search for: sia_ses_release

...n(0); ! if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0, NULL) != SIASUCCESS) return(0); ! if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { error("couldn't authenticate %s from %s", user, host); if (ret & SIASTOP) ! sia_ses_release(&ent); return(0); } - sia_ses_release(&ent); return(1); } --- 34,50 ---- if (!user || !pass) return(0); ! if (sia_ses_init(&__sia_ent, saved_argc, saved_argv, host, user, NULL, 0, NULL) != SIASUCCESS) return(0); ! if ((ret = sia_ses_authent(N...

...+ char *user; + char *pass; +{ + SIAENTITY *ent = NULL; + int ret; + + if (sia_ses_init (&ent, saved_argc, saved_argv, + get_canonical_hostname(), user, NULL, 0, NULL) != SIASUCCESS) + return 0; + if ((ret = sia_ses_authent (NULL, pass, ent)) != SIASUCCESS) { + if (ret & SIASTOP) + sia_ses_release (&ent); + return 0; + } + if (sia_ses_estab (NULL, ent) != SIASUCCESS) + return 0; + sia_ses_release (&ent); + return 1; +} + +#endif /* HAVE_OSF_SIA */ diff -urN openssh-2.2.0p1-dist/auth1.c openssh-2.2.0p1/auth1.c --- openssh-2.2.0p1-dist/auth1.c Tue Aug 22 19:46:23 2000 +++ openssh-2.2...

...any other SIA module. To do: * clean up the Kerberos credentials cache at session exit. Unfortunately SIA is not invoked at this time, so this cannot be done in the SIA module. * review what happens if authentication succeeds but session_setup_sia() is not invoked for some reason. Currently the sia_ses_release() clean-up code will not be invoked in this case. For most SIA modules this shouldn't matter, as resources will be released at process exit; but it would be nice to get it right anyway. -------------- next part -------------- diff -aruN openssh-3.7.1p2.orig/auth-passwd.c openssh-3.7.1p2/auth-pa...

...> if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { > - error("Couldn't authenticate %s from %s", user, host); > + error("Couldn't authenticate %s from %s", authctxt->user, > + host); > if (ret & SIASTOP) > sia_ses_release(&ent); > return(0); > @@ -77,48 +75,35 @@ > } > > void > -session_setup_sia(char *user, char *tty) > +session_setup_sia(struct passwd *pw, char *tty) > { > - struct passwd *pw; > SIAENTITY *ent = NULL; > const char *host; >...

..., 0, NULL) != SIASUCCESS) return(0); if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { - error("Couldn't authenticate %s from %s", user, host); + error("Couldn't authenticate %s from %s", authctxt->user, + host); if (ret & SIASTOP) sia_ses_release(&ent); return(0); @@ -77,48 +75,35 @@ } void -session_setup_sia(char *user, char *tty) +session_setup_sia(struct passwd *pw, char *tty) { - struct passwd *pw; SIAENTITY *ent = NULL; const char *host; - host = get_canonical_hostname (options.verify_reverse_mapping); + host = get_ca...

...everse_mapping_check); if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, - NULL) != SIASUCCESS) - fatal("sia_ses_init failed"); + NULL) != SIASUCCESS) { + error("sia_ses_init failed"); + exit(1); + } if ((pw = getpwnam(user)) == NULL) { sia_ses_release(&ent); - fatal("getpwnam(%s) failed: %s", user, strerror(errno)); + error("getpwnam(%s) failed: %s", user, strerror(errno)); + exit(1); } if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) { sia_ses_release(&ent); - fatal("sia_make_entity_pwd failed");...

Is anyone maintaining the OSF_SIA support in openssh? This seems to be an obvious bug triggered if you try to connect as a non-existant user. >From auth1.c line 459 #elif defined(HAVE_OSF_SIA) (sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, "") == SIASUCCESS)) { #else /*

...86,9 +86,8 @@ host = get_canonical_hostname (options.verify_reverse_mapping); if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, - NULL) != SIASUCCESS) { + NULL) != SIASUCCESS) fatal("sia_ses_init failed"); - } if ((pw = getpwnam(user)) == NULL) { sia_ses_release(&ent); @@ -100,25 +99,22 @@ } ent->authtype = SIA_A_NONE; - if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) { + if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) fatal("Couldn't establish session for %s from %s", user, host); - } if (setpriority(PR...

...86,9 +86,8 @@ host = get_canonical_hostname (options.verify_reverse_mapping); if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, - NULL) != SIASUCCESS) { + NULL) != SIASUCCESS) fatal("sia_ses_init failed"); - } if ((pw = getpwnam(user)) == NULL) { sia_ses_release(&ent); @@ -100,25 +99,22 @@ } ent->authtype = SIA_A_NONE; - if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) { + if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) fatal("Couldn't establish session for %s from %s", user, host); - } if (setpriority(PR...

...86,9 +88,8 @@ host = get_canonical_hostname (options.verify_reverse_mapping); if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, - NULL) != SIASUCCESS) { + NULL) != SIASUCCESS) fatal("sia_ses_init failed"); - } if ((pw = getpwnam(user)) == NULL) { sia_ses_release(&ent); @@ -100,25 +101,24 @@ } ent->authtype = SIA_A_NONE; - if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) { + if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) fatal("Couldn't establish session for %s from %s", user, host); - } if (setpriority(P...

...86,9 +88,8 @@ host = get_canonical_hostname (options.verify_reverse_mapping); if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, - NULL) != SIASUCCESS) { + NULL) != SIASUCCESS) fatal("sia_ses_init failed"); - } if ((pw = getpwnam(user)) == NULL) { sia_ses_release(&ent); @@ -100,25 +101,24 @@ } ent->authtype = SIA_A_NONE; - if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) { + if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) fatal("Couldn't establish session for %s from %s", user, host); - } if (setpriority(P...

http://bugzilla.mindrot.org/show_bug.cgi?id=445 ------- Additional Comments From simon at sxw.org.uk 2003-05-21 00:49 ------- The existing code only handles the situation where Kerberos credentials are created by the OpenSSH's krb5 code. What would appear to be happening under OSF/1 is that one of the calls used to verify the users login is, as a by-product, creating the credentials

....c openssh-3.7p1/auth-sia.c --- openssh-3.7p1-dist/auth-sia.c Mon Jun 2 19:25:48 2003 +++ openssh-3.7p1/auth-sia.c Tue Sep 16 14:02:56 2003 @@ -80,6 +80,7 @@ { SIAENTITY *ent = NULL; const char *host; + uid_t uid; host = get_canonical_hostname(options.use_dns); @@ -103,8 +104,11 @@ sia_ses_release(&ent); - if (setreuid(geteuid(), geteuid()) < 0) - fatal("setreuid: %s", strerror(errno)); + uid = geteuid(); + if (setuid(0) < 0) + fatal("setuid: %s", strerror(errno)); + if (setuid(uid) < 0) + fatal("setuid: %s", strerror(errno)); } #endif /* H...

There have been a few recent commits to portable OpenSSH that require testing. It would be appreciated if you could grab the 20031118 (or later) snapshot and give it a try on your platforms of choice. Ideally, "giving it a try" means running the regress tests, in addition to casual (non-production) use and reporting your experiences back to the list. The more platforms and compile-time