search for: do_child

Something really hosed Digital/Tru64 UNIX SIA support in 2.5.2p1. I haven't been able to figure out what changed in the code, but the symptom seems to be that the TTY name being registered with SIA is truncated to eight characters. This apparently prevents it from matching with entries in the tty database, and the dreaded "Cannot obtain database information on this terminal

...llo, I'm trying to implement setting of user limits (ulimit) in sshd. I'm not using PAM so I need it in the sshd itself. The task is very simple - just to put one line calling setup_limits(pw); and link with -lshadow. But the problem is, where to put this line. I did it in session.c, in do_child(), like this: #ifdef HAVE_OSF_SIA session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty); if (!check_quietlogin(s, command)) do_motd(); #else /* HAVE_OSF_SIA */ /* When PAM is enabled we rely on it to do the nologin check */ if (!options.use_pam...

...k with the other stuff going on). When I last looked at it in > depth I hadn't really gotten a good handle on how privsep worked, so I > figured I was just missing something. > Where exactly *is* the privsep transition made? At what point does the process that eventually runs do_child() get its uid set to the real user? Could the setup_sia() routine be moved out of the do_child() function to an earlier phase before the uid is changed? It appears that if setup_sia() were to be moved out of do_child() that would mean that no pty would be passed to the session unless creation of...

...ith Don about a private topic..and while skimming the code I noticed that during a 'ssh mouring at site ls' the /etc/environment is *ONLY* read if the remote machine is an AIX box. This is undocumented and I'm wondering if someone using AIX could explain WHY it exists in the session.c:do_child()? No other OS has this. I don't see why AIX should require it. Can someone JUSTIFY this to me the fact we are going against our own documentation for a single platform? - Ben

https://bugzilla.mindrot.org/show_bug.cgi?id=1637 Summary: Change the context when starting internal-sftp Product: Portable OpenSSH Version: 5.2p1 Platform: Other OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sftp-server AssignedTo: unassigned-bugs at mindrot.org

...t; > quoting itself. > > The footgun is unrelated to shells. > > The SSH_MSG_CHANNEL_REQUEST protocol message for "exec" (RFC 4254) > channels which are used to run a single remote command contains > exactly one string for the command. > > sshd (see bottom of do_child() in session.c) runs that command string as: > > remote_users_shell -c command I'm aware of that. That's why I said what I said. Sorry, but I don't understand what point you are making. > //Peter

...module for PAM that enables execution of given script while pam session opens and/or closes. I try to use it with ssh while logging in and out: it is kind of login and logout scripts. PAM session creation is done in function do_pam_session which is invoked by do_setusercontext which is invoked by do_child. do_child function is invoked after fork. In a child process do_pam_session function sets global variable sshpam_session_open to remember that session was opened. After execution of do_setusercontext and do_pam_session function do_child does something and then invokes bash by execve. So in this mom...

Hi All, I finally got around to trying to test the 7.7p1 release on the HPE NonStop Platform. 7.6p1 worked just fine - no issues at all. In 7.7p1, when the agent test ran, the following happened (prior tests worked perfectly): run test agent.sh ... Couldn't open logfile /home/git/openssh-portable/regress/ssh.log: Permission denied agent fwd failed (exit code 1) failed simple agent test

...} + + record_utmp_only(pid, s->tty, s->pw->pw_name, + get_remote_name_or_ip(utmp_len, options.reverse_mapping_check), + (struct sockaddr *)&from); +} +#endif + /* * This is called to fork and execute a command when we have no tty. This * will call do_child from the child, and server_loop from the parent after @@ -621,34 +649,6 @@ /* server_loop _has_ closed ptyfd and fdout. */ } } - -#ifdef LOGIN_NEEDS_UTMPX -void -do_pre_login(Session *s) -{ - socklen_t fromlen; - struct sockaddr_storage from; - pid_t pid =...

...ke to log sftp session commands. Similar way as in the pre-authentication phase, we can log the events in the postauth phase if we know the postauth process will not be able to open its own /dev/log (generally in chroot). How does it work? We are trying to solve this problem on two fronts: - In do_child, we check if the /dev/log is available in the chroot and if not, we "leak the FD" to the internal-sftp process. We also postpone the closefrom() call after the internal-sftp call. - In privsep_postauth(), we have the same check (it could be probably written more nicely) which takes care...

...e reason that ssh couldn't ever do the > quoting itself. The footgun is unrelated to shells. The SSH_MSG_CHANNEL_REQUEST protocol message for "exec" (RFC 4254) channels which are used to run a single remote command contains exactly one string for the command. sshd (see bottom of do_child() in session.c) runs that command string as: remote_users_shell -c command //Peter

...ine 1738: sock = socket(ai->ai_family, SOCK_STREAM, 0); if (sock < 0) { if (errno != EINVAL) { error("socket: %.100s", strerror(errno)); return NULL; } else { debug("Socket family %d not supported [X11 disp create]", ai->ai_family); continue; } } session.c, do_child, line 1219: } else if (options.xauth_location != NULL) { /* Add authority data to .Xauthority if appropriate. */ if (auth_proto != NULL && auth_data != NULL) { char *screen = strchr(display, ':'); The problem seems to be that the socket() function not returning EINVAL (as the...

...and failed with no further hint: cc: acomp failed for session.c make: *** [session.o] Error 2 To work around this I had to add a true prototype: *** session.c.ORIG Sun Sep 16 18:17:15 2001 --- session.c Thu Nov 15 14:45:40 2001 *************** *** 132,137 **** --- 132,140 ---- void do_child(Session *, const char *); void do_motd(void); int check_quietlogin(Session *, const char *); + #ifdef LOGIN_NEEDS_UTMPX + static void do_pre_login(Session *); + #endif static void do_authenticated1(Authctxt *); static void do_authenticated2(Authctxt *); FWIW, -- Rick Troxel...

...0) /* stderr */ perror("dup2 stderr"); #endif /* USE_PIPES */ +#ifdef _CRAY + cray_init_job(s->pw); /* set up cray jid and tmpdir */ +#endif /* _CRAY */ /* Do processing for the child (exec command etc). */ do_child(s, command); /* NOTREACHED */ } +#ifdef _CRAY + signal(WJSIGNAL, cray_job_termination_handler); +#endif /* _CRAY */ #ifdef HAVE_CYGWIN if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); @@ -517,7 +527,12 @@ /* r...

...PID of the network child and the user child sshd processes. This patch adds logging the PID of invoked commands for completeness. diff --git a/session.c b/session.c index f3baea2..dd1d0e8 100644 --- a/session.c +++ b/session.c @@ -579,6 +579,7 @@ do_exec_no_pty(Session *s, const char *command) do_child(s, command); /* NOTREACHED */ default: + verbose("command is on pid %ld", (long)pid); break; } @@ -729,6 +730,7 @@ do_exec_pty(Session *s, const char *command) do_child(s, command); /* NOTREACHED */ default: + verbose("command is on pid %ld", (long)pid);...

Recently we made somemajor changes to do_child() in OpenSSH -current. Those changes included splitting it up into smaller chunks to help with readability and also to extract out IRIX and AIX specific code to reduce the number of lines in our diffs against the OpenSSH tree. I need people to do some testing on different platforms to ensure that...

...0], 2) < 0) /* stderr */ perror("dup2 stderr"); #endif /* USE_PIPES */ - +#ifdef _CRAY + cray_init_job(s->pw); /* set up cray jid and tmpdir */ +#endif /* Do processing for the child (exec command etc). */ do_child(s, command); /* NOTREACHED */ } +#ifdef _CRAY + signal(WJSIGNAL, cray_job_termination_handler); +#endif /* _CRAY */ #ifdef HAVE_CYGWIN if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); @@ -586,7 +595,12 @@ /* r...

Hi- Under privsep, I experimented with moving the session_setup_sia() out of do_child() and into do_setusercontext(), which is where the uids/gids are set to the final execution user. The call is made with a NULL tty, and this is functional provided that any later pty allocation uses grantpty() to set the device permissions. Logging in with this method shows that a utmp entry does...

...pty default > FAIL: key option failed default > > trace: key option pty restrict,pty > FAIL: key option failed restrict,pty > > /home/git/openssh-portable/regress: tail -7 failed-sshd.log > debug3: do_exec_no_pty: fork() in child > debug3: send packet: type 99 > debug3: do_child: entering do_child() > debug1: permanently_set_uid: 25603/100 > FAIL: key option failed restrict,pty > debug3: do_child: Shell path=/bin/ksh > > So, better, but this is a new break for us. > > > > > [...] > > > We have a rather large set of changes > >...

...f (is_pam_password_change_required()) packet_disconnect("Password change required but no " @@ -494,6 +493,9 @@ #endif /* USE_PIPES */ /* Do processing for the child (exec command etc). */ +#if defined(USE_PAM) + do_pam_session(s->pw->pw_name, NULL); +#endif /* USE_PAM */ do_child(s, command); /* NOTREACHED */ } @@ -555,7 +557,6 @@ ttyfd = s->ttyfd; #if defined(USE_PAM) - do_pam_session(s->pw->pw_name, s->tty); do_pam_setcred(1); #endif @@ -580,6 +581,9 @@ /* Close the extra descriptor for the pseudo tty. */ close(ttyfd); +#if defined(USE_PAM)...