- (bal) Second around of UNICOS patches. A few other things left.

Patches by William L. Jones <jones@mail.utexas.edu>
This commit is contained in:
Ben Lindstrom 2001-08-06 23:29:16 +00:00
parent ff2866cf51
commit 6db66ff387
7 changed files with 162 additions and 53 deletions

View File

@ -98,7 +98,7 @@
[ssh-keygen.c] [ssh-keygen.c]
allow uploading RSA keys for non-default AUT0 (sha1 over passphrase allow uploading RSA keys for non-default AUT0 (sha1 over passphrase
like sectok). like sectok).
- markus@cvs.openbsd.org 2001/08/01 23:38:45 - markus@cvs.openbsd.org 2001/08/01 23:38:45
[scard.c ssh.c] [scard.c ssh.c]
support finish rsa keys. support finish rsa keys.
free public keys after login -> call finish -> close smartcard. free public keys after login -> call finish -> close smartcard.
@ -122,7 +122,7 @@
- jakob@cvs.openbsd.org 2001/08/02 15:43:57 - jakob@cvs.openbsd.org 2001/08/02 15:43:57
[ssh-agent.c ssh.c ssh-keygen.c] [ssh-agent.c ssh.c ssh-keygen.c]
add /* SMARTCARD */ to #else/#endif. ok markus@ add /* SMARTCARD */ to #else/#endif. ok markus@
- jakob@cvs.openbsd.org 2001/08/02 16:14:05 - jakob@cvs.openbsd.org 2001/08/02 16:14:05
[scard.c ssh-agent.c ssh.c ssh-keygen.c] [scard.c ssh-agent.c ssh.c ssh-keygen.c]
clean up some /* SMARTCARD */. ok markus@ clean up some /* SMARTCARD */. ok markus@
- mpech@cvs.openbsd.org 2001/08/02 18:37:35 - mpech@cvs.openbsd.org 2001/08/02 18:37:35
@ -148,6 +148,8 @@
[scp.c] [scp.c]
use alarm vs. setitimer for portable; ok markus@ use alarm vs. setitimer for portable; ok markus@
- (bal) ssh-keyscan double -lssh hack due to seed_rng(). - (bal) ssh-keyscan double -lssh hack due to seed_rng().
- (bal) Second around of UNICOS patches. A few other things left.
Patches by William L. Jones <jones@mail.utexas.edu>
20010803 20010803
- (djm) Fix interrupted read in entropy gatherer. Spotted by markus@ on - (djm) Fix interrupted read in entropy gatherer. Spotted by markus@ on
@ -6258,4 +6260,4 @@
- Wrote replacements for strlcpy and mkdtemp - Wrote replacements for strlcpy and mkdtemp
- Released 1.0pre1 - Released 1.0pre1
$Id: ChangeLog,v 1.1466 2001/08/06 22:56:46 mouring Exp $ $Id: ChangeLog,v 1.1467 2001/08/06 23:29:16 mouring Exp $

View File

@ -1,4 +1,4 @@
# $Id: configure.in,v 1.304 2001/07/24 17:00:14 mouring Exp $ # $Id: configure.in,v 1.305 2001/08/06 23:29:17 mouring Exp $
AC_INIT(ssh.c) AC_INIT(ssh.c)
@ -1453,6 +1453,7 @@ if (test -z "$RANDOM_POOL" && test -z "$PRNGD") ; then
OSSH_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig) OSSH_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig)
OSSH_PATH_ENTROPY_PROG(PROG_JSTAT, jstat) OSSH_PATH_ENTROPY_PROG(PROG_JSTAT, jstat)
OSSH_PATH_ENTROPY_PROG(PROG_PS, ps) OSSH_PATH_ENTROPY_PROG(PROG_PS, ps)
OSSH_PATH_ENTROPY_PROG(PROG_SAR, sar)
OSSH_PATH_ENTROPY_PROG(PROG_W, w) OSSH_PATH_ENTROPY_PROG(PROG_W, w)
OSSH_PATH_ENTROPY_PROG(PROG_WHO, who) OSSH_PATH_ENTROPY_PROG(PROG_WHO, who)
OSSH_PATH_ENTROPY_PROG(PROG_LAST, last) OSSH_PATH_ENTROPY_PROG(PROG_LAST, last)

View File

@ -163,7 +163,7 @@
#include "log.h" #include "log.h"
#include "atomicio.h" #include "atomicio.h"
RCSID("$Id: loginrec.c,v 1.33 2001/05/08 20:33:06 mouring Exp $"); RCSID("$Id: loginrec.c,v 1.34 2001/08/06 23:29:17 mouring Exp $");
#ifdef HAVE_UTIL_H #ifdef HAVE_UTIL_H
# include <util.h> # include <util.h>
@ -616,9 +616,15 @@ construct_utmp(struct logininfo *li,
switch (li->type) { switch (li->type) {
case LTYPE_LOGIN: case LTYPE_LOGIN:
ut->ut_type = USER_PROCESS; ut->ut_type = USER_PROCESS;
#ifdef _CRAY
cray_set_tmpdir(ut);
#endif
break; break;
case LTYPE_LOGOUT: case LTYPE_LOGOUT:
ut->ut_type = DEAD_PROCESS; ut->ut_type = DEAD_PROCESS;
#ifdef _CRAY
cray_retain_utmp(ut, li->pid);
#endif
break; break;
} }
# endif # endif

View File

@ -12,18 +12,24 @@
#include <utmp.h> #include <utmp.h>
#include <sys/jtab.h> #include <sys/jtab.h>
#include <signal.h> #include <signal.h>
#include <sys/priv.h>
#include <sys/secparm.h>
#include <sys/usrv.h>
#include <sys/sysv.h>
#include <sys/sectab.h>
#include <sys/stat.h> #include <sys/stat.h>
#include <stdlib.h> #include <stdlib.h>
#include <pwd.h> #include <pwd.h>
#include <fcntl.h> #include <fcntl.h>
#include <errno.h> #include <errno.h>
#include "bsd-cray.h"
char cray_tmpdir[TPATHSIZ+1]; /* job TMPDIR path */ char cray_tmpdir[TPATHSIZ+1]; /* job TMPDIR path */
/* /*
* Functions. * Functions.
*/ */
int cray_setup(uid_t, char *);
void cray_retain_utmp(struct utmp *, int); void cray_retain_utmp(struct utmp *, int);
void cray_create_tmpdir(int, uid_t, gid_t); void cray_create_tmpdir(int, uid_t, gid_t);
void cray_delete_tmpdir(char *, int , uid_t); void cray_delete_tmpdir(char *, int , uid_t);
@ -31,17 +37,17 @@ void cray_job_termination_handler (int);
void cray_init_job(struct passwd *); void cray_init_job(struct passwd *);
void cray_set_tmpdir(struct utmp *); void cray_set_tmpdir(struct utmp *);
/* /*
* Orignal written by: * Orignal written by:
* Wayne Schroeder * Wayne Schroeder
* San Diego Supercomputer Center * San Diego Supercomputer Center
* schroeder@sdsc.edu * schroeder@sdsc.edu
*/ */
int void
cray_setup(uid_t uid, char *username) cray_setup(uid_t uid, char *username)
{ {
struct udb *p; struct udb *p;
extern struct udb *getudb();
extern char *setlimits(); extern char *setlimits();
int i, j; int i, j;
int accts[MAXVIDS]; int accts[MAXVIDS];
@ -52,58 +58,83 @@ cray_setup(uid_t uid, char *username)
struct jtab jbuf; struct jtab jbuf;
int jid; int jid;
if ((jid = getjtab (&jbuf)) < 0) { if ((jid = getjtab (&jbuf)) < 0) fatal("getjtab: no jid");
debug("getjtab");
return -1;
}
/* Find all of the accounts for a particular user */ err = setudb(); /* open and rewind the Cray User DataBase */
err = setudb(); /* open and rewind the Cray User DataBase */ if(err != 0) fatal("UDB open failure");
if(err != 0) {
debug("UDB open failure");
return -1;
}
naccts = 0; naccts = 0;
while ((p = getudb()) != UDB_NULL) { p = getudbnam(username);
if (p->ue_uid == -1) break; if (p == NULL) fatal("No UDB entry for %s", username);
if(uid == p->ue_uid) { if(uid != p->ue_uid)
for(j = 0; p->ue_acids[j] != -1 && j < MAXVIDS; j++) { fatal("UDB etnry %s uid(%d) does not match uid %d\n",
accts[naccts] = p->ue_acids[j]; username, p->ue_uid, uid);
naccts++; for(j = 0; p->ue_acids[j] != -1 && j < MAXVIDS; j++) {
} accts[naccts] = p->ue_acids[j];
} naccts++;
}
endudb(); /* close the udb */
if (naccts == 0 || accts[0] == 0) {
debug("No Cray accounts found");
return -1;
} }
endudb(); /* close the udb */
if (naccts != 0) {
/* Perhaps someday we'll prompt users who have multiple accounts
to let them pick one (like CRI's login does), but for now just set
the account to the first entry. */
if (acctid(0, accts[0]) < 0)
fatal("System call acctid failed, accts[0]=%d",accts[0]);
}
/* Perhaps someday we'll prompt users who have multiple accounts /* Now set limits, including CPU time for the (interactive) job and process,
to let them pick one (like CRI's login does), but for now just set and set up permissions (for chown etc), etc. This is via an internal CRI
the account to the first entry. */ routine, setlimits, used by CRI's login. */
if (acctid(0, accts[0]) < 0) {
debug("System call acctid failed, accts[0]=%d",accts[0]);
return -1;
}
/* Now set limits, including CPU time for the (interactive) job and process,
and set up permissions (for chown etc), etc. This is via an internal CRI
routine, setlimits, used by CRI's login. */
pid = getpid(); pid = getpid();
sr = setlimits(username, C_PROC, pid, UDBRC_INTER); sr = setlimits(username, C_PROC, pid, UDBRC_INTER);
if (sr != NULL) { if (sr != NULL) fatal("%.200s", sr);
debug("%.200s", sr);
return -1;
}
sr = setlimits(username, C_JOB, jid, UDBRC_INTER);
if (sr != NULL) {
debug("%.200s", sr);
return -1;
}
return 0; sr = setlimits(username, C_JOB, jid, UDBRC_INTER);
if (sr != NULL) fatal("%.200s", sr);
}
/*
* The rc.* and /etc/sdaemon methods of starting a program on unicos/unicosmk
* can have pal privileges that sshd can inherit which
* could allow a user to su to root with out a password.
* This subroutine clears all privileges.
*/
void
drop_cray_privs()
{
#if defined(_SC_CRAY_PRIV_SU)
priv_proc_t* privstate;
int result;
extern int priv_set_proc();
extern priv_proc_t* priv_init_proc();
struct usrv usrv;
/*
* If ether of theses two flags are not set
* then don't allow this version of ssh to run.
*/
if (!sysconf(_SC_CRAY_PRIV_SU)) fatal("Not PRIV_SU system.");
if (!sysconf(_SC_CRAY_POSIX_PRIV)) fatal("Not POSIX_PRIV.");
debug ("Dropping privileges.");
memset(&usrv, 0, sizeof(usrv));
if (setusrv(&usrv) < 0)
fatal ("%s(%d): setusrv(): %s\n", __FILE__, __LINE__, strerror(errno));
if ((privstate = priv_init_proc()) != NULL) {
result = priv_set_proc(privstate);
if ( result != 0 ) fatal ("%s(%d): priv_set_proc(): %s\n",
__FILE__, __LINE__, strerror(errno));
priv_free_proc(privstate);
}
debug ("Privileges should be cleared...");
#else
Cray systems must be run with _SC_CRAY_PRIV_SU on!
#endif
} }

View File

@ -1,4 +1,4 @@
/* $Id: openbsd-compat.h,v 1.11 2001/07/14 03:22:54 djm Exp $ */ /* $Id: openbsd-compat.h,v 1.12 2001/08/06 23:29:18 mouring Exp $ */
#ifndef _OPENBSD_H #ifndef _OPENBSD_H
#define _OPENBSD_H #define _OPENBSD_H
@ -38,4 +38,7 @@
#include "fake-getnameinfo.h" #include "fake-getnameinfo.h"
#include "fake-socket.h" #include "fake-socket.h"
/* Routines for a single OS platform */
#include "bsd-cray.h"
#endif /* _OPENBSD_H */ #endif /* _OPENBSD_H */

7
sshd.c
View File

@ -679,6 +679,13 @@ main(int ac, char **av)
options.log_facility == -1 ? SYSLOG_FACILITY_AUTH : options.log_facility, options.log_facility == -1 ? SYSLOG_FACILITY_AUTH : options.log_facility,
!inetd_flag); !inetd_flag);
#ifdef _CRAY
/* Cray can define user privs drop all prives now!
* Not needed on PRIV_SU systems!
*/
drop_cray_privs();
#endif
seed_rng(); seed_rng();
/* Read server configuration options from the configuration file. */ /* Read server configuration options from the configuration file. */

View File

@ -162,6 +162,34 @@ pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
} }
return 1; return 1;
#else /* HAVE_DEV_PTS_AND_PTC */ #else /* HAVE_DEV_PTS_AND_PTC */
#ifdef _CRAY
char buf[64];
int i;
int highpty;
#ifdef _SC_CRAY_NPTY
highpty = sysconf(_SC_CRAY_NPTY);
if (highpty == -1)
highpty = 128;
#else
highpty = 128;
#endif
for (i = 0; i < highpty; i++) {
snprintf(buf, sizeof(buf), "/dev/pty/%03d", i);
*ptyfd = open(buf, O_RDWR|O_NOCTTY);
if (*ptyfd < 0) continue;
snprintf(namebuf, namebuflen, "/dev/ttyp%03d", i);
/* Open the slave side. */
*ttyfd = open(namebuf, O_RDWR|O_NOCTTY);
if (*ttyfd < 0) {
error("%.100s: %.100s", namebuf, strerror(errno));
close(*ptyfd);
}
return 1;
}
return 0;
#else
/* BSD-style pty code. */ /* BSD-style pty code. */
char buf[64]; char buf[64];
int i; int i;
@ -196,6 +224,7 @@ pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
return 1; return 1;
} }
return 0; return 0;
#endif /* CRAY */
#endif /* HAVE_DEV_PTS_AND_PTC */ #endif /* HAVE_DEV_PTS_AND_PTC */
#endif /* HAVE_DEV_PTMX */ #endif /* HAVE_DEV_PTMX */
#endif /* HAVE__GETPTY */ #endif /* HAVE__GETPTY */
@ -218,6 +247,35 @@ pty_release(const char *ttyname)
void void
pty_make_controlling_tty(int *ttyfd, const char *ttyname) pty_make_controlling_tty(int *ttyfd, const char *ttyname)
{ {
#ifdef _CRAY
int fd;
if (setsid() < 0)
error("setsid: %.100s", strerror(errno));
fd = open(ttyname, O_RDWR|O_NOCTTY);
if (fd >= 0) {
signal(SIGHUP, SIG_IGN);
ioctl(fd, TCVHUP, (char *)0);
signal(SIGHUP, SIG_DFL);
setpgid(0,0);
close(fd);
} else {
error("Failed to disconnect from controlling tty.");
}
debug("Setting controlling tty using TCSETCTTY.\n");
ioctl(*ttyfd, TCSETCTTY, NULL);
fd = open("/dev/tty", O_RDWR);
if (fd < 0)
error("%.100s: %.100s", ttyname, strerror(errno));
close(*ttyfd);
*ttyfd = fd;
#else
int fd; int fd;
#ifdef USE_VHANGUP #ifdef USE_VHANGUP
void *old; void *old;
@ -277,6 +335,7 @@ pty_make_controlling_tty(int *ttyfd, const char *ttyname)
else { else {
close(fd); close(fd);
} }
#endif
} }
/* Changes the window size associated with the pty. */ /* Changes the window size associated with the pty. */