Multiple Fixes (#273)

PowerShell/Win32-OpenSSH#1065
Fix: After the recent sshd architectural changes, the post-authentication step that processes user-specific changes was missing in the authenticated sshd worker. Added the missing call.
PowerShell/Win32-OpenSSH#1052
Fix: getpwd* functions will now strip off domain of any local user account.
Manoj Ampalam 2018-02-21 10:09:18 -08:00 committed by GitHub
parent e610a3d6d1
commit b3a3a5cc66
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 31 additions and 2 deletions


@ -111,6 +111,8 @@ get_passwd(const char *user_utf8, LPWSTR user_sid)
int tmp_len = PATH_MAX;
PDOMAIN_CONTROLLER_INFOW pdc = NULL;
DWORD dsStatus, uname_upn_len = 0, uname_len = 0, udom_len = 0;
wchar_t wmachine_name[MAX_COMPUTERNAME_LENGTH + 1];
DWORD wmachine_name_len = MAX_COMPUTERNAME_LENGTH + 1;
errno_t r = 0;
errno = 0;
@ -135,6 +137,14 @@ get_passwd(const char *user_utf8, LPWSTR user_sid)
udom_utf16 = NULL;
}
if (udom_utf16) {
/* this should never fail */
GetComputerNameW(wmachine_name, &wmachine_name_len);
/* If this is a local account (domain part and computer name are the same), strip out domain */
if (_wcsicmp(udom_utf16, wmachine_name) == 0)
udom_utf16 = NULL;
}
if (user_sid == NULL) {
NET_API_STATUS status;
if ((status = NetUserGetInfo(udom_utf16, uname_utf16, 23, &user_info)) != NERR_Success) {
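Review bot: The result of `GetComputerNameW` is ignored in the new `if (udom_utf16)` block, so if the call ever fails `_wcsicmp` compares the domain part against an uninitialized `wmachine_name` and the local-versus-domain decision for the lookup that follows rests on stack garbage. The "this should never fail" comment is not a guard; fold the check into the condition, `if (GetComputerNameW(wmachine_name, &wmachine_name_len) && _wcsicmp(udom_utf16, wmachine_name) == 0)`, so a failure leaves the domain part untouched. `GetComputerNameW` returns the NetBIOS name, so a comment stating that a DNS-style host name in the domain part is deliberately not treated as local would help the next reader. get_passwd starts above and continues below this hunk.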


@ -330,6 +330,20 @@ Describe "Tests of sshd_config" -Tags "CI" {
Remove-UserFromLocalGroup -UserName $localuser3 -GroupName $denyGroup3
}
It "$tC.$tI - Match User block with ForceCommand" -skip:$skip {
Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdConfigPath -E $sshdlog"
$matchuser = "matchuser"
Add-UserToLocalGroup -UserName $matchuser -Password $password -GroupName $allowGroup1
$o = ssh -p $port -T -o "UserKnownHostsFile $testknownhosts" $matchuser@$server randomcommand
# Match block's ForceCommand returns output of "whoami & set SSH_ORIGINAL_COMMAND"
$o[0].Contains($matchuser) | Should Be $true
$o[1].Contains("randomcommand") | Should Be $true
Stop-SSHDTestDaemon
Remove-UserFromLocalGroup -UserName $matchuser -GroupName $allowGroup1
}
#>
}
}
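Review bot: The added `It` block is followed directly by a `#>` terminator, which suggests it sits inside a `<# … #>` block comment opened above the hunk; if so, this ForceCommand regression test never runs and should be moved below the `#>`. Independently, `Stop-SSHDTestDaemon` and `Remove-UserFromLocalGroup` are reached only when both `Should` assertions pass, so a failing run leaves the debug-mode sshd running and `matchuser` still in `$allowGroup1`. Wrapping the body in `try { … } finally { Stop-SSHDTestDaemon; Remove-UserFromLocalGroup -UserName $matchuser -GroupName $allowGroup1 }` makes the cleanup unconditional. The enclosing `Describe` starts outside the hunk.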


@ -113,6 +113,9 @@ Subsystem sftp sftp-server.exe -l DEBUG3
PubkeyAcceptedKeyTypes ssh-ed25519*
DenyUsers denyuser1 deny*2 denyuse?3,
AllowUsers allowuser1 allowu*r2 allow?se?3 allowuser4 localuser1 localu*r2 loc?lu?er3 localadmin
AllowUsers allowuser1 allowu*r2 allow?se?3 allowuser4 localuser1 localu*r2 loc?lu?er3 localadmin matchuser
DenyGroups denygroup1 denygr*p2 deny?rou?3
AllowGroups allowgroup1 allowg*2 allowg?ou?3 Adm*
Match User matchuser
ForceCommand cmd.exe /c "whoami & set SSH_ORIGINAL_COMMAND"
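Review bot: The `Match User matchuser` block is added as the last visible entry with no comment marking its scope. In sshd_config every directive after a `Match` line belongs to that block until the next `Match`, so an option appended below it later would apply to `matchuser` only rather than globally. A comment above it such as `# Match blocks must stay at the end of this file; everything below applies only to the matched user` would make that explicit. Whether further directives follow in the file is not visible from this hunk.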

4
sshd.c

@ -742,7 +742,9 @@ privsep_preauth(Authctxt *authctxt)
#ifdef FORK_NOT_SUPPORTED
if (privsep_auth_child) {
authctxt->pw = w32_getpwuid(1);
struct passwd* me = getpwuid(geteuid());
/* this re-does the user specific config */
authctxt->pw = getpwnamallow(xstrdup(me->pw_name));
authctxt->valid = 1;
return 1;
}
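Review bot: In the `privsep_auth_child` branch neither `getpwuid(geteuid())` nor `getpwnamallow(...)` is checked for NULL, yet `authctxt->valid = 1` is set unconditionally on the next line. A failed lookup would dereference `me->pw_name`, and a user rejected when the configuration is re-applied would leave `authctxt->pw` NULL in a context still marked valid. Guard both results, e.g. `if (me == NULL) fatal("%s: getpwuid failed", __func__);` after the first call and `if (authctxt->pw == NULL) fatal("%s: user not allowed", __func__);` after the second. The `xstrdup` copy is never freed; if it is there because `getpwuid` returns static storage, a one-line comment saying so would keep it from being removed later. privsep_preauth continues outside the hunk.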