Diffstat (limited to 'sshd.c')
-rw-r--r-- | sshd.c | 55 |
1 files changed, 53 insertions, 2 deletions
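--- a/sshd.c
+++ b/sshd.c
@@ -254,6 +254,11 @@ Buffer loginmsg;
 /* Unprivileged user */
 struct passwd *privsep_pw = NULL;
 
+#ifdef OOM_ADJUST
+/* Linux out-of-memory killer adjustment */
+static char oom_adj_save[8];
+#endif
+
 /* Prototypes for various functions defined later in this file. */
 void destroy_sensitive_data(void);
 void demote_sensitive_data(void);
@@ -313,6 +318,7 @@ sighup_restart(void)
 close_listen_socks();
 close_startup_pipes();
 alarm(0); /* alarm timer persists across exec */
+signal(SIGHUP, SIG_IGN); /* will be restored after exec */
 execv(saved_argv[0], saved_argv);
 logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
 strerror(errno));
@@ -420,7 +426,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
 minor = PROTOCOL_MINOR_1;
 }
 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
-SSH_VERSION, newline);
+options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
+newline);
 server_version_string = xstrdup(buf);
 
 /* Send our protocol version identification. */
@@ -908,6 +915,31 @@ recv_rexec_state(int fd, Buffer *conf)
 debug3("%s: done", __func__);
 }
 
+#ifdef OOM_ADJUST
+/*
+* If requested in the environment, tell the Linux kernel's out-of-memory
+* killer to avoid sshd. The old state will be restored when forking child
+* processes.
+*/
+static void
+oom_adjust_startup(void)
+{
+const char *oom_adj = getenv("SSHD_OOM_ADJUST");
+
+if (!oom_adj || !*oom_adj)
+return;
+oom_adj_get(oom_adj_save, sizeof(oom_adj_save));
+oom_adj_set(oom_adj);
+}
+
+static void
+oom_restore(void)
+{
+if (oom_adj_save[0])
+oom_adj_set(oom_adj_save);
+}
+#endif
+
 /* Accept a connection from inetd */
 static void
 server_accept_inetd(int *sock_in, int *sock_out)
@@ -1325,7 +1357,12 @@ main(int ac, char **av)
 /* ignored */
 break;
 case 'q':
-options.log_level = SYSLOG_LEVEL_QUIET;
+if (options.log_level == SYSLOG_LEVEL_QUIET) {
+options.log_level = SYSLOG_LEVEL_SILENT;
+}
+else if (options.log_level != SYSLOG_LEVEL_SILENT) {
+options.log_level = SYSLOG_LEVEL_QUIET;
+}
 break;
 case 'b':
 options.server_key_bits = (int)strtonum(optarg, 256,
@@ -1518,6 +1555,11 @@ main(int ac, char **av)
 sensitive_data.host_keys[i] = NULL;
 continue;
 }
+if (reject_blacklisted_key(key, 1) == 1) {
+key_free(key);
+sensitive_data.host_keys[i] = NULL;
+continue;
+}
 switch (key->type) {
 case KEY_RSA1:
 sensitive_data.ssh1_host_key = key;
@@ -1665,6 +1707,11 @@ main(int ac, char **av)
 /* ignore SIGPIPE */
 signal(SIGPIPE, SIG_IGN);
 
+#ifdef OOM_ADJUST
+/* Adjust out-of-memory killer */
+oom_adjust_startup();
+#endif
+
 /* Get a connection, either from inetd or a listening TCP socket */
 if (inetd_flag) {
 server_accept_inetd(&sock_in, &sock_out);
@@ -1703,6 +1750,10 @@ main(int ac, char **av)
 /* This is the child processing a new connection. */
 setproctitle("%s", "[accepted]");
 
+#ifdef OOM_ADJUST
+oom_restore();
+#endif
+
 /*
 * Create a new session and process group since the 4.4BSD
 * setlogin() affects the entire process group. We don't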
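Review bot: The oom_restore() added after the "[accepted]" setproctitle() only holds until the child re-executes itself: oom_adjust_startup() is called unconditionally ahead of the inetd_flag check, so a re-exec'd child that passes through that same startup line with SSHD_OOM_ADJUST still in its environment would re-apply the protected value and leave per-connection processes shielded from the OOM killer too (the re-exec path is not in these hunks, so please confirm). Guarding the call, e.g. `if (!inetd_flag && !rexeced_flag) oom_adjust_startup();`, or calling `unsetenv("SSHD_OOM_ADJUST");` in the child right after oom_restore(), keeps the adjustment on the listener only. In oom_adjust_startup() the result of oom_adj_get() is unchecked; since oom_restore() uses oom_adj_save[0] as its "something was saved" sentinel this is only sound if oom_adj_get() leaves the buffer empty on failure, which is worth stating on the static, e.g. `/* empty until oom_adjust_startup() has saved the previous value */`. In the `-q` hunk, `}` followed by `else if` on a line of its own departs from the `} else if (...) {` style used in the rest of sshd.c.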