Either this never made it to the list or no one cares about Tru64. This
is the last time I'll send this patch to the list. If no one steps up and
finishes it or provides me with enough information to fix any remaining
bugs (one being complaint that 'ssh site cmd' does not work right).
If there is no activity on this for a week. I'll post it to bugzilla and
will ignore any request for me to fix Tru64.
I do thank everyone that has privately contributed help in regards to
testing and such.
This patch may apply to 3.4p1, but I'd prefer testing to be done on -cvs.
- Ben
diff -ur openssh-3.4p1/auth-sia.c openssh-3.4p1+/auth-sia.c
--- openssh-3.4p1/auth-sia.c Fri Apr 12 11:36:08 2002
+++ openssh-3.4p1+/auth-sia.c Mon Jul 22 23:34:37 2002
@@ -41,9 +41,11 @@
#include <unistd.h>
#include <string.h>
+/* import */
extern ServerOptions options;
extern int saved_argc;
extern char **saved_argv;
+extern int use_privsep;
extern int errno;
@@ -77,7 +79,7 @@
}
void
-session_setup_sia(char *user, char *tty)
+setup_sia(char *user, char *tty)
{
struct passwd *pw;
SIAENTITY *ent = NULL;
@@ -86,9 +88,8 @@
host = get_canonical_hostname (options.verify_reverse_mapping);
if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0,
- NULL) != SIASUCCESS) {
+ NULL) != SIASUCCESS)
fatal("sia_ses_init failed");
- }
if ((pw = getpwnam(user)) == NULL) {
sia_ses_release(&ent);
@@ -100,25 +101,24 @@
}
ent->authtype = SIA_A_NONE;
- if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) {
+ if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS)
fatal("Couldn't establish session for %s from %s", user,
host);
- }
if (setpriority(PRIO_PROCESS, 0, 0) == -1) {
sia_ses_release(&ent);
fatal("setpriority: %s", strerror (errno));
}
- if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) {
+ if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS)
fatal("Couldn't launch session for %s from %s", user, host);
- }
-
+
sia_ses_release(&ent);
- if (setreuid(geteuid(), geteuid()) < 0) {
- fatal("setreuid: %s", strerror(errno));
+ /* XXX: Should this be be around a if (!use_privsep) ? */
+ if (!use_privsep) {
+ if (setreuid(geteuid(), geteuid()) < 0)
+ fatal("setreuid: %s", strerror(errno));
}
}
-
#endif /* HAVE_OSF_SIA */
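Review bot: The `XXX` comment left above the new `if (!use_privsep)` guard asks a question that the guard on the next line already answers, so it should ship as a statement of intent rather than an open question, e.g. `/* Without privsep this process is still root after sia_ses_launch() and must drop to the session user itself; with privsep setup_sia() runs in the monitor (mm_answer_setup_sia) and the drop is left to the privsep child. */` — the second half is my reading of the monitor.c hunk and should be confirmed against where the privsep child actually changes uid. Note also that the `sia_ses_estab` and `sia_ses_launch` failure paths call `fatal()` without `sia_ses_release(&ent)` while the `setpriority` failure path does release first; worth making uniform even though `fatal()` exits. setup_sia() starts in the previous hunk.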
diff -ur openssh-3.4p1/auth-sia.h openssh-3.4p1+/auth-sia.h
--- openssh-3.4p1/auth-sia.h Fri Apr 12 11:36:08 2002
+++ openssh-3.4p1+/auth-sia.h Sun Jul 21 22:53:14 2002
@@ -27,6 +27,6 @@
#ifdef HAVE_OSF_SIA
int auth_sia_password(Authctxt *authctxt, char *pass);
-void session_setup_sia(char *user, char *tty);
+void setup_sia(char *user, char *tty);
#endif /* HAVE_OSF_SIA */
diff -ur openssh-3.4p1/monitor.c openssh-3.4p1+/monitor.c
--- openssh-3.4p1/monitor.c Wed Jun 26 09:27:11 2002
+++ openssh-3.4p1+/monitor.c Sun Jul 21 22:53:14 2002
@@ -120,6 +120,10 @@
int mm_answer_pam_start(int, Buffer *);
#endif
+#ifdef HAVE_OSF_SIA
+int mm_answer_setup_sia(int, Buffer *);
+#endif
+
static Authctxt *authctxt;
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
@@ -176,6 +180,9 @@
{MONITOR_REQ_PTY, 0, mm_answer_pty},
{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
{MONITOR_REQ_TERM, 0, mm_answer_term},
+#ifdef HAVE_OSF_SIA
+ {MONITOR_REQ_SETUP_SIA, 0, mm_answer_setup_sia},
+#endif
{0, 0, NULL}
};
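Review bot: `MONITOR_REQ_SETUP_SIA` is registered with flags `0` in this table but with `MON_ONCE` in the protocol-1 table below, so under protocol 2 the unprivileged child can drive `setup_sia()` in the monitor as often as it likes, and each request re-runs `sia_ses_estab()`, `sia_ses_launch()` and `setpriority()` in the monitor process. If the asymmetry is deliberate to mirror `MONITOR_REQ_PTY` (one call per session) it deserves a comment on this line, e.g. `/* per-session, like MONITOR_REQ_PTY */`; otherwise `MON_ONCE` here would match the other table. The dispatch table this entry belongs to starts outside the hunk.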
@@ -206,6 +213,9 @@
{MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
{MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
{MONITOR_REQ_TERM, 0, mm_answer_term},
+#ifdef HAVE_OSF_SIA
+ {MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia},
+#endif
{0, 0, NULL}
};
@@ -307,10 +317,16 @@
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef HAVE_OSF_SIA
+ monitor_permit(mon_dispatch, MONITOR_REQ_SETUP_SIA, 1);
+#endif
} else {
mon_dispatch = mon_dispatch_postauth15;
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef HAVE_OSF_SIA
+ monitor_permit(mon_dispatch, MONITOR_REQ_SETUP_SIA, 1);
+#endif
}
if (!no_pty_flag) {
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
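Review bot: The two `#ifdef HAVE_OSF_SIA` / `monitor_permit(mon_dispatch, MONITOR_REQ_SETUP_SIA, 1);` blocks are byte-identical in both branches of the `if`/`else`, so the permit can be issued once after the `else` block, next to the `no_pty_flag` permits, which removes one of the two conditional blocks and makes it obvious that SIA setup is allowed for both protocol versions. The enclosing function starts before this hunk.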
@@ -717,6 +733,22 @@
return (authok != 0);
}
+#endif
+
+#ifdef HAVE_OSF_SIA
+int
+mm_answer_setup_sia(int socket, Buffer *m)
+{
+ char *user, *tty;
+
+ user = buffer_get_string(m, NULL);
+ tty = buffer_get_string(m, NULL);
+
+ setup_sia(user, tty);
+
+ xfree(user);
+ xfree(tty);
+}
#endif
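Review bot: `mm_answer_setup_sia` takes the user name from the child's message and hands it straight to `setup_sia()`, so after authentication a compromised unprivileged child can ask the monitor to establish a SIA session for any account; the monitor should decide this from its own state, and `authctxt` is already declared at the top of this file for that purpose — `setup_sia(authctxt->pw->pw_name, tty);`, with the received `user` either dropped from the protocol or compared and rejected with `fatal()` on mismatch (I'm assuming `authctxt->pw` is populated by then, as it is for the other post-auth handlers; confirm). Ideally the tty string is likewise checked against the pty the monitor itself allocated rather than trusted from the child, though the monitor's pty bookkeeping is not visible here. The function is declared `int` but has no `return`; the other answer handlers end with `return (0);`. It also needs a representation for "no tty", since session.c passes `NULL` when `s->ttyfd == -1` and the wrapper cannot send that — e.g. `setup_sia(..., *tty == '\0' ? NULL : tty);` paired with the wrapper sending an empty string.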
#ifdef USE_PAM
diff -ur openssh-3.4p1/monitor.h openssh-3.4p1+/monitor.h
--- openssh-3.4p1/monitor.h Tue Jun 11 12:42:49 2002
+++ openssh-3.4p1+/monitor.h Sun Jul 21 22:53:14 2002
@@ -50,6 +50,7 @@
MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
MONITOR_REQ_PAM_START,
+ MONITOR_REQ_SETUP_SIA,
MONITOR_REQ_TERM
};
diff -ur openssh-3.4p1/monitor_wrap.c openssh-3.4p1+/monitor_wrap.c
--- openssh-3.4p1/monitor_wrap.c Thu Jun 20 20:43:43 2002
+++ openssh-3.4p1+/monitor_wrap.c Sun Jul 21 22:53:14 2002
@@ -649,6 +649,24 @@
s->ttyfd = -1;
}
+#ifdef HAVE_OSF_SIA
+void
+mm_setup_sia(char *name, char *tty)
+{
+ Buffer m;
+
+ debug3("%s entering", __func__);
+
+ buffer_init(&m);
+ buffer_put_cstring(&m, name);
+ buffer_put_cstring(&m, tty);
+
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SETUP_SIA, &m);
+
+ buffer_free(&m);
+}
+#endif
+
#ifdef USE_PAM
void
mm_start_pam(char *user)
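Review bot: `buffer_put_cstring(&m, tty)` aborts with `fatal("buffer_put_cstring: s == NULL")` when `tty` is NULL, and the session.c hunk passes exactly that whenever no pty was allocated (`s->ttyfd == -1`), so every privsep session without a tty — plain `ssh host cmd` — dies in this wrapper; that is the failure reported later in the thread. Encode the absence explicitly, `buffer_put_cstring(&m, tty == NULL ? "" : tty);`, and have `mm_answer_setup_sia` map the empty string back to NULL before calling `setup_sia()`. Sending `name` at all is questionable since the monitor already knows the authenticated user, but that belongs with the handler.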
diff -ur openssh-3.4p1/monitor_wrap.h openssh-3.4p1+/monitor_wrap.h
--- openssh-3.4p1/monitor_wrap.h Sun May 12 21:07:42 2002
+++ openssh-3.4p1+/monitor_wrap.h Sun Jul 21 22:53:14 2002
@@ -59,6 +59,10 @@
void mm_start_pam(char *);
#endif
+#ifdef HAVE_OSF_SIA
+void mm_setup_sia(char *, char *);
+#endif
+
void mm_terminate(void);
int mm_pty_allocate(int *, int *, char *, int);
void mm_session_pty_cleanup2(void *);
diff -ur openssh-3.4p1/session.c openssh-3.4p1+/session.c
--- openssh-3.4p1/session.c Wed Jun 26 09:51:06 2002
+++ openssh-3.4p1+/session.c Sun Jul 21 23:26:49 2002
@@ -57,6 +57,7 @@
#include "canohost.h"
#include "session.h"
#include "monitor_wrap.h"
+#include "auth-sia.h"
#ifdef HAVE_CYGWIN
#include <windows.h>
@@ -1269,7 +1270,7 @@
*/
if (!options.use_login) {
#ifdef HAVE_OSF_SIA
- session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty);
+ PRIVSEP(setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty));
if (!check_quietlogin(s, command))
do_motd();
#else /* HAVE_OSF_SIA */
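Review bot: With privsep on, `PRIVSEP(setup_sia(...))` moves `sia_ses_estab()` and `sia_ses_launch()` into the monitor process, so whatever per-process state SIA's launch step establishes — the state the non-privsep path relied on before its `setreuid()` — is now applied to the monitor rather than to this child, which is the process about to exec the user's shell. I can't tell from here whether SIA requires those calls to run in the exec'ing process, and the patch does not say; the line needs a comment once that is settled, e.g. `/* privsep: SIA session is established by the monitor; this child must already be running as the user */`, with the second half confirmed against the privsep child's uid handling. do_child() starts and ends outside this hunk.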
Hey Ben, I pulled the latest snap shot (20020801) and got your patch to apply with only one chunk rejected. I have been able to login with the new code using the OpenSSH client, ssh.com 3.1.0 and putty 0.52. "It works for me." Any other data points you are interested in? Thanks for the work you put into this. Keith -----Original Message----- From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org] Sent: Sunday, August 11, 2002 5:38 PM To: OpenSSH Development Subject: OSF/1 or Tru64 patch for Privsep Either this never made it to the list or no one cares about Tru64. This is the last time I'll send this patch to the list. If no one steps up and finishes it or provides me with enough information to fix any remaining bugs (one being complaint that 'ssh site cmd' does not work right). If there is no activity on this for a week. I'll post it to bugzilla and will ignore any request for me to fix Tru64. I do thank everyone that has privately contributed help in regards to testing and such. This patch may apply to 3.4p1, but I'd perfer testing to be done on -cvs. - Ben
HAVE_OSF_SIA yes X11 forward yes remote command execution fails with "buffer_put_cstring: s == NULL" I am looking into where things failing at. -----Original Message----- From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org] Sent: Monday, August 12, 2002 11:08 AM To: SCHINCKE, KEITH (JSC-SM) (LM) Cc: OpenSSH Development Subject: RE: OSF/1 or Tru64 patch for Privsep try everything... X11 forward, port forwarding, executing remote commands. Everything needs to be tested.. Also check to ensure HAVE_OSF_SIA is set in your config.h. - Ben On Mon, 12 Aug 2002, SCHINCKE, KEITH (JSC-SM) (LM) wrote:> Hey Ben, > > I pulled the latest snap shot (20020801) and got your patch to apply with > only one chunk rejected. > > I have been able to login with the new code using the OpenSSH client, > ssh.com 3.1.0 and putty 0.52. > > "It works for me." > > Any other data points you are interested in? > > Thanks for the work you put into this. > > Keith > > -----Original Message----- > From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org] > Sent: Sunday, August 11, 2002 5:38 PM > To: OpenSSH Development > Subject: OSF/1 or Tru64 patch for Privsep > > > > Either this never made it to the list or no one cares about Tru64. This > is the last time I'll send this patch to the list. If no one steps up and > finishes it or provides me with enough information to fix any remaining > bugs (one being complaint that 'ssh site cmd' does not work right). > > If there is no activity on this for a week. I'll post it to bugzilla and > will ignore any request for me to fix Tru64. > > I do thank everyone that has privately contributed help in regards to > testing and such. > > This patch may apply to 3.4p1, but I'd perfer testing to be done on -cvs. > > - Ben >
Remote execution works with privsep turned off. Ok, I have traced some things down to where the program stops. session.c:do_child() calls the privsep wrapper for setup_sia (mm_setup_sia is actuall called) s->ttyfd is -1 so NULL passed in as the tty. monitor_wrap.c:mm_setup_sia calls buffer_put_cstring(&m, tty) bufaux.c:buffer_put_cstring calls fatal() when s is NULL. I am still new to looking at the code but why not do 'buffer_put_string(&m,tty,strlen(tty));' in monitor_wrap.c:mm_setup_sia? -----Original Message----- From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org] Sent: Monday, August 12, 2002 1:31 PM To: SCHINCKE, KEITH (JSC-SM) (LM) Cc: OpenSSH Development Subject: RE: OSF/1 or Tru64 patch for Privsep Every also test w/ and w/out Privsep so we don't break the non-privsep case. (That would be a *REAL* shame if we did. <weak smile>) - Ben On Mon, 12 Aug 2002, SCHINCKE, KEITH (JSC-SM) (LM) wrote:> HAVE_OSF_SIA yes > X11 forward yes > remote command execution fails with "buffer_put_cstring: s == NULL" > > I am looking into where things failing at. > > -----Original Message----- > From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org] > Sent: Monday, August 12, 2002 11:08 AM > To: SCHINCKE, KEITH (JSC-SM) (LM) > Cc: OpenSSH Development > Subject: RE: OSF/1 or Tru64 patch for Privsep > > > > try everything... X11 forward, port forwarding, executing remote commands. > > Everything needs to be tested.. Also check to ensure HAVE_OSF_SIA is set > in your config.h. > > - Ben > > On Mon, 12 Aug 2002, SCHINCKE, KEITH (JSC-SM) (LM) wrote: > > > Hey Ben, > > > > I pulled the latest snap shot (20020801) and got your patch to applywith> > only one chunk rejected. > > > > I have been able to login with the new code using the OpenSSH client, > > ssh.com 3.1.0 and putty 0.52. > > > > "It works for me." > > > > Any other data points you are interested in? > > > > Thanks for the work you put into this. 
> > > > Keith > > > > -----Original Message----- > > From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org] > > Sent: Sunday, August 11, 2002 5:38 PM > > To: OpenSSH Development > > Subject: OSF/1 or Tru64 patch for Privsep > > > > > > > > Either this never made it to the list or no one cares about Tru64. This > > is the last time I'll send this patch to the list. If no one steps upand> > finishes it or provides me with enough information to fix any remaining > > bugs (one being complaint that 'ssh site cmd' does not work right). > > > > If there is no activity on this for a week. I'll post it to bugzillaand> > will ignore any request for me to fix Tru64. > > > > I do thank everyone that has privately contributed help in regards to > > testing and such. > > > > This patch may apply to 3.4p1, but I'd perfer testing to be done on-cvs.> > > > - Ben > > >
On Tue, 2002-08-13 at 01:50, SCHINCKE, KEITH (JSC-SM) (LM) wrote:> Hey Ben, > > I pulled the latest snap shot (20020801) and got your patch to apply with > only one chunk rejected. > > I have been able to login with the new code using the OpenSSH client, > ssh.com 3.1.0 and putty 0.52. > > "It works for me." > > Any other data points you are interested in? If you could run the regression tests in regress/, that would be useful. You do need Berkeley make, though. -d