From af63951c5764672986576fdcd64f7fb931586c93 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 11 Jun 2003 22:51:32 +1000 Subject: - (djm) Put licenses on substantial header files --- defines.h | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) (limited to 'defines.h') diff --git a/defines.h b/defines.h index da1bef320..ec610d0db 100644 --- a/defines.h +++ b/defines.h @@ -1,7 +1,31 @@ +/* + * Copyright (c) 1999-2003 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.98 2003/04/28 23:30:43 mouring Exp $ */ +/* $Id: defines.h,v 1.99 2003/06/11 12:51:32 djm Exp $ */ /* Constants */ -- cgit v1.2.3 
From f315224d7c7ced4f012ddaef1a6b4f4bf7883b25 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 7 Aug 2003 15:58:28 +1000 Subject: - (dtucker) [defines.h] Bug #336: Add CMSG_DATA and CMSG_FIRSTHDR macros if not already defined (eg Linux with some versions of libc5), based on those from OpenBSD. --- ChangeLog | 7 +++++-- defines.h | 20 +++++++++++++++++++- 2 files changed, 24 insertions(+), 3 deletions(-) (limited to 'defines.h') diff --git a/ChangeLog b/ChangeLog index 0f2f798e1..513799d3d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,7 +2,10 @@ - (dtucker) [session.c] Have session_break_req not attempt to send a break if TIOCSBRK and TIOCCBRK are not defined (eg Cygwin). - (dtucker) [canohost.c] Bug #336: Only check ip options if IP_OPTIONS is - defined (eg really old Linux). + defined (fixes compile error on really old Linuxes). + - (dtucker) [defines.h] Bug #336: Add CMSG_DATA and CMSG_FIRSTHDR macros if + not already defined (eg Linux with some versions of libc5), based on those + from OpenBSD. 20030802 - (dtucker) [monitor.h monitor_wrap.h] Remove excess ident tags. @@ -791,4 +794,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2881 2003/08/07 03:29:04 dtucker Exp $ +$Id: ChangeLog,v 1.2882 2003/08/07 05:58:28 dtucker Exp $ diff --git a/defines.h b/defines.h index ec610d0db..3679ea549 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.99 2003/06/11 12:51:32 djm Exp $ */ +/* $Id: defines.h,v 1.100 2003/08/07 05:58:28 dtucker Exp $ */ /* Constants */ 
@@ -577,4 +577,22 @@ struct winsize { /** end of login recorder definitions */ +#ifndef CMSG_DATA +/* given pointer to struct cmsghdr, return pointer to data */ +#define CMSG_DATA(cmsg) \ + ((u_char *)(cmsg) + (((u_int)(sizeof(struct cmsghdr)) \ + (sizeof(int) - 1)) &~ (sizeof(int) - 1))) +#endif /* CMSG_DATA */ + +#ifndef CMSG_FIRSTHDR +/* + * RFC 2292 requires to check msg_controllen, in case that the kernel returns + * an empty list for some reasons. + */ +# define CMSG_FIRSTHDR(mhdr) \ + ((mhdr)->msg_controllen >= sizeof(struct cmsghdr) ? \ + (struct cmsghdr *)(mhdr)->msg_control : \ + (struct cmsghdr *)NULL) +#endif /* CMSG_FIRSTHDR */ + #endif /* _DEFINES_H */ -- cgit v1.2.3 From 8e3653d2f330a96b4aefaccac3f1031749aebd53 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 21 Aug 2003 16:49:41 +1000 Subject: - (dtucker) [defines.h] Put CMSG_DATA, CMSG_FIRSTHDR with other CMSG* macros, change CMSG_DATA to use __CMSG_ALIGN (and thus work properly), reformat for consistency. --- ChangeLog | 5 ++++- defines.h | 37 ++++++++++++++++++------------------- 2 files changed, 22 insertions(+), 20 deletions(-) (limited to 'defines.h') diff --git a/ChangeLog b/ChangeLog index 097b08f16..cf88cca4c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,9 @@ - markus@cvs.openbsd.org 2003/08/14 16:08:58 [ssh-keygen.c] exit after primetest, ok djm@ + - (dtucker) [defines.h] Put CMSG_DATA, CMSG_FIRSTHDR with other CMSG* macros, + change CMSG_DATA to use __CMSG_ALIGN (and thus work properly), reformat for + consistency. 20030813 - (dtucker) [session.c] Remove #ifdef TIOCSBRK kludge. @@ -840,4 +843,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2894 2003/08/21 06:44:07 dtucker Exp $ +$Id: ChangeLog,v 1.2895 2003/08/21 06:49:41 dtucker Exp $ diff --git a/defines.h b/defines.h index 3679ea549..b2ea15d9f 100644 --- a/defines.h +++ b/defines.h 
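Review bot: The CMSG_DATA fallback added in the defines.h hunk at -577,4 has no operator between `(u_int)(sizeof(struct cmsghdr))` and `(sizeof(int) - 1)` across the line continuation, so as shown the macro cannot compile wherever it is expanded (the leading `+` on that line is the diff marker, not an addition). The intended round-up appears to be `(((u_int)sizeof(struct cmsghdr) + (sizeof(int) - 1)) & ~(sizeof(int) - 1))`. Even with the operator restored, rounding to `sizeof(int)` assumes the platform's control-message alignment; if the kernel pads the header differently, CMSG_DATA points into padding rather than at the passed descriptor. Reusing the alignment macro that this file's other CMSG_* fallbacks rely on would be safer, and a comment should state the alignment assumption.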
@@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.100 2003/08/07 05:58:28 dtucker Exp $ */ +/* $Id: defines.h,v 1.101 2003/08/21 06:49:41 dtucker Exp $ */ /* Constants */ @@ -437,6 +437,23 @@ struct winsize { #define CMSG_SPACE(len) (__CMSG_ALIGN(sizeof(struct cmsghdr)) + __CMSG_ALIGN(len)) #endif +/* given pointer to struct cmsghdr, return pointer to data */ +#ifndef CMSG_DATA +#define CMSG_DATA(cmsg) ((u_char *)(cmsg) + __CMSG_ALIGN(sizeof(struct cmsghdr))) +#endif /* CMSG_DATA */ + +/* + * RFC 2292 requires to check msg_controllen, in case that the kernel returns + * an empty list for some reasons. + */ +#ifndef CMSG_FIRSTHDR +#define CMSG_FIRSTHDR(mhdr) \ + ((mhdr)->msg_controllen >= sizeof(struct cmsghdr) ? \ + (struct cmsghdr *)(mhdr)->msg_control : \ + (struct cmsghdr *)NULL) +#endif /* CMSG_FIRSTHDR */ + + /* Function replacement / compatibility hacks */ #if !defined(HAVE_GETADDRINFO) && (defined(HAVE_OGETADDRINFO) || defined(HAVE_NGETADDRINFO)) @@ -577,22 +594,4 @@ struct winsize { /** end of login recorder definitions */ -#ifndef CMSG_DATA -/* given pointer to struct cmsghdr, return pointer to data */ -#define CMSG_DATA(cmsg) \ - ((u_char *)(cmsg) + (((u_int)(sizeof(struct cmsghdr)) \ - (sizeof(int) - 1)) &~ (sizeof(int) - 1))) -#endif /* CMSG_DATA */ - -#ifndef CMSG_FIRSTHDR -/* - * RFC 2292 requires to check msg_controllen, in case that the kernel returns - * an empty list for some reasons. - */ -# define CMSG_FIRSTHDR(mhdr) \ - ((mhdr)->msg_controllen >= sizeof(struct cmsghdr) ? \ - (struct cmsghdr *)(mhdr)->msg_control : \ - (struct cmsghdr *)NULL) -#endif /* CMSG_FIRSTHDR */ - #endif /* _DEFINES_H */ -- cgit v1.2.3 From 49aaf4ad522c6b599ec13f75f8a6b7eab6942143 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Tue, 26 Aug 2003 11:58:16 +1000 Subject: - (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson. --- ChangeLog | 5 ++++- Makefile.in | 5 +++-- acconfig.h | 5 ++++- auth-krb5.c | 3 --- auth-pam.c | 25 ++++++++++++++++++++++++- auth-pam.h | 3 ++- configure.ac | 28 +++++++++++++++++++++++++++- defines.h | 6 +++++- gss-serv-krb5.c | 37 +++++++++++++++++++++++++++++++++++++ session.c | 24 ++++++++++++------------ ssh-gss.h | 12 ++++++++++++ sshconnect1.c | 3 --- sshconnect2.c | 3 --- 13 files changed, 130 insertions(+), 29 deletions(-) (limited to 'defines.h') diff --git a/ChangeLog b/ChangeLog index 142af1b06..042334b01 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,9 @@ ssh_config.5 sshconnect2.c sshd_config sshd_config.5] support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself. + - (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h + configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c + sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson. 20030825 - (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from @@ -882,4 +885,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2907 2003/08/26 01:49:55 dtucker Exp $ +$Id: ChangeLog,v 1.2908 2003/08/26 01:58:16 dtucker Exp $ diff --git a/Makefile.in b/Makefile.in index cffefece6..eba34f341 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.240 2003/08/02 13:51:38 dtucker Exp $ +# $Id: Makefile.in,v 1.241 2003/08/26 01:58:16 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
@@ -68,7 +68,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \ key.o dispatch.o kex.o mac.o uuencode.o misc.o \ rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \ kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \ - entropy.o scard-opensc.o + entropy.o scard-opensc.o gss-genr.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o @@ -82,6 +82,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \ kexdhs.o kexgexs.o \ auth-krb5.o auth2-krb5.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-sia.o md5crypt.o MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out diff --git a/acconfig.h b/acconfig.h index 0e04c65b2..c83a45619 100644 --- a/acconfig.h +++ b/acconfig.h @@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.161 2003/08/25 01:51:19 dtucker Exp $ */ +/* $Id: acconfig.h,v 1.162 2003/08/26 01:58:16 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -232,6 +232,9 @@ /* Define if compiler implements __func__ */ #undef HAVE___func__ +/* Define this is you want GSSAPI support in the version 2 protocol */ +#undef GSSAPI + /* Define if you want Kerberos 5 support */ #undef KRB5 diff --git a/auth-krb5.c b/auth-krb5.c index b04c6649b..b9eeb5ba6 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -42,9 +42,6 @@ RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $"); #ifdef KRB5 #include -#ifndef HEIMDAL -#define krb5_get_err_text(context,code) error_message(code) -#endif /* !HEIMDAL */ extern ServerOptions options; diff --git a/auth-pam.c b/auth-pam.c index c0b6ded12..08b88f0dd 100644 --- a/auth-pam.c +++ b/auth-pam.c 
@@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.67 2003/08/25 03:08:49 djm Exp $"); +RCSID("$Id: auth-pam.c,v 1.68 2003/08/26 01:58:16 dtucker Exp $"); #ifdef USE_PAM #include @@ -650,6 +650,29 @@ do_pam_chauthtok(void) pam_strerror(sshpam_handle, sshpam_err)); } +/* + * Set a PAM environment string. We need to do this so that the session + * modules can handle things like Kerberos/GSI credentials that appear + * during the ssh authentication process. + */ + +int +do_pam_putenv(char *name, char *value) +{ + char *compound; + int ret = 1; + +#ifdef HAVE_PAM_PUTENV + compound = xmalloc(strlen(name)+strlen(value)+2); + if (compound) { + sprintf(compound,"%s=%s",name,value); + ret = pam_putenv(sshpam_handle,compound); + xfree(compound); + } +#endif + return (ret); +} + void print_pam_messages(void) { diff --git a/auth-pam.h b/auth-pam.h index 7f7c16d2e..03868312c 100644 --- a/auth-pam.h +++ b/auth-pam.h @@ -1,4 +1,4 @@ -/* $Id: auth-pam.h,v 1.19 2003/08/25 03:08:49 djm Exp $ */ +/* $Id: auth-pam.h,v 1.20 2003/08/26 01:58:16 dtucker Exp $ */ /* * Copyright (c) 2000 Damien Miller. All rights reserved. @@ -38,6 +38,7 @@ void do_pam_session(const char *, const char *); void do_pam_setcred(int ); int is_pam_password_change_required(void); void do_pam_chauthtok(void); +int do_pam_putenv(char *, char *); void print_pam_messages(void); char ** fetch_pam_environment(void); void free_pam_environment(char **); diff --git a/configure.ac b/configure.ac index 600155ccd..bbc00e703 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.142 2003/08/25 03:27:40 dtucker Exp $ +# $Id: configure.ac,v 1.143 2003/08/26 01:58:16 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) 
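Review bot: `do_pam_putenv` (auth-pam.c hunk at -650,6) returns `1` when HAVE_PAM_PUTENV is undefined and a `pam_putenv` status otherwise, but that contract is not documented, and the caller added in gss-serv-krb5.c discards the result. A failure to export the credential-cache location to the PAM session modules therefore passes silently. Add a header comment such as `/* Returns the pam_putenv() status, or 1 if pam_putenv is unavailable. */` and log at the call site when the result is non-zero. The `if (compound)` test looks dead if `xmalloc` aborts on failure (its definition is not in this diff), and `compound` is an unused variable when HAVE_PAM_PUTENV is not defined, so the declaration belongs inside the `#ifdef`. For the join, prefer a bounded write, `snprintf(compound, len, "%s=%s", name, value);` with `len` holding the allocated size, and take both parameters as `const char *`.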
@@ -831,6 +831,7 @@ AC_ARG_WITH(pam, AC_CHECK_LIB(dl, dlopen, , ) AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing])) AC_CHECK_FUNCS(pam_getenvlist) + AC_CHECK_FUNCS(pam_putenv) disable_shadow=yes PAM_MSG="yes" @@ -1946,6 +1947,31 @@ AC_ARG_WITH(kerberos5, fi AC_SEARCH_LIBS(dn_expand, resolv) + AC_CHECK_LIB(gssapi,gss_init_sec_context, + [ AC_DEFINE(GSSAPI) + K5LIBS="-lgssapi $K5LIBS" ], + [ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context, + [ AC_DEFINE(GSSAPI) + K5LIBS="-lgssapi_krb5 $K5LIBS" ], + AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]), + $K5LIBS) + ], + $K5LIBS) + + AC_CHECK_HEADER(gssapi.h, , + [ unset ac_cv_header_gssapi_h + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" + AC_CHECK_HEADERS(gssapi.h, , + AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail]) + ) + ] + ) + + oldCPP="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" + AC_CHECK_HEADER(gssapi_krb5.h, , + [ CPPFLAGS="$oldCPP" ]) + KRB5=yes fi ] diff --git a/defines.h b/defines.h index b2ea15d9f..7bff839cc 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.101 2003/08/21 06:49:41 dtucker Exp $ */ +/* $Id: defines.h,v 1.102 2003/08/26 01:58:16 dtucker Exp $ */ /* Constants */ @@ -521,6 +521,10 @@ struct winsize { # define __func__ "" #endif +#if defined(KRB5) && !defined(HEIMDAL) +# define krb5_get_err_text(context,code) error_message(code) +#endif + /* * Define this to use pipes instead of socketpairs for communicating with the * client program. Socketpairs do not seem to work on all systems. diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index d86872258..f48e09911 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c @@ -38,7 +38,11 @@ extern ServerOptions options; +#ifdef HEIMDAL #include +#else +#include +#endif static krb5_context krb_context = NULL; 
@@ -113,11 +117,39 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) if (ssh_gssapi_krb5_init() == 0) return; +#ifdef HEIMDAL if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) { logit("krb5_cc_gen_new(): %.100s", krb5_get_err_text(krb_context, problem)); return; } +#else + { + int tmpfd; + char ccname[40]; + + snprintf(ccname, sizeof(ccname), + "FILE:/tmp/krb5cc_%d_XXXXXX", geteuid()); + + if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) { + logit("mkstemp(): %.100s", strerror(errno)); + problem = errno; + return; + } + if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) { + logit("fchmod(): %.100s", strerror(errno)); + close(tmpfd); + problem = errno; + return; + } + close(tmpfd); + if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) { + logit("krb5_cc_resolve(): %.100s", + krb5_get_err_text(krb_context, problem)); + return; + } + } +#endif /* #ifdef HEIMDAL */ if ((problem = krb5_parse_name(krb_context, client->exportedname.value, &princ))) { @@ -148,6 +180,11 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) client->store.envvar = "KRB5CCNAME"; client->store.envval = xstrdup(client->store.filename); +#ifdef USE_PAM + if (options.use_pam) + do_pam_putenv(client->store.envvar,client->store.envval); +#endif + krb5_cc_close(krb_context, ccache); return; diff --git a/session.c b/session.c index 3593a3ff5..6ba0233e5 100644 --- a/session.c +++ b/session.c @@ -418,6 +418,12 @@ do_exec_no_pty(Session *s, const char *command) session_proctitle(s); +#ifdef GSSAPI + temporarily_use_uid(s->pw); + ssh_gssapi_storecreds(); + restore_uid(); +#endif + #if defined(USE_PAM) if (options.use_pam) { do_pam_session(s->pw->pw_name, NULL); @@ -428,12 +434,6 @@ do_exec_no_pty(Session *s, const char *command) } #endif /* USE_PAM */ -#ifdef GSSAPI - temporarily_use_uid(s->pw); - ssh_gssapi_storecreds(); - restore_uid(); -#endif - /* Fork the child. */ if ((pid = fork()) == 0) { fatal_remove_all_cleanups(); 
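Review bot: In the non-Heimdal branch of `ssh_gssapi_krb5_storecreds`, the file that `mkstemp` creates under /tmp is not removed on the failure paths, so when `fchmod` or `krb5_cc_resolve` fails the function returns and leaves an empty credential-cache file behind. Add `unlink(ccname + strlen("FILE:"));` before those two returns; the later error paths are outside this hunk and should be checked for the same cleanup. `problem = errno;` is assigned after `logit()` has already run, so errno may have been overwritten, and the value is never read because the function returns on the next line; either save errno before logging or drop the assignment. `geteuid()` is passed to `%d` without a cast; `"%u", (u_int)geteuid()` matches the type and keeps the name within `ccname[40]` for any uid value.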
@@ -553,6 +553,12 @@ do_exec_pty(Session *s, const char *command) ptyfd = s->ptyfd; ttyfd = s->ttyfd; +#ifdef GSSAPI + temporarily_use_uid(s->pw); + ssh_gssapi_storecreds(); + restore_uid(); +#endif + #if defined(USE_PAM) if (options.use_pam) { do_pam_session(s->pw->pw_name, s->tty); @@ -560,12 +566,6 @@ do_exec_pty(Session *s, const char *command) } #endif -#ifdef GSSAPI - temporarily_use_uid(s->pw); - ssh_gssapi_storecreds(); - restore_uid(); -#endif - /* Fork the child. */ if ((pid = fork()) == 0) { fatal_remove_all_cleanups(); diff --git a/ssh-gss.h b/ssh-gss.h index 263e51b94..6b58adb3a 100644 --- a/ssh-gss.h +++ b/ssh-gss.h @@ -31,6 +31,18 @@ #include +#ifdef KRB5 +#ifndef HEIMDAL +#include + +/* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */ + +#ifndef GSS_C_NT_HOSTBASED_SERVICE +#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name +#endif /* GSS_C_NT_... */ +#endif /* !HEIMDAL */ +#endif /* KRB5 */ + /* draft-ietf-secsh-gsskeyex-06 */ #define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE 60 #define SSH2_MSG_USERAUTH_GSSAPI_TOKEN 61 diff --git a/sshconnect1.c b/sshconnect1.c index 5e1802b10..5935e8b77 100644 --- a/sshconnect1.c +++ b/sshconnect1.c @@ -20,9 +20,6 @@ RCSID("$OpenBSD: sshconnect1.c,v 1.55 2003/08/13 08:46:31 markus Exp $"); #ifdef KRB5 #include -#ifndef HEIMDAL -#define krb5_get_err_text(context,code) error_message(code) -#endif /* !HEIMDAL */ #endif #include "ssh.h" diff --git a/sshconnect2.c b/sshconnect2.c index c71ad506b..549853907 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -27,9 +27,6 @@ RCSID("$OpenBSD: sshconnect2.c,v 1.121 2003/08/22 10:56:09 markus Exp $"); #ifdef KRB5 #include -#ifndef HEIMDAL -#define krb5_get_err_text(context,code) error_message(code) -#endif /* !HEIMDAL */ #endif #include "openbsd-compat/sys-queue.h" -- cgit v1.2.3 From e1a790d0d165ff70acb502fbfc72bd55cd2b8fb1 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Tue, 16 Sep 2003 11:52:19 +1000 Subject: - (dtucker) [acconfig.h configure.ac defines.h session.c] Bug #252: Retrieve PATH (or SUPATH) and UMASK from /etc/default/login on platforms that have it (eg Solaris, Reliant Unix). Patch from Robert.Dahlem at siemens.com. ok djm@ --- ChangeLog | 7 +++++- acconfig.h | 5 +++- configure.ac | 45 ++++++++++++++++++++++++++-------- defines.h | 6 ++++- session.c | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++++++------ 5 files changed, 123 insertions(+), 20 deletions(-) (limited to 'defines.h') diff --git a/ChangeLog b/ChangeLog index 3f1a4cfec..6a32bc1a0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20030916 + - (dtucker) [acconfig.h configure.ac defines.h session.c] Bug #252: Retrieve + PATH (or SUPATH) and UMASK from /etc/default/login on platforms that have it + (eg Solaris, Reliant Unix). Patch from Robert.Dahlem at siemens.com. ok djm@ + 20030914 - (dtucker) [Makefile regress/Makefile] Fix portability issues preventing the regression tests from running with Solaris' make. Patch from Brian @@ -1093,4 +1098,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2991 2003/09/14 03:16:55 dtucker Exp $ +$Id: ChangeLog,v 1.2992 2003/09/16 01:52:19 dtucker Exp $ diff --git a/acconfig.h b/acconfig.h index ea8fcb0b4..9bfb9b6c9 100644 --- a/acconfig.h +++ b/acconfig.h @@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.165 2003/09/08 21:35:17 tim Exp $ */ +/* $Id: acconfig.h,v 1.166 2003/09/16 01:52:19 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -359,6 +359,9 @@ /* Define in your struct dirent expects you to allocate extra space for d_name */ #undef BROKEN_ONE_BYTE_DIRENT_D_NAME +/* Define if your system has /etc/default/login */ +#undef HAVE_ETC_DEFAULT_LOGIN + /* Define if your getopt(3) defines and uses optreset */ #undef HAVE_GETOPT_OPTRESET 
diff --git a/configure.ac b/configure.ac index 3d5389cce..ab630115b 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.153 2003/09/13 01:15:15 tim Exp $ +# $Id: configure.ac,v 1.154 2003/09/16 01:52:19 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -250,6 +250,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") # Pushing STREAMS modules will cause sshd to acquire a controlling tty. AC_DEFINE(SSHD_ACQUIRES_CTTY) + external_path_file=/etc/default/login # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/var/adm/lastlog" AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x) @@ -286,6 +287,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(USE_PIPES) AC_DEFINE(IP_TOS_IS_BROKEN) AC_DEFINE(SSHD_ACQUIRES_CTTY) + external_path_file=/etc/default/login # /usr/ucblib/libucb.a no longer needed on ReliantUNIX # Attention: always take care to bind libsocket and libnsl before libc, # otherwise you will find lots of "SIOCGPGRP errno 22" on syslog 
@@ -2180,30 +2182,48 @@ else ) fi +# check for /etc/default/login and use it if present. +AC_CHECK_FILE("/etc/default/login", [ external_path_file=/etc/default/login ]) + +if test "x$external_path_file" = "x/etc/default/login"; then + AC_DEFINE(HAVE_ETC_DEFAULT_LOGIN) +fi + dnl BSD systems use /etc/login.conf so --with-default-path= has no effect if test $ac_cv_func_login_getcapbool = "yes" -a \ $ac_cv_header_login_cap_h = "yes" ; then - USES_LOGIN_CONF=yes + external_path_file=/etc/login.conf fi + # Whether to mess with the default path SERVER_PATH_MSG="(default)" AC_ARG_WITH(default-path, [ --with-default-path= Specify default \$PATH environment for server], [ - if test "$USES_LOGIN_CONF" = "yes" ; then + if test "x$external_path_file" = "x/etc/login.conf" ; then AC_MSG_WARN([ --with-default-path=PATH has no effect on this system. Edit /etc/login.conf instead.]) elif test "x$withval" != "xno" ; then + if ! test -z "$external_path_file" ; then + AC_MSG_WARN([ +--with-default-path=PATH will only be used if PATH is not defined in +$external_path_file .]) + fi user_path="$withval" SERVER_PATH_MSG="$withval" fi ], - [ if test "$USES_LOGIN_CONF" = "yes" ; then - AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf]) + [ if test "x$external_path_file" = "x/etc/login.conf" ; then + AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf]) else - AC_TRY_RUN( - [ + if ! test -z "$external_path_file" ; then + AC_MSG_WARN([ +If PATH is defined in $external_path_file, ensure the path to scp is included, +otherwise scp will not work.]) + fi + AC_TRY_RUN( + [ /* find out what STDPATH is */ #include #ifdef HAVE_PATHS_H @@ -2257,7 +2277,7 @@ main() fi fi ] ) -if test "$USES_LOGIN_CONF" != "yes" ; then +if test "x$external_path_file" != "x/etc/login.conf" ; then AC_DEFINE_UNQUOTED(USER_PATH, "$user_path") AC_SUBST(user_path) fi 
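Review bot: `AC_CHECK_FILE("/etc/default/login", ...)` probes the filesystem of the machine running configure, and Autoconf's file checks abort when cross-compiling. This hunk therefore breaks cross builds, and it sets HAVE_ETC_DEFAULT_LOGIN from the build host rather than from the system that will run sshd. The Solaris and Reliant UNIX case branches already set `external_path_file`, so consider guarding the probe with `if test "x$cross_compiling" != "xyes"; then ... fi`, or dropping it and relying on the per-platform settings. A short comment saying that the later login.conf test deliberately overrides this value would also help, since `external_path_file` now selects between three behaviours.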
@@ -2627,10 +2647,15 @@ echo " Askpass program: $E" echo " Manual pages: $F" echo " PID file: $G" echo " Privilege separation chroot path: $H" -if test "$USES_LOGIN_CONF" = "yes" ; then -echo " At runtime, sshd will use the path defined in /etc/login.conf" +if test "x$external_path_file" = "x/etc/login.conf" ; then +echo " At runtime, sshd will use the path defined in $external_path_file" +echo " Make sure the path to scp is present, otherwise scp will not work" else echo " sshd default user PATH: $I" + if ! test -z "$external_path_file"; then +echo " (If PATH is set in $external_path_file it will be used instead. If" +echo " used, ensure the path to scp is present, otherwise scp will not work.)" + fi fi if test ! -z "$superuser_path" ; then echo " sshd superuser user PATH: $J" diff --git a/defines.h b/defines.h index 7bff839cc..e662966fb 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.102 2003/08/26 01:58:16 dtucker Exp $ */ +/* $Id: defines.h,v 1.103 2003/09/16 01:52:19 dtucker Exp $ */ /* Constants */ @@ -321,6 +321,10 @@ struct winsize { # define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" #endif +#ifndef SUPERUSER_PATH +# define SUPERUSER_PATH _PATH_STDPATH +#endif + #ifndef _PATH_DEVNULL # define _PATH_DEVNULL "/dev/null" #endif diff --git a/session.c b/session.c index 35328ecbb..4497f5c0b 100644 --- a/session.c +++ b/session.c @@ -801,6 +801,16 @@ child_set_env(char ***envp, u_int *envsizep, const char *name, u_int i, namelen; char **env; + /* + * If we're passed an uninitialized list, allocate a single null + * entry before continuing. + */ + if (*envp == NULL && *envsizep == 0) { + *envp = xmalloc(sizeof(char *)); + *envp[0] = NULL; + *envsizep = 1; + } + /* * Find the slot where the value should be stored. If the variable * already exists, we reuse the slot; otherwise we append a new slot 
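Review bot: In the session.c hunk for `child_set_env`, `*envp[0] = NULL;` parses as `*(envp[0])`, which names the same object as `(*envp)[0]` only because the index is zero; write `(*envp)[0] = NULL;` so the intent survives later edits. The guard requires both `*envp == NULL` and `*envsizep == 0`, so a caller that passes a NULL list with a non-zero size skips the allocation and reaches the slot search below with a NULL array. Either test `*envp == NULL` alone or document the precondition in the comment. The function body continues outside the hunk.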
@@ -877,6 +887,59 @@ read_environment_file(char ***env, u_int *envsize, fclose(f); } +#ifdef HAVE_ETC_DEFAULT_LOGIN +/* + * Return named variable from specified environment, or NULL if not present. + */ +static char * +child_get_env(char **env, const char *name) +{ + int i; + size_t len; + + len = strlen(name); + for (i=0; env[i] != NULL; i++) + if (strncmp(name, env[i], len) == 0 && env[i][len] == '=') + return(env[i] + len + 1); + return NULL; +} + +/* + * Read /etc/default/login. + * We pick up the PATH (or SUPATH for root) and UMASK. + */ +static void +read_etc_default_login(char ***env, u_int *envsize, uid_t uid) +{ + char **tmpenv = NULL, *var; + u_int i; + size_t tmpenvsize = 0; + mode_t mask; + + /* + * We don't want to copy the whole file to the child's environment, + * so we use a temporary environment and copy the variables we're + * interested in. + */ + read_environment_file(&tmpenv, &tmpenvsize, "/etc/default/login"); + + if (uid == 0) + var = child_get_env(tmpenv, "SUPATH"); + else + var = child_get_env(tmpenv, "PATH"); + if (var != NULL) + child_set_env(env, envsize, "PATH", var); + + if ((var = child_get_env(tmpenv, "UMASK")) != NULL) + if (sscanf(var, "%5lo", &mask) == 1) + umask(mask); + + for (i = 0; tmpenv[i] != NULL; i++) + xfree(tmpenv[i]); + xfree(tmpenv); +} +#endif /* HAVE_ETC_DEFAULT_LOGIN */ + void copy_environment(char **source, char ***env, u_int *envsize) { char *var_name, *var_val; @@ -905,7 +968,7 @@ do_setup_env(Session *s, const char *shell) { char buf[256]; u_int i, envsize; - char **env, *laddr; + char **env, *laddr, *path = NULL; struct passwd *pw = s->pw; /* Initialize the environment. */ 
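Review bot: In `read_etc_default_login`, `sscanf(var, "%5lo", &mask)` stores an `unsigned long` through a pointer to `mode_t`; where `mode_t` is narrower this writes past `mask` on the stack, with the bytes coming from the UMASK line of /etc/default/login. Parse into a `u_long` and cast when calling `umask`. Two more problems sit in the same function. `tmpenv` is still NULL when the file is absent or yields no variables (assuming `read_environment_file`, whose body is outside the hunk, leaves it untouched in that case), so `child_get_env` and the free loop dereference NULL. `tmpenvsize` is also declared `size_t` but passed where `u_int *` is expected. The fence shows the changed lines.

```c
read_etc_default_login(char ***env, u_int *envsize, uid_t uid)
{
	/* ... unchanged: tmpenv and var declarations ... */
	u_int i, tmpenvsize = 0;	/* same type read_environment_file takes */
	u_long mask;			/* "%lo" stores an unsigned long */

	/* ... unchanged: comment and read_environment_file() call ... */

	/* File missing or empty: nothing to copy and nothing to free. */
	if (tmpenv == NULL)
		return;

	/* ... unchanged: SUPATH / PATH lookup and child_set_env() ... */

	if ((var = child_get_env(tmpenv, "UMASK")) != NULL)
		if (sscanf(var, "%5lo", &mask) == 1)
			umask((mode_t)mask);

	/* ... unchanged: free loop ... */
```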
@@ -949,12 +1012,15 @@ do_setup_env(Session *s, const char *shell) * needed for loading shared libraries. So the path better * remains intact here. */ -# ifdef SUPERUSER_PATH - child_set_env(&env, &envsize, "PATH", - s->pw->pw_uid == 0 ? SUPERUSER_PATH : _PATH_STDPATH); -# else - child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); -# endif /* SUPERUSER_PATH */ +# ifdef HAVE_ETC_DEFAULT_LOGIN + read_etc_default_login(&env, &envsize, pw->pw_uid); + path = child_get_env(env, "PATH"); +# endif /* HAVE_ETC_DEFAULT_LOGIN */ + if (path == NULL || *path == '\0') { + child_set_env(&env, &envsize, "PATH", + s->pw->pw_uid == 0 ? + SUPERUSER_PATH : _PATH_STDPATH); + } # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ -- cgit v1.2.3