Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c42
1 files changed, 40 insertions, 2 deletions
diff --git a/sshd.c b/sshd.c
index 6b2f59220..d8faaebd5 100644
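--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.393 2012/07/10 02:19:15 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.397 2013/02/11 21:21:58 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -363,6 +363,15 @@ grace_alarm_handler(int sig)
  if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
  kill(pmonitor->m_pid, SIGALRM);
 
+ /*
+ * Try to kill any processes that we have spawned, E.g. authorized
+ * keys command helpers.
+ */
+ if (getpgid(0) == getpid()) {
+ signal(SIGTERM, SIG_IGN);
+ killpg(0, SIGTERM);
+ }
+
  /* Log error and exit. */
  sigdie("Timeout before authentication for %s", get_remote_ipaddr());
 }
@@ -1332,6 +1341,7 @@ main(int ac, char **av)
  int remote_port;
  char *line;
  int config_s[2] = { -1 , -1 };
+ u_int n;
  u_int64_t ibytes, obytes;
  mode_t new_umask;
  Key *key;
@@ -1554,6 +1564,33 @@ main(int ac, char **av)
  if (options.challenge_response_authentication)
  options.kbd_interactive_authentication = 1;
 
+ /* Check that options are sensible */
+ if (options.authorized_keys_command_user == NULL &&
+ (options.authorized_keys_command != NULL &&
+ strcasecmp(options.authorized_keys_command, "none") != 0))
+ fatal("AuthorizedKeysCommand set without "
+ "AuthorizedKeysCommandUser");
+
+ /*
+ * Check whether there is any path through configured auth methods.
+ * Unfortunately it is not possible to verify this generally before
+ * daemonisation in the presence of Match block, but this catches
+ * and warns for trivial misconfigurations that could break login.
+ */
+ if (options.num_auth_methods != 0) {
+ if ((options.protocol & SSH_PROTO_1))
+ fatal("AuthenticationMethods is not supported with "
+ "SSH protocol 1");
+ for (n = 0; n < options.num_auth_methods; n++) {
+ if (auth2_methods_valid(options.auth_methods[n],
+ 1) == 0)
+ break;
+ }
+ if (n >= options.num_auth_methods)
+ fatal("AuthenticationMethods cannot be satisfied by "
+ "enabled authentication methods");
+ }
+
  /* set default channel AF */
  channel_set_af(options.address_family);
 
@@ -1563,7 +1600,8 @@ main(int ac, char **av)
  exit(1);
  }
 
- debug("sshd version %.100s", SSH_RELEASE);
+ debug("sshd version %s, %s", SSH_VERSION,
+ SSLeay_version(SSLEAY_VERSION));
 
  /* Store privilege separation user for later use if required. */
  if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {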
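Review bot: In the grace_alarm_handler hunk the added block runs in signal context, and as far as I know `getpgid()` and `killpg()` are not on POSIX's async-signal-safe list while `getpgrp()` and `kill()` are; `if (getpgrp() == getpid()) { signal(SIGTERM, SIG_IGN); kill(0, SIGTERM); }` should have the same effect using only listed calls. The group-wide SIGTERM reaches only helpers still in sshd's own process group, so a helper that has moved to another group or session outlives the login-grace timeout. I would extend the comment with `Best effort: only reaches helpers still in our process group; failures are ignored.` so this is not read as guaranteed cleanup. The handler's body begins above the hunk, so whatever else runs before this block is not visible here.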