sshd.c (301551) | sshd.c (302182) |
1/* $OpenBSD: sshd.c,v 1.465 2016/02/15 09:47:49 dtucker Exp $ */ 2/* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * This program is the ssh daemon. It listens for connections from clients, 7 * and performs authentication, executes use commands or shell, and forwards 8 * information to/from the application to the user client over an encrypted --- 29 unchanged lines hidden (view full) --- 38 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 39 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 40 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 41 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 42 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 43 */ 44 45#include "includes.h" | 1/* $OpenBSD: sshd.c,v 1.465 2016/02/15 09:47:49 dtucker Exp $ */ 2/* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * This program is the ssh daemon. It listens for connections from clients, 7 * and performs authentication, executes use commands or shell, and forwards 8 * information to/from the application to the user client over an encrypted --- 29 unchanged lines hidden (view full) --- 38 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 39 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 40 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 41 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 42 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 43 */ 44 45#include "includes.h" |
46__RCSID("$FreeBSD: head/crypto/openssh/sshd.c 301551 2016-06-07 16:18:09Z lidl $"); | 46__RCSID("$FreeBSD: head/crypto/openssh/sshd.c 302182 2016-06-24 23:22:42Z gjb $"); |
47 48#include <sys/types.h> 49#include <sys/ioctl.h> 50#include <sys/mman.h> 51#include <sys/socket.h> 52#ifdef HAVE_SYS_STAT_H 53# include <sys/stat.h> 54#endif --- 75 unchanged lines hidden (view full) --- 130#include "monitor.h" 131#ifdef GSSAPI 132#include "ssh-gss.h" 133#endif 134#include "monitor_wrap.h" 135#include "ssh-sandbox.h" 136#include "version.h" 137#include "ssherr.h" | 47 48#include <sys/types.h> 49#include <sys/ioctl.h> 50#include <sys/mman.h> 51#include <sys/socket.h> 52#ifdef HAVE_SYS_STAT_H 53# include <sys/stat.h> 54#endif --- 75 unchanged lines hidden (view full) --- 130#include "monitor.h" 131#ifdef GSSAPI 132#include "ssh-gss.h" 133#endif 134#include "monitor_wrap.h" 135#include "ssh-sandbox.h" 136#include "version.h" 137#include "ssherr.h" |
138#ifdef USE_BLACKLIST 139#include "blacklist_client.h" 140#endif | |
141 142#ifdef LIBWRAP 143#include <tcpd.h> 144#include <syslog.h> 145int allow_severity; 146int deny_severity; 147#endif /* LIBWRAP */ 148 --- 237 unchanged lines hidden (view full) --- 386 * Try to kill any processes that we have spawned, E.g. authorized 387 * keys command helpers. 388 */ 389 if (getpgid(0) == getpid()) { 390 signal(SIGTERM, SIG_IGN); 391 kill(0, SIGTERM); 392 } 393 | 138 139#ifdef LIBWRAP 140#include <tcpd.h> 141#include <syslog.h> 142int allow_severity; 143int deny_severity; 144#endif /* LIBWRAP */ 145 --- 237 unchanged lines hidden (view full) --- 383 * Try to kill any processes that we have spawned, E.g. authorized 384 * keys command helpers. 385 */ 386 if (getpgid(0) == getpid()) { 387 signal(SIGTERM, SIG_IGN); 388 kill(0, SIGTERM); 389 } 390 |
394#ifdef USE_BLACKLIST 395 blacklist_notify(1); 396#endif | |
397 /* Log error and exit. */ 398 sigdie("Timeout before authentication for %s", get_remote_ipaddr()); 399} 400 401/* 402 * Signal handler for the key regeneration alarm. Note that this 403 * alarm only occurs in the daemon waiting for connections, and it does not 404 * do anything with the private key or random state before forking. --- 245 unchanged lines hidden (view full) --- 650 if ((RAND_bytes((u_char *)rnd, 1)) != 1) 651 fatal("%s: RAND_bytes failed", __func__); 652#endif 653 explicit_bzero(rnd, sizeof(rnd)); 654 655 /* Demote the private keys to public keys. */ 656 demote_sensitive_data(); 657 | 391 /* Log error and exit. */ 392 sigdie("Timeout before authentication for %s", get_remote_ipaddr()); 393} 394 395/* 396 * Signal handler for the key regeneration alarm. Note that this 397 * alarm only occurs in the daemon waiting for connections, and it does not 398 * do anything with the private key or random state before forking. --- 245 unchanged lines hidden (view full) --- 644 if ((RAND_bytes((u_char *)rnd, 1)) != 1) 645 fatal("%s: RAND_bytes failed", __func__); 646#endif 647 explicit_bzero(rnd, sizeof(rnd)); 648 649 /* Demote the private keys to public keys. */ 650 demote_sensitive_data(); 651 |
658#ifdef USE_BLACKLIST 659 blacklist_init(); 660#endif 661 | |
662 /* Demote the child */ 663 if (getuid() == 0 || geteuid() == 0) { 664 /* Change our root directory */ 665 if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) 666 fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, 667 strerror(errno)); 668 if (chdir("/") == -1) 669 fatal("chdir(\"/\"): %s", strerror(errno)); --- 607 unchanged lines hidden (view full) --- 1277 for (i = 0; i < num_listen_socks; i++) 1278 if (listen_socks[i] > maxfd) 1279 maxfd = listen_socks[i]; 1280 /* pipes connected to unauthenticated childs */ 1281 startup_pipes = xcalloc(options.max_startups, sizeof(int)); 1282 for (i = 0; i < options.max_startups; i++) 1283 startup_pipes[i] = -1; 1284 | 652 /* Demote the child */ 653 if (getuid() == 0 || geteuid() == 0) { 654 /* Change our root directory */ 655 if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) 656 fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, 657 strerror(errno)); 658 if (chdir("/") == -1) 659 fatal("chdir(\"/\"): %s", strerror(errno)); --- 607 unchanged lines hidden (view full) --- 1267 for (i = 0; i < num_listen_socks; i++) 1268 if (listen_socks[i] > maxfd) 1269 maxfd = listen_socks[i]; 1270 /* pipes connected to unauthenticated childs */ 1271 startup_pipes = xcalloc(options.max_startups, sizeof(int)); 1272 for (i = 0; i < options.max_startups; i++) 1273 startup_pipes[i] = -1; 1274 |
1285#ifdef USE_BLACKLIST 1286 blacklist_init(); 1287#endif | |
1288 /* 1289 * Stay listening for connections until the system crashes or 1290 * the daemon is killed with a signal. 1291 */ 1292 for (;;) { 1293 if (received_sighup) 1294 sighup_restart(); 1295 free(fdset); --- 1418 unchanged lines hidden --- | 1275 /* 1276 * Stay listening for connections until the system crashes or 1277 * the daemon is killed with a signal. 1278 */ 1279 for (;;) { 1280 if (received_sighup) 1281 sighup_restart(); 1282 free(fdset); --- 1418 unchanged lines hidden --- |