diff options
author | Colin Watson <cjwatson@debian.org> | 2003-09-01 02:05:26 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2003-09-01 02:05:26 +0000 |
commit | 6d5a72bc1d98a42ba42f082e50a22e911c1d82d3 (patch) | |
tree | 1bf23174bdb6fc71e2846dda0eca195a418484e7 /ssh.c | |
parent | 2ee26b431f98cf1dc0e4fb9809ad1e0c879b8c08 (diff) | |
parent | 58657d96514cd6f16d82add8d6f4adbb36765758 (diff) |
Debian release 3.5p1-1.
Diffstat (limited to 'ssh.c')
-rw-r--r-- | ssh.c | 60 |
1 files changed, 39 insertions, 21 deletions
@@ -40,7 +40,7 @@ | |||
40 | */ | 40 | */ |
41 | 41 | ||
42 | #include "includes.h" | 42 | #include "includes.h" |
43 | RCSID("$OpenBSD: ssh.c,v 1.179 2002/06/12 01:09:52 markus Exp $"); | 43 | RCSID("$OpenBSD: ssh.c,v 1.186 2002/09/19 01:58:18 djm Exp $"); |
44 | 44 | ||
45 | #include <openssl/evp.h> | 45 | #include <openssl/evp.h> |
46 | #include <openssl/err.h> | 46 | #include <openssl/err.h> |
@@ -146,6 +146,9 @@ int subsystem_flag = 0; | |||
146 | /* # of replies received for global requests */ | 146 | /* # of replies received for global requests */ |
147 | static int client_global_request_id = 0; | 147 | static int client_global_request_id = 0; |
148 | 148 | ||
149 | /* pid of proxycommand child process */ | ||
150 | pid_t proxy_command_pid = 0; | ||
151 | |||
149 | /* Prints a help message to the user. This function never returns. */ | 152 | /* Prints a help message to the user. This function never returns. */ |
150 | 153 | ||
151 | static void | 154 | static void |
@@ -174,7 +177,6 @@ usage(void) | |||
174 | fprintf(stderr, " -v Verbose; display verbose debugging messages.\n"); | 177 | fprintf(stderr, " -v Verbose; display verbose debugging messages.\n"); |
175 | fprintf(stderr, " Multiple -v increases verbosity.\n"); | 178 | fprintf(stderr, " Multiple -v increases verbosity.\n"); |
176 | fprintf(stderr, " -V Display version number only.\n"); | 179 | fprintf(stderr, " -V Display version number only.\n"); |
177 | fprintf(stderr, " -P Don't allocate a privileged port.\n"); | ||
178 | fprintf(stderr, " -q Quiet; don't display any warning messages.\n"); | 180 | fprintf(stderr, " -q Quiet; don't display any warning messages.\n"); |
179 | fprintf(stderr, " -f Fork into background after authentication.\n"); | 181 | fprintf(stderr, " -f Fork into background after authentication.\n"); |
180 | fprintf(stderr, " -e char Set escape character; ``none'' = disable (default: ~).\n"); | 182 | fprintf(stderr, " -e char Set escape character; ``none'' = disable (default: ~).\n"); |
@@ -229,6 +231,15 @@ main(int ac, char **av) | |||
229 | */ | 231 | */ |
230 | original_real_uid = getuid(); | 232 | original_real_uid = getuid(); |
231 | original_effective_uid = geteuid(); | 233 | original_effective_uid = geteuid(); |
234 | |||
235 | /* | ||
236 | * Use uid-swapping to give up root privileges for the duration of | ||
237 | * option processing. We will re-instantiate the rights when we are | ||
238 | * ready to create the privileged port, and will permanently drop | ||
239 | * them when the port has been created (actually, when the connection | ||
240 | * has been made, as we may need to create the port several times). | ||
241 | */ | ||
242 | PRIV_END; | ||
232 | 243 | ||
233 | #ifdef HAVE_SETRLIMIT | 244 | #ifdef HAVE_SETRLIMIT |
234 | /* If we are installed setuid root be careful to not drop core. */ | 245 | /* If we are installed setuid root be careful to not drop core. */ |
@@ -249,15 +260,6 @@ main(int ac, char **av) | |||
249 | pw = pwcopy(pw); | 260 | pw = pwcopy(pw); |
250 | 261 | ||
251 | /* | 262 | /* |
252 | * Use uid-swapping to give up root privileges for the duration of | ||
253 | * option processing. We will re-instantiate the rights when we are | ||
254 | * ready to create the privileged port, and will permanently drop | ||
255 | * them when the port has been created (actually, when the connection | ||
256 | * has been made, as we may need to create the port several times). | ||
257 | */ | ||
258 | PRIV_END; | ||
259 | |||
260 | /* | ||
261 | * Set our umask to something reasonable, as some files are created | 263 | * Set our umask to something reasonable, as some files are created |
262 | * with the default umask. This will make them world-readable but | 264 | * with the default umask. This will make them world-readable but |
263 | * writable only by the owner, which is ok for all files for which we | 265 | * writable only by the owner, which is ok for all files for which we |
@@ -303,7 +305,7 @@ again: | |||
303 | case 'g': | 305 | case 'g': |
304 | options.gateway_ports = 1; | 306 | options.gateway_ports = 1; |
305 | break; | 307 | break; |
306 | case 'P': | 308 | case 'P': /* deprecated */ |
307 | options.use_privileged_port = 0; | 309 | options.use_privileged_port = 0; |
308 | break; | 310 | break; |
309 | case 'a': | 311 | case 'a': |
@@ -557,7 +559,7 @@ again: | |||
557 | if (buffer_len(&command) == 0) | 559 | if (buffer_len(&command) == 0) |
558 | tty_flag = 1; | 560 | tty_flag = 1; |
559 | 561 | ||
560 | /* Force no tty*/ | 562 | /* Force no tty */ |
561 | if (no_tty_flag) | 563 | if (no_tty_flag) |
562 | tty_flag = 0; | 564 | tty_flag = 0; |
563 | /* Do not allocate a tty if stdin is not a tty. */ | 565 | /* Do not allocate a tty if stdin is not a tty. */ |
@@ -642,7 +644,8 @@ again: | |||
642 | if (options.rhosts_rsa_authentication || | 644 | if (options.rhosts_rsa_authentication || |
643 | options.hostbased_authentication) { | 645 | options.hostbased_authentication) { |
644 | sensitive_data.nkeys = 3; | 646 | sensitive_data.nkeys = 3; |
645 | sensitive_data.keys = xmalloc(sensitive_data.nkeys*sizeof(Key)); | 647 | sensitive_data.keys = xmalloc(sensitive_data.nkeys * |
648 | sizeof(Key)); | ||
646 | 649 | ||
647 | PRIV_START; | 650 | PRIV_START; |
648 | sensitive_data.keys[0] = key_load_private_type(KEY_RSA1, | 651 | sensitive_data.keys[0] = key_load_private_type(KEY_RSA1, |
@@ -653,7 +656,8 @@ again: | |||
653 | _PATH_HOST_RSA_KEY_FILE, "", NULL); | 656 | _PATH_HOST_RSA_KEY_FILE, "", NULL); |
654 | PRIV_END; | 657 | PRIV_END; |
655 | 658 | ||
656 | if (sensitive_data.keys[0] == NULL && | 659 | if (options.hostbased_authentication == 1 && |
660 | sensitive_data.keys[0] == NULL && | ||
657 | sensitive_data.keys[1] == NULL && | 661 | sensitive_data.keys[1] == NULL && |
658 | sensitive_data.keys[2] == NULL) { | 662 | sensitive_data.keys[2] == NULL) { |
659 | sensitive_data.keys[1] = key_load_public( | 663 | sensitive_data.keys[1] = key_load_public( |
@@ -726,6 +730,14 @@ again: | |||
726 | 730 | ||
727 | exit_status = compat20 ? ssh_session2() : ssh_session(); | 731 | exit_status = compat20 ? ssh_session2() : ssh_session(); |
728 | packet_close(); | 732 | packet_close(); |
733 | |||
734 | /* | ||
735 | * Send SIGHUP to proxy command if used. We don't wait() in | ||
736 | * case it hangs and instead rely on init to reap the child | ||
737 | */ | ||
738 | if (proxy_command_pid > 1) | ||
739 | kill(proxy_command_pid, SIGHUP); | ||
740 | |||
729 | return exit_status; | 741 | return exit_status; |
730 | } | 742 | } |
731 | 743 | ||
@@ -737,11 +749,19 @@ x11_get_proto(char **_proto, char **_data) | |||
737 | FILE *f; | 749 | FILE *f; |
738 | int got_data = 0, i; | 750 | int got_data = 0, i; |
739 | char *display; | 751 | char *display; |
752 | struct stat st; | ||
740 | 753 | ||
741 | *_proto = proto; | 754 | *_proto = proto; |
742 | *_data = data; | 755 | *_data = data; |
743 | proto[0] = data[0] = '\0'; | 756 | proto[0] = data[0] = '\0'; |
744 | if (options.xauth_location && (display = getenv("DISPLAY"))) { | 757 | if (!options.xauth_location || |
758 | (stat(options.xauth_location, &st) == -1)) { | ||
759 | debug("No xauth program."); | ||
760 | } else { | ||
761 | if ((display = getenv("DISPLAY")) == NULL) { | ||
762 | debug("x11_get_proto: DISPLAY not set"); | ||
763 | return; | ||
764 | } | ||
745 | /* Try to get Xauthority information for the display. */ | 765 | /* Try to get Xauthority information for the display. */ |
746 | if (strncmp(display, "localhost:", 10) == 0) | 766 | if (strncmp(display, "localhost:", 10) == 0) |
747 | /* | 767 | /* |
@@ -756,7 +776,7 @@ x11_get_proto(char **_proto, char **_data) | |||
756 | else | 776 | else |
757 | snprintf(line, sizeof line, "%s list %.200s 2>" | 777 | snprintf(line, sizeof line, "%s list %.200s 2>" |
758 | _PATH_DEVNULL, options.xauth_location, display); | 778 | _PATH_DEVNULL, options.xauth_location, display); |
759 | debug2("x11_get_proto %s", line); | 779 | debug2("x11_get_proto: %s", line); |
760 | f = popen(line, "r"); | 780 | f = popen(line, "r"); |
761 | if (f && fgets(line, sizeof(line), f) && | 781 | if (f && fgets(line, sizeof(line), f) && |
762 | sscanf(line, "%*s %511s %511s", proto, data) == 2) | 782 | sscanf(line, "%*s %511s %511s", proto, data) == 2) |
@@ -775,6 +795,7 @@ x11_get_proto(char **_proto, char **_data) | |||
775 | if (!got_data) { | 795 | if (!got_data) { |
776 | u_int32_t rand = 0; | 796 | u_int32_t rand = 0; |
777 | 797 | ||
798 | log("Warning: No xauth data; using fake authentication data for X11 forwarding."); | ||
778 | strlcpy(proto, "MIT-MAGIC-COOKIE-1", sizeof proto); | 799 | strlcpy(proto, "MIT-MAGIC-COOKIE-1", sizeof proto); |
779 | for (i = 0; i < 16; i++) { | 800 | for (i = 0; i < 16; i++) { |
780 | if (i % 4 == 0) | 801 | if (i % 4 == 0) |
@@ -824,11 +845,8 @@ check_agent_present(void) | |||
824 | { | 845 | { |
825 | if (options.forward_agent) { | 846 | if (options.forward_agent) { |
826 | /* Clear agent forwarding if we don\'t have an agent. */ | 847 | /* Clear agent forwarding if we don\'t have an agent. */ |
827 | int authfd = ssh_get_authentication_socket(); | 848 | if (!ssh_agent_present()) |
828 | if (authfd < 0) | ||
829 | options.forward_agent = 0; | 849 | options.forward_agent = 0; |
830 | else | ||
831 | ssh_close_authentication_socket(authfd); | ||
832 | } | 850 | } |
833 | } | 851 | } |
834 | 852 | ||