Commit Graph

411 Commits

Author SHA1 Message Date
Damien Miller f80c3deaaf - djm@cvs.openbsd.org 2010/11/25 04:10:09
[session.c]
     replace close() loop for fds 3->64 with closefrom();
     ok markus deraadt dtucker
2010-12-01 12:02:59 +11:00
Darren Tucker d995712383 - (dtucker) [platform.c session.c] Move the getluid call out of session.c and
into the platform-specific code  Only affects SCO, tested by and ok tim@.
2010-11-24 10:09:13 +11:00
Damien Miller 0dac6fb6b2 - djm@cvs.openbsd.org 2010/11/13 23:27:51
[clientloop.c misc.c misc.h packet.c packet.h readconf.c readconf.h]
     [servconf.c servconf.h session.c ssh.c ssh_config.5 sshd_config.5]
     allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
     hardcoding lowdelay/throughput.

     bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
2010-11-20 15:19:38 +11:00
Darren Tucker b12fe272a0 - (dtucker) [platform.c platform.h session.c] Move the Cygwin special-case
check into platform.c
2010-11-05 14:47:01 +11:00
Darren Tucker cc12418e18 - (dtucker) [platform.c session.c] Move PAM credential establishment for the
non-LOGIN_CAP case into platform.c.
2010-11-05 13:32:52 +11:00
Darren Tucker 0b2ee6452c - (dtucker) [platform.c session.c] Move irix setusercontext fragment into
platform.c.
2010-11-05 13:29:25 +11:00
Darren Tucker 676b912e78 - (dtucker) platform.c session.c] Move aix_usrinfo frament into platform.c. 2010-11-05 13:11:04 +11:00
Darren Tucker 7a8afe3186 - (dtucker) platform.c session.c] Move the USE_LIBIAF fragment into
platform.c
2010-11-05 13:07:24 +11:00
Darren Tucker 728d8371a1 - (dtucker) [platform.c session.c] Move the PAM credential establishment for
the LOGIN_CAP case into platform.c.
2010-11-05 13:00:05 +11:00
Darren Tucker 44a97be0cc - (dtucker) [platform.c session.c] Move the BSDI setpgrp into platform.c. 2010-11-05 12:45:18 +11:00
Darren Tucker 4db380701d - (dtucker) [platform.c session.c] Move the AIX setpcred+chroot hack into
platform.c
2010-11-05 12:41:13 +11:00
Darren Tucker 920612e45a - (dtucker) [platform.c platform.h session.c] Add a platform hook to run
after the user's groups are established and move the selinux calls into it.
2010-11-05 12:36:15 +11:00
Darren Tucker 97528353c2 - (dtucker) [configure.ac platform.{c,h} session.c
openbsd-compat/port-solaris.{c,h}] Bug #1824: Add Solaris Project support.
   Patch from cory.erickson at csu mnscu edu with a bit of rework from me.
   ok djm@
2010-11-05 12:03:05 +11:00
Damien Miller 8853ca5fc4 - djm@cvs.openbsd.org 2010/06/25 07:20:04
[channels.c session.c]
     bz#1750: fix requirement for /dev/null inside ChrootDirectory for
     internal-sftp accidentally introduced in r1.253 by removing the code
     that opens and dup /dev/null to stderr and modifying the channels code
     to read stderr but discard it instead; ok markus@
2010-06-26 10:00:14 +10:00
Damien Miller 1b2b61e6f8 - djm@cvs.openbsd.org 2010/06/22 04:59:12
[session.c]
     include the user name on "subsystem request for ..." log messages;
     bz#1571; ok dtucker@
2010-06-26 09:47:43 +10:00
Damien Miller 7aa46ec393 - djm@cvs.openbsd.org 2010/06/18 03:16:03
[session.c]
     Missing check for chroot_director == "none" (we already checked against
     NULL); bz#1564 from Jan.Pechanec AT Sun.COM
2010-06-26 09:37:57 +10:00
Damien Miller 22a29880bb - djm@cvs.openbsd.org 2010/04/23 22:42:05
[session.c]
     set stderr to /dev/null for subsystems rather than just closing it.
     avoids hangs if a subsystem or shell initialisation writes to stderr.
     bz#1750; ok markus@
2010-05-10 11:53:54 +10:00
Damien Miller 8b90642fcf - (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms -
set up SELinux execution context before chroot() call. From Russell
   Coker via Colin watson; bz#1726 ok dtucker@
2010-03-26 11:04:09 +11:00
Darren Tucker cd70e1b813 - dtucker@cvs.openbsd.org 2010/03/07 11:57:13
[auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c]
     Hold authentication debug messages until after successful authentication.
     Fixes an info leak of environment variables specified in authorized_keys,
     reported by Jacob Appelbaum.  ok djm@
2010-03-07 23:05:17 +11:00
Darren Tucker ac0c4c9c1d - (dtucker) [session.c] Also initialize creds to NULL for handing to
setpcred.
2010-03-07 13:32:16 +11:00
Darren Tucker c738e6c646 - (dtucker) [session.c] Bug #1567: move setpcred call to before chroot and
do not set real uid, since that's needed for the chroot, and will be set
   by permanently_set_uid.
2010-03-07 13:21:12 +11:00
Darren Tucker 09aa4c000e - dtucker@cvs.openbsd.org 2010/01/12 08:33:17
[session.c]
     Add explicit stat so we reliably detect nologin with bad perms.
     ok djm markus
2010-01-12 19:51:48 +11:00
Darren Tucker 1b0c2455da - dtucker@cvs.openbsd.org 2010/01/12 01:31:05
[session.c]
     Do not allow logins if /etc/nologin exists but is not readable by the user
     logging in.  Noted by Jan.Pechanec at Sun, ok djm@ deraadt@
2010-01-12 19:45:26 +11:00
Darren Tucker c3dc404113 - dtucker@cvs.openbsd.org 2009/11/20 00:15:41
[session.c]
     Warn but do not fail if stat()ing the subsystem binary fails.  This helps
     with chrootdirectory+forcecommand=sftp-server and restricted shells.
     bz #1599, ok djm.
2010-01-08 17:09:50 +11:00
Darren Tucker d6b06a9f39 - djm@cvs.openbsd.org 2009/11/19 23:39:50
[session.c]
     bz#1606: error when an attempt is made to connect to a server
     with ForceCommand=internal-sftp with a shell session (i.e. not a
     subsystem session). Avoids stuck client when attempting to ssh to such a
     service. ok dtucker@
2010-01-08 17:09:11 +11:00
Darren Tucker 4d6656b103 - (dtucker) [session.c openbsd-compat/port-linux.{c,h}] Bug #1637: if selinux
is enabled set the security context to "sftpd_t" before running the
   internal sftp server   Based on a patch from jchadima at redhat.
2009-10-24 15:04:12 +11:00
Darren Tucker 695ed397a5 - djm@cvs.openbsd.org 2009/10/06 04:46:40
[session.c]
     bz#1596: fflush(NULL) before exec() to ensure that everying (motd
     in particular) has made it out before the streams go away.
2009-10-07 09:02:18 +11:00
Darren Tucker 82edf23fff - (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move
the setpcred call on AIX to immediately before the permanently_set_uid().
   Ensures that we still have privileges when we call chroot and
   pam_open_sesson.  Based on a patch from David Leonard.
2009-08-20 16:20:50 +10:00
Darren Tucker 43e7a358ff - (dtucker) [auth2-jpake.c auth2.c canohost.h session.c] Whitespace and
header-order changes to reduce diff vs OpenBSD.
2009-06-21 19:50:08 +10:00
Darren Tucker ac46a915e8 - stevesk@cvs.openbsd.org 2009/04/17 19:23:06
[session.c]
     use INTERNAL_SFTP_NAME for setproctitle() of in-process sftp-server;
     ok djm@ markus@
2009-06-21 17:55:23 +10:00
Darren Tucker 9d86e5d570 - (dtucker) [auth-passwd.c auth1.c auth2-kbdint.c auth2-none.c auth2-passwd.c
auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h}
   openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old
   version of Cygwin.  Patch from vinschen at redhat com.
2009-03-08 11:40:27 +11:00
Damien Miller a1c1b6c86d - djm@cvs.openbsd.org 2009/01/22 09:46:01
[channels.c channels.h session.c]
     make Channel->path an allocated string, saving a few bytes here and
     there and fixing bz#1380 in the process; ok markus@
2009-01-28 16:29:49 +11:00
Darren Tucker 63917bd0da - tobias@cvs.openbsd.org 2008/11/09 12:34:47
[session.c ssh.1]
     typo fixed (overriden -> overridden)
     ok espie, jmc
2008-11-11 16:33:48 +11:00
Damien Miller d58f56000c - millert@cvs.openbsd.org 2008/10/02 14:39:35
[session.c]
     Convert an unchecked strdup to xstrdup.  OK deraadt@
2008-11-03 19:20:49 +11:00
Damien Miller ad793d59a9 - djm@cvs.openbsd.org 2008/08/21 04:09:57
[session.c]
     allow ForceCommand internal-sftp with arguments. based on patch from
     michael.barabanov AT gmail.com; ok markus@
2008-11-03 19:17:57 +11:00
Darren Tucker ed3cdc0a7c - dtucker@cvs.openbsd.org 2008/06/16 13:22:53
[session.c channels.c]
     Rename the isatty argument to is_tty so we don't shadow
     isatty(3).  ok markus@
2008-06-16 23:29:18 +10:00
Damien Miller d310d51bad - djm@cvs.openbsd.org 2008/06/15 20:06:26
[channels.c channels.h session.c]
     don't call isatty() on a pty master, instead pass a flag down to
     channel_set_fds() indicating that te fds refer to a tty. Fixes a
     hang on exit on Solaris (bz#1463) in portable but is actually
     a generic bug; ok dtucker deraadt markus
2008-06-16 07:59:23 +10:00
Damien Miller 6051c94a0a - djm@cvs.openbsd.org 2008/06/14 18:33:43
[session.c]
     suppress the warning message from chdir(homedir) failures
     when chrooted (bz#1461); ok dtucker
2008-06-16 07:53:16 +10:00
Damien Miller 2ff1ca56eb - markus@cvs.openbsd.org 2008/05/09 16:16:06
[session.c]
     re-add the USE_PIPES code and enable it.
     without pipes shutdown-read from the sshd does not trigger
     a SIGPIPE when the forked program does a write.
     ok djm@
     (Id sync only, USE_PIPES never left portable OpenSSH)
2008-05-19 16:04:56 +10:00
Damien Miller 7207f64a23 - djm@cvs.openbsd.org 2008/05/08 12:21:16
[monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c]
     [sshd_config sshd_config.5]
     Make the maximum number of sessions run-time controllable via
     a sshd_config MaxSessions knob. This is useful for disabling
     login/shell/subsystem access while leaving port-forwarding working
     (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
     simply increasing the number of allows multiplexed sessions.
     Because some bozos are sure to configure MaxSessions in excess of the
     number of available file descriptors in sshd (which, at peak, might be
     as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
     on error paths, and make it fail gracefully on out-of-fd conditions -
     sending channel errors instead of than exiting with fatal().
     bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
     ok markus@
2008-05-19 15:34:50 +10:00
Damien Miller b84886ba3e - djm@cvs.openbsd.org 2008/05/08 12:02:23
[auth-options.c auth1.c channels.c channels.h clientloop.c gss-serv.c]
     [monitor.c monitor_wrap.c nchan.c servconf.c serverloop.c session.c]
     [ssh.c sshd.c]
     Implement a channel success/failure status confirmation callback
     mechanism. Each channel maintains a queue of callbacks, which will
     be drained in order (RFC4253 guarantees confirm messages are not
     reordered within an channel).
     Also includes a abandonment callback to clean up if a channel is
     closed without sending confirmation messages. This probably
     shouldn't happen in compliant implementations, but it could be
     abused to leak memory.
     ok markus@ (as part of a larger diff)
2008-05-19 15:05:07 +10:00
Damien Miller 4f755cdc05 - pyr@cvs.openbsd.org 2008/05/07 05:49:37
[servconf.c servconf.h session.c sshd_config.5]
     Enable the AllowAgentForwarding option in sshd_config (global and match
     context), to specify if agents should be permitted on the server.
     As the man page states:
     ``Note that disabling Agent forwarding does not improve security
     unless users are also denied shell access, as they can always install
     their own forwarders.''
     ok djm@, ok and a mild frown markus@
2008-05-19 14:57:41 +10:00
Damien Miller ff0dd88999 - djm@cvs.openbsd.org 2008/04/18 22:01:33
[session.c]
     remove unneccessary parentheses
2008-05-19 14:55:02 +10:00
Damien Miller 95e80955f2 - djm@cvs.openbsd.org 2008/03/26 21:28:14
[auth-options.c auth-options.h session.c sshd.8]
     add no-user-rc authorized_keys option to disable execution of ~/.ssh/rc
2008-03-27 11:03:05 +11:00
Damien Miller 55360e1ceb - djm@cvs.openbsd.org 2008/03/25 23:01:41
[session.c]
     last patch had backwards test; spotted by termim AT gmail.com
2008-03-27 11:02:27 +11:00
Damien Miller a1b48ccf2d - djm@cvs.openbsd.org 2008/03/25 11:58:02
[session.c sshd_config.5]
     ignore ~/.ssh/rc if a sshd_config ForceCommand is specified;
     from dtucker@ ok deraadt@ djm@
2008-03-27 11:02:02 +11:00
Darren Tucker b8eb586412 - (dtucker) Cache selinux status earlier so we know if it's enabled after a
chroot.  Allows ChrootDirectory to work with selinux support compiled in
   but not enabled.  Using it with selinux enabled will require some selinux
   support inside the chroot.  "looks sane" djm@
2008-03-27 07:27:20 +11:00
Damien Miller a193900674 - (djm) [session.c] Relocate incorrectly-placed closefrom() that was causing
crashes when used with ChrootDirectory
2008-03-15 17:27:58 +11:00
Darren Tucker 52358d6df3 - (dtucker) [auth-pam.c monitor.c session.c sshd.c] Bug #926: Move
pam_open_session and pam_close_session into the privsep monitor, which
   will ensure that pam_session_close is called as root.  Patch from Tomas
   Mraz.
2008-03-11 22:58:25 +11:00
Damien Miller 7cb2b56b1c - djm@cvs.openbsd.org 2008/02/22 05:58:56
[session.c]
     closefrom() call was too early, delay it until just before we execute
     the user's rc files (if any).
2008-03-07 18:33:12 +11:00