Diffstat (limited to 'plugins/check_ssh.c')
-rw-r--r--plugins/check_ssh.c105
1 files changed, 64 insertions, 41 deletions
diff --git a/plugins/check_ssh.c b/plugins/check_ssh.c
index 9d0d7cde..911f6787 100644
--- a/plugins/check_ssh.c
+++ b/plugins/check_ssh.c
@@ -57,9 +57,18 @@ static process_arguments_wrapper process_arguments(int /*argc*/, char ** /*argv*
57static void print_help(void); 57static void print_help(void);
58void print_usage(void); 58void print_usage(void);
59 59
60static int ssh_connect(mp_check *overall, char *haddr, int hport, char *remote_version, char *remote_protocol); 60static int ssh_connect(mp_check *overall, char *haddr, int hport, char *remote_version,
61 char *remote_protocol);
61 62
62int main(int argc, char **argv) { 63int main(int argc, char **argv) {
64#ifdef __OpenBSD__
65 /* - rpath is required to read --extra-opts (given up later)
66 * - inet is required for sockets
67 * - unix is required for Unix domain sockets
68 * - dns is required for name lookups */
69 pledge("stdio rpath inet unix dns", NULL);
70#endif // __OpenBSD__
71
63 setlocale(LC_ALL, ""); 72 setlocale(LC_ALL, "");
64 bindtextdomain(PACKAGE, LOCALEDIR); 73 bindtextdomain(PACKAGE, LOCALEDIR);
65 textdomain(PACKAGE); 74 textdomain(PACKAGE);
@@ -73,6 +82,10 @@ int main(int argc, char **argv) {
73 usage4(_("Could not parse arguments")); 82 usage4(_("Could not parse arguments"));
74 } 83 }
75 84
85#ifdef __OpenBSD__
86 pledge("stdio inet unix dns", NULL);
87#endif // __OpenBSD__
88
76 check_ssh_config config = tmp_config.config; 89 check_ssh_config config = tmp_config.config;
77 90
78 mp_check overall = mp_check_init(); 91 mp_check overall = mp_check_init();
@@ -85,7 +98,8 @@ int main(int argc, char **argv) {
85 alarm(socket_timeout); 98 alarm(socket_timeout);
86 99
87 /* ssh_connect exits if error is found */ 100 /* ssh_connect exits if error is found */
88 ssh_connect(&overall, config.server_name, config.port, config.remote_version, config.remote_protocol); 101 ssh_connect(&overall, config.server_name, config.port, config.remote_version,
102 config.remote_protocol);
89 103
90 alarm(0); 104 alarm(0);
91 105
@@ -96,19 +110,20 @@ int main(int argc, char **argv) {
96 110
97/* process command-line arguments */ 111/* process command-line arguments */
98process_arguments_wrapper process_arguments(int argc, char **argv) { 112process_arguments_wrapper process_arguments(int argc, char **argv) {
99 static struct option longopts[] = {{"help", no_argument, 0, 'h'}, 113 static struct option longopts[] = {
100 {"version", no_argument, 0, 'V'}, 114 {"help", no_argument, 0, 'h'},
101 {"host", required_argument, 0, 'H'}, /* backward compatibility */ 115 {"version", no_argument, 0, 'V'},
102 {"hostname", required_argument, 0, 'H'}, 116 {"host", required_argument, 0, 'H'}, /* backward compatibility */
103 {"port", required_argument, 0, 'p'}, 117 {"hostname", required_argument, 0, 'H'},
104 {"use-ipv4", no_argument, 0, '4'}, 118 {"port", required_argument, 0, 'p'},
105 {"use-ipv6", no_argument, 0, '6'}, 119 {"use-ipv4", no_argument, 0, '4'},
106 {"timeout", required_argument, 0, 't'}, 120 {"use-ipv6", no_argument, 0, '6'},
107 {"verbose", no_argument, 0, 'v'}, 121 {"timeout", required_argument, 0, 't'},
108 {"remote-version", required_argument, 0, 'r'}, 122 {"verbose", no_argument, 0, 'v'},
109 {"remote-protocol", required_argument, 0, 'P'}, 123 {"remote-version", required_argument, 0, 'r'},
110 {"output-format", required_argument, 0, output_format_index}, 124 {"remote-protocol", required_argument, 0, 'P'},
111 {0, 0, 0, 0}}; 125 {"output-format", required_argument, 0, output_format_index},
126 {0, 0, 0, 0}};
112 127
113 process_arguments_wrapper result = { 128 process_arguments_wrapper result = {
114 .config = check_ssh_config_init(), 129 .config = check_ssh_config_init(),
@@ -158,11 +173,7 @@ process_arguments_wrapper process_arguments(int argc, char **argv) {
158 address_family = AF_INET; 173 address_family = AF_INET;
159 break; 174 break;
160 case '6': 175 case '6':
161#ifdef USE_IPV6
162 address_family = AF_INET6; 176 address_family = AF_INET6;
163#else
164 usage4(_("IPv6 support not available"));
165#endif
166 break; 177 break;
167 case 'r': /* remote version */ 178 case 'r': /* remote version */
168 result.config.remote_version = optarg; 179 result.config.remote_version = optarg;
@@ -228,7 +239,8 @@ process_arguments_wrapper process_arguments(int argc, char **argv) {
228 * 239 *
229 *-----------------------------------------------------------------------*/ 240 *-----------------------------------------------------------------------*/
230 241
231int ssh_connect(mp_check *overall, char *haddr, int hport, char *desired_remote_version, char *desired_remote_protocol) { 242int ssh_connect(mp_check *overall, char *haddr, int hport, char *desired_remote_version,
243 char *desired_remote_protocol) {
232 struct timeval tv; 244 struct timeval tv;
233 gettimeofday(&tv, NULL); 245 gettimeofday(&tv, NULL);
234 246
@@ -238,32 +250,34 @@ int ssh_connect(mp_check *overall, char *haddr, int hport, char *desired_remote_
238 mp_subcheck connection_sc = mp_subcheck_init(); 250 mp_subcheck connection_sc = mp_subcheck_init();
239 if (result != STATE_OK) { 251 if (result != STATE_OK) {
240 connection_sc = mp_set_subcheck_state(connection_sc, STATE_CRITICAL); 252 connection_sc = mp_set_subcheck_state(connection_sc, STATE_CRITICAL);
241 xasprintf(&connection_sc.output, "Failed to establish TCP connection to Host %s and Port %d", haddr, hport); 253 xasprintf(&connection_sc.output,
254 "Failed to establish TCP connection to Host %s and Port %d", haddr, hport);
242 mp_add_subcheck_to_check(overall, connection_sc); 255 mp_add_subcheck_to_check(overall, connection_sc);
243 return result; 256 return result;
244 } 257 }
245 258
246 char *output = (char *)calloc(BUFF_SZ + 1, sizeof(char)); 259 char *output = (char *)calloc(BUFF_SZ + 1, sizeof(char));
247 char *buffer = NULL; 260 char *buffer = NULL;
248 size_t recv_ret = 0; 261 ssize_t recv_ret = 0;
249 char *version_control_string = NULL; 262 char *version_control_string = NULL;
250 size_t byte_offset = 0; 263 size_t byte_offset = 0;
251 while ((version_control_string == NULL) && 264 while ((version_control_string == NULL) &&
252 (recv_ret = recv(socket, output + byte_offset, (unsigned long)(BUFF_SZ - byte_offset), 0) > 0)) { 265 (recv_ret = recv(socket, output + byte_offset, (unsigned long)(BUFF_SZ - byte_offset),
266 0) > 0)) {
253 267
254 if (strchr(output, '\n')) { /* we've got at least one full line, start parsing*/ 268 if (strchr(output, '\n')) { /* we've got at least one full line, start parsing*/
255 byte_offset = 0; 269 byte_offset = 0;
256 270
257 char *index = NULL; 271 char *index = NULL;
258 unsigned long len = 0;
259 while ((index = strchr(output + byte_offset, '\n')) != NULL) { 272 while ((index = strchr(output + byte_offset, '\n')) != NULL) {
260 /*Partition the buffer so that this line is a separate string, 273 /*Partition the buffer so that this line is a separate string,
261 * by replacing the newline with NUL*/ 274 * by replacing the newline with NUL*/
262 output[(index - output)] = '\0'; 275 output[(index - output)] = '\0';
263 len = strlen(output + byte_offset); 276 size_t len = strlen(output + byte_offset);
264 277
265 if ((len >= 4) && (strncmp(output + byte_offset, "SSH-", 4) == 0)) { 278 if ((len >= 4) && (strncmp(output + byte_offset, "SSH-", 4) == 0)) {
266 /*if the string starts with SSH-, this _should_ be a valid version control string*/ 279 /*if the string starts with SSH-, this _should_ be a valid version control
280 * string*/
267 version_control_string = output + byte_offset; 281 version_control_string = output + byte_offset;
268 break; 282 break;
269 } 283 }
@@ -273,21 +287,23 @@ int ssh_connect(mp_check *overall, char *haddr, int hport, char *desired_remote_
273 } 287 }
274 288
275 if (version_control_string == NULL) { 289 if (version_control_string == NULL) {
276 /* move unconsumed data to beginning of buffer, null rest */ 290 /* move unconsumed data to beginning of buffer */
277 memmove((void *)output, (void *)(output + byte_offset + 1), BUFF_SZ - len + 1); 291 memmove((void *)output, (void *)(output + byte_offset), BUFF_SZ - byte_offset);
278 memset(output + byte_offset + 1, 0, BUFF_SZ - byte_offset + 1);
279 292
280 /*start reading from end of current line chunk on next recv*/ 293 /*start reading from end of current line chunk on next recv*/
281 byte_offset = strlen(output); 294 byte_offset = strlen(output);
295
296 /* NUL the rest of the buffer */
297 memset(output + byte_offset, 0, BUFF_SZ - byte_offset);
282 } 298 }
283 } else { 299 } else {
284 byte_offset += recv_ret; 300 byte_offset += (size_t)recv_ret;
285 } 301 }
286 } 302 }
287 303
288 if (recv_ret < 0) { 304 if (recv_ret < 0) {
289 connection_sc = mp_set_subcheck_state(connection_sc, STATE_CRITICAL); 305 connection_sc = mp_set_subcheck_state(connection_sc, STATE_CRITICAL);
290 xasprintf(&connection_sc.output, "%s", "SSH CRITICAL - %s", strerror(errno)); 306 xasprintf(&connection_sc.output, "%s - %s", "SSH CRITICAL - ", strerror(errno));
291 mp_add_subcheck_to_check(overall, connection_sc); 307 mp_add_subcheck_to_check(overall, connection_sc);
292 return OK; 308 return OK;
293 } 309 }
@@ -333,7 +349,8 @@ int ssh_connect(mp_check *overall, char *haddr, int hport, char *desired_remote_
333 * "1.x" (e.g., "1.5" or "1.3")." 349 * "1.x" (e.g., "1.5" or "1.3")."
334 * - RFC 4253:5 350 * - RFC 4253:5
335 */ 351 */
336 char *ssh_server = ssh_proto + strspn(ssh_proto, "0123456789.") + 1; /* (+1 for the '-' separating protoversion from softwareversion) */ 352 char *ssh_server = ssh_proto + strspn(ssh_proto, "0123456789.") +
353 1; /* (+1 for the '-' separating protoversion from softwareversion) */
337 354
338 /* If there's a space in the version string, whatever's after the space is a comment 355 /* If there's a space in the version string, whatever's after the space is a comment
339 * (which is NOT part of the server name/version)*/ 356 * (which is NOT part of the server name/version)*/
@@ -345,13 +362,15 @@ int ssh_connect(mp_check *overall, char *haddr, int hport, char *desired_remote_
345 mp_subcheck protocol_validity_sc = mp_subcheck_init(); 362 mp_subcheck protocol_validity_sc = mp_subcheck_init();
346 if (strlen(ssh_proto) == 0 || strlen(ssh_server) == 0) { 363 if (strlen(ssh_proto) == 0 || strlen(ssh_server) == 0) {
347 protocol_validity_sc = mp_set_subcheck_state(protocol_validity_sc, STATE_CRITICAL); 364 protocol_validity_sc = mp_set_subcheck_state(protocol_validity_sc, STATE_CRITICAL);
348 xasprintf(&protocol_validity_sc.output, "Invalid protocol version control string %s", version_control_string); 365 xasprintf(&protocol_validity_sc.output, "Invalid protocol version control string %s",
366 version_control_string);
349 mp_add_subcheck_to_check(overall, protocol_validity_sc); 367 mp_add_subcheck_to_check(overall, protocol_validity_sc);
350 return OK; 368 return OK;
351 } 369 }
352 370
353 protocol_validity_sc = mp_set_subcheck_state(protocol_validity_sc, STATE_OK); 371 protocol_validity_sc = mp_set_subcheck_state(protocol_validity_sc, STATE_OK);
354 xasprintf(&protocol_validity_sc.output, "Valid protocol version control string %s", version_control_string); 372 xasprintf(&protocol_validity_sc.output, "Valid protocol version control string %s",
373 version_control_string);
355 mp_add_subcheck_to_check(overall, protocol_validity_sc); 374 mp_add_subcheck_to_check(overall, protocol_validity_sc);
356 375
357 ssh_proto[strspn(ssh_proto, "0123456789. ")] = 0; 376 ssh_proto[strspn(ssh_proto, "0123456789. ")] = 0;
@@ -366,8 +385,8 @@ int ssh_connect(mp_check *overall, char *haddr, int hport, char *desired_remote_
366 if (desired_remote_version && strcmp(desired_remote_version, ssh_server)) { 385 if (desired_remote_version && strcmp(desired_remote_version, ssh_server)) {
367 mp_subcheck remote_version_sc = mp_subcheck_init(); 386 mp_subcheck remote_version_sc = mp_subcheck_init();
368 remote_version_sc = mp_set_subcheck_state(remote_version_sc, STATE_CRITICAL); 387 remote_version_sc = mp_set_subcheck_state(remote_version_sc, STATE_CRITICAL);
369 xasprintf(&remote_version_sc.output, _("%s (protocol %s) version mismatch, expected '%s'"), ssh_server, ssh_proto, 388 xasprintf(&remote_version_sc.output, _("%s (protocol %s) version mismatch, expected '%s'"),
370 desired_remote_version); 389 ssh_server, ssh_proto, desired_remote_version);
371 close(socket); 390 close(socket);
372 mp_add_subcheck_to_check(overall, remote_version_sc); 391 mp_add_subcheck_to_check(overall, remote_version_sc);
373 return OK; 392 return OK;
@@ -385,11 +404,13 @@ int ssh_connect(mp_check *overall, char *haddr, int hport, char *desired_remote_
385 404
386 if (desired_remote_protocol && strcmp(desired_remote_protocol, ssh_proto)) { 405 if (desired_remote_protocol && strcmp(desired_remote_protocol, ssh_proto)) {
387 protocol_version_sc = mp_set_subcheck_state(protocol_version_sc, STATE_CRITICAL); 406 protocol_version_sc = mp_set_subcheck_state(protocol_version_sc, STATE_CRITICAL);
388 xasprintf(&protocol_version_sc.output, _("%s (protocol %s) protocol version mismatch, expected '%s'"), ssh_server, ssh_proto, 407 xasprintf(&protocol_version_sc.output,
389 desired_remote_protocol); 408 _("%s (protocol %s) protocol version mismatch, expected '%s'"), ssh_server,
409 ssh_proto, desired_remote_protocol);
390 } else { 410 } else {
391 protocol_version_sc = mp_set_subcheck_state(protocol_version_sc, STATE_OK); 411 protocol_version_sc = mp_set_subcheck_state(protocol_version_sc, STATE_OK);
392 xasprintf(&protocol_version_sc.output, "SSH server version: %s (protocol version: %s)", ssh_server, ssh_proto); 412 xasprintf(&protocol_version_sc.output, "SSH server version: %s (protocol version: %s)",
413 ssh_server, ssh_proto);
393 } 414 }
394 415
395 mp_add_subcheck_to_check(overall, protocol_version_sc); 416 mp_add_subcheck_to_check(overall, protocol_version_sc);
@@ -422,7 +443,8 @@ void print_help(void) {
422 printf(UT_CONN_TIMEOUT, DEFAULT_SOCKET_TIMEOUT); 443 printf(UT_CONN_TIMEOUT, DEFAULT_SOCKET_TIMEOUT);
423 444
424 printf(" %s\n", "-r, --remote-version=STRING"); 445 printf(" %s\n", "-r, --remote-version=STRING");
425 printf(" %s\n", _("Alert if string doesn't match expected server version (ex: OpenSSH_3.9p1)")); 446 printf(" %s\n",
447 _("Alert if string doesn't match expected server version (ex: OpenSSH_3.9p1)"));
426 448
427 printf(" %s\n", "-P, --remote-protocol=STRING"); 449 printf(" %s\n", "-P, --remote-protocol=STRING");
428 printf(" %s\n", _("Alert if protocol doesn't match expected protocol version (ex: 2.0)")); 450 printf(" %s\n", _("Alert if protocol doesn't match expected protocol version (ex: 2.0)"));
@@ -435,5 +457,6 @@ void print_help(void) {
435 457
436void print_usage(void) { 458void print_usage(void) {
437 printf("%s\n", _("Usage:")); 459 printf("%s\n", _("Usage:"));
438 printf("%s [-4|-6] [-t <timeout>] [-r <remote version>] [-p <port>] --hostname <host>\n", progname); 460 printf("%s [-4|-6] [-t <timeout>] [-r <remote version>] [-p <port>] --hostname <host>\n",
461 progname);
439} 462}
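Review bot: The recv() condition in the read loop at new lines 264–266 still stores the comparison result rather than the byte count: `=` binds looser than `>`, so `recv_ret = recv(...) > 0` leaves recv_ret as 0 or 1, and switching it to `ssize_t` does not change that. As a result `byte_offset += (size_t)recv_ret` on line 300 advances the write position by one byte per partial read, garbling a banner that arrives in several segments, and the `recv_ret < 0` test on line 304 can never be true, so the strerror() branch is dead code. Parenthesize the assignment: `(recv_ret = recv(socket, output + byte_offset, BUFF_SZ - byte_offset, 0)) > 0`. The rewritten message on line 306 also yields a doubled separator, `SSH CRITICAL -  - <error>`; use `"%s%s"` or drop the trailing ` - ` from the literal. ssh_connect's body continues past both ends of this hunk.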