- (tim) [configure.ac] Bug #1149. Changes in QNX section only. Patch by

[openssh.git] / sshd.c

diff --git a/sshd.c b/sshd.c
index e9125a2294f73327e7017b6a72c37523e7914f74..def90d827a2b34ef465f5db723e007ea979f464c 100644 (file)
--- a/sshd.c
+++ b/sshd.c
@@ -42,7 +42,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.312 2005/07/25 11:59:40 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.318 2005/12/24 02:27:41 djm Exp $");
 
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -633,16 +633,8 @@ privsep_postauth(Authctxt *authctxt)
        if (authctxt->pw->pw_uid == 0 || options.use_login) {
 #endif
                /* File descriptor passing is broken or root login */
-               monitor_apply_keystate(pmonitor);
                use_privsep = 0;
-               return;
-       }
-
-       /* Authentication complete */
-       alarm(0);
-       if (startup_pipe != -1) {
-               close(startup_pipe);
-               startup_pipe = -1;
+               goto skip;
        }
 
        /* New socket pair */
@@ -669,6 +661,7 @@ privsep_postauth(Authctxt *authctxt)
        /* Drop privileges */
        do_setusercontext(authctxt->pw);
 
+ skip:
        /* It is safe now to apply the key state */
        monitor_apply_keystate(pmonitor);
 
@@ -924,6 +917,9 @@ main(int ac, char **av)
        if (geteuid() == 0 && setgroups(0, NULL) == -1)
                debug("setgroups(): %.200s", strerror(errno));
 
+       /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+       sanitise_stdfd();
+
        /* Initialize configuration options to their default values. */
        initialize_server_options(&options);
 
@@ -1648,7 +1644,12 @@ main(int ac, char **av)
                debug("get_remote_port failed");
                cleanup_exit(255);
        }
-       remote_ip = get_remote_ipaddr();
+
+       /*
+        * We use get_canonical_hostname with usedns = 0 instead of
+        * get_remote_ipaddr here so IP options will be checked.
+        */
+       remote_ip = get_canonical_hostname(0);
 
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
@@ -1674,10 +1675,10 @@ main(int ac, char **av)
        verbose("Connection from %.500s port %d", remote_ip, remote_port);
 
        /*
-        * We don\'t want to listen forever unless the other side
+        * We don't want to listen forever unless the other side
         * successfully authenticates itself.  So we set up an alarm which is
         * cleared after successful authentication.  A limit of zero
-        * indicates no limit. Note that we don\'t set the alarm in debugging
+        * indicates no limit. Note that we don't set the alarm in debugging
         * mode; it is just annoying to have the server exit just when you
         * are about to discover the bug.
         */
@@ -1724,6 +1725,17 @@ main(int ac, char **av)
        }
 
  authenticated:
+       /*
+        * Cancel the alarm we set to limit the time taken for
+        * authentication.
+        */
+       alarm(0);
+       signal(SIGALRM, SIG_DFL);
+       if (startup_pipe != -1) {
+               close(startup_pipe);
+               startup_pipe = -1;
+       }
+
 #ifdef SSH_AUDIT_EVENTS
        audit_event(SSH_AUTH_SUCCESS);
 #endif