Re: [PATCH] client code for agent forwarding
- Subject: Re: [PATCH] client code for agent forwarding
- From: Aris Adamantiadis <aris@xxxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Mon, 21 Mar 2016 18:34:03 +0100
- To: Andreas Schneider <asn@xxxxxxxxxxxxxx>, libssh@xxxxxxxxxx
Hi Andreas,
It's fine for me. Thanks for your work Raf
Aris
On 21/03/16 17:30, Andreas Schneider wrote:
> On Saturday 19 March 2016 21:12:27 Raf D wrote:
>> Updated patch using callback API, and a fix for a double-free.
> Looks fine for me, Aris?
>
>> Please let me know your thoughts.
>>
>> Signed off-by: Raf D'Halleweyn <raf@xxxxxxxxxx>
>>
>> ---
>> include/libssh/callbacks.h | 16 ++++++++++++++++
>> include/libssh/libssh.h | 4 +++-
>> include/libssh/session.h | 3 +++
>> src/channels.c | 20 ++++++++++++++++++++
>> src/messages.c | 18 ++++++++++++++++++
>> 5 files changed, 60 insertions(+), 1 deletion(-)
>>
>> diff -ru -x debian libssh-0.7.3-orig/include/libssh/callbacks.h
>> libssh-0.7.3/include/libssh/callbacks.h ---
>> libssh-0.7.3-orig/include/libssh/callbacks.h 2016-02-23
>> 02:16:40.000000000 -0500 +++ libssh-0.7.3/include/libssh/callbacks.h
>> 2016-03-05 23:50:16.986528824 -0500 @@ -125,6 +125,18 @@
>> const char * originator_address, int originator_port, void
>> *userdata);
>>
>> /**
>> + * @brief accept auth-agent forwarding channel initiated by other end.
>> + * @param session Current session handler
>> + * @param agent_forward_channel the new channel for agent communication
>> + * @param userdata Userdata to be passed to the callback function.
>> + * @warning the original channel for which forwarding was requested is not
>> + * available
>> + */
>> +typedef void (*ssh_channel_open_request_auth_agent_callback) (ssh_session
>> session, + ssh_channel agent_forward_channel,
>> + void *userdata);
>> +
>> +/**
>> * The structure to replace libssh functions with appropriate callbacks.
>> */
>> struct ssh_callbacks_struct {
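Review bot: The doc comment on `ssh_channel_open_request_auth_agent_callback` does not say what state the channel is in or who owns it, and the `void` return gives the application no way to decline the forwarding channel. Judging by the src/messages.c hunk in this patch, the open has already been accepted by the time the callback runs, so the comment should say that. I would add a line such as `@note The channel is already accepted when this callback runs; the callee presumably owns it and must close and free it if it does not want to serve agent requests.` The struct that this hunk ends in continues outside the hunk.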
>> @@ -154,6 +166,10 @@
>> /** This function will be called when an incoming X11 request is
>> received. */
>> ssh_channel_open_request_x11_callback channel_open_request_x11_function;
>> + /** This function will be called when a client receives an auth-agent
>> + * forwarding channel.
>> + */
>> + ssh_channel_open_request_auth_agent_callback
>> channel_open_request_auth_agent_function; };
>> typedef struct ssh_callbacks_struct *ssh_callbacks;
>>
>> diff -ru -x debian libssh-0.7.3-orig/include/libssh/libssh.h
>> libssh-0.7.3/include/libssh/libssh.h ---
>> libssh-0.7.3-orig/include/libssh/libssh.h 2016-02-23 02:23:19.000000000
>> -0500 +++ libssh-0.7.3/include/libssh/libssh.h 2016-03-05
>> 23:49:28.709888129 -0500 @@ -189,7 +189,8 @@
>> SSH_CHANNEL_SESSION,
>> SSH_CHANNEL_DIRECT_TCPIP,
>> SSH_CHANNEL_FORWARDED_TCPIP,
>> - SSH_CHANNEL_X11
>> + SSH_CHANNEL_X11,
>> + SSH_CHANNEL_FORWARDED_AUTH_AGENT
>> };
>>
>> enum ssh_channel_requests_e {
>> @@ -391,6 +392,7 @@
>> LIBSSH_API int ssh_channel_read_timeout(ssh_channel channel, void *dest,
>> uint32_t count, int is_stderr, int timeout_ms); LIBSSH_API int
>> ssh_channel_read_nonblocking(ssh_channel channel, void *dest, uint32_t
>> count, int is_stderr);
>> +LIBSSH_API int ssh_channel_request_agent_forwarding(ssh_channel channel);
>> LIBSSH_API int ssh_channel_request_env(ssh_channel channel, const char
>> *name, const char *value); LIBSSH_API int
>> ssh_channel_request_exec(ssh_channel channel, const char *cmd); LIBSSH_API
>> int ssh_channel_request_pty(ssh_channel channel);
>> diff -ru -x debian libssh-0.7.3-orig/include/libssh/session.h
>> libssh-0.7.3/include/libssh/session.h ---
>> libssh-0.7.3-orig/include/libssh/session.h 2016-02-15 07:42:53.000000000
>> -0500 +++ libssh-0.7.3/include/libssh/session.h 2016-03-05
>> 23:49:28.709888129 -0500 @@ -69,6 +69,9 @@
>> /* Client successfully authenticated */
>> #define SSH_SESSION_FLAG_AUTHENTICATED 2
>>
>> +/* the channel supports auth-agent forwarding */
>> +#define SSH_SESSION_AUTH_AGENT_FORWARDING 0x4
>> +
>> /* codes to use with ssh_handle_packets*() */
>> /* Infinite timeout */
>> #define SSH_TIMEOUT_INFINITE -1
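Review bot: The comment on `SSH_SESSION_AUTH_AGENT_FORWARDING` says "the channel supports auth-agent forwarding", but the bit is stored in the session flags and the check in src/messages.c tests `session->flags`, so it is session-wide rather than per channel. Because this bit is what allows the server to open agent channels back to the client, its scope should be stated accurately, for example `/* agent forwarding was requested on this session; incoming auth-agent channel opens are allowed */`. The value is written `0x4` where the neighbouring flag uses decimal `2`; one notation would read better.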
>> diff -ru -x debian libssh-0.7.3-orig/src/channels.c
>> libssh-0.7.3/src/channels.c --- libssh-0.7.3-orig/src/channels.c
>> 2016-02-23 02:16:40.000000000 -0500 +++ libssh-0.7.3/src/channels.c
>> 2016-03-05 23:49:28.713888182 -0500 @@ -1600,6 +1600,26 @@
>> }
>>
>> /**
>> + * @brief Request to establish agent forwarding
>> + *
>> + * @param[in] channel The channel to send the request.
>> + *
>> + * @return SSH_OK on success,
>> + * SSH_ERROR if an error occurred,
>> + * SSH_AGAIN if in nonblocking mode and call has
>> + * to be done again.
>> + */
>> +int ssh_channel_request_agent_forwarding(ssh_channel channel) {
>> + if(channel == NULL) {
>> + return SSH_ERROR;
>> + }
>> +
>> + channel->session->flags |= SSH_SESSION_AUTH_AGENT_FORWARDING;
>> +
>> + return channel_request(channel, "auth-agent-req@xxxxxxxxxxx", NULL, 0);
>> +}
>> +
>> +/**
>> * @brief Request a pty with a specific type and size.
>> *
>> * @param[in] channel The channel to sent the request.
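Review bot: `ssh_channel_request_agent_forwarding()` sets `SSH_SESSION_AUTH_AGENT_FORWARDING` before `channel_request()` has returned, so the bit stays set when the request fails or returns SSH_AGAIN. The check added in src/messages.c relies on that bit to decide whether a server-initiated agent channel is legitimate, so a failed request still leaves the session willing to accept one. Setting it only on success avoids that: `int rc = channel_request(channel, ..., NULL, 0);` then `if (rc == SSH_OK) channel->session->flags |= SSH_SESSION_AUTH_AGENT_FORWARDING;` and `return rc;`. Nothing visible in this patch clears the flag again (for instance when the requesting channel is closed), which is worth confirming.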
>> diff -ru -x debian libssh-0.7.3-orig/src/messages.c
>> libssh-0.7.3/src/messages.c --- libssh-0.7.3-orig/src/messages.c
>> 2016-02-23 02:16:40.000000000 -0500 +++ libssh-0.7.3/src/messages.c
>> 2016-03-05 23:50:57.479052493 -0500 @@ -1070,6 +1070,24 @@
>> goto end;
>> }
>>
>> + if (strcmp(type_c,"auth-agent@xxxxxxxxxxx") == 0) {
>> + if (! (session->flags & SSH_SESSION_AUTH_AGENT_FORWARDING)) {
>> + /* do not establish agent forwarding if we didn't offer it! */
>> + ssh_set_error(session,SSH_FATAL, "Unanounced auth-agent@xxxxxxxxxxx
>> requested, possible server compromise"); + goto error;
>> + }
>> + SSH_LOG(SSH_LOG_WARNING, "Establishing an auth-agent channel");
>> +
>> + msg->channel_request_open.type = SSH_CHANNEL_FORWARDED_AUTH_AGENT;
>> + if (ssh_callbacks_exists(session->common.callbacks,
>> channel_open_request_auth_agent_function)) { + ssh_channel
>> agent_channel = ssh_message_channel_request_open_reply_accept(msg); +
>> session->common.callbacks->channel_open_request_auth_agent_function(session
>> , + agent_channel,
>> + session->common.callbacks->userdata);
>> + }
>> + goto error;
>> + }
>> +
>> msg->channel_request_open.type = SSH_CHANNEL_UNKNOWN;
>> goto end;
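Review bot: The result of `ssh_message_channel_request_open_reply_accept(msg)` is handed to the application callback without a NULL check, and when the flag is set but no `channel_open_request_auth_agent_function` is registered the code falls straight to `goto error` without answering the open. The `error:` label is outside the hunk, so I cannot see whether it sends a failure reply; if it only frees the message, the server is left waiting on a channel nobody will service. Check the accepted channel before invoking the callback and refuse explicitly in the no-handler case, as sketched below. Separately, the routine "Establishing an auth-agent channel" message is logged at `SSH_LOG_WARNING`, and "Unanounced" in the error string is misspelled.

```c
        ssh_channel agent_channel = ssh_message_channel_request_open_reply_accept(msg);
        if (agent_channel == NULL) {
            /* accept failed: never hand a NULL channel to the application */
            goto error;
        }
        /* … unchanged: invoke channel_open_request_auth_agent_function … */
    } else {
        /* no handler registered: refuse the open instead of leaving it unanswered */
        ssh_message_reply_default(msg);
    }
    goto error;
```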