monitoring-plugins/monitoring-plugins-2.3.1-check_ssh.patch

From e56255ee2f2887551e15aba2410138238efab030 Mon Sep 17 00:00:00 2001
From: Anton Lofgren <alofgren@op5.com>
Date: Mon, 21 Oct 2013 08:18:30 +0200
Subject: [PATCH 1/4] check_ssh: properly parse a delayed version control
 string

This resolves an issue with SSH servers which do not respond with their
version control string as the first thing in the SSH protocol version
exchange phase after connection establishment.

This patch also makes sure that we disregard a potential comment in the
version exchange string to avoid nonsense mismatches. In the future, we
might want to add the capability to match against a user specified comment.

In addition, the patch largely improves the communication towards the
server, which adds better protocol adherence.

Of course, new test cases are added to support the trigger and guard
against regressions of the bugs solved by this patch.

This fixes op5#7945 (https://bugs.op5.com/view.php?id=7945)

Signed-off-by: Anton Lofgren <alofgren@op5.com>
---
 plugins/check_ssh.c   | 122 +++++++++++++++++++++++++++++-------------
 plugins/t/check_ssh.t |  97 ++++++++++++++++++++++++++-------
 2 files changed, 164 insertions(+), 55 deletions(-)

diff --git a/plugins/check_ssh.c b/plugins/check_ssh.c
index 3658965e5..fc2ceb78b 100644
--- a/plugins/check_ssh.c
+++ b/plugins/check_ssh.c
@@ -215,8 +215,13 @@ ssh_connect (char *haddr, int hport, char *remote_version, char *remote_protocol
 {
 	int sd;
 	int result;
+	int len = 0;
+	ssize_t byte_offset = 0;
+	ssize_t recv_ret = 0;
+	char *version_control_string = NULL;
 	char *output = NULL;
 	char *buffer = NULL;
+	char *tmp= NULL, *saveptr = NULL;
 	char *ssh_proto = NULL;
 	char *ssh_server = NULL;
 	static char *rev_no = VERSION;
@@ -231,51 +236,94 @@ ssh_connect (char *haddr, int hport, char *remote_version, char *remote_protocol
 		return result;
 
 	output = (char *) malloc (BUFF_SZ + 1);
-	memset (output, 0, BUFF_SZ + 1);
-	recv (sd, output, BUFF_SZ, 0);
-	if (strncmp (output, "SSH", 3)) {
-		printf (_("Server answer: %s"), output);
-		close(sd);
+	memset(output, 0, BUFF_SZ+1);
+	while (!version_control_string && (recv_ret = recv(sd, output+byte_offset, BUFF_SZ - byte_offset, 0)) > 0) {
+		if (strchr(output, '\n')) { /* we've got at least one full line, start parsing*/
+			byte_offset = 0;
+			while (strchr(output+byte_offset, '\n') != NULL) {
+				/*Partition the buffer so that this line is a separate string,
+				 * by replacing the newline with NUL*/
+				output[(strchr(output+byte_offset, '\n')-output)]= '\0';
+				len = strlen(output+byte_offset);
+				if (len >= 4) {
+					/*if the string starts with SSH-, this _should_ be a valid version control string*/
+					if (strncmp (output+byte_offset, "SSH-", 4) == 0) {
+						version_control_string = output+byte_offset;
+						break;
+					}
+				}
+
+				/*the start of the next line (if one exists) will be after the current one (+ NUL)*/
+				byte_offset+=len+1;
+			}
+			if(!version_control_string) {
+				/* move unconsumed data to beginning of buffer, null rest */
+				memmove((void *)output, (void *)output+byte_offset+1, BUFF_SZ - len+1);
+				memset(output+byte_offset+1, 0, BUFF_SZ-byte_offset+1);
+
+				/*start reading from end of current line chunk on next recv*/
+				byte_offset = strlen(output);
+			}
+		}
+		else {
+			byte_offset += recv_ret;
+		}
+	}
+	tmp = NULL;
+	if (recv_ret < 0) {
+		printf("SSH CRITICAL - %s", strerror(errno));
+		exit(STATE_CRITICAL);
+	}
+	if (!version_control_string) {
+		printf("SSH CRITICAL - No version control string received");
+		exit(STATE_CRITICAL);
+	}
+	strip (version_control_string);
+	if (verbose)
+		printf ("%s\n", version_control_string);
+	ssh_proto = version_control_string + 4;
+	ssh_server = ssh_proto + strspn (ssh_proto, "-0123456789.");
+
+	/* If there's a space in the version string, whatever's after the space is a comment
+	 * (which is NOT part of the server name/version)*/
+	tmp = strchr(ssh_server, ' ');
+	if (tmp) {
+		ssh_server[tmp - ssh_server] = '\0';
+	}
+	if (strlen(ssh_proto) == 0 || strlen(ssh_server) == 0) {
+		printf(_("SSH CRITICAL - Invalid protocol version control string %s\n"), version_control_string);
 		exit (STATE_CRITICAL);
 	}
-	else {
-		strip (output);
-		if (verbose)
-			printf ("%s\n", output);
-		ssh_proto = output + 4;
-		ssh_server = ssh_proto + strspn (ssh_proto, "-0123456789. ");
-		ssh_proto[strspn (ssh_proto, "0123456789. ")] = 0;
-
-		xasprintf (&buffer, "SSH-%s-check_ssh_%s\r\n", ssh_proto, rev_no);
-		send (sd, buffer, strlen (buffer), MSG_DONTWAIT);
-		if (verbose)
-			printf ("%s\n", buffer);
-
-		if (remote_version && strcmp(remote_version, ssh_server)) {
-			printf
-				(_("SSH CRITICAL - %s (protocol %s) version mismatch, expected '%s'\n"),
-				 ssh_server, ssh_proto, remote_version);
-			close(sd);
-			exit (STATE_CRITICAL);
-		}
+	ssh_proto[strspn (ssh_proto, "0123456789. ")] = 0;
 
-		if (remote_protocol && strcmp(remote_protocol, ssh_proto)) {
-			printf
-				(_("SSH CRITICAL - %s (protocol %s) protocol version mismatch, expected '%s'\n"),
-				 ssh_server, ssh_proto, remote_protocol);
-			close(sd);
-			exit (STATE_CRITICAL);
-		}
+	xasprintf (&buffer, "SSH-%s-check_ssh_%s\r\n", ssh_proto, rev_no);
+	send (sd, buffer, strlen (buffer), MSG_DONTWAIT);
+	if (verbose)
+		printf ("%s\n", buffer);
 
-		elapsed_time = (double)deltime(tv) / 1.0e6;
+	if (remote_version && strcmp(remote_version, ssh_server)) {
+		printf
+			(_("SSH CRITICAL - %s (protocol %s) version mismatch, expected '%s'\n"),
+			 ssh_server, ssh_proto, remote_version);
+		close(sd);
+		exit (STATE_CRITICAL);
+	}
 
+	if (remote_protocol && strcmp(remote_protocol, ssh_proto)) {
 		printf
-			(_("SSH OK - %s (protocol %s) | %s\n"),
-			 ssh_server, ssh_proto, fperfdata("time", elapsed_time, "s",
-			 FALSE, 0, FALSE, 0, TRUE, 0, TRUE, (int)socket_timeout));
+			(_("SSH CRITICAL - %s (protocol %s) protocol version mismatch, expected '%s'\n"),
+			 ssh_server, ssh_proto, remote_protocol);
 		close(sd);
-		exit (STATE_OK);
+		exit (STATE_CRITICAL);
 	}
+	elapsed_time = (double)deltime(tv) / 1.0e6;
+
+	printf
+		(_("SSH OK - %s (protocol %s) | %s\n"),
+		 ssh_server, ssh_proto, fperfdata("time", elapsed_time, "s",
+			 FALSE, 0, FALSE, 0, TRUE, 0, TRUE, (int)socket_timeout));
+	close(sd);
+	exit (STATE_OK);
 }
 
 
diff --git a/plugins/check_ssh.c b/plugins/check_ssh.c
index fc2ceb78b..7b576895f 100644
--- a/plugins/check_ssh.c
+++ b/plugins/check_ssh.c
@@ -278,11 +278,35 @@ ssh_connect (char *haddr, int hport, char *remote_version, char *remote_protocol
 		printf("SSH CRITICAL - No version control string received");
 		exit(STATE_CRITICAL);
 	}
+	/*
+	 * "When the connection has been established, both sides MUST send an
+	 * identification string.  This identification string MUST be
+	 *
+	 * SSH-protoversion-softwareversion SP comments CR LF"
+	 *		- RFC 4253:4.2
+	 */
 	strip (version_control_string);
 	if (verbose)
 		printf ("%s\n", version_control_string);
 	ssh_proto = version_control_string + 4;
-	ssh_server = ssh_proto + strspn (ssh_proto, "-0123456789.");
+
+	/*
+	 * We assume the protoversion is of the form Major.Minor, although
+	 * this is not _strictly_ required. See
+	 *
+	 * "Both the 'protoversion' and 'softwareversion' strings MUST consist of
+	 * printable US-ASCII characters, with the exception of whitespace
+	 * characters and the minus sign (-)"
+	 *		- RFC 4253:4.2
+	 * and,
+	 *
+	 * "As stated earlier, the 'protoversion' specified for this protocol is
+	 * "2.0".  Earlier versions of this protocol have not been formally
+	 * documented, but it is widely known that they use 'protoversion' of
+	 * "1.x" (e.g., "1.5" or "1.3")."
+	 *		- RFC 4253:5
+	 */
+	ssh_server = ssh_proto + strspn (ssh_proto, "0123456789.") + 1; /* (+1 for the '-' separating protoversion from softwareversion) */
 
 	/* If there's a space in the version string, whatever's after the space is a comment
 	 * (which is NOT part of the server name/version)*/


From 59bed139e84fd6342d4203ebebca28bf2f4dcc82 Mon Sep 17 00:00:00 2001
From: Anton Lofgren <alofgren@op5.com>
Date: Fri, 30 Jan 2015 10:52:20 +0100
Subject: [PATCH 4/4] check_ssh: Fix a typo in "remote-protocol parameter

remote-protcol -> remote-protocol

Signed-off-by: Anton Lofgren <alofgren@op5.com>
---
 plugins/check_ssh.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/check_ssh.c b/plugins/check_ssh.c
index 7b576895f..f12f34051 100644
--- a/plugins/check_ssh.c
+++ b/plugins/check_ssh.c
@@ -106,7 +106,7 @@ process_arguments (int argc, char **argv)
 		{"timeout", required_argument, 0, 't'},
 		{"verbose", no_argument, 0, 'v'},
 		{"remote-version", required_argument, 0, 'r'},
-		{"remote-protcol", required_argument, 0, 'P'},
+		{"remote-protocol", required_argument, 0, 'P'},
 		{0, 0, 0, 0}
 	};
- recommend syslog for monitoring-plugins-log, as people probably want to analize logs generated by (r)syslog or journald Renamed patches: - renamed monitoring-plugins-1.4.6-no_chown.patch to monitoring-plugins-1.4.6-Makefile_-_no_chown.patch to make it easier to detect the patched file - renamed monitoring-plugins-2.1.1-check_logfile.patch to monitoring-plugins-2.1.1-check_log_-_quoting.patch to make it easier to detect the patched file and reason for the patch New patches: - add monitoring-plugins-2.3.1-check_snmp_segfaults.patch: check_snmp will segfaults at line 489 if number of lines returned by SNMPD is greater than number of defined thresholds -> https://github.com/monitoring-plugins/monitoring-plugins/pull/1589 - added monitoring-plugins-2.3.1_-_check_snmp_hang_on_STDERR_workaround.patch: When the MIBs are not quite right, snmpget outputs lots of errors on STDERR before getting down to business. If this is enough to fill the pipe buffer, snmpget hangs waiting for it to be cleared, which it never will be because check_snmp is waiting for snmpget to output something on STDOUT. This simple fix from s2156945 for this is to read STDERR before STDOUT. cmd_run_array from utils_cmd.c is also used by plugins/check_by_ssh and plugins/negate but you're likely to get lots of errors or lots of output, not both at the same time. The real fix is probably to do a select() and read from both as they come in. https://github.com/monitoring-plugins/monitoring-plugins/issues/1706 - added monitoring-plugins-2.3.1-check_dhcp_-_detect_rogue_dhcp_servers.patch: feature enhancement from Patrick Cervicek for check_dhcp, which allows to detect rogue DHCP servers. Use it with the "-x" flag, example: OBS-URL: https://build.opensuse.org/package/show/server:monitoring/monitoring-plugins?expand=0&rev=90 2021-11-19 14:47:30 +01:00			`From e56255ee2f2887551e15aba2410138238efab030 Mon Sep 17 00:00:00 2001`
			`From: Anton Lofgren <alofgren@op5.com>`
			`Date: Mon, 21 Oct 2013 08:18:30 +0200`
			`Subject: [PATCH 1/4] check_ssh: properly parse a delayed version control`
			`string`

			`This resolves an issue with SSH servers which do not respond with their`
			`version control string as the first thing in the SSH protocol version`
			`exchange phase after connection establishment.`

			`This patch also makes sure that we disregard a potential comment in the`
			`version exchange string to avoid nonsense mismatches. In the future, we`
			`might want to add the capability to match against a user specified comment.`

			`In addition, the patch largely improves the communication towards the`
			`server, which adds better protocol adherence.`

			`Of course, new test cases are added to support the trigger and guard`
			`against regressions of the bugs solved by this patch.`

			`This fixes op5#7945 (https://bugs.op5.com/view.php?id=7945)`

			`Signed-off-by: Anton Lofgren <alofgren@op5.com>`
			`---`
			`plugins/check_ssh.c \| 122 +++++++++++++++++++++++++++++-------------`
			`plugins/t/check_ssh.t \| 97 ++++++++++++++++++++++++++-------`
			`2 files changed, 164 insertions(+), 55 deletions(-)`

			`diff --git a/plugins/check_ssh.c b/plugins/check_ssh.c`
			`index 3658965e5..fc2ceb78b 100644`
			`--- a/plugins/check_ssh.c`
			`+++ b/plugins/check_ssh.c`
			`@@ -215,8 +215,13 @@ ssh_connect (char haddr, int hport, char remote_version, char *remote_protocol`
			`{`
			`int sd;`
			`int result;`
			`+ int len = 0;`
			`+ ssize_t byte_offset = 0;`
			`+ ssize_t recv_ret = 0;`
			`+ char *version_control_string = NULL;`
			`char *output = NULL;`
			`char *buffer = NULL;`
			`+ char tmp= NULL, saveptr = NULL;`
			`char *ssh_proto = NULL;`
			`char *ssh_server = NULL;`
			`static char *rev_no = VERSION;`
			`@@ -231,51 +236,94 @@ ssh_connect (char haddr, int hport, char remote_version, char *remote_protocol`
			`return result;`

			`output = (char *) malloc (BUFF_SZ + 1);`
			`- memset (output, 0, BUFF_SZ + 1);`
			`- recv (sd, output, BUFF_SZ, 0);`
			`- if (strncmp (output, "SSH", 3)) {`
			`- printf (_("Server answer: %s"), output);`
			`- close(sd);`
			`+ memset(output, 0, BUFF_SZ+1);`
			`+ while (!version_control_string && (recv_ret = recv(sd, output+byte_offset, BUFF_SZ - byte_offset, 0)) > 0) {`
			`+ if (strchr(output, '\n')) { /* we've got at least one full line, start parsing*/`
			`+ byte_offset = 0;`
			`+ while (strchr(output+byte_offset, '\n') != NULL) {`
			`+ /*Partition the buffer so that this line is a separate string,`
			`+ * by replacing the newline with NUL*/`
			`+ output[(strchr(output+byte_offset, '\n')-output)]= '\0';`
			`+ len = strlen(output+byte_offset);`
			`+ if (len >= 4) {`
			`+ /if the string starts with SSH-, this _should_ be a valid version control string/`
			`+ if (strncmp (output+byte_offset, "SSH-", 4) == 0) {`
			`+ version_control_string = output+byte_offset;`
			`+ break;`
			`+ }`
			`+ }`
			`+`
			`+ /the start of the next line (if one exists) will be after the current one (+ NUL)/`
			`+ byte_offset+=len+1;`
			`+ }`
			`+ if(!version_control_string) {`
			`+ /* move unconsumed data to beginning of buffer, null rest */`
			`+ memmove((void )output, (void )output+byte_offset+1, BUFF_SZ - len+1);`
			`+ memset(output+byte_offset+1, 0, BUFF_SZ-byte_offset+1);`
			`+`
			`+ /start reading from end of current line chunk on next recv/`
			`+ byte_offset = strlen(output);`
			`+ }`
			`+ }`
			`+ else {`
			`+ byte_offset += recv_ret;`
			`+ }`
			`+ }`
			`+ tmp = NULL;`
			`+ if (recv_ret < 0) {`
			`+ printf("SSH CRITICAL - %s", strerror(errno));`
			`+ exit(STATE_CRITICAL);`
			`+ }`
			`+ if (!version_control_string) {`
			`+ printf("SSH CRITICAL - No version control string received");`
			`+ exit(STATE_CRITICAL);`
			`+ }`
			`+ strip (version_control_string);`
			`+ if (verbose)`
			`+ printf ("%s\n", version_control_string);`
			`+ ssh_proto = version_control_string + 4;`
			`+ ssh_server = ssh_proto + strspn (ssh_proto, "-0123456789.");`
			`+`
			`+ /* If there's a space in the version string, whatever's after the space is a comment`
			`+ * (which is NOT part of the server name/version)*/`
			`+ tmp = strchr(ssh_server, ' ');`
			`+ if (tmp) {`
			`+ ssh_server[tmp - ssh_server] = '\0';`
			`+ }`
			`+ if (strlen(ssh_proto) == 0 \|\| strlen(ssh_server) == 0) {`
			`+ printf(_("SSH CRITICAL - Invalid protocol version control string %s\n"), version_control_string);`
			`exit (STATE_CRITICAL);`
			`}`
			`- else {`
			`- strip (output);`
			`- if (verbose)`
			`- printf ("%s\n", output);`
			`- ssh_proto = output + 4;`
			`- ssh_server = ssh_proto + strspn (ssh_proto, "-0123456789. ");`
			`- ssh_proto[strspn (ssh_proto, "0123456789. ")] = 0;`
			`-`
			`- xasprintf (&buffer, "SSH-%s-check_ssh_%s\r\n", ssh_proto, rev_no);`
			`- send (sd, buffer, strlen (buffer), MSG_DONTWAIT);`
			`- if (verbose)`
			`- printf ("%s\n", buffer);`
			`-`
			`- if (remote_version && strcmp(remote_version, ssh_server)) {`
			`- printf`
			`- (_("SSH CRITICAL - %s (protocol %s) version mismatch, expected '%s'\n"),`
			`- ssh_server, ssh_proto, remote_version);`
			`- close(sd);`
			`- exit (STATE_CRITICAL);`
			`- }`
			`+ ssh_proto[strspn (ssh_proto, "0123456789. ")] = 0;`

			`- if (remote_protocol && strcmp(remote_protocol, ssh_proto)) {`
			`- printf`
			`- (_("SSH CRITICAL - %s (protocol %s) protocol version mismatch, expected '%s'\n"),`
			`- ssh_server, ssh_proto, remote_protocol);`
			`- close(sd);`
			`- exit (STATE_CRITICAL);`
			`- }`
			`+ xasprintf (&buffer, "SSH-%s-check_ssh_%s\r\n", ssh_proto, rev_no);`
			`+ send (sd, buffer, strlen (buffer), MSG_DONTWAIT);`
			`+ if (verbose)`
			`+ printf ("%s\n", buffer);`

			`- elapsed_time = (double)deltime(tv) / 1.0e6;`
			`+ if (remote_version && strcmp(remote_version, ssh_server)) {`
			`+ printf`
			`+ (_("SSH CRITICAL - %s (protocol %s) version mismatch, expected '%s'\n"),`
			`+ ssh_server, ssh_proto, remote_version);`
			`+ close(sd);`
			`+ exit (STATE_CRITICAL);`
			`+ }`

			`+ if (remote_protocol && strcmp(remote_protocol, ssh_proto)) {`
			`printf`
			`- (_("SSH OK - %s (protocol %s) \| %s\n"),`
			`- ssh_server, ssh_proto, fperfdata("time", elapsed_time, "s",`
			`- FALSE, 0, FALSE, 0, TRUE, 0, TRUE, (int)socket_timeout));`
			`+ (_("SSH CRITICAL - %s (protocol %s) protocol version mismatch, expected '%s'\n"),`
			`+ ssh_server, ssh_proto, remote_protocol);`
			`close(sd);`
			`- exit (STATE_OK);`
			`+ exit (STATE_CRITICAL);`
			`}`
			`+ elapsed_time = (double)deltime(tv) / 1.0e6;`
			`+`
			`+ printf`
			`+ (_("SSH OK - %s (protocol %s) \| %s\n"),`
			`+ ssh_server, ssh_proto, fperfdata("time", elapsed_time, "s",`
			`+ FALSE, 0, FALSE, 0, TRUE, 0, TRUE, (int)socket_timeout));`
			`+ close(sd);`
			`+ exit (STATE_OK);`
			`}`


			`diff --git a/plugins/check_ssh.c b/plugins/check_ssh.c`
			`index fc2ceb78b..7b576895f 100644`
			`--- a/plugins/check_ssh.c`
			`+++ b/plugins/check_ssh.c`
			`@@ -278,11 +278,35 @@ ssh_connect (char haddr, int hport, char remote_version, char *remote_protocol`
			`printf("SSH CRITICAL - No version control string received");`
			`exit(STATE_CRITICAL);`
			`}`
			`+ /*`
			`+ * "When the connection has been established, both sides MUST send an`
			`+ * identification string. This identification string MUST be`
			`+ *`
			`+ * SSH-protoversion-softwareversion SP comments CR LF"`
			`+ * - RFC 4253:4.2`
			`+ */`
			`strip (version_control_string);`
			`if (verbose)`
			`printf ("%s\n", version_control_string);`
			`ssh_proto = version_control_string + 4;`
			`- ssh_server = ssh_proto + strspn (ssh_proto, "-0123456789.");`
			`+`
			`+ /*`
			`+ * We assume the protoversion is of the form Major.Minor, although`
			`+ * this is not _strictly_ required. See`
			`+ *`
			`+ * "Both the 'protoversion' and 'softwareversion' strings MUST consist of`
			`+ * printable US-ASCII characters, with the exception of whitespace`
			`+ * characters and the minus sign (-)"`
			`+ * - RFC 4253:4.2`
			`+ * and,`
			`+ *`
			`+ * "As stated earlier, the 'protoversion' specified for this protocol is`
			`+ * "2.0". Earlier versions of this protocol have not been formally`
			`+ * documented, but it is widely known that they use 'protoversion' of`
			`+ * "1.x" (e.g., "1.5" or "1.3")."`
			`+ * - RFC 4253:5`
			`+ */`
			`+ ssh_server = ssh_proto + strspn (ssh_proto, "0123456789.") + 1; /* (+1 for the '-' separating protoversion from softwareversion) */`

			`/* If there's a space in the version string, whatever's after the space is a comment`
			`* (which is NOT part of the server name/version)*/`


			`From 59bed139e84fd6342d4203ebebca28bf2f4dcc82 Mon Sep 17 00:00:00 2001`
			`From: Anton Lofgren <alofgren@op5.com>`
			`Date: Fri, 30 Jan 2015 10:52:20 +0100`
			`Subject: [PATCH 4/4] check_ssh: Fix a typo in "remote-protocol parameter`

			`remote-protcol -> remote-protocol`

			`Signed-off-by: Anton Lofgren <alofgren@op5.com>`
			`---`
			`plugins/check_ssh.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/plugins/check_ssh.c b/plugins/check_ssh.c`
			`index 7b576895f..f12f34051 100644`
			`--- a/plugins/check_ssh.c`
			`+++ b/plugins/check_ssh.c`
			`@@ -106,7 +106,7 @@ process_arguments (int argc, char **argv)`
			`{"timeout", required_argument, 0, 't'},`
			`{"verbose", no_argument, 0, 'v'},`
			`{"remote-version", required_argument, 0, 'r'},`
			`- {"remote-protcol", required_argument, 0, 'P'},`
			`+ {"remote-protocol", required_argument, 0, 'P'},`
			`{0, 0, 0, 0}`
			`};`