Index: /branches/rel_apv_10_7/usr/click/bin/openssh/Makefile =================================================================== --- /branches/rel_apv_10_7/usr/click/bin/openssh/Makefile (revision 38292) +++ /branches/rel_apv_10_7/usr/click/bin/openssh/Makefile (working copy) @@ -16,10 +16,10 @@ all: ./build.sh all clean: - rm -rf openssh-8.8p1 + rm -rf openssh-9.3p2 realclean: git clean -dfx . install: - install -Dm 0755 -t ${ANROOT}/ca/bin/ ${.CURDIR}/openssh-8.8p1/sshd ${.CURDIR}/openssh-8.8p1/ssh ${.CURDIR}/openssh-8.8p1/ssh-keygen + install -Dm 0755 -t ${ANROOT}/ca/bin/ ${.CURDIR}/openssh-9.3p2/sshd ${.CURDIR}/openssh-9.3p2/ssh ${.CURDIR}/openssh-9.3p2/ssh-keygen install -Dm 0755 -t ${ANROOT}/ca/etc/ ${.CURDIR}/sshd_config .endif Index: /branches/rel_apv_10_7/usr/click/bin/openssh/array_patch =================================================================== --- /branches/rel_apv_10_7/usr/click/bin/openssh/array_patch (revision 38292) +++ /branches/rel_apv_10_7/usr/click/bin/openssh/array_patch (working copy) @@ -1,9 +1,280 @@ ---- openssh-8.8p1_original/auth2.c 2021-09-26 22:03:19.000000000 +0800 -+++ openssh-8.8p1_a/auth2.c 2022-07-21 18:13:05.183434086 +0800 -@@ -59,6 +59,30 @@ - #include "monitor_wrap.h" - #include "digest.h" - +diff -ru1 openssh-9.3p2/Makefile.in openssh-9.3p2-patch/Makefile.in +--- openssh-9.3p2/Makefile.in 2023-07-19 14:31:34.000000000 +0800 ++++ openssh-9.3p2-patch/Makefile.in 2024-05-16 16:14:01.472590569 +0800 +@@ -71,3 +71,3 @@ + +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) synconfigd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) + +@@ -161,4 +161,7 @@ + +-CONFIGFILES=sshd_config.out ssh_config.out moduli.out +-CONFIGFILES_IN=sshd_config ssh_config moduli ++#CONFIGFILES=sshd_config.out ssh_config.out moduli.out ++#CONFIGFILES_IN=sshd_config ssh_config moduli ++ ++INST_BIN=${TARGETS} ++INST_CONF=ssh_config sshd_config moduli + +@@ -187,3 +190,4 @@ + +-all: $(CONFIGFILES) $(MANPAGES) $(TARGETS) ++#all: $(CONFIGFILES) $(MANPAGES) $(TARGETS) ++all: $(CONFIGFILES) $(TARGETS) + +@@ -209,3 +213,6 @@ + sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) +- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) ++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lldap -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) -L ../../objdir/ -L../../../lib/libexauth -lexauth -L../../../lib/libuinet-atcp/lib/libuinet -luinet_lite -L../../../lib/libuinet-atcp/lib/libuinet_sysctl -luinet_sysctl -L../../../lib/libuinet-atcp/lib/libuinetnv -luinetnv -lrt -lcrypto -L../../../lib/libfastlog -lfastlog ++ ++synconfigd$(EXEEXT): sshd$(EXEEXT) ++ /bin/cp sshd$(EXEEXT) $@ + +diff -ru1 openssh-9.3p2/auth.c openssh-9.3p2-patch/auth.c +--- openssh-9.3p2/auth.c 2023-07-19 14:31:34.000000000 +0800 ++++ openssh-9.3p2-patch/auth.c 2024-05-16 16:13:07.950136203 +0800 +@@ -78,2 +78,33 @@ + ++#include ++#include ++#include ++#include ++#if defined(__linux__) ++#define __printflike(x, y) ++#endif ++#include "click/app/fastlog/fastlog.h" ++#include "click/app/fastlog/logex_def.h" ++ ++#define SSHD_LOGIN_MSGQ_PATH "/var/crash/sshd_login_msgq" ++#define SSHD_LOGIN_MSGQ_LEN 100 ++#if defined(__linux__) ++#define SSHD_MSGQ_MODE (O_RDWR) ++#else ++#define SSHD_MSGQ_MODE (IPC_R | IPC_W | IPC_R>>3 |IPC_W>>3 | IPC_R>>6 | IPC_W>>6) ++#endif ++ ++typedef struct login_msgbuf { ++ long mtype; ++ char mtext [SSHD_LOGIN_MSGQ_LEN]; ++} login_msgbuf; ++ ++typedef struct login_msgbuf_templet{ ++ long type; ++ unsigned long addr; ++ unsigned int port; ++} login_msgbuf_templet; ++ ++ ++ + /* import */ +@@ -856 +887,88 @@ + } ++ ++void ++array_auth_log(struct ssh *ssh, int authenticated, char *method, char *info) ++{ ++ Authctxt *authctxt = ssh->authctxt; ++ /* info is ssh2 */ ++ if (!strncmp(method,"none",4)) { ++ return; ++ } ++ ++ fastlog_logex(AUTH_SSH_LOGIN, 6, ++ authctxt->user, ++ ssh_remote_ipaddr(ssh), ++ ssh_remote_port(ssh), ++ ssh_local_ipaddr(ssh), ++ ssh_local_port(ssh), ++ info); ++} ++ ++void ++push_addr_msg(int pid, unsigned int addr, int port) ++{ ++ int msg_id; ++ key_t msg_key; ++ login_msgbuf envelope; ++ login_msgbuf_templet *letter; ++ if ((msg_key = ftok(SSHD_LOGIN_MSGQ_PATH, 0x02)) == -1) { ++ fastlog_logex(SSHD_LOGIN_MSG_FTOK, 0); ++ } ++ ++bingo: ++ if ((msg_id = msgget(msg_key, IPC_CREAT|SSHD_MSGQ_MODE)) == -1) { ++ if (errno == EINTR) { ++ goto bingo; ++ } else { ++ fastlog_logex(SSHD_LOGIN_MSG_GET, 0); ++ } ++ } ++ letter = (login_msgbuf_templet *)&envelope; ++ letter->type = (long)getpid(); ++ letter->addr = (unsigned long)addr; ++ letter->port = port; ++ ++again: ++ if (msgsnd(msg_id, (void *)&envelope, SSHD_LOGIN_MSGQ_LEN, IPC_NOWAIT) == -1) { ++ if (errno == EINTR) { ++ goto again; ++ } else if (errno == EAGAIN) { ++ msgctl(msg_id, IPC_RMID, NULL); ++ goto bingo; ++ } else { ++ fastlog_logex(SSHD_LOGIN_MSG_SEND, 0); ++ } ++ } ++} ++ ++void ++array_send_addr_info(struct ssh *ssh) ++{ ++ struct in_addr inp; ++ inet_aton(ssh_remote_ipaddr(ssh), &inp); ++ push_addr_msg(getpid(), inp.s_addr, ssh_remote_port(ssh)); ++ return; ++} ++ ++#define CA_SHELL "/ca/bin/ca_shell" ++int ++get_array_user(char *username) ++{ ++ struct passwd *passwd; ++ ++ endpwent(); ++ passwd = getpwent(); ++ ++ while (passwd) { ++ if (strcmp(passwd->pw_shell, CA_SHELL) == 0) { ++ strcpy(username, passwd->pw_name); ++ endpwent(); /* rewind */ ++ return 0; ++ } ++ passwd = getpwent(); ++ } ++ endpwent(); ++ ++ return -1; ++} ++ +diff -ru1 openssh-9.3p2/auth.h openssh-9.3p2-patch/auth.h +--- openssh-9.3p2/auth.h 2023-07-19 14:31:34.000000000 +0800 ++++ openssh-9.3p2-patch/auth.h 2024-05-16 16:13:07.950136203 +0800 +@@ -240,2 +240,4 @@ + ++#define MAX_USER_NAME_SIZE 256 ++ + int sys_auth_passwd(struct ssh *, const char *); +diff -ru1 openssh-9.3p2/auth2-passwd.c openssh-9.3p2-patch/auth2-passwd.c +--- openssh-9.3p2/auth2-passwd.c 2023-07-19 14:31:34.000000000 +0800 ++++ openssh-9.3p2-patch/auth2-passwd.c 2024-05-17 13:48:43.990080453 +0800 +@@ -46,2 +46,28 @@ + #include "servconf.h" ++#include ++ ++/* ++ * authenticate with external server ++ */ ++#include "auth_ext.h" ++#if defined(__linux__) ++#include "auth_ext_cli.h" ++#include "auth_ext_ipc.h" ++#else ++#include "../../ui/exauth/auth_ext_cli.h" ++#include "../../ui/exauth/auth_ext_ipc.h" ++#endif ++ ++extern char ext_user[32]; ++extern int do_exauth; ++extern char ext_ssh_client_IP[32]; ++ ++struct passwd *local_auth_pw = NULL; ++struct passwd *ext_auth_pw = NULL; ++int local_auth_valid = 0; ++int ext_auth_valid = 0; ++int ext_authorize_level = 0; /* 0: enable, 1: config */ ++int ext_authenticated = 0; ++ ++ + +@@ -55,4 +81,9 @@ + int authenticated = 0, r; ++ int local_authenticated = 0; + u_char change; + size_t len = 0; ++ char method_str[80]; ++ Authctxt *authctxt = ssh->authctxt; ++ ++ ext_authenticated = 0; + +@@ -65,7 +96,59 @@ + } ++ ++ /*really do external authentication*/ ++ if (do_exauth) { ++ int ret_value = EXT_AUTH_FAILED; ++ /* ++ * the pw is a mapped user,EX_LOG_ON_MAPPED_USER ++ */ ++ ++ /*get exauth conf from the shared mem*/ ++ memset(method_str, 0, 80); ++ get_aaa_method(method_str); ++ ++ ret_value = external_auth(ext_user, password); ++ if(ret_value == EXT_AUTH_PASS_CONFIG ) { ++ ext_authenticated = 1; ++ ext_authorize_level = 1; ++ } else if (ret_value == EXT_AUTH_PASS_ENABLE) { ++ ext_authenticated = 1; ++ ext_authorize_level = 0; ++ } ++ ++ if(!ext_authenticated){ ++ /*exauth failed*/ ++ if(exauth_priority() == EXAUTH_PRIORITY_HIGH){ ++ /*exauth High priority, check local database*/ ++ if(local_auth_valid){ ++ authctxt->pw = local_auth_pw; ++ } else { ++ /*user not found in local database*/ ++ authctxt->pw = fakepw(); ++ authctxt->valid = 0; ++ } ++ if (change){ ++ logit("password change not supported"); ++ } ++ else if (PRIVSEP(auth_password(ssh, password)) == 1){ ++ local_authenticated = 1; ++ } ++ if(!local_authenticated){ ++ /*local also failed, switch back to external*/ ++ authctxt->pw = ext_auth_pw; ++ authctxt->valid = 1; ++ } ++ } ++ } ++ } else { ++ /*not do exauth, just check local database*/ ++ if (change){ ++ logit("password change not supported"); ++ } ++ else if (PRIVSEP(auth_password(ssh, password)) == 1){ ++ local_authenticated = 1; ++ } ++ ++ } ++ authenticated = ext_authenticated || local_authenticated; + +- if (change) +- logit("password change not supported"); +- else if (PRIVSEP(auth_password(ssh, password)) == 1) +- authenticated = 1; + freezero(password, len); +diff -ru1 openssh-9.3p2/auth2.c openssh-9.3p2-patch/auth2.c +--- openssh-9.3p2/auth2.c 2023-07-19 14:31:34.000000000 +0800 ++++ openssh-9.3p2-patch/auth2.c 2024-05-16 16:13:07.950136203 +0800 +@@ -60,2 +60,26 @@ + +/* ArrayOS external auth support */ +#include "auth_ext.h" +#if defined(__linux__) @@ -29,12 +300,8 @@ + + /* import */ - extern ServerOptions options; - extern struct sshbuf *loginmsg; -@@ -101,6 +125,32 @@ - #define MATCH_PARTIAL 3 /* method matches, submethod can't be checked */ - static int list_starts_with(const char *, const char *, const char *); - +@@ -103,2 +127,28 @@ + +#define USER_LOGIN_SHM_KEY 0xcaf02002 /* Need sync to usr/src/sys/click/app/proxy/proxy_shm.h */ +#define MAXUSERS_LOGIN 100 +#define MAX_USER_NAME_SIZE 256 @@ -62,53 +329,44 @@ +static int user_index; + char * - auth2_read_banner(void) - { -@@ -264,6 +314,7 @@ - char *user = NULL, *service = NULL, *method = NULL, *style = NULL; - int r, authenticated = 0; - double tstart = monotime_double(); +@@ -264,2 +314,3 @@ + double tstart = monotime_double(); + char array_user[MAX_USER_NAME_SIZE] = {'\0'}; - - if (authctxt == NULL) - fatal("input_userauth_request: no authctxt"); -@@ -275,23 +326,115 @@ - debug("userauth-request for user %s service %s method %s", user, service, method); - debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); - + +@@ -275,2 +326,8 @@ + + /* External auth */ + set_ext_user(user); + logit("set_ext_user"); + + login_info_shm_attach(); + - if ((style = strchr(user, ':')) != NULL) - *style++ = 0; - - if (authctxt->attempt++ == 0) { + if ((style = strchr(user, ':')) != NULL) +@@ -281,16 +338,102 @@ + if (authctxt->attempt++ == 0) { + local_auth_valid = 0; + ext_auth_valid = 0; + local_auth_pw = NULL; + ext_auth_pw = NULL; + do_exauth = 0; + - /* setup auth context */ + /* setup auth context */ - authctxt->pw = PRIVSEP(getpwnamallow(ssh, user)); + local_auth_pw = PRIVSEP(getpwnamallow(ssh, user)); - authctxt->user = xstrdup(user); + authctxt->user = xstrdup(user); - if (authctxt->pw && strcmp(service, "ssh-connection")==0) { + if (local_auth_pw && strcmp(service, "ssh-connection")==0) { - authctxt->valid = 1; - debug2_f("setting up authctxt for %s", user); + authctxt->valid = 1; + debug2_f("setting up authctxt for %s", user); + local_auth_valid = 1; + } -+ ++ + if (is_external_auth_on() && options.synconfig == 0) { + if (get_array_user(array_user) != 0) { + strcpy(array_user, EX_LOG_ON_MAPPED_USER); + } + ext_auth_pw = PRIVSEP(getpwnamallow(ssh, array_user)); -+ if (ext_auth_pw && strcmp(service, "ssh-connection")==0 && ++ if (ext_auth_pw && strcmp(service, "ssh-connection")==0 && + strcmp(ext_user, "root") != 0) { + ext_auth_valid = 1; + } @@ -169,7 +427,8 @@ + } + } + } - } else { + } else { + authctxt->valid = 0; - /* Invalid user, fake password information */ - authctxt->pw = fakepw(); + /* @@ -188,16 +447,12 @@ + PRIVSEP(audit_event(ssh, SSH_INVALID_USER)); #endif + } - } + } + #ifdef USE_PAM - if (options.use_pam) - PRIVSEP(start_pam(ssh)); -@@ -326,6 +469,30 @@ - auth2_authctxt_reset_info(authctxt); - authctxt->postponed = 0; - authctxt->server_caused_failure = 0; -+ +@@ -329,2 +472,26 @@ + authctxt->server_caused_failure = 0; ++ + if (user_login_p && user_login_p->passwd_forcemode) { + user_index = get_user_index(authctxt->user); + if ((user_index != -1) && check_user_locked(user_index)) { @@ -216,18 +471,14 @@ + + /* packet_disconnect will exit the process, so need free memory before it */ + ssh_packet_disconnect(ssh, "\nThe user \"%s\" has failed to log in more than %d consecutive times and has been locked.\n" -+ "Please retry after %d seconds or change to another user.\n", ++ "Please retry after %d seconds or change to another user.\n", + p->user[index].name, user_login_p->max_login_retry, (uint32_t)(p->user[index].next_login_time - tv.tv_sec)); + return 0; + } + } - - /* try to authenticate user */ - m = authmethod_lookup(authctxt, method); -@@ -345,6 +512,31 @@ - return r; - } - + +@@ -348,2 +515,27 @@ + +/* + * 0, no need to defend and update timer; + * 1, defended and reset timer; @@ -254,21 +505,13 @@ + + void - userauth_finish(struct ssh *ssh, int authenticated, const char *method, - const char *submethod) -@@ -377,6 +569,7 @@ - - /* Log before sending the reply */ - auth_log(ssh, authenticated, partial, method, submethod); +@@ -389,2 +581,3 @@ + auth_log(ssh, authenticated, partial, method, submethod); + defend_dos_attack(); - - /* Update information exposed to session */ - if (authenticated || partial) -@@ -415,14 +608,59 @@ - (r = sshpkt_send(ssh)) != 0 || - (r = ssh_packet_write_wait(ssh)) != 0) - fatal_fr(r, "send success packet"); -+ + +@@ -427,2 +620,16 @@ + fatal_fr(r, "send success packet"); ++ + /* Log logout information for ArrayOS */ + array_auth_log(ssh, authenticated, method, " passed"); + /*Bug 21899, chenhb, 20090409*/ @@ -282,21 +525,18 @@ + } + } + - /* now we can break out */ - authctxt->success = 1; - ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user); - } else { - /* Allow initial try of "none" auth without failure penalty */ - if (!partial && !authctxt->server_caused_failure && + /* now we can break out */ +@@ -433,4 +640,35 @@ + if (!partial && !authctxt->server_caused_failure && - (authctxt->attempt > 1 || strcmp(method, "none") != 0)) -+ (authctxt->attempt > 1 || strcmp(method, "none") != 0)) { - authctxt->failures++; -+ ++ (authctxt->attempt > 1 || strcmp(method, "none") != 0)) { + authctxt->failures++; ++ + if (user_login_p && user_login_p->passwd_forcemode) { + if (user_index == -1) { + user_index = user_login_info_add(authctxt->user); + } -+ ++ + if (user_index != -1) { + user_login_p->user[user_index].continuous_fail_count++; + if (user_login_p->user[user_index].continuous_fail_count >= user_login_p->max_login_retry) { @@ -307,9 +547,9 @@ + array_auth_log(ssh, authenticated, method, " failed"); + array_send_addr_info(ssh); + free(methods); -+ ++ + lock_user(ssh, user_index); -+ ++ + return; + } else { + char lock_buf[256]; @@ -319,55 +559,47 @@ + } + } + } -+ ++ + } + - if (authctxt->failures >= options.max_authtries) { - #ifdef SSH_AUDIT_EVENTS - PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES)); -@@ -438,6 +676,8 @@ - (r = sshpkt_send(ssh)) != 0 || - (r = ssh_packet_write_wait(ssh)) != 0) - fatal_fr(r, "send failure packet"); + if (authctxt->failures >= options.max_authtries) { +@@ -450,2 +688,4 @@ + fatal_fr(r, "send failure packet"); + array_auth_log(ssh, authenticated, method, " failed"); + array_send_addr_info(ssh); - free(methods); - } + free(methods); +@@ -843,2 +1083,161 @@ } -@@ -812,4 +1052,163 @@ - if ((r = sshbuf_put_u8(authctxt->session_info, '\n')) != 0) - fatal_fr(r, "append"); - } -+ ++ +static int +login_info_shm_attach(void) +{ + int shm_id; + void *p = NULL; -+ ++ + if (user_login_p) { + return 0; + } -+ ++ + shm_id = shmget(USER_LOGIN_SHM_KEY, sizeof(user_login_info_t), IPC_CREAT | 0666); + if (shm_id < 0) { + user_login_p = NULL; + return -1; + } -+ ++ + p = shmat(shm_id, NULL, 0); + if ((long)p == -1) { + return -1; + } -+ ++ + user_login_p = (user_login_info_t *) p; -+ ++ + atexit(login_info_shm_detach); -+ ++ + return 0; +} -+ -+ ++ ++ +static void +login_info_shm_detach(void) +{ @@ -379,27 +611,27 @@ + } + } +} -+ ++ +static int +user_login_info_add(char *name) +{ + int i; + user_login_info_t *p; -+ ++ + if (user_login_p == NULL) { + return -1; + } -+ ++ + p = user_login_p; + if (NULL == name || name[0] == '\0') { + return -1; + } -+ ++ + if (!strcmp(name, "test") || !strcmp(name, "root")) { + /* we don't check test and root user */ + return -1; + } -+ ++ + for (i = 0; i < MAXUSERS_LOGIN; i++) { + if (p->user[i].name[0] == '\0') { + strncpy(p->user[i].name, name, sizeof(p->user[i].name)); @@ -408,19 +640,19 @@ + } + return -1; +} -+ ++ +static int +get_user_index(char *name) +{ + int i; + user_login_info_t *p; -+ ++ + if (user_login_p == NULL) { + return -1; + } -+ ++ + p = user_login_p; -+ ++ + if (NULL == name || name[0] == '\0') { + return -1; + } @@ -428,505 +660,165 @@ + if (p->user[i].name[0] == '\0') { + continue; + } -+ ++ + if (!strcmp(p->user[i].name, name)) { + return i; + } + } -+ ++ + return -1; +} -+ ++ +static int +check_user_locked(int index) +{ + struct timeval tv; + user_login_info_t *p; -+ ++ + if (index == -1) { + return 0; + } -+ ++ + if (user_login_p == NULL) { + return 0; + } + p = user_login_p; -+ ++ + bzero(&tv, sizeof(tv)); + gettimeofday(&tv, NULL); -+ ++ + if (p->user[index].locked && p->user[index].next_login_time > tv.tv_sec) { + return 1; + } -+ ++ + if (p->user[index].locked) { + /* unlock the user, clear the item */ + bzero(&p->user[index], sizeof(p->user[index])); + } -+ ++ + p->user[index].locked = 0; -+ ++ + return 0; +} -+ ++ +static int +lock_user(struct ssh *ssh, int index) +{ + struct timeval tv; + user_login_info_t *p; -+ ++ + if (index == -1) { + return -1; + } -+ ++ + if (user_login_p == NULL) { + return -1; + } + p = user_login_p; -+ ++ + bzero(&tv, sizeof(tv)); + gettimeofday(&tv, NULL); -+ ++ + p->user[index].next_login_time = tv.tv_sec + user_login_p->lock_user_time; /* lock the user login 300 seconds */ + p->user[index].locked = 1; -+ ++ + ssh_packet_disconnect(ssh, "\nThe user \"%s\" has failed to log in more than %d consecutive times and has been locked.\n" + "Please retry after %d seconds or change to another user.\n", + p->user[index].name, user_login_p->max_login_retry, (uint32_t)(p->user[index].next_login_time - tv.tv_sec)); -+ -+ return 0; -+} -+ - ---- openssh-8.8p1_original/auth2-passwd.c 2021-09-26 22:03:19.000000000 +0800 -+++ openssh-8.8p1_a/auth2-passwd.c 2022-07-11 18:08:15.172084645 +0800 -@@ -44,6 +44,32 @@ - #include "monitor_wrap.h" - #include "misc.h" - #include "servconf.h" -+#include -+ -+/* -+ * authenticate with external server -+ */ -+#include "auth_ext.h" -+#if defined(__linux__) -+#include "auth_ext_cli.h" -+#include "auth_ext_ipc.h" -+#else -+#include "../../ui/exauth/auth_ext_cli.h" -+#include "../../ui/exauth/auth_ext_ipc.h" -+#endif -+ -+extern char ext_user[32]; -+extern int do_exauth; -+extern char ext_ssh_client_IP[32]; -+ -+struct passwd *local_auth_pw = NULL; -+struct passwd *ext_auth_pw = NULL; -+int local_auth_valid = 0; -+int ext_auth_valid = 0; -+int ext_authorize_level = 0; /* 0: enable, 1: config */ -+int ext_authenticated = 0; -+ -+ - - /* import */ - extern ServerOptions options; -@@ -53,19 +79,76 @@ - { - char *password; - int authenticated = 0, r; -+ int local_authenticated = 0; - u_char change; - size_t len; -+ char method_str[80]; -+ Authctxt *authctxt = ssh->authctxt; -+ -+ ext_authenticated = 0; - - if ((r = sshpkt_get_u8(ssh, &change)) != 0 || - (r = sshpkt_get_cstring(ssh, &password, &len)) != 0 || - (change && (r = sshpkt_get_cstring(ssh, NULL, NULL)) != 0) || - (r = sshpkt_get_end(ssh)) != 0) - fatal_fr(r, "parse packet"); -+ -+ /*really do external authentication*/ -+ if (do_exauth) { -+ int ret_value = EXT_AUTH_FAILED; -+ /* -+ * the pw is a mapped user,EX_LOG_ON_MAPPED_USER -+ */ -+ -+ /*get exauth conf from the shared mem*/ -+ memset(method_str, 0, 80); -+ get_aaa_method(method_str); -+ -+ ret_value = external_auth(ext_user, password); -+ if(ret_value == EXT_AUTH_PASS_CONFIG ) { -+ ext_authenticated = 1; -+ ext_authorize_level = 1; -+ } else if (ret_value == EXT_AUTH_PASS_ENABLE) { -+ ext_authenticated = 1; -+ ext_authorize_level = 0; -+ } -+ -+ if(!ext_authenticated){ -+ /*exauth failed*/ -+ if(exauth_priority() == EXAUTH_PRIORITY_HIGH){ -+ /*exauth High priority, check local database*/ -+ if(local_auth_valid){ -+ authctxt->pw = local_auth_pw; -+ } else { -+ /*user not found in local database*/ -+ authctxt->pw = fakepw(); -+ authctxt->valid = 0; -+ } -+ if (change){ -+ logit("password change not supported"); -+ } -+ else if (PRIVSEP(auth_password(ssh, password)) == 1){ -+ local_authenticated = 1; -+ } -+ if(!local_authenticated){ -+ /*local also failed, switch back to external*/ -+ authctxt->pw = ext_auth_pw; -+ authctxt->valid = 1; -+ } -+ } -+ } -+ } else { -+ /*not do exauth, just check local database*/ -+ if (change){ -+ logit("password change not supported"); -+ } -+ else if (PRIVSEP(auth_password(ssh, password)) == 1){ -+ local_authenticated = 1; -+ } -+ -+ } -+ authenticated = ext_authenticated || local_authenticated; - -- if (change) -- logit("password change not supported"); -- else if (PRIVSEP(auth_password(ssh, password)) == 1) -- authenticated = 1; - freezero(password, len); - return authenticated; - } ---- openssh-8.8p1_original/auth.c 2021-09-26 22:03:19.000000000 +0800 -+++ openssh-8.8p1_a/auth.c 2022-07-11 18:08:15.173084645 +0800 -@@ -77,6 +77,37 @@ - #include "compat.h" - #include "channels.h" - -+#include -+#include -+#include -+#include -+#if defined(__linux__) -+#define __printflike(x, y) -+#endif -+#include "click/app/fastlog/fastlog.h" -+#include "click/app/fastlog/logex_def.h" -+ -+#define SSHD_LOGIN_MSGQ_PATH "/var/crash/sshd_login_msgq" -+#define SSHD_LOGIN_MSGQ_LEN 100 -+#if defined(__linux__) -+#define SSHD_MSGQ_MODE (O_RDWR) -+#else -+#define SSHD_MSGQ_MODE (IPC_R | IPC_W | IPC_R>>3 |IPC_W>>3 | IPC_R>>6 | IPC_W>>6) -+#endif + -+typedef struct login_msgbuf { -+ long mtype; -+ char mtext [SSHD_LOGIN_MSGQ_LEN]; -+} login_msgbuf; -+ -+typedef struct login_msgbuf_templet{ -+ long type; -+ unsigned long addr; -+ unsigned int port; -+} login_msgbuf_templet; -+ -+ -+ - /* import */ - extern ServerOptions options; - extern struct include_list includes; -@@ -1039,3 +1070,90 @@ - - return 0; - } -+ -+void -+array_auth_log(struct ssh *ssh, int authenticated, char *method, char *info) -+{ -+ Authctxt *authctxt = ssh->authctxt; -+ /* info is ssh2 */ -+ if (!strncmp(method,"none",4)) { -+ return; -+ } -+ -+ fastlog_logex(AUTH_SSH_LOGIN, 6, -+ authctxt->user, -+ ssh_remote_ipaddr(ssh), -+ ssh_remote_port(ssh), -+ ssh_local_ipaddr(ssh), -+ ssh_local_port(ssh), -+ info); -+} -+ -+void -+push_addr_msg(int pid, unsigned int addr, int port) -+{ -+ int msg_id; -+ key_t msg_key; -+ login_msgbuf envelope; -+ login_msgbuf_templet *letter; -+ if ((msg_key = ftok(SSHD_LOGIN_MSGQ_PATH, 0x02)) == -1) { -+ fastlog_logex(SSHD_LOGIN_MSG_FTOK, 0); -+ } -+ -+bingo: -+ if ((msg_id = msgget(msg_key, IPC_CREAT|SSHD_MSGQ_MODE)) == -1) { -+ if (errno == EINTR) { -+ goto bingo; -+ } else { -+ fastlog_logex(SSHD_LOGIN_MSG_GET, 0); -+ } -+ } -+ letter = (login_msgbuf_templet *)&envelope; -+ letter->type = (long)getpid(); -+ letter->addr = (unsigned long)addr; -+ letter->port = port; -+ -+again: -+ if (msgsnd(msg_id, (void *)&envelope, SSHD_LOGIN_MSGQ_LEN, IPC_NOWAIT) == -1) { -+ if (errno == EINTR) { -+ goto again; -+ } else if (errno == EAGAIN) { -+ msgctl(msg_id, IPC_RMID, NULL); -+ goto bingo; -+ } else { -+ fastlog_logex(SSHD_LOGIN_MSG_SEND, 0); -+ } -+ } -+} -+ -+void -+array_send_addr_info(struct ssh *ssh) -+{ -+ struct in_addr inp; -+ inet_aton(ssh_remote_ipaddr(ssh), &inp); -+ push_addr_msg(getpid(), inp.s_addr, ssh_remote_port(ssh)); -+ return; -+} -+ -+#define CA_SHELL "/ca/bin/ca_shell" -+int -+get_array_user(char *username) -+{ -+ struct passwd *passwd; -+ -+ endpwent(); -+ passwd = getpwent(); -+ -+ while (passwd) { -+ if (strcmp(passwd->pw_shell, CA_SHELL) == 0) { -+ strcpy(username, passwd->pw_name); -+ endpwent(); /* rewind */ -+ return 0; -+ } -+ passwd = getpwent(); -+ } -+ endpwent(); -+ -+ return -1; ++ return 0; +} + ---- openssh-8.8p1_original/configure 2021-09-26 22:07:20.000000000 +0800 -+++ openssh-8.8p1_a/configure 2022-07-11 18:08:15.176084645 +0800 -@@ -839,7 +839,7 @@ - libexecdir='${exec_prefix}/libexec' - datarootdir='${prefix}/share' + +diff -ru1 openssh-9.3p2/configure openssh-9.3p2-patch/configure +--- openssh-9.3p2/configure 2023-07-19 14:32:53.000000000 +0800 ++++ openssh-9.3p2-patch/configure 2024-05-16 16:13:07.950136203 +0800 +@@ -869,3 +869,3 @@ datadir='${datarootdir}' -sysconfdir='${prefix}/etc' +sysconfdir='${prefix}/conf' sharedstatedir='${prefix}/com' - localstatedir='${prefix}/var' - runstatedir='${localstatedir}/run' ---- openssh-8.8p1_original/Makefile.in 2021-09-26 22:03:19.000000000 +0800 -+++ openssh-8.8p1_a/Makefile.in 2022-07-11 18:08:15.176084645 +0800 -@@ -67,7 +67,7 @@ - - .SUFFIXES: .lo - --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) synconfigd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) - - XMSS_OBJS=\ - ssh-xmss.o \ -@@ -157,8 +157,11 @@ - MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5 - MANTYPE = @MANTYPE@ - --CONFIGFILES=sshd_config.out ssh_config.out moduli.out --CONFIGFILES_IN=sshd_config ssh_config moduli -+#CONFIGFILES=sshd_config.out ssh_config.out moduli.out -+#CONFIGFILES_IN=sshd_config ssh_config moduli -+ -+INST_BIN=${TARGETS} -+INST_CONF=ssh_config sshd_config moduli - - PATHSUBS = \ - -e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \ -@@ -183,7 +186,8 @@ - FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \ - @UNSUPPORTED_ALGORITHMS@ - --all: configure-check $(CONFIGFILES) $(MANPAGES) $(TARGETS) -+#all: configure-check $(CONFIGFILES) $(MANPAGES) $(TARGETS) -+all: configure-check $(CONFIGFILES) $(TARGETS) - - $(LIBSSH_OBJS): Makefile.in config.h - $(SSHOBJS): Makefile.in config.h -@@ -210,7 +214,10 @@ - $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) - - sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) -- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) -+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lldap -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) -L ../../objdir/ -L../../../lib/libexauth -lexauth -L../../../lib/libuinet-atcp/lib/libuinet -luinet_lite -L../../../lib/libuinet-atcp/lib/libuinet_sysctl -luinet_sysctl -L../../../lib/libuinet-atcp/lib/libuinetnv -luinetnv -lrt -lcrypto -L../../../lib/libfastlog -lfastlog -+ -+synconfigd$(EXEEXT): sshd$(EXEEXT) -+ /bin/cp sshd$(EXEEXT) $@ - - scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS) - $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ---- openssh-8.8p1_original/readconf.c 2021-09-26 22:03:19.000000000 +0800 -+++ openssh-8.8p1_a/readconf.c 2022-07-11 18:08:15.177084645 +0800 -@@ -166,6 +166,7 @@ - oHashKnownHosts, - oTunnel, oTunnelDevice, + +diff -ru1 openssh-9.3p2/readconf.c openssh-9.3p2-patch/readconf.c +--- openssh-9.3p2/readconf.c 2023-07-19 14:31:34.000000000 +0800 ++++ openssh-9.3p2-patch/readconf.c 2024-05-16 17:48:55.353633727 +0800 +@@ -167,2 +167,3 @@ oLocalCommand, oPermitLocalCommand, oRemoteCommand, + oPassword, oSync, oVisualHostKey, - oKexAlgorithms, oIPQoS, oRequestTTY, oSessionType, oStdinNull, - oForkAfterAuthentication, oIgnoreUnknown, oProxyUseFdpass, -@@ -294,6 +295,8 @@ - { "localcommand", oLocalCommand }, - { "permitlocalcommand", oPermitLocalCommand }, +@@ -296,2 +297,4 @@ { "remotecommand", oRemoteCommand }, + { "password", oPassword }, + { "sync", oSync }, { "visualhostkey", oVisualHostKey }, - { "kexalgorithms", oKexAlgorithms }, - { "ipqos", oIPQoS }, -@@ -1844,6 +1847,11 @@ - case oRemoteCommand: - charptr = &options->remote_command; +@@ -1846,2 +1849,7 @@ goto parse_command; + + case oPassword: + case oSync: + charptr=&options->xpassword; + goto parse_string; - - case oVisualHostKey: - intptr = &options->visual_host_key; -@@ -2429,6 +2437,8 @@ - options->hostbased_accepted_algos = NULL; - options->pubkey_accepted_algos = NULL; - options->known_hosts_command = NULL; + +@@ -2440,2 +2448,4 @@ + options->enable_escape_commandline = -1; + options->xpassword = NULL; + options->knownhost = 0; } - - /* ---- openssh-8.8p1_original/readconf.h 2021-09-26 22:03:19.000000000 +0800 -+++ openssh-8.8p1_a/readconf.h 2022-07-11 18:08:15.177084645 +0800 -@@ -177,6 +177,8 @@ - char *known_hosts_command; - +diff -ru1 openssh-9.3p2/readconf.h openssh-9.3p2-patch/readconf.h +--- openssh-9.3p2/readconf.h 2023-07-19 14:31:34.000000000 +0800 ++++ openssh-9.3p2-patch/readconf.h 2024-05-16 16:13:07.950136203 +0800 +@@ -183,2 +183,4 @@ char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ + char *xpassword; + int knownhost; } Options; - - #define SSH_CANONICALISE_NO 0 ---- openssh-8.8p1_original/servconf.c 2021-09-26 22:03:19.000000000 +0800 -+++ openssh-8.8p1_a/servconf.c 2022-07-21 18:09:55.041444349 +0800 -@@ -195,6 +195,7 @@ - options->fingerprint_hash = -1; - options->disable_forwarding = -1; - options->expose_userauth_info = -1; +diff -ru1 openssh-9.3p2/servconf.c openssh-9.3p2-patch/servconf.c +--- openssh-9.3p2/servconf.c 2023-07-19 14:31:34.000000000 +0800 ++++ openssh-9.3p2-patch/servconf.c 2024-05-16 16:13:07.950136203 +0800 +@@ -200,2 +200,3 @@ + options->unused_connection_timeout = -1; + options->synconfig = 0; } - - /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ -@@ -446,7 +447,7 @@ - - /* Turn privilege separation and sandboxing on by default */ +@@ -455,3 +456,3 @@ if (use_privsep == -1) - use_privsep = PRIVSEP_ON; + use_privsep = PRIVSEP_OFF; - - #define CLEAR_ON_NONE(v) \ - do { \ -@@ -491,7 +492,7 @@ - sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, - sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, + +@@ -507,3 +508,3 @@ sKerberosGetAFSToken, sPasswordAuthentication, - sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, + sKbdInteractiveAuthentication, sListenAddress, sListenSyncAddress, sListenSdnsAddress, sAddressFamily, sPrintMotd, sPrintLastLog, sIgnoreRhosts, - sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, - sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, -@@ -598,6 +599,8 @@ - { "skeyauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */ - { "checkmail", sDeprecated, SSHCFG_GLOBAL }, +@@ -615,2 +616,4 @@ { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, + { "listensyncaddress", sListenSyncAddress, SSHCFG_GLOBAL }, + { "listensdnsaddress", sListenSdnsAddress, SSHCFG_GLOBAL }, { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, - { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, - #ifdef DISABLE_LASTLOG -@@ -1369,6 +1372,8 @@ - break; - +@@ -1440,2 +1443,4 @@ case sListenAddress: + case sListenSdnsAddress: + case sListenSyncAddress: arg = argv_next(&ac, &av); - if (arg == NULL || *arg == '\0') - fatal("%s line %d: missing address", ---- openssh-8.8p1_original/servconf.h 2021-09-26 22:03:19.000000000 +0800 -+++ openssh-8.8p1_a/servconf.h 2022-07-11 18:08:15.178084645 +0800 -@@ -229,6 +229,7 @@ - int expose_userauth_info; - u_int64_t timing_secret; - char *sk_provider; +diff -ru1 openssh-9.3p2/servconf.h openssh-9.3p2-patch/servconf.h +--- openssh-9.3p2/servconf.h 2023-07-19 14:31:34.000000000 +0800 ++++ openssh-9.3p2-patch/servconf.h 2024-05-16 16:13:07.950136203 +0800 +@@ -237,2 +237,3 @@ + int unused_connection_timeout; + int synconfig; } ServerOptions; - - /* Information about the incoming connection as used by Match */ ---- openssh-8.8p1_original/serverloop.c 2021-09-26 22:03:19.000000000 +0800 -+++ openssh-8.8p1_a/serverloop.c 2022-07-11 18:08:15.178084645 +0800 -@@ -786,7 +786,7 @@ - if (port > INT_MAX || - (options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 || +diff -ru1 openssh-9.3p2/serverloop.c openssh-9.3p2-patch/serverloop.c +--- openssh-9.3p2/serverloop.c 2023-07-19 14:31:34.000000000 +0800 ++++ openssh-9.3p2-patch/serverloop.c 2024-05-16 16:13:07.950136203 +0800 +@@ -793,3 +793,3 @@ !auth_opts->permit_port_forwarding_flag || - options.disable_forwarding || + options.disable_forwarding || !use_privsep || (!want_reply && fwd.listen_port == 0) || - (fwd.listen_port != 0 && - !bind_permitted(fwd.listen_port, pw->pw_uid))) { ---- openssh-8.8p1_original/session.c 2021-09-26 22:03:19.000000000 +0800 -+++ openssh-8.8p1_a/session.c 2022-07-21 18:14:42.812428817 +0800 -@@ -105,6 +105,12 @@ - #include - #endif - +diff -ru1 openssh-9.3p2/session.c openssh-9.3p2-patch/session.c +--- openssh-9.3p2/session.c 2023-07-19 14:31:34.000000000 +0800 ++++ openssh-9.3p2-patch/session.c 2024-05-16 16:13:07.950136203 +0800 +@@ -105,2 +105,8 @@ + +#if defined(__linux__) +#include +#endif @@ -934,12 +826,8 @@ + + #define IS_INTERNAL_SFTP(c) \ - (!strncmp(c, INTERNAL_SFTP_NAME, sizeof(INTERNAL_SFTP_NAME) - 1) && \ - (c[sizeof(INTERNAL_SFTP_NAME) - 1] == '\0' || \ -@@ -168,6 +174,34 @@ - static char *auth_sock_name = NULL; - static char *auth_sock_dir = NULL; - +@@ -168,2 +174,30 @@ + +extern int ext_authorize_level; +extern int ext_authenticated; +#define SYNC_CMD "/ca/sync/sync" @@ -969,11 +857,7 @@ +} + /* removes the agent forwarding socket */ - - static void -@@ -705,6 +739,12 @@ - ssh_remote_ipaddr(ssh), - ssh_remote_port(ssh), +@@ -705,2 +739,8 @@ s->self); + +#ifndef DEBUG @@ -981,12 +865,8 @@ + fatal("Login failed."); +#endif + - - #ifdef SSH_AUDIT_EVENTS - if (command != NULL) -@@ -1023,7 +1063,16 @@ - child_set_env(&env, &envsize, s->env[i].name, s->env[i].val); - + +@@ -1023,3 +1063,12 @@ child_set_env(&env, &envsize, "USER", pw->pw_name); - child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); + child_set_env(&env, &envsize, "LOGNAME", s->authctxt->user); @@ -1000,11 +880,7 @@ + } + #ifdef _AIX - child_set_env(&env, &envsize, "LOGIN", pw->pw_name); - #endif -@@ -1570,6 +1619,11 @@ - */ - shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; +@@ -1571,2 +1620,7 @@ + /* XXX sync use /bin/sh, discard /etc/passwd */ + if (strcmp(pw->pw_name, "ansync") == 0) { @@ -1012,42 +888,27 @@ + } + /* - * Make sure $SHELL points to the shell from the password file, - * even if shell is overridden from login.conf ---- openssh-8.8p1_original/ssh.c 2021-09-26 22:03:19.000000000 +0800 -+++ openssh-8.8p1_a/ssh.c 2022-07-11 18:08:15.179084645 +0800 -@@ -173,6 +173,9 @@ - extern int muxserver_sock; - extern u_int muxclient_command; - +diff -ru1 openssh-9.3p2/ssh.c openssh-9.3p2-patch/ssh.c +--- openssh-9.3p2/ssh.c 2023-07-19 14:31:34.000000000 +0800 ++++ openssh-9.3p2-patch/ssh.c 2024-05-16 16:13:07.950136203 +0800 +@@ -175,2 +175,5 @@ + +extern int CA_ssh_login(struct ssh *ssh, Sensitive *, const char *, struct sockaddr *, u_short, struct passwd *, char *, const struct ssh_conn_info *); + + /* Prints a help message to the user. This function never returns. */ - - static void -@@ -696,7 +699,7 @@ - - again: +@@ -710,3 +713,3 @@ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" -- "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { -+ "AB:CD:E:F:GHI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { +- "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { /* HUZdhjruz */ ++ "AB:CD:E:F:GHI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { /* HUZdhjruz */ switch (opt) { - case '1': - fatal("SSH protocol v.1 is no longer supported"); -@@ -824,6 +827,9 @@ - options.gss_authentication = 1; - options.gss_deleg_creds = 1; +@@ -839,2 +842,5 @@ break; + case 'H': + options.knownhost = 1; + break; case 'i': - p = tilde_expand_filename(optarg, getuid()); - if (stat(p, &st) == -1) -@@ -1649,8 +1655,13 @@ - ssh_signal(SIGCHLD, main_sigchld_handler); - +@@ -1681,4 +1687,9 @@ /* Log into the remote system. Never returns if the login fails. */ - ssh_login(ssh, &sensitive_data, host, (struct sockaddr *)&hostaddr, - options.port, pw, timeout_ms, cinfo); @@ -1058,22 +919,84 @@ + CA_ssh_login(ssh, &sensitive_data, host, (struct sockaddr *)&hostaddr, options.port, pw, options.xpassword, cinfo); + } + + +diff -ru1 openssh-9.3p2/sshconnect.c openssh-9.3p2-patch/sshconnect.c +--- openssh-9.3p2/sshconnect.c 2023-07-19 14:31:34.000000000 +0800 ++++ openssh-9.3p2-patch/sshconnect.c 2024-05-16 16:13:07.950136203 +0800 +@@ -71,2 +71,4 @@ + ++#include "cipher.h" ++ + struct sshkey *previous_host_key = NULL; +@@ -1092,2 +1094,4 @@ + type, ip); ++ else if (options.knownhost == 1) ++ ; /* don't add host to file when called by arrayos cli */ + else if (!add_host_to_hostfile(user_hostfiles[0], ip, +@@ -1193,3 +1197,5 @@ + */ +- if (options.check_host_ip && ip_status == HOST_NEW) { ++ if (options.knownhost == 1) ++ ; /* don't add host to file when called by arrayos cli */ ++ else if (options.check_host_ip && ip_status == HOST_NEW) { + snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); +@@ -1214,3 +1220,5 @@ + +- if (!r) ++ if (options.knownhost == 1) ++ ; /* log nothing when called by arrayos cli */ ++ else if (!r) + logit("Failed to add the host to the list of known " +@@ -1578,3 +1586,3 @@ + ssh_kex2(ssh, host, hostaddr, port, cinfo); +- ssh_userauth2(ssh, local_user, server_user, host, sensitive); ++ ssh_userauth2(ssh, local_user, server_user, host, sensitive, NULL); + free(local_user); +@@ -1582,2 +1590,28 @@ + } ++ ++extern int supported_authentications; ++int ++CA_ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost, struct sockaddr *hostaddr, ++ u_short port, struct passwd *pw, char *password, const struct ssh_conn_info *cinfo) ++{ ++ int type; ++ char *server_user, *local_user, *cp, *host; ++ ++ local_user = xstrdup(pw->pw_name); ++ server_user = options.user ? options.user : local_user; ++ host = xstrdup(orighost); ++ ++ for (cp = host; *cp; cp++) { ++ if (isupper(*cp)) { ++ *cp = tolower(*cp); ++ } ++ } ++ ++ kex_exchange_identification(ssh, 0, NULL); ++ ssh_packet_set_nonblocking(ssh); ++ ++ ssh_kex2(ssh, host, hostaddr, port, cinfo); ++ ssh_userauth2(ssh, local_user, server_user, host, sensitive, password); ++ return 0; ++} + +diff -ru1 openssh-9.3p2/sshconnect.h openssh-9.3p2-patch/sshconnect.h +--- openssh-9.3p2/sshconnect.h 2023-07-19 14:31:34.000000000 +0800 ++++ openssh-9.3p2-patch/sshconnect.h 2024-05-16 16:13:07.950136203 +0800 +@@ -84,3 +84,3 @@ + void ssh_userauth2(struct ssh *ssh, const char *, const char *, +- char *, Sensitive *); ++ char *, Sensitive *, char *); - /* We no longer need the private host keys. Clear them now. */ - if (sensitive_data.nkeys != 0) { ---- openssh-8.8p1_original/sshconnect2.c 2021-09-26 22:03:19.000000000 +0800 -+++ openssh-8.8p1_a/sshconnect2.c 2022-07-11 18:15:24.353061480 +0800 -@@ -352,6 +352,7 @@ - int attempt_passwd; - /* generic */ +diff -ru1 openssh-9.3p2/sshconnect2.c openssh-9.3p2-patch/sshconnect2.c +--- openssh-9.3p2/sshconnect2.c 2023-07-19 14:31:34.000000000 +0800 ++++ openssh-9.3p2-patch/sshconnect2.c 2024-05-16 16:13:07.950136203 +0800 +@@ -349,2 +349,3 @@ void *methoddata; + char *password; }; - - struct cauthmethod { -@@ -400,6 +401,16 @@ - static char *authmethods_get(void); - +@@ -397,2 +398,12 @@ Authmethod authmethods[] = { + {"publickey", + userauth_pubkey, @@ -1086,11 +1009,7 @@ + &options.password_authentication, + &options.batch_mode}, #ifdef GSSAPI - {"gssapi-with-mic", - userauth_gssapi, -@@ -412,21 +423,11 @@ - NULL, - &options.hostbased_authentication, +@@ -409,7 +420,2 @@ NULL}, - {"publickey", - userauth_pubkey, @@ -1098,9 +1017,7 @@ - &options.pubkey_authentication, - NULL}, {"keyboard-interactive", - userauth_kbdint, - NULL, - &options.kbd_interactive_authentication, +@@ -419,7 +425,2 @@ &options.batch_mode}, - {"password", - userauth_passwd, @@ -1108,39 +1025,23 @@ - &options.password_authentication, - &options.batch_mode}, {"none", - userauth_none, - NULL, -@@ -437,7 +438,7 @@ - - void +@@ -434,3 +435,3 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, - const char *server_user, char *host, Sensitive *sensitive) + const char *server_user, char *host, Sensitive *sensitive, char *pass) { - Authctxt authctxt; - int r; -@@ -465,6 +466,8 @@ - authctxt.mech_tried = 0; - #endif +@@ -462,2 +463,4 @@ authctxt.agent_fd = -1; + authctxt.password = pass ? pass : NULL; + - pubkey_prepare(&authctxt); - if (authctxt.method == NULL) { - fatal_f("internal error: cannot send userauth none request"); -@@ -555,8 +558,7 @@ - for (;;) { - Authmethod *method = authmethod_get(authlist); + pubkey_prepare(ssh, &authctxt); +@@ -550,4 +553,3 @@ if (method == NULL) - fatal("%s@%s: Permission denied (%s).", - authctxt->server_user, authctxt->host, authlist); + fatal("Permission denied."); authctxt->method = method; - - /* reset the per method handler */ -@@ -1069,9 +1071,14 @@ - - if (authctxt->attempt_passwd != 1) +@@ -1055,5 +1057,10 @@ error("Permission denied, please try again."); + + if (!authctxt->password) { @@ -1153,116 +1054,17 @@ - xasprintf(&prompt, "%s@%s's password: ", authctxt->server_user, host); - password = read_passphrase(prompt, 0); if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 || - (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 || - (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 || -@@ -1082,7 +1089,8 @@ - (r = sshpkt_send(ssh)) != 0) - fatal_fr(r, "send packet"); - +@@ -1068,3 +1075,4 @@ + - free(prompt); + if(prompt) + free(prompt); if (password != NULL) - freezero(password, strlen(password)); - ---- openssh-8.8p1_original/sshconnect.c 2021-09-26 22:03:19.000000000 +0800 -+++ openssh-8.8p1_a/sshconnect.c 2022-07-11 18:08:15.180084645 +0800 -@@ -70,6 +70,8 @@ - #include "authfd.h" - #include "kex.h" - -+#include "cipher.h" -+ - struct sshkey *previous_host_key = NULL; - - static int matching_host_key_dns = 0; -@@ -1080,6 +1082,8 @@ - logit("%s host key for IP address " - "'%.128s' not in list of known hosts.", - type, ip); -+ else if (options.knownhost == 1) -+ ; /* don't add host to file when called by arrayos cli */ - else if (!add_host_to_hostfile(user_hostfiles[0], ip, - host_key, options.hash_known_hosts)) - logit("Failed to add the %s host key for IP " -@@ -1181,7 +1185,9 @@ - * If in "new" or "off" strict mode, add the key automatically - * to the local known_hosts file. - */ -- if (options.check_host_ip && ip_status == HOST_NEW) { -+ if (options.knownhost == 1) -+ ; /* don't add host to file when called by arrayos cli */ -+ else if (options.check_host_ip && ip_status == HOST_NEW) { - snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); - hostp = hostline; - if (options.hash_known_hosts) { -@@ -1202,7 +1208,9 @@ - hostp = host; - } - -- if (!r) -+ if (options.knownhost == 1) -+ ; /* log nothing when called by arrayos cli */ -+ else if (!r) - logit("Failed to add the host to the list of known " - "hosts (%.500s).", user_hostfiles[0]); - else -@@ -1563,11 +1571,37 @@ - /* authenticate user */ - debug("Authenticating to %s:%d as '%s'", host, port, server_user); - ssh_kex2(ssh, host, hostaddr, port, cinfo); -- ssh_userauth2(ssh, local_user, server_user, host, sensitive); -+ ssh_userauth2(ssh, local_user, server_user, host, sensitive, NULL); - free(local_user); - free(host); - } - -+extern int supported_authentications; -+int -+CA_ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost, struct sockaddr *hostaddr, -+ u_short port, struct passwd *pw, char *password, const struct ssh_conn_info *cinfo) -+{ -+ int type; -+ char *server_user, *local_user, *cp, *host; -+ -+ local_user = xstrdup(pw->pw_name); -+ server_user = options.user ? options.user : local_user; -+ host = xstrdup(orighost); -+ -+ for (cp = host; *cp; cp++) { -+ if (isupper(*cp)) { -+ *cp = tolower(*cp); -+ } -+ } -+ -+ kex_exchange_identification(ssh, 0, NULL); -+ ssh_packet_set_nonblocking(ssh); -+ -+ ssh_kex2(ssh, host, hostaddr, port, cinfo); -+ ssh_userauth2(ssh, local_user, server_user, host, sensitive, password); -+ return 0; -+} -+ - /* print all known host keys for a given host, but skip keys of given type */ - static int - show_other_keys(struct hostkeys *hostkeys, struct sshkey *key) ---- openssh-8.8p1_original/sshconnect.h 2021-09-26 22:03:19.000000000 +0800 -+++ openssh-8.8p1_a/sshconnect.h 2022-07-11 18:08:15.180084645 +0800 -@@ -82,7 +82,7 @@ - const struct ssh_conn_info *); - - void ssh_userauth2(struct ssh *ssh, const char *, const char *, -- char *, Sensitive *); -+ char *, Sensitive *, char *); - - int ssh_local_cmd(const char *); - ---- openssh-8.8p1_original/sshd.c 2021-09-26 22:03:19.000000000 +0800 -+++ openssh-8.8p1_a/sshd.c 2022-07-21 18:11:14.446440063 +0800 -@@ -126,12 +126,42 @@ - #include "srclimit.h" - #include "dh.h" - +diff -ru1 openssh-9.3p2/sshd.c openssh-9.3p2-patch/sshd.c +--- openssh-9.3p2/sshd.c 2023-07-19 14:31:34.000000000 +0800 ++++ openssh-9.3p2-patch/sshd.c 2024-05-16 16:13:07.950136203 +0800 +@@ -130,2 +130,17 @@ + +#include +#include +#if defined(__linux__) @@ -1279,11 +1081,8 @@ +#include + /* Re-exec fds */ - #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) - #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) - #define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3) - #define REEXEC_MIN_FREE_FD (STDERR_FILENO + 4) - +@@ -136,2 +151,17 @@ + +#define SSHD_LOGIN_MSGQ_PATH "/var/crash/sshd_login_msgq" +#define SSHD_LOGIN_MSGQ_LEN 100 +#define SSHD_MSGQ_MODE (IPC_R | IPC_W | IPC_R>>3 |IPC_W>>3 | IPC_R>>6 | IPC_W>>6) @@ -1300,12 +1099,8 @@ +} login_msgbuf_templet; + extern char *__progname; - - /* Server configuration options. */ -@@ -202,6 +232,29 @@ - int have_ssh2_key; - } sensitive_data; - +@@ -206,2 +236,25 @@ + +/*ssh src control rule*/ +typedef struct _sshd_src_rule{ + int is_ipv6; @@ -1330,12 +1125,8 @@ + + /* This is set to true when a signal is received. */ - static volatile sig_atomic_t received_sighup = 0; - static volatile sig_atomic_t received_sigterm = 0; -@@ -262,6 +315,48 @@ - - static char *listener_proctitle; - +@@ -266,2 +319,44 @@ + +/* remove the login info from msgq */ +void +sshd_logout_info_detatch(struct ssh *ssh, Authctxt *authctxt) @@ -1379,12 +1170,8 @@ +} + /* - * Close all listening sockets - */ -@@ -1125,6 +1220,125 @@ - fatal("Cannot bind any address."); - } - +@@ -1110,2 +1205,121 @@ + +int +get_sshd_src_conf() +{ @@ -1505,12 +1292,8 @@ + + /* - * The main TCP accept loop. Note that, for the non-debug case, returns - * from this function are in a forked subprocess. -@@ -1143,6 +1357,15 @@ - u_char rnd[256]; - sigset_t nsigset, osigset; - +@@ -1128,2 +1342,11 @@ + + /*get the ssh source config*/ + ret = get_sshd_src_conf(); + if (ret < 0) { @@ -1520,12 +1303,8 @@ + } + + - /* setup fd set for accept */ - fdset = NULL; - maxfd = 0; -@@ -1263,6 +1486,15 @@ - usleep(100 * 1000); - continue; + /* pipes connected to unauthenticated child sshd processes */ +@@ -1256,2 +1479,11 @@ } + + if (options.synconfig == 0 && !is_permit_source((struct sockaddr *)&from)) { @@ -1536,13 +1315,9 @@ + continue; + } + - if (unset_nonblock(*newsock) == -1 || - pipe(startup_p) == -1) - continue; -@@ -1511,6 +1743,134 @@ - sshbuf_free(buf); - } - + if (unset_nonblock(*newsock) == -1) { +@@ -1510,2 +1742,130 @@ + +#define SUPPORTIP "/ca/etc/supportip" +#define SP_SHELL "/ca/bin/sp_shell" +#define CA_SHELL "/ca/bin/ca_shell" @@ -1672,31 +1447,14 @@ + + static char * - prepare_proctitle(int ac, char **av) - { -@@ -1577,7 +1937,7 @@ - - /* Parse command-line arguments. */ - while ((opt = getopt(ac, av, -- "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) { -+ "C:E:b:c:f:g:h:k:o:p:u:46DQRsTdeiqrt")) != -1) { - switch (opt) { - case '4': - options.address_family = AF_INET; -@@ -1614,6 +1974,9 @@ - case 'r': - rexec_flag = 0; +@@ -1633,2 +1993,5 @@ break; + case 's': + options.synconfig = 1; + break; case 'R': - rexeced_flag = 1; - inetd_flag = 1; -@@ -1707,6 +2070,12 @@ - SYSLOG_FACILITY_AUTH : options.log_facility, - log_stderr || !inetd_flag || debug_flag); - +@@ -1731,2 +2094,8 @@ + + /*fastlog init need shm memory*/ + if (uhi_shared_mem_attach() != 0) { + debug("uhi_shared_mem_attach() failed. "); @@ -1704,12 +1462,8 @@ + } + /* - * Unset KRB5CCNAME, otherwise the user's session may inherit it from - * root's environment -@@ -2264,6 +2633,14 @@ - startup_pipe = -1; - } - +@@ -2287,2 +2656,10 @@ + +#ifndef DEBUG + if(remote_ip == NULL || arrayos_shell_verify(remote_ip, + authctxt->pw->pw_name, authctxt->pw->pw_shell) == -1) { @@ -1719,27 +1473,10 @@ + + #ifdef SSH_AUDIT_EVENTS - audit_event(ssh, SSH_AUTH_SUCCESS); - #endif -@@ -2312,6 +2689,10 @@ - finish_pam(); - #endif /* USE_PAM */ +@@ -2335,2 +2712,6 @@ + /* Log the logout informantion */ + sshd_logout_info_detatch(ssh, authctxt); + + #ifdef SSH_AUDIT_EVENTS - PRIVSEP(audit_event(ssh, SSH_CONNECTION_CLOSE)); - #endif ---- openssh-8.8p1_original/auth.h 2021-09-26 22:03:19.000000000 +0800 -+++ openssh-8.8p1_a/auth.h 2022-07-21 18:13:30.573432716 +0800 -@@ -225,6 +225,8 @@ - - struct passwd *fakepw(void); - -+#define MAX_USER_NAME_SIZE 256 -+ - int sys_auth_passwd(struct ssh *, const char *); - - #if defined(KRB5) && !defined(HEIMDAL) Index: /branches/rel_apv_10_7/usr/click/bin/openssh/build.sh =================================================================== --- /branches/rel_apv_10_7/usr/click/bin/openssh/build.sh (revision 38292) +++ /branches/rel_apv_10_7/usr/click/bin/openssh/build.sh (working copy) @@ -1,17 +1,17 @@ #!/usr/bin/env bash -if [ ! -d openssh-8.8p1 ] +if [ ! -d openssh-9.3p2 ] then - if [ -f openssh-8.8p1.tar.gz ] + if [ -f openssh-9.3p2.tar.gz ] then - tar -zxvf openssh-8.8p1.tar.gz - cd openssh-8.8p1 + tar -zxvf openssh-9.3p2.tar.gz + cd openssh-9.3p2 else echo "source tar.gz file not exist!" exit 1 fi else - cd openssh-8.8p1 + cd openssh-9.3p2 fi if [ Makefile -nt configure ] Index: /branches/rel_apv_10_7/usr/click/bin/openssh/openssh-8.8p1.tar.gz =================================================================== Cannot display: file marked as a binary type. svn:mime-type = application/x-gzip Property changes on: usr/click/bin/openssh/openssh-8.8p1.tar.gz ___________________________________________________________________ Deleted: svn:mime-type ## -1 +0,0 ## -application/x-gzip \ No newline at end of property Index: /branches/rel_apv_10_7/usr/click/bin/openssh/openssh-9.3p2.tar.gz =================================================================== Cannot display: file marked as a binary type. svn:mime-type = application/octet-stream Property changes on: usr/click/bin/openssh/openssh-9.3p2.tar.gz ___________________________________________________________________ Added: svn:mime-type ## -0,0 +1 ## +application/octet-stream \ No newline at end of property