- djm@cvs.openbsd.org 2008/05/08 12:21:16

[monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c]
     [sshd_config sshd_config.5]
     Make the maximum number of sessions run-time controllable via
     a sshd_config MaxSessions knob. This is useful for disabling
     login/shell/subsystem access while leaving port-forwarding working
     (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
     simply increasing the number of allows multiplexed sessions.
     Because some bozos are sure to configure MaxSessions in excess of the
     number of available file descriptors in sshd (which, at peak, might be
     as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
     on error paths, and make it fail gracefully on out-of-fd conditions -
     sending channel errors instead of than exiting with fatal().
     bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
     ok markus@
This commit is contained in:
Damien Miller 2008-05-19 15:34:50 +10:00
parent 9417831ece
commit 7207f64a23
9 changed files with 326 additions and 138 deletions

View File

@ -77,6 +77,21 @@
shouldn't happen in compliant implementations, but it could be shouldn't happen in compliant implementations, but it could be
abused to leak memory. abused to leak memory.
ok markus@ (as part of a larger diff) ok markus@ (as part of a larger diff)
- djm@cvs.openbsd.org 2008/05/08 12:21:16
[monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c]
[sshd_config sshd_config.5]
Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allows multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of than exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
20080403 20080403
- (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile- - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile-
@ -3937,4 +3952,4 @@
OpenServer 6 and add osr5bigcrypt support so when someone migrates OpenServer 6 and add osr5bigcrypt support so when someone migrates
passwords between UnixWare and OpenServer they will still work. OK dtucker@ passwords between UnixWare and OpenServer they will still work. OK dtucker@
$Id: ChangeLog,v 1.4922 2008/05/19 05:28:35 djm Exp $ $Id: ChangeLog,v 1.4923 2008/05/19 05:34:50 djm Exp $

View File

@ -1,4 +1,4 @@
/* $OpenBSD: monitor.c,v 1.95 2008/05/08 12:02:23 djm Exp $ */ /* $OpenBSD: monitor.c,v 1.96 2008/05/08 12:21:16 djm Exp $ */
/* /*
* Copyright 2002 Niels Provos <provos@citi.umich.edu> * Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org> * Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -1273,7 +1273,7 @@ mm_session_close(Session *s)
debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
session_pty_cleanup2(s); session_pty_cleanup2(s);
} }
s->used = 0; session_unused(s->self);
} }
int int

View File

@ -1,4 +1,4 @@
/* $OpenBSD: monitor_wrap.c,v 1.61 2008/05/08 12:02:23 djm Exp $ */ /* $OpenBSD: monitor_wrap.c,v 1.62 2008/05/08 12:21:16 djm Exp $ */
/* /*
* Copyright 2002 Niels Provos <provos@citi.umich.edu> * Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org> * Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -666,7 +666,20 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen)
{ {
Buffer m; Buffer m;
char *p, *msg; char *p, *msg;
int success = 0; int success = 0, tmp1 = -1, tmp2 = -1;
/* Kludge: ensure there are fds free to receive the pty/tty */
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
error("%s: cannot allocate fds for pty", __func__);
if (tmp1 > 0)
close(tmp1);
if (tmp2 > 0)
close(tmp2);
return 0;
}
close(tmp1);
close(tmp2);
buffer_init(&m); buffer_init(&m);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, &m); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, &m);
@ -711,8 +724,9 @@ mm_session_pty_cleanup2(Session *s)
buffer_free(&m); buffer_free(&m);
/* closed dup'ed master */ /* closed dup'ed master */
if (close(s->ptymaster) < 0) if (s->ptymaster != -1 && close(s->ptymaster) < 0)
error("close(s->ptymaster): %s", strerror(errno)); error("close(s->ptymaster/%d): %s",
s->ptymaster, strerror(errno));
/* unlink pty from session */ /* unlink pty from session */
s->ttyfd = -1; s->ttyfd = -1;

View File

@ -1,4 +1,4 @@
/* $OpenBSD: servconf.c,v 1.179 2008/05/08 12:02:23 djm Exp $ */ /* $OpenBSD: servconf.c,v 1.180 2008/05/08 12:21:16 djm Exp $ */
/* /*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved * All rights reserved
@ -114,6 +114,7 @@ initialize_server_options(ServerOptions *options)
options->max_startups_rate = -1; options->max_startups_rate = -1;
options->max_startups = -1; options->max_startups = -1;
options->max_authtries = -1; options->max_authtries = -1;
options->max_sessions = -1;
options->banner = NULL; options->banner = NULL;
options->use_dns = -1; options->use_dns = -1;
options->client_alive_interval = -1; options->client_alive_interval = -1;
@ -237,6 +238,8 @@ fill_default_server_options(ServerOptions *options)
options->max_startups_begin = options->max_startups; options->max_startups_begin = options->max_startups;
if (options->max_authtries == -1) if (options->max_authtries == -1)
options->max_authtries = DEFAULT_AUTH_FAIL_MAX; options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
if (options->max_sessions == -1)
options->max_sessions = DEFAULT_SESSIONS_MAX;
if (options->use_dns == -1) if (options->use_dns == -1)
options->use_dns = 1; options->use_dns = 1;
if (options->client_alive_interval == -1) if (options->client_alive_interval == -1)
@ -291,7 +294,7 @@ typedef enum {
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
sMaxStartups, sMaxAuthTries, sMaxStartups, sMaxAuthTries, sMaxSessions,
sBanner, sUseDNS, sHostbasedAuthentication, sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@ -395,6 +398,7 @@ static struct {
{ "subsystem", sSubsystem, SSHCFG_GLOBAL }, { "subsystem", sSubsystem, SSHCFG_GLOBAL },
{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL }, { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL },
{ "usedns", sUseDNS, SSHCFG_GLOBAL }, { "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
@ -1155,6 +1159,10 @@ parse_flag:
intptr = &options->max_authtries; intptr = &options->max_authtries;
goto parse_int; goto parse_int;
case sMaxSessions:
intptr = &options->max_sessions;
goto parse_int;
case sBanner: case sBanner:
charptr = &options->banner; charptr = &options->banner;
goto parse_filename; goto parse_filename;
@ -1382,6 +1390,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
M_CP_INTOPT(x11_display_offset); M_CP_INTOPT(x11_display_offset);
M_CP_INTOPT(x11_forwarding); M_CP_INTOPT(x11_forwarding);
M_CP_INTOPT(x11_use_localhost); M_CP_INTOPT(x11_use_localhost);
M_CP_INTOPT(max_sessions);
M_CP_STROPT(banner); M_CP_STROPT(banner);
if (preauth) if (preauth)

View File

@ -1,4 +1,4 @@
/* $OpenBSD: servconf.h,v 1.83 2008/05/07 05:49:37 pyr Exp $ */ /* $OpenBSD: servconf.h,v 1.84 2008/05/08 12:21:16 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -35,6 +35,7 @@
#define PERMIT_YES 3 #define PERMIT_YES 3
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
/* Magic name for internal sftp-server */ /* Magic name for internal sftp-server */
#define INTERNAL_SFTP_NAME "internal-sftp" #define INTERNAL_SFTP_NAME "internal-sftp"
@ -123,6 +124,7 @@ typedef struct {
int max_startups_rate; int max_startups_rate;
int max_startups; int max_startups;
int max_authtries; int max_authtries;
int max_sessions;
char *banner; /* SSH-2 banner message */ char *banner; /* SSH-2 banner message */
int use_dns; int use_dns;
int client_alive_interval; /* int client_alive_interval; /*

380
session.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: session.c,v 1.236 2008/05/08 12:02:23 djm Exp $ */ /* $OpenBSD: session.c,v 1.237 2008/05/08 12:21:16 djm Exp $ */
/* /*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved * All rights reserved
@ -102,9 +102,9 @@ void session_set_fds(Session *, int, int, int);
void session_pty_cleanup(Session *); void session_pty_cleanup(Session *);
void session_proctitle(Session *); void session_proctitle(Session *);
int session_setup_x11fwd(Session *); int session_setup_x11fwd(Session *);
void do_exec_pty(Session *, const char *); int do_exec_pty(Session *, const char *);
void do_exec_no_pty(Session *, const char *); int do_exec_no_pty(Session *, const char *);
void do_exec(Session *, const char *); int do_exec(Session *, const char *);
void do_login(Session *, const char *); void do_login(Session *, const char *);
#ifdef LOGIN_NEEDS_UTMPX #ifdef LOGIN_NEEDS_UTMPX
static void do_pre_login(Session *s); static void do_pre_login(Session *s);
@ -132,8 +132,9 @@ extern Buffer loginmsg;
const char *original_command = NULL; const char *original_command = NULL;
/* data */ /* data */
#define MAX_SESSIONS 20 static int sessions_first_unused = -1;
Session sessions[MAX_SESSIONS]; static int sessions_nalloc = 0;
static Session *sessions = NULL;
#define SUBSYSTEM_NONE 0 #define SUBSYSTEM_NONE 0
#define SUBSYSTEM_EXT 1 #define SUBSYSTEM_EXT 1
@ -167,7 +168,7 @@ static int
auth_input_request_forwarding(struct passwd * pw) auth_input_request_forwarding(struct passwd * pw)
{ {
Channel *nc; Channel *nc;
int sock; int sock = -1;
struct sockaddr_un sunaddr; struct sockaddr_un sunaddr;
if (auth_sock_name != NULL) { if (auth_sock_name != NULL) {
@ -179,43 +180,48 @@ auth_input_request_forwarding(struct passwd * pw)
temporarily_use_uid(pw); temporarily_use_uid(pw);
/* Allocate a buffer for the socket name, and format the name. */ /* Allocate a buffer for the socket name, and format the name. */
auth_sock_name = xmalloc(MAXPATHLEN); auth_sock_dir = xstrdup("/tmp/ssh-XXXXXXXXXX");
auth_sock_dir = xmalloc(MAXPATHLEN);
strlcpy(auth_sock_dir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN);
/* Create private directory for socket */ /* Create private directory for socket */
if (mkdtemp(auth_sock_dir) == NULL) { if (mkdtemp(auth_sock_dir) == NULL) {
packet_send_debug("Agent forwarding disabled: " packet_send_debug("Agent forwarding disabled: "
"mkdtemp() failed: %.100s", strerror(errno)); "mkdtemp() failed: %.100s", strerror(errno));
restore_uid(); restore_uid();
xfree(auth_sock_name);
xfree(auth_sock_dir); xfree(auth_sock_dir);
auth_sock_name = NULL;
auth_sock_dir = NULL; auth_sock_dir = NULL;
return 0; goto authsock_err;
} }
snprintf(auth_sock_name, MAXPATHLEN, "%s/agent.%ld",
xasprintf(&auth_sock_name, "%s/agent.%ld",
auth_sock_dir, (long) getpid()); auth_sock_dir, (long) getpid());
/* Create the socket. */ /* Create the socket. */
sock = socket(AF_UNIX, SOCK_STREAM, 0); sock = socket(AF_UNIX, SOCK_STREAM, 0);
if (sock < 0) if (sock < 0) {
packet_disconnect("socket: %.100s", strerror(errno)); error("socket: %.100s", strerror(errno));
restore_uid();
goto authsock_err;
}
/* Bind it to the name. */ /* Bind it to the name. */
memset(&sunaddr, 0, sizeof(sunaddr)); memset(&sunaddr, 0, sizeof(sunaddr));
sunaddr.sun_family = AF_UNIX; sunaddr.sun_family = AF_UNIX;
strlcpy(sunaddr.sun_path, auth_sock_name, sizeof(sunaddr.sun_path)); strlcpy(sunaddr.sun_path, auth_sock_name, sizeof(sunaddr.sun_path));
if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) {
packet_disconnect("bind: %.100s", strerror(errno)); error("bind: %.100s", strerror(errno));
restore_uid();
goto authsock_err;
}
/* Restore the privileged uid. */ /* Restore the privileged uid. */
restore_uid(); restore_uid();
/* Start listening on the socket. */ /* Start listening on the socket. */
if (listen(sock, SSH_LISTEN_BACKLOG) < 0) if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
packet_disconnect("listen: %.100s", strerror(errno)); error("listen: %.100s", strerror(errno));
goto authsock_err;
}
/* Allocate a channel for the authentication agent socket. */ /* Allocate a channel for the authentication agent socket. */
nc = channel_new("auth socket", nc = channel_new("auth socket",
@ -224,6 +230,19 @@ auth_input_request_forwarding(struct passwd * pw)
0, "auth socket", 1); 0, "auth socket", 1);
strlcpy(nc->path, auth_sock_name, sizeof(nc->path)); strlcpy(nc->path, auth_sock_name, sizeof(nc->path));
return 1; return 1;
authsock_err:
if (auth_sock_name != NULL)
xfree(auth_sock_name);
if (auth_sock_dir != NULL) {
rmdir(auth_sock_dir);
xfree(auth_sock_dir);
}
if (sock != -1)
close(sock);
auth_sock_name = NULL;
auth_sock_dir = NULL;
return 0;
} }
static void static void
@ -373,10 +392,14 @@ do_authenticated1(Authctxt *authctxt)
if (type == SSH_CMSG_EXEC_CMD) { if (type == SSH_CMSG_EXEC_CMD) {
command = packet_get_string(&dlen); command = packet_get_string(&dlen);
debug("Exec command '%.500s'", command); debug("Exec command '%.500s'", command);
do_exec(s, command); if (do_exec(s, command) != 0)
packet_disconnect(
"command execution failed");
xfree(command); xfree(command);
} else { } else {
do_exec(s, NULL); if (do_exec(s, NULL) != 0)
packet_disconnect(
"shell execution failed");
} }
packet_check_eom(); packet_check_eom();
session_close(s); session_close(s);
@ -401,41 +424,84 @@ do_authenticated1(Authctxt *authctxt)
} }
} }
#define USE_PIPES
/* /*
* This is called to fork and execute a command when we have no tty. This * This is called to fork and execute a command when we have no tty. This
* will call do_child from the child, and server_loop from the parent after * will call do_child from the child, and server_loop from the parent after
* setting up file descriptors and such. * setting up file descriptors and such.
*/ */
void int
do_exec_no_pty(Session *s, const char *command) do_exec_no_pty(Session *s, const char *command)
{ {
pid_t pid; pid_t pid;
#ifdef USE_PIPES #ifdef USE_PIPES
int pin[2], pout[2], perr[2]; int pin[2], pout[2], perr[2];
/* Allocate pipes for communicating with the program. */ /* Allocate pipes for communicating with the program. */
if (pipe(pin) < 0 || pipe(pout) < 0 || pipe(perr) < 0) if (pipe(pin) < 0) {
packet_disconnect("Could not create pipes: %.100s", error("%s: pipe in: %.100s", __func__, strerror(errno));
strerror(errno)); return -1;
#else /* USE_PIPES */ }
if (pipe(pout) < 0) {
error("%s: pipe out: %.100s", __func__, strerror(errno));
close(pin[0]);
close(pin[1]);
return -1;
}
if (pipe(perr) < 0) {
error("%s: pipe err: %.100s", __func__, strerror(errno));
close(pin[0]);
close(pin[1]);
close(pout[0]);
close(pout[1]);
return -1;
}
#else
int inout[2], err[2]; int inout[2], err[2];
/* Uses socket pairs to communicate with the program. */ /* Uses socket pairs to communicate with the program. */
if (socketpair(AF_UNIX, SOCK_STREAM, 0, inout) < 0 || if (socketpair(AF_UNIX, SOCK_STREAM, 0, inout) < 0) {
socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0) error("%s: socketpair #1: %.100s", __func__, strerror(errno));
packet_disconnect("Could not create socket pairs: %.100s", return -1;
strerror(errno)); }
#endif /* USE_PIPES */ if (socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0) {
error("%s: socketpair #2: %.100s", __func__, strerror(errno));
close(inout[0]);
close(inout[1]);
return -1;
}
#endif
if (s == NULL) if (s == NULL)
fatal("do_exec_no_pty: no session"); fatal("do_exec_no_pty: no session");
session_proctitle(s); session_proctitle(s);
/* Fork the child. */ /* Fork the child. */
if ((pid = fork()) == 0) { switch ((pid = fork())) {
case -1:
error("%s: fork: %.100s", __func__, strerror(errno));
#ifdef USE_PIPES
close(pin[0]);
close(pin[1]);
close(pout[0]);
close(pout[1]);
close(perr[0]);
close(perr[1]);
#else
close(inout[0]);
close(inout[1]);
close(err[0]);
close(err[1]);
#endif
return -1;
case 0:
is_child = 1; is_child = 1;
/* Child. Reinitialize the log since the pid has changed. */ /* Child. Reinitialize the log since the pid has changed. */
log_init(__progname, options.log_level, options.log_facility, log_stderr); log_init(__progname, options.log_level,
options.log_facility, log_stderr);
/* /*
* Create a new session and process group since the 4.4BSD * Create a new session and process group since the 4.4BSD
@ -465,7 +531,7 @@ do_exec_no_pty(Session *s, const char *command)
if (dup2(perr[1], 2) < 0) if (dup2(perr[1], 2) < 0)
perror("dup2 stderr"); perror("dup2 stderr");
close(perr[1]); close(perr[1]);
#else /* USE_PIPES */ #else
/* /*
* Redirect stdin, stdout, and stderr. Stdin and stdout will * Redirect stdin, stdout, and stderr. Stdin and stdout will
* use the same socket, as some programs (particularly rdist) * use the same socket, as some programs (particularly rdist)
@ -475,11 +541,14 @@ do_exec_no_pty(Session *s, const char *command)
close(err[1]); close(err[1]);
if (dup2(inout[0], 0) < 0) /* stdin */ if (dup2(inout[0], 0) < 0) /* stdin */
perror("dup2 stdin"); perror("dup2 stdin");
if (dup2(inout[0], 1) < 0) /* stdout. Note: same socket as stdin. */ if (dup2(inout[0], 1) < 0) /* stdout (same as stdin) */
perror("dup2 stdout"); perror("dup2 stdout");
close(inout[0]);
if (dup2(err[0], 2) < 0) /* stderr */ if (dup2(err[0], 2) < 0) /* stderr */
perror("dup2 stderr"); perror("dup2 stderr");
#endif /* USE_PIPES */ close(err[0]);
#endif
#ifdef _UNICOS #ifdef _UNICOS
cray_init_job(s->pw); /* set up cray jid and tmpdir */ cray_init_job(s->pw); /* set up cray jid and tmpdir */
@ -488,7 +557,10 @@ do_exec_no_pty(Session *s, const char *command)
/* Do processing for the child (exec command etc). */ /* Do processing for the child (exec command etc). */
do_child(s, command); do_child(s, command);
/* NOTREACHED */ /* NOTREACHED */
default:
break;
} }
#ifdef _UNICOS #ifdef _UNICOS
signal(WJSIGNAL, cray_job_termination_handler); signal(WJSIGNAL, cray_job_termination_handler);
#endif /* _UNICOS */ #endif /* _UNICOS */
@ -496,11 +568,18 @@ do_exec_no_pty(Session *s, const char *command)
if (is_winnt) if (is_winnt)
cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
#endif #endif
if (pid < 0)
packet_disconnect("fork failed: %.100s", strerror(errno));
s->pid = pid; s->pid = pid;
/* Set interactive/non-interactive mode. */ /* Set interactive/non-interactive mode. */
packet_set_interactive(s->display != NULL); packet_set_interactive(s->display != NULL);
/*
* Clear loginmsg, since it's the child's responsibility to display
* it to the user, otherwise multiple sessions may accumulate
* multiple copies of the login messages.
*/
buffer_clear(&loginmsg);
#ifdef USE_PIPES #ifdef USE_PIPES
/* We are the parent. Close the child sides of the pipes. */ /* We are the parent. Close the child sides of the pipes. */
close(pin[0]); close(pin[0]);
@ -518,29 +597,26 @@ do_exec_no_pty(Session *s, const char *command)
server_loop(pid, pin[1], pout[0], perr[0]); server_loop(pid, pin[1], pout[0], perr[0]);
/* server_loop has closed pin[1], pout[0], and perr[0]. */ /* server_loop has closed pin[1], pout[0], and perr[0]. */
} }
#else /* USE_PIPES */ #else
/* We are the parent. Close the child sides of the socket pairs. */ /* We are the parent. Close the child sides of the socket pairs. */
close(inout[0]); close(inout[0]);
close(err[0]); close(err[0]);
/*
* Clear loginmsg, since it's the child's responsibility to display
* it to the user, otherwise multiple sessions may accumulate
* multiple copies of the login messages.
*/
buffer_clear(&loginmsg);
/* /*
* Enter the interactive session. Note: server_loop must be able to * Enter the interactive session. Note: server_loop must be able to
* handle the case that fdin and fdout are the same. * handle the case that fdin and fdout are the same.
*/ */
if (compat20) { if (compat20) {
session_set_fds(s, inout[1], inout[1], s->is_subsystem ? -1 : err[1]); session_set_fds(s, inout[1], inout[1],
s->is_subsystem ? -1 : err[1]);
if (s->is_subsystem)
close(err[1]);
} else { } else {
server_loop(pid, inout[1], inout[1], err[1]); server_loop(pid, inout[1], inout[1], err[1]);
/* server_loop has closed inout[1] and err[1]. */ /* server_loop has closed inout[1] and err[1]. */
} }
#endif /* USE_PIPES */ #endif
return 0;
} }
/* /*
@ -549,7 +625,7 @@ do_exec_no_pty(Session *s, const char *command)
* setting up file descriptors, controlling tty, updating wtmp, utmp, * setting up file descriptors, controlling tty, updating wtmp, utmp,
* lastlog, and other such operations. * lastlog, and other such operations.
*/ */
void int
do_exec_pty(Session *s, const char *command) do_exec_pty(Session *s, const char *command)
{ {
int fdout, ptyfd, ttyfd, ptymaster; int fdout, ptyfd, ttyfd, ptymaster;
@ -560,12 +636,46 @@ do_exec_pty(Session *s, const char *command)
ptyfd = s->ptyfd; ptyfd = s->ptyfd;
ttyfd = s->ttyfd; ttyfd = s->ttyfd;
/*
* Create another descriptor of the pty master side for use as the
* standard input. We could use the original descriptor, but this
* simplifies code in server_loop. The descriptor is bidirectional.
* Do this before forking (and cleanup in the child) so as to
* detect and gracefully fail out-of-fd conditions.
*/
if ((fdout = dup(ptyfd)) < 0) {
error("%s: dup #1: %s", __func__, strerror(errno));
close(ttyfd);
close(ptyfd);
return -1;
}
/* we keep a reference to the pty master */
if ((ptymaster = dup(ptyfd)) < 0) {
error("%s: dup #2: %s", __func__, strerror(errno));
close(ttyfd);
close(ptyfd);
close(fdout);
return -1;
}
/* Fork the child. */ /* Fork the child. */
if ((pid = fork()) == 0) { switch ((pid = fork())) {
case -1:
error("%s: fork: %.100s", __func__, strerror(errno));
close(fdout);
close(ptymaster);
close(ttyfd);
close(ptyfd);
return -1;
case 0:
is_child = 1; is_child = 1;
close(fdout);
close(ptymaster);
/* Child. Reinitialize the log because the pid has changed. */ /* Child. Reinitialize the log because the pid has changed. */
log_init(__progname, options.log_level, options.log_facility, log_stderr); log_init(__progname, options.log_level,
options.log_facility, log_stderr);
/* Close the master side of the pseudo tty. */ /* Close the master side of the pseudo tty. */
close(ptyfd); close(ptyfd);
@ -596,11 +706,16 @@ do_exec_pty(Session *s, const char *command)
do_pre_login(s); do_pre_login(s);
# endif # endif
#endif #endif
/*
/* Do common processing for the child, such as execing the command. */ * Do common processing for the child, such as execing
* the command.
*/
do_child(s, command); do_child(s, command);
/* NOTREACHED */ /* NOTREACHED */
default:
break;
} }
#ifdef _UNICOS #ifdef _UNICOS
signal(WJSIGNAL, cray_job_termination_handler); signal(WJSIGNAL, cray_job_termination_handler);
#endif /* _UNICOS */ #endif /* _UNICOS */
@ -608,29 +723,14 @@ do_exec_pty(Session *s, const char *command)
if (is_winnt) if (is_winnt)
cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
#endif #endif
if (pid < 0)
packet_disconnect("fork failed: %.100s", strerror(errno));
s->pid = pid; s->pid = pid;
/* Parent. Close the slave side of the pseudo tty. */ /* Parent. Close the slave side of the pseudo tty. */
close(ttyfd); close(ttyfd);
/*
* Create another descriptor of the pty master side for use as the
* standard input. We could use the original descriptor, but this
* simplifies code in server_loop. The descriptor is bidirectional.
*/
fdout = dup(ptyfd);
if (fdout < 0)
packet_disconnect("dup #1 failed: %.100s", strerror(errno));
/* we keep a reference to the pty master */
ptymaster = dup(ptyfd);
if (ptymaster < 0)
packet_disconnect("dup #2 failed: %.100s", strerror(errno));
s->ptymaster = ptymaster;
/* Enter interactive session. */ /* Enter interactive session. */
s->ptymaster = ptymaster;
packet_set_interactive(1); packet_set_interactive(1);
if (compat20) { if (compat20) {
session_set_fds(s, ptyfd, fdout, -1); session_set_fds(s, ptyfd, fdout, -1);
@ -638,6 +738,7 @@ do_exec_pty(Session *s, const char *command)
server_loop(pid, ptyfd, fdout, -1); server_loop(pid, ptyfd, fdout, -1);
/* server_loop _has_ closed ptyfd and fdout. */ /* server_loop _has_ closed ptyfd and fdout. */
} }
return 0;
} }
#ifdef LOGIN_NEEDS_UTMPX #ifdef LOGIN_NEEDS_UTMPX
@ -672,9 +773,11 @@ do_pre_login(Session *s)
* This is called to fork and execute a command. If another command is * This is called to fork and execute a command. If another command is
* to be forced, execute that instead. * to be forced, execute that instead.
*/ */
void int
do_exec(Session *s, const char *command) do_exec(Session *s, const char *command)
{ {
int ret;
if (options.adm_forced_command) { if (options.adm_forced_command) {
original_command = command; original_command = command;
command = options.adm_forced_command; command = options.adm_forced_command;
@ -705,9 +808,9 @@ do_exec(Session *s, const char *command)
} }
#endif #endif
if (s->ttyfd != -1) if (s->ttyfd != -1)
do_exec_pty(s, command); ret = do_exec_pty(s, command);
else else
do_exec_no_pty(s, command); ret = do_exec_no_pty(s, command);
original_command = NULL; original_command = NULL;
@ -717,6 +820,8 @@ do_exec(Session *s, const char *command)
* multiple copies of the login messages. * multiple copies of the login messages.
*/ */
buffer_clear(&loginmsg); buffer_clear(&loginmsg);
return ret;
} }
/* administrative, login(1)-like work */ /* administrative, login(1)-like work */
@ -1740,43 +1845,79 @@ do_child(Session *s, const char *command)
exit(1); exit(1);
} }
void
session_unused(int id)
{
debug3("%s: session id %d unused", __func__, id);
if (id >= options.max_sessions ||
id >= sessions_nalloc) {
fatal("%s: insane session id %d (max %d nalloc %d)",
__func__, id, options.max_sessions, sessions_nalloc);
}
bzero(&sessions[id], sizeof(*sessions));
sessions[id].self = id;
sessions[id].used = 0;
sessions[id].chanid = -1;
sessions[id].ptyfd = -1;
sessions[id].ttyfd = -1;
sessions[id].ptymaster = -1;
sessions[id].x11_chanids = NULL;
sessions[id].next_unused = sessions_first_unused;
sessions_first_unused = id;
}
Session * Session *
session_new(void) session_new(void)
{ {
int i; Session *s, *tmp;
static int did_init = 0;
if (!did_init) { if (sessions_first_unused == -1) {
debug("session_new: init"); if (sessions_nalloc >= options.max_sessions)
for (i = 0; i < MAX_SESSIONS; i++) {
sessions[i].used = 0;
}
did_init = 1;
}
for (i = 0; i < MAX_SESSIONS; i++) {
Session *s = &sessions[i];
if (! s->used) {
memset(s, 0, sizeof(*s));
s->chanid = -1;
s->ptyfd = -1;
s->ttyfd = -1;
s->used = 1;
s->self = i;
s->x11_chanids = NULL;
debug("session_new: session %d", i);
return s;
}
}
return NULL; return NULL;
debug2("%s: allocate (allocated %d max %d)",
__func__, sessions_nalloc, options.max_sessions);
tmp = xrealloc(sessions, sessions_nalloc + 1,
sizeof(*sessions));
if (tmp == NULL) {
error("%s: cannot allocate %d sessions",
__func__, sessions_nalloc + 1);
return NULL;
}
sessions = tmp;
session_unused(sessions_nalloc++);
}
if (sessions_first_unused >= sessions_nalloc ||
sessions_first_unused < 0) {
fatal("%s: insane first_unused %d max %d nalloc %d",
__func__, sessions_first_unused, options.max_sessions,
sessions_nalloc);
}
s = &sessions[sessions_first_unused];
if (s->used) {
fatal("%s: session %d already used",
__func__, sessions_first_unused);
}
sessions_first_unused = s->next_unused;
s->used = 1;
s->next_unused = -1;
debug("session_new: session %d", s->self);
return s;
} }
static void static void
session_dump(void) session_dump(void)
{ {
int i; int i;
for (i = 0; i < MAX_SESSIONS; i++) { for (i = 0; i < sessions_nalloc; i++) {
Session *s = &sessions[i]; Session *s = &sessions[i];
debug("dump: used %d session %d %p channel %d pid %ld",
debug("dump: used %d next_unused %d session %d %p "
"channel %d pid %ld",
s->used, s->used,
s->next_unused,
s->self, s->self,
s, s,
s->chanid, s->chanid,
@ -1806,7 +1947,7 @@ Session *
session_by_tty(char *tty) session_by_tty(char *tty)
{ {
int i; int i;
for (i = 0; i < MAX_SESSIONS; i++) { for (i = 0; i < sessions_nalloc; i++) {
Session *s = &sessions[i]; Session *s = &sessions[i];
if (s->used && s->ttyfd != -1 && strcmp(s->tty, tty) == 0) { if (s->used && s->ttyfd != -1 && strcmp(s->tty, tty) == 0) {
debug("session_by_tty: session %d tty %s", i, tty); debug("session_by_tty: session %d tty %s", i, tty);
@ -1822,10 +1963,11 @@ static Session *
session_by_channel(int id) session_by_channel(int id)
{ {
int i; int i;
for (i = 0; i < MAX_SESSIONS; i++) { for (i = 0; i < sessions_nalloc; i++) {
Session *s = &sessions[i]; Session *s = &sessions[i];
if (s->used && s->chanid == id) { if (s->used && s->chanid == id) {
debug("session_by_channel: session %d channel %d", i, id); debug("session_by_channel: session %d channel %d",
i, id);
return s; return s;
} }
} }
@ -1839,7 +1981,7 @@ session_by_x11_channel(int id)
{ {
int i, j; int i, j;
for (i = 0; i < MAX_SESSIONS; i++) { for (i = 0; i < sessions_nalloc; i++) {
Session *s = &sessions[i]; Session *s = &sessions[i];
if (s->x11_chanids == NULL || !s->used) if (s->x11_chanids == NULL || !s->used)
@ -1862,7 +2004,7 @@ session_by_pid(pid_t pid)
{ {
int i; int i;
debug("session_by_pid: pid %ld", (long)pid); debug("session_by_pid: pid %ld", (long)pid);
for (i = 0; i < MAX_SESSIONS; i++) { for (i = 0; i < sessions_nalloc; i++) {
Session *s = &sessions[i]; Session *s = &sessions[i];
if (s->used && s->pid == pid) if (s->used && s->pid == pid)
return s; return s;
@ -1918,7 +2060,8 @@ session_pty_req(Session *s)
/* Allocate a pty and open it. */ /* Allocate a pty and open it. */
debug("Allocating pty."); debug("Allocating pty.");
if (!PRIVSEP(pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)))) { if (!PRIVSEP(pty_allocate(&s->ptyfd, &s->ttyfd, s->tty,
sizeof(s->tty)))) {
if (s->term) if (s->term)
xfree(s->term); xfree(s->term);
s->term = NULL; s->term = NULL;
@ -1971,8 +2114,7 @@ session_subsystem_req(Session *s)
s->is_subsystem = SUBSYSTEM_EXT; s->is_subsystem = SUBSYSTEM_EXT;
} }
debug("subsystem: exec() %s", cmd); debug("subsystem: exec() %s", cmd);
do_exec(s, cmd); success = do_exec(s, cmd) == 0;
success = 1;
break; break;
} }
} }
@ -2015,19 +2157,19 @@ static int
session_shell_req(Session *s) session_shell_req(Session *s)
{ {
packet_check_eom(); packet_check_eom();
do_exec(s, NULL); return do_exec(s, NULL) == 0;
return 1;
} }
static int static int
session_exec_req(Session *s) session_exec_req(Session *s)
{ {
u_int len; u_int len, success;
char *command = packet_get_string(&len); char *command = packet_get_string(&len);
packet_check_eom(); packet_check_eom();
do_exec(s, command); success = do_exec(s, command) == 0;
xfree(command); xfree(command);
return 1; return success;
} }
static int static int
@ -2037,8 +2179,7 @@ session_break_req(Session *s)
packet_get_int(); /* ignored */ packet_get_int(); /* ignored */
packet_check_eom(); packet_check_eom();
if (s->ttyfd == -1 || if (s->ttyfd == -1 || tcsendbreak(s->ttyfd, 0) < 0)
tcsendbreak(s->ttyfd, 0) < 0)
return 0; return 0;
return 1; return 1;
} }
@ -2185,8 +2326,9 @@ session_pty_cleanup2(Session *s)
* the pty cleanup, so that another process doesn't get this pty * the pty cleanup, so that another process doesn't get this pty
* while we're still cleaning up. * while we're still cleaning up.
*/ */
if (close(s->ptymaster) < 0) if (s->ptymaster != -1 && close(s->ptymaster) < 0)
error("close(s->ptymaster/%d): %s", s->ptymaster, strerror(errno)); error("close(s->ptymaster/%d): %s",
s->ptymaster, strerror(errno));
/* unlink pty from session */ /* unlink pty from session */
s->ttyfd = -1; s->ttyfd = -1;
@ -2346,7 +2488,6 @@ session_close(Session *s)
xfree(s->auth_data); xfree(s->auth_data);
if (s->auth_proto) if (s->auth_proto)
xfree(s->auth_proto); xfree(s->auth_proto);
s->used = 0;
if (s->env != NULL) { if (s->env != NULL) {
for (i = 0; i < s->num_env; i++) { for (i = 0; i < s->num_env; i++) {
xfree(s->env[i].name); xfree(s->env[i].name);
@ -2355,6 +2496,7 @@ session_close(Session *s)
xfree(s->env); xfree(s->env);
} }
session_proctitle(s); session_proctitle(s);
session_unused(s->self);
} }
void void
@ -2418,7 +2560,7 @@ void
session_destroy_all(void (*closefunc)(Session *)) session_destroy_all(void (*closefunc)(Session *))
{ {
int i; int i;
for (i = 0; i < MAX_SESSIONS; i++) { for (i = 0; i < sessions_nalloc; i++) {
Session *s = &sessions[i]; Session *s = &sessions[i];
if (s->used) { if (s->used) {
if (closefunc != NULL) if (closefunc != NULL)
@ -2437,7 +2579,7 @@ session_tty_list(void)
char *cp; char *cp;
buf[0] = '\0'; buf[0] = '\0';
for (i = 0; i < MAX_SESSIONS; i++) { for (i = 0; i < sessions_nalloc; i++) {
Session *s = &sessions[i]; Session *s = &sessions[i];
if (s->used && s->ttyfd != -1) { if (s->used && s->ttyfd != -1) {

View File

@ -1,4 +1,4 @@
/* $OpenBSD: session.h,v 1.29 2006/08/03 03:34:42 deraadt Exp $ */ /* $OpenBSD: session.h,v 1.30 2008/05/08 12:21:16 djm Exp $ */
/* /*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@ -31,6 +31,7 @@ typedef struct Session Session;
struct Session { struct Session {
int used; int used;
int self; int self;
int next_unused;
struct passwd *pw; struct passwd *pw;
Authctxt *authctxt; Authctxt *authctxt;
pid_t pid; pid_t pid;
@ -65,6 +66,7 @@ void do_authenticated(Authctxt *);
void do_cleanup(Authctxt *); void do_cleanup(Authctxt *);
int session_open(Authctxt *, int); int session_open(Authctxt *, int);
void session_unused(int);
int session_input_channel_req(Channel *, const char *); int session_input_channel_req(Channel *, const char *);
void session_close_by_pid(pid_t, int); void session_close_by_pid(pid_t, int);
void session_close_by_channel(int, void *); void session_close_by_channel(int, void *);

View File

@ -1,4 +1,4 @@
# $OpenBSD: sshd_config,v 1.78 2008/05/07 06:43:35 pyr Exp $ # $OpenBSD: sshd_config,v 1.79 2008/05/08 12:21:16 djm Exp $
# This is the sshd server system-wide configuration file. See # This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information. # sshd_config(5) for more information.
@ -41,6 +41,7 @@ Protocol 2
#PermitRootLogin yes #PermitRootLogin yes
#StrictModes yes #StrictModes yes
#MaxAuthTries 6 #MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes #RSAAuthentication yes
#PubkeyAuthentication yes #PubkeyAuthentication yes

View File

@ -34,8 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd_config.5,v 1.89 2008/05/07 08:00:14 jmc Exp $ .\" $OpenBSD: sshd_config.5,v 1.90 2008/05/08 12:21:16 djm Exp $
.Dd $Mdocdate: May 19 2008 $ .Dd $Mdocdate: May 8 2008 $
.Dt SSHD_CONFIG 5 .Dt SSHD_CONFIG 5
.Os .Os
.Sh NAME .Sh NAME
@ -594,6 +594,9 @@ connection.
Once the number of failures reaches half this value, Once the number of failures reaches half this value,
additional failures are logged. additional failures are logged.
The default is 6. The default is 6.
.It Cm MaxSessions
Specifies the maximum number of open sessions permitted per network connection.
The default is 10.
.It Cm MaxStartups .It Cm MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the Specifies the maximum number of concurrent unauthenticated connections to the
SSH daemon. SSH daemon.