blob: 5b51a934a2c98520aba3119a3a54e87f83f0d2d0 [file] [log] [blame]
Radek Krejciac6d3472015-10-22 15:47:18 +02001/**
Michal Vasko086311b2016-01-08 09:53:11 +01002 * \file session_client_ssh.c
Radek Krejciac6d3472015-10-22 15:47:18 +02003 * \author Radek Krejci <rkrejci@cesnet.cz>
Michal Vasko086311b2016-01-08 09:53:11 +01004 * \author Michal Vasko <mvasko@cesnet.cz>
5 * \brief libnetconf2 - SSH specific client session transport functions
Radek Krejciac6d3472015-10-22 15:47:18 +02006 *
7 * This source is compiled only with libssh.
8 *
9 * Copyright (c) 2015 CESNET, z.s.p.o.
10 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +010011 * This source code is licensed under BSD 3-Clause License (the "License").
12 * You may not use this file except in compliance with the License.
13 * You may obtain a copy of the License at
Michal Vaskoafd416b2016-02-25 14:51:46 +010014 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +010015 * https://opensource.org/licenses/BSD-3-Clause
Radek Krejciac6d3472015-10-22 15:47:18 +020016 */
17
Michal Vasko7b62fed2015-10-26 15:39:46 +010018#define _GNU_SOURCE
Radek Krejciac6d3472015-10-22 15:47:18 +020019#include <assert.h>
Michal Vasko7b62fed2015-10-26 15:39:46 +010020#include <stdlib.h>
21#include <stddef.h>
22#include <stdio.h>
Radek Krejciac6d3472015-10-22 15:47:18 +020023#include <string.h>
Michal Vasko7b62fed2015-10-26 15:39:46 +010024#include <errno.h>
25#include <fcntl.h>
26#include <termios.h>
27#include <sys/types.h>
28#include <sys/stat.h>
29#include <pwd.h>
Radek Krejciac6d3472015-10-22 15:47:18 +020030#include <unistd.h>
31
Michal Vasko7b62fed2015-10-26 15:39:46 +010032#ifdef ENABLE_DNSSEC
33# include <validator/validator.h>
34# include <validator/resolver.h>
35# include <validator/validator-compat.h>
36#endif
37
Michal Vasko745ff832015-12-08 14:40:29 +010038#include <libssh/libssh.h>
Radek Krejciac6d3472015-10-22 15:47:18 +020039#include <libyang/libyang.h>
40
Michal Vaskoe22c6732016-01-29 11:03:02 +010041#include "session_client.h"
42#include "session_client_ch.h"
Radek Krejciac6d3472015-10-22 15:47:18 +020043#include "libnetconf.h"
44
Michal Vaskoef112d72016-02-18 13:28:25 +010045static int sshauth_hostkey_check(const char *hostname, ssh_session session);
Michal Vasko30e2c872016-02-18 10:03:21 +010046static char *sshauth_password(const char *username, const char *hostname);
47static char *sshauth_interactive(const char *auth_name, const char *instruction, const char *prompt, int echo);
48static char *sshauth_privkey_passphrase(const char* privkey_path);
49
Michal Vaskodaf9a092016-02-09 10:42:05 +010050extern struct nc_client_opts client_opts;
51
Michal Vasko3031aae2016-01-27 16:07:18 +010052static struct nc_client_ssh_opts ssh_opts = {
Michal Vasko30e2c872016-02-18 10:03:21 +010053 .auth_pref = {{NC_SSH_AUTH_INTERACTIVE, 3}, {NC_SSH_AUTH_PASSWORD, 2}, {NC_SSH_AUTH_PUBLICKEY, 1}},
Michal Vaskoef112d72016-02-18 13:28:25 +010054 .auth_hostkey_check = sshauth_hostkey_check,
Michal Vasko30e2c872016-02-18 10:03:21 +010055 .auth_password = sshauth_password,
56 .auth_interactive = sshauth_interactive,
57 .auth_privkey_passphrase = sshauth_privkey_passphrase
Michal Vasko7b62fed2015-10-26 15:39:46 +010058};
Radek Krejciac6d3472015-10-22 15:47:18 +020059
Michal Vasko3031aae2016-01-27 16:07:18 +010060static struct nc_client_ssh_opts ssh_ch_opts = {
Michal Vasko30e2c872016-02-18 10:03:21 +010061 .auth_pref = {{NC_SSH_AUTH_INTERACTIVE, 1}, {NC_SSH_AUTH_PASSWORD, 2}, {NC_SSH_AUTH_PUBLICKEY, 3}},
Michal Vaskoef112d72016-02-18 13:28:25 +010062 .auth_hostkey_check = sshauth_hostkey_check,
Michal Vasko30e2c872016-02-18 10:03:21 +010063 .auth_password = sshauth_password,
64 .auth_interactive = sshauth_interactive,
65 .auth_privkey_passphrase = sshauth_privkey_passphrase
Michal Vasko3031aae2016-01-27 16:07:18 +010066};
67
Michal Vaskoe22c6732016-01-29 11:03:02 +010068static void
69_nc_client_ssh_destroy_opts(struct nc_client_ssh_opts *opts)
Michal Vasko990089e2015-10-27 15:05:25 +010070{
71 int i;
72
Michal Vaskoe22c6732016-01-29 11:03:02 +010073 for (i = 0; i < opts->key_count; ++i) {
74 free(opts->keys[i].pubkey_path);
75 free(opts->keys[i].privkey_path);
Michal Vasko990089e2015-10-27 15:05:25 +010076 }
Michal Vaskoe22c6732016-01-29 11:03:02 +010077 free(opts->keys);
78 free(opts->username);
79}
Michal Vasko990089e2015-10-27 15:05:25 +010080
Michal Vaskob7558c52016-02-26 15:04:19 +010081void
Michal Vaskoe22c6732016-01-29 11:03:02 +010082nc_client_ssh_destroy_opts(void)
83{
84 _nc_client_ssh_destroy_opts(&ssh_opts);
85 _nc_client_ssh_destroy_opts(&ssh_ch_opts);
Michal Vasko990089e2015-10-27 15:05:25 +010086}
87
Michal Vaskoef112d72016-02-18 13:28:25 +010088#ifdef ENABLE_DNSSEC
89
90/* return 0 (DNSSEC + key valid), 1 (unsecure DNS + key valid), 2 (key not found or an error) */
91/* type - 1 (RSA), 2 (DSA), 3 (ECDSA); alg - 1 (SHA1), 2 (SHA-256) */
92static int
Michal Vasko650011a2016-02-25 14:49:29 +010093sshauth_hostkey_hash_dnssec_check(const char *hostname, const unsigned char *sha1hash, int type, int alg) {
Michal Vaskoef112d72016-02-18 13:28:25 +010094 ns_msg handle;
95 ns_rr rr;
96 val_status_t val_status;
97 const unsigned char* rdata;
98 unsigned char buf[4096];
99 int buf_len = 4096;
100 int ret = 0, i, j, len;
101
102 /* class 1 - internet, type 44 - SSHFP */
103 len = val_res_query(NULL, hostname, 1, 44, buf, buf_len, &val_status);
104
105 if ((len < 0) || !val_istrusted(val_status)) {
106 ret = 2;
107 goto finish;
108 }
109
110 if (ns_initparse(buf, len, &handle) < 0) {
111 ERR("Failed to initialize DNSSEC response parser.");
112 ret = 2;
113 goto finish;
114 }
115
116 if ((i = libsres_msg_getflag(handle, ns_f_rcode))) {
117 ERR("DNSSEC query returned %d.", i);
118 ret = 2;
119 goto finish;
120 }
121
122 if (!libsres_msg_getflag(handle, ns_f_ad)) {
123 /* response not secured by DNSSEC */
124 ret = 1;
125 }
126
127 /* query section */
128 if (ns_parserr(&handle, ns_s_qd, 0, &rr)) {
Michal Vasko650011a2016-02-25 14:49:29 +0100129 ERR("DNSSEC query section parser fail.");
Michal Vaskoef112d72016-02-18 13:28:25 +0100130 ret = 2;
131 goto finish;
132 }
133
134 if (strcmp(hostname, ns_rr_name(rr)) || (ns_rr_type(rr) != 44) || (ns_rr_class(rr) != 1)) {
Michal Vasko650011a2016-02-25 14:49:29 +0100135 ERR("DNSSEC query in the answer does not match the original query.");
Michal Vaskoef112d72016-02-18 13:28:25 +0100136 ret = 2;
137 goto finish;
138 }
139
140 /* answer section */
141 i = 0;
142 while (!ns_parserr(&handle, ns_s_an, i, &rr)) {
143 if (ns_rr_type(rr) != 44) {
144 ++i;
145 continue;
146 }
147
148 rdata = ns_rr_rdata(rr);
149 if (rdata[0] != type) {
150 ++i;
151 continue;
152 }
153 if (rdata[1] != alg) {
154 ++i;
155 continue;
156 }
157
158 /* we found the correct SSHFP entry */
159 rdata += 2;
160 for (j = 0; j < 20; ++j) {
161 if (rdata[j] != (unsigned char)sha1hash[j]) {
162 ret = 2;
163 goto finish;
164 }
165 }
166
167 /* server fingerprint is supported by a DNS entry,
168 * we have already determined if DNSSEC was used or not
169 */
170 goto finish;
171 }
172
173 /* no match */
174 ret = 2;
175
176finish:
177 val_free_validator_state();
178 return ret;
179}
180
181#endif /* ENABLE_DNSSEC */
182
183static int
184sshauth_hostkey_check(const char *hostname, ssh_session session)
185{
186 char *hexa;
187 int c, state, ret;
188 ssh_key srv_pubkey;
189 unsigned char *hash_sha1 = NULL;
190 size_t hlen;
191 enum ssh_keytypes_e srv_pubkey_type;
192 char answer[5];
193
194 state = ssh_is_server_known(session);
195
196 ret = ssh_get_publickey(session, &srv_pubkey);
197 if (ret < 0) {
198 ERR("Unable to get server public key.");
199 return -1;
200 }
201
202 srv_pubkey_type = ssh_key_type(srv_pubkey);
203 ret = ssh_get_publickey_hash(srv_pubkey, SSH_PUBLICKEY_HASH_SHA1, &hash_sha1, &hlen);
204 ssh_key_free(srv_pubkey);
205 if (ret < 0) {
206 ERR("Failed to calculate SHA1 hash of the server public key.");
207 return -1;
208 }
209
210 hexa = ssh_get_hexa(hash_sha1, hlen);
211
212 switch (state) {
213 case SSH_SERVER_KNOWN_OK:
214 break; /* ok */
215
216 case SSH_SERVER_KNOWN_CHANGED:
217 ERR("Remote host key changed, the connection will be terminated!");
218 goto fail;
219
220 case SSH_SERVER_FOUND_OTHER:
221 WRN("Remote host key is not known, but a key of another type for this host is known. Continue with caution.");
222 goto hostkey_not_known;
223
224 case SSH_SERVER_FILE_NOT_FOUND:
225 WRN("Could not find the known hosts file.");
226 goto hostkey_not_known;
227
228 case SSH_SERVER_NOT_KNOWN:
229hostkey_not_known:
230#ifdef ENABLE_DNSSEC
231 if ((srv_pubkey_type != SSH_KEYTYPE_UNKNOWN) || (srv_pubkey_type != SSH_KEYTYPE_RSA1)) {
232 if (srv_pubkey_type == SSH_KEYTYPE_DSS) {
Michal Vasko650011a2016-02-25 14:49:29 +0100233 ret = sshauth_hostkey_hash_dnssec_check(hostname, hash_sha1, 2, 1);
Michal Vaskoef112d72016-02-18 13:28:25 +0100234 } else if (srv_pubkey_type == SSH_KEYTYPE_RSA) {
Michal Vasko650011a2016-02-25 14:49:29 +0100235 ret = sshauth_hostkey_hash_dnssec_check(hostname, hash_sha1, 1, 1);
Michal Vaskoef112d72016-02-18 13:28:25 +0100236 } else if (srv_pubkey_type == SSH_KEYTYPE_ECDSA) {
Michal Vasko650011a2016-02-25 14:49:29 +0100237 ret = sshauth_hostkey_hash_dnssec_check(hostname, hash_sha1, 3, 1);
Michal Vaskoef112d72016-02-18 13:28:25 +0100238 }
239
240 /* DNSSEC SSHFP check successful, that's enough */
241 if (!ret) {
242 VRB("DNSSEC SSHFP check successful.");
243 ssh_write_knownhost(session);
244 ssh_clean_pubkey_hash(&hash_sha1);
245 ssh_string_free_char(hexa);
246 return 0;
247 }
248 }
249#endif
250
251 /* try to get result from user */
252 fprintf(stdout, "The authenticity of the host \'%s\' cannot be established.\n", hostname);
253 fprintf(stdout, "%s key fingerprint is %s.\n", ssh_key_type_to_char(srv_pubkey_type), hexa);
254
255#ifdef ENABLE_DNSSEC
256 if (ret == 2) {
257 fprintf(stdout, "No matching host key fingerprint found using DNS.\n");
258 } else if (ret == 1) {
259 fprintf(stdout, "Matching host key fingerprint found using DNS.\n");
260 }
261#endif
262
263 fprintf(stdout, "Are you sure you want to continue connecting (yes/no)? ");
264
265 do {
266 if (fscanf(stdin, "%4s", answer) == EOF) {
267 ERR("fscanf() failed (%s).", strerror(errno));
268 goto fail;
269 }
270 while (((c = getchar()) != EOF) && (c != '\n'));
271
272 fflush(stdin);
273 if (!strcmp("yes", answer)) {
274 /* store the key into the host file */
275 ret = ssh_write_knownhost(session);
276 if (ret != SSH_OK) {
277 WRN("Adding the known host \"%s\" failed (%s).", hostname, ssh_get_error(session));
278 }
279 } else if (!strcmp("no", answer)) {
280 goto fail;
281 } else {
282 fprintf(stdout, "Please type 'yes' or 'no': ");
283 }
284 } while (strcmp(answer, "yes") && strcmp(answer, "no"));
285
286 break;
287
288 case SSH_SERVER_ERROR:
289 ssh_clean_pubkey_hash(&hash_sha1);
290 fprintf(stderr,"%s",ssh_get_error(session));
291 return -1;
292 }
293
294 ssh_clean_pubkey_hash(&hash_sha1);
295 ssh_string_free_char(hexa);
296 return 0;
297
298fail:
299 ssh_clean_pubkey_hash(&hash_sha1);
300 ssh_string_free_char(hexa);
301 return -1;
302}
303
Michal Vasko7b62fed2015-10-26 15:39:46 +0100304static char *
305sshauth_password(const char *username, const char *hostname)
Radek Krejciac6d3472015-10-22 15:47:18 +0200306{
Michal Vasko4eb3c312016-03-01 14:09:37 +0100307 char *buf;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100308 int buflen = 1024, len = 0;
309 char c = 0;
310 struct termios newterm, oldterm;
311 FILE *tty;
Radek Krejciac6d3472015-10-22 15:47:18 +0200312
Michal Vasko7b62fed2015-10-26 15:39:46 +0100313 if (!(tty = fopen("/dev/tty", "r+"))) {
Michal Vaskod083db62016-01-19 10:31:29 +0100314 ERR("Unable to open the current terminal (%s).", strerror(errno));
Michal Vasko7b62fed2015-10-26 15:39:46 +0100315 return NULL;
Radek Krejciac6d3472015-10-22 15:47:18 +0200316 }
317
Michal Vasko7b62fed2015-10-26 15:39:46 +0100318 if (tcgetattr(fileno(tty), &oldterm)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100319 ERR("Unable to get terminal settings (%s).", strerror(errno));
Michal Vasko11d142a2016-01-19 15:58:24 +0100320 fclose(tty);
Michal Vasko7b62fed2015-10-26 15:39:46 +0100321 return NULL;
322 }
Radek Krejciac6d3472015-10-22 15:47:18 +0200323
Michal Vasko7b62fed2015-10-26 15:39:46 +0100324 fprintf(tty, "%s@%s password: ", username, hostname);
325 fflush(tty);
Radek Krejciac6d3472015-10-22 15:47:18 +0200326
Michal Vasko7b62fed2015-10-26 15:39:46 +0100327 /* system("stty -echo"); */
328 newterm = oldterm;
329 newterm.c_lflag &= ~ECHO;
330 newterm.c_lflag &= ~ICANON;
331 tcflush(fileno(tty), TCIFLUSH);
332 if (tcsetattr(fileno(tty), TCSANOW, &newterm)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100333 ERR("Unable to change terminal settings for hiding password (%s).", strerror(errno));
Michal Vasko11d142a2016-01-19 15:58:24 +0100334 fclose(tty);
335 return NULL;
336 }
337
338 buf = malloc(buflen * sizeof *buf);
339 if (!buf) {
340 ERRMEM;
341 fclose(tty);
Michal Vasko7b62fed2015-10-26 15:39:46 +0100342 return NULL;
343 }
344
345 while ((fread(&c, 1, 1, tty) == 1) && (c != '\n')) {
346 if (len >= buflen - 1) {
347 buflen *= 2;
Michal Vasko4eb3c312016-03-01 14:09:37 +0100348 buf = nc_realloc(buf, buflen * sizeof *buf);
349 if (!buf) {
Michal Vaskod083db62016-01-19 10:31:29 +0100350 ERRMEM;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100351
Michal Vasko7b62fed2015-10-26 15:39:46 +0100352 /* restore terminal settings */
353 if (tcsetattr(fileno(tty), TCSANOW, &oldterm) != 0) {
Michal Vaskod083db62016-01-19 10:31:29 +0100354 ERR("Unable to restore terminal settings (%s).", strerror(errno));
Michal Vasko7b62fed2015-10-26 15:39:46 +0100355 }
Michal Vasko11d142a2016-01-19 15:58:24 +0100356 fclose(tty);
Michal Vasko7b62fed2015-10-26 15:39:46 +0100357 return NULL;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100358 }
359 }
360 buf[len++] = c;
361 }
362 buf[len++] = 0; /* terminating null byte */
363
364 /* system ("stty echo"); */
365 if (tcsetattr(fileno(tty), TCSANOW, &oldterm)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100366 ERR("Unable to restore terminal settings (%s).", strerror(errno));
Michal Vasko7b62fed2015-10-26 15:39:46 +0100367 /*
368 * terminal probably still hides input characters, but we have password
369 * and anyway we are unable to set terminal to the previous state, so
370 * just continue
371 */
372 }
373 fprintf(tty, "\n");
374
375 fclose(tty);
376 return buf;
377}
378
379static char *
380sshauth_interactive(const char *auth_name, const char *instruction, const char *prompt, int echo)
381{
382 unsigned int buflen = 8, response_len;
383 char c = 0;
384 struct termios newterm, oldterm;
Michal Vasko4eb3c312016-03-01 14:09:37 +0100385 char *response;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100386 FILE *tty;
387
388 if (!(tty = fopen("/dev/tty", "r+"))) {
Michal Vaskod083db62016-01-19 10:31:29 +0100389 ERR("Unable to open the current terminal (%s).", strerror(errno));
Michal Vasko7b62fed2015-10-26 15:39:46 +0100390 return NULL;
391 }
392
393 if (tcgetattr(fileno(tty), &oldterm) != 0) {
Michal Vaskod083db62016-01-19 10:31:29 +0100394 ERR("Unable to get terminal settings (%s).", strerror(errno));
Michal Vasko11d142a2016-01-19 15:58:24 +0100395 fclose(tty);
Michal Vasko7b62fed2015-10-26 15:39:46 +0100396 return NULL;
397 }
398
399 if (auth_name && (!fwrite(auth_name, sizeof(char), strlen(auth_name), tty)
400 || !fwrite("\n", sizeof(char), 1, tty))) {
401 ERR("Writing the auth method name into stdout failed.");
Michal Vasko11d142a2016-01-19 15:58:24 +0100402 fclose(tty);
Michal Vasko7b62fed2015-10-26 15:39:46 +0100403 return NULL;
404 }
405
406 if (instruction && (!fwrite(instruction, sizeof(char), strlen(instruction), tty)
407 || !fwrite("\n", sizeof(char), 1, tty))) {
408 ERR("Writing the instruction into stdout failed.");
Michal Vasko11d142a2016-01-19 15:58:24 +0100409 fclose(tty);
Michal Vasko7b62fed2015-10-26 15:39:46 +0100410 return NULL;
411 }
412
413 if (!fwrite(prompt, sizeof(char), strlen(prompt), tty)) {
414 ERR("Writing the authentication prompt into stdout failed.");
Michal Vasko11d142a2016-01-19 15:58:24 +0100415 fclose(tty);
Michal Vasko7b62fed2015-10-26 15:39:46 +0100416 return NULL;
417 }
418 fflush(tty);
419 if (!echo) {
420 /* system("stty -echo"); */
421 newterm = oldterm;
422 newterm.c_lflag &= ~ECHO;
423 tcflush(fileno(tty), TCIFLUSH);
424 if (tcsetattr(fileno(tty), TCSANOW, &newterm)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100425 ERR("Unable to change terminal settings for hiding password (%s).", strerror(errno));
Michal Vasko11d142a2016-01-19 15:58:24 +0100426 fclose(tty);
Michal Vasko7b62fed2015-10-26 15:39:46 +0100427 return NULL;
428 }
429 }
430
431 response = malloc(buflen * sizeof *response);
432 response_len = 0;
433 if (!response) {
434 ERRMEM;
435 /* restore terminal settings */
436 if (tcsetattr(fileno(tty), TCSANOW, &oldterm)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100437 ERR("Unable to restore terminal settings (%s).", strerror(errno));
Michal Vasko7b62fed2015-10-26 15:39:46 +0100438 }
Michal Vasko11d142a2016-01-19 15:58:24 +0100439 fclose(tty);
Michal Vasko7b62fed2015-10-26 15:39:46 +0100440 return NULL;
441 }
442
443 while ((fread(&c, 1, 1, tty) == 1) && (c != '\n')) {
444 if (response_len >= buflen - 1) {
445 buflen *= 2;
Michal Vasko4eb3c312016-03-01 14:09:37 +0100446 response = nc_realloc(response, buflen * sizeof *response);
447 if (!response) {
Michal Vaskod083db62016-01-19 10:31:29 +0100448 ERRMEM;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100449
450 /* restore terminal settings */
451 if (tcsetattr(fileno(tty), TCSANOW, &oldterm)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100452 ERR("Unable to restore terminal settings (%s).", strerror(errno));
Michal Vasko7b62fed2015-10-26 15:39:46 +0100453 }
Michal Vasko11d142a2016-01-19 15:58:24 +0100454 fclose(tty);
Michal Vasko7b62fed2015-10-26 15:39:46 +0100455 return NULL;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100456 }
457 }
458 response[response_len++] = c;
459 }
460 /* terminating null byte */
461 response[response_len++] = '\0';
462
463 /* system ("stty echo"); */
464 if (tcsetattr(fileno(tty), TCSANOW, &oldterm)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100465 ERR("Unable to restore terminal settings (%s).", strerror(errno));
Michal Vasko7b62fed2015-10-26 15:39:46 +0100466 /*
467 * terminal probably still hides input characters, but we have password
468 * and anyway we are unable to set terminal to the previous state, so
469 * just continue
470 */
471 }
472
473 fprintf(tty, "\n");
474 fclose(tty);
475 return response;
476}
477
478static char *
Michal Vasko30e2c872016-02-18 10:03:21 +0100479sshauth_privkey_passphrase(const char* privkey_path)
Michal Vasko7b62fed2015-10-26 15:39:46 +0100480{
Michal Vasko4eb3c312016-03-01 14:09:37 +0100481 char c, *buf;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100482 int buflen = 1024, len = 0;
483 struct termios newterm, oldterm;
484 FILE *tty;
485
486 buf = malloc(buflen * sizeof *buf);
487 if (!buf) {
Michal Vaskod083db62016-01-19 10:31:29 +0100488 ERRMEM;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100489 return NULL;
490 }
491
492 if (!(tty = fopen("/dev/tty", "r+"))) {
Michal Vaskod083db62016-01-19 10:31:29 +0100493 ERR("Unable to open the current terminal (%s).", strerror(errno));
Michal Vasko94e7c2d2016-01-21 15:57:57 +0100494 goto fail;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100495 }
496
497 if (tcgetattr(fileno(tty), &oldterm)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100498 ERR("Unable to get terminal settings (%s).", strerror(errno));
Michal Vasko94e7c2d2016-01-21 15:57:57 +0100499 goto fail;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100500 }
501
502 fprintf(tty, "Enter passphrase for the key '%s':", privkey_path);
503 fflush(tty);
504
505 /* system("stty -echo"); */
506 newterm = oldterm;
507 newterm.c_lflag &= ~ECHO;
508 newterm.c_lflag &= ~ICANON;
509 tcflush(fileno(tty), TCIFLUSH);
510 if (tcsetattr(fileno(tty), TCSANOW, &newterm)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100511 ERR("Unable to change terminal settings for hiding password (%s).", strerror(errno));
Michal Vasko94e7c2d2016-01-21 15:57:57 +0100512 goto fail;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100513 }
514
515 while ((fread(&c, 1, 1, tty) == 1) && (c != '\n')) {
516 if (len >= buflen - 1) {
517 buflen *= 2;
Michal Vasko4eb3c312016-03-01 14:09:37 +0100518 buf = nc_realloc(buf, buflen * sizeof *buf);
519 if (!buf) {
Michal Vasko7b62fed2015-10-26 15:39:46 +0100520 ERRMEM;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100521 /* restore terminal settings */
522 if (tcsetattr(fileno(tty), TCSANOW, &oldterm)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100523 ERR("Unable to restore terminal settings (%s).", strerror(errno));
Michal Vasko7b62fed2015-10-26 15:39:46 +0100524 }
Michal Vasko94e7c2d2016-01-21 15:57:57 +0100525 goto fail;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100526 }
Michal Vasko7b62fed2015-10-26 15:39:46 +0100527 }
528 buf[len++] = (char)c;
529 }
530 buf[len++] = 0; /* terminating null byte */
531
532 /* system ("stty echo"); */
533 if (tcsetattr(fileno(tty), TCSANOW, &oldterm)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100534 ERR("Unable to restore terminal settings (%s).", strerror(errno));
Michal Vasko7b62fed2015-10-26 15:39:46 +0100535 /*
536 * terminal probably still hides input characters, but we have password
537 * and anyway we are unable to set terminal to the previous state, so
538 * just continue
539 */
540 }
541 fprintf(tty, "\n");
542
543 fclose(tty);
544 return buf;
Michal Vasko94e7c2d2016-01-21 15:57:57 +0100545
546fail:
547 free(buf);
Michal Vaskode581a82016-01-22 13:15:35 +0100548 if (tty) {
549 fclose(tty);
550 }
Michal Vasko94e7c2d2016-01-21 15:57:57 +0100551 return NULL;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100552}
553
Michal Vaskoef112d72016-02-18 13:28:25 +0100554static void
555_nc_client_ssh_set_auth_hostkey_check_clb(int (*auth_hostkey_check)(const char *hostname, ssh_session session),
556 struct nc_client_ssh_opts *opts)
Michal Vasko7b62fed2015-10-26 15:39:46 +0100557{
Michal Vaskoef112d72016-02-18 13:28:25 +0100558 if (auth_hostkey_check) {
559 opts->auth_hostkey_check = auth_hostkey_check;
560 } else {
561 opts->auth_hostkey_check = sshauth_hostkey_check;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100562 }
Michal Vasko7b62fed2015-10-26 15:39:46 +0100563}
564
Michal Vaskoef112d72016-02-18 13:28:25 +0100565API void
566nc_client_ssh_set_auth_hostkey_check_clb(int (*auth_hostkey_check)(const char *hostname, ssh_session session))
567{
568 _nc_client_ssh_set_auth_hostkey_check_clb(auth_hostkey_check, &ssh_opts);
569}
570
571API void
572nc_client_ssh_ch_set_auth_hostkey_check_clb(int (*auth_hostkey_check)(const char *hostname, ssh_session session))
573{
574 _nc_client_ssh_set_auth_hostkey_check_clb(auth_hostkey_check, &ssh_ch_opts);
575}
576
577
Michal Vasko30e2c872016-02-18 10:03:21 +0100578static void
579_nc_client_ssh_set_auth_password_clb(char *(*auth_password)(const char *username, const char *hostname),
580 struct nc_client_ssh_opts *opts)
581{
582 if (auth_password) {
583 opts->auth_password = auth_password;
584 } else {
585 opts->auth_password = sshauth_password;
586 }
587}
588
589API void
590nc_client_ssh_set_auth_password_clb(char *(*auth_password)(const char *username, const char *hostname))
591{
592 _nc_client_ssh_set_auth_password_clb(auth_password, &ssh_opts);
593}
594
595API void
596nc_client_ssh_ch_set_auth_password_clb(char *(*auth_password)(const char *username, const char *hostname))
597{
598 _nc_client_ssh_set_auth_password_clb(auth_password, &ssh_ch_opts);
599}
600
601static void
602_nc_client_ssh_set_auth_interactive_clb(char *(*auth_interactive)(const char *auth_name, const char *instruction,
603 const char *prompt, int echo),
604 struct nc_client_ssh_opts *opts)
605{
606 if (auth_interactive) {
607 opts->auth_interactive = auth_interactive;
608 } else {
609 opts->auth_interactive = sshauth_interactive;
610 }
611}
612
613API void
614nc_client_ssh_set_auth_interactive_clb(char *(*auth_interactive)(const char *auth_name, const char *instruction,
615 const char *prompt, int echo))
616{
617 _nc_client_ssh_set_auth_interactive_clb(auth_interactive, &ssh_opts);
618}
619
620API void
621nc_client_ssh_ch_set_auth_interactive_clb(char *(*auth_interactive)(const char *auth_name, const char *instruction,
622 const char *prompt, int echo))
623{
624 _nc_client_ssh_set_auth_interactive_clb(auth_interactive, &ssh_ch_opts);
625}
626
627static void
628_nc_client_ssh_set_auth_privkey_passphrase_clb(char *(*auth_privkey_passphrase)(const char *privkey_path),
629 struct nc_client_ssh_opts *opts)
630{
631 if (auth_privkey_passphrase) {
632 opts->auth_privkey_passphrase = auth_privkey_passphrase;
633 } else {
634 opts->auth_privkey_passphrase = sshauth_privkey_passphrase;
635 }
636}
637
638API void
639nc_client_ssh_set_auth_privkey_passphrase_clb(char *(*auth_privkey_passphrase)(const char *privkey_path))
640{
641 _nc_client_ssh_set_auth_privkey_passphrase_clb(auth_privkey_passphrase, &ssh_opts);
642}
643
644API void
645nc_client_ssh_ch_set_auth_privkey_passphrase_clb(char *(*auth_privkey_passphrase)(const char *privkey_path))
646{
647 _nc_client_ssh_set_auth_privkey_passphrase_clb(auth_privkey_passphrase, &ssh_ch_opts);
648}
649
Michal Vasko3031aae2016-01-27 16:07:18 +0100650static int
651_nc_client_ssh_add_keypair(const char *pub_key, const char *priv_key, struct nc_client_ssh_opts *opts)
Michal Vasko7b62fed2015-10-26 15:39:46 +0100652{
653 int i;
654 FILE *key;
655 char line[128];
656
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100657 if (!pub_key || !priv_key) {
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100658 ERRARG;
659 return -1;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100660 }
661
Michal Vasko3031aae2016-01-27 16:07:18 +0100662 for (i = 0; i < opts->key_count; ++i) {
663 if (!strcmp(opts->keys[i].pubkey_path, pub_key) || !strcmp(opts->keys[i].privkey_path, priv_key)) {
664 if (strcmp(opts->keys[i].pubkey_path, pub_key)) {
Michal Vasko7b62fed2015-10-26 15:39:46 +0100665 WRN("Private key \"%s\" found with another public key \"%s\".",
Michal Vasko3031aae2016-01-27 16:07:18 +0100666 priv_key, opts->keys[i].pubkey_path);
Michal Vasko7b62fed2015-10-26 15:39:46 +0100667 continue;
Michal Vasko3031aae2016-01-27 16:07:18 +0100668 } else if (strcmp(opts->keys[i].privkey_path, priv_key)) {
Michal Vasko7b62fed2015-10-26 15:39:46 +0100669 WRN("Public key \"%s\" found with another private key \"%s\".",
Michal Vasko3031aae2016-01-27 16:07:18 +0100670 pub_key, opts->keys[i].privkey_path);
Michal Vasko7b62fed2015-10-26 15:39:46 +0100671 continue;
672 }
673
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100674 ERR("SSH key pair already set.");
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100675 return -1;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100676 }
677 }
678
Michal Vasko3031aae2016-01-27 16:07:18 +0100679 /* add the keys */
680 ++opts->key_count;
Michal Vasko4eb3c312016-03-01 14:09:37 +0100681 opts->keys = nc_realloc(opts->keys, opts->key_count * sizeof *opts->keys);
682 if (!opts->keys) {
683 ERRMEM;
684 return -1;
685 }
Michal Vasko3031aae2016-01-27 16:07:18 +0100686 opts->keys[opts->key_count - 1].pubkey_path = strdup(pub_key);
687 opts->keys[opts->key_count - 1].privkey_path = strdup(priv_key);
688 opts->keys[opts->key_count - 1].privkey_crypt = 0;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100689
Michal Vasko4eb3c312016-03-01 14:09:37 +0100690 if (!opts->keys[opts->key_count - 1].pubkey_path || !opts->keys[opts->key_count - 1].privkey_path) {
691 ERRMEM;
692 return -1;
693 }
694
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100695 /* check encryption */
696 if ((key = fopen(priv_key, "r"))) {
697 /* 1st line - key type */
698 if (!fgets(line, sizeof line, key)) {
Michal Vasko7b62fed2015-10-26 15:39:46 +0100699 fclose(key);
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100700 ERR("fgets() on %s failed.", priv_key);
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100701 return -1;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100702 }
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100703 /* 2nd line - encryption information or key */
704 if (!fgets(line, sizeof line, key)) {
705 fclose(key);
706 ERR("fgets() on %s failed.", priv_key);
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100707 return -1;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100708 }
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100709 fclose(key);
710 if (strcasestr(line, "encrypted")) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100711 opts->keys[opts->key_count - 1].privkey_crypt = 1;
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100712 }
Michal Vasko7b62fed2015-10-26 15:39:46 +0100713 }
714
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100715 return 0;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100716}
717
718API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100719nc_client_ssh_add_keypair(const char *pub_key, const char *priv_key)
Michal Vasko7b62fed2015-10-26 15:39:46 +0100720{
Michal Vasko3031aae2016-01-27 16:07:18 +0100721 return _nc_client_ssh_add_keypair(pub_key, priv_key, &ssh_opts);
722}
723
724API int
725nc_client_ssh_ch_add_keypair(const char *pub_key, const char *priv_key)
726{
727 return _nc_client_ssh_add_keypair(pub_key, priv_key, &ssh_ch_opts);
728}
729
730static int
731_nc_client_ssh_del_keypair(int idx, struct nc_client_ssh_opts *opts)
732{
733 if (idx >= opts->key_count) {
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100734 ERRARG;
735 return -1;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100736 }
737
Michal Vasko3031aae2016-01-27 16:07:18 +0100738 free(opts->keys[idx].pubkey_path);
739 free(opts->keys[idx].privkey_path);
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100740
Michal Vasko3031aae2016-01-27 16:07:18 +0100741 --opts->key_count;
Michal Vaskoc0256492016-02-02 12:19:06 +0100742 if (idx < opts->key_count) {
743 memcpy(&opts->keys[idx], &opts->keys[opts->key_count], sizeof *opts->keys);
744 }
745 if (opts->key_count) {
Michal Vasko4eb3c312016-03-01 14:09:37 +0100746 opts->keys = nc_realloc(opts->keys, opts->key_count * sizeof *opts->keys);
747 if (!opts->keys) {
748 ERRMEM;
749 return -1;
750 }
Michal Vaskoc0256492016-02-02 12:19:06 +0100751 } else {
752 free(opts->keys);
753 opts->keys = NULL;
754 }
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100755
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100756 return 0;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100757}
758
759API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100760nc_client_ssh_del_keypair(int idx)
Michal Vasko7b62fed2015-10-26 15:39:46 +0100761{
Michal Vasko3031aae2016-01-27 16:07:18 +0100762 return _nc_client_ssh_del_keypair(idx, &ssh_opts);
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100763}
764
765API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100766nc_client_ssh_ch_del_keypair(int idx)
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100767{
Michal Vasko3031aae2016-01-27 16:07:18 +0100768 return _nc_client_ssh_del_keypair(idx, &ssh_ch_opts);
769}
770
771static int
772_nc_client_ssh_get_keypair_count(struct nc_client_ssh_opts *opts)
773{
774 return opts->key_count;
775}
776
777API int
778nc_client_ssh_get_keypair_count(void)
779{
780 return _nc_client_ssh_get_keypair_count(&ssh_opts);
781}
782
783API int
784nc_client_ssh_ch_get_keypair_count(void)
785{
786 return _nc_client_ssh_get_keypair_count(&ssh_ch_opts);
787}
788
789static int
790_nc_client_ssh_get_keypair(int idx, const char **pub_key, const char **priv_key, struct nc_client_ssh_opts *opts)
791{
792 if ((idx >= opts->key_count) || (!pub_key && !priv_key)) {
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100793 ERRARG;
794 return -1;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100795 }
796
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100797 if (pub_key) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100798 *pub_key = opts->keys[idx].pubkey_path;
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100799 }
800 if (priv_key) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100801 *priv_key = opts->keys[idx].privkey_path;
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100802 }
803
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100804 return 0;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100805}
806
Michal Vasko3031aae2016-01-27 16:07:18 +0100807API int
808nc_client_ssh_get_keypair(int idx, const char **pub_key, const char **priv_key)
809{
810 return _nc_client_ssh_get_keypair(idx, pub_key, priv_key, &ssh_opts);
811}
812
813API int
814nc_client_ssh_ch_get_keypair(int idx, const char **pub_key, const char **priv_key)
815{
816 return _nc_client_ssh_get_keypair(idx, pub_key, priv_key, &ssh_ch_opts);
817}
818
819static void
820_nc_client_ssh_set_auth_pref(NC_SSH_AUTH_TYPE auth_type, int16_t pref, struct nc_client_ssh_opts *opts)
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100821{
822 if (pref < 0) {
823 pref = -1;
824 }
825
826 if (auth_type == NC_SSH_AUTH_INTERACTIVE) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100827 opts->auth_pref[0].value = pref;
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100828 } else if (auth_type == NC_SSH_AUTH_PASSWORD) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100829 opts->auth_pref[1].value = pref;
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100830 } else if (auth_type == NC_SSH_AUTH_PUBLICKEY) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100831 opts->auth_pref[2].value = pref;
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100832 }
833}
834
Michal Vasko3031aae2016-01-27 16:07:18 +0100835API void
836nc_client_ssh_set_auth_pref(NC_SSH_AUTH_TYPE auth_type, int16_t pref)
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100837{
Michal Vasko3031aae2016-01-27 16:07:18 +0100838 _nc_client_ssh_set_auth_pref(auth_type, pref, &ssh_opts);
839}
840
841API void
842nc_client_ssh_ch_set_auth_pref(NC_SSH_AUTH_TYPE auth_type, int16_t pref)
843{
844 _nc_client_ssh_set_auth_pref(auth_type, pref, &ssh_ch_opts);
845}
846
847static int16_t
848_nc_client_ssh_get_auth_pref(NC_SSH_AUTH_TYPE auth_type, struct nc_client_ssh_opts *opts)
849{
850 int16_t pref = 0;
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100851
852 if (auth_type == NC_SSH_AUTH_INTERACTIVE) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100853 pref = opts->auth_pref[0].value;
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100854 } else if (auth_type == NC_SSH_AUTH_PASSWORD) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100855 pref = opts->auth_pref[1].value;
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100856 } else if (auth_type == NC_SSH_AUTH_PUBLICKEY) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100857 pref = opts->auth_pref[2].value;
Michal Vaskoe9bc8142015-12-04 11:09:35 +0100858 }
859
860 return pref;
861}
862
Michal Vasko3031aae2016-01-27 16:07:18 +0100863API int16_t
864nc_client_ssh_get_auth_pref(NC_SSH_AUTH_TYPE auth_type)
865{
866 return _nc_client_ssh_get_auth_pref(auth_type, &ssh_opts);
867}
868
869API int16_t
870nc_client_ssh_ch_get_auth_pref(NC_SSH_AUTH_TYPE auth_type)
871{
872 return _nc_client_ssh_get_auth_pref(auth_type, &ssh_ch_opts);
873}
874
875static int
876_nc_client_ssh_set_username(const char *username, struct nc_client_ssh_opts *opts)
877{
878 if (opts->username) {
879 free(opts->username);
880 }
881 if (username) {
882 opts->username = strdup(username);
883 if (!opts->username) {
884 ERRMEM;
885 return -1;
886 }
887 } else {
888 opts->username = NULL;
889 }
890
891 return 0;
892}
893
894API int
895nc_client_ssh_set_username(const char *username)
896{
897 return _nc_client_ssh_set_username(username, &ssh_opts);
898}
899
900API int
901nc_client_ssh_ch_set_username(const char *username)
902{
903 return _nc_client_ssh_set_username(username, &ssh_ch_opts);
904}
905
Michal Vaskoe22c6732016-01-29 11:03:02 +0100906static const char *
907_nc_client_ssh_get_username(struct nc_client_ssh_opts *opts)
908{
909 return opts->username;
910}
911
912API const char *
913nc_client_ssh_get_username(void)
914{
915 return _nc_client_ssh_get_username(&ssh_opts);
916}
917
918API const char *
919nc_client_ssh_ch_get_username(void)
920{
921 return _nc_client_ssh_get_username(&ssh_ch_opts);
922}
923
Michal Vasko3031aae2016-01-27 16:07:18 +0100924API int
925nc_client_ssh_ch_add_bind_listen(const char *address, uint16_t port)
926{
927 return nc_client_ch_add_bind_listen(address, port, NC_TI_LIBSSH);
928}
929
930API int
931nc_client_ssh_ch_del_bind(const char *address, uint16_t port)
932{
933 return nc_client_ch_del_bind(address, port, NC_TI_LIBSSH);
934}
935
Michal Vasko8e2f4a62016-02-01 15:59:48 +0100936/* Establish a secure SSH connection and authenticate.
Michal Vasko7b62fed2015-10-26 15:39:46 +0100937 * Host, port, username, and a connected socket is expected to be set.
938 */
939static int
Michal Vasko0190bc32016-03-02 15:47:49 +0100940connect_ssh_session(struct nc_session *session, struct nc_client_ssh_opts *opts, int timeout)
Michal Vasko7b62fed2015-10-26 15:39:46 +0100941{
Michal Vasko0190bc32016-03-02 15:47:49 +0100942 int j, ret_auth, userauthlist, ret, elapsed_usec = 0;
Michal Vasko235efdc2015-12-17 12:05:04 +0100943 NC_SSH_AUTH_TYPE auth;
Michal Vasko0190bc32016-03-02 15:47:49 +0100944 int16_t pref;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100945 const char* prompt;
946 char *s, *answer, echo;
947 ssh_key pubkey, privkey;
948 ssh_session ssh_sess;
949
950 ssh_sess = session->ti.libssh.session;
951
Michal Vasko0190bc32016-03-02 15:47:49 +0100952 while ((ret = ssh_connect(ssh_sess)) == SSH_AGAIN) {
953 usleep(NC_TIMEOUT_STEP);
954 elapsed_usec += NC_TIMEOUT_STEP;
955 if (elapsed_usec / 1000 >= NC_TRANSPORT_TIMEOUT) {
956 break;
957 }
958 }
959 if (ret == SSH_AGAIN) {
960 ERR("SSH connect timeout.");
961 return 0;
962 } else if (ret != SSH_OK) {
963 ERR("Starting the SSH session failed (%s).", ssh_get_error(ssh_sess));
Michal Vasko7b62fed2015-10-26 15:39:46 +0100964 DBG("Error code %d.", ssh_get_error_code(ssh_sess));
Michal Vaskod083db62016-01-19 10:31:29 +0100965 return -1;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100966 }
967
Michal Vaskoef112d72016-02-18 13:28:25 +0100968 if (opts->auth_hostkey_check(session->host, ssh_sess)) {
Michal Vasko7b62fed2015-10-26 15:39:46 +0100969 ERR("Checking the host key failed.");
Michal Vaskod083db62016-01-19 10:31:29 +0100970 return -1;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100971 }
972
Michal Vasko0190bc32016-03-02 15:47:49 +0100973 elapsed_usec = 0;
974 while ((ret_auth = ssh_userauth_none(ssh_sess, NULL)) == SSH_AUTH_AGAIN) {
975 usleep(NC_TIMEOUT_STEP);
976 elapsed_usec += NC_TIMEOUT_STEP;
977 if ((timeout > -1) && (elapsed_usec / 1000 >= timeout)) {
978 break;
979 }
980 }
981 if (ret_auth == SSH_AUTH_AGAIN) {
982 ERR("Request authentication methods timeout.");
983 return 0;
984 } else if (ret_auth == SSH_AUTH_ERROR) {
Michal Vasko7b62fed2015-10-26 15:39:46 +0100985 ERR("Authentication failed (%s).", ssh_get_error(ssh_sess));
Michal Vaskod083db62016-01-19 10:31:29 +0100986 return -1;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100987 }
988
989 /* check what authentication methods are available */
990 userauthlist = ssh_userauth_list(ssh_sess, NULL);
Michal Vasko235efdc2015-12-17 12:05:04 +0100991
992 /* remove those disabled */
Michal Vasko30e2c872016-02-18 10:03:21 +0100993 if (opts->auth_pref[0].value < 0) {
Michal Vasko235efdc2015-12-17 12:05:04 +0100994 VRB("Interactive SSH authentication method was disabled.");
995 userauthlist &= ~SSH_AUTH_METHOD_INTERACTIVE;
Michal Vasko7b62fed2015-10-26 15:39:46 +0100996 }
Michal Vasko30e2c872016-02-18 10:03:21 +0100997 if (opts->auth_pref[1].value < 0) {
Michal Vasko235efdc2015-12-17 12:05:04 +0100998 VRB("Password SSH authentication method was disabled.");
999 userauthlist &= ~SSH_AUTH_METHOD_PASSWORD;
Michal Vasko7b62fed2015-10-26 15:39:46 +01001000 }
Michal Vasko30e2c872016-02-18 10:03:21 +01001001 if (opts->auth_pref[2].value < 0) {
Michal Vasko235efdc2015-12-17 12:05:04 +01001002 VRB("Publickey SSH authentication method was disabled.");
1003 userauthlist &= ~SSH_AUTH_METHOD_PUBLICKEY;
Michal Vasko7b62fed2015-10-26 15:39:46 +01001004 }
1005
Michal Vasko0190bc32016-03-02 15:47:49 +01001006 do {
Michal Vasko235efdc2015-12-17 12:05:04 +01001007 auth = 0;
1008 pref = 0;
1009 if (userauthlist & SSH_AUTH_METHOD_INTERACTIVE) {
1010 auth = NC_SSH_AUTH_INTERACTIVE;
Michal Vasko30e2c872016-02-18 10:03:21 +01001011 pref = opts->auth_pref[0].value;
Michal Vasko235efdc2015-12-17 12:05:04 +01001012 }
Michal Vasko30e2c872016-02-18 10:03:21 +01001013 if ((userauthlist & SSH_AUTH_METHOD_PASSWORD) && (opts->auth_pref[1].value > pref)) {
Michal Vasko235efdc2015-12-17 12:05:04 +01001014 auth = NC_SSH_AUTH_PASSWORD;
Michal Vasko30e2c872016-02-18 10:03:21 +01001015 pref = opts->auth_pref[1].value;
Michal Vasko235efdc2015-12-17 12:05:04 +01001016 }
Michal Vasko30e2c872016-02-18 10:03:21 +01001017 if ((userauthlist & SSH_AUTH_METHOD_PUBLICKEY) && (opts->auth_pref[2].value > pref)) {
Michal Vasko235efdc2015-12-17 12:05:04 +01001018 auth = NC_SSH_AUTH_PUBLICKEY;
Michal Vasko7b62fed2015-10-26 15:39:46 +01001019 }
1020
Michal Vasko235efdc2015-12-17 12:05:04 +01001021 if (!auth) {
Michal Vaskod083db62016-01-19 10:31:29 +01001022 ERR("Unable to authenticate to the remote server (no supported authentication methods left).");
Michal Vasko0190bc32016-03-02 15:47:49 +01001023 return -1;
Michal Vasko7b62fed2015-10-26 15:39:46 +01001024 }
1025
1026 /* found common authentication method */
Michal Vasko235efdc2015-12-17 12:05:04 +01001027 switch (auth) {
Michal Vasko7b62fed2015-10-26 15:39:46 +01001028 case NC_SSH_AUTH_PASSWORD:
Michal Vasko235efdc2015-12-17 12:05:04 +01001029 userauthlist &= ~SSH_AUTH_METHOD_PASSWORD;
1030
Michal Vaskoef578332016-01-25 13:20:09 +01001031 VRB("Password authentication (host \"%s\", user \"%s\").", session->host, session->username);
Michal Vasko30e2c872016-02-18 10:03:21 +01001032 s = opts->auth_password(session->username, session->host);
Michal Vasko0190bc32016-03-02 15:47:49 +01001033
1034 elapsed_usec = 0;
1035 while ((ret_auth = ssh_userauth_password(ssh_sess, session->username, s)) == SSH_AUTH_AGAIN) {
1036 usleep(NC_TIMEOUT_STEP);
1037 elapsed_usec += NC_TIMEOUT_STEP;
1038 if ((timeout > -1) && (elapsed_usec / 1000 >= timeout)) {
1039 break;
1040 }
Michal Vasko7b62fed2015-10-26 15:39:46 +01001041 }
Michal Vasko0190bc32016-03-02 15:47:49 +01001042 memset(s, 0, strlen(s));
Michal Vasko7b62fed2015-10-26 15:39:46 +01001043 free(s);
1044 break;
Michal Vasko0190bc32016-03-02 15:47:49 +01001045
Michal Vasko7b62fed2015-10-26 15:39:46 +01001046 case NC_SSH_AUTH_INTERACTIVE:
Michal Vasko235efdc2015-12-17 12:05:04 +01001047 userauthlist &= ~SSH_AUTH_METHOD_INTERACTIVE;
1048
Michal Vaskod083db62016-01-19 10:31:29 +01001049 VRB("Keyboard-interactive authentication.");
Michal Vasko0190bc32016-03-02 15:47:49 +01001050
1051 elapsed_usec = 0;
1052 while (((ret_auth = ssh_userauth_kbdint(ssh_sess, NULL, NULL)) == SSH_AUTH_INFO)
1053 || (ret_auth == SSH_AUTH_AGAIN)) {
1054 if (ret_auth == SSH_AUTH_AGAIN) {
1055 usleep(NC_TIMEOUT_STEP);
1056 elapsed_usec += NC_TIMEOUT_STEP;
1057 if ((timeout > -1) && (elapsed_usec / 1000 >= timeout)) {
1058 break;
1059 }
1060 continue;
1061 }
1062
Michal Vasko7b62fed2015-10-26 15:39:46 +01001063 for (j = 0; j < ssh_userauth_kbdint_getnprompts(ssh_sess); ++j) {
1064 prompt = ssh_userauth_kbdint_getprompt(ssh_sess, j, &echo);
Michal Vasko0190bc32016-03-02 15:47:49 +01001065 if (!prompt) {
1066 ret_auth = SSH_AUTH_ERROR;
Michal Vasko7b62fed2015-10-26 15:39:46 +01001067 break;
1068 }
Michal Vasko8bf28d12016-02-24 13:29:42 +01001069
1070 /* libssh BUG - echo is always 1 for some reason, assume always 0 */
1071 echo = 0;
1072
Michal Vasko30e2c872016-02-18 10:03:21 +01001073 answer = opts->auth_interactive(ssh_userauth_kbdint_getname(ssh_sess),
1074 ssh_userauth_kbdint_getinstruction(ssh_sess),
1075 prompt, echo);
Michal Vasko7b62fed2015-10-26 15:39:46 +01001076 if (ssh_userauth_kbdint_setanswer(ssh_sess, j, answer) < 0) {
1077 free(answer);
Michal Vasko0190bc32016-03-02 15:47:49 +01001078 ret_auth = SSH_AUTH_ERROR;
Michal Vasko7b62fed2015-10-26 15:39:46 +01001079 break;
1080 }
1081 free(answer);
1082 }
Michal Vasko0190bc32016-03-02 15:47:49 +01001083 if (ret_auth == SSH_AUTH_ERROR) {
1084 break;
1085 }
1086 elapsed_usec = 0;
Michal Vasko7b62fed2015-10-26 15:39:46 +01001087 }
Michal Vasko7b62fed2015-10-26 15:39:46 +01001088 break;
Michal Vasko0190bc32016-03-02 15:47:49 +01001089
Michal Vasko206d3b12015-12-04 11:08:42 +01001090 case NC_SSH_AUTH_PUBLICKEY:
Michal Vasko235efdc2015-12-17 12:05:04 +01001091 userauthlist &= ~SSH_AUTH_METHOD_PUBLICKEY;
1092
Michal Vaskod083db62016-01-19 10:31:29 +01001093 VRB("Publickey athentication.");
Michal Vasko7b62fed2015-10-26 15:39:46 +01001094
1095 /* if publickeys path not provided, we cannot continue */
Michal Vasko30e2c872016-02-18 10:03:21 +01001096 if (!opts->key_count) {
Michal Vasko7b62fed2015-10-26 15:39:46 +01001097 VRB("No key pair specified.");
1098 break;
1099 }
1100
Michal Vasko30e2c872016-02-18 10:03:21 +01001101 for (j = 0; j < opts->key_count; j++) {
Michal Vaskoef578332016-01-25 13:20:09 +01001102 VRB("Trying to authenticate using %spair \"%s\" \"%s\".",
Michal Vasko30e2c872016-02-18 10:03:21 +01001103 opts->keys[j].privkey_crypt ? "password-protected " : "", opts->keys[j].privkey_path,
1104 opts->keys[j].pubkey_path);
Michal Vasko7b62fed2015-10-26 15:39:46 +01001105
Michal Vasko30e2c872016-02-18 10:03:21 +01001106 if (ssh_pki_import_pubkey_file(opts->keys[j].pubkey_path, &pubkey) != SSH_OK) {
1107 WRN("Failed to import the key \"%s\".", opts->keys[j].pubkey_path);
Michal Vasko7b62fed2015-10-26 15:39:46 +01001108 continue;
1109 }
Michal Vasko0190bc32016-03-02 15:47:49 +01001110
1111 elapsed_usec = 0;
1112 while ((ret_auth = ssh_userauth_try_publickey(ssh_sess, NULL, pubkey)) == SSH_AUTH_AGAIN) {
1113 usleep(NC_TIMEOUT_STEP);
1114 elapsed_usec += NC_TIMEOUT_STEP;
1115 if ((timeout > -1) && (elapsed_usec / 1000 >= timeout)) {
1116 ssh_key_free(pubkey);
1117 break;
1118 }
Michal Vasko7b62fed2015-10-26 15:39:46 +01001119 }
Michal Vasko0190bc32016-03-02 15:47:49 +01001120 ssh_key_free(pubkey);
1121
1122 if (ret_auth == SSH_AUTH_DENIED) {
1123 continue;
1124 } else if (ret_auth != SSH_AUTH_SUCCESS) {
Michal Vasko7b62fed2015-10-26 15:39:46 +01001125 break;
1126 }
1127
Michal Vasko30e2c872016-02-18 10:03:21 +01001128 if (opts->keys[j].privkey_crypt) {
1129 s = opts->auth_privkey_passphrase(opts->keys[j].privkey_path);
Michal Vasko7b62fed2015-10-26 15:39:46 +01001130 } else {
1131 s = NULL;
1132 }
1133
Michal Vasko0190bc32016-03-02 15:47:49 +01001134 ret = ssh_pki_import_privkey_file(opts->keys[j].privkey_path, s, NULL, NULL, &privkey);
Michal Vasko7b62fed2015-10-26 15:39:46 +01001135 if (s) {
1136 memset(s, 0, strlen(s));
1137 free(s);
1138 }
Michal Vasko0190bc32016-03-02 15:47:49 +01001139 if (ret != SSH_OK) {
1140 WRN("Failed to import the key \"%s\".", opts->keys[j].privkey_path);
1141 continue;
1142 }
Michal Vasko7b62fed2015-10-26 15:39:46 +01001143
Michal Vasko0190bc32016-03-02 15:47:49 +01001144 elapsed_usec = 0;
1145 while ((ret_auth = ssh_userauth_publickey(ssh_sess, NULL, privkey)) == SSH_AUTH_AGAIN) {
1146 usleep(NC_TIMEOUT_STEP);
1147 elapsed_usec += NC_TIMEOUT_STEP;
1148 if ((timeout > -1) && (elapsed_usec / 1000 >= timeout)) {
1149 ssh_key_free(privkey);
1150 break;
1151 }
1152 }
Michal Vasko7b62fed2015-10-26 15:39:46 +01001153 ssh_key_free(privkey);
1154
Michal Vasko0190bc32016-03-02 15:47:49 +01001155 if (ret_auth != SSH_AUTH_DENIED) {
Michal Vasko7b62fed2015-10-26 15:39:46 +01001156 break;
1157 }
1158 }
1159 break;
1160 }
Michal Vasko7b62fed2015-10-26 15:39:46 +01001161
Michal Vasko0190bc32016-03-02 15:47:49 +01001162 switch (ret_auth) {
1163 case SSH_AUTH_AGAIN:
1164 ERR("Authentication response timeout.");
1165 return 0;
1166 case SSH_AUTH_ERROR:
1167 ERR("Authentication failed (%s).", ssh_get_error(ssh_sess));
1168 return -1;
1169 case SSH_AUTH_DENIED:
1170 WRN("Authentication denied.");
1171 break;
1172 case SSH_AUTH_PARTIAL:
1173 VRB("Partial authentication success.");
1174 break;
1175 case SSH_AUTH_SUCCESS:
1176 VRB("Authentication successful.");
1177 break;
1178 case SSH_AUTH_INFO:
1179 ERRINT;
1180 return -1;
1181 }
1182 } while (ret_auth != SSH_AUTH_SUCCESS);
Michal Vasko7b62fed2015-10-26 15:39:46 +01001183
Michal Vasko0190bc32016-03-02 15:47:49 +01001184 return 1;
Michal Vasko8e2f4a62016-02-01 15:59:48 +01001185}
1186
1187/* Open new SSH channel and request the 'netconf' subsystem.
1188 * SSH connection is expected to be established.
1189 */
1190static int
Michal Vasko0190bc32016-03-02 15:47:49 +01001191open_netconf_channel(struct nc_session *session, int timeout)
Michal Vasko8e2f4a62016-02-01 15:59:48 +01001192{
1193 ssh_session ssh_sess;
Michal Vasko0190bc32016-03-02 15:47:49 +01001194 int ret, elapsed_usec = 0;
Michal Vasko8e2f4a62016-02-01 15:59:48 +01001195
1196 ssh_sess = session->ti.libssh.session;
1197
1198 if (!ssh_is_connected(ssh_sess)) {
1199 ERR("SSH session not connected.");
1200 return -1;
1201 }
1202
1203 if (session->ti.libssh.channel) {
1204 ERR("SSH channel already created.");
1205 return -1;
1206 }
1207
Michal Vasko7b62fed2015-10-26 15:39:46 +01001208 /* open a channel */
1209 session->ti.libssh.channel = ssh_channel_new(ssh_sess);
Michal Vasko0190bc32016-03-02 15:47:49 +01001210 while ((ret = ssh_channel_open_session(session->ti.libssh.channel)) == SSH_AGAIN) {
1211 usleep(NC_TIMEOUT_STEP);
1212 elapsed_usec += NC_TIMEOUT_STEP;
1213 if ((timeout > -1) && (elapsed_usec / 1000 >= timeout)) {
1214 break;
1215 }
1216 }
1217 if (ret == SSH_AGAIN) {
1218 ERR("Opening an SSH channel timeout elapsed.");
Michal Vasko7b62fed2015-10-26 15:39:46 +01001219 ssh_channel_free(session->ti.libssh.channel);
1220 session->ti.libssh.channel = NULL;
Michal Vasko0190bc32016-03-02 15:47:49 +01001221 return 0;
1222 } else if (ret == SSH_ERROR) {
Michal Vaskod083db62016-01-19 10:31:29 +01001223 ERR("Opening an SSH channel failed (%s).", ssh_get_error(ssh_sess));
Michal Vasko0190bc32016-03-02 15:47:49 +01001224 ssh_channel_free(session->ti.libssh.channel);
1225 session->ti.libssh.channel = NULL;
Michal Vaskod083db62016-01-19 10:31:29 +01001226 return -1;
Michal Vasko7b62fed2015-10-26 15:39:46 +01001227 }
1228
1229 /* execute the NETCONF subsystem on the channel */
Michal Vasko0190bc32016-03-02 15:47:49 +01001230 elapsed_usec = 0;
1231 while ((ret = ssh_channel_request_subsystem(session->ti.libssh.channel, "netconf")) == SSH_AGAIN) {
1232 usleep(NC_TIMEOUT_STEP);
1233 elapsed_usec += NC_TIMEOUT_STEP;
1234 if ((timeout > -1) && (elapsed_usec / 1000 >= timeout)) {
1235 break;
1236 }
1237 }
1238 if (ret == SSH_AGAIN) {
1239 ERR("Starting the \"netconf\" SSH subsystem timeout elapsed.");
Michal Vasko7b62fed2015-10-26 15:39:46 +01001240 ssh_channel_free(session->ti.libssh.channel);
1241 session->ti.libssh.channel = NULL;
Michal Vasko0190bc32016-03-02 15:47:49 +01001242 return 0;
1243 } else if (ret == SSH_ERROR) {
Michal Vaskod083db62016-01-19 10:31:29 +01001244 ERR("Starting the \"netconf\" SSH subsystem failed (%s).", ssh_get_error(ssh_sess));
Michal Vasko0190bc32016-03-02 15:47:49 +01001245 ssh_channel_free(session->ti.libssh.channel);
1246 session->ti.libssh.channel = NULL;
Michal Vaskod083db62016-01-19 10:31:29 +01001247 return -1;
Michal Vasko7b62fed2015-10-26 15:39:46 +01001248 }
1249
Michal Vasko0190bc32016-03-02 15:47:49 +01001250 return 1;
Radek Krejciac6d3472015-10-22 15:47:18 +02001251}
1252
Michal Vasko30e2c872016-02-18 10:03:21 +01001253static struct nc_session *
Michal Vasko0190bc32016-03-02 15:47:49 +01001254_nc_connect_libssh(ssh_session ssh_session, struct ly_ctx *ctx, struct nc_client_ssh_opts *opts, int timeout)
Michal Vasko30e2c872016-02-18 10:03:21 +01001255{
1256 char *host = NULL, *username = NULL;
1257 unsigned short port = 0;
1258 int sock;
1259 struct passwd *pw;
1260 struct nc_session *session = NULL;
1261
1262 if (!ssh_session) {
1263 ERRARG;
1264 return NULL;
1265 }
1266
1267 /* prepare session structure */
1268 session = calloc(1, sizeof *session);
1269 if (!session) {
1270 ERRMEM;
1271 return NULL;
1272 }
1273 session->status = NC_STATUS_STARTING;
1274 session->side = NC_CLIENT;
1275
1276 /* transport lock */
1277 session->ti_lock = malloc(sizeof *session->ti_lock);
1278 if (!session->ti_lock) {
1279 ERRMEM;
1280 goto fail;
1281 }
1282 pthread_mutex_init(session->ti_lock, NULL);
1283
1284 session->ti_type = NC_TI_LIBSSH;
1285 session->ti.libssh.session = ssh_session;
1286
1287 /* was port set? */
1288 ssh_options_get_port(ssh_session, (unsigned int *)&port);
1289
1290 if (ssh_options_get(ssh_session, SSH_OPTIONS_HOST, &host) != SSH_OK) {
1291 /*
1292 * There is no file descriptor (detected based on the host, there is no way to check
1293 * the SSH_OPTIONS_FD directly :/), we need to create it. (TCP/IP layer)
1294 */
1295
1296 /* remember host */
1297 host = strdup("localhost");
Michal Vasko4eb3c312016-03-01 14:09:37 +01001298 if (!host) {
1299 ERRMEM;
1300 goto fail;
1301 }
Michal Vasko30e2c872016-02-18 10:03:21 +01001302 ssh_options_set(session->ti.libssh.session, SSH_OPTIONS_HOST, host);
1303
1304 /* create and connect socket */
1305 sock = nc_sock_connect(host, port);
1306 if (sock == -1) {
1307 goto fail;
1308 }
1309 ssh_options_set(session->ti.libssh.session, SSH_OPTIONS_FD, &sock);
Michal Vasko0190bc32016-03-02 15:47:49 +01001310 ssh_set_blocking(session->ti.libssh.session, 0);
Michal Vasko30e2c872016-02-18 10:03:21 +01001311 }
1312
1313 /* was username set? */
1314 ssh_options_get(ssh_session, SSH_OPTIONS_USER, &username);
1315
1316 if (!ssh_is_connected(ssh_session)) {
1317 /*
1318 * We are connected, but not SSH authenticated. (Transport layer)
1319 */
1320
1321 /* remember username */
1322 if (!username) {
1323 if (!opts->username) {
1324 pw = getpwuid(getuid());
1325 if (!pw) {
1326 ERR("Unknown username for the SSH connection (%s).", strerror(errno));
1327 goto fail;
1328 }
1329 username = strdup(pw->pw_name);
1330 } else {
1331 username = strdup(opts->username);
1332 }
Michal Vasko4eb3c312016-03-01 14:09:37 +01001333 if (!username) {
1334 ERRMEM;
1335 goto fail;
1336 }
Michal Vasko30e2c872016-02-18 10:03:21 +01001337 ssh_options_set(session->ti.libssh.session, SSH_OPTIONS_USER, username);
1338 }
1339
1340 /* connect and authenticate SSH session */
1341 session->host = host;
1342 session->username = username;
Michal Vasko0190bc32016-03-02 15:47:49 +01001343 if (connect_ssh_session(session, opts, timeout) != 1) {
Michal Vasko30e2c872016-02-18 10:03:21 +01001344 goto fail;
1345 }
1346 }
1347
1348 /*
1349 * Almost done, open a netconf channel. (Transport layer / application layer)
1350 */
Michal Vasko0190bc32016-03-02 15:47:49 +01001351 if (open_netconf_channel(session, timeout) != 1) {
Michal Vasko30e2c872016-02-18 10:03:21 +01001352 goto fail;
1353 }
1354
1355 /*
1356 * SSH session is established and netconf channel opened, create a NETCONF session. (Application layer)
1357 */
1358
1359 /* assign context (dicionary needed for handshake) */
1360 if (!ctx) {
1361 if (client_opts.schema_searchpath) {
1362 ctx = ly_ctx_new(client_opts.schema_searchpath);
1363 } else {
1364 ctx = ly_ctx_new(SCHEMAS_DIR);
1365 }
1366 } else {
1367 session->flags |= NC_SESSION_SHAREDCTX;
1368 }
1369 session->ctx = ctx;
1370
1371 /* NETCONF handshake */
1372 if (nc_handshake(session)) {
1373 goto fail;
1374 }
1375 session->status = NC_STATUS_RUNNING;
1376
1377 if (nc_ctx_check_and_fill(session) == -1) {
1378 goto fail;
1379 }
1380
1381 /* store information into the dictionary */
1382 if (host) {
1383 session->host = lydict_insert_zc(ctx, host);
1384 }
1385 if (port) {
1386 session->port = port;
1387 }
1388 if (username) {
1389 session->username = lydict_insert_zc(ctx, username);
1390 }
1391
1392 return session;
1393
1394fail:
Michal Vaskoe1a64ec2016-03-01 12:21:58 +01001395 nc_session_free(session, NULL);
Michal Vasko30e2c872016-02-18 10:03:21 +01001396 return NULL;
1397}
1398
Radek Krejciac6d3472015-10-22 15:47:18 +02001399API struct nc_session *
Michal Vasko3031aae2016-01-27 16:07:18 +01001400nc_connect_ssh(const char *host, uint16_t port, struct ly_ctx *ctx)
Radek Krejciac6d3472015-10-22 15:47:18 +02001401{
Michal Vaskoc111ac52015-12-08 14:36:36 +01001402 const int timeout = NC_SSH_TIMEOUT;
Michal Vasko7b62fed2015-10-26 15:39:46 +01001403 int sock;
Michal Vasko55fded62016-02-02 12:19:34 +01001404 uint32_t port_uint;
Michal Vasko3031aae2016-01-27 16:07:18 +01001405 char *username;
Radek Krejciac6d3472015-10-22 15:47:18 +02001406 struct passwd *pw;
1407 struct nc_session *session = NULL;
1408
1409 /* process parameters */
1410 if (!host || strisempty(host)) {
1411 host = "localhost";
1412 }
1413
1414 if (!port) {
1415 port = NC_PORT_SSH;
1416 }
Michal Vasko55fded62016-02-02 12:19:34 +01001417 port_uint = port;
Radek Krejciac6d3472015-10-22 15:47:18 +02001418
Michal Vasko3031aae2016-01-27 16:07:18 +01001419 if (!ssh_opts.username) {
Radek Krejciac6d3472015-10-22 15:47:18 +02001420 pw = getpwuid(getuid());
1421 if (!pw) {
Michal Vasko7b62fed2015-10-26 15:39:46 +01001422 ERR("Unknown username for the SSH connection (%s).", strerror(errno));
1423 return NULL;
Radek Krejciac6d3472015-10-22 15:47:18 +02001424 } else {
1425 username = pw->pw_name;
1426 }
Michal Vasko3031aae2016-01-27 16:07:18 +01001427 } else {
1428 username = ssh_opts.username;
Radek Krejciac6d3472015-10-22 15:47:18 +02001429 }
1430
1431 /* prepare session structure */
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001432 session = calloc(1, sizeof *session);
Radek Krejciac6d3472015-10-22 15:47:18 +02001433 if (!session) {
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001434 ERRMEM;
Radek Krejciac6d3472015-10-22 15:47:18 +02001435 return NULL;
1436 }
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001437 session->status = NC_STATUS_STARTING;
1438 session->side = NC_CLIENT;
Radek Krejciac6d3472015-10-22 15:47:18 +02001439
Michal Vasko7b62fed2015-10-26 15:39:46 +01001440 /* transport lock */
1441 session->ti_lock = malloc(sizeof *session->ti_lock);
1442 if (!session->ti_lock) {
1443 ERRMEM;
1444 goto fail;
1445 }
1446 pthread_mutex_init(session->ti_lock, NULL);
1447
1448 /* other transport-specific data */
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001449 session->ti_type = NC_TI_LIBSSH;
Michal Vasko7b62fed2015-10-26 15:39:46 +01001450 session->ti.libssh.session = ssh_new();
1451 if (!session->ti.libssh.session) {
1452 ERR("Unable to initialize SSH session.");
1453 goto fail;
1454 }
Radek Krejciac6d3472015-10-22 15:47:18 +02001455
Michal Vasko7b62fed2015-10-26 15:39:46 +01001456 /* set some basic SSH session options */
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001457 ssh_options_set(session->ti.libssh.session, SSH_OPTIONS_HOST, host);
Michal Vasko55fded62016-02-02 12:19:34 +01001458 ssh_options_set(session->ti.libssh.session, SSH_OPTIONS_PORT, &port_uint);
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001459 ssh_options_set(session->ti.libssh.session, SSH_OPTIONS_USER, username);
Michal Vasko7b62fed2015-10-26 15:39:46 +01001460 ssh_options_set(session->ti.libssh.session, SSH_OPTIONS_TIMEOUT, &timeout);
Michal Vasko086311b2016-01-08 09:53:11 +01001461 if (ssh_options_set(session->ti.libssh.session, SSH_OPTIONS_HOSTKEYS,
1462 "ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
1463 "ecdsa-sha2-nistp256,ssh-rsa,ssh-dss,ssh-rsa1")) {
1464 /* ecdsa is probably not supported... */
1465 ssh_options_set(session->ti.libssh.session, SSH_OPTIONS_HOSTKEYS, "ssh-ed25519,ssh-rsa,ssh-dss,ssh-rsa1");
1466 }
Michal Vasko7b62fed2015-10-26 15:39:46 +01001467
1468 /* create and assign communication socket */
Michal Vaskof05562c2016-01-20 12:06:43 +01001469 sock = nc_sock_connect(host, port);
Michal Vasko7b62fed2015-10-26 15:39:46 +01001470 if (sock == -1) {
1471 goto fail;
1472 }
1473 ssh_options_set(session->ti.libssh.session, SSH_OPTIONS_FD, &sock);
Michal Vasko0190bc32016-03-02 15:47:49 +01001474 ssh_set_blocking(session->ti.libssh.session, 0);
Michal Vasko7b62fed2015-10-26 15:39:46 +01001475
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001476 /* temporarily, for session connection */
1477 session->host = host;
1478 session->username = username;
Michal Vasko0190bc32016-03-02 15:47:49 +01001479 if ((connect_ssh_session(session, &ssh_opts, NC_TRANSPORT_TIMEOUT) != 1)
1480 || (open_netconf_channel(session, NC_TRANSPORT_TIMEOUT) != 1)) {
Michal Vasko7b62fed2015-10-26 15:39:46 +01001481 goto fail;
Radek Krejciac6d3472015-10-22 15:47:18 +02001482 }
1483
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001484 /* assign context (dicionary needed for handshake) */
1485 if (!ctx) {
Michal Vaskodaf9a092016-02-09 10:42:05 +01001486 if (client_opts.schema_searchpath) {
1487 ctx = ly_ctx_new(client_opts.schema_searchpath);
1488 } else {
1489 ctx = ly_ctx_new(SCHEMAS_DIR);
1490 }
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001491 } else {
1492 session->flags |= NC_SESSION_SHAREDCTX;
1493 }
1494 session->ctx = ctx;
1495
Radek Krejciac6d3472015-10-22 15:47:18 +02001496 /* NETCONF handshake */
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001497 if (nc_handshake(session)) {
Michal Vasko7b62fed2015-10-26 15:39:46 +01001498 goto fail;
Radek Krejciac6d3472015-10-22 15:47:18 +02001499 }
Michal Vaskoad611702015-12-03 13:41:51 +01001500 session->status = NC_STATUS_RUNNING;
Radek Krejciac6d3472015-10-22 15:47:18 +02001501
Michal Vaskoef578332016-01-25 13:20:09 +01001502 if (nc_ctx_check_and_fill(session) == -1) {
Michal Vasko57eb9402015-12-08 14:38:12 +01001503 goto fail;
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001504 }
1505
1506 /* store information into the dictionary */
1507 session->host = lydict_insert(ctx, host, 0);
1508 session->port = port;
1509 session->username = lydict_insert(ctx, username, 0);
1510
Radek Krejciac6d3472015-10-22 15:47:18 +02001511 return session;
1512
Michal Vasko7b62fed2015-10-26 15:39:46 +01001513fail:
Michal Vaskoe1a64ec2016-03-01 12:21:58 +01001514 nc_session_free(session, NULL);
Radek Krejciac6d3472015-10-22 15:47:18 +02001515 return NULL;
1516}
1517
1518API struct nc_session *
1519nc_connect_libssh(ssh_session ssh_session, struct ly_ctx *ctx)
1520{
Michal Vasko0190bc32016-03-02 15:47:49 +01001521 return _nc_connect_libssh(ssh_session, ctx, &ssh_opts, NC_TRANSPORT_TIMEOUT);
Radek Krejciac6d3472015-10-22 15:47:18 +02001522}
1523
1524API struct nc_session *
Michal Vasko7b62fed2015-10-26 15:39:46 +01001525nc_connect_ssh_channel(struct nc_session *session, struct ly_ctx *ctx)
Radek Krejciac6d3472015-10-22 15:47:18 +02001526{
Michal Vasko7b62fed2015-10-26 15:39:46 +01001527 struct nc_session *new_session, *ptr;
Radek Krejciac6d3472015-10-22 15:47:18 +02001528
Michal Vaskob7c4ff32016-01-21 15:35:54 +01001529 if (!session) {
1530 ERRARG;
1531 return NULL;
1532 }
1533
Michal Vasko7b62fed2015-10-26 15:39:46 +01001534 /* prepare session structure */
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001535 new_session = calloc(1, sizeof *new_session);
Michal Vasko7b62fed2015-10-26 15:39:46 +01001536 if (!new_session) {
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001537 ERRMEM;
Michal Vasko7b62fed2015-10-26 15:39:46 +01001538 return NULL;
1539 }
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001540 new_session->status = NC_STATUS_STARTING;
1541 new_session->side = NC_CLIENT;
Michal Vasko7b62fed2015-10-26 15:39:46 +01001542
1543 /* share some parameters including the session lock */
1544 new_session->ti_type = NC_TI_LIBSSH;
1545 new_session->ti_lock = session->ti_lock;
Michal Vasko7b62fed2015-10-26 15:39:46 +01001546 new_session->ti.libssh.session = session->ti.libssh.session;
1547
1548 /* create the channel safely */
1549 pthread_mutex_lock(new_session->ti_lock);
1550
1551 /* open a channel */
Michal Vasko0190bc32016-03-02 15:47:49 +01001552 if (open_netconf_channel(new_session, NC_TRANSPORT_TIMEOUT) != 1) {
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001553 goto fail;
Michal Vasko7b62fed2015-10-26 15:39:46 +01001554 }
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001555
1556 /* assign context (dicionary needed for handshake) */
1557 if (!ctx) {
Michal Vaskodaf9a092016-02-09 10:42:05 +01001558 if (client_opts.schema_searchpath) {
1559 ctx = ly_ctx_new(client_opts.schema_searchpath);
1560 } else {
1561 ctx = ly_ctx_new(SCHEMAS_DIR);
1562 }
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001563 } else {
Michal Vasko56b5bf72016-01-19 11:20:35 +01001564 new_session->flags |= NC_SESSION_SHAREDCTX;
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001565 }
Michal Vasko56b5bf72016-01-19 11:20:35 +01001566 new_session->ctx = ctx;
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001567
Michal Vasko7b62fed2015-10-26 15:39:46 +01001568 /* NETCONF handshake */
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001569 if (nc_handshake(new_session)) {
1570 goto fail;
Michal Vasko7b62fed2015-10-26 15:39:46 +01001571 }
Michal Vaskoad611702015-12-03 13:41:51 +01001572 new_session->status = NC_STATUS_RUNNING;
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001573
Michal Vasko56b5bf72016-01-19 11:20:35 +01001574 pthread_mutex_unlock(new_session->ti_lock);
1575
Michal Vaskoef578332016-01-25 13:20:09 +01001576 if (nc_ctx_check_and_fill(new_session) == -1) {
Michal Vasko57eb9402015-12-08 14:38:12 +01001577 goto fail;
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001578 }
1579
1580 /* store information into session and the dictionary */
Michal Vasko56b5bf72016-01-19 11:20:35 +01001581 new_session->host = lydict_insert(ctx, session->host, 0);
1582 new_session->port = session->port;
1583 new_session->username = lydict_insert(ctx, session->username, 0);
Michal Vasko7b62fed2015-10-26 15:39:46 +01001584
1585 /* append to the session ring list */
1586 if (!session->ti.libssh.next) {
1587 session->ti.libssh.next = new_session;
1588 new_session->ti.libssh.next = session;
1589 } else {
1590 ptr = session->ti.libssh.next;
1591 session->ti.libssh.next = new_session;
1592 new_session->ti.libssh.next = ptr;
1593 }
1594
1595 return new_session;
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001596
1597fail:
Michal Vaskoe1a64ec2016-03-01 12:21:58 +01001598 nc_session_free(new_session, NULL);
Michal Vasko9e2d3a32015-11-10 13:09:18 +01001599 return NULL;
Radek Krejciac6d3472015-10-22 15:47:18 +02001600}
Michal Vasko80cad7f2015-12-08 14:42:27 +01001601
Michal Vasko3031aae2016-01-27 16:07:18 +01001602struct nc_session *
Michal Vasko0190bc32016-03-02 15:47:49 +01001603nc_accept_callhome_ssh_sock(int sock, const char *host, uint16_t port, struct ly_ctx *ctx, int timeout)
Michal Vasko80cad7f2015-12-08 14:42:27 +01001604{
1605 const int ssh_timeout = NC_SSH_TIMEOUT;
Michal Vasko3031aae2016-01-27 16:07:18 +01001606 struct passwd *pw;
Michal Vasko30e2c872016-02-18 10:03:21 +01001607 struct nc_session *session;
Michal Vasko80cad7f2015-12-08 14:42:27 +01001608 ssh_session sess;
1609
Michal Vasko80cad7f2015-12-08 14:42:27 +01001610 sess = ssh_new();
1611 if (!sess) {
1612 ERR("Unable to initialize an SSH session.");
1613 close(sock);
1614 return NULL;
1615 }
1616
1617 ssh_options_set(sess, SSH_OPTIONS_FD, &sock);
Michal Vasko0190bc32016-03-02 15:47:49 +01001618 ssh_set_blocking(sess, 0);
Michal Vasko3031aae2016-01-27 16:07:18 +01001619 ssh_options_set(sess, SSH_OPTIONS_HOST, host);
Michal Vasko80cad7f2015-12-08 14:42:27 +01001620 ssh_options_set(sess, SSH_OPTIONS_PORT, &port);
1621 ssh_options_set(sess, SSH_OPTIONS_TIMEOUT, &ssh_timeout);
Michal Vasko3031aae2016-01-27 16:07:18 +01001622 if (!ssh_ch_opts.username) {
1623 pw = getpwuid(getuid());
1624 if (!pw) {
1625 ERR("Unknown username for the SSH connection (%s).", strerror(errno));
1626 return NULL;
1627 }
1628 ssh_options_set(sess, SSH_OPTIONS_USER, pw->pw_name);
1629 } else {
1630 ssh_options_set(sess, SSH_OPTIONS_USER, ssh_ch_opts.username);
Michal Vasko80cad7f2015-12-08 14:42:27 +01001631 }
Michal Vasko086311b2016-01-08 09:53:11 +01001632 if (ssh_options_set(sess, SSH_OPTIONS_HOSTKEYS,
1633 "ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
1634 "ecdsa-sha2-nistp256,ssh-rsa,ssh-dss,ssh-rsa1")) {
1635 /* ecdsa is probably not supported... */
1636 ssh_options_set(sess, SSH_OPTIONS_HOSTKEYS, "ssh-ed25519,ssh-rsa,ssh-dss,ssh-rsa1");
1637 }
Michal Vasko80cad7f2015-12-08 14:42:27 +01001638
Michal Vasko0190bc32016-03-02 15:47:49 +01001639 session = _nc_connect_libssh(sess, ctx, &ssh_ch_opts, timeout);
Michal Vasko4282fae2016-02-18 10:03:42 +01001640 if (session) {
1641 session->flags |= NC_SESSION_CALLHOME;
1642 }
1643
Michal Vasko30e2c872016-02-18 10:03:21 +01001644 return session;
Michal Vasko80cad7f2015-12-08 14:42:27 +01001645}