Strona główna Odkrywaj Pomoc
Zaloguj się
HSD
/
putty
kopia lustrzana https://git.tartarus.org/simon/putty.git
Obserwuj 1
Polub 0
Forkuj 0
Pliki
Drzewo: 6ec424059c
Gałęzie Tagi
putty
/
unix
/
uppity.c

uppity.c 32 KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974 
  1. /*
    2. 

  2.  * SSH server for Unix: main program.
    3. 

  3.  *
    4. 

  4.  * ======================================================================
    5. 

  5.  *
    6. 

  6.  * This server is NOT SECURE!
    7. 

  7.  *
    8. 

  8.  * DO NOT DEPLOY IT IN A HOSTILE-FACING ENVIRONMENT!
    9. 

  9.  *
    10. 

  10.  * Its purpose is to speak the server end of everything PuTTY speaks
    11. 

  11.  * on the client side, so that I can test that I haven't broken PuTTY
    12. 

  12.  * when I reorganise its code, even things like RSA key exchange or
    13. 

  13.  * chained auth methods which it's hard to find a server that speaks
    14. 

  14.  * at all.
    15. 

  15.  *
    16. 

  16.  * It has no interaction with the OS's authentication system: the
    17. 

  17.  * authentications it will accept are configurable by command-line
    18. 

  18.  * option, and once you authenticate, it will run the connection
    19. 

  19.  * protocol - including all subprocesses and shells - under the same
    20. 

  20.  * Unix user id you started it under.
    21. 

  21.  *
    22. 

  22.  * It really is only suitable for testing the actual SSH protocol.
    23. 

  23.  * Don't use it for anything more serious!
    24. 

  24.  *
    25. 

  25.  * ======================================================================
    26. 

  26.  */
    27. 

  27. 

  28. #include <stdio.h>
    29. 

  29. #include <stdlib.h>
    30. 

  30. #include <errno.h>
    31. 

  31. #include <assert.h>
    32. 

  32. #include <stdarg.h>
    33. 

  33. #include <signal.h>
    34. 

  34. #include <unistd.h>
    35. 

  35. #include <fcntl.h>
    36. 

  36. #include <termios.h>
    37. 

  37. #include <pwd.h>
    38. 

  38. #include <sys/ioctl.h>
    39. 

  39. #include <sys/time.h>
    40. 

  40. 

  41. #include "putty.h"
    42. 

  42. #include "mpint.h"
    43. 

  43. #include "ssh.h"
    44. 

  44. #include "ssh/server.h"
    45. 

  45. 

  46. void modalfatalbox(const char *p, ...)
    47. 

  47. {
    48. 

  48.     va_list ap;
    49. 

  49.     fprintf(stderr, "FATAL ERROR: ");
    50. 

  50.     va_start(ap, p);
    51. 

  51.     vfprintf(stderr, p, ap);
    52. 

  52.     va_end(ap);
    53. 

  53.     fputc('\n', stderr);
    54. 

  54.     exit(1);
    55. 

  55. }
    56. 

  56. void nonfatal(const char *p, ...)
    57. 

  57. {
    58. 

  58.     va_list ap;
    59. 

  59.     fprintf(stderr, "ERROR: ");
    60. 

  60.     va_start(ap, p);
    61. 

  61.     vfprintf(stderr, p, ap);
    62. 

  62.     va_end(ap);
    63. 

  63.     fputc('\n', stderr);
    64. 

  64. }
    65. 

  65. 

  66. char *platform_default_s(const char *name)
    67. 

  67. {
    68. 

  68.     return NULL;
    69. 

  69. }
    70. 

  70. 

  71. bool platform_default_b(const char *name, bool def)
    72. 

  72. {
    73. 

  73.     return def;
    74. 

  74. }
    75. 

  75. 

  76. int platform_default_i(const char *name, int def)
    77. 

  77. {
    78. 

  78.     return def;
    79. 

  79. }
    80. 

  80. 

  81. FontSpec *platform_default_fontspec(const char *name)
    82. 

  82. {
    83. 

  83.     return fontspec_new_default();
    84. 

  84. }
    85. 

  85. 

  86. Filename *platform_default_filename(const char *name)
    87. 

  87. {
    88. 

  88.     return filename_from_str("");
    89. 

  89. }
    90. 

  90. 

  91. char *x_get_default(const char *key)
    92. 

  92. {
    93. 

  93.     return NULL;                       /* this is a stub */
    94. 

  94. }
    95. 

  95. 

  96. void old_keyfile_warning(void) { }
    97. 

  97. 

  98. void timer_change_notify(unsigned long next)
    99. 

  99. {
    100. 

  100. }
    101. 

  101. 

  102. char *platform_get_x_display(void) { return NULL; }
    103. 

  103. 

  104. void make_unix_sftp_filehandle_key(void *data, size_t size)
    105. 

  105. {
    106. 

  106.     random_read(data, size);
    107. 

  107. }
    108. 

  108. 

  109. static bool verbose;
    110. 

  110. 

  111. struct server_config;
    112. 

  112. 

  113. struct AuthPolicyShared {
    114. 

  114.     struct AuthPolicy_ssh1_pubkey *ssh1keys;
    115. 

  115.     struct AuthPolicy_ssh2_pubkey *ssh2keys;
    116. 

  116. };
    117. 

  117. 

  118. struct AuthPolicy {
    119. 

  119.     struct AuthPolicyShared *shared;
    120. 

  120.     int kbdint_state;
    121. 

  121. };
    122. 

  122. 

  123. struct server_instance {
    124. 

  124.     unsigned id;
    125. 

  125.     AuthPolicy ap;
    126. 

  126.     LogPolicy logpolicy;
    127. 

  127.     struct server_config *cfg;
    128. 

  128. };
    129. 

  129. 

  130. struct server_config {
    131. 

  131.     unsigned config_id;
    132. 

  132. 

  133.     Conf *conf;
    134. 

  134.     const SshServerConfig *ssc;
    135. 

  135. 

  136.     ssh_key **hostkeys;
    137. 

  137.     int nhostkeys;
    138. 

  138. 

  139.     RSAKey *hostkey1;
    140. 

  140. 

  141.     unsigned auth_methods;
    142. 

  142. 

  143.     struct AuthPolicyShared *ap_shared;
    144. 

  144. 

  145.     Socket *listening_socket;
    146. 

  146.     Plug listening_plug;
    147. 

  147. };
    148. 

  148. 

  149. static unsigned next_id = 0;
    150. 

  150. 

  151. static void log_to_stderr(unsigned id, const char *msg)
    152. 

  152. {
    153. 

  153.     if (id != (unsigned)-1)
    154. 

  154.         fprintf(stderr, "conn#%u: ", id);
    155. 

  155.     fputs(msg, stderr);
    156. 

  156.     fputc('\n', stderr);
    157. 

  157.     fflush(stderr);
    158. 

  158. }
    159. 

  159. 

  160. static void server_eventlog(LogPolicy *lp, const char *event)
    161. 

  161. {
    162. 

  162.     struct server_instance *inst = container_of(
    163. 

  163.         lp, struct server_instance, logpolicy);
    164. 

  164.     if (verbose)
    165. 

  165.         log_to_stderr(inst->id, event);
    166. 

  166. }
    167. 

  167. 

  168. static void server_logging_error(LogPolicy *lp, const char *event)
    169. 

  169. {
    170. 

  170.     struct server_instance *inst = container_of(
    171. 

  171.         lp, struct server_instance, logpolicy);
    172. 

  172.     log_to_stderr(inst->id, event);    /* unconditional */
    173. 

  173. }
    174. 

  174. 

  175. static int server_askappend(
    176. 

  176.     LogPolicy *lp, Filename *filename,
    177. 

  177.     void (*callback)(void *ctx, int result), void *ctx)
    178. 

  178. {
    179. 

  179.     return 2; /* always overwrite (FIXME: could make this a cmdline option) */
    180. 

  180. }
    181. 

  181. 

  182. static const LogPolicyVtable server_logpolicy_vt = {
    183. 

  183.     .eventlog = server_eventlog,
    184. 

  184.     .askappend = server_askappend,
    185. 

  185.     .logging_error = server_logging_error,
    186. 

  186.     .verbose = null_lp_verbose_no,
    187. 

  187. };
    188. 

  188. 

  189. struct AuthPolicy_ssh1_pubkey {
    190. 

  190.     RSAKey key;
    191. 

  191.     struct AuthPolicy_ssh1_pubkey *next;
    192. 

  192. };
    193. 

  193. struct AuthPolicy_ssh2_pubkey {
    194. 

  194.     ptrlen public_blob;
    195. 

  195.     struct AuthPolicy_ssh2_pubkey *next;
    196. 

  196. };
    197. 

  197. 

  198. unsigned auth_methods(AuthPolicy *ap)
    199. 

  199. {
    200. 

  200.     struct server_instance *inst = container_of(
    201. 

  201.         ap, struct server_instance, ap);
    202. 

  202.     return inst->cfg->auth_methods;
    203. 

  203. }
    204. 

  204. bool auth_none(AuthPolicy *ap, ptrlen username)
    205. 

  205. {
    206. 

  206.     struct server_instance *inst = container_of(
    207. 

  207.         ap, struct server_instance, ap);
    208. 

  208.     if (inst->cfg->auth_methods & AUTHMETHOD_NONE)
    209. 

  209.         return true;
    210. 

  210.     return false;
    211. 

  211. }
    212. 

  212. int auth_password(AuthPolicy *ap, ptrlen username, ptrlen password,
    213. 

  213.                   ptrlen *new_password_opt)
    214. 

  214. {
    215. 

  215.     const char *PHONY_GOOD_PASSWORD = "weasel";
    216. 

  216.     const char *PHONY_BAD_PASSWORD = "ferret";
    217. 

  217. 

  218.     if (!new_password_opt) {
    219. 

  219.         /* Accept login with our preconfigured good password */
    220. 

  220.         if (ptrlen_eq_string(password, PHONY_GOOD_PASSWORD))
    221. 

  221.             return 1;
    222. 

  222.         /* Don't outright reject the bad password, but insist on a change */
    223. 

  223.         if (ptrlen_eq_string(password, PHONY_BAD_PASSWORD))
    224. 

  224.             return 2;
    225. 

  225.         /* Reject anything else */
    226. 

  226.         return 0;
    227. 

  227.     } else {
    228. 

  228.         /* In a password-change request, expect the bad password as input */
    229. 

  229.         if (!ptrlen_eq_string(password, PHONY_BAD_PASSWORD))
    230. 

  230.             return 0;
    231. 

  231.         /* Accept a request to change it to the good password */
    232. 

  232.         if (ptrlen_eq_string(*new_password_opt, PHONY_GOOD_PASSWORD))
    233. 

  233.             return 1;
    234. 

  234.         /* Outright reject a request to change it to the same password
    235. 

  235.          * as it already 'was' */
    236. 

  236.         if (ptrlen_eq_string(*new_password_opt, PHONY_BAD_PASSWORD))
    237. 

  237.             return 0;
    238. 

  238.         /* Anything else, pretend the new pw wasn't good enough, and
    239. 

  239.          * re-request a change */
    240. 

  240.         return 2;
    241. 

  241.     }
    242. 

  242. }
    243. 

  243. bool auth_publickey(AuthPolicy *ap, ptrlen username, ptrlen public_blob)
    244. 

  244. {
    245. 

  245.     struct AuthPolicy_ssh2_pubkey *iter;
    246. 

  246.     for (iter = ap->shared->ssh2keys; iter; iter = iter->next) {
    247. 

  247.         if (ptrlen_eq_ptrlen(public_blob, iter->public_blob))
    248. 

  248.             return true;
    249. 

  249.     }
    250. 

  250.     return false;
    251. 

  251. }
    252. 

  252. RSAKey *auth_publickey_ssh1(
    253. 

  253.     AuthPolicy *ap, ptrlen username, mp_int *rsa_modulus)
    254. 

  254. {
    255. 

  255.     struct AuthPolicy_ssh1_pubkey *iter;
    256. 

  256.     for (iter = ap->shared->ssh1keys; iter; iter = iter->next) {
    257. 

  257.         if (mp_cmp_eq(rsa_modulus, iter->key.modulus))
    258. 

  258.             return &iter->key;
    259. 

  259.     }
    260. 

  260.     return NULL;
    261. 

  261. }
    262. 

  262. AuthKbdInt *auth_kbdint_prompts(AuthPolicy *ap, ptrlen username)
    263. 

  263. {
    264. 

  264.     AuthKbdInt *aki;
    265. 

  265. 

  266.     switch (ap->kbdint_state) {
    267. 

  267.       case 0:
    268. 

  268.         aki = snew(AuthKbdInt);
    269. 

  269.         aki->title = dupstr("Initial double prompt");
    270. 

  270.         aki->instruction =
    271. 

  271.             dupstr("First prompt should echo, second should not");
    272. 

  272.         aki->nprompts = 2;
    273. 

  273.         aki->prompts = snewn(aki->nprompts, AuthKbdIntPrompt);
    274. 

  274.         aki->prompts[0].prompt = dupstr("Echoey prompt: ");
    275. 

  275.         aki->prompts[0].echo = true;
    276. 

  276.         aki->prompts[1].prompt = dupstr("Silent prompt: ");
    277. 

  277.         aki->prompts[1].echo = false;
    278. 

  278.         return aki;
    279. 

  279.       case 1: {
    280. 

  280.         struct server_instance *inst = container_of(
    281. 

  281.             ap, struct server_instance, ap);
    282. 

  282.         aki = snew(AuthKbdInt);
    283. 

  283.         if (inst->cfg->ssc->stunt_allow_trivial_ki_auth) {
    284. 

  284.             aki->title = dupstr("");
    285. 

  285.             aki->instruction = dupstr("");
    286. 

  286.         } else {
    287. 

  287.             aki->title = dupstr("Zero-prompt step");
    288. 

  288.             aki->instruction = dupstr("Shouldn't see any prompts this time");
    289. 

  289.         }
    290. 

  290.         aki->nprompts = 0;
    291. 

  291.         aki->prompts = NULL;
    292. 

  292.         return aki;
    293. 

  293.       }
    294. 

  294.       default:
    295. 

  295.         ap->kbdint_state = 0;
    296. 

  296.         return NULL;
    297. 

  297.     }
    298. 

  298. }
    299. 

  299. int auth_kbdint_responses(AuthPolicy *ap, const ptrlen *responses)
    300. 

  300. {
    301. 

  301.     switch (ap->kbdint_state) {
    302. 

  302.       case 0:
    303. 

  303.         if (ptrlen_eq_string(responses[0], "stoat") &&
    304. 

  304.             ptrlen_eq_string(responses[1], "weasel")) {
    305. 

  305.             ap->kbdint_state++;
    306. 

  306.             return 0;                  /* those are the expected responses */
    307. 

  307.         } else {
    308. 

  308.             ap->kbdint_state = 0;
    309. 

  309.             return -1;
    310. 

  310.         }
    311. 

  311.         break;
    312. 

  312.       case 1:
    313. 

  313.         return +1;                     /* succeed after the zero-prompt step */
    314. 

  314.       default:
    315. 

  315.         ap->kbdint_state = 0;
    316. 

  316.         return -1;
    317. 

  317.     }
    318. 

  318. }
    319. 

  319. char *auth_ssh1int_challenge(AuthPolicy *ap, unsigned method, ptrlen username)
    320. 

  320. {
    321. 

  321.     /* FIXME: test returning a challenge string without \n, and ensure
    322. 

  322.      * it gets printed as a prompt in its own right, without PuTTY
    323. 

  323.      * making up a "Response: " prompt to follow it */
    324. 

  324.     return dupprintf("This is a dummy %s challenge!\n",
    325. 

  325.                      (method == AUTHMETHOD_TIS ? "TIS" : "CryptoCard"));
    326. 

  326. }
    327. 

  327. bool auth_ssh1int_response(AuthPolicy *ap, ptrlen response)
    328. 

  328. {
    329. 

  329.     return ptrlen_eq_string(response, "otter");
    330. 

  330. }
    331. 

  331. bool auth_successful(AuthPolicy *ap, ptrlen username, unsigned method)
    332. 

  332. {
    333. 

  333.     return true;
    334. 

  334. }
    335. 

  335. 

  336. static void safety_warning(FILE *fp)
    337. 

  337. {
    338. 

  338.     fputs("  =================================================\n"
    339. 

  339.           "     THIS SSH SERVER IS NOT WRITTEN TO BE SECURE!\n"
    340. 

  340.           "  DO NOT DEPLOY IT IN A HOSTILE-FACING ENVIRONMENT!\n"
    341. 

  341.           "  =================================================\n", fp);
    342. 

  342. }
    343. 

  343. 

  344. static void show_help(FILE *fp)
    345. 

  345. {
    346. 

  346.     safety_warning(fp);
    347. 

  347.     fputs("\n"
    348. 

  348.           "usage:   uppity [options] [--and <options>...]\n"
    349. 

  349.           "options: --listen [PORT|PATH] listen to a port on localhost, or Unix socket\n"
    350. 

  350.           "         --listen-once        (with --listen) stop after one "
    351. 

  351.           "connection\n"
    352. 

  352.           "         --hostkey KEY        SSH host key (need at least one)\n"
    353. 

  353.           "         --rsakexkey KEY      key for SSH-2 RSA key exchange "
    354. 

  354.           "(in SSH-1 format)\n"
    355. 

  355.           "         --userkey KEY        public key"
    356. 

  356.           " acceptable for user authentication\n"
    357. 

  357.           "         --sessiondir DIR     cwd for session subprocess (default $HOME)\n"
    358. 

  358.           "         --bannertext TEXT    send TEXT as SSH-2 auth banner\n"
    359. 

  359.           "         --bannerfile FILE    send contents of FILE as SSH-2 auth "
    360. 

  360.           "banner\n"
    361. 

  361.           "         --kexinit-kex STR    override list of SSH-2 KEX methods\n"
    362. 

  362.           "         --kexinit-hostkey STR  override list of SSH-2 host key "
    363. 

  363.           "types\n"
    364. 

  364.           "         --kexinit-cscipher STR override list of SSH-2 "
    365. 

  365.           "client->server ciphers\n"
    366. 

  366.           "         --kexinit-sccipher STR override list of SSH-2 "
    367. 

  367.           "server->client ciphers\n"
    368. 

  368.           "         --kexinit-csmac STR    override list of SSH-2 "
    369. 

  369.           "client->server MACs\n"
    370. 

  370.           "         --kexinit-scmac STR    override list of SSH-2 "
    371. 

  371.           "server->client MACs\n"
    372. 

  372.           "         --kexinit-cscomp STR   override list of SSH-2 "
    373. 

  373.           "c->s compression types\n"
    374. 

  374.           "         --kexinit-sccomp STR   override list of SSH-2 "
    375. 

  375.           "s->c compression types\n"
    376. 

  376.           "         --ssh1-ciphers STR     override list of SSH-1 ciphers\n"
    377. 

  377.           "         --ssh1-no-compression  forbid compression in SSH-1\n"
    378. 

  378.           "         --deny-auth METHOD   forbid a userauth method\n"
    379. 

  379.           "         --allow-auth METHOD  allow a userauth method\n"
    380. 

  380.           "                 (METHOD = none/password/publickey/kbdint/tis/"
    381. 

  381.           "cryptocard)\n"
    382. 

  382.           "         --exitsignum         send buggy numeric \"exit-signal\" "
    383. 

  383.           "message\n"
    384. 

  384.           "         --verbose            print event log messages to standard "
    385. 

  385.           "error\n"
    386. 

  386.           "         --sshlog FILE        write SSH packet log to FILE\n"
    387. 

  387.           "         --sshrawlog FILE     write SSH packets + raw data log"
    388. 

  388.           " to FILE\n"
    389. 

  389.           "         --and                run a separate server on another port\n"
    390. 

  390.           "also:    uppity --help        show this text\n"
    391. 

  391.           "         uppity --version     show version information\n"
    392. 

  392.           "\n", fp);
    393. 

  393.     safety_warning(fp);
    394. 

  394. }
    395. 

  395. 

  396. static void show_version_and_exit(void)
    397. 

  397. {
    398. 

  398.     char *buildinfo_text = buildinfo("\n");
    399. 

  399.     printf("%s: %s\n%s\n", appname, ver, buildinfo_text);
    400. 

  400.     sfree(buildinfo_text);
    401. 

  401.     exit(0);
    402. 

  402. }
    403. 

  403. 

  404. const bool buildinfo_gtk_relevant = false;
    405. 

  405. 

  406. static bool listening = false, listen_once = false;
    407. 

  407. static bool finished = false;
    408. 

  408. void server_instance_terminated(LogPolicy *lp)
    409. 

  409. {
    410. 

  410.     struct server_instance *inst = container_of(
    411. 

  411.         lp, struct server_instance, logpolicy);
    412. 

  412. 

  413.     if (listening && !listen_once) {
    414. 

  414.         log_to_stderr(inst->id, "connection terminated");
    415. 

  415.     } else {
    416. 

  416.         finished = true;
    417. 

  417.     }
    418. 

  418. 

  419.     sfree(inst);
    420. 

  420. }
    421. 

  421. 

  422. static bool longoptarg(const char *arg, const char *expected,
    423. 

  423.                        const char **val, int *argcp, char ***argvp)
    424. 

  424. {
    425. 

  425.     int len = strlen(expected);
    426. 

  426.     if (memcmp(arg, expected, len))
    427. 

  427.         return false;
    428. 

  428.     if (arg[len] == '=') {
    429. 

  429.         *val = arg + len + 1;
    430. 

  430.         return true;
    431. 

  431.     } else if (arg[len] == '\0') {
    432. 

  432.         if (--*argcp > 0) {
    433. 

  433.             *val = *++*argvp;
    434. 

  434.             return true;
    435. 

  435.         } else {
    436. 

  436.             fprintf(stderr, "%s: option %s expects an argument\n",
    437. 

  437.                     appname, expected);
    438. 

  438.             exit(1);
    439. 

  439.         }
    440. 

  440.     }
    441. 

  441.     return false;
    442. 

  442. }
    443. 

  443. 

  444. static bool longoptnoarg(const char *arg, const char *expected)
    445. 

  445. {
    446. 

  446.     int len = strlen(expected);
    447. 

  447.     if (memcmp(arg, expected, len))
    448. 

  448.         return false;
    449. 

  449.     if (arg[len] == '=') {
    450. 

  450.         fprintf(stderr, "%s: option %s expects no argument\n",
    451. 

  451.                 appname, expected);
    452. 

  452.         exit(1);
    453. 

  453.     } else if (arg[len] == '\0') {
    454. 

  454.         return true;
    455. 

  455.     }
    456. 

  456.     return false;
    457. 

  457. }
    458. 

  458. 

  459. static Plug *server_conn_plug(
    460. 

  460.     struct server_config *cfg, struct server_instance **inst_out)
    461. 

  461. {
    462. 

  462.     struct server_instance *inst = snew(struct server_instance);
    463. 

  463. 

  464.     memset(inst, 0, sizeof(*inst));
    465. 

  465. 

  466.     inst->id = next_id++;
    467. 

  467.     inst->ap.shared = cfg->ap_shared;
    468. 

  468.     if (cfg->ssc->stunt_allow_trivial_ki_auth)
    469. 

  469.         inst->ap.kbdint_state = 1;
    470. 

  470.     inst->logpolicy.vt = &server_logpolicy_vt;
    471. 

  471.     inst->cfg = cfg;
    472. 

  472. 

  473.     if (inst_out)
    474. 

  474.         *inst_out = inst;
    475. 

  475. 

  476.     return ssh_server_plug(
    477. 

  477.         cfg->conf, cfg->ssc, cfg->hostkeys, cfg->nhostkeys, cfg->hostkey1,
    478. 

  478.         &inst->ap, &inst->logpolicy, &unix_live_sftpserver_vt);
    479. 

  479. }
    480. 

  480. 

  481. static void server_log(Plug *plug, Socket *s, PlugLogType type, SockAddr *addr,
    482. 

  482.                        int port, const char *error_msg, int error_code)
    483. 

  483. {
    484. 

  484.     log_to_stderr((unsigned)-1, error_msg);
    485. 

  485. }
    486. 

  486. 

  487. static void server_closing(Plug *plug, PlugCloseType type,
    488. 

  488.                            const char *error_msg)
    489. 

  489. {
    490. 

  490.     if (type != PLUGCLOSE_NORMAL)
    491. 

  491.         log_to_stderr((unsigned)-1, error_msg);
    492. 

  492. }
    493. 

  493. 

  494. static int server_accepting(Plug *p, accept_fn_t constructor, accept_ctx_t ctx)
    495. 

  495. {
    496. 

  496.     struct server_config *cfg = container_of(
    497. 

  497.         p, struct server_config, listening_plug);
    498. 

  498.     Socket *s;
    499. 

  499.     const char *err;
    500. 

  500. 

  501.     struct server_instance *inst;
    502. 

  502. 

  503.     if (listen_once) {
    504. 

  504.         if (!cfg->listening_socket) /* in case of rapid double-accept */
    505. 

  505.             return 1;
    506. 

  506.         sk_close(cfg->listening_socket);
    507. 

  507.         cfg->listening_socket = NULL;
    508. 

  508.     }
    509. 

  509. 

  510.     unsigned old_next_id = next_id;
    511. 

  511. 

  512.     Plug *plug = server_conn_plug(cfg, &inst);
    513. 

  513.     s = constructor(ctx, plug);
    514. 

  514.     if ((err = sk_socket_error(s)) != NULL)
    515. 

  515.         return 1;
    516. 

  516. 

  517.     SocketEndpointInfo *pi = sk_peer_info(s);
    518. 

  518. 

  519.     if (pi->addressfamily != ADDRTYPE_LOCAL && !sk_peer_trusted(s)) {
    520. 

  520.         fprintf(stderr, "rejected connection to serv#%u "
    521. 

  521.                 "from %s (untrustworthy peer)\n",
    522. 

  522.                 cfg->config_id, pi->log_text);
    523. 

  523.         sk_free_endpoint_info(pi);
    524. 

  524.         sk_close(s);
    525. 

  525.         next_id = old_next_id;
    526. 

  526.         return 1;
    527. 

  527.     }
    528. 

  528. 

  529.     char *msg = dupprintf("new connection to serv#%u from %s",
    530. 

  530.                           cfg->config_id, pi->log_text);
    531. 

  531.     log_to_stderr(inst->id, msg);
    532. 

  532.     sfree(msg);
    533. 

  533.     sk_free_endpoint_info(pi);
    534. 

  534. 

  535.     sk_set_frozen(s, false);
    536. 

  536.     ssh_server_start(plug, s);
    537. 

  537.     return 0;
    538. 

  538. }
    539. 

  539. 

  540. static const PlugVtable server_plugvt = {
    541. 

  541.     .log = server_log,
    542. 

  542.     .closing = server_closing,
    543. 

  543.     .accepting = server_accepting,
    544. 

  544. };
    545. 

  545. 

  546. static unsigned auth_method_from_name(const char *name)
    547. 

  547. {
    548. 

  548.     if (!strcmp(name, "none"))
    549. 

  549.         return AUTHMETHOD_NONE;
    550. 

  550.     if (!strcmp(name, "tis"))
    551. 

  551.         return AUTHMETHOD_TIS;
    552. 

  552.     if (!strcmp(name, "cryptocard") || !strcmp(name, "ccard"))
    553. 

  553.         return AUTHMETHOD_CRYPTOCARD;
    554. 

  554.     if (!strcmp(name, "keyboard-interactive") || !strcmp(name, "k-i") ||
    555. 

  555.         !strcmp(name, "kbdint")  || !strcmp(name, "ki"))
    556. 

  556.         return AUTHMETHOD_KBDINT;
    557. 

  557.     if (!strcmp(name, "publickey") || !strcmp(name, "pubkey") ||
    558. 

  558.         !strcmp(name, "pk"))
    559. 

  559.         return AUTHMETHOD_PUBLICKEY;
    560. 

  560.     if (!strcmp(name, "password") || !strcmp(name, "pw"))
    561. 

  561.         return AUTHMETHOD_PASSWORD;
    562. 

  562.     return 0;
    563. 

  563. }
    564. 

  564. 

  565. struct cmdline_instance {
    566. 

  566.     int listen_port;
    567. 

  567.     const char *listen_socket;
    568. 

  568.     ssh_key **hostkeys;
    569. 

  569.     size_t nhostkeys, hostkeysize;
    570. 

  570.     RSAKey *hostkey1;
    571. 

  571.     unsigned auth_methods;
    572. 

  572.     struct AuthPolicyShared aps;
    573. 

  573.     SshServerConfig ssc;
    574. 

  574.     Conf *conf;
    575. 

  575. };
    576. 

  576. 

  577. static void init_cmdline_instance(struct cmdline_instance *ci)
    578. 

  578. {
    579. 

  579.     ci->listen_port = -1;
    580. 

  580.     ci->listen_socket = NULL;
    581. 

  581. 

  582.     ci->hostkeys = NULL;
    583. 

  583.     ci->nhostkeys = ci->hostkeysize = 0;
    584. 

  584.     ci->hostkey1 = NULL;
    585. 

  585. 

  586.     ci->conf = make_ssh_server_conf();
    587. 

  587. 

  588.     ci->aps.ssh1keys = NULL;
    589. 

  589.     ci->aps.ssh2keys = NULL;
    590. 

  590. 

  591.     memset(&ci->ssc, 0, sizeof(ci->ssc));
    592. 

  592. 

  593.     ci->ssc.application_name = "Uppity";
    594. 

  594.     ci->ssc.session_starting_dir = getenv("HOME");
    595. 

  595.     ci->ssc.ssh1_cipher_mask = SSH1_SUPPORTED_CIPHER_MASK;
    596. 

  596.     ci->ssc.ssh1_allow_compression = true;
    597. 

  597. 

  598.     ci->auth_methods = (AUTHMETHOD_PUBLICKEY | AUTHMETHOD_PASSWORD |
    599. 

  599.                         AUTHMETHOD_KBDINT | AUTHMETHOD_TIS |
    600. 

  600.                         AUTHMETHOD_CRYPTOCARD);
    601. 

  601. }
    602. 

  602. 

  603. static void cmdline_instance_start(struct cmdline_instance *ci)
    604. 

  604. {
    605. 

  605.     static unsigned next_server_config_id = 0;
    606. 

  606. 

  607.     struct server_config *scfg = snew(struct server_config);
    608. 

  608.     scfg->config_id = next_server_config_id++;
    609. 

  609.     scfg->conf = ci->conf;
    610. 

  610.     scfg->ssc = &ci->ssc;
    611. 

  611.     scfg->hostkeys = ci->hostkeys;
    612. 

  612.     scfg->nhostkeys = ci->nhostkeys;
    613. 

  613.     scfg->hostkey1 = ci->hostkey1;
    614. 

  614.     scfg->ap_shared = &ci->aps;
    615. 

  615.     scfg->auth_methods = ci->auth_methods;
    616. 

  616. 

  617.     if (ci->listen_port >= 0 || ci->listen_socket) {
    618. 

  618.         listening = true;
    619. 

  619.         scfg->listening_plug.vt = &server_plugvt;
    620. 

  620.         char *msg;
    621. 

  621.         if (ci->listen_port >= 0) {
    622. 

  622.             scfg->listening_socket = sk_newlistener(
    623. 

  623.                 NULL, ci->listen_port, &scfg->listening_plug, true,
    624. 

  624.                 ADDRTYPE_UNSPEC);
    625. 

  625.             msg = dupprintf("serv#%u: listening on port %d",
    626. 

  626.                             scfg->config_id, ci->listen_port);
    627. 

  627.         } else {
    628. 

  628.             SockAddr *addr = unix_sock_addr(ci->listen_socket);
    629. 

  629.             scfg->listening_socket = new_unix_listener(
    630. 

  630.                 addr, &scfg->listening_plug);
    631. 

  631.             msg = dupprintf("serv#%u: listening on Unix socket %s",
    632. 

  632.                             scfg->config_id, ci->listen_socket);
    633. 

  633.         }
    634. 

  634. 

  635.         log_to_stderr(-1, msg);
    636. 

  636.         sfree(msg);
    637. 

  637.     } else {
    638. 

  638.         struct server_instance *inst;
    639. 

  639.         Plug *plug = server_conn_plug(scfg, &inst);
    640. 

  640.         ssh_server_start(plug, make_fd_socket(0, 1, -1, NULL, 0, plug));
    641. 

  641.         log_to_stderr(inst->id, "speaking SSH on stdio");
    642. 

  642.     }
    643. 

  643. }
    644. 

  644. 

  645. int main(int argc, char **argv)
    646. 

  646. {
    647. 

  647.     size_t ninstances = 0, instancessize = 8;
    648. 

  648.     struct cmdline_instance *instances = snewn(
    649. 

  649.         instancessize, struct cmdline_instance);
    650. 

  650.     struct cmdline_instance *ci = &instances[ninstances++];
    651. 

  651.     init_cmdline_instance(ci);
    652. 

  652. 

  653.     enable_dit();
    654. 

  654. 

  655.     if (argc <= 1) {
    656. 

  656.         /*
    657. 

  657.          * We're going to terminate with an error message below,
    658. 

  658.          * because there are no host keys. But we'll display the help
    659. 

  659.          * as additional standard-error output, if nothing else so
    660. 

  660.          * that people see the giant safety warning.
    661. 

  661.          */
    662. 

  662.         show_help(stderr);
    663. 

  663.         fputc('\n', stderr);
    664. 

  664.     }
    665. 

  665. 

  666.     while (--argc > 0) {
    667. 

  667.         const char *arg = *++argv;
    668. 

  668.         const char *val;
    669. 

  669. 

  670.         if (!strcmp(arg, "--help")) {
    671. 

  671.             show_help(stdout);
    672. 

  672.             exit(0);
    673. 

  673.         } else if (longoptnoarg(arg, "--version")) {
    674. 

  674.             show_version_and_exit();
    675. 

  675.         } else if (longoptnoarg(arg, "--verbose") || !strcmp(arg, "-v")) {
    676. 

  676.             verbose = true;
    677. 

  677.         } else if (longoptnoarg(arg, "--and")) {
    678. 

  678.             sgrowarray(instances, instancessize, ninstances);
    679. 

  679.             ci = &instances[ninstances++];
    680. 

  680.             init_cmdline_instance(ci);
    681. 

  681.         } else if (longoptarg(arg, "--listen", &val, &argc, &argv)) {
    682. 

  682.             if (val[0] == '/') {
    683. 

  683.                 ci->listen_port = -1;
    684. 

  684.                 ci->listen_socket = val;
    685. 

  685.             } else {
    686. 

  686.                 ci->listen_port = atoi(val);
    687. 

  687.                 ci->listen_socket = NULL;
    688. 

  688.             }
    689. 

  689.         } else if (!strcmp(arg, "--listen-once")) {
    690. 

  690.             listen_once = true;
    691. 

  691.         } else if (longoptarg(arg, "--hostkey", &val, &argc, &argv)) {
    692. 

  692.             Filename *keyfile;
    693. 

  693.             int keytype;
    694. 

  694.             const char *error;
    695. 

  695. 

  696.             keyfile = filename_from_str(val);
    697. 

  697.             keytype = key_type(keyfile);
    698. 

  698. 

  699.             if (keytype == SSH_KEYTYPE_SSH2) {
    700. 

  700.                 ssh2_userkey *uk;
    701. 

  701.                 ssh_key *key;
    702. 

  702.                 uk = ppk_load_f(keyfile, NULL, &error);
    703. 

  703.                 filename_free(keyfile);
    704. 

  704.                 if (!uk || !uk->key) {
    705. 

  705.                     fprintf(stderr, "%s: unable to load host key '%s': "
    706. 

  706.                             "%s\n", appname, val, error);
    707. 

  707.                     exit(1);
    708. 

  708.                 }
    709. 

  709.                 char *invalid = ssh_key_invalid(uk->key, 0);
    710. 

  710.                 if (invalid) {
    711. 

  711.                     fprintf(stderr, "%s: host key '%s' is unusable: "
    712. 

  712.                             "%s\n", appname, val, invalid);
    713. 

  713.                     exit(1);
    714. 

  714.                 }
    715. 

  715.                 key = uk->key;
    716. 

  716.                 sfree(uk->comment);
    717. 

  717.                 sfree(uk);
    718. 

  718. 

  719.                 for (int i = 0; i < ci->nhostkeys; i++)
    720. 

  720.                     if (ssh_key_alg(ci->hostkeys[i]) == ssh_key_alg(key)) {
    721. 

  721.                         fprintf(stderr, "%s: host key '%s' duplicates key "
    722. 

  722.                                 "type %s\n", appname, val,
    723. 

  723.                                 ssh_key_alg(key)->ssh_id);
    724. 

  724.                         exit(1);
    725. 

  725.                     }
    726. 

  726. 

  727.                 sgrowarray(ci->hostkeys, ci->hostkeysize, ci->nhostkeys);
    728. 

  728.                 ci->hostkeys[ci->nhostkeys++] = key;
    729. 

  729.             } else if (keytype == SSH_KEYTYPE_SSH1) {
    730. 

  730.                 if (ci->hostkey1) {
    731. 

  731.                     fprintf(stderr, "%s: host key '%s' is a redundant "
    732. 

  732.                             "SSH-1 host key\n", appname, val);
    733. 

  733.                     exit(1);
    734. 

  734.                 }
    735. 

  735.                 ci->hostkey1 = snew(RSAKey);
    736. 

  736.                 if (!rsa1_load_f(keyfile, ci->hostkey1, NULL, &error)) {
    737. 

  737.                     fprintf(stderr, "%s: unable to load host key '%s': "
    738. 

  738.                             "%s\n", appname, val, error);
    739. 

  739.                     exit(1);
    740. 

  740.                 }
    741. 

  741.             } else {
    742. 

  742.                 fprintf(stderr, "%s: '%s' is not loadable as a "
    743. 

  743.                         "private key (%s)", appname, val,
    744. 

  744.                         key_type_to_str(keytype));
    745. 

  745.                 exit(1);
    746. 

  746.             }
    747. 

  747.         } else if (longoptarg(arg, "--rsakexkey", &val, &argc, &argv)) {
    748. 

  748.             Filename *keyfile;
    749. 

  749.             int keytype;
    750. 

  750.             const char *error;
    751. 

  751. 

  752.             keyfile = filename_from_str(val);
    753. 

  753.             keytype = key_type(keyfile);
    754. 

  754. 

  755.             if (keytype != SSH_KEYTYPE_SSH1) {
    756. 

  756.                 fprintf(stderr, "%s: '%s' is not loadable as an SSH-1 format "
    757. 

  757.                         "private key (%s)", appname, val,
    758. 

  758.                         key_type_to_str(keytype));
    759. 

  759.                 exit(1);
    760. 

  760.             }
    761. 

  761. 

  762.             if (ci->ssc.rsa_kex_key) {
    763. 

  763.                 freersakey(ci->ssc.rsa_kex_key);
    764. 

  764.             } else {
    765. 

  765.                 ci->ssc.rsa_kex_key = snew(RSAKey);
    766. 

  766.             }
    767. 

  767. 

  768.             if (!rsa1_load_f(keyfile, ci->ssc.rsa_kex_key, NULL, &error)) {
    769. 

  769.                 fprintf(stderr, "%s: unable to load RSA kex key '%s': "
    770. 

  770.                         "%s\n", appname, val, error);
    771. 

  771.                 exit(1);
    772. 

  772.             }
    773. 

  773. 

  774.             ci->ssc.rsa_kex_key->sshk.vt = &ssh_rsa;
    775. 

  775.         } else if (longoptarg(arg, "--userkey", &val, &argc, &argv)) {
    776. 

  776.             Filename *keyfile;
    777. 

  777.             int keytype;
    778. 

  778.             const char *error;
    779. 

  779. 

  780.             keyfile = filename_from_str(val);
    781. 

  781.             keytype = key_type(keyfile);
    782. 

  782. 

  783.             if (keytype == SSH_KEYTYPE_SSH2_PUBLIC_RFC4716 ||
    784. 

  784.                 keytype == SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH) {
    785. 

  785.                 strbuf *sb = strbuf_new();
    786. 

  786.                 struct AuthPolicy_ssh2_pubkey *node;
    787. 

  787.                 void *blob;
    788. 

  788. 

  789.                 if (!ppk_loadpub_f(keyfile, NULL, BinarySink_UPCAST(sb),
    790. 

  790.                                    NULL, &error)) {
    791. 

  791.                     fprintf(stderr, "%s: unable to load user key '%s': "
    792. 

  792.                             "%s\n", appname, val, error);
    793. 

  793.                     exit(1);
    794. 

  794.                 }
    795. 

  795. 

  796.                 node = snew_plus(struct AuthPolicy_ssh2_pubkey, sb->len);
    797. 

  797.                 blob = snew_plus_get_aux(node);
    798. 

  798.                 memcpy(blob, sb->u, sb->len);
    799. 

  799.                 node->public_blob = make_ptrlen(blob, sb->len);
    800. 

  800. 

  801.                 node->next = ci->aps.ssh2keys;
    802. 

  802.                 ci->aps.ssh2keys = node;
    803. 

  803. 

  804.                 strbuf_free(sb);
    805. 

  805.             } else if (keytype == SSH_KEYTYPE_SSH1_PUBLIC) {
    806. 

  806.                 strbuf *sb = strbuf_new();
    807. 

  807.                 BinarySource src[1];
    808. 

  808.                 struct AuthPolicy_ssh1_pubkey *node;
    809. 

  809. 

  810.                 if (!rsa1_loadpub_f(keyfile, BinarySink_UPCAST(sb),
    811. 

  811.                                     NULL, &error)) {
    812. 

  812.                     fprintf(stderr, "%s: unable to load user key '%s': "
    813. 

  813.                             "%s\n", appname, val, error);
    814. 

  814.                     exit(1);
    815. 

  815.                 }
    816. 

  816. 

  817.                 node = snew(struct AuthPolicy_ssh1_pubkey);
    818. 

  818.                 BinarySource_BARE_INIT(src, sb->u, sb->len);
    819. 

  819.                 get_rsa_ssh1_pub(src, &node->key, RSA_SSH1_EXPONENT_FIRST);
    820. 

  820. 

  821.                 node->next = ci->aps.ssh1keys;
    822. 

  822.                 ci->aps.ssh1keys = node;
    823. 

  823. 

  824.                 strbuf_free(sb);
    825. 

  825.             } else {
    826. 

  826.                 fprintf(stderr, "%s: '%s' is not loadable as a public key "
    827. 

  827.                         "(%s)\n", appname, val, key_type_to_str(keytype));
    828. 

  828.                 exit(1);
    829. 

  829.             }
    830. 

  830.         } else if (longoptarg(arg, "--bannerfile", &val, &argc, &argv)) {
    831. 

  831.             FILE *fp = fopen(val, "r");
    832. 

  832.             if (!fp) {
    833. 

  833.                 fprintf(stderr, "%s: %s: open: %s\n", appname,
    834. 

  834.                         val, strerror(errno));
    835. 

  835.                 exit(1);
    836. 

  836.             }
    837. 

  837.             strbuf *sb = strbuf_new();
    838. 

  838.             if (!read_file_into(BinarySink_UPCAST(sb), fp)) {
    839. 

  839.                 fprintf(stderr, "%s: %s: read: %s\n", appname,
    840. 

  840.                         val, strerror(errno));
    841. 

  841.                 exit(1);
    842. 

  842.             }
    843. 

  843.             fclose(fp);
    844. 

  844.             ci->ssc.banner = ptrlen_from_strbuf(sb);
    845. 

  845.         } else if (longoptarg(arg, "--bannertext", &val, &argc, &argv)) {
    846. 

  846.             ci->ssc.banner = ptrlen_from_asciz(val);
    847. 

  847.         } else if (longoptarg(arg, "--sessiondir", &val, &argc, &argv)) {
    848. 

  848.             ci->ssc.session_starting_dir = val;
    849. 

  849.         } else if (longoptarg(arg, "--kexinit-kex", &val, &argc, &argv)) {
    850. 

  850.             ci->ssc.kex_override[KEXLIST_KEX] = ptrlen_from_asciz(val);
    851. 

  851.         } else if (longoptarg(arg, "--kexinit-hostkey", &val, &argc, &argv)) {
    852. 

  852.             ci->ssc.kex_override[KEXLIST_HOSTKEY] = ptrlen_from_asciz(val);
    853. 

  853.         } else if (longoptarg(arg, "--kexinit-cscipher", &val, &argc, &argv)) {
    854. 

  854.             ci->ssc.kex_override[KEXLIST_CSCIPHER] = ptrlen_from_asciz(val);
    855. 

  855.         } else if (longoptarg(arg, "--kexinit-csmac", &val, &argc, &argv)) {
    856. 

  856.             ci->ssc.kex_override[KEXLIST_CSMAC] = ptrlen_from_asciz(val);
    857. 

  857.         } else if (longoptarg(arg, "--kexinit-cscomp", &val, &argc, &argv)) {
    858. 

  858.             ci->ssc.kex_override[KEXLIST_CSCOMP] = ptrlen_from_asciz(val);
    859. 

  859.         } else if (longoptarg(arg, "--kexinit-sccipher", &val, &argc, &argv)) {
    860. 

  860.             ci->ssc.kex_override[KEXLIST_SCCIPHER] = ptrlen_from_asciz(val);
    861. 

  861.         } else if (longoptarg(arg, "--kexinit-scmac", &val, &argc, &argv)) {
    862. 

  862.             ci->ssc.kex_override[KEXLIST_SCMAC] = ptrlen_from_asciz(val);
    863. 

  863.         } else if (longoptarg(arg, "--kexinit-sccomp", &val, &argc, &argv)) {
    864. 

  864.             ci->ssc.kex_override[KEXLIST_SCCOMP] = ptrlen_from_asciz(val);
    865. 

  865.         } else if (longoptarg(arg, "--allow-auth", &val, &argc, &argv)) {
    866. 

  866.             unsigned method = auth_method_from_name(val);
    867. 

  867.             if (!method) {
    868. 

  868.                 fprintf(stderr, "%s: unrecognised auth method '%s'\n",
    869. 

  869.                         appname, val);
    870. 

  870.                 exit(1);
    871. 

  871.             }
    872. 

  872.             ci->auth_methods |= method;
    873. 

  873.         } else if (longoptarg(arg, "--deny-auth", &val, &argc, &argv)) {
    874. 

  874.             unsigned method = auth_method_from_name(val);
    875. 

  875.             if (!method) {
    876. 

  876.                 fprintf(stderr, "%s: unrecognised auth method '%s'\n",
    877. 

  877.                         appname, val);
    878. 

  878.                 exit(1);
    879. 

  879.             }
    880. 

  880.             ci->auth_methods &= ~method;
    881. 

  881.         } else if (longoptarg(arg, "--ssh1-ciphers", &val, &argc, &argv)) {
    882. 

  882.             ptrlen list = ptrlen_from_asciz(val);
    883. 

  883.             ptrlen word;
    884. 

  884.             unsigned long mask = 0;
    885. 

  885.             while (word = ptrlen_get_word(&list, ","), word.len != 0) {
    886. 

  886. 

  887. #define SSH1_CIPHER_CASE(bitpos, name)                  \
    888. 

  888.                 if (ptrlen_eq_string(word, name)) {     \
    889. 

  889.                     mask |= 1U << bitpos;               \
    890. 

  890.                     continue;                           \
    891. 

  891.                 }
    892. 

  892.                 SSH1_SUPPORTED_CIPHER_LIST(SSH1_CIPHER_CASE);
    893. 

  893. #undef SSH1_CIPHER_CASE
    894. 

  894. 

  895.                 fprintf(stderr, "%s: unrecognised SSH-1 cipher '%.*s'\n",
    896. 

  896.                         appname, PTRLEN_PRINTF(word));
    897. 

  897.                 exit(1);
    898. 

  898.             }
    899. 

  899.             ci->ssc.ssh1_cipher_mask = mask;
    900. 

  900.         } else if (longoptnoarg(arg, "--ssh1-no-compression")) {
    901. 

  901.             ci->ssc.ssh1_allow_compression = false;
    902. 

  902.         } else if (longoptnoarg(arg, "--exitsignum")) {
    903. 

  903.             ci->ssc.exit_signal_numeric = true;
    904. 

  904.         } else if (longoptarg(arg, "--sshlog", &val, &argc, &argv) ||
    905. 

  905.                    longoptarg(arg, "-sshlog", &val, &argc, &argv)) {
    906. 

  906.             Filename *logfile = filename_from_str(val);
    907. 

  907.             conf_set_filename(ci->conf, CONF_logfilename, logfile);
    908. 

  908.             filename_free(logfile);
    909. 

  909.             conf_set_int(ci->conf, CONF_logtype, LGTYP_PACKETS);
    910. 

  910.             conf_set_int(ci->conf, CONF_logxfovr, LGXF_OVR);
    911. 

  911.         } else if (longoptarg(arg, "--sshrawlog", &val, &argc, &argv) ||
    912. 

  912.                    longoptarg(arg, "-sshrawlog", &val, &argc, &argv)) {
    913. 

  913.             Filename *logfile = filename_from_str(val);
    914. 

  914.             conf_set_filename(ci->conf, CONF_logfilename, logfile);
    915. 

  915.             filename_free(logfile);
    916. 

  916.             conf_set_int(ci->conf, CONF_logtype, LGTYP_SSHRAW);
    917. 

  917.             conf_set_int(ci->conf, CONF_logxfovr, LGXF_OVR);
    918. 

  918.         } else if (!strcmp(arg, "--pretend-to-accept-any-pubkey")) {
    919. 

  919.             ci->ssc.stunt_pretend_to_accept_any_pubkey = true;
    920. 

  920.         } else if (!strcmp(arg, "--open-unconditional-agent-socket")) {
    921. 

  921.             ci->ssc.stunt_open_unconditional_agent_socket = true;
    922. 

  922.         } else if (!strcmp(arg, "--allow-none-auth")) {
    923. 

  923.             /* backwards-compatibility synonym for --allow-auth=none */
    924. 

  924.             ci->auth_methods |= AUTHMETHOD_NONE;
    925. 

  925.         } else if (!strcmp(arg, "--allow-trivial-ki-auth")) {
    926. 

  926.             ci->ssc.stunt_allow_trivial_ki_auth = true;
    927. 

  927.         } else if (!strcmp(arg, "--return-success-to-pubkey-offer")) {
    928. 

  928.             ci->ssc.stunt_return_success_to_pubkey_offer = true;
    929. 

  929.         } else if (!strcmp(arg, "--close-after-banner")) {
    930. 

  930.             ci->ssc.stunt_close_after_banner = true;
    931. 

  931.         } else {
    932. 

  932.             fprintf(stderr, "%s: unrecognised option '%s'\n", appname, arg);
    933. 

  933.             exit(1);
    934. 

  934.         }
    935. 

  935.     }
    936. 

  936. 

  937.     if (ninstances > 1 && listen_once) {
    938. 

  938.         fprintf(stderr, "%s: cannot listen once only with multiple server "
    939. 

  939.                 "instances\n", appname);
    940. 

  940.         exit(1);
    941. 

  941.     }
    942. 

  942.     for (size_t i = 0; i < ninstances; i++) {
    943. 

  943.         ci = &instances[i];
    944. 

  944.         if (ci->nhostkeys == 0 && !ci->hostkey1) {
    945. 

  945.             fprintf(stderr, "%s: specify at least one host key\n", appname);
    946. 

  946.             exit(1);
    947. 

  947.         }
    948. 

  948.         if (ninstances > 1 && !(ci->listen_port >= 0 || ci->listen_socket)) {
    949. 

  949.             fprintf(stderr, "%s: cannot talk to stdio with multiple server "
    950. 

  950.                     "instances\n", appname);
    951. 

  951.             exit(1);
    952. 

  952.         }
    953. 

  953.     }
    954. 

  954. 

  955.     random_ref();
    956. 

  956. 

  957.     /*
    958. 

  958.      * Block SIGPIPE, so that we'll get EPIPE individually on
    959. 

  959.      * particular network connections that go wrong.
    960. 

  960.      */
    961. 

  961.     putty_signal(SIGPIPE, SIG_IGN);
    962. 

  962. 

  963.     sk_init();
    964. 

  964.     uxsel_init();
    965. 

  965. 

  966.     for (size_t i = 0; i < ninstances; i++)
    967. 

  967.         cmdline_instance_start(&instances[i]);
    968. 

  968. 

  969.     cli_main_loop(cliloop_no_pw_setup, cliloop_no_pw_check,
    970. 

  970.                   cliloop_always_continue, NULL);
    971. 

  971. 

  972.     return 0;
    973. 

  973. }
    974. 

  974.