*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.73 2001/04/16 08:19:31 djm Exp $");
+RCSID("$OpenBSD: session.c,v 1.78 2001/05/31 10:30:16 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
#include "uidswap.h"
#include "compat.h"
#include "channels.h"
-#include "nchan.h"
#include "bufaux.h"
#include "auth.h"
#include "auth-options.h"
void do_exec_pty(Session *s, const char *command);
void do_exec_no_pty(Session *s, const char *command);
void do_login(Session *s, const char *command);
+#ifdef LOGIN_NEEDS_UTMPX
+void do_pre_login(Session *s);
+#endif
void do_child(Session *s, const char *command);
void do_motd(void);
int check_quietlogin(Session *s, const char *command);
extern int log_stderr;
extern int debug_flag;
extern u_int utmp_len;
-
extern int startup_pipe;
+extern void destroy_sensitive_data(void);
/* Local Xauthority file. */
static char *xauthfile;
error("unable to get login class");
return;
}
+#ifdef BSD_AUTH
+ if (auth_approval(NULL, lc, authctxt->pw->pw_name, "ssh") <= 0) {
+ packet_disconnect("Approval failure for %s",
+ authctxt->pw->pw_name);
+ }
+#endif
#endif
/* setup the channel layer */
if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
int success, type, fd, n_bytes, plen, screen_flag, have_pty = 0;
int compression_level = 0, enable_compression_after_reply = 0;
u_int proto_len, data_len, dlen;
+ struct stat st;
s = session_new();
s->pw = authctxt->pw;
packet_send_debug("X11 forwarding disabled in server configuration file.");
break;
}
- if (!options.xauth_location) {
+ if (!options.xauth_location ||
+ (stat(options.xauth_location, &st) == -1)) {
packet_send_debug("No xauth program; cannot forward with spoofing.");
break;
}
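Review bot: The stat() guard added on lines 53–54 only establishes that some path exists at options.xauth_location; a directory or a non-executable file passes, so the "No xauth program" debug message is accurate only for the missing-file case and spoofing will still be attempted with an unusable program. A mode check narrows it, `(stat(options.xauth_location, &st) == -1 || !S_ISREG(st.st_mode))`, and `access(options.xauth_location, X_OK)` would also cover the execute bit. The same guard is duplicated in session_x11_req on lines 169–173 and wants the same tightening. The enclosing function starts before this hunk.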
#ifndef HAVE_OSF_SIA
if (!(options.use_login && command == NULL))
do_login(s, command);
+# ifdef LOGIN_NEEDS_UTMPX
+ else
+ do_pre_login(s);
+# endif
#endif
/* Do common processing for the child, such as execing the command. */
}
}
+#ifdef LOGIN_NEEDS_UTMPX
+void
+do_pre_login(Session *s)
+{
+ socklen_t fromlen;
+ struct sockaddr_storage from;
+ pid_t pid = getpid();
+
+ /*
+ * Get IP address of client. If the connection is not a socket, let
+ * the address be 0.0.0.0.
+ */
+ memset(&from, 0, sizeof(from));
+ if (packet_connection_is_on_socket()) {
+ fromlen = sizeof(from);
+ if (getpeername(packet_get_connection_in(),
+ (struct sockaddr *) & from, &fromlen) < 0) {
+ debug("getpeername: %.100s", strerror(errno));
+ fatal_cleanup();
+ }
+ }
+
+ record_utmp_only(pid, s->tty, s->pw->pw_name,
+ get_remote_name_or_ip(utmp_len, options.reverse_mapping_check),
+ (struct sockaddr *)&from);
+}
+#endif
+
/* administrative, login(1)-like work */
void
do_login(Session *s, const char *command)
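Review bot: The block comment on lines 77–80 says the address is left as 0.0.0.0, but the memset() on line 81 produces a sockaddr_storage with ss_family 0 (AF_UNSPEC), not an AF_INET 0.0.0.0; whether record_utmp_only() renders that as 0.0.0.0 cannot be confirmed from this hunk, so the comment should describe what the code does: `* Get IP address of client. If the connection is not a socket, pass a zeroed (AF_UNSPEC) address.`. do_pre_login() also has no header comment; the call site on lines 59–63 shows it runs only on the use_login path where do_login() is skipped, so something like `/* LOGIN_NEEDS_UTMPX: record the utmp entry ourselves because do_login() is not run when login(1) is used */` would tell the reader why it exists. Failing hard with fatal_cleanup() on a getpeername() error matches the style of the surrounding code and looks right.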
#endif /* WITH_IRIX_ARRAY */
#endif /* WITH_IRIX_JOBS */
+ /* remove hostkey from the child's memory */
+ destroy_sensitive_data();
+
/* login(1) is only called if we execute the login shell */
if (options.use_login && command != NULL)
options.use_login = 0;
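Review bot: The comment on line 102 understates the reason for the call; destroy_sensitive_data() is only declared extern on line 28 and its body is not in this diff, so a reader cannot tell from here what it clears or why it must happen at exactly this point. A why-comment at the call site would carry that: `/* the child is about to drop privileges and exec user-controlled code; wipe the host key (and whatever else destroy_sensitive_data() covers) so it cannot be recovered from this process afterwards */`. Whatever do_child runs before this point is outside the hunk and still has the key in memory, which is presumably acceptable but worth stating. do_child starts and ends outside this hunk.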
perror("unable to set user context");
exit(1);
}
-#ifdef BSD_AUTH
- if (auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) {
- error("approval failure for %s", pw->pw_name);
- fprintf(stderr, "Approval failure");
- exit(1);
- }
-#endif
# else /* HAVE_LOGIN_CAP */
#if defined(HAVE_GETLUID) && defined(HAVE_SETLUID)
/* Sets login uid for accounting */
* in this order).
*/
if (!options.use_login) {
- if (stat(_PATH_SSH_USER_RC, &st) >= 0) {
+ /* ignore _PATH_SSH_USER_RC for subsystems */
+ if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
+ snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
+ shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
if (debug_flag)
- fprintf(stderr, "Running %s %s\n", _PATH_BSHELL,
- _PATH_SSH_USER_RC);
- f = popen(_PATH_BSHELL " " _PATH_SSH_USER_RC, "w");
+ fprintf(stderr, "Running %s\n", cmd);
+ f = popen(cmd, "w");
if (f) {
if (do_xauth)
fprintf(f, "%s %s\n", s->auth_proto,
s->auth_data);
pclose(f);
} else
- fprintf(stderr, "Could not run %s\n",
+ fprintf(stderr, "Could not run %s\n",
_PATH_SSH_USER_RC);
} else if (stat(_PATH_SSH_SYSTEM_RC, &st) >= 0) {
if (debug_flag)
fprintf(stderr, "Running %s %s\n", _PATH_BSHELL,
_PATH_SSH_SYSTEM_RC);
-
f = popen(_PATH_BSHELL " " _PATH_SSH_SYSTEM_RC, "w");
if (f) {
if (do_xauth)
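Review bot: The snprintf() on lines 127–128 builds the command from shell, _PATH_BSHELL and _PATH_SSH_USER_RC into cmd (declared outside this hunk) without checking its return value, so an over-long shell path would silently truncate the string that popen() then hands to /bin/sh -c. Check for truncation and skip the rc file in that case, e.g. `if (snprintf(cmd, sizeof cmd, "%s -c '%s %s'", shell, _PATH_BSHELL, _PATH_SSH_USER_RC) >= (int)sizeof cmd) fprintf(stderr, "Could not run %s\n", _PATH_SSH_USER_RC);` with the popen() in the else branch. The single-quote wrapping also assumes none of the three components contains a quote, which holds for the two compile-time paths but is an unstated assumption about the passwd shell field. The system rc branch on lines 144–149 still runs _PATH_BSHELL directly rather than via the user's shell; if that asymmetry is intended, a one-line comment saying so would stop someone from "fixing" it later. The enclosing function starts and ends outside this hunk.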
/* Launch login(1). */
execl(LOGIN_PROGRAM, "login", "-h", hostname,
+#ifdef LOGIN_NEEDS_TERM
+ s->term? s->term : "unknown",
+#endif
"-p", "-f", "--", pw->pw_name, NULL);
/* Login couldn't be executed, die. */
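Review bot: The LOGIN_NEEDS_TERM argument on line 155 is spliced positionally into the execl() argv between `-h hostname` and `-p`, and nothing in the hunk says which login(1) expects the terminal name in that slot or why "unknown" is the right fallback when s->term is NULL. A comment above the #ifdef would carry that, e.g. `/* LOGIN_NEEDS_TERM: this platform's login(1) takes the terminal name as the argument after -h host; "unknown" when no tty is known */`, worded for whichever platform defines the macro. The enclosing function starts and ends outside this hunk.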
session_x11_req(Session *s)
{
int fd;
+ struct stat st;
if (no_x11_forwarding_flag) {
debug("X11 forwarding disabled in user configuration file.");
return 0;
debug("X11 forwarding disabled in server configuration file.");
return 0;
}
+ if (!options.xauth_location ||
+ (stat(options.xauth_location, &st) == -1)) {
+ packet_send_debug("No xauth program; cannot forward with spoofing.");
+ return 0;
+ }
if (xauthfile != NULL) {
debug("X11 fwd already started.");
return 0;