diff options
| author | Damien Miller <djm@mindrot.org> | 2002-05-13 11:07:41 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2002-05-13 11:07:41 +1000 |
| commit | 5ad9fd982037e512355cfd5fe060a554934be243 (patch) | |
| tree | 8c2793a1431a8afd322789c8db95fa577c2fcce6 | |
| parent | 80080753cd577bd670133660428821225304c361 (diff) | |
- (djm) Bug #231: UsePrivilegeSeparation turns off Banner.
| -rw-r--r-- | ChangeLog | 3 | ||||
| -rw-r--r-- | auth.h | 4 | ||||
| -rw-r--r-- | auth2.c | 43 | ||||
| -rw-r--r-- | monitor.c | 23 | ||||
| -rw-r--r-- | monitor.h | 3 | ||||
| -rw-r--r-- | monitor_wrap.c | 20 | ||||
| -rw-r--r-- | monitor_wrap.h | 3 |
7 files changed, 80 insertions, 19 deletions
@@ -1,6 +1,7 @@ 20020513 - (djm) Add --with-superuser-path=xxx configure option to specify what $PATH the superuser receives. + - (djm) Bug #231: UsePrivilegeSeparation turns off Banner. 20020511 - (tim) [configure.ac] applied a rework of djm's OpenSSL search cleanup patch. @@ -571,4 +572,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2107 2002/05/13 00:48:57 djm Exp $ +$Id: ChangeLog,v 1.2108 2002/05/13 01:07:41 djm Exp $ @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.35 2002/03/19 10:35:39 markus Exp $ */ +/* $OpenBSD: auth.h,v 1.36 2002/05/12 23:53:45 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -136,6 +136,8 @@ void auth_log(Authctxt *, int, char *, char *); void userauth_finish(Authctxt *, int, char *); int auth_root_allowed(char *); +char *auth2_read_banner(void); + void privsep_challenge_enable(void); int auth2_challenge(Authctxt *, char *); @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.89 2002/03/19 14:27:39 markus Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.90 2002/05/12 23:53:45 djm Exp $"); #include <openssl/evp.h> @@ -283,25 +283,45 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) } } -static void -userauth_banner(void) +char * +auth2_read_banner(void) { struct stat st; char *banner = NULL; off_t len, n; int fd; - if (options.banner == NULL || (datafellows & SSH_BUG_BANNER)) - return; - if ((fd = open(options.banner, O_RDONLY)) < 0) - return; - if (fstat(fd, &st) < 0) - goto done; + if ((fd = open(options.banner, O_RDONLY)) == -1) + return (NULL); + if (fstat(fd, &st) == -1) { + close(fd); + return (NULL); + } len = st.st_size; banner = xmalloc(len + 1); - if ((n = read(fd, banner, len)) < 0) - goto done; + n = atomicio(read, fd, banner, len); + close(fd); + + if (n != len) { + free(banner); + return (NULL); + } banner[n] = '\0'; + + return (banner); +} + +static void +userauth_banner(void) +{ + char *banner = NULL; + + if (options.banner == NULL || (datafellows & SSH_BUG_BANNER)) + return; + + if ((banner = PRIVSEP(auth2_read_banner())) == NULL) + goto done; + packet_start(SSH2_MSG_USERAUTH_BANNER); packet_put_cstring(banner); packet_put_cstring(""); /* language, unused */ @@ -310,7 +330,6 @@ userauth_banner(void) done: if (banner) xfree(banner); - close(fd); return; } @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.9 2002/03/30 18:51:15 markus Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.10 2002/05/12 23:53:45 djm Exp $"); #include <openssl/dh.h> @@ -96,6 +96,7 @@ struct { int mm_answer_moduli(int, Buffer *); int mm_answer_sign(int, Buffer *); int mm_answer_pwnamallow(int, Buffer *); +int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_authserv(int, Buffer *); int mm_answer_authpassword(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *); @@ -147,6 +148,7 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, + {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, @@ -524,9 +526,11 @@ mm_answer_pwnamallow(int socket, Buffer *m) /* For SSHv1 allow authentication now */ if (!compat20) monitor_permit_authentications(1); - else + else { /* Allow service/style information on the auth context */ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); + } #ifdef USE_PAM monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); @@ -535,6 +539,21 @@ mm_answer_pwnamallow(int socket, Buffer *m) return (0); } +int mm_answer_auth2_read_banner(int socket, Buffer *m) +{ + char *banner; + + buffer_clear(m); + banner = auth2_read_banner(); + buffer_put_cstring(m, banner != NULL ? banner : ""); + mm_request_send(socket, MONITOR_ANS_AUTH2_READ_BANNER, m); + + if (banner != NULL) + free(banner); + + return (0); +} + int mm_answer_authserv(int socket, Buffer *m) { @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.h,v 1.3 2002/03/26 03:24:01 stevesk Exp $ */ +/* $OpenBSD: monitor.h,v 1.4 2002/05/12 23:53:45 djm Exp $ */ /* * Copyright 2002 Niels Provos <provos@citi.umich.edu> @@ -33,6 +33,7 @@ enum monitor_reqtype { MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, + MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD, MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY, MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND, diff --git a/monitor_wrap.c b/monitor_wrap.c index 0fe5bc10..38017582 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor_wrap.c,v 1.5 2002/03/25 20:12:10 stevesk Exp $"); +RCSID("$OpenBSD: monitor_wrap.c,v 1.6 2002/05/12 23:53:45 djm Exp $"); #include <openssl/bn.h> #include <openssl/dh.h> @@ -207,6 +207,24 @@ mm_getpwnamallow(const char *login) return (pw); } +char* mm_auth2_read_banner(void) +{ + Buffer m; + char *banner; + + debug3("%s entering", __FUNCTION__); + + buffer_init(&m); + mm_request_send(monitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, &m); + buffer_clear(&m); + + mm_request_receive_expect(monitor->m_recvfd, MONITOR_ANS_AUTH2_READ_BANNER, &m); + banner = buffer_get_string(&m, NULL); + buffer_free(&m); + + return (banner); +} + /* Inform the privileged process about service and style */ void diff --git a/monitor_wrap.h b/monitor_wrap.h index 975ba054..ce721247 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.h,v 1.4 2002/03/26 03:24:01 stevesk Exp $ */ +/* $OpenBSD: monitor_wrap.h,v 1.5 2002/05/12 23:53:45 djm Exp $ */ /* * Copyright 2002 Niels Provos <provos@citi.umich.edu> @@ -44,6 +44,7 @@ DH *mm_choose_dh(int, int, int); int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); void mm_inform_authserv(char *, char *); struct passwd *mm_getpwnamallow(const char *); +char* mm_auth2_read_banner(void); int mm_auth_password(struct Authctxt *, char *); int mm_key_allowed(enum mm_keytype, char *, char *, Key *); int mm_user_key_allowed(struct passwd *, Key *); |