OpenSSH 2.3.0p1 port to BSDI BSD/OS

mouring at etoh.eviladmin.org mouring at etoh.eviladmin.org
Sat Feb 17 06:46:37 EST 2001


Could you please update this patch against the latest snapshot
at: http://bass.directhit.com/openssh_snap?

We are coming close to a 2.5.0p1 release so timing
is pretty critical.


Thanks,

- Ben


On Fri, 16 Feb 2001, David J. MacKenzie wrote:

> BSD/OS 4.2 comes with OpenSSH 2.1.1p4, patched to support BSDI's
> authentication library.  However, BSDI's patches have several
> problems:
> 
> 1. They don't run the approval phase, so they can allow users to log in
> who aren't supposed to be able to.
> 2. They don't patch configure to automatically detect the BSDI auth
> system, so they're not ready to use in a general portable
> distribution.
> 3. They change the path to krb.h unconditionally, making it unportable.
> 
> Here is a patch derived from BSDI's, updated for OpenSSH 2.3.0p1,
> which fixes those problems, and also fixes a misplaced #ifdef in the
> OpenSSH distribution in bsd-vis.c.
> 
> After applying this patch, run "autoreconf".
> 
> Index: auth1.c
> --- auth1.c	2001/02/13 07:43:16	1.1
> +++ auth1.c	2001/02/13 22:00:06
> @@ -28,6 +28,12 @@
>  #include "auth.h"
>  #include "session.h"
>  
> +#ifdef HAVE_BSD_AUTH_H
> +# include <login_cap.h>
> +# include <bsd_auth.h>
> +static char *bsduser=NULL;	/* XXX -- ugly, but we need the original */
> +#endif
> +
>  /* import */
>  extern ServerOptions options;
>  extern char *forced_command;
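Review bot: The `XXX -- ugly` comment on `bsduser` records the smell but not the contract a reader needs to use it safely. Suggested replacement: `/* Client-supplied user name exactly as received, possibly "user:style" for BSD auth; set where the name is read, consumed by the auth_userokay() calls, freed once authentication succeeds. */`. Since it is file-scope state it is also worth stating that it holds for the single authentication this process performs, if that is indeed the case.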
> @@ -258,7 +264,10 @@
>  				NULL, password) == SIASUCCESS) {
>  				authenticated = 1;
>  			}
> -#else /* !USE_PAM && !HAVE_OSF_SIA */
> +#elif defined(HAVE_BSD_AUTH_H)
> +			authenticated = auth_userokay(bsduser, NULL, 
> +						"auth-ssh", password);
> +#else /* !USE_PAM && !HAVE_OSF_SIA && !HAVE_BSD_AUTH_H */
>   			/* Try authentication with the password. */
>  			authenticated = auth_password(pw, password);
>  #endif /* USE_PAM */
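Review bot: The new `auth_userokay()` branch is keyed on `bsduser` and never looks at `pw`, so the verdict of `allowed_user()` (which, judging by the later hunk, leaves `pw` NULL for a rejected account) no longer bounds password authentication the way `auth_password(pw, password)` presumably does in the other branches. An existing but denied account could then arrive at the `pw->pw_name` dereference in the `auth_approval` hunk below with `pw == NULL`; the `pw == NULL` fatal() after the loop would still refuse the login, but only after that dereference. Gate the call on the lookup, `authenticated = (pw != NULL) && auth_userokay(bsduser, NULL, "auth-ssh", password);`, and likewise `pw != NULL && auth_userokay(bsduser, NULL, "auth-ssh", "")` in the empty-password hunk further down. The auth2.c counterparts appear to sit behind `authctxt->valid`, whose condition starts outside those hunks, so they need confirming rather than changing. The enclosing switch and loop start and end outside this hunk.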
> @@ -362,6 +371,10 @@
>  		if (authenticated && !do_pam_account(pw->pw_name, client_user))
>  			authenticated = 0;
>  #endif
> +#ifdef HAVE_BSD_AUTH_H
> +		if (authenticated && !auth_approval(NULL, NULL, pw->pw_name, "ssh"))
> +		    authenticated = 0;
> +#endif /* HAVE_BSD_AUTH_H */
>  
>  		if (client_user != NULL) {
>  			xfree(client_user);
> @@ -415,6 +428,15 @@
>  #endif /* AFS */
>  
>  	/* Verify that the user is a valid user. */
> +#ifdef HAVE_BSD_AUTH_H
> +	/* we may have an auth type in the user name we need to strip */
> +	{
> +		char *p;
> +		bsduser = xstrdup(user);
> +		if ((p = strchr(user, ':')) != NULL)
> +			*p = '\0';
> +	}
> +#endif
>  	pw = getpwnam(user);
>  	if (pw && allowed_user(pw)) {
>  		/* Take a copy of the returned structure. */
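Review bot: The text after `:` is a client-requested BSD auth style that survives only in `bsduser`; the comment should say so, because `user` is truncated in place and every later log or fatal message built from `user` in this function records just the account name (auth2.c, by contrast, restores the `:`). Suggested comment: `/* BSD auth accepts "user:style"; keep the untouched name in bsduser for auth_userokay() and hand getpwnam() the bare account name. The style is chosen by the client, so which styles are honoured rests on the auth-ssh/auth capabilities of the user's login class in login.conf. */`. The login.conf sentence is my understanding of BSD auth and should be checked against the BSD/OS manual before it goes in. `bsduser` is released in the last auth1.c hunk on the success path only; failure paths presumably exit the process, so confirm no path returns normally with it still set. The enclosing function starts and ends outside this hunk.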
> @@ -460,7 +482,9 @@
>  	    (sia_validate_user(NULL, saved_argc, saved_argv, 
>  	    get_canonical_hostname(), pw->pw_name, NULL, 0, 
>  		 NULL, "") == SIASUCCESS)) {
> -#else /* !HAVE_OSF_SIA && !USE_PAM */
> +#elif defined(HAVE_BSD_AUTH_H)
> +	    auth_userokay(bsduser, NULL, "auth-ssh", "" )) {
> +#else /* !HAVE_OSF_SIA && !USE_PAM && !HAVE_BSD_AUTH_H */
>   	    auth_password(pw, "")) {
>  #endif /* USE_PAM */
>  		/* Authentication with empty password succeeded. */
> @@ -474,6 +498,13 @@
>  	}
>  	if (pw == NULL)
>  		fatal("internal error, authentication successfull for user '%.100s'", user);
> +
> +#ifdef HAVE_BSD_AUTH_H
> +	if (bsduser != NULL) {
> +		xfree(bsduser);
> +		bsduser = NULL;
> +	}
> +#endif
>  
>  	/* The user has been authenticated and accepted. */
>  	packet_start(SSH_SMSG_SUCCESS);
> Index: auth2.c
> --- auth2.c	2001/02/13 07:43:16	1.1
> +++ auth2.c	2001/02/13 22:00:06
> @@ -56,6 +56,11 @@
>  #include "uidswap.h"
>  #include "auth-options.h"
>  
> +#ifdef HAVE_BSD_AUTH_H
> +# include <login_cap.h>
> +# include <bsd_auth.h>
> +#endif
> +
>  /* import */
>  extern ServerOptions options;
>  extern unsigned char *session_id2;
> @@ -209,7 +214,19 @@
>  		/* setup auth context */
>  		struct passwd *pw = NULL;
>  		setproctitle("%s", user);
> +#ifdef HAVE_BSD_AUTH_H
> +		{
> +			/* user may contain requested auth type */
> +			char *p;
> +			if ((p = strchr(user, ':')) != NULL)
> +				*p = '\0';
> +			pw = getpwnam(user);
> +			if (p != NULL)
> +				*p = ':';
> +		}
> +#else
>  		pw = getpwnam(user);
> +#endif
>  		if (pw && allowed_user(pw) && strcmp(service, "ssh-connection")==0) {
>  			authctxt->pw = pwcopy(pw);
>  			authctxt->valid = 1;
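Review bot: The block temporarily patches `user` and then restores the `:`, but the comment does not say why both halves are needed. Suggested: `/* BSD auth user names may carry a ":style" suffix that getpwnam() does not understand. Strip it for the lookup only and put it back so the name kept in the auth context (and later handed to auth_userokay()) still carries the client's requested style. */`. This differs from auth1.c, where the suffix is cut from `user` permanently and a separate copy kept, and the comment should name that asymmetry so the two files are not "harmonised" into a mismatch later. The enclosing function starts and ends outside this hunk.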
> @@ -254,6 +271,10 @@
>  	if (authenticated && authctxt->user && !do_pam_account(authctxt->user, NULL))
>  		authenticated = 0;
>  #endif /* USE_PAM */
> +#ifdef HAVE_BSD_AUTH_H
> +	if (authenticated && authctxt->user && !auth_approval(NULL, NULL, authctxt->user, "ssh"))
> +	    authenticated = 0;
> +#endif /* HAVE_BSD_AUTH_H */
>  
>  	/* Log before sending the reply */
>  	userauth_log(authctxt, authenticated, method);
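Review bot: `auth_approval()` is handed `authctxt->user`, which after the earlier hunk may still be in `user:style` form, whereas the auth1.c equivalent passes `pw->pw_name`. If auth_approval resolves the name with getpwnam, as I believe the OpenBSD implementation does, the suffixed form fails the lookup and the login is refused: fail-closed, but it silently breaks every style-qualified login over SSH2. Passing the resolved account name keeps both files consistent: `if (authenticated && authctxt->valid && !auth_approval(NULL, NULL, authctxt->pw->pw_name, "ssh"))`. The enclosing function starts and ends outside this hunk.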
> @@ -353,7 +374,9 @@
>  	return (sia_validate_user(NULL, saved_argc, saved_argv, 
>  		get_canonical_hostname(), authctxt->user?authctxt->user:"NOUSER", 
>  			NULL, 0, NULL, "") == SIASUCCESS);
> -#else /* !HAVE_OSF_SIA && !USE_PAM */
> +#elif defined(HAVE_BSD_AUTH_H)
> +	return auth_userokay(authctxt->user?authctxt->user:"NOUSER", NULL, "auth-ssh", "");
> +#else /* !HAVE_OSF_SIA && !USE_PAM && !HAVE_BSD_AUTH_H */
>  	return auth_password(authctxt->pw, "");
>  #endif /* USE_PAM */
>  }
> @@ -380,7 +403,9 @@
>  	    sia_validate_user(NULL, saved_argc, saved_argv, 
>  		 	get_canonical_hostname(), authctxt->user?authctxt->user:"NOUSER", 
>  			NULL, 0, NULL, password) == SIASUCCESS)
> -#else /* !USE_PAM && !HAVE_OSF_SIA */
> +#elif defined(HAVE_BSD_AUTH_H)
> +	    auth_userokay(authctxt->user?authctxt->user:"NOUSER", NULL, "auth-ssh", password) != 0)
> +#else /* !USE_PAM && !HAVE_OSF_SIA && !HAVE_BSD_AUTH_H */
>  	    auth_password(authctxt->pw, password) == 1)
>  #endif /* USE_PAM */
>  		authenticated = 1;
> Index: bsd-vis.c
> --- bsd-vis.c	2001/02/13 07:43:16	1.1
> +++ bsd-vis.c	2001/02/13 07:45:46	1.2
> @@ -35,9 +35,9 @@
>  static char rcsid[] = "$OpenBSD: vis.c,v 1.5 2000/07/19 15:25:13 deraadt Exp $";
>  #endif /* LIBC_SCCS and not lint */
>  
> -#ifndef HAVE_VIS
> -
>  #include "includes.h"
> +
> +#ifndef HAVE_VIS
>  
>  #define	isoctal(c)	(((u_char)(c)) >= '0' && ((u_char)(c)) <= '7')
>  
> Index: session.c
> --- session.c	2001/02/13 07:43:17	1.1
> +++ session.c	2001/02/13 07:45:46	1.2
> @@ -1155,7 +1155,9 @@
>  		child_set_env(&env, &envsize, "HOME", pw->pw_dir);
>  #ifdef HAVE_LOGIN_CAP
>  		(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH);
> -		child_set_env(&env, &envsize, "PATH", getenv("PATH"));
> +		/* update the path to the one setusercontext set for us */
> +		if (getenv("PATH"))
> +			child_set_env(&env, &envsize, "PATH", getenv("PATH"));
>  #else /* HAVE_LOGIN_CAP */
>  # ifndef HAVE_CYGWIN
>  		/*
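Review bot: When `setusercontext()` leaves `PATH` unset, the new guard silently gives the child no PATH at all, where the old call passed a NULL argument and the non-login_cap branch below presumably installs a default. Read the variable once and fall back explicitly: `const char *path = getenv("PATH");` followed by `child_set_env(&env, &envsize, "PATH", path != NULL ? path : _PATH_STDPATH);`, `_PATH_STDPATH` being the default the other branch uses if I read it right. Calling `getenv()` twice is also a minor style point the single read removes. The enclosing function starts and ends outside this hunk.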
> Index: ssh.h
> --- ssh.h	2001/02/13 07:43:17	1.1
> +++ ssh.h	2001/02/13 22:00:07
> @@ -520,7 +520,12 @@
>  ssize_t	atomicio(ssize_t (*f)(), int fd, void *s, size_t n);
>  
>  #ifdef KRB4
> +#ifdef HAVE_BSD_AUTH_H
> +#define DES_DEFS /* prevent BSD/OS krb.h from including kerberosIV/des.h */
> +#include <kerberosIV/krb.h>
> +#else /* !HAVE_BSD_AUTH_H */
>  #include <krb.h>
> +#endif /* HAVE_BSD_AUTH_H */
>  /*
>   * Performs Kerberos v4 mutual authentication with the client. This returns 0
>   * if the client could not be authenticated, and 1 if authentication was
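Review bot: Selecting `<kerberosIV/krb.h>` on `HAVE_BSD_AUTH_H` ties a Kerberos header location to the presence of the BSD auth library, two unrelated properties of a platform. The portable form is a header check of its own, for example adding `kerberosIV/krb.h` to the configure.in `AC_CHECK_HEADERS` list and testing the resulting define here, with a comment noting that `DES_DEFS` is set only to stop BSD/OS's krb.h pulling in its own des.h.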
> Index: configure.in
> --- configure.in	2001/02/13 07:43:16	1.1
> +++ configure.in	2001/02/13 22:00:07
> @@ -284,7 +284,7 @@
>  fi
>  
>  # Checks for header files.
> -AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h getopt.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utmp.h utmpx.h vis.h)
> +AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h getopt.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utmp.h utmpx.h vis.h bsd_auth.h)
>  
>  dnl    Checks for library functions.
>  AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getnameinfo getrusage getttyent inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strsep strtok_r vsnprintf vhangup vis waitpid _getpty __b64_ntop)
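Review bot: Detecting `bsd_auth.h` alone now switches auth1.c and auth2.c to a different authentication backend, including the approval step, which is a large behavioural change to hang on a header-presence test. Consider also confirming that the functions link, e.g. adding `auth_userokay` and `auth_approval` to the `AC_CHECK_FUNCS` list and testing the resulting define together with `HAVE_BSD_AUTH_H`, or an explicit configure option so packagers can see which backend they built. The patch also includes `<login_cap.h>` under `HAVE_BSD_AUTH_H` alone, although that header has its own check in the same `AC_CHECK_HEADERS` list and the two results should be required together.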
> 





