diff options
author | Darren Tucker <dtucker@zip.com.au> | 2009-03-08 11:40:27 +1100 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2009-03-08 11:40:27 +1100 |
commit | 9d86e5d5704092072822336af6d0bee468c25966 (patch) | |
tree | bca452252bba17e05b91a6e215cfcbc5ab533408 | |
parent | 3e7e15f1bdc2ddd8fe4a389212c6b8db58e2b511 (diff) |
- (dtucker) [auth-passwd.c auth1.c auth2-kbdint.c auth2-none.c auth2-passwd.c
auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h}
openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old
version of Cygwin. Patch from vinschen at redhat com.
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | auth-passwd.c | 2 | ||||
-rw-r--r-- | auth1.c | 10 | ||||
-rw-r--r-- | auth2-kbdint.c | 4 | ||||
-rw-r--r-- | auth2-none.c | 4 | ||||
-rw-r--r-- | auth2-passwd.c | 4 | ||||
-rw-r--r-- | auth2-pubkey.c | 4 | ||||
-rw-r--r-- | openbsd-compat/bsd-cygwin_util.c | 124 | ||||
-rw-r--r-- | openbsd-compat/bsd-cygwin_util.h | 5 | ||||
-rw-r--r-- | openbsd-compat/daemon.c | 10 | ||||
-rw-r--r-- | session.c | 11 |
11 files changed, 12 insertions, 172 deletions
@@ -1,3 +1,9 @@ | |||
1 | 20090308 | ||
2 | - (dtucker) [auth-passwd.c auth1.c auth2-kbdint.c auth2-none.c auth2-passwd.c | ||
3 | auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h} | ||
4 | openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old | ||
5 | version of Cygwin. Patch from vinschen at redhat com. | ||
6 | |||
1 | 20090307 | 7 | 20090307 |
2 | - (dtucker) [contrib/aix/buildbff.sh] Only try to rename ssh_prng_cmds if it | 8 | - (dtucker) [contrib/aix/buildbff.sh] Only try to rename ssh_prng_cmds if it |
3 | exists (it's not created if OpenSSL's PRNG is self-seeded, eg if the OS | 9 | exists (it's not created if OpenSSL's PRNG is self-seeded, eg if the OS |
diff --git a/auth-passwd.c b/auth-passwd.c index bdfced023..b1c6ce092 100644 --- a/auth-passwd.c +++ b/auth-passwd.c | |||
@@ -102,7 +102,7 @@ auth_password(Authctxt *authctxt, const char *password) | |||
102 | } | 102 | } |
103 | #endif | 103 | #endif |
104 | #ifdef HAVE_CYGWIN | 104 | #ifdef HAVE_CYGWIN |
105 | if (is_winnt) { | 105 | { |
106 | HANDLE hToken = cygwin_logon_user(pw, password); | 106 | HANDLE hToken = cygwin_logon_user(pw, password); |
107 | 107 | ||
108 | if (hToken == INVALID_HANDLE_VALUE) | 108 | if (hToken == INVALID_HANDLE_VALUE) |
@@ -318,15 +318,7 @@ do_authloop(Authctxt *authctxt) | |||
318 | } | 318 | } |
319 | #endif /* _UNICOS */ | 319 | #endif /* _UNICOS */ |
320 | 320 | ||
321 | #ifdef HAVE_CYGWIN | 321 | #ifndef HAVE_CYGWIN |
322 | if (authenticated && | ||
323 | !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, | ||
324 | authctxt->pw)) { | ||
325 | packet_disconnect("Authentication rejected for uid %d.", | ||
326 | authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid); | ||
327 | authenticated = 0; | ||
328 | } | ||
329 | #else | ||
330 | /* Special handling for root */ | 322 | /* Special handling for root */ |
331 | if (authenticated && authctxt->pw->pw_uid == 0 && | 323 | if (authenticated && authctxt->pw->pw_uid == 0 && |
332 | !auth_root_allowed(meth->name)) { | 324 | !auth_root_allowed(meth->name)) { |
diff --git a/auth2-kbdint.c b/auth2-kbdint.c index a4fc9e6f7..fae67da6e 100644 --- a/auth2-kbdint.c +++ b/auth2-kbdint.c | |||
@@ -58,10 +58,6 @@ userauth_kbdint(Authctxt *authctxt) | |||
58 | 58 | ||
59 | xfree(devs); | 59 | xfree(devs); |
60 | xfree(lang); | 60 | xfree(lang); |
61 | #ifdef HAVE_CYGWIN | ||
62 | if (check_nt_auth(0, authctxt->pw) == 0) | ||
63 | authenticated = 0; | ||
64 | #endif | ||
65 | return authenticated; | 61 | return authenticated; |
66 | } | 62 | } |
67 | 63 | ||
diff --git a/auth2-none.c b/auth2-none.c index 10accfe55..08f2f935f 100644 --- a/auth2-none.c +++ b/auth2-none.c | |||
@@ -61,10 +61,6 @@ userauth_none(Authctxt *authctxt) | |||
61 | { | 61 | { |
62 | none_enabled = 0; | 62 | none_enabled = 0; |
63 | packet_check_eom(); | 63 | packet_check_eom(); |
64 | #ifdef HAVE_CYGWIN | ||
65 | if (check_nt_auth(1, authctxt->pw) == 0) | ||
66 | return (0); | ||
67 | #endif | ||
68 | if (options.password_authentication) | 64 | if (options.password_authentication) |
69 | return (PRIVSEP(auth_password(authctxt, ""))); | 65 | return (PRIVSEP(auth_password(authctxt, ""))); |
70 | return (0); | 66 | return (0); |
diff --git a/auth2-passwd.c b/auth2-passwd.c index 421c5c25d..5f1f3635f 100644 --- a/auth2-passwd.c +++ b/auth2-passwd.c | |||
@@ -68,10 +68,6 @@ userauth_passwd(Authctxt *authctxt) | |||
68 | logit("password change not supported"); | 68 | logit("password change not supported"); |
69 | else if (PRIVSEP(auth_password(authctxt, password)) == 1) | 69 | else if (PRIVSEP(auth_password(authctxt, password)) == 1) |
70 | authenticated = 1; | 70 | authenticated = 1; |
71 | #ifdef HAVE_CYGWIN | ||
72 | if (check_nt_auth(1, authctxt->pw) == 0) | ||
73 | authenticated = 0; | ||
74 | #endif | ||
75 | memset(password, 0, len); | 71 | memset(password, 0, len); |
76 | xfree(password); | 72 | xfree(password); |
77 | return authenticated; | 73 | return authenticated; |
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index b1e38e5f5..2886f1275 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
@@ -170,10 +170,6 @@ done: | |||
170 | key_free(key); | 170 | key_free(key); |
171 | xfree(pkalg); | 171 | xfree(pkalg); |
172 | xfree(pkblob); | 172 | xfree(pkblob); |
173 | #ifdef HAVE_CYGWIN | ||
174 | if (check_nt_auth(0, authctxt->pw) == 0) | ||
175 | authenticated = 0; | ||
176 | #endif | ||
177 | return authenticated; | 173 | return authenticated; |
178 | } | 174 | } |
179 | 175 | ||
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c index 38be7e350..e90c1597f 100644 --- a/openbsd-compat/bsd-cygwin_util.c +++ b/openbsd-compat/bsd-cygwin_util.c | |||
@@ -39,9 +39,6 @@ | |||
39 | #endif | 39 | #endif |
40 | 40 | ||
41 | #include <sys/types.h> | 41 | #include <sys/types.h> |
42 | #include <sys/stat.h> | ||
43 | #include <sys/utsname.h> | ||
44 | #include <sys/vfs.h> | ||
45 | 42 | ||
46 | #include <fcntl.h> | 43 | #include <fcntl.h> |
47 | #include <stdlib.h> | 44 | #include <stdlib.h> |
@@ -49,11 +46,6 @@ | |||
49 | #include <windows.h> | 46 | #include <windows.h> |
50 | 47 | ||
51 | #include "xmalloc.h" | 48 | #include "xmalloc.h" |
52 | #define is_winnt (GetVersion() < 0x80000000) | ||
53 | |||
54 | #define ntsec_on(c) ((c) && strstr((c),"ntsec") && !strstr((c),"nontsec")) | ||
55 | #define ntsec_off(c) ((c) && strstr((c),"nontsec")) | ||
56 | #define ntea_on(c) ((c) && strstr((c),"ntea") && !strstr((c),"nontea")) | ||
57 | 49 | ||
58 | int | 50 | int |
59 | binary_open(const char *filename, int flags, ...) | 51 | binary_open(const char *filename, int flags, ...) |
@@ -79,128 +71,12 @@ binary_pipe(int fd[2]) | |||
79 | return (ret); | 71 | return (ret); |
80 | } | 72 | } |
81 | 73 | ||
82 | #define HAS_CREATE_TOKEN 1 | ||
83 | #define HAS_NTSEC_BY_DEFAULT 2 | ||
84 | #define HAS_CREATE_TOKEN_WO_NTSEC 3 | ||
85 | |||
86 | static int | ||
87 | has_capability(int what) | ||
88 | { | ||
89 | static int inited; | ||
90 | static int has_create_token; | ||
91 | static int has_ntsec_by_default; | ||
92 | static int has_create_token_wo_ntsec; | ||
93 | |||
94 | /* | ||
95 | * has_capability() basically calls uname() and checks if | ||
96 | * specific capabilities of Cygwin can be evaluated from that. | ||
97 | * This simplifies the calling functions which only have to ask | ||
98 | * for a capability using has_capability() instead of having | ||
99 | * to figure that out by themselves. | ||
100 | */ | ||
101 | if (!inited) { | ||
102 | struct utsname uts; | ||
103 | |||
104 | if (!uname(&uts)) { | ||
105 | int major_high = 0, major_low = 0, minor = 0; | ||
106 | int api_major_version = 0, api_minor_version = 0; | ||
107 | char *c; | ||
108 | |||
109 | sscanf(uts.release, "%d.%d.%d", &major_high, | ||
110 | &major_low, &minor); | ||
111 | if ((c = strchr(uts.release, '(')) != NULL) { | ||
112 | sscanf(c + 1, "%d.%d", &api_major_version, | ||
113 | &api_minor_version); | ||
114 | } | ||
115 | if (major_high > 1 || | ||
116 | (major_high == 1 && (major_low > 3 || | ||
117 | (major_low == 3 && minor >= 2)))) | ||
118 | has_create_token = 1; | ||
119 | if (api_major_version > 0 || api_minor_version >= 56) | ||
120 | has_ntsec_by_default = 1; | ||
121 | if (major_high > 1 || | ||
122 | (major_high == 1 && major_low >= 5)) | ||
123 | has_create_token_wo_ntsec = 1; | ||
124 | inited = 1; | ||
125 | } | ||
126 | } | ||
127 | switch (what) { | ||
128 | case HAS_CREATE_TOKEN: | ||
129 | return (has_create_token); | ||
130 | case HAS_NTSEC_BY_DEFAULT: | ||
131 | return (has_ntsec_by_default); | ||
132 | case HAS_CREATE_TOKEN_WO_NTSEC: | ||
133 | return (has_create_token_wo_ntsec); | ||
134 | } | ||
135 | return (0); | ||
136 | } | ||
137 | |||
138 | int | ||
139 | check_nt_auth(int pwd_authenticated, struct passwd *pw) | ||
140 | { | ||
141 | /* | ||
142 | * The only authentication which is able to change the user | ||
143 | * context on NT systems is the password authentication. So | ||
144 | * we deny all requsts for changing the user context if another | ||
145 | * authentication method is used. | ||
146 | * | ||
147 | * This doesn't apply to Cygwin versions >= 1.3.2 anymore which | ||
148 | * uses the undocumented NtCreateToken() call to create a user | ||
149 | * token if the process has the appropriate privileges and if | ||
150 | * CYGWIN ntsec setting is on. | ||
151 | */ | ||
152 | static int has_create_token = -1; | ||
153 | |||
154 | if (pw == NULL) | ||
155 | return 0; | ||
156 | if (is_winnt) { | ||
157 | if (has_create_token < 0) { | ||
158 | char *cygwin = getenv("CYGWIN"); | ||
159 | |||
160 | has_create_token = 0; | ||
161 | if (has_capability(HAS_CREATE_TOKEN) && | ||
162 | (ntsec_on(cygwin) || | ||
163 | (has_capability(HAS_NTSEC_BY_DEFAULT) && | ||
164 | !ntsec_off(cygwin)) || | ||
165 | has_capability(HAS_CREATE_TOKEN_WO_NTSEC))) | ||
166 | has_create_token = 1; | ||
167 | } | ||
168 | if (has_create_token < 1 && | ||
169 | !pwd_authenticated && geteuid() != pw->pw_uid) | ||
170 | return (0); | ||
171 | } | ||
172 | return (1); | ||
173 | } | ||
174 | |||
175 | int | 74 | int |
176 | check_ntsec(const char *filename) | 75 | check_ntsec(const char *filename) |
177 | { | 76 | { |
178 | return (pathconf(filename, _PC_POSIX_PERMISSIONS)); | 77 | return (pathconf(filename, _PC_POSIX_PERMISSIONS)); |
179 | } | 78 | } |
180 | 79 | ||
181 | void | ||
182 | register_9x_service(void) | ||
183 | { | ||
184 | HINSTANCE kerneldll; | ||
185 | DWORD (*RegisterServiceProcess)(DWORD, DWORD); | ||
186 | |||
187 | /* The service register mechanism in 9x/Me is pretty different from | ||
188 | * NT/2K/XP. In NT/2K/XP we're using a special service starter | ||
189 | * application to register and control sshd as service. This method | ||
190 | * doesn't play nicely with 9x/Me. For that reason we register here | ||
191 | * as service when running under 9x/Me. This function is only called | ||
192 | * by the child sshd when it's going to daemonize. | ||
193 | */ | ||
194 | if (is_winnt) | ||
195 | return; | ||
196 | if (!(kerneldll = LoadLibrary("KERNEL32.DLL"))) | ||
197 | return; | ||
198 | if (!(RegisterServiceProcess = (DWORD (*)(DWORD, DWORD)) | ||
199 | GetProcAddress(kerneldll, "RegisterServiceProcess"))) | ||
200 | return; | ||
201 | RegisterServiceProcess(0, 1); | ||
202 | } | ||
203 | |||
204 | #define NL(x) x, (sizeof (x) - 1) | 80 | #define NL(x) x, (sizeof (x) - 1) |
205 | #define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0])) | 81 | #define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0])) |
206 | 82 | ||
diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h index 6719b8a49..39b8eb788 100644 --- a/openbsd-compat/bsd-cygwin_util.h +++ b/openbsd-compat/bsd-cygwin_util.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $Id: bsd-cygwin_util.h,v 1.11 2004/08/30 10:42:08 dtucker Exp $ */ | 1 | /* $Id: bsd-cygwin_util.h,v 1.12 2009/03/08 00:40:28 dtucker Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2000, 2001, Corinna Vinschen <vinschen@cygnus.com> | 4 | * Copyright (c) 2000, 2001, Corinna Vinschen <vinschen@cygnus.com> |
@@ -35,7 +35,6 @@ | |||
35 | #ifdef HAVE_CYGWIN | 35 | #ifdef HAVE_CYGWIN |
36 | 36 | ||
37 | #undef ERROR | 37 | #undef ERROR |
38 | #define is_winnt (GetVersion() < 0x80000000) | ||
39 | 38 | ||
40 | #include <windows.h> | 39 | #include <windows.h> |
41 | #include <sys/cygwin.h> | 40 | #include <sys/cygwin.h> |
@@ -43,9 +42,7 @@ | |||
43 | 42 | ||
44 | int binary_open(const char *, int , ...); | 43 | int binary_open(const char *, int , ...); |
45 | int binary_pipe(int fd[2]); | 44 | int binary_pipe(int fd[2]); |
46 | int check_nt_auth(int, struct passwd *); | ||
47 | int check_ntsec(const char *); | 45 | int check_ntsec(const char *); |
48 | void register_9x_service(void); | ||
49 | char **fetch_windows_environment(void); | 46 | char **fetch_windows_environment(void); |
50 | void free_windows_environment(char **); | 47 | void free_windows_environment(char **); |
51 | 48 | ||
diff --git a/openbsd-compat/daemon.c b/openbsd-compat/daemon.c index e3a6886bd..3efe14c68 100644 --- a/openbsd-compat/daemon.c +++ b/openbsd-compat/daemon.c | |||
@@ -57,18 +57,8 @@ daemon(int nochdir, int noclose) | |||
57 | case -1: | 57 | case -1: |
58 | return (-1); | 58 | return (-1); |
59 | case 0: | 59 | case 0: |
60 | #ifdef HAVE_CYGWIN | ||
61 | register_9x_service(); | ||
62 | #endif | ||
63 | break; | 60 | break; |
64 | default: | 61 | default: |
65 | #ifdef HAVE_CYGWIN | ||
66 | /* | ||
67 | * This sleep avoids a race condition which kills the | ||
68 | * child process if parent is started by a NT/W2K service. | ||
69 | */ | ||
70 | sleep(1); | ||
71 | #endif | ||
72 | _exit(0); | 62 | _exit(0); |
73 | } | 63 | } |
74 | 64 | ||
@@ -571,8 +571,7 @@ do_exec_no_pty(Session *s, const char *command) | |||
571 | signal(WJSIGNAL, cray_job_termination_handler); | 571 | signal(WJSIGNAL, cray_job_termination_handler); |
572 | #endif /* _UNICOS */ | 572 | #endif /* _UNICOS */ |
573 | #ifdef HAVE_CYGWIN | 573 | #ifdef HAVE_CYGWIN |
574 | if (is_winnt) | 574 | cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); |
575 | cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); | ||
576 | #endif | 575 | #endif |
577 | 576 | ||
578 | s->pid = pid; | 577 | s->pid = pid; |
@@ -726,8 +725,7 @@ do_exec_pty(Session *s, const char *command) | |||
726 | signal(WJSIGNAL, cray_job_termination_handler); | 725 | signal(WJSIGNAL, cray_job_termination_handler); |
727 | #endif /* _UNICOS */ | 726 | #endif /* _UNICOS */ |
728 | #ifdef HAVE_CYGWIN | 727 | #ifdef HAVE_CYGWIN |
729 | if (is_winnt) | 728 | cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); |
730 | cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); | ||
731 | #endif | 729 | #endif |
732 | 730 | ||
733 | s->pid = pid; | 731 | s->pid = pid; |
@@ -1116,7 +1114,7 @@ do_setup_env(Session *s, const char *shell) | |||
1116 | u_int i, envsize; | 1114 | u_int i, envsize; |
1117 | char **env, *laddr; | 1115 | char **env, *laddr; |
1118 | struct passwd *pw = s->pw; | 1116 | struct passwd *pw = s->pw; |
1119 | #ifndef HAVE_LOGIN_CAP | 1117 | #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) |
1120 | char *path = NULL; | 1118 | char *path = NULL; |
1121 | #endif | 1119 | #endif |
1122 | 1120 | ||
@@ -1551,9 +1549,6 @@ do_setusercontext(struct passwd *pw) | |||
1551 | #endif | 1549 | #endif |
1552 | } | 1550 | } |
1553 | 1551 | ||
1554 | #ifdef HAVE_CYGWIN | ||
1555 | if (is_winnt) | ||
1556 | #endif | ||
1557 | if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) | 1552 | if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) |
1558 | fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); | 1553 | fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); |
1559 | 1554 | ||