diff options
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | contrib/cygwin/ssh-host-config | 11 | ||||
| -rw-r--r-- | openbsd-compat/bsd-cygwin_util.c | 72 |
3 files changed, 71 insertions, 17 deletions
| @@ -36,6 +36,9 @@ | |||
| 36 | [scp.c] | 36 | [scp.c] |
| 37 | check exit status from ssh, and exit(1) if ssh fails; bug#369; | 37 | check exit status from ssh, and exit(1) if ssh fails; bug#369; |
| 38 | binder@arago.de | 38 | binder@arago.de |
| 39 | - (bal) Update ssh-host-config and minor rewrite of bsd-cygwin_util.c | ||
| 40 | ntsec now default if cygwin version beginning w/ version 56. Patch | ||
| 41 | by Corinna Vinschen <vinschen@redhat.com> | ||
| 39 | 42 | ||
| 40 | 20021021 | 43 | 20021021 |
| 41 | - (djm) Bug #400: Kill ssh-rand-helper children on timeout, patch from | 44 | - (djm) Bug #400: Kill ssh-rand-helper children on timeout, patch from |
| @@ -813,4 +816,4 @@ | |||
| 813 | save auth method before monitor_reset_key_state(); bugzilla bug #284; | 816 | save auth method before monitor_reset_key_state(); bugzilla bug #284; |
| 814 | ok provos@ | 817 | ok provos@ |
| 815 | 818 | ||
| 816 | $Id: ChangeLog,v 1.2509 2002/11/09 15:54:08 mouring Exp $ | 819 | $Id: ChangeLog,v 1.2510 2002/11/09 15:59:27 mouring Exp $ |
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index 4df5aa969..2c6db51e5 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config | |||
| @@ -378,6 +378,8 @@ then | |||
| 378 | # This is the sshd server system-wide configuration file. See | 378 | # This is the sshd server system-wide configuration file. See |
| 379 | # sshd_config(5) for more information. | 379 | # sshd_config(5) for more information. |
| 380 | 380 | ||
| 381 | # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin | ||
| 382 | |||
| 381 | # The strategy used for options in the default sshd_config shipped with | 383 | # The strategy used for options in the default sshd_config shipped with |
| 382 | # OpenSSH is to specify options with their default value where | 384 | # OpenSSH is to specify options with their default value where |
| 383 | # possible, but leave them commented. Uncommented options change a | 385 | # possible, but leave them commented. Uncommented options change a |
| @@ -394,7 +396,7 @@ Port $port_number | |||
| 394 | #HostKey ${SYSCONFDIR}/ssh_host_rsa_key | 396 | #HostKey ${SYSCONFDIR}/ssh_host_rsa_key |
| 395 | #HostKey ${SYSCONFDIR}/ssh_host_dsa_key | 397 | #HostKey ${SYSCONFDIR}/ssh_host_dsa_key |
| 396 | 398 | ||
| 397 | # Lifetime and size of ephemeral version 1 server ke | 399 | # Lifetime and size of ephemeral version 1 server key |
| 398 | #KeyRegenerationInterval 3600 | 400 | #KeyRegenerationInterval 3600 |
| 399 | #ServerKeyBits 768 | 401 | #ServerKeyBits 768 |
| 400 | 402 | ||
| @@ -405,7 +407,7 @@ Port $port_number | |||
| 405 | 407 | ||
| 406 | # Authentication: | 408 | # Authentication: |
| 407 | 409 | ||
| 408 | #LoginGraceTime 600 | 410 | #LoginGraceTime 120 |
| 409 | #PermitRootLogin yes | 411 | #PermitRootLogin yes |
| 410 | # The following setting overrides permission checks on host key files | 412 | # The following setting overrides permission checks on host key files |
| 411 | # and directories. For security reasons set this to "yes" when running | 413 | # and directories. For security reasons set this to "yes" when running |
| @@ -414,11 +416,11 @@ StrictModes no | |||
| 414 | 416 | ||
| 415 | #RSAAuthentication yes | 417 | #RSAAuthentication yes |
| 416 | #PubkeyAuthentication yes | 418 | #PubkeyAuthentication yes |
| 417 | #AuthorizedKeysFile %h/.ssh/authorized_keys | 419 | #AuthorizedKeysFile .ssh/authorized_keys |
| 418 | 420 | ||
| 419 | # rhosts authentication should not be used | 421 | # rhosts authentication should not be used |
| 420 | #RhostsAuthentication no | 422 | #RhostsAuthentication no |
| 421 | # Don't read ~/.rhosts and ~/.shosts files | 423 | # Don't read the user's ~/.rhosts and ~/.shosts files |
| 422 | #IgnoreRhosts yes | 424 | #IgnoreRhosts yes |
| 423 | # For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts | 425 | # For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts |
| 424 | #RhostsRSAAuthentication no | 426 | #RhostsRSAAuthentication no |
| @@ -443,6 +445,7 @@ StrictModes no | |||
| 443 | #KeepAlive yes | 445 | #KeepAlive yes |
| 444 | #UseLogin no | 446 | #UseLogin no |
| 445 | UsePrivilegeSeparation $privsep_used | 447 | UsePrivilegeSeparation $privsep_used |
| 448 | #PermitUserEnvironment no | ||
| 446 | #Compression yes | 449 | #Compression yes |
| 447 | 450 | ||
| 448 | #MaxStartups 10 | 451 | #MaxStartups 10 |
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c index 2396a6e6b..0fa5964bc 100644 --- a/openbsd-compat/bsd-cygwin_util.c +++ b/openbsd-compat/bsd-cygwin_util.c | |||
| @@ -31,7 +31,7 @@ | |||
| 31 | 31 | ||
| 32 | #include "includes.h" | 32 | #include "includes.h" |
| 33 | 33 | ||
| 34 | RCSID("$Id: bsd-cygwin_util.c,v 1.8 2002/04/15 22:00:52 stevesk Exp $"); | 34 | RCSID("$Id: bsd-cygwin_util.c,v 1.9 2002/11/09 15:59:29 mouring Exp $"); |
| 35 | 35 | ||
| 36 | #ifdef HAVE_CYGWIN | 36 | #ifdef HAVE_CYGWIN |
| 37 | 37 | ||
| @@ -43,6 +43,7 @@ RCSID("$Id: bsd-cygwin_util.c,v 1.8 2002/04/15 22:00:52 stevesk Exp $"); | |||
| 43 | #define is_winnt (GetVersion() < 0x80000000) | 43 | #define is_winnt (GetVersion() < 0x80000000) |
| 44 | 44 | ||
| 45 | #define ntsec_on(c) ((c) && strstr((c),"ntsec") && !strstr((c),"nontsec")) | 45 | #define ntsec_on(c) ((c) && strstr((c),"ntsec") && !strstr((c),"nontsec")) |
| 46 | #define ntsec_off(c) ((c) && strstr((c),"nontsec")) | ||
| 46 | #define ntea_on(c) ((c) && strstr((c),"ntea") && !strstr((c),"nontea")) | 47 | #define ntea_on(c) ((c) && strstr((c),"ntea") && !strstr((c),"nontea")) |
| 47 | 48 | ||
| 48 | #if defined(open) && open == binary_open | 49 | #if defined(open) && open == binary_open |
| @@ -74,6 +75,56 @@ int binary_pipe(int fd[2]) | |||
| 74 | return ret; | 75 | return ret; |
| 75 | } | 76 | } |
| 76 | 77 | ||
| 78 | #define HAS_CREATE_TOKEN 1 | ||
| 79 | #define HAS_NTSEC_BY_DEFAULT 2 | ||
| 80 | |||
| 81 | static int has_capability(int what) | ||
| 82 | { | ||
| 83 | /* has_capability() basically calls uname() and checks if | ||
| 84 | specific capabilities of Cygwin can be evaluated from that. | ||
| 85 | This simplifies the calling functions which only have to ask | ||
| 86 | for a capability using has_capability() instead of having | ||
| 87 | to figure that out by themselves. */ | ||
| 88 | static int inited; | ||
| 89 | static int has_create_token; | ||
| 90 | static int has_ntsec_by_default; | ||
| 91 | |||
| 92 | if (!inited) { | ||
| 93 | struct utsname uts; | ||
| 94 | char *c; | ||
| 95 | |||
| 96 | if (!uname(&uts)) { | ||
| 97 | int major_high = 0; | ||
| 98 | int major_low = 0; | ||
| 99 | int minor = 0; | ||
| 100 | int api_major_version = 0; | ||
| 101 | int api_minor_version = 0; | ||
| 102 | char *c; | ||
| 103 | |||
| 104 | sscanf(uts.release, "%d.%d.%d", &major_high, | ||
| 105 | &major_low, &minor); | ||
| 106 | c = strchr(uts.release, '('); | ||
| 107 | if (c) | ||
| 108 | sscanf(c + 1, "%d.%d", &api_major_version, | ||
| 109 | &api_minor_version); | ||
| 110 | if (major_high > 1 || | ||
| 111 | (major_high == 1 && (major_low > 3 || | ||
| 112 | (major_low == 3 && minor >= 2)))) | ||
| 113 | has_create_token = 1; | ||
| 114 | if (api_major_version > 0 || api_minor_version >= 56) | ||
| 115 | has_ntsec_by_default = 1; | ||
| 116 | inited = 1; | ||
| 117 | } | ||
| 118 | } | ||
| 119 | switch (what) { | ||
| 120 | case HAS_CREATE_TOKEN: | ||
| 121 | return has_create_token; | ||
| 122 | case HAS_NTSEC_BY_DEFAULT: | ||
| 123 | return has_ntsec_by_default; | ||
| 124 | } | ||
| 125 | return 0; | ||
| 126 | } | ||
| 127 | |||
| 77 | int check_nt_auth(int pwd_authenticated, struct passwd *pw) | 128 | int check_nt_auth(int pwd_authenticated, struct passwd *pw) |
| 78 | { | 129 | { |
| 79 | /* | 130 | /* |
| @@ -93,19 +144,14 @@ int check_nt_auth(int pwd_authenticated, struct passwd *pw) | |||
| 93 | return 0; | 144 | return 0; |
| 94 | if (is_winnt) { | 145 | if (is_winnt) { |
| 95 | if (has_create_token < 0) { | 146 | if (has_create_token < 0) { |
| 96 | struct utsname uts; | ||
| 97 | int major_high = 0, major_low = 0, minor = 0; | ||
| 98 | char *cygwin = getenv("CYGWIN"); | 147 | char *cygwin = getenv("CYGWIN"); |
| 99 | 148 | ||
| 100 | has_create_token = 0; | 149 | has_create_token = 0; |
| 101 | if (ntsec_on(cygwin) && !uname(&uts)) { | 150 | if (has_capability(HAS_CREATE_TOKEN) && |
| 102 | sscanf(uts.release, "%d.%d.%d", | 151 | (ntsec_on(cygwin) || |
| 103 | &major_high, &major_low, &minor); | 152 | (has_capability(HAS_NTSEC_BY_DEFAULT) && |
| 104 | if (major_high > 1 || | 153 | !ntsec_off(cygwin)))) |
| 105 | (major_high == 1 && (major_low > 3 || | 154 | has_create_token = 1; |
| 106 | (major_low == 3 && minor >= 2)))) | ||
| 107 | has_create_token = 1; | ||
| 108 | } | ||
| 109 | } | 155 | } |
| 110 | if (has_create_token < 1 && | 156 | if (has_create_token < 1 && |
| 111 | !pwd_authenticated && geteuid() != pw->pw_uid) | 157 | !pwd_authenticated && geteuid() != pw->pw_uid) |
| @@ -128,7 +174,9 @@ int check_ntsec(const char *filename) | |||
| 128 | /* Evaluate current CYGWIN settings. */ | 174 | /* Evaluate current CYGWIN settings. */ |
| 129 | cygwin = getenv("CYGWIN"); | 175 | cygwin = getenv("CYGWIN"); |
| 130 | allow_ntea = ntea_on(cygwin); | 176 | allow_ntea = ntea_on(cygwin); |
| 131 | allow_ntsec = ntsec_on(cygwin); | 177 | allow_ntsec = ntsec_on(cygwin) || |
| 178 | (has_capability(HAS_NTSEC_BY_DEFAULT) && | ||
| 179 | !ntsec_off(cygwin)); | ||
| 132 | 180 | ||
| 133 | /* | 181 | /* |
| 134 | * `ntea' is an emulation of POSIX attributes. It doesn't support | 182 | * `ntea' is an emulation of POSIX attributes. It doesn't support |