From 42f71286cde4107ce6327244cc3c6442c5dc66a6 Mon Sep 17 00:00:00 2001 From: Mark Murray Date: Thu, 24 Feb 2000 15:29:42 +0000 Subject: [PATCH] Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) --- crypto/openssh/includes.h | 29 +++++- crypto/openssh/login.c | 5 + crypto/openssh/pty.c | 5 + crypto/openssh/servconf.c | 76 ++++++++------ crypto/openssh/servconf.h | 7 ++ crypto/openssh/ssh.c | 5 + crypto/openssh/ssh.h | 5 +- crypto/openssh/ssh_config | 2 + crypto/openssh/sshconnect.c | 4 + crypto/openssh/sshd.8 | 31 +++++- crypto/openssh/sshd.c | 201 ++++++++++++++++++++++++++++++++++-- crypto/openssh/sshd_config | 11 +- 12 files changed, 328 insertions(+), 53 deletions(-) diff --git a/crypto/openssh/includes.h b/crypto/openssh/includes.h index 68690e3a53f8..a20318c4976e 100644 --- a/crypto/openssh/includes.h +++ b/crypto/openssh/includes.h @@ -11,6 +11,7 @@ * * This file includes most of the needed system headers. * + * $FreeBSD$ */ #ifndef INCLUDES_H @@ -24,12 +25,12 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg } #include #include #include -#include #include #include #include #include #include +#include #include #include @@ -38,7 +39,6 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg } #include #include -#include #include #include #include @@ -66,4 +66,29 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg } */ #define USE_PIPES 1 +#if defined(__FreeBSD__) && __FreeBSD__ <= 3 +/* + * Data types. + */ +typedef u_char sa_family_t; +typedef u_int32_t socklen_t; + +/* + * bsd-api-new-02a: protocol-independent placeholder for socket addresses + */ +#define _SS_MAXSIZE 128 +#define _SS_ALIGNSIZE (sizeof(int64_t)) +#define _SS_PAD1SIZE (_SS_ALIGNSIZE - sizeof(u_char) * 2) +#define _SS_PAD2SIZE (_SS_MAXSIZE - sizeof(u_char) * 2 - \ + _SS_PAD1SIZE - _SS_ALIGNSIZE) + +struct sockaddr_storage { + u_char ss_len; /* address length */ + sa_family_t ss_family; /* address family */ + char __ss_pad1[_SS_PAD1SIZE]; + int64_t __ss_align; /* force desired structure storage alignment */ + char __ss_pad2[_SS_PAD2SIZE]; +}; +#endif + #endif /* INCLUDES_H */ diff --git a/crypto/openssh/login.c b/crypto/openssh/login.c index 574a9cc88c6d..55480de881d3 100644 --- a/crypto/openssh/login.c +++ b/crypto/openssh/login.c @@ -15,12 +15,17 @@ * login the current system has. Also, we want to be able to execute commands * on a tty. * + * $FreeBSD$ */ #include "includes.h" RCSID("$Id: login.c,v 1.11 2000/01/04 00:07:59 markus Exp $"); +#ifdef __FreeBSD__ +#include +#else #include +#endif /* __FreeBSD__ */ #include #include "ssh.h" diff --git a/crypto/openssh/pty.c b/crypto/openssh/pty.c index 86da668286b2..c3545291f147 100644 --- a/crypto/openssh/pty.c +++ b/crypto/openssh/pty.c @@ -11,12 +11,17 @@ * * Allocating a pseudo-terminal, and making it the controlling tty. * + * $FreeBSD$ */ #include "includes.h" RCSID("$Id: pty.c,v 1.12 2000/02/15 16:52:58 markus Exp $"); +#ifdef __FreeBSD__ +#include +#else #include +#endif #include "pty.h" #include "ssh.h" diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c index eb1b20e72d81..6ae36e639be7 100644 --- a/crypto/openssh/servconf.c +++ b/crypto/openssh/servconf.c @@ -9,6 +9,7 @@ * * Created: Mon Aug 21 15:48:58 1995 ylo * + * $FreeBSD$ */ #include "includes.h" @@ -67,6 +68,8 @@ initialize_server_options(ServerOptions *options) options->num_deny_users = 0; options->num_allow_groups = 0; options->num_deny_groups = 0; + options->connections_per_period = 0; + options->connections_period = 0; } void @@ -159,7 +162,7 @@ typedef enum { sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, - sIgnoreUserKnownHosts + sIgnoreUserKnownHosts, sConnectionsPerPeriod } ServerOpCodes; /* Textual representation of the tokens. */ @@ -207,6 +210,7 @@ static struct { { "denyusers", sDenyUsers }, { "allowgroups", sAllowGroups }, { "denygroups", sDenyGroups }, + { "connectionsperperiod", sConnectionsPerPeriod }, { NULL, 0 } }; @@ -316,7 +320,11 @@ read_server_config(ServerOptions *options, const char *filename) filename, linenum); exit(1); } - value = atoi(cp); + if (sscanf(cp, " %d ", &value) != 1) { + fprintf(stderr, "%s line %d: invalid integer value.\n", + filename, linenum); + exit(1); + } if (*intptr == -1) *intptr = value; break; @@ -506,63 +514,65 @@ read_server_config(ServerOptions *options, const char *filename) case sAllowUsers: while ((cp = strtok(NULL, WHITESPACE))) { - if (options->num_allow_users >= MAX_ALLOW_USERS) { - fprintf(stderr, "%s line %d: too many allow users.\n", - filename, linenum); - exit(1); - } + if (options->num_allow_users >= MAX_ALLOW_USERS) + fatal("%.200s line %d: too many allow users.\n", filename, + linenum); options->allow_users[options->num_allow_users++] = xstrdup(cp); } break; case sDenyUsers: while ((cp = strtok(NULL, WHITESPACE))) { - if (options->num_deny_users >= MAX_DENY_USERS) { - fprintf(stderr, "%s line %d: too many deny users.\n", - filename, linenum); - exit(1); - } + if (options->num_deny_users >= MAX_DENY_USERS) + fatal("%.200s line %d: too many deny users.\n", filename, + linenum); options->deny_users[options->num_deny_users++] = xstrdup(cp); } break; case sAllowGroups: while ((cp = strtok(NULL, WHITESPACE))) { - if (options->num_allow_groups >= MAX_ALLOW_GROUPS) { - fprintf(stderr, "%s line %d: too many allow groups.\n", - filename, linenum); - exit(1); - } + if (options->num_allow_groups >= MAX_ALLOW_GROUPS) + fatal("%.200s line %d: too many allow groups.\n", filename, + linenum); options->allow_groups[options->num_allow_groups++] = xstrdup(cp); } break; case sDenyGroups: while ((cp = strtok(NULL, WHITESPACE))) { - if (options->num_deny_groups >= MAX_DENY_GROUPS) { - fprintf(stderr, "%s line %d: too many deny groups.\n", - filename, linenum); - exit(1); - } + if (options->num_deny_groups >= MAX_DENY_GROUPS) + fatal("%.200s line %d: too many deny groups.\n", filename, + linenum); options->deny_groups[options->num_deny_groups++] = xstrdup(cp); } break; + case sConnectionsPerPeriod: + cp = strtok(NULL, WHITESPACE); + if (cp == NULL) + fatal("%.200s line %d: missing (>= 0) number argument.\n", + filename, linenum); + if (sscanf(cp, " %u/%u ", &options->connections_per_period, + &options->connections_period) != 2) + fatal("%.200s line %d: invalid numerical argument(s).\n", + filename, linenum); + if (options->connections_per_period != 0 && + options->connections_period == 0) + fatal("%.200s line %d: invalid connections period.\n", + filename, linenum); + break; + default: - fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n", + fatal("%.200s line %d: Missing handler for opcode %s (%d)\n", filename, linenum, cp, opcode); - exit(1); - } - if (strtok(NULL, WHITESPACE) != NULL) { - fprintf(stderr, "%s line %d: garbage at end of line.\n", - filename, linenum); - exit(1); } + if (strtok(NULL, WHITESPACE) != NULL) + fatal("%.200s line %d: garbage at end of line.\n", filename, + linenum); } fclose(f); - if (bad_options > 0) { - fprintf(stderr, "%s: terminating, %d bad configuration options\n", + if (bad_options > 0) + fatal("%.200s: terminating, %d bad configuration options\n", filename, bad_options); - exit(1); - } } diff --git a/crypto/openssh/servconf.h b/crypto/openssh/servconf.h index dd4caf741bb9..e21e7ab1e780 100644 --- a/crypto/openssh/servconf.h +++ b/crypto/openssh/servconf.h @@ -11,6 +11,7 @@ * * Definitions for server configuration data and for the functions reading it. * + * $FreeBSD$ */ /* RCSID("$Id: servconf.h,v 1.15 2000/01/04 00:08:00 markus Exp $"); */ @@ -87,6 +88,12 @@ typedef struct { char *allow_groups[MAX_ALLOW_GROUPS]; unsigned int num_deny_groups; char *deny_groups[MAX_DENY_GROUPS]; + unsigned int connections_per_period; /* + * If not 0, number of sshd + * connections accepted per + * connections_period. + */ + unsigned int connections_period; } ServerOptions; /* * Initializes the server options to special values that indicate that they diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c index f42fcb6a384a..81ce2ecb1545 100644 --- a/crypto/openssh/ssh.c +++ b/crypto/openssh/ssh.c @@ -8,6 +8,8 @@ * of X11, TCP/IP, and authentication connections. * * Modified to work with SSL by Niels Provos in Canada. + * + * $FreeBSD$ */ #include "includes.h" @@ -131,6 +133,9 @@ rsh_connect(char *host, char *user, Buffer * command) log("Using rsh. WARNING: Connection will not be encrypted."); /* Build argument list for rsh. */ i = 0; +#ifndef _PATH_RSH +#define _PATH_RSH "/usr/bin/rsh" +#endif args[i++] = _PATH_RSH; /* host may have to come after user on some systems */ args[i++] = host; diff --git a/crypto/openssh/ssh.h b/crypto/openssh/ssh.h index 47872ce8986d..b7ae4fe1836c 100644 --- a/crypto/openssh/ssh.h +++ b/crypto/openssh/ssh.h @@ -11,6 +11,7 @@ * * Generic header file for ssh. * + * $FreeBSD$ */ /* RCSID("$Id: ssh.h,v 1.33 2000/02/01 22:32:53 d Exp $"); */ @@ -61,7 +62,7 @@ */ #define SSH_SERVICE_NAME "ssh" -#define ETCDIR "/etc" +#define ETCDIR "__PREFIX__/etc" #define PIDDIR "/var/run" /* @@ -78,7 +79,7 @@ #define SERVER_CONFIG_FILE ETCDIR "/sshd_config" #define HOST_CONFIG_FILE ETCDIR "/ssh_config" -#define SSH_PROGRAM "/usr/bin/ssh" +#define SSH_PROGRAM "__PREFIX__/bin/ssh" /* * The process id of the daemon listening for connections is saved here to diff --git a/crypto/openssh/ssh_config b/crypto/openssh/ssh_config index 9fb064deb964..6d823f5ced36 100644 --- a/crypto/openssh/ssh_config +++ b/crypto/openssh/ssh_config @@ -1,6 +1,8 @@ # This is ssh client systemwide configuration file. This file provides # defaults for users, and the values can be changed in per-user configuration # files or on the command line. +# +# $FreeBSD$ # Configuration data is parsed as follows: # 1. command line options diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c index 62a842fc1401..98308dcd8d33 100644 --- a/crypto/openssh/sshconnect.c +++ b/crypto/openssh/sshconnect.c @@ -5,6 +5,8 @@ * Created: Sat Mar 18 22:15:47 1995 ylo * Code to connect to a remote host, and to perform the client side of the * login (authentication) dialog. + * + * $FreeBSD$ */ #include "includes.h" @@ -1085,9 +1087,11 @@ check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key) case AF_INET: local = (ntohl(((struct sockaddr_in *)hostaddr)->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET; break; +#ifdef INET6 case AF_INET6: local = IN6_IS_ADDR_LOOPBACK(&(((struct sockaddr_in6 *)hostaddr)->sin6_addr)); break; +#endif default: local = 0; break; diff --git a/crypto/openssh/sshd.8 b/crypto/openssh/sshd.8 index 7aa9cf4b0cee..93ee16b8cd0f 100644 --- a/crypto/openssh/sshd.8 +++ b/crypto/openssh/sshd.8 @@ -10,6 +10,7 @@ .\" Created: Sat Apr 22 21:55:14 1995 ylo .\" .\" $Id: sshd.8,v 1.33 2000/02/21 14:19:09 deraadt Exp $ +.\" $FreeBSD$ .\" .Dd September 25, 1999 .Dt SSHD 8 @@ -228,6 +229,31 @@ Specifies whether should check for new mail for interactive logins. The default is .Dq no . +.It Cm ConnectionsPerPeriod +This keyword allows for rate-limiting of connections, and +is followed by two numbers in the format +.Dq n/s , +where +.Ar n +is the number of connections from a certain address group +accepted per period of +.Ar s +seconds. Any connection after the number +.Ar n +connection in the period of +.Ar s +seconds will be dropped, and an informational message will be logged. +A connection will belong to a certain group, of which there are 13 +by default, according to its IP address. +The default for this keyword is +.Dq 0/0 , +and rate-limiting can be explicitly turned off by using an +.Ar n +parameter of +.Ql 0 +and any +.Ar s +parameter. .It Cm DenyGroups This keyword can be followed by a number of group names, separated by spaces. Users whose primary group matches one of the patterns @@ -466,8 +492,9 @@ section). If the login is on a tty, records login time. .It Checks -.Pa /etc/nologin ; -if it exists, prints contents and quits +.Pa /etc/nologin and +.Pa /var/run/nologin ; +if one exists, it prints the contents and quits (unless root). .It Changes to run with normal user privileges. diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c index 6cea307ebbd3..03ccbf74681b 100644 --- a/crypto/openssh/sshd.c +++ b/crypto/openssh/sshd.c @@ -8,6 +8,8 @@ * information to/from the application to the user client over an encrypted * connection. This can also handle forwarding of X11, TCP/IP, and authentication * agent connections. + * + * $FreeBSD$ */ #include "includes.h" @@ -24,6 +26,8 @@ RCSID("$OpenBSD: sshd.c,v 1.88 2000/02/15 16:52:57 markus Exp $"); #include "servconf.h" #include "uidswap.h" #include "compat.h" +#include +#include #ifdef LIBWRAP #include @@ -32,6 +36,16 @@ int allow_severity = LOG_INFO; int deny_severity = LOG_WARNING; #endif /* LIBWRAP */ +#ifdef __FreeBSD__ +#include +#include +#define LOGIN_CAP +#endif /* __FreeBSD__ */ + +#ifdef LOGIN_CAP +#include +#endif /* LOGIN_CAP */ + #ifndef O_NOCTTY #define O_NOCTTY 0 #endif @@ -126,6 +140,32 @@ int received_sighup = 0; the private key. */ RSA *public_key; +/* These are used to implement connections_per_period. */ +struct magic_connection { + struct timeval connections_begin; + unsigned int connections_this_period; +} *magic_connections; +/* Magic number, too! TODO: this doesn't have to be static. */ +const size_t MAGIC_CONNECTIONS_SIZE = 1; + +static __inline int +magic_hash(struct sockaddr *sa) { + + return 0; +} + +static __inline struct timeval +timevaldiff(struct timeval *tv1, struct timeval *tv2) { + struct timeval diff; + int carry; + + carry = tv1->tv_usec > tv2->tv_usec; + diff.tv_sec = tv2->tv_sec - tv1->tv_sec - (carry ? 0 : 1); + diff.tv_usec = tv2->tv_usec - tv1->tv_usec + (carry ? 1000000 : 0); + + return diff; +} + /* Prototypes for various functions defined later in this file. */ void do_ssh_kex(); void do_authentication(); @@ -321,6 +361,7 @@ main(int ac, char **av) extern int optind; int opt, sock_in = 0, sock_out = 0, newsock, i, fdsetsz, pid, on = 1; socklen_t fromlen; + int connections_per_period_exceeded = 0; int remote_major, remote_minor; int silentrsa = 0; fd_set *fdset; @@ -640,6 +681,12 @@ main(int ac, char **av) fdsetsz = howmany(maxfd, NFDBITS) * sizeof(fd_mask); fdset = (fd_set *)xmalloc(fdsetsz); + /* Initialize the magic_connections table. It's magical! */ + magic_connections = calloc(MAGIC_CONNECTIONS_SIZE, + sizeof(struct magic_connection)); + if (magic_connections == NULL) + fatal("calloc: %s", strerror(errno)); + /* * Stay listening for connections until the system crashes or * the daemon is killed with a signal. @@ -671,9 +718,31 @@ main(int ac, char **av) error("newsock del O_NONBLOCK: %s", strerror(errno)); continue; } + if (options.connections_per_period != 0) { + struct timeval diff, connections_end; + struct magic_connection *mc; + + (void)gettimeofday(&connections_end, NULL); + mc = &magic_connections[magic_hash(ai->ai_addr)]; + diff = timevaldiff(&mc->connections_begin, &connections_end); + if (diff.tv_sec >= options.connections_period) { + /* + * Slide the window forward only after completely + * leaving it. + */ + mc->connections_begin = connections_end; + mc->connections_this_period = 1; + } else { + if (++mc->connections_this_period > + options.connections_per_period) + connections_per_period_exceeded = 1; + } + } + /* - * Got connection. Fork a child to handle it, unless - * we are in debugging mode. + * Got connection. Fork a child to handle it unless + * we are in debugging mode or the maximum number of + * connections per period has been exceeded. */ if (debug_flag) { /* @@ -687,6 +756,12 @@ main(int ac, char **av) sock_out = newsock; pid = getpid(); break; + } else if (connections_per_period_exceeded) { + log("Connection rate limit of %u/%us has been exceeded; " + "dropping connection from %s.", + options.connections_per_period, options.connections_period, + ntop); + connections_per_period_exceeded = 0; } else { /* * Normal production daemon. Fork, and have @@ -1171,6 +1246,14 @@ allowed_user(struct passwd * pw) return 0; } } + /* Fail if the account's expiration time has passed. */ + if (pw->pw_expire != 0) { + struct timeval tv; + + (void)gettimeofday(&tv, NULL); + if (tv.tv_sec >= pw->pw_expire) + return 0; + } /* We found no reason not to let this user try to log on... */ return 1; } @@ -1217,6 +1300,9 @@ do_authentication() pwcopy.pw_gid = pw->pw_gid; pwcopy.pw_dir = xstrdup(pw->pw_dir); pwcopy.pw_shell = xstrdup(pw->pw_shell); + pwcopy.pw_class = xstrdup(pw->pw_class); + pwcopy.pw_expire = pw->pw_expire; + pwcopy.pw_change = pw->pw_change; pw = &pwcopy; /* @@ -1996,6 +2082,10 @@ do_exec_pty(const char *command, int ptyfd, int ttyfd, struct sockaddr_storage from; socklen_t fromlen; struct pty_cleanup_context cleanup_context; +#ifdef LOGIN_CAP + login_cap_t *lc; + char *fname; +#endif /* LOGIN_CAP */ /* Get remote host name. */ hostname = get_canonical_hostname(); @@ -2060,6 +2150,12 @@ do_exec_pty(const char *command, int ptyfd, int ttyfd, /* Check if .hushlogin exists. */ snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir); quiet_login = stat(line, &st) >= 0; +#ifdef LOGIN_CAP + lc = login_getpwclass(pw); + if (lc == NULL) + lc = login_getclassbyname(NULL, pw); + quiet_login = login_getcapbool(lc, "hushlogin", quiet_login); +#endif /* LOGIN_CAP */ /* * If the user has logged in before, display the time of last @@ -2083,6 +2179,20 @@ do_exec_pty(const char *command, int ptyfd, int ttyfd, else printf("Last login: %s from %s\r\n", time_string, buf); } +#ifdef LOGIN_CAP + if (command == NULL && !quiet_login && !options.use_login) { + fname = login_getcapstr(lc, "copyright", NULL, NULL); + if (fname != NULL && (f = fopen(fname, "r")) != NULL) { + while (fgets(line, sizeof(line), f) != NULL) + fputs(line, stdout); + fclose(f); + } else + (void)printf("%s\n\t%s %s\n", + "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994", + "The Regents of the University of California. ", + "All rights reserved."); + } +#endif /* LOGIN_CAP */ /* * Print /etc/motd unless a command was specified or printing * it was disabled in server options or login(1) will be @@ -2091,14 +2201,22 @@ do_exec_pty(const char *command, int ptyfd, int ttyfd, */ if (command == NULL && options.print_motd && !quiet_login && !options.use_login) { - /* Print /etc/motd if it exists. */ +#ifdef LOGIN_CAP + fname = login_getcapstr(lc, "welcome", NULL, NULL); + login_close(lc); + if (fname == NULL || (f = fopen(fname, "r")) == NULL) + f = fopen("/etc/motd", "r"); +#else /* LOGIN_CAP */ f = fopen("/etc/motd", "r"); +#endif /* LOGIN_CAP */ + /* Print /etc/motd if it exists. */ if (f) { while (fgets(line, sizeof(line), f)) fputs(line, stdout); fclose(f); } } + /* Do common processing for the child, such as execing the command. */ do_child(command, pw, term, display, auth_proto, auth_data, ttyname); /* NOTREACHED */ @@ -2240,7 +2358,8 @@ do_child(const char *command, struct passwd * pw, const char *term, const char *display, const char *auth_proto, const char *auth_data, const char *ttyname) { - const char *shell, *cp = NULL; + char *shell; + const char *cp = NULL; char buf[256]; FILE *f; unsigned int envsize, i; @@ -2248,15 +2367,34 @@ do_child(const char *command, struct passwd * pw, const char *term, extern char **environ; struct stat st; char *argv[10]; +#ifdef LOGIN_CAP + login_cap_t *lc; + + lc = login_getpwclass(pw); + if (lc == NULL) + lc = login_getclassbyname(NULL, pw); +#endif /* LOGIN_CAP */ f = fopen("/etc/nologin", "r"); +#ifdef __FreeBSD__ + if (f == NULL) + f = fopen("/var/run/nologin", "r"); +#endif /* __FreeBSD__ */ if (f) { /* /etc/nologin exists. Print its contents and exit. */ - while (fgets(buf, sizeof(buf), f)) - fputs(buf, stderr); - fclose(f); - if (pw->pw_uid != 0) - exit(254); +#ifdef LOGIN_CAP + /* On FreeBSD, etc., allow overriding nologin via login.conf. */ + if (!login_getcapbool(lc, "ignorenologin", 0)) { +#else /* LOGIN_CAP */ + if (1) { +#endif /* LOGIN_CAP */ + while (fgets(buf, sizeof(buf), f)) + fputs(buf, stderr); + fclose(f); + if (pw->pw_uid != 0) + exit(254); + } + } /* Set login name in the kernel. */ if (setlogin(pw->pw_name) < 0) @@ -2266,6 +2404,13 @@ do_child(const char *command, struct passwd * pw, const char *term, /* Login(1) does this as well, and it needs uid 0 for the "-h" switch, so we let login(1) to this for us. */ if (!options.use_login) { +#ifdef LOGIN_CAP + if (setclasscontext(pw->pw_class, LOGIN_SETPRIORITY | + LOGIN_SETRESOURCES | LOGIN_SETUMASK) == -1) { + perror("setclasscontext"); + exit(1); + } +#endif /* LOGIN_CAP */ if (getuid() == 0 || geteuid() == 0) { if (setgid(pw->pw_gid) < 0) { perror("setgid"); @@ -2288,7 +2433,14 @@ do_child(const char *command, struct passwd * pw, const char *term, * Get the shell from the password data. An empty shell field is * legal, and means /bin/sh. */ +#ifdef LOGIN_CAP + shell = pw->pw_shell; + shell = login_getcapstr(lc, "shell", shell, shell); + if (shell[0] == '\0') + shell = _PATH_BSHELL; +#else /* LOGIN_CAP */ shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; +#endif /* LOGIN_CAP */ #ifdef AFS /* Try to get AFS tokens for the local cell. */ @@ -2312,7 +2464,12 @@ do_child(const char *command, struct passwd * pw, const char *term, child_set_env(&env, &envsize, "USER", pw->pw_name); child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); child_set_env(&env, &envsize, "HOME", pw->pw_dir); +#ifdef LOGIN_CAP + child_set_env(&env, &envsize, "PATH", + login_getpath(lc, "path", _PATH_STDPATH)); +#else /* LOGIN_CAP */ child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); +#endif /* LOGIN_CAP */ snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); @@ -2402,13 +2559,17 @@ do_child(const char *command, struct passwd * pw, const char *term, */ endpwent(); +#ifdef LOGIN_CAP + login_close(lc); +#endif /* LOGIN_CAP */ + /* * Close any extra open file descriptors so that we don\'t have them * hanging around in clients. Note that we want to do this after * initgroups, because at least on Solaris 2.3 it leaves file * descriptors open. */ - for (i = 3; i < 64; i++) + for (i = 3; i < getdtablesize(); i++) close(i); /* Change current directory to the user\'s home directory. */ @@ -2427,6 +2588,26 @@ do_child(const char *command, struct passwd * pw, const char *term, * in this order). */ if (!options.use_login) { +#ifdef __FreeBSD__ + /* + * If the password change time is set and has passed, give the + * user a password expiry notice and chance to change it. + */ + if (pw->pw_change != 0) { + struct timeval tv; + + (void)gettimeofday(&tv, NULL); + if (tv.tv_sec >= pw->pw_change) { + (void)printf( + "Sorry -- your password has expired.\n"); + syslog(LOG_INFO, + "%s Password expired - forcing change", + pw->pw_name); + if (system("/usr/bin/passwd") != 0) + perror("/usr/bin/passwd"); + } + } +#endif /* __FreeBSD__ */ if (stat(SSH_USER_RC, &st) >= 0) { if (debug_flag) fprintf(stderr, "Running /bin/sh %s\n", SSH_USER_RC); diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config index 0d4038420774..74652fdeb429 100644 --- a/crypto/openssh/sshd_config +++ b/crypto/openssh/sshd_config @@ -1,14 +1,17 @@ # This is ssh server systemwide configuration file. +# +# $FreeBSD$ Port 22 #ListenAddress 0.0.0.0 #ListenAddress :: -HostKey /etc/ssh_host_key +HostKey __PREFIX__/etc/ssh_host_key ServerKeyBits 768 -LoginGraceTime 600 +LoginGraceTime 60 KeyRegenerationInterval 3600 -PermitRootLogin yes -# +PermitRootLogin no +# Rate-limit sshd connections to 5 connections per 10 seconds +ConnectionsPerPeriod 5/10 # Don't read ~/.rhosts and ~/.shosts files IgnoreRhosts yes # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication