author | 2002-05-12 23:53:45 +0000 | |
---|---|---|
committer | 2002-05-12 23:53:45 +0000 | |
commit | afce23d71403fb9762eb109cca932e5ff4b19b3d (patch) | |
tree | e8626ba582389ffccf9d8509c721f248c83e860c | |
parent | The %s and %+ conversions are also extensions. (diff) | |
Fix sshd Banner option for privsep; ok markus@ provos@
-rw-r--r-- | usr.bin/ssh/auth.h | 4 | ||||
-rw-r--r-- | usr.bin/ssh/auth2.c | 43 | ||||
-rw-r--r-- | usr.bin/ssh/monitor.c | 23 | ||||
-rw-r--r-- | usr.bin/ssh/monitor.h | 3 | ||||
-rw-r--r-- | usr.bin/ssh/monitor_wrap.c | 20 | ||||
-rw-r--r-- | usr.bin/ssh/monitor_wrap.h | 3 |
6 files changed, 78 insertions, 18 deletions
diff --git a/usr.bin/ssh/auth.h b/usr.bin/ssh/auth.h
index e6f6609df9b..8ae67603f90 100644
--- a/usr.bin/ssh/auth.h
+++ b/usr.bin/ssh/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.35 2002/03/19 10:35:39 markus Exp $ */
+/* $OpenBSD: auth.h,v 1.36 2002/05/12 23:53:45 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -133,6 +133,8 @@ void auth_log(Authctxt *, int, char *, char *);
 void userauth_finish(Authctxt *, int, char *);
 int auth_root_allowed(char *);
+char *auth2_read_banner(void);
+
 void privsep_challenge_enable(void);
 int auth2_challenge(Authctxt *, char *);
diff --git a/usr.bin/ssh/auth2.c b/usr.bin/ssh/auth2.c
index c5004b39ee7..12537de575a 100644
--- a/usr.bin/ssh/auth2.c
+++ b/usr.bin/ssh/auth2.c
@@ -23,7 +23,7 @@
  */
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.89 2002/03/19 14:27:39 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.90 2002/05/12 23:53:45 djm Exp $");
 #include <openssl/evp.h>
@@ -261,25 +261,45 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 }
 }
-static void
-userauth_banner(void)
+char *
+auth2_read_banner(void)
 {
 struct stat st;
 char *banner = NULL;
 off_t len, n;
 int fd;
- if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
- return;
- if ((fd = open(options.banner, O_RDONLY)) < 0)
- return;
- if (fstat(fd, &st) < 0)
- goto done;
+ if ((fd = open(options.banner, O_RDONLY)) == -1)
+ return (NULL);
+ if (fstat(fd, &st) == -1) {
+ close(fd);
+ return (NULL);
+ }
 len = st.st_size;
 banner = xmalloc(len + 1);
- if ((n = read(fd, banner, len)) < 0)
- goto done;
+ n = atomicio(read, fd, banner, len);
+ close(fd);
+
+ if (n != len) {
+ free(banner);
+ return (NULL);
+ }
 banner[n] = '\0';
+
+ return (banner);
+}
+
+static void
+userauth_banner(void)
+{
+ char *banner = NULL;
+
+ if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
+ return;
+
+ if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
+ goto done;
+
 packet_start(SSH2_MSG_USERAUTH_BANNER);
 packet_put_cstring(banner);
 packet_put_cstring(""); /* language, unused */
@@ -288,7 +308,6 @@ userauth_banner(void)
 done:
 if (banner)
 xfree(banner);
- close(fd);
 return;
 }
diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c
index 417e6bf0ce2..5d3132d4453 100644
--- a/usr.bin/ssh/monitor.c
+++ b/usr.bin/ssh/monitor.c
@@ -25,7 +25,7 @@
  */
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.9 2002/03/30 18:51:15 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.10 2002/05/12 23:53:45 djm Exp $");
 #include <openssl/dh.h>
@@ -96,6 +96,7 @@ struct {
 int mm_answer_moduli(int, Buffer *);
 int mm_answer_sign(int, Buffer *);
 int mm_answer_pwnamallow(int, Buffer *);
+int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
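Review bot: `auth2_read_banner` sizes its allocation from `st.st_size` with no upper bound and no check that `options.banner` names a regular file, and under privsep this now runs in the privileged monitor, which then ships the whole file to the child as one string. The path is admin-configured, so the exposure is small, but a sanity check between the `fstat` and the `xmalloc` bounds both the monitor's allocation and the size of the privsep message: `if (!S_ISREG(st.st_mode) || st.st_size > BANNER_SIZE_LIMIT) { close(fd); return (NULL); }`, where BANNER_SIZE_LIMIT stands for a file-local constant still to be chosen. The short-read error path calls `free(banner)` on memory obtained from `xmalloc`, while the `done:` cleanup of `userauth_banner` in the following hunk uses `xfree` for the same kind of buffer; pick one. The new `userauth_banner` body runs past the end of this hunk and continues in the `@@ -288,7 +308,6 @@` hunk.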
@@ -143,6 +144,7 @@ struct mon_table mon_dispatch_proto20[] = {
 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+ {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef BSD_AUTH
 {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -505,10 +507,27 @@ mm_answer_pwnamallow(int socket, Buffer *m)
 /* For SSHv1 allow authentication now */
 if (!compat20)
 monitor_permit_authentications(1);
- else
+ else {
 /* Allow service/style information on the auth context */
 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
+ }
+
+
+ return (0);
+}
+
+int mm_answer_auth2_read_banner(int socket, Buffer *m)
+{
+ char *banner;
+
+ buffer_clear(m);
+ banner = auth2_read_banner();
+ buffer_put_cstring(m, banner != NULL ? banner : "");
+ mm_request_send(socket, MONITOR_ANS_AUTH2_READ_BANNER, m);
+ if (banner != NULL)
+ free(banner);
 return (0);
 }
diff --git a/usr.bin/ssh/monitor.h b/usr.bin/ssh/monitor.h
index dd79e83381c..ab0782b87ea 100644
--- a/usr.bin/ssh/monitor.h
+++ b/usr.bin/ssh/monitor.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.h,v 1.3 2002/03/26 03:24:01 stevesk Exp $ */
+/* $OpenBSD: monitor.h,v 1.4 2002/05/12 23:53:45 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -33,6 +33,7 @@ enum monitor_reqtype {
 MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
 MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
 MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
+ MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
 MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD,
 MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY,
 MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND,
diff --git a/usr.bin/ssh/monitor_wrap.c b/usr.bin/ssh/monitor_wrap.c
index 37d38059cd3..7d91c50090c 100644
--- a/usr.bin/ssh/monitor_wrap.c
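Review bot: `int mm_answer_auth2_read_banner(int socket, Buffer *m)` puts the return type on the same line as the function name, while this file's existing handlers keep the type on its own line, as the hunk header `mm_answer_pwnamallow(int socket, Buffer *m)` (name at column 0) shows; split it into `int` and `mm_answer_auth2_read_banner(int socket, Buffer *m)` on separate lines. The same applies to `char* mm_auth2_read_banner(void)` in the monitor_wrap.c hunk. Two blank lines are added between the closing brace of the new `else {` block and `return (0);` in `mm_answer_pwnamallow`; one is enough. The handler releases the banner with `free(banner)` although `auth2_read_banner` obtained it from `xmalloc` and the auth2.c cleanup in this commit uses `xfree` for the same buffer; matching the wrapper keeps the allocator pairing consistent.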
+++ b/usr.bin/ssh/monitor_wrap.c
@@ -25,7 +25,7 @@
  */
 #include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.5 2002/03/25 20:12:10 stevesk Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.6 2002/05/12 23:53:45 djm Exp $");
 #include <openssl/bn.h>
 #include <openssl/dh.h>
@@ -205,6 +205,24 @@ mm_getpwnamallow(const char *login)
 return (pw);
 }
+char* mm_auth2_read_banner(void)
+{
+ Buffer m;
+ char *banner;
+
+ debug3("%s entering", __FUNCTION__);
+
+ buffer_init(&m);
+ mm_request_send(monitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, &m);
+ buffer_clear(&m);
+
+ mm_request_receive_expect(monitor->m_recvfd, MONITOR_ANS_AUTH2_READ_BANNER, &m);
+ banner = buffer_get_string(&m, NULL);
+ buffer_free(&m);
+
+ return (banner);
+}
+
 /* Inform the privileged process about service and style */
 void
diff --git a/usr.bin/ssh/monitor_wrap.h b/usr.bin/ssh/monitor_wrap.h
index 3676d41cfea..739b054d1f2 100644
--- a/usr.bin/ssh/monitor_wrap.h
+++ b/usr.bin/ssh/monitor_wrap.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.h,v 1.4 2002/03/26 03:24:01 stevesk Exp $ */
+/* $OpenBSD: monitor_wrap.h,v 1.5 2002/05/12 23:53:45 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -44,6 +44,7 @@ DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
 void mm_inform_authserv(char *, char *);
 struct passwd *mm_getpwnamallow(const char *);
+char* mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
 int mm_key_allowed(enum mm_keytype, char *, char *, Key *);
 int mm_user_key_allowed(struct passwd *, Key *);
|
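Review bot: `mm_auth2_read_banner` hands back whatever string the monitor sent, and the monitor side (`mm_answer_auth2_read_banner` in the monitor.c hunk) substitutes `""` when `auth2_read_banner` returns NULL, so under privsep the `== NULL` test in `userauth_banner` never fires and an empty SSH2_MSG_USERAUTH_BANNER is sent whenever the banner file is missing or unreadable, which the non-privsep path does not do. Map the sentinel back after `buffer_free(&m)`: `if (*banner == '\0') { xfree(banner); banner = NULL; }`. A configured-but-empty banner file would then also produce no message, which seems the lesser surprise. Spacing: `char* mm_auth2_read_banner(void)` (and the prototype in the monitor_wrap.h hunk) uses `char*` where the rest of the hunk writes `char *banner;`.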