View | Details | Raw Unified | Return to bug 1442
Collapse All | Expand All

(-)readconf.c (+9 lines)
Lines 112-117 Link Here
112
	oBadOption,
112
	oBadOption,
113
	oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
113
	oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
114
	oExitOnForwardFailure,
114
	oExitOnForwardFailure,
115
	oRequestTempHomedir,
115
	oPasswordAuthentication, oRSAAuthentication,
116
	oPasswordAuthentication, oRSAAuthentication,
116
	oChallengeResponseAuthentication, oXAuthLocation,
117
	oChallengeResponseAuthentication, oXAuthLocation,
117
	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
118
	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
Lines 143-148 Link Here
143
	{ "forwardx11", oForwardX11 },
144
	{ "forwardx11", oForwardX11 },
144
	{ "forwardx11trusted", oForwardX11Trusted },
145
	{ "forwardx11trusted", oForwardX11Trusted },
145
	{ "exitonforwardfailure", oExitOnForwardFailure },
146
	{ "exitonforwardfailure", oExitOnForwardFailure },
147
	{ "requesttemphomedir", oRequestTempHomedir },
146
	{ "xauthlocation", oXAuthLocation },
148
	{ "xauthlocation", oXAuthLocation },
147
	{ "gatewayports", oGatewayPorts },
149
	{ "gatewayports", oGatewayPorts },
148
	{ "useprivilegedport", oUsePrivilegedPort },
150
	{ "useprivilegedport", oUsePrivilegedPort },
Lines 402-407 Link Here
402
		intptr = &options->exit_on_forward_failure;
404
		intptr = &options->exit_on_forward_failure;
403
		goto parse_flag;
405
		goto parse_flag;
404
406
407
	case oRequestTempHomedir:
408
		intptr = &options->request_temp_homedir;
409
		goto parse_flag;
410
405
	case oUsePrivilegedPort:
411
	case oUsePrivilegedPort:
406
		intptr = &options->use_privileged_port;
412
		intptr = &options->use_privileged_port;
407
		goto parse_flag;
413
		goto parse_flag;
Lines 1003-1008 Link Here
1003
	options->forward_x11 = -1;
1009
	options->forward_x11 = -1;
1004
	options->forward_x11_trusted = -1;
1010
	options->forward_x11_trusted = -1;
1005
	options->exit_on_forward_failure = -1;
1011
	options->exit_on_forward_failure = -1;
1012
	options->request_temp_homedir = -1;
1006
	options->xauth_location = NULL;
1013
	options->xauth_location = NULL;
1007
	options->gateway_ports = -1;
1014
	options->gateway_ports = -1;
1008
	options->use_privileged_port = -1;
1015
	options->use_privileged_port = -1;
Lines 1085-1090 Link Here
1085
		options->forward_x11_trusted = 0;
1092
		options->forward_x11_trusted = 0;
1086
	if (options->exit_on_forward_failure == -1)
1093
	if (options->exit_on_forward_failure == -1)
1087
		options->exit_on_forward_failure = 0;
1094
		options->exit_on_forward_failure = 0;
1095
	if (options->request_temp_homedir == -1)
1096
		options->request_temp_homedir = 0;
1088
	if (options->xauth_location == NULL)
1097
	if (options->xauth_location == NULL)
1089
		options->xauth_location = _PATH_XAUTH;
1098
		options->xauth_location = _PATH_XAUTH;
1090
	if (options->gateway_ports == -1)
1099
	if (options->gateway_ports == -1)
(-)readconf.h (+1 lines)
Lines 33-38 Link Here
33
	int     forward_x11;	/* Forward X11 display. */
33
	int     forward_x11;	/* Forward X11 display. */
34
	int     forward_x11_trusted;	/* Trust Forward X11 display. */
34
	int     forward_x11_trusted;	/* Trust Forward X11 display. */
35
	int     exit_on_forward_failure;	/* Exit if bind(2) fails for -L/-R */
35
	int     exit_on_forward_failure;	/* Exit if bind(2) fails for -L/-R */
36
	int     request_temp_homedir;	/* Override homedir with a temporary one */
36
	char   *xauth_location;	/* Location for xauth program */
37
	char   *xauth_location;	/* Location for xauth program */
37
	int     gateway_ports;	/* Allow remote connects to forwarded ports. */
38
	int     gateway_ports;	/* Allow remote connects to forwarded ports. */
38
	int     use_privileged_port;	/* Don't use privileged port if false. */
39
	int     use_privileged_port;	/* Don't use privileged port if false. */
(-)servconf.c (-1 / +10 lines)
Lines 71-76 Link Here
71
	options->ignore_rhosts = -1;
71
	options->ignore_rhosts = -1;
72
	options->ignore_user_known_hosts = -1;
72
	options->ignore_user_known_hosts = -1;
73
	options->print_motd = -1;
73
	options->print_motd = -1;
74
	options->permit_temp_home = -1;
74
	options->print_lastlog = -1;
75
	options->print_lastlog = -1;
75
	options->x11_forwarding = -1;
76
	options->x11_forwarding = -1;
76
	options->x11_display_offset = -1;
77
	options->x11_display_offset = -1;
Lines 167-172 Link Here
167
		options->ignore_user_known_hosts = 0;
168
		options->ignore_user_known_hosts = 0;
168
	if (options->print_motd == -1)
169
	if (options->print_motd == -1)
169
		options->print_motd = 1;
170
		options->print_motd = 1;
171
	if (options->permit_temp_home == -1)
172
		options->permit_temp_home = 0;
170
	if (options->print_lastlog == -1)
173
	if (options->print_lastlog == -1)
171
		options->print_lastlog = 1;
174
		options->print_lastlog = 1;
172
	if (options->x11_forwarding == -1)
175
	if (options->x11_forwarding == -1)
Lines 280-286 Link Here
280
	sKerberosTgtPassing, sChallengeResponseAuthentication,
283
	sKerberosTgtPassing, sChallengeResponseAuthentication,
281
	sPasswordAuthentication, sKbdInteractiveAuthentication,
284
	sPasswordAuthentication, sKbdInteractiveAuthentication,
282
	sListenAddress, sAddressFamily,
285
	sListenAddress, sAddressFamily,
283
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
286
	sPrintMotd, sPermitTempHome, sPrintLastLog, sIgnoreRhosts,
284
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
287
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
285
	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
288
	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
286
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
289
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
Lines 364-369 Link Here
364
	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
367
	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
365
	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
368
	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
366
	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
369
	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
370
	{ "permittemphomedir", sPermitTempHome, SSHCFG_ALL },
367
	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
371
	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
368
	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
372
	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
369
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
373
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
Lines 895-900 Link Here
895
		intptr = &options->print_motd;
899
		intptr = &options->print_motd;
896
		goto parse_flag;
900
		goto parse_flag;
897
901
902
	case sPermitTempHome:
903
		intptr = &options->permit_temp_home;
904
		goto parse_flag;
905
898
	case sPrintLastLog:
906
	case sPrintLastLog:
899
		intptr = &options->print_lastlog;
907
		intptr = &options->print_lastlog;
900
		goto parse_flag;
908
		goto parse_flag;
Lines 1366-1371 Link Here
1366
	M_CP_INTOPT(hostbased_authentication);
1374
	M_CP_INTOPT(hostbased_authentication);
1367
	M_CP_INTOPT(kbd_interactive_authentication);
1375
	M_CP_INTOPT(kbd_interactive_authentication);
1368
	M_CP_INTOPT(permit_root_login);
1376
	M_CP_INTOPT(permit_root_login);
1377
	M_CP_INTOPT(permit_temp_home);
1369
1378
1370
	M_CP_INTOPT(allow_tcp_forwarding);
1379
	M_CP_INTOPT(allow_tcp_forwarding);
1371
	M_CP_INTOPT(gateway_ports);
1380
	M_CP_INTOPT(gateway_ports);
(-)servconf.h (+1 lines)
Lines 55-60 Link Here
55
	int     ignore_user_known_hosts;	/* Ignore ~/.ssh/known_hosts
55
	int     ignore_user_known_hosts;	/* Ignore ~/.ssh/known_hosts
56
						 * for RhostsRsaAuth */
56
						 * for RhostsRsaAuth */
57
	int     print_motd;	/* If true, print /etc/motd. */
57
	int     print_motd;	/* If true, print /etc/motd. */
58
	int			permit_temp_home; /* If true, allow client override HOME */
58
	int	print_lastlog;	/* If true, print lastlog */
59
	int	print_lastlog;	/* If true, print lastlog */
59
	int     x11_forwarding;	/* If true, permit inet (spoofing) X11 fwd. */
60
	int     x11_forwarding;	/* If true, permit inet (spoofing) X11 fwd. */
60
	int     x11_display_offset;	/* What DISPLAY number to start
61
	int     x11_display_offset;	/* What DISPLAY number to start
(-)serverloop.c (+5 lines)
Lines 1136-1141 Link Here
1136
		success = channel_cancel_rport_listener(cancel_address,
1136
		success = channel_cancel_rport_listener(cancel_address,
1137
		    cancel_port);
1137
		    cancel_port);
1138
		xfree(cancel_address);
1138
		xfree(cancel_address);
1139
	} else if ((strcmp(rtype, "ssh-tmphomedir@openssh.com")) == 0) {
1140
		if (options.permit_temp_home)
1141
			success = tmp_homedir_req(the_authctxt->pw);
1142
		else
1143
			packet_send_debug("Server has disabled temp homedirs.");
1139
	}
1144
	}
1140
	if (want_reply) {
1145
	if (want_reply) {
1141
		packet_start(success ?
1146
		packet_start(success ?
(-)session.c (-1 / +53 lines)
Lines 147-152 Link Here
147
147
148
static int is_child = 0;
148
static int is_child = 0;
149
149
150
/* tmp homedir handler */
151
static char *tmp_home_dir = NULL;
152
153
int
154
tmp_homedir_req(struct passwd *pw)
155
{
156
	temporarily_use_uid(pw);
157
	tmp_home_dir = xmalloc(MAXPATHLEN);
158
	strlcpy(tmp_home_dir, "/tmp/ssh-tmphome-XXXXXXXXXX", MAXPATHLEN);
159
160
	if (mkdtemp(tmp_home_dir) == NULL) {
161
		packet_send_debug("Temp homedir request failed: "
162
				"mkdtemp() failed: %.100s", strerror(errno));
163
		restore_uid();
164
		xfree(tmp_home_dir);
165
		tmp_home_dir = NULL;
166
		return 0;
167
	} else {
168
		if (chmod(tmp_home_dir, (mode_t) 0500) < 0 )
169
			packet_send_debug("chmod %.100s 0500 failed: %.100s",
170
					tmp_home_dir, strerror(errno));
171
		pw->pw_dir = tmp_home_dir;
172
		restore_uid();
173
		return 1;
174
	}
175
}
176
177
static void
178
tmp_homedir_cleanup(struct passwd *pw)
179
{
180
	if (tmp_home_dir != NULL) {
181
		temporarily_use_uid(pw);
182
		if (rmdir(tmp_home_dir) != 0)
183
			debug("Cleanup of tmp homedir: %.100s failed: "
184
					"rmdir() failed: %.100s", tmp_home_dir, strerror(errno));
185
		xfree(tmp_home_dir);
186
		tmp_home_dir = NULL;
187
		restore_uid();
188
	}
189
}
190
150
/* Name and directory of socket for authentication agent forwarding. */
191
/* Name and directory of socket for authentication agent forwarding. */
151
static char *auth_sock_name = NULL;
192
static char *auth_sock_name = NULL;
152
static char *auth_sock_dir = NULL;
193
static char *auth_sock_dir = NULL;
Lines 311-316 Link Here
311
			success = session_pty_req(s);
352
			success = session_pty_req(s);
312
			break;
353
			break;
313
354
355
		case SSH_CMSG_TMPHOMEDIR:
356
			success = tmp_homedir_req(s->pw);
357
			break;
358
314
		case SSH_CMSG_X11_REQUEST_FORWARDING:
359
		case SSH_CMSG_X11_REQUEST_FORWARDING:
315
			s->auth_proto = packet_get_string(&proto_len);
360
			s->auth_proto = packet_get_string(&proto_len);
316
			s->auth_data = packet_get_string(&data_len);
361
			s->auth_data = packet_get_string(&data_len);
Lines 1049-1054 Link Here
1049
	ssh_gssapi_do_child(&env, &envsize);
1094
	ssh_gssapi_do_child(&env, &envsize);
1050
#endif
1095
#endif
1051
1096
1097
	if (tmp_home_dir) {
1098
		pw->pw_dir = tmp_home_dir;
1099
		debug("homedir: %s", pw->pw_dir);
1100
	}
1101
1052
	if (!options.use_login) {
1102
	if (!options.use_login) {
1053
		/* Set basic environment. */
1103
		/* Set basic environment. */
1054
		for (i = 0; i < s->num_env; i++)
1104
		for (i = 0; i < s->num_env; i++)
Lines 1690-1696 Link Here
1690
	}
1740
	}
1691
1741
1692
	if (!options.use_login)
1742
	if (!options.use_login)
1693
		do_rc_files(s, shell);
1743
		if (!tmp_home_dir)
1744
			do_rc_files(s, shell);
1694
1745
1695
	/* restore SIGPIPE for child */
1746
	/* restore SIGPIPE for child */
1696
	signal(SIGPIPE, SIG_DFL);
1747
	signal(SIGPIPE, SIG_DFL);
Lines 2617-2622 Link Here
2617
2668
2618
	/* remove agent socket */
2669
	/* remove agent socket */
2619
	auth_sock_cleanup_proc(authctxt->pw);
2670
	auth_sock_cleanup_proc(authctxt->pw);
2671
	tmp_homedir_cleanup(authctxt->pw);
2620
2672
2621
	/*
2673
	/*
2622
	 * Cleanup ptys/utmp only if privsep is disabled,
2674
	 * Cleanup ptys/utmp only if privsep is disabled,
(-)session.h (+1 lines)
Lines 78-81 Link Here
78
void	 child_set_env(char ***envp, u_int *envsizep, const char *name,
78
void	 child_set_env(char ***envp, u_int *envsizep, const char *name,
79
		       const char *value);
79
		       const char *value);
80
80
81
int		tmp_homedir_req(struct passwd *);
81
#endif
82
#endif
(-)ssh.c (+20 lines)
Lines 902-907 Link Here
902
	char *cp;
902
	char *cp;
903
	const char *display;
903
	const char *display;
904
904
905
  /* Protocol 1 homedir override */
906
	if (options.request_temp_homedir) {
907
		packet_start(SSH_CMSG_TMPHOMEDIR);
908
		packet_send();
909
		packet_write_wait();
910
		type = packet_read();
911
		if (type == SSH_SMSG_FAILURE)
912
			logit("Warning: Remote host refused tmphomedir.");
913
		else if (type != SSH_SMSG_SUCCESS)
914
			packet_disconnect("Protocol error waiting for tmphomedir response.");
915
	}
916
905
	/* Enable compression if requested. */
917
	/* Enable compression if requested. */
906
	if (options.compression) {
918
	if (options.compression) {
907
		debug("Requesting compression at level %d.", options.compression_level);
919
		debug("Requesting compression at level %d.", options.compression_level);
Lines 1144-1149 Link Here
1144
	if (options.forward_agent) {
1156
	if (options.forward_agent) {
1145
		debug("Requesting authentication agent forwarding.");
1157
		debug("Requesting authentication agent forwarding.");
1146
		channel_request_start(id, "auth-agent-req@openssh.com", 0);
1158
		channel_request_start(id, "auth-agent-req@openssh.com", 0);
1159
		packet_send();
1160
	}
1161
1162
	if (options.request_temp_homedir) {
1163
		debug("Requesting temp homedir.");
1164
		packet_start(SSH2_MSG_GLOBAL_REQUEST);
1165
		packet_put_cstring("ssh-tmphomedir@openssh.com");
1166
		packet_put_char(0);
1147
		packet_send();
1167
		packet_send();
1148
	}
1168
	}
1149
1169
(-)ssh1.h (+1 lines)
Lines 68-73 Link Here
68
#define SSH_SMSG_AUTH_KERBEROS_RESPONSE		43	/* (KTEXT) */
68
#define SSH_SMSG_AUTH_KERBEROS_RESPONSE		43	/* (KTEXT) */
69
#define SSH_CMSG_HAVE_KERBEROS_TGT		44	/* credentials (s) */
69
#define SSH_CMSG_HAVE_KERBEROS_TGT		44	/* credentials (s) */
70
#define SSH_CMSG_HAVE_AFS_TOKEN			65	/* token (s) */
70
#define SSH_CMSG_HAVE_AFS_TOKEN			65	/* token (s) */
71
#define SSH_CMSG_TMPHOMEDIR			 68  /* tmphomedir flag */
71
72
72
/* protocol version 1.5 overloads some version 1.3 message types */
73
/* protocol version 1.5 overloads some version 1.3 message types */
73
#define SSH_MSG_CHANNEL_INPUT_EOF	SSH_MSG_CHANNEL_CLOSE
74
#define SSH_MSG_CHANNEL_INPUT_EOF	SSH_MSG_CHANNEL_CLOSE
(-)ssh_config.5 (+4 lines)
Lines 812-817 Link Here
812
.Cm GatewayPorts
812
.Cm GatewayPorts
813
option is enabled (see
813
option is enabled (see
814
.Xr sshd_config 5 ) .
814
.Xr sshd_config 5 ) .
815
.It Cm RequestTempHomedir
816
Specifies whether the server should override the user home directory with a temporary one. The server must support this option.
817
The default is
818
.Dq no .
815
.It Cm RhostsRSAAuthentication
819
.It Cm RhostsRSAAuthentication
816
Specifies whether to try rhosts based authentication with RSA host
820
Specifies whether to try rhosts based authentication with RSA host
817
authentication.
821
authentication.
(-)sshd_config (+1 lines)
Lines 102-107 Link Here
102
#PidFile /var/run/sshd.pid
102
#PidFile /var/run/sshd.pid
103
#MaxStartups 10
103
#MaxStartups 10
104
#PermitTunnel no
104
#PermitTunnel no
105
#PermitTempHome no
105
#ChrootDirectory none
106
#ChrootDirectory none
106
107
107
# no default banner path
108
# no default banner path
(-)sshd_config.5 (+5 lines)
Lines 569-574 Link Here
569
.Cm PasswordAuthentication ,
569
.Cm PasswordAuthentication ,
570
.Cm PermitOpen ,
570
.Cm PermitOpen ,
571
.Cm PermitRootLogin ,
571
.Cm PermitRootLogin ,
572
.Cm PermitTempHomedir ,
572
.Cm RhostsRSAAuthentication ,
573
.Cm RhostsRSAAuthentication ,
573
.Cm RSAAuthentication ,
574
.Cm RSAAuthentication ,
574
.Cm X11DisplayOffset ,
575
.Cm X11DisplayOffset ,
Lines 670-675 Link Here
670
If this option is set to
671
If this option is set to
671
.Dq no ,
672
.Dq no ,
672
root is not allowed to log in.
673
root is not allowed to log in.
674
.It Cm PermitTempHomedir
675
Specifies whether clients can request a temp homedir on the server.
676
The default is
677
.Dq no
673
.It Cm PermitTunnel
678
.It Cm PermitTunnel
674
Specifies whether
679
Specifies whether
675
.Xr tun 4
680
.Xr tun 4

Return to bug 1442