Diffstat (limited to 'monitor.c')
-rw-r--r--monitor.c33
1 files changed, 30 insertions, 3 deletions
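diff --git a/monitor.c b/monitor.c
index 531c4f9a8..dbe29f128 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.131 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.135 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -40,9 +40,10 @@
 #endif
 #include <pwd.h>
 #include <signal.h>
-#include <stdarg.h>
 #include <stdlib.h>
 #include <string.h>
+#include <stdarg.h>
+#include <stdio.h>
 #include <unistd.h>
 #ifdef HAVE_POLL_H
 #include <poll.h>
@@ -56,7 +57,9 @@
 #include <skey.h>
 #endif
 
+#ifdef WITH_OPENSSL
 #include <openssl/dh.h>
+#endif
 
 #include "openbsd-compat/sys-queue.h"
 #include "atomicio.h"
@@ -84,6 +87,7 @@
 #include "sshlogin.h"
 #include "canohost.h"
 #include "log.h"
+#include "misc.h"
 #include "servconf.h"
 #include "monitor.h"
 #include "monitor_mm.h"
@@ -92,7 +96,6 @@
 #endif
 #include "monitor_wrap.h"
 #include "monitor_fdpass.h"
-#include "misc.h"
 #include "compat.h"
 #include "ssh2.h"
 #include "roaming.h"
@@ -185,7 +188,10 @@ int mm_answer_audit_command(int, Buffer *);
 static int monitor_read_log(struct monitor *);
 
 static Authctxt *authctxt;
+
+#ifdef WITH_SSH1
 static BIGNUM *ssh1_challenge = NULL;	/* used for ssh1 rsa auth */
+#endif
 
 /* local state for key verify */
 static u_char *key_blob = NULL;
@@ -215,7 +221,9 @@ struct mon_table {
 #define MON_PERMIT	0x1000	/* Request is permitted */
 
 struct mon_table mon_dispatch_proto20[] = {
+#ifdef WITH_OPENSSL
 	{MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
+#endif
 	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
 	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
 	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -252,7 +260,9 @@ struct mon_table mon_dispatch_proto20[] = {
 };
 
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef WITH_OPENSSL
 	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
+#endif
 	{MONITOR_REQ_SIGN, 0, mm_answer_sign},
 	{MONITOR_REQ_PTY, 0, mm_answer_pty},
 	{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
@@ -265,6 +275,7 @@ struct mon_table mon_dispatch_postauth20[] = {
 };
 
 struct mon_table mon_dispatch_proto15[] = {
+#ifdef WITH_SSH1
 	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
 	{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
 	{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
@@ -292,10 +303,12 @@ struct mon_table mon_dispatch_proto15[] = {
 #ifdef SSH_AUDIT_EVENTS
 	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
 #endif
+#endif /* WITH_SSH1 */
 	{0, 0, NULL}
 };
 
 struct mon_table mon_dispatch_postauth15[] = {
+#ifdef WITH_SSH1
 	{MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
 	{MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
 	{MONITOR_REQ_TERM, 0, mm_answer_term},
@@ -303,6 +316,7 @@ struct mon_table mon_dispatch_postauth15[] = {
 	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
 	{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
 #endif
+#endif /* WITH_SSH1 */
 	{0, 0, NULL}
 };
 
@@ -457,6 +471,9 @@ monitor_child_postauth(struct monitor *pmonitor)
 	signal(SIGHUP, &monitor_child_handler);
 	signal(SIGTERM, &monitor_child_handler);
 	signal(SIGINT, &monitor_child_handler);
+#ifdef SIGXFSZ
+	signal(SIGXFSZ, SIG_IGN);
+#endif
 
 	if (compat20) {
 		mon_dispatch = mon_dispatch_postauth20;
@@ -630,6 +647,7 @@ monitor_reset_key_state(void)
 	hostbased_chost = NULL;
 }
 
+#ifdef WITH_OPENSSL
 int
 mm_answer_moduli(int sock, Buffer *m)
 {
@@ -664,6 +682,7 @@ mm_answer_moduli(int sock, Buffer *m)
 	mm_request_send(sock, MONITOR_ANS_MODULI, m);
 	return (0);
 }
+#endif
 
 extern AuthenticationConnection *auth_conn;
 
@@ -1166,6 +1185,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
 		    cuser, chost);
 		auth_method = "hostbased";
 		break;
+#ifdef WITH_SSH1
 	case MM_RSAHOSTKEY:
 		key->type = KEY_RSA1; /* XXX */
 		allowed = options.rhosts_rsa_authentication &&
@@ -1175,6 +1195,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
 		auth_clear_options();
 		auth_method = "rsa";
 		break;
+#endif
 	default:
 		fatal("%s: unknown key type %d", __func__, type);
 		break;
@@ -1511,6 +1532,7 @@ mm_answer_pty_cleanup(int sock, Buffer *m)
 	return (0);
 }
 
+#ifdef WITH_SSH1
 int
 mm_answer_sesskey(int sock, Buffer *m)
 {
@@ -1688,6 +1710,7 @@ mm_answer_rsa_response(int sock, Buffer *m)
 
 	return (success);
 }
+#endif
 
 int
 mm_answer_term(int sock, Buffer *req)
@@ -1792,6 +1815,8 @@ monitor_apply_keystate(struct monitor *pmonitor)
 	if (options.compression)
 		mm_init_compression(pmonitor->m_zlib);
 
+	packet_set_postauth();
+
 	if (options.rekey_limit || options.rekey_interval)
 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
 		    (time_t)options.rekey_interval);
@@ -1828,11 +1853,13 @@ mm_get_kex(Buffer *m)
 	    timingsafe_bcmp(kex->session_id, session_id2, session_id2_len) != 0)
 		fatal("mm_get_get: internal error: bad session id");
 	kex->we_need = buffer_get_int(m);
+#ifdef WITH_OPENSSL
 	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
 	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+#endif
 	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
 	kex->server = 1;
 	kex->hostkey_type = buffer_get_int(m);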
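Review bot: The new `signal(SIGXFSZ, SIG_IGN)` added to monitor_child_postauth has no comment, and nothing nearby explains why this one signal is ignored while SIGHUP, SIGTERM and SIGINT get monitor_child_handler. Ignoring SIGXFSZ changes failure behaviour: a write past RLIMIT_FSIZE no longer terminates the process but makes write(2) fail with EFBIG, so every write path in this process has to treat that error return correctly rather than rely on the signal ending things. I would state the rationale above the `#ifdef SIGXFSZ`, e.g. `/* Ignore SIGXFSZ so a write past RLIMIT_FSIZE fails with EFBIG instead of killing the monitor. */`, naming which writes motivated it; that is not visible in the hunk, so confirm before committing the wording. The body of monitor_child_postauth starts before the hunk, so whether a later write checks for EFBIG cannot be seen here.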