diff -u -N -p Makefile.in Makefile.in
--- Makefile.in 2006-02-21 02:19:07.000000000 +1000
+++ Makefile.in 2006-02-21 02:28:45.000000000 +1000
@@ -86,7 +86,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
 auth-krb5.o \
 auth2-gss.o gss-serv.o gss-serv-krb5.o \
 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
- audit.o audit-bsm.o
+ audit.o audit-bsm.o hook.o
 MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
diff -u -N -p auth.c auth.c
--- auth.c 2005-09-01 02:59:49.000000000 +1000
+++ auth.c 2006-02-21 02:20:08.000000000 +1000
@@ -52,6 +52,7 @@ RCSID("$OpenBSD: auth.c,v 1.60 2005/06/1
 #include "packet.h"
 #include "loginrec.h"
 #include "monitor_wrap.h"
+#include "hook.h"
 /* import */
 extern ServerOptions options;
@@ -322,6 +323,7 @@ auth_root_allowed(char *method)
 break;
 }
 logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
+ execute_hook("ROOT_LOGIN_REFUSED",get_remote_ipaddr());
 return 0;
 }
@@ -503,6 +505,7 @@ getpwnamallow(const char *user)
 #ifdef SSH_AUDIT_EVENTS
 audit_event(SSH_INVALID_USER);
 #endif /* SSH_AUDIT_EVENTS */
+ execute_hook("AUTH_INVALID_USER",get_remote_ipaddr());
 return (NULL);
 }
 if (!allowed_user(pw))
diff -u -N -p hook.c hook.c
--- hook.c 1970-01-01 10:00:00.000000000 +1000
+++ hook.c 2006-02-21 02:20:04.000000000 +1000 
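Review bot: The new execute_hook() call after the ROOT LOGIN REFUSED logit, and the one in the getpwnamallow hunk below after the SSH_INVALID_USER audit event, both run before any authentication has completed, so every refused root attempt and every unknown-user probe now costs sshd a fork()+exec of an external program that a remote, unauthenticated peer can trigger, and the caller is blocked until that program exits; neither call site says so. In a privilege-separated build both functions run in the monitor, so the hook presumably executes with the monitor's privileges and open descriptors — worth confirming and stating. The only peer-influenced argument is the address string from get_remote_ipaddr(), which is handed to the hook as a separate argv element rather than through a shell; I would record that contract at the first call site: `/* Pre-auth and remote-triggerable; hook gets argv (path, event, addr), no shell involved */`. As far as I can tell get_remote_ipaddr() returns a const char * in this tree, so the char * parameters of execute_hook will also draw a discarded-qualifier warning. auth_root_allowed and getpwnamallow both begin outside their hunks.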
@@ -0,0 +1,48 @@
+#include "includes.h"
+
+RCSID("$OpenBSD: hook.c,v 1.60 2006/02/20 02:44:32 Freman Exp $");
+
+#include "xmalloc.h"
+#include "match.h"
+#include "groupaccess.h"
+#include "log.h"
+#include "servconf.h"
+
+extern ServerOptions options;
+
+static void
+local_do_shell(char *path, char *type, char *host)
+{
+ int status;
+ char *shell;
+ pid_t pid;
+
+
+ if ((pid = fork()) == -1)
+ fatal("Couldn't fork: %s", strerror(errno));
+
+ if (pid == 0) {
+ /* XXX: child has pipe fds to ssh subproc open - issue? */
+ debug3("Executing %s -c \"%s %s %s\"", path,type,host);
+ execl(path,path,type,host,(char *)NULL);
+ fprintf(stderr, "Couldn't execute \"%s\": %s\n", path,
+ strerror(errno));
+ _exit(1);
+ }
+ while (waitpid(pid, &status, 0) == -1)
+ if (errno != EINTR)
+ fatal("Couldn't wait for child: %s", strerror(errno));
+ if (!WIFEXITED(status))
+ error("Command exited abormally");
+ else if (WEXITSTATUS(status))
+ error("Command exited with status %d", WEXITSTATUS(status));
+}
+
+
+void
+execute_hook (char *type, char *host)
+{
+ if (options.hook != NULL)
+ local_do_shell(options.hook,type,host);
+}
+
diff -u -N -p hook.h hook.h
--- hook.h 1970-01-01 10:00:00.000000000 +1000
+++ hook.h 2006-02-21 02:20:04.000000000 +1000 
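Review bot: The debug3() call in local_do_shell has four %s conversions but only three arguments (path, type, host), so with debug logging at level 3 the last %s reads an unspecified value off the stack — undefined behaviour that can crash whichever sshd process invoked the hook; the message also claims a `-c` that execl() never passes. `debug3("Executing %s %s %s", path, type, host);` matches what is actually executed. The child keeps every descriptor and the environment of its parent (the XXX comment already flags the pipe to the unprivileged child) and the hook program inherits them, which should at least be documented on execute_hook since the program is chosen in sshd_config and runs with the caller's privileges. `char *shell` is unused, "abormally" is misspelled in the error text, the RCSID tag looks carried over from auth.c (same 1.60 revision), local_do_shell is a misleading name for a function that execs a path directly with no shell, and xmalloc.h, match.h and groupaccess.h are included but unused. The whole file is new, so nothing continues outside the hunk.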
@@ -0,0 +1,28 @@
+/* $OpenBSD: hook.h,v 1.51 2006/02/20 02:40:36 Freman Exp $ */
+
+/*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+void execute_hook (char *type, char *host);
diff -u -N -p servconf.c servconf.c
--- servconf.c 2005-08-12 22:11:37.000000000 +1000
+++ servconf.c 2006-02-21 02:19:58.000000000 +1000
@@ -94,6 +94,7 @@ initialize_server_options(ServerOptions
 options->max_startups_rate = -1;
 options->max_startups = -1;
 options->max_authtries = -1;
+ options->hook = NULL;
 options->banner = NULL;
 options->use_dns = -1;
 options->client_alive_interval = -1; 
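Review bot: The prototype `void execute_hook (char *type, char *host);` should take `const char *` for both parameters: the callers in this patch pass string literals and the result of get_remote_ipaddr(), and hook.c never writes through either pointer, it only forwards them to execl(). A one-line comment above the declaration stating what the hook receives, e.g. `/* Run the sshd_config "hook" program, if set, as: <hook> <event> <remote-addr>; blocks until it exits */`, would make the contract visible to future callers. The $OpenBSD$ tag (hook.h,v 1.51) and the 2000 copyright line appear to have been carried over from another header rather than describing this file.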
@@ -266,7 +267,7 @@ typedef enum {
 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
- sMaxStartups, sMaxAuthTries,
+ sMaxStartups, sMaxAuthTries,sHook,
 sBanner, sUseDNS, sHostbasedAuthentication,
 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -363,6 +364,7 @@ static struct {
 { "subsystem", sSubsystem },
 { "maxstartups", sMaxStartups },
 { "maxauthtries", sMaxAuthTries },
+ { "hook", sHook},
 { "banner", sBanner },
 { "usedns", sUseDNS },
 { "verifyreversemapping", sDeprecated },
@@ -925,6 +927,10 @@ parse_flag:
 intptr = &options->max_authtries;
 goto parse_int;
+ case sHook:
+ charptr = &options->hook;
+ goto parse_filename;
+
 case sBanner:
 charptr = &options->banner;
 goto parse_filename;
diff -u -N -p servconf.h servconf.h
--- servconf.h 2005-01-20 09:57:56.000000000 +1000
+++ servconf.h 2006-02-21 02:19:58.000000000 +1000
@@ -120,6 +120,7 @@ typedef struct {
 int max_startups;
 int max_authtries;
 char *banner; /* SSH-2 banner message */
+ char *hook; /* Fremans hook patch */
 int use_dns;
 int client_alive_interval; /*
 * poke the client this often to
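Review bot: In the sHook case the new keyword is routed through parse_filename exactly like sBanner, so — if parse_filename behaves as it does for Banner, which is outside this hunk — the value is stored as a string without checking that it names an existing executable, let alone one that is root-owned and not group/world-writable, yet unlike Banner this path is executed by sshd. A bad value therefore surfaces only at the first auth event, where hook.c logs the execl failure and authentication continues, so the parse site deserves at least `/* executed by sshd on auth events; path is not validated here, see hook.c */`, and an ownership/permission check at parse time would be the stronger fix. The enum and keyword-table hunks above use spacing that differs from their neighbours (`sMaxAuthTries,sHook,` and `{ "hook", sHook}`), and no sshd_config.5 entry for the new keyword appears in this patch unless a later part covers it. The process_server_config_line switch begins and ends outside the hunk.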
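Review bot: The comment on the new field, `char *hook; /* Fremans hook patch */`, records who added it rather than what it holds, unlike the `banner` line above it. Since execute_hook() in hook.c treats NULL as "disabled" and execs the path with the event name and remote address as arguments, `char *hook; /* program exec'd as <hook> <event> <addr> on auth events; NULL = off */` would describe the contract. The enclosing typedef struct begins and ends outside the hunk.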