search for: mm_master

Linux 2.2 (and probably others) have a deficient mmap which has caused a number of problems (e.g. bug #285). A workaround is in development, but it would be helpful to have a configure test to detect the bad mmaps(). Any takers? -d

...pfd[1].revents) { + /* + * Drain all log messages before processing next + * monitor request. + */ + monitor_read_log(pmonitor); + continue; + } + if (pfd[0].revents) + break; /* Continues below */ + } buffer_init(&m); @@ -1851,17 +1940,30 @@ mm_init_compression(struct mm_master *mm } while (0) static void -monitor_socketpair(int *pair) +monitor_openfds(struct monitor *mon, int do_logfds) { #ifdef HAVE_SOCKETPAIR - if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) - fatal("%s: socketpair", __func__); + int pair[2]; + + if (socketpair(AF_UNIX, SOCK_STRE...

...r_mm.c 2006-01-07 18:39:36.000000000 +0000 @@ -35,6 +35,8 @@ RCSID("$OpenBSD: monitor_mm.c,v 1.9 2004 #include "log.h" #include "monitor_mm.h" +#ifdef USE_PRIVSEP + static int mm_compare(struct mm_share *a, struct mm_share *b) { @@ -343,3 +345,5 @@ mm_memvalid(struct mm_master *mm, void * if (end > (void *)((u_char *)mm->address + mm->size)) fatal("mm_memvalid: address too large: %p", address); } + +#endif --- openssh-4.2p1/monitor_wrap.c~ 2005-07-17 08:53:31.000000000 +0100 +++ openssh-4.2p1/monitor_wrap.c 2006-01-07 18:40:15.000000000 +0000 @@...

...) { error("This platform does not support both privilege " "separation and compression"); --- work.i386/openssh-3.3p1/monitor_mm.c- Tue Jun 25 23:42:02 2002 +++ work.i386/openssh-3.3p1/monitor_mm.c Tue Jun 25 23:43:11 2002 @@ -71,6 +71,9 @@ { void *address; struct mm_master *mm; +#if defined(HAVE_MMAP) && !defined(MAP_ANON) + int fd; +#endif if (mmalloc == NULL) mm = xmalloc(sizeof(struct mm_master)); @@ -87,6 +90,13 @@ #if defined(HAVE_MMAP) && defined(MAP_ANON) address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, -1,...

...E(WITH_IRIX_JOBS)]) AC_DEFINE(BROKEN_INET_NTOA) AC_DEFINE(WITH_ABBREV_NO_TTY) + AC_DEFINE(HAVE_MMAP_DEV_ZERO) ;; *-*-linux*) no_dev_ptmx=1 --- ./monitor_mm.c Tue Jun 25 20:29:03 2002 +++ ../openssh-3.4p1/./monitor_mm.c Wed Jun 26 17:54:29 2002 @@ -71,6 +71,9 @@ { void *address; struct mm_master *mm; +#if defined(HAVE_MMAP_DEV_ZERO) + int fd_zero; +#endif if (mmalloc == NULL) mm = xmalloc(sizeof(struct mm_master)); @@ -84,7 +87,16 @@ */ mm->mmalloc = mmalloc; -#ifdef HAVE_MMAP_ANON_SHARED +#if defined(HAVE_MMAP_DEV_ZERO) + fd_zero = open ("/dev/zero", O_RDWR);...

..._mm.h Thu Sep 12 04:43:31 2002 +++ openssh-3.7.1p2/monitor_mm.h Sat Oct 4 22:45:11 2003 @@ -29,6 +29,7 @@ #define _MM_H_ #include "openbsd-compat/sys-tree.h" +#ifndef DISABLE_PRIVSEP struct mm_share { RB_ENTRY(mm_share) next; void *address; @@ -63,4 +64,5 @@ void mm_free(struct mm_master *, void *); void mm_memvalid(struct mm_master *, void *, size_t); +#endif /* DISABLE_PRIVSEP */ #endif /* _MM_H_ */ diff -adurN openssh-3.7.1p2.privsep/monitor_wrap.h openssh-3.7.1p2/monitor_wrap.h --- openssh-3.7.1p2.privsep/monitor_wrap.h Tue Sep 2 16:51:17 2003 +++ openssh-3.7.1p2/monitor_w...

...-- snip snip --- monitor.h.orig Tue Jun 4 18:49:51 2002 +++ monitor.h Tue Jun 4 18:49:58 2002 @@ -50,7 +50,7 @@ MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, MONITOR_REQ_PAM_START, - MONITOR_REQ_TERM, + MONITOR_REQ_TERM }; struct mm_master; --- log.h.orig Tue Jun 4 17:51:55 2002 +++ log.h Tue Jun 4 17:52:03 2002 @@ -33,7 +33,7 @@ SYSLOG_FACILITY_LOCAL5, SYSLOG_FACILITY_LOCAL6, SYSLOG_FACILITY_LOCAL7, - SYSLOG_FACILITY_NOT_SET = -1, + SYSLOG_FACILITY_NOT_SET = -1 } SyslogFacility; typedef enum { @@ -45,7 +45,7 @@ S...

...but still not perfect (on platforms where size_t is larger than u_int). This patch should fix it, although I can't test it: --- openssh-3.5p1/monitor.c-orig Fri Sep 27 05:26:02 2002 +++ openssh-3.5p1/monitor.c Mon Nov 4 18:06:24 2002 @@ -1551,7 +1551,7 @@ void * mm_zalloc(struct mm_master *mm, u_int ncount, u_int size) { - size_t len = size * ncount; + size_t len = (size_t) size * ncount; void *address; if (len == 0 || ncount > SIZE_T_MAX / size) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watchin...

...========================================= RCS file: /usr/local/src/security/openssh/cvs/openssh/monitor.c,v retrieving revision 1.147 diff -u -p -r1.147 monitor.c --- monitor.c 29 May 2011 11:39:38 -0000 1.147 +++ monitor.c 3 Jun 2011 01:05:31 -0000 @@ -1853,13 +1853,8 @@ mm_init_compression(struct mm_master *mm static void monitor_socketpair(int *pair) { -#ifdef HAVE_SOCKETPAIR if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) fatal("%s: socketpair", __func__); -#else - fatal("%s: UsePrivilegeSeparation=yes not supported", - __func__); -#endif FD_CLOSEONEXEC(pair[0...

...char **); +/* auth_krb5 */ +#ifdef KRB5 +/* auth and reply are really krb5_data objects, but we don't want to + * include all of the krb5 headers here */ +int mm_auth_krb5(void *authctxt, void *auth, char **client, void *reply); +#endif + /* zlib allocation hooks */ void *mm_zalloc(struct mm_master *, u_int, u_int); --- openssh-3.4p1/servconf.c.krb Tue Jul 23 15:15:43 2002 +++ openssh-3.4p1/servconf.c Tue Jul 23 15:15:43 2002 @@ -17,7 +17,7 @@ #endif #if defined(KRB5) #ifdef HEIMDAL -#include <krb.h> +#include <krb5.h> #else /* Bodge - but then, so is using the kerberos IV KE...

..._skey_respond(void *, u_int, char **); +/* pam */ +void *mm_pam_init_ctx(struct Authctxt *); +int mm_pam_query(void *, char **, char **, u_int *, char ***, u_int **); +int mm_pam_respond(void *, u_int, char **); +void mm_pam_free_ctx(void *); + /* zlib allocation hooks */ void *mm_zalloc(struct mm_master *, u_int, u_int); Index: servconf.c =================================================================== RCS file: /var/cvs/openssh/servconf.c,v retrieving revision 1.86 diff -u -r1.86 servconf.c --- servconf.c 23 Apr 2002 11:04:52 -0000 1.86 +++ servconf.c 24 Apr 2002 01:03:20 -0000 @@ -55,10 +55,6...

nuqneH, I've tried using TIS authsrv authentication via bsd auth and found it quite limited. The most important restriction it does not log ip and fqdn of the remote peer, nor the application name, to the authentication server. It does not matter much for TIS authsrv, but since other applications do provide such information, our authsrv version uses it for extra authentication restrictions.

...void *, u_int, char **); +/* pam */ +void *mm_sshpam_init_ctx(struct Authctxt *); +int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **); +int mm_sshpam_respond(void *, u_int, char **); +void mm_sshpam_free_ctx(void *); + /* zlib allocation hooks */ void *mm_zalloc(struct mm_master *, u_int, u_int); Index: servconf.c =================================================================== RCS file: /var/cvs/openssh/servconf.c,v retrieving revision 1.93 diff -u -r1.93 servconf.c --- servconf.c 25 Jun 2002 03:22:04 -0000 1.93 +++ servconf.c 2 Jul 2002 02:19:36 -0000 @@ -55,10 +55,6...

...void *, u_int, char **); +/* pam */ +void *mm_sshpam_init_ctx(struct Authctxt *); +int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **); +int mm_sshpam_respond(void *, u_int, char **); +void mm_sshpam_free_ctx(void *); + /* zlib allocation hooks */ void *mm_zalloc(struct mm_master *, u_int, u_int); Index: servconf.c =================================================================== RCS file: /var/cvs/openssh/servconf.c,v retrieving revision 1.92 diff -u -r1.92 servconf.c --- servconf.c 23 Jun 2002 21:29:24 -0000 1.92 +++ servconf.c 25 Jun 2002 01:42:15 -0000 @@ -55,10 +55,6...

...00 @@ -31,7 +31,7 @@ extern int use_privsep; #define PRIVSEP(x) (use_privsep ? mm_##x : x) -enum mm_keytype {MM_NOKEY, MM_HOSTKEY, MM_USERKEY, MM_RSAHOSTKEY, MM_RSAUSERKEY}; +enum mm_keytype {MM_NOKEY, MM_HOSTKEY, MM_CERTKEY, MM_USERKEY, MM_RSAHOSTKEY, MM_RSAUSERKEY}; struct monitor; struct mm_master; @@ -46,6 +46,7 @@ int mm_auth_password(struct Authctxt *, char *); int mm_key_allowed(enum mm_keytype, char *, char *, Key *); int mm_user_key_allowed(struct passwd *, Key *); +int mm_user_cert_key_allowed(struct passwd *, Key *); int mm_hostbased_key_allowed(struct passwd *, char *, char *, K...

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |