upstream commit

remove UseLogin option and support for having /bin/login
manage login sessions; ok deraadt markus dtucker

Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712

7 files changed, 72 insertions, 158 deletions

diff --git a/monitor.c b/monitor.c
index 59b05a98f..a86b77936 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.162 2016/08/13 17:47:41 markus Exp $ */
+/* $OpenBSD: monitor.c,v 1.163 2016/08/19 03:18:06 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -1395,9 +1395,6 @@ mm_record_login(Session *s, struct passwd *pw)
         socklen_t fromlen;
         struct sockaddr_storage from;
 
-        if (options.use_login)
-                return;
-
         /*
          * Get IP address of client. If the connection is not a socket, let
          * the address be 0.0.0.0.
diff --git a/servconf.c b/servconf.c
index 9bd659c41..8a4a7091a 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.293 2016/08/15 12:27:56 naddy Exp $ */
+/* $OpenBSD: servconf.c,v 1.294 2016/08/19 03:18:06 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -120,7 +120,6 @@ initialize_server_options(ServerOptions *options)
         options->challenge_response_authentication = -1;
         options->permit_empty_passwd = -1;
         options->permit_user_env = -1;
-        options->use_login = -1;
         options->compression = -1;
         options->rekey_limit = -1;
         options->rekey_interval = -1;
@@ -281,8 +280,6 @@ fill_default_server_options(ServerOptions *options)
                 options->permit_empty_passwd = 0;
         if (options->permit_user_env == -1)
                 options->permit_user_env = 0;
-        if (options->use_login == -1)
-                options->use_login = 0;
         if (options->compression == -1)
                 options->compression = COMP_DELAYED;
         if (options->rekey_limit == -1)
@@ -397,7 +394,7 @@ typedef enum {
         sPrintMotd, sPrintLastLog, sIgnoreRhosts,
         sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
         sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
-        sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
+        sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
         sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
         sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
         sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
@@ -508,7 +505,7 @@ static struct {
         { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
         { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
         { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
-        { "uselogin", sUseLogin, SSHCFG_GLOBAL },
+        { "uselogin", sDeprecated, SSHCFG_GLOBAL },
         { "compression", sCompression, SSHCFG_GLOBAL },
         { "rekeylimit", sRekeyLimit, SSHCFG_ALL },
         { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
@@ -1283,10 +1280,6 @@ process_server_config_line(ServerOptions *options, char *line,
                 intptr = &options->permit_user_env;
                 goto parse_flag;
 
-        case sUseLogin:
-                intptr = &options->use_login;
-                goto parse_flag;
-
         case sCompression:
                 intptr = &options->compression;
                 multistate_ptr = multistate_compression;
@@ -2261,7 +2254,6 @@ dump_config(ServerOptions *o)
         dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
         dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
         dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
-        dump_cfg_fmtint(sUseLogin, o->use_login);
         dump_cfg_fmtint(sCompression, o->compression);
         dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
         dump_cfg_fmtint(sUseDNS, o->use_dns);
diff --git a/servconf.h b/servconf.h
index 16b1467d2..8af460f5a 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.121 2016/08/15 12:27:56 naddy Exp $ */
+/* $OpenBSD: servconf.h,v 1.122 2016/08/19 03:18:06 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -121,7 +121,6 @@ typedef struct {
         int     permit_empty_passwd;    /* If false, do not permit empty
                                          * passwords. */
         int     permit_user_env;        /* If true, read ~/.ssh/environment */
-        int     use_login;      /* If true, login(1) is used */
         int     compression;    /* If true, compression is allowed */
         int     allow_tcp_forwarding; /* One of FORWARD_* */
         int     allow_streamlocal_forwarding; /* One of FORWARD_* */
diff --git a/session.c b/session.c
index 9bad653fc..fcfa80000 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.283 2016/08/13 17:47:41 markus Exp $ */
+/* $OpenBSD: session.c,v 1.284 2016/08/19 03:18:06 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -544,7 +544,7 @@ do_exec_pty(Session *s, const char *command)
 
                 /* record login, etc. similar to login(1) */
 #ifndef HAVE_OSF_SIA
-                if (!(options.use_login && command == NULL)) {
+                if (command != NULL) {
 #ifdef _UNICOS
                         cray_init_job(s->pw); /* set up cray jid and tmpdir */
 #endif /* _UNICOS */
@@ -1019,69 +1019,63 @@ do_setup_env(Session *s, const char *shell)
         ssh_gssapi_do_child(&env, &envsize);
 #endif
 
-        if (!options.use_login) {
-                /* Set basic environment. */
-                for (i = 0; i < s->num_env; i++)
-                        child_set_env(&env, &envsize, s->env[i].name,
-                            s->env[i].val);
+        /* Set basic environment. */
+        for (i = 0; i < s->num_env; i++)
+                child_set_env(&env, &envsize, s->env[i].name, s->env[i].val);
 
-                child_set_env(&env, &envsize, "USER", pw->pw_name);
-                child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
+        child_set_env(&env, &envsize, "USER", pw->pw_name);
+        child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
 #ifdef _AIX
-                child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
+        child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
 #endif
-                child_set_env(&env, &envsize, "HOME", pw->pw_dir);
+        child_set_env(&env, &envsize, "HOME", pw->pw_dir);
 #ifdef HAVE_LOGIN_CAP
-                if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
-                        child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
-                else
-                        child_set_env(&env, &envsize, "PATH", getenv("PATH"));
+        if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
+                child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
+        else
+                child_set_env(&env, &envsize, "PATH", getenv("PATH"));
 #else /* HAVE_LOGIN_CAP */
 # ifndef HAVE_CYGWIN
-                /*
-                 * There's no standard path on Windows. The path contains
-                 * important components pointing to the system directories,
-                 * needed for loading shared libraries. So the path better
-                 * remains intact here.
-                 */
+        /*
+         * There's no standard path on Windows. The path contains
+         * important components pointing to the system directories,
+         * needed for loading shared libraries. So the path better
+         * remains intact here.
+         */
 #  ifdef HAVE_ETC_DEFAULT_LOGIN
-                read_etc_default_login(&env, &envsize, pw->pw_uid);
-                path = child_get_env(env, "PATH");
+        read_etc_default_login(&env, &envsize, pw->pw_uid);
+        path = child_get_env(env, "PATH");
 #  endif /* HAVE_ETC_DEFAULT_LOGIN */
-                if (path == NULL || *path == '\0') {
-                        child_set_env(&env, &envsize, "PATH",
-                            s->pw->pw_uid == 0 ?
-                                SUPERUSER_PATH : _PATH_STDPATH);
-                }
+        if (path == NULL || *path == '\0') {
+                child_set_env(&env, &envsize, "PATH",
+                    s->pw->pw_uid == 0 ?  SUPERUSER_PATH : _PATH_STDPATH);
+        }
 # endif /* HAVE_CYGWIN */
 #endif /* HAVE_LOGIN_CAP */
 
-                snprintf(buf, sizeof buf, "%.200s/%.50s",
-                         _PATH_MAILDIR, pw->pw_name);
-                child_set_env(&env, &envsize, "MAIL", buf);
+        snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name);
+        child_set_env(&env, &envsize, "MAIL", buf);
+
+        /* Normal systems set SHELL by default. */
+        child_set_env(&env, &envsize, "SHELL", shell);
 
-                /* Normal systems set SHELL by default. */
-                child_set_env(&env, &envsize, "SHELL", shell);
-        }
         if (getenv("TZ"))
                 child_set_env(&env, &envsize, "TZ", getenv("TZ"));
 
         /* Set custom environment options from RSA authentication. */
-        if (!options.use_login) {
-                while (custom_environment) {
-                        struct envstring *ce = custom_environment;
-                        char *str = ce->s;
-
-                        for (i = 0; str[i] != '=' && str[i]; i++)
-                                ;
-                        if (str[i] == '=') {
-                                str[i] = 0;
-                                child_set_env(&env, &envsize, str, str + i + 1);
-                        }
-                        custom_environment = ce->next;
-                        free(ce->s);
-                        free(ce);
+        while (custom_environment) {
+                struct envstring *ce = custom_environment;
+                char *str = ce->s;
+
+                for (i = 0; str[i] != '=' && str[i]; i++)
+                        ;
+                if (str[i] == '=') {
+                        str[i] = 0;
+                        child_set_env(&env, &envsize, str, str + i + 1);
                 }
+                custom_environment = ce->next;
+                free(ce->s);
+                free(ce);
         }
 
         /* SSH_CLIENT deprecated */
@@ -1143,7 +1137,7 @@ do_setup_env(Session *s, const char *shell)
          * Pull in any environment variables that may have
          * been set by PAM.
          */
-        if (options.use_pam && !options.use_login) {
+        if (options.use_pam) {
                 char **p;
 
                 p = fetch_pam_child_environment();
@@ -1161,7 +1155,7 @@ do_setup_env(Session *s, const char *shell)
                     auth_sock_name);
 
         /* read $HOME/.ssh/environment. */
-        if (options.permit_user_env && !options.use_login) {
+        if (options.permit_user_env) {
                 snprintf(buf, sizeof buf, "%.200s/.ssh/environment",
                     strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
                 read_environment_file(&env, &envsize, buf);
@@ -1443,27 +1437,6 @@ do_pwchange(Session *s)
 }
 
 static void
-launch_login(struct passwd *pw, const char *hostname)
-{
-        /* Launch login(1). */
-
-        execl(LOGIN_PROGRAM, "login", "-h", hostname,
-#ifdef xxxLOGIN_NEEDS_TERM
-                    (s->term ? s->term : "unknown"),
-#endif /* LOGIN_NEEDS_TERM */
-#ifdef LOGIN_NO_ENDOPT
-            "-p", "-f", pw->pw_name, (char *)NULL);
-#else
-            "-p", "-f", "--", pw->pw_name, (char *)NULL);
-#endif
-
-        /* Login couldn't be executed, die. */
-
-        perror("login");
-        exit(1);
-}
-
-static void
 child_close_fds(void)
 {
         extern int auth_sock;
@@ -1510,11 +1483,10 @@ child_close_fds(void)
 void
 do_child(Session *s, const char *command)
 {
-        struct ssh *ssh = active_state; /* XXX */
         extern char **environ;
         char **env;
         char *argv[ARGV_MAX];
-        const char *shell, *shell0, *hostname = NULL;
+        const char *shell, *shell0;
         struct passwd *pw = s->pw;
         int r = 0;
 
@@ -1529,10 +1501,6 @@ do_child(Session *s, const char *command)
                 exit(1);
         }
 
-        /* login(1) is only called if we execute the login shell */
-        if (options.use_login && command != NULL)
-                options.use_login = 0;
-
 #ifdef _UNICOS
         cray_setup(pw->pw_uid, pw->pw_name, command);
 #endif /* _UNICOS */
@@ -1541,28 +1509,26 @@ do_child(Session *s, const char *command)
          * Login(1) does this as well, and it needs uid 0 for the "-h"
          * switch, so we let login(1) to this for us.
          */
-        if (!options.use_login) {
 #ifdef HAVE_OSF_SIA
-                session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty);
-                if (!check_quietlogin(s, command))
-                        do_motd();
+        session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty);
+        if (!check_quietlogin(s, command))
+                do_motd();
 #else /* HAVE_OSF_SIA */
-                /* When PAM is enabled we rely on it to do the nologin check */
-                if (!options.use_pam)
-                        do_nologin(pw);
-                do_setusercontext(pw);
-                /*
-                 * PAM session modules in do_setusercontext may have
-                 * generated messages, so if this in an interactive
-                 * login then display them too.
-                 */
-                if (!check_quietlogin(s, command))
-                        display_loginmsg();
+        /* When PAM is enabled we rely on it to do the nologin check */
+        if (!options.use_pam)
+                do_nologin(pw);
+        do_setusercontext(pw);
+        /*
+         * PAM session modules in do_setusercontext may have
+         * generated messages, so if this in an interactive
+         * login then display them too.
+         */
+        if (!check_quietlogin(s, command))
+                display_loginmsg();
 #endif /* HAVE_OSF_SIA */
-        }
 
 #ifdef USE_PAM
-        if (options.use_pam && !options.use_login && !is_pam_session_open()) {
+        if (options.use_pam && !is_pam_session_open()) {
                 debug3("PAM session not opened, exiting");
                 display_loginmsg();
                 exit(254);
@@ -1585,10 +1551,6 @@ do_child(Session *s, const char *command)
         shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
 #endif
 
-        /* we have to stash the hostname before we close our socket. */
-        if (options.use_login)
-                hostname = session_get_remote_name_or_ip(ssh, utmp_len,
-                    options.use_dns);
         /*
          * Close the connection descriptors; note that this is the child, and
          * the server will still have the socket open, and it is important
@@ -1647,8 +1609,7 @@ do_child(Session *s, const char *command)
 
         closefrom(STDERR_FILENO + 1);
 
-        if (!options.use_login)
-                do_rc_files(s, shell);
+        do_rc_files(s, shell);
 
         /* restore SIGPIPE for child */
         signal(SIGPIPE, SIG_DFL);
@@ -1678,11 +1639,6 @@ do_child(Session *s, const char *command)
 
         fflush(NULL);
 
-        if (options.use_login) {
-                launch_login(pw, hostname);
-                /* NEVERREACHED */
-        }
-
         /* Get the last component of the shell name. */
         if ((shell0 = strrchr(shell, '/')) != NULL)
                 shell0++;
@@ -2502,11 +2458,6 @@ session_setup_x11fwd(Session *s)
                 packet_send_debug("No xauth program; cannot forward with spoofing.");
                 return 0;
         }
-        if (options.use_login) {
-                packet_send_debug("X11 forwarding disabled; "
-                    "not compatible with UseLogin=yes.");
-                return 0;
-        }
         if (s->display != NULL) {
                 debug("X11 display already set.");
                 return 0;
diff --git a/sshd.8 b/sshd.8
index 148a8b923..4cf8fee48 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.285 2016/08/15 12:32:04 naddy Exp $
-.Dd $Mdocdate: August 15 2016 $
+.\" $OpenBSD: sshd.8,v 1.286 2016/08/19 03:18:06 djm Exp $
+.Dd $Mdocdate: August 19 2016 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -504,9 +504,6 @@ Environment processing is disabled by default and is
 controlled via the
 .Cm PermitUserEnvironment
 option.
-This option is automatically disabled if
-.Cm UseLogin
-is enabled.
 .It Cm from="pattern-list"
 Specifies that in addition to public key authentication, either the canonical
 name of the remote host or its IP address must be present in the
diff --git a/sshd.c b/sshd.c
index fd89acbb9..a561c7b3e 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.473 2016/08/15 12:27:56 naddy Exp $ */
+/* $OpenBSD: sshd.c,v 1.474 2016/08/19 03:18:07 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -629,7 +629,7 @@ privsep_postauth(Authctxt *authctxt)
 #ifdef DISABLE_FD_PASSING
         if (1) {
 #else
-        if (authctxt->pw->pw_uid == 0 || options.use_login) {
+        if (authctxt->pw->pw_uid == 0) {
 #endif
                 /* File descriptor passing is broken or root login */
                 use_privsep = 0;
diff --git a/sshd_config.5 b/sshd_config.5
index d1a5d1d33..fe3b23d6e 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.229 2016/08/15 12:32:04 naddy Exp $
-.Dd $Mdocdate: August 15 2016 $
+.\" $OpenBSD: sshd_config.5,v 1.230 2016/08/19 03:18:07 djm Exp $
+.Dd $Mdocdate: August 19 2016 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1489,25 +1489,6 @@ and
 .Cm Match
 .Cm Host
 directives.
-.It Cm UseLogin
-Specifies whether
-.Xr login 1
-is used for interactive login sessions.
-The default is
-.Dq no .
-Note that
-.Xr login 1
-is never used for remote command execution.
-Note also, that if this is enabled,
-.Cm X11Forwarding
-will be disabled because
-.Xr login 1
-does not know how to handle
-.Xr xauth 1
-cookies.
-If
-.Cm UsePrivilegeSeparation
-is specified, it will be disabled after authentication.
 .It Cm UsePAM
 Enables the Pluggable Authentication Module interface.
 If set to
@@ -1596,9 +1577,6 @@ setting.
 .Pp
 Note that disabling X11 forwarding does not prevent users from
 forwarding X11 traffic, as users can always install their own forwarders.
-X11 forwarding is automatically disabled if
-.Cm UseLogin
-is enabled.
 .It Cm X11UseLocalhost
 Specifies whether
 .Xr sshd 8