diff options
author | Colin Watson <cjwatson@debian.org> | 2011-09-06 14:56:29 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2011-09-06 14:56:29 +0100 |
commit | 978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch) | |
tree | 89400a44e42d84937deba7864e4964d6c7734da5 /monitor_wrap.c | |
parent | 87c685b8c6a49814fd782288097b3093f975aa72 (diff) | |
parent | 3a7e89697ca363de0f64e0d5704c57219294e41c (diff) |
* New upstream release (http://www.openssh.org/txt/release-5.9).
- Introduce sandboxing of the pre-auth privsep child using an optional
sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
mandatory restrictions on the syscalls the privsep child can perform.
- Add new SHA256-based HMAC transport integrity modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt.
- The pre-authentication sshd(8) privilege separation slave process now
logs via a socket shared with the master process, avoiding the need to
maintain /dev/log inside the chroot (closes: #75043, #429243,
#599240).
- ssh(1) now warns when a server refuses X11 forwarding (closes:
#504757).
- sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
separated by whitespace (closes: #76312). The authorized_keys2
fallback is deprecated but documented (closes: #560156).
- ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4
ToS/DSCP (closes: #498297).
- ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add
- < /path/to/key" (closes: #229124).
- Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691).
- Say "required" rather than "recommended" in unprotected-private-key
warning (LP: #663455).
Diffstat (limited to 'monitor_wrap.c')
-rw-r--r-- | monitor_wrap.c | 46 |
1 files changed, 42 insertions, 4 deletions
diff --git a/monitor_wrap.c b/monitor_wrap.c index d69e4cce7..f46be660d 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: monitor_wrap.c,v 1.70 2010/08/31 11:54:45 djm Exp $ */ | 1 | /* $OpenBSD: monitor_wrap.c,v 1.73 2011/06/17 21:44:31 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
@@ -88,6 +88,32 @@ extern struct monitor *pmonitor; | |||
88 | extern Buffer loginmsg; | 88 | extern Buffer loginmsg; |
89 | extern ServerOptions options; | 89 | extern ServerOptions options; |
90 | 90 | ||
91 | void | ||
92 | mm_log_handler(LogLevel level, const char *msg, void *ctx) | ||
93 | { | ||
94 | Buffer log_msg; | ||
95 | struct monitor *mon = (struct monitor *)ctx; | ||
96 | |||
97 | if (mon->m_log_sendfd == -1) | ||
98 | fatal("%s: no log channel", __func__); | ||
99 | |||
100 | buffer_init(&log_msg); | ||
101 | /* | ||
102 | * Placeholder for packet length. Will be filled in with the actual | ||
103 | * packet length once the packet has been constucted. This saves | ||
104 | * fragile math. | ||
105 | */ | ||
106 | buffer_put_int(&log_msg, 0); | ||
107 | |||
108 | buffer_put_int(&log_msg, level); | ||
109 | buffer_put_cstring(&log_msg, msg); | ||
110 | put_u32(buffer_ptr(&log_msg), buffer_len(&log_msg) - 4); | ||
111 | if (atomicio(vwrite, mon->m_log_sendfd, buffer_ptr(&log_msg), | ||
112 | buffer_len(&log_msg)) != buffer_len(&log_msg)) | ||
113 | fatal("%s: write: %s", __func__, strerror(errno)); | ||
114 | buffer_free(&log_msg); | ||
115 | } | ||
116 | |||
91 | int | 117 | int |
92 | mm_is_monitor(void) | 118 | mm_is_monitor(void) |
93 | { | 119 | { |
@@ -211,7 +237,7 @@ mm_getpwnamallow(const char *username) | |||
211 | { | 237 | { |
212 | Buffer m; | 238 | Buffer m; |
213 | struct passwd *pw; | 239 | struct passwd *pw; |
214 | u_int len; | 240 | u_int len, i; |
215 | ServerOptions *newopts; | 241 | ServerOptions *newopts; |
216 | 242 | ||
217 | debug3("%s entering", __func__); | 243 | debug3("%s entering", __func__); |
@@ -245,8 +271,20 @@ out: | |||
245 | newopts = buffer_get_string(&m, &len); | 271 | newopts = buffer_get_string(&m, &len); |
246 | if (len != sizeof(*newopts)) | 272 | if (len != sizeof(*newopts)) |
247 | fatal("%s: option block size mismatch", __func__); | 273 | fatal("%s: option block size mismatch", __func__); |
248 | if (newopts->banner != NULL) | 274 | |
249 | newopts->banner = buffer_get_string(&m, NULL); | 275 | #define M_CP_STROPT(x) do { \ |
276 | if (newopts->x != NULL) \ | ||
277 | newopts->x = buffer_get_string(&m, NULL); \ | ||
278 | } while (0) | ||
279 | #define M_CP_STRARRAYOPT(x, nx) do { \ | ||
280 | for (i = 0; i < newopts->nx; i++) \ | ||
281 | newopts->x[i] = buffer_get_string(&m, NULL); \ | ||
282 | } while (0) | ||
283 | /* See comment in servconf.h */ | ||
284 | COPY_MATCH_STRING_OPTS(); | ||
285 | #undef M_CP_STROPT | ||
286 | #undef M_CP_STRARRAYOPT | ||
287 | |||
250 | copy_set_server_options(&options, newopts, 1); | 288 | copy_set_server_options(&options, newopts, 1); |
251 | xfree(newopts); | 289 | xfree(newopts); |
252 | 290 | ||