OpenSSH 2.3.0p1 port to BSDI BSD/OS

David J. MacKenzie djm at web.us.uu.net
Sat Feb 17 05:14:25 EST 2001


BSD/OS 4.2 comes with OpenSSH 2.1.1p4, patched to support BSDI's
authentication library.  However, BSDI's patches have several
problems:

1. They don't run the approval phase, so they can allow users to log in
who aren't supposed to be able to.
2. They don't patch configure to automatically detect the BSDI auth
system, so they're not ready to use in a general portable
distribution.
3. They change the path to krb.h unconditionally, making it unportable.

Here is a patch derived from BSDI's, updated for OpenSSH 2.3.0p1,
which fixes those problems, and also fixes a misplaced #ifdef in the
OpenSSH distribution in bsd-vis.c.

After applying this patch, run "autoreconf".

Index: auth1.c
--- auth1.c	2001/02/13 07:43:16	1.1
+++ auth1.c	2001/02/13 22:00:06
@@ -28,6 +28,12 @@
 #include "auth.h"
 #include "session.h"
 
+#ifdef HAVE_BSD_AUTH_H
+# include <login_cap.h>
+# include <bsd_auth.h>
+static char *bsduser=NULL;	/* XXX -- ugly, but we need the original */
+#endif
+
 /* import */
 extern ServerOptions options;
 extern char *forced_command;
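Review bot: The `/* XXX -- ugly, but we need the original */` comment on the new file-scope `bsduser` says the global is ugly but not what it holds or when it is valid, so a reader of the password branch later in this file cannot tell whether `bsduser` may still be NULL there. I would replace it with `/* user name exactly as the client sent it, including any ":style" suffix; set when the name is first parsed, read by the BSD auth checks, freed after a successful login */`, adjusted to whatever lifecycle the later hunks actually implement. The declaration block continues outside the hunk.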
@@ -258,7 +264,10 @@
 				NULL, password) == SIASUCCESS) {
 				authenticated = 1;
 			}
-#else /* !USE_PAM && !HAVE_OSF_SIA */
+#elif defined(HAVE_BSD_AUTH_H)
+			authenticated = auth_userokay(bsduser, NULL, 
+						"auth-ssh", password);
+#else /* !USE_PAM && !HAVE_OSF_SIA && !HAVE_BSD_AUTH_H */
  			/* Try authentication with the password. */
 			authenticated = auth_password(pw, password);
 #endif /* USE_PAM */
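Review bot: `authenticated = auth_userokay(bsduser, NULL, "auth-ssh", password);` stores the raw return value, while the other branches of this `#if` chain store 0/1; if `auth_userokay()` on BSD/OS can return values other than 0 and 1, any later `authenticated == 1` comparison would behave differently on this platform, so `authenticated = auth_userokay(bsduser, NULL, "auth-ssh", password) != 0;` keeps the contract the other branches give (the password hunk in auth2.c already writes it that way). This branch also relies on `bsduser` having been filled in by the name-parsing hunk further down before this loop runs; a `bsduser != NULL &&` guard in front of the call would make that ordering assumption fail closed instead of passing NULL into the auth library. The enclosing function starts and ends outside the hunk.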
@@ -362,6 +371,10 @@
 		if (authenticated && !do_pam_account(pw->pw_name, client_user))
 			authenticated = 0;
 #endif
+#ifdef HAVE_BSD_AUTH_H
+		if (authenticated && !auth_approval(NULL, NULL, pw->pw_name, "ssh"))
+		    authenticated = 0;
+#endif /* HAVE_BSD_AUTH_H */
 
 		if (client_user != NULL) {
 			xfree(client_user);
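Review bot: The new `authenticated = 0;` line is indented with four spaces where the surrounding code (and the PAM block just above it) uses tabs; the same mix appears in the approval hunk in auth2.c. A leading tab on `		    authenticated = 0;` keeps the file's style, and a short comment such as `/* BSD auth approval phase: login.conf can still deny an otherwise authenticated user */` would record why this check exists separately from `auth_userokay()`, which is the problem the cover letter says the original BSDI patch missed. The enclosing function starts and ends outside the hunk.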
@@ -415,6 +428,15 @@
 #endif /* AFS */
 
 	/* Verify that the user is a valid user. */
+#ifdef HAVE_BSD_AUTH_H
+	/* we may have an auth type in the user name we need to strip */
+	{
+		char *p;
+		bsduser = xstrdup(user);
+		if ((p = strchr(user, ':')) != NULL)
+			*p = '\0';
+	}
+#endif
 	pw = getpwnam(user);
 	if (pw && allowed_user(pw)) {
 		/* Take a copy of the returned structure. */
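Review bot: `*p = '\0'` edits the client-supplied `user` string in place and never restores the ':', whereas the matching hunk in auth2.c restores it after `getpwnam()`; the two files should agree on whether `user` keeps the style suffix, because later messages in this function (including the `fatal()` with `user` a few lines down) print whichever form survives. The copy is taken before the split so that `bsduser` still carries the suffix, which deserves a one-line comment on `bsduser = xstrdup(user);` such as `/* keep the unstripped "user:style" form for auth_userokay() */`. The enclosing function starts before the hunk.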
@@ -460,7 +482,9 @@
 	    (sia_validate_user(NULL, saved_argc, saved_argv, 
 	    get_canonical_hostname(), pw->pw_name, NULL, 0, 
 		 NULL, "") == SIASUCCESS)) {
-#else /* !HAVE_OSF_SIA && !USE_PAM */
+#elif defined(HAVE_BSD_AUTH_H)
+	    auth_userokay(bsduser, NULL, "auth-ssh", "" )) {
+#else /* !HAVE_OSF_SIA && !USE_PAM && !HAVE_BSD_AUTH_H */
  	    auth_password(pw, "")) {
 #endif /* USE_PAM */
 		/* Authentication with empty password succeeded. */
@@ -474,6 +498,13 @@
 	}
 	if (pw == NULL)
 		fatal("internal error, authentication successfull for user '%.100s'", user);
+
+#ifdef HAVE_BSD_AUTH_H
+	if (bsduser != NULL) {
+		xfree(bsduser);
+		bsduser = NULL;
+	}
+#endif
 
 	/* The user has been authenticated and accepted. */
 	packet_start(SSH_SMSG_SUCCESS);
Index: auth2.c
--- auth2.c	2001/02/13 07:43:16	1.1
+++ auth2.c	2001/02/13 22:00:06
@@ -56,6 +56,11 @@
 #include "uidswap.h"
 #include "auth-options.h"
 
+#ifdef HAVE_BSD_AUTH_H
+# include <login_cap.h>
+# include <bsd_auth.h>
+#endif
+
 /* import */
 extern ServerOptions options;
 extern unsigned char *session_id2;
@@ -209,7 +214,19 @@
 		/* setup auth context */
 		struct passwd *pw = NULL;
 		setproctitle("%s", user);
+#ifdef HAVE_BSD_AUTH_H
+		{
+			/* user may contain requested auth type */
+			char *p;
+			if ((p = strchr(user, ':')) != NULL)
+				*p = '\0';
+			pw = getpwnam(user);
+			if (p != NULL)
+				*p = ':';
+		}
+#else
 		pw = getpwnam(user);
+#endif
 		if (pw && allowed_user(pw) && strcmp(service, "ssh-connection")==0) {
 			authctxt->pw = pwcopy(pw);
 			authctxt->valid = 1;
@@ -254,6 +271,10 @@
 	if (authenticated && authctxt->user && !do_pam_account(authctxt->user, NULL))
 		authenticated = 0;
 #endif /* USE_PAM */
+#ifdef HAVE_BSD_AUTH_H
+	if (authenticated && authctxt->user && !auth_approval(NULL, NULL, authctxt->user, "ssh"))
+	    authenticated = 0;
+#endif /* HAVE_BSD_AUTH_H */
 
 	/* Log before sending the reply */
 	userauth_log(authctxt, authenticated, method);
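Review bot: `auth_approval(NULL, NULL, authctxt->user, "ssh")` is handed `authctxt->user`, which after the earlier hunk in this file still carries any ":style" suffix the client sent (that hunk restores the ':' after the lookup), while auth1.c passes the stripped `pw->pw_name`; if BSD/OS's `auth_approval()` resolves the name the way OpenBSD's does, the suffixed form would not match an account and approval would fail for users who chose a style. Since the earlier hunk sets `authctxt->pw` and `authctxt->valid` together, `if (authenticated && authctxt->valid && !auth_approval(NULL, NULL, authctxt->pw->pw_name, "ssh"))` passes the canonical account name and also avoids dereferencing a NULL `pw`. The new line also uses four-space indentation where the file uses tabs. The enclosing function starts and ends outside the hunk.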
@@ -353,7 +374,9 @@
 	return (sia_validate_user(NULL, saved_argc, saved_argv, 
 		get_canonical_hostname(), authctxt->user?authctxt->user:"NOUSER", 
 			NULL, 0, NULL, "") == SIASUCCESS);
-#else /* !HAVE_OSF_SIA && !USE_PAM */
+#elif defined(HAVE_BSD_AUTH_H)
+	return auth_userokay(authctxt->user?authctxt->user:"NOUSER", NULL, "auth-ssh", "");
+#else /* !HAVE_OSF_SIA && !USE_PAM && !HAVE_BSD_AUTH_H */
 	return auth_password(authctxt->pw, "");
 #endif /* USE_PAM */
 }
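Review bot: `return auth_userokay(authctxt->user?authctxt->user:"NOUSER", NULL, "auth-ssh", "");` returns the library's raw value, while the password hunk that follows in this file normalises the same call with `!= 0`; the two should match, and `return auth_userokay(authctxt->user?authctxt->user:"NOUSER", NULL, "auth-ssh", "") != 0;` keeps this function's result in the 0/1 range the `auth_password()` branch already guarantees. The enclosing function starts before the hunk.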
@@ -380,7 +403,9 @@
 	    sia_validate_user(NULL, saved_argc, saved_argv, 
 		 	get_canonical_hostname(), authctxt->user?authctxt->user:"NOUSER", 
 			NULL, 0, NULL, password) == SIASUCCESS)
-#else /* !USE_PAM && !HAVE_OSF_SIA */
+#elif defined(HAVE_BSD_AUTH_H)
+	    auth_userokay(authctxt->user?authctxt->user:"NOUSER", NULL, "auth-ssh", password) != 0)
+#else /* !USE_PAM && !HAVE_OSF_SIA && !HAVE_BSD_AUTH_H */
 	    auth_password(authctxt->pw, password) == 1)
 #endif /* USE_PAM */
 		authenticated = 1;
Index: bsd-vis.c
--- bsd-vis.c	2001/02/13 07:43:16	1.1
+++ bsd-vis.c	2001/02/13 07:45:46	1.2
@@ -35,9 +35,9 @@
 static char rcsid[] = "$OpenBSD: vis.c,v 1.5 2000/07/19 15:25:13 deraadt Exp $";
 #endif /* LIBC_SCCS and not lint */
 
-#ifndef HAVE_VIS
-
 #include "includes.h"
+
+#ifndef HAVE_VIS
 
 #define	isoctal(c)	(((u_char)(c)) >= '0' && ((u_char)(c)) <= '7')
 
Index: session.c
--- session.c	2001/02/13 07:43:17	1.1
+++ session.c	2001/02/13 07:45:46	1.2
@@ -1155,7 +1155,9 @@
 		child_set_env(&env, &envsize, "HOME", pw->pw_dir);
 #ifdef HAVE_LOGIN_CAP
 		(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH);
-		child_set_env(&env, &envsize, "PATH", getenv("PATH"));
+		/* update the path to the one setusercontext set for us */
+		if (getenv("PATH"))
+			child_set_env(&env, &envsize, "PATH", getenv("PATH"));
 #else /* HAVE_LOGIN_CAP */
 # ifndef HAVE_CYGWIN
 		/*
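Review bot: `getenv("PATH")` is now evaluated twice in the new guard; `const char *path = getenv("PATH");` followed by `if (path) child_set_env(&env, &envsize, "PATH", path);` reads the variable once and makes the NULL case explicit. When `setusercontext()` leaves PATH unset, this branch now silently adds no PATH entry for the child; if that is not the intended outcome, the comment should say so or a default should be supplied, since I cannot see from the hunk whether an earlier line in this function sets one. The enclosing function starts and ends outside the hunk.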
Index: ssh.h
--- ssh.h	2001/02/13 07:43:17	1.1
+++ ssh.h	2001/02/13 22:00:07
@@ -520,7 +520,12 @@
 ssize_t	atomicio(ssize_t (*f)(), int fd, void *s, size_t n);
 
 #ifdef KRB4
+#ifdef HAVE_BSD_AUTH_H
+#define DES_DEFS /* prevent BSD/OS krb.h from including kerberosIV/des.h */
+#include <kerberosIV/krb.h>
+#else /* !HAVE_BSD_AUTH_H */
 #include <krb.h>
+#endif /* HAVE_BSD_AUTH_H */
 /*
  * Performs Kerberos v4 mutual authentication with the client. This returns 0
  * if the client could not be authenticated, and 1 if authentication was
Index: configure.in
--- configure.in	2001/02/13 07:43:16	1.1
+++ configure.in	2001/02/13 22:00:07
@@ -284,7 +284,7 @@
 fi
 
 # Checks for header files.
-AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h getopt.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utmp.h utmpx.h vis.h)
+AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h getopt.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utmp.h utmpx.h vis.h bsd_auth.h)
 
 dnl    Checks for library functions.
 AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getnameinfo getrusage getttyent inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strsep strtok_r vsnprintf vhangup vis waitpid _getpty __b64_ntop)
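Review bot: Adding `bsd_auth.h` to `AC_CHECK_HEADERS` only proves the header exists, yet the C hunks use `HAVE_BSD_AUTH_H` to decide that `auth_userokay()` and `auth_approval()` are available to link and to include `<login_cap.h>` without consulting the existing `login_cap.h` check. If those functions live in a separate library on BSD/OS (the patch does not show this either way), an `AC_CHECK_FUNCS` entry for them, or an `AC_CHECK_LIB`, would make the configure test match what the code actually relies on, which is the portability goal the cover letter states.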




