1
0
mirror of http://galexander.org/git/simplesshd.git synced 2025-01-22 04:50:54 +00:00
simplesshd/dropbear/svr-runopts.c
2020-12-28 16:40:37 -05:00

673 lines
17 KiB
C

/*
* Dropbear - a SSH2 server
*
* Copyright (c) 2002,2003 Matt Johnston
* All rights reserved.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE. */
#include "includes.h"
#include "runopts.h"
#include "signkey.h"
#include "buffer.h"
#include "dbutil.h"
#include "algo.h"
#include "ecdsa.h"
#include <grp.h>
svr_runopts svr_opts; /* GLOBAL */
static void printhelp(const char * progname);
static void addportandaddress(const char* spec);
static void loadhostkey(const char *keyfile, int fatal_duplicate);
static void addhostkey(const char *keyfile);
static void printhelp(const char * progname) {
fprintf(stderr, "Dropbear server v%s https://matt.ucc.asn.au/dropbear/dropbear.html\n"
"Usage: %s [options]\n"
"-b bannerfile Display the contents of bannerfile"
" before user login\n"
" (default: none)\n"
"-r keyfile Specify hostkeys (repeatable)\n"
" defaults: \n"
#if DROPBEAR_DSS
" - dss %s\n"
#endif
#if DROPBEAR_RSA
" - rsa %s\n"
#endif
#if DROPBEAR_ECDSA
" - ecdsa %s\n"
#endif
#if DROPBEAR_ED25519
" - ed25519 %s\n"
#endif
#if DROPBEAR_DELAY_HOSTKEY
"-R Create hostkeys as required\n"
#endif
"-F Don't fork into background\n"
#ifdef DISABLE_SYSLOG
"(Syslog support not compiled in, using stderr)\n"
#else
"-E Log to stderr rather than syslog\n"
#endif
#if DO_MOTD
"-m Don't display the motd on login\n"
#endif
"-w Disallow root logins\n"
#ifdef HAVE_GETGROUPLIST
"-G Restrict logins to members of specified group\n"
#endif
#if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH
"-s Disable password logins\n"
"-g Disable password logins for root\n"
"-B Allow blank password logins\n"
#endif
"-T Maximum authentication tries (default %d)\n"
#if DROPBEAR_SVR_LOCALTCPFWD
"-j Disable local port forwarding\n"
#endif
#if DROPBEAR_SVR_REMOTETCPFWD
"-k Disable remote port forwarding\n"
"-a Allow connections to forwarded ports from any host\n"
"-c command Force executed command\n"
#endif
"-p [address:]port\n"
" Listen on specified tcp port (and optionally address),\n"
" up to %d can be specified\n"
" (default port is %s if none specified)\n"
"-P PidFile Create pid file PidFile\n"
" (default %s)\n"
#if INETD_MODE
"-i Start for inetd\n"
#endif
"-W <receive_window_buffer> (default %d, larger may be faster, max 1MB)\n"
"-K <keepalive> (0 is never, default %d, in seconds)\n"
"-I <idle_timeout> (0 is never, default %d, in seconds)\n"
#if DROPBEAR_PLUGIN
"-A <authplugin>[,<options>]\n"
" Enable external public key auth through <authplugin>\n"
#endif
"-V Version\n"
#if DEBUG_TRACE
"-v verbose (compiled with DEBUG_TRACE)\n"
#endif
,DROPBEAR_VERSION, progname,
#if DROPBEAR_DSS
DSS_PRIV_FILENAME,
#endif
#if DROPBEAR_RSA
RSA_PRIV_FILENAME,
#endif
#if DROPBEAR_ECDSA
ECDSA_PRIV_FILENAME,
#endif
#if DROPBEAR_ED25519
ED25519_PRIV_FILENAME,
#endif
MAX_AUTH_TRIES,
DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE,
DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT);
}
void svr_getopts(int argc, char ** argv) {
unsigned int i, j;
char ** next = NULL;
int nextisport = 0;
char* recv_window_arg = NULL;
char* keepalive_arg = NULL;
char* idle_timeout_arg = NULL;
char* maxauthtries_arg = NULL;
char* keyfile = NULL;
char c;
#if DROPBEAR_PLUGIN
char* pubkey_plugin = NULL;
#endif
/* see printhelp() for options */
svr_opts.bannerfile = NULL;
svr_opts.banner = NULL;
svr_opts.forced_command = NULL;
svr_opts.forkbg = 1;
svr_opts.norootlogin = 0;
#ifdef HAVE_GETGROUPLIST
svr_opts.restrict_group = NULL;
svr_opts.restrict_group_gid = 0;
#endif
svr_opts.noauthpass = 0;
svr_opts.norootpass = 0;
svr_opts.allowblankpass = 0;
svr_opts.maxauthtries = MAX_AUTH_TRIES;
svr_opts.inetdmode = 0;
svr_opts.portcount = 0;
svr_opts.hostkey = NULL;
svr_opts.delay_hostkey = 0;
svr_opts.pidfile = DROPBEAR_PIDFILE;
#if DROPBEAR_SVR_LOCALTCPFWD
svr_opts.nolocaltcp = 0;
#endif
#if DROPBEAR_SVR_REMOTETCPFWD
svr_opts.noremotetcp = 0;
#endif
#if DROPBEAR_PLUGIN
svr_opts.pubkey_plugin = NULL;
svr_opts.pubkey_plugin_options = NULL;
#endif
#ifndef DISABLE_ZLIB
opts.compress_mode = DROPBEAR_COMPRESS_DELAYED;
#endif
/* not yet
opts.ipv4 = 1;
opts.ipv6 = 1;
*/
#if DO_MOTD
svr_opts.domotd = 1;
#endif
#ifndef DISABLE_SYSLOG
opts.usingsyslog = 1;
#endif
opts.recv_window = DEFAULT_RECV_WINDOW;
opts.keepalive_secs = DEFAULT_KEEPALIVE;
opts.idle_timeout_secs = DEFAULT_IDLE_TIMEOUT;
#if DROPBEAR_SVR_REMOTETCPFWD
opts.listen_fwd_all = 0;
#endif
for (i = 1; i < (unsigned int)argc; i++) {
if (argv[i][0] != '-' || argv[i][1] == '\0')
dropbear_exit("Invalid argument: %s", argv[i]);
for (j = 1; (c = argv[i][j]) != '\0' && !next && !nextisport; j++) {
switch (c) {
case 'b':
next = &svr_opts.bannerfile;
break;
case 'c':
next = &svr_opts.forced_command;
break;
case 'd':
case 'r':
next = &keyfile;
break;
case 'R':
svr_opts.delay_hostkey = 1;
break;
case 'F':
svr_opts.forkbg = 0;
break;
#ifndef DISABLE_SYSLOG
case 'E':
opts.usingsyslog = 0;
break;
#endif
#if DROPBEAR_SVR_LOCALTCPFWD
case 'j':
svr_opts.nolocaltcp = 1;
break;
#endif
#if DROPBEAR_SVR_REMOTETCPFWD
case 'k':
svr_opts.noremotetcp = 1;
break;
case 'a':
opts.listen_fwd_all = 1;
break;
#endif
#if INETD_MODE
case 'i':
svr_opts.inetdmode = 1;
break;
#endif
case 'p':
nextisport = 1;
break;
case 'P':
next = &svr_opts.pidfile;
break;
#if DO_MOTD
/* motd is displayed by default, -m turns it off */
case 'm':
svr_opts.domotd = 0;
break;
#endif
case 'w':
svr_opts.norootlogin = 1;
break;
#ifdef HAVE_GETGROUPLIST
case 'G':
next = &svr_opts.restrict_group;
break;
#endif
case 'W':
next = &recv_window_arg;
break;
case 'K':
next = &keepalive_arg;
break;
case 'I':
next = &idle_timeout_arg;
break;
case 'T':
next = &maxauthtries_arg;
break;
#if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH
case 's':
svr_opts.noauthpass = 1;
break;
case 'g':
svr_opts.norootpass = 1;
break;
case 'B':
svr_opts.allowblankpass = 1;
break;
#endif
case 'h':
printhelp(argv[0]);
exit(EXIT_SUCCESS);
break;
case 'u':
/* backwards compatibility with old urandom option */
break;
#if DROPBEAR_PLUGIN
case 'A':
next = &pubkey_plugin;
break;
#endif
#if DEBUG_TRACE
case 'v':
debug_trace = 1;
break;
#endif
case 'V':
print_version();
exit(EXIT_SUCCESS);
break;
default:
fprintf(stderr, "Invalid option -%c\n", c);
printhelp(argv[0]);
exit(EXIT_FAILURE);
break;
}
}
if (!next && !nextisport)
continue;
if (c == '\0') {
i++;
j = 0;
if (!argv[i]) {
dropbear_exit("Missing argument");
}
}
if (nextisport) {
addportandaddress(&argv[i][j]);
nextisport = 0;
} else if (next) {
*next = &argv[i][j];
if (*next == NULL) {
dropbear_exit("Invalid null argument");
}
next = NULL;
if (keyfile) {
addhostkey(keyfile);
keyfile = NULL;
}
}
}
/* Set up listening ports */
if (svr_opts.portcount == 0) {
svr_opts.ports[0] = m_strdup(DROPBEAR_DEFPORT);
svr_opts.addresses[0] = m_strdup(DROPBEAR_DEFADDRESS);
svr_opts.portcount = 1;
}
if (svr_opts.bannerfile) {
struct stat buf;
if (stat(svr_opts.bannerfile, &buf) != 0) {
dropbear_exit("Error opening banner file '%s'",
svr_opts.bannerfile);
}
if (buf.st_size > MAX_BANNER_SIZE) {
dropbear_exit("Banner file too large, max is %d bytes",
MAX_BANNER_SIZE);
}
svr_opts.banner = buf_new(buf.st_size);
if (buf_readfile(svr_opts.banner, svr_opts.bannerfile)!=DROPBEAR_SUCCESS) {
dropbear_exit("Error reading banner file '%s'",
svr_opts.bannerfile);
}
buf_setpos(svr_opts.banner, 0);
}
#ifdef HAVE_GETGROUPLIST
if (svr_opts.restrict_group) {
struct group *restrictedgroup = getgrnam(svr_opts.restrict_group);
if (restrictedgroup){
svr_opts.restrict_group_gid = restrictedgroup->gr_gid;
} else {
dropbear_exit("Cannot restrict logins to group '%s' as the group does not exist", svr_opts.restrict_group);
}
}
#endif
if (recv_window_arg) {
opts.recv_window = atol(recv_window_arg);
if (opts.recv_window == 0 || opts.recv_window > MAX_RECV_WINDOW) {
dropbear_exit("Bad recv window '%s'", recv_window_arg);
}
}
if (maxauthtries_arg) {
unsigned int val = 0;
if (m_str_to_uint(maxauthtries_arg, &val) == DROPBEAR_FAILURE
|| val == 0) {
dropbear_exit("Bad maxauthtries '%s'", maxauthtries_arg);
}
svr_opts.maxauthtries = val;
}
if (keepalive_arg) {
unsigned int val;
if (m_str_to_uint(keepalive_arg, &val) == DROPBEAR_FAILURE) {
dropbear_exit("Bad keepalive '%s'", keepalive_arg);
}
opts.keepalive_secs = val;
}
if (idle_timeout_arg) {
unsigned int val;
if (m_str_to_uint(idle_timeout_arg, &val) == DROPBEAR_FAILURE) {
dropbear_exit("Bad idle_timeout '%s'", idle_timeout_arg);
}
opts.idle_timeout_secs = val;
}
if (svr_opts.forced_command) {
dropbear_log(LOG_INFO, "Forced command set to '%s'", svr_opts.forced_command);
}
#if DROPBEAR_PLUGIN
if (pubkey_plugin) {
char *args = strchr(pubkey_plugin, ',');
if (args) {
*args='\0';
++args;
}
svr_opts.pubkey_plugin = pubkey_plugin;
svr_opts.pubkey_plugin_options = args;
}
#endif
}
static void addportandaddress(const char* spec) {
char *spec_copy = NULL, *myspec = NULL, *port = NULL, *address = NULL;
if (svr_opts.portcount < DROPBEAR_MAX_PORTS) {
/* We don't free it, it becomes part of the runopt state */
spec_copy = m_strdup(spec);
myspec = spec_copy;
if (myspec[0] == '[') {
myspec++;
port = strchr(myspec, ']');
if (!port) {
/* Unmatched [ -> exit */
dropbear_exit("Bad listen address");
}
port[0] = '\0';
port++;
if (port[0] != ':') {
/* Missing port -> exit */
dropbear_exit("Missing port");
}
} else {
/* search for ':', that separates address and port */
port = strrchr(myspec, ':');
}
if (!port) {
/* no ':' -> the whole string specifies just a port */
port = myspec;
} else {
/* Split the address/port */
port[0] = '\0';
port++;
address = myspec;
}
if (!address) {
/* no address given -> fill in the default address */
address = DROPBEAR_DEFADDRESS;
}
if (port[0] == '\0') {
/* empty port -> exit */
dropbear_exit("Bad port");
}
svr_opts.ports[svr_opts.portcount] = m_strdup(port);
svr_opts.addresses[svr_opts.portcount] = m_strdup(address);
svr_opts.portcount++;
m_free(spec_copy);
}
}
static void disablekey(int type) {
int i;
TRACE(("Disabling key type %d", type))
for (i = 0; sigalgs[i].name != NULL; i++) {
if (sigalgs[i].val == type) {
sigalgs[i].usable = 0;
break;
}
}
}
static void loadhostkey_helper(const char *name, void** src, void** dst, int fatal_duplicate) {
if (*dst) {
if (fatal_duplicate) {
dropbear_exit("Only one %s key can be specified", name);
}
} else {
*dst = *src;
*src = NULL;
}
}
/* Must be called after syslog/etc is working */
static void loadhostkey(const char *keyfile, int fatal_duplicate) {
sign_key * read_key = new_sign_key();
enum signkey_type type = DROPBEAR_SIGNKEY_ANY;
if (readhostkey(keyfile, read_key, &type) == DROPBEAR_FAILURE) {
if (!svr_opts.delay_hostkey) {
dropbear_log(LOG_WARNING, "Failed loading %s", keyfile);
}
}
#if DROPBEAR_RSA
if (type == DROPBEAR_SIGNKEY_RSA) {
loadhostkey_helper("RSA", (void**)&read_key->rsakey, (void**)&svr_opts.hostkey->rsakey, fatal_duplicate);
}
#endif
#if DROPBEAR_DSS
if (type == DROPBEAR_SIGNKEY_DSS) {
loadhostkey_helper("DSS", (void**)&read_key->dsskey, (void**)&svr_opts.hostkey->dsskey, fatal_duplicate);
}
#endif
#if DROPBEAR_ECDSA
#if DROPBEAR_ECC_256
if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP256) {
loadhostkey_helper("ECDSA256", (void**)&read_key->ecckey256, (void**)&svr_opts.hostkey->ecckey256, fatal_duplicate);
}
#endif
#if DROPBEAR_ECC_384
if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP384) {
loadhostkey_helper("ECDSA384", (void**)&read_key->ecckey384, (void**)&svr_opts.hostkey->ecckey384, fatal_duplicate);
}
#endif
#if DROPBEAR_ECC_521
if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP521) {
loadhostkey_helper("ECDSA521", (void**)&read_key->ecckey521, (void**)&svr_opts.hostkey->ecckey521, fatal_duplicate);
}
#endif
#endif /* DROPBEAR_ECDSA */
#if DROPBEAR_ED25519
if (type == DROPBEAR_SIGNKEY_ED25519) {
loadhostkey_helper("ed25519", (void**)&read_key->ed25519key, (void**)&svr_opts.hostkey->ed25519key, fatal_duplicate);
}
#endif
sign_key_free(read_key);
TRACE(("leave loadhostkey"))
}
static void addhostkey(const char *keyfile) {
if (svr_opts.num_hostkey_files >= MAX_HOSTKEYS) {
dropbear_exit("Too many hostkeys");
}
svr_opts.hostkey_files[svr_opts.num_hostkey_files] = m_strdup(keyfile);
svr_opts.num_hostkey_files++;
}
void load_all_hostkeys() {
int i;
int any_keys = 0;
#if DROPBEAR_ECDSA
int loaded_any_ecdsa = 0;
#endif
svr_opts.hostkey = new_sign_key();
for (i = 0; i < svr_opts.num_hostkey_files; i++) {
char *hostkey_file = svr_opts.hostkey_files[i];
loadhostkey(hostkey_file, 1);
m_free(hostkey_file);
}
/* Only load default host keys if a host key is not specified by the user */
if (svr_opts.num_hostkey_files == 0) {
#if DROPBEAR_RSA
loadhostkey(RSA_PRIV_FILENAME, 0);
#endif
#if DROPBEAR_DSS
loadhostkey(DSS_PRIV_FILENAME, 0);
#endif
#if DROPBEAR_ECDSA
loadhostkey(ECDSA_PRIV_FILENAME, 0);
#endif
#if DROPBEAR_ED25519
loadhostkey(ED25519_PRIV_FILENAME, 0);
#endif
}
#if DROPBEAR_RSA
if (!svr_opts.delay_hostkey && !svr_opts.hostkey->rsakey) {
disablekey(DROPBEAR_SIGNKEY_RSA);
} else {
any_keys = 1;
}
#endif
#if DROPBEAR_DSS
if (!svr_opts.delay_hostkey && !svr_opts.hostkey->dsskey) {
disablekey(DROPBEAR_SIGNKEY_DSS);
} else {
any_keys = 1;
}
#endif
#if DROPBEAR_ECDSA
/* We want to advertise a single ecdsa algorithm size.
- If there is a ecdsa hostkey at startup we choose that that size.
- If we generate at runtime we choose the default ecdsa size.
- Otherwise no ecdsa keys will be advertised */
/* check if any keys were loaded at startup */
loaded_any_ecdsa =
0
#if DROPBEAR_ECC_256
|| svr_opts.hostkey->ecckey256
#endif
#if DROPBEAR_ECC_384
|| svr_opts.hostkey->ecckey384
#endif
#if DROPBEAR_ECC_521
|| svr_opts.hostkey->ecckey521
#endif
;
any_keys |= loaded_any_ecdsa;
/* Or an ecdsa key could be generated at runtime */
any_keys |= svr_opts.delay_hostkey;
/* At most one ecdsa key size will be left enabled */
#if DROPBEAR_ECC_256
if (!svr_opts.hostkey->ecckey256
&& (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 256 )) {
disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP256);
}
#endif
#if DROPBEAR_ECC_384
if (!svr_opts.hostkey->ecckey384
&& (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 384 )) {
disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP384);
}
#endif
#if DROPBEAR_ECC_521
if (!svr_opts.hostkey->ecckey521
&& (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 521 )) {
disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP521);
}
#endif
#endif /* DROPBEAR_ECDSA */
#if DROPBEAR_ED25519
if (!svr_opts.delay_hostkey && !svr_opts.hostkey->ed25519key) {
disablekey(DROPBEAR_SIGNKEY_ED25519);
} else {
any_keys = 1;
}
#endif
if (!any_keys) {
dropbear_exit("No hostkeys available. 'dropbear -R' may be useful or run dropbearkey.");
}
}