summaryrefslogtreecommitdiff
path: root/sshd.c
diff options
context:
space:
mode:
Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c65
1 files changed, 64 insertions, 1 deletions
diff --git a/sshd.c b/sshd.c
index df6d1e374..85b679d5e 100644
--- a/sshd.c
+++ b/sshd.c
@@ -86,6 +86,10 @@ RCSID("$OpenBSD: sshd.c,v 1.318 2005/12/24 02:27:41 djm Exp $");
86#include "monitor_wrap.h" 86#include "monitor_wrap.h"
87#include "monitor_fdpass.h" 87#include "monitor_fdpass.h"
88 88
89#ifdef USE_SECURITY_SESSION_API
90#include <Security/AuthSession.h>
91#endif
92
89#ifdef LIBWRAP 93#ifdef LIBWRAP
90#include <tcpd.h> 94#include <tcpd.h>
91#include <syslog.h> 95#include <syslog.h>
@@ -1129,6 +1133,7 @@ main(int ac, char **av)
1129 options.protocol &= ~SSH_PROTO_1; 1133 options.protocol &= ~SSH_PROTO_1;
1130 } 1134 }
1131#ifndef GSSAPI 1135#ifndef GSSAPI
1136 /* The GSSAPI key exchange can run without a host key */
1132 if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) { 1137 if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) {
1133 logit("Disabling protocol version 2. Could not load host key"); 1138 logit("Disabling protocol version 2. Could not load host key");
1134 options.protocol &= ~SSH_PROTO_2; 1139 options.protocol &= ~SSH_PROTO_2;
@@ -1681,6 +1686,60 @@ main(int ac, char **av)
1681 /* Log the connection. */ 1686 /* Log the connection. */
1682 verbose("Connection from %.500s port %d", remote_ip, remote_port); 1687 verbose("Connection from %.500s port %d", remote_ip, remote_port);
1683 1688
1689#ifdef USE_SECURITY_SESSION_API
1690 /*
1691 * Create a new security session for use by the new user login if
1692 * the current session is the root session or we are not launched
1693 * by inetd (eg: debugging mode or server mode). We do not
1694 * necessarily need to create a session if we are launched from
1695 * inetd because Panther xinetd will create a session for us.
1696 *
1697 * The only case where this logic will fail is if there is an
1698 * inetd running in a non-root session which is not creating
1699 * new sessions for us. Then all the users will end up in the
1700 * same session (bad).
1701 *
1702 * When the client exits, the session will be destroyed for us
1703 * automatically.
1704 *
1705 * We must create the session before any credentials are stored
1706 * (including AFS pags, which happens a few lines below).
1707 */
1708 {
1709 OSStatus err = 0;
1710 SecuritySessionId sid = 0;
1711 SessionAttributeBits sattrs = 0;
1712
1713 err = SessionGetInfo(callerSecuritySession, &sid, &sattrs);
1714 if (err)
1715 error("SessionGetInfo() failed with error %.8X",
1716 (unsigned) err);
1717 else
1718 debug("Current Session ID is %.8X / Session Attributes are %.8X",
1719 (unsigned) sid, (unsigned) sattrs);
1720
1721 if (inetd_flag && !(sattrs & sessionIsRoot))
1722 debug("Running in inetd mode in a non-root session... "
1723 "assuming inetd created the session for us.");
1724 else {
1725 debug("Creating new security session...");
1726 err = SessionCreate(0, sessionHasTTY | sessionIsRemote);
1727 if (err)
1728 error("SessionCreate() failed with error %.8X",
1729 (unsigned) err);
1730
1731 err = SessionGetInfo(callerSecuritySession, &sid,
1732 &sattrs);
1733 if (err)
1734 error("SessionGetInfo() failed with error %.8X",
1735 (unsigned) err);
1736 else
1737 debug("New Session ID is %.8X / Session Attributes are %.8X",
1738 (unsigned) sid, (unsigned) sattrs);
1739 }
1740 }
1741#endif
1742
1684 /* 1743 /*
1685 * We don't want to listen forever unless the other side 1744 * We don't want to listen forever unless the other side
1686 * successfully authenticates itself. So we set up an alarm which is 1745 * successfully authenticates itself. So we set up an alarm which is
@@ -2051,7 +2110,10 @@ do_ssh2_kex(void)
2051 if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) 2110 if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
2052 orig = NULL; 2111 orig = NULL;
2053 2112
2054 gss = ssh_gssapi_server_mechanisms(); 2113 if (options.gss_keyex)
2114 gss = ssh_gssapi_server_mechanisms();
2115 else
2116 gss = NULL;
2055 2117
2056 if (gss && orig) { 2118 if (gss && orig) {
2057 int len = strlen(orig) + strlen(gss) + 2; 2119 int len = strlen(orig) + strlen(gss) + 2;
@@ -2084,6 +2146,7 @@ do_ssh2_kex(void)
2084 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 2146 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2085#ifdef GSSAPI 2147#ifdef GSSAPI
2086 kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; 2148 kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
2149 kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
2087#endif 2150#endif
2088 kex->server = 1; 2151 kex->server = 1;
2089 kex->client_version_string=client_version_string; 2152 kex->client_version_string=client_version_string;