From bb922da6d00a22e5a9e680eccf80990e70bfedd7 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 19 Aug 2016 03:18:06 +0000 Subject: [PATCH] remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker --- usr.bin/ssh/monitor.c | 5 +- usr.bin/ssh/servconf.c | 14 ++--- usr.bin/ssh/servconf.h | 3 +- usr.bin/ssh/session.c | 109 ++++++++++++-------------------------- usr.bin/ssh/sshd.8 | 7 +-- usr.bin/ssh/sshd.c | 4 +- usr.bin/ssh/sshd_config.5 | 26 +-------- 7 files changed, 45 insertions(+), 123 deletions(-) diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c index e4a97b214c6..f253d0a7c27 100644 --- a/usr.bin/ssh/monitor.c +++ b/usr.bin/ssh/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.162 2016/08/13 17:47:41 markus Exp $ */ +/* $OpenBSD: monitor.c,v 1.163 2016/08/19 03:18:06 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -1121,9 +1121,6 @@ mm_record_login(Session *s, struct passwd *pw) socklen_t fromlen; struct sockaddr_storage from; - if (options.use_login) - return; - /* * Get IP address of client. If the connection is not a socket, let * the address be 0.0.0.0. diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c index bfefae28aac..469f4d2d3df 100644 --- a/usr.bin/ssh/servconf.c +++ b/usr.bin/ssh/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.293 2016/08/15 12:27:56 naddy Exp $ */ +/* $OpenBSD: servconf.c,v 1.294 2016/08/19 03:18:06 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -110,7 +110,6 @@ initialize_server_options(ServerOptions *options) options->challenge_response_authentication = -1; options->permit_empty_passwd = -1; options->permit_user_env = -1; - options->use_login = -1; options->compression = -1; options->rekey_limit = -1; options->rekey_interval = -1; 
@@ -264,8 +263,6 @@ fill_default_server_options(ServerOptions *options) options->permit_empty_passwd = 0; if (options->permit_user_env == -1) options->permit_user_env = 0; - if (options->use_login == -1) - options->use_login = 0; if (options->compression == -1) options->compression = COMP_DELAYED; if (options->rekey_limit == -1) @@ -367,7 +364,7 @@ typedef enum { sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, - sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, + sPermitUserEnvironment, sAllowTcpForwarding, sCompression, sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile, sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, @@ -462,7 +459,7 @@ static struct { { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, - { "uselogin", sUseLogin, SSHCFG_GLOBAL }, + { "uselogin", sDeprecated, SSHCFG_GLOBAL }, { "compression", sCompression, SSHCFG_GLOBAL }, { "rekeylimit", sRekeyLimit, SSHCFG_ALL }, { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, @@ -1231,10 +1228,6 @@ process_server_config_line(ServerOptions *options, char *line, intptr = &options->permit_user_env; goto parse_flag; - case sUseLogin: - intptr = &options->use_login; - goto parse_flag; - case sCompression: intptr = &options->compression; multistate_ptr = multistate_compression; @@ -2202,7 +2195,6 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); - dump_cfg_fmtint(sUseLogin, o->use_login); dump_cfg_fmtint(sCompression, o->compression); dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); dump_cfg_fmtint(sUseDNS, o->use_dns); 
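Review bot: Mapping `uselogin` to `sDeprecated` in the keyword table means a config that still says `UseLogin yes` keeps loading, but the restrictions that setting used to imply are gone. Elsewhere in this commit the `!options.use_login` guard on reading `~/.ssh/environment` and the early return in `session_setup_x11fwd` are removed, so a host that combined `UseLogin yes` with `X11Forwarding yes` or `PermitUserEnvironment yes` starts honouring those two options after the upgrade. How `sDeprecated` is reported is outside this hunk; if it only logs, I would add a comment on the table entry such as `/* UseLogin removed; it no longer suppresses X11Forwarding or PermitUserEnvironment */` and call the change out in the release notes so operators re-check those settings.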
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h index 3f595e4361d..74230a1b07e 100644 --- a/usr.bin/ssh/servconf.h +++ b/usr.bin/ssh/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.121 2016/08/15 12:27:56 naddy Exp $ */ +/* $OpenBSD: servconf.h,v 1.122 2016/08/19 03:18:06 djm Exp $ */ /* * Author: Tatu Ylonen @@ -121,7 +121,6 @@ typedef struct { int permit_empty_passwd; /* If false, do not permit empty * passwords. */ int permit_user_env; /* If true, read ~/.ssh/environment */ - int use_login; /* If true, login(1) is used */ int compression; /* If true, compression is allowed */ int allow_tcp_forwarding; /* One of FORWARD_* */ int allow_streamlocal_forwarding; /* One of FORWARD_* */ diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c index 268d1171de5..d6250783c9d 100644 --- a/usr.bin/ssh/session.c +++ b/usr.bin/ssh/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.283 2016/08/13 17:47:41 markus Exp $ */ +/* $OpenBSD: session.c,v 1.284 2016/08/19 03:18:06 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -505,7 +505,7 @@ do_exec_pty(Session *s, const char *command) close(ttyfd); /* record login, etc. similar to login(1) */ - if (!(options.use_login && command == NULL)) + if (command != NULL) do_login(s, command); /* 
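Review bot: The rewritten test in do_exec_pty, `if (command != NULL)`, is not what the old condition reduces to once `use_login` is gone: with the option off, `!(options.use_login && command == NULL)` was always true, so `do_login()` ran for every pty session. As written, an interactive login (`command == NULL`) skips `do_login()`, which according to the comment above it is the step that records the login, so those sessions would presumably go missing from the login accounting that audit and incident response rely on. The call should be unconditional: `do_login(s, command);`. do_exec_pty starts and ends outside the hunk and do_login itself is not shown, so confirm against its definition.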
@@ -804,46 +804,41 @@ do_setup_env(Session *s, const char *shell) ssh_gssapi_do_child(&env, &envsize); #endif - if (!options.use_login) { - /* Set basic environment. */ - for (i = 0; i < s->num_env; i++) - child_set_env(&env, &envsize, s->env[i].name, - s->env[i].val); + /* Set basic environment. */ + for (i = 0; i < s->num_env; i++) + child_set_env(&env, &envsize, s->env[i].name, s->env[i].val); - child_set_env(&env, &envsize, "USER", pw->pw_name); - child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); - child_set_env(&env, &envsize, "HOME", pw->pw_dir); - if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0) - child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); - else - child_set_env(&env, &envsize, "PATH", getenv("PATH")); + child_set_env(&env, &envsize, "USER", pw->pw_name); + child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); + child_set_env(&env, &envsize, "HOME", pw->pw_dir); + if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0) + child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); + else + child_set_env(&env, &envsize, "PATH", getenv("PATH")); - snprintf(buf, sizeof buf, "%.200s/%.50s", - _PATH_MAILDIR, pw->pw_name); - child_set_env(&env, &envsize, "MAIL", buf); + snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); + child_set_env(&env, &envsize, "MAIL", buf); + + /* Normal systems set SHELL by default. */ + child_set_env(&env, &envsize, "SHELL", shell); - /* Normal systems set SHELL by default. */ - child_set_env(&env, &envsize, "SHELL", shell); - } if (getenv("TZ")) child_set_env(&env, &envsize, "TZ", getenv("TZ")); /* Set custom environment options from RSA authentication. 
*/ - if (!options.use_login) { - while (custom_environment) { - struct envstring *ce = custom_environment; - char *str = ce->s; - - for (i = 0; str[i] != '=' && str[i]; i++) - ; - if (str[i] == '=') { - str[i] = 0; - child_set_env(&env, &envsize, str, str + i + 1); - } - custom_environment = ce->next; - free(ce->s); - free(ce); + while (custom_environment) { + struct envstring *ce = custom_environment; + char *str = ce->s; + + for (i = 0; str[i] != '=' && str[i]; i++) + ; + if (str[i] == '=') { + str[i] = 0; + child_set_env(&env, &envsize, str, str + i + 1); } + custom_environment = ce->next; + free(ce->s); + free(ce); } /* SSH_CLIENT deprecated */ @@ -878,7 +873,7 @@ do_setup_env(Session *s, const char *shell) auth_sock_name); /* read $HOME/.ssh/environment. */ - if (options.permit_user_env && !options.use_login) { + if (options.permit_user_env) { snprintf(buf, sizeof buf, "%.200s/.ssh/environment", pw->pw_dir); read_environment_file(&env, &envsize, buf); @@ -1107,20 +1102,6 @@ do_pwchange(Session *s) exit(1); } -static void -launch_login(struct passwd *pw, const char *hostname) -{ - /* Launch login(1). */ - - execl("/usr/bin/login", "login", "-h", hostname, - "-p", "-f", "--", pw->pw_name, (char *)NULL); - - /* Login couldn't be executed, die. */ - - perror("login"); - exit(1); -} - static void child_close_fds(void) { @@ -1168,11 +1149,10 @@ child_close_fds(void) void do_child(Session *s, const char *command) { - struct ssh *ssh = active_state; /* XXX */ extern char **environ; char **env; char *argv[ARGV_MAX]; - const char *shell, *shell0, *hostname = NULL; + const char *shell, *shell0; struct passwd *pw = s->pw; int r = 0; 
@@ -1187,18 +1167,12 @@ do_child(Session *s, const char *command) exit(1); } - /* login(1) is only called if we execute the login shell */ - if (options.use_login && command != NULL) - options.use_login = 0; - /* * Login(1) does this as well, and it needs uid 0 for the "-h" * switch, so we let login(1) to this for us. */ - if (!options.use_login) { - do_nologin(pw); - do_setusercontext(pw); - } + do_nologin(pw); + do_setusercontext(pw); /* * Get the shell from the password data. An empty shell field is @@ -1214,10 +1188,6 @@ do_child(Session *s, const char *command) shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); - /* we have to stash the hostname before we close our socket. */ - if (options.use_login) - hostname = session_get_remote_name_or_ip(ssh, utmp_len, - options.use_dns); /* * Close the connection descriptors; note that this is the child, and * the server will still have the socket open, and it is important @@ -1274,8 +1244,7 @@ do_child(Session *s, const char *command) closefrom(STDERR_FILENO + 1); - if (!options.use_login) - do_rc_files(s, shell); + do_rc_files(s, shell); /* restore SIGPIPE for child */ signal(SIGPIPE, SIG_DFL); @@ -1302,11 +1271,6 @@ do_child(Session *s, const char *command) fflush(NULL); - if (options.use_login) { - launch_login(pw, hostname); - /* NEVERREACHED */ - } - /* Get the last component of the shell name. */ if ((shell0 = strrchr(shell, '/')) != NULL) shell0++; @@ -2113,11 +2077,6 @@ session_setup_x11fwd(Session *s) packet_send_debug("No xauth program; cannot forward with spoofing."); return 0; } - if (options.use_login) { - packet_send_debug("X11 forwarding disabled; " - "not compatible with UseLogin=yes."); - return 0; - } if (s->display != NULL) { debug("X11 display already set."); return 0; diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8 index 140c94ab209..c8996ce6aa5 100644 --- a/usr.bin/ssh/sshd.8 +++ b/usr.bin/ssh/sshd.8 
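Review bot: The comment kept above `do_nologin(pw); do_setusercontext(pw);` in do_child still says that login(1) does this as well and that the work is left to login(1), which no longer matches the code now that both calls are unconditional and the login(1) path is removed. Left as is, it suggests the nologin check and the switch to the user's context are delegated elsewhere, when they happen right here. I would replace it with something like `/* Enforce nologin and switch to the user's login context before running anything on the user's behalf. */`, with the wording checked against the two helpers, which are not shown. do_child starts and ends outside the hunk.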
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.285 2016/08/15 12:32:04 naddy Exp $ -.Dd $Mdocdate: August 15 2016 $ +.\" $OpenBSD: sshd.8,v 1.286 2016/08/19 03:18:06 djm Exp $ +.Dd $Mdocdate: August 19 2016 $ .Dt SSHD 8 .Os .Sh NAME @@ -477,9 +477,6 @@ Environment processing is disabled by default and is controlled via the .Cm PermitUserEnvironment option. -This option is automatically disabled if -.Cm UseLogin -is enabled. .It Cm from="pattern-list" Specifies that in addition to public key authentication, either the canonical name of the remote host or its IP address must be present in the diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c index 91c2d27ba3d..2a2d149ad02 100644 --- a/usr.bin/ssh/sshd.c +++ b/usr.bin/ssh/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.473 2016/08/15 12:27:56 naddy Exp $ */ +/* $OpenBSD: sshd.c,v 1.474 2016/08/19 03:18:07 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -601,7 +601,7 @@ privsep_preauth(Authctxt *authctxt) static void privsep_postauth(Authctxt *authctxt) { - if (authctxt->pw->pw_uid == 0 || options.use_login) { + if (authctxt->pw->pw_uid == 0) { /* File descriptor passing is broken or root login */ use_privsep = 0; goto skip; diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5 index 9fc633020df..e34b13152ad 100644 --- a/usr.bin/ssh/sshd_config.5 +++ b/usr.bin/ssh/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.229 2016/08/15 12:32:04 naddy Exp $ -.Dd $Mdocdate: August 15 2016 $ +.\" $OpenBSD: sshd_config.5,v 1.230 2016/08/19 03:18:07 djm Exp $ +.Dd $Mdocdate: August 19 2016 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME 
@@ -1490,25 +1490,6 @@ and .Cm Match .Cm Host directives. -.It Cm UseLogin -Specifies whether -.Xr login 1 -is used for interactive login sessions. -The default is -.Dq no . -Note that -.Xr login 1 -is never used for remote command execution. -Note also, that if this is enabled, -.Cm X11Forwarding -will be disabled because -.Xr login 1 -does not know how to handle -.Xr xauth 1 -cookies. -If -.Cm UsePrivilegeSeparation -is specified, it will be disabled after authentication. .It Cm UsePrivilegeSeparation Specifies whether .Xr sshd 8 @@ -1573,9 +1554,6 @@ setting. .Pp Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, as users can always install their own forwarders. -X11 forwarding is automatically disabled if -.Cm UseLogin -is enabled. .It Cm X11UseLocalhost Specifies whether .Xr sshd 8 -- 2.20.1