*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.313 2005/09/13 23:40:07 djm Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.318 2005/12/24 02:27:41 djm Exp $");
#include <openssl/dh.h>
#include <openssl/bn.h>
if (authctxt->pw->pw_uid == 0 || options.use_login) {
#endif
/* File descriptor passing is broken or root login */
- monitor_apply_keystate(pmonitor);
use_privsep = 0;
- return;
- }
-
- /* Authentication complete */
- alarm(0);
- if (startup_pipe != -1) {
- close(startup_pipe);
- startup_pipe = -1;
+ goto skip;
}
/* New socket pair */
/* Drop privileges */
do_setusercontext(authctxt->pw);
+ skip:
/* It is safe now to apply the key state */
monitor_apply_keystate(pmonitor);
debug("get_remote_port failed");
cleanup_exit(255);
}
- remote_ip = get_remote_ipaddr();
+
+ /*
+ * We use get_canonical_hostname with usedns = 0 instead of
+ * get_remote_ipaddr here so IP options will be checked.
+ */
+ remote_ip = get_canonical_hostname(0);
#ifdef SSH_AUDIT_EVENTS
audit_connection_from(remote_ip, remote_port);
verbose("Connection from %.500s port %d", remote_ip, remote_port);
/*
- * We don\'t want to listen forever unless the other side
+ * We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
* cleared after successful authentication. A limit of zero
- * indicates no limit. Note that we don\'t set the alarm in debugging
+ * indicates no limit. Note that we don't set the alarm in debugging
* mode; it is just annoying to have the server exit just when you
* are about to discover the bug.
*/
}
authenticated:
+ /*
+ * Cancel the alarm we set to limit the time taken for
+ * authentication.
+ */
+ alarm(0);
+ signal(SIGALRM, SIG_DFL);
+ if (startup_pipe != -1) {
+ close(startup_pipe);
+ startup_pipe = -1;
+ }
+
#ifdef SSH_AUDIT_EVENTS
audit_event(SSH_AUTH_SUCCESS);
#endif