case '?':
default:
fprintf(stderr, "sshd version %s\n", SSH_VERSION);
-#ifdef RSAREF
- fprintf(stderr, "Compiled with RSAref.\n");
-#endif
fprintf(stderr, "Usage: %s [options]\n", av0);
fprintf(stderr, "Options:\n");
fprintf(stderr, " -f file Configuration file (default %s)\n", SERVER_CONFIG_FILE);
debug("Bind to port %s on %s.", strport, ntop);
/* Bind the socket to the desired port. */
- if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+ if ((bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) &&
+ (!ai->ai_next)) {
error("Bind to port %s on %s failed: %.200s.",
strport, ntop, strerror(errno));
close(listen_sock);
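Review bot: The added `&& (!ai->ai_next)` at L13-14 means a failed bind() is no longer handled while another address remains in the getaddrinfo() list: the error branch, and with it close(listen_sock) and whatever follows it to skip this address (outside the hunk), is bypassed, so the unbound socket presumably goes on to be listened on and reported as listening, and if listen() then assigns it an ephemeral wildcard port sshd would accept connections on a port the administrator never configured. If the intent is only to quiet the message when a later address may still succeed, keep the skip unconditional and gate just the error: `if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {` followed by `if (!ai->ai_next)` in front of the `error(...)` call. The enclosing function starts and ends outside the hunk.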
{
struct group *grp;
int i;
+#ifdef WITH_AIXAUTHENTICATE
+ char *loginmsg;
+#endif /* WITH_AIXAUTHENTICATE */
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
if (!pw)
return 0;
}
}
+
+#ifdef WITH_AIXAUTHENTICATE
+ if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0)
+ return 0;
+#endif /* WITH_AIXAUTHENTICATE */
+
/* We found no reason not to let this user try to log on... */
return 1;
}
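Review bot: The message loginrestrictions() returns through `loginmsg` at L31 is discarded and, as far as I recall the AIX contract, never freed, so the administrator gets no reason for the refusal and each denied attempt leaks the buffer. Log it before returning and release it, e.g. inside the `!= 0` branch: `if (loginmsg != NULL) { log("Login restricted for %.100s: %.200s", pw->pw_name, loginmsg); free(loginmsg); }` (the variable is declared in the hunk ending at L26). The caller only sees the 0 return, so this branch is the only place the text is available.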
setproctitle("%s", user);
+#ifdef WITH_AIXAUTHENTICATE
+ char *loginmsg;
+#endif /* WITH_AIXAUTHENTICATE */
+
#ifdef AFS
/* If machine has AFS, set process authentication group. */
if (k_hasafs()) {
get_canonical_hostname());
}
/* The user has been authenticated and accepted. */
+#ifdef WITH_AIXAUTHENTICATE
+ loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg);
+#endif /* WITH_AIXAUTHENTICATE */
packet_start(SSH_SMSG_SUCCESS);
packet_send();
packet_write_wait();
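Review bot: The loginsuccess() call at L50 ignores its return value and the message it hands back in `loginmsg`; the text is neither logged nor freed, so every successful login leaks it and a failure to record the login goes unnoticed. Check the result and release the buffer, e.g. `if (loginsuccess(user, get_canonical_hostname(), "ssh", &loginmsg) != 0) log("loginsuccess failed for %.100s", user);` followed by freeing loginmsg when non-NULL, under the same AIX contract as loginrestrictions(). Separately, the `char *loginmsg;` declaration in the hunk ending at L45 sits after the `setproctitle()` statement, which pre-C99 compilers reject; move it into the function's declaration list at the top (outside the hunk).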
if (authenticated) {
#ifdef USE_PAM
- if (!do_pam_account(pw->pw_name, client_user))
- {
+ if (!do_pam_account(pw->pw_name, client_user)) {
if (client_user != NULL)
xfree(client_user);
return;
}
- if (client_user != NULL)
+ if (client_user != NULL) {
xfree(client_user);
+ client_user = NULL;
+ }
if (attempt > AUTH_FAIL_MAX)
packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);
packet_start(SSH_SMSG_FAILURE);
packet_send();
packet_write_wait();
+#ifdef WITH_AIXAUTHENTICATE
+ if (strncmp(get_authname(type),"password",
+ strlen(get_authname(type))) == 0)
+ loginfailed(pw->pw_name,get_canonical_hostname(),"ssh");
+#endif /* WITH_AIXAUTHENTICATE */
}
/* NOTREACHED */
abort();
}
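Review bot: The comparison at L75-76 bounds strncmp() by the length of the method name rather than by the literal, so any name that is a prefix of "password" (including an empty string, which compares zero characters) is treated as a password failure, while the intended exact match is simply `if (strcmp(get_authname(type), "password") == 0)`. This hunk and the one ending at L68 are in the same loop, whose start lies outside the hunk.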
}
+struct pty_cleanup_context {
+ const char *ttyname;
+ int pid;
+};
+
+/*
+ * Function to perform cleanup if we get aborted abnormally (e.g., due to a
+ * dropped connection).
+ */
+void
+pty_cleanup_proc(void *context)
+{
+ struct pty_cleanup_context *cu = context;
+
+ debug("pty_cleanup_proc called");
+
+ /* Record that the user has logged out. */
+ record_logout(cu->pid, cu->ttyname);
+
+ /* Release the pseudo-tty. */
+ pty_release(cu->ttyname);
+}
+
+/* simple cleanup: chown tty slave back to root */
+static void
+pty_release_proc(void *tty)
+{
+ char *ttyname = tty;
+ pty_release(ttyname);
+}
+
/*
* Prepares for an interactive session. This is called after the user has
* been successfully authenticated. During this message exchange, pseudo
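Review bot: `pty_cleanup_proc` at L93-94 keeps external linkage while the new `pty_release_proc` at L108-109 is static, although both are file-local fatal_add_cleanup() callbacks; unless a header declares the former, make it `static void` too so the pair read the same. The comment at L107 describes pty_release()'s mechanism (chowning the slave back to root), which is not visible here and may drift; a wording that states the contract instead, `/* cleanup registered while a pty is allocated but not yet handed to the session: release it */`, stays true if pty_release() changes.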
int have_pty = 0, ptyfd = -1, ttyfd = -1, xauthfd = -1;
int row, col, xpixel, ypixel, screen;
char ttyname[64];
- char *command, *term = NULL, *display = NULL, *proto = NULL,
- *data = NULL;
- struct group *grp;
- gid_t tty_gid;
- mode_t tty_mode;
+ char *command, *term = NULL, *display = NULL, *proto = NULL, *data = NULL;
int n_bytes;
/*
error("Failed to allocate pty.");
goto fail;
}
- /* Determine the group to make the owner of the tty. */
- grp = getgrnam("tty");
- if (grp) {
- tty_gid = grp->gr_gid;
- tty_mode = S_IRUSR | S_IWUSR | S_IWGRP;
- } else {
- tty_gid = pw->pw_gid;
- tty_mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
- }
-
- /* Change ownership of the tty. */
- if (chown(ttyname, pw->pw_uid, tty_gid) < 0)
- fatal("chown(%.100s, %d, %d) failed: %.100s",
- ttyname, pw->pw_uid, tty_gid, strerror(errno));
- if (chmod(ttyname, tty_mode) < 0)
- fatal("chmod(%.100s, 0%o) failed: %.100s",
- ttyname, tty_mode, strerror(errno));
+ fatal_add_cleanup(pty_release_proc, (void *)ttyname);
+ pty_setowner(pw, ttyname);
/* Get TERM from the packet. Note that the value may be of arbitrary length. */
term = packet_get_string(&dlen);
packet_integrity_check(dlen, strlen(term), type);
- /* packet_integrity_check(plen, 4 + dlen + 4*4 + n_bytes, type); */
+
/* Remaining bytes */
n_bytes = plen - (4 + dlen + 4 * 4);
- if (strcmp(term, "") == 0)
+ if (strcmp(term, "") == 0) {
+ xfree(term);
term = NULL;
+ }
/* Get window size from the packet. */
row = packet_get_int();
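Review bot: The handler registered at L149 receives `ttyname`, the 64-byte stack array declared at L120, and nothing in this function removes it again; the matching fatal_remove_cleanup() appears in a later hunk (L246) in the function that forks the pty session, so the registration is safe only as long as every exit from this function with a pty allocated passes through that call, which I cannot confirm from the hunk. A comment next to the registration should state that contract, e.g. `/* Points at the stack buffer above; the pty exec path removes it. Any other exit with a pty allocated must remove it too, or fatal() would call pty_release() on a dead frame. */`. The `(void *)` cast on `ttyname` is also redundant, since the array converts to `void *` implicitly. The enclosing function starts and ends outside the hunk.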
/* Indicate that we now have a pty. */
have_pty = 1;
-
-#ifdef USE_PAM
- /* do the pam_open_session since we have the pty */
- do_pam_session(pw->pw_name, ttyname);
-#endif /* USE_PAM */
-
break;
case SSH_CMSG_X11_REQUEST_FORWARDING:
packet_set_interactive(have_pty || display != NULL,
options.keepalives);
-#ifdef USE_PAM
- do_pam_setcred();
-#endif /* USE_PAM */
if (forced_command != NULL)
goto do_forced_command;
debug("Forking shell.");
packet_set_interactive(have_pty || display != NULL,
options.keepalives);
-#ifdef USE_PAM
- do_pam_setcred();
-#endif /* USE_PAM */
if (forced_command != NULL)
goto do_forced_command;
/* Get command from the packet. */
setproctitle("%s@notty", pw->pw_name);
+#ifdef USE_PAM
+ do_pam_setcred();
+#endif /* USE_PAM */
+
/* Fork the child. */
if ((pid = fork()) == 0) {
/* Child. Reinitialize the log since the pid has changed. */
#endif /* USE_PIPES */
}
-struct pty_cleanup_context {
- const char *ttyname;
- int pid;
-};
-
-/*
- * Function to perform cleanup if we get aborted abnormally (e.g., due to a
- * dropped connection).
- */
-void
-pty_cleanup_proc(void *context)
-{
- struct pty_cleanup_context *cu = context;
-
- debug("pty_cleanup_proc called");
-
- /* Record that the user has logged out. */
- record_logout(cu->pid, cu->ttyname);
-
- /* Release the pseudo-tty. */
- pty_release(cu->ttyname);
-}
-
/*
* This is called to fork and execute a command when we have a tty. This
* will call do_child from the child, and server_loop from the parent after
}
setproctitle("%s@%s", pw->pw_name, strrchr(ttyname, '/') + 1);
+#ifdef USE_PAM
+ do_pam_session(pw->pw_name, ttyname);
+ do_pam_setcred();
+#endif /* USE_PAM */
+
/* Fork the child. */
if ((pid = fork()) == 0) {
pid = getpid();
/* Parent. Close the slave side of the pseudo tty. */
close(ttyfd);
+ /*
+ * Add a cleanup function to clear the utmp entry and record logout
+ * time in case we call fatal() (e.g., the connection gets closed).
+ */
+ cleanup_context.pid = pid;
+ cleanup_context.ttyname = ttyname;
+ fatal_add_cleanup(pty_cleanup_proc, (void *) &cleanup_context);
+ fatal_remove_cleanup(pty_release_proc, (void *) ttyname);
+
/*
* Create another descriptor of the pty master side for use as the
* standard input. We could use the original descriptor, but this
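Review bot: Between the fork at L235 and the swap at L245-246 both cleanup handlers are registered, and the new block does not say why pty_release_proc is dropped here, which a reader has to reconstruct from the two callbacks together. Add above L246: `/* pty_cleanup_proc now releases the tty itself; drop the interim release-only handler registered when the pty was allocated. */`. fatal_remove_cleanup() presumably matches on the context pointer as well as the function, so this relies on `ttyname` here being the same buffer that was registered; worth stating in the same comment.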
if (fdout < 0)
packet_disconnect("dup failed: %.100s", strerror(errno));
- /*
- * Add a cleanup function to clear the utmp entry and record logout
- * time in case we call fatal() (e.g., the connection gets closed).
- */
- cleanup_context.pid = pid;
- cleanup_context.ttyname = ttyname;
- fatal_add_cleanup(pty_cleanup_proc, (void *) &cleanup_context);
-
/* Enter interactive session. */
server_loop(pid, ptyfd, fdout, -1);
/* server_loop has not closed ptyfd and fdout. */
if (display)
child_set_env(&env, &envsize, "DISPLAY", display);
+#ifdef _AIX
+ {
+ char *authstate,*krb5cc;
+
+ if ((authstate = getenv("AUTHSTATE")) != NULL)
+ child_set_env(&env,&envsize,"AUTHSTATE",authstate);
+
+ if ((krb5cc = getenv("KRB5CCNAME")) != NULL)
+ child_set_env(&env,&envsize,"KRB5CCNAME",krb5cc);
+ }
+#endif
+
#ifdef KRB4
{
extern char *ticket;
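Review bot: The `_AIX` block at L266-276 copies AUTHSTATE and KRB5CCNAME from sshd's own environment into the user's session, but nothing here says who set them; if the AIX authentication routines placed them in this process for the login being set up that is fine, whereas a value inherited from whatever started the daemon would name a credential cache that does not belong to the user. A comment stating the assumption lets a later reader check it, e.g. `/* Set in this process by the AIX authentication routines for this login; pass through so the session can reach its credentials. */`. The calls also omit the spaces after commas that the surrounding child_set_env() calls use (L265, L281).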
child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
auth_get_socket_name());
+ read_environment_file(&env,&envsize,"/etc/environment");
+
/* read $HOME/.ssh/environment. */
if (!options.use_login) {
snprintf(buf, sizeof buf, "%.200s/.ssh/environment", pw->pw_dir);
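Review bot: `read_environment_file(&env,&envsize,"/etc/environment")` at L283 runs unconditionally on every platform, whereas the rest of this port is fenced by `_AIX`; on systems where that file is already consumed elsewhere (login(1) when use_login is set, or a PAM environment module) it would be applied twice, and on others sshd starts reading a file it never read before with no configuration knob. If the AIX behaviour is what is wanted, wrap the call in `#ifdef _AIX` and guard it with `!options.use_login` the way the `.ssh/environment` read below is. The enclosing function starts outside the hunk.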