summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDarren Tucker <dtucker@zip.com.au>2009-03-08 11:40:27 +1100
committerDarren Tucker <dtucker@zip.com.au>2009-03-08 11:40:27 +1100
commit9d86e5d5704092072822336af6d0bee468c25966 (patch)
treebca452252bba17e05b91a6e215cfcbc5ab533408
parent3e7e15f1bdc2ddd8fe4a389212c6b8db58e2b511 (diff)
- (dtucker) [auth-passwd.c auth1.c auth2-kbdint.c auth2-none.c auth2-passwd.c
auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h} openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old version of Cygwin. Patch from vinschen at redhat com.
-rw-r--r--ChangeLog6
-rw-r--r--auth-passwd.c2
-rw-r--r--auth1.c10
-rw-r--r--auth2-kbdint.c4
-rw-r--r--auth2-none.c4
-rw-r--r--auth2-passwd.c4
-rw-r--r--auth2-pubkey.c4
-rw-r--r--openbsd-compat/bsd-cygwin_util.c124
-rw-r--r--openbsd-compat/bsd-cygwin_util.h5
-rw-r--r--openbsd-compat/daemon.c10
-rw-r--r--session.c11
11 files changed, 12 insertions, 172 deletions
diff --git a/ChangeLog b/ChangeLog
index be302d9b6..ae2cf5119 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
120090308
2 - (dtucker) [auth-passwd.c auth1.c auth2-kbdint.c auth2-none.c auth2-passwd.c
3 auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h}
4 openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old
5 version of Cygwin. Patch from vinschen at redhat com.
6
120090307 720090307
2 - (dtucker) [contrib/aix/buildbff.sh] Only try to rename ssh_prng_cmds if it 8 - (dtucker) [contrib/aix/buildbff.sh] Only try to rename ssh_prng_cmds if it
3 exists (it's not created if OpenSSL's PRNG is self-seeded, eg if the OS 9 exists (it's not created if OpenSSL's PRNG is self-seeded, eg if the OS
diff --git a/auth-passwd.c b/auth-passwd.c
index bdfced023..b1c6ce092 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -102,7 +102,7 @@ auth_password(Authctxt *authctxt, const char *password)
102 } 102 }
103#endif 103#endif
104#ifdef HAVE_CYGWIN 104#ifdef HAVE_CYGWIN
105 if (is_winnt) { 105 {
106 HANDLE hToken = cygwin_logon_user(pw, password); 106 HANDLE hToken = cygwin_logon_user(pw, password);
107 107
108 if (hToken == INVALID_HANDLE_VALUE) 108 if (hToken == INVALID_HANDLE_VALUE)
diff --git a/auth1.c b/auth1.c
index b8a255872..1801661fd 100644
--- a/auth1.c
+++ b/auth1.c
@@ -318,15 +318,7 @@ do_authloop(Authctxt *authctxt)
318 } 318 }
319#endif /* _UNICOS */ 319#endif /* _UNICOS */
320 320
321#ifdef HAVE_CYGWIN 321#ifndef HAVE_CYGWIN
322 if (authenticated &&
323 !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,
324 authctxt->pw)) {
325 packet_disconnect("Authentication rejected for uid %d.",
326 authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid);
327 authenticated = 0;
328 }
329#else
330 /* Special handling for root */ 322 /* Special handling for root */
331 if (authenticated && authctxt->pw->pw_uid == 0 && 323 if (authenticated && authctxt->pw->pw_uid == 0 &&
332 !auth_root_allowed(meth->name)) { 324 !auth_root_allowed(meth->name)) {
diff --git a/auth2-kbdint.c b/auth2-kbdint.c
index a4fc9e6f7..fae67da6e 100644
--- a/auth2-kbdint.c
+++ b/auth2-kbdint.c
@@ -58,10 +58,6 @@ userauth_kbdint(Authctxt *authctxt)
58 58
59 xfree(devs); 59 xfree(devs);
60 xfree(lang); 60 xfree(lang);
61#ifdef HAVE_CYGWIN
62 if (check_nt_auth(0, authctxt->pw) == 0)
63 authenticated = 0;
64#endif
65 return authenticated; 61 return authenticated;
66} 62}
67 63
diff --git a/auth2-none.c b/auth2-none.c
index 10accfe55..08f2f935f 100644
--- a/auth2-none.c
+++ b/auth2-none.c
@@ -61,10 +61,6 @@ userauth_none(Authctxt *authctxt)
61{ 61{
62 none_enabled = 0; 62 none_enabled = 0;
63 packet_check_eom(); 63 packet_check_eom();
64#ifdef HAVE_CYGWIN
65 if (check_nt_auth(1, authctxt->pw) == 0)
66 return (0);
67#endif
68 if (options.password_authentication) 64 if (options.password_authentication)
69 return (PRIVSEP(auth_password(authctxt, ""))); 65 return (PRIVSEP(auth_password(authctxt, "")));
70 return (0); 66 return (0);
diff --git a/auth2-passwd.c b/auth2-passwd.c
index 421c5c25d..5f1f3635f 100644
--- a/auth2-passwd.c
+++ b/auth2-passwd.c
@@ -68,10 +68,6 @@ userauth_passwd(Authctxt *authctxt)
68 logit("password change not supported"); 68 logit("password change not supported");
69 else if (PRIVSEP(auth_password(authctxt, password)) == 1) 69 else if (PRIVSEP(auth_password(authctxt, password)) == 1)
70 authenticated = 1; 70 authenticated = 1;
71#ifdef HAVE_CYGWIN
72 if (check_nt_auth(1, authctxt->pw) == 0)
73 authenticated = 0;
74#endif
75 memset(password, 0, len); 71 memset(password, 0, len);
76 xfree(password); 72 xfree(password);
77 return authenticated; 73 return authenticated;
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index b1e38e5f5..2886f1275 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -170,10 +170,6 @@ done:
170 key_free(key); 170 key_free(key);
171 xfree(pkalg); 171 xfree(pkalg);
172 xfree(pkblob); 172 xfree(pkblob);
173#ifdef HAVE_CYGWIN
174 if (check_nt_auth(0, authctxt->pw) == 0)
175 authenticated = 0;
176#endif
177 return authenticated; 173 return authenticated;
178} 174}
179 175
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c
index 38be7e350..e90c1597f 100644
--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -39,9 +39,6 @@
39#endif 39#endif
40 40
41#include <sys/types.h> 41#include <sys/types.h>
42#include <sys/stat.h>
43#include <sys/utsname.h>
44#include <sys/vfs.h>
45 42
46#include <fcntl.h> 43#include <fcntl.h>
47#include <stdlib.h> 44#include <stdlib.h>
@@ -49,11 +46,6 @@
49#include <windows.h> 46#include <windows.h>
50 47
51#include "xmalloc.h" 48#include "xmalloc.h"
52#define is_winnt (GetVersion() < 0x80000000)
53
54#define ntsec_on(c) ((c) && strstr((c),"ntsec") && !strstr((c),"nontsec"))
55#define ntsec_off(c) ((c) && strstr((c),"nontsec"))
56#define ntea_on(c) ((c) && strstr((c),"ntea") && !strstr((c),"nontea"))
57 49
58int 50int
59binary_open(const char *filename, int flags, ...) 51binary_open(const char *filename, int flags, ...)
@@ -79,128 +71,12 @@ binary_pipe(int fd[2])
79 return (ret); 71 return (ret);
80} 72}
81 73
82#define HAS_CREATE_TOKEN 1
83#define HAS_NTSEC_BY_DEFAULT 2
84#define HAS_CREATE_TOKEN_WO_NTSEC 3
85
86static int
87has_capability(int what)
88{
89 static int inited;
90 static int has_create_token;
91 static int has_ntsec_by_default;
92 static int has_create_token_wo_ntsec;
93
94 /*
95 * has_capability() basically calls uname() and checks if
96 * specific capabilities of Cygwin can be evaluated from that.
97 * This simplifies the calling functions which only have to ask
98 * for a capability using has_capability() instead of having
99 * to figure that out by themselves.
100 */
101 if (!inited) {
102 struct utsname uts;
103
104 if (!uname(&uts)) {
105 int major_high = 0, major_low = 0, minor = 0;
106 int api_major_version = 0, api_minor_version = 0;
107 char *c;
108
109 sscanf(uts.release, "%d.%d.%d", &major_high,
110 &major_low, &minor);
111 if ((c = strchr(uts.release, '(')) != NULL) {
112 sscanf(c + 1, "%d.%d", &api_major_version,
113 &api_minor_version);
114 }
115 if (major_high > 1 ||
116 (major_high == 1 && (major_low > 3 ||
117 (major_low == 3 && minor >= 2))))
118 has_create_token = 1;
119 if (api_major_version > 0 || api_minor_version >= 56)
120 has_ntsec_by_default = 1;
121 if (major_high > 1 ||
122 (major_high == 1 && major_low >= 5))
123 has_create_token_wo_ntsec = 1;
124 inited = 1;
125 }
126 }
127 switch (what) {
128 case HAS_CREATE_TOKEN:
129 return (has_create_token);
130 case HAS_NTSEC_BY_DEFAULT:
131 return (has_ntsec_by_default);
132 case HAS_CREATE_TOKEN_WO_NTSEC:
133 return (has_create_token_wo_ntsec);
134 }
135 return (0);
136}
137
138int
139check_nt_auth(int pwd_authenticated, struct passwd *pw)
140{
141 /*
142 * The only authentication which is able to change the user
143 * context on NT systems is the password authentication. So
144 * we deny all requsts for changing the user context if another
145 * authentication method is used.
146 *
147 * This doesn't apply to Cygwin versions >= 1.3.2 anymore which
148 * uses the undocumented NtCreateToken() call to create a user
149 * token if the process has the appropriate privileges and if
150 * CYGWIN ntsec setting is on.
151 */
152 static int has_create_token = -1;
153
154 if (pw == NULL)
155 return 0;
156 if (is_winnt) {
157 if (has_create_token < 0) {
158 char *cygwin = getenv("CYGWIN");
159
160 has_create_token = 0;
161 if (has_capability(HAS_CREATE_TOKEN) &&
162 (ntsec_on(cygwin) ||
163 (has_capability(HAS_NTSEC_BY_DEFAULT) &&
164 !ntsec_off(cygwin)) ||
165 has_capability(HAS_CREATE_TOKEN_WO_NTSEC)))
166 has_create_token = 1;
167 }
168 if (has_create_token < 1 &&
169 !pwd_authenticated && geteuid() != pw->pw_uid)
170 return (0);
171 }
172 return (1);
173}
174
175int 74int
176check_ntsec(const char *filename) 75check_ntsec(const char *filename)
177{ 76{
178 return (pathconf(filename, _PC_POSIX_PERMISSIONS)); 77 return (pathconf(filename, _PC_POSIX_PERMISSIONS));
179} 78}
180 79
181void
182register_9x_service(void)
183{
184 HINSTANCE kerneldll;
185 DWORD (*RegisterServiceProcess)(DWORD, DWORD);
186
187 /* The service register mechanism in 9x/Me is pretty different from
188 * NT/2K/XP. In NT/2K/XP we're using a special service starter
189 * application to register and control sshd as service. This method
190 * doesn't play nicely with 9x/Me. For that reason we register here
191 * as service when running under 9x/Me. This function is only called
192 * by the child sshd when it's going to daemonize.
193 */
194 if (is_winnt)
195 return;
196 if (!(kerneldll = LoadLibrary("KERNEL32.DLL")))
197 return;
198 if (!(RegisterServiceProcess = (DWORD (*)(DWORD, DWORD))
199 GetProcAddress(kerneldll, "RegisterServiceProcess")))
200 return;
201 RegisterServiceProcess(0, 1);
202}
203
204#define NL(x) x, (sizeof (x) - 1) 80#define NL(x) x, (sizeof (x) - 1)
205#define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0])) 81#define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0]))
206 82
diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h
index 6719b8a49..39b8eb788 100644
--- a/openbsd-compat/bsd-cygwin_util.h
+++ b/openbsd-compat/bsd-cygwin_util.h
@@ -1,4 +1,4 @@
1/* $Id: bsd-cygwin_util.h,v 1.11 2004/08/30 10:42:08 dtucker Exp $ */ 1/* $Id: bsd-cygwin_util.h,v 1.12 2009/03/08 00:40:28 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000, 2001, Corinna Vinschen <vinschen@cygnus.com> 4 * Copyright (c) 2000, 2001, Corinna Vinschen <vinschen@cygnus.com>
@@ -35,7 +35,6 @@
35#ifdef HAVE_CYGWIN 35#ifdef HAVE_CYGWIN
36 36
37#undef ERROR 37#undef ERROR
38#define is_winnt (GetVersion() < 0x80000000)
39 38
40#include <windows.h> 39#include <windows.h>
41#include <sys/cygwin.h> 40#include <sys/cygwin.h>
@@ -43,9 +42,7 @@
43 42
44int binary_open(const char *, int , ...); 43int binary_open(const char *, int , ...);
45int binary_pipe(int fd[2]); 44int binary_pipe(int fd[2]);
46int check_nt_auth(int, struct passwd *);
47int check_ntsec(const char *); 45int check_ntsec(const char *);
48void register_9x_service(void);
49char **fetch_windows_environment(void); 46char **fetch_windows_environment(void);
50void free_windows_environment(char **); 47void free_windows_environment(char **);
51 48
diff --git a/openbsd-compat/daemon.c b/openbsd-compat/daemon.c
index e3a6886bd..3efe14c68 100644
--- a/openbsd-compat/daemon.c
+++ b/openbsd-compat/daemon.c
@@ -57,18 +57,8 @@ daemon(int nochdir, int noclose)
57 case -1: 57 case -1:
58 return (-1); 58 return (-1);
59 case 0: 59 case 0:
60#ifdef HAVE_CYGWIN
61 register_9x_service();
62#endif
63 break; 60 break;
64 default: 61 default:
65#ifdef HAVE_CYGWIN
66 /*
67 * This sleep avoids a race condition which kills the
68 * child process if parent is started by a NT/W2K service.
69 */
70 sleep(1);
71#endif
72 _exit(0); 62 _exit(0);
73 } 63 }
74 64
diff --git a/session.c b/session.c
index f2549e0cd..8e0c54faa 100644
--- a/session.c
+++ b/session.c
@@ -571,8 +571,7 @@ do_exec_no_pty(Session *s, const char *command)
571 signal(WJSIGNAL, cray_job_termination_handler); 571 signal(WJSIGNAL, cray_job_termination_handler);
572#endif /* _UNICOS */ 572#endif /* _UNICOS */
573#ifdef HAVE_CYGWIN 573#ifdef HAVE_CYGWIN
574 if (is_winnt) 574 cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
575 cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
576#endif 575#endif
577 576
578 s->pid = pid; 577 s->pid = pid;
@@ -726,8 +725,7 @@ do_exec_pty(Session *s, const char *command)
726 signal(WJSIGNAL, cray_job_termination_handler); 725 signal(WJSIGNAL, cray_job_termination_handler);
727#endif /* _UNICOS */ 726#endif /* _UNICOS */
728#ifdef HAVE_CYGWIN 727#ifdef HAVE_CYGWIN
729 if (is_winnt) 728 cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
730 cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
731#endif 729#endif
732 730
733 s->pid = pid; 731 s->pid = pid;
@@ -1116,7 +1114,7 @@ do_setup_env(Session *s, const char *shell)
1116 u_int i, envsize; 1114 u_int i, envsize;
1117 char **env, *laddr; 1115 char **env, *laddr;
1118 struct passwd *pw = s->pw; 1116 struct passwd *pw = s->pw;
1119#ifndef HAVE_LOGIN_CAP 1117#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
1120 char *path = NULL; 1118 char *path = NULL;
1121#endif 1119#endif
1122 1120
@@ -1551,9 +1549,6 @@ do_setusercontext(struct passwd *pw)
1551#endif 1549#endif
1552 } 1550 }
1553 1551
1554#ifdef HAVE_CYGWIN
1555 if (is_winnt)
1556#endif
1557 if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) 1552 if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
1558 fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); 1553 fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
1559 1554