Diffstat (limited to '')
-rw-r--r-- | monitor.c | 57 |
1 files changed, 36 insertions, 21 deletions
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.237 2023/08/16 16:14:11 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.240 2024/06/06 17:15:25 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -125,8 +125,6 @@ int mm_answer_keyverify(struct ssh *, int, struct sshbuf *);
 int mm_answer_pty(struct ssh *, int, struct sshbuf *);
 int mm_answer_pty_cleanup(struct ssh *, int, struct sshbuf *);
 int mm_answer_term(struct ssh *, int, struct sshbuf *);
-int mm_answer_sesskey(struct ssh *, int, struct sshbuf *);
-int mm_answer_sessid(struct ssh *, int, struct sshbuf *);
 
 #ifdef USE_PAM
 int mm_answer_pam_start(struct ssh *, int, struct sshbuf *);
@@ -163,6 +161,7 @@ static char *auth_submethod = NULL;
 static u_int session_id2_len = 0;
 static u_char *session_id2 = NULL;
 static pid_t monitor_child_pid;
+int auth_attempted = 0;
 
 struct mon_table {
 enum monitor_reqtype type;
@@ -298,6 +297,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
 authenticated = (monitor_read(ssh, pmonitor, mon_dispatch, &ent) == 1);
 
+ /* Record that auth was attempted to set exit status later */
+ if ((ent->flags & MON_AUTH) != 0)
+ auth_attempted = 1;
+
 /* Special handling for multiple required authentications */
 if (options.num_auth_methods != 0) {
 if (authenticated &&
@@ -355,6 +358,7 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
 fatal_f("authentication method name unknown");
 debug_f("user %s authenticated by privileged process", authctxt->user);
+ auth_attempted = 0;
 ssh->authctxt = NULL;
 ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user);
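Review bot: With `+ auth_attempted = 0;` on the success path in the last hunk, the global set in the preceding hunk no longer means "an authentication request was dispatched" but "an authentication request was dispatched and the session has not (yet) authenticated", and neither the declaration `+int auth_attempted = 0;` nor the comment `Record that auth was attempted to set exit status later` says so. A one-line comment on the reset, `auth_attempted = 0; /* success: exit status must not report a failed attempt */`, plus a note at the declaration naming where the value is consumed, would make the contract visible in this file; the consumer is not in this diff, so I cannot confirm how it interprets the flag. The new `if ((ent->flags & MON_AUTH) != 0)` also relies on monitor_read() storing `*pent` on every return — if it can return without doing so, `ent->flags` reads stale or uninitialised memory; presumably it fatal()s on unknown requests, but that is worth confirming in a comment. monitor_child_preauth() starts and ends outside these hunks.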
@@ -707,13 +711,39 @@ mm_answer_sign(struct ssh *ssh, int sock, struct sshbuf *m)
 fatal_fr(r, "assemble %s", #id); \
 } while (0)
 
+void
+mm_encode_server_options(struct sshbuf *m)
+{
+ int r;
+ u_int i;
+
+ /* XXX this leaks raw pointers to the unpriv child processes */
+ if ((r = sshbuf_put_string(m, &options, sizeof(options))) != 0)
+ fatal_fr(r, "assemble options");
+
+#define M_CP_STROPT(x) do { \
+ if (options.x != NULL && \
+ (r = sshbuf_put_cstring(m, options.x)) != 0) \
+ fatal_fr(r, "assemble %s", #x); \
+ } while (0)
+#define M_CP_STRARRAYOPT(x, nx) do { \
+ for (i = 0; i < options.nx; i++) { \
+ if ((r = sshbuf_put_cstring(m, options.x[i])) != 0) \
+ fatal_fr(r, "assemble %s", #x); \
+ } \
+ } while (0)
+ /* See comment in servconf.h */
+ COPY_MATCH_STRING_OPTS();
+#undef M_CP_STROPT
+#undef M_CP_STRARRAYOPT
+}
+
 /* Retrieves the password entry and also checks if the user is permitted */
 int
 mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 struct passwd *pwent;
 int r, allowed = 0;
- u_int i;
 
 debug3_f("entering");
 
@@ -766,24 +796,9 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
 out:
 ssh_packet_set_log_preamble(ssh, "%suser %s", authctxt->valid ? "authenticating" : "invalid ", authctxt->user);
- if ((r = sshbuf_put_string(m, &options, sizeof(options))) != 0)
- fatal_fr(r, "assemble options");
 
-#define M_CP_STROPT(x) do { \
- if (options.x != NULL && \
- (r = sshbuf_put_cstring(m, options.x)) != 0) \
- fatal_fr(r, "assemble %s", #x); \
- } while (0)
-#define M_CP_STRARRAYOPT(x, nx) do { \
- for (i = 0; i < options.nx; i++) { \
- if ((r = sshbuf_put_cstring(m, options.x[i])) != 0) \
- fatal_fr(r, "assemble %s", #x); \
- } \
- } while (0)
- /* See comment in servconf.h */
- COPY_MATCH_STRING_OPTS();
-#undef M_CP_STROPT
-#undef M_CP_STRARRAYOPT
+ /* Send active options to unpriv */
+ mm_encode_server_options(m);
 
 /* Create valid auth method lists */
 if (auth2_setup_methods_lists(authctxt) != 0) {
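Review bot: `mm_encode_server_options()` in the first hunk is defined with external linkage but no prototype for it is added anywhere in this diff (the prototype hunk earlier in the commit only removes declarations), so builds with -Wmissing-prototypes will warn; if it is meant to be called from another translation unit it should be declared in monitor.h, otherwise make it `static void mm_encode_server_options(struct sshbuf *m)`. The new `XXX` comment rightly flags that `sshbuf_put_string(m, &options, sizeof(options))` ships raw pointer values across the privilege boundary; the same memcpy also carries struct padding, so if `options` is ever not zero-initialised the message can include uninitialised bytes, and the comment would be more useful if it stated whether the child is expected to overwrite every pointer field from the cstrings that follow rather than use them — I cannot confirm the receiving side from this diff. A header comment such as `/* Serialise the active server options (struct image plus string fields) into m for the unprivileged child. */` would document the new function. The second hunk is a straight replacement of the moved code and needs nothing further.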