search for: monitor_permit

...9 @@ {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, +#ifdef HAVE_OSF_SIA + {MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia}, +#endif {0, 0, NULL} }; @@ -307,10 +317,16 @@ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); +#ifdef HAVE_OSF_SIA + monitor_permit(mon_dispatch, MONITOR_REQ_SETUP_SIA, 1); +#endif } else { mon_dispatch = mon_dispatch_postauth15; monitor...

...9 @@ {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, +#ifdef HAVE_OSF_SIA + {MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia}, +#endif {0, 0, NULL} }; @@ -307,10 +317,16 @@ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); +#ifdef HAVE_OSF_SIA + monitor_permit(mon_dispatch, MONITOR_REQ_SETUP_SIA, 1); +#endif } else { mon_dispatch = mon_dispatch_postauth15; monitor...

...t actually work as it tries to enable it in the monitor_dispatch table (which doesn't even have a REQ_AUDIT_COMMAND in either version 1.5 or 2.0) when it needs to be enabled in the monitor_postauth table instead. So, you can either make it MON_PERMIT like above or you can fix it to not do the monitor_permit() on the passed in table, but do it on the appropriate postauth table instead. I'm using the above patch for now, but if you fix openssh I'll go with the vendor's fix once it makes it into FreeBSD of course. I don't know if the better fix is the patch above to get ssh1 in sync w...

...9 @@ {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, +#ifdef HAVE_OSF_SIA + {MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia}, +#endif {0, 0, NULL} }; @@ -307,10 +317,16 @@ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); +#ifdef HAVE_OSF_SIA + monitor_permit(mon_dispatch, MONITOR_REQ_SETUP_SIA, 1); +#endif } else { mon_dispatch = mon_dispatch_postauth15; monitor...

...R_REQ_PTY, MON_ONCE, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, +#ifdef USE_PAM + {MONITOR_REQ_PAM_CHAUTHTOK, 0, mm_answer_pam_chauthtok}, +#endif {0, 0, NULL} }; @@ -328,6 +335,7 @@ if (!no_pty_flag) { monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_CHAUTHTOK, 1); } for (;;) @@ -746,6 +754,56 @@ xfree(user); return (0); +} + +int +mm_answer_pam_chauthtok(int socket, Buffer *m) +{ + pid_t pid...

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

...R_REQ_PTY, MON_ONCE, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, +#ifdef USE_PAM + {MONITOR_REQ_PAM_CHAUTHTOK, 0, mm_answer_pam_chauthtok}, +#endif {0, 0, NULL} }; @@ -328,6 +335,7 @@ if (!no_pty_flag) { monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_CHAUTHTOK, 1); } for (;;) @@ -746,6 +754,49 @@ xfree(user); return (0); +} + +int +mm_answer_pam_chauthtok(int socket, Buffer *m) +{ + pid_t pid...

...INUX + {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, +#endif #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, @@ -602,6 +609,9 @@ else { /* Allow service/style information on the auth context */ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); +#ifdef WITH_SELINUX + monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); +#endif monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); } @@ -646,6 +656,25 @@ return (0); } +#ifdef WITH_SELINUX +int +mm_answer_authrole(int sock, Buf...

...MON_ONCE, mm_answer_pam_start}, + {MONITOR_REQ_PAMQUERY, MON_ISAUTH, mm_answer_sshpamquery}, + {MONITOR_REQ_PAMRESPOND, MON_AUTH, mm_answer_sshpamrespond}, + {MONITOR_REQ_PAM_FREE_CTX, 0, mm_answer_sshpam_free_ctx}, +#endif {0, 0, NULL} }; @@ -731,6 +753,100 @@ xfree(user); + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_INIT_CTX, 1); + + return (0); +} + +int +mm_answer_sshpam_init_ctx(int socket, Buffer *m) +{ + debug3("%s: entering", __func__); + + if (sshpam_auth_ctxt == NULL) + sshpam_auth_ctxt = sshpam_init_ctx(authctxt); + + monitor_permit(mon_dispatch, MONITOR_REQ_PA...

...MON_ONCE, mm_answer_pam_start}, + {MONITOR_REQ_PAMQUERY, MON_ISAUTH, mm_answer_sshpamquery}, + {MONITOR_REQ_PAMRESPOND, MON_AUTH, mm_answer_sshpamrespond}, + {MONITOR_REQ_PAM_FREE_CTX, 0, mm_answer_sshpam_free_ctx}, +#endif {0, 0, NULL} }; @@ -734,6 +756,100 @@ xfree(user); + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_INIT_CTX, 1); + + return (0); +} + +int +mm_answer_sshpam_init_ctx(int socket, Buffer *m) +{ + debug3("%s: entering", __FUNCTION__); + + if (sshpam_auth_ctxt == NULL) + sshpam_auth_ctxt = sshpam_init_ctx(authctxt); + + monitor_permit(mon_dispatch, MONITOR_RE...

...setting up a pipe shared between the monitor and child, and making the child wait until the monitor end closes, which it should do after permitting the monitor calls. I believe the pipe close (granting permission to continue) should be at the end of monitor.c:mm_answer_sign, right after the line: monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1); Of course, I could be wrong. On the other hand, I have not been able to figure out where to place the pipe read (waiting for permission) call. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail becau...

...E|MON_AUTH, mm_answer_krb5}, #endif +#ifdef GSSAPI + {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx}, + {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, + {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, +#endif {0, 0, NULL} }; @@ -320,7 +335,6 @@ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); - } else { mon_dispatch = mon_dispatch_postauth15; monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); @@ -1586,3 +1600,77 @@ mon->m_recvfd =...

...oof, 0, x2_proof_len); xfree(x1_proof); xfree(x2_proof); @@ -2220,7 +2220,7 @@ debug3("%s: sending step2", __func__); mm_request_send(sock, MONITOR_ANS_JPAKE_STEP2, m); - bzero(x4_s_proof, x4_s_proof_len); + memset(x4_s_proof, 0, x4_s_proof_len); xfree(x4_s_proof); monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_KEY_CONFIRM, 1); @@ -2254,7 +2254,7 @@ JPAKE_DEBUG_CTX((pctx, "key_confirm done in %s", __func__)); - bzero(x2_s_proof, x2_s_proof_len); + memset(x2_s_proof, 0, x2_s_proof_len); buffer_clear(m); /* pctx->k is sensitive, not sent */ @@ -...

...proof); xfree(x2_proof); @@ -2220,7 +2220,7 @@ debug3("%s: sending step2", __func__); mm_request_send(sock, MONITOR_ANS_JPAKE_STEP2, m); - bzero(x4_s_proof, x4_s_proof_len); + memset(x4_s_proof, 0, x4_s_proof_len); xfree(x4_s_proof); monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_KEY_CONFIRM, 1); @@ -2254,7 +2254,7 @@ JPAKE_DEBUG_CTX((pctx, "key_confirm done in %s", __func__)); - bzero(x2_s_proof, x2_s_proof_len); + memset(x2_s_proof, 0, x2_s_proof_len); buffer_clear(m); /* pctx->k is sensi...