- (djm) Update CygWin support from Corinna Vinschen <vinschen@cygnus.com>
This commit is contained in:
parent
52cbcbf0bb
commit
b70b61f5fe
|
@ -1,4 +1,5 @@
|
|||
20000916
|
||||
- (djm) Update CygWin support from Corinna Vinschen <vinschen@cygnus.com>
|
||||
- (djm) Use a real struct sockaddr inside the fake struct sockaddr_storage.
|
||||
Patch from Larry Jones <larry.jones@sdrc.com>
|
||||
- (djm) Add Steve VanDevender's <stevev@darkwing.uoregon.edu> PAM
|
||||
|
|
17
auth1.c
17
auth1.c
|
@ -29,11 +29,6 @@ RCSID("$OpenBSD: auth1.c,v 1.4 2000/09/07 20:27:49 deraadt Exp $");
|
|||
# include <siad.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_CYGWIN
|
||||
#include <windows.h>
|
||||
#define is_winnt (GetVersion() < 0x80000000)
|
||||
#endif
|
||||
|
||||
/* import */
|
||||
extern ServerOptions options;
|
||||
extern char *forced_command;
|
||||
|
@ -383,16 +378,8 @@ do_authloop(struct passwd * pw)
|
|||
}
|
||||
|
||||
#ifdef HAVE_CYGWIN
|
||||
/*
|
||||
* The only authentication which is able to change the user
|
||||
* context on NT systems is the password authentication. So
|
||||
* we deny all requsts for changing the user context if another
|
||||
* authentication method is used.
|
||||
* This may change in future when a special openssh
|
||||
* subauthentication package is available.
|
||||
*/
|
||||
if (is_winnt && type != SSH_CMSG_AUTH_PASSWORD &&
|
||||
authenticated && geteuid() != pw->pw_uid) {
|
||||
if (authenticated &&
|
||||
!check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,pw->pw_uid)) {
|
||||
packet_disconnect("Authentication rejected for uid %d.",
|
||||
(int) pw->pw_uid);
|
||||
authenticated = 0;
|
||||
|
|
13
auth2.c
13
auth2.c
|
@ -182,6 +182,15 @@ input_userauth_request(int type, int plen)
|
|||
authenticated = ssh2_auth_pubkey(pw, service);
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef HAVE_CYGWIN
|
||||
if (authenticated && !check_nt_auth(strcmp(method, "password") == 0, pw->pw_uid)) {
|
||||
packet_disconnect("Authentication rejected for uid %d.",
|
||||
(int) pw->pw_uid);
|
||||
authenticated = 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
if (authenticated && pw && pw->pw_uid == 0 && !options.permit_root_login) {
|
||||
authenticated = 0;
|
||||
log("ROOT LOGIN REFUSED FROM %.200s",
|
||||
|
@ -189,8 +198,8 @@ input_userauth_request(int type, int plen)
|
|||
}
|
||||
|
||||
#ifdef USE_PAM
|
||||
if (authenticated && !do_pam_account(pw->pw_name, NULL))
|
||||
authenticated = 0;
|
||||
if (authenticated && !do_pam_account(pw->pw_name, NULL))
|
||||
authenticated = 0;
|
||||
#endif /* USE_PAM */
|
||||
|
||||
/* Raise logging level */
|
||||
|
|
11
authfile.c
11
authfile.c
|
@ -479,12 +479,10 @@ load_private_key(const char *filename, const char *passphrase, Key *key,
|
|||
if (fd < 0)
|
||||
return 0;
|
||||
|
||||
#ifndef HAVE_CYGWIN
|
||||
/*
|
||||
* check owner and modes.
|
||||
* This won't work on Windows under all circumstances so we drop
|
||||
* that check for now.
|
||||
*/
|
||||
/* check owner and modes. */
|
||||
#ifdef HAVE_CYGWIN
|
||||
if (check_ntsec(filename))
|
||||
#endif
|
||||
if (fstat(fd, &st) < 0 ||
|
||||
(st.st_uid != 0 && st.st_uid != getuid()) ||
|
||||
(st.st_mode & 077) != 0) {
|
||||
|
@ -497,7 +495,6 @@ load_private_key(const char *filename, const char *passphrase, Key *key,
|
|||
error("It is recommended that your private key files are NOT accessible by others.");
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
switch (key->type) {
|
||||
case KEY_RSA:
|
||||
if (key->rsa->e != NULL) {
|
||||
|
|
|
@ -18,6 +18,10 @@
|
|||
#ifdef HAVE_CYGWIN
|
||||
#include <fcntl.h>
|
||||
#include <io.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/vfs.h>
|
||||
#include <windows.h>
|
||||
#define is_winnt (GetVersion() < 0x80000000)
|
||||
|
||||
int binary_open(const char *filename, int flags, mode_t mode)
|
||||
{
|
||||
|
@ -31,5 +35,67 @@ int binary_pipe(int fd[2])
|
|||
setmode (fd[0], O_BINARY);
|
||||
setmode (fd[1], O_BINARY);
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
int check_nt_auth (int pwd_authenticated, uid_t uid)
|
||||
{
|
||||
/*
|
||||
* The only authentication which is able to change the user
|
||||
* context on NT systems is the password authentication. So
|
||||
* we deny all requsts for changing the user context if another
|
||||
* authentication method is used.
|
||||
* This may change in future when a special openssh
|
||||
* subauthentication package is available.
|
||||
*/
|
||||
if (is_winnt && !pwd_authenticated && geteuid() != uid)
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int check_ntsec (const char *filename)
|
||||
{
|
||||
char *cygwin;
|
||||
int allow_ntea = 0;
|
||||
int allow_ntsec = 0;
|
||||
struct statfs fsstat;
|
||||
|
||||
/* Windows 95/98/ME don't support file system security at all. */
|
||||
if (!is_winnt)
|
||||
return 0;
|
||||
|
||||
/* Evaluate current CYGWIN settings. */
|
||||
if ((cygwin = getenv("CYGWIN")) != NULL) {
|
||||
if (strstr(cygwin, "ntea") && !strstr(cygwin, "nontea"))
|
||||
allow_ntea = 1;
|
||||
if (strstr(cygwin, "ntsec") && !strstr(cygwin, "nontsec"))
|
||||
allow_ntsec = 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* `ntea' is an emulation of POSIX attributes. It doesn't support
|
||||
* real file level security as ntsec on NTFS file systems does
|
||||
* but it supports FAT filesystems. `ntea' is minimum requirement
|
||||
* for security checks.
|
||||
*/
|
||||
if (allow_ntea)
|
||||
return 1;
|
||||
|
||||
/*
|
||||
* Retrieve file system flags. In Cygwin, file system flags are
|
||||
* copied to f_type which has no meaning in Win32 itself.
|
||||
*/
|
||||
if (statfs(filename, &fsstat))
|
||||
return 1;
|
||||
|
||||
/*
|
||||
* Only file systems supporting ACLs are able to set permissions.
|
||||
* `ntsec' is the setting in Cygwin which switches using of NTFS
|
||||
* ACLs to support POSIX permissions on files.
|
||||
*/
|
||||
if (fsstat.f_type & FS_PERSISTENT_ACLS)
|
||||
return allow_ntsec;
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
|
Loading…
Reference in New Issue