Tru64 and OSF/1 Privsep patch

Ben Lindstrom mouring at etoh.eviladmin.org
Fri Aug 2 06:47:07 EST 2002


Ok.. I need wider testing for this. I'm getting reports back that it works
mostly.  'ssh site ls' fails, but they can login with Privsep enabled.

Can I get those who are using Tru64 or OSF/1 that have SIA enabled to
test?  This should apply to either -cvs or the current snapshot (I would
prefer not to use 3.4p1 due to bugs).

I'm going on a trip next week and will be around only sporadically at best.  As
a result I'm not dead sure when the final date for commits is for 3.5,
but I'm still shooting for the 3.5 release or first thing when the tree opens
back up for 3.6.

Again, this is for testing.  Please submit an incremental patch to solve
additional problems, and if you can't, make sure to include ssh and sshd debug
information and a short description of the problem.

- Ben


diff -ur openssh-3.4p1/auth-sia.c openssh-3.4p1+/auth-sia.c
--- openssh-3.4p1/auth-sia.c	Fri Apr 12 11:36:08 2002
+++ openssh-3.4p1+/auth-sia.c	Mon Jul 22 23:34:37 2002
@@ -41,9 +41,11 @@
 #include <unistd.h>
 #include <string.h>

+/* import */
 extern ServerOptions options;
 extern int saved_argc;
 extern char **saved_argv;
+extern int use_privsep;

 extern int errno;

@@ -77,7 +79,7 @@
 }

 void
-session_setup_sia(char *user, char *tty)
+setup_sia(char *user, char *tty)
 {
 	struct passwd *pw;
 	SIAENTITY *ent = NULL;
@@ -86,9 +88,8 @@
 	host = get_canonical_hostname (options.verify_reverse_mapping);

 	if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0,
-	    NULL) != SIASUCCESS) {
+	    NULL) != SIASUCCESS)
 		fatal("sia_ses_init failed");
-	}

 	if ((pw = getpwnam(user)) == NULL) {
 		sia_ses_release(&ent);
@@ -100,25 +101,24 @@
 	}

 	ent->authtype = SIA_A_NONE;
-	if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) {
+	if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS)
 		fatal("Couldn't establish session for %s from %s", user,
 		    host);
-	}

 	if (setpriority(PRIO_PROCESS, 0, 0) == -1) {
 		sia_ses_release(&ent);
 		fatal("setpriority: %s", strerror (errno));
 	}

-	if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) {
+	if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS)
 		fatal("Couldn't launch session for %s from %s", user, host);
-	}
-
+
 	sia_ses_release(&ent);

-	if (setreuid(geteuid(), geteuid()) < 0) {
-		fatal("setreuid: %s", strerror(errno));
+	/* XXX: Should this be be around a if (!use_privsep) ? */
+	if (!use_privsep) {
+		if (setreuid(geteuid(), geteuid()) < 0)
+			fatal("setreuid: %s", strerror(errno));
 	}
 }
-
 #endif /* HAVE_OSF_SIA */
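Review bot: The XXX comment above the setreuid guard is stale — it asks whether the call should be wrapped in `if (!use_privsep)`, and the very next line already does exactly that (and "be be" is a typo). Replace it with the reason the guard exists: `/* Under privsep this runs in the monitor (via mm_answer_setup_sia), which must keep its uid; only the non-privsep child reverts to its effective uid here. */`. It is worth confirming that sia_ses_estab()/sia_ses_launch() do not themselves apply per-process settings (credentials, environment, limits) to the caller, since under privsep the caller is now the monitor rather than the process that will exec the user's command. Note also that every fatal() on this path now terminates the monitor instead of just the session child. setup_sia's signature and the start of its body are in the earlier hunks.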
diff -ur openssh-3.4p1/auth-sia.h openssh-3.4p1+/auth-sia.h
--- openssh-3.4p1/auth-sia.h	Fri Apr 12 11:36:08 2002
+++ openssh-3.4p1+/auth-sia.h	Sun Jul 21 22:53:14 2002
@@ -27,6 +27,6 @@
 #ifdef HAVE_OSF_SIA

 int	auth_sia_password(Authctxt *authctxt, char *pass);
-void	session_setup_sia(char *user, char *tty);
+void	setup_sia(char *user, char *tty);

 #endif /* HAVE_OSF_SIA */
diff -ur openssh-3.4p1/monitor.c openssh-3.4p1+/monitor.c
--- openssh-3.4p1/monitor.c	Wed Jun 26 09:27:11 2002
+++ openssh-3.4p1+/monitor.c	Sun Jul 21 22:53:14 2002
@@ -120,6 +120,10 @@
 int mm_answer_pam_start(int, Buffer *);
 #endif

+#ifdef HAVE_OSF_SIA
+int mm_answer_setup_sia(int, Buffer *);
+#endif
+
 static Authctxt *authctxt;
 static BIGNUM *ssh1_challenge = NULL;	/* used for ssh1 rsa auth */

@@ -176,6 +180,9 @@
     {MONITOR_REQ_PTY, 0, mm_answer_pty},
     {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
     {MONITOR_REQ_TERM, 0, mm_answer_term},
+#ifdef HAVE_OSF_SIA
+    {MONITOR_REQ_SETUP_SIA, 0, mm_answer_setup_sia},
+#endif
     {0, 0, NULL}
 };

@@ -206,6 +213,9 @@
     {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
     {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
     {MONITOR_REQ_TERM, 0, mm_answer_term},
+#ifdef HAVE_OSF_SIA
+    {MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia},
+#endif
     {0, 0, NULL}
 };

@@ -307,10 +317,16 @@
 		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef HAVE_OSF_SIA
+		monitor_permit(mon_dispatch, MONITOR_REQ_SETUP_SIA, 1);
+#endif

 	} else {
 		mon_dispatch = mon_dispatch_postauth15;
 		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef HAVE_OSF_SIA
+		monitor_permit(mon_dispatch, MONITOR_REQ_SETUP_SIA, 1);
+#endif
 	}
 	if (!no_pty_flag) {
 		monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
@@ -717,6 +733,22 @@

 	return (authok != 0);
 }
+#endif
+
+#ifdef HAVE_OSF_SIA
+int
+mm_answer_setup_sia(int socket, Buffer *m)
+{
+	char *user, *tty;
+
+	user = buffer_get_string(m, NULL);
+	tty = buffer_get_string(m, NULL);
+
+	setup_sia(user, tty);
+
+	xfree(user);
+	xfree(tty);
+}
 #endif
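Review bot: mm_answer_setup_sia is declared `int` but never returns a value, so if the dispatch loop consumes the result as it does for the sibling handlers (the one ending just above this hunk returns `authok != 0`) it reads an indeterminate value; end the function with `return (0);`. The user name is taken from the unprivileged child's message and handed straight to setup_sia, and so to getpwnam()/sia_ses_init(), inside the privileged monitor; the monitor already holds the authenticated user in the file-static `authctxt`, so it should at least check `if (strcmp(user, authctxt->pw->pw_name) != 0) fatal("%s: user mismatch", __func__);` before the setup_sia() call, or ignore the transmitted name entirely. The tty string could likewise be compared with the pty the monitor allocated in mm_answer_pty, if that is recorded somewhere accessible.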

 #ifdef USE_PAM
diff -ur openssh-3.4p1/monitor.h openssh-3.4p1+/monitor.h
--- openssh-3.4p1/monitor.h	Tue Jun 11 12:42:49 2002
+++ openssh-3.4p1+/monitor.h	Sun Jul 21 22:53:14 2002
@@ -50,6 +50,7 @@
 	MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
 	MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
 	MONITOR_REQ_PAM_START,
+	MONITOR_REQ_SETUP_SIA,
 	MONITOR_REQ_TERM
 };

diff -ur openssh-3.4p1/monitor_wrap.c openssh-3.4p1+/monitor_wrap.c
--- openssh-3.4p1/monitor_wrap.c	Thu Jun 20 20:43:43 2002
+++ openssh-3.4p1+/monitor_wrap.c	Sun Jul 21 22:53:14 2002
@@ -649,6 +649,24 @@
 	s->ttyfd = -1;
 }

+#ifdef HAVE_OSF_SIA
+void
+mm_setup_sia(char *name, char *tty)
+{
+	Buffer m;
+
+	debug3("%s entering", __func__);
+
+	buffer_init(&m);
+	buffer_put_cstring(&m, name);
+	buffer_put_cstring(&m, tty);
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SETUP_SIA, &m);
+
+	buffer_free(&m);
+}
+#endif
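Review bot: mm_setup_sia has no way to carry a NULL tty, yet the session.c call site passes `s->ttyfd == -1 ? NULL : s->tty`, so a session without a pty (a plain remote command) reaches buffer_put_cstring() with NULL, which it cannot serialize — consistent with the 'ssh site ls' failure mentioned above. Encode the absent tty as an empty string here, `buffer_put_cstring(&m, tty == NULL ? "" : tty);`, and map it back in mm_answer_setup_sia before the setup_sia() call with `if (*tty == '\0') { xfree(tty); tty = NULL; }`. The request is also fire-and-forget: no MONITOR_ANS reply is awaited, so the child continues into the login sequence whether or not the monitor completed the SIA session; mm_start_pam below has the same shape, so this may be deliberate, but the missing synchronization deserves a comment such as `/* no reply: the monitor's fatal() tears the connection down on failure */` if that is indeed the intended behaviour.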
+
 #ifdef USE_PAM
 void
 mm_start_pam(char *user)
diff -ur openssh-3.4p1/monitor_wrap.h openssh-3.4p1+/monitor_wrap.h
--- openssh-3.4p1/monitor_wrap.h	Sun May 12 21:07:42 2002
+++ openssh-3.4p1+/monitor_wrap.h	Sun Jul 21 22:53:14 2002
@@ -59,6 +59,10 @@
 void mm_start_pam(char *);
 #endif

+#ifdef HAVE_OSF_SIA
+void mm_setup_sia(char *, char *);
+#endif
+
 void mm_terminate(void);
 int mm_pty_allocate(int *, int *, char *, int);
 void mm_session_pty_cleanup2(void *);
diff -ur openssh-3.4p1/session.c openssh-3.4p1+/session.c
--- openssh-3.4p1/session.c	Wed Jun 26 09:51:06 2002
+++ openssh-3.4p1+/session.c	Sun Jul 21 23:26:49 2002
@@ -57,6 +57,7 @@
 #include "canohost.h"
 #include "session.h"
 #include "monitor_wrap.h"
+#include "auth-sia.h"

 #ifdef HAVE_CYGWIN
 #include <windows.h>
@@ -1269,7 +1270,7 @@
 	 */
 	if (!options.use_login) {
 #ifdef HAVE_OSF_SIA
-		session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty);
+		PRIVSEP(setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty));
 		if (!check_quietlogin(s, command))
 			do_motd();
 #else /* HAVE_OSF_SIA */



