Diffstat (limited to 'session.c')
| -rw-r--r-- | session.c | 120 | 
1 files changed, 64 insertions, 56 deletions
| diff --git a/session.c b/session.c
index 4bccb62d1e4d..58826db1698a 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.292 2017/09/12 06:32:07 djm Exp $ */
+/* $OpenBSD: session.c,v 1.294 2018/03/03 03:15:51 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -140,6 +140,8 @@ extern u_int utmp_len;
 extern int startup_pipe;
 extern void destroy_sensitive_data(void);
 extern Buffer loginmsg;
+extern struct sshauthopt *auth_opts;
+char *tun_fwd_ifnames; /* serverloop.c */
 /* original command from peer. */
 const char *original_command = NULL;
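Review bot: `char *tun_fwd_ifnames; /* serverloop.c */` in the second hunk is written without `extern`, unlike the `auth_opts` line added just above it, so as shown it is a tentative definition in session.c rather than a declaration of a variable owned by serverloop.c. If serverloop.c also defines the symbol, the build relies on common-symbol merging and fails to link under `-fno-common`; serverloop.c is not part of this diff, so that needs checking. Either add `extern` here, or keep the definition here, initialise it explicitly (`char *tun_fwd_ifnames = NULL;`) and reword the comment to say that serverloop.c is where it is written.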
@@ -287,14 +289,42 @@ prepare_auth_info_file(struct passwd *pw, struct sshbuf *info)
 	restore_uid();
 }
+static void
+set_permitopen_from_authopts(struct ssh *ssh, const struct sshauthopt *opts)
+{
+	char *tmp, *cp, *host;
+	int port;
+	size_t i;
+
+	if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
+		return;
+	channel_clear_permitted_opens(ssh);
+	for (i = 0; i < auth_opts->npermitopen; i++) {
+		tmp = cp = xstrdup(auth_opts->permitopen[i]);
+		/* This shouldn't fail as it has already been checked */
+		if ((host = hpdelim(&cp)) == NULL)
+			fatal("%s: internal error: hpdelim", __func__);
+		host = cleanhostname(host);
+		if (cp == NULL || (port = permitopen_port(cp)) < 0)
+			fatal("%s: internal error: permitopen port",
+			    __func__);
+		channel_add_permitted_opens(ssh, host, port);
+		free(tmp);
+	}
+}
+
 void
 do_authenticated(struct ssh *ssh, Authctxt *authctxt)
 {
 	setproctitle("%s", authctxt->pw->pw_name);
+	auth_log_authopts("active", auth_opts, 0);
+
 	/* setup the channel layer */
 	/* XXX - streamlocal? */
-	if (no_port_forwarding_flag || options.disable_forwarding ||
+	set_permitopen_from_authopts(ssh, auth_opts);
+	if (!auth_opts->permit_port_forwarding_flag ||
+	    options.disable_forwarding ||
 	    (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
 		channel_disable_adm_local_opens(ssh);
 	else
@@ -334,7 +364,6 @@ int
 do_exec_no_pty(struct ssh *ssh, Session *s, const char *command)
 {
 	pid_t pid;
-
 #ifdef USE_PIPES
 	int pin[2], pout[2], perr[2];
@@ -450,11 +479,6 @@ do_exec_no_pty(struct ssh *ssh, Session *s, const char *command)
 		close(err[0]);
 #endif
-
-#ifdef _UNICOS
-		cray_init_job(s->pw); /* set up cray jid and tmpdir */
-#endif
-
 		/* Do processing for the child (exec command etc). */
 		do_child(ssh, s, command);
 		/* NOTREACHED */
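Review bot: set_permitopen_from_authopts() in the first hunk takes `const struct sshauthopt *opts` but never reads it: the loop bound and the `xstrdup()` source both go through the global `auth_opts`. The only caller visible here passes `auth_opts`, so behaviour is the same today, but a later caller that hands in a different option set would still get the global's permitopen list installed as the channel allow-list. Use the parameter, `for (i = 0; i < opts->npermitopen; i++)` and `tmp = cp = xstrdup(opts->permitopen[i]);`, or drop it from the signature. A short comment above the function saying that it replaces any previously permitted opens (it calls channel_clear_permitted_opens() first) and returns without touching them when local TCP forwarding is disabled would also help the next reader.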
@@ -462,9 +486,6 @@ do_exec_no_pty(struct ssh *ssh, Session *s, const char *command)
 		break;
 	}
-#ifdef _UNICOS
-	signal(WJSIGNAL, cray_job_termination_handler);
-#endif /* _UNICOS */
 #ifdef HAVE_CYGWIN
 	cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
 #endif
@@ -576,9 +597,6 @@ do_exec_pty(struct ssh *ssh, Session *s, const char *command)
 		close(ttyfd);
 		/* record login, etc. similar to login(1) */
-#ifdef _UNICOS
-		cray_init_job(s->pw); /* set up cray jid and tmpdir */
-#endif /* _UNICOS */
 #ifndef HAVE_OSF_SIA
 		do_login(ssh, s, command);
 #endif
@@ -592,9 +610,6 @@ do_exec_pty(struct ssh *ssh, Session *s, const char *command)
 		break;
 	}
-#ifdef _UNICOS
-	signal(WJSIGNAL, cray_job_termination_handler);
-#endif /* _UNICOS */
 #ifdef HAVE_CYGWIN
 	cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
 #endif
@@ -656,9 +671,9 @@ do_exec(struct ssh *ssh, Session *s, const char *command)
 		original_command = command;
 		command = options.adm_forced_command;
 		forced = "(config)";
-	} else if (forced_command) {
+	} else if (auth_opts->force_command != NULL) {
 		original_command = command;
-		command = forced_command;
+		command = auth_opts->force_command;
 		forced = "(key-option)";
 	}
 	if (forced != NULL) {
@@ -961,8 +976,9 @@ static char **
 do_setup_env(struct ssh *ssh, Session *s, const char *shell)
 {
 	char buf[256];
+	size_t n;
 	u_int i, envsize;
-	char **env, *laddr;
+	char *ocp, *cp, **env, *laddr;
 	struct passwd *pw = s->pw;
 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
 	char *path = NULL;
@@ -1037,20 +1053,17 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
 	if (getenv("TZ"))
 		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
-	/* Set custom environment options from RSA authentication. */
-	while (custom_environment) {
-		struct envstring *ce = custom_environment;
-		char *str = ce->s;
-
-		for (i = 0; str[i] != '=' && str[i]; i++)
-			;
-		if (str[i] == '=') {
-			str[i] = 0;
-			child_set_env(&env, &envsize, str, str + i + 1);
+	/* Set custom environment options from pubkey authentication. */
+	if (options.permit_user_env) {
+		for (n = 0 ; n < auth_opts->nenv; n++) {
+			ocp = xstrdup(auth_opts->env[n]);
+			cp = strchr(ocp, '=');
+			if (*cp == '=') {
+				*cp = '\0';
+				child_set_env(&env, &envsize, ocp, cp + 1);
+			}
+			free(ocp);
 		}
-		custom_environment = ce->next;
-		free(ce->s);
-		free(ce);
 	}
 	/* SSH_CLIENT deprecated */
@@ -1066,6 +1079,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
 	free(laddr);
 	child_set_env(&env, &envsize, "SSH_CONNECTION", buf);
+	if (tun_fwd_ifnames != NULL)
+		child_set_env(&env, &envsize, "SSH_TUNNEL", tun_fwd_ifnames);
 	if (auth_info_file != NULL)
 		child_set_env(&env, &envsize, "SSH_USER_AUTH", auth_info_file);
 	if (s->ttyfd != -1)
@@ -1078,11 +1093,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
 		child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
 		    original_command);
-#ifdef _UNICOS
-	if (cray_tmpdir[0] != '\0')
-		child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir);
-#endif /* _UNICOS */
-
 	/*
 	 * Since we clear KRB5CCNAME at startup, if it's set now then it
 	 * must have been set by a native authentication method (eg AIX or
@@ -1155,7 +1165,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
  * first in this order).
  */
 static void
-do_rc_files(Session *s, const char *shell)
+do_rc_files(struct ssh *ssh, Session *s, const char *shell)
 {
 	FILE *f = NULL;
 	char cmd[1024];
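Review bot: In the first hunk (do_setup_env), `cp = strchr(ocp, '=')` is followed by `if (*cp == '=')`, which dereferences a NULL pointer whenever an entry in `auth_opts->env` contains no `=`; the removed loop handled that case by stopping at the string terminator. Because strchr() only ever returns NULL or a pointer to the `=`, the comparison as written cannot be false without crashing first. The entries may already be validated where the key options are parsed, but that code is not in this diff, so the guard should not depend on it: `if (cp != NULL) {`. The function body starts and ends outside the hunk.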
@@ -1167,7 +1177,7 @@ do_rc_files(Session *s, const char *shell)
 	/* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
 	if (!s->is_subsystem && options.adm_forced_command == NULL &&
-	    !no_user_rc && options.permit_user_rc &&
+	    auth_opts->permit_user_rc && options.permit_user_rc &&
 	    stat(_PATH_SSH_USER_RC, &st) >= 0) {
 		snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
 		    shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
@@ -1248,10 +1258,10 @@ do_nologin(struct passwd *pw)
 	/* /etc/nologin exists.  Print its contents if we can and exit. */
 	logit("User %.100s not allowed because %s exists", pw->pw_name, nl);
 	if ((f = fopen(nl, "r")) != NULL) {
- 		while (fgets(buf, sizeof(buf), f))
- 			fputs(buf, stderr);
- 		fclose(f);
- 	}
+		while (fgets(buf, sizeof(buf), f))
+			fputs(buf, stderr);
+		fclose(f);
+	}
 	exit(254);
 }
@@ -1483,10 +1493,6 @@ do_child(struct ssh *ssh, Session *s, const char *command)
 		exit(1);
 	}
-#ifdef _UNICOS
-	cray_setup(pw->pw_uid, pw->pw_name, command);
-#endif /* _UNICOS */
-
 	/*
 	 * Login(1) does this as well, and it needs uid 0 for the "-h"
 	 * switch, so we let login(1) to this for us.
@@ -1591,7 +1597,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
 	closefrom(STDERR_FILENO + 1);
-	do_rc_files(s, shell);
+	do_rc_files(ssh, s, shell);
 	/* restore SIGPIPE for child */
 	signal(SIGPIPE, SIG_DFL);
@@ -1854,8 +1860,8 @@ session_pty_req(struct ssh *ssh, Session *s)
 	u_int len;
 	int n_bytes;
-	if (no_pty_flag || !options.permit_tty) {
-		debug("Allocating a pty not permitted for this authentication.");
+	if (!auth_opts->permit_pty_flag || !options.permit_tty) {
+		debug("Allocating a pty not permitted for this connection.");
 		return 0;
 	}
 	if (s->ttyfd != -1) {
@@ -2043,9 +2049,11 @@ static int
 session_auth_agent_req(struct ssh *ssh, Session *s)
 {
 	static int called = 0;
+
 	packet_check_eom();
-	if (no_agent_forwarding_flag || !options.allow_agent_forwarding) {
-		debug("session_auth_agent_req: no_agent_forwarding_flag");
+	if (!auth_opts->permit_agent_forwarding_flag ||
+	    !options.allow_agent_forwarding) {
+		debug("%s: agent forwarding disabled", __func__);
 		return 0;
 	}
 	if (called) {
@@ -2423,8 +2431,8 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
 	char hostname[NI_MAXHOST];
 	u_int i;
-	if (no_x11_forwarding_flag) {
-		packet_send_debug("X11 forwarding disabled in user configuration file.");
+	if (!auth_opts->permit_x11_forwarding_flag) {
+		packet_send_debug("X11 forwarding disabled by key options.");
 		return 0;
 	}
 	if (!options.x11_forwarding) {
@@ -2433,7 +2441,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
 	}
 	if (options.xauth_location == NULL ||
 	    (stat(options.xauth_location, &st) == -1)) {
-		packet_send_debug("No xauth program; cannot forward with spoofing.");
+		packet_send_debug("No xauth program; cannot forward X11.");
 		return 0;
 	}
 	if (s->display != NULL) { |
