mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-10 01:48:00 +00:00
1d323d5c80
This server is NOT SECURE! If anyone is reading this commit message, DO NOT DEPLOY IT IN A HOSTILE-FACING ENVIRONMENT! Its purpose is to speak the server end of everything PuTTY speaks on the client side, so that I can test that I haven't broken PuTTY when I reorganise its code, even things like RSA key exchange or chained auth methods which it's hard to find a server that speaks at all. (For this reason, it's declared with [UT] in the Recipe file, so that it falls into the same category as programs like testbn, which won't be installed by 'make install'.) Working title is 'Uppity', partly for 'Universal PuTTY Protocol Interaction Test Yoke', but mostly because it looks quite like the word 'PuTTY' with part of it reversed. (Apparently 'test yoke' is a very rarely used term meaning something not altogether unlike 'test harness', which is a bit of a stretch, but it'll do.) It doesn't actually _support_ everything I want yet. At the moment, it's a proof of concept only. But it has most of the machinery present, and the parts it's missing - such as chained auth methods - should be easy enough to add because I've built in the required flexibility, in the form of an AuthPolicy object which can request them if it wants to. However, the current AuthPolicy object is entirely trivial, and will let in any user with the password "weasel". (Another way in which this is not a production-ready server is that it also has no interaction with the OS's authentication system. In particular, it will not only let in any user with the same password, but it won't even change uid - it will open shells and forwardings under whatever user id you started it up as.) Currently, the program can only speak the SSH protocol on its standard I/O channels (using the new FdSocket facility), so if you want it to listen on a network port, you'll have to run it from some kind of separate listening program similar to inetd. For my own tests, I'm not even doing that: I'm just having PuTTY spawn it as a local proxy process, which also conveniently eliminates the risk of anyone hostile connecting to it. The bulk of the actual code reorganisation is already done by previous commits, so this change is _mostly_ just dropping in a new set of server-specific source files alongside the client-specific ones I created recently. The remaining changes in the shared SSH code are numerous, but all minor: - a few extra parameters to BPP and PPL constructors (e.g. 'are you in server mode?'), and pass both sets of SSH-1 protocol flags from the login to the connection layer - in server mode, unconditionally send our version string _before_ waiting for the remote one - a new hook in the SSH-1 BPP to handle enabling compression in server mode, where the message exchange works the other way round - new code in the SSH-2 BPP to do _deferred_ compression the other way round (the non-deferred version is still nicely symmetric) - in the SSH-2 transport layer, some adjustments to do key derivation either way round (swapping round the identifying letters in the various hash preimages, and making sure to list the KEXINITs in the right order) - also in the SSH-2 transport layer, an if statement that controls whether we send SERVICE_REQUEST and wait for SERVICE_ACCEPT, or vice versa - new ConnectionLayer methods for opening outgoing channels for X and agent forwardings - new functions in portfwd.c to establish listening sockets suitable for remote-to-local port forwarding (i.e. not under the direction of a Conf the way it's done on the client side).
530 lines
15 KiB
C
530 lines
15 KiB
C
/*
|
|
* SSH server for Unix: main program.
|
|
*
|
|
* ======================================================================
|
|
*
|
|
* This server is NOT SECURE!
|
|
*
|
|
* DO NOT DEPLOY IT IN A HOSTILE-FACING ENVIRONMENT!
|
|
*
|
|
* Its purpose is to speak the server end of everything PuTTY speaks
|
|
* on the client side, so that I can test that I haven't broken PuTTY
|
|
* when I reorganise its code, even things like RSA key exchange or
|
|
* chained auth methods which it's hard to find a server that speaks
|
|
* at all.
|
|
*
|
|
* It has no interaction with the OS's authentication system: the
|
|
* authentications it will accept are configurable by command-line
|
|
* option, and once you authenticate, it will run the connection
|
|
* protocol - including all subprocesses and shells - under the same
|
|
* Unix user id you started it under.
|
|
*
|
|
* It really is only suitable for testing the actual SSH protocol.
|
|
* Don't use it for anything more serious!
|
|
*
|
|
* ======================================================================
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <errno.h>
|
|
#include <assert.h>
|
|
#include <stdarg.h>
|
|
#include <signal.h>
|
|
#include <unistd.h>
|
|
#include <fcntl.h>
|
|
#include <termios.h>
|
|
#include <pwd.h>
|
|
#include <sys/ioctl.h>
|
|
#include <sys/time.h>
|
|
#ifndef HAVE_NO_SYS_SELECT_H
|
|
#include <sys/select.h>
|
|
#endif
|
|
|
|
#define PUTTY_DO_GLOBALS /* actually _define_ globals */
|
|
#include "putty.h"
|
|
#include "ssh.h"
|
|
#include "sshserver.h"
|
|
|
|
const char *const appname = "uppity";
|
|
|
|
void modalfatalbox(const char *p, ...)
|
|
{
|
|
va_list ap;
|
|
fprintf(stderr, "FATAL ERROR: ");
|
|
va_start(ap, p);
|
|
vfprintf(stderr, p, ap);
|
|
va_end(ap);
|
|
fputc('\n', stderr);
|
|
exit(1);
|
|
}
|
|
void nonfatal(const char *p, ...)
|
|
{
|
|
va_list ap;
|
|
fprintf(stderr, "ERROR: ");
|
|
va_start(ap, p);
|
|
vfprintf(stderr, p, ap);
|
|
va_end(ap);
|
|
fputc('\n', stderr);
|
|
}
|
|
|
|
char *platform_default_s(const char *name)
|
|
{
|
|
return NULL;
|
|
}
|
|
|
|
int platform_default_i(const char *name, int def)
|
|
{
|
|
return def;
|
|
}
|
|
|
|
FontSpec *platform_default_fontspec(const char *name)
|
|
{
|
|
return fontspec_new("");
|
|
}
|
|
|
|
Filename *platform_default_filename(const char *name)
|
|
{
|
|
return filename_from_str("");
|
|
}
|
|
|
|
char *x_get_default(const char *key)
|
|
{
|
|
return NULL; /* this is a stub */
|
|
}
|
|
|
|
/*
|
|
* Our selects are synchronous, so these functions are empty stubs.
|
|
*/
|
|
uxsel_id *uxsel_input_add(int fd, int rwx) { return NULL; }
|
|
void uxsel_input_remove(uxsel_id *id) { }
|
|
|
|
void old_keyfile_warning(void) { }
|
|
|
|
void timer_change_notify(unsigned long next)
|
|
{
|
|
}
|
|
|
|
char *platform_get_x_display(void) { return NULL; }
|
|
|
|
static int verbose;
|
|
|
|
static void log_to_stderr(const char *msg)
|
|
{
|
|
/*
|
|
* FIXME: in multi-connection proper-socket mode, prefix this with
|
|
* a connection id of some kind. We'll surely pass this in to
|
|
* sshserver.c by way of constructing a distinct LogPolicy per
|
|
* instance and making its containing structure contain the id -
|
|
* but we'll also have to arrange for those LogPolicy structs to
|
|
* be freed when the server instance terminates.
|
|
*
|
|
* For now, though, we only have one server instance, so no need.
|
|
*/
|
|
|
|
fputs(msg, stderr);
|
|
fputc('\n', stderr);
|
|
fflush(stderr);
|
|
}
|
|
|
|
static void server_eventlog(LogPolicy *lp, const char *event)
|
|
{
|
|
if (verbose)
|
|
log_to_stderr(event);
|
|
}
|
|
|
|
static void server_logging_error(LogPolicy *lp, const char *event)
|
|
{
|
|
log_to_stderr(event); /* unconditional */
|
|
}
|
|
|
|
static int server_askappend(
|
|
LogPolicy *lp, Filename *filename,
|
|
void (*callback)(void *ctx, int result), void *ctx)
|
|
{
|
|
return 2; /* always overwrite (FIXME: could make this a cmdline option) */
|
|
}
|
|
|
|
static const LogPolicyVtable server_logpolicy_vt = {
|
|
server_eventlog,
|
|
server_askappend,
|
|
server_logging_error,
|
|
};
|
|
LogPolicy server_logpolicy[1] = {{ &server_logpolicy_vt }};
|
|
|
|
struct AuthPolicy_ssh1_pubkey {
|
|
struct RSAKey key;
|
|
struct AuthPolicy_ssh1_pubkey *next;
|
|
};
|
|
struct AuthPolicy_ssh2_pubkey {
|
|
ptrlen public_blob;
|
|
struct AuthPolicy_ssh2_pubkey *next;
|
|
};
|
|
|
|
struct AuthPolicy {
|
|
struct AuthPolicy_ssh1_pubkey *ssh1keys;
|
|
struct AuthPolicy_ssh2_pubkey *ssh2keys;
|
|
};
|
|
unsigned auth_methods(AuthPolicy *ap)
|
|
{
|
|
return AUTHMETHOD_PUBLICKEY | AUTHMETHOD_PASSWORD;
|
|
}
|
|
int auth_none(AuthPolicy *ap, ptrlen username)
|
|
{
|
|
return FALSE;
|
|
}
|
|
int auth_password(AuthPolicy *ap, ptrlen username, ptrlen password)
|
|
{
|
|
return ptrlen_eq_string(password, "weasel");
|
|
}
|
|
int auth_publickey(AuthPolicy *ap, ptrlen username, ptrlen public_blob)
|
|
{
|
|
struct AuthPolicy_ssh2_pubkey *iter;
|
|
for (iter = ap->ssh2keys; iter; iter = iter->next) {
|
|
if (ptrlen_eq_ptrlen(public_blob, iter->public_blob))
|
|
return TRUE;
|
|
}
|
|
return FALSE;
|
|
}
|
|
struct RSAKey *auth_publickey_ssh1(
|
|
AuthPolicy *ap, ptrlen username, Bignum rsa_modulus)
|
|
{
|
|
struct AuthPolicy_ssh1_pubkey *iter;
|
|
for (iter = ap->ssh1keys; iter; iter = iter->next) {
|
|
if (!bignum_cmp(rsa_modulus, iter->key.modulus))
|
|
return &iter->key;
|
|
}
|
|
return NULL;
|
|
}
|
|
int auth_successful(AuthPolicy *ap, ptrlen username, unsigned method)
|
|
{
|
|
return TRUE;
|
|
}
|
|
|
|
static void show_help_and_exit(void)
|
|
{
|
|
printf("usage: uppity [options]\n");
|
|
printf("options: --hostkey KEY SSH host key (need at least one)\n");
|
|
printf(" --userkey KEY public key"
|
|
" acceptable for user authentication\n");
|
|
printf("also: uppity --help show this text\n");
|
|
printf(" uppity --version show version information\n");
|
|
exit(0);
|
|
}
|
|
|
|
static void show_version_and_exit(void)
|
|
{
|
|
char *buildinfo_text = buildinfo("\n");
|
|
printf("uppity: %s\n%s\n", ver, buildinfo_text);
|
|
sfree(buildinfo_text);
|
|
exit(0);
|
|
}
|
|
|
|
const int buildinfo_gtk_relevant = FALSE;
|
|
|
|
static int finished = FALSE;
|
|
void server_instance_terminated(void)
|
|
{
|
|
/* FIXME: change policy here if we're running in a listening loop */
|
|
finished = TRUE;
|
|
}
|
|
|
|
static int longoptarg(const char *arg, const char *expected,
|
|
const char **val, int *argcp, char ***argvp)
|
|
{
|
|
int len = strlen(expected);
|
|
if (memcmp(arg, expected, len))
|
|
return FALSE;
|
|
if (arg[len] == '=') {
|
|
*val = arg + len + 1;
|
|
return TRUE;
|
|
} else if (arg[len] == '\0') {
|
|
if (--*argcp > 0) {
|
|
*val = *++*argvp;
|
|
return TRUE;
|
|
} else {
|
|
fprintf(stderr, "uppity: option %s expects an argument\n",
|
|
expected);
|
|
exit(1);
|
|
}
|
|
}
|
|
return FALSE;
|
|
}
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
int *fdlist;
|
|
int fd;
|
|
int i, fdcount, fdsize, fdstate;
|
|
unsigned long now;
|
|
|
|
ssh_key **hostkeys = NULL;
|
|
int nhostkeys = 0, hostkeysize = 0;
|
|
struct RSAKey *hostkey1 = NULL;
|
|
|
|
AuthPolicy ap;
|
|
|
|
Conf *conf = conf_new();
|
|
load_open_settings(NULL, conf);
|
|
|
|
ap.ssh1keys = NULL;
|
|
ap.ssh2keys = NULL;
|
|
|
|
while (--argc > 0) {
|
|
const char *arg = *++argv;
|
|
const char *val;
|
|
|
|
if (!strcmp(arg, "--help")) {
|
|
show_help_and_exit();
|
|
} else if (!strcmp(arg, "--version")) {
|
|
show_version_and_exit();
|
|
} else if (!strcmp(arg, "--verbose") || !strcmp(arg, "-v")) {
|
|
verbose = TRUE;
|
|
} else if (longoptarg(arg, "--hostkey", &val, &argc, &argv)) {
|
|
Filename *keyfile;
|
|
int keytype;
|
|
const char *error;
|
|
|
|
keyfile = filename_from_str(val);
|
|
keytype = key_type(keyfile);
|
|
|
|
if (keytype == SSH_KEYTYPE_SSH2) {
|
|
struct ssh2_userkey *uk;
|
|
ssh_key *key;
|
|
uk = ssh2_load_userkey(keyfile, NULL, &error);
|
|
filename_free(keyfile);
|
|
if (!uk || !uk->key) {
|
|
fprintf(stderr, "uppity: unable to load host key '%s': "
|
|
"%s\n", val, error);
|
|
exit(1);
|
|
}
|
|
key = uk->key;
|
|
sfree(uk->comment);
|
|
sfree(uk);
|
|
|
|
for (i = 0; i < nhostkeys; i++)
|
|
if (ssh_key_alg(hostkeys[i]) == ssh_key_alg(key)) {
|
|
fprintf(stderr, "uppity: host key '%s' duplicates key "
|
|
"type %s\n", val, ssh_key_alg(key)->ssh_id);
|
|
exit(1);
|
|
}
|
|
|
|
if (nhostkeys >= hostkeysize) {
|
|
hostkeysize = nhostkeys * 5 / 4 + 16;
|
|
hostkeys = sresize(hostkeys, hostkeysize, ssh_key *);
|
|
}
|
|
hostkeys[nhostkeys++] = key;
|
|
} else if (keytype == SSH_KEYTYPE_SSH1) {
|
|
if (hostkey1) {
|
|
fprintf(stderr, "uppity: host key '%s' is a redundant "
|
|
"SSH-1 host key\n", val);
|
|
exit(1);
|
|
}
|
|
hostkey1 = snew(struct RSAKey);
|
|
if (!rsa_ssh1_loadkey(keyfile, hostkey1, NULL, &error)) {
|
|
fprintf(stderr, "uppity: unable to load host key '%s': "
|
|
"%s\n", val, error);
|
|
exit(1);
|
|
}
|
|
} else {
|
|
fprintf(stderr, "uppity: '%s' is not loadable as a "
|
|
"private key (%s)", val, key_type_to_str(keytype));
|
|
exit(1);
|
|
}
|
|
} else if (longoptarg(arg, "--userkey", &val, &argc, &argv)) {
|
|
Filename *keyfile;
|
|
int keytype;
|
|
const char *error;
|
|
|
|
keyfile = filename_from_str(val);
|
|
keytype = key_type(keyfile);
|
|
|
|
if (keytype == SSH_KEYTYPE_SSH2_PUBLIC_RFC4716 ||
|
|
keytype == SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH) {
|
|
strbuf *sb = strbuf_new();
|
|
struct AuthPolicy_ssh2_pubkey *node;
|
|
void *blob;
|
|
|
|
if (!ssh2_userkey_loadpub(keyfile, NULL, BinarySink_UPCAST(sb),
|
|
NULL, &error)) {
|
|
fprintf(stderr, "uppity: unable to load user key '%s': "
|
|
"%s\n", val, error);
|
|
exit(1);
|
|
}
|
|
|
|
node = snew_plus(struct AuthPolicy_ssh2_pubkey, sb->len);
|
|
blob = snew_plus_get_aux(node);
|
|
memcpy(blob, sb->u, sb->len);
|
|
node->public_blob = make_ptrlen(blob, sb->len);
|
|
|
|
node->next = ap.ssh2keys;
|
|
ap.ssh2keys = node;
|
|
|
|
strbuf_free(sb);
|
|
} else if (keytype == SSH_KEYTYPE_SSH1_PUBLIC) {
|
|
strbuf *sb = strbuf_new();
|
|
BinarySource src[1];
|
|
struct AuthPolicy_ssh1_pubkey *node;
|
|
|
|
if (!rsa_ssh1_loadpub(keyfile, BinarySink_UPCAST(sb),
|
|
NULL, &error)) {
|
|
fprintf(stderr, "uppity: unable to load user key '%s': "
|
|
"%s\n", val, error);
|
|
exit(1);
|
|
}
|
|
|
|
node = snew(struct AuthPolicy_ssh1_pubkey);
|
|
BinarySource_BARE_INIT(src, sb->u, sb->len);
|
|
get_rsa_ssh1_pub(src, &node->key, RSA_SSH1_EXPONENT_FIRST);
|
|
|
|
node->next = ap.ssh1keys;
|
|
ap.ssh1keys = node;
|
|
|
|
strbuf_free(sb);
|
|
} else {
|
|
fprintf(stderr, "uppity: '%s' is not loadable as a public key "
|
|
"(%s)\n", val, key_type_to_str(keytype));
|
|
exit(1);
|
|
}
|
|
} else if (longoptarg(arg, "--sshlog", &val, &argc, &argv) ||
|
|
longoptarg(arg, "-sshlog", &val, &argc, &argv)) {
|
|
Filename *logfile = filename_from_str(val);
|
|
conf_set_filename(conf, CONF_logfilename, logfile);
|
|
filename_free(logfile);
|
|
conf_set_int(conf, CONF_logtype, LGTYP_PACKETS);
|
|
conf_set_int(conf, CONF_logxfovr, LGXF_OVR);
|
|
} else if (longoptarg(arg, "--sshrawlog", &val, &argc, &argv) ||
|
|
longoptarg(arg, "-sshrawlog", &val, &argc, &argv)) {
|
|
Filename *logfile = filename_from_str(val);
|
|
conf_set_filename(conf, CONF_logfilename, logfile);
|
|
filename_free(logfile);
|
|
conf_set_int(conf, CONF_logtype, LGTYP_SSHRAW);
|
|
conf_set_int(conf, CONF_logxfovr, LGXF_OVR);
|
|
} else {
|
|
fprintf(stderr, "uppity: unrecognised option '%s'\n", arg);
|
|
exit(1);
|
|
}
|
|
}
|
|
|
|
if (nhostkeys == 0 && !hostkey1) {
|
|
fprintf(stderr, "uppity: specify at least one host key\n");
|
|
exit(1);
|
|
}
|
|
|
|
fdlist = NULL;
|
|
fdcount = fdsize = 0;
|
|
|
|
random_ref();
|
|
|
|
/*
|
|
* Block SIGPIPE, so that we'll get EPIPE individually on
|
|
* particular network connections that go wrong.
|
|
*/
|
|
putty_signal(SIGPIPE, SIG_IGN);
|
|
|
|
sk_init();
|
|
uxsel_init();
|
|
|
|
{
|
|
Plug *plug = ssh_server_plug(
|
|
conf, hostkeys, nhostkeys, hostkey1, &ap, server_logpolicy);
|
|
ssh_server_start(plug, make_fd_socket(0, 1, -1, plug));
|
|
}
|
|
|
|
now = GETTICKCOUNT();
|
|
|
|
while (!finished) {
|
|
fd_set rset, wset, xset;
|
|
int maxfd;
|
|
int rwx;
|
|
int ret;
|
|
unsigned long next;
|
|
|
|
FD_ZERO(&rset);
|
|
FD_ZERO(&wset);
|
|
FD_ZERO(&xset);
|
|
maxfd = 0;
|
|
|
|
/* Count the currently active fds. */
|
|
i = 0;
|
|
for (fd = first_fd(&fdstate, &rwx); fd >= 0;
|
|
fd = next_fd(&fdstate, &rwx)) i++;
|
|
|
|
/* Expand the fdlist buffer if necessary. */
|
|
if (i > fdsize) {
|
|
fdsize = i + 16;
|
|
fdlist = sresize(fdlist, fdsize, int);
|
|
}
|
|
|
|
/*
|
|
* Add all currently open fds to the select sets, and store
|
|
* them in fdlist as well.
|
|
*/
|
|
fdcount = 0;
|
|
for (fd = first_fd(&fdstate, &rwx); fd >= 0;
|
|
fd = next_fd(&fdstate, &rwx)) {
|
|
fdlist[fdcount++] = fd;
|
|
if (rwx & 1)
|
|
FD_SET_MAX(fd, maxfd, rset);
|
|
if (rwx & 2)
|
|
FD_SET_MAX(fd, maxfd, wset);
|
|
if (rwx & 4)
|
|
FD_SET_MAX(fd, maxfd, xset);
|
|
}
|
|
|
|
if (toplevel_callback_pending()) {
|
|
struct timeval tv;
|
|
tv.tv_sec = 0;
|
|
tv.tv_usec = 0;
|
|
ret = select(maxfd, &rset, &wset, &xset, &tv);
|
|
} else if (run_timers(now, &next)) {
|
|
do {
|
|
unsigned long then;
|
|
long ticks;
|
|
struct timeval tv;
|
|
|
|
then = now;
|
|
now = GETTICKCOUNT();
|
|
if (now - then > next - then)
|
|
ticks = 0;
|
|
else
|
|
ticks = next - now;
|
|
tv.tv_sec = ticks / 1000;
|
|
tv.tv_usec = ticks % 1000 * 1000;
|
|
ret = select(maxfd, &rset, &wset, &xset, &tv);
|
|
if (ret == 0)
|
|
now = next;
|
|
else
|
|
now = GETTICKCOUNT();
|
|
} while (ret < 0 && errno == EINTR);
|
|
} else {
|
|
ret = select(maxfd, &rset, &wset, &xset, NULL);
|
|
}
|
|
|
|
if (ret < 0 && errno == EINTR)
|
|
continue;
|
|
|
|
if (ret < 0) {
|
|
perror("select");
|
|
exit(1);
|
|
}
|
|
|
|
for (i = 0; i < fdcount; i++) {
|
|
fd = fdlist[i];
|
|
/*
|
|
* We must process exceptional notifications before
|
|
* ordinary readability ones, or we may go straight
|
|
* past the urgent marker.
|
|
*/
|
|
if (FD_ISSET(fd, &xset))
|
|
select_result(fd, 4);
|
|
if (FD_ISSET(fd, &rset))
|
|
select_result(fd, 1);
|
|
if (FD_ISSET(fd, &wset))
|
|
select_result(fd, 2);
|
|
}
|
|
|
|
run_toplevel_callbacks();
|
|
}
|
|
}
|