diff options
author | Ben Lindstrom <mouring@eviladmin.org> | 2002-06-11 15:59:02 +0000 |
---|---|---|
committer | Ben Lindstrom <mouring@eviladmin.org> | 2002-06-11 15:59:02 +0000 |
commit | 8bb6f36c8fab33f7ca59b9c56e11d54caf36f965 (patch) | |
tree | 43640e011ff7a6a2a12f9aab2d728422f4d4b5b9 | |
parent | 914d03758be46488705950cf6d476855a702a13e (diff) |
- markus@cvs.openbsd.org 2002/06/10 22:28:41
[channels.c channels.h session.c]
move creation of agent socket to session.c; no need for uidswapping
in channel.c.
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | channels.c | 106 | ||||
-rw-r--r-- | channels.h | 5 | ||||
-rw-r--r-- | session.c | 95 |
4 files changed, 98 insertions, 114 deletions
@@ -25,6 +25,10 @@ | |||
25 | [ssh_config] | 25 | [ssh_config] |
26 | update defaults for RhostsRSAAuthentication and RhostsAuthentication | 26 | update defaults for RhostsRSAAuthentication and RhostsAuthentication |
27 | here too (all options commented out with default value). | 27 | here too (all options commented out with default value). |
28 | - markus@cvs.openbsd.org 2002/06/10 22:28:41 | ||
29 | [channels.c channels.h session.c] | ||
30 | move creation of agent socket to session.c; no need for uidswapping | ||
31 | in channel.c. | ||
28 | 32 | ||
29 | 20020609 | 33 | 20020609 |
30 | - (bal) OpenBSD CVS Sync | 34 | - (bal) OpenBSD CVS Sync |
@@ -890,4 +894,4 @@ | |||
890 | - (stevesk) entropy.c: typo in debug message | 894 | - (stevesk) entropy.c: typo in debug message |
891 | - (djm) ssh-keygen -i needs seeded RNG; report from markus@ | 895 | - (djm) ssh-keygen -i needs seeded RNG; report from markus@ |
892 | 896 | ||
893 | $Id: ChangeLog,v 1.2206 2002/06/11 15:55:01 mouring Exp $ | 897 | $Id: ChangeLog,v 1.2207 2002/06/11 15:59:02 mouring Exp $ |
diff --git a/channels.c b/channels.c index 7ce1a076a..d34411e18 100644 --- a/channels.c +++ b/channels.c | |||
@@ -39,14 +39,13 @@ | |||
39 | */ | 39 | */ |
40 | 40 | ||
41 | #include "includes.h" | 41 | #include "includes.h" |
42 | RCSID("$OpenBSD: channels.c,v 1.174 2002/06/09 13:32:01 markus Exp $"); | 42 | RCSID("$OpenBSD: channels.c,v 1.175 2002/06/10 22:28:41 markus Exp $"); |
43 | 43 | ||
44 | #include "ssh.h" | 44 | #include "ssh.h" |
45 | #include "ssh1.h" | 45 | #include "ssh1.h" |
46 | #include "ssh2.h" | 46 | #include "ssh2.h" |
47 | #include "packet.h" | 47 | #include "packet.h" |
48 | #include "xmalloc.h" | 48 | #include "xmalloc.h" |
49 | #include "uidswap.h" | ||
50 | #include "log.h" | 49 | #include "log.h" |
51 | #include "misc.h" | 50 | #include "misc.h" |
52 | #include "channels.h" | 51 | #include "channels.h" |
@@ -129,10 +128,6 @@ static u_int x11_fake_data_len; | |||
129 | 128 | ||
130 | #define NUM_SOCKS 10 | 129 | #define NUM_SOCKS 10 |
131 | 130 | ||
132 | /* Name and directory of socket for authentication agent forwarding. */ | ||
133 | static char *auth_sock_name = NULL; | ||
134 | static char *auth_sock_dir = NULL; | ||
135 | |||
136 | /* AF_UNSPEC or AF_INET or AF_INET6 */ | 131 | /* AF_UNSPEC or AF_INET or AF_INET6 */ |
137 | static int IPv4or6 = AF_UNSPEC; | 132 | static int IPv4or6 = AF_UNSPEC; |
138 | 133 | ||
@@ -2704,105 +2699,6 @@ auth_request_forwarding(void) | |||
2704 | packet_write_wait(); | 2699 | packet_write_wait(); |
2705 | } | 2700 | } |
2706 | 2701 | ||
2707 | /* | ||
2708 | * Returns the name of the forwarded authentication socket. Returns NULL if | ||
2709 | * there is no forwarded authentication socket. The returned value points to | ||
2710 | * a static buffer. | ||
2711 | */ | ||
2712 | |||
2713 | char * | ||
2714 | auth_get_socket_name(void) | ||
2715 | { | ||
2716 | return auth_sock_name; | ||
2717 | } | ||
2718 | |||
2719 | /* removes the agent forwarding socket */ | ||
2720 | |||
2721 | void | ||
2722 | auth_sock_cleanup_proc(void *_pw) | ||
2723 | { | ||
2724 | struct passwd *pw = _pw; | ||
2725 | |||
2726 | if (auth_sock_name) { | ||
2727 | temporarily_use_uid(pw); | ||
2728 | unlink(auth_sock_name); | ||
2729 | rmdir(auth_sock_dir); | ||
2730 | auth_sock_name = NULL; | ||
2731 | restore_uid(); | ||
2732 | } | ||
2733 | } | ||
2734 | |||
2735 | /* | ||
2736 | * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server. | ||
2737 | * This starts forwarding authentication requests. | ||
2738 | */ | ||
2739 | |||
2740 | int | ||
2741 | auth_input_request_forwarding(struct passwd * pw) | ||
2742 | { | ||
2743 | Channel *nc; | ||
2744 | int sock; | ||
2745 | struct sockaddr_un sunaddr; | ||
2746 | |||
2747 | if (auth_get_socket_name() != NULL) { | ||
2748 | error("authentication forwarding requested twice."); | ||
2749 | return 0; | ||
2750 | } | ||
2751 | |||
2752 | /* Temporarily drop privileged uid for mkdir/bind. */ | ||
2753 | temporarily_use_uid(pw); | ||
2754 | |||
2755 | /* Allocate a buffer for the socket name, and format the name. */ | ||
2756 | auth_sock_name = xmalloc(MAXPATHLEN); | ||
2757 | auth_sock_dir = xmalloc(MAXPATHLEN); | ||
2758 | strlcpy(auth_sock_dir, "/tmp/ssh-XXXXXXXX", MAXPATHLEN); | ||
2759 | |||
2760 | /* Create private directory for socket */ | ||
2761 | if (mkdtemp(auth_sock_dir) == NULL) { | ||
2762 | packet_send_debug("Agent forwarding disabled: " | ||
2763 | "mkdtemp() failed: %.100s", strerror(errno)); | ||
2764 | restore_uid(); | ||
2765 | xfree(auth_sock_name); | ||
2766 | xfree(auth_sock_dir); | ||
2767 | auth_sock_name = NULL; | ||
2768 | auth_sock_dir = NULL; | ||
2769 | return 0; | ||
2770 | } | ||
2771 | snprintf(auth_sock_name, MAXPATHLEN, "%s/agent.%d", | ||
2772 | auth_sock_dir, (int) getpid()); | ||
2773 | |||
2774 | /* delete agent socket on fatal() */ | ||
2775 | fatal_add_cleanup(auth_sock_cleanup_proc, pw); | ||
2776 | |||
2777 | /* Create the socket. */ | ||
2778 | sock = socket(AF_UNIX, SOCK_STREAM, 0); | ||
2779 | if (sock < 0) | ||
2780 | packet_disconnect("socket: %.100s", strerror(errno)); | ||
2781 | |||
2782 | /* Bind it to the name. */ | ||
2783 | memset(&sunaddr, 0, sizeof(sunaddr)); | ||
2784 | sunaddr.sun_family = AF_UNIX; | ||
2785 | strlcpy(sunaddr.sun_path, auth_sock_name, sizeof(sunaddr.sun_path)); | ||
2786 | |||
2787 | if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0) | ||
2788 | packet_disconnect("bind: %.100s", strerror(errno)); | ||
2789 | |||
2790 | /* Restore the privileged uid. */ | ||
2791 | restore_uid(); | ||
2792 | |||
2793 | /* Start listening on the socket. */ | ||
2794 | if (listen(sock, 5) < 0) | ||
2795 | packet_disconnect("listen: %.100s", strerror(errno)); | ||
2796 | |||
2797 | /* Allocate a channel for the authentication agent socket. */ | ||
2798 | nc = channel_new("auth socket", | ||
2799 | SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1, | ||
2800 | CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, | ||
2801 | 0, xstrdup("auth socket"), 1); | ||
2802 | strlcpy(nc->path, auth_sock_name, sizeof(nc->path)); | ||
2803 | return 1; | ||
2804 | } | ||
2805 | |||
2806 | /* This is called to process an SSH_SMSG_AGENT_OPEN message. */ | 2702 | /* This is called to process an SSH_SMSG_AGENT_OPEN message. */ |
2807 | 2703 | ||
2808 | void | 2704 | void |
diff --git a/channels.h b/channels.h index bd31c4558..9ceff3e73 100644 --- a/channels.h +++ b/channels.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: channels.h,v 1.67 2002/03/26 22:50:39 markus Exp $ */ | 1 | /* $OpenBSD: channels.h,v 1.68 2002/06/10 22:28:41 markus Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -213,9 +213,6 @@ void deny_input_open(int, u_int32_t, void *); | |||
213 | /* agent forwarding */ | 213 | /* agent forwarding */ |
214 | 214 | ||
215 | void auth_request_forwarding(void); | 215 | void auth_request_forwarding(void); |
216 | char *auth_get_socket_name(void); | ||
217 | void auth_sock_cleanup_proc(void *); | ||
218 | int auth_input_request_forwarding(struct passwd *); | ||
219 | void auth_input_open_request(int, u_int32_t, void *); | 216 | void auth_input_open_request(int, u_int32_t, void *); |
220 | 217 | ||
221 | /* channel close */ | 218 | /* channel close */ |
@@ -33,7 +33,7 @@ | |||
33 | */ | 33 | */ |
34 | 34 | ||
35 | #include "includes.h" | 35 | #include "includes.h" |
36 | RCSID("$OpenBSD: session.c,v 1.135 2002/05/16 22:09:59 stevesk Exp $"); | 36 | RCSID("$OpenBSD: session.c,v 1.136 2002/06/10 22:28:41 markus Exp $"); |
37 | 37 | ||
38 | #include "ssh.h" | 38 | #include "ssh.h" |
39 | #include "ssh1.h" | 39 | #include "ssh1.h" |
@@ -111,6 +111,93 @@ char *aixloginmsg; | |||
111 | login_cap_t *lc; | 111 | login_cap_t *lc; |
112 | #endif | 112 | #endif |
113 | 113 | ||
114 | /* Name and directory of socket for authentication agent forwarding. */ | ||
115 | static char *auth_sock_name = NULL; | ||
116 | static char *auth_sock_dir = NULL; | ||
117 | |||
118 | /* removes the agent forwarding socket */ | ||
119 | |||
120 | static void | ||
121 | auth_sock_cleanup_proc(void *_pw) | ||
122 | { | ||
123 | struct passwd *pw = _pw; | ||
124 | |||
125 | if (auth_sock_name != NULL) { | ||
126 | temporarily_use_uid(pw); | ||
127 | unlink(auth_sock_name); | ||
128 | rmdir(auth_sock_dir); | ||
129 | auth_sock_name = NULL; | ||
130 | restore_uid(); | ||
131 | } | ||
132 | } | ||
133 | |||
134 | static int | ||
135 | auth_input_request_forwarding(struct passwd * pw) | ||
136 | { | ||
137 | Channel *nc; | ||
138 | int sock; | ||
139 | struct sockaddr_un sunaddr; | ||
140 | |||
141 | if (auth_sock_name != NULL) { | ||
142 | error("authentication forwarding requested twice."); | ||
143 | return 0; | ||
144 | } | ||
145 | |||
146 | /* Temporarily drop privileged uid for mkdir/bind. */ | ||
147 | temporarily_use_uid(pw); | ||
148 | |||
149 | /* Allocate a buffer for the socket name, and format the name. */ | ||
150 | auth_sock_name = xmalloc(MAXPATHLEN); | ||
151 | auth_sock_dir = xmalloc(MAXPATHLEN); | ||
152 | strlcpy(auth_sock_dir, "/tmp/ssh-XXXXXXXX", MAXPATHLEN); | ||
153 | |||
154 | /* Create private directory for socket */ | ||
155 | if (mkdtemp(auth_sock_dir) == NULL) { | ||
156 | packet_send_debug("Agent forwarding disabled: " | ||
157 | "mkdtemp() failed: %.100s", strerror(errno)); | ||
158 | restore_uid(); | ||
159 | xfree(auth_sock_name); | ||
160 | xfree(auth_sock_dir); | ||
161 | auth_sock_name = NULL; | ||
162 | auth_sock_dir = NULL; | ||
163 | return 0; | ||
164 | } | ||
165 | snprintf(auth_sock_name, MAXPATHLEN, "%s/agent.%d", | ||
166 | auth_sock_dir, (int) getpid()); | ||
167 | |||
168 | /* delete agent socket on fatal() */ | ||
169 | fatal_add_cleanup(auth_sock_cleanup_proc, pw); | ||
170 | |||
171 | /* Create the socket. */ | ||
172 | sock = socket(AF_UNIX, SOCK_STREAM, 0); | ||
173 | if (sock < 0) | ||
174 | packet_disconnect("socket: %.100s", strerror(errno)); | ||
175 | |||
176 | /* Bind it to the name. */ | ||
177 | memset(&sunaddr, 0, sizeof(sunaddr)); | ||
178 | sunaddr.sun_family = AF_UNIX; | ||
179 | strlcpy(sunaddr.sun_path, auth_sock_name, sizeof(sunaddr.sun_path)); | ||
180 | |||
181 | if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0) | ||
182 | packet_disconnect("bind: %.100s", strerror(errno)); | ||
183 | |||
184 | /* Restore the privileged uid. */ | ||
185 | restore_uid(); | ||
186 | |||
187 | /* Start listening on the socket. */ | ||
188 | if (listen(sock, 5) < 0) | ||
189 | packet_disconnect("listen: %.100s", strerror(errno)); | ||
190 | |||
191 | /* Allocate a channel for the authentication agent socket. */ | ||
192 | nc = channel_new("auth socket", | ||
193 | SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1, | ||
194 | CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, | ||
195 | 0, xstrdup("auth socket"), 1); | ||
196 | strlcpy(nc->path, auth_sock_name, sizeof(nc->path)); | ||
197 | return 1; | ||
198 | } | ||
199 | |||
200 | |||
114 | void | 201 | void |
115 | do_authenticated(Authctxt *authctxt) | 202 | do_authenticated(Authctxt *authctxt) |
116 | { | 203 | { |
@@ -141,7 +228,7 @@ do_authenticated(Authctxt *authctxt) | |||
141 | do_authenticated1(authctxt); | 228 | do_authenticated1(authctxt); |
142 | 229 | ||
143 | /* remove agent socket */ | 230 | /* remove agent socket */ |
144 | if (auth_get_socket_name()) | 231 | if (auth_sock_name != NULL) |
145 | auth_sock_cleanup_proc(authctxt->pw); | 232 | auth_sock_cleanup_proc(authctxt->pw); |
146 | #ifdef KRB4 | 233 | #ifdef KRB4 |
147 | if (options.kerberos_ticket_cleanup) | 234 | if (options.kerberos_ticket_cleanup) |
@@ -948,9 +1035,9 @@ do_setup_env(Session *s, const char *shell) | |||
948 | copy_environment(fetch_pam_environment(), &env, &envsize); | 1035 | copy_environment(fetch_pam_environment(), &env, &envsize); |
949 | #endif /* USE_PAM */ | 1036 | #endif /* USE_PAM */ |
950 | 1037 | ||
951 | if (auth_get_socket_name() != NULL) | 1038 | if (auth_sock_name != NULL) |
952 | child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME, | 1039 | child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME, |
953 | auth_get_socket_name()); | 1040 | auth_sock_name); |
954 | 1041 | ||
955 | /* read $HOME/.ssh/environment. */ | 1042 | /* read $HOME/.ssh/environment. */ |
956 | if (!options.use_login) { | 1043 | if (!options.use_login) { |