changeset 500:d588e3ea557a agent-client

propagate from branch 'au.asn.ucc.matt.dropbear' (head 4fb35083f0f46ea667e7043e7d4314aecd3df46c) to branch 'au.asn.ucc.matt.dropbear.cli-agent' (head 833d0adef6cdbf43ea75283524c665e70b0ee1ee)
author Matt Johnston <matt@ucc.asn.au>
date Tue, 23 Sep 2008 16:05:04 +0000
parents f3ca5ebc319a (current diff) 33d5e9fb0f78 (diff)
children 568638be7203
files auth.h cli-runopts.c cli-session.c dbutil.c dbutil.h options.h runopts.h svr-agentfwd.c
diffstat 13 files changed, 324 insertions(+), 17 deletions(-) [+]
line wrap: on
line diff
--- a/agentfwd.h	Tue Sep 23 16:02:51 2008 +0000
+++ b/agentfwd.h	Tue Sep 23 16:05:04 2008 +0000
@@ -29,15 +29,24 @@
 #include "chansession.h"
 #include "channel.h"
 
+/* An agent reply can be reasonably large, as it can
+ * contain a list of all public keys held by the agent.
+ * 10000 is arbitrary */
+#define MAX_AGENT_REPLY  10000
+
 int agentreq(struct ChanSess * chansess);
 void agentsetauth(struct ChanSess *chansess);
 void agentcleanup(struct ChanSess * chansess);
 void agentset(struct ChanSess *chansess);
 
+SignKeyList * load_agent_keys();
+
 #ifdef __hpux
 #define seteuid(a)       setresuid(-1, (a), -1)
 #define setegid(a)       setresgid(-1, (a), -1)
 #endif
 
+extern const struct ChanSess chan_cli_agent;
+
 #endif /* DROPBEAR_AGENTFWD */
 #endif /* _AGENTFWD_H_ */
--- a/auth.h	Tue Sep 23 16:02:51 2008 +0000
+++ b/auth.h	Tue Sep 23 16:05:04 2008 +0000
@@ -123,6 +123,10 @@
 
 };
 
+/* Sources for signing keys */
+#define SIGNKEY_SOURCE_RAW_FILE 1
+#define SIGNKEY_SOURCE_AGENT 21
+
 struct SignKeyList;
 /* A singly linked list of signing keys */
 struct SignKeyList {
@@ -130,6 +134,7 @@
 	sign_key *key;
 	int type; /* The type of key */
 	struct SignKeyList *next;
+	int source;
 	/* filename? or the buffer? for encrypted keys, so we can later get
 	 * the private key portion */
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/cli-agentfwd.c	Tue Sep 23 16:05:04 2008 +0000
@@ -0,0 +1,245 @@
+/*
+ * Dropbear - a SSH2 server
+ * 
+ * Copyright (c) 2005 Matt Johnston
+ * All rights reserved.
+ * 
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ * 
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE. */
+
+/* The basic protocol use to communicate with the agent is defined in
+ * draft-ylonen-ssh-protocol-00.txt, with the ssh2 extensions defined through
+ * openssh's implementation. */
+
+#include "includes.h"
+
+#ifdef ENABLE_CLI_AGENTFWD
+
+#include "agentfwd.h"
+#include "session.h"
+#include "ssh.h"
+#include "dbutil.h"
+#include "chansession.h"
+#include "channel.h"
+#include "packet.h"
+#include "buffer.h"
+#include "random.h"
+#include "listener.h"
+#include "runopts.h"
+#include "atomicio.h"
+#include "signkey.h"
+#include "auth.h"
+
+static int new_agent_chan(struct Channel * channel);
+
+const struct ChanType chan_cli_agent = {
+	0, /* sepfds */
+	"[email protected]",
+	new_agent_chan,
+	NULL,
+	NULL,
+	NULL
+};
+
+static int connect_agent() {
+
+	int fd = -1;
+	char* agent_sock = NULL;
+
+	agent_sock = getenv("SSH_AUTH_SOCK");
+	if (agent_sock == NULL)
+		return -1;
+
+	fd = connect_unix(agent_sock);
+
+	return fd;
+}
+
+// handle a request for a connection to the locally running ssh-agent
+// or forward.
+static int new_agent_chan(struct Channel * channel) {
+
+	int fd = -1;
+
+	if (!cli_opts.agent_fwd)
+		return SSH_OPEN_ADMINISTRATIVELY_PROHIBITED;
+
+	fd = connect_agent();
+
+	setnonblocking(fd);
+
+	ses.maxfd = MAX(ses.maxfd, fd);
+
+	channel->infd = fd;
+	channel->outfd = fd;
+
+	// success
+	return 0;
+}
+
+/* Sends a request to the agent, returning a newly allocated buffer
+ * with the response */
+/* Packet format (from draft-ylonen)
+   4 bytes     Length, msb first.  Does not include length itself.
+   1 byte      Packet type.  The value 255 is reserved for future extensions.
+   data        Any data, depending on packet type.  Encoding as in the ssh packet
+   protocol.
+
+ In this case, data is always empty
+*/
+static buffer * agent_request(int fd, unsigned char type) {
+
+	buffer * payload = NULL;
+	buffer * inbuf = NULL;
+	size_t readlen = 0;
+	ssize_t ret;
+
+	payload = buf_new(4 + 1);
+
+	buf_putint(payload, 1);
+	buf_putbyte(payload, type);
+
+	ret = atomicio(write, fd, buf_getptr(payload, payload->len), payload->len);
+	if ((size_t)ret != payload->len) {
+		TRACE(("write failed for agent_request"))
+		goto out;
+	}
+
+	buf_free(payload);
+	payload = NULL;
+
+	/* Now we read the response */
+	inbuf = buf_new(4);
+	ret = atomicio(read, fd, buf_getwriteptr(inbuf, 4), 4);
+	if (ret != 4) {
+		TRACE(("read of length failed for agent_request"))
+		goto out;
+	}
+
+	readlen = buf_getint(inbuf);
+	if (readlen > MAX_AGENT_REPLY) {
+		TRACE(("agent reply is too big"));
+		goto out;
+	}
+
+	buf_resize(inbuf, readlen);
+	ret = atomicio(read, fd, buf_getwriteptr(inbuf, readlen), readlen);
+	if ((size_t)ret != readlen) {
+		TRACE(("read of data failed for agent_request"))
+		goto out;
+	}
+
+out:
+	if (payload)
+		buf_free(payload);
+
+	return inbuf;
+}
+
+static SignKeyList * agent_get_key_list(int fd)
+{
+	buffer * inbuf = NULL;
+	unsigned int num = 0;
+	unsigned char packet_type;
+	unsigned int i;
+	struct SignKeyList *retkey = NULL, *key = NULL;
+	int ret;
+
+	inbuf = agent_request(fd, SSH2_AGENTC_REQUEST_IDENTITIES);
+	if (!inbuf) {
+		goto out;
+	}
+
+	/* The reply has a format of:
+	 * byte     packet_type
+	 * int      num_keys
+	 *
+	 * string    keyblob1
+	 * string    comment1
+	 * ...
+	 * string    keyblob(n)
+	 * string    comment(n)
+	 */
+	packet_type = buf_getbyte(inbuf);
+	if (packet_type != SSH2_AGENT_IDENTITIES_ANSWER) {
+		goto out;
+	}
+
+	num = buf_getint(inbuf);
+	for (i = 0; i < num; i++) {
+		sign_key * pubkey = NULL;
+		char key_type = DROPBEAR_SIGNKEY_ANY;
+		struct SignKeyList *nextkey = NULL;
+
+		nextkey = (struct SignKeyList*)m_malloc(sizeof(struct SignKeyList));
+		if (key)
+			key->next = nextkey;
+		else
+			retkey = nextkey;
+		key = nextkey;
+
+		pubkey = new_sign_key();
+		ret = buf_get_pub_key(inbuf, pubkey, &key_type);
+		if (ret != DROPBEAR_SUCCESS) {
+			/* This is slack, properly would cleanup vars etc */
+			dropbear_exit("Bad pubkey received from agent");
+		}
+
+		key->key = pubkey;
+		key->next = NULL;
+		key->type = key_type;
+		key->source = SIGNKEY_SOURCE_AGENT;
+
+		/* We'll ignore the comment */
+		buf_eatstring(inbuf);
+	}
+
+out:
+	if (inbuf) {
+		buf_free(inbuf);
+		inbuf = NULL;
+	}
+
+	return retkey;
+}
+
+/* return DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
+SignKeyList * load_agent_keys()
+{
+
+	SignKeyList * ret_list;
+	int fd;
+	fd = connect_agent();
+	if (fd < 0) {
+		dropbear_log(LOG_INFO, "Failed to connect to agent");
+		return NULL;
+	}
+
+	ret_list =  agent_get_key_list(fd);
+	close(fd);
+}
+	
+// general procedure:
+// - get the list of keys from the agent
+// - foreach, send a dummy userauth_pubkey message to the server and see
+// if it lets us in
+// - if it does, sign and auth
+// - if not, repeat.
+//
+
+#endif
--- a/cli-authpubkey.c	Tue Sep 23 16:02:51 2008 +0000
+++ b/cli-authpubkey.c	Tue Sep 23 16:05:04 2008 +0000
@@ -173,6 +173,13 @@
 
 	TRACE(("enter cli_auth_pubkey"))
 
+	if (cli_opts.pubkeys == NULL && 
+			cli_opts.agent_fwd &&
+			!cli_opts.agent_keys_loaded) {
+		/* get the list of available keys from the agent */
+		load_agent_keys(&cli_opts.pubkeys);
+	}
+
 	if (cli_opts.privkeys != NULL) {
 		/* Send a trial request */
 		send_msg_userauth_pubkey(cli_opts.privkeys->key,
--- a/cli-runopts.c	Tue Sep 23 16:02:51 2008 +0000
+++ b/cli-runopts.c	Tue Sep 23 16:05:04 2008 +0000
@@ -62,6 +62,9 @@
 #ifdef ENABLE_CLI_PUBKEY_AUTH
 					"-i <identityfile>   (multiple allowed)\n"
 #endif
+#ifdef ENABLE_CLI_AGENTFWD
+					"-A    Enable agent auth forwarding\n"
+#endif
 #ifdef ENABLE_CLI_LOCALTCPFWD
 					"-L <listenport:remotehost:remoteport> Local port forwarding\n"
 					"-g    Allow remote hosts to connect to forwarded ports\n"
@@ -128,6 +131,10 @@
 #ifdef ENABLE_CLI_REMOTETCPFWD
 	cli_opts.remotefwds = NULL;
 #endif
+#ifdef ENABLE_CLI_AGENTFWD
+	cli_opts.agent_fwd = 0;
+	cli_opts.agent_keys_loaded = 0;
+#endif
 #ifdef ENABLE_CLI_PROXYCMD
 	cli_opts.proxycmd = NULL;
 #endif
@@ -257,6 +264,11 @@
 				case 'K':
 					next = &keepalive_arg;
 					break;
+#ifdef ENABLE_CLI_AGENTFWD
+				case 'A':
+					cli_opts.agent_fwd = 1;
+					break;
+#endif
 #ifdef DEBUG_TRACE
 				case 'v':
 					debug_trace = 1;
@@ -393,6 +405,7 @@
 		nextkey->key = key;
 		nextkey->next = cli_opts.privkeys;
 		nextkey->type = keytype;
+		nextkey->source = SIGNKEY_SOURCE_RAW_FILE;
 		cli_opts.privkeys = nextkey;
 	}
 }
--- a/cli-session.c	Tue Sep 23 16:02:51 2008 +0000
+++ b/cli-session.c	Tue Sep 23 16:05:04 2008 +0000
@@ -71,6 +71,9 @@
 #ifdef ENABLE_CLI_REMOTETCPFWD
 	&cli_chan_tcpremote,
 #endif
+#ifdef ENABLE_CLI_AGENTFWD
+	&cli_chan_agent,
+#endif
 	NULL /* Null termination */
 };
 
--- a/dbutil.c	Tue Sep 23 16:02:51 2008 +0000
+++ b/dbutil.c	Tue Sep 23 16:05:04 2008 +0000
@@ -295,6 +295,23 @@
 	return nsock;
 }
 
+/* Connect to a given unix socket. The socket is not non-blocking */
+#ifdef ENABLE_CONNECT_UNIX
+int connect_unix(const char* addr)
+{
+	struct sockaddr_un egdsock;
+	int fd = -1;
+
+	memset((void*)&egdsock, 0x0, sizeof(egdsock));
+	egdsock.sun_family = AF_UNIX;
+	strlcpy(egdsock.sun_path, addr, sizeof(egdsock.sun_path));
+
+	fd = socket(PF_UNIX, SOCK_STREAM, 0);
+
+	return fd;
+}
+#endif
+
 /* Connect via TCP to a host. Connection will try ipv4 or ipv6, will
  * return immediately if nonblocking is set. On failure, if errstring
  * wasn't null, it will be a newly malloced error message */
@@ -341,15 +358,7 @@
 		}
 
 		if (nonblocking) {
-			if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0) {
-				close(sock);
-				sock = -1;
-				if (errstring != NULL && *errstring == NULL) {
-					*errstring = m_strdup("Failed non-blocking");
-				}
-				TRACE(("Failed non-blocking: %s", strerror(errno)))
-				continue;
-			}
+			setnonblocking(sock);
 		}
 
 		if (connect(sock, res->ai_addr, res->ai_addrlen) < 0) {
--- a/dbutil.h	Tue Sep 23 16:02:51 2008 +0000
+++ b/dbutil.h	Tue Sep 23 16:05:04 2008 +0000
@@ -52,6 +52,9 @@
 int spawn_command(void(*exec_fn)(void *user_data), void *exec_data,
 		int *writefd, int *readfd, int *errfd, pid_t *pid);
 void run_shell_command(const char* cmd, unsigned int maxfd, char* usershell);
+#ifdef ENABLE_CONNECT_UNIX
+int connect_unix(const char* addr);
+#endif
 int connect_remote(const char* remotehost, const char* remoteport,
 		int nonblocking, char ** errstring);
 char* getaddrhostname(struct sockaddr_storage * addr);
--- a/options.h	Tue Sep 23 16:02:51 2008 +0000
+++ b/options.h	Tue Sep 23 16:05:04 2008 +0000
@@ -68,7 +68,8 @@
 #define ENABLE_SVR_REMOTETCPFWD
 
 /* Enable Authentication Agent Forwarding - server only for now */
-#define ENABLE_AGENTFWD
+#define ENABLE_SVR_AGENTFWD
+#define ENABLE_CLI_AGENTFWD
 
 /* Enable "Netcat mode". TODO describe here. */
 #define ENABLE_CLI_NETCAT
--- a/random.c	Tue Sep 23 16:02:51 2008 +0000
+++ b/random.c	Tue Sep 23 16:05:04 2008 +0000
@@ -69,12 +69,8 @@
 #endif
 
 #ifdef DROPBEAR_PRNGD_SOCKET
-	memset((void*)&egdsock, 0x0, sizeof(egdsock));
-	egdsock.sun_family = AF_UNIX;
-	strlcpy(egdsock.sun_path, DROPBEAR_PRNGD_SOCKET,
-			sizeof(egdsock.sun_path));
+	readfd = connect_unix(DROPBEAR_PRNGD_SOCKET);
 
-	readfd = socket(PF_UNIX, SOCK_STREAM, 0);
 	if (readfd < 0) {
 		dropbear_exit("couldn't open random device");
 	}
--- a/runopts.h	Tue Sep 23 16:02:51 2008 +0000
+++ b/runopts.h	Tue Sep 23 16:05:04 2008 +0000
@@ -119,6 +119,11 @@
 #ifdef ENABLE_CLI_LOCALTCPFWD
 	struct TCPFwdList * localfwds;
 #endif
+#ifdef ENABLE_CLI_AGENTFWD
+	int agent_fwd;
+	int agent_keys_loaded; /* whether pubkeys has been populated with a 
+							  list of keys held by the agent */
+#endif
 
 #ifdef ENABLE_CLI_NETCAT
 	char *netcat_host;
--- a/ssh.h	Tue Sep 23 16:02:51 2008 +0000
+++ b/ssh.h	Tue Sep 23 16:05:04 2008 +0000
@@ -105,3 +105,14 @@
 #define SSH_SIGNKEY_DSS_LEN 7
 #define SSH_SIGNKEY_RSA "ssh-rsa"
 #define SSH_SIGNKEY_RSA_LEN 7
+
+/* Agent commands. These aren't part of the spec, and are defined
+ * only on the openssh implementation. */
+#define SSH_AGENT_FAILURE			5
+#define SSH_AGENT_SUCCESS			6
+#define SSH2_AGENTC_REQUEST_IDENTITIES		11
+#define SSH2_AGENT_IDENTITIES_ANSWER		12
+#define SSH2_AGENTC_SIGN_REQUEST		13
+#define SSH2_AGENT_SIGN_RESPONSE		14
+
+#define SSH2_AGENT_FAILURE			30
--- a/svr-agentfwd.c	Tue Sep 23 16:02:51 2008 +0000
+++ b/svr-agentfwd.c	Tue Sep 23 16:05:04 2008 +0000
@@ -181,7 +181,7 @@
 
 }
 
-static const struct ChanType chan_agent = {
+static const struct ChanType chan_svr_agent = {
 	0, /* sepfds */
 	"[email protected]",
 	NULL,
@@ -194,7 +194,7 @@
 /* helper for accepting an agent request */
 static int send_msg_channel_open_agent(int fd) {
 
-	if (send_msg_channel_open_init(fd, &chan_agent) == DROPBEAR_SUCCESS) {
+	if (send_msg_channel_open_init(fd, &chan_svr_agent) == DROPBEAR_SUCCESS) {
 		encrypt_packet();
 		return DROPBEAR_SUCCESS;
 	} else {