*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.283 2003/12/09 17:29:04 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.291 2004/05/09 01:19:28 djm Exp $");
#include <openssl/dh.h>
#include <openssl/bn.h>
#include "rsa.h"
#include "sshpty.h"
#include "packet.h"
-#include "mpaux.h"
#include "log.h"
#include "servconf.h"
#include "uidswap.h"
/* variables used for privilege separation */
int use_privsep;
-struct monitor *pmonitor;
+struct monitor *pmonitor = NULL;
/* message to be displayed after login */
Buffer loginmsg;
{
/* XXX no idea how fix this signal handler */
+ if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
+ kill(pmonitor->m_pid, SIGALRM);
+
/* Log error and exit. */
fatal("Timeout before authentication for %s", get_remote_ipaddr());
}
debug3("privsep user:group %u:%u", (u_int)pw->pw_uid,
(u_int)pw->pw_gid);
#if 0
- /* XXX not ready, to heavy after chroot */
+ /* XXX not ready, too heavy after chroot */
do_setusercontext(pw);
#else
gidset[0] = pw->pw_gid;
debug2("Network child is on pid %ld", (long)pid);
close(pmonitor->m_recvfd);
+ pmonitor->m_pid = pid;
monitor_child_preauth(authctxt, pmonitor);
close(pmonitor->m_sendfd);
static void
usage(void)
{
- fprintf(stderr, "sshd version %s, %s\n",
+ fprintf(stderr, "%s, %s\n",
SSH_VERSION, SSLeay_version(SSLEAY_VERSION));
- fprintf(stderr, "Usage: %s [options]\n", __progname);
- fprintf(stderr, "Options:\n");
- fprintf(stderr, " -f file Configuration file (default %s)\n", _PATH_SERVER_CONFIG_FILE);
- fprintf(stderr, " -d Debugging mode (multiple -d means more debugging)\n");
- fprintf(stderr, " -i Started from inetd\n");
- fprintf(stderr, " -D Do not fork into daemon mode\n");
- fprintf(stderr, " -t Only test configuration file and keys\n");
- fprintf(stderr, " -q Quiet (no logging)\n");
- fprintf(stderr, " -p port Listen on the specified port (default: 22)\n");
- fprintf(stderr, " -k seconds Regenerate server key every this many seconds (default: 3600)\n");
- fprintf(stderr, " -g seconds Grace period for authentication (default: 600)\n");
- fprintf(stderr, " -b bits Size of server RSA key (default: 768 bits)\n");
- fprintf(stderr, " -h file File from which to read host key (default: %s)\n",
- _PATH_HOST_KEY_FILE);
- fprintf(stderr, " -u len Maximum hostname length for utmp recording\n");
- fprintf(stderr, " -4 Use IPv4 only\n");
- fprintf(stderr, " -6 Use IPv6 only\n");
- fprintf(stderr, " -o option Process the option as if it was read from a configuration file.\n");
+ fprintf(stderr,
+"usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]\n"
+" [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]\n"
+ );
exit(1);
}
av = saved_argv;
#endif
+ if (geteuid() == 0 && setgroups(0, NULL) == -1)
+ debug("setgroups(): %.200s", strerror(errno));
+
/* Initialize configuration options to their default values. */
initialize_server_options(&options);
SYSLOG_FACILITY_AUTH : options.log_facility,
log_stderr || !inetd_flag);
+#ifdef _AIX
+ /*
+ * Unset KRB5CCNAME, otherwise the user's session may inherit it from
+ * root's environment
+ */
+ unsetenv("KRB5CCNAME");
+#endif /* _AIX */
#ifdef _UNICOS
- /* Cray can define user privs drop all prives now!
+ /* Cray can define user privs drop all privs now!
* Not needed on PRIV_SU systems!
*/
drop_cray_privs();
verbose("socket: %.100s", strerror(errno));
continue;
}
+ if (fcntl(listen_sock, F_SETFL, O_NONBLOCK) < 0) {
+ error("listen_sock O_NONBLOCK: %s", strerror(errno));
+ close(listen_sock);
+ continue;
+ }
/*
* Set socket options.
* Allow local port reuse in TIME_WAIT.
error("accept: %.100s", strerror(errno));
continue;
}
+ if (fcntl(newsock, F_SETFL, 0) < 0) {
+ error("newsock del O_NONBLOCK: %s", strerror(errno));
+ close(newsock);
+ continue;
+ }
if (drop_connection(startups) == 1) {
debug("drop connection #%d", startups);
close(newsock);
}
/* This is the child processing a new connection. */
+ setproctitle("%s", "[accepted]");
/*
* Create a new session and process group since the 4.4BSD
signal(SIGCHLD, SIG_DFL);
signal(SIGINT, SIG_DFL);
- /* Set keepalives if requested. */
- if (options.keepalives &&
+ /* Set SO_KEEPALIVE if requested. */
+ if (options.tcp_keep_alive &&
setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on,
sizeof(on)) < 0)
error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
BN_bn2bin(session_key_int,
session_key + sizeof(session_key) - len);
- compute_session_id(session_id, cookie,
- sensitive_data.ssh1_host_key->rsa->n,
- sensitive_data.server_key->rsa->n);
+ derive_ssh1_session_id(
+ sensitive_data.ssh1_host_key->rsa->n,
+ sensitive_data.server_key->rsa->n,
+ cookie, session_id);
/*
* Xor the first 16 bytes of the session key with the
* session id.