From 9d86e5d5704092072822336af6d0bee468c25966 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 8 Mar 2009 11:40:27 +1100 Subject: [PATCH] - (dtucker) [auth-passwd.c auth1.c auth2-kbdint.c auth2-none.c auth2-passwd.c auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h} openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old version of Cygwin. Patch from vinschen at redhat com. --- ChangeLog | 6 ++ auth-passwd.c | 2 +- auth1.c | 10 +-- auth2-kbdint.c | 4 - auth2-none.c | 4 - auth2-passwd.c | 4 - auth2-pubkey.c | 4 - openbsd-compat/bsd-cygwin_util.c | 124 ------------------------------- openbsd-compat/bsd-cygwin_util.h | 5 +- openbsd-compat/daemon.c | 10 --- session.c | 11 +-- 11 files changed, 12 insertions(+), 172 deletions(-) diff --git a/ChangeLog b/ChangeLog index be302d9b6..ae2cf5119 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20090308 + - (dtucker) [auth-passwd.c auth1.c auth2-kbdint.c auth2-none.c auth2-passwd.c + auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h} + openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old + version of Cygwin. Patch from vinschen at redhat com. + 20090307 - (dtucker) [contrib/aix/buildbff.sh] Only try to rename ssh_prng_cmds if it exists (it's not created if OpenSSL's PRNG is self-seeded, eg if the OS diff --git a/auth-passwd.c b/auth-passwd.c index bdfced023..b1c6ce092 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -102,7 +102,7 @@ auth_password(Authctxt *authctxt, const char *password) } #endif #ifdef HAVE_CYGWIN - if (is_winnt) { + { HANDLE hToken = cygwin_logon_user(pw, password); if (hToken == INVALID_HANDLE_VALUE) diff --git a/auth1.c b/auth1.c index b8a255872..1801661fd 100644 --- a/auth1.c +++ b/auth1.c @@ -318,15 +318,7 @@ do_authloop(Authctxt *authctxt) } #endif /* _UNICOS */ -#ifdef HAVE_CYGWIN - if (authenticated && - !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, - authctxt->pw)) { - packet_disconnect("Authentication rejected for uid %d.", - authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid); - authenticated = 0; - } -#else +#ifndef HAVE_CYGWIN /* Special handling for root */ if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(meth->name)) { diff --git a/auth2-kbdint.c b/auth2-kbdint.c index a4fc9e6f7..fae67da6e 100644 --- a/auth2-kbdint.c +++ b/auth2-kbdint.c @@ -58,10 +58,6 @@ userauth_kbdint(Authctxt *authctxt) xfree(devs); xfree(lang); -#ifdef HAVE_CYGWIN - if (check_nt_auth(0, authctxt->pw) == 0) - authenticated = 0; -#endif return authenticated; } diff --git a/auth2-none.c b/auth2-none.c index 10accfe55..08f2f935f 100644 --- a/auth2-none.c +++ b/auth2-none.c @@ -61,10 +61,6 @@ userauth_none(Authctxt *authctxt) { none_enabled = 0; packet_check_eom(); -#ifdef HAVE_CYGWIN - if (check_nt_auth(1, authctxt->pw) == 0) - return (0); -#endif if (options.password_authentication) return (PRIVSEP(auth_password(authctxt, ""))); return (0); diff --git a/auth2-passwd.c b/auth2-passwd.c index 421c5c25d..5f1f3635f 100644 --- a/auth2-passwd.c +++ b/auth2-passwd.c @@ -68,10 +68,6 @@ userauth_passwd(Authctxt *authctxt) logit("password change not supported"); else if (PRIVSEP(auth_password(authctxt, password)) == 1) authenticated = 1; -#ifdef HAVE_CYGWIN - if (check_nt_auth(1, authctxt->pw) == 0) - authenticated = 0; -#endif memset(password, 0, len); xfree(password); return authenticated; diff --git a/auth2-pubkey.c b/auth2-pubkey.c index b1e38e5f5..2886f1275 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -170,10 +170,6 @@ done: key_free(key); xfree(pkalg); xfree(pkblob); -#ifdef HAVE_CYGWIN - if (check_nt_auth(0, authctxt->pw) == 0) - authenticated = 0; -#endif return authenticated; } diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c index 38be7e350..e90c1597f 100644 --- a/openbsd-compat/bsd-cygwin_util.c +++ b/openbsd-compat/bsd-cygwin_util.c @@ -39,9 +39,6 @@ #endif #include -#include -#include -#include #include #include @@ -49,11 +46,6 @@ #include #include "xmalloc.h" -#define is_winnt (GetVersion() < 0x80000000) - -#define ntsec_on(c) ((c) && strstr((c),"ntsec") && !strstr((c),"nontsec")) -#define ntsec_off(c) ((c) && strstr((c),"nontsec")) -#define ntea_on(c) ((c) && strstr((c),"ntea") && !strstr((c),"nontea")) int binary_open(const char *filename, int flags, ...) @@ -79,128 +71,12 @@ binary_pipe(int fd[2]) return (ret); } -#define HAS_CREATE_TOKEN 1 -#define HAS_NTSEC_BY_DEFAULT 2 -#define HAS_CREATE_TOKEN_WO_NTSEC 3 - -static int -has_capability(int what) -{ - static int inited; - static int has_create_token; - static int has_ntsec_by_default; - static int has_create_token_wo_ntsec; - - /* - * has_capability() basically calls uname() and checks if - * specific capabilities of Cygwin can be evaluated from that. - * This simplifies the calling functions which only have to ask - * for a capability using has_capability() instead of having - * to figure that out by themselves. - */ - if (!inited) { - struct utsname uts; - - if (!uname(&uts)) { - int major_high = 0, major_low = 0, minor = 0; - int api_major_version = 0, api_minor_version = 0; - char *c; - - sscanf(uts.release, "%d.%d.%d", &major_high, - &major_low, &minor); - if ((c = strchr(uts.release, '(')) != NULL) { - sscanf(c + 1, "%d.%d", &api_major_version, - &api_minor_version); - } - if (major_high > 1 || - (major_high == 1 && (major_low > 3 || - (major_low == 3 && minor >= 2)))) - has_create_token = 1; - if (api_major_version > 0 || api_minor_version >= 56) - has_ntsec_by_default = 1; - if (major_high > 1 || - (major_high == 1 && major_low >= 5)) - has_create_token_wo_ntsec = 1; - inited = 1; - } - } - switch (what) { - case HAS_CREATE_TOKEN: - return (has_create_token); - case HAS_NTSEC_BY_DEFAULT: - return (has_ntsec_by_default); - case HAS_CREATE_TOKEN_WO_NTSEC: - return (has_create_token_wo_ntsec); - } - return (0); -} - -int -check_nt_auth(int pwd_authenticated, struct passwd *pw) -{ - /* - * The only authentication which is able to change the user - * context on NT systems is the password authentication. So - * we deny all requsts for changing the user context if another - * authentication method is used. - * - * This doesn't apply to Cygwin versions >= 1.3.2 anymore which - * uses the undocumented NtCreateToken() call to create a user - * token if the process has the appropriate privileges and if - * CYGWIN ntsec setting is on. - */ - static int has_create_token = -1; - - if (pw == NULL) - return 0; - if (is_winnt) { - if (has_create_token < 0) { - char *cygwin = getenv("CYGWIN"); - - has_create_token = 0; - if (has_capability(HAS_CREATE_TOKEN) && - (ntsec_on(cygwin) || - (has_capability(HAS_NTSEC_BY_DEFAULT) && - !ntsec_off(cygwin)) || - has_capability(HAS_CREATE_TOKEN_WO_NTSEC))) - has_create_token = 1; - } - if (has_create_token < 1 && - !pwd_authenticated && geteuid() != pw->pw_uid) - return (0); - } - return (1); -} - int check_ntsec(const char *filename) { return (pathconf(filename, _PC_POSIX_PERMISSIONS)); } -void -register_9x_service(void) -{ - HINSTANCE kerneldll; - DWORD (*RegisterServiceProcess)(DWORD, DWORD); - - /* The service register mechanism in 9x/Me is pretty different from - * NT/2K/XP. In NT/2K/XP we're using a special service starter - * application to register and control sshd as service. This method - * doesn't play nicely with 9x/Me. For that reason we register here - * as service when running under 9x/Me. This function is only called - * by the child sshd when it's going to daemonize. - */ - if (is_winnt) - return; - if (!(kerneldll = LoadLibrary("KERNEL32.DLL"))) - return; - if (!(RegisterServiceProcess = (DWORD (*)(DWORD, DWORD)) - GetProcAddress(kerneldll, "RegisterServiceProcess"))) - return; - RegisterServiceProcess(0, 1); -} - #define NL(x) x, (sizeof (x) - 1) #define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0])) diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h index 6719b8a49..39b8eb788 100644 --- a/openbsd-compat/bsd-cygwin_util.h +++ b/openbsd-compat/bsd-cygwin_util.h @@ -1,4 +1,4 @@ -/* $Id: bsd-cygwin_util.h,v 1.11 2004/08/30 10:42:08 dtucker Exp $ */ +/* $Id: bsd-cygwin_util.h,v 1.12 2009/03/08 00:40:28 dtucker Exp $ */ /* * Copyright (c) 2000, 2001, Corinna Vinschen @@ -35,7 +35,6 @@ #ifdef HAVE_CYGWIN #undef ERROR -#define is_winnt (GetVersion() < 0x80000000) #include #include @@ -43,9 +42,7 @@ int binary_open(const char *, int , ...); int binary_pipe(int fd[2]); -int check_nt_auth(int, struct passwd *); int check_ntsec(const char *); -void register_9x_service(void); char **fetch_windows_environment(void); void free_windows_environment(char **); diff --git a/openbsd-compat/daemon.c b/openbsd-compat/daemon.c index e3a6886bd..3efe14c68 100644 --- a/openbsd-compat/daemon.c +++ b/openbsd-compat/daemon.c @@ -57,18 +57,8 @@ daemon(int nochdir, int noclose) case -1: return (-1); case 0: -#ifdef HAVE_CYGWIN - register_9x_service(); -#endif break; default: -#ifdef HAVE_CYGWIN - /* - * This sleep avoids a race condition which kills the - * child process if parent is started by a NT/W2K service. - */ - sleep(1); -#endif _exit(0); } diff --git a/session.c b/session.c index f2549e0cd..8e0c54faa 100644 --- a/session.c +++ b/session.c @@ -571,8 +571,7 @@ do_exec_no_pty(Session *s, const char *command) signal(WJSIGNAL, cray_job_termination_handler); #endif /* _UNICOS */ #ifdef HAVE_CYGWIN - if (is_winnt) - cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); + cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); #endif s->pid = pid; @@ -726,8 +725,7 @@ do_exec_pty(Session *s, const char *command) signal(WJSIGNAL, cray_job_termination_handler); #endif /* _UNICOS */ #ifdef HAVE_CYGWIN - if (is_winnt) - cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); + cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); #endif s->pid = pid; @@ -1116,7 +1114,7 @@ do_setup_env(Session *s, const char *shell) u_int i, envsize; char **env, *laddr; struct passwd *pw = s->pw; -#ifndef HAVE_LOGIN_CAP +#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) char *path = NULL; #endif @@ -1551,9 +1549,6 @@ do_setusercontext(struct passwd *pw) #endif } -#ifdef HAVE_CYGWIN - if (is_winnt) -#endif if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);