From 6b7d17dd279e090963431a91da8e463e80a3413e Mon Sep 17 00:00:00 2001
From: Manoj Ampalam
Date: Wed, 21 Sep 2016 13:49:57 -0700
Subject: [PATCH] Minor fixes to agent updates
---
 auth-passwd.c | 21 +++++++++----------
 contrib/win32/win32compat/pwd.c | 5 +++--
 .../win32compat/ssh-agent/authagent-request.c | 18 +++++++++-------
 .../win32/win32compat/ssh-agent/connection.c | 1 +
 4 files changed, 25 insertions(+), 20 deletions(-)
diff --git a/auth-passwd.c b/auth-passwd.c
index 2e53b1b..1401e96 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -155,23 +155,23 @@ warn_expiry(Authctxt *authctxt, auth_session_t *as)
 #ifdef HAVE_LOGIN_CAP
 if (authctxt->valid) {
 pwwarntime = login_getcaptime(lc, "password-warn", TWO_WEEKS,
- TWO_WEEKS);
+ TWO_WEEKS);
 acwarntime = login_getcaptime(lc, "expire-warn", TWO_WEEKS,
- TWO_WEEKS);
+ TWO_WEEKS);
 }
 #endif
 if (pwtimeleft != 0 && pwtimeleft < pwwarntime) {
 daysleft = pwtimeleft / DAY + 1;
 snprintf(buf, sizeof(buf),
- "Your password will expire in %lld day%s.\n",
- daysleft, daysleft == 1 ? "" : "s");
+ "Your password will expire in %lld day%s.\n",
+ daysleft, daysleft == 1 ? "" : "s");
 buffer_append(&loginmsg, buf, strlen(buf));
 }
 if (actimeleft != 0 && actimeleft < acwarntime) {
 daysleft = actimeleft / DAY + 1;
 snprintf(buf, sizeof(buf),
- "Your account will expire in %lld day%s.\n",
- daysleft, daysleft == 1 ? "" : "s");
+ "Your account will expire in %lld day%s.\n",
+ daysleft, daysleft == 1 ? "" : "s");
 buffer_append(&loginmsg, buf, strlen(buf));
 }
 }
@@ -184,7 +184,7 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
 static int expire_checked = 0;
 as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
- (char *)password);
+ (char *)password);
 if (as == NULL)
 return (0);
 if (auth_getstate(as) & AUTH_PWEXPIRED) {
@@ -192,8 +192,7 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
 disable_forwarding();
 authctxt->force_pwchange = 1;
 return (1);
- }
- else {
+ } else {
 if (!expire_checked) {
 expire_checked = 1;
 warn_expiry(authctxt, as);
@@ -258,13 +257,13 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
 /* Encrypt the candidate password using the proper salt. */
 encrypted_password = xcrypt(password,
- (pw_password[0] && pw_password[1]) ? pw_password : "xx");
+ (pw_password[0] && pw_password[1]) ? pw_password : "xx");
 /*
 * Authentication is accepted if the encrypted passwords
 * are identical.
 */
 return encrypted_password != NULL &&
- strcmp(encrypted_password, pw_password) == 0;
+ strcmp(encrypted_password, pw_password) == 0;
 }
 #endif
diff --git a/contrib/win32/win32compat/pwd.c b/contrib/win32/win32compat/pwd.c
index d30d732..e311d0f 100644
--- a/contrib/win32/win32compat/pwd.c
+++ b/contrib/win32/win32compat/pwd.c
@@ -165,7 +165,7 @@ char *GetHomeDirFromToken(char *userName, HANDLE token)
 RegCloseKey(reg_key);
 { /* retrieve and set env variables. */
- /* TODO - Get away with fixed limits and dynamically allocated required memory*/
+ /* TODO - Get away with fixed limits and dynamically allocate required memory, cleanup this logic*/
 #define MAX_VALUE_LEN 1000
 #define MAX_DATA_LEN 2000
 #define MAX_EXPANDED_DATA_LEN 5000
@@ -176,7 +176,8 @@ char *GetHomeDirFromToken(char *userName, HANDLE token)
 int i;
 LONG ret;
- ImpersonateLoggedOnUser(token);
+ if (ImpersonateLoggedOnUser(token) == FALSE)
+ debug("Failed to impersonate user token, %d", GetLastError());
 SET_USER_ENV(FOLDERID_LocalAppData, L"LOCALAPPDATA");
 SET_USER_ENV(FOLDERID_Profile, L"USERPROFILE");
 SET_USER_ENV(FOLDERID_RoamingAppData, L"APPDATA");
diff --git a/contrib/win32/win32compat/ssh-agent/authagent-request.c b/contrib/win32/win32compat/ssh-agent/authagent-request.c
index 1989fa6..68c17f4 100644
--- a/contrib/win32/win32compat/ssh-agent/authagent-request.c
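Review bot: In the second pwd.c hunk (GetHomeDirFromToken), a failed `ImpersonateLoggedOnUser(token)` is now logged, but execution still falls through to the `SET_USER_ENV(...)` lines. Anything in this block that relies on the impersonated context would then run under the calling service's own identity and could record that account's paths as the user's environment. The macro body and the rest of the function are outside the hunk, so the exact impact is inferred. I would skip the environment block on failure instead of continuing, e.g. guard it with `if (ImpersonateLoggedOnUser(token) != FALSE) { ... }`, and make sure any later `RevertToSelf()` is reached only when impersonation succeeded. `GetLastError()` returns a `DWORD`, so the message should be `debug("Failed to impersonate user token, %lu", (unsigned long)GetLastError());`.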
+++ b/contrib/win32/win32compat/ssh-agent/authagent-request.c
@@ -201,7 +201,7 @@ generate_user_token(wchar_t* user) {
 &token, "as, &subStatus) != STATUS_SUCCESS) {
- debug("LsaLogonUser failed");
+ debug("LsaLogonUser failed %d", ret);
 goto done;
 }
@@ -256,12 +256,16 @@ int process_passwordauth_request(struct sshbuf* request, struct sshbuf* response
 *tmp = L'\0';
 }
- if (LogonUserW(userW, domW, pwdW, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &token) == FALSE ||
- (FALSE == GetNamedPipeClientProcessId(con->connection, &client_pid)) ||
- ((client_proc = OpenProcess(PROCESS_DUP_HANDLE, FALSE, client_pid)) == NULL) ||
- (FALSE == DuplicateHandle(GetCurrentProcess(), token, client_proc, &dup_token, TOKEN_QUERY | TOKEN_IMPERSONATE, FALSE, DUPLICATE_SAME_ACCESS)) ||
- (sshbuf_put_u32(response, dup_token) != 0)) {
- debug("failed to authenticate user");
+ if (LogonUserW(userW, domW, pwdW, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &token) == FALSE) {
+ debug("failed to logon user");
+ goto done;
+ }
+
+ if ((FALSE == GetNamedPipeClientProcessId(con->connection, &client_pid)) ||
+ ((client_proc = OpenProcess(PROCESS_DUP_HANDLE, FALSE, client_pid)) == NULL) ||
+ (FALSE == DuplicateHandle(GetCurrentProcess(), token, client_proc, &dup_token, TOKEN_QUERY | TOKEN_IMPERSONATE, FALSE, DUPLICATE_SAME_ACCESS)) ||
+ (sshbuf_put_u32(response, dup_token) != 0)) {
+ debug("failed to duplicate user token");
 goto done;
 }
diff --git a/contrib/win32/win32compat/ssh-agent/connection.c b/contrib/win32/win32compat/ssh-agent/connection.c
index 82c93cf..b45a005 100644
--- a/contrib/win32/win32compat/ssh-agent/connection.c
+++ b/contrib/win32/win32compat/ssh-agent/connection.c
@@ -167,6 +167,7 @@ done:
 return r;
 }
+/* TODO - move this to common header*/
 #define SSH_AGENT_AUTHENTICATE 100
 static int
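Review bot: In generate_user_token, the new message prints `ret`, but it is not clear from the hunk that `ret` holds the NTSTATUS returned by LsaLogonUser. The visible tail of the condition compares the call with `STATUS_SUCCESS`, and the start of the call is outside the hunk. If the assignment is written without its own parentheses, `ret` would receive the result of the comparison, so it is worth confirming the form is `(ret = LsaLogonUser(...)) != STATUS_SUCCESS`. NTSTATUS values are easier to look up in hex, and `subStatus` usually carries the specific logon failure reason, so I would log both: `debug("LsaLogonUser failed, status 0x%x, substatus 0x%x", ret, subStatus);`.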
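Review bot: In process_passwordauth_request, the `DuplicateHandle` call passes `TOKEN_QUERY | TOKEN_IMPERSONATE` as the desired access together with `DUPLICATE_SAME_ACCESS`. That option makes the desired-access mask ignored, so the client process receives the token with the same access as the agent's own handle, not the reduced rights the code asks for. Passing `0` as the last argument lets the mask apply: `DuplicateHandle(GetCurrentProcess(), token, client_proc, &dup_token, TOKEN_QUERY | TOKEN_IMPERSONATE, FALSE, 0)`. If `sshbuf_put_u32` fails after a successful duplication, the handle already created in the client is left open. The `done:` cleanup is outside the hunk, so it is worth confirming that `token` and `client_proc` are closed there on every path. Both new debug messages would also be more useful with `GetLastError()` included.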