-/* $OpenBSD: sshd.c,v 1.351 2007/05/22 10:18:52 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.355 2008/02/14 13:10:31 mbalmer Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
#include <openssl/bn.h>
#include <openssl/md5.h>
#include <openssl/rand.h>
+#include "openbsd-compat/openssl-compat.h"
+
#ifdef HAVE_SECUREWARE
#include <sys/security.h>
#include <prot.h>
#ifdef LIBWRAP
#include <tcpd.h>
#include <syslog.h>
-int allow_severity = LOG_INFO;
-int deny_severity = LOG_WARNING;
+int allow_severity;
+int deny_severity;
#endif /* LIBWRAP */
#ifndef O_NOCTTY
{
u_int32_t rnd[256];
gid_t gidset[1];
- int i;
+ u_int i;
/* Enable challenge-response authentication for privilege separation */
privsep_challenge_enable();
+ arc4random_stir();
for (i = 0; i < 256; i++)
rnd[i] = arc4random();
RAND_seed(rnd, sizeof(rnd));
static void
privsep_postauth(Authctxt *authctxt)
{
+ u_int32_t rnd[256];
+ u_int i;
+
#ifdef DISABLE_FD_PASSING
if (1) {
#else
/* Demote the private keys to public keys. */
demote_sensitive_data();
+ arc4random_stir();
+ for (i = 0; i < 256; i++)
+ rnd[i] = arc4random();
+ RAND_seed(rnd, sizeof(rnd));
+
/* Drop privileges */
do_setusercontext(authctxt->pw);
ntop, sizeof(ntop), strport, sizeof(strport),
NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
error("getnameinfo failed: %.100s",
- (ret != EAI_SYSTEM) ? gai_strerror(ret) :
- strerror(errno));
+ ssh_gai_strerror(ret));
continue;
}
/* Create socket for listening. */
&on, sizeof(on)) == -1)
error("setsockopt SO_REUSEADDR: %s", strerror(errno));
+#ifdef IPV6_V6ONLY
+ /* Only communicate in IPv6 over AF_INET6 sockets. */
+ if (ai->ai_family == AF_INET6) {
+ if (setsockopt(listen_sock, IPPROTO_IPV6, IPV6_V6ONLY,
+ &on, sizeof(on)) == -1)
+ error("setsockopt IPV6_V6ONLY: %s",
+ strerror(errno));
+ }
+#endif
+
debug("Bind to port %s on %s.", strport, ntop);
/* Bind the socket to the desired port. */
}
if (rexeced_flag || inetd_flag)
rexec_flag = 0;
- if (rexec_flag && (av[0] == NULL || *av[0] != '/'))
+ if (!test_flag && (rexec_flag && (av[0] == NULL || *av[0] != '/')))
fatal("sshd re-exec requires execution with an absolute path");
if (rexeced_flag)
closefrom(REEXEC_MIN_FREE_FD);
/* Get a connection, either from inetd or a listening TCP socket */
if (inetd_flag) {
server_accept_inetd(&sock_in, &sock_out);
-
- if ((options.protocol & SSH_PROTO_1) &&
- sensitive_data.server_key == NULL)
- generate_ephemeral_server_key();
} else {
server_listen();
audit_connection_from(remote_ip, remote_port);
#endif
#ifdef LIBWRAP
+ allow_severity = options.log_facility|LOG_INFO;
+ deny_severity = options.log_facility|LOG_WARNING;
/* Check whether logins are denied from this host. */
if (packet_connection_is_on_socket()) {
struct request_info req;
sshd_exchange_identification(sock_in, sock_out);
+ /* In inetd mode, generate ephemeral key only for proto 1 connections */
+ if (!compat20 && inetd_flag && sensitive_data.server_key == NULL)
+ generate_ephemeral_server_key();
+
packet_set_nonblocking();
/* allocate authentication context */
audit_event(SSH_AUTH_SUCCESS);
#endif
+#ifdef GSSAPI
+ if (options.gss_authentication) {
+ temporarily_use_uid(authctxt->pw);
+ ssh_gssapi_storecreds();
+ restore_uid();
+ }
+#endif
+#ifdef USE_PAM
+ if (options.use_pam) {
+ do_pam_setcred(1);
+ do_pam_session();
+ }
+#endif
+
/*
* In privilege separation, we fork another child and prepare
* file descriptor passing.
andersk / gssapi-openssh.git / blobdiff