-rw-r--r--ChangeLog5
-rw-r--r--contrib/cygwin/ssh-host-config11
-rw-r--r--openbsd-compat/bsd-cygwin_util.c72
3 files changed, 71 insertions, 17 deletions
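--- a/ChangeLog
+++ b/ChangeLog
@@ -36,6 +36,9 @@
    [scp.c]
    check exit status from ssh, and exit(1) if ssh fails; bug#369;
    binder@arago.de
+ - (bal) Update ssh-host-config and minor rewrite of bsd-cygwin_util.c
+   ntsec now default if cygwin version beginning w/ version 56. Patch
+   by Corinna Vinschen <vinschen@redhat.com>
 
 20021021
  - (djm) Bug #400: Kill ssh-rand-helper children on timeout, patch from
@@ -813,4 +816,4 @@
    save auth method before monitor_reset_key_state(); bugzilla bug #284;
    ok provos@
 
-$Id: ChangeLog,v 1.2509 2002/11/09 15:54:08 mouring Exp $
+$Id: ChangeLog,v 1.2510 2002/11/09 15:59:27 mouring Exp $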
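--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -378,6 +378,8 @@ then
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
 
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
 # possible, but leave them commented. Uncommented options change a
@@ -394,7 +396,7 @@ Port $port_number
 #HostKey ${SYSCONFDIR}/ssh_host_rsa_key
 #HostKey ${SYSCONFDIR}/ssh_host_dsa_key
 
-# Lifetime and size of ephemeral version 1 server ke
+# Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 3600
 #ServerKeyBits 768
 
@@ -405,7 +407,7 @@ Port $port_number
 
 # Authentication:
 
-#LoginGraceTime 600
+#LoginGraceTime 120
 #PermitRootLogin yes
 # The following setting overrides permission checks on host key files
 # and directories. For security reasons set this to "yes" when running
@@ -414,11 +416,11 @@ StrictModes no
 
 #RSAAuthentication yes
 #PubkeyAuthentication yes
-#AuthorizedKeysFile %h/.ssh/authorized_keys
+#AuthorizedKeysFile .ssh/authorized_keys
 
 # rhosts authentication should not be used
 #RhostsAuthentication no
-# Don't read ~/.rhosts and ~/.shosts files
+# Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 # For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
 #RhostsRSAAuthentication no
@@ -443,6 +445,7 @@ StrictModes no
 #KeepAlive yes
 #UseLogin no
 UsePrivilegeSeparation $privsep_used
+#PermitUserEnvironment no
 #Compression yes
 
 #MaxStartups 10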
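Review bot: The new `# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin` line in the first hunk writes a fixed literal into the generated sshd_config, so it asserts a build property the script does not actually know; if the Cygwin package is ever built with a different default path the comment silently becomes wrong. Either have the script substitute the value the build was configured with, or drop the line rather than hard-code it. The other changed lines (`#LoginGraceTime 120`, `#AuthorizedKeysFile .ssh/authorized_keys`, `#PermitUserEnvironment no`) are commented documentation of upstream defaults, not active settings, so they are harmless, but they are only accurate for the sshd version this script is shipped with; a one-line comment at the top of the heredoc stating that the commented values mirror the defaults of that release would help whoever updates them next.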
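--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -31,7 +31,7 @@
 
 #include "includes.h"
 
-RCSID("$Id: bsd-cygwin_util.c,v 1.8 2002/04/15 22:00:52 stevesk Exp $");
+RCSID("$Id: bsd-cygwin_util.c,v 1.9 2002/11/09 15:59:29 mouring Exp $");
 
 #ifdef HAVE_CYGWIN
 
@@ -43,6 +43,7 @@ RCSID("$Id: bsd-cygwin_util.c,v 1.8 2002/04/15 22:00:52 stevesk Exp $");
 #define is_winnt (GetVersion() < 0x80000000)
 
 #define ntsec_on(c) ((c) && strstr((c),"ntsec") && !strstr((c),"nontsec"))
+#define ntsec_off(c) ((c) && strstr((c),"nontsec"))
 #define ntea_on(c) ((c) && strstr((c),"ntea") && !strstr((c),"nontea"))
 
 #if defined(open) && open == binary_open
@@ -74,6 +75,56 @@ int binary_pipe(int fd[2])
 	return ret;
 }
 
+#define HAS_CREATE_TOKEN 1
+#define HAS_NTSEC_BY_DEFAULT 2
+
+static int has_capability(int what)
+{
+	/* has_capability() basically calls uname() and checks if
+	   specific capabilities of Cygwin can be evaluated from that.
+	   This simplifies the calling functions which only have to ask
+	   for a capability using has_capability() instead of having
+	   to figure that out by themselves. */
+	static int inited;
+	static int has_create_token;
+	static int has_ntsec_by_default;
+
+	if (!inited) {
+		struct utsname uts;
+		char *c;
+
+		if (!uname(&uts)) {
+			int major_high = 0;
+			int major_low = 0;
+			int minor = 0;
+			int api_major_version = 0;
+			int api_minor_version = 0;
+			char *c;
+
+			sscanf(uts.release, "%d.%d.%d", &major_high,
+			    &major_low, &minor);
+			c = strchr(uts.release, '(');
+			if (c)
+				sscanf(c + 1, "%d.%d", &api_major_version,
+				    &api_minor_version);
+			if (major_high > 1 ||
+			    (major_high == 1 && (major_low > 3 ||
+			    (major_low == 3 && minor >= 2))))
+				has_create_token = 1;
+			if (api_major_version > 0 || api_minor_version >= 56)
+				has_ntsec_by_default = 1;
+			inited = 1;
+		}
+	}
+	switch (what) {
+	case HAS_CREATE_TOKEN:
+		return has_create_token;
+	case HAS_NTSEC_BY_DEFAULT:
+		return has_ntsec_by_default;
+	}
+	return 0;
+}
+
 int check_nt_auth(int pwd_authenticated, struct passwd *pw)
 {
 	/*
@@ -93,19 +144,14 @@ int check_nt_auth(int pwd_authenticated, struct passwd *pw)
 		return 0;
 	if (is_winnt) {
 		if (has_create_token < 0) {
-			struct utsname uts;
-			int major_high = 0, major_low = 0, minor = 0;
 			char *cygwin = getenv("CYGWIN");
 
 			has_create_token = 0;
-			if (ntsec_on(cygwin) && !uname(&uts)) {
-				sscanf(uts.release, "%d.%d.%d",
-				    &major_high, &major_low, &minor);
-				if (major_high > 1 ||
-				    (major_high == 1 && (major_low > 3 ||
-				    (major_low == 3 && minor >= 2))))
-					has_create_token = 1;
-			}
+			if (has_capability(HAS_CREATE_TOKEN) &&
+			    (ntsec_on(cygwin) ||
+			    (has_capability(HAS_NTSEC_BY_DEFAULT) &&
+			    !ntsec_off(cygwin))))
+				has_create_token = 1;
 		}
 		if (has_create_token < 1 &&
 		    !pwd_authenticated && geteuid() != pw->pw_uid)
@@ -128,7 +174,9 @@ int check_ntsec(const char *filename)
 	/* Evaluate current CYGWIN settings. */
 	cygwin = getenv("CYGWIN");
 	allow_ntea = ntea_on(cygwin);
-	allow_ntsec = ntsec_on(cygwin);
+	allow_ntsec = ntsec_on(cygwin) ||
+	    (has_capability(HAS_NTSEC_BY_DEFAULT) &&
+	    !ntsec_off(cygwin));
 
 	/*
 	 * `ntea' is an emulation of POSIX attributes. It doesn't support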
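Review bot: In has_capability() the `char *c;` declared in the `if (!inited)` block is never used and is shadowed by the second `char *c;` inside `if (!uname(&uts))`; delete the outer one so -Wshadow and -Wunused stay clean. The function's static `has_create_token` also shares its name with the `has_create_token` that check_nt_auth() assigns (declared outside this hunk), which is confusing to read and will shadow it if that one is file-scope; renaming the two statics, e.g. `static int cap_create_token;` and `static int cap_ntsec_by_default;`, avoids that. The two version thresholds are undocumented; I would annotate them `/* CreateToken is usable from Cygwin 1.3.2 on */` and `/* ntsec is on by default from Cygwin API 0.56 on */`, since the second is currently only explained in the ChangeLog. Note that when uname() fails, inited stays 0 and both capabilities report 0, so check_nt_auth() appears to fall back to treating CreateToken as unavailable, which is the safe direction; a short comment saying that is intentional would make it explicit. The bodies of check_nt_auth() and check_ntsec() continue outside their hunks.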