1/* $OpenBSD: monitor.c,v 1.145 2015/02/20 22:17:21 djm Exp $ */ 2/* 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28#include "includes.h" 29 30#include <sys/types.h> 31#include <sys/socket.h> 32#include "openbsd-compat/sys-tree.h" 33#include <sys/wait.h> 34 35#include <errno.h> 36#include <fcntl.h> 37#ifdef HAVE_PATHS_H 38#include <paths.h> 39#endif 40#include <pwd.h> 41#include <signal.h> 42#ifdef HAVE_STDINT_H 43#include <stdint.h> 44#endif 45#include <stdlib.h> 46#include <string.h> 47#include <stdarg.h> 48#include <stdio.h> 49#include <unistd.h> 50#ifdef HAVE_POLL_H 51#include <poll.h> 52#else 53# ifdef HAVE_SYS_POLL_H 54# include <sys/poll.h> 55# endif 56#endif 57 58#ifdef SKEY 59#include <skey.h> 60#endif 61 62#ifdef WITH_OPENSSL 63#include <openssl/dh.h> 64#endif 65 66#include "openbsd-compat/sys-queue.h" 67#include "atomicio.h" 68#include "xmalloc.h" 69#include "ssh.h" 70#include "key.h" 71#include "buffer.h" 72#include "hostfile.h" 73#include "auth.h" 74#include "cipher.h" 75#include "kex.h" 76#include "dh.h" 77#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */ 78#undef TARGET_OS_MAC 79#include "zlib.h" 80#define TARGET_OS_MAC 1 81#else 82#include "zlib.h" 83#endif 84#include "packet.h" 85#include "auth-options.h" 86#include "sshpty.h" 87#include "channels.h" 88#include "session.h" 89#include "sshlogin.h" 90#include "canohost.h" 91#include "log.h" 92#include "misc.h" 93#include "servconf.h" 94#include "monitor.h" 95#include "monitor_mm.h" 96#ifdef GSSAPI 97#include "ssh-gss.h" 98#endif 99#include "monitor_wrap.h" 100#include "monitor_fdpass.h" 101#include "compat.h" 102#include "ssh2.h" 103#include "roaming.h" 104#include "authfd.h" 105#include "match.h" 106#include "ssherr.h" 107 108#ifdef GSSAPI 109static Gssctxt *gsscontext = NULL; 110#endif 111 112/* Imports */ 113extern ServerOptions options; 114extern u_int utmp_len; 115extern u_char session_id[]; 116extern Buffer auth_debug; 117extern int auth_debug_init; 118extern Buffer loginmsg; 119 120/* State exported from the child */ 121static struct sshbuf *child_state; 122 123/* Functions on the monitor that answer unprivileged requests */ 124 125int mm_answer_moduli(int, Buffer *); 126int mm_answer_sign(int, Buffer *); 127int mm_answer_pwnamallow(int, Buffer *); 128int mm_answer_auth2_read_banner(int, Buffer *); 129int mm_answer_authserv(int, Buffer *); 130int mm_answer_authpassword(int, Buffer *); 131int mm_answer_bsdauthquery(int, Buffer *); 132int mm_answer_bsdauthrespond(int, Buffer *); 133int mm_answer_skeyquery(int, Buffer *); 134int mm_answer_skeyrespond(int, Buffer *); 135int mm_answer_keyallowed(int, Buffer *); 136int mm_answer_keyverify(int, Buffer *); 137int mm_answer_pty(int, Buffer *); 138int mm_answer_pty_cleanup(int, Buffer *); 139int mm_answer_term(int, Buffer *); 140int mm_answer_rsa_keyallowed(int, Buffer *); 141int mm_answer_rsa_challenge(int, Buffer *); 142int mm_answer_rsa_response(int, Buffer *); 143int mm_answer_sesskey(int, Buffer *); 144int mm_answer_sessid(int, Buffer *); 145 146#ifdef USE_PAM 147int mm_answer_pam_start(int, Buffer *); 148int mm_answer_pam_account(int, Buffer *); 149int mm_answer_pam_init_ctx(int, Buffer *); 150int mm_answer_pam_query(int, Buffer *); 151int mm_answer_pam_respond(int, Buffer *); 152int mm_answer_pam_free_ctx(int, Buffer *); 153#endif 154 155#ifdef GSSAPI 156int mm_answer_gss_setup_ctx(int, Buffer *); 157int mm_answer_gss_accept_ctx(int, Buffer *); 158int mm_answer_gss_userok(int, Buffer *); 159int mm_answer_gss_checkmic(int, Buffer *); 160#endif 161 162#ifdef SSH_AUDIT_EVENTS 163int mm_answer_audit_event(int, Buffer *); 164int mm_answer_audit_command(int, Buffer *); 165#endif 166 167static int monitor_read_log(struct monitor *); 168 169static Authctxt *authctxt; 170 171#ifdef WITH_SSH1 172static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ 173#endif 174 175/* local state for key verify */ 176static u_char *key_blob = NULL; 177static u_int key_bloblen = 0; 178static int key_blobtype = MM_NOKEY; 179static char *hostbased_cuser = NULL; 180static char *hostbased_chost = NULL; 181static char *auth_method = "unknown"; 182static char *auth_submethod = NULL; 183static u_int session_id2_len = 0; 184static u_char *session_id2 = NULL; 185static pid_t monitor_child_pid; 186 187struct mon_table { 188 enum monitor_reqtype type; 189 int flags; 190 int (*f)(int, Buffer *); 191}; 192 193#define MON_ISAUTH 0x0004 /* Required for Authentication */ 194#define MON_AUTHDECIDE 0x0008 /* Decides Authentication */ 195#define MON_ONCE 0x0010 /* Disable after calling */ 196#define MON_ALOG 0x0020 /* Log auth attempt without authenticating */ 197 198#define MON_AUTH (MON_ISAUTH|MON_AUTHDECIDE) 199 200#define MON_PERMIT 0x1000 /* Request is permitted */ 201 202struct mon_table mon_dispatch_proto20[] = { 203#ifdef WITH_OPENSSL 204 {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli}, 205#endif 206 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 207 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 208 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 209 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 210 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 211#ifdef USE_PAM 212 {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, 213 {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, 214 {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx}, 215 {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, 216 {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, 217 {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, 218#endif 219#ifdef SSH_AUDIT_EVENTS 220 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, 221#endif 222#ifdef BSD_AUTH 223 {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, 224 {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH, mm_answer_bsdauthrespond}, 225#endif 226#ifdef SKEY 227 {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery}, 228 {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond}, 229#endif 230 {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, 231 {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify}, 232#ifdef GSSAPI 233 {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx}, 234 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, 235 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, 236 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, 237#endif 238 {0, 0, NULL} 239}; 240 241struct mon_table mon_dispatch_postauth20[] = { 242#ifdef WITH_OPENSSL 243 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 244#endif 245 {MONITOR_REQ_SIGN, 0, mm_answer_sign}, 246 {MONITOR_REQ_PTY, 0, mm_answer_pty}, 247 {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup}, 248 {MONITOR_REQ_TERM, 0, mm_answer_term}, 249#ifdef SSH_AUDIT_EVENTS 250 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, 251 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, 252#endif 253 {0, 0, NULL} 254}; 255 256struct mon_table mon_dispatch_proto15[] = { 257#ifdef WITH_SSH1 258 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 259 {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey}, 260 {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid}, 261 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 262 {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_rsa_keyallowed}, 263 {MONITOR_REQ_KEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_keyallowed}, 264 {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge}, 265 {MONITOR_REQ_RSARESPONSE, MON_ONCE|MON_AUTHDECIDE, mm_answer_rsa_response}, 266#ifdef BSD_AUTH 267 {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, 268 {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH, mm_answer_bsdauthrespond}, 269#endif 270#ifdef SKEY 271 {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery}, 272 {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond}, 273#endif 274#ifdef USE_PAM 275 {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, 276 {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, 277 {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx}, 278 {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, 279 {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, 280 {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, 281#endif 282#ifdef SSH_AUDIT_EVENTS 283 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, 284#endif 285#endif /* WITH_SSH1 */ 286 {0, 0, NULL} 287}; 288 289struct mon_table mon_dispatch_postauth15[] = { 290#ifdef WITH_SSH1 291 {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, 292 {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, 293 {MONITOR_REQ_TERM, 0, mm_answer_term}, 294#ifdef SSH_AUDIT_EVENTS 295 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, 296 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, 297#endif 298#endif /* WITH_SSH1 */ 299 {0, 0, NULL} 300}; 301 302struct mon_table *mon_dispatch; 303 304/* Specifies if a certain message is allowed at the moment */ 305 306static void 307monitor_permit(struct mon_table *ent, enum monitor_reqtype type, int permit) 308{ 309 while (ent->f != NULL) { 310 if (ent->type == type) { 311 ent->flags &= ~MON_PERMIT; 312 ent->flags |= permit ? MON_PERMIT : 0; 313 return; 314 } 315 ent++; 316 } 317} 318 319static void 320monitor_permit_authentications(int permit) 321{ 322 struct mon_table *ent = mon_dispatch; 323 324 while (ent->f != NULL) { 325 if (ent->flags & MON_AUTH) { 326 ent->flags &= ~MON_PERMIT; 327 ent->flags |= permit ? MON_PERMIT : 0; 328 } 329 ent++; 330 } 331} 332 333void 334monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) 335{ 336 struct mon_table *ent; 337 int authenticated = 0, partial = 0; 338 339 debug3("preauth child monitor started"); 340 341 close(pmonitor->m_recvfd); 342 close(pmonitor->m_log_sendfd); 343 pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; 344 345 authctxt = _authctxt; 346 memset(authctxt, 0, sizeof(*authctxt)); 347 348 authctxt->loginmsg = &loginmsg; 349 350 if (compat20) { 351 mon_dispatch = mon_dispatch_proto20; 352 353 /* Permit requests for moduli and signatures */ 354 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 355 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 356 } else { 357 mon_dispatch = mon_dispatch_proto15; 358 359 monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1); 360 } 361 362 /* The first few requests do not require asynchronous access */ 363 while (!authenticated) { 364 partial = 0; 365 auth_method = "unknown"; 366 auth_submethod = NULL; 367 authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); 368 369 /* Special handling for multiple required authentications */ 370 if (options.num_auth_methods != 0) { 371 if (!compat20) 372 fatal("AuthenticationMethods is not supported" 373 "with SSH protocol 1"); 374 if (authenticated && 375 !auth2_update_methods_lists(authctxt, 376 auth_method, auth_submethod)) { 377 debug3("%s: method %s: partial", __func__, 378 auth_method); 379 authenticated = 0; 380 partial = 1; 381 } 382 } 383 384 if (authenticated) { 385 if (!(ent->flags & MON_AUTHDECIDE)) 386 fatal("%s: unexpected authentication from %d", 387 __func__, ent->type); 388 if (authctxt->pw->pw_uid == 0 && 389 !auth_root_allowed(auth_method)) 390 authenticated = 0; 391#ifdef USE_PAM 392 /* PAM needs to perform account checks after auth */ 393 if (options.use_pam && authenticated) { 394 Buffer m; 395 396 buffer_init(&m); 397 mm_request_receive_expect(pmonitor->m_sendfd, 398 MONITOR_REQ_PAM_ACCOUNT, &m); 399 authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m); 400 buffer_free(&m); 401 } 402#endif 403 } 404 if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { 405 auth_log(authctxt, authenticated, partial, 406 auth_method, auth_submethod); 407 if (!authenticated) 408 authctxt->failures++; 409 } 410 } 411 412 if (!authctxt->valid) 413 fatal("%s: authenticated invalid user", __func__); 414 if (strcmp(auth_method, "unknown") == 0) 415 fatal("%s: authentication method name unknown", __func__); 416 417 debug("%s: %s has been authenticated by privileged process", 418 __func__, authctxt->user); 419 420 mm_get_keystate(pmonitor); 421 422 /* Drain any buffered messages from the child */ 423 while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) 424 ; 425 426 close(pmonitor->m_sendfd); 427 close(pmonitor->m_log_recvfd); 428 pmonitor->m_sendfd = pmonitor->m_log_recvfd = -1; 429} 430 431static void 432monitor_set_child_handler(pid_t pid) 433{ 434 monitor_child_pid = pid; 435} 436 437static void 438monitor_child_handler(int sig) 439{ 440 kill(monitor_child_pid, sig); 441} 442 443void 444monitor_child_postauth(struct monitor *pmonitor) 445{ 446 close(pmonitor->m_recvfd); 447 pmonitor->m_recvfd = -1; 448 449 monitor_set_child_handler(pmonitor->m_pid); 450 signal(SIGHUP, &monitor_child_handler); 451 signal(SIGTERM, &monitor_child_handler); 452 signal(SIGINT, &monitor_child_handler); 453#ifdef SIGXFSZ 454 signal(SIGXFSZ, SIG_IGN); 455#endif 456 457 if (compat20) { 458 mon_dispatch = mon_dispatch_postauth20; 459 460 /* Permit requests for moduli and signatures */ 461 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 462 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 463 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 464 } else { 465 mon_dispatch = mon_dispatch_postauth15; 466 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 467 } 468 if (!no_pty_flag) { 469 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); 470 monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); 471 } 472 473 for (;;) 474 monitor_read(pmonitor, mon_dispatch, NULL); 475} 476 477void 478monitor_sync(struct monitor *pmonitor) 479{ 480 if (options.compression) { 481 /* The member allocation is not visible, so sync it */ 482 mm_share_sync(&pmonitor->m_zlib, &pmonitor->m_zback); 483 } 484} 485 486/* Allocation functions for zlib */ 487static void * 488mm_zalloc(struct mm_master *mm, u_int ncount, u_int size) 489{ 490 size_t len = (size_t) size * ncount; 491 void *address; 492 493 if (len == 0 || ncount > SIZE_MAX / size) 494 fatal("%s: mm_zalloc(%u, %u)", __func__, ncount, size); 495 496 address = mm_malloc(mm, len); 497 498 return (address); 499} 500 501static void 502mm_zfree(struct mm_master *mm, void *address) 503{ 504 mm_free(mm, address); 505} 506 507static int 508monitor_read_log(struct monitor *pmonitor) 509{ 510 Buffer logmsg; 511 u_int len, level; 512 char *msg; 513 514 buffer_init(&logmsg); 515 516 /* Read length */ 517 buffer_append_space(&logmsg, 4); 518 if (atomicio(read, pmonitor->m_log_recvfd, 519 buffer_ptr(&logmsg), buffer_len(&logmsg)) != buffer_len(&logmsg)) { 520 if (errno == EPIPE) { 521 buffer_free(&logmsg); 522 debug("%s: child log fd closed", __func__); 523 close(pmonitor->m_log_recvfd); 524 pmonitor->m_log_recvfd = -1; 525 return -1; 526 } 527 fatal("%s: log fd read: %s", __func__, strerror(errno)); 528 } 529 len = buffer_get_int(&logmsg); 530 if (len <= 4 || len > 8192) 531 fatal("%s: invalid log message length %u", __func__, len); 532 533 /* Read severity, message */ 534 buffer_clear(&logmsg); 535 buffer_append_space(&logmsg, len); 536 if (atomicio(read, pmonitor->m_log_recvfd, 537 buffer_ptr(&logmsg), buffer_len(&logmsg)) != buffer_len(&logmsg)) 538 fatal("%s: log fd read: %s", __func__, strerror(errno)); 539 540 /* Log it */ 541 level = buffer_get_int(&logmsg); 542 msg = buffer_get_string(&logmsg, NULL); 543 if (log_level_name(level) == NULL) 544 fatal("%s: invalid log level %u (corrupted message?)", 545 __func__, level); 546 do_log2(level, "%s [preauth]", msg); 547 548 buffer_free(&logmsg); 549 free(msg); 550 551 return 0; 552} 553 554int 555monitor_read(struct monitor *pmonitor, struct mon_table *ent, 556 struct mon_table **pent) 557{ 558 Buffer m; 559 int ret; 560 u_char type; 561 struct pollfd pfd[2]; 562 563 for (;;) { 564 memset(&pfd, 0, sizeof(pfd)); 565 pfd[0].fd = pmonitor->m_sendfd; 566 pfd[0].events = POLLIN; 567 pfd[1].fd = pmonitor->m_log_recvfd; 568 pfd[1].events = pfd[1].fd == -1 ? 0 : POLLIN; 569 if (poll(pfd, pfd[1].fd == -1 ? 1 : 2, -1) == -1) { 570 if (errno == EINTR || errno == EAGAIN) 571 continue; 572 fatal("%s: poll: %s", __func__, strerror(errno)); 573 } 574 if (pfd[1].revents) { 575 /* 576 * Drain all log messages before processing next 577 * monitor request. 578 */ 579 monitor_read_log(pmonitor); 580 continue; 581 } 582 if (pfd[0].revents) 583 break; /* Continues below */ 584 } 585 586 buffer_init(&m); 587 588 mm_request_receive(pmonitor->m_sendfd, &m); 589 type = buffer_get_char(&m); 590 591 debug3("%s: checking request %d", __func__, type); 592 593 while (ent->f != NULL) { 594 if (ent->type == type) 595 break; 596 ent++; 597 } 598 599 if (ent->f != NULL) { 600 if (!(ent->flags & MON_PERMIT)) 601 fatal("%s: unpermitted request %d", __func__, 602 type); 603 ret = (*ent->f)(pmonitor->m_sendfd, &m); 604 buffer_free(&m); 605 606 /* The child may use this request only once, disable it */ 607 if (ent->flags & MON_ONCE) { 608 debug2("%s: %d used once, disabling now", __func__, 609 type); 610 ent->flags &= ~MON_PERMIT; 611 } 612 613 if (pent != NULL) 614 *pent = ent; 615 616 return ret; 617 } 618 619 fatal("%s: unsupported request: %d", __func__, type); 620 621 /* NOTREACHED */ 622 return (-1); 623} 624 625/* allowed key state */ 626static int 627monitor_allowed_key(u_char *blob, u_int bloblen) 628{ 629 /* make sure key is allowed */ 630 if (key_blob == NULL || key_bloblen != bloblen || 631 timingsafe_bcmp(key_blob, blob, key_bloblen)) 632 return (0); 633 return (1); 634} 635 636static void 637monitor_reset_key_state(void) 638{ 639 /* reset state */ 640 free(key_blob); 641 free(hostbased_cuser); 642 free(hostbased_chost); 643 key_blob = NULL; 644 key_bloblen = 0; 645 key_blobtype = MM_NOKEY; 646 hostbased_cuser = NULL; 647 hostbased_chost = NULL; 648} 649 650#ifdef WITH_OPENSSL 651int 652mm_answer_moduli(int sock, Buffer *m) 653{ 654 DH *dh; 655 int min, want, max; 656 657 min = buffer_get_int(m); 658 want = buffer_get_int(m); 659 max = buffer_get_int(m); 660 661 debug3("%s: got parameters: %d %d %d", 662 __func__, min, want, max); 663 /* We need to check here, too, in case the child got corrupted */ 664 if (max < min || want < min || max < want) 665 fatal("%s: bad parameters: %d %d %d", 666 __func__, min, want, max); 667 668 buffer_clear(m); 669 670 dh = choose_dh(min, want, max); 671 if (dh == NULL) { 672 buffer_put_char(m, 0); 673 return (0); 674 } else { 675 /* Send first bignum */ 676 buffer_put_char(m, 1); 677 buffer_put_bignum2(m, dh->p); 678 buffer_put_bignum2(m, dh->g); 679 680 DH_free(dh); 681 } 682 mm_request_send(sock, MONITOR_ANS_MODULI, m); 683 return (0); 684} 685#endif 686 687int 688mm_answer_sign(int sock, Buffer *m) 689{ 690 struct ssh *ssh = active_state; /* XXX */ 691 extern int auth_sock; /* XXX move to state struct? */ 692 struct sshkey *key; 693 struct sshbuf *sigbuf; 694 u_char *p; 695 u_char *signature; 696 size_t datlen, siglen; 697 int r, keyid, is_proof = 0; 698 const char proof_req[] = "hostkeys-prove-00@openssh.com"; 699 700 debug3("%s", __func__); 701 702 if ((r = sshbuf_get_u32(m, &keyid)) != 0 || 703 (r = sshbuf_get_string(m, &p, &datlen)) != 0) 704 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 705 706 /* 707 * Supported KEX types use SHA1 (20 bytes), SHA256 (32 bytes), 708 * SHA384 (48 bytes) and SHA512 (64 bytes). 709 * 710 * Otherwise, verify the signature request is for a hostkey 711 * proof. 712 * 713 * XXX perform similar check for KEX signature requests too? 714 * it's not trivial, since what is signed is the hash, rather 715 * than the full kex structure... 716 */ 717 if (datlen != 20 && datlen != 32 && datlen != 48 && datlen != 64) { 718 /* 719 * Construct expected hostkey proof and compare it to what 720 * the client sent us. 721 */ 722 if (session_id2_len == 0) /* hostkeys is never first */ 723 fatal("%s: bad data length: %zu", __func__, datlen); 724 if ((key = get_hostkey_public_by_index(keyid, ssh)) == NULL) 725 fatal("%s: no hostkey for index %d", __func__, keyid); 726 if ((sigbuf = sshbuf_new()) == NULL) 727 fatal("%s: sshbuf_new", __func__); 728 if ((r = sshbuf_put_cstring(sigbuf, proof_req)) != 0 || 729 (r = sshbuf_put_string(sigbuf, session_id2, 730 session_id2_len) != 0) || 731 (r = sshkey_puts(key, sigbuf)) != 0) 732 fatal("%s: couldn't prepare private key " 733 "proof buffer: %s", __func__, ssh_err(r)); 734 if (datlen != sshbuf_len(sigbuf) || 735 memcmp(p, sshbuf_ptr(sigbuf), sshbuf_len(sigbuf)) != 0) 736 fatal("%s: bad data length: %zu, hostkey proof len %zu", 737 __func__, datlen, sshbuf_len(sigbuf)); 738 sshbuf_free(sigbuf); 739 is_proof = 1; 740 } 741 742 /* save session id, it will be passed on the first call */ 743 if (session_id2_len == 0) { 744 session_id2_len = datlen; 745 session_id2 = xmalloc(session_id2_len); 746 memcpy(session_id2, p, session_id2_len); 747 } 748 749 if ((key = get_hostkey_by_index(keyid)) != NULL) { 750 if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, 751 datafellows)) != 0) 752 fatal("%s: sshkey_sign failed: %s", 753 __func__, ssh_err(r)); 754 } else if ((key = get_hostkey_public_by_index(keyid, ssh)) != NULL && 755 auth_sock > 0) { 756 if ((r = ssh_agent_sign(auth_sock, key, &signature, &siglen, 757 p, datlen, datafellows)) != 0) { 758 fatal("%s: ssh_agent_sign failed: %s", 759 __func__, ssh_err(r)); 760 } 761 } else 762 fatal("%s: no hostkey from index %d", __func__, keyid); 763 764 debug3("%s: %s signature %p(%zu)", __func__, 765 is_proof ? "KEX" : "hostkey proof", signature, siglen); 766 767 sshbuf_reset(m); 768 if ((r = sshbuf_put_string(m, signature, siglen)) != 0) 769 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 770 771 free(p); 772 free(signature); 773 774 mm_request_send(sock, MONITOR_ANS_SIGN, m); 775 776 /* Turn on permissions for getpwnam */ 777 monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1); 778 779 return (0); 780} 781 782/* Retrieves the password entry and also checks if the user is permitted */ 783 784int 785mm_answer_pwnamallow(int sock, Buffer *m) 786{ 787 char *username; 788 struct passwd *pwent; 789 int allowed = 0; 790 u_int i; 791 792 debug3("%s", __func__); 793 794 if (authctxt->attempt++ != 0) 795 fatal("%s: multiple attempts for getpwnam", __func__); 796 797 username = buffer_get_string(m, NULL); 798 799 pwent = getpwnamallow(username); 800 801 authctxt->user = xstrdup(username); 802 setproctitle("%s [priv]", pwent ? username : "unknown"); 803 free(username); 804 805 buffer_clear(m); 806 807 if (pwent == NULL) { 808 buffer_put_char(m, 0); 809 authctxt->pw = fakepw(); 810 goto out; 811 } 812 813 allowed = 1; 814 authctxt->pw = pwent; 815 authctxt->valid = 1; 816 817 buffer_put_char(m, 1); 818 buffer_put_string(m, pwent, sizeof(struct passwd)); 819 buffer_put_cstring(m, pwent->pw_name); 820 buffer_put_cstring(m, "*"); 821#ifdef HAVE_STRUCT_PASSWD_PW_GECOS 822 buffer_put_cstring(m, pwent->pw_gecos); 823#endif 824#ifdef HAVE_STRUCT_PASSWD_PW_CLASS 825 buffer_put_cstring(m, pwent->pw_class); 826#endif 827 buffer_put_cstring(m, pwent->pw_dir); 828 buffer_put_cstring(m, pwent->pw_shell); 829 830 out: 831 buffer_put_string(m, &options, sizeof(options)); 832 833#define M_CP_STROPT(x) do { \ 834 if (options.x != NULL) \ 835 buffer_put_cstring(m, options.x); \ 836 } while (0) 837#define M_CP_STRARRAYOPT(x, nx) do { \ 838 for (i = 0; i < options.nx; i++) \ 839 buffer_put_cstring(m, options.x[i]); \ 840 } while (0) 841 /* See comment in servconf.h */ 842 COPY_MATCH_STRING_OPTS(); 843#undef M_CP_STROPT 844#undef M_CP_STRARRAYOPT 845 846 /* Create valid auth method lists */ 847 if (compat20 && auth2_setup_methods_lists(authctxt) != 0) { 848 /* 849 * The monitor will continue long enough to let the child 850 * run to it's packet_disconnect(), but it must not allow any 851 * authentication to succeed. 852 */ 853 debug("%s: no valid authentication method lists", __func__); 854 } 855 856 debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); 857 mm_request_send(sock, MONITOR_ANS_PWNAM, m); 858 859 /* For SSHv1 allow authentication now */ 860 if (!compat20) 861 monitor_permit_authentications(1); 862 else { 863 /* Allow service/style information on the auth context */ 864 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 865 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 866 } 867#ifdef USE_PAM 868 if (options.use_pam) 869 monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); 870#endif 871 872 return (0); 873} 874 875int mm_answer_auth2_read_banner(int sock, Buffer *m) 876{ 877 char *banner; 878 879 buffer_clear(m); 880 banner = auth2_read_banner(); 881 buffer_put_cstring(m, banner != NULL ? banner : ""); 882 mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m); 883 free(banner); 884 885 return (0); 886} 887 888int 889mm_answer_authserv(int sock, Buffer *m) 890{ 891 monitor_permit_authentications(1); 892 893 authctxt->service = buffer_get_string(m, NULL); 894 authctxt->style = buffer_get_string(m, NULL); 895 debug3("%s: service=%s, style=%s", 896 __func__, authctxt->service, authctxt->style); 897 898 if (strlen(authctxt->style) == 0) { 899 free(authctxt->style); 900 authctxt->style = NULL; 901 } 902 903 return (0); 904} 905 906int 907mm_answer_authpassword(int sock, Buffer *m) 908{ 909 static int call_count; 910 char *passwd; 911 int authenticated; 912 u_int plen; 913 914 passwd = buffer_get_string(m, &plen); 915#if !defined(ANDROID) 916 /* Only authenticate if the context is valid */ 917 authenticated = options.password_authentication && 918 auth_password(authctxt, passwd); 919#else 920 /* no password authentication in Android. */ 921 authenticated = 0; 922#endif 923 explicit_bzero(passwd, strlen(passwd)); 924 free(passwd); 925 926 buffer_clear(m); 927 buffer_put_int(m, authenticated); 928 929 debug3("%s: sending result %d", __func__, authenticated); 930 mm_request_send(sock, MONITOR_ANS_AUTHPASSWORD, m); 931 932 call_count++; 933 if (plen == 0 && call_count == 1) 934 auth_method = "none"; 935 else 936 auth_method = "password"; 937 938 /* Causes monitor loop to terminate if authenticated */ 939 return (authenticated); 940} 941 942#ifdef BSD_AUTH 943int 944mm_answer_bsdauthquery(int sock, Buffer *m) 945{ 946 char *name, *infotxt; 947 u_int numprompts; 948 u_int *echo_on; 949 char **prompts; 950 u_int success; 951 952 success = bsdauth_query(authctxt, &name, &infotxt, &numprompts, 953 &prompts, &echo_on) < 0 ? 0 : 1; 954 955 buffer_clear(m); 956 buffer_put_int(m, success); 957 if (success) 958 buffer_put_cstring(m, prompts[0]); 959 960 debug3("%s: sending challenge success: %u", __func__, success); 961 mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m); 962 963 if (success) { 964 free(name); 965 free(infotxt); 966 free(prompts); 967 free(echo_on); 968 } 969 970 return (0); 971} 972 973int 974mm_answer_bsdauthrespond(int sock, Buffer *m) 975{ 976 char *response; 977 int authok; 978 979 if (authctxt->as == 0) 980 fatal("%s: no bsd auth session", __func__); 981 982 response = buffer_get_string(m, NULL); 983 authok = options.challenge_response_authentication && 984 auth_userresponse(authctxt->as, response, 0); 985 authctxt->as = NULL; 986 debug3("%s: <%s> = <%d>", __func__, response, authok); 987 free(response); 988 989 buffer_clear(m); 990 buffer_put_int(m, authok); 991 992 debug3("%s: sending authenticated: %d", __func__, authok); 993 mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); 994 995 if (compat20) { 996 auth_method = "keyboard-interactive"; 997 auth_submethod = "bsdauth"; 998 } else 999 auth_method = "bsdauth"; 1000 1001 return (authok != 0); 1002} 1003#endif 1004 1005#ifdef SKEY 1006int 1007mm_answer_skeyquery(int sock, Buffer *m) 1008{ 1009 struct skey skey; 1010 char challenge[1024]; 1011 u_int success; 1012 1013 success = _compat_skeychallenge(&skey, authctxt->user, challenge, 1014 sizeof(challenge)) < 0 ? 0 : 1; 1015 1016 buffer_clear(m); 1017 buffer_put_int(m, success); 1018 if (success) 1019 buffer_put_cstring(m, challenge); 1020 1021 debug3("%s: sending challenge success: %u", __func__, success); 1022 mm_request_send(sock, MONITOR_ANS_SKEYQUERY, m); 1023 1024 return (0); 1025} 1026 1027int 1028mm_answer_skeyrespond(int sock, Buffer *m) 1029{ 1030 char *response; 1031 int authok; 1032 1033 response = buffer_get_string(m, NULL); 1034 1035 authok = (options.challenge_response_authentication && 1036 authctxt->valid && 1037 skey_haskey(authctxt->pw->pw_name) == 0 && 1038 skey_passcheck(authctxt->pw->pw_name, response) != -1); 1039 1040 free(response); 1041 1042 buffer_clear(m); 1043 buffer_put_int(m, authok); 1044 1045 debug3("%s: sending authenticated: %d", __func__, authok); 1046 mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m); 1047 1048 auth_method = "skey"; 1049 1050 return (authok != 0); 1051} 1052#endif 1053 1054#ifdef USE_PAM 1055int 1056mm_answer_pam_start(int sock, Buffer *m) 1057{ 1058 if (!options.use_pam) 1059 fatal("UsePAM not set, but ended up in %s anyway", __func__); 1060 1061 start_pam(authctxt); 1062 1063 monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1); 1064 1065 return (0); 1066} 1067 1068int 1069mm_answer_pam_account(int sock, Buffer *m) 1070{ 1071 u_int ret; 1072 1073 if (!options.use_pam) 1074 fatal("UsePAM not set, but ended up in %s anyway", __func__); 1075 1076 ret = do_pam_account(); 1077 1078 buffer_put_int(m, ret); 1079 buffer_put_string(m, buffer_ptr(&loginmsg), buffer_len(&loginmsg)); 1080 1081 mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m); 1082 1083 return (ret); 1084} 1085 1086static void *sshpam_ctxt, *sshpam_authok; 1087extern KbdintDevice sshpam_device; 1088 1089int 1090mm_answer_pam_init_ctx(int sock, Buffer *m) 1091{ 1092 1093 debug3("%s", __func__); 1094 authctxt->user = buffer_get_string(m, NULL); 1095 sshpam_ctxt = (sshpam_device.init_ctx)(authctxt); 1096 sshpam_authok = NULL; 1097 buffer_clear(m); 1098 if (sshpam_ctxt != NULL) { 1099 monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1); 1100 buffer_put_int(m, 1); 1101 } else { 1102 buffer_put_int(m, 0); 1103 } 1104 mm_request_send(sock, MONITOR_ANS_PAM_INIT_CTX, m); 1105 return (0); 1106} 1107 1108int 1109mm_answer_pam_query(int sock, Buffer *m) 1110{ 1111 char *name = NULL, *info = NULL, **prompts = NULL; 1112 u_int i, num = 0, *echo_on = 0; 1113 int ret; 1114 1115 debug3("%s", __func__); 1116 sshpam_authok = NULL; 1117 ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num, &prompts, &echo_on); 1118 if (ret == 0 && num == 0) 1119 sshpam_authok = sshpam_ctxt; 1120 if (num > 1 || name == NULL || info == NULL) 1121 ret = -1; 1122 buffer_clear(m); 1123 buffer_put_int(m, ret); 1124 buffer_put_cstring(m, name); 1125 free(name); 1126 buffer_put_cstring(m, info); 1127 free(info); 1128 buffer_put_int(m, num); 1129 for (i = 0; i < num; ++i) { 1130 buffer_put_cstring(m, prompts[i]); 1131 free(prompts[i]); 1132 buffer_put_int(m, echo_on[i]); 1133 } 1134 free(prompts); 1135 free(echo_on); 1136 auth_method = "keyboard-interactive"; 1137 auth_submethod = "pam"; 1138 mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); 1139 return (0); 1140} 1141 1142int 1143mm_answer_pam_respond(int sock, Buffer *m) 1144{ 1145 char **resp; 1146 u_int i, num; 1147 int ret; 1148 1149 debug3("%s", __func__); 1150 sshpam_authok = NULL; 1151 num = buffer_get_int(m); 1152 if (num > 0) { 1153 resp = xcalloc(num, sizeof(char *)); 1154 for (i = 0; i < num; ++i) 1155 resp[i] = buffer_get_string(m, NULL); 1156 ret = (sshpam_device.respond)(sshpam_ctxt, num, resp); 1157 for (i = 0; i < num; ++i) 1158 free(resp[i]); 1159 free(resp); 1160 } else { 1161 ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL); 1162 } 1163 buffer_clear(m); 1164 buffer_put_int(m, ret); 1165 mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m); 1166 auth_method = "keyboard-interactive"; 1167 auth_submethod = "pam"; 1168 if (ret == 0) 1169 sshpam_authok = sshpam_ctxt; 1170 return (0); 1171} 1172 1173int 1174mm_answer_pam_free_ctx(int sock, Buffer *m) 1175{ 1176 1177 debug3("%s", __func__); 1178 (sshpam_device.free_ctx)(sshpam_ctxt); 1179 buffer_clear(m); 1180 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); 1181 auth_method = "keyboard-interactive"; 1182 auth_submethod = "pam"; 1183 return (sshpam_authok == sshpam_ctxt); 1184} 1185#endif 1186 1187int 1188mm_answer_keyallowed(int sock, Buffer *m) 1189{ 1190 Key *key; 1191 char *cuser, *chost; 1192 u_char *blob; 1193 u_int bloblen; 1194 enum mm_keytype type = 0; 1195 int allowed = 0; 1196 1197 debug3("%s entering", __func__); 1198 1199 type = buffer_get_int(m); 1200 cuser = buffer_get_string(m, NULL); 1201 chost = buffer_get_string(m, NULL); 1202 blob = buffer_get_string(m, &bloblen); 1203 1204 key = key_from_blob(blob, bloblen); 1205 1206 if ((compat20 && type == MM_RSAHOSTKEY) || 1207 (!compat20 && type != MM_RSAHOSTKEY)) 1208 fatal("%s: key type and protocol mismatch", __func__); 1209 1210 debug3("%s: key_from_blob: %p", __func__, key); 1211 1212 if (key != NULL && authctxt->valid) { 1213 /* These should not make it past the privsep child */ 1214 if (key_type_plain(key->type) == KEY_RSA && 1215 (datafellows & SSH_BUG_RSASIGMD5) != 0) 1216 fatal("%s: passed a SSH_BUG_RSASIGMD5 key", __func__); 1217 1218 switch (type) { 1219 case MM_USERKEY: 1220 allowed = options.pubkey_authentication && 1221 !auth2_userkey_already_used(authctxt, key) && 1222 match_pattern_list(sshkey_ssh_name(key), 1223 options.pubkey_key_types, 1224 strlen(options.pubkey_key_types), 0) == 1 && 1225 user_key_allowed(authctxt->pw, key); 1226 pubkey_auth_info(authctxt, key, NULL); 1227 auth_method = "publickey"; 1228 if (options.pubkey_authentication && allowed != 1) 1229 auth_clear_options(); 1230 break; 1231 case MM_HOSTKEY: 1232 allowed = options.hostbased_authentication && 1233 match_pattern_list(sshkey_ssh_name(key), 1234 options.hostbased_key_types, 1235 strlen(options.hostbased_key_types), 0) == 1 && 1236 hostbased_key_allowed(authctxt->pw, 1237 cuser, chost, key); 1238 pubkey_auth_info(authctxt, key, 1239 "client user \"%.100s\", client host \"%.100s\"", 1240 cuser, chost); 1241 auth_method = "hostbased"; 1242 break; 1243#ifdef WITH_SSH1 1244 case MM_RSAHOSTKEY: 1245 key->type = KEY_RSA1; /* XXX */ 1246 allowed = options.rhosts_rsa_authentication && 1247 auth_rhosts_rsa_key_allowed(authctxt->pw, 1248 cuser, chost, key); 1249 if (options.rhosts_rsa_authentication && allowed != 1) 1250 auth_clear_options(); 1251 auth_method = "rsa"; 1252 break; 1253#endif 1254 default: 1255 fatal("%s: unknown key type %d", __func__, type); 1256 break; 1257 } 1258 } 1259 if (key != NULL) 1260 key_free(key); 1261 1262 /* clear temporarily storage (used by verify) */ 1263 monitor_reset_key_state(); 1264 1265 if (allowed) { 1266 /* Save temporarily for comparison in verify */ 1267 key_blob = blob; 1268 key_bloblen = bloblen; 1269 key_blobtype = type; 1270 hostbased_cuser = cuser; 1271 hostbased_chost = chost; 1272 } else { 1273 /* Log failed attempt */ 1274 auth_log(authctxt, 0, 0, auth_method, NULL); 1275 free(blob); 1276 free(cuser); 1277 free(chost); 1278 } 1279 1280 debug3("%s: key %p is %s", 1281 __func__, key, allowed ? "allowed" : "not allowed"); 1282 1283 buffer_clear(m); 1284 buffer_put_int(m, allowed); 1285 buffer_put_int(m, forced_command != NULL); 1286 1287 mm_request_send(sock, MONITOR_ANS_KEYALLOWED, m); 1288 1289 if (type == MM_RSAHOSTKEY) 1290 monitor_permit(mon_dispatch, MONITOR_REQ_RSACHALLENGE, allowed); 1291 1292 return (0); 1293} 1294 1295static int 1296monitor_valid_userblob(u_char *data, u_int datalen) 1297{ 1298 Buffer b; 1299 char *p, *userstyle; 1300 u_int len; 1301 int fail = 0; 1302 1303 buffer_init(&b); 1304 buffer_append(&b, data, datalen); 1305 1306 if (datafellows & SSH_OLD_SESSIONID) { 1307 p = buffer_ptr(&b); 1308 len = buffer_len(&b); 1309 if ((session_id2 == NULL) || 1310 (len < session_id2_len) || 1311 (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) 1312 fail++; 1313 buffer_consume(&b, session_id2_len); 1314 } else { 1315 p = buffer_get_string(&b, &len); 1316 if ((session_id2 == NULL) || 1317 (len != session_id2_len) || 1318 (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) 1319 fail++; 1320 free(p); 1321 } 1322 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) 1323 fail++; 1324 p = buffer_get_cstring(&b, NULL); 1325 xasprintf(&userstyle, "%s%s%s", authctxt->user, 1326 authctxt->style ? ":" : "", 1327 authctxt->style ? authctxt->style : ""); 1328 if (strcmp(userstyle, p) != 0) { 1329 logit("wrong user name passed to monitor: expected %s != %.100s", 1330 userstyle, p); 1331 fail++; 1332 } 1333 free(userstyle); 1334 free(p); 1335 buffer_skip_string(&b); 1336 if (datafellows & SSH_BUG_PKAUTH) { 1337 if (!buffer_get_char(&b)) 1338 fail++; 1339 } else { 1340 p = buffer_get_cstring(&b, NULL); 1341 if (strcmp("publickey", p) != 0) 1342 fail++; 1343 free(p); 1344 if (!buffer_get_char(&b)) 1345 fail++; 1346 buffer_skip_string(&b); 1347 } 1348 buffer_skip_string(&b); 1349 if (buffer_len(&b) != 0) 1350 fail++; 1351 buffer_free(&b); 1352 return (fail == 0); 1353} 1354 1355static int 1356monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, 1357 char *chost) 1358{ 1359 Buffer b; 1360 char *p, *userstyle; 1361 u_int len; 1362 int fail = 0; 1363 1364 buffer_init(&b); 1365 buffer_append(&b, data, datalen); 1366 1367 p = buffer_get_string(&b, &len); 1368 if ((session_id2 == NULL) || 1369 (len != session_id2_len) || 1370 (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) 1371 fail++; 1372 free(p); 1373 1374 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) 1375 fail++; 1376 p = buffer_get_cstring(&b, NULL); 1377 xasprintf(&userstyle, "%s%s%s", authctxt->user, 1378 authctxt->style ? ":" : "", 1379 authctxt->style ? authctxt->style : ""); 1380 if (strcmp(userstyle, p) != 0) { 1381 logit("wrong user name passed to monitor: expected %s != %.100s", 1382 userstyle, p); 1383 fail++; 1384 } 1385 free(userstyle); 1386 free(p); 1387 buffer_skip_string(&b); /* service */ 1388 p = buffer_get_cstring(&b, NULL); 1389 if (strcmp(p, "hostbased") != 0) 1390 fail++; 1391 free(p); 1392 buffer_skip_string(&b); /* pkalg */ 1393 buffer_skip_string(&b); /* pkblob */ 1394 1395 /* verify client host, strip trailing dot if necessary */ 1396 p = buffer_get_string(&b, NULL); 1397 if (((len = strlen(p)) > 0) && p[len - 1] == '.') 1398 p[len - 1] = '\0'; 1399 if (strcmp(p, chost) != 0) 1400 fail++; 1401 free(p); 1402 1403 /* verify client user */ 1404 p = buffer_get_string(&b, NULL); 1405 if (strcmp(p, cuser) != 0) 1406 fail++; 1407 free(p); 1408 1409 if (buffer_len(&b) != 0) 1410 fail++; 1411 buffer_free(&b); 1412 return (fail == 0); 1413} 1414 1415int 1416mm_answer_keyverify(int sock, Buffer *m) 1417{ 1418 Key *key; 1419 u_char *signature, *data, *blob; 1420 u_int signaturelen, datalen, bloblen; 1421 int verified = 0; 1422 int valid_data = 0; 1423 1424 blob = buffer_get_string(m, &bloblen); 1425 signature = buffer_get_string(m, &signaturelen); 1426 data = buffer_get_string(m, &datalen); 1427 1428 if (hostbased_cuser == NULL || hostbased_chost == NULL || 1429 !monitor_allowed_key(blob, bloblen)) 1430 fatal("%s: bad key, not previously allowed", __func__); 1431 1432 key = key_from_blob(blob, bloblen); 1433 if (key == NULL) 1434 fatal("%s: bad public key blob", __func__); 1435 1436 switch (key_blobtype) { 1437 case MM_USERKEY: 1438 valid_data = monitor_valid_userblob(data, datalen); 1439 break; 1440 case MM_HOSTKEY: 1441 valid_data = monitor_valid_hostbasedblob(data, datalen, 1442 hostbased_cuser, hostbased_chost); 1443 break; 1444 default: 1445 valid_data = 0; 1446 break; 1447 } 1448 if (!valid_data) 1449 fatal("%s: bad signature data blob", __func__); 1450 1451 verified = key_verify(key, signature, signaturelen, data, datalen); 1452 debug3("%s: key %p signature %s", 1453 __func__, key, (verified == 1) ? "verified" : "unverified"); 1454 1455 /* If auth was successful then record key to ensure it isn't reused */ 1456 if (verified == 1) 1457 auth2_record_userkey(authctxt, key); 1458 else 1459 key_free(key); 1460 1461 free(blob); 1462 free(signature); 1463 free(data); 1464 1465 auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased"; 1466 1467 monitor_reset_key_state(); 1468 1469 buffer_clear(m); 1470 buffer_put_int(m, verified); 1471 mm_request_send(sock, MONITOR_ANS_KEYVERIFY, m); 1472 1473 return (verified == 1); 1474} 1475 1476static void 1477mm_record_login(Session *s, struct passwd *pw) 1478{ 1479 socklen_t fromlen; 1480 struct sockaddr_storage from; 1481 1482 /* 1483 * Get IP address of client. If the connection is not a socket, let 1484 * the address be 0.0.0.0. 1485 */ 1486 memset(&from, 0, sizeof(from)); 1487 fromlen = sizeof(from); 1488 if (packet_connection_is_on_socket()) { 1489 if (getpeername(packet_get_connection_in(), 1490 (struct sockaddr *)&from, &fromlen) < 0) { 1491 debug("getpeername: %.100s", strerror(errno)); 1492 cleanup_exit(255); 1493 } 1494 } 1495 /* Record that there was a login on that tty from the remote host. */ 1496 record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid, 1497 get_remote_name_or_ip(utmp_len, options.use_dns), 1498 (struct sockaddr *)&from, fromlen); 1499} 1500 1501static void 1502mm_session_close(Session *s) 1503{ 1504 debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid); 1505 if (s->ttyfd != -1) { 1506 debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); 1507 session_pty_cleanup2(s); 1508 } 1509 session_unused(s->self); 1510} 1511 1512int 1513mm_answer_pty(int sock, Buffer *m) 1514{ 1515 extern struct monitor *pmonitor; 1516 Session *s; 1517 int res, fd0; 1518 1519 debug3("%s entering", __func__); 1520 1521 buffer_clear(m); 1522 s = session_new(); 1523 if (s == NULL) 1524 goto error; 1525 s->authctxt = authctxt; 1526 s->pw = authctxt->pw; 1527 s->pid = pmonitor->m_pid; 1528 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 1529 if (res == 0) 1530 goto error; 1531 pty_setowner(authctxt->pw, s->tty); 1532 1533 buffer_put_int(m, 1); 1534 buffer_put_cstring(m, s->tty); 1535 1536 /* We need to trick ttyslot */ 1537 if (dup2(s->ttyfd, 0) == -1) 1538 fatal("%s: dup2", __func__); 1539 1540 mm_record_login(s, authctxt->pw); 1541 1542 /* Now we can close the file descriptor again */ 1543 close(0); 1544 1545 /* send messages generated by record_login */ 1546 buffer_put_string(m, buffer_ptr(&loginmsg), buffer_len(&loginmsg)); 1547 buffer_clear(&loginmsg); 1548 1549 mm_request_send(sock, MONITOR_ANS_PTY, m); 1550 1551 if (mm_send_fd(sock, s->ptyfd) == -1 || 1552 mm_send_fd(sock, s->ttyfd) == -1) 1553 fatal("%s: send fds failed", __func__); 1554 1555 /* make sure nothing uses fd 0 */ 1556 if ((fd0 = open(_PATH_DEVNULL, O_RDONLY)) < 0) 1557 fatal("%s: open(/dev/null): %s", __func__, strerror(errno)); 1558 if (fd0 != 0) 1559 error("%s: fd0 %d != 0", __func__, fd0); 1560 1561 /* slave is not needed */ 1562 close(s->ttyfd); 1563 s->ttyfd = s->ptyfd; 1564 /* no need to dup() because nobody closes ptyfd */ 1565 s->ptymaster = s->ptyfd; 1566 1567 debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ttyfd); 1568 1569 return (0); 1570 1571 error: 1572 if (s != NULL) 1573 mm_session_close(s); 1574 buffer_put_int(m, 0); 1575 mm_request_send(sock, MONITOR_ANS_PTY, m); 1576 return (0); 1577} 1578 1579int 1580mm_answer_pty_cleanup(int sock, Buffer *m) 1581{ 1582 Session *s; 1583 char *tty; 1584 1585 debug3("%s entering", __func__); 1586 1587 tty = buffer_get_string(m, NULL); 1588 if ((s = session_by_tty(tty)) != NULL) 1589 mm_session_close(s); 1590 buffer_clear(m); 1591 free(tty); 1592 return (0); 1593} 1594 1595#ifdef WITH_SSH1 1596int 1597mm_answer_sesskey(int sock, Buffer *m) 1598{ 1599 BIGNUM *p; 1600 int rsafail; 1601 1602 /* Turn off permissions */ 1603 monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 0); 1604 1605 if ((p = BN_new()) == NULL) 1606 fatal("%s: BN_new", __func__); 1607 1608 buffer_get_bignum2(m, p); 1609 1610 rsafail = ssh1_session_key(p); 1611 1612 buffer_clear(m); 1613 buffer_put_int(m, rsafail); 1614 buffer_put_bignum2(m, p); 1615 1616 BN_clear_free(p); 1617 1618 mm_request_send(sock, MONITOR_ANS_SESSKEY, m); 1619 1620 /* Turn on permissions for sessid passing */ 1621 monitor_permit(mon_dispatch, MONITOR_REQ_SESSID, 1); 1622 1623 return (0); 1624} 1625 1626int 1627mm_answer_sessid(int sock, Buffer *m) 1628{ 1629 int i; 1630 1631 debug3("%s entering", __func__); 1632 1633 if (buffer_len(m) != 16) 1634 fatal("%s: bad ssh1 session id", __func__); 1635 for (i = 0; i < 16; i++) 1636 session_id[i] = buffer_get_char(m); 1637 1638 /* Turn on permissions for getpwnam */ 1639 monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1); 1640 1641 return (0); 1642} 1643 1644int 1645mm_answer_rsa_keyallowed(int sock, Buffer *m) 1646{ 1647 BIGNUM *client_n; 1648 Key *key = NULL; 1649 u_char *blob = NULL; 1650 u_int blen = 0; 1651 int allowed = 0; 1652 1653 debug3("%s entering", __func__); 1654 1655 auth_method = "rsa"; 1656 if (options.rsa_authentication && authctxt->valid) { 1657 if ((client_n = BN_new()) == NULL) 1658 fatal("%s: BN_new", __func__); 1659 buffer_get_bignum2(m, client_n); 1660 allowed = auth_rsa_key_allowed(authctxt->pw, client_n, &key); 1661 BN_clear_free(client_n); 1662 } 1663 buffer_clear(m); 1664 buffer_put_int(m, allowed); 1665 buffer_put_int(m, forced_command != NULL); 1666 1667 /* clear temporarily storage (used by generate challenge) */ 1668 monitor_reset_key_state(); 1669 1670 if (allowed && key != NULL) { 1671 key->type = KEY_RSA; /* cheat for key_to_blob */ 1672 if (key_to_blob(key, &blob, &blen) == 0) 1673 fatal("%s: key_to_blob failed", __func__); 1674 buffer_put_string(m, blob, blen); 1675 1676 /* Save temporarily for comparison in verify */ 1677 key_blob = blob; 1678 key_bloblen = blen; 1679 key_blobtype = MM_RSAUSERKEY; 1680 } 1681 if (key != NULL) 1682 key_free(key); 1683 1684 mm_request_send(sock, MONITOR_ANS_RSAKEYALLOWED, m); 1685 1686 monitor_permit(mon_dispatch, MONITOR_REQ_RSACHALLENGE, allowed); 1687 monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 0); 1688 return (0); 1689} 1690 1691int 1692mm_answer_rsa_challenge(int sock, Buffer *m) 1693{ 1694 Key *key = NULL; 1695 u_char *blob; 1696 u_int blen; 1697 1698 debug3("%s entering", __func__); 1699 1700 if (!authctxt->valid) 1701 fatal("%s: authctxt not valid", __func__); 1702 blob = buffer_get_string(m, &blen); 1703 if (!monitor_allowed_key(blob, blen)) 1704 fatal("%s: bad key, not previously allowed", __func__); 1705 if (key_blobtype != MM_RSAUSERKEY && key_blobtype != MM_RSAHOSTKEY) 1706 fatal("%s: key type mismatch", __func__); 1707 if ((key = key_from_blob(blob, blen)) == NULL) 1708 fatal("%s: received bad key", __func__); 1709 if (key->type != KEY_RSA) 1710 fatal("%s: received bad key type %d", __func__, key->type); 1711 key->type = KEY_RSA1; 1712 if (ssh1_challenge) 1713 BN_clear_free(ssh1_challenge); 1714 ssh1_challenge = auth_rsa_generate_challenge(key); 1715 1716 buffer_clear(m); 1717 buffer_put_bignum2(m, ssh1_challenge); 1718 1719 debug3("%s sending reply", __func__); 1720 mm_request_send(sock, MONITOR_ANS_RSACHALLENGE, m); 1721 1722 monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1); 1723 1724 free(blob); 1725 key_free(key); 1726 return (0); 1727} 1728 1729int 1730mm_answer_rsa_response(int sock, Buffer *m) 1731{ 1732 Key *key = NULL; 1733 u_char *blob, *response; 1734 u_int blen, len; 1735 int success; 1736 1737 debug3("%s entering", __func__); 1738 1739 if (!authctxt->valid) 1740 fatal("%s: authctxt not valid", __func__); 1741 if (ssh1_challenge == NULL) 1742 fatal("%s: no ssh1_challenge", __func__); 1743 1744 blob = buffer_get_string(m, &blen); 1745 if (!monitor_allowed_key(blob, blen)) 1746 fatal("%s: bad key, not previously allowed", __func__); 1747 if (key_blobtype != MM_RSAUSERKEY && key_blobtype != MM_RSAHOSTKEY) 1748 fatal("%s: key type mismatch: %d", __func__, key_blobtype); 1749 if ((key = key_from_blob(blob, blen)) == NULL) 1750 fatal("%s: received bad key", __func__); 1751 response = buffer_get_string(m, &len); 1752 if (len != 16) 1753 fatal("%s: received bad response to challenge", __func__); 1754 success = auth_rsa_verify_response(key, ssh1_challenge, response); 1755 1756 free(blob); 1757 key_free(key); 1758 free(response); 1759 1760 auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa"; 1761 1762 /* reset state */ 1763 BN_clear_free(ssh1_challenge); 1764 ssh1_challenge = NULL; 1765 monitor_reset_key_state(); 1766 1767 buffer_clear(m); 1768 buffer_put_int(m, success); 1769 mm_request_send(sock, MONITOR_ANS_RSARESPONSE, m); 1770 1771 return (success); 1772} 1773#endif 1774 1775int 1776mm_answer_term(int sock, Buffer *req) 1777{ 1778 extern struct monitor *pmonitor; 1779 int res, status; 1780 1781 debug3("%s: tearing down sessions", __func__); 1782 1783 /* The child is terminating */ 1784 session_destroy_all(&mm_session_close); 1785 1786#ifdef USE_PAM 1787 if (options.use_pam) 1788 sshpam_cleanup(); 1789#endif 1790 1791 while (waitpid(pmonitor->m_pid, &status, 0) == -1) 1792 if (errno != EINTR) 1793 exit(1); 1794 1795 res = WIFEXITED(status) ? WEXITSTATUS(status) : 1; 1796 1797 /* Terminate process */ 1798 exit(res); 1799} 1800 1801#ifdef SSH_AUDIT_EVENTS 1802/* Report that an audit event occurred */ 1803int 1804mm_answer_audit_event(int socket, Buffer *m) 1805{ 1806 ssh_audit_event_t event; 1807 1808 debug3("%s entering", __func__); 1809 1810 event = buffer_get_int(m); 1811 switch(event) { 1812 case SSH_AUTH_FAIL_PUBKEY: 1813 case SSH_AUTH_FAIL_HOSTBASED: 1814 case SSH_AUTH_FAIL_GSSAPI: 1815 case SSH_LOGIN_EXCEED_MAXTRIES: 1816 case SSH_LOGIN_ROOT_DENIED: 1817 case SSH_CONNECTION_CLOSE: 1818 case SSH_INVALID_USER: 1819 audit_event(event); 1820 break; 1821 default: 1822 fatal("Audit event type %d not permitted", event); 1823 } 1824 1825 return (0); 1826} 1827 1828int 1829mm_answer_audit_command(int socket, Buffer *m) 1830{ 1831 u_int len; 1832 char *cmd; 1833 1834 debug3("%s entering", __func__); 1835 cmd = buffer_get_string(m, &len); 1836 /* sanity check command, if so how? */ 1837 audit_run_command(cmd); 1838 free(cmd); 1839 return (0); 1840} 1841#endif /* SSH_AUDIT_EVENTS */ 1842 1843void 1844monitor_apply_keystate(struct monitor *pmonitor) 1845{ 1846 struct ssh *ssh = active_state; /* XXX */ 1847 struct kex *kex; 1848 int r; 1849 1850 debug3("%s: packet_set_state", __func__); 1851 if ((r = ssh_packet_set_state(ssh, child_state)) != 0) 1852 fatal("%s: packet_set_state: %s", __func__, ssh_err(r)); 1853 sshbuf_free(child_state); 1854 child_state = NULL; 1855 1856 if ((kex = ssh->kex) != 0) { 1857 /* XXX set callbacks */ 1858#ifdef WITH_OPENSSL 1859 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; 1860 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; 1861 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 1862 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 1863# ifdef OPENSSL_HAS_ECC 1864 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 1865# endif 1866#endif /* WITH_OPENSSL */ 1867 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 1868 kex->load_host_public_key=&get_hostkey_public_by_type; 1869 kex->load_host_private_key=&get_hostkey_private_by_type; 1870 kex->host_key_index=&get_hostkey_index; 1871 kex->sign = sshd_hostkey_sign; 1872 } 1873 1874 /* Update with new address */ 1875 if (options.compression) { 1876 ssh_packet_set_compress_hooks(ssh, pmonitor->m_zlib, 1877 (ssh_packet_comp_alloc_func *)mm_zalloc, 1878 (ssh_packet_comp_free_func *)mm_zfree); 1879 } 1880} 1881 1882/* This function requries careful sanity checking */ 1883 1884void 1885mm_get_keystate(struct monitor *pmonitor) 1886{ 1887 debug3("%s: Waiting for new keys", __func__); 1888 1889 if ((child_state = sshbuf_new()) == NULL) 1890 fatal("%s: sshbuf_new failed", __func__); 1891 mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT, 1892 child_state); 1893 debug3("%s: GOT new keys", __func__); 1894} 1895 1896 1897/* XXX */ 1898 1899#define FD_CLOSEONEXEC(x) do { \ 1900 if (fcntl(x, F_SETFD, FD_CLOEXEC) == -1) \ 1901 fatal("fcntl(%d, F_SETFD)", x); \ 1902} while (0) 1903 1904static void 1905monitor_openfds(struct monitor *mon, int do_logfds) 1906{ 1907 int pair[2]; 1908 1909 if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) 1910 fatal("%s: socketpair: %s", __func__, strerror(errno)); 1911 FD_CLOSEONEXEC(pair[0]); 1912 FD_CLOSEONEXEC(pair[1]); 1913 mon->m_recvfd = pair[0]; 1914 mon->m_sendfd = pair[1]; 1915 1916 if (do_logfds) { 1917 if (pipe(pair) == -1) 1918 fatal("%s: pipe: %s", __func__, strerror(errno)); 1919 FD_CLOSEONEXEC(pair[0]); 1920 FD_CLOSEONEXEC(pair[1]); 1921 mon->m_log_recvfd = pair[0]; 1922 mon->m_log_sendfd = pair[1]; 1923 } else 1924 mon->m_log_recvfd = mon->m_log_sendfd = -1; 1925} 1926 1927#define MM_MEMSIZE 65536 1928 1929struct monitor * 1930monitor_init(void) 1931{ 1932 struct ssh *ssh = active_state; /* XXX */ 1933 struct monitor *mon; 1934 1935 mon = xcalloc(1, sizeof(*mon)); 1936 1937 monitor_openfds(mon, 1); 1938 1939 /* Used to share zlib space across processes */ 1940 if (options.compression) { 1941 mon->m_zback = mm_create(NULL, MM_MEMSIZE); 1942 mon->m_zlib = mm_create(mon->m_zback, 20 * MM_MEMSIZE); 1943 1944 /* Compression needs to share state across borders */ 1945 ssh_packet_set_compress_hooks(ssh, mon->m_zlib, 1946 (ssh_packet_comp_alloc_func *)mm_zalloc, 1947 (ssh_packet_comp_free_func *)mm_zfree); 1948 } 1949 1950 return mon; 1951} 1952 1953void 1954monitor_reinit(struct monitor *mon) 1955{ 1956 monitor_openfds(mon, 0); 1957} 1958 1959#ifdef GSSAPI 1960int 1961mm_answer_gss_setup_ctx(int sock, Buffer *m) 1962{ 1963 gss_OID_desc goid; 1964 OM_uint32 major; 1965 u_int len; 1966 1967 goid.elements = buffer_get_string(m, &len); 1968 goid.length = len; 1969 1970 major = ssh_gssapi_server_ctx(&gsscontext, &goid); 1971 1972 free(goid.elements); 1973 1974 buffer_clear(m); 1975 buffer_put_int(m, major); 1976 1977 mm_request_send(sock, MONITOR_ANS_GSSSETUP, m); 1978 1979 /* Now we have a context, enable the step */ 1980 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1); 1981 1982 return (0); 1983} 1984 1985int 1986mm_answer_gss_accept_ctx(int sock, Buffer *m) 1987{ 1988 gss_buffer_desc in; 1989 gss_buffer_desc out = GSS_C_EMPTY_BUFFER; 1990 OM_uint32 major, minor; 1991 OM_uint32 flags = 0; /* GSI needs this */ 1992 u_int len; 1993 1994 in.value = buffer_get_string(m, &len); 1995 in.length = len; 1996 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 1997 free(in.value); 1998 1999 buffer_clear(m); 2000 buffer_put_int(m, major); 2001 buffer_put_string(m, out.value, out.length); 2002 buffer_put_int(m, flags); 2003 mm_request_send(sock, MONITOR_ANS_GSSSTEP, m); 2004 2005 gss_release_buffer(&minor, &out); 2006 2007 if (major == GSS_S_COMPLETE) { 2008 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2009 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2010 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2011 } 2012 return (0); 2013} 2014 2015int 2016mm_answer_gss_checkmic(int sock, Buffer *m) 2017{ 2018 gss_buffer_desc gssbuf, mic; 2019 OM_uint32 ret; 2020 u_int len; 2021 2022 gssbuf.value = buffer_get_string(m, &len); 2023 gssbuf.length = len; 2024 mic.value = buffer_get_string(m, &len); 2025 mic.length = len; 2026 2027 ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic); 2028 2029 free(gssbuf.value); 2030 free(mic.value); 2031 2032 buffer_clear(m); 2033 buffer_put_int(m, ret); 2034 2035 mm_request_send(sock, MONITOR_ANS_GSSCHECKMIC, m); 2036 2037 if (!GSS_ERROR(ret)) 2038 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2039 2040 return (0); 2041} 2042 2043int 2044mm_answer_gss_userok(int sock, Buffer *m) 2045{ 2046 int authenticated; 2047 2048 authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); 2049 2050 buffer_clear(m); 2051 buffer_put_int(m, authenticated); 2052 2053 debug3("%s: sending result %d", __func__, authenticated); 2054 mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); 2055 2056 auth_method = "gssapi-with-mic"; 2057 2058 /* Monitor loop will terminate if authenticated */ 2059 return (authenticated); 2060} 2061#endif /* GSSAPI */ 2062 2063