/* lshd.c
 *
 * main server program.
 *
 * $Id$ */

/* lsh, an implementation of the ssh protocol
 *
 * Copyright (C) 1998 Niels Möller
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

#include "algorithms.h"
#include "alist.h"
#include "atoms.h"
#include "channel.h"
#include "channel_commands.h"
#include "charset.h"
#include "compress.h"
#include "connection_commands.h"
#include "crypto.h"
#include "daemon.h"
#include "dsa.h"
#include "format.h"
#include "handshake.h"
#include "io.h"
#include "io_commands.h"
#include "lookup_verifier.h"
#include "randomness.h"
#include "reaper.h"
#include "server.h"
#include "server_authorization.h"
#include "server_keyexchange.h"
#include "server_pty.h"
#include "server_session.h"
#include "sexp.h"
#include "sexp_commands.h"
#include "spki_commands.h"
#include "srp.h"
#include "ssh.h"
#include "tcpforward.h"
#include "tcpforward_commands.h"
#include "tcpforward_commands.h"
#include "server_userauth.h"
#include "version.h"
#include "werror.h"
#include "xalloc.h"

#include "lsh_argp.h"

/* Forward declarations */
struct command options2local;
#define OPTIONS2LOCAL (&options2local.super)

struct command options2keyfile;
#define OPTIONS2KEYFILE (&options2keyfile.super)

struct command options2signature_algorithms;
#define OPTIONS2SIGNATURE_ALGORITHMS \
  (&options2signature_algorithms.super)

#include "lshd.c.x"

#include <assert.h>

#include <errno.h>
#include <locale.h>
#include <stdio.h>
#include <string.h>

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#if HAVE_UNISTD_H
#include <unistd.h>
#endif

/* Option parsing */

const char *argp_program_version
= "lshd-" VERSION ", secsh protocol version " SERVER_PROTOCOL_VERSION;

const char *argp_program_bug_address = BUG_ADDRESS;

/* The definition of SBINDIR is currently broken */
#if 0
# define KERBEROS_HELPER SBINDIR "/lsh-krb-checkpw"
#else
# define KERBEROS_HELPER PREFIX "/sbin/lsh-krb-checkpw"
#endif

#define OPT_NO 0x400
#define OPT_SSH1_FALLBACK 0x200
#define OPT_INTERFACE 0x201

#define OPT_TCPIP_FORWARD 0x202
#define OPT_NO_TCPIP_FORWARD (OPT_TCPIP_FORWARD | OPT_NO)
#define OPT_PTY 0x203
#define OPT_NO_PTY (OPT_PTY | OPT_NO)
#define OPT_SUBSYSTEMS 0x204
#define OPT_NO_SUBSYSTEMS (OPT_SUBSYSTEMS | OPT_NO)

#define OPT_DAEMONIC 0x205
#define OPT_NO_DAEMONIC (OPT_DAEMONIC | OPT_NO)
#define OPT_PIDFILE 0x206
#define OPT_NO_PIDFILE (OPT_PIDFILE | OPT_NO)
#define OPT_CORE 0x207
#define OPT_SYSLOG 0x208
#define OPT_NO_SYSLOG (OPT_SYSLOG | OPT_NO)

#define OPT_SRP 0x210
#define OPT_NO_SRP (OPT_SRP | OPT_NO)
#define OPT_DH 0x211
#define OPT_NO_DH (OPT_DH | OPT_NO)

#define OPT_PUBLICKEY 0x220
#define OPT_NO_PUBLICKEY (OPT_PUBLICKEY | OPT_NO)
#define OPT_PASSWORD 0x221
#define OPT_NO_PASSWORD (OPT_PASSWORD | OPT_NO)

#define OPT_ROOT_LOGIN 0x222
#define OPT_NO_ROOT_LOGIN (OPT_ROOT_LOGIN | OPT_NO)

#define OPT_KERBEROS_PASSWD 0x223
#define OPT_NO_KERBEROS_PASSWD (OPT_KERBEROS_PASSWD | OPT_NO)

#define OPT_PASSWORD_HELPER 0x224

#define OPT_LOGIN_SHELL 0x225

/* GABA:
   (class
     (name lshd_options)
     (super algorithms_options)
     (vars
       (backend object io_backend)
       (e object exception_handler)
       
       (reaper object reap)
       (random object randomness_with_poll)
       
       (signature_algorithms object alist)
       (style . sexp_argp_state)
       (interface . "char *")
       (port . "char *")
       (hostkey . "char *")
       (local object address_info)

       (with_srp_keyexchange . int)
       (with_dh_keyexchange . int)

       ;; (kexinit object make_kexinit)
       (kex_algorithms object int_list)
       
       (with_publickey . int)
       (with_password . int)
       (allow_root . int)
       (pw_helper . "const char *")
       (login_shell . "const char *")
       
       (with_tcpip_forward . int)
       (with_pty . int)
       (subsystems . "const char **")
       
       (userauth_methods object int_list)
       (userauth_algorithms object alist)
       
       (sshd1 object ssh1_fallback)
       (daemonic . int)
       (no_syslog . int)
       (corefile . int)
       (pid_file . "const char *")
       ; -1 means use pid file iff we're in daemonic mode
       (use_pid_file . int)))
*/

/* Exception handler function used by make_lshd_exception_handler().
 *
 * Exceptions of type EXC_RESOLVE, EXC_SEXP_SYNTAX, EXC_SPKI_TYPE and
 * EXC_RANDOMNESS_LOW_ENTROPY are reported with werror() and end the
 * process with EXIT_FAILURE. Any other exception is raised on the
 * parent handler of S. */
static void
do_exc_lshd_handler(struct exception_handler *s,
                    const struct exception *e)
{
  if (e->type == EXC_RESOLVE
      || e->type == EXC_SEXP_SYNTAX
      || e->type == EXC_SPKI_TYPE
      || e->type == EXC_RANDOMNESS_LOW_ENTROPY)
    {
      /* The server stops here instead of carrying on; this includes
       * the case where the random source reported low entropy. */
      werror("lshd: %z\n", e->msg);
      exit(EXIT_FAILURE);
    }

  /* Not one of ours: let the parent handler decide. */
  EXCEPTION_RAISE(s->parent, e);
}

/* Creates an exception handler that dispatches to do_exc_lshd_handler
 * and has PARENT as its parent. CONTEXT is handed unchanged to
 * make_exception_handler(). */
static struct exception_handler *
make_lshd_exception_handler(struct exception_handler *parent,
                            const char *context)
{
  struct exception_handler *handler
    = make_exception_handler(do_exc_lshd_handler, parent, context);

  return handler;
}

/* Allocates an lshd_options object and fills in the server defaults.
 *
 * Defaults set here: DH key exchange on, SRP key exchange off;
 * password and publickey user authentication on; root login off;
 * tcpip forwarding and pty allocation on; no subsystems; foreground
 * operation; core files off. main_argp_parser() overrides them from
 * the command line. */
static struct lshd_options *
make_lshd_options(struct io_backend *backend)
{
  NEW(lshd_options, self);

  init_algorithms_options(&self->super, all_symmetric_algorithms());

  /* Runtime services. The random source is built from the reaper and
   * the exception handler, and the signature algorithms from the
   * random source, so these stay in this order. */
  self->backend = backend;
  self->e = make_lshd_exception_handler(&default_exception_handler,
                                        HANDLER_CONTEXT);
  self->reaper = make_reaper(backend);
  self->random = make_default_random(self->reaper, self->e);
  self->signature_algorithms = all_signature_algorithms(&self->random->super);

  /* Where to listen. A NULL port means: look up the "ssh" service,
   * and fall back to port 22 if that fails. */
  self->style = SEXP_TRANSPORT;
  self->interface = NULL;
  self->port = NULL;
  self->local = NULL;

  /* Server's private key file.
   * FIXME: this should perhaps use sysconfdir */
  self->hostkey = "/etc/lsh_host_key";

  /* Key exchange. */
  self->with_dh_keyexchange = 1;
  self->with_srp_keyexchange = 0;
  self->kex_algorithms = NULL;

  /* User authentication. Root login stays off unless asked for. */
  self->with_publickey = 1;
  self->with_password = 1;
  self->allow_root = 0;
  self->pw_helper = NULL;
  self->login_shell = NULL;
  self->userauth_methods = NULL;
  self->userauth_algorithms = NULL;

  /* Offered services. */
  self->with_tcpip_forward = 1;
  self->with_pty = 1;
  self->subsystems = NULL;
  self->sshd1 = NULL;

  /* Daemon behaviour. use_pid_file == -1 means: use a pid file iff
   * running in daemonic mode.
   * FIXME: Make the default a configure time option? */
  self->daemonic = 0;
  self->no_syslog = 0;
  self->pid_file = "/var/run/lshd.pid";
  self->use_pid_file = -1;
  self->corefile = 0;

  return self;
}

/* Port to listen on */
DEFINE_COMMAND(options2local)
     (struct command *s UNUSED,
      struct lsh_object *a,
      struct command_continuation *c,
      struct exception_handler *e UNUSED)
{
  /* A is the lshd_options object; hand its address_info (set at the
   * end of option parsing) to the continuation. */
  CAST(lshd_options, options, a);
  struct address_info *listen_address = options->local;

  COMMAND_RETURN(c, listen_address);
}

/* alist of signature algorithms */
DEFINE_COMMAND(options2signature_algorithms)
     (struct command *s UNUSED,
      struct lsh_object *a,
      struct command_continuation *c,
      struct exception_handler *e UNUSED)
{
  /* A is the lshd_options object; hand the alist built by
   * all_signature_algorithms() in make_lshd_options() to the
   * continuation. */
  CAST(lshd_options, options, a);
  struct alist *algorithms = options->signature_algorithms;

  COMMAND_RETURN(c, algorithms);
}

/* Read server's private key */

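DEFINE_COMMAND(options2keyfile)
     (struct command *ignored UNUSED,
      struct lsh_object *a,
      struct command_continuation *c,
      struct exception_handler *e)
{
  /* Opens the host key file named by options->hostkey for reading and
   * returns the resulting lsh_fd to C. On failure the error is logged
   * and an EXC_IO_OPEN_READ exception is raised on E.
   *
   * NOTE(review): the file holds the server's private key, and nothing
   * in this command checks its owner or mode before reading; confirm
   * whether io_read_file() or the key reader does. */
  CAST(lshd_options, options, a);

  struct lsh_fd *f;
  int saved_errno;

  f = io_read_file(options->backend, options->hostkey, e);

  /* Keep the error code of the failed open: werror() below may itself
   * make calls that overwrite errno before the exception is built. */
  saved_errno = errno;

  if (f)
    {
      COMMAND_RETURN(c, f);
    }
  else
    {
      werror("Failed to open '%z' (errno = %i): %z.\n",
             options->hostkey, saved_errno, STRERROR(saved_errno));
      EXCEPTION_RAISE(e, make_io_exception(EXC_IO_OPEN_READ, NULL,
                                           saved_errno, NULL));
    }
}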


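/* Command line options of lshd itself; options of the child parsers
 * are listed in main_argp_children. Every key in this table must have
 * a matching case in main_argp_parser(). */
static const struct argp_option
main_options[] =
{
  /* Name, key, arg-name, flags, doc, group */
  { "interface", OPT_INTERFACE, "interface", 0,
    "Listen on this network interface.", 0 },
  { "port", 'p', "Port", 0,
    "Listen on this port.", 0 },
  { "host-key", 'h', "Key file", 0,
    "Location of the server's private key.", 0},
#if WITH_SSH1_FALLBACK
  { "ssh1-fallback", OPT_SSH1_FALLBACK, "File name", OPTION_ARG_OPTIONAL,
    "Location of the sshd1 program, for falling back to version 1 "
    "of the Secure Shell protocol.", 0 },
#endif /* WITH_SSH1_FALLBACK */

  { NULL, 0, NULL, 0, "Keyexchange options:", 0 },
#if WITH_SRP
  { "srp-keyexchange", OPT_SRP, NULL, 0,
    "Enable experimental SRP support.", 0 },
  { "no-srp-keyexchange", OPT_NO_SRP, NULL, 0,
    "Disable experimental SRP support (default).", 0 },
#endif /* WITH_SRP */

  { "dh-keyexchange", OPT_DH, NULL, 0,
    "Enable DH support (default).", 0 },
  { "no-dh-keyexchange", OPT_NO_DH, NULL, 0,
    "Disable DH support.", 0 },

  { NULL, 0, NULL, 0, "User authentication options:", 0 },

  { "password", OPT_PASSWORD, NULL, 0,
    "Enable password user authentication (default).", 0},
  { "no-password", OPT_NO_PASSWORD, NULL, 0,
    "Disable password user authentication.", 0},

  { "publickey", OPT_PUBLICKEY, NULL, 0,
    "Enable publickey user authentication (default).", 0},
  { "no-publickey", OPT_NO_PUBLICKEY, NULL, 0,
    "Disable publickey user authentication.", 0},

  { "root-login", OPT_ROOT_LOGIN, NULL, 0,
    "Allow root to login.", 0 },
  { "no-root-login", OPT_NO_ROOT_LOGIN, NULL, 0,
    "Don't allow root to login (default).", 0 },

  { "login-shell", OPT_LOGIN_SHELL, "Program", 0,
    "Use this program as the login shell for all users. "
    "(Experimental)", 0 },

  { "kerberos-passwords", OPT_KERBEROS_PASSWD, NULL, 0,
    "Recognize kerberos passwords, using the helper program "
    "\"" KERBEROS_HELPER "\". This option is experimental.", 0 },
  { "no-kerberos-passwords", OPT_NO_KERBEROS_PASSWD, NULL, 0,
    "Don't recognize kerberos passwords (default behaviour).", 0 },

  { "password-helper", OPT_PASSWORD_HELPER, "Program", 0,
    "Use the named helper program for password verification. "
    "(Experimental).", 0 },

  { NULL, 0, NULL, 0, "Offered services:", 0 },

#if WITH_PTY_SUPPORT
  { "pty-support", OPT_PTY, NULL, 0,
    "Enable pty allocation (default).", 0 },
  { "no-pty-support", OPT_NO_PTY, NULL, 0,
    "Disable pty allocation.", 0 },
#endif /* WITH_PTY_SUPPORT */

#if WITH_TCP_FORWARD
  /* main_argp_parser() handles both keys and forwarding is on by
   * default; without these entries there is no way to switch it off
   * from the command line. */
  { "tcpip-forward", OPT_TCPIP_FORWARD, NULL, 0,
    "Enable tcpip forwarding (default).", 0 },
  { "no-tcpip-forward", OPT_NO_TCPIP_FORWARD, NULL, 0,
    "Disable tcpip forwarding.", 0 },
#endif /* WITH_TCP_FORWARD */

  { "subsystems", OPT_SUBSYSTEMS, "List of subsystem names and programs", 0,
    "For example `sftp=/usr/sbin/sftp-server,foosystem=/usr/bin/foo' "
    "(experimental).", 0},

  { NULL, 0, NULL, 0, "Daemonic behaviour", 0 },
  { "daemonic", OPT_DAEMONIC, NULL, 0,
    "Run in the background, redirect stdio to /dev/null, and chdir to /.", 0 },
  { "no-daemonic", OPT_NO_DAEMONIC, NULL, 0,
    "Run in the foreground, with messages to stderr (default).", 0 },
  { "pid-file", OPT_PIDFILE, "file name", 0,
    "Create a pid file. When running in daemonic mode, "
    "the default is /var/run/lshd.pid.", 0 },
  { "no-pid-file", OPT_NO_PIDFILE, NULL, 0,
    "Don't use any pid file. Default in non-daemonic mode.", 0 },
  { "enable-core", OPT_CORE, NULL, 0,
    "Dump core on fatal errors (disabled by default).", 0 },
  { "no-syslog", OPT_NO_SYSLOG, NULL, 0,
    "Don't use syslog (by default, syslog is used "
    "when running in daemonic mode).", 0 },
  { NULL, 0, NULL, 0, NULL, 0 }
};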

/* Child parsers whose options are merged into lshd's command line.
 * The order matters: main_argp_parser() fills state->child_inputs[]
 * by index at ARGP_KEY_INIT (0: &self->style, 1: &self->super,
 * 2: NULL), so entry N here receives child_inputs[N]. */
static const struct argp_child
main_argp_children[] =
{
  { &sexp_input_argp, 0, "", 0 },
  { &algorithms_argp, 0, "", 0 },
  { &werror_argp, 0, "", 0 },
  { NULL, 0, NULL, 0}
};

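/* Splits ARG, of the form "name=program,name=program,...", into an
 * array of alternating name and program strings.
 *
 * NOTE: Modifies the argument string. Each '=' and ',' separator is
 * overwritten with NUL and the returned pointers point into ARG, so
 * ARG must stay alive as long as the array is used.
 *
 * Returns an array allocated with lsh_space_alloc() that holds two
 * strings per subsystem followed by a NULL entry, or NULL if the list
 * is malformed (an element without '='). The programs named here come
 * from the --subsystems command line option. */
static const char **
parse_subsystem_list(char *arg)
{
  const char **subsystems;
  char *separator;
  unsigned length;
  unsigned i;

  /* First count the number of elements. */
  for (length = 1, i = 0; arg[i]; i++)
    if (arg[i] == ',')
      length++;

  /* Two pointers per element, plus one slot for the terminator. */
  subsystems = lsh_space_alloc((length * 2 + 1) * sizeof(*subsystems));

  for (i = 0; ; i++)
    {
      subsystems[2*i] = arg;

      separator = strchr(arg, '=');

      if (!separator)
        goto fail;

      *separator = '\0';

      subsystems[2*i+1] = arg = separator + 1;

      separator = strchr(arg, ',');

      if (i == (length - 1))
        break;

      if (!separator)
        goto fail;

      *separator = '\0';
      arg = separator + 1;
    }

  /* A comma left over after the last counted element. */
  if (separator)
    goto fail;

  /* The list is passed to make_subsystem_handler() without an element
   * count, so the end has to be marked. Nothing visible here shows
   * that lsh_space_alloc() zeroes the block, so write the terminator
   * explicitly. */
  subsystems[2*length] = NULL;

  return subsystems;

 fail:
  lsh_space_free(subsystems);
  return NULL;
}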

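/* argp parser callback for the options in main_options.
 *
 * state->input is the lshd_options object. Option keys only record
 * the choice in that object; ARG pointers are stored as given, not
 * copied. The derived state (user database, key exchange and user
 * authentication tables, listen address) is built at ARGP_KEY_END,
 * once all options are known.
 *
 * Returns 0 for a handled key and ARGP_ERR_UNKNOWN otherwise.
 * Invalid combinations are reported with argp_error(). */
static error_t
main_argp_parser(int key, char *arg, struct argp_state *state)
{
  CAST(lshd_options, self, state->input);

  switch(key)
    {
    default:
      return ARGP_ERR_UNKNOWN;
    case ARGP_KEY_INIT:
      /* Inputs for the parsers in main_argp_children, by index. */
      state->child_inputs[0] = &self->style;
      state->child_inputs[1] = &self->super;
      state->child_inputs[2] = NULL;
      break;
    case ARGP_KEY_END:
      {
        struct user_db *user_db = NULL;

        /* The user database is needed by password and publickey
         * authentication and by SRP key exchange. */
        if (self->with_password || self->with_publickey || self->with_srp_keyexchange)
          user_db = make_unix_user_db(self->backend, self->reaper,
                                      self->pw_helper, self->login_shell,
                                      self->allow_root);

        if (self->with_dh_keyexchange || self->with_srp_keyexchange)
          {
            int i = 0;
            self->kex_algorithms
              = alloc_int_list(self->with_dh_keyexchange + self->with_srp_keyexchange);

            if (self->with_dh_keyexchange)
              {
                /* NOTE(review): diffie-hellman-group1-sha1 is the only
                 * DH method offered here; it uses a fixed 1024-bit
                 * group with SHA-1 and is deprecated by current
                 * guidance (RFC 9142). */
                LIST(self->kex_algorithms)[i++] = ATOM_DIFFIE_HELLMAN_GROUP1_SHA1;
                ALIST_SET(self->super.algorithms,
                          ATOM_DIFFIE_HELLMAN_GROUP1_SHA1,
                          &make_dh_server(make_dh1(&self->random->super))
                          ->super);
              }
#if WITH_SRP
            if (self->with_srp_keyexchange)
              {
                assert(user_db);
                LIST(self->kex_algorithms)[i++] = ATOM_SRP_RING1_SHA1_LOCAL;
                ALIST_SET(self->super.algorithms,
                          ATOM_SRP_RING1_SHA1_LOCAL,
                          &make_srp_server(make_srp1(&self->random->super),
                                           user_db)
                          ->super);
              }
#endif /* WITH_SRP */
          }
        else
          argp_error(state, "All keyexchange algorithms disabled.");

        if (self->port)
          self->local = make_address_info_c(self->interface, self->port, 0);
        else
          self->local = make_address_info_c(self->interface, "ssh", 22);

        /* self->port is NULL when no --port was given; name the
         * service that was looked up instead of passing NULL to %s. */
        if (!self->local)
          argp_error(state, "Invalid interface, port or service, %s:%s'.",
                     self->interface ? self->interface : "ANY",
                     self->port ? self->port : "ssh");

        if (self->use_pid_file < 0)
          self->use_pid_file = self->daemonic;

        if (self->with_password || self->with_publickey)
          {
            int i = 0;

            self->userauth_methods
              = alloc_int_list(self->with_password + self->with_publickey);
            self->userauth_algorithms = make_alist(0, -1);

            if (self->with_password)
              {
                LIST(self->userauth_methods)[i++] = ATOM_PASSWORD;
                ALIST_SET(self->userauth_algorithms,
                          ATOM_PASSWORD,
                          &make_userauth_password(user_db)->super);
              }
            if (self->with_publickey)
              {
                /* FIXME: Doesn't use spki */
                struct lookup_verifier *key_db
                  = make_authorization_db(ssh_format("authorized_keys_sha1"),
                                          &sha1_algorithm);

                LIST(self->userauth_methods)[i++] = ATOM_PUBLICKEY;
                ALIST_SET(self->userauth_algorithms,
                          ATOM_PUBLICKEY,
                          &make_userauth_publickey
                          (user_db,
                           make_alist(2,
                                      ATOM_SSH_DSS, key_db,
                                      ATOM_SSH_RSA, key_db,
                                      -1))
                          ->super);
              }
          }
        else
          {
            /* Password and publickey are both disabled. The tables
             * must still exist: they are used just below, and with
             * them left NULL "--no-password --no-publickey" would
             * dereference a NULL pointer instead of reaching the
             * "All user authentication methods disabled." error.
             * NOTE(review): with SRP as the only method the list of
             * method names stays empty; confirm that
             * make_userauth_service() accepts that. */
            self->userauth_methods = make_int_list(0, -1);
            self->userauth_algorithms = make_alist(0, -1);
          }

        /* With SRP key exchange enabled, the "none" userauth method
         * is registered as well.
         * NOTE(review): this registration is per server, not per
         * connection; confirm that server_userauth_none only accepts
         * connections whose key exchange already authenticated the
         * user. */
        if (self->with_srp_keyexchange)
          ALIST_SET(self->userauth_algorithms,
                    ATOM_NONE,
                    &server_userauth_none.super);

        if (!self->userauth_algorithms->size)
          argp_error(state, "All user authentication methods disabled.");

        break;
      }
    case 'p':
      self->port = arg;
      break;

    case 'h':
      self->hostkey = arg;
      break;

    case OPT_INTERFACE:
      self->interface = arg;
      break;

#if WITH_SSH1_FALLBACK
    case OPT_SSH1_FALLBACK:
      self->sshd1 = make_ssh1_fallback(arg ? arg : SSHD1);
      break;
#endif

    case OPT_SRP:
      self->with_srp_keyexchange = 1;
      break;

    case OPT_NO_SRP:
      self->with_srp_keyexchange = 0;
      break;

    case OPT_DH:
      self->with_dh_keyexchange = 1;
      break;

    case OPT_NO_DH:
      self->with_dh_keyexchange = 0;
      break;

    case OPT_PASSWORD:
      self->with_password = 1;
      break;

    case OPT_NO_PASSWORD:
      self->with_password = 0;
      break;

    case OPT_PUBLICKEY:
      self->with_publickey = 1;
      break;

    case OPT_NO_PUBLICKEY:
      self->with_publickey = 0;
      break;

    case OPT_ROOT_LOGIN:
      self->allow_root = 1;
      break;

    case OPT_NO_ROOT_LOGIN:
      /* main_options lists --no-root-login, so the key needs a case
       * here; otherwise the option is rejected as unknown. */
      self->allow_root = 0;
      break;

    case OPT_KERBEROS_PASSWD:
      self->pw_helper = KERBEROS_HELPER;
      break;

    case OPT_NO_KERBEROS_PASSWD:
      self->pw_helper = NULL;
      break;

    case OPT_PASSWORD_HELPER:
      self->pw_helper = arg;
      break;

    case OPT_LOGIN_SHELL:
      self->login_shell = arg;
      break;

#if WITH_TCP_FORWARD
    case OPT_TCPIP_FORWARD:
      self->with_tcpip_forward = 1;
      break;

    case OPT_NO_TCPIP_FORWARD:
      self->with_tcpip_forward = 0;
      break;
#endif /* WITH_TCP_FORWARD */

#if WITH_PTY_SUPPORT
    case OPT_PTY:
      self->with_pty = 1;
      break;
    case OPT_NO_PTY:
      self->with_pty = 0;
      break;
#endif /* WITH_PTY_SUPPORT */

    case OPT_SUBSYSTEMS:
      /* parse_subsystem_list() writes into ARG and keeps pointers
       * into it. */
      self->subsystems = parse_subsystem_list(arg);
      if (!self->subsystems)
        argp_error(state, "Invalid subsystem list.");
      break;

    case OPT_NO_SUBSYSTEMS:
      self->subsystems = NULL;
      break;

    case OPT_DAEMONIC:
      self->daemonic = 1;
      break;

    case OPT_NO_DAEMONIC:
      self->daemonic = 0;
      break;

    case OPT_NO_SYSLOG:
      self->no_syslog = 1;
      break;

    case OPT_PIDFILE:
      self->pid_file = arg;
      self->use_pid_file = 1;
      break;

    case OPT_NO_PIDFILE:
      self->use_pid_file = 0;
      break;

    case OPT_CORE:
      self->corefile = 1;
      break;
    }
  return 0;
}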

/* Top-level argp description handed to argp_parse() in main(). The
 * field comments assume lsh_argp.h lays out struct argp like glibc's
 * <argp.h>. */
static const struct argp
main_argp =
{
  main_options,                      /* option table */
  main_argp_parser,                  /* parser callback */
  NULL,                              /* no non-option arguments */
  "Server for the ssh-2 protocol.",  /* help text */
  main_argp_children,                /* child parsers */
  NULL,
  NULL
};


/* GABA:
   (expr
     (name make_lshd_listen)
     (params
       (backend object io_backend)
       (handshake object handshake_info)
       (init object make_kexinit)
       (services object command) )
     (expr (lambda (options)
             (let ((keys 
		    (spki_read_hostkeys (options2signature_algorithms options)
			                (options2keyfile options))))
	       (listen_callback
	         (lambda (lv)
    		   (services (connection_handshake
    				  handshake
    				  (kexinit_filter init keys)
    				  keys 
    				  (log_peer lv))))
		 backend
		 (options2local options))))))
*/


/* Invoked when starting the ssh-connection service */
/* GABA:
   (expr
     (name make_lshd_connection_service)
     (params
       (hooks object object_list))
     (expr
       (lambda (connection)
         ((progn hooks)
	    ; We have to initialize the connection
	    ; before adding handlers.
	    (init_connection_service
	      ; Disconnect if connection->user is NULL
	      (connection_require_userauth connection)))))))
*/

#if WITH_GCOV
/* FIXME: Perhaps move to daemon.c? */
/* Catch SIGTERM and call exit(). That way, profiling info is written
 * properly when the process is terminated. */

/* Set to 1 by the SIGTERM handler below; its address is given to
 * io_signal_handler() in install_terminate_handler(). */
static volatile sig_atomic_t terminate = 0;

/* SIGTERM handler: only records that the signal arrived. */
static void terminate_handler(int signum)
{
  assert(SIGTERM == signum);

  terminate = 1;
}

/* Callback registered for the terminate flag: runs gc_final() and
 * then leaves through exit(), so that exit-time processing (here, the
 * profiling output) takes place. */
static void
do_terminate_callback(struct lsh_callback *s UNUSED)
{
  gc_final();

  exit(0);
}

/* Statically allocated callback object wrapping
 * do_terminate_callback(). */
static struct lsh_callback terminate_callback =
{
  STATIC_HEADER,
  do_terminate_callback
};

/* Installs terminate_handler for SIGTERM and registers
 * terminate_callback with BACKEND for the terminate flag. Exits with
 * EXIT_FAILURE if the handler cannot be installed. */
static void
install_terminate_handler(struct io_backend *backend)
{
  struct sigaction action;

  memset(&action, 0, sizeof(action));
  action.sa_flags = 0;
  action.sa_handler = terminate_handler;
  sigemptyset(&action.sa_mask);

  if (sigaction(SIGTERM, &action, NULL) < 0)
    {
      werror ("Failed to install SIGTERM handler (errno = %i): %z\n",
              errno, STRERROR(errno));
      exit(EXIT_FAILURE);
    }

  io_signal_handler(backend, &terminate, &terminate_callback);
}
#endif /* WITH_GCOV */

/* lshd entry point: parse options, apply the process-level settings
 * (core dumps, syslog, background mode, pid file), build the service
 * objects and run the io loop.
 *
 * Returns EXIT_FAILURE if one of the start-up steps fails and 0 once
 * io_run() returns. */
int main(int argc, char **argv)
{
  struct lshd_options *options;

  struct io_backend *backend = make_io_backend();

#if WITH_GCOV
  install_terminate_handler(backend);
#endif

  /* For filtering messages. Could perhaps also be used when converting
   * strings to and from UTF8. */
  setlocale(LC_CTYPE, "");

  /* FIXME: Choose character set depending on the locale */
  set_local_charset(CHARSET_LATIN1);

  options = make_lshd_options(backend);

  trace("Parsing options...\n");
  argp_parse(&main_argp, argc, argv, 0, NULL, options);
  trace("Parsing options...\n");

  /* Core dumps are switched off unless --enable-core was given, and
   * start-up is abandoned if that fails. */
  if (!options->corefile)
    {
      if (!daemon_disable_core())
        {
          werror("Disabling of core dumps failed.\n");
          return EXIT_FAILURE;
        }
    }

  if (options->daemonic && !options->no_syslog)
    {
#if HAVE_SYSLOG
      set_error_syslog("lshd");
#else /* !HAVE_SYSLOG */
      werror("lshd: No syslog. Further messages will be directed to /dev/null.\n");
#endif /* !HAVE_SYSLOG */
    }

  if (options->daemonic)
    {
      switch (daemon_init())
        {
        case 0:
          werror("lshd: Spawning into background failed.\n");
          return EXIT_FAILURE;
        case DAEMON_INETD:
          werror("lshd: spawning from inetd not yet supported.\n");
          return EXIT_FAILURE;
        case DAEMON_INIT:
        case DAEMON_NORMAL:
          break;
        default:
          fatal("Internal error\n");
        }
    }

  if (options->use_pid_file)
    {
      if (!daemon_pidfile(options->pid_file))
        {
          werror("lshd seems to be running already.\n");
          return EXIT_FAILURE;
        }
    }

  /* NOTE: We have to do this *after* forking into the background,
   * because otherwise we won't be able to waitpid() on the background
   * process. */

  /* Start background poll */
  RANDOM_POLL_BACKGROUND(options->random->poller);

  {
    /* Commands to be invoked on the connection */
    struct object_list *hooks;
    struct command *open_session_cmd;

    /* Channel requests accepted on a session: shell and exec always,
     * pty and subsystem requests only when enabled below. */
    struct alist *channel_requests
      = make_alist(2,
                   ATOM_SHELL, make_shell_handler(backend),
                   ATOM_EXEC, make_exec_handler(backend),
                   -1);

#if WITH_PTY_SUPPORT
    if (options->with_pty)
      {
        ALIST_SET(channel_requests,
                  ATOM_PTY_REQ, &pty_request_handler.super);
      }
#endif /* WITH_PTY_SUPPORT */

    if (options->subsystems)
      {
        ALIST_SET(channel_requests,
                  ATOM_SUBSYSTEM,
                  &make_subsystem_handler(backend,
                                          options->subsystems)->super);
      }

    open_session_cmd = make_install_fix_channel_open_handler
      (ATOM_SESSION, make_open_session(channel_requests));

    /* The forwarding hooks are added only when tcpip forwarding is
     * compiled in and enabled; otherwise a connection gets the
     * session hook alone. */
#if WITH_TCP_FORWARD
    if (options->with_tcpip_forward)
      hooks = make_object_list
        (4,
         open_session_cmd,
         make_tcpip_forward_hook(backend),
         make_install_fix_global_request_handler
         (ATOM_CANCEL_TCPIP_FORWARD, &tcpip_cancel_forward),
         make_direct_tcpip_hook(backend),
         -1);
    else
#endif
      hooks = make_object_list (1, open_session_cmd, -1);

    {
      /* FIXME: We should check that we have at least one host key. We
       * should also extract the host-key algorithms for which we have
       * keys, instead of hardcoding ssh-dss below. */

      CAST_SUBTYPE(command, connection_cmd,
                   make_lshd_connection_service(hooks));
      CAST_SUBTYPE(command, listener,
                   make_lshd_listen
                   (backend,
                    make_handshake_info(CONNECTION_SERVER,
                                        "lsh - a free ssh",
                                        NULL,
                                        SSH_MAX_PACKET,
                                        &options->random->super,
                                        options->super.algorithms,
                                        options->sshd1),
                    make_simple_kexinit
                    (&options->random->super,
                     options->kex_algorithms,
                     options->super.hostkey_algorithms,
                     options->super.crypto_algorithms,
                     options->super.mac_algorithms,
                     options->super.compression_algorithms,
                     make_int_list(0, -1)),
                    /* The only service offered after key exchange is
                     * ssh-userauth, which in turn offers
                     * ssh-connection. */
                    make_offer_service
                    (make_alist
                     (1,
                      ATOM_SSH_USERAUTH,
                      make_userauth_service(options->userauth_methods,
                                            options->userauth_algorithms,
                                            make_alist(1, ATOM_SSH_CONNECTION,
                                                       connection_cmd, -1)),
                      -1))));

      COMMAND_CALL(listener, options,
                   &discard_continuation,
                   make_report_exception_handler
                   (make_report_exception_info(EXC_IO, EXC_IO, "lshd: "),
                    options->e,
                    HANDLER_CONTEXT));
    }
  }

  io_run(backend);

  gc_final();

  return 0;
}