OpenSSH 2.3.0p1 port to BSDI BSD/OS
mouring at etoh.eviladmin.org
mouring at etoh.eviladmin.org
Sat Feb 17 06:46:37 EST 2001
Could you please port up the latest snapshot
at: http://bass.directhit.com/openssh_snap?
We are coming close to a 2.5.0p1 release so timing
is pretty critical.
Thanks,
- Ben
On Fri, 16 Feb 2001, David J. MacKenzie wrote:
> BSD/OS 4.2 comes with OpenSSH 2.1.1p4, patched to support BSDI's
> authentication library. However, BSDI's patches have several
> problems:
>
> 1. They don't run the approval phase, so they can allow users to login
> who aren't supposed to be able to.
> 2. They don't patch configure to automatically detect the BSDI auth
> system, so they're not ready to use in a general portable
> distribution.
> 3. They change the path to krb.h unconditionally, making it unportable.
>
> Here is a patch derived from BSDI's, updated for OpenSSH 2.3.0p1,
> which fixes those problems, and also fixes a misplaced #ifdef in the
> OpenSSH distribution in bsd-vis.c.
>
> After applying this patch, run "autoreconf".
>
> Index: auth1.c
> --- auth1.c 2001/02/13 07:43:16 1.1
> +++ auth1.c 2001/02/13 22:00:06
> @@ -28,6 +28,12 @@
> #include "auth.h"
> #include "session.h"
>
> +#ifdef HAVE_BSD_AUTH_H
> +# include <login_cap.h>
> +# include <bsd_auth.h>
> +static char *bsduser=NULL; /* XXX -- ugly, but we need the original */
> +#endif
> +
> /* import */
> extern ServerOptions options;
> extern char *forced_command;
> @@ -258,7 +264,10 @@
> NULL, password) == SIASUCCESS) {
> authenticated = 1;
> }
> -#else /* !USE_PAM && !HAVE_OSF_SIA */
> +#elif defined(HAVE_BSD_AUTH_H)
> + authenticated = auth_userokay(bsduser, NULL,
> + "auth-ssh", password);
> +#else /* !USE_PAM && !HAVE_OSF_SIA && !HAVE_BSD_AUTH_H */
> /* Try authentication with the password. */
> authenticated = auth_password(pw, password);
> #endif /* USE_PAM */
> @@ -362,6 +371,10 @@
> if (authenticated && !do_pam_account(pw->pw_name, client_user))
> authenticated = 0;
> #endif
> +#ifdef HAVE_BSD_AUTH_H
> + if (authenticated && !auth_approval(NULL, NULL, pw->pw_name, "ssh"))
> + authenticated = 0;
> +#endif /* HAVE_BSD_AUTH_H */
>
> if (client_user != NULL) {
> xfree(client_user);
> @@ -415,6 +428,15 @@
> #endif /* AFS */
>
> /* Verify that the user is a valid user. */
> +#ifdef HAVE_BSD_AUTH_H
> + /* we may have an auth type in the user name we need to strip */
> + {
> + char *p;
> + bsduser = xstrdup(user);
> + if ((p = strchr(user, ':')) != NULL)
> + *p = '\0';
> + }
> +#endif
> pw = getpwnam(user);
> if (pw && allowed_user(pw)) {
> /* Take a copy of the returned structure. */
> @@ -460,7 +482,9 @@
> (sia_validate_user(NULL, saved_argc, saved_argv,
> get_canonical_hostname(), pw->pw_name, NULL, 0,
> NULL, "") == SIASUCCESS)) {
> -#else /* !HAVE_OSF_SIA && !USE_PAM */
> +#elif defined(HAVE_BSD_AUTH_H)
> + auth_userokay(bsduser, NULL, "auth-ssh", "" )) {
> +#else /* !HAVE_OSF_SIA && !USE_PAM && !HAVE_BSD_AUTH_H */
> auth_password(pw, "")) {
> #endif /* USE_PAM */
> /* Authentication with empty password succeeded. */
> @@ -474,6 +498,13 @@
> }
> if (pw == NULL)
> fatal("internal error, authentication successfull for user '%.100s'", user);
> +
> +#ifdef HAVE_BSD_AUTH_H
> + if (bsduser != NULL) {
> + xfree(bsduser);
> + bsduser = NULL;
> + }
> +#endif
>
> /* The user has been authenticated and accepted. */
> packet_start(SSH_SMSG_SUCCESS);
> Index: auth2.c
> --- auth2.c 2001/02/13 07:43:16 1.1
> +++ auth2.c 2001/02/13 22:00:06
> @@ -56,6 +56,11 @@
> #include "uidswap.h"
> #include "auth-options.h"
>
> +#ifdef HAVE_BSD_AUTH_H
> +# include <login_cap.h>
> +# include <bsd_auth.h>
> +#endif
> +
> /* import */
> extern ServerOptions options;
> extern unsigned char *session_id2;
> @@ -209,7 +214,19 @@
> /* setup auth context */
> struct passwd *pw = NULL;
> setproctitle("%s", user);
> +#ifdef HAVE_BSD_AUTH_H
> + {
> + /* user may contain requested auth type */
> + char *p;
> + if ((p = strchr(user, ':')) != NULL)
> + *p = '\0';
> + pw = getpwnam(user);
> + if (p != NULL)
> + *p = ':';
> + }
> +#else
> pw = getpwnam(user);
> +#endif
> if (pw && allowed_user(pw) && strcmp(service, "ssh-connection")==0) {
> authctxt->pw = pwcopy(pw);
> authctxt->valid = 1;
> @@ -254,6 +271,10 @@
> if (authenticated && authctxt->user && !do_pam_account(authctxt->user, NULL))
> authenticated = 0;
> #endif /* USE_PAM */
> +#ifdef HAVE_BSD_AUTH_H
> + if (authenticated && authctxt->user && !auth_approval(NULL, NULL, authctxt->user, "ssh"))
> + authenticated = 0;
> +#endif /* HAVE_BSD_AUTH_H */
>
> /* Log before sending the reply */
> userauth_log(authctxt, authenticated, method);
> @@ -353,7 +374,9 @@
> return (sia_validate_user(NULL, saved_argc, saved_argv,
> get_canonical_hostname(), authctxt->user?authctxt->user:"NOUSER",
> NULL, 0, NULL, "") == SIASUCCESS);
> -#else /* !HAVE_OSF_SIA && !USE_PAM */
> +#elif defined(HAVE_BSD_AUTH_H)
> + return auth_userokay(authctxt->user?authctxt->user:"NOUSER", NULL, "auth-ssh", "");
> +#else /* !HAVE_OSF_SIA && !USE_PAM && !HAVE_BSD_AUTH_H */
> return auth_password(authctxt->pw, "");
> #endif /* USE_PAM */
> }
> @@ -380,7 +403,9 @@
> sia_validate_user(NULL, saved_argc, saved_argv,
> get_canonical_hostname(), authctxt->user?authctxt->user:"NOUSER",
> NULL, 0, NULL, password) == SIASUCCESS)
> -#else /* !USE_PAM && !HAVE_OSF_SIA */
> +#elif defined(HAVE_BSD_AUTH_H)
> + auth_userokay(authctxt->user?authctxt->user:"NOUSER", NULL, "auth-ssh", password) != 0)
> +#else /* !USE_PAM && !HAVE_OSF_SIA && !HAVE_BSD_AUTH_H */
> auth_password(authctxt->pw, password) == 1)
> #endif /* USE_PAM */
> authenticated = 1;
> Index: bsd-vis.c
> --- bsd-vis.c 2001/02/13 07:43:16 1.1
> +++ bsd-vis.c 2001/02/13 07:45:46 1.2
> @@ -35,9 +35,9 @@
> static char rcsid[] = "$OpenBSD: vis.c,v 1.5 2000/07/19 15:25:13 deraadt Exp $";
> #endif /* LIBC_SCCS and not lint */
>
> -#ifndef HAVE_VIS
> -
> #include "includes.h"
> +
> +#ifndef HAVE_VIS
>
> #define isoctal(c) (((u_char)(c)) >= '0' && ((u_char)(c)) <= '7')
>
> Index: session.c
> --- session.c 2001/02/13 07:43:17 1.1
> +++ session.c 2001/02/13 07:45:46 1.2
> @@ -1155,7 +1155,9 @@
> child_set_env(&env, &envsize, "HOME", pw->pw_dir);
> #ifdef HAVE_LOGIN_CAP
> (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH);
> - child_set_env(&env, &envsize, "PATH", getenv("PATH"));
> + /* update the path to the one setusercontext set for us */
> + if (getenv("PATH"))
> + child_set_env(&env, &envsize, "PATH", getenv("PATH"));
> #else /* HAVE_LOGIN_CAP */
> # ifndef HAVE_CYGWIN
> /*
> Index: ssh.h
> --- ssh.h 2001/02/13 07:43:17 1.1
> +++ ssh.h 2001/02/13 22:00:07
> @@ -520,7 +520,12 @@
> ssize_t atomicio(ssize_t (*f)(), int fd, void *s, size_t n);
>
> #ifdef KRB4
> +#ifdef HAVE_BSD_AUTH_H
> +#define DES_DEFS /* prevent BSD/OS krb.h from including kerberosIV/des.h */
> +#include <kerberosIV/krb.h>
> +#else /* !HAVE_BSD_AUTH_H */
> #include <krb.h>
> +#endif /* HAVE_BSD_AUTH_H */
> /*
> * Performs Kerberos v4 mutual authentication with the client. This returns 0
> * if the client could not be authenticated, and 1 if authentication was
> Index: configure.in
> --- configure.in 2001/02/13 07:43:16 1.1
> +++ configure.in 2001/02/13 22:00:07
> @@ -284,7 +284,7 @@
> fi
>
> # Checks for header files.
> -AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h getopt.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utmp.h utmpx.h vis.h)
> +AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h getopt.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utmp.h utmpx.h vis.h bsd_auth.h)
>
> dnl Checks for library functions.
> AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getnameinfo getrusage getttyent inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strsep strtok_r vsnprintf vhangup vis waitpid _getpty __b64_ntop)
>
More information about the openssh-unix-dev
mailing list