From 5a9d0eaba699968ae29bf560e4546d09edcb440d Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Thu, 4 Jul 2002 00:12:53 +0000 Subject: - deraadt@cvs.openbsd.org 2002/06/30 21:54:16 [auth2.c session.c sshd.c] lint asks that we use names that do not overlap --- auth2.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'auth2.c') diff --git a/auth2.c b/auth2.c index 6dfd91f74..eea381d95 100644 --- a/auth2.c +++ b/auth2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.93 2002/05/31 11:35:15 markus Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.94 2002/06/30 21:54:16 deraadt Exp $"); #include "ssh2.h" #include "xmalloc.h" @@ -102,7 +102,7 @@ input_service_request(int type, u_int32_t seq, void *ctxt) { Authctxt *authctxt = ctxt; u_int len; - int accept = 0; + int acceptit = 0; char *service = packet_get_string(&len); packet_check_eom(); @@ -111,14 +111,14 @@ input_service_request(int type, u_int32_t seq, void *ctxt) if (strcmp(service, "ssh-userauth") == 0) { if (!authctxt->success) { - accept = 1; + acceptit = 1; /* now we can handle user-auth requests */ dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request); } } /* XXX all other service requests are denied */ - if (accept) { + if (acceptit) { packet_start(SSH2_MSG_SERVICE_ACCEPT); packet_put_cstring(service); packet_send(); -- cgit v1.2.3 From e06eb68226061e1b6e369f4aebe3b3c07ce1f2c7 Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Thu, 4 Jul 2002 00:27:21 +0000 Subject: - (bal) Failed password attempts don't increment counter on AIX. Bug #145 --- ChangeLog | 5 +++-- auth.c | 8 ++++++++ auth1.c | 6 ------ auth2.c | 6 ------ 4 files changed, 11 insertions(+), 14 deletions(-) (limited to 'auth2.c') diff --git a/ChangeLog b/ChangeLog index 1e5ce7adf..e9021d452 100644 --- a/ChangeLog +++ b/ChangeLog @@ -56,7 +56,8 @@ /etc/ssh/ssh_config and exit if HostbasedAuthentication is disabled globally. based on discussions with deraadt, itojun and sommerfeld; ok itojun@ - + - (bal) Failed password attempts don't increment counter on AIX. Bug #145 + 20020702 - (djm) Use PAM_MSG_MEMBER for PAM_TEXT_INFO messages, use xmalloc & friends consistently. Spotted by Solar Designer @@ -1264,4 +1265,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2329 2002/07/04 00:19:40 mouring Exp $ +$Id: ChangeLog,v 1.2330 2002/07/04 00:27:21 mouring Exp $ diff --git a/auth.c b/auth.c index 066b50d6b..693826a93 100644 --- a/auth.c +++ b/auth.c @@ -256,6 +256,14 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) get_remote_ipaddr(), get_remote_port(), info); + +#ifdef WITH_AIXAUTHENTICATE + if (authenticated == 0 && strcmp(method, "password") == 0) + loginfailed(authctxt->user, + get_canonical_hostname(options.verify_reverse_mapping), + "ssh"); +#endif /* WITH_AIXAUTHENTICATE */ + } /* diff --git a/auth1.c b/auth1.c index 2ebc8d039..769fa306f 100644 --- a/auth1.c +++ b/auth1.c @@ -323,12 +323,6 @@ do_authloop(Authctxt *authctxt) return; if (authctxt->failures++ > AUTH_FAIL_MAX) { -#ifdef WITH_AIXAUTHENTICATE - /* XXX: privsep */ - loginfailed(authctxt->user, - get_canonical_hostname(options.verify_reverse_mapping), - "ssh"); -#endif /* WITH_AIXAUTHENTICATE */ packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } diff --git a/auth2.c b/auth2.c index eea381d95..3b47a6d0a 100644 --- a/auth2.c +++ b/auth2.c @@ -232,12 +232,6 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) authctxt->success = 1; } else { if (authctxt->failures++ > AUTH_FAIL_MAX) { -#ifdef WITH_AIXAUTHENTICATE - /* XXX: privsep */ - loginfailed(authctxt->user, - get_canonical_hostname(options.verify_reverse_mapping), - "ssh"); -#endif /* WITH_AIXAUTHENTICATE */ packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } methods = authmethods_get(); -- cgit v1.2.3 From de6f2de8ad528cd8cdfb4b4dc5de9e7ba086c957 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 4 Sep 2002 16:37:26 +1000 Subject: - markus@cvs.openbsd.org 2002/08/22 21:33:58 [auth1.c auth2.c] auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325 --- ChangeLog | 6 +++++- auth1.c | 5 +++-- auth2.c | 5 +++-- 3 files changed, 11 insertions(+), 5 deletions(-) (limited to 'auth2.c') diff --git a/ChangeLog b/ChangeLog index 1c00c95ca..07699b017 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,10 @@ - stevesk@cvs.openbsd.org 2002/08/22 20:57:19 [ssh-agent.c] shutdown(SHUT_RDWR) not needed before close here; ok markus@ + - markus@cvs.openbsd.org 2002/08/22 21:33:58 + [auth1.c auth2.c] + auth_root_allowed() is handled by the monitor in the privsep case, + so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325 20020820 - OpenBSD CVS Sync @@ -1564,4 +1568,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2433 2002/09/04 06:33:31 djm Exp $ +$Id: ChangeLog,v 1.2434 2002/09/04 06:37:26 djm Exp $ diff --git a/auth1.c b/auth1.c index 769fa306f..17342a658 100644 --- a/auth1.c +++ b/auth1.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.41 2002/06/19 00:27:55 deraadt Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.42 2002/08/22 21:33:58 markus Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -301,7 +301,8 @@ do_authloop(Authctxt *authctxt) } #else /* Special handling for root */ - if (authenticated && authctxt->pw->pw_uid == 0 && + if (!use_privsep && + authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(get_authname(type))) authenticated = 0; #endif diff --git a/auth2.c b/auth2.c index 3b47a6d0a..1cb9769ff 100644 --- a/auth2.c +++ b/auth2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.94 2002/06/30 21:54:16 deraadt Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.95 2002/08/22 21:33:58 markus Exp $"); #include "ssh2.h" #include "xmalloc.h" @@ -205,7 +205,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) authctxt->user); /* Special handling for root */ - if (authenticated && authctxt->pw->pw_uid == 0 && + if (!use_privsep && + authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(method)) authenticated = 0; -- cgit v1.2.3 From 81ed518b9b888502cc57b23c02c47634ca508748 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Wed, 25 Sep 2002 17:38:46 -0700 Subject: Cray fixes (bug 367) based on patch from Wendy Palm @ cray. This does not include the deattack.c fixes. --- ChangeLog | 4 +++- acconfig.h | 5 ++++- auth1.c | 9 +++++++++ auth2.c | 11 +++++++++++ configure.ac | 7 ++++--- defines.h | 14 +++++++------- includes.h | 8 ++++++++ loginrec.c | 6 +++--- openbsd-compat/bsd-cray.c | 4 ++-- openbsd-compat/bsd-cray.h | 4 ++-- serverloop.c | 2 ++ session.c | 27 ++++++++++++++++++++++++++- sshd.c | 2 +- sshpty.c | 8 ++++---- 14 files changed, 86 insertions(+), 25 deletions(-) (limited to 'auth2.c') diff --git a/ChangeLog b/ChangeLog index a42c010af..24074d183 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20020925 - (bal) Fix issue where successfull login does not clear failure counts in AIX. Patch by dtucker@zip.com.au ok by djm + - (tim) Cray fixes (bug 367) based on patch from Wendy Palm @ cray. + This does not include the deattack.c fixes. 20020923 - (djm) OpenBSD CVS Sync @@ -719,4 +721,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2481 2002/09/25 23:14:14 mouring Exp $ +$Id: ChangeLog,v 1.2482 2002/09/26 00:38:46 tim Exp $ diff --git a/acconfig.h b/acconfig.h index f8fc650d7..3e058f3ea 100644 --- a/acconfig.h +++ b/acconfig.h @@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.144 2002/07/14 20:36:50 tim Exp $ */ +/* $Id: acconfig.h,v 1.145 2002/09/26 00:38:48 tim Exp $ */ #ifndef _CONFIG_H #define _CONFIG_H @@ -150,6 +150,9 @@ /* Define if you don't want to use lastlog */ #undef DISABLE_LASTLOG +/* Define if you don't want to use lastlog in session.c */ +#undef NO_SSH_LASTLOG + /* Define if you don't want to use utmp */ #undef DISABLE_UTMP diff --git a/auth1.c b/auth1.c index 4d2b92a22..676c8a667 100644 --- a/auth1.c +++ b/auth1.c @@ -304,6 +304,15 @@ do_authloop(Authctxt *authctxt) fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); +#ifdef _UNICOS + if (type == SSH_CMSG_AUTH_PASSWORD && !authenticated) + cray_login_failure(authctxt->user, IA_UDBERR); + if (authenticated && cray_access_denied(authctxt->user)) { + authenticated = 0; + fatal("Access denied for user %s.",authctxt->user); + } +#endif /* _UNICOS */ + #ifdef HAVE_CYGWIN if (authenticated && !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, pw)) { diff --git a/auth2.c b/auth2.c index 1cb9769ff..17c58552a 100644 --- a/auth2.c +++ b/auth2.c @@ -216,6 +216,13 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) authenticated = 0; #endif /* USE_PAM */ +#ifdef _UNICOS + if (authenticated && cray_access_denied(authctxt->user)) { + authenticated = 0; + fatal("Access denied for user %s.",authctxt->user); + } +#endif /* _UNICOS */ + /* Log before sending the reply */ auth_log(authctxt, authenticated, method, " ssh2"); @@ -235,6 +242,10 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } +#ifdef _UNICOS + if (strcmp(method, "password") == 0) + cray_login_failure(authctxt->user, IA_UDBERR); +#endif /* _UNICOS */ methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); diff --git a/configure.ac b/configure.ac index f88d993e6..5fe50e56b 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.88 2002/09/23 23:54:12 tim Exp $ +# $Id: configure.ac,v 1.89 2002/09/26 00:38:47 tim Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -303,6 +303,7 @@ mips-sony-bsd|mips-sony-newsos4) no_libnsl=1 AC_DEFINE(USE_PIPES) AC_DEFINE(DISABLE_FD_PASSING) + AC_DEFINE(NO_SSH_LASTLOG) LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal" LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm" MANTYPE=cat @@ -376,14 +377,14 @@ AC_ARG_WITH(libs, # Checks for header files. AC_CHECK_HEADERS(bstring.h crypt.h endian.h floatingpoint.h \ - getopt.h glob.h lastlog.h limits.h login.h \ + getopt.h glob.h ia.h lastlog.h limits.h login.h \ login_cap.h maillock.h netdb.h netgroup.h \ netinet/in_systm.h paths.h pty.h readpassphrase.h \ rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ strings.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \ sys/mman.h sys/select.h sys/stat.h \ sys/stropts.h sys/sysmacros.h sys/time.h \ - sys/un.h time.h ttyent.h usersec.h \ + sys/un.h time.h tmpdir.h ttyent.h usersec.h \ util.h utime.h utmp.h utmpx.h) # Checks for libraries. diff --git a/defines.h b/defines.h index 42b12e9a4..ab19a077c 100644 --- a/defines.h +++ b/defines.h @@ -1,7 +1,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.95 2002/08/21 02:54:12 mouring Exp $ */ +/* $Id: defines.h,v 1.96 2002/09/26 00:38:48 tim Exp $ */ /* Constants */ @@ -124,7 +124,7 @@ typedef char int8_t; # if (SIZEOF_SHORT_INT == 2) typedef short int int16_t; # else -# if defined(_CRAY) && !defined(_CRAYSV2) +# ifdef _UNICOS # if (SIZEOF_SHORT_INT == 4) typedef short int16_t; # else @@ -132,16 +132,16 @@ typedef long int16_t; # endif # else # error "16 bit int type not found." -# endif /* _CRAY */ +# endif /* _UNICOS */ # endif # if (SIZEOF_INT == 4) typedef int int32_t; # else -# if defined(_CRAY) && !defined(_CRAYSV2) +# ifdef _UNICOS typedef long int32_t; # else # error "32 bit int type not found." -# endif /* _CRAY */ +# endif /* _UNICOS */ # endif #endif @@ -161,7 +161,7 @@ typedef unsigned char u_int8_t; # if (SIZEOF_SHORT_INT == 2) typedef unsigned short int u_int16_t; # else -# if defined(_CRAY) && !defined(_CRAYSV2) +# ifdef _UNICOS # if (SIZEOF_SHORT_INT == 4) typedef unsigned short u_int16_t; # else @@ -174,7 +174,7 @@ typedef unsigned long u_int16_t; # if (SIZEOF_INT == 4) typedef unsigned int u_int32_t; # else -# if defined(_CRAY) && !defined(_CRAYSV2) +# ifdef _UNICOS typedef unsigned long u_int32_t; # else # error "32 bit int type not found." diff --git a/includes.h b/includes.h index f6aa2ae67..d7b875c52 100644 --- a/includes.h +++ b/includes.h @@ -149,6 +149,14 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg } # include #endif +#ifdef HAVE_IA_H +# include +#endif + +#ifdef HAVE_TMPDIR_H +# include +#endif + #include /* For OPENSSL_VERSION_NUMBER */ #include "defines.h" diff --git a/loginrec.c b/loginrec.c index 6dc608a4e..02c3106a3 100644 --- a/loginrec.c +++ b/loginrec.c @@ -163,7 +163,7 @@ #include "log.h" #include "atomicio.h" -RCSID("$Id: loginrec.c,v 1.43 2002/07/22 23:34:25 mouring Exp $"); +RCSID("$Id: loginrec.c,v 1.44 2002/09/26 00:38:49 tim Exp $"); #ifdef HAVE_UTIL_H # include @@ -622,13 +622,13 @@ construct_utmp(struct logininfo *li, switch (li->type) { case LTYPE_LOGIN: ut->ut_type = USER_PROCESS; -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS cray_set_tmpdir(ut); #endif break; case LTYPE_LOGOUT: ut->ut_type = DEAD_PROCESS; -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS cray_retain_utmp(ut, li->pid); #endif break; diff --git a/openbsd-compat/bsd-cray.c b/openbsd-compat/bsd-cray.c index 8a14b0807..edb3112b3 100644 --- a/openbsd-compat/bsd-cray.c +++ b/openbsd-compat/bsd-cray.c @@ -1,5 +1,5 @@ /* - * $Id: bsd-cray.c,v 1.7 2002/07/23 21:00:18 mouring Exp $ + * $Id: bsd-cray.c,v 1.8 2002/09/26 00:38:51 tim Exp $ * * bsd-cray.c * @@ -34,7 +34,7 @@ * on UNICOS systems. * */ -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS #include #include diff --git a/openbsd-compat/bsd-cray.h b/openbsd-compat/bsd-cray.h index 0b75b2268..8868b4364 100644 --- a/openbsd-compat/bsd-cray.h +++ b/openbsd-compat/bsd-cray.h @@ -1,5 +1,5 @@ /* - * $Id: bsd-cray.h,v 1.4 2002/07/23 21:00:18 mouring Exp $ + * $Id: bsd-cray.h,v 1.5 2002/09/26 00:38:51 tim Exp $ * * bsd-cray.h * @@ -37,7 +37,7 @@ #ifndef _BSD_CRAY_H #define _BSD_CRAY_H -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS void cray_init_job(struct passwd *); /* init cray job */ void cray_job_termination_handler(int); /* process end of job signal */ void cray_login_failure(char *username, int errcode); diff --git a/serverloop.c b/serverloop.c index 5112de680..58e20dfb9 100644 --- a/serverloop.c +++ b/serverloop.c @@ -144,7 +144,9 @@ sigchld_handler(int sig) int save_errno = errno; debug("Received SIGCHLD."); child_terminated = 1; +#ifndef _UNICOS mysignal(SIGCHLD, sigchld_handler); +#endif notify_parent(); errno = save_errno; } diff --git a/session.c b/session.c index 0ccd2006d..9074525a4 100644 --- a/session.c +++ b/session.c @@ -512,10 +512,17 @@ do_exec_no_pty(Session *s, const char *command) perror("dup2 stderr"); #endif /* USE_PIPES */ +#ifdef _UNICOS + cray_init_job(s->pw); /* set up cray jid and tmpdir */ +#endif + /* Do processing for the child (exec command etc). */ do_child(s, command); /* NOTREACHED */ } +#ifdef _UNICOS + signal(WJSIGNAL, cray_job_termination_handler); +#endif /* _UNICOS */ #ifdef HAVE_CYGWIN if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); @@ -603,8 +610,12 @@ do_exec_pty(Session *s, const char *command) /* record login, etc. similar to login(1) */ #ifndef HAVE_OSF_SIA - if (!(options.use_login && command == NULL)) + if (!(options.use_login && command == NULL)) { +#ifdef _UNICOS + cray_init_job(s->pw); /* set up cray jid and tmpdir */ +#endif /* _UNICOS */ do_login(s, command); + } # ifdef LOGIN_NEEDS_UTMPX else do_pre_login(s); @@ -615,6 +626,9 @@ do_exec_pty(Session *s, const char *command) do_child(s, command); /* NOTREACHED */ } +#ifdef _UNICOS + signal(WJSIGNAL, cray_job_termination_handler); +#endif /* _UNICOS */ #ifdef HAVE_CYGWIN if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); @@ -755,6 +769,7 @@ do_login(Session *s, const char *command) printf("%s\n", aixloginmsg); #endif /* WITH_AIXAUTHENTICATE */ +#ifndef NO_SSH_LASTLOG if (options.print_lastlog && s->last_login_time != 0) { time_string = ctime(&s->last_login_time); if (strchr(time_string, '\n')) @@ -765,6 +780,7 @@ do_login(Session *s, const char *command) printf("Last login: %s from %s\r\n", time_string, s->hostname); } +#endif /* NO_SSH_LASTLOG */ do_motd(); } @@ -1024,6 +1040,11 @@ do_setup_env(Session *s, const char *shell) child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", original_command); +#ifdef _UNICOS + if (cray_tmpdir[0] != '\0') + child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir); +#endif /* _UNICOS */ + #ifdef _AIX { char *cp; @@ -1275,6 +1296,10 @@ do_child(Session *s, const char *command) if (options.use_login && command != NULL) options.use_login = 0; +#ifdef _UNICOS + cray_setup(pw->pw_uid, pw->pw_name, command); +#endif /* _UNICOS */ + /* * Login(1) does this as well, and it needs uid 0 for the "-h" * switch, so we let login(1) to this for us. diff --git a/sshd.c b/sshd.c index 17f001669..37026dc2e 100644 --- a/sshd.c +++ b/sshd.c @@ -940,7 +940,7 @@ main(int ac, char **av) SYSLOG_FACILITY_AUTH : options.log_facility, !inetd_flag); -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS /* Cray can define user privs drop all prives now! * Not needed on PRIV_SU systems! */ diff --git a/sshpty.c b/sshpty.c index e3027ca2e..28d0e310c 100644 --- a/sshpty.c +++ b/sshpty.c @@ -162,7 +162,7 @@ pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen) } return 1; #else /* HAVE_DEV_PTS_AND_PTC */ -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS char buf[64]; int i; int highpty; @@ -268,7 +268,7 @@ pty_make_controlling_tty(int *ttyfd, const char *ttyname) void *old; #endif /* USE_VHANGUP */ -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS if (setsid() < 0) error("setsid: %.100s", strerror(errno)); @@ -290,7 +290,7 @@ pty_make_controlling_tty(int *ttyfd, const char *ttyname) error("%.100s: %.100s", ttyname, strerror(errno)); close(*ttyfd); *ttyfd = fd; -#else /* _CRAY */ +#else /* _UNICOS */ /* First disconnect from the old controlling tty. */ #ifdef TIOCNOTTY @@ -345,7 +345,7 @@ pty_make_controlling_tty(int *ttyfd, const char *ttyname) strerror(errno)); else close(fd); -#endif /* _CRAY */ +#endif /* _UNICOS */ } /* Changes the window size associated with the pty. */ -- cgit v1.2.3