* New upstream release (closes: #395507, #397961, #420035). Important

  changes not previously backported to 4.3p2:
  - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4):
    + On portable OpenSSH, fix a GSSAPI authentication abort that could be
      used to determine the validity of usernames on some platforms.
    + Implemented conditional configuration in sshd_config(5) using the
      "Match" directive. This allows some configuration options to be
      selectively overridden if specific criteria (based on user, group,
      hostname and/or address) are met. So far a useful subset of
      post-authentication options are supported and more are expected to
      be added in future releases.
    + Add support for Diffie-Hellman group exchange key agreement with a
      final hash of SHA256.
    + Added a "ForceCommand" directive to sshd_config(5). Similar to the
      command="..." option accepted in ~/.ssh/authorized_keys, this forces
      the execution of the specified command regardless of what the user
      requested. This is very useful in conjunction with the new "Match"
      option.
    + Add a "PermitOpen" directive to sshd_config(5). This mirrors the
      permitopen="..." authorized_keys option, allowing fine-grained
      control over the port-forwardings that a user is allowed to
      establish.
    + Add optional logging of transactions to sftp-server(8).
    + ssh(1) will now record port numbers for hosts stored in
      ~/.ssh/known_hosts when a non-standard port has been requested
      (closes: #50612).
    + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a
      non-zero exit code) when requested port forwardings could not be
      established.
    + Extend sshd_config(5) "SubSystem" declarations to allow the
      specification of command-line arguments.
    + Replacement of all integer overflow susceptible invocations of
      malloc(3) and realloc(3) with overflow-checking equivalents.
    + Many manpage fixes and improvements.
    + Add optional support for OpenSSL hardware accelerators (engines),
      enabled using the --with-ssl-engine configure option.
    + Tokens in configuration files may be double-quoted in order to
      contain spaces (closes: #319639).
    + Move a debug() call out of a SIGCHLD handler, fixing a hang when the
      session exits very quickly (closes: #307890).
    + Fix some incorrect buffer allocation calculations (closes: #410599).
    + ssh-add doesn't ask for a passphrase if key file permissions are too
      liberal (closes: #103677).
    + Likewise, ssh doesn't ask either (closes: #99675).
  - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6):
    + sshd now allows the enabling and disabling of authentication methods
      on a per user, group, host and network basis via the Match directive
      in sshd_config.
    + Fixed an inconsistent check for a terminal when displaying scp
      progress meter (closes: #257524).
    + Fix "hang on exit" when background processes are running at the time
      of exit on a ttyful/login session (closes: #88337).
* Update to current GSSAPI patch from
  http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch;
  install ChangeLog.gssapi.

1 files changed, 71 insertions, 33 deletions

diff --git a/session.c b/session.c
index 73fcb6453..160cb4ecc 100644
--- a/session.c
+++ b/session.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: session.c,v 1.221 2007/01/21 01:41:54 stevesk Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -33,12 +34,35 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.191 2005/12/24 02:27:41 djm Exp $");
 
+#include <sys/types.h>
+#include <sys/param.h>
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/wait.h>
+
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <grp.h>
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#include <pwd.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "xmalloc.h"
 #include "ssh.h"
 #include "ssh1.h"
 #include "ssh2.h"
-#include "xmalloc.h"
 #include "sshpty.h"
 #include "packet.h"
 #include "buffer.h"
@@ -46,7 +70,12 @@ RCSID("$OpenBSD: session.c,v 1.191 2005/12/24 02:27:41 djm Exp $");
 #include "uidswap.h"
 #include "compat.h"
 #include "channels.h"
-#include "bufaux.h"
+#include "key.h"
+#include "cipher.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
+#include "hostfile.h"
 #include "auth.h"
 #include "auth-options.h"
 #include "pathnames.h"
@@ -59,16 +88,10 @@ RCSID("$OpenBSD: session.c,v 1.191 2005/12/24 02:27:41 djm Exp $");
 #include "kex.h"
 #include "monitor_wrap.h"
 
-#include "selinux.h"
-
 #if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
 #endif
 
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-
 /* func */
 
 Session *session_new(void);
@@ -177,7 +200,7 @@ auth_input_request_forwarding(struct passwd * pw)
         sunaddr.sun_family = AF_UNIX;
         strlcpy(sunaddr.sun_path, auth_sock_name, sizeof(sunaddr.sun_path));
 
-        if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0)
+        if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0)
                 packet_disconnect("bind: %.100s", strerror(errno));
 
         /* Restore the privileged uid. */
@@ -324,7 +347,11 @@ do_authenticated1(Authctxt *authctxt)
                                 break;
                         }
                         debug("Received TCP/IP port forwarding request.");
-                        channel_input_port_forward_request(s->pw->pw_uid == 0, options.gateway_ports);
+                        if (channel_input_port_forward_request(s->pw->pw_uid == 0,
+                            options.gateway_ports) < 0) {
+                                debug("Port forwarding failed.");
+                                break;
+                        }
                         success = 1;
                         break;
 
@@ -634,7 +661,7 @@ do_pre_login(Session *s)
         fromlen = sizeof(from);
         if (packet_connection_is_on_socket()) {
                 if (getpeername(packet_get_connection_in(),
-                    (struct sockaddr *) & from, &fromlen) < 0) {
+                    (struct sockaddr *)&from, &fromlen) < 0) {
                         debug("getpeername: %.100s", strerror(errno));
                         cleanup_exit(255);
                 }
@@ -653,10 +680,14 @@ do_pre_login(Session *s)
 void
 do_exec(Session *s, const char *command)
 {
-        if (forced_command) {
+        if (options.adm_forced_command) {
+                original_command = command;
+                command = options.adm_forced_command;
+                debug("Forced command (config) '%.900s'", command);
+        } else if (forced_command) {
                 original_command = command;
                 command = forced_command;
-                debug("Forced command '%.900s'", command);
+                debug("Forced command (key option) '%.900s'", command);
         }
 
 #ifdef SSH_AUDIT_EVENTS
@@ -828,7 +859,7 @@ child_set_env(char ***envp, u_int *envsizep, const char *name,
                         if (envsize >= 1000)
                                 fatal("child_set_env: too many env vars");
                         envsize += 50;
-                        env = (*envp) = xrealloc(env, envsize * sizeof(char *));
+                        env = (*envp) = xrealloc(env, envsize, sizeof(char *));
                         *envsizep = envsize;
                 }
                 /* Need to set the NULL pointer at end of array beyond the new slot. */
@@ -969,12 +1000,15 @@ do_setup_env(Session *s, const char *shell)
 {
         char buf[256];
         u_int i, envsize;
-        char **env, *laddr, *path = NULL;
+        char **env, *laddr;
         struct passwd *pw = s->pw;
+#ifndef HAVE_LOGIN_CAP
+        char *path = NULL;
+#endif
 
         /* Initialize the environment. */
         envsize = 100;
-        env = xmalloc(envsize * sizeof(char *));
+        env = xcalloc(envsize, sizeof(char *));
         env[0] = NULL;
 
 #ifdef HAVE_CYGWIN
@@ -1343,7 +1377,9 @@ do_setusercontext(struct passwd *pw)
         if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
                 fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
 
-        setup_selinux_exec_context(pw->pw_name);
+#ifdef WITH_SELINUX
+        ssh_selinux_setup_exec_context(pw->pw_name);
+#endif
 }
 
 static void
@@ -1563,7 +1599,7 @@ do_child(Session *s, const char *command)
                 do_rc_files(s, shell);
 
         /* restore SIGPIPE for child */
-        signal(SIGPIPE,  SIG_DFL);
+        signal(SIGPIPE, SIG_DFL);
 
         if (options.use_login) {
                 launch_login(pw, hostname);
@@ -1827,7 +1863,7 @@ session_subsystem_req(Session *s)
         struct stat st;
         u_int len;
         int success = 0;
-        char *cmd, *subsys = packet_get_string(&len);
+        char *prog, *cmd, *subsys = packet_get_string(&len);
         u_int i;
 
         packet_check_eom();
@@ -1835,9 +1871,10 @@ session_subsystem_req(Session *s)
 
         for (i = 0; i < options.num_subsystems; i++) {
                 if (strcmp(subsys, options.subsystem_name[i]) == 0) {
-                        cmd = options.subsystem_command[i];
-                        if (stat(cmd, &st) < 0) {
-                                error("subsystem: cannot stat %s: %s", cmd,
+                        prog = options.subsystem_command[i];
+                        cmd = options.subsystem_args[i];
+                        if (stat(prog, &st) < 0) {
+                                error("subsystem: cannot stat %s: %s", prog,
                                     strerror(errno));
                                 break;
                         }
@@ -1934,8 +1971,8 @@ session_env_req(Session *s)
         for (i = 0; i < options.num_accept_env; i++) {
                 if (match_pattern(name, options.accept_env[i])) {
                         debug2("Setting env %d: %s=%s", s->num_env, name, val);
-                        s->env = xrealloc(s->env, sizeof(*s->env) *
-                            (s->num_env + 1));
+                        s->env = xrealloc(s->env, s->num_env + 1,
+                            sizeof(*s->env));
                         s->env[s->num_env].name = name;
                         s->env[s->num_env].val = val;
                         s->num_env++;
@@ -1990,7 +2027,7 @@ session_input_channel_req(Channel *c, const char *rtype)
                 } else if (strcmp(rtype, "exec") == 0) {
                         success = session_exec_req(s);
                 } else if (strcmp(rtype, "pty-req") == 0) {
-                        success =  session_pty_req(s);
+                        success = session_pty_req(s);
                 } else if (strcmp(rtype, "x11-req") == 0) {
                         success = session_x11_req(s);
                 } else if (strcmp(rtype, "auth-agent-req@openssh.com") == 0) {
@@ -2115,7 +2152,7 @@ session_close_single_x11(int id, void *arg)
 
         debug3("session_close_single_x11: channel %d", id);
         channel_cancel_cleanup(id);
-        if ((s  = session_by_x11_channel(id)) == NULL)
+        if ((s = session_by_x11_channel(id)) == NULL)
                 fatal("session_close_single_x11: no x11 channel %d", id);
         for (i = 0; s->x11_chanids[i] != -1; i++) {
                 debug("session_close_single_x11: session %d: "
@@ -2183,7 +2220,7 @@ session_exit_message(Session *s, int status)
 
         /*
          * Adjust cleanup callback attachment to send close messages when
-         * the channel gets EOF. The session will be then be closed 
+         * the channel gets EOF. The session will be then be closed
          * by session_close_by_channel when the childs close their fds.
          */
         channel_register_cleanup(c->self, session_close_by_channel, 1);
@@ -2219,12 +2256,13 @@ session_close(Session *s)
         if (s->auth_proto)
                 xfree(s->auth_proto);
         s->used = 0;
-        for (i = 0; i < s->num_env; i++) {
-                xfree(s->env[i].name);
-                xfree(s->env[i].val);
-        }
-        if (s->env != NULL)
+        if (s->env != NULL) {
+                for (i = 0; i < s->num_env; i++) {
+                        xfree(s->env[i].name);
+                        xfree(s->env[i].val);
+                }
                 xfree(s->env);
+        }
         session_proctitle(s);
 }