Diffstat (limited to 'monitor.c')
-rw-r--r--monitor.c57
1 files changed, 36 insertions, 21 deletions
diff --git a/monitor.c b/monitor.c
index b3ed515..9e0e03e 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.237 2023/08/16 16:14:11 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.240 2024/06/06 17:15:25 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -125,8 +125,6 @@ int mm_answer_keyverify(struct ssh *, int, struct sshbuf *);
int mm_answer_pty(struct ssh *, int, struct sshbuf *);
int mm_answer_pty_cleanup(struct ssh *, int, struct sshbuf *);
int mm_answer_term(struct ssh *, int, struct sshbuf *);
-int mm_answer_sesskey(struct ssh *, int, struct sshbuf *);
-int mm_answer_sessid(struct ssh *, int, struct sshbuf *);
#ifdef USE_PAM
int mm_answer_pam_start(struct ssh *, int, struct sshbuf *);
@@ -163,6 +161,7 @@ static char *auth_submethod = NULL;
static u_int session_id2_len = 0;
static u_char *session_id2 = NULL;
static pid_t monitor_child_pid;
+int auth_attempted = 0;
struct mon_table {
enum monitor_reqtype type;
@@ -298,6 +297,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
authenticated = (monitor_read(ssh, pmonitor,
mon_dispatch, &ent) == 1);
+ /* Record that auth was attempted to set exit status later */
+ if ((ent->flags & MON_AUTH) != 0)
+ auth_attempted = 1;
+
/* Special handling for multiple required authentications */
if (options.num_auth_methods != 0) {
if (authenticated &&
@@ -355,6 +358,7 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
fatal_f("authentication method name unknown");
debug_f("user %s authenticated by privileged process", authctxt->user);
+ auth_attempted = 0;
ssh->authctxt = NULL;
ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user);
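Review bot: The `auth_attempted = 0;` added after the "authenticated by privileged process" debug line carries no comment, whereas the companion assignment in the `@@ -298` hunk explains that the flag exists to set the exit status later. A reader of this line alone cannot tell that clearing it on success is deliberate rather than a leftover; I would add `/* Successful auth: clear the flag so no failed-auth exit status is reported later */`, which is my reading, since the consumer of auth_attempted is not visible in this diff. Relatedly, `int auth_attempted = 0;` in the `@@ -163` hunk is a non-static file-scope definition sitting among `static` globals; if another translation unit reads it, it wants an `extern` declaration in the shared header, otherwise it should be `static` like its neighbours.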
@@ -707,13 +711,39 @@ mm_answer_sign(struct ssh *ssh, int sock, struct sshbuf *m)
fatal_fr(r, "assemble %s", #id); \
} while (0)
+void
+mm_encode_server_options(struct sshbuf *m)
+{
+ int r;
+ u_int i;
+
+ /* XXX this leaks raw pointers to the unpriv child processes */
+ if ((r = sshbuf_put_string(m, &options, sizeof(options))) != 0)
+ fatal_fr(r, "assemble options");
+
+#define M_CP_STROPT(x) do { \
+ if (options.x != NULL && \
+ (r = sshbuf_put_cstring(m, options.x)) != 0) \
+ fatal_fr(r, "assemble %s", #x); \
+ } while (0)
+#define M_CP_STRARRAYOPT(x, nx) do { \
+ for (i = 0; i < options.nx; i++) { \
+ if ((r = sshbuf_put_cstring(m, options.x[i])) != 0) \
+ fatal_fr(r, "assemble %s", #x); \
+ } \
+ } while (0)
+ /* See comment in servconf.h */
+ COPY_MATCH_STRING_OPTS();
+#undef M_CP_STROPT
+#undef M_CP_STRARRAYOPT
+}
+
/* Retrieves the password entry and also checks if the user is permitted */
int
mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
{
struct passwd *pwent;
int r, allowed = 0;
- u_int i;
debug3_f("entering");
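Review bot: mm_encode_server_options has no header comment, so the only statement of its contract is the `/* XXX this leaks raw pointers to the unpriv child processes */` line above the raw struct copy. I would add above the definition: `/* Serialize the active ServerOptions into m for the unprivileged process: the struct is copied verbatim (its pointer fields are meaningless to the receiver and must not be dereferenced), followed by the string and string-array options listed by COPY_MATCH_STRING_OPTS() in servconf.h; fatal()s on any sshbuf error. */` The function is non-static, presumably because it is called from another file as well as from mm_answer_pwnamallow; if so it also needs a prototype in the matching header, which this diff does not show. The hunk ends inside mm_answer_pwnamallow, whose body continues past it.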
@@ -766,24 +796,9 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
out:
ssh_packet_set_log_preamble(ssh, "%suser %s",
authctxt->valid ? "authenticating" : "invalid ", authctxt->user);
- if ((r = sshbuf_put_string(m, &options, sizeof(options))) != 0)
- fatal_fr(r, "assemble options");
-#define M_CP_STROPT(x) do { \
- if (options.x != NULL && \
- (r = sshbuf_put_cstring(m, options.x)) != 0) \
- fatal_fr(r, "assemble %s", #x); \
- } while (0)
-#define M_CP_STRARRAYOPT(x, nx) do { \
- for (i = 0; i < options.nx; i++) { \
- if ((r = sshbuf_put_cstring(m, options.x[i])) != 0) \
- fatal_fr(r, "assemble %s", #x); \
- } \
- } while (0)
- /* See comment in servconf.h */
- COPY_MATCH_STRING_OPTS();
-#undef M_CP_STROPT
-#undef M_CP_STRARRAYOPT
+ /* Send active options to unpriv */
+ mm_encode_server_options(m);
/* Create valid auth method lists */
if (auth2_setup_methods_lists(authctxt) != 0) {