summaryrefslogtreecommitdiff
path: root/session.c
diff options
context:
space:
mode:
Diffstat (limited to 'session.c')
-rw-r--r--session.c120
1 files changed, 64 insertions, 56 deletions
diff --git a/session.c b/session.c
index d40afe4f7..ff301c983 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: session.c,v 1.292 2017/09/12 06:32:07 djm Exp $ */ 1/* $OpenBSD: session.c,v 1.294 2018/03/03 03:15:51 djm Exp $ */
2/* 2/*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved 4 * All rights reserved
@@ -140,6 +140,8 @@ extern u_int utmp_len;
140extern int startup_pipe; 140extern int startup_pipe;
141extern void destroy_sensitive_data(void); 141extern void destroy_sensitive_data(void);
142extern Buffer loginmsg; 142extern Buffer loginmsg;
143extern struct sshauthopt *auth_opts;
144char *tun_fwd_ifnames; /* serverloop.c */
143 145
144/* original command from peer. */ 146/* original command from peer. */
145const char *original_command = NULL; 147const char *original_command = NULL;
@@ -287,14 +289,42 @@ prepare_auth_info_file(struct passwd *pw, struct sshbuf *info)
287 restore_uid(); 289 restore_uid();
288} 290}
289 291
292static void
293set_permitopen_from_authopts(struct ssh *ssh, const struct sshauthopt *opts)
294{
295 char *tmp, *cp, *host;
296 int port;
297 size_t i;
298
299 if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
300 return;
301 channel_clear_permitted_opens(ssh);
302 for (i = 0; i < auth_opts->npermitopen; i++) {
303 tmp = cp = xstrdup(auth_opts->permitopen[i]);
304 /* This shouldn't fail as it has already been checked */
305 if ((host = hpdelim(&cp)) == NULL)
306 fatal("%s: internal error: hpdelim", __func__);
307 host = cleanhostname(host);
308 if (cp == NULL || (port = permitopen_port(cp)) < 0)
309 fatal("%s: internal error: permitopen port",
310 __func__);
311 channel_add_permitted_opens(ssh, host, port);
312 free(tmp);
313 }
314}
315
290void 316void
291do_authenticated(struct ssh *ssh, Authctxt *authctxt) 317do_authenticated(struct ssh *ssh, Authctxt *authctxt)
292{ 318{
293 setproctitle("%s", authctxt->pw->pw_name); 319 setproctitle("%s", authctxt->pw->pw_name);
294 320
321 auth_log_authopts("active", auth_opts, 0);
322
295 /* setup the channel layer */ 323 /* setup the channel layer */
296 /* XXX - streamlocal? */ 324 /* XXX - streamlocal? */
297 if (no_port_forwarding_flag || options.disable_forwarding || 325 set_permitopen_from_authopts(ssh, auth_opts);
326 if (!auth_opts->permit_port_forwarding_flag ||
327 options.disable_forwarding ||
298 (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0) 328 (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
299 channel_disable_adm_local_opens(ssh); 329 channel_disable_adm_local_opens(ssh);
300 else 330 else
@@ -334,7 +364,6 @@ int
334do_exec_no_pty(struct ssh *ssh, Session *s, const char *command) 364do_exec_no_pty(struct ssh *ssh, Session *s, const char *command)
335{ 365{
336 pid_t pid; 366 pid_t pid;
337
338#ifdef USE_PIPES 367#ifdef USE_PIPES
339 int pin[2], pout[2], perr[2]; 368 int pin[2], pout[2], perr[2];
340 369
@@ -450,11 +479,6 @@ do_exec_no_pty(struct ssh *ssh, Session *s, const char *command)
450 close(err[0]); 479 close(err[0]);
451#endif 480#endif
452 481
453
454#ifdef _UNICOS
455 cray_init_job(s->pw); /* set up cray jid and tmpdir */
456#endif
457
458 /* Do processing for the child (exec command etc). */ 482 /* Do processing for the child (exec command etc). */
459 do_child(ssh, s, command); 483 do_child(ssh, s, command);
460 /* NOTREACHED */ 484 /* NOTREACHED */
@@ -462,9 +486,6 @@ do_exec_no_pty(struct ssh *ssh, Session *s, const char *command)
462 break; 486 break;
463 } 487 }
464 488
465#ifdef _UNICOS
466 signal(WJSIGNAL, cray_job_termination_handler);
467#endif /* _UNICOS */
468#ifdef HAVE_CYGWIN 489#ifdef HAVE_CYGWIN
469 cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); 490 cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
470#endif 491#endif
@@ -576,9 +597,6 @@ do_exec_pty(struct ssh *ssh, Session *s, const char *command)
576 close(ttyfd); 597 close(ttyfd);
577 598
578 /* record login, etc. similar to login(1) */ 599 /* record login, etc. similar to login(1) */
579#ifdef _UNICOS
580 cray_init_job(s->pw); /* set up cray jid and tmpdir */
581#endif /* _UNICOS */
582#ifndef HAVE_OSF_SIA 600#ifndef HAVE_OSF_SIA
583 do_login(ssh, s, command); 601 do_login(ssh, s, command);
584#endif 602#endif
@@ -592,9 +610,6 @@ do_exec_pty(struct ssh *ssh, Session *s, const char *command)
592 break; 610 break;
593 } 611 }
594 612
595#ifdef _UNICOS
596 signal(WJSIGNAL, cray_job_termination_handler);
597#endif /* _UNICOS */
598#ifdef HAVE_CYGWIN 613#ifdef HAVE_CYGWIN
599 cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); 614 cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
600#endif 615#endif
@@ -656,9 +671,9 @@ do_exec(struct ssh *ssh, Session *s, const char *command)
656 original_command = command; 671 original_command = command;
657 command = options.adm_forced_command; 672 command = options.adm_forced_command;
658 forced = "(config)"; 673 forced = "(config)";
659 } else if (forced_command) { 674 } else if (auth_opts->force_command != NULL) {
660 original_command = command; 675 original_command = command;
661 command = forced_command; 676 command = auth_opts->force_command;
662 forced = "(key-option)"; 677 forced = "(key-option)";
663 } 678 }
664 if (forced != NULL) { 679 if (forced != NULL) {
@@ -961,8 +976,9 @@ static char **
961do_setup_env(struct ssh *ssh, Session *s, const char *shell) 976do_setup_env(struct ssh *ssh, Session *s, const char *shell)
962{ 977{
963 char buf[256]; 978 char buf[256];
979 size_t n;
964 u_int i, envsize; 980 u_int i, envsize;
965 char **env, *laddr; 981 char *ocp, *cp, **env, *laddr;
966 struct passwd *pw = s->pw; 982 struct passwd *pw = s->pw;
967#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) 983#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
968 char *path = NULL; 984 char *path = NULL;
@@ -1037,20 +1053,17 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
1037 if (getenv("TZ")) 1053 if (getenv("TZ"))
1038 child_set_env(&env, &envsize, "TZ", getenv("TZ")); 1054 child_set_env(&env, &envsize, "TZ", getenv("TZ"));
1039 1055
1040 /* Set custom environment options from RSA authentication. */ 1056 /* Set custom environment options from pubkey authentication. */
1041 while (custom_environment) { 1057 if (options.permit_user_env) {
1042 struct envstring *ce = custom_environment; 1058 for (n = 0 ; n < auth_opts->nenv; n++) {
1043 char *str = ce->s; 1059 ocp = xstrdup(auth_opts->env[n]);
1044 1060 cp = strchr(ocp, '=');
1045 for (i = 0; str[i] != '=' && str[i]; i++) 1061 if (*cp == '=') {
1046 ; 1062 *cp = '\0';
1047 if (str[i] == '=') { 1063 child_set_env(&env, &envsize, ocp, cp + 1);
1048 str[i] = 0; 1064 }
1049 child_set_env(&env, &envsize, str, str + i + 1); 1065 free(ocp);
1050 } 1066 }
1051 custom_environment = ce->next;
1052 free(ce->s);
1053 free(ce);
1054 } 1067 }
1055 1068
1056 /* SSH_CLIENT deprecated */ 1069 /* SSH_CLIENT deprecated */
@@ -1066,6 +1079,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
1066 free(laddr); 1079 free(laddr);
1067 child_set_env(&env, &envsize, "SSH_CONNECTION", buf); 1080 child_set_env(&env, &envsize, "SSH_CONNECTION", buf);
1068 1081
1082 if (tun_fwd_ifnames != NULL)
1083 child_set_env(&env, &envsize, "SSH_TUNNEL", tun_fwd_ifnames);
1069 if (auth_info_file != NULL) 1084 if (auth_info_file != NULL)
1070 child_set_env(&env, &envsize, "SSH_USER_AUTH", auth_info_file); 1085 child_set_env(&env, &envsize, "SSH_USER_AUTH", auth_info_file);
1071 if (s->ttyfd != -1) 1086 if (s->ttyfd != -1)
@@ -1078,11 +1093,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
1078 child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", 1093 child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
1079 original_command); 1094 original_command);
1080 1095
1081#ifdef _UNICOS
1082 if (cray_tmpdir[0] != '\0')
1083 child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir);
1084#endif /* _UNICOS */
1085
1086 /* 1096 /*
1087 * Since we clear KRB5CCNAME at startup, if it's set now then it 1097 * Since we clear KRB5CCNAME at startup, if it's set now then it
1088 * must have been set by a native authentication method (eg AIX or 1098 * must have been set by a native authentication method (eg AIX or
@@ -1155,7 +1165,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
1155 * first in this order). 1165 * first in this order).
1156 */ 1166 */
1157static void 1167static void
1158do_rc_files(Session *s, const char *shell) 1168do_rc_files(struct ssh *ssh, Session *s, const char *shell)
1159{ 1169{
1160 FILE *f = NULL; 1170 FILE *f = NULL;
1161 char cmd[1024]; 1171 char cmd[1024];
@@ -1167,7 +1177,7 @@ do_rc_files(Session *s, const char *shell)
1167 1177
1168 /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */ 1178 /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
1169 if (!s->is_subsystem && options.adm_forced_command == NULL && 1179 if (!s->is_subsystem && options.adm_forced_command == NULL &&
1170 !no_user_rc && options.permit_user_rc && 1180 auth_opts->permit_user_rc && options.permit_user_rc &&
1171 stat(_PATH_SSH_USER_RC, &st) >= 0) { 1181 stat(_PATH_SSH_USER_RC, &st) >= 0) {
1172 snprintf(cmd, sizeof cmd, "%s -c '%s %s'", 1182 snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
1173 shell, _PATH_BSHELL, _PATH_SSH_USER_RC); 1183 shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
@@ -1248,10 +1258,10 @@ do_nologin(struct passwd *pw)
1248 /* /etc/nologin exists. Print its contents if we can and exit. */ 1258 /* /etc/nologin exists. Print its contents if we can and exit. */
1249 logit("User %.100s not allowed because %s exists", pw->pw_name, nl); 1259 logit("User %.100s not allowed because %s exists", pw->pw_name, nl);
1250 if ((f = fopen(nl, "r")) != NULL) { 1260 if ((f = fopen(nl, "r")) != NULL) {
1251 while (fgets(buf, sizeof(buf), f)) 1261 while (fgets(buf, sizeof(buf), f))
1252 fputs(buf, stderr); 1262 fputs(buf, stderr);
1253 fclose(f); 1263 fclose(f);
1254 } 1264 }
1255 exit(254); 1265 exit(254);
1256} 1266}
1257 1267
@@ -1483,10 +1493,6 @@ do_child(struct ssh *ssh, Session *s, const char *command)
1483 exit(1); 1493 exit(1);
1484 } 1494 }
1485 1495
1486#ifdef _UNICOS
1487 cray_setup(pw->pw_uid, pw->pw_name, command);
1488#endif /* _UNICOS */
1489
1490 /* 1496 /*
1491 * Login(1) does this as well, and it needs uid 0 for the "-h" 1497 * Login(1) does this as well, and it needs uid 0 for the "-h"
1492 * switch, so we let login(1) to this for us. 1498 * switch, so we let login(1) to this for us.
@@ -1591,7 +1597,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
1591 1597
1592 closefrom(STDERR_FILENO + 1); 1598 closefrom(STDERR_FILENO + 1);
1593 1599
1594 do_rc_files(s, shell); 1600 do_rc_files(ssh, s, shell);
1595 1601
1596 /* restore SIGPIPE for child */ 1602 /* restore SIGPIPE for child */
1597 signal(SIGPIPE, SIG_DFL); 1603 signal(SIGPIPE, SIG_DFL);
@@ -1854,8 +1860,8 @@ session_pty_req(struct ssh *ssh, Session *s)
1854 u_int len; 1860 u_int len;
1855 int n_bytes; 1861 int n_bytes;
1856 1862
1857 if (no_pty_flag || !options.permit_tty) { 1863 if (!auth_opts->permit_pty_flag || !options.permit_tty) {
1858 debug("Allocating a pty not permitted for this authentication."); 1864 debug("Allocating a pty not permitted for this connection.");
1859 return 0; 1865 return 0;
1860 } 1866 }
1861 if (s->ttyfd != -1) { 1867 if (s->ttyfd != -1) {
@@ -2043,9 +2049,11 @@ static int
2043session_auth_agent_req(struct ssh *ssh, Session *s) 2049session_auth_agent_req(struct ssh *ssh, Session *s)
2044{ 2050{
2045 static int called = 0; 2051 static int called = 0;
2052
2046 packet_check_eom(); 2053 packet_check_eom();
2047 if (no_agent_forwarding_flag || !options.allow_agent_forwarding) { 2054 if (!auth_opts->permit_agent_forwarding_flag ||
2048 debug("session_auth_agent_req: no_agent_forwarding_flag"); 2055 !options.allow_agent_forwarding) {
2056 debug("%s: agent forwarding disabled", __func__);
2049 return 0; 2057 return 0;
2050 } 2058 }
2051 if (called) { 2059 if (called) {
@@ -2423,8 +2431,8 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
2423 char hostname[NI_MAXHOST]; 2431 char hostname[NI_MAXHOST];
2424 u_int i; 2432 u_int i;
2425 2433
2426 if (no_x11_forwarding_flag) { 2434 if (!auth_opts->permit_x11_forwarding_flag) {
2427 packet_send_debug("X11 forwarding disabled in user configuration file."); 2435 packet_send_debug("X11 forwarding disabled by key options.");
2428 return 0; 2436 return 0;
2429 } 2437 }
2430 if (!options.x11_forwarding) { 2438 if (!options.x11_forwarding) {
@@ -2433,7 +2441,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
2433 } 2441 }
2434 if (options.xauth_location == NULL || 2442 if (options.xauth_location == NULL ||
2435 (stat(options.xauth_location, &st) == -1)) { 2443 (stat(options.xauth_location, &st) == -1)) {
2436 packet_send_debug("No xauth program; cannot forward with spoofing."); 2444 packet_send_debug("No xauth program; cannot forward X11.");
2437 return 0; 2445 return 0;
2438 } 2446 }
2439 if (s->display != NULL) { 2447 if (s->display != NULL) {