search for: mon_dispatch

...TOR_REQ_PTY, MON_ONCE, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, +#ifdef HAVE_OSF_SIA + {MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia}, +#endif {0, 0, NULL} }; @@ -307,10 +317,16 @@ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); +#ifdef HAVE_OSF_SIA + monitor_permit(mon_dispatch, MONITOR_REQ_SETUP_SIA, 1); +#endif } else { mon_dispatch = mon_dispatch_postauth15; monitor_permit(mon_d...

...TOR_REQ_PTY, MON_ONCE, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, +#ifdef HAVE_OSF_SIA + {MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia}, +#endif {0, 0, NULL} }; @@ -307,10 +317,16 @@ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); +#ifdef HAVE_OSF_SIA + monitor_permit(mon_dispatch, MONITOR_REQ_SETUP_SIA, 1); +#endif } else { mon_dispatch = mon_dispatch_postauth15; monitor_permit(mon_d...

...TOR_REQ_PTY, MON_ONCE, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, +#ifdef HAVE_OSF_SIA + {MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia}, +#endif {0, 0, NULL} }; @@ -307,10 +317,16 @@ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); +#ifdef HAVE_OSF_SIA + monitor_permit(mon_dispatch, MONITOR_REQ_SETUP_SIA, 1); +#endif } else { mon_dispatch = mon_dispatch_postauth15; monitor_permit(mon_d...

I think I've found a bug with sshd handling audit events for commands (like scp) over ssh1 connections. Specifically, after updating to a recent FreeBSD 6.x with audit support, I'm getting log messages like these when using scp over ssh1: Sep 12 14:13:16 <auth.info> bm55 sshd[12335]: Accepted rsa for xxx from A.B.C.D port 2981 Sep 12 14:13:16 <auth.crit> bm55 sshd[12335]:

...ONCE, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, +#ifdef USE_PAM + {MONITOR_REQ_PAM_CHAUTHTOK, 0, mm_answer_pam_chauthtok}, +#endif {0, 0, NULL} }; @@ -328,6 +335,7 @@ if (!no_pty_flag) { monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_CHAUTHTOK, 1); } for (;;) @@ -746,6 +754,56 @@ xfree(user); return (0); +} + +int +mm_answer_pam_chauthtok(int socket, Buffer *m) +{ + pid_t pid; + int ttyfd...

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

...ONCE, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, +#ifdef USE_PAM + {MONITOR_REQ_PAM_CHAUTHTOK, 0, mm_answer_pam_chauthtok}, +#endif {0, 0, NULL} }; @@ -328,6 +335,7 @@ if (!no_pty_flag) { monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_CHAUTHTOK, 1); } for (;;) @@ -746,6 +754,49 @@ xfree(user); return (0); +} + +int +mm_answer_pam_chauthtok(int socket, Buffer *m) +{ + pid_t pid; + int ttyfd...

...TOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, +#endif #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, @@ -602,6 +609,9 @@ else { /* Allow service/style information on the auth context */ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); +#ifdef WITH_SELINUX + monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); +#endif monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); } @@ -646,6 +656,25 @@ return (0); } +#ifdef WITH_SELINUX +int +mm_answer_authrole(int sock, Buffer *m) +{ +...

...swer_pam_start}, + {MONITOR_REQ_PAMQUERY, MON_ISAUTH, mm_answer_sshpamquery}, + {MONITOR_REQ_PAMRESPOND, MON_AUTH, mm_answer_sshpamrespond}, + {MONITOR_REQ_PAM_FREE_CTX, 0, mm_answer_sshpam_free_ctx}, +#endif {0, 0, NULL} }; @@ -731,6 +753,100 @@ xfree(user); + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_INIT_CTX, 1); + + return (0); +} + +int +mm_answer_sshpam_init_ctx(int socket, Buffer *m) +{ + debug3("%s: entering", __func__); + + if (sshpam_auth_ctxt == NULL) + sshpam_auth_ctxt = sshpam_init_ctx(authctxt); + + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1...

...swer_pam_start}, + {MONITOR_REQ_PAMQUERY, MON_ISAUTH, mm_answer_sshpamquery}, + {MONITOR_REQ_PAMRESPOND, MON_AUTH, mm_answer_sshpamrespond}, + {MONITOR_REQ_PAM_FREE_CTX, 0, mm_answer_sshpam_free_ctx}, +#endif {0, 0, NULL} }; @@ -734,6 +756,100 @@ xfree(user); + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_INIT_CTX, 1); + + return (0); +} + +int +mm_answer_sshpam_init_ctx(int socket, Buffer *m) +{ + debug3("%s: entering", __FUNCTION__); + + if (sshpam_auth_ctxt == NULL) + sshpam_auth_ctxt = sshpam_init_ctx(authctxt); + + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CT...

...answer_krb5}, #endif +#ifdef GSSAPI + {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx}, + {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, + {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, +#endif {0, 0, NULL} }; @@ -320,7 +335,6 @@ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); - } else { mon_dispatch = mon_dispatch_postauth15; monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); @@ -1586,3 +1600,77 @@ mon->m_recvfd = pair[0]; m...

...pe shared between the monitor and child, and making the child wait until the monitor end closes, which it should do after permitting the monitor calls. I believe the pipe close (granting permission to continue) should be at the end of monitor.c:mm_answer_sign, right after the line: monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1); Of course, I could be wrong. On the other hand, I have not been able to figure out where to place the pipe read (waiting for permission) call. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- Y...

Hey. I've noticed the following behavior and wondered whether it's possibly a bug or why it behaves like this: When having a SSH connection, than it seems there may be two sshd processes for that, one running as root the other as the user. As far as I know this is because of privilege separation, like e.g.: ??sshd(2931)???sshd(10174)???bash(10180) ?

...e(pmonitor->m_recvfd); + pmonitor->m_recvfd = -1; + monitor_set_child_handler(pmonitor->m_pid); signal(SIGHUP, &monitor_child_handler); signal(SIGTERM, &monitor_child_handler); @@ -454,6 +480,9 @@ monitor_child_postauth(struct monitor *p for (;;) monitor_read(pmonitor, mon_dispatch, NULL); + + close(pmonitor->m_sendfd); + pmonitor->m_sendfd = -1; } void @@ -465,6 +494,45 @@ monitor_sync(struct monitor *pmonitor) } } +static int +monitor_read_log(struct monitor *pmonitor) +{ + Buffer logmsg; + u_int len, level; + char *msg; + + buffer_init(&logmsg); + buffer...

...f_len); xfree(x1_proof); xfree(x2_proof); @@ -2220,7 +2220,7 @@ debug3("%s: sending step2", __func__); mm_request_send(sock, MONITOR_ANS_JPAKE_STEP2, m); - bzero(x4_s_proof, x4_s_proof_len); + memset(x4_s_proof, 0, x4_s_proof_len); xfree(x4_s_proof); monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_KEY_CONFIRM, 1); @@ -2254,7 +2254,7 @@ JPAKE_DEBUG_CTX((pctx, "key_confirm done in %s", __func__)); - bzero(x2_s_proof, x2_s_proof_len); + memset(x2_s_proof, 0, x2_s_proof_len); buffer_clear(m); /* pctx->k is sensitive, not sent */ @@ -2288,7 +2288,...

...xfree(x2_proof); @@ -2220,7 +2220,7 @@ debug3("%s: sending step2", __func__); mm_request_send(sock, MONITOR_ANS_JPAKE_STEP2, m); - bzero(x4_s_proof, x4_s_proof_len); + memset(x4_s_proof, 0, x4_s_proof_len); xfree(x4_s_proof); monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_KEY_CONFIRM, 1); @@ -2254,7 +2254,7 @@ JPAKE_DEBUG_CTX((pctx, "key_confirm done in %s", __func__)); - bzero(x2_s_proof, x2_s_proof_len); + memset(x2_s_proof, 0, x2_s_proof_len); buffer_clear(m); /* pctx->k is sensitive, not sen...