Attachment #1483 for bug #1090

Lines 164-169 struct confirm_ctx { Link Here

(-)clientloop.c (-18 / +42 lines)
164	char **env;	164	char **env;
165	};	165	};
166		166
		167	struct channel_reply_ctx {
		168	const char *request_type;
		169	int do_close;
		170	};
		171
167	/XXX/	172	/XXX/
168	extern Kex *xxx_kex;	173	extern Kex *xxx_kex;
169		174
Lines 636-645 client_process_net_input(fd_set *readset Link Here
636	}	641	}
637		642
638	static void	643	static void
639	client_subsystem_reply(int type, u_int32_t seq, void *ctxt)	644	client_handle_reply(int type, u_int32_t seq, void ctxt, void ex_ctx)
640	{	645	{
641	int id;	646	int id;
642	Channel *c;	647	Channel *c;
		648	struct channel_reply_ctx cr = (struct channel_reply_ctx )ex_ctx;
643		649
644	id = packet_get_int();	650	id = packet_get_int();
645	packet_check_eom();	651	packet_check_eom();
Lines 649-660 client_subsystem_reply(int type, u_int32 Link Here
649	return;	655	return;
650	}	656	}
651		657
652	if (type == SSH2_MSG_CHANNEL_SUCCESS)	658	if (type == SSH2_MSG_CHANNEL_SUCCESS) {
653	debug2("Request suceeded on channel %d", id);	659	debug2("%s request accepted on channel %d",
654	else if (type == SSH2_MSG_CHANNEL_FAILURE) {	660	cr->request_type, id);
655	error("Request failed on channel %d", id);	661	} else if (type == SSH2_MSG_CHANNEL_FAILURE) {
656	channel_free(c);	662	error("%s request failed on channel %d",
		663	cr->request_type, id);
		664	/* XXX return a nice error message to mux clients */
		665	if (cr->do_close) {
		666	chan_read_failed(c);
		667	chan_write_failed(c);
		668	}
657	}	669	}
		670	xfree(cr);
		671	}
		672
		673	static void
		674	client_expect_channel_reply(const char *request, int do_close)
		675	{
		676	struct channel_reply_ctx cr = xmalloc(sizeof(cr));
		677
		678	cr->request_type = request;
		679	cr->do_close = do_close;
		680	dispatch_expect_range(SSH2_MSG_CHANNEL_SUCCESS,
		681	SSH2_MSG_CHANNEL_FAILURE, client_handle_reply, (void *)cr);
658	}	682	}
659		683
660	static void	684	static void
Lines 690-696 client_extra_session2_setup(int id, void Link Here
690		714
691	client_session2_setup(id, cctx->want_tty, cctx->want_subsys,	715	client_session2_setup(id, cctx->want_tty, cctx->want_subsys,
692	cctx->term, &cctx->tio, c->rfd, &cctx->cmd, cctx->env,	716	cctx->term, &cctx->tio, c->rfd, &cctx->cmd, cctx->env,
693	client_subsystem_reply);	717	client_handle_reply);
694		718
695	c->confirm_ctx = NULL;	719	c->confirm_ctx = NULL;
696	buffer_free(&cctx->cmd);	720	buffer_free(&cctx->cmd);
Lines 1947-1953 client_input_global_request(int type, u_ Link Here
1947	void	1971	void
1948	client_session2_setup(int id, int want_tty, int want_subsystem,	1972	client_session2_setup(int id, int want_tty, int want_subsystem,
1949	const char term, struct termios tiop, int in_fd, Buffer cmd, char *env,	1973	const char term, struct termios tiop, int in_fd, Buffer cmd, char *env,
1950	dispatch_fn *subsys_repl)	1974	dispatch_ex_fn *subsys_repl)
1951	{	1975	{
1952	int len;	1976	int len;
1953	Channel *c = NULL;	1977	Channel *c = NULL;
Lines 1965-1971 client_session2_setup(int id, int want_t Link Here
1965	if (ioctl(in_fd, TIOCGWINSZ, &ws) < 0)	1989	if (ioctl(in_fd, TIOCGWINSZ, &ws) < 0)
1966	memset(&ws, 0, sizeof(ws));	1990	memset(&ws, 0, sizeof(ws));
1967		1991
1968	channel_request_start(id, "pty-req", 0);	1992	channel_request_start(id, "pty-req", 1);
		1993	client_expect_channel_reply("PTY allocation", 0);
1969	packet_put_cstring(term != NULL ? term : "");	1994	packet_put_cstring(term != NULL ? term : "");
1970	packet_put_int((u_int)ws.ws_col);	1995	packet_put_int((u_int)ws.ws_col);
1971	packet_put_int((u_int)ws.ws_row);	1996	packet_put_int((u_int)ws.ws_row);
Lines 2021-2041 client_session2_setup(int id, int want_t Link Here
2021	len = 900;	2046	len = 900;
2022	if (want_subsystem) {	2047	if (want_subsystem) {
2023	debug("Sending subsystem: %.s", len, (u_char)buffer_ptr(cmd));	2048	debug("Sending subsystem: %.s", len, (u_char)buffer_ptr(cmd));
2024	channel_request_start(id, "subsystem", subsys_repl != NULL);	2049	channel_request_start(id, "subsystem",
2025	if (subsys_repl != NULL) {	2050	subsys_repl != NULL);
2026	/* register callback for reply */	2051	if (subsys_repl != NULL)
2027	/* XXX we assume that client_loop has already been called */	2052	client_expect_channel_reply("subsystem", 1);
2028	dispatch_set(SSH2_MSG_CHANNEL_FAILURE, subsys_repl);
2029	dispatch_set(SSH2_MSG_CHANNEL_SUCCESS, subsys_repl);
2030	}
2031	} else {	2053	} else {
2032	debug("Sending command: %.s", len, (u_char)buffer_ptr(cmd));	2054	debug("Sending command: %.s", len, (u_char)buffer_ptr(cmd));
2033	channel_request_start(id, "exec", 0);	2055	channel_request_start(id, "exec", 1);
		2056	client_expect_channel_reply("exec", 1);
2034	}	2057	}
2035	packet_put_string(buffer_ptr(cmd), buffer_len(cmd));	2058	packet_put_string(buffer_ptr(cmd), buffer_len(cmd));
2036	packet_send();	2059	packet_send();
2037	} else {	2060	} else {
2038	channel_request_start(id, "shell", 0);	2061	channel_request_start(id, "shell", 1);
		2062	client_expect_channel_reply("shell", 1);
2039	packet_send();	2063	packet_send();
2040	}	2064	}
2041	}	2065	}

Lines 43-49 void client_x11_get_proto(const char *, Link Here

(-)clientloop.h (-1 / +1 lines)
43	char , char );	43	char , char );
44	void client_global_request_reply_fwd(int, u_int32_t, void *);	44	void client_global_request_reply_fwd(int, u_int32_t, void *);
45	void client_session2_setup(int, int, int, const char , struct termios ,	45	void client_session2_setup(int, int, int, const char , struct termios ,
46	int, Buffer , char , dispatch_fn );	46	int, Buffer , char , dispatch_ex_fn );
47	int client_request_tun_fwd(int, int, int);	47	int client_request_tun_fwd(int, int, int);
48		48
49	/* Multiplexing protocol version */	49	/* Multiplexing protocol version */




 */

#include <sys/types.h>
#include <sys/queue.h>

#include <signal.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>

#include "ssh1.h"
#include "ssh2.h"
#include "log.h"
#include "dispatch.h"
#include "packet.h"
#include "xmalloc.h"
#include "compat.h"

#define DISPATCH_MIN	0
#define DISPATCH_MAX	255

struct dispatch_expectation {
	int id_low, id_high;
	dispatch_ex_fn *cb;
	void *ex_ctx;
	TAILQ_ENTRY(dispatch_expectation) entry;
};
TAILQ_HEAD(dispatch_expectations, dispatch_expectation);

dispatch_fn *dispatch[DISPATCH_MAX];
struct dispatch_expectations expected = TAILQ_HEAD_INITIALIZER(expected);

/* ARGSUSED */
void
dispatch_protocol_error(int type, u_int32_t seq, void *ctxt)
{

	packet_send();
	packet_write_wait();
}

/* ARGSUSED */
void
dispatch_protocol_ignore(int type, u_int32_t seq, void *ctxt)
{

{
	dispatch[type] = fn;
}

void
dispatch_expect_range(int id_low, int id_high, dispatch_ex_fn *cb, void *ex_ctx)
{
	struct dispatch_expectation *de;

	if (id_low > id_high)
		fatal("%s: id_low > id_high", __func__);
	de = xmalloc(sizeof(*de));
	de->id_low = id_low;
	de->id_high = id_high;
	de->cb = cb;
	de->ex_ctx = cb != NULL ? ex_ctx : NULL;
	TAILQ_INSERT_TAIL(&expected, de, entry);
}

void
dispatch_expect(int id, dispatch_ex_fn *cb, void *ex_ctx)
{
	dispatch_expect_range(id, id, cb, ex_ctx);
}

void
dispatch_run(int mode, volatile sig_atomic_t *done, void *ctxt)
{
	struct dispatch_expectation *de;

	for (;;) {
		int type;
		u_int32_t seqnr;

			if (type == SSH_MSG_NONE)
				return;
		}
		/* Run any specific expected packets first */
		de = TAILQ_FIRST(&expected);
		if (de != NULL && de->id_low <= type && de->id_high >= type) {
			if (de->cb != NULL)
				de->cb(type, seqnr, ctxt, de->ex_ctx);
			TAILQ_REMOVE(&expected, de, entry);
			bzero(de, sizeof(*de));
			free(de);
		} else if (type > 0 && type < DISPATCH_MAX &&
		    dispatch[type] != NULL)
			(*dispatch[type])(type, seqnr, ctxt);
		else
			packet_disconnect("protocol error: rcvd type %d", type);

Lines 29-38 enum { Link Here

(-)dispatch.h (+3 lines)
29	};	29	};
30		30
31	typedef void dispatch_fn(int, u_int32_t, void *);	31	typedef void dispatch_fn(int, u_int32_t, void *);
		32	typedef void dispatch_ex_fn(int, u_int32_t, void , void );
32		33
33	void dispatch_init(dispatch_fn *);	34	void dispatch_init(dispatch_fn *);
34	void dispatch_set(int, dispatch_fn *);	35	void dispatch_set(int, dispatch_fn *);
35	void dispatch_range(u_int, u_int, dispatch_fn *);	36	void dispatch_range(u_int, u_int, dispatch_fn *);
		37	void dispatch_expect_range(int, int, dispatch_ex_fn , void );
		38	void dispatch_expect(int, dispatch_ex_fn , void );
36	void dispatch_run(int, volatile sig_atomic_t , void );	39	void dispatch_run(int, volatile sig_atomic_t , void );
37	void dispatch_protocol_error(int, u_int32_t, void *);	40	void dispatch_protocol_error(int, u_int32_t, void *);
38	void dispatch_protocol_ignore(int, u_int32_t, void *);	41	void dispatch_protocol_ignore(int, u_int32_t, void *);

Lines 999-1005 mm_session_close(Session *s) Link Here

(-)monitor.c (-1 / +1 lines)
999	debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);	999	debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
1000	session_pty_cleanup2(s);	1000	session_pty_cleanup2(s);
1001	}	1001	}
1002	s->used = 0;	1002	session_unused(s->self);
1003	}	1003	}
1004		1004
1005	int	1005	int




{
	Buffer m;
	char *p, *msg;
	int success = 0, tmp1 = -1, tmp2 = -1;

	/* Kludge: ensure there are fds free to receive the pty/tty */
	if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
	    (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
		error("%s: cannot allocate fds for pty", __func__);
		close(tmp1);
		close(tmp2);
		return 0;
	}
	close(tmp1);
	close(tmp2);

	buffer_init(&m);
	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, &m);

	buffer_free(&m);

	/* closed dup'ed master */
	if (s->ptymaster != -1 && close(s->ptymaster) < 0)
		error("close(s->ptymaster/%d): %s",
		    s->ptymaster, strerror(errno));

	/* unlink pty from session */
	s->ttyfd = -1;

Lines 105-110 initialize_server_options(ServerOptions Link Here

(-)servconf.c (-5 / +14 lines)
105	options->max_startups_rate = -1;	105	options->max_startups_rate = -1;
106	options->max_startups = -1;	106	options->max_startups = -1;
107	options->max_authtries = -1;	107	options->max_authtries = -1;
		108	options->max_sessions = -1;
108	options->banner = NULL;	109	options->banner = NULL;
109	options->use_dns = -1;	110	options->use_dns = -1;
110	options->client_alive_interval = -1;	111	options->client_alive_interval = -1;
Lines 221-226 fill_default_server_options(ServerOption Link Here
221	options->max_startups_begin = options->max_startups;	222	options->max_startups_begin = options->max_startups;
222	if (options->max_authtries == -1)	223	if (options->max_authtries == -1)
223	options->max_authtries = DEFAULT_AUTH_FAIL_MAX;	224	options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
		225	if (options->max_sessions == -1)
		226	options->max_sessions = DEFAULT_SESSIONS_MAX;
224	if (options->use_dns == -1)	227	if (options->use_dns == -1)
225	options->use_dns = 1;	228	options->use_dns = 1;
226	if (options->client_alive_interval == -1)	229	if (options->client_alive_interval == -1)
Lines 262-268 typedef enum { Link Here
262	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,	265	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
263	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,	266	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
264	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,	267	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
265	sMaxStartups, sMaxAuthTries,	268	sMaxStartups, sMaxAuthTries, sMaxSessions,
266	sBanner, sUseDNS, sHostbasedAuthentication,	269	sBanner, sUseDNS, sHostbasedAuthentication,
267	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,	270	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
268	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,	271	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
Lines 353-358 static struct { Link Here
353	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },	356	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
354	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },	357	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
355	{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },	358	{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
		359	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
356	{ "banner", sBanner, SSHCFG_ALL },	360	{ "banner", sBanner, SSHCFG_ALL },
357	{ "usedns", sUseDNS, SSHCFG_GLOBAL },	361	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
358	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },	362	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
Lines 647-653 process_server_config_line(ServerOptions Link Here
647		651
648	case sServerKeyBits:	652	case sServerKeyBits:
649	intptr = &options->server_key_bits;	653	intptr = &options->server_key_bits;
650	parse_int:	654	parse_int:
651	arg = strdelim(&cp);	655	arg = strdelim(&cp);
652	if (!arg \|\| *arg == '\0')	656	if (!arg \|\| *arg == '\0')
653	fatal("%s line %d: missing integer value.",	657	fatal("%s line %d: missing integer value.",
Lines 659-665 parse_int: Link Here
659		663
660	case sLoginGraceTime:	664	case sLoginGraceTime:
661	intptr = &options->login_grace_time;	665	intptr = &options->login_grace_time;
662	parse_time:	666	parse_time:
663	arg = strdelim(&cp);	667	arg = strdelim(&cp);
664	if (!arg \|\| *arg == '\0')	668	if (!arg \|\| *arg == '\0')
665	fatal("%s line %d: missing time value.",	669	fatal("%s line %d: missing time value.",
Lines 728-734 parse_time: Link Here
728	fatal("%s line %d: too many host keys specified (max %d).",	732	fatal("%s line %d: too many host keys specified (max %d).",
729	filename, linenum, MAX_HOSTKEYS);	733	filename, linenum, MAX_HOSTKEYS);
730	charptr = &options->host_key_files[*intptr];	734	charptr = &options->host_key_files[*intptr];
731	parse_filename:	735	parse_filename:
732	arg = strdelim(&cp);	736	arg = strdelim(&cp);
733	if (!arg \|\| *arg == '\0')	737	if (!arg \|\| *arg == '\0')
734	fatal("%s line %d: missing file name.",	738	fatal("%s line %d: missing file name.",
Lines 771-777 parse_filename: Link Here
771		775
772	case sIgnoreRhosts:	776	case sIgnoreRhosts:
773	intptr = &options->ignore_rhosts;	777	intptr = &options->ignore_rhosts;
774	parse_flag:	778	parse_flag:
775	arg = strdelim(&cp);	779	arg = strdelim(&cp);
776	if (!arg \|\| *arg == '\0')	780	if (!arg \|\| *arg == '\0')
777	fatal("%s line %d: missing yes/no argument.",	781	fatal("%s line %d: missing yes/no argument.",
Lines 1103-1108 parse_flag: Link Here
1103	intptr = &options->max_authtries;	1107	intptr = &options->max_authtries;
1104	goto parse_int;	1108	goto parse_int;
1105		1109
		1110	case sMaxSessions:
		1111	intptr = &options->max_sessions;
		1112	goto parse_int;
		1113
1106	case sBanner:	1114	case sBanner:
1107	charptr = &options->banner;	1115	charptr = &options->banner;
1108	goto parse_filename;	1116	goto parse_filename;
Lines 1329-1334 copy_set_server_options(ServerOptions *d Link Here
1329	M_CP_INTOPT(x11_display_offset);	1337	M_CP_INTOPT(x11_display_offset);
1330	M_CP_INTOPT(x11_forwarding);	1338	M_CP_INTOPT(x11_forwarding);
1331	M_CP_INTOPT(x11_use_localhost);	1339	M_CP_INTOPT(x11_use_localhost);
		1340	M_CP_INTOPT(max_sessions);
1332		1341
1333	M_CP_STROPT(banner);	1342	M_CP_STROPT(banner);
1334	if (preauth)	1343	if (preauth)

Lines 35-40 Link Here

(-)servconf.h (+2 lines)
35	#define PERMIT_YES 3	35	#define PERMIT_YES 3
36		36
37	#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */	37	#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
		38	#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
38		39
39	/* Magic name for internal sftp-server */	40	/* Magic name for internal sftp-server */
40	#define INTERNAL_SFTP_NAME "internal-sftp"	41	#define INTERNAL_SFTP_NAME "internal-sftp"
Lines 122-127 typedef struct { Link Here
122	int max_startups_rate;	123	int max_startups_rate;
123	int max_startups;	124	int max_startups;
124	int max_authtries;	125	int max_authtries;
		126	int max_sessions;
125	char banner; / SSH-2 banner message */	127	char banner; / SSH-2 banner message */
126	int use_dns;	128	int use_dns;
127	int client_alive_interval; /*	129	int client_alive_interval; /*




void	session_pty_cleanup(Session *);
void	session_proctitle(Session *);
int	session_setup_x11fwd(Session *);
int	do_exec_pty(Session *, const char *);
int	do_exec_no_pty(Session *, const char *);
int	do_exec(Session *, const char *);
void	do_login(Session *, const char *);
void	do_child(Session *, const char *);
void	do_motd(void);

const char *original_command = NULL;

/* data */
static int sessions_first_unused = -1;
static int sessions_nalloc = 0;
static Session *sessions = NULL;

#define SUBSYSTEM_NONE		0
#define SUBSYSTEM_EXT		1

auth_input_request_forwarding(struct passwd * pw)
{
	Channel *nc;
	int sock = -1;
	struct sockaddr_un sunaddr;

	if (auth_sock_name != NULL) {

	temporarily_use_uid(pw);

	/* Allocate a buffer for the socket name, and format the name. */
	auth_sock_dir = xstrdup("/tmp/ssh-XXXXXXXXXX");
	auth_sock_dir = xmalloc(MAXPATHLEN);
	strlcpy(auth_sock_dir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN);

	/* Create private directory for socket */
	if (mkdtemp(auth_sock_dir) == NULL) {
		packet_send_debug("Agent forwarding disabled: "
		    "mkdtemp() failed: %.100s", strerror(errno));
		restore_uid();
		xfree(auth_sock_name);
		xfree(auth_sock_dir);
		auth_sock_name = NULL;
		auth_sock_dir = NULL;
		goto authsock_err;
	}

	auth_sock_name = xmalloc(MAXPATHLEN);
	xasprintf(&auth_sock_name, "%s/agent.%ld",
	    auth_sock_dir, (long) getpid());

	/* Create the socket. */
	sock = socket(AF_UNIX, SOCK_STREAM, 0);
	if (sock < 0) {
		error("socket: %.100s", strerror(errno));
		restore_uid();
		goto authsock_err;
	}

	/* Bind it to the name. */
	memset(&sunaddr, 0, sizeof(sunaddr));
	sunaddr.sun_family = AF_UNIX;
	strlcpy(sunaddr.sun_path, auth_sock_name, sizeof(sunaddr.sun_path));

	if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) {
		error("bind: %.100s", strerror(errno));
		restore_uid();
		goto authsock_err;
	}

	/* Restore the privileged uid. */
	restore_uid();

	/* Start listening on the socket. */
	if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
		error("listen: %.100s", strerror(errno));
		goto authsock_err;
	}

	/* Allocate a channel for the authentication agent socket. */
	nc = channel_new("auth socket",

	    0, "auth socket", 1);
	strlcpy(nc->path, auth_sock_name, sizeof(nc->path));
	return 1;

 authsock_err:
	if (auth_sock_name != NULL)
		xfree(auth_sock_name);
	if (auth_sock_dir != NULL) {
		rmdir(auth_sock_dir);
		xfree(auth_sock_dir);
	}
	if (sock != -1)
		close(sock);
	auth_sock_name = NULL;
	auth_sock_dir = NULL;
	return 0;
}

static void

			if (type == SSH_CMSG_EXEC_CMD) {
				command = packet_get_string(&dlen);
				debug("Exec command '%.500s'", command);
				if (do_exec(s, command) != 0)
					cleanup_exit(255);
				xfree(command);
			} else {
				do_exec(s, NULL);

 * will call do_child from the child, and server_loop from the parent after
 * setting up file descriptors and such.
 */
int
do_exec_no_pty(Session *s, const char *command)
{
	pid_t pid;

	int inout[2], err[2];

	/* Uses socket pairs to communicate with the program. */
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, inout) < 0) {
		error("%s: socketpair #1: %.100s", __func__, strerror(errno));
		return -1;
	}
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0) {
		error("%s: socketpair #2: %.100s", __func__, strerror(errno));
		close(inout[0]);
		close(inout[1]);
		return -1;
	}

	if (s == NULL)
		fatal("do_exec_no_pty: no session");

	session_proctitle(s);

	/* Fork the child. */
	switch ((pid = fork())) {
	case -1:
		error("%s: fork: %.100s", __func__, strerror(errno));
		close(inout[0]);
		close(inout[1]);
		close(err[0]);
		close(err[1]);
		return -1;
	case 0:
		is_child = 1;

		/* Child.  Reinitialize the log since the pid has changed. */
		log_init(__progname, options.log_level,
		    options.log_facility, log_stderr);

		/*
		 * Create a new session and process group since the 4.4BSD

		close(err[1]);
		if (dup2(inout[0], 0) < 0)	/* stdin */
			perror("dup2 stdin");
		if (dup2(inout[0], 1) < 0)	/* stdout (same as stdin) */
			perror("dup2 stdout");
		if (dup2(err[0], 2) < 0)	/* stderr */
			perror("dup2 stderr");

		/* Do processing for the child (exec command etc). */
		do_child(s, command);
		/* NOTREACHED */
	default:
		break;
	}

		packet_disconnect("fork failed: %.100s", strerror(errno));
	s->pid = pid;
	/* Set interactive/non-interactive mode. */
	packet_set_interactive(s->display != NULL);

	 * handle the case that fdin and fdout are the same.
	 */
	if (compat20) {
		session_set_fds(s, inout[1], inout[1],
		    s->is_subsystem ? -1 : err[1]);
		if (s->is_subsystem)
			close(err[1]);
	} else {
		server_loop(pid, inout[1], inout[1], err[1]);
		/* server_loop has closed inout[1] and err[1]. */
	}
	return 0;
}

/*

 * setting up file descriptors, controlling tty, updating wtmp, utmp,
 * lastlog, and other such operations.
 */
int
do_exec_pty(Session *s, const char *command)
{
	int fdout, ptyfd, ttyfd, ptymaster;

	ptyfd = s->ptyfd;
	ttyfd = s->ttyfd;

	/*
	 * Create another descriptor of the pty master side for use as the
	 * standard input.  We could use the original descriptor, but this
	 * simplifies code in server_loop.  The descriptor is bidirectional.
	 * Do this before forking (and cleanup in the child) so as to
	 * detect and gracefully fail out-of-fd conditions.
	 */
	if ((fdout = dup(ptyfd)) < 0) {
		error("%s: dup #1: %s", __func__, strerror(errno));
		close(ttyfd);
		close(ptyfd);
		return -1;
	}
	/* we keep a reference to the pty master */
	if ((ptymaster = dup(ptyfd)) < 0) {
		error("%s: dup #2: %s", __func__, strerror(errno));
		close(ttyfd);
		close(ptyfd);
		close(fdout);
		return -1;
	}

	/* Fork the child. */
	switch ((pid = fork())) {
	case -1:
		error("%s: fork: %.100s", __func__, strerror(errno));
		close(fdout);
		close(ptymaster);
		close(ttyfd);
		close(ptyfd);
		return -1;
	case 0:
		is_child = 1;

		close(fdout);
		close(ptymaster);

		/* Child.  Reinitialize the log because the pid has changed. */
		log_init(__progname, options.log_level,
		    options.log_facility, log_stderr);
		/* Close the master side of the pseudo tty. */
		close(ptyfd);


		if (!(options.use_login && command == NULL))
			do_login(s, command);

		/*
		 * Do common processing for the child, such as execing
		 * the command.
		 */
		do_child(s, command);
		/* NOTREACHED */
	default:
		break;
	}
	if (pid < 0)
		packet_disconnect("fork failed: %.100s", strerror(errno));
	s->pid = pid;

	/* Parent.  Close the slave side of the pseudo tty. */
	close(ttyfd);

	/*
	 * Create another descriptor of the pty master side for use as the
	 * standard input.  We could use the original descriptor, but this
	 * simplifies code in server_loop.  The descriptor is bidirectional.
	 */
	fdout = dup(ptyfd);
	if (fdout < 0)
		packet_disconnect("dup #1 failed: %.100s", strerror(errno));

	/* we keep a reference to the pty master */
	ptymaster = dup(ptyfd);
	if (ptymaster < 0)
		packet_disconnect("dup #2 failed: %.100s", strerror(errno));
	s->ptymaster = ptymaster;

	/* Enter interactive session. */
	s->ptymaster = ptymaster;
	packet_set_interactive(1);
	if (compat20) {
		session_set_fds(s, ptyfd, fdout, -1);

		server_loop(pid, ptyfd, fdout, -1);
		/* server_loop _has_ closed ptyfd and fdout. */
	}
	return 0;
}

/*
 * This is called to fork and execute a command.  If another command is
 * to be forced, execute that instead.
 */
int
do_exec(Session *s, const char *command)
{
	int ret;

	if (options.adm_forced_command) {
		original_command = command;
		command = options.adm_forced_command;

	}
#endif
	if (s->ttyfd != -1)
		ret = do_exec_pty(s, command);
	else
		ret = do_exec_no_pty(s, command);

	original_command = NULL;


	 * multiple copies of the login messages.
	 */
	buffer_clear(&loginmsg);

	return ret;
}



	exit(1);
}

void
session_unused(int id)
{
	debug3("%s: session id %d unused", __func__, id);
	if (id >= options.max_sessions ||
	    id >= sessions_nalloc) {
		fatal("%s: insane session id %d (max %d nalloc %d)",
		    __func__, id, options.max_sessions, sessions_nalloc);
	}
	bzero(&sessions[id], sizeof(*sessions));
	sessions[id].self = id;
	sessions[id].used = 0;
	sessions[id].chanid = -1;
	sessions[id].ptyfd = -1;
	sessions[id].ttyfd = -1;
	sessions[id].ptymaster = -1;
	sessions[id].x11_chanids = NULL;
	sessions[id].next_unused = sessions_first_unused;
	sessions_first_unused = id;
}

Session *
session_new(void)
{
	Session *s, *tmp;

	if (sessions_first_unused == -1) {
		if (sessions_nalloc >= options.max_sessions)
			return NULL;
		debug2("%s: allocate (allocated %d max %d)",
		    __func__, sessions_nalloc, options.max_sessions);
		tmp = xrealloc(sessions, sessions_nalloc + 1,
		    sizeof(*sessions));
		if (tmp == NULL) {
			error("%s: cannot allocate %d sessions",
			    __func__, sessions_nalloc + 1);
			return NULL;
		}
		sessions = tmp;
		session_unused(sessions_nalloc++);
	}

	if (sessions_first_unused >= sessions_nalloc ||
	    sessions_first_unused < 0) {
		fatal("%s: insane first_unused %d max %d nalloc %d",
		    __func__, sessions_first_unused, options.max_sessions,
		    sessions_nalloc);
	}

	s = &sessions[sessions_first_unused];
	if (s->used) {
		fatal("%s: session %d already used",
		    __func__, sessions_first_unused);
	}
	sessions_first_unused = s->next_unused;
	s->used = 1;
	s->next_unused = -1;
	debug("session_new: session %d", s->self);

	return s;
}

static void
session_dump(void)
{
	int i;
	for (i = 0; i < sessions_nalloc; i++) {
		Session *s = &sessions[i];

		debug("dump: used %d next_unused %d session %d %p "
		    "channel %d pid %ld",
		    s->used,
		    s->next_unused,
		    s->self,
		    s,
		    s->chanid,

session_by_tty(char *tty)
{
	int i;
	for (i = 0; i < sessions_nalloc; i++) {
		Session *s = &sessions[i];
		if (s->used && s->ttyfd != -1 && strcmp(s->tty, tty) == 0) {
			debug("session_by_tty: session %d tty %s", i, tty);

session_by_channel(int id)
{
	int i;
	for (i = 0; i < sessions_nalloc; i++) {
		Session *s = &sessions[i];
		if (s->used && s->chanid == id) {
			debug("session_by_channel: session %d channel %d",
			    i, id);
			return s;
		}
	}

{
	int i, j;

	for (i = 0; i < sessions_nalloc; i++) {
		Session *s = &sessions[i];

		if (s->x11_chanids == NULL || !s->used)

{
	int i;
	debug("session_by_pid: pid %ld", (long)pid);
	for (i = 0; i < sessions_nalloc; i++) {
		Session *s = &sessions[i];
		if (s->used && s->pid == pid)
			return s;


	/* Allocate a pty and open it. */
	debug("Allocating pty.");
	if (!PRIVSEP(pty_allocate(&s->ptyfd, &s->ttyfd, s->tty,
	    sizeof(s->tty)))) {
		if (s->term)
			xfree(s->term);
		s->term = NULL;

				s->is_subsystem = SUBSYSTEM_EXT;
			}
			debug("subsystem: exec() %s", cmd);
			success = do_exec(s, cmd) == 0;
			success = 1;
			break;
		}
	}

session_shell_req(Session *s)
{
	packet_check_eom();
	return do_exec(s, NULL) == 0;
	return 1;
}

static int
session_exec_req(Session *s)
{
	u_int len, success;

	char *command = packet_get_string(&len);
	packet_check_eom();
	success = do_exec(s, command) == 0;
	xfree(command);
	return success;
}

static int

	packet_get_int();	/* ignored */
	packet_check_eom();

	if (s->ttyfd == -1 || tcsendbreak(s->ttyfd, 0) < 0)
	    tcsendbreak(s->ttyfd, 0) < 0)
		return 0;
	return 1;
}

	 * the pty cleanup, so that another process doesn't get this pty
	 * while we're still cleaning up.
	 */
	if (s->ptymaster != -1 && close(s->ptymaster) < 0)
		error("close(s->ptymaster/%d): %s",
		    s->ptymaster, strerror(errno));

	/* unlink pty from session */
	s->ttyfd = -1;

		xfree(s->auth_data);
	if (s->auth_proto)
		xfree(s->auth_proto);
	s->used = 0;
	if (s->env != NULL) {
		for (i = 0; i < s->num_env; i++) {
			xfree(s->env[i].name);

		xfree(s->env);
	}
	session_proctitle(s);
	session_unused(s->self);
}

void

session_destroy_all(void (*closefunc)(Session *))
{
	int i;
	for (i = 0; i < sessions_nalloc; i++) {
		Session *s = &sessions[i];
		if (s->used) {
			if (closefunc != NULL)

	static char buf[1024];
	int i;
	buf[0] = '\0';
	for (i = 0; i < sessions_nalloc; i++) {
		Session *s = &sessions[i];
		if (s->used && s->ttyfd != -1) {
			if (buf[0] != '\0')

Lines 31-36 typedef struct Session Session; Link Here

(-)session.h (+2 lines)
31	struct Session {	31	struct Session {
32	int used;	32	int used;
33	int self;	33	int self;
		34	int next_unused;
34	struct passwd *pw;	35	struct passwd *pw;
35	Authctxt *authctxt;	36	Authctxt *authctxt;
36	pid_t pid;	37	pid_t pid;
Lines 65-70 void do_authenticated(Authctxt *); Link Here
65	void do_cleanup(Authctxt *);	66	void do_cleanup(Authctxt *);
66		67
67	int session_open(Authctxt *, int);	68	int session_open(Authctxt *, int);
		69	void session_unused(int);
68	int session_input_channel_req(Channel , const char );	70	int session_input_channel_req(Channel , const char );
69	void session_close_by_pid(pid_t, int);	71	void session_close_by_pid(pid_t, int);
70	void session_close_by_channel(int, void *);	72	void session_close_by_channel(int, void *);

Lines 1019-1025 ssh_session(void) Link Here

(-)ssh.c (-1 / +1 lines)
1019	}	1019	}
1020		1020
1021	static void	1021	static void
1022	ssh_subsystem_reply(int type, u_int32_t seq, void *ctxt)	1022	ssh_subsystem_reply(int type, u_int32_t seq, void ctxt, void ex_ctx)
1023	{	1023	{
1024	int id, len;	1024	int id, len;
1025		1025

Lines 39-44 Protocol 2 Link Here

(-)sshd_config (+1 lines)
39	#PermitRootLogin yes	39	#PermitRootLogin yes
40	#StrictModes yes	40	#StrictModes yes
41	#MaxAuthTries 6	41	#MaxAuthTries 6
		42	#MaxSessions 10
42		43
43	#RSAAuthentication yes	44	#RSAAuthentication yes
44	#PubkeyAuthentication yes	45	#PubkeyAuthentication yes

Lines 585-590 connection. Link Here

(-)sshd_config.5 (+3 lines)
585	Once the number of failures reaches half this value,	585	Once the number of failures reaches half this value,
586	additional failures are logged.	586	additional failures are logged.
587	The default is 6.	587	The default is 6.
		588	.It Cm MaxSessions
		589	Specifies the maximum number of open sessions permitted per network connection.
		590	The default is 10.
588	.It Cm MaxStartups	591	.It Cm MaxStartups
589	Specifies the maximum number of concurrent unauthenticated connections to the	592	Specifies the maximum number of concurrent unauthenticated connections to the
590	SSH daemon.	593	SSH daemon.

Return to bug 1090

Lines 24-45 Link Here

(-)dispatch.c (-1 / +50 lines)
24	*/	24	*/
25		25
26	#include <sys/types.h>	26	#include <sys/types.h>
		27	#include <sys/queue.h>
27		28
28	#include <signal.h>	29	#include <signal.h>
29	#include <stdarg.h>	30	#include <stdarg.h>
		31	#include <stdlib.h>
		32	#include <string.h>
30		33
31	#include "ssh1.h"	34	#include "ssh1.h"
32	#include "ssh2.h"	35	#include "ssh2.h"
33	#include "log.h"	36	#include "log.h"
34	#include "dispatch.h"	37	#include "dispatch.h"
35	#include "packet.h"	38	#include "packet.h"
		39	#include "xmalloc.h"
36	#include "compat.h"	40	#include "compat.h"
37		41
38	#define DISPATCH_MIN 0	42	#define DISPATCH_MIN 0
39	#define DISPATCH_MAX 255	43	#define DISPATCH_MAX 255
40		44
		45	struct dispatch_expectation {
		46	int id_low, id_high;
		47	dispatch_ex_fn *cb;
		48	void *ex_ctx;
		49	TAILQ_ENTRY(dispatch_expectation) entry;
		50	};
		51	TAILQ_HEAD(dispatch_expectations, dispatch_expectation);
		52
41	dispatch_fn *dispatch[DISPATCH_MAX];	53	dispatch_fn *dispatch[DISPATCH_MAX];
		54	struct dispatch_expectations expected = TAILQ_HEAD_INITIALIZER(expected);
42		55
		56	/* ARGSUSED */
43	void	57	void
44	dispatch_protocol_error(int type, u_int32_t seq, void *ctxt)	58	dispatch_protocol_error(int type, u_int32_t seq, void *ctxt)
45	{	59	{
Lines 51-56 dispatch_protocol_error(int type, u_int3 Link Here
51	packet_send();	65	packet_send();
52	packet_write_wait();	66	packet_write_wait();
53	}	67	}
		68
		69	/* ARGSUSED */
54	void	70	void
55	dispatch_protocol_ignore(int type, u_int32_t seq, void *ctxt)	71	dispatch_protocol_ignore(int type, u_int32_t seq, void *ctxt)
56	{	72	{
Lines 79-87 dispatch_set(int type, dispatch_fn *fn) Link Here
79	{	95	{
80	dispatch[type] = fn;	96	dispatch[type] = fn;
81	}	97	}
		98
		99	void
		100	dispatch_expect_range(int id_low, int id_high, dispatch_ex_fn cb, void ex_ctx)
		101	{
		102	struct dispatch_expectation *de;
		103
		104	if (id_low > id_high)
		105	fatal("%s: id_low > id_high", __func__);
		106	de = xmalloc(sizeof(*de));
		107	de->id_low = id_low;
		108	de->id_high = id_high;
		109	de->cb = cb;
		110	de->ex_ctx = cb != NULL ? ex_ctx : NULL;
		111	TAILQ_INSERT_TAIL(&expected, de, entry);
		112	}
		113
		114	void
		115	dispatch_expect(int id, dispatch_ex_fn cb, void ex_ctx)
		116	{
		117	dispatch_expect_range(id, id, cb, ex_ctx);
		118	}
		119
82	void	120	void
83	dispatch_run(int mode, volatile sig_atomic_t done, void ctxt)	121	dispatch_run(int mode, volatile sig_atomic_t done, void ctxt)
84	{	122	{
		123	struct dispatch_expectation *de;
		124
85	for (;;) {	125	for (;;) {
86	int type;	126	int type;
87	u_int32_t seqnr;	127	u_int32_t seqnr;
Lines 93-99 dispatch_run(int mode, volatile sig_atom Link Here
93	if (type == SSH_MSG_NONE)	133	if (type == SSH_MSG_NONE)
94	return;	134	return;
95	}	135	}
96	if (type > 0 && type < DISPATCH_MAX && dispatch[type] != NULL)	136	/* Run any specific expected packets first */
		137	de = TAILQ_FIRST(&expected);
		138	if (de != NULL && de->id_low <= type && de->id_high >= type) {
		139	if (de->cb != NULL)
		140	de->cb(type, seqnr, ctxt, de->ex_ctx);
		141	TAILQ_REMOVE(&expected, de, entry);
		142	bzero(de, sizeof(*de));
		143	free(de);
		144	} else if (type > 0 && type < DISPATCH_MAX &&
		145	dispatch[type] != NULL)
97	(*dispatch[type])(type, seqnr, ctxt);	146	(*dispatch[type])(type, seqnr, ctxt);
98	else	147	else
99	packet_disconnect("protocol error: rcvd type %d", type);	148	packet_disconnect("protocol error: rcvd type %d", type);

Lines 653-659 mm_pty_allocate(int ptyfd, int ttyfd, Link Here

(-)monitor_wrap.c (-3 / +15 lines)
653	{	653	{
654	Buffer m;	654	Buffer m;
655	char p, msg;	655	char p, msg;
656	int success = 0;	656	int success = 0, tmp1 = -1, tmp2 = -1;
		657
		658	/* Kludge: ensure there are fds free to receive the pty/tty */
		659	if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 \|\|
		660	(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
		661	error("%s: cannot allocate fds for pty", __func__);
		662	close(tmp1);
		663	close(tmp2);
		664	return 0;
		665	}
		666	close(tmp1);
		667	close(tmp2);
657		668
658	buffer_init(&m);	669	buffer_init(&m);
659	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, &m);	670	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, &m);
Lines 698-705 mm_session_pty_cleanup2(Session *s) Link Here
698	buffer_free(&m);	709	buffer_free(&m);
699		710
700	/* closed dup'ed master */	711	/* closed dup'ed master */
701	if (close(s->ptymaster) < 0)	712	if (s->ptymaster != -1 && close(s->ptymaster) < 0)
702	error("close(s->ptymaster): %s", strerror(errno));	713	error("close(s->ptymaster/%d): %s",
		714	s->ptymaster, strerror(errno));
703		715
704	/* unlink pty from session */	716	/* unlink pty from session */
705	s->ttyfd = -1;	717	s->ttyfd = -1;