Bugzilla – Attachment 235 Details for
Bug 463
PrintLastLog doesn't work in privsep mode
[patch]
Generate login message as part of login recording.
openssh-loginmsg5.patch (text/plain), 12.65 KB, created by
Darren Tucker
on 2003-02-22 16:01:39 AEDT
Description:
Generate login message as part of login recording.
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2003-02-22 16:01:39 AEDT
Size:
12.65 KB
patch
obsolete
>Index: auth-passwd.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-passwd.c,v
>retrieving revision 1.51
>diff -u -r1.51 auth-passwd.c
>--- auth-passwd.c 29 Jan 2003 23:20:57 -0000 1.51
>+++ auth-passwd.c 22 Feb 2003 03:04:42 -0000
>@@ -81,9 +81,6 @@
> #endif /* !USE_PAM && !HAVE_OSF_SIA */
>
> extern ServerOptions options;
>-#ifdef WITH_AIXAUTHENTICATE
>-extern char *aixloginmsg;
>-#endif
>
> /*
> * Tries to authenticate the user using password. Returns true if
>@@ -147,16 +144,8 @@
> }
> # endif
> # ifdef WITH_AIXAUTHENTICATE
>- authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
>-
>- if (authsuccess)
>- /* We don't have a pty yet, so just label the line as "ssh" */
>- if (loginsuccess(authctxt->user,
>- get_canonical_hostname(options.verify_reverse_mapping),
>- "ssh", &aixloginmsg) < 0)
>- aixloginmsg = NULL;
>-
>- return(authsuccess);
>+ /* XXX: should loop until reenter == 0 */
>+ return(authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
> # endif
> # ifdef KRB4
> if (options.kerberos_authentication == 1) {
>Index: loginrec.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/loginrec.c,v
>retrieving revision 1.46
>diff -u -r1.46 loginrec.c
>--- loginrec.c 7 Jan 2003 05:46:58 -0000 1.46
>+++ loginrec.c 22 Feb 2003 03:04:42 -0000
>@@ -162,6 +162,7 @@
> #include "loginrec.h"
> #include "log.h"
> #include "atomicio.h"
>+#include "buffer.h"
>
> RCSID("$Id: loginrec.c,v 1.46 2003/01/07 05:46:58 djm Exp $");
>
>@@ -202,6 +203,8 @@
> /* pick the shortest string */
> #define MIN_SIZEOF(s1,s2) ( sizeof(s1) < sizeof(s2) ? sizeof(s1) : sizeof(s2) )
>
>+extern Buffer login_message;
>+
> /**
> ** platform-independent login functions
> **/
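Review bot: With `loginsuccess()` removed from the WITH_AIXAUTHENTICATE branch at @@ -147, a successful password authentication no longer records the login by itself; the only remaining call in this patch is in loginrec.c at @@ -439, under `li->type == LTYPE_LOGIN`. If that path runs only when a login record is written (the session.c and monitor.c hunks suggest this is the pty case), sessions without a pty would stop updating whatever state loginsuccess() maintains, such as the last successful login and any failed-attempt counter, so this should be confirmed or the call kept for those sessions. The string returned through `&authmsg` also appears to be neither used nor released in the new `return` line. The enclosing function starts and ends outside the hunk.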
>@@ -439,6 +442,14 @@
> #endif
> #ifdef USE_WTMPX
> wtmpx_write_entry(li);
>+#endif
>+#ifdef WITH_AIXAUTHENTICATE
>+ if (li->type == LTYPE_LOGIN) {
>+ char *msg;
>+
>+ if (loginsuccess(li->username,li->hostname,li->line, &msg) >= 0)
>+ buffer_append(&login_message, msg, strlen(msg));
>+ }
> #endif
> return 0;
> }
>Index: monitor.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor.c,v
>retrieving revision 1.33
>diff -u -r1.33 monitor.c
>--- monitor.c 9 Nov 2002 15:47:49 -0000 1.33
>+++ monitor.c 22 Feb 2003 03:04:42 -0000
>@@ -110,6 +110,7 @@
> int mm_answer_pty(int, Buffer *);
> int mm_answer_pty_cleanup(int, Buffer *);
> int mm_answer_term(int, Buffer *);
>+int mm_answer_getloginmsg(int, Buffer *);
> int mm_answer_rsa_keyallowed(int, Buffer *);
> int mm_answer_rsa_challenge(int, Buffer *);
> int mm_answer_rsa_response(int, Buffer *);
>@@ -183,6 +184,7 @@
> {MONITOR_REQ_PTY, 0, mm_answer_pty},
> {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
> {MONITOR_REQ_TERM, 0, mm_answer_term},
>+ {MONITOR_REQ_LOGINMSG, 0, mm_answer_getloginmsg},
> {0, 0, NULL}
> };
>
>@@ -219,6 +221,7 @@
> {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
> {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
> {MONITOR_REQ_TERM, 0, mm_answer_term},
>+ {MONITOR_REQ_LOGINMSG, 0, mm_answer_getloginmsg},
> {0, 0, NULL}
> };
>
>@@ -328,6 +331,7 @@
> if (!no_pty_flag) {
> monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
> monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
>+ monitor_permit(mon_dispatch, MONITOR_REQ_LOGINMSG, 1);
> }
>
> for (;;)
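Review bot: `msg` is passed to `strlen()` and `buffer_append()` without a NULL check in the block added under WITH_AIXAUTHENTICATE at @@ -439, and it is declared uninitialised. The code this patch removes from session.c guarded the same value with `if (aixloginmsg && *aixloginmsg)`, which suggests loginsuccess() can succeed and still leave the pointer NULL; declare `char *msg = NULL;` and append only `if (loginsuccess(...) >= 0 && msg != NULL)`. The removed code also printed the message with a trailing `\n` that this append drops, so the AIX text will run into whatever is stored or printed next. If loginsuccess() allocates the string (to be confirmed against the platform documentation), it also needs to be released after the append. The enclosing function starts outside the hunk.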
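Review bot: In the table at @@ -219 the new `MONITOR_REQ_LOGINMSG` entry is registered with flags `0` while the `MONITOR_REQ_PTY` request it accompanies is `MON_ONCE`, so once permitted the unprivileged child may repeat the request without limit. Each request reaches `get_login_message()`, which, as added in sshlogin.c by this patch, appends one byte to the monitor's buffer per call. If one fetch per pty is all session_pty_req needs, `{MONITOR_REQ_LOGINMSG, MON_ONCE, mm_answer_getloginmsg},` keeps the privileged interface as narrow as its neighbours. The entry added at @@ -183 raises the same question, although the PTY entries there are not MON_ONCE either.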
>@@ -1101,6 +1105,22 @@
> mm_session_close(s);
> buffer_put_int(m, 0);
> mm_request_send(socket, MONITOR_ANS_PTY, m);
>+ return (0);
>+}
>+
>+int
>+mm_answer_getloginmsg(int socket, Buffer *m)
>+{
>+ char *msg;
>+
>+ debug3("%s entering", __func__);
>+
>+ /* retrieve stored login message */
>+ msg = get_login_message();
>+
>+ buffer_clear(m);
>+ buffer_put_string(m, msg, strlen(msg));
>+ mm_request_send(socket, MONITOR_ANS_LOGINMSG, m);
> return (0);
> }
>
>Index: monitor.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor.h,v
>retrieving revision 1.10
>diff -u -r1.10 monitor.h
>--- monitor.h 27 Sep 2002 03:26:02 -0000 1.10
>+++ monitor.h 22 Feb 2003 03:04:42 -0000
>@@ -43,6 +43,7 @@
> MONITOR_REQ_KEYVERIFY, MONITOR_ANS_KEYVERIFY,
> MONITOR_REQ_KEYEXPORT,
> MONITOR_REQ_PTY, MONITOR_ANS_PTY,
>+ MONITOR_REQ_LOGINMSG, MONITOR_ANS_LOGINMSG,
> MONITOR_REQ_PTYCLEANUP,
> MONITOR_REQ_SESSKEY, MONITOR_ANS_SESSKEY,
> MONITOR_REQ_SESSID,
>Index: monitor_wrap.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor_wrap.c,v
>retrieving revision 1.21
>diff -u -r1.21 monitor_wrap.c
>--- monitor_wrap.c 23 Dec 2002 02:06:20 -0000 1.21
>+++ monitor_wrap.c 22 Feb 2003 03:04:42 -0000
>@@ -648,6 +648,25 @@
> s->ttyfd = -1;
> }
>
>+char *
>+mm_get_login_message(void)
>+{
>+ Buffer m;
>+ char *msg;
>+
>+ debug3("%s entering", __func__);
>+
>+ buffer_init(&m);
>+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_LOGINMSG, &m);
>+
>+ debug3("%s waiting for MONITOR_ANS_LOGINMSG", __func__);
>+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_LOGINMSG, &m);
>+ msg = buffer_get_string(&m, NULL);
>+ buffer_free(&m);
>+
>+ return(msg);
>+}
>+
> #ifdef USE_PAM
> void
> mm_start_pam(char *user)
>Index: monitor_wrap.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor_wrap.h,v
>retrieving revision 1.9
>diff -u -r1.9 monitor_wrap.h
>--- monitor_wrap.h 27 Sep 2002 03:26:04 -0000 1.9
>+++ monitor_wrap.h 22 Feb 2003 03:04:42 -0000
>@@ -62,6 +62,7 @@
> void mm_terminate(void);
> int mm_pty_allocate(int *, int *, char *, int);
> void mm_session_pty_cleanup2(void *);
>+char *mm_get_login_message(void);
>
> /* SSHv1 interfaces */
> void mm_ssh1_session_id(u_char *);
>Index: session.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/session.c,v
>retrieving revision 1.228
>diff -u -r1.228 session.c
>--- session.c 9 Jan 2003 22:53:12 -0000 1.228
>+++ session.c 22 Feb 2003 03:04:42 -0000
>@@ -95,6 +95,7 @@
> extern u_int utmp_len;
> extern int startup_pipe;
> extern void destroy_sensitive_data(void);
>+extern Buffer login_message;
>
> /* original command from peer. */
> const char *original_command = NULL;
>@@ -103,10 +104,6 @@
> #define MAX_SESSIONS 10
> Session sessions[MAX_SESSIONS];
>
>-#ifdef WITH_AIXAUTHENTICATE
>-char *aixloginmsg;
>-#endif /* WITH_AIXAUTHENTICATE */
>-
> #ifdef HAVE_LOGIN_CAP
> login_cap_t *lc;
> #endif
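Review bot: `mm_get_login_message()` at @@ -648 returns the string allocated by `buffer_get_string()`, but nothing states that the caller owns it, and the only caller in this patch (the `if (use_privsep)` block added to session.c at @@ -1633) copies it into `login_message` and never releases it. Add a header comment such as `/* Fetch the stored login message from the monitor; the result is allocated and must be xfree()d by the caller. */` and an `xfree(msg);` after the `buffer_append()` in session.c. The non-privsep `get_login_message()` instead returns a pointer into the buffer that must not be freed, so the two functions reachable through `PRIVSEP(get_login_message())` follow different ownership rules and that difference should be documented at both definitions.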
>@@ -719,7 +716,6 @@
> void
> do_login(Session *s, const char *command)
> {
>- char *time_string;
> socklen_t fromlen;
> struct sockaddr_storage from;
> struct passwd * pw = s->pw;
>@@ -764,23 +760,9 @@
> if (!is_pam_password_change_required())
> print_pam_messages();
> #endif /* USE_PAM */
>-#ifdef WITH_AIXAUTHENTICATE
>- if (aixloginmsg && *aixloginmsg)
>- printf("%s\n", aixloginmsg);
>-#endif /* WITH_AIXAUTHENTICATE */
>-
>-#ifndef NO_SSH_LASTLOG
>- if (options.print_lastlog && s->last_login_time != 0) {
>- time_string = ctime(&s->last_login_time);
>- if (strchr(time_string, '\n'))
>- *strchr(time_string, '\n') = 0;
>- if (strcmp(s->hostname, "") == 0)
>- printf("Last login: %s\r\n", time_string);
>- else
>- printf("Last login: %s from %s\r\n", time_string,
>- s->hostname);
>- }
>-#endif /* NO_SSH_LASTLOG */
>+
>+ /* print login messages */
>+ printf("%s", get_login_message());
>
> do_motd();
> }
>@@ -1597,12 +1579,6 @@
> packet_disconnect("Protocol error: you already have a pty.");
> return 0;
> }
>- /* Get the time and hostname when the user last logged in. */
>- if (options.print_lastlog) {
>- s->hostname[0] = '\0';
>- s->last_login_time = get_last_login_time(s->pw->pw_uid,
>- s->pw->pw_name, s->hostname, sizeof(s->hostname));
>- }
>
> s->term = packet_get_string(&len);
>
>@@ -1633,6 +1609,15 @@
> return 0;
> }
> debug("session_pty_req: session %d alloc %s", s->self, s->tty);
>+
>+ /* copy login_message from monitor to display after fork */
>+ if (use_privsep) {
>+ char *msg;
>+
>+ msg = PRIVSEP(get_login_message());
>+ buffer_clear(&login_message);
>+ buffer_append(&login_message, msg, strlen(msg));
>+ }
>
> /* for SSH1 the tty modes length is not given */
> if (!compat20)
>Index: session.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/session.h,v
>retrieving revision 1.23
>diff -u -r1.23 session.h
>--- session.h 4 Jul 2002 00:14:18 -0000 1.23
>+++ session.h 22 Feb 2003 03:04:42 -0000
>@@ -39,9 +39,6 @@
> int ptyfd, ttyfd, ptymaster;
> u_int row, col, xpixel, ypixel;
> char tty[TTYSZ];
>- /* last login */
>- char hostname[MAXHOSTNAMELEN];
>- time_t last_login_time;
> /* X11 */
> u_int display_number;
> char *display;
>Index: sshd.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshd.c,v
>retrieving revision 1.233
>diff -u -r1.233 sshd.c
>--- sshd.c 9 Jan 2003 22:53:12 -0000 1.233
>+++ sshd.c 22 Feb 2003 03:04:42 -0000
>@@ -205,6 +205,9 @@
> extern struct monitor *pmonitor;
> extern int use_privsep;
>
>+/* Buffer that will collect authentication messages for display after login */
>+Buffer login_message;
>+
> /* Prototypes for various functions defined later in this file. */
> void destroy_sensitive_data(void);
> void demote_sensitive_data(void);
>@@ -1501,6 +1504,9 @@
> if (use_privsep)
> if ((authctxt = privsep_preauth()) != NULL)
> goto authenticated;
>+
>+ /* prepare buffer to collect authentication messages */
>+ buffer_init(&login_message);
>
> /* perform the key exchange */
> /* authenticate user and start session */
>Index: sshlogin.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshlogin.c,v
>retrieving revision 1.9
>diff -u -r1.9 sshlogin.c
>--- sshlogin.c 1 Jan 2003 23:43:56 -0000 1.9
>+++ sshlogin.c 22 Feb 2003 03:26:00 -0000
>@@ -42,6 +42,13 @@
> RCSID("$OpenBSD: sshlogin.c,v 1.5 2002/08/29 15:57:25 stevesk Exp $");
>
> #include "loginrec.h"
>+#include "xmalloc.h"
>+#include "buffer.h"
>+#include "log.h"
>+#include "servconf.h"
>+
>+extern Buffer login_message;
>+extern ServerOptions options;
>
> /*
> * Returns the time when the user last logged in. Returns 0 if the
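Review bot: `buffer_init(&login_message)` at @@ -1501 is placed after the `goto authenticated` that is taken when `privsep_preauth()` returns non-NULL, so on that path the buffer is never initialised before the loginrec.c, sshlogin.c and session.c hunks append to or clear it. It may happen to work if the buffer routines tolerate a zero-filled global, but that is not visible here and should not be relied on. Moving the two added lines above `if (use_privsep)` initialises the buffer on every path. The enclosing function starts and ends outside the hunk.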
>@@ -60,19 +67,63 @@
> }
>
> /*
>- * Records that the user has logged in. I these parts of operating systems
>- * were more standardized.
>+ * Retrieves login_message. Returns empty string if no message exists.
>+ */
>+char *
>+get_login_message(void)
>+{
>+ buffer_append(&login_message, "", 1); /* null terminate string */
>+ return(buffer_ptr(&login_message));
>+}
>+
>+/*
>+ * Generate and store last login message. This must be done before
>+ * login_login() is called and lastlog is updated.
>+ */
>+void
>+store_lastlog_message(const char *user, uid_t uid)
>+{
>+#if !defined(NO_SSH_LASTLOG)
>+ if (options.print_lastlog) {
>+ char *time_string, lasthost[MAXHOSTNAMELEN], buf[256];
>+ time_t last_login_time;
>+
>+ last_login_time = get_last_login_time(uid, user, lasthost,
>+ sizeof(lasthost));
>+
>+ if (last_login_time != 0) {
>+ time_string = ctime(&last_login_time);
>+ if (strchr(time_string, '\n'))
>+ *strchr(time_string, '\n') = 0;
>+ if (strcmp(lasthost, "") == 0)
>+ snprintf(buf, sizeof(buf),
>+ "Last login: %s\r\n",
>+ time_string);
>+ else
>+ snprintf(buf, sizeof(buf),
>+ "Last login: %s from %s\r\n",
>+ time_string, lasthost);
>+ buffer_append(&login_message, buf, strlen(buf));
>+ }
>+ }
>+#endif
>+}
>+
>+/*
>+ * Records that the user has logged in. I wish these parts of operating
>+ * systems were more standardized.
> */
> void
> record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
> const char *host, struct sockaddr * addr, socklen_t addrlen)
> {
>- struct logininfo *li;
>+ struct logininfo *li;
>
>- li = login_alloc_entry(pid, user, host, ttyname);
>- login_set_addr(li, addr, addrlen);
>- login_login(li);
>- login_free_entry(li);
>+ store_lastlog_message(user, uid); /* save previous before writing new */
>+ li = login_alloc_entry(pid, user, host, ttyname);
>+ login_set_addr(li, addr, addrlen);
>+ login_login(li);
>+ login_free_entry(li);
> }
>
> #ifdef LOGIN_NEEDS_UTMPX
>Index: sshlogin.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshlogin.h,v
>retrieving revision 1.9
>diff -u -r1.9 sshlogin.h
>--- sshlogin.h 1 Jan 2003 23:43:56 -0000 1.9
>+++ sshlogin.h 22 Feb 2003 03:04:42 -0000
>@@ -19,10 +19,15 @@
> const char *, struct sockaddr *, socklen_t);
> void record_logout(pid_t, const char *, const char *);
> u_long get_last_login_time(uid_t, const char *, char *, u_int);
>+char *get_login_message(void);
>
> #ifdef LOGIN_NEEDS_UTMPX
> void record_utmp_only(pid_t, const char *, const char *, const char *,
> struct sockaddr *, socklen_t);
>+#endif
>+
>+#ifdef WITH_AIXAUTHENTICATE
>+# include <login.h>
> #endif
>
> #endif
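Review bot: `get_login_message()` in the sshlogin.c hunk at @@ -60 modifies the buffer on every read: the terminator it appends becomes part of the content, so anything stored afterwards (a later `store_lastlog_message()`, or the AIX message in loginrec.c) lands behind it and is invisible to the `printf("%s", ...)` and `strlen()` consumers, and repeated calls grow the buffer. Consider appending the terminator only when the last byte is not already `'\0'`, or documenting that the getter may be called only after all messages are stored. In `store_lastlog_message()`, `ctime()` can return NULL and is passed straight to `strchr()`, and `buf[256]` can truncate away the trailing `\r\n` when `lasthost` is long (this depends on MAXHOSTNAMELEN); a `time_string != NULL` check and a buffer sized from `sizeof(lasthost)` would cover both. The function is also neither `static` nor declared in sshlogin.h.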
Attachments on
bug 463
:
235
|
287
|
288
|
676
|
677