- (bal) Disable Privsep for Tru64 after pre-authentication due to issues

   with SIA.  Also, clean up of tru64 support patch by Chris Adams
   <cmadams@hiwaay.net>

diff --git a/ChangeLog b/ChangeLog
index 830136ac7ca9afe07b640c5837e2ebeb322f1231..93b0c99db88ef362c28f3af810321a57d7883be2 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,9 @@
  - (bal) scp.c 'limit' conflicts with Cray.  Rename to 'limitbw'
  - (bal) Collection of Cray patches (bsd-cray.h fix for CRAYT3E and improved
    guessing rules)
+ - (bal) Disable Privsep for Tru64 after pre-authentication due to issues
+   with SIA.  Also, clean up of tru64 support patch by Chris Adams
+   <cmadams@hiwaay.net>
 
 20030318
  - (tim) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
@@ -1235,4 +1238,4 @@
      save auth method before monitor_reset_key_state(); bugzilla bug #284;
      ok provos@
 
-$Id: ChangeLog,v 1.2636 2003/03/21 01:05:37 mouring Exp $
+$Id: ChangeLog,v 1.2637 2003/03/21 01:18:09 mouring Exp $

diff --git a/README.privsep b/README.privsep
index ced943f262fe16a7217db65a5595410ec784de55..e8bf1db34c8af6cae2d24e98d67dc51694b02b77 100644 (file)
--- a/README.privsep
+++ b/README.privsep
@@ -43,6 +43,10 @@ It does not function on HP-UX with a trusted system
 configuration.  PAMAuthenticationViaKbdInt does not function with
 privsep.
 
+On Compaq Tru64 Unix, only the pre-authentication part of privsep is
+supported.  Post-authentication privsep is disabled automatically (so
+you won't see the additional process mentioned below).
+
 Note that for a normal interactive login with a shell, enabling privsep
 will require 1 additional process per login session.
 
@@ -58,4 +62,4 @@ process 1005 is the sshd process listening for new connections.
 process 6917 is the privileged monitor process, 6919 is the user owned
 sshd process and 6921 is the shell process.
 
-$Id: README.privsep,v 1.10 2002/06/26 00:43:57 stevesk Exp $
+$Id: README.privsep,v 1.11 2003/03/21 01:18:09 mouring Exp $

diff --git a/auth-sia.c b/auth-sia.c
index 071e154d82f273aa648cd4d87b5d5a5c32400caa..5c9b3f5de24bfc694baf735230429f964987d486 100644 (file)
--- a/auth-sia.c
+++ b/auth-sia.c
@@ -45,27 +45,25 @@ extern ServerOptions options;
 extern int saved_argc;
 extern char **saved_argv;
 
-extern int errno;
-
 int
 auth_sia_password(Authctxt *authctxt, char *pass)
 {
        int ret;
        SIAENTITY *ent = NULL;
        const char *host;
-       char *user = authctxt->user;
 
        host = get_canonical_hostname(options.verify_reverse_mapping);
 
-       if (pass[0] == '\0')
+       if (!authctxt->user || !pass || pass[0] == '\0')
                return(0);
 
-       if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0,
-           NULL) != SIASUCCESS)
+       if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user,
+           NULL, 0, NULL) != SIASUCCESS)
                return(0);
 
        if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) {
-               error("Couldn't authenticate %s from %s", user, host);
+               error("Couldn't authenticate %s from %s", authctxt->user,
+                   host);
                if (ret & SIASTOP)
                        sia_ses_release(&ent);
                return(0);
@@ -77,48 +75,35 @@ auth_sia_password(Authctxt *authctxt, char *pass)
 }
 
 void
-session_setup_sia(char *user, char *tty)
+session_setup_sia(struct passwd *pw, char *tty)
 {
-       struct passwd *pw;
        SIAENTITY *ent = NULL;
        const char *host;
 
-       host = get_canonical_hostname (options.verify_reverse_mapping);
+       host = get_canonical_hostname(options.verify_reverse_mapping);
 
-       if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0,
-           NULL) != SIASUCCESS) {
+       if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name, tty,
+           0, NULL) != SIASUCCESS)
                fatal("sia_ses_init failed");
-       }
 
-       if ((pw = getpwnam(user)) == NULL) {
-               sia_ses_release(&ent);
-               fatal("getpwnam: no user: %s", user);
-       }
        if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) {
                sia_ses_release(&ent);
                fatal("sia_make_entity_pwd failed");
        }
 
        ent->authtype = SIA_A_NONE;
-       if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) {
-               fatal("Couldn't establish session for %s from %s", user,
-                   host);
-       }
-
-       if (setpriority(PRIO_PROCESS, 0, 0) == -1) {
-               sia_ses_release(&ent);
-               fatal("setpriority: %s", strerror (errno));
-       }
+       if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS)
+               fatal("Couldn't establish session for %s from %s",
+                   pw->pw_name, host);
 
-       if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) {
-               fatal("Couldn't launch session for %s from %s", user, host);
-       }
+       if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS)
+               fatal("Couldn't launch session for %s from %s", pw->pw_name,
+                   host);
        
        sia_ses_release(&ent);
 
-       if (setreuid(geteuid(), geteuid()) < 0) {
+       if (setreuid(geteuid(), geteuid()) < 0)
                fatal("setreuid: %s", strerror(errno));
-       }
 }
 
 #endif /* HAVE_OSF_SIA */

diff --git a/auth-sia.h b/auth-sia.h
index caa584132d3133d6ba6f40758c6d6354663ca6a8..7aecce940af115c74538b8f7ad49d29768e93a99 100644 (file)
--- a/auth-sia.h
+++ b/auth-sia.h
@@ -27,6 +27,6 @@
 #ifdef HAVE_OSF_SIA
 
 int    auth_sia_password(Authctxt *authctxt, char *pass);
-void   session_setup_sia(char *user, char *tty);
+void   session_setup_sia(struct passwd *pw, char *tty);
 
 #endif /* HAVE_OSF_SIA */

diff --git a/configure.ac b/configure.ac
index aa2f3db2af0dd7358888397e28df27a71fd157be..47fef0cbeccf08844003d8e84967c88e22ade3db 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.112 2003/03/21 00:34:34 mouring Exp $
+# $Id: configure.ac,v 1.113 2003/03/21 01:18:09 mouring Exp $
 
 AC_INIT
 AC_CONFIG_SRCDIR([ssh.c])
@@ -331,6 +331,7 @@ mips-sony-bsd|mips-sony-newsos4)
                        AC_MSG_RESULT(yes)
                        AC_DEFINE(HAVE_OSF_SIA)
                        AC_DEFINE(DISABLE_LOGIN)
+                       AC_DEFINE(DISABLE_FD_PASSING)
                        LIBS="$LIBS -lsecurity -ldb -lm -laud"
                else
                        AC_MSG_RESULT(no)

diff --git a/session.c b/session.c
index ce9db27ef09a90fcd12c9f94afa428b7f6ae6800..c75fea9669330b60fff51c01ede0c957099a008d 100644 (file)
--- a/session.c
+++ b/session.c
@@ -1321,7 +1321,7 @@ do_child(Session *s, const char *command)
         */
        if (!options.use_login) {
 #ifdef HAVE_OSF_SIA
-               session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty);
+               session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty);
                if (!check_quietlogin(s, command))
                        do_motd();
 #else /* HAVE_OSF_SIA */