31 #include "../misc/network.h"
32 #include "../misc/plugutils.h"
41 #include <arpa/inet.h>
46 #include <glib/gstdio.h>
47 #include <gvm/base/logging.h>
48 #include <gvm/base/networking.h>
49 #include <gvm/base/prefs.h>
50 #include <gvm/util/kb.h>
51 #include <netinet/in.h>
55 #include <sys/select.h>
56 #include <sys/socket.h>
58 #include <sys/types.h>
62 #define DIM(v) (sizeof (v) / sizeof ((v)[0]))
63 #define DIMof(type, member) DIM (((type *) 0)->member)
67 #error Oops, libssh ABI changed
74 #define G_LOG_DOMAIN "lib nasl"
116 #define MAX_SSH_SESSIONS 10
127 g_string_append (gstr,
",");
128 g_string_append (gstr, str);
138 static int initialized;
139 static int last = 9000;
168 static unsigned short
172 int type = KB_TYPE_INT;
173 unsigned short port, *port_aux = NULL;
/* Read the user-configured SSH port preference.  With a NULL endptr,
   strtoul() cannot report trailing junk ("22abc" parses as 22), and the
   cast to unsigned short silently truncates larger results: with a 16-bit
   unsigned short, 65558 is accepted as port 22.  Text with no leading
   digits yields 0, which the "> 0" test rejects.
   NOTE(review): consider checking endptr and the 1..65535 range before
   the cast. */
175 value = prefs_get (
"auth_port_ssh");
176 if (value && (port = (
unsigned short) strtoul (value, NULL, 10)) > 0)
180 "Services/ssh", &type, NULL, 0);
186 if (type == KB_TYPE_INT && port > 0)
239 const char *key_type, *csciphers, *scciphers, *s;
240 char ip_str[INET6_ADDRSTRLEN];
242 unsigned int tbl_slot;
244 int forced_sock = -1;
260 g_message (
"Function %s called from %s: "
261 "Failed to allocate a new SSH session",
/* libssh log verbosity is taken from the OPENVAS_LIBSSH_DEBUG environment
   variable.  atoi() has no error reporting: non-numeric text becomes 0 and
   the value is handed to libssh without a range check.  The return value
   of this ssh_options_set() call is not checked.
   NOTE(review): high libssh verbosity can produce very detailed output;
   confirm where it ends up when the scan handles credentials. */
266 if ((s = getenv (
"OPENVAS_LIBSSH_DEBUG")))
271 int intval = atoi (s);
273 ssh_options_set (
session, SSH_OPTIONS_LOG_VERBOSITY, &intval);
277 if (ssh_options_set (
session, SSH_OPTIONS_HOST, ip_str))
279 g_message (
"Function %s called from %s: "
280 "Failed to set SSH hostname '%s': %s",
/* Points libssh's known_hosts file at /dev/null, so no previously stored
   host key is consulted for this session (the error message that follows
   calls this "disable SSH known_hosts").
   NOTE(review): the visible lines show no other host-key verification
   before credentials are sent; confirm this is the intended trust model
   for the scanner. */
287 if (ssh_options_set (
session, SSH_OPTIONS_KNOWNHOSTS,
"/dev/null"))
289 g_message (
"Function %s called from %s: "
290 "Failed to disable SSH known_hosts: %s",
299 if (key_type && ssh_options_set (
session, SSH_OPTIONS_HOSTKEYS, key_type))
301 g_message (
"Function %s called from %s: "
302 "Failed to set SSH key type '%s': %s",
304 key_type, ssh_get_error (
session));
311 && ssh_options_set (
session, SSH_OPTIONS_CIPHERS_C_S, csciphers))
313 g_message (
"Function %s called from %s: "
314 "Failed to set SSH client to server ciphers '%s': %s",
316 csciphers, ssh_get_error (
session));
322 && ssh_options_set (
session, SSH_OPTIONS_CIPHERS_S_C, scciphers))
324 g_message (
"Function %s called from %s: "
325 "Failed to set SSH server to client ciphers '%s': %s",
327 scciphers, ssh_get_error (
session));
334 unsigned int my_port = port;
336 if (ssh_options_set (
session, SSH_OPTIONS_PORT, &my_port))
338 g_message (
"Function %s called from %s: "
339 "Failed to set SSH port for '%s' to %d: %s",
341 ip_str, port, ssh_get_error (
session));
351 g_message (
"Setting SSH fd for '%s' to %d (NASL sock=%d)", ip_str,
353 if (ssh_options_set (
session, SSH_OPTIONS_FD, &my_fd))
355 g_message (
"Function %s called from %s: "
356 "Failed to set SSH fd for '%s' to %d (NASL sock=%d): %s",
373 g_message (
"No space left in SSH session table");
386 g_message (
"Connecting to SSH server '%s' (port %d, sock %d)", ip_str, port,
391 g_message (
"Failed to connect to SSH server '%s'"
392 " (port %d, sock %d, f=%d): %s",
393 ip_str, port,
sock, forced_sock, ssh_get_error (
session));
394 if (forced_sock != -1)
416 forced_sock != -1 ? forced_sock : ssh_get_fd (
session);
433 unsigned int tbl_slot;
437 nasl_perror (lexic,
"Invalid SSH session id %d passed to %s",
521 unsigned int tbl_slot;
559 unsigned int tbl_slot;
629 rc = ssh_userauth_none (
session, NULL);
630 if (rc == SSH_AUTH_SUCCESS)
632 g_message (
"SSH authentication succeeded using the none method - "
633 "should not happen; very old server?");
638 else if (rc == SSH_AUTH_DENIED)
640 methods = ssh_userauth_list (
session, NULL);
645 g_message (
"SSH server did not return a list of authentication methods"
647 methods = (SSH_AUTH_METHOD_NONE | SSH_AUTH_METHOD_PASSWORD
648 | SSH_AUTH_METHOD_PUBLICKEY | SSH_AUTH_METHOD_HOSTBASED
649 | SSH_AUTH_METHOD_INTERACTIVE);
654 fputs (
"SSH available authentication methods:", stderr);
655 if ((methods & SSH_AUTH_METHOD_NONE))
656 fputs (
" none", stderr);
657 if ((methods & SSH_AUTH_METHOD_PASSWORD))
658 fputs (
" password", stderr);
659 if ((methods & SSH_AUTH_METHOD_PUBLICKEY))
660 fputs (
" publickey", stderr);
661 if ((methods & SSH_AUTH_METHOD_HOSTBASED))
662 fputs (
" hostbased", stderr);
663 if ((methods & SSH_AUTH_METHOD_INTERACTIVE))
664 fputs (
" keyboard-interactive", stderr);
665 fputs (
"\n", stderr);
723 username = kb_item_get_str (kb,
"Secret/SSH/login");
725 if (username && *username
726 && ssh_options_set (
session, SSH_OPTIONS_USER, username))
728 g_message (
"Function %s called from %s: "
729 "Failed to set SSH username '%s': %s",
731 username, ssh_get_error (
session));
804 char *password = NULL;
805 char *privkeystr = NULL;
806 char *privkeypass = NULL;
825 if (!password && !privkeystr && !privkeypass)
827 password = kb_item_get_str (kb,
"Secret/SSH/password");
828 privkeystr = kb_item_get_str (kb,
"Secret/SSH/privatekey");
829 privkeypass = kb_item_get_str (kb,
"Secret/SSH/passphrase");
849 if (password && (methods & SSH_AUTH_METHOD_PASSWORD))
851 rc = ssh_userauth_password (
session, NULL, password);
852 if (rc == SSH_AUTH_SUCCESS)
859 g_message (
"SSH password authentication failed for session"
865 if (password && (methods & SSH_AUTH_METHOD_INTERACTIVE))
869 while ((rc = ssh_userauth_kbdint (
session, NULL, NULL)) == SSH_AUTH_INFO)
874 int found_prompt = 0;
878 s = ssh_userauth_kbdint_getname (
session);
880 g_message (
"SSH kbdint name='%s'", s);
881 s = ssh_userauth_kbdint_getinstruction (
session);
883 g_message (
"SSH kbdint instruction='%s'", s);
885 nprompt = ssh_userauth_kbdint_getnprompts (
session);
886 for (n = 0; n < nprompt; n++)
/* The prompt text is supplied by the remote server.  It is passed to
   g_message() as a '%s' argument, so it cannot act as a format string,
   but it is otherwise logged as received.
   NOTE(review): confirm the log handler escapes control characters. */
888 s = ssh_userauth_kbdint_getprompt (
session, n, &echoflag);
890 g_message (
"SSH kbdint prompt='%s'%s", s,
891 echoflag ?
"" :
" [hide input]");
/* The password is given as the answer to a non-empty prompt that has echo
   disabled, whatever the prompt text says.  found_prompt presumably limits
   this to the first such prompt; its update is not in the lines shown. */
892 if (s && *s && !echoflag && !found_prompt)
895 rc = ssh_userauth_kbdint_setanswer (
session, n, password);
896 if (rc != SSH_AUTH_SUCCESS)
899 g_message (
"SSH keyboard-interactive authentication "
900 "failed at prompt %d for session %d: %s",
907 if (rc == SSH_AUTH_SUCCESS)
915 "SSH keyboard-interactive authentication failed for session %d"
922 if (privkeystr && *privkeystr && (methods & SSH_AUTH_METHOD_PUBLICKEY))
926 if (ssh_pki_import_privkey_base64 (privkeystr, privkeypass, NULL, NULL,
930 g_message (
"SSH public key authentication failed for "
934 else if (ssh_userauth_try_publickey (
session, NULL, key)
938 g_message (
"SSH public key authentication failed for "
942 else if (ssh_userauth_publickey (
session, NULL, key) == SSH_AUTH_SUCCESS)
953 g_message (
"SSH authentication failed for session %d: %s",
session_id,
954 "No more authentication methods to try");
/* Releases the private-key passphrase buffer.  g_free() does not clear
   the memory first, so the passphrase bytes remain in the freed heap block
   until it is reused.
   NOTE(review): consider wiping secrets before freeing them (for example
   with explicit_bzero() where available), and confirm password and
   privkeystr are handled the same way in the lines not shown. */
959 g_free (privkeypass);
997 const char *s = NULL;
1024 if (methods & SSH_AUTH_METHOD_INTERACTIVE)
1028 while ((rc = ssh_userauth_kbdint (
session, NULL, NULL)) == SSH_AUTH_INFO)
1032 int found_prompt = 0;
1036 s = ssh_userauth_kbdint_getname (
session);
1038 g_message (
"SSH kbdint name='%s'", s);
1039 s = ssh_userauth_kbdint_getinstruction (
session);
1041 g_message (
"SSH kbdint instruction='%s'", s);
1044 nprompt = ssh_userauth_kbdint_getnprompts (
session);
1045 for (n = 0; n < nprompt; n++)
1047 s = ssh_userauth_kbdint_getprompt (
session, n, &echoflag);
1049 g_message (
"SSH kbdint prompt='%s'%s", s,
1050 echoflag ?
"" :
" [hide input]");
1051 if (s && *s && !echoflag && !found_prompt)
1057 "SSH keyboard-interactive authentication failed for session %d"
1071 retc->
size = strlen (s);
1108 const char *password = NULL;
1124 rc = ssh_userauth_kbdint_setanswer (
session, 0, password);
1129 g_message (
"SSH keyboard-interactive authentication "
1130 "failed at prompt %d for session %d: %s",
1139 while ((rc = ssh_userauth_kbdint (
session, NULL, NULL)) == SSH_AUTH_INFO)
1141 ssh_userauth_kbdint_getnprompts (
session);
1143 if (rc == SSH_AUTH_SUCCESS)
1148 if (rc != SSH_AUTH_SUCCESS)
1160 retc->
x.
i_val = retc_val;
1169 g_message (
"exec_ssh_cmd: Timeout");
1189 int to_stdout,
int to_stderr, GString *response,
1190 GString *compat_buf)
1201 g_message (
"Function %s called from %s: ssh_channel_new failed: %s",
1207 if (ssh_channel_open_session (
channel))
1211 g_message (
"ssh_channel_open_session failed: %s",
1218 g_message (
"ssh_channel_request_pty failed: %s", ssh_get_error (
session));
1220 if (ssh_channel_request_exec (
channel, cmd))
1224 g_message (
"ssh_channel_request_exec failed for '%s': %s", cmd,
/* Installs _exit itself as the SIGALRM handler (assuming this is the POSIX
   _exit): when the alarm fires, the process terminates immediately with the
   signal number as its exit status, without running atexit handlers or
   flushing stdio buffers.  The previous disposition returned by signal() is
   discarded, so it cannot be restored from here.
   NOTE(review): confirm the caller expects the whole process to end on a
   timeout rather than just the SSH command. */
1230 signal (SIGALRM, _exit);
1233 if ((rc = ssh_channel_read_timeout (
channel, buffer,
sizeof (buffer), 1,
1238 g_string_append_len (response, buffer, rc);
1240 g_string_append_len (compat_buf, buffer, rc);
1242 if (rc == SSH_ERROR)
1248 if ((rc = ssh_channel_read_timeout (
channel, buffer,
sizeof (buffer), 0,
1253 g_string_append_len (response, buffer, rc);
1255 if (rc == SSH_ERROR)
1325 GString *response, *compat_buf;
1329 int to_stdout, to_stderr, compat_mode, compat_buf_inuse;
1341 g_message (
"Function %s called from %s: No command passed",
1349 if (to_stdout == -1 && to_stderr == -1)
1354 else if (to_stdout == 0 && to_stderr == 0)
/* compat_buf is declared as a GString pointer (listing line 1325), so
   &compat_buf and sizeof (compat_buf) refer to the pointer variable: this
   zeroes the pointer itself, not a GString object.
   NOTE(review): a plain "compat_buf = NULL" would state the intent more
   clearly -- confirm against the full function. */
1366 memset (&compat_buf,
'\0',
sizeof (compat_buf));
1370 response = g_string_sized_new (512);
1373 compat_buf = g_string_sized_new (512);
1374 compat_buf_inuse = 1;
1377 compat_buf_inuse = 0;
1380 response, compat_buf);
1381 if (rc == SSH_ERROR)
1383 if (compat_buf_inuse)
1384 g_string_free (compat_buf, TRUE);
1385 g_string_free (response, TRUE);
1390 if (compat_buf_inuse)
1392 len = compat_buf->len;
1393 p = g_string_free (compat_buf, FALSE);
1396 g_string_append_len (response, p, len);
1402 len = response->len;
1403 p = g_string_free (response, FALSE);
1406 g_message (
"Function %s called from %s: memory problem: %s",
/* The issue banner is text sent by the remote server.  A private copy is
   made with g_strdup() and the libssh buffer is then released with
   ssh_string_free_char().  size is taken with strlen(), so it is the length
   up to the first NUL byte.
   NOTE(review): banner must be non-NULL before strlen(); that check is
   presumably in the listing lines not shown here -- confirm. */
1457 banner = ssh_get_issue_banner (
session);
1462 retc->
x.
str_val = g_strdup (banner);
1463 retc->
size = strlen (banner);
1464 ssh_string_free_char (banner);
1500 banner = ssh_get_serverbanner (
session);
1505 retc->
x.
str_val = g_strdup (banner);
1506 retc->
size = strlen (banner);
1540 sstring = ssh_get_pubkey (
session);
1545 retc->
x.
str_val = ssh_string_to_char (sstring);
1546 retc->
size = ssh_string_len (sstring);
1547 ssh_string_free (sstring);
1590 buffer = g_string_sized_new (128);
1591 if ((methods & SSH_AUTH_METHOD_NONE))
1593 if ((methods & SSH_AUTH_METHOD_PASSWORD))
1595 if ((methods & SSH_AUTH_METHOD_PUBLICKEY))
1597 if ((methods & SSH_AUTH_METHOD_HOSTBASED))
1599 if ((methods & SSH_AUTH_METHOD_INTERACTIVE))
1601 g_string_append_c (buffer, 0x00);
1602 p = g_string_free (buffer, FALSE);
1608 retc->
size = strlen (p);
1616 g_message (
"request_ssh_shell: Timeout");
1634 if (ssh_channel_request_pty (
channel))
1636 if (ssh_channel_change_pty_size (
channel, 80, 24))
1638 if (ssh_channel_request_shell (
channel))
1641 signal (SIGALRM, _exit);
1675 if (ssh_channel_open_session (
channel))
1677 g_message (
"Function %s called from %s: ssh_channel_open_session: %s",
1686 g_message (
"Function %s called from %s: request_ssh_shell: %s",
1715 if (!ssh_channel_is_open (
channel) || ssh_channel_is_eof (
channel))
1718 if ((rc = ssh_channel_read_nonblocking (
channel, buffer,
sizeof (buffer), 1))
1720 g_string_append_len (response, buffer, rc);
1721 if (rc == SSH_ERROR)
1723 if ((rc = ssh_channel_read_nonblocking (
channel, buffer,
sizeof (buffer), 0))
1725 g_string_append_len (response, buffer, rc);
1726 if (rc == SSH_ERROR)
1758 response = g_string_new (NULL);
1762 retc->
size = response->len;
1763 retc->
x.
str_val = g_string_free (response, FALSE);
1795 g_message (
"ssh_shell_write: No shell channel found");
1802 g_message (
"Function %s called from %s: No command passed",
1807 if (ssh_channel_write (
channel, cmd, len) != len)