- markus@cvs.openbsd.org 2001/04/17 19:34:25
[session.c]
move auth_approval to do_authenticated().
do_child(): nuke hostkeys from memory
don't source .ssh/rc for subsystems.
diff --git a/session.c b/session.c
index 4580c30..3960c9f 100644
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.73 2001/04/16 08:19:31 djm Exp $");
+RCSID("$OpenBSD: session.c,v 1.74 2001/04/17 19:34:25 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
@@ -140,8 +140,8 @@
extern int log_stderr;
extern int debug_flag;
extern u_int utmp_len;
-
extern int startup_pipe;
+extern void destroy_sensitive_data(void);
/* Local Xauthority file. */
static char *xauthfile;
@@ -179,6 +179,12 @@
error("unable to get login class");
return;
}
+#ifdef BSD_AUTH
+ if (auth_approval(NULL, lc, authctxt->pw->pw_name, "ssh") <= 0) {
+ packet_disconnect("Approval failure for %s",
+ authctxt->pw->pw_name);
+ }
+#endif
#endif
/* setup the channel layer */
if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
@@ -1050,6 +1056,9 @@
#endif /* WITH_IRIX_ARRAY */
#endif /* WITH_IRIX_JOBS */
+ /* remove hostkey from the child's memory */
+ destroy_sensitive_data();
+
/* login(1) is only called if we execute the login shell */
if (options.use_login && command != NULL)
options.use_login = 0;
@@ -1097,13 +1106,6 @@
perror("unable to set user context");
exit(1);
}
-#ifdef BSD_AUTH
- if (auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) {
- error("approval failure for %s", pw->pw_name);
- fprintf(stderr, "Approval failure");
- exit(1);
- }
-#endif
# else /* HAVE_LOGIN_CAP */
#if defined(HAVE_GETLUID) && defined(HAVE_SETLUID)
/* Sets login uid for accounting */
@@ -1389,7 +1391,8 @@
* in this order).
*/
if (!options.use_login) {
- if (stat(_PATH_SSH_USER_RC, &st) >= 0) {
+ /* ignore _PATH_SSH_USER_RC for subsystems */
+ if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
if (debug_flag)
fprintf(stderr, "Running %s %s\n", _PATH_BSHELL,
_PATH_SSH_USER_RC);