X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/c023a130651f79edf9205ef4a067d4158026a651..6d8216ff13019a82c3c9e3a97fe7f7a3ba39d1e6:/monitor.c diff --git a/monitor.c b/monitor.c index 894523da..f872edbb 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.77 2006/03/30 11:40:21 dtucker Exp $ */ +/* $OpenBSD: monitor.c,v 1.96 2008/05/08 12:21:16 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -28,12 +28,22 @@ #include "includes.h" #include +#include +#include +#include "openbsd-compat/sys-tree.h" #include +#include +#include #ifdef HAVE_PATHS_H #include #endif +#include #include +#include +#include +#include +#include #ifdef SKEY #include @@ -41,8 +51,14 @@ #include +#include "openbsd-compat/sys-queue.h" +#include "xmalloc.h" #include "ssh.h" +#include "key.h" +#include "buffer.h" +#include "hostfile.h" #include "auth.h" +#include "cipher.h" #include "kex.h" #include "dh.h" #ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */ @@ -63,17 +79,16 @@ #include "servconf.h" #include "monitor.h" #include "monitor_mm.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif #include "monitor_wrap.h" #include "monitor_fdpass.h" -#include "xmalloc.h" #include "misc.h" -#include "buffer.h" -#include "bufaux.h" #include "compat.h" #include "ssh2.h" #ifdef GSSAPI -#include "ssh-gss.h" static Gssctxt *gsscontext = NULL; #endif @@ -272,7 +287,7 @@ struct mon_table mon_dispatch_postauth15[] = { {MONITOR_REQ_TERM, 0, mm_answer_term}, #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, - {MONITOR_REQ_AUDIT_COMMAND, MON_ONCE, mm_answer_audit_command}, + {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, #endif {0, 0, NULL} }; @@ -336,7 +351,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) /* The first few requests do not require asynchronous access */ while (!authenticated) { auth_method = "unknown"; - authenticated = monitor_read(pmonitor, mon_dispatch, &ent); + authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); if (authenticated) { if (!(ent->flags & MON_AUTHDECIDE)) fatal("%s: unexpected authentication from %d", @@ -395,6 +410,7 @@ monitor_child_postauth(struct monitor *pmonitor) monitor_set_child_handler(pmonitor->m_pid); signal(SIGHUP, &monitor_child_handler); signal(SIGTERM, &monitor_child_handler); + signal(SIGINT, &monitor_child_handler); if (compat20) { mon_dispatch = mon_dispatch_postauth20; @@ -630,6 +646,9 @@ mm_answer_pwnamallow(int sock, Buffer *m) buffer_put_cstring(m, pwent->pw_shell); out: + buffer_put_string(m, &options, sizeof(options)); + if (options.banner != NULL) + buffer_put_cstring(m, options.banner); debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); mm_request_send(sock, MONITOR_ANS_PWNAM, m); @@ -646,9 +665,6 @@ mm_answer_pwnamallow(int sock, Buffer *m) if (options.use_pam) monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); #endif -#ifdef SSH_AUDIT_EVENTS - monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_COMMAND, 1); -#endif return (0); } @@ -909,6 +925,7 @@ mm_answer_pam_query(int sock, Buffer *m) xfree(prompts); if (echo_on != NULL) xfree(echo_on); + auth_method = "keyboard-interactive/pam"; mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); return (0); } @@ -924,7 +941,7 @@ mm_answer_pam_respond(int sock, Buffer *m) sshpam_authok = NULL; num = buffer_get_int(m); if (num > 0) { - resp = xmalloc(num * sizeof(char *)); + resp = xcalloc(num, sizeof(char *)); for (i = 0; i < num; ++i) resp[i] = buffer_get_string(m, NULL); ret = (sshpam_device.respond)(sshpam_ctxt, num, resp); @@ -951,6 +968,7 @@ mm_answer_pam_free_ctx(int sock, Buffer *m) (sshpam_device.free_ctx)(sshpam_ctxt); buffer_clear(m); mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); + auth_method = "keyboard-interactive/pam"; return (sshpam_authok == sshpam_ctxt); } #endif @@ -1204,7 +1222,7 @@ mm_answer_keyverify(int sock, Buffer *m) verified = key_verify(key, signature, signaturelen, data, datalen); debug3("%s: key %p signature %s", - __func__, key, verified ? "verified" : "unverified"); + __func__, key, (verified == 1) ? "verified" : "unverified"); key_free(key); xfree(blob); @@ -1219,7 +1237,7 @@ mm_answer_keyverify(int sock, Buffer *m) buffer_put_int(m, verified); mm_request_send(sock, MONITOR_ANS_KEYVERIFY, m); - return (verified); + return (verified == 1); } static void @@ -1252,10 +1270,10 @@ mm_session_close(Session *s) { debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid); if (s->ttyfd != -1) { - debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); + debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); session_pty_cleanup2(s); } - s->used = 0; + session_unused(s->self); } int @@ -1297,8 +1315,9 @@ mm_answer_pty(int sock, Buffer *m) mm_request_send(sock, MONITOR_ANS_PTY, m); - mm_send_fd(sock, s->ptyfd); - mm_send_fd(sock, s->ttyfd); + if (mm_send_fd(sock, s->ptyfd) == -1 || + mm_send_fd(sock, s->ttyfd) == -1) + fatal("%s: send fds failed", __func__); /* make sure nothing uses fd 0 */ if ((fd0 = open(_PATH_DEVNULL, O_RDONLY)) < 0) @@ -1312,7 +1331,7 @@ mm_answer_pty(int sock, Buffer *m) /* no need to dup() because nobody closes ptyfd */ s->ptymaster = s->ptyfd; - debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ttyfd); + debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ttyfd); return (0); @@ -1529,6 +1548,11 @@ mm_answer_term(int sock, Buffer *req) /* The child is terminating */ session_destroy_all(&mm_session_close); +#ifdef USE_PAM + if (options.use_pam) + sshpam_cleanup(); +#endif + while (waitpid(pmonitor->m_pid, &status, 0) == -1) if (errno != EINTR) exit(1);