1 /* $OpenBSD: sshconnect.c,v 1.329 2020/03/13 04:01:56 djm Exp $ */ 2 /* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * Code to connect to a remote host, and to perform the client side of the 7 * login (authentication) dialog. 8 * 9 * As far as I am concerned, the code I have written for this software 10 * can be used freely for any purpose. Any derived versions of this 11 * software must be clearly marked as such, and if the derived work is 12 * incompatible with the protocol description in the RFC file, it must be 13 * called by a name other than "ssh" or "Secure Shell". 14 */ 15 16 #include "includes.h" 17 18 #include <sys/types.h> 19 #include <sys/wait.h> 20 #include <sys/stat.h> 21 #include <sys/socket.h> 22 #ifdef HAVE_SYS_TIME_H 23 # include <sys/time.h> 24 #endif 25 26 #include <net/if.h> 27 #include <netinet/in.h> 28 #include <arpa/inet.h> 29 30 #include <ctype.h> 31 #include <errno.h> 32 #include <fcntl.h> 33 #include <netdb.h> 34 #ifdef HAVE_PATHS_H 35 #include <paths.h> 36 #endif 37 #include <pwd.h> 38 #ifdef HAVE_POLL_H 39 #include <poll.h> 40 #endif 41 #include <signal.h> 42 #include <stdio.h> 43 #include <stdlib.h> 44 #include <stdarg.h> 45 #include <string.h> 46 #include <unistd.h> 47 #ifdef HAVE_IFADDRS_H 48 # include <ifaddrs.h> 49 #endif 50 51 #include "xmalloc.h" 52 #include "hostfile.h" 53 #include "ssh.h" 54 #include "sshbuf.h" 55 #include "packet.h" 56 #include "compat.h" 57 #include "sshkey.h" 58 #include "sshconnect.h" 59 #include "log.h" 60 #include "misc.h" 61 #include "readconf.h" 62 #include "atomicio.h" 63 #include "dns.h" 64 #include "monitor_fdpass.h" 65 #include "ssh2.h" 66 #include "version.h" 67 #include "authfile.h" 68 #include "ssherr.h" 69 #include "authfd.h" 70 #include "kex.h" 71 72 struct sshkey *previous_host_key = NULL; 73 74 static int matching_host_key_dns = 0; 75 76 static pid_t proxy_command_pid = 0; 77 78 /* import */ 79 extern 
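int debug_flag;
extern Options options;
extern char *__progname;

static int show_other_keys(struct hostkeys *, struct sshkey *);
static void warn_changed_key(struct sshkey *);

/*
 * Expand a proxy command.
 *
 * Builds "exec <proxy_command>" and expands the %h (host), %n (host_arg),
 * %p (port) and %r (options.user) tokens. The returned string is allocated
 * and must be freed by the caller.
 *
 * Both callers in this file hand the result to "$SHELL -c", so every
 * substituted value ends up inside a shell command line. No quoting is
 * applied in this function; whether percent_expand() or the callers'
 * callers sanitise host/user strings is not visible here -- verify.
 *
 * NOTE(review): the "user" parameter is not referenced; %r is expanded from
 * options.user. The two visible callers pass options.user, so the result is
 * the same today.
 */
static char *
expand_proxy_command(const char *proxy_command, const char *user,
    const char *host, const char *host_arg, int port)
{
	char *tmp, *ret, strport[NI_MAXSERV];

	snprintf(strport, sizeof strport, "%d", port);
	xasprintf(&tmp, "exec %s", proxy_command);
	ret = percent_expand(tmp,
	    "h", host,
	    "n", host_arg,
	    "p", strport,
	    "r", options.user,
	    (char *)NULL);
	free(tmp);
	return ret;
}

/*
 * Point stderr at _PATH_DEVNULL. Failures are logged with error() and
 * otherwise ignored, so stderr may be left unchanged on return.
 */
static void
stderr_null(void)
{
	int devnull;

	if ((devnull = open(_PATH_DEVNULL, O_WRONLY)) == -1) {
		error("Can't open %s for stderr redirection: %s",
		    _PATH_DEVNULL, strerror(errno));
		return;
	}
	/* open() handed back fd 2 itself: nothing left to do. */
	if (devnull == STDERR_FILENO)
		return;
	if (dup2(devnull, STDERR_FILENO) == -1)
		error("Cannot redirect stderr to %s", _PATH_DEVNULL);
	/* Only close the temporary descriptor when it is not fd 0/1/2. */
	if (devnull > STDERR_FILENO)
		close(devnull);
}

/*
 * Connect to the given ssh server using a proxy command that passes a
 * connected fd back to us.
 *
 * The command is run as "$SHELL -c <expanded command>" with one end of an
 * AF_UNIX socketpair as its stdin and stdout; the connected descriptor is
 * read from the other end with mm_receive_fd(). Returns 0 on success and
 * -1 if ssh_packet_set_connection() fails; most other failures are fatal().
 */
static int
ssh_proxy_fdpass_connect(struct ssh *ssh, const char *host,
    const char *host_arg, u_short port, const char *proxy_command)
{
	char *command_string;
	int sp[2], sock;
	pid_t pid;
	char *shell;

	/*
	 * An empty $SHELL is treated like an unset one, matching
	 * ssh_proxy_connect(); otherwise execv("") fails in the child.
	 */
	if ((shell = getenv("SHELL")) == NULL || *shell == '\0')
		shell = _PATH_BSHELL;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) == -1)
		fatal("Could not create socketpair to communicate with "
		    "proxy dialer: %.100s", strerror(errno));

	command_string = expand_proxy_command(proxy_command, options.user,
	    host, host_arg, port);
	debug("Executing proxy dialer command: %.500s", command_string);

	/* Fork and execute the proxy command. */
	if ((pid = fork()) == 0) {
		char *argv[10];

		close(sp[1]);
		/* Redirect stdin and stdout. */
		if (sp[0] != 0) {
			if (dup2(sp[0], 0) == -1)
				perror("dup2 stdin");
		}
		if (sp[0] != 1) {
			if (dup2(sp[0], 1) == -1)
				perror("dup2 stdout");
		}
		if (sp[0] >= 2)
			close(sp[0]);

		/*
		 * Stderr is left open for non-ControlPersist connections so
		 * error messages may be printed on the user's terminal.
		 */
		if (!debug_flag && options.control_path != NULL &&
		    options.control_persist)
			stderr_null();

		argv[0] = shell;
		argv[1] = "-c";
		argv[2] = command_string;
		argv[3] = NULL;

		/*
		 * Execute the proxy command.
		 * Note that we gave up any extra privileges above.
		 */
		execv(argv[0], argv);
		perror(argv[0]);
		exit(1);
	}
	/* Parent. */
	if (pid == -1)
		fatal("fork failed: %.100s", strerror(errno));
	close(sp[0]);
	free(command_string);

	if ((sock = mm_receive_fd(sp[1])) == -1)
		fatal("proxy dialer did not pass back a connection");
	close(sp[1]);

	/* The dialer is expected to exit once it has passed the fd. */
	while (waitpid(pid, NULL, 0) == -1)
		if (errno != EINTR)
			fatal("Couldn't wait for child: %s", strerror(errno));

	/* Set the connection file descriptors. */
	if (ssh_packet_set_connection(ssh, sock, sock) == NULL)
		return -1; /* ssh_packet_set_connection logs error */

	return 0;
}

/*
 * Connect to the given ssh server using a proxy command.
 *
 * The command is run as "$SHELL -c <expanded command>" with a pair of pipes
 * as its stdin/stdout. The child's pid is stored in proxy_command_pid so
 * ssh_kill_proxy_command() can signal it later. Returns 0 on success and -1
 * if ssh_packet_set_connection() fails; pipe/fork failures are fatal().
 */
static int
ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg,
    u_short port, const char *proxy_command)
{
	char *command_string;
	int pin[2], pout[2];
	pid_t pid;
	char *shell;

	if ((shell = getenv("SHELL")) == NULL || *shell == '\0')
		shell = _PATH_BSHELL;

	/* Create pipes for communicating with the proxy. */
	if (pipe(pin) == -1 || pipe(pout) == -1)
		fatal("Could not create pipes to communicate with the proxy: %.100s",
		    strerror(errno));

	command_string = expand_proxy_command(proxy_command, options.user,
	    host, host_arg, port);
	debug("Executing proxy command: %.500s", command_string);

	/* Fork and execute the proxy command. */
	if ((pid = fork()) == 0) {
		char *argv[10];

		/* Redirect stdin and stdout. */
		close(pin[1]);
		if (pin[0] != 0) {
			if (dup2(pin[0], 0) == -1)
				perror("dup2 stdin");
			close(pin[0]);
		}
		close(pout[0]);
		if (dup2(pout[1], 1) == -1)
			perror("dup2 stdout");
		/* Cannot be 1 because pin allocated two descriptors. */
		close(pout[1]);

		/*
		 * Stderr is left open for non-ControlPersist connections so
		 * error messages may be printed on the user's terminal.
		 */
		if (!debug_flag && options.control_path != NULL &&
		    options.control_persist)
			stderr_null();

		argv[0] = shell;
		argv[1] = "-c";
		argv[2] = command_string;
		argv[3] = NULL;

		/* Execute the proxy command.  Note that we gave up any
		   extra privileges above. */
		ssh_signal(SIGPIPE, SIG_DFL);
		execv(argv[0], argv);
		perror(argv[0]);
		exit(1);
	}
	/* Parent. */
	if (pid == -1)
		fatal("fork failed: %.100s", strerror(errno));
	else
		proxy_command_pid = pid; /* save pid to clean up later */

	/* Close child side of the descriptors. */
	close(pin[0]);
	close(pout[1]);

	/* Free the command name. */
	free(command_string);

	/* Set the connection file descriptors. */
	if (ssh_packet_set_connection(ssh, pout[0], pin[1]) == NULL)
		return -1; /* ssh_packet_set_connection logs error */

	return 0;
}

void
ssh_kill_proxy_command(void)
{
	/*
	 * Send SIGHUP to proxy command if used. We don't wait() in
	 * case it hangs and instead rely on init to reap the child.
	 * The "> 1" test keeps kill() away from pid 0 (never started),
	 * pid 1 and negative values.
	 */
	if (proxy_command_pid > 1)
		kill(proxy_command_pid, SIGHUP);
}

#ifdef HAVE_IFADDRS_H
/*
 * Search an interface address list (returned from getifaddrs(3)) for an
 * address that matches the desired address family on the specified interface.
 * Returns 0 and fills in *resultp and *rlenp on success. Returns -1 on failure.
 *
 * On entry *rlenp must hold the size of *resultp; it is checked before the
 * copy and overwritten with the size of the address that was stored.
 *
 * NOTE(review): the interface name is compared against
 * options.bind_interface, not the "ifname" argument. The only visible caller
 * passes options.bind_interface, so the two agree today.
 */
static int
check_ifaddrs(const char *ifname, int af, const struct ifaddrs *ifaddrs,
    struct sockaddr_storage *resultp, socklen_t *rlenp)
{
	struct sockaddr_in6 *sa6;
	struct sockaddr_in *sa;
	struct in6_addr *v6addr;
	const struct ifaddrs *ifa;
	int allow_local;

	/*
	 * Prefer addresses that are not loopback or linklocal, but use them
	 * if nothing else matches.
	 */
	for (allow_local = 0; allow_local < 2; allow_local++) {
		for (ifa = ifaddrs; ifa != NULL; ifa = ifa->ifa_next) {
			if (ifa->ifa_addr == NULL || ifa->ifa_name == NULL ||
			    (ifa->ifa_flags & IFF_UP) == 0 ||
			    ifa->ifa_addr->sa_family != af ||
			    strcmp(ifa->ifa_name, options.bind_interface) != 0)
				continue;
			switch (ifa->ifa_addr->sa_family) {
			case AF_INET:
				sa = (struct sockaddr_in *)ifa->ifa_addr;
				if (!allow_local && sa->sin_addr.s_addr ==
				    htonl(INADDR_LOOPBACK))
					continue;
				/* Refuse to copy into a too-small buffer. */
				if (*rlenp < sizeof(struct sockaddr_in)) {
					error("%s: v4 addr doesn't fit",
					    __func__);
					return -1;
				}
				*rlenp = sizeof(struct sockaddr_in);
				memcpy(resultp, sa, *rlenp);
				return 0;
			case AF_INET6:
				sa6 = (struct sockaddr_in6 *)ifa->ifa_addr;
				v6addr = &sa6->sin6_addr;
				if (!allow_local &&
				    (IN6_IS_ADDR_LINKLOCAL(v6addr) ||
				    IN6_IS_ADDR_LOOPBACK(v6addr)))
					continue;
				/* Refuse to copy into a too-small buffer. */
				if (*rlenp < sizeof(struct sockaddr_in6)) {
					error("%s: v6 addr doesn't fit",
					    __func__);
					return -1;
				}
				*rlenp = sizeof(struct sockaddr_in6);
				memcpy(resultp, sa6, *rlenp);
				return 0;
			}
		}
	}
	return -1;
}
#endif

/*
 * Creates a socket for use as the ssh connection.
 *
 * The socket is marked close-on-exec. When options.bind_address or
 * options.bind_interface is set, the socket is also bound to that local
 * address. Returns the descriptor, or -1 on failure (already logged).
 */
static int
ssh_create_socket(struct addrinfo *ai)
{
	int sock, r;
	struct sockaddr_storage bindaddr;
	socklen_t bindaddrlen = 0;
	struct addrinfo hints, *res = NULL;
#ifdef HAVE_IFADDRS_H
	struct ifaddrs *ifaddrs = NULL;
#endif
	char ntop[NI_MAXHOST];

	sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
	if (sock == -1) {
		error("socket: %s", strerror(errno));
		return -1;
	}
	/* Keep the descriptor out of any exec'd child; result not checked. */
	fcntl(sock, F_SETFD, FD_CLOEXEC);

	/* Bind the socket to an alternative local IP address */
	if (options.bind_address == NULL && options.bind_interface == NULL)
		return sock;

	if (options.bind_address != NULL) {
		memset(&hints, 0, sizeof(hints));
		hints.ai_family = ai->ai_family;
		hints.ai_socktype = ai->ai_socktype;
		hints.ai_protocol = ai->ai_protocol;
		hints.ai_flags = AI_PASSIVE;
		if ((r = getaddrinfo(options.bind_address, NULL,
		    &hints, &res)) != 0) {
			error("getaddrinfo: %s: %s", options.bind_address,
			    ssh_gai_strerror(r));
			goto fail;
		}
		if (res == NULL) {
			error("getaddrinfo: no addrs");
			goto fail;
		}
		/*
		 * NOTE(review): ai_addrlen is trusted to fit in a
		 * sockaddr_storage; there is no explicit bound check here.
		 */
		memcpy(&bindaddr, res->ai_addr, res->ai_addrlen);
		bindaddrlen = res->ai_addrlen;
	} else if (options.bind_interface != NULL) {
#ifdef HAVE_IFADDRS_H
		if ((r = getifaddrs(&ifaddrs)) != 0) {
			error("getifaddrs: %s: %s", options.bind_interface,
			    strerror(errno));
			goto fail;
		}
		bindaddrlen = sizeof(bindaddr);
		if (check_ifaddrs(options.bind_interface, ai->ai_family,
		    ifaddrs, &bindaddr, &bindaddrlen) != 0) {
			logit("getifaddrs: %s: no suitable addresses",
			    options.bind_interface);
			goto fail;
		}
#else
		error("BindInterface not supported on this platform.");
		/*
		 * bindaddr was never filled in; stop here instead of
		 * passing uninitialised storage to getnameinfo()/bind().
		 */
		goto fail;
#endif
	}
	if ((r = getnameinfo((struct sockaddr *)&bindaddr, bindaddrlen,
	    ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST)) != 0) {
		error("%s: getnameinfo failed: %s", __func__,
		    ssh_gai_strerror(r));
		goto fail;
	}
	if (bind(sock, (struct sockaddr *)&bindaddr, bindaddrlen) != 0) {
		error("bind %s: %s", ntop, strerror(errno));
		goto fail;
	}
	debug("%s: bound to %s", __func__, ntop);
	/* success */
	goto out;
fail:
	close(sock);
	sock = -1;
 out:
	if (res != NULL)
		freeaddrinfo(res);
#ifdef HAVE_IFADDRS_H
	if (ifaddrs != NULL)
		freeifaddrs(ifaddrs);
#endif
	return sock;
}

/*
 * Opens a TCP/IP connection to the remote server on the given host.
 * Each address in aitop is tried in order; the whole list is retried up to
 * connection_attempts times with a one second sleep between rounds.
 * On success the peer address is copied into *hostaddr, SO_KEEPALIVE is set
 * if want_keepalive is non-zero, and the socket is installed as the
 * connection for ssh. *timeout_ms is reset to its entry value before every
 * connect attempt. Returns 0 on success, -1 on failure.
 *
 * NOTE(review): "port" and "family" are not referenced in this body; the
 * port shown in messages comes from getnameinfo() on each address.
 */
static int
ssh_connect_direct(struct ssh *ssh, const char *host, struct addrinfo *aitop,
    struct sockaddr_storage *hostaddr, u_short port, int family,
    int connection_attempts, int *timeout_ms, int want_keepalive)
{
	int on = 1, saved_timeout_ms = *timeout_ms;
	int oerrno, sock = -1, attempt;
	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
	struct addrinfo *ai;

	debug2("%s", __func__);
	memset(ntop, 0, sizeof(ntop));
	memset(strport, 0, sizeof(strport));

	for (attempt = 0; attempt < connection_attempts; attempt++) {
		if (attempt > 0) {
			/* Sleep a moment before retrying. */
			sleep(1);
			debug("Trying again...");
		}
		/*
		 * Loop through addresses for this host, and try each one in
		 * sequence until the connection succeeds.
		 */
		for (ai = aitop; ai; ai = ai->ai_next) {
			if (ai->ai_family != AF_INET &&
			    ai->ai_family != AF_INET6) {
				errno = EAFNOSUPPORT;
				continue;
			}
			if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
			    ntop, sizeof(ntop), strport, sizeof(strport),
			    NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
				/* Preserve errno across the logging call. */
				oerrno = errno;
				error("%s: getnameinfo failed", __func__);
				errno = oerrno;
				continue;
			}
			debug("Connecting to %.200s [%.100s] port %s.",
				host, ntop, strport);

			/* Create a socket for connecting. */
			sock = ssh_create_socket(ai);
			if (sock < 0) {
				/* Any error is already output */
				errno = 0;
				continue;
			}

			*timeout_ms = saved_timeout_ms;
			if (timeout_connect(sock, ai->ai_addr, ai->ai_addrlen,
			    timeout_ms) >= 0) {
				/* Successful connection. */
				memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen);
				break;
			} else {
				oerrno = errno;
				debug("connect to address %s port %s: %s",
				    ntop, strport, strerror(errno));
				close(sock);
				sock = -1;
				errno = oerrno;
			}
		}
		if (sock != -1)
			break;	/* Successful connection. */
	}

	/* Return failure if we didn't get a successful connection. */
	if (sock == -1) {
		error("ssh: connect to host %s port %s: %s",
		    host, strport, errno == 0 ? "failure" : strerror(errno));
		return -1;
	}

	debug("Connection established.");

	/* Set SO_KEEPALIVE if requested. */
	if (want_keepalive &&
	    setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&on,
	    sizeof(on)) == -1)
		error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));

	/* Set the connection. */
	if (ssh_packet_set_connection(ssh, sock, sock) == NULL)
		return -1; /* ssh_packet_set_connection logs error */

	return 0;
}

/*
 * Establish the transport for an ssh session, choosing the method from
 * options.proxy_command:
 *   - NULL: direct TCP connection (ssh_connect_direct);
 *   - "-":  use duplicates of this process's stdin/stdout;
 *   - otherwise: run the proxy command, with fd passing when
 *     options.proxy_use_fdpass is set.
 * Returns 0 on success and -1 on failure.
 */
int
ssh_connect(struct ssh *ssh, const char *host, const char *host_arg,
    struct addrinfo *addrs, struct sockaddr_storage *hostaddr, u_short port,
    int family, int connection_attempts, int *timeout_ms, int want_keepalive)
{
	int in, out;

	if (options.proxy_command == NULL) {
		return ssh_connect_direct(ssh, host, addrs, hostaddr, port,
		    family, connection_attempts, timeout_ms, want_keepalive);
	} else if (strcmp(options.proxy_command, "-") == 0) {
		/* "out" is only assigned when the first dup() succeeded. */
		if ((in = dup(STDIN_FILENO)) == -1 ||
		    (out = dup(STDOUT_FILENO)) == -1) {
			if (in >= 0)
				close(in);
			error("%s: dup() in/out failed", __func__);
			return -1; /* error logged just above */
		}
		if ((ssh_packet_set_connection(ssh, in, out)) == NULL)
			return -1; /* ssh_packet_set_connection logs error */
		return 0;
	} else if (options.proxy_use_fdpass) {
		return ssh_proxy_fdpass_connect(ssh, host, host_arg, port,
		    options.proxy_command);
	}
	return ssh_proxy_connect(ssh, host, host_arg, port,
	    options.proxy_command);
}

/*
 * Ask the user a yes/no question; defaults to 'no'.
 *
 * Returns 1 if the user typed "yes" or, when "fingerprint" is non-NULL,
 * typed that fingerprint exactly. Returns 0 for "no", an empty answer,
 * batch mode, or when no answer could be read. Any other input re-prompts.
 */
static int
confirm(const char *prompt, const char *fingerprint)
{
	const char *msg, *again = "Please type 'yes' or 'no': ";
	const char *again_fp = "Please type 'yes', 'no' or the fingerprint: ";
	char *p, *cp;
	int ret = -1;

	if (options.batch_mode)
		return 0;
	for (msg = prompt;;msg = fingerprint ? again_fp : again) {
		cp = p = read_passphrase(msg, RP_ECHO);
		if (p == NULL)
			return 0;
		p += strspn(p, " \t"); /* skip leading whitespace */
		p[strcspn(p, " \t\n")] = '\0'; /* remove trailing whitespace */
		if (p[0] == '\0' || strcasecmp(p, "no") == 0)
			ret = 0;
		/*
		 * The fingerprint is compared case-sensitively: base64
		 * fingerprints distinguish upper and lower case, so folding
		 * case would accept strings that are not the displayed
		 * fingerprint and weaken the out-of-band check.
		 */
		else if (strcasecmp(p, "yes") == 0 || (fingerprint != NULL &&
		    strcmp(p, fingerprint) == 0))
			ret = 1;
		free(cp);
		if (ret != -1)
			return ret;
	}
}

/*
 * Validate a host certificate for "host". Returns 1 if acceptable, 0 if not.
 *
 * Three checks are made: sshkey_cert_check_authority() must accept the
 * certificate for this host name, the certificate must carry no critical
 * options (none are supported here), and its signature algorithm must be
 * permitted by options.ca_sign_algorithms.
 */
static int
check_host_cert(const char *host, const struct sshkey *key)
{
	const char *reason;
	int r;

	if (sshkey_cert_check_authority(key, 1, 0, host, &reason) != 0) {
		error("%s", reason);
		return 0;
	}
	/* Unknown critical options must cause rejection, not be ignored. */
	if (sshbuf_len(key->cert->critical) != 0) {
		error("Certificate for %s contains unsupported "
		    "critical options(s)", host);
		return 0;
	}
	if ((r = sshkey_check_cert_sigtype(key,
	    options.ca_sign_algorithms)) != 0) {
		logit("%s: certificate signature algorithm %s: %s", __func__,
		    (key->cert == NULL || key->cert->signature_type == NULL) ?
		    "(null)" : key->cert->signature_type, ssh_err(r));
		return 0;
	}

	return 1;
}

/*
 * Returns non-zero if hostaddr is a loopback address: an IPv4 address whose
 * top octet equals IN_LOOPBACKNET, or an IPv6 address for which
 * IN6_IS_ADDR_LOOPBACK() is true. Other families return 0.
 * hostaddr must not be NULL.
 */
static int
sockaddr_is_local(struct sockaddr *hostaddr)
{
	switch (hostaddr->sa_family) {
	case AF_INET:
		return (ntohl(((struct sockaddr_in *)hostaddr)->
		    sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
	case AF_INET6:
		return IN6_IS_ADDR_LOOPBACK(
		    &(((struct sockaddr_in6 *)hostaddr)->sin6_addr));
	default:
		return 0;
	}
}

/*
 * Prepare the hostname and ip address strings that are used to lookup
 * host keys in known_hosts files. These may have a port number appended.
 *
 * Either output pointer may be NULL to skip that string. The strings that
 * are produced are allocated and must be freed by the caller.
 */
void
get_hostfile_hostname_ipaddr(char *hostname, struct sockaddr *hostaddr,
    u_short port, char **hostfile_hostname, char **hostfile_ipaddr)
{
	char ntop[NI_MAXHOST];
	socklen_t addrlen;

	/* Pick the sockaddr length from the family; -1 stands for "none". */
	switch (hostaddr == NULL ? -1 : hostaddr->sa_family) {
	case -1:
		addrlen = 0;
		break;
	case AF_INET:
		addrlen = sizeof(struct sockaddr_in);
		break;
	case AF_INET6:
		addrlen = sizeof(struct sockaddr_in6);
		break;
	default:
		addrlen = sizeof(struct sockaddr);
		break;
	}

	/*
	 * We don't have the remote ip-address for connections
	 * using a proxy command
	 */
	if (hostfile_ipaddr != NULL) {
		if (options.proxy_command == NULL) {
			if (getnameinfo(hostaddr, addrlen,
			    ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0)
				fatal("%s: getnameinfo failed", __func__);
			*hostfile_ipaddr = put_host_port(ntop, port);
		} else {
			*hostfile_ipaddr = xstrdup("<no hostip for proxy "
			    "command>");
		}
	}

	/*
	 * Allow the user to record the key under a different name or
	 * differentiate a non-standard port.  This is useful for ssh
	 * tunneling over forwarded connections or if you run multiple
	 * sshd's on different ports on the same machine.
	 */
	if (hostfile_hostname != NULL) {
		if (options.host_key_alias != NULL) {
			*hostfile_hostname = xstrdup(options.host_key_alias);
			debug("using hostkeyalias: %s", *hostfile_hostname);
		} else {
			*hostfile_hostname = put_host_port(hostname, port);
		}
	}
}

/*
 * check whether the supplied host key is valid, return -1 if the key
 * is not valid. user_hostfile[0] will not be updated if 'readonly' is true.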
707 */ 708 #define RDRW 0 709 #define RDONLY 1 710 #define ROQUIET 2 711 static int 712 check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 713 struct sshkey *host_key, int readonly, 714 char **user_hostfiles, u_int num_user_hostfiles, 715 char **system_hostfiles, u_int num_system_hostfiles) 716 { 717 HostStatus host_status; 718 HostStatus ip_status; 719 struct sshkey *raw_key = NULL; 720 char *ip = NULL, *host = NULL; 721 char hostline[1000], *hostp, *fp, *ra; 722 char msg[1024]; 723 const char *type; 724 const struct hostkey_entry *host_found, *ip_found; 725 int len, cancelled_forwarding = 0, confirmed; 726 int local = sockaddr_is_local(hostaddr); 727 int r, want_cert = sshkey_is_cert(host_key), host_ip_differ = 0; 728 int hostkey_trusted = 0; /* Known or explicitly accepted by user */ 729 struct hostkeys *host_hostkeys, *ip_hostkeys; 730 u_int i; 731 732 /* 733 * Force accepting of the host key for loopback/localhost. The 734 * problem is that if the home directory is NFS-mounted to multiple 735 * machines, localhost will refer to a different machine in each of 736 * them, and the user will get bogus HOST_CHANGED warnings. This 737 * essentially disables host authentication for localhost; however, 738 * this is probably not a real problem. 739 */ 740 if (options.no_host_authentication_for_localhost == 1 && local && 741 options.host_key_alias == NULL) { 742 debug("Forcing accepting of host key for " 743 "loopback/localhost."); 744 return 0; 745 } 746 747 /* 748 * Prepare the hostname and address strings used for hostkey lookup. 749 * In some cases, these will have a port number appended. 
750 */ 751 get_hostfile_hostname_ipaddr(hostname, hostaddr, port, &host, &ip); 752 753 /* 754 * Turn off check_host_ip if the connection is to localhost, via proxy 755 * command or if we don't have a hostname to compare with 756 */ 757 if (options.check_host_ip && (local || 758 strcmp(hostname, ip) == 0 || options.proxy_command != NULL)) 759 options.check_host_ip = 0; 760 761 host_hostkeys = init_hostkeys(); 762 for (i = 0; i < num_user_hostfiles; i++) 763 load_hostkeys(host_hostkeys, host, user_hostfiles[i]); 764 for (i = 0; i < num_system_hostfiles; i++) 765 load_hostkeys(host_hostkeys, host, system_hostfiles[i]); 766 767 ip_hostkeys = NULL; 768 if (!want_cert && options.check_host_ip) { 769 ip_hostkeys = init_hostkeys(); 770 for (i = 0; i < num_user_hostfiles; i++) 771 load_hostkeys(ip_hostkeys, ip, user_hostfiles[i]); 772 for (i = 0; i < num_system_hostfiles; i++) 773 load_hostkeys(ip_hostkeys, ip, system_hostfiles[i]); 774 } 775 776 retry: 777 /* Reload these as they may have changed on cert->key downgrade */ 778 want_cert = sshkey_is_cert(host_key); 779 type = sshkey_type(host_key); 780 781 /* 782 * Check if the host key is present in the user's list of known 783 * hosts or in the systemwide list. 784 */ 785 host_status = check_key_in_hostkeys(host_hostkeys, host_key, 786 &host_found); 787 788 /* 789 * Also perform check for the ip address, skip the check if we are 790 * localhost, looking for a certificate, or the hostname was an ip 791 * address to begin with. 792 */ 793 if (!want_cert && ip_hostkeys != NULL) { 794 ip_status = check_key_in_hostkeys(ip_hostkeys, host_key, 795 &ip_found); 796 if (host_status == HOST_CHANGED && 797 (ip_status != HOST_CHANGED || 798 (ip_found != NULL && 799 !sshkey_equal(ip_found->key, host_found->key)))) 800 host_ip_differ = 1; 801 } else 802 ip_status = host_status; 803 804 switch (host_status) { 805 case HOST_OK: 806 /* The host is known and the key matches. 
*/ 807 debug("Host '%.200s' is known and matches the %s host %s.", 808 host, type, want_cert ? "certificate" : "key"); 809 debug("Found %s in %s:%lu", want_cert ? "CA key" : "key", 810 host_found->file, host_found->line); 811 if (want_cert && 812 !check_host_cert(options.host_key_alias == NULL ? 813 hostname : options.host_key_alias, host_key)) 814 goto fail; 815 if (options.check_host_ip && ip_status == HOST_NEW) { 816 if (readonly || want_cert) 817 logit("%s host key for IP address " 818 "'%.128s' not in list of known hosts.", 819 type, ip); 820 else if (!add_host_to_hostfile(user_hostfiles[0], ip, 821 host_key, options.hash_known_hosts)) 822 logit("Failed to add the %s host key for IP " 823 "address '%.128s' to the list of known " 824 "hosts (%.500s).", type, ip, 825 user_hostfiles[0]); 826 else 827 logit("Warning: Permanently added the %s host " 828 "key for IP address '%.128s' to the list " 829 "of known hosts.", type, ip); 830 } else if (options.visual_host_key) { 831 fp = sshkey_fingerprint(host_key, 832 options.fingerprint_hash, SSH_FP_DEFAULT); 833 ra = sshkey_fingerprint(host_key, 834 options.fingerprint_hash, SSH_FP_RANDOMART); 835 if (fp == NULL || ra == NULL) 836 fatal("%s: sshkey_fingerprint fail", __func__); 837 logit("Host key fingerprint is %s\n%s", fp, ra); 838 free(ra); 839 free(fp); 840 } 841 hostkey_trusted = 1; 842 break; 843 case HOST_NEW: 844 if (options.host_key_alias == NULL && port != 0 && 845 port != SSH_DEFAULT_PORT) { 846 debug("checking without port identifier"); 847 if (check_host_key(hostname, hostaddr, 0, host_key, 848 ROQUIET, user_hostfiles, num_user_hostfiles, 849 system_hostfiles, num_system_hostfiles) == 0) { 850 debug("found matching key w/out port"); 851 break; 852 } 853 } 854 if (readonly || want_cert) 855 goto fail; 856 /* The host is new. */ 857 if (options.strict_host_key_checking == 858 SSH_STRICT_HOSTKEY_YES) { 859 /* 860 * User has requested strict host key checking. We 861 * will not add the host key automatically. 
The only 862 * alternative left is to abort. 863 */ 864 error("No %s host key is known for %.200s and you " 865 "have requested strict checking.", type, host); 866 goto fail; 867 } else if (options.strict_host_key_checking == 868 SSH_STRICT_HOSTKEY_ASK) { 869 char msg1[1024], msg2[1024]; 870 871 if (show_other_keys(host_hostkeys, host_key)) 872 snprintf(msg1, sizeof(msg1), 873 "\nbut keys of different type are already" 874 " known for this host."); 875 else 876 snprintf(msg1, sizeof(msg1), "."); 877 /* The default */ 878 fp = sshkey_fingerprint(host_key, 879 options.fingerprint_hash, SSH_FP_DEFAULT); 880 ra = sshkey_fingerprint(host_key, 881 options.fingerprint_hash, SSH_FP_RANDOMART); 882 if (fp == NULL || ra == NULL) 883 fatal("%s: sshkey_fingerprint fail", __func__); 884 msg2[0] = '\0'; 885 if (options.verify_host_key_dns) { 886 if (matching_host_key_dns) 887 snprintf(msg2, sizeof(msg2), 888 "Matching host key fingerprint" 889 " found in DNS.\n"); 890 else 891 snprintf(msg2, sizeof(msg2), 892 "No matching host key fingerprint" 893 " found in DNS.\n"); 894 } 895 snprintf(msg, sizeof(msg), 896 "The authenticity of host '%.200s (%s)' can't be " 897 "established%s\n" 898 "%s key fingerprint is %s.%s%s\n%s" 899 "Are you sure you want to continue connecting " 900 "(yes/no/[fingerprint])? ", 901 host, ip, msg1, type, fp, 902 options.visual_host_key ? "\n" : "", 903 options.visual_host_key ? ra : "", 904 msg2); 905 free(ra); 906 confirmed = confirm(msg, fp); 907 free(fp); 908 if (!confirmed) 909 goto fail; 910 hostkey_trusted = 1; /* user explicitly confirmed */ 911 } 912 /* 913 * If in "new" or "off" strict mode, add the key automatically 914 * to the local known_hosts file. 
915 */ 916 if (options.check_host_ip && ip_status == HOST_NEW) { 917 snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); 918 hostp = hostline; 919 if (options.hash_known_hosts) { 920 /* Add hash of host and IP separately */ 921 r = add_host_to_hostfile(user_hostfiles[0], 922 host, host_key, options.hash_known_hosts) && 923 add_host_to_hostfile(user_hostfiles[0], ip, 924 host_key, options.hash_known_hosts); 925 } else { 926 /* Add unhashed "host,ip" */ 927 r = add_host_to_hostfile(user_hostfiles[0], 928 hostline, host_key, 929 options.hash_known_hosts); 930 } 931 } else { 932 r = add_host_to_hostfile(user_hostfiles[0], host, 933 host_key, options.hash_known_hosts); 934 hostp = host; 935 } 936 937 if (!r) 938 logit("Failed to add the host to the list of known " 939 "hosts (%.500s).", user_hostfiles[0]); 940 else 941 logit("Warning: Permanently added '%.200s' (%s) to the " 942 "list of known hosts.", hostp, type); 943 break; 944 case HOST_REVOKED: 945 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); 946 error("@ WARNING: REVOKED HOST KEY DETECTED! @"); 947 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); 948 error("The %s host key for %s is marked as revoked.", type, host); 949 error("This could mean that a stolen key is being used to"); 950 error("impersonate this host."); 951 952 /* 953 * If strict host key checking is in use, the user will have 954 * to edit the key manually and we can only abort. 955 */ 956 if (options.strict_host_key_checking != 957 SSH_STRICT_HOSTKEY_OFF) { 958 error("%s host key for %.200s was revoked and you have " 959 "requested strict checking.", type, host); 960 goto fail; 961 } 962 goto continue_unsafe; 963 964 case HOST_CHANGED: 965 if (want_cert) { 966 /* 967 * This is only a debug() since it is valid to have 968 * CAs with wildcard DNS matches that don't match 969 * all hosts that one might visit. 
970 */ 971 debug("Host certificate authority does not " 972 "match %s in %s:%lu", CA_MARKER, 973 host_found->file, host_found->line); 974 goto fail; 975 } 976 if (readonly == ROQUIET) 977 goto fail; 978 if (options.check_host_ip && host_ip_differ) { 979 char *key_msg; 980 if (ip_status == HOST_NEW) 981 key_msg = "is unknown"; 982 else if (ip_status == HOST_OK) 983 key_msg = "is unchanged"; 984 else 985 key_msg = "has a different value"; 986 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); 987 error("@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @"); 988 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); 989 error("The %s host key for %s has changed,", type, host); 990 error("and the key for the corresponding IP address %s", ip); 991 error("%s. This could either mean that", key_msg); 992 error("DNS SPOOFING is happening or the IP address for the host"); 993 error("and its host key have changed at the same time."); 994 if (ip_status != HOST_NEW) 995 error("Offending key for IP in %s:%lu", 996 ip_found->file, ip_found->line); 997 } 998 /* The host key has changed. */ 999 warn_changed_key(host_key); 1000 error("Add correct host key in %.100s to get rid of this message.", 1001 user_hostfiles[0]); 1002 error("Offending %s key in %s:%lu", 1003 sshkey_type(host_found->key), 1004 host_found->file, host_found->line); 1005 1006 /* 1007 * If strict host key checking is in use, the user will have 1008 * to edit the key manually and we can only abort. 1009 */ 1010 if (options.strict_host_key_checking != 1011 SSH_STRICT_HOSTKEY_OFF) { 1012 error("%s host key for %.200s has changed and you have " 1013 "requested strict checking.", type, host); 1014 goto fail; 1015 } 1016 1017 continue_unsafe: 1018 /* 1019 * If strict host key checking has not been requested, allow 1020 * the connection but without MITM-able authentication or 1021 * forwarding. 
1022 */ 1023 if (options.password_authentication) { 1024 error("Password authentication is disabled to avoid " 1025 "man-in-the-middle attacks."); 1026 options.password_authentication = 0; 1027 cancelled_forwarding = 1; 1028 } 1029 if (options.kbd_interactive_authentication) { 1030 error("Keyboard-interactive authentication is disabled" 1031 " to avoid man-in-the-middle attacks."); 1032 options.kbd_interactive_authentication = 0; 1033 options.challenge_response_authentication = 0; 1034 cancelled_forwarding = 1; 1035 } 1036 if (options.challenge_response_authentication) { 1037 error("Challenge/response authentication is disabled" 1038 " to avoid man-in-the-middle attacks."); 1039 options.challenge_response_authentication = 0; 1040 cancelled_forwarding = 1; 1041 } 1042 if (options.forward_agent) { 1043 error("Agent forwarding is disabled to avoid " 1044 "man-in-the-middle attacks."); 1045 options.forward_agent = 0; 1046 cancelled_forwarding = 1; 1047 } 1048 if (options.forward_x11) { 1049 error("X11 forwarding is disabled to avoid " 1050 "man-in-the-middle attacks."); 1051 options.forward_x11 = 0; 1052 cancelled_forwarding = 1; 1053 } 1054 if (options.num_local_forwards > 0 || 1055 options.num_remote_forwards > 0) { 1056 error("Port forwarding is disabled to avoid " 1057 "man-in-the-middle attacks."); 1058 options.num_local_forwards = 1059 options.num_remote_forwards = 0; 1060 cancelled_forwarding = 1; 1061 } 1062 if (options.tun_open != SSH_TUNMODE_NO) { 1063 error("Tunnel forwarding is disabled to avoid " 1064 "man-in-the-middle attacks."); 1065 options.tun_open = SSH_TUNMODE_NO; 1066 cancelled_forwarding = 1; 1067 } 1068 if (options.exit_on_forward_failure && cancelled_forwarding) 1069 fatal("Error: forwarding disabled due to host key " 1070 "check failure"); 1071 1072 /* 1073 * XXX Should permit the user to change to use the new id. 
1074 * This could be done by converting the host key to an 1075 * identifying sentence, tell that the host identifies itself 1076 * by that sentence, and ask the user if he/she wishes to 1077 * accept the authentication. 1078 */ 1079 break; 1080 case HOST_FOUND: 1081 fatal("internal error"); 1082 break; 1083 } 1084 1085 if (options.check_host_ip && host_status != HOST_CHANGED && 1086 ip_status == HOST_CHANGED) { 1087 snprintf(msg, sizeof(msg), 1088 "Warning: the %s host key for '%.200s' " 1089 "differs from the key for the IP address '%.128s'" 1090 "\nOffending key for IP in %s:%lu", 1091 type, host, ip, ip_found->file, ip_found->line); 1092 if (host_status == HOST_OK) { 1093 len = strlen(msg); 1094 snprintf(msg + len, sizeof(msg) - len, 1095 "\nMatching host key in %s:%lu", 1096 host_found->file, host_found->line); 1097 } 1098 if (options.strict_host_key_checking == 1099 SSH_STRICT_HOSTKEY_ASK) { 1100 strlcat(msg, "\nAre you sure you want " 1101 "to continue connecting (yes/no)? ", sizeof(msg)); 1102 if (!confirm(msg, NULL)) 1103 goto fail; 1104 } else if (options.strict_host_key_checking != 1105 SSH_STRICT_HOSTKEY_OFF) { 1106 logit("%s", msg); 1107 error("Exiting, you have requested strict checking."); 1108 goto fail; 1109 } else { 1110 logit("%s", msg); 1111 } 1112 } 1113 1114 if (!hostkey_trusted && options.update_hostkeys) { 1115 debug("%s: hostkey not known or explicitly trusted: " 1116 "disabling UpdateHostkeys", __func__); 1117 options.update_hostkeys = 0; 1118 } 1119 1120 free(ip); 1121 free(host); 1122 if (host_hostkeys != NULL) 1123 free_hostkeys(host_hostkeys); 1124 if (ip_hostkeys != NULL) 1125 free_hostkeys(ip_hostkeys); 1126 return 0; 1127 1128 fail: 1129 if (want_cert && host_status != HOST_REVOKED) { 1130 /* 1131 * No matching certificate. Downgrade cert to raw key and 1132 * search normally. 1133 */ 1134 debug("No matching CA found. 
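Retry with plain key");
		if ((r = sshkey_from_private(host_key, &raw_key)) != 0)
			fatal("%s: sshkey_from_private: %s",
			    __func__, ssh_err(r));
		if ((r = sshkey_drop_cert(raw_key)) != 0)
			fatal("Couldn't drop certificate: %s", ssh_err(r));
		host_key = raw_key;
		goto retry;
	}
	sshkey_free(raw_key);
	free(ip);
	free(host);
	if (host_hostkeys != NULL)
		free_hostkeys(host_hostkeys);
	if (ip_hostkeys != NULL)
		free_hostkeys(ip_hostkeys);
	return -1;
}

/*
 * Decide whether the host key presented by the server is acceptable.
 *
 * The checks run in this order and the first one to reach a verdict wins:
 *   1. A key equal to previous_host_key is accepted without repeating the
 *      checks below.
 *   2. With options.revoked_host_keys set, a key reported as revoked is
 *      rejected, and so is any error while checking that file.
 *   3. With options.verify_host_key_dns set, the key (stripped of any
 *      certificate) is looked up in DNS. Only when the option equals 1 and
 *      the lookup reports both DNS_VERIFY_MATCH and DNS_VERIFY_SECURE is
 *      the key accepted on DNS alone; any other outcome falls through.
 *   4. check_host_key() decides against the user and system host files.
 *
 * Returns 0 if the key verifies. Any non-zero value means it does not:
 * -1 from the checks in this function, or the error code of a failed key
 * copy. On success a private copy of host_key is kept in
 * previous_host_key for the shortcut in step 1.
 */
int
verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key)
{
	u_int i;
	int r = -1, flags = 0;
	char valid[64], *fp = NULL, *cafp = NULL;
	struct sshkey *plain = NULL;

	if ((fp = sshkey_fingerprint(host_key,
	    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
		error("%s: fingerprint host key: %s", __func__, ssh_err(r));
		r = -1;
		goto out;
	}

	if (sshkey_is_cert(host_key)) {
		if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
		    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
			error("%s: fingerprint CA key: %s",
			    __func__, ssh_err(r));
			r = -1;
			goto out;
		}
		sshkey_format_cert_validity(host_key->cert,
		    valid, sizeof(valid));
		debug("Server host certificate: %s %s, serial %llu "
		    "ID \"%s\" CA %s %s valid %s",
		    sshkey_ssh_name(host_key), fp,
		    (unsigned long long)host_key->cert->serial,
		    host_key->cert->key_id,
		    sshkey_ssh_name(host_key->cert->signature_key), cafp,
		    valid);
		for (i = 0; i < host_key->cert->nprincipals; i++) {
			debug2("Server host certificate hostname: %s",
			    host_key->cert->principals[i]);
		}
	} else {
		debug("Server host key: %s %s", sshkey_ssh_name(host_key), fp);
	}

	/*
	 * Shortcut for a key already accepted. Because it sits above the
	 * RevokedHostKeys lookup, a revocation added after the key was
	 * cached is not noticed for that key.
	 * NOTE(review): within the visible code previous_host_key is only
	 * stored at "out:" after a successful verification; confirm that no
	 * other file assigns it.
	 */
	if (sshkey_equal(previous_host_key, host_key)) {
		debug2("%s: server host key %s %s matches cached key",
		    __func__, sshkey_type(host_key), fp);
		r = 0;
		goto out;
	}

	/* Check in RevokedHostKeys file if specified */
	if (options.revoked_host_keys != NULL) {
		r = sshkey_check_revoked(host_key, options.revoked_host_keys);
		switch (r) {
		case 0:
			break; /* not revoked */
		case SSH_ERR_KEY_REVOKED:
			error("Host key %s %s revoked by file %s",
			    sshkey_type(host_key), fp,
			    options.revoked_host_keys);
			r = -1;
			goto out;
		default:
			/* Fail closed: an unreadable list is treated as a reject. */
			error("Error checking host key %s %s in "
			    "revoked keys file %s: %s", sshkey_type(host_key),
			    fp, options.revoked_host_keys, ssh_err(r));
			r = -1;
			goto out;
		}
	}

	if (options.verify_host_key_dns) {
		/*
		 * XXX certs are not yet supported for DNS, so downgrade
		 * them and try the plain key.
		 */
		if ((r = sshkey_from_private(host_key, &plain)) != 0)
			goto out;
		/*
		 * Do not carry on with a key that still has its certificate
		 * attached: treat a failed downgrade as a failed verification,
		 * matching how check_host_key() handles the same call.
		 */
		if (sshkey_is_cert(plain) &&
		    (r = sshkey_drop_cert(plain)) != 0) {
			error("%s: drop certificate: %s", __func__, ssh_err(r));
			r = -1;
			goto out;
		}
		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
			if (flags & DNS_VERIFY_FOUND) {
				/*
				 * The only path that trusts DNS by itself:
				 * option value 1, a matching record and a
				 * secure answer, all three together.
				 */
				if (options.verify_host_key_dns == 1 &&
				    (flags & DNS_VERIFY_MATCH) &&
				    (flags & DNS_VERIFY_SECURE)) {
					r = 0;
					goto out;
				}
				if (flags & DNS_VERIFY_MATCH) {
					matching_host_key_dns = 1;
				} else {
					/*
					 * A mismatch is reported but is not a
					 * verdict; check_host_key() below
					 * still decides.
					 */
					warn_changed_key(plain);
					error("Update the SSHFP RR in DNS "
					    "with the new host key to get rid "
					    "of this message.");
				}
			}
		}
	}
	r = check_host_key(host, hostaddr, options.port, host_key, RDRW,
	    options.user_hostfiles, options.num_user_hostfiles,
	    options.system_hostfiles, options.num_system_hostfiles);

out:
	sshkey_free(plain);
	free(fp);
	free(cafp);
	if (r == 0 && host_key != NULL) {
		sshkey_free(previous_host_key);
		/* Never leave the global pointing at freed memory. */
		previous_host_key = NULL;
		r = sshkey_from_private(host_key, &previous_host_key);
	}

	return r;
}

/*
 * Starts a dialog with the server, and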
authenticates the current user on the
 * server.  No extra privileges are needed for this.  The basic connection
 * to the server must already have been established before this is called.
 * If login fails, this function prints an error and never returns.
 * This function does not require super-user privileges.
 */
void
ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
    struct sockaddr *hostaddr, u_short port, struct passwd *pw, int timeout_ms)
{
	char *lc_host, *login_name, *remote_name;
	int rc;

	/* The remote account defaults to the local one unless configured. */
	login_name = xstrdup(pw->pw_name);
	if (options.user)
		remote_name = options.user;
	else
		remote_name = login_name;

	/* Work on a lowercased private copy of the user-supplied hostname. */
	lc_host = xstrdup(orighost);
	lowercase(lc_host);

	/* Swap protocol version identification strings with the server. */
	rc = kex_exchange_identification(ssh, timeout_ms, NULL);
	if (rc != 0)
		sshpkt_fatal(ssh, rc, "banner exchange");

	/* From here on the connection is non-blocking. */
	ssh_packet_set_nonblocking(ssh);

	/* Key exchange first, then user authentication. */
	debug("Authenticating to %s:%d as '%s'", lc_host, port, remote_name);
	ssh_kex2(ssh, lc_host, hostaddr, port);
	ssh_userauth2(ssh, login_name, remote_name, lc_host, sensitive);

	free(login_name);
	free(lc_host);
}

/*
 * Log every known host key for this host whose type differs from that of
 * `key`.  Returns 1 if at least one such key was logged, otherwise 0.
 */
static int
show_other_keys(struct hostkeys *hostkeys, struct sshkey *key)
{
	static const int candidates[] = {
		KEY_RSA,
		KEY_DSA,
		KEY_ECDSA,
		KEY_ED25519,
		KEY_XMSS
	};
	const size_t ncandidates = sizeof(candidates) / sizeof(candidates[0]);
	const struct hostkey_entry *entry;
	char *fingerprint, *randomart;
	size_t n;
	int shown = 0;

	for (n = 0; n < ncandidates; n++) {
		/* Skip the type being examined and types with no stored key. */
		if (candidates[n] == key->type ||
		    !lookup_key_in_hostkeys_by_type(hostkeys, candidates[n],
		    &entry))
			continue;

		fingerprint = sshkey_fingerprint(entry->key,
		    options.fingerprint_hash, SSH_FP_DEFAULT);
		randomart = sshkey_fingerprint(entry->key,
		    options.fingerprint_hash, SSH_FP_RANDOMART);
		if (fingerprint == NULL || randomart == NULL)
			fatal("%s: sshkey_fingerprint fail", __func__);

		logit("WARNING: %s key found for host %s\n"
		    "in %s:%lu\n"
		    "%s key fingerprint %s.",
		    sshkey_type(entry->key),
		    entry->host, entry->file, entry->line,
		    sshkey_type(entry->key), fingerprint);
		if (options.visual_host_key)
			logit("%s", randomart);

		free(randomart);
		free(fingerprint);
		shown = 1;
	}
	return shown;
}

/*
 * Print the "remote host identification has changed" banner together with
 * the fingerprint of the key the server sent.  It only reports; whether the
 * connection goes on is the caller's decision.
 */
static void
warn_changed_key(struct sshkey *host_key)
{
	char *fingerprint = sshkey_fingerprint(host_key,
	    options.fingerprint_hash, SSH_FP_DEFAULT);

	if (fingerprint == NULL)
		fatal("%s: sshkey_fingerprint fail", __func__);

	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
	error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
	error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
	error("It is also possible that a host key has just been changed.");
	error("The fingerprint for the %s key sent by the remote host is\n%s.",
	    sshkey_type(host_key), fingerprint);
	error("Please contact your system administrator.");

	free(fingerprint);
}

/*
 * Execute a local command.
 *
 * The string is passed unmodified to "$SHELL -c" (or _PATH_BSHELL when
 * SHELL is unset or empty), so the shell interprets all of it; the only
 * gate in this function is options.permit_local_command.
 *
 * Returns 1 when local commands are not permitted, when args is NULL or
 * empty, or when the child did not exit normally; otherwise the child's
 * exit status.
 */
int
ssh_local_cmd(const char *args)
{
	const char *interp;
	pid_t child;
	int wstatus;
	void (*saved_chld)(int);

	if (!options.permit_local_command)
		return 1;
	if (args == NULL || *args == '\0')
		return 1;

	interp = getenv("SHELL");
	if (interp == NULL || *interp == '\0')
		interp = _PATH_BSHELL;

	/* Default SIGCHLD handling while we wait; restored afterwards. */
	saved_chld = ssh_signal(SIGCHLD, SIG_DFL);

	switch ((child = fork())) {
	case 0:
		ssh_signal(SIGPIPE, SIG_DFL);
		debug3("Executing %s -c \"%s\"", interp, args);
		execl(interp, interp, "-c", args, (char *)NULL);
		/* Reached only when execl() itself failed. */
		error("Couldn't execute %s -c \"%s\": %s",
		    interp, args, strerror(errno));
		_exit(1);
	case -1:
		fatal("fork failed: %.100s", strerror(errno));
		break;
	default:
		break;
	}

	/* Retry the wait when a signal interrupts it. */
	for (;;) {
		if (waitpid(child, &wstatus, 0) != -1)
			break;
		if (errno != EINTR)
			fatal("Couldn't wait for child: %s", strerror(errno));
	}
	ssh_signal(SIGCHLD, saved_chld);

	return WIFEXITED(wstatus) ? WEXITSTATUS(wstatus) : 1;
}

/*
 * Offer a private key to the authentication agent, depending on
 * options.add_keys_to_agent: 0 does nothing, 2 asks the user first, and 3
 * is forwarded as a flag to ssh_add_identity_constrained().  Failures are
 * only logged at debug level.  The passphrase parameter is not used here.
 */
void
maybe_add_key_to_agent(const char *authfile, struct sshkey *private,
    const char *comment, const char *passphrase)
{
	const char *provider = NULL, *label;
	int agent_fd = -1, rc, mode3_flag;

	if (options.add_keys_to_agent == 0)
		return;

	rc = ssh_get_authentication_socket(&agent_fd);
	if (rc != 0) {
		debug3("no authentication agent, not adding key");
		return;
	}

	if (options.add_keys_to_agent == 2) {
		/*
		 * NOTE(review): comment may be NULL (the add call below
		 * allows for that) yet it reaches a %s conversion here;
		 * confirm that callers always pass a string.
		 */
		if (!ask_permission("Add key %s (%s) to agent?",
		    authfile, comment)) {
			debug3("user denied adding this key");
			close(agent_fd);
			return;
		}
	}

	/* Security-key backed keys also need the provider path. */
	if (sshkey_is_sk(private))
		provider = options.sk_provider;

	/* Without a comment the agent entry is labelled with the file name. */
	label = (comment != NULL) ? comment : authfile;
	mode3_flag = (options.add_keys_to_agent == 3);

	rc = ssh_add_identity_constrained(agent_fd, private, label, 0,
	    mode3_flag, 0, provider);
	if (rc != 0)
		debug("could not add identity to agent: %s (%d)", authfile, rc);
	else
		debug("identity added to agent: %s", authfile);
	close(agent_fd);
}