Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / c9a6d25ba2d32c0558a8c9736f7f188ebaddbcdf / . / src / session_server_ssh.c
blob: 1fa316552480384791633040792af11da3017dff [file] [log] [blame]
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1/**
2 * \file session_server_ssh.c
3 * \author Michal Vasko <mvasko@cesnet.cz>
4 * \brief libnetconf2 SSH server session manipulation functions
5 *
6 * Copyright (c) 2015 CESNET, z.s.p.o.
7 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +0100[diff] [blame]8 * This source code is licensed under BSD 3-Clause License (the "License").
9 * You may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
Michal Vaskoafd416b2016-02-25 14:51:46 +0100[diff] [blame]11 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +0100[diff] [blame]12 * https://opensource.org/licenses/BSD-3-Clause
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]13 */
14
15#define _GNU_SOURCE
16
17#include <stdlib.h>
18#include <string.h>
19#include <sys/types.h>
20#include <pwd.h>
21#include <shadow.h>
22#include <crypt.h>
23#include <errno.h>
24
Michal Vasko11d142a2016-01-19 15:58:24 +0100[diff] [blame]25#include "session_server.h"
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]26#include "session_server_ch.h"
27#include "libnetconf.h"
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]28
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]29struct nc_server_ssh_opts ssh_ch_opts = {
30 .auth_methods = NC_SSH_AUTH_PUBLICKEY | NC_SSH_AUTH_PASSWORD | NC_SSH_AUTH_INTERACTIVE,
31 .auth_attempts = 3,
32 .auth_timeout = 10
33};
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]34pthread_mutex_t ssh_ch_opts_lock = PTHREAD_MUTEX_INITIALIZER;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]35extern struct nc_server_opts server_opts;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]36
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]37API int
38nc_server_ssh_add_endpt_listen(const char *name, const char *address, uint16_t port)
39{
40 return nc_server_add_endpt_listen(name, address, port, NC_TI_LIBSSH);
41}
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]42
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]43API int
Michal Vaskoda514772016-02-01 11:32:01 +0100[diff] [blame]44nc_server_ssh_endpt_set_address(const char *endpt_name, const char *address)
45{
46 return nc_server_endpt_set_address_port(endpt_name, address, 0, NC_TI_LIBSSH);
47}
48
49API int
50nc_server_ssh_endpt_set_port(const char *endpt_name, uint16_t port)
51{
52 return nc_server_endpt_set_address_port(endpt_name, NULL, port, NC_TI_LIBSSH);
53}
54
55API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]56nc_server_ssh_del_endpt(const char *name)
57{
58 return nc_server_del_endpt(name, NC_TI_LIBSSH);
59}
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]60
61static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]62nc_server_ssh_set_hostkey(const char *privkey_path, struct nc_server_ssh_opts *opts)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]63{
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]64 if (!privkey_path) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]65 ERRARG;
66 return -1;
67 }
68
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]69 if (!opts->sshbind) {
70 opts->sshbind = ssh_bind_new();
71 if (!opts->sshbind) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]72 ERR("Failed to create a new ssh_bind.");
Michal Vasko5fcc7142016-02-02 12:21:10 +0100[diff] [blame]73 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]74 }
75 }
76
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]77 if (ssh_bind_options_set(opts->sshbind, SSH_BIND_OPTIONS_HOSTKEY, privkey_path) != SSH_OK) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]78 if (eaccess(privkey_path, R_OK)) {
79 ERR("Failed to set host key (%s).", strerror(errno));
80 } else {
81 ERR("Failed to set host key (%s).", ssh_get_error(opts->sshbind));
82 }
Michal Vasko5fcc7142016-02-02 12:21:10 +0100[diff] [blame]83 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]84 }
Michal Vaskod45e25a2016-01-08 15:48:44 +0100[diff] [blame]85
Michal Vasko5fcc7142016-02-02 12:21:10 +0100[diff] [blame]86 return 0;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]87}
88
89API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]90nc_server_ssh_endpt_set_hostkey(const char *endpt_name, const char *privkey_path)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]91{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]92 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]93 struct nc_endpt *endpt;
94
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]95 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]96 endpt = nc_server_endpt_lock(endpt_name, NC_TI_LIBSSH);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]97 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]98 return -1;
99 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]100 ret = nc_server_ssh_set_hostkey(privkey_path, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]101 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]102 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]103
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]104 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]105}
106
107API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]108nc_server_ssh_ch_set_hostkey(const char *privkey_path)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]109{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]110 int ret;
111
112 /* OPTS LOCK */
113 pthread_mutex_lock(&ssh_ch_opts_lock);
114 ret = nc_server_ssh_set_hostkey(privkey_path, &ssh_ch_opts);
115 /* OPTS UNLOCK */
116 pthread_mutex_unlock(&ssh_ch_opts_lock);
117
118 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]119}
120
121static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]122nc_server_ssh_set_banner(const char *banner, struct nc_server_ssh_opts *opts)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]123{
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]124 if (!banner) {
125 ERRARG;
126 return -1;
127 }
128
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]129 if (!opts->sshbind) {
130 opts->sshbind = ssh_bind_new();
131 if (!opts->sshbind) {
132 ERR("Failed to create a new ssh_bind.");
Michal Vasko5fcc7142016-02-02 12:21:10 +0100[diff] [blame]133 return -1;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]134 }
135 }
136
137 ssh_bind_options_set(opts->sshbind, SSH_BIND_OPTIONS_BANNER, banner);
138
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]139 return 0;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]140}
141
142API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]143nc_server_ssh_endpt_set_banner(const char *endpt_name, const char *banner)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]144{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]145 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]146 struct nc_endpt *endpt;
147
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]148 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]149 endpt = nc_server_endpt_lock(endpt_name, NC_TI_LIBSSH);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]150 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]151 return -1;
152 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]153 ret = nc_server_ssh_set_banner(banner, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]154 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]155 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]156
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]157 return ret;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]158}
159
160API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]161nc_server_ssh_ch_set_banner(const char *banner)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]162{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]163 int ret;
164
165 /* OPTS LOCK */
166 pthread_mutex_lock(&ssh_ch_opts_lock);
167 ret = nc_server_ssh_set_banner(banner, &ssh_ch_opts);
168 /* OPTS UNLOCK */
169 pthread_mutex_unlock(&ssh_ch_opts_lock);
170
171 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]172}
173
174static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]175nc_server_ssh_set_auth_methods(int auth_methods, struct nc_server_ssh_opts *opts)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]176{
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]177 if (!(auth_methods & NC_SSH_AUTH_PUBLICKEY) && !(auth_methods & NC_SSH_AUTH_PASSWORD)
178 && !(auth_methods & NC_SSH_AUTH_INTERACTIVE)) {
179 ERRARG;
180 return -1;
181 }
182
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]183 opts->auth_methods = auth_methods;
184 return 0;
185}
186
187API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]188nc_server_ssh_endpt_set_auth_methods(const char *endpt_name, int auth_methods)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]189{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]190 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]191 struct nc_endpt *endpt;
192
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]193 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]194 endpt = nc_server_endpt_lock(endpt_name, NC_TI_LIBSSH);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]195 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]196 return -1;
197 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]198 ret = nc_server_ssh_set_auth_methods(auth_methods, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]199 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]200 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]201
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]202 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]203}
204
205API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]206nc_server_ssh_ch_set_auth_methods(int auth_methods)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]207{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]208 int ret;
209
210 /* OPTS LOCK */
211 pthread_mutex_lock(&ssh_ch_opts_lock);
212 ret = nc_server_ssh_set_auth_methods(auth_methods, &ssh_ch_opts);
213 /* OPTS UNLOCK */
214 pthread_mutex_unlock(&ssh_ch_opts_lock);
215
216 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]217}
218
219static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]220nc_server_ssh_set_auth_attempts(uint16_t auth_attempts, struct nc_server_ssh_opts *opts)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]221{
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]222 if (!auth_attempts) {
223 ERRARG;
224 return -1;
225 }
226
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]227 opts->auth_attempts = auth_attempts;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]228 return 0;
229}
230
231API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]232nc_server_ssh_endpt_set_auth_attempts(const char *endpt_name, uint16_t auth_attempts)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]233{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]234 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]235 struct nc_endpt *endpt;
236
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]237 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]238 endpt = nc_server_endpt_lock(endpt_name, NC_TI_LIBSSH);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]239 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]240 return -1;
241 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]242 ret = nc_server_ssh_set_auth_attempts(auth_attempts, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]243 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]244 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]245
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]246 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]247}
248
249API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]250nc_server_ssh_set_ch_auth_attempts(uint16_t auth_attempts)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]251{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]252 int ret;
253
254 /* OPTS LOCK */
255 pthread_mutex_lock(&ssh_ch_opts_lock);
256 ret = nc_server_ssh_set_auth_attempts(auth_attempts, &ssh_ch_opts);
257 /* OPTS UNLOCK */
258 pthread_mutex_unlock(&ssh_ch_opts_lock);
259
260 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]261}
262
263static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]264nc_server_ssh_set_auth_timeout(uint16_t auth_timeout, struct nc_server_ssh_opts *opts)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]265{
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]266 if (!auth_timeout) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]267 ERRARG;
268 return -1;
269 }
270
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]271 opts->auth_timeout = auth_timeout;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]272 return 0;
273}
274
275API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]276nc_server_ssh_endpt_set_auth_timeout(const char *endpt_name, uint16_t auth_timeout)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]277{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]278 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]279 struct nc_endpt *endpt;
280
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]281 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]282 endpt = nc_server_endpt_lock(endpt_name, NC_TI_LIBSSH);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]283 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]284 return -1;
285 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]286 ret = nc_server_ssh_set_auth_timeout(auth_timeout, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]287 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]288 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]289
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]290 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]291}
292
293API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]294nc_server_ssh_ch_set_auth_timeout(uint16_t auth_timeout)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]295{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]296 int ret;
297
298 /* OPTS LOCK */
299 pthread_mutex_lock(&ssh_ch_opts_lock);
300 ret = nc_server_ssh_set_auth_timeout(auth_timeout, &ssh_ch_opts);
301 /* OPTS UNLOCK */
302 pthread_mutex_unlock(&ssh_ch_opts_lock);
303
304 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]305}
306
307static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]308nc_server_ssh_add_authkey(const char *pubkey_path, const char *username, struct nc_server_ssh_opts *opts)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]309{
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]310 if (!pubkey_path || !username) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]311 ERRARG;
312 return -1;
313 }
314
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]315 ++opts->authkey_count;
Michal Vasko4eb3c312016-03-01 14:09:37 +0100[diff] [blame]316 opts->authkeys = nc_realloc(opts->authkeys, opts->authkey_count * sizeof *opts->authkeys);
317 if (!opts->authkeys) {
318 ERRMEM;
319 return -1;
320 }
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]321 opts->authkeys[opts->authkey_count - 1].path = lydict_insert(server_opts.ctx, pubkey_path, 0);
322 opts->authkeys[opts->authkey_count - 1].username = lydict_insert(server_opts.ctx, username, 0);
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]323
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]324 return 0;
325}
326
327API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]328nc_server_ssh_endpt_add_authkey(const char *endpt_name, const char *pubkey_path, const char *username)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]329{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]330 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]331 struct nc_endpt *endpt;
332
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]333 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]334 endpt = nc_server_endpt_lock(endpt_name, NC_TI_LIBSSH);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]335 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]336 return -1;
337 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]338 ret = nc_server_ssh_add_authkey(pubkey_path, username, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]339 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]340 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]341
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]342 return ret;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]343}
344
345API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]346nc_server_ssh_ch_add_authkey(const char *pubkey_path, const char *username)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]347{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]348 int ret;
349
350 /* OPTS LOCK */
351 pthread_mutex_lock(&ssh_ch_opts_lock);
352 ret = nc_server_ssh_add_authkey(pubkey_path, username, &ssh_ch_opts);
353 /* OPTS UNLOCK */
354 pthread_mutex_unlock(&ssh_ch_opts_lock);
355
356 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]357}
358
359static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]360nc_server_ssh_del_authkey(const char *pubkey_path, const char *username, struct nc_server_ssh_opts *opts)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]361{
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]362 uint32_t i;
363 int ret = -1;
364
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]365 if (!pubkey_path && !username) {
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]366 for (i = 0; i < opts->authkey_count; ++i) {
367 lydict_remove(server_opts.ctx, opts->authkeys[i].path);
368 lydict_remove(server_opts.ctx, opts->authkeys[i].username);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]369
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]370 ret = 0;
371 }
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]372 free(opts->authkeys);
373 opts->authkeys = NULL;
374 opts->authkey_count = 0;
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]375 } else {
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]376 for (i = 0; i < opts->authkey_count; ++i) {
377 if ((!pubkey_path || !strcmp(opts->authkeys[i].path, pubkey_path))
378 && (!username || !strcmp(opts->authkeys[i].username, username))) {
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]379 lydict_remove(server_opts.ctx, opts->authkeys[i].path);
380 lydict_remove(server_opts.ctx, opts->authkeys[i].username);
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]381
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]382 --opts->authkey_count;
Michal Vaskoc0256492016-02-02 12:19:06 +0100[diff] [blame]383 if (i < opts->authkey_count) {
384 memcpy(&opts->authkeys[i], &opts->authkeys[opts->authkey_count], sizeof *opts->authkeys);
385 } else if (!opts->authkey_count) {
386 free(opts->authkeys);
387 opts->authkeys = NULL;
388 }
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]389
390 ret = 0;
391 }
392 }
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]393 }
394
395 return ret;
396}
397
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]398API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]399nc_server_ssh_endpt_del_authkey(const char *endpt_name, const char *pubkey_path, const char *username)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]400{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]401 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]402 struct nc_endpt *endpt;
403
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]404 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]405 endpt = nc_server_endpt_lock(endpt_name, NC_TI_LIBSSH);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]406 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]407 return -1;
408 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]409 ret = nc_server_ssh_del_authkey(pubkey_path, username, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]410 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]411 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]412
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]413 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]414}
415
416API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]417nc_server_ssh_ch_del_authkey(const char *pubkey_path, const char *username)
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]418{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]419 int ret;
420
421 /* OPTS LOCK */
422 pthread_mutex_lock(&ssh_ch_opts_lock);
423 ret = nc_server_ssh_del_authkey(pubkey_path, username, &ssh_ch_opts);
424 /* OPTS UNLOCK */
425 pthread_mutex_unlock(&ssh_ch_opts_lock);
426
427 return ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]428}
429
430void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]431nc_server_ssh_clear_opts(struct nc_server_ssh_opts *opts)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]432{
433 if (opts->sshbind) {
434 ssh_bind_free(opts->sshbind);
435 opts->sshbind = NULL;
436 }
437
438 nc_server_ssh_del_authkey(NULL, NULL, opts);
Michal Vaskob05053d2016-01-22 16:12:06 +0100[diff] [blame]439}
440
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]441API void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]442nc_server_ssh_ch_clear_opts(void)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]443{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]444 /* OPTS LOCK */
445 pthread_mutex_lock(&ssh_ch_opts_lock);
446 nc_server_ssh_clear_opts(&ssh_ch_opts);
447 /* OPTS UNLOCK */
448 pthread_mutex_unlock(&ssh_ch_opts_lock);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]449}
450
451static char *
452auth_password_get_pwd_hash(const char *username)
453{
454 struct passwd *pwd, pwd_buf;
455 struct spwd *spwd, spwd_buf;
456 char *pass_hash = NULL, buf[256];
457
458 getpwnam_r(username, &pwd_buf, buf, 256, &pwd);
459 if (!pwd) {
Michal Vasko11d142a2016-01-19 15:58:24 +0100[diff] [blame]460 VRB("User \"%s\" not found locally.", username);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]461 return NULL;
462 }
463
464 if (!strcmp(pwd->pw_passwd, "x")) {
465 getspnam_r(username, &spwd_buf, buf, 256, &spwd);
466 if (!spwd) {
467 VRB("Failed to retrieve the shadow entry for \"%s\".", username);
468 return NULL;
469 }
470
471 pass_hash = spwd->sp_pwdp;
472 } else {
473 pass_hash = pwd->pw_passwd;
474 }
475
476 if (!pass_hash) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]477 ERR("No password could be retrieved for \"%s\".", username);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]478 return NULL;
479 }
480
481 /* check the hash structure for special meaning */
482 if (!strcmp(pass_hash, "*") || !strcmp(pass_hash, "!")) {
483 VRB("User \"%s\" is not allowed to authenticate using a password.", username);
484 return NULL;
485 }
486 if (!strcmp(pass_hash, "*NP*")) {
487 VRB("Retrieving password for \"%s\" from a NIS+ server not supported.", username);
488 return NULL;
489 }
490
491 return strdup(pass_hash);
492}
493
494static int
495auth_password_compare_pwd(const char *pass_hash, const char *pass_clear)
496{
497 char *new_pass_hash;
498 struct crypt_data cdata;
499
500 if (!pass_hash[0]) {
501 if (!pass_clear[0]) {
502 WRN("User authentication successful with an empty password!");
503 return 0;
504 } else {
505 /* the user did now know he does not need any password,
506 * (which should not be used) so deny authentication */
507 return 1;
508 }
509 }
510
511 cdata.initialized = 0;
512 new_pass_hash = crypt_r(pass_clear, pass_hash, &cdata);
513 return strcmp(new_pass_hash, pass_hash);
514}
515
516static void
517nc_sshcb_auth_password(struct nc_session *session, ssh_message msg)
518{
519 char *pass_hash;
520
521 pass_hash = auth_password_get_pwd_hash(session->username);
522 if (pass_hash && !auth_password_compare_pwd(pass_hash, ssh_message_auth_password(msg))) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]523 VRB("User \"%s\" authenticated.", session->username);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]524 ssh_message_auth_reply_success(msg, 0);
525 session->flags |= NC_SESSION_SSH_AUTHENTICATED;
526 free(pass_hash);
527 return;
528 }
529
530 free(pass_hash);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]531 ++session->ssh_auth_attempts;
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]532 VRB("Failed user \"'%s\" authentication attempt (#%d).", session->username, session->ssh_auth_attempts);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]533 ssh_message_reply_default(msg);
534}
535
536static void
537nc_sshcb_auth_kbdint(struct nc_session *session, ssh_message msg)
538{
539 char *pass_hash;
540
541 if (!ssh_message_auth_kbdint_is_response(msg)) {
542 const char *prompts[] = {"Password: "};
543 char echo[] = {0};
544
545 ssh_message_auth_interactive_request(msg, "Interactive SSH Authentication", "Type your password:", 1, prompts, echo);
546 } else {
547 if (ssh_userauth_kbdint_getnanswers(session->ti.libssh.session) != 1) {
548 ssh_message_reply_default(msg);
549 return;
550 }
551 pass_hash = auth_password_get_pwd_hash(session->username);
552 if (!pass_hash) {
553 ssh_message_reply_default(msg);
554 return;
555 }
556 if (!auth_password_compare_pwd(pass_hash, ssh_userauth_kbdint_getanswer(session->ti.libssh.session, 0))) {
557 VRB("User \"%s\" authenticated.", session->username);
558 session->flags |= NC_SESSION_SSH_AUTHENTICATED;
559 ssh_message_auth_reply_success(msg, 0);
560 } else {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]561 ++session->ssh_auth_attempts;
562 VRB("Failed user \"%s\" authentication attempt (#%d).", session->username, session->ssh_auth_attempts);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]563 ssh_message_reply_default(msg);
564 }
565 }
566}
567
568static const char *
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]569auth_pubkey_compare_key(struct nc_server_ssh_opts *opts, ssh_key key)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]570{
571 uint32_t i;
572 ssh_key pub_key;
Michal Vasko76e3a352016-01-18 09:07:00 +0100[diff] [blame]573 const char *username = NULL;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]574
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]575 for (i = 0; i < opts->authkey_count; ++i) {
576 if (ssh_pki_import_pubkey_file(opts->authkeys[i].path, &pub_key) != SSH_OK) {
577 if (eaccess(opts->authkeys[i].path, R_OK)) {
578 WRN("Failed to import the public key \"%s\" (%s).", opts->authkeys[i].path, strerror(errno));
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]579 } else {
Michal Vaskoe5612cf2016-02-02 15:52:16 +0100[diff] [blame]580 WRN("Failed to import the public key \"%s\" (%s).", opts->authkeys[i].path, ssh_get_error(pub_key));
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]581 }
582 continue;
583 }
584
585 if (!ssh_key_cmp(key, pub_key, SSH_KEY_CMP_PUBLIC)) {
586 ssh_key_free(pub_key);
587 break;
588 }
589
590 ssh_key_free(pub_key);
591 }
592
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]593 if (i < opts->authkey_count) {
594 username = opts->authkeys[i].username;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]595 }
596
597 return username;
598}
599
600static void
601nc_sshcb_auth_pubkey(struct nc_session *session, ssh_message msg)
602{
603 const char *username;
604 int signature_state;
605
606 signature_state = ssh_message_auth_publickey_state(msg);
607 if (signature_state == SSH_PUBLICKEY_STATE_VALID) {
608 VRB("User \"%s\" authenticated.", session->username);
609 session->flags |= NC_SESSION_SSH_AUTHENTICATED;
610 ssh_message_auth_reply_success(msg, 0);
611 return;
612
613 } else if (signature_state == SSH_PUBLICKEY_STATE_NONE) {
Michal Vasko2cc4c682016-03-01 09:16:48 +0100[diff] [blame]614 if ((username = auth_pubkey_compare_key(session->data, ssh_message_auth_pubkey(msg))) == NULL) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]615 VRB("User \"%s\" tried to use an unknown (unauthorized) public key.", session->username);
616
617 } else if (strcmp(session->username, username)) {
618 VRB("User \"%s\" is not the username identified with the presented public key.", session->username);
619
620 } else {
621 /* accepting only the use of a public key */
622 ssh_message_auth_reply_pk_ok_simple(msg);
623 return;
624 }
625 }
626
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]627 ++session->ssh_auth_attempts;
628 VRB("Failed user \"%s\" authentication attempt (#%d).", session->username, session->ssh_auth_attempts);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]629 ssh_message_reply_default(msg);
630}
631
632static int
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]633nc_sshcb_channel_open(struct nc_session *session, ssh_message msg)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]634{
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]635 ssh_channel chan;
636
637 /* first channel request */
638 if (!session->ti.libssh.channel) {
639 if (session->status != NC_STATUS_STARTING) {
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]640 ERRINT;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]641 return -1;
642 }
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]643 chan = ssh_message_channel_request_open_reply_accept(msg);
644 if (!chan) {
645 ERR("Failed to create a new SSH channel.");
646 return -1;
647 }
648 session->ti.libssh.channel = chan;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]649
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]650 /* additional channel request */
651 } else {
652 chan = ssh_message_channel_request_open_reply_accept(msg);
653 if (!chan) {
654 ERR("Session %u: failed to create a new SSH channel.", session->id);
655 return -1;
656 }
657 /* channel was created and libssh stored it internally in the ssh_session structure, good enough */
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]658 }
659
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]660 return 0;
661}
662
663static int
664nc_sshcb_channel_subsystem(struct nc_session *session, ssh_channel channel, const char *subsystem)
665{
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]666 struct nc_session *new_session;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]667
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]668 if (strcmp(subsystem, "netconf")) {
669 WRN("Received an unknown subsystem \"%s\" request.", subsystem);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]670 return -1;
671 }
672
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]673 if (session->ti.libssh.channel == channel) {
674 /* first channel requested */
675 if (session->ti.libssh.next || (session->status != NC_STATUS_STARTING)) {
676 ERRINT;
677 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]678 }
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]679 if (session->flags & NC_SESSION_SSH_SUBSYS_NETCONF) {
680 ERR("Session %u: subsystem \"netconf\" requested for the second time.", session->id);
681 return -1;
682 }
683
684 session->flags |= NC_SESSION_SSH_SUBSYS_NETCONF;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]685 } else {
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]686 /* additional channel subsystem request, new session is ready as far as SSH is concerned */
687 new_session = calloc(1, sizeof *new_session);
Michal Vasko4eb3c312016-03-01 14:09:37 +0100[diff] [blame]688 if (!new_session) {
689 ERRMEM;
690 return -1;
691 }
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]692
693 /* insert the new session */
694 if (!session->ti.libssh.next) {
695 new_session->ti.libssh.next = session;
696 } else {
697 new_session->ti.libssh.next = session->ti.libssh.next;
698 }
699 session->ti.libssh.next = new_session;
700
701 new_session->status = NC_STATUS_STARTING;
702 new_session->side = NC_SERVER;
703 new_session->ti_type = NC_TI_LIBSSH;
704 new_session->ti_lock = session->ti_lock;
705 new_session->ti.libssh.channel = channel;
706 new_session->ti.libssh.session = session->ti.libssh.session;
707 new_session->username = lydict_insert(server_opts.ctx, session->username, 0);
708 new_session->host = lydict_insert(server_opts.ctx, session->host, 0);
709 new_session->port = session->port;
710 new_session->ctx = server_opts.ctx;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]711 new_session->flags = NC_SESSION_SSH_AUTHENTICATED | NC_SESSION_SSH_SUBSYS_NETCONF | NC_SESSION_SHAREDCTX
712 | (session->flags & NC_SESSION_CALLHOME ? NC_SESSION_CALLHOME : 0);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]713 }
714
715 return 0;
716}
717
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]718int
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]719nc_sshcb_msg(ssh_session UNUSED(sshsession), ssh_message msg, void *data)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]720{
721 const char *str_type, *str_subtype = NULL, *username;
722 int subtype, type;
723 struct nc_session *session = (struct nc_session *)data;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]724
725 type = ssh_message_type(msg);
726 subtype = ssh_message_subtype(msg);
727
728 switch (type) {
729 case SSH_REQUEST_AUTH:
730 str_type = "request-auth";
731 switch (subtype) {
732 case SSH_AUTH_METHOD_NONE:
733 str_subtype = "none";
734 break;
735 case SSH_AUTH_METHOD_PASSWORD:
736 str_subtype = "password";
737 break;
738 case SSH_AUTH_METHOD_PUBLICKEY:
739 str_subtype = "publickey";
740 break;
741 case SSH_AUTH_METHOD_HOSTBASED:
742 str_subtype = "hostbased";
743 break;
744 case SSH_AUTH_METHOD_INTERACTIVE:
745 str_subtype = "interactive";
746 break;
747 case SSH_AUTH_METHOD_GSSAPI_MIC:
748 str_subtype = "gssapi-mic";
749 break;
750 }
751 break;
752
753 case SSH_REQUEST_CHANNEL_OPEN:
754 str_type = "request-channel-open";
755 switch (subtype) {
756 case SSH_CHANNEL_SESSION:
757 str_subtype = "session";
758 break;
759 case SSH_CHANNEL_DIRECT_TCPIP:
760 str_subtype = "direct-tcpip";
761 break;
762 case SSH_CHANNEL_FORWARDED_TCPIP:
763 str_subtype = "forwarded-tcpip";
764 break;
765 case (int)SSH_CHANNEL_X11:
766 str_subtype = "channel-x11";
767 break;
768 case SSH_CHANNEL_UNKNOWN:
769 /* fallthrough */
770 default:
771 str_subtype = "unknown";
772 break;
773 }
774 break;
775
776 case SSH_REQUEST_CHANNEL:
777 str_type = "request-channel";
778 switch (subtype) {
779 case SSH_CHANNEL_REQUEST_PTY:
780 str_subtype = "pty";
781 break;
782 case SSH_CHANNEL_REQUEST_EXEC:
783 str_subtype = "exec";
784 break;
785 case SSH_CHANNEL_REQUEST_SHELL:
786 str_subtype = "shell";
787 break;
788 case SSH_CHANNEL_REQUEST_ENV:
789 str_subtype = "env";
790 break;
791 case SSH_CHANNEL_REQUEST_SUBSYSTEM:
792 str_subtype = "subsystem";
793 break;
794 case SSH_CHANNEL_REQUEST_WINDOW_CHANGE:
795 str_subtype = "window-change";
796 break;
797 case SSH_CHANNEL_REQUEST_X11:
798 str_subtype = "x11";
799 break;
800 case SSH_CHANNEL_REQUEST_UNKNOWN:
801 /* fallthrough */
802 default:
803 str_subtype = "unknown";
804 break;
805 }
806 break;
807
808 case SSH_REQUEST_SERVICE:
809 str_type = "request-service";
810 str_subtype = ssh_message_service_service(msg);
811 break;
812
813 case SSH_REQUEST_GLOBAL:
814 str_type = "request-global";
815 switch (subtype) {
816 case SSH_GLOBAL_REQUEST_TCPIP_FORWARD:
817 str_subtype = "tcpip-forward";
818 break;
819 case SSH_GLOBAL_REQUEST_CANCEL_TCPIP_FORWARD:
820 str_subtype = "cancel-tcpip-forward";
821 break;
822 case SSH_GLOBAL_REQUEST_UNKNOWN:
823 /* fallthrough */
824 default:
825 str_subtype = "unknown";
826 break;
827 }
828 break;
829
830 default:
831 str_type = "unknown";
832 str_subtype = "unknown";
833 break;
834 }
835
836 VRB("Received an SSH message \"%s\" of subtype \"%s\".", str_type, str_subtype);
Michal Vaskoce319162016-02-03 15:33:08 +0100[diff] [blame]837 if ((session->status == NC_STATUS_CLOSING) || (session->status == NC_STATUS_INVALID)) {
838 /* "valid" situation if, for example, receiving some auth or channel request timeouted,
839 * but we got it now, during session free */
840 VRB("SSH message arrived on a %s session, the request will be denied.",
841 (session->status == NC_STATUS_CLOSING ? "closing" : "invalid"));
842 ssh_message_reply_default(msg);
843 return 0;
844 }
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]845 session->flags |= NC_SESSION_SSH_NEW_MSG;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]846
847 /*
848 * process known messages
849 */
850 if (type == SSH_REQUEST_AUTH) {
851 if (session->flags & NC_SESSION_SSH_AUTHENTICATED) {
852 ERR("User \"%s\" authenticated, but requested another authentication.", session->username);
853 ssh_message_reply_default(msg);
854 return 0;
855 }
856
Michal Vasko2cc4c682016-03-01 09:16:48 +0100[diff] [blame]857 if (session->ssh_auth_attempts >= ((struct nc_server_ssh_opts *)session->data)->auth_attempts) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]858 /* too many failed attempts */
859 ssh_message_reply_default(msg);
860 return 0;
861 }
862
863 /* save the username, do not let the client change it */
864 username = ssh_message_auth_user(msg);
865 if (!session->username) {
866 if (!username) {
867 ERR("Denying an auth request without a username.");
868 return 1;
869 }
870
Michal Vasko05ba9df2016-01-13 14:40:27 +0100[diff] [blame]871 session->username = lydict_insert(server_opts.ctx, username, 0);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]872 } else if (username) {
873 if (strcmp(username, session->username)) {
874 ERR("User \"%s\" changed its username to \"%s\".", session->username, username);
875 session->status = NC_STATUS_INVALID;
Michal Vasko428087d2016-01-14 16:04:28 +0100[diff] [blame]876 session->term_reason = NC_SESSION_TERM_OTHER;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]877 return 1;
878 }
879 }
880
881 if (subtype == SSH_AUTH_METHOD_NONE) {
882 /* libssh will return the supported auth methods */
883 return 1;
884 } else if (subtype == SSH_AUTH_METHOD_PASSWORD) {
885 nc_sshcb_auth_password(session, msg);
886 return 0;
887 } else if (subtype == SSH_AUTH_METHOD_PUBLICKEY) {
888 nc_sshcb_auth_pubkey(session, msg);
889 return 0;
890 } else if (subtype == SSH_AUTH_METHOD_INTERACTIVE) {
891 nc_sshcb_auth_kbdint(session, msg);
892 return 0;
893 }
894 } else if (session->flags & NC_SESSION_SSH_AUTHENTICATED) {
Michal Vasko0df67562016-01-21 15:50:11 +0100[diff] [blame]895 if ((type == SSH_REQUEST_CHANNEL_OPEN) && ((enum ssh_channel_type_e)subtype == SSH_CHANNEL_SESSION)) {
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]896 if (nc_sshcb_channel_open(session, msg)) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]897 ssh_message_reply_default(msg);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]898 }
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]899 return 0;
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]900
Michal Vasko0df67562016-01-21 15:50:11 +0100[diff] [blame]901 } else if ((type == SSH_REQUEST_CHANNEL) && ((enum ssh_channel_requests_e)subtype == SSH_CHANNEL_REQUEST_SUBSYSTEM)) {
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]902 if (nc_sshcb_channel_subsystem(session, ssh_message_channel_request_channel(msg),
903 ssh_message_channel_request_subsystem(msg))) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]904 ssh_message_reply_default(msg);
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]905 } else {
906 ssh_message_channel_request_reply_success(msg);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]907 }
908 return 0;
909 }
910 }
911
912 /* we did not process it */
913 return 1;
914}
915
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]916/* ret 1 on success, 0 on timeout, -1 on error */
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]917static int
918nc_open_netconf_channel(struct nc_session *session, int timeout)
919{
Michal Vasko62be1ce2016-03-03 13:24:52 +0100[diff] [blame]920 int elapsed_usec = 0, ret;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]921
922 /* message callback is executed twice to give chance for the channel to be
923 * created if timeout == 0 (it takes 2 messages, channel-open, subsystem-request) */
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]924 if (!timeout) {
Michal Vasko2a7d4732016-01-15 09:24:46 +0100[diff] [blame]925 if (!nc_session_is_connected(session)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]926 ERR("Communication socket unexpectedly closed (libssh).");
Michal Vasko2a7d4732016-01-15 09:24:46 +0100[diff] [blame]927 return -1;
928 }
929
Michal Vasko62be1ce2016-03-03 13:24:52 +0100[diff] [blame]930 ret = nc_timedlock(session->ti_lock, timeout);
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]931 if (ret != 1) {
932 return ret;
933 }
934
935 ret = ssh_execute_message_callbacks(session->ti.libssh.session);
936 if (ret != SSH_OK) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]937 ERR("Failed to receive SSH messages on a session (%s).",
938 ssh_get_error(session->ti.libssh.session));
Michal Vasko11d142a2016-01-19 15:58:24 +0100[diff] [blame]939 pthread_mutex_unlock(session->ti_lock);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]940 return -1;
941 }
942
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]943 if (!session->ti.libssh.channel) {
944 /* we did not receive channel-open, timeout */
945 pthread_mutex_unlock(session->ti_lock);
946 return 0;
947 }
948
949 ret = ssh_execute_message_callbacks(session->ti.libssh.session);
950 if (ret != SSH_OK) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]951 ERR("Failed to receive SSH messages on a session (%s).",
952 ssh_get_error(session->ti.libssh.session));
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]953 pthread_mutex_unlock(session->ti_lock);
954 return -1;
955 }
956 pthread_mutex_unlock(session->ti_lock);
957
958 if (!(session->flags & NC_SESSION_SSH_SUBSYS_NETCONF)) {
959 /* we did not receive subsystem-request, timeout */
960 return 0;
961 }
962
963 return 1;
964 }
965
966 while (1) {
967 if (!nc_session_is_connected(session)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]968 ERR("Communication socket unexpectedly closed (libssh).");
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]969 return -1;
970 }
971
Michal Vasko62be1ce2016-03-03 13:24:52 +0100[diff] [blame]972 ret = nc_timedlock(session->ti_lock, timeout);
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]973 if (ret != 1) {
974 return ret;
975 }
976
977 ret = ssh_execute_message_callbacks(session->ti.libssh.session);
978 if (ret != SSH_OK) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]979 ERR("Failed to receive SSH messages on a session (%s).",
980 ssh_get_error(session->ti.libssh.session));
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]981 pthread_mutex_unlock(session->ti_lock);
982 return -1;
983 }
984
985 pthread_mutex_unlock(session->ti_lock);
986
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]987 if (session->ti.libssh.channel && (session->flags & NC_SESSION_SSH_SUBSYS_NETCONF)) {
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]988 return 1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]989 }
990
Michal Vasko105bf272016-02-03 15:34:35 +0100[diff] [blame]991 if ((timeout != -1) && (elapsed_usec / 1000 >= timeout)) {
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]992 /* timeout */
Michal Vasko842522c2016-03-01 09:20:13 +0100[diff] [blame]993 ERR("Failed to start \"netconf\" SSH subsystem for too long, disconnecting.");
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]994 break;
995 }
996
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]997 usleep(NC_TIMEOUT_STEP);
Michal Vasko105bf272016-02-03 15:34:35 +0100[diff] [blame]998 elapsed_usec += NC_TIMEOUT_STEP;
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]999 }
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1000
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1001 return 0;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1002}
1003
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1004/* ret 0 - timeout, 1 channel has data, 2 some other channel has data,
1005 * 3 status change, 4 new SSH message, 5 new NETCONF SSH channel, -1 error */
1006int
Michal Vasko62be1ce2016-03-03 13:24:52 +0100[diff] [blame]1007nc_ssh_pollin(struct nc_session *session, int timeout)
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1008{
Michal Vasko62be1ce2016-03-03 13:24:52 +0100[diff] [blame]1009 int ret;
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1010 struct nc_session *new;
1011
Michal Vasko62be1ce2016-03-03 13:24:52 +0100[diff] [blame]1012 ret = nc_timedlock(session->ti_lock, timeout);
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1013
1014 if (ret != 1) {
1015 return ret;
1016 }
1017
1018 ret = ssh_execute_message_callbacks(session->ti.libssh.session);
1019 pthread_mutex_unlock(session->ti_lock);
1020
1021 if (ret != SSH_OK) {
1022 ERR("Session %u: failed to receive SSH messages (%s).", session->id,
1023 ssh_get_error(session->ti.libssh.session));
1024 session->status = NC_STATUS_INVALID;
1025 session->term_reason = NC_SESSION_TERM_OTHER;
1026 return 3;
1027 }
1028
1029 /* new SSH message */
1030 if (session->flags & NC_SESSION_SSH_NEW_MSG) {
1031 session->flags &= ~NC_SESSION_SSH_NEW_MSG;
1032 if (session->ti.libssh.next) {
1033 for (new = session->ti.libssh.next; new != session; new = new->ti.libssh.next) {
1034 if ((new->status == NC_STATUS_STARTING) && new->ti.libssh.channel
1035 && (new->flags & NC_SESSION_SSH_SUBSYS_NETCONF)) {
1036 /* new NETCONF SSH channel */
1037 return 5;
1038 }
1039 }
1040 }
1041
1042 /* just some SSH message */
1043 return 4;
1044 }
1045
1046 /* no new SSH message, maybe NETCONF data? */
1047 ret = ssh_channel_poll_timeout(session->ti.libssh.channel, 0, 0);
1048 /* not this one */
1049 if (!ret) {
1050 return 2;
1051 } else if (ret == SSH_ERROR) {
1052 ERR("Session %u: SSH channel error (%s).", session->id,
1053 ssh_get_error(session->ti.libssh.session));
1054 session->status = NC_STATUS_INVALID;
1055 session->term_reason = NC_SESSION_TERM_OTHER;
1056 return 3;
1057 } else if (ret == SSH_EOF) {
1058 ERR("Session %u: communication channel unexpectedly closed (libssh).",
1059 session->id);
1060 session->status = NC_STATUS_INVALID;
1061 session->term_reason = NC_SESSION_TERM_DROPPED;
1062 return 3;
1063 }
1064
1065 return 1;
1066}
1067
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1068API int
Michal Vasko8f5270d2016-02-29 16:22:25 +0100[diff] [blame]1069nc_connect_callhome_ssh(const char *host, uint16_t port, struct nc_session **session)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1070{
Michal Vasko8f5270d2016-02-29 16:22:25 +0100[diff] [blame]1071 return nc_connect_callhome(host, port, NC_TI_LIBSSH, session);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1072}
1073
1074int
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]1075nc_accept_ssh_session(struct nc_session *session, int sock, int timeout)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1076{
1077 struct nc_server_ssh_opts *opts;
Michal Vasko72387da2016-02-02 15:52:41 +0100[diff] [blame]1078 int libssh_auth_methods = 0, elapsed_usec = 0, ret;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1079
Michal Vasko2cc4c682016-03-01 09:16:48 +0100[diff] [blame]1080 opts = session->data;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1081
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1082 /* other transport-specific data */
1083 session->ti_type = NC_TI_LIBSSH;
1084 session->ti.libssh.session = ssh_new();
1085 if (!session->ti.libssh.session) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1086 ERR("Failed to initialize a new SSH session.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1087 close(sock);
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1088 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1089 }
1090
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1091 if (opts->auth_methods & NC_SSH_AUTH_PUBLICKEY) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1092 libssh_auth_methods |= SSH_AUTH_METHOD_PUBLICKEY;
1093 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1094 if (opts->auth_methods & NC_SSH_AUTH_PASSWORD) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1095 libssh_auth_methods |= SSH_AUTH_METHOD_PASSWORD;
1096 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1097 if (opts->auth_methods & NC_SSH_AUTH_INTERACTIVE) {
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1098 libssh_auth_methods |= SSH_AUTH_METHOD_INTERACTIVE;
1099 }
1100 ssh_set_auth_methods(session->ti.libssh.session, libssh_auth_methods);
1101
1102 ssh_set_message_callback(session->ti.libssh.session, nc_sshcb_msg, session);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1103 /* remember that this session was just set as nc_sshcb_msg() parameter */
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1104 session->flags |= NC_SESSION_SSH_MSG_CB;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1105
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1106 if (ssh_bind_accept_fd(opts->sshbind, session->ti.libssh.session, sock) == SSH_ERROR) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1107 ERR("SSH failed to accept a new connection (%s).", ssh_get_error(opts->sshbind));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1108 close(sock);
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1109 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1110 }
1111
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]1112 ssh_set_blocking(session->ti.libssh.session, 0);
1113
1114 while ((ret = ssh_handle_key_exchange(session->ti.libssh.session)) == SSH_AGAIN) {
Michal Vaskoe65b4492016-03-03 11:57:51 +0100[diff] [blame]1115 /* this tends to take longer */
1116 usleep(NC_TIMEOUT_STEP * 20);
1117 elapsed_usec += NC_TIMEOUT_STEP * 20;
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]1118 if ((timeout > -1) && (elapsed_usec / 1000 >= timeout)) {
1119 break;
1120 }
1121 }
1122 if (ret == SSH_AGAIN) {
1123 ERR("SSH key exchange timeout.");
1124 return 0;
1125 } else if (ret != SSH_OK) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1126 ERR("SSH key exchange error (%s).", ssh_get_error(session->ti.libssh.session));
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1127 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1128 }
1129
1130 /* authenticate */
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]1131 elapsed_usec = 0;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1132 do {
Michal Vasko2a7d4732016-01-15 09:24:46 +0100[diff] [blame]1133 if (!nc_session_is_connected(session)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1134 ERR("Communication socket unexpectedly closed (libssh).");
Michal Vasko2a7d4732016-01-15 09:24:46 +0100[diff] [blame]1135 return -1;
1136 }
1137
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1138 if (ssh_execute_message_callbacks(session->ti.libssh.session) != SSH_OK) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1139 ERR("Failed to receive SSH messages on a session (%s).",
1140 ssh_get_error(session->ti.libssh.session));
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1141 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1142 }
1143
1144 if (session->flags & NC_SESSION_SSH_AUTHENTICATED) {
1145 break;
1146 }
1147
1148 usleep(NC_TIMEOUT_STEP);
Michal Vasko72387da2016-02-02 15:52:41 +0100[diff] [blame]1149 elapsed_usec += NC_TIMEOUT_STEP;
Michal Vaskoab639942016-02-29 16:23:47 +0100[diff] [blame]1150 } while (!opts->auth_timeout || (elapsed_usec / 1000000 < opts->auth_timeout));
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1151
1152 if (!(session->flags & NC_SESSION_SSH_AUTHENTICATED)) {
1153 /* timeout */
Michal Vasko842522c2016-03-01 09:20:13 +0100[diff] [blame]1154 ERR("Client failed to authenticate for too long, disconnecting.");
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1155 return 0;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1156 }
1157
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1158 /* open channel */
Michal Vaskoab639942016-02-29 16:23:47 +0100[diff] [blame]1159 ret = nc_open_netconf_channel(session, opts->auth_timeout ? (opts->auth_timeout * 1000 - elapsed_usec / 1000) : -1);
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1160 if (ret < 1) {
1161 return ret;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1162 }
1163
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1164 session->flags &= ~NC_SESSION_SSH_NEW_MSG;
1165
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1166 return 1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1167}
1168
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1169API int
1170nc_ps_accept_ssh_channel(struct nc_pollsession *ps, struct nc_session **session)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1171{
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1172 struct nc_session *new_session = NULL;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1173 uint16_t i;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1174
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1175 if (!ps || !session) {
1176 ERRARG;
1177 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1178 }
1179
Michal Vasko48a63ed2016-03-01 09:48:21 +0100[diff] [blame]1180 /* LOCK */
1181 pthread_mutex_lock(&ps->lock);
1182
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1183 for (i = 0; i < ps->session_count; ++i) {
1184 if ((ps->sessions[i]->status == NC_STATUS_RUNNING) && (ps->sessions[i]->ti_type == NC_TI_LIBSSH)
1185 && ps->sessions[i]->ti.libssh.next) {
1186 /* an SSH session with more channels */
1187 for (new_session = ps->sessions[i]->ti.libssh.next;
1188 new_session != ps->sessions[i];
1189 new_session = new_session->ti.libssh.next) {
1190 if ((new_session->status == NC_STATUS_STARTING) && new_session->ti.libssh.channel
1191 && (new_session->flags & NC_SESSION_SSH_SUBSYS_NETCONF)) {
1192 /* we found our session */
1193 break;
1194 }
1195 }
1196 if (new_session != ps->sessions[i]) {
1197 break;
1198 }
Michal Vaskofb89d772016-01-08 12:25:35 +0100[diff] [blame]1199
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1200 new_session = NULL;
1201 }
1202 }
Michal Vaskofb89d772016-01-08 12:25:35 +0100[diff] [blame]1203
Michal Vasko48a63ed2016-03-01 09:48:21 +0100[diff] [blame]1204 /* UNLOCK */
1205 pthread_mutex_unlock(&ps->lock);
1206
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1207 if (!new_session) {
1208 ERR("No session with a NETCONF SSH channel ready was found.");
1209 return -1;
1210 }
1211
1212 /* assign new SID atomically */
1213 pthread_spin_lock(&server_opts.sid_lock);
1214 new_session->id = server_opts.new_session_id++;
1215 pthread_spin_unlock(&server_opts.sid_lock);
Michal Vaskofb89d772016-01-08 12:25:35 +0100[diff] [blame]1216
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1217 /* NETCONF handshake */
1218 if (nc_handshake(new_session)) {
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1219 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1220 }
Michal Vasko48a63ed2016-03-01 09:48:21 +0100[diff] [blame]1221
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1222 new_session->status = NC_STATUS_RUNNING;
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1223 *session = new_session;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1224
Michal Vasko96164bf2016-01-21 15:41:58 +0100[diff] [blame]1225 return 0;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1226}