Merge 3.8p1 to the trunk. This builds and runs, but I haven't tested it

extensively yet. ProtocolKeepAlives is now just a compatibility alias for ServerAliveInterval.
author: Colin Watson <cjwatson@debian.org> 2004-03-01 02:25:32 +0000
committer: Colin Watson <cjwatson@debian.org> 2004-03-01 02:25:32 +0000
commit: ea8116a11e3de70036dbc665ccb0d486cf89cac9 (patch)
tree: d73ccdff78d8608e156465af42e6a1b3527fb2d6 /monitor.c
parent: e39b311381a5609cc05acf298c42fba196dc524b (diff)
parent: f5bda272678ec6dccaa5f29379cf60cb855018e8 (diff)
1 files changed, 46 insertions, 17 deletions
diff --git a/monitor.c b/monitor.c
index e5656470d..009dcf182 100644
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.49 2003/08/28 12:54:34 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.55 2004/02/05 05:37:17 dtucker Exp $");
 #include <openssl/dh.h>
@@ -134,6 +134,7 @@ int mm_answer_pam_free_ctx(int, Buffer *);
 int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
+int mm_answer_gss_checkmic(int, Buffer *);
 #endif
 static Authctxt *authctxt;
@@ -193,6 +194,7 @@ struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
    {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
    {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
+    {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
 #endif
    {0, 0, NULL}
 };
@@ -272,14 +274,17 @@ monitor_permit_authentications(int permit)
        }
 }
-Authctxt *
+void
-monitor_child_preauth(struct monitor *pmonitor)
+monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 {
        struct mon_table *ent;
        int authenticated = 0;
        debug3("preauth child monitor started");
+        authctxt = _authctxt;
+        memset(authctxt, 0, sizeof(*authctxt));
        if (compat20) {
                mon_dispatch = mon_dispatch_proto20;
@@ -292,8 +297,6 @@ monitor_child_preauth(struct monitor *pmonitor)
                monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
        }
-        authctxt = authctxt_new();
        /* The first few requests do not require asynchronous access */
        while (!authenticated) {
                authenticated = monitor_read(pmonitor, mon_dispatch, &ent);
@@ -306,11 +309,11 @@ monitor_child_preauth(struct monitor *pmonitor)
                                authenticated = 0;
 #ifdef USE_PAM
                        /* PAM needs to perform account checks after auth */
-                        if (options.use_pam) {
+                        if (options.use_pam && authenticated) {
                                Buffer m;
                                buffer_init(&m);
-                                mm_request_receive_expect(pmonitor->m_sendfd, 
+                                mm_request_receive_expect(pmonitor->m_sendfd,
                                    MONITOR_REQ_PAM_ACCOUNT, &m);
                                authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m);
                                buffer_free(&m);
@@ -333,8 +336,6 @@ monitor_child_preauth(struct monitor *pmonitor)
            __func__, authctxt->user);
        mm_get_keystate(pmonitor);
-        return (authctxt);
 }
 static void
@@ -566,6 +567,7 @@ mm_answer_pwnamallow(int socket, Buffer *m)
        if (pwent == NULL) {
                buffer_put_char(m, 0);
+                authctxt->pw = fakepw();
                goto out;
        }
@@ -781,7 +783,7 @@ int
 mm_answer_pam_start(int socket, Buffer *m)
 {
        char *user;
-        
        if (!options.use_pam)
                fatal("UsePAM not set, but ended up in %s anyway", __func__);
@@ -800,7 +802,7 @@ int
 mm_answer_pam_account(int socket, Buffer *m)
 {
        u_int ret;
-        
        if (!options.use_pam)
                fatal("UsePAM not set, but ended up in %s anyway", __func__);
@@ -947,7 +949,7 @@ mm_answer_keyallowed(int socket, Buffer *m)
        debug3("%s: key_from_blob: %p", __func__, key);
-        if (key != NULL && authctxt->pw != NULL) {
+        if (key != NULL && authctxt->valid) {
                switch(type) {
                case MM_USERKEY:
                        allowed = options.pubkey_authentication &&
@@ -1185,7 +1187,7 @@ mm_record_login(Session *s, struct passwd *pw)
                if (getpeername(packet_get_connection_in(),
                        (struct sockaddr *) & from, &fromlen) < 0) {
                        debug("getpeername: %.100s", strerror(errno));
-                        fatal_cleanup();
+                        cleanup_exit(255);
                }
        }
        /* Record that there was a login on that tty from the remote host. */
@@ -1200,7 +1202,6 @@ mm_session_close(Session *s)
        debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid);
        if (s->ttyfd != -1) {
                debug3("%s: tty %s ptyfd %d",  __func__, s->tty, s->ptyfd);
-                fatal_remove_cleanup(session_pty_cleanup2, (void *)s);
                session_pty_cleanup2(s);
        }
        s->used = 0;
@@ -1225,7 +1226,6 @@ mm_answer_pty(int socket, Buffer *m)
        res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
        if (res == 0)
                goto error;
-        fatal_add_cleanup(session_pty_cleanup2, (void *)s);
        pty_setowner(authctxt->pw, s->tty);
        buffer_put_int(m, 1);
@@ -1708,6 +1708,7 @@ monitor_init(void)
        mon = xmalloc(sizeof(*mon));
+        mon->m_pid = 0;
        monitor_socketpair(pair);
        mon->m_recvfd = pair[0];
@@ -1784,15 +1785,43 @@ mm_answer_gss_accept_ctx(int socket, Buffer *m)
        gss_release_buffer(&minor, &out);
-        /* Complete - now we can do signing */
        if (major==GSS_S_COMPLETE) {
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
        }
        return (0);
 }
 int
+mm_answer_gss_checkmic(int socket, Buffer *m)
+{
+        gss_buffer_desc gssbuf, mic;
+        OM_uint32 ret;
+        u_int len;
+        gssbuf.value = buffer_get_string(m, &len);
+        gssbuf.length = len;
+        mic.value = buffer_get_string(m, &len);
+        mic.length = len;
+        ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
+        xfree(gssbuf.value);
+        xfree(mic.value);
+        buffer_clear(m);
+        buffer_put_int(m, ret);
+        mm_request_send(socket, MONITOR_ANS_GSSCHECKMIC, m);
+        if (!GSS_ERROR(ret))
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
+        return (0);
+}
+int
 mm_answer_gss_userok(int socket, Buffer *m)
 {
        int authenticated;
@@ -1805,7 +1834,7 @@ mm_answer_gss_userok(int socket, Buffer *m)
        debug3("%s: sending result %d", __func__, authenticated);
        mm_request_send(socket, MONITOR_ANS_GSSUSEROK, m);
-        auth_method="gssapi";
+        auth_method="gssapi-with-mic";
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
author	Colin Watson <cjwatson@debian.org>	2004-03-01 02:25:32 +0000
committer	Colin Watson <cjwatson@debian.org>	2004-03-01 02:25:32 +0000
commit	ea8116a11e3de70036dbc665ccb0d486cf89cac9 (patch)
tree	d73ccdff78d8608e156465af42e6a1b3527fb2d6 /monitor.c
parent	e39b311381a5609cc05acf298c42fba196dc524b (diff)
parent	f5bda272678ec6dccaa5f29379cf60cb855018e8 (diff)