Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / bd13a93fd6d876e4730709a1c13ab5eec532f906 / . / src / session_server_ssh.c
blob: 74516aaaab7f7c7a74e55c0d12c60d0d18b16cd7 [file] [log] [blame]
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1/**
2 * \file session_server_ssh.c
3 * \author Michal Vasko <mvasko@cesnet.cz>
4 * \brief libnetconf2 SSH server session manipulation functions
5 *
6 * Copyright (c) 2015 CESNET, z.s.p.o.
7 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +0100[diff] [blame]8 * This source code is licensed under BSD 3-Clause License (the "License").
9 * You may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
Michal Vaskoafd416b2016-02-25 14:51:46 +0100[diff] [blame]11 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +0100[diff] [blame]12 * https://opensource.org/licenses/BSD-3-Clause
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]13 */
14
15#define _GNU_SOURCE
16
17#include <stdlib.h>
18#include <string.h>
19#include <sys/types.h>
20#include <pwd.h>
21#include <shadow.h>
22#include <crypt.h>
23#include <errno.h>
24
Michal Vasko11d142a2016-01-19 15:58:24 +0100[diff] [blame]25#include "session_server.h"
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]26#include "session_server_ch.h"
27#include "libnetconf.h"
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]28
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]29struct nc_server_ssh_opts ssh_ch_opts = {
30 .auth_methods = NC_SSH_AUTH_PUBLICKEY | NC_SSH_AUTH_PASSWORD | NC_SSH_AUTH_INTERACTIVE,
31 .auth_attempts = 3,
32 .auth_timeout = 10
33};
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]34pthread_mutex_t ssh_ch_opts_lock = PTHREAD_MUTEX_INITIALIZER;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]35extern struct nc_server_opts server_opts;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]36
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]37API int
Michal Vaskoda514772016-02-01 11:32:01 +0100[diff] [blame]38nc_server_ssh_endpt_set_address(const char *endpt_name, const char *address)
39{
40 return nc_server_endpt_set_address_port(endpt_name, address, 0, NC_TI_LIBSSH);
41}
42
43API int
44nc_server_ssh_endpt_set_port(const char *endpt_name, uint16_t port)
45{
46 return nc_server_endpt_set_address_port(endpt_name, NULL, port, NC_TI_LIBSSH);
47}
48
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]49static int
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]50nc_server_ssh_add_hostkey(const char *privkey_path, struct nc_server_ssh_opts *opts)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]51{
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]52 if (!privkey_path) {
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]53 ERRARG("privkey_path");
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]54 return -1;
55 }
56
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]57 if (eaccess(privkey_path, R_OK)) {
58 ERR("Host key \"%s\" cannot be read (%s).", privkey_path, strerror(errno));
Michal Vasko5fcc7142016-02-02 12:21:10 +0100[diff] [blame]59 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]60 }
Michal Vaskod45e25a2016-01-08 15:48:44 +0100[diff] [blame]61
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]62 ++opts->hostkey_count;
63 opts->hostkeys = nc_realloc(opts->hostkeys, opts->hostkey_count * sizeof *opts->hostkeys);
64 if (!opts->hostkeys) {
65 ERRMEM;
66 return -1;
67 }
68 opts->hostkeys[opts->hostkey_count - 1] = lydict_insert(server_opts.ctx, privkey_path, 0);
69
Michal Vasko5fcc7142016-02-02 12:21:10 +0100[diff] [blame]70 return 0;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]71}
72
73API int
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]74nc_server_ssh_endpt_add_hostkey(const char *endpt_name, const char *privkey_path)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]75{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]76 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]77 struct nc_endpt *endpt;
78
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]79 /* LOCK */
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]80 endpt = nc_server_endpt_lock(endpt_name, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]81 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]82 return -1;
83 }
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]84 ret = nc_server_ssh_add_hostkey(privkey_path, endpt->ssh_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]85 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]86 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]87
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]88 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]89}
90
91API int
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]92nc_server_ssh_ch_add_hostkey(const char *privkey_path)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]93{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]94 int ret;
95
96 /* OPTS LOCK */
97 pthread_mutex_lock(&ssh_ch_opts_lock);
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]98 ret = nc_server_ssh_add_hostkey(privkey_path, &ssh_ch_opts);
99 /* OPTS UNLOCK */
100 pthread_mutex_unlock(&ssh_ch_opts_lock);
101
102 return ret;
103}
104
105static int
106nc_server_ssh_del_hostkey(const char *privkey_path, struct nc_server_ssh_opts *opts)
107{
108 uint8_t i;
109
110 if (!privkey_path) {
111 for (i = 0; i < opts->hostkey_count; ++i) {
112 lydict_remove(server_opts.ctx, opts->hostkeys[i]);
113 }
114 free(opts->hostkeys);
115 opts->hostkeys = NULL;
116 opts->hostkey_count = 0;
117 } else {
118 for (i = 0; i < opts->hostkey_count; ++i) {
119 if (!strcmp(opts->hostkeys[i], privkey_path)) {
120 --opts->hostkey_count;
121 lydict_remove(server_opts.ctx, opts->hostkeys[i]);
122 if (i < opts->hostkey_count - 1) {
123 memmove(opts->hostkeys + i, opts->hostkeys + i + 1, (opts->hostkey_count - i) * sizeof *opts->hostkeys);
124 }
125 return 0;
126 }
127 }
128
129 ERR("Host key \"%s\" not found.", privkey_path);
130 return -1;
131 }
132
133 return 0;
134}
135
136API int
137nc_server_ssh_endpt_del_hostkey(const char *endpt_name, const char *privkey_path)
138{
139 int ret;
140 struct nc_endpt *endpt;
141
142 /* LOCK */
143 endpt = nc_server_endpt_lock(endpt_name, NULL);
144 if (!endpt) {
145 return -1;
146 }
147 ret = nc_server_ssh_del_hostkey(privkey_path, endpt->ssh_opts);
148 /* UNLOCK */
149 nc_server_endpt_unlock(endpt);
150
151 return ret;
152}
153
154API int
155nc_server_ssh_ch_del_hostkey(const char *privkey_path)
156{
157 int ret;
158
159 /* OPTS LOCK */
160 pthread_mutex_lock(&ssh_ch_opts_lock);
161 ret = nc_server_ssh_del_hostkey(privkey_path, &ssh_ch_opts);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]162 /* OPTS UNLOCK */
163 pthread_mutex_unlock(&ssh_ch_opts_lock);
164
165 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]166}
167
168static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]169nc_server_ssh_set_banner(const char *banner, struct nc_server_ssh_opts *opts)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]170{
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]171 if (!banner) {
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]172 ERRARG("banner");
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]173 return -1;
174 }
175
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]176 if (opts->banner) {
177 lydict_remove(server_opts.ctx, opts->banner);
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]178 }
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]179 opts->banner = lydict_insert(server_opts.ctx, banner, 0);
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]180 return 0;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]181}
182
183API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]184nc_server_ssh_endpt_set_banner(const char *endpt_name, const char *banner)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]185{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]186 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]187 struct nc_endpt *endpt;
188
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]189 /* LOCK */
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]190 endpt = nc_server_endpt_lock(endpt_name, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]191 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]192 return -1;
193 }
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]194 ret = nc_server_ssh_set_banner(banner, endpt->ssh_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]195 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]196 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]197
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]198 return ret;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]199}
200
201API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]202nc_server_ssh_ch_set_banner(const char *banner)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]203{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]204 int ret;
205
206 /* OPTS LOCK */
207 pthread_mutex_lock(&ssh_ch_opts_lock);
208 ret = nc_server_ssh_set_banner(banner, &ssh_ch_opts);
209 /* OPTS UNLOCK */
210 pthread_mutex_unlock(&ssh_ch_opts_lock);
211
212 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]213}
214
215static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]216nc_server_ssh_set_auth_methods(int auth_methods, struct nc_server_ssh_opts *opts)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]217{
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]218 if (!(auth_methods & NC_SSH_AUTH_PUBLICKEY) && !(auth_methods & NC_SSH_AUTH_PASSWORD)
219 && !(auth_methods & NC_SSH_AUTH_INTERACTIVE)) {
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]220 ERRARG("auth_methods");
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]221 return -1;
222 }
223
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]224 opts->auth_methods = auth_methods;
225 return 0;
226}
227
228API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]229nc_server_ssh_endpt_set_auth_methods(const char *endpt_name, int auth_methods)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]230{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]231 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]232 struct nc_endpt *endpt;
233
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]234 /* LOCK */
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]235 endpt = nc_server_endpt_lock(endpt_name, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]236 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]237 return -1;
238 }
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]239 ret = nc_server_ssh_set_auth_methods(auth_methods, endpt->ssh_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]240 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]241 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]242
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]243 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]244}
245
246API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]247nc_server_ssh_ch_set_auth_methods(int auth_methods)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]248{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]249 int ret;
250
251 /* OPTS LOCK */
252 pthread_mutex_lock(&ssh_ch_opts_lock);
253 ret = nc_server_ssh_set_auth_methods(auth_methods, &ssh_ch_opts);
254 /* OPTS UNLOCK */
255 pthread_mutex_unlock(&ssh_ch_opts_lock);
256
257 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]258}
259
260static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]261nc_server_ssh_set_auth_attempts(uint16_t auth_attempts, struct nc_server_ssh_opts *opts)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]262{
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]263 if (!auth_attempts) {
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]264 ERRARG("auth_attempts");
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]265 return -1;
266 }
267
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]268 opts->auth_attempts = auth_attempts;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]269 return 0;
270}
271
272API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]273nc_server_ssh_endpt_set_auth_attempts(const char *endpt_name, uint16_t auth_attempts)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]274{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]275 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]276 struct nc_endpt *endpt;
277
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]278 /* LOCK */
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]279 endpt = nc_server_endpt_lock(endpt_name, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]280 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]281 return -1;
282 }
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]283 ret = nc_server_ssh_set_auth_attempts(auth_attempts, endpt->ssh_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]284 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]285 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]286
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]287 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]288}
289
290API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]291nc_server_ssh_set_ch_auth_attempts(uint16_t auth_attempts)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]292{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]293 int ret;
294
295 /* OPTS LOCK */
296 pthread_mutex_lock(&ssh_ch_opts_lock);
297 ret = nc_server_ssh_set_auth_attempts(auth_attempts, &ssh_ch_opts);
298 /* OPTS UNLOCK */
299 pthread_mutex_unlock(&ssh_ch_opts_lock);
300
301 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]302}
303
304static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]305nc_server_ssh_set_auth_timeout(uint16_t auth_timeout, struct nc_server_ssh_opts *opts)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]306{
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]307 if (!auth_timeout) {
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]308 ERRARG("auth_timeout");
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]309 return -1;
310 }
311
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]312 opts->auth_timeout = auth_timeout;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]313 return 0;
314}
315
316API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]317nc_server_ssh_endpt_set_auth_timeout(const char *endpt_name, uint16_t auth_timeout)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]318{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]319 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]320 struct nc_endpt *endpt;
321
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]322 /* LOCK */
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]323 endpt = nc_server_endpt_lock(endpt_name, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]324 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]325 return -1;
326 }
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]327 ret = nc_server_ssh_set_auth_timeout(auth_timeout, endpt->ssh_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]328 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]329 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]330
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]331 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]332}
333
334API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]335nc_server_ssh_ch_set_auth_timeout(uint16_t auth_timeout)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]336{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]337 int ret;
338
339 /* OPTS LOCK */
340 pthread_mutex_lock(&ssh_ch_opts_lock);
341 ret = nc_server_ssh_set_auth_timeout(auth_timeout, &ssh_ch_opts);
342 /* OPTS UNLOCK */
343 pthread_mutex_unlock(&ssh_ch_opts_lock);
344
345 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]346}
347
348static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]349nc_server_ssh_add_authkey(const char *pubkey_path, const char *username, struct nc_server_ssh_opts *opts)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]350{
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]351 if (!pubkey_path) {
352 ERRARG("pubkey_path");
353 return -1;
354 } else if (!username) {
355 ERRARG("username");
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]356 return -1;
357 }
358
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]359 ++opts->authkey_count;
Michal Vasko4eb3c312016-03-01 14:09:37 +0100[diff] [blame]360 opts->authkeys = nc_realloc(opts->authkeys, opts->authkey_count * sizeof *opts->authkeys);
361 if (!opts->authkeys) {
362 ERRMEM;
363 return -1;
364 }
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]365 opts->authkeys[opts->authkey_count - 1].path = lydict_insert(server_opts.ctx, pubkey_path, 0);
366 opts->authkeys[opts->authkey_count - 1].username = lydict_insert(server_opts.ctx, username, 0);
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]367
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]368 return 0;
369}
370
371API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]372nc_server_ssh_endpt_add_authkey(const char *endpt_name, const char *pubkey_path, const char *username)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]373{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]374 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]375 struct nc_endpt *endpt;
376
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]377 /* LOCK */
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]378 endpt = nc_server_endpt_lock(endpt_name, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]379 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]380 return -1;
381 }
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]382 ret = nc_server_ssh_add_authkey(pubkey_path, username, endpt->ssh_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]383 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]384 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]385
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]386 return ret;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]387}
388
389API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]390nc_server_ssh_ch_add_authkey(const char *pubkey_path, const char *username)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]391{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]392 int ret;
393
394 /* OPTS LOCK */
395 pthread_mutex_lock(&ssh_ch_opts_lock);
396 ret = nc_server_ssh_add_authkey(pubkey_path, username, &ssh_ch_opts);
397 /* OPTS UNLOCK */
398 pthread_mutex_unlock(&ssh_ch_opts_lock);
399
400 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]401}
402
403static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]404nc_server_ssh_del_authkey(const char *pubkey_path, const char *username, struct nc_server_ssh_opts *opts)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]405{
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]406 uint32_t i;
407 int ret = -1;
408
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]409 if (!pubkey_path && !username) {
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]410 for (i = 0; i < opts->authkey_count; ++i) {
411 lydict_remove(server_opts.ctx, opts->authkeys[i].path);
412 lydict_remove(server_opts.ctx, opts->authkeys[i].username);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]413
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]414 ret = 0;
415 }
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]416 free(opts->authkeys);
417 opts->authkeys = NULL;
418 opts->authkey_count = 0;
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]419 } else {
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]420 for (i = 0; i < opts->authkey_count; ++i) {
421 if ((!pubkey_path || !strcmp(opts->authkeys[i].path, pubkey_path))
422 && (!username || !strcmp(opts->authkeys[i].username, username))) {
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]423 lydict_remove(server_opts.ctx, opts->authkeys[i].path);
424 lydict_remove(server_opts.ctx, opts->authkeys[i].username);
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]425
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]426 --opts->authkey_count;
Michal Vaskoc0256492016-02-02 12:19:06 +0100[diff] [blame]427 if (i < opts->authkey_count) {
428 memcpy(&opts->authkeys[i], &opts->authkeys[opts->authkey_count], sizeof *opts->authkeys);
429 } else if (!opts->authkey_count) {
430 free(opts->authkeys);
431 opts->authkeys = NULL;
432 }
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]433
434 ret = 0;
435 }
436 }
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]437 }
438
439 return ret;
440}
441
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]442API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]443nc_server_ssh_endpt_del_authkey(const char *endpt_name, const char *pubkey_path, const char *username)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]444{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]445 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]446 struct nc_endpt *endpt;
447
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]448 /* LOCK */
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]449 endpt = nc_server_endpt_lock(endpt_name, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]450 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]451 return -1;
452 }
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]453 ret = nc_server_ssh_del_authkey(pubkey_path, username, endpt->ssh_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]454 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]455 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]456
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]457 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]458}
459
460API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]461nc_server_ssh_ch_del_authkey(const char *pubkey_path, const char *username)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]462{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]463 int ret;
464
465 /* OPTS LOCK */
466 pthread_mutex_lock(&ssh_ch_opts_lock);
467 ret = nc_server_ssh_del_authkey(pubkey_path, username, &ssh_ch_opts);
468 /* OPTS UNLOCK */
469 pthread_mutex_unlock(&ssh_ch_opts_lock);
470
471 return ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]472}
473
474void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]475nc_server_ssh_clear_opts(struct nc_server_ssh_opts *opts)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]476{
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]477 nc_server_ssh_del_hostkey(NULL, opts);
478 if (opts->banner) {
479 lydict_remove(server_opts.ctx, opts->banner);
480 opts->banner = NULL;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]481 }
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]482 nc_server_ssh_del_authkey(NULL, NULL, opts);
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]483}
484
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]485API void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]486nc_server_ssh_ch_clear_opts(void)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]487{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]488 /* OPTS LOCK */
489 pthread_mutex_lock(&ssh_ch_opts_lock);
490 nc_server_ssh_clear_opts(&ssh_ch_opts);
491 /* OPTS UNLOCK */
492 pthread_mutex_unlock(&ssh_ch_opts_lock);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]493}
494
495static char *
496auth_password_get_pwd_hash(const char *username)
497{
498 struct passwd *pwd, pwd_buf;
499 struct spwd *spwd, spwd_buf;
500 char *pass_hash = NULL, buf[256];
501
502 getpwnam_r(username, &pwd_buf, buf, 256, &pwd);
503 if (!pwd) {
Michal Vasko11d142a2016-01-19 15:58:24 +0100[diff] [blame]504 VRB("User \"%s\" not found locally.", username);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]505 return NULL;
506 }
507
508 if (!strcmp(pwd->pw_passwd, "x")) {
509 getspnam_r(username, &spwd_buf, buf, 256, &spwd);
510 if (!spwd) {
511 VRB("Failed to retrieve the shadow entry for \"%s\".", username);
512 return NULL;
513 }
514
515 pass_hash = spwd->sp_pwdp;
516 } else {
517 pass_hash = pwd->pw_passwd;
518 }
519
520 if (!pass_hash) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]521 ERR("No password could be retrieved for \"%s\".", username);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]522 return NULL;
523 }
524
525 /* check the hash structure for special meaning */
526 if (!strcmp(pass_hash, "*") || !strcmp(pass_hash, "!")) {
527 VRB("User \"%s\" is not allowed to authenticate using a password.", username);
528 return NULL;
529 }
530 if (!strcmp(pass_hash, "*NP*")) {
531 VRB("Retrieving password for \"%s\" from a NIS+ server not supported.", username);
532 return NULL;
533 }
534
535 return strdup(pass_hash);
536}
537
538static int
539auth_password_compare_pwd(const char *pass_hash, const char *pass_clear)
540{
541 char *new_pass_hash;
542 struct crypt_data cdata;
543
544 if (!pass_hash[0]) {
545 if (!pass_clear[0]) {
546 WRN("User authentication successful with an empty password!");
547 return 0;
548 } else {
549 /* the user did now know he does not need any password,
550 * (which should not be used) so deny authentication */
551 return 1;
552 }
553 }
554
555 cdata.initialized = 0;
556 new_pass_hash = crypt_r(pass_clear, pass_hash, &cdata);
557 return strcmp(new_pass_hash, pass_hash);
558}
559
560static void
561nc_sshcb_auth_password(struct nc_session *session, ssh_message msg)
562{
563 char *pass_hash;
564
565 pass_hash = auth_password_get_pwd_hash(session->username);
566 if (pass_hash && !auth_password_compare_pwd(pass_hash, ssh_message_auth_password(msg))) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]567 VRB("User \"%s\" authenticated.", session->username);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]568 ssh_message_auth_reply_success(msg, 0);
569 session->flags |= NC_SESSION_SSH_AUTHENTICATED;
570 free(pass_hash);
571 return;
572 }
573
574 free(pass_hash);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]575 ++session->ssh_auth_attempts;
Michal Vasko296fee82016-05-04 08:57:31 +0200[diff] [blame]576 VRB("Failed user \"%s\" authentication attempt (#%d).", session->username, session->ssh_auth_attempts);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]577 ssh_message_reply_default(msg);
578}
579
580static void
581nc_sshcb_auth_kbdint(struct nc_session *session, ssh_message msg)
582{
583 char *pass_hash;
584
585 if (!ssh_message_auth_kbdint_is_response(msg)) {
586 const char *prompts[] = {"Password: "};
587 char echo[] = {0};
588
589 ssh_message_auth_interactive_request(msg, "Interactive SSH Authentication", "Type your password:", 1, prompts, echo);
590 } else {
591 if (ssh_userauth_kbdint_getnanswers(session->ti.libssh.session) != 1) {
592 ssh_message_reply_default(msg);
593 return;
594 }
595 pass_hash = auth_password_get_pwd_hash(session->username);
596 if (!pass_hash) {
597 ssh_message_reply_default(msg);
598 return;
599 }
600 if (!auth_password_compare_pwd(pass_hash, ssh_userauth_kbdint_getanswer(session->ti.libssh.session, 0))) {
601 VRB("User \"%s\" authenticated.", session->username);
602 session->flags |= NC_SESSION_SSH_AUTHENTICATED;
603 ssh_message_auth_reply_success(msg, 0);
604 } else {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]605 ++session->ssh_auth_attempts;
606 VRB("Failed user \"%s\" authentication attempt (#%d).", session->username, session->ssh_auth_attempts);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]607 ssh_message_reply_default(msg);
608 }
Radek Krejcifb533742016-03-04 15:12:54 +0100[diff] [blame]609 free(pass_hash);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]610 }
611}
612
613static const char *
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]614auth_pubkey_compare_key(struct nc_server_ssh_opts *opts, ssh_key key)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]615{
616 uint32_t i;
617 ssh_key pub_key;
Michal Vasko76e3a352016-01-18 09:07:00 +0100[diff] [blame]618 const char *username = NULL;
Michal Vasko7abcdeb2016-05-30 15:27:00 +0200[diff] [blame]619 int ret;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]620
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]621 for (i = 0; i < opts->authkey_count; ++i) {
Michal Vasko7abcdeb2016-05-30 15:27:00 +0200[diff] [blame]622 ret = ssh_pki_import_pubkey_file(opts->authkeys[i].path, &pub_key);
623 if (ret == SSH_EOF) {
624 WRN("Failed to import the public key \"%s\" (File access problem).", opts->authkeys[i].path);
625 continue;
626 } else if (ret == SSH_ERROR) {
627 WRN("Failed to import the public key \"%s\" (SSH error).", opts->authkeys[i].path);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]628 continue;
629 }
630
631 if (!ssh_key_cmp(key, pub_key, SSH_KEY_CMP_PUBLIC)) {
632 ssh_key_free(pub_key);
633 break;
634 }
635
636 ssh_key_free(pub_key);
637 }
638
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]639 if (i < opts->authkey_count) {
640 username = opts->authkeys[i].username;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]641 }
642
643 return username;
644}
645
646static void
647nc_sshcb_auth_pubkey(struct nc_session *session, ssh_message msg)
648{
649 const char *username;
650 int signature_state;
651
Michal Vaskobd13a932016-09-14 09:00:35 +0200[diff] [blame^]652 if ((username = auth_pubkey_compare_key(session->data, ssh_message_auth_pubkey(msg))) == NULL) {
653 VRB("User \"%s\" tried to use an unknown (unauthorized) public key.", session->username);
654 goto fail;
655 } else if (strcmp(session->username, username)) {
656 VRB("User \"%s\" is not the username identified with the presented public key.", session->username);
657 free(username);
658 goto fail;
659 }
660 free(username);
661
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]662 signature_state = ssh_message_auth_publickey_state(msg);
663 if (signature_state == SSH_PUBLICKEY_STATE_VALID) {
664 VRB("User \"%s\" authenticated.", session->username);
665 session->flags |= NC_SESSION_SSH_AUTHENTICATED;
666 ssh_message_auth_reply_success(msg, 0);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]667 } else if (signature_state == SSH_PUBLICKEY_STATE_NONE) {
Michal Vaskobd13a932016-09-14 09:00:35 +0200[diff] [blame^]668 /* accepting only the use of a public key */
669 ssh_message_auth_reply_pk_ok_simple(msg);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]670 }
671
Michal Vaskobd13a932016-09-14 09:00:35 +0200[diff] [blame^]672 return;
673
674fail:
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]675 ++session->ssh_auth_attempts;
676 VRB("Failed user \"%s\" authentication attempt (#%d).", session->username, session->ssh_auth_attempts);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]677 ssh_message_reply_default(msg);
678}
679
680static int
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]681nc_sshcb_channel_open(struct nc_session *session, ssh_message msg)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]682{
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]683 ssh_channel chan;
684
685 /* first channel request */
686 if (!session->ti.libssh.channel) {
687 if (session->status != NC_STATUS_STARTING) {
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]688 ERRINT;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]689 return -1;
690 }
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]691 chan = ssh_message_channel_request_open_reply_accept(msg);
692 if (!chan) {
693 ERR("Failed to create a new SSH channel.");
694 return -1;
695 }
696 session->ti.libssh.channel = chan;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]697
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]698 /* additional channel request */
699 } else {
700 chan = ssh_message_channel_request_open_reply_accept(msg);
701 if (!chan) {
702 ERR("Session %u: failed to create a new SSH channel.", session->id);
703 return -1;
704 }
705 /* channel was created and libssh stored it internally in the ssh_session structure, good enough */
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]706 }
707
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]708 return 0;
709}
710
711static int
712nc_sshcb_channel_subsystem(struct nc_session *session, ssh_channel channel, const char *subsystem)
713{
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]714 struct nc_session *new_session;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]715
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]716 if (strcmp(subsystem, "netconf")) {
717 WRN("Received an unknown subsystem \"%s\" request.", subsystem);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]718 return -1;
719 }
720
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]721 if (session->ti.libssh.channel == channel) {
722 /* first channel requested */
723 if (session->ti.libssh.next || (session->status != NC_STATUS_STARTING)) {
724 ERRINT;
725 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]726 }
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]727 if (session->flags & NC_SESSION_SSH_SUBSYS_NETCONF) {
728 ERR("Session %u: subsystem \"netconf\" requested for the second time.", session->id);
729 return -1;
730 }
731
732 session->flags |= NC_SESSION_SSH_SUBSYS_NETCONF;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]733 } else {
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]734 /* additional channel subsystem request, new session is ready as far as SSH is concerned */
735 new_session = calloc(1, sizeof *new_session);
Michal Vasko4eb3c312016-03-01 14:09:37 +0100[diff] [blame]736 if (!new_session) {
737 ERRMEM;
738 return -1;
739 }
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]740
741 /* insert the new session */
742 if (!session->ti.libssh.next) {
743 new_session->ti.libssh.next = session;
744 } else {
745 new_session->ti.libssh.next = session->ti.libssh.next;
746 }
747 session->ti.libssh.next = new_session;
748
749 new_session->status = NC_STATUS_STARTING;
750 new_session->side = NC_SERVER;
751 new_session->ti_type = NC_TI_LIBSSH;
752 new_session->ti_lock = session->ti_lock;
753 new_session->ti.libssh.channel = channel;
754 new_session->ti.libssh.session = session->ti.libssh.session;
755 new_session->username = lydict_insert(server_opts.ctx, session->username, 0);
756 new_session->host = lydict_insert(server_opts.ctx, session->host, 0);
757 new_session->port = session->port;
758 new_session->ctx = server_opts.ctx;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]759 new_session->flags = NC_SESSION_SSH_AUTHENTICATED | NC_SESSION_SSH_SUBSYS_NETCONF | NC_SESSION_SHAREDCTX
760 | (session->flags & NC_SESSION_CALLHOME ? NC_SESSION_CALLHOME : 0);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]761 }
762
763 return 0;
764}
765
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]766int
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]767nc_sshcb_msg(ssh_session UNUSED(sshsession), ssh_message msg, void *data)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]768{
769 const char *str_type, *str_subtype = NULL, *username;
770 int subtype, type;
771 struct nc_session *session = (struct nc_session *)data;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]772
773 type = ssh_message_type(msg);
774 subtype = ssh_message_subtype(msg);
775
776 switch (type) {
777 case SSH_REQUEST_AUTH:
778 str_type = "request-auth";
779 switch (subtype) {
780 case SSH_AUTH_METHOD_NONE:
781 str_subtype = "none";
782 break;
783 case SSH_AUTH_METHOD_PASSWORD:
784 str_subtype = "password";
785 break;
786 case SSH_AUTH_METHOD_PUBLICKEY:
787 str_subtype = "publickey";
788 break;
789 case SSH_AUTH_METHOD_HOSTBASED:
790 str_subtype = "hostbased";
791 break;
792 case SSH_AUTH_METHOD_INTERACTIVE:
793 str_subtype = "interactive";
794 break;
795 case SSH_AUTH_METHOD_GSSAPI_MIC:
796 str_subtype = "gssapi-mic";
797 break;
798 }
799 break;
800
801 case SSH_REQUEST_CHANNEL_OPEN:
802 str_type = "request-channel-open";
803 switch (subtype) {
804 case SSH_CHANNEL_SESSION:
805 str_subtype = "session";
806 break;
807 case SSH_CHANNEL_DIRECT_TCPIP:
808 str_subtype = "direct-tcpip";
809 break;
810 case SSH_CHANNEL_FORWARDED_TCPIP:
811 str_subtype = "forwarded-tcpip";
812 break;
813 case (int)SSH_CHANNEL_X11:
814 str_subtype = "channel-x11";
815 break;
816 case SSH_CHANNEL_UNKNOWN:
817 /* fallthrough */
818 default:
819 str_subtype = "unknown";
820 break;
821 }
822 break;
823
824 case SSH_REQUEST_CHANNEL:
825 str_type = "request-channel";
826 switch (subtype) {
827 case SSH_CHANNEL_REQUEST_PTY:
828 str_subtype = "pty";
829 break;
830 case SSH_CHANNEL_REQUEST_EXEC:
831 str_subtype = "exec";
832 break;
833 case SSH_CHANNEL_REQUEST_SHELL:
834 str_subtype = "shell";
835 break;
836 case SSH_CHANNEL_REQUEST_ENV:
837 str_subtype = "env";
838 break;
839 case SSH_CHANNEL_REQUEST_SUBSYSTEM:
840 str_subtype = "subsystem";
841 break;
842 case SSH_CHANNEL_REQUEST_WINDOW_CHANGE:
843 str_subtype = "window-change";
844 break;
845 case SSH_CHANNEL_REQUEST_X11:
846 str_subtype = "x11";
847 break;
848 case SSH_CHANNEL_REQUEST_UNKNOWN:
849 /* fallthrough */
850 default:
851 str_subtype = "unknown";
852 break;
853 }
854 break;
855
856 case SSH_REQUEST_SERVICE:
857 str_type = "request-service";
858 str_subtype = ssh_message_service_service(msg);
859 break;
860
861 case SSH_REQUEST_GLOBAL:
862 str_type = "request-global";
863 switch (subtype) {
864 case SSH_GLOBAL_REQUEST_TCPIP_FORWARD:
865 str_subtype = "tcpip-forward";
866 break;
867 case SSH_GLOBAL_REQUEST_CANCEL_TCPIP_FORWARD:
868 str_subtype = "cancel-tcpip-forward";
869 break;
870 case SSH_GLOBAL_REQUEST_UNKNOWN:
871 /* fallthrough */
872 default:
873 str_subtype = "unknown";
874 break;
875 }
876 break;
877
878 default:
879 str_type = "unknown";
880 str_subtype = "unknown";
881 break;
882 }
883
884 VRB("Received an SSH message \"%s\" of subtype \"%s\".", str_type, str_subtype);
Michal Vaskoce319162016-02-03 15:33:08 +0100[diff] [blame]885 if ((session->status == NC_STATUS_CLOSING) || (session->status == NC_STATUS_INVALID)) {
886 /* "valid" situation if, for example, receiving some auth or channel request timeouted,
887 * but we got it now, during session free */
888 VRB("SSH message arrived on a %s session, the request will be denied.",
889 (session->status == NC_STATUS_CLOSING ? "closing" : "invalid"));
890 ssh_message_reply_default(msg);
891 return 0;
892 }
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]893 session->flags |= NC_SESSION_SSH_NEW_MSG;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]894
895 /*
896 * process known messages
897 */
898 if (type == SSH_REQUEST_AUTH) {
899 if (session->flags & NC_SESSION_SSH_AUTHENTICATED) {
900 ERR("User \"%s\" authenticated, but requested another authentication.", session->username);
901 ssh_message_reply_default(msg);
902 return 0;
903 }
904
Michal Vasko2cc4c682016-03-01 09:16:48 +0100[diff] [blame]905 if (session->ssh_auth_attempts >= ((struct nc_server_ssh_opts *)session->data)->auth_attempts) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]906 /* too many failed attempts */
907 ssh_message_reply_default(msg);
908 return 0;
909 }
910
911 /* save the username, do not let the client change it */
912 username = ssh_message_auth_user(msg);
913 if (!session->username) {
914 if (!username) {
915 ERR("Denying an auth request without a username.");
916 return 1;
917 }
918
Michal Vasko05ba9df2016-01-13 14:40:27 +0100[diff] [blame]919 session->username = lydict_insert(server_opts.ctx, username, 0);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]920 } else if (username) {
921 if (strcmp(username, session->username)) {
922 ERR("User \"%s\" changed its username to \"%s\".", session->username, username);
923 session->status = NC_STATUS_INVALID;
Michal Vasko428087d2016-01-14 16:04:28 +0100[diff] [blame]924 session->term_reason = NC_SESSION_TERM_OTHER;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]925 return 1;
926 }
927 }
928
929 if (subtype == SSH_AUTH_METHOD_NONE) {
930 /* libssh will return the supported auth methods */
931 return 1;
932 } else if (subtype == SSH_AUTH_METHOD_PASSWORD) {
933 nc_sshcb_auth_password(session, msg);
934 return 0;
935 } else if (subtype == SSH_AUTH_METHOD_PUBLICKEY) {
936 nc_sshcb_auth_pubkey(session, msg);
937 return 0;
938 } else if (subtype == SSH_AUTH_METHOD_INTERACTIVE) {
939 nc_sshcb_auth_kbdint(session, msg);
940 return 0;
941 }
942 } else if (session->flags & NC_SESSION_SSH_AUTHENTICATED) {
Michal Vasko0df67562016-01-21 15:50:11 +0100[diff] [blame]943 if ((type == SSH_REQUEST_CHANNEL_OPEN) && ((enum ssh_channel_type_e)subtype == SSH_CHANNEL_SESSION)) {
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]944 if (nc_sshcb_channel_open(session, msg)) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]945 ssh_message_reply_default(msg);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]946 }
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]947 return 0;
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]948
Michal Vasko0df67562016-01-21 15:50:11 +0100[diff] [blame]949 } else if ((type == SSH_REQUEST_CHANNEL) && ((enum ssh_channel_requests_e)subtype == SSH_CHANNEL_REQUEST_SUBSYSTEM)) {
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]950 if (nc_sshcb_channel_subsystem(session, ssh_message_channel_request_channel(msg),
951 ssh_message_channel_request_subsystem(msg))) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]952 ssh_message_reply_default(msg);
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]953 } else {
954 ssh_message_channel_request_reply_success(msg);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]955 }
956 return 0;
957 }
958 }
959
960 /* we did not process it */
961 return 1;
962}
963
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]964/* ret 1 on success, 0 on timeout, -1 on error */
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]965static int
966nc_open_netconf_channel(struct nc_session *session, int timeout)
967{
Michal Vasko62be1ce2016-03-03 13:24:52 +0100[diff] [blame]968 int elapsed_usec = 0, ret;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]969
970 /* message callback is executed twice to give chance for the channel to be
971 * created if timeout == 0 (it takes 2 messages, channel-open, subsystem-request) */
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]972 if (!timeout) {
Michal Vasko2a7d4732016-01-15 09:24:46 +0100[diff] [blame]973 if (!nc_session_is_connected(session)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]974 ERR("Communication socket unexpectedly closed (libssh).");
Michal Vasko2a7d4732016-01-15 09:24:46 +0100[diff] [blame]975 return -1;
976 }
977
Michal Vasko62be1ce2016-03-03 13:24:52 +0100[diff] [blame]978 ret = nc_timedlock(session->ti_lock, timeout);
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]979 if (ret != 1) {
980 return ret;
981 }
982
983 ret = ssh_execute_message_callbacks(session->ti.libssh.session);
984 if (ret != SSH_OK) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]985 ERR("Failed to receive SSH messages on a session (%s).",
986 ssh_get_error(session->ti.libssh.session));
Michal Vasko11d142a2016-01-19 15:58:24 +0100[diff] [blame]987 pthread_mutex_unlock(session->ti_lock);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]988 return -1;
989 }
990
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]991 if (!session->ti.libssh.channel) {
992 /* we did not receive channel-open, timeout */
993 pthread_mutex_unlock(session->ti_lock);
994 return 0;
995 }
996
997 ret = ssh_execute_message_callbacks(session->ti.libssh.session);
998 if (ret != SSH_OK) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]999 ERR("Failed to receive SSH messages on a session (%s).",
1000 ssh_get_error(session->ti.libssh.session));
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1001 pthread_mutex_unlock(session->ti_lock);
1002 return -1;
1003 }
1004 pthread_mutex_unlock(session->ti_lock);
1005
1006 if (!(session->flags & NC_SESSION_SSH_SUBSYS_NETCONF)) {
1007 /* we did not receive subsystem-request, timeout */
1008 return 0;
1009 }
1010
1011 return 1;
1012 }
1013
1014 while (1) {
1015 if (!nc_session_is_connected(session)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1016 ERR("Communication socket unexpectedly closed (libssh).");
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1017 return -1;
1018 }
1019
Michal Vasko62be1ce2016-03-03 13:24:52 +0100[diff] [blame]1020 ret = nc_timedlock(session->ti_lock, timeout);
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1021 if (ret != 1) {
1022 return ret;
1023 }
1024
1025 ret = ssh_execute_message_callbacks(session->ti.libssh.session);
1026 if (ret != SSH_OK) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1027 ERR("Failed to receive SSH messages on a session (%s).",
1028 ssh_get_error(session->ti.libssh.session));
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1029 pthread_mutex_unlock(session->ti_lock);
1030 return -1;
1031 }
1032
1033 pthread_mutex_unlock(session->ti_lock);
1034
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1035 if (session->ti.libssh.channel && (session->flags & NC_SESSION_SSH_SUBSYS_NETCONF)) {
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1036 return 1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1037 }
1038
Michal Vasko105bf272016-02-03 15:34:35 +0100[diff] [blame]1039 if ((timeout != -1) && (elapsed_usec / 1000 >= timeout)) {
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1040 /* timeout */
Michal Vasko842522c2016-03-01 09:20:13 +0100[diff] [blame]1041 ERR("Failed to start \"netconf\" SSH subsystem for too long, disconnecting.");
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1042 break;
1043 }
1044
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1045 usleep(NC_TIMEOUT_STEP);
Michal Vasko105bf272016-02-03 15:34:35 +0100[diff] [blame]1046 elapsed_usec += NC_TIMEOUT_STEP;
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1047 }
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1048
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1049 return 0;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1050}
1051
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1052int
Michal Vasko62be1ce2016-03-03 13:24:52 +0100[diff] [blame]1053nc_ssh_pollin(struct nc_session *session, int timeout)
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1054{
Michal Vasko62be1ce2016-03-03 13:24:52 +0100[diff] [blame]1055 int ret;
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1056 struct nc_session *new;
1057
Michal Vasko62be1ce2016-03-03 13:24:52 +0100[diff] [blame]1058 ret = nc_timedlock(session->ti_lock, timeout);
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1059
Michal Vasko71090fc2016-05-24 16:37:28 +0200[diff] [blame]1060 if (ret < 0) {
1061 return NC_PSPOLL_ERROR;
1062 } else if (!ret) {
1063 return NC_PSPOLL_TIMEOUT;
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1064 }
1065
1066 ret = ssh_execute_message_callbacks(session->ti.libssh.session);
1067 pthread_mutex_unlock(session->ti_lock);
1068
1069 if (ret != SSH_OK) {
1070 ERR("Session %u: failed to receive SSH messages (%s).", session->id,
1071 ssh_get_error(session->ti.libssh.session));
1072 session->status = NC_STATUS_INVALID;
1073 session->term_reason = NC_SESSION_TERM_OTHER;
Michal Vasko71090fc2016-05-24 16:37:28 +0200[diff] [blame]1074 return NC_PSPOLL_SESSION_TERM | NC_PSPOLL_SESSION_ERROR;
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1075 }
1076
1077 /* new SSH message */
1078 if (session->flags & NC_SESSION_SSH_NEW_MSG) {
1079 session->flags &= ~NC_SESSION_SSH_NEW_MSG;
1080 if (session->ti.libssh.next) {
1081 for (new = session->ti.libssh.next; new != session; new = new->ti.libssh.next) {
1082 if ((new->status == NC_STATUS_STARTING) && new->ti.libssh.channel
1083 && (new->flags & NC_SESSION_SSH_SUBSYS_NETCONF)) {
1084 /* new NETCONF SSH channel */
Michal Vasko71090fc2016-05-24 16:37:28 +0200[diff] [blame]1085 return NC_PSPOLL_SSH_CHANNEL;
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1086 }
1087 }
1088 }
1089
1090 /* just some SSH message */
Michal Vasko71090fc2016-05-24 16:37:28 +0200[diff] [blame]1091 return NC_PSPOLL_SSH_MSG;
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1092 }
1093
1094 /* no new SSH message, maybe NETCONF data? */
1095 ret = ssh_channel_poll_timeout(session->ti.libssh.channel, 0, 0);
1096 /* not this one */
1097 if (!ret) {
Michal Vasko71090fc2016-05-24 16:37:28 +0200[diff] [blame]1098 return NC_PSPOLL_PENDING;
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1099 } else if (ret == SSH_ERROR) {
1100 ERR("Session %u: SSH channel error (%s).", session->id,
1101 ssh_get_error(session->ti.libssh.session));
1102 session->status = NC_STATUS_INVALID;
1103 session->term_reason = NC_SESSION_TERM_OTHER;
Michal Vasko71090fc2016-05-24 16:37:28 +0200[diff] [blame]1104 return NC_PSPOLL_SESSION_TERM | NC_PSPOLL_SESSION_ERROR;
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1105 } else if (ret == SSH_EOF) {
1106 ERR("Session %u: communication channel unexpectedly closed (libssh).",
1107 session->id);
1108 session->status = NC_STATUS_INVALID;
1109 session->term_reason = NC_SESSION_TERM_DROPPED;
Michal Vasko71090fc2016-05-24 16:37:28 +0200[diff] [blame]1110 return NC_PSPOLL_SESSION_TERM | NC_PSPOLL_SESSION_ERROR;
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1111 }
1112
Michal Vasko71090fc2016-05-24 16:37:28 +0200[diff] [blame]1113 return NC_PSPOLL_RPC;
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1114}
1115
Michal Vasko71090fc2016-05-24 16:37:28 +0200[diff] [blame]1116API NC_MSG_TYPE
Michal Vasko8f5270d2016-02-29 16:22:25 +0100[diff] [blame]1117nc_connect_callhome_ssh(const char *host, uint16_t port, struct nc_session **session)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1118{
Michal Vasko8f5270d2016-02-29 16:22:25 +0100[diff] [blame]1119 return nc_connect_callhome(host, port, NC_TI_LIBSSH, session);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1120}
1121
1122int
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]1123nc_accept_ssh_session(struct nc_session *session, int sock, int timeout)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1124{
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1125 ssh_bind sbind;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1126 struct nc_server_ssh_opts *opts;
Michal Vasko72387da2016-02-02 15:52:41 +0100[diff] [blame]1127 int libssh_auth_methods = 0, elapsed_usec = 0, ret;
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1128 uint8_t i;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1129
Michal Vasko2cc4c682016-03-01 09:16:48 +0100[diff] [blame]1130 opts = session->data;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1131
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1132 /* other transport-specific data */
1133 session->ti_type = NC_TI_LIBSSH;
1134 session->ti.libssh.session = ssh_new();
1135 if (!session->ti.libssh.session) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1136 ERR("Failed to initialize a new SSH session.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1137 close(sock);
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1138 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1139 }
1140
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1141 if (opts->auth_methods & NC_SSH_AUTH_PUBLICKEY) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1142 libssh_auth_methods |= SSH_AUTH_METHOD_PUBLICKEY;
1143 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1144 if (opts->auth_methods & NC_SSH_AUTH_PASSWORD) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1145 libssh_auth_methods |= SSH_AUTH_METHOD_PASSWORD;
1146 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1147 if (opts->auth_methods & NC_SSH_AUTH_INTERACTIVE) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1148 libssh_auth_methods |= SSH_AUTH_METHOD_INTERACTIVE;
1149 }
1150 ssh_set_auth_methods(session->ti.libssh.session, libssh_auth_methods);
1151
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1152 sbind = ssh_bind_new();
1153 if (!sbind) {
1154 ERR("Failed to create an SSH bind.");
1155 close(sock);
1156 return -1;
1157 }
1158 for (i = 0; i < opts->hostkey_count; ++i) {
1159 if (ssh_bind_options_set(sbind, SSH_BIND_OPTIONS_HOSTKEY, opts->hostkeys[i]) != SSH_OK) {
1160 ERR("Failed to set hostkey \"%s\" (%s).", opts->hostkeys[i], ssh_get_error(sbind));
1161 close(sock);
1162 ssh_bind_free(sbind);
1163 return -1;
1164 }
1165 }
1166 if (opts->banner) {
1167 ssh_bind_options_set(sbind, SSH_BIND_OPTIONS_BANNER, opts->banner);
1168 }
1169
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1170 ssh_set_message_callback(session->ti.libssh.session, nc_sshcb_msg, session);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1171 /* remember that this session was just set as nc_sshcb_msg() parameter */
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1172 session->flags |= NC_SESSION_SSH_MSG_CB;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1173
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1174 if (ssh_bind_accept_fd(sbind, session->ti.libssh.session, sock) == SSH_ERROR) {
1175 ERR("SSH failed to accept a new connection (%s).", ssh_get_error(sbind));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1176 close(sock);
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1177 ssh_bind_free(sbind);
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1178 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1179 }
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1180 ssh_bind_free(sbind);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1181
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]1182 ssh_set_blocking(session->ti.libssh.session, 0);
1183
1184 while ((ret = ssh_handle_key_exchange(session->ti.libssh.session)) == SSH_AGAIN) {
Michal Vaskoe65b4492016-03-03 11:57:51 +0100[diff] [blame]1185 /* this tends to take longer */
1186 usleep(NC_TIMEOUT_STEP * 20);
1187 elapsed_usec += NC_TIMEOUT_STEP * 20;
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]1188 if ((timeout > -1) && (elapsed_usec / 1000 >= timeout)) {
1189 break;
1190 }
1191 }
1192 if (ret == SSH_AGAIN) {
1193 ERR("SSH key exchange timeout.");
1194 return 0;
1195 } else if (ret != SSH_OK) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1196 ERR("SSH key exchange error (%s).", ssh_get_error(session->ti.libssh.session));
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1197 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1198 }
1199
1200 /* authenticate */
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]1201 elapsed_usec = 0;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1202 do {
Michal Vasko2a7d4732016-01-15 09:24:46 +0100[diff] [blame]1203 if (!nc_session_is_connected(session)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1204 ERR("Communication socket unexpectedly closed (libssh).");
Michal Vasko2a7d4732016-01-15 09:24:46 +0100[diff] [blame]1205 return -1;
1206 }
1207
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1208 if (ssh_execute_message_callbacks(session->ti.libssh.session) != SSH_OK) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1209 ERR("Failed to receive SSH messages on a session (%s).",
1210 ssh_get_error(session->ti.libssh.session));
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1211 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1212 }
1213
1214 if (session->flags & NC_SESSION_SSH_AUTHENTICATED) {
1215 break;
1216 }
1217
1218 usleep(NC_TIMEOUT_STEP);
Michal Vasko72387da2016-02-02 15:52:41 +0100[diff] [blame]1219 elapsed_usec += NC_TIMEOUT_STEP;
Michal Vaskoab639942016-02-29 16:23:47 +0100[diff] [blame]1220 } while (!opts->auth_timeout || (elapsed_usec / 1000000 < opts->auth_timeout));
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1221
1222 if (!(session->flags & NC_SESSION_SSH_AUTHENTICATED)) {
1223 /* timeout */
Michal Vasko842522c2016-03-01 09:20:13 +0100[diff] [blame]1224 ERR("Client failed to authenticate for too long, disconnecting.");
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1225 return 0;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1226 }
1227
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1228 /* open channel */
Michal Vaskoab639942016-02-29 16:23:47 +0100[diff] [blame]1229 ret = nc_open_netconf_channel(session, opts->auth_timeout ? (opts->auth_timeout * 1000 - elapsed_usec / 1000) : -1);
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1230 if (ret < 1) {
1231 return ret;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1232 }
1233
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1234 session->flags &= ~NC_SESSION_SSH_NEW_MSG;
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1235 return 1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1236}
1237
Michal Vasko71090fc2016-05-24 16:37:28 +0200[diff] [blame]1238API NC_MSG_TYPE
1239nc_session_accept_ssh_channel(struct nc_session *orig_session, struct nc_session **session)
1240{
1241 NC_MSG_TYPE msgtype;
1242 struct nc_session *new_session = NULL;
1243
1244 if (!orig_session) {
1245 ERRARG("orig_session");
1246 return NC_MSG_ERROR;
1247 } else if (!session) {
1248 ERRARG("session");
1249 return NC_MSG_ERROR;
1250 }
1251
1252 if ((orig_session->status == NC_STATUS_RUNNING) && (orig_session->ti_type == NC_TI_LIBSSH)
1253 && orig_session->ti.libssh.next) {
1254 for (new_session = orig_session->ti.libssh.next;
1255 new_session != orig_session;
1256 new_session = new_session->ti.libssh.next) {
1257 if ((new_session->status == NC_STATUS_STARTING) && new_session->ti.libssh.channel
1258 && (new_session->flags & NC_SESSION_SSH_SUBSYS_NETCONF)) {
1259 /* we found our session */
1260 break;
1261 }
1262 }
1263 if (new_session == orig_session) {
1264 new_session = NULL;
1265 }
1266 }
1267
1268 if (!new_session) {
1269 ERR("Session does not have a NETCONF SSH channel ready.");
1270 return NC_MSG_ERROR;
1271 }
1272
1273 /* assign new SID atomically */
1274 pthread_spin_lock(&server_opts.sid_lock);
1275 new_session->id = server_opts.new_session_id++;
1276 pthread_spin_unlock(&server_opts.sid_lock);
1277
1278 /* NETCONF handshake */
1279 msgtype = nc_handshake(new_session);
1280 if (msgtype != NC_MSG_HELLO) {
1281 return msgtype;
1282 }
1283
Michal Vasko2f975cf2016-07-28 15:47:00 +0200[diff] [blame]1284 new_session->session_start = new_session->last_rpc = time(NULL);
Michal Vasko71090fc2016-05-24 16:37:28 +0200[diff] [blame]1285 new_session->status = NC_STATUS_RUNNING;
1286 *session = new_session;
1287
1288 return msgtype;
1289}
1290
1291API NC_MSG_TYPE
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1292nc_ps_accept_ssh_channel(struct nc_pollsession *ps, struct nc_session **session)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1293{
Michal Vaskobdcf2362016-07-26 11:35:43 +0200[diff] [blame]1294 uint8_t q_id;
Michal Vasko71090fc2016-05-24 16:37:28 +0200[diff] [blame]1295 NC_MSG_TYPE msgtype;
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1296 struct nc_session *new_session = NULL;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1297 uint16_t i;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1298
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]1299 if (!ps) {
1300 ERRARG("ps");
Michal Vasko71090fc2016-05-24 16:37:28 +0200[diff] [blame]1301 return NC_MSG_ERROR;
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]1302 } else if (!session) {
1303 ERRARG("session");
Michal Vasko71090fc2016-05-24 16:37:28 +0200[diff] [blame]1304 return NC_MSG_ERROR;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1305 }
1306
Michal Vasko48a63ed2016-03-01 09:48:21 +0100[diff] [blame]1307 /* LOCK */
Michal Vasko227f8ff2016-07-26 14:08:59 +0200[diff] [blame]1308 if (nc_ps_lock(ps, &q_id, __func__)) {
Michal Vasko71090fc2016-05-24 16:37:28 +0200[diff] [blame]1309 return NC_MSG_ERROR;
Michal Vaskof04a52a2016-04-07 10:52:10 +0200[diff] [blame]1310 }
Michal Vasko48a63ed2016-03-01 09:48:21 +0100[diff] [blame]1311
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1312 for (i = 0; i < ps->session_count; ++i) {
1313 if ((ps->sessions[i]->status == NC_STATUS_RUNNING) && (ps->sessions[i]->ti_type == NC_TI_LIBSSH)
1314 && ps->sessions[i]->ti.libssh.next) {
1315 /* an SSH session with more channels */
1316 for (new_session = ps->sessions[i]->ti.libssh.next;
1317 new_session != ps->sessions[i];
1318 new_session = new_session->ti.libssh.next) {
1319 if ((new_session->status == NC_STATUS_STARTING) && new_session->ti.libssh.channel
1320 && (new_session->flags & NC_SESSION_SSH_SUBSYS_NETCONF)) {
1321 /* we found our session */
1322 break;
1323 }
1324 }
1325 if (new_session != ps->sessions[i]) {
1326 break;
1327 }
Michal Vaskofb89d772016-01-08 12:25:35 +0100[diff] [blame]1328
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1329 new_session = NULL;
1330 }
1331 }
Michal Vaskofb89d772016-01-08 12:25:35 +0100[diff] [blame]1332
Michal Vasko48a63ed2016-03-01 09:48:21 +0100[diff] [blame]1333 /* UNLOCK */
Michal Vasko227f8ff2016-07-26 14:08:59 +0200[diff] [blame]1334 nc_ps_unlock(ps, q_id, __func__);
Michal Vasko48a63ed2016-03-01 09:48:21 +0100[diff] [blame]1335
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1336 if (!new_session) {
1337 ERR("No session with a NETCONF SSH channel ready was found.");
Michal Vasko71090fc2016-05-24 16:37:28 +0200[diff] [blame]1338 return NC_MSG_ERROR;
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1339 }
1340
1341 /* assign new SID atomically */
1342 pthread_spin_lock(&server_opts.sid_lock);
1343 new_session->id = server_opts.new_session_id++;
1344 pthread_spin_unlock(&server_opts.sid_lock);
Michal Vaskofb89d772016-01-08 12:25:35 +0100[diff] [blame]1345
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1346 /* NETCONF handshake */
Michal Vasko71090fc2016-05-24 16:37:28 +0200[diff] [blame]1347 msgtype = nc_handshake(new_session);
1348 if (msgtype != NC_MSG_HELLO) {
1349 return msgtype;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1350 }
Michal Vasko48a63ed2016-03-01 09:48:21 +0100[diff] [blame]1351
Michal Vasko2f975cf2016-07-28 15:47:00 +0200[diff] [blame]1352 new_session->session_start = new_session->last_rpc = time(NULL);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1353 new_session->status = NC_STATUS_RUNNING;
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1354 *session = new_session;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1355
Michal Vasko71090fc2016-05-24 16:37:28 +0200[diff] [blame]1356 return msgtype;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1357}