diff options
-rw-r--r-- | agentfwd.h | 9 | ||||
-rw-r--r-- | auth.h | 5 | ||||
-rw-r--r-- | cli-agentfwd.c | 245 | ||||
-rw-r--r-- | cli-authpubkey.c | 7 | ||||
-rw-r--r-- | cli-runopts.c | 13 | ||||
-rw-r--r-- | cli-session.c | 3 | ||||
-rw-r--r-- | dbutil.c | 27 | ||||
-rw-r--r-- | dbutil.h | 3 | ||||
-rw-r--r-- | options.h | 7 | ||||
-rw-r--r-- | random.c | 6 | ||||
-rw-r--r-- | runopts.h | 5 | ||||
-rw-r--r-- | ssh.h | 11 | ||||
-rw-r--r-- | svr-agentfwd.c | 4 |
13 files changed, 328 insertions, 17 deletions
@@ -29,15 +29,24 @@ #include "chansession.h" #include "channel.h" +/* An agent reply can be reasonably large, as it can + * contain a list of all public keys held by the agent. + * 10000 is arbitrary */ +#define MAX_AGENT_REPLY 10000 + int agentreq(struct ChanSess * chansess); void agentsetauth(struct ChanSess *chansess); void agentcleanup(struct ChanSess * chansess); void agentset(struct ChanSess *chansess); +SignKeyList * load_agent_keys(); + #ifdef __hpux #define seteuid(a) setresuid(-1, (a), -1) #define setegid(a) setresgid(-1, (a), -1) #endif +extern const struct ChanSess chan_cli_agent; + #endif /* DROPBEAR_AGENTFWD */ #endif /* _AGENTFWD_H_ */ @@ -96,6 +96,10 @@ struct AuthState { }; +/* Sources for signing keys */ +#define SIGNKEY_SOURCE_RAW_FILE 1 +#define SIGNKEY_SOURCE_AGENT 21 + struct SignKeyList; /* A singly linked list of signing keys */ struct SignKeyList { @@ -103,6 +107,7 @@ struct SignKeyList { sign_key *key; int type; /* The type of key */ struct SignKeyList *next; + int source; /* filename? or the buffer? for encrypted keys, so we can later get * the private key portion */ diff --git a/cli-agentfwd.c b/cli-agentfwd.c new file mode 100644 index 0000000..f0fe385 --- /dev/null +++ b/cli-agentfwd.c @@ -0,0 +1,245 @@ +/* + * Dropbear - a SSH2 server + * + * Copyright (c) 2005 Matt Johnston + * All rights reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. */ + +/* The basic protocol use to communicate with the agent is defined in + * draft-ylonen-ssh-protocol-00.txt, with the ssh2 extensions defined through + * openssh's implementation. */ + +#include "includes.h" + +#ifdef ENABLE_CLI_AGENTFWD + +#include "agentfwd.h" +#include "session.h" +#include "ssh.h" +#include "dbutil.h" +#include "chansession.h" +#include "channel.h" +#include "packet.h" +#include "buffer.h" +#include "random.h" +#include "listener.h" +#include "runopts.h" +#include "atomicio.h" +#include "signkey.h" +#include "auth.h" + +static int new_agent_chan(struct Channel * channel); + +const struct ChanType chan_cli_agent = { + 0, /* sepfds */ + "auth-agent@openssh.com", + new_agent_chan, + NULL, + NULL, + NULL +}; + +static int connect_agent() { + + int fd = -1; + char* agent_sock = NULL; + + agent_sock = getenv("SSH_AUTH_SOCK"); + if (agent_sock == NULL) + return -1; + + fd = connect_unix(agent_sock); + + return fd; +} + +// handle a request for a connection to the locally running ssh-agent +// or forward. +static int new_agent_chan(struct Channel * channel) { + + int fd = -1; + + if (!cli_opts.agent_fwd) + return SSH_OPEN_ADMINISTRATIVELY_PROHIBITED; + + fd = connect_agent(); + + setnonblocking(fd); + + ses.maxfd = MAX(ses.maxfd, fd); + + channel->infd = fd; + channel->outfd = fd; + + // success + return 0; +} + +/* Sends a request to the agent, returning a newly allocated buffer + * with the response */ +/* Packet format (from draft-ylonen) + 4 bytes Length, msb first. Does not include length itself. + 1 byte Packet type. The value 255 is reserved for future extensions. + data Any data, depending on packet type. Encoding as in the ssh packet + protocol. + + In this case, data is always empty +*/ +static buffer * agent_request(int fd, unsigned char type) { + + buffer * payload = NULL; + buffer * inbuf = NULL; + size_t readlen = 0; + ssize_t ret; + + payload = buf_new(4 + 1); + + buf_putint(payload, 1); + buf_putbyte(payload, type); + + ret = atomicio(write, fd, buf_getptr(payload, payload->len), payload->len); + if ((size_t)ret != payload->len) { + TRACE(("write failed for agent_request")) + goto out; + } + + buf_free(payload); + payload = NULL; + + /* Now we read the response */ + inbuf = buf_new(4); + ret = atomicio(read, fd, buf_getwriteptr(inbuf, 4), 4); + if (ret != 4) { + TRACE(("read of length failed for agent_request")) + goto out; + } + + readlen = buf_getint(inbuf); + if (readlen > MAX_AGENT_REPLY) { + TRACE(("agent reply is too big")); + goto out; + } + + buf_resize(inbuf, readlen); + ret = atomicio(read, fd, buf_getwriteptr(inbuf, readlen), readlen); + if ((size_t)ret != readlen) { + TRACE(("read of data failed for agent_request")) + goto out; + } + +out: + if (payload) + buf_free(payload); + + return inbuf; +} + +static SignKeyList * agent_get_key_list(int fd) +{ + buffer * inbuf = NULL; + unsigned int num = 0; + unsigned char packet_type; + unsigned int i; + struct SignKeyList *retkey = NULL, *key = NULL; + int ret; + + inbuf = agent_request(fd, SSH2_AGENTC_REQUEST_IDENTITIES); + if (!inbuf) { + goto out; + } + + /* The reply has a format of: + * byte packet_type + * int num_keys + * + * string keyblob1 + * string comment1 + * ... + * string keyblob(n) + * string comment(n) + */ + packet_type = buf_getbyte(inbuf); + if (packet_type != SSH2_AGENT_IDENTITIES_ANSWER) { + goto out; + } + + num = buf_getint(inbuf); + for (i = 0; i < num; i++) { + sign_key * pubkey = NULL; + char key_type = DROPBEAR_SIGNKEY_ANY; + struct SignKeyList *nextkey = NULL; + + nextkey = (struct SignKeyList*)m_malloc(sizeof(struct SignKeyList)); + if (key) + key->next = nextkey; + else + retkey = nextkey; + key = nextkey; + + pubkey = new_sign_key(); + ret = buf_get_pub_key(inbuf, pubkey, &key_type); + if (ret != DROPBEAR_SUCCESS) { + /* This is slack, properly would cleanup vars etc */ + dropbear_exit("Bad pubkey received from agent"); + } + + key->key = pubkey; + key->next = NULL; + key->type = key_type; + key->source = SIGNKEY_SOURCE_AGENT; + + /* We'll ignore the comment */ + buf_eatstring(inbuf); + } + +out: + if (inbuf) { + buf_free(inbuf); + inbuf = NULL; + } + + return retkey; +} + +/* return DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ +SignKeyList * load_agent_keys() +{ + + SignKeyList * ret_list; + int fd; + fd = connect_agent(); + if (fd < 0) { + dropbear_log(LOG_INFO, "Failed to connect to agent"); + return NULL; + } + + ret_list = agent_get_key_list(fd); + close(fd); +} + +// general procedure: +// - get the list of keys from the agent +// - foreach, send a dummy userauth_pubkey message to the server and see +// if it lets us in +// - if it does, sign and auth +// - if not, repeat. +// + +#endif diff --git a/cli-authpubkey.c b/cli-authpubkey.c index 9d36bc3..2cc92f7 100644 --- a/cli-authpubkey.c +++ b/cli-authpubkey.c @@ -172,6 +172,13 @@ int cli_auth_pubkey() { TRACE(("enter cli_auth_pubkey")) + if (cli_opts.pubkeys == NULL && + cli_opts.agent_fwd && + !cli_opts.agent_keys_loaded) { + /* get the list of available keys from the agent */ + load_agent_keys(&cli_opts.pubkeys); + } + if (cli_opts.privkeys != NULL) { /* Send a trial request */ send_msg_userauth_pubkey(cli_opts.privkeys->key, diff --git a/cli-runopts.c b/cli-runopts.c index 54d4875..c2134a6 100644 --- a/cli-runopts.c +++ b/cli-runopts.c @@ -53,6 +53,9 @@ static void printhelp() { #ifdef ENABLE_CLI_PUBKEY_AUTH "-i <identityfile> (multiple allowed)\n" #endif +#ifdef ENABLE_CLI_AGENTFWD + "-A Enable agent auth forwarding\n" +#endif #ifdef ENABLE_CLI_LOCALTCPFWD "-L <listenport:remotehost:remoteport> Local port forwarding\n" "-g Allow remote hosts to connect to forwarded ports\n" @@ -99,6 +102,10 @@ void cli_getopts(int argc, char ** argv) { #ifdef ENABLE_CLI_REMOTETCPFWD cli_opts.remotefwds = NULL; #endif +#ifdef ENABLE_CLI_AGENTFWD + cli_opts.agent_fwd = 0; + cli_opts.agent_keys_loaded = 0; +#endif /* not yet opts.ipv4 = 1; opts.ipv6 = 1; @@ -183,6 +190,11 @@ void cli_getopts(int argc, char ** argv) { printhelp(); exit(EXIT_SUCCESS); break; +#ifdef ENABLE_CLI_AGENTFWD + case 'A': + cli_opts.agent_fwd = 1; + break; +#endif #ifdef DEBUG_TRACE case 'v': debug_trace = 1; @@ -291,6 +303,7 @@ static void loadidentityfile(const char* filename) { nextkey->key = key; nextkey->next = cli_opts.privkeys; nextkey->type = keytype; + nextkey->source = SIGNKEY_SOURCE_RAW_FILE; cli_opts.privkeys = nextkey; } } diff --git a/cli-session.c b/cli-session.c index 35510fa..4f1e597 100644 --- a/cli-session.c +++ b/cli-session.c @@ -71,6 +71,9 @@ static const struct ChanType *cli_chantypes[] = { #ifdef ENABLE_CLI_REMOTETCPFWD &cli_chan_tcpremote, #endif +#ifdef ENABLE_CLI_AGENTFWD + &cli_chan_agent, +#endif NULL /* Null termination */ }; @@ -295,6 +295,23 @@ int dropbear_listen(const char* address, const char* port, return nsock; } +/* Connect to a given unix socket. The socket is not non-blocking */ +#ifdef ENABLE_CONNECT_UNIX +int connect_unix(const char* addr) +{ + struct sockaddr_un egdsock; + int fd = -1; + + memset((void*)&egdsock, 0x0, sizeof(egdsock)); + egdsock.sun_family = AF_UNIX; + strlcpy(egdsock.sun_path, addr, sizeof(egdsock.sun_path)); + + fd = socket(PF_UNIX, SOCK_STREAM, 0); + + return fd; +} +#endif + /* Connect via TCP to a host. Connection will try ipv4 or ipv6, will * return immediately if nonblocking is set. On failure, if errstring * wasn't null, it will be a newly malloced error message */ @@ -340,15 +357,7 @@ int connect_remote(const char* remotehost, const char* remoteport, } if (nonblocking) { - if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0) { - close(sock); - sock = -1; - if (errstring != NULL && *errstring == NULL) { - *errstring = m_strdup("Failed non-blocking"); - } - TRACE(("Failed non-blocking: %s", strerror(errno))) - continue; - } + setnonblocking(sock); } if (connect(sock, res->ai_addr, res->ai_addrlen) < 0) { @@ -49,6 +49,9 @@ char * stripcontrol(const char * text); unsigned char * getaddrstring(struct sockaddr_storage* addr, int withport); int dropbear_listen(const char* address, const char* port, int *socks, unsigned int sockcount, char **errstring, int *maxfd); +#ifdef ENABLE_CONNECT_UNIX +int connect_unix(const char* addr); +#endif int connect_remote(const char* remotehost, const char* remoteport, int nonblocking, char ** errstring); char* getaddrhostname(struct sockaddr_storage * addr); @@ -59,7 +59,8 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */ #define ENABLE_SVR_REMOTETCPFWD /* Enable Authentication Agent Forwarding - server only for now */ -#define ENABLE_AGENTFWD +#define ENABLE_SVR_AGENTFWD +#define ENABLE_CLI_AGENTFWD /* Encryption - at least one required. * RFC Draft requires 3DES and recommends AES128 for interoperability. @@ -349,6 +350,10 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */ #define DISABLE_AGENTFWD #endif +#if defined(DROPBEAR_PRNGD_SOCKET) || defined(ENABLE_CLI_AGENTFWD) +#define ENABLE_CONNECT_UNIX +#endif + #if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD) #define ENABLE_CLI_ANYTCPFWD #endif @@ -68,12 +68,8 @@ static void readrand(unsigned char* buf, unsigned int buflen) { #endif #ifdef DROPBEAR_PRNGD_SOCKET - memset((void*)&egdsock, 0x0, sizeof(egdsock)); - egdsock.sun_family = AF_UNIX; - strlcpy(egdsock.sun_path, DROPBEAR_PRNGD_SOCKET, - sizeof(egdsock.sun_path)); + readfd = connect_unix(DROPBEAR_PRNGD_SOCKET); - readfd = socket(PF_UNIX, SOCK_STREAM, 0); if (readfd < 0) { dropbear_exit("couldn't open random device"); } @@ -110,6 +110,11 @@ typedef struct cli_runopts { #ifdef ENABLE_CLI_LOCALTCPFWD struct TCPFwdList * localfwds; #endif +#ifdef ENABLE_CLI_AGENTFWD + int agent_fwd; + int agent_keys_loaded; /* whether pubkeys has been populated with a + list of keys held by the agent */ +#endif } cli_runopts; @@ -105,3 +105,14 @@ #define SSH_SIGNKEY_DSS_LEN 7 #define SSH_SIGNKEY_RSA "ssh-rsa" #define SSH_SIGNKEY_RSA_LEN 7 + +/* Agent commands. These aren't part of the spec, and are defined + * only on the openssh implementation. */ +#define SSH_AGENT_FAILURE 5 +#define SSH_AGENT_SUCCESS 6 +#define SSH2_AGENTC_REQUEST_IDENTITIES 11 +#define SSH2_AGENT_IDENTITIES_ANSWER 12 +#define SSH2_AGENTC_SIGN_REQUEST 13 +#define SSH2_AGENT_SIGN_RESPONSE 14 + +#define SSH2_AGENT_FAILURE 30 diff --git a/svr-agentfwd.c b/svr-agentfwd.c index 5127158..f4909d5 100644 --- a/svr-agentfwd.c +++ b/svr-agentfwd.c @@ -176,7 +176,7 @@ void agentcleanup(struct ChanSess * chansess) { } -static const struct ChanType chan_agent = { +static const struct ChanType chan_svr_agent = { 0, /* sepfds */ "auth-agent@openssh.com", NULL, @@ -189,7 +189,7 @@ static const struct ChanType chan_agent = { /* helper for accepting an agent request */ static int send_msg_channel_open_agent(int fd) { - if (send_msg_channel_open_init(fd, &chan_agent) == DROPBEAR_SUCCESS) { + if (send_msg_channel_open_init(fd, &chan_svr_agent) == DROPBEAR_SUCCESS) { encrypt_packet(); return DROPBEAR_SUCCESS; } else { |