Source snapshot from Powershell/openssh-portable:latestw_all

Author: bingbing8

appveyor.yml

@@ -1,4 +1,4 @@
-version: 0.0.24.0.{build}
+version: 1.0.0.0.{build}
 image: Visual Studio 2015
 
 branches:

auth-passwd.c

@@ -41,9 +41,6 @@
 #include <sys/types.h>
 
 #include <pwd.h>
-#ifdef WINDOWS
-#include <logonuser.h>
-#endif
 #include <stdio.h>
 #include <string.h>
 #include <stdarg.h>
@@ -59,6 +56,11 @@
 #include "auth-options.h"
 #include "authfd.h"
 
+#ifdef WINDOWS
+#include "logonuser.h"
+#include "monitor_wrap.h"
+#endif
+
 extern Buffer loginmsg;
 extern ServerOptions options;
 
@@ -228,10 +230,53 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
 }
 
 #elif defined(WINDOWS)
+HANDLE password_auth_token = NULL;
+HANDLE process_custom_lsa_auth(char*, const char*, char*);
+
+void 
+sys_auth_passwd_lsa(Authctxt *authctxt, const char *password)
+{
+	char  *lsa_auth_pkg = NULL;
+	wchar_t *lsa_auth_pkg_w = NULL;
+	int domain_len = 0, lsa_auth_pkg_len = 0;	
+	HKEY reg_key = 0;
+	REGSAM mask = STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_WOW64_64KEY;
+		
+	if ((RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\OpenSSH", 0, mask, &reg_key) == ERROR_SUCCESS) &&
+		(RegQueryValueExW(reg_key, L"LSAAuthenticationPackage", 0, NULL, NULL, &lsa_auth_pkg_len) == ERROR_SUCCESS)) {
+		lsa_auth_pkg_w = (wchar_t *) malloc(lsa_auth_pkg_len); // lsa_auth_pkg_len includes the null terminating character.
+		if (!lsa_auth_pkg_w)
+			fatal("%s: out of memory", __func__);
+
+		memset(lsa_auth_pkg_w, 0, lsa_auth_pkg_len);
+		if (RegQueryValueExW(reg_key, L"LSAAuthenticationPackage", 0, NULL, (LPBYTE)lsa_auth_pkg_w, &lsa_auth_pkg_len) == ERROR_SUCCESS) {
+			lsa_auth_pkg = utf16_to_utf8(lsa_auth_pkg_w);
+			if (!lsa_auth_pkg)
+				fatal("utf16_to_utf8 failed to convert lsa_auth_pkg_w:%ls", lsa_auth_pkg_w);
+
+			debug("Authenticating using LSA Auth Package:%ls", lsa_auth_pkg_w);
+			password_auth_token = process_custom_lsa_auth(authctxt->pw->pw_name, password, lsa_auth_pkg);
+		}
+	}
+
+done:
+	if (lsa_auth_pkg_w)
+		free(lsa_auth_pkg_w);
+
+	if (lsa_auth_pkg)
+		free(lsa_auth_pkg);
+
+	if (reg_key)
+		RegCloseKey(reg_key);
+}
+
 /*
-* Authenticate on Windows - Call LogonUser and retrieve user token
+* Authenticate on Windows 
+* - Call LogonUser and retrieve user token
+* - If LogonUser fails, then try the LSA (Local Security Authority) authentication.
 */
-int sys_auth_passwd(Authctxt *authctxt, const char *password)
+int 
+sys_auth_passwd(Authctxt *authctxt, const char *password)
 {
 	wchar_t *user_utf16 = NULL, *udom_utf16 = NULL, *pwd_utf16 = NULL, *tmp;
 	HANDLE token = NULL;
@@ -249,25 +294,33 @@ int sys_auth_passwd(Authctxt *authctxt, const char *password)
 	}
 
 	if (LogonUserExExWHelper(user_utf16, udom_utf16, pwd_utf16, LOGON32_LOGON_NETWORK_CLEARTEXT,
-	    LOGON32_PROVIDER_DEFAULT, NULL, &token, NULL, NULL, NULL, NULL) == FALSE) {
-		if (GetLastError() == ERROR_PASSWORD_MUST_CHANGE) 
-			/* 
-			 * TODO - need to add support to force password change
-			 * by sending back SSH_MSG_USERAUTH_PASSWD_CHANGEREQ
-			 */
+	    LOGON32_PROVIDER_DEFAULT, NULL, &token, NULL, NULL, NULL, NULL) == TRUE)
+		password_auth_token = token;
+	else {
+		if (GetLastError() == ERROR_PASSWORD_MUST_CHANGE)
+			/*
+			* TODO - need to add support to force password change
+			* by sending back SSH_MSG_USERAUTH_PASSWD_CHANGEREQ
+			*/
 			error("password for user %s has expired", authctxt->pw->pw_name);
-		else
-			debug("failed to logon user: %ls domain: %ls error:%d", user_utf16, udom_utf16, GetLastError());
-		goto done;
-	}
+		else {
+			debug("Windows authentication failed for user: %ls domain: %ls error:%d", user_utf16, udom_utf16, GetLastError());
 
-	authctxt->auth_token = (void*)(INT_PTR)token;
-	r = 1;
+			/* If LSA authentication package is configured then it will return the auth_token */
+			sys_auth_passwd_lsa(authctxt, password);
+		}
+	}
+			
 done:
+	if (password_auth_token)
+		r = 1;
+
 	if (user_utf16)
 		free(user_utf16);
+
 	if (pwd_utf16)
 		SecureZeroMemory(pwd_utf16, sizeof(wchar_t) * wcslen(pwd_utf16));
+
 	return r;
 }
 #endif   /* WINDOWS */

auth.h

@@ -93,9 +93,6 @@ struct Authctxt {
 
 	/* Information exposed to session */
 	struct sshbuf	*session_info;	/* Auth info for environment */
-#ifdef WINDOWS
-	void		*auth_token;
-#endif
 };
 
 /*

auth2-pubkey.c

@@ -199,13 +199,8 @@ userauth_pubkey(struct ssh *ssh)
 		authenticated = 0;
 
 		if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
-#ifdef WINDOWS
-		    (authctxt->auth_token = mm_auth_pubkey(authctxt->pw->pw_name, 
-		    key, sig, slen, b)) != NULL) {
-#else
 		    PRIVSEP(sshkey_verify(key, sig, slen, sshbuf_ptr(b),
 		    sshbuf_len(b), ssh->compat)) == 0) {
-#endif
 			authenticated = 1;
 		}
 		sshbuf_free(b);

authfd.c

@@ -120,12 +120,7 @@ ssh_get_authentication_socket(int *fdp)
 }
 
 /* Communicate with agent: send request and read reply */
-#ifdef WINDOWS
-/* for Windows we need to access this function from other places to talk to agent*/
-int
-#else /* !WINDOWS */
 static int
-#endif /* !WINDOWS */
 ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply)
 {
 	int r;

contrib/win32/openssh/FixHostFilePermissions.ps1

@@ -5,14 +5,14 @@ If ($PSVersiontable.PSVersion.Major -le 2) {$PSScriptRoot = Split-Path -Parent $
 Import-Module $PSScriptRoot\OpenSSHUtils -Force
 
 #check sshd config file
-$sshdConfigPath = join-path $PSScriptRoot "sshd_config"
+$sshdConfigPath = join-path $env:ProgramData\ssh "sshd_config"
 if(Test-Path $sshdConfigPath -PathType Leaf)
 {
     Repair-SshdConfigPermission -FilePath $sshdConfigPath @psBoundParameters
 }
 else
 {
-    Write-host "$FilePath does not exist"  -ForegroundColor Yellow
+    Write-host "$sshdConfigPath does not exist"  -ForegroundColor Yellow
 }
 
 #check host keys
@@ -36,7 +36,7 @@ If you choose not to register the keys with ssh-agent, please grant sshd read ac
     Write-Host " "
 }#>
 
-Get-ChildItem $PSScriptRoot\ssh_host_*_key -ErrorAction SilentlyContinue | % {    
+Get-ChildItem $env:ProgramData\ssh\ssh_host_*_key -ErrorAction SilentlyContinue | % {
     Repair-SshdHostKeyPermission -FilePath $_.FullName @psBoundParameters
 }
 

contrib/win32/openssh/OpenSSHBuildHelper.psm1

@@ -344,8 +344,8 @@ function Start-OpenSSHPackage
     $buildDir = Join-Path $repositoryRoot ("bin\" + $folderName + "\" + $Configuration)
     $payload = "sshd.exe", "ssh.exe", "ssh-agent.exe", "ssh-add.exe", "sftp.exe"
     $payload += "sftp-server.exe", "scp.exe", "ssh-shellhost.exe", "ssh-keygen.exe", "ssh-keyscan.exe" 
-    $payload += "sshd_config", "install-sshd.ps1", "uninstall-sshd.ps1"
-    $payload +="FixHostFilePermissions.ps1", "FixUserFilePermissions.ps1", "OpenSSHUtils.psm1", "OpenSSHUtils.psd1", "ssh-add-hostkey.ps1"
+    $payload += "sshd_config_default", "install-sshd.ps1", "uninstall-sshd.ps1"
+    $payload +="FixHostFilePermissions.ps1", "FixUserFilePermissions.ps1", "OpenSSHUtils.psm1", "OpenSSHUtils.psd1"
 
     $packageName = "OpenSSH-Win64"
     if ($NativeHostArch -ieq 'x86') {

contrib/win32/openssh/OpenSSHTestHelper.psm1

@@ -13,6 +13,7 @@ $PubKeyUser = "sshtest_pubkeyuser"
 $PasswdUser = "sshtest_passwduser"
 $OpenSSHTestAccountsPassword = "P@ssw0rd_1"
 $OpenSSHTestAccounts = $Script:SSOUser, $Script:PubKeyUser, $Script:PasswdUser
+$OpenSSHConfigPath = Join-Path $env:ProgramData "ssh"
 
 $Script:TestDataPath = "$env:SystemDrive\OpenSSHTests"
 $Script:E2ETestResultsFile = Join-Path $TestDataPath $E2ETestResultsFileName
@@ -106,7 +107,7 @@ function Set-OpenSSHTestEnvironment
         }        
     }
     else
-    {        
+    {
         if (-not (Test-Path (Join-Path $OpenSSHBinPath ssh.exe) -PathType Leaf))
         {
             Throw "Cannot find OpenSSH binaries under $OpenSSHBinPath. Please specify -OpenSSHBinPath to the OpenSSH installed location"
@@ -162,42 +163,31 @@ WARNING: Following changes will be made to OpenSSH configuration
     }
 
     #Backup existing OpenSSH configuration
-    $backupConfigPath = Join-Path $script:OpenSSHBinPath sshd_config.ori
+    $backupConfigPath = Join-Path $OpenSSHConfigPath sshd_config.ori
     if (-not (Test-Path $backupConfigPath -PathType Leaf)) {
-        Copy-Item (Join-Path $script:OpenSSHBinPath sshd_config) $backupConfigPath -Force
+        Copy-Item (Join-Path $OpenSSHConfigPath sshd_config) $backupConfigPath -Force
     }
-    $targetsshdConfig = Join-Path $script:OpenSSHBinPath sshd_config
+    $targetsshdConfig = Join-Path $OpenSSHConfigPath sshd_config
     # copy new sshd_config
-    if($Script:WindowsInBox -and (Test-Path $targetsshdConfig))
-    {
-        $currentUser = New-Object System.Security.Principal.NTAccount($($env:USERDOMAIN), $($env:USERNAME))
-        Add-PermissionToFileACL -FilePath $targetsshdConfig -User $currentUser -Perm "Read,Write"
-    }
-    
     Copy-Item (Join-Path $Script:E2ETestDirectory sshd_config) $targetsshdConfig -Force
 
     Start-Service ssh-agent
 
     #copy sshtest keys
-    Copy-Item "$($Script:E2ETestDirectory)\sshtest*hostkey*" $script:OpenSSHBinPath -Force  
-    Get-ChildItem "$($script:OpenSSHBinPath)\sshtest*hostkey*"| % {
+    Copy-Item "$($Script:E2ETestDirectory)\sshtest*hostkey*" $OpenSSHConfigPath -Force  
+    Get-ChildItem "$($OpenSSHConfigPath)\sshtest*hostkey*"| % {
         #workaround for the cariggage new line added by git before copy them
         $filePath = "$($_.FullName)"
         $con = (Get-Content $filePath | Out-String).Replace("`r`n","`n")
         Set-Content -Path $filePath -Value "$con"
         if (-not ($_.Name.EndsWith(".pub")))
         {
             Repair-SshdHostKeyPermission -FilePath $_.FullName -confirm:$false
-            if($psversiontable.BuildVersion.Major -gt 6)
-            {                
-                #register private key with agent
-                ssh-add-hostkey.ps1 $_.FullName
-            }
         }        
     }
 
-    #copy ca pubkey to SSHD bin path
-    Copy-Item "$($Script:E2ETestDirectory)\sshtest_ca_userkeys.pub"  $script:OpenSSHBinPath -Force 
+    #copy ca pubkey to ssh config path
+    Copy-Item "$($Script:E2ETestDirectory)\sshtest_ca_userkeys.pub"  $OpenSSHConfigPath -Force 
 
     #copy ca private key to test dir
     $ca_priv_key = (Join-Path $Global:OpenSSHTestInfo["TestDataPath"] sshtest_ca_userkeys)
@@ -462,11 +452,6 @@ function Clear-OpenSSHTestEnvironment
         Throw "Cannot find OpenSSH binaries under $script:OpenSSHBinPath. "
     }
 
-    #unregister test host keys from agent
-    Get-ChildItem "$sshBinPath\sshtest*hostkey*.pub"| % {
-        ssh-add-hostkey.ps1 -Delete_key $_.FullName
-    }
-
     if($Global:OpenSSHTestInfo["EnableAppVerifier"] -and (Test-path $env:windir\System32\appverif.exe))
     {
         # clear all applications in application verifier
@@ -479,14 +464,14 @@ function Clear-OpenSSHTestEnvironment
         Remove-ItemProperty "HKLM:Software\Microsoft\Windows NT\CurrentVersion\AeDebug" -Name Auto -ErrorAction SilentlyContinue -Force | Out-Null
     }
 
-    Remove-Item "$sshBinPath\sshtest*hostkey*" -Force -ErrorAction SilentlyContinue   
-    Remove-Item "$sshBinPath\sshtest*ca_userkeys*" -Force -ErrorAction SilentlyContinue   
+    Remove-Item "$OpenSSHConfigPath\sshtest*hostkey*" -Force -ErrorAction SilentlyContinue
+    Remove-Item "$OpenSSHConfigPath\sshtest*ca_userkeys*" -Force -ErrorAction SilentlyContinue
 
     #Restore sshd_config
-    $backupConfigPath = Join-Path $sshBinPath sshd_config.ori
+    $backupConfigPath = Join-Path $OpenSSHConfigPath sshd_config.ori
     if (Test-Path $backupConfigPath -PathType Leaf) {        
-        Copy-Item $backupConfigPath (Join-Path $sshBinPath sshd_config) -Force -ErrorAction SilentlyContinue
-        Remove-Item (Join-Path $sshBinPath sshd_config.ori) -Force -ErrorAction SilentlyContinue
+        Copy-Item $backupConfigPath (Join-Path $OpenSSHConfigPath sshd_config) -Force -ErrorAction SilentlyContinue
+        Remove-Item (Join-Path $OpenSSHConfigPath sshd_config.ori) -Force -ErrorAction SilentlyContinue
         Restart-Service sshd
     }
 

contrib/win32/openssh/OpenSSHUtils.psm1

@@ -41,8 +41,6 @@ $adminsSid = Get-UserSID -WellKnownSidType ([System.Security.Principal.WellKnown
 # get the everyone
 $everyoneSid = Get-UserSID -WellKnownSidType ([System.Security.Principal.WellKnownSidType]::WorldSid)
 
-$sshdSid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-80-3847866527-469524349-687026318-516638107-1125189541")
-
 $currentUserSid = Get-UserSID -User "$($env:USERDOMAIN)\$($env:USERNAME)"
 
 #Taken from P/Invoke.NET with minor adjustments.
@@ -112,7 +110,7 @@ function Repair-SshdConfigPermission
         [ValidateNotNullOrEmpty()]        
         [string]$FilePath)
 
-        Repair-FilePermission -Owners $systemSid,$adminsSid -FullAccessNeeded $systemSid -ReadAccessNeeded $sshdSid @psBoundParameters
+        Repair-FilePermission -Owners $systemSid,$adminsSid -FullAccessNeeded $systemSid @psBoundParameters
 }
 
 <#
@@ -134,10 +132,10 @@ function Repair-SshdHostKeyPermission
             $PSBoundParameters["FilePath"] = $PSBoundParameters["FilePath"].Replace(".pub", "")
         }
 
-        Repair-FilePermission -Owners $systemSid,$adminsSid -ReadAccessNeeded $sshdSid @psBoundParameters
+        Repair-FilePermission -Owners $systemSid,$adminsSid @psBoundParameters
 
         $PSBoundParameters["FilePath"] += ".pub"
-        Repair-FilePermission -Owners $systemSid,$adminsSid -ReadAccessOK $everyoneSid -ReadAccessNeeded $sshdSid @psBoundParameters
+        Repair-FilePermission -Owners $systemSid,$adminsSid -ReadAccessOK $everyoneSid @psBoundParameters
 }
 
 <#
@@ -175,7 +173,7 @@ function Repair-AuthorizedKeyPermission
         if($profileItem)
         {
             $userSid = $profileItem.PSChildName            
-            Repair-FilePermission -Owners $userSid,$adminsSid,$systemSid -AnyAccessOK $userSid -FullAccessNeeded $systemSid -ReadAccessNeeded $sshdSid @psBoundParameters
+            Repair-FilePermission -Owners $userSid,$adminsSid,$systemSid -AnyAccessOK $userSid -FullAccessNeeded $systemSid @psBoundParameters
 
         }
         else

contrib/win32/openssh/config.h.vs

@@ -102,7 +102,7 @@
 
 /* Define if your platform needs to skip post auth
  file descriptor passing */
-#define DISABLE_FD_PASSING 1
+/* #undef DISABLE_FD_PASSING */
 
 /* Define if you don't want to use lastlog */
 /* #undef DISABLE_LASTLOG */
@@ -1691,7 +1691,9 @@
 
 #define HAVE_MBLEN 1
 
-#define SSHDIR "."
+#define _PATH_PRIVSEP_CHROOT_DIR "."
+#define SSHDIR "__PROGRAMDATA__\\ssh"
 #define _PATH_SFTP_SERVER "sftp-server.exe"
 #define _PATH_SSH_PROGRAM "ssh.exe"
 #define _PATH_LS			"dir"
+#define FORK_NOT_SUPPORTED 1