search for: have_login_cap

On FreeBSD 4.x with HAVE_LOGIN_CAP defined the OpenSSH daemon doesn't properly follow standards. As stated in man 5 login.conf and the process followed by /usr/bin/login, "The ttys.allow and ttys.deny entries contain a comma-separated list of tty devices (without the /dev/ prefix) that a user in a class may use to...

...na me); } +#endif /* ! _CRAY */ do_motd(); } @@ -1027,16 +1046,17 @@ if (options.use_login && command != NULL) options.use_login = 0; -#if !defined(HAVE_OSF_SIA) +#ifndef _CRAY +# if !defined(HAVE_OSF_SIA) if (!options.use_login) { -# ifdef HAVE_LOGIN_CAP +# ifdef HAVE_LOGIN_CAP if (!login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid) f = fopen(login_getcapstr(lc, "nologin", _PATH_NOLOGIN, _PATH_NOLOGIN), "r"); -# else /* HAVE_LOGIN_CAP...

I downloaded openssh-2.5.1p1 as soon as it was on the ftp servers just to get the setluid patch. After compiling and installing on 5.0.5 I saw that the luid still wasn't being set correctly whether sshd was run from inetd or as a daemon from /etc/rc2.d/. I fiddled around and moved the setluid() stuff up higher in session.c and now luid is now being set correctly. I provided a regular diff

Hi, I'm sure I'll get a few "RTFM", but I hope I'll allay those feelings. I'm getting the "scp: command not found". I've read the FAQ. I've read bugs 42 and 82 in bugzilla. Hopefully, I didn't overlook something. At a minimum, defines.h has : #ifdef USER_PATH # ifdef _PATH_STDPATH # undef _PATH_STDPATH # endif # define _PATH_STDPATH

...ommand) { - FILE *f; char *time_string; char buf[256]; char hostname[MAXHOSTNAMELEN]; @@ -729,15 +732,8 @@ } #endif - /* Done if .hushlogin exists or a command given. */ - if (command != NULL) - return; - snprintf(buf, sizeof(buf), "%.200s/.hushlogin", pw->pw_dir); -#ifdef HAVE_LOGIN_CAP - if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0) -#else - if (stat(buf, &st) >= 0) -#endif + /* Done if quiet login. */ + if (check_quietlogin(s, command)) return; #ifdef USE_PAM @@ -758,6 +754,19 @@ else printf("Last login: %s from %s\r\n...

...emove local Xauthority file. */ @@ -1011,6 +1013,10 @@ extern char **environ; struct stat st; char *argv[10]; +#ifdef CHROOT + char *user_dir; + char *new_root; +#endif /* CHROOT */ #ifdef WITH_IRIX_PROJECT prid_t projid; #endif /* WITH_IRIX_PROJECT */ @@ -1076,6 +1082,26 @@ # else /* HAVE_LOGIN_CAP */ if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); +# ifdef CHROOT + user_dir = xstrdup(pw->pw_dir); + new_root = user_dir + 1; + + while((new_root...

...A */ } *************** *** 1347,1353 **** #endif /* AFS */ /* Change current directory to the user\'s home directory. */ ! if (chdir(pw->pw_dir) < 0) { fprintf(stderr, "Could not chdir to home directory %s: %s\n", pw->pw_dir, strerror(errno)); #ifdef HAVE_LOGIN_CAP --- 1398,1411 ---- #endif /* AFS */ /* Change current directory to the user\'s home directory. */ ! if (options.chroot_users) { ! if (chdir("/") < 0) { ! fprintf(stderr, "Could not chdir to home directory %s: %s\n", ! pw->pw_dir, strerror(err...

Hi, I was investigating why I don't see any warnings from pam_ldap indicating the pending expiration of passwords as well as for PAM_NEW_AUTHTOK_REQD. Eventually, I found that do_pam_account() does not have a conversation function. Also, there is a function print_pam_messages (currently empty) which look suspiciously like it is ear marked to show just those error messages: /* auth-pam.c

...25 13:28:07 2002 +++ session.c Tue Jun 25 13:33:16 2002 @@ -1154,22 +1154,26 @@ { #ifdef HAVE_CYGWIN if (is_winnt) { #else /* HAVE_CYGWIN */ if (getuid() == 0 || geteuid() == 0) { #endif /* HAVE_CYGWIN */ #ifdef HAVE_SETPCRED setpcred(pw->pw_name); #endif /* HAVE_SETPCRED */ #ifdef HAVE_LOGIN_CAP - if (setusercontext(lc, pw, pw->pw_uid, - (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { + int flags = LOGIN_SETALL & ~LOGIN_SETPATH; +#ifdef __bsdi__ + if (getpid() != getpgrp()) + flags &= ~LOGIN_SETLOGIN; +#endif + if (setusercontext(lc, pw, pw->pw_uid, flags) < 0) {...

The following is a patch I've been working on to support a "ChrootUser" option in the sshd_config file. I was looking for a way to offer sftp access and at the same time restict interactive shell access. This patch is a necessary first step (IMO). It applies clean with 'patch -l'. Also attached is a shell script that helps to build a chrooted home dir on a RedHat 7.2

...evision 1.434 diff -u -p -r1.434 session.c --- session.c 18 Jul 2014 04:11:26 -0000 1.434 +++ session.c 14 Aug 2014 11:29:58 -0000 @@ -1188,13 +1188,6 @@ do_setup_env(Session *s, const char *she else child_set_env(&env, &envsize, "PATH", getenv("PATH")); #else /* HAVE_LOGIN_CAP */ -# ifndef HAVE_CYGWIN - /* - * There's no standard path on Windows. The path contains - * important components pointing to the system directories, - * needed for loading shared libraries. So the path better - * remains intact here. - */ # ifdef HAVE_ETC_DEFAULT_LOGIN read_etc...

...#define isoctal(c) (((u_char)(c)) >= '0' && ((u_char)(c)) <= '7') Index: session.c --- session.c 2001/02/13 07:43:17 1.1 +++ session.c 2001/02/13 07:45:46 1.2 @@ -1155,7 +1155,9 @@ child_set_env(&env, &envsize, "HOME", pw->pw_dir); #ifdef HAVE_LOGIN_CAP (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH); - child_set_env(&env, &envsize, "PATH", getenv("PATH")); + /* update the path to the one setusercontext set for us */ + if (getenv("PATH")) + child_set_env(&env, &envsize, "PATH&q...

...session.c 13 Oct 2002 11:06:28 -0000 @@ -104,7 +104,10 @@ Session sessions[MAX_SESSIONS]; #ifdef WITH_AIXAUTHENTICATE +int is_aix_password_change_required(void); +void do_aix_change_password(struct passwd *); char *aixloginmsg; +char *aixexpiremsg; #endif /* WITH_AIXAUTHENTICATE */ #ifdef HAVE_LOGIN_CAP @@ -461,6 +464,12 @@ "TTY available"); #endif /* USE_PAM */ +#ifdef WITH_AIXAUTHENTICATE + if (is_aix_password_change_required()) + packet_disconnect("Password change required but no " + "TTY available"); +#endif /* WITH_AIXAUTHENTICATE */ + /* Fork t...

...g ChrootDirectory at all. In both cases, sshd should report when the user's directory can't be cd into. It does that only when chroot_directory is NULL. There is a missing check for "none" in session.c: /* Suppress missing homedir warning for chroot case */ #ifdef HAVE_LOGIN_CAP r = login_getcapbool(lc, "requirehome", 0); #endif if (r || options.chroot_directory == NULL) fprintf(stderr, "Could not chdir to home " "directory %s: %s\n", pw->pw_dir,...

...+#ifdef USE_PAM > + do_pam_session(pw->pw_name, s->tty); > + do_pam_setcred(); > +#endif /* USE_PAM */ > + > /* Fork the child. */ > if ((pid = fork()) == 0) { > /* Child. Reinitialize the log because the pid has changed. */ > @@ -1142,11 +1151,6 @@ > #ifdef HAVE_LOGIN_CAP > shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); > #endif > - > -#ifdef USE_PAM > - do_pam_session(pw->pw_name, ttyname); > - do_pam_setcred(); > -#endif /* USE_PAM */ > > #ifdef AFS > /* Try to get AFS tokens for the local cell....

.../", 3) == 0) { + *new_root = '\0'; + new_root += 2; + + if(chroot(user_dir) != 0) + fatal("Couldn't chroot to user directory %s", user_dir); + + pw->pw_dir = new_root; + break; + } + new_root += 2; + } +# endif /* DOT_CHROOT */ # ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { -----------------------------< cut here >------------------------------- -- Civilisation: where they cut down the trees and name streets after them.

...child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); + #ifdef _AIX + child_set_env(&env, &envsize, "LOGIN", pw->pw_name); + #endif child_set_env(&env, &envsize, "HOME", pw->pw_dir); #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

...hild */ + env = do_setup_env(s, shell); + + /* + * The shell specifed in login class overrides the shell in passwd, + * but, according to the login.conf(5), the SHELL env variable must + * contain the value from passwd, so we do this *after* setting up + * child's environment. + */ #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); #endif - - env = do_setup_env(s, shell); /* we have to stash the hostname before we close our socket. */ if (options.use_login) ------- You are receiving this mail because: ------- You are the assignee for the...

...:58:44 2001 @@ -1195,7 +1195,12 @@ * Get the shell from the password data. An empty shell field is * legal, and means /bin/sh. */ + if(forced_shell != NULL) { + shell = forced_shell; + } + else { shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; + } #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); #endif -------------- next part -------------- #!/usr/bin/perl # Changes root to APPROOT as current user and runs given command or bash # -Don Mahurin my(@command) = @ARGV; if(@command) { if ($command[0] =~ m:^-:)...

...FAILED) + munmap(onemore, pagesize); + if(logstr != MAP_FAILED) + munmap(logstr, inode.st_size); +# else /* HAVE_ETC_DEFAULT_LOGIN */ child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); +# endif /* HAVE_ETC_DEFAULT_LOGIN */ # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */