Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c55
1 files changed, 53 insertions, 2 deletions
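--- a/sshd.c
+++ b/sshd.c
@@ -254,6 +254,11 @@ Buffer loginmsg;
 /* Unprivileged user */
 struct passwd *privsep_pw = NULL;
 
+#ifdef OOM_ADJUST
+/* Linux out-of-memory killer adjustment */
+static char oom_adj_save[8];
+#endif
+
 /* Prototypes for various functions defined later in this file. */
 void destroy_sensitive_data(void);
 void demote_sensitive_data(void);
@@ -313,6 +318,7 @@ sighup_restart(void)
 	close_listen_socks();
 	close_startup_pipes();
 	alarm(0); /* alarm timer persists across exec */
+	signal(SIGHUP, SIG_IGN); /* will be restored after exec */
 	execv(saved_argv[0], saved_argv);
 	logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
 	    strerror(errno));
@@ -420,7 +426,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
 		minor = PROTOCOL_MINOR_1;
 	}
 	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
-	    SSH_VERSION, newline);
+	    options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
+	    newline);
 	server_version_string = xstrdup(buf);
 
 	/* Send our protocol version identification. */
@@ -908,6 +915,31 @@ recv_rexec_state(int fd, Buffer *conf)
 	debug3("%s: done", __func__);
 }
 
+#ifdef OOM_ADJUST
+/*
+ * If requested in the environment, tell the Linux kernel's out-of-memory
+ * killer to avoid sshd. The old state will be restored when forking child
+ * processes.
+ */
+static void
+oom_adjust_startup(void)
+{
+	const char *oom_adj = getenv("SSHD_OOM_ADJUST");
+
+	if (!oom_adj || !*oom_adj)
+		return;
+	oom_adj_get(oom_adj_save, sizeof(oom_adj_save));
+	oom_adj_set(oom_adj);
+}
+
+static void
+oom_restore(void)
+{
+	if (oom_adj_save[0])
+		oom_adj_set(oom_adj_save);
+}
+#endif
+
 /* Accept a connection from inetd */
 static void
 server_accept_inetd(int *sock_in, int *sock_out)
@@ -1325,7 +1357,12 @@ main(int ac, char **av)
 			/* ignored */
 			break;
 		case 'q':
-			options.log_level = SYSLOG_LEVEL_QUIET;
+			if (options.log_level == SYSLOG_LEVEL_QUIET) {
+				options.log_level = SYSLOG_LEVEL_SILENT;
+			}
+			else if (options.log_level != SYSLOG_LEVEL_SILENT) {
+				options.log_level = SYSLOG_LEVEL_QUIET;
+			}
 			break;
 		case 'b':
 			options.server_key_bits = (int)strtonum(optarg, 256,
@@ -1518,6 +1555,11 @@ main(int ac, char **av)
 			sensitive_data.host_keys[i] = NULL;
 			continue;
 		}
+		if (reject_blacklisted_key(key, 1) == 1) {
+			key_free(key);
+			sensitive_data.host_keys[i] = NULL;
+			continue;
+		}
 		switch (key->type) {
 		case KEY_RSA1:
 			sensitive_data.ssh1_host_key = key;
@@ -1665,6 +1707,11 @@ main(int ac, char **av)
 	/* ignore SIGPIPE */
 	signal(SIGPIPE, SIG_IGN);
 
+#ifdef OOM_ADJUST
+	/* Adjust out-of-memory killer */
+	oom_adjust_startup();
+#endif
+
 	/* Get a connection, either from inetd or a listening TCP socket */
 	if (inetd_flag) {
 		server_accept_inetd(&sock_in, &sock_out);
@@ -1703,6 +1750,10 @@ main(int ac, char **av)
 	/* This is the child processing a new connection. */
 	setproctitle("%s", "[accepted]");
 
+#ifdef OOM_ADJUST
+	oom_restore();
+#endif
+
 	/*
 	 * Create a new session and process group since the 4.4BSD
 	 * setlogin() affects the entire process group. We don't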
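Review bot: oom_adjust_startup() at 925 takes its setting from the SSHD_OOM_ADJUST environment variable and the comment at 920-922 promises the old state is restored in forked children, but oom_restore() only runs after the fork in the hunk at 1750; if the connection child is re-executed (the rexec path is outside these hunks), it inherits the same environment and would reach the oom_adjust_startup() call at 1712 a second time, re-protecting the per-connection process that the restore was meant to leave unprotected — confirm against the rexec code path. If so, apply the adjustment only in the initial listener, e.g. `if (!rexeced_flag) oom_adjust_startup();` at 1712; clearing the variable with `unsetenv("SSHD_OOM_ADJUST")` after reading it would also work but would drop the setting across the SIGHUP execv() at 322. oom_adj_get()/oom_adj_set() are defined elsewhere, and the 8-byte oom_adj_save at 259 relies on oom_adj_get() NUL-terminating what it writes, which is worth stating in the comment on that buffer, e.g. `/* saved oom_adj value, NUL-terminated by oom_adj_get(); empty if never read */`. Separately, the `}` on a line of its own before `else if` at 1362-1363 does not match the file's `} else if (...) {` layout. main() starts and ends outside the hunks.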