summaryrefslogtreecommitdiff
path: root/sshd.c
diff options
context:
space:
mode:
Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c170
1 files changed, 126 insertions, 44 deletions
diff --git a/sshd.c b/sshd.c
index 11571c010..60b2aaf73 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshd.c,v 1.537 2019/06/28 13:35:04 deraadt Exp $ */ 1/* $OpenBSD: sshd.c,v 1.549 2020/01/31 23:13:04 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -122,6 +122,7 @@
122#include "auth-options.h" 122#include "auth-options.h"
123#include "version.h" 123#include "version.h"
124#include "ssherr.h" 124#include "ssherr.h"
125#include "sk-api.h"
125 126
126/* Re-exec fds */ 127/* Re-exec fds */
127#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 128#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
@@ -250,6 +251,9 @@ struct sshauthopt *auth_opts = NULL;
250/* sshd_config buffer */ 251/* sshd_config buffer */
251struct sshbuf *cfg; 252struct sshbuf *cfg;
252 253
254/* Included files from the configuration file */
255struct include_list includes = TAILQ_HEAD_INITIALIZER(includes);
256
253/* message to be displayed after login */ 257/* message to be displayed after login */
254struct sshbuf *loginmsg; 258struct sshbuf *loginmsg;
255 259
@@ -261,6 +265,8 @@ void destroy_sensitive_data(void);
261void demote_sensitive_data(void); 265void demote_sensitive_data(void);
262static void do_ssh2_kex(struct ssh *); 266static void do_ssh2_kex(struct ssh *);
263 267
268static char *listener_proctitle;
269
264/* 270/*
265 * Close all listening sockets 271 * Close all listening sockets
266 */ 272 */
@@ -295,10 +301,7 @@ close_startup_pipes(void)
295static void 301static void
296sighup_handler(int sig) 302sighup_handler(int sig)
297{ 303{
298 int save_errno = errno;
299
300 received_sighup = 1; 304 received_sighup = 1;
301 errno = save_errno;
302} 305}
303 306
304/* 307/*
@@ -315,7 +318,7 @@ sighup_restart(void)
315 close_listen_socks(); 318 close_listen_socks();
316 close_startup_pipes(); 319 close_startup_pipes();
317 alarm(0); /* alarm timer persists across exec */ 320 alarm(0); /* alarm timer persists across exec */
318 signal(SIGHUP, SIG_IGN); /* will be restored after exec */ 321 ssh_signal(SIGHUP, SIG_IGN); /* will be restored after exec */
319 execv(saved_argv[0], saved_argv); 322 execv(saved_argv[0], saved_argv);
320 logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0], 323 logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
321 strerror(errno)); 324 strerror(errno));
@@ -344,6 +347,8 @@ main_sigchld_handler(int sig)
344 pid_t pid; 347 pid_t pid;
345 int status; 348 int status;
346 349
350 debug("main_sigchld_handler: %s", strsignal(sig));
351
347 while ((pid = waitpid(-1, &status, WNOHANG)) > 0 || 352 while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
348 (pid == -1 && errno == EINTR)) 353 (pid == -1 && errno == EINTR))
349 ; 354 ;
@@ -365,7 +370,7 @@ grace_alarm_handler(int sig)
365 * keys command helpers. 370 * keys command helpers.
366 */ 371 */
367 if (getpgid(0) == getpid()) { 372 if (getpgid(0) == getpid()) {
368 signal(SIGTERM, SIG_IGN); 373 ssh_signal(SIGTERM, SIG_IGN);
369 kill(0, SIGTERM); 374 kill(0, SIGTERM);
370 } 375 }
371 376
@@ -635,6 +640,8 @@ list_hostkey_types(void)
635 case KEY_DSA: 640 case KEY_DSA:
636 case KEY_ECDSA: 641 case KEY_ECDSA:
637 case KEY_ED25519: 642 case KEY_ED25519:
643 case KEY_ECDSA_SK:
644 case KEY_ED25519_SK:
638 case KEY_XMSS: 645 case KEY_XMSS:
639 append_hostkey_type(b, sshkey_ssh_name(key)); 646 append_hostkey_type(b, sshkey_ssh_name(key));
640 break; 647 break;
@@ -654,6 +661,8 @@ list_hostkey_types(void)
654 case KEY_DSA_CERT: 661 case KEY_DSA_CERT:
655 case KEY_ECDSA_CERT: 662 case KEY_ECDSA_CERT:
656 case KEY_ED25519_CERT: 663 case KEY_ED25519_CERT:
664 case KEY_ECDSA_SK_CERT:
665 case KEY_ED25519_SK_CERT:
657 case KEY_XMSS_CERT: 666 case KEY_XMSS_CERT:
658 append_hostkey_type(b, sshkey_ssh_name(key)); 667 append_hostkey_type(b, sshkey_ssh_name(key));
659 break; 668 break;
@@ -678,6 +687,8 @@ get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh)
678 case KEY_DSA_CERT: 687 case KEY_DSA_CERT:
679 case KEY_ECDSA_CERT: 688 case KEY_ECDSA_CERT:
680 case KEY_ED25519_CERT: 689 case KEY_ED25519_CERT:
690 case KEY_ECDSA_SK_CERT:
691 case KEY_ED25519_SK_CERT:
681 case KEY_XMSS_CERT: 692 case KEY_XMSS_CERT:
682 key = sensitive_data.host_certificates[i]; 693 key = sensitive_data.host_certificates[i];
683 break; 694 break;
@@ -687,10 +698,20 @@ get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh)
687 key = sensitive_data.host_pubkeys[i]; 698 key = sensitive_data.host_pubkeys[i];
688 break; 699 break;
689 } 700 }
690 if (key != NULL && key->type == type && 701 if (key == NULL || key->type != type)
691 (key->type != KEY_ECDSA || key->ecdsa_nid == nid)) 702 continue;
703 switch (type) {
704 case KEY_ECDSA:
705 case KEY_ECDSA_SK:
706 case KEY_ECDSA_CERT:
707 case KEY_ECDSA_SK_CERT:
708 if (key->ecdsa_nid != nid)
709 continue;
710 /* FALLTHROUGH */
711 default:
692 return need_private ? 712 return need_private ?
693 sensitive_data.host_keys[i] : key; 713 sensitive_data.host_keys[i] : key;
714 }
694 } 715 }
695 return NULL; 716 return NULL;
696} 717}
@@ -852,30 +873,45 @@ usage(void)
852static void 873static void
853send_rexec_state(int fd, struct sshbuf *conf) 874send_rexec_state(int fd, struct sshbuf *conf)
854{ 875{
855 struct sshbuf *m; 876 struct sshbuf *m = NULL, *inc = NULL;
877 struct include_item *item = NULL;
856 int r; 878 int r;
857 879
858 debug3("%s: entering fd = %d config len %zu", __func__, fd, 880 debug3("%s: entering fd = %d config len %zu", __func__, fd,
859 sshbuf_len(conf)); 881 sshbuf_len(conf));
860 882
883 if ((m = sshbuf_new()) == NULL || (inc = sshbuf_new()) == NULL)
884 fatal("%s: sshbuf_new failed", __func__);
885
886 /* pack includes into a string */
887 TAILQ_FOREACH(item, &includes, entry) {
888 if ((r = sshbuf_put_cstring(inc, item->selector)) != 0 ||
889 (r = sshbuf_put_cstring(inc, item->filename)) != 0 ||
890 (r = sshbuf_put_stringb(inc, item->contents)) != 0)
891 fatal("%s: buffer error: %s", __func__, ssh_err(r));
892 }
893
861 /* 894 /*
862 * Protocol from reexec master to child: 895 * Protocol from reexec master to child:
863 * string configuration 896 * string configuration
864 * string rngseed (only if OpenSSL is not self-seeded) 897 * string included_files[] {
898 * string selector
899 * string filename
900 * string contents
901 * }
902 * string rng_seed (if required)
865 */ 903 */
866 if ((m = sshbuf_new()) == NULL) 904 if ((r = sshbuf_put_stringb(m, conf)) != 0 ||
867 fatal("%s: sshbuf_new failed", __func__); 905 (r = sshbuf_put_stringb(m, inc)) != 0)
868 if ((r = sshbuf_put_stringb(m, conf)) != 0)
869 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 906 fatal("%s: buffer error: %s", __func__, ssh_err(r));
870
871#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY) 907#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
872 rexec_send_rng_seed(m); 908 rexec_send_rng_seed(m);
873#endif 909#endif
874
875 if (ssh_msg_send(fd, 0, m) == -1) 910 if (ssh_msg_send(fd, 0, m) == -1)
876 fatal("%s: ssh_msg_send failed", __func__); 911 fatal("%s: ssh_msg_send failed", __func__);
877 912
878 sshbuf_free(m); 913 sshbuf_free(m);
914 sshbuf_free(inc);
879 915
880 debug3("%s: done", __func__); 916 debug3("%s: done", __func__);
881} 917}
@@ -883,14 +919,15 @@ send_rexec_state(int fd, struct sshbuf *conf)
883static void 919static void
884recv_rexec_state(int fd, struct sshbuf *conf) 920recv_rexec_state(int fd, struct sshbuf *conf)
885{ 921{
886 struct sshbuf *m; 922 struct sshbuf *m, *inc;
887 u_char *cp, ver; 923 u_char *cp, ver;
888 size_t len; 924 size_t len;
889 int r; 925 int r;
926 struct include_item *item;
890 927
891 debug3("%s: entering fd = %d", __func__, fd); 928 debug3("%s: entering fd = %d", __func__, fd);
892 929
893 if ((m = sshbuf_new()) == NULL) 930 if ((m = sshbuf_new()) == NULL || (inc = sshbuf_new()) == NULL)
894 fatal("%s: sshbuf_new failed", __func__); 931 fatal("%s: sshbuf_new failed", __func__);
895 if (ssh_msg_recv(fd, m) == -1) 932 if (ssh_msg_recv(fd, m) == -1)
896 fatal("%s: ssh_msg_recv failed", __func__); 933 fatal("%s: ssh_msg_recv failed", __func__);
@@ -898,14 +935,28 @@ recv_rexec_state(int fd, struct sshbuf *conf)
898 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 935 fatal("%s: buffer error: %s", __func__, ssh_err(r));
899 if (ver != 0) 936 if (ver != 0)
900 fatal("%s: rexec version mismatch", __func__); 937 fatal("%s: rexec version mismatch", __func__);
901 if ((r = sshbuf_get_string(m, &cp, &len)) != 0) 938 if ((r = sshbuf_get_string(m, &cp, &len)) != 0 ||
902 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 939 (r = sshbuf_get_stringb(m, inc)) != 0)
903 if (conf != NULL && (r = sshbuf_put(conf, cp, len)))
904 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 940 fatal("%s: buffer error: %s", __func__, ssh_err(r));
941
905#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY) 942#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
906 rexec_recv_rng_seed(m); 943 rexec_recv_rng_seed(m);
907#endif 944#endif
908 945
946 if (conf != NULL && (r = sshbuf_put(conf, cp, len)))
947 fatal("%s: buffer error: %s", __func__, ssh_err(r));
948
949 while (sshbuf_len(inc) != 0) {
950 item = xcalloc(1, sizeof(*item));
951 if ((item->contents = sshbuf_new()) == NULL)
952 fatal("%s: sshbuf_new failed", __func__);
953 if ((r = sshbuf_get_cstring(inc, &item->selector, NULL)) != 0 ||
954 (r = sshbuf_get_cstring(inc, &item->filename, NULL)) != 0 ||
955 (r = sshbuf_get_stringb(inc, item->contents)) != 0)
956 fatal("%s: buffer error: %s", __func__, ssh_err(r));
957 TAILQ_INSERT_TAIL(&includes, item, entry);
958 }
959
909 free(cp); 960 free(cp);
910 sshbuf_free(m); 961 sshbuf_free(m);
911 962
@@ -1045,7 +1096,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
1045{ 1096{
1046 fd_set *fdset; 1097 fd_set *fdset;
1047 int i, j, ret, maxfd; 1098 int i, j, ret, maxfd;
1048 int startups = 0, listening = 0, lameduck = 0; 1099 int ostartups = -1, startups = 0, listening = 0, lameduck = 0;
1049 int startup_p[2] = { -1 , -1 }; 1100 int startup_p[2] = { -1 , -1 };
1050 char c = 0; 1101 char c = 0;
1051 struct sockaddr_storage from; 1102 struct sockaddr_storage from;
@@ -1070,6 +1121,12 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
1070 * the daemon is killed with a signal. 1121 * the daemon is killed with a signal.
1071 */ 1122 */
1072 for (;;) { 1123 for (;;) {
1124 if (ostartups != startups) {
1125 setproctitle("%s [listener] %d of %d-%d startups",
1126 listener_proctitle, startups,
1127 options.max_startups_begin, options.max_startups);
1128 ostartups = startups;
1129 }
1073 if (received_sighup) { 1130 if (received_sighup) {
1074 if (!lameduck) { 1131 if (!lameduck) {
1075 debug("Received SIGHUP; waiting for children"); 1132 debug("Received SIGHUP; waiting for children");
@@ -1157,6 +1214,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
1157 if (drop_connection(startups) == 1) { 1214 if (drop_connection(startups) == 1) {
1158 char *laddr = get_local_ipaddr(*newsock); 1215 char *laddr = get_local_ipaddr(*newsock);
1159 char *raddr = get_peer_ipaddr(*newsock); 1216 char *raddr = get_peer_ipaddr(*newsock);
1217 char msg[] = "Exceeded MaxStartups\r\n";
1160 1218
1161 verbose("drop connection #%d from [%s]:%d " 1219 verbose("drop connection #%d from [%s]:%d "
1162 "on [%s]:%d past MaxStartups", startups, 1220 "on [%s]:%d past MaxStartups", startups,
@@ -1164,6 +1222,8 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
1164 laddr, get_local_port(*newsock)); 1222 laddr, get_local_port(*newsock));
1165 free(laddr); 1223 free(laddr);
1166 free(raddr); 1224 free(raddr);
1225 /* best-effort notification to client */
1226 (void)write(*newsock, msg, strlen(msg));
1167 close(*newsock); 1227 close(*newsock);
1168 continue; 1228 continue;
1169 } 1229 }
@@ -1410,6 +1470,17 @@ accumulate_host_timing_secret(struct sshbuf *server_cfg,
1410 sshbuf_free(buf); 1470 sshbuf_free(buf);
1411} 1471}
1412 1472
1473static char *
1474prepare_proctitle(int ac, char **av)
1475{
1476 char *ret = NULL;
1477 int i;
1478
1479 for (i = 0; i < ac; i++)
1480 xextendf(&ret, " ", "%s", av[i]);
1481 return ret;
1482}
1483
1413/* 1484/*
1414 * Main program for the daemon. 1485 * Main program for the daemon.
1415 */ 1486 */
@@ -1562,7 +1633,7 @@ main(int ac, char **av)
1562 case 'o': 1633 case 'o':
1563 line = xstrdup(optarg); 1634 line = xstrdup(optarg);
1564 if (process_server_config_line(&options, line, 1635 if (process_server_config_line(&options, line,
1565 "command-line", 0, NULL, NULL) != 0) 1636 "command-line", 0, NULL, NULL, &includes) != 0)
1566 exit(1); 1637 exit(1);
1567 free(line); 1638 free(line);
1568 break; 1639 break;
@@ -1593,7 +1664,7 @@ main(int ac, char **av)
1593 SYSLOG_LEVEL_INFO : options.log_level, 1664 SYSLOG_LEVEL_INFO : options.log_level,
1594 options.log_facility == SYSLOG_FACILITY_NOT_SET ? 1665 options.log_facility == SYSLOG_FACILITY_NOT_SET ?
1595 SYSLOG_FACILITY_AUTH : options.log_facility, 1666 SYSLOG_FACILITY_AUTH : options.log_facility,
1596 log_stderr || !inetd_flag); 1667 log_stderr || !inetd_flag || debug_flag);
1597 1668
1598 /* 1669 /*
1599 * Unset KRB5CCNAME, otherwise the user's session may inherit it from 1670 * Unset KRB5CCNAME, otherwise the user's session may inherit it from
@@ -1626,12 +1697,11 @@ main(int ac, char **av)
1626 */ 1697 */
1627 (void)atomicio(vwrite, startup_pipe, "\0", 1); 1698 (void)atomicio(vwrite, startup_pipe, "\0", 1);
1628 } 1699 }
1629 } 1700 } else if (strcasecmp(config_file_name, "none") != 0)
1630 else if (strcasecmp(config_file_name, "none") != 0)
1631 load_server_config(config_file_name, cfg); 1701 load_server_config(config_file_name, cfg);
1632 1702
1633 parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, 1703 parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
1634 cfg, NULL); 1704 cfg, &includes, NULL);
1635 1705
1636 /* Fill in default values for those options not explicitly set. */ 1706 /* Fill in default values for those options not explicitly set. */
1637 fill_default_server_options(&options); 1707 fill_default_server_options(&options);
@@ -1723,7 +1793,14 @@ main(int ac, char **av)
1723 &key, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR) 1793 &key, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR)
1724 do_log2(ll, "Unable to load host key \"%s\": %s", 1794 do_log2(ll, "Unable to load host key \"%s\": %s",
1725 options.host_key_files[i], ssh_err(r)); 1795 options.host_key_files[i], ssh_err(r));
1726 if (r == 0 && (r = sshkey_shield_private(key)) != 0) { 1796 if (sshkey_is_sk(key) &&
1797 key->sk_flags & SSH_SK_USER_PRESENCE_REQD) {
1798 debug("host key %s requires user presence, ignoring",
1799 options.host_key_files[i]);
1800 key->sk_flags &= ~SSH_SK_USER_PRESENCE_REQD;
1801 }
1802 if (r == 0 && key != NULL &&
1803 (r = sshkey_shield_private(key)) != 0) {
1727 do_log2(ll, "Unable to shield host key \"%s\": %s", 1804 do_log2(ll, "Unable to shield host key \"%s\": %s",
1728 options.host_key_files[i], ssh_err(r)); 1805 options.host_key_files[i], ssh_err(r));
1729 sshkey_free(key); 1806 sshkey_free(key);
@@ -1760,6 +1837,8 @@ main(int ac, char **av)
1760 case KEY_DSA: 1837 case KEY_DSA:
1761 case KEY_ECDSA: 1838 case KEY_ECDSA:
1762 case KEY_ED25519: 1839 case KEY_ED25519:
1840 case KEY_ECDSA_SK:
1841 case KEY_ED25519_SK:
1763 case KEY_XMSS: 1842 case KEY_XMSS:
1764 if (have_agent || key != NULL) 1843 if (have_agent || key != NULL)
1765 sensitive_data.have_ssh2_key = 1; 1844 sensitive_data.have_ssh2_key = 1;
@@ -1848,7 +1927,7 @@ main(int ac, char **av)
1848 if (connection_info == NULL) 1927 if (connection_info == NULL)
1849 connection_info = get_connection_info(ssh, 0, 0); 1928 connection_info = get_connection_info(ssh, 0, 0);
1850 connection_info->test = 1; 1929 connection_info->test = 1;
1851 parse_server_match_config(&options, connection_info); 1930 parse_server_match_config(&options, &includes, connection_info);
1852 dump_config(&options); 1931 dump_config(&options);
1853 } 1932 }
1854 1933
@@ -1877,6 +1956,7 @@ main(int ac, char **av)
1877 rexec_argv[rexec_argc] = "-R"; 1956 rexec_argv[rexec_argc] = "-R";
1878 rexec_argv[rexec_argc + 1] = NULL; 1957 rexec_argv[rexec_argc + 1] = NULL;
1879 } 1958 }
1959 listener_proctitle = prepare_proctitle(ac, av);
1880 1960
1881 /* Ensure that umask disallows at least group and world write */ 1961 /* Ensure that umask disallows at least group and world write */
1882 new_umask = umask(0077) | 0022; 1962 new_umask = umask(0077) | 0022;
@@ -1909,7 +1989,7 @@ main(int ac, char **av)
1909 error("chdir(\"/\"): %s", strerror(errno)); 1989 error("chdir(\"/\"): %s", strerror(errno));
1910 1990
1911 /* ignore SIGPIPE */ 1991 /* ignore SIGPIPE */
1912 signal(SIGPIPE, SIG_IGN); 1992 ssh_signal(SIGPIPE, SIG_IGN);
1913 1993
1914 /* Get a connection, either from inetd or a listening TCP socket */ 1994 /* Get a connection, either from inetd or a listening TCP socket */
1915 if (inetd_flag) { 1995 if (inetd_flag) {
@@ -1918,10 +1998,10 @@ main(int ac, char **av)
1918 platform_pre_listen(); 1998 platform_pre_listen();
1919 server_listen(); 1999 server_listen();
1920 2000
1921 signal(SIGHUP, sighup_handler); 2001 ssh_signal(SIGHUP, sighup_handler);
1922 signal(SIGCHLD, main_sigchld_handler); 2002 ssh_signal(SIGCHLD, main_sigchld_handler);
1923 signal(SIGTERM, sigterm_handler); 2003 ssh_signal(SIGTERM, sigterm_handler);
1924 signal(SIGQUIT, sigterm_handler); 2004 ssh_signal(SIGQUIT, sigterm_handler);
1925 2005
1926 /* 2006 /*
1927 * Write out the pid file after the sigterm handler 2007 * Write out the pid file after the sigterm handler
@@ -2011,12 +2091,12 @@ main(int ac, char **av)
2011 * will not restart on SIGHUP since it no longer makes sense. 2091 * will not restart on SIGHUP since it no longer makes sense.
2012 */ 2092 */
2013 alarm(0); 2093 alarm(0);
2014 signal(SIGALRM, SIG_DFL); 2094 ssh_signal(SIGALRM, SIG_DFL);
2015 signal(SIGHUP, SIG_DFL); 2095 ssh_signal(SIGHUP, SIG_DFL);
2016 signal(SIGTERM, SIG_DFL); 2096 ssh_signal(SIGTERM, SIG_DFL);
2017 signal(SIGQUIT, SIG_DFL); 2097 ssh_signal(SIGQUIT, SIG_DFL);
2018 signal(SIGCHLD, SIG_DFL); 2098 ssh_signal(SIGCHLD, SIG_DFL);
2019 signal(SIGINT, SIG_DFL); 2099 ssh_signal(SIGINT, SIG_DFL);
2020 2100
2021 /* 2101 /*
2022 * Register our connection. This turns encryption off because we do 2102 * Register our connection. This turns encryption off because we do
@@ -2077,7 +2157,7 @@ main(int ac, char **av)
2077 * mode; it is just annoying to have the server exit just when you 2157 * mode; it is just annoying to have the server exit just when you
2078 * are about to discover the bug. 2158 * are about to discover the bug.
2079 */ 2159 */
2080 signal(SIGALRM, grace_alarm_handler); 2160 ssh_signal(SIGALRM, grace_alarm_handler);
2081 if (!debug_flag) 2161 if (!debug_flag)
2082 alarm(options.login_grace_time); 2162 alarm(options.login_grace_time);
2083 2163
@@ -2135,7 +2215,7 @@ main(int ac, char **av)
2135 * authentication. 2215 * authentication.
2136 */ 2216 */
2137 alarm(0); 2217 alarm(0);
2138 signal(SIGALRM, SIG_DFL); 2218 ssh_signal(SIGALRM, SIG_DFL);
2139 authctxt->authenticated = 1; 2219 authctxt->authenticated = 1;
2140 if (startup_pipe != -1) { 2220 if (startup_pipe != -1) {
2141 close(startup_pipe); 2221 close(startup_pipe);
@@ -2212,17 +2292,19 @@ sshd_hostkey_sign(struct ssh *ssh, struct sshkey *privkey,
2212 if (use_privsep) { 2292 if (use_privsep) {
2213 if (privkey) { 2293 if (privkey) {
2214 if (mm_sshkey_sign(ssh, privkey, signature, slenp, 2294 if (mm_sshkey_sign(ssh, privkey, signature, slenp,
2215 data, dlen, alg, ssh->compat) < 0) 2295 data, dlen, alg, options.sk_provider,
2296 ssh->compat) < 0)
2216 fatal("%s: privkey sign failed", __func__); 2297 fatal("%s: privkey sign failed", __func__);
2217 } else { 2298 } else {
2218 if (mm_sshkey_sign(ssh, pubkey, signature, slenp, 2299 if (mm_sshkey_sign(ssh, pubkey, signature, slenp,
2219 data, dlen, alg, ssh->compat) < 0) 2300 data, dlen, alg, options.sk_provider,
2301 ssh->compat) < 0)
2220 fatal("%s: pubkey sign failed", __func__); 2302 fatal("%s: pubkey sign failed", __func__);
2221 } 2303 }
2222 } else { 2304 } else {
2223 if (privkey) { 2305 if (privkey) {
2224 if (sshkey_sign(privkey, signature, slenp, data, dlen, 2306 if (sshkey_sign(privkey, signature, slenp, data, dlen,
2225 alg, ssh->compat) < 0) 2307 alg, options.sk_provider, ssh->compat) < 0)
2226 fatal("%s: privkey sign failed", __func__); 2308 fatal("%s: privkey sign failed", __func__);
2227 } else { 2309 } else {
2228 if ((r = ssh_agent_sign(auth_sock, pubkey, 2310 if ((r = ssh_agent_sign(auth_sock, pubkey,