authorMarkus Friedl <markus@cvs.openbsd.org>2000-05-31 06:36:41 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2000-05-31 06:36:41 +0000
commitd3ca0afdaf7dc919d8276e5df4b62fb48093df61 (patch)
tree26751cb082b7861f124044fe57f535cab152e9ae /usr.bin
parent0fbdba2556ddd1c73b98d76a080a79b1da61a2e0 (diff)
xauth_location support; pr 1234
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/readconf.c14
-rw-r--r--usr.bin/ssh/readconf.h3
-rw-r--r--usr.bin/ssh/servconf.c25
-rw-r--r--usr.bin/ssh/servconf.h3
-rw-r--r--usr.bin/ssh/session.c32
-rw-r--r--usr.bin/ssh/ssh.18
-rw-r--r--usr.bin/ssh/ssh.c24
-rw-r--r--usr.bin/ssh/sshd.88
8 files changed, 72 insertions, 45 deletions
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index 15b8e6e1711..527e7951fbf 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-RCSID("$Id: readconf.c,v 1.33 2000/05/29 20:20:46 markus Exp $");
+RCSID("$Id: readconf.c,v 1.34 2000/05/31 06:36:40 markus Exp $");
#include "ssh.h"
#include "cipher.h"
@@ -92,7 +92,7 @@ typedef enum {
oBadOption,
oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh,
- oSkeyAuthentication,
+ oSkeyAuthentication, oXAuthLocation,
#ifdef KRB4
oKerberosAuthentication,
#endif /* KRB4 */
@@ -116,6 +116,7 @@ static struct {
} keywords[] = {
{ "forwardagent", oForwardAgent },
{ "forwardx11", oForwardX11 },
+ { "xauthlocation", oXAuthLocation },
{ "gatewayports", oGatewayPorts },
{ "useprivilegedport", oUsePrivilegedPort },
{ "rhostsauthentication", oRhostsAuthentication },
@@ -396,6 +397,10 @@ parse_flag:
}
break;
+ case oXAuthLocation:
+ charptr=&options->xauth_location;
+ goto parse_string;
+
case oUser:
charptr = &options->user;
parse_string:
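Review bot: `charptr=&options->xauth_location;` in the new oXAuthLocation case drops the spaces around `=` that every neighbouring assignment in this switch uses (`charptr = &options->user;` two lines below); write it as `charptr = &options->xauth_location;` to match. The case jumps to parse_string, whose body lies outside the hunk, whereas the server side of this commit routes the same option through a tilde-expanding parse_filename path in servconf.c; if parse_string only duplicates the token, a `~`-relative XAuthLocation in the client config would presumably stay unexpanded, which is worth confirming is intended. The enclosing process_config_line switch starts and ends outside the hunk.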
@@ -644,6 +649,7 @@ initialize_options(Options * options)
memset(options, 'X', sizeof(*options));
options->forward_agent = -1;
options->forward_x11 = -1;
+ options->xauth_location = NULL;
options->gateway_ports = -1;
options->use_privileged_port = -1;
options->rhosts_authentication = -1;
@@ -700,6 +706,10 @@ fill_default_options(Options * options)
options->forward_agent = 0;
if (options->forward_x11 == -1)
options->forward_x11 = 0;
+#ifdef XAUTH_PATH
+ if (options->xauth_location == NULL)
+ options->xauth_location == XAUTH_PATH;
+#endif /* XAUTH_PATH */
if (options->gateway_ports == -1)
options->gateway_ports = 0;
if (options->use_privileged_port == -1)
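Review bot: `options->xauth_location == XAUTH_PATH;` inside the new `#ifdef XAUTH_PATH` block is a comparison, not an assignment, so the result is discarded and the client-side default is never installed; the server counterpart in servconf.c correctly uses `=`. The line should read `options->xauth_location = XAUTH_PATH;`. As committed, a client that does not set XAuthLocation explicitly keeps the NULL from initialize_options, so the new `if (options.xauth_location)` guard in ssh.c's x11_get_proto skips the xauth lookup and the code falls through to fabricated authentication data, and the default that ssh.1 now documents does not hold. A compiler run with -Wall reports this as a statement with no effect; fill_default_options continues outside the hunk.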
diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h
index 7ee91571186..5e802a0c880 100644
--- a/usr.bin/ssh/readconf.h
+++ b/usr.bin/ssh/readconf.h
@@ -13,7 +13,7 @@
*
*/
-/* RCSID("$Id: readconf.h,v 1.18 2000/05/08 17:12:15 markus Exp $"); */
+/* RCSID("$Id: readconf.h,v 1.19 2000/05/31 06:36:40 markus Exp $"); */
#ifndef READCONF_H
#define READCONF_H
@@ -30,6 +30,7 @@ typedef struct {
typedef struct {
int forward_agent; /* Forward authentication agent. */
int forward_x11; /* Forward X11 display. */
+ char *xauth_location; /* Location for xauth program */
int gateway_ports; /* Allow remote connects to forwarded ports. */
int use_privileged_port; /* Don't use privileged port if false. */
int rhosts_authentication; /* Try rhosts authentication. */
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 4e3e5cc7967..aaf54a09db4 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -12,7 +12,7 @@
*/
#include "includes.h"
-RCSID("$Id: servconf.c,v 1.41 2000/05/22 18:42:01 markus Exp $");
+RCSID("$Id: servconf.c,v 1.42 2000/05/31 06:36:40 markus Exp $");
#include "ssh.h"
#include "servconf.h"
@@ -44,6 +44,7 @@ initialize_server_options(ServerOptions *options)
options->check_mail = -1;
options->x11_forwarding = -1;
options->x11_display_offset = -1;
+ options->xauth_location = NULL;
options->strict_modes = -1;
options->keepalives = -1;
options->log_facility = (SyslogFacility) - 1;
@@ -109,6 +110,10 @@ fill_default_server_options(ServerOptions *options)
options->x11_forwarding = 0;
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
+#ifdef XAUTH_PATH
+ if (options->xauth_location == NULL)
+ options->xauth_location = XAUTH_PATH;
+#endif /* XAUTH_PATH */
if (options->strict_modes == -1)
options->strict_modes = 1;
if (options->keepalives == -1)
@@ -177,7 +182,7 @@ typedef enum {
sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
- sGatewayPorts, sDSAAuthentication
+ sGatewayPorts, sDSAAuthentication, sXAuthLocation
} ServerOpCodes;
/* Textual representation of the tokens. */
@@ -219,6 +224,7 @@ static struct {
{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
{ "x11forwarding", sX11Forwarding },
{ "x11displayoffset", sX11DisplayOffset },
+ { "xauthlocation", sXAuthLocation },
{ "strictmodes", sStrictModes },
{ "permitemptypasswords", sEmptyPasswd },
{ "uselogin", sUseLogin },
@@ -365,6 +371,7 @@ parse_int:
case sHostDSAKeyFile:
charptr = (opcode == sHostKeyFile ) ?
&options->host_key_file : &options->host_dsa_key_file;
+parse_filename:
cp = strtok(NULL, WHITESPACE);
if (!cp) {
fprintf(stderr, "%s line %d: missing file name.\n",
@@ -377,15 +384,7 @@ parse_int:
case sPidFile:
charptr = &options->pid_file;
- cp = strtok(NULL, WHITESPACE);
- if (!cp) {
- fprintf(stderr, "%s line %d: missing file name.\n",
- filename, linenum);
- exit(1);
- }
- if (*charptr == NULL)
- *charptr = tilde_expand_filename(cp, getuid());
- break;
+ goto parse_filename;
case sRandomSeedFile:
fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
@@ -508,6 +507,10 @@ parse_flag:
intptr = &options->x11_display_offset;
goto parse_int;
+ case sXAuthLocation:
+ charptr = &options->xauth_location;
+ goto parse_filename;
+
case sStrictModes:
intptr = &options->strict_modes;
goto parse_flag;
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index 4fa6deea6f5..22b3501b739 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -13,7 +13,7 @@
*
*/
-/* RCSID("$Id: servconf.h,v 1.22 2000/05/06 17:45:37 markus Exp $"); */
+/* RCSID("$Id: servconf.h,v 1.23 2000/05/31 06:36:40 markus Exp $"); */
#ifndef SERVCONF_H
#define SERVCONF_H
@@ -47,6 +47,7 @@ typedef struct {
int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */
int x11_display_offset; /* What DISPLAY number to start
* searching at */
+ char *xauth_location; /* Location of xauth program */
int strict_modes; /* If true, require string home dir modes. */
int keepalives; /* If true, set SO_KEEPALIVE. */
char *ciphers; /* Ciphers in order of preference. */
diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c
index ce46f1d5a74..cfbe932ca27 100644
--- a/usr.bin/ssh/session.c
+++ b/usr.bin/ssh/session.c
@@ -8,7 +8,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.15 2000/05/30 17:23:37 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.16 2000/05/31 06:36:40 markus Exp $");
#include "xmalloc.h"
#include "ssh.h"
@@ -248,7 +248,10 @@ do_authenticated(struct passwd * pw)
packet_send_debug("X11 forwarding disabled in server configuration file.");
break;
}
-#ifdef XAUTH_PATH
+ if (!options.xauth_location) {
+ packet_send_debug("No xauth program; cannot forward with spoofing.");
+ break;
+ }
if (no_x11_forwarding_flag) {
packet_send_debug("X11 forwarding not permitted for this authentication.");
break;
@@ -289,10 +292,6 @@ do_authenticated(struct passwd * pw)
fatal_add_cleanup(xauthfile_cleanup_proc, NULL);
success = 1;
break;
-#else /* XAUTH_PATH */
- packet_send_debug("No xauth program; cannot forward with spoofing.");
- break;
-#endif /* XAUTH_PATH */
case SSH_CMSG_AGENT_REQUEST_FORWARDING:
if (no_agent_forwarding_flag || compat13) {
@@ -740,6 +739,7 @@ do_child(const char *command, struct passwd * pw, const char *term,
{
const char *shell, *cp = NULL;
char buf[256];
+ char cmd[1024];
FILE *f;
unsigned int envsize, i;
char **env;
@@ -948,23 +948,24 @@ do_child(const char *command, struct passwd * pw, const char *term,
pclose(f);
} else
fprintf(stderr, "Could not run %s\n", SSH_SYSTEM_RC);
- }
-#ifdef XAUTH_PATH
- else {
+ } else if (options.xauth_location != NULL) {
/* Add authority data to .Xauthority if appropriate. */
if (auth_proto != NULL && auth_data != NULL) {
char *screen = strchr(display, ':');
if (debug_flag) {
fprintf(stderr,
"Running %.100s add %.100s %.100s %.100s\n",
- XAUTH_PATH, display, auth_proto, auth_data);
+ options.xauth_location, display,
+ auth_proto, auth_data);
if (screen != NULL)
fprintf(stderr,
"Adding %.*s/unix%s %s %s\n",
screen-display, display,
screen, auth_proto, auth_data);
}
- f = popen(XAUTH_PATH " -q -", "w");
+ snprintf(cmd, sizeof cmd, "%s -q -",
+ options.xauth_location);
+ f = popen(cmd, "w");
if (f) {
fprintf(f, "add %s %s %s\n", display,
auth_proto, auth_data);
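Review bot: The return value of the new `snprintf(cmd, sizeof cmd, "%s -q -", options.xauth_location)` is not checked before `popen(cmd, "w")`, so a configured path near or beyond the 1024-byte `cmd` declared in the earlier hunk is silently truncated, possibly losing the ` -q -` arguments, and the truncated string is still handed to the shell. Now that the program location is a runtime value rather than the compile-time XAUTH_PATH literal, treat truncation as a failure: `if (snprintf(cmd, sizeof cmd, "%s -q -", options.xauth_location) >= (int)sizeof cmd) { fprintf(stderr, "xauth path too long\n"); } else { f = popen(cmd, "w"); ... }`. Since popen passes the configured path through the shell, the value is only as trustworthy as sshd_config; running xauth via exec with an explicit argv would remove the shell from this path entirely, but that is a larger change than this commit. do_child starts and ends outside the hunk.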
@@ -973,13 +974,12 @@ do_child(const char *command, struct passwd * pw, const char *term,
screen-display, display,
screen, auth_proto, auth_data);
pclose(f);
- } else
- fprintf(stderr, "Could not run %s -q -\n",
- XAUTH_PATH);
+ } else {
+ fprintf(stderr, "Could not run %s\n",
+ cmd);
+ }
}
}
-#endif /* XAUTH_PATH */
-
/* Get the last component of the shell name. */
cp = strrchr(shell, '/');
if (cp)
diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1
index d069ce18184..e3152117c10 100644
--- a/usr.bin/ssh/ssh.1
+++ b/usr.bin/ssh/ssh.1
@@ -9,7 +9,7 @@
.\"
.\" Created: Sat Apr 22 21:55:14 1995 ylo
.\"
-.\" $Id: ssh.1,v 1.54 2000/05/29 20:20:46 markus Exp $
+.\" $Id: ssh.1,v 1.55 2000/05/31 06:36:40 markus Exp $
.\"
.Dd September 25, 1999
.Dt SSH 1
@@ -940,6 +940,12 @@ The argument must be
.Dq yes
or
.Dq no .
+.It Cm XAuthLocation
+Specifies the location of the
+.Xr xauth 1
+program.
+The default is
+.Pa /usr/X11R6/bin/xauth .
.Sh ENVIRONMENT
.Nm
will normally set the following environment variables:
diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c
index f343b41a7b6..73afbfda4b5 100644
--- a/usr.bin/ssh/ssh.c
+++ b/usr.bin/ssh/ssh.c
@@ -11,7 +11,7 @@
*/
#include "includes.h"
-RCSID("$Id: ssh.c,v 1.54 2000/05/30 17:32:06 markus Exp $");
+RCSID("$Id: ssh.c,v 1.55 2000/05/31 06:36:40 markus Exp $");
#include <openssl/evp.h>
#include <openssl/dsa.h>
@@ -669,17 +669,17 @@ x11_get_proto(char *proto, int proto_len, char *data, int data_len)
FILE *f;
int got_data = 0, i;
-#ifdef XAUTH_PATH
- /* Try to get Xauthority information for the display. */
- snprintf(line, sizeof line, "%.100s list %.200s 2>/dev/null",
- XAUTH_PATH, getenv("DISPLAY"));
- f = popen(line, "r");
- if (f && fgets(line, sizeof(line), f) &&
- sscanf(line, "%*s %s %s", proto, data) == 2)
- got_data = 1;
- if (f)
- pclose(f);
-#endif /* XAUTH_PATH */
+ if (options.xauth_location) {
+ /* Try to get Xauthority information for the display. */
+ snprintf(line, sizeof line, "%.100s list %.200s 2>/dev/null",
+ options.xauth_location, getenv("DISPLAY"));
+ f = popen(line, "r");
+ if (f && fgets(line, sizeof(line), f) &&
+ sscanf(line, "%*s %s %s", proto, data) == 2)
+ got_data = 1;
+ if (f)
+ pclose(f);
+ }
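Review bot: The `%.100s` precision now applies to a user-configurable `options.xauth_location` instead of a fixed XAUTH_PATH, so a path longer than 100 characters is silently cut and popen runs a different command; drop the precision and check for truncation instead, e.g. `if (snprintf(line, sizeof line, "%s list %.200s 2>/dev/null", options.xauth_location, getenv("DISPLAY")) >= (int)sizeof line) return ...;` with the size of `line` declared outside the hunk. The same call also passes `getenv("DISPLAY")` straight to `%.200s`, which is undefined if DISPLAY is unset; that predates this commit but the block was rewritten here, and testing `getenv("DISPLAY")` for NULL alongside the new `options.xauth_location` guard would be cheap. x11_get_proto continues outside the hunk.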
/*
* If we didn't get authentication data, just make up some
* data. The forwarding code will check the validity of the
diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8
index 3fb255af05f..10820311890 100644
--- a/usr.bin/ssh/sshd.8
+++ b/usr.bin/ssh/sshd.8
@@ -9,7 +9,7 @@
.\"
.\" Created: Sat Apr 22 21:55:14 1995 ylo
.\"
-.\" $Id: sshd.8,v 1.51 2000/05/08 17:42:31 hugh Exp $
+.\" $Id: sshd.8,v 1.52 2000/05/31 06:36:40 markus Exp $
.\"
.Dd September 25, 1999
.Dt SSHD 8
@@ -569,6 +569,12 @@ The default is
.Dq no .
Note that disabling X11 forwarding does not improve security in any
way, as users can always install their own forwarders.
+.It Cm XAuthLocation
+Specifies the location of the
+.Xr xauth 1
+program.
+The default is
+.Pa /usr/X11R6/bin/xauth .
.El
.Sh LOGIN PROCESS
When a user successfully logs in,