- (bal) Update ssh-host-config and minor rewrite of bsd-cygwin_util.c
ntsec is now the default for Cygwin versions beginning with version 56. Patch by Corinna Vinschen <vinschen@redhat.com>
parent
007eb912ea
commit
224313cdae
|
@ -36,6 +36,9 @@
|
||||||
[scp.c]
|
[scp.c]
|
||||||
check exit status from ssh, and exit(1) if ssh fails; bug#369;
|
check exit status from ssh, and exit(1) if ssh fails; bug#369;
|
||||||
binder@arago.de
|
binder@arago.de
|
||||||
|
- (bal) Update ssh-host-config and minor rewrite of bsd-cygwin_util.c
|
||||||
|
ntsec now default if cygwin version beginning w/ version 56. Patch
|
||||||
|
by Corinna Vinschen <vinschen@redhat.com>
|
||||||
|
|
||||||
20021021
|
20021021
|
||||||
- (djm) Bug #400: Kill ssh-rand-helper children on timeout, patch from
|
- (djm) Bug #400: Kill ssh-rand-helper children on timeout, patch from
|
||||||
|
@ -813,4 +816,4 @@
|
||||||
save auth method before monitor_reset_key_state(); bugzilla bug #284;
|
save auth method before monitor_reset_key_state(); bugzilla bug #284;
|
||||||
ok provos@
|
ok provos@
|
||||||
|
|
||||||
$Id: ChangeLog,v 1.2509 2002/11/09 15:54:08 mouring Exp $
|
$Id: ChangeLog,v 1.2510 2002/11/09 15:59:27 mouring Exp $
|
||||||
|
|
|
@ -378,6 +378,8 @@ then
|
||||||
# This is the sshd server system-wide configuration file. See
|
# This is the sshd server system-wide configuration file. See
|
||||||
# sshd_config(5) for more information.
|
# sshd_config(5) for more information.
|
||||||
|
|
||||||
|
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
|
||||||
|
|
||||||
# The strategy used for options in the default sshd_config shipped with
|
# The strategy used for options in the default sshd_config shipped with
|
||||||
# OpenSSH is to specify options with their default value where
|
# OpenSSH is to specify options with their default value where
|
||||||
# possible, but leave them commented. Uncommented options change a
|
# possible, but leave them commented. Uncommented options change a
|
||||||
|
@ -394,7 +396,7 @@ Port $port_number
|
||||||
#HostKey ${SYSCONFDIR}/ssh_host_rsa_key
|
#HostKey ${SYSCONFDIR}/ssh_host_rsa_key
|
||||||
#HostKey ${SYSCONFDIR}/ssh_host_dsa_key
|
#HostKey ${SYSCONFDIR}/ssh_host_dsa_key
|
||||||
|
|
||||||
# Lifetime and size of ephemeral version 1 server ke
|
# Lifetime and size of ephemeral version 1 server key
|
||||||
#KeyRegenerationInterval 3600
|
#KeyRegenerationInterval 3600
|
||||||
#ServerKeyBits 768
|
#ServerKeyBits 768
|
||||||
|
|
||||||
|
@ -405,7 +407,7 @@ Port $port_number
|
||||||
|
|
||||||
# Authentication:
|
# Authentication:
|
||||||
|
|
||||||
#LoginGraceTime 600
|
#LoginGraceTime 120
|
||||||
#PermitRootLogin yes
|
#PermitRootLogin yes
|
||||||
# The following setting overrides permission checks on host key files
|
# The following setting overrides permission checks on host key files
|
||||||
# and directories. For security reasons set this to "yes" when running
|
# and directories. For security reasons set this to "yes" when running
|
||||||
|
@ -414,11 +416,11 @@ StrictModes no
|
||||||
|
|
||||||
#RSAAuthentication yes
|
#RSAAuthentication yes
|
||||||
#PubkeyAuthentication yes
|
#PubkeyAuthentication yes
|
||||||
#AuthorizedKeysFile %h/.ssh/authorized_keys
|
#AuthorizedKeysFile .ssh/authorized_keys
|
||||||
|
|
||||||
# rhosts authentication should not be used
|
# rhosts authentication should not be used
|
||||||
#RhostsAuthentication no
|
#RhostsAuthentication no
|
||||||
# Don't read ~/.rhosts and ~/.shosts files
|
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||||
#IgnoreRhosts yes
|
#IgnoreRhosts yes
|
||||||
# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
|
# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
|
||||||
#RhostsRSAAuthentication no
|
#RhostsRSAAuthentication no
|
||||||
|
@ -443,6 +445,7 @@ StrictModes no
|
||||||
#KeepAlive yes
|
#KeepAlive yes
|
||||||
#UseLogin no
|
#UseLogin no
|
||||||
UsePrivilegeSeparation $privsep_used
|
UsePrivilegeSeparation $privsep_used
|
||||||
|
#PermitUserEnvironment no
|
||||||
#Compression yes
|
#Compression yes
|
||||||
|
|
||||||
#MaxStartups 10
|
#MaxStartups 10
|
||||||
|
|
|
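Review bot: The new `#AuthorizedKeysFile .ssh/authorized_keys` line drops the `%h/` prefix, so the template now relies on sshd resolving a relative AuthorizedKeysFile path against the user's home directory; a short comment above it would save the next reader from checking that, e.g. `# A relative AuthorizedKeysFile path is taken relative to the user's home directory`. The hunk context shows this text is emitted from a shell heredoc (`${SYSCONFDIR}`, `$port_number`, `$privsep_used` expand at generation time), and the heredoc itself starts and ends outside the hunks. The commented lines presumably mirror sshd's compiled-in defaults (`#LoginGraceTime 120`, `#PermitUserEnvironment no`); if so, a one-line note at the top of the heredoc saying they must be kept in step with the server's defaults would make later bumps less error-prone.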
@ -31,7 +31,7 @@
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
|
|
||||||
RCSID("$Id: bsd-cygwin_util.c,v 1.8 2002/04/15 22:00:52 stevesk Exp $");
|
RCSID("$Id: bsd-cygwin_util.c,v 1.9 2002/11/09 15:59:29 mouring Exp $");
|
||||||
|
|
||||||
#ifdef HAVE_CYGWIN
|
#ifdef HAVE_CYGWIN
|
||||||
|
|
||||||
|
@ -43,6 +43,7 @@ RCSID("$Id: bsd-cygwin_util.c,v 1.8 2002/04/15 22:00:52 stevesk Exp $");
|
||||||
#define is_winnt (GetVersion() < 0x80000000)
|
#define is_winnt (GetVersion() < 0x80000000)
|
||||||
|
|
||||||
#define ntsec_on(c) ((c) && strstr((c),"ntsec") && !strstr((c),"nontsec"))
|
#define ntsec_on(c) ((c) && strstr((c),"ntsec") && !strstr((c),"nontsec"))
|
||||||
|
#define ntsec_off(c) ((c) && strstr((c),"nontsec"))
|
||||||
#define ntea_on(c) ((c) && strstr((c),"ntea") && !strstr((c),"nontea"))
|
#define ntea_on(c) ((c) && strstr((c),"ntea") && !strstr((c),"nontea"))
|
||||||
|
|
||||||
#if defined(open) && open == binary_open
|
#if defined(open) && open == binary_open
|
||||||
|
@ -74,6 +75,56 @@ int binary_pipe(int fd[2])
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#define HAS_CREATE_TOKEN 1
|
||||||
|
#define HAS_NTSEC_BY_DEFAULT 2
|
||||||
|
|
||||||
|
static int has_capability(int what)
|
||||||
|
{
|
||||||
|
/* has_capability() basically calls uname() and checks if
|
||||||
|
specific capabilities of Cygwin can be evaluated from that.
|
||||||
|
This simplifies the calling functions which only have to ask
|
||||||
|
for a capability using has_capability() instead of having
|
||||||
|
to figure that out by themselves. */
|
||||||
|
static int inited;
|
||||||
|
static int has_create_token;
|
||||||
|
static int has_ntsec_by_default;
|
||||||
|
|
||||||
|
if (!inited) {
|
||||||
|
struct utsname uts;
|
||||||
|
char *c;
|
||||||
|
|
||||||
|
if (!uname(&uts)) {
|
||||||
|
int major_high = 0;
|
||||||
|
int major_low = 0;
|
||||||
|
int minor = 0;
|
||||||
|
int api_major_version = 0;
|
||||||
|
int api_minor_version = 0;
|
||||||
|
char *c;
|
||||||
|
|
||||||
|
sscanf(uts.release, "%d.%d.%d", &major_high,
|
||||||
|
&major_low, &minor);
|
||||||
|
c = strchr(uts.release, '(');
|
||||||
|
if (c)
|
||||||
|
sscanf(c + 1, "%d.%d", &api_major_version,
|
||||||
|
&api_minor_version);
|
||||||
|
if (major_high > 1 ||
|
||||||
|
(major_high == 1 && (major_low > 3 ||
|
||||||
|
(major_low == 3 && minor >= 2))))
|
||||||
|
has_create_token = 1;
|
||||||
|
if (api_major_version > 0 || api_minor_version >= 56)
|
||||||
|
has_ntsec_by_default = 1;
|
||||||
|
inited = 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
switch (what) {
|
||||||
|
case HAS_CREATE_TOKEN:
|
||||||
|
return has_create_token;
|
||||||
|
case HAS_NTSEC_BY_DEFAULT:
|
||||||
|
return has_ntsec_by_default;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
int check_nt_auth(int pwd_authenticated, struct passwd *pw)
|
int check_nt_auth(int pwd_authenticated, struct passwd *pw)
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
|
@ -93,19 +144,14 @@ int check_nt_auth(int pwd_authenticated, struct passwd *pw)
|
||||||
return 0;
|
return 0;
|
||||||
if (is_winnt) {
|
if (is_winnt) {
|
||||||
if (has_create_token < 0) {
|
if (has_create_token < 0) {
|
||||||
struct utsname uts;
|
|
||||||
int major_high = 0, major_low = 0, minor = 0;
|
|
||||||
char *cygwin = getenv("CYGWIN");
|
char *cygwin = getenv("CYGWIN");
|
||||||
|
|
||||||
has_create_token = 0;
|
has_create_token = 0;
|
||||||
if (ntsec_on(cygwin) && !uname(&uts)) {
|
if (has_capability(HAS_CREATE_TOKEN) &&
|
||||||
sscanf(uts.release, "%d.%d.%d",
|
(ntsec_on(cygwin) ||
|
||||||
&major_high, &major_low, &minor);
|
(has_capability(HAS_NTSEC_BY_DEFAULT) &&
|
||||||
if (major_high > 1 ||
|
!ntsec_off(cygwin))))
|
||||||
(major_high == 1 && (major_low > 3 ||
|
has_create_token = 1;
|
||||||
(major_low == 3 && minor >= 2))))
|
|
||||||
has_create_token = 1;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
if (has_create_token < 1 &&
|
if (has_create_token < 1 &&
|
||||||
!pwd_authenticated && geteuid() != pw->pw_uid)
|
!pwd_authenticated && geteuid() != pw->pw_uid)
|
||||||
|
@ -128,7 +174,9 @@ int check_ntsec(const char *filename)
|
||||||
/* Evaluate current CYGWIN settings. */
|
/* Evaluate current CYGWIN settings. */
|
||||||
cygwin = getenv("CYGWIN");
|
cygwin = getenv("CYGWIN");
|
||||||
allow_ntea = ntea_on(cygwin);
|
allow_ntea = ntea_on(cygwin);
|
||||||
allow_ntsec = ntsec_on(cygwin);
|
allow_ntsec = ntsec_on(cygwin) ||
|
||||||
|
(has_capability(HAS_NTSEC_BY_DEFAULT) &&
|
||||||
|
!ntsec_off(cygwin));
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* `ntea' is an emulation of POSIX attributes. It doesn't support
|
* `ntea' is an emulation of POSIX attributes. It doesn't support
|
||||||
|
|
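Review bot: In has_capability() the inner `char *c;` declared with the version counters inside the `if (!uname(&uts))` block shadows the `char *c;` declared a few lines earlier in the `if (!inited)` block, and that outer declaration is never used; removing the outer `char *c;` keeps `-Wshadow`/`-Wunused-variable` clean. The function-static `has_create_token` inside has_capability() also reuses the name of the `has_create_token` that check_nt_auth() tests with `has_create_token < 0`, which appears to be a separate file-scope variable declared outside these hunks; renaming the function-static one (e.g. `cap_create_token`) would avoid reading one as the other. `inited = 1` is set only inside the `if (!uname(&uts))` branch, so a failing uname() is retried on every call; if that is deliberate, a comment such as `/* retry on uname() failure; capabilities default to off */` would say so. The expression `ntsec_on(cygwin) || (has_capability(HAS_NTSEC_BY_DEFAULT) && !ntsec_off(cygwin))` now appears verbatim in both check_nt_auth() and check_ntsec(); a small `static int ntsec_enabled(const char *cygwin)` helper next to the `ntsec_on`/`ntsec_off` macros would keep the two call sites in step. check_nt_auth() and check_ntsec() both start outside their hunks.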