diff options
| author | Colin Watson <cjwatson@debian.org> | 2018-04-03 08:20:28 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2018-04-03 08:20:28 +0100 |
| commit | ed6ae9c1a014a08ff5db3d768f01f2e427eeb476 (patch) | |
| tree | 601025e307745d351946c01ab13f419ddb6dae29 /session.c | |
| parent | 62f54f20bf351468e0124f63cc2902ee40d9b0e9 (diff) | |
| parent | a0349a1cc4a18967ad1dbff5389bcdf9da098814 (diff) | |
Import openssh_7.7p1.orig.tar.gz
Diffstat (limited to 'session.c')
| -rw-r--r-- | session.c | 120 |
1 files changed, 64 insertions, 56 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: session.c,v 1.292 2017/09/12 06:32:07 djm Exp $ */ | 1 | /* $OpenBSD: session.c,v 1.294 2018/03/03 03:15:51 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 4 | * All rights reserved | 4 | * All rights reserved |
| @@ -140,6 +140,8 @@ extern u_int utmp_len; | |||
| 140 | extern int startup_pipe; | 140 | extern int startup_pipe; |
| 141 | extern void destroy_sensitive_data(void); | 141 | extern void destroy_sensitive_data(void); |
| 142 | extern Buffer loginmsg; | 142 | extern Buffer loginmsg; |
| 143 | extern struct sshauthopt *auth_opts; | ||
| 144 | char *tun_fwd_ifnames; /* serverloop.c */ | ||
| 143 | 145 | ||
| 144 | /* original command from peer. */ | 146 | /* original command from peer. */ |
| 145 | const char *original_command = NULL; | 147 | const char *original_command = NULL; |
| @@ -287,14 +289,42 @@ prepare_auth_info_file(struct passwd *pw, struct sshbuf *info) | |||
| 287 | restore_uid(); | 289 | restore_uid(); |
| 288 | } | 290 | } |
| 289 | 291 | ||
| 292 | static void | ||
| 293 | set_permitopen_from_authopts(struct ssh *ssh, const struct sshauthopt *opts) | ||
| 294 | { | ||
| 295 | char *tmp, *cp, *host; | ||
| 296 | int port; | ||
| 297 | size_t i; | ||
| 298 | |||
| 299 | if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0) | ||
| 300 | return; | ||
| 301 | channel_clear_permitted_opens(ssh); | ||
| 302 | for (i = 0; i < auth_opts->npermitopen; i++) { | ||
| 303 | tmp = cp = xstrdup(auth_opts->permitopen[i]); | ||
| 304 | /* This shouldn't fail as it has already been checked */ | ||
| 305 | if ((host = hpdelim(&cp)) == NULL) | ||
| 306 | fatal("%s: internal error: hpdelim", __func__); | ||
| 307 | host = cleanhostname(host); | ||
| 308 | if (cp == NULL || (port = permitopen_port(cp)) < 0) | ||
| 309 | fatal("%s: internal error: permitopen port", | ||
| 310 | __func__); | ||
| 311 | channel_add_permitted_opens(ssh, host, port); | ||
| 312 | free(tmp); | ||
| 313 | } | ||
| 314 | } | ||
| 315 | |||
| 290 | void | 316 | void |
| 291 | do_authenticated(struct ssh *ssh, Authctxt *authctxt) | 317 | do_authenticated(struct ssh *ssh, Authctxt *authctxt) |
| 292 | { | 318 | { |
| 293 | setproctitle("%s", authctxt->pw->pw_name); | 319 | setproctitle("%s", authctxt->pw->pw_name); |
| 294 | 320 | ||
| 321 | auth_log_authopts("active", auth_opts, 0); | ||
| 322 | |||
| 295 | /* setup the channel layer */ | 323 | /* setup the channel layer */ |
| 296 | /* XXX - streamlocal? */ | 324 | /* XXX - streamlocal? */ |
| 297 | if (no_port_forwarding_flag || options.disable_forwarding || | 325 | set_permitopen_from_authopts(ssh, auth_opts); |
| 326 | if (!auth_opts->permit_port_forwarding_flag || | ||
| 327 | options.disable_forwarding || | ||
| 298 | (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0) | 328 | (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0) |
| 299 | channel_disable_adm_local_opens(ssh); | 329 | channel_disable_adm_local_opens(ssh); |
| 300 | else | 330 | else |
| @@ -334,7 +364,6 @@ int | |||
| 334 | do_exec_no_pty(struct ssh *ssh, Session *s, const char *command) | 364 | do_exec_no_pty(struct ssh *ssh, Session *s, const char *command) |
| 335 | { | 365 | { |
| 336 | pid_t pid; | 366 | pid_t pid; |
| 337 | |||
| 338 | #ifdef USE_PIPES | 367 | #ifdef USE_PIPES |
| 339 | int pin[2], pout[2], perr[2]; | 368 | int pin[2], pout[2], perr[2]; |
| 340 | 369 | ||
| @@ -450,11 +479,6 @@ do_exec_no_pty(struct ssh *ssh, Session *s, const char *command) | |||
| 450 | close(err[0]); | 479 | close(err[0]); |
| 451 | #endif | 480 | #endif |
| 452 | 481 | ||
| 453 | |||
| 454 | #ifdef _UNICOS | ||
| 455 | cray_init_job(s->pw); /* set up cray jid and tmpdir */ | ||
| 456 | #endif | ||
| 457 | |||
| 458 | /* Do processing for the child (exec command etc). */ | 482 | /* Do processing for the child (exec command etc). */ |
| 459 | do_child(ssh, s, command); | 483 | do_child(ssh, s, command); |
| 460 | /* NOTREACHED */ | 484 | /* NOTREACHED */ |
| @@ -462,9 +486,6 @@ do_exec_no_pty(struct ssh *ssh, Session *s, const char *command) | |||
| 462 | break; | 486 | break; |
| 463 | } | 487 | } |
| 464 | 488 | ||
| 465 | #ifdef _UNICOS | ||
| 466 | signal(WJSIGNAL, cray_job_termination_handler); | ||
| 467 | #endif /* _UNICOS */ | ||
| 468 | #ifdef HAVE_CYGWIN | 489 | #ifdef HAVE_CYGWIN |
| 469 | cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); | 490 | cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); |
| 470 | #endif | 491 | #endif |
| @@ -576,9 +597,6 @@ do_exec_pty(struct ssh *ssh, Session *s, const char *command) | |||
| 576 | close(ttyfd); | 597 | close(ttyfd); |
| 577 | 598 | ||
| 578 | /* record login, etc. similar to login(1) */ | 599 | /* record login, etc. similar to login(1) */ |
| 579 | #ifdef _UNICOS | ||
| 580 | cray_init_job(s->pw); /* set up cray jid and tmpdir */ | ||
| 581 | #endif /* _UNICOS */ | ||
| 582 | #ifndef HAVE_OSF_SIA | 600 | #ifndef HAVE_OSF_SIA |
| 583 | do_login(ssh, s, command); | 601 | do_login(ssh, s, command); |
| 584 | #endif | 602 | #endif |
| @@ -592,9 +610,6 @@ do_exec_pty(struct ssh *ssh, Session *s, const char *command) | |||
| 592 | break; | 610 | break; |
| 593 | } | 611 | } |
| 594 | 612 | ||
| 595 | #ifdef _UNICOS | ||
| 596 | signal(WJSIGNAL, cray_job_termination_handler); | ||
| 597 | #endif /* _UNICOS */ | ||
| 598 | #ifdef HAVE_CYGWIN | 613 | #ifdef HAVE_CYGWIN |
| 599 | cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); | 614 | cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); |
| 600 | #endif | 615 | #endif |
| @@ -656,9 +671,9 @@ do_exec(struct ssh *ssh, Session *s, const char *command) | |||
| 656 | original_command = command; | 671 | original_command = command; |
| 657 | command = options.adm_forced_command; | 672 | command = options.adm_forced_command; |
| 658 | forced = "(config)"; | 673 | forced = "(config)"; |
| 659 | } else if (forced_command) { | 674 | } else if (auth_opts->force_command != NULL) { |
| 660 | original_command = command; | 675 | original_command = command; |
| 661 | command = forced_command; | 676 | command = auth_opts->force_command; |
| 662 | forced = "(key-option)"; | 677 | forced = "(key-option)"; |
| 663 | } | 678 | } |
| 664 | if (forced != NULL) { | 679 | if (forced != NULL) { |
| @@ -961,8 +976,9 @@ static char ** | |||
| 961 | do_setup_env(struct ssh *ssh, Session *s, const char *shell) | 976 | do_setup_env(struct ssh *ssh, Session *s, const char *shell) |
| 962 | { | 977 | { |
| 963 | char buf[256]; | 978 | char buf[256]; |
| 979 | size_t n; | ||
| 964 | u_int i, envsize; | 980 | u_int i, envsize; |
| 965 | char **env, *laddr; | 981 | char *ocp, *cp, **env, *laddr; |
| 966 | struct passwd *pw = s->pw; | 982 | struct passwd *pw = s->pw; |
| 967 | #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) | 983 | #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) |
| 968 | char *path = NULL; | 984 | char *path = NULL; |
| @@ -1037,20 +1053,17 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) | |||
| 1037 | if (getenv("TZ")) | 1053 | if (getenv("TZ")) |
| 1038 | child_set_env(&env, &envsize, "TZ", getenv("TZ")); | 1054 | child_set_env(&env, &envsize, "TZ", getenv("TZ")); |
| 1039 | 1055 | ||
| 1040 | /* Set custom environment options from RSA authentication. */ | 1056 | /* Set custom environment options from pubkey authentication. */ |
| 1041 | while (custom_environment) { | 1057 | if (options.permit_user_env) { |
| 1042 | struct envstring *ce = custom_environment; | 1058 | for (n = 0 ; n < auth_opts->nenv; n++) { |
| 1043 | char *str = ce->s; | 1059 | ocp = xstrdup(auth_opts->env[n]); |
| 1044 | 1060 | cp = strchr(ocp, '='); | |
| 1045 | for (i = 0; str[i] != '=' && str[i]; i++) | 1061 | if (*cp == '=') { |
| 1046 | ; | 1062 | *cp = '\0'; |
| 1047 | if (str[i] == '=') { | 1063 | child_set_env(&env, &envsize, ocp, cp + 1); |
| 1048 | str[i] = 0; | 1064 | } |
| 1049 | child_set_env(&env, &envsize, str, str + i + 1); | 1065 | free(ocp); |
| 1050 | } | 1066 | } |
| 1051 | custom_environment = ce->next; | ||
| 1052 | free(ce->s); | ||
| 1053 | free(ce); | ||
| 1054 | } | 1067 | } |
| 1055 | 1068 | ||
| 1056 | /* SSH_CLIENT deprecated */ | 1069 | /* SSH_CLIENT deprecated */ |
| @@ -1066,6 +1079,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) | |||
| 1066 | free(laddr); | 1079 | free(laddr); |
| 1067 | child_set_env(&env, &envsize, "SSH_CONNECTION", buf); | 1080 | child_set_env(&env, &envsize, "SSH_CONNECTION", buf); |
| 1068 | 1081 | ||
| 1082 | if (tun_fwd_ifnames != NULL) | ||
| 1083 | child_set_env(&env, &envsize, "SSH_TUNNEL", tun_fwd_ifnames); | ||
| 1069 | if (auth_info_file != NULL) | 1084 | if (auth_info_file != NULL) |
| 1070 | child_set_env(&env, &envsize, "SSH_USER_AUTH", auth_info_file); | 1085 | child_set_env(&env, &envsize, "SSH_USER_AUTH", auth_info_file); |
| 1071 | if (s->ttyfd != -1) | 1086 | if (s->ttyfd != -1) |
| @@ -1078,11 +1093,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) | |||
| 1078 | child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", | 1093 | child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", |
| 1079 | original_command); | 1094 | original_command); |
| 1080 | 1095 | ||
| 1081 | #ifdef _UNICOS | ||
| 1082 | if (cray_tmpdir[0] != '\0') | ||
| 1083 | child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir); | ||
| 1084 | #endif /* _UNICOS */ | ||
| 1085 | |||
| 1086 | /* | 1096 | /* |
| 1087 | * Since we clear KRB5CCNAME at startup, if it's set now then it | 1097 | * Since we clear KRB5CCNAME at startup, if it's set now then it |
| 1088 | * must have been set by a native authentication method (eg AIX or | 1098 | * must have been set by a native authentication method (eg AIX or |
| @@ -1155,7 +1165,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) | |||
| 1155 | * first in this order). | 1165 | * first in this order). |
| 1156 | */ | 1166 | */ |
| 1157 | static void | 1167 | static void |
| 1158 | do_rc_files(Session *s, const char *shell) | 1168 | do_rc_files(struct ssh *ssh, Session *s, const char *shell) |
| 1159 | { | 1169 | { |
| 1160 | FILE *f = NULL; | 1170 | FILE *f = NULL; |
| 1161 | char cmd[1024]; | 1171 | char cmd[1024]; |
| @@ -1167,7 +1177,7 @@ do_rc_files(Session *s, const char *shell) | |||
| 1167 | 1177 | ||
| 1168 | /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */ | 1178 | /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */ |
| 1169 | if (!s->is_subsystem && options.adm_forced_command == NULL && | 1179 | if (!s->is_subsystem && options.adm_forced_command == NULL && |
| 1170 | !no_user_rc && options.permit_user_rc && | 1180 | auth_opts->permit_user_rc && options.permit_user_rc && |
| 1171 | stat(_PATH_SSH_USER_RC, &st) >= 0) { | 1181 | stat(_PATH_SSH_USER_RC, &st) >= 0) { |
| 1172 | snprintf(cmd, sizeof cmd, "%s -c '%s %s'", | 1182 | snprintf(cmd, sizeof cmd, "%s -c '%s %s'", |
| 1173 | shell, _PATH_BSHELL, _PATH_SSH_USER_RC); | 1183 | shell, _PATH_BSHELL, _PATH_SSH_USER_RC); |
| @@ -1248,10 +1258,10 @@ do_nologin(struct passwd *pw) | |||
| 1248 | /* /etc/nologin exists. Print its contents if we can and exit. */ | 1258 | /* /etc/nologin exists. Print its contents if we can and exit. */ |
| 1249 | logit("User %.100s not allowed because %s exists", pw->pw_name, nl); | 1259 | logit("User %.100s not allowed because %s exists", pw->pw_name, nl); |
| 1250 | if ((f = fopen(nl, "r")) != NULL) { | 1260 | if ((f = fopen(nl, "r")) != NULL) { |
| 1251 | while (fgets(buf, sizeof(buf), f)) | 1261 | while (fgets(buf, sizeof(buf), f)) |
| 1252 | fputs(buf, stderr); | 1262 | fputs(buf, stderr); |
| 1253 | fclose(f); | 1263 | fclose(f); |
| 1254 | } | 1264 | } |
| 1255 | exit(254); | 1265 | exit(254); |
| 1256 | } | 1266 | } |
| 1257 | 1267 | ||
| @@ -1483,10 +1493,6 @@ do_child(struct ssh *ssh, Session *s, const char *command) | |||
| 1483 | exit(1); | 1493 | exit(1); |
| 1484 | } | 1494 | } |
| 1485 | 1495 | ||
| 1486 | #ifdef _UNICOS | ||
| 1487 | cray_setup(pw->pw_uid, pw->pw_name, command); | ||
| 1488 | #endif /* _UNICOS */ | ||
| 1489 | |||
| 1490 | /* | 1496 | /* |
| 1491 | * Login(1) does this as well, and it needs uid 0 for the "-h" | 1497 | * Login(1) does this as well, and it needs uid 0 for the "-h" |
| 1492 | * switch, so we let login(1) to this for us. | 1498 | * switch, so we let login(1) to this for us. |
| @@ -1591,7 +1597,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) | |||
| 1591 | 1597 | ||
| 1592 | closefrom(STDERR_FILENO + 1); | 1598 | closefrom(STDERR_FILENO + 1); |
| 1593 | 1599 | ||
| 1594 | do_rc_files(s, shell); | 1600 | do_rc_files(ssh, s, shell); |
| 1595 | 1601 | ||
| 1596 | /* restore SIGPIPE for child */ | 1602 | /* restore SIGPIPE for child */ |
| 1597 | signal(SIGPIPE, SIG_DFL); | 1603 | signal(SIGPIPE, SIG_DFL); |
| @@ -1854,8 +1860,8 @@ session_pty_req(struct ssh *ssh, Session *s) | |||
| 1854 | u_int len; | 1860 | u_int len; |
| 1855 | int n_bytes; | 1861 | int n_bytes; |
| 1856 | 1862 | ||
| 1857 | if (no_pty_flag || !options.permit_tty) { | 1863 | if (!auth_opts->permit_pty_flag || !options.permit_tty) { |
| 1858 | debug("Allocating a pty not permitted for this authentication."); | 1864 | debug("Allocating a pty not permitted for this connection."); |
| 1859 | return 0; | 1865 | return 0; |
| 1860 | } | 1866 | } |
| 1861 | if (s->ttyfd != -1) { | 1867 | if (s->ttyfd != -1) { |
| @@ -2043,9 +2049,11 @@ static int | |||
| 2043 | session_auth_agent_req(struct ssh *ssh, Session *s) | 2049 | session_auth_agent_req(struct ssh *ssh, Session *s) |
| 2044 | { | 2050 | { |
| 2045 | static int called = 0; | 2051 | static int called = 0; |
| 2052 | |||
| 2046 | packet_check_eom(); | 2053 | packet_check_eom(); |
| 2047 | if (no_agent_forwarding_flag || !options.allow_agent_forwarding) { | 2054 | if (!auth_opts->permit_agent_forwarding_flag || |
| 2048 | debug("session_auth_agent_req: no_agent_forwarding_flag"); | 2055 | !options.allow_agent_forwarding) { |
| 2056 | debug("%s: agent forwarding disabled", __func__); | ||
| 2049 | return 0; | 2057 | return 0; |
| 2050 | } | 2058 | } |
| 2051 | if (called) { | 2059 | if (called) { |
| @@ -2423,8 +2431,8 @@ session_setup_x11fwd(struct ssh *ssh, Session *s) | |||
| 2423 | char hostname[NI_MAXHOST]; | 2431 | char hostname[NI_MAXHOST]; |
| 2424 | u_int i; | 2432 | u_int i; |
| 2425 | 2433 | ||
| 2426 | if (no_x11_forwarding_flag) { | 2434 | if (!auth_opts->permit_x11_forwarding_flag) { |
| 2427 | packet_send_debug("X11 forwarding disabled in user configuration file."); | 2435 | packet_send_debug("X11 forwarding disabled by key options."); |
| 2428 | return 0; | 2436 | return 0; |
| 2429 | } | 2437 | } |
| 2430 | if (!options.x11_forwarding) { | 2438 | if (!options.x11_forwarding) { |
| @@ -2433,7 +2441,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s) | |||
| 2433 | } | 2441 | } |
| 2434 | if (options.xauth_location == NULL || | 2442 | if (options.xauth_location == NULL || |
| 2435 | (stat(options.xauth_location, &st) == -1)) { | 2443 | (stat(options.xauth_location, &st) == -1)) { |
| 2436 | packet_send_debug("No xauth program; cannot forward with spoofing."); | 2444 | packet_send_debug("No xauth program; cannot forward X11."); |
| 2437 | return 0; | 2445 | return 0; |
| 2438 | } | 2446 | } |
| 2439 | if (s->display != NULL) { | 2447 | if (s->display != NULL) { |