search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "TODO epan/dissectors/asn1/kerberos/packet-kerberos-template.c new GSS flags"
[wireshark-sm.git] / extcap / sshdig.c
blob4cfae8c9afc53dd22ff15fb789fc97cc4b02e63b
1 /* sshdig.c
2 * sshdig is extcap tool used to capture events on a remote host via SSH
3 *
4 * Copied from sshdump.c, copyright 2015, Dario Lombardo
5 *
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
9 *
10 * SPDX-License-Identifier: GPL-2.0-or-later
11 */
12
13 #include "config.h"
14 #define WS_LOG_DOMAIN "sshdig"
15
16 #include <extcap/extcap-base.h>
17 #include <extcap/ssh-base.h>
18 #include <wsutil/application_flavor.h>
19 #include <wsutil/interface.h>
20 #include <wsutil/file_util.h>
21 #include <wsutil/strtoi.h>
22 #include <wsutil/filesystem.h>
23 #include <wsutil/privileges.h>
24 #include <wsutil/please_report_bug.h>
25 #include <wsutil/wslog.h>
26
27 #include <errno.h>
28 #include <string.h>
29 #include <fcntl.h>
30
31 #include <cli_main.h>
32
33 static char* sshdig_extcap_interface;
34 #define DEFAULT_SSHDIG_EXTCAP_INTERFACE "sshdig"
35
36 #define SSHDIG_VERSION_MAJOR "1"
37 #define SSHDIG_VERSION_MINOR "0"
38 #define SSHDIG_VERSION_RELEASE "0"
39
40 #define SSH_READ_BLOCK_SIZE 256
41
42 enum {
43 EXTCAP_BASE_OPTIONS_ENUM,
44 OPT_HELP,
45 OPT_VERSION,
46 OPT_REMOTE_HOST,
47 OPT_REMOTE_PORT,
48 OPT_REMOTE_USERNAME,
49 OPT_REMOTE_PASSWORD,
50 OPT_REMOTE_CAPTURE_COMMAND_SELECT,
51 OPT_REMOTE_CAPTURE_COMMAND,
52 OPT_SSHKEY,
53 OPT_SSHKEY_PASSPHRASE,
54 OPT_PROXYCOMMAND,
55 OPT_SSH_SHA1,
56 OPT_REMOTE_COUNT,
57 OPT_REMOTE_PRIV,
58 OPT_REMOTE_PRIV_USER,
59 OPT_REMOTE_MODERN_BPF
60 };
61
62 static struct ws_option longopts[] = {
63 EXTCAP_BASE_OPTIONS,
64 { "help", ws_no_argument, NULL, OPT_HELP},
65 { "version", ws_no_argument, NULL, OPT_VERSION},
66 SSH_BASE_OPTIONS,
67 { "remote-capture-command-select", ws_required_argument, NULL, OPT_REMOTE_CAPTURE_COMMAND_SELECT},
68 { "remote-capture-command", ws_required_argument, NULL, OPT_REMOTE_CAPTURE_COMMAND},
69 { "remote-priv", ws_required_argument, NULL, OPT_REMOTE_PRIV },
70 { "remote-priv-user", ws_required_argument, NULL, OPT_REMOTE_PRIV_USER },
71 { "remote-modern-bpf", ws_no_argument, NULL, OPT_REMOTE_MODERN_BPF },
72 { 0, 0, 0, 0}
73 };
74
75 static int ssh_loop_read(ssh_channel channel, FILE* fp)
76 {
77 int nbytes;
78 int ret = EXIT_SUCCESS;
79 char buffer[SSH_READ_BLOCK_SIZE];
80
81 /* read from stdin until data are available */
82 while (ssh_channel_is_open(channel) && !ssh_channel_is_eof(channel)) {
83 nbytes = ssh_channel_read(channel, buffer, SSH_READ_BLOCK_SIZE, 0);
84 if (nbytes < 0) {
85 ws_warning("Error reading from channel");
86 goto end;
87 }
88 if (nbytes == 0) {
89 break;
90 }
91 if (fwrite(buffer, 1, nbytes, fp) != (unsigned)nbytes) {
92 ws_warning("Error writing to fifo");
93 ret = EXIT_FAILURE;
94 goto end;
95 }
96 fflush(fp);
97 }
98
99 /* read loop finished... maybe something wrong happened. Read from stderr */
100 while (ssh_channel_is_open(channel) && !ssh_channel_is_eof(channel)) {
101 nbytes = ssh_channel_read(channel, buffer, SSH_READ_BLOCK_SIZE, 1);
102 if (nbytes < 0) {
103 ws_warning("Error reading from channel");
104 goto end;
105 }
106 if (fwrite(buffer, 1, nbytes, stderr) != (unsigned)nbytes) {
107 ws_warning("Error writing to stderr");
108 break;
109 }
110 }
111
112 end:
113 if (ssh_channel_send_eof(channel) != SSH_OK) {
114 ws_warning("Error sending EOF in ssh channel");
115 ret = EXIT_FAILURE;
116 }
117 return ret;
118 }
119
120 static ssh_channel run_ssh_command(ssh_session sshs, const char* capture_command_select,
121 const char* capture_command, const char* privilege,
122 const char* cfilter, const uint32_t count, bool modern_bpf)
123 {
124 char* cmdline = NULL;
125 ssh_channel channel;
126 char* quoted_filter = NULL;
127 char* count_str = NULL;
128 unsigned int remote_port = 22;
129
130 channel = ssh_channel_new(sshs);
131 if (!channel) {
132 ws_warning("Can't create channel");
133 return NULL;
134 }
135
136 if (ssh_channel_open_session(channel) != SSH_OK) {
137 ws_warning("Can't open session");
138 ssh_channel_free(channel);
139 return NULL;
140 }
141
142 ssh_options_get_port(sshs, &remote_port);
143
144 if (capture_command_select == NULL || !g_strcmp0(capture_command_select, "other")) {
145 if (capture_command && *capture_command) {
146 cmdline = g_strdup(capture_command);
147 ws_debug("Remote capture command has disabled other options");
148 } else {
149 capture_command_select = "sysdig";
150 }
151 }
152
153 /* escape parameters to go save with the shell */
154 if (!g_strcmp0(capture_command_select, "sysdig")) {
155 quoted_filter = g_shell_quote(cfilter ? cfilter : "");
156 if (count > 0)
157 count_str = ws_strdup_printf("--numevents=%u", count);
158
159 cmdline = ws_strdup_printf("%s sysdig --unbuffered %s --write=- %s %s",
160 privilege,
161 modern_bpf ? " --modern-bpf" : "",
162 count_str ? count_str : "",
163 quoted_filter);
164 }
165
166 ws_debug("Running: %s", cmdline);
167 if (ssh_channel_request_exec(channel, cmdline) != SSH_OK) {
168 ws_warning("Can't request exec");
169 ssh_channel_close(channel);
170 ssh_channel_free(channel);
171 channel = NULL;
172 }
173
174 g_free(quoted_filter);
175 g_free(cmdline);
176 g_free(count_str);
177
178 return channel;
179 }
180
181 static int ssh_open_remote_connection(const ssh_params_t* params, const char* cfilter,
182 const char* capture_command_select, const char* capture_command, const char* privilege,
183 const uint32_t count, const char* fifo, bool modern_bpf)
184 {
185 ssh_session sshs = NULL;
186 ssh_channel channel = NULL;
187 FILE* fp = stdout;
188 int ret = EXIT_FAILURE;
189 char* err_info = NULL;
190
191 if (g_strcmp0(fifo, "-")) {
192 /* Open or create the output file */
193 fp = fopen(fifo, "wb");
194 if (fp == NULL) {
195 ws_warning("Error creating output file: %s (%s)", fifo, g_strerror(errno));
196 return EXIT_FAILURE;
197 }
198 }
199
200 sshs = create_ssh_connection(params, &err_info);
201
202 if (!sshs) {
203 ws_warning("Error creating connection.");
204 goto cleanup;
205 }
206
207 channel = run_ssh_command(sshs, capture_command_select, capture_command, privilege, cfilter, count, modern_bpf);
208
209 if (!channel) {
210 ws_warning("Can't run ssh command.");
211 goto cleanup;
212 }
213
214 /* read from channel and write into fp */
215 if (ssh_loop_read(channel, fp) != EXIT_SUCCESS) {
216 ws_warning("Error in read loop.");
217 ret = EXIT_FAILURE;
218 goto cleanup;
219 }
220
221 ret = EXIT_SUCCESS;
222 cleanup:
223 if (err_info)
224 ws_warning("%s", err_info);
225 g_free(err_info);
226
227 /* clean up and exit */
228 ssh_cleanup(&sshs, &channel);
229
230 if (g_strcmp0(fifo, "-"))
231 fclose(fp);
232 return ret;
233 }
234
235 static int list_config(char *interface)
236 {
237 unsigned inc = 0;
238
239 if (!interface) {
240 ws_warning("ERROR: No interface specified.");
241 return EXIT_FAILURE;
242 }
243
244 if (g_strcmp0(interface, sshdig_extcap_interface)) {
245 ws_warning("ERROR: interface must be %s", sshdig_extcap_interface);
246 return EXIT_FAILURE;
247 }
248
249 printf("arg {number=%u}{call=--remote-host}{display=Remote SSH server address}"
250 "{type=string}{tooltip=The remote SSH host. It can be both "
251 "an IP address or a hostname}{required=true}{group=Server}\n", inc++);
252 printf("arg {number=%u}{call=--remote-port}{display=Remote SSH server port}"
253 "{type=unsigned}{default=22}{tooltip=The remote SSH host port (1-65535)}"
254 "{range=1,65535}{group=Server}\n", inc++);
255 printf("arg {number=%u}{call=--remote-username}{display=Remote SSH server username}"
256 "{type=string}{tooltip=The remote SSH username. If not provided, "
257 "the current user will be used}{group=Authentication}\n", inc++);
258 printf("arg {number=%u}{call=--remote-password}{display=Remote SSH server password}"
259 "{type=password}{tooltip=The SSH password, used when other methods (SSH agent "
260 "or key files) are unavailable.}{group=Authentication}\n", inc++);
261 printf("arg {number=%u}{call=--sshkey}{display=Path to SSH private key}"
262 "{type=fileselect}{tooltip=The path on the local filesystem of the private SSH key (OpenSSH format)}"
263 "{mustexist=true}{group=Authentication}\n", inc++);
264 printf("arg {number=%u}{call=--sshkey-passphrase}{display=SSH key passphrase}"
265 "{type=password}{tooltip=Passphrase to unlock the SSH private key}{group=Authentication}\n",
266 inc++);
267 printf("arg {number=%u}{call=--proxycommand}{display=ProxyCommand}"
268 "{type=string}{tooltip=The command to use as proxy for the SSH connection}"
269 "{group=Authentication}\n", inc++);
270 printf("arg {number=%u}{call=--ssh-sha1}{display=Support SHA-1 keys (deprecated)}"
271 "{type=boolflag}{tooltip=Support keys and key exchange algorithms using SHA-1 (deprecated)}{group=Authentication}"
272 "\n", inc++);
273 printf("arg {number=%u}{call=--remote-capture-command-select}{display=Remote capture command selection}"
274 "{type=radio}{tooltip=The remote capture command to build a command line for}{group=Capture}\n", inc);
275 printf("value {arg=%u}{value=sysdig}{display=sysdig}\n", inc);
276 // XXX Add falcodump?
277 printf("value {arg=%u}{value=other}{display=Other:}\n", inc++);
278 printf("arg {number=%u}{call=--remote-capture-command}{display=Remote capture command}"
279 "{type=string}{tooltip=The remote command used to capture}{group=Capture}\n", inc++);
280 printf("arg {number=%u}{call=--remote-priv}{display=Gain capture privilege on the remote machine}"
281 "{type=radio}{tooltip=Optionally prepend the capture command with sudo or doas on the remote machine}"
282 "{group=Capture}\n", inc);
283 printf("value {arg=%u}{value=none}{display=none}{default=true}\n", inc);
284 printf("value {arg=%u}{value=sudo}{display=sudo}\n", inc);
285 printf("value {arg=%u}{value=doas -n}{display=doas}\n", inc++);
286 printf("arg {number=%u}{call=--remote-priv-user}{display=Privileged user name for sudo or doas}"
287 "{type=string}{tooltip=User name of privileged user to execute the capture command on the remote machine}"
288 "{group=Capture}\n", inc++);
289 printf("{group=Capture}\n");
290 printf("arg {number=%u}{call=--remote-count}{display=Packets to capture}"
291 "{type=unsigned}{default=0}{tooltip=The number of remote packets to capture. (Default: inf)}"
292 "{group=Capture}\n", inc++);
293 printf("arg {number=%u}{call=--remote-modern-bpf}{display=Use eBPF}{type=boolflag}{default=true}"
294 "{tooltip=Use eBPF for capture. With this no kernel module is required}{group=Capture}\n", inc++);
295
296 extcap_config_debug(&inc);
297
298 return EXIT_SUCCESS;
299 }
300
301 int main(int argc, char *argv[])
302 {
303 char* err_msg;
304 int result;
305 int option_idx = 0;
306 ssh_params_t* ssh_params = ssh_params_new();
307 char* remote_capture_command_select = NULL;
308 char* remote_capture_command = NULL;
309 uint32_t count = 0;
310 int ret = EXIT_FAILURE;
311 extcap_parameters* extcap_conf = g_new0(extcap_parameters, 1);
312 char* help_url;
313 char* help_header = NULL;
314 char* priv = NULL;
315 char* priv_user = NULL;
316 char* interface_description = g_strdup("SSH remote syscall capture");
317 bool modern_bpf = 0;
318
319 /* Set the program name. */
320 g_set_prgname("sshdig");
321
322 /* Initialize log handler early so we can have proper logging during startup. */
323 extcap_log_init();
324
325 sshdig_extcap_interface = g_path_get_basename(argv[0]);
326 if (g_str_has_suffix(sshdig_extcap_interface, ".exe")) {
327 sshdig_extcap_interface[strlen(sshdig_extcap_interface) - 4] = '\0';
328 }
329
330 /*
331 * Get credential information for later use.
332 */
333 init_process_policies();
334
335 /*
336 * Attempt to get the pathname of the directory containing the
337 * executable file.
338 */
339 err_msg = configuration_init(argv[0]);
340 set_application_flavor(APPLICATION_FLAVOR_STRATOSHARK);
341 if (err_msg != NULL) {
342 ws_warning("Can't get pathname of directory containing the extcap program: %s.",
343 err_msg);
344 g_free(err_msg);
345 }
346
347 help_url = data_file_url("sshdig.html");
348 extcap_base_set_util_info(extcap_conf, argv[0], SSHDIG_VERSION_MAJOR, SSHDIG_VERSION_MINOR,
349 SSHDIG_VERSION_RELEASE, help_url);
350 g_free(help_url);
351 add_libssh_info(extcap_conf);
352 if (g_strcmp0(sshdig_extcap_interface, DEFAULT_SSHDIG_EXTCAP_INTERFACE)) {
353 char* temp = interface_description;
354 interface_description = ws_strdup_printf("%s, custom version", interface_description);
355 g_free(temp);
356 }
357 extcap_base_register_interface(extcap_conf, sshdig_extcap_interface, interface_description, 147, "Remote capture dependent DLT");
358 g_free(interface_description);
359
360 help_header = ws_strdup_printf(
361 " %s --extcap-interfaces\n"
362 " %s --extcap-interface=%s --extcap-dlts\n"
363 " %s --extcap-interface=%s --extcap-config\n"
364 " %s --extcap-interface=%s --remote-host myhost --remote-port 22222 "
365 "--fifo=FILENAME --capture\n", argv[0], argv[0], sshdig_extcap_interface, argv[0],
366 sshdig_extcap_interface, argv[0], sshdig_extcap_interface);
367 extcap_help_add_header(extcap_conf, help_header);
368 g_free(help_header);
369 extcap_help_add_option(extcap_conf, "--help", "print this help");
370 extcap_help_add_option(extcap_conf, "--version", "print the version");
371 extcap_help_add_option(extcap_conf, "--remote-host <host>", "the remote SSH host");
372 extcap_help_add_option(extcap_conf, "--remote-port <port>", "the remote SSH port");
373 extcap_help_add_option(extcap_conf, "--remote-username <username>", "the remote SSH username");
374 extcap_help_add_option(extcap_conf, "--remote-password <password>", "the remote SSH password. If not specified, ssh-agent and ssh-key are used");
375 extcap_help_add_option(extcap_conf, "--sshkey <private key path>", "the path of the SSH key (OpenSSH format)");
376 extcap_help_add_option(extcap_conf, "--sshkey-passphrase <private key passphrase>", "the passphrase to unlock private SSH key");
377 extcap_help_add_option(extcap_conf, "--proxycommand <proxy command>", "the command to use as proxy for the SSH connection");
378 extcap_help_add_option(extcap_conf, "--ssh-sha1", "support keys and key exchange using SHA-1 (deprecated)");
379 extcap_help_add_option(extcap_conf, "--remote-capture-command-select <selection>", "sysdig or other remote capture command");
380 extcap_help_add_option(extcap_conf, "--remote-capture-command <capture command>", "the remote capture command");
381 extcap_help_add_option(extcap_conf, "--remote-priv <selection>", "none, sudo or doas");
382 extcap_help_add_option(extcap_conf, "--remote-priv-user <username>", "privileged user name");
383 extcap_help_add_option(extcap_conf, "--remote-count <count>", "the number of packets to capture");
384 extcap_help_add_option(extcap_conf, "--remote-modern-bpf", "use eBPF");
385
386 ws_opterr = 0;
387 ws_optind = 0;
388
389 if (argc == 1) {
390 extcap_help_print(extcap_conf);
391 goto end;
392 }
393
394 while ((result = ws_getopt_long(argc, argv, ":", longopts, &option_idx)) != -1) {
395
396 switch (result) {
397
398 case OPT_HELP:
399 extcap_help_print(extcap_conf);
400 ret = EXIT_SUCCESS;
401 goto end;
402
403 case OPT_VERSION:
404 extcap_version_print(extcap_conf);
405 ret = EXIT_SUCCESS;
406 goto end;
407
408 case OPT_REMOTE_HOST:
409 g_free(ssh_params->host);
410 ssh_params->host = g_strdup(ws_optarg);
411 break;
412
413 case OPT_REMOTE_PORT:
414 if (!ws_strtou16(ws_optarg, NULL, &ssh_params->port) || ssh_params->port == 0) {
415 ws_warning("Invalid port: %s", ws_optarg);
416 goto end;
417 }
418 break;
419
420 case OPT_REMOTE_USERNAME:
421 g_free(ssh_params->username);
422 ssh_params->username = g_strdup(ws_optarg);
423 break;
424
425 case OPT_REMOTE_PASSWORD:
426 g_free(ssh_params->password);
427 ssh_params->password = g_strdup(ws_optarg);
428 memset(ws_optarg, 'X', strlen(ws_optarg));
429 break;
430
431 case OPT_SSHKEY:
432 g_free(ssh_params->sshkey_path);
433 ssh_params->sshkey_path = g_strdup(ws_optarg);
434 break;
435
436 case OPT_SSHKEY_PASSPHRASE:
437 g_free(ssh_params->sshkey_passphrase);
438 ssh_params->sshkey_passphrase = g_strdup(ws_optarg);
439 memset(ws_optarg, 'X', strlen(ws_optarg));
440 break;
441
442 case OPT_PROXYCOMMAND:
443 g_free(ssh_params->proxycommand);
444 ssh_params->proxycommand = g_strdup(ws_optarg);
445 break;
446
447 case OPT_SSH_SHA1:
448 ssh_params->ssh_sha1 = true;
449 break;
450
451 case OPT_REMOTE_CAPTURE_COMMAND_SELECT:
452 g_free(remote_capture_command_select);
453 remote_capture_command_select = g_strdup(ws_optarg);
454 break;
455
456 case OPT_REMOTE_CAPTURE_COMMAND:
457 g_free(remote_capture_command);
458 remote_capture_command = g_strdup(ws_optarg);
459 break;
460
461 case OPT_REMOTE_PRIV:
462 g_free(priv);
463 priv = g_strdup(ws_optarg);
464 break;
465
466 case OPT_REMOTE_PRIV_USER:
467 g_free(priv_user);
468 priv_user = g_strdup(ws_optarg);
469 break;
470
471 case OPT_REMOTE_COUNT:
472 if (!ws_strtou32(ws_optarg, NULL, &count)) {
473 ws_warning("Invalid value for count: %s", ws_optarg);
474 goto end;
475 }
476 break;
477 case OPT_REMOTE_MODERN_BPF:
478 modern_bpf = true;
479 break;
480
481 case ':':
482 /* missing option argument */
483 ws_warning("Option '%s' requires an argument", argv[ws_optind - 1]);
484 break;
485
486 default:
487 if (!extcap_base_parse_options(extcap_conf, result - EXTCAP_OPT_LIST_INTERFACES, ws_optarg)) {
488 ws_warning("Invalid option: %s", argv[ws_optind - 1]);
489 goto end;
490 }
491 }
492 }
493
494 extcap_cmdline_debug(argv, argc);
495
496 if (extcap_base_handle_interface(extcap_conf)) {
497 ret = EXIT_SUCCESS;
498 goto end;
499 }
500
501 if (extcap_conf->show_config) {
502 ret = list_config(extcap_conf->interface);
503 goto end;
504 }
505
506 err_msg = ws_init_sockets();
507 if (err_msg != NULL) {
508 ws_warning("ERROR: %s", err_msg);
509 g_free(err_msg);
510 ws_warning("%s", please_report_bug());
511 goto end;
512 }
513
514 if (extcap_conf->capture) {
515 char* privilege;
516
517 if (!ssh_params->host) {
518 ws_warning("Missing parameter: --remote-host");
519 goto end;
520 }
521
522 if ((priv) && g_strcmp0(priv, "none") && strlen(g_strstrip(priv))) {
523 if ((priv_user) && strlen(g_strstrip(priv_user)))
524 /* Both sudo and doas use the same command line option */
525 privilege = g_strconcat(priv, " -u ", priv_user, NULL);
526 else
527 privilege = g_strdup(priv);
528 } else {
529 privilege = g_strdup("");
530 }
531
532 ssh_params_set_log_level(ssh_params, extcap_conf->debug);
533 ret = ssh_open_remote_connection(ssh_params, extcap_conf->capture_filter,
534 remote_capture_command_select, remote_capture_command,
535 privilege, count, extcap_conf->fifo, modern_bpf);
536 g_free(privilege);
537 } else {
538 ws_debug("You should not come here... maybe some parameter missing?");
539 ret = EXIT_FAILURE;
540 }
541
542 end:
543 /* clean up stuff */
544 ssh_params_free(ssh_params);
545 g_free(remote_capture_command_select);
546 g_free(remote_capture_command);
547 g_free(priv);
548 g_free(priv_user);
549 extcap_base_cleanup(&extcap_conf);
550 return ret;
551 }
Metzes wireshark repo