guacamole-spice-protocol/src/protocols/ssh/ssh_client.c

585 lines
19 KiB
C
Raw Normal View History

/*
* Copyright (C) 2013 Glyptodon LLC
2013-05-18 03:47:05 +00:00
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
2013-05-18 03:47:05 +00:00
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
2013-05-18 03:47:05 +00:00
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
2014-01-01 22:44:28 +00:00
#include "config.h"
2013-05-18 03:47:05 +00:00
2014-01-01 22:44:28 +00:00
#include "client.h"
#include "sftp.h"
#include "ssh_key.h"
2014-06-11 17:06:18 +00:00
#include "terminal.h"
#ifdef ENABLE_SSH_AGENT
#include "ssh_agent.h"
#endif
#include <libssh2.h>
#include <libssh2_sftp.h>
#include <guacamole/client.h>
#include <guacamole/protocol.h>
#include <guacamole/socket.h>
#include <openssl/err.h>
2014-06-11 17:06:18 +00:00
#include <openssl/ssl.h>
2014-01-01 22:44:28 +00:00
#ifdef LIBSSH2_USES_GCRYPT
#include <gcrypt.h>
#endif
2014-01-01 22:44:28 +00:00
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <pthread.h>
2014-06-11 17:06:18 +00:00
#include <stdbool.h>
#include <stddef.h>
2013-05-18 03:47:05 +00:00
#include <stdio.h>
2014-06-11 17:06:18 +00:00
#include <stdlib.h>
2013-05-18 05:53:13 +00:00
#include <string.h>
2014-04-11 20:45:19 +00:00
#include <sys/select.h>
#include <sys/socket.h>
2014-06-11 17:06:18 +00:00
#include <sys/time.h>
2013-05-20 08:23:21 +00:00
void* ssh_input_thread(void* data) {
guac_client* client = (guac_client*) data;
ssh_guac_client_data* client_data = (ssh_guac_client_data*) client->data;
char buffer[8192];
int bytes_read;
/* Write all data read */
while ((bytes_read = guac_terminal_read_stdin(client_data->term, buffer, sizeof(buffer))) > 0) {
pthread_mutex_lock(&(client_data->term_channel_lock));
libssh2_channel_write(client_data->term_channel, buffer, bytes_read);
pthread_mutex_unlock(&(client_data->term_channel_lock));
}
2013-05-20 08:23:21 +00:00
return NULL;
}
2013-12-02 00:31:11 +00:00
static int __sign_callback(LIBSSH2_SESSION* session,
unsigned char** sig, size_t* sig_len,
const unsigned char* data, size_t data_len, void **abstract) {
ssh_key* key = (ssh_key*) abstract;
2014-04-11 20:45:19 +00:00
int length;
2013-12-02 00:31:11 +00:00
/* Allocate space for signature */
*sig = malloc(4096);
/* Sign with key */
2014-04-11 20:45:19 +00:00
length = ssh_key_sign(key, (const char*) data, data_len, *sig);
if (length < 0)
2013-12-02 00:31:11 +00:00
return 1;
2014-04-11 20:45:19 +00:00
*sig_len = length;
2013-12-02 00:31:11 +00:00
return 0;
}
2013-12-02 00:31:11 +00:00
/**
* Callback for the keyboard-interactive authentication method. Currently
* suports just one prompt for the password.
*/
static void __kbd_callback(const char *name, int name_len,
const char *instruction, int instruction_len,
int num_prompts,
const LIBSSH2_USERAUTH_KBDINT_PROMPT *prompts,
LIBSSH2_USERAUTH_KBDINT_RESPONSE *responses,
2014-07-17 18:49:24 +00:00
void **abstract) {
guac_client* client = (guac_client*) *abstract;
ssh_guac_client_data* client_data = (ssh_guac_client_data*) client->data;
if (num_prompts == 1) {
responses[0].text = strdup(client_data->password);
responses[0].length = strlen(client_data->password);
}
2014-07-17 18:49:24 +00:00
else
guac_client_log(client, GUAC_LOG_WARNING,
"Unsupported number of keyboard-interactive prompts: %i",
num_prompts);
2013-12-02 00:31:11 +00:00
2014-07-17 18:49:24 +00:00
}
static LIBSSH2_SESSION* __guac_ssh_create_session(guac_client* client,
int* socket_fd) {
2013-12-02 00:26:41 +00:00
int retval;
int fd;
2013-12-02 00:26:41 +00:00
struct addrinfo* addresses;
struct addrinfo* current_address;
char connected_address[1024];
char connected_port[64];
2014-07-17 18:49:24 +00:00
char *user_authlist;
ssh_guac_client_data* client_data = (ssh_guac_client_data*) client->data;
2013-12-02 00:26:41 +00:00
struct addrinfo hints = {
.ai_family = AF_UNSPEC,
.ai_socktype = SOCK_STREAM,
.ai_protocol = IPPROTO_TCP
};
/* Get socket */
fd = socket(AF_INET, SOCK_STREAM, 0);
2013-12-02 00:26:41 +00:00
/* Get addresses connection */
if ((retval = getaddrinfo(client_data->hostname, client_data->port,
&hints, &addresses))) {
2014-03-22 02:47:42 +00:00
guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR, "Error parsing given address or port: %s",
2013-12-02 00:26:41 +00:00
gai_strerror(retval));
return NULL;
}
/* Attempt connection to each address until success */
current_address = addresses;
while (current_address != NULL) {
int retval;
/* Resolve hostname */
if ((retval = getnameinfo(current_address->ai_addr,
current_address->ai_addrlen,
connected_address, sizeof(connected_address),
connected_port, sizeof(connected_port),
NI_NUMERICHOST | NI_NUMERICSERV)))
guac_client_log(client, GUAC_LOG_DEBUG, "Unable to resolve host: %s", gai_strerror(retval));
2013-12-02 00:26:41 +00:00
/* Connect */
if (connect(fd, current_address->ai_addr,
current_address->ai_addrlen) == 0) {
guac_client_log(client, GUAC_LOG_DEBUG, "Successfully connected to "
2013-12-02 00:26:41 +00:00
"host %s, port %s", connected_address, connected_port);
/* Done if successful connect */
break;
}
/* Otherwise log information regarding bind failure */
else
guac_client_log(client, GUAC_LOG_DEBUG, "Unable to connect to "
2013-12-02 00:26:41 +00:00
"host %s, port %s: %s",
connected_address, connected_port, strerror(errno));
current_address = current_address->ai_next;
}
2013-12-02 00:26:41 +00:00
/* If unable to connect to anything, fail */
if (current_address == NULL) {
2014-03-22 02:47:42 +00:00
guac_client_abort(client, GUAC_PROTOCOL_STATUS_UPSTREAM_ERROR, "Unable to connect to any addresses.");
return NULL;
}
2013-12-02 17:23:31 +00:00
/* Free addrinfo */
freeaddrinfo(addresses);
/* Open SSH session */
2013-12-02 01:05:55 +00:00
LIBSSH2_SESSION* session = libssh2_session_init_ex(NULL, NULL,
NULL, client);
if (session == NULL) {
2014-03-22 02:47:42 +00:00
guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR, "Session allocation failed.");
return NULL;
}
/* Perform handshake */
if (libssh2_session_handshake(session, fd)) {
2014-03-22 02:47:42 +00:00
guac_client_abort(client, GUAC_PROTOCOL_STATUS_UPSTREAM_ERROR, "SSH handshake failed.");
return NULL;
}
/* Save file descriptor */
if (socket_fd != NULL)
*socket_fd = fd;
2014-07-17 18:49:24 +00:00
/* Get list of suported authentication methods */
user_authlist = libssh2_userauth_list(session, client_data->username, strlen(client_data->username));
guac_client_log(client, GUAC_LOG_DEBUG, "Supported authentication methods: %s", user_authlist);
2013-10-31 06:19:11 +00:00
/* Authenticate with key if available */
if (client_data->key != NULL) {
2014-07-17 18:49:24 +00:00
/* Check if public key auth is suported on the server */
if (strstr(user_authlist, "publickey") == NULL) {
guac_client_abort(client, GUAC_PROTOCOL_STATUS_CLIENT_UNAUTHORIZED,
"Public key authentication not suported");
return NULL;
}
2013-12-02 00:31:11 +00:00
if (!libssh2_userauth_publickey(session, client_data->username,
(unsigned char*) client_data->key->public_key,
client_data->key->public_key_length,
__sign_callback, (void**) client_data->key))
2013-10-31 06:19:11 +00:00
return session;
else {
2013-12-02 00:31:11 +00:00
char* error_message;
libssh2_session_last_error(session, &error_message, NULL, 0);
2014-03-22 02:47:42 +00:00
guac_client_abort(client, GUAC_PROTOCOL_STATUS_CLIENT_UNAUTHORIZED,
2013-12-02 00:31:11 +00:00
"Public key authentication failed: %s", error_message);
2013-10-31 06:19:11 +00:00
return NULL;
}
}
/* Authenticate with password */
2014-07-17 18:49:24 +00:00
if (strstr(user_authlist, "password") != NULL) {
guac_client_log(client, GUAC_LOG_DEBUG, "Using password authentication method");
2014-07-17 18:49:24 +00:00
retval = libssh2_userauth_password(session, client_data->username, client_data->password);
}
else if (strstr(user_authlist, "keyboard-interactive") != NULL) {
guac_client_log(client, GUAC_LOG_DEBUG, "Using keyboard-interactive authentication method");
2014-07-17 18:49:24 +00:00
retval = libssh2_userauth_keyboard_interactive(session, client_data->username, &__kbd_callback);
}
else {
guac_client_abort(client, GUAC_PROTOCOL_STATUS_CLIENT_BAD_TYPE, "No known authentication methods");
return NULL;
}
if (retval == 0)
2013-10-31 06:19:11 +00:00
return session;
2014-07-17 18:49:24 +00:00
2013-10-31 06:19:11 +00:00
else {
char* error_message;
libssh2_session_last_error(session, &error_message, NULL, 0);
2014-03-22 02:47:42 +00:00
guac_client_abort(client, GUAC_PROTOCOL_STATUS_CLIENT_UNAUTHORIZED,
"Password authentication failed: %s", error_message);
return NULL;
}
}
#ifdef LIBSSH2_USES_GCRYPT
GCRY_THREAD_OPTION_PTHREAD_IMPL;
#endif
/**
* Array of mutexes, used by OpenSSL.
*/
static pthread_mutex_t* __openssl_locks;
/**
* Called by OpenSSL when locking or unlocking the Nth mutex.
*/
static void __openssl_locking_callback(int mode, int n, const char* file, int line){
if (mode & CRYPTO_LOCK)
pthread_mutex_lock(&(__openssl_locks[n]));
else if (mode & CRYPTO_UNLOCK)
pthread_mutex_unlock(&(__openssl_locks[n]));
}
/**
* Called by OpenSSL when determining the current thread ID.
*/
static unsigned long __openssl_id_callback() {
return (unsigned long) pthread_self();
}
/**
* Creates the given number of mutexes, such that OpenSSL will have at least
* this number of mutexes at its disposal.
*/
static void __openssl_init_locks(int count) {
int i;
__openssl_locks = malloc(sizeof(pthread_mutex_t) * CRYPTO_num_locks());
for (i=0; i<count; i++)
pthread_mutex_init(&(__openssl_locks[i]), NULL);
}
/**
* Frees the given number of mutexes.
*/
static void __openssl_free_locks(int count) {
int i;
for (i=0; i<count; i++)
pthread_mutex_destroy(&(__openssl_locks[i]));
}
2013-05-18 05:53:13 +00:00
void* ssh_client_thread(void* data) {
guac_client* client = (guac_client*) data;
2013-05-20 08:23:21 +00:00
ssh_guac_client_data* client_data = (ssh_guac_client_data*) client->data;
char name[1024];
2013-05-20 08:23:21 +00:00
guac_socket* socket = client->socket;
char buffer[8192];
int bytes_read = -1234;
2013-05-20 08:23:21 +00:00
int socket_fd;
2013-05-20 08:23:21 +00:00
pthread_t input_thread;
2013-05-18 05:53:13 +00:00
#ifdef LIBSSH2_USES_GCRYPT
/* Init threadsafety in libgcrypt */
gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
if (!gcry_check_version(GCRYPT_VERSION)) {
guac_client_log(client, GUAC_LOG_ERROR, "libgcrypt version mismatch.");
return NULL;
}
#endif
/* Init threadsafety in OpenSSL */
__openssl_init_locks(CRYPTO_num_locks());
CRYPTO_set_id_callback(__openssl_id_callback);
CRYPTO_set_locking_callback(__openssl_locking_callback);
/* Init OpenSSL */
2014-05-27 19:34:05 +00:00
SSL_library_init();
ERR_load_crypto_strings();
2013-12-02 00:56:36 +00:00
libssh2_init(0);
2013-05-18 05:53:13 +00:00
/* Get username */
2014-03-22 02:47:42 +00:00
if (client_data->username[0] == 0)
guac_terminal_prompt(client_data->term, "Login as: ",
client_data->username, sizeof(client_data->username), true);
2013-05-18 05:53:13 +00:00
/* Send new name */
snprintf(name, sizeof(name)-1, "%s@%s", client_data->username, client_data->hostname);
guac_protocol_send_name(socket, name);
2013-10-31 06:19:11 +00:00
/* If key specified, import */
if (client_data->key_base64[0] != 0) {
guac_client_log(client, GUAC_LOG_DEBUG,
"Attempting private key import (WITHOUT passphrase)");
2013-10-31 06:19:11 +00:00
/* Attempt to read key without passphrase */
2013-12-02 00:56:36 +00:00
client_data->key = ssh_key_alloc(client_data->key_base64,
strlen(client_data->key_base64), "");
2013-10-31 06:19:11 +00:00
/* On failure, attempt with passphrase */
2013-12-02 00:56:36 +00:00
if (client_data->key == NULL) {
2013-10-31 06:19:11 +00:00
/* Log failure of initial attempt */
guac_client_log(client, GUAC_LOG_DEBUG,
"Initial import failed: %s", ssh_key_error());
guac_client_log(client, GUAC_LOG_DEBUG,
"Re-attempting private key import (WITH passphrase)");
2013-10-31 06:19:11 +00:00
/* Prompt for passphrase if missing */
2014-03-22 02:47:42 +00:00
if (client_data->key_passphrase[0] == 0)
guac_terminal_prompt(client_data->term, "Key passphrase: ",
client_data->key_passphrase, sizeof(client_data->key_passphrase), false);
2013-10-31 06:19:11 +00:00
/* Import key with passphrase */
2013-12-02 00:56:36 +00:00
client_data->key = ssh_key_alloc(client_data->key_base64,
strlen(client_data->key_base64),
client_data->key_passphrase);
/* If still failing, give up */
if (client_data->key == NULL) {
guac_client_abort(client,
GUAC_PROTOCOL_STATUS_CLIENT_UNAUTHORIZED,
"Auth key import failed: %s", ssh_key_error());
2013-10-31 06:19:11 +00:00
return NULL;
}
} /* end decrypt key with passphrase */
2013-05-20 08:23:21 +00:00
2013-12-02 00:56:36 +00:00
/* Success */
guac_client_log(client, GUAC_LOG_INFO, "Auth key successfully imported.");
2013-12-02 00:56:36 +00:00
2013-10-31 06:19:11 +00:00
} /* end if key given */
/* Otherwise, get password if not provided */
2014-03-22 02:47:42 +00:00
else if (client_data->password[0] == 0)
guac_terminal_prompt(client_data->term, "Password: ",
client_data->password, sizeof(client_data->password), false);
2013-05-22 18:54:28 +00:00
/* Clear screen */
guac_terminal_printf(client_data->term, "\x1B[H\x1B[J");
2013-05-22 18:54:28 +00:00
2013-05-20 08:23:21 +00:00
/* Open SSH session */
client_data->session = __guac_ssh_create_session(client, &socket_fd);
2013-05-20 08:23:21 +00:00
if (client_data->session == NULL) {
2014-03-22 02:47:42 +00:00
/* Already aborted within __guac_ssh_create_session() */
2013-05-20 08:23:21 +00:00
return NULL;
}
pthread_mutex_init(&client_data->term_channel_lock, NULL);
2013-05-20 08:23:21 +00:00
/* Open channel for terminal */
2014-03-22 02:47:42 +00:00
client_data->term_channel = libssh2_channel_open_session(client_data->session);
2013-05-20 08:23:21 +00:00
if (client_data->term_channel == NULL) {
2014-03-22 02:47:42 +00:00
guac_client_abort(client, GUAC_PROTOCOL_STATUS_UPSTREAM_ERROR, "Unable to open terminal channel.");
2013-05-18 05:53:13 +00:00
return NULL;
2013-05-20 08:23:21 +00:00
}
2013-05-18 05:53:13 +00:00
#ifdef ENABLE_SSH_AGENT
2013-12-02 10:07:17 +00:00
/* Start SSH agent forwarding, if enabled */
if (client_data->enable_agent) {
libssh2_session_callback_set(client_data->session,
LIBSSH2_CALLBACK_AUTH_AGENT, (void*) ssh_auth_agent_callback);
/* Request agent forwarding */
if (libssh2_channel_request_auth_agent(client_data->term_channel))
guac_client_log(client, GUAC_LOG_ERROR, "Agent forwarding request failed");
2013-12-02 10:07:17 +00:00
else
guac_client_log(client, GUAC_LOG_INFO, "Agent forwarding enabled.");
2013-12-02 10:07:17 +00:00
}
client_data->auth_agent = NULL;
#endif
/* Start SFTP session as well, if enabled */
if (client_data->enable_sftp) {
2014-05-07 00:14:40 +00:00
/* Init handlers for Guacamole-specific console codes */
client_data->term->upload_path_handler = guac_sftp_set_upload_path;
client_data->term->file_download_handler = guac_sftp_download_file;
/* Create SSH session specific for SFTP */
guac_client_log(client, GUAC_LOG_DEBUG, "Reconnecting for SFTP...");
client_data->sftp_ssh_session = __guac_ssh_create_session(client, NULL);
2014-03-22 02:47:42 +00:00
if (client_data->sftp_ssh_session == NULL) {
/* Already aborted within __guac_ssh_create_session() */
return NULL;
}
/* Request SFTP */
2014-03-22 02:47:42 +00:00
client_data->sftp_session = libssh2_sftp_init(client_data->sftp_ssh_session);
if (client_data->sftp_session == NULL) {
2014-03-22 02:47:42 +00:00
guac_client_abort(client, GUAC_PROTOCOL_STATUS_UPSTREAM_ERROR, "Unable to start SFTP session.");
return NULL;
}
/* Set file handler */
client->file_handler = guac_sftp_file_handler;
2013-10-19 01:20:46 +00:00
/* Expose filesystem */
client_data->sftp_filesystem = guac_sftp_expose_filesystem(client);
guac_client_log(client, GUAC_LOG_DEBUG, "SFTP session initialized");
}
2013-05-20 08:23:21 +00:00
/* Request PTY */
2014-03-22 02:47:42 +00:00
if (libssh2_channel_request_pty_ex(client_data->term_channel, "linux", sizeof("linux")-1, NULL, 0,
client_data->term->term_width, client_data->term->term_height, 0, 0)) {
guac_client_abort(client, GUAC_PROTOCOL_STATUS_UPSTREAM_ERROR, "Unable to allocate PTY.");
2013-05-20 08:23:21 +00:00
return NULL;
}
/* Request shell */
if (libssh2_channel_shell(client_data->term_channel)) {
2014-03-22 02:47:42 +00:00
guac_client_abort(client, GUAC_PROTOCOL_STATUS_UPSTREAM_ERROR, "Unable to associate shell with PTY.");
2013-05-20 08:23:21 +00:00
return NULL;
}
/* Logged in */
guac_client_log(client, GUAC_LOG_INFO, "SSH connection successful.");
2013-05-20 08:23:21 +00:00
/* Start input thread */
if (pthread_create(&(input_thread), NULL, ssh_input_thread, (void*) client)) {
2014-03-22 02:47:42 +00:00
guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR, "Unable to start input thread");
2013-05-20 08:23:21 +00:00
return NULL;
}
/* Set non-blocking */
libssh2_session_set_blocking(client_data->session, 0);
2013-05-20 08:23:21 +00:00
/* While data available, write to terminal */
bytes_read = 0;
for (;;) {
/* Track total amount of data read */
int total_read = 0;
pthread_mutex_lock(&(client_data->term_channel_lock));
/* Stop reading at EOF */
if (libssh2_channel_eof(client_data->term_channel)) {
pthread_mutex_unlock(&(client_data->term_channel_lock));
break;
}
/* Read terminal data */
bytes_read = libssh2_channel_read(client_data->term_channel,
buffer, sizeof(buffer));
2013-05-20 08:23:21 +00:00
pthread_mutex_unlock(&(client_data->term_channel_lock));
2013-05-26 06:05:58 +00:00
/* Attempt to write data received. Exit on failure. */
if (bytes_read > 0) {
int written = guac_terminal_write_stdout(client_data->term, buffer, bytes_read);
2013-05-26 06:05:58 +00:00
if (written < 0)
break;
total_read += bytes_read;
}
else if (bytes_read < 0 && bytes_read != LIBSSH2_ERROR_EAGAIN)
break;
2013-12-03 17:21:47 +00:00
#ifdef ENABLE_SSH_AGENT
/* If agent open, handle any agent packets */
if (client_data->auth_agent != NULL) {
bytes_read = ssh_auth_agent_read(client_data->auth_agent);
if (bytes_read > 0)
total_read += bytes_read;
else if (bytes_read < 0 && bytes_read != LIBSSH2_ERROR_EAGAIN)
client_data->auth_agent = NULL;
}
2013-12-03 17:21:47 +00:00
#endif
/* Wait for more data if reads turn up empty */
if (total_read == 0) {
fd_set fds;
struct timeval timeout;
FD_ZERO(&fds);
FD_SET(socket_fd, &fds);
/* Wait for one second */
timeout.tv_sec = 1;
timeout.tv_usec = 0;
if (select(socket_fd+1, &fds, NULL, NULL, &timeout) < 0)
break;
2013-05-26 06:05:58 +00:00
}
2013-05-20 08:23:21 +00:00
}
2013-05-18 05:53:13 +00:00
/* Kill client and Wait for input thread to die */
guac_client_stop(client);
pthread_join(input_thread, NULL);
__openssl_free_locks(CRYPTO_num_locks());
pthread_mutex_destroy(&client_data->term_channel_lock);
guac_client_log(client, GUAC_LOG_INFO, "SSH connection ended.");
2013-05-18 03:47:05 +00:00
return NULL;
}