summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--monitor.c5
-rw-r--r--servconf.c14
-rw-r--r--servconf.h3
-rw-r--r--session.c171
-rw-r--r--sshd.87
-rw-r--r--sshd.c4
-rw-r--r--sshd_config.526
7 files changed, 72 insertions, 158 deletions
diff --git a/monitor.c b/monitor.c
index 59b05a98f..a86b77936 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: monitor.c,v 1.162 2016/08/13 17:47:41 markus Exp $ */ 1/* $OpenBSD: monitor.c,v 1.163 2016/08/19 03:18:06 djm Exp $ */
2/* 2/*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -1395,9 +1395,6 @@ mm_record_login(Session *s, struct passwd *pw)
1395 socklen_t fromlen; 1395 socklen_t fromlen;
1396 struct sockaddr_storage from; 1396 struct sockaddr_storage from;
1397 1397
1398 if (options.use_login)
1399 return;
1400
1401 /* 1398 /*
1402 * Get IP address of client. If the connection is not a socket, let 1399 * Get IP address of client. If the connection is not a socket, let
1403 * the address be 0.0.0.0. 1400 * the address be 0.0.0.0.
diff --git a/servconf.c b/servconf.c
index 9bd659c41..8a4a7091a 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
1 1
2/* $OpenBSD: servconf.c,v 1.293 2016/08/15 12:27:56 naddy Exp $ */ 2/* $OpenBSD: servconf.c,v 1.294 2016/08/19 03:18:06 djm Exp $ */
3/* 3/*
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved 5 * All rights reserved
@@ -120,7 +120,6 @@ initialize_server_options(ServerOptions *options)
120 options->challenge_response_authentication = -1; 120 options->challenge_response_authentication = -1;
121 options->permit_empty_passwd = -1; 121 options->permit_empty_passwd = -1;
122 options->permit_user_env = -1; 122 options->permit_user_env = -1;
123 options->use_login = -1;
124 options->compression = -1; 123 options->compression = -1;
125 options->rekey_limit = -1; 124 options->rekey_limit = -1;
126 options->rekey_interval = -1; 125 options->rekey_interval = -1;
@@ -281,8 +280,6 @@ fill_default_server_options(ServerOptions *options)
281 options->permit_empty_passwd = 0; 280 options->permit_empty_passwd = 0;
282 if (options->permit_user_env == -1) 281 if (options->permit_user_env == -1)
283 options->permit_user_env = 0; 282 options->permit_user_env = 0;
284 if (options->use_login == -1)
285 options->use_login = 0;
286 if (options->compression == -1) 283 if (options->compression == -1)
287 options->compression = COMP_DELAYED; 284 options->compression = COMP_DELAYED;
288 if (options->rekey_limit == -1) 285 if (options->rekey_limit == -1)
@@ -397,7 +394,7 @@ typedef enum {
397 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 394 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
398 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 395 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
399 sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, 396 sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
400 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 397 sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
401 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 398 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
402 sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile, 399 sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
403 sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, 400 sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
@@ -508,7 +505,7 @@ static struct {
508 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 505 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
509 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 506 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
510 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 507 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
511 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 508 { "uselogin", sDeprecated, SSHCFG_GLOBAL },
512 { "compression", sCompression, SSHCFG_GLOBAL }, 509 { "compression", sCompression, SSHCFG_GLOBAL },
513 { "rekeylimit", sRekeyLimit, SSHCFG_ALL }, 510 { "rekeylimit", sRekeyLimit, SSHCFG_ALL },
514 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, 511 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
@@ -1283,10 +1280,6 @@ process_server_config_line(ServerOptions *options, char *line,
1283 intptr = &options->permit_user_env; 1280 intptr = &options->permit_user_env;
1284 goto parse_flag; 1281 goto parse_flag;
1285 1282
1286 case sUseLogin:
1287 intptr = &options->use_login;
1288 goto parse_flag;
1289
1290 case sCompression: 1283 case sCompression:
1291 intptr = &options->compression; 1284 intptr = &options->compression;
1292 multistate_ptr = multistate_compression; 1285 multistate_ptr = multistate_compression;
@@ -2261,7 +2254,6 @@ dump_config(ServerOptions *o)
2261 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 2254 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2262 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); 2255 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2263 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); 2256 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
2264 dump_cfg_fmtint(sUseLogin, o->use_login);
2265 dump_cfg_fmtint(sCompression, o->compression); 2257 dump_cfg_fmtint(sCompression, o->compression);
2266 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); 2258 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
2267 dump_cfg_fmtint(sUseDNS, o->use_dns); 2259 dump_cfg_fmtint(sUseDNS, o->use_dns);
diff --git a/servconf.h b/servconf.h
index 16b1467d2..8af460f5a 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: servconf.h,v 1.121 2016/08/15 12:27:56 naddy Exp $ */ 1/* $OpenBSD: servconf.h,v 1.122 2016/08/19 03:18:06 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -121,7 +121,6 @@ typedef struct {
121 int permit_empty_passwd; /* If false, do not permit empty 121 int permit_empty_passwd; /* If false, do not permit empty
122 * passwords. */ 122 * passwords. */
123 int permit_user_env; /* If true, read ~/.ssh/environment */ 123 int permit_user_env; /* If true, read ~/.ssh/environment */
124 int use_login; /* If true, login(1) is used */
125 int compression; /* If true, compression is allowed */ 124 int compression; /* If true, compression is allowed */
126 int allow_tcp_forwarding; /* One of FORWARD_* */ 125 int allow_tcp_forwarding; /* One of FORWARD_* */
127 int allow_streamlocal_forwarding; /* One of FORWARD_* */ 126 int allow_streamlocal_forwarding; /* One of FORWARD_* */
diff --git a/session.c b/session.c
index 9bad653fc..fcfa80000 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: session.c,v 1.283 2016/08/13 17:47:41 markus Exp $ */ 1/* $OpenBSD: session.c,v 1.284 2016/08/19 03:18:06 djm Exp $ */
2/* 2/*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved 4 * All rights reserved
@@ -544,7 +544,7 @@ do_exec_pty(Session *s, const char *command)
544 544
545 /* record login, etc. similar to login(1) */ 545 /* record login, etc. similar to login(1) */
546#ifndef HAVE_OSF_SIA 546#ifndef HAVE_OSF_SIA
547 if (!(options.use_login && command == NULL)) { 547 if (command != NULL) {
548#ifdef _UNICOS 548#ifdef _UNICOS
549 cray_init_job(s->pw); /* set up cray jid and tmpdir */ 549 cray_init_job(s->pw); /* set up cray jid and tmpdir */
550#endif /* _UNICOS */ 550#endif /* _UNICOS */
@@ -1019,69 +1019,63 @@ do_setup_env(Session *s, const char *shell)
1019 ssh_gssapi_do_child(&env, &envsize); 1019 ssh_gssapi_do_child(&env, &envsize);
1020#endif 1020#endif
1021 1021
1022 if (!options.use_login) { 1022 /* Set basic environment. */
1023 /* Set basic environment. */ 1023 for (i = 0; i < s->num_env; i++)
1024 for (i = 0; i < s->num_env; i++) 1024 child_set_env(&env, &envsize, s->env[i].name, s->env[i].val);
1025 child_set_env(&env, &envsize, s->env[i].name,
1026 s->env[i].val);
1027 1025
1028 child_set_env(&env, &envsize, "USER", pw->pw_name); 1026 child_set_env(&env, &envsize, "USER", pw->pw_name);
1029 child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); 1027 child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
1030#ifdef _AIX 1028#ifdef _AIX
1031 child_set_env(&env, &envsize, "LOGIN", pw->pw_name); 1029 child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
1032#endif 1030#endif
1033 child_set_env(&env, &envsize, "HOME", pw->pw_dir); 1031 child_set_env(&env, &envsize, "HOME", pw->pw_dir);
1034#ifdef HAVE_LOGIN_CAP 1032#ifdef HAVE_LOGIN_CAP
1035 if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0) 1033 if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
1036 child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); 1034 child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
1037 else 1035 else
1038 child_set_env(&env, &envsize, "PATH", getenv("PATH")); 1036 child_set_env(&env, &envsize, "PATH", getenv("PATH"));
1039#else /* HAVE_LOGIN_CAP */ 1037#else /* HAVE_LOGIN_CAP */
1040# ifndef HAVE_CYGWIN 1038# ifndef HAVE_CYGWIN
1041 /* 1039 /*
1042 * There's no standard path on Windows. The path contains 1040 * There's no standard path on Windows. The path contains
1043 * important components pointing to the system directories, 1041 * important components pointing to the system directories,
1044 * needed for loading shared libraries. So the path better 1042 * needed for loading shared libraries. So the path better
1045 * remains intact here. 1043 * remains intact here.
1046 */ 1044 */
1047# ifdef HAVE_ETC_DEFAULT_LOGIN 1045# ifdef HAVE_ETC_DEFAULT_LOGIN
1048 read_etc_default_login(&env, &envsize, pw->pw_uid); 1046 read_etc_default_login(&env, &envsize, pw->pw_uid);
1049 path = child_get_env(env, "PATH"); 1047 path = child_get_env(env, "PATH");
1050# endif /* HAVE_ETC_DEFAULT_LOGIN */ 1048# endif /* HAVE_ETC_DEFAULT_LOGIN */
1051 if (path == NULL || *path == '\0') { 1049 if (path == NULL || *path == '\0') {
1052 child_set_env(&env, &envsize, "PATH", 1050 child_set_env(&env, &envsize, "PATH",
1053 s->pw->pw_uid == 0 ? 1051 s->pw->pw_uid == 0 ? SUPERUSER_PATH : _PATH_STDPATH);
1054 SUPERUSER_PATH : _PATH_STDPATH); 1052 }
1055 }
1056# endif /* HAVE_CYGWIN */ 1053# endif /* HAVE_CYGWIN */
1057#endif /* HAVE_LOGIN_CAP */ 1054#endif /* HAVE_LOGIN_CAP */
1058 1055
1059 snprintf(buf, sizeof buf, "%.200s/%.50s", 1056 snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name);
1060 _PATH_MAILDIR, pw->pw_name); 1057 child_set_env(&env, &envsize, "MAIL", buf);
1061 child_set_env(&env, &envsize, "MAIL", buf); 1058
1059 /* Normal systems set SHELL by default. */
1060 child_set_env(&env, &envsize, "SHELL", shell);
1062 1061
1063 /* Normal systems set SHELL by default. */
1064 child_set_env(&env, &envsize, "SHELL", shell);
1065 }
1066 if (getenv("TZ")) 1062 if (getenv("TZ"))
1067 child_set_env(&env, &envsize, "TZ", getenv("TZ")); 1063 child_set_env(&env, &envsize, "TZ", getenv("TZ"));
1068 1064
1069 /* Set custom environment options from RSA authentication. */ 1065 /* Set custom environment options from RSA authentication. */
1070 if (!options.use_login) { 1066 while (custom_environment) {
1071 while (custom_environment) { 1067 struct envstring *ce = custom_environment;
1072 struct envstring *ce = custom_environment; 1068 char *str = ce->s;
1073 char *str = ce->s; 1069
1074 1070 for (i = 0; str[i] != '=' && str[i]; i++)
1075 for (i = 0; str[i] != '=' && str[i]; i++) 1071 ;
1076 ; 1072 if (str[i] == '=') {
1077 if (str[i] == '=') { 1073 str[i] = 0;
1078 str[i] = 0; 1074 child_set_env(&env, &envsize, str, str + i + 1);
1079 child_set_env(&env, &envsize, str, str + i + 1);
1080 }
1081 custom_environment = ce->next;
1082 free(ce->s);
1083 free(ce);
1084 } 1075 }
1076 custom_environment = ce->next;
1077 free(ce->s);
1078 free(ce);
1085 } 1079 }
1086 1080
1087 /* SSH_CLIENT deprecated */ 1081 /* SSH_CLIENT deprecated */
@@ -1143,7 +1137,7 @@ do_setup_env(Session *s, const char *shell)
1143 * Pull in any environment variables that may have 1137 * Pull in any environment variables that may have
1144 * been set by PAM. 1138 * been set by PAM.
1145 */ 1139 */
1146 if (options.use_pam && !options.use_login) { 1140 if (options.use_pam) {
1147 char **p; 1141 char **p;
1148 1142
1149 p = fetch_pam_child_environment(); 1143 p = fetch_pam_child_environment();
@@ -1161,7 +1155,7 @@ do_setup_env(Session *s, const char *shell)
1161 auth_sock_name); 1155 auth_sock_name);
1162 1156
1163 /* read $HOME/.ssh/environment. */ 1157 /* read $HOME/.ssh/environment. */
1164 if (options.permit_user_env && !options.use_login) { 1158 if (options.permit_user_env) {
1165 snprintf(buf, sizeof buf, "%.200s/.ssh/environment", 1159 snprintf(buf, sizeof buf, "%.200s/.ssh/environment",
1166 strcmp(pw->pw_dir, "/") ? pw->pw_dir : ""); 1160 strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
1167 read_environment_file(&env, &envsize, buf); 1161 read_environment_file(&env, &envsize, buf);
@@ -1443,27 +1437,6 @@ do_pwchange(Session *s)
1443} 1437}
1444 1438
1445static void 1439static void
1446launch_login(struct passwd *pw, const char *hostname)
1447{
1448 /* Launch login(1). */
1449
1450 execl(LOGIN_PROGRAM, "login", "-h", hostname,
1451#ifdef xxxLOGIN_NEEDS_TERM
1452 (s->term ? s->term : "unknown"),
1453#endif /* LOGIN_NEEDS_TERM */
1454#ifdef LOGIN_NO_ENDOPT
1455 "-p", "-f", pw->pw_name, (char *)NULL);
1456#else
1457 "-p", "-f", "--", pw->pw_name, (char *)NULL);
1458#endif
1459
1460 /* Login couldn't be executed, die. */
1461
1462 perror("login");
1463 exit(1);
1464}
1465
1466static void
1467child_close_fds(void) 1440child_close_fds(void)
1468{ 1441{
1469 extern int auth_sock; 1442 extern int auth_sock;
@@ -1510,11 +1483,10 @@ child_close_fds(void)
1510void 1483void
1511do_child(Session *s, const char *command) 1484do_child(Session *s, const char *command)
1512{ 1485{
1513 struct ssh *ssh = active_state; /* XXX */
1514 extern char **environ; 1486 extern char **environ;
1515 char **env; 1487 char **env;
1516 char *argv[ARGV_MAX]; 1488 char *argv[ARGV_MAX];
1517 const char *shell, *shell0, *hostname = NULL; 1489 const char *shell, *shell0;
1518 struct passwd *pw = s->pw; 1490 struct passwd *pw = s->pw;
1519 int r = 0; 1491 int r = 0;
1520 1492
@@ -1529,10 +1501,6 @@ do_child(Session *s, const char *command)
1529 exit(1); 1501 exit(1);
1530 } 1502 }
1531 1503
1532 /* login(1) is only called if we execute the login shell */
1533 if (options.use_login && command != NULL)
1534 options.use_login = 0;
1535
1536#ifdef _UNICOS 1504#ifdef _UNICOS
1537 cray_setup(pw->pw_uid, pw->pw_name, command); 1505 cray_setup(pw->pw_uid, pw->pw_name, command);
1538#endif /* _UNICOS */ 1506#endif /* _UNICOS */
@@ -1541,28 +1509,26 @@ do_child(Session *s, const char *command)
1541 * Login(1) does this as well, and it needs uid 0 for the "-h" 1509 * Login(1) does this as well, and it needs uid 0 for the "-h"
1542 * switch, so we let login(1) to this for us. 1510 * switch, so we let login(1) to this for us.
1543 */ 1511 */
1544 if (!options.use_login) {
1545#ifdef HAVE_OSF_SIA 1512#ifdef HAVE_OSF_SIA
1546 session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty); 1513 session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty);
1547 if (!check_quietlogin(s, command)) 1514 if (!check_quietlogin(s, command))
1548 do_motd(); 1515 do_motd();
1549#else /* HAVE_OSF_SIA */ 1516#else /* HAVE_OSF_SIA */
1550 /* When PAM is enabled we rely on it to do the nologin check */ 1517 /* When PAM is enabled we rely on it to do the nologin check */
1551 if (!options.use_pam) 1518 if (!options.use_pam)
1552 do_nologin(pw); 1519 do_nologin(pw);
1553 do_setusercontext(pw); 1520 do_setusercontext(pw);
1554 /* 1521 /*
1555 * PAM session modules in do_setusercontext may have 1522 * PAM session modules in do_setusercontext may have
1556 * generated messages, so if this in an interactive 1523 * generated messages, so if this in an interactive
1557 * login then display them too. 1524 * login then display them too.
1558 */ 1525 */
1559 if (!check_quietlogin(s, command)) 1526 if (!check_quietlogin(s, command))
1560 display_loginmsg(); 1527 display_loginmsg();
1561#endif /* HAVE_OSF_SIA */ 1528#endif /* HAVE_OSF_SIA */
1562 }
1563 1529
1564#ifdef USE_PAM 1530#ifdef USE_PAM
1565 if (options.use_pam && !options.use_login && !is_pam_session_open()) { 1531 if (options.use_pam && !is_pam_session_open()) {
1566 debug3("PAM session not opened, exiting"); 1532 debug3("PAM session not opened, exiting");
1567 display_loginmsg(); 1533 display_loginmsg();
1568 exit(254); 1534 exit(254);
@@ -1585,10 +1551,6 @@ do_child(Session *s, const char *command)
1585 shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); 1551 shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
1586#endif 1552#endif
1587 1553
1588 /* we have to stash the hostname before we close our socket. */
1589 if (options.use_login)
1590 hostname = session_get_remote_name_or_ip(ssh, utmp_len,
1591 options.use_dns);
1592 /* 1554 /*
1593 * Close the connection descriptors; note that this is the child, and 1555 * Close the connection descriptors; note that this is the child, and
1594 * the server will still have the socket open, and it is important 1556 * the server will still have the socket open, and it is important
@@ -1647,8 +1609,7 @@ do_child(Session *s, const char *command)
1647 1609
1648 closefrom(STDERR_FILENO + 1); 1610 closefrom(STDERR_FILENO + 1);
1649 1611
1650 if (!options.use_login) 1612 do_rc_files(s, shell);
1651 do_rc_files(s, shell);
1652 1613
1653 /* restore SIGPIPE for child */ 1614 /* restore SIGPIPE for child */
1654 signal(SIGPIPE, SIG_DFL); 1615 signal(SIGPIPE, SIG_DFL);
@@ -1678,11 +1639,6 @@ do_child(Session *s, const char *command)
1678 1639
1679 fflush(NULL); 1640 fflush(NULL);
1680 1641
1681 if (options.use_login) {
1682 launch_login(pw, hostname);
1683 /* NEVERREACHED */
1684 }
1685
1686 /* Get the last component of the shell name. */ 1642 /* Get the last component of the shell name. */
1687 if ((shell0 = strrchr(shell, '/')) != NULL) 1643 if ((shell0 = strrchr(shell, '/')) != NULL)
1688 shell0++; 1644 shell0++;
@@ -2502,11 +2458,6 @@ session_setup_x11fwd(Session *s)
2502 packet_send_debug("No xauth program; cannot forward with spoofing."); 2458 packet_send_debug("No xauth program; cannot forward with spoofing.");
2503 return 0; 2459 return 0;
2504 } 2460 }
2505 if (options.use_login) {
2506 packet_send_debug("X11 forwarding disabled; "
2507 "not compatible with UseLogin=yes.");
2508 return 0;
2509 }
2510 if (s->display != NULL) { 2461 if (s->display != NULL) {
2511 debug("X11 display already set."); 2462 debug("X11 display already set.");
2512 return 0; 2463 return 0;
diff --git a/sshd.8 b/sshd.8
index 148a8b923..4cf8fee48 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: sshd.8,v 1.285 2016/08/15 12:32:04 naddy Exp $ 36.\" $OpenBSD: sshd.8,v 1.286 2016/08/19 03:18:06 djm Exp $
37.Dd $Mdocdate: August 15 2016 $ 37.Dd $Mdocdate: August 19 2016 $
38.Dt SSHD 8 38.Dt SSHD 8
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -504,9 +504,6 @@ Environment processing is disabled by default and is
504controlled via the 504controlled via the
505.Cm PermitUserEnvironment 505.Cm PermitUserEnvironment
506option. 506option.
507This option is automatically disabled if
508.Cm UseLogin
509is enabled.
510.It Cm from="pattern-list" 507.It Cm from="pattern-list"
511Specifies that in addition to public key authentication, either the canonical 508Specifies that in addition to public key authentication, either the canonical
512name of the remote host or its IP address must be present in the 509name of the remote host or its IP address must be present in the
diff --git a/sshd.c b/sshd.c
index fd89acbb9..a561c7b3e 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshd.c,v 1.473 2016/08/15 12:27:56 naddy Exp $ */ 1/* $OpenBSD: sshd.c,v 1.474 2016/08/19 03:18:07 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -629,7 +629,7 @@ privsep_postauth(Authctxt *authctxt)
629#ifdef DISABLE_FD_PASSING 629#ifdef DISABLE_FD_PASSING
630 if (1) { 630 if (1) {
631#else 631#else
632 if (authctxt->pw->pw_uid == 0 || options.use_login) { 632 if (authctxt->pw->pw_uid == 0) {
633#endif 633#endif
634 /* File descriptor passing is broken or root login */ 634 /* File descriptor passing is broken or root login */
635 use_privsep = 0; 635 use_privsep = 0;
diff --git a/sshd_config.5 b/sshd_config.5
index d1a5d1d33..fe3b23d6e 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: sshd_config.5,v 1.229 2016/08/15 12:32:04 naddy Exp $ 36.\" $OpenBSD: sshd_config.5,v 1.230 2016/08/19 03:18:07 djm Exp $
37.Dd $Mdocdate: August 15 2016 $ 37.Dd $Mdocdate: August 19 2016 $
38.Dt SSHD_CONFIG 5 38.Dt SSHD_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -1489,25 +1489,6 @@ and
1489.Cm Match 1489.Cm Match
1490.Cm Host 1490.Cm Host
1491directives. 1491directives.
1492.It Cm UseLogin
1493Specifies whether
1494.Xr login 1
1495is used for interactive login sessions.
1496The default is
1497.Dq no .
1498Note that
1499.Xr login 1
1500is never used for remote command execution.
1501Note also, that if this is enabled,
1502.Cm X11Forwarding
1503will be disabled because
1504.Xr login 1
1505does not know how to handle
1506.Xr xauth 1
1507cookies.
1508If
1509.Cm UsePrivilegeSeparation
1510is specified, it will be disabled after authentication.
1511.It Cm UsePAM 1492.It Cm UsePAM
1512Enables the Pluggable Authentication Module interface. 1493Enables the Pluggable Authentication Module interface.
1513If set to 1494If set to
@@ -1596,9 +1577,6 @@ setting.
1596.Pp 1577.Pp
1597Note that disabling X11 forwarding does not prevent users from 1578Note that disabling X11 forwarding does not prevent users from
1598forwarding X11 traffic, as users can always install their own forwarders. 1579forwarding X11 traffic, as users can always install their own forwarders.
1599X11 forwarding is automatically disabled if
1600.Cm UseLogin
1601is enabled.
1602.It Cm X11UseLocalhost 1580.It Cm X11UseLocalhost
1603Specifies whether 1581Specifies whether
1604.Xr sshd 8 1582.Xr sshd 8