search for: session_setup_sia

Hi- Under privsep, I experimented with moving the session_setup_sia() out of do_child() and into do_setusercontext(), which is where the uids/gids are set to the final execution user. The call is made with a NULL tty, and this is functional provided that any later pty allocation uses grantpty() to set the device permissions. Logging in with this method shows that...

cvs code from this morning (about 9am PST) breaks on slackware 7.1 w/ gcc 2.95.2.1 with an undefined reference to session_setup_sia in session.o. this seems to be the culprit here: #ifdef HAVE_OSF_SIA #else /* HAVE_OSF_SIA */ session_setup_sia(pw->pw_name, ttyname); since i have no idea what that's trying to accomplish (and seems to be a bit backwards to me from looking at the rest of the code dealing...

...eanup patch from a while back that I submitted too late for > 3.4p1 and didn't resend after that I guess. The other defines > DISABLE_FD_PASSING when SIA is enabled, which effectively turns off > post-auth privsep. So if DISABLE_FD_PASSING turns privsep off, does that mean that session_setup_sia() will be run directly by do_child(), which at that point will be effective uid 0? > Note that I haven't been able to try it with the > latest snapshot, as I'm not at my devel box and I don't have the correct > version of autoconf installed at the moment (need the old o...

...LL, pass, ent)) != SIASUCCESS) { - error("Couldn't authenticate %s from %s", user, host); + error("Couldn't authenticate %s from %s", authctxt->user, + host); if (ret & SIASTOP) sia_ses_release(&ent); return(0); @@ -77,48 +75,35 @@ } void -session_setup_sia(char *user, char *tty) +session_setup_sia(struct passwd *pw, char *tty) { - struct passwd *pw; SIAENTITY *ent = NULL; const char *host; - host = get_canonical_hostname (options.verify_reverse_mapping); + host = get_canonical_hostname(options.verify_reverse_mapping); - if (sia_ses_init(&amp...

...in session_new(). Thus you may possibly also need to add: s->tty[0] = '\0'; into the session initialisation in session_new(), or maybe set it before the call to do_child() in do_exec_no_pty(). On further thought, perhaps the call to sia_ses_init should be left alone and the call to session_setup_sia() in session.c changed from: session_setup_sia(pw->pw_name, s->tty); to: session_setup_sia(pw->pw_name, s->ttyfd != -1 ? s->tty : NULL); Can someone who knows the code better than I do shed some light on the correct solution here. - Mike -- Mike Battersby <mi...

...following: 1) preserve context between the password authentication and the session setup phases. This is necessary because the Heimdal SIA module stores Kerberos context information as mechanism-specific data in ent->mech[]. 2) Allow for the KRB5CCNAME environment variable (potentially set in session_setup_sia()) to be propagated to the session environment. Caveat: I have only tested this with the BSD and Heimdal KRB5 modules, not with OSFC2 or any other SIA module. To do: * clean up the Kerberos credentials cache at session exit. Unfortunately SIA is not invoked at this time, so this cannot be done...

I have tried this with openssh-2.5.2p2 and openssh-SNAP-20010501. I have noticed that with a .hushlogin file in my home directory I still get messages. With the .hushlogin file I get these messages: Last successful login for ricardo: Tue May 1 08:06:00 2001 from blah.mnsu.edu Last unsuccessful login for ricardo: Tue May 1 08:05:21 2001 from blah.mnsu.edu Without the .hushlogin file I get

...- Ben Index: auth-sia.c =================================================================== RCS file: /var/cvs/openssh/auth-sia.c,v retrieving revision 1.7 diff -u -r1.7 auth-sia.c --- auth-sia.c 12 Apr 2002 15:36:08 -0000 1.7 +++ auth-sia.c 29 Jun 2002 03:19:18 -0000 @@ -77,7 +77,7 @@ } void -session_setup_sia(char *user, char *tty) +setup_sia(char *user, char *tty) { struct passwd *pw; SIAENTITY *ent = NULL; @@ -86,9 +86,8 @@ host = get_canonical_hostname (options.verify_reverse_mapping); if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, - NULL) != SIASUCCESS) { +...

A while back, I sent in a patch that added Digital Unix SIA authentication to OpenSSH. Well, I just figured out that it didn't handle everything correctly (locked accounts could still log in). I thought I had checked that, but I guess I missed it. Anyway, here is a patch against OpenSSH 2.2.0p1 that fixes this. -- Chris Adams <cmadams at hiwaay.net> Systems and Network Administrator

...patch: Index: auth-sia.c =================================================================== RCS file: /var/cvs/openssh/auth-sia.c,v retrieving revision 1.7 diff -u -r1.7 auth-sia.c --- auth-sia.c 12 Apr 2002 15:36:08 -0000 1.7 +++ auth-sia.c 28 Jun 2002 20:29:00 -0000 @@ -77,7 +77,7 @@ } void -session_setup_sia(char *user, char *tty) +setup_sia(char *user, char *tty) { struct passwd *pw; SIAENTITY *ent = NULL; @@ -86,9 +86,8 @@ host = get_canonical_hostname (options.verify_reverse_mapping); if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, - NULL) != SIASUCCESS) { +...

...+++ openssh-3.4p1+/auth-sia.c Mon Jul 22 23:34:37 2002 @@ -41,9 +41,11 @@ #include <unistd.h> #include <string.h> +/* import */ extern ServerOptions options; extern int saved_argc; extern char **saved_argv; +extern int use_privsep; extern int errno; @@ -77,7 +79,7 @@ } void -session_setup_sia(char *user, char *tty) +setup_sia(char *user, char *tty) { struct passwd *pw; SIAENTITY *ent = NULL; @@ -86,9 +88,8 @@ host = get_canonical_hostname (options.verify_reverse_mapping); if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, - NULL) != SIASUCCESS) { +...

...imits (ulimit) in sshd. I'm not using PAM so I need it in the sshd itself. The task is very simple - just to put one line calling setup_limits(pw); and link with -lshadow. But the problem is, where to put this line. I did it in session.c, in do_child(), like this: #ifdef HAVE_OSF_SIA session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty); if (!check_quietlogin(s, command)) do_motd(); #else /* HAVE_OSF_SIA */ /* When PAM is enabled we rely on it to do the nologin check */ if (!options.use_pam) { do_nologin(pw); setup_lim...

Something really hosed Digital/Tru64 UNIX SIA support in 2.5.2p1. I haven't been able to figure out what changed in the code, but the symptom seems to be that the TTY name being registered with SIA is truncated to eight characters. This apparently prevents it from matching with entries in the tty database, and the dreaded "Cannot obtain database information on this terminal

Is anyone maintaining the OSF_SIA support in openssh? This seems to be an obvious bug triggered if you try to connect as a non-existant user. >From auth1.c line 459 #elif defined(HAVE_OSF_SIA) (sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, "") == SIASUCCESS)) { #else /*

...+++ openssh-3.4p1+/auth-sia.c Mon Jul 22 23:34:37 2002 @@ -41,9 +41,11 @@ #include <unistd.h> #include <string.h> +/* import */ extern ServerOptions options; extern int saved_argc; extern char **saved_argv; +extern int use_privsep; extern int errno; @@ -77,7 +79,7 @@ } void -session_setup_sia(char *user, char *tty) +setup_sia(char *user, char *tty) { struct passwd *pw; SIAENTITY *ent = NULL; @@ -86,9 +88,8 @@ host = get_canonical_hostname (options.verify_reverse_mapping); if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, - NULL) != SIASUCCESS) { +...

...def _AIX { char *cp; @@ -1151,6 +1174,7 @@ * Login(1) does this as well, and it needs uid 0 for the "-h" * switch, so we let login(1) to this for us. */ +#ifndef _CRAY if (!options.use_login) { #ifdef HAVE_OSF_SIA session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty); @@ -1164,6 +1188,9 @@ do_setusercontext(pw); #endif /* HAVE_OSF_SIA */ } +#else + cray_setup(pw->pw_uid, pw->pw_name, command); +#endif /* _CRAY */ /* * Get the shell from the password dat...

...-1041,7 +1050,7 @@ exit(254); } } -#endif /* USE_PAM */ +#endif /* USE_PAM || HAVE_OSF_SIA */ /* Set login name, uid, gid, and groups. */ /* Login(1) does this as well, and it needs uid 0 for the "-h" @@ -1049,6 +1058,8 @@ if (!options.use_login) { #ifdef HAVE_OSF_SIA session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty); + if (! check_quietlogin(s, command)) + do_motd(); #else /* HAVE_OSF_SIA */ #ifdef HAVE_CYGWIN if (is_winnt) { @@ -2027,4 +2038,27 @@ server_loop2(); if (xauthfile) xauthfile_cleanup_proc(NULL); +} + +/* + * Check for quiet login...

OpenSSH 3.3 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support and encouragement. Changes since OpenSSH 3.2.3: ============================

Hi All. OpenSSH 4.1 will be released in the next couple of weeks and we invite interested parties to test a snapshot. The changes since 4.0 are mostly bugfixes, for a detailed list see http://bugzilla.mindrot.org/show_bug.cgi?id=994 Running the regression tests supplied with Portable does not require installation and is a simply: $ ./configure && make tests Testing on suitable