===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/monitor.c,v
retrieving revision 1.34.2.1
retrieving revision 1.34.2.2
diff -u -r1.34.2.1 -r1.34.2.2
--- src/usr.bin/ssh/monitor.c 2003/09/16 20:50:43 1.34.2.1
+++ src/usr.bin/ssh/monitor.c 2004/03/04 18:18:15 1.34.2.2
@@ -25,7 +25,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.34.2.1 2003/09/16 20:50:43 brad Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.34.2.2 2004/03/04 18:18:15 brad Exp $");
 #include
@@ -125,6 +125,7 @@
 int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
+int mm_answer_gss_checkmic(int, Buffer *);
 #endif
 static Authctxt *authctxt;
@@ -176,6 +177,7 @@
 {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
+ {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
 #endif
 {0, 0, NULL}
 };
@@ -247,14 +249,17 @@
 }
 }
-Authctxt *
-monitor_child_preauth(struct monitor *pmonitor)
+void
+monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 {
 struct mon_table *ent;
 int authenticated = 0;
 debug3("preauth child monitor started");
+ authctxt = _authctxt;
+ memset(authctxt, 0, sizeof(*authctxt));
+
 if (compat20) {
 mon_dispatch = mon_dispatch_proto20;
@@ -267,8 +272,6 @@
 monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
 }
- authctxt = authctxt_new();
-
 /* The first few requests do not require asynchronous access */
 while (!authenticated) {
 authenticated = monitor_read(pmonitor, mon_dispatch, &ent);
@@ -296,8 +299,6 @@
 __func__, authctxt->user);
 mm_get_keystate(pmonitor);
-
- return (authctxt);
 }
 static void
@@ -529,6 +530,7 @@
 if (pwent == NULL) {
 buffer_put_char(m, 0);
+ authctxt->pw = fakepw();
 goto out;
 }
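Review bot: After `authctxt->pw = fakepw();` in the `pwent == NULL` branch (hunk at 529), `pw` is non-NULL even for an unknown user, so from this commit on only `authctxt->valid` can distinguish a real lookup from the fake one; the hunk at 769 converts one `authctxt->pw != NULL` test accordingly, but any other answerer in this file that still keys on `pw` would now treat an unknown user as looked up, and the rest of the file is not in this diff. I would record the contract at the assignment: `/* unknown user: install a fake pw so this path stays uniform with a real lookup; validity is tracked by authctxt->valid only */`. The enclosing function continues outside the hunk, and `valid` is not set in the visible lines, so where it is set should be confirmed.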
@@ -769,7 +771,7 @@
 debug3("%s: key_from_blob: %p", __func__, key);
- if (key != NULL && authctxt->pw != NULL) {
+ if (key != NULL && authctxt->valid) {
 switch(type) {
 case MM_USERKEY:
 allowed = options.pubkey_authentication &&
@@ -1007,7 +1009,7 @@
 if (getpeername(packet_get_connection_in(),
 (struct sockaddr *) & from, &fromlen) < 0) {
 debug("getpeername: %.100s", strerror(errno));
- fatal_cleanup();
+ cleanup_exit(255);
 }
 }
 /* Record that there was a login on that tty from the remote host. */
@@ -1022,7 +1024,6 @@
 debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid);
 if (s->ttyfd != -1) {
 debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
- fatal_remove_cleanup(session_pty_cleanup2, (void *)s);
 session_pty_cleanup2(s);
 }
 s->used = 0;
@@ -1047,7 +1048,6 @@
 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
 if (res == 0)
 goto error;
- fatal_add_cleanup(session_pty_cleanup2, (void *)s);
 pty_setowner(authctxt->pw, s->tty);
 buffer_put_int(m, 1);
@@ -1525,6 +1525,7 @@
 mon = xmalloc(sizeof(*mon));
+ mon->m_pid = 0;
 monitor_socketpair(pair);
 mon->m_recvfd = pair[0];
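Review bot: Removing `fatal_add_cleanup(session_pty_cleanup2, (void *)s);` after `pty_allocate()` (hunk at 1047) leaves no per-session hook on the fatal path, so an allocated pty is now released only by the explicit `session_pty_cleanup2(s)` call in the hunk at 1022; whether `cleanup_exit(255)` (hunk at 1007) walks the session table and releases used ptys is not visible in this diff and should be confirmed, otherwise a fatal() between allocation and session close leaves the pty and its ownership change behind. A one-line comment at the removed call would record the new ownership: `/* no fatal-cleanup hook: the pty is released by session close or by cleanup_exit() */`. The enclosing functions of all three hunks start and end outside the hunks.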
@@ -1601,15 +1602,43 @@
 gss_release_buffer(&minor, &out);
- /* Complete - now we can do signing */
 if (major==GSS_S_COMPLETE) {
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
 }
 return (0);
 }
 int
+mm_answer_gss_checkmic(int socket, Buffer *m)
+{
+ gss_buffer_desc gssbuf, mic;
+ OM_uint32 ret;
+ u_int len;
+
+ gssbuf.value = buffer_get_string(m, &len);
+ gssbuf.length = len;
+ mic.value = buffer_get_string(m, &len);
+ mic.length = len;
+
+ ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
+
+ xfree(gssbuf.value);
+ xfree(mic.value);
+
+ buffer_clear(m);
+ buffer_put_int(m, ret);
+
+ mm_request_send(socket, MONITOR_ANS_GSSCHECKMIC, m);
+
+ if (!GSS_ERROR(ret))
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
+
+ return (0);
+}
+
+int
 mm_answer_gss_userok(int socket, Buffer *m)
 {
 int authenticated;
@@ -1622,7 +1651,7 @@
 debug3("%s: sending result %d", __func__, authenticated);
 mm_request_send(socket, MONITOR_ANS_GSSUSEROK, m);
- auth_method="gssapi";
+ auth_method="gssapi-with-mic";
 /* Monitor loop will terminate if authenticated */
 return (authenticated);
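Review bot: The new `mm_answer_gss_checkmic` permits `MONITOR_REQ_GSSUSEROK` only after a successful MIC check, but the same hunk keeps `monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);` in the `GSS_S_COMPLETE` branch of the accept-ctx answerer, so the monitor will also answer a userok request from a child that never sent a MIC, and the MIC is then enforced only by the unprivileged side. Since the method is now reported as `gssapi-with-mic` (hunk at 1622), the privileged side should be the one that gates on the MIC: drop the GSSUSEROK permit from the `GSS_S_COMPLETE` branch, keep only the GSSCHECKMIC permit there, and leave the permit in `mm_answer_gss_checkmic` as the sole path; whether the body of `mm_answer_gss_userok`, which continues outside this hunk, adds its own check is not visible here. The new function also has no header comment; I would add `/* Verify a client MIC against the established GSS context; only a successful check permits MONITOR_REQ_GSSUSEROK. */` above it.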