From 8aae6ff0d9e3b78204288f1db671ccd60614e10b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 7 Mar 2009 12:01:47 +1100 Subject: - (dtucker) [schnorr.c openbsd-compat/openssl-compat.{c,h}] Add EVP_DigestUpdate to the OLD_EVP compatibility functions and tell schnorr.c to use them. Allows building with older OpenSSL versions. --- openbsd-compat/openssl-compat.c | 9 ++++++++- openbsd-compat/openssl-compat.h | 3 ++- 2 files changed, 10 insertions(+), 2 deletions(-) (limited to 'openbsd-compat') diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c index 49238ba80..f5435784b 100644 --- a/openbsd-compat/openssl-compat.c +++ b/openbsd-compat/openssl-compat.c @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.c,v 1.6 2008/02/28 08:13:52 dtucker Exp $ */ +/* $Id: openssl-compat.c,v 1.7 2009/03/07 01:01:47 dtucker Exp $ */ /* * Copyright (c) 2005 Darren Tucker @@ -47,6 +47,13 @@ ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp) EVP_CIPHER_CTX_cleanup(evp); return 1; } + +int +ssh_EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt) +{ + EVP_DigestUpdate(ctx, d, cnt); + return 1; +} #endif #ifdef USE_OPENSSL_ENGINE diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index 6a1bed5b2..945a7a300 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.h,v 1.12 2008/02/28 08:22:04 dtucker Exp $ */ +/* $Id: openssl-compat.h,v 1.13 2009/03/07 01:01:47 dtucker Exp $ */ /* * Copyright (c) 2005 Darren Tucker @@ -78,6 +78,7 @@ extern const EVP_CIPHER *evp_acss(void); # define EVP_CipherInit(a,b,c,d,e) ssh_EVP_CipherInit((a),(b),(c),(d),(e)) # define EVP_Cipher(a,b,c,d) ssh_EVP_Cipher((a),(b),(c),(d)) # define EVP_CIPHER_CTX_cleanup(a) ssh_EVP_CIPHER_CTX_cleanup((a)) +# define EVP_DigestUpdate(a,b,c) ssh_EVP_DigestUpdate((a),(b),(c)) # endif /* SSH_OLD_EVP */ # ifdef USE_OPENSSL_ENGINE -- cgit v1.2.3 
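Review bot: ssh_EVP_DigestUpdate() always returns 1, so a caller that checks the result can never observe a digest failure. That is unavoidable where the library function returns void, but in this commit the wrapper is compiled under the broader SSH_OLD_EVP guard, which may also cover OpenSSL versions whose EVP_DigestUpdate returns int (not visible from this hunk); there the real result is discarded. A comment above the wrapper would make the contract explicit, for example `/* old OpenSSL: EVP_DigestUpdate returns void, so always report success */`. The `unsigned int cnt` parameter also narrows any size_t length passed through the macro in openssl-compat.h, which is worth stating in the same comment.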
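Review bot: The new `EVP_DigestUpdate` macro in openssl-compat.h redirects every call to ssh_EVP_DigestUpdate(), but the header hunk adds no prototype for that function. Unless one is declared outside the visible lines, callers compile against an implicit declaration and their arguments are not type-checked. Adding `int ssh_EVP_DigestUpdate(EVP_MD_CTX *, const void *, unsigned int);` beside the header's other wrapper declarations (if it has them) would fix that. The same applies to the later header hunk that moves the macro under OPENSSL_EVP_DIGESTUPDATE_VOID.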
From 3e7e15f1bdc2ddd8fe4a389212c6b8db58e2b511 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 7 Mar 2009 22:22:35 +1100 Subject: - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] EVP_DigestUpdate does not exactly match the other OLD_EVP functions (eg in openssl 0.9.6) so add an explicit test for it. --- ChangeLog | 3 +++ configure.ac | 21 +++++++++++++++++++-- openbsd-compat/openssl-compat.c | 4 +++- openbsd-compat/openssl-compat.h | 7 +++++-- 4 files changed, 30 insertions(+), 5 deletions(-) (limited to 'openbsd-compat') diff --git a/ChangeLog b/ChangeLog index 1c982f5d2..be302d9b6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,9 @@ to use them. Allows building with older OpenSSL versions. - (dtucker) [configure.ac defines.h] Check for in_port_t and typedef if needed. - (dtucker) [configure.ac] Missing comma in type list. + - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] + EVP_DigestUpdate does not exactly match the other OLD_EVP functions (eg + in openssl 0.9.6) so add an explicit test for it. 20090306 - (djm) OpenBSD CVS Sync diff --git a/configure.ac b/configure.ac index a2cb7a215..51fee9e6b 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.417 2009/03/07 07:06:22 dtucker Exp $ +# $Id: configure.ac,v 1.418 2009/03/07 11:22:35 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) -AC_REVISION($Revision: 1.417 $) +AC_REVISION($Revision: 1.418 $) AC_CONFIG_SRCDIR([ssh.c]) AC_CONFIG_HEADER(config.h) 
@@ -2076,6 +2076,23 @@ int main(void) { exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);} ] ) +AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) +AC_LINK_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +int main(void) { if(EVP_DigestUpdate(NULL, NULL,0)) exit(0); } + ]])], + [ + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + AC_DEFINE(OPENSSL_EVP_DIGESTUPDATE_VOID, 1, + [Define if EVP_DigestUpdate returns void]) + ] +) + # Some systems want crypt() from libcrypt, *not* the version in OpenSSL, # because the system crypt() is more featureful. if test "x$check_for_libcrypt_before" = "x1"; then diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c index f5435784b..dd326c00f 100644 --- a/openbsd-compat/openssl-compat.c +++ b/openbsd-compat/openssl-compat.c @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.c,v 1.7 2009/03/07 01:01:47 dtucker Exp $ */ +/* $Id: openssl-compat.c,v 1.8 2009/03/07 11:22:35 dtucker Exp $ */ /* * Copyright (c) 2005 Darren Tucker @@ -47,7 +47,9 @@ ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp) EVP_CIPHER_CTX_cleanup(evp); return 1; } +#endif +#ifdef OPENSSL_EVP_DIGESTUPDATE_VOID int ssh_EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt) { diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index 945a7a300..fcc762867 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.h,v 1.13 2009/03/07 01:01:47 dtucker Exp $ */ +/* $Id: openssl-compat.h,v 1.14 2009/03/07 11:22:35 dtucker Exp $ */ /* * Copyright (c) 2005 Darren Tucker 
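Review bot: The new configure test treats every compile or link failure as "returns void", so a failure for an unrelated reason (a missing header or library path, for instance) would define OPENSSL_EVP_DIGESTUPDATE_VOID and route all digest updates through the wrapper that always returns 1. Because that silently hides real return values, the check deserves a comment above it, e.g. `# Link-only test: a void EVP_DigestUpdate fails to compile inside if()`, and it should stay a link test, since the NULL arguments must never be executed. The test program's main() also falls off the end without a return when the condition is false, which is harmless here but can draw warnings under stricter compilers.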
@@ -78,9 +78,12 @@ extern const EVP_CIPHER *evp_acss(void); # define EVP_CipherInit(a,b,c,d,e) ssh_EVP_CipherInit((a),(b),(c),(d),(e)) # define EVP_Cipher(a,b,c,d) ssh_EVP_Cipher((a),(b),(c),(d)) # define EVP_CIPHER_CTX_cleanup(a) ssh_EVP_CIPHER_CTX_cleanup((a)) -# define EVP_DigestUpdate(a,b,c) ssh_EVP_DigestUpdate((a),(b),(c)) # endif /* SSH_OLD_EVP */ +# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID +# define EVP_DigestUpdate(a,b,c) ssh_EVP_DigestUpdate((a),(b),(c)) +# endif + # ifdef USE_OPENSSL_ENGINE # ifdef SSLeay_add_all_algorithms # undef SSLeay_add_all_algorithms -- cgit v1.2.3 From 9d86e5d5704092072822336af6d0bee468c25966 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 8 Mar 2009 11:40:27 +1100 Subject: - (dtucker) [auth-passwd.c auth1.c auth2-kbdint.c auth2-none.c auth2-passwd.c auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h} openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old version of Cygwin. Patch from vinschen at redhat com. --- ChangeLog | 6 ++ auth-passwd.c | 2 +- auth1.c | 10 +--- auth2-kbdint.c | 4 -- auth2-none.c | 4 -- auth2-passwd.c | 4 -- auth2-pubkey.c | 4 -- openbsd-compat/bsd-cygwin_util.c | 124 --------------------------------------- openbsd-compat/bsd-cygwin_util.h | 5 +- openbsd-compat/daemon.c | 10 ---- session.c | 11 +--- 11 files changed, 12 insertions(+), 172 deletions(-) (limited to 'openbsd-compat') diff --git a/ChangeLog b/ChangeLog index be302d9b6..ae2cf5119 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20090308 + - (dtucker) [auth-passwd.c auth1.c auth2-kbdint.c auth2-none.c auth2-passwd.c + auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h} + openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old + version of Cygwin. Patch from vinschen at redhat com. + 20090307 - (dtucker) [contrib/aix/buildbff.sh] Only try to rename ssh_prng_cmds if it exists (it's not created if OpenSSL's PRNG is self-seeded, eg if the OS 
diff --git a/auth-passwd.c b/auth-passwd.c index bdfced023..b1c6ce092 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -102,7 +102,7 @@ auth_password(Authctxt *authctxt, const char *password) } #endif #ifdef HAVE_CYGWIN - if (is_winnt) { + { HANDLE hToken = cygwin_logon_user(pw, password); if (hToken == INVALID_HANDLE_VALUE) diff --git a/auth1.c b/auth1.c index b8a255872..1801661fd 100644 --- a/auth1.c +++ b/auth1.c @@ -318,15 +318,7 @@ do_authloop(Authctxt *authctxt) } #endif /* _UNICOS */ -#ifdef HAVE_CYGWIN - if (authenticated && - !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, - authctxt->pw)) { - packet_disconnect("Authentication rejected for uid %d.", - authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid); - authenticated = 0; - } -#else +#ifndef HAVE_CYGWIN /* Special handling for root */ if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(meth->name)) { diff --git a/auth2-kbdint.c b/auth2-kbdint.c index a4fc9e6f7..fae67da6e 100644 --- a/auth2-kbdint.c +++ b/auth2-kbdint.c @@ -58,10 +58,6 @@ userauth_kbdint(Authctxt *authctxt) xfree(devs); xfree(lang); -#ifdef HAVE_CYGWIN - if (check_nt_auth(0, authctxt->pw) == 0) - authenticated = 0; -#endif return authenticated; } diff --git a/auth2-none.c b/auth2-none.c index 10accfe55..08f2f935f 100644 --- a/auth2-none.c +++ b/auth2-none.c @@ -61,10 +61,6 @@ userauth_none(Authctxt *authctxt) { none_enabled = 0; packet_check_eom(); -#ifdef HAVE_CYGWIN - if (check_nt_auth(1, authctxt->pw) == 0) - return (0); -#endif if (options.password_authentication) return (PRIVSEP(auth_password(authctxt, ""))); return (0); diff --git a/auth2-passwd.c b/auth2-passwd.c index 421c5c25d..5f1f3635f 100644 --- a/auth2-passwd.c +++ b/auth2-passwd.c 
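Review bot: With the check_nt_auth() call gone from do_authloop() in auth1.c, a Cygwin build has no post-authentication check left in this block, because the root-login test that follows is now compiled only under `#ifndef HAVE_CYGWIN`. The same call is removed in the auth2-kbdint.c, auth2-none.c, auth2-passwd.c and auth2-pubkey.c hunks, so the refusal of a user-context switch after non-password authentication presumably now rests on the uid comparison in do_setusercontext() in session.c, which this commit makes unconditional. A comment at the `#ifndef` would record that dependency, e.g. `/* Cygwin: the user-context switch is verified in do_setusercontext() */`. do_authloop()'s body continues outside the hunk.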
@@ -68,10 +68,6 @@ userauth_passwd(Authctxt *authctxt) logit("password change not supported"); else if (PRIVSEP(auth_password(authctxt, password)) == 1) authenticated = 1; -#ifdef HAVE_CYGWIN - if (check_nt_auth(1, authctxt->pw) == 0) - authenticated = 0; -#endif memset(password, 0, len); xfree(password); return authenticated; diff --git a/auth2-pubkey.c b/auth2-pubkey.c index b1e38e5f5..2886f1275 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -170,10 +170,6 @@ done: key_free(key); xfree(pkalg); xfree(pkblob); -#ifdef HAVE_CYGWIN - if (check_nt_auth(0, authctxt->pw) == 0) - authenticated = 0; -#endif return authenticated; } diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c index 38be7e350..e90c1597f 100644 --- a/openbsd-compat/bsd-cygwin_util.c +++ b/openbsd-compat/bsd-cygwin_util.c @@ -39,9 +39,6 @@ #endif #include -#include -#include -#include #include #include @@ -49,11 +46,6 @@ #include #include "xmalloc.h" -#define is_winnt (GetVersion() < 0x80000000) - -#define ntsec_on(c) ((c) && strstr((c),"ntsec") && !strstr((c),"nontsec")) -#define ntsec_off(c) ((c) && strstr((c),"nontsec")) -#define ntea_on(c) ((c) && strstr((c),"ntea") && !strstr((c),"nontea")) int binary_open(const char *filename, int flags, ...) 
@@ -79,128 +71,12 @@ binary_pipe(int fd[2]) return (ret); } -#define HAS_CREATE_TOKEN 1 -#define HAS_NTSEC_BY_DEFAULT 2 -#define HAS_CREATE_TOKEN_WO_NTSEC 3 - -static int -has_capability(int what) -{ - static int inited; - static int has_create_token; - static int has_ntsec_by_default; - static int has_create_token_wo_ntsec; - - /* - * has_capability() basically calls uname() and checks if - * specific capabilities of Cygwin can be evaluated from that. - * This simplifies the calling functions which only have to ask - * for a capability using has_capability() instead of having - * to figure that out by themselves. - */ - if (!inited) { - struct utsname uts; - - if (!uname(&uts)) { - int major_high = 0, major_low = 0, minor = 0; - int api_major_version = 0, api_minor_version = 0; - char *c; - - sscanf(uts.release, "%d.%d.%d", &major_high, - &major_low, &minor); - if ((c = strchr(uts.release, '(')) != NULL) { - sscanf(c + 1, "%d.%d", &api_major_version, - &api_minor_version); - } - if (major_high > 1 || - (major_high == 1 && (major_low > 3 || - (major_low == 3 && minor >= 2)))) - has_create_token = 1; - if (api_major_version > 0 || api_minor_version >= 56) - has_ntsec_by_default = 1; - if (major_high > 1 || - (major_high == 1 && major_low >= 5)) - has_create_token_wo_ntsec = 1; - inited = 1; - } - } - switch (what) { - case HAS_CREATE_TOKEN: - return (has_create_token); - case HAS_NTSEC_BY_DEFAULT: - return (has_ntsec_by_default); - case HAS_CREATE_TOKEN_WO_NTSEC: - return (has_create_token_wo_ntsec); - } - return (0); -} - -int -check_nt_auth(int pwd_authenticated, struct passwd *pw) -{ - /* - * The only authentication which is able to change the user - * context on NT systems is the password authentication. So - * we deny all requsts for changing the user context if another - * authentication method is used. 
- * - * This doesn't apply to Cygwin versions >= 1.3.2 anymore which - * uses the undocumented NtCreateToken() call to create a user - * token if the process has the appropriate privileges and if - * CYGWIN ntsec setting is on. - */ - static int has_create_token = -1; - - if (pw == NULL) - return 0; - if (is_winnt) { - if (has_create_token < 0) { - char *cygwin = getenv("CYGWIN"); - - has_create_token = 0; - if (has_capability(HAS_CREATE_TOKEN) && - (ntsec_on(cygwin) || - (has_capability(HAS_NTSEC_BY_DEFAULT) && - !ntsec_off(cygwin)) || - has_capability(HAS_CREATE_TOKEN_WO_NTSEC))) - has_create_token = 1; - } - if (has_create_token < 1 && - !pwd_authenticated && geteuid() != pw->pw_uid) - return (0); - } - return (1); -} - int check_ntsec(const char *filename) { return (pathconf(filename, _PC_POSIX_PERMISSIONS)); } -void -register_9x_service(void) -{ - HINSTANCE kerneldll; - DWORD (*RegisterServiceProcess)(DWORD, DWORD); - - /* The service register mechanism in 9x/Me is pretty different from - * NT/2K/XP. In NT/2K/XP we're using a special service starter - * application to register and control sshd as service. This method - * doesn't play nicely with 9x/Me. For that reason we register here - * as service when running under 9x/Me. This function is only called - * by the child sshd when it's going to daemonize. - */ - if (is_winnt) - return; - if (!(kerneldll = LoadLibrary("KERNEL32.DLL"))) - return; - if (!(RegisterServiceProcess = (DWORD (*)(DWORD, DWORD)) - GetProcAddress(kerneldll, "RegisterServiceProcess"))) - return; - RegisterServiceProcess(0, 1); -} - #define NL(x) x, (sizeof (x) - 1) #define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0])) diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h index 6719b8a49..39b8eb788 100644 --- a/openbsd-compat/bsd-cygwin_util.h +++ b/openbsd-compat/bsd-cygwin_util.h 
@@ -1,4 +1,4 @@ -/* $Id: bsd-cygwin_util.h,v 1.11 2004/08/30 10:42:08 dtucker Exp $ */ +/* $Id: bsd-cygwin_util.h,v 1.12 2009/03/08 00:40:28 dtucker Exp $ */ /* * Copyright (c) 2000, 2001, Corinna Vinschen @@ -35,7 +35,6 @@ #ifdef HAVE_CYGWIN #undef ERROR -#define is_winnt (GetVersion() < 0x80000000) #include #include @@ -43,9 +42,7 @@ int binary_open(const char *, int , ...); int binary_pipe(int fd[2]); -int check_nt_auth(int, struct passwd *); int check_ntsec(const char *); -void register_9x_service(void); char **fetch_windows_environment(void); void free_windows_environment(char **); diff --git a/openbsd-compat/daemon.c b/openbsd-compat/daemon.c index e3a6886bd..3efe14c68 100644 --- a/openbsd-compat/daemon.c +++ b/openbsd-compat/daemon.c @@ -57,18 +57,8 @@ daemon(int nochdir, int noclose) case -1: return (-1); case 0: -#ifdef HAVE_CYGWIN - register_9x_service(); -#endif break; default: -#ifdef HAVE_CYGWIN - /* - * This sleep avoids a race condition which kills the - * child process if parent is started by a NT/W2K service. - */ - sleep(1); -#endif _exit(0); } diff --git a/session.c b/session.c index f2549e0cd..8e0c54faa 100644 --- a/session.c +++ b/session.c @@ -571,8 +571,7 @@ do_exec_no_pty(Session *s, const char *command) signal(WJSIGNAL, cray_job_termination_handler); #endif /* _UNICOS */ #ifdef HAVE_CYGWIN - if (is_winnt) - cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); + cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); #endif s->pid = pid; @@ -726,8 +725,7 @@ do_exec_pty(Session *s, const char *command) signal(WJSIGNAL, cray_job_termination_handler); #endif /* _UNICOS */ #ifdef HAVE_CYGWIN - if (is_winnt) - cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); + cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); #endif s->pid = pid; 
@@ -1116,7 +1114,7 @@ do_setup_env(Session *s, const char *shell) u_int i, envsize; char **env, *laddr; struct passwd *pw = s->pw; -#ifndef HAVE_LOGIN_CAP +#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) char *path = NULL; #endif @@ -1551,9 +1549,6 @@ do_setusercontext(struct passwd *pw) #endif } -#ifdef HAVE_CYGWIN - if (is_winnt) -#endif if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); -- cgit v1.2.3 From 440089afe071817443c15d8914097a43e0485a89 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 13 Jul 2009 11:38:23 +1000 Subject: - (dtucker) [openbsd-compat/getrrsetbyname.c] Reduce answer buffer size so it fits into 16 bits to work around a bug in glibc's resolver where it masks off the buffer size at 16 bits. Patch from Hauke Lampe, ok djm jakob. --- ChangeLog | 5 +++++ openbsd-compat/getrrsetbyname.c | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) (limited to 'openbsd-compat') diff --git a/ChangeLog b/ChangeLog index bf016dca3..f6067e8a0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20090713 + - (dtucker) [openbsd-compat/getrrsetbyname.c] Reduce answer buffer size so it + fits into 16 bits to work around a bug in glibc's resolver where it masks + off the buffer size at 16 bits. Patch from Hauke Lampe, ok djm jakob. + 20090712 - (dtucker) [configure.ac] Include sys/param.h for the sys/mount.h test, prevents configure complaining on older BSDs. diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c index 785b22569..98876673d 100644 --- a/openbsd-compat/getrrsetbyname.c +++ b/openbsd-compat/getrrsetbyname.c @@ -143,7 +143,7 @@ u_int32_t _getlong(register const u_char *); /* ************** */ -#define ANSWER_BUFFER_SIZE 1024*64 +#define ANSWER_BUFFER_SIZE 0xffff struct dns_query { char *name; -- cgit v1.2.3 From b5d5ee1ab0a2df1d5c6aea7ac8dadc4e8782bdd0 Mon Sep 17 00:00:00 2001 
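Review bot: The new `ANSWER_BUFFER_SIZE` value in getrrsetbyname.c carries no comment, so the reason it must stay below 64 KiB lives only in the commit message and a later cleanup could restore `1024*64`. Put the rationale on the define, e.g. `/* must fit in 16 bits: glibc's resolver masks the buffer size */`. How the constant is used to size the answer buffer lies outside the hunk.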
From: Darren Tucker Date: Mon, 17 Aug 2009 09:40:00 +1000 Subject: - (dtucker) [sshlogin.c openbsd-compat/port-aix.{c,h}] Bug #1595: make PrintLastLog work on AIX. Based in part on a patch from Miguel Sanders. --- ChangeLog | 2 ++ openbsd-compat/port-aix.c | 19 ++++++++++++++----- openbsd-compat/port-aix.h | 4 +++- sshlogin.c | 8 ++++++++ 4 files changed, 27 insertions(+), 6 deletions(-) (limited to 'openbsd-compat') diff --git a/ChangeLog b/ChangeLog index fc42b5785..61ba1ed7b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,8 @@ - (dtucker) [configure.ac] Check for headers before libraries for openssl an zlib, which should make the errors slightly more meaningful on platforms where there's separate "-devel" packages for those. + - (dtucker) [sshlogin.c openbsd-compat/port-aix.{c,h}] Bug #1595: make + PrintLastLog work on AIX. Based in part on a patch from Miguel Sanders. 20090729 - (tim) [contrib/cygwin/ssh-user-config] Change script to call correct error diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 5b1cb7387..d9c0876f3 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -57,6 +57,8 @@ #include "port-aix.h" +static char *lastlogin_msg = NULL; + # ifdef HAVE_SETAUTHDB static char old_registry[REGISTRY_SIZE] = ""; # endif 
@@ -276,23 +278,30 @@ sys_auth_record_login(const char *user, const char *host, const char *ttynm, Buffer *loginmsg) { char *msg = NULL; - static int msg_done = 0; int success = 0; aix_setauthdb(user); if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) { success = 1; - if (msg != NULL && loginmsg != NULL && !msg_done) { + if (msg != NULL) { debug("AIX/loginsuccess: msg %s", msg); - buffer_append(loginmsg, msg, strlen(msg)); - xfree(msg); - msg_done = 1; + if (lastlogin_msg == NULL) + lastlogin_msg = msg; } } aix_restoreauthdb(); return (success); } +char * +sys_auth_get_lastlogin_msg(const char *user, uid_t uid) +{ + char *msg = lastlogin_msg; + + lastlogin_msg = NULL; + return msg; +} + # ifdef CUSTOM_FAILED_LOGIN /* * record_failed_login: generic "login failed" interface function diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index ecb9feae8..967bc7235 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h @@ -1,4 +1,4 @@ -/* $Id: port-aix.h,v 1.29 2008/03/09 05:36:55 dtucker Exp $ */ +/* $Id: port-aix.h,v 1.30 2009/08/16 23:40:00 dtucker Exp $ */ /* * @@ -87,6 +87,8 @@ void aix_usrinfo(struct passwd *); int sys_auth_allowed_user(struct passwd *, Buffer *); # define CUSTOM_SYS_AUTH_RECORD_LOGIN 1 int sys_auth_record_login(const char *, const char *, const char *, Buffer *); +# define CUSTOM_SYS_AUTH_GET_LASTLOGIN_MSG +char *sys_auth_get_lastlogin_msg(const char *, uid_t); # define CUSTOM_FAILED_LOGIN 1 #endif diff --git a/sshlogin.c b/sshlogin.c index dff47b6f7..33bd652fb 100644 --- a/sshlogin.c +++ b/sshlogin.c 
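Review bot: In sys_auth_record_login(), the string returned by loginsuccess() is leaked whenever `lastlogin_msg` is already set, because the new code keeps `msg` only on the first call and never frees it otherwise; adding `else xfree(msg);` after the assignment closes that. sys_auth_get_lastlogin_msg() ignores both `user` and `uid`, so it hands back whatever message was cached last regardless of the account asked about. A comment stating that the caller owns and must free the result, and that the arguments are unused, would make the contract clear. The `loginmsg` parameter is no longer used in the visible body.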
@@ -93,6 +93,13 @@ store_lastlog_message(const char *user, uid_t uid) if (!options.print_lastlog) return; +# ifdef CUSTOM_SYS_AUTH_GET_LASTLOGIN_MSG + time_string = sys_auth_get_lastlogin_msg(user, uid); + if (time_string != NULL) { + buffer_append(&loginmsg, time_string, strlen(time_string)); + xfree(time_string); + } +# else last_login_time = get_last_login_time(uid, user, hostname, sizeof(hostname)); @@ -107,6 +114,7 @@ store_lastlog_message(const char *user, uid_t uid) time_string, hostname); buffer_append(&loginmsg, buf, strlen(buf)); } +# endif /* CUSTOM_SYS_AUTH_GET_LASTLOGIN_MSG */ #endif /* NO_SSH_LASTLOG */ } -- cgit v1.2.3 From 82edf23fffc4accf7686da08367e9fd5b5baa487 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 20 Aug 2009 16:20:50 +1000 Subject: - (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move the setpcred call on AIX to immediately before the permanently_set_uid(). Ensures that we still have privileges when we call chroot and pam_open_sesson. Based on a patch from David Leonard. --- ChangeLog | 4 ++++ openbsd-compat/port-aix.h | 7 ++++++- session.c | 9 ++++----- 3 files changed, 14 insertions(+), 6 deletions(-) (limited to 'openbsd-compat') diff --git a/ChangeLog b/ChangeLog index 056240f39..58cb16454 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,10 @@ - (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not using it since the type conflicts can cause problems on FreeBSD. Patch from Jonathan Chen. + - (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move + the setpcred call on AIX to immediately before the permanently_set_uid(). + Ensures that we still have privileges when we call chroot and + pam_open_sesson. Based on a patch from David Leonard. 20090817 - (dtucker) [configure.ac] Check for headers before libraries for openssl an diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index 967bc7235..3ac76ae15 100644 --- a/openbsd-compat/port-aix.h 
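Review bot: The AIX branch in store_lastlog_message() stores a complete message in `time_string`, a name that describes the formatted timestamp of the other branch; a dedicated local such as `char *lastlog_msg` declared inside the `#ifdef` would read better. With CUSTOM_SYS_AUTH_GET_LASTLOGIN_MSG defined, the locals used only by the `#else` branch (presumably `last_login_time`, `hostname` and `buf`, declared outside the hunk) become unused and may draw warnings. The function starts outside the hunk.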
+++ b/openbsd-compat/port-aix.h @@ -1,4 +1,4 @@ -/* $Id: port-aix.h,v 1.30 2009/08/16 23:40:00 dtucker Exp $ */ +/* $Id: port-aix.h,v 1.31 2009/08/20 06:20:50 dtucker Exp $ */ /* * @@ -71,6 +71,11 @@ int passwdexpired(char *, char **); # include #endif +/* for setpcred and friends */ +#ifdef HAVE_USERSEC_H +# include +#endif + /* * According to the setauthdb man page, AIX password registries must be 15 * chars or less plus terminating NUL. diff --git a/session.c b/session.c index cdbf88ab7..f4a363543 100644 --- a/session.c +++ b/session.c @@ -1466,11 +1466,6 @@ do_setusercontext(struct passwd *pw) if (getuid() == 0 || geteuid() == 0) #endif /* HAVE_CYGWIN */ { - -#ifdef HAVE_SETPCRED - if (setpcred(pw->pw_name, (char **)NULL) == -1) - fatal("Failed to set process credentials"); -#endif /* HAVE_SETPCRED */ #ifdef HAVE_LOGIN_CAP # ifdef __bsdi__ setpgid(0, 0); @@ -1538,6 +1533,10 @@ do_setusercontext(struct passwd *pw) free(chroot_path); } +#ifdef HAVE_SETPCRED + if (setpcred(pw->pw_name, (char **)NULL) == -1) + fatal("Failed to set process credentials"); +#endif /* HAVE_SETPCRED */ #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { perror("unable to set user context (setuser)"); -- cgit v1.2.3
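Review bot: setpcred() in session.c now runs after the chroot block that ends just above it, so on AIX any user or security database it consults is resolved inside the new root. Whether it still succeeds when a chroot directory is configured and that tree lacks those files cannot be told from this hunk and should be tested. The fatal() message also gives no user name or errno; `fatal("Failed to set process credentials for %s: %s", pw->pw_name, strerror(errno));` would make a failure there diagnosable. do_setusercontext() begins and ends outside the hunk.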