Multiple Fixes (#273)
PowerShell/Win32-OpenSSH#1065 Fix: In recent sshd architectural changes, the post-authentication step that processes user-specific changes was missing from the authenticated sshd worker. Added the missing call. PowerShell/Win32-OpenSSH#1052 Fix: getpwd* functions will now strip off the domain of any local user account.
parent
e610a3d6d1
commit
b3a3a5cc66
|
@ -111,6 +111,8 @@ get_passwd(const char *user_utf8, LPWSTR user_sid)
|
|||
int tmp_len = PATH_MAX;
|
||||
PDOMAIN_CONTROLLER_INFOW pdc = NULL;
|
||||
DWORD dsStatus, uname_upn_len = 0, uname_len = 0, udom_len = 0;
|
||||
wchar_t wmachine_name[MAX_COMPUTERNAME_LENGTH + 1];
|
||||
DWORD wmachine_name_len = MAX_COMPUTERNAME_LENGTH + 1;
|
||||
errno_t r = 0;
|
||||
|
||||
errno = 0;
|
||||
|
@ -135,6 +137,14 @@ get_passwd(const char *user_utf8, LPWSTR user_sid)
|
|||
udom_utf16 = NULL;
|
||||
}
|
||||
|
||||
if (udom_utf16) {
|
||||
/* this should never fail */
|
||||
GetComputerNameW(wmachine_name, &wmachine_name_len);
|
||||
/* If this is a local account (domain part and computer name are the same), strip out domain */
|
||||
if (_wcsicmp(udom_utf16, wmachine_name) == 0)
|
||||
udom_utf16 = NULL;
|
||||
}
|
||||
|
||||
if (user_sid == NULL) {
|
||||
NET_API_STATUS status;
|
||||
if ((status = NetUserGetInfo(udom_utf16, uname_utf16, 23, &user_info)) != NERR_Success) {
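Review bot: The return value of `GetComputerNameW` is ignored in the second get_passwd hunk, so if the call ever does fail, `_wcsicmp` reads an uninitialised `wmachine_name` stack buffer, possibly past its end. The result of that comparison decides whether the domain part is dropped before `NetUserGetInfo` runs, so the lookup should fail closed rather than rely on "this should never fail". I would guard it with `if (!GetComputerNameW(wmachine_name, &wmachine_name_len))` and take the function's existing error path, which is outside the hunk. A short comment that the comparison is against the NetBIOS computer name would also help, since a domain part supplied in another form would presumably not match and would still be treated as a domain account.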
|
||||
|
|
|
@ -330,6 +330,20 @@ Describe "Tests of sshd_config" -Tags "CI" {
|
|||
Remove-UserFromLocalGroup -UserName $localuser3 -GroupName $denyGroup3
|
||||
|
||||
}
|
||||
|
||||
It "$tC.$tI - Match User block with ForceCommand" -skip:$skip {
|
||||
Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdConfigPath -E $sshdlog"
|
||||
$matchuser = "matchuser"
|
||||
Add-UserToLocalGroup -UserName $matchuser -Password $password -GroupName $allowGroup1
|
||||
|
||||
$o = ssh -p $port -T -o "UserKnownHostsFile $testknownhosts" $matchuser@$server randomcommand
|
||||
# Match block's ForceCommand returns output of "whoami & set SSH_ORIGINAL_COMMAND"
|
||||
$o[0].Contains($matchuser) | Should Be $true
|
||||
$o[1].Contains("randomcommand") | Should Be $true
|
||||
|
||||
Stop-SSHDTestDaemon
|
||||
Remove-UserFromLocalGroup -UserName $matchuser -GroupName $allowGroup1
|
||||
}
|
||||
#>
|
||||
}
|
||||
}
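Review bot: The new `It "... Match User block with ForceCommand"` block sits directly above a `#>` line, so it appears to be inside a `<# ... #>` block comment whose opener is above the hunk. If so, the ForceCommand regression this commit fixes is never exercised in CI, and the block should move below `#>`. Separately, `Stop-SSHDTestDaemon` and `Remove-UserFromLocalGroup` run only when both assertions pass. A failing assertion would leave the debug-mode daemon and the `matchuser` account in the allow group on the test host, so that cleanup belongs in a `try { ... } finally { ... }` or an `AfterEach`.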
|
||||
|
|
|
@ -113,6 +113,9 @@ Subsystem sftp sftp-server.exe -l DEBUG3
|
|||
PubkeyAcceptedKeyTypes ssh-ed25519*
|
||||
|
||||
DenyUsers denyuser1 deny*2 denyuse?3,
|
||||
AllowUsers allowuser1 allowu*r2 allow?se?3 allowuser4 localuser1 localu*r2 loc?lu?er3 localadmin
|
||||
AllowUsers allowuser1 allowu*r2 allow?se?3 allowuser4 localuser1 localu*r2 loc?lu?er3 localadmin matchuser
|
||||
DenyGroups denygroup1 denygr*p2 deny?rou?3
|
||||
AllowGroups allowgroup1 allowg*2 allowg?ou?3 Adm*
|
||||
|
||||
Match User matchuser
|
||||
ForceCommand cmd.exe /c "whoami & set SSH_ORIGINAL_COMMAND"
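Review bot: The new `Match User matchuser` block is undocumented, and every directive placed after a `Match` line applies only to that match until the next `Match` or end of file. A global setting appended here later would silently become matchuser-only and stop applying to the other test accounts. I would add `# Keep Match blocks last: directives below a Match line apply only to that match` above the block. A second comment should say that the `ForceCommand` output (`whoami` plus `SSH_ORIGINAL_COMMAND`) is what the sshd_config test asserts on.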
|
||||
|
|
4
sshd.c
4
sshd.c
|
@ -742,7 +742,9 @@ privsep_preauth(Authctxt *authctxt)
|
|||
|
||||
#ifdef FORK_NOT_SUPPORTED
|
||||
if (privsep_auth_child) {
|
||||
authctxt->pw = w32_getpwuid(1);
|
||||
struct passwd* me = getpwuid(geteuid());
|
||||
/* this re-does the user specific config */
|
||||
authctxt->pw = getpwnamallow(xstrdup(me->pw_name));
|
||||
authctxt->valid = 1;
|
||||
return 1;
|
||||
}
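Review bot: Neither lookup in the `privsep_auth_child` branch is checked. `getpwuid(geteuid())` can return NULL and `me->pw_name` is dereferenced on the next line. `getpwnamallow` can presumably also return NULL (for example when the allow/deny rules reject the account), yet `authctxt->valid = 1` is set unconditionally. The worker should stop rather than continue with a NULL `authctxt->pw` marked valid: `if (me == NULL) fatal("%s: getpwuid failed", __func__);` before the call and `if (authctxt->pw == NULL) fatal("%s: user not allowed", __func__);` after it. The `xstrdup` copy is never freed and looks unnecessary if `getpwnamallow` only reads the name. The body of privsep_preauth continues outside this hunk.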
|
||||
|
|