Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1 | /** |
| 2 | * \file session_server_ssh.c |
| 3 | * \author Michal Vasko <mvasko@cesnet.cz> |
| 4 | * \brief libnetconf2 SSH server session manipulation functions |
| 5 | * |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 6 | * Copyright (c) 2017 CESNET, z.s.p.o. |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 7 | * |
Radek Krejci | 9b81f5b | 2016-02-24 13:14:49 +0100 | [diff] [blame] | 8 | * This source code is licensed under BSD 3-Clause License (the "License"). |
| 9 | * You may not use this file except in compliance with the License. |
| 10 | * You may obtain a copy of the License at |
Michal Vasko | afd416b | 2016-02-25 14:51:46 +0100 | [diff] [blame] | 11 | * |
Radek Krejci | 9b81f5b | 2016-02-24 13:14:49 +0100 | [diff] [blame] | 12 | * https://opensource.org/licenses/BSD-3-Clause |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 13 | */ |
| 14 | |
| 15 | #define _GNU_SOURCE |
| 16 | |
apropp-molex | 4e903c3 | 2020-04-20 03:06:58 -0400 | [diff] [blame] | 17 | #include "config.h" /* Expose HAVE_SHADOW and HAVE_CRYPT */ |
| 18 | |
| 19 | #ifdef HAVE_SHADOW |
| 20 | #include <shadow.h> |
| 21 | #endif |
| 22 | #ifdef HAVE_CRYPT |
| 23 | #include <crypt.h> |
| 24 | #endif |
| 25 | |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 26 | #include <stdlib.h> |
| 27 | #include <string.h> |
| 28 | #include <sys/types.h> |
Michal Vasko | 2725269 | 2017-03-21 15:34:13 +0100 | [diff] [blame] | 29 | #include <sys/stat.h> |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 30 | #include <pwd.h> |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 31 | #include <errno.h> |
Michal Vasko | 9f6275e | 2017-10-05 13:50:05 +0200 | [diff] [blame] | 32 | #include <time.h> |
Claus Klein | 2209191 | 2020-01-20 13:45:47 +0100 | [diff] [blame] | 33 | #include <fcntl.h> |
| 34 | #include <unistd.h> |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 35 | |
Michal Vasko | 11d142a | 2016-01-19 15:58:24 +0100 | [diff] [blame] | 36 | #include "session_server.h" |
Michal Vasko | e22c673 | 2016-01-29 11:03:02 +0100 | [diff] [blame] | 37 | #include "session_server_ch.h" |
| 38 | #include "libnetconf.h" |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 39 | |
Mislav Novakovic | ce9a7ef | 2017-08-08 13:45:52 +0200 | [diff] [blame] | 40 | #if !defined(HAVE_CRYPT_R) |
| 41 | pthread_mutex_t crypt_lock = PTHREAD_MUTEX_INITIALIZER; |
| 42 | #endif |
| 43 | |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 44 | extern struct nc_server_opts server_opts; |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 45 | |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 46 | static char * |
Michal Vasko | ddce121 | 2019-05-24 09:58:49 +0200 | [diff] [blame] | 47 | base64der_key_to_tmp_file(const char *in, const char *key_str) |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 48 | { |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 49 | char path[12] = "/tmp/XXXXXX"; |
| 50 | int fd, written; |
Michal Vasko | 2725269 | 2017-03-21 15:34:13 +0100 | [diff] [blame] | 51 | mode_t umode; |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 52 | FILE *file; |
| 53 | |
| 54 | if (in == NULL) { |
| 55 | return NULL; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 56 | } |
| 57 | |
mekleo | b31878b | 2019-09-09 14:10:47 +0200 | [diff] [blame] | 58 | umode = umask(0177); |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 59 | fd = mkstemp(path); |
Michal Vasko | 2725269 | 2017-03-21 15:34:13 +0100 | [diff] [blame] | 60 | umask(umode); |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 61 | if (fd == -1) { |
| 62 | return NULL; |
| 63 | } |
| 64 | |
Michal Vasko | 3964a83 | 2018-09-18 14:37:39 +0200 | [diff] [blame] | 65 | file = fdopen(fd, "w"); |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 66 | if (!file) { |
| 67 | close(fd); |
| 68 | return NULL; |
| 69 | } |
| 70 | |
| 71 | /* write the key into the file */ |
Michal Vasko | 68177b7 | 2020-04-27 15:46:53 +0200 | [diff] [blame] | 72 | if (key_str) { |
| 73 | written = fwrite("-----BEGIN ", 1, 11, file); |
| 74 | written += fwrite(key_str, 1, strlen(key_str), file); |
| 75 | written += fwrite(" PRIVATE KEY-----\n", 1, 18, file); |
| 76 | written += fwrite(in, 1, strlen(in), file); |
| 77 | written += fwrite("\n-----END ", 1, 10, file); |
| 78 | written += fwrite(key_str, 1, strlen(key_str), file); |
| 79 | written += fwrite(" PRIVATE KEY-----", 1, 17, file); |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 80 | |
Michal Vasko | 68177b7 | 2020-04-27 15:46:53 +0200 | [diff] [blame] | 81 | fclose(file); |
| 82 | if ((unsigned)written != 11 + strlen(key_str) + 18 + strlen(in) + 10 + strlen(key_str) + 17) { |
| 83 | unlink(path); |
| 84 | return NULL; |
| 85 | } |
| 86 | } else { |
| 87 | written = fwrite("-----BEGIN PRIVATE KEY-----\n", 1, 28, file); |
| 88 | written += fwrite(in, 1, strlen(in), file); |
| 89 | written += fwrite("\n-----END PRIVATE KEY-----", 1, 26, file); |
| 90 | |
| 91 | fclose(file); |
| 92 | if ((unsigned)written != 28 + strlen(in) + 26) { |
| 93 | unlink(path); |
| 94 | return NULL; |
| 95 | } |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 96 | } |
| 97 | |
| 98 | return strdup(path); |
| 99 | } |
| 100 | |
| 101 | static int |
Michal Vasko | 7d25588 | 2017-02-09 13:35:08 +0100 | [diff] [blame] | 102 | nc_server_ssh_add_hostkey(const char *name, int16_t idx, struct nc_server_ssh_opts *opts) |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 103 | { |
Michal Vasko | fbfe8b6 | 2017-02-14 10:22:30 +0100 | [diff] [blame] | 104 | uint8_t i; |
| 105 | |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 106 | if (!name) { |
| 107 | ERRARG("name"); |
Michal Vasko | 5fcc714 | 2016-02-02 12:21:10 +0100 | [diff] [blame] | 108 | return -1; |
Michal Vasko | 7d25588 | 2017-02-09 13:35:08 +0100 | [diff] [blame] | 109 | } else if (idx > opts->hostkey_count) { |
| 110 | ERRARG("idx"); |
| 111 | return -1; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 112 | } |
Michal Vasko | d45e25a | 2016-01-08 15:48:44 +0100 | [diff] [blame] | 113 | |
Michal Vasko | fbfe8b6 | 2017-02-14 10:22:30 +0100 | [diff] [blame] | 114 | for (i = 0; i < opts->hostkey_count; ++i) { |
| 115 | if (!strcmp(opts->hostkeys[i], name)) { |
| 116 | ERRARG("name"); |
| 117 | return -1; |
| 118 | } |
| 119 | } |
| 120 | |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 121 | ++opts->hostkey_count; |
| 122 | opts->hostkeys = nc_realloc(opts->hostkeys, opts->hostkey_count * sizeof *opts->hostkeys); |
| 123 | if (!opts->hostkeys) { |
| 124 | ERRMEM; |
| 125 | return -1; |
| 126 | } |
Michal Vasko | 7d25588 | 2017-02-09 13:35:08 +0100 | [diff] [blame] | 127 | |
| 128 | if (idx < 0) { |
| 129 | idx = opts->hostkey_count - 1; |
| 130 | } |
| 131 | if (idx != opts->hostkey_count - 1) { |
| 132 | memmove(opts->hostkeys + idx + 1, opts->hostkeys + idx, opts->hostkey_count - idx); |
| 133 | } |
| 134 | opts->hostkeys[idx] = lydict_insert(server_opts.ctx, name, 0); |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 135 | |
Michal Vasko | 5fcc714 | 2016-02-02 12:21:10 +0100 | [diff] [blame] | 136 | return 0; |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 137 | } |
| 138 | |
| 139 | API int |
Michal Vasko | 7d25588 | 2017-02-09 13:35:08 +0100 | [diff] [blame] | 140 | nc_server_ssh_endpt_add_hostkey(const char *endpt_name, const char *name, int16_t idx) |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 141 | { |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 142 | int ret; |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 143 | struct nc_endpt *endpt; |
| 144 | |
Michal Vasko | 51e514d | 2016-02-02 15:51:52 +0100 | [diff] [blame] | 145 | /* LOCK */ |
Michal Vasko | ade892d | 2017-02-22 13:40:35 +0100 | [diff] [blame] | 146 | endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_LIBSSH, NULL); |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 147 | if (!endpt) { |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 148 | return -1; |
| 149 | } |
Michal Vasko | 7d25588 | 2017-02-09 13:35:08 +0100 | [diff] [blame] | 150 | ret = nc_server_ssh_add_hostkey(name, idx, endpt->opts.ssh); |
Michal Vasko | 51e514d | 2016-02-02 15:51:52 +0100 | [diff] [blame] | 151 | /* UNLOCK */ |
Michal Vasko | ade892d | 2017-02-22 13:40:35 +0100 | [diff] [blame] | 152 | pthread_rwlock_unlock(&server_opts.endpt_lock); |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 153 | |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 154 | return ret; |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 155 | } |
| 156 | |
Michal Vasko | 974410a | 2018-04-03 09:36:57 +0200 | [diff] [blame] | 157 | API void |
| 158 | nc_server_ssh_set_passwd_auth_clb(int (*passwd_auth_clb)(const struct nc_session *session, const char *password, void *user_data), |
| 159 | void *user_data, void (*free_user_data)(void *user_data)) |
| 160 | { |
| 161 | server_opts.passwd_auth_clb = passwd_auth_clb; |
| 162 | server_opts.passwd_auth_data = user_data; |
| 163 | server_opts.passwd_auth_data_free = free_user_data; |
| 164 | } |
| 165 | |
bhart | 1bb7cdb | 2018-07-02 15:03:30 -0500 | [diff] [blame] | 166 | API void |
| 167 | nc_server_ssh_set_interactive_auth_clb(int (*interactive_auth_clb)(const struct nc_session *session, ssh_message msg, void *user_data), |
| 168 | void *user_data, void (*free_user_data)(void *user_data)) |
| 169 | { |
| 170 | server_opts.interactive_auth_clb = interactive_auth_clb; |
| 171 | server_opts.interactive_auth_data = user_data; |
| 172 | server_opts.interactive_auth_data_free = free_user_data; |
| 173 | } |
Michal Vasko | 733c0bd | 2018-07-03 13:14:40 +0200 | [diff] [blame] | 174 | |
bhart | 1bb7cdb | 2018-07-02 15:03:30 -0500 | [diff] [blame] | 175 | API void |
| 176 | nc_server_ssh_set_pubkey_auth_clb(int (*pubkey_auth_clb)(const struct nc_session *session, ssh_key key, void *user_data), |
| 177 | void *user_data, void (*free_user_data)(void *user_data)) |
| 178 | { |
| 179 | server_opts.pubkey_auth_clb = pubkey_auth_clb; |
| 180 | server_opts.pubkey_auth_data = user_data; |
| 181 | server_opts.pubkey_auth_data_free = free_user_data; |
| 182 | } |
| 183 | |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 184 | API int |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 185 | nc_server_ssh_ch_client_endpt_add_hostkey(const char *client_name, const char *endpt_name, const char *name, int16_t idx) |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 186 | { |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 187 | int ret; |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 188 | struct nc_ch_client *client; |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 189 | struct nc_ch_endpt *endpt; |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 190 | |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 191 | /* LOCK */ |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 192 | endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_LIBSSH, &client); |
| 193 | if (!endpt) { |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 194 | return -1; |
| 195 | } |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 196 | ret = nc_server_ssh_add_hostkey(name, idx, endpt->opts.ssh); |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 197 | /* UNLOCK */ |
| 198 | nc_server_ch_client_unlock(client); |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 199 | |
| 200 | return ret; |
| 201 | } |
| 202 | |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 203 | API void |
| 204 | nc_server_ssh_set_hostkey_clb(int (*hostkey_clb)(const char *name, void *user_data, char **privkey_path, |
Michal Vasko | e49a15f | 2019-05-27 14:18:36 +0200 | [diff] [blame] | 205 | char **privkey_data, NC_SSH_KEY_TYPE *privkey_type), void *user_data, void (*free_user_data)(void *user_data)) |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 206 | { |
| 207 | if (!hostkey_clb) { |
| 208 | ERRARG("hostkey_clb"); |
| 209 | return; |
| 210 | } |
| 211 | |
| 212 | server_opts.hostkey_clb = hostkey_clb; |
| 213 | server_opts.hostkey_data = user_data; |
| 214 | server_opts.hostkey_data_free = free_user_data; |
| 215 | } |
| 216 | |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 217 | static int |
Michal Vasko | 7d25588 | 2017-02-09 13:35:08 +0100 | [diff] [blame] | 218 | nc_server_ssh_del_hostkey(const char *name, int16_t idx, struct nc_server_ssh_opts *opts) |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 219 | { |
| 220 | uint8_t i; |
| 221 | |
Michal Vasko | 7d25588 | 2017-02-09 13:35:08 +0100 | [diff] [blame] | 222 | if (name && (idx > -1)) { |
| 223 | ERRARG("name and idx"); |
| 224 | return -1; |
| 225 | } else if (idx >= opts->hostkey_count) { |
| 226 | ERRARG("idx"); |
| 227 | } |
| 228 | |
| 229 | if (!name && (idx < 0)) { |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 230 | for (i = 0; i < opts->hostkey_count; ++i) { |
| 231 | lydict_remove(server_opts.ctx, opts->hostkeys[i]); |
| 232 | } |
| 233 | free(opts->hostkeys); |
| 234 | opts->hostkeys = NULL; |
| 235 | opts->hostkey_count = 0; |
Michal Vasko | 7d25588 | 2017-02-09 13:35:08 +0100 | [diff] [blame] | 236 | } else if (name) { |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 237 | for (i = 0; i < opts->hostkey_count; ++i) { |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 238 | if (!strcmp(opts->hostkeys[i], name)) { |
Michal Vasko | 7d25588 | 2017-02-09 13:35:08 +0100 | [diff] [blame] | 239 | idx = i; |
| 240 | goto remove_idx; |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 241 | } |
| 242 | } |
| 243 | |
Michal Vasko | 7d25588 | 2017-02-09 13:35:08 +0100 | [diff] [blame] | 244 | ERRARG("name"); |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 245 | return -1; |
Michal Vasko | 7d25588 | 2017-02-09 13:35:08 +0100 | [diff] [blame] | 246 | } else { |
| 247 | remove_idx: |
| 248 | --opts->hostkey_count; |
| 249 | lydict_remove(server_opts.ctx, opts->hostkeys[idx]); |
| 250 | if (idx < opts->hostkey_count - 1) { |
| 251 | memmove(opts->hostkeys + idx, opts->hostkeys + idx + 1, (opts->hostkey_count - idx) * sizeof *opts->hostkeys); |
| 252 | } |
| 253 | if (!opts->hostkey_count) { |
| 254 | free(opts->hostkeys); |
| 255 | opts->hostkeys = NULL; |
| 256 | } |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 257 | } |
| 258 | |
| 259 | return 0; |
| 260 | } |
| 261 | |
| 262 | API int |
Michal Vasko | 7d25588 | 2017-02-09 13:35:08 +0100 | [diff] [blame] | 263 | nc_server_ssh_endpt_del_hostkey(const char *endpt_name, const char *name, int16_t idx) |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 264 | { |
| 265 | int ret; |
| 266 | struct nc_endpt *endpt; |
| 267 | |
| 268 | /* LOCK */ |
Michal Vasko | ade892d | 2017-02-22 13:40:35 +0100 | [diff] [blame] | 269 | endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_LIBSSH, NULL); |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 270 | if (!endpt) { |
| 271 | return -1; |
| 272 | } |
Michal Vasko | 7d25588 | 2017-02-09 13:35:08 +0100 | [diff] [blame] | 273 | ret = nc_server_ssh_del_hostkey(name, idx, endpt->opts.ssh); |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 274 | /* UNLOCK */ |
Michal Vasko | ade892d | 2017-02-22 13:40:35 +0100 | [diff] [blame] | 275 | pthread_rwlock_unlock(&server_opts.endpt_lock); |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 276 | |
| 277 | return ret; |
| 278 | } |
| 279 | |
| 280 | API int |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 281 | nc_server_ssh_ch_client_endpt_del_hostkey(const char *client_name, const char *endpt_name, const char *name, int16_t idx) |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 282 | { |
| 283 | int ret; |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 284 | struct nc_ch_client *client; |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 285 | struct nc_ch_endpt *endpt; |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 286 | |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 287 | /* LOCK */ |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 288 | endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_LIBSSH, &client); |
| 289 | if (!endpt) { |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 290 | return -1; |
| 291 | } |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 292 | ret = nc_server_ssh_del_hostkey(name, idx, endpt->opts.ssh); |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 293 | /* UNLOCK */ |
| 294 | nc_server_ch_client_unlock(client); |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 295 | |
| 296 | return ret; |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 297 | } |
| 298 | |
| 299 | static int |
Michal Vasko | fbfe8b6 | 2017-02-14 10:22:30 +0100 | [diff] [blame] | 300 | nc_server_ssh_mov_hostkey(const char *key_mov, const char *key_after, struct nc_server_ssh_opts *opts) |
| 301 | { |
| 302 | uint8_t i; |
| 303 | int16_t mov_idx = -1, after_idx = -1; |
| 304 | const char *bckup; |
| 305 | |
| 306 | if (!key_mov) { |
| 307 | ERRARG("key_mov"); |
| 308 | return -1; |
| 309 | } |
| 310 | |
| 311 | for (i = 0; i < opts->hostkey_count; ++i) { |
| 312 | if (key_after && (after_idx == -1) && !strcmp(opts->hostkeys[i], key_after)) { |
| 313 | after_idx = i; |
| 314 | } |
| 315 | if ((mov_idx == -1) && !strcmp(opts->hostkeys[i], key_mov)) { |
| 316 | mov_idx = i; |
| 317 | } |
| 318 | |
| 319 | if ((!key_after || (after_idx > -1)) && (mov_idx > -1)) { |
| 320 | break; |
| 321 | } |
| 322 | } |
| 323 | |
| 324 | if (key_after && (after_idx == -1)) { |
| 325 | ERRARG("key_after"); |
| 326 | return -1; |
| 327 | } |
| 328 | if (mov_idx == -1) { |
| 329 | ERRARG("key_mov"); |
| 330 | return -1; |
| 331 | } |
| 332 | if ((mov_idx == after_idx) || (mov_idx == after_idx + 1)) { |
| 333 | /* nothing to do */ |
| 334 | return 0; |
| 335 | } |
| 336 | |
| 337 | /* finally move the key */ |
| 338 | bckup = opts->hostkeys[mov_idx]; |
| 339 | if (mov_idx > after_idx) { |
| 340 | memmove(opts->hostkeys + after_idx + 2, opts->hostkeys + after_idx + 1, |
| 341 | ((mov_idx - after_idx) - 1) * sizeof *opts->hostkeys); |
| 342 | opts->hostkeys[after_idx + 1] = bckup; |
| 343 | } else { |
| 344 | memmove(opts->hostkeys + mov_idx, opts->hostkeys + mov_idx + 1, (after_idx - mov_idx) * sizeof *opts->hostkeys); |
| 345 | opts->hostkeys[after_idx] = bckup; |
| 346 | } |
| 347 | |
| 348 | return 0; |
| 349 | } |
| 350 | |
| 351 | API int |
| 352 | nc_server_ssh_endpt_mov_hostkey(const char *endpt_name, const char *key_mov, const char *key_after) |
| 353 | { |
| 354 | int ret; |
| 355 | struct nc_endpt *endpt; |
| 356 | |
| 357 | /* LOCK */ |
Michal Vasko | ade892d | 2017-02-22 13:40:35 +0100 | [diff] [blame] | 358 | endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_LIBSSH, NULL); |
Michal Vasko | fbfe8b6 | 2017-02-14 10:22:30 +0100 | [diff] [blame] | 359 | if (!endpt) { |
| 360 | return -1; |
| 361 | } |
| 362 | ret = nc_server_ssh_mov_hostkey(key_mov, key_after, endpt->opts.ssh); |
| 363 | /* UNLOCK */ |
Michal Vasko | ade892d | 2017-02-22 13:40:35 +0100 | [diff] [blame] | 364 | pthread_rwlock_unlock(&server_opts.endpt_lock); |
Michal Vasko | fbfe8b6 | 2017-02-14 10:22:30 +0100 | [diff] [blame] | 365 | |
| 366 | return ret; |
| 367 | } |
| 368 | |
| 369 | API int |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 370 | nc_server_ssh_ch_client_endpt_mov_hostkey(const char *client_name, const char *endpt_name, const char *key_mov, |
| 371 | const char *key_after) |
Michal Vasko | fbfe8b6 | 2017-02-14 10:22:30 +0100 | [diff] [blame] | 372 | { |
| 373 | int ret; |
| 374 | struct nc_ch_client *client; |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 375 | struct nc_ch_endpt *endpt; |
Michal Vasko | fbfe8b6 | 2017-02-14 10:22:30 +0100 | [diff] [blame] | 376 | |
| 377 | /* LOCK */ |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 378 | endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_LIBSSH, &client); |
Michal Vasko | fbfe8b6 | 2017-02-14 10:22:30 +0100 | [diff] [blame] | 379 | if (!endpt) { |
| 380 | return -1; |
| 381 | } |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 382 | ret = nc_server_ssh_mov_hostkey(key_mov, key_after, endpt->opts.ssh); |
Michal Vasko | fbfe8b6 | 2017-02-14 10:22:30 +0100 | [diff] [blame] | 383 | /* UNLOCK */ |
| 384 | nc_server_ch_client_unlock(client); |
| 385 | |
| 386 | return ret; |
| 387 | } |
| 388 | |
| 389 | static int |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 390 | nc_server_ssh_set_auth_methods(int auth_methods, struct nc_server_ssh_opts *opts) |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 391 | { |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 392 | opts->auth_methods = auth_methods; |
| 393 | return 0; |
| 394 | } |
| 395 | |
| 396 | API int |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 397 | nc_server_ssh_endpt_set_auth_methods(const char *endpt_name, int auth_methods) |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 398 | { |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 399 | int ret; |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 400 | struct nc_endpt *endpt; |
| 401 | |
Michal Vasko | 51e514d | 2016-02-02 15:51:52 +0100 | [diff] [blame] | 402 | /* LOCK */ |
Michal Vasko | ade892d | 2017-02-22 13:40:35 +0100 | [diff] [blame] | 403 | endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_LIBSSH, NULL); |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 404 | if (!endpt) { |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 405 | return -1; |
| 406 | } |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 407 | ret = nc_server_ssh_set_auth_methods(auth_methods, endpt->opts.ssh); |
Michal Vasko | 51e514d | 2016-02-02 15:51:52 +0100 | [diff] [blame] | 408 | /* UNLOCK */ |
Michal Vasko | ade892d | 2017-02-22 13:40:35 +0100 | [diff] [blame] | 409 | pthread_rwlock_unlock(&server_opts.endpt_lock); |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 410 | |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 411 | return ret; |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 412 | } |
| 413 | |
| 414 | API int |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 415 | nc_server_ssh_ch_client_endpt_set_auth_methods(const char *client_name, const char *endpt_name, int auth_methods) |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 416 | { |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 417 | int ret; |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 418 | struct nc_ch_client *client; |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 419 | struct nc_ch_endpt *endpt; |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 420 | |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 421 | /* LOCK */ |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 422 | endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_LIBSSH, &client); |
| 423 | if (!endpt) { |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 424 | return -1; |
| 425 | } |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 426 | ret = nc_server_ssh_set_auth_methods(auth_methods, endpt->opts.ssh); |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 427 | /* UNLOCK */ |
| 428 | nc_server_ch_client_unlock(client); |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 429 | |
| 430 | return ret; |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 431 | } |
| 432 | |
Michal Vasko | ddce121 | 2019-05-24 09:58:49 +0200 | [diff] [blame] | 433 | API int |
| 434 | nc_server_ssh_endpt_get_auth_methods(const char *endpt_name) |
| 435 | { |
| 436 | int ret; |
| 437 | struct nc_endpt *endpt; |
| 438 | |
| 439 | /* LOCK */ |
| 440 | endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_LIBSSH, NULL); |
| 441 | if (!endpt) { |
| 442 | return -1; |
| 443 | } |
| 444 | ret = endpt->opts.ssh->auth_methods; |
| 445 | /* UNLOCK */ |
| 446 | pthread_rwlock_unlock(&server_opts.endpt_lock); |
| 447 | |
| 448 | return ret; |
| 449 | } |
| 450 | |
| 451 | API int |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 452 | nc_server_ssh_ch_client_endpt_get_auth_methods(const char *client_name, const char *endpt_name) |
Michal Vasko | ddce121 | 2019-05-24 09:58:49 +0200 | [diff] [blame] | 453 | { |
| 454 | int ret; |
| 455 | struct nc_ch_client *client; |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 456 | struct nc_ch_endpt *endpt; |
Michal Vasko | ddce121 | 2019-05-24 09:58:49 +0200 | [diff] [blame] | 457 | |
| 458 | /* LOCK */ |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 459 | endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_LIBSSH, &client); |
| 460 | if (!endpt) { |
Michal Vasko | ddce121 | 2019-05-24 09:58:49 +0200 | [diff] [blame] | 461 | return -1; |
| 462 | } |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 463 | ret = endpt->opts.ssh->auth_methods; |
Michal Vasko | ddce121 | 2019-05-24 09:58:49 +0200 | [diff] [blame] | 464 | /* UNLOCK */ |
| 465 | nc_server_ch_client_unlock(client); |
| 466 | |
| 467 | return ret; |
| 468 | } |
| 469 | |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 470 | static int |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 471 | nc_server_ssh_set_auth_attempts(uint16_t auth_attempts, struct nc_server_ssh_opts *opts) |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 472 | { |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 473 | if (!auth_attempts) { |
Michal Vasko | 45e53ae | 2016-04-07 11:46:03 +0200 | [diff] [blame] | 474 | ERRARG("auth_attempts"); |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 475 | return -1; |
| 476 | } |
| 477 | |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 478 | opts->auth_attempts = auth_attempts; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 479 | return 0; |
| 480 | } |
| 481 | |
| 482 | API int |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 483 | nc_server_ssh_endpt_set_auth_attempts(const char *endpt_name, uint16_t auth_attempts) |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 484 | { |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 485 | int ret; |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 486 | struct nc_endpt *endpt; |
| 487 | |
Michal Vasko | 51e514d | 2016-02-02 15:51:52 +0100 | [diff] [blame] | 488 | /* LOCK */ |
Michal Vasko | ade892d | 2017-02-22 13:40:35 +0100 | [diff] [blame] | 489 | endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_LIBSSH, NULL); |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 490 | if (!endpt) { |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 491 | return -1; |
| 492 | } |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 493 | ret = nc_server_ssh_set_auth_attempts(auth_attempts, endpt->opts.ssh); |
Michal Vasko | 51e514d | 2016-02-02 15:51:52 +0100 | [diff] [blame] | 494 | /* UNLOCK */ |
Michal Vasko | ade892d | 2017-02-22 13:40:35 +0100 | [diff] [blame] | 495 | pthread_rwlock_unlock(&server_opts.endpt_lock); |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 496 | |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 497 | return ret; |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 498 | } |
| 499 | |
| 500 | API int |
Michal Vasko | cbad4c5 | 2019-06-27 16:30:35 +0200 | [diff] [blame] | 501 | nc_server_ssh_ch_client_endpt_set_auth_attempts(const char *client_name, const char *endpt_name, uint16_t auth_attempts) |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 502 | { |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 503 | int ret; |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 504 | struct nc_ch_client *client; |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 505 | struct nc_ch_endpt *endpt; |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 506 | |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 507 | /* LOCK */ |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 508 | endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_LIBSSH, &client); |
| 509 | if (!endpt) { |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 510 | return -1; |
| 511 | } |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 512 | ret = nc_server_ssh_set_auth_attempts(auth_attempts, endpt->opts.ssh); |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 513 | /* UNLOCK */ |
| 514 | nc_server_ch_client_unlock(client); |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 515 | |
| 516 | return ret; |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 517 | } |
| 518 | |
| 519 | static int |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 520 | nc_server_ssh_set_auth_timeout(uint16_t auth_timeout, struct nc_server_ssh_opts *opts) |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 521 | { |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 522 | if (!auth_timeout) { |
Michal Vasko | 45e53ae | 2016-04-07 11:46:03 +0200 | [diff] [blame] | 523 | ERRARG("auth_timeout"); |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 524 | return -1; |
| 525 | } |
| 526 | |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 527 | opts->auth_timeout = auth_timeout; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 528 | return 0; |
| 529 | } |
| 530 | |
| 531 | API int |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 532 | nc_server_ssh_endpt_set_auth_timeout(const char *endpt_name, uint16_t auth_timeout) |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 533 | { |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 534 | int ret; |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 535 | struct nc_endpt *endpt; |
| 536 | |
Michal Vasko | 51e514d | 2016-02-02 15:51:52 +0100 | [diff] [blame] | 537 | /* LOCK */ |
Michal Vasko | ade892d | 2017-02-22 13:40:35 +0100 | [diff] [blame] | 538 | endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_LIBSSH, NULL); |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 539 | if (!endpt) { |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 540 | return -1; |
| 541 | } |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 542 | ret = nc_server_ssh_set_auth_timeout(auth_timeout, endpt->opts.ssh); |
Michal Vasko | 51e514d | 2016-02-02 15:51:52 +0100 | [diff] [blame] | 543 | /* UNLOCK */ |
Michal Vasko | ade892d | 2017-02-22 13:40:35 +0100 | [diff] [blame] | 544 | pthread_rwlock_unlock(&server_opts.endpt_lock); |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 545 | |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 546 | return ret; |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 547 | } |
| 548 | |
| 549 | API int |
Michal Vasko | cbad4c5 | 2019-06-27 16:30:35 +0200 | [diff] [blame] | 550 | nc_server_ssh_ch_client_endpt_set_auth_timeout(const char *client_name, const char *endpt_name, uint16_t auth_timeout) |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 551 | { |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 552 | int ret; |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 553 | struct nc_ch_client *client; |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 554 | struct nc_ch_endpt *endpt; |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 555 | |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 556 | /* LOCK */ |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 557 | endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_LIBSSH, &client); |
| 558 | if (!endpt) { |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 559 | return -1; |
| 560 | } |
Michal Vasko | adf30f0 | 2019-06-24 09:34:47 +0200 | [diff] [blame] | 561 | ret = nc_server_ssh_set_auth_timeout(auth_timeout, endpt->opts.ssh); |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 562 | /* UNLOCK */ |
| 563 | nc_server_ch_client_unlock(client); |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 564 | |
| 565 | return ret; |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 566 | } |
| 567 | |
| 568 | static int |
Michal Vasko | 17dfda9 | 2016-12-01 14:06:16 +0100 | [diff] [blame] | 569 | _nc_server_ssh_add_authkey(const char *pubkey_path, const char *pubkey_base64, NC_SSH_KEY_TYPE type, |
| 570 | const char *username) |
| 571 | { |
Michal Vasko | a05c7b1 | 2017-01-30 14:33:08 +0100 | [diff] [blame] | 572 | /* LOCK */ |
| 573 | pthread_mutex_lock(&server_opts.authkey_lock); |
| 574 | |
Michal Vasko | 17dfda9 | 2016-12-01 14:06:16 +0100 | [diff] [blame] | 575 | ++server_opts.authkey_count; |
| 576 | server_opts.authkeys = nc_realloc(server_opts.authkeys, server_opts.authkey_count * sizeof *server_opts.authkeys); |
| 577 | if (!server_opts.authkeys) { |
| 578 | ERRMEM; |
| 579 | return -1; |
| 580 | } |
| 581 | server_opts.authkeys[server_opts.authkey_count - 1].path = lydict_insert(server_opts.ctx, pubkey_path, 0); |
| 582 | server_opts.authkeys[server_opts.authkey_count - 1].base64 = lydict_insert(server_opts.ctx, pubkey_base64, 0); |
| 583 | server_opts.authkeys[server_opts.authkey_count - 1].type = type; |
| 584 | server_opts.authkeys[server_opts.authkey_count - 1].username = lydict_insert(server_opts.ctx, username, 0); |
| 585 | |
Michal Vasko | a05c7b1 | 2017-01-30 14:33:08 +0100 | [diff] [blame] | 586 | /* UNLOCK */ |
| 587 | pthread_mutex_unlock(&server_opts.authkey_lock); |
| 588 | |
Michal Vasko | 17dfda9 | 2016-12-01 14:06:16 +0100 | [diff] [blame] | 589 | return 0; |
| 590 | } |
| 591 | |
| 592 | API int |
| 593 | nc_server_ssh_add_authkey_path(const char *pubkey_path, const char *username) |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 594 | { |
Michal Vasko | 45e53ae | 2016-04-07 11:46:03 +0200 | [diff] [blame] | 595 | if (!pubkey_path) { |
| 596 | ERRARG("pubkey_path"); |
| 597 | return -1; |
| 598 | } else if (!username) { |
| 599 | ERRARG("username"); |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 600 | return -1; |
| 601 | } |
| 602 | |
Michal Vasko | 17dfda9 | 2016-12-01 14:06:16 +0100 | [diff] [blame] | 603 | return _nc_server_ssh_add_authkey(pubkey_path, NULL, 0, username); |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 604 | } |
| 605 | |
| 606 | API int |
Michal Vasko | 17dfda9 | 2016-12-01 14:06:16 +0100 | [diff] [blame] | 607 | nc_server_ssh_add_authkey(const char *pubkey_base64, NC_SSH_KEY_TYPE type, const char *username) |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 608 | { |
Michal Vasko | 17dfda9 | 2016-12-01 14:06:16 +0100 | [diff] [blame] | 609 | if (!pubkey_base64) { |
| 610 | ERRARG("pubkey_base64"); |
| 611 | return -1; |
| 612 | } else if (!type) { |
| 613 | ERRARG("type"); |
| 614 | return -1; |
| 615 | } else if (!username) { |
| 616 | ERRARG("username"); |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 617 | return -1; |
| 618 | } |
| 619 | |
Michal Vasko | 17dfda9 | 2016-12-01 14:06:16 +0100 | [diff] [blame] | 620 | return _nc_server_ssh_add_authkey(NULL, pubkey_base64, type, username); |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 621 | } |
| 622 | |
| 623 | API int |
Michal Vasko | 17dfda9 | 2016-12-01 14:06:16 +0100 | [diff] [blame] | 624 | nc_server_ssh_del_authkey(const char *pubkey_path, const char *pubkey_base64, NC_SSH_KEY_TYPE type, |
| 625 | const char *username) |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 626 | { |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 627 | uint32_t i; |
| 628 | int ret = -1; |
| 629 | |
Michal Vasko | 17dfda9 | 2016-12-01 14:06:16 +0100 | [diff] [blame] | 630 | /* LOCK */ |
| 631 | pthread_mutex_lock(&server_opts.authkey_lock); |
| 632 | |
| 633 | if (!pubkey_path && !pubkey_base64 && !type && !username) { |
| 634 | for (i = 0; i < server_opts.authkey_count; ++i) { |
| 635 | lydict_remove(server_opts.ctx, server_opts.authkeys[i].path); |
| 636 | lydict_remove(server_opts.ctx, server_opts.authkeys[i].base64); |
| 637 | lydict_remove(server_opts.ctx, server_opts.authkeys[i].username); |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 638 | |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 639 | ret = 0; |
| 640 | } |
Michal Vasko | 17dfda9 | 2016-12-01 14:06:16 +0100 | [diff] [blame] | 641 | free(server_opts.authkeys); |
| 642 | server_opts.authkeys = NULL; |
| 643 | server_opts.authkey_count = 0; |
Michal Vasko | 1a38c86 | 2016-01-15 15:50:07 +0100 | [diff] [blame] | 644 | } else { |
Michal Vasko | 17dfda9 | 2016-12-01 14:06:16 +0100 | [diff] [blame] | 645 | for (i = 0; i < server_opts.authkey_count; ++i) { |
| 646 | if ((!pubkey_path || !strcmp(server_opts.authkeys[i].path, pubkey_path)) |
Michal Vasko | e846aee | 2019-03-28 08:38:41 +0100 | [diff] [blame] | 647 | && (!pubkey_base64 || !strcmp(server_opts.authkeys[i].base64, pubkey_base64)) |
Michal Vasko | 17dfda9 | 2016-12-01 14:06:16 +0100 | [diff] [blame] | 648 | && (!type || (server_opts.authkeys[i].type == type)) |
| 649 | && (!username || !strcmp(server_opts.authkeys[i].username, username))) { |
| 650 | lydict_remove(server_opts.ctx, server_opts.authkeys[i].path); |
| 651 | lydict_remove(server_opts.ctx, server_opts.authkeys[i].base64); |
| 652 | lydict_remove(server_opts.ctx, server_opts.authkeys[i].username); |
Michal Vasko | 1a38c86 | 2016-01-15 15:50:07 +0100 | [diff] [blame] | 653 | |
Michal Vasko | 17dfda9 | 2016-12-01 14:06:16 +0100 | [diff] [blame] | 654 | --server_opts.authkey_count; |
| 655 | if (i < server_opts.authkey_count) { |
| 656 | memcpy(&server_opts.authkeys[i], &server_opts.authkeys[server_opts.authkey_count], |
| 657 | sizeof *server_opts.authkeys); |
| 658 | } else if (!server_opts.authkey_count) { |
| 659 | free(server_opts.authkeys); |
| 660 | server_opts.authkeys = NULL; |
Michal Vasko | c025649 | 2016-02-02 12:19:06 +0100 | [diff] [blame] | 661 | } |
Michal Vasko | 1a38c86 | 2016-01-15 15:50:07 +0100 | [diff] [blame] | 662 | |
| 663 | ret = 0; |
| 664 | } |
| 665 | } |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 666 | } |
| 667 | |
Michal Vasko | 51e514d | 2016-02-02 15:51:52 +0100 | [diff] [blame] | 668 | /* UNLOCK */ |
Michal Vasko | 17dfda9 | 2016-12-01 14:06:16 +0100 | [diff] [blame] | 669 | pthread_mutex_unlock(&server_opts.authkey_lock); |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 670 | |
| 671 | return ret; |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 672 | } |
| 673 | |
| 674 | void |
Michal Vasko | c6b9c7b | 2016-01-28 11:10:08 +0100 | [diff] [blame] | 675 | nc_server_ssh_clear_opts(struct nc_server_ssh_opts *opts) |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 676 | { |
Michal Vasko | 7d25588 | 2017-02-09 13:35:08 +0100 | [diff] [blame] | 677 | nc_server_ssh_del_hostkey(NULL, -1, opts); |
Michal Vasko | b05053d | 2016-01-22 16:12:06 +0100 | [diff] [blame] | 678 | } |
| 679 | |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 680 | static char * |
| 681 | auth_password_get_pwd_hash(const char *username) |
| 682 | { |
apropp-molex | 4e903c3 | 2020-04-20 03:06:58 -0400 | [diff] [blame] | 683 | #ifdef HAVE_SHADOW |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 684 | struct passwd *pwd, pwd_buf; |
| 685 | struct spwd *spwd, spwd_buf; |
| 686 | char *pass_hash = NULL, buf[256]; |
| 687 | |
| 688 | getpwnam_r(username, &pwd_buf, buf, 256, &pwd); |
| 689 | if (!pwd) { |
Michal Vasko | 11d142a | 2016-01-19 15:58:24 +0100 | [diff] [blame] | 690 | VRB("User \"%s\" not found locally.", username); |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 691 | return NULL; |
| 692 | } |
| 693 | |
| 694 | if (!strcmp(pwd->pw_passwd, "x")) { |
apropp-molex | 4e903c3 | 2020-04-20 03:06:58 -0400 | [diff] [blame] | 695 | #ifndef __QNXNTO__ |
| 696 | getspnam_r(username, &spwd_buf, buf, 256, &spwd); |
| 697 | #else |
| 698 | spwd = getspnam_r(username, &spwd_buf, buf, 256); |
| 699 | #endif |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 700 | if (!spwd) { |
| 701 | VRB("Failed to retrieve the shadow entry for \"%s\".", username); |
| 702 | return NULL; |
| 703 | } |
| 704 | |
| 705 | pass_hash = spwd->sp_pwdp; |
| 706 | } else { |
| 707 | pass_hash = pwd->pw_passwd; |
| 708 | } |
| 709 | |
| 710 | if (!pass_hash) { |
Michal Vasko | d083db6 | 2016-01-19 10:31:29 +0100 | [diff] [blame] | 711 | ERR("No password could be retrieved for \"%s\".", username); |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 712 | return NULL; |
| 713 | } |
| 714 | |
| 715 | /* check the hash structure for special meaning */ |
| 716 | if (!strcmp(pass_hash, "*") || !strcmp(pass_hash, "!")) { |
| 717 | VRB("User \"%s\" is not allowed to authenticate using a password.", username); |
| 718 | return NULL; |
| 719 | } |
| 720 | if (!strcmp(pass_hash, "*NP*")) { |
| 721 | VRB("Retrieving password for \"%s\" from a NIS+ server not supported.", username); |
| 722 | return NULL; |
| 723 | } |
| 724 | |
| 725 | return strdup(pass_hash); |
Claus Klein | 2209191 | 2020-01-20 13:45:47 +0100 | [diff] [blame] | 726 | #else |
| 727 | return strdup(""); |
| 728 | #endif |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 729 | } |
| 730 | |
| 731 | static int |
| 732 | auth_password_compare_pwd(const char *pass_hash, const char *pass_clear) |
| 733 | { |
| 734 | char *new_pass_hash; |
Mislav Novakovic | ebf4bd7 | 2017-08-02 10:43:41 +0200 | [diff] [blame] | 735 | #if defined(HAVE_CRYPT_R) |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 736 | struct crypt_data cdata; |
Mislav Novakovic | ebf4bd7 | 2017-08-02 10:43:41 +0200 | [diff] [blame] | 737 | #endif |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 738 | |
| 739 | if (!pass_hash[0]) { |
| 740 | if (!pass_clear[0]) { |
| 741 | WRN("User authentication successful with an empty password!"); |
| 742 | return 0; |
| 743 | } else { |
| 744 | /* the user did now know he does not need any password, |
| 745 | * (which should not be used) so deny authentication */ |
| 746 | return 1; |
| 747 | } |
| 748 | } |
| 749 | |
Mislav Novakovic | ebf4bd7 | 2017-08-02 10:43:41 +0200 | [diff] [blame] | 750 | #if defined(HAVE_CRYPT_R) |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 751 | cdata.initialized = 0; |
| 752 | new_pass_hash = crypt_r(pass_clear, pass_hash, &cdata); |
Mislav Novakovic | ebf4bd7 | 2017-08-02 10:43:41 +0200 | [diff] [blame] | 753 | #else |
Mislav Novakovic | ce9a7ef | 2017-08-08 13:45:52 +0200 | [diff] [blame] | 754 | pthread_mutex_lock(&crypt_lock); |
Mislav Novakovic | ebf4bd7 | 2017-08-02 10:43:41 +0200 | [diff] [blame] | 755 | new_pass_hash = crypt(pass_clear, pass_hash); |
Mislav Novakovic | ce9a7ef | 2017-08-08 13:45:52 +0200 | [diff] [blame] | 756 | pthread_mutex_unlock(&crypt_lock); |
Mislav Novakovic | ebf4bd7 | 2017-08-02 10:43:41 +0200 | [diff] [blame] | 757 | #endif |
Andrew Langefeld | 158d6fd | 2018-06-11 18:51:44 -0500 | [diff] [blame] | 758 | |
| 759 | if (!new_pass_hash) { |
| 760 | return 1; |
| 761 | } |
| 762 | |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 763 | return strcmp(new_pass_hash, pass_hash); |
| 764 | } |
| 765 | |
| 766 | static void |
| 767 | nc_sshcb_auth_password(struct nc_session *session, ssh_message msg) |
| 768 | { |
| 769 | char *pass_hash; |
Michal Vasko | ebba760 | 2018-03-23 13:14:08 +0100 | [diff] [blame] | 770 | int auth_ret = 1; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 771 | |
Michal Vasko | ebba760 | 2018-03-23 13:14:08 +0100 | [diff] [blame] | 772 | if (server_opts.passwd_auth_clb) { |
| 773 | auth_ret = server_opts.passwd_auth_clb(session, ssh_message_auth_password(msg), server_opts.passwd_auth_data); |
| 774 | } else { |
| 775 | pass_hash = auth_password_get_pwd_hash(session->username); |
| 776 | if (pass_hash) { |
| 777 | auth_ret = auth_password_compare_pwd(pass_hash, ssh_message_auth_password(msg)); |
| 778 | free(pass_hash); |
| 779 | } |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 780 | } |
| 781 | |
Michal Vasko | ebba760 | 2018-03-23 13:14:08 +0100 | [diff] [blame] | 782 | if (!auth_ret) { |
| 783 | session->flags |= NC_SESSION_SSH_AUTHENTICATED; |
| 784 | VRB("User \"%s\" authenticated.", session->username); |
| 785 | ssh_message_auth_reply_success(msg, 0); |
| 786 | } else { |
| 787 | ++session->opts.server.ssh_auth_attempts; |
| 788 | VRB("Failed user \"%s\" authentication attempt (#%d).", session->username, session->opts.server.ssh_auth_attempts); |
| 789 | ssh_message_reply_default(msg); |
| 790 | } |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 791 | } |
| 792 | |
| 793 | static void |
| 794 | nc_sshcb_auth_kbdint(struct nc_session *session, ssh_message msg) |
| 795 | { |
bhart | 3bc2f58 | 2018-06-05 12:40:32 -0500 | [diff] [blame] | 796 | int auth_ret = 1; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 797 | char *pass_hash; |
| 798 | |
bhart | 1bb7cdb | 2018-07-02 15:03:30 -0500 | [diff] [blame] | 799 | if (server_opts.interactive_auth_clb) { |
Michal Vasko | 733c0bd | 2018-07-03 13:14:40 +0200 | [diff] [blame] | 800 | auth_ret = server_opts.interactive_auth_clb(session, msg, server_opts.interactive_auth_data); |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 801 | } else { |
bhart | 1bb7cdb | 2018-07-02 15:03:30 -0500 | [diff] [blame] | 802 | if (!ssh_message_auth_kbdint_is_response(msg)) { |
| 803 | const char *prompts[] = {"Password: "}; |
| 804 | char echo[] = {0}; |
| 805 | |
| 806 | ssh_message_auth_interactive_request(msg, "Interactive SSH Authentication", "Type your password:", 1, prompts, echo); |
Robert Varga | ad7a553 | 2018-08-10 20:40:54 +0200 | [diff] [blame] | 807 | auth_ret = -1; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 808 | } else { |
bhart | 1bb7cdb | 2018-07-02 15:03:30 -0500 | [diff] [blame] | 809 | if (ssh_userauth_kbdint_getnanswers(session->ti.libssh.session) != 1) {// failed session |
| 810 | ssh_message_reply_default(msg); |
| 811 | return; |
| 812 | } |
bhart | 3bc2f58 | 2018-06-05 12:40:32 -0500 | [diff] [blame] | 813 | pass_hash = auth_password_get_pwd_hash(session->username);// get hashed password |
| 814 | if (pass_hash) { |
Robert Varga | ad7a553 | 2018-08-10 20:40:54 +0200 | [diff] [blame] | 815 | /* Normalize auth_password_compare_pwd result to 0 or 1 */ |
| 816 | auth_ret = !!auth_password_compare_pwd(pass_hash, ssh_userauth_kbdint_getanswer(session->ti.libssh.session, 0)); |
bhart | 3bc2f58 | 2018-06-05 12:40:32 -0500 | [diff] [blame] | 817 | free(pass_hash);// free hashed password |
| 818 | } |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 819 | } |
bhart | 1bb7cdb | 2018-07-02 15:03:30 -0500 | [diff] [blame] | 820 | } |
| 821 | |
Robert Varga | ad7a553 | 2018-08-10 20:40:54 +0200 | [diff] [blame] | 822 | /* We have already sent a reply */ |
| 823 | if (auth_ret == -1) { |
| 824 | return; |
| 825 | } |
| 826 | |
bhart | 1bb7cdb | 2018-07-02 15:03:30 -0500 | [diff] [blame] | 827 | /* Authenticate message based on outcome */ |
| 828 | if (!auth_ret) { |
| 829 | session->flags |= NC_SESSION_SSH_AUTHENTICATED; |
| 830 | VRB("User \"%s\" authenticated.", session->username); |
| 831 | ssh_message_auth_reply_success(msg, 0); |
| 832 | } else { |
| 833 | ++session->opts.server.ssh_auth_attempts; |
| 834 | VRB("Failed user \"%s\" authentication attempt (#%d).", session->username, session->opts.server.ssh_auth_attempts); |
| 835 | ssh_message_reply_default(msg); |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 836 | } |
| 837 | } |
| 838 | |
| 839 | static const char * |
Michal Vasko | 17dfda9 | 2016-12-01 14:06:16 +0100 | [diff] [blame] | 840 | auth_pubkey_compare_key(ssh_key key) |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 841 | { |
| 842 | uint32_t i; |
| 843 | ssh_key pub_key; |
Michal Vasko | 76e3a35 | 2016-01-18 09:07:00 +0100 | [diff] [blame] | 844 | const char *username = NULL; |
Michal Vasko | 3e9d168 | 2017-02-24 09:50:15 +0100 | [diff] [blame] | 845 | int ret = 0; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 846 | |
Michal Vasko | a05c7b1 | 2017-01-30 14:33:08 +0100 | [diff] [blame] | 847 | /* LOCK */ |
| 848 | pthread_mutex_lock(&server_opts.authkey_lock); |
| 849 | |
Michal Vasko | 17dfda9 | 2016-12-01 14:06:16 +0100 | [diff] [blame] | 850 | for (i = 0; i < server_opts.authkey_count; ++i) { |
| 851 | switch (server_opts.authkeys[i].type) { |
| 852 | case NC_SSH_KEY_UNKNOWN: |
| 853 | ret = ssh_pki_import_pubkey_file(server_opts.authkeys[i].path, &pub_key); |
| 854 | break; |
| 855 | case NC_SSH_KEY_DSA: |
| 856 | ret = ssh_pki_import_pubkey_base64(server_opts.authkeys[i].base64, SSH_KEYTYPE_DSS, &pub_key); |
| 857 | break; |
| 858 | case NC_SSH_KEY_RSA: |
| 859 | ret = ssh_pki_import_pubkey_base64(server_opts.authkeys[i].base64, SSH_KEYTYPE_RSA, &pub_key); |
| 860 | break; |
| 861 | case NC_SSH_KEY_ECDSA: |
| 862 | ret = ssh_pki_import_pubkey_base64(server_opts.authkeys[i].base64, SSH_KEYTYPE_ECDSA, &pub_key); |
| 863 | break; |
| 864 | } |
| 865 | |
Michal Vasko | 7abcdeb | 2016-05-30 15:27:00 +0200 | [diff] [blame] | 866 | if (ret == SSH_EOF) { |
Michal Vasko | 17dfda9 | 2016-12-01 14:06:16 +0100 | [diff] [blame] | 867 | WRN("Failed to import a public key of \"%s\" (File access problem).", server_opts.authkeys[i].username); |
Michal Vasko | 7abcdeb | 2016-05-30 15:27:00 +0200 | [diff] [blame] | 868 | continue; |
| 869 | } else if (ret == SSH_ERROR) { |
Michal Vasko | 17dfda9 | 2016-12-01 14:06:16 +0100 | [diff] [blame] | 870 | WRN("Failed to import a public key of \"%s\" (SSH error).", server_opts.authkeys[i].username); |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 871 | continue; |
| 872 | } |
| 873 | |
| 874 | if (!ssh_key_cmp(key, pub_key, SSH_KEY_CMP_PUBLIC)) { |
| 875 | ssh_key_free(pub_key); |
| 876 | break; |
| 877 | } |
| 878 | |
| 879 | ssh_key_free(pub_key); |
| 880 | } |
| 881 | |
Michal Vasko | 17dfda9 | 2016-12-01 14:06:16 +0100 | [diff] [blame] | 882 | if (i < server_opts.authkey_count) { |
| 883 | username = server_opts.authkeys[i].username; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 884 | } |
| 885 | |
Michal Vasko | a05c7b1 | 2017-01-30 14:33:08 +0100 | [diff] [blame] | 886 | /* UNLOCK */ |
| 887 | pthread_mutex_unlock(&server_opts.authkey_lock); |
| 888 | |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 889 | return username; |
| 890 | } |
| 891 | |
| 892 | static void |
| 893 | nc_sshcb_auth_pubkey(struct nc_session *session, ssh_message msg) |
| 894 | { |
| 895 | const char *username; |
| 896 | int signature_state; |
| 897 | |
Michal Vasko | 733c0bd | 2018-07-03 13:14:40 +0200 | [diff] [blame] | 898 | if (server_opts.pubkey_auth_clb) { |
| 899 | if (server_opts.pubkey_auth_clb(session, ssh_message_auth_pubkey(msg), server_opts.pubkey_auth_data)) { |
bhart | 3bc2f58 | 2018-06-05 12:40:32 -0500 | [diff] [blame] | 900 | goto fail; |
| 901 | } |
Michal Vasko | 733c0bd | 2018-07-03 13:14:40 +0200 | [diff] [blame] | 902 | } else { |
bhart | 3bc2f58 | 2018-06-05 12:40:32 -0500 | [diff] [blame] | 903 | if ((username = auth_pubkey_compare_key(ssh_message_auth_pubkey(msg))) == NULL) { |
| 904 | VRB("User \"%s\" tried to use an unknown (unauthorized) public key.", session->username); |
| 905 | goto fail; |
| 906 | } else if (strcmp(session->username, username)) { |
| 907 | VRB("User \"%s\" is not the username identified with the presented public key.", session->username); |
| 908 | goto fail; |
| 909 | } |
Michal Vasko | bd13a93 | 2016-09-14 09:00:35 +0200 | [diff] [blame] | 910 | } |
Michal Vasko | bd13a93 | 2016-09-14 09:00:35 +0200 | [diff] [blame] | 911 | |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 912 | signature_state = ssh_message_auth_publickey_state(msg); |
| 913 | if (signature_state == SSH_PUBLICKEY_STATE_VALID) { |
| 914 | VRB("User \"%s\" authenticated.", session->username); |
| 915 | session->flags |= NC_SESSION_SSH_AUTHENTICATED; |
| 916 | ssh_message_auth_reply_success(msg, 0); |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 917 | } else if (signature_state == SSH_PUBLICKEY_STATE_NONE) { |
Michal Vasko | bd13a93 | 2016-09-14 09:00:35 +0200 | [diff] [blame] | 918 | /* accepting only the use of a public key */ |
| 919 | ssh_message_auth_reply_pk_ok_simple(msg); |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 920 | } |
| 921 | |
Michal Vasko | bd13a93 | 2016-09-14 09:00:35 +0200 | [diff] [blame] | 922 | return; |
| 923 | |
| 924 | fail: |
Michal Vasko | 2e6defd | 2016-10-07 15:48:15 +0200 | [diff] [blame] | 925 | ++session->opts.server.ssh_auth_attempts; |
| 926 | VRB("Failed user \"%s\" authentication attempt (#%d).", session->username, session->opts.server.ssh_auth_attempts); |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 927 | ssh_message_reply_default(msg); |
| 928 | } |
| 929 | |
| 930 | static int |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 931 | nc_sshcb_channel_open(struct nc_session *session, ssh_message msg) |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 932 | { |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 933 | ssh_channel chan; |
| 934 | |
| 935 | /* first channel request */ |
| 936 | if (!session->ti.libssh.channel) { |
| 937 | if (session->status != NC_STATUS_STARTING) { |
Michal Vasko | 9e036d5 | 2016-01-08 10:49:26 +0100 | [diff] [blame] | 938 | ERRINT; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 939 | return -1; |
| 940 | } |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 941 | chan = ssh_message_channel_request_open_reply_accept(msg); |
| 942 | if (!chan) { |
| 943 | ERR("Failed to create a new SSH channel."); |
| 944 | return -1; |
| 945 | } |
| 946 | session->ti.libssh.channel = chan; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 947 | |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 948 | /* additional channel request */ |
| 949 | } else { |
| 950 | chan = ssh_message_channel_request_open_reply_accept(msg); |
| 951 | if (!chan) { |
| 952 | ERR("Session %u: failed to create a new SSH channel.", session->id); |
| 953 | return -1; |
| 954 | } |
| 955 | /* channel was created and libssh stored it internally in the ssh_session structure, good enough */ |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 956 | } |
| 957 | |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 958 | return 0; |
| 959 | } |
| 960 | |
| 961 | static int |
| 962 | nc_sshcb_channel_subsystem(struct nc_session *session, ssh_channel channel, const char *subsystem) |
| 963 | { |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 964 | struct nc_session *new_session; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 965 | |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 966 | if (strcmp(subsystem, "netconf")) { |
| 967 | WRN("Received an unknown subsystem \"%s\" request.", subsystem); |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 968 | return -1; |
| 969 | } |
| 970 | |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 971 | if (session->ti.libssh.channel == channel) { |
| 972 | /* first channel requested */ |
| 973 | if (session->ti.libssh.next || (session->status != NC_STATUS_STARTING)) { |
| 974 | ERRINT; |
| 975 | return -1; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 976 | } |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 977 | if (session->flags & NC_SESSION_SSH_SUBSYS_NETCONF) { |
| 978 | ERR("Session %u: subsystem \"netconf\" requested for the second time.", session->id); |
| 979 | return -1; |
| 980 | } |
| 981 | |
| 982 | session->flags |= NC_SESSION_SSH_SUBSYS_NETCONF; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 983 | } else { |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 984 | /* additional channel subsystem request, new session is ready as far as SSH is concerned */ |
Michal Vasko | 131120a | 2018-05-29 15:44:02 +0200 | [diff] [blame] | 985 | new_session = nc_new_session(NC_SERVER, 1); |
Michal Vasko | 4eb3c31 | 2016-03-01 14:09:37 +0100 | [diff] [blame] | 986 | if (!new_session) { |
| 987 | ERRMEM; |
| 988 | return -1; |
| 989 | } |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 990 | |
| 991 | /* insert the new session */ |
| 992 | if (!session->ti.libssh.next) { |
| 993 | new_session->ti.libssh.next = session; |
| 994 | } else { |
| 995 | new_session->ti.libssh.next = session->ti.libssh.next; |
| 996 | } |
| 997 | session->ti.libssh.next = new_session; |
| 998 | |
| 999 | new_session->status = NC_STATUS_STARTING; |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 1000 | new_session->ti_type = NC_TI_LIBSSH; |
Michal Vasko | 131120a | 2018-05-29 15:44:02 +0200 | [diff] [blame] | 1001 | new_session->io_lock = session->io_lock; |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 1002 | new_session->ti.libssh.channel = channel; |
| 1003 | new_session->ti.libssh.session = session->ti.libssh.session; |
| 1004 | new_session->username = lydict_insert(server_opts.ctx, session->username, 0); |
| 1005 | new_session->host = lydict_insert(server_opts.ctx, session->host, 0); |
| 1006 | new_session->port = session->port; |
| 1007 | new_session->ctx = server_opts.ctx; |
Michal Vasko | 83d1532 | 2018-09-27 09:44:02 +0200 | [diff] [blame] | 1008 | new_session->flags = NC_SESSION_SSH_AUTHENTICATED | NC_SESSION_SSH_SUBSYS_NETCONF | NC_SESSION_SHAREDCTX; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1009 | } |
| 1010 | |
| 1011 | return 0; |
| 1012 | } |
| 1013 | |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 1014 | int |
Michal Vasko | b48aa81 | 2016-01-18 14:13:09 +0100 | [diff] [blame] | 1015 | nc_sshcb_msg(ssh_session UNUSED(sshsession), ssh_message msg, void *data) |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1016 | { |
| 1017 | const char *str_type, *str_subtype = NULL, *username; |
| 1018 | int subtype, type; |
| 1019 | struct nc_session *session = (struct nc_session *)data; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1020 | |
| 1021 | type = ssh_message_type(msg); |
| 1022 | subtype = ssh_message_subtype(msg); |
| 1023 | |
| 1024 | switch (type) { |
| 1025 | case SSH_REQUEST_AUTH: |
| 1026 | str_type = "request-auth"; |
| 1027 | switch (subtype) { |
| 1028 | case SSH_AUTH_METHOD_NONE: |
| 1029 | str_subtype = "none"; |
| 1030 | break; |
| 1031 | case SSH_AUTH_METHOD_PASSWORD: |
| 1032 | str_subtype = "password"; |
| 1033 | break; |
| 1034 | case SSH_AUTH_METHOD_PUBLICKEY: |
| 1035 | str_subtype = "publickey"; |
| 1036 | break; |
| 1037 | case SSH_AUTH_METHOD_HOSTBASED: |
| 1038 | str_subtype = "hostbased"; |
| 1039 | break; |
| 1040 | case SSH_AUTH_METHOD_INTERACTIVE: |
| 1041 | str_subtype = "interactive"; |
| 1042 | break; |
| 1043 | case SSH_AUTH_METHOD_GSSAPI_MIC: |
| 1044 | str_subtype = "gssapi-mic"; |
| 1045 | break; |
| 1046 | } |
| 1047 | break; |
| 1048 | |
| 1049 | case SSH_REQUEST_CHANNEL_OPEN: |
| 1050 | str_type = "request-channel-open"; |
| 1051 | switch (subtype) { |
| 1052 | case SSH_CHANNEL_SESSION: |
| 1053 | str_subtype = "session"; |
| 1054 | break; |
| 1055 | case SSH_CHANNEL_DIRECT_TCPIP: |
| 1056 | str_subtype = "direct-tcpip"; |
| 1057 | break; |
| 1058 | case SSH_CHANNEL_FORWARDED_TCPIP: |
| 1059 | str_subtype = "forwarded-tcpip"; |
| 1060 | break; |
| 1061 | case (int)SSH_CHANNEL_X11: |
| 1062 | str_subtype = "channel-x11"; |
| 1063 | break; |
| 1064 | case SSH_CHANNEL_UNKNOWN: |
| 1065 | /* fallthrough */ |
| 1066 | default: |
| 1067 | str_subtype = "unknown"; |
| 1068 | break; |
| 1069 | } |
| 1070 | break; |
| 1071 | |
| 1072 | case SSH_REQUEST_CHANNEL: |
| 1073 | str_type = "request-channel"; |
| 1074 | switch (subtype) { |
| 1075 | case SSH_CHANNEL_REQUEST_PTY: |
| 1076 | str_subtype = "pty"; |
| 1077 | break; |
| 1078 | case SSH_CHANNEL_REQUEST_EXEC: |
| 1079 | str_subtype = "exec"; |
| 1080 | break; |
| 1081 | case SSH_CHANNEL_REQUEST_SHELL: |
| 1082 | str_subtype = "shell"; |
| 1083 | break; |
| 1084 | case SSH_CHANNEL_REQUEST_ENV: |
| 1085 | str_subtype = "env"; |
| 1086 | break; |
| 1087 | case SSH_CHANNEL_REQUEST_SUBSYSTEM: |
| 1088 | str_subtype = "subsystem"; |
| 1089 | break; |
| 1090 | case SSH_CHANNEL_REQUEST_WINDOW_CHANGE: |
| 1091 | str_subtype = "window-change"; |
| 1092 | break; |
| 1093 | case SSH_CHANNEL_REQUEST_X11: |
| 1094 | str_subtype = "x11"; |
| 1095 | break; |
| 1096 | case SSH_CHANNEL_REQUEST_UNKNOWN: |
| 1097 | /* fallthrough */ |
| 1098 | default: |
| 1099 | str_subtype = "unknown"; |
| 1100 | break; |
| 1101 | } |
| 1102 | break; |
| 1103 | |
| 1104 | case SSH_REQUEST_SERVICE: |
| 1105 | str_type = "request-service"; |
| 1106 | str_subtype = ssh_message_service_service(msg); |
| 1107 | break; |
| 1108 | |
| 1109 | case SSH_REQUEST_GLOBAL: |
| 1110 | str_type = "request-global"; |
| 1111 | switch (subtype) { |
| 1112 | case SSH_GLOBAL_REQUEST_TCPIP_FORWARD: |
| 1113 | str_subtype = "tcpip-forward"; |
| 1114 | break; |
| 1115 | case SSH_GLOBAL_REQUEST_CANCEL_TCPIP_FORWARD: |
| 1116 | str_subtype = "cancel-tcpip-forward"; |
| 1117 | break; |
| 1118 | case SSH_GLOBAL_REQUEST_UNKNOWN: |
| 1119 | /* fallthrough */ |
| 1120 | default: |
| 1121 | str_subtype = "unknown"; |
| 1122 | break; |
| 1123 | } |
| 1124 | break; |
| 1125 | |
| 1126 | default: |
| 1127 | str_type = "unknown"; |
| 1128 | str_subtype = "unknown"; |
| 1129 | break; |
| 1130 | } |
| 1131 | |
| 1132 | VRB("Received an SSH message \"%s\" of subtype \"%s\".", str_type, str_subtype); |
Michal Vasko | ce31916 | 2016-02-03 15:33:08 +0100 | [diff] [blame] | 1133 | if ((session->status == NC_STATUS_CLOSING) || (session->status == NC_STATUS_INVALID)) { |
| 1134 | /* "valid" situation if, for example, receiving some auth or channel request timeouted, |
| 1135 | * but we got it now, during session free */ |
| 1136 | VRB("SSH message arrived on a %s session, the request will be denied.", |
| 1137 | (session->status == NC_STATUS_CLOSING ? "closing" : "invalid")); |
| 1138 | ssh_message_reply_default(msg); |
| 1139 | return 0; |
| 1140 | } |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 1141 | session->flags |= NC_SESSION_SSH_NEW_MSG; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1142 | |
| 1143 | /* |
| 1144 | * process known messages |
| 1145 | */ |
| 1146 | if (type == SSH_REQUEST_AUTH) { |
| 1147 | if (session->flags & NC_SESSION_SSH_AUTHENTICATED) { |
| 1148 | ERR("User \"%s\" authenticated, but requested another authentication.", session->username); |
| 1149 | ssh_message_reply_default(msg); |
| 1150 | return 0; |
| 1151 | } |
| 1152 | |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1153 | /* save the username, do not let the client change it */ |
| 1154 | username = ssh_message_auth_user(msg); |
| 1155 | if (!session->username) { |
| 1156 | if (!username) { |
| 1157 | ERR("Denying an auth request without a username."); |
| 1158 | return 1; |
| 1159 | } |
| 1160 | |
Michal Vasko | 05ba9df | 2016-01-13 14:40:27 +0100 | [diff] [blame] | 1161 | session->username = lydict_insert(server_opts.ctx, username, 0); |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1162 | } else if (username) { |
| 1163 | if (strcmp(username, session->username)) { |
| 1164 | ERR("User \"%s\" changed its username to \"%s\".", session->username, username); |
| 1165 | session->status = NC_STATUS_INVALID; |
Michal Vasko | 428087d | 2016-01-14 16:04:28 +0100 | [diff] [blame] | 1166 | session->term_reason = NC_SESSION_TERM_OTHER; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1167 | return 1; |
| 1168 | } |
| 1169 | } |
| 1170 | |
| 1171 | if (subtype == SSH_AUTH_METHOD_NONE) { |
| 1172 | /* libssh will return the supported auth methods */ |
| 1173 | return 1; |
| 1174 | } else if (subtype == SSH_AUTH_METHOD_PASSWORD) { |
| 1175 | nc_sshcb_auth_password(session, msg); |
| 1176 | return 0; |
| 1177 | } else if (subtype == SSH_AUTH_METHOD_PUBLICKEY) { |
| 1178 | nc_sshcb_auth_pubkey(session, msg); |
| 1179 | return 0; |
| 1180 | } else if (subtype == SSH_AUTH_METHOD_INTERACTIVE) { |
| 1181 | nc_sshcb_auth_kbdint(session, msg); |
| 1182 | return 0; |
| 1183 | } |
| 1184 | } else if (session->flags & NC_SESSION_SSH_AUTHENTICATED) { |
Michal Vasko | 0df6756 | 2016-01-21 15:50:11 +0100 | [diff] [blame] | 1185 | if ((type == SSH_REQUEST_CHANNEL_OPEN) && ((enum ssh_channel_type_e)subtype == SSH_CHANNEL_SESSION)) { |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 1186 | if (nc_sshcb_channel_open(session, msg)) { |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1187 | ssh_message_reply_default(msg); |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1188 | } |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1189 | return 0; |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 1190 | |
Michal Vasko | 0df6756 | 2016-01-21 15:50:11 +0100 | [diff] [blame] | 1191 | } else if ((type == SSH_REQUEST_CHANNEL) && ((enum ssh_channel_requests_e)subtype == SSH_CHANNEL_REQUEST_SUBSYSTEM)) { |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 1192 | if (nc_sshcb_channel_subsystem(session, ssh_message_channel_request_channel(msg), |
| 1193 | ssh_message_channel_request_subsystem(msg))) { |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1194 | ssh_message_reply_default(msg); |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 1195 | } else { |
| 1196 | ssh_message_channel_request_reply_success(msg); |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1197 | } |
| 1198 | return 0; |
| 1199 | } |
| 1200 | } |
| 1201 | |
| 1202 | /* we did not process it */ |
| 1203 | return 1; |
| 1204 | } |
| 1205 | |
Michal Vasko | 1a38c86 | 2016-01-15 15:50:07 +0100 | [diff] [blame] | 1206 | /* ret 1 on success, 0 on timeout, -1 on error */ |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1207 | static int |
| 1208 | nc_open_netconf_channel(struct nc_session *session, int timeout) |
| 1209 | { |
Michal Vasko | 36c7be8 | 2017-02-22 13:37:59 +0100 | [diff] [blame] | 1210 | int ret; |
| 1211 | struct timespec ts_timeout, ts_cur; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1212 | |
| 1213 | /* message callback is executed twice to give chance for the channel to be |
| 1214 | * created if timeout == 0 (it takes 2 messages, channel-open, subsystem-request) */ |
Michal Vasko | 7f1c78b | 2016-01-19 09:52:14 +0100 | [diff] [blame] | 1215 | if (!timeout) { |
Michal Vasko | 2a7d473 | 2016-01-15 09:24:46 +0100 | [diff] [blame] | 1216 | if (!nc_session_is_connected(session)) { |
Michal Vasko | d083db6 | 2016-01-19 10:31:29 +0100 | [diff] [blame] | 1217 | ERR("Communication socket unexpectedly closed (libssh)."); |
Michal Vasko | 2a7d473 | 2016-01-15 09:24:46 +0100 | [diff] [blame] | 1218 | return -1; |
| 1219 | } |
| 1220 | |
Michal Vasko | 7f1c78b | 2016-01-19 09:52:14 +0100 | [diff] [blame] | 1221 | ret = ssh_execute_message_callbacks(session->ti.libssh.session); |
| 1222 | if (ret != SSH_OK) { |
Michal Vasko | d083db6 | 2016-01-19 10:31:29 +0100 | [diff] [blame] | 1223 | ERR("Failed to receive SSH messages on a session (%s).", |
| 1224 | ssh_get_error(session->ti.libssh.session)); |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1225 | return -1; |
| 1226 | } |
| 1227 | |
Michal Vasko | 7f1c78b | 2016-01-19 09:52:14 +0100 | [diff] [blame] | 1228 | if (!session->ti.libssh.channel) { |
Michal Vasko | 7f1c78b | 2016-01-19 09:52:14 +0100 | [diff] [blame] | 1229 | return 0; |
| 1230 | } |
| 1231 | |
| 1232 | ret = ssh_execute_message_callbacks(session->ti.libssh.session); |
| 1233 | if (ret != SSH_OK) { |
Michal Vasko | d083db6 | 2016-01-19 10:31:29 +0100 | [diff] [blame] | 1234 | ERR("Failed to receive SSH messages on a session (%s).", |
| 1235 | ssh_get_error(session->ti.libssh.session)); |
Michal Vasko | 7f1c78b | 2016-01-19 09:52:14 +0100 | [diff] [blame] | 1236 | return -1; |
| 1237 | } |
Michal Vasko | 7f1c78b | 2016-01-19 09:52:14 +0100 | [diff] [blame] | 1238 | |
| 1239 | if (!(session->flags & NC_SESSION_SSH_SUBSYS_NETCONF)) { |
| 1240 | /* we did not receive subsystem-request, timeout */ |
| 1241 | return 0; |
| 1242 | } |
| 1243 | |
| 1244 | return 1; |
| 1245 | } |
| 1246 | |
Michal Vasko | 36c7be8 | 2017-02-22 13:37:59 +0100 | [diff] [blame] | 1247 | if (timeout > -1) { |
Michal Vasko | e852c8b | 2017-10-05 10:02:20 +0200 | [diff] [blame] | 1248 | nc_gettimespec_mono(&ts_timeout); |
Michal Vasko | 36c7be8 | 2017-02-22 13:37:59 +0100 | [diff] [blame] | 1249 | nc_addtimespec(&ts_timeout, timeout); |
| 1250 | } |
Michal Vasko | 7f1c78b | 2016-01-19 09:52:14 +0100 | [diff] [blame] | 1251 | while (1) { |
| 1252 | if (!nc_session_is_connected(session)) { |
Michal Vasko | d083db6 | 2016-01-19 10:31:29 +0100 | [diff] [blame] | 1253 | ERR("Communication socket unexpectedly closed (libssh)."); |
Michal Vasko | 7f1c78b | 2016-01-19 09:52:14 +0100 | [diff] [blame] | 1254 | return -1; |
| 1255 | } |
| 1256 | |
Michal Vasko | 7f1c78b | 2016-01-19 09:52:14 +0100 | [diff] [blame] | 1257 | ret = ssh_execute_message_callbacks(session->ti.libssh.session); |
| 1258 | if (ret != SSH_OK) { |
Michal Vasko | d083db6 | 2016-01-19 10:31:29 +0100 | [diff] [blame] | 1259 | ERR("Failed to receive SSH messages on a session (%s).", |
| 1260 | ssh_get_error(session->ti.libssh.session)); |
Michal Vasko | 7f1c78b | 2016-01-19 09:52:14 +0100 | [diff] [blame] | 1261 | return -1; |
| 1262 | } |
| 1263 | |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1264 | if (session->ti.libssh.channel && (session->flags & NC_SESSION_SSH_SUBSYS_NETCONF)) { |
Michal Vasko | 1a38c86 | 2016-01-15 15:50:07 +0100 | [diff] [blame] | 1265 | return 1; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1266 | } |
| 1267 | |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1268 | usleep(NC_TIMEOUT_STEP); |
Michal Vasko | 36c7be8 | 2017-02-22 13:37:59 +0100 | [diff] [blame] | 1269 | if (timeout > -1) { |
Michal Vasko | e852c8b | 2017-10-05 10:02:20 +0200 | [diff] [blame] | 1270 | nc_gettimespec_mono(&ts_cur); |
Michal Vasko | 36c7be8 | 2017-02-22 13:37:59 +0100 | [diff] [blame] | 1271 | if (nc_difftimespec(&ts_cur, &ts_timeout) < 1) { |
| 1272 | /* timeout */ |
| 1273 | ERR("Failed to start \"netconf\" SSH subsystem for too long, disconnecting."); |
| 1274 | break; |
| 1275 | } |
| 1276 | } |
Michal Vasko | 7f1c78b | 2016-01-19 09:52:14 +0100 | [diff] [blame] | 1277 | } |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1278 | |
Michal Vasko | 1a38c86 | 2016-01-15 15:50:07 +0100 | [diff] [blame] | 1279 | return 0; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1280 | } |
| 1281 | |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 1282 | static int |
| 1283 | nc_ssh_bind_add_hostkeys(ssh_bind sbind, const char **hostkeys, uint8_t hostkey_count) |
| 1284 | { |
| 1285 | uint8_t i; |
| 1286 | char *privkey_path, *privkey_data; |
Michal Vasko | ddce121 | 2019-05-24 09:58:49 +0200 | [diff] [blame] | 1287 | int ret; |
Michal Vasko | e49a15f | 2019-05-27 14:18:36 +0200 | [diff] [blame] | 1288 | NC_SSH_KEY_TYPE privkey_type; |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 1289 | |
| 1290 | if (!server_opts.hostkey_clb) { |
| 1291 | ERR("Callback for retrieving SSH host keys not set."); |
| 1292 | return -1; |
| 1293 | } |
| 1294 | |
| 1295 | for (i = 0; i < hostkey_count; ++i) { |
| 1296 | privkey_path = privkey_data = NULL; |
Michal Vasko | ddce121 | 2019-05-24 09:58:49 +0200 | [diff] [blame] | 1297 | if (server_opts.hostkey_clb(hostkeys[i], server_opts.hostkey_data, &privkey_path, &privkey_data, &privkey_type)) { |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 1298 | ERR("Host key callback failed."); |
| 1299 | return -1; |
| 1300 | } |
| 1301 | |
| 1302 | if (privkey_data) { |
Michal Vasko | ddce121 | 2019-05-24 09:58:49 +0200 | [diff] [blame] | 1303 | privkey_path = base64der_key_to_tmp_file(privkey_data, nc_keytype2str(privkey_type)); |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 1304 | if (!privkey_path) { |
| 1305 | ERR("Temporarily storing a host key into a file failed (%s).", strerror(errno)); |
| 1306 | free(privkey_data); |
| 1307 | return -1; |
| 1308 | } |
| 1309 | } |
| 1310 | |
| 1311 | ret = ssh_bind_options_set(sbind, SSH_BIND_OPTIONS_HOSTKEY, privkey_path); |
| 1312 | |
| 1313 | /* cleanup */ |
| 1314 | if (privkey_data && unlink(privkey_path)) { |
| 1315 | WRN("Removing a temporary host key file \"%s\" failed (%s).", privkey_path, strerror(errno)); |
| 1316 | } |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 1317 | free(privkey_data); |
| 1318 | |
| 1319 | if (ret != SSH_OK) { |
Michal Vasko | 80075de | 2017-07-10 11:38:52 +0200 | [diff] [blame] | 1320 | ERR("Failed to set hostkey \"%s\" (%s).", hostkeys[i], privkey_path); |
| 1321 | } |
| 1322 | free(privkey_path); |
| 1323 | |
| 1324 | if (ret != SSH_OK) { |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 1325 | return -1; |
| 1326 | } |
| 1327 | } |
| 1328 | |
| 1329 | return 0; |
| 1330 | } |
| 1331 | |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 1332 | int |
Michal Vasko | 0190bc3 | 2016-03-02 15:47:49 +0100 | [diff] [blame] | 1333 | nc_accept_ssh_session(struct nc_session *session, int sock, int timeout) |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 1334 | { |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 1335 | ssh_bind sbind; |
Michal Vasko | 3031aae | 2016-01-27 16:07:18 +0100 | [diff] [blame] | 1336 | struct nc_server_ssh_opts *opts; |
Michal Vasko | 36c7be8 | 2017-02-22 13:37:59 +0100 | [diff] [blame] | 1337 | int libssh_auth_methods = 0, ret; |
| 1338 | struct timespec ts_timeout, ts_cur; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1339 | |
Michal Vasko | 2cc4c68 | 2016-03-01 09:16:48 +0100 | [diff] [blame] | 1340 | opts = session->data; |
Michal Vasko | c61c449 | 2016-01-25 11:13:34 +0100 | [diff] [blame] | 1341 | |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1342 | /* other transport-specific data */ |
| 1343 | session->ti_type = NC_TI_LIBSSH; |
| 1344 | session->ti.libssh.session = ssh_new(); |
| 1345 | if (!session->ti.libssh.session) { |
Michal Vasko | d083db6 | 2016-01-19 10:31:29 +0100 | [diff] [blame] | 1346 | ERR("Failed to initialize a new SSH session."); |
Michal Vasko | c14e3c8 | 2016-01-11 16:14:30 +0100 | [diff] [blame] | 1347 | close(sock); |
Michal Vasko | 9e036d5 | 2016-01-08 10:49:26 +0100 | [diff] [blame] | 1348 | return -1; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1349 | } |
| 1350 | |
Michal Vasko | c61c449 | 2016-01-25 11:13:34 +0100 | [diff] [blame] | 1351 | if (opts->auth_methods & NC_SSH_AUTH_PUBLICKEY) { |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1352 | libssh_auth_methods |= SSH_AUTH_METHOD_PUBLICKEY; |
| 1353 | } |
Michal Vasko | c61c449 | 2016-01-25 11:13:34 +0100 | [diff] [blame] | 1354 | if (opts->auth_methods & NC_SSH_AUTH_PASSWORD) { |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1355 | libssh_auth_methods |= SSH_AUTH_METHOD_PASSWORD; |
| 1356 | } |
Michal Vasko | c61c449 | 2016-01-25 11:13:34 +0100 | [diff] [blame] | 1357 | if (opts->auth_methods & NC_SSH_AUTH_INTERACTIVE) { |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1358 | libssh_auth_methods |= SSH_AUTH_METHOD_INTERACTIVE; |
| 1359 | } |
| 1360 | ssh_set_auth_methods(session->ti.libssh.session, libssh_auth_methods); |
| 1361 | |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 1362 | sbind = ssh_bind_new(); |
| 1363 | if (!sbind) { |
| 1364 | ERR("Failed to create an SSH bind."); |
| 1365 | close(sock); |
| 1366 | return -1; |
| 1367 | } |
Michal Vasko | 4c1fb49 | 2017-01-30 14:31:07 +0100 | [diff] [blame] | 1368 | |
| 1369 | if (nc_ssh_bind_add_hostkeys(sbind, opts->hostkeys, opts->hostkey_count)) { |
| 1370 | close(sock); |
| 1371 | ssh_bind_free(sbind); |
| 1372 | return -1; |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 1373 | } |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 1374 | |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1375 | ssh_set_message_callback(session->ti.libssh.session, nc_sshcb_msg, session); |
Michal Vasko | c61c449 | 2016-01-25 11:13:34 +0100 | [diff] [blame] | 1376 | /* remember that this session was just set as nc_sshcb_msg() parameter */ |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 1377 | session->flags |= NC_SESSION_SSH_MSG_CB; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1378 | |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 1379 | if (ssh_bind_accept_fd(sbind, session->ti.libssh.session, sock) == SSH_ERROR) { |
| 1380 | ERR("SSH failed to accept a new connection (%s).", ssh_get_error(sbind)); |
Michal Vasko | c14e3c8 | 2016-01-11 16:14:30 +0100 | [diff] [blame] | 1381 | close(sock); |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 1382 | ssh_bind_free(sbind); |
Michal Vasko | 9e036d5 | 2016-01-08 10:49:26 +0100 | [diff] [blame] | 1383 | return -1; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1384 | } |
Michal Vasko | e2713da | 2016-08-22 16:06:40 +0200 | [diff] [blame] | 1385 | ssh_bind_free(sbind); |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1386 | |
Michal Vasko | 0190bc3 | 2016-03-02 15:47:49 +0100 | [diff] [blame] | 1387 | ssh_set_blocking(session->ti.libssh.session, 0); |
| 1388 | |
Michal Vasko | 36c7be8 | 2017-02-22 13:37:59 +0100 | [diff] [blame] | 1389 | if (timeout > -1) { |
Michal Vasko | e852c8b | 2017-10-05 10:02:20 +0200 | [diff] [blame] | 1390 | nc_gettimespec_mono(&ts_timeout); |
Michal Vasko | 36c7be8 | 2017-02-22 13:37:59 +0100 | [diff] [blame] | 1391 | nc_addtimespec(&ts_timeout, timeout); |
| 1392 | } |
Michal Vasko | 0190bc3 | 2016-03-02 15:47:49 +0100 | [diff] [blame] | 1393 | while ((ret = ssh_handle_key_exchange(session->ti.libssh.session)) == SSH_AGAIN) { |
Michal Vasko | e65b449 | 2016-03-03 11:57:51 +0100 | [diff] [blame] | 1394 | /* this tends to take longer */ |
| 1395 | usleep(NC_TIMEOUT_STEP * 20); |
Michal Vasko | 36c7be8 | 2017-02-22 13:37:59 +0100 | [diff] [blame] | 1396 | if (timeout > -1) { |
Michal Vasko | e852c8b | 2017-10-05 10:02:20 +0200 | [diff] [blame] | 1397 | nc_gettimespec_mono(&ts_cur); |
Michal Vasko | 36c7be8 | 2017-02-22 13:37:59 +0100 | [diff] [blame] | 1398 | if (nc_difftimespec(&ts_cur, &ts_timeout) < 1) { |
| 1399 | break; |
| 1400 | } |
Michal Vasko | 0190bc3 | 2016-03-02 15:47:49 +0100 | [diff] [blame] | 1401 | } |
| 1402 | } |
| 1403 | if (ret == SSH_AGAIN) { |
| 1404 | ERR("SSH key exchange timeout."); |
| 1405 | return 0; |
| 1406 | } else if (ret != SSH_OK) { |
Michal Vasko | d083db6 | 2016-01-19 10:31:29 +0100 | [diff] [blame] | 1407 | ERR("SSH key exchange error (%s).", ssh_get_error(session->ti.libssh.session)); |
Michal Vasko | 9e036d5 | 2016-01-08 10:49:26 +0100 | [diff] [blame] | 1408 | return -1; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1409 | } |
| 1410 | |
| 1411 | /* authenticate */ |
Michal Vasko | 36c7be8 | 2017-02-22 13:37:59 +0100 | [diff] [blame] | 1412 | if (opts->auth_timeout) { |
Michal Vasko | e852c8b | 2017-10-05 10:02:20 +0200 | [diff] [blame] | 1413 | nc_gettimespec_mono(&ts_timeout); |
Michal Vasko | 36c7be8 | 2017-02-22 13:37:59 +0100 | [diff] [blame] | 1414 | nc_addtimespec(&ts_timeout, opts->auth_timeout * 1000); |
| 1415 | } |
| 1416 | while (1) { |
Michal Vasko | 2a7d473 | 2016-01-15 09:24:46 +0100 | [diff] [blame] | 1417 | if (!nc_session_is_connected(session)) { |
Michal Vasko | c13da70 | 2017-02-07 10:57:57 +0100 | [diff] [blame] | 1418 | ERR("Communication SSH socket unexpectedly closed."); |
Michal Vasko | 2a7d473 | 2016-01-15 09:24:46 +0100 | [diff] [blame] | 1419 | return -1; |
| 1420 | } |
| 1421 | |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1422 | if (ssh_execute_message_callbacks(session->ti.libssh.session) != SSH_OK) { |
Michal Vasko | d083db6 | 2016-01-19 10:31:29 +0100 | [diff] [blame] | 1423 | ERR("Failed to receive SSH messages on a session (%s).", |
| 1424 | ssh_get_error(session->ti.libssh.session)); |
Michal Vasko | 9e036d5 | 2016-01-08 10:49:26 +0100 | [diff] [blame] | 1425 | return -1; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1426 | } |
| 1427 | |
Michal Vasko | 36c7be8 | 2017-02-22 13:37:59 +0100 | [diff] [blame] | 1428 | if (session->flags & NC_SESSION_SSH_AUTHENTICATED) { |
| 1429 | break; |
| 1430 | } |
| 1431 | |
Michal Vasko | 145ae67 | 2017-02-07 10:57:27 +0100 | [diff] [blame] | 1432 | if (session->opts.server.ssh_auth_attempts >= opts->auth_attempts) { |
| 1433 | ERR("Too many failed authentication attempts of user \"%s\".", session->username); |
| 1434 | return -1; |
| 1435 | } |
| 1436 | |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1437 | usleep(NC_TIMEOUT_STEP); |
Michal Vasko | 36c7be8 | 2017-02-22 13:37:59 +0100 | [diff] [blame] | 1438 | if (opts->auth_timeout) { |
Michal Vasko | e852c8b | 2017-10-05 10:02:20 +0200 | [diff] [blame] | 1439 | nc_gettimespec_mono(&ts_cur); |
Michal Vasko | 36c7be8 | 2017-02-22 13:37:59 +0100 | [diff] [blame] | 1440 | if (nc_difftimespec(&ts_cur, &ts_timeout) < 1) { |
| 1441 | /* timeout */ |
| 1442 | break; |
| 1443 | } |
| 1444 | } |
| 1445 | } |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1446 | |
| 1447 | if (!(session->flags & NC_SESSION_SSH_AUTHENTICATED)) { |
| 1448 | /* timeout */ |
Michal Vasko | c13da70 | 2017-02-07 10:57:57 +0100 | [diff] [blame] | 1449 | if (session->username) { |
| 1450 | ERR("User \"%s\" failed to authenticate for too long, disconnecting.", session->username); |
| 1451 | } else { |
| 1452 | ERR("User failed to authenticate for too long, disconnecting."); |
| 1453 | } |
Michal Vasko | 1a38c86 | 2016-01-15 15:50:07 +0100 | [diff] [blame] | 1454 | return 0; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1455 | } |
| 1456 | |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1457 | /* open channel */ |
Michal Vasko | 36c7be8 | 2017-02-22 13:37:59 +0100 | [diff] [blame] | 1458 | ret = nc_open_netconf_channel(session, timeout); |
Michal Vasko | 1a38c86 | 2016-01-15 15:50:07 +0100 | [diff] [blame] | 1459 | if (ret < 1) { |
| 1460 | return ret; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1461 | } |
| 1462 | |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 1463 | session->flags &= ~NC_SESSION_SSH_NEW_MSG; |
Michal Vasko | 1a38c86 | 2016-01-15 15:50:07 +0100 | [diff] [blame] | 1464 | return 1; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1465 | } |
| 1466 | |
Michal Vasko | 71090fc | 2016-05-24 16:37:28 +0200 | [diff] [blame] | 1467 | API NC_MSG_TYPE |
| 1468 | nc_session_accept_ssh_channel(struct nc_session *orig_session, struct nc_session **session) |
| 1469 | { |
| 1470 | NC_MSG_TYPE msgtype; |
| 1471 | struct nc_session *new_session = NULL; |
Michal Vasko | 9f6275e | 2017-10-05 13:50:05 +0200 | [diff] [blame] | 1472 | struct timespec ts_cur; |
Michal Vasko | 71090fc | 2016-05-24 16:37:28 +0200 | [diff] [blame] | 1473 | |
| 1474 | if (!orig_session) { |
| 1475 | ERRARG("orig_session"); |
| 1476 | return NC_MSG_ERROR; |
| 1477 | } else if (!session) { |
| 1478 | ERRARG("session"); |
| 1479 | return NC_MSG_ERROR; |
| 1480 | } |
| 1481 | |
| 1482 | if ((orig_session->status == NC_STATUS_RUNNING) && (orig_session->ti_type == NC_TI_LIBSSH) |
| 1483 | && orig_session->ti.libssh.next) { |
| 1484 | for (new_session = orig_session->ti.libssh.next; |
| 1485 | new_session != orig_session; |
| 1486 | new_session = new_session->ti.libssh.next) { |
| 1487 | if ((new_session->status == NC_STATUS_STARTING) && new_session->ti.libssh.channel |
| 1488 | && (new_session->flags & NC_SESSION_SSH_SUBSYS_NETCONF)) { |
| 1489 | /* we found our session */ |
| 1490 | break; |
| 1491 | } |
| 1492 | } |
| 1493 | if (new_session == orig_session) { |
| 1494 | new_session = NULL; |
| 1495 | } |
| 1496 | } |
| 1497 | |
| 1498 | if (!new_session) { |
| 1499 | ERR("Session does not have a NETCONF SSH channel ready."); |
| 1500 | return NC_MSG_ERROR; |
| 1501 | } |
| 1502 | |
| 1503 | /* assign new SID atomically */ |
Michal Vasko | 69a3ff6 | 2018-11-09 09:31:48 +0100 | [diff] [blame] | 1504 | new_session->id = ATOMIC_INC(&server_opts.new_session_id); |
Michal Vasko | 71090fc | 2016-05-24 16:37:28 +0200 | [diff] [blame] | 1505 | |
| 1506 | /* NETCONF handshake */ |
Michal Vasko | 131120a | 2018-05-29 15:44:02 +0200 | [diff] [blame] | 1507 | msgtype = nc_handshake_io(new_session); |
Michal Vasko | 71090fc | 2016-05-24 16:37:28 +0200 | [diff] [blame] | 1508 | if (msgtype != NC_MSG_HELLO) { |
| 1509 | return msgtype; |
| 1510 | } |
| 1511 | |
Michal Vasko | 9f6275e | 2017-10-05 13:50:05 +0200 | [diff] [blame] | 1512 | nc_gettimespec_real(&ts_cur); |
| 1513 | new_session->opts.server.session_start = ts_cur.tv_sec; |
| 1514 | nc_gettimespec_mono(&ts_cur); |
| 1515 | new_session->opts.server.last_rpc = ts_cur.tv_sec; |
Michal Vasko | 71090fc | 2016-05-24 16:37:28 +0200 | [diff] [blame] | 1516 | new_session->status = NC_STATUS_RUNNING; |
| 1517 | *session = new_session; |
| 1518 | |
| 1519 | return msgtype; |
| 1520 | } |
| 1521 | |
| 1522 | API NC_MSG_TYPE |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 1523 | nc_ps_accept_ssh_channel(struct nc_pollsession *ps, struct nc_session **session) |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1524 | { |
Michal Vasko | bdcf236 | 2016-07-26 11:35:43 +0200 | [diff] [blame] | 1525 | uint8_t q_id; |
Michal Vasko | 71090fc | 2016-05-24 16:37:28 +0200 | [diff] [blame] | 1526 | NC_MSG_TYPE msgtype; |
Michal Vasko | e4300a8 | 2017-05-24 10:35:42 +0200 | [diff] [blame] | 1527 | struct nc_session *new_session = NULL, *cur_session; |
Michal Vasko | 9f6275e | 2017-10-05 13:50:05 +0200 | [diff] [blame] | 1528 | struct timespec ts_cur; |
Michal Vasko | c61c449 | 2016-01-25 11:13:34 +0100 | [diff] [blame] | 1529 | uint16_t i; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1530 | |
Michal Vasko | 45e53ae | 2016-04-07 11:46:03 +0200 | [diff] [blame] | 1531 | if (!ps) { |
| 1532 | ERRARG("ps"); |
Michal Vasko | 71090fc | 2016-05-24 16:37:28 +0200 | [diff] [blame] | 1533 | return NC_MSG_ERROR; |
Michal Vasko | 45e53ae | 2016-04-07 11:46:03 +0200 | [diff] [blame] | 1534 | } else if (!session) { |
| 1535 | ERRARG("session"); |
Michal Vasko | 71090fc | 2016-05-24 16:37:28 +0200 | [diff] [blame] | 1536 | return NC_MSG_ERROR; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1537 | } |
| 1538 | |
Michal Vasko | 48a63ed | 2016-03-01 09:48:21 +0100 | [diff] [blame] | 1539 | /* LOCK */ |
Michal Vasko | 227f8ff | 2016-07-26 14:08:59 +0200 | [diff] [blame] | 1540 | if (nc_ps_lock(ps, &q_id, __func__)) { |
Michal Vasko | 71090fc | 2016-05-24 16:37:28 +0200 | [diff] [blame] | 1541 | return NC_MSG_ERROR; |
Michal Vasko | f04a52a | 2016-04-07 10:52:10 +0200 | [diff] [blame] | 1542 | } |
Michal Vasko | 48a63ed | 2016-03-01 09:48:21 +0100 | [diff] [blame] | 1543 | |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 1544 | for (i = 0; i < ps->session_count; ++i) { |
fanchanghu | 3d4e721 | 2017-08-09 09:42:30 +0800 | [diff] [blame] | 1545 | cur_session = ps->sessions[i]->session; |
Michal Vasko | e4300a8 | 2017-05-24 10:35:42 +0200 | [diff] [blame] | 1546 | if ((cur_session->status == NC_STATUS_RUNNING) && (cur_session->ti_type == NC_TI_LIBSSH) |
| 1547 | && cur_session->ti.libssh.next) { |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 1548 | /* an SSH session with more channels */ |
Michal Vasko | e4300a8 | 2017-05-24 10:35:42 +0200 | [diff] [blame] | 1549 | for (new_session = cur_session->ti.libssh.next; |
| 1550 | new_session != cur_session; |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 1551 | new_session = new_session->ti.libssh.next) { |
| 1552 | if ((new_session->status == NC_STATUS_STARTING) && new_session->ti.libssh.channel |
| 1553 | && (new_session->flags & NC_SESSION_SSH_SUBSYS_NETCONF)) { |
| 1554 | /* we found our session */ |
| 1555 | break; |
| 1556 | } |
| 1557 | } |
Michal Vasko | e4300a8 | 2017-05-24 10:35:42 +0200 | [diff] [blame] | 1558 | if (new_session != cur_session) { |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 1559 | break; |
| 1560 | } |
Michal Vasko | fb89d77 | 2016-01-08 12:25:35 +0100 | [diff] [blame] | 1561 | |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 1562 | new_session = NULL; |
| 1563 | } |
| 1564 | } |
Michal Vasko | fb89d77 | 2016-01-08 12:25:35 +0100 | [diff] [blame] | 1565 | |
Michal Vasko | 48a63ed | 2016-03-01 09:48:21 +0100 | [diff] [blame] | 1566 | /* UNLOCK */ |
Michal Vasko | 227f8ff | 2016-07-26 14:08:59 +0200 | [diff] [blame] | 1567 | nc_ps_unlock(ps, q_id, __func__); |
Michal Vasko | 48a63ed | 2016-03-01 09:48:21 +0100 | [diff] [blame] | 1568 | |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 1569 | if (!new_session) { |
| 1570 | ERR("No session with a NETCONF SSH channel ready was found."); |
Michal Vasko | 71090fc | 2016-05-24 16:37:28 +0200 | [diff] [blame] | 1571 | return NC_MSG_ERROR; |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 1572 | } |
| 1573 | |
| 1574 | /* assign new SID atomically */ |
Michal Vasko | 69a3ff6 | 2018-11-09 09:31:48 +0100 | [diff] [blame] | 1575 | new_session->id = ATOMIC_INC(&server_opts.new_session_id); |
Michal Vasko | fb89d77 | 2016-01-08 12:25:35 +0100 | [diff] [blame] | 1576 | |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1577 | /* NETCONF handshake */ |
Michal Vasko | 131120a | 2018-05-29 15:44:02 +0200 | [diff] [blame] | 1578 | msgtype = nc_handshake_io(new_session); |
Michal Vasko | 71090fc | 2016-05-24 16:37:28 +0200 | [diff] [blame] | 1579 | if (msgtype != NC_MSG_HELLO) { |
| 1580 | return msgtype; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1581 | } |
Michal Vasko | 48a63ed | 2016-03-01 09:48:21 +0100 | [diff] [blame] | 1582 | |
Michal Vasko | 9f6275e | 2017-10-05 13:50:05 +0200 | [diff] [blame] | 1583 | nc_gettimespec_real(&ts_cur); |
| 1584 | new_session->opts.server.session_start = ts_cur.tv_sec; |
| 1585 | nc_gettimespec_mono(&ts_cur); |
| 1586 | new_session->opts.server.last_rpc = ts_cur.tv_sec; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1587 | new_session->status = NC_STATUS_RUNNING; |
Michal Vasko | 96164bf | 2016-01-21 15:41:58 +0100 | [diff] [blame] | 1588 | *session = new_session; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1589 | |
Michal Vasko | 71090fc | 2016-05-24 16:37:28 +0200 | [diff] [blame] | 1590 | return msgtype; |
Michal Vasko | 086311b | 2016-01-08 09:53:11 +0100 | [diff] [blame] | 1591 | } |