20020513
- (djm) Add --with-superuser-path=xxx configure option to specify what $PATH
the superuser receives.
+ - (djm) Bug #231: UsePrivilegeSeparation turns off Banner.
20020511
- (tim) [configure.ac] applied a rework of djm's OpenSSL search cleanup patch.
-/* $OpenBSD: auth.h,v 1.35 2002/03/19 10:35:39 markus Exp $ */
+/* $OpenBSD: auth.h,v 1.36 2002/05/12 23:53:45 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
void userauth_finish(Authctxt *, int, char *);
int auth_root_allowed(char *);
+char *auth2_read_banner(void);
+
void privsep_challenge_enable(void);
int auth2_challenge(Authctxt *, char *);
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.89 2002/03/19 14:27:39 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.90 2002/05/12 23:53:45 djm Exp $");
#include <openssl/evp.h>
}
}
-static void
-userauth_banner(void)
+char *
+auth2_read_banner(void)
{
struct stat st;
char *banner = NULL;
off_t len, n;
int fd;
- if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
- return;
- if ((fd = open(options.banner, O_RDONLY)) < 0)
- return;
- if (fstat(fd, &st) < 0)
- goto done;
+ if ((fd = open(options.banner, O_RDONLY)) == -1)
+ return (NULL);
+ if (fstat(fd, &st) == -1) {
+ close(fd);
+ return (NULL);
+ }
len = st.st_size;
banner = xmalloc(len + 1);
- if ((n = read(fd, banner, len)) < 0)
- goto done;
+ n = atomicio(read, fd, banner, len);
+ close(fd);
+
+ if (n != len) {
+ free(banner);
+ return (NULL);
+ }
banner[n] = '\0';
+
+ return (banner);
+}
+
+static void
+userauth_banner(void)
+{
+ char *banner = NULL;
+
+ if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
+ return;
+
+ if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
+ goto done;
+
packet_start(SSH2_MSG_USERAUTH_BANNER);
packet_put_cstring(banner);
packet_put_cstring(""); /* language, unused */
done:
if (banner)
xfree(banner);
- close(fd);
return;
}
*/
#include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.9 2002/03/30 18:51:15 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.10 2002/05/12 23:53:45 djm Exp $");
#include <openssl/dh.h>
int mm_answer_moduli(int, Buffer *);
int mm_answer_sign(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *);
+int mm_answer_auth2_read_banner(int, Buffer *);
int mm_answer_authserv(int, Buffer *);
int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *);
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+ {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
/* For SSHv1 allow authentication now */
if (!compat20)
monitor_permit_authentications(1);
- else
+ else {
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
+ }
#ifdef USE_PAM
monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
return (0);
}
+int mm_answer_auth2_read_banner(int socket, Buffer *m)
+{
+ char *banner;
+
+ buffer_clear(m);
+ banner = auth2_read_banner();
+ buffer_put_cstring(m, banner != NULL ? banner : "");
+ mm_request_send(socket, MONITOR_ANS_AUTH2_READ_BANNER, m);
+
+ if (banner != NULL)
+ free(banner);
+
+ return (0);
+}
+
int
mm_answer_authserv(int socket, Buffer *m)
{
-/* $OpenBSD: monitor.h,v 1.3 2002/03/26 03:24:01 stevesk Exp $ */
+/* $OpenBSD: monitor.h,v 1.4 2002/05/12 23:53:45 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
+ MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD,
MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY,
MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND,
*/
#include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.5 2002/03/25 20:12:10 stevesk Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.6 2002/05/12 23:53:45 djm Exp $");
#include <openssl/bn.h>
#include <openssl/dh.h>
return (pw);
}
+char* mm_auth2_read_banner(void)
+{
+ Buffer m;
+ char *banner;
+
+ debug3("%s entering", __FUNCTION__);
+
+ buffer_init(&m);
+ mm_request_send(monitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, &m);
+ buffer_clear(&m);
+
+ mm_request_receive_expect(monitor->m_recvfd, MONITOR_ANS_AUTH2_READ_BANNER, &m);
+ banner = buffer_get_string(&m, NULL);
+ buffer_free(&m);
+
+ return (banner);
+}
+
/* Inform the privileged process about service and style */
void
-/* $OpenBSD: monitor_wrap.h,v 1.4 2002/03/26 03:24:01 stevesk Exp $ */
+/* $OpenBSD: monitor_wrap.h,v 1.5 2002/05/12 23:53:45 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
void mm_inform_authserv(char *, char *);
struct passwd *mm_getpwnamallow(const char *);
+char* mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *);
int mm_key_allowed(enum mm_keytype, char *, char *, Key *);
int mm_user_key_allowed(struct passwd *, Key *);