Home | History | Annotate | Download | only in openssh
      1 /* $OpenBSD: session.c,v 1.258 2010/11/25 04:10:09 djm Exp $ */
      2 /*
      3  * Copyright (c) 1995 Tatu Ylonen <ylo (at) cs.hut.fi>, Espoo, Finland
      4  *                    All rights reserved
      5  *
      6  * As far as I am concerned, the code I have written for this software
      7  * can be used freely for any purpose.  Any derived versions of this
      8  * software must be clearly marked as such, and if the derived work is
      9  * incompatible with the protocol description in the RFC file, it must be
     10  * called by a name other than "ssh" or "Secure Shell".
     11  *
     12  * SSH2 support by Markus Friedl.
     13  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
     14  *
     15  * Redistribution and use in source and binary forms, with or without
     16  * modification, are permitted provided that the following conditions
     17  * are met:
     18  * 1. Redistributions of source code must retain the above copyright
     19  *    notice, this list of conditions and the following disclaimer.
     20  * 2. Redistributions in binary form must reproduce the above copyright
     21  *    notice, this list of conditions and the following disclaimer in the
     22  *    documentation and/or other materials provided with the distribution.
     23  *
     24  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
     25  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
     26  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
     27  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
     28  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     29  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
     30  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
     31  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     32  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
     33  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     34  */
     35 
     36 #include "includes.h"
     37 
     38 #include <sys/types.h>
     39 #include <sys/param.h>
     40 #ifdef HAVE_SYS_STAT_H
     41 # include <sys/stat.h>
     42 #endif
     43 #include <sys/socket.h>
     44 #include <sys/un.h>
     45 #include <sys/wait.h>
     46 
     47 #include <arpa/inet.h>
     48 
     49 #include <errno.h>
     50 #include <fcntl.h>
     51 #include <grp.h>
     52 #ifdef HAVE_PATHS_H
     53 #include <paths.h>
     54 #endif
     55 #include <pwd.h>
     56 #include <signal.h>
     57 #include <stdarg.h>
     58 #include <stdio.h>
     59 #include <stdlib.h>
     60 #include <string.h>
     61 #include <unistd.h>
     62 
     63 #include "openbsd-compat/sys-queue.h"
     64 #include "xmalloc.h"
     65 #include "ssh.h"
     66 #include "ssh1.h"
     67 #include "ssh2.h"
     68 #include "sshpty.h"
     69 #include "packet.h"
     70 #include "buffer.h"
     71 #include "match.h"
     72 #include "uidswap.h"
     73 #include "compat.h"
     74 #include "channels.h"
     75 #include "key.h"
     76 #include "cipher.h"
     77 #ifdef GSSAPI
     78 #include "ssh-gss.h"
     79 #endif
     80 #include "hostfile.h"
     81 #include "auth.h"
     82 #include "auth-options.h"
     83 #include "pathnames.h"
     84 #include "log.h"
     85 #include "servconf.h"
     86 #include "sshlogin.h"
     87 #include "serverloop.h"
     88 #include "canohost.h"
     89 #include "misc.h"
     90 #include "session.h"
     91 #include "kex.h"
     92 #include "monitor_wrap.h"
     93 #include "sftp.h"
     94 
     95 #if defined(KRB5) && defined(USE_AFS)
     96 #include <kafs.h>
     97 #endif
     98 
     99 #ifdef WITH_SELINUX
    100 #include <selinux/selinux.h>
    101 #endif
    102 
    103 #define IS_INTERNAL_SFTP(c) \
    104 	(!strncmp(c, INTERNAL_SFTP_NAME, sizeof(INTERNAL_SFTP_NAME) - 1) && \
    105 	 (c[sizeof(INTERNAL_SFTP_NAME) - 1] == '\0' || \
    106 	  c[sizeof(INTERNAL_SFTP_NAME) - 1] == ' ' || \
    107 	  c[sizeof(INTERNAL_SFTP_NAME) - 1] == '\t'))
    108 
    109 /* func */
    110 
    111 Session *session_new(void);
    112 void	session_set_fds(Session *, int, int, int, int, int);
    113 void	session_pty_cleanup(Session *);
    114 void	session_proctitle(Session *);
    115 int	session_setup_x11fwd(Session *);
    116 int	do_exec_pty(Session *, const char *);
    117 int	do_exec_no_pty(Session *, const char *);
    118 int	do_exec(Session *, const char *);
    119 void	do_login(Session *, const char *);
    120 #ifdef LOGIN_NEEDS_UTMPX
    121 static void	do_pre_login(Session *s);
    122 #endif
    123 void	do_child(Session *, const char *);
    124 void	do_motd(void);
    125 int	check_quietlogin(Session *, const char *);
    126 
    127 static void do_authenticated1(Authctxt *);
    128 static void do_authenticated2(Authctxt *);
    129 
    130 static int session_pty_req(Session *);
    131 
    132 /* import */
    133 extern ServerOptions options;
    134 extern char *__progname;
    135 extern int log_stderr;
    136 extern int debug_flag;
    137 extern u_int utmp_len;
    138 extern int startup_pipe;
    139 extern void destroy_sensitive_data(void);
    140 extern Buffer loginmsg;
    141 
    142 /* original command from peer. */
    143 const char *original_command = NULL;
    144 
    145 /* data */
    146 static int sessions_first_unused = -1;
    147 static int sessions_nalloc = 0;
    148 static Session *sessions = NULL;
    149 
    150 #define SUBSYSTEM_NONE			0
    151 #define SUBSYSTEM_EXT			1
    152 #define SUBSYSTEM_INT_SFTP		2
    153 #define SUBSYSTEM_INT_SFTP_ERROR	3
    154 
    155 #ifdef HAVE_LOGIN_CAP
    156 login_cap_t *lc;
    157 #endif
    158 
    159 static int is_child = 0;
    160 
    161 /* Name and directory of socket for authentication agent forwarding. */
    162 static char *auth_sock_name = NULL;
    163 static char *auth_sock_dir = NULL;
    164 
    165 /* removes the agent forwarding socket */
    166 
    167 static void
    168 auth_sock_cleanup_proc(struct passwd *pw)
    169 {
    170 	if (auth_sock_name != NULL) {
    171 		temporarily_use_uid(pw);
    172 		unlink(auth_sock_name);
    173 		rmdir(auth_sock_dir);
    174 		auth_sock_name = NULL;
    175 		restore_uid();
    176 	}
    177 }
    178 
    179 static int
    180 auth_input_request_forwarding(struct passwd * pw)
    181 {
    182 	Channel *nc;
    183 	int sock = -1;
    184 	struct sockaddr_un sunaddr;
    185 
    186 	if (auth_sock_name != NULL) {
    187 		error("authentication forwarding requested twice.");
    188 		return 0;
    189 	}
    190 
    191 	/* Temporarily drop privileged uid for mkdir/bind. */
    192 	temporarily_use_uid(pw);
    193 
    194 	/* Allocate a buffer for the socket name, and format the name. */
    195 	auth_sock_dir = xstrdup("/tmp/ssh-XXXXXXXXXX");
    196 
    197 	/* Create private directory for socket */
    198 	if (mkdtemp(auth_sock_dir) == NULL) {
    199 		packet_send_debug("Agent forwarding disabled: "
    200 		    "mkdtemp() failed: %.100s", strerror(errno));
    201 		restore_uid();
    202 		xfree(auth_sock_dir);
    203 		auth_sock_dir = NULL;
    204 		goto authsock_err;
    205 	}
    206 
    207 	xasprintf(&auth_sock_name, "%s/agent.%ld",
    208 	    auth_sock_dir, (long) getpid());
    209 
    210 	/* Create the socket. */
    211 	sock = socket(AF_UNIX, SOCK_STREAM, 0);
    212 	if (sock < 0) {
    213 		error("socket: %.100s", strerror(errno));
    214 		restore_uid();
    215 		goto authsock_err;
    216 	}
    217 
    218 	/* Bind it to the name. */
    219 	memset(&sunaddr, 0, sizeof(sunaddr));
    220 	sunaddr.sun_family = AF_UNIX;
    221 	strlcpy(sunaddr.sun_path, auth_sock_name, sizeof(sunaddr.sun_path));
    222 
    223 	if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) {
    224 		error("bind: %.100s", strerror(errno));
    225 		restore_uid();
    226 		goto authsock_err;
    227 	}
    228 
    229 	/* Restore the privileged uid. */
    230 	restore_uid();
    231 
    232 	/* Start listening on the socket. */
    233 	if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
    234 		error("listen: %.100s", strerror(errno));
    235 		goto authsock_err;
    236 	}
    237 
    238 	/* Allocate a channel for the authentication agent socket. */
    239 	nc = channel_new("auth socket",
    240 	    SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
    241 	    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
    242 	    0, "auth socket", 1);
    243 	nc->path = xstrdup(auth_sock_name);
    244 	return 1;
    245 
    246  authsock_err:
    247 	if (auth_sock_name != NULL)
    248 		xfree(auth_sock_name);
    249 	if (auth_sock_dir != NULL) {
    250 		rmdir(auth_sock_dir);
    251 		xfree(auth_sock_dir);
    252 	}
    253 	if (sock != -1)
    254 		close(sock);
    255 	auth_sock_name = NULL;
    256 	auth_sock_dir = NULL;
    257 	return 0;
    258 }
    259 
    260 static void
    261 display_loginmsg(void)
    262 {
    263 	if (buffer_len(&loginmsg) > 0) {
    264 		buffer_append(&loginmsg, "\0", 1);
    265 		printf("%s", (char *)buffer_ptr(&loginmsg));
    266 		buffer_clear(&loginmsg);
    267 	}
    268 }
    269 
    270 void
    271 do_authenticated(Authctxt *authctxt)
    272 {
    273 	setproctitle("%s", authctxt->pw->pw_name);
    274 
    275 	/* setup the channel layer */
    276 	if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
    277 		channel_permit_all_opens();
    278 
    279 	auth_debug_send();
    280 
    281 	if (compat20)
    282 		do_authenticated2(authctxt);
    283 	else
    284 		do_authenticated1(authctxt);
    285 
    286 	do_cleanup(authctxt);
    287 }
    288 
    289 /*
    290  * Prepares for an interactive session.  This is called after the user has
    291  * been successfully authenticated.  During this message exchange, pseudo
    292  * terminals are allocated, X11, TCP/IP, and authentication agent forwardings
    293  * are requested, etc.
    294  */
    295 static void
    296 do_authenticated1(Authctxt *authctxt)
    297 {
    298 	Session *s;
    299 	char *command;
    300 	int success, type, screen_flag;
    301 	int enable_compression_after_reply = 0;
    302 	u_int proto_len, data_len, dlen, compression_level = 0;
    303 
    304 	s = session_new();
    305 	if (s == NULL) {
    306 		error("no more sessions");
    307 		return;
    308 	}
    309 	s->authctxt = authctxt;
    310 	s->pw = authctxt->pw;
    311 
    312 	/*
    313 	 * We stay in this loop until the client requests to execute a shell
    314 	 * or a command.
    315 	 */
    316 	for (;;) {
    317 		success = 0;
    318 
    319 		/* Get a packet from the client. */
    320 		type = packet_read();
    321 
    322 		/* Process the packet. */
    323 		switch (type) {
    324 		case SSH_CMSG_REQUEST_COMPRESSION:
    325 			compression_level = packet_get_int();
    326 			packet_check_eom();
    327 			if (compression_level < 1 || compression_level > 9) {
    328 				packet_send_debug("Received invalid compression level %d.",
    329 				    compression_level);
    330 				break;
    331 			}
    332 			if (options.compression == COMP_NONE) {
    333 				debug2("compression disabled");
    334 				break;
    335 			}
    336 			/* Enable compression after we have responded with SUCCESS. */
    337 			enable_compression_after_reply = 1;
    338 			success = 1;
    339 			break;
    340 
    341 		case SSH_CMSG_REQUEST_PTY:
    342 			success = session_pty_req(s);
    343 			break;
    344 
    345 		case SSH_CMSG_X11_REQUEST_FORWARDING:
    346 			s->auth_proto = packet_get_string(&proto_len);
    347 			s->auth_data = packet_get_string(&data_len);
    348 
    349 			screen_flag = packet_get_protocol_flags() &
    350 			    SSH_PROTOFLAG_SCREEN_NUMBER;
    351 			debug2("SSH_PROTOFLAG_SCREEN_NUMBER: %d", screen_flag);
    352 
    353 			if (packet_remaining() == 4) {
    354 				if (!screen_flag)
    355 					debug2("Buggy client: "
    356 					    "X11 screen flag missing");
    357 				s->screen = packet_get_int();
    358 			} else {
    359 				s->screen = 0;
    360 			}
    361 			packet_check_eom();
    362 			success = session_setup_x11fwd(s);
    363 			if (!success) {
    364 				xfree(s->auth_proto);
    365 				xfree(s->auth_data);
    366 				s->auth_proto = NULL;
    367 				s->auth_data = NULL;
    368 			}
    369 			break;
    370 
    371 		case SSH_CMSG_AGENT_REQUEST_FORWARDING:
    372 			if (!options.allow_agent_forwarding ||
    373 			    no_agent_forwarding_flag || compat13) {
    374 				debug("Authentication agent forwarding not permitted for this authentication.");
    375 				break;
    376 			}
    377 			debug("Received authentication agent forwarding request.");
    378 			success = auth_input_request_forwarding(s->pw);
    379 			break;
    380 
    381 		case SSH_CMSG_PORT_FORWARD_REQUEST:
    382 			if (no_port_forwarding_flag) {
    383 				debug("Port forwarding not permitted for this authentication.");
    384 				break;
    385 			}
    386 			if (!options.allow_tcp_forwarding) {
    387 				debug("Port forwarding not permitted.");
    388 				break;
    389 			}
    390 			debug("Received TCP/IP port forwarding request.");
    391 			if (channel_input_port_forward_request(s->pw->pw_uid == 0,
    392 			    options.gateway_ports) < 0) {
    393 				debug("Port forwarding failed.");
    394 				break;
    395 			}
    396 			success = 1;
    397 			break;
    398 
    399 		case SSH_CMSG_MAX_PACKET_SIZE:
    400 			if (packet_set_maxsize(packet_get_int()) > 0)
    401 				success = 1;
    402 			break;
    403 
    404 		case SSH_CMSG_EXEC_SHELL:
    405 		case SSH_CMSG_EXEC_CMD:
    406 			if (type == SSH_CMSG_EXEC_CMD) {
    407 				command = packet_get_string(&dlen);
    408 				debug("Exec command '%.500s'", command);
    409 				if (do_exec(s, command) != 0)
    410 					packet_disconnect(
    411 					    "command execution failed");
    412 				xfree(command);
    413 			} else {
    414 				if (do_exec(s, NULL) != 0)
    415 					packet_disconnect(
    416 					    "shell execution failed");
    417 			}
    418 			packet_check_eom();
    419 			session_close(s);
    420 			return;
    421 
    422 		default:
    423 			/*
    424 			 * Any unknown messages in this phase are ignored,
    425 			 * and a failure message is returned.
    426 			 */
    427 			logit("Unknown packet type received after authentication: %d", type);
    428 		}
    429 		packet_start(success ? SSH_SMSG_SUCCESS : SSH_SMSG_FAILURE);
    430 		packet_send();
    431 		packet_write_wait();
    432 
    433 		/* Enable compression now that we have replied if appropriate. */
    434 		if (enable_compression_after_reply) {
    435 			enable_compression_after_reply = 0;
    436 			packet_start_compression(compression_level);
    437 		}
    438 	}
    439 }
    440 
    441 #define USE_PIPES
    442 /*
    443  * This is called to fork and execute a command when we have no tty.  This
    444  * will call do_child from the child, and server_loop from the parent after
    445  * setting up file descriptors and such.
    446  */
    447 int
    448 do_exec_no_pty(Session *s, const char *command)
    449 {
    450 	pid_t pid;
    451 
    452 #ifdef USE_PIPES
    453 	int pin[2], pout[2], perr[2];
    454 
    455 	if (s == NULL)
    456 		fatal("do_exec_no_pty: no session");
    457 
    458 	/* Allocate pipes for communicating with the program. */
    459 	if (pipe(pin) < 0) {
    460 		error("%s: pipe in: %.100s", __func__, strerror(errno));
    461 		return -1;
    462 	}
    463 	if (pipe(pout) < 0) {
    464 		error("%s: pipe out: %.100s", __func__, strerror(errno));
    465 		close(pin[0]);
    466 		close(pin[1]);
    467 		return -1;
    468 	}
    469 	if (pipe(perr) < 0) {
    470 		error("%s: pipe err: %.100s", __func__,
    471 		    strerror(errno));
    472 		close(pin[0]);
    473 		close(pin[1]);
    474 		close(pout[0]);
    475 		close(pout[1]);
    476 		return -1;
    477 	}
    478 #else
    479 	int inout[2], err[2];
    480 
    481 	if (s == NULL)
    482 		fatal("do_exec_no_pty: no session");
    483 
    484 	/* Uses socket pairs to communicate with the program. */
    485 	if (socketpair(AF_UNIX, SOCK_STREAM, 0, inout) < 0) {
    486 		error("%s: socketpair #1: %.100s", __func__, strerror(errno));
    487 		return -1;
    488 	}
    489 	if (socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0) {
    490 		error("%s: socketpair #2: %.100s", __func__,
    491 		    strerror(errno));
    492 		close(inout[0]);
    493 		close(inout[1]);
    494 		return -1;
    495 	}
    496 #endif
    497 
    498 	session_proctitle(s);
    499 
    500 	/* Fork the child. */
    501 	switch ((pid = fork())) {
    502 	case -1:
    503 		error("%s: fork: %.100s", __func__, strerror(errno));
    504 #ifdef USE_PIPES
    505 		close(pin[0]);
    506 		close(pin[1]);
    507 		close(pout[0]);
    508 		close(pout[1]);
    509 		close(perr[0]);
    510 		close(perr[1]);
    511 #else
    512 		close(inout[0]);
    513 		close(inout[1]);
    514 		close(err[0]);
    515 		close(err[1]);
    516 #endif
    517 		return -1;
    518 	case 0:
    519 		is_child = 1;
    520 
    521 		/* Child.  Reinitialize the log since the pid has changed. */
    522 		log_init(__progname, options.log_level,
    523 		    options.log_facility, log_stderr);
    524 
    525 		/*
    526 		 * Create a new session and process group since the 4.4BSD
    527 		 * setlogin() affects the entire process group.
    528 		 */
    529 		if (setsid() < 0)
    530 			error("setsid failed: %.100s", strerror(errno));
    531 
    532 #ifdef USE_PIPES
    533 		/*
    534 		 * Redirect stdin.  We close the parent side of the socket
    535 		 * pair, and make the child side the standard input.
    536 		 */
    537 		close(pin[1]);
    538 		if (dup2(pin[0], 0) < 0)
    539 			perror("dup2 stdin");
    540 		close(pin[0]);
    541 
    542 		/* Redirect stdout. */
    543 		close(pout[0]);
    544 		if (dup2(pout[1], 1) < 0)
    545 			perror("dup2 stdout");
    546 		close(pout[1]);
    547 
    548 		/* Redirect stderr. */
    549 		close(perr[0]);
    550 		if (dup2(perr[1], 2) < 0)
    551 			perror("dup2 stderr");
    552 		close(perr[1]);
    553 #else
    554 		/*
    555 		 * Redirect stdin, stdout, and stderr.  Stdin and stdout will
    556 		 * use the same socket, as some programs (particularly rdist)
    557 		 * seem to depend on it.
    558 		 */
    559 		close(inout[1]);
    560 		close(err[1]);
    561 		if (dup2(inout[0], 0) < 0)	/* stdin */
    562 			perror("dup2 stdin");
    563 		if (dup2(inout[0], 1) < 0)	/* stdout (same as stdin) */
    564 			perror("dup2 stdout");
    565 		close(inout[0]);
    566 		if (dup2(err[0], 2) < 0)	/* stderr */
    567 			perror("dup2 stderr");
    568 		close(err[0]);
    569 #endif
    570 
    571 
    572 #ifdef _UNICOS
    573 		cray_init_job(s->pw); /* set up cray jid and tmpdir */
    574 #endif
    575 
    576 		/* Do processing for the child (exec command etc). */
    577 		do_child(s, command);
    578 		/* NOTREACHED */
    579 	default:
    580 		break;
    581 	}
    582 
    583 #ifdef _UNICOS
    584 	signal(WJSIGNAL, cray_job_termination_handler);
    585 #endif /* _UNICOS */
    586 #ifdef HAVE_CYGWIN
    587 	cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
    588 #endif
    589 
    590 	s->pid = pid;
    591 	/* Set interactive/non-interactive mode. */
    592 	packet_set_interactive(s->display != NULL,
    593 	    options.ip_qos_interactive, options.ip_qos_bulk);
    594 
    595 	/*
    596 	 * Clear loginmsg, since it's the child's responsibility to display
    597 	 * it to the user, otherwise multiple sessions may accumulate
    598 	 * multiple copies of the login messages.
    599 	 */
    600 	buffer_clear(&loginmsg);
    601 
    602 #ifdef USE_PIPES
    603 	/* We are the parent.  Close the child sides of the pipes. */
    604 	close(pin[0]);
    605 	close(pout[1]);
    606 	close(perr[1]);
    607 
    608 	if (compat20) {
    609 		session_set_fds(s, pin[1], pout[0], perr[0],
    610 		    s->is_subsystem, 0);
    611 	} else {
    612 		/* Enter the interactive session. */
    613 		server_loop(pid, pin[1], pout[0], perr[0]);
    614 		/* server_loop has closed pin[1], pout[0], and perr[0]. */
    615 	}
    616 #else
    617 	/* We are the parent.  Close the child sides of the socket pairs. */
    618 	close(inout[0]);
    619 	close(err[0]);
    620 
    621 	/*
    622 	 * Enter the interactive session.  Note: server_loop must be able to
    623 	 * handle the case that fdin and fdout are the same.
    624 	 */
    625 	if (compat20) {
    626 		session_set_fds(s, inout[1], inout[1], err[1],
    627 		    s->is_subsystem, 0);
    628 	} else {
    629 		server_loop(pid, inout[1], inout[1], err[1]);
    630 		/* server_loop has closed inout[1] and err[1]. */
    631 	}
    632 #endif
    633 	return 0;
    634 }
    635 
    636 /*
    637  * This is called to fork and execute a command when we have a tty.  This
    638  * will call do_child from the child, and server_loop from the parent after
    639  * setting up file descriptors, controlling tty, updating wtmp, utmp,
    640  * lastlog, and other such operations.
    641  */
    642 int
    643 do_exec_pty(Session *s, const char *command)
    644 {
    645 	int fdout, ptyfd, ttyfd, ptymaster;
    646 	pid_t pid;
    647 
    648 	if (s == NULL)
    649 		fatal("do_exec_pty: no session");
    650 	ptyfd = s->ptyfd;
    651 	ttyfd = s->ttyfd;
    652 
    653 	/*
    654 	 * Create another descriptor of the pty master side for use as the
    655 	 * standard input.  We could use the original descriptor, but this
    656 	 * simplifies code in server_loop.  The descriptor is bidirectional.
    657 	 * Do this before forking (and cleanup in the child) so as to
    658 	 * detect and gracefully fail out-of-fd conditions.
    659 	 */
    660 	if ((fdout = dup(ptyfd)) < 0) {
    661 		error("%s: dup #1: %s", __func__, strerror(errno));
    662 		close(ttyfd);
    663 		close(ptyfd);
    664 		return -1;
    665 	}
    666 	/* we keep a reference to the pty master */
    667 	if ((ptymaster = dup(ptyfd)) < 0) {
    668 		error("%s: dup #2: %s", __func__, strerror(errno));
    669 		close(ttyfd);
    670 		close(ptyfd);
    671 		close(fdout);
    672 		return -1;
    673 	}
    674 
    675 	/* Fork the child. */
    676 	switch ((pid = fork())) {
    677 	case -1:
    678 		error("%s: fork: %.100s", __func__, strerror(errno));
    679 		close(fdout);
    680 		close(ptymaster);
    681 		close(ttyfd);
    682 		close(ptyfd);
    683 		return -1;
    684 	case 0:
    685 		is_child = 1;
    686 
    687 		close(fdout);
    688 		close(ptymaster);
    689 
    690 		/* Child.  Reinitialize the log because the pid has changed. */
    691 		log_init(__progname, options.log_level,
    692 		    options.log_facility, log_stderr);
    693 		/* Close the master side of the pseudo tty. */
    694 		close(ptyfd);
    695 
    696 		/* Make the pseudo tty our controlling tty. */
    697 		pty_make_controlling_tty(&ttyfd, s->tty);
    698 
    699 		/* Redirect stdin/stdout/stderr from the pseudo tty. */
    700 		if (dup2(ttyfd, 0) < 0)
    701 			error("dup2 stdin: %s", strerror(errno));
    702 		if (dup2(ttyfd, 1) < 0)
    703 			error("dup2 stdout: %s", strerror(errno));
    704 		if (dup2(ttyfd, 2) < 0)
    705 			error("dup2 stderr: %s", strerror(errno));
    706 
    707 		/* Close the extra descriptor for the pseudo tty. */
    708 		close(ttyfd);
    709 
    710 		/* record login, etc. similar to login(1) */
    711 #ifndef HAVE_OSF_SIA
    712 		if (!(options.use_login && command == NULL)) {
    713 #ifdef _UNICOS
    714 			cray_init_job(s->pw); /* set up cray jid and tmpdir */
    715 #endif /* _UNICOS */
    716 			do_login(s, command);
    717 		}
    718 # ifdef LOGIN_NEEDS_UTMPX
    719 		else
    720 			do_pre_login(s);
    721 # endif
    722 #endif
    723 		/*
    724 		 * Do common processing for the child, such as execing
    725 		 * the command.
    726 		 */
    727 		do_child(s, command);
    728 		/* NOTREACHED */
    729 	default:
    730 		break;
    731 	}
    732 
    733 #ifdef _UNICOS
    734 	signal(WJSIGNAL, cray_job_termination_handler);
    735 #endif /* _UNICOS */
    736 #ifdef HAVE_CYGWIN
    737 	cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
    738 #endif
    739 
    740 	s->pid = pid;
    741 
    742 	/* Parent.  Close the slave side of the pseudo tty. */
    743 	close(ttyfd);
    744 
    745 	/* Enter interactive session. */
    746 	s->ptymaster = ptymaster;
    747 	packet_set_interactive(1,
    748 	    options.ip_qos_interactive, options.ip_qos_bulk);
    749 	if (compat20) {
    750 		session_set_fds(s, ptyfd, fdout, -1, 1, 1);
    751 	} else {
    752 		server_loop(pid, ptyfd, fdout, -1);
    753 		/* server_loop _has_ closed ptyfd and fdout. */
    754 	}
    755 	return 0;
    756 }
    757 
    758 #ifdef LOGIN_NEEDS_UTMPX
    759 static void
    760 do_pre_login(Session *s)
    761 {
    762 	socklen_t fromlen;
    763 	struct sockaddr_storage from;
    764 	pid_t pid = getpid();
    765 
    766 	/*
    767 	 * Get IP address of client. If the connection is not a socket, let
    768 	 * the address be 0.0.0.0.
    769 	 */
    770 	memset(&from, 0, sizeof(from));
    771 	fromlen = sizeof(from);
    772 	if (packet_connection_is_on_socket()) {
    773 		if (getpeername(packet_get_connection_in(),
    774 		    (struct sockaddr *)&from, &fromlen) < 0) {
    775 			debug("getpeername: %.100s", strerror(errno));
    776 			cleanup_exit(255);
    777 		}
    778 	}
    779 
    780 	record_utmp_only(pid, s->tty, s->pw->pw_name,
    781 	    get_remote_name_or_ip(utmp_len, options.use_dns),
    782 	    (struct sockaddr *)&from, fromlen);
    783 }
    784 #endif
    785 
    786 /*
    787  * This is called to fork and execute a command.  If another command is
    788  * to be forced, execute that instead.
    789  */
    790 int
    791 do_exec(Session *s, const char *command)
    792 {
    793 	int ret;
    794 
    795 	if (options.adm_forced_command) {
    796 		original_command = command;
    797 		command = options.adm_forced_command;
    798 		if (IS_INTERNAL_SFTP(command)) {
    799 			s->is_subsystem = s->is_subsystem ?
    800 			    SUBSYSTEM_INT_SFTP : SUBSYSTEM_INT_SFTP_ERROR;
    801 		} else if (s->is_subsystem)
    802 			s->is_subsystem = SUBSYSTEM_EXT;
    803 		debug("Forced command (config) '%.900s'", command);
    804 	} else if (forced_command) {
    805 		original_command = command;
    806 		command = forced_command;
    807 		if (IS_INTERNAL_SFTP(command)) {
    808 			s->is_subsystem = s->is_subsystem ?
    809 			    SUBSYSTEM_INT_SFTP : SUBSYSTEM_INT_SFTP_ERROR;
    810 		} else if (s->is_subsystem)
    811 			s->is_subsystem = SUBSYSTEM_EXT;
    812 		debug("Forced command (key option) '%.900s'", command);
    813 	}
    814 
    815 #ifdef SSH_AUDIT_EVENTS
    816 	if (command != NULL)
    817 		PRIVSEP(audit_run_command(command));
    818 	else if (s->ttyfd == -1) {
    819 		char *shell = s->pw->pw_shell;
    820 
    821 		if (shell[0] == '\0')	/* empty shell means /bin/sh */
    822 			shell =_PATH_BSHELL;
    823 		PRIVSEP(audit_run_command(shell));
    824 	}
    825 #endif
    826 	if (s->ttyfd != -1)
    827 		ret = do_exec_pty(s, command);
    828 	else
    829 		ret = do_exec_no_pty(s, command);
    830 
    831 	original_command = NULL;
    832 
    833 	/*
    834 	 * Clear loginmsg: it's the child's responsibility to display
    835 	 * it to the user, otherwise multiple sessions may accumulate
    836 	 * multiple copies of the login messages.
    837 	 */
    838 	buffer_clear(&loginmsg);
    839 
    840 	return ret;
    841 }
    842 
    843 /* administrative, login(1)-like work */
    844 void
    845 do_login(Session *s, const char *command)
    846 {
    847 	socklen_t fromlen;
    848 	struct sockaddr_storage from;
    849 	struct passwd * pw = s->pw;
    850 	pid_t pid = getpid();
    851 
    852 	/*
    853 	 * Get IP address of client. If the connection is not a socket, let
    854 	 * the address be 0.0.0.0.
    855 	 */
    856 	memset(&from, 0, sizeof(from));
    857 	fromlen = sizeof(from);
    858 	if (packet_connection_is_on_socket()) {
    859 		if (getpeername(packet_get_connection_in(),
    860 		    (struct sockaddr *)&from, &fromlen) < 0) {
    861 			debug("getpeername: %.100s", strerror(errno));
    862 			cleanup_exit(255);
    863 		}
    864 	}
    865 
    866 	/* Record that there was a login on that tty from the remote host. */
    867 	if (!use_privsep)
    868 		record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
    869 		    get_remote_name_or_ip(utmp_len,
    870 		    options.use_dns),
    871 		    (struct sockaddr *)&from, fromlen);
    872 
    873 #ifdef USE_PAM
    874 	/*
    875 	 * If password change is needed, do it now.
    876 	 * This needs to occur before the ~/.hushlogin check.
    877 	 */
    878 	if (options.use_pam && !use_privsep && s->authctxt->force_pwchange) {
    879 		display_loginmsg();
    880 		do_pam_chauthtok();
    881 		s->authctxt->force_pwchange = 0;
    882 		/* XXX - signal [net] parent to enable forwardings */
    883 	}
    884 #endif
    885 
    886 	if (check_quietlogin(s, command))
    887 		return;
    888 
    889 	display_loginmsg();
    890 
    891 	do_motd();
    892 }
    893 
    894 /*
    895  * Display the message of the day.
    896  */
    897 void
    898 do_motd(void)
    899 {
    900 	FILE *f;
    901 	char buf[256];
    902 
    903 	if (options.print_motd) {
    904 #ifdef HAVE_LOGIN_CAP
    905 		f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
    906 		    "/etc/motd"), "r");
    907 #else
    908 		f = fopen("/etc/motd", "r");
    909 #endif
    910 		if (f) {
    911 			while (fgets(buf, sizeof(buf), f))
    912 				fputs(buf, stdout);
    913 			fclose(f);
    914 		}
    915 	}
    916 }
    917 
    918 
    919 /*
    920  * Check for quiet login, either .hushlogin or command given.
    921  */
    922 int
    923 check_quietlogin(Session *s, const char *command)
    924 {
    925 	char buf[256];
    926 	struct passwd *pw = s->pw;
    927 	struct stat st;
    928 
    929 	/* Return 1 if .hushlogin exists or a command given. */
    930 	if (command != NULL)
    931 		return 1;
    932 	snprintf(buf, sizeof(buf), "%.200s/.hushlogin", pw->pw_dir);
    933 #ifdef HAVE_LOGIN_CAP
    934 	if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0)
    935 		return 1;
    936 #else
    937 	if (stat(buf, &st) >= 0)
    938 		return 1;
    939 #endif
    940 	return 0;
    941 }
    942 
    943 /*
    944  * Sets the value of the given variable in the environment.  If the variable
    945  * already exists, its value is overridden.
    946  */
    947 void
    948 child_set_env(char ***envp, u_int *envsizep, const char *name,
    949 	const char *value)
    950 {
    951 	char **env;
    952 	u_int envsize;
    953 	u_int i, namelen;
    954 
    955 	/*
    956 	 * If we're passed an uninitialized list, allocate a single null
    957 	 * entry before continuing.
    958 	 */
    959 	if (*envp == NULL && *envsizep == 0) {
    960 		*envp = xmalloc(sizeof(char *));
    961 		*envp[0] = NULL;
    962 		*envsizep = 1;
    963 	}
    964 
    965 	/*
    966 	 * Find the slot where the value should be stored.  If the variable
    967 	 * already exists, we reuse the slot; otherwise we append a new slot
    968 	 * at the end of the array, expanding if necessary.
    969 	 */
    970 	env = *envp;
    971 	namelen = strlen(name);
    972 	for (i = 0; env[i]; i++)
    973 		if (strncmp(env[i], name, namelen) == 0 && env[i][namelen] == '=')
    974 			break;
    975 	if (env[i]) {
    976 		/* Reuse the slot. */
    977 		xfree(env[i]);
    978 	} else {
    979 		/* New variable.  Expand if necessary. */
    980 		envsize = *envsizep;
    981 		if (i >= envsize - 1) {
    982 			if (envsize >= 1000)
    983 				fatal("child_set_env: too many env vars");
    984 			envsize += 50;
    985 			env = (*envp) = xrealloc(env, envsize, sizeof(char *));
    986 			*envsizep = envsize;
    987 		}
    988 		/* Need to set the NULL pointer at end of array beyond the new slot. */
    989 		env[i + 1] = NULL;
    990 	}
    991 
    992 	/* Allocate space and format the variable in the appropriate slot. */
    993 	env[i] = xmalloc(strlen(name) + 1 + strlen(value) + 1);
    994 	snprintf(env[i], strlen(name) + 1 + strlen(value) + 1, "%s=%s", name, value);
    995 }
    996 
    997 /*
    998  * Reads environment variables from the given file and adds/overrides them
    999  * into the environment.  If the file does not exist, this does nothing.
   1000  * Otherwise, it must consist of empty lines, comments (line starts with '#')
   1001  * and assignments of the form name=value.  No other forms are allowed.
   1002  */
   1003 static void
   1004 read_environment_file(char ***env, u_int *envsize,
   1005 	const char *filename)
   1006 {
   1007 	FILE *f;
   1008 	char buf[4096];
   1009 	char *cp, *value;
   1010 	u_int lineno = 0;
   1011 
   1012 	f = fopen(filename, "r");
   1013 	if (!f)
   1014 		return;
   1015 
   1016 	while (fgets(buf, sizeof(buf), f)) {
   1017 		if (++lineno > 1000)
   1018 			fatal("Too many lines in environment file %s", filename);
   1019 		for (cp = buf; *cp == ' ' || *cp == '\t'; cp++)
   1020 			;
   1021 		if (!*cp || *cp == '#' || *cp == '\n')
   1022 			continue;
   1023 
   1024 		cp[strcspn(cp, "\n")] = '\0';
   1025 
   1026 		value = strchr(cp, '=');
   1027 		if (value == NULL) {
   1028 			fprintf(stderr, "Bad line %u in %.100s\n", lineno,
   1029 			    filename);
   1030 			continue;
   1031 		}
   1032 		/*
   1033 		 * Replace the equals sign by nul, and advance value to
   1034 		 * the value string.
   1035 		 */
   1036 		*value = '\0';
   1037 		value++;
   1038 		child_set_env(env, envsize, cp, value);
   1039 	}
   1040 	fclose(f);
   1041 }
   1042 
   1043 #ifdef HAVE_ETC_DEFAULT_LOGIN
   1044 /*
   1045  * Return named variable from specified environment, or NULL if not present.
   1046  */
   1047 static char *
   1048 child_get_env(char **env, const char *name)
   1049 {
   1050 	int i;
   1051 	size_t len;
   1052 
   1053 	len = strlen(name);
   1054 	for (i=0; env[i] != NULL; i++)
   1055 		if (strncmp(name, env[i], len) == 0 && env[i][len] == '=')
   1056 			return(env[i] + len + 1);
   1057 	return NULL;
   1058 }
   1059 
   1060 /*
   1061  * Read /etc/default/login.
   1062  * We pick up the PATH (or SUPATH for root) and UMASK.
   1063  */
   1064 static void
   1065 read_etc_default_login(char ***env, u_int *envsize, uid_t uid)
   1066 {
   1067 	char **tmpenv = NULL, *var;
   1068 	u_int i, tmpenvsize = 0;
   1069 	u_long mask;
   1070 
   1071 	/*
   1072 	 * We don't want to copy the whole file to the child's environment,
   1073 	 * so we use a temporary environment and copy the variables we're
   1074 	 * interested in.
   1075 	 */
   1076 	read_environment_file(&tmpenv, &tmpenvsize, "/etc/default/login");
   1077 
   1078 	if (tmpenv == NULL)
   1079 		return;
   1080 
   1081 	if (uid == 0)
   1082 		var = child_get_env(tmpenv, "SUPATH");
   1083 	else
   1084 		var = child_get_env(tmpenv, "PATH");
   1085 	if (var != NULL)
   1086 		child_set_env(env, envsize, "PATH", var);
   1087 
   1088 	if ((var = child_get_env(tmpenv, "UMASK")) != NULL)
   1089 		if (sscanf(var, "%5lo", &mask) == 1)
   1090 			umask((mode_t)mask);
   1091 
   1092 	for (i = 0; tmpenv[i] != NULL; i++)
   1093 		xfree(tmpenv[i]);
   1094 	xfree(tmpenv);
   1095 }
   1096 #endif /* HAVE_ETC_DEFAULT_LOGIN */
   1097 
   1098 void
   1099 copy_environment(char **source, char ***env, u_int *envsize)
   1100 {
   1101 	char *var_name, *var_val;
   1102 	int i;
   1103 
   1104 	if (source == NULL)
   1105 		return;
   1106 
   1107 	for(i = 0; source[i] != NULL; i++) {
   1108 		var_name = xstrdup(source[i]);
   1109 		if ((var_val = strstr(var_name, "=")) == NULL) {
   1110 			xfree(var_name);
   1111 			continue;
   1112 		}
   1113 		*var_val++ = '\0';
   1114 
   1115 		debug3("Copy environment: %s=%s", var_name, var_val);
   1116 		child_set_env(env, envsize, var_name, var_val);
   1117 
   1118 		xfree(var_name);
   1119 	}
   1120 }
   1121 
   1122 static char **
   1123 do_setup_env(Session *s, const char *shell)
   1124 {
   1125 	char buf[256];
   1126 	u_int i, envsize;
   1127 	char **env, *laddr;
   1128 	struct passwd *pw = s->pw;
   1129 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
   1130 	char *path = NULL;
   1131 #endif
   1132 
   1133 	/* Initialize the environment. */
   1134 	envsize = 100;
   1135 	env = xcalloc(envsize, sizeof(char *));
   1136 	env[0] = NULL;
   1137 
   1138 #ifdef HAVE_CYGWIN
   1139 	/*
   1140 	 * The Windows environment contains some setting which are
   1141 	 * important for a running system. They must not be dropped.
   1142 	 */
   1143 	{
   1144 		char **p;
   1145 
   1146 		p = fetch_windows_environment();
   1147 		copy_environment(p, &env, &envsize);
   1148 		free_windows_environment(p);
   1149 	}
   1150 #endif
   1151 
   1152 #ifdef GSSAPI
   1153 	/* Allow any GSSAPI methods that we've used to alter
   1154 	 * the childs environment as they see fit
   1155 	 */
   1156 	ssh_gssapi_do_child(&env, &envsize);
   1157 #endif
   1158 
   1159 	if (!options.use_login) {
   1160 		/* Set basic environment. */
   1161 		for (i = 0; i < s->num_env; i++)
   1162 			child_set_env(&env, &envsize, s->env[i].name,
   1163 			    s->env[i].val);
   1164 
   1165 		child_set_env(&env, &envsize, "USER", pw->pw_name);
   1166 		child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
   1167 #ifdef _AIX
   1168 		child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
   1169 #endif
   1170 		child_set_env(&env, &envsize, "HOME", pw->pw_dir);
   1171 #ifdef HAVE_LOGIN_CAP
   1172 		if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
   1173 			child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
   1174 		else
   1175 			child_set_env(&env, &envsize, "PATH", getenv("PATH"));
   1176 #else /* HAVE_LOGIN_CAP */
   1177 # ifndef HAVE_CYGWIN
   1178 		/*
   1179 		 * There's no standard path on Windows. The path contains
   1180 		 * important components pointing to the system directories,
   1181 		 * needed for loading shared libraries. So the path better
   1182 		 * remains intact here.
   1183 		 */
   1184 #  ifdef HAVE_ETC_DEFAULT_LOGIN
   1185 		read_etc_default_login(&env, &envsize, pw->pw_uid);
   1186 		path = child_get_env(env, "PATH");
   1187 #  endif /* HAVE_ETC_DEFAULT_LOGIN */
   1188 		if (path == NULL || *path == '\0') {
   1189 			child_set_env(&env, &envsize, "PATH",
   1190 			    s->pw->pw_uid == 0 ?
   1191 				SUPERUSER_PATH : _PATH_STDPATH);
   1192 		}
   1193 # endif /* HAVE_CYGWIN */
   1194 #endif /* HAVE_LOGIN_CAP */
   1195 
   1196 		snprintf(buf, sizeof buf, "%.200s/%.50s",
   1197 			 _PATH_MAILDIR, pw->pw_name);
   1198 		child_set_env(&env, &envsize, "MAIL", buf);
   1199 
   1200 		/* Normal systems set SHELL by default. */
   1201 		child_set_env(&env, &envsize, "SHELL", shell);
   1202 	}
   1203 	if (getenv("TZ"))
   1204 		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
   1205 
   1206 	/* Set custom environment options from RSA authentication. */
   1207 	if (!options.use_login) {
   1208 		while (custom_environment) {
   1209 			struct envstring *ce = custom_environment;
   1210 			char *str = ce->s;
   1211 
   1212 			for (i = 0; str[i] != '=' && str[i]; i++)
   1213 				;
   1214 			if (str[i] == '=') {
   1215 				str[i] = 0;
   1216 				child_set_env(&env, &envsize, str, str + i + 1);
   1217 			}
   1218 			custom_environment = ce->next;
   1219 			xfree(ce->s);
   1220 			xfree(ce);
   1221 		}
   1222 	}
   1223 
   1224 	/* SSH_CLIENT deprecated */
   1225 	snprintf(buf, sizeof buf, "%.50s %d %d",
   1226 	    get_remote_ipaddr(), get_remote_port(), get_local_port());
   1227 	child_set_env(&env, &envsize, "SSH_CLIENT", buf);
   1228 
   1229 	laddr = get_local_ipaddr(packet_get_connection_in());
   1230 	snprintf(buf, sizeof buf, "%.50s %d %.50s %d",
   1231 	    get_remote_ipaddr(), get_remote_port(), laddr, get_local_port());
   1232 	xfree(laddr);
   1233 	child_set_env(&env, &envsize, "SSH_CONNECTION", buf);
   1234 
   1235 	if (s->ttyfd != -1)
   1236 		child_set_env(&env, &envsize, "SSH_TTY", s->tty);
   1237 	if (s->term)
   1238 		child_set_env(&env, &envsize, "TERM", s->term);
   1239 	if (s->display)
   1240 		child_set_env(&env, &envsize, "DISPLAY", s->display);
   1241 	if (original_command)
   1242 		child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
   1243 		    original_command);
   1244 
   1245 #ifdef _UNICOS
   1246 	if (cray_tmpdir[0] != '\0')
   1247 		child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir);
   1248 #endif /* _UNICOS */
   1249 
   1250 	/*
   1251 	 * Since we clear KRB5CCNAME at startup, if it's set now then it
   1252 	 * must have been set by a native authentication method (eg AIX or
   1253 	 * SIA), so copy it to the child.
   1254 	 */
   1255 	{
   1256 		char *cp;
   1257 
   1258 		if ((cp = getenv("KRB5CCNAME")) != NULL)
   1259 			child_set_env(&env, &envsize, "KRB5CCNAME", cp);
   1260 	}
   1261 
   1262 #ifdef _AIX
   1263 	{
   1264 		char *cp;
   1265 
   1266 		if ((cp = getenv("AUTHSTATE")) != NULL)
   1267 			child_set_env(&env, &envsize, "AUTHSTATE", cp);
   1268 		read_environment_file(&env, &envsize, "/etc/environment");
   1269 	}
   1270 #endif
   1271 #ifdef KRB5
   1272 	if (s->authctxt->krb5_ccname)
   1273 		child_set_env(&env, &envsize, "KRB5CCNAME",
   1274 		    s->authctxt->krb5_ccname);
   1275 #endif
   1276 #ifdef USE_PAM
   1277 	/*
   1278 	 * Pull in any environment variables that may have
   1279 	 * been set by PAM.
   1280 	 */
   1281 	if (options.use_pam) {
   1282 		char **p;
   1283 
   1284 		p = fetch_pam_child_environment();
   1285 		copy_environment(p, &env, &envsize);
   1286 		free_pam_environment(p);
   1287 
   1288 		p = fetch_pam_environment();
   1289 		copy_environment(p, &env, &envsize);
   1290 		free_pam_environment(p);
   1291 	}
   1292 #endif /* USE_PAM */
   1293 
   1294 	if (auth_sock_name != NULL)
   1295 		child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
   1296 		    auth_sock_name);
   1297 
   1298 	/* read $HOME/.ssh/environment. */
   1299 	if (options.permit_user_env && !options.use_login) {
   1300 		snprintf(buf, sizeof buf, "%.200s/.ssh/environment",
   1301 		    strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
   1302 		read_environment_file(&env, &envsize, buf);
   1303 	}
   1304 	if (debug_flag) {
   1305 		/* dump the environment */
   1306 		fprintf(stderr, "Environment:\n");
   1307 		for (i = 0; env[i]; i++)
   1308 			fprintf(stderr, "  %.200s\n", env[i]);
   1309 	}
   1310 	return env;
   1311 }
   1312 
   1313 /*
   1314  * Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found
   1315  * first in this order).
   1316  */
   1317 static void
   1318 do_rc_files(Session *s, const char *shell)
   1319 {
   1320 	FILE *f = NULL;
   1321 	char cmd[1024];
   1322 	int do_xauth;
   1323 	struct stat st;
   1324 
   1325 	do_xauth =
   1326 	    s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
   1327 
   1328 	/* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
   1329 	if (!s->is_subsystem && options.adm_forced_command == NULL &&
   1330 	    !no_user_rc && stat(_PATH_SSH_USER_RC, &st) >= 0) {
   1331 		snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
   1332 		    shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
   1333 		if (debug_flag)
   1334 			fprintf(stderr, "Running %s\n", cmd);
   1335 		f = popen(cmd, "w");
   1336 		if (f) {
   1337 			if (do_xauth)
   1338 				fprintf(f, "%s %s\n", s->auth_proto,
   1339 				    s->auth_data);
   1340 			pclose(f);
   1341 		} else
   1342 			fprintf(stderr, "Could not run %s\n",
   1343 			    _PATH_SSH_USER_RC);
   1344 	} else if (stat(_PATH_SSH_SYSTEM_RC, &st) >= 0) {
   1345 		if (debug_flag)
   1346 			fprintf(stderr, "Running %s %s\n", _PATH_BSHELL,
   1347 			    _PATH_SSH_SYSTEM_RC);
   1348 		f = popen(_PATH_BSHELL " " _PATH_SSH_SYSTEM_RC, "w");
   1349 		if (f) {
   1350 			if (do_xauth)
   1351 				fprintf(f, "%s %s\n", s->auth_proto,
   1352 				    s->auth_data);
   1353 			pclose(f);
   1354 		} else
   1355 			fprintf(stderr, "Could not run %s\n",
   1356 			    _PATH_SSH_SYSTEM_RC);
   1357 	} else if (do_xauth && options.xauth_location != NULL) {
   1358 		/* Add authority data to .Xauthority if appropriate. */
   1359 		if (debug_flag) {
   1360 			fprintf(stderr,
   1361 			    "Running %.500s remove %.100s\n",
   1362 			    options.xauth_location, s->auth_display);
   1363 			fprintf(stderr,
   1364 			    "%.500s add %.100s %.100s %.100s\n",
   1365 			    options.xauth_location, s->auth_display,
   1366 			    s->auth_proto, s->auth_data);
   1367 		}
   1368 		snprintf(cmd, sizeof cmd, "%s -q -",
   1369 		    options.xauth_location);
   1370 		f = popen(cmd, "w");
   1371 		if (f) {
   1372 			fprintf(f, "remove %s\n",
   1373 			    s->auth_display);
   1374 			fprintf(f, "add %s %s %s\n",
   1375 			    s->auth_display, s->auth_proto,
   1376 			    s->auth_data);
   1377 			pclose(f);
   1378 		} else {
   1379 			fprintf(stderr, "Could not run %s\n",
   1380 			    cmd);
   1381 		}
   1382 	}
   1383 }
   1384 
   1385 static void
   1386 do_nologin(struct passwd *pw)
   1387 {
   1388 	FILE *f = NULL;
   1389 	char buf[1024], *nl, *def_nl = _PATH_NOLOGIN;
   1390 	struct stat sb;
   1391 
   1392 #ifdef HAVE_LOGIN_CAP
   1393 	if (login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid)
   1394 		return;
   1395 	nl = login_getcapstr(lc, "nologin", def_nl, def_nl);
   1396 #else
   1397 	if (pw->pw_uid == 0)
   1398 		return;
   1399 	nl = def_nl;
   1400 #endif
   1401 	if (stat(nl, &sb) == -1) {
   1402 		if (nl != def_nl)
   1403 			xfree(nl);
   1404 		return;
   1405 	}
   1406 
   1407 	/* /etc/nologin exists.  Print its contents if we can and exit. */
   1408 	logit("User %.100s not allowed because %s exists", pw->pw_name, nl);
   1409 	if ((f = fopen(nl, "r")) != NULL) {
   1410  		while (fgets(buf, sizeof(buf), f))
   1411  			fputs(buf, stderr);
   1412  		fclose(f);
   1413  	}
   1414 	exit(254);
   1415 }
   1416 
   1417 /*
   1418  * Chroot into a directory after checking it for safety: all path components
   1419  * must be root-owned directories with strict permissions.
   1420  */
   1421 static void
   1422 safely_chroot(const char *path, uid_t uid)
   1423 {
   1424 	const char *cp;
   1425 	char component[MAXPATHLEN];
   1426 	struct stat st;
   1427 
   1428 	if (*path != '/')
   1429 		fatal("chroot path does not begin at root");
   1430 	if (strlen(path) >= sizeof(component))
   1431 		fatal("chroot path too long");
   1432 
   1433 	/*
   1434 	 * Descend the path, checking that each component is a
   1435 	 * root-owned directory with strict permissions.
   1436 	 */
   1437 	for (cp = path; cp != NULL;) {
   1438 		if ((cp = strchr(cp, '/')) == NULL)
   1439 			strlcpy(component, path, sizeof(component));
   1440 		else {
   1441 			cp++;
   1442 			memcpy(component, path, cp - path);
   1443 			component[cp - path] = '\0';
   1444 		}
   1445 
   1446 		debug3("%s: checking '%s'", __func__, component);
   1447 
   1448 		if (stat(component, &st) != 0)
   1449 			fatal("%s: stat(\"%s\"): %s", __func__,
   1450 			    component, strerror(errno));
   1451 		if (st.st_uid != 0 || (st.st_mode & 022) != 0)
   1452 			fatal("bad ownership or modes for chroot "
   1453 			    "directory %s\"%s\"",
   1454 			    cp == NULL ? "" : "component ", component);
   1455 		if (!S_ISDIR(st.st_mode))
   1456 			fatal("chroot path %s\"%s\" is not a directory",
   1457 			    cp == NULL ? "" : "component ", component);
   1458 
   1459 	}
   1460 
   1461 	if (chdir(path) == -1)
   1462 		fatal("Unable to chdir to chroot path \"%s\": "
   1463 		    "%s", path, strerror(errno));
   1464 	if (chroot(path) == -1)
   1465 		fatal("chroot(\"%s\"): %s", path, strerror(errno));
   1466 	if (chdir("/") == -1)
   1467 		fatal("%s: chdir(/) after chroot: %s",
   1468 		    __func__, strerror(errno));
   1469 	verbose("Changed root directory to \"%s\"", path);
   1470 }
   1471 
   1472 /* Set login name, uid, gid, and groups. */
   1473 void
   1474 do_setusercontext(struct passwd *pw)
   1475 {
   1476 	char *chroot_path, *tmp;
   1477 
   1478 	platform_setusercontext(pw);
   1479 
   1480 	if (platform_privileged_uidswap()) {
   1481 #ifdef HAVE_LOGIN_CAP
   1482 		if (setusercontext(lc, pw, pw->pw_uid,
   1483 		    (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
   1484 			perror("unable to set user context");
   1485 			exit(1);
   1486 		}
   1487 #else
   1488 		if (setlogin(pw->pw_name) < 0)
   1489 			error("setlogin failed: %s", strerror(errno));
   1490 		if (setgid(pw->pw_gid) < 0) {
   1491 			perror("setgid");
   1492 			exit(1);
   1493 		}
   1494 		/* Initialize the group list. */
   1495 		if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
   1496 			perror("initgroups");
   1497 			exit(1);
   1498 		}
   1499 #ifndef ANDROID
   1500 		/* FIXME - Android doesn't have this */
   1501 		endgrent();
   1502 #endif
   1503 #endif
   1504 
   1505 		platform_setusercontext_post_groups(pw);
   1506 
   1507 		if (options.chroot_directory != NULL &&
   1508 		    strcasecmp(options.chroot_directory, "none") != 0) {
   1509                         tmp = tilde_expand_filename(options.chroot_directory,
   1510 			    pw->pw_uid);
   1511 			chroot_path = percent_expand(tmp, "h", pw->pw_dir,
   1512 			    "u", pw->pw_name, (char *)NULL);
   1513 			safely_chroot(chroot_path, pw->pw_uid);
   1514 			free(tmp);
   1515 			free(chroot_path);
   1516 		}
   1517 
   1518 #ifdef HAVE_LOGIN_CAP
   1519 		if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) {
   1520 			perror("unable to set user context (setuser)");
   1521 			exit(1);
   1522 		}
   1523 #else
   1524 		/* Permanently switch to the desired uid. */
   1525 		permanently_set_uid(pw);
   1526 #endif
   1527 	}
   1528 
   1529 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
   1530 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
   1531 }
   1532 
   1533 static void
   1534 do_pwchange(Session *s)
   1535 {
   1536 	fflush(NULL);
   1537 	fprintf(stderr, "WARNING: Your password has expired.\n");
   1538 	if (s->ttyfd != -1) {
   1539 		fprintf(stderr,
   1540 		    "You must change your password now and login again!\n");
   1541 #ifdef WITH_SELINUX
   1542 		setexeccon(NULL);
   1543 #endif
   1544 #ifdef PASSWD_NEEDS_USERNAME
   1545 		execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,
   1546 		    (char *)NULL);
   1547 #else
   1548 		execl(_PATH_PASSWD_PROG, "passwd", (char *)NULL);
   1549 #endif
   1550 		perror("passwd");
   1551 	} else {
   1552 		fprintf(stderr,
   1553 		    "Password change required but no TTY available.\n");
   1554 	}
   1555 	exit(1);
   1556 }
   1557 
   1558 static void
   1559 launch_login(struct passwd *pw, const char *hostname)
   1560 {
   1561 	/* Launch login(1). */
   1562 
   1563 	execl(LOGIN_PROGRAM, "login", "-h", hostname,
   1564 #ifdef xxxLOGIN_NEEDS_TERM
   1565 		    (s->term ? s->term : "unknown"),
   1566 #endif /* LOGIN_NEEDS_TERM */
   1567 #ifdef LOGIN_NO_ENDOPT
   1568 	    "-p", "-f", pw->pw_name, (char *)NULL);
   1569 #else
   1570 	    "-p", "-f", "--", pw->pw_name, (char *)NULL);
   1571 #endif
   1572 
   1573 	/* Login couldn't be executed, die. */
   1574 
   1575 	perror("login");
   1576 	exit(1);
   1577 }
   1578 
   1579 static void
   1580 child_close_fds(void)
   1581 {
   1582 	if (packet_get_connection_in() == packet_get_connection_out())
   1583 		close(packet_get_connection_in());
   1584 	else {
   1585 		close(packet_get_connection_in());
   1586 		close(packet_get_connection_out());
   1587 	}
   1588 	/*
   1589 	 * Close all descriptors related to channels.  They will still remain
   1590 	 * open in the parent.
   1591 	 */
   1592 	/* XXX better use close-on-exec? -markus */
   1593 	channel_close_all();
   1594 
   1595 	/*
   1596 	 * Close any extra file descriptors.  Note that there may still be
   1597 	 * descriptors left by system functions.  They will be closed later.
   1598 	 */
   1599 	endpwent();
   1600 
   1601 	/*
   1602 	 * Close any extra open file descriptors so that we don't have them
   1603 	 * hanging around in clients.  Note that we want to do this after
   1604 	 * initgroups, because at least on Solaris 2.3 it leaves file
   1605 	 * descriptors open.
   1606 	 */
   1607 	closefrom(STDERR_FILENO + 1);
   1608 }
   1609 
   1610 /*
   1611  * Performs common processing for the child, such as setting up the
   1612  * environment, closing extra file descriptors, setting the user and group
   1613  * ids, and executing the command or shell.
   1614  */
   1615 #define ARGV_MAX 10
   1616 void
   1617 do_child(Session *s, const char *command)
   1618 {
   1619 	extern char **environ;
   1620 	char **env;
   1621 	char *argv[ARGV_MAX];
   1622 	const char *shell, *shell0, *hostname = NULL;
   1623 	struct passwd *pw = s->pw;
   1624 	int r = 0;
   1625 
   1626 	/* remove hostkey from the child's memory */
   1627 	destroy_sensitive_data();
   1628 
   1629 	/* Force a password change */
   1630 	if (s->authctxt->force_pwchange) {
   1631 		do_setusercontext(pw);
   1632 		child_close_fds();
   1633 		do_pwchange(s);
   1634 		exit(1);
   1635 	}
   1636 
   1637 	/* login(1) is only called if we execute the login shell */
   1638 	if (options.use_login && command != NULL)
   1639 		options.use_login = 0;
   1640 
   1641 #ifdef _UNICOS
   1642 	cray_setup(pw->pw_uid, pw->pw_name, command);
   1643 #endif /* _UNICOS */
   1644 
   1645 	/*
   1646 	 * Login(1) does this as well, and it needs uid 0 for the "-h"
   1647 	 * switch, so we let login(1) to this for us.
   1648 	 */
   1649 	if (!options.use_login) {
   1650 #ifdef HAVE_OSF_SIA
   1651 		session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty);
   1652 		if (!check_quietlogin(s, command))
   1653 			do_motd();
   1654 #else /* HAVE_OSF_SIA */
   1655 		/* When PAM is enabled we rely on it to do the nologin check */
   1656 		if (!options.use_pam)
   1657 			do_nologin(pw);
   1658 		do_setusercontext(pw);
   1659 		/*
   1660 		 * PAM session modules in do_setusercontext may have
   1661 		 * generated messages, so if this in an interactive
   1662 		 * login then display them too.
   1663 		 */
   1664 		if (!check_quietlogin(s, command))
   1665 			display_loginmsg();
   1666 #endif /* HAVE_OSF_SIA */
   1667 	}
   1668 
   1669 #ifdef USE_PAM
   1670 	if (options.use_pam && !options.use_login && !is_pam_session_open()) {
   1671 		debug3("PAM session not opened, exiting");
   1672 		display_loginmsg();
   1673 		exit(254);
   1674 	}
   1675 #endif
   1676 
   1677 	/*
   1678 	 * Get the shell from the password data.  An empty shell field is
   1679 	 * legal, and means /bin/sh.
   1680 	 */
   1681 	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
   1682 
   1683 	/*
   1684 	 * Make sure $SHELL points to the shell from the password file,
   1685 	 * even if shell is overridden from login.conf
   1686 	 */
   1687 	env = do_setup_env(s, shell);
   1688 
   1689 #ifdef HAVE_LOGIN_CAP
   1690 	shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
   1691 #endif
   1692 
   1693 	/* we have to stash the hostname before we close our socket. */
   1694 	if (options.use_login)
   1695 		hostname = get_remote_name_or_ip(utmp_len,
   1696 		    options.use_dns);
   1697 	/*
   1698 	 * Close the connection descriptors; note that this is the child, and
   1699 	 * the server will still have the socket open, and it is important
   1700 	 * that we do not shutdown it.  Note that the descriptors cannot be
   1701 	 * closed before building the environment, as we call
   1702 	 * get_remote_ipaddr there.
   1703 	 */
   1704 	child_close_fds();
   1705 
   1706 	/*
   1707 	 * Must take new environment into use so that .ssh/rc,
   1708 	 * /etc/ssh/sshrc and xauth are run in the proper environment.
   1709 	 */
   1710 	environ = env;
   1711 
   1712 #if defined(KRB5) && defined(USE_AFS)
   1713 	/*
   1714 	 * At this point, we check to see if AFS is active and if we have
   1715 	 * a valid Kerberos 5 TGT. If so, it seems like a good idea to see
   1716 	 * if we can (and need to) extend the ticket into an AFS token. If
   1717 	 * we don't do this, we run into potential problems if the user's
   1718 	 * home directory is in AFS and it's not world-readable.
   1719 	 */
   1720 
   1721 	if (options.kerberos_get_afs_token && k_hasafs() &&
   1722 	    (s->authctxt->krb5_ctx != NULL)) {
   1723 		char cell[64];
   1724 
   1725 		debug("Getting AFS token");
   1726 
   1727 		k_setpag();
   1728 
   1729 		if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
   1730 			krb5_afslog(s->authctxt->krb5_ctx,
   1731 			    s->authctxt->krb5_fwd_ccache, cell, NULL);
   1732 
   1733 		krb5_afslog_home(s->authctxt->krb5_ctx,
   1734 		    s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
   1735 	}
   1736 #endif
   1737 
   1738 	/* Change current directory to the user's home directory. */
   1739 	if (chdir(pw->pw_dir) < 0) {
   1740 		/* Suppress missing homedir warning for chroot case */
   1741 #ifdef HAVE_LOGIN_CAP
   1742 		r = login_getcapbool(lc, "requirehome", 0);
   1743 #endif
   1744 		if (r || options.chroot_directory == NULL ||
   1745 		    strcasecmp(options.chroot_directory, "none") == 0)
   1746 			fprintf(stderr, "Could not chdir to home "
   1747 			    "directory %s: %s\n", pw->pw_dir,
   1748 			    strerror(errno));
   1749 		if (r)
   1750 			exit(1);
   1751 	}
   1752 
   1753 	closefrom(STDERR_FILENO + 1);
   1754 
   1755 	if (!options.use_login)
   1756 		do_rc_files(s, shell);
   1757 
   1758 	/* restore SIGPIPE for child */
   1759 	signal(SIGPIPE, SIG_DFL);
   1760 
   1761 	if (s->is_subsystem == SUBSYSTEM_INT_SFTP_ERROR) {
   1762 		printf("This service allows sftp connections only.\n");
   1763 		fflush(NULL);
   1764 		exit(1);
   1765 	} else if (s->is_subsystem == SUBSYSTEM_INT_SFTP) {
   1766 		extern int optind, optreset;
   1767 		int i;
   1768 		char *p, *args;
   1769 
   1770 		setproctitle("%s@%s", s->pw->pw_name, INTERNAL_SFTP_NAME);
   1771 		args = xstrdup(command ? command : "sftp-server");
   1772 		for (i = 0, (p = strtok(args, " ")); p; (p = strtok(NULL, " ")))
   1773 			if (i < ARGV_MAX - 1)
   1774 				argv[i++] = p;
   1775 		argv[i] = NULL;
   1776 		optind = optreset = 1;
   1777 		__progname = argv[0];
   1778 #ifdef WITH_SELINUX
   1779 		ssh_selinux_change_context("sftpd_t");
   1780 #endif
   1781 		exit(sftp_server_main(i, argv, s->pw));
   1782 	}
   1783 
   1784 	fflush(NULL);
   1785 
   1786 	if (options.use_login) {
   1787 		launch_login(pw, hostname);
   1788 		/* NEVERREACHED */
   1789 	}
   1790 
   1791 	/* Get the last component of the shell name. */
   1792 	if ((shell0 = strrchr(shell, '/')) != NULL)
   1793 		shell0++;
   1794 	else
   1795 		shell0 = shell;
   1796 
   1797 	/*
   1798 	 * If we have no command, execute the shell.  In this case, the shell
   1799 	 * name to be passed in argv[0] is preceded by '-' to indicate that
   1800 	 * this is a login shell.
   1801 	 */
   1802 	if (!command) {
   1803 		char argv0[256];
   1804 
   1805 		/* Start the shell.  Set initial character to '-'. */
   1806 		argv0[0] = '-';
   1807 
   1808 		if (strlcpy(argv0 + 1, shell0, sizeof(argv0) - 1)
   1809 		    >= sizeof(argv0) - 1) {
   1810 			errno = EINVAL;
   1811 			perror(shell);
   1812 			exit(1);
   1813 		}
   1814 
   1815 		/* Execute the shell. */
   1816 		argv[0] = argv0;
   1817 		argv[1] = NULL;
   1818 		execve(shell, argv, env);
   1819 
   1820 		/* Executing the shell failed. */
   1821 		perror(shell);
   1822 		exit(1);
   1823 	}
   1824 	/*
   1825 	 * Execute the command using the user's shell.  This uses the -c
   1826 	 * option to execute the command.
   1827 	 */
   1828 	argv[0] = (char *) shell0;
   1829 	argv[1] = "-c";
   1830 	argv[2] = (char *) command;
   1831 	argv[3] = NULL;
   1832 	execve(shell, argv, env);
   1833 	perror(shell);
   1834 	exit(1);
   1835 }
   1836 
   1837 void
   1838 session_unused(int id)
   1839 {
   1840 	debug3("%s: session id %d unused", __func__, id);
   1841 	if (id >= options.max_sessions ||
   1842 	    id >= sessions_nalloc) {
   1843 		fatal("%s: insane session id %d (max %d nalloc %d)",
   1844 		    __func__, id, options.max_sessions, sessions_nalloc);
   1845 	}
   1846 	bzero(&sessions[id], sizeof(*sessions));
   1847 	sessions[id].self = id;
   1848 	sessions[id].used = 0;
   1849 	sessions[id].chanid = -1;
   1850 	sessions[id].ptyfd = -1;
   1851 	sessions[id].ttyfd = -1;
   1852 	sessions[id].ptymaster = -1;
   1853 	sessions[id].x11_chanids = NULL;
   1854 	sessions[id].next_unused = sessions_first_unused;
   1855 	sessions_first_unused = id;
   1856 }
   1857 
   1858 Session *
   1859 session_new(void)
   1860 {
   1861 	Session *s, *tmp;
   1862 
   1863 	if (sessions_first_unused == -1) {
   1864 		if (sessions_nalloc >= options.max_sessions)
   1865 			return NULL;
   1866 		debug2("%s: allocate (allocated %d max %d)",
   1867 		    __func__, sessions_nalloc, options.max_sessions);
   1868 		tmp = xrealloc(sessions, sessions_nalloc + 1,
   1869 		    sizeof(*sessions));
   1870 		if (tmp == NULL) {
   1871 			error("%s: cannot allocate %d sessions",
   1872 			    __func__, sessions_nalloc + 1);
   1873 			return NULL;
   1874 		}
   1875 		sessions = tmp;
   1876 		session_unused(sessions_nalloc++);
   1877 	}
   1878 
   1879 	if (sessions_first_unused >= sessions_nalloc ||
   1880 	    sessions_first_unused < 0) {
   1881 		fatal("%s: insane first_unused %d max %d nalloc %d",
   1882 		    __func__, sessions_first_unused, options.max_sessions,
   1883 		    sessions_nalloc);
   1884 	}
   1885 
   1886 	s = &sessions[sessions_first_unused];
   1887 	if (s->used) {
   1888 		fatal("%s: session %d already used",
   1889 		    __func__, sessions_first_unused);
   1890 	}
   1891 	sessions_first_unused = s->next_unused;
   1892 	s->used = 1;
   1893 	s->next_unused = -1;
   1894 	debug("session_new: session %d", s->self);
   1895 
   1896 	return s;
   1897 }
   1898 
   1899 static void
   1900 session_dump(void)
   1901 {
   1902 	int i;
   1903 	for (i = 0; i < sessions_nalloc; i++) {
   1904 		Session *s = &sessions[i];
   1905 
   1906 		debug("dump: used %d next_unused %d session %d %p "
   1907 		    "channel %d pid %ld",
   1908 		    s->used,
   1909 		    s->next_unused,
   1910 		    s->self,
   1911 		    s,
   1912 		    s->chanid,
   1913 		    (long)s->pid);
   1914 	}
   1915 }
   1916 
   1917 int
   1918 session_open(Authctxt *authctxt, int chanid)
   1919 {
   1920 	Session *s = session_new();
   1921 	debug("session_open: channel %d", chanid);
   1922 	if (s == NULL) {
   1923 		error("no more sessions");
   1924 		return 0;
   1925 	}
   1926 	s->authctxt = authctxt;
   1927 	s->pw = authctxt->pw;
   1928 	if (s->pw == NULL || !authctxt->valid)
   1929 		fatal("no user for session %d", s->self);
   1930 	debug("session_open: session %d: link with channel %d", s->self, chanid);
   1931 	s->chanid = chanid;
   1932 	return 1;
   1933 }
   1934 
   1935 Session *
   1936 session_by_tty(char *tty)
   1937 {
   1938 	int i;
   1939 	for (i = 0; i < sessions_nalloc; i++) {
   1940 		Session *s = &sessions[i];
   1941 		if (s->used && s->ttyfd != -1 && strcmp(s->tty, tty) == 0) {
   1942 			debug("session_by_tty: session %d tty %s", i, tty);
   1943 			return s;
   1944 		}
   1945 	}
   1946 	debug("session_by_tty: unknown tty %.100s", tty);
   1947 	session_dump();
   1948 	return NULL;
   1949 }
   1950 
   1951 static Session *
   1952 session_by_channel(int id)
   1953 {
   1954 	int i;
   1955 	for (i = 0; i < sessions_nalloc; i++) {
   1956 		Session *s = &sessions[i];
   1957 		if (s->used && s->chanid == id) {
   1958 			debug("session_by_channel: session %d channel %d",
   1959 			    i, id);
   1960 			return s;
   1961 		}
   1962 	}
   1963 	debug("session_by_channel: unknown channel %d", id);
   1964 	session_dump();
   1965 	return NULL;
   1966 }
   1967 
   1968 static Session *
   1969 session_by_x11_channel(int id)
   1970 {
   1971 	int i, j;
   1972 
   1973 	for (i = 0; i < sessions_nalloc; i++) {
   1974 		Session *s = &sessions[i];
   1975 
   1976 		if (s->x11_chanids == NULL || !s->used)
   1977 			continue;
   1978 		for (j = 0; s->x11_chanids[j] != -1; j++) {
   1979 			if (s->x11_chanids[j] == id) {
   1980 				debug("session_by_x11_channel: session %d "
   1981 				    "channel %d", s->self, id);
   1982 				return s;
   1983 			}
   1984 		}
   1985 	}
   1986 	debug("session_by_x11_channel: unknown channel %d", id);
   1987 	session_dump();
   1988 	return NULL;
   1989 }
   1990 
   1991 static Session *
   1992 session_by_pid(pid_t pid)
   1993 {
   1994 	int i;
   1995 	debug("session_by_pid: pid %ld", (long)pid);
   1996 	for (i = 0; i < sessions_nalloc; i++) {
   1997 		Session *s = &sessions[i];
   1998 		if (s->used && s->pid == pid)
   1999 			return s;
   2000 	}
   2001 	error("session_by_pid: unknown pid %ld", (long)pid);
   2002 	session_dump();
   2003 	return NULL;
   2004 }
   2005 
   2006 static int
   2007 session_window_change_req(Session *s)
   2008 {
   2009 	s->col = packet_get_int();
   2010 	s->row = packet_get_int();
   2011 	s->xpixel = packet_get_int();
   2012 	s->ypixel = packet_get_int();
   2013 	packet_check_eom();
   2014 	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
   2015 	return 1;
   2016 }
   2017 
   2018 static int
   2019 session_pty_req(Session *s)
   2020 {
   2021 	u_int len;
   2022 	int n_bytes;
   2023 
   2024 	if (no_pty_flag) {
   2025 		debug("Allocating a pty not permitted for this authentication.");
   2026 		return 0;
   2027 	}
   2028 	if (s->ttyfd != -1) {
   2029 		packet_disconnect("Protocol error: you already have a pty.");
   2030 		return 0;
   2031 	}
   2032 
   2033 	s->term = packet_get_string(&len);
   2034 
   2035 	if (compat20) {
   2036 		s->col = packet_get_int();
   2037 		s->row = packet_get_int();
   2038 	} else {
   2039 		s->row = packet_get_int();
   2040 		s->col = packet_get_int();
   2041 	}
   2042 	s->xpixel = packet_get_int();
   2043 	s->ypixel = packet_get_int();
   2044 
   2045 	if (strcmp(s->term, "") == 0) {
   2046 		xfree(s->term);
   2047 		s->term = NULL;
   2048 	}
   2049 
   2050 	/* Allocate a pty and open it. */
   2051 	debug("Allocating pty.");
   2052 	if (!PRIVSEP(pty_allocate(&s->ptyfd, &s->ttyfd, s->tty,
   2053 	    sizeof(s->tty)))) {
   2054 		if (s->term)
   2055 			xfree(s->term);
   2056 		s->term = NULL;
   2057 		s->ptyfd = -1;
   2058 		s->ttyfd = -1;
   2059 		error("session_pty_req: session %d alloc failed", s->self);
   2060 		return 0;
   2061 	}
   2062 	debug("session_pty_req: session %d alloc %s", s->self, s->tty);
   2063 
   2064 	/* for SSH1 the tty modes length is not given */
   2065 	if (!compat20)
   2066 		n_bytes = packet_remaining();
   2067 	tty_parse_modes(s->ttyfd, &n_bytes);
   2068 
   2069 	if (!use_privsep)
   2070 		pty_setowner(s->pw, s->tty);
   2071 
   2072 	/* Set window size from the packet. */
   2073 	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
   2074 
   2075 	packet_check_eom();
   2076 	session_proctitle(s);
   2077 	return 1;
   2078 }
   2079 
   2080 static int
   2081 session_subsystem_req(Session *s)
   2082 {
   2083 	struct stat st;
   2084 	u_int len;
   2085 	int success = 0;
   2086 	char *prog, *cmd, *subsys = packet_get_string(&len);
   2087 	u_int i;
   2088 
   2089 	packet_check_eom();
   2090 	logit("subsystem request for %.100s by user %s", subsys,
   2091 	    s->pw->pw_name);
   2092 
   2093 	for (i = 0; i < options.num_subsystems; i++) {
   2094 		if (strcmp(subsys, options.subsystem_name[i]) == 0) {
   2095 			prog = options.subsystem_command[i];
   2096 			cmd = options.subsystem_args[i];
   2097 			if (strcmp(INTERNAL_SFTP_NAME, prog) == 0) {
   2098 				s->is_subsystem = SUBSYSTEM_INT_SFTP;
   2099 				debug("subsystem: %s", prog);
   2100 			} else {
   2101 				if (stat(prog, &st) < 0)
   2102 					debug("subsystem: cannot stat %s: %s",
   2103 					    prog, strerror(errno));
   2104 				s->is_subsystem = SUBSYSTEM_EXT;
   2105 				debug("subsystem: exec() %s", cmd);
   2106 			}
   2107 			success = do_exec(s, cmd) == 0;
   2108 			break;
   2109 		}
   2110 	}
   2111 
   2112 	if (!success)
   2113 		logit("subsystem request for %.100s failed, subsystem not found",
   2114 		    subsys);
   2115 
   2116 	xfree(subsys);
   2117 	return success;
   2118 }
   2119 
   2120 static int
   2121 session_x11_req(Session *s)
   2122 {
   2123 	int success;
   2124 
   2125 	if (s->auth_proto != NULL || s->auth_data != NULL) {
   2126 		error("session_x11_req: session %d: "
   2127 		    "x11 forwarding already active", s->self);
   2128 		return 0;
   2129 	}
   2130 	s->single_connection = packet_get_char();
   2131 	s->auth_proto = packet_get_string(NULL);
   2132 	s->auth_data = packet_get_string(NULL);
   2133 	s->screen = packet_get_int();
   2134 	packet_check_eom();
   2135 
   2136 	success = session_setup_x11fwd(s);
   2137 	if (!success) {
   2138 		xfree(s->auth_proto);
   2139 		xfree(s->auth_data);
   2140 		s->auth_proto = NULL;
   2141 		s->auth_data = NULL;
   2142 	}
   2143 	return success;
   2144 }
   2145 
   2146 static int
   2147 session_shell_req(Session *s)
   2148 {
   2149 	packet_check_eom();
   2150 	return do_exec(s, NULL) == 0;
   2151 }
   2152 
   2153 static int
   2154 session_exec_req(Session *s)
   2155 {
   2156 	u_int len, success;
   2157 
   2158 	char *command = packet_get_string(&len);
   2159 	packet_check_eom();
   2160 	success = do_exec(s, command) == 0;
   2161 	xfree(command);
   2162 	return success;
   2163 }
   2164 
   2165 static int
   2166 session_break_req(Session *s)
   2167 {
   2168 
   2169 	packet_get_int();	/* ignored */
   2170 	packet_check_eom();
   2171 
   2172 	if (s->ttyfd == -1 || tcsendbreak(s->ttyfd, 0) < 0)
   2173 		return 0;
   2174 	return 1;
   2175 }
   2176 
   2177 static int
   2178 session_env_req(Session *s)
   2179 {
   2180 	char *name, *val;
   2181 	u_int name_len, val_len, i;
   2182 
   2183 	name = packet_get_string(&name_len);
   2184 	val = packet_get_string(&val_len);
   2185 	packet_check_eom();
   2186 
   2187 	/* Don't set too many environment variables */
   2188 	if (s->num_env > 128) {
   2189 		debug2("Ignoring env request %s: too many env vars", name);
   2190 		goto fail;
   2191 	}
   2192 
   2193 	for (i = 0; i < options.num_accept_env; i++) {
   2194 		if (match_pattern(name, options.accept_env[i])) {
   2195 			debug2("Setting env %d: %s=%s", s->num_env, name, val);
   2196 			s->env = xrealloc(s->env, s->num_env + 1,
   2197 			    sizeof(*s->env));
   2198 			s->env[s->num_env].name = name;
   2199 			s->env[s->num_env].val = val;
   2200 			s->num_env++;
   2201 			return (1);
   2202 		}
   2203 	}
   2204 	debug2("Ignoring env request %s: disallowed name", name);
   2205 
   2206  fail:
   2207 	xfree(name);
   2208 	xfree(val);
   2209 	return (0);
   2210 }
   2211 
   2212 static int
   2213 session_auth_agent_req(Session *s)
   2214 {
   2215 	static int called = 0;
   2216 	packet_check_eom();
   2217 	if (no_agent_forwarding_flag || !options.allow_agent_forwarding) {
   2218 		debug("session_auth_agent_req: no_agent_forwarding_flag");
   2219 		return 0;
   2220 	}
   2221 	if (called) {
   2222 		return 0;
   2223 	} else {
   2224 		called = 1;
   2225 		return auth_input_request_forwarding(s->pw);
   2226 	}
   2227 }
   2228 
   2229 int
   2230 session_input_channel_req(Channel *c, const char *rtype)
   2231 {
   2232 	int success = 0;
   2233 	Session *s;
   2234 
   2235 	if ((s = session_by_channel(c->self)) == NULL) {
   2236 		logit("session_input_channel_req: no session %d req %.100s",
   2237 		    c->self, rtype);
   2238 		return 0;
   2239 	}
   2240 	debug("session_input_channel_req: session %d req %s", s->self, rtype);
   2241 
   2242 	/*
   2243 	 * a session is in LARVAL state until a shell, a command
   2244 	 * or a subsystem is executed
   2245 	 */
   2246 	if (c->type == SSH_CHANNEL_LARVAL) {
   2247 		if (strcmp(rtype, "shell") == 0) {
   2248 			success = session_shell_req(s);
   2249 		} else if (strcmp(rtype, "exec") == 0) {
   2250 			success = session_exec_req(s);
   2251 		} else if (strcmp(rtype, "pty-req") == 0) {
   2252 			success = session_pty_req(s);
   2253 		} else if (strcmp(rtype, "x11-req") == 0) {
   2254 			success = session_x11_req(s);
   2255 		} else if (strcmp(rtype, "auth-agent-req (at) openssh.com") == 0) {
   2256 			success = session_auth_agent_req(s);
   2257 		} else if (strcmp(rtype, "subsystem") == 0) {
   2258 			success = session_subsystem_req(s);
   2259 		} else if (strcmp(rtype, "env") == 0) {
   2260 			success = session_env_req(s);
   2261 		}
   2262 	}
   2263 	if (strcmp(rtype, "window-change") == 0) {
   2264 		success = session_window_change_req(s);
   2265 	} else if (strcmp(rtype, "break") == 0) {
   2266 		success = session_break_req(s);
   2267 	}
   2268 
   2269 	return success;
   2270 }
   2271 
   2272 void
   2273 session_set_fds(Session *s, int fdin, int fdout, int fderr, int ignore_fderr,
   2274     int is_tty)
   2275 {
   2276 	if (!compat20)
   2277 		fatal("session_set_fds: called for proto != 2.0");
   2278 	/*
   2279 	 * now that have a child and a pipe to the child,
   2280 	 * we can activate our channel and register the fd's
   2281 	 */
   2282 	if (s->chanid == -1)
   2283 		fatal("no channel for session %d", s->self);
   2284 	channel_set_fds(s->chanid,
   2285 	    fdout, fdin, fderr,
   2286 	    ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
   2287 	    1, is_tty, CHAN_SES_WINDOW_DEFAULT);
   2288 }
   2289 
   2290 /*
   2291  * Function to perform pty cleanup. Also called if we get aborted abnormally
   2292  * (e.g., due to a dropped connection).
   2293  */
   2294 void
   2295 session_pty_cleanup2(Session *s)
   2296 {
   2297 	if (s == NULL) {
   2298 		error("session_pty_cleanup: no session");
   2299 		return;
   2300 	}
   2301 	if (s->ttyfd == -1)
   2302 		return;
   2303 
   2304 	debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
   2305 
   2306 	/* Record that the user has logged out. */
   2307 	if (s->pid != 0)
   2308 		record_logout(s->pid, s->tty, s->pw->pw_name);
   2309 
   2310 	/* Release the pseudo-tty. */
   2311 	if (getuid() == 0)
   2312 		pty_release(s->tty);
   2313 
   2314 	/*
   2315 	 * Close the server side of the socket pairs.  We must do this after
   2316 	 * the pty cleanup, so that another process doesn't get this pty
   2317 	 * while we're still cleaning up.
   2318 	 */
   2319 	if (s->ptymaster != -1 && close(s->ptymaster) < 0)
   2320 		error("close(s->ptymaster/%d): %s",
   2321 		    s->ptymaster, strerror(errno));
   2322 
   2323 	/* unlink pty from session */
   2324 	s->ttyfd = -1;
   2325 }
   2326 
   2327 void
   2328 session_pty_cleanup(Session *s)
   2329 {
   2330 	PRIVSEP(session_pty_cleanup2(s));
   2331 }
   2332 
   2333 static char *
   2334 sig2name(int sig)
   2335 {
   2336 #define SSH_SIG(x) if (sig == SIG ## x) return #x
   2337 	SSH_SIG(ABRT);
   2338 	SSH_SIG(ALRM);
   2339 	SSH_SIG(FPE);
   2340 	SSH_SIG(HUP);
   2341 	SSH_SIG(ILL);
   2342 	SSH_SIG(INT);
   2343 	SSH_SIG(KILL);
   2344 	SSH_SIG(PIPE);
   2345 	SSH_SIG(QUIT);
   2346 	SSH_SIG(SEGV);
   2347 	SSH_SIG(TERM);
   2348 	SSH_SIG(USR1);
   2349 	SSH_SIG(USR2);
   2350 #undef	SSH_SIG
   2351 	return "SIG (at) openssh.com";
   2352 }
   2353 
   2354 static void
   2355 session_close_x11(int id)
   2356 {
   2357 	Channel *c;
   2358 
   2359 	if ((c = channel_by_id(id)) == NULL) {
   2360 		debug("session_close_x11: x11 channel %d missing", id);
   2361 	} else {
   2362 		/* Detach X11 listener */
   2363 		debug("session_close_x11: detach x11 channel %d", id);
   2364 		channel_cancel_cleanup(id);
   2365 		if (c->ostate != CHAN_OUTPUT_CLOSED)
   2366 			chan_mark_dead(c);
   2367 	}
   2368 }
   2369 
   2370 static void
   2371 session_close_single_x11(int id, void *arg)
   2372 {
   2373 	Session *s;
   2374 	u_int i;
   2375 
   2376 	debug3("session_close_single_x11: channel %d", id);
   2377 	channel_cancel_cleanup(id);
   2378 	if ((s = session_by_x11_channel(id)) == NULL)
   2379 		fatal("session_close_single_x11: no x11 channel %d", id);
   2380 	for (i = 0; s->x11_chanids[i] != -1; i++) {
   2381 		debug("session_close_single_x11: session %d: "
   2382 		    "closing channel %d", s->self, s->x11_chanids[i]);
   2383 		/*
   2384 		 * The channel "id" is already closing, but make sure we
   2385 		 * close all of its siblings.
   2386 		 */
   2387 		if (s->x11_chanids[i] != id)
   2388 			session_close_x11(s->x11_chanids[i]);
   2389 	}
   2390 	xfree(s->x11_chanids);
   2391 	s->x11_chanids = NULL;
   2392 	if (s->display) {
   2393 		xfree(s->display);
   2394 		s->display = NULL;
   2395 	}
   2396 	if (s->auth_proto) {
   2397 		xfree(s->auth_proto);
   2398 		s->auth_proto = NULL;
   2399 	}
   2400 	if (s->auth_data) {
   2401 		xfree(s->auth_data);
   2402 		s->auth_data = NULL;
   2403 	}
   2404 	if (s->auth_display) {
   2405 		xfree(s->auth_display);
   2406 		s->auth_display = NULL;
   2407 	}
   2408 }
   2409 
   2410 static void
   2411 session_exit_message(Session *s, int status)
   2412 {
   2413 	Channel *c;
   2414 
   2415 	if ((c = channel_lookup(s->chanid)) == NULL)
   2416 		fatal("session_exit_message: session %d: no channel %d",
   2417 		    s->self, s->chanid);
   2418 	debug("session_exit_message: session %d channel %d pid %ld",
   2419 	    s->self, s->chanid, (long)s->pid);
   2420 
   2421 	if (WIFEXITED(status)) {
   2422 		channel_request_start(s->chanid, "exit-status", 0);
   2423 		packet_put_int(WEXITSTATUS(status));
   2424 		packet_send();
   2425 	} else if (WIFSIGNALED(status)) {
   2426 		channel_request_start(s->chanid, "exit-signal", 0);
   2427 		packet_put_cstring(sig2name(WTERMSIG(status)));
   2428 #ifdef WCOREDUMP
   2429 		packet_put_char(WCOREDUMP(status)? 1 : 0);
   2430 #else /* WCOREDUMP */
   2431 		packet_put_char(0);
   2432 #endif /* WCOREDUMP */
   2433 		packet_put_cstring("");
   2434 		packet_put_cstring("");
   2435 		packet_send();
   2436 	} else {
   2437 		/* Some weird exit cause.  Just exit. */
   2438 		packet_disconnect("wait returned status %04x.", status);
   2439 	}
   2440 
   2441 	/* disconnect channel */
   2442 	debug("session_exit_message: release channel %d", s->chanid);
   2443 
   2444 	/*
   2445 	 * Adjust cleanup callback attachment to send close messages when
   2446 	 * the channel gets EOF. The session will be then be closed
   2447 	 * by session_close_by_channel when the childs close their fds.
   2448 	 */
   2449 	channel_register_cleanup(c->self, session_close_by_channel, 1);
   2450 
   2451 	/*
   2452 	 * emulate a write failure with 'chan_write_failed', nobody will be
   2453 	 * interested in data we write.
   2454 	 * Note that we must not call 'chan_read_failed', since there could
   2455 	 * be some more data waiting in the pipe.
   2456 	 */
   2457 	if (c->ostate != CHAN_OUTPUT_CLOSED)
   2458 		chan_write_failed(c);
   2459 }
   2460 
   2461 void
   2462 session_close(Session *s)
   2463 {
   2464 	u_int i;
   2465 
   2466 	debug("session_close: session %d pid %ld", s->self, (long)s->pid);
   2467 	if (s->ttyfd != -1)
   2468 		session_pty_cleanup(s);
   2469 	if (s->term)
   2470 		xfree(s->term);
   2471 	if (s->display)
   2472 		xfree(s->display);
   2473 	if (s->x11_chanids)
   2474 		xfree(s->x11_chanids);
   2475 	if (s->auth_display)
   2476 		xfree(s->auth_display);
   2477 	if (s->auth_data)
   2478 		xfree(s->auth_data);
   2479 	if (s->auth_proto)
   2480 		xfree(s->auth_proto);
   2481 	if (s->env != NULL) {
   2482 		for (i = 0; i < s->num_env; i++) {
   2483 			xfree(s->env[i].name);
   2484 			xfree(s->env[i].val);
   2485 		}
   2486 		xfree(s->env);
   2487 	}
   2488 	session_proctitle(s);
   2489 	session_unused(s->self);
   2490 }
   2491 
   2492 void
   2493 session_close_by_pid(pid_t pid, int status)
   2494 {
   2495 	Session *s = session_by_pid(pid);
   2496 	if (s == NULL) {
   2497 		debug("session_close_by_pid: no session for pid %ld",
   2498 		    (long)pid);
   2499 		return;
   2500 	}
   2501 	if (s->chanid != -1)
   2502 		session_exit_message(s, status);
   2503 	if (s->ttyfd != -1)
   2504 		session_pty_cleanup(s);
   2505 	s->pid = 0;
   2506 }
   2507 
   2508 /*
   2509  * this is called when a channel dies before
   2510  * the session 'child' itself dies
   2511  */
   2512 void
   2513 session_close_by_channel(int id, void *arg)
   2514 {
   2515 	Session *s = session_by_channel(id);
   2516 	u_int i;
   2517 
   2518 	if (s == NULL) {
   2519 		debug("session_close_by_channel: no session for id %d", id);
   2520 		return;
   2521 	}
   2522 	debug("session_close_by_channel: channel %d child %ld",
   2523 	    id, (long)s->pid);
   2524 	if (s->pid != 0) {
   2525 		debug("session_close_by_channel: channel %d: has child", id);
   2526 		/*
   2527 		 * delay detach of session, but release pty, since
   2528 		 * the fd's to the child are already closed
   2529 		 */
   2530 		if (s->ttyfd != -1)
   2531 			session_pty_cleanup(s);
   2532 		return;
   2533 	}
   2534 	/* detach by removing callback */
   2535 	channel_cancel_cleanup(s->chanid);
   2536 
   2537 	/* Close any X11 listeners associated with this session */
   2538 	if (s->x11_chanids != NULL) {
   2539 		for (i = 0; s->x11_chanids[i] != -1; i++) {
   2540 			session_close_x11(s->x11_chanids[i]);
   2541 			s->x11_chanids[i] = -1;
   2542 		}
   2543 	}
   2544 
   2545 	s->chanid = -1;
   2546 	session_close(s);
   2547 }
   2548 
   2549 void
   2550 session_destroy_all(void (*closefunc)(Session *))
   2551 {
   2552 	int i;
   2553 	for (i = 0; i < sessions_nalloc; i++) {
   2554 		Session *s = &sessions[i];
   2555 		if (s->used) {
   2556 			if (closefunc != NULL)
   2557 				closefunc(s);
   2558 			else
   2559 				session_close(s);
   2560 		}
   2561 	}
   2562 }
   2563 
   2564 static char *
   2565 session_tty_list(void)
   2566 {
   2567 	static char buf[1024];
   2568 	int i;
   2569 	char *cp;
   2570 
   2571 	buf[0] = '\0';
   2572 	for (i = 0; i < sessions_nalloc; i++) {
   2573 		Session *s = &sessions[i];
   2574 		if (s->used && s->ttyfd != -1) {
   2575 
   2576 			if (strncmp(s->tty, "/dev/", 5) != 0) {
   2577 				cp = strrchr(s->tty, '/');
   2578 				cp = (cp == NULL) ? s->tty : cp + 1;
   2579 			} else
   2580 				cp = s->tty + 5;
   2581 
   2582 			if (buf[0] != '\0')
   2583 				strlcat(buf, ",", sizeof buf);
   2584 			strlcat(buf, cp, sizeof buf);
   2585 		}
   2586 	}
   2587 	if (buf[0] == '\0')
   2588 		strlcpy(buf, "notty", sizeof buf);
   2589 	return buf;
   2590 }
   2591 
   2592 void
   2593 session_proctitle(Session *s)
   2594 {
   2595 	if (s->pw == NULL)
   2596 		error("no user for session %d", s->self);
   2597 	else
   2598 		setproctitle("%s@%s", s->pw->pw_name, session_tty_list());
   2599 }
   2600 
   2601 int
   2602 session_setup_x11fwd(Session *s)
   2603 {
   2604 	struct stat st;
   2605 	char display[512], auth_display[512];
   2606 	char hostname[MAXHOSTNAMELEN];
   2607 	u_int i;
   2608 
   2609 	if (no_x11_forwarding_flag) {
   2610 		packet_send_debug("X11 forwarding disabled in user configuration file.");
   2611 		return 0;
   2612 	}
   2613 	if (!options.x11_forwarding) {
   2614 		debug("X11 forwarding disabled in server configuration file.");
   2615 		return 0;
   2616 	}
   2617 	if (!options.xauth_location ||
   2618 	    (stat(options.xauth_location, &st) == -1)) {
   2619 		packet_send_debug("No xauth program; cannot forward with spoofing.");
   2620 		return 0;
   2621 	}
   2622 	if (options.use_login) {
   2623 		packet_send_debug("X11 forwarding disabled; "
   2624 		    "not compatible with UseLogin=yes.");
   2625 		return 0;
   2626 	}
   2627 	if (s->display != NULL) {
   2628 		debug("X11 display already set.");
   2629 		return 0;
   2630 	}
   2631 	if (x11_create_display_inet(options.x11_display_offset,
   2632 	    options.x11_use_localhost, s->single_connection,
   2633 	    &s->display_number, &s->x11_chanids) == -1) {
   2634 		debug("x11_create_display_inet failed.");
   2635 		return 0;
   2636 	}
   2637 	for (i = 0; s->x11_chanids[i] != -1; i++) {
   2638 		channel_register_cleanup(s->x11_chanids[i],
   2639 		    session_close_single_x11, 0);
   2640 	}
   2641 
   2642 	/* Set up a suitable value for the DISPLAY variable. */
   2643 	if (gethostname(hostname, sizeof(hostname)) < 0)
   2644 		fatal("gethostname: %.100s", strerror(errno));
   2645 	/*
   2646 	 * auth_display must be used as the displayname when the
   2647 	 * authorization entry is added with xauth(1).  This will be
   2648 	 * different than the DISPLAY string for localhost displays.
   2649 	 */
   2650 	if (options.x11_use_localhost) {
   2651 		snprintf(display, sizeof display, "localhost:%u.%u",
   2652 		    s->display_number, s->screen);
   2653 		snprintf(auth_display, sizeof auth_display, "unix:%u.%u",
   2654 		    s->display_number, s->screen);
   2655 		s->display = xstrdup(display);
   2656 		s->auth_display = xstrdup(auth_display);
   2657 	} else {
   2658 #ifdef IPADDR_IN_DISPLAY
   2659 		struct hostent *he;
   2660 		struct in_addr my_addr;
   2661 
   2662 		he = gethostbyname(hostname);
   2663 		if (he == NULL) {
   2664 			error("Can't get IP address for X11 DISPLAY.");
   2665 			packet_send_debug("Can't get IP address for X11 DISPLAY.");
   2666 			return 0;
   2667 		}
   2668 		memcpy(&my_addr, he->h_addr_list[0], sizeof(struct in_addr));
   2669 		snprintf(display, sizeof display, "%.50s:%u.%u", inet_ntoa(my_addr),
   2670 		    s->display_number, s->screen);
   2671 #else
   2672 		snprintf(display, sizeof display, "%.400s:%u.%u", hostname,
   2673 		    s->display_number, s->screen);
   2674 #endif
   2675 		s->display = xstrdup(display);
   2676 		s->auth_display = xstrdup(display);
   2677 	}
   2678 
   2679 	return 1;
   2680 }
   2681 
   2682 static void
   2683 do_authenticated2(Authctxt *authctxt)
   2684 {
   2685 	server_loop2(authctxt);
   2686 }
   2687 
   2688 void
   2689 do_cleanup(Authctxt *authctxt)
   2690 {
   2691 	static int called = 0;
   2692 
   2693 	debug("do_cleanup");
   2694 
   2695 	/* no cleanup if we're in the child for login shell */
   2696 	if (is_child)
   2697 		return;
   2698 
   2699 	/* avoid double cleanup */
   2700 	if (called)
   2701 		return;
   2702 	called = 1;
   2703 
   2704 	if (authctxt == NULL)
   2705 		return;
   2706 
   2707 #ifdef USE_PAM
   2708 	if (options.use_pam) {
   2709 		sshpam_cleanup();
   2710 		sshpam_thread_cleanup();
   2711 	}
   2712 #endif
   2713 
   2714 	if (!authctxt->authenticated)
   2715 		return;
   2716 
   2717 #ifdef KRB5
   2718 	if (options.kerberos_ticket_cleanup &&
   2719 	    authctxt->krb5_ctx)
   2720 		krb5_cleanup_proc(authctxt);
   2721 #endif
   2722 
   2723 #ifdef GSSAPI
   2724 	if (compat20 && options.gss_cleanup_creds)
   2725 		ssh_gssapi_cleanup_creds();
   2726 #endif
   2727 
   2728 	/* remove agent socket */
   2729 	auth_sock_cleanup_proc(authctxt->pw);
   2730 
   2731 	/*
   2732 	 * Cleanup ptys/utmp only if privsep is disabled,
   2733 	 * or if running in monitor.
   2734 	 */
   2735 	if (!use_privsep || mm_is_monitor())
   2736 		session_destroy_all(session_pty_cleanup2);
   2737 }
   2738