d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Vendor import of OpenSSH 4.6p1 for posterity's sake

Browse Source
This commit is contained in:
Dag-Erling Smørgrav 2008-07-23 09:15:38 +00:00
parent 024ab8dd1d
commit 24cf82b14a
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/vendor-crypto/openssh/dist/; revision=180740
100 changed files with 39928 additions and 257 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

214
ChangeLog
View File

@ -1,3 +1,214 @@
20070306
- (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2007/03/01 16:19:33
[sshd_config.5]
sort the `match' keywords;
- djm@cvs.openbsd.org 2007/03/06 10:13:14
[version.h]
openssh-4.6; "please" deraadt@
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] crank spec files for release
- (djm) [README] correct link to release notes
- (djm) Release 4.6p1
20070304
- (djm) [configure.ac] add a --without-openssl-header-check option to
configure, as some platforms (OS X) ship OpenSSL headers whose version
does not match that of the shipping library. ok dtucker@
- (dtucker) [openbsd-compat/openssl-compat.h] Bug #1291: Work around a
bug in OpenSSL 0.9.8e that prevents aes256-ctr, aes192-ctr and arcfour256
ciphers from working correctly (disconnects with "Bad packet length"
errors) as found by Ben Harris. ok djm@
20070303
- (dtucker) [regress/agent-ptrace.sh] Make ttrace gdb error a little more
general to cover newer gdb versions on HP-UX.
20070302
- (dtucker) [configure.ac] For Cygwin, read files in textmode (which allows
CRLF as well as LF lineendings) and write in binary mode. Patch from
vinschen at redhat.com.
- (dtucker) [INSTALL] Update to autoconf-2.61.
20070301
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2007/03/01 10:28:02
[auth2.c sshd_config.5 servconf.c]
Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.
- (tim) [buildpkg.sh.in openssh.xml.in] Clean up Solaris 10 smf(5) bits.
"Looks sane" dtucker@
20070228
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2007/02/28 00:55:30
[ssh-agent.c]
Remove expired keys periodically so they don't remain in memory when
the agent is entirely idle, as noted by David R. Piegdon. This is the
simple fix, a more efficient one will be done later. With markus,
deraadt, with & ok djm.
20070225
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2007/02/20 10:25:14
[clientloop.c]
set maximum packet and window sizes the same for multiplexed clients
as normal connections; ok markus@
- dtucker@cvs.openbsd.org 2007/02/21 11:00:05
[sshd.c]
Clear alarm() before restarting sshd on SIGHUP. Without this, if there's
a SIGALRM pending (for SSH1 key regeneration) when sshd is SIGHUP'ed, the
newly exec'ed sshd will get the SIGALRM and not have a handler for it,
and the default action will terminate the listening sshd. Analysis and
patch from andrew at gaul.org.
- dtucker@cvs.openbsd.org 2007/02/22 12:58:40
[servconf.c]
Check activep so Match and GatewayPorts work together; ok markus@
- ray@cvs.openbsd.org 2007/02/24 03:30:11
[moduli.c]
- strlen returns size_t, not int.
- Pass full buffer size to fgets.
OK djm@, millert@, and moritz@.
20070219
- (dtucker) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2007/01/10 13:23:22
[ssh_config.5]
do not use a list for SYNOPSIS;
this is actually part of a larger report sent by eric s. raymond
and forwarded by brad, but i only read half of it. spotted by brad.
- jmc@cvs.openbsd.org 2007/01/12 20:20:41
[ssh-keygen.1 ssh-keygen.c]
more secsh -> rfc 4716 updates;
spotted by wiz@netbsd
ok markus
- dtucker@cvs.openbsd.org 2007/01/17 23:22:52
[readconf.c]
Honour activep for times (eg ServerAliveInterval) while parsing
ssh_config and ~/.ssh/config so they work properly with Host directives.
From mario.lorenz@wincor-nixdorf.com via bz #1275. ok markus@
- stevesk@cvs.openbsd.org 2007/01/21 01:41:54
[auth-skey.c kex.c ssh-keygen.c session.c clientloop.c]
spaces
- stevesk@cvs.openbsd.org 2007/01/21 01:45:35
[readconf.c]
spaces
- djm@cvs.openbsd.org 2007/01/22 11:32:50
[sftp-client.c]
return error from do_upload() when a write fails. fixes bz#1252: zero
exit status from sftp when uploading to a full device. report from
jirkat AT atlas.cz; ok dtucker@
- djm@cvs.openbsd.org 2007/01/22 13:06:21
[scp.c]
fix detection of whether we should show progress meter or not: scp
tested isatty(stderr) but wrote the progress meter to stdout. This patch
makes it test stdout. bz#1265 reported by junkmail AT bitsculpture.com;
of dtucker@
- stevesk@cvs.openbsd.org 2007/02/14 14:32:00
[bufbn.c]
typos in comments; ok jmc@
- dtucker@cvs.openbsd.org 2007/02/19 10:45:58
[monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5]
Teach Match how handle config directives that are used before
authentication. This allows configurations such as permitting password
authentication from the local net only while requiring pubkey from
offsite. ok djm@, man page bits ok jmc@
- (dtucker) [contrib/findssl.sh] Add "which" as a shell function since some
platforms don't have it. Patch from dleonard at vintela.com.
- (dtucker) [openbsd-compat/getrrsetbyname.c] Don't attempt to calloc
an array for signatures when there are none since "calloc(0, n) returns
NULL on some platforms (eg Tru64), which is explicitly permitted by
POSIX. Diagnosis and patch by svallet genoscope.cns.fr.
20070128
- (djm) [channels.c serverloop.c] Fix so-called "hang on exit" (bz #52)
when closing a tty session when a background process still holds tty
fds open. Great detective work and patch by Marc Aurele La France,
slightly tweaked by me; ok dtucker@
20070123
- (dtucker) [openbsd-compat/bsd-snprintf.c] Static declarations for public
library interfaces aren't very helpful. Fix up the DOPR_OUTCH macro
so it works properly and modify its callers so that they don't pre or
post decrement arguments that are conditionally evaluated. While there,
put SNPRINTF_CONST back as it prevents build failures in some
configurations. ok djm@ (for most of it)
20070122
- (djm) [ssh-rand-helper.8] manpage nits;
from dleonard AT vintela.com (bz#1529)
20070117
- (dtucker) [packet.c] Re-remove in_systm.h since it's already in includes.h
and multiple including it causes problems on old IRIXes. (It snuck back
in during a sync.) Found (again) by Georg Schwarz.
20070114
- (dtucker) [ssh-keygen.c] av -> argv to match earlier sync.
- (djm) [openbsd-compat/bsd-snprintf.c] Fix integer overflow in return
value of snprintf replacement, similar to bugs in various libc
implementations. This overflow is not exploitable in OpenSSH.
While I'm fiddling with it, make it a fair bit faster by inlining the
append-char routine; ok dtucker@
20070105
- (djm) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2006/11/14 19:41:04
[ssh-keygen.c]
use argc and argv not some made up short form
- ray@cvs.openbsd.org 2006/11/23 01:35:11
[misc.c sftp.c]
Don't access buf[strlen(buf) - 1] for zero-length strings.
``ok by me'' djm@.
- markus@cvs.openbsd.org 2006/12/11 21:25:46
[ssh-keygen.1 ssh.1]
add rfc 4716 (public key format); ok jmc
- djm@cvs.openbsd.org 2006/12/12 03:58:42
[channels.c compat.c compat.h]
bz #1019: some ssh.com versions apparently can't cope with the
remote port forwarding bind_address being a hostname, so send
them an address for cases where they are not explicitly
specified (wildcard or localhost bind). reported by daveroth AT
acm.org; ok dtucker@ deraadt@
- dtucker@cvs.openbsd.org 2006/12/13 08:34:39
[servconf.c]
Make PermitOpen work with multiple values like the man pages says.
bz #1267 with details from peter at dmtz.com, with & ok djm@
- dtucker@cvs.openbsd.org 2006/12/14 10:01:14
[servconf.c]
Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@
- jmc@cvs.openbsd.org 2007/01/02 09:57:25
[sshd_config.5]
do not use lists for SYNOPSIS;
from eric s. raymond via brad
- stevesk@cvs.openbsd.org 2007/01/03 00:53:38
[ssh-keygen.c]
remove small dead code; arnaud.lacombe.1@ulaval.ca via Coverity scan
- stevesk@cvs.openbsd.org 2007/01/03 03:01:40
[auth2-chall.c channels.c dns.c sftp.c ssh-keygen.c ssh.c]
spaces
- stevesk@cvs.openbsd.org 2007/01/03 04:09:15
[sftp.c]
ARGSUSED for lint
- stevesk@cvs.openbsd.org 2007/01/03 07:22:36
[sftp-server.c]
spaces
20061205
- (djm) [auth.c] Fix NULL pointer dereference in fakepw(). Crash would
occur if the server did not have the privsep user and an invalid user
tried to login and both privsep and krb5 auth are disabled; ok dtucker@
- (djm) [bsd-asprintf.c] Better test for bad vsnprintf lengths; ok dtucker@
20061108
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2006/11/07 13:02:07
[dh.c]
BN_hex2bn returns int; from dtucker@
20061107
- (dtucker) [sshd.c] Use privsep_pw if we have it, but only require it
if we absolutely need it. Pointed out by Corinna, ok djm@
@ -13,7 +224,6 @@
dtucker@
- (dtucker) [README contrib/{caldera,redhat,contrib}/openssh.spec] Bump
versions.
- (dtucker) [dh.c] Type fix for BN_hex2bn; ok markus@
- (dtucker) Release 4.5p1.
20061105
@ -2606,4 +2816,4 @@
OpenServer 6 and add osr5bigcrypt support so when someone migrates
passwords between UnixWare and OpenServer they will still work. OK dtucker@
$Id: ChangeLog,v 1.4588.2.1 2006/11/07 13:02:59 dtucker Exp $
$Id: ChangeLog,v 1.4635.2.1 2007/03/06 10:27:55 djm Exp $

7
INSTALL
View File

@ -70,8 +70,9 @@ http://sourceforge.net/projects/libedit/
Autoconf:
If you modify configure.ac or configure doesn't exist (eg if you checked
the code out of CVS yourself) then you will need autoconf-2.60 to rebuild
the automatically generated files by running "autoreconf".
the code out of CVS yourself) then you will need autoconf-2.61 to rebuild
the automatically generated files by running "autoreconf". Earlier
version may also work but this is not guaranteed.
http://www.gnu.org/software/autoconf/
@ -250,4 +251,4 @@ Please refer to the "reporting bugs" section of the webpage at
http://www.openssh.com/
$Id: INSTALL,v 1.76 2006/09/17 12:55:52 dtucker Exp $
$Id: INSTALL,v 1.77 2007/03/02 06:53:41 dtucker Exp $

4
README
View File

@ -1,4 +1,4 @@
See http://www.openssh.com/txt/release-4.5 for the release notes.
See http://www.openssh.com/txt/release-4.6 for the release notes.
- A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@ -62,4 +62,4 @@ References -
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
[7] http://www.openssh.com/faq.html
$Id: README,v 1.64 2006/11/07 12:25:45 dtucker Exp $
$Id: README,v 1.64.4.1 2007/03/06 10:27:56 djm Exp $

6
auth-skey.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth-skey.c,v 1.26 2006/08/05 08:28:24 dtucker Exp $ */
/* $OpenBSD: auth-skey.c,v 1.27 2007/01/21 01:41:54 stevesk Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@ -59,8 +59,8 @@ skey_query(void *ctx, char **name, char **infotxt,
sizeof(challenge)) == -1)
return -1;
*name = xstrdup("");
*infotxt = xstrdup("");
*name = xstrdup("");
*infotxt = xstrdup("");
*numprompts = 1;
*prompts = xcalloc(*numprompts, sizeof(char *));
*echo_on = xcalloc(*numprompts, sizeof(u_int));

4
auth.c
View File

@ -569,8 +569,8 @@ fakepw(void)
fake.pw_passwd =
"$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
fake.pw_gecos = "NOUSER";
fake.pw_uid = privsep_pw->pw_uid;
fake.pw_gid = privsep_pw->pw_gid;
fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid;
fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid;
#ifdef HAVE_PW_CLASS_IN_PASSWD
fake.pw_class = "";
#endif

4
auth2-chall.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-chall.c,v 1.31 2006/08/05 08:28:24 dtucker Exp $ */
/* $OpenBSD: auth2-chall.c,v 1.32 2007/01/03 03:01:40 stevesk Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2001 Per Allansson. All rights reserved.
@ -206,7 +206,7 @@ auth2_challenge_stop(Authctxt *authctxt)
{
/* unregister callback */
dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
if (authctxt->kbdintctxt != NULL) {
if (authctxt->kbdintctxt != NULL) {
kbdint_free(authctxt->kbdintctxt);
authctxt->kbdintctxt = NULL;
}

6
auth2.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2.c,v 1.113 2006/08/03 03:34:41 deraadt Exp $ */
/* $OpenBSD: auth2.c,v 1.114 2007/03/01 10:28:02 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -96,10 +96,6 @@ int user_key_allowed(struct passwd *, Key *);
void
do_authentication2(Authctxt *authctxt)
{
/* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
dispatch_init(&dispatch_protocol_error);
dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);

8
bufbn.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: bufbn.c,v 1.4 2006/11/06 21:25:28 markus Exp $*/
/* $OpenBSD: bufbn.c,v 1.5 2007/02/14 14:32:00 stevesk Exp $*/
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -93,7 +93,7 @@ buffer_put_bignum(Buffer *buffer, const BIGNUM *value)
}
/*
* Retrieves an BIGNUM from the buffer.
* Retrieves a BIGNUM from the buffer.
*/
int
buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
@ -101,7 +101,7 @@ buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
u_int bits, bytes;
u_char buf[2], *bin;
/* Get the number for bits. */
/* Get the number of bits. */
if (buffer_get_ret(buffer, (char *) buf, 2) == -1) {
error("buffer_get_bignum_ret: invalid length");
return (-1);
@ -137,7 +137,7 @@ buffer_get_bignum(Buffer *buffer, BIGNUM *value)
}
/*
* Stores an BIGNUM in the buffer in SSH2 format.
* Stores a BIGNUM in the buffer in SSH2 format.
*/
int
buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)

16
buildpkg.sh.in
View File

@ -48,7 +48,7 @@ PKG_REQUEST_LOCAL=../pkg-request.local
#
OPENSSHD=opensshd.init
OPENSSH_MANIFEST=openssh.xml
OPENSSH_FMRI=svc:/site/openssh:default
OPENSSH_FMRI=svc:/site/${SYSVINIT_NAME}:default
PATH_GROUPADD_PROG=@PATH_GROUPADD_PROG@
PATH_USERADD_PROG=@PATH_USERADD_PROG@
@ -202,8 +202,9 @@ then
cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/lib/svc/method/site/${SYSVINIT_NAME}
chmod 744 $FAKE_ROOT${TEST_DIR}/lib/svc/method/site/${SYSVINIT_NAME}
cp ${OPENSSH_MANIFEST} $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site
chmod 644 $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site/${OPENSSH_MANIFEST}
cat ${OPENSSH_MANIFEST} | sed "s|__SYSVINIT_NAME__|${SYSVINIT_NAME}|" \
> $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml
chmod 644 $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml
else
mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d
@ -334,9 +335,8 @@ then
then
svccfg delete -f $OPENSSH_FMRI
fi
# NOTE, if manifest enables sshd by default, this will actually
# start the daemon, which may not be what the user wants.
svccfg import ${TEST_DIR}/var/svc/manifest/site/$OPENSSH_MANIFEST
# NOTE, The manifest disables sshd by default.
svccfg import ${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml
else
if [ "\${USE_SYM_LINKS}" = yes ]
then
@ -428,8 +428,6 @@ if [ "\${POST_INS_START}" = "yes" ]
then
if [ $DO_SMF -eq 1 ]
then
# See svccfg import note above. The service may already
# be started.
svcadm enable $OPENSSH_FMRI
else
${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start
@ -544,7 +542,7 @@ PRE_INS_STOP=no
POST_INS_START=no
# determine if should restart the daemon
if [ -s ${piddir}/sshd.pid ] && \
/usr/bin/svcs $OPENSSH_FMRI 2>&1 | egrep "^online" > /dev/null 2>&1
/usr/bin/svcs -H $OPENSSH_FMRI 2>&1 | egrep "^online" > /dev/null 2>&1
then
ans=\`ckyorn -d n \
-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?

31
channels.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: channels.c,v 1.266 2006/08/29 10:40:18 djm Exp $ */
/* $OpenBSD: channels.c,v 1.268 2007/01/03 03:01:40 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1052,7 +1052,7 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset)
if (have < nmethods + 2)
return 0;
/* look for method: "NO AUTHENTICATION REQUIRED" */
for (found = 0, i = 2 ; i < nmethods + 2; i++) {
for (found = 0, i = 2; i < nmethods + 2; i++) {
if (p[i] == SSH_SOCKS5_NOAUTH) {
found = 1;
break;
@ -1449,10 +1449,11 @@ channel_handle_rfd(Channel *c, fd_set *readset, fd_set *writeset)
int len;
if (c->rfd != -1 &&
FD_ISSET(c->rfd, readset)) {
(c->detach_close || FD_ISSET(c->rfd, readset))) {
errno = 0;
len = read(c->rfd, buf, sizeof(buf));
if (len < 0 && (errno == EINTR || errno == EAGAIN))
if (len < 0 && (errno == EINTR ||
(errno == EAGAIN && !(c->isatty && c->detach_close))))
return 1;
#ifndef PTY_ZEROREAD
if (len <= 0) {
@ -1604,11 +1605,12 @@ channel_handle_efd(Channel *c, fd_set *readset, fd_set *writeset)
c->local_consumed += len;
}
} else if (c->extended_usage == CHAN_EXTENDED_READ &&
FD_ISSET(c->efd, readset)) {
(c->detach_close || FD_ISSET(c->efd, readset))) {
len = read(c->efd, buf, sizeof(buf));
debug2("channel %d: read %d from efd %d",
c->self, len, c->efd);
if (len < 0 && (errno == EINTR || errno == EAGAIN))
if (len < 0 && (errno == EINTR ||
(errno == EAGAIN && !c->detach_close)))
return 1;
if (len <= 0) {
debug2("channel %d: closing read-efd %d",
@ -2525,11 +2527,18 @@ channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
/* Send the forward request to the remote side. */
if (compat20) {
const char *address_to_bind;
if (listen_host == NULL)
address_to_bind = "localhost";
else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0)
address_to_bind = "";
else
if (listen_host == NULL) {
if (datafellows & SSH_BUG_RFWD_ADDR)
address_to_bind = "127.0.0.1";
else
address_to_bind = "localhost";
} else if (*listen_host == '\0' ||
strcmp(listen_host, "*") == 0) {
if (datafellows & SSH_BUG_RFWD_ADDR)
address_to_bind = "0.0.0.0";
else
address_to_bind = "";
} else
address_to_bind = listen_host;
packet_start(SSH2_MSG_GLOBAL_REQUEST);

16
clientloop.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.c,v 1.176 2006/10/11 12:38:03 markus Exp $ */
/* $OpenBSD: clientloop.c,v 1.178 2007/02/20 10:25:14 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -707,7 +707,7 @@ client_process_control(fd_set *readset)
{
Buffer m;
Channel *c;
int client_fd, new_fd[3], ver, allowed;
int client_fd, new_fd[3], ver, allowed, window, packetmax;
socklen_t addrlen;
struct sockaddr_storage addr;
struct confirm_ctx *cctx;
@ -900,9 +900,15 @@ client_process_control(fd_set *readset)
set_nonblock(client_fd);
window = CHAN_SES_WINDOW_DEFAULT;
packetmax = CHAN_SES_PACKET_DEFAULT;
if (cctx->want_tty) {
window >>= 1;
packetmax >>= 1;
}
c = channel_new("session", SSH_CHANNEL_OPENING,
new_fd[0], new_fd[1], new_fd[2],
CHAN_SES_WINDOW_DEFAULT, CHAN_SES_PACKET_DEFAULT,
new_fd[0], new_fd[1], new_fd[2], window, packetmax,
CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
/* XXX */
@ -1757,7 +1763,7 @@ client_request_agent(const char *request_type, int rchan)
error("Warning: this is probably a break-in attempt by a malicious server.");
return NULL;
}
sock = ssh_get_authentication_socket();
sock = ssh_get_authentication_socket();
if (sock < 0)
return NULL;
c = channel_new("authentication agent connection",

5
compat.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: compat.c,v 1.76 2006/08/03 03:34:42 deraadt Exp $ */
/* $OpenBSD: compat.c,v 1.77 2006/12/12 03:58:42 djm Exp $ */
/*
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
*
@ -133,7 +133,8 @@ compat_datafellows(const char *version)
{ "2.3.*", SSH_BUG_DEBUG|SSH_BUG_RSASIGMD5|
SSH_BUG_FIRSTKEX },
{ "2.4", SSH_OLD_SESSIONID }, /* Van Dyke */
{ "2.*", SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX },
{ "2.*", SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX|
SSH_BUG_RFWD_ADDR },
{ "3.0.*", SSH_BUG_DEBUG },
{ "3.0 SecureCRT*", SSH_OLD_SESSIONID },
{ "1.7 SecureFX*", SSH_OLD_SESSIONID },

3
compat.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: compat.h,v 1.40 2006/03/25 22:22:43 djm Exp $ */
/* $OpenBSD: compat.h,v 1.41 2006/12/12 03:58:42 djm Exp $ */
/*
* Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved.
@ -56,6 +56,7 @@
#define SSH_BUG_PROBE 0x00400000
#define SSH_BUG_FIRSTKEX 0x00800000
#define SSH_OLD_FORWARD_ADDR 0x01000000
#define SSH_BUG_RFWD_ADDR 0x02000000
void enable_compat13(void);
void enable_compat20(void);

1340
config.h.in Normal file
View File

File diff suppressed because it is too large Load Diff

29392
configure vendored Executable file
View File

File diff suppressed because it is too large Load Diff

27
configure.ac
View File

@ -1,4 +1,4 @@
# $Id: configure.ac,v 1.370 2006/10/06 23:07:21 dtucker Exp $
# $Id: configure.ac,v 1.372 2007/03/05 00:51:27 djm Exp $
#
# Copyright (c) 1999-2004 Damien Miller
#
@ -15,7 +15,7 @@
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
AC_REVISION($Revision: 1.370 $)
AC_REVISION($Revision: 1.372 $)
AC_CONFIG_SRCDIR([ssh.c])
AC_CONFIG_HEADER(config.h)
@ -360,7 +360,7 @@ int main(void) { exit(0); }
;;
*-*-cygwin*)
check_for_libcrypt_later=1
LIBS="$LIBS /usr/lib/textmode.o"
LIBS="$LIBS /usr/lib/textreadmode.o"
AC_DEFINE(HAVE_CYGWIN, 1, [Define if you are on Cygwin])
AC_DEFINE(USE_PIPES, 1, [Use PIPES instead of a socketpair()])
AC_DEFINE(DISABLE_SHADOW, 1,
@ -1857,6 +1857,14 @@ int main(void) {
]
)
AC_ARG_WITH(openssl-header-check,
[ --without-openssl-header-check Disable OpenSSL version consistency check],
[ if test "x$withval" = "xno" ; then
openssl_check_nonfatal=1
fi
]
)
# Sanity check OpenSSL headers
AC_MSG_CHECKING([whether OpenSSL's headers match the library])
AC_RUN_IFELSE(
@ -1870,9 +1878,18 @@ int main(void) { exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); }
],
[
AC_MSG_RESULT(no)
AC_MSG_ERROR([Your OpenSSL headers do not match your library.
Check config.log for details.
if test "x$openssl_check_nonfatal" = "x"; then
AC_MSG_ERROR([Your OpenSSL headers do not match your
library. Check config.log for details.
If you are sure your installation is consistent, you can disable the check
by running "./configure --without-openssl-header-check".
Also see contrib/findssl.sh for help identifying header/library mismatches.
])
else
AC_MSG_WARN([Your OpenSSL headers do not match your
library. Check config.log for details.
Also see contrib/findssl.sh for help identifying header/library mismatches.])
fi
],
[
AC_MSG_WARN([cross compiling: not checking])

15
contrib/Makefile Normal file
View File

@ -0,0 +1,15 @@
all:
@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
gnome-ssh-askpass1: gnome-ssh-askpass1.c
$(CC) `gnome-config --cflags gnome gnomeui` \
gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
`gnome-config --libs gnome gnomeui`
gnome-ssh-askpass2: gnome-ssh-askpass2.c
$(CC) `pkg-config --cflags gtk+-2.0` \
gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
`pkg-config --libs gtk+-2.0`
clean:
rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass

70
contrib/README Normal file
View File

@ -0,0 +1,70 @@
Other patches and addons for OpenSSH. Please send submissions to
djm@mindrot.org
Externally maintained
---------------------
SSH Proxy Command -- connect.c
Shun-ichi GOTO <gotoh@imasy.or.jp> has written a very useful ProxyCommand
which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or
https CONNECT style proxy server. His page for connect.c has extensive
documentation on its use as well as compiled versions for Win32.
http://www.taiyo.co.jp/~gotoh/ssh/connect.html
X11 SSH Askpass:
Jim Knoble <jmknoble@pobox.com> has written an excellent X11
passphrase requester. This is highly recommended:
http://www.jmknoble.net/software/x11-ssh-askpass/
In this directory
-----------------
ssh-copy-id:
Phil Hands' <phil@hands.com> shell script to automate the process of adding
your public key to a remote machine's ~/.ssh/authorized_keys file.
gnome-ssh-askpass[12]:
A GNOME and Gtk2 passphrase requesters. Use "make gnome-ssh-askpass1" or
"make gnome-ssh-askpass2" to build.
sshd.pam.generic:
A generic PAM config file which may be useful on your system. YMMV
sshd.pam.freebsd:
A PAM config file which works with FreeBSD's PAM port. Contributed by
Dominik Brettnacher <domi@saargate.de>
findssl.sh:
Search for all instances of OpenSSL headers and libraries and print their
versions. This is intended to help diagnose OpenSSH's "OpenSSL headers do not
match your library" errors.
aix:
Files to build an AIX native (installp or SMIT installable) package.
caldera:
RPM spec file and scripts for building Caldera OpenLinuix packages
cygwin:
Support files for Cygwin
hpux:
Support files for HP-UX
redhat:
RPM spec file and scripts for building Redhat packages
suse:
RPM spec file and scripts for building SuSE packages

50
contrib/aix/README Normal file
View File

@ -0,0 +1,50 @@
Overview:
This directory contains files to build an AIX native (installp or SMIT
installable) openssh package.
Directions:
(optional) create config.local in your build dir
./configure [options]
contrib/aix/buildbff.sh
The file config.local or the environment is read to set the following options
(default first):
PERMIT_ROOT_LOGIN=[no|yes]
X11_FORWARDING=[no|yes]
AIX_SRC=[no|yes]
Acknowledgements:
The contents of this directory are based on Ben Lindstrom's Solaris
buildpkg.sh. Ben also supplied inventory.sh.
Jim Abbey's (GPL'ed) lppbuild-2.1 was used to learn how to build .bff's
and for comparison with the output from this script, however no code
from lppbuild is included and it is not required for operation.
SRC support based on examples provided by Sandor Sklar and Maarten Kreuger.
PrivSep account handling fixes contributed by W. Earl Allen.
Other notes:
The script treats all packages as USR packages (not ROOT+USR when
appropriate). It seems to work, though......
If there are any patches to this that have not yet been integrated they
may be found at http://www.zip.com.au/~dtucker/openssh/.
Disclaimer:
It is hoped that it is useful but there is no warranty. If it breaks
you get to keep both pieces.
- Darren Tucker (dtucker at zip dot com dot au)
2002/03/01
$Id: README,v 1.4 2003/08/25 05:01:04 dtucker Exp $

381
contrib/aix/buildbff.sh Executable file
View File

@ -0,0 +1,381 @@
#!/bin/sh
#
# buildbff.sh: Create AIX SMIT-installable OpenSSH packages
# $Id$
#
# Author: Darren Tucker (dtucker at zip dot com dot au)
# This file is placed in the public domain and comes with absolutely
# no warranty.
#
# Based originally on Ben Lindstrom's buildpkg.sh for Solaris
#
#
# Tunable configuration settings
# create a "config.local" in your build directory or set
# environment variables to override these.
#
[ -z "$PERMIT_ROOT_LOGIN" ] && PERMIT_ROOT_LOGIN=no
[ -z "$X11_FORWARDING" ] && X11_FORWARDING=no
[ -z "$AIX_SRC" ] && AIX_SRC=no
umask 022
startdir=`pwd`
perl -v >/dev/null || (echo perl required; exit 1)
# Path to inventory.sh: same place as buildbff.sh
if echo $0 | egrep '^/'
then
inventory=`dirname $0`/inventory.sh # absolute path
else
inventory=`pwd`/`dirname $0`/inventory.sh # relative path
fi
#
# We still support running from contrib/aix, but this is deprecated
#
if pwd | egrep 'contrib/aix$'
then
echo "Changing directory to `pwd`/../.."
echo "Please run buildbff.sh from your build directory in future."
cd ../..
contribaix=1
fi
if [ ! -f Makefile ]
then
echo "Makefile not found (did you run configure?)"
exit 1
fi
#
# Directories used during build:
# current dir = $objdir directory you ran ./configure in.
# $objdir/$PKGDIR/ directory package files are constructed in
# $objdir/$PKGDIR/root/ package root ($FAKE_ROOT)
#
objdir=`pwd`
PKGNAME=openssh
PKGDIR=package
#
# Collect local configuration settings to override defaults
#
if [ -s ./config.local ]
then
echo Reading local settings from config.local
. ./config.local
fi
#
# Fill in some details from Makefile, like prefix and sysconfdir
# the eval also expands variables like sysconfdir=${prefix}/etc
# provided they are eval'ed in the correct order
#
for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir mansubdir sysconfdir piddir srcdir
do
eval $confvar=`grep "^$confvar=" $objdir/Makefile | cut -d = -f 2`
done
#
# Collect values of privsep user and privsep path
# currently only found in config.h
#
for confvar in SSH_PRIVSEP_USER PRIVSEP_PATH
do
eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' $objdir/config.h`
done
# Set privsep defaults if not defined
if [ -z "$SSH_PRIVSEP_USER" ]
then
SSH_PRIVSEP_USER=sshd
fi
if [ -z "$PRIVSEP_PATH" ]
then
PRIVSEP_PATH=/var/empty
fi
# Clean package build directory
rm -rf $objdir/$PKGDIR
FAKE_ROOT=$objdir/$PKGDIR/root
mkdir -p $FAKE_ROOT
# Start by faking root install
echo "Faking root install..."
cd $objdir
make install-nokeys DESTDIR=$FAKE_ROOT
if [ $? -gt 0 ]
then
echo "Fake root install failed, stopping."
exit 1
fi
#
# Copy informational files to include in package
#
cp $srcdir/LICENCE $objdir/$PKGDIR/
cp $srcdir/README* $objdir/$PKGDIR/
#
# Extract common info requires for the 'info' part of the package.
# AIX requires 4-part version numbers
#
VERSION=`./ssh -V 2>&1 | cut -f 1 -d , | cut -f 2 -d _`
MAJOR=`echo $VERSION | cut -f 1 -d p | cut -f 1 -d .`
MINOR=`echo $VERSION | cut -f 1 -d p | cut -f 2 -d .`
PATCH=`echo $VERSION | cut -f 1 -d p | cut -f 3 -d .`
PORTABLE=`echo $VERSION | awk 'BEGIN{FS="p"}{print $2}'`
[ "$PATCH" = "" ] && PATCH=0
[ "$PORTABLE" = "" ] && PORTABLE=0
BFFVERSION=`printf "%d.%d.%d.%d" $MAJOR $MINOR $PATCH $PORTABLE`
echo "Building BFF for $PKGNAME $VERSION (package version $BFFVERSION)"
#
# Set ssh and sshd parameters as per config.local
#
if [ "${PERMIT_ROOT_LOGIN}" = no ]
then
perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
$FAKE_ROOT/${sysconfdir}/sshd_config
fi
if [ "${X11_FORWARDING}" = yes ]
then
perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
$FAKE_ROOT/${sysconfdir}/sshd_config
fi
# Rename config files; postinstall script will copy them if necessary
for cfgfile in ssh_config sshd_config ssh_prng_cmds
do
mv $FAKE_ROOT/$sysconfdir/$cfgfile $FAKE_ROOT/$sysconfdir/$cfgfile.default
done
#
# Generate lpp control files.
# working dir is $FAKE_ROOT but files are generated in dir above
# and moved into place just before creation of .bff
#
cd $FAKE_ROOT
echo Generating LPP control files
find . ! -name . -print >../openssh.al
$inventory >../openssh.inventory
cat <<EOD >../openssh.copyright
This software is distributed under a BSD-style license.
For the full text of the license, see /usr/lpp/openssh/LICENCE
EOD
#
# openssh.size file allows filesystem expansion as required
# generate list of directories containing files
# then calculate disk usage for each directory and store in openssh.size
#
files=`find . -type f -print`
dirs=`for file in $files; do dirname $file; done | sort -u`
for dir in $dirs
do
du $dir
done > ../openssh.size
#
# Create postinstall script
#
cat <<EOF >>../openssh.post_i
#!/bin/sh
echo Creating configs from defaults if necessary.
for cfgfile in ssh_config sshd_config ssh_prng_cmds
do
if [ ! -f $sysconfdir/\$cfgfile ]
then
echo "Creating \$cfgfile from default"
cp $sysconfdir/\$cfgfile.default $sysconfdir/\$cfgfile
else
echo "\$cfgfile already exists."
fi
done
echo
# Create PrivilegeSeparation user and group if not present
echo Checking for PrivilegeSeparation user and group.
if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
then
echo "PrivSep group $SSH_PRIVSEP_USER already exists."
else
echo "Creating PrivSep group $SSH_PRIVSEP_USER."
mkgroup -A $SSH_PRIVSEP_USER
fi
# Create user if required
if lsuser "$SSH_PRIVSEP_USER" >/dev/null
then
echo "PrivSep user $SSH_PRIVSEP_USER already exists."
else
echo "Creating PrivSep user $SSH_PRIVSEP_USER."
mkuser gecos='SSHD PrivSep User' login=false rlogin=false account_locked=true pgrp=$SSH_PRIVSEP_USER $SSH_PRIVSEP_USER
fi
if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null
then
echo UsePrivilegeSeparation not enabled, privsep directory not required.
else
# create chroot directory if required
if [ -d $PRIVSEP_PATH ]
then
echo "PrivSep chroot directory $PRIVSEP_PATH already exists."
else
echo "Creating PrivSep chroot directory $PRIVSEP_PATH."
mkdir $PRIVSEP_PATH
chown 0 $PRIVSEP_PATH
chgrp 0 $PRIVSEP_PATH
chmod 755 $PRIVSEP_PATH
fi
fi
echo
# Generate keys unless they already exist
echo Creating host keys if required.
if [ -f "$sysconfdir/ssh_host_key" ] ; then
echo "$sysconfdir/ssh_host_key already exists, skipping."
else
$bindir/ssh-keygen -t rsa1 -f $sysconfdir/ssh_host_key -N ""
fi
if [ -f $sysconfdir/ssh_host_dsa_key ] ; then
echo "$sysconfdir/ssh_host_dsa_key already exists, skipping."
else
$bindir/ssh-keygen -t dsa -f $sysconfdir/ssh_host_dsa_key -N ""
fi
if [ -f $sysconfdir/ssh_host_rsa_key ] ; then
echo "$sysconfdir/ssh_host_rsa_key already exists, skipping."
else
$bindir/ssh-keygen -t rsa -f $sysconfdir/ssh_host_rsa_key -N ""
fi
echo
# Set startup command depending on SRC support
if [ "$AIX_SRC" = "yes" ]
then
echo Creating SRC sshd subsystem.
rmssys -s sshd 2>&1 >/dev/null
mkssys -s sshd -p "$sbindir/sshd" -a '-D' -u 0 -S -n 15 -f 9 -R -G tcpip
startupcmd="start $sbindir/sshd \\\"\\\$src_running\\\""
oldstartcmd="$sbindir/sshd"
else
startupcmd="$sbindir/sshd"
oldstartcmd="start $sbindir/sshd \\\"$src_running\\\""
fi
# If migrating to or from SRC, change previous startup command
# otherwise add to rc.tcpip
if egrep "^\$oldstartcmd" /etc/rc.tcpip >/dev/null
then
if sed "s|^\$oldstartcmd|\$startupcmd|g" /etc/rc.tcpip >/etc/rc.tcpip.new
then
chmod 0755 /etc/rc.tcpip.new
mv /etc/rc.tcpip /etc/rc.tcpip.old && \
mv /etc/rc.tcpip.new /etc/rc.tcpip
else
echo "Updating /etc/rc.tcpip failed, please check."
fi
else
# Add to system startup if required
if grep "^\$startupcmd" /etc/rc.tcpip >/dev/null
then
echo "sshd found in rc.tcpip, not adding."
else
echo "Adding sshd to rc.tcpip"
echo >>/etc/rc.tcpip
echo "# Start sshd" >>/etc/rc.tcpip
echo "\$startupcmd" >>/etc/rc.tcpip
fi
fi
EOF
#
# Create liblpp.a and move control files into it
#
echo Creating liblpp.a
(
cd ..
for i in openssh.al openssh.copyright openssh.inventory openssh.post_i openssh.size LICENCE README*
do
ar -r liblpp.a $i
rm $i
done
)
#
# Create lpp_name
#
# This will end up looking something like:
# 4 R I OpenSSH {
# OpenSSH 3.0.2.1 1 N U en_US OpenSSH 3.0.2p1 Portable for AIX
# [
# %
# /usr/local/bin 8073
# /usr/local/etc 189
# /usr/local/libexec 185
# /usr/local/man/man1 145
# /usr/local/man/man8 83
# /usr/local/sbin 2105
# /usr/local/share 3
# %
# ]
# }
echo Creating lpp_name
cat <<EOF >../lpp_name
4 R I $PKGNAME {
$PKGNAME $BFFVERSION 1 N U en_US OpenSSH $VERSION Portable for AIX
[
%
EOF
for i in $bindir $sysconfdir $libexecdir $mandir/${mansubdir}1 $mandir/${mansubdir}8 $sbindir $datadir /usr/lpp/openssh
do
# get size in 512 byte blocks
if [ -d $FAKE_ROOT/$i ]
then
size=`du $FAKE_ROOT/$i | awk '{print $1}'`
echo "$i $size" >>../lpp_name
fi
done
echo '%' >>../lpp_name
echo ']' >>../lpp_name
echo '}' >>../lpp_name
#
# Move pieces into place
#
mkdir -p usr/lpp/openssh
mv ../liblpp.a usr/lpp/openssh
mv ../lpp_name .
#
# Now invoke backup to create .bff file
# note: lpp_name needs to be the first file so we generate the
# file list on the fly and feed it to backup using -i
#
echo Creating $PKGNAME-$VERSION.bff with backup...
rm -f $PKGNAME-$VERSION.bff
(
echo "./lpp_name"
find . ! -name lpp_name -a ! -name . -print
) | backup -i -q -f ../$PKGNAME-$VERSION.bff $filelist
#
# Move package into final location and clean up
#
mv ../$PKGNAME-$VERSION.bff $startdir
cd $startdir
rm -rf $objdir/$PKGDIR
echo $0: done.

63
contrib/aix/inventory.sh Executable file
View File

@ -0,0 +1,63 @@
#!/bin/sh
#
# inventory.sh
# $Id$
#
# Originally written by Ben Lindstrom, modified by Darren Tucker to use perl
# This file is placed into the public domain.
#
# This will produce an AIX package inventory file, which looks like:
#
# /usr/local/bin:
# class=apply,inventory,openssh
# owner=root
# group=system
# mode=755
# type=DIRECTORY
# /usr/local/bin/slogin:
# class=apply,inventory,openssh
# owner=root
# group=system
# mode=777
# type=SYMLINK
# target=ssh
# /usr/local/share/Ssh.bin:
# class=apply,inventory,openssh
# owner=root
# group=system
# mode=644
# type=FILE
# size=VOLATILE
# checksum=VOLATILE
find . ! -name . -print | perl -ne '{
chomp;
if ( -l $_ ) {
($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=lstat;
} else {
($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=stat;
}
# Start to display inventory information
$name = $_;
$name =~ s|^.||; # Strip leading dot from path
print "$name:\n";
print "\tclass=apply,inventory,openssh\n";
print "\towner=root\n";
print "\tgroup=system\n";
printf "\tmode=%lo\n", $mod & 07777; # Mask perm bits
if ( -l $_ ) {
# Entry is SymLink
print "\ttype=SYMLINK\n";
printf "\ttarget=%s\n", readlink($_);
} elsif ( -f $_ ) {
# Entry is File
print "\ttype=FILE\n";
print "\tsize=$sz\n";
print "\tchecksum=VOLATILE\n";
} elsif ( -d $_ ) {
# Entry is Directory
print "\ttype=DIRECTORY\n";
}
}'

20
contrib/aix/pam.conf Normal file
View File

@ -0,0 +1,20 @@
#
# PAM configuration file /etc/pam.conf
# Example for OpenSSH on AIX 5.2
#
# Authentication Management
sshd auth required /usr/lib/security/pam_aix
OTHER auth required /usr/lib/security/pam_aix
# Account Management
sshd account required /usr/lib/security/pam_aix
OTHER account required /usr/lib/security/pam_aix
# Password Management
sshd password required /usr/lib/security/pam_aix
OTHER password required /usr/lib/security/pam_aix
# Session Management
sshd session required /usr/lib/security/pam_aix
OTHER session required /usr/lib/security/pam_aix

360
contrib/caldera/openssh.spec Normal file
View File

@ -0,0 +1,360 @@
# Some of this will need re-evaluation post-LSB. The SVIdir is there
# because the link appeared broken. The rest is for easy compilation,
# the tradeoff open to discussion. (LC957)
%define SVIdir /etc/rc.d/init.d
%{!?_defaultdocdir:%define _defaultdocdir %{_prefix}/share/doc/packages}
%{!?SVIcdir:%define SVIcdir /etc/sysconfig/daemons}
%define _mandir %{_prefix}/share/man/en
%define _sysconfdir /etc/ssh
%define _libexecdir %{_libdir}/ssh
# Do we want to disable root_login? (1=yes 0=no)
%define no_root_login 0
#old cvs stuff. please update before use. may be deprecated.
%define use_stable 1
%if %{use_stable}
%define version 4.6p1
%define cvs %{nil}
%define release 1
%else
%define version 4.1p1
%define cvs cvs20050315
%define release 0r1
%endif
%define xsa x11-ssh-askpass
%define askpass %{xsa}-1.2.4.1
# OpenSSH privilege separation requires a user & group ID
%define sshd_uid 67
%define sshd_gid 67
Name : openssh
Version : %{version}%{cvs}
Release : %{release}
Group : System/Network
Summary : OpenSSH free Secure Shell (SSH) implementation.
Summary(de) : OpenSSH - freie Implementation der Secure Shell (SSH).
Summary(es) : OpenSSH implementación libre de Secure Shell (SSH).
Summary(fr) : Implémentation libre du shell sécurisé OpenSSH (SSH).
Summary(it) : Implementazione gratuita OpenSSH della Secure Shell.
Summary(pt) : Implementação livre OpenSSH do protocolo 'Secure Shell' (SSH).
Summary(pt_BR) : Implementação livre OpenSSH do protocolo Secure Shell (SSH).
Copyright : BSD
Packager : Raymund Will <ray@caldera.de>
URL : http://www.openssh.com/
Obsoletes : ssh, ssh-clients, openssh-clients
BuildRoot : /tmp/%{name}-%{version}
BuildRequires : XFree86-imake
# %{use_stable}==1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
# %{use_stable}==0: :pserver:cvs@bass.directhit.com:/cvs/openssh_cvs
Source0: see-above:/.../openssh-%{version}.tar.gz
%if %{use_stable}
Source1: see-above:/.../openssh-%{version}.tar.gz.sig
%endif
Source2: http://www.jmknoble.net/software/%{xsa}/%{askpass}.tar.gz
Source3: http://www.openssh.com/faq.html
%Package server
Group : System/Network
Requires : openssh = %{version}
Obsoletes : ssh-server
Summary : OpenSSH Secure Shell protocol server (sshd).
Summary(de) : OpenSSH Secure Shell Protocol-Server (sshd).
Summary(es) : Servidor del protocolo OpenSSH Secure Shell (sshd).
Summary(fr) : Serveur de protocole du shell sécurisé OpenSSH (sshd).
Summary(it) : Server OpenSSH per il protocollo Secure Shell (sshd).
Summary(pt) : Servidor do protocolo 'Secure Shell' OpenSSH (sshd).
Summary(pt_BR) : Servidor do protocolo Secure Shell OpenSSH (sshd).
%Package askpass
Group : System/Network
Requires : openssh = %{version}
URL : http://www.jmknoble.net/software/x11-ssh-askpass/
Obsoletes : ssh-extras
Summary : OpenSSH X11 pass-phrase dialog.
Summary(de) : OpenSSH X11 Passwort-Dialog.
Summary(es) : Aplicación de petición de frase clave OpenSSH X11.
Summary(fr) : Dialogue pass-phrase X11 d'OpenSSH.
Summary(it) : Finestra di dialogo X11 per la frase segreta di OpenSSH.
Summary(pt) : Diálogo de pedido de senha para X11 do OpenSSH.
Summary(pt_BR) : Diálogo de pedido de senha para X11 do OpenSSH.
%Description
OpenSSH (Secure Shell) provides access to a remote system. It replaces
telnet, rlogin, rexec, and rsh, and provides secure encrypted
communications between two untrusted hosts over an insecure network.
X11 connections and arbitrary TCP/IP ports can also be forwarded over
the secure channel.
%Description -l de
OpenSSH (Secure Shell) stellt den Zugang zu anderen Rechnern her. Es ersetzt
telnet, rlogin, rexec und rsh und stellt eine sichere, verschlüsselte
Verbindung zwischen zwei nicht vertrauenswürdigen Hosts über eine unsicheres
Netzwerk her. X11 Verbindungen und beliebige andere TCP/IP Ports können ebenso
über den sicheren Channel weitergeleitet werden.
%Description -l es
OpenSSH (Secure Shell) proporciona acceso a sistemas remotos. Reemplaza a
telnet, rlogin, rexec, y rsh, y proporciona comunicaciones seguras encriptadas
entre dos equipos entre los que no se ha establecido confianza a través de una
red insegura. Las conexiones X11 y puertos TCP/IP arbitrarios también pueden
ser canalizadas sobre el canal seguro.
%Description -l fr
OpenSSH (Secure Shell) fournit un accès à un système distant. Il remplace
telnet, rlogin, rexec et rsh, tout en assurant des communications cryptées
securisées entre deux hôtes non fiabilisés sur un réseau non sécurisé. Des
connexions X11 et des ports TCP/IP arbitraires peuvent également être
transmis sur le canal sécurisé.
%Description -l it
OpenSSH (Secure Shell) fornisce l'accesso ad un sistema remoto.
Sostituisce telnet, rlogin, rexec, e rsh, e fornisce comunicazioni sicure
e crittate tra due host non fidati su una rete non sicura. Le connessioni
X11 ad una porta TCP/IP arbitraria possono essere inoltrate attraverso
un canale sicuro.
%Description -l pt
OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e cifradas
entre duas máquinas sem confiança mútua sobre uma rede insegura.
Ligações X11 e portos TCP/IP arbitrários também poder ser reenviados
pelo canal seguro.
%Description -l pt_BR
O OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e criptografadas
entre duas máquinas sem confiança mútua sobre uma rede insegura.
Ligações X11 e portas TCP/IP arbitrárias também podem ser reenviadas
pelo canal seguro.
%Description server
This package installs the sshd, the server portion of OpenSSH.
%Description -l de server
Dieses Paket installiert den sshd, den Server-Teil der OpenSSH.
%Description -l es server
Este paquete instala sshd, la parte servidor de OpenSSH.
%Description -l fr server
Ce paquetage installe le 'sshd', partie serveur de OpenSSH.
%Description -l it server
Questo pacchetto installa sshd, il server di OpenSSH.
%Description -l pt server
Este pacote intala o sshd, o servidor do OpenSSH.
%Description -l pt_BR server
Este pacote intala o sshd, o servidor do OpenSSH.
%Description askpass
This package contains an X11-based pass-phrase dialog used per
default by ssh-add(1). It is based on %{askpass}
by Jim Knoble <jmknoble@pobox.com>.
%Prep
%setup %([ -z "%{cvs}" ] || echo "-n %{name}_cvs") -a2
%if ! %{use_stable}
autoreconf
%endif
%Build
CFLAGS="$RPM_OPT_FLAGS" \
%configure \
--with-pam \
--with-tcp-wrappers \
--with-privsep-path=%{_var}/empty/sshd \
#leave this line for easy edits.
%__make CFLAGS="$RPM_OPT_FLAGS"
cd %{askpass}
%configure \
#leave this line for easy edits.
xmkmf
%__make includes
%__make
%Install
[ %{buildroot} != "/" ] && rm -rf %{buildroot}
make install DESTDIR=%{buildroot}
%makeinstall -C %{askpass} \
BINDIR=%{_libexecdir} \
MANPATH=%{_mandir} \
DESTDIR=%{buildroot}
# OpenLinux specific configuration
mkdir -p %{buildroot}{/etc/pam.d,%{SVIcdir},%{SVIdir}}
mkdir -p %{buildroot}%{_var}/empty/sshd
# enabling X11 forwarding on the server is convenient and okay,
# on the client side it's a potential security risk!
%__perl -pi -e 's:#X11Forwarding no:X11Forwarding yes:g' \
%{buildroot}%{_sysconfdir}/sshd_config
%if %{no_root_login}
%__perl -pi -e 's:#PermitRootLogin yes:PermitRootLogin no:g' \
%{buildroot}%{_sysconfdir}/sshd_config
%endif
install -m644 contrib/caldera/sshd.pam %{buildroot}/etc/pam.d/sshd
# FIXME: disabled, find out why this doesn't work with nis
%__perl -pi -e 's:(.*pam_limits.*):#$1:' \
%{buildroot}/etc/pam.d/sshd
install -m 0755 contrib/caldera/sshd.init %{buildroot}%{SVIdir}/sshd
# the last one is needless, but more future-proof
find %{buildroot}%{SVIdir} -type f -exec \
%__perl -pi -e 's:\@SVIdir\@:%{SVIdir}:g;\
s:\@sysconfdir\@:%{_sysconfdir}:g; \
s:/usr/sbin:%{_sbindir}:g'\
\{\} \;
cat <<-EoD > %{buildroot}%{SVIcdir}/sshd
IDENT=sshd
DESCRIPTIVE="OpenSSH secure shell daemon"
# This service will be marked as 'skipped' on boot if there
# is no host key. Use ssh-host-keygen to generate one
ONBOOT="yes"
OPTIONS=""
EoD
SKG=%{buildroot}%{_sbindir}/ssh-host-keygen
install -m 0755 contrib/caldera/ssh-host-keygen $SKG
# Fix up some path names in the keygen toy^Hol
%__perl -pi -e 's:\@sysconfdir\@:%{_sysconfdir}:g; \
s:\@sshkeygen\@:%{_bindir}/ssh-keygen:g' \
%{buildroot}%{_sbindir}/ssh-host-keygen
# This looks terrible. Expect it to change.
# install remaining docs
DocD="%{buildroot}%{_defaultdocdir}/%{name}-%{version}"
mkdir -p $DocD/%{askpass}
cp -a CREDITS ChangeLog LICENCE OVERVIEW README* TODO $DocD
install -p -m 0444 %{SOURCE3} $DocD/faq.html
cp -a %{askpass}/{README,ChangeLog,TODO,SshAskpass*.ad} $DocD/%{askpass}
%if %{use_stable}
cp -p %{askpass}/%{xsa}.man $DocD/%{askpass}/%{xsa}.1
%else
cp -p %{askpass}/%{xsa}.man %{buildroot}%{_mandir}man1/%{xsa}.1
ln -s %{xsa}.1 %{buildroot}%{_mandir}man1/ssh-askpass.1
%endif
find %{buildroot}%{_mandir} -type f -not -name '*.gz' -print0 | xargs -0r %__gzip -9nf
rm %{buildroot}%{_mandir}/man1/slogin.1 && \
ln -s %{_mandir}/man1/ssh.1.gz \
%{buildroot}%{_mandir}/man1/slogin.1.gz
%Clean
#%{rmDESTDIR}
[ %{buildroot} != "/" ] && rm -rf %{buildroot}
%Post
# Generate host key when none is present to get up and running,
# both client and server require this for host-based auth!
# ssh-host-keygen checks for existing keys.
/usr/sbin/ssh-host-keygen
: # to protect the rpm database
%pre server
%{_sbindir}/groupadd -g %{sshd_gid} sshd 2>/dev/null || :
%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
-c "SSH Daemon virtual user" -g sshd sshd 2>/dev/null || :
: # to protect the rpm database
%Post server
if [ -x %{LSBinit}-install ]; then
%{LSBinit}-install sshd
else
lisa --SysV-init install sshd S55 2:3:4:5 K45 0:1:6
fi
! %{SVIdir}/sshd status || %{SVIdir}/sshd restart
: # to protect the rpm database
%PreUn server
[ "$1" = 0 ] || exit 0
! %{SVIdir}/sshd status || %{SVIdir}/sshd stop
if [ -x %{LSBinit}-remove ]; then
%{LSBinit}-remove sshd
else
lisa --SysV-init remove sshd $1
fi
: # to protect the rpm database
%Files
%defattr(-,root,root)
%dir %{_sysconfdir}
%config %{_sysconfdir}/ssh_config
%{_bindir}/scp
%{_bindir}/sftp
%{_bindir}/ssh
%{_bindir}/slogin
%{_bindir}/ssh-add
%attr(2755,root,nobody) %{_bindir}/ssh-agent
%{_bindir}/ssh-keygen
%{_bindir}/ssh-keyscan
%dir %{_libexecdir}
%attr(4711,root,root) %{_libexecdir}/ssh-keysign
%{_sbindir}/ssh-host-keygen
%dir %{_defaultdocdir}/%{name}-%{version}
%{_defaultdocdir}/%{name}-%{version}/CREDITS
%{_defaultdocdir}/%{name}-%{version}/ChangeLog
%{_defaultdocdir}/%{name}-%{version}/LICENCE
%{_defaultdocdir}/%{name}-%{version}/OVERVIEW
%{_defaultdocdir}/%{name}-%{version}/README*
%{_defaultdocdir}/%{name}-%{version}/TODO
%{_defaultdocdir}/%{name}-%{version}/faq.html
%{_mandir}/man1/*
%{_mandir}/man8/ssh-keysign.8.gz
%{_mandir}/man5/ssh_config.5.gz
%Files server
%defattr(-,root,root)
%dir %{_var}/empty/sshd
%config %{SVIdir}/sshd
%config /etc/pam.d/sshd
%config %{_sysconfdir}/moduli
%config %{_sysconfdir}/sshd_config
%config %{SVIcdir}/sshd
%{_libexecdir}/sftp-server
%{_sbindir}/sshd
%{_mandir}/man5/sshd_config.5.gz
%{_mandir}/man8/sftp-server.8.gz
%{_mandir}/man8/sshd.8.gz
%Files askpass
%defattr(-,root,root)
%{_libexecdir}/ssh-askpass
%{_libexecdir}/x11-ssh-askpass
%{_defaultdocdir}/%{name}-%{version}/%{askpass}
%ChangeLog
* Mon Jan 01 1998 ...
Template Version: 1.31
$Id: openssh.spec,v 1.60 2007/03/06 10:23:27 djm Exp $

36
contrib/caldera/ssh-host-keygen Executable file
View File

@ -0,0 +1,36 @@
#! /bin/sh
#
# $Id: ssh-host-keygen,v 1.2 2003/11/21 12:48:57 djm Exp $
#
# This script is normally run only *once* for a given host
# (in a given period of time) -- on updates/upgrades/recovery
# the ssh_host_key* files _should_ be retained! Otherwise false
# "man-in-the-middle-attack" alerts will frighten unsuspecting
# clients...
keydir=@sysconfdir@
keygen=@sshkeygen@
if [ -f $keydir/ssh_host_key -o \
-f $keydir/ssh_host_key.pub ]; then
echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key."
else
echo "Generating 1024 bit SSH1 RSA host key."
$keygen -b 1024 -t rsa1 -f $keydir/ssh_host_key -C '' -N ''
fi
if [ -f $keydir/ssh_host_rsa_key -o \
-f $keydir/ssh_host_rsa_key.pub ]; then
echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key."
else
echo "Generating 1024 bit SSH2 RSA host key."
$keygen -b 1024 -t rsa -f $keydir/ssh_host_rsa_key -C '' -N ''
fi
if [ -f $keydir/ssh_host_dsa_key -o \
-f $keydir/ssh_host_dsa_key.pub ]; then
echo "You already have an SSH2 DSA host key in $keydir/ssh_host_dsa_key."
else
echo "Generating SSH2 DSA host key."
$keygen -t dsa -f $keydir/ssh_host_dsa_key -C '' -N ''
fi

125
contrib/caldera/sshd.init Executable file
View File

@ -0,0 +1,125 @@
#! /bin/bash
#
# $Id: sshd.init,v 1.4 2003/11/21 12:48:57 djm Exp $
#
### BEGIN INIT INFO
# Provides:
# Required-Start: $network
# Required-Stop:
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6
# Description: sshd
# Bring up/down the OpenSSH secure shell daemon.
### END INIT INFO
#
# Written by Miquel van Smoorenburg <miquels@drinkel.ow.org>.
# Modified for Debian GNU/Linux by Ian Murdock <imurdock@gnu.ai.mit.edu>.
# Modified for OpenLinux by Raymund Will <ray@caldera.de>
NAME=sshd
DAEMON=/usr/sbin/$NAME
# Hack-Alert(TM)! This is necessary to get around the 'reload'-problem
# created by recent OpenSSH daemon/ssd combinations. See Caldera internal
# PR [linux/8278] for details...
PIDF=/var/run/$NAME.pid
NAME=$DAEMON
_status() {
[ -z "$1" ] || local pidf="$1"
local ret=-1
local pid
if [ -n "$pidf" ] && [ -r "$pidf" ]; then
pid=$(head -1 $pidf)
else
pid=$(pidof $NAME)
fi
if [ ! -e $SVIlock ]; then
# no lock-file => not started == stopped?
ret=3
elif [ -n "$pidf" -a ! -f "$pidf" ] || [ -z "$pid" ]; then
# pid-file given but not present or no pid => died, but was not stopped
ret=2
elif [ -r /proc/$pid/cmdline ] &&
echo -ne $NAME'\000' | cmp -s - /proc/$pid/cmdline; then
# pid-file given and present or pid found => check process...
# but don't compare exe, as this will fail after an update!
# compares OK => all's well, that ends well...
ret=0
else
# no such process or exe does not match => stale pid-file or process died
# just recently...
ret=1
fi
return $ret
}
# Source function library (and set vital variables).
. @SVIdir@/functions
case "$1" in
start)
[ ! -e $SVIlock ] || exit 0
[ -x $DAEMON ] || exit 5
SVIemptyConfig @sysconfdir@/sshd_config && exit 6
if [ ! \( -f @sysconfdir@/ssh_host_key -a \
-f @sysconfdir@/ssh_host_key.pub \) -a \
! \( -f @sysconfdir@/ssh_host_rsa_key -a \
-f @sysconfdir@/ssh_host_rsa_key.pub \) -a \
! \( -f @sysconfdir@/ssh_host_dsa_key -a \
-f @sysconfdir@/ssh_host_dsa_key.pub \) ]; then
echo "$SVIsubsys: host key not initialized: skipped!"
echo "$SVIsubsys: use ssh-host-keygen to generate one!"
exit 6
fi
echo -n "Starting $SVIsubsys services: "
ssd -S -x $DAEMON -n $NAME -- $OPTIONS
ret=$?
echo "."
touch $SVIlock
;;
stop)
[ -e $SVIlock ] || exit 0
echo -n "Stopping $SVIsubsys services: "
ssd -K -p $PIDF -n $NAME
ret=$?
echo "."
rm -f $SVIlock
;;
force-reload|reload)
[ -e $SVIlock ] || exit 0
echo "Reloading $SVIsubsys configuration files: "
ssd -K --signal 1 -q -p $PIDF -n $NAME
ret=$?
echo "done."
;;
restart)
$0 stop
$0 start
ret=$?
;;
status)
_status $PIDF
ret=$?
;;
*)
echo "Usage: $SVIscript {[re]start|stop|[force-]reload|status}"
ret=2
;;
esac
exit $ret

8
contrib/caldera/sshd.pam Normal file
View File

@ -0,0 +1,8 @@
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nodelay
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session required /lib/security/pam_pwdb.so
session required /lib/security/pam_limits.so

56
contrib/cygwin/Makefile Normal file
View File

@ -0,0 +1,56 @@
srcdir=../..
prefix=/usr
exec_prefix=$(prefix)
bindir=$(prefix)/bin
datadir=$(prefix)/share
docdir=$(datadir)/doc
sshdocdir=$(docdir)/openssh
cygdocdir=$(docdir)/Cygwin
sysconfdir=/etc
defaultsdir=$(sysconfdir)/defaults/etc
PRIVSEP_PATH=/var/empty
INSTALL=/usr/bin/install -c
DESTDIR=
all:
@echo
@echo "Use \`make cygwin-postinstall DESTDIR=[package directory]'"
@echo "Be sure having DESTDIR set correctly!"
@echo
move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config
$(srcdir)/mkinstalldirs $(DESTDIR)$(defaultsdir)
mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir)
mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir)
remove-empty-dir:
rm -rf $(DESTDIR)$(PRIVSEP_PATH)
install-sshdoc:
$(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir)
$(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
$(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
$(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
$(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
$(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
$(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
$(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard
$(INSTALL) -m 644 $(srcdir)/RFC.nroff $(DESTDIR)$(sshdocdir)/RFC.nroff
$(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
$(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG
install-cygwindoc: README
$(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir)
$(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README
install-doc: install-sshdoc install-cygwindoc
install-scripts: ssh-host-config ssh-user-config
$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
$(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config
$(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config
cygwin-postinstall: move-config-files remove-empty-dir install-doc install-scripts
@echo "Cygwin specific configuration finished."

233
contrib/cygwin/README Normal file
View File

@ -0,0 +1,233 @@
This package describes important Cygwin specific stuff concerning OpenSSH.
The binary package is usually built for recent Cygwin versions and might
not run on older versions. Please check http://cygwin.com/ for information
about current Cygwin releases.
Build instructions are at the end of the file.
===========================================================================
Important change since 3.7.1p2-2:
The ssh-host-config file doesn't create the /etc/ssh_config and
/etc/sshd_config files from builtin here-scripts anymore, but it uses
skeleton files installed in /etc/defaults/etc.
Also it now tries hard to create appropriate permissions on files.
Same applies for ssh-user-config.
After creating the sshd service with ssh-host-config, it's advisable to
call ssh-user-config for all affected users, also already exising user
configurations. In the latter case, file and directory permissions are
checked and changed, if requireed to match the host configuration.
Important note for Windows 2003 Server users:
---------------------------------------------
2003 Server has a funny new feature. When starting services under SYSTEM
account, these services have nearly all user rights which SYSTEM holds...
except for the "Create a token object" right, which is needed to allow
public key authentication :-(
There's no way around this, except for creating a substitute account which
has the appropriate privileges. Basically, this account should be member
of the administrators group, plus it should have the following user rights:
Create a token object
Logon as a service
Replace a process level token
Increase Quota
The ssh-host-config script asks you, if it should create such an account,
called "sshd_server". If you say "no" here, you're on your own. Please
follow the instruction in ssh-host-config exactly if possible. Note that
ssh-user-config sets the permissions on 2003 Server machines dependent of
whether a sshd_server account exists or not.
===========================================================================
===========================================================================
Important change since 3.4p1-2:
This version adds privilege separation as default setting, see
/usr/doc/openssh/README.privsep. According to that document the
privsep feature requires a non-privileged account called 'sshd'.
The new ssh-host-config file which is part of this version asks
to create 'sshd' as local user if you want to use privilege
separation. If you confirm, it creates that NT user and adds
the necessary entry to /etc/passwd.
On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
since that feature doesn't make any sense on a system which doesn't
differ between privileged and unprivileged users.
The new ssh-host-config script also adds the /var/empty directory
needed by privilege separation. When creating the /var/empty directory
by yourself, please note that in contrast to the README.privsep document
the owner sshould not be "root" but the user which is running sshd. So,
in the standard configuration this is SYSTEM. The ssh-host-config script
chowns /var/empty accordingly.
===========================================================================
===========================================================================
Important change since 3.0.1p1-2:
This version introduces the ability to register sshd as service on
Windows 9x/Me systems. This is done only when the options -D and/or
-d are not given.
===========================================================================
===========================================================================
Important change since 2.9p2:
Since Cygwin is able to switch user context without password beginning
with version 1.3.2, OpenSSH now allows to do so when it's running under
a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
allow that feature.
===========================================================================
===========================================================================
Important change since 2.3.0p1:
When using `ntea' or `ntsec' you now have to care for the ownership
and permission bits of your host key files and your private key files.
The host key files have to be owned by the NT account which starts
sshd. The user key files have to be owned by the user. The permission
bits of the private key files (host and user) have to be at least
rw------- (0600)!
Note that this is forced under `ntsec' only if the files are on a NTFS
filesystem (which is recommended) due to the lack of any basic security
features of the FAT/FAT32 filesystems.
===========================================================================
If you are installing OpenSSH the first time, you can generate global config
files and server keys by running
/usr/bin/ssh-host-config
Note that this binary archive doesn't contain default config files in /etc.
That files are only created if ssh-host-config is started.
If you are updating your installation you may run the above ssh-host-config
as well to move your configuration files to the new location and to
erase the files at the old location.
To support testing and unattended installation ssh-host-config got
some options:
usage: ssh-host-config [OPTION]...
Options:
--debug -d Enable shell's debug output.
--yes -y Answer all questions with "yes" automatically.
--no -n Answer all questions with "no" automatically.
--cygwin -c <options> Use "options" as value for CYGWIN environment var.
--port -p <n> sshd listens on port n.
--pwd -w <passwd> Use "pwd" as password for user 'sshd_server'.
Additionally ssh-host-config now asks if it should install sshd as a
service when running under NT/W2K. This requires cygrunsrv installed.
You can create the private and public keys for a user now by running
/usr/bin/ssh-user-config
under the users account.
To support testing and unattended installation ssh-user-config got
some options as well:
usage: ssh-user-config [OPTION]...
Options:
--debug -d Enable shell's debug output.
--yes -y Answer all questions with "yes" automatically.
--no -n Answer all questions with "no" automatically.
--passphrase -p word Use "word" as passphrase automatically.
Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd
(results in very slow deamon startup!) or from the command line (recommended
on 9X/ME).
If you start sshd as deamon via cygrunsrv.exe you MUST give the
"-D" option to sshd. Otherwise the service can't get started at all.
If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
following line to your inetd.conf file:
ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i
Moreover you'll have to add the following line to your
${SYSTEMROOT}/system32/drivers/etc/services file:
ssh 22/tcp #SSH daemon
Please note that OpenSSH does never use the value of $HOME to
search for the users configuration files! It always uses the
value of the pw_dir field in /etc/passwd as the home directory.
If no home diretory is set in /etc/passwd, the root directory
is used instead!
You may use all features of the CYGWIN=ntsec setting the same
way as they are used by Cygwin's login(1) port:
The pw_gecos field may contain an additional field, that begins
with (upper case!) "U-", followed by the domain and the username
separated by a backslash.
CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
BTW: The field separator in pw_gecos is the comma.
The username in pw_name itself may be any nice name:
domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...
Now you may use `domuser' as your login name with telnet!
This is possible additionally for local users, if you don't like
your NT login name ;-) You only have to leave out the domain:
locuser::1104:513:John Doe,U-user,S-1-5-21-...
Note that the CYGWIN=ntsec setting is required for public key authentication.
SSH2 server and user keys are generated by the `ssh-*-config' scripts
as well.
If you want to build from source, the following options to
configure are used for the Cygwin binary distribution:
--prefix=/usr \
--sysconfdir=/etc \
--libexecdir='${sbindir}' \
--localstatedir=/var \
--datadir='${prefix}/share' \
--mandir='${datadir}/man' \
--infodir='${datadir}/info'
--with-tcp-wrappers
If you want to create a Cygwin package, equivalent to the one
in the Cygwin binary distribution, install like this:
mkdir /tmp/cygwin-ssh
cd ${builddir}
make install DESTDIR=/tmp/cygwin-ssh
cd ${srcdir}/contrib/cygwin
make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh
cd /tmp/cygwin-ssh
find * \! -type d | tar cvjfT my-openssh.tar.bz2 -
You must have installed the following packages to be able to build OpenSSH:
- zlib
- openssl-devel
- minires-devel
If you want to build with --with-tcp-wrappers, you also need the package
- tcp_wrappers
Please send requests, error reports etc. to cygwin@cygwin.com.
Have fun,
Corinna Vinschen
Cygwin Developer
Red Hat Inc.

611
contrib/cygwin/ssh-host-config Normal file
View File

@ -0,0 +1,611 @@
#!/bin/bash
#
# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
# Subdirectory where the new package is being installed
PREFIX=/usr
# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var
progname=$0
auto_answer=""
port_number=22
privsep_configured=no
privsep_used=yes
sshd_in_passwd=no
sshd_in_sam=no
request()
{
if [ "${auto_answer}" = "yes" ]
then
echo "$1 (yes/no) yes"
return 0
elif [ "${auto_answer}" = "no" ]
then
echo "$1 (yes/no) no"
return 1
fi
answer=""
while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
do
echo -n "$1 (yes/no) "
read -e answer
done
if [ "X${answer}" = "Xyes" ]
then
return 0
else
return 1
fi
}
# Check options
while :
do
case $# in
0)
break
;;
esac
option=$1
shift
case "${option}" in
-d | --debug )
set -x
;;
-y | --yes )
auto_answer=yes
;;
-n | --no )
auto_answer=no
;;
-c | --cygwin )
cygwin_value="$1"
shift
;;
-p | --port )
port_number=$1
shift
;;
-w | --pwd )
password_value="$1"
shift
;;
*)
echo "usage: ${progname} [OPTION]..."
echo
echo "This script creates an OpenSSH host configuration."
echo
echo "Options:"
echo " --debug -d Enable shell's debug output."
echo " --yes -y Answer all questions with \"yes\" automatically."
echo " --no -n Answer all questions with \"no\" automatically."
echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
echo " --port -p <n> sshd listens on port n."
echo " --pwd -w <passwd> Use \"pwd\" as password for user 'sshd_server'."
echo
exit 1
;;
esac
done
# Check if running on NT
_sys="`uname`"
_nt=`expr "${_sys}" : "CYGWIN_NT"`
# If running on NT, check if running under 2003 Server or later
if [ ${_nt} -gt 0 ]
then
_nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
fi
# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running
if ps -ef | grep -v grep | grep -q ssh
then
echo
echo "There are still ssh processes running. Please shut them down first."
echo
exit 1
fi
# Check for ${SYSCONFDIR} directory
if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
then
echo
echo "${SYSCONFDIR} is existant but not a directory."
echo "Cannot create global configuration files."
echo
exit 1
fi
# Create it if necessary
if [ ! -e "${SYSCONFDIR}" ]
then
mkdir "${SYSCONFDIR}"
if [ ! -e "${SYSCONFDIR}" ]
then
echo
echo "Creating ${SYSCONFDIR} directory failed"
echo
exit 1
fi
fi
# Create /var/log and /var/log/lastlog if not already existing
if [ -e ${LOCALSTATEDIR}/log -a ! -d ${LOCALSTATEDIR}/log ]
then
echo
echo "${LOCALSTATEDIR}/log is existant but not a directory."
echo "Cannot create ssh host configuration."
echo
exit 1
fi
if [ ! -e ${LOCALSTATEDIR}/log ]
then
mkdir -p ${LOCALSTATEDIR}/log
fi
if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
then
echo
echo "${LOCALSTATEDIR}/log/lastlog exists, but is not a file."
echo "Cannot create ssh host configuration."
echo
exit 1
fi
if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
then
cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
chmod 644 ${LOCALSTATEDIR}/log/lastlog
fi
# Create /var/empty file used as chroot jail for privilege separation
if [ -f ${LOCALSTATEDIR}/empty ]
then
echo "Creating ${LOCALSTATEDIR}/empty failed!"
else
mkdir -p ${LOCALSTATEDIR}/empty
if [ ${_nt} -gt 0 ]
then
chmod 755 ${LOCALSTATEDIR}/empty
fi
fi
# First generate host keys if not already existing
if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
then
echo "Generating ${SYSCONFDIR}/ssh_host_key"
ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
then
echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
then
echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
fi
# Check if ssh_config exists. If yes, ask for overwriting
if [ -f "${SYSCONFDIR}/ssh_config" ]
then
if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
then
rm -f "${SYSCONFDIR}/ssh_config"
if [ -f "${SYSCONFDIR}/ssh_config" ]
then
echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
fi
fi
fi
# Create default ssh_config from skeleton file in /etc/defaults/etc
if [ ! -f "${SYSCONFDIR}/ssh_config" ]
then
echo "Generating ${SYSCONFDIR}/ssh_config file"
cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
if [ "${port_number}" != "22" ]
then
echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
fi
fi
# Check if sshd_config exists. If yes, ask for overwriting
if [ -f "${SYSCONFDIR}/sshd_config" ]
then
if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
then
rm -f "${SYSCONFDIR}/sshd_config"
if [ -f "${SYSCONFDIR}/sshd_config" ]
then
echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
fi
else
grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
fi
fi
# Prior to creating or modifying sshd_config, care for privilege separation
if [ "${privsep_configured}" != "yes" ]
then
if [ ${_nt} -gt 0 ]
then
echo "Privilege separation is set to yes by default since OpenSSH 3.3."
echo "However, this requires a non-privileged account called 'sshd'."
echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
echo
if request "Should privilege separation be used?"
then
privsep_used=yes
grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
if [ "${sshd_in_passwd}" != "yes" ]
then
if [ "${sshd_in_sam}" != "yes" ]
then
echo "Warning: The following function requires administrator privileges!"
if request "Should this script create a local user 'sshd' on this machine?"
then
dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
if [ "${sshd_in_sam}" != "yes" ]
then
echo "Warning: Creating the user 'sshd' failed!"
fi
fi
fi
if [ "${sshd_in_sam}" != "yes" ]
then
echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
echo " Privilege separation set to 'no' again!"
echo " Check your ${SYSCONFDIR}/sshd_config file!"
privsep_used=no
else
mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
fi
fi
else
privsep_used=no
fi
else
# On 9x don't use privilege separation. Since security isn't
# available it just adds useless additional processes.
privsep_used=no
fi
fi
# Create default sshd_config from skeleton files in /etc/defaults/etc or
# modify to add the missing privsep configuration option
if [ ! -f "${SYSCONFDIR}/sshd_config" ]
then
echo "Generating ${SYSCONFDIR}/sshd_config file"
sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
s/^#Port 22/Port ${port_number}/
s/^#StrictModes yes/StrictModes no/" \
< ${SYSCONFDIR}/defaults/etc/sshd_config \
> ${SYSCONFDIR}/sshd_config
elif [ "${privsep_configured}" != "yes" ]
then
echo >> ${SYSCONFDIR}/sshd_config
echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
fi
# Care for services file
_my_etcdir="/ssh-host-config.$$"
if [ ${_nt} -gt 0 ]
then
_win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
_services="${_my_etcdir}/services"
# On NT, 27 spaces, no space after the hash
_spaces=" #"
else
_win_etcdir="${WINDIR}"
_services="${_my_etcdir}/SERVICES"
# On 9x, 18 spaces (95 is very touchy), a space after the hash
_spaces=" # "
fi
_serv_tmp="${_my_etcdir}/srv.out.$$"
mount -t -f "${_win_etcdir}" "${_my_etcdir}"
# Depends on the above mount
_wservices=`cygpath -w "${_services}"`
# Remove sshd 22/port from services
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
then
grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
if [ -f "${_serv_tmp}" ]
then
if mv "${_serv_tmp}" "${_services}"
then
echo "Removing sshd from ${_wservices}"
else
echo "Removing sshd from ${_wservices} failed!"
fi
rm -f "${_serv_tmp}"
else
echo "Removing sshd from ${_wservices} failed!"
fi
fi
# Add ssh 22/tcp and ssh 22/udp to services
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
then
if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
then
if mv "${_serv_tmp}" "${_services}"
then
echo "Added ssh to ${_wservices}"
else
echo "Adding ssh to ${_wservices} failed!"
fi
rm -f "${_serv_tmp}"
else
echo "WARNING: Adding ssh to ${_wservices} failed!"
fi
fi
umount "${_my_etcdir}"
# Care for inetd.conf file
_inetcnf="${SYSCONFDIR}/inetd.conf"
_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
if [ -f "${_inetcnf}" ]
then
# Check if ssh service is already in use as sshd
with_comment=1
grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
# Remove sshd line from inetd.conf
if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
then
grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
if [ -f "${_inetcnf_tmp}" ]
then
if mv "${_inetcnf_tmp}" "${_inetcnf}"
then
echo "Removed sshd from ${_inetcnf}"
else
echo "Removing sshd from ${_inetcnf} failed!"
fi
rm -f "${_inetcnf_tmp}"
else
echo "Removing sshd from ${_inetcnf} failed!"
fi
fi
# Add ssh line to inetd.conf
if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
then
if [ "${with_comment}" -eq 0 ]
then
echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
else
echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
fi
echo "Added ssh to ${_inetcnf}"
fi
fi
# On NT ask if sshd should be installed as service
if [ ${_nt} -gt 0 ]
then
# But only if it is not already installed
if ! cygrunsrv -Q sshd > /dev/null 2>&1
then
echo
echo
echo "Warning: The following functions require administrator privileges!"
echo
echo "Do you want to install sshd as service?"
if request "(Say \"no\" if it's already installed as service)"
then
if [ $_nt2003 -gt 0 ]
then
grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
if [ "${sshd_server_in_passwd}" = "yes" ]
then
# Drop sshd_server from passwd since it could have wrong settings
grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
rm -f ${SYSCONFDIR}/passwd
mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
chmod g-w,o-w ${SYSCONFDIR}/passwd
fi
net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
if [ "${sshd_server_in_sam}" != "yes" ]
then
echo
echo "You appear to be running Windows 2003 Server or later. On 2003 and"
echo "later systems, it's not possible to use the LocalSystem account"
echo "if sshd should allow passwordless logon (e. g. public key authentication)."
echo "If you want to enable that functionality, it's required to create a new"
echo "account 'sshd_server' with special privileges, which is then used to run"
echo "the sshd service under."
echo
echo "Should this script create a new local account 'sshd_server' which has"
if request "the required privileges?"
then
_admingroup=`mkgroup -l | awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' `
if [ -z "${_admingroup}" ]
then
echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)."
exit 1
fi
dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
while [ "${sshd_server_in_sam}" != "yes" ]
do
if [ -n "${password_value}" ]
then
_password="${password_value}"
# Allow to ask for password if first try fails
password_value=""
else
echo
echo "Please enter a password for new user 'sshd_server'. Please be sure that"
echo "this password matches the password rules given on your system."
echo -n "Entering no password will exit the configuration. PASSWORD="
read -e _password
if [ -z "${_password}" ]
then
echo
echo "Exiting configuration. No user sshd_server has been created,"
echo "no sshd service installed."
exit 1
fi
fi
net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
if [ "${sshd_server_in_sam}" != "yes" ]
then
echo "Creating the user 'sshd_server' failed! Reason:"
cat /tmp/nu.$$
rm /tmp/nu.$$
fi
done
net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
if [ "${sshd_server_in_admingroup}" != "yes" ]
then
echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
echo "Please add sshd_server to local group ${_admingroup} before"
echo "starting the sshd service!"
echo
fi
passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
if [ "${passwd_has_expiry_flags}" != "yes" ]
then
echo
echo "WARNING: User sshd_server has password expiry set to system default."
echo "Please check that password never expires or set it to your needs."
elif ! passwd -e sshd_server
then
echo
echo "WARNING: Setting password expiry for user sshd_server failed!"
echo "Please check that password never expires or set it to your needs."
fi
editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
editrights -a SeCreateTokenPrivilege -u sshd_server &&
editrights -a SeTcbPrivilege -u sshd_server &&
editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
editrights -a SeDenyNetworkLogonRight -u sshd_server &&
editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
editrights -a SeServiceLogonRight -u sshd_server &&
sshd_server_got_all_rights="yes"
if [ "${sshd_server_got_all_rights}" != "yes" ]
then
echo
echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
echo "Can't create sshd service!"
exit 1
fi
echo
echo "User 'sshd_server' has been created with password '${_password}'."
echo "If you change the password, please keep in mind to change the password"
echo "for the sshd service, too."
echo
echo "Also keep in mind that the user sshd_server needs read permissions on all"
echo "users' .ssh/authorized_keys file to allow public key authentication for"
echo "these users!. (Re-)running ssh-user-config for each user will set the"
echo "required permissions correctly."
echo
fi
fi
if [ "${sshd_server_in_sam}" = "yes" ]
then
mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
fi
fi
if [ -n "${cygwin_value}" ]
then
_cygwin="${cygwin_value}"
else
echo
echo "Which value should the environment variable CYGWIN have when"
echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
echo "able to change user context without password."
echo -n "Default is \"ntsec\". CYGWIN="
read -e _cygwin
fi
[ -z "${_cygwin}" ] && _cygwin="ntsec"
if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
then
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" -y tcpip
then
echo
echo "The service has been installed under sshd_server account."
echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
fi
else
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" -y tcpip
then
echo
echo "The service has been installed under LocalSystem account."
echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
fi
fi
fi
# Now check if sshd has been successfully installed. This allows to
# set the ownership of the affected files correctly.
if cygrunsrv -Q sshd > /dev/null 2>&1
then
if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
then
_user="sshd_server"
else
_user="system"
fi
chown "${_user}" ${SYSCONFDIR}/ssh*
chown "${_user}".544 ${LOCALSTATEDIR}/empty
chown "${_user}".544 ${LOCALSTATEDIR}/log/lastlog
if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
then
chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
fi
fi
if ! ( mount | egrep -q 'on /(|usr/(bin|lib)) type system' )
then
echo
echo "Warning: It appears that you have user mode mounts (\"Just me\""
echo "chosen during install.) Any daemons installed as services will"
echo "fail to function unless system mounts are used. To change this,"
echo "re-run setup.exe and choose \"All users\"."
echo
echo "For more information, see http://cygwin.com/faq/faq0.html#TOC33"
fi
fi
fi
echo
echo "Host configuration finished. Have fun!"

250
contrib/cygwin/ssh-user-config Normal file
View File

@ -0,0 +1,250 @@
#!/bin/sh
#
# ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
# Directory where the config files are stored
SYSCONFDIR=/etc
progname=$0
auto_answer=""
auto_passphrase="no"
passphrase=""
request()
{
if [ "${auto_answer}" = "yes" ]
then
return 0
elif [ "${auto_answer}" = "no" ]
then
return 1
fi
answer=""
while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
do
echo -n "$1 (yes/no) "
read answer
done
if [ "X${answer}" = "Xyes" ]
then
return 0
else
return 1
fi
}
# Check if running on NT
_sys="`uname -a`"
_nt=`expr "$_sys" : "CYGWIN_NT"`
# If running on NT, check if running under 2003 Server or later
if [ $_nt -gt 0 ]
then
_nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
fi
# Check options
while :
do
case $# in
0)
break
;;
esac
option=$1
shift
case "$option" in
-d | --debug )
set -x
;;
-y | --yes )
auto_answer=yes
;;
-n | --no )
auto_answer=no
;;
-p | --passphrase )
with_passphrase="yes"
passphrase=$1
shift
;;
*)
echo "usage: ${progname} [OPTION]..."
echo
echo "This script creates an OpenSSH user configuration."
echo
echo "Options:"
echo " --debug -d Enable shell's debug output."
echo " --yes -y Answer all questions with \"yes\" automatically."
echo " --no -n Answer all questions with \"no\" automatically."
echo " --passphrase -p word Use \"word\" as passphrase automatically."
echo
exit 1
;;
esac
done
# Ask user if user identity should be generated
if [ ! -f ${SYSCONFDIR}/passwd ]
then
echo "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file"
echo 'first using mkpasswd. Check if it contains an entry for you and'
echo 'please care for the home directory in your entry as well.'
exit 1
fi
uid=`id -u`
pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd`
if [ "X${pwdhome}" = "X" ]
then
echo "There is no home directory set for you in ${SYSCONFDIR}/passwd."
echo 'Setting $HOME is not sufficient!'
exit 1
fi
if [ ! -d "${pwdhome}" ]
then
echo "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory"
echo 'but it is not a valid directory. Cannot create user identity files.'
exit 1
fi
# If home is the root dir, set home to empty string to avoid error messages
# in subsequent parts of that script.
if [ "X${pwdhome}" = "X/" ]
then
# But first raise a warning!
echo "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!"
if request "Would you like to proceed anyway?"
then
pwdhome=''
else
exit 1
fi
fi
if [ -d "${pwdhome}" -a $_nt -gt 0 -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
then
echo
echo 'WARNING: group and other have been revoked write permission to your home'
echo " directory ${pwdhome}."
echo ' This is required by OpenSSH to allow public key authentication using'
echo ' the key files stored in your .ssh subdirectory.'
echo ' Revert this change ONLY if you know what you are doing!'
echo
fi
if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
then
echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files."
exit 1
fi
if [ ! -e "${pwdhome}/.ssh" ]
then
mkdir "${pwdhome}/.ssh"
if [ ! -e "${pwdhome}/.ssh" ]
then
echo "Creating users ${pwdhome}/.ssh directory failed"
exit 1
fi
fi
if [ $_nt -gt 0 ]
then
_user="system"
if [ $_nt2003 -gt 0 ]
then
grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && _user="sshd_server"
fi
if ! setfacl -m "u::rwx,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh"
then
echo "${pwdhome}/.ssh couldn't be given the correct permissions."
echo "Please try to solve this problem first."
exit 1
fi
fi
if [ ! -f "${pwdhome}/.ssh/identity" ]
then
if request "Shall I create an SSH1 RSA identity file for you?"
then
echo "Generating ${pwdhome}/.ssh/identity"
if [ "${with_passphrase}" = "yes" ]
then
ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null
else
ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null
fi
if request "Do you want to use this identity to login to this machine?"
then
echo "Adding to ${pwdhome}/.ssh/authorized_keys"
cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys"
fi
fi
fi
if [ ! -f "${pwdhome}/.ssh/id_rsa" ]
then
if request "Shall I create an SSH2 RSA identity file for you?"
then
echo "Generating ${pwdhome}/.ssh/id_rsa"
if [ "${with_passphrase}" = "yes" ]
then
ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null
else
ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null
fi
if request "Do you want to use this identity to login to this machine?"
then
echo "Adding to ${pwdhome}/.ssh/authorized_keys"
cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
fi
fi
fi
if [ ! -f "${pwdhome}/.ssh/id_dsa" ]
then
if request "Shall I create an SSH2 DSA identity file for you?"
then
echo "Generating ${pwdhome}/.ssh/id_dsa"
if [ "${with_passphrase}" = "yes" ]
then
ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null
else
ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null
fi
if request "Do you want to use this identity to login to this machine?"
then
echo "Adding to ${pwdhome}/.ssh/authorized_keys"
cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
fi
fi
fi
if [ $_nt -gt 0 -a -e "${pwdhome}/.ssh/authorized_keys" ]
then
if ! setfacl -m "u::rw-,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh/authorized_keys"
then
echo
echo "WARNING: Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
echo "failed. Please care for the correct permissions. The minimum requirement"
echo "is, the owner and ${_user} both need read permissions."
echo
fi
fi
echo
echo "Configuration finished. Have fun!"

186
contrib/findssl.sh Executable file
View File

@ -0,0 +1,186 @@
#!/bin/sh
#
# $Id$
#
# findssl.sh
# Search for all instances of OpenSSL headers and libraries
# and print their versions.
# Intended to help diagnose OpenSSH's "OpenSSL headers do not
# match your library" errors.
#
# Written by Darren Tucker (dtucker at zip dot com dot au)
# This file is placed in the public domain.
#
# Release history:
# 2002-07-27: Initial release.
# 2002-08-04: Added public domain notice.
# 2003-06-24: Incorporated readme, set library paths. First cvs version.
# 2004-12-13: Add traps to cleanup temp files, from Amarendra Godbole.
#
# "OpenSSL headers do not match your library" are usually caused by
# OpenSSH's configure picking up an older version of OpenSSL headers
# or libraries. You can use the following # procedure to help identify
# the cause.
#
# The output of configure will tell you the versions of the OpenSSL
# headers and libraries that were picked up, for example:
#
# checking OpenSSL header version... 90604f (OpenSSL 0.9.6d 9 May 2002)
# checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)
# checking whether OpenSSL's headers match the library... no
# configure: error: Your OpenSSL headers do not match your library
#
# Now run findssl.sh. This should identify the headers and libraries
# present and their versions. You should be able to identify the
# libraries and headers used and adjust your CFLAGS or remove incorrect
# versions. The output will show OpenSSL's internal version identifier
# and should look something like:
# $ ./findssl.sh
# Searching for OpenSSL header files.
# 0x0090604fL /usr/include/openssl/opensslv.h
# 0x0090604fL /usr/local/ssl/include/openssl/opensslv.h
#
# Searching for OpenSSL shared library files.
# 0x0090602fL /lib/libcrypto.so.0.9.6b
# 0x0090602fL /lib/libcrypto.so.2
# 0x0090581fL /usr/lib/libcrypto.so.0
# 0x0090602fL /usr/lib/libcrypto.so
# 0x0090581fL /usr/lib/libcrypto.so.0.9.5a
# 0x0090600fL /usr/lib/libcrypto.so.0.9.6
# 0x0090600fL /usr/lib/libcrypto.so.1
#
# Searching for OpenSSL static library files.
# 0x0090602fL /usr/lib/libcrypto.a
# 0x0090604fL /usr/local/ssl/lib/libcrypto.a
#
# In this example, I gave configure no extra flags, so it's picking up
# the OpenSSL header from /usr/include/openssl (90604f) and the library
# from /usr/lib/ (90602f).
#
# Adjust these to suit your compiler.
# You may also need to set the *LIB*PATH environment variables if
# DEFAULT_LIBPATH is not correct for your system.
#
CC=gcc
STATIC=-static
#
# Cleanup on interrupt
#
trap 'rm -f conftest.c' INT HUP TERM
#
# Set up conftest C source
#
rm -f findssl.log
cat >conftest.c <<EOD
#include <stdio.h>
int main(){printf("0x%08xL\n", SSLeay());}
EOD
#
# Set default library paths if not already set
#
DEFAULT_LIBPATH=/usr/lib:/usr/local/lib
LIBPATH=${LIBPATH:=$DEFAULT_LIBPATH}
LD_LIBRARY_PATH=${LD_LIBRARY_PATH:=$DEFAULT_LIBPATH}
LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH}
export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
# not all platforms have a 'which' command
if which ls >/dev/null 2>/dev/null; then
: which is defined
else
which () {
saveIFS="$IFS"
IFS=:
for p in $PATH; do
if test -x "$p/$1" -a -f "$p/$1"; then
IFS="$saveIFS"
echo "$p/$1"
return 0
fi
done
IFS="$saveIFS"
return 1
}
fi
#
# Search for OpenSSL headers and print versions
#
echo Searching for OpenSSL header files.
if [ -x "`which locate`" ]
then
headers=`locate opensslv.h`
else
headers=`find / -name opensslv.h -print 2>/dev/null`
fi
for header in $headers
do
ver=`awk '/OPENSSL_VERSION_NUMBER/{printf \$3}' $header`
echo "$ver $header"
done
echo
#
# Search for shared libraries.
# Relies on shared libraries looking like "libcrypto.s*"
#
echo Searching for OpenSSL shared library files.
if [ -x "`which locate`" ]
then
libraries=`locate libcrypto.s`
else
libraries=`find / -name 'libcrypto.s*' -print 2>/dev/null`
fi
for lib in $libraries
do
(echo "Trying libcrypto $lib" >>findssl.log
dir=`dirname $lib`
LIBPATH="$dir:$LIBPATH"
LD_LIBRARY_PATH="$dir:$LIBPATH"
LIBRARY_PATH="$dir:$LIBPATH"
export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
${CC} -o conftest conftest.c $lib 2>>findssl.log
if [ -x ./conftest ]
then
ver=`./conftest 2>/dev/null`
rm -f ./conftest
echo "$ver $lib"
fi)
done
echo
#
# Search for static OpenSSL libraries and print versions
#
echo Searching for OpenSSL static library files.
if [ -x "`which locate`" ]
then
libraries=`locate libcrypto.a`
else
libraries=`find / -name libcrypto.a -print 2>/dev/null`
fi
for lib in $libraries
do
libdir=`dirname $lib`
echo "Trying libcrypto $lib" >>findssl.log
${CC} ${STATIC} -o conftest conftest.c -L${libdir} -lcrypto 2>>findssl.log
if [ -x ./conftest ]
then
ver=`./conftest 2>/dev/null`
rm -f ./conftest
echo "$ver $lib"
fi
done
#
# Clean up
#
rm -f conftest.c

171
contrib/gnome-ssh-askpass1.c Normal file
View File

@ -0,0 +1,171 @@
/*
* Copyright (c) 2000-2002 Damien Miller. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
* This is a simple GNOME SSH passphrase grabber. To use it, set the
* environment variable SSH_ASKPASS to point to the location of
* gnome-ssh-askpass before calling "ssh-add < /dev/null".
*
* There is only two run-time options: if you set the environment variable
* "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
* the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
* pointer will be grabbed too. These may have some benefit to security if
* you don't trust your X server. We grab the keyboard always.
*/
/*
* Compile with:
*
* cc `gnome-config --cflags gnome gnomeui` \
* gnome-ssh-askpass1.c -o gnome-ssh-askpass \
* `gnome-config --libs gnome gnomeui`
*
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <gnome.h>
#include <X11/Xlib.h>
#include <gdk/gdkx.h>
void
report_failed_grab (void)
{
GtkWidget *err;
err = gnome_message_box_new("Could not grab keyboard or mouse.\n"
"A malicious client may be eavesdropping on your session.",
GNOME_MESSAGE_BOX_ERROR, "EXIT", NULL);
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
gtk_object_set(GTK_OBJECT(err), "type", GTK_WINDOW_POPUP, NULL);
gnome_dialog_run_and_close(GNOME_DIALOG(err));
}
int
passphrase_dialog(char *message)
{
char *passphrase;
char **messages;
int result, i, grab_server, grab_pointer;
GtkWidget *dialog, *entry, *label;
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
dialog = gnome_dialog_new("OpenSSH", GNOME_STOCK_BUTTON_OK,
GNOME_STOCK_BUTTON_CANCEL, NULL);
messages = g_strsplit(message, "\\n", 0);
if (messages)
for(i = 0; messages[i]; i++) {
label = gtk_label_new(messages[i]);
gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox),
label, FALSE, FALSE, 0);
}
entry = gtk_entry_new();
gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE,
FALSE, 0);
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
gtk_widget_grab_focus(entry);
/* Center window and prepare for grab */
gtk_object_set(GTK_OBJECT(dialog), "type", GTK_WINDOW_POPUP, NULL);
gnome_dialog_set_default(GNOME_DIALOG(dialog), 0);
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
gtk_window_set_policy(GTK_WINDOW(dialog), FALSE, FALSE, TRUE);
gnome_dialog_close_hides(GNOME_DIALOG(dialog), TRUE);
gtk_container_set_border_width(GTK_CONTAINER(GNOME_DIALOG(dialog)->vbox),
GNOME_PAD);
gtk_widget_show_all(dialog);
/* Grab focus */
if (grab_server)
XGrabServer(GDK_DISPLAY());
if (grab_pointer && gdk_pointer_grab(dialog->window, TRUE, 0,
NULL, NULL, GDK_CURRENT_TIME))
goto nograb;
if (gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME))
goto nograbkb;
/* Make <enter> close dialog */
gnome_dialog_editable_enters(GNOME_DIALOG(dialog), GTK_EDITABLE(entry));
/* Run dialog */
result = gnome_dialog_run(GNOME_DIALOG(dialog));
/* Ungrab */
if (grab_server)
XUngrabServer(GDK_DISPLAY());
if (grab_pointer)
gdk_pointer_ungrab(GDK_CURRENT_TIME);
gdk_keyboard_ungrab(GDK_CURRENT_TIME);
gdk_flush();
/* Report passphrase if user selected OK */
passphrase = gtk_entry_get_text(GTK_ENTRY(entry));
if (result == 0)
puts(passphrase);
/* Zero passphrase in memory */
memset(passphrase, '\0', strlen(passphrase));
gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
gnome_dialog_close(GNOME_DIALOG(dialog));
return (result == 0 ? 0 : -1);
/* At least one grab failed - ungrab what we got, and report
the failure to the user. Note that XGrabServer() cannot
fail. */
nograbkb:
gdk_pointer_ungrab(GDK_CURRENT_TIME);
nograb:
if (grab_server)
XUngrabServer(GDK_DISPLAY());
gnome_dialog_close(GNOME_DIALOG(dialog));
report_failed_grab();
return (-1);
}
int
main(int argc, char **argv)
{
char *message;
int result;
gnome_init("GNOME ssh-askpass", "0.1", argc, argv);
if (argc == 2)
message = argv[1];
else
message = "Enter your OpenSSH passphrase:";
setvbuf(stdout, 0, _IONBF, 0);
result = passphrase_dialog(message);
return (result);
}

220
contrib/gnome-ssh-askpass2.c Normal file
View File

@ -0,0 +1,220 @@
/*
* Copyright (c) 2000-2002 Damien Miller. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* GTK2 support by Nalin Dahyabhai <nalin@redhat.com> */
/*
* This is a simple GNOME SSH passphrase grabber. To use it, set the
* environment variable SSH_ASKPASS to point to the location of
* gnome-ssh-askpass before calling "ssh-add < /dev/null".
*
* There is only two run-time options: if you set the environment variable
* "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
* the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
* pointer will be grabbed too. These may have some benefit to security if
* you don't trust your X server. We grab the keyboard always.
*/
#define GRAB_TRIES 16
#define GRAB_WAIT 250 /* milliseconds */
/*
* Compile with:
*
* cc -Wall `pkg-config --cflags gtk+-2.0` \
* gnome-ssh-askpass2.c -o gnome-ssh-askpass \
* `pkg-config --libs gtk+-2.0`
*
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <X11/Xlib.h>
#include <gtk/gtk.h>
#include <gdk/gdkx.h>
static void
report_failed_grab (const char *what)
{
GtkWidget *err;
err = gtk_message_dialog_new(NULL, 0,
GTK_MESSAGE_ERROR,
GTK_BUTTONS_CLOSE,
"Could not grab %s. "
"A malicious client may be eavesdropping "
"on your session.", what);
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label),
TRUE);
gtk_dialog_run(GTK_DIALOG(err));
gtk_widget_destroy(err);
}
static void
ok_dialog(GtkWidget *entry, gpointer dialog)
{
g_return_if_fail(GTK_IS_DIALOG(dialog));
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
}
static int
passphrase_dialog(char *message)
{
const char *failed;
char *passphrase, *local;
int result, grab_tries, grab_server, grab_pointer;
GtkWidget *dialog, *entry;
GdkGrabStatus status;
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
grab_tries = 0;
dialog = gtk_message_dialog_new(NULL, 0,
GTK_MESSAGE_QUESTION,
GTK_BUTTONS_OK_CANCEL,
"%s",
message);
entry = gtk_entry_new();
gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE,
FALSE, 0);
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
gtk_widget_grab_focus(entry);
gtk_widget_show(entry);
gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(dialog))->label),
TRUE);
/* Make <enter> close dialog */
gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
g_signal_connect(G_OBJECT(entry), "activate",
G_CALLBACK(ok_dialog), dialog);
/* Grab focus */
gtk_widget_show_now(dialog);
if (grab_pointer) {
for(;;) {
status = gdk_pointer_grab(
(GTK_WIDGET(dialog))->window, TRUE, 0, NULL,
NULL, GDK_CURRENT_TIME);
if (status == GDK_GRAB_SUCCESS)
break;
usleep(GRAB_WAIT * 1000);
if (++grab_tries > GRAB_TRIES) {
failed = "mouse";
goto nograb;
}
}
}
for(;;) {
status = gdk_keyboard_grab((GTK_WIDGET(dialog))->window,
FALSE, GDK_CURRENT_TIME);
if (status == GDK_GRAB_SUCCESS)
break;
usleep(GRAB_WAIT * 1000);
if (++grab_tries > GRAB_TRIES) {
failed = "keyboard";
goto nograbkb;
}
}
if (grab_server) {
gdk_x11_grab_server();
}
result = gtk_dialog_run(GTK_DIALOG(dialog));
/* Ungrab */
if (grab_server)
XUngrabServer(GDK_DISPLAY());
if (grab_pointer)
gdk_pointer_ungrab(GDK_CURRENT_TIME);
gdk_keyboard_ungrab(GDK_CURRENT_TIME);
gdk_flush();
/* Report passphrase if user selected OK */
passphrase = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry)));
if (result == GTK_RESPONSE_OK) {
local = g_locale_from_utf8(passphrase, strlen(passphrase),
NULL, NULL, NULL);
if (local != NULL) {
puts(local);
memset(local, '\0', strlen(local));
g_free(local);
} else {
puts(passphrase);
}
}
/* Zero passphrase in memory */
memset(passphrase, '\b', strlen(passphrase));
gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
memset(passphrase, '\0', strlen(passphrase));
g_free(passphrase);
gtk_widget_destroy(dialog);
return (result == GTK_RESPONSE_OK ? 0 : -1);
/* At least one grab failed - ungrab what we got, and report
the failure to the user. Note that XGrabServer() cannot
fail. */
nograbkb:
gdk_pointer_ungrab(GDK_CURRENT_TIME);
nograb:
if (grab_server)
XUngrabServer(GDK_DISPLAY());
gtk_widget_destroy(dialog);
report_failed_grab(failed);
return (-1);
}
int
main(int argc, char **argv)
{
char *message;
int result;
gtk_init(&argc, &argv);
if (argc > 1) {
message = g_strjoinv(" ", argv + 1);
} else {
message = g_strdup("Enter your OpenSSH passphrase:");
}
setvbuf(stdout, 0, _IONBF, 0);
result = passphrase_dialog(message);
g_free(message);
return (result);
}

45
contrib/hpux/README Normal file
View File

@ -0,0 +1,45 @@
README for OpenSSH HP-UX contrib files
Kevin Steves <stevesk@pobox.com>
sshd: configuration file for sshd.rc
sshd.rc: SSH startup script
egd: configuration file for egd.rc
egd.rc: EGD (entropy gathering daemon) startup script
To install:
sshd.rc:
o Verify paths in sshd.rc match your local installation
(WHAT_PATH and WHAT_PID)
o Customize sshd if needed (SSHD_ARGS)
o Install:
# cp sshd /etc/rc.config.d
# chmod 444 /etc/rc.config.d/sshd
# cp sshd.rc /sbin/init.d
# chmod 555 /sbin/init.d/sshd.rc
# ln -s /sbin/init.d/sshd.rc /sbin/rc1.d/K100sshd
# ln -s /sbin/init.d/sshd.rc /sbin/rc2.d/S900sshd
egd.rc:
o Verify egd.pl path in egd.rc matches your local installation
(WHAT_PATH)
o Customize egd if needed (EGD_ARGS and EGD_LOG)
o Add pseudo account:
# groupadd egd
# useradd -g egd egd
# mkdir -p /etc/opt/egd
# chown egd:egd /etc/opt/egd
# chmod 711 /etc/opt/egd
o Install:
# cp egd /etc/rc.config.d
# chmod 444 /etc/rc.config.d/egd
# cp egd.rc /sbin/init.d
# chmod 555 /sbin/init.d/egd.rc
# ln -s /sbin/init.d/egd.rc /sbin/rc1.d/K600egd
# ln -s /sbin/init.d/egd.rc /sbin/rc2.d/S400egd

15
contrib/hpux/egd Normal file
View File

@ -0,0 +1,15 @@
# EGD_START: Set to 1 to start entropy gathering daemon
# EGD_ARGS: Command line arguments to pass to egd
# EGD_LOG: EGD stdout and stderr log file (default /etc/opt/egd/egd.log)
#
# To configure the egd environment:
# groupadd egd
# useradd -g egd egd
# mkdir -p /etc/opt/egd
# chown egd:egd /etc/opt/egd
# chmod 711 /etc/opt/egd
EGD_START=1
EGD_ARGS='/etc/opt/egd/entropy'
EGD_LOG=

98
contrib/hpux/egd.rc Executable file
View File

@ -0,0 +1,98 @@
#!/sbin/sh
#
# egd.rc: EGD start-up and shutdown script
#
# Allowed exit values:
# 0 = success; causes "OK" to show up in checklist.
# 1 = failure; causes "FAIL" to show up in checklist.
# 2 = skip; causes "N/A" to show up in the checklist.
# Use this value if execution of this script is overridden
# by the use of a control variable, or if this script is not
# appropriate to execute for some other reason.
# 3 = reboot; causes the system to be rebooted after execution.
# Input and output:
# stdin is redirected from /dev/null
#
# stdout and stderr are redirected to the /etc/rc.log file
# during checklist mode, or to the console in raw mode.
umask 022
PATH=/usr/sbin:/usr/bin:/sbin
export PATH
WHAT='EGD (entropy gathering daemon)'
WHAT_PATH=/opt/perl/bin/egd.pl
WHAT_CONFIG=/etc/rc.config.d/egd
WHAT_LOG=/etc/opt/egd/egd.log
# NOTE: If your script executes in run state 0 or state 1, then /usr might
# not be available. Do not attempt to access commands or files in
# /usr unless your script executes in run state 2 or greater. Other
# file systems typically not mounted until run state 2 include /var
# and /opt.
rval=0
# Check the exit value of a command run by this script. If non-zero, the
# exit code is echoed to the log file and the return value of this script
# is set to indicate failure.
set_return() {
x=$?
if [ $x -ne 0 ]; then
echo "EXIT CODE: $x"
rval=1 # script FAILed
fi
}
case $1 in
'start_msg')
echo "Starting $WHAT"
;;
'stop_msg')
echo "Stopping $WHAT"
;;
'start')
if [ -f $WHAT_CONFIG ] ; then
. $WHAT_CONFIG
else
echo "ERROR: $WHAT_CONFIG defaults file MISSING"
fi
if [ "$EGD_START" -eq 1 -a -x $WHAT_PATH ]; then
EGD_LOG=${EGD_LOG:-$WHAT_LOG}
su egd -c "nohup $WHAT_PATH $EGD_ARGS >$EGD_LOG 2>&1" &&
echo $WHAT started
set_return
else
rval=2
fi
;;
'stop')
pid=`ps -fuegd | awk '$1 == "egd" { print $2 }'`
if [ "X$pid" != "X" ]; then
if kill "$pid"; then
echo "$WHAT stopped"
else
rval=1
echo "Unable to stop $WHAT"
fi
fi
set_return
;;
*)
echo "usage: $0 {start|stop|start_msg|stop_msg}"
rval=1
;;
esac
exit $rval

5
contrib/hpux/sshd Normal file
View File

@ -0,0 +1,5 @@
# SSHD_START: Set to 1 to start SSH daemon
# SSHD_ARGS: Command line arguments to pass to sshd
#
SSHD_START=1
SSHD_ARGS=

90
contrib/hpux/sshd.rc Executable file
View File

@ -0,0 +1,90 @@
#!/sbin/sh
#
# sshd.rc: SSH daemon start-up and shutdown script
#
# Allowed exit values:
# 0 = success; causes "OK" to show up in checklist.
# 1 = failure; causes "FAIL" to show up in checklist.
# 2 = skip; causes "N/A" to show up in the checklist.
# Use this value if execution of this script is overridden
# by the use of a control variable, or if this script is not
# appropriate to execute for some other reason.
# 3 = reboot; causes the system to be rebooted after execution.
# Input and output:
# stdin is redirected from /dev/null
#
# stdout and stderr are redirected to the /etc/rc.log file
# during checklist mode, or to the console in raw mode.
PATH=/usr/sbin:/usr/bin:/sbin
export PATH
WHAT='OpenSSH'
WHAT_PATH=/opt/openssh/sbin/sshd
WHAT_PID=/var/run/sshd.pid
WHAT_CONFIG=/etc/rc.config.d/sshd
# NOTE: If your script executes in run state 0 or state 1, then /usr might
# not be available. Do not attempt to access commands or files in
# /usr unless your script executes in run state 2 or greater. Other
# file systems typically not mounted until run state 2 include /var
# and /opt.
rval=0
# Check the exit value of a command run by this script. If non-zero, the
# exit code is echoed to the log file and the return value of this script
# is set to indicate failure.
set_return() {
x=$?
if [ $x -ne 0 ]; then
echo "EXIT CODE: $x"
rval=1 # script FAILed
fi
}
case $1 in
'start_msg')
echo "Starting $WHAT"
;;
'stop_msg')
echo "Stopping $WHAT"
;;
'start')
if [ -f $WHAT_CONFIG ] ; then
. $WHAT_CONFIG
else
echo "ERROR: $WHAT_CONFIG defaults file MISSING"
fi
if [ "$SSHD_START" -eq 1 -a -x "$WHAT_PATH" ]; then
$WHAT_PATH $SSHD_ARGS && echo "$WHAT started"
set_return
else
rval=2
fi
;;
'stop')
if kill `cat $WHAT_PID`; then
echo "$WHAT stopped"
else
rval=1
echo "Unable to stop $WHAT"
fi
set_return
;;
*)
echo "usage: $0 {start|stop|start_msg|stop_msg}"
rval=1
;;
esac
exit $rval

1
contrib/redhat/gnome-ssh-askpass.csh Normal file
View File

@ -0,0 +1 @@
setenv SSH_ASKPASS /usr/libexec/openssh/gnome-ssh-askpass

2
contrib/redhat/gnome-ssh-askpass.sh Executable file
View File

@ -0,0 +1,2 @@
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
export SSH_ASKPASS

804
contrib/redhat/openssh.spec Normal file
View File

@ -0,0 +1,804 @@
%define ver 4.6p1
%define rel 1
# OpenSSH privilege separation requires a user & group ID
%define sshd_uid 74
%define sshd_gid 74
# Version of ssh-askpass
%define aversion 1.2.4.1
# Do we want to disable building of x11-askpass? (1=yes 0=no)
%define no_x11_askpass 0
# Do we want to disable building of gnome-askpass? (1=yes 0=no)
%define no_gnome_askpass 0
# Do we want to link against a static libcrypto? (1=yes 0=no)
%define static_libcrypto 0
# Do we want smartcard support (1=yes 0=no)
%define scard 0
# Use GTK2 instead of GNOME in gnome-ssh-askpass
%define gtk2 1
# Is this build for RHL 6.x?
%define build6x 0
# Do we want kerberos5 support (1=yes 0=no)
%define kerberos5 1
# Reserve options to override askpass settings with:
# rpm -ba|--rebuild --define 'skip_xxx 1'
%{?skip_x11_askpass:%define no_x11_askpass 1}
%{?skip_gnome_askpass:%define no_gnome_askpass 1}
# Add option to build without GTK2 for older platforms with only GTK+.
# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples.
# rpm -ba|--rebuild --define 'no_gtk2 1'
%{?no_gtk2:%define gtk2 0}
# Is this a build for RHL 6.x or earlier?
%{?build_6x:%define build6x 1}
# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
%if %{build6x}
%define _sysconfdir /etc
%endif
# Options for static OpenSSL link:
# rpm -ba|--rebuild --define "static_openssl 1"
%{?static_openssl:%define static_libcrypto 1}
# Options for Smartcard support: (needs libsectok and openssl-engine)
# rpm -ba|--rebuild --define "smartcard 1"
%{?smartcard:%define scard 1}
# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
%define rescue 0
%{?build_rescue:%define rescue 1}
# Turn off some stuff for resuce builds
%if %{rescue}
%define kerberos5 0
%endif
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
Name: openssh
Version: %{ver}
%if %{rescue}
Release: %{rel}rescue
%else
Release: %{rel}
%endif
URL: http://www.openssh.com/portable.html
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
License: BSD
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
Obsoletes: ssh
%if %{build6x}
PreReq: initscripts >= 5.00
%else
PreReq: initscripts >= 5.20
%endif
BuildPreReq: perl, openssl-devel, tcp_wrappers
BuildPreReq: /bin/login
%if ! %{build6x}
BuildPreReq: glibc-devel, pam
%else
BuildPreReq: /usr/include/security/pam_appl.h
%endif
%if ! %{no_x11_askpass}
BuildPreReq: XFree86-devel
%endif
%if ! %{no_gnome_askpass}
BuildPreReq: pkgconfig
%endif
%if %{kerberos5}
BuildPreReq: krb5-devel
BuildPreReq: krb5-libs
%endif
%package clients
Summary: OpenSSH clients.
Requires: openssh = %{version}-%{release}
Group: Applications/Internet
Obsoletes: ssh-clients
%package server
Summary: The OpenSSH server daemon.
Group: System Environment/Daemons
Obsoletes: ssh-server
PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9
%if ! %{build6x}
Requires: /etc/pam.d/system-auth
%endif
%package askpass
Summary: A passphrase dialog for OpenSSH and X.
Group: Applications/Internet
Requires: openssh = %{version}-%{release}
Obsoletes: ssh-extras
%package askpass-gnome
Summary: A passphrase dialog for OpenSSH, X, and GNOME.
Group: Applications/Internet
Requires: openssh = %{version}-%{release}
Obsoletes: ssh-extras
%description
SSH (Secure SHell) is a program for logging into and executing
commands on a remote machine. SSH is intended to replace rlogin and
rsh, and to provide secure encrypted communications between two
untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.
OpenSSH is OpenBSD's version of the last free version of SSH, bringing
it up to date in terms of security and features, as well as removing
all patented algorithms to separate libraries.
This package includes the core files necessary for both the OpenSSH
client and server. To make this package useful, you should also
install openssh-clients, openssh-server, or both.
%description clients
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package includes
the clients necessary to make encrypted connections to SSH servers.
You'll also need to install the openssh package on OpenSSH clients.
%description server
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
the secure shell daemon (sshd). The sshd daemon allows SSH clients to
securely connect to your SSH server. You also need to have the openssh
package installed.
%description askpass
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
an X11 passphrase dialog for OpenSSH.
%description askpass-gnome
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop
environment.
%prep
%if ! %{no_x11_askpass}
%setup -q -a 1
%else
%setup -q
%endif
%build
%if %{rescue}
CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
%endif
%if %{kerberos5}
K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'`
echo K5DIR=$K5DIR
%endif
%configure \
--sysconfdir=%{_sysconfdir}/ssh \
--libexecdir=%{_libexecdir}/openssh \
--datadir=%{_datadir}/openssh \
--with-tcp-wrappers \
--with-rsh=%{_bindir}/rsh \
--with-default-path=/usr/local/bin:/bin:/usr/bin \
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
--with-privsep-path=%{_var}/empty/sshd \
--with-md5-passwords \
%if %{scard}
--with-smartcard \
%endif
%if %{rescue}
--without-pam \
%else
--with-pam \
%endif
%if %{kerberos5}
--with-kerberos5=$K5DIR \
%endif
%if %{static_libcrypto}
perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
%endif
make
%if ! %{no_x11_askpass}
pushd x11-ssh-askpass-%{aversion}
%configure --libexecdir=%{_libexecdir}/openssh
xmkmf -a
make
popd
%endif
# Define a variable to toggle gnome1/gtk2 building. This is necessary
# because RPM doesn't handle nested %if statements.
%if %{gtk2}
gtk2=yes
%else
gtk2=no
%endif
%if ! %{no_gnome_askpass}
pushd contrib
if [ $gtk2 = yes ] ; then
make gnome-ssh-askpass2
mv gnome-ssh-askpass2 gnome-ssh-askpass
else
make gnome-ssh-askpass1
mv gnome-ssh-askpass1 gnome-ssh-askpass
fi
popd
%endif
%install
rm -rf $RPM_BUILD_ROOT
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
make install DESTDIR=$RPM_BUILD_ROOT
install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
%if %{build6x}
install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd
%else
install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
%endif
install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
%if ! %{no_x11_askpass}
install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass
ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
%endif
%if ! %{no_gnome_askpass}
install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
%endif
%if ! %{scard}
rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin
%endif
%if ! %{no_gnome_askpass}
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
%endif
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
%clean
rm -rf $RPM_BUILD_ROOT
%triggerun server -- ssh-server
if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then
touch /var/run/sshd.restart
fi
%triggerun server -- openssh-server < 2.5.0p1
# Count the number of HostKey and HostDsaKey statements we have.
gawk 'BEGIN {IGNORECASE=1}
/^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1}
END {exit sawhostkey}' /etc/ssh/sshd_config
# And if we only found one, we know the client was relying on the old default
# behavior, which loaded the the SSH2 DSA host key when HostDsaKey wasn't
# specified. Now that HostKey is used for both SSH1 and SSH2 keys, specifying
# one nullifies the default, which would have loaded both.
if [ $? -eq 1 ] ; then
echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config
echo HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config
fi
%triggerpostun server -- ssh-server
if [ "$1" != 0 ] ; then
/sbin/chkconfig --add sshd
if test -f /var/run/sshd.restart ; then
rm -f /var/run/sshd.restart
/sbin/service sshd start > /dev/null 2>&1 || :
fi
fi
%pre server
%{_sbindir}/groupadd -r -g %{sshd_gid} sshd 2>/dev/null || :
%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
-g sshd -M -r sshd 2>/dev/null || :
%post server
/sbin/chkconfig --add sshd
%postun server
/sbin/service sshd condrestart > /dev/null 2>&1 || :
%preun server
if [ "$1" = 0 ]
then
/sbin/service sshd stop > /dev/null 2>&1 || :
/sbin/chkconfig --del sshd
fi
%files
%defattr(-,root,root)
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING*
%attr(0755,root,root) %{_bindir}/scp
%attr(0644,root,root) %{_mandir}/man1/scp.1*
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%if ! %{rescue}
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0755,root,root) %dir %{_libexecdir}/openssh
%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
%endif
%if %{scard}
%attr(0755,root,root) %dir %{_datadir}/openssh
%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin
%endif
%files clients
%defattr(-,root,root)
%attr(0755,root,root) %{_bindir}/ssh
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%attr(-,root,root) %{_bindir}/slogin
%attr(-,root,root) %{_mandir}/man1/slogin.1*
%if ! %{rescue}
%attr(2755,root,nobody) %{_bindir}/ssh-agent
%attr(0755,root,root) %{_bindir}/ssh-add
%attr(0755,root,root) %{_bindir}/ssh-keyscan
%attr(0755,root,root) %{_bindir}/sftp
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
%endif
%if ! %{rescue}
%files server
%defattr(-,root,root)
%dir %attr(0111,root,root) %{_var}/empty/sshd
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
%attr(0755,root,root) %config /etc/rc.d/init.d/sshd
%endif
%if ! %{no_x11_askpass}
%files askpass
%defattr(-,root,root)
%doc x11-ssh-askpass-%{aversion}/README
%doc x11-ssh-askpass-%{aversion}/ChangeLog
%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass
%endif
%if ! %{no_gnome_askpass}
%files askpass-gnome
%defattr(-,root,root)
%attr(0755,root,root) %config %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
%endif
%changelog
* Mon Jun 2 2003 Damien Miller <djm@mindrot.org>
- Remove noip6 option. This may be controlled at run-time in client config
file using new AddressFamily directive
* Mon May 12 2003 Damien Miller <djm@mindrot.org>
- Don't install profile.d scripts when not building with GNOME/GTK askpass
(patch from bet@rahul.net)
* Wed Oct 01 2002 Damien Miller <djm@mindrot.org>
- Install ssh-agent setgid nobody to prevent ptrace() key theft attacks
* Mon Sep 30 2002 Damien Miller <djm@mindrot.org>
- Use contrib/ Makefile for building askpass programs
* Fri Jun 21 2002 Damien Miller <djm@mindrot.org>
- Merge in spec changes from seba@iq.pl (Sebastian Pachuta)
- Add new {ssh,sshd}_config.5 manpages
- Add new ssh-keysign program and remove setuid from ssh client
* Fri May 10 2002 Damien Miller <djm@mindrot.org>
- Merge in spec changes from RedHat, reorgansie a little
- Add Privsep user, group and directory
* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-2
- bump and grind (through the build system)
* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-1
- require sharutils for building (mindrot #137)
- require db1-devel only when building for 6.x (#55105), which probably won't
work anyway (3.1 requires OpenSSL 0.9.6 to build), but what the heck
- require pam-devel by file (not by package name) again
- add Markus's patch to compile with OpenSSL 0.9.5a (from
http://bugzilla.mindrot.org/show_bug.cgi?id=141) and apply it if we're
building for 6.x
* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-0
- update to 3.1p1
* Tue Mar 5 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020305
- update to SNAP-20020305
- drop debug patch, fixed upstream
* Wed Feb 20 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020220
- update to SNAP-20020220 for testing purposes (you've been warned, if there's
anything to be warned about, gss patches won't apply, I don't mind)
* Wed Feb 13 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-3
- add patches from Simon Wilkinson and Nicolas Williams for GSSAPI key
exchange, authentication, and named key support
* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-2
- remove dependency on db1-devel, which has just been swallowed up whole
by gnome-libs-devel
* Sun Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com>
- adjust build dependencies so that build6x actually works right (fix
from Hugo van der Kooij)
* Tue Dec 4 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-1
- update to 3.0.2p1
* Fri Nov 16 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.1p1-1
- update to 3.0.1p1
* Tue Nov 13 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to current CVS (not for use in distribution)
* Thu Nov 8 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0p1-1
- merge some of Damien Miller <djm@mindrot.org> changes from the upstream
3.0p1 spec file and init script
* Wed Nov 7 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 3.0p1
- update to x11-ssh-askpass 1.2.4.1
- change build dependency on a file from pam-devel to the pam-devel package
- replace primes with moduli
* Thu Sep 27 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-9
- incorporate fix from Markus Friedl's advisory for IP-based authorization bugs
* Thu Sep 13 2001 Bernhard Rosenkraenzer <bero@redhat.com> 2.9p2-8
- Merge changes to rescue build from current sysadmin survival cd
* Thu Sep 6 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-7
- fix scp's server's reporting of file sizes, and build with the proper
preprocessor define to get large-file capable open(), stat(), etc.
(sftp has been doing this correctly all along) (#51827)
- configure without --with-ipv4-default on RHL 7.x and newer (#45987,#52247)
- pull cvs patch to fix support for /etc/nologin for non-PAM logins (#47298)
- mark profile.d scriptlets as config files (#42337)
- refer to Jason Stone's mail for zsh workaround for exit-hanging quasi-bug
- change a couple of log() statements to debug() statements (#50751)
- pull cvs patch to add -t flag to sshd (#28611)
- clear fd_sets correctly (one bit per FD, not one byte per FD) (#43221)
* Mon Aug 20 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-6
- add db1-devel as a BuildPrerequisite (noted by Hans Ecke)
* Thu Aug 16 2001 Nalin Dahyabhai <nalin@redhat.com>
- pull cvs patch to fix remote port forwarding with protocol 2
* Thu Aug 9 2001 Nalin Dahyabhai <nalin@redhat.com>
- pull cvs patch to add session initialization to no-pty sessions
- pull cvs patch to not cut off challengeresponse auth needlessly
- refuse to do X11 forwarding if xauth isn't there, handy if you enable
it by default on a system that doesn't have X installed (#49263)
* Wed Aug 8 2001 Nalin Dahyabhai <nalin@redhat.com>
- don't apply patches to code we don't intend to build (spotted by Matt Galgoci)
* Mon Aug 6 2001 Nalin Dahyabhai <nalin@redhat.com>
- pass OPTIONS correctly to initlog (#50151)
* Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com>
- switch to x11-ssh-askpass 1.2.2
* Wed Jul 11 2001 Nalin Dahyabhai <nalin@redhat.com>
- rebuild in new environment
* Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
- disable the gssapi patch
* Mon Jun 18 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 2.9p2
- refresh to a new version of the gssapi patch
* Thu Jun 7 2001 Nalin Dahyabhai <nalin@redhat.com>
- change Copyright: BSD to License: BSD
- add Markus Friedl's unverified patch for the cookie file deletion problem
so that we can verify it
- drop patch to check if xauth is present (was folded into cookie patch)
- don't apply gssapi patches for the errata candidate
- clear supplemental groups list at startup
* Fri May 25 2001 Nalin Dahyabhai <nalin@redhat.com>
- fix an error parsing the new default sshd_config
- add a fix from Markus Friedl (via openssh-unix-dev) for ssh-keygen not
dealing with comments right
* Thu May 24 2001 Nalin Dahyabhai <nalin@redhat.com>
- add in Simon Wilkinson's GSSAPI patch to give it some testing in-house,
to be removed before the next beta cycle because it's a big departure
from the upstream version
* Thu May 3 2001 Nalin Dahyabhai <nalin@redhat.com>
- finish marking strings in the init script for translation
- modify init script to source /etc/sysconfig/sshd and pass $OPTIONS to sshd
at startup (change merged from openssh.com init script, originally by
Pekka Savola)
- refuse to do X11 forwarding if xauth isn't there, handy if you enable
it by default on a system that doesn't have X installed
* Wed May 2 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 2.9
- drop various patches that came from or went upstream or to or from CVS
* Wed Apr 18 2001 Nalin Dahyabhai <nalin@redhat.com>
- only require initscripts 5.00 on 6.2 (reported by Peter Bieringer)
* Sun Apr 8 2001 Preston Brown <pbrown@redhat.com>
- remove explicit openssl requirement, fixes builddistro issue
- make initscript stop() function wait until sshd really dead to avoid
races in condrestart
* Mon Apr 2 2001 Nalin Dahyabhai <nalin@redhat.com>
- mention that challengereponse supports PAM, so disabling password doesn't
limit users to pubkey and rsa auth (#34378)
- bypass the daemon() function in the init script and call initlog directly,
because daemon() won't start a daemon it detects is already running (like
open connections)
- require the version of openssl we had when we were built
* Fri Mar 23 2001 Nalin Dahyabhai <nalin@redhat.com>
- make do_pam_setcred() smart enough to know when to establish creds and
when to reinitialize them
- add in a couple of other fixes from Damien for inclusion in the errata
* Thu Mar 22 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 2.5.2p2
- call setcred() again after initgroups, because the "creds" could actually
be group memberships
* Tue Mar 20 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 2.5.2p1 (includes endianness fixes in the rijndael implementation)
- don't enable challenge-response by default until we find a way to not
have too many userauth requests (we may make up to six pubkey and up to
three password attempts as it is)
- remove build dependency on rsh to match openssh.com's packages more closely
* Sat Mar 3 2001 Nalin Dahyabhai <nalin@redhat.com>
- remove dependency on openssl -- would need to be too precise
* Fri Mar 2 2001 Nalin Dahyabhai <nalin@redhat.com>
- rebuild in new environment
* Mon Feb 26 2001 Nalin Dahyabhai <nalin@redhat.com>
- Revert the patch to move pam_open_session.
- Init script and spec file changes from Pekka Savola. (#28750)
- Patch sftp to recognize '-o protocol' arguments. (#29540)
* Thu Feb 22 2001 Nalin Dahyabhai <nalin@redhat.com>
- Chuck the closing patch.
- Add a trigger to add host keys for protocol 2 to the config file, now that
configuration file syntax requires us to specify it with HostKey if we
specify any other HostKey values, which we do.
* Tue Feb 20 2001 Nalin Dahyabhai <nalin@redhat.com>
- Redo patch to move pam_open_session after the server setuid()s to the user.
- Rework the nopam patch to use be picked up by autoconf.
* Mon Feb 19 2001 Nalin Dahyabhai <nalin@redhat.com>
- Update for 2.5.1p1.
- Add init script mods from Pekka Savola.
- Tweak the init script to match the CVS contrib script more closely.
- Redo patch to ssh-add to try to adding both identity and id_dsa to also try
adding id_rsa.
* Fri Feb 16 2001 Nalin Dahyabhai <nalin@redhat.com>
- Update for 2.5.0p1.
- Use $RPM_OPT_FLAGS instead of -O when building gnome-ssh-askpass
- Resync with parts of Damien Miller's openssh.spec from CVS, including
update of x11 askpass to 1.2.0.
- Only require openssl (don't prereq) because we generate keys in the init
script now.
* Tue Feb 13 2001 Nalin Dahyabhai <nalin@redhat.com>
- Don't open a PAM session until we've forked and become the user (#25690).
- Apply Andrew Bartlett's patch for letting pam_authenticate() know which
host the user is attempting a login from.
- Resync with parts of Damien Miller's openssh.spec from CVS.
- Don't expose KbdInt responses in debug messages (from CVS).
- Detect and handle errors in rsa_{public,private}_decrypt (from CVS).
* Wed Feb 7 2001 Trond Eivind Glomsrxd <teg@redhat.com>
- i18n-tweak to initscript.
* Tue Jan 23 2001 Nalin Dahyabhai <nalin@redhat.com>
- More gettextizing.
- Close all files after going into daemon mode (needs more testing).
- Extract patch from CVS to handle auth banners (in the client).
- Extract patch from CVS to handle compat weirdness.
* Fri Jan 19 2001 Nalin Dahyabhai <nalin@redhat.com>
- Finish with the gettextizing.
* Thu Jan 18 2001 Nalin Dahyabhai <nalin@redhat.com>
- Fix a bug in auth2-pam.c (#23877)
- Gettextize the init script.
* Wed Dec 20 2000 Nalin Dahyabhai <nalin@redhat.com>
- Incorporate a switch for using PAM configs for 6.x, just in case.
* Tue Dec 5 2000 Nalin Dahyabhai <nalin@redhat.com>
- Incorporate Bero's changes for a build specifically for rescue CDs.
* Wed Nov 29 2000 Nalin Dahyabhai <nalin@redhat.com>
- Don't treat pam_setcred() failure as fatal unless pam_authenticate() has
succeeded, to allow public-key authentication after a failure with "none"
authentication. (#21268)
* Tue Nov 28 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to x11-askpass 1.1.1. (#21301)
- Don't second-guess fixpaths, which causes paths to get fixed twice. (#21290)
* Mon Nov 27 2000 Nalin Dahyabhai <nalin@redhat.com>
- Merge multiple PAM text messages into subsequent prompts when possible when
doing keyboard-interactive authentication.
* Sun Nov 26 2000 Nalin Dahyabhai <nalin@redhat.com>
- Disable the built-in MD5 password support. We're using PAM.
- Take a crack at doing keyboard-interactive authentication with PAM, and
enable use of it in the default client configuration so that the client
will try it when the server disallows password authentication.
- Build with debugging flags. Build root policies strip all binaries anyway.
* Tue Nov 21 2000 Nalin Dahyabhai <nalin@redhat.com>
- Use DESTDIR instead of %%makeinstall.
- Remove /usr/X11R6/bin from the path-fixing patch.
* Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com>
- Add the primes file from the latest snapshot to the main package (#20884).
- Add the dev package to the prereq list (#19984).
- Remove the default path and mimic login's behavior in the server itself.
* Fri Nov 17 2000 Nalin Dahyabhai <nalin@redhat.com>
- Resync with conditional options in Damien Miller's .spec file for an errata.
- Change libexecdir from %%{_libexecdir}/ssh to %%{_libexecdir}/openssh.
* Tue Nov 7 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to OpenSSH 2.3.0p1.
- Update to x11-askpass 1.1.0.
- Enable keyboard-interactive authentication.
* Mon Oct 30 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to ssh-askpass-x11 1.0.3.
- Change authentication related messages to be private (#19966).
* Tue Oct 10 2000 Nalin Dahyabhai <nalin@redhat.com>
- Patch ssh-keygen to be able to list signatures for DSA public key files
it generates.
* Thu Oct 5 2000 Nalin Dahyabhai <nalin@redhat.com>
- Add BuildPreReq on /usr/include/security/pam_appl.h to be sure we always
build PAM authentication in.
- Try setting SSH_ASKPASS if gnome-ssh-askpass is installed.
- Clean out no-longer-used patches.
- Patch ssh-add to try to add both identity and id_dsa, and to error only
when neither exists.
* Mon Oct 2 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update x11-askpass to 1.0.2. (#17835)
- Add BuildPreReqs for /bin/login and /usr/bin/rsh so that configure will
always find them in the right place. (#17909)
- Set the default path to be the same as the one supplied by /bin/login, but
add /usr/X11R6/bin. (#17909)
- Try to handle obsoletion of ssh-server more cleanly. Package names
are different, but init script name isn't. (#17865)
* Wed Sep 6 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to 2.2.0p1. (#17835)
- Tweak the init script to allow proper restarting. (#18023)
* Wed Aug 23 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to 20000823 snapshot.
- Change subpackage requirements from %%{version} to %%{version}-%%{release}
- Back out the pipe patch.
* Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to 2.1.1p4, which includes fixes for config file parsing problems.
- Move the init script back.
- Add Damien's quick fix for wackiness.
* Wed Jul 12 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to 2.1.1p3, which includes fixes for X11 forwarding and strtok().
* Thu Jul 6 2000 Nalin Dahyabhai <nalin@redhat.com>
- Move condrestart to server postun.
- Move key generation to init script.
- Actually use the right patch for moving the key generation to the init script.
- Clean up the init script a bit.
* Wed Jul 5 2000 Nalin Dahyabhai <nalin@redhat.com>
- Fix X11 forwarding, from mail post by Chan Shih-Ping Richard.
* Sun Jul 2 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to 2.1.1p2.
- Use of strtok() considered harmful.
* Sat Jul 1 2000 Nalin Dahyabhai <nalin@redhat.com>
- Get the build root out of the man pages.
* Thu Jun 29 2000 Nalin Dahyabhai <nalin@redhat.com>
- Add and use condrestart support in the init script.
- Add newer initscripts as a prereq.
* Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
- Build in new environment (release 2)
- Move -clients subpackage to Applications/Internet group
* Fri Jun 9 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to 2.2.1p1
* Sat Jun 3 2000 Nalin Dahyabhai <nalin@redhat.com>
- Patch to build with neither RSA nor RSAref.
- Miscellaneous FHS-compliance tweaks.
- Fix for possibly-compressed man pages.
* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
- Updated for new location
- Updated for new gnome-ssh-askpass build
* Sun Dec 26 1999 Damien Miller <djm@mindrot.org>
- Added Jim Knoble's <jmknoble@pobox.com> askpass
* Mon Nov 15 1999 Damien Miller <djm@mindrot.org>
- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com>
* Sat Nov 13 1999 Damien Miller <djm@mindrot.org>
- Added 'Obsoletes' directives
* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au>
- Use make install
- Subpackages
* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au>
- Added links for slogin
- Fixed perms on manpages
* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au>
- Renamed init script
* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au>
- Back to old binary names
* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au>
- Use autoconf
- New binary names
* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au>
- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec.

163
contrib/redhat/sshd.init Executable file
View File

@ -0,0 +1,163 @@
#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid
# source function library
. /etc/rc.d/init.d/functions
# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
RETVAL=0
prog="sshd"
# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pid
do_rsa1_keygen() {
if [ ! -s $RSA1_KEY ]; then
echo -n $"Generating SSH1 RSA host key: "
if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
chmod 600 $RSA1_KEY
chmod 644 $RSA1_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $RSA1_KEY.pub
fi
success $"RSA1 key generation"
echo
else
failure $"RSA1 key generation"
echo
exit 1
fi
fi
}
do_rsa_keygen() {
if [ ! -s $RSA_KEY ]; then
echo -n $"Generating SSH2 RSA host key: "
if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $RSA_KEY
chmod 644 $RSA_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $RSA_KEY.pub
fi
success $"RSA key generation"
echo
else
failure $"RSA key generation"
echo
exit 1
fi
fi
}
do_dsa_keygen() {
if [ ! -s $DSA_KEY ]; then
echo -n $"Generating SSH2 DSA host key: "
if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $DSA_KEY
chmod 644 $DSA_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $DSA_KEY.pub
fi
success $"DSA key generation"
echo
else
failure $"DSA key generation"
echo
exit 1
fi
fi
}
do_restart_sanity_check()
{
$SSHD -t
RETVAL=$?
if [ ! "$RETVAL" = 0 ]; then
failure $"Configuration file or keys are invalid"
echo
fi
}
start()
{
# Create keys if necessary
do_rsa1_keygen
do_rsa_keygen
do_dsa_keygen
echo -n $"Starting $prog:"
initlog -c "$SSHD $OPTIONS" && success || failure
RETVAL=$?
[ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
echo
}
stop()
{
echo -n $"Stopping $prog:"
killproc $SSHD -TERM
RETVAL=$?
[ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd
echo
}
reload()
{
echo -n $"Reloading $prog:"
killproc $SSHD -HUP
RETVAL=$?
echo
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
reload)
reload
;;
condrestart)
if [ -f /var/lock/subsys/sshd ] ; then
do_restart_sanity_check
if [ "$RETVAL" = 0 ] ; then
stop
# avoid race
sleep 3
start
fi
fi
;;
status)
status $SSHD
RETVAL=$?
;;
*)
echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
RETVAL=1
esac
exit $RETVAL

172
contrib/redhat/sshd.init.old Executable file
View File

@ -0,0 +1,172 @@
#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid
# source function library
. /etc/rc.d/init.d/functions
# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
RETVAL=0
prog="sshd"
# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pid
my_success() {
local msg
if [ $# -gt 1 ]; then
msg="$2"
else
msg="done"
fi
case "`type -type success`" in
function)
success "$1"
;;
*)
echo -n "${msg}"
;;
esac
}
my_failure() {
local msg
if [ $# -gt 1 ]; then
msg="$2"
else
msg="FAILED"
fi
case "`type -type failure`" in
function)
failure "$1"
;;
*)
echo -n "${msg}"
;;
esac
}
do_rsa1_keygen() {
if [ ! -s $RSA1_KEY ]; then
echo -n "Generating SSH1 RSA host key: "
if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
chmod 600 $RSA1_KEY
chmod 644 $RSA1_KEY.pub
my_success "RSA1 key generation"
echo
else
my_failure "RSA1 key generation"
echo
exit 1
fi
fi
}
do_rsa_keygen() {
if [ ! -s $RSA_KEY ]; then
echo -n "Generating SSH2 RSA host key: "
if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $RSA_KEY
chmod 644 $RSA_KEY.pub
my_success "RSA key generation"
echo
else
my_failure "RSA key generation"
echo
exit 1
fi
fi
}
do_dsa_keygen() {
if [ ! -s $DSA_KEY ]; then
echo -n "Generating SSH2 DSA host key: "
if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $DSA_KEY
chmod 644 $DSA_KEY.pub
my_success "DSA key generation"
echo
else
my_failure "DSA key generation"
echo
exit 1
fi
fi
}
do_restart_sanity_check() {
$SSHD -t
RETVAL=$?
if [ ! "$RETVAL" = 0 ]; then
my_failure "Configuration file or keys"
echo
fi
}
case "$1" in
start)
# Create keys if necessary
do_rsa1_keygen;
do_rsa_keygen;
do_dsa_keygen;
echo -n "Starting sshd: "
if [ ! -f $PID_FILE ] ; then
sshd $OPTIONS
RETVAL=$?
if [ "$RETVAL" = "0" ] ; then
my_success "sshd startup" "sshd"
touch /var/lock/subsys/sshd
else
my_failure "sshd startup" ""
fi
fi
echo
;;
stop)
echo -n "Shutting down sshd: "
if [ -f $PID_FILE ] ; then
killproc sshd
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
fi
echo
;;
restart)
do_restart_sanity_check
$0 stop
$0 start
RETVAL=$?
;;
condrestart)
if [ -f /var/lock/subsys/sshd ] ; then
do_restart_sanity_check
$0 stop
$0 start
RETVAL=$?
fi
;;
status)
status sshd
RETVAL=$?
;;
*)
echo "Usage: sshd {start|stop|restart|status|condrestart}"
exit 1
;;
esac
exit $RETVAL

6
contrib/redhat/sshd.pam Normal file
View File

@ -0,0 +1,6 @@
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth

8
contrib/redhat/sshd.pam.old Normal file
View File

@ -0,0 +1,8 @@
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nodelay
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session required /lib/security/pam_pwdb.so
session required /lib/security/pam_limits.so

30
contrib/solaris/README Executable file
View File

@ -0,0 +1,30 @@
The following is a new package build script for Solaris. This is being
introduced into OpenSSH 3.0 and above in hopes of simplifying the build
process. As of 3.1p2 the script should work on all platforms that have
SVR4 style package tools.
The build process is called a 'dummy install'.. Which means the software does
a "make install-nokeys DESTDIR=[fakeroot]". This way all manpages should
be handled correctly and key are defered until the first time the sshd
is started.
Directions:
1. make -F Makefile.in distprep (Only if you are getting from the CVS tree)
2. ./configure --with-pam [..any other options you want..]
3. look at the top of buildpkg.sh for the configurable options and put
any changes you want in openssh-config.local. Additional customizations
can be done to the build process by creating one or more of the following
scripts that will be sourced by buildpkg.sh.
pkg_post_make_install_fixes.sh pkg-post-prototype-edit.sh
pkg-preinstall.local pkg-postinstall.local pkg-preremove.local
pkg-postremove.local pkg-request.local
4. Run "make package"
If all goes well you should have a solaris package ready to be installed.
If you have any problems with this script please post them to
openssh-unix-dev@mindrot.org and I will try to assist you as best as I can.
- Ben Lindstrom

50
contrib/ssh-copy-id Normal file
View File

@ -0,0 +1,50 @@
#!/bin/sh
# Shell script to install your identity.pub on a remote machine
# Takes the remote machine name as an argument.
# Obviously, the remote machine must accept password authentication,
# or one of the other keys in your ssh-agent, for this to work.
ID_FILE="${HOME}/.ssh/identity.pub"
if [ "-i" = "$1" ]; then
shift
# check if we have 2 parameters left, if so the first is the new ID file
if [ -n "$2" ]; then
if expr "$1" : ".*\.pub" ; then
ID_FILE="$1"
else
ID_FILE="$1.pub"
fi
shift # and this should leave $1 as the target name
fi
else
if [ x$SSH_AUTH_SOCK != x ] ; then
GET_ID="$GET_ID ssh-add -L"
fi
fi
if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then
GET_ID="cat ${ID_FILE}"
fi
if [ -z "`eval $GET_ID`" ]; then
echo "$0: ERROR: No identities found" >&2
exit 1
fi
if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
exit 1
fi
{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1
cat <<EOF
Now try logging into the machine, with "ssh '$1'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
EOF

67
contrib/ssh-copy-id.1 Normal file
View File

@ -0,0 +1,67 @@
.ig \" -*- nroff -*-
Copyright (c) 1999 Philip Hands Computing <http://www.hands.com/>
Permission is granted to make and distribute verbatim copies of
this manual provided the copyright notice and this permission notice
are preserved on all copies.
Permission is granted to copy and distribute modified versions of this
manual under the conditions for verbatim copying, provided that the
entire resulting derived work is distributed under the terms of a
permission notice identical to this one.
Permission is granted to copy and distribute translations of this
manual into another language, under the above conditions for modified
versions, except that this permission notice may be included in
translations approved by the Free Software Foundation instead of in
the original English.
..
.TH SSH-COPY-ID 1 "14 November 1999" "OpenSSH"
.SH NAME
ssh-copy-id \- install your identity.pub in a remote machine's authorized_keys
.SH SYNOPSIS
.B ssh-copy-id [-i [identity_file]]
.I "[user@]machine"
.br
.SH DESCRIPTION
.BR ssh-copy-id
is a script that uses ssh to log into a remote machine (presumably
using a login password, so password authentication should be enabled,
unless you've done some clever use of multiple identities)
.PP
It also changes the permissions of the remote user's home,
.BR ~/.ssh ,
and
.B ~/.ssh/authorized_keys
to remove group writability (which would otherwise prevent you from logging in, if the remote
.B sshd
has
.B StrictModes
set in its configuration).
.PP
If the
.B -i
option is given then the identity file (defaults to
.BR ~/.ssh/identity.pub )
is used, regardless of whether there are any keys in your
.BR ssh-agent .
Otherwise, if this:
.PP
.B " ssh-add -L"
.PP
provides any output, it uses that in preference to the identity file.
.PP
If the
.B -i
option is used, or the
.B ssh-add
produced no output, then it uses the contents of the identity
file. Once it has one or more fingerprints (by whatever means) it
uses ssh to append them to
.B ~/.ssh/authorized_keys
on the remote machine (creating the file, and directory, if necessary)
.SH "SEE ALSO"
.BR ssh (1),
.BR ssh-agent (1),
.BR sshd (8)

5
contrib/sshd.pam.freebsd Normal file
View File

@ -0,0 +1,5 @@
sshd auth required pam_unix.so try_first_pass
sshd account required pam_unix.so
sshd password required pam_permit.so
sshd session required pam_permit.so

8
contrib/sshd.pam.generic Normal file
View File

@ -0,0 +1,8 @@
#%PAM-1.0
auth required /lib/security/pam_unix.so shadow nodelay
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_unix.so shadow nullok use_authtok
session required /lib/security/pam_unix.so
session required /lib/security/pam_limits.so

249
contrib/suse/openssh.spec Normal file
View File

@ -0,0 +1,249 @@
# Default values for additional components
%define build_x11_askpass 1
# Define the UID/GID to use for privilege separation
%define sshd_gid 65
%define sshd_uid 71
# The version of x11-ssh-askpass to use
%define xversion 1.2.4.1
# Allow the ability to override defaults with -D skip_xxx=1
%{?skip_x11_askpass:%define build_x11_askpass 0}
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh
Version: 4.6p1
URL: http://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz
Source1: x11-ssh-askpass-%{xversion}.tar.gz
License: BSD
Group: Productivity/Networking/SSH
BuildRoot: %{_tmppath}/openssh-%{version}-buildroot
PreReq: openssl
Obsoletes: ssh
Provides: ssh
#
# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.)
# building prerequisites -- stuff for
# OpenSSL (openssl-devel),
# TCP Wrappers (nkitb),
# and Gnome (glibdev, gtkdev, and gnlibsd)
#
BuildPrereq: openssl
BuildPrereq: nkitb
#BuildPrereq: glibdev
#BuildPrereq: gtkdev
#BuildPrereq: gnlibsd
%package askpass
Summary: A passphrase dialog for OpenSSH and the X window System.
Group: Productivity/Networking/SSH
Requires: openssh = %{version}
Obsoletes: ssh-extras
Provides: openssh:${_libdir}/ssh/ssh-askpass
%if %{build_x11_askpass}
BuildPrereq: XFree86-devel
%endif
%description
Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.
OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
up to date in terms of security and features, as well as removing all
patented algorithms to seperate libraries (OpenSSL).
This package includes all files necessary for both the OpenSSH
client and server.
%description askpass
Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.
OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
up to date in terms of security and features, as well as removing all
patented algorithms to seperate libraries (OpenSSL).
This package contains an X Window System passphrase dialog for OpenSSH.
%changelog
* Wed Oct 26 2005 Iain Morgan <imorgan@nas.nasa.gov>
- Removed accidental inclusion of --without-zlib-version-check
* Tue Oct 25 2005 Iain Morgan <imorgan@nas.nasa.gov>
- Overhaul to deal with newer versions of SuSE and OpenSSH
* Mon Jun 12 2000 Damien Miller <djm@mindrot.org>
- Glob manpages to catch compressed files
* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
- Updated for new location
- Updated for new gnome-ssh-askpass build
* Sun Dec 26 1999 Chris Saia <csaia@wtower.com>
- Made symlink to gnome-ssh-askpass called ssh-askpass
* Wed Nov 24 1999 Chris Saia <csaia@wtower.com>
- Removed patches that included /etc/pam.d/sshd, /sbin/init.d/rc.sshd, and
/var/adm/fillup-templates/rc.config.sshd, since Damien merged these into
his released tarfile
- Changed permissions on ssh_config in the install procedure to 644 from 600
even though it was correct in the %files section and thus right in the RPMs
- Postinstall script for the server now only prints "Generating SSH host
key..." if we need to actually do this, in order to eliminate a confusing
message if an SSH host key is already in place
- Marked all manual pages as %doc(umentation)
* Mon Nov 22 1999 Chris Saia <csaia@wtower.com>
- Added flag to configure daemon with TCP Wrappers support
- Added building prerequisites (works in RPM 3.0 and newer)
* Thu Nov 18 1999 Chris Saia <csaia@wtower.com>
- Made this package correct for SuSE.
- Changed instances of pam_pwdb.so to pam_unix.so, since it works more properly
with SuSE, and lib_pwdb.so isn't installed by default.
* Mon Nov 15 1999 Damien Miller <djm@mindrot.org>
- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com>
* Sat Nov 13 1999 Damien Miller <djm@mindrot.org>
- Added 'Obsoletes' directives
* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au>
- Use make install
- Subpackages
* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au>
- Added links for slogin
- Fixed perms on manpages
* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au>
- Renamed init script
* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au>
- Back to old binary names
* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au>
- Use autoconf
- New binary names
* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au>
- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec.
%prep
%if %{build_x11_askpass}
%setup -q -a 1
%else
%setup -q
%endif
%build
CFLAGS="$RPM_OPT_FLAGS" \
%configure --prefix=/usr \
--sysconfdir=%{_sysconfdir}/ssh \
--mandir=%{_mandir} \
--with-privsep-path=/var/lib/empty \
--with-pam \
--with-tcp-wrappers \
--libexecdir=%{_libdir}/ssh
make
%if %{build_x11_askpass}
cd x11-ssh-askpass-%{xversion}
%configure --mandir=/usr/X11R6/man \
--libexecdir=%{_libdir}/ssh
xmkmf -a
make
cd ..
%endif
%install
rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT/
install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/init.d/
install -d $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m644 contrib/sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/etc/init.d/sshd
install -m744 contrib/suse/sysconfig.ssh \
$RPM_BUILD_ROOT/var/adm/fillup-templates
%if %{build_x11_askpass}
cd x11-ssh-askpass-%{xversion}
make install install.man BINDIR=%{_libdir}/ssh DESTDIR=$RPM_BUILD_ROOT/
rm -f $RPM_BUILD_ROOT/usr/share/Ssh.bin
%endif
%clean
rm -rf $RPM_BUILD_ROOT
%pre
/usr/sbin/groupadd -g %{sshd_gid} -o -r sshd 2> /dev/null || :
/usr/sbin/useradd -r -o -g sshd -u %{sshd_uid} -s /bin/false -c "SSH Privilege Separation User" -d /var/lib/sshd sshd 2> /dev/null || :
%post
if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then
echo "Generating SSH RSA host key..."
/usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' >&2
fi
if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then
echo "Generating SSH DSA host key..."
/usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' >&2
fi
%{fillup_and_insserv -n -s -y ssh sshd START_SSHD}
%run_permissions
%verifyscript
%verify_permissions -e /etc/ssh/sshd_config -e /etc/ssh/ssh_config -e /usr/bin/ssh
%preun
%stop_on_removal sshd
%postun
%restart_on_update sshd
%{insserv_cleanup}
%files
%defattr(-,root,root)
%doc ChangeLog OVERVIEW README*
%doc RFC.nroff TODO CREDITS LICENCE
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
%attr(0755,root,root) %config /etc/init.d/sshd
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0755,root,root) %{_bindir}/scp
%attr(0755,root,root) %{_bindir}/ssh
%attr(-,root,root) %{_bindir}/slogin
%attr(0755,root,root) %{_bindir}/ssh-agent
%attr(0755,root,root) %{_bindir}/ssh-add
%attr(0755,root,root) %{_bindir}/ssh-keyscan
%attr(0755,root,root) %{_bindir}/sftp
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %dir %{_libdir}/ssh
%attr(0755,root,root) %{_libdir}/ssh/sftp-server
%attr(4711,root,root) %{_libdir}/ssh/ssh-keysign
%attr(0644,root,root) %doc %{_mandir}/man1/scp.1*
%attr(0644,root,root) %doc %{_mandir}/man1/sftp.1*
%attr(-,root,root) %doc %{_mandir}/man1/slogin.1*
%attr(0644,root,root) %doc %{_mandir}/man1/ssh.1*
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-add.1*
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-agent.1*
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keygen.1*
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keyscan.1*
%attr(0644,root,root) %doc %{_mandir}/man5/ssh_config.5*
%attr(0644,root,root) %doc %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %doc %{_mandir}/man8/sftp-server.8*
%attr(0644,root,root) %doc %{_mandir}/man8/ssh-keysign.8*
%attr(0644,root,root) %doc %{_mandir}/man8/sshd.8*
%attr(0644,root,root) /var/adm/fillup-templates/sysconfig.ssh
%if %{build_x11_askpass}
%files askpass
%defattr(-,root,root)
%doc x11-ssh-askpass-%{xversion}/README
%doc x11-ssh-askpass-%{xversion}/ChangeLog
%doc x11-ssh-askpass-%{xversion}/SshAskpass*.ad
%attr(0755,root,root) %{_libdir}/ssh/ssh-askpass
%attr(0755,root,root) %{_libdir}/ssh/x11-ssh-askpass
%attr(0644,root,root) %doc /usr/X11R6/man/man1/ssh-askpass.1x*
%attr(0644,root,root) %doc /usr/X11R6/man/man1/x11-ssh-askpass.1x*
%attr(0644,root,root) %config /usr/X11R6/lib/X11/app-defaults/SshAskpass
%endif

5
contrib/suse/rc.config.sshd Normal file
View File

@ -0,0 +1,5 @@
#
# Start the Secure Shell (SSH) Daemon?
#
START_SSHD="yes"

133
contrib/suse/rc.sshd Normal file
View File

@ -0,0 +1,133 @@
#! /bin/sh
# Copyright (c) 1995-2000 SuSE GmbH Nuernberg, Germany.
#
# Author: Jiri Smid <feedback@suse.de>
#
# /etc/init.d/sshd
#
# and symbolic its link
#
# /usr/sbin/rcsshd
#
### BEGIN INIT INFO
# Provides: sshd
# Required-Start: $network $remote_fs
# Required-Stop: $network $remote_fs
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Description: Start the sshd daemon
### END INIT INFO
SSHD_BIN=/usr/sbin/sshd
test -x $SSHD_BIN || exit 5
SSHD_SYSCONFIG=/etc/sysconfig/ssh
test -r $SSHD_SYSCONFIG || exit 6
. $SSHD_SYSCONFIG
SSHD_PIDFILE=/var/run/sshd.init.pid
. /etc/rc.status
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v ditto but be verbose in local rc status
# rc_status -v -r ditto and clear the local rc status
# rc_failed set local and overall rc status to failed
# rc_reset clear local rc status (overall remains)
# rc_exit exit appropriate to overall rc status
# First reset status of this service
rc_reset
case "$1" in
start)
if ! test -f /etc/ssh/ssh_host_key ; then
echo Generating /etc/ssh/ssh_host_key.
ssh-keygen -t rsa1 -b 1024 -f /etc/ssh/ssh_host_key -N ''
fi
if ! test -f /etc/ssh/ssh_host_dsa_key ; then
echo Generating /etc/ssh/ssh_host_dsa_key.
ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ''
fi
if ! test -f /etc/ssh/ssh_host_rsa_key ; then
echo Generating /etc/ssh/ssh_host_rsa_key.
ssh-keygen -t rsa -b 1024 -f /etc/ssh/ssh_host_rsa_key -N ''
fi
echo -n "Starting SSH daemon"
## Start daemon with startproc(8). If this fails
## the echo return value is set appropriate.
startproc -f -p $SSHD_PIDFILE /usr/sbin/sshd $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE"
# Remember status and be verbose
rc_status -v
;;
stop)
echo -n "Shutting down SSH daemon"
## Stop daemon with killproc(8) and if this fails
## set echo the echo return value.
killproc -p $SSHD_PIDFILE -TERM /usr/sbin/sshd
# Remember status and be verbose
rc_status -v
;;
try-restart)
## Stop the service and if this succeeds (i.e. the
## service was running before), start it again.
$0 status >/dev/null && $0 restart
# Remember status and be quiet
rc_status
;;
restart)
## Stop the service and regardless of whether it was
## running or not, start it again.
$0 stop
$0 start
# Remember status and be quiet
rc_status
;;
force-reload|reload)
## Signal the daemon to reload its config. Most daemons
## do this on signal 1 (SIGHUP).
echo -n "Reload service sshd"
killproc -p $SSHD_PIDFILE -HUP /usr/sbin/sshd
rc_status -v
;;
status)
echo -n "Checking for service sshd "
## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0.
# Status has a slightly different for the status command:
# 0 - service running
# 1 - service dead, but /var/run/ pid file exists
# 2 - service dead, but /var/lock/ lock file exists
# 3 - service not running
checkproc -p $SSHD_PIDFILE /usr/sbin/sshd
rc_status -v
;;
probe)
## Optional: Probe for the necessity of a reload,
## give out the argument which is required for a reload.
test /etc/ssh/sshd_config -nt $SSHD_PIDFILE && echo reload
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1
;;
esac
rc_exit

9
contrib/suse/sysconfig.ssh Normal file
View File

@ -0,0 +1,9 @@
## Path: Network/Remote access/SSH
## Description: SSH server settings
## Type: string
## Default: ""
## ServiceRestart: sshd
#
# Options for sshd
#
SSHD_OPTS=""

2
dh.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: dh.c,v 1.43 2006/11/06 21:25:28 markus Exp $ */
/* $OpenBSD: dh.c,v 1.44 2006/11/07 13:02:07 markus Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
*

4
dns.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: dns.c,v 1.23 2006/08/03 03:34:42 deraadt Exp $ */
/* $OpenBSD: dns.c,v 1.24 2007/01/03 03:01:40 stevesk Exp $ */
/*
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
@ -217,7 +217,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
if (fingerprints->rri_nrdatas)
*flags |= DNS_VERIFY_FOUND;
for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) {
for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) {
/*
* Extract the key from the answer. Ignore any badly
* formatted fingerprints.

4
kex.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kex.c,v 1.76 2006/08/03 03:34:42 deraadt Exp $ */
/* $OpenBSD: kex.c,v 1.77 2007/01/21 01:41:54 stevesk Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
@ -552,7 +552,7 @@ dump_digest(char *msg, u_char *digest, int len)
u_int i;
fprintf(stderr, "%s\n", msg);
for (i = 0; i< len; i++) {
for (i = 0; i < len; i++) {
fprintf(stderr, "%02x", digest[i]);
if (i%32 == 31)
fprintf(stderr, "\n");

4
misc.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: misc.c,v 1.64 2006/08/03 03:34:42 deraadt Exp $ */
/* $OpenBSD: misc.c,v 1.65 2006/11/23 01:35:11 ray Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005,2006 Damien Miller. All rights reserved.
@ -616,6 +616,8 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
u_long *lineno)
{
while (fgets(buf, bufsz, f) != NULL) {
if (buf[0] == '\0')
continue;
(*lineno)++;
if (buf[strlen(buf) - 1] == '\n' || feof(f)) {
return 0;

8
moduli.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: moduli.c,v 1.19 2006/11/06 21:25:28 markus Exp $ */
/* $OpenBSD: moduli.c,v 1.20 2007/02/24 03:30:11 ray Exp $ */
/*
* Copyright 1994 Phil Karn <karn@qualcomm.com>
* Copyright 1996-1998, 2003 William Allen Simpson <wsimpson@greendragon.com>
@ -490,11 +490,9 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted)
res = 0;
lp = xmalloc(QLINESIZE + 1);
while (fgets(lp, QLINESIZE, in) != NULL) {
int ll = strlen(lp);
while (fgets(lp, QLINESIZE + 1, in) != NULL) {
count_in++;
if (ll < 14 || *lp == '!' || *lp == '#') {
if (strlen(lp) < 14 || *lp == '!' || *lp == '#') {
debug2("%10u: comment or short line", count_in);
continue;
}

5
monitor.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: monitor.c,v 1.89 2006/11/07 10:31:31 markus Exp $ */
/* $OpenBSD: monitor.c,v 1.90 2007/02/19 10:45:58 dtucker Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -642,6 +642,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
#endif
buffer_put_cstring(m, pwent->pw_dir);
buffer_put_cstring(m, pwent->pw_shell);
buffer_put_string(m, &options, sizeof(options));
if (options.banner != NULL)
buffer_put_cstring(m, options.banner);
out:
debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);

20
monitor_wrap.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: monitor_wrap.c,v 1.54 2006/08/12 20:46:46 miod Exp $ */
/* $OpenBSD: monitor_wrap.c,v 1.55 2007/02/19 10:45:58 dtucker Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -73,6 +73,7 @@
#include "channels.h"
#include "session.h"
#include "servconf.h"
/* Imports */
extern int compat20;
@ -207,7 +208,8 @@ mm_getpwnamallow(const char *username)
{
Buffer m;
struct passwd *pw;
u_int pwlen;
u_int len;
ServerOptions *newopts;
debug3("%s entering", __func__);
@ -223,8 +225,8 @@ mm_getpwnamallow(const char *username)
buffer_free(&m);
return (NULL);
}
pw = buffer_get_string(&m, &pwlen);
if (pwlen != sizeof(struct passwd))
pw = buffer_get_string(&m, &len);
if (len != sizeof(struct passwd))
fatal("%s: struct passwd size mismatch", __func__);
pw->pw_name = buffer_get_string(&m, NULL);
pw->pw_passwd = buffer_get_string(&m, NULL);
@ -234,6 +236,16 @@ mm_getpwnamallow(const char *username)
#endif
pw->pw_dir = buffer_get_string(&m, NULL);
pw->pw_shell = buffer_get_string(&m, NULL);
/* copy options block as a Match directive may have changed some */
newopts = buffer_get_string(&m, &len);
if (len != sizeof(*newopts))
fatal("%s: option block size mismatch", __func__);
if (newopts->banner != NULL)
newopts->banner = buffer_get_string(&m, NULL);
copy_set_server_options(&options, newopts, 1);
xfree(newopts);
buffer_free(&m);
return (pw);

5
openbsd-compat/bsd-asprintf.c
View File

@ -39,7 +39,8 @@
#define INIT_SZ 128
int vasprintf(char **str, const char *fmt, va_list ap)
int
vasprintf(char **str, const char *fmt, va_list ap)
{
int ret = -1;
va_list ap2;
@ -53,7 +54,7 @@ int vasprintf(char **str, const char *fmt, va_list ap)
ret = vsnprintf(string, INIT_SZ, fmt, ap2);
if (ret >= 0 && ret < INIT_SZ) { /* succeeded with initial alloc */
*str = string;
} else if (ret == INT_MAX) { /* shouldn't happen */
} else if (ret == INT_MAX || ret < 0) { /* Bad length */
goto fail;
} else { /* bigger than initial, realloc allowing for nul */
len = (size_t)ret + 1;

175
openbsd-compat/bsd-snprintf.c
View File

@ -85,6 +85,11 @@
*
* Move #endif to make sure VA_COPY, LDOUBLE, etc are defined even
* if the C library has some snprintf functions already.
*
* Damien Miller (djm@mindrot.org) Jan 2007
* Fix integer overflows in return value.
* Make formatting quite a bit faster by inlining dopr_outch()
*
**************************************************************/
#include "includes.h"
@ -112,6 +117,8 @@
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include <errno.h>
#ifdef HAVE_LONG_DOUBLE
# define LDOUBLE long double
@ -159,17 +166,28 @@
# define MAX(p,q) (((p) >= (q)) ? (p) : (q))
#endif
static size_t dopr(char *buffer, size_t maxlen, const char *format,
va_list args_in);
static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
char *value, int flags, int min, int max);
static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
LLONG value, int base, int min, int max, int flags);
static void fmtfp(char *buffer, size_t *currlen, size_t maxlen,
LDOUBLE fvalue, int min, int max, int flags);
static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c);
#define DOPR_OUTCH(buf, pos, buflen, thechar) \
do { \
if (pos + 1 >= INT_MAX) { \
errno = ERANGE; \
return -1; \
} \
if (pos < buflen) \
buf[pos] = thechar; \
(pos)++; \
} while (0)
static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args_in)
static int dopr(char *buffer, size_t maxlen, const char *format,
va_list args_in);
static int fmtstr(char *buffer, size_t *currlen, size_t maxlen,
char *value, int flags, int min, int max);
static int fmtint(char *buffer, size_t *currlen, size_t maxlen,
LLONG value, int base, int min, int max, int flags);
static int fmtfp(char *buffer, size_t *currlen, size_t maxlen,
LDOUBLE fvalue, int min, int max, int flags);
static int
dopr(char *buffer, size_t maxlen, const char *format, va_list args_in)
{
char ch;
LLONG value;
@ -198,8 +216,8 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
case DP_S_DEFAULT:
if (ch == '%')
state = DP_S_FLAGS;
else
dopr_outch (buffer, &currlen, maxlen, ch);
else
DOPR_OUTCH(buffer, currlen, maxlen, ch);
ch = *format++;
break;
case DP_S_FLAGS:
@ -298,7 +316,9 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
value = va_arg (args, LLONG);
else
value = va_arg (args, int);
fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags);
if (fmtint(buffer, &currlen, maxlen,
value, 10, min, max, flags) == -1)
return -1;
break;
case 'o':
flags |= DP_F_UNSIGNED;
@ -310,7 +330,9 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
value = (long)va_arg (args, unsigned LLONG);
else
value = (long)va_arg (args, unsigned int);
fmtint (buffer, &currlen, maxlen, value, 8, min, max, flags);
if (fmtint(buffer, &currlen, maxlen, value,
8, min, max, flags) == -1)
return -1;
break;
case 'u':
flags |= DP_F_UNSIGNED;
@ -322,7 +344,9 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
value = (LLONG)va_arg (args, unsigned LLONG);
else
value = (long)va_arg (args, unsigned int);
fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags);
if (fmtint(buffer, &currlen, maxlen, value,
10, min, max, flags) == -1)
return -1;
break;
case 'X':
flags |= DP_F_UP;
@ -336,15 +360,18 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
value = (LLONG)va_arg (args, unsigned LLONG);
else
value = (long)va_arg (args, unsigned int);
fmtint (buffer, &currlen, maxlen, value, 16, min, max, flags);
if (fmtint(buffer, &currlen, maxlen, value,
16, min, max, flags) == -1)
return -1;
break;
case 'f':
if (cflags == DP_C_LDOUBLE)
fvalue = va_arg (args, LDOUBLE);
else
fvalue = va_arg (args, double);
/* um, floating point? */
fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
if (fmtfp(buffer, &currlen, maxlen, fvalue,
min, max, flags) == -1)
return -1;
break;
case 'E':
flags |= DP_F_UP;
@ -353,7 +380,9 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
fvalue = va_arg (args, LDOUBLE);
else
fvalue = va_arg (args, double);
fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
if (fmtfp(buffer, &currlen, maxlen, fvalue,
min, max, flags) == -1)
return -1;
break;
case 'G':
flags |= DP_F_UP;
@ -362,10 +391,13 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
fvalue = va_arg (args, LDOUBLE);
else
fvalue = va_arg (args, double);
fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
if (fmtfp(buffer, &currlen, maxlen, fvalue,
min, max, flags) == -1)
return -1;
break;
case 'c':
dopr_outch (buffer, &currlen, maxlen, va_arg (args, int));
DOPR_OUTCH(buffer, currlen, maxlen,
va_arg (args, int));
break;
case 's':
strvalue = va_arg (args, char *);
@ -374,11 +406,15 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
max = strlen(strvalue);
}
if (min > 0 && max >= 0 && min > max) max = min;
fmtstr (buffer, &currlen, maxlen, strvalue, flags, min, max);
if (fmtstr(buffer, &currlen, maxlen,
strvalue, flags, min, max) == -1)
return -1;
break;
case 'p':
strvalue = va_arg (args, void *);
fmtint (buffer, &currlen, maxlen, (long) strvalue, 16, min, max, flags);
if (fmtint(buffer, &currlen, maxlen,
(long) strvalue, 16, min, max, flags) == -1)
return -1;
break;
case 'n':
if (cflags == DP_C_SHORT) {
@ -400,7 +436,7 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
}
break;
case '%':
dopr_outch (buffer, &currlen, maxlen, ch);
DOPR_OUTCH(buffer, currlen, maxlen, ch);
break;
case 'w':
/* not supported yet, treat as next char */
@ -429,11 +465,12 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
buffer[maxlen - 1] = '\0';
}
return currlen;
return currlen < INT_MAX ? (int)currlen : -1;
}
static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
char *value, int flags, int min, int max)
static int
fmtstr(char *buffer, size_t *currlen, size_t maxlen,
char *value, int flags, int min, int max)
{
int padlen, strln; /* amount to pad */
int cnt = 0;
@ -453,24 +490,27 @@ static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
padlen = -padlen; /* Left Justify */
while ((padlen > 0) && (cnt < max)) {
dopr_outch (buffer, currlen, maxlen, ' ');
DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
--padlen;
++cnt;
}
while (*value && (cnt < max)) {
dopr_outch (buffer, currlen, maxlen, *value++);
DOPR_OUTCH(buffer, *currlen, maxlen, *value);
*value++;
++cnt;
}
while ((padlen < 0) && (cnt < max)) {
dopr_outch (buffer, currlen, maxlen, ' ');
DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
++padlen;
++cnt;
}
return 0;
}
/* Have to handle DP_F_NUM (ie 0x and 0 alternates) */
static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
static int
fmtint(char *buffer, size_t *currlen, size_t maxlen,
LLONG value, int base, int min, int max, int flags)
{
int signvalue = 0;
@ -527,31 +567,34 @@ static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
/* Spaces */
while (spadlen > 0) {
dopr_outch (buffer, currlen, maxlen, ' ');
DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
--spadlen;
}
/* Sign */
if (signvalue)
dopr_outch (buffer, currlen, maxlen, signvalue);
DOPR_OUTCH(buffer, *currlen, maxlen, signvalue);
/* Zeros */
if (zpadlen > 0) {
while (zpadlen > 0) {
dopr_outch (buffer, currlen, maxlen, '0');
DOPR_OUTCH(buffer, *currlen, maxlen, '0');
--zpadlen;
}
}
/* Digits */
while (place > 0)
dopr_outch (buffer, currlen, maxlen, convert[--place]);
while (place > 0) {
--place;
DOPR_OUTCH(buffer, *currlen, maxlen, convert[place]);
}
/* Left Justified spaces */
while (spadlen < 0) {
dopr_outch (buffer, currlen, maxlen, ' ');
DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
++spadlen;
}
return 0;
}
static LDOUBLE abs_val(LDOUBLE value)
@ -564,13 +607,13 @@ static LDOUBLE abs_val(LDOUBLE value)
return result;
}
static LDOUBLE POW10(int exp)
static LDOUBLE POW10(int val)
{
LDOUBLE result = 1;
while (exp) {
while (val) {
result *= 10;
exp--;
val--;
}
return result;
@ -604,7 +647,10 @@ static double my_modf(double x0, double *iptr)
}
if (i == 100) {
/* yikes! the number is beyond what we can handle. What do we do? */
/*
* yikes! the number is beyond what we can handle.
* What do we do?
*/
(*iptr) = 0;
return 0;
}
@ -623,8 +669,9 @@ static double my_modf(double x0, double *iptr)
}
static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
LDOUBLE fvalue, int min, int max, int flags)
static int
fmtfp (char *buffer, size_t *currlen, size_t maxlen,
LDOUBLE fvalue, int min, int max, int flags)
{
int signvalue = 0;
double ufvalue;
@ -729,24 +776,26 @@ static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
if ((flags & DP_F_ZERO) && (padlen > 0)) {
if (signvalue) {
dopr_outch (buffer, currlen, maxlen, signvalue);
DOPR_OUTCH(buffer, *currlen, maxlen, signvalue);
--padlen;
signvalue = 0;
}
while (padlen > 0) {
dopr_outch (buffer, currlen, maxlen, '0');
DOPR_OUTCH(buffer, *currlen, maxlen, '0');
--padlen;
}
}
while (padlen > 0) {
dopr_outch (buffer, currlen, maxlen, ' ');
DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
--padlen;
}
if (signvalue)
dopr_outch (buffer, currlen, maxlen, signvalue);
DOPR_OUTCH(buffer, *currlen, maxlen, signvalue);
while (iplace > 0)
dopr_outch (buffer, currlen, maxlen, iconvert[--iplace]);
while (iplace > 0) {
--iplace;
DOPR_OUTCH(buffer, *currlen, maxlen, iconvert[iplace]);
}
#ifdef DEBUG_SNPRINTF
printf("fmtfp: fplace=%d zpadlen=%d\n", fplace, zpadlen);
@ -757,41 +806,38 @@ static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
* char to print out.
*/
if (max > 0) {
dopr_outch (buffer, currlen, maxlen, '.');
DOPR_OUTCH(buffer, *currlen, maxlen, '.');
while (zpadlen > 0) {
dopr_outch (buffer, currlen, maxlen, '0');
DOPR_OUTCH(buffer, *currlen, maxlen, '0');
--zpadlen;
}
while (fplace > 0)
dopr_outch (buffer, currlen, maxlen, fconvert[--fplace]);
while (fplace > 0) {
--fplace;
DOPR_OUTCH(buffer, *currlen, maxlen, fconvert[fplace]);
}
}
while (padlen < 0) {
dopr_outch (buffer, currlen, maxlen, ' ');
DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
++padlen;
}
}
static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c)
{
if (*currlen < maxlen) {
buffer[(*currlen)] = c;
}
(*currlen)++;
return 0;
}
#endif /* !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) */
#if !defined(HAVE_VSNPRINTF)
int vsnprintf (char *str, size_t count, const char *fmt, va_list args)
int
vsnprintf (char *str, size_t count, const char *fmt, va_list args)
{
return dopr(str, count, fmt, args);
}
#endif
#if !defined(HAVE_SNPRINTF)
int snprintf(char *str, size_t count, SNPRINTF_CONST char *fmt, ...)
int
snprintf(char *str, size_t count, SNPRINTF_CONST char *fmt, ...)
{
size_t ret;
va_list ap;
@ -802,4 +848,3 @@ int snprintf(char *str, size_t count, SNPRINTF_CONST char *fmt, ...)
return ret;
}
#endif

10
openbsd-compat/getrrsetbyname.c
View File

@ -303,10 +303,12 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
}
/* allocate memory for signatures */
rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
if (rrset->rri_sigs == NULL) {
result = ERRSET_NOMEMORY;
goto fail;
if (rrset->rri_nsigs > 0) {
rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
if (rrset->rri_sigs == NULL) {
result = ERRSET_NOMEMORY;
goto fail;
}
}
/* copy answers & signatures */

7
openbsd-compat/openssl-compat.h
View File

@ -1,4 +1,4 @@
/* $Id: openssl-compat.h,v 1.6 2006/02/22 11:24:47 dtucker Exp $ */
/* $Id: openssl-compat.h,v 1.7 2007/03/05 07:25:20 dtucker Exp $ */
/*
* Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@ -46,6 +46,11 @@ extern const EVP_CIPHER *evp_acss(void);
# endif
#endif
/* OpenSSL 0.9.8e returns cipher key len not context key len */
#if (OPENSSL_VERSION_NUMBER == 0x0090805fL)
# define EVP_CIPHER_CTX_key_length(c) ((c)->key_len)
#endif
/*
* We overload some of the OpenSSL crypto functions with ssh_* equivalents
* which cater for older and/or less featureful OpenSSL version.

5
openssh.xml.in
View File

@ -23,6 +23,9 @@
type='service'
version='1'>
<!--
We default to disabled so administrator can decide to enable or not.
-->
<create_default_instance enabled='false'/>
<single_instance/>
@ -53,7 +56,7 @@
<exec_method
name='start'
type='method'
exec='/lib/svc/method/site/opensshd start'
exec='/lib/svc/method/site/__SYSVINIT_NAME__ start'
timeout_seconds='60'>
<method_context/>
</exec_method>

1
packet.c
View File

@ -47,7 +47,6 @@
# include <sys/time.h>
#endif
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <arpa/inet.h>

6
readconf.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: readconf.c,v 1.159 2006/08/03 03:34:42 deraadt Exp $ */
/* $OpenBSD: readconf.c,v 1.161 2007/01/21 01:45:35 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -364,7 +364,7 @@ process_config_line(Options *options, const char *host,
if ((value = convtime(arg)) == -1)
fatal("%s line %d: invalid time value.",
filename, linenum);
if (*intptr == -1)
if (*activep && *intptr == -1)
*intptr = value;
break;
@ -545,7 +545,7 @@ process_config_line(Options *options, const char *host,
if (*intptr >= SSH_MAX_IDENTITY_FILES)
fatal("%.200s line %d: Too many identity files specified (max %d).",
filename, linenum, SSH_MAX_IDENTITY_FILES);
charptr = &options->identity_files[*intptr];
charptr = &options->identity_files[*intptr];
*charptr = xstrdup(arg);
*intptr = *intptr + 1;
}

2
regress/agent-ptrace.sh
View File

@ -41,7 +41,7 @@ EOF
if [ $? -ne 0 ]; then
fail "gdb failed: exit code $?"
fi
egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace attach: Permission denied.|procfs:.*: Invalid argument.' >/dev/null ${OBJ}/gdb.out
egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.' >/dev/null ${OBJ}/gdb.out
r=$?
rm -f ${OBJ}/gdb.out
if [ $r -ne 0 ]; then

144
scp.0 Normal file
View File

@ -0,0 +1,144 @@
SCP(1) OpenBSD Reference Manual SCP(1)
NAME
scp - secure copy (remote file copy program)
SYNOPSIS
scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]
[-l limit] [-o ssh_option] [-P port] [-S program]
[[user@]host1:]file1 [...] [[user@]host2:]file2
DESCRIPTION
scp copies files between hosts on a network. It uses ssh(1) for data
transfer, and uses the same authentication and provides the same security
as ssh(1). Unlike rcp(1), scp will ask for passwords or passphrases if
they are needed for authentication.
Any file name may contain a host and user specification to indicate that
the file is to be copied to/from that host. Copies between two remote
hosts are permitted.
The options are as follows:
-1 Forces scp to use protocol 1.
-2 Forces scp to use protocol 2.
-4 Forces scp to use IPv4 addresses only.
-6 Forces scp to use IPv6 addresses only.
-B Selects batch mode (prevents asking for passwords or passphras-
es).
-C Compression enable. Passes the -C flag to ssh(1) to enable com-
pression.
-c cipher
Selects the cipher to use for encrypting the data transfer. This
option is directly passed to ssh(1).
-F ssh_config
Specifies an alternative per-user configuration file for ssh.
This option is directly passed to ssh(1).
-i identity_file
Selects the file from which the identity (private key) for RSA
authentication is read. This option is directly passed to
ssh(1).
-l limit
Limits the used bandwidth, specified in Kbit/s.
-o ssh_option
Can be used to pass options to ssh in the format used in
ssh_config(5). This is useful for specifying options for which
there is no separate scp command-line flag. For full details of
the options listed below, and their possible values, see
ssh_config(5).
AddressFamily
BatchMode
BindAddress
ChallengeResponseAuthentication
CheckHostIP
Cipher
Ciphers
Compression
CompressionLevel
ConnectionAttempts
ConnectTimeout
ControlMaster
ControlPath
GlobalKnownHostsFile
GSSAPIAuthentication
GSSAPIDelegateCredentials
HashKnownHosts
Host
HostbasedAuthentication
HostKeyAlgorithms
HostKeyAlias
HostName
IdentityFile
IdentitiesOnly
KbdInteractiveDevices
LogLevel
MACs
NoHostAuthenticationForLocalhost
NumberOfPasswordPrompts
PasswordAuthentication
Port
PreferredAuthentications
Protocol
ProxyCommand
PubkeyAuthentication
RekeyLimit
RhostsRSAAuthentication
RSAAuthentication
SendEnv
ServerAliveInterval
ServerAliveCountMax
SmartcardDevice
StrictHostKeyChecking
TCPKeepAlive
UsePrivilegedPort
User
UserKnownHostsFile
VerifyHostKeyDNS
-P port
Specifies the port to connect to on the remote host. Note that
this option is written with a capital `P', because -p is already
reserved for preserving the times and modes of the file in
rcp(1).
-p Preserves modification times, access times, and modes from the
original file.
-q Disables the progress meter.
-r Recursively copy entire directories.
-S program
Name of program to use for the encrypted connection. The program
must understand ssh(1) options.
-v Verbose mode. Causes scp and ssh(1) to print debugging messages
about their progress. This is helpful in debugging connection,
authentication, and configuration problems.
The scp utility exits 0 on success, and >0 if an error occurs.
SEE ALSO
rcp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
ssh_config(5), sshd(8)
HISTORY
scp is based on the rcp(1) program in BSD source code from the Regents of
the University of California.
AUTHORS
Timo Rinne <tri@iki.fi>
Tatu Ylonen <ylo@cs.hut.fi>
OpenBSD 4.1 September 25, 1999 3

4
scp.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: scp.c,v 1.155 2006/08/03 03:34:42 deraadt Exp $ */
/* $OpenBSD: scp.c,v 1.156 2007/01/22 13:06:21 djm Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@ -380,7 +380,7 @@ main(int argc, char **argv)
if ((pwd = getpwuid(userid = getuid())) == NULL)
fatal("unknown user %u", (u_int) userid);
if (!isatty(STDERR_FILENO))
if (!isatty(STDOUT_FILENO))
showprogress = 0;
remin = STDIN_FILENO;

100
servconf.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: servconf.c,v 1.165 2006/08/14 12:40:25 dtucker Exp $ */
/* $OpenBSD: servconf.c,v 1.170 2007/03/01 10:28:02 dtucker Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@ -325,14 +325,14 @@ static struct {
{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL },
{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_GLOBAL },
{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
{ "rsaauthentication", sRSAAuthentication, SSHCFG_GLOBAL },
{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },
{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
#ifdef KRB5
{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_GLOBAL },
{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
#ifdef USE_AFS
@ -341,7 +341,7 @@ static struct {
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
#else
{ "kerberosauthentication", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
@ -349,14 +349,14 @@ static struct {
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL },
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL },
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
#endif
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL },
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
@ -389,7 +389,7 @@ static struct {
{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
{ "banner", sBanner, SSHCFG_GLOBAL },
{ "banner", sBanner, SSHCFG_ALL },
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@ -968,7 +968,7 @@ process_server_config_line(ServerOptions *options, char *line,
else
fatal("%s line %d: Bad yes/no/clientspecified "
"argument: %s", filename, linenum, arg);
if (*intptr == -1)
if (*activep && *intptr == -1)
*intptr = value;
break;
@ -1220,13 +1220,16 @@ process_server_config_line(ServerOptions *options, char *line,
if (!arg || *arg == '\0')
fatal("%s line %d: missing PermitOpen specification",
filename, linenum);
n = options->num_permitted_opens; /* modified later */
if (strcmp(arg, "any") == 0) {
if (*activep) {
if (*activep && n == -1) {
channel_clear_adm_permitted_opens();
options->num_permitted_opens = 0;
}
break;
}
if (*activep && n == -1)
channel_clear_adm_permitted_opens();
for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
p = hpdelim(&arg);
if (p == NULL)
@ -1236,11 +1239,9 @@ process_server_config_line(ServerOptions *options, char *line,
if (arg == NULL || (port = a2port(arg)) == 0)
fatal("%s line %d: bad port number in "
"PermitOpen", filename, linenum);
if (*activep && options->num_permitted_opens == -1) {
channel_clear_adm_permitted_opens();
if (*activep && n == -1)
options->num_permitted_opens =
channel_add_adm_permitted_opens(p, port);
}
}
break;
@ -1316,30 +1317,55 @@ parse_server_match_config(ServerOptions *options, const char *user,
initialize_server_options(&mo);
parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
copy_set_server_options(options, &mo);
copy_set_server_options(options, &mo, 0);
}
/* Copy any (supported) values that are set */
/* Helper macros */
#define M_CP_INTOPT(n) do {\
if (src->n != -1) \
dst->n = src->n; \
} while (0)
#define M_CP_STROPT(n) do {\
if (src->n != NULL) { \
if (dst->n != NULL) \
xfree(dst->n); \
dst->n = src->n; \
} \
} while(0)
/*
* Copy any supported values that are set.
*
* If the preauth flag is set, we do not bother copying the the string or
* array values that are not used pre-authentication, because any that we
* do use must be explictly sent in mm_getpwnamallow().
*/
void
copy_set_server_options(ServerOptions *dst, ServerOptions *src)
copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
{
if (src->allow_tcp_forwarding != -1)
dst->allow_tcp_forwarding = src->allow_tcp_forwarding;
if (src->gateway_ports != -1)
dst->gateway_ports = src->gateway_ports;
if (src->adm_forced_command != NULL) {
if (dst->adm_forced_command != NULL)
xfree(dst->adm_forced_command);
dst->adm_forced_command = src->adm_forced_command;
}
if (src->x11_display_offset != -1)
dst->x11_display_offset = src->x11_display_offset;
if (src->x11_forwarding != -1)
dst->x11_forwarding = src->x11_forwarding;
if (src->x11_use_localhost != -1)
dst->x11_use_localhost = src->x11_use_localhost;
M_CP_INTOPT(password_authentication);
M_CP_INTOPT(gss_authentication);
M_CP_INTOPT(rsa_authentication);
M_CP_INTOPT(pubkey_authentication);
M_CP_INTOPT(kerberos_authentication);
M_CP_INTOPT(hostbased_authentication);
M_CP_INTOPT(kbd_interactive_authentication);
M_CP_INTOPT(allow_tcp_forwarding);
M_CP_INTOPT(gateway_ports);
M_CP_INTOPT(x11_display_offset);
M_CP_INTOPT(x11_forwarding);
M_CP_INTOPT(x11_use_localhost);
M_CP_STROPT(banner);
if (preauth)
return;
M_CP_STROPT(adm_forced_command);
}
#undef M_CP_INTOPT
#undef M_CP_STROPT
void
parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
const char *user, const char *host, const char *address)
@ -1361,4 +1387,8 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
if (bad_options > 0)
fatal("%s: terminating, %d bad configuration options",
filename, bad_options);
/* challenge-response is implemented via keyboard interactive */
if (options->challenge_response_authentication == 1)
options->kbd_interactive_authentication = 1;
}

4
servconf.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: servconf.h,v 1.79 2006/08/14 12:40:25 dtucker Exp $ */
/* $OpenBSD: servconf.h,v 1.80 2007/02/19 10:45:58 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -152,6 +152,6 @@ void parse_server_config(ServerOptions *, const char *, Buffer *,
const char *, const char *, const char *);
void parse_server_match_config(ServerOptions *, const char *, const char *,
const char *);
void copy_set_server_options(ServerOptions *, ServerOptions *);
void copy_set_server_options(ServerOptions *, ServerOptions *, int);
#endif /* SERVCONF_H */

20
serverloop.c
View File

@ -280,6 +280,7 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
struct timeval tv, *tvp;
int ret;
int client_alive_scheduled = 0;
int program_alive_scheduled = 0;
/*
* if using client_alive, set the max timeout accordingly,
@ -317,6 +318,7 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
* the client, try to get some more data from the program.
*/
if (packet_not_very_much_data_to_write()) {
program_alive_scheduled = child_terminated;
if (!fdout_eof)
FD_SET(fdout, *readsetp);
if (!fderr_eof)
@ -362,8 +364,16 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
memset(*writesetp, 0, *nallocp);
if (errno != EINTR)
error("select: %.100s", strerror(errno));
} else if (ret == 0 && client_alive_scheduled)
client_alive_check();
} else {
if (ret == 0 && client_alive_scheduled)
client_alive_check();
if (!compat20 && program_alive_scheduled && fdin_is_tty) {
if (!fdout_eof)
FD_SET(fdout, *readsetp);
if (!fderr_eof)
FD_SET(fderr, *readsetp);
}
}
notify_done(*readsetp);
}
@ -407,7 +417,8 @@ process_input(fd_set *readset)
if (!fdout_eof && FD_ISSET(fdout, readset)) {
errno = 0;
len = read(fdout, buf, sizeof(buf));
if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
if (len < 0 && (errno == EINTR ||
(errno == EAGAIN && !child_terminated))) {
/* do nothing */
#ifndef PTY_ZEROREAD
} else if (len <= 0) {
@ -425,7 +436,8 @@ process_input(fd_set *readset)
if (!fderr_eof && FD_ISSET(fderr, readset)) {
errno = 0;
len = read(fderr, buf, sizeof(buf));
if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
if (len < 0 && (errno == EINTR ||
(errno == EAGAIN && !child_terminated))) {
/* do nothing */
#ifndef PTY_ZEROREAD
} else if (len <= 0) {

6
session.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: session.c,v 1.220 2006/10/09 23:36:11 djm Exp $ */
/* $OpenBSD: session.c,v 1.221 2007/01/21 01:41:54 stevesk Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@ -2027,7 +2027,7 @@ session_input_channel_req(Channel *c, const char *rtype)
} else if (strcmp(rtype, "exec") == 0) {
success = session_exec_req(s);
} else if (strcmp(rtype, "pty-req") == 0) {
success = session_pty_req(s);
success = session_pty_req(s);
} else if (strcmp(rtype, "x11-req") == 0) {
success = session_x11_req(s);
} else if (strcmp(rtype, "auth-agent-req@openssh.com") == 0) {
@ -2152,7 +2152,7 @@ session_close_single_x11(int id, void *arg)
debug3("session_close_single_x11: channel %d", id);
channel_cancel_cleanup(id);
if ((s = session_by_x11_channel(id)) == NULL)
if ((s = session_by_x11_channel(id)) == NULL)
fatal("session_close_single_x11: no x11 channel %d", id);
for (i = 0; s->x11_chanids[i] != -1; i++) {
debug("session_close_single_x11: session %d: "

3
sftp-client.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sftp-client.c,v 1.75 2006/10/22 02:25:50 djm Exp $ */
/* $OpenBSD: sftp-client.c,v 1.76 2007/01/22 11:32:50 djm Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
*
@ -1140,6 +1140,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
close(local_fd);
xfree(data);
xfree(ack);
status = -1;
goto done;
}
debug3("In write loop, ack for %u %u bytes at %llu",

46
sftp-server.0 Normal file
View File

@ -0,0 +1,46 @@
SFTP-SERVER(8) OpenBSD System Manager's Manual SFTP-SERVER(8)
NAME
sftp-server - SFTP server subsystem
SYNOPSIS
sftp-server [-f log_facility] [-l log_level]
DESCRIPTION
sftp-server is a program that speaks the server side of SFTP protocol to
stdout and expects client requests from stdin. sftp-server is not in-
tended to be called directly, but from sshd(8) using the Subsystem op-
tion.
Command-line flags to sftp-server should be specified in the Subsystem
declaration. See sshd_config(5) for more information.
Valid options are:
-f log_facility
Specifies the facility code that is used when logging messages
from sftp-server. The possible values are: DAEMON, USER, AUTH,
LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
-l log_level
Specifies which messages will be logged by sftp-server. The pos-
sible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DE-
BUG1, DEBUG2, and DEBUG3. INFO and VERBOSE log transactions that
sftp-server performs on behalf of the client. DEBUG and DEBUG1
are equivalent. DEBUG2 and DEBUG3 each specify higher levels of
debugging output. The default is ERROR.
SEE ALSO
sftp(1), ssh(1), sshd_config(5), sshd(8)
T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
filexfer-00.txt, January 2001, work in progress material.
HISTORY
sftp-server first appeared in OpenBSD 2.8.
AUTHORS
Markus Friedl <markus@openbsd.org>
OpenBSD 4.1 August 30, 2000 1

4
sftp-server.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sftp-server.c,v 1.70 2006/08/03 03:34:42 deraadt Exp $ */
/* $OpenBSD: sftp-server.c,v 1.71 2007/01/03 07:22:36 stevesk Exp $ */
/*
* Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
*
@ -663,7 +663,7 @@ process_fstat(void)
debug("request %u: fstat \"%s\" (handle %u)",
id, handle_to_name(handle), handle);
fd = handle_to_fd(handle);
if (fd >= 0) {
if (fd >= 0) {
ret = fstat(fd, &st);
if (ret < 0) {
status = errno_to_portable(errno);

266
sftp.0 Normal file
View File

@ -0,0 +1,266 @@
SFTP(1) OpenBSD Reference Manual SFTP(1)
NAME
sftp - secure file transfer program
SYNOPSIS
sftp [-1Cv] [-B buffer_size] [-b batchfile] [-F ssh_config]
[-o ssh_option] [-P sftp_server_path] [-R num_requests] [-S program]
[-s subsystem | sftp_server] host
sftp [[user@]host[:file [file]]]
sftp [[user@]host[:dir[/]]]
sftp -b batchfile [user@]host
DESCRIPTION
sftp is an interactive file transfer program, similar to ftp(1), which
performs all operations over an encrypted ssh(1) transport. It may also
use many features of ssh, such as public key authentication and compres-
sion. sftp connects and logs into the specified host, then enters an in-
teractive command mode.
The second usage format will retrieve files automatically if a non-inter-
active authentication method is used; otherwise it will do so after suc-
cessful interactive authentication.
The third usage format allows sftp to start in a remote directory.
The final usage format allows for automated sessions using the -b option.
In such cases, it is necessary to configure non-interactive authentica-
tion to obviate the need to enter a password at connection time (see
sshd(8) and ssh-keygen(1) for details). The options are as follows:
-1 Specify the use of protocol version 1.
-B buffer_size
Specify the size of the buffer that sftp uses when transferring
files. Larger buffers require fewer round trips at the cost of
higher memory consumption. The default is 32768 bytes.
-b batchfile
Batch mode reads a series of commands from an input batchfile in-
stead of stdin. Since it lacks user interaction it should be
used in conjunction with non-interactive authentication. A
batchfile of `-' may be used to indicate standard input. sftp
will abort if any of the following commands fail: get, put,
rename, ln, rm, mkdir, chdir, ls, lchdir, chmod, chown, chgrp,
lpwd and lmkdir. Termination on error can be suppressed on a
command by command basis by prefixing the command with a `-'
character (for example, -rm /tmp/blah*).
-C Enables compression (via ssh's -C flag).
-F ssh_config
Specifies an alternative per-user configuration file for ssh(1).
This option is directly passed to ssh(1).
-o ssh_option
Can be used to pass options to ssh in the format used in
ssh_config(5). This is useful for specifying options for which
there is no separate sftp command-line flag. For example, to
specify an alternate port use: sftp -oPort=24. For full details
of the options listed below, and their possible values, see
ssh_config(5).
AddressFamily
BatchMode
BindAddress
ChallengeResponseAuthentication
CheckHostIP
Cipher
Ciphers
Compression
CompressionLevel
ConnectionAttempts
ConnectTimeout
ControlMaster
ControlPath
GlobalKnownHostsFile
GSSAPIAuthentication
GSSAPIDelegateCredentials
HashKnownHosts
Host
HostbasedAuthentication
HostKeyAlgorithms
HostKeyAlias
HostName
IdentityFile
IdentitiesOnly
KbdInteractiveDevices
LogLevel
MACs
NoHostAuthenticationForLocalhost
NumberOfPasswordPrompts
PasswordAuthentication
Port
PreferredAuthentications
Protocol
ProxyCommand
PubkeyAuthentication
RekeyLimit
RhostsRSAAuthentication
RSAAuthentication
SendEnv
ServerAliveInterval
ServerAliveCountMax
SmartcardDevice
StrictHostKeyChecking
TCPKeepAlive
UsePrivilegedPort
User
UserKnownHostsFile
VerifyHostKeyDNS
-P sftp_server_path
Connect directly to a local sftp server (rather than via ssh(1)).
This option may be useful in debugging the client and server.
-R num_requests
Specify how many requests may be outstanding at any one time.
Increasing this may slightly improve file transfer speed but will
increase memory usage. The default is 16 outstanding requests.
-S program
Name of the program to use for the encrypted connection. The
program must understand ssh(1) options.
-s subsystem | sftp_server
Specifies the SSH2 subsystem or the path for an sftp server on
the remote host. A path is useful for using sftp over protocol
version 1, or when the remote sshd(8) does not have an sftp sub-
system configured.
-v Raise logging level. This option is also passed to ssh.
INTERACTIVE COMMANDS
Once in interactive mode, sftp understands a set of commands similar to
those of ftp(1). Commands are case insensitive. Pathnames that contain
spaces must be enclosed in quotes. Any special characters contained
within pathnames that are recognized by glob(3) must be escaped with
backslashes (`\').
bye Quit sftp.
cd path
Change remote directory to path.
chgrp grp path
Change group of file path to grp. path may contain glob(3) char-
acters and may match multiple files. grp must be a numeric GID.
chmod mode path
Change permissions of file path to mode. path may contain
glob(3) characters and may match multiple files.
chown own path
Change owner of file path to own. path may contain glob(3) char-
acters and may match multiple files. own must be a numeric UID.
exit Quit sftp.
get [-P] remote-path [local-path]
Retrieve the remote-path and store it on the local machine. If
the local path name is not specified, it is given the same name
it has on the remote machine. remote-path may contain glob(3)
characters and may match multiple files. If it does and local-
path is specified, then local-path must specify a directory. If
the -P flag is specified, then full file permissions and access
times are copied too.
help Display help text.
lcd path
Change local directory to path.
lls [ls-options [path]]
Display local directory listing of either path or current direc-
tory if path is not specified. ls-options may contain any flags
supported by the local system's ls(1) command. path may contain
glob(3) characters and may match multiple files.
lmkdir path
Create local directory specified by path.
ln oldpath newpath
Create a symbolic link from oldpath to newpath.
lpwd Print local working directory.
ls [-1aflnrSt] [path]
Display a remote directory listing of either path or the current
directory if path is not specified. path may contain glob(3)
characters and may match multiple files.
The following flags are recognized and alter the behaviour of ls
accordingly:
-1 Produce single columnar output.
-a List files beginning with a dot (`.').
-f Do not sort the listing. The default sort order is lexi-
cographical.
-l Display additional details including permissions and own-
ership information.
-n Produce a long listing with user and group information
presented numerically.
-r Reverse the sort order of the listing.
-S Sort the listing by file size.
-t Sort the listing by last modification time.
lumask umask
Set local umask to umask.
mkdir path
Create remote directory specified by path.
progress
Toggle display of progress meter.
put [-P] local-path [remote-path]
Upload local-path and store it on the remote machine. If the re-
mote path name is not specified, it is given the same name it has
on the local machine. local-path may contain glob(3) characters
and may match multiple files. If it does and remote-path is
specified, then remote-path must specify a directory. If the -P
flag is specified, then the file's full permission and access
time are copied too.
pwd Display remote working directory.
quit Quit sftp.
rename oldpath newpath
Rename remote file from oldpath to newpath.
rm path
Delete remote file specified by path.
rmdir path
Remove remote directory specified by path.
symlink oldpath newpath
Create a symbolic link from oldpath to newpath.
version
Display the sftp protocol version.
! command
Execute command in local shell.
! Escape to local shell.
? Synonym for help.
SEE ALSO
ftp(1), ls(1), scp(1), ssh(1), ssh-add(1), ssh-keygen(1), glob(3),
ssh_config(5), sftp-server(8), sshd(8)
T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
filexfer-00.txt, January 2001, work in progress material.
OpenBSD 4.1 February 4, 2001 4

10
sftp.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sftp.c,v 1.93 2006/09/30 17:48:22 ray Exp $ */
/* $OpenBSD: sftp.c,v 1.96 2007/01/03 04:09:15 stevesk Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
*
@ -166,6 +166,7 @@ static const struct CMD cmds[] = {
int interactive_loop(int fd_in, int fd_out, char *file1, char *file2);
/* ARGSUSED */
static void
killchild(int signo)
{
@ -177,6 +178,7 @@ killchild(int signo)
_exit(1);
}
/* ARGSUSED */
static void
cmd_interrupt(int signo)
{
@ -298,11 +300,11 @@ static char *
path_append(char *p1, char *p2)
{
char *ret;
int len = strlen(p1) + strlen(p2) + 2;
size_t len = strlen(p1) + strlen(p2) + 2;
ret = xmalloc(len);
strlcpy(ret, p1, len);
if (p1[strlen(p1) - 1] != '/')
if (p1[0] != '\0' && p1[strlen(p1) - 1] != '/')
strlcat(ret, "/", len);
strlcat(ret, p2, len);
@ -1566,7 +1568,7 @@ main(int argc, char **argv)
fprintf(stderr, "Missing username\n");
usage();
}
addargs(&args, "-l%s",userhost);
addargs(&args, "-l%s", userhost);
}
if ((cp = colon(host)) != NULL) {

102
ssh-add.0 Normal file
View File

@ -0,0 +1,102 @@
SSH-ADD(1) OpenBSD Reference Manual SSH-ADD(1)
NAME
ssh-add - adds RSA or DSA identities to the authentication agent
SYNOPSIS
ssh-add [-cDdLlXx] [-t life] [file ...]
ssh-add -s reader
ssh-add -e reader
DESCRIPTION
ssh-add adds RSA or DSA identities to the authentication agent,
ssh-agent(1). When run without arguments, it adds the files
~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity. Alternative file names
can be given on the command line. If any file requires a passphrase,
ssh-add asks for the passphrase from the user. The passphrase is read
from the user's tty. ssh-add retries the last passphrase if multiple
identity files are given.
The authentication agent must be running and the SSH_AUTH_SOCK environ-
ment variable must contain the name of its socket for ssh-add to work.
The options are as follows:
-c Indicates that added identities should be subject to confirmation
before being used for authentication. Confirmation is performed
by the SSH_ASKPASS program mentioned below. Successful confirma-
tion is signaled by a zero exit status from the SSH_ASKPASS pro-
gram, rather than text entered into the requester.
-D Deletes all identities from the agent.
-d Instead of adding the identity, removes the identity from the
agent.
-e reader
Remove key in smartcard reader.
-L Lists public key parameters of all identities currently repre-
sented by the agent.
-l Lists fingerprints of all identities currently represented by the
agent.
-s reader
Add key in smartcard reader.
-t life
Set a maximum lifetime when adding identities to an agent. The
lifetime may be specified in seconds or in a time format speci-
fied in sshd_config(5).
-X Unlock the agent.
-x Lock the agent with a password.
ENVIRONMENT
DISPLAY and SSH_ASKPASS
If ssh-add needs a passphrase, it will read the passphrase from
the current terminal if it was run from a terminal. If ssh-add
does not have a terminal associated with it but DISPLAY and
SSH_ASKPASS are set, it will execute the program specified by
SSH_ASKPASS and open an X11 window to read the passphrase. This
is particularly useful when calling ssh-add from a .xsession or
related script. (Note that on some machines it may be necessary
to redirect the input from /dev/null to make this work.)
SSH_AUTH_SOCK
Identifies the path of a unix-domain socket used to communicate
with the agent.
FILES
~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of
the user.
~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of
the user.
~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of
the user.
Identity files should not be readable by anyone but the user. Note that
ssh-add ignores identity files if they are accessible by others.
DIAGNOSTICS
Exit status is 0 on success, 1 if the specified command fails, and 2 if
ssh-add is unable to contact the authentication agent.
SEE ALSO
ssh(1), ssh-agent(1), ssh-keygen(1), sshd(8)
AUTHORS
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
de Raadt and Dug Song removed many bugs, re-added newer features and cre-
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
OpenBSD 4.1 September 25, 1999 2

117
ssh-agent.0 Normal file
View File

@ -0,0 +1,117 @@
SSH-AGENT(1) OpenBSD Reference Manual SSH-AGENT(1)
NAME
ssh-agent - authentication agent
SYNOPSIS
ssh-agent [-a bind_address] [-c | -s] [-t life] [-d] [command [args ...]]
ssh-agent [-c | -s] -k
DESCRIPTION
ssh-agent is a program to hold private keys used for public key authenti-
cation (RSA, DSA). The idea is that ssh-agent is started in the begin-
ning of an X-session or a login session, and all other windows or pro-
grams are started as clients to the ssh-agent program. Through use of
environment variables the agent can be located and automatically used for
authentication when logging in to other machines using ssh(1).
The options are as follows:
-a bind_address
Bind the agent to the unix-domain socket bind_address. The de-
fault is /tmp/ssh-XXXXXXXXXX/agent.<ppid>.
-c Generate C-shell commands on stdout. This is the default if
SHELL looks like it's a csh style of shell.
-s Generate Bourne shell commands on stdout. This is the default if
SHELL does not look like it's a csh style of shell.
-k Kill the current agent (given by the SSH_AGENT_PID environment
variable).
-t life
Set a default value for the maximum lifetime of identities added
to the agent. The lifetime may be specified in seconds or in a
time format specified in sshd_config(5). A lifetime specified
for an identity with ssh-add(1) overrides this value. Without
this option the default maximum lifetime is forever.
-d Debug mode. When this option is specified ssh-agent will not
fork.
If a commandline is given, this is executed as a subprocess of the agent.
When the command dies, so does the agent.
The agent initially does not have any private keys. Keys are added using
ssh-add(1). When executed without arguments, ssh-add(1) adds the files
~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity. If the identity has a
passphrase, ssh-add(1) asks for the passphrase (using a small X11 appli-
cation if running under X11, or from the terminal if running without X).
It then sends the identity to the agent. Several identities can be
stored in the agent; the agent can automatically use any of these identi-
ties. ssh-add -l displays the identities currently held by the agent.
The idea is that the agent is run in the user's local PC, laptop, or ter-
minal. Authentication data need not be stored on any other machine, and
authentication passphrases never go over the network. However, the con-
nection to the agent is forwarded over SSH remote logins, and the user
can thus use the privileges given by the identities anywhere in the net-
work in a secure way.
There are two main ways to get an agent set up: The first is that the
agent starts a new subcommand into which some environment variables are
exported, eg ssh-agent xterm &. The second is that the agent prints the
needed shell commands (either sh(1) or csh(1) syntax can be generated)
which can be evalled in the calling shell, eg eval `ssh-agent -s` for
Bourne-type shells such as sh(1) or ksh(1) and eval `ssh-agent -c` for
csh(1) and derivatives.
Later ssh(1) looks at these variables and uses them to establish a con-
nection to the agent.
The agent will never send a private key over its request channel. In-
stead, operations that require a private key will be performed by the
agent, and the result will be returned to the requester. This way, pri-
vate keys are not exposed to clients using the agent.
A unix-domain socket is created and the name of this socket is stored in
the SSH_AUTH_SOCK environment variable. The socket is made accessible
only to the current user. This method is easily abused by root or anoth-
er instance of the same user.
The SSH_AGENT_PID environment variable holds the agent's process ID.
The agent exits automatically when the command given on the command line
terminates.
FILES
~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of
the user.
~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of
the user.
~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of
the user.
/tmp/ssh-XXXXXXXXXX/agent.<ppid>
Unix-domain sockets used to contain the connection to the authen-
tication agent. These sockets should only be readable by the
owner. The sockets should get automatically removed when the
agent exits.
SEE ALSO
ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)
AUTHORS
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
de Raadt and Dug Song removed many bugs, re-added newer features and cre-
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
OpenBSD 4.1 September 25, 1999 2

24
ssh-agent.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-agent.c,v 1.153 2006/10/06 02:29:19 djm Exp $ */
/* $OpenBSD: ssh-agent.c,v 1.154 2007/02/28 00:55:30 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -434,6 +434,7 @@ reaper(void)
for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {
nxt = TAILQ_NEXT(id, next);
if (id->death != 0 && now >= id->death) {
debug("expiring key '%s'", id->comment);
TAILQ_REMOVE(&tab->idlist, id, next);
free_identity(id);
tab->nentries--;
@ -698,9 +699,6 @@ process_message(SocketEntry *e)
u_int msg_len, type;
u_char *cp;
/* kill dead keys */
reaper();
if (buffer_len(&e->input) < 5)
return; /* Incomplete message. */
cp = buffer_ptr(&e->input);
@ -1016,7 +1014,7 @@ int
main(int ac, char **av)
{
int c_flag = 0, d_flag = 0, k_flag = 0, s_flag = 0;
int sock, fd, ch;
int sock, fd, ch, result, saved_errno;
u_int nalloc;
char *shell, *format, *pidstr, *agentsocket = NULL;
fd_set *readsetp = NULL, *writesetp = NULL;
@ -1029,6 +1027,7 @@ main(int ac, char **av)
extern char *optarg;
pid_t pid;
char pidstrbuf[1 + 3 * sizeof pid];
struct timeval tv;
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
@ -1242,13 +1241,18 @@ main(int ac, char **av)
nalloc = 0;
while (1) {
tv.tv_sec = 10;
tv.tv_usec = 0;
prepare_select(&readsetp, &writesetp, &max_fd, &nalloc);
if (select(max_fd + 1, readsetp, writesetp, NULL, NULL) < 0) {
if (errno == EINTR)
result = select(max_fd + 1, readsetp, writesetp, NULL, &tv);
saved_errno = errno;
reaper(); /* remove expired keys */
if (result < 0) {
if (saved_errno == EINTR)
continue;
fatal("select: %s", strerror(errno));
}
after_select(readsetp, writesetp);
fatal("select: %s", strerror(saved_errno));
} else if (result > 0)
after_select(readsetp, writesetp);
}
/* NOTREACHED */
}

287
ssh-keygen.0 Normal file
View File

@ -0,0 +1,287 @@
SSH-KEYGEN(1) OpenBSD Reference Manual SSH-KEYGEN(1)
NAME
ssh-keygen - authentication key generation, management and conversion
SYNOPSIS
ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment]
[-f output_keyfile]
ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
ssh-keygen -i [-f input_keyfile]
ssh-keygen -e [-f input_keyfile]
ssh-keygen -y [-f input_keyfile]
ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
ssh-keygen -l [-f input_keyfile]
ssh-keygen -B [-f input_keyfile]
ssh-keygen -D reader
ssh-keygen -F hostname [-f known_hosts_file]
ssh-keygen -H [-f known_hosts_file]
ssh-keygen -R hostname [-f known_hosts_file]
ssh-keygen -U reader [-f input_keyfile]
ssh-keygen -r hostname [-f input_keyfile] [-g]
ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
ssh-keygen -T output_file -f input_file [-v] [-a num_trials] [-W
generator]
DESCRIPTION
ssh-keygen generates, manages and converts authentication keys for
ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1
and RSA or DSA keys for use by SSH protocol version 2. The type of key
to be generated is specified with the -t option. If invoked without any
arguments, ssh-keygen will generate an RSA key for use in SSH protocol 2
connections.
ssh-keygen is also used to generate groups for use in Diffie-Hellman
group exchange (DH-GEX). See the MODULI GENERATION section for details.
Normally each user wishing to use SSH with RSA or DSA authentication runs
this once to create the authentication key in ~/.ssh/identity,
~/.ssh/id_dsa or ~/.ssh/id_rsa. Additionally, the system administrator
may use this to generate host keys, as seen in /etc/rc.
Normally this program generates the key and asks for a file in which to
store the private key. The public key is stored in a file with the same
name but ``.pub'' appended. The program also asks for a passphrase. The
passphrase may be empty to indicate no passphrase (host keys must have an
empty passphrase), or it may be a string of arbitrary length. A
passphrase is similar to a password, except it can be a phrase with a se-
ries of words, punctuation, numbers, whitespace, or any string of charac-
ters you want. Good passphrases are 10-30 characters long, are not sim-
ple sentences or otherwise easily guessable (English prose has only 1-2
bits of entropy per character, and provides very bad passphrases), and
contain a mix of upper and lowercase letters, numbers, and non-alphanu-
meric characters. The passphrase can be changed later by using the -p
option.
There is no way to recover a lost passphrase. If the passphrase is lost
or forgotten, a new key must be generated and copied to the corresponding
public key to other machines.
For RSA1 keys, there is also a comment field in the key file that is only
for convenience to the user to help identify the key. The comment can
tell what the key is for, or whatever is useful. The comment is initial-
ized to ``user@host'' when the key is created, but can be changed using
the -c option.
After a key is generated, instructions below detail where the keys should
be placed to be activated.
The options are as follows:
-a trials
Specifies the number of primality tests to perform when screening
DH-GEX candidates using the -T command.
-B Show the bubblebabble digest of specified private or public key
file.
-b bits
Specifies the number of bits in the key to create. For RSA keys,
the minimum size is 768 bits and the default is 2048 bits. Gen-
erally, 2048 bits is considered sufficient. DSA keys must be ex-
actly 1024 bits as specified by FIPS 186-2.
-C comment
Provides a new comment.
-c Requests changing the comment in the private and public key
files. This operation is only supported for RSA1 keys. The pro-
gram will prompt for the file containing the private keys, for
the passphrase if the key has one, and for the new comment.
-D reader
Download the RSA public key stored in the smartcard in reader.
-e This option will read a private or public OpenSSH key file and
print the key in RFC 4716 SSH Public Key File Format to stdout.
This option allows exporting keys for use by several commercial
SSH implementations.
-F hostname
Search for the specified hostname in a known_hosts file, listing
any occurrences found. This option is useful to find hashed host
names or addresses and may also be used in conjunction with the
-H option to print found keys in a hashed format.
-f filename
Specifies the filename of the key file.
-G output_file
Generate candidate primes for DH-GEX. These primes must be
screened for safety (using the -T option) before use.
-g Use generic DNS format when printing fingerprint resource records
using the -r command.
-H Hash a known_hosts file. This replaces all hostnames and ad-
dresses with hashed representations within the specified file;
the original content is moved to a file with a .old suffix.
These hashes may be used normally by ssh and sshd, but they do
not reveal identifying information should the file's contents be
disclosed. This option will not modify existing hashed hostnames
and is therefore safe to use on files that mix hashed and non-
hashed names.
-i This option will read an unencrypted private (or public) key file
in SSH2-compatible format and print an OpenSSH compatible private
(or public) key to stdout. ssh-keygen also reads the RFC 4716
SSH Public Key File Format. This option allows importing keys
from several commercial SSH implementations.
-l Show fingerprint of specified public key file. Private RSA1 keys
are also supported. For RSA and DSA keys ssh-keygen tries to
find the matching public key file and prints its fingerprint.
-M memory
Specify the amount of memory to use (in megabytes) when generat-
ing candidate moduli for DH-GEX.
-N new_passphrase
Provides the new passphrase.
-P passphrase
Provides the (old) passphrase.
-p Requests changing the passphrase of a private key file instead of
creating a new private key. The program will prompt for the file
containing the private key, for the old passphrase, and twice for
the new passphrase.
-q Silence ssh-keygen. Used by /etc/rc when creating a new key.
-R hostname
Removes all keys belonging to hostname from a known_hosts file.
This option is useful to delete hashed hosts (see the -H option
above).
-r hostname
Print the SSHFP fingerprint resource record named hostname for
the specified public key file.
-S start
Specify start point (in hex) when generating candidate moduli for
DH-GEX.
-T output_file
Test DH group exchange candidate primes (generated using the -G
option) for safety.
-t type
Specifies the type of key to create. The possible values are
``rsa1'' for protocol version 1 and ``rsa'' or ``dsa'' for proto-
col version 2.
-U reader
Upload an existing RSA private key into the smartcard in reader.
-v Verbose mode. Causes ssh-keygen to print debugging messages
about its progress. This is helpful for debugging moduli genera-
tion. Multiple -v options increase the verbosity. The maximum
is 3.
-W generator
Specify desired generator when testing candidate moduli for DH-
GEX.
-y This option will read a private OpenSSH format file and print an
OpenSSH public key to stdout.
MODULI GENERATION
ssh-keygen may be used to generate groups for the Diffie-Hellman Group
Exchange (DH-GEX) protocol. Generating these groups is a two-step pro-
cess: first, candidate primes are generated using a fast, but memory in-
tensive process. These candidate primes are then tested for suitability
(a CPU-intensive process).
Generation of primes is performed using the -G option. The desired
length of the primes may be specified by the -b option. For example:
# ssh-keygen -G moduli-2048.candidates -b 2048
By default, the search for primes begins at a random point in the desired
length range. This may be overridden using the -S option, which speci-
fies a different start point (in hex).
Once a set of candidates have been generated, they must be tested for
suitability. This may be performed using the -T option. In this mode
ssh-keygen will read candidates from standard input (or a file specified
using the -f option). For example:
# ssh-keygen -T moduli-2048 -f moduli-2048.candidates
By default, each candidate will be subjected to 100 primality tests.
This may be overridden using the -a option. The DH generator value will
be chosen automatically for the prime under consideration. If a specific
generator is desired, it may be requested using the -W option. Valid
generator values are 2, 3, and 5.
Screened DH groups may be installed in /etc/moduli. It is important that
this file contains moduli of a range of bit lengths and that both ends of
a connection share common moduli.
FILES
~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of
the user. This file should not be readable by anyone but the us-
er. It is possible to specify a passphrase when generating the
key; that passphrase will be used to encrypt the private part of
this file using 3DES. This file is not automatically accessed by
ssh-keygen but it is offered as the default file for the private
key. ssh(1) will read this file when a login attempt is made.
~/.ssh/identity.pub
Contains the protocol version 1 RSA public key for authentica-
tion. The contents of this file should be added to
~/.ssh/authorized_keys on all machines where the user wishes to
log in using RSA authentication. There is no need to keep the
contents of this file secret.
~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of
the user. This file should not be readable by anyone but the us-
er. It is possible to specify a passphrase when generating the
key; that passphrase will be used to encrypt the private part of
this file using 3DES. This file is not automatically accessed by
ssh-keygen but it is offered as the default file for the private
key. ssh(1) will read this file when a login attempt is made.
~/.ssh/id_dsa.pub
Contains the protocol version 2 DSA public key for authentica-
tion. The contents of this file should be added to
~/.ssh/authorized_keys on all machines where the user wishes to
log in using public key authentication. There is no need to keep
the contents of this file secret.
~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of
the user. This file should not be readable by anyone but the us-
er. It is possible to specify a passphrase when generating the
key; that passphrase will be used to encrypt the private part of
this file using 3DES. This file is not automatically accessed by
ssh-keygen but it is offered as the default file for the private
key. ssh(1) will read this file when a login attempt is made.
~/.ssh/id_rsa.pub
Contains the protocol version 2 RSA public key for authentica-
tion. The contents of this file should be added to
~/.ssh/authorized_keys on all machines where the user wishes to
log in using public key authentication. There is no need to keep
the contents of this file secret.
/etc/moduli
Contains Diffie-Hellman groups used for DH-GEX. The file format
is described in moduli(5).
SEE ALSO
ssh(1), ssh-add(1), ssh-agent(1), moduli(5), sshd(8)
The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006.
AUTHORS
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
de Raadt and Dug Song removed many bugs, re-added newer features and
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
OpenBSD 4.1 September 25, 1999 5

17
ssh-keygen.1
View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keygen.1,v 1.72 2005/11/28 05:16:53 dtucker Exp $
.\" $OpenBSD: ssh-keygen.1,v 1.74 2007/01/12 20:20:41 jmc Exp $
.\"
.\" -*- nroff -*-
.\"
@ -205,8 +205,8 @@ Download the RSA public key stored in the smartcard in
.Ar reader .
.It Fl e
This option will read a private or public OpenSSH key file and
print the key in a
.Sq SECSH Public Key File Format
print the key in
RFC 4716 SSH Public Key File Format
to stdout.
This option allows exporting keys for use by several commercial
SSH implementations.
@ -253,7 +253,7 @@ in SSH2-compatible format and print an OpenSSH compatible private
(or public) key to stdout.
.Nm
also reads the
.Sq SECSH Public Key File Format .
RFC 4716 SSH Public Key File Format.
This option allows importing keys from several commercial
SSH implementations.
.It Fl l
@ -450,12 +450,9 @@ The file format is described in
.Xr moduli 5 ,
.Xr sshd 8
.Rs
.%A J. Galbraith
.%A R. Thayer
.%T "SECSH Public Key File Format"
.%N draft-ietf-secsh-publickeyfile-01.txt
.%D March 2001
.%O work in progress material
.%R RFC 4716
.%T "The Secure Shell (SSH) Public Key File Format"
.%D 2006
.Re
.Sh AUTHORS
OpenSSH is a derivative of the original and free

31
ssh-keygen.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.155 2006/11/06 21:25:28 markus Exp $ */
/* $OpenBSD: ssh-keygen.c,v 1.160 2007/01/21 01:41:54 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -241,7 +241,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
buffer_init(&b);
buffer_append(&b, blob, blen);
magic = buffer_get_int(&b);
magic = buffer_get_int(&b);
if (magic != SSH_COM_PRIVATE_KEY_MAGIC) {
error("bad magic 0x%x != 0x%x", magic, SSH_COM_PRIVATE_KEY_MAGIC);
buffer_free(&b);
@ -253,7 +253,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
i2 = buffer_get_int(&b);
i3 = buffer_get_int(&b);
i4 = buffer_get_int(&b);
debug("ignore (%d %d %d %d)", i1,i2,i3,i4);
debug("ignore (%d %d %d %d)", i1, i2, i3, i4);
if (strcmp(cipher, "none") != 0) {
error("unsupported cipher %s", cipher);
xfree(cipher);
@ -284,7 +284,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
buffer_get_bignum_bits(&b, key->dsa->priv_key);
break;
case KEY_RSA:
e = buffer_get_char(&b);
e = buffer_get_char(&b);
debug("e %lx", e);
if (e < 30) {
e <<= 8;
@ -346,9 +346,8 @@ get_line(FILE *fp, char *line, size_t len)
line[pos++] = c;
line[pos] = '\0';
}
if (c == EOF)
return -1;
return pos;
/* We reached EOF */
return -1;
}
static void
@ -554,7 +553,7 @@ do_fingerprint(struct passwd *pw)
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
;
if (!*cp || *cp == '\n' || *cp == '#')
continue ;
continue;
i = strtol(cp, &ep, 10);
if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) {
int quoted = 0;
@ -1017,13 +1016,13 @@ usage(void)
#ifdef SMARTCARD
fprintf(stderr, " -D reader Download public key from smartcard.\n");
#endif /* SMARTCARD */
fprintf(stderr, " -e Convert OpenSSH to IETF SECSH key file.\n");
fprintf(stderr, " -e Convert OpenSSH to RFC 4716 key file.\n");
fprintf(stderr, " -F hostname Find hostname in known hosts file.\n");
fprintf(stderr, " -f filename Filename of the key file.\n");
fprintf(stderr, " -G file Generate candidates for DH-GEX moduli.\n");
fprintf(stderr, " -g Use generic DNS resource record format.\n");
fprintf(stderr, " -H Hash names in known_hosts file.\n");
fprintf(stderr, " -i Convert IETF SECSH to OpenSSH key file.\n");
fprintf(stderr, " -i Convert RFC 4716 to OpenSSH key file.\n");
fprintf(stderr, " -l Show fingerprint of key file.\n");
fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n");
fprintf(stderr, " -N phrase Provide new passphrase.\n");
@ -1049,7 +1048,7 @@ usage(void)
* Main program for key management.
*/
int
main(int ac, char **av)
main(int argc, char **argv)
{
char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2;
char out_file[MAXPATHLEN], *reader_id = NULL;
@ -1071,10 +1070,10 @@ main(int ac, char **av)
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
__progname = ssh_get_progname(av[0]);
__progname = ssh_get_progname(argv[0]);
SSLeay_add_all_algorithms();
log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
init_rng();
seed_rng();
@ -1090,7 +1089,7 @@ main(int ac, char **av)
exit(1);
}
while ((opt = getopt(ac, av,
while ((opt = getopt(argc, argv,
"degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
switch (opt) {
case 'b':
@ -1223,9 +1222,9 @@ main(int ac, char **av)
}
/* reinit */
log_init(av[0], log_level, SYSLOG_FACILITY_USER, 1);
log_init(argv[0], log_level, SYSLOG_FACILITY_USER, 1);
if (optind < ac) {
if (optind < argc) {
printf("Too many arguments.\n");
usage();
}

107
ssh-keyscan.0 Normal file
View File

@ -0,0 +1,107 @@
SSH-KEYSCAN(1) OpenBSD Reference Manual SSH-KEYSCAN(1)
NAME
ssh-keyscan - gather ssh public keys
SYNOPSIS
ssh-keyscan [-46Hv] [-f file] [-p port] [-T timeout] [-t type]
[host | addrlist namelist] [...]
DESCRIPTION
ssh-keyscan is a utility for gathering the public ssh host keys of a num-
ber of hosts. It was designed to aid in building and verifying
ssh_known_hosts files. ssh-keyscan provides a minimal interface suitable
for use by shell and perl scripts.
ssh-keyscan uses non-blocking socket I/O to contact as many hosts as pos-
sible in parallel, so it is very efficient. The keys from a domain of
1,000 hosts can be collected in tens of seconds, even when some of those
hosts are down or do not run ssh. For scanning, one does not need login
access to the machines that are being scanned, nor does the scanning pro-
cess involve any encryption.
The options are as follows:
-4 Forces ssh-keyscan to use IPv4 addresses only.
-6 Forces ssh-keyscan to use IPv6 addresses only.
-f file
Read hosts or addrlist namelist pairs from this file, one per
line. If - is supplied instead of a filename, ssh-keyscan will
read hosts or addrlist namelist pairs from the standard input.
-H Hash all hostnames and addresses in the output. Hashed names may
be used normally by ssh and sshd, but they do not reveal identi-
fying information should the file's contents be disclosed.
-p port
Port to connect to on the remote host.
-T timeout
Set the timeout for connection attempts. If timeout seconds have
elapsed since a connection was initiated to a host or since the
last time anything was read from that host, then the connection
is closed and the host in question considered unavailable. De-
fault is 5 seconds.
-t type
Specifies the type of the key to fetch from the scanned hosts.
The possible values are ``rsa1'' for protocol version 1 and
``rsa'' or ``dsa'' for protocol version 2. Multiple values may
be specified by separating them with commas. The default is
``rsa1''.
-v Verbose mode. Causes ssh-keyscan to print debugging messages
about its progress.
SECURITY
If an ssh_known_hosts file is constructed using ssh-keyscan without veri-
fying the keys, users will be vulnerable to man in the middle attacks.
On the other hand, if the security model allows such a risk, ssh-keyscan
can help in the detection of tampered keyfiles or man in the middle at-
tacks which have begun after the ssh_known_hosts file was created.
FILES
Input format:
1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
Output format for rsa1 keys:
host-or-namelist bits exponent modulus
Output format for rsa and dsa keys:
host-or-namelist keytype base64-encoded-key
Where keytype is either ``ssh-rsa'' or ``ssh-dss''.
/etc/ssh/ssh_known_hosts
EXAMPLES
Print the rsa1 host key for machine hostname:
$ ssh-keyscan hostname
Find all hosts from the file ssh_hosts which have new or different keys
from those in the sorted file ssh_known_hosts:
$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \
sort -u - ssh_known_hosts | diff ssh_known_hosts -
SEE ALSO
ssh(1), sshd(8)
AUTHORS
David Mazieres <dm@lcs.mit.edu> wrote the initial version, and Wayne
Davison <wayned@users.sourceforge.net> added support for protocol version
2.
BUGS
It generates "Connection closed by remote host" messages on the consoles
of all the machines it scans if the server is older than version 2.9.
This is because it opens a connection to the ssh port, reads the public
key, and drops the connection as soon as it gets the key.
OpenBSD 4.1 January 1, 1996 2

42
ssh-keysign.0 Normal file
View File

@ -0,0 +1,42 @@
SSH-KEYSIGN(8) OpenBSD System Manager's Manual SSH-KEYSIGN(8)
NAME
ssh-keysign - ssh helper program for host-based authentication
SYNOPSIS
ssh-keysign
DESCRIPTION
ssh-keysign is used by ssh(1) to access the local host keys and generate
the digital signature required during host-based authentication with SSH
protocol version 2.
ssh-keysign is disabled by default and can only be enabled in the global
client configuration file /etc/ssh/ssh_config by setting EnableSSHKeysign
to ``yes''.
ssh-keysign is not intended to be invoked by the user, but from ssh(1).
See ssh(1) and sshd(8) for more information about host-based authentica-
tion.
FILES
/etc/ssh/ssh_config
Controls whether ssh-keysign is enabled.
/etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys used to
generate the digital signature. They should be owned by root,
readable only by root, and not accessible to others. Since they
are readable only by root, ssh-keysign must be set-uid root if
host-based authentication is used.
SEE ALSO
ssh(1), ssh-keygen(1), ssh_config(5), sshd(8)
HISTORY
ssh-keysign first appeared in OpenBSD 3.2.
AUTHORS
Markus Friedl <markus@openbsd.org>
OpenBSD 4.1 May 24, 2002 1

51
ssh-rand-helper.0 Normal file
View File

@ -0,0 +1,51 @@
SSH-RAND-HELPER(8) OpenBSD System Manager's Manual SSH-RAND-HELPER(8)
NAME
ssh-rand-helper - random number gatherer for OpenSSH
SYNOPSIS
ssh-rand-hlper [-vxXh] [-b bytes]
DESCRIPTION
ssh-rand-helper is a small helper program used by ssh(1), ssh-add(1),
ssh-agent(1), ssh-keygen(1), ssh-keyscan(1) and sshd(8) to gather random
numbers of cryptographic quality if the openssl(4) library has not been
configured to provide them itself.
Normally ssh-rand-helper will generate a strong random seed and provide
it to the calling program via standard output. If standard output is a
tty, ssh-rand-helper will instead print the seed in hexidecimal format
unless told otherwise.
ssh-rand-helper will by default gather random numbers from the system
commands listed in /etc/ssh/ssh_prng_cmds. The output of each of the
commands listed will be hashed and used to generate a random seed for the
calling program. ssh-rand-helper will also store seed files in
~/.ssh/prng_seed between executions.
Alternately, ssh-rand-helper may be configured at build time to collect
random numbers from a EGD/PRNGd server via a unix domain or localhost tcp
socket.
This program is not intended to be run by the end-user, so the few com-
mandline options are for debugging purposes only.
-b bytes
Specify the number of random bytes to include in the output.
-x Output a hexidecimal instead of a binary seed.
-X Force output of a binary seed, even if standard output is a tty
-v Turn on debugging message. Multiple -v options will increase the
debugging level.
-h Display a summary of options.
AUTHORS
Damien Miller <djm@mindrot.org>
SEE ALSO
ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)
OpenBSD 4.1 April 14, 2002 1

6
ssh-rand-helper.8
View File

@ -1,4 +1,4 @@
.\" $Id: ssh-rand-helper.8,v 1.2 2003/11/21 12:48:56 djm Exp $
.\" $Id: ssh-rand-helper.8,v 1.3 2007/01/22 01:44:53 djm Exp $
.\"
.\" Copyright (c) 2002 Damien Miller. All rights reserved.
.\"
@ -27,7 +27,7 @@
.Os
.Sh NAME
.Nm ssh-rand-helper
.Nd Random number gatherer for OpenSSH
.Nd random number gatherer for OpenSSH
.Sh SYNOPSIS
.Nm ssh-rand-hlper
.Op Fl vxXh
@ -82,7 +82,7 @@ Force output of a binary seed, even if standard output is a tty
Turn on debugging message. Multiple
.Fl v
options will increase the debugging level.
.Fl h
.It Fl h
Display a summary of options.
.El
.Sh AUTHORS

832
ssh.0 Normal file
View File

@ -0,0 +1,832 @@
SSH(1) OpenBSD Reference Manual SSH(1)
NAME
ssh - OpenSSH SSH client (remote login program)
SYNOPSIS
ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-e escape_char] [-F configfile]
[-i identity_file] [-L [bind_address:]port:host:hostport]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
[-R [bind_address:]port:host:hostport] [-S ctl_path]
[-w local_tun[:remote_tun]] [user@]hostname [command]
DESCRIPTION
ssh (SSH client) is a program for logging into a remote machine and for
executing commands on a remote machine. It is intended to replace rlogin
and rsh, and provide secure encrypted communications between two untrust-
ed hosts over an insecure network. X11 connections and arbitrary TCP
ports can also be forwarded over the secure channel.
ssh connects and logs into the specified hostname (with optional user
name). The user must prove his/her identity to the remote machine using
one of several methods depending on the protocol version used (see be-
low).
If command is specified, it is executed on the remote host instead of a
login shell.
The options are as follows:
-1 Forces ssh to try protocol version 1 only.
-2 Forces ssh to try protocol version 2 only.
-4 Forces ssh to use IPv4 addresses only.
-6 Forces ssh to use IPv6 addresses only.
-A Enables forwarding of the authentication agent connection. This
can also be specified on a per-host basis in a configuration
file.
Agent forwarding should be enabled with caution. Users with the
ability to bypass file permissions on the remote host (for the
agent's Unix-domain socket) can access the local agent through
the forwarded connection. An attacker cannot obtain key material
from the agent, however they can perform operations on the keys
that enable them to authenticate using the identities loaded into
the agent.
-a Disables forwarding of the authentication agent connection.
-b bind_address
Use bind_address on the local machine as the source address of
the connection. Only useful on systems with more than one ad-
dress.
-C Requests compression of all data (including stdin, stdout,
stderr, and data for forwarded X11 and TCP connections). The
compression algorithm is the same used by gzip(1), and the
``level'' can be controlled by the CompressionLevel option for
protocol version 1. Compression is desirable on modem lines and
other slow connections, but will only slow down things on fast
networks. The default value can be set on a host-by-host basis
in the configuration files; see the Compression option.
-c cipher_spec
Selects the cipher specification for encrypting the session.
Protocol version 1 allows specification of a single cipher. The
supported values are ``3des'', ``blowfish'', and ``des''. 3des
(triple-des) is an encrypt-decrypt-encrypt triple with three dif-
ferent keys. It is believed to be secure. blowfish is a fast
block cipher; it appears very secure and is much faster than
3des. des is only supported in the ssh client for interoperabil-
ity with legacy protocol 1 implementations that do not support
the 3des cipher. Its use is strongly discouraged due to crypto-
graphic weaknesses. The default is ``3des''.
For protocol version 2, cipher_spec is a comma-separated list of
ciphers listed in order of preference. The supported ciphers
are: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr,
aes192-ctr, aes256-ctr, arcfour128, arcfour256, arcfour, blow-
fish-cbc, and cast128-cbc. The default is:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
aes192-ctr,aes256-ctr
-D [bind_address:]port
Specifies a local ``dynamic'' application-level port forwarding.
This works by allocating a socket to listen to port on the local
side, optionally bound to the specified bind_address. Whenever a
connection is made to this port, the connection is forwarded over
the secure channel, and the application protocol is then used to
determine where to connect to from the remote machine. Currently
the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
as a SOCKS server. Only root can forward privileged ports. Dy-
namic port forwardings can also be specified in the configuration
file.
IPv6 addresses can be specified with an alternative syntax:
[bind_address/]port or by enclosing the address in square brack-
ets. Only the superuser can forward privileged ports. By de-
fault, the local port is bound in accordance with the
GatewayPorts setting. However, an explicit bind_address may be
used to bind the connection to a specific address. The
bind_address of ``localhost'' indicates that the listening port
be bound for local use only, while an empty address or `*' indi-
cates that the port should be available from all interfaces.
-e escape_char
Sets the escape character for sessions with a pty (default: `~').
The escape character is only recognized at the beginning of a
line. The escape character followed by a dot (`.') closes the
connection; followed by control-Z suspends the connection; and
followed by itself sends the escape character once. Setting the
character to ``none'' disables any escapes and makes the session
fully transparent.
-F configfile
Specifies an alternative per-user configuration file. If a con-
figuration file is given on the command line, the system-wide
configuration file (/etc/ssh/ssh_config) will be ignored. The
default for the per-user configuration file is ~/.ssh/config.
-f Requests ssh to go to background just before command execution.
This is useful if ssh is going to ask for passwords or passphras-
es, but the user wants it in the background. This implies -n.
The recommended way to start X11 programs at a remote site is
with something like ssh -f host xterm.
-g Allows remote hosts to connect to local forwarded ports.
-I smartcard_device
Specify the device ssh should use to communicate with a smartcard
used for storing the user's private RSA key. This option is only
available if support for smartcard devices is compiled in (de-
fault is no support).
-i identity_file
Selects a file from which the identity (private key) for RSA or
DSA authentication is read. The default is ~/.ssh/identity for
protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for pro-
tocol version 2. Identity files may also be specified on a per-
host basis in the configuration file. It is possible to have
multiple -i options (and multiple identities specified in config-
uration files).
-k Disables forwarding (delegation) of GSSAPI credentials to the
server.
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be
forwarded to the given host and port on the remote side. This
works by allocating a socket to listen to port on the local side,
optionally bound to the specified bind_address. Whenever a con-
nection is made to this port, the connection is forwarded over
the secure channel, and a connection is made to host port
hostport from the remote machine. Port forwardings can also be
specified in the configuration file. IPv6 addresses can be spec-
ified with an alternative syntax: [bind_address/]port/host/host-
port or by enclosing the address in square brackets. Only the
superuser can forward privileged ports. By default, the local
port is bound in accordance with the GatewayPorts setting. How-
ever, an explicit bind_address may be used to bind the connection
to a specific address. The bind_address of ``localhost'' indi-
cates that the listening port be bound for local use only, while
an empty address or `*' indicates that the port should be avail-
able from all interfaces.
-l login_name
Specifies the user to log in as on the remote machine. This also
may be specified on a per-host basis in the configuration file.
-M Places the ssh client into ``master'' mode for connection shar-
ing. Multiple -M options places ssh into ``master'' mode with
confirmation required before slave connections are accepted. Re-
fer to the description of ControlMaster in ssh_config(5) for de-
tails.
-m mac_spec
Additionally, for protocol version 2 a comma-separated list of
MAC (message authentication code) algorithms can be specified in
order of preference. See the MACs keyword for more information.
-N Do not execute a remote command. This is useful for just for-
warding ports (protocol version 2 only).
-n Redirects stdin from /dev/null (actually, prevents reading from
stdin). This must be used when ssh is run in the background. A
common trick is to use this to run X11 programs on a remote ma-
chine. For example, ssh -n shadows.cs.hut.fi emacs & will start
an emacs on shadows.cs.hut.fi, and the X11 connection will be au-
tomatically forwarded over an encrypted channel. The ssh program
will be put in the background. (This does not work if ssh needs
to ask for a password or passphrase; see also the -f option.)
-O ctl_cmd
Control an active connection multiplexing master process. When
the -O option is specified, the ctl_cmd argument is interpreted
and passed to the master process. Valid commands are: ``check''
(check that the master process is running) and ``exit'' (request
the master to exit).
-o option
Can be used to give options in the format used in the configura-
tion file. This is useful for specifying options for which there
is no separate command-line flag. For full details of the op-
tions listed below, and their possible values, see ssh_config(5).
AddressFamily
BatchMode
BindAddress
ChallengeResponseAuthentication
CheckHostIP
Cipher
Ciphers
ClearAllForwardings
Compression
CompressionLevel
ConnectionAttempts
ConnectTimeout
ControlMaster
ControlPath
DynamicForward
EscapeChar
ExitOnForwardFailure
ForwardAgent
ForwardX11
ForwardX11Trusted
GatewayPorts
GlobalKnownHostsFile
GSSAPIAuthentication
GSSAPIDelegateCredentials
HashKnownHosts
Host
HostbasedAuthentication
HostKeyAlgorithms
HostKeyAlias
HostName
IdentityFile
IdentitiesOnly
KbdInteractiveDevices
LocalCommand
LocalForward
LogLevel
MACs
NoHostAuthenticationForLocalhost
NumberOfPasswordPrompts
PasswordAuthentication
PermitLocalCommand
Port
PreferredAuthentications
Protocol
ProxyCommand
PubkeyAuthentication
RekeyLimit
RemoteForward
RhostsRSAAuthentication
RSAAuthentication
SendEnv
ServerAliveInterval
ServerAliveCountMax
SmartcardDevice
StrictHostKeyChecking
TCPKeepAlive
Tunnel
TunnelDevice
UsePrivilegedPort
User
UserKnownHostsFile
VerifyHostKeyDNS
XAuthLocation
-p port
Port to connect to on the remote host. This can be specified on
a per-host basis in the configuration file.
-q Quiet mode. Causes all warning and diagnostic messages to be
suppressed.
-R [bind_address:]port:host:hostport
Specifies that the given port on the remote (server) host is to
be forwarded to the given host and port on the local side. This
works by allocating a socket to listen to port on the remote
side, and whenever a connection is made to this port, the connec-
tion is forwarded over the secure channel, and a connection is
made to host port hostport from the local machine.
Port forwardings can also be specified in the configuration file.
Privileged ports can be forwarded only when logging in as root on
the remote machine. IPv6 addresses can be specified by enclosing
the address in square braces or using an alternative syntax:
[bind_address/]host/port/hostport.
By default, the listening socket on the server will be bound to
the loopback interface only. This may be overriden by specifying
a bind_address. An empty bind_address, or the address `*', indi-
cates that the remote socket should listen on all interfaces.
Specifying a remote bind_address will only succeed if the serv-
er's GatewayPorts option is enabled (see sshd_config(5)).
-S ctl_path
Specifies the location of a control socket for connection shar-
ing. Refer to the description of ControlPath and ControlMaster
in ssh_config(5) for details.
-s May be used to request invocation of a subsystem on the remote
system. Subsystems are a feature of the SSH2 protocol which fa-
cilitate the use of SSH as a secure transport for other applica-
tions (eg. sftp(1)). The subsystem is specified as the remote
command.
-T Disable pseudo-tty allocation.
-t Force pseudo-tty allocation. This can be used to execute arbi-
trary screen-based programs on a remote machine, which can be
very useful, e.g. when implementing menu services. Multiple -t
options force tty allocation, even if ssh has no local tty.
-V Display the version number and exit.
-v Verbose mode. Causes ssh to print debugging messages about its
progress. This is helpful in debugging connection, authentica-
tion, and configuration problems. Multiple -v options increase
the verbosity. The maximum is 3.
-w local_tun[:remote_tun]
Requests tunnel device forwarding with the specified tun(4) de-
vices between the client (local_tun) and the server (remote_tun).
The devices may be specified by numerical ID or the keyword
``any'', which uses the next available tunnel device. If
remote_tun is not specified, it defaults to ``any''. See also
the Tunnel and TunnelDevice directives in ssh_config(5). If the
Tunnel directive is unset, it is set to the default tunnel mode,
which is ``point-to-point''.
-X Enables X11 forwarding. This can also be specified on a per-host
basis in a configuration file.
X11 forwarding should be enabled with caution. Users with the
ability to bypass file permissions on the remote host (for the
user's X authorization database) can access the local X11 display
through the forwarded connection. An attacker may then be able
to perform activities such as keystroke monitoring.
For this reason, X11 forwarding is subjected to X11 SECURITY ex-
tension restrictions by default. Please refer to the ssh -Y op-
tion and the ForwardX11Trusted directive in ssh_config(5) for
more information.
-x Disables X11 forwarding.
-Y Enables trusted X11 forwarding. Trusted X11 forwardings are not
subjected to the X11 SECURITY extension controls.
ssh may additionally obtain configuration data from a per-user configura-
tion file and a system-wide configuration file. The file format and con-
figuration options are described in ssh_config(5).
ssh exits with the exit status of the remote command or with 255 if an
error occurred.
AUTHENTICATION
The OpenSSH SSH client supports SSH protocols 1 and 2. Protocol 2 is the
default, with ssh falling back to protocol 1 if it detects protocol 2 is
unsupported. These settings may be altered using the Protocol option in
ssh_config(5), or enforced using the -1 and -2 options (see above). Both
protocols support similar authentication methods, but protocol 2 is pre-
ferred since it provides additional mechanisms for confidentiality (the
traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and
integrity (hmac-md5, hmac-sha1, hmac-ripemd160). Protocol 1 lacks a
strong mechanism for ensuring the integrity of the connection.
The methods available for authentication are: GSSAPI-based authentica-
tion, host-based authentication, public key authentication, challenge-re-
sponse authentication, and password authentication. Authentication meth-
ods are tried in the order specified above, though protocol 2 has a con-
figuration option to change the default order: PreferredAuthentications.
Host-based authentication works as follows: If the machine the user logs
in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote
machine, and the user names are the same on both sides, or if the files
~/.rhosts or ~/.shosts exist in the user's home directory on the remote
machine and contain a line containing the name of the client machine and
the name of the user on that machine, the user is considered for login.
Additionally, the server must be able to verify the client's host key
(see the description of /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts,
below) for login to be permitted. This authentication method closes se-
curity holes due to IP spoofing, DNS spoofing, and routing spoofing.
[Note to the administrator: /etc/hosts.equiv, ~/.rhosts, and the
rlogin/rsh protocol in general, are inherently insecure and should be
disabled if security is desired.]
Public key authentication works as follows: The scheme is based on pub-
lic-key cryptography, using cryptosystems where encryption and decryption
are done using separate keys, and it is unfeasible to derive the decryp-
tion key from the encryption key. The idea is that each user creates a
public/private key pair for authentication purposes. The server knows
the public key, and only the user knows the private key. ssh implements
public key authentication protocol automatically, using either the RSA or
DSA algorithms. Protocol 1 is restricted to using only RSA keys, but
protocol 2 may use either. The HISTORY section of ssl(8) contains a
brief discussion of the two algorithms.
The file ~/.ssh/authorized_keys lists the public keys that are permitted
for logging in. When the user logs in, the ssh program tells the server
which key pair it would like to use for authentication. The client
proves that it has access to the private key and the server checks that
the corresponding public key is authorized to accept the account.
The user creates his/her key pair by running ssh-keygen(1). This stores
the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol
2 DSA), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA), or
~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home directory. The us-
er should then copy the public key to ~/.ssh/authorized_keys in his/her
home directory on the remote machine. The authorized_keys file corre-
sponds to the conventional ~/.rhosts file, and has one key per line,
though the lines can be very long. After this, the user can log in with-
out giving the password.
The most convenient way to use public key authentication may be with an
authentication agent. See ssh-agent(1) for more information.
Challenge-response authentication works as follows: The server sends an
arbitrary "challenge" text, and prompts for a response. Protocol 2 al-
lows multiple challenges and responses; protocol 1 is restricted to just
one challenge/response. Examples of challenge-response authentication
include BSD Authentication (see login.conf(5)) and PAM (some non-OpenBSD
systems).
Finally, if other authentication methods fail, ssh prompts the user for a
password. The password is sent to the remote host for checking; however,
since all communications are encrypted, the password cannot be seen by
someone listening on the network.
ssh automatically maintains and checks a database containing identifica-
tion for all hosts it has ever been used with. Host keys are stored in
~/.ssh/known_hosts in the user's home directory. Additionally, the file
/etc/ssh/ssh_known_hosts is automatically checked for known hosts. Any
new hosts are automatically added to the user's file. If a host's iden-
tification ever changes, ssh warns about this and disables password au-
thentication to prevent server spoofing or man-in-the-middle attacks,
which could otherwise be used to circumvent the encryption. The
StrictHostKeyChecking option can be used to control logins to machines
whose host key is not known or has changed.
When the user's identity has been accepted by the server, the server ei-
ther executes the given command, or logs into the machine and gives the
user a normal shell on the remote machine. All communication with the
remote command or shell will be automatically encrypted.
If a pseudo-terminal has been allocated (normal login session), the user
may use the escape characters noted below.
If no pseudo-tty has been allocated, the session is transparent and can
be used to reliably transfer binary data. On most systems, setting the
escape character to ``none'' will also make the session transparent even
if a tty is used.
The session terminates when the command or shell on the remote machine
exits and all X11 and TCP connections have been closed.
ESCAPE CHARACTERS
When a pseudo-terminal has been requested, ssh supports a number of func-
tions through the use of an escape character.
A single tilde character can be sent as ~~ or by following the tilde by a
character other than those described below. The escape character must
always follow a newline to be interpreted as special. The escape charac-
ter can be changed in configuration files using the EscapeChar configura-
tion directive or on the command line by the -e option.
The supported escapes (assuming the default `~') are:
~. Disconnect.
~^Z Background ssh.
~# List forwarded connections.
~& Background ssh at logout when waiting for forwarded connection /
X11 sessions to terminate.
~? Display a list of escape characters.
~B Send a BREAK to the remote system (only useful for SSH protocol
version 2 and if the peer supports it).
~C Open command line. Currently this allows the addition of port
forwardings using the -L and -R options (see above). It also al-
lows the cancellation of existing remote port-forwardings using
-KR[bind_address:]port. !command allows the user to execute a
local command if the PermitLocalCommand option is enabled in
ssh_config(5). Basic help is available, using the -h option.
~R Request rekeying of the connection (only useful for SSH protocol
version 2 and if the peer supports it).
TCP FORWARDING
Forwarding of arbitrary TCP connections over the secure channel can be
specified either on the command line or in a configuration file. One
possible application of TCP forwarding is a secure connection to a mail
server; another is going through firewalls.
In the example below, we look at encrypting communication between an IRC
client and server, even though the IRC server does not directly support
encrypted communications. This works as follows: the user connects to
the remote host using ssh, specifying a port to be used to forward con-
nections to the remote server. After that it is possible to start the
service which is to be encrypted on the client machine, connecting to the
same local port, and ssh will encrypt and forward the connection.
The following example tunnels an IRC session from client machine
``127.0.0.1'' (localhost) to remote server ``server.example.com'':
$ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
$ irc -c '#users' -p 1234 pinky 127.0.0.1
This tunnels a connection to IRC server ``server.example.com'', joining
channel ``#users'', nickname ``pinky'', using port 1234. It doesn't mat-
ter which port is used, as long as it's greater than 1023 (remember, only
root can open sockets on privileged ports) and doesn't conflict with any
ports already in use. The connection is forwarded to port 6667 on the
remote server, since that's the standard port for IRC services.
The -f option backgrounds ssh and the remote command ``sleep 10'' is
specified to allow an amount of time (10 seconds, in the example) to
start the service which is to be tunnelled. If no connections are made
within the time specified, ssh will exit.
X11 FORWARDING
If the ForwardX11 variable is set to ``yes'' (or see the description of
the -X, -x, and -Y options above) and the user is using X11 (the DISPLAY
environment variable is set), the connection to the X11 display is auto-
matically forwarded to the remote side in such a way that any X11 pro-
grams started from the shell (or command) will go through the encrypted
channel, and the connection to the real X server will be made from the
local machine. The user should not manually set DISPLAY. Forwarding of
X11 connections can be configured on the command line or in configuration
files.
The DISPLAY value set by ssh will point to the server machine, but with a
display number greater than zero. This is normal, and happens because
ssh creates a ``proxy'' X server on the server machine for forwarding the
connections over the encrypted channel.
ssh will also automatically set up Xauthority data on the server machine.
For this purpose, it will generate a random authorization cookie, store
it in Xauthority on the server, and verify that any forwarded connections
carry this cookie and replace it by the real cookie when the connection
is opened. The real authentication cookie is never sent to the server
machine (and no cookies are sent in the plain).
If the ForwardAgent variable is set to ``yes'' (or see the description of
the -A and -a options above) and the user is using an authentication
agent, the connection to the agent is automatically forwarded to the re-
mote side.
VERIFYING HOST KEYS
When connecting to a server for the first time, a fingerprint of the
server's public key is presented to the user (unless the option
StrictHostKeyChecking has been disabled). Fingerprints can be determined
using ssh-keygen(1):
$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
If the fingerprint is already known, it can be matched and verified, and
the key can be accepted. If the fingerprint is unknown, an alternative
method of verification is available: SSH fingerprints verified by DNS.
An additional resource record (RR), SSHFP, is added to a zonefile and the
connecting client is able to match the fingerprint with that of the key
presented.
In this example, we are connecting a client to a server,
``host.example.com''. The SSHFP resource records should first be added
to the zonefile for host.example.com:
$ ssh-keygen -r host.example.com.
The output lines will have to be added to the zonefile. To check that
the zone is answering fingerprint queries:
$ dig -t SSHFP host.example.com
Finally the client connects:
$ ssh -o "VerifyHostKeyDNS ask" host.example.com
[...]
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
See the VerifyHostKeyDNS option in ssh_config(5) for more information.
SSH-BASED VIRTUAL PRIVATE NETWORKS
ssh contains support for Virtual Private Network (VPN) tunnelling using
the tun(4) network pseudo-device, allowing two networks to be joined se-
curely. The sshd_config(5) configuration option PermitTunnel controls
whether the server supports this, and at what level (layer 2 or 3 traf-
fic).
The following example would connect client network 10.0.50.0/24 with re-
mote network 10.0.99.0/24 using a point-to-point connection from 10.1.1.1
to 10.1.1.2, provided that the SSH server running on the gateway to the
remote network, at 192.168.1.15, allows it.
On the client:
# ssh -f -w 0:1 192.168.1.15 true
# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
# route add 10.0.99.0/24 10.1.1.2
On the server:
# ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
# route add 10.0.50.0/24 10.1.1.1
Client access may be more finely tuned via the /root/.ssh/authorized_keys
file (see below) and the PermitRootLogin server option. The following
entry would permit connections on tun(4) device 1 from user ``jane'' and
on tun device 2 from user ``john'', if PermitRootLogin is set to
``forced-commands-only'':
tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
Since an SSH-based setup entails a fair amount of overhead, it may be
more suited to temporary setups, such as for wireless VPNs. More perma-
nent VPNs are better provided by tools such as ipsecctl(8) and
isakmpd(8).
ENVIRONMENT
ssh will normally set the following environment variables:
DISPLAY The DISPLAY variable indicates the location of the
X11 server. It is automatically set by ssh to
point to a value of the form ``hostname:n'', where
``hostname'' indicates the host where the shell
runs, and `n' is an integer >= 1. ssh uses this
special value to forward X11 connections over the
secure channel. The user should normally not set
DISPLAY explicitly, as that will render the X11
connection insecure (and will require the user to
manually copy any required authorization cookies).
HOME Set to the path of the user's home directory.
LOGNAME Synonym for USER; set for compatibility with sys-
tems that use this variable.
MAIL Set to the path of the user's mailbox.
PATH Set to the default PATH, as specified when compil-
ing ssh.
SSH_ASKPASS If ssh needs a passphrase, it will read the
passphrase from the current terminal if it was run
from a terminal. If ssh does not have a terminal
associated with it but DISPLAY and SSH_ASKPASS are
set, it will execute the program specified by
SSH_ASKPASS and open an X11 window to read the
passphrase. This is particularly useful when call-
ing ssh from a .xsession or related script. (Note
that on some machines it may be necessary to redi-
rect the input from /dev/null to make this work.)
SSH_AUTH_SOCK Identifies the path of a UNIX-domain socket used to
communicate with the agent.
SSH_CONNECTION Identifies the client and server ends of the con-
nection. The variable contains four space-separat-
ed values: client IP address, client port number,
server IP address, and server port number.
SSH_ORIGINAL_COMMAND This variable contains the original command line if
a forced command is executed. It can be used to
extract the original arguments.
SSH_TTY This is set to the name of the tty (path to the de-
vice) associated with the current shell or command.
If the current session has no tty, this variable is
not set.
TZ This variable is set to indicate the present time
zone if it was set when the daemon was started
(i.e. the daemon passes the value on to new connec-
tions).
USER Set to the name of the user logging in.
Additionally, ssh reads ~/.ssh/environment, and adds lines of the format
``VARNAME=value'' to the environment if the file exists and users are al-
lowed to change their environment. For more information, see the
PermitUserEnvironment option in sshd_config(5).
FILES
~/.rhosts
This file is used for host-based authentication (see above). On
some machines this file may need to be world-readable if the us-
er's home directory is on an NFS partition, because sshd(8) reads
it as root. Additionally, this file must be owned by the user,
and must not have write permissions for anyone else. The recom-
mended permission for most machines is read/write for the user,
and not accessible by others.
~/.shosts
This file is used in exactly the same way as .rhosts, but allows
host-based authentication without permitting login with
rlogin/rsh.
~/.ssh/authorized_keys
Lists the public keys (RSA/DSA) that can be used for logging in
as this user. The format of this file is described in the
sshd(8) manual page. This file is not highly sensitive, but the
recommended permissions are read/write for the user, and not ac-
cessible by others.
~/.ssh/config
This is the per-user configuration file. The file format and
configuration options are described in ssh_config(5). Because of
the potential for abuse, this file must have strict permissions:
read/write for the user, and not accessible by others.
~/.ssh/environment
Contains additional definitions for environment variables; see
ENVIRONMENT, above.
~/.ssh/identity
~/.ssh/id_dsa
~/.ssh/id_rsa
Contains the private key for authentication. These files contain
sensitive data and should be readable by the user but not acces-
sible by others (read/write/execute). ssh will simply ignore a
private key file if it is accessible by others. It is possible
to specify a passphrase when generating the key which will be
used to encrypt the sensitive part of this file using 3DES.
~/.ssh/identity.pub
~/.ssh/id_dsa.pub
~/.ssh/id_rsa.pub
Contains the public key for authentication. These files are not
sensitive and can (but need not) be readable by anyone.
~/.ssh/known_hosts
Contains a list of host keys for all hosts the user has logged
into that are not already in the systemwide list of known host
keys. See sshd(8) for further details of the format of this
file.
~/.ssh/rc
Commands in this file are executed by ssh when the user logs in,
just before the user's shell (or command) is started. See the
sshd(8) manual page for more information.
/etc/hosts.equiv
This file is for host-based authentication (see above). It
should only be writable by root.
/etc/shosts.equiv
This file is used in exactly the same way as hosts.equiv, but al-
lows host-based authentication without permitting login with
rlogin/rsh.
/etc/ssh/ssh_config
Systemwide configuration file. The file format and configuration
options are described in ssh_config(5).
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_rsa_key
These three files contain the private parts of the host keys and
are used for host-based authentication. If protocol version 1 is
used, ssh must be setuid root, since the host key is readable on-
ly by root. For protocol version 2, ssh uses ssh-keysign(8) to
access the host keys, eliminating the requirement that ssh be se-
tuid root when host-based authentication is used. By default ssh
is not setuid root.
/etc/ssh/ssh_known_hosts
Systemwide list of known host keys. This file should be prepared
by the system administrator to contain the public host keys of
all machines in the organization. It should be world-readable.
See sshd(8) for further details of the format of this file.
/etc/ssh/sshrc
Commands in this file are executed by ssh when the user logs in,
just before the user's shell (or command) is started. See the
sshd(8) manual page for more information.
SEE ALSO
scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1),
tun(4), hosts.equiv(5), ssh_config(5), ssh-keysign(8), sshd(8)
The Secure Shell (SSH) Protocol Assigned Numbers, RFC 4250, 2006.
The Secure Shell (SSH) Protocol Architecture, RFC 4251, 2006.
The Secure Shell (SSH) Authentication Protocol, RFC 4252, 2006.
The Secure Shell (SSH) Transport Layer Protocol, RFC 4253, 2006.
The Secure Shell (SSH) Connection Protocol, RFC 4254, 2006.
Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints, RFC
4255, 2006.
Generic Message Exchange Authentication for the Secure Shell Protocol
(SSH), RFC 4256, 2006.
The Secure Shell (SSH) Session Channel Break Extension, RFC 4335, 2006.
The Secure Shell (SSH) Transport Layer Encryption Modes, RFC 4344, 2006.
Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer
Protocol, RFC 4345, 2006.
Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer
Protocol, RFC 4419, 2006.
The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006.
AUTHORS
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
de Raadt and Dug Song removed many bugs, re-added newer features and
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
OpenBSD 4.1 September 25, 1999 13

7
ssh.1
View File

@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh.1,v 1.265 2006/10/28 18:08:10 otto Exp $
.\" $OpenBSD: ssh.1,v 1.266 2006/12/11 21:25:46 markus Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
@ -1418,6 +1418,11 @@ manual page for more information.
.%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol"
.%D 2006
.Re
.Rs
.%R RFC 4716
.%T "The Secure Shell (SSH) Public Key File Format"
.%D 2006
.Re
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.

4
ssh.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh.c,v 1.294 2006/10/06 02:29:19 djm Exp $ */
/* $OpenBSD: ssh.c,v 1.295 2007/01/03 03:01:40 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -614,7 +614,7 @@ main(int ac, char **av)
if (!read_config_file(config, host, &options, 0))
fatal("Can't open user config file %.100s: "
"%.100s", config, strerror(errno));
} else {
} else {
snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir,
_PATH_SSH_USER_CONFFILE);
(void)read_config_file(buf, host, &options, 1);

645
ssh_config.0 Normal file
View File

@ -0,0 +1,645 @@
SSH_CONFIG(5) OpenBSD Programmer's Manual SSH_CONFIG(5)
NAME
ssh_config - OpenSSH SSH client configuration files
SYNOPSIS
~/.ssh/config
/etc/ssh/ssh_config
DESCRIPTION
ssh(1) obtains configuration data from the following sources in the fol-
lowing order:
1. command-line options
2. user's configuration file (~/.ssh/config)
3. system-wide configuration file (/etc/ssh/ssh_config)
For each parameter, the first obtained value will be used. The configu-
ration files contain sections separated by ``Host'' specifications, and
that section is only applied for hosts that match one of the patterns
given in the specification. The matched host name is the one given on
the command line.
Since the first obtained value for each parameter is used, more host-spe-
cific declarations should be given near the beginning of the file, and
general defaults at the end.
The configuration file has the following format:
Empty lines and lines starting with `#' are comments. Otherwise a line
is of the format ``keyword arguments''. Configuration options may be
separated by whitespace or optional whitespace and exactly one `='; the
latter format is useful to avoid the need to quote whitespace when speci-
fying configuration options using the ssh, scp, and sftp -o option. Ar-
guments may optionally be enclosed in double quotes (") in order to rep-
resent arguments containing spaces.
The possible keywords and their meanings are as follows (note that key-
words are case-insensitive and arguments are case-sensitive):
Host Restricts the following declarations (up to the next Host key-
word) to be only for those hosts that match one of the patterns
given after the keyword. A single `*' as a pattern can be used
to provide global defaults for all hosts. The host is the
hostname argument given on the command line (i.e. the name is not
converted to a canonicalized host name before matching).
See PATTERNS for more information on patterns.
AddressFamily
Specifies which address family to use when connecting. Valid ar-
guments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' (use
IPv6 only).
BatchMode
If set to ``yes'', passphrase/password querying will be disabled.
This option is useful in scripts and other batch jobs where no
user is present to supply the password. The argument must be
``yes'' or ``no''. The default is ``no''.
BindAddress
Use the specified address on the local machine as the source ad-
dress of the connection. Only useful on systems with more than
one address. Note that this option does not work if
UsePrivilegedPort is set to ``yes''.
ChallengeResponseAuthentication
Specifies whether to use challenge-response authentication. The
argument to this keyword must be ``yes'' or ``no''. The default
is ``yes''.
CheckHostIP
If this flag is set to ``yes'', ssh(1) will additionally check
the host IP address in the known_hosts file. This allows ssh to
detect if a host key changed due to DNS spoofing. If the option
is set to ``no'', the check will not be executed. The default is
``yes''.
Cipher Specifies the cipher to use for encrypting the session in proto-
col version 1. Currently, ``blowfish'', ``3des'', and ``des''
are supported. des is only supported in the ssh(1) client for
interoperability with legacy protocol 1 implementations that do
not support the 3des cipher. Its use is strongly discouraged due
to cryptographic weaknesses. The default is ``3des''.
Ciphers
Specifies the ciphers allowed for protocol version 2 in order of
preference. Multiple ciphers must be comma-separated. The sup-
ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'',
``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'',
and ``cast128-cbc''. The default is:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
aes192-ctr,aes256-ctr
ClearAllForwardings
Specifies that all local, remote, and dynamic port forwardings
specified in the configuration files or on the command line be
cleared. This option is primarily useful when used from the
ssh(1) command line to clear port forwardings set in configura-
tion files, and is automatically set by scp(1) and sftp(1). The
argument must be ``yes'' or ``no''. The default is ``no''.
Compression
Specifies whether to use compression. The argument must be
``yes'' or ``no''. The default is ``no''.
CompressionLevel
Specifies the compression level to use if compression is enabled.
The argument must be an integer from 1 (fast) to 9 (slow, best).
The default level is 6, which is good for most applications. The
meaning of the values is the same as in gzip(1). Note that this
option applies to protocol version 1 only.
ConnectionAttempts
Specifies the number of tries (one per second) to make before ex-
iting. The argument must be an integer. This may be useful in
scripts if the connection sometimes fails. The default is 1.
ConnectTimeout
Specifies the timeout (in seconds) used when connecting to the
SSH server, instead of using the default system TCP timeout.
This value is used only when the target is down or really un-
reachable, not when it refuses the connection.
ControlMaster
Enables the sharing of multiple sessions over a single network
connection. When set to ``yes'', ssh(1) will listen for connec-
tions on a control socket specified using the ControlPath argu-
ment. Additional sessions can connect to this socket using the
same ControlPath with ControlMaster set to ``no'' (the default).
These sessions will try to reuse the master instance's network
connection rather than initiating new ones, but will fall back to
connecting normally if the control socket does not exist, or is
not listening.
Setting this to ``ask'' will cause ssh to listen for control con-
nections, but require confirmation using the SSH_ASKPASS program
before they are accepted (see ssh-add(1) for details). If the
ControlPath cannot be opened, ssh will continue without connect-
ing to a master instance.
X11 and ssh-agent(1) forwarding is supported over these multi-
plexed connections, however the display and agent forwarded will
be the one belonging to the master connection i.e. it is not pos-
sible to forward multiple displays or agents.
Two additional options allow for opportunistic multiplexing: try
to use a master connection but fall back to creating a new one if
one does not already exist. These options are: ``auto'' and
``autoask''. The latter requires confirmation like the ``ask''
option.
ControlPath
Specify the path to the control socket used for connection shar-
ing as described in the ControlMaster section above or the string
``none'' to disable connection sharing. In the path, `%l' will
be substituted by the local host name, `%h' will be substituted
by the target host name, `%p' the port, and `%r' by the remote
login username. It is recommended that any ControlPath used for
opportunistic connection sharing include at least %h, %p, and %r.
This ensures that shared connections are uniquely identified.
DynamicForward
Specifies that a TCP port on the local machine be forwarded over
the secure channel, and the application protocol is then used to
determine where to connect to from the remote machine.
The argument must be [bind_address:]port. IPv6 addresses can be
specified by enclosing addresses in square brackets or by using
an alternative syntax: [bind_address/]port. By default, the lo-
cal port is bound in accordance with the GatewayPorts setting.
However, an explicit bind_address may be used to bind the connec-
tion to a specific address. The bind_address of ``localhost''
indicates that the listening port be bound for local use only,
while an empty address or `*' indicates that the port should be
available from all interfaces.
Currently the SOCKS4 and SOCKS5 protocols are supported, and
ssh(1) will act as a SOCKS server. Multiple forwardings may be
specified, and additional forwardings can be given on the command
line. Only the superuser can forward privileged ports.
EnableSSHKeysign
Setting this option to ``yes'' in the global client configuration
file /etc/ssh/ssh_config enables the use of the helper program
ssh-keysign(8) during HostbasedAuthentication. The argument must
be ``yes'' or ``no''. The default is ``no''. This option should
be placed in the non-hostspecific section. See ssh-keysign(8)
for more information.
EscapeChar
Sets the escape character (default: `~'). The escape character
can also be set on the command line. The argument should be a
single character, `^' followed by a letter, or ``none'' to dis-
able the escape character entirely (making the connection trans-
parent for binary data).
ExitOnForwardFailure
Specifies whether ssh(1) should terminate the connection if it
cannot set up all requested dynamic, local, and remote port for-
wardings. The argument must be ``yes'' or ``no''. The default
is ``no''.
ForwardAgent
Specifies whether the connection to the authentication agent (if
any) will be forwarded to the remote machine. The argument must
be ``yes'' or ``no''. The default is ``no''.
Agent forwarding should be enabled with caution. Users with the
ability to bypass file permissions on the remote host (for the
agent's Unix-domain socket) can access the local agent through
the forwarded connection. An attacker cannot obtain key material
from the agent, however they can perform operations on the keys
that enable them to authenticate using the identities loaded into
the agent.
ForwardX11
Specifies whether X11 connections will be automatically redirect-
ed over the secure channel and DISPLAY set. The argument must be
``yes'' or ``no''. The default is ``no''.
X11 forwarding should be enabled with caution. Users with the
ability to bypass file permissions on the remote host (for the
user's X11 authorization database) can access the local X11 dis-
play through the forwarded connection. An attacker may then be
able to perform activities such as keystroke monitoring if the
ForwardX11Trusted option is also enabled.
ForwardX11Trusted
If this option is set to ``yes'', remote X11 clients will have
full access to the original X11 display.
If this option is set to ``no'', remote X11 clients will be con-
sidered untrusted and prevented from stealing or tampering with
data belonging to trusted X11 clients. Furthermore, the xauth(1)
token used for the session will be set to expire after 20 min-
utes. Remote clients will be refused access after this time.
The default is ``no''.
See the X11 SECURITY extension specification for full details on
the restrictions imposed on untrusted clients.
GatewayPorts
Specifies whether remote hosts are allowed to connect to local
forwarded ports. By default, ssh(1) binds local port forwardings
to the loopback address. This prevents other remote hosts from
connecting to forwarded ports. GatewayPorts can be used to spec-
ify that ssh should bind local port forwardings to the wildcard
address, thus allowing remote hosts to connect to forwarded
ports. The argument must be ``yes'' or ``no''. The default is
``no''.
GlobalKnownHostsFile
Specifies a file to use for the global host key database instead
of /etc/ssh/ssh_known_hosts.
GSSAPIAuthentication
Specifies whether user authentication based on GSSAPI is allowed.
The default is ``no''. Note that this option applies to protocol
version 2 only.
GSSAPIDelegateCredentials
Forward (delegate) credentials to the server. The default is
``no''. Note that this option applies to protocol version 2 on-
ly.
HashKnownHosts
Indicates that ssh(1) should hash host names and addresses when
they are added to ~/.ssh/known_hosts. These hashed names may be
used normally by ssh(1) and sshd(8), but they do not reveal iden-
tifying information should the file's contents be disclosed. The
default is ``no''. Note that existing names and addresses in
known hosts files will not be converted automatically, but may be
manually hashed using ssh-keygen(1).
HostbasedAuthentication
Specifies whether to try rhosts based authentication with public
key authentication. The argument must be ``yes'' or ``no''. The
default is ``no''. This option applies to protocol version 2 on-
ly and is similar to RhostsRSAAuthentication.
HostKeyAlgorithms
Specifies the protocol version 2 host key algorithms that the
client wants to use in order of preference. The default for this
option is: ``ssh-rsa,ssh-dss''.
HostKeyAlias
Specifies an alias that should be used instead of the real host
name when looking up or saving the host key in the host key
database files. This option is useful for tunneling SSH connec-
tions or for multiple servers running on a single host.
HostName
Specifies the real host name to log into. This can be used to
specify nicknames or abbreviations for hosts. The default is the
name given on the command line. Numeric IP addresses are also
permitted (both on the command line and in HostName specifica-
tions).
IdentitiesOnly
Specifies that ssh(1) should only use the authentication identity
files configured in the ssh_config files, even if ssh-agent(1)
offers more identities. The argument to this keyword must be
``yes'' or ``no''. This option is intended for situations where
ssh-agent offers many different identities. The default is
``no''.
IdentityFile
Specifies a file from which the user's RSA or DSA authentication
identity is read. The default is ~/.ssh/identity for protocol
version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol ver-
sion 2. Additionally, any identities represented by the authen-
tication agent will be used for authentication.
The file name may use the tilde syntax to refer to a user's home
directory or one of the following escape characters: `%d' (local
user's home directory), `%u' (local user name), `%l' (local host
name), `%h' (remote host name) or `%r' (remote user name).
It is possible to have multiple identity files specified in con-
figuration files; all these identities will be tried in sequence.
KbdInteractiveDevices
Specifies the list of methods to use in keyboard-interactive au-
thentication. Multiple method names must be comma-separated.
The default is to use the server specified list. The methods
available vary depending on what the server supports. For an
OpenSSH server, it may be zero or more of: ``bsdauth'', ``pam'',
and ``skey''.
LocalCommand
Specifies a command to execute on the local machine after suc-
cessfully connecting to the server. The command string extends
to the end of the line, and is executed with /bin/sh. This di-
rective is ignored unless PermitLocalCommand has been enabled.
LocalForward
Specifies that a TCP port on the local machine be forwarded over
the secure channel to the specified host and port from the remote
machine. The first argument must be [bind_address:]port and the
second argument must be host:hostport. IPv6 addresses can be
specified by enclosing addresses in square brackets or by using
an alternative syntax: [bind_address/]port and host/hostport.
Multiple forwardings may be specified, and additional forwardings
can be given on the command line. Only the superuser can forward
privileged ports. By default, the local port is bound in accor-
dance with the GatewayPorts setting. However, an explicit
bind_address may be used to bind the connection to a specific ad-
dress. The bind_address of ``localhost'' indicates that the lis-
tening port be bound for local use only, while an empty address
or `*' indicates that the port should be available from all in-
terfaces.
LogLevel
Gives the verbosity level that is used when logging messages from
ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, VER-
BOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.
DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
higher levels of verbose output.
MACs Specifies the MAC (message authentication code) algorithms in or-
der of preference. The MAC algorithm is used in protocol version
2 for data integrity protection. Multiple algorithms must be
comma-separated. The default is: ``hmac-md5,hmac-sha1,hmac-
ripemd160,hmac-sha1-96,hmac-md5-96''.
NoHostAuthenticationForLocalhost
This option can be used if the home directory is shared across
machines. In this case localhost will refer to a different ma-
chine on each of the machines and the user will get many warnings
about changed host keys. However, this option disables host au-
thentication for localhost. The argument to this keyword must be
``yes'' or ``no''. The default is to check the host key for lo-
calhost.
NumberOfPasswordPrompts
Specifies the number of password prompts before giving up. The
argument to this keyword must be an integer. The default is 3.
PasswordAuthentication
Specifies whether to use password authentication. The argument
to this keyword must be ``yes'' or ``no''. The default is
``yes''.
PermitLocalCommand
Allow local command execution via the LocalCommand option or us-
ing the !command escape sequence in ssh(1). The argument must be
``yes'' or ``no''. The default is ``no''.
Port Specifies the port number to connect on the remote host. The de-
fault is 22.
PreferredAuthentications
Specifies the order in which the client should try protocol 2 au-
thentication methods. This allows a client to prefer one method
(e.g. keyboard-interactive) over another method (e.g. password)
The default for this option is: ``gssapi-with-mic,hostbased,
publickey, keyboard-interactive, password''.
Protocol
Specifies the protocol versions ssh(1) should support in order of
preference. The possible values are `1' and `2'. Multiple ver-
sions must be comma-separated. The default is ``2,1''. This
means that ssh tries version 2 and falls back to version 1 if
version 2 is not available.
ProxyCommand
Specifies the command to use to connect to the server. The com-
mand string extends to the end of the line, and is executed with
/bin/sh. In the command string, `%h' will be substituted by the
host name to connect and `%p' by the port. The command can be
basically anything, and should read from its standard input and
write to its standard output. It should eventually connect an
sshd(8) server running on some machine, or execute sshd -i some-
where. Host key management will be done using the HostName of
the host being connected (defaulting to the name typed by the us-
er). Setting the command to ``none'' disables this option en-
tirely. Note that CheckHostIP is not available for connects with
a proxy command.
This directive is useful in conjunction with nc(1) and its proxy
support. For example, the following directive would connect via
an HTTP proxy at 192.0.2.0:
ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
PubkeyAuthentication
Specifies whether to try public key authentication. The argument
to this keyword must be ``yes'' or ``no''. The default is
``yes''. This option applies to protocol version 2 only.
RekeyLimit
Specifies the maximum amount of data that may be transmitted be-
fore the session key is renegotiated. The argument is the number
of bytes, with an optional suffix of `K', `M', or `G' to indicate
Kilobytes, Megabytes, or Gigabytes, respectively. The default is
between `1G' and `4G', depending on the cipher. This option ap-
plies to protocol version 2 only.
RemoteForward
Specifies that a TCP port on the remote machine be forwarded over
the secure channel to the specified host and port from the local
machine. The first argument must be [bind_address:]port and the
second argument must be host:hostport. IPv6 addresses can be
specified by enclosing addresses in square brackets or by using
an alternative syntax: [bind_address/]port and host/hostport.
Multiple forwardings may be specified, and additional forwardings
can be given on the command line. Only the superuser can forward
privileged ports.
If the bind_address is not specified, the default is to only bind
to loopback addresses. If the bind_address is `*' or an empty
string, then the forwarding is requested to listen on all inter-
faces. Specifying a remote bind_address will only succeed if the
server's GatewayPorts option is enabled (see sshd_config(5)).
RhostsRSAAuthentication
Specifies whether to try rhosts based authentication with RSA
host authentication. The argument must be ``yes'' or ``no''.
The default is ``no''. This option applies to protocol version 1
only and requires ssh(1) to be setuid root.
RSAAuthentication
Specifies whether to try RSA authentication. The argument to
this keyword must be ``yes'' or ``no''. RSA authentication will
only be attempted if the identity file exists, or an authentica-
tion agent is running. The default is ``yes''. Note that this
option applies to protocol version 1 only.
SendEnv
Specifies what variables from the local environ(7) should be sent
to the server. Note that environment passing is only supported
for protocol 2. The server must also support it, and the server
must be configured to accept these environment variables. Refer
to AcceptEnv in sshd_config(5) for how to configure the server.
Variables are specified by name, which may contain wildcard char-
acters. Multiple environment variables may be separated by
whitespace or spread across multiple SendEnv directives. The de-
fault is not to send any environment variables.
See PATTERNS for more information on patterns.
ServerAliveCountMax
Sets the number of server alive messages (see below) which may be
sent without ssh(1) receiving any messages back from the server.
If this threshold is reached while server alive messages are be-
ing sent, ssh will disconnect from the server, terminating the
session. It is important to note that the use of server alive
messages is very different from TCPKeepAlive (below). The server
alive messages are sent through the encrypted channel and there-
fore will not be spoofable. The TCP keepalive option enabled by
TCPKeepAlive is spoofable. The server alive mechanism is valu-
able when the client or server depend on knowing when a connec-
tion has become inactive.
The default value is 3. If, for example, ServerAliveInterval
(see below) is set to 15 and ServerAliveCountMax is left at the
default, if the server becomes unresponsive, ssh will disconnect
after approximately 45 seconds. This option applies to protocol
version 2 only.
ServerAliveInterval
Sets a timeout interval in seconds after which if no data has
been received from the server, ssh(1) will send a message through
the encrypted channel to request a response from the server. The
default is 0, indicating that these messages will not be sent to
the server. This option applies to protocol version 2 only.
SmartcardDevice
Specifies which smartcard device to use. The argument to this
keyword is the device ssh(1) should use to communicate with a
smartcard used for storing the user's private RSA key. By de-
fault, no device is specified and smartcard support is not acti-
vated.
StrictHostKeyChecking
If this flag is set to ``yes'', ssh(1) will never automatically
add host keys to the ~/.ssh/known_hosts file, and refuses to con-
nect to hosts whose host key has changed. This provides maximum
protection against trojan horse attacks, though it can be annoy-
ing when the /etc/ssh/ssh_known_hosts file is poorly maintained
or when connections to new hosts are frequently made. This op-
tion forces the user to manually add all new hosts. If this flag
is set to ``no'', ssh will automatically add new host keys to the
user known hosts files. If this flag is set to ``ask'', new host
keys will be added to the user known host files only after the
user has confirmed that is what they really want to do, and ssh
will refuse to connect to hosts whose host key has changed. The
host keys of known hosts will be verified automatically in all
cases. The argument must be ``yes'', ``no'', or ``ask''. The
default is ``ask''.
TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
to the other side. If they are sent, death of the connection or
crash of one of the machines will be properly noticed. However,
this means that connections will die if the route is down tem-
porarily, and some people find it annoying.
The default is ``yes'' (to send TCP keepalive messages), and the
client will notice if the network goes down or the remote host
dies. This is important in scripts, and many users want it too.
To disable TCP keepalive messages, the value should be set to
``no''.
Tunnel Request tun(4) device forwarding between the client and the serv-
er. The argument must be ``yes'', ``point-to-point'' (layer 3),
``ethernet'' (layer 2), or ``no''. Specifying ``yes'' requests
the default tunnel mode, which is ``point-to-point''. The de-
fault is ``no''.
TunnelDevice
Specifies the tun(4) devices to open on the client (local_tun)
and the server (remote_tun).
The argument must be local_tun[:remote_tun]. The devices may be
specified by numerical ID or the keyword ``any'', which uses the
next available tunnel device. If remote_tun is not specified, it
defaults to ``any''. The default is ``any:any''.
UsePrivilegedPort
Specifies whether to use a privileged port for outgoing connec-
tions. The argument must be ``yes'' or ``no''. The default is
``no''. If set to ``yes'', ssh(1) must be setuid root. Note
that this option must be set to ``yes'' for
RhostsRSAAuthentication with older servers.
User Specifies the user to log in as. This can be useful when a dif-
ferent user name is used on different machines. This saves the
trouble of having to remember to give the user name on the com-
mand line.
UserKnownHostsFile
Specifies a file to use for the user host key database instead of
~/.ssh/known_hosts.
VerifyHostKeyDNS
Specifies whether to verify the remote key using DNS and SSHFP
resource records. If this option is set to ``yes'', the client
will implicitly trust keys that match a secure fingerprint from
DNS. Insecure fingerprints will be handled as if this option was
set to ``ask''. If this option is set to ``ask'', information on
fingerprint match will be displayed, but the user will still need
to confirm new host keys according to the StrictHostKeyChecking
option. The argument must be ``yes'', ``no'', or ``ask''. The
default is ``no''. Note that this option applies to protocol
version 2 only.
See also VERIFYING HOST KEYS in ssh(1).
XAuthLocation
Specifies the full pathname of the xauth(1) program. The default
is /usr/X11R6/bin/xauth.
PATTERNS
A pattern consists of zero or more non-whitespace characters, `*' (a
wildcard that matches zero or more characters), or `?' (a wildcard that
matches exactly one character). For example, to specify a set of decla-
rations for any host in the ``.co.uk'' set of domains, the following pat-
tern could be used:
Host *.co.uk
The following pattern would match any host in the 192.168.0.[0-9] network
range:
Host 192.168.0.?
A pattern-list is a comma-separated list of patterns. Patterns within
pattern-lists may be negated by preceding them with an exclamation mark
(`!'). For example, to allow a key to be used from anywhere within an
organisation except from the ``dialup'' pool, the following entry (in au-
thorized_keys) could be used:
from="!*.dialup.example.com,*.example.com"
FILES
~/.ssh/config
This is the per-user configuration file. The format of this file
is described above. This file is used by the SSH client. Be-
cause of the potential for abuse, this file must have strict per-
missions: read/write for the user, and not accessible by others.
/etc/ssh/ssh_config
Systemwide configuration file. This file provides defaults for
those values that are not specified in the user's configuration
file, and for those users who do not have a configuration file.
This file must be world-readable.
SEE ALSO
ssh(1)
AUTHORS
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
de Raadt and Dug Song removed many bugs, re-added newer features and cre-
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
OpenBSD 4.1 September 25, 1999 10

8
ssh_config.5
View File

@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh_config.5,v 1.97 2006/07/27 08:00:50 jmc Exp $
.\" $OpenBSD: ssh_config.5,v 1.98 2007/01/10 13:23:22 jmc Exp $
.Dd September 25, 1999
.Dt SSH_CONFIG 5
.Os
@ -42,10 +42,8 @@
.Nm ssh_config
.Nd OpenSSH SSH client configuration files
.Sh SYNOPSIS
.Bl -tag -width Ds -compact
.It Pa ~/.ssh/config
.It Pa /etc/ssh/ssh_config
.El
.Nm ~/.ssh/config
.Nm /etc/ssh/ssh_config
.Sh DESCRIPTION
.Xr ssh 1
obtains configuration data from the following sources in

544
sshd.0 Normal file
View File

@ -0,0 +1,544 @@
SSHD(8) OpenBSD System Manager's Manual SSHD(8)
NAME
sshd - OpenSSH SSH daemon
SYNOPSIS
sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]
DESCRIPTION
sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these
programs replace rlogin and rsh, and provide secure encrypted communica-
tions between two untrusted hosts over an insecure network.
sshd listens for connections from clients. It is normally started at
boot from /etc/rc. It forks a new daemon for each incoming connection.
The forked daemons handle key exchange, encryption, authentication, com-
mand execution, and data exchange.
sshd can be configured using command-line options or a configuration file
(by default sshd_config(5)); command-line options override values speci-
fied in the configuration file. sshd rereads its configuration file when
it receives a hangup signal, SIGHUP, by executing itself with the name
and options it was started with, e.g. /usr/sbin/sshd.
The options are as follows:
-4 Forces sshd to use IPv4 addresses only.
-6 Forces sshd to use IPv6 addresses only.
-b bits
Specifies the number of bits in the ephemeral protocol version 1
server key (default 768).
-D When this option is specified, sshd will not detach and does not
become a daemon. This allows easy monitoring of sshd.
-d Debug mode. The server sends verbose debug output to the system
log, and does not put itself in the background. The server also
will not fork and will only process one connection. This option
is only intended for debugging for the server. Multiple -d op-
tions increase the debugging level. Maximum is 3.
-e When this option is specified, sshd will send the output to the
standard error instead of the system log.
-f configuration_file
Specifies the name of the configuration file. The default is
/etc/ssh/sshd_config. sshd refuses to start if there is no con-
figuration file.
-g login_grace_time
Gives the grace time for clients to authenticate themselves (de-
fault 120 seconds). If the client fails to authenticate the user
within this many seconds, the server disconnects and exits. A
value of zero indicates no limit.
-h host_key_file
Specifies a file from which a host key is read. This option must
be given if sshd is not run as root (as the normal host key files
are normally not readable by anyone but root). The default is
/etc/ssh/ssh_host_key for protocol version 1, and
/etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro-
tocol version 2. It is possible to have multiple host key files
for the different protocol versions and host key algorithms.
-i Specifies that sshd is being run from inetd(8). sshd is normally
not run from inetd because it needs to generate the server key
before it can respond to the client, and this may take tens of
seconds. Clients would have to wait too long if the key was re-
generated every time. However, with small key sizes (e.g. 512)
using sshd from inetd may be feasible.
-k key_gen_time
Specifies how often the ephemeral protocol version 1 server key
is regenerated (default 3600 seconds, or one hour). The motiva-
tion for regenerating the key fairly often is that the key is not
stored anywhere, and after about an hour it becomes impossible to
recover the key for decrypting intercepted communications even if
the machine is cracked into or physically seized. A value of ze-
ro indicates that the key will never be regenerated.
-o option
Can be used to give options in the format used in the configura-
tion file. This is useful for specifying options for which there
is no separate command-line flag. For full details of the op-
tions, and their values, see sshd_config(5).
-p port
Specifies the port on which the server listens for connections
(default 22). Multiple port options are permitted. Ports speci-
fied in the configuration file with the Port option are ignored
when a command-line port is specified. Ports specified using the
ListenAddress option override command-line ports.
-q Quiet mode. Nothing is sent to the system log. Normally the be-
ginning, authentication, and termination of each connection is
logged.
-t Test mode. Only check the validity of the configuration file and
sanity of the keys. This is useful for updating sshd reliably as
configuration options may change.
-u len This option is used to specify the size of the field in the utmp
structure that holds the remote host name. If the resolved host
name is longer than len, the dotted decimal value will be used
instead. This allows hosts with very long host names that over-
flow this field to still be uniquely identified. Specifying -u0
indicates that only dotted decimal addresses should be put into
the utmp file. -u0 may also be used to prevent sshd from making
DNS requests unless the authentication mechanism or configuration
requires it. Authentication mechanisms that may require DNS in-
clude RhostsRSAAuthentication, HostbasedAuthentication, and using
a from="pattern-list" option in a key file. Configuration op-
tions that require DNS include using a USER@HOST pattern in
AllowUsers or DenyUsers.
AUTHENTICATION
The OpenSSH SSH daemon supports SSH protocols 1 and 2. Both protocols
are supported by default, though this can be changed via the Protocol op-
tion in sshd_config(5). Protocol 2 supports both RSA and DSA keys; pro-
tocol 1 only supports RSA keys. For both protocols, each host has a
host-specific key, normally 2048 bits, used to identify the host.
Forward security for protocol 1 is provided through an additional server
key, normally 768 bits, generated when the server starts. This key is
normally regenerated every hour if it has been used, and is never stored
on disk. Whenever a client connects, the daemon responds with its public
host and server keys. The client compares the RSA host key against its
own database to verify that it has not changed. The client then gener-
ates a 256-bit random number. It encrypts this random number using both
the host key and the server key, and sends the encrypted number to the
server. Both sides then use this random number as a session key which is
used to encrypt all further communications in the session. The rest of
the session is encrypted using a conventional cipher, currently Blowfish
or 3DES, with 3DES being used by default. The client selects the encryp-
tion algorithm to use from those offered by the server.
For protocol 2, forward security is provided through a Diffie-Hellman key
agreement. This key agreement results in a shared session key. The rest
of the session is encrypted using a symmetric cipher, currently 128-bit
AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The
client selects the encryption algorithm to use from those offered by the
server. Additionally, session integrity is provided through a crypto-
graphic message authentication code (hmac-sha1 or hmac-md5).
Finally, the server and the client enter an authentication dialog. The
client tries to authenticate itself using host-based authentication, pub-
lic key authentication, challenge-response authentication, or password
authentication.
Regardless of the authentication type, the account is checked to ensure
that it is accessible. An account is not accessible if it is locked,
listed in DenyUsers or its group is listed in DenyGroups . The defini-
tion of a locked account is system dependant. Some platforms have their
own account database (eg AIX) and some modify the passwd field ( `*LK*'
on Solaris and UnixWare, `*' on HP-UX, containing `Nologin' on Tru64, a
leading `*LOCKED*' on FreeBSD and a leading `!!' on Linux). If there is
a requirement to disable password authentication for the account while
allowing still public-key, then the passwd field should be set to some-
thing other than these values (eg `NP' or `*NP*' ).
If the client successfully authenticates itself, a dialog for preparing
the session is entered. At this time the client may request things like
allocating a pseudo-tty, forwarding X11 connections, forwarding TCP con-
nections, or forwarding the authentication agent connection over the se-
cure channel.
After this, the client either requests a shell or execution of a command.
The sides then enter session mode. In this mode, either side may send
data at any time, and such data is forwarded to/from the shell or command
on the server side, and the user terminal in the client side.
When the user program terminates and all forwarded X11 and other connec-
tions have been closed, the server sends command exit status to the
client, and both sides exit.
LOGIN PROCESS
When a user successfully logs in, sshd does the following:
1. If the login is on a tty, and no command has been specified,
prints last login time and /etc/motd (unless prevented in the
configuration file or by ~/.hushlogin; see the FILES section).
2. If the login is on a tty, records login time.
3. Checks /etc/nologin; if it exists, prints contents and quits
(unless root).
4. Changes to run with normal user privileges.
5. Sets up basic environment.
6. Reads the file ~/.ssh/environment, if it exists, and users are
allowed to change their environment. See the
PermitUserEnvironment option in sshd_config(5).
7. Changes to user's home directory.
8. If ~/.ssh/rc exists, runs it; else if /etc/ssh/sshrc exists,
runs it; otherwise runs xauth. The ``rc'' files are given the
X11 authentication protocol and cookie in standard input. See
SSHRC, below.
9. Runs user's shell or command.
SSHRC
If the file ~/.ssh/rc exists, sh(1) runs it after reading the environment
files but before starting the user's shell or command. It must not pro-
duce any output on stdout; stderr must be used instead. If X11 forward-
ing is in use, it will receive the "proto cookie" pair in its standard
input (and DISPLAY in its environment). The script must call xauth(1)
because sshd will not run xauth automatically to add X11 cookies.
The primary purpose of this file is to run any initialization routines
which may be needed before the user's home directory becomes accessible;
AFS is a particular example of such an environment.
This file will probably contain some initialization code followed by
something similar to:
if read proto cookie && [ -n "$DISPLAY" ]; then
if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
# X11UseLocalhost=yes
echo add unix:`echo $DISPLAY |
cut -c11-` $proto $cookie
else
# X11UseLocalhost=no
echo add $DISPLAY $proto $cookie
fi | xauth -q -
fi
If this file does not exist, /etc/ssh/sshrc is run, and if that does not
exist either, xauth is used to add the cookie.
AUTHORIZED_KEYS FILE FORMAT
AuthorizedKeysFile specifies the file containing public keys for public
key authentication; if none is specified, the default is
~/.ssh/authorized_keys. Each line of the file contains one key (empty
lines and lines starting with a `#' are ignored as comments). Protocol 1
public keys consist of the following space-separated fields: options,
bits, exponent, modulus, comment. Protocol 2 public key consist of: op-
tions, keytype, base64-encoded key, comment. The options field is op-
tional; its presence is determined by whether the line starts with a num-
ber or not (the options field never starts with a number). The bits, ex-
ponent, modulus, and comment fields give the RSA key for protocol version
1; the comment field is not used for anything (but may be convenient for
the user to identify the key). For protocol version 2 the keytype is
``ssh-dss'' or ``ssh-rsa''.
Note that lines in this file are usually several hundred bytes long (be-
cause of the size of the public key encoding) up to a limit of 8 kilo-
bytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16
kilobits. You don't want to type them in; instead, copy the
identity.pub, id_dsa.pub, or the id_rsa.pub file and edit it.
sshd enforces a minimum RSA key modulus size for protocol 1 and protocol
2 keys of 768 bits.
The options (if present) consist of comma-separated option specifica-
tions. No spaces are permitted, except within double quotes. The fol-
lowing option specifications are supported (note that option keywords are
case-insensitive):
command="command"
Specifies that the command is executed whenever this key is used
for authentication. The command supplied by the user (if any) is
ignored. The command is run on a pty if the client requests a
pty; otherwise it is run without a tty. If an 8-bit clean chan-
nel is required, one must not request a pty or should specify no-
pty. A quote may be included in the command by quoting it with a
backslash. This option might be useful to restrict certain pub-
lic keys to perform just a specific operation. An example might
be a key that permits remote backups but nothing else. Note that
the client may specify TCP and/or X11 forwarding unless they are
explicitly prohibited. The command originally supplied by the
client is available in the SSH_ORIGINAL_COMMAND environment vari-
able. Note that this option applies to shell, command or subsys-
tem execution.
environment="NAME=value"
Specifies that the string is to be added to the environment when
logging in using this key. Environment variables set this way
override other default environment values. Multiple options of
this type are permitted. Environment processing is disabled by
default and is controlled via the PermitUserEnvironment option.
This option is automatically disabled if UseLogin is enabled.
from="pattern-list"
Specifies that in addition to public key authentication, the
canonical name of the remote host must be present in the comma-
separated list of patterns. The purpose of this option is to op-
tionally increase security: public key authentication by itself
does not trust the network or name servers or anything (but the
key); however, if somebody somehow steals the key, the key per-
mits an intruder to log in from anywhere in the world. This ad-
ditional option makes using a stolen key more difficult (name
servers and/or routers would have to be compromised in addition
to just the key).
See PATTERNS in ssh_config(5) for more information on patterns.
no-agent-forwarding
Forbids authentication agent forwarding when this key is used for
authentication.
no-port-forwarding
Forbids TCP forwarding when this key is used for authentication.
Any port forward requests by the client will return an error.
This might be used, e.g. in connection with the command option.
no-pty Prevents tty allocation (a request to allocate a pty will fail).
no-X11-forwarding
Forbids X11 forwarding when this key is used for authentication.
Any X11 forward requests by the client will return an error.
permitopen="host:port"
Limit local ``ssh -L'' port forwarding such that it may only con-
nect to the specified host and port. IPv6 addresses can be spec-
ified with an alternative syntax: host/port. Multiple permitopen
options may be applied separated by commas. No pattern matching
is performed on the specified hostnames, they must be literal do-
mains or addresses.
tunnel="n"
Force a tun(4) device on the server. Without this option, the
next available device will be used if the client requests a tun-
nel.
An example authorized_keys file:
# Comments allowed at start of line
ssh-rsa AAAAB3Nza...LiPk== user@example.net
from="*.sales.example.net,!pc.sales.example.net" ssh-rsa
AAAAB2...19Q== john@example.net
command="dump /home",no-pty,no-port-forwarding ssh-dss
AAAAC3...51R== example.net
permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
AAAAB5...21S==
tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
jane@example.net
SSH_KNOWN_HOSTS FILE FORMAT
The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host
public keys for all known hosts. The global file should be prepared by
the administrator (optional), and the per-user file is maintained auto-
matically: whenever the user connects from an unknown host, its key is
added to the per-user file.
Each line in these files contains the following fields: hostnames, bits,
exponent, modulus, comment. The fields are separated by spaces.
Hostnames is a comma-separated list of patterns (`*' and `?' act as wild-
cards); each pattern in turn is matched against the canonical host name
(when authenticating a client) or against the user-supplied name (when
authenticating a server). A pattern may also be preceded by `!' to indi-
cate negation: if the host name matches a negated pattern, it is not ac-
cepted (by that line) even if it matched another pattern on the line. A
hostname or address may optionally be enclosed within `[' and `]' brack-
ets then followed by `:' and a non-standard port number.
Alternately, hostnames may be stored in a hashed form which hides host
names and addresses should the file's contents be disclosed. Hashed
hostnames start with a `|' character. Only one hashed hostname may ap-
pear on a single line and none of the above negation or wildcard opera-
tors may be applied.
Bits, exponent, and modulus are taken directly from the RSA host key;
they can be obtained, for example, from /etc/ssh/ssh_host_key.pub. The
optional comment field continues to the end of the line, and is not used.
Lines starting with `#' and empty lines are ignored as comments.
When performing host authentication, authentication is accepted if any
matching line has the proper key. It is thus permissible (but not recom-
mended) to have several lines or different host keys for the same names.
This will inevitably happen when short forms of host names from different
domains are put in the file. It is possible that the files contain con-
flicting information; authentication is accepted if valid information can
be found from either file.
Note that the lines in these files are typically hundreds of characters
long, and you definitely don't want to type in the host keys by hand.
Rather, generate them by a script or by taking /etc/ssh/ssh_host_key.pub
and adding the host names at the front.
An example ssh_known_hosts file:
# Comments allowed at start of line
closenet,...,192.0.2.53 1024 37 159...93 closenet.example.net
cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
# A hashed hostname
|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
AAAA1234.....=
FILES
~/.hushlogin
This file is used to suppress printing the last login time and
/etc/motd, if PrintLastLog and PrintMotd, respectively, are en-
abled. It does not suppress printing of the banner specified by
Banner.
~/.rhosts
This file is used for host-based authentication (see ssh(1) for
more information). On some machines this file may need to be
world-readable if the user's home directory is on an NFS parti-
tion, because sshd reads it as root. Additionally, this file
must be owned by the user, and must not have write permissions
for anyone else. The recommended permission for most machines is
read/write for the user, and not accessible by others.
~/.shosts
This file is used in exactly the same way as .rhosts, but allows
host-based authentication without permitting login with
rlogin/rsh.
~/.ssh/authorized_keys
Lists the public keys (RSA/DSA) that can be used for logging in
as this user. The format of this file is described above. The
content of the file is not highly sensitive, but the recommended
permissions are read/write for the user, and not accessible by
others.
If this file, the ~/.ssh directory, or the user's home directory
are writable by other users, then the file could be modified or
replaced by unauthorized users. In this case, sshd will not al-
low it to be used unless the StrictModes option has been set to
``no''. The recommended permissions can be set by executing
``chmod go-w ~/ ~/.ssh ~/.ssh/authorized_keys''.
~/.ssh/environment
This file is read into the environment at login (if it exists).
It can only contain empty lines, comment lines (that start with
`#'), and assignment lines of the form name=value. The file
should be writable only by the user; it need not be readable by
anyone else. Environment processing is disabled by default and
is controlled via the PermitUserEnvironment option.
~/.ssh/known_hosts
Contains a list of host keys for all hosts the user has logged
into that are not already in the systemwide list of known host
keys. The format of this file is described above. This file
should be writable only by root/the owner and can, but need not
be, world-readable.
~/.ssh/rc
Contains initialization routines to be run before the user's home
directory becomes accessible. This file should be writable only
by the user, and need not be readable by anyone else.
/etc/hosts.allow
/etc/hosts.deny
Access controls that should be enforced by tcp-wrappers are de-
fined here. Further details are described in hosts_access(5).
/etc/hosts.equiv
This file is for host-based authentication (see ssh(1)). It
should only be writable by root.
/etc/moduli
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group
Exchange". The file format is described in moduli(5).
/etc/motd
See motd(5).
/etc/nologin
If this file exists, sshd refuses to let anyone except root log
in. The contents of the file are displayed to anyone trying to
log in, and non-root connections are refused. The file should be
world-readable.
/etc/shosts.equiv
This file is used in exactly the same way as hosts.equiv, but al-
lows host-based authentication without permitting login with
rlogin/rsh.
/etc/ssh/ssh_known_hosts
Systemwide list of known host keys. This file should be prepared
by the system administrator to contain the public host keys of
all machines in the organization. The format of this file is de-
scribed above. This file should be writable only by root/the
owner and should be world-readable.
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_rsa_key
These three files contain the private parts of the host keys.
These files should only be owned by root, readable only by root,
and not accessible to others. Note that sshd does not start if
these files are group/world-accessible.
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_rsa_key.pub
These three files contain the public parts of the host keys.
These files should be world-readable but writable only by root.
Their contents should match the respective private parts. These
files are not really used for anything; they are provided for the
convenience of the user so their contents can be copied to known
hosts files. These files are created using ssh-keygen(1).
/etc/ssh/sshd_config
Contains configuration data for sshd. The file format and con-
figuration options are described in sshd_config(5).
/etc/ssh/sshrc
Similar to ~/.ssh/rc, it can be used to specify machine-specific
login-time initializations globally. This file should be
writable only by root, and should be world-readable.
/var/empty
chroot(2) directory used by sshd during privilege separation in
the pre-authentication phase. The directory should not contain
any files and must be owned by root and not group or world-
writable.
/var/run/sshd.pid
Contains the process ID of the sshd listening for connections (if
there are several daemons running concurrently for different
ports, this contains the process ID of the one started last).
The content of this file is not sensitive; it can be world-read-
able.
SEE ALSO
scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
chroot(2), hosts_access(5), login.conf(5), moduli(5), sshd_config(5),
inetd(8), sftp-server(8)
AUTHORS
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
de Raadt and Dug Song removed many bugs, re-added newer features and cre-
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
for privilege separation.
CAVEATS
System security is not improved unless rshd, rlogind, and rexecd are dis-
abled (thus completely disabling rlogin and rsh into the machine).
OpenBSD 4.1 September 25, 1999 9

3
sshd.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshd.c,v 1.348 2006/11/06 21:25:28 markus Exp $ */
/* $OpenBSD: sshd.c,v 1.349 2007/02/21 11:00:05 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -305,6 +305,7 @@ sighup_restart(void)
logit("Received SIGHUP; restarting.");
close_listen_socks();
close_startup_pipes();
alarm(0); /* alarm timer persists across exec */
execv(saved_argv[0], saved_argv);
logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
strerror(errno));

573
sshd_config.0 Normal file
View File

@ -0,0 +1,573 @@
SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5)
NAME
sshd_config - OpenSSH SSH daemon configuration file
SYNOPSIS
/etc/ssh/sshd_config
DESCRIPTION
sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file
specified with -f on the command line). The file contains keyword-argu-
ment pairs, one per line. Lines starting with `#' and empty lines are
interpreted as comments. Arguments may optionally be enclosed in double
quotes (") in order to represent arguments containing spaces.
The possible keywords and their meanings are as follows (note that key-
words are case-insensitive and arguments are case-sensitive):
AcceptEnv
Specifies what environment variables sent by the client will be
copied into the session's environ(7). See SendEnv in
ssh_config(5) for how to configure the client. Note that envi-
ronment passing is only supported for protocol 2. Variables are
specified by name, which may contain the wildcard characters `*'
and `?'. Multiple environment variables may be separated by
whitespace or spread across multiple AcceptEnv directives. Be
warned that some environment variables could be used to bypass
restricted user environments. For this reason, care should be
taken in the use of this directive. The default is not to accept
any environment variables.
AddressFamily
Specifies which address family should be used by sshd(8). Valid
arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6''
(use IPv6 only). The default is ``any''.
AllowGroups
This keyword can be followed by a list of group name patterns,
separated by spaces. If specified, login is allowed only for
users whose primary group or supplementary group list matches one
of the patterns. Only group names are valid; a numerical group
ID is not recognized. By default, login is allowed for all
groups. The allow/deny directives are processed in the following
order: DenyUsers, AllowUsers, DenyGroups, and finally
AllowGroups.
See PATTERNS in ssh_config(5) for more information on patterns.
AllowTcpForwarding
Specifies whether TCP forwarding is permitted. The default is
``yes''. Note that disabling TCP forwarding does not improve se-
curity unless users are also denied shell access, as they can al-
ways install their own forwarders.
AllowUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. If specified, login is allowed only for us-
er names that match one of the patterns. Only user names are
valid; a numerical user ID is not recognized. By default, login
is allowed for all users. If the pattern takes the form US-
ER@HOST then USER and HOST are separately checked, restricting
logins to particular users from particular hosts. The allow/deny
directives are processed in the following order: DenyUsers,
AllowUsers, DenyGroups, and finally AllowGroups.
See PATTERNS in ssh_config(5) for more information on patterns.
AuthorizedKeysFile
Specifies the file that contains the public keys that can be used
for user authentication. AuthorizedKeysFile may contain tokens
of the form %T which are substituted during connection setup.
The following tokens are defined: %% is replaced by a literal
'%', %h is replaced by the home directory of the user being au-
thenticated, and %u is replaced by the username of that user.
After expansion, AuthorizedKeysFile is taken to be an absolute
path or one relative to the user's home directory. The default
is ``.ssh/authorized_keys''.
Banner In some jurisdictions, sending a warning message before authenti-
cation may be relevant for getting legal protection. The con-
tents of the specified file are sent to the remote user before
authentication is allowed. This option is only available for
protocol version 2. By default, no banner is displayed.
ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed.
All authentication styles from login.conf(5) are supported. The
default is ``yes''.
Ciphers
Specifies the ciphers allowed for protocol version 2. Multiple
ciphers must be comma-separated. The supported ciphers are
``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'',
``arcfour256'', ``arcfour'', ``blowfish-cbc'', and
``cast128-cbc''. The default is:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
aes192-ctr,aes256-ctr
ClientAliveCountMax
Sets the number of client alive messages (see below) which may be
sent without sshd(8) receiving any messages back from the client.
If this threshold is reached while client alive messages are be-
ing sent, sshd will disconnect the client, terminating the ses-
sion. It is important to note that the use of client alive mes-
sages is very different from TCPKeepAlive (below). The client
alive messages are sent through the encrypted channel and there-
fore will not be spoofable. The TCP keepalive option enabled by
TCPKeepAlive is spoofable. The client alive mechanism is valu-
able when the client or server depend on knowing when a connec-
tion has become inactive.
The default value is 3. If ClientAliveInterval (see below) is
set to 15, and ClientAliveCountMax is left at the default, unre-
sponsive SSH clients will be disconnected after approximately 45
seconds. This option applies to protocol version 2 only.
ClientAliveInterval
Sets a timeout interval in seconds after which if no data has
been received from the client, sshd(8) will send a message
through the encrypted channel to request a response from the
client. The default is 0, indicating that these messages will
not be sent to the client. This option applies to protocol ver-
sion 2 only.
Compression
Specifies whether compression is allowed, or delayed until the
user has authenticated successfully. The argument must be
``yes'', ``delayed'', or ``no''. The default is ``delayed''.
DenyGroups
This keyword can be followed by a list of group name patterns,
separated by spaces. Login is disallowed for users whose primary
group or supplementary group list matches one of the patterns.
Only group names are valid; a numerical group ID is not recog-
nized. By default, login is allowed for all groups. The al-
low/deny directives are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
See PATTERNS in ssh_config(5) for more information on patterns.
DenyUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. Login is disallowed for user names that
match one of the patterns. Only user names are valid; a numeri-
cal user ID is not recognized. By default, login is allowed for
all users. If the pattern takes the form USER@HOST then USER and
HOST are separately checked, restricting logins to particular
users from particular hosts. The allow/deny directives are pro-
cessed in the following order: DenyUsers, AllowUsers, DenyGroups,
and finally AllowGroups.
See PATTERNS in ssh_config(5) for more information on patterns.
ForceCommand
Forces the execution of the command specified by ForceCommand,
ignoring any command supplied by the client. The command is in-
voked by using the user's login shell with the -c option. This
applies to shell, command, or subsystem execution. It is most
useful inside a Match block. The command originally supplied by
the client is available in the SSH_ORIGINAL_COMMAND environment
variable.
GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client. By default, sshd(8) binds remote port
forwardings to the loopback address. This prevents other remote
hosts from connecting to forwarded ports. GatewayPorts can be
used to specify that sshd should allow remote port forwardings to
bind to non-loopback addresses, thus allowing other hosts to con-
nect. The argument may be ``no'' to force remote port forward-
ings to be available to the local host only, ``yes'' to force re-
mote port forwardings to bind to the wildcard address, or
``clientspecified'' to allow the client to select the address to
which the forwarding is bound. The default is ``no''.
GSSAPIAuthentication
Specifies whether user authentication based on GSSAPI is allowed.
The default is ``no''. Note that this option applies to protocol
version 2 only.
GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials
cache on logout. The default is ``yes''. Note that this option
applies to protocol version 2 only.
HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication to-
gether with successful public key client host authentication is
allowed (host-based authentication). This option is similar to
RhostsRSAAuthentication and applies to protocol version 2 only.
The default is ``no''.
HostbasedUsesNameFromPacketOnly
Specifies whether or not the server will attempt to perform a re-
verse name lookup when matching the name in the ~/.shosts,
~/.rhosts, and /etc/hosts.equiv files during
HostbasedAuthentication. A setting of ``yes'' means that sshd(8)
uses the name supplied by the client rather than attempting to
resolve the name from the TCP connection itself. The default is
``no''.
HostKey
Specifies a file containing a private host key used by SSH. The
default is /etc/ssh/ssh_host_key for protocol version 1, and
/etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro-
tocol version 2. Note that sshd(8) will refuse to use a file if
it is group/world-accessible. It is possible to have multiple
host key files. ``rsa1'' keys are used for version 1 and ``dsa''
or ``rsa'' are used for version 2 of the SSH protocol.
IgnoreRhosts
Specifies that .rhosts and .shosts files will not be used in
RhostsRSAAuthentication or HostbasedAuthentication.
/etc/hosts.equiv and /etc/shosts.equiv are still used. The de-
fault is ``yes''.
IgnoreUserKnownHosts
Specifies whether sshd(8) should ignore the user's
~/.ssh/known_hosts during RhostsRSAAuthentication or
HostbasedAuthentication. The default is ``no''.
KerberosAuthentication
Specifies whether the password provided by the user for
PasswordAuthentication will be validated through the Kerberos
KDC. To use this option, the server needs a Kerberos servtab
which allows the verification of the KDC's identity. The default
is ``no''.
KerberosGetAFSToken
If AFS is active and the user has a Kerberos 5 TGT, attempt to
acquire an AFS token before accessing the user's home directory.
The default is ``no''.
KerberosOrLocalPasswd
If password authentication through Kerberos fails then the pass-
word will be validated via any additional local mechanism such as
/etc/passwd. The default is ``yes''.
KerberosTicketCleanup
Specifies whether to automatically destroy the user's ticket
cache file on logout. The default is ``yes''.
KeyRegenerationInterval
In protocol version 1, the ephemeral server key is automatically
regenerated after this many seconds (if it has been used). The
purpose of regeneration is to prevent decrypting captured ses-
sions by later breaking into the machine and stealing the keys.
The key is never stored anywhere. If the value is 0, the key is
never regenerated. The default is 3600 (seconds).
ListenAddress
Specifies the local addresses sshd(8) should listen on. The fol-
lowing forms may be used:
ListenAddress host|IPv4_addr|IPv6_addr
ListenAddress host|IPv4_addr:port
ListenAddress [host|IPv6_addr]:port
If port is not specified, sshd will listen on the address and all
prior Port options specified. The default is to listen on all
local addresses. Multiple ListenAddress options are permitted.
Additionally, any Port options must precede this option for non-
port qualified addresses.
LoginGraceTime
The server disconnects after this time if the user has not suc-
cessfully logged in. If the value is 0, there is no time limit.
The default is 120 seconds.
LogLevel
Gives the verbosity level that is used when logging messages from
sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO,
VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.
DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
higher levels of debugging output. Logging with a DEBUG level
violates the privacy of users and is not recommended.
MACs Specifies the available MAC (message authentication code) algo-
rithms. The MAC algorithm is used in protocol version 2 for data
integrity protection. Multiple algorithms must be comma-separat-
ed. The default is: ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-
sha1-96,hmac-md5-96''.
Match Introduces a conditional block. If all of the criteria on the
Match line are satisfied, the keywords on the following lines
override those set in the global section of the config file, un-
til either another Match line or the end of the file. The argu-
ments to Match are one or more criteria-pattern pairs. The
available criteria are User, Group, Host, and Address. Only a
subset of keywords may be used on the lines following a Match
keyword. Available keywords are AllowTcpForwarding, Banner,
ForceCommand, GatewayPorts, GSSApiAuthentication,
KbdInteractiveAuthentication, KerberosAuthentication,
PasswordAuthentication, PermitOpen, RhostsRSAAuthentication,
RSAAuthentication, X11DisplayOffset, X11Forwarding, and
X11UseLocalHost.
MaxAuthTries
Specifies the maximum number of authentication attempts permitted
per connection. Once the number of failures reaches half this
value, additional failures are logged. The default is 6.
MaxStartups
Specifies the maximum number of concurrent unauthenticated con-
nections to the SSH daemon. Additional connections will be
dropped until authentication succeeds or the LoginGraceTime ex-
pires for a connection. The default is 10.
Alternatively, random early drop can be enabled by specifying the
three colon separated values ``start:rate:full'' (e.g.
"10:30:60"). sshd(8) will refuse connection attempts with a
probability of ``rate/100'' (30%) if there are currently
``start'' (10) unauthenticated connections. The probability in-
creases linearly and all connection attempts are refused if the
number of unauthenticated connections reaches ``full'' (60).
PasswordAuthentication
Specifies whether password authentication is allowed. The de-
fault is ``yes''.
PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings. The
default is ``no''.
PermitOpen
Specifies the destinations to which TCP port forwarding is per-
mitted. The forwarding specification must be one of the follow-
ing forms:
PermitOpen host:port
PermitOpen IPv4_addr:port
PermitOpen [IPv6_addr]:port
Multiple forwards may be specified by separating them with
whitespace. An argument of ``any'' can be used to remove all re-
strictions and permit any forwarding requests. By default all
port forwarding requests are permitted.
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument
must be ``yes'', ``without-password'', ``forced-commands-only'',
or ``no''. The default is ``yes''.
If this option is set to ``without-password'', password authenti-
cation is disabled for root.
If this option is set to ``forced-commands-only'', root login
with public key authentication will be allowed, but only if the
command option has been specified (which may be useful for taking
remote backups even if root login is normally not allowed). All
other authentication methods are disabled for root.
If this option is set to ``no'', root is not allowed to log in.
PermitTunnel
Specifies whether tun(4) device forwarding is allowed. The argu-
ment must be ``yes'', ``point-to-point'' (layer 3), ``ethernet''
(layer 2), or ``no''. Specifying ``yes'' permits both ``point-
to-point'' and ``ethernet''. The default is ``no''.
PermitUserEnvironment
Specifies whether ~/.ssh/environment and environment= options in
~/.ssh/authorized_keys are processed by sshd(8). The default is
``no''. Enabling environment processing may enable users to by-
pass access restrictions in some configurations using mechanisms
such as LD_PRELOAD.
PidFile
Specifies the file that contains the process ID of the SSH dae-
mon. The default is /var/run/sshd.pid.
Port Specifies the port number that sshd(8) listens on. The default
is 22. Multiple options of this type are permitted. See also
ListenAddress.
PrintLastLog
Specifies whether sshd(8) should print the date and time of the
last user login when a user logs in interactively. The default
is ``yes''.
PrintMotd
Specifies whether sshd(8) should print /etc/motd when a user logs
in interactively. (On some systems it is also printed by the
shell, /etc/profile, or equivalent.) The default is ``yes''.
Protocol
Specifies the protocol versions sshd(8) supports. The possible
values are `1' and `2'. Multiple versions must be comma-separat-
ed. The default is ``2,1''. Note that the order of the protocol
list does not indicate preference, because the client selects
among multiple protocol versions offered by the server. Specify-
ing ``2,1'' is identical to ``1,2''.
PubkeyAuthentication
Specifies whether public key authentication is allowed. The de-
fault is ``yes''. Note that this option applies to protocol ver-
sion 2 only.
RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication to-
gether with successful RSA host authentication is allowed. The
default is ``no''. This option applies to protocol version 1 on-
ly.
RSAAuthentication
Specifies whether pure RSA authentication is allowed. The de-
fault is ``yes''. This option applies to protocol version 1 on-
ly.
ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1
server key. The minimum value is 512, and the default is 768.
StrictModes
Specifies whether sshd(8) should check file modes and ownership
of the user's files and home directory before accepting login.
This is normally desirable because novices sometimes accidentally
leave their directory or files world-writable. The default is
``yes''.
Subsystem
Configures an external subsystem (e.g. file transfer daemon).
Arguments should be a subsystem name and a command (with optional
arguments) to execute upon subsystem request. The command
sftp-server(8) implements the ``sftp'' file transfer subsystem.
By default no subsystems are defined. Note that this option ap-
plies to protocol version 2 only.
SyslogFacility
Gives the facility code that is used when logging messages from
sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de-
fault is AUTH.
TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
to the other side. If they are sent, death of the connection or
crash of one of the machines will be properly noticed. However,
this means that connections will die if the route is down tem-
porarily, and some people find it annoying. On the other hand,
if TCP keepalives are not sent, sessions may hang indefinitely on
the server, leaving ``ghost'' users and consuming server re-
sources.
The default is ``yes'' (to send TCP keepalive messages), and the
server will notice if the network goes down or the client host
crashes. This avoids infinitely hanging sessions.
To disable TCP keepalive messages, the value should be set to
``no''.
UseDNS Specifies whether sshd(8) should look up the remote host name and
check that the resolved host name for the remote IP address maps
back to the very same IP address. The default is ``yes''.
UseLogin
Specifies whether login(1) is used for interactive login ses-
sions. The default is ``no''. Note that login(1) is never used
for remote command execution. Note also, that if this is en-
abled, X11Forwarding will be disabled because login(1) does not
know how to handle xauth(1) cookies. If UsePrivilegeSeparation
is specified, it will be disabled after authentication.
UsePAM Enables the Pluggable Authentication Module interface. If set to
``yes'' this will enable PAM authentication using
ChallengeResponseAuthentication and PasswordAuthentication in ad-
dition to PAM account and session module processing for all au-
thentication types.
Because PAM challenge-response authentication usually serves an
equivalent role to password authentication, you should disable
either PasswordAuthentication or ChallengeResponseAuthentication.
If UsePAM is enabled, you will not be able to run sshd(8) as a
non-root user. The default is ``no''.
UsePrivilegeSeparation
Specifies whether sshd(8) separates privileges by creating an un-
privileged child process to deal with incoming network traffic.
After successful authentication, another process will be created
that has the privilege of the authenticated user. The goal of
privilege separation is to prevent privilege escalation by con-
taining any corruption within the unprivileged processes. The
default is ``yes''.
X11DisplayOffset
Specifies the first display number available for sshd(8)'s X11
forwarding. This prevents sshd from interfering with real X11
servers. The default is 10.
X11Forwarding
Specifies whether X11 forwarding is permitted. The argument must
be ``yes'' or ``no''. The default is ``no''.
When X11 forwarding is enabled, there may be additional exposure
to the server and to client displays if the sshd(8) proxy display
is configured to listen on the wildcard address (see
X11UseLocalhost below), though this is not the default. Addi-
tionally, the authentication spoofing and authentication data
verification and substitution occur on the client side. The se-
curity risk of using X11 forwarding is that the client's X11 dis-
play server may be exposed to attack when the SSH client requests
forwarding (see the warnings for ForwardX11 in ssh_config(5)). A
system administrator may have a stance in which they want to pro-
tect clients that may expose themselves to attack by unwittingly
requesting X11 forwarding, which can warrant a ``no'' setting.
Note that disabling X11 forwarding does not prevent users from
forwarding X11 traffic, as users can always install their own
forwarders. X11 forwarding is automatically disabled if UseLogin
is enabled.
X11UseLocalhost
Specifies whether sshd(8) should bind the X11 forwarding server
to the loopback address or to the wildcard address. By default,
sshd binds the forwarding server to the loopback address and sets
the hostname part of the DISPLAY environment variable to
``localhost''. This prevents remote hosts from connecting to the
proxy display. However, some older X11 clients may not function
with this configuration. X11UseLocalhost may be set to ``no'' to
specify that the forwarding server should be bound to the wild-
card address. The argument must be ``yes'' or ``no''. The de-
fault is ``yes''.
XAuthLocation
Specifies the full pathname of the xauth(1) program. The default
is /usr/X11R6/bin/xauth.
TIME FORMATS
sshd(8) command-line arguments and configuration file options that speci-
fy time may be expressed using a sequence of the form: time[qualifier],
where time is a positive integer value and qualifier is one of the fol-
lowing:
<none> seconds
s | S seconds
m | M minutes
h | H hours
d | D days
w | W weeks
Each member of the sequence is added together to calculate the total time
value.
Time format examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
FILES
/etc/ssh/sshd_config
Contains configuration data for sshd(8). This file should be
writable by root only, but it is recommended (though not neces-
sary) that it be world-readable.
SEE ALSO
sshd(8)
AUTHORS
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
de Raadt and Dug Song removed many bugs, re-added newer features and cre-
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
for privilege separation.
OpenBSD 4.1 September 25, 1999 9

13
sshd_config.5
View File

@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.70 2006/08/21 08:14:01 dtucker Exp $
.\" $OpenBSD: sshd_config.5,v 1.74 2007/03/01 16:19:33 jmc Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
@ -42,9 +42,7 @@
.Nm sshd_config
.Nd OpenSSH SSH daemon configuration file
.Sh SYNOPSIS
.Bl -tag -width Ds -compact
.It Pa /etc/ssh/sshd_config
.El
.Nm /etc/ssh/sshd_config
.Sh DESCRIPTION
.Xr sshd 8
reads configuration data from
@ -514,9 +512,16 @@ Only a subset of keywords may be used on the lines following a
keyword.
Available keywords are
.Cm AllowTcpForwarding ,
.Cm Banner ,
.Cm ForceCommand ,
.Cm GatewayPorts ,
.Cm GSSApiAuthentication ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
.Cm PasswordAuthentication ,
.Cm PermitOpen ,
.Cm RhostsRSAAuthentication ,
.Cm RSAAuthentication ,
.Cm X11DisplayOffset ,
.Cm X11Forwarding ,
and

4
version.h
View File

@ -1,6 +1,6 @@
/* $OpenBSD: version.h,v 1.48 2006/11/07 10:31:31 markus Exp $ */
/* $OpenBSD: version.h,v 1.49 2007/03/06 10:13:14 djm Exp $ */
#define SSH_VERSION "OpenSSH_4.5"
#define SSH_VERSION "OpenSSH_4.6"
#define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE