--- session.c.orig Mon Jun 5 12:53:40 2000 +++ session.c Tue Jun 20 16:20:37 2000 @@ -27,6 +27,18 @@ #include "ssh2.h" #include "auth.h" +#ifdef __FreeBSD__ +#include +#include +#include +#include +#define LOGIN_CAP +#endif /* __FreeBSD__ */ + +#ifdef LOGIN_CAP +#include +#endif /* LOGIN_CAP */ + /* types */ #define TTYSZ 64 @@ -401,6 +413,13 @@ log_init(__progname, options.log_level, options.log_facility, log_stderr); /* + * Using login and executing a specific "command" are mutually + * exclusive, so turn off use_login if there's a command. + */ + if (command != NULL) + options.use_login = 0; + + /* * Create a new session and process group since the 4.4BSD * setlogin() affects the entire process group. */ @@ -502,6 +521,10 @@ struct sockaddr_storage from; struct stat st; time_t last_login_time; +#ifdef LOGIN_CAP + login_cap_t *lc; + char *fname; +#endif /* LOGIN_CAP */ if (s == NULL) fatal("do_exec_pty: no session"); @@ -511,15 +534,6 @@ /* Get remote host name. */ hostname = get_canonical_hostname(); - /* - * Get the time when the user last logged in. Buf will be set to - * contain the hostname the last login was from. - */ - if (!options.use_login) { - last_login_time = get_last_login_time(pw->pw_uid, pw->pw_name, - buf, sizeof(buf)); - } - /* Fork the child. */ if ((pid = fork()) == 0) { pid = getpid(); @@ -528,6 +542,22 @@ changed. */ log_init(__progname, options.log_level, options.log_facility, log_stderr); + /* + * Using login and executing a specific "command" are mutually + * exclusive, so turn off use_login if there's a command. + */ + if (command != NULL) + options.use_login = 0; + + /* + * Get the time when the user last logged in. Buf will be set + * to * contain the hostname the last login was from. + */ + if (!options.use_login) { + last_login_time = get_last_login_time(pw->pw_uid, + pw->pw_name, buf, sizeof(buf)); + } + /* Close the master side of the pseudo tty. */ close(ptyfd); @@ -571,6 +601,12 @@ /* Check if .hushlogin exists. */ snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir); quiet_login = stat(line, &st) >= 0; +#ifdef LOGIN_CAP + lc = login_getpwclass(pw); + if (lc == NULL) + lc = login_getclassbyname(NULL, pw); + quiet_login = login_getcapbool(lc, "hushlogin", quiet_login); +#endif /* LOGIN_CAP */ /* * If the user has logged in before, display the time of last @@ -594,6 +630,20 @@ else printf("Last login: %s from %s\r\n", time_string, buf); } +#ifdef LOGIN_CAP + if (command == NULL && !quiet_login && !options.use_login) { + fname = login_getcapstr(lc, "copyright", NULL, NULL); + if (fname != NULL && (f = fopen(fname, "r")) != NULL) { + while (fgets(line, sizeof(line), f) != NULL) + fputs(line, stdout); + fclose(f); + } else + (void)printf("%s\n\t%s %s\n", + "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994", + "The Regents of the University of California. ", + "All rights reserved."); + } +#endif /* LOGIN_CAP */ /* * Print /etc/motd unless a command was specified or printing * it was disabled in server options or login(1) will be @@ -603,7 +653,18 @@ if (command == NULL && options.print_motd && !quiet_login && !options.use_login) { /* Print /etc/motd if it exists. */ +#ifdef LOGIN_CAP + fname = login_getcapstr(lc, "welcome", NULL, NULL); + login_close(lc); + if (fname != NULL) { + f = fopen(fname, "r"); + if (f == NULL) + f = fopen("/etc/motd", "r"); + } else + f = fopen("/etc/motd", "r"); +#else /* LOGIN_CAP */ f = fopen("/etc/motd", "r"); +#endif /* LOGIN_CAP */ if (f) { while (fgets(line, sizeof(line), f)) fputs(line, stdout); @@ -746,13 +807,29 @@ extern char **environ; struct stat st; char *argv[10]; +#ifdef LOGIN_CAP + login_cap_t *lc; + + lc = login_getpwclass(pw); + if (lc == NULL) + lc = login_getclassbyname(NULL, pw); + #endif /* LOGIN_CAP */ /* login(1) is only called if we execute the login shell */ if (options.use_login && command != NULL) options.use_login = 0; f = fopen("/etc/nologin", "r"); +#ifdef __FreeBSD__ + if (f == NULL) + f = fopen("/var/run/nologin", "r"); +#endif /* __FreeBSD__ */ +#ifdef LOGIN_CAP + /* on FreeBSD, etc., allow overriding nologin via login.conf. */ + if (f != NULL && !login_getcapbool(lc, "ignorenologin", 0)) { +#else /* LOGIN_CAP */ if (f) { +#endif /* LOGIN_CAP */ /* /etc/nologin exists. Print its contents and exit. */ while (fgets(buf, sizeof(buf), f)) fputs(buf, stderr); @@ -768,6 +845,13 @@ /* Login(1) does this as well, and it needs uid 0 for the "-h" switch, so we let login(1) to this for us. */ if (!options.use_login) { +#ifdef LOGIN_CAP + if (setclasscontext(pw->pw_class, LOGIN_SETPRIORITY | + LOGIN_SETRESOURCES | LOGIN_SETUMASK) == -1) { + perror("setclasscontext"); + exit(1); + } +#endif /* LOGIN_CAP */ if (getuid() == 0 || geteuid() == 0) { if (setgid(pw->pw_gid) < 0) { perror("setgid"); @@ -790,7 +874,14 @@ * Get the shell from the password data. An empty shell field is * legal, and means /bin/sh. */ +#ifdef LOGIN_CAP + shell = pw->pw_shell; + shell = login_getcapstr(lc, "shell", shell, shell); + if (shell[0] == '\0') + shell = _PATH_BSHELL; +#else /* LOGIN_CAP */ shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; +#endif /* LOGIN_CAP */ #ifdef AFS /* Try to get AFS tokens for the local cell. */ @@ -814,7 +905,12 @@ child_set_env(&env, &envsize, "USER", pw->pw_name); child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); child_set_env(&env, &envsize, "HOME", pw->pw_dir); +#ifdef LOGIN_CAP + child_set_env(&env, &envsize, "PATH", + login_getpath(lc, "path", _PATH_STDPATH)); +#else /* LOGIN_CAP */ child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); +#endif /* LOGIN_CAP */ snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); @@ -904,6 +1000,9 @@ * descriptors left by system functions. They will be closed later. */ endpwent(); +#ifdef LOGIN_CAP + login_close(lc); +#endif /* LOGIN_CAP */ /* * Close any extra open file descriptors so that we don\'t have them @@ -911,7 +1010,7 @@ * initgroups, because at least on Solaris 2.3 it leaves file * descriptors open. */ - for (i = 3; i < 64; i++) + for (i = 3; i < getdtablesize(); i++) close(i); /* Change current directory to the user\'s home directory. */ @@ -930,7 +1029,27 @@ * in this order). */ if (!options.use_login) { - if (stat(SSH_USER_RC, &st) >= 0) { +#ifdef __FreeBSD__ + /* + * If the password change time is set and has passed, give the + * user a password expiry notice and chance to change it. + */ + if (pw->pw_change != 0) { + struct timeval tv; + + (void)gettimeofday(&tv, NULL); + if (tv.tv_sec >= pw->pw_change) { + (void)printf( + "Sorry -- your password has expired.\n"); + syslog(LOG_INFO, + "%s Password expired - forcing change", + pw->pw_name); + if (system("/usr/bin/passwd") != 0) + perror("/usr/bin/passwd"); + } + } +#endif /* __FreeBSD__ */ + if (stat(SSH_USER_RC, &st) >= 0) { if (debug_flag) fprintf(stderr, "Running /bin/sh %s\n", SSH_USER_RC);