- (djm) Bug #231: UsePrivilegeSeparation turns off Banner.
diff --git a/ChangeLog b/ChangeLog
index c4e583f..92afe6b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
20020513
- (djm) Add --with-superuser-path=xxx configure option to specify what $PATH
the superuser receives.
+ - (djm) Bug #231: UsePrivilegeSeparation turns off Banner.
20020511
- (tim) [configure.ac] applied a rework of djm's OpenSSL search cleanup patch.
@@ -571,4 +572,4 @@
- (stevesk) entropy.c: typo in debug message
- (djm) ssh-keygen -i needs seeded RNG; report from markus@
-$Id: ChangeLog,v 1.2107 2002/05/13 00:48:57 djm Exp $
+$Id: ChangeLog,v 1.2108 2002/05/13 01:07:41 djm Exp $
diff --git a/auth.h b/auth.h
index a336926..f03a26e 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.35 2002/03/19 10:35:39 markus Exp $ */
+/* $OpenBSD: auth.h,v 1.36 2002/05/12 23:53:45 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -136,6 +136,8 @@
void userauth_finish(Authctxt *, int, char *);
int auth_root_allowed(char *);
+char *auth2_read_banner(void);
+
void privsep_challenge_enable(void);
int auth2_challenge(Authctxt *, char *);
diff --git a/auth2.c b/auth2.c
index 61fd0a7..20584ca 100644
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.89 2002/03/19 14:27:39 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.90 2002/05/12 23:53:45 djm Exp $");
#include <openssl/evp.h>
@@ -283,25 +283,45 @@
}
}
-static void
-userauth_banner(void)
+char *
+auth2_read_banner(void)
{
struct stat st;
char *banner = NULL;
off_t len, n;
int fd;
- if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
- return;
- if ((fd = open(options.banner, O_RDONLY)) < 0)
- return;
- if (fstat(fd, &st) < 0)
- goto done;
+ if ((fd = open(options.banner, O_RDONLY)) == -1)
+ return (NULL);
+ if (fstat(fd, &st) == -1) {
+ close(fd);
+ return (NULL);
+ }
len = st.st_size;
banner = xmalloc(len + 1);
- if ((n = read(fd, banner, len)) < 0)
- goto done;
+ n = atomicio(read, fd, banner, len);
+ close(fd);
+
+ if (n != len) {
+ free(banner);
+ return (NULL);
+ }
banner[n] = '\0';
+
+ return (banner);
+}
+
+static void
+userauth_banner(void)
+{
+ char *banner = NULL;
+
+ if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
+ return;
+
+ if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
+ goto done;
+
packet_start(SSH2_MSG_USERAUTH_BANNER);
packet_put_cstring(banner);
packet_put_cstring(""); /* language, unused */
@@ -310,7 +330,6 @@
done:
if (banner)
xfree(banner);
- close(fd);
return;
}
diff --git a/monitor.c b/monitor.c
index a27cf0f..279ec37 100644
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.9 2002/03/30 18:51:15 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.10 2002/05/12 23:53:45 djm Exp $");
#include <openssl/dh.h>
@@ -96,6 +96,7 @@
int mm_answer_moduli(int, Buffer *);
int mm_answer_sign(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *);
+int mm_answer_auth2_read_banner(int, Buffer *);
int mm_answer_authserv(int, Buffer *);
int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *);
@@ -147,6 +148,7 @@
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+ {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
@@ -524,9 +526,11 @@
/* For SSHv1 allow authentication now */
if (!compat20)
monitor_permit_authentications(1);
- else
+ else {
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
+ }
#ifdef USE_PAM
monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
@@ -535,6 +539,21 @@
return (0);
}
+int mm_answer_auth2_read_banner(int socket, Buffer *m)
+{
+ char *banner;
+
+ buffer_clear(m);
+ banner = auth2_read_banner();
+ buffer_put_cstring(m, banner != NULL ? banner : "");
+ mm_request_send(socket, MONITOR_ANS_AUTH2_READ_BANNER, m);
+
+ if (banner != NULL)
+ free(banner);
+
+ return (0);
+}
+
int
mm_answer_authserv(int socket, Buffer *m)
{
diff --git a/monitor.h b/monitor.h
index 56ec9d9..b5db999 100644
--- a/monitor.h
+++ b/monitor.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.h,v 1.3 2002/03/26 03:24:01 stevesk Exp $ */
+/* $OpenBSD: monitor.h,v 1.4 2002/05/12 23:53:45 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -33,6 +33,7 @@
MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
+ MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD,
MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY,
MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND,
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 0fe5bc1..3801758 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -25,7 +25,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.5 2002/03/25 20:12:10 stevesk Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.6 2002/05/12 23:53:45 djm Exp $");
#include <openssl/bn.h>
#include <openssl/dh.h>
@@ -207,6 +207,24 @@
return (pw);
}
+char* mm_auth2_read_banner(void)
+{
+ Buffer m;
+ char *banner;
+
+ debug3("%s entering", __FUNCTION__);
+
+ buffer_init(&m);
+ mm_request_send(monitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, &m);
+ buffer_clear(&m);
+
+ mm_request_receive_expect(monitor->m_recvfd, MONITOR_ANS_AUTH2_READ_BANNER, &m);
+ banner = buffer_get_string(&m, NULL);
+ buffer_free(&m);
+
+ return (banner);
+}
+
/* Inform the privileged process about service and style */
void
diff --git a/monitor_wrap.h b/monitor_wrap.h
index 975ba05..ce72124 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.h,v 1.4 2002/03/26 03:24:01 stevesk Exp $ */
+/* $OpenBSD: monitor_wrap.h,v 1.5 2002/05/12 23:53:45 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -44,6 +44,7 @@
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
void mm_inform_authserv(char *, char *);
struct passwd *mm_getpwnamallow(const char *);
+char* mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *);
int mm_key_allowed(enum mm_keytype, char *, char *, Key *);
int mm_user_key_allowed(struct passwd *, Key *);