authordjm@openbsd.org <djm@openbsd.org>2024-05-17 00:30:23 +0000
committerDamien Miller <djm@mindrot.org>2024-05-17 14:41:35 +1000
commit03e3de416ed7c34faeb692967737be4a7bbe2eb5 (patch)
tree6794217dbc0a1369e9d6e1b0a9f40534596a6648 /auth2-gss.c
parent1c0d81357921f8d3bab06841df649edac515ae5b (diff)
upstream: Start the process of splitting sshd into separate
binaries. This step splits sshd into a listener and a session binary. More splits are planned. After this change, the listener binary will validate the configuration, load the hostkeys, listen on port 22 and manage MaxStartups only. All session handling will be performed by a new sshd-session binary that the listener fork+execs. This reduces the listener process to the minimum necessary and sets us up for future work on the sshd-session binary. feedback/ok markus@ deraadt@ NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out. OpenBSD-Commit-ID: 43c04a1ab96cdbdeb53d2df0125a6d42c5f19934
Diffstat (limited to 'auth2-gss.c')
-rw-r--r--auth2-gss.c39
1 files changed, 15 insertions, 24 deletions
diff --git a/auth2-gss.c b/auth2-gss.c
index f72a3899..d24287d3 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.34 2023/03/31 04:22:27 djm Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.35 2024/05/17 00:30:23 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -51,6 +51,7 @@
#define SSH_GSSAPI_MAX_MECHS 2048
extern ServerOptions options;
+extern struct authmethod_cfg methodcfg_gssapi;
static int input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh);
static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh);
@@ -116,7 +117,7 @@ userauth_gssapi(struct ssh *ssh, const char *method)
return (0);
}
- if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
+ if (GSS_ERROR(mm_ssh_gssapi_server_ctx(&ctxt, &goid))) {
if (ctxt != NULL)
ssh_gssapi_delete_ctx(&ctxt);
free(doid);
@@ -153,7 +154,7 @@ input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh)
size_t len;
int r;
- if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
+ if (authctxt == NULL)
fatal("No authentication or GSSAPI context");
gssctxt = authctxt->methoddata;
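Review bot: The fatal() on the line after the changed guard still says `No authentication or GSSAPI context`, but the guard now tests only `authctxt == NULL`, so the "GSSAPI context" half of the message no longer corresponds to any check. If, as the dropped `!use_privsep` exemption suggests, `methoddata` is expected to be NULL in the session process and is only passed through to the mm_ wrapper, the message should be narrowed to `fatal("No authentication context");`; if a non-NULL `methoddata` is still required, a check for it should be kept rather than dropped. The same guard/message pair is changed identically in the input_gssapi_errtok, input_gssapi_exchange_complete and input_gssapi_mic hunks below. input_gssapi_token starts before and continues after this hunk.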
@@ -163,8 +164,8 @@ input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh)
recv_tok.value = p;
recv_tok.length = len;
- maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
- &send_tok, &flags));
+ maj_status = mm_ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
+ &send_tok, &flags);
free(p);
@@ -217,7 +218,7 @@ input_gssapi_errtok(int type, u_int32_t plen, struct ssh *ssh)
u_char *p;
size_t len;
- if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
+ if (authctxt == NULL)
fatal("No authentication or GSSAPI context");
gssctxt = authctxt->methoddata;
@@ -228,8 +229,8 @@ input_gssapi_errtok(int type, u_int32_t plen, struct ssh *ssh)
recv_tok.length = len;
/* Push the error token into GSSAPI to see what it says */
- maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
- &send_tok, NULL));
+ maj_status = mm_ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
+ &send_tok, NULL);
free(recv_tok.value);
@@ -256,7 +257,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
int r, authenticated;
const char *displayname;
- if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
+ if (authctxt == NULL)
fatal("No authentication or GSSAPI context");
/*
@@ -267,11 +268,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
if ((r = sshpkt_get_end(ssh)) != 0)
fatal_fr(r, "parse packet");
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
-
- if ((!use_privsep || mm_is_monitor()) &&
- (displayname = ssh_gssapi_displayname()) != NULL)
- auth2_record_info(authctxt, "%s", displayname);
+ authenticated = mm_ssh_gssapi_userok(authctxt->user);
authctxt->postponed = 0;
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
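Review bot: `const char *displayname;` at the top of this hunk appears to have lost its only use when the auth2_record_info() block was removed; unless it is referenced in the part of input_gssapi_exchange_complete that lies outside the hunk, the declaration should go too, or -Wunused will flag it. The same applies to input_gssapi_mic, whose recording block is removed in the later hunk while its declaration is outside the shown lines. Presumably the display name is now recorded on the monitor side of mm_ssh_gssapi_userok; that is worth confirming, so the authentication log entry still identifies the accepted GSS principal after this split. The enclosing function starts before and ends after this hunk.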
@@ -294,7 +291,7 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
u_char *p;
size_t len;
- if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
+ if (authctxt == NULL)
fatal("No authentication or GSSAPI context");
gssctxt = authctxt->methoddata;
@@ -312,18 +309,14 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
fatal_f("sshbuf_mutable_ptr failed");
gssbuf.length = sshbuf_len(b);
- if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+ if (!GSS_ERROR(mm_ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))
+ authenticated = mm_ssh_gssapi_userok(authctxt->user);
else
logit("GSSAPI MIC check failed");
sshbuf_free(b);
free(mic.value);
- if ((!use_privsep || mm_is_monitor()) &&
- (displayname = ssh_gssapi_displayname()) != NULL)
- auth2_record_info(authctxt, "%s", displayname);
-
authctxt->postponed = 0;
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
@@ -334,10 +327,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
}
Authmethod method_gssapi = {
- "gssapi-with-mic",
- NULL,
+ &methodcfg_gssapi,
userauth_gssapi,
- &options.gss_authentication
};
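Review bot: The new initializer drops `&options.gss_authentication`, so the `GSSAPIAuthentication` gate is no longer visible in this table entry; it must now come from `methodcfg_gssapi`, which this file only declares extern (hunk near the top), so the definition elsewhere should be checked to confirm it still ties the method to `options.gss_authentication`, otherwise the method could be offered regardless of the option. A designated initializer would also make explicit which Authmethod member `&methodcfg_gssapi` and `userauth_gssapi` fill, since the member names are not shown here.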
#endif /* GSSAPI */