int main( )
{
struct airport a ;
int i, pri, curtime, endtime ;
double expectarrive, expectdepart ;
struct plane temp ;
system ( "cls" ) ;
initairport ( &a );
start ( &endtime, &expectarrive, &expectdepart ) ;
for ( curtime = 1 ; curtime <= endtime ; curtime++ )
{
pri = randomnumber ( expectarrive ) ;
for ( i = 1 ; i <= pri ; i++ )
{
newplane ( &a, curtime, ARRIVE ) ;
if ( apfull ( a, 'l' ) )
refuse ( &a, ARRIVE ) ;
else
apaddqueue( &a, 'l' ) ;
}
pri = randomnumber ( expectdepart ) ;
for ( i = 1 ; i <= pri ; i++ )
{
newplane ( &a, curtime, DEPART ) ;
if ( apfull ( a, 't' ) )
refuse ( &a, DEPART ) ;
else
apaddqueue ( &a, 't' ) ;
}
if ( ! ( apempty ( a, 'l' ) ) )
{
temp = apdelqueue ( &a, 'l' ) ;
land ( &a, temp, curtime ) ;
}
else
{
if ( ! ( apempty ( a, 't' ) ) )
{
temp = apdelqueue ( &a, 't' ) ;
fly ( &a, temp, curtime ) ;
}
else
idle ( &a, curtime ) ;
}
}
conclude ( &a, endtime ) ;
return 0 ;
}
/* dispose of local addresses */
int
cat_mail(dest *dp, message *mp)
{
Biobuf *fp;
char *rcvr, *cp;
Mlock *l;
String *tmp, *s;
int i, n;
s = unescapespecial(s_clone(dp->repl1));
if (nflg) {
if(!xflg)
print("cat >> %s\n", s_to_c(s));
else
print("%s\n", s_to_c(dp->addr));
s_free(s);
return 0;
}
for(i = 0;; i++){
l = syslock(s_to_c(s));
if(l == 0)
return refuse(dp, mp, "can't lock mail file", 0, 0);
fp = sysopen(s_to_c(s), "al", MBOXMODE);
if(fp)
break;
tmp = s_append(0, s_to_c(s));
s_append(tmp, ".tmp");
fp = sysopen(s_to_c(tmp), "al", MBOXMODE);
if(fp){
syslog(0, "mail", "error: used %s", s_to_c(tmp));
s_free(tmp);
break;
}
s_free(tmp);
sysunlock(l);
if(i >= 5)
return refuse(dp, mp, "mail file cannot be opened", 0, 0);
sleep(1000);
}
s_free(s);
n = m_print(mp, fp, (char *)0, 1);
if (Bprint(fp, "\n") < 0 || Bflush(fp) < 0 || n < 0){
sysclose(fp);
sysunlock(l);
return refuse(dp, mp, "error writing mail file", 0, 0);
}
sysclose(fp);
sysunlock(l);
rcvr = s_to_c(dp->addr);
if(cp = strrchr(rcvr, '!'))
rcvr = cp+1;
logdelivery(dp, rcvr, mp);
return 0;
}
// Called when the schedd initially connects to the transferd to finish
// the registration process.
int
TransferD::setup_transfer_request_handler(int /*cmd*/, Stream *sock)
{
ReliSock *rsock = (ReliSock*)sock;
MyString sock_id;
dprintf(D_ALWAYS, "Got TRANSFER_CONTROL_CHANNEL!\n");
rsock->decode();
///////////////////////////////////////////////////////////////
// make sure we are authenticated
///////////////////////////////////////////////////////////////
if( ! rsock->triedAuthentication() ) {
CondorError errstack;
if( ! SecMan::authenticate_sock(rsock, WRITE, &errstack) ) {
// we failed to authenticate, we should bail out now
// since we don't know what user is trying to perform
// this action.
// TODO: it'd be nice to print out what failed, but we
// need better error propagation for that...
errstack.push( "TransferD::setup_transfer_request_handler()", 42,
"Failure to register transferd - Authentication failed" );
dprintf( D_ALWAYS, "setup_transfer_request_handler() "
"aborting: %s\n",
errstack.getFullText().c_str() );
refuse(rsock);
return CLOSE_STREAM;
}
}
rsock->decode();
///////////////////////////////////////////////////////////////
// Register this socket with a socket handler to handle incoming requests
///////////////////////////////////////////////////////////////
sock_id += "<TreqChannel-Socket>";
char* _sock_id = strdup( sock_id.Value() ); //de-const
// register the handler for any future transfer requests on this socket.
daemonCore->Register_Socket((Sock*)rsock, _sock_id,
(SocketHandlercpp)&TransferD::accept_transfer_request_handler,
"TransferD::accept_transfer_request_handler", this, ALLOW);
free( _sock_id );
dprintf(D_ALWAYS, "Treq channel established.\n");
dprintf(D_ALWAYS, "Accepting Transfer Requests.\n");
return KEEP_STREAM;
}
// This handler is called when a client wishes to write files from the
// transferd's storage.
int
TransferD::write_files_handler(int cmd, Stream *sock)
{
ReliSock *rsock = (ReliSock*)sock;
MyString capability;
int protocol = FTP_UNKNOWN;
TransferRequest *treq = NULL;
MyString fquser;
static int transfer_reaper_id = -1;
ThreadArg *thread_arg;
int tid;
ClassAd reqad;
ClassAd respad;
cmd = cmd; // quiet the compiler.
dprintf(D_ALWAYS, "Got TRANSFERD_WRITE_FILES!\n");
/////////////////////////////////////////////////////////////////////////
// make sure we are authenticated
/////////////////////////////////////////////////////////////////////////
if( ! rsock->triedAuthentication() ) {
CondorError errstack;
if( ! SecMan::authenticate_sock(rsock, WRITE, &errstack) ) {
// we failed to authenticate, we should bail out now
// since we don't know what user is trying to perform
// this action.
// TODO: it'd be nice to print out what failed, but we
// need better error propagation for that...
errstack.push( "TransferD::setup_transfer_request_handler()", 42,
"Failure to register transferd - Authentication failed" );
dprintf( D_ALWAYS, "setup_transfer_request_handler() "
"aborting: %s\n",
errstack.getFullText() );
refuse( rsock );
return CLOSE_STREAM;
}
}
fquser = rsock->getFullyQualifiedUser();
/////////////////////////////////////////////////////////////////////////
// Check to see if the capability the client tells us is something that
// we have knowledge of. We ONLY check the capability and not the
// identity of the person in question. This allows people of different
// identities to write files here as long as they had the right
// capability. While this might not sound secure, they STILL had to have
// authenticated as someone this daemon trusts.
// Similarly, check the protocol it wants to use as well as ensure that
// the direction the transfer request was supposed to be is being honored.
/////////////////////////////////////////////////////////////////////////
rsock->decode();
// soak the request ad from the client about what it wants to transfer
reqad.initFromStream(*rsock);
rsock->end_of_message();
reqad.LookupString(ATTR_TREQ_CAPABILITY, capability);
rsock->encode();
// do I know of such a capability?
if (m_treqs.lookup(capability, treq) != 0) {
// didn't find it. Log it and tell them to leave and close up shop
respad.Assign(ATTR_TREQ_INVALID_REQUEST, TRUE);
respad.Assign(ATTR_TREQ_INVALID_REASON, "Invalid capability!");
respad.put(*rsock);
rsock->end_of_message();
dprintf(D_ALWAYS, "Client identity '%s' tried to write some files "
"using capability '%s', but there was no such capability. "
"Access denied.\n", fquser.Value(), capability.Value());
return CLOSE_STREAM;
}
reqad.LookupInteger(ATTR_TREQ_FTP, protocol);
// am I willing to use this protocol?
switch(protocol) {
case FTP_CFTP: // FileTrans protocol, I'm happy.
break;
default:
respad.Assign(ATTR_TREQ_INVALID_REQUEST, TRUE);
respad.Assign(ATTR_TREQ_INVALID_REASON,
"Invalid file transfer protocol!");
respad.put(*rsock);
rsock->end_of_message();
dprintf(D_ALWAYS, "Client identity '%s' tried to write some files "
"using protocol '%d', but I don't support that protocol. "
"Access denied.\n", fquser.Value(), protocol);
return CLOSE_STREAM;
}
// nsure that this transfer request was of the uploading variety
if (treq->get_direction() != FTPD_UPLOAD) {
respad.Assign(ATTR_TREQ_INVALID_REQUEST, TRUE);
respad.Assign(ATTR_TREQ_INVALID_REASON,
"Transfer Request was not an uploading request!");
respad.put(*rsock);
rsock->end_of_message();
dprintf(D_ALWAYS, "Client identity '%s' tried to write some files "
"to a transfer request that wasn't expecting to be written. "
"Access denied.\n", fquser.Value());
}
/////////////////////////////////////////////////////////////////////////
// Tell the client everything was ok.
/////////////////////////////////////////////////////////////////////////
respad.Assign(ATTR_TREQ_INVALID_REQUEST, FALSE);
respad.put(*rsock);
rsock->end_of_message();
/////////////////////////////////////////////////////////////////////////
// Set up a thread (a process under unix) to read ALL of the job files
// for all of the ads in the TransferRequest.
/////////////////////////////////////////////////////////////////////////
// now create a thread, passing in the sock, which uses the file transfer
// object to accept the files.
if (transfer_reaper_id == -1) {
// only set this up ONCE so each and every thread gets one.
transfer_reaper_id = daemonCore->Register_Reaper(
"write_files_reaper",
(ReaperHandlercpp) &TransferD::write_files_reaper,
"write_files_reaper",
this
);
}
thread_arg = new ThreadArg(protocol, treq);
// Start a new thread (process on Unix) to do the work
tid = daemonCore->Create_Thread(
(ThreadStartFunc)&TransferD::write_files_thread,
(void *)thread_arg,
rsock,
transfer_reaper_id
);
if (tid == FALSE) {
// XXX How do I handle this failure?
}
// associate the tid with the request so I can deal with it propery in
// the reaper
m_client_to_transferd_threads.insert(tid, treq);
// The stream is inherited to the thread, who does the transfer and
// finishes the protocol, but in the parent, I'm closing it.
return CLOSE_STREAM;
}
int main(int argc, char *argv[])
{
struct request_info request;
char path[MAXPATHNAMELEN];
/* Attempt to prevent the creation of world-writable files. */
#ifdef DAEMON_UMASK
umask(DAEMON_UMASK);
#endif
/*
* If argv[0] is an absolute path name, ignore REAL_DAEMON_DIR, and strip
* argv[0] to its basename.
*/
if (argv[0][0] == '/') {
strlcpy(path, argv[0], sizeof path);
argv[0] = strrchr(argv[0], '/') + 1;
} else {
snprintf(path, sizeof path, "%s/%s", REAL_DAEMON_DIR, argv[0]);
}
/*
* Open a channel to the syslog daemon. Older versions of openlog()
* require only two arguments.
*/
#ifdef LOG_MAIL
(void) openlog(argv[0], LOG_PID, FACILITY);
#else
(void) openlog(argv[0], LOG_PID);
#endif
/*
* Find out the endpoint addresses of this conversation. Host name
* lookups and double checks will be done on demand.
*/
request_init(&request, RQ_DAEMON, argv[0], RQ_FILE, STDIN_FILENO, 0);
fromhost(&request);
/*
* Optionally look up and double check the remote host name. Sites
* concerned with security may choose to refuse connections from hosts
* that pretend to have someone elses host name.
*/
#ifdef PARANOID
if (STR_EQ(eval_hostname(request.client), paranoid))
refuse(&request);
#endif
/*
* The BSD rlogin and rsh daemons that came out after 4.3 BSD disallow
* socket options at the IP level. They do so for a good reason.
* Unfortunately, we cannot use this with SunOS 4.1.x because the
* getsockopt() system call can panic the system.
*/
#ifdef KILL_IP_OPTIONS
fix_options(&request);
#endif
/*
* Check whether this host can access the service in argv[0]. The
* access-control code invokes optional shell commands as specified in
* the access-control tables.
*/
#ifdef HOSTS_ACCESS
if (!hosts_access(&request))
refuse(&request);
#endif
/* Report request and invoke the real daemon program. */
syslog(allow_severity, "connect from %s", eval_client(&request));
closelog();
(void) execv(path, argv);
syslog(LOG_ERR, "error: cannot execute %s: %m", path);
clean_exit(&request);
/* NOTREACHED */
}
/* wait for incoming connection requests */
void wait_for_connections(void){
struct sockaddr_in6 myname6;
struct sockaddr_in6 src_sin;
socklen_t socklen = sizeof(src_sin);
struct sockaddr *remoteaddr = (struct sockaddr *)&src_sin;
int rc;
int sock, new_sd;
pid_t pid;
int flag=1;
int max_fd = 0;
int i = 0, j = 0;
fd_set fdread;
struct timeval timeout;
int retval;
#ifdef HAVE_LIBWRAP
struct request_info req;
#endif
int rval;
struct addrinfo addrinfo;
struct addrinfo *res, *r;
memset(&addrinfo, 0, sizeof(addrinfo));
addrinfo.ai_family=AF_UNSPEC;
addrinfo.ai_socktype=SOCK_STREAM;
addrinfo.ai_protocol=IPPROTO_TCP;
if(!server_address || !strlen(server_address)) {
server_address = NULL;
addrinfo.ai_flags=AI_PASSIVE;
}
if (rval = getaddrinfo(server_address, server_port, &addrinfo, &res) != 0) {
syslog(LOG_ERR,"Invalid server_address (%d: %s)",errno,strerror(errno));
exit(STATE_CRITICAL);
}
else {
for (r=res; r; r = r->ai_next){
if (r->ai_family != AF_INET && r->ai_family != AF_INET6)
continue;
if (num_listen_socks >= MAX_LISTEN_SOCKS){
syslog(LOG_ERR,"Too many listen sockets. Enlarge MAX_LISTEN_SOCKS\n");
exit(STATE_UNKNOWN);
}
sock = socket(r->ai_family, r->ai_socktype, r->ai_protocol);
if (sock < 0)
/* kernel may not support ipv6 */
continue;
/* socket should be non-blocking */
fcntl(sock,F_SETFL,O_NONBLOCK);
/* set the reuse address flag so we don't get errors when restarting */
flag=1;
if(setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,(char *)&flag,sizeof(flag))<0){
syslog(LOG_ERR,"Could not set reuse address option on socket!\n");
exit(STATE_UNKNOWN);
}
#ifdef IPV6_V6ONLY
/* Only communicate in IPv6 over AF_INET6 sockets. */
flag=1;
if (r->ai_family == AF_INET6)
if(setsockopt(sock,IPPROTO_IPV6,IPV6_V6ONLY,(char *)&flag,sizeof(flag))<0) {
syslog(LOG_ERR,"Could not set IPV6_V6ONLY option on socket!\n");
exit(STATE_UNKNOWN);
}
#endif
if(bind(sock, r->ai_addr, r->ai_addrlen) < 0) {
syslog(LOG_ERR,"Network server bind failure (%d: %s)\n",errno,strerror(errno));
(void) close(sock);
exit(STATE_CRITICAL);
}
listen_socks[num_listen_socks] = sock;
num_listen_socks++;
if (listen(sock, 5) < 0){
syslog(LOG_ERR,"Network server listen failure (%d: %s)\n",errno,strerror(errno));
exit(STATE_CRITICAL);
}
if(sock > max_fd)
max_fd = sock;
}
freeaddrinfo(res);
if(num_listen_socks == 0) {
exit(STATE_CRITICAL);
}
}
/* log warning about command arguments */
#ifdef ENABLE_COMMAND_ARGUMENTS
if(allow_arguments==TRUE)
syslog(LOG_NOTICE,"Warning: Daemon is configured to accept command arguments from clients!");
#endif
syslog(LOG_INFO,"Listening for connections on port %s\n",server_port);
if(allowed_hosts)
syslog(LOG_INFO,"Allowing connections from: %s\n",allowed_hosts);
/* listen for connection requests - fork() if we get one */
while(1){
/* wait for a connection request */
/* wait until there's something to do */
FD_ZERO(&fdread);
for(i=0; i < num_listen_socks; i++)
FD_SET(listen_socks[i],&fdread);
timeout.tv_sec=0;
timeout.tv_usec=500000;
retval=select(max_fd+1,&fdread,NULL,NULL,&timeout);
/* bail out if necessary */
if(sigrestart==TRUE || sigshutdown==TRUE)
break;
/* error */
if(retval<0)
continue;
/* accept a new connection request */
for (i = 0; i < num_listen_socks; i++){
if (!FD_ISSET(listen_socks[i], &fdread))
continue;
new_sd=accept(listen_socks[i], remoteaddr, &socklen);
/* some kind of error occurred... */
if(new_sd<0){
/* bail out if necessary */
if(sigrestart==TRUE || sigshutdown==TRUE)
break;
/* retry */
if(errno==EWOULDBLOCK || errno==EINTR)
continue;
/* socket is nonblocking and we don't have a connection yet */
if(errno==EAGAIN)
continue;
/* fix for HP-UX 11.0 - just retry */
if(errno==ENOBUFS)
continue;
}
/* bail out if necessary */
if(sigrestart==TRUE || sigshutdown==TRUE)
break;
/* child process should handle the connection */
pid=fork();
if(pid==0){
/* fork again so we don't create zombies */
pid=fork();
if(pid==0){
/* hey, there was an error... */
if(new_sd<0){
/* log error to syslog facility */
syslog(LOG_ERR,"Network server accept failure (%d: %s)",errno,strerror(errno));
/* close sockets prioer to exiting */
for(j=0; j < num_listen_socks; j++)
close(listen_socks[j]);
return;
}
/* handle siOAgnals */
signal(SIGQUIT,child_sighandler);
signal(SIGTERM,child_sighandler);
signal(SIGHUP,child_sighandler);
/* grandchild does not need to listen for connections, so close the sockets */
for(j=0; j < num_listen_socks; j++)
close(listen_socks[j]);
/* log info to syslog facility */
if(debug==TRUE)
syslog(LOG_DEBUG,"Connection from %s port %d",get_ip_str(remoteaddr, buf, BUFLEN),get_port(remoteaddr));
/* is this is a blessed machine? */
if(allowed_hosts){
if(!is_an_allowed_host(remoteaddr)){
/* log error to syslog facility */
syslog(LOG_ERR,"Host %s is not allowed to talk to us!",get_ip_str(remoteaddr, buf, BUFLEN));
/* log info to syslog facility */
if(debug==TRUE)
syslog(LOG_DEBUG,"Connection from %s closed.",get_ip_str(remoteaddr, buf, BUFLEN));
/* close socket prior to exiting */
close(new_sd);
exit(STATE_OK);
}
else{
/* log info to syslog facility */
if(debug==TRUE)
syslog(LOG_DEBUG,"Host address is in allowed_hosts");
}
}
#ifdef HAVE_LIBWRAP
/* Check whether or not connections are allowed from this host */
request_init(&req,RQ_DAEMON,"nrpe",RQ_FILE,new_sd,0);
fromhost(&req);
if(!hosts_access(&req)){
syslog(LOG_DEBUG,"Connection refused by TCP wrapper");
/* refuse the connection */
refuse(&req);
close(new_sd);
/* should not be reached */
syslog(LOG_ERR,"libwrap refuse() returns!");
exit(STATE_CRITICAL);
}
#endif
/* handle the client connection */
handle_connection(new_sd);
/* log info to syslog facility */
if(debug==TRUE)
syslog(LOG_DEBUG,"Connection from %s closed.",get_ip_str(remoteaddr, buf, BUFLEN));
/* close socket prior to exiting */
close(new_sd);
exit(STATE_OK);
}
/* first child returns immediately, grandchild is inherited by INIT process -> no zombies... */
else
exit(STATE_OK);
}
/* parent ... */
else{
/* parent doesn't need the new connection */
close(new_sd);
/* parent waits for first child to exit */
waitpid(pid,NULL,0);
}
}
}
/* close the sockets we're listening on */
for(j=0; j < num_listen_socks; j++)
close(listen_socks[j]);
return;
}
void handleAccept(int i)
{
struct sockaddr addr;
struct sockaddr_in *sin;
unsigned char address[4];
char addressText[64];
int j;
int addrlen;
int index = -1;
int o;
SOCKET nfd;
addrlen = sizeof(addr);
nfd = accept(seFds[i], &addr, &addrlen);
if (nfd == INVALID_SOCKET) {
log(-1, i, logAcceptFailed);
return;
}
#ifndef WIN32
if (nfd > maxfd) {
maxfd = nfd;
}
#endif /* WIN32 */
j = 1;
ioctlsocket(nfd, FIONBIO, &j);
j = 0;
#ifndef WIN32
setsockopt(nfd, SOL_SOCKET, SO_LINGER, &j, sizeof(j));
#endif
for (j = 0; (j < coTotal); j++) {
if (coClosed[j]) {
index = j;
break;
}
}
if (index == -1) {
o = coTotal;
coTotal *= 2;
if (!SAFE_REALLOC(&reFds, sizeof(int) * o,
sizeof(SOCKET) * coTotal))
{
goto shortage;
}
if (!SAFE_REALLOC(&loFds, sizeof(int) * o,
sizeof(SOCKET) * coTotal))
{
goto shortage;
}
if (!SAFE_REALLOC(&coInputRPos,
sizeof(int) * o, sizeof(int) * coTotal))
{
goto shortage;
}
if (!SAFE_REALLOC(&coInputWPos,
sizeof(int) * o, sizeof(int) * coTotal))
{
goto shortage;
}
if (!SAFE_REALLOC(&coOutputRPos,
sizeof(int) * o, sizeof(int) * coTotal))
{
goto shortage;
}
if (!SAFE_REALLOC(&coOutputWPos, sizeof(int) * o,
sizeof(int) * coTotal))
{
goto shortage;
}
if (!SAFE_REALLOC(&coClosed, sizeof(int) * o,
sizeof(int) * coTotal))
{
goto shortage;
}
if (!SAFE_REALLOC(&coClosing, sizeof(int) * o,
sizeof(int) * coTotal))
{
goto shortage;
}
if (!SAFE_REALLOC(&reClosed, sizeof(int) * o,
sizeof(int) * coTotal))
{
goto shortage;
}
if (!SAFE_REALLOC(&loClosed, sizeof(int) * o,
sizeof(int) * coTotal))
{
goto shortage;
}
if (!SAFE_REALLOC(&coLog, sizeof(int) * o,
sizeof(int) * coTotal))
{
goto shortage;
}
if (!SAFE_REALLOC(&coSe, sizeof(int) * o,
sizeof(int) * coTotal))
{
goto shortage;
}
if (!SAFE_REALLOC(&coBytesInput, sizeof(int) * o,
sizeof(int) * coTotal))
{
goto shortage;
}
if (!SAFE_REALLOC(&reAddresses, 4 * o,
4 * coTotal))
{
goto shortage;
}
if (!SAFE_REALLOC(&coBytesOutput, sizeof(int) * o,
sizeof(int) * coTotal))
{
goto shortage;
}
if (!SAFE_REALLOC(&coInput, sizeof(char *) * o,
sizeof(char *) * coTotal))
{
goto shortage;
}
if (!SAFE_REALLOC(&coOutput, sizeof(char *) * o,
sizeof(char *) * coTotal))
{
goto shortage;
}
for (j = o; (j < coTotal); j++) {
coClosed[j] = 1;
coInput[j] = (char *)
malloc(sizeof(char) * bufferSpace);
if (!coInput[j]) {
int k;
for (k = o; (k < j); k++) {
free(coInput[k]);
free(coOutput[k]);
}
goto shortage;
}
coOutput[j] = (char *)
malloc(sizeof(char) * bufferSpace);
if (!coOutput[j]) {
int k;
free(coInput[j]);
for (k = o; (k < j); k++) {
free(coInput[k]);
free(coOutput[k]);
}
goto shortage;
}
}
index = o;
}
coInputRPos[index] = 0;
coInputWPos[index] = 0;
coOutputRPos[index] = 0;
coOutputWPos[index] = 0;
coClosed[index] = 0;
coClosing[index] = 0;
reClosed[index] = 0;
loClosed[index] = 0;
reFds[index] = nfd;
coBytesInput[index] = 0;
coBytesOutput[index] = 0;
coLog[index] = 0;
coSe[index] = i;
sin = (struct sockaddr_in *) &addr;
memcpy(address, &(sin->sin_addr.s_addr), 4);
memcpy(reAddresses + index * 4, address, 4);
/* Now, do we want to accept this connection?
Format it for comparison to a pattern. */
sprintf(addressText, "%d.%d.%d.%d",
address[0], address[1], address[2], address[3]);
/* 1. Check global allow rules. If there are no
global allow rules, it's presumed OK at
this step. If there are any, and it doesn't
match at least one, kick it out. */
if (globalAllowRules) {
int good = 0;
for (j = 0; (j < globalAllowRules); j++) {
if (match(addressText, allowRules[j])) {
good = 1;
break;
}
}
if (!good) {
refuse(index, logNotAllowed);
return;
}
}
/* 2. Check global deny rules. If it matches
any of the global deny rules, kick it out. */
if (globalDenyRules) {
for (j = 0; (j < globalDenyRules); j++) {
if (match(addressText, denyRules[j])) {
refuse(index, logDenied);
}
}
}
/* 3. Check allow rules specific to this forwarding rule.
If there are none, it's OK. If there are any,
it must match at least one. */
if (seAllowRulesTotal[i]) {
int good = 0;
for (j = 0; (j < seAllowRulesTotal[i]); j++) {
if (match(addressText,
allowRules[seAllowRules[i] + j])) {
good = 1;
break;
}
}
if (!good) {
refuse(index, logNotAllowed);
return;
}
}
/* 2. Check deny rules specific to this forwarding rule. If
it matches any of the deny rules, kick it out. */
if (seDenyRulesTotal[i]) {
for (j = 0; (j < seDenyRulesTotal[i]); j++) {
if (match(addressText,
denyRules[seDenyRules[i] + j])) {
refuse(index, logDenied);
}
}
}
/* Now open a connection to the local server.
This, too, is nonblocking. Why wait
for anything when you don't have to? */
openLocalFd(i, index);
return;
shortage:
fprintf(stderr, "rinetd: not enough memory to "
"add slots. Currently %d slots.\n", o);
/* Go back to the previous total number of slots */
coTotal = o;
}
MainWindow::MainWindow(QWidget *parent) :
QMainWindow(parent),
ui(new Ui::MainWindow),
m_server(new NetworkServer(this)),
m_ipList(),
m_bgm(this)
{
ui->setupUi(this);
m_bgm.setMedia(QUrl::fromLocalFile("./Music/thestonemasons.wav"));
m_bgm.setVolume(50);
m_bgm.play();
connect(&m_bgm, SIGNAL(stateChanged(QMediaPlayer::State)), &m_bgm, SLOT(play()));
setFixedSize(width(), height());
m_gobang = new Gobang(this);
m_startMenu = new StartMenu(this);
m_waitWidget = new waitWidget(this);
setCursor(QCursor(QPixmap(":/Pic/arrows.png"), 1, 1));
m_gobang->hide();
m_waitWidget->hide();
m_startMenu->show();
currentWidget = m_startMenu;
m_server->listen();
m_server->getIP();
m_waitWidget->ui->ipLabel->setText("您的IP是:" + m_server->Sadress);
m_timer.setInterval(1000);
currentState = m_server->readWriteSocket->state();
m_time1.setInterval(200); m_time1.start();
connect(&m_time1, SIGNAL(timeout()), this, SLOT(checkState()));
m_timer.start();
connect(&m_timer, SIGNAL(timeout()), this, SLOT(checkUnactive()));
connect(m_startMenu->ui->startServer, SIGNAL(clicked()), this, SLOT(setWaiting()));
connect(m_startMenu->ui->startServer, SIGNAL(clicked()), m_gobang, SLOT(setHost()));
connect(m_startMenu->ui->startServer, SIGNAL(clicked()), m_server, SLOT(closeListen()));
connect(m_startMenu->ui->startServer, SIGNAL(clicked()), m_server, SLOT(initServer()));
connect(m_startMenu->ui->startClient, SIGNAL(clicked()), this, SLOT(connectHost()));
connect(m_startMenu->ui->startClient, SIGNAL(clicked()), m_server, SLOT(closeListen()));
connect(m_waitWidget->ui->ok, SIGNAL(clicked()), this, SLOT(broadcast()));
connect(m_waitWidget->ui->ok, SIGNAL(clicked()), m_waitWidget->ui->setBox, SLOT(hide()));
connect(m_waitWidget->ui->ok, SIGNAL(clicked()), m_waitWidget->ui->waitLabel, SLOT(show()));
connect(m_waitWidget->ui->back, SIGNAL(clicked()), m_server, SLOT(closeWrite()));
connect(m_waitWidget->ui->back, SIGNAL(clicked()), m_server, SLOT(listen()));
connect(m_waitWidget->ui->back, SIGNAL(clicked()), this, SLOT(setStart()));
connect(m_gobang, SIGNAL(sendSignal(int, Step)), m_server, SLOT(sendMessage(int, Step)));
connect(m_server, SIGNAL(setPieces(Step)), m_gobang, SLOT(setPieces(const Step&)));
connect(m_server, SIGNAL(findPlayer(QString)), this, SLOT(findPlayer(QString)));
connect(m_server, SIGNAL(changeCamp(int)), m_gobang, SLOT(changeCamp(int)));
connect(m_server, SIGNAL(recall(int)), m_gobang, SLOT(recallDone(int)));
connect(m_server, SIGNAL(reStart()), m_gobang, SLOT(reStart()));
connect(m_server, SIGNAL(agreeRecall()), m_gobang, SLOT(on_recall()));
connect(m_server, SIGNAL(askForRecall()), m_gobang, SLOT(forRecall()));
connect(m_server, SIGNAL(agreeExit()), this, SLOT(setStart()));
connect(m_server, SIGNAL(agreeExit()), m_gobang, SLOT(on_exit()));
connect(m_server, SIGNAL(refuse()), m_gobang, SLOT(on_refuse()));
connect(m_server, SIGNAL(agreeExit()), m_server, SLOT(listen()));
connect(m_server, SIGNAL(askForExit()), m_gobang, SLOT(forExit()));
connect(m_server, SIGNAL(changeState(int, int, int)), m_gobang, SLOT(changeCurrentState(int, int, int)));
connect(m_server->listenSocket, SIGNAL(newConnection()), this, SLOT(setGobang()));
connect(m_server->listenSocket, SIGNAL(newConnection()), m_server, SLOT(closeWrite()));
connect(m_server->listenSocket, SIGNAL(newConnection()), m_server, SLOT(closeListen()));
}
/* wait for incoming connection requests */
void wait_for_connections(void){
struct sockaddr_in myname;
struct sockaddr_in *nptr;
struct sockaddr addr;
int rc;
int sock, new_sd;
socklen_t addrlen;
pid_t pid;
int flag=1;
fd_set fdread;
struct timeval timeout;
int retval;
#ifdef HAVE_LIBWRAP
struct request_info req;
#endif
/* create a socket for listening */
sock=socket(AF_INET,SOCK_STREAM,0);
/* exit if we couldn't create the socket */
if(sock<0){
syslog(LOG_ERR,"Network server socket failure (%d: %s)",errno,strerror(errno));
exit(STATE_CRITICAL);
}
/* socket should be non-blocking */
fcntl(sock,F_SETFL,O_NONBLOCK);
/* set the reuse address flag so we don't get errors when restarting */
flag=1;
if(setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,(char *)&flag,sizeof(flag))<0){
syslog(LOG_ERR,"Could not set reuse address option on socket!\n");
exit(STATE_UNKNOWN);
}
myname.sin_family=AF_INET;
myname.sin_port=htons(server_port);
bzero(&myname.sin_zero,8);
/* what address should we bind to? */
if(!strlen(server_address))
myname.sin_addr.s_addr=INADDR_ANY;
else if(!my_inet_aton(server_address,&myname.sin_addr)){
syslog(LOG_ERR,"Server address is not a valid IP address\n");
exit(STATE_CRITICAL);
}
/* bind the address to the Internet socket */
if(bind(sock,(struct sockaddr *)&myname,sizeof(myname))<0){
syslog(LOG_ERR,"Network server bind failure (%d: %s)\n",errno,strerror(errno));
exit(STATE_CRITICAL);
}
/* open the socket for listening */
if(listen(sock,5)<0){
syslog(LOG_ERR,"Network server listen failure (%d: %s)\n",errno,strerror(errno));
exit(STATE_CRITICAL);
}
/* log warning about command arguments */
#ifdef ENABLE_COMMAND_ARGUMENTS
if(allow_arguments==TRUE)
syslog(LOG_NOTICE,"Warning: Daemon is configured to accept command arguments from clients!");
#ifdef ENABLE_BASH_COMMAND_SUBSTITUTION
if(TRUE==allow_bash_command_substitution) {
if(TRUE==allow_arguments)
syslog(LOG_NOTICE,"Warning: Daemon is configured to accept command arguments with bash command substitutions!");
else
syslog(LOG_NOTICE,"Warning: Daemon is configured to accept command arguments with bash command substitutions, but is not configured to accept command argements from clients. Enable command arguments if you wish to allow command arguments with bash command substitutions.");
}
#endif
#endif
syslog(LOG_INFO,"Listening for connections on port %d\n",htons(myname.sin_port));
if(allowed_hosts)
syslog(LOG_INFO,"Allowing connections from: %s\n",allowed_hosts);
/* listen for connection requests - fork() if we get one */
while(1){
/* wait for a connection request */
while(1){
/* wait until there's something to do */
FD_ZERO(&fdread);
FD_SET(sock,&fdread);
timeout.tv_sec=0;
timeout.tv_usec=500000;
retval=select(sock+1,&fdread,NULL,&fdread,&timeout);
/* bail out if necessary */
if(sigrestart==TRUE || sigshutdown==TRUE)
break;
/* error */
if(retval<0)
continue;
/* accept a new connection request */
new_sd=accept(sock,0,0);
/* some kind of error occurred... */
if(new_sd<0){
/* bail out if necessary */
if(sigrestart==TRUE || sigshutdown==TRUE)
break;
/* retry */
if(errno==EWOULDBLOCK || errno==EINTR)
continue;
/* socket is nonblocking and we don't have a connection yet */
if(errno==EAGAIN)
continue;
/* fix for HP-UX 11.0 - just retry */
if(errno==ENOBUFS)
continue;
/* else handle the error later */
break;
}
/* connection was good */
break;
}
/* bail out if necessary */
if(sigrestart==TRUE || sigshutdown==TRUE)
break;
/* child process should handle the connection */
pid=fork();
if(pid==0){
/* fork again so we don't create zombies */
pid=fork();
if(pid==0){
/* hey, there was an error... */
if(new_sd<0){
/* log error to syslog facility */
syslog(LOG_ERR,"Network server accept failure (%d: %s)",errno,strerror(errno));
/* close socket prioer to exiting */
close(sock);
return;
}
/* handle signals */
signal(SIGQUIT,child_sighandler);
signal(SIGTERM,child_sighandler);
signal(SIGHUP,child_sighandler);
/* grandchild does not need to listen for connections, so close the socket */
close(sock);
/* find out who just connected... */
addrlen=sizeof(addr);
rc=getpeername(new_sd,&addr,&addrlen);
if(rc<0){
/* log error to syslog facility */
syslog(LOG_ERR,"Error: Network server getpeername() failure (%d: %s)",errno,strerror(errno));
/* close socket prior to exiting */
close(new_sd);
return;
}
nptr=(struct sockaddr_in *)&addr;
/* log info to syslog facility */
if(debug==TRUE)
syslog(LOG_DEBUG,"Connection from %s port %d",inet_ntoa(nptr->sin_addr),nptr->sin_port);
/* is this is a blessed machine? */
if(allowed_hosts){
switch(nptr->sin_family) {
case AF_INET:
if(!is_an_allowed_host(nptr->sin_addr)) {
/* log error to syslog facility */
syslog(LOG_ERR,"Host %s is not allowed to talk to us!",inet_ntoa(nptr->sin_addr));
/* log info to syslog facility */
if ( debug==TRUE )
syslog(LOG_DEBUG,"Connection from %s closed.",inet_ntoa(nptr->sin_addr));
/* close socket prior to exiting */
close(new_sd);
exit(STATE_OK);
} else {
/* log info to syslog facility */
if(debug==TRUE)
syslog(LOG_DEBUG,"Host address is in allowed_hosts");
}
break;
case AF_INET6:
syslog(LOG_DEBUG,"Connection from %s closed. We don't support AF_INET6 addreess family in ACL\n", inet_ntoa(nptr->sin_addr));
break;
}
}
#ifdef HAVE_LIBWRAP
/* Check whether or not connections are allowed from this host */
request_init(&req,RQ_DAEMON,"nrpe",RQ_FILE,new_sd,0);
fromhost(&req);
if(!hosts_access(&req)){
syslog(LOG_DEBUG,"Connection refused by TCP wrapper");
/* refuse the connection */
refuse(&req);
close(new_sd);
/* should not be reached */
syslog(LOG_ERR,"libwrap refuse() returns!");
exit(STATE_CRITICAL);
}
#endif
/* handle the client connection */
handle_connection(new_sd);
/* log info to syslog facility */
if(debug==TRUE)
syslog(LOG_DEBUG,"Connection from %s closed.",inet_ntoa(nptr->sin_addr));
/* close socket prior to exiting */
close(new_sd);
exit(STATE_OK);
}
/* first child returns immediately, grandchild is inherited by INIT process -> no zombies... */
else
exit(STATE_OK);
}
/* parent ... */
else{
/* parent doesn't need the new connection */
close(new_sd);
/* parent waits for first child to exit */
waitpid(pid,NULL,0);
}
}
/* close the socket we're listening on */
close(sock);
return;
}
static void handleAccept(ServerInfo const *srv)
{
ConnectionInfo *cnx = findAvailableConnection();
if (!cnx) {
return;
}
struct sockaddr addr;
struct in_addr address;
#if HAVE_SOCKLEN_T
socklen_t addrlen;
#else
int addrlen;
#endif
addrlen = sizeof(addr);
SOCKET nfd = accept(srv->fd, &addr, &addrlen);
if (nfd == INVALID_SOCKET) {
syslog(LOG_ERR, "accept(%d): %m", srv->fd);
logEvent(NULL, srv, logAcceptFailed);
return;
}
#if _WIN32
u_long ioctltmp;
#else
int ioctltmp;
#endif
ioctlsocket(nfd, FIONBIO, &ioctltmp);
#ifndef _WIN32
int tmp = 0;
setsockopt(nfd, SOL_SOCKET, SO_LINGER, &tmp, sizeof(tmp));
#endif
cnx->local.fd = INVALID_SOCKET;
cnx->local.recvPos = cnx->local.sentPos = 0;
cnx->local.recvBytes = cnx->local.sentBytes = 0;
cnx->remote.fd = nfd;
cnx->remote.recvPos = cnx->remote.sentPos = 0;
cnx->remote.recvBytes = cnx->remote.sentBytes = 0;
cnx->coClosing = 0;
cnx->coLog = logUnknownError;
cnx->server = srv;
struct sockaddr_in *sin = (struct sockaddr_in *) &addr;
cnx->reAddresses.s_addr = address.s_addr = sin->sin_addr.s_addr;
char const *addressText = inet_ntoa(address);
/* 1. Check global allow rules. If there are no
global allow rules, it's presumed OK at
this step. If there are any, and it doesn't
match at least one, kick it out. */
int good = 1;
for (int j = 0; j < globalRulesCount; ++j) {
if (allRules[j].type == allowRule) {
good = 0;
if (match(addressText, allRules[j].pattern)) {
good = 1;
break;
}
}
}
if (!good) {
refuse(cnx, logNotAllowed);
return;
}
/* 2. Check global deny rules. If it matches
any of the global deny rules, kick it out. */
for (int j = 0; j < globalRulesCount; ++j) {
if (allRules[j].type == denyRule
&& match(addressText, allRules[j].pattern)) {
refuse(cnx, logDenied);
}
}
/* 3. Check allow rules specific to this forwarding rule.
If there are none, it's OK. If there are any,
it must match at least one. */
good = 1;
for (int j = 0; j < srv->rulesCount; ++j) {
if (allRules[srv->rulesStart + j].type == allowRule) {
good = 0;
if (match(addressText,
allRules[srv->rulesStart + j].pattern)) {
good = 1;
break;
}
}
}
if (!good) {
refuse(cnx, logNotAllowed);
return;
}
/* 4. Check deny rules specific to this forwarding rule. If
it matches any of the deny rules, kick it out. */
for (int j = 0; j < srv->rulesCount; ++j) {
if (allRules[srv->rulesStart + j].type == denyRule
&& match(addressText, allRules[srv->rulesStart + j].pattern)) {
refuse(cnx, logDenied);
}
}
/* Now open a connection to the local server.
This, too, is nonblocking. Why wait
for anything when you don't have to? */
struct sockaddr_in saddr;
cnx->local.fd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
if (cnx->local.fd == INVALID_SOCKET) {
syslog(LOG_ERR, "socket(): %m");
closesocket(cnx->remote.fd);
cnx->remote.fd = INVALID_SOCKET;
logEvent(cnx, srv, logLocalSocketFailed);
return;
}
#if 0 // You don't need bind(2) on a socket you'll use for connect(2).
/* Bind the local socket */
saddr.sin_family = AF_INET;
saddr.sin_port = INADDR_ANY;
saddr.sin_addr.s_addr = 0;
if (bind(cnx->local.fd, (struct sockaddr *) &saddr, sizeof(saddr)) == SOCKET_ERROR) {
closesocket(cnx->local.fd);
closesocket(cnx->remote.fd);
cnx->remote.fd = INVALID_SOCKET;
cnx->local.fd = INVALID_SOCKET;
logEvent(cnx, srv, logLocalBindFailed);
return;
}
#endif
memset(&saddr, 0, sizeof(struct sockaddr_in));
saddr.sin_family = AF_INET;
memcpy(&saddr.sin_addr, &srv->localAddr, sizeof(struct in_addr));
saddr.sin_port = srv->localPort;
#ifndef _WIN32
#ifdef __linux__
tmp = 0;
setsockopt(cnx->local.fd, SOL_SOCKET, SO_LINGER, &tmp, sizeof(tmp));
#else
tmp = 1024;
setsockopt(cnx->local.fd, SOL_SOCKET, SO_SNDBUF, &tmp, sizeof(tmp));
#endif /* __linux__ */
#endif /* _WIN32 */
ioctltmp = 1;
ioctlsocket(cnx->local.fd, FIONBIO, &ioctltmp);
if (connect(cnx->local.fd, (struct sockaddr *)&saddr,
sizeof(struct sockaddr_in)) == SOCKET_ERROR)
{
if ((GetLastError() != WSAEINPROGRESS) &&
(GetLastError() != WSAEWOULDBLOCK))
{
PERROR("rinetd: connect");
closesocket(cnx->local.fd);
closesocket(cnx->remote.fd);
cnx->remote.fd = INVALID_SOCKET;
cnx->local.fd = INVALID_SOCKET;
logEvent(cnx, srv, logLocalConnectFailed);
return;
}
}
#ifndef _WIN32
if (cnx->local.fd > maxfd) {
maxfd = cnx->local.fd;
}
if (cnx->remote.fd > maxfd) {
maxfd = cnx->remote.fd;
}
#endif /* _WIN32 */
logEvent(cnx, srv, logOpened);
}
/*
* Main program for the daemon.
*/
int
main(int ac, char **av)
{
extern char *optarg;
extern int optind;
int opt, sock_in = 0, sock_out = 0, newsock, j, i, fdsetsz, on = 1;
pid_t pid;
socklen_t fromlen;
fd_set *fdset;
struct sockaddr_storage from;
const char *remote_ip;
int remote_port;
FILE *f;
struct linger linger;
struct addrinfo *ai;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
int listen_sock, maxfd;
int startup_p[2];
int startups = 0;
Authctxt *authctxt;
Key *key;
int ret, key_used = 0;
#ifdef HAVE_SECUREWARE
(void)set_auth_parameters(ac, av);
#endif
__progname = get_progname(av[0]);
init_rng();
/* Save argv. */
saved_argc = ac;
saved_argv = av;
/* Initialize configuration options to their default values. */
initialize_server_options(&options);
/* Parse command-line arguments. */
while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:u:o:dDeiqtQ46:S")) != -1) {
switch (opt) {
case '4':
IPv4or6 = AF_INET;
break;
case '6':
IPv4or6 = AF_INET6;
break;
case 'f':
config_file_name = optarg;
break;
case 'd':
if (0 == debug_flag) {
debug_flag = 1;
options.log_level = SYSLOG_LEVEL_DEBUG1;
} else if (options.log_level < SYSLOG_LEVEL_DEBUG3) {
options.log_level++;
} else {
fprintf(stderr, "Too high debugging level.\n");
exit(1);
}
break;
case 'D':
no_daemon_flag = 1;
break;
case 'e':
log_stderr = 1;
break;
case 'i':
inetd_flag = 1;
break;
case 'Q':
/* ignored */
break;
case 'q':
options.log_level = SYSLOG_LEVEL_QUIET;
break;
case 'b':
options.server_key_bits = atoi(optarg);
break;
case 'p':
options.ports_from_cmdline = 1;
if (options.num_ports >= MAX_PORTS) {
fprintf(stderr, "too many ports.\n");
exit(1);
}
options.ports[options.num_ports++] = a2port(optarg);
if (options.ports[options.num_ports-1] == 0) {
fprintf(stderr, "Bad port number.\n");
exit(1);
}
break;
case 'g':
if ((options.login_grace_time = convtime(optarg)) == -1) {
fprintf(stderr, "Invalid login grace time.\n");
exit(1);
}
break;
case 'k':
if ((options.key_regeneration_time = convtime(optarg)) == -1) {
fprintf(stderr, "Invalid key regeneration interval.\n");
exit(1);
}
break;
case 'h':
if (options.num_host_key_files >= MAX_HOSTKEYS) {
fprintf(stderr, "too many host keys.\n");
exit(1);
}
options.host_key_files[options.num_host_key_files++] = optarg;
break;
case 'V':
client_version_string = optarg;
/* only makes sense with inetd_flag, i.e. no listen() */
inetd_flag = 1;
break;
case 't':
test_flag = 1;
break;
case 'u':
utmp_len = atoi(optarg);
break;
case 'o':
if (process_server_config_line(&options, optarg,
"command-line", 0) != 0)
exit(1);
break;
case 'S':
protocol = IPPROTO_SCTP;
break;
case '?':
default:
usage();
break;
}
}
SSLeay_add_all_algorithms();
channel_set_af(IPv4or6);
/*
* Force logging to stderr until we have loaded the private host
* key (unless started from inetd)
*/
log_init(__progname,
options.log_level == SYSLOG_LEVEL_NOT_SET ?
SYSLOG_LEVEL_INFO : options.log_level,
options.log_facility == SYSLOG_FACILITY_NOT_SET ?
SYSLOG_FACILITY_AUTH : options.log_facility,
!inetd_flag);
#ifdef _CRAY
/* Cray can define user privs drop all prives now!
* Not needed on PRIV_SU systems!
*/
drop_cray_privs();
#endif
seed_rng();
/* Read server configuration options from the configuration file. */
read_server_config(&options, config_file_name);
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
/* Check that there are no remaining arguments. */
if (optind < ac) {
fprintf(stderr, "Extra argument %s.\n", av[optind]);
exit(1);
}
debug("sshd version %.100s", SSH_VERSION);
/* load private host keys */
sensitive_data.host_keys = xmalloc(options.num_host_key_files*sizeof(Key*));
for (i = 0; i < options.num_host_key_files; i++)
sensitive_data.host_keys[i] = NULL;
sensitive_data.server_key = NULL;
sensitive_data.ssh1_host_key = NULL;
sensitive_data.have_ssh1_key = 0;
sensitive_data.have_ssh2_key = 0;
for (i = 0; i < options.num_host_key_files; i++) {
key = key_load_private(options.host_key_files[i], "", NULL);
sensitive_data.host_keys[i] = key;
if (key == NULL) {
error("Could not load host key: %s",
options.host_key_files[i]);
sensitive_data.host_keys[i] = NULL;
continue;
}
switch (key->type) {
case KEY_RSA1:
sensitive_data.ssh1_host_key = key;
sensitive_data.have_ssh1_key = 1;
break;
case KEY_RSA:
case KEY_DSA:
sensitive_data.have_ssh2_key = 1;
break;
}
debug("private host key: #%d type %d %s", i, key->type,
key_type(key));
}
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
log("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
}
if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) {
log("Disabling protocol version 2. Could not load host key");
options.protocol &= ~SSH_PROTO_2;
}
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
log("sshd: no hostkeys available -- exiting.");
exit(1);
}
/* Check certain values for sanity. */
if (options.protocol & SSH_PROTO_1) {
if (options.server_key_bits < 512 ||
options.server_key_bits > 32768) {
fprintf(stderr, "Bad server key size.\n");
exit(1);
}
/*
* Check that server and host key lengths differ sufficiently. This
* is necessary to make double encryption work with rsaref. Oh, I
* hate software patents. I dont know if this can go? Niels
*/
if (options.server_key_bits >
BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) -
SSH_KEY_BITS_RESERVED && options.server_key_bits <
BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
SSH_KEY_BITS_RESERVED) {
options.server_key_bits =
BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
SSH_KEY_BITS_RESERVED;
debug("Forcing server key to %d bits to make it differ from host key.",
options.server_key_bits);
}
}
if (use_privsep) {
struct passwd *pw;
struct stat st;
if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL)
fatal("Privilege separation user %s does not exist",
SSH_PRIVSEP_USER);
if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) ||
(S_ISDIR(st.st_mode) == 0))
fatal("Missing privilege separation directory: %s",
_PATH_PRIVSEP_CHROOT_DIR);
if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
fatal("Bad owner or mode for %s",
_PATH_PRIVSEP_CHROOT_DIR);
}
/* Configuration looks good, so exit if in test mode. */
if (test_flag)
exit(0);
/*
* Clear out any supplemental groups we may have inherited. This
* prevents inadvertent creation of files with bad modes (in the
* portable version at least, it's certainly possible for PAM
* to create a file, and we can't control the code in every
* module which might be used).
*/
if (setgroups(0, NULL) < 0)
debug("setgroups() failed: %.200s", strerror(errno));
/* Initialize the log (it is reinitialized below in case we forked). */
if (debug_flag && !inetd_flag)
log_stderr = 1;
log_init(__progname, options.log_level, options.log_facility, log_stderr);
/*
* If not in debugging mode, and not started from inetd, disconnect
* from the controlling terminal, and fork. The original process
* exits.
*/
if (!(debug_flag || inetd_flag || no_daemon_flag)) {
#ifdef TIOCNOTTY
int fd;
#endif /* TIOCNOTTY */
if (daemon(0, 0) < 0)
fatal("daemon() failed: %.200s", strerror(errno));
/* Disconnect from the controlling tty. */
#ifdef TIOCNOTTY
fd = open(_PATH_TTY, O_RDWR | O_NOCTTY);
if (fd >= 0) {
(void) ioctl(fd, TIOCNOTTY, NULL);
close(fd);
}
#endif /* TIOCNOTTY */
}
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
/* Initialize the random number generator. */
arc4random_stir();
/* Chdir to the root directory so that the current disk can be
unmounted if desired. */
chdir("/");
/* ignore SIGPIPE */
signal(SIGPIPE, SIG_IGN);
/* Start listening for a socket, unless started from inetd. */
if (inetd_flag) {
int s1;
s1 = dup(0); /* Make sure descriptors 0, 1, and 2 are in use. */
dup(s1);
sock_in = dup(0);
sock_out = dup(1);
startup_pipe = -1;
/*
* We intentionally do not close the descriptors 0, 1, and 2
* as our code for setting the descriptors won\'t work if
* ttyfd happens to be one of those.
*/
debug("inetd sockets after dupping: %d, %d", sock_in, sock_out);
if (options.protocol & SSH_PROTO_1)
generate_ephemeral_server_key();
} else {
for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
continue;
if (num_listen_socks >= MAX_LISTEN_SOCKS)
fatal("Too many listen sockets. "
"Enlarge MAX_LISTEN_SOCKS");
if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
ntop, sizeof(ntop), strport, sizeof(strport),
NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
error("getnameinfo failed");
continue;
}
/* Create socket for listening. */
listen_sock = socket(ai->ai_family, SOCK_STREAM, protocol);
if (listen_sock < 0) {
/* kernel may not support ipv6 */
verbose("socket: %.100s", strerror(errno));
continue;
}
if (fcntl(listen_sock, F_SETFL, O_NONBLOCK) < 0) {
error("listen_sock O_NONBLOCK: %s", strerror(errno));
close(listen_sock);
continue;
}
/*
* Set socket options. We try to make the port
* reusable and have it close as fast as possible
* without waiting in unnecessary wait states on
* close.
*/
setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
&on, sizeof(on));
linger.l_onoff = 1;
linger.l_linger = 5;
setsockopt(listen_sock, SOL_SOCKET, SO_LINGER,
&linger, sizeof(linger));
debug("Bind to port %s on %s.", strport, ntop);
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
if (!ai->ai_next)
error("Bind to port %s on %s failed: %.200s.",
strport, ntop, strerror(errno));
close(listen_sock);
continue;
}
listen_socks[num_listen_socks] = listen_sock;
num_listen_socks++;
/* Start listening on the port. */
log("Server listening on %s port %s.", ntop, strport);
if (listen(listen_sock, 5) < 0)
fatal("listen: %.100s", strerror(errno));
}
freeaddrinfo(options.listen_addrs);
if (!num_listen_socks)
fatal("Cannot bind any address.");
if (options.protocol & SSH_PROTO_1)
generate_ephemeral_server_key();
/*
* Arrange to restart on SIGHUP. The handler needs
* listen_sock.
*/
signal(SIGHUP, sighup_handler);
signal(SIGTERM, sigterm_handler);
signal(SIGQUIT, sigterm_handler);
/* Arrange SIGCHLD to be caught. */
signal(SIGCHLD, main_sigchld_handler);
/* Write out the pid file after the sigterm handler is setup */
if (!debug_flag) {
/*
* Record our pid in /var/run/sshd.pid to make it
* easier to kill the correct sshd. We don't want to
* do this before the bind above because the bind will
* fail if there already is a daemon, and this will
* overwrite any old pid in the file.
*/
f = fopen(options.pid_file, "wb");
if (f) {
fprintf(f, "%ld\n", (long) getpid());
fclose(f);
}
}
/* setup fd set for listen */
fdset = NULL;
maxfd = 0;
for (i = 0; i < num_listen_socks; i++)
if (listen_socks[i] > maxfd)
maxfd = listen_socks[i];
/* pipes connected to unauthenticated childs */
startup_pipes = xmalloc(options.max_startups * sizeof(int));
for (i = 0; i < options.max_startups; i++)
startup_pipes[i] = -1;
/*
* Stay listening for connections until the system crashes or
* the daemon is killed with a signal.
*/
for (;;) {
if (received_sighup)
sighup_restart();
if (fdset != NULL)
xfree(fdset);
fdsetsz = howmany(maxfd+1, NFDBITS) * sizeof(fd_mask);
fdset = (fd_set *)xmalloc(fdsetsz);
memset(fdset, 0, fdsetsz);
for (i = 0; i < num_listen_socks; i++)
FD_SET(listen_socks[i], fdset);
for (i = 0; i < options.max_startups; i++)
if (startup_pipes[i] != -1)
FD_SET(startup_pipes[i], fdset);
/* Wait in select until there is a connection. */
ret = select(maxfd+1, fdset, NULL, NULL, NULL);
if (ret < 0 && errno != EINTR)
error("select: %.100s", strerror(errno));
if (received_sigterm) {
log("Received signal %d; terminating.",
(int) received_sigterm);
close_listen_socks();
unlink(options.pid_file);
exit(255);
}
if (key_used && key_do_regen) {
generate_ephemeral_server_key();
key_used = 0;
key_do_regen = 0;
}
if (ret < 0)
continue;
for (i = 0; i < options.max_startups; i++)
if (startup_pipes[i] != -1 &&
FD_ISSET(startup_pipes[i], fdset)) {
/*
* the read end of the pipe is ready
* if the child has closed the pipe
* after successful authentication
* or if the child has died
*/
close(startup_pipes[i]);
startup_pipes[i] = -1;
startups--;
}
for (i = 0; i < num_listen_socks; i++) {
if (!FD_ISSET(listen_socks[i], fdset))
continue;
fromlen = sizeof(from);
newsock = accept(listen_socks[i], (struct sockaddr *)&from,
&fromlen);
if (newsock < 0) {
if (errno != EINTR && errno != EWOULDBLOCK)
error("accept: %.100s", strerror(errno));
continue;
}
if (fcntl(newsock, F_SETFL, 0) < 0) {
error("newsock del O_NONBLOCK: %s", strerror(errno));
close(newsock);
continue;
}
if (drop_connection(startups) == 1) {
debug("drop connection #%d", startups);
close(newsock);
continue;
}
if (pipe(startup_p) == -1) {
close(newsock);
continue;
}
for (j = 0; j < options.max_startups; j++)
if (startup_pipes[j] == -1) {
startup_pipes[j] = startup_p[0];
if (maxfd < startup_p[0])
maxfd = startup_p[0];
startups++;
break;
}
/*
* Got connection. Fork a child to handle it, unless
* we are in debugging mode.
*/
if (debug_flag) {
/*
* In debugging mode. Close the listening
* socket, and start processing the
* connection without forking.
*/
debug("Server will not fork when running in debugging mode.");
close_listen_socks();
sock_in = newsock;
sock_out = newsock;
startup_pipe = -1;
pid = getpid();
break;
} else {
/*
* Normal production daemon. Fork, and have
* the child process the connection. The
* parent continues listening.
*/
if ((pid = fork()) == 0) {
/*
* Child. Close the listening and max_startup
* sockets. Start using the accepted socket.
* Reinitialize logging (since our pid has
* changed). We break out of the loop to handle
* the connection.
*/
startup_pipe = startup_p[1];
close_startup_pipes();
close_listen_socks();
sock_in = newsock;
sock_out = newsock;
log_init(__progname, options.log_level, options.log_facility, log_stderr);
break;
}
}
/* Parent. Stay in the loop. */
if (pid < 0)
error("fork: %.100s", strerror(errno));
else
debug("Forked child %ld.", (long)pid);
close(startup_p[1]);
/* Mark that the key has been used (it was "given" to the child). */
if ((options.protocol & SSH_PROTO_1) &&
key_used == 0) {
/* Schedule server key regeneration alarm. */
signal(SIGALRM, key_regeneration_alarm);
alarm(options.key_regeneration_time);
key_used = 1;
}
arc4random_stir();
/* Close the new socket (the child is now taking care of it). */
close(newsock);
}
/* child process check (or debug mode) */
if (num_listen_socks < 0)
break;
}
}
/* This is the child processing a new connection. */
/*
* Create a new session and process group since the 4.4BSD
* setlogin() affects the entire process group. We don't
* want the child to be able to affect the parent.
*/
#if 0
/* XXX: this breaks Solaris */
if (!debug_flag && !inetd_flag && setsid() < 0)
error("setsid: %.100s", strerror(errno));
#endif
/*
* Disable the key regeneration alarm. We will not regenerate the
* key since we are no longer in a position to give it to anyone. We
* will not restart on SIGHUP since it no longer makes sense.
*/
alarm(0);
signal(SIGALRM, SIG_DFL);
signal(SIGHUP, SIG_DFL);
signal(SIGTERM, SIG_DFL);
signal(SIGQUIT, SIG_DFL);
signal(SIGCHLD, SIG_DFL);
signal(SIGINT, SIG_DFL);
/*
* Set socket options for the connection. We want the socket to
* close as fast as possible without waiting for anything. If the
* connection is not a socket, these will do nothing.
*/
/* setsockopt(sock_in, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */
linger.l_onoff = 1;
linger.l_linger = 5;
setsockopt(sock_in, SOL_SOCKET, SO_LINGER, &linger, sizeof(linger));
/* Set keepalives if requested. */
if (options.keepalives &&
setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on,
sizeof(on)) < 0)
error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
/*
* Register our connection. This turns encryption off because we do
* not have a key.
*/
packet_set_connection(sock_in, sock_out);
remote_port = get_remote_port();
remote_ip = get_remote_ipaddr();
#ifdef LIBWRAP
/* Check whether logins are denied from this host. */
{
struct request_info req;
request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
fromhost(&req);
if (!hosts_access(&req)) {
debug("Connection refused by tcp wrapper");
refuse(&req);
/* NOTREACHED */
fatal("libwrap refuse returns");
}
}
#endif /* LIBWRAP */
/* Log the connection. */
verbose("Connection from %.500s port %d", remote_ip, remote_port);
/*
* We don\'t want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
* cleared after successful authentication. A limit of zero
* indicates no limit. Note that we don\'t set the alarm in debugging
* mode; it is just annoying to have the server exit just when you
* are about to discover the bug.
*/
signal(SIGALRM, grace_alarm_handler);
if (!debug_flag)
alarm(options.login_grace_time);
sshd_exchange_identification(sock_in, sock_out);
/*
* Check that the connection comes from a privileged port.
* Rhosts-Authentication only makes sense from privileged
* programs. Of course, if the intruder has root access on his local
* machine, he can connect from any port. So do not use these
* authentication methods from machines that you do not trust.
*/
if (options.rhosts_authentication &&
(remote_port >= IPPORT_RESERVED ||
remote_port < IPPORT_RESERVED / 2)) {
debug("Rhosts Authentication disabled, "
"originating port %d not trusted.", remote_port);
options.rhosts_authentication = 0;
}
#if defined(KRB4) && !defined(KRB5)
if (!packet_connection_is_ipv4() &&
options.kerberos_authentication) {
debug("Kerberos Authentication disabled, only available for IPv4.");
options.kerberos_authentication = 0;
}
#endif /* KRB4 && !KRB5 */
#ifdef AFS
/* If machine has AFS, set process authentication group. */
if (k_hasafs()) {
k_setpag();
k_unlog();
}
#endif /* AFS */
packet_set_nonblocking();
if (use_privsep)
if ((authctxt = privsep_preauth()) != NULL)
goto authenticated;
/* perform the key exchange */
/* authenticate user and start session */
if (compat20) {
do_ssh2_kex();
authctxt = do_authentication2();
} else {
do_ssh1_kex();
authctxt = do_authentication();
}
/*
* If we use privilege separation, the unprivileged child transfers
* the current keystate and exits
*/
if (use_privsep) {
mm_send_keystate(pmonitor);
exit(0);
}
authenticated:
/*
* In privilege separation, we fork another child and prepare
* file descriptor passing.
*/
if (use_privsep) {
privsep_postauth(authctxt);
/* the monitor process [priv] will not return */
if (!compat20)
destroy_sensitive_data();
}
/* Perform session preparation. */
do_authenticated(authctxt);
/* The connection has been terminated. */
verbose("Closing connection to %.100s", remote_ip);
#ifdef USE_PAM
finish_pam();
#endif /* USE_PAM */
packet_close();
if (use_privsep)
mm_terminate();
exit(0);
}
int main(int ac, char **av)
{
extern char *optarg;
extern int optind;
int opt, sock_in, sock_out, newsock, i, pid = 0, on = 1;
socklen_t aux;
int remote_major, remote_minor;
int perm_denied = 0;
int ret;
fd_set fdset;
#ifdef HAVE_IPV6_SMTH
struct sockaddr_in6 sin;
#else
struct sockaddr_in sin;
#endif
char buf[100]; /* Must not be larger than remote_version. */
char remote_version[100]; /* Must be at least as big as buf. */
char addr[STRLEN];
char *comment;
char *ssh_remote_version_string = NULL;
FILE *f;
#if defined(SO_LINGER) && defined(ENABLE_SO_LINGER)
struct linger linger;
#endif /* SO_LINGER */
int done;
chdir(BBSHOME);
/* Save argv[0]. */
saved_argv = av;
if (strchr(av[0], '/'))
av0 = strrchr(av[0], '/') + 1;
else
av0 = av[0];
/* Prevent core dumps to avoid revealing sensitive information. */
signals_prevent_core();
/* Set SIGPIPE to be ignored. */
signal(SIGPIPE, SIG_IGN);
/* Initialize configuration options to their default values. */
initialize_server_options(&options);
addr[0]=0;
/* Parse command-line arguments. */
while ((opt = getopt(ac, av, "f:a:p:b:k:h:g:diqV:")) != EOF) {
switch (opt) {
case 'f':
config_file_name = optarg;
break;
case 'd':
debug_flag = 1;
break;
case 'i':
inetd_flag = 1;
break;
case 'q':
options.quiet_mode = 1;
break;
case 'b':
options.server_key_bits = atoi(optarg);
break;
case 'a':
if(optarg[0])
snprintf(addr,STRLEN,"%s",optarg);
break;
case 'p':
if(isdigit(optarg[0]))
options.port=atoi(optarg);
break;
case 'g':
options.login_grace_time = atoi(optarg);
break;
case 'k':
options.key_regeneration_time = atoi(optarg);
break;
case 'h':
options.host_key_file = optarg;
break;
case 'V':
ssh_remote_version_string = optarg;
break;
case '?':
default:
#ifdef F_SECURE_COMMERCIAL
#endif /* F_SECURE_COMMERCIAL */
fprintf(stderr, "sshd version %s [%s]\n", SSH_VERSION, HOSTTYPE);
fprintf(stderr, "Usage: %s [options]\n", av0);
fprintf(stderr, "Options:\n");
fprintf(stderr, " -f file Configuration file (default %s/sshd_config)\n", ETCDIR);
fprintf(stderr, " -d Debugging mode\n");
fprintf(stderr, " -i Started from inetd\n");
fprintf(stderr, " -q Quiet (no logging)\n");
fprintf(stderr, " -a addr Bind to the specified address (default: all)\n");
fprintf(stderr, " -p port Listen on the specified port (default: 22)\n");
fprintf(stderr, " -k seconds Regenerate server key every this many seconds (default: 3600)\n");
fprintf(stderr, " -g seconds Grace period for authentication (default: 300)\n");
fprintf(stderr, " -b bits Size of server RSA key (default: 768 bits)\n");
fprintf(stderr, " -h file File from which to read host key (default: %s)\n", HOST_KEY_FILE);
fprintf(stderr, " -V str Remote version string already read from the socket\n");
exit(1);
}
}
/* Read server configuration options from the configuration file. */
read_server_config(&options, config_file_name);
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
/* Check certain values for sanity. */
if (options.server_key_bits < 512 || options.server_key_bits > 32768) {
fprintf(stderr, "fatal: Bad server key size.\n");
exit(1);
}
if (options.port < 1 || options.port > 65535) {
fprintf(stderr, "fatal: Bad port number.\n");
exit(1);
}
if (options.umask != -1) {
umask(options.umask);
}
/* Check that there are no remaining arguments. */
if (optind < ac) {
fprintf(stderr, "fatal: Extra argument %.100s.\n", av[optind]);
exit(1);
}
/* Initialize the log (it is reinitialized below in case we forked). */
log_init(av0, debug_flag && !inetd_flag, debug_flag || options.fascist_logging, options.quiet_mode, options.log_facility);
debug("sshd version %.100s [%.100s]", SSH_VERSION, HOSTTYPE);
/* Load the host key. It must have empty passphrase. */
done = load_private_key(geteuid(), options.host_key_file, "", &sensitive_data.host_key, &comment);
if (!done) {
if (debug_flag) {
fprintf(stderr, "Could not load host key: %.200s\n", options.host_key_file);
fprintf(stderr, "fatal: Please check that you have sufficient permissions and the file exists.\n");
} else {
log_init(av0, !inetd_flag, 1, 0, options.log_facility);
error("fatal: Could not load host key: %.200s. Check path and permissions.", options.host_key_file);
}
exit(1);
}
xfree(comment);
/* If not in debugging mode, and not started from inetd, disconnect from
the controlling terminal, and fork. The original process exits. */
if (!debug_flag && !inetd_flag)
#ifdef HAVE_DAEMON
if (daemon(0, 0) < 0)
error("daemon: %.100s", strerror(errno));
chdir(BBSHOME);
#else /* HAVE_DAEMON */
{
#ifdef TIOCNOTTY
int fd;
#endif /* TIOCNOTTY */
/* Fork, and have the parent exit. The child becomes the server. */
if (fork())
exit(0);
/* Redirect stdin, stdout, and stderr to /dev/null. */
freopen("/dev/null", "r", stdin);
freopen("/dev/null", "w", stdout);
freopen("/dev/null", "w", stderr);
/* Disconnect from the controlling tty. */
#ifdef TIOCNOTTY
fd = open("/dev/tty", O_RDWR | O_NOCTTY);
if (fd >= 0) {
(void) ioctl(fd, TIOCNOTTY, NULL);
close(fd);
}
#endif /* TIOCNOTTY */
#ifdef HAVE_SETSID
#ifdef ultrix
setpgrp(0, 0);
#else /* ultrix */
if (setsid() < 0)
error("setsid: %.100s", strerror(errno));
#endif
#endif /* HAVE_SETSID */
}
#endif /* HAVE_DAEMON */
/* Reinitialize the log (because of the fork above). */
log_init(av0, debug_flag && !inetd_flag, debug_flag || options.fascist_logging, options.quiet_mode, options.log_facility);
/* Check that server and host key lengths differ sufficiently. This is
necessary to make double encryption work with rsaref. Oh, I hate
software patents. */
if (options.server_key_bits > sensitive_data.host_key.bits - SSH_KEY_BITS_RESERVED && options.server_key_bits < sensitive_data.host_key.bits + SSH_KEY_BITS_RESERVED) {
options.server_key_bits = sensitive_data.host_key.bits + SSH_KEY_BITS_RESERVED;
debug("Forcing server key to %d bits to make it differ from host key.", options.server_key_bits);
}
/* Initialize memory allocation so that any freed MP_INT data will be
zeroed. */
rsa_set_mp_memory_allocation();
/* Do not display messages to stdout in RSA code. */
rsa_set_verbose(debug_flag);
/* Initialize the random number generator. */
debug("Initializing random number generator; seed file %.200s", options.random_seed_file);
random_initialize(&sensitive_data.random_state, geteuid(), options.random_seed_file);
/* Chdir to the root directory so that the current disk can be unmounted
if desired. */
idle_timeout = options.idle_timeout;
/* Start listening for a socket, unless started from inetd. */
if (inetd_flag) {
int s1, s2;
s1 = dup(0); /* Make sure descriptors 0, 1, and 2 are in use. */
s2 = dup(s1);
sock_in = dup(0);
sock_out = dup(1);
/* We intentionally do not close the descriptors 0, 1, and 2 as our
code for setting the descriptors won\'t work if ttyfd happens to
be one of those. */
debug("inetd sockets after dupping: %d, %d", sock_in, sock_out);
/* Generate an rsa key. */
log_msg("Generating %d bit RSA key.", options.server_key_bits);
rsa_generate_key(&sensitive_data.private_key, &public_key, &sensitive_data.random_state, options.server_key_bits);
random_save(&sensitive_data.random_state, geteuid(), options.random_seed_file);
log_msg("RSA key generation complete.");
} else {
/* Create socket for listening. */
#ifdef HAVE_IPV6_SMTH
listen_sock = socket(AF_INET6, SOCK_STREAM, 0);
#else
listen_sock = socket(AF_INET, SOCK_STREAM, 0);
#endif
if (listen_sock < 0)
fatal("socket: %.100s", strerror(errno));
/* Set socket options. We try to make the port reusable and have it
close as fast as possible without waiting in unnecessary wait states
on close. */
setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR, (void *) &on, sizeof(on));
#if defined(SO_LINGER) && defined(ENABLE_SO_LINGER)
linger.l_onoff = 1;
linger.l_linger = 15;
setsockopt(listen_sock, SOL_SOCKET, SO_LINGER, (void *) &linger, sizeof(linger));
#endif /* SO_LINGER */
/* Initialize the socket address. */
memset(&sin, 0, sizeof(sin));
#ifdef HAVE_IPV6_SMTH
sin.sin6_family = AF_INET6;
if ( inet_pton(AF_INET6, addr, &(sin.sin6_addr)) <= 0 )
sin.sin6_addr = in6addr_any;
sin.sin6_port = htons(options.port);
#else
sin.sin_family = AF_INET;
if ( inet_pton(AF_INET, addr, &(sin.sin_addr)) <= 0 )
sin.sin_addr.s_addr = htonl(INADDR_ANY);
sin.sin_port = htons(options.port);
#endif
/* Bind the socket to the desired port. */
if (bind(listen_sock, (struct sockaddr *) &sin, sizeof(sin)) < 0) {
error("bind: %.100s", strerror(errno));
shutdown(listen_sock, 2);
close(listen_sock);
fatal("Bind to port %d failed: %.200s.", options.port, strerror(errno));
}
/* COMMAN : setuid to bbs */
if(setgid(BBSGID)==-1)
exit(8);
if(setuid(BBSUID)==-1)
exit(8);
#if 0 /* etnlegend, 2006.10.31 ... */
if (!debug_flag) {
/* Record our pid in /etc/sshd_pid to make it easier to kill the
correct sshd. We don\'t want to do this before the bind above
because the bind will fail if there already is a daemon, and this
will overwrite any old pid in the file. */
f = fopen(options.pid_file, "w");
if (f) {
fprintf(f, "%u\n", (unsigned int) getpid());
fclose(f);
}
}
#endif
/* Start listening on the port. */
log_msg("Server listening on port %d.", options.port);
if (listen(listen_sock, 5) < 0)
fatal("listen: %.100s", strerror(errno));
/* Generate an rsa key. */
log_msg("Generating %d bit RSA key.", options.server_key_bits);
rsa_generate_key(&sensitive_data.private_key, &public_key, &sensitive_data.random_state, options.server_key_bits);
random_save(&sensitive_data.random_state, geteuid(), options.random_seed_file);
log_msg("RSA key generation complete.");
/* Schedule server key regeneration alarm. */
signal(SIGALRM, key_regeneration_alarm);
alarm(options.key_regeneration_time);
/* Arrange to restart on SIGHUP. The handler needs listen_sock. */
signal(SIGHUP, sighup_handler);
signal(SIGTERM, sigterm_handler);
signal(SIGQUIT, sigterm_handler);
/* AIX sends SIGDANGER when memory runs low. The default action is
to terminate the process. This sometimes makes it difficult to
log in and fix the problem. */
#ifdef SIGDANGER
signal(SIGDANGER, sigdanger_handler);
#endif /* SIGDANGER */
/* Arrange SIGCHLD to be caught. */
signal(SIGCHLD, main_sigchld_handler);
if(!debug_flag){
if(!addr[0])
sprintf(buf,"var/sshbbsd.%d.pid",options.port);
else
sprintf(buf,"var/sshbbsd.%d_%s.pid",options.port,addr);
if((f=fopen(buf,"w"))){
fprintf(f,"%d\n",(int)getpid());
fclose(f);
}
}
/* Stay listening for connections until the system crashes or the
daemon is killed with a signal. */
for (;;) {
if (received_sighup)
sighup_restart();
/* Wait in select until there is a connection. */
FD_ZERO(&fdset);
FD_SET(listen_sock, &fdset);
ret = select(listen_sock + 1, &fdset, NULL, NULL, NULL);
if (ret < 0 || !FD_ISSET(listen_sock, &fdset)) {
if (errno == EINTR)
continue;
error("select: %.100s", strerror(errno));
continue;
}
aux = sizeof(sin);
newsock = accept(listen_sock, (struct sockaddr *) &sin, &aux);
if (newsock < 0) {
if (errno == EINTR)
continue;
error("accept: %.100s", strerror(errno));
continue;
}
/* Got connection. Fork a child to handle it, unless we are in
debugging mode. */
if (debug_flag) {
/* In debugging mode. Close the listening socket, and start
processing the connection without forking. */
debug("Server will not fork when running in debugging mode.");
close(listen_sock);
sock_in = newsock;
sock_out = newsock;
pid = getpid();
#ifdef LIBWRAP
{
struct request_info req;
signal(SIGCHLD, SIG_DFL);
request_init(&req, RQ_DAEMON, av0, RQ_FILE, newsock, NULL);
fromhost(&req);
if (!hosts_access(&req))
refuse(&req);
syslog(allow_severity, "connect from %s", eval_client(&req));
}
#endif /* LIBWRAP */
break;
} else {
#ifdef CHECK_IP_LINK
#ifdef HAVE_IPV6_SMTH
if (check_IP_lists(sin.sin6_addr)==0)
#else
if (check_IP_lists(sin.sin_addr.s_addr)==0)
#endif
#endif
/* Normal production daemon. Fork, and have the child process
the connection. The parent continues listening. */
if ((pid = fork()) == 0) {
/* Child. Close the listening socket, and start using
the accepted socket. Reinitialize logging (since our
pid has changed). We break out of the loop to handle
the connection. */
close(listen_sock);
sock_in = newsock;
sock_out = newsock;
#ifdef LIBWRAP
{
struct request_info req;
signal(SIGCHLD, SIG_DFL);
request_init(&req, RQ_DAEMON, av0, RQ_FILE, newsock, NULL);
fromhost(&req);
if (!hosts_access(&req))
refuse(&req);
syslog(allow_severity, "connect from %s", eval_client(&req));
}
#endif /* LIBWRAP */
log_init(av0, debug_flag && !inetd_flag, options.fascist_logging || debug_flag, options.quiet_mode, options.log_facility);
break;
}
}
/* Parent. Stay in the loop. */
if (pid < 0)
error("fork: %.100s", strerror(errno));
else
debug("Forked child %d.", pid);
/* Mark that the key has been used (it was "given" to the child). */
key_used = 1;
random_acquire_light_environmental_noise(&sensitive_data.random_state);
/* Close the new socket (the child is now taking care of it). */
close(newsock);
}
}
/* This is the child processing a new connection. */
/* Disable the key regeneration alarm. We will not regenerate the key
since we are no longer in a position to give it to anyone. We will
not restart on SIGHUP since it no longer makes sense. */
alarm(0);
signal(SIGALRM, SIG_DFL);
signal(SIGHUP, SIG_DFL);
signal(SIGTERM, SIG_DFL);
signal(SIGQUIT, SIG_DFL);
signal(SIGCHLD, SIG_DFL);
/* Set socket options for the connection. We want the socket to close
as fast as possible without waiting for anything. If the connection
is not a socket, these will do nothing. */
/* setsockopt(sock_in, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */
#if defined(SO_LINGER) && defined(ENABLE_SO_LINGER)
linger.l_onoff = 1;
linger.l_linger = 15;
setsockopt(sock_in, SOL_SOCKET, SO_LINGER, (void *) &linger, sizeof(linger));
#endif /* SO_LINGER */
/* Register our connection. This turns encryption off because we do not
have a key. */
packet_set_connection(sock_in, sock_out, &sensitive_data.random_state);
/* Log the connection. */
log_msg("Connection from %.100s port %d", get_remote_ipaddr(), get_remote_port());
/* Check whether logins are denied from this host. */
{
const char *hostname = get_canonical_hostname();
const char *ipaddr = get_remote_ipaddr();
int i;
if (options.num_deny_hosts > 0) {
for (i = 0; i < options.num_deny_hosts; i++)
if (match_host(hostname, ipaddr, options.deny_hosts[i]))
perm_denied = 1;
}
if ((!perm_denied) && options.num_allow_hosts > 0) {
for (i = 0; i < options.num_allow_hosts; i++)
if (match_host(hostname, ipaddr, options.allow_hosts[i]))
break;
if (i >= options.num_allow_hosts)
perm_denied = 1;
}
if (perm_denied && options.silent_deny) {
close(sock_in);
close(sock_out);
exit(0);
}
}
/* We don't want to listen forever unless the other side successfully
authenticates itself. So we set up an alarm which is cleared after
successful authentication. A limit of zero indicates no limit.
Note that we don't set the alarm in debugging mode; it is just annoying
to have the server exit just when you are about to discover the bug. */
signal(SIGALRM, grace_alarm_handler);
if (!debug_flag)
alarm(options.login_grace_time);
if (ssh_remote_version_string == NULL) {
/* Send our protocol version identification. */
snprintf(buf, sizeof(buf), "SSH-%d.%d-%.50s", PROTOCOL_MAJOR, PROTOCOL_MINOR, SSH_VERSION);
strcat(buf, "\n");
if (write(sock_out, buf, strlen(buf)) != strlen(buf))
fatal_severity(SYSLOG_SEVERITY_INFO, "Could not write ident string.");
}
if (ssh_remote_version_string == NULL) {
/* Read other side\'s version identification. */
for (i = 0; i < sizeof(buf) - 1; i++) {
if (read(sock_in, &buf[i], 1) != 1)
fatal_severity(SYSLOG_SEVERITY_INFO, "Did not receive ident string.");
if (buf[i] == '\r') {
buf[i] = '\n';
buf[i + 1] = 0;
break;
}
if (buf[i] == '\n') {
/* buf[i] == '\n' */
buf[i + 1] = 0;
break;
}
}
buf[sizeof(buf) - 1] = 0;
} else {
strncpy(buf, ssh_remote_version_string, sizeof(buf) - 1);
buf[sizeof(buf) - 1] = 0;
}
/* Check that the versions match. In future this might accept several
versions and set appropriate flags to handle them. */
if (sscanf(buf, "SSH-%d.%d-%[^\n]\n", &remote_major, &remote_minor, remote_version) != 3) {
const char *s = "Protocol mismatch.\n";
(void) write(sock_out, s, strlen(s));
close(sock_in);
close(sock_out);
fatal_severity(SYSLOG_SEVERITY_INFO, "Bad protocol version identification: %.100s", buf);
}
debug("Client protocol version %d.%d; client software version %.100s", remote_major, remote_minor, remote_version);
switch (check_emulation(remote_major, remote_minor, NULL, NULL)) {
case EMULATE_MAJOR_VERSION_MISMATCH:
{
const char *s = "Protocol major versions differ.\n";
(void) write(sock_out, s, strlen(s));
close(sock_in);
close(sock_out);
fatal_severity(SYSLOG_SEVERITY_INFO, "Protocol major versions differ: %d vs. %d", PROTOCOL_MAJOR, remote_major);
}
break;
case EMULATE_VERSION_TOO_OLD:
packet_disconnect("Your ssh version is too old and is no " "longer supported. Please install a newer version.");
break;
case EMULATE_VERSION_NEWER:
packet_disconnect("This server does not support your " "new ssh version.");
break;
case EMULATE_VERSION_OK:
break;
default:
fatal("Unexpected return value from check_emulation.");
}
if (perm_denied) {
const char *hostname = get_canonical_hostname();
log_msg("Connection from %.200s not allowed.\n", hostname);
packet_disconnect("Sorry, you are not allowed to connect.");
/*NOTREACHED*/}
packet_set_nonblocking();
/* Handle the connection. We pass as argument whether the connection
came from a privileged port. */
do_connection(get_remote_port() < 1024);
/* The connection has been terminated. */
log_msg("Closing connection to %.100s", get_remote_ipaddr());
packet_close();
exit(0);
}
