Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / 1a38c86fe3e84edcaca8b5ded7a9eec7f57cc9d1 / . / src / session_server_ssh.c
blob: 6b9f07d058ac21bc96eb616517d74046ed339acd [file] [log] [blame]
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1/**
2 * \file session_server_ssh.c
3 * \author Michal Vasko <mvasko@cesnet.cz>
4 * \brief libnetconf2 SSH server session manipulation functions
5 *
6 * Copyright (c) 2015 CESNET, z.s.p.o.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in
15 * the documentation and/or other materials provided with the
16 * distribution.
17 * 3. Neither the name of the Company nor the names of its contributors
18 * may be used to endorse or promote products derived from this
19 * software without specific prior written permission.
20 *
21 */
22
23#define _GNU_SOURCE
24
25#include <stdlib.h>
26#include <string.h>
27#include <sys/types.h>
28#include <pwd.h>
29#include <shadow.h>
30#include <crypt.h>
31#include <errno.h>
32
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame^]33#include "libnetconf.h"
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]34
35extern struct nc_server_opts server_opts;
36static struct nc_ssh_server_opts ssh_opts = {
37 .auth_methods = NC_SSH_AUTH_PUBLICKEY | NC_SSH_AUTH_PASSWORD | NC_SSH_AUTH_INTERACTIVE,
38 .auth_attempts = 3,
39 .auth_timeout = 10
40};
41
42API int
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame^]43nc_ssh_server_set_hostkey(const char *privkey_path)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]44{
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame^]45 if (!privkey_path) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]46 ERRARG;
47 return -1;
48 }
49
50 if (!ssh_opts.sshbind) {
51 ssh_opts.sshbind = ssh_bind_new();
52 if (!ssh_opts.sshbind) {
Michal Vaskod45e25a2016-01-08 15:48:44 +0100[diff] [blame]53 ERR("%s: failed to create a new ssh_bind.", __func__);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]54 return -1;
55 }
56 }
57
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame^]58 if (ssh_bind_options_set(ssh_opts.sshbind, SSH_BIND_OPTIONS_HOSTKEY, privkey_path) != SSH_OK) {
Michal Vaskod45e25a2016-01-08 15:48:44 +0100[diff] [blame]59 ERR("%s: failed to set host key (%s).", __func__, ssh_get_error(ssh_opts.sshbind));
60 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]61 }
Michal Vaskod45e25a2016-01-08 15:48:44 +0100[diff] [blame]62
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]63 return 0;
64}
65
66API int
67nc_ssh_server_set_banner(const char *banner)
68{
69 if (!banner) {
70 ERRARG;
71 return -1;
72 }
73
74 if (!ssh_opts.sshbind) {
75 ssh_opts.sshbind = ssh_bind_new();
76 if (!ssh_opts.sshbind) {
77 ERR("%s: failed to create a new ssh_bind", __func__);
78 return -1;
79 }
80 }
81
82 ssh_bind_options_set(ssh_opts.sshbind, SSH_BIND_OPTIONS_BANNER, banner);
83 return 0;
84}
85
86API int
87nc_ssh_server_set_auth_methods(int auth_methods)
88{
89 if (!(auth_methods & NC_SSH_AUTH_PUBLICKEY) && !(auth_methods & NC_SSH_AUTH_PASSWORD)
90 && !(auth_methods & NC_SSH_AUTH_INTERACTIVE)) {
91 ERRARG;
92 return -1;
93 }
94
95 ssh_opts.auth_methods = auth_methods;
96 return 0;
97}
98
99API int
100nc_ssh_server_set_auth_attempts(uint16_t auth_attempts)
101{
102 if (!auth_attempts) {
103 ERRARG;
104 return -1;
105 }
106
107 ssh_opts.auth_attempts = auth_attempts;
108 return 0;
109}
110
111API int
112nc_ssh_server_set_auth_timeout(uint16_t auth_timeout)
113{
114 if (!auth_timeout) {
115 ERRARG;
116 return -1;
117 }
118
119 ssh_opts.auth_timeout = auth_timeout;
120 return 0;
121}
122
123API int
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame^]124nc_ssh_server_add_authkey(const char *pubkey_path, const char *username)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]125{
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame^]126 if (!pubkey_path || !username) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]127 ERRARG;
128 return -1;
129 }
130
131 ++ssh_opts.authkey_count;
132 ssh_opts.authkeys = realloc(ssh_opts.authkeys, ssh_opts.authkey_count * sizeof *ssh_opts.authkeys);
133
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame^]134 ssh_opts.authkeys[ssh_opts.authkey_count - 1].path = strdup(pubkey_path);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]135 ssh_opts.authkeys[ssh_opts.authkey_count - 1].username = strdup(username);
136
137 return 0;
138}
139
140API int
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame^]141nc_ssh_server_del_authkey(const char *pubkey_path, const char *username)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]142{
143 uint32_t i;
144 int ret = -1;
145
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame^]146 if (!pubkey_path && !username) {
147 for (i = 0; i < ssh_opts.authkey_count; ++i) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]148 free(ssh_opts.authkeys[i].path);
149 free(ssh_opts.authkeys[i].username);
150
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]151 ret = 0;
152 }
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame^]153 free(ssh_opts.authkeys);
154 ssh_opts.authkeys = NULL;
155 ssh_opts.authkey_count = 0;
156 } else {
157 for (i = 0; i < ssh_opts.authkey_count; ++i) {
158 if ((!pubkey_path || !strcmp(ssh_opts.authkeys[i].path, pubkey_path))
159 && (!username || !strcmp(ssh_opts.authkeys[i].username, username))) {
160 free(ssh_opts.authkeys[i].path);
161 free(ssh_opts.authkeys[i].username);
162
163 --ssh_opts.authkey_count;
164 memmove(&ssh_opts.authkeys[i], &ssh_opts.authkeys[i + 1], (ssh_opts.authkey_count - i) * sizeof *ssh_opts.authkeys);
165
166 ret = 0;
167 }
168 }
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]169 }
170
171 return ret;
172}
173
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]174API void
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]175nc_ssh_server_free_opts(void)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]176{
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]177 if (ssh_opts.sshbind) {
178 ssh_bind_free(ssh_opts.sshbind);
179 }
180
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame^]181 nc_ssh_server_del_authkey(NULL, NULL);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]182}
183
184static char *
185auth_password_get_pwd_hash(const char *username)
186{
187 struct passwd *pwd, pwd_buf;
188 struct spwd *spwd, spwd_buf;
189 char *pass_hash = NULL, buf[256];
190
191 getpwnam_r(username, &pwd_buf, buf, 256, &pwd);
192 if (!pwd) {
193 VRB("User '%s' not found locally.", username);
194 return NULL;
195 }
196
197 if (!strcmp(pwd->pw_passwd, "x")) {
198 getspnam_r(username, &spwd_buf, buf, 256, &spwd);
199 if (!spwd) {
200 VRB("Failed to retrieve the shadow entry for \"%s\".", username);
201 return NULL;
202 }
203
204 pass_hash = spwd->sp_pwdp;
205 } else {
206 pass_hash = pwd->pw_passwd;
207 }
208
209 if (!pass_hash) {
210 ERR("%s: no password could be retrieved for \"%s\".", __func__, username);
211 return NULL;
212 }
213
214 /* check the hash structure for special meaning */
215 if (!strcmp(pass_hash, "*") || !strcmp(pass_hash, "!")) {
216 VRB("User \"%s\" is not allowed to authenticate using a password.", username);
217 return NULL;
218 }
219 if (!strcmp(pass_hash, "*NP*")) {
220 VRB("Retrieving password for \"%s\" from a NIS+ server not supported.", username);
221 return NULL;
222 }
223
224 return strdup(pass_hash);
225}
226
227static int
228auth_password_compare_pwd(const char *pass_hash, const char *pass_clear)
229{
230 char *new_pass_hash;
231 struct crypt_data cdata;
232
233 if (!pass_hash[0]) {
234 if (!pass_clear[0]) {
235 WRN("User authentication successful with an empty password!");
236 return 0;
237 } else {
238 /* the user did now know he does not need any password,
239 * (which should not be used) so deny authentication */
240 return 1;
241 }
242 }
243
244 cdata.initialized = 0;
245 new_pass_hash = crypt_r(pass_clear, pass_hash, &cdata);
246 return strcmp(new_pass_hash, pass_hash);
247}
248
249static void
250nc_sshcb_auth_password(struct nc_session *session, ssh_message msg)
251{
252 char *pass_hash;
253
254 pass_hash = auth_password_get_pwd_hash(session->username);
255 if (pass_hash && !auth_password_compare_pwd(pass_hash, ssh_message_auth_password(msg))) {
256 VRB("User '%s' authenticated.", session->username);
257 ssh_message_auth_reply_success(msg, 0);
258 session->flags |= NC_SESSION_SSH_AUTHENTICATED;
259 free(pass_hash);
260 return;
261 }
262
263 free(pass_hash);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]264 ++session->ssh_auth_attempts;
265 VRB("Failed user '%s' authentication attempt (#%d).", session->username, session->ssh_auth_attempts);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]266 ssh_message_reply_default(msg);
267}
268
269static void
270nc_sshcb_auth_kbdint(struct nc_session *session, ssh_message msg)
271{
272 char *pass_hash;
273
274 if (!ssh_message_auth_kbdint_is_response(msg)) {
275 const char *prompts[] = {"Password: "};
276 char echo[] = {0};
277
278 ssh_message_auth_interactive_request(msg, "Interactive SSH Authentication", "Type your password:", 1, prompts, echo);
279 } else {
280 if (ssh_userauth_kbdint_getnanswers(session->ti.libssh.session) != 1) {
281 ssh_message_reply_default(msg);
282 return;
283 }
284 pass_hash = auth_password_get_pwd_hash(session->username);
285 if (!pass_hash) {
286 ssh_message_reply_default(msg);
287 return;
288 }
289 if (!auth_password_compare_pwd(pass_hash, ssh_userauth_kbdint_getanswer(session->ti.libssh.session, 0))) {
290 VRB("User \"%s\" authenticated.", session->username);
291 session->flags |= NC_SESSION_SSH_AUTHENTICATED;
292 ssh_message_auth_reply_success(msg, 0);
293 } else {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]294 ++session->ssh_auth_attempts;
295 VRB("Failed user \"%s\" authentication attempt (#%d).", session->username, session->ssh_auth_attempts);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]296 ssh_message_reply_default(msg);
297 }
298 }
299}
300
301static const char *
302auth_pubkey_compare_key(ssh_key key)
303{
304 uint32_t i;
305 ssh_key pub_key;
306 char *username = NULL;
307
308 for (i = 0; i < ssh_opts.authkey_count; ++i) {
309 if (ssh_pki_import_pubkey_file(ssh_opts.authkeys[i].path, &pub_key) != SSH_OK) {
310 if (eaccess(ssh_opts.authkeys[i].path, R_OK)) {
311 VRB("%s: failed to import the public key \"%s\" (%s)", __func__, ssh_opts.authkeys[i].path, strerror(errno));
312 } else {
313 VRB("%s: failed to import the public key \"%s\" (%s)", __func__, ssh_opts.authkeys[i].path, ssh_get_error(pub_key));
314 }
315 continue;
316 }
317
318 if (!ssh_key_cmp(key, pub_key, SSH_KEY_CMP_PUBLIC)) {
319 ssh_key_free(pub_key);
320 break;
321 }
322
323 ssh_key_free(pub_key);
324 }
325
326 if (i < ssh_opts.authkey_count) {
327 username = ssh_opts.authkeys[i].username;
328 }
329
330 return username;
331}
332
333static void
334nc_sshcb_auth_pubkey(struct nc_session *session, ssh_message msg)
335{
336 const char *username;
337 int signature_state;
338
339 signature_state = ssh_message_auth_publickey_state(msg);
340 if (signature_state == SSH_PUBLICKEY_STATE_VALID) {
341 VRB("User \"%s\" authenticated.", session->username);
342 session->flags |= NC_SESSION_SSH_AUTHENTICATED;
343 ssh_message_auth_reply_success(msg, 0);
344 return;
345
346 } else if (signature_state == SSH_PUBLICKEY_STATE_NONE) {
347 if ((username = auth_pubkey_compare_key(ssh_message_auth_pubkey(msg))) == NULL) {
348 VRB("User \"%s\" tried to use an unknown (unauthorized) public key.", session->username);
349
350 } else if (strcmp(session->username, username)) {
351 VRB("User \"%s\" is not the username identified with the presented public key.", session->username);
352
353 } else {
354 /* accepting only the use of a public key */
355 ssh_message_auth_reply_pk_ok_simple(msg);
356 return;
357 }
358 }
359
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]360 ++session->ssh_auth_attempts;
361 VRB("Failed user \"%s\" authentication attempt (#%d).", session->username, session->ssh_auth_attempts);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]362 ssh_message_reply_default(msg);
363}
364
365static int
366nc_sshcb_channel_open(struct nc_session *session, ssh_channel channel)
367{
368 while (session->ti.libssh.next) {
369 if (session->status == NC_STATUS_STARTING) {
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]370 ERRINT;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]371 return -1;
372 }
373 session = session->ti.libssh.next;
374 }
375
376 if ((session->status != NC_STATUS_STARTING) || session->ti.libssh.channel) {
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]377 ERRINT;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]378 return -1;
379 }
380
381 session->ti.libssh.channel = channel;
382
383 return 0;
384}
385
386static int
387nc_sshcb_channel_subsystem(struct nc_session *session, ssh_channel channel, const char *subsystem)
388{
389 while (session && (session->ti.libssh.channel != channel)) {
390 session = session->ti.libssh.next;
391 }
392
393 if (!session) {
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]394 ERRINT;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]395 return -1;
396 }
397
398 if (!strcmp(subsystem, "netconf")) {
399 if (session->flags & NC_SESSION_SSH_SUBSYS_NETCONF) {
400 WRN("Client \"%s\" requested subsystem 'netconf' for the second time.", session->username);
401 } else {
402 session->flags |= NC_SESSION_SSH_SUBSYS_NETCONF;
403 }
404 } else {
405 WRN("Client \"%s\" requested an unknown subsystem '%s'.", session->username, subsystem);
406 return -1;
407 }
408
409 return 0;
410}
411
412static int
413nc_sshcb_msg(ssh_session sshsession, ssh_message msg, void *data)
414{
415 const char *str_type, *str_subtype = NULL, *username;
416 int subtype, type;
417 struct nc_session *session = (struct nc_session *)data;
418 (void)sshsession;
419
420 type = ssh_message_type(msg);
421 subtype = ssh_message_subtype(msg);
422
423 switch (type) {
424 case SSH_REQUEST_AUTH:
425 str_type = "request-auth";
426 switch (subtype) {
427 case SSH_AUTH_METHOD_NONE:
428 str_subtype = "none";
429 break;
430 case SSH_AUTH_METHOD_PASSWORD:
431 str_subtype = "password";
432 break;
433 case SSH_AUTH_METHOD_PUBLICKEY:
434 str_subtype = "publickey";
435 break;
436 case SSH_AUTH_METHOD_HOSTBASED:
437 str_subtype = "hostbased";
438 break;
439 case SSH_AUTH_METHOD_INTERACTIVE:
440 str_subtype = "interactive";
441 break;
442 case SSH_AUTH_METHOD_GSSAPI_MIC:
443 str_subtype = "gssapi-mic";
444 break;
445 }
446 break;
447
448 case SSH_REQUEST_CHANNEL_OPEN:
449 str_type = "request-channel-open";
450 switch (subtype) {
451 case SSH_CHANNEL_SESSION:
452 str_subtype = "session";
453 break;
454 case SSH_CHANNEL_DIRECT_TCPIP:
455 str_subtype = "direct-tcpip";
456 break;
457 case SSH_CHANNEL_FORWARDED_TCPIP:
458 str_subtype = "forwarded-tcpip";
459 break;
460 case (int)SSH_CHANNEL_X11:
461 str_subtype = "channel-x11";
462 break;
463 case SSH_CHANNEL_UNKNOWN:
464 /* fallthrough */
465 default:
466 str_subtype = "unknown";
467 break;
468 }
469 break;
470
471 case SSH_REQUEST_CHANNEL:
472 str_type = "request-channel";
473 switch (subtype) {
474 case SSH_CHANNEL_REQUEST_PTY:
475 str_subtype = "pty";
476 break;
477 case SSH_CHANNEL_REQUEST_EXEC:
478 str_subtype = "exec";
479 break;
480 case SSH_CHANNEL_REQUEST_SHELL:
481 str_subtype = "shell";
482 break;
483 case SSH_CHANNEL_REQUEST_ENV:
484 str_subtype = "env";
485 break;
486 case SSH_CHANNEL_REQUEST_SUBSYSTEM:
487 str_subtype = "subsystem";
488 break;
489 case SSH_CHANNEL_REQUEST_WINDOW_CHANGE:
490 str_subtype = "window-change";
491 break;
492 case SSH_CHANNEL_REQUEST_X11:
493 str_subtype = "x11";
494 break;
495 case SSH_CHANNEL_REQUEST_UNKNOWN:
496 /* fallthrough */
497 default:
498 str_subtype = "unknown";
499 break;
500 }
501 break;
502
503 case SSH_REQUEST_SERVICE:
504 str_type = "request-service";
505 str_subtype = ssh_message_service_service(msg);
506 break;
507
508 case SSH_REQUEST_GLOBAL:
509 str_type = "request-global";
510 switch (subtype) {
511 case SSH_GLOBAL_REQUEST_TCPIP_FORWARD:
512 str_subtype = "tcpip-forward";
513 break;
514 case SSH_GLOBAL_REQUEST_CANCEL_TCPIP_FORWARD:
515 str_subtype = "cancel-tcpip-forward";
516 break;
517 case SSH_GLOBAL_REQUEST_UNKNOWN:
518 /* fallthrough */
519 default:
520 str_subtype = "unknown";
521 break;
522 }
523 break;
524
525 default:
526 str_type = "unknown";
527 str_subtype = "unknown";
528 break;
529 }
530
531 VRB("Received an SSH message \"%s\" of subtype \"%s\".", str_type, str_subtype);
532
533 /*
534 * process known messages
535 */
536 if (type == SSH_REQUEST_AUTH) {
537 if (session->flags & NC_SESSION_SSH_AUTHENTICATED) {
538 ERR("User \"%s\" authenticated, but requested another authentication.", session->username);
539 ssh_message_reply_default(msg);
540 return 0;
541 }
542
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]543 if (session->ssh_auth_attempts >= ssh_opts.auth_attempts) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]544 /* too many failed attempts */
545 ssh_message_reply_default(msg);
546 return 0;
547 }
548
549 /* save the username, do not let the client change it */
550 username = ssh_message_auth_user(msg);
551 if (!session->username) {
552 if (!username) {
553 ERR("Denying an auth request without a username.");
554 return 1;
555 }
556
Michal Vasko05ba9df2016-01-13 14:40:27 +0100[diff] [blame]557 session->username = lydict_insert(server_opts.ctx, username, 0);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]558 } else if (username) {
559 if (strcmp(username, session->username)) {
560 ERR("User \"%s\" changed its username to \"%s\".", session->username, username);
561 session->status = NC_STATUS_INVALID;
Michal Vasko428087d2016-01-14 16:04:28 +0100[diff] [blame]562 session->term_reason = NC_SESSION_TERM_OTHER;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]563 return 1;
564 }
565 }
566
567 if (subtype == SSH_AUTH_METHOD_NONE) {
568 /* libssh will return the supported auth methods */
569 return 1;
570 } else if (subtype == SSH_AUTH_METHOD_PASSWORD) {
571 nc_sshcb_auth_password(session, msg);
572 return 0;
573 } else if (subtype == SSH_AUTH_METHOD_PUBLICKEY) {
574 nc_sshcb_auth_pubkey(session, msg);
575 return 0;
576 } else if (subtype == SSH_AUTH_METHOD_INTERACTIVE) {
577 nc_sshcb_auth_kbdint(session, msg);
578 return 0;
579 }
580 } else if (session->flags & NC_SESSION_SSH_AUTHENTICATED) {
581 if ((type == SSH_REQUEST_CHANNEL_OPEN) && (subtype == (int)SSH_CHANNEL_SESSION)) {
582 ssh_channel chan;
583 if ((chan = ssh_message_channel_request_open_reply_accept(msg)) == NULL) {
584 ssh_message_reply_default(msg);
585 return 0;
586 }
587 nc_sshcb_channel_open(session, chan);
588 return 0;
589 } else if ((type == SSH_REQUEST_CHANNEL) && (subtype == (int)SSH_CHANNEL_REQUEST_SUBSYSTEM)) {
590 if (!nc_sshcb_channel_subsystem(session, ssh_message_channel_request_channel(msg),
591 ssh_message_channel_request_subsystem(msg))) {
592 ssh_message_channel_request_reply_success(msg);
593 } else {
594 ssh_message_reply_default(msg);
595 }
596 return 0;
597 }
598 }
599
600 /* we did not process it */
601 return 1;
602}
603
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame^]604/* ret 1 on success, 0 on timeout, -1 on error */
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]605static int
606nc_open_netconf_channel(struct nc_session *session, int timeout)
607{
608 int elapsed = 0;
609
610 /* message callback is executed twice to give chance for the channel to be
611 * created if timeout == 0 (it takes 2 messages, channel-open, subsystem-request) */
612 do {
Michal Vasko2a7d4732016-01-15 09:24:46 +0100[diff] [blame]613 if (!nc_session_is_connected(session)) {
614 ERR("%s: communication channel unexpectedly closed (libssh).", __func__);
615 return -1;
616 }
617
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]618 if (ssh_execute_message_callbacks(session->ti.libssh.session) != SSH_OK) {
619 ERR("%s: failed to receive new messages on the SSH session (%s)",
620 __func__, ssh_get_error(session->ti.libssh.session));
621 return -1;
622 }
623
624 if (session->ti.libssh.channel && (session->flags & NC_SESSION_SSH_SUBSYS_NETCONF)) {
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame^]625 return 1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]626 }
627
628 usleep(NC_TIMEOUT_STEP);
629 elapsed += NC_TIMEOUT_STEP;
630 if ((timeout > NC_TIMEOUT_STEP) && (elapsed >= timeout)) {
631 break;
632 }
633
634 if (ssh_execute_message_callbacks(session->ti.libssh.session) != SSH_OK) {
635 ERR("%s: failed to receive new messages on the SSH session (%s)",
636 __func__, ssh_get_error(session->ti.libssh.session));
637 return -1;
638 }
639
640 if (session->ti.libssh.channel && (session->flags & NC_SESSION_SSH_SUBSYS_NETCONF)) {
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame^]641 return 1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]642 }
643
644 usleep(NC_TIMEOUT_STEP);
645 elapsed += NC_TIMEOUT_STEP;
646 } while ((timeout == -1) || (timeout && (elapsed < timeout)));
647
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame^]648 return 0;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]649}
650
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]651int
652nc_accept_ssh_session(struct nc_session *session, int sock, int timeout)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]653{
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame^]654 int libssh_auth_methods = 0, elapsed = 0, ret;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]655
656 /* other transport-specific data */
657 session->ti_type = NC_TI_LIBSSH;
658 session->ti.libssh.session = ssh_new();
659 if (!session->ti.libssh.session) {
Michal Vasko2a7d4732016-01-15 09:24:46 +0100[diff] [blame]660 ERR("%s: failed to initialize an SSH session.", __func__);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]661 close(sock);
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]662 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]663 }
664
665 if (ssh_opts.auth_methods & NC_SSH_AUTH_PUBLICKEY) {
666 libssh_auth_methods |= SSH_AUTH_METHOD_PUBLICKEY;
667 }
668 if (ssh_opts.auth_methods & NC_SSH_AUTH_PASSWORD) {
669 libssh_auth_methods |= SSH_AUTH_METHOD_PASSWORD;
670 }
671 if (ssh_opts.auth_methods & NC_SSH_AUTH_INTERACTIVE) {
672 libssh_auth_methods |= SSH_AUTH_METHOD_INTERACTIVE;
673 }
674 ssh_set_auth_methods(session->ti.libssh.session, libssh_auth_methods);
675
676 ssh_set_message_callback(session->ti.libssh.session, nc_sshcb_msg, session);
677
678 if (ssh_bind_accept_fd(ssh_opts.sshbind, session->ti.libssh.session, sock) == SSH_ERROR) {
Michal Vasko2a7d4732016-01-15 09:24:46 +0100[diff] [blame]679 ERR("%s: SSH failed to accept a new connection (%s).", __func__, ssh_get_error(ssh_opts.sshbind));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]680 close(sock);
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]681 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]682 }
683
684 if (ssh_handle_key_exchange(session->ti.libssh.session) != SSH_OK) {
Michal Vasko2a7d4732016-01-15 09:24:46 +0100[diff] [blame]685 ERR("%s: SSH key exchange error (%s).", __func__, ssh_get_error(session->ti.libssh.session));
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]686 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]687 }
688
689 /* authenticate */
690 do {
Michal Vasko2a7d4732016-01-15 09:24:46 +0100[diff] [blame]691 if (!nc_session_is_connected(session)) {
692 ERR("%s: communication channel unexpectedly closed (libssh).", __func__);
693 return -1;
694 }
695
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]696 if (ssh_execute_message_callbacks(session->ti.libssh.session) != SSH_OK) {
Michal Vasko2a7d4732016-01-15 09:24:46 +0100[diff] [blame]697 ERR("%s: failed to receive new messages on the SSH session (%s).",
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]698 __func__, ssh_get_error(session->ti.libssh.session));
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]699 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]700 }
701
702 if (session->flags & NC_SESSION_SSH_AUTHENTICATED) {
703 break;
704 }
705
706 usleep(NC_TIMEOUT_STEP);
707 elapsed += NC_TIMEOUT_STEP;
708 } while ((timeout == -1) || (timeout && (elapsed < timeout)));
709
710 if (!(session->flags & NC_SESSION_SSH_AUTHENTICATED)) {
711 /* timeout */
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame^]712 return 0;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]713 }
714
715 if (timeout > 0) {
716 timeout -= elapsed;
717 }
718
719 /* open channel */
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame^]720 ret = nc_open_netconf_channel(session, timeout);
721 if (ret < 1) {
722 return ret;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]723 }
724
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame^]725 return 1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]726}
727
728API struct nc_session *
729nc_accept_ssh_channel(struct nc_session *session, int timeout)
730{
731 struct nc_session *new_session;
732 int ret;
733
Michal Vaskofb89d772016-01-08 12:25:35 +0100[diff] [blame]734 new_session = calloc(1, sizeof *new_session);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]735 new_session->ti.libssh.session = session->ti.libssh.session;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]736 ret = nc_open_netconf_channel(new_session, timeout);
737 if (ret) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]738 goto fail;
739 }
740
Michal Vaskofb89d772016-01-08 12:25:35 +0100[diff] [blame]741 /* new channel was requested and opened, fill in the whole session now */
742 for (; session->ti.libssh.next; session = session->ti.libssh.next);
743 session->ti.libssh.next = new_session;
744
745 new_session->status = NC_STATUS_STARTING;
746 new_session->side = NC_SERVER;
747 new_session->ti_type = NC_TI_LIBSSH;
748 new_session->ti_lock = session->ti_lock;
749 new_session->flags = NC_SESSION_SSH_AUTHENTICATED | NC_SESSION_SHAREDCTX;
Michal Vasko05ba9df2016-01-13 14:40:27 +0100[diff] [blame]750 new_session->ctx = server_opts.ctx;
Michal Vaskofb89d772016-01-08 12:25:35 +0100[diff] [blame]751
Michal Vasko05ba9df2016-01-13 14:40:27 +0100[diff] [blame]752 new_session->username = lydict_insert(server_opts.ctx, session->username, 0);
753 new_session->host = lydict_insert(server_opts.ctx, session->host, 0);
Michal Vaskofb89d772016-01-08 12:25:35 +0100[diff] [blame]754 new_session->port = session->port;
755
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]756 /* NETCONF handshake */
757 if (nc_handshake(new_session)) {
758 goto fail;
759 }
760 new_session->status = NC_STATUS_RUNNING;
761
762 return new_session;
763
764fail:
765 nc_session_free(new_session);
766
767 return NULL;
768}