diff options
Diffstat (limited to 'session.c')
-rw-r--r-- | session.c | 120 |
1 files changed, 64 insertions, 56 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: session.c,v 1.292 2017/09/12 06:32:07 djm Exp $ */ | 1 | /* $OpenBSD: session.c,v 1.294 2018/03/03 03:15:51 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
4 | * All rights reserved | 4 | * All rights reserved |
@@ -140,6 +140,8 @@ extern u_int utmp_len; | |||
140 | extern int startup_pipe; | 140 | extern int startup_pipe; |
141 | extern void destroy_sensitive_data(void); | 141 | extern void destroy_sensitive_data(void); |
142 | extern Buffer loginmsg; | 142 | extern Buffer loginmsg; |
143 | extern struct sshauthopt *auth_opts; | ||
144 | char *tun_fwd_ifnames; /* serverloop.c */ | ||
143 | 145 | ||
144 | /* original command from peer. */ | 146 | /* original command from peer. */ |
145 | const char *original_command = NULL; | 147 | const char *original_command = NULL; |
@@ -287,14 +289,42 @@ prepare_auth_info_file(struct passwd *pw, struct sshbuf *info) | |||
287 | restore_uid(); | 289 | restore_uid(); |
288 | } | 290 | } |
289 | 291 | ||
292 | static void | ||
293 | set_permitopen_from_authopts(struct ssh *ssh, const struct sshauthopt *opts) | ||
294 | { | ||
295 | char *tmp, *cp, *host; | ||
296 | int port; | ||
297 | size_t i; | ||
298 | |||
299 | if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0) | ||
300 | return; | ||
301 | channel_clear_permitted_opens(ssh); | ||
302 | for (i = 0; i < auth_opts->npermitopen; i++) { | ||
303 | tmp = cp = xstrdup(auth_opts->permitopen[i]); | ||
304 | /* This shouldn't fail as it has already been checked */ | ||
305 | if ((host = hpdelim(&cp)) == NULL) | ||
306 | fatal("%s: internal error: hpdelim", __func__); | ||
307 | host = cleanhostname(host); | ||
308 | if (cp == NULL || (port = permitopen_port(cp)) < 0) | ||
309 | fatal("%s: internal error: permitopen port", | ||
310 | __func__); | ||
311 | channel_add_permitted_opens(ssh, host, port); | ||
312 | free(tmp); | ||
313 | } | ||
314 | } | ||
315 | |||
290 | void | 316 | void |
291 | do_authenticated(struct ssh *ssh, Authctxt *authctxt) | 317 | do_authenticated(struct ssh *ssh, Authctxt *authctxt) |
292 | { | 318 | { |
293 | setproctitle("%s", authctxt->pw->pw_name); | 319 | setproctitle("%s", authctxt->pw->pw_name); |
294 | 320 | ||
321 | auth_log_authopts("active", auth_opts, 0); | ||
322 | |||
295 | /* setup the channel layer */ | 323 | /* setup the channel layer */ |
296 | /* XXX - streamlocal? */ | 324 | /* XXX - streamlocal? */ |
297 | if (no_port_forwarding_flag || options.disable_forwarding || | 325 | set_permitopen_from_authopts(ssh, auth_opts); |
326 | if (!auth_opts->permit_port_forwarding_flag || | ||
327 | options.disable_forwarding || | ||
298 | (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0) | 328 | (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0) |
299 | channel_disable_adm_local_opens(ssh); | 329 | channel_disable_adm_local_opens(ssh); |
300 | else | 330 | else |
@@ -334,7 +364,6 @@ int | |||
334 | do_exec_no_pty(struct ssh *ssh, Session *s, const char *command) | 364 | do_exec_no_pty(struct ssh *ssh, Session *s, const char *command) |
335 | { | 365 | { |
336 | pid_t pid; | 366 | pid_t pid; |
337 | |||
338 | #ifdef USE_PIPES | 367 | #ifdef USE_PIPES |
339 | int pin[2], pout[2], perr[2]; | 368 | int pin[2], pout[2], perr[2]; |
340 | 369 | ||
@@ -450,11 +479,6 @@ do_exec_no_pty(struct ssh *ssh, Session *s, const char *command) | |||
450 | close(err[0]); | 479 | close(err[0]); |
451 | #endif | 480 | #endif |
452 | 481 | ||
453 | |||
454 | #ifdef _UNICOS | ||
455 | cray_init_job(s->pw); /* set up cray jid and tmpdir */ | ||
456 | #endif | ||
457 | |||
458 | /* Do processing for the child (exec command etc). */ | 482 | /* Do processing for the child (exec command etc). */ |
459 | do_child(ssh, s, command); | 483 | do_child(ssh, s, command); |
460 | /* NOTREACHED */ | 484 | /* NOTREACHED */ |
@@ -462,9 +486,6 @@ do_exec_no_pty(struct ssh *ssh, Session *s, const char *command) | |||
462 | break; | 486 | break; |
463 | } | 487 | } |
464 | 488 | ||
465 | #ifdef _UNICOS | ||
466 | signal(WJSIGNAL, cray_job_termination_handler); | ||
467 | #endif /* _UNICOS */ | ||
468 | #ifdef HAVE_CYGWIN | 489 | #ifdef HAVE_CYGWIN |
469 | cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); | 490 | cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); |
470 | #endif | 491 | #endif |
@@ -576,9 +597,6 @@ do_exec_pty(struct ssh *ssh, Session *s, const char *command) | |||
576 | close(ttyfd); | 597 | close(ttyfd); |
577 | 598 | ||
578 | /* record login, etc. similar to login(1) */ | 599 | /* record login, etc. similar to login(1) */ |
579 | #ifdef _UNICOS | ||
580 | cray_init_job(s->pw); /* set up cray jid and tmpdir */ | ||
581 | #endif /* _UNICOS */ | ||
582 | #ifndef HAVE_OSF_SIA | 600 | #ifndef HAVE_OSF_SIA |
583 | do_login(ssh, s, command); | 601 | do_login(ssh, s, command); |
584 | #endif | 602 | #endif |
@@ -592,9 +610,6 @@ do_exec_pty(struct ssh *ssh, Session *s, const char *command) | |||
592 | break; | 610 | break; |
593 | } | 611 | } |
594 | 612 | ||
595 | #ifdef _UNICOS | ||
596 | signal(WJSIGNAL, cray_job_termination_handler); | ||
597 | #endif /* _UNICOS */ | ||
598 | #ifdef HAVE_CYGWIN | 613 | #ifdef HAVE_CYGWIN |
599 | cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); | 614 | cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); |
600 | #endif | 615 | #endif |
@@ -656,9 +671,9 @@ do_exec(struct ssh *ssh, Session *s, const char *command) | |||
656 | original_command = command; | 671 | original_command = command; |
657 | command = options.adm_forced_command; | 672 | command = options.adm_forced_command; |
658 | forced = "(config)"; | 673 | forced = "(config)"; |
659 | } else if (forced_command) { | 674 | } else if (auth_opts->force_command != NULL) { |
660 | original_command = command; | 675 | original_command = command; |
661 | command = forced_command; | 676 | command = auth_opts->force_command; |
662 | forced = "(key-option)"; | 677 | forced = "(key-option)"; |
663 | } | 678 | } |
664 | if (forced != NULL) { | 679 | if (forced != NULL) { |
@@ -961,8 +976,9 @@ static char ** | |||
961 | do_setup_env(struct ssh *ssh, Session *s, const char *shell) | 976 | do_setup_env(struct ssh *ssh, Session *s, const char *shell) |
962 | { | 977 | { |
963 | char buf[256]; | 978 | char buf[256]; |
979 | size_t n; | ||
964 | u_int i, envsize; | 980 | u_int i, envsize; |
965 | char **env, *laddr; | 981 | char *ocp, *cp, **env, *laddr; |
966 | struct passwd *pw = s->pw; | 982 | struct passwd *pw = s->pw; |
967 | #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) | 983 | #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) |
968 | char *path = NULL; | 984 | char *path = NULL; |
@@ -1037,20 +1053,17 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) | |||
1037 | if (getenv("TZ")) | 1053 | if (getenv("TZ")) |
1038 | child_set_env(&env, &envsize, "TZ", getenv("TZ")); | 1054 | child_set_env(&env, &envsize, "TZ", getenv("TZ")); |
1039 | 1055 | ||
1040 | /* Set custom environment options from RSA authentication. */ | 1056 | /* Set custom environment options from pubkey authentication. */ |
1041 | while (custom_environment) { | 1057 | if (options.permit_user_env) { |
1042 | struct envstring *ce = custom_environment; | 1058 | for (n = 0 ; n < auth_opts->nenv; n++) { |
1043 | char *str = ce->s; | 1059 | ocp = xstrdup(auth_opts->env[n]); |
1044 | 1060 | cp = strchr(ocp, '='); | |
1045 | for (i = 0; str[i] != '=' && str[i]; i++) | 1061 | if (*cp == '=') { |
1046 | ; | 1062 | *cp = '\0'; |
1047 | if (str[i] == '=') { | 1063 | child_set_env(&env, &envsize, ocp, cp + 1); |
1048 | str[i] = 0; | 1064 | } |
1049 | child_set_env(&env, &envsize, str, str + i + 1); | 1065 | free(ocp); |
1050 | } | 1066 | } |
1051 | custom_environment = ce->next; | ||
1052 | free(ce->s); | ||
1053 | free(ce); | ||
1054 | } | 1067 | } |
1055 | 1068 | ||
1056 | /* SSH_CLIENT deprecated */ | 1069 | /* SSH_CLIENT deprecated */ |
@@ -1066,6 +1079,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) | |||
1066 | free(laddr); | 1079 | free(laddr); |
1067 | child_set_env(&env, &envsize, "SSH_CONNECTION", buf); | 1080 | child_set_env(&env, &envsize, "SSH_CONNECTION", buf); |
1068 | 1081 | ||
1082 | if (tun_fwd_ifnames != NULL) | ||
1083 | child_set_env(&env, &envsize, "SSH_TUNNEL", tun_fwd_ifnames); | ||
1069 | if (auth_info_file != NULL) | 1084 | if (auth_info_file != NULL) |
1070 | child_set_env(&env, &envsize, "SSH_USER_AUTH", auth_info_file); | 1085 | child_set_env(&env, &envsize, "SSH_USER_AUTH", auth_info_file); |
1071 | if (s->ttyfd != -1) | 1086 | if (s->ttyfd != -1) |
@@ -1078,11 +1093,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) | |||
1078 | child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", | 1093 | child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", |
1079 | original_command); | 1094 | original_command); |
1080 | 1095 | ||
1081 | #ifdef _UNICOS | ||
1082 | if (cray_tmpdir[0] != '\0') | ||
1083 | child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir); | ||
1084 | #endif /* _UNICOS */ | ||
1085 | |||
1086 | /* | 1096 | /* |
1087 | * Since we clear KRB5CCNAME at startup, if it's set now then it | 1097 | * Since we clear KRB5CCNAME at startup, if it's set now then it |
1088 | * must have been set by a native authentication method (eg AIX or | 1098 | * must have been set by a native authentication method (eg AIX or |
@@ -1155,7 +1165,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) | |||
1155 | * first in this order). | 1165 | * first in this order). |
1156 | */ | 1166 | */ |
1157 | static void | 1167 | static void |
1158 | do_rc_files(Session *s, const char *shell) | 1168 | do_rc_files(struct ssh *ssh, Session *s, const char *shell) |
1159 | { | 1169 | { |
1160 | FILE *f = NULL; | 1170 | FILE *f = NULL; |
1161 | char cmd[1024]; | 1171 | char cmd[1024]; |
@@ -1167,7 +1177,7 @@ do_rc_files(Session *s, const char *shell) | |||
1167 | 1177 | ||
1168 | /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */ | 1178 | /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */ |
1169 | if (!s->is_subsystem && options.adm_forced_command == NULL && | 1179 | if (!s->is_subsystem && options.adm_forced_command == NULL && |
1170 | !no_user_rc && options.permit_user_rc && | 1180 | auth_opts->permit_user_rc && options.permit_user_rc && |
1171 | stat(_PATH_SSH_USER_RC, &st) >= 0) { | 1181 | stat(_PATH_SSH_USER_RC, &st) >= 0) { |
1172 | snprintf(cmd, sizeof cmd, "%s -c '%s %s'", | 1182 | snprintf(cmd, sizeof cmd, "%s -c '%s %s'", |
1173 | shell, _PATH_BSHELL, _PATH_SSH_USER_RC); | 1183 | shell, _PATH_BSHELL, _PATH_SSH_USER_RC); |
@@ -1248,10 +1258,10 @@ do_nologin(struct passwd *pw) | |||
1248 | /* /etc/nologin exists. Print its contents if we can and exit. */ | 1258 | /* /etc/nologin exists. Print its contents if we can and exit. */ |
1249 | logit("User %.100s not allowed because %s exists", pw->pw_name, nl); | 1259 | logit("User %.100s not allowed because %s exists", pw->pw_name, nl); |
1250 | if ((f = fopen(nl, "r")) != NULL) { | 1260 | if ((f = fopen(nl, "r")) != NULL) { |
1251 | while (fgets(buf, sizeof(buf), f)) | 1261 | while (fgets(buf, sizeof(buf), f)) |
1252 | fputs(buf, stderr); | 1262 | fputs(buf, stderr); |
1253 | fclose(f); | 1263 | fclose(f); |
1254 | } | 1264 | } |
1255 | exit(254); | 1265 | exit(254); |
1256 | } | 1266 | } |
1257 | 1267 | ||
@@ -1483,10 +1493,6 @@ do_child(struct ssh *ssh, Session *s, const char *command) | |||
1483 | exit(1); | 1493 | exit(1); |
1484 | } | 1494 | } |
1485 | 1495 | ||
1486 | #ifdef _UNICOS | ||
1487 | cray_setup(pw->pw_uid, pw->pw_name, command); | ||
1488 | #endif /* _UNICOS */ | ||
1489 | |||
1490 | /* | 1496 | /* |
1491 | * Login(1) does this as well, and it needs uid 0 for the "-h" | 1497 | * Login(1) does this as well, and it needs uid 0 for the "-h" |
1492 | * switch, so we let login(1) to this for us. | 1498 | * switch, so we let login(1) to this for us. |
@@ -1591,7 +1597,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) | |||
1591 | 1597 | ||
1592 | closefrom(STDERR_FILENO + 1); | 1598 | closefrom(STDERR_FILENO + 1); |
1593 | 1599 | ||
1594 | do_rc_files(s, shell); | 1600 | do_rc_files(ssh, s, shell); |
1595 | 1601 | ||
1596 | /* restore SIGPIPE for child */ | 1602 | /* restore SIGPIPE for child */ |
1597 | signal(SIGPIPE, SIG_DFL); | 1603 | signal(SIGPIPE, SIG_DFL); |
@@ -1854,8 +1860,8 @@ session_pty_req(struct ssh *ssh, Session *s) | |||
1854 | u_int len; | 1860 | u_int len; |
1855 | int n_bytes; | 1861 | int n_bytes; |
1856 | 1862 | ||
1857 | if (no_pty_flag || !options.permit_tty) { | 1863 | if (!auth_opts->permit_pty_flag || !options.permit_tty) { |
1858 | debug("Allocating a pty not permitted for this authentication."); | 1864 | debug("Allocating a pty not permitted for this connection."); |
1859 | return 0; | 1865 | return 0; |
1860 | } | 1866 | } |
1861 | if (s->ttyfd != -1) { | 1867 | if (s->ttyfd != -1) { |
@@ -2043,9 +2049,11 @@ static int | |||
2043 | session_auth_agent_req(struct ssh *ssh, Session *s) | 2049 | session_auth_agent_req(struct ssh *ssh, Session *s) |
2044 | { | 2050 | { |
2045 | static int called = 0; | 2051 | static int called = 0; |
2052 | |||
2046 | packet_check_eom(); | 2053 | packet_check_eom(); |
2047 | if (no_agent_forwarding_flag || !options.allow_agent_forwarding) { | 2054 | if (!auth_opts->permit_agent_forwarding_flag || |
2048 | debug("session_auth_agent_req: no_agent_forwarding_flag"); | 2055 | !options.allow_agent_forwarding) { |
2056 | debug("%s: agent forwarding disabled", __func__); | ||
2049 | return 0; | 2057 | return 0; |
2050 | } | 2058 | } |
2051 | if (called) { | 2059 | if (called) { |
@@ -2423,8 +2431,8 @@ session_setup_x11fwd(struct ssh *ssh, Session *s) | |||
2423 | char hostname[NI_MAXHOST]; | 2431 | char hostname[NI_MAXHOST]; |
2424 | u_int i; | 2432 | u_int i; |
2425 | 2433 | ||
2426 | if (no_x11_forwarding_flag) { | 2434 | if (!auth_opts->permit_x11_forwarding_flag) { |
2427 | packet_send_debug("X11 forwarding disabled in user configuration file."); | 2435 | packet_send_debug("X11 forwarding disabled by key options."); |
2428 | return 0; | 2436 | return 0; |
2429 | } | 2437 | } |
2430 | if (!options.x11_forwarding) { | 2438 | if (!options.x11_forwarding) { |
@@ -2433,7 +2441,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s) | |||
2433 | } | 2441 | } |
2434 | if (options.xauth_location == NULL || | 2442 | if (options.xauth_location == NULL || |
2435 | (stat(options.xauth_location, &st) == -1)) { | 2443 | (stat(options.xauth_location, &st) == -1)) { |
2436 | packet_send_debug("No xauth program; cannot forward with spoofing."); | 2444 | packet_send_debug("No xauth program; cannot forward X11."); |
2437 | return 0; | 2445 | return 0; |
2438 | } | 2446 | } |
2439 | if (s->display != NULL) { | 2447 | if (s->display != NULL) { |