upstream: plumb ssh_conn_info through to sshconnect.c; feedback/ok

markus@

OpenBSD-Commit-ID: e8d14a09cda3f1dc55df08f8a4889beff74e68b0
This commit is contained in:
djm@openbsd.org 2020-12-20 23:40:19 +00:00 committed by Damien Miller
parent 729b05f59d
commit 0f504f592d
4 changed files with 57 additions and 53 deletions

35
ssh.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh.c,v 1.545 2020/12/20 23:38:00 djm Exp $ */ /* $OpenBSD: ssh.c,v 1.546 2020/12/20 23:40:19 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -227,15 +227,6 @@ tilde_expand_paths(char **paths, u_int num_paths)
} }
} }
#define DEFAULT_CLIENT_PERCENT_EXPAND_ARGS \
"C", cinfo->conn_hash_hex, \
"L", cinfo->shorthost, \
"i", cinfo->uidstr, \
"k", cinfo->keyalias, \
"l", cinfo->thishost, \
"n", cinfo->host_arg, \
"p", cinfo->portstr
/* /*
* Expands the set of percent_expand options used by the majority of keywords * Expands the set of percent_expand options used by the majority of keywords
* in the client that support percent expansion. * in the client that support percent expansion.
@ -246,13 +237,7 @@ default_client_percent_expand(const char *str,
const struct ssh_conn_info *cinfo) const struct ssh_conn_info *cinfo)
{ {
return percent_expand(str, return percent_expand(str,
/* values from statics above */ DEFAULT_CLIENT_PERCENT_EXPAND_ARGS(cinfo),
DEFAULT_CLIENT_PERCENT_EXPAND_ARGS,
/* values from arguments */
"d", cinfo->homedir,
"h", cinfo->remhost,
"r", cinfo->remuser,
"u", cinfo->locuser,
(char *)NULL); (char *)NULL);
} }
@ -268,13 +253,7 @@ default_client_percent_dollar_expand(const char *str,
char *ret; char *ret;
ret = percent_dollar_expand(str, ret = percent_dollar_expand(str,
/* values from statics above */ DEFAULT_CLIENT_PERCENT_EXPAND_ARGS(cinfo),
DEFAULT_CLIENT_PERCENT_EXPAND_ARGS,
/* values from arguments */
"d", cinfo->homedir,
"h", cinfo->remhost,
"r", cinfo->remuser,
"u", cinfo->locuser,
(char *)NULL); (char *)NULL);
if (ret == NULL) if (ret == NULL)
fatal("invalid environment variable expansion"); fatal("invalid environment variable expansion");
@ -1670,7 +1649,7 @@ main(int ac, char **av)
/* Log into the remote system. Never returns if the login fails. */ /* Log into the remote system. Never returns if the login fails. */
ssh_login(ssh, &sensitive_data, host, (struct sockaddr *)&hostaddr, ssh_login(ssh, &sensitive_data, host, (struct sockaddr *)&hostaddr,
options.port, pw, timeout_ms); options.port, pw, timeout_ms, cinfo);
if (ssh_packet_connection_is_on_socket(ssh)) { if (ssh_packet_connection_is_on_socket(ssh)) {
verbose("Authenticated to %s ([%s]:%d).", host, verbose("Authenticated to %s ([%s]:%d).", host,
@ -2088,11 +2067,7 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo)
debug3("expanding LocalCommand: %s", options.local_command); debug3("expanding LocalCommand: %s", options.local_command);
cp = options.local_command; cp = options.local_command;
options.local_command = percent_expand(cp, options.local_command = percent_expand(cp,
DEFAULT_CLIENT_PERCENT_EXPAND_ARGS, DEFAULT_CLIENT_PERCENT_EXPAND_ARGS(cinfo),
"d", cinfo->homedir,
"h", cinfo->remhost,
"r", cinfo->remuser,
"u", cinfo->locuser,
"T", tun_fwd_ifname == NULL ? "NONE" : tun_fwd_ifname, "T", tun_fwd_ifname == NULL ? "NONE" : tun_fwd_ifname,
(char *)NULL); (char *)NULL);
debug3("expanded LocalCommand: %s", options.local_command); debug3("expanded LocalCommand: %s", options.local_command);

View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect.c,v 1.347 2020/12/20 23:38:00 djm Exp $ */ /* $OpenBSD: sshconnect.c,v 1.348 2020/12/20 23:40:19 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -873,8 +873,9 @@ other_hostkeys_message(const char *host, const char *ip,
#define RDONLY 1 #define RDONLY 1
#define ROQUIET 2 #define ROQUIET 2
static int static int
check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
struct sshkey *host_key, int readonly, struct sockaddr *hostaddr, u_short port,
struct sshkey *host_key, int readonly, int clobber_port,
char **user_hostfiles, u_int num_user_hostfiles, char **user_hostfiles, u_int num_user_hostfiles,
char **system_hostfiles, u_int num_system_hostfiles) char **system_hostfiles, u_int num_system_hostfiles)
{ {
@ -912,7 +913,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
* Prepare the hostname and address strings used for hostkey lookup. * Prepare the hostname and address strings used for hostkey lookup.
* In some cases, these will have a port number appended. * In some cases, these will have a port number appended.
*/ */
get_hostfile_hostname_ipaddr(hostname, hostaddr, port, &host, &ip); get_hostfile_hostname_ipaddr(hostname, hostaddr,
clobber_port ? 0 : port, &host, &ip);
/* /*
* Turn off check_host_ip if the connection is to localhost, via proxy * Turn off check_host_ip if the connection is to localhost, via proxy
@ -1021,10 +1023,11 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
break; break;
case HOST_NEW: case HOST_NEW:
if (options.host_key_alias == NULL && port != 0 && if (options.host_key_alias == NULL && port != 0 &&
port != SSH_DEFAULT_PORT) { port != SSH_DEFAULT_PORT && !clobber_port) {
debug("checking without port identifier"); debug("checking without port identifier");
if (check_host_key(hostname, hostaddr, 0, host_key, if (check_host_key(hostname, cinfo, hostaddr, 0,
ROQUIET, user_hostfiles, num_user_hostfiles, host_key, ROQUIET, 1,
user_hostfiles, num_user_hostfiles,
system_hostfiles, num_system_hostfiles) == 0) { system_hostfiles, num_system_hostfiles) == 0) {
debug("found matching key w/out port"); debug("found matching key w/out port");
break; break;
@ -1338,7 +1341,8 @@ fail:
/* returns 0 if key verifies or -1 if key does NOT verify */ /* returns 0 if key verifies or -1 if key does NOT verify */
int int
verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key) verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key,
const struct ssh_conn_info *cinfo)
{ {
u_int i; u_int i;
int r = -1, flags = 0; int r = -1, flags = 0;
@ -1432,8 +1436,8 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key)
} }
} }
} }
r = check_host_key(host, hostaddr, options.port, host_key, RDRW, r = check_host_key(host, cinfo, hostaddr, options.port, host_key,
options.user_hostfiles, options.num_user_hostfiles, RDRW, 0, options.user_hostfiles, options.num_user_hostfiles,
options.system_hostfiles, options.num_system_hostfiles); options.system_hostfiles, options.num_system_hostfiles);
out: out:
@ -1457,7 +1461,8 @@ out:
*/ */
void void
ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost, ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
struct sockaddr *hostaddr, u_short port, struct passwd *pw, int timeout_ms) struct sockaddr *hostaddr, u_short port, struct passwd *pw, int timeout_ms,
const struct ssh_conn_info *cinfo)
{ {
char *host; char *host;
char *server_user, *local_user; char *server_user, *local_user;
@ -1480,7 +1485,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
/* key exchange */ /* key exchange */
/* authenticate user */ /* authenticate user */
debug("Authenticating to %s:%d as '%s'", host, port, server_user); debug("Authenticating to %s:%d as '%s'", host, port, server_user);
ssh_kex2(ssh, host, hostaddr, port); ssh_kex2(ssh, host, hostaddr, port, cinfo);
ssh_userauth2(ssh, local_user, server_user, host, sensitive); ssh_userauth2(ssh, local_user, server_user, host, sensitive);
free(local_user); free(local_user);
free(host); free(host);

View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect.h,v 1.44 2020/12/17 23:26:11 djm Exp $ */ /* $OpenBSD: sshconnect.h,v 1.45 2020/12/20 23:40:19 djm Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -46,6 +46,22 @@ struct ssh_conn_info {
struct addrinfo; struct addrinfo;
struct ssh; struct ssh;
struct hostkeys;
struct ssh_conn_info;
/* default argument for client percent expansions */
#define DEFAULT_CLIENT_PERCENT_EXPAND_ARGS(conn_info) \
"C", conn_info->conn_hash_hex, \
"L", conn_info->shorthost, \
"i", conn_info->uidstr, \
"k", conn_info->keyalias, \
"l", conn_info->thishost, \
"n", conn_info->host_arg, \
"p", conn_info->portstr, \
"d", conn_info->homedir, \
"h", conn_info->remhost, \
"r", conn_info->remuser, \
"u", conn_info->locuser
int ssh_connect(struct ssh *, const char *, const char *, int ssh_connect(struct ssh *, const char *, const char *,
struct addrinfo *, struct sockaddr_storage *, u_short, struct addrinfo *, struct sockaddr_storage *, u_short,
@ -53,14 +69,17 @@ int ssh_connect(struct ssh *, const char *, const char *,
void ssh_kill_proxy_command(void); void ssh_kill_proxy_command(void);
void ssh_login(struct ssh *, Sensitive *, const char *, void ssh_login(struct ssh *, Sensitive *, const char *,
struct sockaddr *, u_short, struct passwd *, int); struct sockaddr *, u_short, struct passwd *, int,
const struct ssh_conn_info *);
int verify_host_key(char *, struct sockaddr *, struct sshkey *); int verify_host_key(char *, struct sockaddr *, struct sshkey *,
const struct ssh_conn_info *);
void get_hostfile_hostname_ipaddr(char *, struct sockaddr *, u_short, void get_hostfile_hostname_ipaddr(char *, struct sockaddr *, u_short,
char **, char **); char **, char **);
void ssh_kex2(struct ssh *ssh, char *, struct sockaddr *, u_short); void ssh_kex2(struct ssh *ssh, char *, struct sockaddr *, u_short,
const struct ssh_conn_info *);
void ssh_userauth2(struct ssh *ssh, const char *, const char *, void ssh_userauth2(struct ssh *ssh, const char *, const char *,
char *, Sensitive *); char *, Sensitive *);

View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect2.c,v 1.337 2020/12/20 23:36:51 djm Exp $ */ /* $OpenBSD: sshconnect2.c,v 1.338 2020/12/20 23:40:19 djm Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved.
@ -92,13 +92,15 @@ extern Options options;
u_char *session_id2 = NULL; u_char *session_id2 = NULL;
u_int session_id2_len = 0; u_int session_id2_len = 0;
char *xxx_host; static char *xxx_host;
struct sockaddr *xxx_hostaddr; static struct sockaddr *xxx_hostaddr;
static const struct ssh_conn_info *xxx_conn_info;
static int static int
verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
{ {
if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) == -1) if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
xxx_conn_info) == -1)
fatal("Host key verification failed."); fatal("Host key verification failed.");
return 0; return 0;
} }
@ -116,7 +118,8 @@ first_alg(const char *algs)
} }
static char * static char *
order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port,
const struct ssh_conn_info *cinfo)
{ {
char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL; char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL; char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
@ -208,7 +211,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
} }
void void
ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
const struct ssh_conn_info *cinfo)
{ {
char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
char *s, *all_key; char *s, *all_key;
@ -216,6 +220,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
xxx_host = host; xxx_host = host;
xxx_hostaddr = hostaddr; xxx_hostaddr = hostaddr;
xxx_conn_info = cinfo;
/* /*
* If the user has not specified HostkeyAlgorithms, or has only * If the user has not specified HostkeyAlgorithms, or has only
@ -250,7 +255,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
/* Query known_hosts and prefer algorithms that appear there */ /* Query known_hosts and prefer algorithms that appear there */
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
compat_pkalg_proposal( compat_pkalg_proposal(
order_hostkeyalgs(host, hostaddr, port)); order_hostkeyalgs(host, hostaddr, port, cinfo));
} else { } else {
/* Use specified HostkeyAlgorithms exactly */ /* Use specified HostkeyAlgorithms exactly */
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =