summaryrefslogtreecommitdiff
path: root/sshd.c
diff options
context:
space:
mode:
Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c218
1 files changed, 141 insertions, 77 deletions
diff --git a/sshd.c b/sshd.c
index 51a1aaf6e..fd95b681b 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshd.c,v 1.492 2017/09/12 06:32:07 djm Exp $ */ 1/* $OpenBSD: sshd.c,v 1.506 2018/03/03 03:15:51 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -119,6 +119,7 @@
119#endif 119#endif
120#include "monitor_wrap.h" 120#include "monitor_wrap.h"
121#include "ssh-sandbox.h" 121#include "ssh-sandbox.h"
122#include "auth-options.h"
122#include "version.h" 123#include "version.h"
123#include "ssherr.h" 124#include "ssherr.h"
124 125
@@ -144,7 +145,12 @@ char *config_file_name = _PATH_SERVER_CONFIG_FILE;
144 */ 145 */
145int debug_flag = 0; 146int debug_flag = 0;
146 147
147/* Flag indicating that the daemon should only test the configuration and keys. */ 148/*
149 * Indicating that the daemon should only test the configuration and keys.
150 * If test_flag > 1 ("-T" flag), then sshd will also dump the effective
151 * configuration, optionally using connection information provided by the
152 * "-C" flag.
153 */
148int test_flag = 0; 154int test_flag = 0;
149 155
150/* Flag indicating that the daemon is being started from inetd. */ 156/* Flag indicating that the daemon is being started from inetd. */
@@ -227,6 +233,9 @@ static int privsep_chroot = 1;
227/* global authentication context */ 233/* global authentication context */
228Authctxt *the_authctxt = NULL; 234Authctxt *the_authctxt = NULL;
229 235
236/* global key/cert auth options. XXX move to permanent ssh->authctxt? */
237struct sshauthopt *auth_opts = NULL;
238
230/* sshd_config buffer */ 239/* sshd_config buffer */
231Buffer cfg; 240Buffer cfg;
232 241
@@ -278,7 +287,6 @@ sighup_handler(int sig)
278 int save_errno = errno; 287 int save_errno = errno;
279 288
280 received_sighup = 1; 289 received_sighup = 1;
281 signal(SIGHUP, sighup_handler);
282 errno = save_errno; 290 errno = save_errno;
283} 291}
284 292
@@ -328,8 +336,6 @@ main_sigchld_handler(int sig)
328 while ((pid = waitpid(-1, &status, WNOHANG)) > 0 || 336 while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
329 (pid < 0 && errno == EINTR)) 337 (pid < 0 && errno == EINTR))
330 ; 338 ;
331
332 signal(SIGCHLD, main_sigchld_handler);
333 errno = save_errno; 339 errno = save_errno;
334} 340}
335 341
@@ -441,16 +447,12 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
441 logit("Client version \"%.100s\" uses unsafe RSA signature " 447 logit("Client version \"%.100s\" uses unsafe RSA signature "
442 "scheme; disabling use of RSA keys", remote_version); 448 "scheme; disabling use of RSA keys", remote_version);
443 } 449 }
444 if ((ssh->compat & SSH_BUG_DERIVEKEY) != 0) {
445 fatal("Client version \"%.100s\" uses unsafe key agreement; "
446 "refusing connection", remote_version);
447 }
448 450
449 chop(server_version_string); 451 chop(server_version_string);
450 debug("Local version string %.200s", server_version_string); 452 debug("Local version string %.200s", server_version_string);
451 453
452 if (remote_major != 2 || 454 if (remote_major != 2 &&
453 (remote_major == 1 && remote_minor != 99)) { 455 !(remote_major == 1 && remote_minor == 99)) {
454 s = "Protocol major versions differ.\n"; 456 s = "Protocol major versions differ.\n";
455 (void) atomicio(vwrite, sock_out, s, strlen(s)); 457 (void) atomicio(vwrite, sock_out, s, strlen(s));
456 close(sock_in); 458 close(sock_in);
@@ -467,7 +469,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
467void 469void
468destroy_sensitive_data(void) 470destroy_sensitive_data(void)
469{ 471{
470 int i; 472 u_int i;
471 473
472 for (i = 0; i < options.num_host_key_files; i++) { 474 for (i = 0; i < options.num_host_key_files; i++) {
473 if (sensitive_data.host_keys[i]) { 475 if (sensitive_data.host_keys[i]) {
@@ -486,7 +488,7 @@ void
486demote_sensitive_data(void) 488demote_sensitive_data(void)
487{ 489{
488 struct sshkey *tmp; 490 struct sshkey *tmp;
489 int i; 491 u_int i;
490 492
491 for (i = 0; i < options.num_host_key_files; i++) { 493 for (i = 0; i < options.num_host_key_files; i++) {
492 if (sensitive_data.host_keys[i]) { 494 if (sensitive_data.host_keys[i]) {
@@ -685,7 +687,7 @@ list_hostkey_types(void)
685 Buffer b; 687 Buffer b;
686 const char *p; 688 const char *p;
687 char *ret; 689 char *ret;
688 int i; 690 u_int i;
689 struct sshkey *key; 691 struct sshkey *key;
690 692
691 buffer_init(&b); 693 buffer_init(&b);
@@ -707,6 +709,7 @@ list_hostkey_types(void)
707 case KEY_DSA: 709 case KEY_DSA:
708 case KEY_ECDSA: 710 case KEY_ECDSA:
709 case KEY_ED25519: 711 case KEY_ED25519:
712 case KEY_XMSS:
710 if (buffer_len(&b) > 0) 713 if (buffer_len(&b) > 0)
711 buffer_append(&b, ",", 1); 714 buffer_append(&b, ",", 1);
712 p = key_ssh_name(key); 715 p = key_ssh_name(key);
@@ -728,6 +731,7 @@ list_hostkey_types(void)
728 case KEY_DSA_CERT: 731 case KEY_DSA_CERT:
729 case KEY_ECDSA_CERT: 732 case KEY_ECDSA_CERT:
730 case KEY_ED25519_CERT: 733 case KEY_ED25519_CERT:
734 case KEY_XMSS_CERT:
731 if (buffer_len(&b) > 0) 735 if (buffer_len(&b) > 0)
732 buffer_append(&b, ",", 1); 736 buffer_append(&b, ",", 1);
733 p = key_ssh_name(key); 737 p = key_ssh_name(key);
@@ -745,7 +749,7 @@ list_hostkey_types(void)
745static struct sshkey * 749static struct sshkey *
746get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh) 750get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh)
747{ 751{
748 int i; 752 u_int i;
749 struct sshkey *key; 753 struct sshkey *key;
750 754
751 for (i = 0; i < options.num_host_key_files; i++) { 755 for (i = 0; i < options.num_host_key_files; i++) {
@@ -754,6 +758,7 @@ get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh)
754 case KEY_DSA_CERT: 758 case KEY_DSA_CERT:
755 case KEY_ECDSA_CERT: 759 case KEY_ECDSA_CERT:
756 case KEY_ED25519_CERT: 760 case KEY_ED25519_CERT:
761 case KEY_XMSS_CERT:
757 key = sensitive_data.host_certificates[i]; 762 key = sensitive_data.host_certificates[i];
758 break; 763 break;
759 default: 764 default:
@@ -785,7 +790,7 @@ get_hostkey_private_by_type(int type, int nid, struct ssh *ssh)
785struct sshkey * 790struct sshkey *
786get_hostkey_by_index(int ind) 791get_hostkey_by_index(int ind)
787{ 792{
788 if (ind < 0 || ind >= options.num_host_key_files) 793 if (ind < 0 || (u_int)ind >= options.num_host_key_files)
789 return (NULL); 794 return (NULL);
790 return (sensitive_data.host_keys[ind]); 795 return (sensitive_data.host_keys[ind]);
791} 796}
@@ -793,7 +798,7 @@ get_hostkey_by_index(int ind)
793struct sshkey * 798struct sshkey *
794get_hostkey_public_by_index(int ind, struct ssh *ssh) 799get_hostkey_public_by_index(int ind, struct ssh *ssh)
795{ 800{
796 if (ind < 0 || ind >= options.num_host_key_files) 801 if (ind < 0 || (u_int)ind >= options.num_host_key_files)
797 return (NULL); 802 return (NULL);
798 return (sensitive_data.host_pubkeys[ind]); 803 return (sensitive_data.host_pubkeys[ind]);
799} 804}
@@ -801,7 +806,7 @@ get_hostkey_public_by_index(int ind, struct ssh *ssh)
801int 806int
802get_hostkey_index(struct sshkey *key, int compare, struct ssh *ssh) 807get_hostkey_index(struct sshkey *key, int compare, struct ssh *ssh)
803{ 808{
804 int i; 809 u_int i;
805 810
806 for (i = 0; i < options.num_host_key_files; i++) { 811 for (i = 0; i < options.num_host_key_files; i++) {
807 if (key_is_cert(key)) { 812 if (key_is_cert(key)) {
@@ -830,7 +835,8 @@ notify_hostkeys(struct ssh *ssh)
830{ 835{
831 struct sshbuf *buf; 836 struct sshbuf *buf;
832 struct sshkey *key; 837 struct sshkey *key;
833 int i, nkeys, r; 838 u_int i, nkeys;
839 int r;
834 char *fp; 840 char *fp;
835 841
836 /* Some clients cannot cope with the hostkeys message, skip those. */ 842 /* Some clients cannot cope with the hostkeys message, skip those. */
@@ -861,7 +867,7 @@ notify_hostkeys(struct ssh *ssh)
861 packet_put_string(sshbuf_ptr(buf), sshbuf_len(buf)); 867 packet_put_string(sshbuf_ptr(buf), sshbuf_len(buf));
862 nkeys++; 868 nkeys++;
863 } 869 }
864 debug3("%s: sent %d hostkeys", __func__, nkeys); 870 debug3("%s: sent %u hostkeys", __func__, nkeys);
865 if (nkeys == 0) 871 if (nkeys == 0)
866 fatal("%s: no hostkeys", __func__); 872 fatal("%s: no hostkeys", __func__);
867 packet_send(); 873 packet_send();
@@ -1014,13 +1020,13 @@ server_accept_inetd(int *sock_in, int *sock_out)
1014 * Listen for TCP connections 1020 * Listen for TCP connections
1015 */ 1021 */
1016static void 1022static void
1017server_listen(void) 1023listen_on_addrs(struct listenaddr *la)
1018{ 1024{
1019 int ret, listen_sock, on = 1; 1025 int ret, listen_sock;
1020 struct addrinfo *ai; 1026 struct addrinfo *ai;
1021 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 1027 char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1022 1028
1023 for (ai = options.listen_addrs; ai; ai = ai->ai_next) { 1029 for (ai = la->addrs; ai; ai = ai->ai_next) {
1024 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 1030 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1025 continue; 1031 continue;
1026 if (num_listen_socks >= MAX_LISTEN_SOCKS) 1032 if (num_listen_socks >= MAX_LISTEN_SOCKS)
@@ -1050,13 +1056,13 @@ server_listen(void)
1050 close(listen_sock); 1056 close(listen_sock);
1051 continue; 1057 continue;
1052 } 1058 }
1053 /* 1059 /* Socket options */
1054 * Set socket options. 1060 set_reuseaddr(listen_sock);
1055 * Allow local port reuse in TIME_WAIT. 1061 if (la->rdomain != NULL &&
1056 */ 1062 set_rdomain(listen_sock, la->rdomain) == -1) {
1057 if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR, 1063 close(listen_sock);
1058 &on, sizeof(on)) == -1) 1064 continue;
1059 error("setsockopt SO_REUSEADDR: %s", strerror(errno)); 1065 }
1060 1066
1061 /* Only communicate in IPv6 over AF_INET6 sockets. */ 1067 /* Only communicate in IPv6 over AF_INET6 sockets. */
1062 if (ai->ai_family == AF_INET6) 1068 if (ai->ai_family == AF_INET6)
@@ -1078,9 +1084,28 @@ server_listen(void)
1078 if (listen(listen_sock, SSH_LISTEN_BACKLOG) < 0) 1084 if (listen(listen_sock, SSH_LISTEN_BACKLOG) < 0)
1079 fatal("listen on [%s]:%s: %.100s", 1085 fatal("listen on [%s]:%s: %.100s",
1080 ntop, strport, strerror(errno)); 1086 ntop, strport, strerror(errno));
1081 logit("Server listening on %s port %s.", ntop, strport); 1087 logit("Server listening on %s port %s%s%s.",
1088 ntop, strport,
1089 la->rdomain == NULL ? "" : " rdomain ",
1090 la->rdomain == NULL ? "" : la->rdomain);
1091 }
1092}
1093
1094static void
1095server_listen(void)
1096{
1097 u_int i;
1098
1099 for (i = 0; i < options.num_listen_addrs; i++) {
1100 listen_on_addrs(&options.listen_addrs[i]);
1101 freeaddrinfo(options.listen_addrs[i].addrs);
1102 free(options.listen_addrs[i].rdomain);
1103 memset(&options.listen_addrs[i], 0,
1104 sizeof(options.listen_addrs[i]));
1082 } 1105 }
1083 freeaddrinfo(options.listen_addrs); 1106 free(options.listen_addrs);
1107 options.listen_addrs = NULL;
1108 options.num_listen_addrs = 0;
1084 1109
1085 if (!num_listen_socks) 1110 if (!num_listen_socks)
1086 fatal("Cannot bind any address."); 1111 fatal("Cannot bind any address.");
@@ -1348,6 +1373,46 @@ check_ip_options(struct ssh *ssh)
1348#endif /* IP_OPTIONS */ 1373#endif /* IP_OPTIONS */
1349} 1374}
1350 1375
1376/* Set the routing domain for this process */
1377static void
1378set_process_rdomain(struct ssh *ssh, const char *name)
1379{
1380#if defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
1381 if (name == NULL)
1382 return; /* default */
1383
1384 if (strcmp(name, "%D") == 0) {
1385 /* "expands" to routing domain of connection */
1386 if ((name = ssh_packet_rdomain_in(ssh)) == NULL)
1387 return;
1388 }
1389 /* NB. We don't pass 'ssh' to sys_set_process_rdomain() */
1390 return sys_set_process_rdomain(name);
1391#elif defined(__OpenBSD__)
1392 int rtable, ortable = getrtable();
1393 const char *errstr;
1394
1395 if (name == NULL)
1396 return; /* default */
1397
1398 if (strcmp(name, "%D") == 0) {
1399 /* "expands" to routing domain of connection */
1400 if ((name = ssh_packet_rdomain_in(ssh)) == NULL)
1401 return;
1402 }
1403
1404 rtable = (int)strtonum(name, 0, 255, &errstr);
1405 if (errstr != NULL) /* Shouldn't happen */
1406 fatal("Invalid routing domain \"%s\": %s", name, errstr);
1407 if (rtable != ortable && setrtable(rtable) != 0)
1408 fatal("Unable to set routing domain %d: %s",
1409 rtable, strerror(errno));
1410 debug("%s: set routing domain %d (was %d)", __func__, rtable, ortable);
1411#else /* defined(__OpenBSD__) */
1412 fatal("Unable to set routing domain: not supported in this platform");
1413#endif
1414}
1415
1351/* 1416/*
1352 * Main program for the daemon. 1417 * Main program for the daemon.
1353 */ 1418 */
@@ -1357,20 +1422,19 @@ main(int ac, char **av)
1357 struct ssh *ssh = NULL; 1422 struct ssh *ssh = NULL;
1358 extern char *optarg; 1423 extern char *optarg;
1359 extern int optind; 1424 extern int optind;
1360 int r, opt, i, j, on = 1, already_daemon; 1425 int r, opt, on = 1, already_daemon, remote_port;
1361 int sock_in = -1, sock_out = -1, newsock = -1; 1426 int sock_in = -1, sock_out = -1, newsock = -1;
1362 const char *remote_ip; 1427 const char *remote_ip, *rdomain;
1363 int remote_port;
1364 char *fp, *line, *laddr, *logfile = NULL; 1428 char *fp, *line, *laddr, *logfile = NULL;
1365 int config_s[2] = { -1 , -1 }; 1429 int config_s[2] = { -1 , -1 };
1366 u_int n; 1430 u_int i, j;
1367 u_int64_t ibytes, obytes; 1431 u_int64_t ibytes, obytes;
1368 mode_t new_umask; 1432 mode_t new_umask;
1369 struct sshkey *key; 1433 struct sshkey *key;
1370 struct sshkey *pubkey; 1434 struct sshkey *pubkey;
1371 int keytype; 1435 int keytype;
1372 Authctxt *authctxt; 1436 Authctxt *authctxt;
1373 struct connection_info *connection_info = get_connection_info(0, 0); 1437 struct connection_info *connection_info = NULL;
1374 1438
1375 ssh_malloc_init(); /* must be called before any mallocs */ 1439 ssh_malloc_init(); /* must be called before any mallocs */
1376 1440
@@ -1383,7 +1447,7 @@ main(int ac, char **av)
1383 saved_argc = ac; 1447 saved_argc = ac;
1384 rexec_argc = ac; 1448 rexec_argc = ac;
1385 saved_argv = xcalloc(ac + 1, sizeof(*saved_argv)); 1449 saved_argv = xcalloc(ac + 1, sizeof(*saved_argv));
1386 for (i = 0; i < ac; i++) 1450 for (i = 0; (int)i < ac; i++)
1387 saved_argv[i] = xstrdup(av[i]); 1451 saved_argv[i] = xstrdup(av[i]);
1388 saved_argv[i] = NULL; 1452 saved_argv[i] = NULL;
1389 1453
@@ -1416,12 +1480,8 @@ main(int ac, char **av)
1416 config_file_name = optarg; 1480 config_file_name = optarg;
1417 break; 1481 break;
1418 case 'c': 1482 case 'c':
1419 if (options.num_host_cert_files >= MAX_HOSTCERTS) { 1483 servconf_add_hostcert("[command-line]", 0,
1420 fprintf(stderr, "too many host certificates.\n"); 1484 &options, optarg);
1421 exit(1);
1422 }
1423 options.host_cert_files[options.num_host_cert_files++] =
1424 derelativise_path(optarg);
1425 break; 1485 break;
1426 case 'd': 1486 case 'd':
1427 if (debug_flag == 0) { 1487 if (debug_flag == 0) {
@@ -1480,12 +1540,8 @@ main(int ac, char **av)
1480 /* protocol 1, ignored */ 1540 /* protocol 1, ignored */
1481 break; 1541 break;
1482 case 'h': 1542 case 'h':
1483 if (options.num_host_key_files >= MAX_HOSTKEYS) { 1543 servconf_add_hostkey("[command-line]", 0,
1484 fprintf(stderr, "too many host keys.\n"); 1544 &options, optarg);
1485 exit(1);
1486 }
1487 options.host_key_files[options.num_host_key_files++] =
1488 derelativise_path(optarg);
1489 break; 1545 break;
1490 case 't': 1546 case 't':
1491 test_flag = 1; 1547 test_flag = 1;
@@ -1494,6 +1550,7 @@ main(int ac, char **av)
1494 test_flag = 2; 1550 test_flag = 2;
1495 break; 1551 break;
1496 case 'C': 1552 case 'C':
1553 connection_info = get_connection_info(0, 0);
1497 if (parse_server_match_testspec(connection_info, 1554 if (parse_server_match_testspec(connection_info,
1498 optarg) == -1) 1555 optarg) == -1)
1499 exit(1); 1556 exit(1);
@@ -1552,24 +1609,13 @@ main(int ac, char **av)
1552 if (getenv("KRB5CCNAME") != NULL) 1609 if (getenv("KRB5CCNAME") != NULL)
1553 (void) unsetenv("KRB5CCNAME"); 1610 (void) unsetenv("KRB5CCNAME");
1554 1611
1555#ifdef _UNICOS
1556 /* Cray can define user privs drop all privs now!
1557 * Not needed on PRIV_SU systems!
1558 */
1559 drop_cray_privs();
1560#endif
1561
1562 sensitive_data.have_ssh2_key = 0; 1612 sensitive_data.have_ssh2_key = 0;
1563 1613
1564 /* 1614 /*
1565 * If we're doing an extended config test, make sure we have all of 1615 * If we're not doing an extended test do not silently ignore connection
1566 * the parameters we need. If we're not doing an extended test, 1616 * test params.
1567 * do not silently ignore connection test params.
1568 */ 1617 */
1569 if (test_flag >= 2 && server_match_spec_complete(connection_info) == 0) 1618 if (test_flag < 2 && connection_info != NULL)
1570 fatal("user, host and addr are all required when testing "
1571 "Match configs");
1572 if (test_flag < 2 && server_match_spec_complete(connection_info) >= 0)
1573 fatal("Config test connection parameter (-C) provided without " 1619 fatal("Config test connection parameter (-C) provided without "
1574 "test mode (-T)"); 1620 "test mode (-T)");
1575 1621
@@ -1611,12 +1657,12 @@ main(int ac, char **av)
1611 * and warns for trivial misconfigurations that could break login. 1657 * and warns for trivial misconfigurations that could break login.
1612 */ 1658 */
1613 if (options.num_auth_methods != 0) { 1659 if (options.num_auth_methods != 0) {
1614 for (n = 0; n < options.num_auth_methods; n++) { 1660 for (i = 0; i < options.num_auth_methods; i++) {
1615 if (auth2_methods_valid(options.auth_methods[n], 1661 if (auth2_methods_valid(options.auth_methods[i],
1616 1) == 0) 1662 1) == 0)
1617 break; 1663 break;
1618 } 1664 }
1619 if (n >= options.num_auth_methods) 1665 if (i >= options.num_auth_methods)
1620 fatal("AuthenticationMethods cannot be satisfied by " 1666 fatal("AuthenticationMethods cannot be satisfied by "
1621 "enabled authentication methods"); 1667 "enabled authentication methods");
1622 } 1668 }
@@ -1642,10 +1688,8 @@ main(int ac, char **av)
1642 fatal("Privilege separation user %s does not exist", 1688 fatal("Privilege separation user %s does not exist",
1643 SSH_PRIVSEP_USER); 1689 SSH_PRIVSEP_USER);
1644 } else { 1690 } else {
1645 explicit_bzero(privsep_pw->pw_passwd,
1646 strlen(privsep_pw->pw_passwd));
1647 privsep_pw = pwcopy(privsep_pw); 1691 privsep_pw = pwcopy(privsep_pw);
1648 free(privsep_pw->pw_passwd); 1692 freezero(privsep_pw->pw_passwd, strlen(privsep_pw->pw_passwd));
1649 privsep_pw->pw_passwd = xstrdup("*"); 1693 privsep_pw->pw_passwd = xstrdup("*");
1650 } 1694 }
1651 endpwent(); 1695 endpwent();
@@ -1697,6 +1741,7 @@ main(int ac, char **av)
1697 case KEY_DSA: 1741 case KEY_DSA:
1698 case KEY_ECDSA: 1742 case KEY_ECDSA:
1699 case KEY_ED25519: 1743 case KEY_ED25519:
1744 case KEY_XMSS:
1700 if (have_agent || key != NULL) 1745 if (have_agent || key != NULL)
1701 sensitive_data.have_ssh2_key = 1; 1746 sensitive_data.have_ssh2_key = 1;
1702 break; 1747 break;
@@ -1752,7 +1797,7 @@ main(int ac, char **av)
1752 continue; 1797 continue;
1753 } 1798 }
1754 sensitive_data.host_certificates[j] = key; 1799 sensitive_data.host_certificates[j] = key;
1755 debug("host certificate: #%d type %d %s", j, key->type, 1800 debug("host certificate: #%u type %d %s", j, key->type,
1756 key_type(key)); 1801 key_type(key));
1757 } 1802 }
1758 1803
@@ -1776,8 +1821,13 @@ main(int ac, char **av)
1776 } 1821 }
1777 1822
1778 if (test_flag > 1) { 1823 if (test_flag > 1) {
1779 if (server_match_spec_complete(connection_info) == 1) 1824 /*
1780 parse_server_match_config(&options, connection_info); 1825 * If no connection info was provided by -C then use
1826 * use a blank one that will cause no predicate to match.
1827 */
1828 if (connection_info == NULL)
1829 connection_info = get_connection_info(0, 0);
1830 parse_server_match_config(&options, connection_info);
1781 dump_config(&options); 1831 dump_config(&options);
1782 } 1832 }
1783 1833
@@ -1796,8 +1846,10 @@ main(int ac, char **av)
1796 debug("setgroups() failed: %.200s", strerror(errno)); 1846 debug("setgroups() failed: %.200s", strerror(errno));
1797 1847
1798 if (rexec_flag) { 1848 if (rexec_flag) {
1849 if (rexec_argc < 0)
1850 fatal("rexec_argc %d < 0", rexec_argc);
1799 rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *)); 1851 rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
1800 for (i = 0; i < rexec_argc; i++) { 1852 for (i = 0; i < (u_int)rexec_argc; i++) {
1801 debug("rexec_argv[%d]='%s'", i, saved_argv[i]); 1853 debug("rexec_argv[%d]='%s'", i, saved_argv[i]);
1802 rexec_argv[i] = saved_argv[i]; 1854 rexec_argv[i] = saved_argv[i];
1803 } 1855 }
@@ -1970,6 +2022,9 @@ main(int ac, char **av)
1970 cleanup_exit(255); 2022 cleanup_exit(255);
1971 } 2023 }
1972 2024
2025 if (options.routing_domain != NULL)
2026 set_process_rdomain(ssh, options.routing_domain);
2027
1973 /* 2028 /*
1974 * The rest of the code depends on the fact that 2029 * The rest of the code depends on the fact that
1975 * ssh_remote_ipaddr() caches the remote ip, even if 2030 * ssh_remote_ipaddr() caches the remote ip, even if
@@ -1981,10 +2036,15 @@ main(int ac, char **av)
1981 audit_connection_from(remote_ip, remote_port); 2036 audit_connection_from(remote_ip, remote_port);
1982#endif 2037#endif
1983 2038
2039 rdomain = ssh_packet_rdomain_in(ssh);
2040
1984 /* Log the connection. */ 2041 /* Log the connection. */
1985 laddr = get_local_ipaddr(sock_in); 2042 laddr = get_local_ipaddr(sock_in);
1986 verbose("Connection from %s port %d on %s port %d", 2043 verbose("Connection from %s port %d on %s port %d%s%s%s",
1987 remote_ip, remote_port, laddr, ssh_local_port(ssh)); 2044 remote_ip, remote_port, laddr, ssh_local_port(ssh),
2045 rdomain == NULL ? "" : " rdomain \"",
2046 rdomain == NULL ? "" : rdomain,
2047 rdomain == NULL ? "" : "\"");
1988 free(laddr); 2048 free(laddr);
1989 2049
1990 /* 2050 /*
@@ -2010,6 +2070,10 @@ main(int ac, char **av)
2010 /* XXX global for cleanup, access from other modules */ 2070 /* XXX global for cleanup, access from other modules */
2011 the_authctxt = authctxt; 2071 the_authctxt = authctxt;
2012 2072
2073 /* Set default key authentication options */
2074 if ((auth_opts = sshauthopt_new_with_keys_defaults()) == NULL)
2075 fatal("allocation failed");
2076
2013 /* prepare buffer to collect messages to display to user after login */ 2077 /* prepare buffer to collect messages to display to user after login */
2014 buffer_init(&loginmsg); 2078 buffer_init(&loginmsg);
2015 auth_debug_reset(); 2079 auth_debug_reset();
@@ -2066,7 +2130,7 @@ main(int ac, char **av)
2066#ifdef USE_PAM 2130#ifdef USE_PAM
2067 if (options.use_pam) { 2131 if (options.use_pam) {
2068 do_pam_setcred(1); 2132 do_pam_setcred(1);
2069 do_pam_session(); 2133 do_pam_session(ssh);
2070 } 2134 }
2071#endif 2135#endif
2072 2136
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-07 23:37:17 +0000