- (bal) Second around of UNICOS patches. A few other things left.

Patches by William L. Jones <jones@mail.utexas.edu>
This commit is contained in:
Ben Lindstrom 2001-08-06 23:29:16 +00:00
parent ff2866cf51
commit 6db66ff387
7 changed files with 162 additions and 53 deletions

View File

@ -98,7 +98,7 @@
[ssh-keygen.c]
allow uploading RSA keys for non-default AUT0 (sha1 over passphrase
like sectok).
- markus@cvs.openbsd.org 2001/08/01 23:38:45
- markus@cvs.openbsd.org 2001/08/01 23:38:45
[scard.c ssh.c]
support finish rsa keys.
free public keys after login -> call finish -> close smartcard.
@ -122,7 +122,7 @@
- jakob@cvs.openbsd.org 2001/08/02 15:43:57
[ssh-agent.c ssh.c ssh-keygen.c]
add /* SMARTCARD */ to #else/#endif. ok markus@
- jakob@cvs.openbsd.org 2001/08/02 16:14:05
- jakob@cvs.openbsd.org 2001/08/02 16:14:05
[scard.c ssh-agent.c ssh.c ssh-keygen.c]
clean up some /* SMARTCARD */. ok markus@
- mpech@cvs.openbsd.org 2001/08/02 18:37:35
@ -148,6 +148,8 @@
[scp.c]
use alarm vs. setitimer for portable; ok markus@
- (bal) ssh-keyscan double -lssh hack due to seed_rng().
- (bal) Second around of UNICOS patches. A few other things left.
Patches by William L. Jones <jones@mail.utexas.edu>
20010803
- (djm) Fix interrupted read in entropy gatherer. Spotted by markus@ on
@ -6258,4 +6260,4 @@
- Wrote replacements for strlcpy and mkdtemp
- Released 1.0pre1
$Id: ChangeLog,v 1.1466 2001/08/06 22:56:46 mouring Exp $
$Id: ChangeLog,v 1.1467 2001/08/06 23:29:16 mouring Exp $

View File

@ -1,4 +1,4 @@
# $Id: configure.in,v 1.304 2001/07/24 17:00:14 mouring Exp $
# $Id: configure.in,v 1.305 2001/08/06 23:29:17 mouring Exp $
AC_INIT(ssh.c)
@ -1453,6 +1453,7 @@ if (test -z "$RANDOM_POOL" && test -z "$PRNGD") ; then
OSSH_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig)
OSSH_PATH_ENTROPY_PROG(PROG_JSTAT, jstat)
OSSH_PATH_ENTROPY_PROG(PROG_PS, ps)
OSSH_PATH_ENTROPY_PROG(PROG_SAR, sar)
OSSH_PATH_ENTROPY_PROG(PROG_W, w)
OSSH_PATH_ENTROPY_PROG(PROG_WHO, who)
OSSH_PATH_ENTROPY_PROG(PROG_LAST, last)

View File

@ -163,7 +163,7 @@
#include "log.h"
#include "atomicio.h"
RCSID("$Id: loginrec.c,v 1.33 2001/05/08 20:33:06 mouring Exp $");
RCSID("$Id: loginrec.c,v 1.34 2001/08/06 23:29:17 mouring Exp $");
#ifdef HAVE_UTIL_H
# include <util.h>
@ -616,9 +616,15 @@ construct_utmp(struct logininfo *li,
switch (li->type) {
case LTYPE_LOGIN:
ut->ut_type = USER_PROCESS;
#ifdef _CRAY
cray_set_tmpdir(ut);
#endif
break;
case LTYPE_LOGOUT:
ut->ut_type = DEAD_PROCESS;
#ifdef _CRAY
cray_retain_utmp(ut, li->pid);
#endif
break;
}
# endif

View File

@ -12,18 +12,24 @@
#include <utmp.h>
#include <sys/jtab.h>
#include <signal.h>
#include <sys/priv.h>
#include <sys/secparm.h>
#include <sys/usrv.h>
#include <sys/sysv.h>
#include <sys/sectab.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <pwd.h>
#include <fcntl.h>
#include <errno.h>
#include "bsd-cray.h"
char cray_tmpdir[TPATHSIZ+1]; /* job TMPDIR path */
/*
* Functions.
*/
int cray_setup(uid_t, char *);
void cray_retain_utmp(struct utmp *, int);
void cray_create_tmpdir(int, uid_t, gid_t);
void cray_delete_tmpdir(char *, int , uid_t);
@ -31,17 +37,17 @@ void cray_job_termination_handler (int);
void cray_init_job(struct passwd *);
void cray_set_tmpdir(struct utmp *);
/*
* Orignal written by:
* Wayne Schroeder
* San Diego Supercomputer Center
* schroeder@sdsc.edu
*/
int
void
cray_setup(uid_t uid, char *username)
{
struct udb *p;
extern struct udb *getudb();
extern char *setlimits();
int i, j;
int accts[MAXVIDS];
@ -52,58 +58,83 @@ cray_setup(uid_t uid, char *username)
struct jtab jbuf;
int jid;
if ((jid = getjtab (&jbuf)) < 0) {
debug("getjtab");
return -1;
if ((jid = getjtab (&jbuf)) < 0) fatal("getjtab: no jid");
err = setudb(); /* open and rewind the Cray User DataBase */
if(err != 0) fatal("UDB open failure");
naccts = 0;
p = getudbnam(username);
if (p == NULL) fatal("No UDB entry for %s", username);
if(uid != p->ue_uid)
fatal("UDB etnry %s uid(%d) does not match uid %d\n",
username, p->ue_uid, uid);
for(j = 0; p->ue_acids[j] != -1 && j < MAXVIDS; j++) {
accts[naccts] = p->ue_acids[j];
naccts++;
}
endudb(); /* close the udb */
if (naccts != 0) {
/* Perhaps someday we'll prompt users who have multiple accounts
to let them pick one (like CRI's login does), but for now just set
the account to the first entry. */
if (acctid(0, accts[0]) < 0)
fatal("System call acctid failed, accts[0]=%d",accts[0]);
}
/* Find all of the accounts for a particular user */
err = setudb(); /* open and rewind the Cray User DataBase */
if(err != 0) {
debug("UDB open failure");
return -1;
}
naccts = 0;
while ((p = getudb()) != UDB_NULL) {
if (p->ue_uid == -1) break;
if(uid == p->ue_uid) {
for(j = 0; p->ue_acids[j] != -1 && j < MAXVIDS; j++) {
accts[naccts] = p->ue_acids[j];
naccts++;
}
}
}
endudb(); /* close the udb */
if (naccts == 0 || accts[0] == 0) {
debug("No Cray accounts found");
return -1;
}
/* Perhaps someday we'll prompt users who have multiple accounts
to let them pick one (like CRI's login does), but for now just set
the account to the first entry. */
if (acctid(0, accts[0]) < 0) {
debug("System call acctid failed, accts[0]=%d",accts[0]);
return -1;
}
/* Now set limits, including CPU time for the (interactive) job and process,
and set up permissions (for chown etc), etc. This is via an internal CRI
routine, setlimits, used by CRI's login. */
/* Now set limits, including CPU time for the (interactive) job and process,
and set up permissions (for chown etc), etc. This is via an internal CRI
routine, setlimits, used by CRI's login. */
pid = getpid();
sr = setlimits(username, C_PROC, pid, UDBRC_INTER);
if (sr != NULL) {
debug("%.200s", sr);
return -1;
}
sr = setlimits(username, C_JOB, jid, UDBRC_INTER);
if (sr != NULL) {
debug("%.200s", sr);
return -1;
}
if (sr != NULL) fatal("%.200s", sr);
return 0;
sr = setlimits(username, C_JOB, jid, UDBRC_INTER);
if (sr != NULL) fatal("%.200s", sr);
}
/*
* The rc.* and /etc/sdaemon methods of starting a program on unicos/unicosmk
* can have pal privileges that sshd can inherit which
* could allow a user to su to root with out a password.
* This subroutine clears all privileges.
*/
void
drop_cray_privs()
{
#if defined(_SC_CRAY_PRIV_SU)
priv_proc_t* privstate;
int result;
extern int priv_set_proc();
extern priv_proc_t* priv_init_proc();
struct usrv usrv;
/*
* If ether of theses two flags are not set
* then don't allow this version of ssh to run.
*/
if (!sysconf(_SC_CRAY_PRIV_SU)) fatal("Not PRIV_SU system.");
if (!sysconf(_SC_CRAY_POSIX_PRIV)) fatal("Not POSIX_PRIV.");
debug ("Dropping privileges.");
memset(&usrv, 0, sizeof(usrv));
if (setusrv(&usrv) < 0)
fatal ("%s(%d): setusrv(): %s\n", __FILE__, __LINE__, strerror(errno));
if ((privstate = priv_init_proc()) != NULL) {
result = priv_set_proc(privstate);
if ( result != 0 ) fatal ("%s(%d): priv_set_proc(): %s\n",
__FILE__, __LINE__, strerror(errno));
priv_free_proc(privstate);
}
debug ("Privileges should be cleared...");
#else
Cray systems must be run with _SC_CRAY_PRIV_SU on!
#endif
}

View File

@ -1,4 +1,4 @@
/* $Id: openbsd-compat.h,v 1.11 2001/07/14 03:22:54 djm Exp $ */
/* $Id: openbsd-compat.h,v 1.12 2001/08/06 23:29:18 mouring Exp $ */
#ifndef _OPENBSD_H
#define _OPENBSD_H
@ -38,4 +38,7 @@
#include "fake-getnameinfo.h"
#include "fake-socket.h"
/* Routines for a single OS platform */
#include "bsd-cray.h"
#endif /* _OPENBSD_H */

7
sshd.c
View File

@ -679,6 +679,13 @@ main(int ac, char **av)
options.log_facility == -1 ? SYSLOG_FACILITY_AUTH : options.log_facility,
!inetd_flag);
#ifdef _CRAY
/* Cray can define user privs drop all prives now!
* Not needed on PRIV_SU systems!
*/
drop_cray_privs();
#endif
seed_rng();
/* Read server configuration options from the configuration file. */

View File

@ -162,6 +162,34 @@ pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
}
return 1;
#else /* HAVE_DEV_PTS_AND_PTC */
#ifdef _CRAY
char buf[64];
int i;
int highpty;
#ifdef _SC_CRAY_NPTY
highpty = sysconf(_SC_CRAY_NPTY);
if (highpty == -1)
highpty = 128;
#else
highpty = 128;
#endif
for (i = 0; i < highpty; i++) {
snprintf(buf, sizeof(buf), "/dev/pty/%03d", i);
*ptyfd = open(buf, O_RDWR|O_NOCTTY);
if (*ptyfd < 0) continue;
snprintf(namebuf, namebuflen, "/dev/ttyp%03d", i);
/* Open the slave side. */
*ttyfd = open(namebuf, O_RDWR|O_NOCTTY);
if (*ttyfd < 0) {
error("%.100s: %.100s", namebuf, strerror(errno));
close(*ptyfd);
}
return 1;
}
return 0;
#else
/* BSD-style pty code. */
char buf[64];
int i;
@ -196,6 +224,7 @@ pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
return 1;
}
return 0;
#endif /* CRAY */
#endif /* HAVE_DEV_PTS_AND_PTC */
#endif /* HAVE_DEV_PTMX */
#endif /* HAVE__GETPTY */
@ -218,6 +247,35 @@ pty_release(const char *ttyname)
void
pty_make_controlling_tty(int *ttyfd, const char *ttyname)
{
#ifdef _CRAY
int fd;
if (setsid() < 0)
error("setsid: %.100s", strerror(errno));
fd = open(ttyname, O_RDWR|O_NOCTTY);
if (fd >= 0) {
signal(SIGHUP, SIG_IGN);
ioctl(fd, TCVHUP, (char *)0);
signal(SIGHUP, SIG_DFL);
setpgid(0,0);
close(fd);
} else {
error("Failed to disconnect from controlling tty.");
}
debug("Setting controlling tty using TCSETCTTY.\n");
ioctl(*ttyfd, TCSETCTTY, NULL);
fd = open("/dev/tty", O_RDWR);
if (fd < 0)
error("%.100s: %.100s", ttyname, strerror(errno));
close(*ttyfd);
*ttyfd = fd;
#else
int fd;
#ifdef USE_VHANGUP
void *old;
@ -277,6 +335,7 @@ pty_make_controlling_tty(int *ttyfd, const char *ttyname)
else {
close(fd);
}
#endif
}
/* Changes the window size associated with the pty. */