diff options
Diffstat (limited to 'usr/src')
23 files changed, 215 insertions, 335 deletions
diff --git a/usr/src/cmd/ssh/include/config.h b/usr/src/cmd/ssh/include/config.h index 963aee5bb2..978559f2d0 100644 --- a/usr/src/cmd/ssh/include/config.h +++ b/usr/src/cmd/ssh/include/config.h @@ -28,9 +28,6 @@ extern "C" { /* SCO workaround */ /* #undef BROKEN_SYS_TERMIO_H */ -/* Define if you have SecureWare-based protected password database */ -/* #undef HAVE_SECUREWARE */ - /* If your header files don't define LOGIN_PROGRAM, then use this (detected) */ /* from environment and PATH */ #define LOGIN_PROGRAM_FALLBACK "/usr/bin/login" diff --git a/usr/src/cmd/ssh/include/sshconnect.h b/usr/src/cmd/ssh/include/sshconnect.h index 60404e13e5..74eaccfbbc 100644 --- a/usr/src/cmd/ssh/include/sshconnect.h +++ b/usr/src/cmd/ssh/include/sshconnect.h @@ -1,20 +1,4 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ -/* $OpenBSD: sshconnect.h,v 1.17 2002/06/19 00:27:55 deraadt Exp $ */ - -#ifndef _SSHCONNECT_H -#define _SSHCONNECT_H - -#pragma ident "%Z%%M% %I% %E% SMI" - -#ifdef __cplusplus -extern "C" { -#endif - - -/* * Copyright (c) 2000 Markus Friedl. All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -37,6 +21,19 @@ extern "C" { * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + +/* $OpenBSD: sshconnect.h,v 1.17 2002/06/19 00:27:55 deraadt Exp $ */ + +#ifndef _SSHCONNECT_H +#define _SSHCONNECT_H + +#ifdef __cplusplus +extern "C" { +#endif typedef struct Sensitive Sensitive; struct Sensitive { 
@@ -46,11 +43,11 @@ struct Sensitive { }; int -ssh_connect(const char *, struct sockaddr_storage *, u_short, int, int, +ssh_connect(const char *, struct sockaddr_storage *, ushort_t, int, int, int, const char *); void -ssh_login(Sensitive *, const char *, struct sockaddr *, struct passwd *); +ssh_login(Sensitive *, const char *, struct sockaddr *, char *); int verify_host_key(char *, struct sockaddr *, Key *); int accept_host_key(char *, struct sockaddr *, Key *); @@ -67,15 +64,15 @@ void ssh_put_password(char *); /* * Macros to raise/lower permissions. */ -#define PRIV_START do { \ +#define PRIV_START do { \ int save_errno = errno; \ - (void)seteuid(original_effective_uid); \ + (void) seteuid(original_effective_uid); \ errno = save_errno; \ } while (0) -#define PRIV_END do { \ +#define PRIV_END do { \ int save_errno = errno; \ - (void)seteuid(original_real_uid); \ + (void) seteuid(original_real_uid); \ errno = save_errno; \ } while (0) diff --git a/usr/src/cmd/ssh/include/sshlogin.h b/usr/src/cmd/ssh/include/sshlogin.h index 23ced22a9c..e7d2ee7c89 100644 --- a/usr/src/cmd/ssh/include/sshlogin.h +++ b/usr/src/cmd/ssh/include/sshlogin.h @@ -1,15 +1,3 @@ -/* $OpenBSD: sshlogin.h,v 1.4 2002/08/29 15:57:25 stevesk Exp $ */ - -#ifndef _SSHLOGIN_H -#define _SSHLOGIN_H - -#pragma ident "%Z%%M% %I% %E% SMI" - -#ifdef __cplusplus -extern "C" { -#endif - - /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -22,10 +10,19 @@ extern "C" { * called by a name other than "ssh" or "Secure Shell". */ /* - * Copyright 2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ +/* $OpenBSD: sshlogin.h,v 1.4 2002/08/29 15:57:25 stevesk Exp $ */ + +#ifndef _SSHLOGIN_H +#define _SSHLOGIN_H + +#ifdef __cplusplus +extern "C" { +#endif + void record_login(pid_t pid, const char *ttyname, const char *progname, const char *user); 
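Review bot: The new `ssh_login()` prototype takes a plain `char *` for the user name, but the only thing the callee does with it is `local_user = xstrdup(pw_name)` (sshconnect.c hunk below), so the parameter should be `const char *` — the old `struct passwd *` was not const-correct either, and this signature change is the moment to fix it. Change the declaration to `ssh_login(Sensitive *, const char *, struct sockaddr *, const char *);` and the definition in sshconnect.c to match; the caller in ssh.c passes an `xstrdup()`ed string and needs no change.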
@@ -36,12 +33,6 @@ record_logout(pid_t pid, const char *ttyname, const char *progname, u_long get_last_login_time(uid_t uid, const char *logname, char *buf, u_int bufsize); -#ifdef LOGIN_NEEDS_UTMPX -void -record_utmp_only(pid_t pid, const char *ttyname, const char *user, - const char *host, struct sockaddr *addr); -#endif - #ifdef __cplusplus } #endif diff --git a/usr/src/cmd/ssh/include/sys-tree.h b/usr/src/cmd/ssh/include/sys-tree.h index 93d55e4a2c..fbd31a8f7c 100644 --- a/usr/src/cmd/ssh/include/sys-tree.h +++ b/usr/src/cmd/ssh/include/sys-tree.h @@ -27,8 +27,6 @@ #ifndef _SYS_TREE_H #define _SYS_TREE_H -#pragma ident "%Z%%M% %I% %E% SMI" - #ifdef __cplusplus extern "C" { #endif @@ -384,8 +382,7 @@ struct type *name##_RB_REMOVE(struct name *, struct type *); \ struct type *name##_RB_INSERT(struct name *, struct type *); \ struct type *name##_RB_FIND(struct name *, struct type *); \ struct type *name##_RB_NEXT(struct name *, struct type *); \ -struct type *name##_RB_MINMAX(struct name *, int); \ - \ +struct type *name##_RB_MINMAX(struct name *, int); /* Main rb operation. * Moves node close to the key of elm to top diff --git a/usr/src/cmd/ssh/include/tildexpand.h b/usr/src/cmd/ssh/include/tildexpand.h index c81ceb9c7b..22e95b7779 100644 --- a/usr/src/cmd/ssh/include/tildexpand.h +++ b/usr/src/cmd/ssh/include/tildexpand.h @@ -1,15 +1,3 @@ -/* $OpenBSD: tildexpand.h,v 1.4 2001/06/26 17:27:25 markus Exp $ */ - -#ifndef _TILDEXPAND_H -#define _TILDEXPAND_H - -#pragma ident "%Z%%M% %I% %E% SMI" - -#ifdef __cplusplus -extern "C" { -#endif - - /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -22,6 +10,15 @@ extern "C" { * called by a name other than "ssh" or "Secure Shell". */ +/* $OpenBSD: tildexpand.h,v 1.4 2001/06/26 17:27:25 markus Exp $ */ + +#ifndef _TILDEXPAND_H +#define _TILDEXPAND_H + +#ifdef __cplusplus +extern "C" { +#endif + char *tilde_expand_filename(const char *, uid_t); #ifdef __cplusplus 
diff --git a/usr/src/cmd/ssh/libopenbsd-compat/common/getopt.c b/usr/src/cmd/ssh/libopenbsd-compat/common/getopt.c index 2b32420cd8..f69487950f 100644 --- a/usr/src/cmd/ssh/libopenbsd-compat/common/getopt.c +++ b/usr/src/cmd/ssh/libopenbsd-compat/common/getopt.c @@ -89,16 +89,16 @@ BSDgetopt(nargc, nargv, ostr) if (!*place) ++BSDoptind; if (BSDopterr && *ostr != ':') - (void)fprintf(stderr, - "%s: illegal option -- %c\n", __progname, BSDoptopt); + (void) fprintf(stderr, + gettext("%s: illegal option -- %c\n"), __progname, + BSDoptopt); return (BADCH); } if (*++oli != ':') { /* don't need argument */ BSDoptarg = NULL; if (!*place) ++BSDoptind; - } - else { /* need an argument */ + } else { /* need an argument */ if (*place) /* no white space */ BSDoptarg = place; else if (nargc <= ++BSDoptind) { /* no arg */ @@ -106,13 +106,14 @@ BSDgetopt(nargc, nargv, ostr) if (*ostr == ':') return (BADARG); if (BSDopterr) - (void)fprintf(stderr, + (void) fprintf(stderr, "%s: option requires an argument -- %c\n", __progname, BSDoptopt); return (BADCH); - } - else /* white space */ + /* white space */ + } else BSDoptarg = nargv[BSDoptind]; + place = EMSG; ++BSDoptind; } @@ -120,5 +121,3 @@ BSDgetopt(nargc, nargv, ostr) } #endif /* !defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET) */ - -#pragma ident "%Z%%M% %I% %E% SMI" diff --git a/usr/src/cmd/ssh/libssh/common/authfd.c b/usr/src/cmd/ssh/libssh/common/authfd.c index 5c5e911f06..43fbfbeb3c 100644 --- a/usr/src/cmd/ssh/libssh/common/authfd.c +++ b/usr/src/cmd/ssh/libssh/common/authfd.c @@ -99,7 +99,7 @@ ssh_get_authentication_socket(void) return -1; /* close on exec */ - if (fcntl(sock, F_SETFD, 1) == -1) { + if (fcntl(sock, F_SETFD, FD_CLOEXEC) == -1) { close(sock); return -1; } diff --git a/usr/src/cmd/ssh/libssh/common/g11n.c b/usr/src/cmd/ssh/libssh/common/g11n.c index ac35a1c8c5..558b410c96 100644 --- a/usr/src/cmd/ssh/libssh/common/g11n.c +++ b/usr/src/cmd/ssh/libssh/common/g11n.c 
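Review bot: Only one of the two error messages in `BSDgetopt()` is wrapped in `gettext()`: the `illegal option` text now comes from the message catalog, while `option requires an argument -- %c` in the next hunk is still a bare literal, so two fprintf() calls in the same function are localized inconsistently. A catalog-supplied format string also has to keep exactly one `%s` and one `%c`, in that order, or the fprintf() arguments are misread; a translator note on the msgid such as `/* translators: keep %s (program name) before %c (option letter) */` is worth adding. If the intent is to translate both, wrap the second one as `gettext("%s: option requires an argument -- %c\n")`.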
@@ -576,6 +576,9 @@ g11n_langtag_set_locale_set_intersect(char *langtag_set, char **locale_set) char *s; uint_t do_append, n_langtags, n_locales, n_results, max_results; + if (locale_set == NULL) + return (NULL); + /* count lang tags and locales */ for (n_locales = 0, p = locale_set; p && *p; p++) n_locales++; @@ -668,7 +671,7 @@ g11n_srvr_locale_negotiate(char *clnt_langtags, char **srvr_locales) xfree_split_list(results); err: - if (locales != srvr_locales) + if (locales != NULL && locales != srvr_locales) g11n_freelist(locales); return (result); } diff --git a/usr/src/cmd/ssh/libssh/common/readconf.c b/usr/src/cmd/ssh/libssh/common/readconf.c index fe0b7a3ee8..c289e14d6b 100644 --- a/usr/src/cmd/ssh/libssh/common/readconf.c +++ b/usr/src/cmd/ssh/libssh/common/readconf.c @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -1210,14 +1210,13 @@ parse_forward(int long_form, Forward *fwd, const char *fwdspec) break; } - xfree(p); - if (fwd->listen_port == 0 || (fwd->connect_port == 0 && i > 2)) goto fail_free; + xfree(p); return (i); - fail_free: +fail_free: if (p != NULL) xfree(p); if (fwd->connect_host != NULL) diff --git a/usr/src/cmd/ssh/libssh/common/ssh-gss.c b/usr/src/cmd/ssh/libssh/common/ssh-gss.c index 4de5abb1da..37aeb04873 100644 --- a/usr/src/cmd/ssh/libssh/common/ssh-gss.c +++ b/usr/src/cmd/ssh/libssh/common/ssh-gss.c @@ -21,7 +21,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -741,7 +741,7 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *server_host)
 SSH_GSS_HOSTBASED_SERVICE, server_host);
 
 debug3("%s: snprintf() returned %d, expected %d", __func__, ret,
- name_buf.length + 1);
+ name_buf.length);
 
 ctx->major = gss_import_name(&ctx->minor, &name_buf,
 GSS_C_NT_HOSTBASED_SERVICE, &ctx->desired_name);
diff --git a/usr/src/cmd/ssh/libssh/common/tildexpand.c b/usr/src/cmd/ssh/libssh/common/tildexpand.c
index 6d3850a9ea..5fcd07ebe6 100644
--- a/usr/src/cmd/ssh/libssh/common/tildexpand.c
+++ b/usr/src/cmd/ssh/libssh/common/tildexpand.c
@@ -9,11 +9,15 @@
  * incompatible with the protocol description in the RFC file, it must be
  * called by a name other than "ssh" or "Secure Shell".
  */
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
 
 #include "includes.h"
 RCSID("$OpenBSD: tildexpand.c,v 1.13 2002/06/23 03:25:50 deraadt Exp $");
 
-#pragma ident "%Z%%M% %I% %E% SMI"
+#include <libgen.h>
 
 #include "xmalloc.h"
 #include "log.h"
@@ -27,15 +31,16 @@ char *
 tilde_expand_filename(const char *filename, uid_t my_uid)
 {
 const char *cp;
- u_int userlen;
+ uint_t userlen;
 char *expanded;
 struct passwd *pw;
+ char *pw_dir;
 char user[100];
 int len;
 
 /* Return immediately if no tilde. */
 if (filename[0] != '~')
- return xstrdup(filename);
+ return (xstrdup(filename));
 
 /* Skip the tilde. */
 filename++;
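Review bot: The corrected `debug3()` passes `name_buf.length` to a `%d` conversion; if `name_buf` is a `gss_buffer_desc`, its `length` is a `size_t` under the GSS-API C bindings, so the argument does not match the conversion and the printed value is unreliable on LP64 — cast it, `(int)name_buf.length`, or print it with `%lu` and a cast to `unsigned long`. The hunk also does not show whether `ret` is ever compared with the buffer size before `gss_import_name()` consumes `name_buf`; if the preceding `snprintf()` can truncate a long `server_host`, the imported host-based name silently differs from the host being contacted. `ssh_gssapi_import_name()` starts and ends outside the hunk.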
@@ -46,30 +51,45 @@ tilde_expand_filename(const char *filename, uid_t my_uid) userlen = cp - filename; /* Something after username. */ else userlen = strlen(filename); /* Nothing after username. */ + + /* This is the ~/xyz case with no ~username specification. */ if (userlen == 0) - pw = getpwuid(my_uid); /* Own home directory. */ + pw = getpwuid(my_uid); else { /* Tilde refers to someone elses home directory. */ - if (userlen > sizeof(user) - 1) + if (userlen > sizeof (user) - 1) fatal("User name after tilde too long."); memcpy(user, filename, userlen); user[userlen] = 0; pw = getpwnam(user); } - if (!pw) - fatal("Unknown user %100s.", user); + + /* Use the HOME variable now. */ + if (pw == NULL) { + debug("User account's password entry not found, trying to use " + "the HOME variable."); + if ((pw_dir = getenv("HOME")) == NULL) { + fatal("User account's password entry not found and " + "the HOME variable not set."); + } + } else { + pw_dir = pw->pw_dir; + } /* If referring to someones home directory, return it now. */ - if (!cp) { + if (cp == NULL) { /* Only home directory specified */ - return xstrdup(pw->pw_dir); + return (xstrdup(pw_dir)); } + /* Build a path combining the specified directory and path. */ - len = strlen(pw->pw_dir) + strlen(cp + 1) + 2; + len = strlen(pw_dir) + strlen(cp + 1) + 2; if (len > MAXPATHLEN) - fatal("Home directory too long (%d > %d", len-1, MAXPATHLEN-1); + fatal("Home directory too long (%d > %d)", len - 1, + MAXPATHLEN - 1); + expanded = xmalloc(len); - snprintf(expanded, len, "%s%s%s", pw->pw_dir, - strcmp(pw->pw_dir, "/") ? "/" : "", cp + 1); - return expanded; + snprintf(expanded, len, "%s%s%s", pw_dir, + strcmp(pw_dir, "/") ? "/" : "", cp + 1); + return (expanded); } diff --git a/usr/src/cmd/ssh/ssh/clientloop.c b/usr/src/cmd/ssh/ssh/clientloop.c index e23f081e6a..bd94ebaa26 100644 --- a/usr/src/cmd/ssh/ssh/clientloop.c +++ b/usr/src/cmd/ssh/ssh/clientloop.c 
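Review bot: The `$HOME` fallback fires whenever `pw == NULL`, which includes the `~username/...` branch where `getpwnam(user)` failed for some other account, so `~bob/.ssh/id_rsa` now silently expands under the caller's own `HOME` instead of failing as it did with `fatal("Unknown user ...")`. Limit the fallback to the `userlen == 0` case by adding `if (userlen != 0) fatal("Unknown user %100s.", user);` at the top of the `pw == NULL` block. Because this function lives in libssh, it is also worth confirming that no sshd caller can reach the fallback (OpenSSH expands `AuthorizedKeysFile` through it); there `getenv("HOME")` is the daemon's environment, not the target user's home. The function's declarations are in the previous hunk.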
@@ -857,7 +857,7 @@ process_escapes(Buffer *bin, Buffer *bout, Buffer *berr, char *buf, int len) "%c?\n\ Supported escape sequences:\n\ %c. - terminate connection\n\ -%cB - send break\n\ +%cB - send break (SSH protocol 2 only)\n\ %cC - open a command line\n\ %cR - Request rekey (SSH protocol 2 only)\n\ %c^Z - suspend ssh\n\ diff --git a/usr/src/cmd/ssh/ssh/ssh.c b/usr/src/cmd/ssh/ssh/ssh.c index f951618428..d122875470 100644 --- a/usr/src/cmd/ssh/ssh/ssh.c +++ b/usr/src/cmd/ssh/ssh/ssh.c @@ -39,7 +39,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -223,7 +223,7 @@ int main(int ac, char **av) { int i, opt, exit_status; - char *p, *cp, buf[256]; + char *p, *cp, buf[256], *pw_name, *pw_dir; struct stat st; struct passwd *pw; int dummy; 
@@ -262,14 +262,37 @@ main(int ac, char **av) fatal("setrlimit failed: %.100s", strerror(errno)); } #endif - /* Get user data. */ + /* + * Get user data. It may happen that NIS or LDAP connection breaks down + * during the user's session. We should try to do our best and use the + * HOME and LOGNAME variables. Remember that the SSH client might be the + * only tool available to fix the problem with the naming services. + */ pw = getpwuid(original_real_uid); - if (!pw) { - log("You don't exist, go away!"); - exit(1); + if (pw == NULL) { + if ((pw_dir = getenv("HOME")) == NULL) { + log("User account's password entry not found and HOME " + "not set. Set it manually and try again. " + "Exiting."); + exit(1); + } + log("User account's password entry not found, using " + "the HOME variable."); + + if ((pw_name = getenv("LOGNAME")) == NULL) { + log("Need a local user name but LOGNAME is not set. " + "Set it manually and try again. Exiting."); + exit(1); + } + log("Local user name '%s' set from the LOGNAME variable.", + pw_name); + + pw_dir = xstrdup(pw_dir); + pw_name = xstrdup(pw_name); + } else { + pw_name = xstrdup(pw->pw_name); + pw_dir = xstrdup(pw->pw_dir); } - /* Take a copy of the returned structure. */ - pw = pwcopy(pw); /* * Set our umask to something reasonable, as some files are created @@ -585,7 +608,7 @@ again: fatal("Can't open user config file %.100s: " "%.100s", config, strerror(errno)); } else { - snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, + snprintf(buf, sizeof buf, "%.100s/%.100s", pw_dir, _PATH_SSH_USER_CONFFILE); (void)read_config_file(buf, host, &options); @@ -604,7 +627,7 @@ again: seed_rng(); if (options.user == NULL) - options.user = xstrdup(pw->pw_name); + options.user = xstrdup(pw_name); if (options.hostname != NULL) host = options.hostname; 
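Review bot: `LOGNAME` is user-controlled environment, and the value taken from it becomes `pw_name`, which a later hunk passes to `ssh_login()` as the local user name; in host-based authentication that local name is asserted to the server, which only matches it against `.shosts`/`shosts.equiv`, so a user whose directory-service entry is unreachable could claim another local account. The host-based path and any privileged signing helper are not in this diff, so this is hedged: confirm the helper checks the user name against the real uid, or skip host-based authentication when `pw == NULL`. Separately, `pw` now stays NULL in main() instead of being replaced by `pwcopy()`; the hunks below rewrite the `pw_dir`/`pw_name` uses, but main() continues beyond them, and any surviving `pw->` access would dereference NULL. A comment at the end of the fallback, `/* pw may be NULL from here on; use only pw_name and pw_dir */`, would make that constraint visible to the next maintainer.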
@@ -699,7 +722,9 @@ again: * Now that we are back to our own permissions, create ~/.ssh * directory if it doesn\'t already exist. */ - snprintf(buf, sizeof buf, "%.100s%s%.100s", pw->pw_dir, strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR); + snprintf(buf, sizeof buf, "%.100s%s%.100s", pw_dir, + strcmp(pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR); + xfree(pw_dir); if (stat(buf, &st) < 0) if (mkdir(buf, 0700) < 0) error("Could not create directory '%.200s'.", buf); @@ -721,7 +746,8 @@ again: signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */ /* Log into the remote system. This never returns if the login fails. */ - ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr, pw); + ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr, pw_name); + xfree(pw_name); /* We no longer need the private host keys. Clear them now. */ if (sensitive_data.nkeys != 0) { diff --git a/usr/src/cmd/ssh/ssh/sshconnect.c b/usr/src/cmd/ssh/ssh/sshconnect.c index 98d6831c5b..f7931d6257 100644 --- a/usr/src/cmd/ssh/ssh/sshconnect.c +++ b/usr/src/cmd/ssh/ssh/sshconnect.c @@ -12,7 +12,7 @@ * called by a name other than "ssh" or "Secure Shell". */ /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -315,7 +315,7 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr, */ int ssh_connect(const char *host, struct sockaddr_storage * hostaddr, - u_short port, int family, int connection_attempts, + ushort_t port, int family, int connection_attempts, int needpriv, const char *proxy_command) { int gaierr; 
@@ -966,12 +966,12 @@ accept_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) */ void ssh_login(Sensitive *sensitive, const char *orighost, - struct sockaddr *hostaddr, struct passwd *pw) + struct sockaddr *hostaddr, char *pw_name) { char *host, *cp; char *server_user, *local_user; - local_user = xstrdup(pw->pw_name); + local_user = xstrdup(pw_name); server_user = options.user ? options.user : local_user; /* Convert the user-supplied hostname into all lowercase. */ @@ -1009,6 +1009,9 @@ ssh_login(Sensitive *sensitive, const char *orighost, ssh_kex(host, hostaddr); ssh_userauth1(local_user, server_user, host, sensitive); } + + xfree(host); + xfree(local_user); } void diff --git a/usr/src/cmd/ssh/ssh/sshconnect1.c b/usr/src/cmd/ssh/ssh/sshconnect1.c index bd3b24e39d..19cdd84cb6 100644 --- a/usr/src/cmd/ssh/ssh/sshconnect1.c +++ b/usr/src/cmd/ssh/ssh/sshconnect1.c @@ -1,8 +1,4 @@ /* - * Copyright 2003 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ -/* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved @@ -15,12 +11,14 @@ * incompatible with the protocol description in the RFC file, it must be * called by a name other than "ssh" or "Secure Shell". */ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ #include "includes.h" RCSID("$OpenBSD: sshconnect1.c,v 1.52 2002/08/08 13:50:23 aaron Exp $"); -#pragma ident "%Z%%M% %I% %E% SMI" - #include <openssl/bn.h> #include <openssl/md5.h> @@ -1275,7 +1273,7 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host, goto success; } /* All authentication methods have failed. Exit with an error message. */ - fatal("Permission denied."); + fatal("Permission denied (all authentication methods have failed)."); /* NOTREACHED */ success: 
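Review bot: `xfree(host)` at the end of `ssh_login()` is only safe if nothing retained that pointer: `host` is the lowercased copy handed to `ssh_kex2()`/`ssh_kex()` and the host-key verification earlier in the function (those calls sit between the two hunks), and a GSS-API key-exchange implementation may keep the server name for rekeying. Verify that `ssh_kex2()` copies the name (e.g. with `xstrdup`) rather than storing `host` itself; if it stores it, a later rekey reads freed memory. `server_user` can alias `local_user` (`options.user ? options.user : local_user`), which is harmless here because nothing uses it after the free, but a comment `/* server_user may alias local_user; neither is used past this point */` above the frees would record that assumption.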
diff --git a/usr/src/cmd/ssh/ssh/sshconnect2.c b/usr/src/cmd/ssh/ssh/sshconnect2.c index 77d1bbd690..e485355b6a 100644 --- a/usr/src/cmd/ssh/ssh/sshconnect2.c +++ b/usr/src/cmd/ssh/ssh/sshconnect2.c @@ -1625,7 +1625,6 @@ static char *preferred = NULL; static Authmethod * authmethod_get(char *authlist) { - char *name = NULL; u_int next; @@ -1657,8 +1656,10 @@ authmethod_get(char *authlist) authmethod_is_enabled(current)) { debug3("authmethod_is_enabled %s", name); debug("Next authentication method: %s", name); + xfree(name); return current; } + xfree(name); } } diff --git a/usr/src/cmd/ssh/sshd/auth-passwd.c b/usr/src/cmd/ssh/sshd/auth-passwd.c index af4635bef8..815231d4d4 100644 --- a/usr/src/cmd/ssh/sshd/auth-passwd.c +++ b/usr/src/cmd/ssh/sshd/auth-passwd.c @@ -38,8 +38,6 @@ #include "includes.h" RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $"); -#pragma ident "%Z%%M% %I% %E% SMI" - #include "packet.h" #include "log.h" #include "servconf.h" @@ -57,11 +55,6 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $"); # include <hpsecurity.h> # include <prot.h> # endif -# ifdef HAVE_SECUREWARE -# include <sys/security.h> -# include <sys/audit.h> -# include <prot.h> -# endif /* HAVE_SECUREWARE */ # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) # include <shadow.h> # endif @@ -107,9 +100,6 @@ auth_password(Authctxt *authctxt, const char *password) char *encrypted_password; char *pw_password; char *salt; -#if defined(__hpux) || defined(HAVE_SECUREWARE) - struct pr_passwd *spw; -#endif /* __hpux || HAVE_SECUREWARE */ #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) struct spwd *spw; #endif 
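Review bot: The first hunk removes the local `char *name = NULL;` from `authmethod_get()` while the second hunk still assigns to and frees `name`, so the identifier now binds to a declaration outside the hunk, presumably a file-scope static next to `preferred`. If that static is read anywhere else, the `xfree(name)` added on both paths leaves it dangling; either keep the local declaration or set `name = NULL;` after each `xfree(name)`. The function body continues past the hunk.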
@@ -192,16 +182,6 @@ auth_password(Authctxt *authctxt, const char *password) pw_password = spw->pwa_passwd; #endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */ -#ifdef HAVE_SECUREWARE - if ((spw = getprpwnam(pw->pw_name)) != NULL) - pw_password = spw->ufld.fd_encrypt; -#endif /* HAVE_SECUREWARE */ - -#if defined(__hpux) && !defined(HAVE_SECUREWARE) - if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL) - pw_password = spw->ufld.fd_encrypt; -#endif /* defined(__hpux) && !defined(HAVE_SECUREWARE) */ - /* Check for users with no password. */ if ((password[0] == '\0') && (pw_password[0] == '\0')) return 1; @@ -217,18 +197,7 @@ auth_password(Authctxt *authctxt, const char *password) else encrypted_password = crypt(password, salt); #else /* HAVE_MD5_PASSWORDS */ -# if defined(__hpux) && !defined(HAVE_SECUREWARE) - if (iscomsec()) - encrypted_password = bigcrypt(password, salt); - else - encrypted_password = crypt(password, salt); -# else -# ifdef HAVE_SECUREWARE - encrypted_password = bigcrypt(password, salt); -# else encrypted_password = crypt(password, salt); -# endif /* HAVE_SECUREWARE */ -# endif /* __hpux && !defined(HAVE_SECUREWARE) */ #endif /* HAVE_MD5_PASSWORDS */ /* Authentication is accepted if the encrypted passwords are identical. */ diff --git a/usr/src/cmd/ssh/sshd/loginrec.c b/usr/src/cmd/ssh/sshd/loginrec.c index 66adaa3d65..33998b02b9 100644 --- a/usr/src/cmd/ssh/sshd/loginrec.c +++ b/usr/src/cmd/ssh/sshd/loginrec.c @@ -1,8 +1,4 @@ /* - * Copyright 2007 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ -/* * Copyright (c) 2000 Andre Lucas. All rights reserved. * Portions copyright (c) 1998 Todd C. Miller * Portions copyright (c) 1996 Jason Downs 
@@ -33,6 +29,10 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ /** ** loginrec.c: platform-independent login recording and lastlog retrieval @@ -169,8 +169,6 @@ RCSID("$Id: loginrec.c,v 1.44 2002/09/26 00:38:49 tim Exp $"); -#pragma ident "%Z%%M% %I% %E% SMI" - #ifdef HAVE_UTIL_H # include <util.h> #endif @@ -459,28 +457,6 @@ login_write (struct logininfo *li) return 0; } -#ifdef LOGIN_NEEDS_UTMPX -int -login_utmp_only(struct logininfo *li) -{ - li->type = LTYPE_LOGIN; - login_set_current_time(li); -# ifdef USE_UTMP - utmp_write_entry(li); -# endif -# ifdef USE_WTMP - wtmp_write_entry(li); -# endif -# ifdef USE_UTMPX - (void) utmpx_write_entry(li); -# endif -# ifdef USE_WTMPX - (void) wtmpx_write_entry(li); -# endif - return 0; -} -#endif - /** ** getlast_entry: Call low-level functions to retrieve the last login ** time. diff --git a/usr/src/cmd/ssh/sshd/servconf.c b/usr/src/cmd/ssh/sshd/servconf.c index 51e0b9bbe7..6d91626b13 100644 --- a/usr/src/cmd/ssh/sshd/servconf.c +++ b/usr/src/cmd/ssh/sshd/servconf.c @@ -119,7 +119,6 @@ initialize_server_options(ServerOptions *options) options->challenge_response_authentication = -1; options->permit_empty_passwd = -1; options->permit_user_env = -1; - options->use_login = -1; options->compression = -1; options->allow_tcp_forwarding = -1; options->num_allow_users = 0; @@ -336,8 +335,6 @@ fill_default_server_options(ServerOptions *options) options->permit_empty_passwd = 0; if (options->permit_user_env == -1) options->permit_user_env = 0; - if (options->use_login == -1) - options->use_login = 0; if (options->compression == -1) options->compression = 1; if (options->allow_tcp_forwarding == -1) 
@@ -876,8 +873,11 @@ parse_flag: goto parse_flag; case sUseLogin: - intptr = &options->use_login; - goto parse_flag; + log("%s line %d: ignoring UseLogin option value." + " This option is always off.", filename, linenum); + while (arg) + arg = strdelim(&cp); + break; case sCompression: intptr = &options->compression; @@ -930,7 +930,7 @@ parse_flag: log("%s line %d: ignoring UsePrivilegeSeparation option value." " This option is always on.", filename, linenum); while (arg) - arg = strdelim(&cp); + arg = strdelim(&cp); break; case sAllowUsers: diff --git a/usr/src/cmd/ssh/sshd/serverloop.c b/usr/src/cmd/ssh/sshd/serverloop.c index c568b3c19c..4cbb76d875 100644 --- a/usr/src/cmd/ssh/sshd/serverloop.c +++ b/usr/src/cmd/ssh/sshd/serverloop.c @@ -111,8 +111,8 @@ notify_setup(void) { if (pipe(notify_pipe) < 0) { error("pipe(notify_pipe) failed %s", strerror(errno)); - } else if ((fcntl(notify_pipe[0], F_SETFD, 1) == -1) || - (fcntl(notify_pipe[1], F_SETFD, 1) == -1)) { + } else if ((fcntl(notify_pipe[0], F_SETFD, FD_CLOEXEC) == -1) || + (fcntl(notify_pipe[1], F_SETFD, FD_CLOEXEC) == -1)) { error("fcntl(notify_pipe, F_SETFD) failed %s", strerror(errno)); (void) close(notify_pipe[0]); (void) close(notify_pipe[1]); diff --git a/usr/src/cmd/ssh/sshd/session.c b/usr/src/cmd/ssh/sshd/session.c index 529b286597..de5b903eea 100644 --- a/usr/src/cmd/ssh/sshd/session.c +++ b/usr/src/cmd/ssh/sshd/session.c @@ -105,9 +105,6 @@ void do_exec_pty(Session *, const char *); void do_exec_no_pty(Session *, const char *); void do_exec(Session *, const char *); void do_login(Session *, const char *); -#ifdef LOGIN_NEEDS_UTMPX -static void do_pre_login(Session *s); -#endif void do_child(Session *, const char *); void do_motd(void); int check_quietlogin(Session *, const char *); 
@@ -656,22 +653,10 @@ do_exec_pty(Session *s, const char *command) close(ttyfd); /* record login, etc. similar to login(1) */ -#if !defined(HAVE_OSF_SIA) - if (!(options.use_login && command == NULL)) { -#ifdef _UNICOS - cray_init_job(s->pw); /* set up cray jid and tmpdir */ -#endif /* _UNICOS */ - do_login(s, command); - } -# ifdef LOGIN_NEEDS_UTMPX - else - do_pre_login(s); -# endif -#endif /* !HAVE_OSF_SIA */ + do_login(s, command); /* - * do_pre_login() will have completed the record_login(), so - * close the pipe to the parent so it can re-enter its event + * Close the pipe to the parent so it can re-enter its event * loop and service the ptm; if enough debug messages get * written to the pty before this happens there will be a * deadlock. @@ -728,34 +713,6 @@ do_exec_pty(Session *s, const char *command) } } -#ifdef LOGIN_NEEDS_UTMPX -static void -do_pre_login(Session *s) -{ - socklen_t fromlen; - struct sockaddr_storage from; - pid_t pid = getpid(); - - /* - * Get IP address of client. If the connection is not a socket, let - * the address be 0.0.0.0. - */ - memset(&from, 0, sizeof(from)); - fromlen = sizeof(from); - if (packet_connection_is_on_socket()) { - if (getpeername(packet_get_connection_in(), - (struct sockaddr *) & from, &fromlen) < 0) { - debug("getpeername: %.100s", strerror(errno)); - fatal_cleanup(); - } - } - - record_utmp_only(pid, s->tty, s->pw->pw_name, - get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping), - (struct sockaddr *)&from); -} -#endif - /* * This is called to fork and execute a command. If another command is * to be forced, execute that instead. 
@@ -1068,47 +1025,45 @@ do_setup_env(Session *s, const char *shell) ssh_gssapi_do_child(xxx_gssctxt, &env,&envsize); #endif - if (!options.use_login) { - /* Set basic environment. */ - child_set_env(&env, &envsize, "USER", pw->pw_name); - child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); - child_set_env(&env, &envsize, "HOME", pw->pw_dir); + /* Set basic environment. */ + child_set_env(&env, &envsize, "USER", pw->pw_name); + child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); + child_set_env(&env, &envsize, "HOME", pw->pw_dir); #ifdef HAVE_LOGIN_CAP - if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0) - child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); - else - child_set_env(&env, &envsize, "PATH", getenv("PATH")); + if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0) + child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); + else + child_set_env(&env, &envsize, "PATH", getenv("PATH")); #else /* HAVE_LOGIN_CAP */ # ifndef HAVE_CYGWIN - /* - * There's no standard path on Windows. The path contains - * important components pointing to the system directories, - * needed for loading shared libraries. So the path better - * remains intact here. - */ + /* + * There's no standard path on Windows. The path contains + * important components pointing to the system directories, + * needed for loading shared libraries. So the path better + * remains intact here. + */ # ifdef SUPERUSER_PATH - child_set_env(&env, &envsize, "PATH", - s->pw->pw_uid == 0 ? SUPERUSER_PATH : _PATH_STDPATH); + child_set_env(&env, &envsize, "PATH", + s->pw->pw_uid == 0 ? 
SUPERUSER_PATH : _PATH_STDPATH); # else - child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); + child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); # endif /* SUPERUSER_PATH */ # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ - pm_len = strlen(path_maildir); - if (path_maildir[pm_len - 1] == '/' && pm_len > 1) - path_maildir[pm_len - 1] = NULL; - snprintf(buf, sizeof buf, "%.200s/%.50s", - path_maildir, pw->pw_name); - child_set_env(&env, &envsize, "MAIL", buf); + pm_len = strlen(path_maildir); + if (path_maildir[pm_len - 1] == '/' && pm_len > 1) + path_maildir[pm_len - 1] = NULL; + snprintf(buf, sizeof buf, "%.200s/%.50s", + path_maildir, pw->pw_name); + child_set_env(&env, &envsize, "MAIL", buf); - /* Normal systems set SHELL by default. */ - child_set_env(&env, &envsize, "SHELL", shell); + /* Normal systems set SHELL by default. */ + child_set_env(&env, &envsize, "SHELL", shell); #ifdef HAVE_DEFOPEN - deflt_do_setup_env(s, shell, &env, &envsize); + deflt_do_setup_env(s, shell, &env, &envsize); #endif /* HAVE_DEFOPEN */ - } #define PASS_ENV(x) \ if (getenv(x)) \ @@ -1135,21 +1090,19 @@ do_setup_env(Session *s, const char *shell) copy_environment(s->env, &env, &envsize); /* Set custom environment options from RSA authentication. */ - if (!options.use_login) { - while (custom_environment) { - struct envstring *ce = custom_environment; - char *str = ce->s; - - for (i = 0; str[i] != '=' && str[i]; i++) - ; - if (str[i] == '=') { - str[i] = 0; - child_set_env(&env, &envsize, str, str + i + 1); - } - custom_environment = ce->next; - xfree(ce->s); - xfree(ce); + while (custom_environment) { + struct envstring *ce = custom_environment; + char *str = ce->s; + + for (i = 0; str[i] != '=' && str[i]; i++) + ; + if (str[i] == '=') { + str[i] = 0; + child_set_env(&env, &envsize, str, str + i + 1); } + custom_environment = ce->next; + xfree(ce->s); + xfree(ce); } /* SSH_CLIENT deprecated */ 
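Review bot: In the re-indented MAIL setup, `if (path_maildir[pm_len - 1] == '/' && pm_len > 1)` indexes the string before the length guard runs, so an empty `path_maildir` reads `path_maildir[-1]`, and the assignment stores the pointer constant `NULL` into a `char`. Reorder the test and use a character constant: `if (pm_len > 1 && path_maildir[pm_len - 1] == '/') path_maildir[pm_len - 1] = '\0';`. The lines were only de-indented by the UseLogin removal, but they are on the new side and this is the cheapest moment to fix them; `do_setup_env()` starts and ends outside the hunk.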
@@ -1217,7 +1170,7 @@ do_setup_env(Session *s, const char *shell) auth_sock_name); /* read $HOME/.ssh/environment. */ - if (options.permit_user_env && !options.use_login) { + if (options.permit_user_env) { snprintf(buf, sizeof buf, "%.200s/.ssh/environment", strcmp(pw->pw_dir, "/") ? pw->pw_dir : ""); read_environment_file(&env, &envsize, buf); @@ -1427,28 +1380,14 @@ do_child(Session *s, const char *command) extern char **environ; char **env; char *argv[ARGV_MAX]; - const char *shell, *shell0, *hostname = NULL; + const char *shell, *shell0; struct passwd *pw = s->pw; /* remove hostkey from the child's memory */ destroy_sensitive_data(); - /* login(1) is only called if we execute the login shell */ - if (options.use_login && command != NULL) - options.use_login = 0; - -#ifdef _UNICOS - cray_setup(pw->pw_uid, pw->pw_name, command); -#endif /* _UNICOS */ - - /* - * Login(1) does this as well, and it needs uid 0 for the "-h" - * switch, so we let login(1) to this for us. - */ - if (!options.use_login) { - do_nologin(pw); - chroot_if_needed(pw); - } + do_nologin(pw); + chroot_if_needed(pw); /* * Get the shell from the password data. An empty shell field is @@ -1461,10 +1400,6 @@ do_child(Session *s, const char *command) env = do_setup_env(s, shell); - /* we have to stash the hostname before we close our socket. */ - if (options.use_login) - hostname = get_remote_name_or_ip(utmp_len, - options.verify_reverse_mapping); /* * Close the connection descriptors; note that this is the child, and * the server will still have the socket open, and it is important @@ -1533,8 +1468,7 @@ do_child(Session *s, const char *command) strerror(errno)); } - if (!options.use_login) - do_rc_files(s, shell); + do_rc_files(s, shell); /* restore SIGPIPE for child */ signal(SIGPIPE, SIG_DFL); 
@@ -1562,11 +1496,6 @@ do_child(Session *s, const char *command)
 exit(sftp_server_main(i, argv, s->pw));
 }
- if (options.use_login) {
- launch_login(pw, hostname);
- /* NEVERREACHED */
- }
-
 /* Get the last component of the shell name. */
 if ((shell0 = strrchr(shell, '/')) != NULL)
 shell0++;
@@ -2222,7 +2151,7 @@ session_pty_cleanup2(void *session)
 /* Record that the user has logged out. */
 if (s->pid != 0) {
- debug3("Recording SSHv2 channel login in utmpx/wtmpx");
+ debug3("Recording SSHv2 channel logout in utmpx/wtmpx");
 #ifdef ALTPRIVSEP
 altprivsep_record_logout(s->pid);
 #endif /* ALTPRIVSEP */
@@ -2490,11 +2419,6 @@ session_setup_x11fwd(Session *s)
 packet_send_debug("No xauth program; cannot forward with spoofing.");
 return 0;
 }
- if (options.use_login) {
- packet_send_debug("X11 forwarding disabled; "
- "not compatible with UseLogin=yes.");
- return 0;
- }
 if (s->display != NULL) {
 debug("X11 display already set.");
 return 0;
diff --git a/usr/src/cmd/ssh/sshd/sshd.c b/usr/src/cmd/ssh/sshd/sshd.c
index d3b1f0c940..6172234454 100644
--- a/usr/src/cmd/ssh/sshd/sshd.c
+++ b/usr/src/cmd/ssh/sshd/sshd.c
@@ -53,10 +53,6 @@ RCSID("$OpenBSD: sshd.c,v 1.260 2002/09/27 10:42:09 mickey Exp $");
 #include <openssl/md5.h>
 #include <openssl/rand.h>
-#ifdef HAVE_SECUREWARE
-#include <sys/security.h>
-#include <prot.h>
-#endif
 #include "ssh.h"
 #include "ssh1.h"
@@ -847,10 +843,6 @@ main(int ac, char **av)
 (void) g11n_setlocale(LC_ALL, "");
-#ifdef HAVE_SECUREWARE
- (void)set_auth_parameters(ac, av);
-#endif
-
 init_rng();
 /* Save argv. */
@@ -1951,7 +1943,7 @@ prepare_for_ssh2_kex(void)
 if (locales != NULL)
 g11n_freelist(locales);
- if ((myproposal[PROPOSAL_LANG_STOC] != NULL) ||
+ if ((myproposal[PROPOSAL_LANG_STOC] != NULL) &&
 (strcmp(myproposal[PROPOSAL_LANG_STOC], "")) != 0)
 myproposal[PROPOSAL_LANG_CTOS] =
 xstrdup(myproposal[PROPOSAL_LANG_STOC]);
@@ -1963,9 +1955,16 @@ prepare_for_ssh2_kex(void)
 kex = kex_setup(NULL, myproposal, kex_hook);
- if (myproposal[PROPOSAL_LANG_STOC] != NULL)
+ /*
+ * Note that the my_srv_proposal variable (ie., myproposal) is staticly
+ * initialized with "" for the language fields; we must not xfree such
+ * strings.
+ */
+ if (myproposal[PROPOSAL_LANG_STOC] != NULL &&
+ strcmp(myproposal[PROPOSAL_LANG_STOC], "") != 0)
 xfree(myproposal[PROPOSAL_LANG_STOC]);
- if (myproposal[PROPOSAL_LANG_CTOS] != NULL)
+ if (myproposal[PROPOSAL_LANG_CTOS] != NULL &&
+ strcmp(myproposal[PROPOSAL_LANG_STOC], "") != 0)
 xfree(myproposal[PROPOSAL_LANG_CTOS]);
 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
diff --git a/usr/src/cmd/ssh/sshd/sshlogin.c b/usr/src/cmd/ssh/sshd/sshlogin.c
index 396a63ad48..53a3d6e299 100644
--- a/usr/src/cmd/ssh/sshd/sshlogin.c
+++ b/usr/src/cmd/ssh/sshd/sshlogin.c
@@ -38,15 +38,13 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 /*
- * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */
 #include "includes.h"
 RCSID("$OpenBSD: sshlogin.c,v 1.5 2002/08/29 15:57:25 stevesk Exp $");
-#pragma ident "%Z%%M% %I% %E% SMI"
-
 #include "loginrec.h"
 #include "log.h"
 #include "servconf.h"
@@ -73,8 +71,8 @@ get_last_login_time(uid_t uid, const char *logname,
 }
 /*
- * Records that the user has logged in. I these parts of operating systems
- * were more standardized.
+ * Records that the user has logged in. If only these parts of operating
+ * systems were more standardized.
 */
 void
 record_login(pid_t pid, const char *ttyname, const char *progname,
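Review bot: The second guard in prepare_for_ssh2_kex tests the wrong array slot: it checks `myproposal[PROPOSAL_LANG_CTOS] != NULL` but then runs `strcmp(myproposal[PROPOSAL_LANG_STOC], "")`, and when STOC was non-empty that string was just xfree'd two lines earlier, so the strcmp reads freed memory and the decision to release CTOS rests on it. Since CTOS is the entry being released, the condition should be `strcmp(myproposal[PROPOSAL_LANG_CTOS], "") != 0`. The added comment also misspells "staticly"; `statically` is intended. prepare_for_ssh2_kex continues outside the hunk on both sides.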
@@ -114,20 +112,6 @@ record_login(pid_t pid, const char *ttyname, const char *progname,
 login_free_entry(li);
 }
-#ifdef LOGIN_NEEDS_UTMPX
-void
-record_utmp_only(pid_t pid, const char *ttyname, const char *user,
- const char *host, struct sockaddr * addr)
-{
- struct logininfo *li;
-
- li = login_alloc_entry(pid, user, host, ttyname, NULL);
- login_set_addr(li, addr, sizeof(struct sockaddr));
- (void) login_utmp_only(li);
- login_free_entry(li);
-}
-#endif
-
 /* Records that the user has logged out. */
 void
 record_logout(pid_t pid, const char *ttyname, const char *progname, |