1.2.3-1 package for Debian GNU/Linux released

Damien Miller djm at mindrot.org
Thu Apr 20 22:53:43 EST 2000


On 15 Apr 2000, Philip Hands wrote:

Attached is the diff that I have applied so far. Executive summary:

- You can set the SSH_PAM_SERVICE through CFLAGS
- use vhangup in pty.c
- use '+' in ssh-agent getopt

> > 3. Why the excision of the BUF code in scp.c?
> 
> http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=53697

Forgive my ignorance, but why should writes larger than PIPE_BUF
size cause failures? Is it a problem with atomicity?

In any case, I won't merge the removal of all the buffer code as a
solution - I would rather add a hack to the allocation routine.

Keeping the diff size down is good for quality as well as my own
sanity. The OpenBSD team do a great job of auditing and cleaning up
the code; I don't want to go fudging that up :)

> > 4. I would prefer the shadow password checking to occur during
> > password auth - I consider the other forms of auth to be totally
> > separate, but I can see your reasoning.
> 
> Yeah, it's a shame that we need to mix them up, but without this you
> don't get account expiry, locked accounts etc. which leaves ssh as a
> loophole.
> 
> > If you move this code to a separate function in auth-passwd.c which
> > could be called before or during password auth I will include it.
> 
> OK.

You should grab a copy of the test release at
http://violet.ibs.com.au/openssh/files/test/ It tracks a few large
changes to the OpenBSD tree, including the splitting of auth code into
a separate file.

> BTW you might want to quickly scan the (embarrassingly vast) list of
> bugs reported against Debian ssh:
> 
>   http://www.debian.org/Bugs/db/pa/lssh.html
> 
> I've been rather busy with the day job lately, so have not been doing
> much about these.  At first glance, many of them are pretty valid
> upstream problems, so if you want to deal with some of them direct,
> mail me the numbers and I'll mark them as forwarded (so we don't end
> up duplicating effort).

I too have been pretty busy with Other Things, but I will try to look
at these as time permits. It would be appreciated if you could forward
any particularly pernicious bugs to me direct, esp any security
problems.

-d

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)


-------------- next part --------------
Index: auth-pam.c
===================================================================
RCS file: /var/cvs/openssh/auth-pam.c,v
retrieving revision 1.2
diff -u -r1.2 auth-pam.c
--- auth-pam.c	2000/01/26 23:55:38	1.2
+++ auth-pam.c	2000/04/20 12:40:33
@@ -215,7 +215,8 @@
 
 	debug("Starting up PAM with username \"%.200s\"", pw->pw_name);
 
-	pam_retval = pam_start("sshd", pw->pw_name, &conv, (pam_handle_t**)&pamh);
+	pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, 
+		(pam_handle_t**)&pamh);
 	if (pam_retval != PAM_SUCCESS)
 		fatal("PAM initialisation failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
 
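Review bot: the macro used at this pam_start() call is SSHD_PAM_SERVICE, while the covering mail's summary calls it SSH_PAM_SERVICE; pick one name and document the override in the build notes. Since the value has to be a string literal, the CFLAGS form needs escaped quotes (e.g. `-DSSHD_PAM_SERVICE='"ssh"'`); a bare `-DSSHD_PAM_SERVICE=ssh` will not compile here. A one-line comment that this name selects which /etc/pam.d stack sshd authenticates against would also help packagers.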
Index: configure.in
===================================================================
RCS file: /var/cvs/openssh/configure.in,v
retrieving revision 1.109
diff -u -r1.109 configure.in
--- configure.in	2000/04/16 02:31:50	1.109
+++ configure.in	2000/04/20 12:40:35
@@ -110,7 +110,7 @@
 AC_CHECK_HEADERS(bstring.h endian.h lastlog.h login.h maillock.h netdb.h netgroup.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h util.h utmp.h utmpx.h)
 
 # Checks for library functions.
-AC_CHECK_FUNCS(arc4random bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage innetgr md5_crypt mkdtemp openpty rresvport_af setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy updwtmpx vsnprintf _getpty)
+AC_CHECK_FUNCS(arc4random bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage innetgr md5_crypt mkdtemp openpty rresvport_af setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy updwtmpx vsnprintf vhangup _getpty)
 
 AC_CHECK_FUNC(login, 
 	[AC_DEFINE(HAVE_LOGIN)],
Index: pty.c
===================================================================
RCS file: /var/cvs/openssh/pty.c,v
retrieving revision 1.18
diff -u -r1.18 pty.c
--- pty.c	2000/04/16 01:18:44	1.18
+++ pty.c	2000/04/20 12:40:36
@@ -201,6 +201,9 @@
 pty_make_controlling_tty(int *ttyfd, const char *ttyname)
 {
 	int fd;
+#ifdef HAVE_VHANGUP
+	void *old;
+#endif /* HAVE_VHANGUP */
 
 	/* First disconnect from the old controlling tty. */
 #ifdef TIOCNOTTY
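Review bot: `void *old;` is the wrong type for the saved SIGHUP disposition. `signal()` returns a pointer to function, and converting a function pointer to and from `void *` is not portable C (compilers warn, and it is undefined where code and data pointers differ). Declare it as `void (*old)(int);` (or a `sig_t`/`sighandler_t` typedef where the configure checks provide one) so the later `signal(SIGHUP, old)` restores the handler without a cast.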
@@ -232,12 +235,22 @@
 	 */
 	ioctl(*ttyfd, TIOCSCTTY, NULL);
 #endif /* TIOCSCTTY */
+#ifdef HAVE_VHANGUP
+	old = signal(SIGHUP, SIG_IGN);
+	vhangup();
+	signal(SIGHUP, old);
+#endif /* HAVE_VHANGUP */
 	fd = open(ttyname, O_RDWR);
-	if (fd < 0)
+	if (fd < 0) {
 		error("%.100s: %.100s", ttyname, strerror(errno));
-	else
+	} else {
+#ifdef HAVE_VHANGUP
+		close(*ttyfd);
+		*ttyfd = fd;
+#else /* HAVE_VHANGUP */
 		close(fd);
-
+#endif /* HAVE_VHANGUP */
+	}
 	/* Verify that we now have a controlling tty. */
 	fd = open("/dev/tty", O_WRONLY);
 	if (fd < 0)
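Review bot: the return value of `vhangup()` is never checked, yet the `#ifdef HAVE_VHANGUP` branch unconditionally closes the original `*ttyfd` and replaces it with the freshly opened descriptor. If vhangup() fails (it requires privilege on Linux), reopening is still harmless, but the failure should at least be logged with `debug()` so a pty that was not actually revoked from other processes shows up in the logs. A short comment would also help the next reader: the slave is reopened because the hangup invalidates the existing descriptor, and the reopened fd is what gives this session exclusive use of the tty; the SIG_IGN/restore around the call protects the caller from the hangup it is itself raising.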
Index: ssh-agent.c
===================================================================
RCS file: /var/cvs/openssh/ssh-agent.c,v
retrieving revision 1.21
diff -u -r1.21 ssh-agent.c
--- ssh-agent.c	2000/04/19 21:42:22	1.21
+++ ssh-agent.c	2000/04/20 12:40:37
@@ -511,7 +511,7 @@
 			__progname);
 		exit(1);
 	}
-	while ((ch = getopt(ac, av, "cks")) != -1) {
+	while ((ch = getopt(ac, av, "+cks")) != -1) {
 		switch (ch) {
 		case 'c':
 			if (s_flag)
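Review bot: the leading `+` in the getopt string is a GNU extension that stops option parsing at the first non-option argument, so `ssh-agent cmd -opts` passes the command's own options through instead of having ssh-agent reject them. On most non-GNU getopt implementations the `+` is simply accepted as one more option character (harmless, since those implementations stop at the first non-option anyway), but since this is the portable tree and the character looks like a typo, a one-line comment explaining it is warranted.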
Index: ssh.h
===================================================================
RCS file: /var/cvs/openssh/ssh.h,v
retrieving revision 1.33
diff -u -r1.33 ssh.h
--- ssh.h	2000/04/19 21:42:22	1.33
+++ ssh.h	2000/04/20 12:40:39
@@ -71,6 +71,10 @@
  */
 #define SSH_SERVICE_NAME	"ssh"
 
+#if defined(HAVE_PAM) && !defined(SSHD_PAM_SERVICE)
+#define SSHD_PAM_SERVICE       "sshd"
+#endif
+
 #ifndef ETCDIR
 #define ETCDIR			"/etc"
 #endif /* ETCDIR */
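Review bot: the fallback is guarded by `HAVE_PAM`, so a `-DSSHD_PAM_SERVICE=...` passed to a non-PAM build is silently ignored; that is reasonable, but the new `#endif` lacks the `/* ... */` trailer the surrounding block uses (`#endif /* ETCDIR */`), and the define is padded with spaces where the neighbouring `SSH_SERVICE_NAME` uses a tab. The value must also be a string literal, so the override has to be passed with escaped quotes; noting that next to the define saves packagers a confusing compile error.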