From 6572db28fdf60cf681ecc365358985ee6e8172d8 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 17 Sep 2007 11:52:59 +1000 Subject: - djm@cvs.openbsd.org 2007/08/23 02:49:43 [auth-passwd.c auth.c session.c] unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@ NB. RCS ID sync only for portable --- session.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'session.c') diff --git a/session.c b/session.c index 9a606ef8f..825bf3d0b 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.221 2007/01/21 01:41:54 stevesk Exp $ */ +/* $OpenBSD: session.c,v 1.222 2007/08/23 02:49:43 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved -- cgit v1.2.3 From 6ef50134c257b9e043e4a92821c5688263865d38 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 17 Sep 2007 11:54:24 +1000 Subject: - djm@cvs.openbsd.org 2007/08/23 02:55:51 [auth-passwd.c auth.c session.c] missed include bits from last commit NB. RCS ID sync only for portable --- ChangeLog | 6 +++++- auth-passwd.c | 2 +- auth.c | 2 +- session.c | 2 +- 4 files changed, 8 insertions(+), 4 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index 2f3dd8610..2a0cb8fa4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,10 @@ [auth-passwd.c auth.c session.c] unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@ NB. RCS ID sync only for portable + - djm@cvs.openbsd.org 2007/08/23 02:55:51 + [auth-passwd.c auth.c session.c] + missed include bits from last commit + NB. RCS ID sync only for portable 20070914 - (dtucker) [openbsd-compat/bsd-asprintf.c] Plug mem leak in error path. @@ -3201,4 +3205,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4743 2007/09/17 01:52:59 djm Exp $ +$Id: ChangeLog,v 1.4744 2007/09/17 01:54:24 djm Exp $ diff --git a/auth-passwd.c b/auth-passwd.c index 33364363a..6b67a131b 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-passwd.c,v 1.41 2007/08/23 02:49:43 djm Exp $ */ +/* $OpenBSD: auth-passwd.c,v 1.42 2007/08/23 02:55:51 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland diff --git a/auth.c b/auth.c index e4e145c8f..6823330a3 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.76 2007/08/23 02:49:43 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.77 2007/08/23 02:55:51 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * diff --git a/session.c b/session.c index 825bf3d0b..c19c2ac5a 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.222 2007/08/23 02:49:43 djm Exp $ */ +/* $OpenBSD: session.c,v 1.223 2007/08/23 02:55:51 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved -- cgit v1.2.3 From 14b017d6f2277c83856489054e9c6c1428095bbb Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 17 Sep 2007 16:09:15 +1000 Subject: - gilles@cvs.openbsd.org 2007/09/11 15:47:17 [session.c ssh-keygen.c sshlogin.c] use strcspn to properly overwrite '\n' in fgets returned buffer ok pyr@, ray@, millert@, moritz@, chl@ --- ChangeLog | 6 +++++- session.c | 7 ++++--- ssh-keygen.c | 8 +++----- sshlogin.c | 5 ++--- 4 files changed, 14 insertions(+), 12 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index 6a200586a..b9a85da00 100644 --- a/ChangeLog +++ b/ChangeLog @@ -41,6 +41,10 @@ [sshpty.c] sort #include NB. RCS ID sync only + - gilles@cvs.openbsd.org 2007/09/11 15:47:17 + [session.c ssh-keygen.c sshlogin.c] + use strcspn to properly overwrite '\n' in fgets returned buffer + ok pyr@, ray@, millert@, moritz@, chl@ 20070914 - (dtucker) [openbsd-compat/bsd-asprintf.c] Plug mem leak in error path. @@ -3238,4 +3242,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4751 2007/09/17 06:07:32 djm Exp $ +$Id: ChangeLog,v 1.4752 2007/09/17 06:09:15 djm Exp $ diff --git a/session.c b/session.c index c19c2ac5a..2b0580b45 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.223 2007/08/23 02:55:51 djm Exp $ */ +/* $OpenBSD: session.c,v 1.224 2007/09/11 15:47:17 gilles Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -897,8 +897,9 @@ read_environment_file(char ***env, u_int *envsize, ; if (!*cp || *cp == '#' || *cp == '\n') continue; - if (strchr(cp, '\n')) - *strchr(cp, '\n') = '\0'; + + cp[strcspn(cp, "\n")] = '\0'; + value = strchr(cp, '='); if (value == NULL) { fprintf(stderr, "Bad line %u in %.100s\n", lineno, diff --git a/ssh-keygen.c b/ssh-keygen.c index 95b0ac850..2b2399c50 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.161 2007/09/09 11:38:01 sobrado Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.162 2007/09/11 15:47:17 gilles Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -141,8 +141,7 @@ ask_filename(struct passwd *pw, const char *prompt) fprintf(stderr, "%s (%s): ", prompt, identity_file); if (fgets(buf, sizeof(buf), stdin) == NULL) exit(1); - if (strchr(buf, '\n')) - *strchr(buf, '\n') = 0; + buf[strcspn(buf, "\n")] = '\0'; if (strcmp(buf, "") != 0) strlcpy(identity_file, buf, sizeof(identity_file)); have_identity = 1; @@ -962,8 +961,7 @@ do_change_comment(struct passwd *pw) key_free(private); exit(1); } - if (strchr(new_comment, '\n')) - *strchr(new_comment, '\n') = 0; + new_comment[strcspn(new_comment, "\n")] = '\0'; } /* Save the file using the new passphrase. */ diff --git a/sshlogin.c b/sshlogin.c index 0059ff8d0..cc35d6024 100644 --- a/sshlogin.c +++ b/sshlogin.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshlogin.c,v 1.25 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: sshlogin.c,v 1.26 2007/09/11 15:47:17 gilles Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -98,8 +98,7 @@ store_lastlog_message(const char *user, uid_t uid) if (last_login_time != 0) { time_string = ctime(&last_login_time); - if (strchr(time_string, '\n')) - *strchr(time_string, '\n') = '\0'; + time_string[strcspn(time_string, "\n")] = '\0'; if (strcmp(hostname, "") == 0) snprintf(buf, sizeof(buf), "Last login: %s\r\n", time_string); -- cgit v1.2.3 From dfc24258a75a06ea8a3f56d99d3669e1a012a1dc Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 10 Feb 2008 22:29:40 +1100 Subject: - markus@cvs.openbsd.org 2008/02/04 21:53:00 [session.c sftp-server.c sftp.h] link sftp-server into sshd; feedback and ok djm@ --- ChangeLog | 5 ++++- session.c | 37 +++++++++++++++++++++++++++++++++---- sftp-server.c | 44 ++++++++++++++++++++++++++------------------ sftp.h | 5 ++++- 4 files changed, 67 insertions(+), 24 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index 81ebc742b..0324cbbbd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -68,6 +68,9 @@ explain how to handle local file names containing colons; requested by Tamas TEVESZ ok dtucker + - markus@cvs.openbsd.org 2008/02/04 21:53:00 + [session.c sftp-server.c sftp.h] + link sftp-server into sshd; feedback and ok djm@ 20080119 - (djm) Silence noice from expr in ssh-copy-id; patch from @@ -3596,4 +3599,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4833 2008/02/10 11:28:45 djm Exp $ +$Id: ChangeLog,v 1.4834 2008/02/10 11:29:40 djm Exp $ diff --git a/session.c b/session.c index 2b0580b45..a1319b384 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.224 2007/09/11 15:47:17 gilles Exp $ */ +/* $OpenBSD: session.c,v 1.225 2008/02/04 21:53:00 markus Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -87,6 +87,7 @@ #include "session.h" #include "kex.h" #include "monitor_wrap.h" +#include "sftp.h" #if defined(KRB5) && defined(USE_AFS) #include @@ -132,6 +133,10 @@ const char *original_command = NULL; #define MAX_SESSIONS 10 Session sessions[MAX_SESSIONS]; +#define SUBSYSTEM_NONE 0 +#define SUBSYSTEM_EXT 1 +#define SUBSYSTEM_INT_SFTP 2 + #ifdef HAVE_LOGIN_CAP login_cap_t *lc; #endif @@ -683,10 +688,14 @@ do_exec(Session *s, const char *command) if (options.adm_forced_command) { original_command = command; command = options.adm_forced_command; + if (s->is_subsystem) + s->is_subsystem = SUBSYSTEM_EXT; debug("Forced command (config) '%.900s'", command); } else if (forced_command) { original_command = command; command = forced_command; + if (s->is_subsystem) + s->is_subsystem = SUBSYSTEM_EXT; debug("Forced command (key option) '%.900s'", command); } @@ -1465,12 +1474,13 @@ child_close_fds(void) * environment, closing extra file descriptors, setting the user and group * ids, and executing the command or shell. */ +#define ARGV_MAX 10 void do_child(Session *s, const char *command) { extern char **environ; char **env; - char *argv[10]; + char *argv[ARGV_MAX]; const char *shell, *shell0, *hostname = NULL; struct passwd *pw = s->pw; @@ -1602,6 +1612,22 @@ do_child(Session *s, const char *command) /* restore SIGPIPE for child */ signal(SIGPIPE, SIG_DFL); + if (s->is_subsystem == SUBSYSTEM_INT_SFTP) { + extern int optind, optreset; + int i; + char *p, *args; + + setproctitle("%s@internal-sftp-server", s->pw->pw_name); + args = strdup(command ? command : "sftp-server"); + for (i = 0, (p = strtok(args, " ")); p; (p = strtok(NULL, " "))) + if (i < ARGV_MAX - 1) + argv[i++] = p; + argv[i] = NULL; + optind = optreset = 1; + __progname = argv[0]; + exit(sftp_server_main(i, argv)); + } + if (options.use_login) { launch_login(pw, hostname); /* NEVERREACHED */ @@ -1874,13 +1900,16 @@ session_subsystem_req(Session *s) if (strcmp(subsys, options.subsystem_name[i]) == 0) { prog = options.subsystem_command[i]; cmd = options.subsystem_args[i]; - if (stat(prog, &st) < 0) { + if (!strcmp("internal-sftp", prog)) { + s->is_subsystem = SUBSYSTEM_INT_SFTP; + } else if (stat(prog, &st) < 0) { error("subsystem: cannot stat %s: %s", prog, strerror(errno)); break; + } else { + s->is_subsystem = SUBSYSTEM_EXT; } debug("subsystem: exec() %s", cmd); - s->is_subsystem = 1; do_exec(s, cmd); success = 1; break; diff --git a/sftp-server.c b/sftp-server.c index 5c84c728c..373bd5eda 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.75 2008/01/21 17:24:30 djm Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.76 2008/02/04 21:53:00 markus Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * @@ -1110,7 +1110,7 @@ process(void) if (msg_len > SFTP_MAX_MSG_LENGTH) { error("bad message from %s local user %s", client_addr, pw->pw_name); - cleanup_exit(11); + sftp_server_cleanup_exit(11); } if (buf_len < msg_len + 4) return; @@ -1183,18 +1183,22 @@ process(void) break; } /* discard the remaining bytes from the current packet */ - if (buf_len < buffer_len(&iqueue)) - fatal("iqueue grew unexpectedly"); + if (buf_len < buffer_len(&iqueue)) { + error("iqueue grew unexpectedly"); + sftp_server_cleanup_exit(255); + } consumed = buf_len - buffer_len(&iqueue); - if (msg_len < consumed) - fatal("msg_len %d < consumed %d", msg_len, consumed); + if (msg_len < consumed) { + error("msg_len %d < consumed %d", msg_len, consumed); + sftp_server_cleanup_exit(255); + } if (msg_len > consumed) buffer_consume(&iqueue, msg_len - consumed); } /* Cleanup handler that logs active handles upon normal exit */ void -cleanup_exit(int i) +sftp_server_cleanup_exit(int i) { if (pw != NULL && client_addr != NULL) { handle_log_exit(); @@ -1205,7 +1209,7 @@ cleanup_exit(int i) } static void -usage(void) +sftp_server_usage(void) { extern char *__progname; @@ -1215,7 +1219,7 @@ usage(void) } int -main(int argc, char **argv) +sftp_server_main(int argc, char **argv) { fd_set *rset, *wset; int in, out, max, ch, skipargs = 0, log_stderr = 0; @@ -1256,7 +1260,7 @@ main(int argc, char **argv) break; case 'h': default: - usage(); + sftp_server_usage(); } } @@ -1264,15 +1268,19 @@ main(int argc, char **argv) if ((cp = getenv("SSH_CONNECTION")) != NULL) { client_addr = xstrdup(cp); - if ((cp = strchr(client_addr, ' ')) == NULL) - fatal("Malformed SSH_CONNECTION variable: \"%s\"", + if ((cp = strchr(client_addr, ' ')) == NULL) { + error("Malformed SSH_CONNECTION variable: \"%s\"", getenv("SSH_CONNECTION")); + sftp_server_cleanup_exit(255); + } *cp = '\0'; } else client_addr = xstrdup("UNKNOWN"); - if ((pw = getpwuid(getuid())) == NULL) - fatal("No user found for uid %lu", (u_long)getuid()); + if ((pw = getpwuid(getuid())) == NULL) { + error("No user found for uid %lu", (u_long)getuid()); + sftp_server_cleanup_exit(255); + } pw = pwcopy(pw); logit("session opened for local user %s from [%s]", @@ -1320,7 +1328,7 @@ main(int argc, char **argv) if (errno == EINTR) continue; error("select: %s", strerror(errno)); - cleanup_exit(2); + sftp_server_cleanup_exit(2); } /* copy stdin to iqueue */ @@ -1328,10 +1336,10 @@ main(int argc, char **argv) len = read(in, buf, sizeof buf); if (len == 0) { debug("read eof"); - cleanup_exit(0); + sftp_server_cleanup_exit(0); } else if (len < 0) { error("read: %s", strerror(errno)); - cleanup_exit(1); + sftp_server_cleanup_exit(1); } else { buffer_append(&iqueue, buf, len); } @@ -1341,7 +1349,7 @@ main(int argc, char **argv) len = write(out, buffer_ptr(&oqueue), olen); if (len < 0) { error("write: %s", strerror(errno)); - cleanup_exit(1); + sftp_server_cleanup_exit(1); } else { buffer_consume(&oqueue, len); } diff --git a/sftp.h b/sftp.h index 610c0b758..12b9cc056 100644 --- a/sftp.h +++ b/sftp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.h,v 1.5 2006/03/25 22:22:43 djm Exp $ */ +/* $OpenBSD: sftp.h,v 1.6 2008/02/04 21:53:00 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -90,3 +90,6 @@ #define SSH2_FX_CONNECTION_LOST 7 #define SSH2_FX_OP_UNSUPPORTED 8 #define SSH2_FX_MAX 8 + +int sftp_server_main(int, char **); +void sftp_server_cleanup_exit(int) __dead; -- cgit v1.2.3 From d8cb1f184f9acaae02bb4d15ce1e00ffbeeeac88 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 10 Feb 2008 22:40:12 +1100 Subject: - djm@cvs.openbsd.org 2008/02/08 23:24:07 [servconf.c servconf.h session.c sftp-server.c sftp.h sshd_config] [sshd_config.5] add sshd_config ChrootDirectory option to chroot(2) users to a directory and tweak internal sftp server to work with it (no special files in chroot required). ok markus@ --- Makefile.in | 6 +-- servconf.c | 12 +++++- servconf.h | 4 +- session.c | 106 ++++++++++++++++++++++++++++++++++++++++++++++------- sftp-server-main.c | 50 +++++++++++++++++++++++++ sftp-server.c | 10 ++--- sftp.h | 6 ++- sshd_config | 3 +- sshd_config.5 | 54 ++++++++++++++++++++++++++- 9 files changed, 220 insertions(+), 31 deletions(-) create mode 100644 sftp-server-main.c (limited to 'session.c') diff --git a/Makefile.in b/Makefile.in index 2486edc95..1f78ea9cc 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.285 2007/06/11 04:01:42 djm Exp $ +# $Id: Makefile.in,v 1.286 2008/02/10 11:40:12 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -156,8 +156,8 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o - $(LD) -o $@ sftp-server.o sftp-common.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o + $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) diff --git a/servconf.c b/servconf.c index 19c286c18..d38d0bfb1 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.175 2008/01/01 09:27:33 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.176 2008/02/08 23:24:08 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -122,6 +122,7 @@ initialize_server_options(ServerOptions *options) options->permit_tun = -1; options->num_permitted_opens = -1; options->adm_forced_command = NULL; + options->chroot_directory = NULL; } void @@ -291,7 +292,7 @@ typedef enum { sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, - sMatch, sPermitOpen, sForceCommand, + sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sDeprecated, sUnsupported } ServerOpCodes; @@ -403,6 +404,7 @@ static struct { { "match", sMatch, SSHCFG_ALL }, { "permitopen", sPermitOpen, SSHCFG_ALL }, { "forcecommand", sForceCommand, SSHCFG_ALL }, + { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, { NULL, sBadOption, 0 } }; @@ -1147,6 +1149,7 @@ parse_flag: case sBanner: charptr = &options->banner; goto parse_filename; + /* * These options can contain %X options expanded at * connect time, so that you can specify paths like: @@ -1255,6 +1258,10 @@ parse_flag: options->adm_forced_command = xstrdup(cp + len); return 0; + case sChrootDirectory: + charptr = &options->chroot_directory; + goto parse_filename; + case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); @@ -1363,6 +1370,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) if (preauth) return; M_CP_STROPT(adm_forced_command); + M_CP_STROPT(chroot_directory); } #undef M_CP_INTOPT diff --git a/servconf.h b/servconf.h index 8a5b950ea..81a68be89 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.80 2007/02/19 10:45:58 dtucker Exp $ */ +/* $OpenBSD: servconf.h,v 1.81 2008/02/08 23:24:08 djm Exp $ */ /* * Author: Tatu Ylonen @@ -141,6 +141,8 @@ typedef struct { int permit_tun; int num_permitted_opens; + + char *chroot_directory; } ServerOptions; void initialize_server_options(ServerOptions *); diff --git a/session.c b/session.c index a1319b384..1768c8c2f 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.225 2008/02/04 21:53:00 markus Exp $ */ +/* $OpenBSD: session.c,v 1.226 2008/02/08 23:24:07 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -84,6 +84,7 @@ #include "sshlogin.h" #include "serverloop.h" #include "canohost.h" +#include "misc.h" #include "session.h" #include "kex.h" #include "monitor_wrap.h" @@ -93,6 +94,9 @@ #include #endif +/* Magic name for internal sftp-server */ +#define INTERNAL_SFTP_NAME "internal-sftp" + /* func */ Session *session_new(void); @@ -130,7 +134,7 @@ extern Buffer loginmsg; const char *original_command = NULL; /* data */ -#define MAX_SESSIONS 10 +#define MAX_SESSIONS 20 Session sessions[MAX_SESSIONS]; #define SUBSYSTEM_NONE 0 @@ -688,13 +692,17 @@ do_exec(Session *s, const char *command) if (options.adm_forced_command) { original_command = command; command = options.adm_forced_command; - if (s->is_subsystem) + if (strcmp(INTERNAL_SFTP_NAME, command) == 0) + s->is_subsystem = SUBSYSTEM_INT_SFTP; + else if (s->is_subsystem) s->is_subsystem = SUBSYSTEM_EXT; debug("Forced command (config) '%.900s'", command); } else if (forced_command) { original_command = command; command = forced_command; - if (s->is_subsystem) + if (strcmp(INTERNAL_SFTP_NAME, command) == 0) + s->is_subsystem = SUBSYSTEM_INT_SFTP; + else if (s->is_subsystem) s->is_subsystem = SUBSYSTEM_EXT; debug("Forced command (key option) '%.900s'", command); } @@ -710,7 +718,6 @@ do_exec(Session *s, const char *command) PRIVSEP(audit_run_command(shell)); } #endif - if (s->ttyfd != -1) do_exec_pty(s, command); else @@ -1293,6 +1300,61 @@ do_nologin(struct passwd *pw) } } +/* + * Chroot into a directory after checking it for safety: all path components + * must be root-owned directories with strict permissions. + */ +static void +safely_chroot(const char *path, uid_t uid) +{ + const char *cp; + char component[MAXPATHLEN]; + struct stat st; + + if (*path != '/') + fatal("chroot path does not begin at root"); + if (strlen(path) >= sizeof(component)) + fatal("chroot path too long"); + + /* + * Descend the path, checking that each component is a + * root-owned directory with strict permissions. + */ + for (cp = path; cp != NULL;) { + if ((cp = strchr(cp, '/')) == NULL) + strlcpy(component, path, sizeof(component)); + else { + cp++; + memcpy(component, path, cp - path); + component[cp - path] = '\0'; + } + + debug3("%s: checking '%s'", __func__, component); + + if (stat(component, &st) != 0) + fatal("%s: stat(\"%s\"): %s", __func__, + component, strerror(errno)); + if (st.st_uid != 0 || (st.st_mode & 022) != 0) + fatal("bad ownership or modes for chroot " + "directory %s\"%s\"", + cp == NULL ? "" : "component ", component); + if (!S_ISDIR(st.st_mode)) + fatal("chroot path %s\"%s\" is not a directory", + cp == NULL ? "" : "component ", component); + + } + + if (chdir(path) == -1) + fatal("Unable to chdir to chroot path \"%s\": " + "%s", path, strerror(errno)); + if (chroot(path) == -1) + fatal("chroot(\"%s\"): %s", path, strerror(errno)); + if (chdir("/") == -1) + fatal("%s: chdir(/) after chroot: %s", + __func__, strerror(errno)); + verbose("Changed root directory to \"%s\"", path); +} + /* Set login name, uid, gid, and groups. */ void do_setusercontext(struct passwd *pw) @@ -1324,7 +1386,7 @@ do_setusercontext(struct passwd *pw) } # endif /* USE_PAM */ if (setusercontext(lc, pw, pw->pw_uid, - (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { + (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { perror("unable to set user context"); exit(1); } @@ -1347,13 +1409,13 @@ do_setusercontext(struct passwd *pw) exit(1); } endgrent(); -#ifdef GSSAPI +# ifdef GSSAPI if (options.gss_authentication) { temporarily_use_uid(pw); ssh_gssapi_storecreds(); restore_uid(); } -#endif +# endif # ifdef USE_PAM /* * PAM credentials may take the form of supplementary groups. @@ -1367,15 +1429,33 @@ do_setusercontext(struct passwd *pw) # endif /* USE_PAM */ # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) irix_setusercontext(pw); -# endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ +# endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ # ifdef _AIX aix_usrinfo(pw); # endif /* _AIX */ -#ifdef USE_LIBIAF +# ifdef USE_LIBIAF if (set_id(pw->pw_name) != 0) { exit(1); } -#endif /* USE_LIBIAF */ +# endif /* USE_LIBIAF */ +#endif + + if (options.chroot_directory != NULL && + strcasecmp(options.chroot_directory, "none") != 0) { + char *chroot_path; + + chroot_path = percent_expand(options.chroot_directory, + "h", pw->pw_dir, "u", pw->pw_name, (char *)NULL); + safely_chroot(chroot_path, pw->pw_uid); + free(chroot_path); + } + +#ifdef HAVE_LOGIN_CAP + if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { + perror("unable to set user context (setuser)"); + exit(1); + } +#else /* Permanently switch to the desired uid. */ permanently_set_uid(pw); #endif @@ -1625,7 +1705,7 @@ do_child(Session *s, const char *command) argv[i] = NULL; optind = optreset = 1; __progname = argv[0]; - exit(sftp_server_main(i, argv)); + exit(sftp_server_main(i, argv, s->pw)); } if (options.use_login) { @@ -1900,7 +1980,7 @@ session_subsystem_req(Session *s) if (strcmp(subsys, options.subsystem_name[i]) == 0) { prog = options.subsystem_command[i]; cmd = options.subsystem_args[i]; - if (!strcmp("internal-sftp", prog)) { + if (!strcmp(INTERNAL_SFTP_NAME, prog)) { s->is_subsystem = SUBSYSTEM_INT_SFTP; } else if (stat(prog, &st) < 0) { error("subsystem: cannot stat %s: %s", prog, diff --git a/sftp-server-main.c b/sftp-server-main.c new file mode 100644 index 000000000..1d2ea6220 --- /dev/null +++ b/sftp-server-main.c @@ -0,0 +1,50 @@ +/* $OpenBSD: */ +/* + * Copyright (c) 2008 Markus Friedl. All rights reserved. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#include +#include +#include +#include +#include + +#include "log.h" +#include "sftp.h" +#include "misc.h" + +void +cleanup_exit(int i) +{ + sftp_server_cleanup_exit(i); +} + +int +main(int argc, char **argv) +{ + struct passwd *user_pw; + + /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ + sanitise_stdfd(); + + if ((user_pw = getpwuid(getuid())) == NULL) { + fprintf(stderr, "No user found for uid %lu", (u_long)getuid()); + return 1; + } + + return (sftp_server_main(argc, argv, user_pw)); +} diff --git a/sftp-server.c b/sftp-server.c index 373bd5eda..44ccefff8 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.76 2008/02/04 21:53:00 markus Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.77 2008/02/08 23:24:07 djm Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * @@ -1219,7 +1219,7 @@ sftp_server_usage(void) } int -sftp_server_main(int argc, char **argv) +sftp_server_main(int argc, char **argv, struct passwd *user_pw) { fd_set *rset, *wset; int in, out, max, ch, skipargs = 0, log_stderr = 0; @@ -1277,11 +1277,7 @@ sftp_server_main(int argc, char **argv) } else client_addr = xstrdup("UNKNOWN"); - if ((pw = getpwuid(getuid())) == NULL) { - error("No user found for uid %lu", (u_long)getuid()); - sftp_server_cleanup_exit(255); - } - pw = pwcopy(pw); + pw = pwcopy(user_pw); logit("session opened for local user %s from [%s]", pw->pw_name, client_addr); diff --git a/sftp.h b/sftp.h index 12b9cc056..0835da6ed 100644 --- a/sftp.h +++ b/sftp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.h,v 1.6 2008/02/04 21:53:00 markus Exp $ */ +/* $OpenBSD: sftp.h,v 1.7 2008/02/08 23:24:07 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -91,5 +91,7 @@ #define SSH2_FX_OP_UNSUPPORTED 8 #define SSH2_FX_MAX 8 -int sftp_server_main(int, char **); +struct passwd; + +int sftp_server_main(int, char **, struct passwd *); void sftp_server_cleanup_exit(int) __dead; diff --git a/sshd_config b/sshd_config index c7094e775..ddfbbe91e 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.76 2007/08/23 03:22:16 djm Exp $ +# $OpenBSD: sshd_config,v 1.77 2008/02/08 23:24:07 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -102,6 +102,7 @@ Protocol 2 #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no +#ChrootDirectory none # no default banner path #Banner none diff --git a/sshd_config.5 b/sshd_config.5 index aa6720dc3..2f83bf2e1 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.79 2008/01/01 09:27:33 dtucker Exp $ -.Dd $Mdocdate: January 1 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.80 2008/02/08 23:24:07 djm Exp $ +.Dd $Mdocdate: February 8 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -173,6 +173,45 @@ All authentication styles from are supported. The default is .Dq yes . +.It Cm ChrootDirectory +Specifies a path to +.Xr chroot 2 +to after authentication. +This path, and all its components, must be root-owned directories that are +not writable by any other user or group. +.Pp +The path may contain the following tokens that are expanded at runtime once +the connecting user has been authenticated: %% is replaced by a literal '%', +%h is replaced by the home directory of the user being authenticated, and +%u is replaced by the username of that user. +.Pp +The +.Cm ChrootDirectory +must contain the necessary files and directories to support the +users' session. +For an interactive session this requires at least a shell, typically +.Xr sh 1 , +and basic +.Pa /dev +nodes such as +.Xr null 4 , +.Xr zero 4 , +.Xr stdin 4 , +.Xr stdout 4 , +.Xr stderr 4 , +.Xr arandom 4 +and +.Xr tty 4 +devices. +For file transfer sessions using +.Dq sftp , +no additional configuration of the environment is necessary if the +in-process sftp server is used (see +.Cm Subsystem +for details. +.Pp +The default is not to +.Xr chroot 2 . .It Cm Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. @@ -740,11 +779,22 @@ The default is Configures an external subsystem (e.g. file transfer daemon). Arguments should be a subsystem name and a command (with optional arguments) to execute upon subsystem request. +.Pp The command .Xr sftp-server 8 implements the .Dq sftp file transfer subsystem. +.Pp +Alternately the name +.Dq internal-sftp +implements an in-process +.Dq sftp +server. +This may simplify configurations using +.Cm ChrootDirectory +to force a different filesystem root on clients. +.Pp By default no subsystems are defined. Note that this option applies to protocol version 2 only. .It Cm SyslogFacility -- cgit v1.2.3 From 54e3773ccb55500087fc722c79869679700dc318 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 10 Feb 2008 22:48:55 +1100 Subject: - djm@cvs.openbsd.org 2008/02/10 10:54:29 [servconf.c session.c] delay ~ expansion for ChrootDirectory so it expands to the logged-in user's home, rather than the user who starts sshd (probably root) --- ChangeLog | 6 +++++- servconf.c | 11 +++++++++-- session.c | 13 ++++++++----- 3 files changed, 22 insertions(+), 8 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index eb10e1059..e7e1486cd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -78,6 +78,10 @@ - djm@cvs.openbsd.org 2008/02/10 09:55:37 [sshd_config.5] mantion that "internal-sftp" is useful with ForceCommand too + - djm@cvs.openbsd.org 2008/02/10 10:54:29 + [servconf.c session.c] + delay ~ expansion for ChrootDirectory so it expands to the logged-in user's + home, rather than the user who starts sshd (probably root) 20080119 - (djm) Silence noice from expr in ssh-copy-id; patch from @@ -3606,4 +3610,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4836 2008/02/10 11:47:24 djm Exp $ +$Id: ChangeLog,v 1.4837 2008/02/10 11:48:55 djm Exp $ diff --git a/servconf.c b/servconf.c index d38d0bfb1..9add96ca1 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.176 2008/02/08 23:24:08 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.177 2008/02/10 10:54:28 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1260,7 +1260,14 @@ parse_flag: case sChrootDirectory: charptr = &options->chroot_directory; - goto parse_filename; + + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: missing file name.", + filename, linenum); + if (*activep && *charptr == NULL) + *charptr = xstrdup(arg); + break; case sDeprecated: logit("%s line %d: Deprecated option %s", diff --git a/session.c b/session.c index 1768c8c2f..545e27fb7 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.226 2008/02/08 23:24:07 djm Exp $ */ +/* $OpenBSD: session.c,v 1.227 2008/02/10 10:54:29 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1359,6 +1359,8 @@ safely_chroot(const char *path, uid_t uid) void do_setusercontext(struct passwd *pw) { + char *chroot_path, *tmp; + #ifndef HAVE_CYGWIN if (getuid() == 0 || geteuid() == 0) #endif /* HAVE_CYGWIN */ @@ -1442,11 +1444,12 @@ do_setusercontext(struct passwd *pw) if (options.chroot_directory != NULL && strcasecmp(options.chroot_directory, "none") != 0) { - char *chroot_path; - - chroot_path = percent_expand(options.chroot_directory, - "h", pw->pw_dir, "u", pw->pw_name, (char *)NULL); + tmp = tilde_expand_filename(options.chroot_directory, + pw->pw_uid); + chroot_path = percent_expand(tmp, "h", pw->pw_dir, + "u", pw->pw_name, (char *)NULL); safely_chroot(chroot_path, pw->pw_uid); + free(tmp); free(chroot_path); } -- cgit v1.2.3 From 76e95daad1f38e0ba8e7bf0554cadd6e3aaf5235 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 7 Mar 2008 18:31:24 +1100 Subject: - djm@cvs.openbsd.org 2008/02/13 22:38:17 [servconf.h session.c sshd.c] rekey arc4random and OpenSSL RNG in postauth child closefrom fds > 2 before shell/command execution ok markus@ --- ChangeLog | 7 ++++++- servconf.h | 5 ++++- session.c | 9 +++++---- sshd.c | 13 +++++++++++-- 4 files changed, 26 insertions(+), 8 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index 2c53b309f..341360d2b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,11 @@ [ssh.1 sshd.8 sshd_config.5] bump Mdocdate for pages committed in "febuary", necessary because of a typo in rcs.c; + - djm@cvs.openbsd.org 2008/02/13 22:38:17 + [servconf.h session.c sshd.c] + rekey arc4random and OpenSSL RNG in postauth child + closefrom fds > 2 before shell/command execution + ok markus@ 20080302 - (dtucker) [configure.ac] FreeBSD's glob() doesn't behave the way we expect @@ -3664,4 +3669,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4851 2008/03/07 07:27:58 djm Exp $ +$Id: ChangeLog,v 1.4852 2008/03/07 07:31:24 djm Exp $ diff --git a/servconf.h b/servconf.h index 81a68be89..5b88067db 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.81 2008/02/08 23:24:08 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.82 2008/02/13 22:38:17 djm Exp $ */ /* * Author: Tatu Ylonen @@ -36,6 +36,9 @@ #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ +/* Magic name for internal sftp-server */ +#define INTERNAL_SFTP_NAME "internal-sftp" + typedef struct { u_int num_ports; u_int ports_from_cmdline; diff --git a/session.c b/session.c index 545e27fb7..589a15a6d 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.227 2008/02/10 10:54:29 djm Exp $ */ +/* $OpenBSD: session.c,v 1.228 2008/02/13 22:38:17 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -94,9 +94,6 @@ #include #endif -/* Magic name for internal sftp-server */ -#define INTERNAL_SFTP_NAME "internal-sftp" - /* func */ Session *session_new(void); @@ -491,6 +488,8 @@ do_exec_no_pty(Session *s, const char *command) cray_init_job(s->pw); /* set up cray jid and tmpdir */ #endif + closefrom(STDERR_FILENO + 1); + /* Do processing for the child (exec command etc). */ do_child(s, command); /* NOTREACHED */ @@ -611,6 +610,8 @@ do_exec_pty(Session *s, const char *command) # endif #endif + closefrom(STDERR_FILENO + 1); + /* Do common processing for the child, such as execing the command. */ do_child(s, command); /* NOTREACHED */ diff --git a/sshd.c b/sshd.c index 345ee4315..2920b26cf 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.353 2007/12/31 15:27:04 dtucker Exp $ */ +/* $OpenBSD: sshd.c,v 1.354 2008/02/13 22:38:17 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -585,11 +585,12 @@ privsep_preauth_child(void) { u_int32_t rnd[256]; gid_t gidset[1]; - int i; + u_int i; /* Enable challenge-response authentication for privilege separation */ privsep_challenge_enable(); + arc4random_stir(); for (i = 0; i < 256; i++) rnd[i] = arc4random(); RAND_seed(rnd, sizeof(rnd)); @@ -664,6 +665,9 @@ privsep_preauth(Authctxt *authctxt) static void privsep_postauth(Authctxt *authctxt) { + u_int32_t rnd[256]; + u_int i; + #ifdef DISABLE_FD_PASSING if (1) { #else @@ -695,6 +699,11 @@ privsep_postauth(Authctxt *authctxt) /* Demote the private keys to public keys. */ demote_sensitive_data(); + arc4random_stir(); + for (i = 0; i < 256; i++) + rnd[i] = arc4random(); + RAND_seed(rnd, sizeof(rnd)); + /* Drop privileges */ do_setusercontext(authctxt->pw); -- cgit v1.2.3 From 767087b8ec996d690bbbed19279454e017418643 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 7 Mar 2008 18:32:42 +1100 Subject: - markus@cvs.openbsd.org 2008/02/20 15:25:26 [session.c] correct boolean encoding for coredump; der Mouse via dugsong --- ChangeLog | 5 ++++- session.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index 831fd37d7..40672c463 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,9 @@ When started in configuration test mode (-t) do not check that sshd is being started with an absolute path. ok djm + - markus@cvs.openbsd.org 2008/02/20 15:25:26 + [session.c] + correct boolean encoding for coredump; der Mouse via dugsong 20080302 - (dtucker) [configure.ac] FreeBSD's glob() doesn't behave the way we expect @@ -3674,4 +3677,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4853 2008/03/07 07:31:47 djm Exp $ +$Id: ChangeLog,v 1.4854 2008/03/07 07:32:42 djm Exp $ diff --git a/session.c b/session.c index 589a15a6d..7a97ae8d6 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.228 2008/02/13 22:38:17 djm Exp $ */ +/* $OpenBSD: session.c,v 1.229 2008/02/20 15:25:26 markus Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -2317,7 +2317,7 @@ session_exit_message(Session *s, int status) channel_request_start(s->chanid, "exit-signal", 0); packet_put_cstring(sig2name(WTERMSIG(status))); #ifdef WCOREDUMP - packet_put_char(WCOREDUMP(status)); + packet_put_char(WCOREDUMP(status)? 1 : 0); #else /* WCOREDUMP */ packet_put_char(0); #endif /* WCOREDUMP */ -- cgit v1.2.3 From 7cb2b56b1c7e5d0824edc507b01cd78a01019590 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 7 Mar 2008 18:33:12 +1100 Subject: - djm@cvs.openbsd.org 2008/02/22 05:58:56 [session.c] closefrom() call was too early, delay it until just before we execute the user's rc files (if any). --- ChangeLog | 6 +++++- session.c | 8 +++----- 2 files changed, 8 insertions(+), 6 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index 40672c463..5a8d92bb4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,10 @@ - markus@cvs.openbsd.org 2008/02/20 15:25:26 [session.c] correct boolean encoding for coredump; der Mouse via dugsong + - djm@cvs.openbsd.org 2008/02/22 05:58:56 + [session.c] + closefrom() call was too early, delay it until just before we execute + the user's rc files (if any). 20080302 - (dtucker) [configure.ac] FreeBSD's glob() doesn't behave the way we expect @@ -3677,4 +3681,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4854 2008/03/07 07:32:42 djm Exp $ +$Id: ChangeLog,v 1.4855 2008/03/07 07:33:12 djm Exp $ diff --git a/session.c b/session.c index 7a97ae8d6..3eba513de 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.229 2008/02/20 15:25:26 markus Exp $ */ +/* $OpenBSD: session.c,v 1.230 2008/02/22 05:58:56 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -488,8 +488,6 @@ do_exec_no_pty(Session *s, const char *command) cray_init_job(s->pw); /* set up cray jid and tmpdir */ #endif - closefrom(STDERR_FILENO + 1); - /* Do processing for the child (exec command etc). */ do_child(s, command); /* NOTREACHED */ @@ -610,8 +608,6 @@ do_exec_pty(Session *s, const char *command) # endif #endif - closefrom(STDERR_FILENO + 1); - /* Do common processing for the child, such as execing the command. */ do_child(s, command); /* NOTREACHED */ @@ -1345,6 +1341,8 @@ safely_chroot(const char *path, uid_t uid) } + closefrom(STDERR_FILENO + 1); + if (chdir(path) == -1) fatal("Unable to chdir to chroot path \"%s\": " "%s", path, strerror(errno)); -- cgit v1.2.3 From 52358d6df32d9ae923572c43a58159d84b673631 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 11 Mar 2008 22:58:25 +1100 Subject: - (dtucker) [auth-pam.c monitor.c session.c sshd.c] Bug #926: Move pam_open_session and pam_close_session into the privsep monitor, which will ensure that pam_session_close is called as root. Patch from Tomas Mraz. --- ChangeLog | 8 +++++++- auth-pam.c | 6 ++++-- monitor.c | 5 +++++ session.c | 29 ----------------------------- sshd.c | 14 ++++++++++++++ 5 files changed, 30 insertions(+), 32 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index 3057c2be5..4bb82cd29 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20080312 + - (dtucker) [auth-pam.c monitor.c session.c sshd.c] Bug #926: Move + pam_open_session and pam_close_session into the privsep monitor, which + will ensure that pam_session_close is called as root. Patch from Tomas + Mraz. + 20080309 - (dtucker) [configure.ac] It turns out gcc's -fstack-protector-all doesn't always work for all platforms and versions, so test what we can and @@ -3712,4 +3718,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4864 2008/03/09 11:50:50 dtucker Exp $ +$Id: ChangeLog,v 1.4865 2008/03/11 11:58:25 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index a07f1fe77..ccdb9937e 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -598,15 +598,17 @@ static struct pam_conv store_conv = { sshpam_store_conv, NULL }; void sshpam_cleanup(void) { - debug("PAM: cleanup"); - if (sshpam_handle == NULL) + if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor())) return; + debug("PAM: cleanup"); pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); if (sshpam_cred_established) { + debug("PAM: deleting credentials"); pam_setcred(sshpam_handle, PAM_DELETE_CRED); sshpam_cred_established = 0; } if (sshpam_session_open) { + debug("PAM: closing session"); pam_close_session(sshpam_handle, PAM_SILENT); sshpam_session_open = 0; } diff --git a/monitor.c b/monitor.c index 2f23669cd..cc0e0fcac 100644 --- a/monitor.c +++ b/monitor.c @@ -1547,6 +1547,11 @@ mm_answer_term(int sock, Buffer *req) /* The child is terminating */ session_destroy_all(&mm_session_close); +#ifdef USE_PAM + if (options.use_pam) + sshpam_cleanup(); +#endif + while (waitpid(pmonitor->m_pid, &status, 0) == -1) if (errno != EINTR) exit(1); diff --git a/session.c b/session.c index 3eba513de..f5eaa815c 100644 --- a/session.c +++ b/session.c @@ -428,11 +428,6 @@ do_exec_no_pty(Session *s, const char *command) session_proctitle(s); -#if defined(USE_PAM) - if (options.use_pam && !use_privsep) - do_pam_setcred(1); -#endif /* USE_PAM */ - /* Fork the child. */ if ((pid = fork()) == 0) { is_child = 1; @@ -563,14 +558,6 @@ do_exec_pty(Session *s, const char *command) ptyfd = s->ptyfd; ttyfd = s->ttyfd; -#if defined(USE_PAM) - if (options.use_pam) { - do_pam_set_tty(s->tty); - if (!use_privsep) - do_pam_setcred(1); - } -#endif - /* Fork the child. */ if ((pid = fork()) == 0) { is_child = 1; @@ -1373,16 +1360,8 @@ do_setusercontext(struct passwd *pw) # ifdef __bsdi__ setpgid(0, 0); # endif -#ifdef GSSAPI - if (options.gss_authentication) { - temporarily_use_uid(pw); - ssh_gssapi_storecreds(); - restore_uid(); - } -#endif # ifdef USE_PAM if (options.use_pam) { - do_pam_session(); do_pam_setcred(use_privsep); } # endif /* USE_PAM */ @@ -1410,13 +1389,6 @@ do_setusercontext(struct passwd *pw) exit(1); } endgrent(); -# ifdef GSSAPI - if (options.gss_authentication) { - temporarily_use_uid(pw); - ssh_gssapi_storecreds(); - restore_uid(); - } -# endif # ifdef USE_PAM /* * PAM credentials may take the form of supplementary groups. @@ -1424,7 +1396,6 @@ do_setusercontext(struct passwd *pw) * Reestablish them here. */ if (options.use_pam) { - do_pam_session(); do_pam_setcred(use_privsep); } # endif /* USE_PAM */ diff --git a/sshd.c b/sshd.c index 5ea87f0f9..5dfc2b185 100644 --- a/sshd.c +++ b/sshd.c @@ -1847,6 +1847,20 @@ main(int ac, char **av) audit_event(SSH_AUTH_SUCCESS); #endif +#ifdef GSSAPI + if (options.gss_authentication) { + temporarily_use_uid(authctxt->pw); + ssh_gssapi_storecreds(); + restore_uid(); + } +#endif +#ifdef USE_PAM + if (options.use_pam) { + do_pam_setcred(1); + do_pam_session(); + } +#endif + /* * In privilege separation, we fork another child and prepare * file descriptor passing. -- cgit v1.2.3 From a19390067474ab3a8ad806dbf551fd84164e78a4 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 15 Mar 2008 17:27:58 +1100 Subject: - (djm) [session.c] Relocate incorrectly-placed closefrom() that was causing crashes when used with ChrootDirectory --- ChangeLog | 4 +++- session.c | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index ad61c0938..e943a8301 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,8 @@ empty; report and patch from Peter Stuge - (djm) [regress/test-exec.sh] Silence noise from detection of putty commands; report from Peter Stuge + - (djm) [session.c] Relocate incorrectly-placed closefrom() that was causing + crashes when used with ChrootDirectory 20080314 - (tim) [regress/sftp-cmds.sh] s/cd/lcd/ in lls test. Reported by @@ -3763,4 +3765,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4878 2008/03/14 22:25:54 djm Exp $ +$Id: ChangeLog,v 1.4879 2008/03/15 06:27:58 djm Exp $ diff --git a/session.c b/session.c index f5eaa815c..92282f92a 100644 --- a/session.c +++ b/session.c @@ -1328,8 +1328,6 @@ safely_chroot(const char *path, uid_t uid) } - closefrom(STDERR_FILENO + 1); - if (chdir(path) == -1) fatal("Unable to chdir to chroot path \"%s\": " "%s", path, strerror(errno)); @@ -1659,6 +1657,8 @@ do_child(Session *s, const char *command) #endif } + closefrom(STDERR_FILENO + 1); + if (!options.use_login) do_rc_files(s, shell); -- cgit v1.2.3 From b8eb586412f338dcee69639ae375d5f72e26a094 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 27 Mar 2008 07:27:20 +1100 Subject: - (dtucker) Cache selinux status earlier so we know if it's enabled after a chroot. Allows ChrootDirectory to work with selinux support compiled in but not enabled. Using it with selinux enabled will require some selinux support inside the chroot. "looks sane" djm@ --- ChangeLog | 8 +++++++- openbsd-compat/port-linux.c | 4 ++-- openbsd-compat/port-linux.h | 3 ++- session.c | 5 +++++ 4 files changed, 16 insertions(+), 4 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index e943a8301..45429881b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20080327 + - (dtucker) Cache selinux status earlier so we know if it's enabled after a + chroot. Allows ChrootDirectory to work with selinux support compiled in + but not enabled. Using it with selinux enabled will require some selinux + support inside the chroot. "looks sane" djm@ + 20080315 - (djm) [regress/test-exec.sh] Quote putty-related variables in case they are empty; report and patch from Peter Stuge @@ -3765,4 +3771,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4879 2008/03/15 06:27:58 djm Exp $ +$Id: ChangeLog,v 1.4880 2008/03/26 20:27:20 dtucker Exp $ diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c index 2f697e7d9..ad262758e 100644 --- a/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c @@ -1,4 +1,4 @@ -/* $Id: port-linux.c,v 1.4 2007/06/27 22:48:03 djm Exp $ */ +/* $Id: port-linux.c,v 1.5 2008/03/26 20:27:21 dtucker Exp $ */ /* * Copyright (c) 2005 Daniel Walsh @@ -36,7 +36,7 @@ #include /* Wrapper around is_selinux_enabled() to log its return value once only */ -static int +int ssh_selinux_enabled(void) { static int enabled = -1; diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h index 05e520e1c..5cd39bf83 100644 --- a/openbsd-compat/port-linux.h +++ b/openbsd-compat/port-linux.h @@ -1,4 +1,4 @@ -/* $Id: port-linux.h,v 1.1 2006/04/22 11:26:08 djm Exp $ */ +/* $Id: port-linux.h,v 1.2 2008/03/26 20:27:21 dtucker Exp $ */ /* * Copyright (c) 2006 Damien Miller @@ -20,6 +20,7 @@ #define _PORT_LINUX_H #ifdef WITH_SELINUX +int ssh_selinux_enabled(void); void ssh_selinux_setup_pty(char *, const char *); void ssh_selinux_setup_exec_context(char *); #endif diff --git a/session.c b/session.c index 92282f92a..54621a4c0 100644 --- a/session.c +++ b/session.c @@ -1345,6 +1345,11 @@ do_setusercontext(struct passwd *pw) { char *chroot_path, *tmp; +#ifdef WITH_SELINUX + /* Cache selinux status for later use */ + (void)ssh_selinux_enabled(); +#endif + #ifndef HAVE_CYGWIN if (getuid() == 0 || geteuid() == 0) #endif /* HAVE_CYGWIN */ -- cgit v1.2.3 From a1b48ccf2d7383bc0cdc158324e400dd4f7ce87a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 27 Mar 2008 11:02:02 +1100 Subject: - djm@cvs.openbsd.org 2008/03/25 11:58:02 [session.c sshd_config.5] ignore ~/.ssh/rc if a sshd_config ForceCommand is specified; from dtucker@ ok deraadt@ djm@ --- ChangeLog | 6 +++++- session.c | 7 ++++--- sshd_config.5 | 8 +++++--- 3 files changed, 14 insertions(+), 7 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index 876055383..993fe76c1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,10 @@ works now that kernel fd passing has been fixed to accept a bit of sloppiness because of this ABI repair. lots of discussion with kettenis + - djm@cvs.openbsd.org 2008/03/25 11:58:02 + [session.c sshd_config.5] + ignore ~/.ssh/rc if a sshd_config ForceCommand is specified; + from dtucker@ ok deraadt@ djm@ 20080315 - (djm) [regress/test-exec.sh] Quote putty-related variables in case they are @@ -3801,4 +3805,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4886 2008/03/27 00:01:15 djm Exp $ +$Id: ChangeLog,v 1.4887 2008/03/27 00:02:02 djm Exp $ diff --git a/session.c b/session.c index 54621a4c0..3dcf222f5 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.230 2008/02/22 05:58:56 djm Exp $ */ +/* $OpenBSD: session.c,v 1.231 2008/03/25 11:58:02 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1202,8 +1202,9 @@ do_rc_files(Session *s, const char *shell) do_xauth = s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL; - /* ignore _PATH_SSH_USER_RC for subsystems */ - if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) { + /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */ + if (!s->is_subsystem && options.adm_forced_command != NULL && + (stat(_PATH_SSH_USER_RC, &st) >= 0)) { snprintf(cmd, sizeof cmd, "%s -c '%s %s'", shell, _PATH_BSHELL, _PATH_SSH_USER_RC); if (debug_flag) diff --git a/sshd_config.5 b/sshd_config.5 index a2f193470..245ed946f 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.83 2008/02/11 07:58:28 jmc Exp $ -.Dd $Mdocdate: February 11 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.84 2008/03/25 11:58:02 djm Exp $ +.Dd $Mdocdate: March 25 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -324,7 +324,9 @@ for more information on patterns. .It Cm ForceCommand Forces the execution of the command specified by .Cm ForceCommand , -ignoring any command supplied by the client. +ignoring any command supplied by the client and +.Pa ~/.ssh/rc +if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a -- cgit v1.2.3 From 55360e1ceb62c341d5c380bf6d94050d17f59930 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 27 Mar 2008 11:02:27 +1100 Subject: - djm@cvs.openbsd.org 2008/03/25 23:01:41 [session.c] last patch had backwards test; spotted by termim AT gmail.com --- ChangeLog | 5 ++++- session.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index 993fe76c1..c9b1ec67a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -37,6 +37,9 @@ [session.c sshd_config.5] ignore ~/.ssh/rc if a sshd_config ForceCommand is specified; from dtucker@ ok deraadt@ djm@ + - djm@cvs.openbsd.org 2008/03/25 23:01:41 + [session.c] + last patch had backwards test; spotted by termim AT gmail.com 20080315 - (djm) [regress/test-exec.sh] Quote putty-related variables in case they are @@ -3805,4 +3808,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4887 2008/03/27 00:02:02 djm Exp $ +$Id: ChangeLog,v 1.4888 2008/03/27 00:02:27 djm Exp $ diff --git a/session.c b/session.c index 3dcf222f5..6d9e36e46 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.231 2008/03/25 11:58:02 djm Exp $ */ +/* $OpenBSD: session.c,v 1.232 2008/03/25 23:01:41 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1203,7 +1203,7 @@ do_rc_files(Session *s, const char *shell) s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL; /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */ - if (!s->is_subsystem && options.adm_forced_command != NULL && + if (!s->is_subsystem && options.adm_forced_command == NULL && (stat(_PATH_SSH_USER_RC, &st) >= 0)) { snprintf(cmd, sizeof cmd, "%s -c '%s %s'", shell, _PATH_BSHELL, _PATH_SSH_USER_RC); -- cgit v1.2.3 From 95e80955f27d55c7a02724e72bdcb1a4ca619f25 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 27 Mar 2008 11:03:05 +1100 Subject: - djm@cvs.openbsd.org 2008/03/26 21:28:14 [auth-options.c auth-options.h session.c sshd.8] add no-user-rc authorized_keys option to disable execution of ~/.ssh/rc --- ChangeLog | 5 ++++- auth-options.c | 11 ++++++++++- auth-options.h | 3 ++- session.c | 4 ++-- sshd.8 | 7 +++++-- 5 files changed, 23 insertions(+), 7 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index c9b1ec67a..7da2b8b82 100644 --- a/ChangeLog +++ b/ChangeLog @@ -40,6 +40,9 @@ - djm@cvs.openbsd.org 2008/03/25 23:01:41 [session.c] last patch had backwards test; spotted by termim AT gmail.com + - djm@cvs.openbsd.org 2008/03/26 21:28:14 + [auth-options.c auth-options.h session.c sshd.8] + add no-user-rc authorized_keys option to disable execution of ~/.ssh/rc 20080315 - (djm) [regress/test-exec.sh] Quote putty-related variables in case they are @@ -3808,4 +3811,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4888 2008/03/27 00:02:27 djm Exp $ +$Id: ChangeLog,v 1.4889 2008/03/27 00:03:05 djm Exp $ diff --git a/auth-options.c b/auth-options.c index ca5e1c931..6e2256961 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.40 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth-options.c,v 1.41 2008/03/26 21:28:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -42,6 +42,7 @@ int no_port_forwarding_flag = 0; int no_agent_forwarding_flag = 0; int no_x11_forwarding_flag = 0; int no_pty_flag = 0; +int no_user_rc = 0; /* "command=" option. */ char *forced_command = NULL; @@ -61,6 +62,7 @@ auth_clear_options(void) no_port_forwarding_flag = 0; no_pty_flag = 0; no_x11_forwarding_flag = 0; + no_user_rc = 0; while (custom_environment) { struct envstring *ce = custom_environment; custom_environment = ce->next; @@ -121,6 +123,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) opts += strlen(cp); goto next_option; } + cp = "no-user-rc"; + if (strncasecmp(opts, cp, strlen(cp)) == 0) { + auth_debug_add("User rc file execution disabled."); + no_user_rc = 1; + opts += strlen(cp); + goto next_option; + } cp = "command=\""; if (strncasecmp(opts, cp, strlen(cp)) == 0) { opts += strlen(cp); diff --git a/auth-options.h b/auth-options.h index 853f8b517..14488f72d 100644 --- a/auth-options.h +++ b/auth-options.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.h,v 1.16 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth-options.h,v 1.17 2008/03/26 21:28:14 djm Exp $ */ /* * Author: Tatu Ylonen @@ -26,6 +26,7 @@ extern int no_port_forwarding_flag; extern int no_agent_forwarding_flag; extern int no_x11_forwarding_flag; extern int no_pty_flag; +extern int no_user_rc; extern char *forced_command; extern struct envstring *custom_environment; extern int forced_tun_device; diff --git a/session.c b/session.c index 6d9e36e46..a77dde38f 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.232 2008/03/25 23:01:41 djm Exp $ */ +/* $OpenBSD: session.c,v 1.233 2008/03/26 21:28:14 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1204,7 +1204,7 @@ do_rc_files(Session *s, const char *shell) /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */ if (!s->is_subsystem && options.adm_forced_command == NULL && - (stat(_PATH_SSH_USER_RC, &st) >= 0)) { + !no_user_rc && (stat(_PATH_SSH_USER_RC, &st) >= 0)) { snprintf(cmd, sizeof cmd, "%s -c '%s %s'", shell, _PATH_BSHELL, _PATH_SSH_USER_RC); if (debug_flag) diff --git a/sshd.8 b/sshd.8 index b91ca4fc7..cc44e5471 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.239 2008/02/11 07:58:28 jmc Exp $ -.Dd $Mdocdate: February 11 2008 $ +.\" $OpenBSD: sshd.8,v 1.240 2008/03/26 21:28:14 djm Exp $ +.Dd $Mdocdate: March 26 2008 $ .Dt SSHD 8 .Os .Sh NAME @@ -531,6 +531,9 @@ This might be used, e.g. in connection with the option. .It Cm no-pty Prevents tty allocation (a request to allocate a pty will fail). +.It Cm no-user-rc +Disables execution of +.Pa ~/.ssh/rc . .It Cm no-X11-forwarding Forbids X11 forwarding when this key is used for authentication. Any X11 forward requests by the client will return an error. -- cgit v1.2.3 From ff0dd88999c3d5966bbf32b9598a463363aea375 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 19 May 2008 14:55:02 +1000 Subject: - djm@cvs.openbsd.org 2008/04/18 22:01:33 [session.c] remove unneccessary parentheses --- ChangeLog | 5 ++++- session.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index c87b05453..5c720182a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,9 @@ - jmc@cvs.openbsd.org 2008/04/18 17:15:47 [sftp.1] macro fixage; + - djm@cvs.openbsd.org 2008/04/18 22:01:33 + [session.c] + remove unneccessary parentheses 20080403 - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile- @@ -3893,4 +3896,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4912 2008/05/19 04:54:25 djm Exp $ +$Id: ChangeLog,v 1.4913 2008/05/19 04:55:02 djm Exp $ diff --git a/session.c b/session.c index a77dde38f..f2bcfd061 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.233 2008/03/26 21:28:14 djm Exp $ */ +/* $OpenBSD: session.c,v 1.234 2008/04/18 22:01:33 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1204,7 +1204,7 @@ do_rc_files(Session *s, const char *shell) /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */ if (!s->is_subsystem && options.adm_forced_command == NULL && - !no_user_rc && (stat(_PATH_SSH_USER_RC, &st) >= 0)) { + !no_user_rc && stat(_PATH_SSH_USER_RC, &st) >= 0) { snprintf(cmd, sizeof cmd, "%s -c '%s %s'", shell, _PATH_BSHELL, _PATH_SSH_USER_RC); if (debug_flag) -- cgit v1.2.3 From 4f755cdc05f5c6dee7cb1894f8d3bcaee33443d0 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 19 May 2008 14:57:41 +1000 Subject: - pyr@cvs.openbsd.org 2008/05/07 05:49:37 [servconf.c servconf.h session.c sshd_config.5] Enable the AllowAgentForwarding option in sshd_config (global and match context), to specify if agents should be permitted on the server. As the man page states: ``Note that disabling Agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.'' ok djm@, ok and a mild frown markus@ --- ChangeLog | 11 ++++++++++- servconf.c | 13 +++++++++++-- servconf.h | 3 ++- session.c | 7 ++++--- sshd_config.5 | 13 +++++++++++-- 5 files changed, 38 insertions(+), 9 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index b7e6098e5..8ee0b0e55 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,15 @@ [ssh-keyscan.1 ssh-keyscan.c] default to rsa (protocol 2) keys, instead of rsa1 keys; spotted by larsnooden AT openoffice.org + - pyr@cvs.openbsd.org 2008/05/07 05:49:37 + [servconf.c servconf.h session.c sshd_config.5] + Enable the AllowAgentForwarding option in sshd_config (global and match + context), to specify if agents should be permitted on the server. + As the man page states: + ``Note that disabling Agent forwarding does not improve security + unless users are also denied shell access, as they can always install + their own forwarders.'' + ok djm@, ok and a mild frown markus@ 20080403 - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile- @@ -3903,4 +3912,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4915 2008/05/19 04:56:33 djm Exp $ +$Id: ChangeLog,v 1.4916 2008/05/19 04:57:41 djm Exp $ diff --git a/servconf.c b/servconf.c index 9add96ca1..e6d49099b 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.177 2008/02/10 10:54:28 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.178 2008/05/07 05:49:37 pyr Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -99,6 +99,7 @@ initialize_server_options(ServerOptions *options) options->use_login = -1; options->compression = -1; options->allow_tcp_forwarding = -1; + options->allow_agent_forwarding = -1; options->num_allow_users = 0; options->num_deny_users = 0; options->num_allow_groups = 0; @@ -223,6 +224,8 @@ fill_default_server_options(ServerOptions *options) options->compression = COMP_DELAYED; if (options->allow_tcp_forwarding == -1) options->allow_tcp_forwarding = 1; + if (options->allow_agent_forwarding == -1) + options->allow_agent_forwarding = 1; if (options->gateway_ports == -1) options->gateway_ports = 0; if (options->max_startups == -1) @@ -293,7 +296,7 @@ typedef enum { sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sMatch, sPermitOpen, sForceCommand, sChrootDirectory, - sUsePrivilegeSeparation, + sUsePrivilegeSeparation, sAllowAgentForwarding, sDeprecated, sUnsupported } ServerOpCodes; @@ -379,6 +382,7 @@ static struct { { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, + { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL }, { "allowusers", sAllowUsers, SSHCFG_GLOBAL }, { "denyusers", sDenyUsers, SSHCFG_GLOBAL }, { "allowgroups", sAllowGroups, SSHCFG_GLOBAL }, @@ -1005,6 +1009,10 @@ parse_flag: intptr = &options->allow_tcp_forwarding; goto parse_flag; + case sAllowAgentForwarding: + intptr = &options->allow_agent_forwarding; + goto parse_flag; + case sUsePrivilegeSeparation: intptr = &use_privsep; goto parse_flag; @@ -1368,6 +1376,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(permit_root_login); M_CP_INTOPT(allow_tcp_forwarding); + M_CP_INTOPT(allow_agent_forwarding); M_CP_INTOPT(gateway_ports); M_CP_INTOPT(x11_display_offset); M_CP_INTOPT(x11_forwarding); diff --git a/servconf.h b/servconf.h index 5b88067db..aaf87cd18 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.82 2008/02/13 22:38:17 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.83 2008/05/07 05:49:37 pyr Exp $ */ /* * Author: Tatu Ylonen @@ -101,6 +101,7 @@ typedef struct { int use_login; /* If true, login(1) is used */ int compression; /* If true, compression is allowed */ int allow_tcp_forwarding; + int allow_agent_forwarding; u_int num_allow_users; char *allow_users[MAX_ALLOW_USERS]; u_int num_deny_users; diff --git a/session.c b/session.c index f2bcfd061..16e455588 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.234 2008/04/18 22:01:33 djm Exp $ */ +/* $OpenBSD: session.c,v 1.235 2008/05/07 05:49:37 pyr Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -335,7 +335,8 @@ do_authenticated1(Authctxt *authctxt) break; case SSH_CMSG_AGENT_REQUEST_FORWARDING: - if (no_agent_forwarding_flag || compat13) { + if (!options.allow_agent_forwarding || + no_agent_forwarding_flag || compat13) { debug("Authentication agent forwarding not permitted for this authentication."); break; } @@ -2081,7 +2082,7 @@ session_auth_agent_req(Session *s) { static int called = 0; packet_check_eom(); - if (no_agent_forwarding_flag) { + if (no_agent_forwarding_flag || !options.allow_agent_forwarding) { debug("session_auth_agent_req: no_agent_forwarding_flag"); return 0; } diff --git a/sshd_config.5 b/sshd_config.5 index 6edaa9260..b93c801e3 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.87 2008/04/05 02:46:02 djm Exp $ -.Dd $Mdocdate: April 5 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.88 2008/05/07 05:49:37 pyr Exp $ +.Dd $Mdocdate: May 7 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -114,6 +114,15 @@ See in .Xr ssh_config 5 for more information on patterns. +.It Cm AllowAgentForwarding +Specifies whether +.Xr ssh-agent 1 +forwarding is permitted. +The default is +.Dq yes . +Note that disabling Agent forwarding does not improve security +unless users are also denied shell access, as they can always install +their own forwarders. .It Cm AllowTcpForwarding Specifies whether TCP forwarding is permitted. The default is -- cgit v1.2.3 From b84886ba3e362f54b70aefcbe1aa10606309b7d7 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 19 May 2008 15:05:07 +1000 Subject: - djm@cvs.openbsd.org 2008/05/08 12:02:23 [auth-options.c auth1.c channels.c channels.h clientloop.c gss-serv.c] [monitor.c monitor_wrap.c nchan.c servconf.c serverloop.c session.c] [ssh.c sshd.c] Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within an channel). Also includes a abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory. ok markus@ (as part of a larger diff) --- ChangeLog | 15 +++++++++++- auth-options.c | 3 ++- auth1.c | 3 ++- channels.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++-------- channels.h | 26 +++++++++++++++++---- clientloop.c | 10 +++++--- gss-serv.c | 3 ++- monitor.c | 3 ++- monitor_wrap.c | 3 ++- nchan.c | 3 ++- servconf.c | 3 ++- serverloop.c | 6 +++-- session.c | 3 ++- ssh.c | 6 +++-- sshd.c | 3 ++- 15 files changed, 132 insertions(+), 31 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index e7fd87ba8..567222e96 100644 --- a/ChangeLog +++ b/ChangeLog @@ -62,6 +62,19 @@ [bufaux.c buffer.h channels.c packet.c packet.h] avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@ + - djm@cvs.openbsd.org 2008/05/08 12:02:23 + [auth-options.c auth1.c channels.c channels.h clientloop.c gss-serv.c] + [monitor.c monitor_wrap.c nchan.c servconf.c serverloop.c session.c] + [ssh.c sshd.c] + Implement a channel success/failure status confirmation callback + mechanism. Each channel maintains a queue of callbacks, which will + be drained in order (RFC4253 guarantees confirm messages are not + reordered within an channel). + Also includes a abandonment callback to clean up if a channel is + closed without sending confirmation messages. This probably + shouldn't happen in compliant implementations, but it could be + abused to leak memory. + ok markus@ (as part of a larger diff) 20080403 - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile- @@ -3922,4 +3935,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4919 2008/05/19 04:59:37 djm Exp $ +$Id: ChangeLog,v 1.4920 2008/05/19 05:05:07 djm Exp $ diff --git a/auth-options.c b/auth-options.c index 6e2256961..3a6c3c0f3 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.41 2008/03/26 21:28:14 djm Exp $ */ +/* $OpenBSD: auth-options.c,v 1.42 2008/05/08 12:02:23 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -20,6 +20,7 @@ #include #include +#include "openbsd-compat/sys-queue.h" #include "xmalloc.h" #include "match.h" #include "log.h" diff --git a/auth1.c b/auth1.c index c17cc9133..b5798f634 100644 --- a/auth1.c +++ b/auth1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth1.c,v 1.71 2007/09/21 08:15:29 djm Exp $ */ +/* $OpenBSD: auth1.c,v 1.72 2008/05/08 12:02:23 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -20,6 +20,7 @@ #include #include +#include "openbsd-compat/sys-queue.h" #include "xmalloc.h" #include "rsa.h" #include "ssh1.h" diff --git a/channels.c b/channels.c index 05c23e59c..b5e28dabf 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.274 2008/05/08 06:59:01 markus Exp $ */ +/* $OpenBSD: channels.c,v 1.275 2008/05/08 12:02:23 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -61,6 +61,7 @@ #include #include +#include "openbsd-compat/sys-queue.h" #include "xmalloc.h" #include "ssh.h" #include "ssh1.h" @@ -319,10 +320,11 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd, c->single_connection = 0; c->detach_user = NULL; c->detach_close = 0; - c->confirm = NULL; - c->confirm_ctx = NULL; + c->open_confirm = NULL; + c->open_confirm_ctx = NULL; c->input_filter = NULL; c->output_filter = NULL; + TAILQ_INIT(&c->status_confirms); debug("channel %d: new [%s]", found, remote_name); return c; } @@ -379,6 +381,7 @@ channel_free(Channel *c) { char *s; u_int i, n; + struct channel_confirm *cc; for (n = 0, i = 0; i < channels_alloc; i++) if (channels[i]) @@ -402,6 +405,13 @@ channel_free(Channel *c) xfree(c->remote_name); c->remote_name = NULL; } + while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) { + if (cc->abandon_cb != NULL) + cc->abandon_cb(c, cc->ctx); + TAILQ_REMOVE(&c->status_confirms, cc, entry); + bzero(cc, sizeof(*cc)); + xfree(cc); + } channels[c->self] = NULL; xfree(c); } @@ -660,16 +670,33 @@ channel_request_start(int id, char *service, int wantconfirm) } void -channel_register_confirm(int id, channel_callback_fn *fn, void *ctx) +channel_register_status_confirm(int id, channel_confirm_cb *cb, + channel_confirm_abandon_cb *abandon_cb, void *ctx) +{ + struct channel_confirm *cc; + Channel *c; + + if ((c = channel_lookup(id)) == NULL) + fatal("channel_register_expect: %d: bad id", id); + + cc = xmalloc(sizeof(*cc)); + cc->cb = cb; + cc->abandon_cb = abandon_cb; + cc->ctx = ctx; + TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry); +} + +void +channel_register_open_confirm(int id, channel_callback_fn *fn, void *ctx) { Channel *c = channel_lookup(id); if (c == NULL) { - logit("channel_register_comfirm: %d: bad id", id); + logit("channel_register_open_comfirm: %d: bad id", id); return; } - c->confirm = fn; - c->confirm_ctx = ctx; + c->open_confirm = fn; + c->open_confirm_ctx = ctx; } void @@ -2209,9 +2236,9 @@ channel_input_open_confirmation(int type, u_int32_t seq, void *ctxt) if (compat20) { c->remote_window = packet_get_int(); c->remote_maxpacket = packet_get_int(); - if (c->confirm) { + if (c->open_confirm) { debug2("callback start"); - c->confirm(c->self, c->confirm_ctx); + c->open_confirm(c->self, c->open_confirm_ctx); debug2("callback done"); } debug2("channel %d: open confirm rwindow %u rmax %u", c->self, @@ -2328,6 +2355,34 @@ channel_input_port_open(int type, u_int32_t seq, void *ctxt) xfree(host); } +/* ARGSUSED */ +void +channel_input_status_confirm(int type, u_int32_t seq, void *ctxt) +{ + Channel *c; + struct channel_confirm *cc; + int remote_id; + + /* Reset keepalive timeout */ + keep_alive_timeouts = 0; + + remote_id = packet_get_int(); + packet_check_eom(); + + debug2("channel_input_confirm: type %d id %d", type, remote_id); + + if ((c = channel_lookup(remote_id)) == NULL) { + logit("channel_input_success_failure: %d: unknown", remote_id); + return; + } + ; + if ((cc = TAILQ_FIRST(&c->status_confirms)) == NULL) + return; + cc->cb(type, c, cc->ctx); + TAILQ_REMOVE(&c->status_confirms, cc, entry); + bzero(cc, sizeof(*cc)); + xfree(cc); +} /* -- tcp forwarding */ diff --git a/channels.h b/channels.h index b632a86af..46cde0309 100644 --- a/channels.h +++ b/channels.h @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.89 2007/06/11 09:14:00 markus Exp $ */ +/* $OpenBSD: channels.h,v 1.90 2008/05/08 12:02:23 djm Exp $ */ /* * Author: Tatu Ylonen @@ -64,6 +64,17 @@ typedef void channel_callback_fn(int, void *); typedef int channel_infilter_fn(struct Channel *, char *, int); typedef u_char *channel_outfilter_fn(struct Channel *, u_char **, u_int *); +/* Channel success/failure callbacks */ +typedef void channel_confirm_cb(int, struct Channel *, void *); +typedef void channel_confirm_abandon_cb(struct Channel *, void *); +struct channel_confirm { + TAILQ_ENTRY(channel_confirm) entry; + channel_confirm_cb *cb; + channel_confirm_abandon_cb *abandon_cb; + void *ctx; +}; +TAILQ_HEAD(channel_confirms, channel_confirm); + struct Channel { int type; /* channel type/state */ int self; /* my own channel identifier */ @@ -104,10 +115,11 @@ struct Channel { char *ctype; /* type */ /* callback */ - channel_callback_fn *confirm; - void *confirm_ctx; + channel_callback_fn *open_confirm; + void *open_confirm_ctx; channel_callback_fn *detach_user; int detach_close; + struct channel_confirms status_confirms; /* filter */ channel_infilter_fn *input_filter; @@ -170,8 +182,11 @@ void channel_stop_listening(void); void channel_send_open(int); void channel_request_start(int, char *, int); void channel_register_cleanup(int, channel_callback_fn *, int); -void channel_register_confirm(int, channel_callback_fn *, void *); -void channel_register_filter(int, channel_infilter_fn *, channel_outfilter_fn *); +void channel_register_open_confirm(int, channel_callback_fn *, void *); +void channel_register_filter(int, channel_infilter_fn *, + channel_outfilter_fn *); +void channel_register_status_confirm(int, channel_confirm_cb *, + channel_confirm_abandon_cb *, void *); void channel_cancel_cleanup(int); int channel_close_fd(int *); void channel_send_window_changes(void); @@ -188,6 +203,7 @@ void channel_input_open_confirmation(int, u_int32_t, void *); void channel_input_open_failure(int, u_int32_t, void *); void channel_input_port_open(int, u_int32_t, void *); void channel_input_window_adjust(int, u_int32_t, void *); +void channel_input_status_confirm(int, u_int32_t, void *); /* file descriptor handling (read/write) */ diff --git a/clientloop.c b/clientloop.c index 8a40bc71e..edd801440 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.188 2008/02/22 20:44:02 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.189 2008/05/08 12:02:23 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -86,6 +86,7 @@ #include #include +#include "openbsd-compat/sys-queue.h" #include "xmalloc.h" #include "ssh.h" #include "ssh1.h" @@ -700,7 +701,7 @@ client_extra_session2_setup(int id, void *arg) cctx->term, &cctx->tio, c->rfd, &cctx->cmd, cctx->env, client_subsystem_reply); - c->confirm_ctx = NULL; + c->open_confirm_ctx = NULL; buffer_free(&cctx->cmd); xfree(cctx->term); if (cctx->env != NULL) { @@ -940,7 +941,8 @@ client_process_control(fd_set *readset) debug3("%s: channel_new: %d", __func__, c->self); channel_send_open(c->self); - channel_register_confirm(c->self, client_extra_session2_setup, cctx); + channel_register_open_confirm(c->self, + client_extra_session2_setup, cctx); } static void @@ -2068,6 +2070,8 @@ client_init_dispatch_20(void) dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &client_input_channel_req); dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust); + dispatch_set(SSH2_MSG_CHANNEL_SUCCESS, &channel_input_status_confirm); + dispatch_set(SSH2_MSG_CHANNEL_FAILURE, &channel_input_status_confirm); dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &client_input_global_request); /* rekeying */ diff --git a/gss-serv.c b/gss-serv.c index bc498fd47..2ec7ea19c 100644 --- a/gss-serv.c +++ b/gss-serv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv.c,v 1.21 2007/06/12 08:20:00 djm Exp $ */ +/* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -35,6 +35,7 @@ #include #include +#include "openbsd-compat/sys-queue.h" #include "xmalloc.h" #include "buffer.h" #include "key.h" diff --git a/monitor.c b/monitor.c index cc0e0fcac..04f6924b6 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.94 2007/10/29 04:08:08 dtucker Exp $ */ +/* $OpenBSD: monitor.c,v 1.95 2008/05/08 12:02:23 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -51,6 +51,7 @@ #include +#include "openbsd-compat/sys-queue.h" #include "xmalloc.h" #include "ssh.h" #include "key.h" diff --git a/monitor_wrap.c b/monitor_wrap.c index e895f1924..72fd5c83c 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.60 2007/10/29 04:08:08 dtucker Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.61 2008/05/08 12:02:23 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -41,6 +41,7 @@ #include #include +#include "openbsd-compat/sys-queue.h" #include "xmalloc.h" #include "ssh.h" #include "dh.h" diff --git a/nchan.c b/nchan.c index ad461f4af..0d0faddb3 100644 --- a/nchan.c +++ b/nchan.c @@ -1,4 +1,4 @@ -/* $OpenBSD: nchan.c,v 1.57 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: nchan.c,v 1.58 2008/05/08 12:02:23 djm Exp $ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * @@ -32,6 +32,7 @@ #include #include +#include "openbsd-compat/sys-queue.h" #include "ssh1.h" #include "ssh2.h" #include "buffer.h" diff --git a/servconf.c b/servconf.c index e6d49099b..b8a968aa3 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.178 2008/05/07 05:49:37 pyr Exp $ */ +/* $OpenBSD: servconf.c,v 1.179 2008/05/08 12:02:23 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -24,6 +24,7 @@ #include #include +#include "openbsd-compat/sys-queue.h" #include "xmalloc.h" #include "ssh.h" #include "log.h" diff --git a/serverloop.c b/serverloop.c index bf3f9c9f0..20991c3ce 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.148 2008/02/22 20:44:02 dtucker Exp $ */ +/* $OpenBSD: serverloop.c,v 1.149 2008/05/08 12:02:23 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -56,6 +56,7 @@ #include #include +#include "openbsd-compat/sys-queue.h" #include "xmalloc.h" #include "packet.h" #include "buffer.h" @@ -1188,8 +1189,9 @@ server_init_dispatch_20(void) dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &server_input_channel_req); dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust); dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &server_input_global_request); + dispatch_set(SSH2_MSG_CHANNEL_SUCCESS, &channel_input_status_confirm); + dispatch_set(SSH2_MSG_CHANNEL_FAILURE, &channel_input_status_confirm); /* client_alive */ - dispatch_set(SSH2_MSG_CHANNEL_FAILURE, &server_input_keep_alive); dispatch_set(SSH2_MSG_REQUEST_SUCCESS, &server_input_keep_alive); dispatch_set(SSH2_MSG_REQUEST_FAILURE, &server_input_keep_alive); /* rekeying */ diff --git a/session.c b/session.c index 16e455588..ca04a4532 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.235 2008/05/07 05:49:37 pyr Exp $ */ +/* $OpenBSD: session.c,v 1.236 2008/05/08 12:02:23 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -59,6 +59,7 @@ #include #include +#include "openbsd-compat/sys-queue.h" #include "xmalloc.h" #include "ssh.h" #include "ssh1.h" diff --git a/ssh.c b/ssh.c index 2ed76c9a1..b144a7130 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.309 2008/01/19 20:51:26 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.310 2008/05/08 12:02:23 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -73,6 +73,7 @@ #include #include #include "openbsd-compat/openssl-compat.h" +#include "openbsd-compat/sys-queue.h" #include "xmalloc.h" #include "ssh.h" @@ -1195,7 +1196,8 @@ ssh_session2_open(void) channel_send_open(c->self); if (!no_shell_flag) - channel_register_confirm(c->self, ssh_session2_setup, NULL); + channel_register_open_confirm(c->self, + ssh_session2_setup, NULL); return c->self; } diff --git a/sshd.c b/sshd.c index 796310b03..aefbaaa42 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.356 2008/04/13 00:22:17 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.357 2008/05/08 12:02:23 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -54,6 +54,7 @@ # include #endif #include "openbsd-compat/sys-tree.h" +#include "openbsd-compat/sys-queue.h" #include #include -- cgit v1.2.3 From 7207f64a23a49a719aad3083c068f50e5034ccb8 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 19 May 2008 15:34:50 +1000 Subject: - djm@cvs.openbsd.org 2008/05/08 12:21:16 [monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c] [sshd_config sshd_config.5] Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allows multiplexed sessions. Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of than exiting with fatal(). bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com ok markus@ --- ChangeLog | 17 ++- monitor.c | 4 +- monitor_wrap.c | 22 +++- servconf.c | 21 +++- servconf.h | 4 +- session.c | 382 +++++++++++++++++++++++++++++++++++++++------------------ session.h | 4 +- sshd_config | 3 +- sshd_config.5 | 7 +- 9 files changed, 326 insertions(+), 138 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index 99dbdaf78..5ea4afcac 100644 --- a/ChangeLog +++ b/ChangeLog @@ -77,6 +77,21 @@ shouldn't happen in compliant implementations, but it could be abused to leak memory. ok markus@ (as part of a larger diff) + - djm@cvs.openbsd.org 2008/05/08 12:21:16 + [monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c] + [sshd_config sshd_config.5] + Make the maximum number of sessions run-time controllable via + a sshd_config MaxSessions knob. This is useful for disabling + login/shell/subsystem access while leaving port-forwarding working + (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or + simply increasing the number of allows multiplexed sessions. + Because some bozos are sure to configure MaxSessions in excess of the + number of available file descriptors in sshd (which, at peak, might be + as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds + on error paths, and make it fail gracefully on out-of-fd conditions - + sending channel errors instead of than exiting with fatal(). + bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com + ok markus@ 20080403 - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile- @@ -3937,4 +3952,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4922 2008/05/19 05:28:35 djm Exp $ +$Id: ChangeLog,v 1.4923 2008/05/19 05:34:50 djm Exp $ diff --git a/monitor.c b/monitor.c index 04f6924b6..f872edbb5 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.95 2008/05/08 12:02:23 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.96 2008/05/08 12:21:16 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -1273,7 +1273,7 @@ mm_session_close(Session *s) debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); session_pty_cleanup2(s); } - s->used = 0; + session_unused(s->self); } int diff --git a/monitor_wrap.c b/monitor_wrap.c index 72fd5c83c..e65fb1279 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.61 2008/05/08 12:02:23 djm Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.62 2008/05/08 12:21:16 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -666,7 +666,20 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen) { Buffer m; char *p, *msg; - int success = 0; + int success = 0, tmp1 = -1, tmp2 = -1; + + /* Kludge: ensure there are fds free to receive the pty/tty */ + if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 || + (tmp2 = dup(pmonitor->m_recvfd)) == -1) { + error("%s: cannot allocate fds for pty", __func__); + if (tmp1 > 0) + close(tmp1); + if (tmp2 > 0) + close(tmp2); + return 0; + } + close(tmp1); + close(tmp2); buffer_init(&m); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, &m); @@ -711,8 +724,9 @@ mm_session_pty_cleanup2(Session *s) buffer_free(&m); /* closed dup'ed master */ - if (close(s->ptymaster) < 0) - error("close(s->ptymaster): %s", strerror(errno)); + if (s->ptymaster != -1 && close(s->ptymaster) < 0) + error("close(s->ptymaster/%d): %s", + s->ptymaster, strerror(errno)); /* unlink pty from session */ s->ttyfd = -1; diff --git a/servconf.c b/servconf.c index b8a968aa3..94dff1fd6 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.179 2008/05/08 12:02:23 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.180 2008/05/08 12:21:16 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -114,6 +114,7 @@ initialize_server_options(ServerOptions *options) options->max_startups_rate = -1; options->max_startups = -1; options->max_authtries = -1; + options->max_sessions = -1; options->banner = NULL; options->use_dns = -1; options->client_alive_interval = -1; @@ -237,6 +238,8 @@ fill_default_server_options(ServerOptions *options) options->max_startups_begin = options->max_startups; if (options->max_authtries == -1) options->max_authtries = DEFAULT_AUTH_FAIL_MAX; + if (options->max_sessions == -1) + options->max_sessions = DEFAULT_SESSIONS_MAX; if (options->use_dns == -1) options->use_dns = 1; if (options->client_alive_interval == -1) @@ -291,7 +294,7 @@ typedef enum { sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, - sMaxStartups, sMaxAuthTries, + sMaxStartups, sMaxAuthTries, sMaxSessions, sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, @@ -395,6 +398,7 @@ static struct { { "subsystem", sSubsystem, SSHCFG_GLOBAL }, { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL }, + { "maxsessions", sMaxSessions, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL }, { "usedns", sUseDNS, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, @@ -695,7 +699,7 @@ process_server_config_line(ServerOptions *options, char *line, case sServerKeyBits: intptr = &options->server_key_bits; -parse_int: + parse_int: arg = strdelim(&cp); if (!arg || *arg == '\0') fatal("%s line %d: missing integer value.", @@ -707,7 +711,7 @@ parse_int: case sLoginGraceTime: intptr = &options->login_grace_time; -parse_time: + parse_time: arg = strdelim(&cp); if (!arg || *arg == '\0') fatal("%s line %d: missing time value.", @@ -776,7 +780,7 @@ parse_time: fatal("%s line %d: too many host keys specified (max %d).", filename, linenum, MAX_HOSTKEYS); charptr = &options->host_key_files[*intptr]; -parse_filename: + parse_filename: arg = strdelim(&cp); if (!arg || *arg == '\0') fatal("%s line %d: missing file name.", @@ -819,7 +823,7 @@ parse_filename: case sIgnoreRhosts: intptr = &options->ignore_rhosts; -parse_flag: + parse_flag: arg = strdelim(&cp); if (!arg || *arg == '\0') fatal("%s line %d: missing yes/no argument.", @@ -1155,6 +1159,10 @@ parse_flag: intptr = &options->max_authtries; goto parse_int; + case sMaxSessions: + intptr = &options->max_sessions; + goto parse_int; + case sBanner: charptr = &options->banner; goto parse_filename; @@ -1382,6 +1390,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(x11_display_offset); M_CP_INTOPT(x11_forwarding); M_CP_INTOPT(x11_use_localhost); + M_CP_INTOPT(max_sessions); M_CP_STROPT(banner); if (preauth) diff --git a/servconf.h b/servconf.h index aaf87cd18..819a028c8 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.83 2008/05/07 05:49:37 pyr Exp $ */ +/* $OpenBSD: servconf.h,v 1.84 2008/05/08 12:21:16 djm Exp $ */ /* * Author: Tatu Ylonen @@ -35,6 +35,7 @@ #define PERMIT_YES 3 #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ +#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ /* Magic name for internal sftp-server */ #define INTERNAL_SFTP_NAME "internal-sftp" @@ -123,6 +124,7 @@ typedef struct { int max_startups_rate; int max_startups; int max_authtries; + int max_sessions; char *banner; /* SSH-2 banner message */ int use_dns; int client_alive_interval; /* diff --git a/session.c b/session.c index ca04a4532..c8ed25234 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.236 2008/05/08 12:02:23 djm Exp $ */ +/* $OpenBSD: session.c,v 1.237 2008/05/08 12:21:16 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -102,9 +102,9 @@ void session_set_fds(Session *, int, int, int); void session_pty_cleanup(Session *); void session_proctitle(Session *); int session_setup_x11fwd(Session *); -void do_exec_pty(Session *, const char *); -void do_exec_no_pty(Session *, const char *); -void do_exec(Session *, const char *); +int do_exec_pty(Session *, const char *); +int do_exec_no_pty(Session *, const char *); +int do_exec(Session *, const char *); void do_login(Session *, const char *); #ifdef LOGIN_NEEDS_UTMPX static void do_pre_login(Session *s); @@ -132,8 +132,9 @@ extern Buffer loginmsg; const char *original_command = NULL; /* data */ -#define MAX_SESSIONS 20 -Session sessions[MAX_SESSIONS]; +static int sessions_first_unused = -1; +static int sessions_nalloc = 0; +static Session *sessions = NULL; #define SUBSYSTEM_NONE 0 #define SUBSYSTEM_EXT 1 @@ -167,7 +168,7 @@ static int auth_input_request_forwarding(struct passwd * pw) { Channel *nc; - int sock; + int sock = -1; struct sockaddr_un sunaddr; if (auth_sock_name != NULL) { @@ -179,43 +180,48 @@ auth_input_request_forwarding(struct passwd * pw) temporarily_use_uid(pw); /* Allocate a buffer for the socket name, and format the name. */ - auth_sock_name = xmalloc(MAXPATHLEN); - auth_sock_dir = xmalloc(MAXPATHLEN); - strlcpy(auth_sock_dir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN); + auth_sock_dir = xstrdup("/tmp/ssh-XXXXXXXXXX"); /* Create private directory for socket */ if (mkdtemp(auth_sock_dir) == NULL) { packet_send_debug("Agent forwarding disabled: " "mkdtemp() failed: %.100s", strerror(errno)); restore_uid(); - xfree(auth_sock_name); xfree(auth_sock_dir); - auth_sock_name = NULL; auth_sock_dir = NULL; - return 0; + goto authsock_err; } - snprintf(auth_sock_name, MAXPATHLEN, "%s/agent.%ld", - auth_sock_dir, (long) getpid()); + + xasprintf(&auth_sock_name, "%s/agent.%ld", + auth_sock_dir, (long) getpid()); /* Create the socket. */ sock = socket(AF_UNIX, SOCK_STREAM, 0); - if (sock < 0) - packet_disconnect("socket: %.100s", strerror(errno)); + if (sock < 0) { + error("socket: %.100s", strerror(errno)); + restore_uid(); + goto authsock_err; + } /* Bind it to the name. */ memset(&sunaddr, 0, sizeof(sunaddr)); sunaddr.sun_family = AF_UNIX; strlcpy(sunaddr.sun_path, auth_sock_name, sizeof(sunaddr.sun_path)); - if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) - packet_disconnect("bind: %.100s", strerror(errno)); + if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) { + error("bind: %.100s", strerror(errno)); + restore_uid(); + goto authsock_err; + } /* Restore the privileged uid. */ restore_uid(); /* Start listening on the socket. */ - if (listen(sock, SSH_LISTEN_BACKLOG) < 0) - packet_disconnect("listen: %.100s", strerror(errno)); + if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { + error("listen: %.100s", strerror(errno)); + goto authsock_err; + } /* Allocate a channel for the authentication agent socket. */ nc = channel_new("auth socket", @@ -224,6 +230,19 @@ auth_input_request_forwarding(struct passwd * pw) 0, "auth socket", 1); strlcpy(nc->path, auth_sock_name, sizeof(nc->path)); return 1; + + authsock_err: + if (auth_sock_name != NULL) + xfree(auth_sock_name); + if (auth_sock_dir != NULL) { + rmdir(auth_sock_dir); + xfree(auth_sock_dir); + } + if (sock != -1) + close(sock); + auth_sock_name = NULL; + auth_sock_dir = NULL; + return 0; } static void @@ -373,10 +392,14 @@ do_authenticated1(Authctxt *authctxt) if (type == SSH_CMSG_EXEC_CMD) { command = packet_get_string(&dlen); debug("Exec command '%.500s'", command); - do_exec(s, command); + if (do_exec(s, command) != 0) + packet_disconnect( + "command execution failed"); xfree(command); } else { - do_exec(s, NULL); + if (do_exec(s, NULL) != 0) + packet_disconnect( + "shell execution failed"); } packet_check_eom(); session_close(s); @@ -401,41 +424,84 @@ do_authenticated1(Authctxt *authctxt) } } +#define USE_PIPES /* * This is called to fork and execute a command when we have no tty. This * will call do_child from the child, and server_loop from the parent after * setting up file descriptors and such. */ -void +int do_exec_no_pty(Session *s, const char *command) { pid_t pid; #ifdef USE_PIPES int pin[2], pout[2], perr[2]; + /* Allocate pipes for communicating with the program. */ - if (pipe(pin) < 0 || pipe(pout) < 0 || pipe(perr) < 0) - packet_disconnect("Could not create pipes: %.100s", - strerror(errno)); -#else /* USE_PIPES */ + if (pipe(pin) < 0) { + error("%s: pipe in: %.100s", __func__, strerror(errno)); + return -1; + } + if (pipe(pout) < 0) { + error("%s: pipe out: %.100s", __func__, strerror(errno)); + close(pin[0]); + close(pin[1]); + return -1; + } + if (pipe(perr) < 0) { + error("%s: pipe err: %.100s", __func__, strerror(errno)); + close(pin[0]); + close(pin[1]); + close(pout[0]); + close(pout[1]); + return -1; + } +#else int inout[2], err[2]; + /* Uses socket pairs to communicate with the program. */ - if (socketpair(AF_UNIX, SOCK_STREAM, 0, inout) < 0 || - socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0) - packet_disconnect("Could not create socket pairs: %.100s", - strerror(errno)); -#endif /* USE_PIPES */ + if (socketpair(AF_UNIX, SOCK_STREAM, 0, inout) < 0) { + error("%s: socketpair #1: %.100s", __func__, strerror(errno)); + return -1; + } + if (socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0) { + error("%s: socketpair #2: %.100s", __func__, strerror(errno)); + close(inout[0]); + close(inout[1]); + return -1; + } +#endif + if (s == NULL) fatal("do_exec_no_pty: no session"); session_proctitle(s); /* Fork the child. */ - if ((pid = fork()) == 0) { + switch ((pid = fork())) { + case -1: + error("%s: fork: %.100s", __func__, strerror(errno)); +#ifdef USE_PIPES + close(pin[0]); + close(pin[1]); + close(pout[0]); + close(pout[1]); + close(perr[0]); + close(perr[1]); +#else + close(inout[0]); + close(inout[1]); + close(err[0]); + close(err[1]); +#endif + return -1; + case 0: is_child = 1; /* Child. Reinitialize the log since the pid has changed. */ - log_init(__progname, options.log_level, options.log_facility, log_stderr); + log_init(__progname, options.log_level, + options.log_facility, log_stderr); /* * Create a new session and process group since the 4.4BSD @@ -465,7 +531,7 @@ do_exec_no_pty(Session *s, const char *command) if (dup2(perr[1], 2) < 0) perror("dup2 stderr"); close(perr[1]); -#else /* USE_PIPES */ +#else /* * Redirect stdin, stdout, and stderr. Stdin and stdout will * use the same socket, as some programs (particularly rdist) @@ -475,11 +541,14 @@ do_exec_no_pty(Session *s, const char *command) close(err[1]); if (dup2(inout[0], 0) < 0) /* stdin */ perror("dup2 stdin"); - if (dup2(inout[0], 1) < 0) /* stdout. Note: same socket as stdin. */ + if (dup2(inout[0], 1) < 0) /* stdout (same as stdin) */ perror("dup2 stdout"); + close(inout[0]); if (dup2(err[0], 2) < 0) /* stderr */ perror("dup2 stderr"); -#endif /* USE_PIPES */ + close(err[0]); +#endif + #ifdef _UNICOS cray_init_job(s->pw); /* set up cray jid and tmpdir */ @@ -488,7 +557,10 @@ do_exec_no_pty(Session *s, const char *command) /* Do processing for the child (exec command etc). */ do_child(s, command); /* NOTREACHED */ + default: + break; } + #ifdef _UNICOS signal(WJSIGNAL, cray_job_termination_handler); #endif /* _UNICOS */ @@ -496,11 +568,18 @@ do_exec_no_pty(Session *s, const char *command) if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); #endif - if (pid < 0) - packet_disconnect("fork failed: %.100s", strerror(errno)); + s->pid = pid; /* Set interactive/non-interactive mode. */ packet_set_interactive(s->display != NULL); + + /* + * Clear loginmsg, since it's the child's responsibility to display + * it to the user, otherwise multiple sessions may accumulate + * multiple copies of the login messages. + */ + buffer_clear(&loginmsg); + #ifdef USE_PIPES /* We are the parent. Close the child sides of the pipes. */ close(pin[0]); @@ -518,29 +597,26 @@ do_exec_no_pty(Session *s, const char *command) server_loop(pid, pin[1], pout[0], perr[0]); /* server_loop has closed pin[1], pout[0], and perr[0]. */ } -#else /* USE_PIPES */ +#else /* We are the parent. Close the child sides of the socket pairs. */ close(inout[0]); close(err[0]); - /* - * Clear loginmsg, since it's the child's responsibility to display - * it to the user, otherwise multiple sessions may accumulate - * multiple copies of the login messages. - */ - buffer_clear(&loginmsg); - /* * Enter the interactive session. Note: server_loop must be able to * handle the case that fdin and fdout are the same. */ if (compat20) { - session_set_fds(s, inout[1], inout[1], s->is_subsystem ? -1 : err[1]); + session_set_fds(s, inout[1], inout[1], + s->is_subsystem ? -1 : err[1]); + if (s->is_subsystem) + close(err[1]); } else { server_loop(pid, inout[1], inout[1], err[1]); /* server_loop has closed inout[1] and err[1]. */ } -#endif /* USE_PIPES */ +#endif + return 0; } /* @@ -549,7 +625,7 @@ do_exec_no_pty(Session *s, const char *command) * setting up file descriptors, controlling tty, updating wtmp, utmp, * lastlog, and other such operations. */ -void +int do_exec_pty(Session *s, const char *command) { int fdout, ptyfd, ttyfd, ptymaster; @@ -560,12 +636,46 @@ do_exec_pty(Session *s, const char *command) ptyfd = s->ptyfd; ttyfd = s->ttyfd; + /* + * Create another descriptor of the pty master side for use as the + * standard input. We could use the original descriptor, but this + * simplifies code in server_loop. The descriptor is bidirectional. + * Do this before forking (and cleanup in the child) so as to + * detect and gracefully fail out-of-fd conditions. + */ + if ((fdout = dup(ptyfd)) < 0) { + error("%s: dup #1: %s", __func__, strerror(errno)); + close(ttyfd); + close(ptyfd); + return -1; + } + /* we keep a reference to the pty master */ + if ((ptymaster = dup(ptyfd)) < 0) { + error("%s: dup #2: %s", __func__, strerror(errno)); + close(ttyfd); + close(ptyfd); + close(fdout); + return -1; + } + /* Fork the child. */ - if ((pid = fork()) == 0) { + switch ((pid = fork())) { + case -1: + error("%s: fork: %.100s", __func__, strerror(errno)); + close(fdout); + close(ptymaster); + close(ttyfd); + close(ptyfd); + return -1; + case 0: is_child = 1; + close(fdout); + close(ptymaster); + /* Child. Reinitialize the log because the pid has changed. */ - log_init(__progname, options.log_level, options.log_facility, log_stderr); + log_init(__progname, options.log_level, + options.log_facility, log_stderr); /* Close the master side of the pseudo tty. */ close(ptyfd); @@ -596,11 +706,16 @@ do_exec_pty(Session *s, const char *command) do_pre_login(s); # endif #endif - - /* Do common processing for the child, such as execing the command. */ - do_child(s, command); - /* NOTREACHED */ + /* + * Do common processing for the child, such as execing + * the command. + */ + do_child(s, command); + /* NOTREACHED */ + default: + break; } + #ifdef _UNICOS signal(WJSIGNAL, cray_job_termination_handler); #endif /* _UNICOS */ @@ -608,29 +723,14 @@ do_exec_pty(Session *s, const char *command) if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); #endif - if (pid < 0) - packet_disconnect("fork failed: %.100s", strerror(errno)); + s->pid = pid; /* Parent. Close the slave side of the pseudo tty. */ close(ttyfd); - /* - * Create another descriptor of the pty master side for use as the - * standard input. We could use the original descriptor, but this - * simplifies code in server_loop. The descriptor is bidirectional. - */ - fdout = dup(ptyfd); - if (fdout < 0) - packet_disconnect("dup #1 failed: %.100s", strerror(errno)); - - /* we keep a reference to the pty master */ - ptymaster = dup(ptyfd); - if (ptymaster < 0) - packet_disconnect("dup #2 failed: %.100s", strerror(errno)); - s->ptymaster = ptymaster; - /* Enter interactive session. */ + s->ptymaster = ptymaster; packet_set_interactive(1); if (compat20) { session_set_fds(s, ptyfd, fdout, -1); @@ -638,6 +738,7 @@ do_exec_pty(Session *s, const char *command) server_loop(pid, ptyfd, fdout, -1); /* server_loop _has_ closed ptyfd and fdout. */ } + return 0; } #ifdef LOGIN_NEEDS_UTMPX @@ -672,9 +773,11 @@ do_pre_login(Session *s) * This is called to fork and execute a command. If another command is * to be forced, execute that instead. */ -void +int do_exec(Session *s, const char *command) { + int ret; + if (options.adm_forced_command) { original_command = command; command = options.adm_forced_command; @@ -705,9 +808,9 @@ do_exec(Session *s, const char *command) } #endif if (s->ttyfd != -1) - do_exec_pty(s, command); + ret = do_exec_pty(s, command); else - do_exec_no_pty(s, command); + ret = do_exec_no_pty(s, command); original_command = NULL; @@ -717,6 +820,8 @@ do_exec(Session *s, const char *command) * multiple copies of the login messages. */ buffer_clear(&loginmsg); + + return ret; } /* administrative, login(1)-like work */ @@ -1740,43 +1845,79 @@ do_child(Session *s, const char *command) exit(1); } +void +session_unused(int id) +{ + debug3("%s: session id %d unused", __func__, id); + if (id >= options.max_sessions || + id >= sessions_nalloc) { + fatal("%s: insane session id %d (max %d nalloc %d)", + __func__, id, options.max_sessions, sessions_nalloc); + } + bzero(&sessions[id], sizeof(*sessions)); + sessions[id].self = id; + sessions[id].used = 0; + sessions[id].chanid = -1; + sessions[id].ptyfd = -1; + sessions[id].ttyfd = -1; + sessions[id].ptymaster = -1; + sessions[id].x11_chanids = NULL; + sessions[id].next_unused = sessions_first_unused; + sessions_first_unused = id; +} + Session * session_new(void) { - int i; - static int did_init = 0; - if (!did_init) { - debug("session_new: init"); - for (i = 0; i < MAX_SESSIONS; i++) { - sessions[i].used = 0; + Session *s, *tmp; + + if (sessions_first_unused == -1) { + if (sessions_nalloc >= options.max_sessions) + return NULL; + debug2("%s: allocate (allocated %d max %d)", + __func__, sessions_nalloc, options.max_sessions); + tmp = xrealloc(sessions, sessions_nalloc + 1, + sizeof(*sessions)); + if (tmp == NULL) { + error("%s: cannot allocate %d sessions", + __func__, sessions_nalloc + 1); + return NULL; } - did_init = 1; + sessions = tmp; + session_unused(sessions_nalloc++); } - for (i = 0; i < MAX_SESSIONS; i++) { - Session *s = &sessions[i]; - if (! s->used) { - memset(s, 0, sizeof(*s)); - s->chanid = -1; - s->ptyfd = -1; - s->ttyfd = -1; - s->used = 1; - s->self = i; - s->x11_chanids = NULL; - debug("session_new: session %d", i); - return s; - } + + if (sessions_first_unused >= sessions_nalloc || + sessions_first_unused < 0) { + fatal("%s: insane first_unused %d max %d nalloc %d", + __func__, sessions_first_unused, options.max_sessions, + sessions_nalloc); } - return NULL; + + s = &sessions[sessions_first_unused]; + if (s->used) { + fatal("%s: session %d already used", + __func__, sessions_first_unused); + } + sessions_first_unused = s->next_unused; + s->used = 1; + s->next_unused = -1; + debug("session_new: session %d", s->self); + + return s; } static void session_dump(void) { int i; - for (i = 0; i < MAX_SESSIONS; i++) { + for (i = 0; i < sessions_nalloc; i++) { Session *s = &sessions[i]; - debug("dump: used %d session %d %p channel %d pid %ld", + + debug("dump: used %d next_unused %d session %d %p " + "channel %d pid %ld", s->used, + s->next_unused, s->self, s, s->chanid, @@ -1806,7 +1947,7 @@ Session * session_by_tty(char *tty) { int i; - for (i = 0; i < MAX_SESSIONS; i++) { + for (i = 0; i < sessions_nalloc; i++) { Session *s = &sessions[i]; if (s->used && s->ttyfd != -1 && strcmp(s->tty, tty) == 0) { debug("session_by_tty: session %d tty %s", i, tty); @@ -1822,10 +1963,11 @@ static Session * session_by_channel(int id) { int i; - for (i = 0; i < MAX_SESSIONS; i++) { + for (i = 0; i < sessions_nalloc; i++) { Session *s = &sessions[i]; if (s->used && s->chanid == id) { - debug("session_by_channel: session %d channel %d", i, id); + debug("session_by_channel: session %d channel %d", + i, id); return s; } } @@ -1839,7 +1981,7 @@ session_by_x11_channel(int id) { int i, j; - for (i = 0; i < MAX_SESSIONS; i++) { + for (i = 0; i < sessions_nalloc; i++) { Session *s = &sessions[i]; if (s->x11_chanids == NULL || !s->used) @@ -1862,7 +2004,7 @@ session_by_pid(pid_t pid) { int i; debug("session_by_pid: pid %ld", (long)pid); - for (i = 0; i < MAX_SESSIONS; i++) { + for (i = 0; i < sessions_nalloc; i++) { Session *s = &sessions[i]; if (s->used && s->pid == pid) return s; @@ -1918,7 +2060,8 @@ session_pty_req(Session *s) /* Allocate a pty and open it. */ debug("Allocating pty."); - if (!PRIVSEP(pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)))) { + if (!PRIVSEP(pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, + sizeof(s->tty)))) { if (s->term) xfree(s->term); s->term = NULL; @@ -1971,8 +2114,7 @@ session_subsystem_req(Session *s) s->is_subsystem = SUBSYSTEM_EXT; } debug("subsystem: exec() %s", cmd); - do_exec(s, cmd); - success = 1; + success = do_exec(s, cmd) == 0; break; } } @@ -2015,19 +2157,19 @@ static int session_shell_req(Session *s) { packet_check_eom(); - do_exec(s, NULL); - return 1; + return do_exec(s, NULL) == 0; } static int session_exec_req(Session *s) { - u_int len; + u_int len, success; + char *command = packet_get_string(&len); packet_check_eom(); - do_exec(s, command); + success = do_exec(s, command) == 0; xfree(command); - return 1; + return success; } static int @@ -2037,8 +2179,7 @@ session_break_req(Session *s) packet_get_int(); /* ignored */ packet_check_eom(); - if (s->ttyfd == -1 || - tcsendbreak(s->ttyfd, 0) < 0) + if (s->ttyfd == -1 || tcsendbreak(s->ttyfd, 0) < 0) return 0; return 1; } @@ -2185,8 +2326,9 @@ session_pty_cleanup2(Session *s) * the pty cleanup, so that another process doesn't get this pty * while we're still cleaning up. */ - if (close(s->ptymaster) < 0) - error("close(s->ptymaster/%d): %s", s->ptymaster, strerror(errno)); + if (s->ptymaster != -1 && close(s->ptymaster) < 0) + error("close(s->ptymaster/%d): %s", + s->ptymaster, strerror(errno)); /* unlink pty from session */ s->ttyfd = -1; @@ -2346,7 +2488,6 @@ session_close(Session *s) xfree(s->auth_data); if (s->auth_proto) xfree(s->auth_proto); - s->used = 0; if (s->env != NULL) { for (i = 0; i < s->num_env; i++) { xfree(s->env[i].name); @@ -2355,6 +2496,7 @@ session_close(Session *s) xfree(s->env); } session_proctitle(s); + session_unused(s->self); } void @@ -2418,7 +2560,7 @@ void session_destroy_all(void (*closefunc)(Session *)) { int i; - for (i = 0; i < MAX_SESSIONS; i++) { + for (i = 0; i < sessions_nalloc; i++) { Session *s = &sessions[i]; if (s->used) { if (closefunc != NULL) @@ -2437,7 +2579,7 @@ session_tty_list(void) char *cp; buf[0] = '\0'; - for (i = 0; i < MAX_SESSIONS; i++) { + for (i = 0; i < sessions_nalloc; i++) { Session *s = &sessions[i]; if (s->used && s->ttyfd != -1) { diff --git a/session.h b/session.h index ee9338e4f..cbb8e3a32 100644 --- a/session.h +++ b/session.h @@ -1,4 +1,4 @@ -/* $OpenBSD: session.h,v 1.29 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: session.h,v 1.30 2008/05/08 12:21:16 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -31,6 +31,7 @@ typedef struct Session Session; struct Session { int used; int self; + int next_unused; struct passwd *pw; Authctxt *authctxt; pid_t pid; @@ -65,6 +66,7 @@ void do_authenticated(Authctxt *); void do_cleanup(Authctxt *); int session_open(Authctxt *, int); +void session_unused(int); int session_input_channel_req(Channel *, const char *); void session_close_by_pid(pid_t, int); void session_close_by_channel(int, void *); diff --git a/sshd_config b/sshd_config index 1f97a9dcc..c5ee7c8a4 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.78 2008/05/07 06:43:35 pyr Exp $ +# $OpenBSD: sshd_config,v 1.79 2008/05/08 12:21:16 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -41,6 +41,7 @@ Protocol 2 #PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 +#MaxSessions 10 #RSAAuthentication yes #PubkeyAuthentication yes diff --git a/sshd_config.5 b/sshd_config.5 index 99b5621e7..0d8c140bf 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.89 2008/05/07 08:00:14 jmc Exp $ -.Dd $Mdocdate: May 19 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.90 2008/05/08 12:21:16 djm Exp $ +.Dd $Mdocdate: May 8 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -594,6 +594,9 @@ connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6. +.It Cm MaxSessions +Specifies the maximum number of open sessions permitted per network connection. +The default is 10. .It Cm MaxStartups Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. -- cgit v1.2.3 From 2ff1ca56ebee93d2881e4abaab1b8bc84dad4db8 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 19 May 2008 16:04:56 +1000 Subject: - markus@cvs.openbsd.org 2008/05/09 16:16:06 [session.c] re-add the USE_PIPES code and enable it. without pipes shutdown-read from the sshd does not trigger a SIGPIPE when the forked program does a write. ok djm@ (Id sync only, USE_PIPES never left portable OpenSSH) --- ChangeLog | 9 ++++++++- session.c | 2 +- 2 files changed, 9 insertions(+), 2 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index e4cff0070..513fbe243 100644 --- a/ChangeLog +++ b/ChangeLog @@ -120,6 +120,13 @@ - djm@cvs.openbsd.org 2008/05/09 14:26:08 [ssh.c] dingo stole my diff hunk + - markus@cvs.openbsd.org 2008/05/09 16:16:06 + [session.c] + re-add the USE_PIPES code and enable it. + without pipes shutdown-read from the sshd does not trigger + a SIGPIPE when the forked program does a write. + ok djm@ + (Id sync only, USE_PIPES never left portable OpenSSH) 20080403 - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile- @@ -3980,4 +3987,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4927 2008/05/19 06:02:37 djm Exp $ +$Id: ChangeLog,v 1.4928 2008/05/19 06:04:56 djm Exp $ diff --git a/session.c b/session.c index c8ed25234..b4afed6fd 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.237 2008/05/08 12:21:16 djm Exp $ */ +/* $OpenBSD: session.c,v 1.238 2008/05/09 16:16:06 markus Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved -- cgit v1.2.3 From 6051c94a0a7766111ed16f2936b73098fa354661 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 16 Jun 2008 07:53:16 +1000 Subject: - djm@cvs.openbsd.org 2008/06/14 18:33:43 [session.c] suppress the warning message from chdir(homedir) failures when chrooted (bz#1461); ok dtucker --- ChangeLog | 6 +++++- session.c | 15 ++++++++++----- 2 files changed, 15 insertions(+), 6 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index 30e8d2c44..a4ed90296 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,10 @@ - dtucker@cvs.openbsd.org 2008/06/14 17:07:11 [sshd.c] ensure default umask disallows at least group and world write; ok djm@ + - djm@cvs.openbsd.org 2008/06/14 18:33:43 + [session.c] + suppress the warning message from chdir(homedir) failures + when chrooted (bz#1461); ok dtucker 20080614 - (djm) [openbsd-compat/sigact.c] Avoid NULL derefs in ancient sigaction @@ -4379,4 +4383,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5014 2008/06/15 21:50:58 djm Exp $ +$Id: ChangeLog,v 1.5015 2008/06/15 21:53:16 djm Exp $ diff --git a/session.c b/session.c index b4afed6fd..3ea783f63 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.238 2008/05/09 16:16:06 markus Exp $ */ +/* $OpenBSD: session.c,v 1.239 2008/06/14 18:33:43 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1647,6 +1647,7 @@ do_child(Session *s, const char *command) char *argv[ARGV_MAX]; const char *shell, *shell0, *hostname = NULL; struct passwd *pw = s->pw; + int r = 0; /* remove hostkey from the child's memory */ destroy_sensitive_data(); @@ -1762,12 +1763,16 @@ do_child(Session *s, const char *command) /* Change current directory to the user's home directory. */ if (chdir(pw->pw_dir) < 0) { - fprintf(stderr, "Could not chdir to home directory %s: %s\n", - pw->pw_dir, strerror(errno)); + /* Suppress missing homedir warning for chroot case */ #ifdef HAVE_LOGIN_CAP - if (login_getcapbool(lc, "requirehome", 0)) - exit(1); + r = login_getcapbool(lc, "requirehome", 0); #endif + if (r || options.chroot_directory == NULL) + fprintf(stderr, "Could not chdir to home " + "directory %s: %s\n", pw->pw_dir, + strerror(errno)); + if (r) + exit(1); } closefrom(STDERR_FILENO + 1); -- cgit v1.2.3 From d310d51badf6bbd1df56c8a0971d24e2d3e61887 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 16 Jun 2008 07:59:23 +1000 Subject: - djm@cvs.openbsd.org 2008/06/15 20:06:26 [channels.c channels.h session.c] don't call isatty() on a pty master, instead pass a flag down to channel_set_fds() indicating that te fds refer to a tty. Fixes a hang on exit on Solaris (bz#1463) in portable but is actually a generic bug; ok dtucker deraadt markus --- ChangeLog | 8 +++++++- channels.c | 23 +++++++---------------- channels.h | 4 ++-- session.c | 15 +++++++-------- 4 files changed, 23 insertions(+), 27 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index 1a3b3b1a8..77d7739dc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,6 +21,12 @@ - dtucker@cvs.openbsd.org 2008/06/15 16:58:40 [servconf.c sshd_config.5] Allow MaxAuthTries within a Match block. ok djm@ + - djm@cvs.openbsd.org 2008/06/15 20:06:26 + [channels.c channels.h session.c] + don't call isatty() on a pty master, instead pass a flag down to + channel_set_fds() indicating that te fds refer to a tty. Fixes a + hang on exit on Solaris (bz#1463) in portable but is actually + a generic bug; ok dtucker deraadt markus 20080614 - (djm) [openbsd-compat/sigact.c] Avoid NULL derefs in ancient sigaction @@ -4393,4 +4399,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5018 2008/06/15 21:56:20 djm Exp $ +$Id: ChangeLog,v 1.5019 2008/06/15 21:59:23 djm Exp $ diff --git a/channels.c b/channels.c index 04cd6b0a7..b1e544519 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.280 2008/06/12 15:19:17 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.281 2008/06/15 20:06:26 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -221,7 +221,7 @@ channel_lookup(int id) */ static void channel_register_fds(Channel *c, int rfd, int wfd, int efd, - int extusage, int nonblock) + int extusage, int nonblock, int isatty) { /* Update the maximum file descriptor value. */ channel_max_fd = MAX(channel_max_fd, rfd); @@ -237,18 +237,9 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd, c->efd = efd; c->extended_usage = extusage; - /* XXX ugly hack: nonblock is only set by the server */ - if (nonblock && isatty(c->rfd)) { + if ((c->isatty = isatty) != 0) debug2("channel %d: rfd %d isatty", c->self, c->rfd); - c->isatty = 1; - if (!isatty(c->wfd)) { - error("channel %d: wfd %d is not a tty?", - c->self, c->wfd); - } - } else { - c->isatty = 0; - } - c->wfd_isatty = isatty(c->wfd); + c->wfd_isatty = isatty || isatty(c->wfd); /* enable nonblocking mode */ if (nonblock) { @@ -308,7 +299,7 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd, c->ostate = CHAN_OUTPUT_OPEN; c->istate = CHAN_INPUT_OPEN; c->flags = 0; - channel_register_fds(c, rfd, wfd, efd, extusage, nonblock); + channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, 0); c->self = found; c->type = type; c->ctype = ctype; @@ -751,13 +742,13 @@ channel_register_filter(int id, channel_infilter_fn *ifn, void channel_set_fds(int id, int rfd, int wfd, int efd, - int extusage, int nonblock, u_int window_max) + int extusage, int nonblock, int isatty, u_int window_max) { Channel *c = channel_lookup(id); if (c == NULL || c->type != SSH_CHANNEL_LARVAL) fatal("channel_activate for non-larval channel %d.", id); - channel_register_fds(c, rfd, wfd, efd, extusage, nonblock); + channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, isatty); c->type = SSH_CHANNEL_OPEN; c->local_window = c->local_window_max = window_max; packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); diff --git a/channels.h b/channels.h index ec8ea1c40..108b36068 100644 --- a/channels.h +++ b/channels.h @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.95 2008/06/12 15:19:17 djm Exp $ */ +/* $OpenBSD: channels.h,v 1.96 2008/06/15 20:06:26 djm Exp $ */ /* * Author: Tatu Ylonen @@ -188,7 +188,7 @@ struct Channel { Channel *channel_by_id(int); Channel *channel_lookup(int); Channel *channel_new(char *, int, int, int, int, u_int, u_int, int, char *, int); -void channel_set_fds(int, int, int, int, int, int, u_int); +void channel_set_fds(int, int, int, int, int, int, int, u_int); void channel_free(Channel *); void channel_free_all(void); void channel_stop_listening(void); diff --git a/session.c b/session.c index 3ea783f63..d692bc709 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.239 2008/06/14 18:33:43 djm Exp $ */ +/* $OpenBSD: session.c,v 1.240 2008/06/15 20:06:26 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -98,7 +98,7 @@ /* func */ Session *session_new(void); -void session_set_fds(Session *, int, int, int); +void session_set_fds(Session *, int, int, int, int); void session_pty_cleanup(Session *); void session_proctitle(Session *); int session_setup_x11fwd(Session *); @@ -591,7 +591,7 @@ do_exec_no_pty(Session *s, const char *command) close(perr[0]); perr[0] = -1; } - session_set_fds(s, pin[1], pout[0], perr[0]); + session_set_fds(s, pin[1], pout[0], perr[0], 0); } else { /* Enter the interactive session. */ server_loop(pid, pin[1], pout[0], perr[0]); @@ -608,7 +608,7 @@ do_exec_no_pty(Session *s, const char *command) */ if (compat20) { session_set_fds(s, inout[1], inout[1], - s->is_subsystem ? -1 : err[1]); + s->is_subsystem ? -1 : err[1], 0); if (s->is_subsystem) close(err[1]); } else { @@ -733,7 +733,7 @@ do_exec_pty(Session *s, const char *command) s->ptymaster = ptymaster; packet_set_interactive(1); if (compat20) { - session_set_fds(s, ptyfd, fdout, -1); + session_set_fds(s, ptyfd, fdout, -1, 1); } else { server_loop(pid, ptyfd, fdout, -1); /* server_loop _has_ closed ptyfd and fdout. */ @@ -2285,7 +2285,7 @@ session_input_channel_req(Channel *c, const char *rtype) } void -session_set_fds(Session *s, int fdin, int fdout, int fderr) +session_set_fds(Session *s, int fdin, int fdout, int fderr, int isatty) { if (!compat20) fatal("session_set_fds: called for proto != 2.0"); @@ -2298,8 +2298,7 @@ session_set_fds(Session *s, int fdin, int fdout, int fderr) channel_set_fds(s->chanid, fdout, fdin, fderr, fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, - 1, - CHAN_SES_WINDOW_DEFAULT); + 1, isatty, CHAN_SES_WINDOW_DEFAULT); } /* -- cgit v1.2.3 From ed3cdc0a7c6e2a782c1e4a6781f11c1defa494b1 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 16 Jun 2008 23:29:18 +1000 Subject: - dtucker@cvs.openbsd.org 2008/06/16 13:22:53 [session.c channels.c] Rename the isatty argument to is_tty so we don't shadow isatty(3). ok markus@ --- ChangeLog | 9 ++++++++- channels.c | 10 +++++----- session.c | 6 +++--- 3 files changed, 16 insertions(+), 9 deletions(-) (limited to 'session.c') diff --git a/ChangeLog b/ChangeLog index 77d7739dc..0cca9d1e9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20080616 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2008/06/16 13:22:53 + [session.c channels.c] + Rename the isatty argument to is_tty so we don't shadow + isatty(3). ok markus@ + 20080615 - (dtucker) [configure.ac] Enable -fno-builtin-memset when using gcc. - OpenBSD CVS Sync @@ -4399,4 +4406,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5019 2008/06/15 21:59:23 djm Exp $ +$Id: ChangeLog,v 1.5020 2008/06/16 13:29:18 dtucker Exp $ diff --git a/channels.c b/channels.c index b1e544519..64c1ce76d 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.281 2008/06/15 20:06:26 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.282 2008/06/16 13:22:53 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -221,7 +221,7 @@ channel_lookup(int id) */ static void channel_register_fds(Channel *c, int rfd, int wfd, int efd, - int extusage, int nonblock, int isatty) + int extusage, int nonblock, int is_tty) { /* Update the maximum file descriptor value. */ channel_max_fd = MAX(channel_max_fd, rfd); @@ -237,7 +237,7 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd, c->efd = efd; c->extended_usage = extusage; - if ((c->isatty = isatty) != 0) + if ((c->isatty = is_tty) != 0) debug2("channel %d: rfd %d isatty", c->self, c->rfd); c->wfd_isatty = isatty || isatty(c->wfd); @@ -742,13 +742,13 @@ channel_register_filter(int id, channel_infilter_fn *ifn, void channel_set_fds(int id, int rfd, int wfd, int efd, - int extusage, int nonblock, int isatty, u_int window_max) + int extusage, int nonblock, int is_tty, u_int window_max) { Channel *c = channel_lookup(id); if (c == NULL || c->type != SSH_CHANNEL_LARVAL) fatal("channel_activate for non-larval channel %d.", id); - channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, isatty); + channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, is_tty); c->type = SSH_CHANNEL_OPEN; c->local_window = c->local_window_max = window_max; packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); diff --git a/session.c b/session.c index d692bc709..93babf957 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.240 2008/06/15 20:06:26 djm Exp $ */ +/* $OpenBSD: session.c,v 1.241 2008/06/16 13:22:53 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -2285,7 +2285,7 @@ session_input_channel_req(Channel *c, const char *rtype) } void -session_set_fds(Session *s, int fdin, int fdout, int fderr, int isatty) +session_set_fds(Session *s, int fdin, int fdout, int fderr, int is_tty) { if (!compat20) fatal("session_set_fds: called for proto != 2.0"); @@ -2298,7 +2298,7 @@ session_set_fds(Session *s, int fdin, int fdout, int fderr, int isatty) channel_set_fds(s->chanid, fdout, fdin, fderr, fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, - 1, isatty, CHAN_SES_WINDOW_DEFAULT); + 1, is_tty, CHAN_SES_WINDOW_DEFAULT); } /* -- cgit v1.2.3