Commit c8a2bf14 authored by Dag-Erling Smørgrav's avatar Dag-Erling Smørgrav
Browse files

Vendor import of OpenSSH 7.7p1.

parent 20adc8f2
This diff is collapsed.
5317f294d63a876bfc861e19773b1575f96f027d remove libssh from makefiles
a337e886a49f96701ccbc4832bed086a68abfa85 Makefile changes
f2c9feb26963615c4fece921906cf72e248b61ee more Makefile
fa728823ba21c4b45212750e1d3a4b2086fd1a62 more Makefile refactoring
Old upstream tree:
321065a95a7ccebdd5fd08482a1e19afbf524e35 Update DH groups
d4f699a421504df35254cf1c6f1a7c304fb907ca Remove 1k bit groups
aafe246655b53b52bc32c8a24002bc262f4230f7 Remove intermediate moduli
......
This diff is collapsed.
......@@ -13,7 +13,7 @@ OpenSSL)
Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/
libcrypto (LibreSSL or OpenSSL >= 0.9.8f < 1.1.0)
libcrypto (LibreSSL or OpenSSL >= 1.0.1 < 1.1.0)
LibreSSL http://www.libressl.org/ ; or
OpenSSL http://www.openssl.org/
......@@ -91,7 +91,7 @@ http://nlnetlabs.nl/projects/ldns/
Autoconf:
If you modify configure.ac or configure doesn't exist (eg if you checked
the code out of CVS yourself) then you will need autoconf-2.69 to rebuild
the code out of git yourself) then you will need autoconf-2.69 to rebuild
the automatically generated files by running "autoreconf". Earlier
versions may also work but this is not guaranteed.
......@@ -103,6 +103,13 @@ Native BSM support is known to exist in Solaris from at least 2.5.1,
FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
implementation (http://www.openbsm.org).
makedepend:
https://www.x.org/archive/individual/util/
If you are making significant changes to the code you may need to rebuild
the dependency (.depend) file using "make depend", which requires the
"makedepend" tool from the X11 distribution.
2. Building / Installation
--------------------------
......@@ -162,13 +169,11 @@ also be enabled in sshd_config (refer to the UsePAM directive).
--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.
/dev/random.
--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify a EGD localhost TCP port. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.
/dev/random.
--with-lastlog=FILE will specify the location of the lastlog file.
./configure searches a few locations for lastlog, but may not find
......@@ -204,8 +209,7 @@ created.
--with-xauth=PATH specifies the location of the xauth binary
--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
libraries
are installed.
libraries are installed.
--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
......
# $Id: Makefile.in,v 1.365 2014/08/30 06:23:07 djm Exp $
# uncomment if you run a non bourne compatable shell. Ie. csh
#SHELL = @SH@
......@@ -54,16 +52,25 @@ AR=@AR@
AWK=@AWK@
RANLIB=@RANLIB@
INSTALL=@INSTALL@
PERL=@PERL@
SED=@SED@
ENT=@ENT@
XAUTH_PATH=@XAUTH_PATH@
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
MKDIR_P=@MKDIR_P@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
XMSS_OBJS=\
ssh-xmss.o \
sshkey-xmss.o \
xmss_commons.o \
xmss_fast.o \
xmss_hash.o \
xmss_hash_address.o \
xmss_wots.o
LIBOPENSSH_OBJS=\
ssh_api.o \
ssherr.o \
......@@ -73,7 +80,8 @@ LIBOPENSSH_OBJS=\
sshbuf-misc.o \
sshbuf-getput-crypto.o \
krl.o \
bitmap.o
bitmap.o \
${XMSS_OBJS}
LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
authfd.o authfile.o bufaux.o bufbn.o bufec.o buffer.o \
......@@ -88,7 +96,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
ssh-pkcs11.o smult_curve25519_ref.o \
poly1305.o chacha.o cipher-chachapoly.o \
ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
......@@ -218,13 +226,6 @@ $(CONFIGFILES): $(CONFIGFILES_IN)
moduli:
echo
# special case target for umac128
umac128.o: umac.c
$(CC) $(CFLAGS) $(CPPFLAGS) -o umac128.o -c $(srcdir)/umac.c \
-DUMAC_OUTPUT_LEN=16 -Dumac_new=umac128_new \
-Dumac_update=umac128_update -Dumac_final=umac128_final \
-Dumac_delete=umac128_delete -Dumac_ctx=umac128_ctx
clean: regressclean
rm -f *.o *.a $(TARGETS) logintest config.cache config.log
rm -f *.out core survey
......@@ -298,9 +299,21 @@ catman-do:
>$$base.0 ; \
done
distprep: catman-do
depend: depend-rebuild
rm -f .depend.bak
depend-rebuild:
rm -f config.h
touch config.h
makedepend -w1000 -Y. -f .depend *.c 2>/dev/null
rm -f config.h
depend-check: depend-rebuild
cmp .depend .depend.bak || (echo .depend stale && exit 1)
distprep: catman-do depend-check
$(AUTORECONF)
-rm -rf autom4te.cache
-rm -rf autom4te.cache .depend.bak
install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
......@@ -310,14 +323,13 @@ check-config:
-$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config
install-files:
$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
$(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir)
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8
$(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
(umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH))
$(MKDIR_P) $(DESTDIR)$(bindir)
$(MKDIR_P) $(DESTDIR)$(sbindir)
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)1
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
$(MKDIR_P) $(DESTDIR)$(libexecdir)
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
......@@ -345,9 +357,7 @@ install-files:
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
install-sysconf:
if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
$(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
fi
$(MKDIR_P) $(DESTDIR)$(sysconfdir)
@if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \
$(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \
else \
......@@ -375,9 +385,6 @@ host-key: ssh-keygen$(EXEEXT)
fi
host-key-force: ssh-keygen$(EXEEXT) ssh$(EXEEXT)
if ./ssh -Q protocol-version | grep '^1$$' >/dev/null; then \
./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""; \
fi
./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N ""
./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N ""
./ssh-keygen -t ed25519 -f $(DESTDIR)$(sysconfdir)/ssh_host_ed25519_key -N ""
......@@ -421,28 +428,16 @@ uninstall:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
regress-prep:
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
[ -d `pwd`/regress/unittests ] || mkdir -p `pwd`/regress/unittests
[ -d `pwd`/regress/unittests/test_helper ] || \
mkdir -p `pwd`/regress/unittests/test_helper
[ -d `pwd`/regress/unittests/sshbuf ] || \
mkdir -p `pwd`/regress/unittests/sshbuf
[ -d `pwd`/regress/unittests/sshkey ] || \
mkdir -p `pwd`/regress/unittests/sshkey
[ -d `pwd`/regress/unittests/bitmap ] || \
mkdir -p `pwd`/regress/unittests/bitmap
[ -d `pwd`/regress/unittests/conversion ] || \
mkdir -p `pwd`/regress/unittests/conversion
[ -d `pwd`/regress/unittests/hostkeys ] || \
mkdir -p `pwd`/regress/unittests/hostkeys
[ -d `pwd`/regress/unittests/kex ] || \
mkdir -p `pwd`/regress/unittests/kex
[ -d `pwd`/regress/unittests/match ] || \
mkdir -p `pwd`/regress/unittests/match
[ -d `pwd`/regress/unittests/utf8 ] || \
mkdir -p `pwd`/regress/unittests/utf8
[ -d `pwd`/regress/misc/kexfuzz ] || \
mkdir -p `pwd`/regress/misc/kexfuzz
$(MKDIR_P) `pwd`/regress/unittests/test_helper
$(MKDIR_P) `pwd`/regress/unittests/sshbuf
$(MKDIR_P) `pwd`/regress/unittests/sshkey
$(MKDIR_P) `pwd`/regress/unittests/bitmap
$(MKDIR_P) `pwd`/regress/unittests/conversion
$(MKDIR_P) `pwd`/regress/unittests/hostkeys
$(MKDIR_P) `pwd`/regress/unittests/kex
$(MKDIR_P) `pwd`/regress/unittests/match
$(MKDIR_P) `pwd`/regress/unittests/utf8
$(MKDIR_P) `pwd`/regress/misc/kexfuzz
[ -f `pwd`/regress/Makefile ] || \
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
......@@ -582,6 +577,8 @@ regress-binaries: regress/modpipe$(EXEEXT) \
regress/unittests/utf8/test_utf8$(EXEEXT) \
regress/misc/kexfuzz/kexfuzz$(EXEEXT)
REGRESSTMP = "$(PWD)/regress"
tests interop-tests t-exec unit: regress-prep regress-binaries $(TARGETS)
BUILDDIR=`pwd`; \
TEST_SSH_SCP="$${BUILDDIR}/scp"; \
......@@ -605,7 +602,7 @@ tests interop-tests t-exec unit: regress-prep regress-binaries $(TARGETS)
.OBJDIR="$${BUILDDIR}/regress" \
.CURDIR="`pwd`" \
BUILDDIR="$${BUILDDIR}" \
OBJ="$${BUILDDIR}/regress/" \
OBJ="$(REGRESSTMP)" \
PATH="$${BUILDDIR}:$${PATH}" \
TEST_ENV=MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \
TEST_MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \
......@@ -650,3 +647,5 @@ package: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
if [ "@MAKE_PACKAGE_SUPPORTED@" = yes ]; then \
sh buildpkg.sh; \
fi
# @DEPEND@
......@@ -295,10 +295,14 @@ has completed.
string[] hostkeys
Upon receiving this message, a client should check which of the
supplied host keys are present in known_hosts. For keys that are
not present, it should send a "hostkeys-prove@openssh.com" message
to request the server prove ownership of the private half of the
key.
supplied host keys are present in known_hosts.
Note that the server may send key types that the client does not
support. The client should disgregard such keys if they are received.
If the client identifies any keys that are not present for the host,
it should send a "hostkeys-prove@openssh.com" message to request the
server prove ownership of the private half of the key.
byte SSH_MSG_GLOBAL_REQUEST
string "hostkeys-prove-00@openssh.com"
......@@ -454,4 +458,4 @@ respond with a SSH_FXP_STATUS message.
This extension is advertised in the SSH_FXP_VERSION hello with version
"1".
$OpenBSD: PROTOCOL,v 1.31 2017/05/26 01:40:07 djm Exp $
$OpenBSD: PROTOCOL,v 1.32 2018/02/19 00:55:02 djm Exp $
......@@ -100,9 +100,9 @@ DSA certificate
ECDSA certificate
string "ecdsa-sha2-nistp256-v01@openssh.com" |
"ecdsa-sha2-nistp384-v01@openssh.com" |
"ecdsa-sha2-nistp521-v01@openssh.com"
string "ecdsa-sha2-nistp256-cert-v01@openssh.com" |
"ecdsa-sha2-nistp384-cert-v01@openssh.com" |
"ecdsa-sha2-nistp521-cert-v01@openssh.com"
string nonce
string curve
string public_key
......@@ -291,4 +291,4 @@ permit-user-rc empty Flag indicating that execution of
of this script will not be permitted if
this option is not present.
$OpenBSD: PROTOCOL.certkeys,v 1.12 2017/05/31 04:29:44 djm Exp $
$OpenBSD: PROTOCOL.certkeys,v 1.13 2017/11/03 02:32:19 djm Exp $
See https://www.openssh.com/releasenotes.html#7.6p1 for the release notes.
See https://www.openssh.com/releasenotes.html#7.7p1 for the release notes.
Please read https://www.openssh.com/report.html for bug reporting
instructions and note that we do not use Github for bug reporting or
patch/pull-request management.
- A Japanese translation of this document and of the release notes is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
- available at https://www.unixuser.org/~haruyama/security/openssh/index.html
- Thanks to HARUYAMA Seigo <haruyama@unixuser.org>
This is the port of OpenBSD's excellent OpenSSH[0] to Linux and other
......@@ -22,7 +22,7 @@ This port consists of the re-introduction of autoconf support, PAM
support, EGD[1]/PRNGD[2] support and replacements for OpenBSD library
functions that are (regrettably) absent from other unices. This port
has been best tested on AIX, Cygwin, HP-UX, Linux, MacOS/X,
NetBSD, OpenBSD, OpenServer, Solaris, Unicos, and UnixWare.
NetBSD, OpenBSD, OpenServer, Solaris and UnixWare.
This version actively tracks changes in the OpenBSD CVS repository.
......@@ -56,11 +56,11 @@ References -
[0] https://www.openssh.com/
[1] http://www.lothar.com/tech/crypto/
[2] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
[3] http://www.gzip.org/zlib/
[4] http://www.openssl.org/
[5] http://www.openpam.org
http://www.kernel.org/pub/linux/libs/pam/
[2] http://prngd.sourceforge.net/
[3] https://www.zlib.net/
[4] https://www.openssl.org/
[5] https://www.openpam.org
https://www.kernel.org/pub/linux/libs/pam/
(PAM also is standard on Solaris and HP-UX 11)
[6] http://thrysoee.dk/editline/ (portable version)
[7] http://man.openbsd.org/style.9
[6] https://thrysoee.dk/editline/ (portable version)
[7] https://man.openbsd.org/style.9
......@@ -34,8 +34,8 @@ privsep user and chroot directory:
PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD,
HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.
On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication
part of privsep is supported. Post-authentication privsep is disabled
On Cygwin, Tru64 Unix and OpenServer only the pre-authentication part
of privsep is supported. Post-authentication privsep is disabled
automatically (so you won't see the additional process mentioned below).
Note that for a normal interactive login with a shell, enabling privsep
......
This diff is collapsed.
/* $OpenBSD: auth-options.h,v 1.23 2017/05/31 10:54:00 markus Exp $ */
/* $OpenBSD: auth-options.h,v 1.26 2018/03/12 00:52:01 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
* Copyright (c) 2018 Damien Miller <djm@mindrot.org>
*
* As far as I am concerned, the code I have written for this software
* can be used freely for any purpose. Any derived versions of this
* software must be clearly marked as such, and if the derived work is
* incompatible with the protocol description in the RFC file, it must be
* called by a name other than "ssh" or "Secure Shell".
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef AUTH_OPTIONS_H
#define AUTH_OPTIONS_H
/* Linked list of custom environment strings */
struct envstring {
struct envstring *next;
char *s;
struct passwd;
struct sshkey;
/*
* sshauthopt represents key options parsed from authorized_keys or
* from certificate extensions/options.
*/
struct sshauthopt {
/* Feature flags */
int permit_port_forwarding_flag;
int permit_agent_forwarding_flag;
int permit_x11_forwarding_flag;
int permit_pty_flag;
int permit_user_rc;
/* "restrict" keyword was invoked */
int restricted;
/* key/principal expiry date */
uint64_t valid_before;
/* Certificate-related options */
int cert_authority;
char *cert_principals;
int force_tun_device;
char *force_command;
/* Custom environment */
size_t nenv;
char **env;
/* Permitted port forwardings */
size_t npermitopen;
char **permitopen;
/*
* Permitted host/addresses (comma-separated)
* Caller must check source address matches both lists (if present).
*/
char *required_from_host_cert;
char *required_from_host_keys;
};
/* Flags that may be set in authorized_keys options. */
extern int no_port_forwarding_flag;
extern int no_agent_forwarding_flag;
extern int no_x11_forwarding_flag;
extern int no_pty_flag;
extern int no_user_rc;
extern char *forced_command;
extern struct envstring *custom_environment;
extern int forced_tun_device;
extern int key_is_cert_authority;
extern char *authorized_principals;
int auth_parse_options(struct passwd *, char *, const char *, u_long);
void auth_clear_options(void);
int auth_cert_options(struct sshkey *, struct passwd *, const char **);
struct sshauthopt *sshauthopt_new(void);
struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
void sshauthopt_free(struct sshauthopt *opts);
struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig);
int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int);
int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts);
/*
* Parse authorized_keys options. Returns an options structure on success
* or NULL on failure. Will set errstr on failure.
*/
struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr);
/*
* Parse certification options to a struct sshauthopt.
* Returns options on success or NULL on failure.
*/
struct sshauthopt *sshauthopt_from_cert(struct sshkey *k);
/*
* Merge key options.
*/
struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary,
const struct sshauthopt *additional, const char **errstrp);
#endif
......@@ -287,18 +287,27 @@ sshpam_chauthtok_ruid(pam_handle_t *pamh, int flags)
void
sshpam_password_change_required(int reqd)
{
extern struct sshauthopt *auth_opts;
static int saved_port, saved_agent, saved_x11;
debug3("%s %d", __func__, reqd);
if (sshpam_authctxt == NULL)
fatal("%s: PAM authctxt not initialized", __func__);
sshpam_authctxt->force_pwchange = reqd;
if (reqd) {
no_port_forwarding_flag |= 2;
no_agent_forwarding_flag |= 2;
no_x11_forwarding_flag |= 2;
saved_port = auth_opts->permit_port_forwarding_flag;
saved_agent = auth_opts->permit_agent_forwarding_flag;
saved_x11 = auth_opts->permit_x11_forwarding_flag;
auth_opts->permit_port_forwarding_flag = 0;
auth_opts->permit_agent_forwarding_flag = 0;
auth_opts->permit_x11_forwarding_flag = 0;
} else {
no_port_forwarding_flag &= ~2;
no_agent_forwarding_flag &= ~2;
no_x11_forwarding_flag &= ~2;
if (saved_port)
auth_opts->permit_port_forwarding_flag = saved_port;
if (saved_agent)
auth_opts->permit_agent_forwarding_flag = saved_agent;
if (saved_x11)
auth_opts->permit_x11_forwarding_flag = saved_x11;
}
}
......@@ -1077,7 +1086,7 @@ do_pam_chauthtok(void)
}
void
do_pam_session(void)
do_pam_session(struct ssh *ssh)
{
debug3("PAM: opening session");
......@@ -1093,7 +1102,7 @@ do_pam_session(void)
sshpam_session_open = 1;
else {
sshpam_session_open = 0;
disable_forwarding();
auth_restrict_session(ssh);
error("PAM: pam_open_session(): %s",
pam_strerror(sshpam_handle, sshpam_err));
}
......
......@@ -25,10 +25,12 @@
#include "includes.h"
#ifdef USE_PAM
struct ssh;
void start_pam(Authctxt *);
void finish_pam(void);
u_int do_pam_account(void);
void do_pam_session(void);
void do_pam_session(struct ssh *);
void do_pam_setcred(int );
void do_pam_chauthtok(void);
int do_pam_putenv(char *, char *);
......
/* $OpenBSD: auth-passwd.c,v 1.45 2016/07/21 01:39:35 dtucker Exp $ */
/* $OpenBSD: auth-passwd.c,v 1.46 2018/03/03 03:15:51 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
......@@ -68,22 +68,15 @@ extern login_cap_t *lc;
#define MAX_PASSWORD_LEN 1024
void
disable_forwarding(void)
{
no_port_forwarding_flag = 1;
no_agent_forwarding_flag = 1;
no_x11_forwarding_flag = 1;
}
/*
* Tries to authenticate the user using password. Returns true if
* authentication succeeds.
*/
int
auth_password(Authctxt *authctxt, const char *password)
auth_password(struct ssh *ssh, const char *password)
{
struct passwd * pw = authctxt->pw;
Authctxt *authctxt = ssh->authctxt;
struct passwd *pw = authctxt->pw;
int result, ok = authctxt->valid;
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
static int expire_checked = 0;
......@@ -128,9 +121,9 @@ auth_password(Authctxt *authctxt, const char *password)
authctxt->force_pwchange = 1;
}
#endif
result = sys_auth_passwd(authctxt, password);
result = sys_auth_passwd(ssh, password);
if (authctxt->force_pwchange)
disable_forwarding();
auth_restrict_session(ssh);
return (result && ok);
}
......@@ -170,19 +163,19 @@ warn_expiry(Authctxt *authctxt, auth_session_t *as)
}
int
sys_auth_passwd(Authctxt *authctxt, const char *password)
sys_auth_passwd(struct ssh *ssh, const char *password)
{
struct passwd *pw = authctxt->pw;
Authctxt *authctxt = ssh->authctxt;
auth_session_t *as;
static int expire_checked = 0;
as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
as = auth_usercheck(authctxt->pw->pw_name, authctxt->style, "auth-ssh",
(char *)password);
if (as == NULL)
return (0);
if (auth_getstate(as) & AUTH_PWEXPIRED) {
auth_close(as);
disable_forwarding();
auth_restrict_session(ssh);
authctxt->force_pwchange = 1;
return (1);
} else {
......@@ -195,8 +188,9 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
}
#elif !defined(CUSTOM_SYS_AUTH_PASSWD)
int
sys_auth_passwd(Authctxt *authctxt, const char *password)
sys_auth_passwd(struct ssh *ssh, const char *password)
{
Authctxt *authctxt = ssh->authctxt;
struct passwd *pw = authctxt->pw;
char *encrypted_password, *salt = NULL;
......
......@@ -36,6 +36,7 @@
#include <string.h>
#include "ssh.h"
#include "ssh_api.h"
#include "key.h"
#include "hostfile.h"
#include "auth.h"
......@@ -50,11 +51,12 @@ extern int saved_argc;
extern char **saved_argv;
int
sys_auth_passwd(Authctxt *authctxt, const char *pass)
sys_auth_passwd(struct ssh *ssh, const char *pass)
{
int ret;