
📄 monitor.c

📁 OpenSSH 是 SSH (Secure SHell) 协议的免费开源实现。它用安全、加密的网络连接工具代替了 telnet、ftp、 rlogin、rsh 和 rcp 工具。OpenSSH 支持
💻 C
📖 第 1 页 / 共 4 页
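		xfree(hostbased_chost);
	key_blob = NULL;
	key_bloblen = 0;
	key_blobtype = MM_NOKEY;
	hostbased_cuser = NULL;
	hostbased_chost = NULL;
}

/*
 * Answers a DH group request: reads the min/want/max sizes sent by the
 * child, re-validates them, and replies with the chosen group's p and g.
 * Always returns 0.
 */
int
mm_answer_moduli(int sock, Buffer *m)
{
	DH *dh;
	int min, want, max;

	min = buffer_get_int(m);
	want = buffer_get_int(m);
	max = buffer_get_int(m);

	debug3("%s: got parameters: %d %d %d",
	    __func__, min, want, max);
	/* We need to check here, too, in case the child got corrupted */
	if (max < min || want < min || max < want)
		fatal("%s: bad parameters: %d %d %d",
		    __func__, min, want, max);

	buffer_clear(m);

	dh = choose_dh(min, want, max);
	if (dh == NULL) {
		/*
		 * NOTE(review): this path returns before mm_request_send(),
		 * so no MONITOR_ANS_MODULI reply is sent from here; confirm
		 * that the caller handles it.
		 */
		buffer_put_char(m, 0);
		return (0);
	} else {
		/* Send first bignum */
		buffer_put_char(m, 1);
		buffer_put_bignum2(m, dh->p);
		buffer_put_bignum2(m, dh->g);

		DH_free(dh);
	}
	mm_request_send(sock, MONITOR_ANS_MODULI, m);
	return (0);
}

/*
 * Signs data supplied by the child with the host key selected by index and
 * sends the signature back.  Only exactly 20 bytes of data are accepted;
 * any other length is fatal.  The first data blob seen is kept as
 * session_id2.  Afterwards MONITOR_REQ_PWNAM is permitted.  Returns 0.
 */
int
mm_answer_sign(int sock, Buffer *m)
{
	Key *key;
	u_char *p;
	u_char *signature;
	u_int siglen, datlen;
	int keyid;

	debug3("%s", __func__);

	keyid = buffer_get_int(m);
	p = buffer_get_string(m, &datlen);

	/* Refuse to sign anything that is not exactly 20 bytes long. */
	if (datlen != 20)
		fatal("%s: data length incorrect: %u", __func__, datlen);

	/* save session id, it will be passed on the first call */
	if (session_id2_len == 0) {
		session_id2_len = datlen;
		session_id2 = xmalloc(session_id2_len);
		memcpy(session_id2, p, session_id2_len);
	}

	if ((key = get_hostkey_by_index(keyid)) == NULL)
		fatal("%s: no hostkey from index %d", __func__, keyid);
	if (key_sign(key, &signature, &siglen, p, datlen) < 0)
		fatal("%s: key_sign failed", __func__);

	debug3("%s: signature %p(%u)", __func__, signature, siglen);

	buffer_clear(m);
	buffer_put_string(m, signature, siglen);

	xfree(p);
	xfree(signature);

	mm_request_send(sock, MONITOR_ANS_SIGN, m);

	/* Turn on permissions for getpwnam */
	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);

	return (0);
}

/* Retrieves the password entry and also checks if the user is permitted */

/*
 * May be called once only: a second call is fatal.  For a user that is not
 * permitted the reply is a single 0 byte and authctxt->pw is set to
 * fakepw(); otherwise the reply carries the passwd entry.  In both cases
 * the next set of request types is then permitted.  Returns 0.
 */
int
mm_answer_pwnamallow(int sock, Buffer *m)
{
	char *username;
	struct passwd *pwent;
	int allowed = 0;

	debug3("%s", __func__);

	if (authctxt->attempt++ != 0)
		fatal("%s: multiple attempts for getpwnam", __func__);

	username = buffer_get_string(m, NULL);

	pwent = getpwnamallow(username);

	authctxt->user = xstrdup(username);
	/* A name that was not accepted is shown as "unknown" in the title. */
	setproctitle("%s [priv]", pwent ? username : "unknown");
	xfree(username);

	buffer_clear(m);

	if (pwent == NULL) {
		buffer_put_char(m, 0);
		authctxt->pw = fakepw();
		goto out;
	}

	allowed = 1;
	authctxt->pw = pwent;
	authctxt->valid = 1;

	buffer_put_char(m, 1);
	/*
	 * NOTE(review): the raw struct is copied byte for byte, so its
	 * pointer members leave this process as address values; only the
	 * strings appended below carry usable data.  The literal "*" is sent
	 * between pw_name and pw_gecos, presumably in place of pw_passwd,
	 * so the stored password field itself is not forwarded.
	 */
	buffer_put_string(m, pwent, sizeof(struct passwd));
	buffer_put_cstring(m, pwent->pw_name);
	buffer_put_cstring(m, "*");
	buffer_put_cstring(m, pwent->pw_gecos);
#ifdef HAVE_PW_CLASS_IN_PASSWD
	buffer_put_cstring(m, pwent->pw_class);
#endif
	buffer_put_cstring(m, pwent->pw_dir);
	buffer_put_cstring(m, pwent->pw_shell);

 out:
	debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
	mm_request_send(sock, MONITOR_ANS_PWNAM, m);

	/* For SSHv1 allow authentication now */
	if (!compat20)
		monitor_permit_authentications(1);
	else {
		/* Allow service/style information on the auth context */
		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
	}

#ifdef USE_PAM
	if (options.use_pam)
		monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
#endif
#ifdef SSH_AUDIT_EVENTS
	monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_COMMAND, 1);
#endif

	return (0);
}

/*
 * Sends the banner returned by auth2_read_banner() to the child, or an
 * empty string when there is none.  Returns 0.
 */
int mm_answer_auth2_read_banner(int sock, Buffer *m)
{
	char *banner;

	buffer_clear(m);
	banner = auth2_read_banner();
	buffer_put_cstring(m, banner != NULL ? banner : "");
	mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m);

	if (banner != NULL)
		xfree(banner);

	return (0);
}

/*
 * Records the service and style strings sent by the child on the auth
 * context and permits the authentication requests.  An empty style is
 * stored as NULL.  No reply is sent.  Returns 0.
 */
int
mm_answer_authserv(int sock, Buffer *m)
{
	monitor_permit_authentications(1);

	authctxt->service = buffer_get_string(m, NULL);
	authctxt->style = buffer_get_string(m, NULL);
	debug3("%s: service=%s, style=%s",
	    __func__, authctxt->service, authctxt->style);

	if (strlen(authctxt->style) == 0) {
		xfree(authctxt->style);
		authctxt->style = NULL;
	}

	return (0);
}

/*
 * Checks a password sent by the child and replies with the result.
 * Returns the result as well; a non-zero value ends the monitor loop.
 * An empty password on the very first call is recorded as method "none".
 */
int
mm_answer_authpassword(int sock, Buffer *m)
{
	static int call_count;
	char *passwd;
	int authenticated;
	u_int plen;

	passwd = buffer_get_string(m, &plen);
	/* Only authenticate if the context is valid */
	/*
	 * NOTE(review): no validity test is visible at this call site;
	 * presumably auth_password() performs it.  Confirm.
	 */
	authenticated = options.password_authentication &&
	    auth_password(authctxt, passwd);
	/*
	 * Wipe the whole received string, not just up to the first NUL:
	 * strlen() would stop early on an embedded NUL and leave the rest
	 * of the bytes in the freed memory.
	 */
	memset(passwd, 0, plen);
	xfree(passwd);

	buffer_clear(m);
	buffer_put_int(m, authenticated);

	debug3("%s: sending result %d", __func__, authenticated);
	mm_request_send(sock, MONITOR_ANS_AUTHPASSWORD, m);

	call_count++;
	if (plen == 0 && call_count == 1)
		auth_method = "none";
	else
		auth_method = "password";

	/* Causes monitor loop to terminate if authenticated */
	return (authenticated);
}

#ifdef BSD_AUTH
/*
 * Asks bsdauth_query() for a challenge and sends the child a success flag
 * followed, on success, by the first prompt.  Returns 0.
 */
int
mm_answer_bsdauthquery(int sock, Buffer *m)
{
	char *name, *infotxt;
	u_int numprompts;
	u_int *echo_on;
	char **prompts;
	u_int success;

	success = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
	    &prompts, &echo_on) < 0 ? 0 : 1;

	buffer_clear(m);
	buffer_put_int(m, success);
	if (success)
		buffer_put_cstring(m, prompts[0]);

	debug3("%s: sending challenge success: %u", __func__, success);
	mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m);

	if (success) {
		xfree(name);
		xfree(infotxt);
		xfree(prompts);
		xfree(echo_on);
	}

	return (0);
}

/*
 * Verifies the child's response against the open BSD auth session and
 * replies with the result.  It is fatal to call this without a session.
 * Returns non-zero when the response was accepted.
 */
int
mm_answer_bsdauthrespond(int sock, Buffer *m)
{
	char *response;
	int authok;

	if (authctxt->as == 0)
		fatal("%s: no bsd auth session", __func__);

	response = buffer_get_string(m, NULL);
	authok = options.challenge_response_authentication &&
	    auth_userresponse(authctxt->as, response, 0);
	authctxt->as = NULL;
	/*
	 * NOTE(review): this writes the user's response text to the debug
	 * log at debug3 level; treat logs captured at that level as
	 * sensitive.
	 */
	debug3("%s: <%s> = <%d>", __func__, response, authok);
	xfree(response);

	buffer_clear(m);
	buffer_put_int(m, authok);

	debug3("%s: sending authenticated: %d", __func__, authok);
	mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);

	auth_method = "bsdauth";

	return (authok != 0);
}
#endif

#ifdef SKEY
/*
 * Builds an S/Key challenge for authctxt->user and sends the child a
 * success flag followed, on success, by the challenge text.  Returns 0.
 */
int
mm_answer_skeyquery(int sock, Buffer *m)
{
	struct skey skey;
	char challenge[1024];
	u_int success;

	success = _compat_skeychallenge(&skey, authctxt->user, challenge,
	    sizeof(challenge)) < 0 ? 0 : 1;

	buffer_clear(m);
	buffer_put_int(m, success);
	if (success)
		buffer_put_cstring(m, challenge);

	debug3("%s: sending challenge success: %u", __func__, success);
	mm_request_send(sock, MONITOR_ANS_SKEYQUERY, m);

	return (0);
}

/*
 * Checks the child's S/Key response and replies with the result.  The
 * check is skipped unless the option is enabled and the context is valid.
 * Returns non-zero when the response was accepted.
 */
int
mm_answer_skeyrespond(int sock, Buffer *m)
{
	char *response;
	int authok;

	response = buffer_get_string(m, NULL);

	authok = (options.challenge_response_authentication &&
	    authctxt->valid &&
	    skey_haskey(authctxt->pw->pw_name) == 0 &&
	    skey_passcheck(authctxt->pw->pw_name, response) != -1);

	xfree(response);

	buffer_clear(m);
	buffer_put_int(m, authok);

	debug3("%s: sending authenticated: %d", __func__, authok);
	mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);

	auth_method = "skey";

	return (authok != 0);
}
#endif

#ifdef USE_PAM
/*
 * Starts PAM for the auth context and permits the PAM account request.
 * Fatal when UsePAM is off.  No reply is sent.  Returns 0.
 */
int
mm_answer_pam_start(int sock, Buffer *m)
{
	if (!options.use_pam)
		fatal("UsePAM not set, but ended up in %s anyway", __func__);

	start_pam(authctxt);

	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);

	return (0);
}

/*
 * Runs do_pam_account() and sends its result to the child together with
 * the accumulated login message.  Fatal when UsePAM is off.  Returns the
 * account result.
 */
int
mm_answer_pam_account(int sock, Buffer *m)
{
	u_int ret;

	if (!options.use_pam)
		fatal("UsePAM not set, but ended up in %s anyway", __func__);

	ret = do_pam_account();

	buffer_put_int(m, ret);
	/* Terminate loginmsg so it can be sent as a C string. */
	buffer_append(&loginmsg, "\0", 1);
	buffer_put_cstring(m, buffer_ptr(&loginmsg));
	buffer_clear(&loginmsg);

	mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m);

	return (ret);
}

/*
 * sshpam_ctxt is the context returned by the device's init_ctx;
 * sshpam_authok is set to that same pointer only after a query or a
 * response succeeded, and is cleared at the start of each of those calls.
 */
static void *sshpam_ctxt, *sshpam_authok;
extern KbdintDevice sshpam_device;

/*
 * Creates the PAM keyboard-interactive context and tells the child
 * whether that worked (1) or not (0).  Returns 0.
 */
int
mm_answer_pam_init_ctx(int sock, Buffer *m)
{

	debug3("%s", __func__);
	/*
	 * NOTE(review): authctxt->user is overwritten with a name taken
	 * from the child's message, and the previous pointer is not freed
	 * here.  Confirm whether the monitor should trust this value or
	 * keep the name it recorded earlier.
	 */
	authctxt->user = buffer_get_string(m, NULL);
	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
	sshpam_authok = NULL;
	buffer_clear(m);
	if (sshpam_ctxt != NULL) {
		monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
		buffer_put_int(m, 1);
	} else {
		buffer_put_int(m, 0);
	}
	mm_request_send(sock, MONITOR_ANS_PAM_INIT_CTX, m);
	return (0);
}

/*
 * Fetches the next PAM prompt set from the device and forwards it to the
 * child.  A query that succeeds with zero prompts marks the context as
 * authenticated.  More than one prompt, or a missing name or info string,
 * turns the result into -1.  Returns 0.
 */
int
mm_answer_pam_query(int sock, Buffer *m)
{
	/*
	 * Start from known values so that the checks below are meaningful
	 * even if the device returns without filling an output in.
	 */
	char *name = NULL, *info = NULL, **prompts = NULL;
	u_int i, num = 0, *echo_on = NULL;
	int ret;

	debug3("%s", __func__);
	sshpam_authok = NULL;
	ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num, &prompts, &echo_on);
	if (ret == 0 && num == 0)
		sshpam_authok = sshpam_ctxt;
	if (num > 1 || name == NULL || info == NULL)
		ret = -1;
	buffer_clear(m);
	buffer_put_int(m, ret);
	/*
	 * NOTE(review): name and info are still passed on when they are
	 * NULL; confirm how buffer_put_cstring() and xfree() treat NULL.
	 */
	buffer_put_cstring(m, name);
	xfree(name);
	buffer_put_cstring(m, info);
	xfree(info);
	buffer_put_int(m, num);
	for (i = 0; i < num; ++i) {
		buffer_put_cstring(m, prompts[i]);
		xfree(prompts[i]);
		buffer_put_int(m, echo_on[i]);
	}
	if (prompts != NULL)
		xfree(prompts);
	if (echo_on != NULL)
		xfree(echo_on);
	mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
	return (0);
}

/*
 * Passes the child's responses to the PAM device and replies with the
 * device's result.  A result of 0 marks the context as authenticated.
 * Returns 0; the final verdict is reported by mm_answer_pam_free_ctx().
 */
int
mm_answer_pam_respond(int sock, Buffer *m)
{
	char **resp;
	u_int i, num;
	int ret;

	debug3("%s", __func__);
	sshpam_authok = NULL;
	num = buffer_get_int(m);
	if (num > 0) {
		/*
		 * num comes straight from the child.  Reject a count whose
		 * array size would wrap around, which would otherwise give
		 * an allocation smaller than the loop below writes into.
		 */
		if (num > (size_t)-1 / sizeof(char *))
			fatal("%s: too many responses: %u", __func__, num);
		resp = xmalloc(num * sizeof(char *));
		for (i = 0; i < num; ++i)
			resp[i] = buffer_get_string(m, NULL);
		ret = (sshpam_device.respond)(sshpam_ctxt, num, resp);
		for (i = 0; i < num; ++i)
			xfree(resp[i]);
		xfree(resp);
	} else {
		ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL);
	}
	buffer_clear(m);
	buffer_put_int(m, ret);
	mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
	auth_method = "keyboard-interactive/pam";
	if (ret == 0)
		sshpam_authok = sshpam_ctxt;
	return (0);
}

/*
 * Frees the PAM context and acknowledges to the child.  Returns non-zero
 * only when the context being freed is the one that was marked as
 * authenticated.
 */
int
mm_answer_pam_free_ctx(int sock, Buffer *m)
{
	int r;

	debug3("%s", __func__);
	/*
	 * Decide before the context is freed, and never treat two NULL
	 * pointers as a match: an unset context must not count as success.
	 */
	r = (sshpam_authok != NULL && sshpam_authok == sshpam_ctxt);
	(sshpam_device.free_ctx)(sshpam_ctxt);
	/* Drop both pointers so the freed context cannot be reused. */
	sshpam_ctxt = sshpam_authok = NULL;
	buffer_clear(m);
	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
	return (r);
}
#endif

/*
 * Appends any pending auth debug messages to the reply buffer and then
 * empties the pending buffer.
 */
static void
mm_append_debug(Buffer *m)
{
	if (auth_debug_init && buffer_len(&auth_debug)) {
		debug3("%s: Appending debug messages for child", __func__);
		buffer_append(m, buffer_ptr(&auth_debug),
		    buffer_len(&auth_debug));
		buffer_clear(&auth_debug);
	}
}

int
mm_answer_keyallowed(int sock, Buffer *m)
{
	Key *key;
	char *cuser, *chost;
	u_char *blob;
	u_int bloblen;
	enum mm_keytype type = 0;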
