authorJan Pechanec <Jan.Pechanec@Sun.COM>2009-03-23 06:46:46 -0700
committerJan Pechanec <Jan.Pechanec@Sun.COM>2009-03-23 06:46:46 -0700
commit6f8d59d8fcaf391990ca04c7bdcf65ab23320fe0 (patch)
tree2cbfb2de5aa13e0c26adf856439b624f7e69fc31 /usr/src/cmd/ssh/include
parentad84d946d04cc1356150710206b0b141a93e935d (diff)
PSARC/2009/155 ChrootDirectory option for SunSSH server
5043377 provide chroot capability in SunSSH 6809398 default PATH in SunSSH should contain "/bin" 6810759 remove md5crypt.c from SunSSH since it's not used 6813038 Subsystem keyword in sshd_config doesn't accept subsystem's options 6772676 ssh default XAuthLocation should be /usr/X11/bin/xauth
Diffstat (limited to 'usr/src/cmd/ssh/include')
-rw-r--r--usr/src/cmd/ssh/include/config.h11
-rw-r--r--usr/src/cmd/ssh/include/misc.h5
-rw-r--r--usr/src/cmd/ssh/include/servconf.h23
-rw-r--r--usr/src/cmd/ssh/include/sftp.h25
-rw-r--r--usr/src/cmd/ssh/include/uidswap.h23
5 files changed, 48 insertions, 39 deletions
diff --git a/usr/src/cmd/ssh/include/config.h b/usr/src/cmd/ssh/include/config.h
index c770bbcc99..963aee5bb2 100644
--- a/usr/src/cmd/ssh/include/config.h
+++ b/usr/src/cmd/ssh/include/config.h
@@ -289,7 +289,7 @@ extern "C" {
#define HAVE_GETPAGESIZE 1
/* Define if xauth is found in your path */
-#define XAUTH_PATH "/usr/openwin/bin/xauth"
+#define XAUTH_PATH "/usr/X11/bin/xauth"
/* Define if rsh is found in your path */
#define RSH_PATH "/usr/bin/rsh"
@@ -352,8 +352,13 @@ extern "C" {
/* Define if you need to use IP address instead of hostname in $DISPLAY */
/* #undef IPADDR_IN_DISPLAY */
-/* Specify default $PATH */
-#define USER_PATH "/usr/bin"
+/*
+ * Specify the default $PATH. While /bin is a symbolic link to /usr/bin in
+ * Solaris, to include both of them there may help when users use
+ * ChrootDirectory options with plain SSH connections, without their own shell
+ * profiles.
+ */
+#define USER_PATH "/usr/bin:/bin"
/* Specify location of ssh.pid */
#define _PATH_SSH_PIDDIR "/var/run"
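Review bot: The new comment above `USER_PATH` says that listing `/bin` "may help" with ChrootDirectory but not why, and it omits the point an administrator needs: inside a chroot both entries resolve relative to the new root, where `/bin` is not necessarily a link to `/usr/bin`. I would state that directly, e.g. `Inside a chroot /bin may be a real directory rather than a link to /usr/bin, so both are listed.` Because this is the PATH handed to sessions that have no profile of their own, it is also worth one sentence saying that both directories in the chroot tree should be owned by root and not writable by the confined user. That requirement is presumably documented with the option itself, which is outside this diff.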
diff --git a/usr/src/cmd/ssh/include/misc.h b/usr/src/cmd/ssh/include/misc.h
index 16f2210291..c626301f84 100644
--- a/usr/src/cmd/ssh/include/misc.h
+++ b/usr/src/cmd/ssh/include/misc.h
@@ -10,7 +10,7 @@
* called by a name other than "ssh" or "Secure Shell".
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -19,8 +19,6 @@
/* $OpenBSD: misc.h,v 1.12 2002/03/19 10:49:35 markus Exp $ */
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#ifdef __cplusplus
extern "C" {
#endif
@@ -35,6 +33,7 @@ char *cleanhostname(char *);
char *hpdelim(char **);
char *colon(char *);
long convtime(const char *);
+char *percent_expand(const char *, ...);
char *tohex(const void *, size_t);
void sanitise_stdfd(void);
int get_yes_no_flag(int *option, const char *arg, const char *filename,
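Review bot: The `percent_expand` prototype added here is variadic and has no comment, so nothing in the header tells a caller how the argument list ends or who owns the returned string. In the OpenSSH function of the same name the variadic part is key/value string pairs ended by a `(char *)NULL` sentinel and the result is heap-allocated. If this port matches (the definition is outside this diff), say so above the declaration, e.g. `/* args: "key", value pairs, ended by (char *)NULL; returns an allocated string the caller frees */`. A forgotten sentinel makes the callee read past the end of the argument list, so a sentinel attribute on the declaration is worth adding where the compiler supports one.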
diff --git a/usr/src/cmd/ssh/include/servconf.h b/usr/src/cmd/ssh/include/servconf.h
index 2199a1b172..f222b8596d 100644
--- a/usr/src/cmd/ssh/include/servconf.h
+++ b/usr/src/cmd/ssh/include/servconf.h
@@ -11,7 +11,7 @@
* called by a name other than "ssh" or "Secure Shell".
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -40,9 +40,12 @@ extern "C" {
#define PERMIT_NO_PASSWD 2
#define PERMIT_YES 3
+/* Magic name for internal sftp-server */
+#define INTERNAL_SFTP_NAME "internal-sftp"
+
typedef struct {
- u_int num_ports;
- u_int ports_from_cmdline;
+ u_int num_ports;
+ u_int ports_from_cmdline;
u_short ports[MAX_PORTS]; /* Port number to listen on. */
char *listen_addr; /* Address on which the server listens. */
struct addrinfo *listen_addrs; /* Addresses on which the server listens. */
@@ -116,18 +119,20 @@ typedef struct {
int use_login; /* If true, login(1) is used */
int compression; /* If true, compression is allowed */
int allow_tcp_forwarding;
- u_int num_allow_users;
+
+ u_int num_allow_users;
char *allow_users[MAX_ALLOW_USERS];
- u_int num_deny_users;
+ u_int num_deny_users;
char *deny_users[MAX_DENY_USERS];
- u_int num_allow_groups;
+ u_int num_allow_groups;
char *allow_groups[MAX_ALLOW_GROUPS];
- u_int num_deny_groups;
+ u_int num_deny_groups;
char *deny_groups[MAX_DENY_GROUPS];
- u_int num_subsystems;
+ u_int num_subsystems;
char *subsystem_name[MAX_SUBSYSTEMS];
char *subsystem_command[MAX_SUBSYSTEMS];
+ char *subsystem_args[MAX_SUBSYSTEMS];
int max_startups_begin;
int max_startups_rate;
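Review bot: `subsystem_args` is added to `ServerOptions` without a comment, beside two other arrays that share the `num_subsystems` index. The header does not say whether an entry holds only the options or the whole command line including the command, nor whether it can be NULL when a `Subsystem` line carries no options. Code that later builds an argv from it depends on both. A trailing comment would settle it, e.g. `char *subsystem_args[MAX_SUBSYSTEMS]; /* indexed like subsystem_command[]; full command line incl. options */`, adjusted to what the parser in servconf.c actually stores. The struct begins and ends outside this hunk.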
@@ -157,6 +162,7 @@ typedef struct {
int lookup_client_hostnames;
int use_openssl_engine;
+ char *chroot_directory;
} ServerOptions;
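Review bot: `chroot_directory` is the security-relevant field this commit adds to `ServerOptions`, and it is the one field in the hunk without a comment. A reader cannot tell whether NULL means unset, whether some literal value disables the option (the `chroot_requested()` helper declared in the next hunk suggests such a rule), or whether the string is the configured pattern or an already expanded path. I would add something like `char *chroot_directory; /* ChrootDirectory as configured; expanded per user at login */`, corrected against what servconf.c stores.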
@@ -164,6 +170,7 @@ void initialize_server_options(ServerOptions *);
void read_server_config(ServerOptions *, const char *);
void fill_default_server_options(ServerOptions *);
int process_server_config_line(ServerOptions *, char *, const char *, int);
+int chroot_requested(char *chroot_directory);
#ifdef __cplusplus
}
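Review bot: `chroot_requested` takes a plain `char *` although, going by its name, it only inspects the string. `int chroot_requested(const char *chroot_directory);` would let callers pass a const pointer and would make it explicit that the option value is not modified. The definition is outside this diff, so confirm it does not write through the pointer before changing the prototype. The header should also state the return convention and whether NULL is accepted, since callers use the result to decide whether a session gets confined.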
diff --git a/usr/src/cmd/ssh/include/sftp.h b/usr/src/cmd/ssh/include/sftp.h
index e82483807f..e35cbdedf1 100644
--- a/usr/src/cmd/ssh/include/sftp.h
+++ b/usr/src/cmd/ssh/include/sftp.h
@@ -1,15 +1,3 @@
-/* $OpenBSD: sftp.h,v 1.4 2002/02/13 00:59:23 djm Exp $ */
-
-#ifndef _SFTP_H
-#define _SFTP_H
-
-#pragma ident "%Z%%M% %I% %E% SMI"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@@ -34,10 +22,19 @@ extern "C" {
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
+/* $OpenBSD: sftp.h,v 1.4 2002/02/13 00:59:23 djm Exp $ */
+
/*
* draft-ietf-secsh-filexfer-01.txt
*/
+#ifndef _SFTP_H
+#define _SFTP_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
/* version */
#define SSH2_FILEXFER_VERSION 3
@@ -101,6 +98,10 @@ extern "C" {
#define SSH2_FX_OP_UNSUPPORTED 8
#define SSH2_FX_MAX 8
+struct passwd;
+
+int sftp_server_main(int, char **, struct passwd *);
+
#ifdef __cplusplus
}
#endif
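Review bot: `sftp_server_main` is declared with unnamed parameters and no comment, even though it appears to make the sftp server callable from inside the session process instead of being a separate executable. Naming the parameters, `int sftp_server_main(int argc, char **argv, struct passwd *user_pw);`, plus a short comment would make the contract readable from the header. The comment should say whether the function returns or exits, and what state the caller must already be in (chroot applied, privileges dropped to the user). Those preconditions are inferred from the purpose of the commit and are not visible in this header.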
diff --git a/usr/src/cmd/ssh/include/uidswap.h b/usr/src/cmd/ssh/include/uidswap.h
index 5c01d6107f..5444f02d32 100644
--- a/usr/src/cmd/ssh/include/uidswap.h
+++ b/usr/src/cmd/ssh/include/uidswap.h
@@ -1,15 +1,3 @@
-/* $OpenBSD: uidswap.h,v 1.9 2001/06/26 17:27:25 markus Exp $ */
-
-#ifndef _UIDSWAP_H
-#define _UIDSWAP_H
-
-#pragma ident "%Z%%M% %I% %E% SMI"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -22,9 +10,18 @@ extern "C" {
* called by a name other than "ssh" or "Secure Shell".
*/
+/* $OpenBSD: uidswap.h,v 1.9 2001/06/26 17:27:25 markus Exp $ */
+
+#ifndef _UIDSWAP_H
+#define _UIDSWAP_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
void temporarily_use_uid(struct passwd *);
void restore_uid(void);
-void permanently_set_uid(struct passwd *);
+void permanently_set_uid(struct passwd *, char *);
#ifdef __cplusplus
}
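Review bot: The second parameter added to `permanently_set_uid` is an unnamed `char *`, so the prototype no longer tells a caller what the function does with it. Given the commit it is presumably the chroot directory, and that makes ordering part of the contract: the chroot has to be entered while the process is still privileged, before the uid and gid are given up, and callers need to know what to pass when no chroot is wanted. I would declare it as `void permanently_set_uid(struct passwd *pw, char *chroot_directory);` with a comment such as `/* chroot_directory: NULL for no chroot (confirm against uidswap.c) */`. Every existing caller has to change with this signature, and those call sites are outside this diff, which is limited to the include directory.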