to
1072 * close as fast as possible without waiting for anything. If the
1073 * connection is not a socket, these will do nothing.
1074 */
1075 /* setsockopt(sock_in, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */
Damien Miller95def091999-11-25 00:26:21 +11001076 linger.l_onoff = 1;
1077 linger.l_linger = 5;
1078 setsockopt(sock_in, SOL_SOCKET, SO_LINGER, (void *) &linger, sizeof(linger));
1079
Damien Miller5428f641999-11-25 11:54:57 +11001080 /*
1081 * Register our connection. This turns encryption off because we do
1082 * not have a key.
1083 */
Damien Miller95def091999-11-25 00:26:21 +11001084 packet_set_connection(sock_in, sock_out);
1085
1086 remote_port = get_remote_port();
1087 remote_ip = get_remote_ipaddr();
1088
1089 /* Check whether logins are denied from this host. */
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001090#ifdef LIBWRAP
Damien Miller34132e52000-01-14 15:45:46 +11001091 /* XXX LIBWRAP noes not know about IPv6 */
Damien Miller95def091999-11-25 00:26:21 +11001092 {
1093 struct request_info req;
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001094
Damien Miller95def091999-11-25 00:26:21 +11001095 request_init(&req, RQ_DAEMON, av0, RQ_FILE, sock_in, NULL);
1096 fromhost(&req);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001097
Damien Miller95def091999-11-25 00:26:21 +11001098 if (!hosts_access(&req)) {
1099 close(sock_in);
1100 close(sock_out);
1101 refuse(&req);
1102 }
Damien Miller34132e52000-01-14 15:45:46 +11001103/*XXX IPv6 verbose("Connection from %.500s port %d", eval_client(&req), remote_port); */
Damien Miller95def091999-11-25 00:26:21 +11001104 }
Damien Miller34132e52000-01-14 15:45:46 +11001105#endif /* LIBWRAP */
Damien Miller95def091999-11-25 00:26:21 +11001106 /* Log the connection. */
1107 verbose("Connection from %.500s port %d", remote_ip, remote_port);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001108
Damien Miller5428f641999-11-25 11:54:57 +11001109 /*
1110 * We don\'t want to listen forever unless the other side
1111 * successfully authenticates itself. So we set up an alarm which is
1112 * cleared after successful authentication. A limit of zero
1113 * indicates no limit. Note that we don\'t set the alarm in debugging
1114 * mode; it is just annoying to have the server exit just when you
1115 * are about to discover the bug.
1116 */
Damien Miller95def091999-11-25 00:26:21 +11001117 signal(SIGALRM, grace_alarm_handler);
1118 if (!debug_flag)
1119 alarm(options.login_grace_time);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001120
Damien Millerb38eff82000-04-01 11:09:21 +10001121 sshd_exchange_identification(sock_in, sock_out);
Damien Miller5428f641999-11-25 11:54:57 +11001122 /*
1123 * Check that the connection comes from a privileged port. Rhosts-
1124 * and Rhosts-RSA-Authentication only make sense from priviledged
1125 * programs. Of course, if the intruder has root access on his local
1126 * machine, he can connect from any port. So do not use these
1127 * authentication methods from machines that you do not trust.
1128 */
Damien Miller95def091999-11-25 00:26:21 +11001129 if (remote_port >= IPPORT_RESERVED ||
1130 remote_port < IPPORT_RESERVED / 2) {
Damien Miller0bc1bd82000-11-13 22:57:25 +11001131 debug("Rhosts Authentication methods disabled, "
1132 "originating port not trusted.");
Damien Miller95def091999-11-25 00:26:21 +11001133 options.rhosts_authentication = 0;
1134 options.rhosts_rsa_authentication = 0;
1135 }
Damien Miller34132e52000-01-14 15:45:46 +11001136#ifdef KRB4
1137 if (!packet_connection_is_ipv4() &&
1138 options.kerberos_authentication) {
1139 debug("Kerberos Authentication disabled, only available for IPv4.");
1140 options.kerberos_authentication = 0;
1141 }
1142#endif /* KRB4 */
1143
Damien Miller95def091999-11-25 00:26:21 +11001144 packet_set_nonblocking();
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001145
Damien Miller396691a2000-01-20 22:44:08 +11001146 /* perform the key exchange */
Damien Miller396691a2000-01-20 22:44:08 +11001147 /* authenticate user and start session */
Damien Millerefb4afe2000-04-12 18:45:05 +10001148 if (compat20) {
1149 do_ssh2_kex();
1150 do_authentication2();
1151 } else {
1152 do_ssh1_kex();
1153 do_authentication();
1154 }
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001155
1156#ifdef KRB4
Damien Miller95def091999-11-25 00:26:21 +11001157 /* Cleanup user's ticket cache file. */
1158 if (options.kerberos_ticket_cleanup)
1159 (void) dest_tkt();
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001160#endif /* KRB4 */
1161
Damien Miller95def091999-11-25 00:26:21 +11001162 /* The connection has been terminated. */
1163 verbose("Closing connection to %.100s", remote_ip);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001164
Damien Millerbeb4ba51999-12-28 15:09:35 +11001165#ifdef USE_PAM
Damien Millere72b7af1999-12-30 15:08:44 +11001166 finish_pam();
Damien Millerbeb4ba51999-12-28 15:09:35 +11001167#endif /* USE_PAM */
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001168
Damien Miller95def091999-11-25 00:26:21 +11001169 packet_close();
1170 exit(0);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001171}
1172
Damien Miller95def091999-11-25 00:26:21 +11001173/*
Damien Miller396691a2000-01-20 22:44:08 +11001174 * SSH1 key exchange
Damien Miller95def091999-11-25 00:26:21 +11001175 */
Damien Miller2ccf6611999-11-15 15:25:10 +11001176void
Damien Millerb38eff82000-04-01 11:09:21 +10001177do_ssh1_kex()
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001178{
Damien Miller95def091999-11-25 00:26:21 +11001179 int i, len;
Damien Miller396691a2000-01-20 22:44:08 +11001180 int plen, slen;
Damien Miller95def091999-11-25 00:26:21 +11001181 BIGNUM *session_key_int;
1182 unsigned char session_key[SSH_SESSION_KEY_LENGTH];
Damien Miller396691a2000-01-20 22:44:08 +11001183 unsigned char cookie[8];
Damien Miller95def091999-11-25 00:26:21 +11001184 unsigned int cipher_type, auth_mask, protocol_flags;
Damien Miller95def091999-11-25 00:26:21 +11001185 u_int32_t rand = 0;
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001186
Damien Miller5428f641999-11-25 11:54:57 +11001187 /*
1188 * Generate check bytes that the client must send back in the user
1189 * packet in order for it to be accepted; this is used to defy ip
1190 * spoofing attacks. Note that this only works against somebody
1191 * doing IP spoofing from a remote machine; any machine on the local
1192 * network can still see outgoing packets and catch the random
1193 * cookie. This only affects rhosts authentication, and this is one
1194 * of the reasons why it is inherently insecure.
1195 */
Damien Miller95def091999-11-25 00:26:21 +11001196 for (i = 0; i < 8; i++) {
1197 if (i % 4 == 0)
1198 rand = arc4random();
Damien Miller396691a2000-01-20 22:44:08 +11001199 cookie[i] = rand & 0xff;
Damien Miller95def091999-11-25 00:26:21 +11001200 rand >>= 8;
1201 }
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001202
Damien Miller5428f641999-11-25 11:54:57 +11001203 /*
1204 * Send our public key. We include in the packet 64 bits of random
1205 * data that must be matched in the reply in order to prevent IP
1206 * spoofing.
1207 */
Damien Miller95def091999-11-25 00:26:21 +11001208 packet_start(SSH_SMSG_PUBLIC_KEY);
1209 for (i = 0; i < 8; i++)
Damien Miller396691a2000-01-20 22:44:08 +11001210 packet_put_char(cookie[i]);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001211
Damien Miller95def091999-11-25 00:26:21 +11001212 /* Store our public server RSA key. */
Damien Miller0bc1bd82000-11-13 22:57:25 +11001213 packet_put_int(BN_num_bits(sensitive_data.server_key->rsa->n));
1214 packet_put_bignum(sensitive_data.server_key->rsa->e);
1215 packet_put_bignum(sensitive_data.server_key->rsa->n);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001216
Damien Miller95def091999-11-25 00:26:21 +11001217 /* Store our public host RSA key. */
Damien Miller0bc1bd82000-11-13 22:57:25 +11001218 packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
1219 packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e);
1220 packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001221
Damien Miller95def091999-11-25 00:26:21 +11001222 /* Put protocol flags. */
1223 packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001224
Damien Miller95def091999-11-25 00:26:21 +11001225 /* Declare which ciphers we support. */
Damien Miller874d77b2000-10-14 16:23:11 +11001226 packet_put_int(cipher_mask_ssh1(0));
Damien Miller95def091999-11-25 00:26:21 +11001227
1228 /* Declare supported authentication types. */
1229 auth_mask = 0;
1230 if (options.rhosts_authentication)
1231 auth_mask |= 1 << SSH_AUTH_RHOSTS;
1232 if (options.rhosts_rsa_authentication)
1233 auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
1234 if (options.rsa_authentication)
1235 auth_mask |= 1 << SSH_AUTH_RSA;
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001236#ifdef KRB4
Damien Miller95def091999-11-25 00:26:21 +11001237 if (options.kerberos_authentication)
1238 auth_mask |= 1 << SSH_AUTH_KERBEROS;
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001239#endif
1240#ifdef AFS
Damien Miller95def091999-11-25 00:26:21 +11001241 if (options.kerberos_tgt_passing)
1242 auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
1243 if (options.afs_token_passing)
1244 auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001245#endif
Damien Miller95def091999-11-25 00:26:21 +11001246#ifdef SKEY
1247 if (options.skey_authentication == 1)
1248 auth_mask |= 1 << SSH_AUTH_TIS;
1249#endif
1250 if (options.password_authentication)
1251 auth_mask |= 1 << SSH_AUTH_PASSWORD;
1252 packet_put_int(auth_mask);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001253
Damien Miller95def091999-11-25 00:26:21 +11001254 /* Send the packet and wait for it to be sent. */
1255 packet_send();
1256 packet_write_wait();
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001257
Damien Miller0bc1bd82000-11-13 22:57:25 +11001258 debug("Sent %d bit server key and %d bit host key.",
1259 BN_num_bits(sensitive_data.server_key->rsa->n),
1260 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001261
Damien Miller95def091999-11-25 00:26:21 +11001262 /* Read clients reply (cipher type and session key). */
1263 packet_read_expect(&plen, SSH_CMSG_SESSION_KEY);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001264
Damien Miller50945fa1999-12-09 10:31:37 +11001265 /* Get cipher type and check whether we accept this. */
Damien Miller95def091999-11-25 00:26:21 +11001266 cipher_type = packet_get_char();
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001267
Damien Miller874d77b2000-10-14 16:23:11 +11001268 if (!(cipher_mask_ssh1(0) & (1 << cipher_type)))
Damien Miller50945fa1999-12-09 10:31:37 +11001269 packet_disconnect("Warning: client selects unsupported cipher.");
1270
Damien Miller95def091999-11-25 00:26:21 +11001271 /* Get check bytes from the packet. These must match those we
1272 sent earlier with the public key packet. */
1273 for (i = 0; i < 8; i++)
Damien Miller396691a2000-01-20 22:44:08 +11001274 if (cookie[i] != packet_get_char())
Damien Miller95def091999-11-25 00:26:21 +11001275 packet_disconnect("IP Spoofing check bytes do not match.");
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001276
Damien Miller95def091999-11-25 00:26:21 +11001277 debug("Encryption type: %.200s", cipher_name(cipher_type));
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001278
Damien Miller95def091999-11-25 00:26:21 +11001279 /* Get the encrypted integer. */
1280 session_key_int = BN_new();
1281 packet_get_bignum(session_key_int, &slen);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001282
Damien Miller95def091999-11-25 00:26:21 +11001283 protocol_flags = packet_get_int();
1284 packet_set_protocol_flags(protocol_flags);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001285
Damien Miller95def091999-11-25 00:26:21 +11001286 packet_integrity_check(plen, 1 + 8 + slen + 4, SSH_CMSG_SESSION_KEY);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001287
Damien Miller5428f641999-11-25 11:54:57 +11001288 /*
1289 * Decrypt it using our private server key and private host key (key
1290 * with larger modulus first).
1291 */
Damien Miller0bc1bd82000-11-13 22:57:25 +11001292 if (BN_cmp(sensitive_data.server_key->rsa->n, sensitive_data.ssh1_host_key->rsa->n) > 0) {
Damien Miller95def091999-11-25 00:26:21 +11001293 /* Private key has bigger modulus. */
Damien Miller0bc1bd82000-11-13 22:57:25 +11001294 if (BN_num_bits(sensitive_data.server_key->rsa->n) <
1295 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
1296 fatal("do_connection: %s: server_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d",
1297 get_remote_ipaddr(),
1298 BN_num_bits(sensitive_data.server_key->rsa->n),
1299 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
1300 SSH_KEY_BITS_RESERVED);
Damien Miller95def091999-11-25 00:26:21 +11001301 }
1302 rsa_private_decrypt(session_key_int, session_key_int,
Damien Miller0bc1bd82000-11-13 22:57:25 +11001303 sensitive_data.server_key->rsa);
Damien Miller95def091999-11-25 00:26:21 +11001304 rsa_private_decrypt(session_key_int, session_key_int,
Damien Miller0bc1bd82000-11-13 22:57:25 +11001305 sensitive_data.ssh1_host_key->rsa);
Damien Miller95def091999-11-25 00:26:21 +11001306 } else {
1307 /* Host key has bigger modulus (or they are equal). */
Damien Miller0bc1bd82000-11-13 22:57:25 +11001308 if (BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) <
1309 BN_num_bits(sensitive_data.server_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
1310 fatal("do_connection: %s: host_key %d < server_key %d + SSH_KEY_BITS_RESERVED %d",
1311 get_remote_ipaddr(),
1312 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
1313 BN_num_bits(sensitive_data.server_key->rsa->n),
1314 SSH_KEY_BITS_RESERVED);
Damien Miller95def091999-11-25 00:26:21 +11001315 }
1316 rsa_private_decrypt(session_key_int, session_key_int,
Damien Miller0bc1bd82000-11-13 22:57:25 +11001317 sensitive_data.ssh1_host_key->rsa);
Damien Miller95def091999-11-25 00:26:21 +11001318 rsa_private_decrypt(session_key_int, session_key_int,
Damien Miller0bc1bd82000-11-13 22:57:25 +11001319 sensitive_data.server_key->rsa);
Damien Miller95def091999-11-25 00:26:21 +11001320 }
Damien Miller356a0b01999-11-08 15:30:59 +11001321
Damien Miller396691a2000-01-20 22:44:08 +11001322 compute_session_id(session_id, cookie,
Damien Miller0bc1bd82000-11-13 22:57:25 +11001323 sensitive_data.ssh1_host_key->rsa->n,
1324 sensitive_data.server_key->rsa->n);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001325
Damien Miller396691a2000-01-20 22:44:08 +11001326 /* Destroy the private and public keys. They will no longer be needed. */
Damien Millereba71ba2000-04-29 23:57:08 +10001327 destroy_sensitive_data();
Damien Miller396691a2000-01-20 22:44:08 +11001328
Damien Miller5428f641999-11-25 11:54:57 +11001329 /*
1330 * Extract session key from the decrypted integer. The key is in the
1331 * least significant 256 bits of the integer; the first byte of the
1332 * key is in the highest bits.
1333 */
Damien Miller95def091999-11-25 00:26:21 +11001334 BN_mask_bits(session_key_int, sizeof(session_key) * 8);
1335 len = BN_num_bytes(session_key_int);
1336 if (len < 0 || len > sizeof(session_key))
1337 fatal("do_connection: bad len from %s: session_key_int %d > sizeof(session_key) %d",
Damien Miller0bc1bd82000-11-13 22:57:25 +11001338 get_remote_ipaddr(),
1339 len, sizeof(session_key));
Damien Miller95def091999-11-25 00:26:21 +11001340 memset(session_key, 0, sizeof(session_key));
1341 BN_bn2bin(session_key_int, session_key + sizeof(session_key) - len);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001342
Damien Miller396691a2000-01-20 22:44:08 +11001343 /* Destroy the decrypted integer. It is no longer needed. */
1344 BN_clear_free(session_key_int);
1345
Damien Miller95def091999-11-25 00:26:21 +11001346 /* Xor the first 16 bytes of the session key with the session id. */
1347 for (i = 0; i < 16; i++)
1348 session_key[i] ^= session_id[i];
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001349
Damien Miller95def091999-11-25 00:26:21 +11001350 /* Set the session key. From this on all communications will be encrypted. */
1351 packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001352
Damien Miller95def091999-11-25 00:26:21 +11001353 /* Destroy our copy of the session key. It is no longer needed. */
1354 memset(session_key, 0, sizeof(session_key));
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001355
Damien Miller95def091999-11-25 00:26:21 +11001356 debug("Received session key; encryption turned on.");
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001357
Damien Miller95def091999-11-25 00:26:21 +11001358 /* Send an acknowledgement packet. Note that this packet is sent encrypted. */
1359 packet_start(SSH_SMSG_SUCCESS);
1360 packet_send();
1361 packet_write_wait();
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001362}
Damien Millerefb4afe2000-04-12 18:45:05 +10001363
1364/*
1365 * SSH2 key exchange: diffie-hellman-group1-sha1
1366 */
1367void
1368do_ssh2_kex()
1369{
1370 Buffer *server_kexinit;
1371 Buffer *client_kexinit;
Damien Miller874d77b2000-10-14 16:23:11 +11001372 int payload_len;
Damien Millerefb4afe2000-04-12 18:45:05 +10001373 int i;
Damien Millerefb4afe2000-04-12 18:45:05 +10001374 Kex *kex;
Damien Millerefb4afe2000-04-12 18:45:05 +10001375 char *cprop[PROPOSAL_MAX];
Damien Millerefb4afe2000-04-12 18:45:05 +10001376
1377/* KEXINIT */
1378
Damien Miller78928792000-04-12 20:17:38 +10001379 if (options.ciphers != NULL) {
Damien Miller4af51302000-04-16 11:18:38 +10001380 myproposal[PROPOSAL_ENC_ALGS_CTOS] =
Damien Miller78928792000-04-12 20:17:38 +10001381 myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
1382 }
Damien Miller0bc1bd82000-11-13 22:57:25 +11001383 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
1384
Damien Millerb1715dc2000-05-30 13:44:51 +10001385 server_kexinit = kex_init(myproposal);
Damien Millerefb4afe2000-04-12 18:45:05 +10001386 client_kexinit = xmalloc(sizeof(*client_kexinit));
1387 buffer_init(client_kexinit);
Damien Millerefb4afe2000-04-12 18:45:05 +10001388
Damien Millerb1715dc2000-05-30 13:44:51 +10001389 /* algorithm negotiation */
1390 kex_exchange_kexinit(server_kexinit, client_kexinit, cprop);
1391 kex = kex_choose_conf(cprop, myproposal, 1);
1392 for (i = 0; i < PROPOSAL_MAX; i++)
1393 xfree(cprop[i]);
Damien Millerefb4afe2000-04-12 18:45:05 +10001394
Damien Miller874d77b2000-10-14 16:23:11 +11001395 switch (kex->kex_type) {
1396 case DH_GRP1_SHA1:
1397 ssh_dh1_server(kex, client_kexinit, server_kexinit);
1398 break;
1399 case DH_GEX_SHA1:
1400 ssh_dhgex_server(kex, client_kexinit, server_kexinit);
1401 break;
1402 default:
1403 fatal("Unsupported key exchange %d", kex->kex_type);
1404 }
Damien Millerefb4afe2000-04-12 18:45:05 +10001405
Damien Miller874d77b2000-10-14 16:23:11 +11001406 debug("send SSH2_MSG_NEWKEYS.");
1407 packet_start(SSH2_MSG_NEWKEYS);
1408 packet_send();
1409 packet_write_wait();
1410 debug("done: send SSH2_MSG_NEWKEYS.");
1411
1412 debug("Wait SSH2_MSG_NEWKEYS.");
1413 packet_read_expect(&payload_len, SSH2_MSG_NEWKEYS);
1414 debug("GOT SSH2_MSG_NEWKEYS.");
1415
1416#ifdef DEBUG_KEXDH
1417 /* send 1st encrypted/maced/compressed message */
1418 packet_start(SSH2_MSG_IGNORE);
1419 packet_put_cstring("markus");
1420 packet_send();
1421 packet_write_wait();
1422#endif
1423
1424 debug("done: KEX2.");
1425}
1426
1427/*
1428 * SSH2 key exchange
1429 */
1430
1431/* diffie-hellman-group1-sha1 */
1432
1433void
1434ssh_dh1_server(Kex *kex, Buffer *client_kexinit, Buffer *server_kexinit)
1435{
1436#ifdef DEBUG_KEXDH
1437 int i;
1438#endif
1439 int payload_len, dlen;
1440 int slen;
1441 unsigned char *signature = NULL;
1442 unsigned char *server_host_key_blob = NULL;
1443 unsigned int sbloblen;
1444 unsigned int klen, kout;
1445 unsigned char *kbuf;
1446 unsigned char *hash;
1447 BIGNUM *shared_secret = 0;
1448 DH *dh;
1449 BIGNUM *dh_client_pub = 0;
Damien Miller0bc1bd82000-11-13 22:57:25 +11001450 Key *hostkey;
1451
1452 hostkey = get_hostkey_by_type(kex->hostkey_type);
1453 if (hostkey == NULL)
1454 fatal("Unsupported hostkey type %d", kex->hostkey_type);
Damien Miller874d77b2000-10-14 16:23:11 +11001455
1456/* KEXDH */
Damien Millerefb4afe2000-04-12 18:45:05 +10001457 debug("Wait SSH2_MSG_KEXDH_INIT.");
1458 packet_read_expect(&payload_len, SSH2_MSG_KEXDH_INIT);
1459
1460 /* key, cert */
1461 dh_client_pub = BN_new();
1462 if (dh_client_pub == NULL)
1463 fatal("dh_client_pub == NULL");
1464 packet_get_bignum2(dh_client_pub, &dlen);
1465
1466#ifdef DEBUG_KEXDH
1467 fprintf(stderr, "\ndh_client_pub= ");
Damien Miller62cee002000-09-23 17:15:56 +11001468 BN_print_fp(stderr, dh_client_pub);
Damien Millerefb4afe2000-04-12 18:45:05 +10001469 fprintf(stderr, "\n");
1470 debug("bits %d", BN_num_bits(dh_client_pub));
1471#endif
1472
1473 /* generate DH key */
Damien Miller78928792000-04-12 20:17:38 +10001474 dh = dh_new_group1(); /* XXX depends on 'kex' */
Damien Millerefb4afe2000-04-12 18:45:05 +10001475
1476#ifdef DEBUG_KEXDH
1477 fprintf(stderr, "\np= ");
Damien Miller62cee002000-09-23 17:15:56 +11001478 BN_print_fp(stderr, dh->p);
Damien Millerefb4afe2000-04-12 18:45:05 +10001479 fprintf(stderr, "\ng= ");
Damien Miller62cee002000-09-23 17:15:56 +11001480 bn_print(dh->g);
Damien Millerefb4afe2000-04-12 18:45:05 +10001481 fprintf(stderr, "\npub= ");
Damien Miller62cee002000-09-23 17:15:56 +11001482 BN_print_fp(stderr, dh->pub_key);
Damien Millerefb4afe2000-04-12 18:45:05 +10001483 fprintf(stderr, "\n");
Damien Miller62cee002000-09-23 17:15:56 +11001484 DHparams_print_fp(stderr, dh);
Damien Millerefb4afe2000-04-12 18:45:05 +10001485#endif
Damien Miller78928792000-04-12 20:17:38 +10001486 if (!dh_pub_is_valid(dh, dh_client_pub))
1487 packet_disconnect("bad client public DH value");
Damien Millerefb4afe2000-04-12 18:45:05 +10001488
1489 klen = DH_size(dh);
1490 kbuf = xmalloc(klen);
1491 kout = DH_compute_key(kbuf, dh_client_pub, dh);
1492
1493#ifdef DEBUG_KEXDH
1494 debug("shared secret: len %d/%d", klen, kout);
1495 fprintf(stderr, "shared secret == ");
1496 for (i = 0; i< kout; i++)
1497 fprintf(stderr, "%02x", (kbuf[i])&0xff);
1498 fprintf(stderr, "\n");
1499#endif
1500 shared_secret = BN_new();
1501
1502 BN_bin2bn(kbuf, kout, shared_secret);
1503 memset(kbuf, 0, klen);
1504 xfree(kbuf);
1505
Damien Millereba71ba2000-04-29 23:57:08 +10001506 /* XXX precompute? */
Damien Miller0bc1bd82000-11-13 22:57:25 +11001507 key_to_blob(hostkey, &server_host_key_blob, &sbloblen);
Damien Millerefb4afe2000-04-12 18:45:05 +10001508
1509 /* calc H */ /* XXX depends on 'kex' */
1510 hash = kex_hash(
1511 client_version_string,
1512 server_version_string,
1513 buffer_ptr(client_kexinit), buffer_len(client_kexinit),
1514 buffer_ptr(server_kexinit), buffer_len(server_kexinit),
1515 (char *)server_host_key_blob, sbloblen,
1516 dh_client_pub,
1517 dh->pub_key,
1518 shared_secret
1519 );
1520 buffer_free(client_kexinit);
1521 buffer_free(server_kexinit);
1522 xfree(client_kexinit);
1523 xfree(server_kexinit);
1524#ifdef DEBUG_KEXDH
Damien Miller4af51302000-04-16 11:18:38 +10001525 fprintf(stderr, "hash == ");
1526 for (i = 0; i< 20; i++)
1527 fprintf(stderr, "%02x", (hash[i])&0xff);
1528 fprintf(stderr, "\n");
Damien Millerefb4afe2000-04-12 18:45:05 +10001529#endif
Damien Millereba71ba2000-04-29 23:57:08 +10001530 /* save session id := H */
1531 /* XXX hashlen depends on KEX */
1532 session_id2_len = 20;
1533 session_id2 = xmalloc(session_id2_len);
1534 memcpy(session_id2, hash, session_id2_len);
1535
Damien Millerefb4afe2000-04-12 18:45:05 +10001536 /* sign H */
Damien Millereba71ba2000-04-29 23:57:08 +10001537 /* XXX hashlen depends on KEX */
Damien Miller0bc1bd82000-11-13 22:57:25 +11001538 key_sign(hostkey, &signature, &slen, hash, 20);
Damien Millereba71ba2000-04-29 23:57:08 +10001539
1540 destroy_sensitive_data();
Damien Millerefb4afe2000-04-12 18:45:05 +10001541
1542 /* send server hostkey, DH pubkey 'f' and singed H */
1543 packet_start(SSH2_MSG_KEXDH_REPLY);
1544 packet_put_string((char *)server_host_key_blob, sbloblen);
Damien Millere247cc42000-05-07 12:03:14 +10001545 packet_put_bignum2(dh->pub_key); /* f */
Damien Millerefb4afe2000-04-12 18:45:05 +10001546 packet_put_string((char *)signature, slen);
1547 packet_send();
Damien Miller8bb73be2000-04-19 16:26:12 +10001548 xfree(signature);
Damien Millereba71ba2000-04-29 23:57:08 +10001549 xfree(server_host_key_blob);
Damien Millerefb4afe2000-04-12 18:45:05 +10001550 packet_write_wait();
1551
1552 kex_derive_keys(kex, hash, shared_secret);
1553 packet_set_kex(kex);
1554
1555 /* have keys, free DH */
1556 DH_free(dh);
Damien Miller874d77b2000-10-14 16:23:11 +11001557}
Damien Millerefb4afe2000-04-12 18:45:05 +10001558
Damien Miller874d77b2000-10-14 16:23:11 +11001559/* diffie-hellman-group-exchange-sha1 */
1560
1561void
1562ssh_dhgex_server(Kex *kex, Buffer *client_kexinit, Buffer *server_kexinit)
1563{
1564#ifdef DEBUG_KEXDH
1565 int i;
1566#endif
1567 int payload_len, dlen;
1568 int slen, nbits;
1569 unsigned char *signature = NULL;
1570 unsigned char *server_host_key_blob = NULL;
1571 unsigned int sbloblen;
1572 unsigned int klen, kout;
1573 unsigned char *kbuf;
1574 unsigned char *hash;
1575 BIGNUM *shared_secret = 0;
1576 DH *dh;
1577 BIGNUM *dh_client_pub = 0;
Damien Miller0bc1bd82000-11-13 22:57:25 +11001578 Key *hostkey;
1579
1580 hostkey = get_hostkey_by_type(kex->hostkey_type);
1581 if (hostkey == NULL)
1582 fatal("Unsupported hostkey type %d", kex->hostkey_type);
Damien Miller874d77b2000-10-14 16:23:11 +11001583
1584/* KEXDHGEX */
1585 debug("Wait SSH2_MSG_KEX_DH_GEX_REQUEST.");
1586 packet_read_expect(&payload_len, SSH2_MSG_KEX_DH_GEX_REQUEST);
1587 nbits = packet_get_int();
1588 dh = choose_dh(nbits);
1589
1590 debug("Sending SSH2_MSG_KEX_DH_GEX_GROUP.");
1591 packet_start(SSH2_MSG_KEX_DH_GEX_GROUP);
1592 packet_put_bignum2(dh->p);
1593 packet_put_bignum2(dh->g);
Damien Millerefb4afe2000-04-12 18:45:05 +10001594 packet_send();
1595 packet_write_wait();
Damien Millerefb4afe2000-04-12 18:45:05 +10001596
Damien Miller874d77b2000-10-14 16:23:11 +11001597 debug("Wait SSH2_MSG_KEX_DH_GEX_INIT.");
1598 packet_read_expect(&payload_len, SSH2_MSG_KEX_DH_GEX_INIT);
1599
1600 /* key, cert */
1601 dh_client_pub = BN_new();
1602 if (dh_client_pub == NULL)
1603 fatal("dh_client_pub == NULL");
1604 packet_get_bignum2(dh_client_pub, &dlen);
Damien Millerefb4afe2000-04-12 18:45:05 +10001605
Damien Miller78928792000-04-12 20:17:38 +10001606#ifdef DEBUG_KEXDH
Damien Miller874d77b2000-10-14 16:23:11 +11001607 fprintf(stderr, "\ndh_client_pub= ");
1608 BN_print_fp(stderr, dh_client_pub);
1609 fprintf(stderr, "\n");
1610 debug("bits %d", BN_num_bits(dh_client_pub));
Damien Miller78928792000-04-12 20:17:38 +10001611#endif
Damien Miller874d77b2000-10-14 16:23:11 +11001612
1613#ifdef DEBUG_KEXDH
1614 fprintf(stderr, "\np= ");
1615 BN_print_fp(stderr, dh->p);
1616 fprintf(stderr, "\ng= ");
1617 bn_print(dh->g);
1618 fprintf(stderr, "\npub= ");
1619 BN_print_fp(stderr, dh->pub_key);
1620 fprintf(stderr, "\n");
1621 DHparams_print_fp(stderr, dh);
1622#endif
1623 if (!dh_pub_is_valid(dh, dh_client_pub))
1624 packet_disconnect("bad client public DH value");
1625
1626 klen = DH_size(dh);
1627 kbuf = xmalloc(klen);
1628 kout = DH_compute_key(kbuf, dh_client_pub, dh);
1629
1630#ifdef DEBUG_KEXDH
1631 debug("shared secret: len %d/%d", klen, kout);
1632 fprintf(stderr, "shared secret == ");
1633 for (i = 0; i< kout; i++)
1634 fprintf(stderr, "%02x", (kbuf[i])&0xff);
1635 fprintf(stderr, "\n");
1636#endif
1637 shared_secret = BN_new();
1638
1639 BN_bin2bn(kbuf, kout, shared_secret);
1640 memset(kbuf, 0, klen);
1641 xfree(kbuf);
1642
1643 /* XXX precompute? */
Damien Miller0bc1bd82000-11-13 22:57:25 +11001644 key_to_blob(hostkey, &server_host_key_blob, &sbloblen);
Damien Miller874d77b2000-10-14 16:23:11 +11001645
1646 /* calc H */ /* XXX depends on 'kex' */
1647 hash = kex_hash_gex(
1648 client_version_string,
1649 server_version_string,
1650 buffer_ptr(client_kexinit), buffer_len(client_kexinit),
1651 buffer_ptr(server_kexinit), buffer_len(server_kexinit),
1652 (char *)server_host_key_blob, sbloblen,
1653 nbits, dh->p, dh->g,
1654 dh_client_pub,
1655 dh->pub_key,
1656 shared_secret
1657 );
1658 buffer_free(client_kexinit);
1659 buffer_free(server_kexinit);
1660 xfree(client_kexinit);
1661 xfree(server_kexinit);
1662#ifdef DEBUG_KEXDH
1663 fprintf(stderr, "hash == ");
1664 for (i = 0; i< 20; i++)
1665 fprintf(stderr, "%02x", (hash[i])&0xff);
1666 fprintf(stderr, "\n");
1667#endif
1668 /* save session id := H */
1669 /* XXX hashlen depends on KEX */
1670 session_id2_len = 20;
1671 session_id2 = xmalloc(session_id2_len);
1672 memcpy(session_id2, hash, session_id2_len);
1673
1674 /* sign H */
1675 /* XXX hashlen depends on KEX */
Damien Miller0bc1bd82000-11-13 22:57:25 +11001676 key_sign(hostkey, &signature, &slen, hash, 20);
Damien Miller874d77b2000-10-14 16:23:11 +11001677
1678 destroy_sensitive_data();
1679
1680 /* send server hostkey, DH pubkey 'f' and singed H */
1681 packet_start(SSH2_MSG_KEX_DH_GEX_REPLY);
1682 packet_put_string((char *)server_host_key_blob, sbloblen);
1683 packet_put_bignum2(dh->pub_key); /* f */
1684 packet_put_string((char *)signature, slen);
1685 packet_send();
1686 xfree(signature);
1687 xfree(server_host_key_blob);
1688 packet_write_wait();
1689
1690 kex_derive_keys(kex, hash, shared_secret);
1691 packet_set_kex(kex);
1692
1693 /* have keys, free DH */
1694 DH_free(dh);
Damien Millerefb4afe2000-04-12 18:45:05 +10001695}