- (djm) Bug #231: UsePrivilegeSeparation turns off Banner.
parent
80080753cd
commit
5ad9fd9820
|
@ -1,6 +1,7 @@
|
|||
20020513
|
||||
- (djm) Add --with-superuser-path=xxx configure option to specify what $PATH
|
||||
the superuser receives.
|
||||
- (djm) Bug #231: UsePrivilegeSeparation turns off Banner.
|
||||
|
||||
20020511
|
||||
- (tim) [configure.ac] applied a rework of djm's OpenSSL search cleanup patch.
|
||||
|
@ -571,4 +572,4 @@
|
|||
- (stevesk) entropy.c: typo in debug message
|
||||
- (djm) ssh-keygen -i needs seeded RNG; report from markus@
|
||||
|
||||
$Id: ChangeLog,v 1.2107 2002/05/13 00:48:57 djm Exp $
|
||||
$Id: ChangeLog,v 1.2108 2002/05/13 01:07:41 djm Exp $
|
||||
|
|
4
auth.h
4
auth.h
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: auth.h,v 1.35 2002/03/19 10:35:39 markus Exp $ */
|
||||
/* $OpenBSD: auth.h,v 1.36 2002/05/12 23:53:45 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
|
@ -136,6 +136,8 @@ void auth_log(Authctxt *, int, char *, char *);
|
|||
void userauth_finish(Authctxt *, int, char *);
|
||||
int auth_root_allowed(char *);
|
||||
|
||||
char *auth2_read_banner(void);
|
||||
|
||||
void privsep_challenge_enable(void);
|
||||
|
||||
int auth2_challenge(Authctxt *, char *);
|
||||
|
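Review bot: The new prototype `char *auth2_read_banner(void);` says nothing about ownership, which matters here because the function is now called on both sides of the privilege boundary (wrapped by PRIVSEP() in auth2.c and directly in monitor.c). Suggest a comment above it: `/* Read options.banner into a freshly xmalloc'd, NUL-terminated string; returns NULL if the file cannot be opened or fully read. Caller frees. */`. Callers should be told to test for NULL rather than for an empty string, since the auth2.c implementation returns NULL on every failure path.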
|
43
auth2.c
43
auth2.c
|
@ -23,7 +23,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth2.c,v 1.89 2002/03/19 14:27:39 markus Exp $");
|
||||
RCSID("$OpenBSD: auth2.c,v 1.90 2002/05/12 23:53:45 djm Exp $");
|
||||
|
||||
#include <openssl/evp.h>
|
||||
|
||||
|
@ -283,25 +283,45 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
|
|||
}
|
||||
}
|
||||
|
||||
static void
|
||||
userauth_banner(void)
|
||||
char *
|
||||
auth2_read_banner(void)
|
||||
{
|
||||
struct stat st;
|
||||
char *banner = NULL;
|
||||
off_t len, n;
|
||||
int fd;
|
||||
|
||||
if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
|
||||
return;
|
||||
if ((fd = open(options.banner, O_RDONLY)) < 0)
|
||||
return;
|
||||
if (fstat(fd, &st) < 0)
|
||||
goto done;
|
||||
if ((fd = open(options.banner, O_RDONLY)) == -1)
|
||||
return (NULL);
|
||||
if (fstat(fd, &st) == -1) {
|
||||
close(fd);
|
||||
return (NULL);
|
||||
}
|
||||
len = st.st_size;
|
||||
banner = xmalloc(len + 1);
|
||||
if ((n = read(fd, banner, len)) < 0)
|
||||
goto done;
|
||||
n = atomicio(read, fd, banner, len);
|
||||
close(fd);
|
||||
|
||||
if (n != len) {
|
||||
free(banner);
|
||||
return (NULL);
|
||||
}
|
||||
banner[n] = '\0';
|
||||
|
||||
return (banner);
|
||||
}
|
||||
|
||||
static void
|
||||
userauth_banner(void)
|
||||
{
|
||||
char *banner = NULL;
|
||||
|
||||
if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
|
||||
return;
|
||||
|
||||
if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
|
||||
goto done;
|
||||
|
||||
packet_start(SSH2_MSG_USERAUTH_BANNER);
|
||||
packet_put_cstring(banner);
|
||||
packet_put_cstring(""); /* language, unused */
|
||||
|
@ -310,7 +330,6 @@ userauth_banner(void)
|
|||
done:
|
||||
if (banner)
|
||||
xfree(banner);
|
||||
close(fd);
|
||||
return;
|
||||
}
|
||||
|
||||
|
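Review bot: In `auth2_read_banner`, which under privilege separation now runs in the privileged monitor, the allocation size is taken straight from `st.st_size` with no upper bound and no check that the configured file is a regular file, so `xmalloc(len + 1)` allocates whatever size the path happens to have; if xmalloc's size parameter is narrower than `off_t` (not visible here), `len + 1` is also silently narrowed while `atomicio(read, fd, banner, len)` still reads the full `len` bytes into the smaller buffer. Suggest, right after the fstat check, `if (!S_ISREG(st.st_mode) || st.st_size > BANNER_MAX_LEN) { close(fd); return (NULL); }` where BANNER_MAX_LEN is a new, reasonably small constant (name constructed here). The buffer is released with `free(banner)` on the short-read path but with `xfree(banner)` at `done:` in userauth_banner; both hold xmalloc'd memory, so one idiom should be used throughout. `userauth_banner`'s body continues between the two hunks, outside what is shown.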
|
23
monitor.c
23
monitor.c
|
@ -25,7 +25,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: monitor.c,v 1.9 2002/03/30 18:51:15 markus Exp $");
|
||||
RCSID("$OpenBSD: monitor.c,v 1.10 2002/05/12 23:53:45 djm Exp $");
|
||||
|
||||
#include <openssl/dh.h>
|
||||
|
||||
|
@ -96,6 +96,7 @@ struct {
|
|||
int mm_answer_moduli(int, Buffer *);
|
||||
int mm_answer_sign(int, Buffer *);
|
||||
int mm_answer_pwnamallow(int, Buffer *);
|
||||
int mm_answer_auth2_read_banner(int, Buffer *);
|
||||
int mm_answer_authserv(int, Buffer *);
|
||||
int mm_answer_authpassword(int, Buffer *);
|
||||
int mm_answer_bsdauthquery(int, Buffer *);
|
||||
|
@ -147,6 +148,7 @@ struct mon_table mon_dispatch_proto20[] = {
|
|||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||
#ifdef USE_PAM
|
||||
{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
|
||||
|
@ -524,9 +526,11 @@ mm_answer_pwnamallow(int socket, Buffer *m)
|
|||
/* For SSHv1 allow authentication now */
|
||||
if (!compat20)
|
||||
monitor_permit_authentications(1);
|
||||
else
|
||||
else {
|
||||
/* Allow service/style information on the auth context */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||
}
|
||||
|
||||
#ifdef USE_PAM
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
|
||||
|
@ -535,6 +539,21 @@ mm_answer_pwnamallow(int socket, Buffer *m)
|
|||
return (0);
|
||||
}
|
||||
|
||||
int mm_answer_auth2_read_banner(int socket, Buffer *m)
|
||||
{
|
||||
char *banner;
|
||||
|
||||
buffer_clear(m);
|
||||
banner = auth2_read_banner();
|
||||
buffer_put_cstring(m, banner != NULL ? banner : "");
|
||||
mm_request_send(socket, MONITOR_ANS_AUTH2_READ_BANNER, m);
|
||||
|
||||
if (banner != NULL)
|
||||
free(banner);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
mm_answer_authserv(int socket, Buffer *m)
|
||||
{
|
||||
|
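Review bot: `mm_answer_auth2_read_banner` turns a NULL result from `auth2_read_banner()` into an empty string (`buffer_put_cstring(m, banner != NULL ? banner : "")`), and the wrapper in monitor_wrap.c hands back whatever `buffer_get_string` returns, so under privilege separation the `== NULL` test in auth2.c's `userauth_banner` can never fire and an empty SSH2_MSG_USERAUTH_BANNER is sent when the banner file cannot be opened, whereas the non-privsep path sends nothing. A presence flag would keep the two paths equivalent: `buffer_put_int(m, banner != NULL);` before the string here, with `mm_auth2_read_banner` in monitor_wrap.c reading the int first and returning NULL (after `buffer_free(&m)`) when it is zero. The signature `int mm_answer_auth2_read_banner(int socket, Buffer *m)` is on one line while the neighbouring `mm_answer_authserv` puts the return type on its own line; `if (banner != NULL) free(banner);` has a redundant guard and frees xmalloc'd memory with `free` where auth2.c uses `xfree`. The request is marked MON_ONCE and permitted only on the compat20 branch of `mm_answer_pwnamallow`; whether a single banner request per session is sufficient cannot be confirmed from this page.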
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: monitor.h,v 1.3 2002/03/26 03:24:01 stevesk Exp $ */
|
||||
/* $OpenBSD: monitor.h,v 1.4 2002/05/12 23:53:45 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
|
@ -33,6 +33,7 @@ enum monitor_reqtype {
|
|||
MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
|
||||
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
|
||||
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
|
||||
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
|
||||
MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD,
|
||||
MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY,
|
||||
MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND,
|
||||
|
|
|
@ -25,7 +25,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: monitor_wrap.c,v 1.5 2002/03/25 20:12:10 stevesk Exp $");
|
||||
RCSID("$OpenBSD: monitor_wrap.c,v 1.6 2002/05/12 23:53:45 djm Exp $");
|
||||
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/dh.h>
|
||||
|
@ -207,6 +207,24 @@ mm_getpwnamallow(const char *login)
|
|||
return (pw);
|
||||
}
|
||||
|
||||
char* mm_auth2_read_banner(void)
|
||||
{
|
||||
Buffer m;
|
||||
char *banner;
|
||||
|
||||
debug3("%s entering", __FUNCTION__);
|
||||
|
||||
buffer_init(&m);
|
||||
mm_request_send(monitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, &m);
|
||||
buffer_clear(&m);
|
||||
|
||||
mm_request_receive_expect(monitor->m_recvfd, MONITOR_ANS_AUTH2_READ_BANNER, &m);
|
||||
banner = buffer_get_string(&m, NULL);
|
||||
buffer_free(&m);
|
||||
|
||||
return (banner);
|
||||
}
|
||||
|
||||
/* Inform the privileged process about service and style */
|
||||
|
||||
void
|
||||
|
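Review bot: `char* mm_auth2_read_banner(void)` puts the signature on one line with the star bound to the type, while this file (see the `void` return type on its own line just below) and its header (`struct passwd *mm_getpwnamallow(const char *)`) put the return type on a separate line and bind `*` to the name; the same applies to the prototype `char* mm_auth2_read_banner(void);` added in monitor_wrap.h. Suggest `char *` on one line followed by `mm_auth2_read_banner(void)` on the next, and `char *mm_auth2_read_banner(void);` in the header. The other wrappers here carry a one-line purpose comment (e.g. `/* Inform the privileged process about service and style */`); suggest adding `/* Ask the monitor to read the banner file; returns an allocated string, empty when the monitor could not read it, that the caller frees */` above this one, since the empty-string-on-failure behaviour comes from monitor.c and is not obvious from the wrapper alone.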
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: monitor_wrap.h,v 1.4 2002/03/26 03:24:01 stevesk Exp $ */
|
||||
/* $OpenBSD: monitor_wrap.h,v 1.5 2002/05/12 23:53:45 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
|
@ -44,6 +44,7 @@ DH *mm_choose_dh(int, int, int);
|
|||
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
|
||||
void mm_inform_authserv(char *, char *);
|
||||
struct passwd *mm_getpwnamallow(const char *);
|
||||
char* mm_auth2_read_banner(void);
|
||||
int mm_auth_password(struct Authctxt *, char *);
|
||||
int mm_key_allowed(enum mm_keytype, char *, char *, Key *);
|
||||
int mm_user_key_allowed(struct passwd *, Key *);
|
||||
|
|