diff options
| author | Ben Lindstrom <mouring@eviladmin.org> | 2003-03-21 01:18:09 +0000 |
|---|---|---|
| committer | Ben Lindstrom <mouring@eviladmin.org> | 2003-03-21 01:18:09 +0000 |
| commit | c8c548d24883eaff20ea1665022ee92bd0632e29 (patch) | |
| tree | ae926d0d3ef2d1c08f34c5b5f919451d0d29e7fa | |
| parent | a5a2648b81c9347c241c37e6cba78f1df47e9320 (diff) | |
- (bal) Disable Privsep for Tru64 after pre-authentication due to issues
with SIA. Also, clean up of tru64 support patch by Chris Adams
<cmadams@hiwaay.net>
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | README.privsep | 6 | ||||
| -rw-r--r-- | auth-sia.c | 47 | ||||
| -rw-r--r-- | auth-sia.h | 2 | ||||
| -rw-r--r-- | configure.ac | 3 | ||||
| -rw-r--r-- | session.c | 2 |
6 files changed, 29 insertions, 36 deletions
| @@ -10,6 +10,9 @@ | |||
| 10 | - (bal) scp.c 'limit' conflicts with Cray. Rename to 'limitbw' | 10 | - (bal) scp.c 'limit' conflicts with Cray. Rename to 'limitbw' |
| 11 | - (bal) Collection of Cray patches (bsd-cray.h fix for CRAYT3E and improved | 11 | - (bal) Collection of Cray patches (bsd-cray.h fix for CRAYT3E and improved |
| 12 | guessing rules) | 12 | guessing rules) |
| 13 | - (bal) Disable Privsep for Tru64 after pre-authentication due to issues | ||
| 14 | with SIA. Also, clean up of tru64 support patch by Chris Adams | ||
| 15 | <cmadams@hiwaay.net> | ||
| 13 | 16 | ||
| 14 | 20030318 | 17 | 20030318 |
| 15 | - (tim) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] | 18 | - (tim) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] |
| @@ -1235,4 +1238,4 @@ | |||
| 1235 | save auth method before monitor_reset_key_state(); bugzilla bug #284; | 1238 | save auth method before monitor_reset_key_state(); bugzilla bug #284; |
| 1236 | ok provos@ | 1239 | ok provos@ |
| 1237 | 1240 | ||
| 1238 | $Id: ChangeLog,v 1.2636 2003/03/21 01:05:37 mouring Exp $ | 1241 | $Id: ChangeLog,v 1.2637 2003/03/21 01:18:09 mouring Exp $ |
diff --git a/README.privsep b/README.privsep index ced943f26..e8bf1db34 100644 --- a/README.privsep +++ b/README.privsep | |||
| @@ -43,6 +43,10 @@ It does not function on HP-UX with a trusted system | |||
| 43 | configuration. PAMAuthenticationViaKbdInt does not function with | 43 | configuration. PAMAuthenticationViaKbdInt does not function with |
| 44 | privsep. | 44 | privsep. |
| 45 | 45 | ||
| 46 | On Compaq Tru64 Unix, only the pre-authentication part of privsep is | ||
| 47 | supported. Post-authentication privsep is disabled automatically (so | ||
| 48 | you won't see the additional process mentioned below). | ||
| 49 | |||
| 46 | Note that for a normal interactive login with a shell, enabling privsep | 50 | Note that for a normal interactive login with a shell, enabling privsep |
| 47 | will require 1 additional process per login session. | 51 | will require 1 additional process per login session. |
| 48 | 52 | ||
| @@ -58,4 +62,4 @@ process 1005 is the sshd process listening for new connections. | |||
| 58 | process 6917 is the privileged monitor process, 6919 is the user owned | 62 | process 6917 is the privileged monitor process, 6919 is the user owned |
| 59 | sshd process and 6921 is the shell process. | 63 | sshd process and 6921 is the shell process. |
| 60 | 64 | ||
| 61 | $Id: README.privsep,v 1.10 2002/06/26 00:43:57 stevesk Exp $ | 65 | $Id: README.privsep,v 1.11 2003/03/21 01:18:09 mouring Exp $ |
diff --git a/auth-sia.c b/auth-sia.c index 071e154d8..5c9b3f5de 100644 --- a/auth-sia.c +++ b/auth-sia.c | |||
| @@ -45,27 +45,25 @@ extern ServerOptions options; | |||
| 45 | extern int saved_argc; | 45 | extern int saved_argc; |
| 46 | extern char **saved_argv; | 46 | extern char **saved_argv; |
| 47 | 47 | ||
| 48 | extern int errno; | ||
| 49 | |||
| 50 | int | 48 | int |
| 51 | auth_sia_password(Authctxt *authctxt, char *pass) | 49 | auth_sia_password(Authctxt *authctxt, char *pass) |
| 52 | { | 50 | { |
| 53 | int ret; | 51 | int ret; |
| 54 | SIAENTITY *ent = NULL; | 52 | SIAENTITY *ent = NULL; |
| 55 | const char *host; | 53 | const char *host; |
| 56 | char *user = authctxt->user; | ||
| 57 | 54 | ||
| 58 | host = get_canonical_hostname(options.verify_reverse_mapping); | 55 | host = get_canonical_hostname(options.verify_reverse_mapping); |
| 59 | 56 | ||
| 60 | if (pass[0] == '\0') | 57 | if (!authctxt->user || !pass || pass[0] == '\0') |
| 61 | return(0); | 58 | return(0); |
| 62 | 59 | ||
| 63 | if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0, | 60 | if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user, |
| 64 | NULL) != SIASUCCESS) | 61 | NULL, 0, NULL) != SIASUCCESS) |
| 65 | return(0); | 62 | return(0); |
| 66 | 63 | ||
| 67 | if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { | 64 | if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { |
| 68 | error("Couldn't authenticate %s from %s", user, host); | 65 | error("Couldn't authenticate %s from %s", authctxt->user, |
| 66 | host); | ||
| 69 | if (ret & SIASTOP) | 67 | if (ret & SIASTOP) |
| 70 | sia_ses_release(&ent); | 68 | sia_ses_release(&ent); |
| 71 | return(0); | 69 | return(0); |
| @@ -77,48 +75,35 @@ auth_sia_password(Authctxt *authctxt, char *pass) | |||
| 77 | } | 75 | } |
| 78 | 76 | ||
| 79 | void | 77 | void |
| 80 | session_setup_sia(char *user, char *tty) | 78 | session_setup_sia(struct passwd *pw, char *tty) |
| 81 | { | 79 | { |
| 82 | struct passwd *pw; | ||
| 83 | SIAENTITY *ent = NULL; | 80 | SIAENTITY *ent = NULL; |
| 84 | const char *host; | 81 | const char *host; |
| 85 | 82 | ||
| 86 | host = get_canonical_hostname (options.verify_reverse_mapping); | 83 | host = get_canonical_hostname(options.verify_reverse_mapping); |
| 87 | 84 | ||
| 88 | if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, | 85 | if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name, tty, |
| 89 | NULL) != SIASUCCESS) { | 86 | 0, NULL) != SIASUCCESS) |
| 90 | fatal("sia_ses_init failed"); | 87 | fatal("sia_ses_init failed"); |
| 91 | } | ||
| 92 | 88 | ||
| 93 | if ((pw = getpwnam(user)) == NULL) { | ||
| 94 | sia_ses_release(&ent); | ||
| 95 | fatal("getpwnam: no user: %s", user); | ||
| 96 | } | ||
| 97 | if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) { | 89 | if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) { |
| 98 | sia_ses_release(&ent); | 90 | sia_ses_release(&ent); |
| 99 | fatal("sia_make_entity_pwd failed"); | 91 | fatal("sia_make_entity_pwd failed"); |
| 100 | } | 92 | } |
| 101 | 93 | ||
| 102 | ent->authtype = SIA_A_NONE; | 94 | ent->authtype = SIA_A_NONE; |
| 103 | if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) { | 95 | if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) |
| 104 | fatal("Couldn't establish session for %s from %s", user, | 96 | fatal("Couldn't establish session for %s from %s", |
| 105 | host); | 97 | pw->pw_name, host); |
| 106 | } | ||
| 107 | |||
| 108 | if (setpriority(PRIO_PROCESS, 0, 0) == -1) { | ||
| 109 | sia_ses_release(&ent); | ||
| 110 | fatal("setpriority: %s", strerror (errno)); | ||
| 111 | } | ||
| 112 | 98 | ||
| 113 | if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) { | 99 | if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) |
| 114 | fatal("Couldn't launch session for %s from %s", user, host); | 100 | fatal("Couldn't launch session for %s from %s", pw->pw_name, |
| 115 | } | 101 | host); |
| 116 | 102 | ||
| 117 | sia_ses_release(&ent); | 103 | sia_ses_release(&ent); |
| 118 | 104 | ||
| 119 | if (setreuid(geteuid(), geteuid()) < 0) { | 105 | if (setreuid(geteuid(), geteuid()) < 0) |
| 120 | fatal("setreuid: %s", strerror(errno)); | 106 | fatal("setreuid: %s", strerror(errno)); |
| 121 | } | ||
| 122 | } | 107 | } |
| 123 | 108 | ||
| 124 | #endif /* HAVE_OSF_SIA */ | 109 | #endif /* HAVE_OSF_SIA */ |
diff --git a/auth-sia.h b/auth-sia.h index caa584132..7aecce940 100644 --- a/auth-sia.h +++ b/auth-sia.h | |||
| @@ -27,6 +27,6 @@ | |||
| 27 | #ifdef HAVE_OSF_SIA | 27 | #ifdef HAVE_OSF_SIA |
| 28 | 28 | ||
| 29 | int auth_sia_password(Authctxt *authctxt, char *pass); | 29 | int auth_sia_password(Authctxt *authctxt, char *pass); |
| 30 | void session_setup_sia(char *user, char *tty); | 30 | void session_setup_sia(struct passwd *pw, char *tty); |
| 31 | 31 | ||
| 32 | #endif /* HAVE_OSF_SIA */ | 32 | #endif /* HAVE_OSF_SIA */ |
diff --git a/configure.ac b/configure.ac index aa2f3db2a..47fef0cbe 100644 --- a/configure.ac +++ b/configure.ac | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $Id: configure.ac,v 1.112 2003/03/21 00:34:34 mouring Exp $ | 1 | # $Id: configure.ac,v 1.113 2003/03/21 01:18:09 mouring Exp $ |
| 2 | 2 | ||
| 3 | AC_INIT | 3 | AC_INIT |
| 4 | AC_CONFIG_SRCDIR([ssh.c]) | 4 | AC_CONFIG_SRCDIR([ssh.c]) |
| @@ -331,6 +331,7 @@ mips-sony-bsd|mips-sony-newsos4) | |||
| 331 | AC_MSG_RESULT(yes) | 331 | AC_MSG_RESULT(yes) |
| 332 | AC_DEFINE(HAVE_OSF_SIA) | 332 | AC_DEFINE(HAVE_OSF_SIA) |
| 333 | AC_DEFINE(DISABLE_LOGIN) | 333 | AC_DEFINE(DISABLE_LOGIN) |
| 334 | AC_DEFINE(DISABLE_FD_PASSING) | ||
| 334 | LIBS="$LIBS -lsecurity -ldb -lm -laud" | 335 | LIBS="$LIBS -lsecurity -ldb -lm -laud" |
| 335 | else | 336 | else |
| 336 | AC_MSG_RESULT(no) | 337 | AC_MSG_RESULT(no) |
| @@ -1321,7 +1321,7 @@ do_child(Session *s, const char *command) | |||
| 1321 | */ | 1321 | */ |
| 1322 | if (!options.use_login) { | 1322 | if (!options.use_login) { |
| 1323 | #ifdef HAVE_OSF_SIA | 1323 | #ifdef HAVE_OSF_SIA |
| 1324 | session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty); | 1324 | session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty); |
| 1325 | if (!check_quietlogin(s, command)) | 1325 | if (!check_quietlogin(s, command)) |
| 1326 | do_motd(); | 1326 | do_motd(); |
| 1327 | #else /* HAVE_OSF_SIA */ | 1327 | #else /* HAVE_OSF_SIA */ |