- markus@cvs.openbsd.org 2003/02/16 17:30:33

     [monitor.c monitor_wrap.c]
     fix permitrootlogin forced-commands-only for privsep; bux #387; ok provos@

diff --git a/ChangeLog b/ChangeLog
index 2fdcb2782966e47a588456a5a3018ff4bf6cbdf4..79594ab20da937f18784c5d177e900e22a1708d7 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -67,6 +67,10 @@
      [kex.c kexdh.c kexgex.c kex.h sshconnect2.c sshd.c ssh-keyscan.c]
      split kex into client and server code, no need to link
      server code into the client; ok provos@
+   - markus@cvs.openbsd.org 2003/02/16 17:30:33
+     [monitor.c monitor_wrap.c]
+     fix permitrootlogin forced-commands-only for privsep; bux #387; 
+     ok provos@
 
 20030211
  - (djm) Cygwin needs libcrypt too. Patch from vinschen@redhat.com
@@ -1167,4 +1171,4 @@
      save auth method before monitor_reset_key_state(); bugzilla bug #284;
      ok provos@
 
-$Id: ChangeLog,v 1.2612 2003/02/24 01:03:03 djm Exp $
+$Id: ChangeLog,v 1.2613 2003/02/24 01:03:38 djm Exp $

diff --git a/monitor.c b/monitor.c
index 07d1728ec4bf50fed2f8a571d216b983a94c6ef1..694cd630a25746675011d5aa40d56f3de71c8e91 100644 (file)
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.31 2003/02/04 09:33:22 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.32 2003/02/16 17:30:33 markus Exp $");
 
 #include <openssl/dh.h>
 
@@ -826,6 +826,7 @@ mm_answer_keyallowed(int socket, Buffer *m)
 
        buffer_clear(m);
        buffer_put_int(m, allowed);
+       buffer_put_int(m, forced_command != NULL);
 
        mm_append_debug(m);
 
@@ -1188,6 +1189,7 @@ mm_answer_rsa_keyallowed(int socket, Buffer *m)
        }
        buffer_clear(m);
        buffer_put_int(m, allowed);
+       buffer_put_int(m, forced_command != NULL);
 
        /* clear temporarily storage (used by generate challenge) */
        monitor_reset_key_state();

diff --git a/monitor_wrap.c b/monitor_wrap.c
index 551bbc15a45c52c340a524a26f033a2663bbf561..1395a32f4933855564582480a4aff51c8ee76637 100644 (file)
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -25,7 +25,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.21 2003/02/04 09:33:22 markus Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.22 2003/02/16 17:30:33 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/dh.h>
@@ -34,6 +34,7 @@ RCSID("$OpenBSD: monitor_wrap.c,v 1.21 2003/02/04 09:33:22 markus Exp $");
 #include "dh.h"
 #include "kex.h"
 #include "auth.h"
+#include "auth-options.h"
 #include "buffer.h"
 #include "bufaux.h"
 #include "packet.h"
@@ -312,7 +313,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
        Buffer m;
        u_char *blob;
        u_int len;
-       int allowed = 0;
+       int allowed = 0, have_forced = 0;
 
        debug3("%s entering", __func__);
 
@@ -334,6 +335,11 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
 
        allowed = buffer_get_int(&m);
 
+       /* fake forced command */
+       auth_clear_options();
+       have_forced = buffer_get_int(&m);
+       forced_command = have_forced ? xstrdup("true") : NULL;
+
        /* Send potential debug messages */
        mm_send_debug(&m);
 
@@ -853,7 +859,7 @@ mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
        Key *key;
        u_char *blob;
        u_int blen;
-       int allowed = 0;
+       int allowed = 0, have_forced = 0;
 
        debug3("%s entering", __func__);
 
@@ -865,6 +871,11 @@ mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
 
        allowed = buffer_get_int(&m);
 
+       /* fake forced command */
+       auth_clear_options();
+       have_forced = buffer_get_int(&m);
+       forced_command = have_forced ? xstrdup("true") : NULL;
+
        if (allowed && rkey != NULL) {
                blob = buffer_get_string(&m, &blen);
                if ((key = key_from_blob(blob, blen)) == NULL)