Diffstat (limited to 'session.c')
-rw-r--r-- | session.c | 70 |
1 files changed, 60 insertions, 10 deletions
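--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.180 2004/07/28 09:40:29 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.181 2004/12/23 17:35:48 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -245,6 +245,10 @@ do_authenticated1(Authctxt *authctxt)
 u_int proto_len, data_len, dlen, compression_level = 0;
 
 s = session_new();
+if (s == NULL) {
+error("no more sessions");
+return;
+}
 s->authctxt = authctxt;
 s->pw = authctxt->pw;
 
@@ -661,11 +665,15 @@ do_exec(Session *s, const char *command)
 debug("Forced command '%.900s'", command);
 }
 
-#ifdef GSSAPI
-if (options.gss_authentication) {
-temporarily_use_uid(s->pw);
-ssh_gssapi_storecreds();
-restore_uid();
+#ifdef SSH_AUDIT_EVENTS
+if (command != NULL)
+PRIVSEP(audit_run_command(command));
+else if (s->ttyfd == -1) {
+char *shell = s->pw->pw_shell;
+
+if (shell[0] == '\0') /* empty shell means /bin/sh */
+shell =_PATH_BSHELL;
+PRIVSEP(audit_run_command(shell));
 }
 #endif
 
@@ -979,7 +987,13 @@ do_setup_env(Session *s, const char *shell)
 * The Windows environment contains some setting which are
 * important for a running system. They must not be dropped.
 */
-copy_environment(environ, &env, &envsize);
+{
+char **p;
+
+p = fetch_windows_environment();
+copy_environment(p, &env, &envsize);
+free_windows_environment(p);
+}
 #endif
 
 #ifdef GSSAPI
@@ -1080,14 +1094,24 @@ do_setup_env(Session *s, const char *shell)
 child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir);
 #endif /* _UNICOS */
 
+/*
+* Since we clear KRB5CCNAME at startup, if it's set now then it
+* must have been set by a native authentication method (eg AIX or
+* SIA), so copy it to the child.
+*/
+{
+char *cp;
+
+if ((cp = getenv("KRB5CCNAME")) != NULL)
+child_set_env(&env, &envsize, "KRB5CCNAME", cp);
+}
+
 #ifdef _AIX
 {
 char *cp;
 
 if ((cp = getenv("AUTHSTATE")) != NULL)
 child_set_env(&env, &envsize, "AUTHSTATE", cp);
-if ((cp = getenv("KRB5CCNAME")) != NULL)
-child_set_env(&env, &envsize, "KRB5CCNAME", cp);
 read_environment_file(&env, &envsize, "/etc/environment");
 }
 #endif
@@ -1247,6 +1271,13 @@ do_setusercontext(struct passwd *pw)
 # ifdef __bsdi__
 setpgid(0, 0);
 # endif
+#ifdef GSSAPI
+if (options.gss_authentication) {
+temporarily_use_uid(pw);
+ssh_gssapi_storecreds();
+restore_uid();
+}
+#endif
 # ifdef USE_PAM
 if (options.use_pam) {
 do_pam_session();
@@ -1277,6 +1308,13 @@ do_setusercontext(struct passwd *pw)
 exit(1);
 }
 endgrent();
+#ifdef GSSAPI
+if (options.gss_authentication) {
+temporarily_use_uid(pw);
+ssh_gssapi_storecreds();
+restore_uid();
+}
+#endif
 # ifdef USE_PAM
 /*
 * PAM credentials may take the form of supplementary groups.
@@ -1314,7 +1352,12 @@ do_pwchange(Session *s)
 if (s->ttyfd != -1) {
 fprintf(stderr,
 "You must change your password now and login again!\n");
+#ifdef PASSWD_NEEDS_USERNAME
+execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,
+(char *)NULL);
+#else
 execl(_PATH_PASSWD_PROG, "passwd", (char *)NULL);
+#endif
 perror("passwd");
 } else {
 fprintf(stderr,
@@ -1428,11 +1471,18 @@ do_child(Session *s, const char *command)
 * generated messages, so if this in an interactive
 * login then display them too.
 */
-if (command == NULL)
+if (!check_quietlogin(s, command))
 display_loginmsg();
 #endif /* HAVE_OSF_SIA */
 }
 
+#ifdef USE_PAM
+if (options.use_pam && !is_pam_session_open()) {
+display_loginmsg();
+exit(254);
+}
+#endif
+
 /*
 * Get the shell from the password data. An empty shell field is
 * legal, and means /bin/sh.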
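Review bot: The `#ifdef USE_PAM` guard added to do_child just before the shell lookup ends the child with a bare `exit(254)` and writes nothing to the server log, so a session refused because the PAM session never opened is visible only to the client through display_loginmsg(). Unless do_pam_session() already logs the failure (not visible in this hunk), add a line such as `error("PAM session not open, refusing session for %.100s", s->pw->pw_name);` ahead of the exit so the refusal can be found during log review. The 254 would also be easier to maintain with a one-line comment saying whether any caller interprets that status. do_child starts and ends outside the hunk.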