From 83b581862a1dbb06fc859959f829dde2654aef3c Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 19 Aug 2016 03:18:06 +0000 Subject: upstream commit remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712 --- monitor.c | 5 +- servconf.c | 14 ++--- servconf.h | 3 +- session.c | 171 +++++++++++++++++++++------------------------------------- sshd.8 | 7 +-- sshd.c | 4 +- sshd_config.5 | 26 +-------- 7 files changed, 72 insertions(+), 158 deletions(-) diff --git a/monitor.c b/monitor.c index 59b05a98f..a86b77936 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.162 2016/08/13 17:47:41 markus Exp $ */ +/* $OpenBSD: monitor.c,v 1.163 2016/08/19 03:18:06 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -1395,9 +1395,6 @@ mm_record_login(Session *s, struct passwd *pw) socklen_t fromlen; struct sockaddr_storage from; - if (options.use_login) - return; - /* * Get IP address of client. If the connection is not a socket, let * the address be 0.0.0.0. diff --git a/servconf.c b/servconf.c index 9bd659c41..8a4a7091a 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.293 2016/08/15 12:27:56 naddy Exp $ */ +/* $OpenBSD: servconf.c,v 1.294 2016/08/19 03:18:06 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -120,7 +120,6 @@ initialize_server_options(ServerOptions *options) options->challenge_response_authentication = -1; options->permit_empty_passwd = -1; options->permit_user_env = -1; - options->use_login = -1; options->compression = -1; options->rekey_limit = -1; options->rekey_interval = -1; 
@@ -281,8 +280,6 @@ fill_default_server_options(ServerOptions *options) options->permit_empty_passwd = 0; if (options->permit_user_env == -1) options->permit_user_env = 0; - if (options->use_login == -1) - options->use_login = 0; if (options->compression == -1) options->compression = COMP_DELAYED; if (options->rekey_limit == -1) @@ -397,7 +394,7 @@ typedef enum { sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, - sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, + sPermitUserEnvironment, sAllowTcpForwarding, sCompression, sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile, sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, @@ -508,7 +505,7 @@ static struct { { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, - { "uselogin", sUseLogin, SSHCFG_GLOBAL }, + { "uselogin", sDeprecated, SSHCFG_GLOBAL }, { "compression", sCompression, SSHCFG_GLOBAL }, { "rekeylimit", sRekeyLimit, SSHCFG_ALL }, { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, @@ -1283,10 +1280,6 @@ process_server_config_line(ServerOptions *options, char *line, intptr = &options->permit_user_env; goto parse_flag; - case sUseLogin: - intptr = &options->use_login; - goto parse_flag; - case sCompression: intptr = &options->compression; multistate_ptr = multistate_compression; @@ -2261,7 +2254,6 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); - dump_cfg_fmtint(sUseLogin, o->use_login); dump_cfg_fmtint(sCompression, o->compression); dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); dump_cfg_fmtint(sUseDNS, o->use_dns); 
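Review bot: The `uselogin` entry in the keyword table (hunk @@ -508) now maps to `sDeprecated` with no comment explaining why the keyword is kept, while the sshd_config.5 hunk of this commit removes its documentation entirely. A host whose configuration still sets `UseLogin yes` will presumably keep starting, but without login(1) managing sessions, so anything the administrator relied on login(1) to enforce or record is lost. How visibly that is reported depends on the sDeprecated handling in process_server_config_line, which is outside this hunk. I would add a comment on the entry, `/* UseLogin removed; keyword kept so existing configs still parse */`, and confirm that the deprecated path logs the option name and line.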
diff --git a/servconf.h b/servconf.h index 16b1467d2..8af460f5a 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.121 2016/08/15 12:27:56 naddy Exp $ */ +/* $OpenBSD: servconf.h,v 1.122 2016/08/19 03:18:06 djm Exp $ */ /* * Author: Tatu Ylonen @@ -121,7 +121,6 @@ typedef struct { int permit_empty_passwd; /* If false, do not permit empty * passwords. */ int permit_user_env; /* If true, read ~/.ssh/environment */ - int use_login; /* If true, login(1) is used */ int compression; /* If true, compression is allowed */ int allow_tcp_forwarding; /* One of FORWARD_* */ int allow_streamlocal_forwarding; /* One of FORWARD_* */ diff --git a/session.c b/session.c index 9bad653fc..fcfa80000 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.283 2016/08/13 17:47:41 markus Exp $ */ +/* $OpenBSD: session.c,v 1.284 2016/08/19 03:18:06 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -544,7 +544,7 @@ do_exec_pty(Session *s, const char *command) /* record login, etc. similar to login(1) */ #ifndef HAVE_OSF_SIA - if (!(options.use_login && command == NULL)) { + if (command != NULL) { #ifdef _UNICOS cray_init_job(s->pw); /* set up cray jid and tmpdir */ #endif /* _UNICOS */ 
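Review bot: The new guard `if (command != NULL) {` in do_exec_pty (session.c hunk @@ -544) is not what the old condition reduces to once UseLogin is gone. With use_login always 0, `!(options.use_login && command == NULL)` is always true, so the guarded block ran for every pty session; the new test skips it when command is NULL, which is the interactive login shell case. The comment directly above says this block records the login, so interactive sessions would likely go missing from the login accounting that auditing and incident response depend on. The fix is to drop the `if (command != NULL) {` line and its closing brace so the block runs unconditionally. The block's body continues outside the hunk, so only `cray_init_job(s->pw);` is confirmed to be inside it.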
@@ -1019,69 +1019,63 @@ do_setup_env(Session *s, const char *shell) ssh_gssapi_do_child(&env, &envsize); #endif - if (!options.use_login) { - /* Set basic environment. */ - for (i = 0; i < s->num_env; i++) - child_set_env(&env, &envsize, s->env[i].name, - s->env[i].val); + /* Set basic environment. */ + for (i = 0; i < s->num_env; i++) + child_set_env(&env, &envsize, s->env[i].name, s->env[i].val); - child_set_env(&env, &envsize, "USER", pw->pw_name); - child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); + child_set_env(&env, &envsize, "USER", pw->pw_name); + child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); #ifdef _AIX - child_set_env(&env, &envsize, "LOGIN", pw->pw_name); + child_set_env(&env, &envsize, "LOGIN", pw->pw_name); #endif - child_set_env(&env, &envsize, "HOME", pw->pw_dir); + child_set_env(&env, &envsize, "HOME", pw->pw_dir); #ifdef HAVE_LOGIN_CAP - if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0) - child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); - else - child_set_env(&env, &envsize, "PATH", getenv("PATH")); + if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0) + child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); + else + child_set_env(&env, &envsize, "PATH", getenv("PATH")); #else /* HAVE_LOGIN_CAP */ # ifndef HAVE_CYGWIN - /* - * There's no standard path on Windows. The path contains - * important components pointing to the system directories, - * needed for loading shared libraries. So the path better - * remains intact here. - */ + /* + * There's no standard path on Windows. The path contains + * important components pointing to the system directories, + * needed for loading shared libraries. So the path better + * remains intact here. 
+ */ # ifdef HAVE_ETC_DEFAULT_LOGIN - read_etc_default_login(&env, &envsize, pw->pw_uid); - path = child_get_env(env, "PATH"); + read_etc_default_login(&env, &envsize, pw->pw_uid); + path = child_get_env(env, "PATH"); # endif /* HAVE_ETC_DEFAULT_LOGIN */ - if (path == NULL || *path == '\0') { - child_set_env(&env, &envsize, "PATH", - s->pw->pw_uid == 0 ? - SUPERUSER_PATH : _PATH_STDPATH); - } + if (path == NULL || *path == '\0') { + child_set_env(&env, &envsize, "PATH", + s->pw->pw_uid == 0 ? SUPERUSER_PATH : _PATH_STDPATH); + } # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ - snprintf(buf, sizeof buf, "%.200s/%.50s", - _PATH_MAILDIR, pw->pw_name); - child_set_env(&env, &envsize, "MAIL", buf); + snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); + child_set_env(&env, &envsize, "MAIL", buf); + + /* Normal systems set SHELL by default. */ + child_set_env(&env, &envsize, "SHELL", shell); - /* Normal systems set SHELL by default. */ - child_set_env(&env, &envsize, "SHELL", shell); - } if (getenv("TZ")) child_set_env(&env, &envsize, "TZ", getenv("TZ")); /* Set custom environment options from RSA authentication. */ - if (!options.use_login) { - while (custom_environment) { - struct envstring *ce = custom_environment; - char *str = ce->s; - - for (i = 0; str[i] != '=' && str[i]; i++) - ; - if (str[i] == '=') { - str[i] = 0; - child_set_env(&env, &envsize, str, str + i + 1); - } - custom_environment = ce->next; - free(ce->s); - free(ce); + while (custom_environment) { + struct envstring *ce = custom_environment; + char *str = ce->s; + + for (i = 0; str[i] != '=' && str[i]; i++) + ; + if (str[i] == '=') { + str[i] = 0; + child_set_env(&env, &envsize, str, str + i + 1); } + custom_environment = ce->next; + free(ce->s); + free(ce); } /* SSH_CLIENT deprecated */ 
@@ -1143,7 +1137,7 @@ do_setup_env(Session *s, const char *shell) * Pull in any environment variables that may have * been set by PAM. */ - if (options.use_pam && !options.use_login) { + if (options.use_pam) { char **p; p = fetch_pam_child_environment(); @@ -1161,7 +1155,7 @@ do_setup_env(Session *s, const char *shell) auth_sock_name); /* read $HOME/.ssh/environment. */ - if (options.permit_user_env && !options.use_login) { + if (options.permit_user_env) { snprintf(buf, sizeof buf, "%.200s/.ssh/environment", strcmp(pw->pw_dir, "/") ? pw->pw_dir : ""); read_environment_file(&env, &envsize, buf); @@ -1442,27 +1436,6 @@ do_pwchange(Session *s) exit(1); } -static void -launch_login(struct passwd *pw, const char *hostname) -{ - /* Launch login(1). */ - - execl(LOGIN_PROGRAM, "login", "-h", hostname, -#ifdef xxxLOGIN_NEEDS_TERM - (s->term ? s->term : "unknown"), -#endif /* LOGIN_NEEDS_TERM */ -#ifdef LOGIN_NO_ENDOPT - "-p", "-f", pw->pw_name, (char *)NULL); -#else - "-p", "-f", "--", pw->pw_name, (char *)NULL); -#endif - - /* Login couldn't be executed, die. */ - - perror("login"); - exit(1); -} - static void child_close_fds(void) { @@ -1510,11 +1483,10 @@ child_close_fds(void) void do_child(Session *s, const char *command) { - struct ssh *ssh = active_state; /* XXX */ extern char **environ; char **env; char *argv[ARGV_MAX]; - const char *shell, *shell0, *hostname = NULL; + const char *shell, *shell0; struct passwd *pw = s->pw; int r = 0; @@ -1529,10 +1501,6 @@ do_child(Session *s, const char *command) exit(1); } - /* login(1) is only called if we execute the login shell */ - if (options.use_login && command != NULL) - options.use_login = 0; - #ifdef _UNICOS cray_setup(pw->pw_uid, pw->pw_name, command); #endif /* _UNICOS */ 
@@ -1541,28 +1509,26 @@ do_child(Session *s, const char *command) * Login(1) does this as well, and it needs uid 0 for the "-h" * switch, so we let login(1) to this for us. */ - if (!options.use_login) { #ifdef HAVE_OSF_SIA - session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty); - if (!check_quietlogin(s, command)) - do_motd(); + session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty); + if (!check_quietlogin(s, command)) + do_motd(); #else /* HAVE_OSF_SIA */ - /* When PAM is enabled we rely on it to do the nologin check */ - if (!options.use_pam) - do_nologin(pw); - do_setusercontext(pw); - /* - * PAM session modules in do_setusercontext may have - * generated messages, so if this in an interactive - * login then display them too. - */ - if (!check_quietlogin(s, command)) - display_loginmsg(); + /* When PAM is enabled we rely on it to do the nologin check */ + if (!options.use_pam) + do_nologin(pw); + do_setusercontext(pw); + /* + * PAM session modules in do_setusercontext may have + * generated messages, so if this in an interactive + * login then display them too. + */ + if (!check_quietlogin(s, command)) + display_loginmsg(); #endif /* HAVE_OSF_SIA */ - } #ifdef USE_PAM - if (options.use_pam && !options.use_login && !is_pam_session_open()) { + if (options.use_pam && !is_pam_session_open()) { debug3("PAM session not opened, exiting"); display_loginmsg(); exit(254); @@ -1585,10 +1551,6 @@ do_child(Session *s, const char *command) shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); #endif - /* we have to stash the hostname before we close our socket. */ - if (options.use_login) - hostname = session_get_remote_name_or_ip(ssh, utmp_len, - options.use_dns); /* * Close the connection descriptors; note that this is the child, and * the server will still have the socket open, and it is important 
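Review bot: The comment kept as context at the top of the @@ -1541 hunk in do_child still reads `so we let login(1) to this for us`, which is stale now that the `if (!options.use_login)` guard is removed and the setup below it always runs in sshd itself. A stale comment here misstates which process does the nologin check and sets the user context, so it should be rewritten rather than left. I would replace that sentence with `Do the login-time setup here: nologin check (unless PAM handles it), user context, and any pending login messages.` The comment opens above the hunk, so its first lines are not visible here.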
@@ -1647,8 +1609,7 @@ do_child(Session *s, const char *command) closefrom(STDERR_FILENO + 1); - if (!options.use_login) - do_rc_files(s, shell); + do_rc_files(s, shell); /* restore SIGPIPE for child */ signal(SIGPIPE, SIG_DFL); @@ -1678,11 +1639,6 @@ do_child(Session *s, const char *command) fflush(NULL); - if (options.use_login) { - launch_login(pw, hostname); - /* NEVERREACHED */ - } - /* Get the last component of the shell name. */ if ((shell0 = strrchr(shell, '/')) != NULL) shell0++; @@ -2502,11 +2458,6 @@ session_setup_x11fwd(Session *s) packet_send_debug("No xauth program; cannot forward with spoofing."); return 0; } - if (options.use_login) { - packet_send_debug("X11 forwarding disabled; " - "not compatible with UseLogin=yes."); - return 0; - } if (s->display != NULL) { debug("X11 display already set."); return 0; diff --git a/sshd.8 b/sshd.8 index 148a8b923..4cf8fee48 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.285 2016/08/15 12:32:04 naddy Exp $ -.Dd $Mdocdate: August 15 2016 $ +.\" $OpenBSD: sshd.8,v 1.286 2016/08/19 03:18:06 djm Exp $ +.Dd $Mdocdate: August 19 2016 $ .Dt SSHD 8 .Os .Sh NAME @@ -504,9 +504,6 @@ Environment processing is disabled by default and is controlled via the .Cm PermitUserEnvironment option. -This option is automatically disabled if -.Cm UseLogin -is enabled. .It Cm from="pattern-list" Specifies that in addition to public key authentication, either the canonical name of the remote host or its IP address must be present in the diff --git a/sshd.c b/sshd.c index fd89acbb9..a561c7b3e 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.473 2016/08/15 12:27:56 naddy Exp $ */ +/* $OpenBSD: sshd.c,v 1.474 2016/08/19 03:18:07 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -629,7 +629,7 @@ privsep_postauth(Authctxt *authctxt) #ifdef DISABLE_FD_PASSING if (1) { #else - if (authctxt->pw->pw_uid == 0 || options.use_login) { + if (authctxt->pw->pw_uid == 0) { #endif /* File descriptor passing is broken or root login */ use_privsep = 0; diff --git a/sshd_config.5 b/sshd_config.5 index d1a5d1d33..fe3b23d6e 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.229 2016/08/15 12:32:04 naddy Exp $ -.Dd $Mdocdate: August 15 2016 $ +.\" $OpenBSD: sshd_config.5,v 1.230 2016/08/19 03:18:07 djm Exp $ +.Dd $Mdocdate: August 19 2016 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -1489,25 +1489,6 @@ and .Cm Match .Cm Host directives. -.It Cm UseLogin -Specifies whether -.Xr login 1 -is used for interactive login sessions. -The default is -.Dq no . -Note that -.Xr login 1 -is never used for remote command execution. -Note also, that if this is enabled, -.Cm X11Forwarding -will be disabled because -.Xr login 1 -does not know how to handle -.Xr xauth 1 -cookies. -If -.Cm UsePrivilegeSeparation -is specified, it will be disabled after authentication. .It Cm UsePAM Enables the Pluggable Authentication Module interface. If set to @@ -1596,9 +1577,6 @@ setting. .Pp Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, as users can always install their own forwarders. -X11 forwarding is automatically disabled if -.Cm UseLogin -is enabled. .It Cm X11UseLocalhost Specifies whether .Xr sshd 8 -- cgit v1.2.3