blob: 9907a331c94baec2e4fedee19cea4af2d63721f7 [file] [log] [blame]
Michal Vasko086311b2016-01-08 09:53:11 +01001/**
Michal Vasko95ea9ff2021-11-09 12:29:14 +01002 * @file session_server_ssh.c
3 * @author Michal Vasko <mvasko@cesnet.cz>
4 * @brief libnetconf2 SSH server session manipulation functions
Michal Vasko086311b2016-01-08 09:53:11 +01005 *
Michal Vasko95ea9ff2021-11-09 12:29:14 +01006 * @copyright
7 * Copyright (c) 2017 - 2021 CESNET, z.s.p.o.
Michal Vasko086311b2016-01-08 09:53:11 +01008 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +01009 * This source code is licensed under BSD 3-Clause License (the "License").
10 * You may not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
Michal Vaskoafd416b2016-02-25 14:51:46 +010012 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +010013 * https://opensource.org/licenses/BSD-3-Clause
Michal Vasko086311b2016-01-08 09:53:11 +010014 */
15
16#define _GNU_SOURCE
17
apropp-molex4e903c32020-04-20 03:06:58 -040018#include "config.h" /* Expose HAVE_SHADOW and HAVE_CRYPT */
19
20#ifdef HAVE_SHADOW
21 #include <shadow.h>
22#endif
23#ifdef HAVE_CRYPT
24 #include <crypt.h>
25#endif
Michal Vasko0d81c572022-09-26 10:39:31 +020026#ifdef HAVE_LIBPAM
27 #include <security/pam_appl.h>
28#endif
apropp-molex4e903c32020-04-20 03:06:58 -040029
Michal Vaskob83a3fa2021-05-26 09:53:42 +020030#include <errno.h>
31#include <fcntl.h>
32#include <pwd.h>
Michal Vasko086311b2016-01-08 09:53:11 +010033#include <stdlib.h>
34#include <string.h>
Michal Vasko27252692017-03-21 15:34:13 +010035#include <sys/stat.h>
Michal Vaskob83a3fa2021-05-26 09:53:42 +020036#include <sys/types.h>
Michal Vasko9f6275e2017-10-05 13:50:05 +020037#include <time.h>
Claus Klein22091912020-01-20 13:45:47 +010038#include <unistd.h>
Michal Vasko086311b2016-01-08 09:53:11 +010039
Michal Vasko7a20d2e2021-05-19 16:40:23 +020040#include "compat.h"
41#include "libnetconf.h"
Michal Vasko11d142a2016-01-19 15:58:24 +010042#include "session_server.h"
Michal Vaskoe22c6732016-01-29 11:03:02 +010043#include "session_server_ch.h"
Michal Vasko086311b2016-01-08 09:53:11 +010044
Michal Vaskob83a3fa2021-05-26 09:53:42 +020045#if !defined (HAVE_CRYPT_R)
Mislav Novakovicce9a7ef2017-08-08 13:45:52 +020046pthread_mutex_t crypt_lock = PTHREAD_MUTEX_INITIALIZER;
47#endif
48
Michal Vasko086311b2016-01-08 09:53:11 +010049extern struct nc_server_opts server_opts;
Michal Vaskob05053d2016-01-22 16:12:06 +010050
Michal Vasko4c1fb492017-01-30 14:31:07 +010051static char *
Michal Vaskoddce1212019-05-24 09:58:49 +020052base64der_key_to_tmp_file(const char *in, const char *key_str)
Michal Vasko086311b2016-01-08 09:53:11 +010053{
Michal Vasko4c1fb492017-01-30 14:31:07 +010054 char path[12] = "/tmp/XXXXXX";
55 int fd, written;
Michal Vasko27252692017-03-21 15:34:13 +010056 mode_t umode;
Michal Vasko4c1fb492017-01-30 14:31:07 +010057 FILE *file;
58
59 if (in == NULL) {
60 return NULL;
Michal Vasko086311b2016-01-08 09:53:11 +010061 }
62
mekleob31878b2019-09-09 14:10:47 +020063 umode = umask(0177);
Michal Vasko4c1fb492017-01-30 14:31:07 +010064 fd = mkstemp(path);
Michal Vasko27252692017-03-21 15:34:13 +010065 umask(umode);
Michal Vasko4c1fb492017-01-30 14:31:07 +010066 if (fd == -1) {
67 return NULL;
68 }
69
Michal Vasko3964a832018-09-18 14:37:39 +020070 file = fdopen(fd, "w");
Michal Vasko4c1fb492017-01-30 14:31:07 +010071 if (!file) {
72 close(fd);
73 return NULL;
74 }
75
76 /* write the key into the file */
Michal Vasko68177b72020-04-27 15:46:53 +020077 if (key_str) {
78 written = fwrite("-----BEGIN ", 1, 11, file);
79 written += fwrite(key_str, 1, strlen(key_str), file);
80 written += fwrite(" PRIVATE KEY-----\n", 1, 18, file);
81 written += fwrite(in, 1, strlen(in), file);
82 written += fwrite("\n-----END ", 1, 10, file);
83 written += fwrite(key_str, 1, strlen(key_str), file);
84 written += fwrite(" PRIVATE KEY-----", 1, 17, file);
Michal Vasko4c1fb492017-01-30 14:31:07 +010085
Michal Vasko68177b72020-04-27 15:46:53 +020086 fclose(file);
87 if ((unsigned)written != 11 + strlen(key_str) + 18 + strlen(in) + 10 + strlen(key_str) + 17) {
88 unlink(path);
89 return NULL;
90 }
91 } else {
92 written = fwrite("-----BEGIN PRIVATE KEY-----\n", 1, 28, file);
93 written += fwrite(in, 1, strlen(in), file);
94 written += fwrite("\n-----END PRIVATE KEY-----", 1, 26, file);
95
96 fclose(file);
97 if ((unsigned)written != 28 + strlen(in) + 26) {
98 unlink(path);
99 return NULL;
100 }
Michal Vasko4c1fb492017-01-30 14:31:07 +0100101 }
102
103 return strdup(path);
104}
105
106static int
Michal Vasko7d255882017-02-09 13:35:08 +0100107nc_server_ssh_add_hostkey(const char *name, int16_t idx, struct nc_server_ssh_opts *opts)
Michal Vasko4c1fb492017-01-30 14:31:07 +0100108{
Michal Vaskofbfe8b62017-02-14 10:22:30 +0100109 uint8_t i;
110
Michal Vasko4c1fb492017-01-30 14:31:07 +0100111 if (!name) {
112 ERRARG("name");
Michal Vasko5fcc7142016-02-02 12:21:10 +0100113 return -1;
Michal Vasko7d255882017-02-09 13:35:08 +0100114 } else if (idx > opts->hostkey_count) {
115 ERRARG("idx");
116 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100117 }
Michal Vaskod45e25a2016-01-08 15:48:44 +0100118
Michal Vaskofbfe8b62017-02-14 10:22:30 +0100119 for (i = 0; i < opts->hostkey_count; ++i) {
120 if (!strcmp(opts->hostkeys[i], name)) {
121 ERRARG("name");
122 return -1;
123 }
124 }
125
Michal Vaskoe2713da2016-08-22 16:06:40 +0200126 ++opts->hostkey_count;
127 opts->hostkeys = nc_realloc(opts->hostkeys, opts->hostkey_count * sizeof *opts->hostkeys);
128 if (!opts->hostkeys) {
129 ERRMEM;
130 return -1;
131 }
Michal Vasko7d255882017-02-09 13:35:08 +0100132
133 if (idx < 0) {
134 idx = opts->hostkey_count - 1;
135 }
136 if (idx != opts->hostkey_count - 1) {
137 memmove(opts->hostkeys + idx + 1, opts->hostkeys + idx, opts->hostkey_count - idx);
138 }
Michal Vasko93224072021-11-09 12:14:28 +0100139 opts->hostkeys[idx] = strdup(name);
Michal Vaskoe2713da2016-08-22 16:06:40 +0200140
Michal Vasko5fcc7142016-02-02 12:21:10 +0100141 return 0;
Michal Vaskob05053d2016-01-22 16:12:06 +0100142}
143
144API int
Michal Vasko7d255882017-02-09 13:35:08 +0100145nc_server_ssh_endpt_add_hostkey(const char *endpt_name, const char *name, int16_t idx)
Michal Vaskob05053d2016-01-22 16:12:06 +0100146{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100147 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100148 struct nc_endpt *endpt;
149
Michal Vasko51e514d2016-02-02 15:51:52 +0100150 /* LOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +0100151 endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_LIBSSH, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100152 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100153 return -1;
154 }
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200155
Michal Vasko7d255882017-02-09 13:35:08 +0100156 ret = nc_server_ssh_add_hostkey(name, idx, endpt->opts.ssh);
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200157
Michal Vasko51e514d2016-02-02 15:51:52 +0100158 /* UNLOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +0100159 pthread_rwlock_unlock(&server_opts.endpt_lock);
Michal Vasko3031aae2016-01-27 16:07:18 +0100160
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100161 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100162}
163
Michal Vasko974410a2018-04-03 09:36:57 +0200164API void
165nc_server_ssh_set_passwd_auth_clb(int (*passwd_auth_clb)(const struct nc_session *session, const char *password, void *user_data),
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200166 void *user_data, void (*free_user_data)(void *user_data))
Michal Vasko974410a2018-04-03 09:36:57 +0200167{
168 server_opts.passwd_auth_clb = passwd_auth_clb;
169 server_opts.passwd_auth_data = user_data;
170 server_opts.passwd_auth_data_free = free_user_data;
171}
172
bhart1bb7cdb2018-07-02 15:03:30 -0500173API void
174nc_server_ssh_set_interactive_auth_clb(int (*interactive_auth_clb)(const struct nc_session *session, ssh_message msg, void *user_data),
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200175 void *user_data, void (*free_user_data)(void *user_data))
bhart1bb7cdb2018-07-02 15:03:30 -0500176{
177 server_opts.interactive_auth_clb = interactive_auth_clb;
178 server_opts.interactive_auth_data = user_data;
179 server_opts.interactive_auth_data_free = free_user_data;
180}
Michal Vasko733c0bd2018-07-03 13:14:40 +0200181
roman41a11e42022-06-22 09:27:08 +0200182API int
183nc_server_ssh_set_pam_conf_path(const char *conf_name, const char *conf_dir)
184{
Michal Vasko0d81c572022-09-26 10:39:31 +0200185#ifdef HAVE_LIBPAM
roman41a11e42022-06-22 09:27:08 +0200186 free(server_opts.conf_name);
187 free(server_opts.conf_dir);
188 server_opts.conf_name = NULL;
189 server_opts.conf_dir = NULL;
190
191 if (conf_dir) {
Michal Vasko0d81c572022-09-26 10:39:31 +0200192# ifdef LIBPAM_HAVE_CONFDIR
roman41a11e42022-06-22 09:27:08 +0200193 server_opts.conf_dir = strdup(conf_dir);
194 if (!(server_opts.conf_dir)) {
195 ERRMEM;
196 return -1;
197 }
Michal Vasko0d81c572022-09-26 10:39:31 +0200198# else
roman41a11e42022-06-22 09:27:08 +0200199 ERR(NULL, "Failed to set PAM config directory because of old version of PAM. "
200 "Put the config file in the system directory (usually /etc/pam.d/).");
201 return -1;
Michal Vasko0d81c572022-09-26 10:39:31 +0200202# endif
roman41a11e42022-06-22 09:27:08 +0200203 }
204
205 if (conf_name) {
206 server_opts.conf_name = strdup(conf_name);
207 if (!(server_opts.conf_name)) {
208 ERRMEM;
209 return -1;
210 }
211 }
212
213 return 0;
Michal Vasko0d81c572022-09-26 10:39:31 +0200214#else
215 (void)conf_name;
216 (void)conf_dir;
217
218 ERR(NULL, "PAM-based SSH authentication is not supported.");
219 return -1;
220#endif
roman41a11e42022-06-22 09:27:08 +0200221}
222
bhart1bb7cdb2018-07-02 15:03:30 -0500223API void
224nc_server_ssh_set_pubkey_auth_clb(int (*pubkey_auth_clb)(const struct nc_session *session, ssh_key key, void *user_data),
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200225 void *user_data, void (*free_user_data)(void *user_data))
bhart1bb7cdb2018-07-02 15:03:30 -0500226{
227 server_opts.pubkey_auth_clb = pubkey_auth_clb;
228 server_opts.pubkey_auth_data = user_data;
229 server_opts.pubkey_auth_data_free = free_user_data;
230}
231
Michal Vaskob05053d2016-01-22 16:12:06 +0100232API int
Michal Vaskoadf30f02019-06-24 09:34:47 +0200233nc_server_ssh_ch_client_endpt_add_hostkey(const char *client_name, const char *endpt_name, const char *name, int16_t idx)
Michal Vaskob05053d2016-01-22 16:12:06 +0100234{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100235 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +0200236 struct nc_ch_client *client;
Michal Vaskoadf30f02019-06-24 09:34:47 +0200237 struct nc_ch_endpt *endpt;
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100238
Michal Vasko2e6defd2016-10-07 15:48:15 +0200239 /* LOCK */
Michal Vaskoadf30f02019-06-24 09:34:47 +0200240 endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_LIBSSH, &client);
241 if (!endpt) {
Michal Vasko2e6defd2016-10-07 15:48:15 +0200242 return -1;
243 }
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200244
Michal Vaskoadf30f02019-06-24 09:34:47 +0200245 ret = nc_server_ssh_add_hostkey(name, idx, endpt->opts.ssh);
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200246
Michal Vasko2e6defd2016-10-07 15:48:15 +0200247 /* UNLOCK */
248 nc_server_ch_client_unlock(client);
Michal Vaskoe2713da2016-08-22 16:06:40 +0200249
250 return ret;
251}
252
Michal Vasko4c1fb492017-01-30 14:31:07 +0100253API void
254nc_server_ssh_set_hostkey_clb(int (*hostkey_clb)(const char *name, void *user_data, char **privkey_path,
Michal Vaskoe49a15f2019-05-27 14:18:36 +0200255 char **privkey_data, NC_SSH_KEY_TYPE *privkey_type), void *user_data, void (*free_user_data)(void *user_data))
Michal Vasko4c1fb492017-01-30 14:31:07 +0100256{
257 if (!hostkey_clb) {
258 ERRARG("hostkey_clb");
259 return;
260 }
261
262 server_opts.hostkey_clb = hostkey_clb;
263 server_opts.hostkey_data = user_data;
264 server_opts.hostkey_data_free = free_user_data;
265}
266
Michal Vaskoe2713da2016-08-22 16:06:40 +0200267static int
Michal Vasko7d255882017-02-09 13:35:08 +0100268nc_server_ssh_del_hostkey(const char *name, int16_t idx, struct nc_server_ssh_opts *opts)
Michal Vaskoe2713da2016-08-22 16:06:40 +0200269{
270 uint8_t i;
271
Michal Vasko7d255882017-02-09 13:35:08 +0100272 if (name && (idx > -1)) {
273 ERRARG("name and idx");
274 return -1;
275 } else if (idx >= opts->hostkey_count) {
276 ERRARG("idx");
277 }
278
279 if (!name && (idx < 0)) {
Michal Vaskoe2713da2016-08-22 16:06:40 +0200280 for (i = 0; i < opts->hostkey_count; ++i) {
Michal Vasko93224072021-11-09 12:14:28 +0100281 free(opts->hostkeys[i]);
Michal Vaskoe2713da2016-08-22 16:06:40 +0200282 }
283 free(opts->hostkeys);
284 opts->hostkeys = NULL;
285 opts->hostkey_count = 0;
Michal Vasko7d255882017-02-09 13:35:08 +0100286 } else if (name) {
Michal Vaskoe2713da2016-08-22 16:06:40 +0200287 for (i = 0; i < opts->hostkey_count; ++i) {
Michal Vasko4c1fb492017-01-30 14:31:07 +0100288 if (!strcmp(opts->hostkeys[i], name)) {
Michal Vasko7d255882017-02-09 13:35:08 +0100289 idx = i;
290 goto remove_idx;
Michal Vaskoe2713da2016-08-22 16:06:40 +0200291 }
292 }
293
Michal Vasko7d255882017-02-09 13:35:08 +0100294 ERRARG("name");
Michal Vaskoe2713da2016-08-22 16:06:40 +0200295 return -1;
Michal Vasko7d255882017-02-09 13:35:08 +0100296 } else {
297remove_idx:
298 --opts->hostkey_count;
Michal Vasko93224072021-11-09 12:14:28 +0100299 free(opts->hostkeys[idx]);
Michal Vasko7d255882017-02-09 13:35:08 +0100300 if (idx < opts->hostkey_count - 1) {
301 memmove(opts->hostkeys + idx, opts->hostkeys + idx + 1, (opts->hostkey_count - idx) * sizeof *opts->hostkeys);
302 }
303 if (!opts->hostkey_count) {
304 free(opts->hostkeys);
305 opts->hostkeys = NULL;
306 }
Michal Vaskoe2713da2016-08-22 16:06:40 +0200307 }
308
309 return 0;
310}
311
312API int
Michal Vasko7d255882017-02-09 13:35:08 +0100313nc_server_ssh_endpt_del_hostkey(const char *endpt_name, const char *name, int16_t idx)
Michal Vaskoe2713da2016-08-22 16:06:40 +0200314{
315 int ret;
316 struct nc_endpt *endpt;
317
318 /* LOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +0100319 endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_LIBSSH, NULL);
Michal Vaskoe2713da2016-08-22 16:06:40 +0200320 if (!endpt) {
321 return -1;
322 }
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200323
Michal Vasko7d255882017-02-09 13:35:08 +0100324 ret = nc_server_ssh_del_hostkey(name, idx, endpt->opts.ssh);
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200325
Michal Vaskoe2713da2016-08-22 16:06:40 +0200326 /* UNLOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +0100327 pthread_rwlock_unlock(&server_opts.endpt_lock);
Michal Vaskoe2713da2016-08-22 16:06:40 +0200328
329 return ret;
330}
331
332API int
Michal Vaskoadf30f02019-06-24 09:34:47 +0200333nc_server_ssh_ch_client_endpt_del_hostkey(const char *client_name, const char *endpt_name, const char *name, int16_t idx)
Michal Vaskoe2713da2016-08-22 16:06:40 +0200334{
335 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +0200336 struct nc_ch_client *client;
Michal Vaskoadf30f02019-06-24 09:34:47 +0200337 struct nc_ch_endpt *endpt;
Michal Vaskoe2713da2016-08-22 16:06:40 +0200338
Michal Vasko2e6defd2016-10-07 15:48:15 +0200339 /* LOCK */
Michal Vaskoadf30f02019-06-24 09:34:47 +0200340 endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_LIBSSH, &client);
341 if (!endpt) {
Michal Vasko2e6defd2016-10-07 15:48:15 +0200342 return -1;
343 }
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200344
Michal Vaskoadf30f02019-06-24 09:34:47 +0200345 ret = nc_server_ssh_del_hostkey(name, idx, endpt->opts.ssh);
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200346
Michal Vasko2e6defd2016-10-07 15:48:15 +0200347 /* UNLOCK */
348 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100349
350 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100351}
352
353static int
Michal Vaskofbfe8b62017-02-14 10:22:30 +0100354nc_server_ssh_mov_hostkey(const char *key_mov, const char *key_after, struct nc_server_ssh_opts *opts)
355{
356 uint8_t i;
357 int16_t mov_idx = -1, after_idx = -1;
Michal Vasko93224072021-11-09 12:14:28 +0100358 char *bckup;
Michal Vaskofbfe8b62017-02-14 10:22:30 +0100359
360 if (!key_mov) {
361 ERRARG("key_mov");
362 return -1;
363 }
364
365 for (i = 0; i < opts->hostkey_count; ++i) {
366 if (key_after && (after_idx == -1) && !strcmp(opts->hostkeys[i], key_after)) {
367 after_idx = i;
368 }
369 if ((mov_idx == -1) && !strcmp(opts->hostkeys[i], key_mov)) {
370 mov_idx = i;
371 }
372
373 if ((!key_after || (after_idx > -1)) && (mov_idx > -1)) {
374 break;
375 }
376 }
377
378 if (key_after && (after_idx == -1)) {
379 ERRARG("key_after");
380 return -1;
381 }
382 if (mov_idx == -1) {
383 ERRARG("key_mov");
384 return -1;
385 }
386 if ((mov_idx == after_idx) || (mov_idx == after_idx + 1)) {
387 /* nothing to do */
388 return 0;
389 }
390
391 /* finally move the key */
392 bckup = opts->hostkeys[mov_idx];
393 if (mov_idx > after_idx) {
394 memmove(opts->hostkeys + after_idx + 2, opts->hostkeys + after_idx + 1,
395 ((mov_idx - after_idx) - 1) * sizeof *opts->hostkeys);
396 opts->hostkeys[after_idx + 1] = bckup;
397 } else {
398 memmove(opts->hostkeys + mov_idx, opts->hostkeys + mov_idx + 1, (after_idx - mov_idx) * sizeof *opts->hostkeys);
399 opts->hostkeys[after_idx] = bckup;
400 }
401
402 return 0;
403}
404
405API int
406nc_server_ssh_endpt_mov_hostkey(const char *endpt_name, const char *key_mov, const char *key_after)
407{
408 int ret;
409 struct nc_endpt *endpt;
410
411 /* LOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +0100412 endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_LIBSSH, NULL);
Michal Vaskofbfe8b62017-02-14 10:22:30 +0100413 if (!endpt) {
414 return -1;
415 }
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200416
Michal Vaskofbfe8b62017-02-14 10:22:30 +0100417 ret = nc_server_ssh_mov_hostkey(key_mov, key_after, endpt->opts.ssh);
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200418
Michal Vaskofbfe8b62017-02-14 10:22:30 +0100419 /* UNLOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +0100420 pthread_rwlock_unlock(&server_opts.endpt_lock);
Michal Vaskofbfe8b62017-02-14 10:22:30 +0100421
422 return ret;
423}
424
425API int
Michal Vaskoadf30f02019-06-24 09:34:47 +0200426nc_server_ssh_ch_client_endpt_mov_hostkey(const char *client_name, const char *endpt_name, const char *key_mov,
427 const char *key_after)
Michal Vaskofbfe8b62017-02-14 10:22:30 +0100428{
429 int ret;
430 struct nc_ch_client *client;
Michal Vaskoadf30f02019-06-24 09:34:47 +0200431 struct nc_ch_endpt *endpt;
Michal Vaskofbfe8b62017-02-14 10:22:30 +0100432
433 /* LOCK */
Michal Vaskoadf30f02019-06-24 09:34:47 +0200434 endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_LIBSSH, &client);
Michal Vaskofbfe8b62017-02-14 10:22:30 +0100435 if (!endpt) {
436 return -1;
437 }
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200438
Michal Vaskoadf30f02019-06-24 09:34:47 +0200439 ret = nc_server_ssh_mov_hostkey(key_mov, key_after, endpt->opts.ssh);
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200440
Michal Vaskofbfe8b62017-02-14 10:22:30 +0100441 /* UNLOCK */
442 nc_server_ch_client_unlock(client);
443
444 return ret;
445}
446
447static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100448nc_server_ssh_set_auth_methods(int auth_methods, struct nc_server_ssh_opts *opts)
Michal Vaskob05053d2016-01-22 16:12:06 +0100449{
roman41a11e42022-06-22 09:27:08 +0200450 if ((auth_methods & NC_SSH_AUTH_INTERACTIVE) && !server_opts.conf_name) {
451 /* path to a configuration file not set */
452 ERR(NULL, "Unable to use Keyboard-Interactive authentication method without setting the name of the PAM configuration file first.");
453 return 1;
454 }
Michal Vaskob05053d2016-01-22 16:12:06 +0100455 opts->auth_methods = auth_methods;
456 return 0;
457}
458
459API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100460nc_server_ssh_endpt_set_auth_methods(const char *endpt_name, int auth_methods)
Michal Vaskob05053d2016-01-22 16:12:06 +0100461{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100462 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100463 struct nc_endpt *endpt;
464
Michal Vasko51e514d2016-02-02 15:51:52 +0100465 /* LOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +0100466 endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_LIBSSH, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100467 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100468 return -1;
469 }
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200470
Michal Vasko2e6defd2016-10-07 15:48:15 +0200471 ret = nc_server_ssh_set_auth_methods(auth_methods, endpt->opts.ssh);
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200472
Michal Vasko51e514d2016-02-02 15:51:52 +0100473 /* UNLOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +0100474 pthread_rwlock_unlock(&server_opts.endpt_lock);
Michal Vasko3031aae2016-01-27 16:07:18 +0100475
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100476 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100477}
478
479API int
Michal Vaskoadf30f02019-06-24 09:34:47 +0200480nc_server_ssh_ch_client_endpt_set_auth_methods(const char *client_name, const char *endpt_name, int auth_methods)
Michal Vaskob05053d2016-01-22 16:12:06 +0100481{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100482 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +0200483 struct nc_ch_client *client;
Michal Vaskoadf30f02019-06-24 09:34:47 +0200484 struct nc_ch_endpt *endpt;
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100485
Michal Vasko2e6defd2016-10-07 15:48:15 +0200486 /* LOCK */
Michal Vaskoadf30f02019-06-24 09:34:47 +0200487 endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_LIBSSH, &client);
488 if (!endpt) {
Michal Vasko2e6defd2016-10-07 15:48:15 +0200489 return -1;
490 }
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200491
Michal Vaskoadf30f02019-06-24 09:34:47 +0200492 ret = nc_server_ssh_set_auth_methods(auth_methods, endpt->opts.ssh);
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200493
Michal Vasko2e6defd2016-10-07 15:48:15 +0200494 /* UNLOCK */
495 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100496
497 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100498}
499
Michal Vaskoddce1212019-05-24 09:58:49 +0200500API int
501nc_server_ssh_endpt_get_auth_methods(const char *endpt_name)
502{
503 int ret;
504 struct nc_endpt *endpt;
505
506 /* LOCK */
507 endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_LIBSSH, NULL);
508 if (!endpt) {
509 return -1;
510 }
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200511
Michal Vaskoddce1212019-05-24 09:58:49 +0200512 ret = endpt->opts.ssh->auth_methods;
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200513
Michal Vaskoddce1212019-05-24 09:58:49 +0200514 /* UNLOCK */
515 pthread_rwlock_unlock(&server_opts.endpt_lock);
516
517 return ret;
518}
519
520API int
Michal Vaskoadf30f02019-06-24 09:34:47 +0200521nc_server_ssh_ch_client_endpt_get_auth_methods(const char *client_name, const char *endpt_name)
Michal Vaskoddce1212019-05-24 09:58:49 +0200522{
523 int ret;
524 struct nc_ch_client *client;
Michal Vaskoadf30f02019-06-24 09:34:47 +0200525 struct nc_ch_endpt *endpt;
Michal Vaskoddce1212019-05-24 09:58:49 +0200526
527 /* LOCK */
Michal Vaskoadf30f02019-06-24 09:34:47 +0200528 endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_LIBSSH, &client);
529 if (!endpt) {
Michal Vaskoddce1212019-05-24 09:58:49 +0200530 return -1;
531 }
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200532
Michal Vaskoadf30f02019-06-24 09:34:47 +0200533 ret = endpt->opts.ssh->auth_methods;
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200534
Michal Vaskoddce1212019-05-24 09:58:49 +0200535 /* UNLOCK */
536 nc_server_ch_client_unlock(client);
537
538 return ret;
539}
540
Michal Vaskob05053d2016-01-22 16:12:06 +0100541static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100542nc_server_ssh_set_auth_attempts(uint16_t auth_attempts, struct nc_server_ssh_opts *opts)
Michal Vaskob05053d2016-01-22 16:12:06 +0100543{
Michal Vaskob05053d2016-01-22 16:12:06 +0100544 if (!auth_attempts) {
Michal Vasko45e53ae2016-04-07 11:46:03 +0200545 ERRARG("auth_attempts");
Michal Vaskob05053d2016-01-22 16:12:06 +0100546 return -1;
547 }
548
Michal Vaskob05053d2016-01-22 16:12:06 +0100549 opts->auth_attempts = auth_attempts;
Michal Vasko086311b2016-01-08 09:53:11 +0100550 return 0;
551}
552
553API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100554nc_server_ssh_endpt_set_auth_attempts(const char *endpt_name, uint16_t auth_attempts)
Michal Vasko086311b2016-01-08 09:53:11 +0100555{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100556 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100557 struct nc_endpt *endpt;
558
Michal Vasko51e514d2016-02-02 15:51:52 +0100559 /* LOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +0100560 endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_LIBSSH, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100561 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100562 return -1;
563 }
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200564
Michal Vasko2e6defd2016-10-07 15:48:15 +0200565 ret = nc_server_ssh_set_auth_attempts(auth_attempts, endpt->opts.ssh);
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200566
Michal Vasko51e514d2016-02-02 15:51:52 +0100567 /* UNLOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +0100568 pthread_rwlock_unlock(&server_opts.endpt_lock);
Michal Vasko3031aae2016-01-27 16:07:18 +0100569
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100570 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100571}
572
573API int
Michal Vaskocbad4c52019-06-27 16:30:35 +0200574nc_server_ssh_ch_client_endpt_set_auth_attempts(const char *client_name, const char *endpt_name, uint16_t auth_attempts)
Michal Vaskob05053d2016-01-22 16:12:06 +0100575{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100576 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +0200577 struct nc_ch_client *client;
Michal Vaskoadf30f02019-06-24 09:34:47 +0200578 struct nc_ch_endpt *endpt;
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100579
Michal Vasko2e6defd2016-10-07 15:48:15 +0200580 /* LOCK */
Michal Vaskoadf30f02019-06-24 09:34:47 +0200581 endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_LIBSSH, &client);
582 if (!endpt) {
Michal Vasko2e6defd2016-10-07 15:48:15 +0200583 return -1;
584 }
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200585
Michal Vaskoadf30f02019-06-24 09:34:47 +0200586 ret = nc_server_ssh_set_auth_attempts(auth_attempts, endpt->opts.ssh);
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200587
Michal Vasko2e6defd2016-10-07 15:48:15 +0200588 /* UNLOCK */
589 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100590
591 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100592}
593
594static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100595nc_server_ssh_set_auth_timeout(uint16_t auth_timeout, struct nc_server_ssh_opts *opts)
Michal Vaskob05053d2016-01-22 16:12:06 +0100596{
Michal Vaskob05053d2016-01-22 16:12:06 +0100597 if (!auth_timeout) {
Michal Vasko45e53ae2016-04-07 11:46:03 +0200598 ERRARG("auth_timeout");
Michal Vasko086311b2016-01-08 09:53:11 +0100599 return -1;
600 }
601
Michal Vaskob05053d2016-01-22 16:12:06 +0100602 opts->auth_timeout = auth_timeout;
Michal Vasko086311b2016-01-08 09:53:11 +0100603 return 0;
604}
605
606API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100607nc_server_ssh_endpt_set_auth_timeout(const char *endpt_name, uint16_t auth_timeout)
Michal Vasko086311b2016-01-08 09:53:11 +0100608{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100609 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100610 struct nc_endpt *endpt;
611
Michal Vasko51e514d2016-02-02 15:51:52 +0100612 /* LOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +0100613 endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_LIBSSH, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100614 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100615 return -1;
616 }
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200617
Michal Vasko2e6defd2016-10-07 15:48:15 +0200618 ret = nc_server_ssh_set_auth_timeout(auth_timeout, endpt->opts.ssh);
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200619
Michal Vasko51e514d2016-02-02 15:51:52 +0100620 /* UNLOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +0100621 pthread_rwlock_unlock(&server_opts.endpt_lock);
Michal Vasko3031aae2016-01-27 16:07:18 +0100622
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100623 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100624}
625
626API int
Michal Vaskocbad4c52019-06-27 16:30:35 +0200627nc_server_ssh_ch_client_endpt_set_auth_timeout(const char *client_name, const char *endpt_name, uint16_t auth_timeout)
Michal Vaskob05053d2016-01-22 16:12:06 +0100628{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100629 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +0200630 struct nc_ch_client *client;
Michal Vaskoadf30f02019-06-24 09:34:47 +0200631 struct nc_ch_endpt *endpt;
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100632
Michal Vasko2e6defd2016-10-07 15:48:15 +0200633 /* LOCK */
Michal Vaskoadf30f02019-06-24 09:34:47 +0200634 endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_LIBSSH, &client);
635 if (!endpt) {
Michal Vasko2e6defd2016-10-07 15:48:15 +0200636 return -1;
637 }
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200638
Michal Vaskoadf30f02019-06-24 09:34:47 +0200639 ret = nc_server_ssh_set_auth_timeout(auth_timeout, endpt->opts.ssh);
Michal Vaskoc46b3df2021-07-26 09:30:05 +0200640
Michal Vasko2e6defd2016-10-07 15:48:15 +0200641 /* UNLOCK */
642 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100643
644 return ret;
Michal Vaskob05053d2016-01-22 16:12:06 +0100645}
646
647static int
Michal Vasko77367452021-02-16 16:32:18 +0100648_nc_server_ssh_add_authkey(const char *pubkey_path, const char *pubkey_base64, NC_SSH_KEY_TYPE type, const char *username)
Michal Vasko17dfda92016-12-01 14:06:16 +0100649{
Michal Vasko09111892021-07-26 09:30:20 +0200650 int ret = 0;
651
Michal Vaskoa05c7b12017-01-30 14:33:08 +0100652 /* LOCK */
653 pthread_mutex_lock(&server_opts.authkey_lock);
654
Michal Vasko17dfda92016-12-01 14:06:16 +0100655 ++server_opts.authkey_count;
656 server_opts.authkeys = nc_realloc(server_opts.authkeys, server_opts.authkey_count * sizeof *server_opts.authkeys);
657 if (!server_opts.authkeys) {
658 ERRMEM;
Michal Vasko09111892021-07-26 09:30:20 +0200659 ret = -1;
660 goto cleanup;
Michal Vasko17dfda92016-12-01 14:06:16 +0100661 }
Michal Vasko93224072021-11-09 12:14:28 +0100662 server_opts.authkeys[server_opts.authkey_count - 1].path = pubkey_path ? strdup(pubkey_path) : NULL;
663 server_opts.authkeys[server_opts.authkey_count - 1].base64 = pubkey_base64 ? strdup(pubkey_base64) : NULL;
Michal Vasko17dfda92016-12-01 14:06:16 +0100664 server_opts.authkeys[server_opts.authkey_count - 1].type = type;
Michal Vasko93224072021-11-09 12:14:28 +0100665 server_opts.authkeys[server_opts.authkey_count - 1].username = strdup(username);
Michal Vasko17dfda92016-12-01 14:06:16 +0100666
Michal Vasko09111892021-07-26 09:30:20 +0200667cleanup:
Michal Vaskoa05c7b12017-01-30 14:33:08 +0100668 /* UNLOCK */
669 pthread_mutex_unlock(&server_opts.authkey_lock);
Michal Vasko09111892021-07-26 09:30:20 +0200670 return ret;
Michal Vasko17dfda92016-12-01 14:06:16 +0100671}
672
673API int
674nc_server_ssh_add_authkey_path(const char *pubkey_path, const char *username)
Michal Vaskob05053d2016-01-22 16:12:06 +0100675{
Michal Vasko45e53ae2016-04-07 11:46:03 +0200676 if (!pubkey_path) {
677 ERRARG("pubkey_path");
678 return -1;
679 } else if (!username) {
680 ERRARG("username");
Michal Vasko086311b2016-01-08 09:53:11 +0100681 return -1;
682 }
683
Michal Vasko17dfda92016-12-01 14:06:16 +0100684 return _nc_server_ssh_add_authkey(pubkey_path, NULL, 0, username);
Michal Vasko086311b2016-01-08 09:53:11 +0100685}
686
687API int
Michal Vasko17dfda92016-12-01 14:06:16 +0100688nc_server_ssh_add_authkey(const char *pubkey_base64, NC_SSH_KEY_TYPE type, const char *username)
Michal Vasko086311b2016-01-08 09:53:11 +0100689{
Michal Vasko17dfda92016-12-01 14:06:16 +0100690 if (!pubkey_base64) {
691 ERRARG("pubkey_base64");
692 return -1;
693 } else if (!type) {
694 ERRARG("type");
695 return -1;
696 } else if (!username) {
697 ERRARG("username");
Michal Vasko3031aae2016-01-27 16:07:18 +0100698 return -1;
699 }
700
Michal Vasko17dfda92016-12-01 14:06:16 +0100701 return _nc_server_ssh_add_authkey(NULL, pubkey_base64, type, username);
Michal Vasko086311b2016-01-08 09:53:11 +0100702}
703
704API int
Michal Vasko17dfda92016-12-01 14:06:16 +0100705nc_server_ssh_del_authkey(const char *pubkey_path, const char *pubkey_base64, NC_SSH_KEY_TYPE type,
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200706 const char *username)
Michal Vaskob05053d2016-01-22 16:12:06 +0100707{
Michal Vasko086311b2016-01-08 09:53:11 +0100708 uint32_t i;
709 int ret = -1;
710
Michal Vasko17dfda92016-12-01 14:06:16 +0100711 /* LOCK */
712 pthread_mutex_lock(&server_opts.authkey_lock);
713
714 if (!pubkey_path && !pubkey_base64 && !type && !username) {
715 for (i = 0; i < server_opts.authkey_count; ++i) {
Michal Vasko93224072021-11-09 12:14:28 +0100716 free(server_opts.authkeys[i].path);
717 free(server_opts.authkeys[i].base64);
718 free(server_opts.authkeys[i].username);
Michal Vasko086311b2016-01-08 09:53:11 +0100719
Michal Vasko086311b2016-01-08 09:53:11 +0100720 ret = 0;
721 }
Michal Vasko17dfda92016-12-01 14:06:16 +0100722 free(server_opts.authkeys);
723 server_opts.authkeys = NULL;
724 server_opts.authkey_count = 0;
Michal Vasko1a38c862016-01-15 15:50:07 +0100725 } else {
Michal Vasko17dfda92016-12-01 14:06:16 +0100726 for (i = 0; i < server_opts.authkey_count; ++i) {
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200727 if ((!pubkey_path || !strcmp(server_opts.authkeys[i].path, pubkey_path)) &&
728 (!pubkey_base64 || !strcmp(server_opts.authkeys[i].base64, pubkey_base64)) &&
729 (!type || (server_opts.authkeys[i].type == type)) &&
730 (!username || !strcmp(server_opts.authkeys[i].username, username))) {
Michal Vasko93224072021-11-09 12:14:28 +0100731 free(server_opts.authkeys[i].path);
732 free(server_opts.authkeys[i].base64);
733 free(server_opts.authkeys[i].username);
Michal Vasko1a38c862016-01-15 15:50:07 +0100734
Michal Vasko17dfda92016-12-01 14:06:16 +0100735 --server_opts.authkey_count;
736 if (i < server_opts.authkey_count) {
737 memcpy(&server_opts.authkeys[i], &server_opts.authkeys[server_opts.authkey_count],
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200738 sizeof *server_opts.authkeys);
Michal Vasko17dfda92016-12-01 14:06:16 +0100739 } else if (!server_opts.authkey_count) {
740 free(server_opts.authkeys);
741 server_opts.authkeys = NULL;
Michal Vaskoc0256492016-02-02 12:19:06 +0100742 }
Michal Vasko1a38c862016-01-15 15:50:07 +0100743
744 ret = 0;
745 }
746 }
Michal Vasko086311b2016-01-08 09:53:11 +0100747 }
748
Michal Vasko51e514d2016-02-02 15:51:52 +0100749 /* UNLOCK */
Michal Vasko17dfda92016-12-01 14:06:16 +0100750 pthread_mutex_unlock(&server_opts.authkey_lock);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100751
752 return ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100753}
754
755void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100756nc_server_ssh_clear_opts(struct nc_server_ssh_opts *opts)
Michal Vasko3031aae2016-01-27 16:07:18 +0100757{
Michal Vasko7d255882017-02-09 13:35:08 +0100758 nc_server_ssh_del_hostkey(NULL, -1, opts);
Michal Vaskob05053d2016-01-22 16:12:06 +0100759}
760
Michal Vasko7a866152021-07-22 11:01:13 +0200761#ifdef HAVE_SHADOW
762
Michal Vaskof3c41e32022-09-09 11:22:21 +0200763/**
764 * @brief Get passwd entry for a user.
765 *
766 * @param[in] username Name of the user.
767 * @param[in] pwd_buf Passwd entry buffer.
768 * @param[in,out] buf Passwd entry string buffer.
769 * @param[in,out] buf_size Current @p buf size.
770 * @return Found passwd entry for the user, NULL if none found.
771 */
Michal Vasko7a866152021-07-22 11:01:13 +0200772static struct passwd *
773auth_password_getpwnam(const char *username, struct passwd *pwd_buf, char **buf, size_t *buf_size)
774{
775 struct passwd *pwd = NULL;
776 char *mem;
Jan Kundrátaa323102021-10-08 20:10:50 +0200777 int r = 0;
Michal Vasko7a866152021-07-22 11:01:13 +0200778
779 do {
Jan Kundrátaa323102021-10-08 20:10:50 +0200780 r = getpwnam_r(username, pwd_buf, *buf, *buf_size, &pwd);
Michal Vasko7a866152021-07-22 11:01:13 +0200781 if (pwd) {
782 /* entry found */
783 break;
784 }
785
Jan Kundrátaa323102021-10-08 20:10:50 +0200786 if (r == ERANGE) {
Michal Vasko7a866152021-07-22 11:01:13 +0200787 /* small buffer, enlarge */
788 *buf_size <<= 2;
789 mem = realloc(*buf, *buf_size);
790 if (!mem) {
791 ERRMEM;
792 return NULL;
793 }
794 *buf = mem;
795 }
Jan Kundrátaa323102021-10-08 20:10:50 +0200796 } while (r == ERANGE);
Michal Vasko7a866152021-07-22 11:01:13 +0200797
798 return pwd;
799}
800
Michal Vaskof3c41e32022-09-09 11:22:21 +0200801/**
802 * @brief Get shadow entry for a user.
803 *
804 * @param[in] username Name of the user.
805 * @param[in] spwd_buf Shadow entry buffer.
806 * @param[in,out] buf Shadow entry string buffer.
807 * @param[in,out] buf_size Current @p buf size.
808 * @return Found shadow entry for the user, NULL if none found.
809 */
Michal Vasko7a866152021-07-22 11:01:13 +0200810static struct spwd *
811auth_password_getspnam(const char *username, struct spwd *spwd_buf, char **buf, size_t *buf_size)
812{
813 struct spwd *spwd = NULL;
814 char *mem;
Jan Kundrátaa323102021-10-08 20:10:50 +0200815 int r = 0;
Michal Vasko7a866152021-07-22 11:01:13 +0200816
817 do {
Michal Vasko7a866152021-07-22 11:01:13 +0200818# ifndef __QNXNTO__
Jan Kundrátaa323102021-10-08 20:10:50 +0200819 r = getspnam_r(username, spwd_buf, *buf, *buf_size, &spwd);
Michal Vasko7a866152021-07-22 11:01:13 +0200820# else
821 spwd = getspnam_r(username, spwd_buf, *buf, *buf_size);
822# endif
823 if (spwd) {
824 /* entry found */
825 break;
826 }
827
Jan Kundrátaa323102021-10-08 20:10:50 +0200828 if (r == ERANGE) {
Michal Vasko7a866152021-07-22 11:01:13 +0200829 /* small buffer, enlarge */
830 *buf_size <<= 2;
831 mem = realloc(*buf, *buf_size);
832 if (!mem) {
833 ERRMEM;
834 return NULL;
835 }
836 *buf = mem;
837 }
Jan Kundrátaa323102021-10-08 20:10:50 +0200838 } while (r == ERANGE);
Michal Vasko7a866152021-07-22 11:01:13 +0200839
840 return spwd;
841}
842
Michal Vaskof3c41e32022-09-09 11:22:21 +0200843/**
844 * @brief Get hashed system apssword for a user.
845 *
846 * @param[in] username Name of the user.
847 * @return Hashed password of @p username.
848 */
Michal Vasko086311b2016-01-08 09:53:11 +0100849static char *
850auth_password_get_pwd_hash(const char *username)
851{
852 struct passwd *pwd, pwd_buf;
853 struct spwd *spwd, spwd_buf;
Michal Vasko7a866152021-07-22 11:01:13 +0200854 char *pass_hash = NULL, *buf = NULL;
855 size_t buf_size = 256;
Michal Vasko086311b2016-01-08 09:53:11 +0100856
Michal Vasko7a866152021-07-22 11:01:13 +0200857 buf = malloc(buf_size);
858 if (!buf) {
859 ERRMEM;
860 goto error;
861 }
862
863 pwd = auth_password_getpwnam(username, &pwd_buf, &buf, &buf_size);
Michal Vasko086311b2016-01-08 09:53:11 +0100864 if (!pwd) {
Michal Vasko05532772021-06-03 12:12:38 +0200865 VRB(NULL, "User \"%s\" not found locally.", username);
Michal Vasko7a866152021-07-22 11:01:13 +0200866 goto error;
Michal Vasko086311b2016-01-08 09:53:11 +0100867 }
868
869 if (!strcmp(pwd->pw_passwd, "x")) {
Michal Vasko7a866152021-07-22 11:01:13 +0200870 spwd = auth_password_getspnam(username, &spwd_buf, &buf, &buf_size);
Michal Vasko086311b2016-01-08 09:53:11 +0100871 if (!spwd) {
Michal Vasko05532772021-06-03 12:12:38 +0200872 VRB(NULL, "Failed to retrieve the shadow entry for \"%s\".", username);
Michal Vasko7a866152021-07-22 11:01:13 +0200873 goto error;
Michal Vasko22b4fe72020-11-04 08:52:29 +0100874 } else if ((spwd->sp_expire > -1) && (spwd->sp_expire <= (time(NULL) / (60 * 60 * 24)))) {
Michal Vasko05532772021-06-03 12:12:38 +0200875 WRN(NULL, "User \"%s\" account has expired.", username);
Michal Vasko7a866152021-07-22 11:01:13 +0200876 goto error;
Michal Vasko086311b2016-01-08 09:53:11 +0100877 }
878
879 pass_hash = spwd->sp_pwdp;
880 } else {
881 pass_hash = pwd->pw_passwd;
882 }
883
884 if (!pass_hash) {
Michal Vasko05532772021-06-03 12:12:38 +0200885 ERR(NULL, "No password could be retrieved for \"%s\".", username);
Michal Vasko7a866152021-07-22 11:01:13 +0200886 goto error;
Michal Vasko086311b2016-01-08 09:53:11 +0100887 }
888
889 /* check the hash structure for special meaning */
890 if (!strcmp(pass_hash, "*") || !strcmp(pass_hash, "!")) {
Michal Vasko05532772021-06-03 12:12:38 +0200891 VRB(NULL, "User \"%s\" is not allowed to authenticate using a password.", username);
Michal Vasko7a866152021-07-22 11:01:13 +0200892 goto error;
Michal Vasko086311b2016-01-08 09:53:11 +0100893 }
894 if (!strcmp(pass_hash, "*NP*")) {
Michal Vasko05532772021-06-03 12:12:38 +0200895 VRB(NULL, "Retrieving password for \"%s\" from a NIS+ server not supported.", username);
Michal Vasko7a866152021-07-22 11:01:13 +0200896 goto error;
Michal Vasko086311b2016-01-08 09:53:11 +0100897 }
898
Michal Vasko963f6c02021-07-26 15:55:44 +0200899 pass_hash = strdup(pass_hash);
Michal Vasko7a866152021-07-22 11:01:13 +0200900 free(buf);
Michal Vasko963f6c02021-07-26 15:55:44 +0200901 return pass_hash;
Michal Vasko7a866152021-07-22 11:01:13 +0200902
903error:
904 free(buf);
905 return NULL;
Michal Vasko086311b2016-01-08 09:53:11 +0100906}
907
Michal Vasko7a866152021-07-22 11:01:13 +0200908#else
909
Michal Vaskof3c41e32022-09-09 11:22:21 +0200910/**
911 * @brief Get hashed system password for a user.
912 *
913 * @param[in] username Name of the user.
914 * @return Hashed password of @p username.
915 */
Michal Vasko7a866152021-07-22 11:01:13 +0200916static char *
917auth_password_get_pwd_hash(const char *username)
918{
919 (void)username;
920 return strdup("");
921}
922
923#endif
924
Michal Vaskof3c41e32022-09-09 11:22:21 +0200925/**
926 * @brief Compare hashed password with a cleartext password for a match.
927 *
928 * @param[in] pass_hash Hashed password.
929 * @param[in] pass_clear Cleartext password.
930 * @return 0 on match.
931 * @return non-zero if not a match.
932 */
Michal Vasko086311b2016-01-08 09:53:11 +0100933static int
934auth_password_compare_pwd(const char *pass_hash, const char *pass_clear)
935{
936 char *new_pass_hash;
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200937
Michal Vaskof3c41e32022-09-09 11:22:21 +0200938#ifdef HAVE_CRYPT_R
Michal Vasko086311b2016-01-08 09:53:11 +0100939 struct crypt_data cdata;
Mislav Novakovicebf4bd72017-08-02 10:43:41 +0200940#endif
Michal Vasko086311b2016-01-08 09:53:11 +0100941
942 if (!pass_hash[0]) {
943 if (!pass_clear[0]) {
Michal Vasko05532772021-06-03 12:12:38 +0200944 WRN(NULL, "User authentication successful with an empty password!");
Michal Vasko086311b2016-01-08 09:53:11 +0100945 return 0;
946 } else {
947 /* the user did now know he does not need any password,
948 * (which should not be used) so deny authentication */
949 return 1;
950 }
951 }
952
Michal Vaskof3c41e32022-09-09 11:22:21 +0200953#ifdef HAVE_CRYPT_R
Michal Vasko086311b2016-01-08 09:53:11 +0100954 cdata.initialized = 0;
955 new_pass_hash = crypt_r(pass_clear, pass_hash, &cdata);
Mislav Novakovicebf4bd72017-08-02 10:43:41 +0200956#else
Mislav Novakovicce9a7ef2017-08-08 13:45:52 +0200957 pthread_mutex_lock(&crypt_lock);
Mislav Novakovicebf4bd72017-08-02 10:43:41 +0200958 new_pass_hash = crypt(pass_clear, pass_hash);
Mislav Novakovicce9a7ef2017-08-08 13:45:52 +0200959 pthread_mutex_unlock(&crypt_lock);
Mislav Novakovicebf4bd72017-08-02 10:43:41 +0200960#endif
Andrew Langefeld158d6fd2018-06-11 18:51:44 -0500961
962 if (!new_pass_hash) {
963 return 1;
964 }
965
Michal Vasko086311b2016-01-08 09:53:11 +0100966 return strcmp(new_pass_hash, pass_hash);
967}
968
969static void
970nc_sshcb_auth_password(struct nc_session *session, ssh_message msg)
971{
972 char *pass_hash;
Michal Vaskoebba7602018-03-23 13:14:08 +0100973 int auth_ret = 1;
Michal Vasko086311b2016-01-08 09:53:11 +0100974
Michal Vaskoebba7602018-03-23 13:14:08 +0100975 if (server_opts.passwd_auth_clb) {
976 auth_ret = server_opts.passwd_auth_clb(session, ssh_message_auth_password(msg), server_opts.passwd_auth_data);
977 } else {
978 pass_hash = auth_password_get_pwd_hash(session->username);
979 if (pass_hash) {
980 auth_ret = auth_password_compare_pwd(pass_hash, ssh_message_auth_password(msg));
981 free(pass_hash);
982 }
Michal Vasko086311b2016-01-08 09:53:11 +0100983 }
984
Michal Vaskoebba7602018-03-23 13:14:08 +0100985 if (!auth_ret) {
986 session->flags |= NC_SESSION_SSH_AUTHENTICATED;
Michal Vasko05532772021-06-03 12:12:38 +0200987 VRB(session, "User \"%s\" authenticated.", session->username);
Michal Vaskoebba7602018-03-23 13:14:08 +0100988 ssh_message_auth_reply_success(msg, 0);
989 } else {
990 ++session->opts.server.ssh_auth_attempts;
Michal Vasko05532772021-06-03 12:12:38 +0200991 VRB(session, "Failed user \"%s\" authentication attempt (#%d).", session->username,
992 session->opts.server.ssh_auth_attempts);
Michal Vaskoebba7602018-03-23 13:14:08 +0100993 ssh_message_reply_default(msg);
994 }
Michal Vasko086311b2016-01-08 09:53:11 +0100995}
996
Michal Vasko0d81c572022-09-26 10:39:31 +0200997#ifdef HAVE_LIBPAM
998
roman41a11e42022-06-22 09:27:08 +0200999/**
1000 * @brief PAM conversation function, which serves as a callback for exchanging messages between the client and a PAM module.
1001 *
1002 * @param[in] n_messages Number of messages.
1003 * @param[in] msg PAM module's messages.
1004 * @param[out] resp User responses.
1005 * @param[in] appdata_ptr Callback's data.
1006 * @return PAM_SUCCESS on success;
1007 * @return PAM_BUF_ERR on memory allocation error;
1008 * @return PAM_CONV_ERR otherwise.
1009 */
1010static int
1011nc_pam_conv_clb(int n_messages, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr)
1012{
1013 int i, j, t, r = PAM_SUCCESS, n_answers, n_requests = n_messages;
1014 const char **prompts = NULL;
1015 char *echo = NULL;
1016 const char *name = "Keyboard-Interactive Authentication";
1017 const char *instruction = "Please enter your authentication token";
1018 ssh_message reply = NULL;
1019 struct nc_pam_thread_arg *clb_data = appdata_ptr;
1020 ssh_session libssh_session;
1021 struct timespec ts_timeout;
1022 struct nc_server_ssh_opts *opts;
1023
1024 libssh_session = clb_data->session->ti.libssh.session;
1025 opts = clb_data->session->data;
1026
1027 /* PAM_MAX_NUM_MSG == 32 by default */
1028 if ((n_messages <= 0) || (n_messages >= PAM_MAX_NUM_MSG)) {
1029 ERR(NULL, "Bad number of PAM messages (#%d).", n_messages);
1030 r = PAM_CONV_ERR;
1031 goto cleanup;
1032 }
1033
1034 /* only accepting these 4 types of messages */
1035 for (i = 0; i < n_messages; i++) {
1036 t = msg[i]->msg_style;
1037 if ((t != PAM_PROMPT_ECHO_OFF) && (t != PAM_PROMPT_ECHO_ON) && (t != PAM_TEXT_INFO) && (t != PAM_ERROR_MSG)) {
1038 ERR(NULL, "PAM conversation callback received an unexpected type of message.");
1039 r = PAM_CONV_ERR;
1040 goto cleanup;
1041 }
1042 }
1043
1044 /* display messages with errors and/or some information and count the amount of actual authentication challenges */
1045 for (i = 0; i < n_messages; i++) {
1046 if (msg[i]->msg_style == PAM_TEXT_INFO) {
1047 VRB(NULL, "PAM conversation callback received a message with some information for the client (%s).", msg[i]->msg);
1048 n_requests--;
1049 }
1050 if (msg[i]->msg_style == PAM_ERROR_MSG) {
1051 ERR(NULL, "PAM conversation callback received an error message (%s).", msg[i]->msg);
1052 r = PAM_CONV_ERR;
1053 goto cleanup;
1054 }
1055 }
1056
1057 /* there are no requests left for the user, only messages with some information for the client were sent */
1058 if (n_requests <= 0) {
1059 r = PAM_SUCCESS;
1060 goto cleanup;
1061 }
1062
1063 /* it is the PAM module's responsibility to release both, this array and the responses themselves */
1064 *resp = calloc(n_requests, sizeof **resp);
1065 prompts = calloc(n_requests, sizeof *prompts);
1066 echo = calloc(n_requests, sizeof *echo);
1067 if (!(*resp) || !prompts || !echo) {
1068 ERRMEM;
1069 r = PAM_BUF_ERR;
1070 goto cleanup;
1071 }
1072
1073 /* set the prompts for the user */
1074 j = 0;
1075 for (i = 0; i < n_messages; i++) {
1076 if ((msg[i]->msg_style == PAM_PROMPT_ECHO_ON) || (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF)) {
1077 prompts[j++] = msg[i]->msg;
1078 }
1079 }
1080
1081 /* iterate over all the messages and adjust the echo array accordingly */
1082 j = 0;
1083 for (i = 0; i < n_messages; i++) {
1084 if (msg[i]->msg_style == PAM_PROMPT_ECHO_ON) {
1085 echo[j++] = 1;
1086 }
1087 if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
1088 /* no need to set to 0 because of calloc */
1089 j++;
1090 }
1091 }
1092
1093 /* print all the keyboard-interactive challenges to the user */
1094 r = ssh_message_auth_interactive_request(clb_data->msg, name, instruction, n_requests, prompts, echo);
1095 if (r != SSH_OK) {
1096 ERR(NULL, "Failed to send an authentication request.");
1097 r = PAM_CONV_ERR;
1098 goto cleanup;
1099 }
1100
1101 if (opts->auth_timeout) {
1102 nc_gettimespec_mono_add(&ts_timeout, opts->auth_timeout * 1000);
1103 }
1104
1105 /* get user's replies */
1106 do {
1107 if (!nc_session_is_connected(clb_data->session)) {
1108 ERR(NULL, "Communication SSH socket unexpectedly closed.");
1109 r = PAM_CONV_ERR;
1110 goto cleanup;
1111 }
1112
1113 reply = ssh_message_get(libssh_session);
1114 if (reply) {
1115 break;
1116 }
1117
1118 usleep(NC_TIMEOUT_STEP);
Michal Vasko60d8ffb2022-07-21 11:08:34 +02001119 } while ((opts->auth_timeout) && (nc_difftimespec_mono_cur(&ts_timeout) >= 1));
roman41a11e42022-06-22 09:27:08 +02001120
1121 if (!reply) {
1122 ERR(NULL, "Authentication timeout.");
1123 r = PAM_CONV_ERR;
1124 goto cleanup;
1125 }
1126
1127 /* check if the amount of replies matches the amount of requests */
1128 n_answers = ssh_userauth_kbdint_getnanswers(libssh_session);
1129 if (n_answers != n_requests) {
1130 ERR(NULL, "Expected %d response(s), got %d.", n_requests, n_answers);
1131 r = PAM_CONV_ERR;
1132 goto cleanup;
1133 }
1134
1135 /* give the replies to a PAM module */
1136 for (i = 0; i < n_answers; i++) {
1137 (*resp)[i].resp = strdup(ssh_userauth_kbdint_getanswer(libssh_session, i));
1138 /* it should be the caller's responsibility to free this, however if mem alloc fails,
1139 * it is safer to free the responses here and set them to NULL */
1140 if ((*resp)[i].resp == NULL) {
1141 for (j = 0; j < i; j++) {
1142 free((*resp)[j].resp);
1143 (*resp)[j].resp = NULL;
1144 }
1145 ERRMEM;
1146 r = PAM_BUF_ERR;
1147 goto cleanup;
1148 }
1149 }
1150
1151cleanup:
1152 ssh_message_free(reply);
1153 free(prompts);
1154 free(echo);
1155 return r;
1156}
1157
1158/**
1159 * @brief Handles authentication via Linux PAM.
1160 *
1161 * @param[in] session NETCONF session.
1162 * @param[in] ssh_msg SSH message with a keyboard-interactive authentication request.
1163 * @return PAM_SUCCESS on success;
1164 * @return PAM error otherwise.
1165 */
1166static int
1167nc_pam_auth(struct nc_session *session, ssh_message ssh_msg)
1168{
1169 pam_handle_t *pam_h = NULL;
1170 int ret;
1171 struct nc_pam_thread_arg clb_data;
1172 struct pam_conv conv;
1173
1174 /* structure holding callback's data */
1175 clb_data.msg = ssh_msg;
1176 clb_data.session = session;
1177
1178 /* PAM conversation structure holding the callback and it's data */
1179 conv.conv = nc_pam_conv_clb;
1180 conv.appdata_ptr = &clb_data;
1181
1182 /* initialize PAM and see if the given configuration file exists */
Michal Vasko0d81c572022-09-26 10:39:31 +02001183# ifdef LIBPAM_HAVE_CONFDIR
roman41a11e42022-06-22 09:27:08 +02001184 /* PAM version >= 1.4 */
1185 ret = pam_start_confdir(server_opts.conf_name, session->username, &conv, server_opts.conf_dir, &pam_h);
Michal Vasko0d81c572022-09-26 10:39:31 +02001186# else
roman41a11e42022-06-22 09:27:08 +02001187 /* PAM version < 1.4 */
1188 ret = pam_start(server_opts.conf_name, session->username, &conv, &pam_h);
Michal Vasko0d81c572022-09-26 10:39:31 +02001189# endif
roman41a11e42022-06-22 09:27:08 +02001190 if (ret != PAM_SUCCESS) {
1191 ERR(NULL, "PAM error occurred (%s).\n", pam_strerror(pam_h, ret));
1192 goto cleanup;
1193 }
1194
1195 /* authentication based on the modules listed in the configuration file */
1196 ret = pam_authenticate(pam_h, 0);
1197 if (ret != PAM_SUCCESS) {
1198 if (ret == PAM_ABORT) {
1199 ERR(NULL, "PAM error occurred (%s).\n", pam_strerror(pam_h, ret));
1200 goto cleanup;
1201 } else {
1202 VRB(NULL, "PAM error occurred (%s).\n", pam_strerror(pam_h, ret));
1203 goto cleanup;
1204 }
1205 }
1206
1207 /* correct token entered, check other requirements(the time of the day, expired token, ...) */
1208 ret = pam_acct_mgmt(pam_h, 0);
1209 if ((ret != PAM_SUCCESS) && (ret != PAM_NEW_AUTHTOK_REQD)) {
1210 VRB(NULL, "PAM error occurred (%s).\n", pam_strerror(pam_h, ret));
1211 goto cleanup;
1212 }
1213
1214 /* if a token has expired a new one will be generated */
1215 if (ret == PAM_NEW_AUTHTOK_REQD) {
1216 VRB(NULL, "PAM warning occurred (%s).\n", pam_strerror(pam_h, ret));
1217 ret = pam_chauthtok(pam_h, PAM_CHANGE_EXPIRED_AUTHTOK);
1218 if (ret == PAM_SUCCESS) {
1219 VRB(NULL, "The authentication token of user \"%s\" updated successfully.", session->username);
1220 } else {
1221 ERR(NULL, "PAM error occurred (%s).\n", pam_strerror(pam_h, ret));
1222 goto cleanup;
1223 }
1224 }
1225
1226cleanup:
1227 /* destroy the PAM context */
1228 if (pam_end(pam_h, ret) != PAM_SUCCESS) {
1229 ERR(NULL, "PAM error occurred (%s).\n", pam_strerror(pam_h, ret));
1230 }
1231 return ret;
1232}
1233
Michal Vasko0d81c572022-09-26 10:39:31 +02001234#endif
1235
Michal Vasko086311b2016-01-08 09:53:11 +01001236static void
1237nc_sshcb_auth_kbdint(struct nc_session *session, ssh_message msg)
1238{
bhart3bc2f582018-06-05 12:40:32 -05001239 int auth_ret = 1;
Michal Vasko086311b2016-01-08 09:53:11 +01001240
bhart1bb7cdb2018-07-02 15:03:30 -05001241 if (server_opts.interactive_auth_clb) {
Michal Vasko733c0bd2018-07-03 13:14:40 +02001242 auth_ret = server_opts.interactive_auth_clb(session, msg, server_opts.interactive_auth_data);
Michal Vasko0d81c572022-09-26 10:39:31 +02001243 } else {
1244#ifdef HAVE_LIBPAM
1245 if (nc_pam_auth(session, msg) == PAM_SUCCESS) {
1246 auth_ret = 0;
1247 }
1248#else
1249 ERR(session, "PAM-based SSH authentication is not supported.");
1250#endif
bhart1bb7cdb2018-07-02 15:03:30 -05001251 }
1252
Robert Vargaad7a5532018-08-10 20:40:54 +02001253 /* We have already sent a reply */
1254 if (auth_ret == -1) {
1255 return;
1256 }
1257
bhart1bb7cdb2018-07-02 15:03:30 -05001258 /* Authenticate message based on outcome */
1259 if (!auth_ret) {
1260 session->flags |= NC_SESSION_SSH_AUTHENTICATED;
Michal Vasko05532772021-06-03 12:12:38 +02001261 VRB(session, "User \"%s\" authenticated.", session->username);
bhart1bb7cdb2018-07-02 15:03:30 -05001262 ssh_message_auth_reply_success(msg, 0);
1263 } else {
1264 ++session->opts.server.ssh_auth_attempts;
Michal Vasko05532772021-06-03 12:12:38 +02001265 VRB(session, "Failed user \"%s\" authentication attempt (#%d).", session->username,
1266 session->opts.server.ssh_auth_attempts);
bhart1bb7cdb2018-07-02 15:03:30 -05001267 ssh_message_reply_default(msg);
Michal Vasko086311b2016-01-08 09:53:11 +01001268 }
1269}
1270
Michal Vaskof3c41e32022-09-09 11:22:21 +02001271/**
1272 * @brief Compare SSH key with configured authorized keys and return the username of the matching one, if any.
1273 *
1274 * @param[in] key Presented SSH key to compare.
1275 * @return Authorized key username, NULL if no match was found.
1276 */
Michal Vasko086311b2016-01-08 09:53:11 +01001277static const char *
Michal Vasko17dfda92016-12-01 14:06:16 +01001278auth_pubkey_compare_key(ssh_key key)
Michal Vasko086311b2016-01-08 09:53:11 +01001279{
1280 uint32_t i;
1281 ssh_key pub_key;
Michal Vasko76e3a352016-01-18 09:07:00 +01001282 const char *username = NULL;
Michal Vasko3e9d1682017-02-24 09:50:15 +01001283 int ret = 0;
Michal Vasko086311b2016-01-08 09:53:11 +01001284
Michal Vaskoa05c7b12017-01-30 14:33:08 +01001285 /* LOCK */
1286 pthread_mutex_lock(&server_opts.authkey_lock);
1287
Michal Vasko17dfda92016-12-01 14:06:16 +01001288 for (i = 0; i < server_opts.authkey_count; ++i) {
1289 switch (server_opts.authkeys[i].type) {
1290 case NC_SSH_KEY_UNKNOWN:
1291 ret = ssh_pki_import_pubkey_file(server_opts.authkeys[i].path, &pub_key);
1292 break;
1293 case NC_SSH_KEY_DSA:
1294 ret = ssh_pki_import_pubkey_base64(server_opts.authkeys[i].base64, SSH_KEYTYPE_DSS, &pub_key);
1295 break;
1296 case NC_SSH_KEY_RSA:
1297 ret = ssh_pki_import_pubkey_base64(server_opts.authkeys[i].base64, SSH_KEYTYPE_RSA, &pub_key);
1298 break;
1299 case NC_SSH_KEY_ECDSA:
1300 ret = ssh_pki_import_pubkey_base64(server_opts.authkeys[i].base64, SSH_KEYTYPE_ECDSA, &pub_key);
1301 break;
1302 }
1303
Michal Vasko7abcdeb2016-05-30 15:27:00 +02001304 if (ret == SSH_EOF) {
Michal Vasko05532772021-06-03 12:12:38 +02001305 WRN(NULL, "Failed to import a public key of \"%s\" (File access problem).", server_opts.authkeys[i].username);
Michal Vasko7abcdeb2016-05-30 15:27:00 +02001306 continue;
1307 } else if (ret == SSH_ERROR) {
Michal Vasko05532772021-06-03 12:12:38 +02001308 WRN(NULL, "Failed to import a public key of \"%s\" (SSH error).", server_opts.authkeys[i].username);
Michal Vasko086311b2016-01-08 09:53:11 +01001309 continue;
1310 }
1311
1312 if (!ssh_key_cmp(key, pub_key, SSH_KEY_CMP_PUBLIC)) {
1313 ssh_key_free(pub_key);
1314 break;
1315 }
1316
1317 ssh_key_free(pub_key);
1318 }
1319
Michal Vasko17dfda92016-12-01 14:06:16 +01001320 if (i < server_opts.authkey_count) {
1321 username = server_opts.authkeys[i].username;
Michal Vasko086311b2016-01-08 09:53:11 +01001322 }
1323
Michal Vaskoa05c7b12017-01-30 14:33:08 +01001324 /* UNLOCK */
1325 pthread_mutex_unlock(&server_opts.authkey_lock);
1326
Michal Vasko086311b2016-01-08 09:53:11 +01001327 return username;
1328}
1329
1330static void
1331nc_sshcb_auth_pubkey(struct nc_session *session, ssh_message msg)
1332{
1333 const char *username;
1334 int signature_state;
1335
Michal Vasko733c0bd2018-07-03 13:14:40 +02001336 if (server_opts.pubkey_auth_clb) {
1337 if (server_opts.pubkey_auth_clb(session, ssh_message_auth_pubkey(msg), server_opts.pubkey_auth_data)) {
bhart3bc2f582018-06-05 12:40:32 -05001338 goto fail;
1339 }
Michal Vasko733c0bd2018-07-03 13:14:40 +02001340 } else {
bhart3bc2f582018-06-05 12:40:32 -05001341 if ((username = auth_pubkey_compare_key(ssh_message_auth_pubkey(msg))) == NULL) {
Michal Vasko05532772021-06-03 12:12:38 +02001342 VRB(session, "User \"%s\" tried to use an unknown (unauthorized) public key.", session->username);
bhart3bc2f582018-06-05 12:40:32 -05001343 goto fail;
1344 } else if (strcmp(session->username, username)) {
Michal Vasko05532772021-06-03 12:12:38 +02001345 VRB(session, "User \"%s\" is not the username identified with the presented public key.", session->username);
bhart3bc2f582018-06-05 12:40:32 -05001346 goto fail;
1347 }
Michal Vaskobd13a932016-09-14 09:00:35 +02001348 }
Michal Vaskobd13a932016-09-14 09:00:35 +02001349
Michal Vasko086311b2016-01-08 09:53:11 +01001350 signature_state = ssh_message_auth_publickey_state(msg);
1351 if (signature_state == SSH_PUBLICKEY_STATE_VALID) {
Michal Vasko05532772021-06-03 12:12:38 +02001352 VRB(session, "User \"%s\" authenticated.", session->username);
Michal Vasko086311b2016-01-08 09:53:11 +01001353 session->flags |= NC_SESSION_SSH_AUTHENTICATED;
1354 ssh_message_auth_reply_success(msg, 0);
Michal Vasko086311b2016-01-08 09:53:11 +01001355 } else if (signature_state == SSH_PUBLICKEY_STATE_NONE) {
Michal Vaskobd13a932016-09-14 09:00:35 +02001356 /* accepting only the use of a public key */
1357 ssh_message_auth_reply_pk_ok_simple(msg);
Michal Vasko086311b2016-01-08 09:53:11 +01001358 }
1359
Michal Vaskobd13a932016-09-14 09:00:35 +02001360 return;
1361
1362fail:
Michal Vasko2e6defd2016-10-07 15:48:15 +02001363 ++session->opts.server.ssh_auth_attempts;
Michal Vasko05532772021-06-03 12:12:38 +02001364 VRB(session, "Failed user \"%s\" authentication attempt (#%d).", session->username,
1365 session->opts.server.ssh_auth_attempts);
Michal Vasko086311b2016-01-08 09:53:11 +01001366 ssh_message_reply_default(msg);
1367}
1368
1369static int
Michal Vasko96164bf2016-01-21 15:41:58 +01001370nc_sshcb_channel_open(struct nc_session *session, ssh_message msg)
Michal Vasko086311b2016-01-08 09:53:11 +01001371{
Michal Vasko96164bf2016-01-21 15:41:58 +01001372 ssh_channel chan;
1373
1374 /* first channel request */
1375 if (!session->ti.libssh.channel) {
1376 if (session->status != NC_STATUS_STARTING) {
Michal Vasko9e036d52016-01-08 10:49:26 +01001377 ERRINT;
Michal Vasko086311b2016-01-08 09:53:11 +01001378 return -1;
1379 }
Michal Vasko96164bf2016-01-21 15:41:58 +01001380 chan = ssh_message_channel_request_open_reply_accept(msg);
1381 if (!chan) {
Michal Vasko05532772021-06-03 12:12:38 +02001382 ERR(session, "Failed to create a new SSH channel.");
Michal Vasko96164bf2016-01-21 15:41:58 +01001383 return -1;
1384 }
1385 session->ti.libssh.channel = chan;
Michal Vasko086311b2016-01-08 09:53:11 +01001386
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001387 /* additional channel request */
Michal Vasko96164bf2016-01-21 15:41:58 +01001388 } else {
1389 chan = ssh_message_channel_request_open_reply_accept(msg);
1390 if (!chan) {
Michal Vasko05532772021-06-03 12:12:38 +02001391 ERR(session, "Session %u: failed to create a new SSH channel.", session->id);
Michal Vasko96164bf2016-01-21 15:41:58 +01001392 return -1;
1393 }
1394 /* channel was created and libssh stored it internally in the ssh_session structure, good enough */
Michal Vasko086311b2016-01-08 09:53:11 +01001395 }
1396
Michal Vasko086311b2016-01-08 09:53:11 +01001397 return 0;
1398}
1399
1400static int
1401nc_sshcb_channel_subsystem(struct nc_session *session, ssh_channel channel, const char *subsystem)
1402{
Michal Vasko96164bf2016-01-21 15:41:58 +01001403 struct nc_session *new_session;
Michal Vasko086311b2016-01-08 09:53:11 +01001404
Michal Vasko96164bf2016-01-21 15:41:58 +01001405 if (strcmp(subsystem, "netconf")) {
Michal Vasko05532772021-06-03 12:12:38 +02001406 WRN(session, "Received an unknown subsystem \"%s\" request.", subsystem);
Michal Vasko086311b2016-01-08 09:53:11 +01001407 return -1;
1408 }
1409
Michal Vasko96164bf2016-01-21 15:41:58 +01001410 if (session->ti.libssh.channel == channel) {
1411 /* first channel requested */
1412 if (session->ti.libssh.next || (session->status != NC_STATUS_STARTING)) {
1413 ERRINT;
1414 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +01001415 }
Michal Vasko96164bf2016-01-21 15:41:58 +01001416 if (session->flags & NC_SESSION_SSH_SUBSYS_NETCONF) {
Michal Vasko05532772021-06-03 12:12:38 +02001417 ERR(session, "Subsystem \"netconf\" requested for the second time.");
Michal Vasko96164bf2016-01-21 15:41:58 +01001418 return -1;
1419 }
1420
1421 session->flags |= NC_SESSION_SSH_SUBSYS_NETCONF;
Michal Vasko086311b2016-01-08 09:53:11 +01001422 } else {
Michal Vasko96164bf2016-01-21 15:41:58 +01001423 /* additional channel subsystem request, new session is ready as far as SSH is concerned */
Michal Vasko131120a2018-05-29 15:44:02 +02001424 new_session = nc_new_session(NC_SERVER, 1);
Michal Vasko4eb3c312016-03-01 14:09:37 +01001425 if (!new_session) {
1426 ERRMEM;
1427 return -1;
1428 }
Michal Vasko96164bf2016-01-21 15:41:58 +01001429
1430 /* insert the new session */
1431 if (!session->ti.libssh.next) {
1432 new_session->ti.libssh.next = session;
1433 } else {
1434 new_session->ti.libssh.next = session->ti.libssh.next;
1435 }
1436 session->ti.libssh.next = new_session;
1437
1438 new_session->status = NC_STATUS_STARTING;
Michal Vasko96164bf2016-01-21 15:41:58 +01001439 new_session->ti_type = NC_TI_LIBSSH;
Michal Vasko131120a2018-05-29 15:44:02 +02001440 new_session->io_lock = session->io_lock;
Michal Vasko96164bf2016-01-21 15:41:58 +01001441 new_session->ti.libssh.channel = channel;
1442 new_session->ti.libssh.session = session->ti.libssh.session;
Michal Vasko93224072021-11-09 12:14:28 +01001443 new_session->username = strdup(session->username);
1444 new_session->host = strdup(session->host);
Michal Vasko96164bf2016-01-21 15:41:58 +01001445 new_session->port = session->port;
Michal Vasko93224072021-11-09 12:14:28 +01001446 new_session->ctx = (struct ly_ctx *)session->ctx;
Michal Vasko83d15322018-09-27 09:44:02 +02001447 new_session->flags = NC_SESSION_SSH_AUTHENTICATED | NC_SESSION_SSH_SUBSYS_NETCONF | NC_SESSION_SHAREDCTX;
Michal Vasko086311b2016-01-08 09:53:11 +01001448 }
1449
1450 return 0;
1451}
1452
Michal Vasko96164bf2016-01-21 15:41:58 +01001453int
Michal Vaskob48aa812016-01-18 14:13:09 +01001454nc_sshcb_msg(ssh_session UNUSED(sshsession), ssh_message msg, void *data)
Michal Vasko086311b2016-01-08 09:53:11 +01001455{
1456 const char *str_type, *str_subtype = NULL, *username;
1457 int subtype, type;
1458 struct nc_session *session = (struct nc_session *)data;
Michal Vasko086311b2016-01-08 09:53:11 +01001459
1460 type = ssh_message_type(msg);
1461 subtype = ssh_message_subtype(msg);
1462
1463 switch (type) {
1464 case SSH_REQUEST_AUTH:
1465 str_type = "request-auth";
1466 switch (subtype) {
1467 case SSH_AUTH_METHOD_NONE:
1468 str_subtype = "none";
1469 break;
1470 case SSH_AUTH_METHOD_PASSWORD:
1471 str_subtype = "password";
1472 break;
1473 case SSH_AUTH_METHOD_PUBLICKEY:
1474 str_subtype = "publickey";
1475 break;
1476 case SSH_AUTH_METHOD_HOSTBASED:
1477 str_subtype = "hostbased";
1478 break;
1479 case SSH_AUTH_METHOD_INTERACTIVE:
1480 str_subtype = "interactive";
1481 break;
1482 case SSH_AUTH_METHOD_GSSAPI_MIC:
1483 str_subtype = "gssapi-mic";
1484 break;
1485 }
1486 break;
1487
1488 case SSH_REQUEST_CHANNEL_OPEN:
1489 str_type = "request-channel-open";
1490 switch (subtype) {
1491 case SSH_CHANNEL_SESSION:
1492 str_subtype = "session";
1493 break;
1494 case SSH_CHANNEL_DIRECT_TCPIP:
1495 str_subtype = "direct-tcpip";
1496 break;
1497 case SSH_CHANNEL_FORWARDED_TCPIP:
1498 str_subtype = "forwarded-tcpip";
1499 break;
1500 case (int)SSH_CHANNEL_X11:
1501 str_subtype = "channel-x11";
1502 break;
1503 case SSH_CHANNEL_UNKNOWN:
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001504 /* fallthrough */
Michal Vasko086311b2016-01-08 09:53:11 +01001505 default:
1506 str_subtype = "unknown";
1507 break;
1508 }
1509 break;
1510
1511 case SSH_REQUEST_CHANNEL:
1512 str_type = "request-channel";
1513 switch (subtype) {
1514 case SSH_CHANNEL_REQUEST_PTY:
1515 str_subtype = "pty";
1516 break;
1517 case SSH_CHANNEL_REQUEST_EXEC:
1518 str_subtype = "exec";
1519 break;
1520 case SSH_CHANNEL_REQUEST_SHELL:
1521 str_subtype = "shell";
1522 break;
1523 case SSH_CHANNEL_REQUEST_ENV:
1524 str_subtype = "env";
1525 break;
1526 case SSH_CHANNEL_REQUEST_SUBSYSTEM:
1527 str_subtype = "subsystem";
1528 break;
1529 case SSH_CHANNEL_REQUEST_WINDOW_CHANGE:
1530 str_subtype = "window-change";
1531 break;
1532 case SSH_CHANNEL_REQUEST_X11:
1533 str_subtype = "x11";
1534 break;
1535 case SSH_CHANNEL_REQUEST_UNKNOWN:
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001536 /* fallthrough */
Michal Vasko086311b2016-01-08 09:53:11 +01001537 default:
1538 str_subtype = "unknown";
1539 break;
1540 }
1541 break;
1542
1543 case SSH_REQUEST_SERVICE:
1544 str_type = "request-service";
1545 str_subtype = ssh_message_service_service(msg);
1546 break;
1547
1548 case SSH_REQUEST_GLOBAL:
1549 str_type = "request-global";
1550 switch (subtype) {
1551 case SSH_GLOBAL_REQUEST_TCPIP_FORWARD:
1552 str_subtype = "tcpip-forward";
1553 break;
1554 case SSH_GLOBAL_REQUEST_CANCEL_TCPIP_FORWARD:
1555 str_subtype = "cancel-tcpip-forward";
1556 break;
1557 case SSH_GLOBAL_REQUEST_UNKNOWN:
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001558 /* fallthrough */
Michal Vasko086311b2016-01-08 09:53:11 +01001559 default:
1560 str_subtype = "unknown";
1561 break;
1562 }
1563 break;
1564
1565 default:
1566 str_type = "unknown";
1567 str_subtype = "unknown";
1568 break;
1569 }
1570
Michal Vasko05532772021-06-03 12:12:38 +02001571 VRB(session, "Received an SSH message \"%s\" of subtype \"%s\".", str_type, str_subtype);
Michal Vasko5e0edd82020-07-29 15:26:13 +02001572 if (!session || (session->status == NC_STATUS_CLOSING) || (session->status == NC_STATUS_INVALID)) {
Michal Vaskoce319162016-02-03 15:33:08 +01001573 /* "valid" situation if, for example, receiving some auth or channel request timeouted,
1574 * but we got it now, during session free */
Michal Vasko05532772021-06-03 12:12:38 +02001575 VRB(session, "SSH message arrived on a %s session, the request will be denied.",
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001576 (session && session->status == NC_STATUS_CLOSING ? "closing" : "invalid"));
Michal Vaskoce319162016-02-03 15:33:08 +01001577 ssh_message_reply_default(msg);
1578 return 0;
1579 }
Michal Vasko96164bf2016-01-21 15:41:58 +01001580 session->flags |= NC_SESSION_SSH_NEW_MSG;
Michal Vasko086311b2016-01-08 09:53:11 +01001581
1582 /*
1583 * process known messages
1584 */
1585 if (type == SSH_REQUEST_AUTH) {
1586 if (session->flags & NC_SESSION_SSH_AUTHENTICATED) {
Michal Vasko05532772021-06-03 12:12:38 +02001587 ERR(session, "User \"%s\" authenticated, but requested another authentication.", session->username);
Michal Vasko086311b2016-01-08 09:53:11 +01001588 ssh_message_reply_default(msg);
1589 return 0;
1590 }
1591
Michal Vasko086311b2016-01-08 09:53:11 +01001592 /* save the username, do not let the client change it */
1593 username = ssh_message_auth_user(msg);
1594 if (!session->username) {
1595 if (!username) {
Michal Vasko05532772021-06-03 12:12:38 +02001596 ERR(session, "Denying an auth request without a username.");
Michal Vasko086311b2016-01-08 09:53:11 +01001597 return 1;
1598 }
1599
Michal Vasko93224072021-11-09 12:14:28 +01001600 session->username = strdup(username);
Michal Vasko086311b2016-01-08 09:53:11 +01001601 } else if (username) {
1602 if (strcmp(username, session->username)) {
Michal Vasko05532772021-06-03 12:12:38 +02001603 ERR(session, "User \"%s\" changed its username to \"%s\".", session->username, username);
Michal Vasko086311b2016-01-08 09:53:11 +01001604 session->status = NC_STATUS_INVALID;
Michal Vasko428087d2016-01-14 16:04:28 +01001605 session->term_reason = NC_SESSION_TERM_OTHER;
Michal Vasko086311b2016-01-08 09:53:11 +01001606 return 1;
1607 }
1608 }
1609
1610 if (subtype == SSH_AUTH_METHOD_NONE) {
1611 /* libssh will return the supported auth methods */
1612 return 1;
1613 } else if (subtype == SSH_AUTH_METHOD_PASSWORD) {
1614 nc_sshcb_auth_password(session, msg);
1615 return 0;
1616 } else if (subtype == SSH_AUTH_METHOD_PUBLICKEY) {
1617 nc_sshcb_auth_pubkey(session, msg);
1618 return 0;
1619 } else if (subtype == SSH_AUTH_METHOD_INTERACTIVE) {
1620 nc_sshcb_auth_kbdint(session, msg);
1621 return 0;
1622 }
1623 } else if (session->flags & NC_SESSION_SSH_AUTHENTICATED) {
Michal Vasko0df67562016-01-21 15:50:11 +01001624 if ((type == SSH_REQUEST_CHANNEL_OPEN) && ((enum ssh_channel_type_e)subtype == SSH_CHANNEL_SESSION)) {
Michal Vasko96164bf2016-01-21 15:41:58 +01001625 if (nc_sshcb_channel_open(session, msg)) {
Michal Vasko086311b2016-01-08 09:53:11 +01001626 ssh_message_reply_default(msg);
Michal Vasko086311b2016-01-08 09:53:11 +01001627 }
Michal Vasko086311b2016-01-08 09:53:11 +01001628 return 0;
Michal Vasko96164bf2016-01-21 15:41:58 +01001629
Michal Vasko0df67562016-01-21 15:50:11 +01001630 } else if ((type == SSH_REQUEST_CHANNEL) && ((enum ssh_channel_requests_e)subtype == SSH_CHANNEL_REQUEST_SUBSYSTEM)) {
Michal Vasko96164bf2016-01-21 15:41:58 +01001631 if (nc_sshcb_channel_subsystem(session, ssh_message_channel_request_channel(msg),
1632 ssh_message_channel_request_subsystem(msg))) {
Michal Vasko086311b2016-01-08 09:53:11 +01001633 ssh_message_reply_default(msg);
Michal Vasko96164bf2016-01-21 15:41:58 +01001634 } else {
1635 ssh_message_channel_request_reply_success(msg);
Michal Vasko086311b2016-01-08 09:53:11 +01001636 }
1637 return 0;
1638 }
1639 }
1640
1641 /* we did not process it */
1642 return 1;
1643}
1644
Michal Vasko1a38c862016-01-15 15:50:07 +01001645/* ret 1 on success, 0 on timeout, -1 on error */
Michal Vasko086311b2016-01-08 09:53:11 +01001646static int
Michal Vasko09d700f2022-09-08 10:21:40 +02001647nc_accept_ssh_session_open_netconf_channel(struct nc_session *session, int timeout)
Michal Vasko086311b2016-01-08 09:53:11 +01001648{
Michal Vasko36c7be82017-02-22 13:37:59 +01001649 int ret;
roman6ece9c52022-06-22 09:29:17 +02001650 struct timespec ts_timeout;
Michal Vasko086311b2016-01-08 09:53:11 +01001651
1652 /* message callback is executed twice to give chance for the channel to be
1653 * created if timeout == 0 (it takes 2 messages, channel-open, subsystem-request) */
Michal Vasko7f1c78b2016-01-19 09:52:14 +01001654 if (!timeout) {
Michal Vasko2a7d4732016-01-15 09:24:46 +01001655 if (!nc_session_is_connected(session)) {
Michal Vasko05532772021-06-03 12:12:38 +02001656 ERR(session, "Communication socket unexpectedly closed (libssh).");
Michal Vasko2a7d4732016-01-15 09:24:46 +01001657 return -1;
1658 }
1659
Michal Vasko7f1c78b2016-01-19 09:52:14 +01001660 ret = ssh_execute_message_callbacks(session->ti.libssh.session);
1661 if (ret != SSH_OK) {
Michal Vasko05532772021-06-03 12:12:38 +02001662 ERR(session, "Failed to receive SSH messages on a session (%s).",
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001663 ssh_get_error(session->ti.libssh.session));
Michal Vasko086311b2016-01-08 09:53:11 +01001664 return -1;
1665 }
1666
Michal Vasko7f1c78b2016-01-19 09:52:14 +01001667 if (!session->ti.libssh.channel) {
Michal Vasko7f1c78b2016-01-19 09:52:14 +01001668 return 0;
1669 }
1670
1671 ret = ssh_execute_message_callbacks(session->ti.libssh.session);
1672 if (ret != SSH_OK) {
Michal Vasko05532772021-06-03 12:12:38 +02001673 ERR(session, "Failed to receive SSH messages on a session (%s).",
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001674 ssh_get_error(session->ti.libssh.session));
Michal Vasko7f1c78b2016-01-19 09:52:14 +01001675 return -1;
1676 }
Michal Vasko7f1c78b2016-01-19 09:52:14 +01001677
1678 if (!(session->flags & NC_SESSION_SSH_SUBSYS_NETCONF)) {
1679 /* we did not receive subsystem-request, timeout */
1680 return 0;
1681 }
1682
1683 return 1;
1684 }
1685
Michal Vasko36c7be82017-02-22 13:37:59 +01001686 if (timeout > -1) {
roman6ece9c52022-06-22 09:29:17 +02001687 nc_gettimespec_mono_add(&ts_timeout, timeout);
Michal Vasko36c7be82017-02-22 13:37:59 +01001688 }
Michal Vasko7f1c78b2016-01-19 09:52:14 +01001689 while (1) {
1690 if (!nc_session_is_connected(session)) {
Michal Vasko05532772021-06-03 12:12:38 +02001691 ERR(session, "Communication socket unexpectedly closed (libssh).");
Michal Vasko7f1c78b2016-01-19 09:52:14 +01001692 return -1;
1693 }
1694
Michal Vasko7f1c78b2016-01-19 09:52:14 +01001695 ret = ssh_execute_message_callbacks(session->ti.libssh.session);
1696 if (ret != SSH_OK) {
Michal Vasko05532772021-06-03 12:12:38 +02001697 ERR(session, "Failed to receive SSH messages on a session (%s).",
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001698 ssh_get_error(session->ti.libssh.session));
Michal Vasko7f1c78b2016-01-19 09:52:14 +01001699 return -1;
1700 }
1701
Michal Vasko086311b2016-01-08 09:53:11 +01001702 if (session->ti.libssh.channel && (session->flags & NC_SESSION_SSH_SUBSYS_NETCONF)) {
Michal Vasko1a38c862016-01-15 15:50:07 +01001703 return 1;
Michal Vasko086311b2016-01-08 09:53:11 +01001704 }
1705
Michal Vasko086311b2016-01-08 09:53:11 +01001706 usleep(NC_TIMEOUT_STEP);
Michal Vasko60d8ffb2022-07-21 11:08:34 +02001707 if ((timeout > -1) && (nc_difftimespec_mono_cur(&ts_timeout) < 1)) {
roman6ece9c52022-06-22 09:29:17 +02001708 /* timeout */
1709 ERR(session, "Failed to start \"netconf\" SSH subsystem for too long, disconnecting.");
1710 break;
Michal Vasko36c7be82017-02-22 13:37:59 +01001711 }
Michal Vasko7f1c78b2016-01-19 09:52:14 +01001712 }
Michal Vasko086311b2016-01-08 09:53:11 +01001713
Michal Vasko1a38c862016-01-15 15:50:07 +01001714 return 0;
Michal Vasko086311b2016-01-08 09:53:11 +01001715}
1716
Michal Vaskof3c41e32022-09-09 11:22:21 +02001717/**
1718 * @brief Set hostkeys to be used for an SSH bind.
1719 *
1720 * @param[in] sbind SSH bind to use.
1721 * @param[in] hostkeys Array of hostkeys.
1722 * @param[in] hostkey_count Count of @p hostkeys.
1723 * @return 0 on success.
1724 * @return -1 on error.
1725 */
Michal Vasko4c1fb492017-01-30 14:31:07 +01001726static int
Michal Vasko93224072021-11-09 12:14:28 +01001727nc_ssh_bind_add_hostkeys(ssh_bind sbind, char **hostkeys, uint8_t hostkey_count)
Michal Vasko4c1fb492017-01-30 14:31:07 +01001728{
1729 uint8_t i;
1730 char *privkey_path, *privkey_data;
Michal Vaskoddce1212019-05-24 09:58:49 +02001731 int ret;
Michal Vaskoe49a15f2019-05-27 14:18:36 +02001732 NC_SSH_KEY_TYPE privkey_type;
Michal Vasko4c1fb492017-01-30 14:31:07 +01001733
1734 if (!server_opts.hostkey_clb) {
Michal Vasko05532772021-06-03 12:12:38 +02001735 ERR(NULL, "Callback for retrieving SSH host keys not set.");
Michal Vasko4c1fb492017-01-30 14:31:07 +01001736 return -1;
1737 }
1738
1739 for (i = 0; i < hostkey_count; ++i) {
1740 privkey_path = privkey_data = NULL;
Michal Vaskoddce1212019-05-24 09:58:49 +02001741 if (server_opts.hostkey_clb(hostkeys[i], server_opts.hostkey_data, &privkey_path, &privkey_data, &privkey_type)) {
Michal Vasko05532772021-06-03 12:12:38 +02001742 ERR(NULL, "Host key callback failed.");
Michal Vasko4c1fb492017-01-30 14:31:07 +01001743 return -1;
1744 }
1745
1746 if (privkey_data) {
Michal Vaskoddce1212019-05-24 09:58:49 +02001747 privkey_path = base64der_key_to_tmp_file(privkey_data, nc_keytype2str(privkey_type));
Michal Vasko4c1fb492017-01-30 14:31:07 +01001748 if (!privkey_path) {
Michal Vasko05532772021-06-03 12:12:38 +02001749 ERR(NULL, "Temporarily storing a host key into a file failed (%s).", strerror(errno));
Michal Vasko4c1fb492017-01-30 14:31:07 +01001750 free(privkey_data);
1751 return -1;
1752 }
1753 }
1754
1755 ret = ssh_bind_options_set(sbind, SSH_BIND_OPTIONS_HOSTKEY, privkey_path);
1756
1757 /* cleanup */
1758 if (privkey_data && unlink(privkey_path)) {
Michal Vasko05532772021-06-03 12:12:38 +02001759 WRN(NULL, "Removing a temporary host key file \"%s\" failed (%s).", privkey_path, strerror(errno));
Michal Vasko4c1fb492017-01-30 14:31:07 +01001760 }
Michal Vasko4c1fb492017-01-30 14:31:07 +01001761 free(privkey_data);
1762
1763 if (ret != SSH_OK) {
Michal Vasko05532772021-06-03 12:12:38 +02001764 ERR(NULL, "Failed to set hostkey \"%s\" (%s).", hostkeys[i], privkey_path);
Michal Vasko80075de2017-07-10 11:38:52 +02001765 }
1766 free(privkey_path);
1767
1768 if (ret != SSH_OK) {
Michal Vasko4c1fb492017-01-30 14:31:07 +01001769 return -1;
1770 }
1771 }
1772
1773 return 0;
1774}
1775
Michal Vasko09d700f2022-09-08 10:21:40 +02001776static int
1777nc_accept_ssh_session_auth(struct nc_session *session, const struct nc_server_ssh_opts *opts)
Michal Vasko3031aae2016-01-27 16:07:18 +01001778{
roman6ece9c52022-06-22 09:29:17 +02001779 struct timespec ts_timeout;
roman41a11e42022-06-22 09:27:08 +02001780 ssh_message msg;
Michal Vasko09d700f2022-09-08 10:21:40 +02001781 int libssh_auth_methods = 0;
Michal Vasko086311b2016-01-08 09:53:11 +01001782
Michal Vasko09d700f2022-09-08 10:21:40 +02001783 /* configure accepted auth methods */
Michal Vaskoc61c4492016-01-25 11:13:34 +01001784 if (opts->auth_methods & NC_SSH_AUTH_PUBLICKEY) {
Michal Vasko086311b2016-01-08 09:53:11 +01001785 libssh_auth_methods |= SSH_AUTH_METHOD_PUBLICKEY;
1786 }
Michal Vaskoc61c4492016-01-25 11:13:34 +01001787 if (opts->auth_methods & NC_SSH_AUTH_PASSWORD) {
Michal Vasko086311b2016-01-08 09:53:11 +01001788 libssh_auth_methods |= SSH_AUTH_METHOD_PASSWORD;
1789 }
Michal Vaskoc61c4492016-01-25 11:13:34 +01001790 if (opts->auth_methods & NC_SSH_AUTH_INTERACTIVE) {
Michal Vasko086311b2016-01-08 09:53:11 +01001791 libssh_auth_methods |= SSH_AUTH_METHOD_INTERACTIVE;
1792 }
1793 ssh_set_auth_methods(session->ti.libssh.session, libssh_auth_methods);
1794
Michal Vasko086311b2016-01-08 09:53:11 +01001795 /* authenticate */
Michal Vasko36c7be82017-02-22 13:37:59 +01001796 if (opts->auth_timeout) {
roman6ece9c52022-06-22 09:29:17 +02001797 nc_gettimespec_mono_add(&ts_timeout, opts->auth_timeout * 1000);
Michal Vasko36c7be82017-02-22 13:37:59 +01001798 }
1799 while (1) {
Michal Vasko2a7d4732016-01-15 09:24:46 +01001800 if (!nc_session_is_connected(session)) {
Michal Vasko05532772021-06-03 12:12:38 +02001801 ERR(session, "Communication SSH socket unexpectedly closed.");
Michal Vasko2a7d4732016-01-15 09:24:46 +01001802 return -1;
1803 }
1804
roman41a11e42022-06-22 09:27:08 +02001805 msg = ssh_message_get(session->ti.libssh.session);
1806 if (msg) {
1807 if (nc_sshcb_msg(session->ti.libssh.session, msg, (void *) session)) {
1808 ssh_message_reply_default(msg);
1809 }
1810 ssh_message_free(msg);
Michal Vasko086311b2016-01-08 09:53:11 +01001811 }
1812
Michal Vasko36c7be82017-02-22 13:37:59 +01001813 if (session->flags & NC_SESSION_SSH_AUTHENTICATED) {
1814 break;
1815 }
1816
Michal Vasko145ae672017-02-07 10:57:27 +01001817 if (session->opts.server.ssh_auth_attempts >= opts->auth_attempts) {
Michal Vasko05532772021-06-03 12:12:38 +02001818 ERR(session, "Too many failed authentication attempts of user \"%s\".", session->username);
Michal Vasko145ae672017-02-07 10:57:27 +01001819 return -1;
1820 }
1821
Michal Vasko086311b2016-01-08 09:53:11 +01001822 usleep(NC_TIMEOUT_STEP);
Michal Vasko60d8ffb2022-07-21 11:08:34 +02001823 if ((opts->auth_timeout) && (nc_difftimespec_mono_cur(&ts_timeout) < 1)) {
roman6ece9c52022-06-22 09:29:17 +02001824 /* timeout */
1825 break;
Michal Vasko36c7be82017-02-22 13:37:59 +01001826 }
1827 }
Michal Vasko086311b2016-01-08 09:53:11 +01001828
1829 if (!(session->flags & NC_SESSION_SSH_AUTHENTICATED)) {
1830 /* timeout */
Michal Vaskoc13da702017-02-07 10:57:57 +01001831 if (session->username) {
Michal Vasko05532772021-06-03 12:12:38 +02001832 ERR(session, "User \"%s\" failed to authenticate for too long, disconnecting.", session->username);
Michal Vaskoc13da702017-02-07 10:57:57 +01001833 } else {
Michal Vasko05532772021-06-03 12:12:38 +02001834 ERR(session, "User failed to authenticate for too long, disconnecting.");
Michal Vaskoc13da702017-02-07 10:57:57 +01001835 }
Michal Vasko1a38c862016-01-15 15:50:07 +01001836 return 0;
Michal Vasko086311b2016-01-08 09:53:11 +01001837 }
1838
Michal Vasko09d700f2022-09-08 10:21:40 +02001839 return 1;
1840}
1841
1842int
1843nc_accept_ssh_session(struct nc_session *session, int sock, int timeout)
1844{
1845 ssh_bind sbind = NULL;
1846 struct nc_server_ssh_opts *opts;
1847 int rc = 1, r;
1848 struct timespec ts_timeout;
1849
1850 opts = session->data;
1851
1852 /* other transport-specific data */
1853 session->ti_type = NC_TI_LIBSSH;
1854 session->ti.libssh.session = ssh_new();
1855 if (!session->ti.libssh.session) {
1856 ERR(NULL, "Failed to initialize a new SSH session.");
1857 rc = -1;
1858 goto cleanup;
1859 }
1860
1861 sbind = ssh_bind_new();
1862 if (!sbind) {
1863 ERR(session, "Failed to create an SSH bind.");
1864 rc = -1;
1865 goto cleanup;
1866 }
1867
1868 /* configure host keys */
1869 if (nc_ssh_bind_add_hostkeys(sbind, opts->hostkeys, opts->hostkey_count)) {
1870 rc = -1;
1871 goto cleanup;
1872 }
1873
1874 /* accept new connection on the bind */
1875 if (ssh_bind_accept_fd(sbind, session->ti.libssh.session, sock) == SSH_ERROR) {
1876 ERR(session, "SSH failed to accept a new connection (%s).", ssh_get_error(sbind));
1877 rc = -1;
1878 goto cleanup;
1879 }
1880 sock = -1;
1881
1882 ssh_set_blocking(session->ti.libssh.session, 0);
1883
1884 if (timeout > -1) {
1885 nc_gettimespec_mono_add(&ts_timeout, timeout);
1886 }
1887 while ((r = ssh_handle_key_exchange(session->ti.libssh.session)) == SSH_AGAIN) {
1888 /* this tends to take longer */
1889 usleep(NC_TIMEOUT_STEP * 20);
1890 if ((timeout > -1) && (nc_difftimespec_mono_cur(&ts_timeout) < 1)) {
1891 break;
1892 }
1893 }
1894 if (r == SSH_AGAIN) {
1895 ERR(session, "SSH key exchange timeout.");
1896 rc = 0;
1897 goto cleanup;
1898 } else if (r != SSH_OK) {
1899 ERR(session, "SSH key exchange error (%s).", ssh_get_error(session->ti.libssh.session));
1900 rc = -1;
1901 goto cleanup;
1902 }
1903
1904 /* authenticate */
1905 if ((rc = nc_accept_ssh_session_auth(session, opts)) != 1) {
1906 goto cleanup;
1907 }
1908
roman41a11e42022-06-22 09:27:08 +02001909 /* set the message callback after a successful authentication */
1910 ssh_set_message_callback(session->ti.libssh.session, nc_sshcb_msg, session);
1911
Michal Vasko09d700f2022-09-08 10:21:40 +02001912 /* remember that this session was just set as nc_sshcb_msg() parameter */
1913 session->flags |= NC_SESSION_SSH_MSG_CB;
1914
1915 /* open channel and request 'netconf' subsystem */
1916 if ((rc = nc_accept_ssh_session_open_netconf_channel(session, timeout)) != 1) {
1917 goto cleanup;
Michal Vasko086311b2016-01-08 09:53:11 +01001918 }
1919
Michal Vasko09d700f2022-09-08 10:21:40 +02001920 /* all SSH messages were processed */
Michal Vasko96164bf2016-01-21 15:41:58 +01001921 session->flags &= ~NC_SESSION_SSH_NEW_MSG;
Michal Vasko09d700f2022-09-08 10:21:40 +02001922
1923cleanup:
1924 if (sock > -1) {
1925 close(sock);
1926 }
1927 ssh_bind_free(sbind);
1928 return rc;
Michal Vasko086311b2016-01-08 09:53:11 +01001929}
1930
Michal Vasko71090fc2016-05-24 16:37:28 +02001931API NC_MSG_TYPE
1932nc_session_accept_ssh_channel(struct nc_session *orig_session, struct nc_session **session)
1933{
1934 NC_MSG_TYPE msgtype;
1935 struct nc_session *new_session = NULL;
Michal Vasko9f6275e2017-10-05 13:50:05 +02001936 struct timespec ts_cur;
Michal Vasko71090fc2016-05-24 16:37:28 +02001937
1938 if (!orig_session) {
1939 ERRARG("orig_session");
1940 return NC_MSG_ERROR;
1941 } else if (!session) {
1942 ERRARG("session");
1943 return NC_MSG_ERROR;
1944 }
1945
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001946 if ((orig_session->status == NC_STATUS_RUNNING) && (orig_session->ti_type == NC_TI_LIBSSH) &&
1947 orig_session->ti.libssh.next) {
Michal Vasko71090fc2016-05-24 16:37:28 +02001948 for (new_session = orig_session->ti.libssh.next;
1949 new_session != orig_session;
1950 new_session = new_session->ti.libssh.next) {
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001951 if ((new_session->status == NC_STATUS_STARTING) && new_session->ti.libssh.channel &&
1952 (new_session->flags & NC_SESSION_SSH_SUBSYS_NETCONF)) {
Michal Vasko71090fc2016-05-24 16:37:28 +02001953 /* we found our session */
1954 break;
1955 }
1956 }
1957 if (new_session == orig_session) {
1958 new_session = NULL;
1959 }
1960 }
1961
1962 if (!new_session) {
Michal Vasko05532772021-06-03 12:12:38 +02001963 ERR(orig_session, "Session does not have a NETCONF SSH channel ready.");
Michal Vasko71090fc2016-05-24 16:37:28 +02001964 return NC_MSG_ERROR;
1965 }
1966
1967 /* assign new SID atomically */
Michal Vasko5bd4a3f2021-06-17 16:40:10 +02001968 new_session->id = ATOMIC_INC_RELAXED(server_opts.new_session_id);
Michal Vasko71090fc2016-05-24 16:37:28 +02001969
1970 /* NETCONF handshake */
Michal Vasko131120a2018-05-29 15:44:02 +02001971 msgtype = nc_handshake_io(new_session);
Michal Vasko71090fc2016-05-24 16:37:28 +02001972 if (msgtype != NC_MSG_HELLO) {
1973 return msgtype;
1974 }
1975
roman6ece9c52022-06-22 09:29:17 +02001976 nc_gettimespec_real_add(&ts_cur, 0);
Michal Vasko9f6275e2017-10-05 13:50:05 +02001977 new_session->opts.server.session_start = ts_cur.tv_sec;
roman6ece9c52022-06-22 09:29:17 +02001978 nc_gettimespec_mono_add(&ts_cur, 0);
Michal Vasko9f6275e2017-10-05 13:50:05 +02001979 new_session->opts.server.last_rpc = ts_cur.tv_sec;
Michal Vasko71090fc2016-05-24 16:37:28 +02001980 new_session->status = NC_STATUS_RUNNING;
1981 *session = new_session;
1982
1983 return msgtype;
1984}
1985
1986API NC_MSG_TYPE
Michal Vasko96164bf2016-01-21 15:41:58 +01001987nc_ps_accept_ssh_channel(struct nc_pollsession *ps, struct nc_session **session)
Michal Vasko086311b2016-01-08 09:53:11 +01001988{
Michal Vaskobdcf2362016-07-26 11:35:43 +02001989 uint8_t q_id;
Michal Vasko71090fc2016-05-24 16:37:28 +02001990 NC_MSG_TYPE msgtype;
Michal Vaskoe4300a82017-05-24 10:35:42 +02001991 struct nc_session *new_session = NULL, *cur_session;
Michal Vasko9f6275e2017-10-05 13:50:05 +02001992 struct timespec ts_cur;
Michal Vaskoc61c4492016-01-25 11:13:34 +01001993 uint16_t i;
Michal Vasko086311b2016-01-08 09:53:11 +01001994
Michal Vasko45e53ae2016-04-07 11:46:03 +02001995 if (!ps) {
1996 ERRARG("ps");
Michal Vasko71090fc2016-05-24 16:37:28 +02001997 return NC_MSG_ERROR;
Michal Vasko45e53ae2016-04-07 11:46:03 +02001998 } else if (!session) {
1999 ERRARG("session");
Michal Vasko71090fc2016-05-24 16:37:28 +02002000 return NC_MSG_ERROR;
Michal Vasko086311b2016-01-08 09:53:11 +01002001 }
2002
Michal Vasko48a63ed2016-03-01 09:48:21 +01002003 /* LOCK */
Michal Vasko227f8ff2016-07-26 14:08:59 +02002004 if (nc_ps_lock(ps, &q_id, __func__)) {
Michal Vasko71090fc2016-05-24 16:37:28 +02002005 return NC_MSG_ERROR;
Michal Vaskof04a52a2016-04-07 10:52:10 +02002006 }
Michal Vasko48a63ed2016-03-01 09:48:21 +01002007
Michal Vasko96164bf2016-01-21 15:41:58 +01002008 for (i = 0; i < ps->session_count; ++i) {
fanchanghu3d4e7212017-08-09 09:42:30 +08002009 cur_session = ps->sessions[i]->session;
Michal Vaskob83a3fa2021-05-26 09:53:42 +02002010 if ((cur_session->status == NC_STATUS_RUNNING) && (cur_session->ti_type == NC_TI_LIBSSH) &&
2011 cur_session->ti.libssh.next) {
Michal Vasko96164bf2016-01-21 15:41:58 +01002012 /* an SSH session with more channels */
Michal Vaskoe4300a82017-05-24 10:35:42 +02002013 for (new_session = cur_session->ti.libssh.next;
2014 new_session != cur_session;
Michal Vasko96164bf2016-01-21 15:41:58 +01002015 new_session = new_session->ti.libssh.next) {
Michal Vaskob83a3fa2021-05-26 09:53:42 +02002016 if ((new_session->status == NC_STATUS_STARTING) && new_session->ti.libssh.channel &&
2017 (new_session->flags & NC_SESSION_SSH_SUBSYS_NETCONF)) {
Michal Vasko96164bf2016-01-21 15:41:58 +01002018 /* we found our session */
2019 break;
2020 }
2021 }
Michal Vaskoe4300a82017-05-24 10:35:42 +02002022 if (new_session != cur_session) {
Michal Vasko96164bf2016-01-21 15:41:58 +01002023 break;
2024 }
Michal Vaskofb89d772016-01-08 12:25:35 +01002025
Michal Vasko96164bf2016-01-21 15:41:58 +01002026 new_session = NULL;
2027 }
2028 }
Michal Vaskofb89d772016-01-08 12:25:35 +01002029
Michal Vasko48a63ed2016-03-01 09:48:21 +01002030 /* UNLOCK */
Michal Vasko227f8ff2016-07-26 14:08:59 +02002031 nc_ps_unlock(ps, q_id, __func__);
Michal Vasko48a63ed2016-03-01 09:48:21 +01002032
Michal Vasko96164bf2016-01-21 15:41:58 +01002033 if (!new_session) {
Michal Vasko05532772021-06-03 12:12:38 +02002034 ERR(NULL, "No session with a NETCONF SSH channel ready was found.");
Michal Vasko71090fc2016-05-24 16:37:28 +02002035 return NC_MSG_ERROR;
Michal Vasko96164bf2016-01-21 15:41:58 +01002036 }
2037
2038 /* assign new SID atomically */
Michal Vasko5bd4a3f2021-06-17 16:40:10 +02002039 new_session->id = ATOMIC_INC_RELAXED(server_opts.new_session_id);
Michal Vaskofb89d772016-01-08 12:25:35 +01002040
Michal Vasko086311b2016-01-08 09:53:11 +01002041 /* NETCONF handshake */
Michal Vasko131120a2018-05-29 15:44:02 +02002042 msgtype = nc_handshake_io(new_session);
Michal Vasko71090fc2016-05-24 16:37:28 +02002043 if (msgtype != NC_MSG_HELLO) {
2044 return msgtype;
Michal Vasko086311b2016-01-08 09:53:11 +01002045 }
Michal Vasko48a63ed2016-03-01 09:48:21 +01002046
roman6ece9c52022-06-22 09:29:17 +02002047 nc_gettimespec_real_add(&ts_cur, 0);
Michal Vasko9f6275e2017-10-05 13:50:05 +02002048 new_session->opts.server.session_start = ts_cur.tv_sec;
roman6ece9c52022-06-22 09:29:17 +02002049 nc_gettimespec_mono_add(&ts_cur, 0);
Michal Vasko9f6275e2017-10-05 13:50:05 +02002050 new_session->opts.server.last_rpc = ts_cur.tv_sec;
Michal Vasko086311b2016-01-08 09:53:11 +01002051 new_session->status = NC_STATUS_RUNNING;
Michal Vasko96164bf2016-01-21 15:41:58 +01002052 *session = new_session;
Michal Vasko086311b2016-01-08 09:53:11 +01002053
Michal Vasko71090fc2016-05-24 16:37:28 +02002054 return msgtype;
Michal Vasko086311b2016-01-08 09:53:11 +01002055}