d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Resolve conflicts.

Browse Source
This commit is contained in:
Dag-Erling Smørgrav 2005-09-03 07:04:25 +00:00
parent f8a2a7f14a
commit d4ecd10857
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=149753
55 changed files with 1395 additions and 1004 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
crypto/openssh/LICENCE
View File

@ -204,6 +204,7 @@ OpenSSH contains no GPL code.
William Jones
Darren Tucker
Sun Microsystems
The SCO Group
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -255,6 +256,7 @@ OpenSSH contains no GPL code.
Damien Miller
Eric P. Allman
The Regents of the University of California
Constantin S. Svintsoff
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions

8
crypto/openssh/acconfig.h
View File

@ -1,4 +1,4 @@
/* $Id: acconfig.h,v 1.181 2005/02/25 23:07:38 dtucker Exp $ */
/* $Id: acconfig.h,v 1.183 2005/07/07 10:33:36 dtucker Exp $ */
/* $FreeBSD$ */
/*
@ -120,9 +120,6 @@
/* Define if you are on NeXT */
#undef HAVE_NEXT
/* Define if you are on NEWS-OS */
#undef HAVE_NEWS4
/* Define if you want to enable PAM support */
#undef USE_PAM
@ -206,9 +203,6 @@
/* Define if you don't want to use lastlog in session.c */
#undef NO_SSH_LASTLOG
/* Define if have krb5_init_ets */
#undef KRB5_INIT_ETS
/* Define if you don't want to use utmp */
#undef DISABLE_UTMP

57
crypto/openssh/auth-krb5.c
View File

@ -55,9 +55,6 @@ krb5_init(void *context)
problem = krb5_init_context(&authctxt->krb5_ctx);
if (problem)
return (problem);
#ifdef KRB5_INIT_ETS
krb5_init_ets(authctxt->krb5_ctx);
#endif
}
return (0);
}
@ -68,9 +65,6 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
#ifndef HEIMDAL
krb5_creds creds;
krb5_principal server;
char ccname[40];
int tmpfd;
mode_t old_umask;
#endif
krb5_error_code problem;
krb5_ccache ccache = NULL;
@ -147,26 +141,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
goto out;
}
snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
old_umask = umask(0177);
tmpfd = mkstemp(ccname + strlen("FILE:"));
umask(old_umask);
if (tmpfd == -1) {
logit("mkstemp(): %.100s", strerror(errno));
problem = errno;
goto out;
}
if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
logit("fchmod(): %.100s", strerror(errno));
close(tmpfd);
problem = errno;
goto out;
}
close(tmpfd);
problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);
problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
if (problem)
goto out;
@ -235,4 +210,34 @@ krb5_cleanup_proc(Authctxt *authctxt)
}
}
#ifndef HEIMDAL
krb5_error_code
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
int tmpfd, ret;
char ccname[40];
mode_t old_umask;
ret = snprintf(ccname, sizeof(ccname),
"FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
if (ret == -1 || ret >= sizeof(ccname))
return ENOMEM;
old_umask = umask(0177);
tmpfd = mkstemp(ccname + strlen("FILE:"));
umask(old_umask);
if (tmpfd == -1) {
logit("mkstemp(): %.100s", strerror(errno));
return errno;
}
if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
logit("fchmod(): %.100s", strerror(errno));
close(tmpfd);
return errno;
}
close(tmpfd);
return (krb5_cc_resolve(ctx, ccname, ccache));
}
#endif /* !HEIMDAL */
#endif /* KRB5 */

45
crypto/openssh/auth-pam.c
View File

@ -47,7 +47,7 @@
/* Based on $xFreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
#include "includes.h"
RCSID("$Id: auth-pam.c,v 1.122 2005/05/25 06:18:10 dtucker Exp $");
RCSID("$Id: auth-pam.c,v 1.126 2005/07/17 07:18:50 djm Exp $");
RCSID("$FreeBSD$");
#ifdef USE_PAM
@ -57,6 +57,13 @@ RCSID("$FreeBSD$");
#include <pam/pam_appl.h>
#endif
/* OpenGroup RFC86.0 and XSSO specify no "const" on arguments */
#ifdef PAM_SUN_CODEBASE
# define sshpam_const /* Solaris, HP-UX, AIX */
#else
# define sshpam_const const /* LinuxPAM, OpenPAM */
#endif
#include "auth.h"
#include "auth-pam.h"
#include "buffer.h"
@ -117,14 +124,14 @@ static struct pam_ctxt *cleanup_ctxt;
static int sshpam_thread_status = -1;
static mysig_t sshpam_oldsig;
static void
static void
sshpam_sigchld_handler(int sig)
{
signal(SIGCHLD, SIG_DFL);
if (cleanup_ctxt == NULL)
return; /* handler called after PAM cleanup, shouldn't happen */
if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, WNOHANG)
<= 0) {
<= 0) {
/* PAM thread has not exitted, privsep slave must have */
kill(cleanup_ctxt->pam_thread, SIGTERM);
if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0)
@ -151,6 +158,7 @@ pthread_create(sp_pthread_t *thread, const void *attr __unused,
void *(*thread_start)(void *), void *arg)
{
pid_t pid;
struct pam_ctxt *ctx = arg;
sshpam_thread_status = -1;
switch ((pid = fork())) {
@ -158,10 +166,14 @@ pthread_create(sp_pthread_t *thread, const void *attr __unused,
error("fork(): %s", strerror(errno));
return (-1);
case 0:
close(ctx->pam_psock);
ctx->pam_psock = -1;
thread_start(arg);
_exit(1);
default:
*thread = pid;
close(ctx->pam_csock);
ctx->pam_csock = -1;
sshpam_oldsig = signal(SIGCHLD, sshpam_sigchld_handler);
return (0);
}
@ -301,7 +313,7 @@ import_environments(Buffer *b)
* Conversation function for authentication thread.
*/
static int
sshpam_thread_conv(int n, struct pam_message **msg,
sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
{
Buffer buffer;
@ -400,8 +412,10 @@ sshpam_thread(void *ctxtp)
char **env_from_pam;
u_int i;
const char *pam_user;
const char **ptr_pam_user = &pam_user;
pam_get_item(sshpam_handle, PAM_USER, (void **)&pam_user);
pam_get_item(sshpam_handle, PAM_USER,
(sshpam_const void **)ptr_pam_user);
environ[0] = NULL;
if (sshpam_authctxt != NULL) {
@ -493,7 +507,7 @@ sshpam_thread_cleanup(void)
}
static int
sshpam_null_conv(int n, struct pam_message **msg,
sshpam_null_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
{
debug3("PAM: %s entering, %d messages", __func__, n);
@ -503,7 +517,7 @@ sshpam_null_conv(int n, struct pam_message **msg,
static struct pam_conv null_conv = { sshpam_null_conv, NULL };
static int
sshpam_store_conv(int n, struct pam_message **msg,
sshpam_store_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
{
struct pam_response *reply;
@ -572,11 +586,12 @@ sshpam_init(Authctxt *authctxt)
{
extern char *__progname;
const char *pam_rhost, *pam_user, *user = authctxt->user;
const char **ptr_pam_user = &pam_user;
if (sshpam_handle != NULL) {
/* We already have a PAM context; check if the user matches */
sshpam_err = pam_get_item(sshpam_handle,
PAM_USER, (void **)&pam_user);
PAM_USER, (sshpam_const void **)ptr_pam_user);
if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0)
return (0);
pam_end(sshpam_handle, sshpam_err);
@ -766,7 +781,7 @@ sshpam_respond(void *ctx, u_int num, char **resp)
buffer_init(&buffer);
if (sshpam_authctxt->valid &&
(sshpam_authctxt->pw->pw_uid != 0 ||
options.permit_root_login == PERMIT_YES))
options.permit_root_login == PERMIT_YES))
buffer_put_cstring(&buffer, *resp);
else
buffer_put_cstring(&buffer, badpw);
@ -839,7 +854,7 @@ do_pam_account(void)
sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
pam_strerror(sshpam_handle, sshpam_err));
if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
sshpam_account_status = 0;
return (sshpam_account_status);
@ -892,7 +907,7 @@ do_pam_setcred(int init)
}
static int
sshpam_tty_conv(int n, struct pam_message **msg,
sshpam_tty_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
{
char input[PAM_MAX_MSG_SIZE];
@ -1051,7 +1066,7 @@ free_pam_environment(char **env)
* display.
*/
static int
sshpam_passwd_conv(int n, struct pam_message **msg,
sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
{
struct pam_response *reply;
@ -1097,7 +1112,7 @@ sshpam_passwd_conv(int n, struct pam_message **msg,
*resp = reply;
return (PAM_SUCCESS);
fail:
fail:
for(i = 0; i < n; i++) {
if (reply[i].resp != NULL)
xfree(reply[i].resp);
@ -1130,7 +1145,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
* information via timing (eg if the PAM config has a delay on fail).
*/
if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
options.permit_root_login != PERMIT_YES))
options.permit_root_login != PERMIT_YES))
sshpam_password = badpw;
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
@ -1144,7 +1159,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
debug("PAM: password authentication accepted for %.100s",
authctxt->user);
return 1;
return 1;
} else {
debug("PAM: password authentication failed for %.100s: %s",
authctxt->valid ? authctxt->user : "an illegal user",

4
crypto/openssh/auth-passwd.c
View File

@ -36,7 +36,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth-passwd.c,v 1.33 2005/01/24 11:47:13 dtucker Exp $");
RCSID("$OpenBSD: auth-passwd.c,v 1.34 2005/07/19 15:32:26 otto Exp $");
RCSID("$FreeBSD$");
#include "packet.h"
@ -164,6 +164,8 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
(char *)password);
if (as == NULL)
return (0);
if (auth_getstate(as) & AUTH_PWEXPIRED) {
auth_close(as);
disable_forwarding();

4
crypto/openssh/auth-rh-rsa.c
View File

@ -13,7 +13,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth-rh-rsa.c,v 1.37 2003/11/04 08:54:09 djm Exp $");
RCSID("$OpenBSD: auth-rh-rsa.c,v 1.38 2005/07/17 07:17:54 djm Exp $");
#include "packet.h"
#include "uidswap.h"
@ -86,7 +86,7 @@ auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key)
*/
verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
pw->pw_name, cuser, chost);
pw->pw_name, cuser, chost);
packet_send_debug("Rhosts with RSA host authentication accepted.");
return 1;
}

6
crypto/openssh/auth-rsa.c
View File

@ -14,7 +14,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth-rsa.c,v 1.62 2004/12/11 01:48:56 dtucker Exp $");
RCSID("$OpenBSD: auth-rsa.c,v 1.63 2005/06/17 02:44:32 djm Exp $");
#include <openssl/rsa.h>
#include <openssl/md5.h>
@ -205,6 +205,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
char *cp;
char *key_options;
int keybits;
/* Skip leading whitespace, empty and comment lines. */
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@ -243,7 +244,8 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
continue;
/* check the real bits */
if (bits != BN_num_bits(key->rsa->n))
keybits = BN_num_bits(key->rsa->n);
if (keybits < 0 || bits != (u_int)keybits)
logit("Warning: %s, line %lu: keysize mismatch: "
"actual %d vs. announced %d.",
file, linenum, BN_num_bits(key->rsa->n), bits);

2
crypto/openssh/auth-skey.c
View File

@ -56,7 +56,7 @@ skey_query(void *ctx, char **name, char **infotxt,
int len;
struct skey skey;
if (_compat_skeychallenge(&skey, authctxt->user, challenge,
if (_compat_skeychallenge(&skey, authctxt->user, challenge,
sizeof(challenge)) == -1)
return -1;

68
crypto/openssh/auth.c
View File

@ -23,7 +23,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth.c,v 1.58 2005/03/14 11:44:42 dtucker Exp $");
RCSID("$OpenBSD: auth.c,v 1.60 2005/06/17 02:44:32 djm Exp $");
RCSID("$FreeBSD$");
#ifdef HAVE_LOGIN_H
@ -77,7 +77,7 @@ allowed_user(struct passwd * pw)
struct stat st;
const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
char *shell;
int i;
u_int i;
#ifdef USE_SHADOW
struct spwd *spw = NULL;
#endif
@ -98,7 +98,11 @@ allowed_user(struct passwd * pw)
/* grab passwd field for locked account check */
#ifdef USE_SHADOW
if (spw != NULL)
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
passwd = get_iaf_password(pw);
#else
passwd = spw->sp_pwdp;
#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
#else
passwd = pw->pw_passwd;
#endif
@ -120,6 +124,9 @@ allowed_user(struct passwd * pw)
if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
locked = 1;
#endif
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
free(passwd);
#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
if (locked) {
logit("User %.100s not allowed because account is locked",
pw->pw_name);
@ -327,64 +334,41 @@ auth_root_allowed(char *method)
*
* This returns a buffer allocated by xmalloc.
*/
char *
expand_filename(const char *filename, struct passwd *pw)
static char *
expand_authorized_keys(const char *filename, struct passwd *pw)
{
Buffer buffer;
char *file;
const char *cp;
char *file, *ret;
/*
* Build the filename string in the buffer by making the appropriate
* substitutions to the given file name.
*/
buffer_init(&buffer);
for (cp = filename; *cp; cp++) {
if (cp[0] == '%' && cp[1] == '%') {
buffer_append(&buffer, "%", 1);
cp++;
continue;
}
if (cp[0] == '%' && cp[1] == 'h') {
buffer_append(&buffer, pw->pw_dir, strlen(pw->pw_dir));
cp++;
continue;
}
if (cp[0] == '%' && cp[1] == 'u') {
buffer_append(&buffer, pw->pw_name,
strlen(pw->pw_name));
cp++;
continue;
}
buffer_append(&buffer, cp, 1);
}
buffer_append(&buffer, "\0", 1);
file = percent_expand(filename, "h", pw->pw_dir,
"u", pw->pw_name, (char *)NULL);
/*
* Ensure that filename starts anchored. If not, be backward
* compatible and prepend the '%h/'
*/
file = xmalloc(MAXPATHLEN);
cp = buffer_ptr(&buffer);
if (*cp != '/')
snprintf(file, MAXPATHLEN, "%s/%s", pw->pw_dir, cp);
else
strlcpy(file, cp, MAXPATHLEN);
if (*file == '/')
return (file);
buffer_free(&buffer);
return file;
ret = xmalloc(MAXPATHLEN);
if (strlcpy(ret, pw->pw_dir, MAXPATHLEN) >= MAXPATHLEN ||
strlcat(ret, "/", MAXPATHLEN) >= MAXPATHLEN ||
strlcat(ret, file, MAXPATHLEN) >= MAXPATHLEN)
fatal("expand_authorized_keys: path too long");
xfree(file);
return (ret);
}
char *
authorized_keys_file(struct passwd *pw)
{
return expand_filename(options.authorized_keys_file, pw);
return expand_authorized_keys(options.authorized_keys_file, pw);
}
char *
authorized_keys_file2(struct passwd *pw)
{
return expand_filename(options.authorized_keys_file2, pw);
return expand_authorized_keys(options.authorized_keys_file2, pw);
}
/* return ok if key exists in sysfile or userfile */

8
crypto/openssh/auth.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth.h,v 1.50 2004/05/23 23:59:53 dtucker Exp $ */
/* $OpenBSD: auth.h,v 1.51 2005/06/06 11:20:36 djm Exp $ */
/* $FreeBSD$ */
/*
@ -164,7 +164,6 @@ char *get_challenge(Authctxt *);
int verify_response(Authctxt *, const char *);
void abandon_challenge_response(Authctxt *);
char *expand_filename(const char *, struct passwd *);
char *authorized_keys_file(struct passwd *);
char *authorized_keys_file2(struct passwd *);
@ -197,6 +196,11 @@ int sys_auth_passwd(Authctxt *, const char *);
#define SKEY_PROMPT "\nOPIE Password: "
#else
#define SKEY_PROMPT "\nS/Key Password: "
#if defined(KRB5) && !defined(HEIMDAL)
#include <krb5.h>
krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
#endif
#endif
#endif

328
crypto/openssh/auth1.c
View File

@ -10,7 +10,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $");
RCSID("$OpenBSD: auth1.c,v 1.62 2005/07/16 01:35:24 djm Exp $");
RCSID("$FreeBSD$");
#include "xmalloc.h"
@ -32,28 +32,182 @@ RCSID("$FreeBSD$");
extern ServerOptions options;
extern Buffer loginmsg;
/*
* convert ssh auth msg type into description
*/
static int auth1_process_password(Authctxt *, char *, size_t);
static int auth1_process_rsa(Authctxt *, char *, size_t);
static int auth1_process_rhosts_rsa(Authctxt *, char *, size_t);
static int auth1_process_tis_challenge(Authctxt *, char *, size_t);
static int auth1_process_tis_response(Authctxt *, char *, size_t);
static char *client_user = NULL; /* Used to fill in remote user for PAM */
struct AuthMethod1 {
int type;
char *name;
int *enabled;
int (*method)(Authctxt *, char *, size_t);
};
const struct AuthMethod1 auth1_methods[] = {
{
SSH_CMSG_AUTH_PASSWORD, "password",
&options.password_authentication, auth1_process_password
},
{
SSH_CMSG_AUTH_RSA, "rsa",
&options.rsa_authentication, auth1_process_rsa
},
{
SSH_CMSG_AUTH_RHOSTS_RSA, "rhosts-rsa",
&options.rhosts_rsa_authentication, auth1_process_rhosts_rsa
},
{
SSH_CMSG_AUTH_TIS, "challenge-response",
&options.challenge_response_authentication,
auth1_process_tis_challenge
},
{
SSH_CMSG_AUTH_TIS_RESPONSE, "challenge-response",
&options.challenge_response_authentication,
auth1_process_tis_response
},
{ -1, NULL, NULL, NULL}
};
static const struct AuthMethod1
*lookup_authmethod1(int type)
{
int i;
for(i = 0; auth1_methods[i].name != NULL; i++)
if (auth1_methods[i].type == type)
return (&(auth1_methods[i]));
return (NULL);
}
static char *
get_authname(int type)
{
static char buf[1024];
switch (type) {
case SSH_CMSG_AUTH_PASSWORD:
return "password";
case SSH_CMSG_AUTH_RSA:
return "rsa";
case SSH_CMSG_AUTH_RHOSTS_RSA:
return "rhosts-rsa";
case SSH_CMSG_AUTH_RHOSTS:
return "rhosts";
case SSH_CMSG_AUTH_TIS:
case SSH_CMSG_AUTH_TIS_RESPONSE:
return "challenge-response";
const struct AuthMethod1 *a;
static char buf[64];
if ((a = lookup_authmethod1(type)) != NULL)
return (a->name);
snprintf(buf, sizeof(buf), "bad-auth-msg-%d", type);
return (buf);
}
static int
auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
{
int authenticated = 0;
char *password;
u_int dlen;
/*
* Read user password. It is in plain text, but was
* transmitted over the encrypted channel so it is
* not visible to an outside observer.
*/
password = packet_get_string(&dlen);
packet_check_eom();
/* Try authentication with the password. */
authenticated = PRIVSEP(auth_password(authctxt, password));
memset(password, 0, dlen);
xfree(password);
return (authenticated);
}
static int
auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
{
int authenticated = 0;
BIGNUM *n;
/* RSA authentication requested. */
if ((n = BN_new()) == NULL)
fatal("do_authloop: BN_new failed");
packet_get_bignum(n);
packet_check_eom();
authenticated = auth_rsa(authctxt, n);
BN_clear_free(n);
return (authenticated);
}
static int
auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
{
int keybits, authenticated = 0;
u_int bits;
Key *client_host_key;
u_int ulen;
/*
* Get client user name. Note that we just have to
* trust the client; root on the client machine can
* claim to be any user.
*/
client_user = packet_get_string(&ulen);
/* Get the client host key. */
client_host_key = key_new(KEY_RSA1);
bits = packet_get_int();
packet_get_bignum(client_host_key->rsa->e);
packet_get_bignum(client_host_key->rsa->n);
keybits = BN_num_bits(client_host_key->rsa->n);
if (keybits < 0 || bits != (u_int)keybits) {
verbose("Warning: keysize mismatch for client_host_key: "
"actual %d, announced %d",
BN_num_bits(client_host_key->rsa->n), bits);
}
snprintf(buf, sizeof buf, "bad-auth-msg-%d", type);
return buf;
packet_check_eom();
authenticated = auth_rhosts_rsa(authctxt, client_user,
client_host_key);
key_free(client_host_key);
snprintf(info, infolen, " ruser %.100s", client_user);
return (authenticated);
}
static int
auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
{
char *challenge;
if ((challenge = get_challenge(authctxt)) == NULL)
return (0);
debug("sending challenge '%s'", challenge);
packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
packet_put_cstring(challenge);
xfree(challenge);
packet_send();
packet_write_wait();
return (-1);
}
static int
auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen)
{
int authenticated = 0;
char *response;
u_int dlen;
response = packet_get_string(&dlen);
packet_check_eom();
authenticated = verify_response(authctxt, response);
memset(response, 'r', dlen);
xfree(response);
return (authenticated);
}
/*
@ -64,14 +218,9 @@ static void
do_authloop(Authctxt *authctxt)
{
int authenticated = 0;
u_int bits;
Key *client_host_key;
BIGNUM *n;
char *client_user, *password;
char info[1024];
u_int dlen;
u_int ulen;
int prev, type = 0;
int prev = 0, type = 0;
const struct AuthMethod1 *meth;
debug("Attempting authentication for %s%.100s.",
authctxt->valid ? "" : "invalid user ", authctxt->user);
@ -96,8 +245,6 @@ do_authloop(Authctxt *authctxt)
packet_send();
packet_write_wait();
client_user = NULL;
for (;;) {
/* default to fail */
authenticated = 0;
@ -119,107 +266,21 @@ do_authloop(Authctxt *authctxt)
type != SSH_CMSG_AUTH_TIS_RESPONSE)
abandon_challenge_response(authctxt);
/* Process the packet. */
switch (type) {
case SSH_CMSG_AUTH_RHOSTS_RSA:
if (!options.rhosts_rsa_authentication) {
verbose("Rhosts with RSA authentication disabled.");
break;
}
/*
* Get client user name. Note that we just have to
* trust the client; root on the client machine can
* claim to be any user.
*/
client_user = packet_get_string(&ulen);
/* Get the client host key. */
client_host_key = key_new(KEY_RSA1);
bits = packet_get_int();
packet_get_bignum(client_host_key->rsa->e);
packet_get_bignum(client_host_key->rsa->n);
if (bits != BN_num_bits(client_host_key->rsa->n))
verbose("Warning: keysize mismatch for client_host_key: "
"actual %d, announced %d",
BN_num_bits(client_host_key->rsa->n), bits);
packet_check_eom();
authenticated = auth_rhosts_rsa(authctxt, client_user,
client_host_key);
key_free(client_host_key);
snprintf(info, sizeof info, " ruser %.100s", client_user);
break;
case SSH_CMSG_AUTH_RSA:
if (!options.rsa_authentication) {
verbose("RSA authentication disabled.");
break;
}
/* RSA authentication requested. */
if ((n = BN_new()) == NULL)
fatal("do_authloop: BN_new failed");
packet_get_bignum(n);
packet_check_eom();
authenticated = auth_rsa(authctxt, n);
BN_clear_free(n);
break;
case SSH_CMSG_AUTH_PASSWORD:
if (!options.password_authentication) {
verbose("Password authentication disabled.");
break;
}
/*
* Read user password. It is in plain text, but was
* transmitted over the encrypted channel so it is
* not visible to an outside observer.
*/
password = packet_get_string(&dlen);
packet_check_eom();
/* Try authentication with the password. */
authenticated = PRIVSEP(auth_password(authctxt, password));
memset(password, 0, strlen(password));
xfree(password);
break;
case SSH_CMSG_AUTH_TIS:
debug("rcvd SSH_CMSG_AUTH_TIS");
if (options.challenge_response_authentication == 1) {
char *challenge = get_challenge(authctxt);
if (challenge != NULL) {
debug("sending challenge '%s'", challenge);
packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
packet_put_cstring(challenge);
xfree(challenge);
packet_send();
packet_write_wait();
continue;
}
}
break;
case SSH_CMSG_AUTH_TIS_RESPONSE:
debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
if (options.challenge_response_authentication == 1) {
char *response = packet_get_string(&dlen);
packet_check_eom();
authenticated = verify_response(authctxt, response);
memset(response, 'r', dlen);
xfree(response);
}
break;
default:
/*
* Any unknown messages will be ignored (and failure
* returned) during authentication.
*/
logit("Unknown message during authentication: type %d", type);
break;
if ((meth = lookup_authmethod1(type)) == NULL) {
logit("Unknown message during authentication: "
"type %d", type);
goto skip;
}
if (!*(meth->enabled)) {
verbose("%s authentication disabled.", meth->name);
goto skip;
}
authenticated = meth->method(authctxt, info, sizeof(info));
if (authenticated == -1)
continue; /* "postponed" */
#ifdef BSD_AUTH
if (authctxt->as) {
auth_close(authctxt->as);
@ -239,7 +300,7 @@ do_authloop(Authctxt *authctxt)
#ifdef HAVE_CYGWIN
if (authenticated &&
!check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,
!check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,
authctxt->pw)) {
packet_disconnect("Authentication rejected for uid %d.",
authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid);
@ -248,8 +309,8 @@ do_authloop(Authctxt *authctxt)
#else
/* Special handling for root */
if (authenticated && authctxt->pw->pw_uid == 0 &&
!auth_root_allowed(get_authname(type))) {
authenticated = 0;
!auth_root_allowed(meth->name)) {
authenticated = 0;
# ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
# endif
@ -263,7 +324,7 @@ do_authloop(Authctxt *authctxt)
size_t len;
error("Access denied for user %s by PAM account "
"configuration", authctxt->user);
"configuration", authctxt->user);
len = buffer_len(&loginmsg);
buffer_append(&loginmsg, "\0", 1);
msg = buffer_ptr(&loginmsg);
@ -277,6 +338,7 @@ do_authloop(Authctxt *authctxt)
}
#endif
skip:
/* Log before sending the reply */
auth_log(authctxt, authenticated, get_authname(type), info);
@ -342,7 +404,7 @@ do_authentication(Authctxt *authctxt)
/*
* If we are not running as root, the user must have the same uid as
* the server. (Unless you are running Windows)
* the server.
*/
#ifndef HAVE_CYGWIN
if (!use_privsep && getuid() != 0 && authctxt->pw &&

11
crypto/openssh/auth2-chall.c
View File

@ -23,7 +23,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
RCSID("$OpenBSD: auth2-chall.c,v 1.22 2005/01/19 13:11:47 dtucker Exp $");
RCSID("$OpenBSD: auth2-chall.c,v 1.24 2005/07/17 07:17:54 djm Exp $");
RCSID("$FreeBSD$");
#include "ssh2.h"
@ -168,7 +168,7 @@ kbdint_next_device(KbdintAuthctxt *kbdintctxt)
kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
xfree(t);
debug2("kbdint_next_device: devices %s", kbdintctxt->devices ?
kbdintctxt->devices : "<empty>");
kbdintctxt->devices : "<empty>");
} while (kbdintctxt->devices && !kbdintctxt->device);
return kbdintctxt->device ? 1 : 0;
@ -240,8 +240,7 @@ send_userauth_info_request(Authctxt *authctxt)
{
KbdintAuthctxt *kbdintctxt;
char *name, *instr, **prompts;
int i;
u_int *echo_on;
u_int i, *echo_on;
kbdintctxt = authctxt->kbdintctxt;
if (kbdintctxt->device->query(kbdintctxt->ctxt,
@ -274,8 +273,8 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
{
Authctxt *authctxt = ctxt;
KbdintAuthctxt *kbdintctxt;
int i, authenticated = 0, res, len;
u_int nresp;
int authenticated = 0, res, len;
u_int i, nresp;
char **response = NULL, *method;
if (authctxt == NULL)

2
crypto/openssh/auth2.c
View File

@ -264,7 +264,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
packet_write_wait();
}
fatal("Access denied for user %s by PAM account "
"configuration", authctxt->user);
"configuration", authctxt->user);
}
}
#endif

12
crypto/openssh/authfd.c
View File

@ -35,7 +35,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: authfd.c,v 1.64 2004/08/11 21:44:31 avsm Exp $");
RCSID("$OpenBSD: authfd.c,v 1.66 2005/06/17 02:44:32 djm Exp $");
#include <openssl/evp.h>
@ -114,8 +114,7 @@ ssh_get_authentication_socket(void)
static int
ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply)
{
int l;
u_int len;
u_int l, len;
char buf[1024];
/* Get the length of the message, and format it in the buffer. */
@ -149,8 +148,7 @@ ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply
l = len;
if (l > sizeof(buf))
l = sizeof(buf);
l = atomicio(read, auth->fd, buf, l);
if (l <= 0) {
if (atomicio(read, auth->fd, buf, l) != l) {
error("Error reading response from authentication socket.");
return 0;
}
@ -303,6 +301,7 @@ ssh_get_first_identity(AuthenticationConnection *auth, char **comment, int versi
Key *
ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int version)
{
int keybits;
u_int bits;
u_char *blob;
u_int blen;
@ -323,7 +322,8 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
buffer_get_bignum(&auth->identities, key->rsa->e);
buffer_get_bignum(&auth->identities, key->rsa->n);
*comment = buffer_get_string(&auth->identities, NULL);
if (bits != BN_num_bits(key->rsa->n))
keybits = BN_num_bits(key->rsa->n);
if (keybits < 0 || bits != (u_int)keybits)
logit("Warning: identity keysize mismatch: actual %d, announced %u",
BN_num_bits(key->rsa->n), bits);
break;

16
crypto/openssh/authfile.c
View File

@ -36,7 +36,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: authfile.c,v 1.60 2004/12/11 01:48:56 dtucker Exp $");
RCSID("$OpenBSD: authfile.c,v 1.61 2005/06/17 02:44:32 djm Exp $");
#include <openssl/err.h>
#include <openssl/evp.h>
@ -52,6 +52,7 @@ RCSID("$OpenBSD: authfile.c,v 1.60 2004/12/11 01:48:56 dtucker Exp $");
#include "authfile.h"
#include "rsa.h"
#include "misc.h"
#include "atomicio.h"
/* Version identification string for SSH v1 identity files. */
static const char authfile_id_string[] =
@ -147,8 +148,8 @@ key_save_private_rsa1(Key *key, const char *filename, const char *passphrase,
buffer_free(&encrypted);
return 0;
}
if (write(fd, buffer_ptr(&encrypted), buffer_len(&encrypted)) !=
buffer_len(&encrypted)) {
if (atomicio(vwrite, fd, buffer_ptr(&encrypted),
buffer_len(&encrypted)) != buffer_len(&encrypted)) {
error("write to key file %s failed: %s", filename,
strerror(errno));
buffer_free(&encrypted);
@ -236,7 +237,7 @@ key_load_public_rsa1(int fd, const char *filename, char **commentp)
Key *pub;
struct stat st;
char *cp;
int i;
u_int i;
size_t len;
if (fstat(fd, &st) < 0) {
@ -253,7 +254,7 @@ key_load_public_rsa1(int fd, const char *filename, char **commentp)
buffer_init(&buffer);
cp = buffer_append_space(&buffer, len);
if (read(fd, cp, (size_t) len) != (size_t) len) {
if (atomicio(read, fd, cp, len) != len) {
debug("Read from key file %.200s failed: %.100s", filename,
strerror(errno));
buffer_free(&buffer);
@ -322,7 +323,8 @@ static Key *
key_load_private_rsa1(int fd, const char *filename, const char *passphrase,
char **commentp)
{
int i, check1, check2, cipher_type;
u_int i;
int check1, check2, cipher_type;
size_t len;
Buffer buffer, decrypted;
u_char *cp;
@ -347,7 +349,7 @@ key_load_private_rsa1(int fd, const char *filename, const char *passphrase,
buffer_init(&buffer);
cp = buffer_append_space(&buffer, len);
if (read(fd, cp, (size_t) len) != (size_t) len) {
if (atomicio(read, fd, cp, len) != len) {
debug("Read from key file %.200s failed: %.100s", filename,
strerror(errno));
buffer_free(&buffer);

4
crypto/openssh/bufaux.c
View File

@ -37,7 +37,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: bufaux.c,v 1.35 2005/03/10 22:01:05 deraadt Exp $");
RCSID("$OpenBSD: bufaux.c,v 1.36 2005/06/17 02:44:32 djm Exp $");
RCSID("$FreeBSD$");
#include <openssl/bn.h>
@ -155,7 +155,7 @@ buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
buf[0] = 0x00;
/* Get the value of in binary */
oi = BN_bn2bin(value, buf+1);
if (oi != bytes-1) {
if (oi < 0 || (u_int)oi != bytes - 1) {
error("buffer_put_bignum2_ret: BN_bn2bin() failed: "
"oi %d != bin_size %d", oi, bytes);
xfree(buf);

9
crypto/openssh/canohost.c
View File

@ -12,7 +12,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: canohost.c,v 1.42 2005/02/18 03:05:53 djm Exp $");
RCSID("$OpenBSD: canohost.c,v 1.44 2005/06/17 02:44:32 djm Exp $");
#include "packet.h"
#include "xmalloc.h"
@ -143,7 +143,8 @@ check_ip_options(int sock, char *ipaddr)
u_char options[200];
char text[sizeof(options) * 3 + 1];
socklen_t option_size;
int i, ipproto;
u_int i;
int ipproto;
struct protoent *ip;
if ((ip = getprotobyname("ip")) != NULL)
@ -173,7 +174,7 @@ ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
struct in_addr inaddr;
u_int16_t port;
if (addr->ss_family != AF_INET6 ||
if (addr->ss_family != AF_INET6 ||
!IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr))
return;
@ -346,7 +347,7 @@ get_sock_port(int sock, int local)
} else {
if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) {
debug("getpeername failed: %.100s", strerror(errno));
cleanup_exit(255);
return -1;
}
}

106
crypto/openssh/channels.c
View File

@ -39,7 +39,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: channels.c,v 1.214 2005/03/14 11:46:56 markus Exp $");
RCSID("$OpenBSD: channels.c,v 1.223 2005/07/17 07:17:54 djm Exp $");
#include "ssh.h"
#include "ssh1.h"
@ -111,6 +111,9 @@ static int all_opens_permitted = 0;
/* Maximum number of fake X11 displays to try. */
#define MAX_DISPLAYS 1000
/* Saved X11 local (client) display. */
static char *x11_saved_display = NULL;
/* Saved X11 authentication protocol name. */
static char *x11_saved_proto = NULL;
@ -727,8 +730,8 @@ channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset)
FD_SET(c->wfd, writeset);
} else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
if (CHANNEL_EFD_OUTPUT_ACTIVE(c))
debug2("channel %d: obuf_empty delayed efd %d/(%d)",
c->self, c->efd, buffer_len(&c->extended));
debug2("channel %d: obuf_empty delayed efd %d/(%d)",
c->self, c->efd, buffer_len(&c->extended));
else
chan_obuf_empty(c);
}
@ -894,7 +897,7 @@ static int
channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset)
{
char *p, *host;
int len, have, i, found;
u_int len, have, i, found;
char username[256];
struct {
u_int8_t version;
@ -979,7 +982,7 @@ channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
} s5_req, s5_rsp;
u_int16_t dest_port;
u_char *p, dest_addr[255+1];
int i, have, found, nmethods, addrlen, af;
u_int have, i, found, nmethods, addrlen, af;
debug2("channel %d: decode socks5", c->self);
p = buffer_ptr(&c->input);
@ -1075,7 +1078,8 @@ static void
channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset)
{
u_char *p;
int have, ret;
u_int have;
int ret;
have = buffer_len(&c->input);
c->delayed = 0;
@ -1178,7 +1182,7 @@ port_open_helper(Channel *c, char *rtype)
int direct;
char buf[1024];
char *remote_ipaddr = get_peer_ipaddr(c->sock);
u_short remote_port = get_peer_port(c->sock);
int remote_port = get_peer_port(c->sock);
direct = (strcmp(rtype, "direct-tcpip") == 0);
@ -1208,7 +1212,7 @@ port_open_helper(Channel *c, char *rtype)
}
/* originator host and port */
packet_put_cstring(remote_ipaddr);
packet_put_int(remote_port);
packet_put_int((u_int)remote_port);
packet_send();
} else {
packet_start(SSH_MSG_PORT_OPEN);
@ -1809,8 +1813,8 @@ channel_output_poll(void)
* hack for extended data: delay EOF if EFD still in use.
*/
if (CHANNEL_EFD_INPUT_ACTIVE(c))
debug2("channel %d: ibuf_empty delayed efd %d/(%d)",
c->self, c->efd, buffer_len(&c->extended));
debug2("channel %d: ibuf_empty delayed efd %d/(%d)",
c->self, c->efd, buffer_len(&c->extended));
else
chan_ibuf_empty(c);
}
@ -2195,11 +2199,11 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
if (host == NULL) {
error("No forward host name.");
return success;
return 0;
}
if (strlen(host) > SSH_CHANNEL_PATH_LEN - 1) {
error("Forward host name too long.");
return success;
return 0;
}
/*
@ -2250,12 +2254,10 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
packet_disconnect("getaddrinfo: fatal error: %s",
gai_strerror(r));
} else {
verbose("channel_setup_fwd_listener: "
"getaddrinfo(%.64s): %s", addr, gai_strerror(r));
packet_send_debug("channel_setup_fwd_listener: "
error("channel_setup_fwd_listener: "
"getaddrinfo(%.64s): %s", addr, gai_strerror(r));
}
aitop = NULL;
return 0;
}
for (ai = aitop; ai; ai = ai->ai_next) {
@ -2657,7 +2659,7 @@ channel_send_window_changes(void)
*/
int
x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
int single_connection, u_int *display_numberp)
int single_connection, u_int *display_numberp, int **chanids)
{
Channel *nc = NULL;
int display_number, sock;
@ -2747,6 +2749,8 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
}
/* Allocate a channel for each socket. */
if (chanids != NULL)
*chanids = xmalloc(sizeof(**chanids) * (num_socks + 1));
for (n = 0; n < num_socks; n++) {
sock = socks[n];
nc = channel_new("x11 listener",
@ -2754,7 +2758,11 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
0, "X11 inet listener", 1);
nc->single_connection = single_connection;
if (*chanids != NULL)
(*chanids)[n] = nc->self;
}
if (*chanids != NULL)
(*chanids)[n] = -1;
/* Return the display number for the DISPLAY environment variable. */
*display_numberp = display_number;
@ -2952,19 +2960,27 @@ deny_input_open(int type, u_int32_t seq, void *ctxt)
* This should be called in the client only.
*/
void
x11_request_forwarding_with_spoofing(int client_session_id,
x11_request_forwarding_with_spoofing(int client_session_id, const char *disp,
const char *proto, const char *data)
{
u_int data_len = (u_int) strlen(data) / 2;
u_int i, value, len;
u_int i, value;
char *new_data;
int screen_number;
const char *cp;
u_int32_t rnd = 0;
cp = getenv("DISPLAY");
if (cp)
cp = strchr(cp, ':');
if (x11_saved_display == NULL)
x11_saved_display = xstrdup(disp);
else if (strcmp(disp, x11_saved_display) != 0) {
error("x11_request_forwarding_with_spoofing: different "
"$DISPLAY already forwarded");
return;
}
cp = disp;
if (disp)
cp = strchr(disp, ':');
if (cp)
cp = strchr(cp, '.');
if (cp)
@ -2972,33 +2988,31 @@ x11_request_forwarding_with_spoofing(int client_session_id,
else
screen_number = 0;
/* Save protocol name. */
x11_saved_proto = xstrdup(proto);
/*
* Extract real authentication data and generate fake data of the
* same length.
*/
x11_saved_data = xmalloc(data_len);
x11_fake_data = xmalloc(data_len);
for (i = 0; i < data_len; i++) {
if (sscanf(data + 2 * i, "%2x", &value) != 1)
fatal("x11_request_forwarding: bad authentication data: %.100s", data);
if (i % 4 == 0)
rnd = arc4random();
x11_saved_data[i] = value;
x11_fake_data[i] = rnd & 0xff;
rnd >>= 8;
if (x11_saved_proto == NULL) {
/* Save protocol name. */
x11_saved_proto = xstrdup(proto);
/*
* Extract real authentication data and generate fake data
* of the same length.
*/
x11_saved_data = xmalloc(data_len);
x11_fake_data = xmalloc(data_len);
for (i = 0; i < data_len; i++) {
if (sscanf(data + 2 * i, "%2x", &value) != 1)
fatal("x11_request_forwarding: bad "
"authentication data: %.100s", data);
if (i % 4 == 0)
rnd = arc4random();
x11_saved_data[i] = value;
x11_fake_data[i] = rnd & 0xff;
rnd >>= 8;
}
x11_saved_data_len = data_len;
x11_fake_data_len = data_len;
}
x11_saved_data_len = data_len;
x11_fake_data_len = data_len;
/* Convert the fake data into hex. */
len = 2 * data_len + 1;
new_data = xmalloc(len);
for (i = 0; i < data_len; i++)
snprintf(new_data + 2 * i, len - 2 * i,
"%02x", (u_char) x11_fake_data[i]);
new_data = tohex(x11_fake_data, data_len);
/* Send the request packet. */
if (compat20) {

9
crypto/openssh/channels.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: channels.h,v 1.76 2005/03/01 10:09:52 djm Exp $ */
/* $OpenBSD: channels.h,v 1.79 2005/07/17 06:49:04 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -149,7 +149,7 @@ struct Channel {
buffer_len(&c->extended) > 0))
#define CHANNEL_EFD_OUTPUT_ACTIVE(c) \
(compat20 && c->extended_usage == CHAN_EXTENDED_WRITE && \
((c->efd != -1 && !(c->flags & (CHAN_EOF_RCVD|CHAN_CLOSE_RCVD))) || \
c->efd != -1 && (!(c->flags & (CHAN_EOF_RCVD|CHAN_CLOSE_RCVD)) || \
buffer_len(&c->extended) > 0))
/* channel management */
@ -214,9 +214,10 @@ int channel_cancel_rport_listener(const char *, u_short);
/* x11 forwarding */
int x11_connect_display(void);
int x11_create_display_inet(int, int, int, u_int *);
int x11_create_display_inet(int, int, int, u_int *, int **);
void x11_input_open(int, u_int32_t, void *);
void x11_request_forwarding_with_spoofing(int, const char *, const char *);
void x11_request_forwarding_with_spoofing(int, const char *, const char *,
const char *);
void deny_input_open(int, u_int32_t, void *);
/* agent forwarding */

100
crypto/openssh/cipher.c
View File

@ -35,7 +35,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: cipher.c,v 1.73 2005/01/23 10:18:12 djm Exp $");
RCSID("$OpenBSD: cipher.c,v 1.77 2005/07/16 01:35:24 djm Exp $");
#include "xmalloc.h"
#include "log.h"
@ -43,25 +43,8 @@ RCSID("$OpenBSD: cipher.c,v 1.73 2005/01/23 10:18:12 djm Exp $");
#include <openssl/md5.h>
#if OPENSSL_VERSION_NUMBER < 0x00906000L
#define SSH_OLD_EVP
#define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
#endif
#if OPENSSL_VERSION_NUMBER < 0x00907000L
extern const EVP_CIPHER *evp_rijndael(void);
extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
#endif
#if !defined(EVP_CTRL_SET_ACSS_MODE)
# if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
extern const EVP_CIPHER *evp_acss(void);
# define EVP_acss evp_acss
# define EVP_CTRL_SET_ACSS_MODE xxx /* used below */
# else
# define EVP_acss NULL /* Don't try to support ACSS on older OpenSSL */
# endif /* (OPENSSL_VERSION_NUMBER >= 0x00906000L) */
#endif /* !defined(EVP_CTRL_SET_ACSS_MODE) */
/* compatibility with old or broken OpenSSL versions */
#include "openbsd-compat/openssl-compat.h"
extern const EVP_CIPHER *evp_ssh1_bf(void);
extern const EVP_CIPHER *evp_ssh1_3des(void);
@ -74,39 +57,32 @@ struct Cipher {
int number; /* for ssh1 only */
u_int block_size;
u_int key_len;
u_int discard_len;
const EVP_CIPHER *(*evptype)(void);
} ciphers[] = {
{ "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null },
{ "des", SSH_CIPHER_DES, 8, 8, EVP_des_cbc },
{ "3des", SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des },
{ "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf },
{ "none", SSH_CIPHER_NONE, 8, 0, 0, EVP_enc_null },
{ "des", SSH_CIPHER_DES, 8, 8, 0, EVP_des_cbc },
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, evp_ssh1_3des },
{ "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, evp_ssh1_bf },
{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc },
{ "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc },
{ "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc },
{ "arcfour", SSH_CIPHER_SSH2, 8, 16, EVP_rc4 },
#if OPENSSL_VERSION_NUMBER < 0x00907000L
{ "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, evp_rijndael },
{ "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, evp_rijndael },
{ "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, evp_rijndael },
{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, EVP_des_ede3_cbc },
{ "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_bf_cbc },
{ "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_cast5_cbc },
{ "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, EVP_rc4 },
{ "arcfour128", SSH_CIPHER_SSH2, 8, 16, 1536, EVP_rc4 },
{ "arcfour256", SSH_CIPHER_SSH2, 8, 32, 1536, EVP_rc4 },
{ "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, EVP_aes_128_cbc },
{ "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, EVP_aes_192_cbc },
{ "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc },
{ "rijndael-cbc@lysator.liu.se",
SSH_CIPHER_SSH2, 16, 32, evp_rijndael },
#else
{ "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, EVP_aes_128_cbc },
{ "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, EVP_aes_192_cbc },
{ "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
{ "rijndael-cbc@lysator.liu.se",
SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc },
{ "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, evp_aes_128_ctr },
{ "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, evp_aes_128_ctr },
{ "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, evp_aes_128_ctr },
#ifdef USE_CIPHER_ACSS
{ "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, EVP_acss },
#endif
#if OPENSSL_VERSION_NUMBER >= 0x00905000L
{ "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, evp_aes_128_ctr },
{ "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, evp_aes_128_ctr },
{ "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, evp_aes_128_ctr },
#endif
#if defined(EVP_CTRL_SET_ACSS_MODE)
{ "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, EVP_acss },
#endif
{ NULL, SSH_CIPHER_INVALID, 0, 0, NULL }
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, NULL }
};
/*--*/
@ -222,8 +198,9 @@ cipher_init(CipherContext *cc, Cipher *cipher,
EVP_CIPHER *type;
#else
const EVP_CIPHER *type;
#endif
int klen;
#endif
u_char *junk, *discard;
if (cipher->number == SSH_CIPHER_DES) {
if (dowarn) {
@ -261,7 +238,7 @@ cipher_init(CipherContext *cc, Cipher *cipher,
fatal("cipher_init: EVP_CipherInit failed for %s",
cipher->name);
klen = EVP_CIPHER_CTX_key_length(&cc->evp);
if (klen > 0 && keylen != klen) {
if (klen > 0 && keylen != (u_int)klen) {
debug2("cipher_init: set keylen (%d -> %d)", klen, keylen);
if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0)
fatal("cipher_init: set keylen failed (%d -> %d)",
@ -271,6 +248,17 @@ cipher_init(CipherContext *cc, Cipher *cipher,
fatal("cipher_init: EVP_CipherInit: set key failed for %s",
cipher->name);
#endif
if (cipher->discard_len > 0) {
junk = xmalloc(cipher->discard_len);
discard = xmalloc(cipher->discard_len);
if (EVP_Cipher(&cc->evp, discard, junk,
cipher->discard_len) == 0)
fatal("evp_crypt: EVP_Cipher failed during discard");
memset(discard, 0, cipher->discard_len);
xfree(junk);
xfree(discard);
}
}
void
@ -278,23 +266,15 @@ cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
if (len % cc->cipher->block_size)
fatal("cipher_encrypt: bad plaintext length %d", len);
#ifdef SSH_OLD_EVP
EVP_Cipher(&cc->evp, dest, (u_char *)src, len);
#else
if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0)
fatal("evp_crypt: EVP_Cipher failed");
#endif
}
void
cipher_cleanup(CipherContext *cc)
{
#ifdef SSH_OLD_EVP
EVP_CIPHER_CTX_cleanup(&cc->evp);
#else
if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed");
#endif
}
/*
@ -349,9 +329,9 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
case SSH_CIPHER_DES:
case SSH_CIPHER_BLOWFISH:
evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
if (evplen == 0)
if (evplen <= 0)
return;
if (evplen != len)
if ((u_int)evplen != len)
fatal("%s: wrong iv length %d != %d", __func__,
evplen, len);
#if OPENSSL_VERSION_NUMBER < 0x00907000L

403
crypto/openssh/configure.ac
View File

@ -1,4 +1,4 @@
# $Id: configure.ac,v 1.260 2005/04/24 07:52:23 dtucker Exp $
# $Id: configure.ac,v 1.292 2005/08/31 16:59:49 tim Exp $
# $FreeBSD$
#
# Copyright (c) 1999-2004 Damien Miller
@ -15,7 +15,7 @@
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
AC_INIT(OpenSSH, Portable)
AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
AC_CONFIG_SRCDIR([ssh.c])
AC_CONFIG_HEADER(config.h)
@ -78,8 +78,94 @@ fi
AC_SUBST(LD)
AC_C_INLINE
AC_CHECK_DECL(LLONG_MAX, have_llong_max=1, , [#include <limits.h>])
if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wno-uninitialized"
CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized"
GCC_VER=`$CC --version`
case $GCC_VER in
1.*) ;;
2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;;
2.*) ;;
*) CFLAGS="$CFLAGS -Wsign-compare" ;;
esac
if test -z "$have_llong_max"; then
# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
unset ac_cv_have_decl_LLONG_MAX
saved_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -std=gnu99"
AC_CHECK_DECL(LLONG_MAX,
[have_llong_max=1],
[CFLAGS="$saved_CFLAGS"],
[#include <limits.h>]
)
fi
fi
if test -z "$have_llong_max"; then
AC_MSG_CHECKING([for max value of long long])
AC_RUN_IFELSE(
[AC_LANG_SOURCE([[
#include <stdio.h>
/* Why is this so damn hard? */
#ifdef __GNUC__
# undef __GNUC__
#endif
#define __USE_ISOC99
#include <limits.h>
#define DATA "conftest.llminmax"
int main(void) {
FILE *f;
long long i, llmin, llmax = 0;
if((f = fopen(DATA,"w")) == NULL)
exit(1);
#if defined(LLONG_MIN) && defined(LLONG_MAX)
fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
llmin = LLONG_MIN;
llmax = LLONG_MAX;
#else
fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n");
/* This will work on one's complement and two's complement */
for (i = 1; i > llmax; i <<= 1, i++)
llmax = i;
llmin = llmax + 1LL; /* wrap */
#endif
/* Sanity check */
if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
|| llmax - 1 > llmax) {
fprintf(f, "unknown unknown\n");
exit(2);
}
if (fprintf(f ,"%lld %lld", llmin, llmax) < 0)
exit(3);
exit(0);
}
]])],
[
llong_min=`$AWK '{print $1}' conftest.llminmax`
llong_max=`$AWK '{print $2}' conftest.llminmax`
AC_MSG_RESULT($llong_max)
AC_DEFINE_UNQUOTED(LLONG_MAX, [${llong_max}LL],
[max value of long long calculated by configure])
AC_MSG_CHECKING([for min value of long long])
AC_MSG_RESULT($llong_min)
AC_DEFINE_UNQUOTED(LLONG_MIN, [${llong_min}LL],
[min value of long long calculated by configure])
],
[
AC_MSG_RESULT(not found)
],
[
AC_MSG_WARN([cross compiling: not checking])
]
)
fi
AC_ARG_WITH(rpath,
@ -182,26 +268,8 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
AC_DEFINE(BROKEN_SETREGID)
AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1)
;;
*-*-hpux10.26)
if test -z "$GCC"; then
CFLAGS="$CFLAGS -Ae"
fi
CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
IPADDR_IN_DISPLAY=yes
AC_DEFINE(HAVE_SECUREWARE)
AC_DEFINE(USE_PIPES)
AC_DEFINE(LOGIN_NO_ENDOPT)
AC_DEFINE(LOGIN_NEEDS_UTMPX)
AC_DEFINE(LOCKED_PASSWD_STRING, "*")
AC_DEFINE(SPT_TYPE,SPT_PSTAT)
LIBS="$LIBS -lsec -lsecpw"
AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
disable_ptmx_check=yes
;;
*-*-hpux10*)
if test -z "$GCC"; then
CFLAGS="$CFLAGS -Ae"
fi
*-*-hpux*)
# first we define all of the options common to all HP-UX releases
CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
IPADDR_IN_DISPLAY=yes
AC_DEFINE(USE_PIPES)
@ -210,23 +278,33 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
AC_DEFINE(LOCKED_PASSWD_STRING, "*")
AC_DEFINE(SPT_TYPE,SPT_PSTAT)
LIBS="$LIBS -lsec"
AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
;;
*-*-hpux11*)
CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
IPADDR_IN_DISPLAY=yes
AC_DEFINE(PAM_SUN_CODEBASE)
AC_DEFINE(USE_PIPES)
AC_DEFINE(LOGIN_NO_ENDOPT)
AC_DEFINE(LOGIN_NEEDS_UTMPX)
AC_DEFINE(DISABLE_UTMP)
AC_DEFINE(LOCKED_PASSWD_STRING, "*")
AC_DEFINE(SPT_TYPE,SPT_PSTAT)
AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins])
check_for_hpux_broken_getaddrinfo=1
check_for_conflicting_getspnam=1
LIBS="$LIBS -lsec"
AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
AC_CHECK_LIB(xnet, t_error, ,
AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
# next, we define all of the options specific to major releases
case "$host" in
*-*-hpux10*)
if test -z "$GCC"; then
CFLAGS="$CFLAGS -Ae"
fi
;;
*-*-hpux11*)
AC_DEFINE(PAM_SUN_CODEBASE)
AC_DEFINE(DISABLE_UTMP)
AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins])
check_for_hpux_broken_getaddrinfo=1
check_for_conflicting_getspnam=1
;;
esac
# lastly, we define options specific to minor releases
case "$host" in
*-*-hpux10.26)
AC_DEFINE(HAVE_SECUREWARE)
disable_ptmx_check=yes
LIBS="$LIBS -lsecpw"
;;
esac
;;
*-*-irix5*)
PATH="$PATH:/usr/etc"
@ -270,7 +348,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
esac
;;
mips-sony-bsd|mips-sony-newsos4)
AC_DEFINE(HAVE_NEWS4)
AC_DEFINE(NEED_SETPRGP, [], [Need setpgrp to acquire controlling tty])
SONY=1
;;
*-*-netbsd*)
@ -297,6 +375,9 @@ mips-sony-bsd|mips-sony-newsos4)
AC_DEFINE(USE_PIPES)
AC_DEFINE(BROKEN_SAVED_UIDS)
;;
*-*-openbsd*)
AC_DEFINE(HAVE_ATTRIBUTE__SENTINEL__, 1, [OpenBSD's gcc has sentinel])
;;
*-*-solaris*)
if test "x$withval" != "xno" ; then
need_dash_r=1
@ -366,11 +447,19 @@ mips-sony-bsd|mips-sony-newsos4)
;;
# UnixWare 7.x, OpenUNIX 8
*-*-sysv5*)
check_for_libcrypt_later=1
AC_DEFINE(UNIXWARE_LONG_PASSWORDS, 1, [Support passwords > 8 chars])
AC_DEFINE(USE_PIPES)
AC_DEFINE(SETEUID_BREAKS_SETUID)
AC_DEFINE(BROKEN_SETREUID)
AC_DEFINE(BROKEN_SETREGID)
AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd])
case "$host" in
*-*-sysv5SCO_SV*) # SCO OpenServer 6.x
TEST_SHELL=/u95/bin/sh
AC_DEFINE(BROKEN_LIBIAF, 1, [ia_uinfo routines not supported by OS yet])
;;
esac
;;
*-*-sysv*)
;;
@ -469,6 +558,19 @@ mips-sony-bsd|mips-sony-newsos4)
AC_DEFINE(MISSING_HOWMANY)
AC_DEFINE(MISSING_FD_MASK)
;;
*-*-ultrix*)
AC_DEFINE(BROKEN_GETGROUPS, [], [getgroups(0,NULL) will return -1])
AC_DEFINE(BROKEN_MMAP, [], [Ultrix mmap can't map files])
AC_DEFINE(NEED_SETPRGP, [], [Need setpgrp to acquire controlling tty])
AC_DEFINE(HAVE_SYS_SYSLOG_H, 1, [Force use of sys/syslog.h on Ultrix])
;;
*-*-lynxos)
CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
AC_DEFINE(MISSING_HOWMANY)
AC_DEFINE(BROKEN_SETVBUF, 1, [LynxOS has broken setvbuf() implementation])
;;
esac
# Allow user to specify flags
@ -508,6 +610,17 @@ AC_ARG_WITH(libs,
fi
]
)
AC_ARG_WITH(Werror,
[ --with-Werror Build main code with -Werror],
[
if test -n "$withval" && test "x$withval" != "xno"; then
werror_flags="-Werror"
if "x${withval}" != "xyes"; then
werror_flags="$withval"
fi
fi
]
)
AC_MSG_CHECKING(compiler and flags for sanity)
AC_RUN_IFELSE(
@ -523,17 +636,67 @@ int main(){exit(0);}
[ AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
)
# Checks for header files.
AC_CHECK_HEADERS(bstring.h crypt.h dirent.h endian.h features.h \
floatingpoint.h getopt.h glob.h ia.h lastlog.h limits.h login.h \
login_cap.h maillock.h ndir.h netdb.h netgroup.h \
netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \
rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
strings.h sys/dir.h sys/strtio.h sys/audit.h sys/bitypes.h \
sys/bsdtty.h sys/cdefs.h sys/mman.h sys/ndir.h sys/prctl.h \
sys/pstat.h sys/select.h sys/stat.h sys/stream.h \
sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h sys/un.h \
time.h tmpdir.h ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h)
dnl Checks for header files.
AC_CHECK_HEADERS( \
bstring.h \
crypt.h \
dirent.h \
endian.h \
features.h \
floatingpoint.h \
getopt.h \
glob.h \
ia.h \
iaf.h \
lastlog.h \
limits.h \
login.h \
login_cap.h \
maillock.h \
ndir.h \
netdb.h \
netgroup.h \
netinet/in_systm.h \
pam/pam_appl.h \
paths.h \
pty.h \
readpassphrase.h \
rpc/types.h \
security/pam_appl.h \
shadow.h \
stddef.h \
stdint.h \
string.h \
strings.h \
sys/audit.h \
sys/bitypes.h \
sys/bsdtty.h \
sys/cdefs.h \
sys/dir.h \
sys/mman.h \
sys/ndir.h \
sys/prctl.h \
sys/pstat.h \
sys/select.h \
sys/stat.h \
sys/stream.h \
sys/stropts.h \
sys/strtio.h \
sys/sysmacros.h \
sys/time.h \
sys/timers.h \
sys/un.h \
time.h \
tmpdir.h \
ttyent.h \
unistd.h \
usersec.h \
util.h \
utime.h \
utmp.h \
utmpx.h \
vis.h \
)
# sys/ptms.h requires sys/stream.h to be included first on Solaris
AC_CHECK_HEADERS(sys/ptms.h, [], [], [
@ -661,8 +824,8 @@ int main()
if (a == 1 && b == 1 && c >= 4)
exit(0);
/* 1.2.1.2 and up are OK */
if (v >= 1020102)
/* 1.2.3 and up are OK */
if (v >= 1020300)
exit(0);
exit(2);
@ -676,7 +839,7 @@ Your reported zlib version has known security problems. It's possible your
vendor has fixed these problems without changing the version number. If you
are sure this is the case, you can disable the check by running
"./configure --without-zlib-version-check".
If you are in doubt, upgrade zlib to version 1.2.1.2 or greater.
If you are in doubt, upgrade zlib to version 1.2.3 or greater.
See http://www.gzip.org/zlib/ for details.])
else
AC_MSG_WARN([zlib version may have security problems])
@ -912,6 +1075,21 @@ AC_ARG_WITH(libedit,
[ AC_MSG_ERROR(libedit not found) ],
[ -lcurses ]
)
AC_MSG_CHECKING(if libedit version is compatible)
AC_COMPILE_IFELSE(
[AC_LANG_SOURCE([[
#include <histedit.h>
int main(void)
{
int i = H_SETSIZE;
el_init("", NULL, NULL, NULL);
exit(0);
}
]])],
[ AC_MSG_RESULT(yes) ],
[ AC_MSG_RESULT(no)
AC_MSG_ERROR(libedit version is not compatible) ]
)
fi ]
)
@ -940,6 +1118,9 @@ AC_ARG_WITH(audit,
AC_MSG_RESULT(debug)
AC_DEFINE(SSH_AUDIT_EVENTS, [], Use audit debugging module)
;;
no)
AC_MSG_RESULT(no)
;;
*)
AC_MSG_ERROR([Unknown audit module $withval])
;;
@ -947,19 +1128,87 @@ AC_ARG_WITH(audit,
)
dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS(\
arc4random __b64_ntop b64_ntop __b64_pton b64_pton bcopy \
bindresvport_sa clock closefrom dirfd fchdir fchmod fchown \
freeaddrinfo futimes getaddrinfo getcwd getgrouplist getnameinfo \
getopt getpeereid _getpty getrlimit getttyent glob inet_aton \
inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \
mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \
pstat prctl readpassphrase realpath recvmsg rresvport_af sendmsg \
setdtablesize setegid setenv seteuid setgroups setlogin setpcred \
setproctitle setregid setreuid setrlimit \
setsid setvbuf sigaction sigvec snprintf socketpair strerror \
strlcat strlcpy strmode strnvis strtoul sysconf tcgetpgrp \
truncate unsetenv updwtmpx utimes vhangup vsnprintf waitpid \
AC_CHECK_FUNCS( \
arc4random \
b64_ntop \
__b64_ntop \
b64_pton \
__b64_pton \
bcopy \
bindresvport_sa \
clock \
closefrom \
dirfd \
fchmod \
fchown \
freeaddrinfo \
futimes \
getaddrinfo \
getcwd \
getgrouplist \
getnameinfo \
getopt \
getpeereid \
_getpty \
getrlimit \
getttyent \
glob \
inet_aton \
inet_ntoa \
inet_ntop \
innetgr \
login_getcapbool \
md5_crypt \
memmove \
mkdtemp \
mmap \
ngetaddrinfo \
nsleep \
ogetaddrinfo \
openlog_r \
openpty \
prctl \
pstat \
readpassphrase \
realpath \
recvmsg \
rresvport_af \
sendmsg \
setdtablesize \
setegid \
setenv \
seteuid \
setgroups \
setlogin \
setpcred \
setproctitle \
setregid \
setreuid \
setrlimit \
setsid \
setvbuf \
sigaction \
sigvec \
snprintf \
socketpair \
strdup \
strerror \
strlcat \
strlcpy \
strmode \
strnvis \
strtonum \
strtoll \
strtoul \
sysconf \
tcgetpgrp \
truncate \
unsetenv \
updwtmpx \
utimes \
vhangup \
vsnprintf \
waitpid \
)
# IRIX has a const char return value for gai_strerror()
@ -980,8 +1229,15 @@ str = gai_strerror(0);],[
AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP))
dnl Make sure prototypes are defined for these before using them.
AC_CHECK_DECL(strsep, [AC_CHECK_FUNCS(strsep)])
AC_CHECK_DECL(getrusage, [AC_CHECK_FUNCS(getrusage)])
AC_CHECK_DECL(strsep,
[AC_CHECK_FUNCS(strsep)],
[],
[
#ifdef HAVE_STRING_H
# include <string.h>
#endif
])
dnl tcsendbreak might be a macro
AC_CHECK_DECL(tcsendbreak,
@ -1505,6 +1761,7 @@ if test "x$check_for_libcrypt_later" = "x1"; then
AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt")
fi
AC_CHECK_LIB(iaf, ia_openinfo)
### Configure cryptographic random number support
@ -2442,6 +2699,9 @@ int main()
AC_MSG_RESULT(no)])
])
AC_CHECK_FUNCS(_getshort _getlong)
AC_CHECK_DECLS([_getshort, _getlong], , ,
[#include <sys/types.h>
#include <arpa/nameser.h>])
AC_CHECK_MEMBER(HEADER.ad,
[AC_DEFINE(HAVE_HEADER_AD)],,
[#include <arpa/nameser.h>])
@ -2545,7 +2805,6 @@ AC_ARG_WITH(kerberos5,
LIBS="$LIBS $K5LIBS"
AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS))
AC_SEARCH_LIBS(krb5_init_ets, $K5LIBS, AC_DEFINE(KRB5_INIT_ETS))
]
)
@ -3184,6 +3443,10 @@ if test "$ac_cv_lib_pam_pam_set_item" = yes ; then
LIBS=`echo $LIBS | sed 's/-ldl //'`
fi
dnl Adding -Werror to CFLAGS early prevents configure tests from running.
dnl Add now.
CFLAGS="$CFLAGS $werror_flags"
AC_EXEEXT
AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openbsd-compat/Makefile \
scard/Makefile ssh_prng_cmds survey.sh])

4
crypto/openssh/hostfile.c
View File

@ -36,7 +36,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: hostfile.c,v 1.34 2005/03/10 22:01:05 deraadt Exp $");
RCSID("$OpenBSD: hostfile.c,v 1.35 2005/07/27 10:39:03 dtucker Exp $");
#include <resolv.h>
#include <openssl/hmac.h>
@ -315,7 +315,7 @@ add_host_to_hostfile(const char *filename, const char *host, const Key *key,
{
FILE *f;
int success = 0;
char *hashed_host;
char *hashed_host = NULL;
if (key == NULL)
return 1; /* XXX ? */

11
crypto/openssh/includes.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: includes.h,v 1.18 2004/06/13 15:03:02 djm Exp $ */
/* $OpenBSD: includes.h,v 1.19 2005/05/19 02:42:26 djm Exp $ */
/* $FreeBSD$ */
/*
@ -22,6 +22,7 @@ __RCSID(msg)
#include "config.h"
#include <stdarg.h>
#include <stdio.h>
#include <ctype.h>
#include <errno.h>
@ -169,6 +170,10 @@ __RCSID(msg)
# include <ia.h>
#endif
#ifdef HAVE_IAF_H
# include <iaf.h>
#endif
#ifdef HAVE_TMPDIR_H
# include <tmpdir.h>
#endif
@ -182,6 +187,10 @@ __RCSID(msg)
# include <kafs.h>
#endif
#if defined(HAVE_SYS_SYSLOG_H)
# include <sys/syslog.h>
#endif
/*
* On HP-UX 11.11, shadow.h and prot.h provide conflicting declarations
* of getspnam when _INCLUDE__STDC__ is defined, so we unset it here.

4
crypto/openssh/key.c
View File

@ -32,7 +32,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
RCSID("$OpenBSD: key.c,v 1.57 2004/10/29 23:57:05 djm Exp $");
RCSID("$OpenBSD: key.c,v 1.58 2005/06/17 02:44:32 djm Exp $");
#include <openssl/evp.h>
@ -231,7 +231,7 @@ static char *
key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
{
char *retval;
int i;
u_int i;
retval = xmalloc(dgst_raw_len * 3 + 1);
retval[0] = '\0';

39
crypto/openssh/loginrec.c
View File

@ -165,7 +165,7 @@
# include <libutil.h>
#endif
RCSID("$Id: loginrec.c,v 1.67 2005/02/15 11:19:28 dtucker Exp $");
RCSID("$Id: loginrec.c,v 1.70 2005/07/17 07:26:44 djm Exp $");
RCSID("$FreeBSD$");
/**
@ -363,7 +363,7 @@ login_init_entry(struct logininfo *li, int pid, const char *username,
strlcpy(li->username, username, sizeof(li->username));
pw = getpwnam(li->username);
if (pw == NULL) {
fatal("%s: Cannot find user \"%s\"", __func__,
fatal("%s: Cannot find user \"%s\"", __func__,
li->username);
}
li->uid = pw->pw_uid;
@ -375,7 +375,7 @@ login_init_entry(struct logininfo *li, int pid, const char *username,
return (1);
}
/*
/*
* login_set_current_time(struct logininfo *) - set the current time
*
* Set the current time in a logininfo structure. This function is
@ -444,8 +444,9 @@ login_write(struct logininfo *li)
wtmpx_write_entry(li);
#endif
#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
if (li->type == LTYPE_LOGIN &&
!sys_auth_record_login(li->username,li->hostname,li->line, &loginmsg))
if (li->type == LTYPE_LOGIN &&
!sys_auth_record_login(li->username,li->hostname,li->line,
&loginmsg))
logit("Writing login record failed for %s", li->username);
#endif
#ifdef SSH_AUDIT_EVENTS
@ -535,7 +536,7 @@ getlast_entry(struct logininfo *li)
* sure dst has enough space, if not just copy src (ugh)
*/
char *
line_fullname(char *dst, const char *src, int dstsize)
line_fullname(char *dst, const char *src, u_int dstsize)
{
memset(dst, '\0', dstsize);
if ((strncmp(src, "/dev/", 5) == 0) || (dstsize < (strlen(src) + 5)))
@ -559,7 +560,7 @@ line_stripname(char *dst, const char *src, int dstsize)
return (dst);
}
/*
/*
* line_abbrevname(): Return the abbreviated (usually four-character)
* form of the line (Just use the last <dstsize> characters of the
* full name.)
@ -809,7 +810,7 @@ utmp_write_library(struct logininfo *li, struct utmp *ut)
}
# else /* UTMP_USE_LIBRARY */
/*
/*
* Write a utmp entry direct to the file
* This is a slightly modification of code in OpenBSD's login.c
*/
@ -853,7 +854,7 @@ utmp_write_direct(struct logininfo *li, struct utmp *ut)
return (0);
}
if (ret != pos) {
logit("%s: Couldn't seek to tty %d slot in %s",
logit("%s: Couldn't seek to tty %d slot in %s",
__func__, tty, UTMP_FILE);
return (0);
}
@ -1053,7 +1054,7 @@ utmpx_write_entry(struct logininfo *li)
#ifdef USE_WTMP
/*
/*
* Write a wtmp entry direct to the end of the file
* This is a slight modification of code in OpenBSD's logwtmp.c
*/
@ -1114,7 +1115,7 @@ wtmp_write_entry(struct logininfo *li)
}
/*
/*
* Notes on fetching login data from wtmp/wtmpx
*
* Logouts are usually recorded with (amongst other things) a blank
@ -1158,12 +1159,12 @@ wtmp_get_entry(struct logininfo *li)
li->tv_sec = li->tv_usec = 0;
if ((fd = open(WTMP_FILE, O_RDONLY)) < 0) {
logit("%s: problem opening %s: %s", __func__,
logit("%s: problem opening %s: %s", __func__,
WTMP_FILE, strerror(errno));
return (0);
}
if (fstat(fd, &st) != 0) {
logit("%s: couldn't stat %s: %s", __func__,
logit("%s: couldn't stat %s: %s", __func__,
WTMP_FILE, strerror(errno));
close(fd);
return (0);
@ -1178,7 +1179,7 @@ wtmp_get_entry(struct logininfo *li)
while (!found) {
if (atomicio(read, fd, &ut, sizeof(ut)) != sizeof(ut)) {
logit("%s: read of %s failed: %s", __func__,
logit("%s: read of %s failed: %s", __func__,
WTMP_FILE, strerror(errno));
close (fd);
return (0);
@ -1236,7 +1237,7 @@ wtmpx_write(struct logininfo *li, struct utmpx *utx)
int fd, ret = 1;
if ((fd = open(WTMPX_FILE, O_WRONLY|O_APPEND, 0)) < 0) {
logit("%s: problem opening %s: %s", __func__,
logit("%s: problem opening %s: %s", __func__,
WTMPX_FILE, strerror(errno));
return (0);
}
@ -1323,12 +1324,12 @@ wtmpx_get_entry(struct logininfo *li)
li->tv_sec = li->tv_usec = 0;
if ((fd = open(WTMPX_FILE, O_RDONLY)) < 0) {
logit("%s: problem opening %s: %s", __func__,
logit("%s: problem opening %s: %s", __func__,
WTMPX_FILE, strerror(errno));
return (0);
}
if (fstat(fd, &st) != 0) {
logit("%s: couldn't stat %s: %s", __func__,
logit("%s: couldn't stat %s: %s", __func__,
WTMPX_FILE, strerror(errno));
close(fd);
return (0);
@ -1343,13 +1344,13 @@ wtmpx_get_entry(struct logininfo *li)
while (!found) {
if (atomicio(read, fd, &utx, sizeof(utx)) != sizeof(utx)) {
logit("%s: read of %s failed: %s", __func__,
logit("%s: read of %s failed: %s", __func__,
WTMPX_FILE, strerror(errno));
close (fd);
return (0);
}
/*
* Logouts are recorded as a blank username on a particular
* Logouts are recorded as a blank username on a particular
* line. So, we just need to find the username in struct utmpx
*/
if (wtmpx_islogin(li, &utx)) {

8
crypto/openssh/monitor.c
View File

@ -878,8 +878,8 @@ int
mm_answer_pam_query(int sock, Buffer *m)
{
char *name, *info, **prompts;
u_int num, *echo_on;
int i, ret;
u_int i, num, *echo_on;
int ret;
debug3("%s", __func__);
sshpam_authok = NULL;
@ -912,8 +912,8 @@ int
mm_answer_pam_respond(int sock, Buffer *m)
{
char **resp;
u_int num;
int i, ret;
u_int i, num;
int ret;
debug3("%s", __func__);
sshpam_authok = NULL;

25
crypto/openssh/monitor_wrap.c
View File

@ -25,7 +25,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: monitor_wrap.c,v 1.39 2004/07/17 05:31:41 dtucker Exp $");
RCSID("$OpenBSD: monitor_wrap.c,v 1.40 2005/05/24 17:32:43 avsm Exp $");
RCSID("$FreeBSD$");
#include <openssl/bn.h>
@ -96,9 +96,9 @@ mm_request_send(int sock, enum monitor_reqtype type, Buffer *m)
PUT_32BIT(buf, mlen + 1);
buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */
if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf))
fatal("%s: write", __func__);
fatal("%s: write: %s", __func__, strerror(errno));
if (atomicio(vwrite, sock, buffer_ptr(m), mlen) != mlen)
fatal("%s: write", __func__);
fatal("%s: write: %s", __func__, strerror(errno));
}
void
@ -106,24 +106,21 @@ mm_request_receive(int sock, Buffer *m)
{
u_char buf[4];
u_int msg_len;
ssize_t res;
debug3("%s entering", __func__);
res = atomicio(read, sock, buf, sizeof(buf));
if (res != sizeof(buf)) {
if (res == 0)
if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) {
if (errno == EPIPE)
cleanup_exit(255);
fatal("%s: read: %ld", __func__, (long)res);
fatal("%s: read: %s", __func__, strerror(errno));
}
msg_len = GET_32BIT(buf);
if (msg_len > 256 * 1024)
fatal("%s: read: bad msg_len %d", __func__, msg_len);
buffer_clear(m);
buffer_append_space(m, msg_len);
res = atomicio(read, sock, buffer_ptr(m), msg_len);
if (res != msg_len)
fatal("%s: read: %ld != msg_len", __func__, (long)res);
if (atomicio(read, sock, buffer_ptr(m), msg_len) != msg_len)
fatal("%s: read: %s", __func__, strerror(errno));
}
void
@ -768,7 +765,8 @@ mm_sshpam_query(void *ctx, char **name, char **info,
u_int *num, char ***prompts, u_int **echo_on)
{
Buffer m;
int i, ret;
u_int i;
int ret;
debug3("%s", __func__);
buffer_init(&m);
@ -794,7 +792,8 @@ int
mm_sshpam_respond(void *ctx, u_int num, char **resp)
{
Buffer m;
int i, ret;
u_int i;
int ret;
debug3("%s", __func__);
buffer_init(&m);

46
crypto/openssh/mpaux.c
View File

@ -1,46 +0,0 @@
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
* This file contains various auxiliary functions related to multiple
* precision integers.
*
* As far as I am concerned, the code I have written for this software
* can be used freely for any purpose. Any derived versions of this
* software must be clearly marked as such, and if the derived work is
* incompatible with the protocol description in the RFC file, it must be
* called by a name other than "ssh" or "Secure Shell".
*/
#include "includes.h"
RCSID("$OpenBSD: mpaux.c,v 1.16 2001/02/08 19:30:52 itojun Exp $");
#include <openssl/bn.h>
#include "getput.h"
#include "xmalloc.h"
#include <openssl/md5.h>
#include "mpaux.h"
void
compute_session_id(u_char session_id[16],
u_char cookie[8],
BIGNUM* host_key_n,
BIGNUM* session_key_n)
{
u_int host_key_bytes = BN_num_bytes(host_key_n);
u_int session_key_bytes = BN_num_bytes(session_key_n);
u_int bytes = host_key_bytes + session_key_bytes;
u_char *buf = xmalloc(bytes);
MD5_CTX md;
BN_bn2bin(host_key_n, buf);
BN_bn2bin(session_key_n, buf + host_key_bytes);
MD5_Init(&md);
MD5_Update(&md, buf, bytes);
MD5_Update(&md, cookie, 8);
MD5_Final(session_id, &md);
memset(buf, 0, bytes);
xfree(buf);
}

22
crypto/openssh/mpaux.h
View File

@ -1,22 +0,0 @@
/* $OpenBSD: mpaux.h,v 1.12 2002/03/04 17:27:39 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
* This file contains various auxiliary functions related to multiple
* precision integers.
*
* As far as I am concerned, the code I have written for this software
* can be used freely for any purpose. Any derived versions of this
* software must be clearly marked as such, and if the derived work is
* incompatible with the protocol description in the RFC file, it must be
* called by a name other than "ssh" or "Secure Shell".
*/
#ifndef MPAUX_H
#define MPAUX_H
void compute_session_id(u_char[16], u_char[8], BIGNUM *, BIGNUM *);
#endif /* MPAUX_H */

7
crypto/openssh/myproposal.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: myproposal.h,v 1.16 2004/06/13 12:53:24 djm Exp $ */
/* $OpenBSD: myproposal.h,v 1.18 2005/07/25 11:59:39 markus Exp $ */
/* $FreeBSD$ */
/*
@ -29,14 +29,15 @@
"diffie-hellman-group1-sha1"
#define KEX_DEFAULT_PK_ALG "ssh-dss,ssh-rsa"
#define KEX_DEFAULT_ENCRYPT \
"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \
"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
"arcfour128,arcfour256,arcfour," \
"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
"aes128-ctr,aes192-ctr,aes256-ctr"
#define KEX_DEFAULT_MAC \
"hmac-md5,hmac-sha1,hmac-ripemd160," \
"hmac-ripemd160@openssh.com," \
"hmac-sha1-96,hmac-md5-96"
#define KEX_DEFAULT_COMP "none,zlib"
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
#define KEX_DEFAULT_LANG ""

16
crypto/openssh/openbsd-compat/fake-rfc2553.h
View File

@ -1,4 +1,4 @@
/* $Id: fake-rfc2553.h,v 1.10 2005/02/11 07:32:13 dtucker Exp $ */
/* $Id: fake-rfc2553.h,v 1.12 2005/08/03 05:36:21 dtucker Exp $ */
/* $FreeBSD$ */
/*
@ -114,11 +114,17 @@ struct sockaddr_in6 {
# define NI_MAXHOST 1025
#endif /* !NI_MAXHOST */
#ifndef EAI_NODATA
# define EAI_NODATA (INT_MAX - 1)
#endif
#ifndef EAI_MEMORY
# define EAI_MEMORY (INT_MAX - 2)
#endif
#ifndef EAI_NONAME
# define EAI_NODATA 1
# define EAI_MEMORY 2
# define EAI_NONAME 3
# define EAI_SYSTEM 4
# define EAI_NONAME (INT_MAX - 3)
#endif
#ifndef EAI_SYSTEM
# define EAI_SYSTEM (INT_MAX - 4)
#endif
#ifndef HAVE_STRUCT_ADDRINFO

6
crypto/openssh/packet.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: packet.h,v 1.41 2004/05/11 19:01:43 deraadt Exp $ */
/* $OpenBSD: packet.h,v 1.43 2005/07/25 11:59:40 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -30,6 +30,8 @@ u_int packet_get_protocol_flags(void);
void packet_start_compression(int);
void packet_set_interactive(int);
int packet_is_interactive(void);
void packet_set_server(void);
void packet_set_authenticated(void);
void packet_start(u_char);
void packet_put_char(int ch);
@ -52,7 +54,7 @@ u_int packet_get_char(void);
u_int packet_get_int(void);
void packet_get_bignum(BIGNUM * value);
void packet_get_bignum2(BIGNUM * value);
void *packet_get_raw(int *length_ptr);
void *packet_get_raw(u_int *length_ptr);
void *packet_get_string(u_int *length_ptr);
void packet_disconnect(const char *fmt,...) __attribute__((format(printf, 1, 2)));
void packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2)));

31
crypto/openssh/readconf.c
View File

@ -12,7 +12,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: readconf.c,v 1.139 2005/03/10 22:01:05 deraadt Exp $");
RCSID("$OpenBSD: readconf.c,v 1.143 2005/07/30 02:03:47 djm Exp $");
RCSID("$FreeBSD$");
#include "ssh.h"
@ -698,7 +698,7 @@ process_config_line(Options *options, const char *host,
fwd.listen_host = cleanhostname(fwd.listen_host);
} else {
fwd.listen_port = a2port(fwd.listen_host);
fwd.listen_host = "";
fwd.listen_host = NULL;
}
if (fwd.listen_port == 0)
fatal("%.200s line %d: Badly formatted port number.",
@ -746,6 +746,9 @@ process_config_line(Options *options, const char *host,
case oAddressFamily:
arg = strdelim(&s);
if (!arg || *arg == '\0')
fatal("%s line %d: missing address family.",
filename, linenum);
intptr = &options->address_family;
if (strcasecmp(arg, "inet") == 0)
value = AF_INET;
@ -796,7 +799,27 @@ process_config_line(Options *options, const char *host,
case oControlMaster:
intptr = &options->control_master;
goto parse_yesnoask;
arg = strdelim(&s);
if (!arg || *arg == '\0')
fatal("%.200s line %d: Missing ControlMaster argument.",
filename, linenum);
value = 0; /* To avoid compiler warning... */
if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
value = SSHCTL_MASTER_YES;
else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
value = SSHCTL_MASTER_NO;
else if (strcmp(arg, "auto") == 0)
value = SSHCTL_MASTER_AUTO;
else if (strcmp(arg, "ask") == 0)
value = SSHCTL_MASTER_ASK;
else if (strcmp(arg, "autoask") == 0)
value = SSHCTL_MASTER_AUTO_ASK;
else
fatal("%.200s line %d: Bad ControlMaster argument.",
filename, linenum);
if (*activep && *intptr == -1)
*intptr = value;
break;
case oHashKnownHosts:
intptr = &options->hash_known_hosts;
@ -826,7 +849,7 @@ process_config_line(Options *options, const char *host,
/* Check that there is no garbage at end of line. */
if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
filename, linenum, arg);
filename, linenum, arg);
}
return 0;
}

7
crypto/openssh/readconf.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: readconf.h,v 1.66 2005/03/01 10:40:27 djm Exp $ */
/* $OpenBSD: readconf.h,v 1.67 2005/06/08 11:25:09 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -116,6 +116,11 @@ typedef struct {
int hash_known_hosts;
} Options;
#define SSHCTL_MASTER_NO 0
#define SSHCTL_MASTER_YES 1
#define SSHCTL_MASTER_AUTO 2
#define SSHCTL_MASTER_ASK 3
#define SSHCTL_MASTER_AUTO_ASK 4
void initialize_options(Options *);
void fill_default_options(Options *);

42
crypto/openssh/scp.c
View File

@ -71,7 +71,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: scp.c,v 1.121 2005/04/02 12:41:16 djm Exp $");
RCSID("$OpenBSD: scp.c,v 1.125 2005/07/27 10:39:03 dtucker Exp $");
#include "xmalloc.h"
#include "atomicio.h"
@ -109,11 +109,13 @@ static void
killchild(int signo)
{
if (do_cmd_pid > 1) {
kill(do_cmd_pid, signo);
kill(do_cmd_pid, signo ? signo : SIGTERM);
waitpid(do_cmd_pid, NULL, 0);
}
_exit(1);
if (signo)
_exit(1);
exit(1);
}
/*
@ -184,7 +186,7 @@ do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc)
}
typedef struct {
int cnt;
size_t cnt;
char *buf;
} BUF;
@ -502,8 +504,9 @@ source(int argc, char **argv)
struct stat stb;
static BUF buffer;
BUF *bp;
off_t i, amt, result, statbytes;
int fd, haderr, indx;
off_t i, amt, statbytes;
size_t result;
int fd = -1, haderr, indx;
char *last, *name, buf[2048];
int len;
@ -578,14 +581,14 @@ next: (void) close(fd);
if (!haderr) {
result = atomicio(read, fd, bp->buf, amt);
if (result != amt)
haderr = result >= 0 ? EIO : errno;
haderr = errno;
}
if (haderr)
(void) atomicio(vwrite, remout, bp->buf, amt);
else {
result = atomicio(vwrite, remout, bp->buf, amt);
if (result != amt)
haderr = result >= 0 ? EIO : errno;
haderr = errno;
statbytes += result;
}
if (limit_rate)
@ -720,8 +723,9 @@ sink(int argc, char **argv)
YES, NO, DISPLAYED
} wrerr;
BUF *bp;
off_t i, j;
int amt, count, exists, first, mask, mode, ofd, omode;
off_t i;
size_t j, count;
int amt, exists, first, mask, mode, ofd, omode;
off_t size, statbytes;
int setimes, targisdir, wrerrno = 0;
char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
@ -748,7 +752,7 @@ sink(int argc, char **argv)
targisdir = 1;
for (first = 1;; first = 0) {
cp = buf;
if (atomicio(read, remin, cp, 1) <= 0)
if (atomicio(read, remin, cp, 1) != 1)
return;
if (*cp++ == '\n')
SCREWUP("unexpected <newline>");
@ -829,7 +833,7 @@ sink(int argc, char **argv)
}
if (targisdir) {
static char *namebuf;
static int cursize;
static size_t cursize;
size_t need;
need = strlen(targ) + strlen(cp) + 250;
@ -902,7 +906,7 @@ bad: run_err("%s: %s", np, strerror(errno));
count += amt;
do {
j = atomicio(read, remin, cp, amt);
if (j <= 0) {
if (j == 0) {
run_err("%s", j ? strerror(errno) :
"dropped connection");
exit(1);
@ -918,10 +922,10 @@ bad: run_err("%s: %s", np, strerror(errno));
if (count == bp->cnt) {
/* Keep reading so we stay sync'd up. */
if (wrerr == NO) {
j = atomicio(vwrite, ofd, bp->buf, count);
if (j != count) {
if (atomicio(vwrite, ofd, bp->buf,
count) != count) {
wrerr = YES;
wrerrno = j >= 0 ? EIO : errno;
wrerrno = errno;
}
}
count = 0;
@ -931,9 +935,9 @@ bad: run_err("%s: %s", np, strerror(errno));
if (showprogress)
stop_progress_meter();
if (count != 0 && wrerr == NO &&
(j = atomicio(vwrite, ofd, bp->buf, count)) != count) {
atomicio(vwrite, ofd, bp->buf, count) != count) {
wrerr = YES;
wrerrno = j >= 0 ? EIO : errno;
wrerrno = errno;
}
if (wrerr == NO && ftruncate(ofd, size) != 0) {
run_err("%s: truncate: %s", np, strerror(errno));
@ -1070,7 +1074,7 @@ verifydir(char *cp)
errno = ENOTDIR;
}
run_err("%s: %s", cp, strerror(errno));
exit(1);
killchild(0);
}
int

36
crypto/openssh/servconf.c
View File

@ -10,7 +10,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.140 2005/03/10 22:01:05 deraadt Exp $");
RCSID("$OpenBSD: servconf.c,v 1.144 2005/08/06 10:03:12 dtucker Exp $");
RCSID("$FreeBSD$");
#include "ssh.h"
@ -204,7 +204,7 @@ fill_default_server_options(ServerOptions *options)
if (options->use_login == -1)
options->use_login = 0;
if (options->compression == -1)
options->compression = 1;
options->compression = COMP_DELAYED;
if (options->allow_tcp_forwarding == -1)
options->allow_tcp_forwarding = 1;
if (options->gateway_ports == -1)
@ -403,7 +403,7 @@ parse_token(const char *cp, const char *filename,
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
int i;
u_int i;
if (options->num_ports == 0)
options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
@ -443,9 +443,10 @@ process_server_config_line(ServerOptions *options, char *line,
const char *filename, int linenum)
{
char *cp, **charptr, *arg, *p;
int *intptr, value, i, n;
int *intptr, value, n;
ServerOpCodes opcode;
u_short port;
u_int i;
cp = line;
arg = strdelim(&cp);
@ -521,6 +522,12 @@ process_server_config_line(ServerOptions *options, char *line,
if (arg == NULL || *arg == '\0')
fatal("%s line %d: missing address",
filename, linenum);
/* check for bare IPv6 address: no "[]" and 2 or more ":" */
if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
&& strchr(p+1, ':') != NULL) {
add_listen_addr(options, arg, 0);
break;
}
p = hpdelim(&arg);
if (p == NULL)
fatal("%s line %d: bad address:port usage",
@ -537,6 +544,9 @@ process_server_config_line(ServerOptions *options, char *line,
case sAddressFamily:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
fatal("%s line %d: missing address family.",
filename, linenum);
intptr = &options->address_family;
if (options->listen_addrs != NULL)
fatal("%s line %d: address family must be specified before "
@ -726,7 +736,23 @@ process_server_config_line(ServerOptions *options, char *line,
case sCompression:
intptr = &options->compression;
goto parse_flag;
arg = strdelim(&cp);
if (!arg || *arg == '\0')
fatal("%s line %d: missing yes/no/delayed "
"argument.", filename, linenum);
value = 0; /* silence compiler */
if (strcmp(arg, "delayed") == 0)
value = COMP_DELAYED;
else if (strcmp(arg, "yes") == 0)
value = COMP_ZLIB;
else if (strcmp(arg, "no") == 0)
value = COMP_NONE;
else
fatal("%s line %d: Bad yes/no/delayed "
"argument: %s", filename, linenum, arg);
if (*intptr == -1)
*intptr = value;
break;
case sGatewayPorts:
intptr = &options->gateway_ports;

6
crypto/openssh/serverloop.c
View File

@ -35,7 +35,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: serverloop.c,v 1.117 2004/08/11 21:43:05 avsm Exp $");
RCSID("$OpenBSD: serverloop.c,v 1.118 2005/07/17 07:17:55 djm Exp $");
#include "xmalloc.h"
#include "packet.h"
@ -865,7 +865,7 @@ server_request_direct_tcpip(void)
packet_check_eom();
debug("server_request_direct_tcpip: originator %s port %d, target %s port %d",
originator, originator_port, target, target_port);
originator, originator_port, target, target_port);
/* XXX check permission */
sock = channel_connect_to(target, target_port);
@ -983,7 +983,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
#ifndef NO_IPPORT_RESERVED_CONCEPT
|| (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)
#endif
) {
) {
success = 0;
packet_send_debug("Server has disabled port forwarding.");
} else {

133
crypto/openssh/session.c
View File

@ -33,7 +33,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: session.c,v 1.181 2004/12/23 17:35:48 markus Exp $");
RCSID("$OpenBSD: session.c,v 1.186 2005/07/25 11:59:40 markus Exp $");
RCSID("$FreeBSD$");
#include "ssh.h"
@ -57,6 +57,7 @@ RCSID("$FreeBSD$");
#include "serverloop.h"
#include "canohost.h"
#include "session.h"
#include "kex.h"
#include "monitor_wrap.h"
#if defined(KRB5) && defined(USE_AFS)
@ -197,11 +198,11 @@ auth_input_request_forwarding(struct passwd * pw)
static void
display_loginmsg(void)
{
if (buffer_len(&loginmsg) > 0) {
buffer_append(&loginmsg, "\0", 1);
printf("%s", (char *)buffer_ptr(&loginmsg));
buffer_clear(&loginmsg);
}
if (buffer_len(&loginmsg) > 0) {
buffer_append(&loginmsg, "\0", 1);
printf("%s", (char *)buffer_ptr(&loginmsg));
buffer_clear(&loginmsg);
}
}
void
@ -273,7 +274,7 @@ do_authenticated1(Authctxt *authctxt)
compression_level);
break;
}
if (!options.compression) {
if (options.compression == COMP_NONE) {
debug2("compression disabled");
break;
}
@ -965,7 +966,8 @@ read_etc_default_login(char ***env, u_int *envsize, uid_t uid)
}
#endif /* HAVE_ETC_DEFAULT_LOGIN */
void copy_environment(char **source, char ***env, u_int *envsize)
void
copy_environment(char **source, char ***env, u_int *envsize)
{
char *var_name, *var_val;
int i;
@ -1363,6 +1365,11 @@ do_setusercontext(struct passwd *pw)
# ifdef _AIX
aix_usrinfo(pw);
# endif /* _AIX */
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
if (set_id(pw->pw_name) != 0) {
exit(1);
}
#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
/* Permanently switch to the desired uid. */
permanently_set_uid(pw);
#endif
@ -1567,7 +1574,7 @@ do_child(Session *s, const char *command)
*/
if (options.kerberos_get_afs_token && k_hasafs() &&
(s->authctxt->krb5_ctx != NULL)) {
(s->authctxt->krb5_ctx != NULL)) {
char cell[64];
debug("Getting AFS token");
@ -1671,6 +1678,7 @@ session_new(void)
s->ttyfd = -1;
s->used = 1;
s->self = i;
s->x11_chanids = NULL;
debug("session_new: session %d", i);
return s;
}
@ -1743,6 +1751,29 @@ session_by_channel(int id)
return NULL;
}
static Session *
session_by_x11_channel(int id)
{
int i, j;
for (i = 0; i < MAX_SESSIONS; i++) {
Session *s = &sessions[i];
if (s->x11_chanids == NULL || !s->used)
continue;
for (j = 0; s->x11_chanids[j] != -1; j++) {
if (s->x11_chanids[j] == id) {
debug("session_by_x11_channel: session %d "
"channel %d", s->self, id);
return s;
}
}
}
debug("session_by_x11_channel: unknown channel %d", id);
session_dump();
return NULL;
}
static Session *
session_by_pid(pid_t pid)
{
@ -1838,7 +1869,7 @@ session_subsystem_req(Session *s)
u_int len;
int success = 0;
char *cmd, *subsys = packet_get_string(&len);
int i;
u_int i;
packet_check_eom();
logit("subsystem request for %.100s", subsys);
@ -1872,6 +1903,11 @@ session_x11_req(Session *s)
{
int success;
if (s->auth_proto != NULL || s->auth_data != NULL) {
error("session_x11_req: session %d: "
"x11 fowarding already active", s->self);
return 0;
}
s->single_connection = packet_get_char();
s->auth_proto = packet_get_string(NULL);
s->auth_data = packet_get_string(NULL);
@ -2096,10 +2132,67 @@ sig2name(int sig)
return "SIG@openssh.com";
}
static void
session_close_x11(int id)
{
Channel *c;
if ((c = channel_lookup(id)) == NULL) {
debug("session_close_x11: x11 channel %d missing", id);
} else {
/* Detach X11 listener */
debug("session_close_x11: detach x11 channel %d", id);
channel_cancel_cleanup(id);
if (c->ostate != CHAN_OUTPUT_CLOSED)
chan_mark_dead(c);
}
}
static void
session_close_single_x11(int id, void *arg)
{
Session *s;
u_int i;
debug3("session_close_single_x11: channel %d", id);
channel_cancel_cleanup(id);
if ((s = session_by_x11_channel(id)) == NULL)
fatal("session_close_single_x11: no x11 channel %d", id);
for (i = 0; s->x11_chanids[i] != -1; i++) {
debug("session_close_single_x11: session %d: "
"closing channel %d", s->self, s->x11_chanids[i]);
/*
* The channel "id" is already closing, but make sure we
* close all of its siblings.
*/
if (s->x11_chanids[i] != id)
session_close_x11(s->x11_chanids[i]);
}
xfree(s->x11_chanids);
s->x11_chanids = NULL;
if (s->display) {
xfree(s->display);
s->display = NULL;
}
if (s->auth_proto) {
xfree(s->auth_proto);
s->auth_proto = NULL;
}
if (s->auth_data) {
xfree(s->auth_data);
s->auth_data = NULL;
}
if (s->auth_display) {
xfree(s->auth_display);
s->auth_display = NULL;
}
}
static void
session_exit_message(Session *s, int status)
{
Channel *c;
u_int i;
if ((c = channel_lookup(s->chanid)) == NULL)
fatal("session_exit_message: session %d: no channel %d",
@ -2139,12 +2232,20 @@ session_exit_message(Session *s, int status)
if (c->ostate != CHAN_OUTPUT_CLOSED)
chan_write_failed(c);
s->chanid = -1;
/* Close any X11 listeners associated with this session */
if (s->x11_chanids != NULL) {
for (i = 0; s->x11_chanids[i] != -1; i++) {
session_close_x11(s->x11_chanids[i]);
s->x11_chanids[i] = -1;
}
}
}
void
session_close(Session *s)
{
int i;
u_int i;
debug("session_close: session %d pid %ld", s->self, (long)s->pid);
if (s->ttyfd != -1)
@ -2153,6 +2254,8 @@ session_close(Session *s)
xfree(s->term);
if (s->display)
xfree(s->display);
if (s->x11_chanids)
xfree(s->x11_chanids);
if (s->auth_display)
xfree(s->auth_display);
if (s->auth_data)
@ -2191,6 +2294,7 @@ void
session_close_by_channel(int id, void *arg)
{
Session *s = session_by_channel(id);
if (s == NULL) {
debug("session_close_by_channel: no session for id %d", id);
return;
@ -2271,6 +2375,7 @@ session_setup_x11fwd(Session *s)
struct stat st;
char display[512], auth_display[512];
char hostname[MAXHOSTNAMELEN];
u_int i;
if (no_x11_forwarding_flag) {
packet_send_debug("X11 forwarding disabled in user configuration file.");
@ -2296,10 +2401,14 @@ session_setup_x11fwd(Session *s)
}
if (x11_create_display_inet(options.x11_display_offset,
options.x11_use_localhost, s->single_connection,
&s->display_number) == -1) {
&s->display_number, &s->x11_chanids) == -1) {
debug("x11_create_display_inet failed.");
return 0;
}
for (i = 0; s->x11_chanids[i] != -1; i++) {
channel_register_cleanup(s->x11_chanids[i],
session_close_single_x11);
}
/* Set up a suitable value for the DISPLAY variable. */
if (gethostname(hostname, sizeof(hostname)) < 0)

5
crypto/openssh/session.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: session.h,v 1.23 2004/07/17 05:31:41 dtucker Exp $ */
/* $OpenBSD: session.h,v 1.25 2005/07/17 06:49:04 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@ -49,8 +49,9 @@ struct Session {
int single_connection;
/* proto 2 */
int chanid;
int *x11_chanids;
int is_subsystem;
int num_env;
u_int num_env;
struct {
char *name;
char *val;

4
crypto/openssh/ssh-add.c
View File

@ -35,7 +35,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: ssh-add.c,v 1.71 2005/03/10 22:01:06 deraadt Exp $");
RCSID("$OpenBSD: ssh-add.c,v 1.72 2005/07/17 07:17:55 djm Exp $");
#include <openssl/evp.h>
@ -145,7 +145,7 @@ add_file(AuthenticationConnection *ac, const char *filename)
/* clear passphrase since it did not work */
clear_pass();
snprintf(msg, sizeof msg, "Enter passphrase for %.200s: ",
comment);
comment);
for (;;) {
pass = read_passphrase(msg, RP_ALLOW_STDIN);
if (strcmp(pass, "") == 0) {

34
crypto/openssh/ssh-keyscan.c
View File

@ -7,7 +7,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: ssh-keyscan.c,v 1.52 2005/03/01 15:47:14 jmc Exp $");
RCSID("$OpenBSD: ssh-keyscan.c,v 1.55 2005/06/17 02:44:33 djm Exp $");
#include "openbsd-compat/sys-queue.h"
@ -166,7 +166,7 @@ Linebuf_lineno(Linebuf * lb)
static char *
Linebuf_getline(Linebuf * lb)
{
int n = 0;
size_t n = 0;
void *p;
lb->lineno++;
@ -493,7 +493,7 @@ conrecycle(int s)
static void
congreet(int s)
{
int remote_major = 0, remote_minor = 0, n = 0;
int n = 0, remote_major = 0, remote_minor = 0;
char buf[256], *cp;
char remote_version[sizeof buf];
size_t bufsiz;
@ -506,14 +506,17 @@ congreet(int s)
*cp = '\n';
cp++;
}
if (n < 0) {
if (errno != ECONNREFUSED)
error("read (%s): %s", c->c_name, strerror(errno));
conrecycle(s);
return;
}
if (n == 0) {
error("%s: Connection closed by remote host", c->c_name);
switch (errno) {
case EPIPE:
error("%s: Connection closed by remote host", c->c_name);
break;
case ECONNREFUSED:
break;
default:
error("read (%s): %s", c->c_name, strerror(errno));
break;
}
conrecycle(s);
return;
}
@ -543,7 +546,12 @@ congreet(int s)
n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n",
c->c_keytype == KT_RSA1? PROTOCOL_MAJOR_1 : PROTOCOL_MAJOR_2,
c->c_keytype == KT_RSA1? PROTOCOL_MINOR_1 : PROTOCOL_MINOR_2);
if (atomicio(vwrite, s, buf, n) != n) {
if (n < 0 || (size_t)n >= sizeof(buf)) {
error("snprintf: buffer too small");
confree(s);
return;
}
if (atomicio(vwrite, s, buf, n) != (size_t)n) {
error("write (%s): %s", c->c_name, strerror(errno));
confree(s);
return;
@ -561,14 +569,14 @@ static void
conread(int s)
{
con *c = &fdcon[s];
int n;
size_t n;
if (c->c_status == CS_CON) {
congreet(s);
return;
}
n = atomicio(read, s, c->c_data + c->c_off, c->c_len - c->c_off);
if (n < 0) {
if (n == 0) {
error("read (%s): %s", c->c_name, strerror(errno));
confree(s);
return;

99
crypto/openssh/ssh.1
View File

@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh.1,v 1.194 2004/08/12 21:41:13 jakob Exp $
.\" $OpenBSD: ssh.1,v 1.209 2005/07/06 09:33:05 dtucker Exp $
.\" $FreeBSD$
.Dd September 25, 1999
.Dt SSH 1
@ -126,17 +126,24 @@ The second authentication method is the
or
.Em hosts.equiv
method combined with RSA-based host authentication.
It means that if the login would be permitted by
.Pa $HOME/.rhosts ,
.Pa $HOME/.shosts ,
.Pa /etc/hosts.equiv ,
If the machine the user logs in from is listed in
.Pa /etc/hosts.equiv
or
.Pa /etc/ssh/shosts.equiv ,
and if additionally the server can verify the client's
.Pa /etc/shosts.equiv
on the remote machine, and the user names are
the same on both sides, or if the files
.Pa ~/.rhosts
or
.Pa ~/.shosts
exist in the user's home directory on the
remote machine and contain a line containing the name of the client
machine and the name of the user on that machine, the user is
considered for log in.
Additionally, if the server can verify the client's
host key (see
.Pa /etc/ssh/ssh_known_hosts
and
.Pa $HOME/.ssh/known_hosts
.Pa ~/.ssh/known_hosts
in the
.Sx FILES
section), only then is login permitted.
@ -144,7 +151,7 @@ This authentication method closes security holes due to IP
spoofing, DNS spoofing and routing spoofing.
[Note to the administrator:
.Pa /etc/hosts.equiv ,
.Pa $HOME/.rhosts ,
.Pa ~/.rhosts ,
and the rlogin/rsh protocol in general, are inherently insecure and should be
disabled if security is desired.]
.Pp
@ -160,7 +167,7 @@ key pair for authentication purposes.
The server knows the public key, and only the user knows the private key.
.Pp
The file
.Pa $HOME/.ssh/authorized_keys
.Pa ~/.ssh/authorized_keys
lists the public keys that are permitted for logging in.
When the user logs in, the
.Nm
@ -181,18 +188,18 @@ implements the RSA authentication protocol automatically.
The user creates his/her RSA key pair by running
.Xr ssh-keygen 1 .
This stores the private key in
.Pa $HOME/.ssh/identity
.Pa ~/.ssh/identity
and stores the public key in
.Pa $HOME/.ssh/identity.pub
.Pa ~/.ssh/identity.pub
in the user's home directory.
The user should then copy the
.Pa identity.pub
to
.Pa $HOME/.ssh/authorized_keys
.Pa ~/.ssh/authorized_keys
in his/her home directory on the remote machine (the
.Pa authorized_keys
file corresponds to the conventional
.Pa $HOME/.rhosts
.Pa ~/.rhosts
file, and has one key
per line, though the lines can be very long).
After this, the user can log in without giving the password.
@ -225,12 +232,12 @@ password authentication are tried.
The public key method is similar to RSA authentication described
in the previous section and allows the RSA or DSA algorithm to be used:
The client uses his private key,
.Pa $HOME/.ssh/id_dsa
.Pa ~/.ssh/id_dsa
or
.Pa $HOME/.ssh/id_rsa ,
.Pa ~/.ssh/id_rsa ,
to sign the session identifier and sends the result to the server.
The server checks whether the matching public key is listed in
.Pa $HOME/.ssh/authorized_keys
.Pa ~/.ssh/authorized_keys
and grants access if both the key is found and the signature is correct.
The session identifier is derived from a shared Diffie-Hellman value
and is only known to the client and the server.
@ -384,7 +391,7 @@ electronic purse; another is going through firewalls.
automatically maintains and checks a database containing
identifications for all hosts it has ever been used with.
Host keys are stored in
.Pa $HOME/.ssh/known_hosts
.Pa ~/.ssh/known_hosts
in the user's home directory.
Additionally, the file
.Pa /etc/ssh/ssh_known_hosts
@ -442,8 +449,11 @@ authenticate using the identities loaded into the agent.
.It Fl a
Disables forwarding of the authentication agent connection.
.It Fl b Ar bind_address
Specify the interface to transmit from on machines with multiple
interfaces or aliased addresses.
Use
.Ar bind_address
on the local machine as the source address
of the connection.
Only useful on systems with more than one address.
.It Fl C
Requests compression of all data (including stdin, stdout, stderr, and
data for forwarded X11 and TCP/IP connections).
@ -498,14 +508,17 @@ The supported ciphers are
.Dq aes128-ctr ,
.Dq aes192-ctr ,
.Dq aes256-ctr ,
.Dq arcfour128 ,
.Dq arcfour256 ,
.Dq arcfour ,
.Dq blowfish-cbc ,
and
.Dq cast128-cbc .
The default is
.Bd -literal
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
aes192-cbc,aes256-cbc''
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
aes192-ctr,aes256-ctr''
.Ed
.It Fl D Ar port
Specifies a local
@ -541,7 +554,7 @@ the system-wide configuration file
.Pq Pa /etc/ssh/ssh_config
will be ignored.
The default for the per-user configuration file is
.Pa $HOME/.ssh/config .
.Pa ~/.ssh/config .
.It Fl f
Requests
.Nm
@ -567,11 +580,11 @@ private RSA key.
Selects a file from which the identity (private key) for
RSA or DSA authentication is read.
The default is
.Pa $HOME/.ssh/identity
.Pa ~/.ssh/identity
for protocol version 1, and
.Pa $HOME/.ssh/id_rsa
.Pa ~/.ssh/id_rsa
and
.Pa $HOME/.ssh/id_dsa
.Pa ~/.ssh/id_dsa
for protocol version 2.
Identity files may also be specified on
a per-host basis in the configuration file.
@ -894,7 +907,7 @@ Set to the name of the user logging in.
Additionally,
.Nm
reads
.Pa $HOME/.ssh/environment ,
.Pa ~/.ssh/environment ,
and adds lines of the format
.Dq VARNAME=value
to the environment if the file exists and if users are allowed to
@ -905,13 +918,13 @@ option in
.Xr sshd_config 5 .
.Sh FILES
.Bl -tag -width Ds
.It Pa $HOME/.ssh/known_hosts
.It Pa ~/.ssh/known_hosts
Records host keys for all hosts the user has logged into that are not
in
.Pa /etc/ssh/ssh_known_hosts .
See
.Xr sshd 8 .
.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa
.It Pa ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa
Contains the authentication identity of the user.
They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively.
These files
@ -923,21 +936,21 @@ ignores a private key file if it is accessible by others.
It is possible to specify a passphrase when
generating the key; the passphrase will be used to encrypt the
sensitive part of this file using 3DES.
.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub
.It Pa ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub
Contains the public key for authentication (public part of the
identity file in human-readable form).
The contents of the
.Pa $HOME/.ssh/identity.pub
.Pa ~/.ssh/identity.pub
file should be added to the file
.Pa $HOME/.ssh/authorized_keys
.Pa ~/.ssh/authorized_keys
on all machines
where the user wishes to log in using protocol version 1 RSA authentication.
The contents of the
.Pa $HOME/.ssh/id_dsa.pub
.Pa ~/.ssh/id_dsa.pub
and
.Pa $HOME/.ssh/id_rsa.pub
.Pa ~/.ssh/id_rsa.pub
file should be added to
.Pa $HOME/.ssh/authorized_keys
.Pa ~/.ssh/authorized_keys
on all machines
where the user wishes to log in using protocol version 2 DSA/RSA authentication.
These files are not
@ -945,13 +958,13 @@ sensitive and can (but need not) be readable by anyone.
These files are
never used automatically and are not necessary; they are only provided for
the convenience of the user.
.It Pa $HOME/.ssh/config
.It Pa ~/.ssh/config
This is the per-user configuration file.
The file format and configuration options are described in
.Xr ssh_config 5 .
Because of the potential for abuse, this file must have strict permissions:
read/write for the user, and not accessible by others.
.It Pa $HOME/.ssh/authorized_keys
.It Pa ~/.ssh/authorized_keys
Lists the public keys (RSA/DSA) that can be used for logging in as this user.
The format of this file is described in the
.Xr sshd 8
@ -1011,7 +1024,7 @@ be setuid root when that authentication method is used.
By default
.Nm
is not setuid root.
.It Pa $HOME/.rhosts
.It Pa ~/.rhosts
This file is used in
.Em rhosts
authentication to list the
@ -1041,12 +1054,12 @@ authentication.
If the server machine does not have the client's host key in
.Pa /etc/ssh/ssh_known_hosts ,
it can be stored in
.Pa $HOME/.ssh/known_hosts .
.Pa ~/.ssh/known_hosts .
The easiest way to do this is to
connect back to the client from the server machine using ssh; this
will automatically add the host key to
.Pa $HOME/.ssh/known_hosts .
.It Pa $HOME/.shosts
.Pa ~/.ssh/known_hosts .
.It Pa ~/.shosts
This file is used exactly the same way as
.Pa .rhosts .
The purpose for
@ -1083,7 +1096,7 @@ when the user logs in just before the user's shell (or command) is started.
See the
.Xr sshd 8
manual page for more information.
.It Pa $HOME/.ssh/rc
.It Pa ~/.ssh/rc
Commands in this file are executed by
.Nm
when the user logs in just before the user's shell (or command) is
@ -1091,7 +1104,7 @@ started.
See the
.Xr sshd 8
manual page for more information.
.It Pa $HOME/.ssh/environment
.It Pa ~/.ssh/environment
Contains additional definitions for environment variables, see section
.Sx ENVIRONMENT
above.

232
crypto/openssh/ssh.c
View File

@ -40,7 +40,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: ssh.c,v 1.234 2005/03/10 22:01:06 deraadt Exp $");
RCSID("$OpenBSD: ssh.c,v 1.249 2005/07/30 01:26:16 djm Exp $");
RCSID("$FreeBSD$");
#include <openssl/evp.h>
@ -146,7 +146,7 @@ pid_t proxy_command_pid = 0;
int control_fd = -1;
/* Multiplexing control command */
static u_int mux_command = SSHMUX_COMMAND_OPEN;
static u_int mux_command = 0;
/* Only used in control client mode */
volatile sig_atomic_t control_client_terminate = 0;
@ -186,6 +186,7 @@ main(int ac, char **av)
int dummy;
extern int optind, optreset;
extern char *optarg;
struct servent *sp;
Forward fwd;
__progname = ssh_get_progname(av[0]);
@ -387,8 +388,10 @@ main(int ac, char **av)
}
break;
case 'M':
options.control_master =
(options.control_master >= 1) ? 2 : 1;
if (options.control_master == SSHCTL_MASTER_YES)
options.control_master = SSHCTL_MASTER_ASK;
else
options.control_master = SSHCTL_MASTER_YES;
break;
case 'p':
options.port = a2port(optarg);
@ -437,7 +440,7 @@ main(int ac, char **av)
fwd.listen_host = cleanhostname(fwd.listen_host);
} else {
fwd.listen_port = a2port(fwd.listen_host);
fwd.listen_host = "";
fwd.listen_host = NULL;
}
if (fwd.listen_port == 0) {
@ -551,7 +554,7 @@ main(int ac, char **av)
if (no_tty_flag)
tty_flag = 0;
/* Do not allocate a tty if stdin is not a tty. */
if (!isatty(fileno(stdin)) && !force_tty_flag) {
if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) {
if (tty_flag)
logit("Pseudo-terminal will not be allocated because stdin is not a terminal.");
tty_flag = 0;
@ -622,16 +625,31 @@ main(int ac, char **av)
*p = tolower(*p);
}
/* Get default port if port has not been set. */
if (options.port == 0) {
sp = getservbyname(SSH_SERVICE_NAME, "tcp");
options.port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT;
}
if (options.proxy_command != NULL &&
strcmp(options.proxy_command, "none") == 0)
options.proxy_command = NULL;
if (options.control_path != NULL &&
strcmp(options.control_path, "none") == 0)
options.control_path = NULL;
if (options.control_path != NULL) {
options.control_path = tilde_expand_filename(
options.control_path, original_real_uid);
snprintf(buf, sizeof(buf), "%d", options.port);
cp = tilde_expand_filename(options.control_path,
original_real_uid);
options.control_path = percent_expand(cp, "p", buf, "h", host,
"r", options.user, (char *)NULL);
xfree(cp);
}
if (options.control_path != NULL && options.control_master == 0)
control_client(options.control_path); /* This doesn't return */
if (mux_command != 0 && options.control_path == NULL)
fatal("No ControlPath specified for \"-O\" command");
if (options.control_path != NULL)
control_client(options.control_path);
/* Open a connection to the remote host. */
if (ssh_connect(host, &hostaddr, options.port,
@ -760,110 +778,6 @@ main(int ac, char **av)
return exit_status;
}
#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
static void
x11_get_proto(char **_proto, char **_data)
{
char cmd[1024];
char line[512];
char xdisplay[512];
static char proto[512], data[512];
FILE *f;
int got_data = 0, generated = 0, do_unlink = 0, i;
char *display, *xauthdir, *xauthfile;
struct stat st;
xauthdir = xauthfile = NULL;
*_proto = proto;
*_data = data;
proto[0] = data[0] = '\0';
if (!options.xauth_location ||
(stat(options.xauth_location, &st) == -1)) {
debug("No xauth program.");
} else {
if ((display = getenv("DISPLAY")) == NULL) {
debug("x11_get_proto: DISPLAY not set");
return;
}
/*
* Handle FamilyLocal case where $DISPLAY does
* not match an authorization entry. For this we
* just try "xauth list unix:displaynum.screennum".
* XXX: "localhost" match to determine FamilyLocal
* is not perfect.
*/
if (strncmp(display, "localhost:", 10) == 0) {
snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
display + 10);
display = xdisplay;
}
if (options.forward_x11_trusted == 0) {
xauthdir = xmalloc(MAXPATHLEN);
xauthfile = xmalloc(MAXPATHLEN);
strlcpy(xauthdir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN);
if (mkdtemp(xauthdir) != NULL) {
do_unlink = 1;
snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile",
xauthdir);
snprintf(cmd, sizeof(cmd),
"%s -f %s generate %s " SSH_X11_PROTO
" untrusted timeout 1200 2>" _PATH_DEVNULL,
options.xauth_location, xauthfile, display);
debug2("x11_get_proto: %s", cmd);
if (system(cmd) == 0)
generated = 1;
}
}
snprintf(cmd, sizeof(cmd),
"%s %s%s list %s . 2>" _PATH_DEVNULL,
options.xauth_location,
generated ? "-f " : "" ,
generated ? xauthfile : "",
display);
debug2("x11_get_proto: %s", cmd);
f = popen(cmd, "r");
if (f && fgets(line, sizeof(line), f) &&
sscanf(line, "%*s %511s %511s", proto, data) == 2)
got_data = 1;
if (f)
pclose(f);
}
if (do_unlink) {
unlink(xauthfile);
rmdir(xauthdir);
}
if (xauthdir)
xfree(xauthdir);
if (xauthfile)
xfree(xauthfile);
/*
* If we didn't get authentication data, just make up some
* data. The forwarding code will check the validity of the
* response anyway, and substitute this data. The X11
* server, however, will ignore this fake data and use
* whatever authentication mechanisms it was using otherwise
* for the local connection.
*/
if (!got_data) {
u_int32_t rnd = 0;
logit("Warning: No xauth data; "
"using fake authentication data for X11 forwarding.");
strlcpy(proto, SSH_X11_PROTO, sizeof proto);
for (i = 0; i < 16; i++) {
if (i % 4 == 0)
rnd = arc4random();
snprintf(data + 2 * i, sizeof data - 2 * i, "%02x",
rnd & 0xff);
rnd >>= 8;
}
}
}
static void
ssh_init_forwarding(void)
{
@ -894,8 +808,8 @@ ssh_init_forwarding(void)
for (i = 0; i < options.num_remote_forwards; i++) {
debug("Remote connections from %.200s:%d forwarded to "
"local address %.200s:%d",
(options.remote_forwards[i].listen_host == NULL) ?
(options.gateway_ports ? "*" : "LOCALHOST") :
(options.remote_forwards[i].listen_host == NULL) ?
(options.gateway_ports ? "*" : "LOCALHOST") :
options.remote_forwards[i].listen_host,
options.remote_forwards[i].listen_port,
options.remote_forwards[i].connect_host,
@ -926,6 +840,7 @@ ssh_session(void)
int have_tty = 0;
struct winsize ws;
char *cp;
const char *display;
/* Enable compression if requested. */
if (options.compression) {
@ -987,13 +902,15 @@ ssh_session(void)
packet_disconnect("Protocol error waiting for pty request response.");
}
/* Request X11 forwarding if enabled and DISPLAY is set. */
if (options.forward_x11 && getenv("DISPLAY") != NULL) {
display = getenv("DISPLAY");
if (options.forward_x11 && display != NULL) {
char *proto, *data;
/* Get reasonable local authentication information. */
x11_get_proto(&proto, &data);
client_x11_get_proto(display, options.xauth_location,
options.forward_x11_trusted, &proto, &data);
/* Request forwarding with authentication spoofing. */
debug("Requesting X11 forwarding with authentication spoofing.");
x11_request_forwarding_with_spoofing(0, proto, data);
x11_request_forwarding_with_spoofing(0, display, proto, data);
/* Read response from the server. */
type = packet_read();
@ -1095,9 +1012,12 @@ ssh_control_listener(void)
mode_t old_umask;
int addr_len;
if (options.control_path == NULL || options.control_master <= 0)
if (options.control_path == NULL ||
options.control_master == SSHCTL_MASTER_NO)
return;
debug("setting up multiplex master socket");
memset(&addr, '\0', sizeof(addr));
addr.sun_family = AF_UNIX;
addr_len = offsetof(struct sockaddr_un, sun_path) +
@ -1132,15 +1052,18 @@ static void
ssh_session2_setup(int id, void *arg)
{
extern char **environ;
const char *display;
int interactive = tty_flag;
if (options.forward_x11 && getenv("DISPLAY") != NULL) {
display = getenv("DISPLAY");
if (options.forward_x11 && display != NULL) {
char *proto, *data;
/* Get reasonable local authentication information. */
x11_get_proto(&proto, &data);
client_x11_get_proto(display, options.xauth_location,
options.forward_x11_trusted, &proto, &data);
/* Request forwarding with authentication spoofing. */
debug("Requesting X11 forwarding with authentication spoofing.");
x11_request_forwarding_with_spoofing(id, proto, data);
x11_request_forwarding_with_spoofing(id, display, proto, data);
interactive = 1;
/* XXX wait for reply */
}
@ -1308,13 +1231,18 @@ control_client(const char *path)
extern char **environ;
u_int flags;
if (stdin_null_flag) {
if ((fd = open(_PATH_DEVNULL, O_RDONLY)) == -1)
fatal("open(/dev/null): %s", strerror(errno));
if (dup2(fd, STDIN_FILENO) == -1)
fatal("dup2: %s", strerror(errno));
if (fd > STDERR_FILENO)
close(fd);
if (mux_command == 0)
mux_command = SSHMUX_COMMAND_OPEN;
switch (options.control_master) {
case SSHCTL_MASTER_AUTO:
case SSHCTL_MASTER_AUTO_ASK:
debug("auto-mux: Trying existing master");
/* FALLTHROUGH */
case SSHCTL_MASTER_NO:
break;
default:
return;
}
memset(&addr, '\0', sizeof(addr));
@ -1329,31 +1257,55 @@ control_client(const char *path)
if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
fatal("%s socket(): %s", __func__, strerror(errno));
if (connect(sock, (struct sockaddr*)&addr, addr_len) == -1)
fatal("Couldn't connect to %s: %s", path, strerror(errno));
if (connect(sock, (struct sockaddr*)&addr, addr_len) == -1) {
if (mux_command != SSHMUX_COMMAND_OPEN) {
fatal("Control socket connect(%.100s): %s", path,
strerror(errno));
}
if (errno == ENOENT)
debug("Control socket \"%.100s\" does not exist", path);
else {
error("Control socket connect(%.100s): %s", path,
strerror(errno));
}
close(sock);
return;
}
if ((term = getenv("TERM")) == NULL)
term = "";
if (stdin_null_flag) {
if ((fd = open(_PATH_DEVNULL, O_RDONLY)) == -1)
fatal("open(/dev/null): %s", strerror(errno));
if (dup2(fd, STDIN_FILENO) == -1)
fatal("dup2: %s", strerror(errno));
if (fd > STDERR_FILENO)
close(fd);
}
term = getenv("TERM");
flags = 0;
if (tty_flag)
flags |= SSHMUX_FLAG_TTY;
if (subsystem_flag)
flags |= SSHMUX_FLAG_SUBSYS;
if (options.forward_x11)
flags |= SSHMUX_FLAG_X11_FWD;
if (options.forward_agent)
flags |= SSHMUX_FLAG_AGENT_FWD;
buffer_init(&m);
/* Send our command to server */
buffer_put_int(&m, mux_command);
buffer_put_int(&m, flags);
if (ssh_msg_send(sock, /* version */1, &m) == -1)
if (ssh_msg_send(sock, SSHMUX_VER, &m) == -1)
fatal("%s: msg_send", __func__);
buffer_clear(&m);
/* Get authorisation status and PID of controlee */
if (ssh_msg_recv(sock, &m) == -1)
fatal("%s: msg_recv", __func__);
if (buffer_get_char(&m) != 1)
if (buffer_get_char(&m) != SSHMUX_VER)
fatal("%s: wrong version", __func__);
if (buffer_get_int(&m) != 1)
fatal("Connection to master denied");
@ -1377,7 +1329,7 @@ control_client(const char *path)
}
/* SSHMUX_COMMAND_OPEN */
buffer_put_cstring(&m, term);
buffer_put_cstring(&m, term ? term : "");
buffer_append(&command, "\0", 1);
buffer_put_cstring(&m, buffer_ptr(&command));
@ -1399,7 +1351,7 @@ control_client(const char *path)
}
}
if (ssh_msg_send(sock, /* version */1, &m) == -1)
if (ssh_msg_send(sock, SSHMUX_VER, &m) == -1)
fatal("%s: msg_send", __func__);
mm_send_fd(sock, STDIN_FILENO);
@ -1410,7 +1362,7 @@ control_client(const char *path)
buffer_clear(&m);
if (ssh_msg_recv(sock, &m) == -1)
fatal("%s: msg_recv", __func__);
if (buffer_get_char(&m) != 1)
if (buffer_get_char(&m) != SSHMUX_VER)
fatal("%s: wrong version", __func__);
buffer_free(&m);

2
crypto/openssh/ssh_config
View File

@ -38,4 +38,4 @@
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
# VersionAddendum FreeBSD-20050605
# VersionAddendum FreeBSD-20050903

84
crypto/openssh/ssh_config.5
View File

@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh_config.5,v 1.49 2005/03/16 11:10:38 jmc Exp $
.\" $OpenBSD: ssh_config.5,v 1.61 2005/07/08 12:53:10 jmc Exp $
.\" $FreeBSD$
.Dd September 25, 1999
.Dt SSH_CONFIG 5
@ -44,7 +44,7 @@
.Nd OpenSSH SSH client configuration files
.Sh SYNOPSIS
.Bl -tag -width Ds -compact
.It Pa $HOME/.ssh/config
.It Pa ~/.ssh/config
.It Pa /etc/ssh/ssh_config
.El
.Sh DESCRIPTION
@ -56,7 +56,7 @@ the following order:
command-line options
.It
user's configuration file
.Pq Pa $HOME/.ssh/config
.Pq Pa ~/.ssh/config
.It
system-wide configuration file
.Pq Pa /etc/ssh/ssh_config
@ -137,8 +137,9 @@ or
The default is
.Dq no .
.It Cm BindAddress
Specify the interface to transmit from on machines with multiple
interfaces or aliased addresses.
Use the specified address on the local machine as the source address of
the connection.
Only useful on systems with more than one address.
Note that this option does not work if
.Cm UsePrivilegedPort
is set to
@ -194,14 +195,17 @@ The supported ciphers are
.Dq aes128-ctr ,
.Dq aes192-ctr ,
.Dq aes256-ctr ,
.Dq arcfour128 ,
.Dq arcfour256 ,
.Dq arcfour ,
.Dq blowfish-cbc ,
and
.Dq cast128-cbc .
The default is
.Bd -literal
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
aes192-cbc,aes256-cbc''
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
aes192-ctr,aes256-ctr''
.Ed
.It Cm ClearAllForwardings
Specifies that all local, remote and dynamic port forwardings
@ -271,11 +275,47 @@ to listen for control connections, but require confirmation using the
program before they are accepted (see
.Xr ssh-add 1
for details).
If the
.Cm ControlPath
can not be opened,
.Nm ssh
will continue without connecting to a master instance.
.Pp
X11 and
.Xr ssh-agent 1
forwarding is supported over these multiplexed connections, however the
display and agent fowarded will be the one belonging to the master
connection i.e. it is not possible to forward multiple displays or agents.
.Pp
Two additional options allow for opportunistic multiplexing: try to use a
master connection but fall back to creating a new one if one does not already
exist.
These options are:
.Dq auto
and
.Dq autoask .
The latter requires confirmation like the
.Dq ask
option.
.It Cm ControlPath
Specify the path to the control socket used for connection sharing.
See
Specify the path to the control socket used for connection sharing as described
in the
.Cm ControlMaster
above.
section above or the string
.Dq none
to disable connection sharing.
In the path,
.Ql %h
will be substituted by the target host name,
.Ql %p
the port and
.Ql %r
by the remote login username.
It is recommended that any
.Cm ControlPath
used for opportunistic connection sharing include
all three of these escape sequences.
This ensures that shared connections are uniquely identified.
.It Cm DynamicForward
Specifies that a TCP/IP port on the local machine be forwarded
over the secure channel, and the application
@ -412,7 +452,7 @@ Note that this option applies to protocol version 2 only.
Indicates that
.Nm ssh
should hash host names and addresses when they are added to
.Pa $HOME/.ssh/known_hosts .
.Pa ~/.ssh/known_hosts .
These hashed names may be used normally by
.Nm ssh
and
@ -458,11 +498,11 @@ specifications).
Specifies a file from which the user's RSA or DSA authentication identity
is read.
The default is
.Pa $HOME/.ssh/identity
.Pa ~/.ssh/identity
for protocol version 1, and
.Pa $HOME/.ssh/id_rsa
.Pa ~/.ssh/id_rsa
and
.Pa $HOME/.ssh/id_dsa
.Pa ~/.ssh/id_dsa
for protocol version 2.
Additionally, any identities represented by the authentication agent
will be used for authentication.
@ -617,6 +657,14 @@ Note that
.Cm CheckHostIP
is not available for connects with a proxy command.
.Pp
This directive is useful in conjunction with
.Xr nc 1
and its proxy support.
For example, the following directive would connect via an HTTP proxy at
192.0.2.0:
.Bd -literal -offset 3n
ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
.Ed
.It Cm PubkeyAuthentication
Specifies whether to try public key authentication.
The argument to this keyword must be
@ -752,7 +800,7 @@ If this flag is set to
.Dq yes ,
.Nm ssh
will never automatically add host keys to the
.Pa $HOME/.ssh/known_hosts
.Pa ~/.ssh/known_hosts
file, and refuses to connect to hosts whose host key has changed.
This provides maximum protection against trojan horse attacks,
however, can be annoying when the
@ -824,7 +872,7 @@ having to remember to give the user name on the command line.
.It Cm UserKnownHostsFile
Specifies a file to use for the user
host key database instead of
.Pa $HOME/.ssh/known_hosts .
.Pa ~/.ssh/known_hosts .
.It Cm VerifyHostKeyDNS
Specifies whether to verify the remote key using DNS and SSHFP resource
records.
@ -852,7 +900,7 @@ Note that this option applies to protocol version 2 only.
Specifies a string to append to the regular version string to identify
OS- or site-specific modifications.
The default is
.Dq FreeBSD-20050605 .
.Dq FreeBSD-20050903 .
.It Cm XAuthLocation
Specifies the full pathname of the
.Xr xauth 1
@ -862,7 +910,7 @@ The default is
.El
.Sh FILES
.Bl -tag -width Ds
.It Pa $HOME/.ssh/config
.It Pa ~/.ssh/config
This is the per-user configuration file.
The format of this file is described above.
This file is used by the

70
crypto/openssh/sshconnect.c
View File

@ -13,7 +13,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: sshconnect.c,v 1.162 2005/03/10 22:01:06 deraadt Exp $");
RCSID("$OpenBSD: sshconnect.c,v 1.168 2005/07/17 07:17:55 djm Exp $");
#include <openssl/bn.h>
@ -59,12 +59,11 @@ static void warn_changed_key(Key *);
static int
ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
{
Buffer command;
const char *cp;
char *command_string;
char *command_string, *tmp;
int pin[2], pout[2];
pid_t pid;
char strport[NI_MAXSERV];
size_t len;
/* Convert the port number into a string. */
snprintf(strport, sizeof strport, "%hu", port);
@ -76,31 +75,13 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
* Use "exec" to avoid "sh -c" processes on some platforms
* (e.g. Solaris)
*/
buffer_init(&command);
buffer_append(&command, "exec ", 5);
for (cp = proxy_command; *cp; cp++) {
if (cp[0] == '%' && cp[1] == '%') {
buffer_append(&command, "%", 1);
cp++;
continue;
}
if (cp[0] == '%' && cp[1] == 'h') {
buffer_append(&command, host, strlen(host));
cp++;
continue;
}
if (cp[0] == '%' && cp[1] == 'p') {
buffer_append(&command, strport, strlen(strport));
cp++;
continue;
}
buffer_append(&command, cp, 1);
}
buffer_append(&command, "\0", 1);
/* Get the final command string. */
command_string = buffer_ptr(&command);
len = strlen(proxy_command) + 6;
tmp = xmalloc(len);
strlcpy(tmp, "exec ", len);
strlcat(tmp, proxy_command, len);
command_string = percent_expand(tmp, "h", host,
"p", strport, (char *)NULL);
xfree(tmp);
/* Create pipes for communicating with the proxy. */
if (pipe(pin) < 0 || pipe(pout) < 0)
@ -154,7 +135,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
close(pout[1]);
/* Free the command name. */
buffer_free(&command);
xfree(command_string);
/* Set the connection file descriptors. */
packet_set_connection(pout[0], pin[1]);
@ -308,18 +289,9 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
int sock = -1, attempt;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
struct addrinfo hints, *ai, *aitop;
struct servent *sp;
debug2("ssh_connect: needpriv %d", needpriv);
/* Get default port if port has not been set. */
if (port == 0) {
sp = getservbyname(SSH_SERVICE_NAME, "tcp");
if (sp)
port = ntohs(sp->s_port);
else
port = SSH_DEFAULT_PORT;
}
/* If a proxy command is given, connect using it. */
if (proxy_command != NULL)
return ssh_proxy_connect(host, port, proxy_command);
@ -421,19 +393,21 @@ static void
ssh_exchange_identification(void)
{
char buf[256], remote_version[256]; /* must be same size! */
int remote_major, remote_minor, i, mismatch;
int remote_major, remote_minor, mismatch;
int connection_in = packet_get_connection_in();
int connection_out = packet_get_connection_out();
int minor1 = PROTOCOL_MINOR_1;
u_int i;
/* Read other side\'s version identification. */
/* Read other side's version identification. */
for (;;) {
for (i = 0; i < sizeof(buf) - 1; i++) {
int len = atomicio(read, connection_in, &buf[i], 1);
if (len < 0)
fatal("ssh_exchange_identification: read: %.100s", strerror(errno));
if (len != 1)
size_t len = atomicio(read, connection_in, &buf[i], 1);
if (len != 1 && errno == EPIPE)
fatal("ssh_exchange_identification: Connection closed by remote host");
else if (len != 1)
fatal("ssh_exchange_identification: read: %.100s", strerror(errno));
if (buf[i] == '\r') {
buf[i] = '\n';
buf[i + 1] = 0;
@ -573,7 +547,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
switch (hostaddr->sa_family) {
case AF_INET:
local = (ntohl(((struct sockaddr_in *)hostaddr)->
sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
salen = sizeof(struct sockaddr_in);
break;
case AF_INET6:
@ -706,8 +680,8 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
if (show_other_keys(host, host_key))
snprintf(msg1, sizeof(msg1),
"\nbut keys of different type are already"
" known for this host.");
"\nbut keys of different type are already"
" known for this host.");
else
snprintf(msg1, sizeof(msg1), ".");
/* The default */

4
crypto/openssh/sshconnect1.c
View File

@ -13,7 +13,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: sshconnect1.c,v 1.60 2004/07/28 09:40:29 markus Exp $");
RCSID("$OpenBSD: sshconnect1.c,v 1.61 2005/06/17 02:44:33 djm Exp $");
#include <openssl/bn.h>
#include <openssl/md5.h>
@ -162,7 +162,7 @@ respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv)
/* Compute the response. */
/* The response is MD5 of decrypted challenge plus session id. */
len = BN_num_bytes(challenge);
if (len <= 0 || len > sizeof(buf))
if (len <= 0 || (u_int)len > sizeof(buf))
packet_disconnect(
"respond_to_rsa_challenge: bad challenge length %d", len);

18
crypto/openssh/sshconnect2.c
View File

@ -23,7 +23,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: sshconnect2.c,v 1.138 2004/06/13 12:53:24 djm Exp $");
RCSID("$OpenBSD: sshconnect2.c,v 1.142 2005/08/30 22:08:05 djm Exp $");
#include "openbsd-compat/sys-queue.h"
@ -101,10 +101,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
if (options.compression) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib,none";
myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none";
} else {
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib";
myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib";
}
if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
@ -352,7 +352,7 @@ void
input_userauth_error(int type, u_int32_t seq, void *ctxt)
{
fatal("input_userauth_error: bad message during authentication: "
"type %d", type);
"type %d", type);
}
void
@ -482,7 +482,7 @@ userauth_gssapi(Authctxt *authctxt)
{
Gssctxt *gssctxt = NULL;
static gss_OID_set gss_supported = NULL;
static int mech = 0;
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
@ -509,7 +509,8 @@ userauth_gssapi(Authctxt *authctxt)
}
}
if (!ok) return 0;
if (!ok)
return 0;
authctxt->methoddata=(void *)gssctxt;
@ -544,7 +545,8 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt = authctxt->methoddata;
gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
gss_buffer_desc gssbuf, mic;
gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
gss_buffer_desc gssbuf;
OM_uint32 status, ms, flags;
Buffer b;
@ -678,7 +680,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
/* Stick it into GSSAPI and see what it says */
status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
&recv_tok, &send_tok, NULL);
&recv_tok, &send_tok, NULL);
xfree(recv_tok.value);
gss_release_buffer(&ms, &send_tok);

32
crypto/openssh/sshd.8
View File

@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd.8,v 1.206 2005/03/01 14:59:49 jmc Exp $
.\" $OpenBSD: sshd.8,v 1.208 2005/06/08 03:50:00 djm Exp $
.\" $FreeBSD$
.Dd September 25, 1999
.Dt SSHD 8
@ -81,7 +81,7 @@ supports both SSH protocol version 1 and 2 simultaneously.
works as follows:
.Ss SSH protocol version 1
Each host has a host-specific RSA key
(normally 1024 bits) used to identify the host.
(normally 2048 bits) used to identify the host.
Additionally, when
the daemon starts, it generates a server RSA key (normally 768 bits).
This key is normally regenerated every hour if it has been used, and
@ -349,7 +349,7 @@ If the login is on a tty, and no command has been specified,
prints last login time and
.Pa /etc/motd
(unless prevented in the configuration file or by
.Pa $HOME/.hushlogin ;
.Pa ~/.hushlogin ;
see the
.Sx FILES
section).
@ -367,7 +367,7 @@ Changes to run with normal user privileges.
Sets up basic environment.
.It
Reads the file
.Pa $HOME/.ssh/environment ,
.Pa ~/.ssh/environment ,
if it exists, and users are allowed to change their environment.
See the
.Cm PermitUserEnvironment
@ -377,7 +377,7 @@ option in
Changes to user's home directory.
.It
If
.Pa $HOME/.ssh/rc
.Pa ~/.ssh/rc
exists, runs it; else if
.Pa /etc/ssh/sshrc
exists, runs
@ -391,7 +391,7 @@ authentication protocol and cookie (if applicable) in standard input.
Runs user's shell or command.
.El
.Sh AUTHORIZED_KEYS FILE FORMAT
.Pa $HOME/.ssh/authorized_keys
.Pa ~/.ssh/authorized_keys
is the default file that lists the public keys that are
permitted for RSA authentication in protocol version 1
and for public key authentication (PubkeyAuthentication)
@ -529,7 +529,7 @@ permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323
The
.Pa /etc/ssh/ssh_known_hosts
and
.Pa $HOME/.ssh/known_hosts
.Pa ~/.ssh/known_hosts
files contain host public keys for all known hosts.
The global file should
be prepared by the administrator (optional), and the per-user file is
@ -640,7 +640,7 @@ listening for connections (if there are several daemons running
concurrently for different ports, this contains the process ID of the one
started last).
The content of this file is not sensitive; it can be world-readable.
.It Pa $HOME/.ssh/authorized_keys
.It Pa ~/.ssh/authorized_keys
Lists the public keys (RSA or DSA) that can be used to log into the user's account.
This file must be readable by root (which may on some machines imply
it being world-readable if the user's home directory resides on an NFS
@ -654,7 +654,7 @@ and/or
.Pa id_rsa.pub
files into this file, as described in
.Xr ssh-keygen 1 .
.It Pa "/etc/ssh/ssh_known_hosts", "$HOME/.ssh/known_hosts"
.It Pa "/etc/ssh/ssh_known_hosts", "~/.ssh/known_hosts"
These files are consulted when using rhosts with RSA host
authentication or protocol version 2 hostbased authentication
to check the public key of the host.
@ -664,12 +664,12 @@ to verify that it is connecting to the correct remote host.
These files should be writable only by root/the owner.
.Pa /etc/ssh/ssh_known_hosts
should be world-readable, and
.Pa $HOME/.ssh/known_hosts
.Pa ~/.ssh/known_hosts
can, but need not be, world-readable.
.It Pa /etc/motd
See
.Xr motd 5 .
.It Pa $HOME/.hushlogin
.It Pa ~/.hushlogin
This file is used to suppress printing the last login time and
.Pa /etc/motd ,
if
@ -692,7 +692,7 @@ The file should be world-readable.
Access controls that should be enforced by tcp-wrappers are defined here.
Further details are described in
.Xr hosts_access 5 .
.It Pa $HOME/.rhosts
.It Pa ~/.rhosts
This file is used during
.Cm RhostsRSAAuthentication
and
@ -710,7 +710,7 @@ It is also possible to use netgroups in the file.
Either host or user
name may be of the form +@groupname to specify all hosts or all users
in the group.
.It Pa $HOME/.shosts
.It Pa ~/.shosts
For ssh,
this file is exactly the same as for
.Pa .rhosts .
@ -759,7 +759,7 @@ This is processed exactly as
.Pa /etc/hosts.equiv .
However, this file may be useful in environments that want to run both
rsh/rlogin and ssh.
.It Pa $HOME/.ssh/environment
.It Pa ~/.ssh/environment
This file is read into the environment at login (if it exists).
It can only contain empty lines, comment lines (that start with
.Ql # ) ,
@ -770,7 +770,7 @@ Environment processing is disabled by default and is
controlled via the
.Cm PermitUserEnvironment
option.
.It Pa $HOME/.ssh/rc
.It Pa ~/.ssh/rc
If this file exists, it is run with
.Pa /bin/sh
after reading the
@ -815,7 +815,7 @@ This file should be writable only by the user, and need not be
readable by anyone else.
.It Pa /etc/ssh/sshrc
Like
.Pa $HOME/.ssh/rc .
.Pa ~/.ssh/rc .
This can be used to specify
machine-specific login-time initializations globally.
This file should be writable only by root, and should be world-readable.

38
crypto/openssh/sshd.c
View File

@ -42,7 +42,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: sshd.c,v 1.308 2005/02/08 22:24:57 dtucker Exp $");
RCSID("$OpenBSD: sshd.c,v 1.312 2005/07/25 11:59:40 markus Exp $");
RCSID("$FreeBSD$");
#include <openssl/dh.h>
@ -363,7 +363,8 @@ key_regeneration_alarm(int sig)
static void
sshd_exchange_identification(int sock_in, int sock_out)
{
int i, mismatch;
u_int i;
int mismatch;
int remote_major, remote_minor;
int major, minor;
char *s;
@ -675,6 +676,12 @@ privsep_postauth(Authctxt *authctxt)
/* It is safe now to apply the key state */
monitor_apply_keystate(pmonitor);
/*
* Tell the packet layer that authentication was successful, since
* this information is not part of the key state.
*/
packet_set_authenticated();
}
static char *
@ -1038,7 +1045,7 @@ main(int ac, char **av)
/*
* Unset KRB5CCNAME, otherwise the user's session may inherit it from
* root's environment
*/
*/
if (getenv("KRB5CCNAME") != NULL)
unsetenv("KRB5CCNAME");
@ -1620,12 +1627,6 @@ main(int ac, char **av)
signal(SIGCHLD, SIG_DFL);
signal(SIGINT, SIG_DFL);
/* Set SO_KEEPALIVE if requested. */
if (options.tcp_keep_alive &&
setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on,
sizeof(on)) < 0)
error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
#ifdef __FreeBSD__
/*
* Initialize the resolver. This may not happen automatically
@ -1642,8 +1643,17 @@ main(int ac, char **av)
* not have a key.
*/
packet_set_connection(sock_in, sock_out);
packet_set_server();
remote_port = get_remote_port();
/* Set SO_KEEPALIVE if requested. */
if (options.tcp_keep_alive && packet_connection_is_on_socket() &&
setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0)
error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
if ((remote_port = get_remote_port()) < 0) {
debug("get_remote_port failed");
cleanup_exit(255);
}
remote_ip = get_remote_ipaddr();
#ifdef SSH_AUDIT_EVENTS
@ -1914,7 +1924,7 @@ do_ssh1_kex(void)
if (!rsafail) {
BN_mask_bits(session_key_int, sizeof(session_key) * 8);
len = BN_num_bytes(session_key_int);
if (len < 0 || len > sizeof(session_key)) {
if (len < 0 || (u_int)len > sizeof(session_key)) {
error("do_connection: bad session key len from %s: "
"session_key_int %d > sizeof(session_key) %lu",
get_remote_ipaddr(), len, (u_long)sizeof(session_key));
@ -2001,10 +2011,14 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
}
if (!options.compression) {
if (options.compression == COMP_NONE) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
} else if (options.compression == COMP_DELAYED) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com";
}
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
/* start key exchange */

8
crypto/openssh/sshd_config
View File

@ -1,4 +1,4 @@
# $OpenBSD: sshd_config,v 1.70 2004/12/23 23:11:00 djm Exp $
# $OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $
# $FreeBSD$
# This is the sshd server system-wide configuration file. See
@ -14,7 +14,7 @@
# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.
#VersionAddendum FreeBSD-20050605
#VersionAddendum FreeBSD-20050903
#Port 22
#Protocol 2
@ -32,7 +32,7 @@
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
@ -95,7 +95,7 @@
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes

39
crypto/openssh/sshd_config.5
View File

@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.40 2005/03/18 17:05:00 jmc Exp $
.\" $OpenBSD: sshd_config.5,v 1.44 2005/07/25 11:59:40 markus Exp $
.\" $FreeBSD$
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
@ -176,24 +176,18 @@ The supported ciphers are
.Dq aes128-ctr ,
.Dq aes192-ctr ,
.Dq aes256-ctr ,
.Dq arcfour128 ,
.Dq arcfour256 ,
.Dq arcfour ,
.Dq blowfish-cbc ,
and
.Dq cast128-cbc .
The default is
.Bd -literal
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr''
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
aes192-ctr,aes256-ctr''
.Ed
.It Cm ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received
from the client,
.Nm sshd
will send a message through the encrypted
channel to request a response from the client.
The default
is 0, indicating that these messages will not be sent to the client.
This option applies to protocol version 2 only.
.It Cm ClientAliveCountMax
Sets the number of client alive messages (see above) which may be
sent without
@ -221,14 +215,25 @@ If
.Cm ClientAliveCountMax
is left at the default, unresponsive ssh clients
will be disconnected after approximately 45 seconds.
.It Cm ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received
from the client,
.Nm sshd
will send a message through the encrypted
channel to request a response from the client.
The default
is 0, indicating that these messages will not be sent to the client.
This option applies to protocol version 2 only.
.It Cm Compression
Specifies whether compression is allowed.
Specifies whether compression is allowed, or delayed until
the user has authenticated successfully.
The argument must be
.Dq yes
.Dq yes ,
.Dq delayed ,
or
.Dq no .
The default is
.Dq yes .
.Dq delayed .
.It Cm DenyGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
@ -333,7 +338,7 @@ The default is
Specifies whether
.Nm sshd
should ignore the user's
.Pa $HOME/.ssh/known_hosts
.Pa ~/.ssh/known_hosts
during
.Cm RhostsRSAAuthentication
or
@ -720,7 +725,7 @@ The default is
Specifies a string to append to the regular version string to identify
OS- or site-specific modifications.
The default is
.Dq FreeBSD-20050605 .
.Dq FreeBSD-20050903 .
.It Cm X11DisplayOffset
Specifies the first display number available for
.Nm sshd Ns 's

4
crypto/openssh/sshpty.c
View File

@ -128,10 +128,10 @@ pty_make_controlling_tty(int *ttyfd, const char *tty)
if (ioctl(*ttyfd, TIOCSCTTY, NULL) < 0)
error("ioctl(TIOCSCTTY): %.100s", strerror(errno));
#endif /* TIOCSCTTY */
#ifdef HAVE_NEWS4
#ifdef NEED_SETPGRP
if (setpgrp(0,0) < 0)
error("SETPGRP %s",strerror(errno));
#endif /* HAVE_NEWS4 */
#endif /* NEED_SETPGRP */
#ifdef USE_VHANGUP
old = signal(SIGHUP, SIG_IGN);
vhangup();

73
crypto/openssh/tildexpand.c
View File

@ -1,73 +0,0 @@
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
*
* As far as I am concerned, the code I have written for this software
* can be used freely for any purpose. Any derived versions of this
* software must be clearly marked as such, and if the derived work is
* incompatible with the protocol description in the RFC file, it must be
* called by a name other than "ssh" or "Secure Shell".
*/
#include "includes.h"
RCSID("$OpenBSD: tildexpand.c,v 1.15 2004/05/21 08:43:03 markus Exp $");
#include "xmalloc.h"
#include "log.h"
#include "misc.h"
/*
* Expands tildes in the file name. Returns data allocated by xmalloc.
* Warning: this calls getpw*.
*/
char *
tilde_expand_filename(const char *filename, uid_t my_uid)
{
const char *cp;
u_int userlen;
char *expanded;
struct passwd *pw;
char user[100];
int len;
/* Return immediately if no tilde. */
if (filename[0] != '~')
return xstrdup(filename);
/* Skip the tilde. */
filename++;
/* Find where the username ends. */
cp = strchr(filename, '/');
if (cp)
userlen = cp - filename; /* Something after username. */
else
userlen = strlen(filename); /* Nothing after username. */
if (userlen == 0)
pw = getpwuid(my_uid); /* Own home directory. */
else {
/* Tilde refers to someone elses home directory. */
if (userlen > sizeof(user) - 1)
fatal("User name after tilde too long.");
memcpy(user, filename, userlen);
user[userlen] = 0;
pw = getpwnam(user);
}
if (!pw)
fatal("Unknown user %100s.", user);
/* If referring to someones home directory, return it now. */
if (!cp) {
/* Only home directory specified */
return xstrdup(pw->pw_dir);
}
/* Build a path combining the specified directory and path. */
len = strlen(pw->pw_dir) + strlen(cp + 1) + 2;
if (len > MAXPATHLEN)
fatal("Home directory too long (%d > %d", len-1, MAXPATHLEN-1);
expanded = xmalloc(len);
snprintf(expanded, len, "%s%s%s", pw->pw_dir,
strcmp(pw->pw_dir, "/") ? "/" : "", cp + 1);
return expanded;
}

6
crypto/openssh/version.h
View File

@ -1,12 +1,12 @@
/* $OpenBSD: version.h,v 1.44 2005/03/16 21:17:39 markus Exp $ */
/* $OpenBSD: version.h,v 1.45 2005/08/31 09:28:42 markus Exp $ */
/* $FreeBSD$ */
#ifndef SSH_VERSION
#define SSH_VERSION (ssh_version_get())
#define SSH_RELEASE (ssh_version_get())
#define SSH_VERSION_BASE "OpenSSH_4.1p1"
#define SSH_VERSION_ADDENDUM "FreeBSD-20050605"
#define SSH_VERSION_BASE "OpenSSH_4.2p1"
#define SSH_VERSION_ADDENDUM "FreeBSD-20050903"
const char *ssh_version_get(void);
void ssh_version_set_addendum(const char *add);