xref: /openssh-portable/session.c (revision 4d28fa78)
1 /* $OpenBSD: session.c,v 1.316 2019/06/28 13:35:04 deraadt Exp $ */
2 /*
3  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4  *                    All rights reserved
5  *
6  * As far as I am concerned, the code I have written for this software
7  * can be used freely for any purpose.  Any derived versions of this
8  * software must be clearly marked as such, and if the derived work is
9  * incompatible with the protocol description in the RFC file, it must be
10  * called by a name other than "ssh" or "Secure Shell".
11  *
12  * SSH2 support by Markus Friedl.
13  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
14  *
15  * Redistribution and use in source and binary forms, with or without
16  * modification, are permitted provided that the following conditions
17  * are met:
18  * 1. Redistributions of source code must retain the above copyright
19  *    notice, this list of conditions and the following disclaimer.
20  * 2. Redistributions in binary form must reproduce the above copyright
21  *    notice, this list of conditions and the following disclaimer in the
22  *    documentation and/or other materials provided with the distribution.
23  *
24  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
25  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
26  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
27  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
28  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
29  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
30  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
31  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
32  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
33  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 #include "includes.h"
37 
38 #include <sys/types.h>
39 #include <sys/param.h>
40 #ifdef HAVE_SYS_STAT_H
41 # include <sys/stat.h>
42 #endif
43 #include <sys/socket.h>
44 #include <sys/un.h>
45 #include <sys/wait.h>
46 
47 #include <arpa/inet.h>
48 
49 #include <ctype.h>
50 #include <errno.h>
51 #include <fcntl.h>
52 #include <grp.h>
53 #include <netdb.h>
54 #ifdef HAVE_PATHS_H
55 #include <paths.h>
56 #endif
57 #include <pwd.h>
58 #include <signal.h>
59 #include <stdarg.h>
60 #include <stdio.h>
61 #include <stdlib.h>
62 #include <string.h>
63 #include <unistd.h>
64 #include <limits.h>
65 
66 #include "openbsd-compat/sys-queue.h"
67 #include "xmalloc.h"
68 #include "ssh.h"
69 #include "ssh2.h"
70 #include "sshpty.h"
71 #include "packet.h"
72 #include "sshbuf.h"
73 #include "ssherr.h"
74 #include "match.h"
75 #include "uidswap.h"
76 #include "compat.h"
77 #include "channels.h"
78 #include "sshkey.h"
79 #include "cipher.h"
80 #ifdef GSSAPI
81 #include "ssh-gss.h"
82 #endif
83 #include "hostfile.h"
84 #include "auth.h"
85 #include "auth-options.h"
86 #include "authfd.h"
87 #include "pathnames.h"
88 #include "log.h"
89 #include "misc.h"
90 #include "servconf.h"
91 #include "sshlogin.h"
92 #include "serverloop.h"
93 #include "canohost.h"
94 #include "session.h"
95 #include "kex.h"
96 #include "monitor_wrap.h"
97 #include "sftp.h"
98 #include "atomicio.h"
99 
100 #if defined(KRB5) && defined(USE_AFS)
101 #include <kafs.h>
102 #endif
103 
104 #ifdef WITH_SELINUX
105 #include <selinux/selinux.h>
106 #endif
107 
108 #define IS_INTERNAL_SFTP(c) \
109 	(!strncmp(c, INTERNAL_SFTP_NAME, sizeof(INTERNAL_SFTP_NAME) - 1) && \
110 	 (c[sizeof(INTERNAL_SFTP_NAME) - 1] == '\0' || \
111 	  c[sizeof(INTERNAL_SFTP_NAME) - 1] == ' ' || \
112 	  c[sizeof(INTERNAL_SFTP_NAME) - 1] == '\t'))
113 
114 /* func */
115 
116 Session *session_new(void);
117 void	session_set_fds(struct ssh *, Session *, int, int, int, int, int);
118 void	session_pty_cleanup(Session *);
119 void	session_proctitle(Session *);
120 int	session_setup_x11fwd(struct ssh *, Session *);
121 int	do_exec_pty(struct ssh *, Session *, const char *);
122 int	do_exec_no_pty(struct ssh *, Session *, const char *);
123 int	do_exec(struct ssh *, Session *, const char *);
124 void	do_login(struct ssh *, Session *, const char *);
125 void	do_child(struct ssh *, Session *, const char *);
126 void	do_motd(void);
127 int	check_quietlogin(Session *, const char *);
128 
129 static void do_authenticated2(struct ssh *, Authctxt *);
130 
131 static int session_pty_req(struct ssh *, Session *);
132 
133 /* import */
134 extern ServerOptions options;
135 extern char *__progname;
136 extern int debug_flag;
137 extern u_int utmp_len;
138 extern int startup_pipe;
139 extern void destroy_sensitive_data(void);
140 extern struct sshbuf *loginmsg;
141 extern struct sshauthopt *auth_opts;
142 extern char *tun_fwd_ifnames; /* serverloop.c */
143 
144 /* original command from peer. */
145 const char *original_command = NULL;
146 
147 /* data */
148 static int sessions_first_unused = -1;
149 static int sessions_nalloc = 0;
150 static Session *sessions = NULL;
151 
152 #define SUBSYSTEM_NONE			0
153 #define SUBSYSTEM_EXT			1
154 #define SUBSYSTEM_INT_SFTP		2
155 #define SUBSYSTEM_INT_SFTP_ERROR	3
156 
157 #ifdef HAVE_LOGIN_CAP
158 login_cap_t *lc;
159 #endif
160 
161 static int is_child = 0;
162 static int in_chroot = 0;
163 
164 /* File containing userauth info, if ExposeAuthInfo set */
165 static char *auth_info_file = NULL;
166 
167 /* Name and directory of socket for authentication agent forwarding. */
168 static char *auth_sock_name = NULL;
169 static char *auth_sock_dir = NULL;
170 
171 /* removes the agent forwarding socket */
172 
173 static void
auth_sock_cleanup_proc(struct passwd * pw)174 auth_sock_cleanup_proc(struct passwd *pw)
175 {
176 	if (auth_sock_name != NULL) {
177 		temporarily_use_uid(pw);
178 		unlink(auth_sock_name);
179 		rmdir(auth_sock_dir);
180 		auth_sock_name = NULL;
181 		restore_uid();
182 	}
183 }
184 
185 static int
auth_input_request_forwarding(struct ssh * ssh,struct passwd * pw)186 auth_input_request_forwarding(struct ssh *ssh, struct passwd * pw)
187 {
188 	Channel *nc;
189 	int sock = -1;
190 
191 	if (auth_sock_name != NULL) {
192 		error("authentication forwarding requested twice.");
193 		return 0;
194 	}
195 
196 	/* Temporarily drop privileged uid for mkdir/bind. */
197 	temporarily_use_uid(pw);
198 
199 	/* Allocate a buffer for the socket name, and format the name. */
200 	auth_sock_dir = xstrdup("/tmp/ssh-XXXXXXXXXX");
201 
202 	/* Create private directory for socket */
203 	if (mkdtemp(auth_sock_dir) == NULL) {
204 		ssh_packet_send_debug(ssh, "Agent forwarding disabled: "
205 		    "mkdtemp() failed: %.100s", strerror(errno));
206 		restore_uid();
207 		free(auth_sock_dir);
208 		auth_sock_dir = NULL;
209 		goto authsock_err;
210 	}
211 
212 	xasprintf(&auth_sock_name, "%s/agent.%ld",
213 	    auth_sock_dir, (long) getpid());
214 
215 	/* Start a Unix listener on auth_sock_name. */
216 	sock = unix_listener(auth_sock_name, SSH_LISTEN_BACKLOG, 0);
217 
218 	/* Restore the privileged uid. */
219 	restore_uid();
220 
221 	/* Check for socket/bind/listen failure. */
222 	if (sock < 0)
223 		goto authsock_err;
224 
225 	/* Allocate a channel for the authentication agent socket. */
226 	nc = channel_new(ssh, "auth socket",
227 	    SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
228 	    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
229 	    0, "auth socket", 1);
230 	nc->path = xstrdup(auth_sock_name);
231 	return 1;
232 
233  authsock_err:
234 	free(auth_sock_name);
235 	if (auth_sock_dir != NULL) {
236 		temporarily_use_uid(pw);
237 		rmdir(auth_sock_dir);
238 		restore_uid();
239 		free(auth_sock_dir);
240 	}
241 	if (sock != -1)
242 		close(sock);
243 	auth_sock_name = NULL;
244 	auth_sock_dir = NULL;
245 	return 0;
246 }
247 
248 static void
display_loginmsg(void)249 display_loginmsg(void)
250 {
251 	int r;
252 
253 	if (sshbuf_len(loginmsg) == 0)
254 		return;
255 	if ((r = sshbuf_put_u8(loginmsg, 0)) != 0)
256 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
257 	printf("%s", (char *)sshbuf_ptr(loginmsg));
258 	sshbuf_reset(loginmsg);
259 }
260 
261 static void
prepare_auth_info_file(struct passwd * pw,struct sshbuf * info)262 prepare_auth_info_file(struct passwd *pw, struct sshbuf *info)
263 {
264 	int fd = -1, success = 0;
265 
266 	if (!options.expose_userauth_info || info == NULL)
267 		return;
268 
269 	temporarily_use_uid(pw);
270 	auth_info_file = xstrdup("/tmp/sshauth.XXXXXXXXXXXXXXX");
271 	if ((fd = mkstemp(auth_info_file)) == -1) {
272 		error("%s: mkstemp: %s", __func__, strerror(errno));
273 		goto out;
274 	}
275 	if (atomicio(vwrite, fd, sshbuf_mutable_ptr(info),
276 	    sshbuf_len(info)) != sshbuf_len(info)) {
277 		error("%s: write: %s", __func__, strerror(errno));
278 		goto out;
279 	}
280 	if (close(fd) != 0) {
281 		error("%s: close: %s", __func__, strerror(errno));
282 		goto out;
283 	}
284 	success = 1;
285  out:
286 	if (!success) {
287 		if (fd != -1)
288 			close(fd);
289 		free(auth_info_file);
290 		auth_info_file = NULL;
291 	}
292 	restore_uid();
293 }
294 
295 static void
set_fwdpermit_from_authopts(struct ssh * ssh,const struct sshauthopt * opts)296 set_fwdpermit_from_authopts(struct ssh *ssh, const struct sshauthopt *opts)
297 {
298 	char *tmp, *cp, *host;
299 	int port;
300 	size_t i;
301 
302 	if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0) {
303 		channel_clear_permission(ssh, FORWARD_USER, FORWARD_LOCAL);
304 		for (i = 0; i < auth_opts->npermitopen; i++) {
305 			tmp = cp = xstrdup(auth_opts->permitopen[i]);
306 			/* This shouldn't fail as it has already been checked */
307 			if ((host = hpdelim(&cp)) == NULL)
308 				fatal("%s: internal error: hpdelim", __func__);
309 			host = cleanhostname(host);
310 			if (cp == NULL || (port = permitopen_port(cp)) < 0)
311 				fatal("%s: internal error: permitopen port",
312 				    __func__);
313 			channel_add_permission(ssh,
314 			    FORWARD_USER, FORWARD_LOCAL, host, port);
315 			free(tmp);
316 		}
317 	}
318 	if ((options.allow_tcp_forwarding & FORWARD_REMOTE) != 0) {
319 		channel_clear_permission(ssh, FORWARD_USER, FORWARD_REMOTE);
320 		for (i = 0; i < auth_opts->npermitlisten; i++) {
321 			tmp = cp = xstrdup(auth_opts->permitlisten[i]);
322 			/* This shouldn't fail as it has already been checked */
323 			if ((host = hpdelim(&cp)) == NULL)
324 				fatal("%s: internal error: hpdelim", __func__);
325 			host = cleanhostname(host);
326 			if (cp == NULL || (port = permitopen_port(cp)) < 0)
327 				fatal("%s: internal error: permitlisten port",
328 				    __func__);
329 			channel_add_permission(ssh,
330 			    FORWARD_USER, FORWARD_REMOTE, host, port);
331 			free(tmp);
332 		}
333 	}
334 }
335 
336 void
do_authenticated(struct ssh * ssh,Authctxt * authctxt)337 do_authenticated(struct ssh *ssh, Authctxt *authctxt)
338 {
339 	setproctitle("%s", authctxt->pw->pw_name);
340 
341 	auth_log_authopts("active", auth_opts, 0);
342 
343 	/* setup the channel layer */
344 	/* XXX - streamlocal? */
345 	set_fwdpermit_from_authopts(ssh, auth_opts);
346 
347 	if (!auth_opts->permit_port_forwarding_flag ||
348 	    options.disable_forwarding) {
349 		channel_disable_admin(ssh, FORWARD_LOCAL);
350 		channel_disable_admin(ssh, FORWARD_REMOTE);
351 	} else {
352 		if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
353 			channel_disable_admin(ssh, FORWARD_LOCAL);
354 		else
355 			channel_permit_all(ssh, FORWARD_LOCAL);
356 		if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0)
357 			channel_disable_admin(ssh, FORWARD_REMOTE);
358 		else
359 			channel_permit_all(ssh, FORWARD_REMOTE);
360 	}
361 	auth_debug_send(ssh);
362 
363 	prepare_auth_info_file(authctxt->pw, authctxt->session_info);
364 
365 	do_authenticated2(ssh, authctxt);
366 
367 	do_cleanup(ssh, authctxt);
368 }
369 
370 /* Check untrusted xauth strings for metacharacters */
371 static int
xauth_valid_string(const char * s)372 xauth_valid_string(const char *s)
373 {
374 	size_t i;
375 
376 	for (i = 0; s[i] != '\0'; i++) {
377 		if (!isalnum((u_char)s[i]) &&
378 		    s[i] != '.' && s[i] != ':' && s[i] != '/' &&
379 		    s[i] != '-' && s[i] != '_')
380 			return 0;
381 	}
382 	return 1;
383 }
384 
385 #define USE_PIPES 1
386 /*
387  * This is called to fork and execute a command when we have no tty.  This
388  * will call do_child from the child, and server_loop from the parent after
389  * setting up file descriptors and such.
390  */
391 int
do_exec_no_pty(struct ssh * ssh,Session * s,const char * command)392 do_exec_no_pty(struct ssh *ssh, Session *s, const char *command)
393 {
394 	pid_t pid;
395 #ifdef USE_PIPES
396 	int pin[2], pout[2], perr[2];
397 
398 	if (s == NULL)
399 		fatal("do_exec_no_pty: no session");
400 
401 	/* Allocate pipes for communicating with the program. */
402 	if (pipe(pin) == -1) {
403 		error("%s: pipe in: %.100s", __func__, strerror(errno));
404 		return -1;
405 	}
406 	if (pipe(pout) == -1) {
407 		error("%s: pipe out: %.100s", __func__, strerror(errno));
408 		close(pin[0]);
409 		close(pin[1]);
410 		return -1;
411 	}
412 	if (pipe(perr) == -1) {
413 		error("%s: pipe err: %.100s", __func__,
414 		    strerror(errno));
415 		close(pin[0]);
416 		close(pin[1]);
417 		close(pout[0]);
418 		close(pout[1]);
419 		return -1;
420 	}
421 #else
422 	int inout[2], err[2];
423 
424 	if (s == NULL)
425 		fatal("do_exec_no_pty: no session");
426 
427 	/* Uses socket pairs to communicate with the program. */
428 	if (socketpair(AF_UNIX, SOCK_STREAM, 0, inout) == -1) {
429 		error("%s: socketpair #1: %.100s", __func__, strerror(errno));
430 		return -1;
431 	}
432 	if (socketpair(AF_UNIX, SOCK_STREAM, 0, err) == -1) {
433 		error("%s: socketpair #2: %.100s", __func__,
434 		    strerror(errno));
435 		close(inout[0]);
436 		close(inout[1]);
437 		return -1;
438 	}
439 #endif
440 
441 	session_proctitle(s);
442 
443 	/* Fork the child. */
444 	switch ((pid = fork())) {
445 	case -1:
446 		error("%s: fork: %.100s", __func__, strerror(errno));
447 #ifdef USE_PIPES
448 		close(pin[0]);
449 		close(pin[1]);
450 		close(pout[0]);
451 		close(pout[1]);
452 		close(perr[0]);
453 		close(perr[1]);
454 #else
455 		close(inout[0]);
456 		close(inout[1]);
457 		close(err[0]);
458 		close(err[1]);
459 #endif
460 		return -1;
461 	case 0:
462 		is_child = 1;
463 
464 		/*
465 		 * Create a new session and process group since the 4.4BSD
466 		 * setlogin() affects the entire process group.
467 		 */
468 		if (setsid() == -1)
469 			error("setsid failed: %.100s", strerror(errno));
470 
471 #ifdef USE_PIPES
472 		/*
473 		 * Redirect stdin.  We close the parent side of the socket
474 		 * pair, and make the child side the standard input.
475 		 */
476 		close(pin[1]);
477 		if (dup2(pin[0], 0) == -1)
478 			perror("dup2 stdin");
479 		close(pin[0]);
480 
481 		/* Redirect stdout. */
482 		close(pout[0]);
483 		if (dup2(pout[1], 1) == -1)
484 			perror("dup2 stdout");
485 		close(pout[1]);
486 
487 		/* Redirect stderr. */
488 		close(perr[0]);
489 		if (dup2(perr[1], 2) == -1)
490 			perror("dup2 stderr");
491 		close(perr[1]);
492 #else
493 		/*
494 		 * Redirect stdin, stdout, and stderr.  Stdin and stdout will
495 		 * use the same socket, as some programs (particularly rdist)
496 		 * seem to depend on it.
497 		 */
498 		close(inout[1]);
499 		close(err[1]);
500 		if (dup2(inout[0], 0) == -1)	/* stdin */
501 			perror("dup2 stdin");
502 		if (dup2(inout[0], 1) == -1)	/* stdout (same as stdin) */
503 			perror("dup2 stdout");
504 		close(inout[0]);
505 		if (dup2(err[0], 2) == -1)	/* stderr */
506 			perror("dup2 stderr");
507 		close(err[0]);
508 #endif
509 
510 		/* Do processing for the child (exec command etc). */
511 		do_child(ssh, s, command);
512 		/* NOTREACHED */
513 	default:
514 		break;
515 	}
516 
517 #ifdef HAVE_CYGWIN
518 	cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
519 #endif
520 
521 	s->pid = pid;
522 	/* Set interactive/non-interactive mode. */
523 	ssh_packet_set_interactive(ssh, s->display != NULL,
524 	    options.ip_qos_interactive, options.ip_qos_bulk);
525 
526 	/*
527 	 * Clear loginmsg, since it's the child's responsibility to display
528 	 * it to the user, otherwise multiple sessions may accumulate
529 	 * multiple copies of the login messages.
530 	 */
531 	sshbuf_reset(loginmsg);
532 
533 #ifdef USE_PIPES
534 	/* We are the parent.  Close the child sides of the pipes. */
535 	close(pin[0]);
536 	close(pout[1]);
537 	close(perr[1]);
538 
539 	session_set_fds(ssh, s, pin[1], pout[0], perr[0],
540 	    s->is_subsystem, 0);
541 #else
542 	/* We are the parent.  Close the child sides of the socket pairs. */
543 	close(inout[0]);
544 	close(err[0]);
545 
546 	/*
547 	 * Enter the interactive session.  Note: server_loop must be able to
548 	 * handle the case that fdin and fdout are the same.
549 	 */
550 	session_set_fds(ssh, s, inout[1], inout[1], err[1],
551 	    s->is_subsystem, 0);
552 #endif
553 	return 0;
554 }
555 
556 /*
557  * This is called to fork and execute a command when we have a tty.  This
558  * will call do_child from the child, and server_loop from the parent after
559  * setting up file descriptors, controlling tty, updating wtmp, utmp,
560  * lastlog, and other such operations.
561  */
562 int
do_exec_pty(struct ssh * ssh,Session * s,const char * command)563 do_exec_pty(struct ssh *ssh, Session *s, const char *command)
564 {
565 	int fdout, ptyfd, ttyfd, ptymaster;
566 	pid_t pid;
567 
568 	if (s == NULL)
569 		fatal("do_exec_pty: no session");
570 	ptyfd = s->ptyfd;
571 	ttyfd = s->ttyfd;
572 
573 	/*
574 	 * Create another descriptor of the pty master side for use as the
575 	 * standard input.  We could use the original descriptor, but this
576 	 * simplifies code in server_loop.  The descriptor is bidirectional.
577 	 * Do this before forking (and cleanup in the child) so as to
578 	 * detect and gracefully fail out-of-fd conditions.
579 	 */
580 	if ((fdout = dup(ptyfd)) == -1) {
581 		error("%s: dup #1: %s", __func__, strerror(errno));
582 		close(ttyfd);
583 		close(ptyfd);
584 		return -1;
585 	}
586 	/* we keep a reference to the pty master */
587 	if ((ptymaster = dup(ptyfd)) == -1) {
588 		error("%s: dup #2: %s", __func__, strerror(errno));
589 		close(ttyfd);
590 		close(ptyfd);
591 		close(fdout);
592 		return -1;
593 	}
594 
595 	/* Fork the child. */
596 	switch ((pid = fork())) {
597 	case -1:
598 		error("%s: fork: %.100s", __func__, strerror(errno));
599 		close(fdout);
600 		close(ptymaster);
601 		close(ttyfd);
602 		close(ptyfd);
603 		return -1;
604 	case 0:
605 		is_child = 1;
606 
607 		close(fdout);
608 		close(ptymaster);
609 
610 		/* Close the master side of the pseudo tty. */
611 		close(ptyfd);
612 
613 		/* Make the pseudo tty our controlling tty. */
614 		pty_make_controlling_tty(&ttyfd, s->tty);
615 
616 		/* Redirect stdin/stdout/stderr from the pseudo tty. */
617 		if (dup2(ttyfd, 0) == -1)
618 			error("dup2 stdin: %s", strerror(errno));
619 		if (dup2(ttyfd, 1) == -1)
620 			error("dup2 stdout: %s", strerror(errno));
621 		if (dup2(ttyfd, 2) == -1)
622 			error("dup2 stderr: %s", strerror(errno));
623 
624 		/* Close the extra descriptor for the pseudo tty. */
625 		close(ttyfd);
626 
627 		/* record login, etc. similar to login(1) */
628 #ifndef HAVE_OSF_SIA
629 		do_login(ssh, s, command);
630 #endif
631 		/*
632 		 * Do common processing for the child, such as execing
633 		 * the command.
634 		 */
635 		do_child(ssh, s, command);
636 		/* NOTREACHED */
637 	default:
638 		break;
639 	}
640 
641 #ifdef HAVE_CYGWIN
642 	cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
643 #endif
644 
645 	s->pid = pid;
646 
647 	/* Parent.  Close the slave side of the pseudo tty. */
648 	close(ttyfd);
649 
650 	/* Enter interactive session. */
651 	s->ptymaster = ptymaster;
652 	ssh_packet_set_interactive(ssh, 1,
653 	    options.ip_qos_interactive, options.ip_qos_bulk);
654 	session_set_fds(ssh, s, ptyfd, fdout, -1, 1, 1);
655 	return 0;
656 }
657 
658 /*
659  * This is called to fork and execute a command.  If another command is
660  * to be forced, execute that instead.
661  */
662 int
do_exec(struct ssh * ssh,Session * s,const char * command)663 do_exec(struct ssh *ssh, Session *s, const char *command)
664 {
665 	int ret;
666 	const char *forced = NULL, *tty = NULL;
667 	char session_type[1024];
668 
669 	if (options.adm_forced_command) {
670 		original_command = command;
671 		command = options.adm_forced_command;
672 		forced = "(config)";
673 	} else if (auth_opts->force_command != NULL) {
674 		original_command = command;
675 		command = auth_opts->force_command;
676 		forced = "(key-option)";
677 	}
678 	s->forced = 0;
679 	if (forced != NULL) {
680 		s->forced = 1;
681 		if (IS_INTERNAL_SFTP(command)) {
682 			s->is_subsystem = s->is_subsystem ?
683 			    SUBSYSTEM_INT_SFTP : SUBSYSTEM_INT_SFTP_ERROR;
684 		} else if (s->is_subsystem)
685 			s->is_subsystem = SUBSYSTEM_EXT;
686 		snprintf(session_type, sizeof(session_type),
687 		    "forced-command %s '%.900s'", forced, command);
688 	} else if (s->is_subsystem) {
689 		snprintf(session_type, sizeof(session_type),
690 		    "subsystem '%.900s'", s->subsys);
691 	} else if (command == NULL) {
692 		snprintf(session_type, sizeof(session_type), "shell");
693 	} else {
694 		/* NB. we don't log unforced commands to preserve privacy */
695 		snprintf(session_type, sizeof(session_type), "command");
696 	}
697 
698 	if (s->ttyfd != -1) {
699 		tty = s->tty;
700 		if (strncmp(tty, "/dev/", 5) == 0)
701 			tty += 5;
702 	}
703 
704 	verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
705 	    session_type,
706 	    tty == NULL ? "" : " on ",
707 	    tty == NULL ? "" : tty,
708 	    s->pw->pw_name,
709 	    ssh_remote_ipaddr(ssh),
710 	    ssh_remote_port(ssh),
711 	    s->self);
712 
713 #ifdef SSH_AUDIT_EVENTS
714 	if (command != NULL)
715 		PRIVSEP(audit_run_command(command));
716 	else if (s->ttyfd == -1) {
717 		char *shell = s->pw->pw_shell;
718 
719 		if (shell[0] == '\0')	/* empty shell means /bin/sh */
720 			shell =_PATH_BSHELL;
721 		PRIVSEP(audit_run_command(shell));
722 	}
723 #endif
724 	if (s->ttyfd != -1)
725 		ret = do_exec_pty(ssh, s, command);
726 	else
727 		ret = do_exec_no_pty(ssh, s, command);
728 
729 	original_command = NULL;
730 
731 	/*
732 	 * Clear loginmsg: it's the child's responsibility to display
733 	 * it to the user, otherwise multiple sessions may accumulate
734 	 * multiple copies of the login messages.
735 	 */
736 	sshbuf_reset(loginmsg);
737 
738 	return ret;
739 }
740 
741 /* administrative, login(1)-like work */
742 void
do_login(struct ssh * ssh,Session * s,const char * command)743 do_login(struct ssh *ssh, Session *s, const char *command)
744 {
745 	socklen_t fromlen;
746 	struct sockaddr_storage from;
747 	struct passwd * pw = s->pw;
748 	pid_t pid = getpid();
749 
750 	/*
751 	 * Get IP address of client. If the connection is not a socket, let
752 	 * the address be 0.0.0.0.
753 	 */
754 	memset(&from, 0, sizeof(from));
755 	fromlen = sizeof(from);
756 	if (ssh_packet_connection_is_on_socket(ssh)) {
757 		if (getpeername(ssh_packet_get_connection_in(ssh),
758 		    (struct sockaddr *)&from, &fromlen) == -1) {
759 			debug("getpeername: %.100s", strerror(errno));
760 			cleanup_exit(255);
761 		}
762 	}
763 
764 	/* Record that there was a login on that tty from the remote host. */
765 	if (!use_privsep)
766 		record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
767 		    session_get_remote_name_or_ip(ssh, utmp_len,
768 		    options.use_dns),
769 		    (struct sockaddr *)&from, fromlen);
770 
771 #ifdef USE_PAM
772 	/*
773 	 * If password change is needed, do it now.
774 	 * This needs to occur before the ~/.hushlogin check.
775 	 */
776 	if (options.use_pam && !use_privsep && s->authctxt->force_pwchange) {
777 		display_loginmsg();
778 		do_pam_chauthtok();
779 		s->authctxt->force_pwchange = 0;
780 		/* XXX - signal [net] parent to enable forwardings */
781 	}
782 #endif
783 
784 	if (check_quietlogin(s, command))
785 		return;
786 
787 	display_loginmsg();
788 
789 	do_motd();
790 }
791 
792 /*
793  * Display the message of the day.
794  */
795 void
do_motd(void)796 do_motd(void)
797 {
798 	FILE *f;
799 	char buf[256];
800 
801 	if (options.print_motd) {
802 #ifdef HAVE_LOGIN_CAP
803 		f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
804 		    "/etc/motd"), "r");
805 #else
806 		f = fopen("/etc/motd", "r");
807 #endif
808 		if (f) {
809 			while (fgets(buf, sizeof(buf), f))
810 				fputs(buf, stdout);
811 			fclose(f);
812 		}
813 	}
814 }
815 
816 
817 /*
818  * Check for quiet login, either .hushlogin or command given.
819  */
820 int
check_quietlogin(Session * s,const char * command)821 check_quietlogin(Session *s, const char *command)
822 {
823 	char buf[256];
824 	struct passwd *pw = s->pw;
825 	struct stat st;
826 
827 	/* Return 1 if .hushlogin exists or a command given. */
828 	if (command != NULL)
829 		return 1;
830 	snprintf(buf, sizeof(buf), "%.200s/.hushlogin", pw->pw_dir);
831 #ifdef HAVE_LOGIN_CAP
832 	if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0)
833 		return 1;
834 #else
835 	if (stat(buf, &st) >= 0)
836 		return 1;
837 #endif
838 	return 0;
839 }
840 
841 /*
842  * Reads environment variables from the given file and adds/overrides them
843  * into the environment.  If the file does not exist, this does nothing.
844  * Otherwise, it must consist of empty lines, comments (line starts with '#')
845  * and assignments of the form name=value.  No other forms are allowed.
846  * If whitelist is not NULL, then it is interpreted as a pattern list and
847  * only variable names that match it will be accepted.
848  */
849 static void
read_environment_file(char *** env,u_int * envsize,const char * filename,const char * whitelist)850 read_environment_file(char ***env, u_int *envsize,
851 	const char *filename, const char *whitelist)
852 {
853 	FILE *f;
854 	char *line = NULL, *cp, *value;
855 	size_t linesize = 0;
856 	u_int lineno = 0;
857 
858 	f = fopen(filename, "r");
859 	if (!f)
860 		return;
861 
862 	while (getline(&line, &linesize, f) != -1) {
863 		if (++lineno > 1000)
864 			fatal("Too many lines in environment file %s", filename);
865 		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
866 			;
867 		if (!*cp || *cp == '#' || *cp == '\n')
868 			continue;
869 
870 		cp[strcspn(cp, "\n")] = '\0';
871 
872 		value = strchr(cp, '=');
873 		if (value == NULL) {
874 			fprintf(stderr, "Bad line %u in %.100s\n", lineno,
875 			    filename);
876 			continue;
877 		}
878 		/*
879 		 * Replace the equals sign by nul, and advance value to
880 		 * the value string.
881 		 */
882 		*value = '\0';
883 		value++;
884 		if (whitelist != NULL &&
885 		    match_pattern_list(cp, whitelist, 0) != 1)
886 			continue;
887 		child_set_env(env, envsize, cp, value);
888 	}
889 	free(line);
890 	fclose(f);
891 }
892 
893 #ifdef HAVE_ETC_DEFAULT_LOGIN
894 /*
895  * Return named variable from specified environment, or NULL if not present.
896  */
897 static char *
child_get_env(char ** env,const char * name)898 child_get_env(char **env, const char *name)
899 {
900 	int i;
901 	size_t len;
902 
903 	len = strlen(name);
904 	for (i=0; env[i] != NULL; i++)
905 		if (strncmp(name, env[i], len) == 0 && env[i][len] == '=')
906 			return(env[i] + len + 1);
907 	return NULL;
908 }
909 
910 /*
911  * Read /etc/default/login.
912  * We pick up the PATH (or SUPATH for root) and UMASK.
913  */
914 static void
read_etc_default_login(char *** env,u_int * envsize,uid_t uid)915 read_etc_default_login(char ***env, u_int *envsize, uid_t uid)
916 {
917 	char **tmpenv = NULL, *var;
918 	u_int i, tmpenvsize = 0;
919 	u_long mask;
920 
921 	/*
922 	 * We don't want to copy the whole file to the child's environment,
923 	 * so we use a temporary environment and copy the variables we're
924 	 * interested in.
925 	 */
926 	read_environment_file(&tmpenv, &tmpenvsize, "/etc/default/login",
927 	    options.permit_user_env_whitelist);
928 
929 	if (tmpenv == NULL)
930 		return;
931 
932 	if (uid == 0)
933 		var = child_get_env(tmpenv, "SUPATH");
934 	else
935 		var = child_get_env(tmpenv, "PATH");
936 	if (var != NULL)
937 		child_set_env(env, envsize, "PATH", var);
938 
939 	if ((var = child_get_env(tmpenv, "UMASK")) != NULL)
940 		if (sscanf(var, "%5lo", &mask) == 1)
941 			umask((mode_t)mask);
942 
943 	for (i = 0; tmpenv[i] != NULL; i++)
944 		free(tmpenv[i]);
945 	free(tmpenv);
946 }
947 #endif /* HAVE_ETC_DEFAULT_LOGIN */
948 
949 static void
copy_environment_blacklist(char ** source,char *** env,u_int * envsize,const char * blacklist)950 copy_environment_blacklist(char **source, char ***env, u_int *envsize,
951     const char *blacklist)
952 {
953 	char *var_name, *var_val;
954 	int i;
955 
956 	if (source == NULL)
957 		return;
958 
959 	for(i = 0; source[i] != NULL; i++) {
960 		var_name = xstrdup(source[i]);
961 		if ((var_val = strstr(var_name, "=")) == NULL) {
962 			free(var_name);
963 			continue;
964 		}
965 		*var_val++ = '\0';
966 
967 		if (blacklist == NULL ||
968 		    match_pattern_list(var_name, blacklist, 0) != 1) {
969 			debug3("Copy environment: %s=%s", var_name, var_val);
970 			child_set_env(env, envsize, var_name, var_val);
971 		}
972 
973 		free(var_name);
974 	}
975 }
976 
977 void
copy_environment(char ** source,char *** env,u_int * envsize)978 copy_environment(char **source, char ***env, u_int *envsize)
979 {
980 	copy_environment_blacklist(source, env, envsize, NULL);
981 }
982 
983 static char **
do_setup_env(struct ssh * ssh,Session * s,const char * shell)984 do_setup_env(struct ssh *ssh, Session *s, const char *shell)
985 {
986 	char buf[256];
987 	size_t n;
988 	u_int i, envsize;
989 	char *ocp, *cp, *value, **env, *laddr;
990 	struct passwd *pw = s->pw;
991 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
992 	char *path = NULL;
993 #endif
994 
995 	/* Initialize the environment. */
996 	envsize = 100;
997 	env = xcalloc(envsize, sizeof(char *));
998 	env[0] = NULL;
999 
1000 #ifdef HAVE_CYGWIN
1001 	/*
1002 	 * The Windows environment contains some setting which are
1003 	 * important for a running system. They must not be dropped.
1004 	 */
1005 	{
1006 		char **p;
1007 
1008 		p = fetch_windows_environment();
1009 		copy_environment(p, &env, &envsize);
1010 		free_windows_environment(p);
1011 	}
1012 #endif
1013 
1014 #ifdef GSSAPI
1015 	/* Allow any GSSAPI methods that we've used to alter
1016 	 * the childs environment as they see fit
1017 	 */
1018 	ssh_gssapi_do_child(&env, &envsize);
1019 #endif
1020 
1021 	/* Set basic environment. */
1022 	for (i = 0; i < s->num_env; i++)
1023 		child_set_env(&env, &envsize, s->env[i].name, s->env[i].val);
1024 
1025 	child_set_env(&env, &envsize, "USER", pw->pw_name);
1026 	child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
1027 #ifdef _AIX
1028 	child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
1029 #endif
1030 	child_set_env(&env, &envsize, "HOME", pw->pw_dir);
1031 #ifdef HAVE_LOGIN_CAP
1032 	if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
1033 		child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
1034 	else
1035 		child_set_env(&env, &envsize, "PATH", getenv("PATH"));
1036 #else /* HAVE_LOGIN_CAP */
1037 # ifndef HAVE_CYGWIN
1038 	/*
1039 	 * There's no standard path on Windows. The path contains
1040 	 * important components pointing to the system directories,
1041 	 * needed for loading shared libraries. So the path better
1042 	 * remains intact here.
1043 	 */
1044 #  ifdef HAVE_ETC_DEFAULT_LOGIN
1045 	read_etc_default_login(&env, &envsize, pw->pw_uid);
1046 	path = child_get_env(env, "PATH");
1047 #  endif /* HAVE_ETC_DEFAULT_LOGIN */
1048 	if (path == NULL || *path == '\0') {
1049 		child_set_env(&env, &envsize, "PATH",
1050 		    s->pw->pw_uid == 0 ?  SUPERUSER_PATH : _PATH_STDPATH);
1051 	}
1052 # endif /* HAVE_CYGWIN */
1053 #endif /* HAVE_LOGIN_CAP */
1054 
1055 	if (!options.use_pam) {
1056 		snprintf(buf, sizeof buf, "%.200s/%.50s",
1057 		    _PATH_MAILDIR, pw->pw_name);
1058 		child_set_env(&env, &envsize, "MAIL", buf);
1059 	}
1060 
1061 	/* Normal systems set SHELL by default. */
1062 	child_set_env(&env, &envsize, "SHELL", shell);
1063 
1064 	if (getenv("TZ"))
1065 		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
1066 	if (s->term)
1067 		child_set_env(&env, &envsize, "TERM", s->term);
1068 	if (s->display)
1069 		child_set_env(&env, &envsize, "DISPLAY", s->display);
1070 
1071 	/*
1072 	 * Since we clear KRB5CCNAME at startup, if it's set now then it
1073 	 * must have been set by a native authentication method (eg AIX or
1074 	 * SIA), so copy it to the child.
1075 	 */
1076 	{
1077 		char *cp;
1078 
1079 		if ((cp = getenv("KRB5CCNAME")) != NULL)
1080 			child_set_env(&env, &envsize, "KRB5CCNAME", cp);
1081 	}
1082 
1083 #ifdef _AIX
1084 	{
1085 		char *cp;
1086 
1087 		if ((cp = getenv("AUTHSTATE")) != NULL)
1088 			child_set_env(&env, &envsize, "AUTHSTATE", cp);
1089 		read_environment_file(&env, &envsize, "/etc/environment",
1090 		    options.permit_user_env_whitelist);
1091 	}
1092 #endif
1093 #ifdef KRB5
1094 	if (s->authctxt->krb5_ccname)
1095 		child_set_env(&env, &envsize, "KRB5CCNAME",
1096 		    s->authctxt->krb5_ccname);
1097 #endif
1098 	if (auth_sock_name != NULL)
1099 		child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
1100 		    auth_sock_name);
1101 
1102 
1103 	/* Set custom environment options from pubkey authentication. */
1104 	if (options.permit_user_env) {
1105 		for (n = 0 ; n < auth_opts->nenv; n++) {
1106 			ocp = xstrdup(auth_opts->env[n]);
1107 			cp = strchr(ocp, '=');
1108 			if (*cp == '=') {
1109 				*cp = '\0';
1110 				/* Apply PermitUserEnvironment whitelist */
1111 				if (options.permit_user_env_whitelist == NULL ||
1112 				    match_pattern_list(ocp,
1113 				    options.permit_user_env_whitelist, 0) == 1)
1114 					child_set_env(&env, &envsize,
1115 					    ocp, cp + 1);
1116 			}
1117 			free(ocp);
1118 		}
1119 	}
1120 
1121 	/* read $HOME/.ssh/environment. */
1122 	if (options.permit_user_env) {
1123 		snprintf(buf, sizeof buf, "%.200s/.ssh/environment",
1124 		    pw->pw_dir);
1125 		read_environment_file(&env, &envsize, buf,
1126 		    options.permit_user_env_whitelist);
1127 	}
1128 
1129 #ifdef USE_PAM
1130 	/*
1131 	 * Pull in any environment variables that may have
1132 	 * been set by PAM.
1133 	 */
1134 	if (options.use_pam) {
1135 		char **p;
1136 
1137 		/*
1138 		 * Don't allow PAM-internal env vars to leak
1139 		 * back into the session environment.
1140 		 */
1141 #define PAM_ENV_BLACKLIST  "SSH_AUTH_INFO*,SSH_CONNECTION*"
1142 		p = fetch_pam_child_environment();
1143 		copy_environment_blacklist(p, &env, &envsize,
1144 		    PAM_ENV_BLACKLIST);
1145 		free_pam_environment(p);
1146 
1147 		p = fetch_pam_environment();
1148 		copy_environment_blacklist(p, &env, &envsize,
1149 		    PAM_ENV_BLACKLIST);
1150 		free_pam_environment(p);
1151 	}
1152 #endif /* USE_PAM */
1153 
1154 	/* Environment specified by admin */
1155 	for (i = 0; i < options.num_setenv; i++) {
1156 		cp = xstrdup(options.setenv[i]);
1157 		if ((value = strchr(cp, '=')) == NULL) {
1158 			/* shouldn't happen; vars are checked in servconf.c */
1159 			fatal("Invalid config SetEnv: %s", options.setenv[i]);
1160 		}
1161 		*value++ = '\0';
1162 		child_set_env(&env, &envsize, cp, value);
1163 	}
1164 
1165 	/* SSH_CLIENT deprecated */
1166 	snprintf(buf, sizeof buf, "%.50s %d %d",
1167 	    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1168 	    ssh_local_port(ssh));
1169 	child_set_env(&env, &envsize, "SSH_CLIENT", buf);
1170 
1171 	laddr = get_local_ipaddr(ssh_packet_get_connection_in(ssh));
1172 	snprintf(buf, sizeof buf, "%.50s %d %.50s %d",
1173 	    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1174 	    laddr, ssh_local_port(ssh));
1175 	free(laddr);
1176 	child_set_env(&env, &envsize, "SSH_CONNECTION", buf);
1177 
1178 	if (tun_fwd_ifnames != NULL)
1179 		child_set_env(&env, &envsize, "SSH_TUNNEL", tun_fwd_ifnames);
1180 	if (auth_info_file != NULL)
1181 		child_set_env(&env, &envsize, "SSH_USER_AUTH", auth_info_file);
1182 	if (s->ttyfd != -1)
1183 		child_set_env(&env, &envsize, "SSH_TTY", s->tty);
1184 	if (original_command)
1185 		child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
1186 		    original_command);
1187 
1188 	if (debug_flag) {
1189 		/* dump the environment */
1190 		fprintf(stderr, "Environment:\n");
1191 		for (i = 0; env[i]; i++)
1192 			fprintf(stderr, "  %.200s\n", env[i]);
1193 	}
1194 	return env;
1195 }
1196 
1197 /*
1198  * Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found
1199  * first in this order).
1200  */
1201 static void
do_rc_files(struct ssh * ssh,Session * s,const char * shell)1202 do_rc_files(struct ssh *ssh, Session *s, const char *shell)
1203 {
1204 	FILE *f = NULL;
1205 	char cmd[1024];
1206 	int do_xauth;
1207 	struct stat st;
1208 
1209 	do_xauth =
1210 	    s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
1211 
1212 	/* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
1213 	if (!s->is_subsystem && options.adm_forced_command == NULL &&
1214 	    auth_opts->permit_user_rc && options.permit_user_rc &&
1215 	    stat(_PATH_SSH_USER_RC, &st) >= 0) {
1216 		snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
1217 		    shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
1218 		if (debug_flag)
1219 			fprintf(stderr, "Running %s\n", cmd);
1220 		f = popen(cmd, "w");
1221 		if (f) {
1222 			if (do_xauth)
1223 				fprintf(f, "%s %s\n", s->auth_proto,
1224 				    s->auth_data);
1225 			pclose(f);
1226 		} else
1227 			fprintf(stderr, "Could not run %s\n",
1228 			    _PATH_SSH_USER_RC);
1229 	} else if (stat(_PATH_SSH_SYSTEM_RC, &st) >= 0) {
1230 		if (debug_flag)
1231 			fprintf(stderr, "Running %s %s\n", _PATH_BSHELL,
1232 			    _PATH_SSH_SYSTEM_RC);
1233 		f = popen(_PATH_BSHELL " " _PATH_SSH_SYSTEM_RC, "w");
1234 		if (f) {
1235 			if (do_xauth)
1236 				fprintf(f, "%s %s\n", s->auth_proto,
1237 				    s->auth_data);
1238 			pclose(f);
1239 		} else
1240 			fprintf(stderr, "Could not run %s\n",
1241 			    _PATH_SSH_SYSTEM_RC);
1242 	} else if (do_xauth && options.xauth_location != NULL) {
1243 		/* Add authority data to .Xauthority if appropriate. */
1244 		if (debug_flag) {
1245 			fprintf(stderr,
1246 			    "Running %.500s remove %.100s\n",
1247 			    options.xauth_location, s->auth_display);
1248 			fprintf(stderr,
1249 			    "%.500s add %.100s %.100s %.100s\n",
1250 			    options.xauth_location, s->auth_display,
1251 			    s->auth_proto, s->auth_data);
1252 		}
1253 		snprintf(cmd, sizeof cmd, "%s -q -",
1254 		    options.xauth_location);
1255 		f = popen(cmd, "w");
1256 		if (f) {
1257 			fprintf(f, "remove %s\n",
1258 			    s->auth_display);
1259 			fprintf(f, "add %s %s %s\n",
1260 			    s->auth_display, s->auth_proto,
1261 			    s->auth_data);
1262 			pclose(f);
1263 		} else {
1264 			fprintf(stderr, "Could not run %s\n",
1265 			    cmd);
1266 		}
1267 	}
1268 }
1269 
1270 static void
do_nologin(struct passwd * pw)1271 do_nologin(struct passwd *pw)
1272 {
1273 	FILE *f = NULL;
1274 	char buf[1024], *nl, *def_nl = _PATH_NOLOGIN;
1275 	struct stat sb;
1276 
1277 #ifdef HAVE_LOGIN_CAP
1278 	if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0)
1279 		return;
1280 	nl = login_getcapstr(lc, "nologin", def_nl, def_nl);
1281 #else
1282 	if (pw->pw_uid == 0)
1283 		return;
1284 	nl = def_nl;
1285 #endif
1286 	if (stat(nl, &sb) == -1) {
1287 		if (nl != def_nl)
1288 			free(nl);
1289 		return;
1290 	}
1291 
1292 	/* /etc/nologin exists.  Print its contents if we can and exit. */
1293 	logit("User %.100s not allowed because %s exists", pw->pw_name, nl);
1294 	if ((f = fopen(nl, "r")) != NULL) {
1295 		while (fgets(buf, sizeof(buf), f))
1296 			fputs(buf, stderr);
1297 		fclose(f);
1298 	}
1299 	exit(254);
1300 }
1301 
1302 /*
1303  * Chroot into a directory after checking it for safety: all path components
1304  * must be root-owned directories with strict permissions.
1305  */
1306 static void
safely_chroot(const char * path,uid_t uid)1307 safely_chroot(const char *path, uid_t uid)
1308 {
1309 	const char *cp;
1310 	char component[PATH_MAX];
1311 	struct stat st;
1312 
1313 	if (!path_absolute(path))
1314 		fatal("chroot path does not begin at root");
1315 	if (strlen(path) >= sizeof(component))
1316 		fatal("chroot path too long");
1317 
1318 	/*
1319 	 * Descend the path, checking that each component is a
1320 	 * root-owned directory with strict permissions.
1321 	 */
1322 	for (cp = path; cp != NULL;) {
1323 		if ((cp = strchr(cp, '/')) == NULL)
1324 			strlcpy(component, path, sizeof(component));
1325 		else {
1326 			cp++;
1327 			memcpy(component, path, cp - path);
1328 			component[cp - path] = '\0';
1329 		}
1330 
1331 		debug3("%s: checking '%s'", __func__, component);
1332 
1333 		if (stat(component, &st) != 0)
1334 			fatal("%s: stat(\"%s\"): %s", __func__,
1335 			    component, strerror(errno));
1336 		if (st.st_uid != 0 || (st.st_mode & 022) != 0)
1337 			fatal("bad ownership or modes for chroot "
1338 			    "directory %s\"%s\"",
1339 			    cp == NULL ? "" : "component ", component);
1340 		if (!S_ISDIR(st.st_mode))
1341 			fatal("chroot path %s\"%s\" is not a directory",
1342 			    cp == NULL ? "" : "component ", component);
1343 
1344 	}
1345 
1346 	if (chdir(path) == -1)
1347 		fatal("Unable to chdir to chroot path \"%s\": "
1348 		    "%s", path, strerror(errno));
1349 	if (chroot(path) == -1)
1350 		fatal("chroot(\"%s\"): %s", path, strerror(errno));
1351 	if (chdir("/") == -1)
1352 		fatal("%s: chdir(/) after chroot: %s",
1353 		    __func__, strerror(errno));
1354 	verbose("Changed root directory to \"%s\"", path);
1355 }
1356 
1357 /* Set login name, uid, gid, and groups. */
1358 void
do_setusercontext(struct passwd * pw)1359 do_setusercontext(struct passwd *pw)
1360 {
1361 	char uidstr[32], *chroot_path, *tmp;
1362 
1363 	platform_setusercontext(pw);
1364 
1365 	if (platform_privileged_uidswap()) {
1366 #ifdef HAVE_LOGIN_CAP
1367 		if (setusercontext(lc, pw, pw->pw_uid,
1368 		    (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
1369 			perror("unable to set user context");
1370 			exit(1);
1371 		}
1372 #else
1373 		if (setlogin(pw->pw_name) < 0)
1374 			error("setlogin failed: %s", strerror(errno));
1375 		if (setgid(pw->pw_gid) < 0) {
1376 			perror("setgid");
1377 			exit(1);
1378 		}
1379 		/* Initialize the group list. */
1380 		if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
1381 			perror("initgroups");
1382 			exit(1);
1383 		}
1384 		endgrent();
1385 #endif
1386 
1387 		platform_setusercontext_post_groups(pw);
1388 
1389 		if (!in_chroot && options.chroot_directory != NULL &&
1390 		    strcasecmp(options.chroot_directory, "none") != 0) {
1391                         tmp = tilde_expand_filename(options.chroot_directory,
1392 			    pw->pw_uid);
1393 			snprintf(uidstr, sizeof(uidstr), "%llu",
1394 			    (unsigned long long)pw->pw_uid);
1395 			chroot_path = percent_expand(tmp, "h", pw->pw_dir,
1396 			    "u", pw->pw_name, "U", uidstr, (char *)NULL);
1397 			safely_chroot(chroot_path, pw->pw_uid);
1398 			free(tmp);
1399 			free(chroot_path);
1400 			/* Make sure we don't attempt to chroot again */
1401 			free(options.chroot_directory);
1402 			options.chroot_directory = NULL;
1403 			in_chroot = 1;
1404 		}
1405 
1406 #ifdef HAVE_LOGIN_CAP
1407 		if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) {
1408 			perror("unable to set user context (setuser)");
1409 			exit(1);
1410 		}
1411 		/*
1412 		 * FreeBSD's setusercontext() will not apply the user's
1413 		 * own umask setting unless running with the user's UID.
1414 		 */
1415 		(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK);
1416 #else
1417 # ifdef USE_LIBIAF
1418 		/*
1419 		 * In a chroot environment, the set_id() will always fail;
1420 		 * typically because of the lack of necessary authentication
1421 		 * services and runtime such as ./usr/lib/libiaf.so,
1422 		 * ./usr/lib/libpam.so.1, and ./etc/passwd We skip it in the
1423 		 * internal sftp chroot case.  We'll lose auditing and ACLs but
1424 		 * permanently_set_uid will take care of the rest.
1425 		 */
1426 		if (!in_chroot && set_id(pw->pw_name) != 0)
1427 			fatal("set_id(%s) Failed", pw->pw_name);
1428 # endif /* USE_LIBIAF */
1429 		/* Permanently switch to the desired uid. */
1430 		permanently_set_uid(pw);
1431 #endif
1432 	} else if (options.chroot_directory != NULL &&
1433 	    strcasecmp(options.chroot_directory, "none") != 0) {
1434 		fatal("server lacks privileges to chroot to ChrootDirectory");
1435 	}
1436 
1437 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
1438 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
1439 }
1440 
1441 static void
do_pwchange(Session * s)1442 do_pwchange(Session *s)
1443 {
1444 	fflush(NULL);
1445 	fprintf(stderr, "WARNING: Your password has expired.\n");
1446 	if (s->ttyfd != -1) {
1447 		fprintf(stderr,
1448 		    "You must change your password now and login again!\n");
1449 #ifdef WITH_SELINUX
1450 		setexeccon(NULL);
1451 #endif
1452 #ifdef PASSWD_NEEDS_USERNAME
1453 		execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,
1454 		    (char *)NULL);
1455 #else
1456 		execl(_PATH_PASSWD_PROG, "passwd", (char *)NULL);
1457 #endif
1458 		perror("passwd");
1459 	} else {
1460 		fprintf(stderr,
1461 		    "Password change required but no TTY available.\n");
1462 	}
1463 	exit(1);
1464 }
1465 
1466 static void
child_close_fds(struct ssh * ssh)1467 child_close_fds(struct ssh *ssh)
1468 {
1469 	extern int auth_sock;
1470 
1471 	if (auth_sock != -1) {
1472 		close(auth_sock);
1473 		auth_sock = -1;
1474 	}
1475 
1476 	if (ssh_packet_get_connection_in(ssh) ==
1477 	    ssh_packet_get_connection_out(ssh))
1478 		close(ssh_packet_get_connection_in(ssh));
1479 	else {
1480 		close(ssh_packet_get_connection_in(ssh));
1481 		close(ssh_packet_get_connection_out(ssh));
1482 	}
1483 	/*
1484 	 * Close all descriptors related to channels.  They will still remain
1485 	 * open in the parent.
1486 	 */
1487 	/* XXX better use close-on-exec? -markus */
1488 	channel_close_all(ssh);
1489 
1490 	/*
1491 	 * Close any extra file descriptors.  Note that there may still be
1492 	 * descriptors left by system functions.  They will be closed later.
1493 	 */
1494 	endpwent();
1495 
1496 	/*
1497 	 * Close any extra open file descriptors so that we don't have them
1498 	 * hanging around in clients.  Note that we want to do this after
1499 	 * initgroups, because at least on Solaris 2.3 it leaves file
1500 	 * descriptors open.
1501 	 */
1502 	closefrom(STDERR_FILENO + 1);
1503 }
1504 
1505 /*
1506  * Performs common processing for the child, such as setting up the
1507  * environment, closing extra file descriptors, setting the user and group
1508  * ids, and executing the command or shell.
1509  */
1510 #define ARGV_MAX 10
1511 void
do_child(struct ssh * ssh,Session * s,const char * command)1512 do_child(struct ssh *ssh, Session *s, const char *command)
1513 {
1514 	extern char **environ;
1515 	char **env, *argv[ARGV_MAX], remote_id[512];
1516 	const char *shell, *shell0;
1517 	struct passwd *pw = s->pw;
1518 	int r = 0;
1519 
1520 	sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
1521 
1522 	/* remove hostkey from the child's memory */
1523 	destroy_sensitive_data();
1524 	ssh_packet_clear_keys(ssh);
1525 
1526 	/* Force a password change */
1527 	if (s->authctxt->force_pwchange) {
1528 		do_setusercontext(pw);
1529 		child_close_fds(ssh);
1530 		do_pwchange(s);
1531 		exit(1);
1532 	}
1533 
1534 	/*
1535 	 * Login(1) does this as well, and it needs uid 0 for the "-h"
1536 	 * switch, so we let login(1) to this for us.
1537 	 */
1538 #ifdef HAVE_OSF_SIA
1539 	session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty);
1540 	if (!check_quietlogin(s, command))
1541 		do_motd();
1542 #else /* HAVE_OSF_SIA */
1543 	/* When PAM is enabled we rely on it to do the nologin check */
1544 	if (!options.use_pam)
1545 		do_nologin(pw);
1546 	do_setusercontext(pw);
1547 	/*
1548 	 * PAM session modules in do_setusercontext may have
1549 	 * generated messages, so if this in an interactive
1550 	 * login then display them too.
1551 	 */
1552 	if (!check_quietlogin(s, command))
1553 		display_loginmsg();
1554 #endif /* HAVE_OSF_SIA */
1555 
1556 #ifdef USE_PAM
1557 	if (options.use_pam && !is_pam_session_open()) {
1558 		debug3("PAM session not opened, exiting");
1559 		display_loginmsg();
1560 		exit(254);
1561 	}
1562 #endif
1563 
1564 	/*
1565 	 * Get the shell from the password data.  An empty shell field is
1566 	 * legal, and means /bin/sh.
1567 	 */
1568 	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
1569 
1570 	/*
1571 	 * Make sure $SHELL points to the shell from the password file,
1572 	 * even if shell is overridden from login.conf
1573 	 */
1574 	env = do_setup_env(ssh, s, shell);
1575 
1576 #ifdef HAVE_LOGIN_CAP
1577 	shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
1578 #endif
1579 
1580 	/*
1581 	 * Close the connection descriptors; note that this is the child, and
1582 	 * the server will still have the socket open, and it is important
1583 	 * that we do not shutdown it.  Note that the descriptors cannot be
1584 	 * closed before building the environment, as we call
1585 	 * ssh_remote_ipaddr there.
1586 	 */
1587 	child_close_fds(ssh);
1588 
1589 	/*
1590 	 * Must take new environment into use so that .ssh/rc,
1591 	 * /etc/ssh/sshrc and xauth are run in the proper environment.
1592 	 */
1593 	environ = env;
1594 
1595 #if defined(KRB5) && defined(USE_AFS)
1596 	/*
1597 	 * At this point, we check to see if AFS is active and if we have
1598 	 * a valid Kerberos 5 TGT. If so, it seems like a good idea to see
1599 	 * if we can (and need to) extend the ticket into an AFS token. If
1600 	 * we don't do this, we run into potential problems if the user's
1601 	 * home directory is in AFS and it's not world-readable.
1602 	 */
1603 
1604 	if (options.kerberos_get_afs_token && k_hasafs() &&
1605 	    (s->authctxt->krb5_ctx != NULL)) {
1606 		char cell[64];
1607 
1608 		debug("Getting AFS token");
1609 
1610 		k_setpag();
1611 
1612 		if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
1613 			krb5_afslog(s->authctxt->krb5_ctx,
1614 			    s->authctxt->krb5_fwd_ccache, cell, NULL);
1615 
1616 		krb5_afslog_home(s->authctxt->krb5_ctx,
1617 		    s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
1618 	}
1619 #endif
1620 
1621 	/* Change current directory to the user's home directory. */
1622 	if (chdir(pw->pw_dir) == -1) {
1623 		/* Suppress missing homedir warning for chroot case */
1624 #ifdef HAVE_LOGIN_CAP
1625 		r = login_getcapbool(lc, "requirehome", 0);
1626 #endif
1627 		if (r || !in_chroot) {
1628 			fprintf(stderr, "Could not chdir to home "
1629 			    "directory %s: %s\n", pw->pw_dir,
1630 			    strerror(errno));
1631 		}
1632 		if (r)
1633 			exit(1);
1634 	}
1635 
1636 	closefrom(STDERR_FILENO + 1);
1637 
1638 	do_rc_files(ssh, s, shell);
1639 
1640 	/* restore SIGPIPE for child */
1641 	signal(SIGPIPE, SIG_DFL);
1642 
1643 	if (s->is_subsystem == SUBSYSTEM_INT_SFTP_ERROR) {
1644 		error("Connection from %s: refusing non-sftp session",
1645 		    remote_id);
1646 		printf("This service allows sftp connections only.\n");
1647 		fflush(NULL);
1648 		exit(1);
1649 	} else if (s->is_subsystem == SUBSYSTEM_INT_SFTP) {
1650 		extern int optind, optreset;
1651 		int i;
1652 		char *p, *args;
1653 
1654 		setproctitle("%s@%s", s->pw->pw_name, INTERNAL_SFTP_NAME);
1655 		args = xstrdup(command ? command : "sftp-server");
1656 		for (i = 0, (p = strtok(args, " ")); p; (p = strtok(NULL, " ")))
1657 			if (i < ARGV_MAX - 1)
1658 				argv[i++] = p;
1659 		argv[i] = NULL;
1660 		optind = optreset = 1;
1661 		__progname = argv[0];
1662 #ifdef WITH_SELINUX
1663 		ssh_selinux_change_context("sftpd_t");
1664 #endif
1665 		exit(sftp_server_main(i, argv, s->pw));
1666 	}
1667 
1668 	fflush(NULL);
1669 
1670 	/* Get the last component of the shell name. */
1671 	if ((shell0 = strrchr(shell, '/')) != NULL)
1672 		shell0++;
1673 	else
1674 		shell0 = shell;
1675 
1676 	/*
1677 	 * If we have no command, execute the shell.  In this case, the shell
1678 	 * name to be passed in argv[0] is preceded by '-' to indicate that
1679 	 * this is a login shell.
1680 	 */
1681 	if (!command) {
1682 		char argv0[256];
1683 
1684 		/* Start the shell.  Set initial character to '-'. */
1685 		argv0[0] = '-';
1686 
1687 		if (strlcpy(argv0 + 1, shell0, sizeof(argv0) - 1)
1688 		    >= sizeof(argv0) - 1) {
1689 			errno = EINVAL;
1690 			perror(shell);
1691 			exit(1);
1692 		}
1693 
1694 		/* Execute the shell. */
1695 		argv[0] = argv0;
1696 		argv[1] = NULL;
1697 		execve(shell, argv, env);
1698 
1699 		/* Executing the shell failed. */
1700 		perror(shell);
1701 		exit(1);
1702 	}
1703 	/*
1704 	 * Execute the command using the user's shell.  This uses the -c
1705 	 * option to execute the command.
1706 	 */
1707 	argv[0] = (char *) shell0;
1708 	argv[1] = "-c";
1709 	argv[2] = (char *) command;
1710 	argv[3] = NULL;
1711 	execve(shell, argv, env);
1712 	perror(shell);
1713 	exit(1);
1714 }
1715 
1716 void
session_unused(int id)1717 session_unused(int id)
1718 {
1719 	debug3("%s: session id %d unused", __func__, id);
1720 	if (id >= options.max_sessions ||
1721 	    id >= sessions_nalloc) {
1722 		fatal("%s: insane session id %d (max %d nalloc %d)",
1723 		    __func__, id, options.max_sessions, sessions_nalloc);
1724 	}
1725 	memset(&sessions[id], 0, sizeof(*sessions));
1726 	sessions[id].self = id;
1727 	sessions[id].used = 0;
1728 	sessions[id].chanid = -1;
1729 	sessions[id].ptyfd = -1;
1730 	sessions[id].ttyfd = -1;
1731 	sessions[id].ptymaster = -1;
1732 	sessions[id].x11_chanids = NULL;
1733 	sessions[id].next_unused = sessions_first_unused;
1734 	sessions_first_unused = id;
1735 }
1736 
1737 Session *
session_new(void)1738 session_new(void)
1739 {
1740 	Session *s, *tmp;
1741 
1742 	if (sessions_first_unused == -1) {
1743 		if (sessions_nalloc >= options.max_sessions)
1744 			return NULL;
1745 		debug2("%s: allocate (allocated %d max %d)",
1746 		    __func__, sessions_nalloc, options.max_sessions);
1747 		tmp = xrecallocarray(sessions, sessions_nalloc,
1748 		    sessions_nalloc + 1, sizeof(*sessions));
1749 		if (tmp == NULL) {
1750 			error("%s: cannot allocate %d sessions",
1751 			    __func__, sessions_nalloc + 1);
1752 			return NULL;
1753 		}
1754 		sessions = tmp;
1755 		session_unused(sessions_nalloc++);
1756 	}
1757 
1758 	if (sessions_first_unused >= sessions_nalloc ||
1759 	    sessions_first_unused < 0) {
1760 		fatal("%s: insane first_unused %d max %d nalloc %d",
1761 		    __func__, sessions_first_unused, options.max_sessions,
1762 		    sessions_nalloc);
1763 	}
1764 
1765 	s = &sessions[sessions_first_unused];
1766 	if (s->used) {
1767 		fatal("%s: session %d already used",
1768 		    __func__, sessions_first_unused);
1769 	}
1770 	sessions_first_unused = s->next_unused;
1771 	s->used = 1;
1772 	s->next_unused = -1;
1773 	debug("session_new: session %d", s->self);
1774 
1775 	return s;
1776 }
1777 
1778 static void
session_dump(void)1779 session_dump(void)
1780 {
1781 	int i;
1782 	for (i = 0; i < sessions_nalloc; i++) {
1783 		Session *s = &sessions[i];
1784 
1785 		debug("dump: used %d next_unused %d session %d %p "
1786 		    "channel %d pid %ld",
1787 		    s->used,
1788 		    s->next_unused,
1789 		    s->self,
1790 		    s,
1791 		    s->chanid,
1792 		    (long)s->pid);
1793 	}
1794 }
1795 
1796 int
session_open(Authctxt * authctxt,int chanid)1797 session_open(Authctxt *authctxt, int chanid)
1798 {
1799 	Session *s = session_new();
1800 	debug("session_open: channel %d", chanid);
1801 	if (s == NULL) {
1802 		error("no more sessions");
1803 		return 0;
1804 	}
1805 	s->authctxt = authctxt;
1806 	s->pw = authctxt->pw;
1807 	if (s->pw == NULL || !authctxt->valid)
1808 		fatal("no user for session %d", s->self);
1809 	debug("session_open: session %d: link with channel %d", s->self, chanid);
1810 	s->chanid = chanid;
1811 	return 1;
1812 }
1813 
1814 Session *
session_by_tty(char * tty)1815 session_by_tty(char *tty)
1816 {
1817 	int i;
1818 	for (i = 0; i < sessions_nalloc; i++) {
1819 		Session *s = &sessions[i];
1820 		if (s->used && s->ttyfd != -1 && strcmp(s->tty, tty) == 0) {
1821 			debug("session_by_tty: session %d tty %s", i, tty);
1822 			return s;
1823 		}
1824 	}
1825 	debug("session_by_tty: unknown tty %.100s", tty);
1826 	session_dump();
1827 	return NULL;
1828 }
1829 
1830 static Session *
session_by_channel(int id)1831 session_by_channel(int id)
1832 {
1833 	int i;
1834 	for (i = 0; i < sessions_nalloc; i++) {
1835 		Session *s = &sessions[i];
1836 		if (s->used && s->chanid == id) {
1837 			debug("session_by_channel: session %d channel %d",
1838 			    i, id);
1839 			return s;
1840 		}
1841 	}
1842 	debug("session_by_channel: unknown channel %d", id);
1843 	session_dump();
1844 	return NULL;
1845 }
1846 
1847 static Session *
session_by_x11_channel(int id)1848 session_by_x11_channel(int id)
1849 {
1850 	int i, j;
1851 
1852 	for (i = 0; i < sessions_nalloc; i++) {
1853 		Session *s = &sessions[i];
1854 
1855 		if (s->x11_chanids == NULL || !s->used)
1856 			continue;
1857 		for (j = 0; s->x11_chanids[j] != -1; j++) {
1858 			if (s->x11_chanids[j] == id) {
1859 				debug("session_by_x11_channel: session %d "
1860 				    "channel %d", s->self, id);
1861 				return s;
1862 			}
1863 		}
1864 	}
1865 	debug("session_by_x11_channel: unknown channel %d", id);
1866 	session_dump();
1867 	return NULL;
1868 }
1869 
1870 static Session *
session_by_pid(pid_t pid)1871 session_by_pid(pid_t pid)
1872 {
1873 	int i;
1874 	debug("session_by_pid: pid %ld", (long)pid);
1875 	for (i = 0; i < sessions_nalloc; i++) {
1876 		Session *s = &sessions[i];
1877 		if (s->used && s->pid == pid)
1878 			return s;
1879 	}
1880 	error("session_by_pid: unknown pid %ld", (long)pid);
1881 	session_dump();
1882 	return NULL;
1883 }
1884 
1885 static int
session_window_change_req(struct ssh * ssh,Session * s)1886 session_window_change_req(struct ssh *ssh, Session *s)
1887 {
1888 	int r;
1889 
1890 	if ((r = sshpkt_get_u32(ssh, &s->col)) != 0 ||
1891 	    (r = sshpkt_get_u32(ssh, &s->row)) != 0 ||
1892 	    (r = sshpkt_get_u32(ssh, &s->xpixel)) != 0 ||
1893 	    (r = sshpkt_get_u32(ssh, &s->ypixel)) != 0 ||
1894 	    (r = sshpkt_get_end(ssh)) != 0)
1895 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
1896 	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
1897 	return 1;
1898 }
1899 
1900 static int
session_pty_req(struct ssh * ssh,Session * s)1901 session_pty_req(struct ssh *ssh, Session *s)
1902 {
1903 	int r;
1904 
1905 	if (!auth_opts->permit_pty_flag || !options.permit_tty) {
1906 		debug("Allocating a pty not permitted for this connection.");
1907 		return 0;
1908 	}
1909 	if (s->ttyfd != -1) {
1910 		ssh_packet_disconnect(ssh, "Protocol error: you already have a pty.");
1911 		return 0;
1912 	}
1913 
1914 	if ((r = sshpkt_get_cstring(ssh, &s->term, NULL)) != 0 ||
1915 	    (r = sshpkt_get_u32(ssh, &s->col)) != 0 ||
1916 	    (r = sshpkt_get_u32(ssh, &s->row)) != 0 ||
1917 	    (r = sshpkt_get_u32(ssh, &s->xpixel)) != 0 ||
1918 	    (r = sshpkt_get_u32(ssh, &s->ypixel)) != 0)
1919 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
1920 
1921 	if (strcmp(s->term, "") == 0) {
1922 		free(s->term);
1923 		s->term = NULL;
1924 	}
1925 
1926 	/* Allocate a pty and open it. */
1927 	debug("Allocating pty.");
1928 	if (!PRIVSEP(pty_allocate(&s->ptyfd, &s->ttyfd, s->tty,
1929 	    sizeof(s->tty)))) {
1930 		free(s->term);
1931 		s->term = NULL;
1932 		s->ptyfd = -1;
1933 		s->ttyfd = -1;
1934 		error("session_pty_req: session %d alloc failed", s->self);
1935 		return 0;
1936 	}
1937 	debug("session_pty_req: session %d alloc %s", s->self, s->tty);
1938 
1939 	ssh_tty_parse_modes(ssh, s->ttyfd);
1940 
1941 	if ((r = sshpkt_get_end(ssh)) != 0)
1942 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
1943 
1944 	if (!use_privsep)
1945 		pty_setowner(s->pw, s->tty);
1946 
1947 	/* Set window size from the packet. */
1948 	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
1949 
1950 	session_proctitle(s);
1951 	return 1;
1952 }
1953 
1954 static int
session_subsystem_req(struct ssh * ssh,Session * s)1955 session_subsystem_req(struct ssh *ssh, Session *s)
1956 {
1957 	struct stat st;
1958 	int r, success = 0;
1959 	char *prog, *cmd;
1960 	u_int i;
1961 
1962 	if ((r = sshpkt_get_cstring(ssh, &s->subsys, NULL)) != 0 ||
1963 	    (r = sshpkt_get_end(ssh)) != 0)
1964 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
1965 	debug2("subsystem request for %.100s by user %s", s->subsys,
1966 	    s->pw->pw_name);
1967 
1968 	for (i = 0; i < options.num_subsystems; i++) {
1969 		if (strcmp(s->subsys, options.subsystem_name[i]) == 0) {
1970 			prog = options.subsystem_command[i];
1971 			cmd = options.subsystem_args[i];
1972 			if (strcmp(INTERNAL_SFTP_NAME, prog) == 0) {
1973 				s->is_subsystem = SUBSYSTEM_INT_SFTP;
1974 				debug("subsystem: %s", prog);
1975 			} else {
1976 				if (stat(prog, &st) == -1)
1977 					debug("subsystem: cannot stat %s: %s",
1978 					    prog, strerror(errno));
1979 				s->is_subsystem = SUBSYSTEM_EXT;
1980 				debug("subsystem: exec() %s", cmd);
1981 			}
1982 			success = do_exec(ssh, s, cmd) == 0;
1983 			break;
1984 		}
1985 	}
1986 
1987 	if (!success)
1988 		logit("subsystem request for %.100s by user %s failed, "
1989 		    "subsystem not found", s->subsys, s->pw->pw_name);
1990 
1991 	return success;
1992 }
1993 
1994 static int
session_x11_req(struct ssh * ssh,Session * s)1995 session_x11_req(struct ssh *ssh, Session *s)
1996 {
1997 	int r, success;
1998 	u_char single_connection = 0;
1999 
2000 	if (s->auth_proto != NULL || s->auth_data != NULL) {
2001 		error("session_x11_req: session %d: "
2002 		    "x11 forwarding already active", s->self);
2003 		return 0;
2004 	}
2005 	if ((r = sshpkt_get_u8(ssh, &single_connection)) != 0 ||
2006 	    (r = sshpkt_get_cstring(ssh, &s->auth_proto, NULL)) != 0 ||
2007 	    (r = sshpkt_get_cstring(ssh, &s->auth_data, NULL)) != 0 ||
2008 	    (r = sshpkt_get_u32(ssh, &s->screen)) != 0 ||
2009 	    (r = sshpkt_get_end(ssh)) != 0)
2010 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
2011 
2012 	s->single_connection = single_connection;
2013 
2014 	if (xauth_valid_string(s->auth_proto) &&
2015 	    xauth_valid_string(s->auth_data))
2016 		success = session_setup_x11fwd(ssh, s);
2017 	else {
2018 		success = 0;
2019 		error("Invalid X11 forwarding data");
2020 	}
2021 	if (!success) {
2022 		free(s->auth_proto);
2023 		free(s->auth_data);
2024 		s->auth_proto = NULL;
2025 		s->auth_data = NULL;
2026 	}
2027 	return success;
2028 }
2029 
2030 static int
session_shell_req(struct ssh * ssh,Session * s)2031 session_shell_req(struct ssh *ssh, Session *s)
2032 {
2033 	int r;
2034 
2035 	if ((r = sshpkt_get_end(ssh)) != 0)
2036 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
2037 	return do_exec(ssh, s, NULL) == 0;
2038 }
2039 
2040 static int
session_exec_req(struct ssh * ssh,Session * s)2041 session_exec_req(struct ssh *ssh, Session *s)
2042 {
2043 	u_int success;
2044 	int r;
2045 	char *command = NULL;
2046 
2047 	if ((r = sshpkt_get_cstring(ssh, &command, NULL)) != 0 ||
2048 	    (r = sshpkt_get_end(ssh)) != 0)
2049 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
2050 
2051 	success = do_exec(ssh, s, command) == 0;
2052 	free(command);
2053 	return success;
2054 }
2055 
2056 static int
session_break_req(struct ssh * ssh,Session * s)2057 session_break_req(struct ssh *ssh, Session *s)
2058 {
2059 	int r;
2060 
2061 	if ((r = sshpkt_get_u32(ssh, NULL)) != 0 || /* ignore */
2062 	    (r = sshpkt_get_end(ssh)) != 0)
2063 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
2064 
2065 	if (s->ptymaster == -1 || tcsendbreak(s->ptymaster, 0) == -1)
2066 		return 0;
2067 	return 1;
2068 }
2069 
2070 static int
session_env_req(struct ssh * ssh,Session * s)2071 session_env_req(struct ssh *ssh, Session *s)
2072 {
2073 	char *name, *val;
2074 	u_int i;
2075 	int r;
2076 
2077 	if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0 ||
2078 	    (r = sshpkt_get_cstring(ssh, &val, NULL)) != 0 ||
2079 	    (r = sshpkt_get_end(ssh)) != 0)
2080 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
2081 
2082 	/* Don't set too many environment variables */
2083 	if (s->num_env > 128) {
2084 		debug2("Ignoring env request %s: too many env vars", name);
2085 		goto fail;
2086 	}
2087 
2088 	for (i = 0; i < options.num_accept_env; i++) {
2089 		if (match_pattern(name, options.accept_env[i])) {
2090 			debug2("Setting env %d: %s=%s", s->num_env, name, val);
2091 			s->env = xrecallocarray(s->env, s->num_env,
2092 			    s->num_env + 1, sizeof(*s->env));
2093 			s->env[s->num_env].name = name;
2094 			s->env[s->num_env].val = val;
2095 			s->num_env++;
2096 			return (1);
2097 		}
2098 	}
2099 	debug2("Ignoring env request %s: disallowed name", name);
2100 
2101  fail:
2102 	free(name);
2103 	free(val);
2104 	return (0);
2105 }
2106 
2107 /*
2108  * Conversion of signals from ssh channel request names.
2109  * Subset of signals from RFC 4254 section 6.10C, with SIGINFO as
2110  * local extension.
2111  */
2112 static int
name2sig(char * name)2113 name2sig(char *name)
2114 {
2115 #define SSH_SIG(x) if (strcmp(name, #x) == 0) return SIG ## x
2116 	SSH_SIG(HUP);
2117 	SSH_SIG(INT);
2118 	SSH_SIG(KILL);
2119 	SSH_SIG(QUIT);
2120 	SSH_SIG(TERM);
2121 	SSH_SIG(USR1);
2122 	SSH_SIG(USR2);
2123 #undef	SSH_SIG
2124 #ifdef SIGINFO
2125 	if (strcmp(name, "INFO@openssh.com") == 0)
2126 		return SIGINFO;
2127 #endif
2128 	return -1;
2129 }
2130 
2131 static int
session_signal_req(struct ssh * ssh,Session * s)2132 session_signal_req(struct ssh *ssh, Session *s)
2133 {
2134 	char *signame = NULL;
2135 	int r, sig, success = 0;
2136 
2137 	if ((r = sshpkt_get_cstring(ssh, &signame, NULL)) != 0 ||
2138 	    (r = sshpkt_get_end(ssh)) != 0) {
2139 		error("%s: parse packet: %s", __func__, ssh_err(r));
2140 		goto out;
2141 	}
2142 	if ((sig = name2sig(signame)) == -1) {
2143 		error("%s: unsupported signal \"%s\"", __func__, signame);
2144 		goto out;
2145 	}
2146 	if (s->pid <= 0) {
2147 		error("%s: no pid for session %d", __func__, s->self);
2148 		goto out;
2149 	}
2150 	if (s->forced || s->is_subsystem) {
2151 		error("%s: refusing to send signal %s to %s session", __func__,
2152 		    signame, s->forced ? "forced-command" : "subsystem");
2153 		goto out;
2154 	}
2155 	if (!use_privsep || mm_is_monitor()) {
2156 		error("%s: session signalling requires privilege separation",
2157 		    __func__);
2158 		goto out;
2159 	}
2160 
2161 	debug("%s: signal %s, killpg(%ld, %d)", __func__, signame,
2162 	    (long)s->pid, sig);
2163 	temporarily_use_uid(s->pw);
2164 	r = killpg(s->pid, sig);
2165 	restore_uid();
2166 	if (r != 0) {
2167 		error("%s: killpg(%ld, %d): %s", __func__, (long)s->pid,
2168 		    sig, strerror(errno));
2169 		goto out;
2170 	}
2171 
2172 	/* success */
2173 	success = 1;
2174  out:
2175 	free(signame);
2176 	return success;
2177 }
2178 
2179 static int
session_auth_agent_req(struct ssh * ssh,Session * s)2180 session_auth_agent_req(struct ssh *ssh, Session *s)
2181 {
2182 	static int called = 0;
2183 	int r;
2184 
2185 	if ((r = sshpkt_get_end(ssh)) != 0)
2186 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
2187 	if (!auth_opts->permit_agent_forwarding_flag ||
2188 	    !options.allow_agent_forwarding) {
2189 		debug("%s: agent forwarding disabled", __func__);
2190 		return 0;
2191 	}
2192 	if (called) {
2193 		return 0;
2194 	} else {
2195 		called = 1;
2196 		return auth_input_request_forwarding(ssh, s->pw);
2197 	}
2198 }
2199 
2200 int
session_input_channel_req(struct ssh * ssh,Channel * c,const char * rtype)2201 session_input_channel_req(struct ssh *ssh, Channel *c, const char *rtype)
2202 {
2203 	int success = 0;
2204 	Session *s;
2205 
2206 	if ((s = session_by_channel(c->self)) == NULL) {
2207 		logit("%s: no session %d req %.100s", __func__, c->self, rtype);
2208 		return 0;
2209 	}
2210 	debug("%s: session %d req %s", __func__, s->self, rtype);
2211 
2212 	/*
2213 	 * a session is in LARVAL state until a shell, a command
2214 	 * or a subsystem is executed
2215 	 */
2216 	if (c->type == SSH_CHANNEL_LARVAL) {
2217 		if (strcmp(rtype, "shell") == 0) {
2218 			success = session_shell_req(ssh, s);
2219 		} else if (strcmp(rtype, "exec") == 0) {
2220 			success = session_exec_req(ssh, s);
2221 		} else if (strcmp(rtype, "pty-req") == 0) {
2222 			success = session_pty_req(ssh, s);
2223 		} else if (strcmp(rtype, "x11-req") == 0) {
2224 			success = session_x11_req(ssh, s);
2225 		} else if (strcmp(rtype, "auth-agent-req@openssh.com") == 0) {
2226 			success = session_auth_agent_req(ssh, s);
2227 		} else if (strcmp(rtype, "subsystem") == 0) {
2228 			success = session_subsystem_req(ssh, s);
2229 		} else if (strcmp(rtype, "env") == 0) {
2230 			success = session_env_req(ssh, s);
2231 		}
2232 	}
2233 	if (strcmp(rtype, "window-change") == 0) {
2234 		success = session_window_change_req(ssh, s);
2235 	} else if (strcmp(rtype, "break") == 0) {
2236 		success = session_break_req(ssh, s);
2237 	} else if (strcmp(rtype, "signal") == 0) {
2238 		success = session_signal_req(ssh, s);
2239 	}
2240 
2241 	return success;
2242 }
2243 
2244 void
session_set_fds(struct ssh * ssh,Session * s,int fdin,int fdout,int fderr,int ignore_fderr,int is_tty)2245 session_set_fds(struct ssh *ssh, Session *s,
2246     int fdin, int fdout, int fderr, int ignore_fderr, int is_tty)
2247 {
2248 	/*
2249 	 * now that have a child and a pipe to the child,
2250 	 * we can activate our channel and register the fd's
2251 	 */
2252 	if (s->chanid == -1)
2253 		fatal("no channel for session %d", s->self);
2254 	channel_set_fds(ssh, s->chanid,
2255 	    fdout, fdin, fderr,
2256 	    ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
2257 	    1, is_tty, CHAN_SES_WINDOW_DEFAULT);
2258 }
2259 
2260 /*
2261  * Function to perform pty cleanup. Also called if we get aborted abnormally
2262  * (e.g., due to a dropped connection).
2263  */
2264 void
session_pty_cleanup2(Session * s)2265 session_pty_cleanup2(Session *s)
2266 {
2267 	if (s == NULL) {
2268 		error("%s: no session", __func__);
2269 		return;
2270 	}
2271 	if (s->ttyfd == -1)
2272 		return;
2273 
2274 	debug("%s: session %d release %s", __func__, s->self, s->tty);
2275 
2276 	/* Record that the user has logged out. */
2277 	if (s->pid != 0)
2278 		record_logout(s->pid, s->tty, s->pw->pw_name);
2279 
2280 	/* Release the pseudo-tty. */
2281 	if (getuid() == 0)
2282 		pty_release(s->tty);
2283 
2284 	/*
2285 	 * Close the server side of the socket pairs.  We must do this after
2286 	 * the pty cleanup, so that another process doesn't get this pty
2287 	 * while we're still cleaning up.
2288 	 */
2289 	if (s->ptymaster != -1 && close(s->ptymaster) == -1)
2290 		error("close(s->ptymaster/%d): %s",
2291 		    s->ptymaster, strerror(errno));
2292 
2293 	/* unlink pty from session */
2294 	s->ttyfd = -1;
2295 }
2296 
2297 void
session_pty_cleanup(Session * s)2298 session_pty_cleanup(Session *s)
2299 {
2300 	PRIVSEP(session_pty_cleanup2(s));
2301 }
2302 
2303 static char *
sig2name(int sig)2304 sig2name(int sig)
2305 {
2306 #define SSH_SIG(x) if (sig == SIG ## x) return #x
2307 	SSH_SIG(ABRT);
2308 	SSH_SIG(ALRM);
2309 	SSH_SIG(FPE);
2310 	SSH_SIG(HUP);
2311 	SSH_SIG(ILL);
2312 	SSH_SIG(INT);
2313 	SSH_SIG(KILL);
2314 	SSH_SIG(PIPE);
2315 	SSH_SIG(QUIT);
2316 	SSH_SIG(SEGV);
2317 	SSH_SIG(TERM);
2318 	SSH_SIG(USR1);
2319 	SSH_SIG(USR2);
2320 #undef	SSH_SIG
2321 	return "SIG@openssh.com";
2322 }
2323 
2324 static void
session_close_x11(struct ssh * ssh,int id)2325 session_close_x11(struct ssh *ssh, int id)
2326 {
2327 	Channel *c;
2328 
2329 	if ((c = channel_by_id(ssh, id)) == NULL) {
2330 		debug("%s: x11 channel %d missing", __func__, id);
2331 	} else {
2332 		/* Detach X11 listener */
2333 		debug("%s: detach x11 channel %d", __func__, id);
2334 		channel_cancel_cleanup(ssh, id);
2335 		if (c->ostate != CHAN_OUTPUT_CLOSED)
2336 			chan_mark_dead(ssh, c);
2337 	}
2338 }
2339 
2340 static void
session_close_single_x11(struct ssh * ssh,int id,void * arg)2341 session_close_single_x11(struct ssh *ssh, int id, void *arg)
2342 {
2343 	Session *s;
2344 	u_int i;
2345 
2346 	debug3("%s: channel %d", __func__, id);
2347 	channel_cancel_cleanup(ssh, id);
2348 	if ((s = session_by_x11_channel(id)) == NULL)
2349 		fatal("%s: no x11 channel %d", __func__, id);
2350 	for (i = 0; s->x11_chanids[i] != -1; i++) {
2351 		debug("%s: session %d: closing channel %d",
2352 		    __func__, s->self, s->x11_chanids[i]);
2353 		/*
2354 		 * The channel "id" is already closing, but make sure we
2355 		 * close all of its siblings.
2356 		 */
2357 		if (s->x11_chanids[i] != id)
2358 			session_close_x11(ssh, s->x11_chanids[i]);
2359 	}
2360 	free(s->x11_chanids);
2361 	s->x11_chanids = NULL;
2362 	free(s->display);
2363 	s->display = NULL;
2364 	free(s->auth_proto);
2365 	s->auth_proto = NULL;
2366 	free(s->auth_data);
2367 	s->auth_data = NULL;
2368 	free(s->auth_display);
2369 	s->auth_display = NULL;
2370 }
2371 
2372 static void
session_exit_message(struct ssh * ssh,Session * s,int status)2373 session_exit_message(struct ssh *ssh, Session *s, int status)
2374 {
2375 	Channel *c;
2376 	int r;
2377 
2378 	if ((c = channel_lookup(ssh, s->chanid)) == NULL)
2379 		fatal("%s: session %d: no channel %d",
2380 		    __func__, s->self, s->chanid);
2381 	debug("%s: session %d channel %d pid %ld",
2382 	    __func__, s->self, s->chanid, (long)s->pid);
2383 
2384 	if (WIFEXITED(status)) {
2385 		channel_request_start(ssh, s->chanid, "exit-status", 0);
2386 		if ((r = sshpkt_put_u32(ssh, WEXITSTATUS(status))) != 0 ||
2387 		    (r = sshpkt_send(ssh)) != 0)
2388 			sshpkt_fatal(ssh, r, "%s: exit reply", __func__);
2389 	} else if (WIFSIGNALED(status)) {
2390 		channel_request_start(ssh, s->chanid, "exit-signal", 0);
2391 #ifndef WCOREDUMP
2392 # define WCOREDUMP(x) (0)
2393 #endif
2394 		if ((r = sshpkt_put_cstring(ssh, sig2name(WTERMSIG(status)))) != 0 ||
2395 		    (r = sshpkt_put_u8(ssh, WCOREDUMP(status)? 1 : 0)) != 0 ||
2396 		    (r = sshpkt_put_cstring(ssh, "")) != 0 ||
2397 		    (r = sshpkt_put_cstring(ssh, "")) != 0 ||
2398 		    (r = sshpkt_send(ssh)) != 0)
2399 			sshpkt_fatal(ssh, r, "%s: exit reply", __func__);
2400 	} else {
2401 		/* Some weird exit cause.  Just exit. */
2402 		ssh_packet_disconnect(ssh, "wait returned status %04x.", status);
2403 	}
2404 
2405 	/* disconnect channel */
2406 	debug("%s: release channel %d", __func__, s->chanid);
2407 
2408 	/*
2409 	 * Adjust cleanup callback attachment to send close messages when
2410 	 * the channel gets EOF. The session will be then be closed
2411 	 * by session_close_by_channel when the childs close their fds.
2412 	 */
2413 	channel_register_cleanup(ssh, c->self, session_close_by_channel, 1);
2414 
2415 	/*
2416 	 * emulate a write failure with 'chan_write_failed', nobody will be
2417 	 * interested in data we write.
2418 	 * Note that we must not call 'chan_read_failed', since there could
2419 	 * be some more data waiting in the pipe.
2420 	 */
2421 	if (c->ostate != CHAN_OUTPUT_CLOSED)
2422 		chan_write_failed(ssh, c);
2423 }
2424 
2425 void
session_close(struct ssh * ssh,Session * s)2426 session_close(struct ssh *ssh, Session *s)
2427 {
2428 	u_int i;
2429 
2430 	verbose("Close session: user %s from %.200s port %d id %d",
2431 	    s->pw->pw_name,
2432 	    ssh_remote_ipaddr(ssh),
2433 	    ssh_remote_port(ssh),
2434 	    s->self);
2435 
2436 	if (s->ttyfd != -1)
2437 		session_pty_cleanup(s);
2438 	free(s->term);
2439 	free(s->display);
2440 	free(s->x11_chanids);
2441 	free(s->auth_display);
2442 	free(s->auth_data);
2443 	free(s->auth_proto);
2444 	free(s->subsys);
2445 	if (s->env != NULL) {
2446 		for (i = 0; i < s->num_env; i++) {
2447 			free(s->env[i].name);
2448 			free(s->env[i].val);
2449 		}
2450 		free(s->env);
2451 	}
2452 	session_proctitle(s);
2453 	session_unused(s->self);
2454 }
2455 
2456 void
session_close_by_pid(struct ssh * ssh,pid_t pid,int status)2457 session_close_by_pid(struct ssh *ssh, pid_t pid, int status)
2458 {
2459 	Session *s = session_by_pid(pid);
2460 	if (s == NULL) {
2461 		debug("%s: no session for pid %ld", __func__, (long)pid);
2462 		return;
2463 	}
2464 	if (s->chanid != -1)
2465 		session_exit_message(ssh, s, status);
2466 	if (s->ttyfd != -1)
2467 		session_pty_cleanup(s);
2468 	s->pid = 0;
2469 }
2470 
2471 /*
2472  * this is called when a channel dies before
2473  * the session 'child' itself dies
2474  */
2475 void
session_close_by_channel(struct ssh * ssh,int id,void * arg)2476 session_close_by_channel(struct ssh *ssh, int id, void *arg)
2477 {
2478 	Session *s = session_by_channel(id);
2479 	u_int i;
2480 
2481 	if (s == NULL) {
2482 		debug("%s: no session for id %d", __func__, id);
2483 		return;
2484 	}
2485 	debug("%s: channel %d child %ld", __func__, id, (long)s->pid);
2486 	if (s->pid != 0) {
2487 		debug("%s: channel %d: has child, ttyfd %d",
2488 		    __func__, id, s->ttyfd);
2489 		/*
2490 		 * delay detach of session, but release pty, since
2491 		 * the fd's to the child are already closed
2492 		 */
2493 		if (s->ttyfd != -1)
2494 			session_pty_cleanup(s);
2495 		return;
2496 	}
2497 	/* detach by removing callback */
2498 	channel_cancel_cleanup(ssh, s->chanid);
2499 
2500 	/* Close any X11 listeners associated with this session */
2501 	if (s->x11_chanids != NULL) {
2502 		for (i = 0; s->x11_chanids[i] != -1; i++) {
2503 			session_close_x11(ssh, s->x11_chanids[i]);
2504 			s->x11_chanids[i] = -1;
2505 		}
2506 	}
2507 
2508 	s->chanid = -1;
2509 	session_close(ssh, s);
2510 }
2511 
2512 void
session_destroy_all(struct ssh * ssh,void (* closefunc)(Session *))2513 session_destroy_all(struct ssh *ssh, void (*closefunc)(Session *))
2514 {
2515 	int i;
2516 	for (i = 0; i < sessions_nalloc; i++) {
2517 		Session *s = &sessions[i];
2518 		if (s->used) {
2519 			if (closefunc != NULL)
2520 				closefunc(s);
2521 			else
2522 				session_close(ssh, s);
2523 		}
2524 	}
2525 }
2526 
2527 static char *
session_tty_list(void)2528 session_tty_list(void)
2529 {
2530 	static char buf[1024];
2531 	int i;
2532 	char *cp;
2533 
2534 	buf[0] = '\0';
2535 	for (i = 0; i < sessions_nalloc; i++) {
2536 		Session *s = &sessions[i];
2537 		if (s->used && s->ttyfd != -1) {
2538 
2539 			if (strncmp(s->tty, "/dev/", 5) != 0) {
2540 				cp = strrchr(s->tty, '/');
2541 				cp = (cp == NULL) ? s->tty : cp + 1;
2542 			} else
2543 				cp = s->tty + 5;
2544 
2545 			if (buf[0] != '\0')
2546 				strlcat(buf, ",", sizeof buf);
2547 			strlcat(buf, cp, sizeof buf);
2548 		}
2549 	}
2550 	if (buf[0] == '\0')
2551 		strlcpy(buf, "notty", sizeof buf);
2552 	return buf;
2553 }
2554 
2555 void
session_proctitle(Session * s)2556 session_proctitle(Session *s)
2557 {
2558 	if (s->pw == NULL)
2559 		error("no user for session %d", s->self);
2560 	else
2561 		setproctitle("%s@%s", s->pw->pw_name, session_tty_list());
2562 }
2563 
2564 int
session_setup_x11fwd(struct ssh * ssh,Session * s)2565 session_setup_x11fwd(struct ssh *ssh, Session *s)
2566 {
2567 	struct stat st;
2568 	char display[512], auth_display[512];
2569 	char hostname[NI_MAXHOST];
2570 	u_int i;
2571 
2572 	if (!auth_opts->permit_x11_forwarding_flag) {
2573 		ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
2574 		return 0;
2575 	}
2576 	if (!options.x11_forwarding) {
2577 		debug("X11 forwarding disabled in server configuration file.");
2578 		return 0;
2579 	}
2580 	if (options.xauth_location == NULL ||
2581 	    (stat(options.xauth_location, &st) == -1)) {
2582 		ssh_packet_send_debug(ssh, "No xauth program; cannot forward X11.");
2583 		return 0;
2584 	}
2585 	if (s->display != NULL) {
2586 		debug("X11 display already set.");
2587 		return 0;
2588 	}
2589 	if (x11_create_display_inet(ssh, options.x11_display_offset,
2590 	    options.x11_use_localhost, s->single_connection,
2591 	    &s->display_number, &s->x11_chanids) == -1) {
2592 		debug("x11_create_display_inet failed.");
2593 		return 0;
2594 	}
2595 	for (i = 0; s->x11_chanids[i] != -1; i++) {
2596 		channel_register_cleanup(ssh, s->x11_chanids[i],
2597 		    session_close_single_x11, 0);
2598 	}
2599 
2600 	/* Set up a suitable value for the DISPLAY variable. */
2601 	if (gethostname(hostname, sizeof(hostname)) == -1)
2602 		fatal("gethostname: %.100s", strerror(errno));
2603 	/*
2604 	 * auth_display must be used as the displayname when the
2605 	 * authorization entry is added with xauth(1).  This will be
2606 	 * different than the DISPLAY string for localhost displays.
2607 	 */
2608 	if (options.x11_use_localhost) {
2609 		snprintf(display, sizeof display, "localhost:%u.%u",
2610 		    s->display_number, s->screen);
2611 		snprintf(auth_display, sizeof auth_display, "unix:%u.%u",
2612 		    s->display_number, s->screen);
2613 		s->display = xstrdup(display);
2614 		s->auth_display = xstrdup(auth_display);
2615 	} else {
2616 #ifdef IPADDR_IN_DISPLAY
2617 		struct hostent *he;
2618 		struct in_addr my_addr;
2619 
2620 		he = gethostbyname(hostname);
2621 		if (he == NULL) {
2622 			error("Can't get IP address for X11 DISPLAY.");
2623 			ssh_packet_send_debug(ssh, "Can't get IP address for X11 DISPLAY.");
2624 			return 0;
2625 		}
2626 		memcpy(&my_addr, he->h_addr_list[0], sizeof(struct in_addr));
2627 		snprintf(display, sizeof display, "%.50s:%u.%u", inet_ntoa(my_addr),
2628 		    s->display_number, s->screen);
2629 #else
2630 		snprintf(display, sizeof display, "%.400s:%u.%u", hostname,
2631 		    s->display_number, s->screen);
2632 #endif
2633 		s->display = xstrdup(display);
2634 		s->auth_display = xstrdup(display);
2635 	}
2636 
2637 	return 1;
2638 }
2639 
2640 static void
do_authenticated2(struct ssh * ssh,Authctxt * authctxt)2641 do_authenticated2(struct ssh *ssh, Authctxt *authctxt)
2642 {
2643 	server_loop2(ssh, authctxt);
2644 }
2645 
2646 void
do_cleanup(struct ssh * ssh,Authctxt * authctxt)2647 do_cleanup(struct ssh *ssh, Authctxt *authctxt)
2648 {
2649 	static int called = 0;
2650 
2651 	debug("do_cleanup");
2652 
2653 	/* no cleanup if we're in the child for login shell */
2654 	if (is_child)
2655 		return;
2656 
2657 	/* avoid double cleanup */
2658 	if (called)
2659 		return;
2660 	called = 1;
2661 
2662 	if (authctxt == NULL)
2663 		return;
2664 
2665 #ifdef USE_PAM
2666 	if (options.use_pam) {
2667 		sshpam_cleanup();
2668 		sshpam_thread_cleanup();
2669 	}
2670 #endif
2671 
2672 	if (!authctxt->authenticated)
2673 		return;
2674 
2675 #ifdef KRB5
2676 	if (options.kerberos_ticket_cleanup &&
2677 	    authctxt->krb5_ctx)
2678 		krb5_cleanup_proc(authctxt);
2679 #endif
2680 
2681 #ifdef GSSAPI
2682 	if (options.gss_cleanup_creds)
2683 		ssh_gssapi_cleanup_creds();
2684 #endif
2685 
2686 	/* remove agent socket */
2687 	auth_sock_cleanup_proc(authctxt->pw);
2688 
2689 	/* remove userauth info */
2690 	if (auth_info_file != NULL) {
2691 		temporarily_use_uid(authctxt->pw);
2692 		unlink(auth_info_file);
2693 		restore_uid();
2694 		free(auth_info_file);
2695 		auth_info_file = NULL;
2696 	}
2697 
2698 	/*
2699 	 * Cleanup ptys/utmp only if privsep is disabled,
2700 	 * or if running in monitor.
2701 	 */
2702 	if (!use_privsep || mm_is_monitor())
2703 		session_destroy_all(ssh, session_pty_cleanup2);
2704 }
2705 
2706 /* Return a name for the remote host that fits inside utmp_size */
2707 
2708 const char *
session_get_remote_name_or_ip(struct ssh * ssh,u_int utmp_size,int use_dns)2709 session_get_remote_name_or_ip(struct ssh *ssh, u_int utmp_size, int use_dns)
2710 {
2711 	const char *remote = "";
2712 
2713 	if (utmp_size > 0)
2714 		remote = auth_get_canonical_hostname(ssh, use_dns);
2715 	if (utmp_size == 0 || strlen(remote) > utmp_size)
2716 		remote = ssh_remote_ipaddr(ssh);
2717 	return remote;
2718 }
2719 
2720