Source snapshot from Powershell/openssh-portable:latestw_all
bingbing8 committed Jan 20, 2018
1 parent 1ad6c95 commit c4d0727
Showing 66 changed files with 1,945 additions and 1,070 deletions.
2 changes: 1 addition & 1 deletion appveyor.yml
@@ -1,4 +1,4 @@
version: 0.0.24.0.{build}
version: 1.0.0.0.{build}
image: Visual Studio 2015

branches:
87 changes: 70 additions & 17 deletions auth-passwd.c
@@ -41,9 +41,6 @@
#include <sys/types.h>

#include <pwd.h>
#ifdef WINDOWS
#include <logonuser.h>
#endif
#include <stdio.h>
#include <string.h>
#include <stdarg.h>
@@ -59,6 +56,11 @@
#include "auth-options.h"
#include "authfd.h"

#ifdef WINDOWS
#include "logonuser.h"
#include "monitor_wrap.h"
#endif

extern Buffer loginmsg;
extern ServerOptions options;

@@ -228,10 +230,53 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
}

#elif defined(WINDOWS)
HANDLE password_auth_token = NULL;
HANDLE process_custom_lsa_auth(char*, const char*, char*);

void
sys_auth_passwd_lsa(Authctxt *authctxt, const char *password)
{
char *lsa_auth_pkg = NULL;
wchar_t *lsa_auth_pkg_w = NULL;
int domain_len = 0, lsa_auth_pkg_len = 0;
HKEY reg_key = 0;
REGSAM mask = STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_WOW64_64KEY;

if ((RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\OpenSSH", 0, mask, &reg_key) == ERROR_SUCCESS) &&
(RegQueryValueExW(reg_key, L"LSAAuthenticationPackage", 0, NULL, NULL, &lsa_auth_pkg_len) == ERROR_SUCCESS)) {
lsa_auth_pkg_w = (wchar_t *) malloc(lsa_auth_pkg_len); // lsa_auth_pkg_len includes the null terminating character.
if (!lsa_auth_pkg_w)
fatal("%s: out of memory", __func__);

memset(lsa_auth_pkg_w, 0, lsa_auth_pkg_len);
if (RegQueryValueExW(reg_key, L"LSAAuthenticationPackage", 0, NULL, (LPBYTE)lsa_auth_pkg_w, &lsa_auth_pkg_len) == ERROR_SUCCESS) {
lsa_auth_pkg = utf16_to_utf8(lsa_auth_pkg_w);
if (!lsa_auth_pkg)
fatal("utf16_to_utf8 failed to convert lsa_auth_pkg_w:%ls", lsa_auth_pkg_w);

debug("Authenticating using LSA Auth Package:%ls", lsa_auth_pkg_w);
password_auth_token = process_custom_lsa_auth(authctxt->pw->pw_name, password, lsa_auth_pkg);
}
}

done:
if (lsa_auth_pkg_w)
free(lsa_auth_pkg_w);

if (lsa_auth_pkg)
free(lsa_auth_pkg);

if (reg_key)
RegCloseKey(reg_key);
}

/*
* Authenticate on Windows - Call LogonUser and retrieve user token
* Authenticate on Windows
* - Call LogonUser and retrieve user token
* - If LogonUser fails, then try the LSA (Local Security Authority) authentication.
*/
int sys_auth_passwd(Authctxt *authctxt, const char *password)
int
sys_auth_passwd(Authctxt *authctxt, const char *password)
{
wchar_t *user_utf16 = NULL, *udom_utf16 = NULL, *pwd_utf16 = NULL, *tmp;
HANDLE token = NULL;
@@ -249,25 +294,33 @@ int sys_auth_passwd(Authctxt *authctxt, const char *password)
}

if (LogonUserExExWHelper(user_utf16, udom_utf16, pwd_utf16, LOGON32_LOGON_NETWORK_CLEARTEXT,
LOGON32_PROVIDER_DEFAULT, NULL, &token, NULL, NULL, NULL, NULL) == FALSE) {
if (GetLastError() == ERROR_PASSWORD_MUST_CHANGE)
/*
* TODO - need to add support to force password change
* by sending back SSH_MSG_USERAUTH_PASSWD_CHANGEREQ
*/
LOGON32_PROVIDER_DEFAULT, NULL, &token, NULL, NULL, NULL, NULL) == TRUE)
password_auth_token = token;
else {
if (GetLastError() == ERROR_PASSWORD_MUST_CHANGE)
/*
* TODO - need to add support to force password change
* by sending back SSH_MSG_USERAUTH_PASSWD_CHANGEREQ
*/
error("password for user %s has expired", authctxt->pw->pw_name);
else
debug("failed to logon user: %ls domain: %ls error:%d", user_utf16, udom_utf16, GetLastError());
goto done;
}
else {
debug("Windows authentication failed for user: %ls domain: %ls error:%d", user_utf16, udom_utf16, GetLastError());

authctxt->auth_token = (void*)(INT_PTR)token;
r = 1;
/* If LSA authentication package is configured then it will return the auth_token */
sys_auth_passwd_lsa(authctxt, password);
}
}

done:
if (password_auth_token)
r = 1;

if (user_utf16)
free(user_utf16);

if (pwd_utf16)
SecureZeroMemory(pwd_utf16, sizeof(wchar_t) * wcslen(pwd_utf16));

return r;
}
#endif /* WINDOWS */
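Review bot: In `sys_auth_passwd_lsa`, the value read from `LSAAuthenticationPackage` is never type-checked (both `RegQueryValueExW` calls pass `NULL` for the type) and the buffer is sized exactly to `lsa_auth_pkg_len`, so a value stored as a non-string type, or a `REG_SZ` written without its terminator, is handed to `utf16_to_utf8` as an unterminated wide string; `lsa_auth_pkg_len` is also declared `int` where `RegQueryValueExW` expects an `LPDWORD`. Query the type, accept only `REG_SZ`, and allocate one extra `wchar_t` that the `memset` keeps zero, as below. The `done:` label in the same function has no matching `goto` and can be dropped. Separately, the file-scope `password_auth_token` is never reset at the top of `sys_auth_passwd`, so the final `if (password_auth_token) r = 1;` reports success for any later call in the same process once one attempt has set it — presumably harmless if the monitor calls this only until the first success, but `password_auth_token = NULL;` as the first statement would make that explicit.
```c
DWORD lsa_auth_pkg_len = 0, value_type = 0;
/* … unchanged: reg_key / mask setup … */
if ((RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\OpenSSH", 0, mask, &reg_key) == ERROR_SUCCESS) &&
    (RegQueryValueExW(reg_key, L"LSAAuthenticationPackage", 0, &value_type, NULL, &lsa_auth_pkg_len) == ERROR_SUCCESS) &&
    value_type == REG_SZ) {
	/* one extra wchar_t so the string is terminated even if the stored value is not */
	lsa_auth_pkg_w = malloc(lsa_auth_pkg_len + sizeof(wchar_t));
	if (!lsa_auth_pkg_w)
		fatal("%s: out of memory", __func__);
	memset(lsa_auth_pkg_w, 0, lsa_auth_pkg_len + sizeof(wchar_t));
	/* … unchanged: second RegQueryValueExW, utf16_to_utf8, process_custom_lsa_auth … */
```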
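--- a/auth.h
+++ b/auth.h
@@ -93,9 +93,6 @@ struct Authctxt {
 
 /* Information exposed to session */
 struct sshbuf *session_info; /* Auth info for environment */
-#ifdef WINDOWS
-void *auth_token;
-#endif
 };
 
 /*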
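--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -199,13 +199,8 @@ userauth_pubkey(struct ssh *ssh)
 authenticated = 0;
 
 if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
-#ifdef WINDOWS
-(authctxt->auth_token = mm_auth_pubkey(authctxt->pw->pw_name,
-key, sig, slen, b)) != NULL) {
-#else
 PRIVSEP(sshkey_verify(key, sig, slen, sshbuf_ptr(b),
 sshbuf_len(b), ssh->compat)) == 0) {
-#endif
 authenticated = 1;
 }
 sshbuf_free(b);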
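--- a/authfd.c
+++ b/authfd.c
@@ -120,12 +120,7 @@ ssh_get_authentication_socket(int *fdp)
 }
 
 /* Communicate with agent: send request and read reply */
-#ifdef WINDOWS
-/* for Windows we need to access this function from other places to talk to agent*/
-int
-#else /* !WINDOWS */
 static int
-#endif /* !WINDOWS */
 ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply)
 {
 int r;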
6 changes: 3 additions & 3 deletions contrib/win32/openssh/FixHostFilePermissions.ps1
@@ -5,14 +5,14 @@ If ($PSVersiontable.PSVersion.Major -le 2) {$PSScriptRoot = Split-Path -Parent $
Import-Module $PSScriptRoot\OpenSSHUtils -Force

#check sshd config file
$sshdConfigPath = join-path $PSScriptRoot "sshd_config"
$sshdConfigPath = join-path $env:ProgramData\ssh "sshd_config"
if(Test-Path $sshdConfigPath -PathType Leaf)
{
Repair-SshdConfigPermission -FilePath $sshdConfigPath @psBoundParameters
}
else
{
Write-host "$FilePath does not exist" -ForegroundColor Yellow
Write-host "$sshdConfigPath does not exist" -ForegroundColor Yellow
}

#check host keys
@@ -36,7 +36,7 @@ If you choose not to register the keys with ssh-agent, please grant sshd read ac
Write-Host " "
}#>

Get-ChildItem $PSScriptRoot\ssh_host_*_key -ErrorAction SilentlyContinue | % {
Get-ChildItem $env:ProgramData\ssh\ssh_host_*_key -ErrorAction SilentlyContinue | % {
Repair-SshdHostKeyPermission -FilePath $_.FullName @psBoundParameters
}

4 changes: 2 additions & 2 deletions contrib/win32/openssh/OpenSSHBuildHelper.psm1
@@ -344,8 +344,8 @@ function Start-OpenSSHPackage
$buildDir = Join-Path $repositoryRoot ("bin\" + $folderName + "\" + $Configuration)
$payload = "sshd.exe", "ssh.exe", "ssh-agent.exe", "ssh-add.exe", "sftp.exe"
$payload += "sftp-server.exe", "scp.exe", "ssh-shellhost.exe", "ssh-keygen.exe", "ssh-keyscan.exe"
$payload += "sshd_config", "install-sshd.ps1", "uninstall-sshd.ps1"
$payload +="FixHostFilePermissions.ps1", "FixUserFilePermissions.ps1", "OpenSSHUtils.psm1", "OpenSSHUtils.psd1", "ssh-add-hostkey.ps1"
$payload += "sshd_config_default", "install-sshd.ps1", "uninstall-sshd.ps1"
$payload +="FixHostFilePermissions.ps1", "FixUserFilePermissions.ps1", "OpenSSHUtils.psm1", "OpenSSHUtils.psd1"

$packageName = "OpenSSH-Win64"
if ($NativeHostArch -ieq 'x86') {
43 changes: 14 additions & 29 deletions contrib/win32/openssh/OpenSSHTestHelper.psm1
@@ -13,6 +13,7 @@ $PubKeyUser = "sshtest_pubkeyuser"
$PasswdUser = "sshtest_passwduser"
$OpenSSHTestAccountsPassword = "P@ssw0rd_1"
$OpenSSHTestAccounts = $Script:SSOUser, $Script:PubKeyUser, $Script:PasswdUser
$OpenSSHConfigPath = Join-Path $env:ProgramData "ssh"

$Script:TestDataPath = "$env:SystemDrive\OpenSSHTests"
$Script:E2ETestResultsFile = Join-Path $TestDataPath $E2ETestResultsFileName
@@ -106,7 +107,7 @@ function Set-OpenSSHTestEnvironment
}
}
else
{
{
if (-not (Test-Path (Join-Path $OpenSSHBinPath ssh.exe) -PathType Leaf))
{
Throw "Cannot find OpenSSH binaries under $OpenSSHBinPath. Please specify -OpenSSHBinPath to the OpenSSH installed location"
@@ -162,42 +163,31 @@ WARNING: Following changes will be made to OpenSSH configuration
}

#Backup existing OpenSSH configuration
$backupConfigPath = Join-Path $script:OpenSSHBinPath sshd_config.ori
$backupConfigPath = Join-Path $OpenSSHConfigPath sshd_config.ori
if (-not (Test-Path $backupConfigPath -PathType Leaf)) {
Copy-Item (Join-Path $script:OpenSSHBinPath sshd_config) $backupConfigPath -Force
Copy-Item (Join-Path $OpenSSHConfigPath sshd_config) $backupConfigPath -Force
}
$targetsshdConfig = Join-Path $script:OpenSSHBinPath sshd_config
$targetsshdConfig = Join-Path $OpenSSHConfigPath sshd_config
# copy new sshd_config
if($Script:WindowsInBox -and (Test-Path $targetsshdConfig))
{
$currentUser = New-Object System.Security.Principal.NTAccount($($env:USERDOMAIN), $($env:USERNAME))
Add-PermissionToFileACL -FilePath $targetsshdConfig -User $currentUser -Perm "Read,Write"
}

Copy-Item (Join-Path $Script:E2ETestDirectory sshd_config) $targetsshdConfig -Force

Start-Service ssh-agent

#copy sshtest keys
Copy-Item "$($Script:E2ETestDirectory)\sshtest*hostkey*" $script:OpenSSHBinPath -Force
Get-ChildItem "$($script:OpenSSHBinPath)\sshtest*hostkey*"| % {
Copy-Item "$($Script:E2ETestDirectory)\sshtest*hostkey*" $OpenSSHConfigPath -Force
Get-ChildItem "$($OpenSSHConfigPath)\sshtest*hostkey*"| % {
#workaround for the cariggage new line added by git before copy them
$filePath = "$($_.FullName)"
$con = (Get-Content $filePath | Out-String).Replace("`r`n","`n")
Set-Content -Path $filePath -Value "$con"
if (-not ($_.Name.EndsWith(".pub")))
{
Repair-SshdHostKeyPermission -FilePath $_.FullName -confirm:$false
if($psversiontable.BuildVersion.Major -gt 6)
{
#register private key with agent
ssh-add-hostkey.ps1 $_.FullName
}
}
}

#copy ca pubkey to SSHD bin path
Copy-Item "$($Script:E2ETestDirectory)\sshtest_ca_userkeys.pub" $script:OpenSSHBinPath -Force
#copy ca pubkey to ssh config path
Copy-Item "$($Script:E2ETestDirectory)\sshtest_ca_userkeys.pub" $OpenSSHConfigPath -Force

#copy ca private key to test dir
$ca_priv_key = (Join-Path $Global:OpenSSHTestInfo["TestDataPath"] sshtest_ca_userkeys)
@@ -462,11 +452,6 @@ function Clear-OpenSSHTestEnvironment
Throw "Cannot find OpenSSH binaries under $script:OpenSSHBinPath. "
}

#unregister test host keys from agent
Get-ChildItem "$sshBinPath\sshtest*hostkey*.pub"| % {
ssh-add-hostkey.ps1 -Delete_key $_.FullName
}

if($Global:OpenSSHTestInfo["EnableAppVerifier"] -and (Test-path $env:windir\System32\appverif.exe))
{
# clear all applications in application verifier
@@ -479,14 +464,14 @@ function Clear-OpenSSHTestEnvironment
Remove-ItemProperty "HKLM:Software\Microsoft\Windows NT\CurrentVersion\AeDebug" -Name Auto -ErrorAction SilentlyContinue -Force | Out-Null
}

Remove-Item "$sshBinPath\sshtest*hostkey*" -Force -ErrorAction SilentlyContinue
Remove-Item "$sshBinPath\sshtest*ca_userkeys*" -Force -ErrorAction SilentlyContinue
Remove-Item "$OpenSSHConfigPath\sshtest*hostkey*" -Force -ErrorAction SilentlyContinue
Remove-Item "$OpenSSHConfigPath\sshtest*ca_userkeys*" -Force -ErrorAction SilentlyContinue

#Restore sshd_config
$backupConfigPath = Join-Path $sshBinPath sshd_config.ori
$backupConfigPath = Join-Path $OpenSSHConfigPath sshd_config.ori
if (Test-Path $backupConfigPath -PathType Leaf) {
Copy-Item $backupConfigPath (Join-Path $sshBinPath sshd_config) -Force -ErrorAction SilentlyContinue
Remove-Item (Join-Path $sshBinPath sshd_config.ori) -Force -ErrorAction SilentlyContinue
Copy-Item $backupConfigPath (Join-Path $OpenSSHConfigPath sshd_config) -Force -ErrorAction SilentlyContinue
Remove-Item (Join-Path $OpenSSHConfigPath sshd_config.ori) -Force -ErrorAction SilentlyContinue
Restart-Service sshd
}

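Review bot: The backup step in the Set-OpenSSHTestEnvironment hunk, `Copy-Item (Join-Path $OpenSSHConfigPath sshd_config) $backupConfigPath -Force`, assumes an `sshd_config` already exists under `$env:ProgramData\ssh`; the OpenSSHBuildHelper.psm1 hunk in this same commit packages only `sshd_config_default`, so unless install-sshd.ps1 creates `sshd_config` a fresh install likely fails that copy with a non-terminating error, after which the test `sshd_config` is still written over the target and Clear-OpenSSHTestEnvironment, which restores only when `sshd_config.ori` exists, leaves it in place. Guarding the backup with `if (Test-Path (Join-Path $OpenSSHConfigPath sshd_config) -PathType Leaf)` and recording whether a backup was made (so the teardown can remove the test config instead of restoring) would keep setup and teardown symmetric. Both functions continue outside their hunks.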
10 changes: 4 additions & 6 deletions contrib/win32/openssh/OpenSSHUtils.psm1
@@ -41,8 +41,6 @@ $adminsSid = Get-UserSID -WellKnownSidType ([System.Security.Principal.WellKnown
# get the everyone
$everyoneSid = Get-UserSID -WellKnownSidType ([System.Security.Principal.WellKnownSidType]::WorldSid)

$sshdSid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-80-3847866527-469524349-687026318-516638107-1125189541")

$currentUserSid = Get-UserSID -User "$($env:USERDOMAIN)\$($env:USERNAME)"

#Taken from P/Invoke.NET with minor adjustments.
@@ -112,7 +110,7 @@ function Repair-SshdConfigPermission
[ValidateNotNullOrEmpty()]
[string]$FilePath)

Repair-FilePermission -Owners $systemSid,$adminsSid -FullAccessNeeded $systemSid -ReadAccessNeeded $sshdSid @psBoundParameters
Repair-FilePermission -Owners $systemSid,$adminsSid -FullAccessNeeded $systemSid @psBoundParameters
}

<#
@@ -134,10 +132,10 @@ function Repair-SshdHostKeyPermission
$PSBoundParameters["FilePath"] = $PSBoundParameters["FilePath"].Replace(".pub", "")
}

Repair-FilePermission -Owners $systemSid,$adminsSid -ReadAccessNeeded $sshdSid @psBoundParameters
Repair-FilePermission -Owners $systemSid,$adminsSid @psBoundParameters

$PSBoundParameters["FilePath"] += ".pub"
Repair-FilePermission -Owners $systemSid,$adminsSid -ReadAccessOK $everyoneSid -ReadAccessNeeded $sshdSid @psBoundParameters
Repair-FilePermission -Owners $systemSid,$adminsSid -ReadAccessOK $everyoneSid @psBoundParameters
}

<#
@@ -175,7 +173,7 @@ function Repair-AuthorizedKeyPermission
if($profileItem)
{
$userSid = $profileItem.PSChildName
Repair-FilePermission -Owners $userSid,$adminsSid,$systemSid -AnyAccessOK $userSid -FullAccessNeeded $systemSid -ReadAccessNeeded $sshdSid @psBoundParameters
Repair-FilePermission -Owners $userSid,$adminsSid,$systemSid -AnyAccessOK $userSid -FullAccessNeeded $systemSid @psBoundParameters

}
else
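Review bot: Removing `$sshdSid` and every `-ReadAccessNeeded $sshdSid` (the Repair-SshdConfigPermission, Repair-SshdHostKeyPermission and Repair-AuthorizedKeyPermission hunks) means the repaired ACLs no longer grant the sshd service SID read access, so these functions now silently assume the service runs as an account that already has it (presumably LocalSystem); a deployment still running sshd under its virtual service account may lose access to host keys, sshd_config and authorized_keys after running these repairs. Nothing in the hunks records that assumption, so a comment at the point where `$sshdSid` was removed, such as `# sshd is expected to run as LocalSystem; no separate service SID is granted read access here`, would document it for the next maintainer. Each function continues outside its hunk.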
6 changes: 4 additions & 2 deletions contrib/win32/openssh/config.h.vs
@@ -102,7 +102,7 @@

/* Define if your platform needs to skip post auth
file descriptor passing */
#define DISABLE_FD_PASSING 1
/* #undef DISABLE_FD_PASSING */

/* Define if you don't want to use lastlog */
/* #undef DISABLE_LASTLOG */
@@ -1691,7 +1691,9 @@

#define HAVE_MBLEN 1

#define SSHDIR "."
#define _PATH_PRIVSEP_CHROOT_DIR "."
#define SSHDIR "__PROGRAMDATA__\\ssh"
#define _PATH_SFTP_SERVER "sftp-server.exe"
#define _PATH_SSH_PROGRAM "ssh.exe"
#define _PATH_LS "dir"
#define FORK_NOT_SUPPORTED 1
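Review bot: `SSHDIR` is now the literal string `"__PROGRAMDATA__\\ssh"`, a placeholder token rather than a usable path, and nothing in this hunk says which code substitutes the real ProgramData folder before the value reaches a file open; a comment on the define naming that substitution point, such as `/* __PROGRAMDATA__ is rewritten at run time to the ProgramData folder before use */`, would stop a reader from treating the define as a path. `_PATH_PRIVSEP_CHROOT_DIR "."` next to it also deserves a comment on whether the privilege-separation chroot is used at all on Windows, since "." resolves to whatever the current directory happens to be. The `DISABLE_FD_PASSING` flip in the first hunk likewise has no comment on what now provides descriptor passing on this platform.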