- (bal) Update ssh-host-config and minor rewrite of bsd-cygwin_util.c
   ntsec is now the default for cygwin versions beginning w/ version 56.  Patch
   by Corinna Vinschen <vinschen@redhat.com>
diff --git a/ChangeLog b/ChangeLog
index f947b35..af7ba9e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -36,6 +36,9 @@
      [scp.c]
      check exit status from ssh, and exit(1) if ssh fails; bug#369; 
      binder@arago.de
+ - (bal) Update ssh-host-config and minor rewrite of bsd-cygwin_util.c
+   ntsec now default if cygwin version beginning w/ version 56.  Patch
+   by Corinna Vinschen <vinschen@redhat.com> 
 
 20021021
  - (djm) Bug #400: Kill ssh-rand-helper children on timeout, patch from 
@@ -813,4 +816,4 @@
      save auth method before monitor_reset_key_state(); bugzilla bug #284;
      ok provos@
 
-$Id: ChangeLog,v 1.2509 2002/11/09 15:54:08 mouring Exp $
+$Id: ChangeLog,v 1.2510 2002/11/09 15:59:27 mouring Exp $
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index 4df5aa9..2c6db51 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -378,6 +378,8 @@
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
 
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
 # possible, but leave them commented.  Uncommented options change a
@@ -394,7 +396,7 @@
 #HostKey ${SYSCONFDIR}/ssh_host_rsa_key
 #HostKey ${SYSCONFDIR}/ssh_host_dsa_key
 
-# Lifetime and size of ephemeral version 1 server ke
+# Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 3600
 #ServerKeyBits 768
 
@@ -405,7 +407,7 @@
 
 # Authentication:
 
-#LoginGraceTime 600
+#LoginGraceTime 120
 #PermitRootLogin yes
 # The following setting overrides permission checks on host key files
 # and directories. For security reasons set this to "yes" when running
@@ -414,11 +416,11 @@
 
 #RSAAuthentication yes
 #PubkeyAuthentication yes
-#AuthorizedKeysFile     %h/.ssh/authorized_keys
+#AuthorizedKeysFile     .ssh/authorized_keys
 
 # rhosts authentication should not be used
 #RhostsAuthentication no
-# Don't read ~/.rhosts and ~/.shosts files
+# Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 # For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
 #RhostsRSAAuthentication no
@@ -443,6 +445,7 @@
 #KeepAlive yes
 #UseLogin no
 UsePrivilegeSeparation $privsep_used
+#PermitUserEnvironment no
 #Compression yes
 
 #MaxStartups 10
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c
index 2396a6e..0fa5964 100644
--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -31,7 +31,7 @@
 
 #include "includes.h"
 
-RCSID("$Id: bsd-cygwin_util.c,v 1.8 2002/04/15 22:00:52 stevesk Exp $");
+RCSID("$Id: bsd-cygwin_util.c,v 1.9 2002/11/09 15:59:29 mouring Exp $");
 
 #ifdef HAVE_CYGWIN
 
@@ -43,6 +43,7 @@
 #define is_winnt       (GetVersion() < 0x80000000)
 
 #define ntsec_on(c)	((c) && strstr((c),"ntsec") && !strstr((c),"nontsec"))
+#define ntsec_off(c)	((c) && strstr((c),"nontsec"))
 #define ntea_on(c)	((c) && strstr((c),"ntea") && !strstr((c),"nontea"))
 
 #if defined(open) && open == binary_open
@@ -74,6 +75,56 @@
 	return ret;
 }
 
+#define HAS_CREATE_TOKEN 1
+#define HAS_NTSEC_BY_DEFAULT 2
+
+static int has_capability(int what)
+{
+	/* has_capability() basically calls uname() and checks if
+	   specific capabilities of Cygwin can be evaluated from that.
+	   This simplifies the calling functions which only have to ask
+	   for a capability using has_capability() instead of having
+	   to figure that out by themselves. */
+	static int inited;
+	static int has_create_token;
+	static int has_ntsec_by_default;
+
+	if (!inited) {
+		struct utsname uts;
+		char *c;
+		
+		if (!uname(&uts)) {
+			int major_high = 0;
+			int major_low = 0;
+			int minor = 0;
+			int api_major_version = 0;
+			int api_minor_version = 0;
+			char *c;
+
+			sscanf(uts.release, "%d.%d.%d", &major_high,
+			       &major_low, &minor);
+			c = strchr(uts.release, '(');
+			if (c)
+				sscanf(c + 1, "%d.%d", &api_major_version,
+				       &api_minor_version);
+			if (major_high > 1 ||
+			    (major_high == 1 && (major_low > 3 ||
+			     (major_low == 3 && minor >= 2))))
+				has_create_token = 1;
+			if (api_major_version > 0 || api_minor_version >= 56)
+				has_ntsec_by_default = 1;
+			inited = 1;
+		}
+	}
+	switch (what) {
+	case HAS_CREATE_TOKEN:
+		return has_create_token;
+	case HAS_NTSEC_BY_DEFAULT:
+		return has_ntsec_by_default;
+	}
+	return 0;
+}
+
 int check_nt_auth(int pwd_authenticated, struct passwd *pw)
 {
 	/*
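Review bot: Both sscanf() calls in has_capability() ignore their return values, so a `uts.release` string that does not match the expected layout leaves every version field at 0 and both capabilities off, and because `inited` is then set that result is kept for the life of the process. That looks like the intended conservative default, but it is worth stating next to the parse, e.g. `/* Unparsable release strings leave all versions 0, i.e. no capability. */`. The bare `56` should get a comment saying it is the Cygwin API minor version read from the parenthesised part of the release string. The outer `char *c;` declared right after `struct utsname uts;` is unused and is shadowed by the inner `char *c;`, so it can be dropped.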
@@ -93,19 +144,14 @@
 		return 0;
 	if (is_winnt) {
 		if (has_create_token < 0) {
-			struct utsname uts;
-		        int major_high = 0, major_low = 0, minor = 0;
 			char *cygwin = getenv("CYGWIN");
 
 			has_create_token = 0;
-			if (ntsec_on(cygwin) && !uname(&uts)) {
-				sscanf(uts.release, "%d.%d.%d",
-				       &major_high, &major_low, &minor);
-				if (major_high > 1 ||
-				    (major_high == 1 && (major_low > 3 ||
-				     (major_low == 3 && minor >= 2))))
-					has_create_token = 1;
-			}
+			if (has_capability(HAS_CREATE_TOKEN) &&
+			    (ntsec_on(cygwin) ||
+			     (has_capability(HAS_NTSEC_BY_DEFAULT) &&
+			      !ntsec_off(cygwin))))
+				has_create_token = 1;
 		}
 		if (has_create_token < 1 &&
 		    !pwd_authenticated && geteuid() != pw->pw_uid)
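Review bot: The effective-ntsec test `ntsec_on(cygwin) || (has_capability(HAS_NTSEC_BY_DEFAULT) && !ntsec_off(cygwin))` is written out twice, here in check_nt_auth() and again in the `allow_ntsec` assignment in the following hunk, so the authentication decision and the permission-check setting can drift apart if only one copy is edited later. A single macro next to `ntsec_off`, for example `#define ntsec_enabled(c) (ntsec_on(c) || (has_capability(HAS_NTSEC_BY_DEFAULT) && !ntsec_off(c)))`, would keep the two call sites in step. The local `has_create_token` here now also records whether ntsec is in effect, not only the token capability, and it shares its name with the static inside has_capability(); a short comment or a rename would make that clear. check_nt_auth() starts and ends outside this hunk.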
@@ -128,7 +174,9 @@
 	/* Evaluate current CYGWIN settings. */
 	cygwin = getenv("CYGWIN");
 	allow_ntea = ntea_on(cygwin);
-	allow_ntsec = ntsec_on(cygwin);
+	allow_ntsec = ntsec_on(cygwin) ||
+		      (has_capability(HAS_NTSEC_BY_DEFAULT) &&
+		       !ntsec_off(cygwin));
 
 	/*
 	 * `ntea' is an emulation of POSIX attributes. It doesn't support