- (djm) Update CygWin support from Corinna Vinschen <vinschen@cygnus.com>
This commit is contained in:
parent
52cbcbf0bb
commit
b70b61f5fe
|
@ -1,4 +1,5 @@
|
||||||
20000916
|
20000916
|
||||||
|
- (djm) Update CygWin support from Corinna Vinschen <vinschen@cygnus.com>
|
||||||
- (djm) Use a real struct sockaddr inside the fake struct sockaddr_storage.
|
- (djm) Use a real struct sockaddr inside the fake struct sockaddr_storage.
|
||||||
Patch from Larry Jones <larry.jones@sdrc.com>
|
Patch from Larry Jones <larry.jones@sdrc.com>
|
||||||
- (djm) Add Steve VanDevender's <stevev@darkwing.uoregon.edu> PAM
|
- (djm) Add Steve VanDevender's <stevev@darkwing.uoregon.edu> PAM
|
||||||
|
|
17
auth1.c
17
auth1.c
|
@ -29,11 +29,6 @@ RCSID("$OpenBSD: auth1.c,v 1.4 2000/09/07 20:27:49 deraadt Exp $");
|
||||||
# include <siad.h>
|
# include <siad.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef HAVE_CYGWIN
|
|
||||||
#include <windows.h>
|
|
||||||
#define is_winnt (GetVersion() < 0x80000000)
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* import */
|
/* import */
|
||||||
extern ServerOptions options;
|
extern ServerOptions options;
|
||||||
extern char *forced_command;
|
extern char *forced_command;
|
||||||
|
@ -383,16 +378,8 @@ do_authloop(struct passwd * pw)
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef HAVE_CYGWIN
|
#ifdef HAVE_CYGWIN
|
||||||
/*
|
if (authenticated &&
|
||||||
* The only authentication which is able to change the user
|
!check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,pw->pw_uid)) {
|
||||||
* context on NT systems is the password authentication. So
|
|
||||||
* we deny all requsts for changing the user context if another
|
|
||||||
* authentication method is used.
|
|
||||||
* This may change in future when a special openssh
|
|
||||||
* subauthentication package is available.
|
|
||||||
*/
|
|
||||||
if (is_winnt && type != SSH_CMSG_AUTH_PASSWORD &&
|
|
||||||
authenticated && geteuid() != pw->pw_uid) {
|
|
||||||
packet_disconnect("Authentication rejected for uid %d.",
|
packet_disconnect("Authentication rejected for uid %d.",
|
||||||
(int) pw->pw_uid);
|
(int) pw->pw_uid);
|
||||||
authenticated = 0;
|
authenticated = 0;
|
||||||
|
|
13
auth2.c
13
auth2.c
|
@ -182,6 +182,15 @@ input_userauth_request(int type, int plen)
|
||||||
authenticated = ssh2_auth_pubkey(pw, service);
|
authenticated = ssh2_auth_pubkey(pw, service);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef HAVE_CYGWIN
|
||||||
|
if (authenticated && !check_nt_auth(strcmp(method, "password") == 0, pw->pw_uid)) {
|
||||||
|
packet_disconnect("Authentication rejected for uid %d.",
|
||||||
|
(int) pw->pw_uid);
|
||||||
|
authenticated = 0;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
if (authenticated && pw && pw->pw_uid == 0 && !options.permit_root_login) {
|
if (authenticated && pw && pw->pw_uid == 0 && !options.permit_root_login) {
|
||||||
authenticated = 0;
|
authenticated = 0;
|
||||||
log("ROOT LOGIN REFUSED FROM %.200s",
|
log("ROOT LOGIN REFUSED FROM %.200s",
|
||||||
|
@ -189,8 +198,8 @@ input_userauth_request(int type, int plen)
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
if (authenticated && !do_pam_account(pw->pw_name, NULL))
|
if (authenticated && !do_pam_account(pw->pw_name, NULL))
|
||||||
authenticated = 0;
|
authenticated = 0;
|
||||||
#endif /* USE_PAM */
|
#endif /* USE_PAM */
|
||||||
|
|
||||||
/* Raise logging level */
|
/* Raise logging level */
|
||||||
|
|
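Review bot: The new Cygwin block at the top of the first hunk dereferences `pw->pw_uid` guarded only by `authenticated`, while the pre-existing root-login check two lines below spells its guard as `authenticated && pw`; if `pw` can be NULL at that point (the existing guard suggests the author thought so), the new line crashes before the root-login check ever runs. Suggest `if (authenticated && pw && !check_nt_auth(strcmp(method, "password") == 0, pw->pw_uid)) {` so the two adjacent checks agree on their preconditions. The auth1.c hunk in do_authloop uses the same pattern, but there `pw` is the function parameter and is presumably non-NULL. input_userauth_request begins and ends outside the hunk.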
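--- a/authfile.c
+++ b/authfile.c
@@ -479,12 +479,10 @@ load_private_key(const char *filename, const char *passphrase, Key *key,
 if (fd < 0)
 return 0;
 
-#ifndef HAVE_CYGWIN
-/*
-* check owner and modes.
-* This won't work on Windows under all circumstances so we drop
-* that check for now.
-*/
+/* check owner and modes. */
+#ifdef HAVE_CYGWIN
+if (check_ntsec(filename))
+#endif
 if (fstat(fd, &st) < 0 ||
 (st.st_uid != 0 && st.st_uid != getuid()) ||
 (st.st_mode & 077) != 0) {
@@ -497,7 +495,6 @@ load_private_key(const char *filename, const char *passphrase, Key *key,
 error("It is recommended that your private key files are NOT accessible by others.");
 return 0;
 }
-#endif
 switch (key->type) {
 case KEY_RSA:
 if (key->rsa->e != NULL) {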
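Review bot: The Cygwin guard `if (check_ntsec(filename))` in the first hunk is a brace-less `if` straddling a `#ifdef`, so the whole following `if (fstat(...)) { ... }` statement silently becomes its body; it reads as a dangling-if and any `else` attached to the mode check later would bind to the wrong condition. When check_ntsec() returns 0 the owner and 0077 mode check is skipped with no trace, a deliberate weakening that deserves a comment at the call site now that the old explanatory comment is gone (check_ntsec() as added elsewhere in this commit returns 1 when statfs() fails, so that path still enforces the check). Folding the decision into a flag keeps the preprocessor out of the statement structure; declare `check_modes` with the function's other locals if the file keeps C89-style declarations. check_ntsec() also consults `filename` via statfs() while the mode check uses the already-open `fd`; both presumably name the same file, but that is worth confirming. load_private_key's body continues outside both hunks.
```c
/* … unchanged: open() and the fd < 0 check … */
/* check owner and modes. */
int check_modes = 1;
#ifdef HAVE_CYGWIN
/* On Cygwin the check is only meaningful where the file system can express
 * ownership and modes; check_ntsec() decides that (and fails closed on error). */
check_modes = check_ntsec(filename);
#endif
if (check_modes && (fstat(fd, &st) < 0 ||
    (st.st_uid != 0 && st.st_uid != getuid()) ||
    (st.st_mode & 077) != 0)) {
/* … unchanged: error messages, close(fd), return 0 … */
```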
|
@ -18,6 +18,10 @@
|
||||||
#ifdef HAVE_CYGWIN
|
#ifdef HAVE_CYGWIN
|
||||||
#include <fcntl.h>
|
#include <fcntl.h>
|
||||||
#include <io.h>
|
#include <io.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <sys/vfs.h>
|
||||||
|
#include <windows.h>
|
||||||
|
#define is_winnt (GetVersion() < 0x80000000)
|
||||||
|
|
||||||
int binary_open(const char *filename, int flags, mode_t mode)
|
int binary_open(const char *filename, int flags, mode_t mode)
|
||||||
{
|
{
|
||||||
|
@ -31,5 +35,67 @@ int binary_pipe(int fd[2])
|
||||||
setmode (fd[0], O_BINARY);
|
setmode (fd[0], O_BINARY);
|
||||||
setmode (fd[1], O_BINARY);
|
setmode (fd[1], O_BINARY);
|
||||||
}
|
}
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
int check_nt_auth (int pwd_authenticated, uid_t uid)
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* The only authentication which is able to change the user
|
||||||
|
* context on NT systems is the password authentication. So
|
||||||
|
* we deny all requsts for changing the user context if another
|
||||||
|
* authentication method is used.
|
||||||
|
* This may change in future when a special openssh
|
||||||
|
* subauthentication package is available.
|
||||||
|
*/
|
||||||
|
if (is_winnt && !pwd_authenticated && geteuid() != uid)
|
||||||
|
return 0;
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
int check_ntsec (const char *filename)
|
||||||
|
{
|
||||||
|
char *cygwin;
|
||||||
|
int allow_ntea = 0;
|
||||||
|
int allow_ntsec = 0;
|
||||||
|
struct statfs fsstat;
|
||||||
|
|
||||||
|
/* Windows 95/98/ME don't support file system security at all. */
|
||||||
|
if (!is_winnt)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
/* Evaluate current CYGWIN settings. */
|
||||||
|
if ((cygwin = getenv("CYGWIN")) != NULL) {
|
||||||
|
if (strstr(cygwin, "ntea") && !strstr(cygwin, "nontea"))
|
||||||
|
allow_ntea = 1;
|
||||||
|
if (strstr(cygwin, "ntsec") && !strstr(cygwin, "nontsec"))
|
||||||
|
allow_ntsec = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* `ntea' is an emulation of POSIX attributes. It doesn't support
|
||||||
|
* real file level security as ntsec on NTFS file systems does
|
||||||
|
* but it supports FAT filesystems. `ntea' is minimum requirement
|
||||||
|
* for security checks.
|
||||||
|
*/
|
||||||
|
if (allow_ntea)
|
||||||
|
return 1;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Retrieve file system flags. In Cygwin, file system flags are
|
||||||
|
* copied to f_type which has no meaning in Win32 itself.
|
||||||
|
*/
|
||||||
|
if (statfs(filename, &fsstat))
|
||||||
|
return 1;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Only file systems supporting ACLs are able to set permissions.
|
||||||
|
* `ntsec' is the setting in Cygwin which switches using of NTFS
|
||||||
|
* ACLs to support POSIX permissions on files.
|
||||||
|
*/
|
||||||
|
if (fsstat.f_type & FS_PERSISTENT_ACLS)
|
||||||
|
return allow_ntsec;
|
||||||
|
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|