| sshd.c (8261034302887f4881dff0801d3ad535d52c38e5) | sshd.c (fe5fd0173b1983e53ba8dbafb3229b37444e7986) |
|---|---|
| 1/* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * Created: Fri Mar 17 17:09:28 1995 ylo 6 * This program is the ssh daemon. It listens for connections from clients, and 7 * performs authentication, executes use commands or shell, and forwards 8 * information to/from the application to the user client over an encrypted --- 23 unchanged lines hidden (view full) --- 32#ifdef LIBWRAP 33#include <tcpd.h> 34#include <syslog.h> 35int allow_severity = LOG_INFO; 36int deny_severity = LOG_WARNING; 37#endif /* LIBWRAP */ 38 39#ifdef __FreeBSD__ | 1/* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * Created: Fri Mar 17 17:09:28 1995 ylo 6 * This program is the ssh daemon. It listens for connections from clients, and 7 * performs authentication, executes use commands or shell, and forwards 8 * information to/from the application to the user client over an encrypted --- 23 unchanged lines hidden (view full) --- 32#ifdef LIBWRAP 33#include <tcpd.h> 34#include <syslog.h> 35int allow_severity = LOG_INFO; 36int deny_severity = LOG_WARNING; 37#endif /* LIBWRAP */ 38 39#ifdef __FreeBSD__ |
| 40#include <libutil.h> 41#include <syslog.h> | |
| 42#define LOGIN_CAP | 40#define LOGIN_CAP |
| 41#define _PATH_CHPASS "/usr/bin/passwd" |
|
| 43#endif /* __FreeBSD__ */ 44 45#ifdef LOGIN_CAP 46#include <login_cap.h> 47#endif /* LOGIN_CAP */ 48 49#ifndef O_NOCTTY 50#define O_NOCTTY 0 51#endif 52 | 42#endif /* __FreeBSD__ */ 43 44#ifdef LOGIN_CAP 45#include <login_cap.h> 46#endif /* LOGIN_CAP */ 47 48#ifndef O_NOCTTY 49#define O_NOCTTY 0 50#endif 51 |
| 52#ifdef KRB5 53#include <krb5.h> 54krb5_context ssh_context = NULL; 55krb5_principal tkt_client = NULL; /* Principal from the received ticket. 56Also is used as an indication of succesful krb5 authentization. */ 57#endif /* KRB5 */ 58 59 |
|
| 53/* Local Xauthority file. */ 54static char *xauthfile = NULL; 55 56/* Server configuration options. */ 57ServerOptions options; 58 59/* Name of the server configuration file. */ 60char *config_file_name = SERVER_CONFIG_FILE; --- 83 unchanged lines hidden (view full) --- 144struct magic_connection { 145 struct timeval connections_begin; 146 unsigned int connections_this_period; 147} *magic_connections; 148/* Magic number, too! TODO: this doesn't have to be static. */ 149const size_t MAGIC_CONNECTIONS_SIZE = 1; 150 151static __inline int | 60/* Local Xauthority file. */ 61static char *xauthfile = NULL; 62 63/* Server configuration options. */ 64ServerOptions options; 65 66/* Name of the server configuration file. */ 67char *config_file_name = SERVER_CONFIG_FILE; --- 83 unchanged lines hidden (view full) --- 151struct magic_connection { 152 struct timeval connections_begin; 153 unsigned int connections_this_period; 154} *magic_connections; 155/* Magic number, too! TODO: this doesn't have to be static. */ 156const size_t MAGIC_CONNECTIONS_SIZE = 1; 157 158static __inline int |
| 152magic_hash(struct sockaddr_storage *sa) { | 159magic_hash(struct sockaddr *sa) { |
| 153 154 return 0; 155} 156 157static __inline struct timeval 158timevaldiff(struct timeval *tv1, struct timeval *tv2) { 159 struct timeval diff; 160 int carry; --- 136 unchanged lines hidden (view full) --- 297 return "password"; 298 case SSH_CMSG_AUTH_RSA: 299 return "rsa"; 300 case SSH_CMSG_AUTH_RHOSTS_RSA: 301 return "rhosts-rsa"; 302 case SSH_CMSG_AUTH_RHOSTS: 303 return "rhosts"; 304#ifdef KRB4 | 160 161 return 0; 162} 163 164static __inline struct timeval 165timevaldiff(struct timeval *tv1, struct timeval *tv2) { 166 struct timeval diff; 167 int carry; --- 136 unchanged lines hidden (view full) --- 304 return "password"; 305 case SSH_CMSG_AUTH_RSA: 306 return "rsa"; 307 case SSH_CMSG_AUTH_RHOSTS_RSA: 308 return "rhosts-rsa"; 309 case SSH_CMSG_AUTH_RHOSTS: 310 return "rhosts"; 311#ifdef KRB4 |
| 305 case SSH_CMSG_AUTH_KERBEROS: 306 return "kerberos"; | 312 case SSH_CMSG_AUTH_KRB4: 313 return "kerberosV4"; |
| 307#endif | 314#endif |
| 315#ifdef KRB5 316 case SSH_CMSG_AUTH_KRB5: 317 return "kerberosV5"; 318#endif /* KRB5 */ |
|
| 308#ifdef SKEY 309 case SSH_CMSG_AUTH_TIS_RESPONSE: 310 return "s/key"; 311#endif 312 } 313 snprintf(buf, sizeof buf, "bad-auth-msg-%d", type); 314 return buf; 315} --- 402 unchanged lines hidden (view full) --- 718 error("newsock del O_NONBLOCK: %s", strerror(errno)); 719 continue; 720 } 721 if (options.connections_per_period != 0) { 722 struct timeval diff, connections_end; 723 struct magic_connection *mc; 724 725 (void)gettimeofday(&connections_end, NULL); | 319#ifdef SKEY 320 case SSH_CMSG_AUTH_TIS_RESPONSE: 321 return "s/key"; 322#endif 323 } 324 snprintf(buf, sizeof buf, "bad-auth-msg-%d", type); 325 return buf; 326} --- 402 unchanged lines hidden (view full) --- 729 error("newsock del O_NONBLOCK: %s", strerror(errno)); 730 continue; 731 } 732 if (options.connections_per_period != 0) { 733 struct timeval diff, connections_end; 734 struct magic_connection *mc; 735 736 (void)gettimeofday(&connections_end, NULL); |
| 726 mc = &magic_connections[magic_hash(&from)]; | 737 mc = &magic_connections[magic_hash((struct sockaddr *)0)]; |
| 727 diff = timevaldiff(&mc->connections_begin, &connections_end); 728 if (diff.tv_sec >= options.connections_period) { 729 /* 730 * Slide the window forward only after completely 731 * leaving it. 732 */ 733 mc->connections_begin = connections_end; 734 mc->connections_this_period = 1; --- 208 unchanged lines hidden (view full) --- 943 */ 944 if (remote_port >= IPPORT_RESERVED || 945 remote_port < IPPORT_RESERVED / 2) { 946 options.rhosts_authentication = 0; 947 options.rhosts_rsa_authentication = 0; 948 } 949#ifdef KRB4 950 if (!packet_connection_is_ipv4() && | 738 diff = timevaldiff(&mc->connections_begin, &connections_end); 739 if (diff.tv_sec >= options.connections_period) { 740 /* 741 * Slide the window forward only after completely 742 * leaving it. 743 */ 744 mc->connections_begin = connections_end; 745 mc->connections_this_period = 1; --- 208 unchanged lines hidden (view full) --- 954 */ 955 if (remote_port >= IPPORT_RESERVED || 956 remote_port < IPPORT_RESERVED / 2) { 957 options.rhosts_authentication = 0; 958 options.rhosts_rsa_authentication = 0; 959 } 960#ifdef KRB4 961 if (!packet_connection_is_ipv4() && |
| 951 options.kerberos_authentication) { | 962 options.krb4_authentication) { |
| 952 debug("Kerberos Authentication disabled, only available for IPv4."); | 963 debug("Kerberos Authentication disabled, only available for IPv4."); |
| 953 options.kerberos_authentication = 0; | 964 options.krb4_authentication = 0; |
| 954 } 955#endif /* KRB4 */ 956 957 packet_set_nonblocking(); 958 959 /* perform the key exchange */ 960 do_ssh_kex(); 961 962 /* authenticate user and start session */ 963 do_authentication(); 964 965#ifdef KRB4 966 /* Cleanup user's ticket cache file. */ | 965 } 966#endif /* KRB4 */ 967 968 packet_set_nonblocking(); 969 970 /* perform the key exchange */ 971 do_ssh_kex(); 972 973 /* authenticate user and start session */ 974 do_authentication(); 975 976#ifdef KRB4 977 /* Cleanup user's ticket cache file. */ |
| 967 if (options.kerberos_ticket_cleanup) | 978 if (options.krb4_ticket_cleanup) |
| 968 (void) dest_tkt(); 969#endif /* KRB4 */ 970 971 /* Cleanup user's local Xauthority file. */ 972 if (xauthfile) 973 xauthfile_cleanup_proc(NULL); 974 975 /* The connection has been terminated. */ --- 61 unchanged lines hidden (view full) --- 1037 auth_mask = 0; 1038 if (options.rhosts_authentication) 1039 auth_mask |= 1 << SSH_AUTH_RHOSTS; 1040 if (options.rhosts_rsa_authentication) 1041 auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA; 1042 if (options.rsa_authentication) 1043 auth_mask |= 1 << SSH_AUTH_RSA; 1044#ifdef KRB4 | 979 (void) dest_tkt(); 980#endif /* KRB4 */ 981 982 /* Cleanup user's local Xauthority file. */ 983 if (xauthfile) 984 xauthfile_cleanup_proc(NULL); 985 986 /* The connection has been terminated. */ --- 61 unchanged lines hidden (view full) --- 1048 auth_mask = 0; 1049 if (options.rhosts_authentication) 1050 auth_mask |= 1 << SSH_AUTH_RHOSTS; 1051 if (options.rhosts_rsa_authentication) 1052 auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA; 1053 if (options.rsa_authentication) 1054 auth_mask |= 1 << SSH_AUTH_RSA; 1055#ifdef KRB4 |
| 1045 if (options.kerberos_authentication) 1046 auth_mask |= 1 << SSH_AUTH_KERBEROS; | 1056 if (options.krb4_authentication) 1057 auth_mask |= 1 << SSH_AUTH_KRB4; |
| 1047#endif | 1058#endif |
| 1059#ifdef KRB5 1060 if (options.krb5_authentication) { 1061 auth_mask |= 1 << SSH_AUTH_KRB5; 1062 /* compatibility with MetaCentre ssh */ 1063 auth_mask |= 1 << SSH_AUTH_KRB4; 1064 } 1065 if (options.krb5_tgt_passing) 1066 auth_mask |= 1 << SSH_PASS_KRB5_TGT; 1067#endif /* KRB5 */ 1068 |
|
| 1048#ifdef AFS | 1069#ifdef AFS |
| 1049 if (options.kerberos_tgt_passing) 1050 auth_mask |= 1 << SSH_PASS_KERBEROS_TGT; | 1070 if (options.krb4_tgt_passing) 1071 auth_mask |= 1 << SSH_PASS_KRB4_TGT; |
| 1051 if (options.afs_token_passing) 1052 auth_mask |= 1 << SSH_PASS_AFS_TOKEN; 1053#endif 1054#ifdef SKEY 1055 if (options.skey_authentication == 1) 1056 auth_mask |= 1 << SSH_AUTH_TIS; 1057#endif 1058 if (options.password_authentication) --- 182 unchanged lines hidden (view full) --- 1241 if (match_pattern(grp->gr_name, options.allow_groups[i])) 1242 break; 1243 /* i < options.num_allow_groups iff we break for 1244 loop */ 1245 if (i >= options.num_allow_groups) 1246 return 0; 1247 } 1248 } | 1072 if (options.afs_token_passing) 1073 auth_mask |= 1 << SSH_PASS_AFS_TOKEN; 1074#endif 1075#ifdef SKEY 1076 if (options.skey_authentication == 1) 1077 auth_mask |= 1 << SSH_AUTH_TIS; 1078#endif 1079 if (options.password_authentication) --- 182 unchanged lines hidden (view full) --- 1262 if (match_pattern(grp->gr_name, options.allow_groups[i])) 1263 break; 1264 /* i < options.num_allow_groups iff we break for 1265 loop */ 1266 if (i >= options.num_allow_groups) 1267 return 0; 1268 } 1269 } |
| 1270#ifndef __FreeBSD__ /* FreeBSD handle it later */ |
|
| 1249 /* Fail if the account's expiration time has passed. */ 1250 if (pw->pw_expire != 0) { 1251 struct timeval tv; 1252 1253 (void)gettimeofday(&tv, NULL); 1254 if (tv.tv_sec >= pw->pw_expire) 1255 return 0; 1256 } | 1271 /* Fail if the account's expiration time has passed. */ 1272 if (pw->pw_expire != 0) { 1273 struct timeval tv; 1274 1275 (void)gettimeofday(&tv, NULL); 1276 if (tv.tv_sec >= pw->pw_expire) 1277 return 0; 1278 } |
| 1279#endif /* !__FreeBSD__ */ |
|
| 1257 /* We found no reason not to let this user try to log on... */ 1258 return 1; 1259} 1260 1261/* 1262 * Performs authentication of an incoming connection. Session key has already 1263 * been exchanged and encryption is enabled. 1264 */ 1265void 1266do_authentication() 1267{ 1268 struct passwd *pw, pwcopy; 1269 int plen, ulen; 1270 char *user; | 1280 /* We found no reason not to let this user try to log on... */ 1281 return 1; 1282} 1283 1284/* 1285 * Performs authentication of an incoming connection. Session key has already 1286 * been exchanged and encryption is enabled. 1287 */ 1288void 1289do_authentication() 1290{ 1291 struct passwd *pw, pwcopy; 1292 int plen, ulen; 1293 char *user; |
| 1294#ifdef LOGIN_CAP 1295 login_cap_t *lc; 1296 char *hosts; 1297 const char *from_host, *from_ip; 1298 int denied; 1299#endif /* LOGIN_CAP */ |
|
| 1271 1272 /* Get the name of the user that we wish to log in as. */ 1273 packet_read_expect(&plen, SSH_CMSG_USER); 1274 1275 /* Get the user name. */ 1276 user = packet_get_string(&ulen); 1277 packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER); 1278 --- 32 unchanged lines hidden (view full) --- 1311 */ 1312 if (getuid() != 0 && pw->pw_uid != getuid()) 1313 packet_disconnect("Cannot change user when server not running as root."); 1314 1315 debug("Attempting authentication for %.100s.", pw->pw_name); 1316 1317 /* If the user has no password, accept authentication immediately. */ 1318 if (options.password_authentication && | 1300 1301 /* Get the name of the user that we wish to log in as. */ 1302 packet_read_expect(&plen, SSH_CMSG_USER); 1303 1304 /* Get the user name. */ 1305 user = packet_get_string(&ulen); 1306 packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER); 1307 --- 32 unchanged lines hidden (view full) --- 1340 */ 1341 if (getuid() != 0 && pw->pw_uid != getuid()) 1342 packet_disconnect("Cannot change user when server not running as root."); 1343 1344 debug("Attempting authentication for %.100s.", pw->pw_name); 1345 1346 /* If the user has no password, accept authentication immediately. */ 1347 if (options.password_authentication && |
| 1348#ifdef KRB5 1349 !options.krb5_authentication && 1350#endif /* KRB5 */ |
|
| 1319#ifdef KRB4 | 1351#ifdef KRB4 |
| 1320 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && | 1352 (!options.krb4_authentication || options.krb4_or_local_passwd) && |
| 1321#endif /* KRB4 */ 1322 auth_password(pw, "")) { 1323 /* Authentication with empty password succeeded. */ 1324 log("Login for user %s from %.100s, accepted without authentication.", 1325 pw->pw_name, get_remote_ipaddr()); 1326 } else { 1327 /* Loop until the user has been authenticated or the 1328 connection is closed, do_authloop() returns only if --- 4 unchanged lines hidden (view full) --- 1333 /* Check if the user is logging in as root and root logins are disallowed. */ 1334 if (pw->pw_uid == 0 && !options.permit_root_login) { 1335 if (forced_command) 1336 log("Root login accepted for forced command."); 1337 else 1338 packet_disconnect("ROOT LOGIN REFUSED FROM %.200s", 1339 get_canonical_hostname()); 1340 } | 1353#endif /* KRB4 */ 1354 auth_password(pw, "")) { 1355 /* Authentication with empty password succeeded. */ 1356 log("Login for user %s from %.100s, accepted without authentication.", 1357 pw->pw_name, get_remote_ipaddr()); 1358 } else { 1359 /* Loop until the user has been authenticated or the 1360 connection is closed, do_authloop() returns only if --- 4 unchanged lines hidden (view full) --- 1365 /* Check if the user is logging in as root and root logins are disallowed. */ 1366 if (pw->pw_uid == 0 && !options.permit_root_login) { 1367 if (forced_command) 1368 log("Root login accepted for forced command."); 1369 else 1370 packet_disconnect("ROOT LOGIN REFUSED FROM %.200s", 1371 get_canonical_hostname()); 1372 } |
| 1373 1374#ifdef LOGIN_CAP 1375 lc = login_getpwclass(pw); 1376 if (lc == NULL) 1377 lc = login_getclassbyname(NULL, pw); 1378 from_host = get_canonical_hostname(); 1379 from_ip = get_remote_ipaddr(); 1380 1381 denied = 0; 1382 if ((hosts = login_getcapstr(lc, "host.deny", NULL, NULL)) != NULL) { 1383 denied = match_hostname(from_host, hosts, strlen(hosts)); 1384 if (!denied) 1385 denied = match_hostname(from_ip, hosts, strlen(hosts)); 1386 } 1387 if (!denied && 1388 (hosts = login_getcapstr(lc, "host.allow", NULL, NULL)) != NULL) { 1389 denied = !match_hostname(from_host, hosts, strlen(hosts)); 1390 if (denied) 1391 denied = !match_hostname(from_ip, hosts, strlen(hosts)); 1392 } 1393 login_close(lc); 1394 if (denied) { 1395 log("Denied connection for %.200s from %.200s [%.200s].", 1396 pw->pw_name, from_host, from_ip); 1397 packet_disconnect("Sorry, you are not allowed to connect."); 1398 } 1399#endif /* LOGIN_CAP */ 1400 1401 if (pw->pw_uid == 0) 1402 log("ROOT LOGIN as '%.100s' from %.100s", 1403 pw->pw_name, get_canonical_hostname()); 1404 |
|
| 1341 /* The user has been authenticated and accepted. */ 1342 packet_start(SSH_SMSG_SUCCESS); 1343 packet_send(); 1344 packet_write_wait(); 1345 1346 /* Perform session preparation. */ 1347 do_authenticated(pw); 1348} --- 13 unchanged lines hidden (view full) --- 1362 unsigned int bits; 1363 BIGNUM *client_host_key_e, *client_host_key_n; 1364 BIGNUM *n; 1365 char *client_user, *password; 1366 char user[1024]; 1367 int plen, dlen, nlen, ulen, elen; 1368 int type = 0; 1369 void (*authlog) (const char *fmt,...) = verbose; | 1405 /* The user has been authenticated and accepted. */ 1406 packet_start(SSH_SMSG_SUCCESS); 1407 packet_send(); 1408 packet_write_wait(); 1409 1410 /* Perform session preparation. */ 1411 do_authenticated(pw); 1412} --- 13 unchanged lines hidden (view full) --- 1426 unsigned int bits; 1427 BIGNUM *client_host_key_e, *client_host_key_n; 1428 BIGNUM *n; 1429 char *client_user, *password; 1430 char user[1024]; 1431 int plen, dlen, nlen, ulen, elen; 1432 int type = 0; 1433 void (*authlog) (const char *fmt,...) = verbose; |
| 1434#ifdef HAVE_LIBPAM 1435 int pam_retval; 1436#endif /* HAVE_LIBPAM */ 1437#if 0 1438#ifdef KRB5 1439 { 1440 krb5_error_code ret; 1441 1442 ret = krb5_init_context(&ssh_context); 1443 if (ret) 1444 verbose("Error while initializing Kerberos V5."); 1445 krb5_init_ets(ssh_context); 1446 1447 } 1448#endif /* KRB5 */ 1449#endif |
|
| 1370 1371 /* Indicate that authentication is needed. */ 1372 packet_start(SSH_SMSG_FAILURE); 1373 packet_send(); 1374 packet_write_wait(); 1375 1376 for (attempt = 1;; attempt++) { 1377 int authenticated = 0; 1378 strlcpy(user, "", sizeof user); 1379 1380 /* Get a packet from the client. */ 1381 type = packet_read(&plen); 1382 1383 /* Process the packet. */ 1384 switch (type) { 1385#ifdef AFS | 1450 1451 /* Indicate that authentication is needed. */ 1452 packet_start(SSH_SMSG_FAILURE); 1453 packet_send(); 1454 packet_write_wait(); 1455 1456 for (attempt = 1;; attempt++) { 1457 int authenticated = 0; 1458 strlcpy(user, "", sizeof user); 1459 1460 /* Get a packet from the client. */ 1461 type = packet_read(&plen); 1462 1463 /* Process the packet. */ 1464 switch (type) { 1465#ifdef AFS |
| 1386 case SSH_CMSG_HAVE_KERBEROS_TGT: 1387 if (!options.kerberos_tgt_passing) { | 1466 case SSH_CMSG_HAVE_KRB4_TGT: 1467 if (!options.krb4_tgt_passing) { |
| 1388 /* packet_get_all(); */ | 1468 /* packet_get_all(); */ |
| 1389 verbose("Kerberos tgt passing disabled."); | 1469 verbose("Kerberos v4 tgt passing disabled."); |
| 1390 break; 1391 } else { | 1470 break; 1471 } else { |
| 1392 /* Accept Kerberos tgt. */ | 1472 /* Accept Kerberos v4 tgt. */ |
| 1393 char *tgt = packet_get_string(&dlen); 1394 packet_integrity_check(plen, 4 + dlen, type); | 1473 char *tgt = packet_get_string(&dlen); 1474 packet_integrity_check(plen, 4 + dlen, type); |
| 1395 if (!auth_kerberos_tgt(pw, tgt)) 1396 verbose("Kerberos tgt REFUSED for %s", pw->pw_name); | 1475 if (!auth_krb4_tgt(pw, tgt)) 1476 verbose("Kerberos v4 tgt REFUSED for %s", pw->pw_name); |
| 1397 xfree(tgt); 1398 } 1399 continue; 1400 1401 case SSH_CMSG_HAVE_AFS_TOKEN: 1402 if (!options.afs_token_passing || !k_hasafs()) { 1403 /* packet_get_all(); */ 1404 verbose("AFS token passing disabled."); --- 4 unchanged lines hidden (view full) --- 1409 packet_integrity_check(plen, 4 + dlen, type); 1410 if (!auth_afs_token(pw, token_string)) 1411 verbose("AFS token REFUSED for %s", pw->pw_name); 1412 xfree(token_string); 1413 } 1414 continue; 1415#endif /* AFS */ 1416#ifdef KRB4 | 1477 xfree(tgt); 1478 } 1479 continue; 1480 1481 case SSH_CMSG_HAVE_AFS_TOKEN: 1482 if (!options.afs_token_passing || !k_hasafs()) { 1483 /* packet_get_all(); */ 1484 verbose("AFS token passing disabled."); --- 4 unchanged lines hidden (view full) --- 1489 packet_integrity_check(plen, 4 + dlen, type); 1490 if (!auth_afs_token(pw, token_string)) 1491 verbose("AFS token REFUSED for %s", pw->pw_name); 1492 xfree(token_string); 1493 } 1494 continue; 1495#endif /* AFS */ 1496#ifdef KRB4 |
| 1417 case SSH_CMSG_AUTH_KERBEROS: 1418 if (!options.kerberos_authentication) { | 1497 case SSH_CMSG_AUTH_KRB4: 1498 if (!options.krb4_authentication) { |
| 1419 /* packet_get_all(); */ | 1499 /* packet_get_all(); */ |
| 1420 verbose("Kerberos authentication disabled."); | 1500 verbose("Kerberos v4 authentication disabled."); |
| 1421 break; 1422 } else { 1423 /* Try Kerberos v4 authentication. */ 1424 KTEXT_ST auth; 1425 char *tkt_user = NULL; 1426 char *kdata = packet_get_string((unsigned int *) &auth.length); 1427 packet_integrity_check(plen, 4 + auth.length, type); 1428 --- 5 unchanged lines hidden (view full) --- 1434 1435 if (authenticated) { 1436 snprintf(user, sizeof user, " tktuser %s", tkt_user); 1437 xfree(tkt_user); 1438 } 1439 } 1440 break; 1441#endif /* KRB4 */ | 1501 break; 1502 } else { 1503 /* Try Kerberos v4 authentication. */ 1504 KTEXT_ST auth; 1505 char *tkt_user = NULL; 1506 char *kdata = packet_get_string((unsigned int *) &auth.length); 1507 packet_integrity_check(plen, 4 + auth.length, type); 1508 --- 5 unchanged lines hidden (view full) --- 1514 1515 if (authenticated) { 1516 snprintf(user, sizeof user, " tktuser %s", tkt_user); 1517 xfree(tkt_user); 1518 } 1519 } 1520 break; 1521#endif /* KRB4 */ |
| 1522#ifdef KRB5 1523 case SSH_CMSG_AUTH_KRB5: 1524 if (!options.krb5_authentication) { 1525 verbose("Kerberos v5 authentication disabled."); 1526 break; 1527 } else { 1528 krb5_data k5data; 1529#if 0 1530 if (krb5_init_context(&ssh_context)) { 1531 verbose("Error while initializing Kerberos V5."); 1532 break; 1533 } 1534 krb5_init_ets(ssh_context); 1535#endif 1536 1537 k5data.data = packet_get_string(&k5data.length); 1538 packet_integrity_check(plen, 4 + k5data.length, type); 1539 if (auth_krb5(pw->pw_name, &k5data, &tkt_client)) { 1540 /* pw->name is passed just for logging purposes 1541 * */ 1542 /* authorize client against .k5login */ 1543 if (krb5_kuserok(ssh_context, 1544 tkt_client, 1545 pw->pw_name)) 1546 authenticated = 1; 1547 } 1548 xfree(k5data.data); 1549 } 1550 break; 1551#endif /* KRB5 */ |
|
| 1442 1443 case SSH_CMSG_AUTH_RHOSTS: 1444 if (!options.rhosts_authentication) { 1445 verbose("Rhosts authentication disabled."); 1446 break; 1447 } 1448 /* 1449 * Get client user name. Note that we just have to --- 453 unchanged lines hidden (view full) --- 1903 packet_integrity_check(plen, 4 + dlen, type); 1904 } 1905 if (have_pty) 1906 do_exec_pty(command, ptyfd, ttyfd, ttyname, pw, term, display, proto, data); 1907 else 1908 do_exec_no_pty(command, pw, display, proto, data); 1909 xfree(command); 1910 return; | 1552 1553 case SSH_CMSG_AUTH_RHOSTS: 1554 if (!options.rhosts_authentication) { 1555 verbose("Rhosts authentication disabled."); 1556 break; 1557 } 1558 /* 1559 * Get client user name. Note that we just have to --- 453 unchanged lines hidden (view full) --- 2013 packet_integrity_check(plen, 4 + dlen, type); 2014 } 2015 if (have_pty) 2016 do_exec_pty(command, ptyfd, ttyfd, ttyname, pw, term, display, proto, data); 2017 else 2018 do_exec_no_pty(command, pw, display, proto, data); 2019 xfree(command); 2020 return; |
| 2021#ifdef KRB5 2022 case SSH_CMSG_HAVE_KRB5_TGT: 2023 /* Passing krb5 ticket */ 2024 if (!options.krb5_tgt_passing 2025 /*|| !options.krb5_authentication */) { |
|
| 1911 | 2026 |
| 2027 } 2028 2029 if (tkt_client == NULL) { 2030 /* passing tgt without krb5 authentication */ 2031 } 2032 2033 { 2034 krb5_data tgt; 2035 tgt.data = packet_get_string(&tgt.length); 2036 2037 if (!auth_krb5_tgt(pw->pw_name, &tgt, tkt_client)) { 2038 verbose ("Kerberos V5 TGT refused for %.100s", pw->pw_name); 2039 xfree(tgt.data); 2040 goto fail; 2041 } 2042 xfree(tgt.data); 2043 2044 break; 2045 } 2046#endif /* KRB5 */ 2047 |
|
| 1912 default: 1913 /* 1914 * Any unknown messages in this phase are ignored, 1915 * and a failure message is returned. 1916 */ 1917 log("Unknown packet type received after authentication: %d", type); 1918 goto fail; 1919 } --- 161 unchanged lines hidden (view full) --- 2081 int quiet_login; 2082 struct sockaddr_storage from; 2083 socklen_t fromlen; 2084 struct pty_cleanup_context cleanup_context; 2085#ifdef LOGIN_CAP 2086 login_cap_t *lc; 2087 char *fname; 2088#endif /* LOGIN_CAP */ | 2048 default: 2049 /* 2050 * Any unknown messages in this phase are ignored, 2051 * and a failure message is returned. 2052 */ 2053 log("Unknown packet type received after authentication: %d", type); 2054 goto fail; 2055 } --- 161 unchanged lines hidden (view full) --- 2217 int quiet_login; 2218 struct sockaddr_storage from; 2219 socklen_t fromlen; 2220 struct pty_cleanup_context cleanup_context; 2221#ifdef LOGIN_CAP 2222 login_cap_t *lc; 2223 char *fname; 2224#endif /* LOGIN_CAP */ |
| 2225#ifdef __FreeBSD__ 2226#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ 2227 struct timeval tv; 2228 time_t warntime = DEFAULT_WARN; 2229#endif /* __FreeBSD__ */ |
|
| 2089 2090 /* Get remote host name. */ 2091 hostname = get_canonical_hostname(); 2092 2093 /* 2094 * Get the time when the user last logged in. Buf will be set to 2095 * contain the hostname the last login was from. 2096 */ --- 55 unchanged lines hidden (view full) --- 2152 quiet_login = stat(line, &st) >= 0; 2153#ifdef LOGIN_CAP 2154 lc = login_getpwclass(pw); 2155 if (lc == NULL) 2156 lc = login_getclassbyname(NULL, pw); 2157 quiet_login = login_getcapbool(lc, "hushlogin", quiet_login); 2158#endif /* LOGIN_CAP */ 2159 | 2230 2231 /* Get remote host name. */ 2232 hostname = get_canonical_hostname(); 2233 2234 /* 2235 * Get the time when the user last logged in. Buf will be set to 2236 * contain the hostname the last login was from. 2237 */ --- 55 unchanged lines hidden (view full) --- 2293 quiet_login = stat(line, &st) >= 0; 2294#ifdef LOGIN_CAP 2295 lc = login_getpwclass(pw); 2296 if (lc == NULL) 2297 lc = login_getclassbyname(NULL, pw); 2298 quiet_login = login_getcapbool(lc, "hushlogin", quiet_login); 2299#endif /* LOGIN_CAP */ 2300 |
| 2301#ifdef __FreeBSD__ 2302 if (pw->pw_change || pw->pw_expire) 2303 (void)gettimeofday(&tv, NULL); 2304#ifdef LOGIN_CAP 2305 warntime = login_getcaptime(lc, "warnpassword", 2306 DEFAULT_WARN, DEFAULT_WARN); 2307#endif /* LOGIN_CAP */ |
|
| 2160 /* | 2308 /* |
| 2309 * If the password change time is set and has passed, give the 2310 * user a password expiry notice and chance to change it. 2311 */ 2312 if (pw->pw_change != 0) { 2313 if (tv.tv_sec >= pw->pw_change) { 2314 (void)printf( 2315 "Sorry -- your password has expired.\n"); 2316 log("%s Password expired - forcing change", 2317 pw->pw_name); 2318 command = _PATH_CHPASS; 2319 } else if (pw->pw_change - tv.tv_sec < warntime && 2320 !quiet_login) 2321 (void)printf( 2322 "Warning: your password expires on %s", 2323 ctime(&pw->pw_change)); 2324 } 2325#ifdef LOGIN_CAP 2326 warntime = login_getcaptime(lc, "warnexpire", 2327 DEFAULT_WARN, DEFAULT_WARN); 2328#endif /* LOGIN_CAP */ 2329 if (pw->pw_expire) { 2330 if (tv.tv_sec >= pw->pw_expire) { 2331 (void)printf( 2332 "Sorry -- your account has expired.\n"); 2333 log( 2334 "LOGIN %.200s REFUSED (EXPIRED) FROM %.200s ON TTY %.200s", 2335 pw->pw_name, hostname, ttyname); 2336 exit(254); 2337 } else if (pw->pw_expire - tv.tv_sec < warntime && 2338 !quiet_login) 2339 (void)printf( 2340 "Warning: your account expires on %s", 2341 ctime(&pw->pw_expire)); 2342 } 2343#endif /* __FreeBSD__ */ 2344 2345 /* |
|
| 2161 * If the user has logged in before, display the time of last 2162 * login. However, don't display anything extra if a command 2163 * has been specified (so that ssh can be used to execute 2164 * commands on a remote machine without users knowing they 2165 * are going to another machine). Login(1) will do this for 2166 * us as well, so check if login(1) is used 2167 */ 2168 if (command == NULL && last_login_time != 0 && !quiet_login && --- 29 unchanged lines hidden (view full) --- 2198 * it was disabled in server options or login(1) will be 2199 * used. Note that some machines appear to print it in 2200 * /etc/profile or similar. 2201 */ 2202 if (command == NULL && options.print_motd && !quiet_login && 2203 !options.use_login) { 2204#ifdef LOGIN_CAP 2205 fname = login_getcapstr(lc, "welcome", NULL, NULL); | 2346 * If the user has logged in before, display the time of last 2347 * login. However, don't display anything extra if a command 2348 * has been specified (so that ssh can be used to execute 2349 * commands on a remote machine without users knowing they 2350 * are going to another machine). Login(1) will do this for 2351 * us as well, so check if login(1) is used 2352 */ 2353 if (command == NULL && last_login_time != 0 && !quiet_login && --- 29 unchanged lines hidden (view full) --- 2383 * it was disabled in server options or login(1) will be 2384 * used. Note that some machines appear to print it in 2385 * /etc/profile or similar. 2386 */ 2387 if (command == NULL && options.print_motd && !quiet_login && 2388 !options.use_login) { 2389#ifdef LOGIN_CAP 2390 fname = login_getcapstr(lc, "welcome", NULL, NULL); |
| 2206 login_close(lc); | |
| 2207 if (fname == NULL || (f = fopen(fname, "r")) == NULL) 2208 f = fopen("/etc/motd", "r"); | 2391 if (fname == NULL || (f = fopen(fname, "r")) == NULL) 2392 f = fopen("/etc/motd", "r"); |
| 2209#else /* LOGIN_CAP */ | 2393#else /* !LOGIN_CAP */ |
| 2210 f = fopen("/etc/motd", "r"); 2211#endif /* LOGIN_CAP */ 2212 /* Print /etc/motd if it exists. */ 2213 if (f) { 2214 while (fgets(line, sizeof(line), f)) 2215 fputs(line, stdout); 2216 fclose(f); 2217 } 2218 } | 2394 f = fopen("/etc/motd", "r"); 2395#endif /* LOGIN_CAP */ 2396 /* Print /etc/motd if it exists. */ 2397 if (f) { 2398 while (fgets(line, sizeof(line), f)) 2399 fputs(line, stdout); 2400 fclose(f); 2401 } 2402 } |
| 2403#ifdef LOGIN_CAP 2404 login_close(lc); 2405#endif /* LOGIN_CAP */ |
|
| 2219 2220 /* Do common processing for the child, such as execing the command. */ 2221 do_child(command, pw, term, display, auth_proto, auth_data, ttyname); 2222 /* NOTREACHED */ 2223 } 2224 if (pid < 0) 2225 packet_disconnect("fork failed: %.100s", strerror(errno)); 2226 /* Parent. Close the slave side of the pseudo tty. */ --- 131 unchanged lines hidden (view full) --- 2358 const char *display, const char *auth_proto, 2359 const char *auth_data, const char *ttyname) 2360{ 2361 char *shell; 2362 const char *cp = NULL; 2363 char buf[256]; 2364 FILE *f; 2365 unsigned int envsize, i; | 2406 2407 /* Do common processing for the child, such as execing the command. */ 2408 do_child(command, pw, term, display, auth_proto, auth_data, ttyname); 2409 /* NOTREACHED */ 2410 } 2411 if (pid < 0) 2412 packet_disconnect("fork failed: %.100s", strerror(errno)); 2413 /* Parent. Close the slave side of the pseudo tty. */ --- 131 unchanged lines hidden (view full) --- 2545 const char *display, const char *auth_proto, 2546 const char *auth_data, const char *ttyname) 2547{ 2548 char *shell; 2549 const char *cp = NULL; 2550 char buf[256]; 2551 FILE *f; 2552 unsigned int envsize, i; |
| 2366 char **env; | 2553 char **env = NULL; |
| 2367 extern char **environ; 2368 struct stat st; 2369 char *argv[10]; 2370#ifdef LOGIN_CAP 2371 login_cap_t *lc; 2372 2373 lc = login_getpwclass(pw); 2374 if (lc == NULL) 2375 lc = login_getclassbyname(NULL, pw); | 2554 extern char **environ; 2555 struct stat st; 2556 char *argv[10]; 2557#ifdef LOGIN_CAP 2558 login_cap_t *lc; 2559 2560 lc = login_getpwclass(pw); 2561 if (lc == NULL) 2562 lc = login_getclassbyname(NULL, pw); |
| 2376#endif /* LOGIN_CAP */ 2377 | 2563 if (pw->pw_uid != 0) 2564 auth_checknologin(lc); 2565#else /* !LOGIN_CAP */ |
| 2378 f = fopen("/etc/nologin", "r"); | 2566 f = fopen("/etc/nologin", "r"); |
| 2379#ifdef __FreeBSD__ 2380 if (f == NULL) 2381 f = fopen("/var/run/nologin", "r"); 2382#endif /* __FreeBSD__ */ | |
| 2383 if (f) { 2384 /* /etc/nologin exists. Print its contents and exit. */ | 2567 if (f) { 2568 /* /etc/nologin exists. Print its contents and exit. */ |
| 2385#ifdef LOGIN_CAP 2386 /* On FreeBSD, etc., allow overriding nologin via login.conf. */ 2387 if (!login_getcapbool(lc, "ignorenologin", 0)) { 2388#else /* LOGIN_CAP */ 2389 if (1) { 2390#endif /* LOGIN_CAP */ 2391 while (fgets(buf, sizeof(buf), f)) 2392 fputs(buf, stderr); 2393 fclose(f); 2394 if (pw->pw_uid != 0) 2395 exit(254); 2396 } | 2569 while (fgets(buf, sizeof(buf), f)) 2570 fputs(buf, stderr); 2571 fclose(f); 2572 if (pw->pw_uid != 0) 2573 exit(254); |
| 2397 2398 } | 2574 2575 } |
| 2576#endif /* LOGIN_CAP */ 2577 2578#ifdef LOGIN_CAP 2579 if (options.use_login) 2580#endif /* LOGIN_CAP */ |
|
| 2399 /* Set login name in the kernel. */ 2400 if (setlogin(pw->pw_name) < 0) 2401 error("setlogin failed: %s", strerror(errno)); 2402 2403 /* Set uid, gid, and groups. */ 2404 /* Login(1) does this as well, and it needs uid 0 for the "-h" 2405 switch, so we let login(1) to this for us. */ 2406 if (!options.use_login) { 2407#ifdef LOGIN_CAP | 2581 /* Set login name in the kernel. */ 2582 if (setlogin(pw->pw_name) < 0) 2583 error("setlogin failed: %s", strerror(errno)); 2584 2585 /* Set uid, gid, and groups. */ 2586 /* Login(1) does this as well, and it needs uid 0 for the "-h" 2587 switch, so we let login(1) to this for us. */ 2588 if (!options.use_login) { 2589#ifdef LOGIN_CAP |
| 2408 if (setclasscontext(pw->pw_class, LOGIN_SETPRIORITY | 2409 LOGIN_SETRESOURCES | LOGIN_SETUMASK) == -1) { 2410 perror("setclasscontext"); 2411 exit(1); 2412 } 2413#endif /* LOGIN_CAP */ | 2590 char **tmpenv; 2591 2592 /* Initialize temp environment */ 2593 envsize = 64; 2594 env = xmalloc(envsize * sizeof(char *)); 2595 env[0] = NULL; 2596 2597 child_set_env(&env, &envsize, "PATH", 2598 (pw->pw_uid == 0) ? 2599 _PATH_STDPATH : _PATH_DEFPATH); 2600 2601 snprintf(buf, sizeof buf, "%.200s/%.50s", 2602 _PATH_MAILDIR, pw->pw_name); 2603 child_set_env(&env, &envsize, "MAIL", buf); 2604 2605 if (getenv("TZ")) 2606 child_set_env(&env, &envsize, "TZ", getenv("TZ")); 2607 2608 /* Save parent environment */ 2609 tmpenv = environ; 2610 environ = env; 2611 2612 if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETALL) < 0) 2613 fatal("setusercontext failed: %s", strerror(errno)); 2614 2615 /* Restore parent environment */ 2616 env = environ; 2617 environ = tmpenv; 2618 2619 for (envsize = 0; env[envsize] != NULL; ++envsize) 2620 ; 2621 envsize = (envsize < 100) ? 100 : envsize + 16; 2622 env = xrealloc(env, envsize * sizeof(char *)); 2623 2624#else /* !LOGIN_CAP */ 2625 |
| 2414 if (getuid() == 0 || geteuid() == 0) { 2415 if (setgid(pw->pw_gid) < 0) { 2416 perror("setgid"); 2417 exit(1); 2418 } 2419 /* Initialize the group list. */ 2420 if (initgroups(pw->pw_name, pw->pw_gid) < 0) { 2421 perror("initgroups"); 2422 exit(1); 2423 } 2424 endgrent(); 2425 2426 /* Permanently switch to the desired uid. */ 2427 permanently_set_uid(pw->pw_uid); 2428 } 2429 if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) 2430 fatal("Failed to set uids to %d.", (int) pw->pw_uid); | 2626 if (getuid() == 0 || geteuid() == 0) { 2627 if (setgid(pw->pw_gid) < 0) { 2628 perror("setgid"); 2629 exit(1); 2630 } 2631 /* Initialize the group list. */ 2632 if (initgroups(pw->pw_name, pw->pw_gid) < 0) { 2633 perror("initgroups"); 2634 exit(1); 2635 } 2636 endgrent(); 2637 2638 /* Permanently switch to the desired uid. */ 2639 permanently_set_uid(pw->pw_uid); 2640 } 2641 if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) 2642 fatal("Failed to set uids to %d.", (int) pw->pw_uid); |
| 2643#endif /* LOGIN_CAP */ |
|
| 2431 } 2432 /* 2433 * Get the shell from the password data. An empty shell field is 2434 * legal, and means /bin/sh. 2435 */ | 2644 } 2645 /* 2646 * Get the shell from the password data. An empty shell field is 2647 * legal, and means /bin/sh. 2648 */ |
| 2649 shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; |
|
| 2436#ifdef LOGIN_CAP | 2650#ifdef LOGIN_CAP |
| 2437 shell = pw->pw_shell; | |
| 2438 shell = login_getcapstr(lc, "shell", shell, shell); | 2651 shell = login_getcapstr(lc, "shell", shell, shell); |
| 2439 if (shell[0] == '\0') 2440 shell = _PATH_BSHELL; 2441#else /* LOGIN_CAP */ 2442 shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; | |
| 2443#endif /* LOGIN_CAP */ 2444 2445#ifdef AFS 2446 /* Try to get AFS tokens for the local cell. */ 2447 if (k_hasafs()) { 2448 char cell[64]; 2449 2450 if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0) 2451 krb_afslog(cell, 0); 2452 2453 krb_afslog(0, 0); 2454 } 2455#endif /* AFS */ 2456 2457 /* Initialize the environment. */ | 2652#endif /* LOGIN_CAP */ 2653 2654#ifdef AFS 2655 /* Try to get AFS tokens for the local cell. */ 2656 if (k_hasafs()) { 2657 char cell[64]; 2658 2659 if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0) 2660 krb_afslog(cell, 0); 2661 2662 krb_afslog(0, 0); 2663 } 2664#endif /* AFS */ 2665 2666 /* Initialize the environment. */ |
| 2458 envsize = 100; 2459 env = xmalloc(envsize * sizeof(char *)); 2460 env[0] = NULL; | 2667 if (env == NULL) { 2668 envsize = 100; 2669 env = xmalloc(envsize * sizeof(char *)); 2670 env[0] = NULL; 2671 } |
| 2461 2462 if (!options.use_login) { 2463 /* Set basic environment. */ 2464 child_set_env(&env, &envsize, "USER", pw->pw_name); 2465 child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); 2466 child_set_env(&env, &envsize, "HOME", pw->pw_dir); | 2672 2673 if (!options.use_login) { 2674 /* Set basic environment. */ 2675 child_set_env(&env, &envsize, "USER", pw->pw_name); 2676 child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); 2677 child_set_env(&env, &envsize, "HOME", pw->pw_dir); |
| 2467#ifdef LOGIN_CAP 2468 child_set_env(&env, &envsize, "PATH", 2469 login_getpath(lc, "path", _PATH_STDPATH)); 2470#else /* LOGIN_CAP */ | 2678#ifndef LOGIN_CAP |
| 2471 child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); | 2679 child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); |
| 2472#endif /* LOGIN_CAP */ | |
| 2473 2474 snprintf(buf, sizeof buf, "%.200s/%.50s", 2475 _PATH_MAILDIR, pw->pw_name); 2476 child_set_env(&env, &envsize, "MAIL", buf); | 2680 2681 snprintf(buf, sizeof buf, "%.200s/%.50s", 2682 _PATH_MAILDIR, pw->pw_name); 2683 child_set_env(&env, &envsize, "MAIL", buf); |
| 2684#endif /* !LOGIN_CAP */ |
|
| 2477 2478 /* Normal systems set SHELL by default. */ 2479 child_set_env(&env, &envsize, "SHELL", shell); 2480 } | 2685 2686 /* Normal systems set SHELL by default. */ 2687 child_set_env(&env, &envsize, "SHELL", shell); 2688 } |
| 2689#ifdef LOGIN_CAP 2690 if (options.use_login) 2691#endif /* LOGIN_CAP */ |
|
| 2481 if (getenv("TZ")) 2482 child_set_env(&env, &envsize, "TZ", getenv("TZ")); 2483 2484 /* Set custom environment options from RSA authentication. */ 2485 while (custom_environment) { 2486 struct envstring *ce = custom_environment; 2487 char *s = ce->s; 2488 int i; --- 22 unchanged lines hidden (view full) --- 2511 { 2512 extern char *ticket; 2513 2514 if (ticket) 2515 child_set_env(&env, &envsize, "KRBTKFILE", ticket); 2516 } 2517#endif /* KRB4 */ 2518 | 2692 if (getenv("TZ")) 2693 child_set_env(&env, &envsize, "TZ", getenv("TZ")); 2694 2695 /* Set custom environment options from RSA authentication. */ 2696 while (custom_environment) { 2697 struct envstring *ce = custom_environment; 2698 char *s = ce->s; 2699 int i; --- 22 unchanged lines hidden (view full) --- 2722 { 2723 extern char *ticket; 2724 2725 if (ticket) 2726 child_set_env(&env, &envsize, "KRBTKFILE", ticket); 2727 } 2728#endif /* KRB4 */ 2729 |
| 2730#ifdef KRB5 2731 { 2732 extern krb5_ccache mem_ccache; 2733 2734 if (mem_ccache) { 2735 krb5_error_code problem; 2736 krb5_ccache ccache; 2737#ifdef AFS 2738 if (k_hasafs()) 2739 krb5_afslog(ssh_context, mem_ccache, NULL, NULL); 2740#endif /* AFS */ 2741 2742 problem = krb5_cc_default(ssh_context, &ccache); 2743 if (problem) {} 2744 else { 2745 problem = krb5_cc_copy_cache(ssh_context, mem_ccache, ccache); 2746 if (problem) {} 2747 } 2748 2749 krb5_cc_close(ssh_context, ccache); 2750 } 2751 2752 krb5_cleanup_proc(NULL); 2753 } 2754#endif /* KRB5 */ 2755 |
|
| 2519 if (xauthfile) 2520 child_set_env(&env, &envsize, "XAUTHORITY", xauthfile); 2521 if (auth_get_socket_name() != NULL) 2522 child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME, 2523 auth_get_socket_name()); 2524 2525 /* read $HOME/.ssh/environment. */ 2526 if (!options.use_login) { --- 27 unchanged lines hidden (view full) --- 2554 channel_close_all(); 2555 2556 /* 2557 * Close any extra file descriptors. Note that there may still be 2558 * descriptors left by system functions. They will be closed later. 2559 */ 2560 endpwent(); 2561 | 2756 if (xauthfile) 2757 child_set_env(&env, &envsize, "XAUTHORITY", xauthfile); 2758 if (auth_get_socket_name() != NULL) 2759 child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME, 2760 auth_get_socket_name()); 2761 2762 /* read $HOME/.ssh/environment. */ 2763 if (!options.use_login) { --- 27 unchanged lines hidden (view full) --- 2791 channel_close_all(); 2792 2793 /* 2794 * Close any extra file descriptors. Note that there may still be 2795 * descriptors left by system functions. They will be closed later. 2796 */ 2797 endpwent(); 2798 |
| 2562#ifdef LOGIN_CAP 2563 login_close(lc); 2564#endif /* LOGIN_CAP */ 2565 | |
| 2566 /* 2567 * Close any extra open file descriptors so that we don\'t have them 2568 * hanging around in clients. Note that we want to do this after 2569 * initgroups, because at least on Solaris 2.3 it leaves file 2570 * descriptors open. 2571 */ 2572 for (i = 3; i < getdtablesize(); i++) 2573 close(i); 2574 2575 /* Change current directory to the user\'s home directory. */ | 2799 /* 2800 * Close any extra open file descriptors so that we don\'t have them 2801 * hanging around in clients. Note that we want to do this after 2802 * initgroups, because at least on Solaris 2.3 it leaves file 2803 * descriptors open. 2804 */ 2805 for (i = 3; i < getdtablesize(); i++) 2806 close(i); 2807 2808 /* Change current directory to the user\'s home directory. */ |
| 2576 if (chdir(pw->pw_dir) < 0) | 2809 if ( 2810#ifdef __FreeBSD__ 2811 !*pw->pw_dir || 2812#endif /* __FreeBSD__ */ 2813 chdir(pw->pw_dir) < 0 2814 ) { 2815#ifdef __FreeBSD__ 2816 int quiet_login = 0; 2817#endif /* __FreeBSD__ */ 2818#ifdef LOGIN_CAP 2819 if (login_getcapbool(lc, "requirehome", 0)) { 2820 (void)printf("Home directory not available\n"); 2821 log("LOGIN %.200s REFUSED (HOMEDIR) ON TTY %.200s", 2822 pw->pw_name, ttyname); 2823 exit(254); 2824 } 2825#endif /* LOGIN_CAP */ 2826#ifdef __FreeBSD__ 2827 if (chdir("/") < 0) { 2828 (void)printf("Cannot find root directory\n"); 2829 log("LOGIN %.200s REFUSED (ROOTDIR) ON TTY %.200s", 2830 pw->pw_name, ttyname); 2831 exit(254); 2832 } 2833#ifdef LOGIN_CAP 2834 quiet_login = login_getcapbool(lc, "hushlogin", 0); 2835#endif /* LOGIN_CAP */ 2836 if (!quiet_login || *pw->pw_dir) 2837 (void)printf( 2838 "No home directory.\nLogging in with home = \"/\".\n"); 2839 2840#else /* !__FreeBSD__ */ 2841 |
| 2577 fprintf(stderr, "Could not chdir to home directory %s: %s\n", 2578 pw->pw_dir, strerror(errno)); | 2842 fprintf(stderr, "Could not chdir to home directory %s: %s\n", 2843 pw->pw_dir, strerror(errno)); |
| 2844#endif /* __FreeBSD__ */ 2845 } 2846#ifdef LOGIN_CAP 2847 login_close(lc); 2848#endif /* LOGIN_CAP */ |
|
| 2579 2580 /* 2581 * Must take new environment into use so that .ssh/rc, /etc/sshrc and 2582 * xauth are run in the proper environment. 2583 */ 2584 environ = env; 2585 2586 /* 2587 * Run $HOME/.ssh/rc, /etc/sshrc, or xauth (whichever is found first 2588 * in this order). 2589 */ 2590 if (!options.use_login) { | 2849 2850 /* 2851 * Must take new environment into use so that .ssh/rc, /etc/sshrc and 2852 * xauth are run in the proper environment. 2853 */ 2854 environ = env; 2855 2856 /* 2857 * Run $HOME/.ssh/rc, /etc/sshrc, or xauth (whichever is found first 2858 * in this order). 2859 */ 2860 if (!options.use_login) { |
| 2591#ifdef __FreeBSD__ 2592 /* 2593 * If the password change time is set and has passed, give the 2594 * user a password expiry notice and chance to change it. 2595 */ 2596 if (pw->pw_change != 0) { 2597 struct timeval tv; 2598 2599 (void)gettimeofday(&tv, NULL); 2600 if (tv.tv_sec >= pw->pw_change) { 2601 (void)printf( 2602 "Sorry -- your password has expired.\n"); 2603 syslog(LOG_INFO, 2604 "%s Password expired - forcing change", 2605 pw->pw_name); 2606 if (system("/usr/bin/passwd") != 0) 2607 perror("/usr/bin/passwd"); 2608 } 2609 } 2610#endif /* __FreeBSD__ */ | |
| 2611 if (stat(SSH_USER_RC, &st) >= 0) { 2612 if (debug_flag) 2613 fprintf(stderr, "Running /bin/sh %s\n", SSH_USER_RC); 2614 2615 f = popen("/bin/sh " SSH_USER_RC, "w"); 2616 if (f) { 2617 if (auth_proto != NULL && auth_data != NULL) 2618 fprintf(f, "%s %s\n", auth_proto, auth_data); --- 51 unchanged lines hidden (view full) --- 2670 * in server options. 2671 */ 2672 if (ttyname && options.check_mail) { 2673 char *mailbox; 2674 struct stat mailstat; 2675 mailbox = getenv("MAIL"); 2676 if (mailbox != NULL) { 2677 if (stat(mailbox, &mailstat) != 0 || mailstat.st_size == 0) | 2861 if (stat(SSH_USER_RC, &st) >= 0) { 2862 if (debug_flag) 2863 fprintf(stderr, "Running /bin/sh %s\n", SSH_USER_RC); 2864 2865 f = popen("/bin/sh " SSH_USER_RC, "w"); 2866 if (f) { 2867 if (auth_proto != NULL && auth_data != NULL) 2868 fprintf(f, "%s %s\n", auth_proto, auth_data); --- 51 unchanged lines hidden (view full) --- 2920 * in server options. 2921 */ 2922 if (ttyname && options.check_mail) { 2923 char *mailbox; 2924 struct stat mailstat; 2925 mailbox = getenv("MAIL"); 2926 if (mailbox != NULL) { 2927 if (stat(mailbox, &mailstat) != 0 || mailstat.st_size == 0) |
| 2928#ifdef __FreeBSD__ 2929 ; 2930#else /* !__FreeBSD__ */ |
|
| 2678 printf("No mail.\n"); | 2931 printf("No mail.\n"); |
| 2932#endif /* __FreeBSD__ */ |
|
| 2679 else if (mailstat.st_mtime < mailstat.st_atime) 2680 printf("You have mail.\n"); 2681 else 2682 printf("You have new mail.\n"); 2683 } 2684 } 2685 /* Start the shell. Set initial character to '-'. */ 2686 buf[0] = '-'; --- 36 unchanged lines hidden --- | 2933 else if (mailstat.st_mtime < mailstat.st_atime) 2934 printf("You have mail.\n"); 2935 else 2936 printf("You have new mail.\n"); 2937 } 2938 } 2939 /* Start the shell. Set initial character to '-'. */ 2940 buf[0] = '-'; --- 36 unchanged lines hidden --- |