/* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */
#undef AIX_LOGINFAILED_4ARG
+/* Define if your skeychallenge() function takes 4 arguments (eg NetBSD) */
+#undef SKEYCHALLENGE_4ARG
+
/* Define if you have/want arrays (cluster-wide session managment, not C arrays) */
#undef WITH_IRIX_ARRAY
/* Define if you don't want to use lastlog in session.c */
#undef NO_SSH_LASTLOG
+/* Define if have krb5_init_ets */
+#undef KRB5_INIT_ETS
+
/* Define if you don't want to use utmp */
#undef DISABLE_UTMP
/* getaddrinfo is broken (if present) */
#undef BROKEN_GETADDRINFO
+/* updwtmpx is broken (if present) */
+#undef BROKEN_UPDWTMPX
+
/* Workaround more Linux IPv6 quirks */
#undef DONT_TRY_OTHER_AF
problem = krb5_init_context(&authctxt->krb5_ctx);
if (problem)
return (problem);
+#ifdef KRB5_INIT_ETS
krb5_init_ets(authctxt->krb5_ctx);
+#endif
}
return (0);
}
#endif
krb5_error_code problem;
krb5_ccache ccache = NULL;
+ int len;
if (!authctxt->valid)
return (0);
authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
+ len = strlen(authctxt->krb5_ticket_file) + 6;
+ authctxt->krb5_ccname = xmalloc(len);
+ snprintf(authctxt->krb5_ccname, len, "FILE:%s",
+ authctxt->krb5_ticket_file);
+
out:
restore_uid();
extern ServerOptions options;
extern Buffer loginmsg;
extern int compat20;
+extern u_int utmp_len;
#ifdef USE_POSIX_THREADS
#include <pthread.h>
{
pid_t pid;
+ sshpam_thread_status = -1;
switch ((pid = fork())) {
case -1:
error("fork(): %s", strerror(errno));
static int sshpam_cred_established = 0;
static int sshpam_account_status = -1;
static char **sshpam_env = NULL;
-static int *force_pwchange;
+static Authctxt *sshpam_authctxt = NULL;
/* Some PAM implementations don't implement this */
#ifndef HAVE_PAM_GETENVLIST
pam_password_change_required(int reqd)
{
debug3("%s %d", __func__, reqd);
- *force_pwchange = reqd;
+ if (sshpam_authctxt == NULL)
+ fatal("%s: PAM authctxt not initialized", __func__);
+ sshpam_authctxt->force_pwchange = reqd;
if (reqd) {
no_port_forwarding_flag |= 2;
no_agent_forwarding_flag |= 2;
debug3("PAM: %s entering", __func__);
+#ifndef USE_POSIX_THREADS
/* Import variables set by do_pam_account */
sshpam_account_status = buffer_get_int(b);
pam_password_change_required(buffer_get_int(b));
}
#endif
}
+#endif
}
/*
sshpam_conv.conv = sshpam_thread_conv;
sshpam_conv.appdata_ptr = ctxt;
+ if (sshpam_authctxt == NULL)
+ fatal("%s: PAM authctxt not initialized", __func__);
+
buffer_init(&buffer);
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&sshpam_conv);
if (compat20) {
if (!do_pam_account())
goto auth_fail;
- if (*force_pwchange) {
+ if (sshpam_authctxt->force_pwchange) {
sshpam_err = pam_chauthtok(sshpam_handle,
PAM_CHANGE_EXPIRED_AUTHTOK);
if (sshpam_err != PAM_SUCCESS)
#ifndef USE_POSIX_THREADS
/* Export variables set by do_pam_account */
buffer_put_int(&buffer, sshpam_account_status);
- buffer_put_int(&buffer, *force_pwchange);
+ buffer_put_int(&buffer, sshpam_authctxt->force_pwchange);
/* Export any environment strings set in child */
for(i = 0; environ[i] != NULL; i++)
}
static int
-sshpam_init(const char *user)
+sshpam_init(Authctxt *authctxt)
{
- extern u_int utmp_len;
extern char *__progname;
- const char *pam_rhost, *pam_user;
+ const char *pam_rhost, *pam_user, *user = authctxt->user;
if (sshpam_handle != NULL) {
/* We already have a PAM context; check if the user matches */
debug("PAM: initializing for \"%s\"", user);
sshpam_err =
pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle);
+ sshpam_authctxt = authctxt;
+
if (sshpam_err != PAM_SUCCESS) {
pam_end(sshpam_handle, sshpam_err);
sshpam_handle = NULL;
return NULL;
/* Initialize PAM */
- if (sshpam_init(authctxt->user) == -1) {
+ if (sshpam_init(authctxt) == -1) {
error("PAM: initialization failed");
return (NULL);
}
ctxt = xmalloc(sizeof *ctxt);
memset(ctxt, 0, sizeof(*ctxt));
- force_pwchange = &(authctxt->force_pwchange);
-
/* Start the authentication thread */
if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
error("PAM: failed create sockets: %s", strerror(errno));
xfree(msg);
return (0);
}
- error("PAM: %s", msg);
+ error("PAM: %s for %s%.100s from %.100s", msg,
+ sshpam_authctxt->valid ? "" : "illegal user ",
+ sshpam_authctxt->user,
+ get_remote_name_or_ip(utmp_len, options.use_dns));
/* FALLTHROUGH */
default:
*num = 0;
* This replaces auth-pam.c
*/
void
-start_pam(const char *user)
+start_pam(Authctxt *authctxt)
{
if (!options.use_pam)
fatal("PAM: initialisation requested when UsePAM=no");
- if (sshpam_init(user) == -1)
+ if (sshpam_init(authctxt) == -1)
fatal("PAM: initialisation failed");
}
# define SSHD_PAM_SERVICE __progname
#endif
-void start_pam(const char *);
+void start_pam(Authctxt *);
void finish_pam(void);
u_int do_pam_account(void);
void do_pam_session(void);
krb5_ccache krb5_fwd_ccache;
krb5_principal krb5_user;
char *krb5_ticket_file;
+ char *krb5_ccname;
#endif
#ifdef SESSION_HOOKS
char *session_env_file;
#ifdef USE_PAM
if (options.use_pam)
- PRIVSEP(start_pam(user));
+ PRIVSEP(start_pam(authctxt));
#endif
/*
} else {
#endif
authctxt->pw = PRIVSEP(getpwnamallow(user));
+ authctxt->user = xstrdup(user);
if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
authctxt->valid = 1;
debug2("input_userauth_request: setting up authctxt for %s", user);
#ifdef USE_PAM
if (options.use_pam)
- PRIVSEP(start_pam(authctxt->pw->pw_name));
+ PRIVSEP(start_pam(authctxt));
#endif
} else {
logit("input_userauth_request: illegal user %s", user);
authctxt->pw = fakepw();
#ifdef USE_PAM
if (options.use_pam)
- PRIVSEP(start_pam(user));
+ PRIVSEP(start_pam(authctxt));
#endif
}
#ifdef GSSAPI
#endif
setproctitle("%s%s", authctxt->pw ? user : "unknown",
use_privsep ? " [net]" : "");
- authctxt->user = xstrdup(user);
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
if (use_privsep && (authctxt->attempt == 1))
cleanup_exit(255);
}
+ if (from.ss_family == AF_INET)
+ check_ip_options(socket, ntop);
+
ipv64_normalise_mapped(&from, &fromlen);
if (from.ss_family == AF_INET6)
if (!use_dns)
return xstrdup(ntop);
- if (from.ss_family == AF_INET)
- check_ip_options(socket, ntop);
-
debug3("Trying to reverse map address %.100s.", ntop);
/* Map the IP address to a host name. */
if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
# $Id$
+#
+# Copyright (c) 1999-2004 Damien Miller
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
AC_INIT
AC_CONFIG_SRCDIR([ssh.c])
AC_DEFINE(DISABLE_UTMP)
AC_DEFINE(LOCKED_PASSWD_STRING, "*")
AC_DEFINE(SPT_TYPE,SPT_PSTAT)
- case "$host" in
- *-*-hpux11.11*)
- AC_DEFINE(BROKEN_GETADDRINFO);;
- esac
+ check_for_hpux_broken_getaddrinfo=1
LIBS="$LIBS -lsec"
AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
;;
AC_DEFINE(SETEUID_BREAKS_SETUID)
AC_DEFINE(BROKEN_SETREUID)
AC_DEFINE(BROKEN_SETREGID)
+ AC_DEFINE(BROKEN_UPDWTMPX)
AC_DEFINE(WITH_ABBREV_NO_TTY)
AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
;;
check_for_openpty_ctty_bug=1
AC_DEFINE(DONT_TRY_OTHER_AF)
AC_DEFINE(PAM_TTY_KLUDGE)
- AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!")
+ AC_DEFINE(LOCKED_PASSWD_PREFIX, "!")
AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
inet6_default_4in6=yes
case `uname -r` in
AC_DEFINE(BROKEN_SAVED_UIDS)
;;
*-*-solaris*)
+ if test "x$withval" != "xno" ; then
+ need_dash_r=1
+ fi
AC_DEFINE(PAM_SUN_CODEBASE)
AC_DEFINE(LOGIN_NEEDS_UTMPX)
AC_DEFINE(LOGIN_NEEDS_TERM)
AC_DEFINE(HAVE_SECUREWARE)
AC_DEFINE(DISABLE_SHADOW)
AC_DEFINE(BROKEN_SAVED_UIDS)
+ AC_DEFINE(SETEUID_BREAKS_SETUID)
+ AC_DEFINE(BROKEN_SETREUID)
+ AC_DEFINE(BROKEN_SETREGID)
AC_DEFINE(WITH_ABBREV_NO_TTY)
AC_CHECK_FUNCS(getluid setluid)
MANTYPE=man
netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \
rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \
- sys/cdefs.h sys/mman.h sys/pstat.h sys/ptms.h sys/select.h sys/stat.h \
- sys/stream.h sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \
- sys/un.h time.h tmpdir.h ttyent.h usersec.h \
- util.h utime.h utmp.h utmpx.h vis.h)
+ sys/cdefs.h sys/mman.h sys/prctl.h sys/pstat.h sys/ptms.h \
+ sys/select.h sys/stat.h sys/stream.h sys/stropts.h \
+ sys/sysmacros.h sys/time.h sys/timers.h sys/un.h time.h tmpdir.h \
+ ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h)
# Checks for libraries.
AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match))
AC_MSG_RESULT(no)
AC_MSG_ERROR([** Incomplete or missing s/key libraries.])
])
+ AC_MSG_CHECKING(if skeychallenge takes 4 arguments)
+ AC_TRY_COMPILE(
+ [#include <stdio.h>
+ #include <skey.h>],
+ [(void)skeychallenge(NULL,"name","",0);],
+ [AC_MSG_RESULT(yes)
+ AC_DEFINE(SKEYCHALLENGE_4ARG)],
+ [AC_MSG_RESULT(no)]
+ )
fi
]
)
AC_MSG_CHECKING(for libwrap)
AC_TRY_LINK(
[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
#include <tcpd.h>
int deny_severity = 0, allow_severity = 0;
],
getpeereid _getpty getrlimit getttyent glob inet_aton \
inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \
mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \
- pstat readpassphrase realpath recvmsg rresvport_af sendmsg \
+ pstat prctl readpassphrase realpath recvmsg rresvport_af sendmsg \
setdtablesize setegid setenv seteuid setgroups setlogin setpcred \
setproctitle setregid setreuid setrlimit \
setsid setvbuf sigaction sigvec snprintf socketpair strerror \
strlcat strlcpy strmode strnvis strtoul sysconf tcgetpgrp \
- truncate updwtmpx utimes vhangup vsnprintf waitpid \
+ truncate unsetenv updwtmpx utimes vhangup vsnprintf waitpid \
)
# IRIX has a const char return value for gai_strerror()
)
fi
+if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
+ AC_MSG_CHECKING(if getaddrinfo seems to work)
+ AC_TRY_RUN(
+ [
+#include <stdio.h>
+#include <sys/socket.h>
+#include <netdb.h>
+#include <errno.h>
+#include <netinet/in.h>
+
+#define TEST_PORT "2222"
+
+int
+main(void)
+{
+ int err, sock;
+ struct addrinfo *gai_ai, *ai, hints;
+ char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = PF_UNSPEC;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_PASSIVE;
+
+ err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
+ if (err != 0) {
+ fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
+ exit(1);
+ }
+
+ for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
+ if (ai->ai_family != AF_INET6)
+ continue;
+
+ err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
+ sizeof(ntop), strport, sizeof(strport),
+ NI_NUMERICHOST|NI_NUMERICSERV);
+
+ if (err != 0) {
+ if (err == EAI_SYSTEM)
+ perror("getnameinfo EAI_SYSTEM");
+ else
+ fprintf(stderr, "getnameinfo failed: %s\n",
+ gai_strerror(err));
+ exit(2);
+ }
+
+ sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+ if (sock < 0)
+ perror("socket");
+ if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+ if (errno == EBADF)
+ exit(3);
+ }
+ }
+ exit(0);
+}
+ ],
+ [
+ AC_MSG_RESULT(yes)
+ ],
+ [
+ AC_MSG_RESULT(no)
+ AC_DEFINE(BROKEN_GETADDRINFO)
+ ]
+ )
+fi
+
AC_FUNC_GETPGRP
# Check for PAM libs
LIBS="$LIBS $K5LIBS"
AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS))
+ AC_SEARCH_LIBS(krb5_init_ets, $K5LIBS, AC_DEFINE(KRB5_INIT_ETS))
]
)
# undef HAVE_GAI_STRERROR
#endif
+#if defined(BROKEN_UPDWTMPX) && defined(HAVE_UPDWTMPX)
+# undef HAVE_UPDWTMPX
+#endif
+
#if !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY)
# define memmove(s1, s2, n) bcopy((s2), (s1), (n))
#endif /* !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) */
# define krb5_get_err_text(context,code) error_message(code)
#endif
+#if defined(SKEYCHALLENGE_4ARG)
+# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c,d)
+#else
+# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c)
+#endif
+
/* Maximum number of file descriptors available */
#ifdef HAVE_SYSCONF
# define SSH_SYSFDMAX sysconf(_SC_OPEN_MAX)
#endif
+#ifndef UT_LINESIZE
+# define UT_LINESIZE 8
+#endif
+
/* I hope that the presence of LASTLOG_FILE is enough to detect this */
#if defined(LASTLOG_FILE) && !defined(DISABLE_LASTLOG)
# define USE_LASTLOG
#endif
+#ifdef HAVE_OSF_SIA
+# ifdef USE_SHADOW
+# undef USE_SHADOW
+# endif
+# define CUSTOM_SYS_AUTH_PASSWD 1
+#endif
+
/** end of login recorder definitions */
#endif /* _DEFINES_H */
logit("Cannot initialize krb5 context");
return 0;
}
+#ifdef KRB5_INIT_ETS
krb5_init_ets(krb_context);
+#endif
return 1;
}
#include "auth.h"
#include "kex.h"
#include "dh.h"
+#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */
+#undef TARGET_OS_MAC
#include "zlib.h"
+#define TARGET_OS_MAC 1
+#else
+#include "zlib.h"
+#endif
#include "packet.h"
#include "auth-options.h"
#include "sshpty.h"
char challenge[1024];
u_int success;
- success = skeychallenge(&skey, authctxt->user, challenge) < 0 ? 0 : 1;
+ success = _compat_skeychallenge(&skey, authctxt->user, challenge,
+ sizeof(challenge)) < 0 ? 0 : 1;
buffer_clear(m);
buffer_put_int(m, success);
int
mm_answer_pam_start(int socket, Buffer *m)
{
- char *user;
-
if (!options.use_pam)
fatal("UsePAM not set, but ended up in %s anyway", __func__);
- user = buffer_get_string(m, NULL);
-
- start_pam(user);
-
- xfree(user);
+ start_pam(authctxt);
monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
#include "packet.h"
#include "mac.h"
#include "log.h"
+#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */
+#undef TARGET_OS_MAC
#include "zlib.h"
+#define TARGET_OS_MAC 1
+#else
+#include "zlib.h"
+#endif
#include "monitor.h"
#include "monitor_wrap.h"
#include "xmalloc.h"
#ifdef USE_PAM
void
-mm_start_pam(char *user)
+mm_start_pam(Authctxt *authctxt)
{
Buffer m;
fatal("UsePAM=no, but ended up in %s anyway", __func__);
buffer_init(&m);
- buffer_put_cstring(&m, user);
-
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, &m);
buffer_free(&m);
#endif
#ifdef USE_PAM
-void mm_start_pam(char *);
+void mm_start_pam(struct Authctxt *);
u_int mm_do_pam_account(void);
void *mm_sshpam_init_ctx(struct Authctxt *);
int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
int tcsendbreak(int, int);
#endif
+#ifndef HAVE_UNSETENV
+void unsetenv(const char *);
+#endif
+
/* wrapper for signal interface */
typedef void (*mysig_t)(int);
mysig_t mysignal(int sig, mysig_t act);
#endif /* !HAVE_STRUCT_ADDRINFO */
#ifndef HAVE_GETADDRINFO
+#ifdef getaddrinfo
+# undef getaddrinfo
+#endif
#define getaddrinfo(a,b,c,d) (ssh_getaddrinfo(a,b,c,d))
int getaddrinfo(const char *, const char *,
const struct addrinfo *, struct addrinfo **);
#include "includes.h"
-#if !defined(HAVE_OSF_SIA)
-
# ifdef HAVE_CRYPT_H
# include <crypt.h>
# endif
return pw_password;
}
-
-#endif /* !defined(HAVE_OSF_SIA) */
*/
#include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.127 2003/12/16 15:49:51 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.128 2004/03/05 10:53:58 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssKeyEx, oGssDelegateCreds,
- oServerAliveInterval, oServerAliveCountMax,
+ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oDeprecated, oUnsupported
} OpCodes;
{ "usersh", oDeprecated },
{ "identityfile", oIdentityFile },
{ "identityfile2", oIdentityFile }, /* alias */
+ { "identitiesonly", oIdentitiesOnly },
{ "hostname", oHostName },
{ "hostkeyalias", oHostKeyAlias },
{ "proxycommand", oProxyCommand },
intptr = &options->enable_ssh_keysign;
goto parse_flag;
+ case oIdentitiesOnly:
+ intptr = &options->identities_only;
+ goto parse_flag;
+
case oServerAliveInterval:
intptr = &options->server_alive_interval;
goto parse_time;
options->smartcard_device = NULL;
options->enable_ssh_keysign = - 1;
options->no_host_authentication_for_localhost = - 1;
+ options->identities_only = - 1;
options->rekey_limit = - 1;
options->verify_host_key_dns = -1;
options->server_alive_interval = -1;
clear_forwardings(options);
if (options->no_host_authentication_for_localhost == - 1)
options->no_host_authentication_for_localhost = 0;
+ if (options->identities_only == -1)
+ options->identities_only = 0;
if (options->enable_ssh_keysign == -1)
options->enable_ssh_keysign = 0;
if (options->rekey_limit == -1)
-/* $OpenBSD: readconf.h,v 1.59 2003/12/16 15:49:51 markus Exp $ */
+/* $OpenBSD: readconf.h,v 1.60 2004/03/05 10:53:58 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
int enable_ssh_keysign;
int rekey_limit;
int no_host_authentication_for_localhost;
+ int identities_only;
int server_alive_interval;
int server_alive_count_max;
} Options;
printf("%s\n", (char *)buffer_ptr(&loginmsg));
buffer_clear(&loginmsg);
}
+ fflush(stdout);
}
void
close(inout[0]);
close(err[0]);
+ /*
+ * Clear loginmsg, since it's the child's responsibility to display
+ * it to the user, otherwise multiple sessions may accumulate
+ * multiple copies of the login messages.
+ */
+ buffer_clear(&loginmsg);
+
/*
* Enter the interactive session. Note: server_loop must be able to
* handle the case that fdin and fdout are the same.
}
#endif
#ifdef KRB5
- if (s->authctxt->krb5_ticket_file)
+ if (s->authctxt->krb5_ccname)
child_set_env(&env, &envsize, "KRB5CCNAME",
- s->authctxt->krb5_ticket_file);
+ s->authctxt->krb5_ccname);
#endif
#ifdef USE_PAM
/*
#include "scard.h"
#endif
+#if defined(HAVE_SYS_PRCTL_H)
+#include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */
+#endif
+
typedef enum {
AUTH_UNUSED,
AUTH_SOCKET,
setegid(getgid());
setgid(getgid());
+#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+ /* Disable ptrace on Linux without sgid bit */
+ prctl(PR_SET_DUMPABLE, 0);
+#endif
+
SSLeay_add_all_algorithms();
__progname = ssh_get_progname(av[0]);
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-keyscan.c,v 1.46 2003/11/23 23:17:34 djm Exp $");
+RCSID("$OpenBSD: ssh-keyscan.c,v 1.47 2004/03/08 09:38:05 djm Exp $");
#include "openbsd-compat/sys-queue.h"
static void
congreet(int s)
{
- int remote_major, remote_minor, n = 0;
+ int remote_major = 0, remote_minor = 0, n = 0;
char buf[256], *cp;
char remote_version[sizeof buf];
size_t bufsiz;
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.181 2003/12/16 15:49:51 markus Exp $
+.\" $OpenBSD: ssh.1,v 1.182 2004/03/05 10:53:58 markus Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
.It HostKeyAlias
.It HostName
.It IdentityFile
+.It IdentitiesOnly
.It LocalForward
.It LogLevel
.It MACs
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.206 2003/12/16 15:49:51 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.209 2004/03/11 10:21:17 markus Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
static void
usage(void)
{
- fprintf(stderr, "Usage: %s [options] host [command]\n", __progname);
- fprintf(stderr, "Options:\n");
- fprintf(stderr, " -l user Log in using this user name.\n");
- fprintf(stderr, " -n Redirect input from " _PATH_DEVNULL ".\n");
- fprintf(stderr, " -F config Config file (default: ~/%s).\n",
- _PATH_SSH_USER_CONFFILE);
- fprintf(stderr, " -A Enable authentication agent forwarding.\n");
- fprintf(stderr, " -a Disable authentication agent forwarding (default).\n");
- fprintf(stderr, " -X Enable X11 connection forwarding.\n");
- fprintf(stderr, " -Y Enable trusted X11 connection forwarding.\n");
- fprintf(stderr, " -x Disable X11 connection forwarding (default).\n");
- fprintf(stderr, " -i file Identity for public key authentication "
- "(default: ~/.ssh/identity)\n");
-#ifdef SMARTCARD
- fprintf(stderr, " -I reader Set smartcard reader.\n");
-#endif
- fprintf(stderr, " -t Tty; allocate a tty even if command is given.\n");
- fprintf(stderr, " -T Do not allocate a tty.\n");
- fprintf(stderr, " -v Verbose; display verbose debugging messages.\n");
- fprintf(stderr, " Multiple -v increases verbosity.\n");
- fprintf(stderr, " -V Display version number only.\n");
- fprintf(stderr, " -q Quiet; don't display any warning messages.\n");
- fprintf(stderr, " -f Fork into background after authentication.\n");
- fprintf(stderr, " -e char Set escape character; ``none'' = disable (default: ~).\n");
-
- fprintf(stderr, " -c cipher Select encryption algorithm\n");
- fprintf(stderr, " -m macs Specify MAC algorithms for protocol version 2.\n");
- fprintf(stderr, " -p port Connect to this port. Server must be on the same port.\n");
- fprintf(stderr, " -L listen-port:host:port Forward local port to remote address\n");
- fprintf(stderr, " -R listen-port:host:port Forward remote port to local address\n");
- fprintf(stderr, " These cause %s to listen for connections on a port, and\n", __progname);
- fprintf(stderr, " forward them to the other side by connecting to host:port.\n");
- fprintf(stderr, " -D port Enable dynamic application-level port forwarding.\n");
- fprintf(stderr, " -C Enable compression.\n");
- fprintf(stderr, " -N Do not execute a shell or command.\n");
- fprintf(stderr, " -g Allow remote hosts to connect to forwarded ports.\n");
- fprintf(stderr, " -1 Force protocol version 1.\n");
- fprintf(stderr, " -2 Force protocol version 2.\n");
- fprintf(stderr, " -4 Use IPv4 only.\n");
- fprintf(stderr, " -6 Use IPv6 only.\n");
- fprintf(stderr, " -o 'option' Process the option as if it was read from a configuration file.\n");
- fprintf(stderr, " -s Invoke command (mandatory) as SSH2 subsystem.\n");
- fprintf(stderr, " -b addr Local IP address.\n");
+ fprintf(stderr,
+"usage: ssh [-1246AaCfghkNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
+" [-D port] [-e escape_char] [-F configfile] [-i identity_file]\n"
+" [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option]\n"
+" [-p port] [-R port:host:hostport] [user@]hostname [command]\n"
+ );
exit(1);
}
}
/* fallthrough */
case 'V':
- fprintf(stderr,
- "%s, SSH protocols %d.%d/%d.%d, %s\n",
- SSH_VERSION,
- PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1,
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
- SSLeay_version(SSLEAY_VERSION));
+ fprintf(stderr, "%s, %s\n",
+ SSH_VERSION, SSLeay_version(SSLEAY_VERSION));
if (opt == 'V')
exit(0);
break;
xauthdir);
snprintf(cmd, sizeof(cmd),
"%s -f %s generate %s " SSH_X11_PROTO
- " untrusted timeout 120 2>" _PATH_DEVNULL,
+ " untrusted timeout 1200 2>" _PATH_DEVNULL,
options.xauth_location, xauthfile, display);
debug2("x11_get_proto: %s", cmd);
if (system(cmd) == 0)
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.28 2003/12/16 15:49:51 markus Exp $
+.\" $OpenBSD: ssh_config.5,v 1.29 2004/03/05 10:53:58 markus Exp $
.Dd September 25, 1999
.Dt SSH_CONFIG 5
.Os
It is possible to have
multiple identity files specified in configuration files; all these
identities will be tried in sequence.
+.It Cm IdentitiesOnly
+Specifies that
+.Nm ssh
+should only use the authentication identity files configured in the
+.Nm
+files,
+even if the
+.Nm ssh-agent
+offers more identities.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+This option is intented for situations where
+.Nm ssh-agent
+offers many different identities.
+The default is
+.Dq no .
.It Cm LocalForward
Specifies that a TCP/IP port on the local machine be forwarded over
the secure channel to the specified host and port from the remote machine.
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.134 2004/01/19 21:25:15 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.135 2004/03/05 10:53:58 markus Exp $");
#include "openbsd-compat/sys-queue.h"
break;
}
}
- if (!found) {
+ if (!found && !options.identities_only) {
id = xmalloc(sizeof(*id));
memset(id, 0, sizeof(*id));
id->key = key;
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.286 2004/02/23 12:02:33 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.290 2004/03/11 10:21:17 markus Exp $");
#include <openssl/dh.h>
#include <openssl/bn.h>
#else
char *__progname;
#endif
-extern char **environ;
/* Server configuration options. */
ServerOptions options;
debug3("privsep user:group %u:%u", (u_int)pw->pw_uid,
(u_int)pw->pw_gid);
#if 0
- /* XXX not ready, to heavy after chroot */
+ /* XXX not ready, too heavy after chroot */
do_setusercontext(pw);
#else
gidset[0] = pw->pw_gid;
static void
usage(void)
{
- fprintf(stderr, "sshd version %s, %s\n",
+ fprintf(stderr, "%s, %s\n",
SSH_VERSION, SSLeay_version(SSLEAY_VERSION));
- fprintf(stderr, "Usage: %s [options]\n", __progname);
- fprintf(stderr, "Options:\n");
- fprintf(stderr, " -f file Configuration file (default %s)\n", _PATH_SERVER_CONFIG_FILE);
- fprintf(stderr, " -d Debugging mode (multiple -d means more debugging)\n");
- fprintf(stderr, " -i Started from inetd\n");
- fprintf(stderr, " -D Do not fork into daemon mode\n");
- fprintf(stderr, " -t Only test configuration file and keys\n");
- fprintf(stderr, " -q Quiet (no logging)\n");
- fprintf(stderr, " -p port Listen on the specified port (default: 22)\n");
- fprintf(stderr, " -k seconds Regenerate server key every this many seconds (default: 3600)\n");
- fprintf(stderr, " -g seconds Grace period for authentication (default: 600)\n");
- fprintf(stderr, " -b bits Size of server RSA key (default: 768 bits)\n");
- fprintf(stderr, " -h file File from which to read host key (default: %s)\n",
- _PATH_HOST_KEY_FILE);
- fprintf(stderr, " -u len Maximum hostname length for utmp recording\n");
- fprintf(stderr, " -4 Use IPv4 only\n");
- fprintf(stderr, " -6 Use IPv6 only\n");
- fprintf(stderr, " -o option Process the option as if it was read from a configuration file.\n");
+ fprintf(stderr,
+"usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]\n"
+" [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]\n"
+ );
exit(1);
}
av = saved_argv;
#endif
+ if (geteuid() == 0 && setgroups(0, NULL) == -1)
+ debug("setgroups(): %.200s", strerror(errno));
+
/* Initialize configuration options to their default values. */
initialize_server_options(&options);
SYSLOG_FACILITY_AUTH : options.log_facility,
log_stderr || !inetd_flag);
+#ifdef _AIX
+ /*
+ * Unset KRB5CCNAME, otherwise the user's session may inherit it from
+ * root's environment
+ */
+ unsetenv("KRB5CCNAME");
+#endif /* _AIX */
#ifdef _UNICOS
/* Cray can define user privs drop all prives now!
* Not needed on PRIV_SU systems!
unmounted if desired. */
chdir("/");
-#ifndef HAVE_CYGWIN
-#ifndef GSI /* GSI gets configuration from environment! */
- /* Clear environment */
- environ[0] = NULL;
-#endif
-#endif
-
/* ignore SIGPIPE */
signal(SIGPIPE, SIG_IGN);
}
/* This is the child processing a new connection. */
+ setproctitle("%s", "[accepted]");
/*
* Create a new session and process group since the 4.4BSD
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.28 2004/02/17 19:35:21 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.29 2004/03/08 10:18:57 dtucker Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
Kerberos servtab which allows the verification of the KDC's identity.
Default is
.Dq no .
+.It Cm KerberosGetAFSToken
+If AFS is active and the user has a Kerberos 5 TGT, attempt to aquire
+an AFS token before accessing the user's home directory.
+Default is
+.Dq no .
.It Cm KerberosOrLocalPasswd
If set then if password authentication through Kerberos fails then
the password will be validated via any additional local mechanism
.Pp
If this option is set to
.Dq without-password
-password authentication is disabled for root.
+password authentication is disabled for root. Note that other authentication
+methods (e.g., keyboard-interactive/PAM) may still allow root to login using
+a password.
.Pp
If this option is set to
.Dq forced-commands-only
-/* $OpenBSD: version.h,v 1.40 2004/02/23 15:16:46 markus Exp $ */
+/* $OpenBSD: version.h,v 1.41 2004/03/20 10:40:59 markus Exp $ */
#ifdef GSI
#define GSI_VERSION " GSI"
#define MGLUE_VERSION ""
#endif
-#define SSH_VERSION "OpenSSH_3.8p1" \
+#define SSH_VERSION "OpenSSH_3.8.1p1" \
" NCSA_GSSAPI_20040423" \
GSI_VERSION KRB5_VERSION MGLUE_VERSION