changeset 560:52d7301e46bd agent-client

Agent forwarding works
author Matt Johnston <matt@ucc.asn.au>
date Thu, 30 Jul 2009 15:14:33 +0000
parents 7f66b8e40f2d
children 541ebf5bf0f6
files agentfwd.h chansession.h cli-agentfwd.c cli-authpubkey.c cli-chansession.c cli-session.c dbclient.1 debug.h signkey.c svr-agentfwd.c svr-chansession.c
diffstat 11 files changed, 49 insertions(+), 24 deletions(-) [+]
line wrap: on
line diff
--- a/agentfwd.h	Wed Jul 29 02:58:33 2009 +0000
+++ b/agentfwd.h	Thu Jul 30 15:14:33 2009 +0000
@@ -35,14 +35,16 @@
  * 10000 is arbitrary */
 #define MAX_AGENT_REPLY  10000
 
-int agentreq(struct ChanSess * chansess);
-void agentcleanup(struct ChanSess * chansess);
-void agentset(struct ChanSess *chansess);
+int svr_agentreq(struct ChanSess * chansess);
+void svr_agentcleanup(struct ChanSess * chansess);
+void svr_agentset(struct ChanSess *chansess);
 
 /* client functions */
-void load_agent_keys(m_list * ret_list);
+void cli_load_agent_keys(m_list * ret_list);
 void agent_buf_sign(buffer *sigblob, sign_key *key, 
     const unsigned char *data, unsigned int len);
+void cli_setup_agent(struct Channel *channel);
+
 
 #ifdef __hpux
 #define seteuid(a)       setresuid(-1, (a), -1)
--- a/chansession.h	Wed Jul 29 02:58:33 2009 +0000
+++ b/chansession.h	Thu Jul 30 15:14:33 2009 +0000
@@ -81,6 +81,7 @@
 #ifdef ENABLE_CLI_NETCAT
 void cli_send_netcat_request();
 #endif
+void cli_start_send_channel_request(struct Channel *channel, unsigned char *type);
 
 void svr_chansessinitialise();
 extern const struct ChanType svrchansess;
--- a/cli-agentfwd.c	Wed Jul 29 02:58:33 2009 +0000
+++ b/cli-agentfwd.c	Thu Jul 30 15:14:33 2009 +0000
@@ -226,10 +226,20 @@
 	}
 }
 
+void cli_setup_agent(struct Channel *channel) {
+	if (!getenv("SSH_AUTH_SOCK")) {
+		return;
+	}
+	
+	cli_start_send_channel_request(channel, "[email protected]");
+	/* Don't want replies */
+	buf_putbyte(ses.writepayload, 0);
+	encrypt_packet();
+}
+
 /* Returned keys are prepended to ret_list, which will
    be updated. */
-void load_agent_keys(m_list *ret_list)
-{
+void cli_load_agent_keys(m_list *ret_list) {
 	/* agent_fd will be closed after successful auth */
 	cli_opts.agent_fd = connect_agent();
 	if (cli_opts.agent_fd < 0) {
--- a/cli-authpubkey.c	Wed Jul 29 02:58:33 2009 +0000
+++ b/cli-authpubkey.c	Thu Jul 30 15:14:33 2009 +0000
@@ -187,10 +187,9 @@
 
 	TRACE(("enter cli_auth_pubkey"))
 
-	if (cli_opts.agent_fwd &&
-			!cli_opts.agent_keys_loaded) {
+	if (!cli_opts.agent_keys_loaded) {
 		/* get the list of available keys from the agent */
-		load_agent_keys(cli_opts.privkeys);
+		cli_load_agent_keys(cli_opts.privkeys);
 		cli_opts.agent_keys_loaded = 1;
 	}
 
--- a/cli-chansession.c	Wed Jul 29 02:58:33 2009 +0000
+++ b/cli-chansession.c	Thu Jul 30 15:14:33 2009 +0000
@@ -33,13 +33,12 @@
 #include "runopts.h"
 #include "termcodes.h"
 #include "chansession.h"
+#include "agentfwd.h"
 
 static void cli_closechansess(struct Channel *channel);
 static int cli_initchansess(struct Channel *channel);
 static void cli_chansessreq(struct Channel *channel);
 
-static void start_channel_request(struct Channel *channel, unsigned char *type);
-
 static void send_chansess_pty_req(struct Channel *channel);
 static void send_chansess_shell_req(struct Channel *channel);
 
@@ -92,7 +91,7 @@
 
 }
 
-static void start_channel_request(struct Channel *channel, 
+void cli_start_send_channel_request(struct Channel *channel, 
 		unsigned char *type) {
 
 	CHECKCLEARTOWRITE();
@@ -287,7 +286,7 @@
 
 	TRACE(("enter send_chansess_pty_req"))
 
-	start_channel_request(channel, "pty-req");
+	cli_start_send_channel_request(channel, "pty-req");
 
 	/* Don't want replies */
 	buf_putbyte(ses.writepayload, 0);
@@ -330,7 +329,7 @@
 		reqtype = "shell";
 	}
 
-	start_channel_request(channel, reqtype);
+	cli_start_send_channel_request(channel, reqtype);
 
 	/* XXX TODO */
 	buf_putbyte(ses.writepayload, 0); /* Don't want replies */
@@ -361,6 +360,12 @@
 
 	cli_init_stdpipe_sess(channel);
 
+#ifdef ENABLE_CLI_AGENTFWD
+	if (cli_opts.agent_fwd) {
+		cli_setup_agent(channel);
+	}
+#endif
+
 	if (cli_opts.wantpty) {
 		send_chansess_pty_req(channel);
 	}
--- a/cli-session.c	Wed Jul 29 02:58:33 2009 +0000
+++ b/cli-session.c	Thu Jul 30 15:14:33 2009 +0000
@@ -235,7 +235,7 @@
 				cli_send_netcat_request();
 			} else 
 #endif
-				if (!cli_opts.no_cmd) {
+			if (!cli_opts.no_cmd) {
 				cli_send_chansess_request();
 			}
 			TRACE(("leave cli_sessionloop: running"))
--- a/dbclient.1	Wed Jul 29 02:58:33 2009 +0000
+++ b/dbclient.1	Thu Jul 30 15:14:33 2009 +0000
@@ -82,6 +82,11 @@
 Always accept hostkeys if they are unknown. If a hostkey mismatch occurs the
 connection will abort as normal.
 .TP
+.B \-A
+Forward agent connections to the remote host. dbclient will use any
+OpenSSH-style agent program if available ($SSH_AUTH_SOCK will be set) for
+public key authentication.  Forwarding is only enabled if -A is specified.
+.TP
 .B \-W \fIwindowsize
 Specify the per-channel receive window buffer size. Increasing this 
 may improve network performance at the expense of memory use. Use -h to see the
--- a/debug.h	Wed Jul 29 02:58:33 2009 +0000
+++ b/debug.h	Thu Jul 30 15:14:33 2009 +0000
@@ -39,7 +39,7 @@
  * Caution: Don't use this in an unfriendly environment (ie unfirewalled),
  * since the printing may not sanitise strings etc. This will add a reasonable
  * amount to your executable size. */
-#define DEBUG_TRACE
+/*#define DEBUG_TRACE*/
 
 /* All functions writing to the cleartext payload buffer call
  * CHECKCLEARTOWRITE() before writing. This is only really useful if you're
--- a/signkey.c	Wed Jul 29 02:58:33 2009 +0000
+++ b/signkey.c	Thu Jul 30 15:14:33 2009 +0000
@@ -84,7 +84,6 @@
 #endif
 
 	TRACE(("signkey_type_from_name unexpected key type."))
-	printhex("Key type", name, namelen);
 
 	return DROPBEAR_SIGNKEY_NONE;
 }
--- a/svr-agentfwd.c	Wed Jul 29 02:58:33 2009 +0000
+++ b/svr-agentfwd.c	Thu Jul 30 15:14:33 2009 +0000
@@ -49,10 +49,12 @@
 
 /* Handles client requests to start agent forwarding, sets up listening socket.
  * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
-int agentreq(struct ChanSess * chansess) {
+int svr_agentreq(struct ChanSess * chansess) {
 
 	int fd;
 
+	TRACE(("enter svr_agentreq"))
+
 	if (!svr_pubkey_allows_agentfwd()) {
 		return DROPBEAR_FAILURE;
 	}
@@ -89,10 +91,12 @@
 	}
 
 	return DROPBEAR_SUCCESS;
+	TRACE(("success"))
 
 fail:
+	TRACE(("fail"))
 	/* cleanup */
-	agentcleanup(chansess);
+	svr_agentcleanup(chansess);
 
 	return DROPBEAR_FAILURE;
 }
@@ -118,7 +122,7 @@
 
 /* set up the environment variable pointing to the socket. This is called
  * just before command/shell execution, after dropping priveleges */
-void agentset(struct ChanSess * chansess) {
+void svr_agentset(struct ChanSess * chansess) {
 
 	char *path = NULL;
 	int len;
@@ -137,7 +141,7 @@
 }
 
 /* close the socket, remove the socket-file */
-void agentcleanup(struct ChanSess * chansess) {
+void svr_agentcleanup(struct ChanSess * chansess) {
 
 	char *path = NULL;
 	uid_t uid;
--- a/svr-chansession.c	Wed Jul 29 02:58:33 2009 +0000
+++ b/svr-chansession.c	Thu Jul 30 15:14:33 2009 +0000
@@ -287,7 +287,7 @@
 #endif
 
 #ifndef DISABLE_AGENTFWD
-	agentcleanup(chansess);
+	svr_agentcleanup(chansess);
 #endif
 
 	/* clear child pid entries */
@@ -346,7 +346,7 @@
 #endif
 #ifndef DISABLE_AGENTFWD
 	} else if (strcmp(type, "[email protected]") == 0) {
-		ret = agentreq(chansess);
+		ret = svr_agentreq(chansess);
 #endif
 	} else if (strcmp(type, "signal") == 0) {
 		ret = sessionsignal(chansess);
@@ -894,7 +894,7 @@
 #endif
 #ifndef DISABLE_AGENTFWD
 	/* set up agent env variable */
-	agentset(chansess);
+	svr_agentset(chansess);
 #endif
 
 	usershell = m_strdup(get_user_shell());