openssh: simplify login class restrictions
Closed, Public

Authored by emaste on Aug 31 2021, 7:50 PM.

Details

Summary

Login class-based restrictions were introduced in 5b400a39b8add453bd7e777b9306ef91f8f1403c, which was adapted for Capsicum but needed a bunch of rework (fc3c19a9fceeea48a9259ac3833a125804342c0e, bd393de91cc39fc04033caa53ada48aa34df9607, e8c56fba2926cfdaf7759edf3d53af8823db9dbc). During an attempt to upstream the work a much simpler approach was suggested; adopt it now in the in-tree OpenSSH to reduce conflicts with future updates.

Submitted by: Yuchiro Naito
Obtained from: https://github.com/openssh/openssh-portable/pull/262

Diff Detail

Repository
R10 FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

emaste created this revision.
emaste added a reviewer: des.
emaste added a reviewer: bdrewery.
crypto/openssh/auth2.c
317
336–338

this should not be deleted

crypto/openssh/monitor.c
716
crypto/openssh/monitor_wrap.c
250
crypto/openssh/sshbuf-getput-basic.c
467

restore accidentally deleted portion

kevans added a subscriber: kevans.

This looks exceedingly reasonable to me.

This revision is now accepted and ready to land. Sep 1 2021, 2:27 AM

Reviewed By: allanjude

crypto/openssh/auth.c
652

I know we didn't change these lines, but it might be worth tagging these endif's to avoid confusion

This revision was automatically updated to reflect the committed changes.
crypto/openssh/auth.c
652

Indeed, but I am trying to reduce diffs against upstream and if we're going to make this change it should happen there.