--- openssh-3.8p1/auth.h.immunix 2004-02-21 15:22:05.000000000 -0800 +++ openssh-3.8p1/auth.h 2004-09-09 15:08:08.385513456 -0700 @@ -68,6 +68,9 @@ char *krb5_ticket_file; #endif void *methoddata; + /* Immunix */ + unsigned int subdomain_token; + /* /Immunix */ }; /* * Every authentication method has to handle authentication requests for --- openssh-3.8p1/sshd.c.immunix 2004-09-09 15:08:08.351518624 -0700 +++ openssh-3.8p1/sshd.c 2004-09-09 15:46:45.455265312 -0700 @@ -92,6 +92,10 @@ int deny_severity = LOG_WARNING; #endif /* LIBWRAP */ +/* IMMUNIX */ +#include +/* /IMMUNIX */ + #ifndef O_NOCTTY #define O_NOCTTY 0 #endif @@ -597,6 +601,10 @@ gid_t gidset[1]; struct passwd *pw; int i; + /* IMMUNIX */ + int retval; + unsigned int magic_token = 0; + /* /IMMUNIX */ /* Enable challenge-response authentication for privilege separation */ privsep_challenge_enable(); @@ -605,6 +613,18 @@ rnd[i] = arc4random(); RAND_seed(rnd, sizeof(rnd)); + /* IMMUNIX */ + debug2("about to enter pre-auth privsep"); + /* privsep child should exit(), so don't need to change_hat back out. */ + /* this means we can wipe the token from our memory */ + retval = change_hat ("PRIVSEP", magic_token); + if (retval < 0) { + logit("change_hat into PRIVSEP failed: %s\n", + strerror(errno)); + change_hat(NULL, magic_token); /* bleagh */ + } + /* /IMMUNIX */ + /* Demote the private keys to public keys. */ demote_sensitive_data(); @@ -670,6 +690,18 @@ close(pmonitor->m_sendfd); + /* IMMUNIX */ + /* leave the monitor's hat */ + debug2("leaving the monitors hat in privsep_preauth (pid %ld)", + pid); + if (change_hat (NULL, authctxt->subdomain_token) == -1) + logit("change_hat out of monitor's hat failed: %s\n", + strerror(errno)); + /* wipe the monitor's token from child's memory */ + authctxt->subdomain_token = 0; + /* privsep_preath_child will do a new change_hat */ + /* IMMUNIX */ + /* Demote the child */ if (getuid() == 0 || geteuid() == 0) privsep_preauth_child(); 
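Review bot: A failed `change_hat ("PRIVSEP", magic_token)` is only logged, after which `change_hat(NULL, magic_token)` runs and the pre-auth child carries on handling network input outside the PRIVSEP hat, so the confinement fails open. The same log-or-ignore-and-continue pattern appears in the `PRIVSEP_MONITOR` hunk at -1484, the `AUTHENTICATED` hunk at -1568 and the session.c hunk at -1489. If the hat is meant to be mandatory, stop instead: `if (change_hat("PRIVSEP", magic_token) < 0) fatal("change_hat into PRIVSEP failed: %s", strerror(errno));`. `magic_token` is still 0 here from its declaration in the -597 hunk; the comment should say that the zero token is deliberate and what it means for leaving the hat, which the page does not show. The enclosing function starts and ends outside the hunk.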
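Review bot: Zeroing `authctxt->subdomain_token` does not remove the token from the child as the comment claims, because the caller still holds it in its `magic_token` local (assigned in the -1484 hunk and copied into the struct in the -1544 hunk just before `privsep_preauth(authctxt)` is called). If this branch runs after a fork, which the surrounding lines suggest but do not show, that stack frame is inherited along with the struct. The comment should be narrowed to something like `/* clear the struct copy; the caller's local copy is still present in this process */`. Separately, `pid` is passed to `%ld` without a cast; `(long)pid` is the safe form if `pid` is a `pid_t`, and in a child branch it would presumably print 0, so `(long)getpid()` may be what is wanted. The function body continues outside the hunk.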
@@ -870,6 +902,10 @@ Authctxt *authctxt; int ret, key_used = 0; char *port; + /* Immunix */ + int retval; + unsigned int magic_token = 0; + /* /Immunix */ #ifdef HAVE_SECUREWARE (void)set_auth_parameters(ac, av); @@ -1484,6 +1520,15 @@ signal(SIGCHLD, SIG_DFL); signal(SIGINT, SIG_DFL); + /* IMMUNIX */ + magic_token = arc4random(); + if (magic_token == 0) + logit("Unable to get random token for subdomain"); + + retval = change_hat ("PRIVSEP_MONITOR", magic_token); + if (retval < 0) change_hat(NULL, magic_token); /* XXX */ + /* /IMMUNIX */ + /* Set SO_KEEPALIVE if requested. */ if (options.tcp_keep_alive && setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, @@ -1544,6 +1589,10 @@ /* XXX global for cleanup, access from other modules */ the_authctxt = authctxt; + + /* Immunix - save subdomain token */ + authctxt->subdomain_token = magic_token; + /* /Immunix */ if (use_privsep) if (privsep_preauth(authctxt) == 1) 
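Review bot: A zero from `arc4random()` is a valid random output rather than a failure, yet the `magic_token == 0` branch logs "Unable to get random token for subdomain" and then enters `PRIVSEP_MONITOR` with that zero token anyway. If zero is a reserved value (the -605 hunk passes 0 for a hat that is never left), draw again instead of continuing: `do { magic_token = arc4random(); } while (magic_token == 0);`. The token is also only 32 bits wide and is held in a local of the very process the hat confines, which deserves a comment so that the hat is not read as a boundary against code running inside the monitor. The enclosing function starts and ends outside the hunk.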
@@ -1568,17 +1617,34 @@ } authenticated: + /* Immunix - save subdomain token. the preauth child monitor zeros + * it out */ + authctxt->subdomain_token = magic_token; + /* /Immunix */ /* * In privilege separation, we fork another child and prepare * file descriptor passing. */ if (use_privsep) { + /* Immunix - clear sensitive data -- XXX only do it in the child */ + /* magic_token = 0; */ + /* /Immunix */ privsep_postauth(authctxt); /* the monitor process [priv] will not return */ if (!compat20) destroy_sensitive_data(); } + /* IMMUNIX */ + /* leave the monitor's hat */ + debug2("About to change_hat out of monitor into authenticated right before do_authenticated"); + if (change_hat (NULL, magic_token) == -1) + logit("change_hat out of monitor's hat failed: %s\n", + strerror(errno)); + retval = change_hat ("AUTHENTICATED", magic_token); + if (retval < 0) change_hat(NULL, magic_token); /* XXX */ + /* /IMMUNIX */ + /* Start session. */ do_authenticated(authctxt); --- openssh-3.8p1/session.c.immunix 2004-02-23 05:01:27.000000000 -0800 +++ openssh-3.8p1/session.c 2004-09-09 15:43:48.518163840 -0700 @@ -66,6 +66,10 @@ #include "ssh-gss.h" #endif +/* IMMUNIX */ +#include +/* /IMMUNIX */ + /* func */ Session *session_new(void); @@ -1383,6 +1387,9 @@ char *argv[10]; const char *shell, *shell0, *hostname = NULL; struct passwd *pw = s->pw; + /* Immunix */ + int retval; + /* /Immunix */ /* remove hostkey from the child's memory */ destroy_sensitive_data(); 
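Review bot: The process that enters `AUTHENTICATED` keeps the token that lets it leave again, in both `magic_token` and `authctxt->subdomain_token`, and the only attempt to clear it is the commented-out `magic_token = 0` marked XXX. The session.c hunk at -1489 needs the value for its own `change_hat` calls, so it cannot simply be dropped here, but that constraint should be written down, e.g. `/* token must stay readable until the final change_hat in session.c; AUTHENTICATED is not a barrier against code running in this process */`. The comment on the re-assignment after `authenticated:` also looks inaccurate: the -670 hunk zeroes the field in the pre-auth child, which would not alter this process's copy if the two are separated by a fork. The enclosing function starts and ends outside the hunk.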
@@ -1489,6 +1496,23 @@ #endif } + /* IMMUNIX */ + change_hat(NULL, s->authctxt->subdomain_token); + + /* try to changehat to a user specific hat */ + retval = change_hat(pw->pw_name, s->authctxt->subdomain_token); + if (retval >= 0) goto done_changehat; + + /* try to change_hat to a default EXEC hat */ + retval = change_hat("EXEC", s->authctxt->subdomain_token); + if (retval < 0) change_hat(NULL, s->authctxt->subdomain_token); + + /* note: there is no need to undo the change_hat() because this + function does not return - ever. */ + done_changehat: + + /* /IMMUNIX */ + if (!options.use_login) do_rc_files(s, shell); --- openssh-3.8p1/Makefile.in.immunix 2004-02-17 19:35:11.000000000 -0800 +++ openssh-3.8p1/Makefile.in 2004-09-09 15:08:08.388513000 -0700 @@ -43,6 +43,7 @@ CFLAGS=@CFLAGS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ LIBS=@LIBS@ +LIBS+=-limmunix LIBPAM=@LIBPAM@ LIBWRAP=@LIBWRAP@ AR=@AR@
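Review bot: Using `pw->pw_name` directly as the hat name puts account names and the fixed hat names used elsewhere in this patch (`PRIVSEP`, `PRIVSEP_MONITOR`, `AUTHENTICATED`, `EXEC`) in one namespace, so an account whose name equals one of them would have its session placed in a hat written for a different stage of sshd. A distinct prefix for per-user hats, or a check that rejects the reserved names before the call, removes the overlap; the profile side would need matching names. The first `change_hat(NULL, s->authctxt->subdomain_token)` is also unchecked, so a failure to leave the previous hat goes unnoticed before the user-specific attempt. The enclosing function starts and ends outside the hunk.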
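Review bot: `LIBS+=-limmunix` makes libimmunix a hard build requirement with no configure test behind it, and it is added to a variable that is presumably shared by every program this Makefile links, not only the daemon. The `#include` lines and `change_hat` calls added to sshd.c and session.c are likewise unconditional, so the tree no longer builds where the library is absent. Gate the code on a configure-detected macro and add the library only to the link line of the binary that calls `change_hat`; the link rules themselves are outside this hunk.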