The unified diff between revisions [87286233..] and [01038174..] is displayed below. It can also be downloaded as a raw diff.
#
#
# add_file "cli-agentfwd.c"
# content [970dda02c4f758fb121942b5c1ae6c3c5d189bb0]
#
# patch "agentfwd.h"
# from [d415bcbe4d67d0f57c710e93553625e9e112ccda]
# to [ee7a6c5ecc5939fe1268167232c23b58344b4724]
#
# patch "auth.h"
# from [aac1a55d01be93e35ab5b0281b9760f8c8ec79d1]
# to [ad64e0b3fc182fa9ea318a3cd3669be02c45f152]
#
# patch "cli-authpubkey.c"
# from [f4b6c66351e60851c73405d8ecf4676557f0da30]
# to [c2ec1861daf3323fba805162c5a897b178ce5321]
#
# patch "cli-runopts.c"
# from [79955079fc49e1b252055d125874535d52b5914b]
# to [a1d1f08f68d663e0bc424d959edbb5b7984c7b79]
#
# patch "cli-session.c"
# from [e088b599dbdbd93930ff21e6bebe7dcbfbf66ed3]
# to [900aedf08a78cebf2e08b01281896b4267d6de29]
#
# patch "dbutil.c"
# from [9440c0ae5ca45076f63b0f295585bfaeb82dd57c]
# to [3cf3cf117764893cf88d11c31f3fcd1a42876a99]
#
# patch "dbutil.h"
# from [3806a1758a9a15ee7a1e3b75e3a49c0d27a7343a]
# to [896cdf1cc239d1049283ef0d49390f4b22c566e5]
#
# patch "options.h"
# from [072d78418e9cbade0d6a42530afa806c781237bd]
# to [7199663c0aa87aa718f6375b5d575fba55f4823b]
#
# patch "random.c"
# from [6b27327c1fd2cc9eca918be77a997c93404ab00d]
# to [f82dcd969805bc52c1c8033dbcc04e1dabfc8eca]
#
# patch "runopts.h"
# from [866a99e2213c6a2602a649a2915471ef4b39770a]
# to [e45bd018fe32329b6fc2aa6c4c9a60d56f9a86e0]
#
# patch "ssh.h"
# from [b63c0c60a29e5dec39b53218d20fe30cfd00a60e]
# to [eaed86a5824b07a81ed770ea0f08ea8eaabc800e]
#
# patch "svr-agentfwd.c"
# from [52fb70ca2c0319136708574134161a70c180517e]
# to [4c686d351feecba37348ea3a9e0117a2425ae490]
#
============================================================
--- cli-agentfwd.c 970dda02c4f758fb121942b5c1ae6c3c5d189bb0
+++ cli-agentfwd.c 970dda02c4f758fb121942b5c1ae6c3c5d189bb0
@@ -0,0 +1,245 @@
+/*
+ * Dropbear - a SSH2 server
+ *
+ * Copyright (c) 2005 Matt Johnston
+ * All rights reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE. */
+
+/* The basic protocol use to communicate with the agent is defined in
+ * draft-ylonen-ssh-protocol-00.txt, with the ssh2 extensions defined through
+ * openssh's implementation. */
+
+#include "includes.h"
+
+#ifdef ENABLE_CLI_AGENTFWD
+
+#include "agentfwd.h"
+#include "session.h"
+#include "ssh.h"
+#include "dbutil.h"
+#include "chansession.h"
+#include "channel.h"
+#include "packet.h"
+#include "buffer.h"
+#include "random.h"
+#include "listener.h"
+#include "runopts.h"
+#include "atomicio.h"
+#include "signkey.h"
+#include "auth.h"
+
+static int new_agent_chan(struct Channel * channel);
+
+const struct ChanType chan_cli_agent = {
+ 0, /* sepfds */
+ "auth-agent@openssh.com",
+ new_agent_chan,
+ NULL,
+ NULL,
+ NULL
+};
+
+static int connect_agent() {
+
+ int fd = -1;
+ char* agent_sock = NULL;
+
+ agent_sock = getenv("SSH_AUTH_SOCK");
+ if (agent_sock == NULL)
+ return -1;
+
+ fd = connect_unix(agent_sock);
+
+ return fd;
+}
+
+// handle a request for a connection to the locally running ssh-agent
+// or forward.
+static int new_agent_chan(struct Channel * channel) {
+
+ int fd = -1;
+
+ if (!cli_opts.agent_fwd)
+ return SSH_OPEN_ADMINISTRATIVELY_PROHIBITED;
+
+ fd = connect_agent();
+
+ setnonblocking(fd);
+
+ ses.maxfd = MAX(ses.maxfd, fd);
+
+ channel->infd = fd;
+ channel->outfd = fd;
+
+ // success
+ return 0;
+}
+
+/* Sends a request to the agent, returning a newly allocated buffer
+ * with the response */
+/* Packet format (from draft-ylonen)
+ 4 bytes Length, msb first. Does not include length itself.
+ 1 byte Packet type. The value 255 is reserved for future extensions.
+ data Any data, depending on packet type. Encoding as in the ssh packet
+ protocol.
+
+ In this case, data is always empty
+*/
+static buffer * agent_request(int fd, unsigned char type) {
+
+ buffer * payload = NULL;
+ buffer * inbuf = NULL;
+ size_t readlen = 0;
+ ssize_t ret;
+
+ payload = buf_new(4 + 1);
+
+ buf_putint(payload, 1);
+ buf_putbyte(payload, type);
+
+ ret = atomicio(write, fd, buf_getptr(payload, payload->len), payload->len);
+ if ((size_t)ret != payload->len) {
+ TRACE(("write failed for agent_request"))
+ goto out;
+ }
+
+ buf_free(payload);
+ payload = NULL;
+
+ /* Now we read the response */
+ inbuf = buf_new(4);
+ ret = atomicio(read, fd, buf_getwriteptr(inbuf, 4), 4);
+ if (ret != 4) {
+ TRACE(("read of length failed for agent_request"))
+ goto out;
+ }
+
+ readlen = buf_getint(inbuf);
+ if (readlen > MAX_AGENT_REPLY) {
+ TRACE(("agent reply is too big"));
+ goto out;
+ }
+
+ buf_resize(inbuf, readlen);
+ ret = atomicio(read, fd, buf_getwriteptr(inbuf, readlen), readlen);
+ if ((size_t)ret != readlen) {
+ TRACE(("read of data failed for agent_request"))
+ goto out;
+ }
+
+out:
+ if (payload)
+ buf_free(payload);
+
+ return inbuf;
+}
+
+static SignKeyList * agent_get_key_list(int fd)
+{
+ buffer * inbuf = NULL;
+ unsigned int num = 0;
+ unsigned char packet_type;
+ unsigned int i;
+ struct SignKeyList *retkey = NULL, *key = NULL;
+ int ret;
+
+ inbuf = agent_request(fd, SSH2_AGENTC_REQUEST_IDENTITIES);
+ if (!inbuf) {
+ goto out;
+ }
+
+ /* The reply has a format of:
+ * byte packet_type
+ * int num_keys
+ *
+ * string keyblob1
+ * string comment1
+ * ...
+ * string keyblob(n)
+ * string comment(n)
+ */
+ packet_type = buf_getbyte(inbuf);
+ if (packet_type != SSH2_AGENT_IDENTITIES_ANSWER) {
+ goto out;
+ }
+
+ num = buf_getint(inbuf);
+ for (i = 0; i < num; i++) {
+ sign_key * pubkey = NULL;
+ char key_type = DROPBEAR_SIGNKEY_ANY;
+ struct SignKeyList *nextkey = NULL;
+
+ nextkey = (struct SignKeyList*)m_malloc(sizeof(struct SignKeyList));
+ if (key)
+ key->next = nextkey;
+ else
+ retkey = nextkey;
+ key = nextkey;
+
+ pubkey = new_sign_key();
+ ret = buf_get_pub_key(inbuf, pubkey, &key_type);
+ if (ret != DROPBEAR_SUCCESS) {
+ /* This is slack, properly would cleanup vars etc */
+ dropbear_exit("Bad pubkey received from agent");
+ }
+
+ key->key = pubkey;
+ key->next = NULL;
+ key->type = key_type;
+ key->source = SIGNKEY_SOURCE_AGENT;
+
+ /* We'll ignore the comment */
+ buf_eatstring(inbuf);
+ }
+
+out:
+ if (inbuf) {
+ buf_free(inbuf);
+ inbuf = NULL;
+ }
+
+ return retkey;
+}
+
+/* return DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
+SignKeyList * load_agent_keys()
+{
+
+ SignKeyList * ret_list;
+ int fd;
+ fd = connect_agent();
+ if (fd < 0) {
+ dropbear_log(LOG_INFO, "Failed to connect to agent");
+ return NULL;
+ }
+
+ ret_list = agent_get_key_list(fd);
+ close(fd);
+}
+
+// general procedure:
+// - get the list of keys from the agent
+// - foreach, send a dummy userauth_pubkey message to the server and see
+// if it lets us in
+// - if it does, sign and auth
+// - if not, repeat.
+//
+
+#endif
============================================================
--- agentfwd.h d415bcbe4d67d0f57c710e93553625e9e112ccda
+++ agentfwd.h ee7a6c5ecc5939fe1268167232c23b58344b4724
@@ -29,15 +29,24 @@
#include "chansession.h"
#include "channel.h"
+/* An agent reply can be reasonably large, as it can
+ * contain a list of all public keys held by the agent.
+ * 10000 is arbitrary */
+#define MAX_AGENT_REPLY 10000
+
int agentreq(struct ChanSess * chansess);
void agentsetauth(struct ChanSess *chansess);
void agentcleanup(struct ChanSess * chansess);
void agentset(struct ChanSess *chansess);
+SignKeyList * load_agent_keys();
+
#ifdef __hpux
#define seteuid(a) setresuid(-1, (a), -1)
#define setegid(a) setresgid(-1, (a), -1)
#endif
+extern const struct ChanSess chan_cli_agent;
+
#endif /* DROPBEAR_AGENTFWD */
#endif /* _AGENTFWD_H_ */
============================================================
--- auth.h aac1a55d01be93e35ab5b0281b9760f8c8ec79d1
+++ auth.h ad64e0b3fc182fa9ea318a3cd3669be02c45f152
@@ -84,6 +84,10 @@ struct AuthState {
};
+/* Sources for signing keys */
+#define SIGNKEY_SOURCE_RAW_FILE 1
+#define SIGNKEY_SOURCE_AGENT 21
+
struct SignKeyList;
/* A singly linked list of signing keys */
struct SignKeyList {
@@ -91,6 +95,7 @@ struct SignKeyList {
sign_key *key;
int type; /* The type of key */
struct SignKeyList *next;
+ int source;
/* filename? or the buffer? for encrypted keys, so we can later get
* the private key portion */
============================================================
--- cli-authpubkey.c f4b6c66351e60851c73405d8ecf4676557f0da30
+++ cli-authpubkey.c c2ec1861daf3323fba805162c5a897b178ce5321
@@ -172,6 +172,13 @@ int cli_auth_pubkey() {
TRACE(("enter cli_auth_pubkey"))
+ if (cli_opts.pubkeys == NULL &&
+ cli_opts.agent_fwd &&
+ !cli_opts.agent_keys_loaded) {
+ /* get the list of available keys from the agent */
+ load_agent_keys(&cli_opts.pubkeys);
+ }
+
if (cli_opts.privkeys != NULL) {
/* Send a trial request */
send_msg_userauth_pubkey(cli_opts.privkeys->key,
============================================================
--- cli-runopts.c 79955079fc49e1b252055d125874535d52b5914b
+++ cli-runopts.c a1d1f08f68d663e0bc424d959edbb5b7984c7b79
@@ -52,6 +52,9 @@ static void printhelp() {
#ifdef ENABLE_CLI_PUBKEY_AUTH
"-i <identityfile> (multiple allowed)\n"
#endif
+#ifdef ENABLE_CLI_AGENTFWD
+ "-A Enable agent auth forwarding\n"
+#endif
#ifdef ENABLE_CLI_LOCALTCPFWD
"-L <listenport:remotehost:remoteport> Local port forwarding\n"
#endif
@@ -97,6 +100,10 @@ void cli_getopts(int argc, char ** argv)
#ifdef ENABLE_CLI_REMOTETCPFWD
cli_opts.remotefwds = NULL;
#endif
+#ifdef ENABLE_CLI_AGENTFWD
+ cli_opts.agent_fwd = 0;
+ cli_opts.agent_keys_loaded = 0;
+#endif
opts.nolocaltcp = 0;
opts.noremotetcp = 0;
/* not yet
@@ -180,6 +187,11 @@ void cli_getopts(int argc, char ** argv)
printhelp();
exit(EXIT_SUCCESS);
break;
+#ifdef ENABLE_CLI_AGENTFWD
+ case 'A':
+ cli_opts.agent_fwd = 1;
+ break;
+#endif
#ifdef DEBUG_TRACE
case 'v':
debug_trace = 1;
@@ -288,6 +300,7 @@ static void loadidentityfile(const char*
nextkey->key = key;
nextkey->next = cli_opts.privkeys;
nextkey->type = keytype;
+ nextkey->source = SIGNKEY_SOURCE_RAW_FILE;
cli_opts.privkeys = nextkey;
}
}
============================================================
--- cli-session.c e088b599dbdbd93930ff21e6bebe7dcbfbf66ed3
+++ cli-session.c 900aedf08a78cebf2e08b01281896b4267d6de29
@@ -73,6 +73,9 @@ static const struct ChanType *cli_chanty
#ifdef ENABLE_CLI_REMOTETCPFWD
&cli_chan_tcpremote,
#endif
+#ifdef ENABLE_CLI_AGENTFWD
+ &cli_chan_agent,
+#endif
NULL /* Null termination */
};
============================================================
--- dbutil.c 9440c0ae5ca45076f63b0f295585bfaeb82dd57c
+++ dbutil.c 3cf3cf117764893cf88d11c31f3fcd1a42876a99
@@ -252,6 +252,23 @@ int dropbear_listen(const char* address,
return nsock;
}
+/* Connect to a given unix socket. The socket is not non-blocking */
+#ifdef ENABLE_CONNECT_UNIX
+int connect_unix(const char* addr)
+{
+ struct sockaddr_un egdsock;
+ int fd = -1;
+
+ memset((void*)&egdsock, 0x0, sizeof(egdsock));
+ egdsock.sun_family = AF_UNIX;
+ strlcpy(egdsock.sun_path, addr, sizeof(egdsock.sun_path));
+
+ fd = socket(PF_UNIX, SOCK_STREAM, 0);
+
+ return fd;
+}
+#endif
+
/* Connect via TCP to a host. Connection will try ipv4 or ipv6, will
* return immediately if nonblocking is set. On failure, if errstring
* wasn't null, it will be a newly malloced error message */
@@ -297,15 +314,7 @@ int connect_remote(const char* remotehos
}
if (nonblocking) {
- if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0) {
- close(sock);
- sock = -1;
- if (errstring != NULL && *errstring == NULL) {
- *errstring = m_strdup("Failed non-blocking");
- }
- TRACE(("Failed non-blocking: %s", strerror(errno)))
- continue;
- }
+ setnonblocking(sock);
}
if (connect(sock, res->ai_addr, res->ai_addrlen) < 0) {
============================================================
--- dbutil.h 3806a1758a9a15ee7a1e3b75e3a49c0d27a7343a
+++ dbutil.h 896cdf1cc239d1049283ef0d49390f4b22c566e5
@@ -48,6 +48,9 @@ int dropbear_listen(const char* address,
unsigned char * getaddrstring(struct sockaddr_storage* addr, int withport);
int dropbear_listen(const char* address, const char* port,
int *socks, unsigned int sockcount, char **errstring, int *maxfd);
+#ifdef ENABLE_CONNECT_UNIX
+int connect_unix(const char* addr);
+#endif
int connect_remote(const char* remotehost, const char* remoteport,
int nonblocking, char ** errstring);
char* getaddrhostname(struct sockaddr_storage * addr);
============================================================
--- options.h 072d78418e9cbade0d6a42530afa806c781237bd
+++ options.h 7199663c0aa87aa718f6375b5d575fba55f4823b
@@ -59,7 +59,8 @@ etc) slower (perhaps by 50%). Recommende
#define ENABLE_SVR_REMOTETCPFWD
/* Enable Authentication Agent Forwarding - server only for now */
-#define ENABLE_AGENTFWD
+#define ENABLE_SVR_AGENTFWD
+#define ENABLE_CLI_AGENTFWD
/* Encryption - at least one required.
* RFC Draft requires 3DES, and recommends Blowfish, AES128 & Twofish128 */
@@ -318,6 +319,10 @@ etc) slower (perhaps by 50%). Recommende
#define DISABLE_AGENTFWD
#endif
+#if defined(DROPBEAR_PRNGD_SOCKET) || defined(ENABLE_CLI_AGENTFWD)
+#define ENABLE_CONNECT_UNIX
+#endif
+
#if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD)
#define ENABLE_CLI_ANYTCPFWD
#endif
============================================================
--- random.c 6b27327c1fd2cc9eca918be77a997c93404ab00d
+++ random.c f82dcd969805bc52c1c8033dbcc04e1dabfc8eca
@@ -68,12 +68,8 @@ static void readrand(unsigned char* buf,
#endif
#ifdef DROPBEAR_PRNGD_SOCKET
- memset((void*)&egdsock, 0x0, sizeof(egdsock));
- egdsock.sun_family = AF_UNIX;
- strlcpy(egdsock.sun_path, DROPBEAR_PRNGD_SOCKET,
- sizeof(egdsock.sun_path));
+ readfd = connect_unix(DROPBEAR_PRNGD_SOCKET);
- readfd = socket(PF_UNIX, SOCK_STREAM, 0);
if (readfd < 0) {
dropbear_exit("couldn't open random device");
}
============================================================
--- runopts.h 866a99e2213c6a2602a649a2915471ef4b39770a
+++ runopts.h e45bd018fe32329b6fc2aa6c4c9a60d56f9a86e0
@@ -103,6 +103,11 @@ typedef struct cli_runopts {
#ifdef ENABLE_CLI_LOCALTCPFWD
struct TCPFwdList * localfwds;
#endif
+#ifdef ENABLE_CLI_AGENTFWD
+ int agent_fwd;
+ int agent_keys_loaded; /* whether pubkeys has been populated with a
+ list of keys held by the agent */
+#endif
/* XXX TODO */
} cli_runopts;
============================================================
--- ssh.h b63c0c60a29e5dec39b53218d20fe30cfd00a60e
+++ ssh.h eaed86a5824b07a81ed770ea0f08ea8eaabc800e
@@ -94,3 +94,14 @@
#define SSH_SIGNKEY_DSS_LEN 7
#define SSH_SIGNKEY_RSA "ssh-rsa"
#define SSH_SIGNKEY_RSA_LEN 7
+
+/* Agent commands. These aren't part of the spec, and are defined
+ * only on the openssh implementation. */
+#define SSH_AGENT_FAILURE 5
+#define SSH_AGENT_SUCCESS 6
+#define SSH2_AGENTC_REQUEST_IDENTITIES 11
+#define SSH2_AGENT_IDENTITIES_ANSWER 12
+#define SSH2_AGENTC_SIGN_REQUEST 13
+#define SSH2_AGENT_SIGN_RESPONSE 14
+
+#define SSH2_AGENT_FAILURE 30
============================================================
--- svr-agentfwd.c 52fb70ca2c0319136708574134161a70c180517e
+++ svr-agentfwd.c 4c686d351feecba37348ea3a9e0117a2425ae490
@@ -176,7 +176,7 @@ void agentcleanup(struct ChanSess * chan
}
-static const struct ChanType chan_agent = {
+static const struct ChanType chan_svr_agent = {
0, /* sepfds */
"auth-agent@openssh.com",
NULL,
@@ -189,7 +189,7 @@ static int send_msg_channel_open_agent(i
/* helper for accepting an agent request */
static int send_msg_channel_open_agent(int fd) {
- if (send_msg_channel_open_init(fd, &chan_agent) == DROPBEAR_SUCCESS) {
+ if (send_msg_channel_open_init(fd, &chan_svr_agent) == DROPBEAR_SUCCESS) {
encrypt_packet();
return DROPBEAR_SUCCESS;
} else {