Say "hi" to the latest in the OpenSSH series, version 2.9!

Happy birthday to:	rwatson

1 files changed, 311 insertions, 212 deletions

diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c
index f671726..b9a56c9 100644
--- a/crypto/openssh/ssh.c
+++ b/crypto/openssh/ssh.c
@@ -39,25 +39,35 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.69 2000/10/27 07:32:19 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.116 2001/04/17 12:55:04 markus Exp $");
 
 #include <openssl/evp.h>
-#include <openssl/dsa.h>
-#include <openssl/rsa.h>
+#include <openssl/err.h>
 
-#include "xmalloc.h"
 #include "ssh.h"
+#include "ssh1.h"
+#include "ssh2.h"
+#include "compat.h"
+#include "cipher.h"
+#include "xmalloc.h"
 #include "packet.h"
 #include "buffer.h"
-#include "readconf.h"
 #include "uidswap.h"
-
-#include "ssh2.h"
-#include "compat.h"
 #include "channels.h"
 #include "key.h"
 #include "authfd.h"
 #include "authfile.h"
+#include "pathnames.h"
+#include "clientloop.h"
+#include "log.h"
+#include "readconf.h"
+#include "sshconnect.h"
+#include "tildexpand.h"
+#include "dispatch.h"
+#include "misc.h"
+#include "kex.h"
+#include "mac.h"
+#include "sshtty.h"
 
 extern char *__progname;
 
@@ -70,10 +80,11 @@ int debug_flag = 0;
 
 /* Flag indicating whether a tty should be allocated */
 int tty_flag = 0;
+int no_tty_flag = 0;
+int force_tty_flag = 0;
 
 /* don't exec a shell */
 int no_shell_flag = 0;
-int no_tty_flag = 0;
 
 /*
  * Flag indicating that nothing should be read from stdin.  This can be set
@@ -112,14 +123,11 @@ struct sockaddr_storage hostaddr;
  */
 volatile int received_window_change_signal = 0;
 
-/* Value of argv[0] (set in the main program). */
-char *av0;
-
-/* Flag indicating whether we have a valid host private key loaded. */
-int host_private_key_loaded = 0;
-
-/* Host private key. */
-RSA *host_private_key = NULL;
+/* Private host keys. */
+struct {
+	Key     **keys;
+	int	nkeys;
+} sensitive_data;
 
 /* Original real UID. */
 uid_t original_real_uid;
@@ -127,23 +135,27 @@ uid_t original_real_uid;
 /* command to be executed */
 Buffer command;
 
+/* Should we execute a command or invoke a subsystem? */
+int subsystem_flag = 0;
+
 /* Prints a help message to the user.  This function never returns. */
 
 void
-usage()
+usage(void)
 {
-	fprintf(stderr, "Usage: %s [options] host [command]\n", av0);
+	fprintf(stderr, "Usage: %s [options] host [command]\n", __progname);
 	fprintf(stderr, "Options:\n");
 	fprintf(stderr, "  -l user     Log in using this user name.\n");
-	fprintf(stderr, "  -n          Redirect input from /dev/null.\n");
+	fprintf(stderr, "  -n          Redirect input from " _PATH_DEVNULL ".\n");
 	fprintf(stderr, "  -A          Enable authentication agent forwarding.\n");
 	fprintf(stderr, "  -a          Disable authentication agent forwarding.\n");
 #ifdef AFS
 	fprintf(stderr, "  -k          Disable Kerberos ticket and AFS token forwarding.\n");
 #endif				/* AFS */
-        fprintf(stderr, "  -X          Enable X11 connection forwarding.\n");
+	fprintf(stderr, "  -X          Enable X11 connection forwarding.\n");
 	fprintf(stderr, "  -x          Disable X11 connection forwarding.\n");
-	fprintf(stderr, "  -i file     Identity for RSA authentication (default: ~/.ssh/identity).\n");
+	fprintf(stderr, "  -i file     Identity for public key authentication "
+	    "(default: ~/.ssh/identity)\n");
 	fprintf(stderr, "  -t          Tty; allocate a tty even if command is given.\n");
 	fprintf(stderr, "  -T          Do not allocate a tty.\n");
 	fprintf(stderr, "  -v          Verbose; display verbose debugging messages.\n");
@@ -155,20 +167,22 @@ usage()
 	fprintf(stderr, "  -e char     Set escape character; ``none'' = disable (default: ~).\n");
 
 	fprintf(stderr, "  -c cipher   Select encryption algorithm: "
-			"``3des'', "
-			"``blowfish''\n");
+	    "``3des'', ``blowfish''\n");
+	fprintf(stderr, "  -m macs     Specify MAC algorithms for protocol version 2.\n");
 	fprintf(stderr, "  -p port     Connect to this port.  Server must be on the same port.\n");
 	fprintf(stderr, "  -L listen-port:host:port   Forward local port to remote address\n");
 	fprintf(stderr, "  -R listen-port:host:port   Forward remote port to local address\n");
-	fprintf(stderr, "              These cause %s to listen for connections on a port, and\n", av0);
+	fprintf(stderr, "              These cause %s to listen for connections on a port, and\n", __progname);
 	fprintf(stderr, "              forward them to the other side by connecting to host:port.\n");
 	fprintf(stderr, "  -C          Enable compression.\n");
 	fprintf(stderr, "  -N          Do not execute a shell or command.\n");
 	fprintf(stderr, "  -g          Allow remote hosts to connect to forwarded ports.\n");
+	fprintf(stderr, "  -1          Force protocol version 1.\n");
+	fprintf(stderr, "  -2          Force protocol version 2.\n");
 	fprintf(stderr, "  -4          Use IPv4 only.\n");
 	fprintf(stderr, "  -6          Use IPv6 only.\n");
-	fprintf(stderr, "  -2          Force protocol version 2.\n");
 	fprintf(stderr, "  -o 'option' Process the option as if it was read from a configuration file.\n");
+	fprintf(stderr, "  -s          Invoke command (mandatory) as SSH2 subsystem.\n");
 	exit(1);
 }
 
@@ -210,8 +224,9 @@ rsh_connect(char *host, char *user, Buffer * command)
 	exit(1);
 }
 
-int ssh_session(void);
-int ssh_session2(void);
+int	ssh_session(void);
+int	ssh_session2(void);
+void	load_public_identity_files(void);
 
 /*
  * Main program for the ssh client.
@@ -223,7 +238,7 @@ main(int ac, char **av)
 	u_short fwd_port, fwd_host_port;
 	char *optarg, *cp, buf[256];
 	struct stat st;
-	struct passwd *pw, pwcopy;
+	struct passwd *pw;
 	int dummy;
 	uid_t original_effective_uid;
 
@@ -241,6 +256,15 @@ main(int ac, char **av)
 		if (setrlimit(RLIMIT_CORE, &rlim) < 0)
 			fatal("setrlimit failed: %.100s", strerror(errno));
 	}
+	/* Get user data. */
+	pw = getpwuid(original_real_uid);
+	if (!pw) {
+		log("You don't exist, go away!");
+		exit(1);
+	}
+	/* Take a copy of the returned structure. */
+	pw = pwcopy(pw);
+
 	/*
 	 * Use uid-swapping to give up root privileges for the duration of
 	 * option processing.  We will re-instantiate the rights when we are
@@ -248,7 +272,7 @@ main(int ac, char **av)
 	 * them when the port has been created (actually, when the connection
 	 * has been made, as we may need to create the port several times).
 	 */
-	temporarily_use_uid(original_real_uid);
+	temporarily_use_uid(pw);
 
 	/*
 	 * Set our umask to something reasonable, as some files are created
@@ -258,24 +282,12 @@ main(int ac, char **av)
 	 */
 	umask(022);
 
-	/* Save our own name. */
-	av0 = av[0];
-
 	/* Initialize option structure to indicate that no values have been set. */
 	initialize_options(&options);
 
 	/* Parse command-line arguments. */
 	host = NULL;
 
-	/* If program name is not one of the standard names, use it as host name. */
-	if (strchr(av0, '/'))
-		cp = strrchr(av0, '/') + 1;
-	else
-		cp = av0;
-	if (strcmp(cp, "rsh") && strcmp(cp, "ssh") && strcmp(cp, "rlogin") &&
-	    strcmp(cp, "slogin") && strcmp(cp, "remsh"))
-		host = cp;
-
 	for (optind = 1; optind < ac; optind++) {
 		if (av[optind][0] != '-') {
 			if (host)
@@ -293,7 +305,7 @@ main(int ac, char **av)
 		opt = av[optind][1];
 		if (!opt)
 			usage();
-		if (strchr("eilcpLRo", opt)) {	/* options with arguments */
+		if (strchr("eilcmpLRDo", opt)) {   /* options with arguments */
 			optarg = av[optind] + 2;
 			if (strcmp(optarg, "") == 0) {
 				if (optind >= ac - 1)
@@ -306,6 +318,9 @@ main(int ac, char **av)
 			optarg = NULL;
 		}
 		switch (opt) {
+		case '1':
+			options.protocol = SSH_PROTO_1;
+			break;
 		case '2':
 			options.protocol = SSH_PROTO_2;
 			break;
@@ -349,16 +364,17 @@ main(int ac, char **av)
 		case 'i':
 			if (stat(optarg, &st) < 0) {
 				fprintf(stderr, "Warning: Identity file %s does not exist.\n",
-					optarg);
+				    optarg);
 				break;
 			}
 			if (options.num_identity_files >= SSH_MAX_IDENTITY_FILES)
 				fatal("Too many identity files specified (max %d)",
-				      SSH_MAX_IDENTITY_FILES);
-			options.identity_files[options.num_identity_files++] =
-				xstrdup(optarg);
+				    SSH_MAX_IDENTITY_FILES);
+			options.identity_files[options.num_identity_files++] = xstrdup(optarg);
 			break;
 		case 't':
+			if (tty_flag)
+				force_tty_flag = 1;
 			tty_flag = 1;
 			break;
 		case 'v':
@@ -369,15 +385,16 @@ main(int ac, char **av)
 				options.log_level++;
 				break;
 			} else {
-				fatal("Too high debugging level.\n");
+				fatal("Too high debugging level.");
 			}
 			/* fallthrough */
 		case 'V':
-			fprintf(stderr, "SSH Version %s, protocol versions %d.%d/%d.%d.\n",
+			fprintf(stderr,
+			    "%s, SSH protocols %d.%d/%d.%d, OpenSSL 0x%8.8lx\n",
 			    SSH_VERSION,
 			    PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1,
-			    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2);
-			fprintf(stderr, "Compiled with SSL (0x%8.8lx).\n", SSLeay());
+			    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
+			    SSLeay());
 			if (opt == 'V')
 				exit(0);
 			break;
@@ -386,10 +403,10 @@ main(int ac, char **av)
 			break;
 		case 'e':
 			if (optarg[0] == '^' && optarg[2] == 0 &&
-			    (unsigned char) optarg[1] >= 64 && (unsigned char) optarg[1] < 128)
-				options.escape_char = (unsigned char) optarg[1] & 31;
+			    (u_char) optarg[1] >= 64 && (u_char) optarg[1] < 128)
+				options.escape_char = (u_char) optarg[1] & 31;
 			else if (strlen(optarg) == 1)
-				options.escape_char = (unsigned char) optarg[0];
+				options.escape_char = (u_char) optarg[0];
 			else if (strcmp(optarg, "none") == 0)
 				options.escape_char = -2;
 			else {
@@ -404,16 +421,34 @@ main(int ac, char **av)
 				options.cipher = SSH_CIPHER_ILLEGAL;
 			} else {
 				/* SSH1 only */
-				Cipher *c = cipher_by_name(optarg);
-				if (c == NULL || c->number < 0) {
+				options.cipher = cipher_number(optarg);
+				if (options.cipher == -1) {
 					fprintf(stderr, "Unknown cipher type '%s'\n", optarg);
 					exit(1);
 				}
-				options.cipher = c->number;
+				if (options.cipher == SSH_CIPHER_3DES) {
+					options.ciphers = "3des-cbc";
+				} else if (options.cipher == SSH_CIPHER_BLOWFISH) {
+					options.ciphers = "blowfish-cbc";
+				} else {
+					options.ciphers = (char *)-1;
+				}
+			}
+			break;
+		case 'm':
+			if (mac_valid(optarg))
+				options.macs = xstrdup(optarg);
+			else {
+				fprintf(stderr, "Unknown mac type '%s'\n", optarg);
+				exit(1);
 			}
 			break;
 		case 'p':
-			options.port = atoi(optarg);
+			options.port = a2port(optarg);
+			if (options.port == 0) {
+				fprintf(stderr, "Bad port '%s'\n", optarg);
+				exit(1);
+			}
 			break;
 		case 'l':
 			options.user = optarg;
@@ -440,6 +475,16 @@ main(int ac, char **av)
 			}
 			add_local_forward(&options, fwd_port, buf, fwd_host_port);
 			break;
+
+		case 'D':
+			fwd_port = a2port(optarg);
+			if (fwd_port == 0) {
+				fprintf(stderr, "Bad dynamic port '%s'\n", optarg);
+				exit(1);
+			}
+			add_local_forward(&options, fwd_port, "socks4", 0);
+			break;
+
 		case 'C':
 			options.compression = 1;
 			break;
@@ -456,6 +501,9 @@ main(int ac, char **av)
 					 "command-line", 0, &dummy) != 0)
 				exit(1);
 			break;
+		case 's':
+			subsystem_flag = 1;
+			break;
 		default:
 			usage();
 		}
@@ -466,6 +514,7 @@ main(int ac, char **av)
 		usage();
 
 	SSLeay_add_all_algorithms();
+	ERR_load_crypto_strings();
 
 	/* Initialize the command to execute on remote host. */
 	buffer_init(&command);
@@ -478,6 +527,10 @@ main(int ac, char **av)
 	if (optind == ac) {
 		/* No command specified - execute shell on a tty. */
 		tty_flag = 1;
+		if (subsystem_flag) {
+			fprintf(stderr, "You must specify a subsystem to invoke.\n");
+			usage();
+		}
 	} else {
 		/* A command has been specified.  Store it into the
 		   buffer. */
@@ -496,63 +549,35 @@ main(int ac, char **av)
 	if (buffer_len(&command) == 0)
 		tty_flag = 1;
 
+	/* Force no tty*/
+	if (no_tty_flag)
+		tty_flag = 0;
 	/* Do not allocate a tty if stdin is not a tty. */
-	if (!isatty(fileno(stdin))) {
+	if (!isatty(fileno(stdin)) && !force_tty_flag) {
 		if (tty_flag)
-			fprintf(stderr, "Pseudo-terminal will not be allocated because stdin is not a terminal.\n");
+			log("Pseudo-terminal will not be allocated because stdin is not a terminal.");
 		tty_flag = 0;
 	}
-	/* force */
-	if (no_tty_flag)
-		tty_flag = 0;
 
-	/* Get user data. */
-	pw = getpwuid(original_real_uid);
-	if (!pw) {
-		fprintf(stderr, "You don't exist, go away!\n");
-		exit(1);
-	}
-	/* Take a copy of the returned structure. */
-	memset(&pwcopy, 0, sizeof(pwcopy));
-	pwcopy.pw_name = xstrdup(pw->pw_name);
-	pwcopy.pw_passwd = xstrdup(pw->pw_passwd);
-	pwcopy.pw_uid = pw->pw_uid;
-	pwcopy.pw_gid = pw->pw_gid;
-	pwcopy.pw_class = xstrdup(pw->pw_class);
-	pwcopy.pw_dir = xstrdup(pw->pw_dir);
-	pwcopy.pw_shell = xstrdup(pw->pw_shell);
-	pw = &pwcopy;
-
-	/* Initialize "log" output.  Since we are the client all output
-	   actually goes to the terminal. */
-	log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 0);
+	/*
+	 * Initialize "log" output.  Since we are the client all output
+	 * actually goes to stderr.
+	 */
+	log_init(av[0], options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level,
+	    SYSLOG_FACILITY_USER, 1);
 
 	/* Read per-user configuration file. */
-	snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, SSH_USER_CONFFILE);
+	snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, _PATH_SSH_USER_CONFFILE);
 	read_config_file(buf, host, &options);
 
 	/* Read systemwide configuration file. */
-	read_config_file(HOST_CONFIG_FILE, host, &options);
+	read_config_file(_PATH_HOST_CONFIG_FILE, host, &options);
 
 	/* Fill configuration defaults. */
 	fill_default_options(&options);
 
 	/* reinit */
-	log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 0);
-
-	/* check if RSA support exists */
-	if ((options.protocol & SSH_PROTO_1) &&
-	    rsa_alive() == 0) {
-		log("%s: no RSA support in libssl and libcrypto.  See ssl(8).",
-		    __progname);
-		log("Disabling protocol version 1");
-		options.protocol &= ~ (SSH_PROTO_1|SSH_PROTO_1_PREFERRED);
-	}
-	if (! options.protocol & (SSH_PROTO_1|SSH_PROTO_2)) {
-		fprintf(stderr, "%s: No protocol version available.\n",
-		    __progname);
- 		exit(1);
-	}
+	log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1);
 
 	if (options.user == NULL)
 		options.user = xstrdup(pw->pw_name);
@@ -562,8 +587,9 @@ main(int ac, char **av)
 
 	/* Disable rhosts authentication if not running as root. */
 	if (original_effective_uid != 0 || !options.use_privileged_port) {
+		debug("Rhosts Authentication disabled, "
+		    "originating port will not be trusted.");
 		options.rhosts_authentication = 0;
-		options.rhosts_rsa_authentication = 0;
 	}
 	/*
 	 * If using rsh has been selected, exec it now (without trying
@@ -577,7 +603,7 @@ main(int ac, char **av)
 		restore_uid();
 
 		/* Switch to the original uid permanently. */
-		permanently_set_uid(original_real_uid);
+		permanently_set_uid(pw);
 
 		/* Execute rsh. */
 		rsh_connect(host, options.user, &command);
@@ -586,17 +612,12 @@ main(int ac, char **av)
 	/* Restore our superuser privileges. */
 	restore_uid();
 
-	/*
-	 * Open a connection to the remote host.  This needs root privileges
-	 * if rhosts_{rsa_}authentication is enabled.
-	 */
+	/* Open a connection to the remote host. */
 
 	ok = ssh_connect(host, &hostaddr, options.port,
-			 options.connection_attempts,
-			 !options.rhosts_authentication &&
-			 !options.rhosts_rsa_authentication,
-			 original_real_uid,
-			 options.proxy_command);
+	    options.connection_attempts,
+	    original_effective_uid != 0 || !options.use_privileged_port,
+	    pw, options.proxy_command);
 
 	/*
 	 * If we successfully made the connection, load the host private key
@@ -604,13 +625,18 @@ main(int ac, char **av)
 	 * authentication. This must be done before releasing extra
 	 * privileges, because the file is only readable by root.
 	 */
-	if (ok && (options.protocol & SSH_PROTO_1)) {
-		Key k;
-		host_private_key = RSA_new();
-		k.type = KEY_RSA;
-		k.rsa = host_private_key;
-		if (load_private_key(HOST_KEY_FILE, "", &k, NULL))
-			host_private_key_loaded = 1;
+	sensitive_data.nkeys = 0;
+	sensitive_data.keys = NULL;
+	if (ok && (options.rhosts_rsa_authentication ||
+	    options.hostbased_authentication)) {
+		sensitive_data.nkeys = 3;
+		sensitive_data.keys = xmalloc(sensitive_data.nkeys*sizeof(Key));
+		sensitive_data.keys[0] = key_load_private_type(KEY_RSA1,
+		    _PATH_HOST_KEY_FILE, "", NULL);
+		sensitive_data.keys[1] = key_load_private_type(KEY_DSA,
+		    _PATH_HOST_DSA_KEY_FILE, "", NULL);
+		sensitive_data.keys[2] = key_load_private_type(KEY_RSA,
+		    _PATH_HOST_RSA_KEY_FILE, "", NULL);
 	}
 	/*
 	 * Get rid of any extra privileges that we may have.  We will no
@@ -627,13 +653,13 @@ main(int ac, char **av)
 	 * process, read the private hostkey and impersonate the host.
 	 * OpenBSD does not allow ptracing of setuid processes.
 	 */
-	permanently_set_uid(original_real_uid);
+	permanently_set_uid(pw);
 
 	/*
 	 * Now that we are back to our own permissions, create ~/.ssh
 	 * directory if it doesn\'t already exist.
 	 */
-	snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, SSH_USER_DIR);
+	snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, _PATH_SSH_USER_DIR);
 	if (stat(buf, &st) < 0)
 		if (mkdir(buf, 0700) < 0)
 			error("Could not create directory '%.200s'.", buf);
@@ -654,31 +680,36 @@ main(int ac, char **av)
 		}
 		exit(1);
 	}
-	/* Expand ~ in options.identity_files. */
-	/* XXX mem-leaks */
-	for (i = 0; i < options.num_identity_files; i++)
-		options.identity_files[i] =
-			tilde_expand_filename(options.identity_files[i], original_real_uid);
-	for (i = 0; i < options.num_identity_files2; i++)
-		options.identity_files2[i] =
-			tilde_expand_filename(options.identity_files2[i], original_real_uid);
+	/* load options.identity_files */
+	load_public_identity_files();
+
 	/* Expand ~ in known host file names. */
-	options.system_hostfile = tilde_expand_filename(options.system_hostfile,
-	    original_real_uid);
-	options.user_hostfile = tilde_expand_filename(options.user_hostfile,
-	    original_real_uid);
-	options.system_hostfile2 = tilde_expand_filename(options.system_hostfile2,
-	    original_real_uid);
-	options.user_hostfile2 = tilde_expand_filename(options.user_hostfile2,
-	    original_real_uid);
+	/* XXX mem-leaks: */
+	options.system_hostfile =
+	    tilde_expand_filename(options.system_hostfile, original_real_uid);
+	options.user_hostfile =
+	    tilde_expand_filename(options.user_hostfile, original_real_uid);
+	options.system_hostfile2 =
+	    tilde_expand_filename(options.system_hostfile2, original_real_uid);
+	options.user_hostfile2 =
+	    tilde_expand_filename(options.user_hostfile2, original_real_uid);
 
 	/* Log into the remote system.  This never returns if the login fails. */
-	ssh_login(host_private_key_loaded, host_private_key,
-		  host, (struct sockaddr *)&hostaddr, original_real_uid);
-
-	/* We no longer need the host private key.  Clear it now. */
-	if (host_private_key_loaded)
-		RSA_free(host_private_key);	/* Destroys contents safely */
+	ssh_login(sensitive_data.keys, sensitive_data.nkeys,
+	    host, (struct sockaddr *)&hostaddr, pw);
+
+	/* We no longer need the private host keys.  Clear them now. */
+	if (sensitive_data.nkeys != 0) {
+		for (i = 0; i < sensitive_data.nkeys; i++) {
+			if (sensitive_data.keys[i] != NULL) {
+				/* Destroys contents safely */
+				debug3("clear hostkey %d", i);
+				key_free(sensitive_data.keys[i]);
+				sensitive_data.keys[i] = NULL;
+			}
+		}
+		xfree(sensitive_data.keys);
+	}
 
 	exit_status = compat20 ? ssh_session2() : ssh_session();
 	packet_close();
@@ -694,7 +725,7 @@ x11_get_proto(char *proto, int proto_len, char *data, int data_len)
 
 	if (options.xauth_location) {
 		/* Try to get Xauthority information for the display. */
-		snprintf(line, sizeof line, "%.100s list %.200s 2>/dev/null",
+		snprintf(line, sizeof line, "%.100s list %.200s 2>" _PATH_DEVNULL,
 		    options.xauth_location, getenv("DISPLAY"));
 		f = popen(line, "r");
 		if (f && fgets(line, sizeof(line), f) &&
@@ -724,16 +755,61 @@ x11_get_proto(char *proto, int proto_len, char *data, int data_len)
 	}
 }
 
+void
+ssh_init_forwarding(void)
+{
+	int success = 0;
+	int i;
+
+	/* Initiate local TCP/IP port forwardings. */
+	for (i = 0; i < options.num_local_forwards; i++) {
+		debug("Connections to local port %d forwarded to remote address %.200s:%d",
+		    options.local_forwards[i].port,
+		    options.local_forwards[i].host,
+		    options.local_forwards[i].host_port);
+		success += channel_request_local_forwarding(
+		    options.local_forwards[i].port,
+		    options.local_forwards[i].host,
+		    options.local_forwards[i].host_port,
+		    options.gateway_ports);
+	}
+	if (i > 0 && success == 0)
+		error("Could not request local forwarding.");
+
+	/* Initiate remote TCP/IP port forwardings. */
+	for (i = 0; i < options.num_remote_forwards; i++) {
+		debug("Connections to remote port %d forwarded to local address %.200s:%d",
+		    options.remote_forwards[i].port,
+		    options.remote_forwards[i].host,
+		    options.remote_forwards[i].host_port);
+		channel_request_remote_forwarding(
+		    options.remote_forwards[i].port,
+		    options.remote_forwards[i].host,
+		    options.remote_forwards[i].host_port);
+	}
+}
+
+void
+check_agent_present(void)
+{
+	if (options.forward_agent) {
+		/* Clear agent forwarding if we don\'t have an agent. */
+		int authfd = ssh_get_authentication_socket();
+		if (authfd < 0)
+			options.forward_agent = 0;
+		else
+			ssh_close_authentication_socket(authfd);
+	}
+}
+
 int
 ssh_session(void)
 {
 	int type;
-	int i;
 	int plen;
 	int interactive = 0;
 	int have_tty = 0;
 	struct winsize ws;
-	int authfd;
 	char *cp;
 
 	/* Enable compression if requested. */
@@ -779,7 +855,7 @@ ssh_session(void)
 		packet_put_int(ws.ws_ypixel);
 
 		/* Store tty modes in the packet. */
-		tty_make_modes(fileno(stdin));
+		tty_make_modes(fileno(stdin), NULL);
 
 		/* Send the packet, and wait for it to leave. */
 		packet_send();
@@ -815,16 +891,11 @@ ssh_session(void)
 		}
 	}
 	/* Tell the packet module whether this is an interactive session. */
-	packet_set_interactive(interactive, options.keepalives);
-
-	/* Clear agent forwarding if we don\'t have an agent. */
-	authfd = ssh_get_authentication_socket();
-	if (authfd < 0)
-		options.forward_agent = 0;
-	else
-		ssh_close_authentication_socket(authfd);
+	packet_set_interactive(interactive);
 
 	/* Request authentication agent forwarding if appropriate. */
+	check_agent_present();
+
 	if (options.forward_agent) {
 		debug("Requesting authentication agent forwarding.");
 		auth_request_forwarding();
@@ -835,28 +906,9 @@ ssh_session(void)
 		if (type != SSH_SMSG_SUCCESS)
 			log("Warning: Remote host denied authentication agent forwarding.");
 	}
-	/* Initiate local TCP/IP port forwardings. */
-	for (i = 0; i < options.num_local_forwards; i++) {
-		debug("Connections to local port %d forwarded to remote address %.200s:%d",
-		      options.local_forwards[i].port,
-		      options.local_forwards[i].host,
-		      options.local_forwards[i].host_port);
-		channel_request_local_forwarding(options.local_forwards[i].port,
-						 options.local_forwards[i].host,
-						 options.local_forwards[i].host_port,
-						 options.gateway_ports);
-	}
 
-	/* Initiate remote TCP/IP port forwardings. */
-	for (i = 0; i < options.num_remote_forwards; i++) {
-		debug("Connections to remote port %d forwarded to local address %.200s:%d",
-		      options.remote_forwards[i].port,
-		      options.remote_forwards[i].host,
-		      options.remote_forwards[i].host_port);
-		channel_request_remote_forwarding(options.remote_forwards[i].port,
-						  options.remote_forwards[i].host,
-						  options.remote_forwards[i].host_port);
-	}
+	/* Initiate port forwardings. */
+	ssh_init_forwarding();
 
 	/* If requested, let ssh continue in the background. */
 	if (fork_after_authentication_flag)
@@ -888,32 +940,28 @@ ssh_session(void)
 }
 
 void
-init_local_fwd(void)
+client_subsystem_reply(int type, int plen, void *ctxt)
 {
-	int i;
-	/* Initiate local TCP/IP port forwardings. */
-	for (i = 0; i < options.num_local_forwards; i++) {
-		debug("Connections to local port %d forwarded to remote address %.200s:%d",
-		      options.local_forwards[i].port,
-		      options.local_forwards[i].host,
-		      options.local_forwards[i].host_port);
-		channel_request_local_forwarding(options.local_forwards[i].port,
-						 options.local_forwards[i].host,
-						 options.local_forwards[i].host_port,
-						 options.gateway_ports);
-	}
-}
+	int id, len;
 
-extern void client_set_session_ident(int id);
+	id = packet_get_int();
+	len = buffer_len(&command);
+	if (len > 900)
+		len = 900;
+	packet_done();
+	if (type == SSH2_MSG_CHANNEL_FAILURE)
+		fatal("Request for subsystem '%.*s' failed on channel %d",
+		    len, buffer_ptr(&command), id);
+}
 
 void
-client_init(int id, void *arg)
+ssh_session2_callback(int id, void *arg)
 {
 	int len;
-	debug("client_init id %d arg %d", id, (int)arg);
+	int interactive = 0;
+	struct termios tio;
 
-	if (no_shell_flag)
-		goto done;
+	debug("client_init id %d arg %ld", id, (long)arg);
 
 	if (tty_flag) {
 		struct winsize ws;
@@ -931,8 +979,10 @@ client_init(int id, void *arg)
 		packet_put_int(ws.ws_row);
 		packet_put_int(ws.ws_xpixel);
 		packet_put_int(ws.ws_ypixel);
-		packet_put_cstring("");		/* XXX: encode terminal modes */
+		tio = get_saved_tio();
+		tty_make_modes(/*ignored*/ 0, &tio);
 		packet_send();
+		interactive = 1;
 		/* XXX wait for reply */
 	}
 	if (options.forward_x11 &&
@@ -943,34 +993,51 @@ client_init(int id, void *arg)
 		/* Request forwarding with authentication spoofing. */
 		debug("Requesting X11 forwarding with authentication spoofing.");
 		x11_request_forwarding_with_spoofing(id, proto, data);
+		interactive = 1;
 		/* XXX wait for reply */
 	}
 
+	check_agent_present();
+	if (options.forward_agent) {
+		debug("Requesting authentication agent forwarding.");
+		channel_request_start(id, "auth-agent-req@openssh.com", 0);
+		packet_send();
+	}
+
 	len = buffer_len(&command);
 	if (len > 0) {
 		if (len > 900)
 			len = 900;
-		debug("Sending command: %.*s", len, buffer_ptr(&command));
-		channel_request_start(id, "exec", 0);
-		packet_put_string(buffer_ptr(&command), len);
+		if (subsystem_flag) {
+			debug("Sending subsystem: %.*s", len, buffer_ptr(&command));
+			channel_request_start(id, "subsystem", /*want reply*/ 1);
+			/* register callback for reply */
+			/* XXX we asume that client_loop has already been called */
+			dispatch_set(SSH2_MSG_CHANNEL_FAILURE, &client_subsystem_reply);
+			dispatch_set(SSH2_MSG_CHANNEL_SUCCESS, &client_subsystem_reply);
+		} else {
+			debug("Sending command: %.*s", len, buffer_ptr(&command));
+			channel_request_start(id, "exec", 0);
+		}
+		packet_put_string(buffer_ptr(&command), buffer_len(&command));
 		packet_send();
 	} else {
 		channel_request(id, "shell", 0);
 	}
 	/* channel_callback(id, SSH2_MSG_OPEN_CONFIGMATION, client_init, 0); */
-done:
+
 	/* register different callback, etc. XXX */
-	client_set_session_ident(id);
+	packet_set_interactive(interactive);
 }
 
 int
-ssh_session2(void)
+ssh_session2_command(void)
 {
-	int window, packetmax, id;
+	int id, window, packetmax;
 	int in, out, err;
 
 	if (stdin_null_flag) {
-		in = open("/dev/null", O_RDONLY);
+		in = open(_PATH_DEVNULL, O_RDONLY);
 	} else {
 		in = dup(STDIN_FILENO);
 	}
@@ -988,14 +1055,6 @@ ssh_session2(void)
 	if (!isatty(err))
 		set_nonblock(err);
 
-	/* should be pre-session */
-	init_local_fwd();
-	
-	/* If requested, let ssh continue in the background. */
-	if (fork_after_authentication_flag)
-		if (daemon(1, 1) < 0)
-			fatal("daemon() failed: %.200s", strerror(errno));
-
 	window = CHAN_SES_WINDOW_DEFAULT;
 	packetmax = CHAN_SES_PACKET_DEFAULT;
 	if (!tty_flag) {
@@ -1007,8 +1066,48 @@ ssh_session2(void)
 	    window, packetmax, CHAN_EXTENDED_WRITE,
 	    xstrdup("client-session"), /*nonblock*/0);
 
+debug("channel_new: %d", id);
+
 	channel_open(id);
-	channel_register_callback(id, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, client_init, (void *)0);
+	channel_register_callback(id, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION,
+	     ssh_session2_callback, (void *)0);
+
+	return id;
+}
+
+int
+ssh_session2(void)
+{
+	int id;
+
+	/* XXX should be pre-session */
+	ssh_init_forwarding();
+
+	id = no_shell_flag ? -1 : ssh_session2_command();
+
+	/* If requested, let ssh continue in the background. */
+	if (fork_after_authentication_flag)
+		if (daemon(1, 1) < 0)
+			fatal("daemon() failed: %.200s", strerror(errno));
 
 	return client_loop(tty_flag, tty_flag ? options.escape_char : -1, id);
 }
+
+void
+load_public_identity_files(void)
+{
+	char *filename;
+	Key *public;
+	int i;
+
+	for (i = 0; i < options.num_identity_files; i++) {
+		filename = tilde_expand_filename(options.identity_files[i],
+		    original_real_uid);
+		public = key_load_public(filename, NULL);
+		debug("identity file %s type %d", filename,
+		    public ? public->type : -1);
+		xfree(options.identity_files[i]);
+		options.identity_files[i] = filename;
+		options.identity_keys[i] = public;
+	}
+}