int knet_vty_set_iacs(struct knet_vty *vty) { unsigned char cmdreply[VTY_MAX_BUFFER_SIZE]; unsigned char cmdsga[] = { IAC, WILL, TELOPT_SGA, '\0' }; unsigned char cmdsgareply[] = { IAC, DO, TELOPT_SGA, '\0' }; unsigned char cmdlm[] = { IAC, DONT, TELOPT_LINEMODE, '\0' }; ssize_t readlen; if (check_vty(vty)) return -1; if (knet_vty_set_echo(vty, 0) < 0) return -1; if (knet_vty_write(vty, "%s", cmdsga) < 0) return -1; readlen = knet_vty_read_real(vty, cmdreply, VTY_MAX_BUFFER_SIZE, 0); if (readlen < 0) return readlen; if (memcmp(&cmdreply, &cmdsgareply, readlen)) return -1; if (knet_vty_write(vty, "%s", cmdlm) < 0) return -1; return 0; }
static void *vty_accept_thread(void *arg) { struct knet_vty *vty = (struct knet_vty *)&knet_vtys[*(int *)arg]; char *src_ip[2]; int err; knet_vty_print_banner(vty); if (vty->got_epipe) goto out_clean; src_ip[0] = NULL; err = addrtostr((struct sockaddr *)&vty->src_sa, vty->src_sa_len, src_ip); if (!err) { strncpy(vty->ip, src_ip[0], sizeof(vty->ip)); } else { strcpy(vty->ip, "unknown"); } if (src_ip[0]) addrtostr_free(src_ip); if ((knet_vty_auth_user(vty, NULL) < 0) && (!vty->got_epipe)) { log_info("User failed to authenticate (ip: %s)", vty->ip); goto out_clean; } if (vty->got_epipe) goto out_clean; log_info("User %s connected from %s", vty->username, vty->ip); knet_vty_write(vty, "Welcome %s (%s) on vty(%d)\n\n", vty->username, vty->ip, vty->conn_num); if (vty->got_epipe) goto out_clean; if (knet_vty_set_iacs(vty) < 0) { knet_vty_write(vty, "Unable to set telnet session preferences"); goto out_clean; } if (vty->got_epipe) goto out_clean; knet_vty_cli_bind(vty); out_clean: pthread_mutex_lock(&knet_vty_mutex); knet_vty_close(vty); pthread_mutex_unlock(&knet_vty_mutex); return NULL; }
void knet_vty_exit_node(struct knet_vty *vty) { switch(vty->node) { case NODE_LINK: vty->node = NODE_PEER; break; case NODE_PEER: vty->node = NODE_INTERFACE; break; case NODE_INTERFACE: vty->node = NODE_CONFIG; break; case NODE_CONFIG: pthread_mutex_lock(&knet_vty_mutex); knet_vty_config = -1; pthread_mutex_unlock(&knet_vty_mutex); vty->node = NODE_ROOT; break; case NODE_ROOT: vty->got_epipe = 1; break; default: knet_vty_write(vty, "No idea where to go..%s", telnet_newline); break; } }
void knet_vty_print_banner(struct knet_vty *vty) { if (check_vty(vty)) return; knet_vty_write(vty, "Welcome to " PACKAGE " " PACKAGE_VERSION " (built " __DATE__ " " __TIME__ ")\n"); }
void knet_vty_prompt(struct knet_vty *vty) { char buf[3]; if (vty->user_can_enable) { buf[0] = '#'; } else { buf[0] = '>'; } buf[1] = ' '; buf[2] = 0; knet_vty_write(vty, "%s%s", knet_vty_nodes[vty->node].prompt, buf); }
static int knet_vty_set_echoon(struct knet_vty *vty) { unsigned char cmdreply[VTY_MAX_BUFFER_SIZE]; unsigned char cmdechoon[] = { IAC, WONT, TELOPT_ECHO, '\0' }; unsigned char cmdechoonreply[] = { IAC, DONT, TELOPT_ECHO, '\0' }; ssize_t readlen; if (knet_vty_write(vty, "%s", cmdechoon) < 0) return -1; readlen = knet_vty_read_real(vty, cmdreply, VTY_MAX_BUFFER_SIZE, 0); if (readlen < 0) return readlen; if (memcmp(&cmdreply, &cmdechoonreply, readlen)) return -1; return 0; }
static int knet_vty_group_check(struct knet_vty *vty) { struct group grp; char *buf; size_t buflen; long int initlen; struct group *result; char *gr_mem; int err, i; errno = 0; initlen = sysconf(_SC_GETGR_R_SIZE_MAX); if ((initlen < 0) && (errno == EINVAL)) return -1; if (initlen < 0) initlen = 1024; buflen = (size_t) initlen; buf = malloc(buflen); if (!buf) return -1; while ((err = getgrnam_r(DEFAULTADMGROUP, &grp, buf, buflen, &result)) == ERANGE) { size_t newlen = 2 * buflen; char *newbuf; newbuf = realloc(buf, newlen); if (!newbuf) { err = -1; goto out_clean; } buf = newbuf; } if (err) goto out_clean; if (result == NULL) { errno = EACCES; log_error("No " DEFAULTADMGROUP " group found on the system"); knet_vty_write(vty, "No " DEFAULTADMGROUP " group found on the system\n"); err = -1; goto out_clean; } gr_mem = *grp.gr_mem; i = 0; while(gr_mem != NULL) { if (!strcmp(vty->username, gr_mem)) { vty->user_can_enable = 1; break; } gr_mem = *(grp.gr_mem + i); i++; } out_clean: free(buf); return err; }
static int knet_pam_misc_conv(int num_msg, const struct pam_message **msgm, struct pam_response **response, void *appdata_ptr) { int count = 0; struct pam_response *reply; struct knet_vty *vty = (struct knet_vty *)appdata_ptr; if (num_msg <= 0) return PAM_CONV_ERR; reply = (struct pam_response *) calloc(num_msg, sizeof(struct pam_response)); if (reply == NULL) return PAM_CONV_ERR; for (count=0; count < num_msg; ++count) { unsigned char readbuf[VTY_MAX_BUFFER_SIZE]; char *string=NULL; int nc; memset(readbuf, 0, sizeof(readbuf)); switch (msgm[count]->msg_style) { case PAM_PROMPT_ECHO_OFF: if (knet_vty_set_echo(vty, 0) < 0) { knet_vty_write(vty, "Unable to turn off terminal/telnet echo"); goto failed_conversation; } knet_vty_write(vty, "%s", msgm[count]->msg); nc = knet_vty_read(vty, readbuf, sizeof(readbuf)); if (nc < 0) goto failed_conversation; if (knet_vty_set_echo(vty, 1) < 0) { /* doesn't really make a lot of sense tho.... */ knet_vty_write(vty, "Unable to turn on terminal/telnet echo"); goto failed_conversation; } knet_vty_write(vty, "\n"); readbuf[nc-2] = 0; string = strdup((const char*)readbuf); if (!string) goto failed_conversation; break; case PAM_PROMPT_ECHO_ON: knet_vty_write(vty, "\n%s", msgm[count]->msg); nc = knet_vty_read(vty, readbuf, sizeof(readbuf)); if (nc < 0) goto failed_conversation; readbuf[nc-2] = 0; string = strdup((const char*)readbuf); if (!string) goto failed_conversation; break; case PAM_ERROR_MSG: log_error("Received PAM error message %s", msgm[count]->msg); knet_vty_write(vty, "%s", msgm[count]->msg); break; case PAM_TEXT_INFO: log_error("Received PAM text info: %s", msgm[count]->msg); knet_vty_write(vty, "%s", msgm[count]->msg); break; default: if (!vty->got_epipe) { log_error("Unknown PAM conversation message"); knet_vty_write(vty, "Unknown PAM conversation message"); } goto failed_conversation; } if (string) { reply[count].resp_retcode = 0; reply[count].resp = string; string = NULL; } } *response = reply; reply = NULL; return PAM_SUCCESS; failed_conversation: if (!vty->got_epipe) { log_error("PAM conversation error"); knet_vty_write(vty, "PAM conversation error"); } if (reply) { for (count=0; count < num_msg; ++count) { if (reply[count].resp == NULL) continue; switch (msgm[count]->msg_style) { case PAM_PROMPT_ECHO_ON: case PAM_PROMPT_ECHO_OFF: _pam_overwrite(reply[count].resp); free(reply[count].resp); break; case PAM_BINARY_PROMPT: { void *bt_ptr = reply[count].resp; pam_binary_handler_free(appdata_ptr, bt_ptr); break; } case PAM_ERROR_MSG: case PAM_TEXT_INFO: free(reply[count].resp); } } free(reply); reply = NULL; } return PAM_CONV_ERR; }
static int knet_vty_pam_auth_user(struct knet_vty *vty, const char *user) { pam_handle_t *pamh=NULL; struct pam_conv conv; int err; int retry = 1; conv.conv = knet_pam_misc_conv; conv.appdata_ptr = (void *)vty; retry_auth: err = pam_start("kronosnet", user, &conv, &pamh); if (err != PAM_SUCCESS) { errno = EINVAL; log_error("PAM fatal error: %s", pam_strerror(pamh, err)); knet_vty_write(vty, "PAM fatal error: %s", pam_strerror(pamh, err)); goto out_fatal; } err = pam_authenticate(pamh, 0); if (err != PAM_SUCCESS) { if (vty->got_epipe) { errno = EPIPE; goto out_fatal; } else { errno = EINVAL; goto out_clean; } } if (knet_vty_get_pam_user(vty, pamh) != PAM_SUCCESS) { log_error("PAM: unable to get PAM_USER: %s", pam_strerror(pamh, err)); knet_vty_write(vty, "PAM: unable to get PAM_USER: %s", pam_strerror(pamh, err)); goto out_clean; } err = pam_acct_mgmt(pamh, 0); if (err != PAM_SUCCESS) { log_info("User: %s failed to authenticate on vty(%d) attempt %d", vty->username, vty->conn_num, retry); goto out_clean; } out_clean: if (pamh) { pam_end(pamh, err); pamh = NULL; } if ((err != PAM_SUCCESS) && (retry < AUTH_MAX_RETRY)) { retry++; goto retry_auth; } out_fatal: if (pamh) { pam_end(pamh, err); pamh = NULL; } knet_vty_write(vty, "\n"); return err; }
/* * mainloop is not thread safe as there should only be one */ int knet_vty_main_loop(int debug) { int logfd[2]; int vty_listener6_fd; int vty_listener4_fd; int vty_listener_fd; int vty_accept_fd; struct sockaddr_storage incoming_sa; socklen_t salen; fd_set rfds; int se_result = 0; struct timeval tv; int err = 0; int conn_index, found; signal(SIGTERM, sigterm_handler); signal(SIGINT, sigterm_handler); signal(SIGPIPE, sigpipe_handler); if (pipe(logfd)) { log_error("Unable to create logging pipe"); return -1; } if ((_fdset_cloexec(logfd[0])) || (_fdset_cloexec(logfd[1]))) { log_error("Unable to set FD_CLOEXEC on logfd pipe"); return -1; } memset(&knet_vtys, 0, sizeof(knet_vtys)); for(conn_index = 0; conn_index < KNET_VTY_TOTAL_MAX_CONN; conn_index++) { knet_vtys[conn_index].logfd = logfd[1]; if (debug) { knet_vtys[conn_index].loglevel = KNET_LOG_DEBUG; } else { knet_vtys[conn_index].loglevel = KNET_LOG_INFO; } } if (knet_read_conf() < 0) { log_error("Unable to read config file %s", knet_cfg_head.conffile); return -1; } vty_listener6_fd = knet_vty_init_listener(knet_cfg_head.vty_ipv6, knet_cfg_head.vty_port); if (vty_listener6_fd < 0) { log_error("Unable to setup vty listener for ipv6"); return -1; } vty_listener4_fd = knet_vty_init_listener(knet_cfg_head.vty_ipv4, knet_cfg_head.vty_port); if (vty_listener4_fd < 0) { log_error("Unable to setup vty listener for ipv4"); goto out; } while (se_result >= 0 && !daemon_quit) { FD_ZERO (&rfds); FD_SET (vty_listener6_fd, &rfds); FD_SET (vty_listener4_fd, &rfds); FD_SET (logfd[0], &rfds); tv.tv_sec = 1; tv.tv_usec = 0; se_result = select(FD_SETSIZE, &rfds, 0, 0, &tv); if ((se_result == -1) && (daemon_quit)) { log_info("Got a SIGTERM, requesting CLI threads to exit"); for(conn_index = 0; conn_index < KNET_VTY_TOTAL_MAX_CONN; conn_index++) { if (knet_vtys[conn_index].active) { knet_vty_write(&knet_vtys[conn_index], "%s%sServer is going down..%s%s", telnet_newline, telnet_newline, telnet_newline, telnet_newline); knet_vty_close(&knet_vtys[conn_index]); knet_vtys[conn_index].got_epipe = 1; } } sleep(2); /* give time to all vty to exit */ knet_close_down(); log_info("Have a nice day! Goodbye"); goto out; } if (se_result == -1) { err = se_result; log_error("Unable to select on vty listener socket!"); goto out; } if (se_result == 0) { pthread_mutex_lock(&knet_vty_mutex); for(conn_index = 0; conn_index < KNET_VTY_TOTAL_MAX_CONN; conn_index++) { if ((knet_vtys[conn_index].active) && (!knet_vtys[conn_index].disable_idle)) { knet_vtys[conn_index].idle++; if (knet_vtys[conn_index].idle > KNET_VTY_CLI_TIMEOUT) { knet_vty_close(&knet_vtys[conn_index]); knet_vtys[conn_index].got_epipe = 1; } } } pthread_mutex_unlock(&knet_vty_mutex); continue; } if (FD_ISSET(vty_listener6_fd, &rfds)) { vty_listener_fd = vty_listener6_fd; } else if (FD_ISSET(vty_listener4_fd, &rfds)) { vty_listener_fd = vty_listener4_fd; } else if (FD_ISSET(logfd[0], &rfds)) { struct knet_log_msg msg; size_t bytes_read = 0; size_t len; while (bytes_read < sizeof(struct knet_log_msg)) { len = read(logfd[0], &msg + bytes_read, sizeof(struct knet_log_msg) - bytes_read); if (len <= 0) { break; } bytes_read += len; } if (bytes_read != sizeof(struct knet_log_msg)) continue; switch(msg.msglevel) { case KNET_LOG_WARN: log_warn("(%s) %s", knet_get_subsystem_name(msg.subsystem), msg.msg); break; case KNET_LOG_INFO: log_info("(%s) %s", knet_get_subsystem_name(msg.subsystem), msg.msg); break; case KNET_LOG_DEBUG: log_kdebug("(%s) %s", knet_get_subsystem_name(msg.subsystem), msg.msg); break; case KNET_LOG_ERR: default: log_error("(%s) %s", knet_get_subsystem_name(msg.subsystem), msg.msg); } continue; } else { continue; } memset(&incoming_sa, 0, sizeof(struct sockaddr_storage)); salen = sizeof(struct sockaddr_storage); vty_accept_fd = accept(vty_listener_fd, (struct sockaddr *)&incoming_sa, &salen); if (vty_accept_fd < 0) { log_error("Unable to accept connection to vty"); continue; } // check for ip address access list here against incoming_sa pthread_mutex_lock(&knet_vty_mutex); found = 0; for(conn_index = 0; conn_index <= vty_max_connections; conn_index++) { if (knet_vtys[conn_index].active == 0) { found = 1; break; } } if ((vty_current_connections == vty_max_connections) || (!found)) { errno = ECONNREFUSED; log_error("Too many connections to VTY or no available slots"); close(vty_accept_fd); pthread_mutex_unlock(&knet_vty_mutex); continue; } vty_current_connections++; memset(&knet_vtys[conn_index], 0, sizeof(struct knet_vty)); knet_vtys[conn_index].vty_sock = vty_accept_fd; knet_vtys[conn_index].conn_num = conn_index; memcpy(&knet_vtys[conn_index].src_sa, &incoming_sa, salen); knet_vtys[conn_index].src_sa_len = salen; knet_vtys[conn_index].active = 1; knet_vtys[conn_index].logfd = logfd[1]; if (debug) { knet_vtys[conn_index].loglevel = KNET_LOG_DEBUG; } else { knet_vtys[conn_index].loglevel = KNET_LOG_INFO; } err = pthread_create(&knet_vtys[conn_index].vty_thread, NULL, vty_accept_thread, (void *)&conn_index); if (err < 0) { log_error("Unable to spawn vty thread"); memset(&knet_vtys[conn_index], 0, sizeof(struct knet_vty)); vty_current_connections--; } pthread_mutex_unlock(&knet_vty_mutex); } out: knet_vty_close_listener(vty_listener6_fd); knet_vty_close_listener(vty_listener4_fd); close(logfd[0]); close(logfd[1]); return err; }