- (bal) Update ssh-host-config and minor rewrite of bsd-cygwin_util.c

ntsec now default if cygwin version beginning w/ version 56.  Patch
   by Corinna Vinschen <vinschen@redhat.com>

ChangeLog

@@ -36,6 +36,9 @@
      [scp.c]
      check exit status from ssh, and exit(1) if ssh fails; bug#369; 
      binder@arago.de
+ - (bal) Update ssh-host-config and minor rewrite of bsd-cygwin_util.c
+   ntsec now default if cygwin version beginning w/ version 56.  Patch
+   by Corinna Vinschen <vinschen@redhat.com> 
 
 20021021
  - (djm) Bug #400: Kill ssh-rand-helper children on timeout, patch from 
@@ -813,4 +816,4 @@
      save auth method before monitor_reset_key_state(); bugzilla bug #284;
      ok provos@
 
-$Id: ChangeLog,v 1.2509 2002/11/09 15:54:08 mouring Exp $
+$Id: ChangeLog,v 1.2510 2002/11/09 15:59:27 mouring Exp $

contrib/cygwin/ssh-host-config

@@ -378,6 +378,8 @@ then
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
 
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
 # possible, but leave them commented.  Uncommented options change a
@@ -394,7 +396,7 @@ Port $port_number
 #HostKey ${SYSCONFDIR}/ssh_host_rsa_key
 #HostKey ${SYSCONFDIR}/ssh_host_dsa_key
 
-# Lifetime and size of ephemeral version 1 server ke
+# Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 3600
 #ServerKeyBits 768
 
@@ -405,7 +407,7 @@ Port $port_number
 
 # Authentication:
 
-#LoginGraceTime 600
+#LoginGraceTime 120
 #PermitRootLogin yes
 # The following setting overrides permission checks on host key files
 # and directories. For security reasons set this to "yes" when running
@@ -414,11 +416,11 @@ StrictModes no
 
 #RSAAuthentication yes
 #PubkeyAuthentication yes
-#AuthorizedKeysFile     %h/.ssh/authorized_keys
+#AuthorizedKeysFile     .ssh/authorized_keys
 
 # rhosts authentication should not be used
 #RhostsAuthentication no
-# Don't read ~/.rhosts and ~/.shosts files
+# Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 # For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
 #RhostsRSAAuthentication no
@@ -443,6 +445,7 @@ StrictModes no
 #KeepAlive yes
 #UseLogin no
 UsePrivilegeSeparation $privsep_used
+#PermitUserEnvironment no
 #Compression yes
 
 #MaxStartups 10

openbsd-compat/bsd-cygwin_util.c

@@ -31,7 +31,7 @@
 
 #include "includes.h"
 
-RCSID("$Id: bsd-cygwin_util.c,v 1.8 2002/04/15 22:00:52 stevesk Exp $");
+RCSID("$Id: bsd-cygwin_util.c,v 1.9 2002/11/09 15:59:29 mouring Exp $");
 
 #ifdef HAVE_CYGWIN
 
@@ -43,6 +43,7 @@ RCSID("$Id: bsd-cygwin_util.c,v 1.8 2002/04/15 22:00:52 stevesk Exp $");
 #define is_winnt       (GetVersion() < 0x80000000)
 
 #define ntsec_on(c)	((c) && strstr((c),"ntsec") && !strstr((c),"nontsec"))
+#define ntsec_off(c)	((c) && strstr((c),"nontsec"))
 #define ntea_on(c)	((c) && strstr((c),"ntea") && !strstr((c),"nontea"))
 
 #if defined(open) && open == binary_open
@@ -74,6 +75,56 @@ int binary_pipe(int fd[2])
 	return ret;
 }
 
+#define HAS_CREATE_TOKEN 1
+#define HAS_NTSEC_BY_DEFAULT 2
+
+static int has_capability(int what)
+{
+	/* has_capability() basically calls uname() and checks if
+	   specific capabilities of Cygwin can be evaluated from that.
+	   This simplifies the calling functions which only have to ask
+	   for a capability using has_capability() instead of having
+	   to figure that out by themselves. */
+	static int inited;
+	static int has_create_token;
+	static int has_ntsec_by_default;
+
+	if (!inited) {
+		struct utsname uts;
+		char *c;
+		
+		if (!uname(&uts)) {
+			int major_high = 0;
+			int major_low = 0;
+			int minor = 0;
+			int api_major_version = 0;
+			int api_minor_version = 0;
+			char *c;
+
+			sscanf(uts.release, "%d.%d.%d", &major_high,
+			       &major_low, &minor);
+			c = strchr(uts.release, '(');
+			if (c)
+				sscanf(c + 1, "%d.%d", &api_major_version,
+				       &api_minor_version);
+			if (major_high > 1 ||
+			    (major_high == 1 && (major_low > 3 ||
+			     (major_low == 3 && minor >= 2))))
+				has_create_token = 1;
+			if (api_major_version > 0 || api_minor_version >= 56)
+				has_ntsec_by_default = 1;
+			inited = 1;
+		}
+	}
+	switch (what) {
+	case HAS_CREATE_TOKEN:
+		return has_create_token;
+	case HAS_NTSEC_BY_DEFAULT:
+		return has_ntsec_by_default;
+	}
+	return 0;
+}
+
 int check_nt_auth(int pwd_authenticated, struct passwd *pw)
 {
 	/*
@@ -93,20 +144,15 @@ int check_nt_auth(int pwd_authenticated, struct passwd *pw)
 		return 0;
 	if (is_winnt) {
 		if (has_create_token < 0) {
-			struct utsname uts;
-		        int major_high = 0, major_low = 0, minor = 0;
 			char *cygwin = getenv("CYGWIN");
 
 			has_create_token = 0;
-			if (ntsec_on(cygwin) && !uname(&uts)) {
+			if (has_capability(HAS_CREATE_TOKEN) &&
-				sscanf(uts.release, "%d.%d.%d",
+			    (ntsec_on(cygwin) ||
-				       &major_high, &major_low, &minor);
+			     (has_capability(HAS_NTSEC_BY_DEFAULT) &&
-				if (major_high > 1 ||
+			      !ntsec_off(cygwin))))
-				    (major_high == 1 && (major_low > 3 ||
-				     (major_low == 3 && minor >= 2))))
 				has_create_token = 1;
 		}
-		}
 		if (has_create_token < 1 &&
 		    !pwd_authenticated && geteuid() != pw->pw_uid)
 			return 0;
@@ -128,7 +174,9 @@ int check_ntsec(const char *filename)
 	/* Evaluate current CYGWIN settings. */
 	cygwin = getenv("CYGWIN");
 	allow_ntea = ntea_on(cygwin);
-	allow_ntsec = ntsec_on(cygwin);
+	allow_ntsec = ntsec_on(cygwin) ||
+		      (has_capability(HAS_NTSEC_BY_DEFAULT) &&
+		       !ntsec_off(cygwin));
 
 	/*
 	 * `ntea' is an emulation of POSIX attributes. It doesn't support