* New upstream release (LP: #535029).

  - After a transition period of about 10 years, this release disables SSH
    protocol 1 by default.  Clients and servers that need to use the
    legacy protocol must explicitly enable it in ssh_config / sshd_config
    or on the command-line.
  - Remove the libsectok/OpenSC-based smartcard code and add support for
    PKCS#11 tokens.  This support is enabled by default in the Debian
    packaging, since it now doesn't involve additional library
    dependencies (closes: #231472, LP: #16918).
  - Add support for certificate authentication of users and hosts using a
    new, minimal OpenSSH certificate format (closes: #482806).
  - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
  - Add the ability to revoke keys in sshd(8) and ssh(1).  (For the Debian
    package, this overlaps with the key blacklisting facility added in
    openssh 1:4.7p1-9, but with different file formats and slightly
    different scopes; for the moment, I've roughly merged the two.)
  - Various multiplexing improvements, including support for requesting
    port-forwardings via the multiplex protocol (closes: #360151).
  - Allow setting an explicit umask on the sftp-server(8) commandline to
    override whatever default the user has (closes: #496843).
  - Many sftp client improvements, including tab-completion, more options,
    and recursive transfer support for get/put (LP: #33378).  The old
    mget/mput commands never worked properly and have been removed
    (closes: #270399, #428082).
  - Do not prompt for a passphrase if we fail to open a keyfile, and log
    the reason why the open failed to debug (closes: #431538).
  - Prevent sftp from crashing when given a "-" without a command.  Also,
    allow whitespace to follow a "-" (closes: #531561).

1 files changed, 70 insertions, 36 deletions

diff --git a/session.c b/session.c
index 44e0ac5fa..e032de692 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.246 2009/04/17 19:23:06 stevesk Exp $ */
+/* $OpenBSD: session.c,v 1.252 2010/03/07 11:57:13 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -142,9 +142,10 @@ static int sessions_first_unused = -1;
 static int sessions_nalloc = 0;
 static Session *sessions = NULL;
 
-#define SUBSYSTEM_NONE          0
-#define SUBSYSTEM_EXT           1
-#define SUBSYSTEM_INT_SFTP      2
+#define SUBSYSTEM_NONE                  0
+#define SUBSYSTEM_EXT                   1
+#define SUBSYSTEM_INT_SFTP              2
+#define SUBSYSTEM_INT_SFTP_ERROR        3
 
 #ifdef HAVE_LOGIN_CAP
 login_cap_t *lc;
@@ -270,6 +271,8 @@ do_authenticated(Authctxt *authctxt)
         if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
                 channel_permit_all_opens();
 
+        auth_debug_send();
+
         if (compat20)
                 do_authenticated2(authctxt);
         else
@@ -785,17 +788,19 @@ do_exec(Session *s, const char *command)
         if (options.adm_forced_command) {
                 original_command = command;
                 command = options.adm_forced_command;
-                if (IS_INTERNAL_SFTP(command))
-                        s->is_subsystem = SUBSYSTEM_INT_SFTP;
-                else if (s->is_subsystem)
+                if (IS_INTERNAL_SFTP(command)) {
+                        s->is_subsystem = s->is_subsystem ?
+                            SUBSYSTEM_INT_SFTP : SUBSYSTEM_INT_SFTP_ERROR;
+                } else if (s->is_subsystem)
                         s->is_subsystem = SUBSYSTEM_EXT;
                 debug("Forced command (config) '%.900s'", command);
         } else if (forced_command) {
                 original_command = command;
                 command = forced_command;
-                if (IS_INTERNAL_SFTP(command))
-                        s->is_subsystem = SUBSYSTEM_INT_SFTP;
-                else if (s->is_subsystem)
+                if (IS_INTERNAL_SFTP(command)) {
+                        s->is_subsystem = s->is_subsystem ?
+                            SUBSYSTEM_INT_SFTP : SUBSYSTEM_INT_SFTP_ERROR;
+                } else if (s->is_subsystem)
                         s->is_subsystem = SUBSYSTEM_EXT;
                 debug("Forced command (key option) '%.900s'", command);
         }
@@ -1374,26 +1379,32 @@ static void
 do_nologin(struct passwd *pw)
 {
         FILE *f = NULL;
-        char buf[1024];
+        char buf[1024], *nl, *def_nl = _PATH_NOLOGIN;
+        struct stat sb;
 
 #ifdef HAVE_LOGIN_CAP
-        if (!login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid)
-                f = fopen(login_getcapstr(lc, "nologin", _PATH_NOLOGIN,
-                    _PATH_NOLOGIN), "r");
+        if (login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid)
+                return;
+        nl = login_getcapstr(lc, "nologin", def_nl, def_nl);
 #else
-        if (pw->pw_uid)
-                f = fopen(_PATH_NOLOGIN, "r");
+        if (pw->pw_uid == 0)
+                return;
+        nl = def_nl;
 #endif
-        if (f) {
-                /* /etc/nologin exists.  Print its contents and exit. */
-                logit("User %.100s not allowed because %s exists",
-                    pw->pw_name, _PATH_NOLOGIN);
-                while (fgets(buf, sizeof(buf), f))
-                        fputs(buf, stderr);
-                fclose(f);
-                fflush(NULL);
-                exit(254);
+        if (stat(nl, &sb) == -1) {
+                if (nl != def_nl)
+                        xfree(nl);
+                return;
         }
+
+        /* /etc/nologin exists.  Print its contents if we can and exit. */
+        logit("User %.100s not allowed because %s exists", pw->pw_name, nl);
+        if ((f = fopen(nl, "r")) != NULL) {
+                while (fgets(buf, sizeof(buf), f))
+                        fputs(buf, stderr);
+                fclose(f);
+        }
+        exit(254);
 }
 
 /*
@@ -1521,6 +1532,24 @@ do_setusercontext(struct passwd *pw)
                 }
 # endif /* USE_LIBIAF */
 #endif
+#ifdef HAVE_SETPCRED
+                /*
+                 * If we have a chroot directory, we set all creds except real
+                 * uid which we will need for chroot.  If we don't have a
+                 * chroot directory, we don't override anything.
+                 */
+                {
+                        char **creds = NULL, *chroot_creds[] =
+                            { "REAL_USER=root", NULL };
+
+                        if (options.chroot_directory != NULL &&
+                            strcasecmp(options.chroot_directory, "none") != 0)
+                                creds = chroot_creds;
+
+                        if (setpcred(pw->pw_name, creds) == -1)
+                                fatal("Failed to set process credentials");
+                }
+#endif /* HAVE_SETPCRED */
 
 #ifdef WITH_SELINUX
                 ssh_selinux_setup_exec_context(pw->pw_name);
@@ -1537,10 +1566,6 @@ do_setusercontext(struct passwd *pw)
                         free(chroot_path);
                 }
 
-#ifdef HAVE_SETPCRED
-                if (setpcred(pw->pw_name, (char **)NULL) == -1)
-                        fatal("Failed to set process credentials");
-#endif /* HAVE_SETPCRED */
 #ifdef HAVE_LOGIN_CAP
                 if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) {
                         perror("unable to set user context (setuser)");
@@ -1783,7 +1808,11 @@ do_child(Session *s, const char *command)
         /* restore SIGPIPE for child */
         signal(SIGPIPE, SIG_DFL);
 
-        if (s->is_subsystem == SUBSYSTEM_INT_SFTP) {
+        if (s->is_subsystem == SUBSYSTEM_INT_SFTP_ERROR) {
+                printf("This service allows sftp connections only.\n");
+                fflush(NULL);
+                exit(1);
+        } else if (s->is_subsystem == SUBSYSTEM_INT_SFTP) {
                 extern int optind, optreset;
                 int i;
                 char *p, *args;
@@ -1796,9 +1825,14 @@ do_child(Session *s, const char *command)
                 argv[i] = NULL;
                 optind = optreset = 1;
                 __progname = argv[0];
+#ifdef WITH_SELINUX
+                ssh_selinux_change_context("sftpd_t");
+#endif
                 exit(sftp_server_main(i, argv, s->pw));
         }
 
+        fflush(NULL);
+
         if (options.use_login) {
                 launch_login(pw, hostname);
                 /* NEVERREACHED */
@@ -2109,16 +2143,16 @@ session_subsystem_req(Session *s)
                 if (strcmp(subsys, options.subsystem_name[i]) == 0) {
                         prog = options.subsystem_command[i];
                         cmd = options.subsystem_args[i];
-                        if (!strcmp(INTERNAL_SFTP_NAME, prog)) {
+                        if (strcmp(INTERNAL_SFTP_NAME, prog) == 0) {
                                 s->is_subsystem = SUBSYSTEM_INT_SFTP;
-                        } else if (stat(prog, &st) < 0) {
-                                error("subsystem: cannot stat %s: %s", prog,
-                                    strerror(errno));
-                                break;
+                                debug("subsystem: %s", prog);
                         } else {
+                                if (stat(prog, &st) < 0)
+                                        debug("subsystem: cannot stat %s: %s",
+                                            prog, strerror(errno));
                                 s->is_subsystem = SUBSYSTEM_EXT;
+                                debug("subsystem: exec() %s", cmd);
                         }
-                        debug("subsystem: exec() %s", cmd);
                         success = do_exec(s, cmd) == 0;
                         break;
                 }