STDMETHODIMP XyOptionsImpl::XyGetString(unsigned field, LPWSTR *value, int *chars)
{
if (!TestOption(field, OPTION_TYPE_STRING, OPTION_MODE_READ)) return E_INVALIDARG;
if (!value && !chars) return S_FALSE;
CStringW tmp;
HRESULT hr = DoGetField(field, &tmp);
if (SUCCEEDED(hr))
{
if (value)
{
*value = static_cast<LPWSTR>(LocalAlloc(LPTR, sizeof(WCHAR)*(tmp.GetLength()+1)));
ASSERT(*value);
memcpy(*value, tmp.GetString(), (tmp.GetLength()+1)*sizeof(WCHAR));
}
if (chars)
{
*chars = tmp.GetLength();
}
}
return hr;
}
static QueryResult UpdateSshdConf(struct SshConf *conf, PCSTR testPrefix,
PCSTR binaryPath, BOOLEAN enable, PSTR *changeDescription,
const JoinProcessOptions *options, LWException **exc)
{
size_t i;
BOOLEAN modified = conf->modified;
PSTR requiredOptions = NULL;
PSTR optionalOptions = NULL;
BOOLEAN supported;
PSTR temp = NULL;
QueryResult result = NotConfigured;
const char *requiredSshdOptions[] = {
"ChallengeResponseAuthentication",
"UsePAM", "PAMAuthenticationViaKBDInt",
"KbdInteractiveAuthentication", NULL};
const char *optionalSshdOptions[] = {"GSSAPIAuthentication",
"GSSAPICleanupCredentials", NULL};
SshdVersion version;
BOOLEAN compromisedOptions = FALSE;
if(changeDescription != NULL)
*changeDescription = NULL;
LW_TRY(exc, GetSshVersion("", &version, binaryPath, &LW_EXC));
if(enable)
{
LW_CLEANUP_CTERR(exc, CTStrdup("", &requiredOptions));
LW_CLEANUP_CTERR(exc, CTStrdup("", &optionalOptions));
for(i = 0; requiredSshdOptions[i] != NULL; i++)
{
PCSTR option = requiredSshdOptions[i];
LW_TRY(exc, supported = TestOption(testPrefix, conf, binaryPath, "-t", option, &LW_EXC));
if(supported)
{
PCSTR value = "yes";
if(IsNewerThanOrEq(&version, 2, 3, 1, -1) &&
IsOlderThanOrEq(&version, 3, 3, -1, -1) &&
(!strcmp(option, "ChallengeResponseAuthentication") ||
!strcmp(option, "PAMAuthenticationViaKBDInt")))
{
value = "no";
compromisedOptions = TRUE;
}
conf->modified = FALSE;
LW_CLEANUP_CTERR(exc, SetOption(conf, option, value));
if(conf->modified)
{
modified = TRUE;
temp = requiredOptions;
requiredOptions = NULL;
CTAllocateStringPrintf(&requiredOptions, "%s\t%s\n", temp, option);
CT_SAFE_FREE_STRING(temp);
}
}
}
for(i = 0; optionalSshdOptions[i] != NULL; i++)
{
PCSTR option = optionalSshdOptions[i];
LW_TRY(exc, supported = TestOption(testPrefix, conf, binaryPath, "-t", option, &LW_EXC));
if(supported)
{
conf->modified = FALSE;
LW_CLEANUP_CTERR(exc, SetOption(conf, option, "yes"));
if(conf->modified)
{
modified = TRUE;
temp = optionalOptions;
optionalOptions = NULL;
LW_CLEANUP_CTERR(exc, CTAllocateStringPrintf(&optionalOptions, "%s\t%s\n", temp, option));
CT_SAFE_FREE_STRING(temp);
}
}
}
result = FullyConfigured;
if(strlen(optionalOptions) > 0)
{
temp = optionalOptions;
optionalOptions = NULL;
LW_CLEANUP_CTERR(exc, CTAllocateStringPrintf(
&optionalOptions,
"The following options will be enabled in %s to provide a better user experience:\n%s",
conf->filename, temp));
CT_SAFE_FREE_STRING(temp);
result = SufficientlyConfigured;
}
if(strlen(requiredOptions) > 0)
{
temp = requiredOptions;
requiredOptions = NULL;
LW_CLEANUP_CTERR(exc, CTAllocateStringPrintf(
&requiredOptions,
"The following options must be enabled in %s:\n%s",
conf->filename, temp));
CT_SAFE_FREE_STRING(temp);
result = NotConfigured;
}
if(changeDescription != NULL)
{
LW_CLEANUP_CTERR(exc, CTAllocateStringPrintf(
changeDescription,
"%s%s",
requiredOptions, optionalOptions));
}
}
else
{
conf->modified = FALSE;
LW_CLEANUP_CTERR(exc, RemoveOption(conf, "GSSAPIAuthentication"));
if(conf->modified)
{
if(changeDescription != NULL)
{
LW_CLEANUP_CTERR(exc, CTAllocateStringPrintf(
changeDescription,
"In %s, GSSAPIAuthentication may optionally be removed.\n",
conf->filename));
}
result = SufficientlyConfigured;
}
else
result = FullyConfigured;
}
if(changeDescription != NULL && *changeDescription == NULL)
LW_CLEANUP_CTERR(exc, CTStrdup("", changeDescription));
if(options != NULL)
{
ModuleState *state = DJGetModuleStateByName(options, "ssh");
if(state->moduleData == (void *)-1)
{
//We already showed a warning
}
else if(compromisedOptions)
{
state->moduleData = (void *)-1;
if (options->warningCallback != NULL)
{
options->warningCallback(options, "Unpatched version of SSH",
"The version of your sshd daemon indicates that it is susceptible to the remote exploit described at http://www.openssh.com/txt/preauth.adv . To avoid exposing your system to this exploit, the 'ChallengeResponseAuthentication' and 'PAMAuthenticationViaKBDInt' options will be set to 'no' instead of 'yes'. As a side effect, all login error messages will appear as 'permission denied' instead of more detailed messages like 'account disabled'. Additionally, password changes on login may not work.\n\
\n\
Even when those options are disabled, your system is still vulnerable to http://www.cert.org/advisories/CA-2003-24.html . We recommend upgrading your version of SSH.");
}
}
STDMETHODIMP XyOptionsImpl::XyGetBin2( unsigned field, void *value, int size )
{
if (!TestOption(field, OPTION_TYPE_BIN, OPTION_MODE_READ)) return E_INVALIDARG;
if (!value) return S_FALSE;
return E_NOTIMPL;
}
STDMETHODIMP XyOptionsImpl::XySetBin(unsigned field, LPVOID value, int size)
{
if (!TestOption(field, OPTION_TYPE_BIN, OPTION_MODE_WRITE)) return E_INVALIDARG;
return E_NOTIMPL;
}
STDMETHODIMP XyOptionsImpl::XySetString(unsigned field, LPWSTR value, int chars)
{
if (!TestOption(field, OPTION_TYPE_STRING, OPTION_MODE_WRITE)) return E_INVALIDARG;
CStringW tmp(value, chars);
return DoSetField(field, &tmp);
}
