/* lshd.c
 *
 * Main server program.
 *
 */

/* lsh, an implementation of the ssh protocol
 *
 * Copyright (C) 1998 Niels Mller
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

#include "algorithms.h"
#include "alist.h"
#include "atoms.h"
#include "channel.h"
#include "channel_commands.h"
#include "charset.h"
#include "compress.h"
#include "connection_commands.h"
#include "crypto.h"
#include "daemon.h"
#include "environ.h"
#include "format.h"
#include "handshake.h"
#include "io.h"
#include "io_commands.h"
#include "lookup_verifier.h"
#include "randomness.h"
#include "reaper.h"
#include "server.h"
#include "server_authorization.h"
#include "server_keyexchange.h"
#include "server_pty.h"
#include "server_session.h"
#include "spki.h"
#include "srp.h"
#include "ssh.h"
#include "tcpforward.h"
#include "tcpforward_commands.h"
#include "tcpforward_commands.h"
#include "server_userauth.h"
#include "version.h"
#include "werror.h"
#include "xalloc.h"

#include "lsh_argp.h"

#include "lshd.c.x"

#include <assert.h>

#include <errno.h>
#include <locale.h>
#include <stdio.h>
/* #include <string.h> */

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#if TIME_WITH_SYS_TIME && HAVE_SYS_TIME_H
#include <sys/time.h>
#endif
#if HAVE_SYS_RESOURCE_H
#include <sys/resource.h>
#endif
#if HAVE_UNISTD_H
#include <unistd.h>
#endif


/* Option parsing */

const char *argp_program_version
= "lshd-" VERSION ", secsh protocol version " SERVER_PROTOCOL_VERSION;

const char *argp_program_bug_address = BUG_ADDRESS;

#define OPT_NO 0x400
#define OPT_SSH1_FALLBACK 0x200
#define OPT_INTERFACE 0x201

#define OPT_TCPIP_FORWARD 0x202
#define OPT_NO_TCPIP_FORWARD (OPT_TCPIP_FORWARD | OPT_NO)
#define OPT_PTY 0x203
#define OPT_NO_PTY (OPT_PTY | OPT_NO)
#define OPT_SUBSYSTEMS 0x204
#define OPT_NO_SUBSYSTEMS (OPT_SUBSYSTEMS | OPT_NO)

#define OPT_DAEMONIC 0x205
#define OPT_NO_DAEMONIC (OPT_DAEMONIC | OPT_NO)
#define OPT_PIDFILE 0x206
#define OPT_NO_PIDFILE (OPT_PIDFILE | OPT_NO)
#define OPT_CORE 0x207
#define OPT_SYSLOG 0x208
#define OPT_NO_SYSLOG (OPT_SYSLOG | OPT_NO)
#define OPT_X11_FORWARD 0x209
#define OPT_NO_X11_FORWARD (OPT_X11_FORWARD |OPT_NO)

#define OPT_SRP 0x210
#define OPT_NO_SRP (OPT_SRP | OPT_NO)
#define OPT_DH 0x211
#define OPT_NO_DH (OPT_DH | OPT_NO)

#define OPT_PUBLICKEY 0x220
#define OPT_NO_PUBLICKEY (OPT_PUBLICKEY | OPT_NO)
#define OPT_PASSWORD 0x221
#define OPT_NO_PASSWORD (OPT_PASSWORD | OPT_NO)

#define OPT_ROOT_LOGIN 0x222
#define OPT_NO_ROOT_LOGIN (OPT_ROOT_LOGIN | OPT_NO)

#define OPT_KERBEROS_PASSWD 0x223
#define OPT_NO_KERBEROS_PASSWD (OPT_KERBEROS_PASSWD | OPT_NO)

#define OPT_PASSWORD_HELPER 0x224

#define OPT_LOGIN_SHELL 0x225

#define OPT_TCPWRAPPERS 0x226
#define OPT_NO_TCPWRAPPERS 0x227

#define OPT_TCPWRAP_GOAWAY_MSG 0x228

/* GABA:
   (class
     (name lshd_options)
     (super algorithms_options)
     (vars
       (e object exception_handler)
       
       (reaper object reaper)
       (random object randomness)
       
       (signature_algorithms object alist)
       ;; Addresses to bind
       (local object sockaddr_list)
       (port . "char *")
       (hostkey . "char *")
       (tcp_wrapper_name . "char *")
       (tcp_wrapper_message . "char *")

       (with_srp_keyexchange . int)
       (with_dh_keyexchange . int)

       ;; (kexinit object make_kexinit)
       (kex_algorithms object int_list)
       
       (with_publickey . int)
       (with_password . int)
       (allow_root . int)
       (pw_helper . "const char *")
       (login_shell . "const char *")
       
       (with_tcpip_forward . int)
       (with_x11_forward . int)
       (with_pty . int)
       (subsystems . "const char **")
       
       (userauth_methods object int_list)
       (userauth_algorithms object alist)
       
       (sshd1 object ssh1_fallback)
       (daemonic . int)
       (no_syslog . int)
       (corefile . int)
       (pid_file . "const char *")
       ; -1 means use pid file iff we're in daemonic mode
       (use_pid_file . int)))
*/

/* Top-level exception handler for the server process.
 *
 * Two conditions are treated as fatal for the whole daemon rather
 * than for a single connection: a failed address lookup (EXC_RESOLVE)
 * and a randomness source that reports too little entropy
 * (EXC_RANDOMNESS_LOW_ENTROPY). Refusing to run in the latter case is
 * deliberate; the key exchange and signature algorithms set up in
 * this file are all seeded from options->random. Every other
 * exception is forwarded to the parent handler unchanged. */
static void
do_exc_lshd_handler(struct exception_handler *s,
		    const struct exception *e)
{
  int fatal_for_daemon
    = (e->type == EXC_RESOLVE
       || e->type == EXC_RANDOMNESS_LOW_ENTROPY);

  if (!fatal_for_daemon)
    {
      EXCEPTION_RAISE(s->parent, e);
      return;
    }

  werror("lshd: %z\n", e->msg);
  exit(EXIT_FAILURE);
}

/* Wrap PARENT in a handler that applies the daemon's fatal-error
 * policy (see do_exc_lshd_handler); CONTEXT is the usual source
 * location tag carried by exception handlers. */
static struct exception_handler *
make_lshd_exception_handler(struct exception_handler *parent,
			    const char *context)
{
  struct exception_handler *handler
    = make_exception_handler(do_exc_lshd_handler, parent, context);

  return handler;
}

/* Allocate the option object and fill in the built-in defaults.
 *
 * Everything set here can be overridden by main_argp_parser. Fields
 * that are derived from other options (kex_algorithms,
 * userauth_methods, userauth_algorithms, local) stay NULL until
 * ARGP_KEY_END. Security-relevant defaults: root login is refused,
 * password and publickey authentication are both enabled, X11
 * forwarding is off, the host key is read from /etc/lsh_host_key,
 * and tcp wrappers (when compiled in) are consulted under the service
 * name "lshd".
 *
 * Returns the new object. The randomness source may be NULL when the
 * system provides none; ARGP_KEY_END and main() both check for that
 * before it is used. */
static struct lshd_options *
make_lshd_options(void)
{
  NEW(lshd_options, self);

  /* Shared algorithm lists (crypto/mac/compression/hostkey). */
  init_algorithms_options(&self->super, all_symmetric_algorithms());

  /* Process-wide services. */
  self->e = make_lshd_exception_handler(&default_exception_handler,
					HANDLER_CONTEXT);
  self->reaper = make_reaper();
  self->random = make_system_random();

  /* OK to initialize with NULL */
  self->signature_algorithms = all_signature_algorithms(self->random);

  /* Daemon behaviour. */
  self->daemonic = 0;
  self->no_syslog = 0;
  self->corefile = 0;
  /* FIXME: Make the default a configure time option? */
  self->pid_file = "/var/run/lshd.pid";
  /* -1: decided at ARGP_KEY_END, pid file iff daemonic. */
  self->use_pid_file = -1;

  /* Where to listen. NULL port means: look up the "ssh" service and
   * fall back to 22 if that fails. */
  self->local = NULL;
  self->port = NULL;

  /* FIXME: this should perhaps use sysconfdir */
  self->hostkey = "/etc/lsh_host_key";
  self->sshd1 = NULL;

  /* Connection filtering. */
  self->tcp_wrapper_name = "lshd";
  self->tcp_wrapper_message = NULL;

  /* Key exchange: DH on, SRP off. */
  self->with_dh_keyexchange = 1;
  self->with_srp_keyexchange = 0;
  self->kex_algorithms = NULL;

  /* User authentication. */
  self->with_password = 1;
  self->with_publickey = 1;
  self->allow_root = 0;
  self->pw_helper = NULL;
  self->login_shell = NULL;
  self->userauth_methods = NULL;
  self->userauth_algorithms = NULL;

  /* Services offered after authentication. */
  self->with_pty = 1;
  self->with_tcpip_forward = 1;
  /* Experimental, so disabled by default. */
  self->with_x11_forward = 0;
  self->subsystems = NULL;

  return self;
}

/* GABA:
   (class
     (name pid_file_resource)
     (super resource)
     (vars
       (file . "const char *")))
*/

/* Kill method of pid_file_resource: remove the pid file, once.
 *
 * Runs when the resource list in main() is killed (SIGHUP or
 * shutdown). The alive flag is cleared first so a second kill is a
 * no-op. A failed unlink is only logged; there is nothing more
 * useful to do at that point. */
static void
do_kill_pid_file(struct resource *s)
{
  CAST(pid_file_resource, self, s);

  if (!self->super.alive)
    return;

  self->super.alive = 0;

  if (unlink(self->file) < 0)
    werror("Unlinking pidfile failed %e\n", errno);
}

/* Create a resource that deletes FILE when killed. FILE is kept by
 * reference, not copied; main() passes the option string, which lives
 * as long as the process. */
static struct resource *
make_pid_file_resource(const char *file)
{
  NEW(pid_file_resource, self);

  self->file = file;
  init_resource(&self->super, do_kill_pid_file);

  return &self->super;
}

/* GABA:
   (class
     (name sighup_close_callback)
     (super lsh_callback)
     (vars
       (resource object resource)))
*/

/* SIGHUP handler: stop accepting new connections.
 *
 * Kills the resource registered by main() (the resource list holding
 * the listen sockets and, when used, the pid file). The io loop is
 * not stopped here; if there are still open files the server keeps
 * running so the active sessions can finish. */
static void
do_sighup_close_callback(struct lsh_callback *s)
{
  CAST(sighup_close_callback, self, s);
  unsigned open_files;

  werror("SIGHUP received.\n");

  KILL_RESOURCE(self->resource);

  open_files = io_nfiles();
  if (open_files == 0)
    return;

  werror("Waiting for active connections to terminate, "
	 "%i files still open.\n", open_files);
}

/* Build the callback installed for SIGHUP; RESOURCE is what the
 * signal should kill (see do_sighup_close_callback). */
static struct lsh_callback *
make_sighup_close_callback(struct resource *resource)
{
  NEW(sighup_close_callback, self);

  self->resource = resource;
  self->super.f = do_sighup_close_callback;

  return &self->super;
}

/* lshd's own command line options, in help-output order. Options with
 * an OPT_NO_* twin form on/off pairs; the default is named in each
 * pair's doc string. Defaults that matter for security: root login is
 * off, password and publickey userauth are on, X11 forwarding is off,
 * core dumps are disabled, and tcp wrappers (when compiled in) are
 * consulted under the service name "lshd". Keys are dispatched in
 * main_argp_parser; the options of the child parsers (algorithm
 * lists, werror verbosity) live in main_argp_children. */
static const struct argp_option
main_options[] =
{
  /* Name, key, arg-name, flags, doc, group */
  /* May be repeated; each adds an address to options->local. */
  { "interface", OPT_INTERFACE, "interface", 0,
    "Listen on this network interface.", 0 }, 
  /* A port number or service name; also the default port for an
   * --interface without an explicit port. */
  { "port", 'p', "Port", 0, "Listen on this port.", 0 },
  { "host-key", 'h', "Key file", 0, "Location of the server's private key.", 0},
#if WITH_SSH1_FALLBACK
  /* Without a file name, SSHD1 from the build configuration is used. */
  { "ssh1-fallback", OPT_SSH1_FALLBACK, "File name", OPTION_ARG_OPTIONAL,
    "Location of the sshd1 program, for falling back to version 1 of the Secure Shell protocol.", 0 },
#endif /* WITH_SSH1_FALLBACK */

#if WITH_TCPWRAPPERS
  { NULL, 0, NULL, 0, "Connection filtering:", 0 },
  { "tcpwrappers", OPT_TCPWRAPPERS, "name", 0, "Set service name for tcp wrappers (default lshd)", 0 },
  { "no-tcpwrappers", OPT_NO_TCPWRAPPERS, NULL, 0, "Disable wrappers", 0 },
  { "tcpwrappers-msg", OPT_TCPWRAP_GOAWAY_MSG, "'Message'", 0, "Message sent to clients " 
    "who aren't allowed to connect. A newline will be added.", 0 },
#endif /* WITH_TCPWRAPPERS */

  { NULL, 0, NULL, 0, "Keyexchange options:", 0 },
#if WITH_SRP
  /* SRP authenticates the user during key exchange; enabling it also
   * registers the "none" userauth method (see main_argp_parser). */
  { "srp-keyexchange", OPT_SRP, NULL, 0, "Enable experimental SRP support.", 0 },
  { "no-srp-keyexchange", OPT_NO_SRP, NULL, 0, "Disable experimental SRP support (default).", 0 },
#endif /* WITH_SRP */

  { "dh-keyexchange", OPT_DH, NULL, 0, "Enable DH support (default).", 0 },
  { "no-dh-keyexchange", OPT_NO_DH, NULL, 0, "Disable DH support.", 0 },
  
  { NULL, 0, NULL, 0, "User authentication options:", 0 },

  { "password", OPT_PASSWORD, NULL, 0,
    "Enable password user authentication (default).", 0},
  { "no-password", OPT_NO_PASSWORD, NULL, 0,
    "Disable password user authentication.", 0},

  { "publickey", OPT_PUBLICKEY, NULL, 0,
    "Enable publickey user authentication (default).", 0},
  { "no-publickey", OPT_NO_PUBLICKEY, NULL, 0,
    "Disable publickey user authentication.", 0},

  /* Takes effect through the allow_root flag of the unix user
   * database created at ARGP_KEY_END. */
  { "root-login", OPT_ROOT_LOGIN, NULL, 0,
    "Allow root to login.", 0 },
  { "no-root-login", OPT_NO_ROOT_LOGIN, NULL, 0,
    "Don't allow root to login (default).", 0 },

  { "login-shell", OPT_LOGIN_SHELL, "Program", 0,
    "Use this program as the login shell for all users. "
    "(Experimental)", 0 },
  
  /* Both of these set pw_helper; the last one given wins. The helper
   * is an external program trusted with the cleartext password. */
  { "kerberos-passwords", OPT_KERBEROS_PASSWD, NULL, 0,
    "Recognize kerberos passwords, using the helper program "
    "\"" PATH_KERBEROS_HELPER "\". This option is experimental.", 0 },
  { "no-kerberos-passwords", OPT_NO_KERBEROS_PASSWD, NULL, 0,
    "Don't recognize kerberos passwords (default behaviour).", 0 },

  { "password-helper", OPT_PASSWORD_HELPER, "Program", 0,
    "Use the named helper program for password verification. "
    "(Experimental).", 0 },

  { NULL, 0, NULL, 0, "Offered services:", 0 },

#if WITH_PTY_SUPPORT
  { "pty-support", OPT_PTY, NULL, 0, "Enable pty allocation (default).", 0 },
  { "no-pty-support", OPT_NO_PTY, NULL, 0, "Disable pty allocation.", 0 },
#endif /* WITH_PTY_SUPPORT */
#if WITH_TCP_FORWARD
  { "tcpip-forward", OPT_TCPIP_FORWARD, NULL, 0,
    "Enable tcpip forwarding (default).", 0 },
  { "no-tcpip-forward", OPT_NO_TCPIP_FORWARD, NULL, 0,
    "Disable tcpip forwarding.", 0 },
#endif /* WITH_TCP_FORWARD */
#if WITH_X11_FORWARD
  { "x11-forward", OPT_X11_FORWARD, NULL, 0,
    "Enable x11 forwarding.", 0 },
  { "no-x11-forward", OPT_NO_X11_FORWARD, NULL, 0,
    "Disable x11 forwarding (default).", 0 },
#endif /* WITH_X11_FORWARD */
  
  /* Parsed by parse_subsystem_list; each program is executed for a
   * client that requests the named subsystem. */
  { "subsystems", OPT_SUBSYSTEMS, "List of subsystem names and programs", 0,
    "For example `sftp=/usr/sbin/sftp-server,foosystem=/usr/bin/foo' "
    "(experimental).", 0},
  
  { NULL, 0, NULL, 0, "Daemonic behaviour", 0 },
  { "daemonic", OPT_DAEMONIC, NULL, 0, "Run in the background, redirect stdio to /dev/null, and chdir to /.", 0 },
  { "no-daemonic", OPT_NO_DAEMONIC, NULL, 0, "Run in the foreground, with messages to stderr (default).", 0 },
  { "pid-file", OPT_PIDFILE, "file name", 0, "Create a pid file. When running in daemonic mode, "
    "the default is /var/run/lshd.pid.", 0 },
  { "no-pid-file", OPT_NO_PIDFILE, NULL, 0, "Don't use any pid file. Default in non-daemonic mode.", 0 },
  /* Keep disabled in production: the process holds the private host
   * key (read_host_key in main), which a core file would expose. */
  { "enable-core", OPT_CORE, NULL, 0, "Dump core on fatal errors (disabled by default).", 0 },
  { "no-syslog", OPT_NO_SYSLOG, NULL, 0, "Don't use syslog (by default, syslog is used "
    "when running in daemonic mode).", 0 },
  { NULL, 0, NULL, 0, NULL, 0 }
};

/* Sub-parsers merged into lshd's option set: the shared algorithm
 * selection (crypto/mac/compression/hostkey lists, given
 * &self->super as its input at ARGP_KEY_INIT) and the werror
 * verbosity/logging options (which take a NULL input). */
static const struct argp_child
main_argp_children[] =
{
  { &algorithms_argp, 0, "", 0 },
  { &werror_argp, 0, "", 0 },
  { NULL, 0, NULL, 0}
};

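/* Parse the --subsystems argument, a comma separated list of
 * NAME=PROGRAM pairs, into a NULL-terminated array laid out as
 * { name0, program0, name1, program1, ..., NULL }, the shape
 * make_subsystem_handler consumes.
 *
 * NOTE: Modifies the argument string destructively; the returned
 * pointers point into ARG, which must therefore outlive the array.
 *
 * Returns NULL if the list is malformed: an element without '=', an
 * empty name, an empty program, or an empty element (e.g. a trailing
 * comma). Each PROGRAM is later executed on a client's request, so
 * nothing is accepted that cannot name a program.
 */
static const char **
parse_subsystem_list(char *arg)
{
  const char **subsystems;
  unsigned length;
  unsigned i;
  char *p;

  /* Count the elements: one more than the number of separators. */
  for (length = 1, p = arg; *p; p++)
    if (*p == ',')
      length++;

  /* Two slots per pair, plus the terminating NULL. */
  subsystems = lsh_space_alloc((length * 2 + 1) * sizeof(*subsystems));

  p = arg;
  for (i = 0; i < length; i++)
    {
      char *name = p;
      char *program;
      char *eq = strchr(p, '=');
      char *comma;

      if (!eq)
	goto fail;

      *eq = '\0';
      program = eq + 1;

      /* The program runs to the next comma, or to the end of the
       * string for the last element. LENGTH was derived from the
       * number of commas, so every element but the last must be
       * followed by one; a missing comma here means a comma was
       * swallowed into a name, which is an error either way. */
      comma = strchr(program, ',');
      if (i + 1 < length)
	{
	  if (!comma)
	    goto fail;
	  *comma = '\0';
	  p = comma + 1;
	}
      else if (comma)
	goto fail;

      if (!*name || !*program)
	goto fail;

      subsystems[2*i] = name;
      subsystems[2*i+1] = program;
    }

  /* Explicit terminator: callers stop on it, so don't depend on the
   * allocator having zeroed the block. */
  subsystems[2*length] = NULL;
  return subsystems;

 fail:
  lsh_space_free(subsystems);
  return NULL;
}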

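/* Split an --interface argument into host and port.
 *
 * Accepted forms:
 *   HOST           HOST:PORT
 *   [LITERAL]      [LITERAL]:PORT
 * The bracketed form is the only way to give an IPv6 literal, since
 * its colons would otherwise be taken as the port separator. PORT may
 * be a number or a service name; it is resolved, not validated, by
 * the caller.
 *
 * NOTE: On success, modifies INTERFACE destructively (the ']' and ':'
 * separators are overwritten with NUL) and *HOST and *PORT point into
 * it. *PORT is NULL when no port was given. Returns 1 on success, 0
 * for a malformed argument: an unterminated '[', anything after ']'
 * other than ":PORT", or an empty port after ':'. *HOST is left
 * unset on failure. An empty host part is passed through as-is.
 */
static int
parse_interface(char *interface, const char **host, const char **port)
{
  char *sep;

  *port = NULL;

  if (interface[0] != '[')
    {
      /* Host name or IPv4 literal, optionally followed by :PORT. */
      sep = strchr(interface, ':');
      if (sep)
	{
	  /* "host:" names no port; reject it here instead of letting
	   * an empty service name fail later in resolution. */
	  if (!sep[1])
	    return 0;

	  *sep = '\0';
	  *port = sep + 1;
	}

      *host = interface;
      return 1;
    }

  /* Bracketed literal address. */
  interface++;

  sep = strchr(interface, ']');
  if (!sep)
    return 0;

  switch (sep[1])
    {
    case '\0':
      break;
    case ':':
      if (!sep[2])
	return 0;
      *port = sep + 2;
      break;
    default:
      /* Junk after the closing bracket. */
      return 0;
    }

  *sep = '\0';
  *host = interface;
  return 1;
}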

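/* Finish the key-exchange configuration once every option is known.
 *
 * Builds SELF->kex_algorithms (the list advertised in KEXINIT) and
 * registers the server-side implementation of each in
 * SELF->super.algorithms. USER_DB is used only for SRP, whose
 * verifiers are looked up in the user database; it must be non-NULL
 * when SRP is enabled. Reports a fatal option error if both methods
 * are disabled. */
static void
lshd_init_keyexchange(struct lshd_options *self,
		      struct argp_state *state,
		      struct user_db *user_db)
{
  int i = 0;

  if (!self->with_dh_keyexchange && !self->with_srp_keyexchange)
    {
      argp_error(state, "All keyexchange algorithms disabled.");
      return;
    }

  self->kex_algorithms
    = alloc_int_list(self->with_dh_keyexchange + self->with_srp_keyexchange);

  if (self->with_dh_keyexchange)
    {
      LIST(self->kex_algorithms)[i++] = ATOM_DIFFIE_HELLMAN_GROUP1_SHA1;
      ALIST_SET(self->super.algorithms,
		ATOM_DIFFIE_HELLMAN_GROUP1_SHA1,
		&make_dh_server(make_dh1(self->random))
		->super);
    }
#if WITH_SRP
  if (self->with_srp_keyexchange)
    {
      /* SRP authenticates the user as part of the exchange, so the
       * server side needs the user database. */
      assert(user_db);
      LIST(self->kex_algorithms)[i++] = ATOM_SRP_RING1_SHA1_LOCAL;
      ALIST_SET(self->super.algorithms,
		ATOM_SRP_RING1_SHA1_LOCAL,
		&make_srp_server(make_srp1(self->random),
				 user_db)
		->super);
    }
#endif /* WITH_SRP */
}

/* Choose the listen address when no --interface was given: the ANY
 * address on --port if set, else the "ssh" service with 22 as the
 * fallback. Does nothing if --interface already filled SELF->local. */
static void
lshd_init_default_address(struct lshd_options *self,
			  struct argp_state *state)
{
  int resolved;

  if (self->local)
    return;

  resolved = self->port
    ? io_resolv_address(NULL, self->port, 0, &self->local)
    : io_resolv_address(NULL, "ssh", 22, &self->local);

  if (!resolved)
    argp_failure(state, EXIT_FAILURE, 0,
		 "Strange. Could not resolve the ANY address.");
}

/* Finish the user-authentication configuration.
 *
 * Fills SELF->userauth_methods (the methods advertised to clients)
 * and SELF->userauth_algorithms (method atom -> implementation). Both
 * are allocated unconditionally, even when empty, so the checks
 * below and the code in make_lshd_listen_callback never see NULL;
 * previously --no-password --no-publickey dereferenced a NULL alist
 * instead of reporting the error. With SRP key exchange enabled the
 * "none" method is registered too, since the user was already
 * authenticated by the exchange; it is deliberately not added to the
 * advertised list. Reports a fatal option error if the resulting
 * algorithm table is empty. */
static void
lshd_init_userauth(struct lshd_options *self,
		   struct argp_state *state,
		   struct user_db *user_db)
{
  int i = 0;

  self->userauth_methods
    = alloc_int_list(self->with_password + self->with_publickey);
  self->userauth_algorithms = make_alist(0, -1);

  if (self->with_password)
    {
      LIST(self->userauth_methods)[i++] = ATOM_PASSWORD;
      ALIST_SET(self->userauth_algorithms,
		ATOM_PASSWORD,
		&make_userauth_password(user_db)->super);
    }

  if (self->with_publickey)
    {
      /* FIXME: Doesn't use spki */
      /* One key database, keyed by SHA1, serves both key types;
       * presumably the per-user "authorized_keys_sha1" store -- see
       * server_authorization.c for the exact lookup. */
      struct lookup_verifier *key_db
	= make_authorization_db(ssh_format("authorized_keys_sha1"),
				&crypto_sha1_algorithm);

      LIST(self->userauth_methods)[i++] = ATOM_PUBLICKEY;
      ALIST_SET(self->userauth_algorithms,
		ATOM_PUBLICKEY,
		&make_userauth_publickey
		(user_db,
		 make_alist(2,
			    ATOM_SSH_DSS, key_db,
			    ATOM_SSH_RSA, key_db,
			    -1))
		->super);
    }

  if (self->with_srp_keyexchange)
    ALIST_SET(self->userauth_algorithms,
	      ATOM_NONE,
	      &server_userauth_none.super);

  if (!self->userauth_algorithms->size)
    argp_error(state, "All user authentication methods disabled.");
}

/* argp callback for lshd's own options.
 *
 * Most keys just record a setting in the lshd_options object passed
 * as STATE->input. ARGP_KEY_INIT hands the algorithms child parser
 * its input; ARGP_KEY_END, which runs after every option has been
 * seen, derives the dependent state: the user database, the key
 * exchange and userauth tables, the listen address and the pid-file
 * default. Returns ARGP_ERR_UNKNOWN for keys that belong to the
 * child parsers. Errors are reported through argp_error /
 * argp_failure, which exit the process under the flags main() uses. */
static error_t
main_argp_parser(int key, char *arg, struct argp_state *state)
{
  CAST(lshd_options, self, state->input);
  
  switch(key)
    {
    default:
      return ARGP_ERR_UNKNOWN;

    case ARGP_KEY_INIT:
      state->child_inputs[0] = &self->super;
      state->child_inputs[1] = NULL;
      break;

    case ARGP_KEY_END:
      {
	struct user_db *user_db = NULL;
	
	if (!self->random)
	  argp_failure(state, EXIT_FAILURE, 0,
		       "No randomness generator available.");

	/* Every method that maps a login name to a local account goes
	 * through the user database; --root-login, --password-helper
	 * and --login-shell all take effect there. */
       	if (self->with_password || self->with_publickey
	    || self->with_srp_keyexchange)
	  user_db = make_unix_user_db(self->reaper,
				      self->pw_helper, self->login_shell,
				      self->allow_root);

	lshd_init_keyexchange(self, state, user_db);

	lshd_init_default_address(self, state);
	assert(self->local);

	/* -1 means "not given": use a pid file iff we daemonize. */
	if (self->use_pid_file < 0)
	  self->use_pid_file = self->daemonic;

	lshd_init_userauth(self, state, user_db);
	break;
      }

    case 'p':
      /* FIXME: Interpret multiple -p:s as a request to listen on
       * several ports. */
      self->port = arg;
      break;

    case 'h':
      self->hostkey = arg;
      break;

    case OPT_INTERFACE:
      {
	const char *host;
	const char *port;

	/* On success, modifies arg destructively. */
	if (!parse_interface(arg, &host, &port))
	  argp_error(state, "Invalid interface, port or service: %s.", arg);

	/* An interface without a port uses --port, then "ssh"/22. */
	if (!port)
	  port = self->port;
	
	if (!(port
	      ? io_resolv_address(host, port, 0, &self->local)
	      : io_resolv_address(host, "ssh", 22, &self->local)))
	  argp_failure(state, EXIT_FAILURE, 0,
		       "Address %s:%s could not be resolved.\n",
		       host, port ? port : "ssh");
      }
      break;

#if WITH_SSH1_FALLBACK
    case OPT_SSH1_FALLBACK:
      self->sshd1 = make_ssh1_fallback(arg ? arg : SSHD1);
      break;
#endif

    case OPT_SRP:
      self->with_srp_keyexchange = 1;
      break;

    case OPT_NO_SRP:
      self->with_srp_keyexchange = 0;
      break;
      
    case OPT_DH:
      self->with_dh_keyexchange = 1;
      break;

    case OPT_NO_DH:
      self->with_dh_keyexchange = 0;
      break;
      
    case OPT_PASSWORD:
      self->with_password = 1;
      break;
      
    case OPT_NO_PASSWORD:
      self->with_password = 0;
      break;

    case OPT_PUBLICKEY:
      self->with_publickey = 1;
      break;
      
    case OPT_NO_PUBLICKEY:
      self->with_publickey = 0;
      break;

    case OPT_ROOT_LOGIN:
      self->allow_root = 1;
      break;

    /* Listed in main_options but previously had no case here, so
     * "--no-root-login" was rejected as unknown instead of restoring
     * the default (e.g. after an earlier --root-login). */
    case OPT_NO_ROOT_LOGIN:
      self->allow_root = 0;
      break;

    case OPT_KERBEROS_PASSWD:
      self->pw_helper = PATH_KERBEROS_HELPER;
      break;

    case OPT_NO_KERBEROS_PASSWD:
      self->pw_helper = NULL;
      break;

    case OPT_PASSWORD_HELPER:
      self->pw_helper = arg;
      break;

    case OPT_LOGIN_SHELL:
      self->login_shell = arg;
      break;
      
#if WITH_TCP_FORWARD
    case OPT_TCPIP_FORWARD:
      self->with_tcpip_forward = 1;
      break;

    case OPT_NO_TCPIP_FORWARD:
      self->with_tcpip_forward = 0;
      break;
#endif /* WITH_TCP_FORWARD */

#if WITH_X11_FORWARD
    case OPT_X11_FORWARD:
      self->with_x11_forward = 1;
      break;
    case OPT_NO_X11_FORWARD:
      self->with_x11_forward = 0;
      break;
#endif /* WITH_X11_FORWARD */
      
#if WITH_PTY_SUPPORT
    case OPT_PTY:
      self->with_pty = 1;
      break;
    case OPT_NO_PTY:
      self->with_pty = 0;
      break;
#endif /* WITH_PTY_SUPPORT */

#if WITH_TCPWRAPPERS
    case OPT_TCPWRAPPERS:
      self->tcp_wrapper_name = arg; /* Name given */
      break;
    case OPT_NO_TCPWRAPPERS:
      self->tcp_wrapper_name = NULL; /* Disable by giving name NULL */
      break;
      
    case OPT_TCPWRAP_GOAWAY_MSG:
      self->tcp_wrapper_message = arg;
      break;
#endif /* WITH_TCPWRAPPERS */

    case OPT_SUBSYSTEMS:
      /* parse_subsystem_list modifies arg in place and keeps
       * pointers into it; argv lives as long as the process. */
      self->subsystems = parse_subsystem_list(arg);
      if (!self->subsystems)
	argp_error(state, "Invalid subsystem list.");
      break;

    case OPT_NO_SUBSYSTEMS:
      self->subsystems = NULL;
      break;
      
    case OPT_DAEMONIC:
      self->daemonic = 1;
      break;
      
    case OPT_NO_DAEMONIC:
      self->daemonic = 0;
      break;

    case OPT_NO_SYSLOG:
      self->no_syslog = 1;
      break;
      
    case OPT_PIDFILE:
      self->pid_file = arg;
      self->use_pid_file = 1;
      break;

    case OPT_NO_PIDFILE:
      self->use_pid_file = 0;
      break;

    case OPT_CORE:
      self->corefile = 1;
      break;
    }
  return 0;
}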

/* Top-level argp: lshd's options and parser, the one-line program
 * description shown by --help, and the child parsers. The --version
 * text and bug-report footer come from argp_program_version and
 * argp_program_bug_address at the top of the file. */
static const struct argp
main_argp =
{ main_options, main_argp_parser, 
  NULL,
  "Server for the ssh-2 protocol.",
  main_argp_children,
  NULL, NULL
};


/* GABA:
   (expr
     (name lshd_listen_callback)
     (params
       (handshake object handshake_info)
       (kexinit object make_kexinit)
       (keys object alist)
       (logger object command)
       (services object command) )
     (expr (lambda (lv)
    	      (services (connection_handshake
	                   handshake
			   kexinit
			   keys 
			   (logger lv))))))
*/


/* Invoked when starting the ssh-connection service */
/* GABA:
   (expr
     (name lshd_connection_service)
     (params
       (hooks object object_list))
     (expr
       (lambda (connection)
         ((progn hooks)
	    ; We have to initialize the connection
	    ; before adding handlers.
	    (init_connection_service
	      ; Disconnect if connection->user is NULL
	      (connection_require_userauth connection)))))))
*/

/* SIGTERM handler: tear down the io layer and end the process.
 *
 * Outside coverage builds the process ends itself with SIGKILL
 * instead of returning through exit(); the reason is not recorded
 * here -- presumably to skip atexit/gc teardown once the fds are
 * closed, TODO confirm. With WITH_GCOV the plain exit() is needed so
 * the profiling data is flushed. */
static void
do_terminate_callback(struct lsh_callback *s UNUSED)
{
  io_final();

#if !WITH_GCOV
  {
    pid_t self_pid = getpid();
    kill(self_pid, SIGKILL);
  }
#endif

  exit(0);
}

/* Callback object installed for SIGTERM. STATIC_HEADER is the object
 * header used for statically allocated lsh objects (as opposed to
 * NEW-allocated ones). */
static struct lsh_callback
sigterm_handler = { STATIC_HEADER, do_terminate_callback };

/* Install the daemon's signal handlers through the io layer.
 *
 * SIGTERM ends the process (do_terminate_callback). SIGHUP kills
 * RESOURCE -- main() passes its resource list, i.e. the listen
 * sockets and pid file -- so that no new connections are accepted
 * while existing ones finish (do_sighup_close_callback). */
static void
install_signal_handlers(struct resource *resource)
{
  struct lsh_callback *on_hup = make_sighup_close_callback(resource);

  io_signal_handler(SIGHUP, on_hup);
  io_signal_handler(SIGTERM, &sigterm_handler);
}

/* Build the ssh-connection service: what a client may do once it is
 * authenticated.
 *
 * The "session" channel type always accepts "shell" and "exec"
 * requests; pty-req/window-change, x11-req and subsystem are added
 * only when the corresponding option is on (pty and X11 also need
 * compile-time support). With tcp forwarding compiled in and
 * enabled, the forwarding hooks (make_tcpip_forward_hook, the
 * cancel-tcpip-forward global request handler and
 * make_direct_tcpip_hook) are installed as well. All hooks run
 * through lshd_connection_service above, which disconnects a
 * connection that has no authenticated user before any of them is
 * reached. */
static struct command *
make_lshd_connection_service(struct lshd_options *options)
{
  struct alist *channel_requests;
  struct command *session_setup;
  struct object_list *connection_hooks;

  /* Requests every session channel understands. */
  channel_requests = make_alist(2,
				ATOM_SHELL, &shell_request_handler,
				ATOM_EXEC, &exec_request_handler,
				-1);

#if WITH_PTY_SUPPORT
  if (options->with_pty)
    {
      ALIST_SET(channel_requests,
		ATOM_PTY_REQ, &pty_request_handler.super);
      ALIST_SET(channel_requests,
		ATOM_WINDOW_CHANGE, &window_change_request_handler.super);
    }
#endif /* WITH_PTY_SUPPORT */

#if WITH_X11_FORWARD
  if (options->with_x11_forward)
    ALIST_SET(channel_requests,
	      ATOM_X11_REQ, &x11_req_handler.super);
#endif /* WITH_X11_FORWARD */

  /* --subsystems: the name -> program table from parse_subsystem_list. */
  if (options->subsystems)
    ALIST_SET(channel_requests,
	      ATOM_SUBSYSTEM,
	      &make_subsystem_handler(options->subsystems)->super);

  session_setup
    = make_install_fix_channel_open_handler
        (ATOM_SESSION, make_open_session(channel_requests));

  /* Commands to be invoked on the connection. */
  /* FIXME: Use a queue instead. */
#if WITH_TCP_FORWARD
  if (options->with_tcpip_forward)
    connection_hooks
      = make_object_list(4,
			 session_setup,
			 make_tcpip_forward_hook(),
			 make_install_fix_global_request_handler
			   (ATOM_CANCEL_TCPIP_FORWARD, &tcpip_cancel_forward),
			 make_direct_tcpip_hook(),
			 -1);
  else
#endif /* WITH_TCP_FORWARD */
    connection_hooks = make_object_list(1, session_setup, -1);

  {
    CAST_SUBTYPE(command, service,
		 lshd_connection_service(connection_hooks));
    return service;
  }
}

/* Build the io callback that accepts an incoming connection and
 * drives it through the version handshake, key exchange and the
 * ssh-userauth service, after which SERVICE (the ssh-connection
 * service) takes over.
 *
 * KEYS holds the host keys loaded in main(); only hostkey algorithms
 * for which a key is present are advertised.
 *
 * NOTE(review): when the configured hostkey algorithm list leaves
 * nothing usable, the code below logs a warning and advertises the
 * hostkey algorithm "none" instead of refusing to start. A server
 * offering "none" presents no host authentication, so a client that
 * accepts it gets a connection that can be intercepted. main() has
 * already required read_host_key() to succeed, so this can only come
 * from an algorithm-list option that excludes every loaded key;
 * treating that as a fatal configuration error would be the safer
 * choice. */
static struct io_callback *
make_lshd_listen_callback(struct lshd_options *options,
			  struct alist *keys,
			  struct command *service)
{
  struct int_list *hostkey_algorithms
    = filter_algorithms(keys, options->super.hostkey_algorithms);
  struct command *logger = &io_log_peer_command;
  struct make_kexinit *kexinit;
  struct alist *services;

  if (!hostkey_algorithms)
    {
      werror("No hostkey algorithms advertised.\n");
      hostkey_algorithms = make_int_list(1, ATOM_NONE, -1);
    }

  /* The last argument is the (empty) list of languages. */
  kexinit = make_simple_kexinit(options->random,
				options->kex_algorithms,
				hostkey_algorithms,
				options->super.crypto_algorithms,
				options->super.mac_algorithms,
				options->super.compression_algorithms,
				make_int_list(0, -1));

#if WITH_TCPWRAPPERS
  /* With a service name set, each accepted peer goes through the tcp
   * wrapper first; a rejected peer is sent the configured message,
   * empty unless --tcpwrappers-msg was given. */
  if (options->tcp_wrapper_name)
    logger = make_tcp_wrapper
      (make_string(options->tcp_wrapper_name),
       make_string(options->tcp_wrapper_message
		   ? options->tcp_wrapper_message : ""));
#endif /* WITH_TCPWRAPPERS */

  /* The only service offered after key exchange is ssh-userauth,
   * which in turn offers only ssh-connection once the user is
   * authenticated. */
  services
    = make_alist(1,
		 ATOM_SSH_USERAUTH,
		 make_userauth_service(options->userauth_methods,
				       options->userauth_algorithms,
				       make_alist(1, ATOM_SSH_CONNECTION,
						  service, -1)),
		 -1);

  {
    CAST_SUBTYPE(command, server_callback,
		 lshd_listen_callback
		 (make_handshake_info(CONNECTION_SERVER,
				      "lsh - a free ssh",
				      NULL,
				      SSH_MAX_PACKET,
				      options->random,
				      options->super.algorithms,
				      options->sshd1),
		  kexinit,
		  keys,
		  logger,
		  make_offer_service(services)));

    return make_listen_callback(server_callback, options->e);
  }
}
1004

/* Entry point.
 *
 * Sets up the process (fd limit, gc, io loop, locale, signal
 * handlers), parses options, loads the host key, binds the listen
 * sockets, optionally daemonizes and writes a pid file, then runs the
 * event loop. The loop ends on SIGTERM (do_terminate_callback, which
 * exits directly) or, presumably, once a SIGHUP has closed the listen
 * sockets and the last connection is gone -- TODO confirm in io_run.
 *
 * Order matters: the host key is read and the sockets are bound
 * before fork()/daemon_init(), so failures there are reported on the
 * invoking terminal with a non-zero exit. Anything that fails after
 * the fork is reported by the child only, while the parent has
 * already exited successfully.
 *
 * Returns EXIT_FAILURE on any start-up error, 0 when the loop ends. */
int
main(int argc, char **argv)
{
  struct lshd_options *options;

  /* Resources that should be killed when SIGHUP is received,
   * or when the program exits. */
  struct resource_list *resources = make_resource_list();

  /* Hostkeys */
  struct alist *keys = make_alist(0, -1);

  struct resource *fds;
  
#if HAVE_SETRLIMIT && HAVE_SYS_RESOURCE_H
  /* Try to increase max number of open files, ignore any error */
  /* Best effort: raising the hard limit needs privileges, and a
   * refusal just leaves the inherited limit in place. */

  struct rlimit r;

  r.rlim_max = RLIM_INFINITY;
  r.rlim_cur = RLIM_INFINITY;

  setrlimit(RLIMIT_NOFILE, &r);
#endif

  /* Not strictly needed for gc, but makes sure the
   * resource list is killed properly by gc_final. */
  gc_global(&resources->super);
  
  io_init();
  
  /* For filtering messages. Could perhaps also be used when converting
   * strings to and from UTF8. */
  setlocale(LC_CTYPE, "");

  /* FIXME: Choose character set depending on the locale */
  set_local_charset(CHARSET_LATIN1);

  /* Installed before option parsing so that SIGHUP/SIGTERM are
   * handled from the start. */
  install_signal_handlers(&resources->super);

  options = make_lshd_options();

  if (!options)
    return EXIT_FAILURE;
  
  trace("Parsing options...\n");
  /* Flags 0: argp_error/argp_failure inside the parser exit the
   * process, so everything after this point has validated options. */
  argp_parse(&main_argp, argc, argv, 0, NULL, options);
  trace("Parsing options... done\n");  

  if (options->daemonic && !options->no_syslog)
    {
#if HAVE_SYSLOG
      set_error_syslog("lshd");
#else /* !HAVE_SYSLOG */
      werror("lshd: No syslog. Further messages will be directed to /dev/null.\n");
#endif /* !HAVE_SYSLOG */
    }
  
  /* Cores stay disabled unless --enable-core was given: the private
   * host key is loaded into this process just below, and a core file
   * would contain it. Failing to disable them is treated as fatal. */
  if (!options->corefile && !daemon_disable_core())
    {
      werror("Disabling of core dumps failed.\n");
      return EXIT_FAILURE;
    }

  /* Already checked at ARGP_KEY_END; kept as a second guard. */
  if (!options->random) 
    {
      werror("Failed to initialize randomness generator.\n");
      return EXIT_FAILURE;
    }

  /* Loads the key(s) from options->hostkey into KEYS, indexed by
   * sign

ature algorithm. Done before any fork, and with whatever
   * uid the daemon was started as; no privilege drop is visible in
   * this file. read_host_key reports its own errors. */
  if (!read_host_key(options->hostkey, options->signature_algorithms, keys))
    return EXIT_FAILURE;

  /* Bind every address in options->local; each accepted connection is
   * handled by the listen callback. Bound before daemonizing so a
   * port clash is reported to the caller. */
  fds = io_listen_list(options->local,
		       make_lshd_listen_callback
		       (options, keys,
			make_lshd_connection_service(options)),
		       options->e);
  if (!fds)
    {
      werror("Could not bind any address.\n");
      return EXIT_FAILURE;
    }

  remember_resource(resources, fds);
  
  if (options->daemonic)
    {
      if (options->no_syslog)
        {
          /* Just put process into the background. --no-syslog is an
           * inappropriate name */
          switch (fork())
            {
            case 0:
              /* Child */
              /* FIXME: Should we create a new process group, close our tty
               * and stdio, etc? */
              trace("forked into background. New pid: %i.\n", getpid());
              break;
              
            case -1:
              /* Error */
              /* NOTE(review): a failed fork is only logged; the server
               * then keeps running in the foreground instead of
               * exiting, which the caller cannot distinguish from
               * success. */
              werror("background_process: fork failed %e\n", errno);
              break;
              
            default:
              /* Parent */
              /* _exit, not exit: the child now owns the io state and
               * the atexit/gc teardown must not run here. */
              _exit(EXIT_SUCCESS);
            }
        }
      else
        {
          /* Full daemonization (background, stdio to /dev/null,
           * chdir to /, per the --daemonic help text). */
          switch (daemon_init())
            {
            case 0:
              werror("lshd: Spawning into background failed.\n");
              return EXIT_FAILURE;
            case DAEMON_INETD:
              werror("lshd: spawning from inetd not yet supported.\n");
              return EXIT_FAILURE;
            case DAEMON_INIT:
            case DAEMON_NORMAL:
              break;
            default:
              fatal("Internal error\n");
            }
        }
    }
  
  /* NOTE: this runs after the fork, so when another instance already
   * holds the pid file the parent has exited 0 and only the child's
   * log line reports the failure. The file is removed again by
   * do_kill_pid_file when the resource list is killed. */
  if (options->use_pid_file)
    {
      if (daemon_pidfile(options->pid_file))
	remember_resource(resources, 
			  make_pid_file_resource(options->pid_file));
      else
	{
	  werror("lshd seems to be running already.\n");
	  return EXIT_FAILURE;
	}
    }
  
  io_run();

  io_final();
  
  return 0;
}