Diffstat (limited to 'ssh.c')
-rw-r--r-- | ssh.c | 77 |
1 files changed, 50 insertions, 27 deletions
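--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.346 2010/08/12 21:49:44 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.356 2011/01/06 22:23:53 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -183,9 +183,6 @@ int subsystem_flag = 0;
 /* # of replies received for global requests */
 static int remote_forward_confirms_received = 0;
 
-/* pid of proxycommand child process */
-pid_t proxy_command_pid = 0;
-
 /* mux.c */
 extern int muxserver_sock;
 extern u_int muxclient_command;
@@ -224,7 +221,7 @@ int
 main(int ac, char **av)
 {
 	int i, r, opt, exit_status, use_syslog;
-	char *p, *cp, *line, *argv0, buf[MAXPATHLEN];
+	char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg;
 	struct stat st;
 	struct passwd *pw;
 	int dummy, timeout_ms;
@@ -601,7 +598,7 @@ main(int ac, char **av)
 	if (!host)
 		usage();
 
-	SSLeay_add_all_algorithms();
+	OpenSSL_add_all_algorithms();
 	ERR_load_crypto_strings();
 
 	/* Initialize the command to execute on remote host. */
@@ -696,6 +693,8 @@ main(int ac, char **av)
 		options.port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT;
 	}
 
+	/* preserve host name given on command line for %n expansion */
+	host_arg = host;
 	if (options.hostname != NULL) {
 		host = percent_expand(options.hostname,
 		    "h", host, (char *)NULL);
@@ -710,7 +709,7 @@ main(int ac, char **av)
 		debug3("expanding LocalCommand: %s", options.local_command);
 		cp = options.local_command;
 		options.local_command = percent_expand(cp, "d", pw->pw_dir,
-		    "h", host, "l", thishost, "n", host, "r", options.user,
+		    "h", host, "l", thishost, "n", host_arg, "r", options.user,
 		    "p", buf, "u", pw->pw_name, (char *)NULL);
 		debug3("expanded LocalCommand: %s", options.local_command);
 		xfree(cp);
@@ -782,34 +781,53 @@ main(int ac, char **av)
 	sensitive_data.external_keysign = 0;
 	if (options.rhosts_rsa_authentication ||
 	    options.hostbased_authentication) {
-		sensitive_data.nkeys = 5;
+		sensitive_data.nkeys = 7;
 		sensitive_data.keys = xcalloc(sensitive_data.nkeys,
 		    sizeof(Key));
+		for (i = 0; i < sensitive_data.nkeys; i++)
+			sensitive_data.keys[i] = NULL;
 
 		PRIV_START;
 		sensitive_data.keys[0] = key_load_private_type(KEY_RSA1,
 		    _PATH_HOST_KEY_FILE, "", NULL, NULL);
 		sensitive_data.keys[1] = key_load_private_cert(KEY_DSA,
 		    _PATH_HOST_DSA_KEY_FILE, "", NULL);
-		sensitive_data.keys[2] = key_load_private_cert(KEY_RSA,
+#ifdef OPENSSL_HAS_ECC
+		sensitive_data.keys[2] = key_load_private_cert(KEY_ECDSA,
+		    _PATH_HOST_ECDSA_KEY_FILE, "", NULL);
+#endif
+		sensitive_data.keys[3] = key_load_private_cert(KEY_RSA,
 		    _PATH_HOST_RSA_KEY_FILE, "", NULL);
-		sensitive_data.keys[3] = key_load_private_type(KEY_DSA,
+		sensitive_data.keys[4] = key_load_private_type(KEY_DSA,
 		    _PATH_HOST_DSA_KEY_FILE, "", NULL, NULL);
-		sensitive_data.keys[4] = key_load_private_type(KEY_RSA,
+#ifdef OPENSSL_HAS_ECC
+		sensitive_data.keys[5] = key_load_private_type(KEY_ECDSA,
+		    _PATH_HOST_ECDSA_KEY_FILE, "", NULL, NULL);
+#endif
+		sensitive_data.keys[6] = key_load_private_type(KEY_RSA,
 		    _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL);
 		PRIV_END;
 
 		if (options.hostbased_authentication == 1 &&
 		    sensitive_data.keys[0] == NULL &&
-		    sensitive_data.keys[3] == NULL &&
-		    sensitive_data.keys[4] == NULL) {
+		    sensitive_data.keys[4] == NULL &&
+		    sensitive_data.keys[5] == NULL &&
+		    sensitive_data.keys[6] == NULL) {
 			sensitive_data.keys[1] = key_load_cert(
 			    _PATH_HOST_DSA_KEY_FILE);
+#ifdef OPENSSL_HAS_ECC
 			sensitive_data.keys[2] = key_load_cert(
+			    _PATH_HOST_ECDSA_KEY_FILE);
+#endif
+			sensitive_data.keys[3] = key_load_cert(
 			    _PATH_HOST_RSA_KEY_FILE);
-			sensitive_data.keys[3] = key_load_public(
-			    _PATH_HOST_DSA_KEY_FILE, NULL);
 			sensitive_data.keys[4] = key_load_public(
+			    _PATH_HOST_DSA_KEY_FILE, NULL);
+#ifdef OPENSSL_HAS_ECC
+			sensitive_data.keys[5] = key_load_public(
+			    _PATH_HOST_ECDSA_KEY_FILE, NULL);
+#endif
+			sensitive_data.keys[6] = key_load_public(
 			    _PATH_HOST_RSA_KEY_FILE, NULL);
 			sensitive_data.external_keysign = 1;
 		}
@@ -832,10 +850,19 @@ main(int ac, char **av)
 	 */
 	r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
 	    strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
-	if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0)
+	if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0) {
+#ifdef WITH_SELINUX
+		char *scon;
+
+		matchpathcon(buf, 0700, &scon);
+		setfscreatecon(scon);
+#endif
 		if (mkdir(buf, 0700) < 0)
 			error("Could not create directory '%.200s'.", buf);
-
+#ifdef WITH_SELINUX
+		setfscreatecon(NULL);
+#endif
+	}
 	/* load options.identity_files */
 	load_public_identity_files();
 
@@ -855,7 +882,7 @@ main(int ac, char **av)
 
 	/* Log into the remote system. Never returns if the login fails. */
 	ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr,
-	    pw, timeout_ms);
+	    options.port, pw, timeout_ms);
 
 	if (packet_connection_is_on_socket()) {
 		verbose("Authenticated to %s ([%s]:%d).", host,
@@ -893,12 +920,8 @@ main(int ac, char **av)
 	if (options.control_path != NULL && muxserver_sock != -1)
 		unlink(options.control_path);
 
-	/*
-	 * Send SIGHUP to proxy command if used. We don't wait() in
-	 * case it hangs and instead rely on init to reap the child
-	 */
-	if (proxy_command_pid > 1)
-		kill(proxy_command_pid, SIGHUP);
+	/* Kill ProxyCommand if it is running. */
+	ssh_kill_proxy_command();
 
 	return exit_status;
 }
@@ -930,6 +953,7 @@ control_persist_detach(void)
 	tty_flag = otty_flag;
 	close(muxserver_sock);
 	muxserver_sock = -1;
+	options.control_master = SSHCTL_MASTER_NO;
 	muxclient(options.control_path);
 	/* muxclient() doesn't return on success. */
 	fatal("Failed to connect to new control master");
@@ -1202,7 +1226,8 @@ ssh_session(void)
 		}
 	}
 	/* Tell the packet module whether this is an interactive session. */
-	packet_set_interactive(interactive);
+	packet_set_interactive(interactive,
+	    options.ip_qos_interactive, options.ip_qos_bulk);
 
 	/* Request authentication agent forwarding if appropriate. */
 	check_agent_present();
@@ -1300,8 +1325,6 @@ ssh_session2_setup(int id, int success, void *arg)
 
 	client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"),
 	    NULL, fileno(stdin), &command, environ);
-
-	packet_set_interactive(interactive);
 }
 
 /* open new channel for a session */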
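Review bot: In the WITH_SELINUX branch of the ~/.ssh-creation hunk (new lines 854-859), the return value of `matchpathcon()` is ignored, so if the lookup fails `scon` is passed to `setfscreatecon()` uninitialized, and on success the returned context string is never released. Gating the call on its result covers both: `char *scon = NULL;` followed by `if (matchpathcon(buf, 0700, &scon) == 0) { setfscreatecon(scon); freecon(scon); }`, and a `debug()` when `setfscreatecon()` returns -1 would make a mislabelled directory diagnosable rather than silent. The enclosing main() begins and ends outside this hunk. As a minor style point in the host-key hunk, the new `for` loop that sets every `sensitive_data.keys[i]` to NULL immediately after `xcalloc()` is presumably redundant if xcalloc zero-fills like calloc; if it is meant as a guard, a one-line comment saying why would help the next reader.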