/* lshd.c
 *
 * main server program.
 *
 * $Id$ */

/* lsh, an implementation of the ssh protocol
 *
 * Copyright (C) 1998 Niels Möller
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

#include "algorithms.h"
#include "alist.h"
#include "atoms.h"
#include "channel.h"
#include "channel_commands.h"
#include "charset.h"
#include "compress.h"
#include "connection_commands.h"
#include "crypto.h"
#include "daemon.h"
#include "format.h"
#include "handshake.h"
#include "io.h"
#include "io_commands.h"
#include "lookup_verifier.h"
#include "randomness.h"
#include "reaper.h"
#include "server.h"
#include "server_authorization.h"
#include "server_keyexchange.h"
#include "server_pty.h"
#include "server_session.h"
#include "spki.h"
#include "srp.h"
#include "ssh.h"
#include "tcpforward.h"
#include "tcpforward_commands.h"
#include "tcpforward_commands.h"
#include "server_userauth.h"
#include "version.h"
#include "werror.h"
#include "xalloc.h"

#include "lsh_argp.h"

/* Forward declarations */
struct command options2local;
#define OPTIONS2LOCAL (&options2local.super)

struct command options2keys;
#define OPTIONS2KEYS (&options2keys.super)

struct command options2tcp_wrapper;
#define OPTIONS2TCP_WRAPPER (&options2tcp_wrapper.super)

struct command_2 close_on_sighup;
#define CLOSE_ON_SIGHUP (&close_on_sighup.super.super)

#include "lshd.c.x"

#include <assert.h>

#include <errno.h>
#include <locale.h>
#include <stdio.h>
/* #include <string.h> */

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#if TIME_WITH_SYS_TIME && HAVE_SYS_TIME_H
#include <sys/time.h>
#endif
#if HAVE_SYS_RESOURCE_H
#include <sys/resource.h>
#endif
#if HAVE_UNISTD_H
#include <unistd.h>
#endif


/* Option parsing */

/* Printed by argp for --version: program version plus the secsh
 * protocol version string this server advertises. */
const char *argp_program_version
= "lshd-" VERSION ", secsh protocol version " SERVER_PROTOCOL_VERSION;

/* Printed by argp at the end of --help output. */
const char *argp_program_bug_address = BUG_ADDRESS;

/* The definition of SBINDIR is currently broken */
#if 0
# define KERBEROS_HELPER SBINDIR "/lsh-krb-checkpw"
#else
# define KERBEROS_HELPER PREFIX "/sbin/lsh-krb-checkpw"
#endif

#define OPT_NO 0x400
#define OPT_SSH1_FALLBACK 0x200
#define OPT_INTERFACE 0x201

#define OPT_TCPIP_FORWARD 0x202
#define OPT_NO_TCPIP_FORWARD (OPT_TCPIP_FORWARD | OPT_NO)
#define OPT_PTY 0x203
#define OPT_NO_PTY (OPT_PTY | OPT_NO)
#define OPT_SUBSYSTEMS 0x204
#define OPT_NO_SUBSYSTEMS (OPT_SUBSYSTEMS | OPT_NO)

#define OPT_DAEMONIC 0x205
#define OPT_NO_DAEMONIC (OPT_DAEMONIC | OPT_NO)
#define OPT_PIDFILE 0x206
#define OPT_NO_PIDFILE (OPT_PIDFILE | OPT_NO)
#define OPT_CORE 0x207
#define OPT_SYSLOG 0x208
#define OPT_NO_SYSLOG (OPT_SYSLOG | OPT_NO)
#define OPT_X11_FORWARD 0x209
#define OPT_NO_X11_FORWARD (OPT_X11_FORWARD |OPT_NO)

#define OPT_SRP 0x210
#define OPT_NO_SRP (OPT_SRP | OPT_NO)
#define OPT_DH 0x211
#define OPT_NO_DH (OPT_DH | OPT_NO)

#define OPT_PUBLICKEY 0x220
#define OPT_NO_PUBLICKEY (OPT_PUBLICKEY | OPT_NO)
#define OPT_PASSWORD 0x221
#define OPT_NO_PASSWORD (OPT_PASSWORD | OPT_NO)

#define OPT_ROOT_LOGIN 0x222
#define OPT_NO_ROOT_LOGIN (OPT_ROOT_LOGIN | OPT_NO)

#define OPT_KERBEROS_PASSWD 0x223
#define OPT_NO_KERBEROS_PASSWD (OPT_KERBEROS_PASSWD | OPT_NO)

#define OPT_PASSWORD_HELPER 0x224

#define OPT_LOGIN_SHELL 0x225

#define OPT_TCPWRAPPERS 0x226
#define OPT_NO_TCPWRAPPERS 0x227

#define OPT_TCPWRAP_GOAWAY_MSG 0x228

/* GABA:
   (class
     (name lshd_options)
     (super algorithms_options)
     (vars
       (e object exception_handler)
       
       (reaper object reaper)
       (random object randomness)
       
       (signature_algorithms object alist)
       (interface . "char *")
       (port . "char *")
       (hostkey . "char *")
       (local object address_info)
       (tcp_wrapper_name . "char *")
       (tcp_wrapper_message . "char *")

       (with_srp_keyexchange . int)
       (with_dh_keyexchange . int)

       ;; (kexinit object make_kexinit)
       (kex_algorithms object int_list)
       
       (with_publickey . int)
       (with_password . int)
       (allow_root . int)
       (pw_helper . "const char *")
       (login_shell . "const char *")
       
       (with_tcpip_forward . int)
       (with_x11_forward . int)
       (with_pty . int)
       (subsystems . "const char **")
       
       (userauth_methods object int_list)
       (userauth_algorithms object alist)
       
       (sshd1 object ssh1_fallback)
       (daemonic . int)
       (no_syslog . int)
       (corefile . int)
       (pid_file . "const char *")
       ; -1 means use pid file iff we're in daemonic mode
       (use_pid_file . int)
       ; Resources that should be killed when SIGHUP is received,
       ; or when the program exits.
       (resources object resource_list)))
*/

/* Top-level exception handler for lshd, installed in front of the
 * default handler. A failed name lookup or a randomness source that
 * reports low entropy is fatal at this level: the message is logged
 * and the process exits. Every other exception is passed on to the
 * parent handler untouched. */
static void
do_exc_lshd_handler(struct exception_handler *s,
		    const struct exception *e)
{
  int fatal_here = (e->type == EXC_RESOLVE
		    || e->type == EXC_RANDOMNESS_LOW_ENTROPY);

  if (!fatal_here)
    {
      EXCEPTION_RAISE(s->parent, e);
      return;
    }

  werror("lshd: %z\n", e->msg);
  exit(EXIT_FAILURE);
}

/* Wraps do_exc_lshd_handler around PARENT. CONTEXT is passed straight
 * through to make_exception_handler. */
static struct exception_handler *
make_lshd_exception_handler(struct exception_handler *parent,
			    const char *context)
{
  struct exception_handler *handler
    = make_exception_handler(do_exc_lshd_handler, parent, context);

  return handler;
}

/* Allocates the option block and fills every field with its
 * compiled-in default. argp overrides individual fields afterwards,
 * and ARGP_KEY_END in main_argp_parser derives the remaining ones
 * (listening address, method lists). */
static struct lshd_options *
make_lshd_options(void)
{
  NEW(lshd_options, self);

  /* Algorithm selection shared with the client side. */
  init_algorithms_options(&self->super, all_symmetric_algorithms());

  /* Runtime objects. */
  self->e = make_lshd_exception_handler(&default_exception_handler,
					HANDLER_CONTEXT);
  self->reaper = make_reaper();
  self->random = make_system_random();
  /* A NULL random object is accepted here; main() refuses to run
   * without one after the options have been parsed. */
  self->signature_algorithms = all_signature_algorithms(self->random);

  /* Where to listen. A NULL port means "look up the ssh service and
   * fall back to port 22", resolved at ARGP_KEY_END. */
  self->interface = NULL;
  self->port = NULL;
  self->local = NULL;

  /* FIXME: this should perhaps use sysconfdir */
  self->hostkey = "/etc/lsh_host_key";

  /* Key exchange: DH on, SRP off. */
  self->with_dh_keyexchange = 1;
  self->with_srp_keyexchange = 0;
  self->kex_algorithms = NULL;

  /* User authentication. */
  self->with_publickey = 1;
  self->with_password = 1;
  self->allow_root = 0;
  self->pw_helper = NULL;
  self->login_shell = NULL;
  self->userauth_methods = NULL;
  self->userauth_algorithms = NULL;

  /* Services offered on session channels. X11 forwarding is
   * experimental and therefore off unless asked for. */
  self->with_tcpip_forward = 1;
  self->with_x11_forward = 0;
  self->with_pty = 1;
  self->subsystems = NULL;

  /* tcp wrappers: consult the wrappers configuration under the
   * service name "lshd", with no go-away message. */
  self->tcp_wrapper_name = "lshd";
  self->tcp_wrapper_message = NULL;

  /* Daemon behaviour. use_pid_file == -1 means "same as daemonic",
   * decided once all options are known. */
  self->sshd1 = NULL;
  self->daemonic = 0;
  self->no_syslog = 0;
  /* FIXME: Make the default a configure time option? */
  self->pid_file = "/var/run/lshd.pid";
  self->use_pid_file = -1;
  self->corefile = 0;

  self->resources = make_resource_list();
  /* Not strictly needed for gc, but makes sure the
   * resource list is killed properly by gc_final. */
  gc_global(&self->resources->super);

  return self;
}

/* (options2local options) -> the address to listen on, i.e.
 * options->local as built at ARGP_KEY_END. */
DEFINE_COMMAND(options2local)
     (struct command *s UNUSED,
      struct lsh_object *a,
      struct command_continuation *c,
      struct exception_handler *e UNUSED)
{
  CAST(lshd_options, options, a);
  struct address_info *listen_address = options->local;

  /* FIXME: Call bind already here? */
  COMMAND_RETURN(c, listen_address);
}

/* (options2signature_algorithms options) -> the alist of signature
 * algorithms, the same one options2keys uses when reading the host
 * key. */
DEFINE_COMMAND(options2signature_algorithms)
     (struct command *s UNUSED,
      struct lsh_object *a,
      struct command_continuation *c,
      struct exception_handler *e UNUSED)
{
  CAST(lshd_options, options, a);
  struct alist *algorithms = options->signature_algorithms;

  COMMAND_RETURN(c, algorithms);
}


/* (options2keys options) -> a fresh alist handed to read_host_key
 * together with options->hostkey and the signature algorithms.
 *
 * NOTE(review): read_host_key's result is not inspected here, so a
 * missing or unreadable key file yields an alist with nothing in it;
 * confirm how the handshake code reports that.
 *
 * FIXME: Call read_host_key directly from main instead. */
DEFINE_COMMAND(options2keys)
     (struct command *ignored UNUSED,
      struct lsh_object *a,
      struct command_continuation *c,
      struct exception_handler *e UNUSED)
{
  CAST(lshd_options, options, a);
  struct alist *keys;

  keys = make_alist(0, -1);
  read_host_key(options->hostkey, options->signature_algorithms, keys);

  COMMAND_RETURN(c, keys);
}

/* GABA:
   (class
     (name pid_file_resource)
     (super resource)
     (vars
       (file . "const char *")))
*/

/* Kill hook of pid_file_resource: removes the pid file the first time
 * the resource is killed (on SIGHUP or at exit via the resource list)
 * and is a no-op afterwards. */
static void
do_kill_pid_file(struct resource *s)
{
  CAST(pid_file_resource, self, s);

  if (!self->super.alive)
    return;

  self->super.alive = 0;
  if (unlink(self->file) < 0)
    werror("Unlinking pidfile failed %e\n", errno);
}

/* Creates a resource that unlinks FILE when killed. FILE is stored,
 * not copied, so the caller's string must outlive the resource. */
static struct resource *
make_pid_file_resource(const char *file)
{
  NEW(pid_file_resource, self);

  self->file = file;
  init_resource(&self->super, do_kill_pid_file);

  return &self->super;
}

/* GABA:
   (class
     (name sighup_close_callback)
     (super lsh_callback)
     (vars
       (resources object resource_list)))
*/

/* SIGHUP handler: kills everything on the resource list (listening
 * sockets registered via close_on_sighup and the pid file), then
 * tells the operator how many files are still open so it is clear
 * that existing connections are being allowed to finish. */
static void
do_sighup_close_callback(struct lsh_callback *s)
{
  CAST(sighup_close_callback, self, s);
  unsigned still_open;

  werror("SIGHUP received.\n");
  KILL_RESOURCE_LIST(self->resources);

  still_open = io_nfiles();
  if (still_open > 0)
    werror("Waiting for active connections to terminate, "
	   "%i files still open.\n", still_open);
}

/* Builds the SIGHUP callback over the option block's resource list. */
static struct lsh_callback *
make_sighup_close_callback(struct lshd_options *options)
{
  NEW(sighup_close_callback, self);

  self->resources = options->resources;
  self->super.f = do_sighup_close_callback;

  return &self->super;
}

/* (close_on_sighup options file)
 *
 * Registers FILE on the options' resource list so that it is killed
 * together with the other resources on SIGHUP or at exit, and
 * returns FILE unchanged. */
DEFINE_COMMAND2(close_on_sighup)
     (struct command_2 *ignored UNUSED,
      struct lsh_object *a1,
      struct lsh_object *a2,
      struct command_continuation *c,
      struct exception_handler *e UNUSED)
{
  CAST(lshd_options, options, a1);
  CAST(lsh_fd, fd, a2);
  struct resource_list *list = options->resources;

  remember_resource(list, &fd->super);
  COMMAND_RETURN(c, a2);
}


/* (options2tcp_wrapper options) -> the command applied to each
 * accepted connection. With tcp wrappers compiled in and a service
 * name configured, that is a tcp_wrapper object built from the name
 * and the go-away message (newline appended; empty string if no
 * message was given). Otherwise, the peer is only logged. */
DEFINE_COMMAND(options2tcp_wrapper)
     (struct command *s UNUSED,
      struct lsh_object *a,
      struct command_continuation *c,
      struct exception_handler *e UNUSED)
{
#if WITH_TCPWRAPPERS
  CAST(lshd_options, options, a);

  if (options->tcp_wrapper_name)
    {
      /* The message is passed as a %lz argument, never as a format
       * string, so its contents are not interpreted. */
      struct lsh_string *goaway = options->tcp_wrapper_message
	? ssh_format("%lz\n", options->tcp_wrapper_message)
	: ssh_format("");

      COMMAND_RETURN(c,
		     make_tcp_wrapper(make_string(options->tcp_wrapper_name),
				      goaway));
      return;
    }
#endif /* WITH_TCPWRAPPERS */

  COMMAND_RETURN(c, &io_log_peer_command);
}


/* argp option table. Options that only make sense with a compile-time
 * feature are guarded by the matching WITH_* macro, and so are their
 * cases in main_argp_parser. Enable/disable pairs are processed in
 * command-line order, so the last one given wins. */
static const struct argp_option
main_options[] =
{
  /* Name, key, arg-name, flags, doc, group */
  /* Network and host key. */
  { "interface", OPT_INTERFACE, "interface", 0,
    "Listen on this network interface.", 0 }, 
  { "port", 'p', "Port", 0, "Listen on this port.", 0 },
  { "host-key", 'h', "Key file", 0, "Location of the server's private key.", 0},
#if WITH_SSH1_FALLBACK
  { "ssh1-fallback", OPT_SSH1_FALLBACK, "File name", OPTION_ARG_OPTIONAL,
    "Location of the sshd1 program, for falling back to version 1 of the Secure Shell protocol.", 0 },
#endif /* WITH_SSH1_FALLBACK */

  /* See options2tcp_wrapper for how these are used. */
#if WITH_TCPWRAPPERS
  { NULL, 0, NULL, 0, "Connection filtering:", 0 },
  { "tcpwrappers", OPT_TCPWRAPPERS, "name", 0, "Set service name for tcp wrappers (default lshd)", 0 },
  { "no-tcpwrappers", OPT_NO_TCPWRAPPERS, NULL, 0, "Disable wrappers", 0 },
  { "tcpwrappers-msg", OPT_TCPWRAP_GOAWAY_MSG, "'Message'", 0, "Message sent to clients " 
    "who aren't allowed to connect. A newline will be added.", 0 },
#endif /* WITH_TCPWRAPPERS */

  { NULL, 0, NULL, 0, "Keyexchange options:", 0 },
#if WITH_SRP
  { "srp-keyexchange", OPT_SRP, NULL, 0, "Enable experimental SRP support.", 0 },
  { "no-srp-keyexchange", OPT_NO_SRP, NULL, 0, "Disable experimental SRP support (default).", 0 },
#endif /* WITH_SRP */

  { "dh-keyexchange", OPT_DH, NULL, 0, "Enable DH support (default).", 0 },
  { "no-dh-keyexchange", OPT_NO_DH, NULL, 0, "Disable DH support.", 0 },
  
  { NULL, 0, NULL, 0, "User authentication options:", 0 },

  { "password", OPT_PASSWORD, NULL, 0,
    "Enable password user authentication (default).", 0},
  { "no-password", OPT_NO_PASSWORD, NULL, 0,
    "Disable password user authentication.", 0},

  { "publickey", OPT_PUBLICKEY, NULL, 0,
    "Enable publickey user authentication (default).", 0},
  { "no-publickey", OPT_NO_PUBLICKEY, NULL, 0,
    "Disable publickey user authentication.", 0},

  { "root-login", OPT_ROOT_LOGIN, NULL, 0,
    "Allow root to login.", 0 },
  { "no-root-login", OPT_NO_ROOT_LOGIN, NULL, 0,
    "Don't allow root to login (default).", 0 },

  { "login-shell", OPT_LOGIN_SHELL, "Program", 0,
    "Use this program as the login shell for all users. "
    "(Experimental)", 0 },
  
  /* Both of these set pw_helper; --kerberos-passwords just picks the
   * compiled-in KERBEROS_HELPER path. */
  { "kerberos-passwords", OPT_KERBEROS_PASSWD, NULL, 0,
    "Recognize kerberos passwords, using the helper program "
    "\"" KERBEROS_HELPER "\". This option is experimental.", 0 },
  { "no-kerberos-passwords", OPT_NO_KERBEROS_PASSWD, NULL, 0,
    "Don't recognize kerberos passwords (default behaviour).", 0 },

  { "password-helper", OPT_PASSWORD_HELPER, "Program", 0,
    "Use the named helper program for password verification. "
    "(Experimental).", 0 },

  { NULL, 0, NULL, 0, "Offered services:", 0 },

#if WITH_PTY_SUPPORT
  { "pty-support", OPT_PTY, NULL, 0, "Enable pty allocation (default).", 0 },
  { "no-pty-support", OPT_NO_PTY, NULL, 0, "Disable pty allocation.", 0 },
#endif /* WITH_PTY_SUPPORT */
#if WITH_TCP_FORWARD
  { "tcpip-forward", OPT_TCPIP_FORWARD, NULL, 0,
    "Enable tcpip forwarding (default).", 0 },
  { "no-tcpip-forward", OPT_NO_TCPIP_FORWARD, NULL, 0,
    "Disable tcpip forwarding.", 0 },
#endif /* WITH_TCP_FORWARD */
#if WITH_X11_FORWARD
  { "x11-forward", OPT_X11_FORWARD, NULL, 0,
    "Enable x11 forwarding.", 0 },
  { "no-x11-forward", OPT_NO_X11_FORWARD, NULL, 0,
    "Disable x11 forwarding (default).", 0 },
#endif /* WITH_X11_FORWARD */
  
  /* Parsed by parse_subsystem_list; the list format is validated
   * there and a bad list is rejected with an argp_error. */
  { "subsystems", OPT_SUBSYSTEMS, "List of subsystem names and programs", 0,
    "For example `sftp=/usr/sbin/sftp-server,foosystem=/usr/bin/foo' "
    "(experimental).", 0},
  
  { NULL, 0, NULL, 0, "Daemonic behaviour", 0 },
  { "daemonic", OPT_DAEMONIC, NULL, 0, "Run in the background, redirect stdio to /dev/null, and chdir to /.", 0 },
  { "no-daemonic", OPT_NO_DAEMONIC, NULL, 0, "Run in the foreground, with messages to stderr (default).", 0 },
  { "pid-file", OPT_PIDFILE, "file name", 0, "Create a pid file. When running in daemonic mode, "
    "the default is /var/run/lshd.pid.", 0 },
  { "no-pid-file", OPT_NO_PIDFILE, NULL, 0, "Don't use any pid file. Default in non-daemonic mode.", 0 },
  /* Core dumps of this process would contain the private host key;
   * main() disables them unless this is given. */
  { "enable-core", OPT_CORE, NULL, 0, "Dump core on fatal errors (disabled by default).", 0 },
  { "no-syslog", OPT_NO_SYSLOG, NULL, 0, "Don't use syslog (by default, syslog is used "
    "when running in daemonic mode).", 0 },
  /* Terminating entry required by argp. */
  { NULL, 0, NULL, 0, NULL, 0 }
};

/* Child parsers: algorithm selection (fed &self->super at
 * ARGP_KEY_INIT) and the werror verbosity options (fed NULL). */
static const struct argp_child
main_argp_children[] =
{
  { &algorithms_argp, 0, "", 0 },
  { &werror_argp, 0, "", 0 },
  { NULL, 0, NULL, 0}
};

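/* Parses a comma separated list of NAME=PROGRAM pairs into a flat,
 * NULL-terminated array { name0, program0, name1, program1, ..., NULL }.
 *
 * NOTE: Modifies the argument string. Each '=' and ',' separator is
 * overwritten with NUL, and the returned pointers alias into ARG, so
 * ARG must outlive the result.
 *
 * Returns NULL (and frees the array) if an element has no '=', or if
 * a ',' is found before the '=' of an element (the comma count then no
 * longer matches the number of values). The caller frees the array
 * with lsh_space_free; the strings are not owned by the array.
 *
 * NOTE(review): strchr needs a prototype; <string.h> is commented out
 * at the top of this file, so it is presumably included via another
 * header — confirm, since an implicit int return would truncate the
 * pointer on 64-bit targets. */
static const char **
parse_subsystem_list(char *arg)
{
  const char **subsystems;
  char *separator;
  unsigned length;
  unsigned i;
  
  /* First count the number of elements. */
  for (length = 1, i = 0; arg[i]; i++)
    if (arg[i] == ',')
      length++;

  /* Two pointers per element plus the terminating NULL. */
  subsystems = lsh_space_alloc((length * 2 + 1) * sizeof(*subsystems));

  for (i = 0; i < length; i++)
    {
      subsystems[2*i] = arg;

      separator = strchr(arg, '=');

      if (!separator)
	goto fail;

      *separator = '\0';

      subsystems[2*i+1] = arg = separator + 1;
      
      separator = strchr(arg, ',');

      if (i == (length - 1))
	{
	  /* Last element: every counted comma has been consumed, so
	   * a remaining one means the list was malformed. */
	  if (separator)
	    goto fail;
	  break;
	}
      
      if (!separator)
	goto fail;

      *separator = '\0';
      arg = separator + 1;
    }

  /* Terminate explicitly rather than relying on the allocator
   * returning zeroed memory. */
  subsystems[2*length] = NULL;
  return subsystems;

 fail:
  lsh_space_free(subsystems);
  return NULL;
}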

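/* argp callback for main_options.
 *
 * ARGP_KEY_INIT hands the option block to the child parsers, the
 * individual keys just record their value, and ARGP_KEY_END validates
 * the combination and builds the derived objects: user database, key
 * exchange list, listening address and the userauth method list and
 * alist. argp_error and argp_failure exit the process (argp_parse is
 * called without ARGP_NO_EXIT), so nothing after them runs. */
static error_t
main_argp_parser(int key, char *arg, struct argp_state *state)
{
  CAST(lshd_options, self, state->input);
  
  switch(key)
    {
    default:
      return ARGP_ERR_UNKNOWN;
    case ARGP_KEY_INIT:
      state->child_inputs[0] = &self->super;
      state->child_inputs[1] = NULL;
      break;
    case ARGP_KEY_END:
      {
	struct user_db *user_db = NULL;
	
	if (!self->random)
	  argp_failure( state, EXIT_FAILURE, 0,  "No randomness generator available.");
	
	/* Every enabled way of authenticating a user needs the user
	 * database; SRP needs it already during key exchange. */
       	if (self->with_password || self->with_publickey || self->with_srp_keyexchange)
	  user_db = make_unix_user_db(self->reaper,
				      self->pw_helper, self->login_shell,
				      self->allow_root);
	  
	if (self->with_dh_keyexchange || self->with_srp_keyexchange)
	  {
	    int i = 0;
	    self->kex_algorithms 
	      = alloc_int_list(self->with_dh_keyexchange + self->with_srp_keyexchange);
	    
	    if (self->with_dh_keyexchange)
	      {
		LIST(self->kex_algorithms)[i++] = ATOM_DIFFIE_HELLMAN_GROUP1_SHA1;
		ALIST_SET(self->super.algorithms,
			  ATOM_DIFFIE_HELLMAN_GROUP1_SHA1,
			  &make_dh_server(make_dh1(self->random))
			  ->super);
	      }
#if WITH_SRP	    
	    if (self->with_srp_keyexchange)
	      {
		assert(user_db);
		LIST(self->kex_algorithms)[i++] = ATOM_SRP_RING1_SHA1_LOCAL;
		ALIST_SET(self->super.algorithms,
			  ATOM_SRP_RING1_SHA1_LOCAL,
			  &make_srp_server(make_srp1(self->random),
					   user_db)
			  ->super);
	      }
#endif /* WITH_SRP */
	  }
	else
	  argp_error(state, "All keyexchange algorithms disabled.");

	/* Default is to look up the "ssh" service and fall back to
	 * port 22 if the lookup fails. */
	if (self->port)
	  self->local = make_address_info_c(self->interface, self->port, 0);
	else
	  self->local = make_address_info_c(self->interface, "ssh", 22);
      
	/* self->port is NULL when the default service was tried, so
	 * report "ssh" instead of handing a NULL pointer to %s. */
	if (!self->local)
	  argp_error(state, "Invalid interface, port or service, `%s:%s'.",
		     self->interface ? self->interface : "ANY",
		     self->port ? self->port : "ssh");

	if (self->use_pid_file < 0)
	  self->use_pid_file = self->daemonic;

	/* Always create the method list and the algorithm alist, even
	 * when both password and publickey are disabled: the SRP
	 * "none" entry and the size check below dereference the alist,
	 * and make_userauth_service receives the list. Previously
	 * --no-password --no-publickey crashed here instead of
	 * reporting the error. A zero-length int_list is fine (main
	 * builds one with make_int_list(0, -1)). */
	self->userauth_methods
	  = alloc_int_list(self->with_password + self->with_publickey);
	self->userauth_algorithms = make_alist(0, -1);

	{
	  int i = 0;

	  if (self->with_password)
	    {
	      LIST(self->userauth_methods)[i++] = ATOM_PASSWORD;
	      ALIST_SET(self->userauth_algorithms,
			ATOM_PASSWORD,
			&make_userauth_password(user_db)->super);
	    }
	  if (self->with_publickey)
	    {
	      /* FIXME: Doesn't use spki */
	      struct lookup_verifier *key_db
		= make_authorization_db(ssh_format("authorized_keys_sha1"),
					&crypto_sha1_algorithm);
	      
	      LIST(self->userauth_methods)[i++] = ATOM_PUBLICKEY;
	      ALIST_SET(self->userauth_algorithms,
			ATOM_PUBLICKEY,
			&make_userauth_publickey
			(user_db,
			 make_alist(2,
				    ATOM_SSH_DSS, key_db,
				    ATOM_SSH_RSA, key_db,
				    -1))
			->super);
	    }
	}

	/* The "none" method is offered only with SRP, presumably
	 * because SRP key exchange already authenticated the user —
	 * confirm against server_userauth.c. */
        if (self->with_srp_keyexchange)
          ALIST_SET(self->userauth_algorithms,
                    ATOM_NONE,
                    &server_userauth_none.super);

        if (!self->userauth_algorithms->size)
	  argp_error(state, "All user authentication methods disabled.");

	break;
      }
    case 'p':
      self->port = arg;
      break;

    case 'h':
      self->hostkey = arg;
      break;

    case OPT_INTERFACE:
      self->interface = arg;
      break;

#if WITH_SSH1_FALLBACK
    case OPT_SSH1_FALLBACK:
      self->sshd1 = make_ssh1_fallback(arg ? arg : SSHD1);
      break;
#endif

    case OPT_SRP:
      self->with_srp_keyexchange = 1;
      break;

    case OPT_NO_SRP:
      self->with_srp_keyexchange = 0;
      break;
      
    case OPT_DH:
      self->with_dh_keyexchange = 1;
      break;

    case OPT_NO_DH:
      self->with_dh_keyexchange = 0;
      break;
      
    case OPT_PASSWORD:
      self->with_password = 1;
      break;
      
    case OPT_NO_PASSWORD:
      self->with_password = 0;
      break;

    case OPT_PUBLICKEY:
      self->with_publickey = 1;
      break;
      
    case OPT_NO_PUBLICKEY:
      self->with_publickey = 0;
      break;

    case OPT_ROOT_LOGIN:
      self->allow_root = 1;
      break;

    /* Kerberos passwords are just the generic helper mechanism with
     * a compiled-in helper path. */
    case OPT_KERBEROS_PASSWD:
      self->pw_helper = KERBEROS_HELPER;
      break;

    case OPT_NO_KERBEROS_PASSWD:
      self->pw_helper = NULL;
      break;

    case OPT_PASSWORD_HELPER:
      self->pw_helper = arg;
      break;

    case OPT_LOGIN_SHELL:
      self->login_shell = arg;
      break;
      
#if WITH_TCP_FORWARD
    case OPT_TCPIP_FORWARD:
      self->with_tcpip_forward = 1;
      break;

    case OPT_NO_TCPIP_FORWARD:
      self->with_tcpip_forward = 0;
      break;
#endif /* WITH_TCP_FORWARD */

#if WITH_X11_FORWARD
    case OPT_X11_FORWARD:
      self->with_x11_forward = 1;
      break;
    case OPT_NO_X11_FORWARD:
      self->with_x11_forward = 0;
      break;
#endif /* WITH_X11_FORWARD */
      
#if WITH_PTY_SUPPORT
    case OPT_PTY:
      self->with_pty = 1;
      break;
    case OPT_NO_PTY:
      self->with_pty = 0;
      break;
#endif /* WITH_PTY_SUPPORT */

#if WITH_TCPWRAPPERS
    case OPT_TCPWRAPPERS:
      self->tcp_wrapper_name = arg; /* Name given */
      break;
    case OPT_NO_TCPWRAPPERS:
      self->tcp_wrapper_name = NULL; /* Disable by giving name NULL */
      break;
      
    case OPT_TCPWRAP_GOAWAY_MSG:
      self->tcp_wrapper_message = arg;
      break;

#endif /* WITH_TCPWRAPPERS */

    case OPT_SUBSYSTEMS:
      self->subsystems = parse_subsystem_list(arg);
      if (!self->subsystems)
	argp_error(state, "Invalid subsystem list.");
      break;

    case OPT_NO_SUBSYSTEMS:
      self->subsystems = NULL;
      break;
      
    case OPT_DAEMONIC:
      self->daemonic = 1;
      break;
      
    case OPT_NO_DAEMONIC:
      self->daemonic = 0;
      break;

    case OPT_NO_SYSLOG:
      self->no_syslog = 1;
      break;
      
    case OPT_PIDFILE:
      self->pid_file = arg;
      self->use_pid_file = 1;
      break;

    case OPT_NO_PIDFILE:
      self->use_pid_file = 0;
      break;

    case OPT_CORE:
      self->corefile = 1;
      break;
    }
  return 0;
}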

/* Top-level argp: option table, parser, no positional arguments
 * (args_doc NULL), program description, and the child parsers. */
static const struct argp
main_argp =
{ main_options, main_argp_parser, 
  NULL,
  "Server for the ssh-2 protocol.",
  main_argp_children,
  NULL, NULL
};


/* GABA:
   (expr
     (name make_lshd_listen)
     (params
       (handshake object handshake_info)
       (init object make_kexinit)
       (services object command) )
     (expr (lambda (options)
             (let ((keys (options2keys options)))
	       (close_on_sighup options
	         (listen
	           (lambda (lv)
    	             (services (connection_handshake
    	           		  handshake
    	           		  (kexinit_filter init keys)
    	           		  keys 
				  (options2tcp_wrapper options lv))))
	           (bind (options2local options)) ))))))
*/


/* Invoked when starting the ssh-connection service */
/* GABA:
   (expr
     (name make_lshd_connection_service)
     (params
       (hooks object object_list))
     (expr
       (lambda (connection)
         ((progn hooks)
	    ; We have to initialize the connection
	    ; before adding handlers.
	    (init_connection_service
	      ; Disconnect if connection->user is NULL
	      (connection_require_userauth connection)))))))
*/

/* SIGTERM handler: tear down the I/O layer and end the process. The
 * SIGKILL to ourselves makes termination immediate and unconditional;
 * exit(0) is only reached in the GCOV build, where a normal exit is
 * needed so coverage data gets written. */
static void
do_terminate_callback(struct lsh_callback *s UNUSED)
{
  io_final();

  /* If we're using GCOV, just call exit(). That way, profiling info
   * is written properly when the process is terminated. */
#if !WITH_GCOV
  kill(getpid(), SIGKILL);
#endif
  exit(0);
}

/* Statically allocated callback object registered for SIGTERM. */
static struct lsh_callback
sigterm_handler = { STATIC_HEADER, do_terminate_callback };

/* Registers the process-wide signal handlers: SIGTERM terminates
 * immediately, SIGHUP kills the listening resources and lets existing
 * connections drain. */
static void
install_signal_handlers(struct lshd_options *options)
{
  struct lsh_callback *on_hangup = make_sighup_close_callback(options);

  io_signal_handler(SIGTERM, &sigterm_handler);
  io_signal_handler(SIGHUP, on_hangup);
}

/* Entry point: set up I/O and locale, parse options, optionally go
 * into the background and write a pid file, then build the listen
 * command (handshake -> kexinit -> userauth -> connection service)
 * and hand control to the event loop. Returns EXIT_FAILURE on any
 * setup error; once io_run() is entered, termination happens through
 * the signal handlers. */
int
main(int argc, char **argv)
{
  struct lshd_options *options;

#if HAVE_SETRLIMIT && HAVE_SYS_RESOURCE_H
  /* Try to increase max number of open files, ignore any error */
  /* Raising the hard limit presumably fails for an unprivileged
   * process; the inherited limit is then simply kept. */

  struct rlimit r;

  r.rlim_max = RLIM_INFINITY;
  r.rlim_cur = RLIM_INFINITY;

  setrlimit(RLIMIT_NOFILE, &r);
#endif

  io_init();
  
  /* For filtering messages. Could perhaps also be used when converting
   * strings to and from UTF8. */
  setlocale(LC_CTYPE, "");

  /* FIXME: Choose character set depending on the locale */
  set_local_charset(CHARSET_LATIN1);


  options = make_lshd_options();

  if (!options)
    return EXIT_FAILURE;

  /* Installed before option parsing so that the handlers exist for the
   * whole lifetime of the resource list. */
  install_signal_handlers(options);
  
  trace("Parsing options...\n");
  argp_parse(&main_argp, argc, argv, 0, NULL, options);
  trace("Parsing options... done\n");  

  /* A core dump of this process would contain the private host key
   * read later via options2keys, so dumps are refused unless
   * --enable-core was given. */
  if (!options->corefile && !daemon_disable_core())
    {
      werror("Disabling of core dumps failed.\n");
      return EXIT_FAILURE;
    }

  if (!options->random) 
    {
      werror("Failed to initialize randomness generator.\n");
      return EXIT_FAILURE;
    }
  
  if (options->daemonic)
    {
      if (options->no_syslog)
        {
          /* Just put process into the background. --no-syslog is an
           * inappropriate name */
          switch (fork())
            {
            case 0:
              /* Child */
              /* FIXME: Should we create a new process group, close our tty
               * and stdio, etc? */
              trace("forked into background. New pid: %i.\n", getpid());
              break;
              
            case -1:
              /* Error */
              /* Deliberately not fatal: the server keeps running in the
               * foreground after logging the failure. */
              werror("background_process: fork failed %e\n", errno);
              break;
              
            default:
              /* Parent */
              _exit(EXIT_SUCCESS);
            }
        }
      else
        {
#if HAVE_SYSLOG
          set_error_syslog("lshd");
#else /* !HAVE_SYSLOG */
          werror("lshd: No syslog. Further messages will be directed to /dev/null.\n");
#endif /* !HAVE_SYSLOG */

          switch (daemon_init())
            {
            case 0:
              werror("lshd: Spawning into background failed.\n");
              return EXIT_FAILURE;
            case DAEMON_INETD:
              werror("lshd: spawning from inetd not yet supported.\n");
              return EXIT_FAILURE;
            case DAEMON_INIT:
            case DAEMON_NORMAL:
              break;
            default:
              fatal("Internal error\n");
            }
        }
    }
  
  /* use_pid_file was resolved at ARGP_KEY_END (defaults to daemonic).
   * A zero result from daemon_pidfile is taken to mean another lshd
   * already holds the file. */
  if (options->use_pid_file)
    {
      if (daemon_pidfile(options->pid_file))
	remember_resource(options->resources, 
			  make_pid_file_resource(options->pid_file));
      else
	{
	  werror("lshd seems to be running already.\n");
	  return EXIT_FAILURE;
	}
    }
  {
    /* Commands to be invoked on the connection */
    /* FIXME: Use a queue instead. */
    struct object_list *connection_hooks;
    struct command *session_setup;
    
    /* Supported channel requests */
    /* Only the requests enabled by configuration and options are
     * registered; anything else on a session channel has no handler. */
    struct alist *supported_channel_requests
      = make_alist(2,
		   ATOM_SHELL, &shell_request_handler,
		   ATOM_EXEC, &exec_request_handler,
		   -1);
    
#if WITH_PTY_SUPPORT
    if (options->with_pty)
      {
        ALIST_SET(supported_channel_requests,
                  ATOM_PTY_REQ, &pty_request_handler.super);
        ALIST_SET(supported_channel_requests,
                  ATOM_WINDOW_CHANGE, &window_change_request_handler.super);
      }
#endif /* WITH_PTY_SUPPORT */

#if WITH_X11_FORWARD
      if (options->with_x11_forward)
        ALIST_SET(supported_channel_requests,
		  ATOM_X11_REQ, &x11_req_handler.super);
#endif /* WITH_X11_FORWARD */

    if (options->subsystems)
      ALIST_SET(supported_channel_requests,
		ATOM_SUBSYSTEM,
		&make_subsystem_handler(options->subsystems)->super);
		
    session_setup = make_install_fix_channel_open_handler
      (ATOM_SESSION, make_open_session(supported_channel_requests));
    
    /* The hooks run on every new connection after userauth
     * (see make_lshd_connection_service). */
#if WITH_TCP_FORWARD
    if (options->with_tcpip_forward)
      connection_hooks = make_object_list
	(4,
	 session_setup,
	 make_tcpip_forward_hook(),
	 make_install_fix_global_request_handler
	 (ATOM_CANCEL_TCPIP_FORWARD, &tcpip_cancel_forward),
	 make_direct_tcpip_hook(),
	 -1);
    else
#endif
      connection_hooks
	= make_object_list (1, session_setup, -1);
    {
      CAST_SUBTYPE(command, connection_service,
		   make_lshd_connection_service(connection_hooks));
      /* The only service offered after key exchange is ssh-userauth,
       * which in turn offers only ssh-connection. */
      CAST_SUBTYPE(command, server_listen, 		   
		   make_lshd_listen
		   (make_handshake_info(CONNECTION_SERVER,
					"lsh - a free ssh",
					NULL,
					SSH_MAX_PACKET,
					options->random,
					options->super.algorithms,
					options->sshd1),
		    make_simple_kexinit
		    (options->random,
		     options->kex_algorithms,
		     options->super.hostkey_algorithms,
		     options->super.crypto_algorithms,
		     options->super.mac_algorithms,
		     options->super.compression_algorithms,
		     make_int_list(0, -1)),
		    make_offer_service
		    (make_alist
		     (1,
		      ATOM_SSH_USERAUTH,
		      make_userauth_service(options->userauth_methods,
					    options->userauth_algorithms,
					    make_alist(1, ATOM_SSH_CONNECTION,
						       connection_service,-1)),
		      -1))));

      /* I/O exceptions from the listener are logged with this prefix
       * and then passed to options->e. */
      static const struct report_exception_info report =
	STATIC_REPORT_EXCEPTION_INFO(EXC_IO, EXC_IO,
				     "lshd: ");
	    
      
      COMMAND_CALL(server_listen, options,
		   &discard_continuation,
		   make_report_exception_handler
		   (&report,
		    options->e,
		    HANDLER_CONTEXT));
    }
  }
  
  io_run();

  io_final();
  
  return 0;
}