Resolve conflicts.
This commit is contained in:
parent
6dbd30e786
commit
aa49c9264c
crypto/openssh
LICENCEacconfig.hauth-chall.cauth-krb5.cauth-pam.cauth-pam.hauth-passwd.cauth-rsa.cauth.cauth.hauth1.cauth2-chall.cauth2-kbdint.cauth2.cauthfile.cbufaux.ccanohost.cchannels.cchannels.hcipher.ccompat.ccompat.hconfigure.achostfile.cincludes.hkey.cloginrec.cmonitor.cmonitor.hmonitor_wrap.cmonitor_wrap.h
openbsd-compat
readconf.creadconf.hscp.cservconf.cservconf.hsession.cssh-add.cssh-agent.cssh-keyscan.cssh.1ssh.cssh.hssh_configssh_config.5sshconnect.csshd.8sshd.csshd_configsshd_config.5version.h@ -97,7 +97,7 @@ OpenSSH contains no GPL code.
|
||||
* <http://www.core-sdi.com>
|
||||
|
||||
3)
|
||||
ssh-keygen was contributed by David Mazieres under a BSD-style
|
||||
ssh-keyscan was contributed by David Mazieres under a BSD-style
|
||||
license.
|
||||
|
||||
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
|
||||
@ -203,6 +203,7 @@ OpenSSH contains no GPL code.
|
||||
Wayne Schroeder
|
||||
William Jones
|
||||
Darren Tucker
|
||||
Sun Microsystems
|
||||
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -329,4 +330,4 @@ OpenSSH contains no GPL code.
|
||||
|
||||
|
||||
------
|
||||
$OpenBSD: LICENCE,v 1.18 2003/11/21 11:57:02 djm Exp $
|
||||
$OpenBSD: LICENCE,v 1.19 2004/08/30 09:18:08 markus Exp $
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $Id: acconfig.h,v 1.180 2004/08/16 13:12:06 dtucker Exp $ */
|
||||
/* $Id: acconfig.h,v 1.181 2005/02/25 23:07:38 dtucker Exp $ */
|
||||
/* $FreeBSD$ */
|
||||
|
||||
/*
|
||||
@ -53,9 +53,6 @@
|
||||
#undef SPT_TYPE
|
||||
#undef SPT_PADCHAR
|
||||
|
||||
/* setgroups() NOOP allowed */
|
||||
#undef SETGROUPS_NOOP
|
||||
|
||||
/* SCO workaround */
|
||||
#undef BROKEN_SYS_TERMIO_H
|
||||
|
||||
|
@ -29,11 +29,13 @@ RCSID("$FreeBSD$");
|
||||
#include "auth.h"
|
||||
#include "log.h"
|
||||
#include "xmalloc.h"
|
||||
#include "servconf.h"
|
||||
|
||||
/* limited protocol v1 interface to kbd-interactive authentication */
|
||||
|
||||
extern KbdintDevice *devices[];
|
||||
static KbdintDevice *device;
|
||||
extern ServerOptions options;
|
||||
|
||||
char *
|
||||
get_challenge(Authctxt *authctxt)
|
||||
@ -42,6 +44,11 @@ get_challenge(Authctxt *authctxt)
|
||||
u_int i, numprompts;
|
||||
u_int *echo_on;
|
||||
|
||||
#ifdef USE_PAM
|
||||
if (!options.use_pam)
|
||||
remove_kbdint_device("pam");
|
||||
#endif
|
||||
|
||||
device = devices[0]; /* we always use the 1st device for protocol 1 */
|
||||
if (device == NULL)
|
||||
return NULL;
|
||||
|
@ -188,6 +188,11 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
||||
snprintf(authctxt->krb5_ccname, len, "FILE:%s",
|
||||
authctxt->krb5_ticket_file);
|
||||
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam)
|
||||
do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
|
||||
#endif
|
||||
|
||||
out:
|
||||
restore_uid();
|
||||
|
||||
|
@ -47,7 +47,7 @@
|
||||
|
||||
/* Based on $xFreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
|
||||
#include "includes.h"
|
||||
RCSID("$Id: auth-pam.c,v 1.114 2004/08/16 13:12:06 dtucker Exp $");
|
||||
RCSID("$Id: auth-pam.c,v 1.122 2005/05/25 06:18:10 dtucker Exp $");
|
||||
RCSID("$FreeBSD$");
|
||||
|
||||
#ifdef USE_PAM
|
||||
@ -77,7 +77,17 @@ extern Buffer loginmsg;
|
||||
extern int compat20;
|
||||
extern u_int utmp_len;
|
||||
|
||||
/* so we don't silently change behaviour */
|
||||
#ifdef USE_POSIX_THREADS
|
||||
# error "USE_POSIX_THREADS replaced by UNSUPPORTED_POSIX_THREADS_HACK"
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Formerly known as USE_POSIX_THREADS, using this is completely unsupported
|
||||
* and generally a bad idea. Use at own risk and do not expect support if
|
||||
* this breaks.
|
||||
*/
|
||||
#ifdef UNSUPPORTED_POSIX_THREADS_HACK
|
||||
#include <pthread.h>
|
||||
/*
|
||||
* Avoid namespace clash when *not* using pthreads for systems *with*
|
||||
@ -99,7 +109,7 @@ struct pam_ctxt {
|
||||
static void sshpam_free_ctx(void *);
|
||||
static struct pam_ctxt *cleanup_ctxt;
|
||||
|
||||
#ifndef USE_POSIX_THREADS
|
||||
#ifndef UNSUPPORTED_POSIX_THREADS_HACK
|
||||
/*
|
||||
* Simulate threads with processes.
|
||||
*/
|
||||
@ -187,6 +197,7 @@ static int sshpam_account_status = -1;
|
||||
static char **sshpam_env = NULL;
|
||||
static Authctxt *sshpam_authctxt = NULL;
|
||||
static const char *sshpam_password = NULL;
|
||||
static char badpw[] = "\b\n\r\177INCORRECT";
|
||||
|
||||
/* Some PAM implementations don't implement this */
|
||||
#ifndef HAVE_PAM_GETENVLIST
|
||||
@ -255,7 +266,7 @@ import_environments(Buffer *b)
|
||||
|
||||
debug3("PAM: %s entering", __func__);
|
||||
|
||||
#ifndef USE_POSIX_THREADS
|
||||
#ifndef UNSUPPORTED_POSIX_THREADS_HACK
|
||||
/* Import variables set by do_pam_account */
|
||||
sshpam_account_status = buffer_get_int(b);
|
||||
sshpam_password_change_required(buffer_get_int(b));
|
||||
@ -384,7 +395,7 @@ sshpam_thread(void *ctxtp)
|
||||
struct pam_conv sshpam_conv;
|
||||
int flags = (options.permit_empty_passwd == 0 ?
|
||||
PAM_DISALLOW_NULL_AUTHTOK : 0);
|
||||
#ifndef USE_POSIX_THREADS
|
||||
#ifndef UNSUPPORTED_POSIX_THREADS_HACK
|
||||
extern char **environ;
|
||||
char **env_from_pam;
|
||||
u_int i;
|
||||
@ -428,7 +439,7 @@ sshpam_thread(void *ctxtp)
|
||||
|
||||
buffer_put_cstring(&buffer, "OK");
|
||||
|
||||
#ifndef USE_POSIX_THREADS
|
||||
#ifndef UNSUPPORTED_POSIX_THREADS_HACK
|
||||
/* Export variables set by do_pam_account */
|
||||
buffer_put_int(&buffer, sshpam_account_status);
|
||||
buffer_put_int(&buffer, sshpam_authctxt->force_pwchange);
|
||||
@ -447,7 +458,7 @@ sshpam_thread(void *ctxtp)
|
||||
buffer_put_int(&buffer, i);
|
||||
for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++)
|
||||
buffer_put_cstring(&buffer, env_from_pam[i]);
|
||||
#endif /* USE_POSIX_THREADS */
|
||||
#endif /* UNSUPPORTED_POSIX_THREADS_HACK */
|
||||
|
||||
/* XXX - can't do much about an error here */
|
||||
ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
|
||||
@ -491,6 +502,51 @@ sshpam_null_conv(int n, struct pam_message **msg,
|
||||
|
||||
static struct pam_conv null_conv = { sshpam_null_conv, NULL };
|
||||
|
||||
static int
|
||||
sshpam_store_conv(int n, struct pam_message **msg,
|
||||
struct pam_response **resp, void *data)
|
||||
{
|
||||
struct pam_response *reply;
|
||||
int i;
|
||||
size_t len;
|
||||
|
||||
debug3("PAM: %s called with %d messages", __func__, n);
|
||||
*resp = NULL;
|
||||
|
||||
if (n <= 0 || n > PAM_MAX_NUM_MSG)
|
||||
return (PAM_CONV_ERR);
|
||||
|
||||
if ((reply = malloc(n * sizeof(*reply))) == NULL)
|
||||
return (PAM_CONV_ERR);
|
||||
memset(reply, 0, n * sizeof(*reply));
|
||||
|
||||
for (i = 0; i < n; ++i) {
|
||||
switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
|
||||
case PAM_ERROR_MSG:
|
||||
case PAM_TEXT_INFO:
|
||||
len = strlen(PAM_MSG_MEMBER(msg, i, msg));
|
||||
buffer_append(&loginmsg, PAM_MSG_MEMBER(msg, i, msg), len);
|
||||
buffer_append(&loginmsg, "\n", 1 );
|
||||
reply[i].resp_retcode = PAM_SUCCESS;
|
||||
break;
|
||||
default:
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
*resp = reply;
|
||||
return (PAM_SUCCESS);
|
||||
|
||||
fail:
|
||||
for(i = 0; i < n; i++) {
|
||||
if (reply[i].resp != NULL)
|
||||
xfree(reply[i].resp);
|
||||
}
|
||||
xfree(reply);
|
||||
return (PAM_CONV_ERR);
|
||||
}
|
||||
|
||||
static struct pam_conv store_conv = { sshpam_store_conv, NULL };
|
||||
|
||||
void
|
||||
sshpam_cleanup(void)
|
||||
{
|
||||
@ -528,7 +584,7 @@ sshpam_init(Authctxt *authctxt)
|
||||
}
|
||||
debug("PAM: initializing for \"%s\"", user);
|
||||
sshpam_err =
|
||||
pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle);
|
||||
pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
|
||||
sshpam_authctxt = authctxt;
|
||||
|
||||
if (sshpam_err != PAM_SUCCESS) {
|
||||
@ -610,7 +666,7 @@ sshpam_query(void *ctx, char **name, char **info,
|
||||
size_t plen;
|
||||
u_char type;
|
||||
char *msg;
|
||||
size_t len;
|
||||
size_t len, mlen;
|
||||
|
||||
debug3("PAM: %s entering", __func__);
|
||||
buffer_init(&buffer);
|
||||
@ -623,22 +679,27 @@ sshpam_query(void *ctx, char **name, char **info,
|
||||
while (ssh_msg_recv(ctxt->pam_psock, &buffer) == 0) {
|
||||
type = buffer_get_char(&buffer);
|
||||
msg = buffer_get_string(&buffer, NULL);
|
||||
mlen = strlen(msg);
|
||||
switch (type) {
|
||||
case PAM_PROMPT_ECHO_ON:
|
||||
case PAM_PROMPT_ECHO_OFF:
|
||||
*num = 1;
|
||||
len = plen + strlen(msg) + 1;
|
||||
len = plen + mlen + 1;
|
||||
**prompts = xrealloc(**prompts, len);
|
||||
plen += snprintf(**prompts + plen, len, "%s", msg);
|
||||
strlcpy(**prompts + plen, msg, len - plen);
|
||||
plen += mlen;
|
||||
**echo_on = (type == PAM_PROMPT_ECHO_ON);
|
||||
xfree(msg);
|
||||
return (0);
|
||||
case PAM_ERROR_MSG:
|
||||
case PAM_TEXT_INFO:
|
||||
/* accumulate messages */
|
||||
len = plen + strlen(msg) + 2;
|
||||
len = plen + mlen + 2;
|
||||
**prompts = xrealloc(**prompts, len);
|
||||
plen += snprintf(**prompts + plen, len, "%s\n", msg);
|
||||
strlcpy(**prompts + plen, msg, len - plen);
|
||||
plen += mlen;
|
||||
strlcat(**prompts + plen, "\n", len - plen);
|
||||
plen++;
|
||||
xfree(msg);
|
||||
break;
|
||||
case PAM_SUCCESS:
|
||||
@ -652,6 +713,12 @@ sshpam_query(void *ctx, char **name, char **info,
|
||||
**prompts = NULL;
|
||||
}
|
||||
if (type == PAM_SUCCESS) {
|
||||
if (!sshpam_authctxt->valid ||
|
||||
(sshpam_authctxt->pw->pw_uid == 0 &&
|
||||
options.permit_root_login != PERMIT_YES))
|
||||
fatal("Internal error: PAM auth "
|
||||
"succeeded when it should have "
|
||||
"failed");
|
||||
import_environments(&buffer);
|
||||
*num = 0;
|
||||
**echo_on = 0;
|
||||
@ -697,7 +764,12 @@ sshpam_respond(void *ctx, u_int num, char **resp)
|
||||
return (-1);
|
||||
}
|
||||
buffer_init(&buffer);
|
||||
buffer_put_cstring(&buffer, *resp);
|
||||
if (sshpam_authctxt->valid &&
|
||||
(sshpam_authctxt->pw->pw_uid != 0 ||
|
||||
options.permit_root_login == PERMIT_YES))
|
||||
buffer_put_cstring(&buffer, *resp);
|
||||
else
|
||||
buffer_put_cstring(&buffer, badpw);
|
||||
if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
|
||||
buffer_free(&buffer);
|
||||
return (-1);
|
||||
@ -760,11 +832,13 @@ finish_pam(void)
|
||||
u_int
|
||||
do_pam_account(void)
|
||||
{
|
||||
debug("%s: called", __func__);
|
||||
if (sshpam_account_status != -1)
|
||||
return (sshpam_account_status);
|
||||
|
||||
sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
|
||||
debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err);
|
||||
debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
|
||||
pam_strerror(sshpam_handle, sshpam_err));
|
||||
|
||||
if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
|
||||
sshpam_account_status = 0;
|
||||
@ -794,7 +868,7 @@ void
|
||||
do_pam_setcred(int init)
|
||||
{
|
||||
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
|
||||
(const void *)&null_conv);
|
||||
(const void *)&store_conv);
|
||||
if (sshpam_err != PAM_SUCCESS)
|
||||
fatal("PAM: failed to set PAM_CONV: %s",
|
||||
pam_strerror(sshpam_handle, sshpam_err));
|
||||
@ -895,51 +969,6 @@ do_pam_chauthtok(void)
|
||||
pam_strerror(sshpam_handle, sshpam_err));
|
||||
}
|
||||
|
||||
static int
|
||||
sshpam_store_conv(int n, struct pam_message **msg,
|
||||
struct pam_response **resp, void *data)
|
||||
{
|
||||
struct pam_response *reply;
|
||||
int i;
|
||||
size_t len;
|
||||
|
||||
debug3("PAM: %s called with %d messages", __func__, n);
|
||||
*resp = NULL;
|
||||
|
||||
if (n <= 0 || n > PAM_MAX_NUM_MSG)
|
||||
return (PAM_CONV_ERR);
|
||||
|
||||
if ((reply = malloc(n * sizeof(*reply))) == NULL)
|
||||
return (PAM_CONV_ERR);
|
||||
memset(reply, 0, n * sizeof(*reply));
|
||||
|
||||
for (i = 0; i < n; ++i) {
|
||||
switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
|
||||
case PAM_ERROR_MSG:
|
||||
case PAM_TEXT_INFO:
|
||||
len = strlen(PAM_MSG_MEMBER(msg, i, msg));
|
||||
buffer_append(&loginmsg, PAM_MSG_MEMBER(msg, i, msg), len);
|
||||
buffer_append(&loginmsg, "\n", 1 );
|
||||
reply[i].resp_retcode = PAM_SUCCESS;
|
||||
break;
|
||||
default:
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
*resp = reply;
|
||||
return (PAM_SUCCESS);
|
||||
|
||||
fail:
|
||||
for(i = 0; i < n; i++) {
|
||||
if (reply[i].resp != NULL)
|
||||
xfree(reply[i].resp);
|
||||
}
|
||||
xfree(reply);
|
||||
return (PAM_CONV_ERR);
|
||||
}
|
||||
|
||||
static struct pam_conv store_conv = { sshpam_store_conv, NULL };
|
||||
|
||||
void
|
||||
do_pam_session(void)
|
||||
{
|
||||
@ -950,10 +979,21 @@ do_pam_session(void)
|
||||
fatal("PAM: failed to set PAM_CONV: %s",
|
||||
pam_strerror(sshpam_handle, sshpam_err));
|
||||
sshpam_err = pam_open_session(sshpam_handle, 0);
|
||||
if (sshpam_err != PAM_SUCCESS)
|
||||
fatal("PAM: pam_open_session(): %s",
|
||||
if (sshpam_err == PAM_SUCCESS)
|
||||
sshpam_session_open = 1;
|
||||
else {
|
||||
sshpam_session_open = 0;
|
||||
disable_forwarding();
|
||||
error("PAM: pam_open_session(): %s",
|
||||
pam_strerror(sshpam_handle, sshpam_err));
|
||||
sshpam_session_open = 1;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
int
|
||||
is_pam_session_open(void)
|
||||
{
|
||||
return sshpam_session_open;
|
||||
}
|
||||
|
||||
/*
|
||||
@ -1076,7 +1116,6 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
|
||||
{
|
||||
int flags = (options.permit_empty_passwd == 0 ?
|
||||
PAM_DISALLOW_NULL_AUTHTOK : 0);
|
||||
static char badpw[] = "\b\n\r\177INCORRECT";
|
||||
|
||||
if (!options.use_pam || sshpam_handle == NULL)
|
||||
fatal("PAM: %s called when PAM disabled or failed to "
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $Id: auth-pam.h,v 1.26 2004/05/30 10:43:59 dtucker Exp $ */
|
||||
/* $Id: auth-pam.h,v 1.27 2004/09/11 12:17:26 dtucker Exp $ */
|
||||
/* $FreeBSD$ */
|
||||
|
||||
/*
|
||||
@ -46,5 +46,6 @@ void free_pam_environment(char **);
|
||||
void sshpam_thread_cleanup(void);
|
||||
void sshpam_cleanup(void);
|
||||
int sshpam_auth_passwd(Authctxt *, const char *);
|
||||
int is_pam_session_open(void);
|
||||
|
||||
#endif /* USE_PAM */
|
||||
|
@ -36,17 +36,26 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth-passwd.c,v 1.31 2004/01/30 09:48:57 markus Exp $");
|
||||
RCSID("$OpenBSD: auth-passwd.c,v 1.33 2005/01/24 11:47:13 dtucker Exp $");
|
||||
RCSID("$FreeBSD$");
|
||||
|
||||
#include "packet.h"
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
#include "servconf.h"
|
||||
#include "auth.h"
|
||||
#include "auth-options.h"
|
||||
|
||||
extern Buffer loginmsg;
|
||||
extern ServerOptions options;
|
||||
int sys_auth_passwd(Authctxt *, const char *);
|
||||
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
extern login_cap_t *lc;
|
||||
#endif
|
||||
|
||||
|
||||
#define DAY (24L * 60 * 60) /* 1 day in seconds */
|
||||
#define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */
|
||||
|
||||
void
|
||||
disable_forwarding(void)
|
||||
@ -64,7 +73,7 @@ int
|
||||
auth_password(Authctxt *authctxt, const char *password)
|
||||
{
|
||||
struct passwd * pw = authctxt->pw;
|
||||
int ok = authctxt->valid;
|
||||
int result, ok = authctxt->valid;
|
||||
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
|
||||
static int expire_checked = 0;
|
||||
#endif
|
||||
@ -101,22 +110,57 @@ auth_password(Authctxt *authctxt, const char *password)
|
||||
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
|
||||
if (!expire_checked) {
|
||||
expire_checked = 1;
|
||||
if (auth_shadow_pwexpired(authctxt)) {
|
||||
disable_forwarding();
|
||||
if (auth_shadow_pwexpired(authctxt))
|
||||
authctxt->force_pwchange = 1;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
return (sys_auth_passwd(authctxt, password) && ok);
|
||||
result = sys_auth_passwd(authctxt, password);
|
||||
if (authctxt->force_pwchange)
|
||||
disable_forwarding();
|
||||
return (result && ok);
|
||||
}
|
||||
|
||||
#ifdef BSD_AUTH
|
||||
static void
|
||||
warn_expiry(Authctxt *authctxt, auth_session_t *as)
|
||||
{
|
||||
char buf[256];
|
||||
quad_t pwtimeleft, actimeleft, daysleft, pwwarntime, acwarntime;
|
||||
|
||||
pwwarntime = acwarntime = TWO_WEEKS;
|
||||
|
||||
pwtimeleft = auth_check_change(as);
|
||||
actimeleft = auth_check_expire(as);
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
if (authctxt->valid) {
|
||||
pwwarntime = login_getcaptime(lc, "password-warn", TWO_WEEKS,
|
||||
TWO_WEEKS);
|
||||
acwarntime = login_getcaptime(lc, "expire-warn", TWO_WEEKS,
|
||||
TWO_WEEKS);
|
||||
}
|
||||
#endif
|
||||
if (pwtimeleft != 0 && pwtimeleft < pwwarntime) {
|
||||
daysleft = pwtimeleft / DAY + 1;
|
||||
snprintf(buf, sizeof(buf),
|
||||
"Your password will expire in %lld day%s.\n",
|
||||
daysleft, daysleft == 1 ? "" : "s");
|
||||
buffer_append(&loginmsg, buf, strlen(buf));
|
||||
}
|
||||
if (actimeleft != 0 && actimeleft < acwarntime) {
|
||||
daysleft = actimeleft / DAY + 1;
|
||||
snprintf(buf, sizeof(buf),
|
||||
"Your account will expire in %lld day%s.\n",
|
||||
daysleft, daysleft == 1 ? "" : "s");
|
||||
buffer_append(&loginmsg, buf, strlen(buf));
|
||||
}
|
||||
}
|
||||
|
||||
int
|
||||
sys_auth_passwd(Authctxt *authctxt, const char *password)
|
||||
{
|
||||
struct passwd *pw = authctxt->pw;
|
||||
auth_session_t *as;
|
||||
static int expire_checked = 0;
|
||||
|
||||
as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
|
||||
(char *)password);
|
||||
@ -126,6 +170,10 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
|
||||
authctxt->force_pwchange = 1;
|
||||
return (1);
|
||||
} else {
|
||||
if (!expire_checked) {
|
||||
expire_checked = 1;
|
||||
warn_expiry(authctxt, as);
|
||||
}
|
||||
return (auth_close(as));
|
||||
}
|
||||
}
|
||||
|
@ -14,7 +14,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth-rsa.c,v 1.60 2004/06/21 17:36:31 avsm Exp $");
|
||||
RCSID("$OpenBSD: auth-rsa.c,v 1.62 2004/12/11 01:48:56 dtucker Exp $");
|
||||
|
||||
#include <openssl/rsa.h>
|
||||
#include <openssl/md5.h>
|
||||
@ -33,6 +33,7 @@ RCSID("$OpenBSD: auth-rsa.c,v 1.60 2004/06/21 17:36:31 avsm Exp $");
|
||||
#include "hostfile.h"
|
||||
#include "monitor_wrap.h"
|
||||
#include "ssh.h"
|
||||
#include "misc.h"
|
||||
|
||||
/* import */
|
||||
extern ServerOptions options;
|
||||
@ -49,7 +50,7 @@ extern u_char session_id[16];
|
||||
* options bits e n comment
|
||||
* where bits, e and n are decimal numbers,
|
||||
* and comment is any string of characters up to newline. The maximum
|
||||
* length of a line is 8000 characters. See the documentation for a
|
||||
* length of a line is SSH_MAX_PUBKEY_BYTES characters. See sshd(8) for a
|
||||
* description of the options.
|
||||
*/
|
||||
|
||||
@ -152,7 +153,7 @@ auth_rsa_challenge_dialog(Key *key)
|
||||
int
|
||||
auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
|
||||
{
|
||||
char line[8192], *file;
|
||||
char line[SSH_MAX_PUBKEY_BYTES], *file;
|
||||
int allowed = 0;
|
||||
u_int bits;
|
||||
FILE *f;
|
||||
@ -201,12 +202,10 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
|
||||
* found, perform a challenge-response dialog to verify that the
|
||||
* user really has the corresponding private key.
|
||||
*/
|
||||
while (fgets(line, sizeof(line), f)) {
|
||||
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
|
||||
char *cp;
|
||||
char *key_options;
|
||||
|
||||
linenum++;
|
||||
|
||||
/* Skip leading whitespace, empty and comment lines. */
|
||||
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
|
||||
;
|
||||
|
@ -23,7 +23,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth.c,v 1.56 2004/07/28 09:40:29 markus Exp $");
|
||||
RCSID("$OpenBSD: auth.c,v 1.58 2005/03/14 11:44:42 dtucker Exp $");
|
||||
RCSID("$FreeBSD$");
|
||||
|
||||
#ifdef HAVE_LOGIN_H
|
||||
@ -51,6 +51,8 @@ RCSID("$FreeBSD$");
|
||||
#include "misc.h"
|
||||
#include "bufaux.h"
|
||||
#include "packet.h"
|
||||
#include "loginrec.h"
|
||||
#include "monitor_wrap.h"
|
||||
|
||||
/* import */
|
||||
extern ServerOptions options;
|
||||
@ -144,7 +146,8 @@ allowed_user(struct passwd * pw)
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (options.num_deny_users > 0 || options.num_allow_users > 0) {
|
||||
if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
|
||||
options.num_deny_groups > 0 || options.num_allow_groups > 0) {
|
||||
hostname = get_canonical_hostname(options.use_dns);
|
||||
ipaddr = get_remote_ipaddr();
|
||||
}
|
||||
@ -154,8 +157,9 @@ allowed_user(struct passwd * pw)
|
||||
for (i = 0; i < options.num_deny_users; i++)
|
||||
if (match_user(pw->pw_name, hostname, ipaddr,
|
||||
options.deny_users[i])) {
|
||||
logit("User %.100s not allowed because listed in DenyUsers",
|
||||
pw->pw_name);
|
||||
logit("User %.100s from %.100s not allowed "
|
||||
"because listed in DenyUsers",
|
||||
pw->pw_name, hostname);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
@ -167,16 +171,16 @@ allowed_user(struct passwd * pw)
|
||||
break;
|
||||
/* i < options.num_allow_users iff we break for loop */
|
||||
if (i >= options.num_allow_users) {
|
||||
logit("User %.100s not allowed because not listed in AllowUsers",
|
||||
pw->pw_name);
|
||||
logit("User %.100s from %.100s not allowed because "
|
||||
"not listed in AllowUsers", pw->pw_name, hostname);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
|
||||
/* Get the user's group access list (primary and supplementary) */
|
||||
if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
|
||||
logit("User %.100s not allowed because not in any group",
|
||||
pw->pw_name);
|
||||
logit("User %.100s from %.100s not allowed because "
|
||||
"not in any group", pw->pw_name, hostname);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -185,8 +189,9 @@ allowed_user(struct passwd * pw)
|
||||
if (ga_match(options.deny_groups,
|
||||
options.num_deny_groups)) {
|
||||
ga_free();
|
||||
logit("User %.100s not allowed because a group is listed in DenyGroups",
|
||||
pw->pw_name);
|
||||
logit("User %.100s from %.100s not allowed "
|
||||
"because a group is listed in DenyGroups",
|
||||
pw->pw_name, hostname);
|
||||
return 0;
|
||||
}
|
||||
/*
|
||||
@ -197,15 +202,16 @@ allowed_user(struct passwd * pw)
|
||||
if (!ga_match(options.allow_groups,
|
||||
options.num_allow_groups)) {
|
||||
ga_free();
|
||||
logit("User %.100s not allowed because none of user's groups are listed in AllowGroups",
|
||||
pw->pw_name);
|
||||
logit("User %.100s from %.100s not allowed "
|
||||
"because none of user's groups are listed "
|
||||
"in AllowGroups", pw->pw_name, hostname);
|
||||
return 0;
|
||||
}
|
||||
ga_free();
|
||||
}
|
||||
|
||||
#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
|
||||
if (!sys_auth_allowed_user(pw))
|
||||
if (!sys_auth_allowed_user(pw, &loginmsg))
|
||||
return 0;
|
||||
#endif
|
||||
|
||||
@ -241,8 +247,50 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
|
||||
info);
|
||||
|
||||
#ifdef CUSTOM_FAILED_LOGIN
|
||||
if (authenticated == 0 && strcmp(method, "password") == 0)
|
||||
record_failed_login(authctxt->user, "ssh");
|
||||
if (authenticated == 0 && !authctxt->postponed &&
|
||||
(strcmp(method, "password") == 0 ||
|
||||
strncmp(method, "keyboard-interactive", 20) == 0 ||
|
||||
strcmp(method, "challenge-response") == 0))
|
||||
record_failed_login(authctxt->user,
|
||||
get_canonical_hostname(options.use_dns), "ssh");
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
if (authenticated == 0 && !authctxt->postponed) {
|
||||
ssh_audit_event_t event;
|
||||
|
||||
debug3("audit failed auth attempt, method %s euid %d",
|
||||
method, (int)geteuid());
|
||||
/*
|
||||
* Because the auth loop is used in both monitor and slave,
|
||||
* we must be careful to send each event only once and with
|
||||
* enough privs to write the event.
|
||||
*/
|
||||
event = audit_classify_auth(method);
|
||||
switch(event) {
|
||||
case SSH_AUTH_FAIL_NONE:
|
||||
case SSH_AUTH_FAIL_PASSWD:
|
||||
case SSH_AUTH_FAIL_KBDINT:
|
||||
if (geteuid() == 0)
|
||||
audit_event(event);
|
||||
break;
|
||||
case SSH_AUTH_FAIL_PUBKEY:
|
||||
case SSH_AUTH_FAIL_HOSTBASED:
|
||||
case SSH_AUTH_FAIL_GSSAPI:
|
||||
/*
|
||||
* This is required to handle the case where privsep
|
||||
* is enabled but it's root logging in, since
|
||||
* use_privsep won't be cleared until after a
|
||||
* successful login.
|
||||
*/
|
||||
if (geteuid() == 0)
|
||||
audit_event(event);
|
||||
else
|
||||
PRIVSEP(audit_event(event));
|
||||
break;
|
||||
default:
|
||||
error("unknown authentication audit event %d", event);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
@ -466,8 +514,12 @@ getpwnamallow(const char *user)
|
||||
logit("Invalid user %.100s from %.100s",
|
||||
user, get_remote_ipaddr());
|
||||
#ifdef CUSTOM_FAILED_LOGIN
|
||||
record_failed_login(user, "ssh");
|
||||
record_failed_login(user,
|
||||
get_canonical_hostname(options.use_dns), "ssh");
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
audit_event(SSH_INVALID_USER);
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
return (NULL);
|
||||
}
|
||||
if (!allowed_user(pw))
|
||||
|
@ -31,6 +31,7 @@
|
||||
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "buffer.h"
|
||||
#include <openssl/rsa.h>
|
||||
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
@ -69,6 +70,7 @@ struct Authctxt {
|
||||
char *krb5_ticket_file;
|
||||
char *krb5_ccname;
|
||||
#endif
|
||||
Buffer *loginmsg;
|
||||
void *methoddata;
|
||||
};
|
||||
/*
|
||||
@ -131,6 +133,9 @@ int auth_shadow_pwexpired(Authctxt *);
|
||||
#endif
|
||||
|
||||
#include "auth-pam.h"
|
||||
#include "audit.h"
|
||||
void remove_kbdint_device(const char *);
|
||||
|
||||
void disable_forwarding(void);
|
||||
|
||||
void do_authentication(Authctxt *);
|
||||
@ -138,6 +143,7 @@ void do_authentication2(Authctxt *);
|
||||
|
||||
void auth_log(Authctxt *, int, char *, char *);
|
||||
void userauth_finish(Authctxt *, int, char *);
|
||||
void userauth_send_banner(const char *);
|
||||
int auth_root_allowed(char *);
|
||||
|
||||
char *auth2_read_banner(void);
|
||||
@ -182,6 +188,8 @@ void auth_debug_reset(void);
|
||||
|
||||
struct passwd *fakepw(void);
|
||||
|
||||
int sys_auth_passwd(Authctxt *, const char *);
|
||||
|
||||
#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
|
||||
|
||||
#ifdef SKEY
|
||||
|
@ -26,9 +26,11 @@ RCSID("$FreeBSD$");
|
||||
#include "session.h"
|
||||
#include "uidswap.h"
|
||||
#include "monitor_wrap.h"
|
||||
#include "buffer.h"
|
||||
|
||||
/* import */
|
||||
extern ServerOptions options;
|
||||
extern Buffer loginmsg;
|
||||
|
||||
/*
|
||||
* convert ssh auth msg type into description
|
||||
@ -246,14 +248,33 @@ do_authloop(Authctxt *authctxt)
|
||||
#else
|
||||
/* Special handling for root */
|
||||
if (authenticated && authctxt->pw->pw_uid == 0 &&
|
||||
!auth_root_allowed(get_authname(type)))
|
||||
!auth_root_allowed(get_authname(type))) {
|
||||
authenticated = 0;
|
||||
# ifdef SSH_AUDIT_EVENTS
|
||||
PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
|
||||
# endif
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam && authenticated &&
|
||||
!PRIVSEP(do_pam_account()))
|
||||
authenticated = 0;
|
||||
!PRIVSEP(do_pam_account())) {
|
||||
char *msg;
|
||||
size_t len;
|
||||
|
||||
error("Access denied for user %s by PAM account "
|
||||
"configuration", authctxt->user);
|
||||
len = buffer_len(&loginmsg);
|
||||
buffer_append(&loginmsg, "\0", 1);
|
||||
msg = buffer_ptr(&loginmsg);
|
||||
/* strip trailing newlines */
|
||||
if (len > 0)
|
||||
while (len > 0 && msg[--len] == '\n')
|
||||
msg[len] = '\0';
|
||||
else
|
||||
msg = "Access denied.";
|
||||
packet_disconnect(msg);
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Log before sending the reply */
|
||||
@ -267,8 +288,12 @@ do_authloop(Authctxt *authctxt)
|
||||
if (authenticated)
|
||||
return;
|
||||
|
||||
if (authctxt->failures++ > options.max_authtries)
|
||||
if (authctxt->failures++ > options.max_authtries) {
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
|
||||
#endif
|
||||
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
|
||||
}
|
||||
|
||||
packet_start(SSH_SMSG_FAILURE);
|
||||
packet_send();
|
||||
|
@ -23,7 +23,7 @@
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth2-chall.c,v 1.21 2004/06/01 14:20:45 dtucker Exp $");
|
||||
RCSID("$OpenBSD: auth2-chall.c,v 1.22 2005/01/19 13:11:47 dtucker Exp $");
|
||||
RCSID("$FreeBSD$");
|
||||
|
||||
#include "ssh2.h"
|
||||
@ -33,6 +33,10 @@ RCSID("$FreeBSD$");
|
||||
#include "xmalloc.h"
|
||||
#include "dispatch.h"
|
||||
#include "log.h"
|
||||
#include "servconf.h"
|
||||
|
||||
/* import */
|
||||
extern ServerOptions options;
|
||||
|
||||
static int auth2_challenge_start(Authctxt *);
|
||||
static int send_userauth_info_request(Authctxt *);
|
||||
@ -72,6 +76,21 @@ struct KbdintAuthctxt
|
||||
u_int nreq;
|
||||
};
|
||||
|
||||
#ifdef USE_PAM
|
||||
void
|
||||
remove_kbdint_device(const char *devname)
|
||||
{
|
||||
int i, j;
|
||||
|
||||
for (i = 0; devices[i] != NULL; i++)
|
||||
if (strcmp(devices[i]->name, devname) == 0) {
|
||||
for (j = i; devices[j] != NULL; j++)
|
||||
devices[j] = devices[j+1];
|
||||
i--;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
static KbdintAuthctxt *
|
||||
kbdint_alloc(const char *devs)
|
||||
{
|
||||
@ -79,6 +98,11 @@ kbdint_alloc(const char *devs)
|
||||
Buffer b;
|
||||
int i;
|
||||
|
||||
#ifdef USE_PAM
|
||||
if (!options.use_pam)
|
||||
remove_kbdint_device("pam");
|
||||
#endif
|
||||
|
||||
kbdintctxt = xmalloc(sizeof(KbdintAuthctxt));
|
||||
if (strcmp(devs, "") == 0) {
|
||||
buffer_init(&b);
|
||||
@ -275,12 +299,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
|
||||
}
|
||||
packet_check_eom();
|
||||
|
||||
if (authctxt->valid) {
|
||||
res = kbdintctxt->device->respond(kbdintctxt->ctxt,
|
||||
nresp, response);
|
||||
} else {
|
||||
res = -1;
|
||||
}
|
||||
res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
|
||||
|
||||
for (i = 0; i < nresp; i++) {
|
||||
memset(response[i], 'r', strlen(response[i]));
|
||||
@ -292,7 +311,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
|
||||
switch (res) {
|
||||
case 0:
|
||||
/* Success! */
|
||||
authenticated = 1;
|
||||
authenticated = authctxt->valid ? 1 : 0;
|
||||
break;
|
||||
case 1:
|
||||
/* Authentication needs further interaction */
|
||||
|
@ -54,7 +54,7 @@ userauth_kbdint(Authctxt *authctxt)
|
||||
xfree(lang);
|
||||
#ifdef HAVE_CYGWIN
|
||||
if (check_nt_auth(0, authctxt->pw) == 0)
|
||||
return(0);
|
||||
authenticated = 0;
|
||||
#endif
|
||||
return authenticated;
|
||||
}
|
||||
|
@ -37,6 +37,7 @@ RCSID("$FreeBSD$");
|
||||
#include "dispatch.h"
|
||||
#include "pathnames.h"
|
||||
#include "monitor_wrap.h"
|
||||
#include "buffer.h"
|
||||
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
@ -46,6 +47,7 @@ RCSID("$FreeBSD$");
|
||||
extern ServerOptions options;
|
||||
extern u_char *session_id2;
|
||||
extern u_int session_id2_len;
|
||||
extern Buffer loginmsg;
|
||||
|
||||
/* methods */
|
||||
|
||||
@ -173,6 +175,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam)
|
||||
PRIVSEP(start_pam(authctxt));
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
PRIVSEP(audit_event(SSH_INVALID_USER));
|
||||
#endif
|
||||
}
|
||||
setproctitle("%s%s", authctxt->valid ? user : "unknown",
|
||||
@ -242,12 +247,26 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
|
||||
|
||||
/* Special handling for root */
|
||||
if (authenticated && authctxt->pw->pw_uid == 0 &&
|
||||
!auth_root_allowed(method))
|
||||
!auth_root_allowed(method)) {
|
||||
authenticated = 0;
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
|
||||
#endif
|
||||
}
|
||||
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam && authenticated && !PRIVSEP(do_pam_account()))
|
||||
authenticated = 0;
|
||||
if (options.use_pam && authenticated) {
|
||||
if (!PRIVSEP(do_pam_account())) {
|
||||
/* if PAM returned a message, send it to the user */
|
||||
if (buffer_len(&loginmsg) > 0) {
|
||||
buffer_append(&loginmsg, "\0", 1);
|
||||
userauth_send_banner(buffer_ptr(&loginmsg));
|
||||
packet_write_wait();
|
||||
}
|
||||
fatal("Access denied for user %s by PAM account "
|
||||
"configuration", authctxt->user);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef _UNICOS
|
||||
@ -273,8 +292,12 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
|
||||
/* now we can break out */
|
||||
authctxt->success = 1;
|
||||
} else {
|
||||
if (authctxt->failures++ > options.max_authtries)
|
||||
if (authctxt->failures++ > options.max_authtries) {
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
|
||||
#endif
|
||||
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
|
||||
}
|
||||
methods = authmethods_get();
|
||||
packet_start(SSH2_MSG_USERAUTH_FAILURE);
|
||||
packet_put_cstring(methods);
|
||||
|
@ -36,7 +36,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: authfile.c,v 1.57 2004/06/21 17:36:31 avsm Exp $");
|
||||
RCSID("$OpenBSD: authfile.c,v 1.60 2004/12/11 01:48:56 dtucker Exp $");
|
||||
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
@ -51,6 +51,7 @@ RCSID("$OpenBSD: authfile.c,v 1.57 2004/06/21 17:36:31 avsm Exp $");
|
||||
#include "log.h"
|
||||
#include "authfile.h"
|
||||
#include "rsa.h"
|
||||
#include "misc.h"
|
||||
|
||||
/* Version identification string for SSH v1 identity files. */
|
||||
static const char authfile_id_string[] =
|
||||
@ -243,8 +244,10 @@ key_load_public_rsa1(int fd, const char *filename, char **commentp)
|
||||
filename, strerror(errno));
|
||||
return NULL;
|
||||
}
|
||||
if (st.st_size > 1*1024*1024)
|
||||
close(fd);
|
||||
if (st.st_size > 1*1024*1024) {
|
||||
error("key file %.200s too large", filename);
|
||||
return NULL;
|
||||
}
|
||||
len = (size_t)st.st_size; /* truncated */
|
||||
|
||||
buffer_init(&buffer);
|
||||
@ -335,6 +338,7 @@ key_load_private_rsa1(int fd, const char *filename, const char *passphrase,
|
||||
return NULL;
|
||||
}
|
||||
if (st.st_size > 1*1024*1024) {
|
||||
error("key file %.200s too large", filename);
|
||||
close(fd);
|
||||
return (NULL);
|
||||
}
|
||||
@ -598,13 +602,14 @@ static int
|
||||
key_try_load_public(Key *k, const char *filename, char **commentp)
|
||||
{
|
||||
FILE *f;
|
||||
char line[4096];
|
||||
char line[SSH_MAX_PUBKEY_BYTES];
|
||||
char *cp;
|
||||
u_long linenum = 0;
|
||||
|
||||
f = fopen(filename, "r");
|
||||
if (f != NULL) {
|
||||
while (fgets(line, sizeof(line), f)) {
|
||||
line[sizeof(line)-1] = '\0';
|
||||
while (read_keyfile_line(f, filename, line, sizeof(line),
|
||||
&linenum) != -1) {
|
||||
cp = line;
|
||||
switch (*cp) {
|
||||
case '#':
|
||||
|
@ -37,7 +37,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: bufaux.c,v 1.32 2004/02/23 15:12:46 markus Exp $");
|
||||
RCSID("$OpenBSD: bufaux.c,v 1.35 2005/03/10 22:01:05 deraadt Exp $");
|
||||
RCSID("$FreeBSD$");
|
||||
|
||||
#include <openssl/bn.h>
|
||||
@ -50,8 +50,8 @@ RCSID("$FreeBSD$");
|
||||
* Stores an BIGNUM in the buffer with a 2-byte msb first bit count, followed
|
||||
* by (bits+7)/8 bytes of binary data, msb first.
|
||||
*/
|
||||
void
|
||||
buffer_put_bignum(Buffer *buffer, const BIGNUM *value)
|
||||
int
|
||||
buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
|
||||
{
|
||||
int bits = BN_num_bits(value);
|
||||
int bin_size = (bits + 7) / 8;
|
||||
@ -61,9 +61,11 @@ buffer_put_bignum(Buffer *buffer, const BIGNUM *value)
|
||||
|
||||
/* Get the value of in binary */
|
||||
oi = BN_bn2bin(value, buf);
|
||||
if (oi != bin_size)
|
||||
fatal("buffer_put_bignum: BN_bn2bin() failed: oi %d != bin_size %d",
|
||||
if (oi != bin_size) {
|
||||
error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d",
|
||||
oi, bin_size);
|
||||
return (-1);
|
||||
}
|
||||
|
||||
/* Store the number of bits in the buffer in two bytes, msb first. */
|
||||
PUT_16BIT(msg, bits);
|
||||
@ -73,36 +75,63 @@ buffer_put_bignum(Buffer *buffer, const BIGNUM *value)
|
||||
|
||||
memset(buf, 0, bin_size);
|
||||
xfree(buf);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
void
|
||||
buffer_put_bignum(Buffer *buffer, const BIGNUM *value)
|
||||
{
|
||||
if (buffer_put_bignum_ret(buffer, value) == -1)
|
||||
fatal("buffer_put_bignum: buffer error");
|
||||
}
|
||||
|
||||
/*
|
||||
* Retrieves an BIGNUM from the buffer.
|
||||
*/
|
||||
void
|
||||
buffer_get_bignum(Buffer *buffer, BIGNUM *value)
|
||||
int
|
||||
buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
|
||||
{
|
||||
u_int bits, bytes;
|
||||
u_char buf[2], *bin;
|
||||
|
||||
/* Get the number for bits. */
|
||||
buffer_get(buffer, (char *) buf, 2);
|
||||
if (buffer_get_ret(buffer, (char *) buf, 2) == -1) {
|
||||
error("buffer_get_bignum_ret: invalid length");
|
||||
return (-1);
|
||||
}
|
||||
bits = GET_16BIT(buf);
|
||||
/* Compute the number of binary bytes that follow. */
|
||||
bytes = (bits + 7) / 8;
|
||||
if (bytes > 8 * 1024)
|
||||
fatal("buffer_get_bignum: cannot handle BN of size %d", bytes);
|
||||
if (buffer_len(buffer) < bytes)
|
||||
fatal("buffer_get_bignum: input buffer too small");
|
||||
if (bytes > 8 * 1024) {
|
||||
error("buffer_get_bignum_ret: cannot handle BN of size %d", bytes);
|
||||
return (-1);
|
||||
}
|
||||
if (buffer_len(buffer) < bytes) {
|
||||
error("buffer_get_bignum_ret: input buffer too small");
|
||||
return (-1);
|
||||
}
|
||||
bin = buffer_ptr(buffer);
|
||||
BN_bin2bn(bin, bytes, value);
|
||||
buffer_consume(buffer, bytes);
|
||||
if (buffer_consume_ret(buffer, bytes) == -1) {
|
||||
error("buffer_get_bignum_ret: buffer_consume failed");
|
||||
return (-1);
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
|
||||
void
|
||||
buffer_get_bignum(Buffer *buffer, BIGNUM *value)
|
||||
{
|
||||
if (buffer_get_bignum_ret(buffer, value) == -1)
|
||||
fatal("buffer_get_bignum: buffer error");
|
||||
}
|
||||
|
||||
/*
|
||||
* Stores an BIGNUM in the buffer in SSH2 format.
|
||||
*/
|
||||
void
|
||||
buffer_put_bignum2(Buffer *buffer, const BIGNUM *value)
|
||||
int
|
||||
buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
|
||||
{
|
||||
u_int bytes;
|
||||
u_char *buf;
|
||||
@ -111,69 +140,140 @@ buffer_put_bignum2(Buffer *buffer, const BIGNUM *value)
|
||||
|
||||
if (BN_is_zero(value)) {
|
||||
buffer_put_int(buffer, 0);
|
||||
return;
|
||||
return 0;
|
||||
}
|
||||
if (value->neg) {
|
||||
error("buffer_put_bignum2_ret: negative numbers not supported");
|
||||
return (-1);
|
||||
}
|
||||
if (value->neg)
|
||||
fatal("buffer_put_bignum2: negative numbers not supported");
|
||||
bytes = BN_num_bytes(value) + 1; /* extra padding byte */
|
||||
if (bytes < 2)
|
||||
fatal("buffer_put_bignum2: BN too small");
|
||||
if (bytes < 2) {
|
||||
error("buffer_put_bignum2_ret: BN too small");
|
||||
return (-1);
|
||||
}
|
||||
buf = xmalloc(bytes);
|
||||
buf[0] = '\0';
|
||||
buf[0] = 0x00;
|
||||
/* Get the value of in binary */
|
||||
oi = BN_bn2bin(value, buf+1);
|
||||
if (oi != bytes-1)
|
||||
fatal("buffer_put_bignum2: BN_bn2bin() failed: "
|
||||
if (oi != bytes-1) {
|
||||
error("buffer_put_bignum2_ret: BN_bn2bin() failed: "
|
||||
"oi %d != bin_size %d", oi, bytes);
|
||||
xfree(buf);
|
||||
return (-1);
|
||||
}
|
||||
hasnohigh = (buf[1] & 0x80) ? 0 : 1;
|
||||
buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh);
|
||||
memset(buf, 0, bytes);
|
||||
xfree(buf);
|
||||
return (0);
|
||||
}
|
||||
|
||||
void
|
||||
buffer_put_bignum2(Buffer *buffer, const BIGNUM *value)
|
||||
{
|
||||
if (buffer_put_bignum2_ret(buffer, value) == -1)
|
||||
fatal("buffer_put_bignum2: buffer error");
|
||||
}
|
||||
|
||||
int
|
||||
buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value)
|
||||
{
|
||||
u_int len;
|
||||
u_char *bin;
|
||||
|
||||
if ((bin = buffer_get_string_ret(buffer, &len)) == NULL) {
|
||||
error("buffer_get_bignum2_ret: invalid bignum");
|
||||
return (-1);
|
||||
}
|
||||
|
||||
if (len > 0 && (bin[0] & 0x80)) {
|
||||
error("buffer_get_bignum2_ret: negative numbers not supported");
|
||||
return (-1);
|
||||
}
|
||||
if (len > 8 * 1024) {
|
||||
error("buffer_get_bignum2_ret: cannot handle BN of size %d", len);
|
||||
return (-1);
|
||||
}
|
||||
BN_bin2bn(bin, len, value);
|
||||
xfree(bin);
|
||||
return (0);
|
||||
}
|
||||
|
||||
void
|
||||
buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
|
||||
{
|
||||
u_int len;
|
||||
u_char *bin = buffer_get_string(buffer, &len);
|
||||
|
||||
if (len > 0 && (bin[0] & 0x80))
|
||||
fatal("buffer_get_bignum2: negative numbers not supported");
|
||||
if (len > 8 * 1024)
|
||||
fatal("buffer_get_bignum2: cannot handle BN of size %d", len);
|
||||
BN_bin2bn(bin, len, value);
|
||||
xfree(bin);
|
||||
if (buffer_get_bignum2_ret(buffer, value) == -1)
|
||||
fatal("buffer_get_bignum2: buffer error");
|
||||
}
|
||||
|
||||
/*
|
||||
* Returns integers from the buffer (msb first).
|
||||
*/
|
||||
|
||||
u_short
|
||||
buffer_get_short(Buffer *buffer)
|
||||
int
|
||||
buffer_get_short_ret(u_short *ret, Buffer *buffer)
|
||||
{
|
||||
u_char buf[2];
|
||||
|
||||
buffer_get(buffer, (char *) buf, 2);
|
||||
return GET_16BIT(buf);
|
||||
if (buffer_get_ret(buffer, (char *) buf, 2) == -1)
|
||||
return (-1);
|
||||
*ret = GET_16BIT(buf);
|
||||
return (0);
|
||||
}
|
||||
|
||||
u_short
|
||||
buffer_get_short(Buffer *buffer)
|
||||
{
|
||||
u_short ret;
|
||||
|
||||
if (buffer_get_short_ret(&ret, buffer) == -1)
|
||||
fatal("buffer_get_short: buffer error");
|
||||
|
||||
return (ret);
|
||||
}
|
||||
|
||||
int
|
||||
buffer_get_int_ret(u_int *ret, Buffer *buffer)
|
||||
{
|
||||
u_char buf[4];
|
||||
|
||||
if (buffer_get_ret(buffer, (char *) buf, 4) == -1)
|
||||
return (-1);
|
||||
*ret = GET_32BIT(buf);
|
||||
return (0);
|
||||
}
|
||||
|
||||
u_int
|
||||
buffer_get_int(Buffer *buffer)
|
||||
{
|
||||
u_char buf[4];
|
||||
u_int ret;
|
||||
|
||||
buffer_get(buffer, (char *) buf, 4);
|
||||
return GET_32BIT(buf);
|
||||
if (buffer_get_int_ret(&ret, buffer) == -1)
|
||||
fatal("buffer_get_int: buffer error");
|
||||
|
||||
return (ret);
|
||||
}
|
||||
|
||||
int
|
||||
buffer_get_int64_ret(u_int64_t *ret, Buffer *buffer)
|
||||
{
|
||||
u_char buf[8];
|
||||
|
||||
if (buffer_get_ret(buffer, (char *) buf, 8) == -1)
|
||||
return (-1);
|
||||
*ret = GET_64BIT(buf);
|
||||
return (0);
|
||||
}
|
||||
|
||||
u_int64_t
|
||||
buffer_get_int64(Buffer *buffer)
|
||||
{
|
||||
u_char buf[8];
|
||||
u_int64_t ret;
|
||||
|
||||
buffer_get(buffer, (char *) buf, 8);
|
||||
return GET_64BIT(buf);
|
||||
if (buffer_get_int64_ret(&ret, buffer) == -1)
|
||||
fatal("buffer_get_int: buffer error");
|
||||
|
||||
return (ret);
|
||||
}
|
||||
|
||||
/*
|
||||
@ -215,25 +315,41 @@ buffer_put_int64(Buffer *buffer, u_int64_t value)
|
||||
* to the returned string, and is not counted in length.
|
||||
*/
|
||||
void *
|
||||
buffer_get_string(Buffer *buffer, u_int *length_ptr)
|
||||
buffer_get_string_ret(Buffer *buffer, u_int *length_ptr)
|
||||
{
|
||||
u_char *value;
|
||||
u_int len;
|
||||
|
||||
/* Get the length. */
|
||||
len = buffer_get_int(buffer);
|
||||
if (len > 256 * 1024)
|
||||
fatal("buffer_get_string: bad string length %u", len);
|
||||
if (len > 256 * 1024) {
|
||||
error("buffer_get_string_ret: bad string length %u", len);
|
||||
return (NULL);
|
||||
}
|
||||
/* Allocate space for the string. Add one byte for a null character. */
|
||||
value = xmalloc(len + 1);
|
||||
/* Get the string. */
|
||||
buffer_get(buffer, value, len);
|
||||
if (buffer_get_ret(buffer, value, len) == -1) {
|
||||
error("buffer_get_string_ret: buffer_get failed");
|
||||
xfree(value);
|
||||
return (NULL);
|
||||
}
|
||||
/* Append a null character to make processing easier. */
|
||||
value[len] = 0;
|
||||
/* Optionally return the length of the string. */
|
||||
if (length_ptr)
|
||||
*length_ptr = len;
|
||||
return value;
|
||||
return (value);
|
||||
}
|
||||
|
||||
void *
|
||||
buffer_get_string(Buffer *buffer, u_int *length_ptr)
|
||||
{
|
||||
void *ret;
|
||||
|
||||
if ((ret = buffer_get_string_ret(buffer, length_ptr)) == NULL)
|
||||
fatal("buffer_get_string: buffer error");
|
||||
return (ret);
|
||||
}
|
||||
|
||||
/*
|
||||
@ -256,12 +372,23 @@ buffer_put_cstring(Buffer *buffer, const char *s)
|
||||
/*
|
||||
* Returns a character from the buffer (0 - 255).
|
||||
*/
|
||||
int
|
||||
buffer_get_char_ret(char *ret, Buffer *buffer)
|
||||
{
|
||||
if (buffer_get_ret(buffer, ret, 1) == -1) {
|
||||
error("buffer_get_char_ret: buffer_get_ret failed");
|
||||
return (-1);
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
buffer_get_char(Buffer *buffer)
|
||||
{
|
||||
char ch;
|
||||
|
||||
buffer_get(buffer, &ch, 1);
|
||||
if (buffer_get_char_ret(&ch, buffer) == -1)
|
||||
fatal("buffer_get_char: buffer error");
|
||||
return (u_char) ch;
|
||||
}
|
||||
|
||||
|
@ -12,7 +12,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: canohost.c,v 1.41 2004/07/21 11:51:29 djm Exp $");
|
||||
RCSID("$OpenBSD: canohost.c,v 1.42 2005/02/18 03:05:53 djm Exp $");
|
||||
|
||||
#include "packet.h"
|
||||
#include "xmalloc.h"
|
||||
@ -20,7 +20,6 @@ RCSID("$OpenBSD: canohost.c,v 1.41 2004/07/21 11:51:29 djm Exp $");
|
||||
#include "canohost.h"
|
||||
|
||||
static void check_ip_options(int, char *);
|
||||
static void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
|
||||
|
||||
/*
|
||||
* Return the canonical name of the host at the other end of the socket. The
|
||||
@ -166,7 +165,7 @@ check_ip_options(int sock, char *ipaddr)
|
||||
#endif /* IP_OPTIONS */
|
||||
}
|
||||
|
||||
static void
|
||||
void
|
||||
ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
|
||||
{
|
||||
struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)addr;
|
||||
@ -232,6 +231,7 @@ get_socket_address(int sock, int remote, int flags)
|
||||
struct sockaddr_storage addr;
|
||||
socklen_t addrlen;
|
||||
char ntop[NI_MAXHOST];
|
||||
int r;
|
||||
|
||||
/* Get IP address of client. */
|
||||
addrlen = sizeof(addr);
|
||||
@ -251,10 +251,13 @@ get_socket_address(int sock, int remote, int flags)
|
||||
if (addr.ss_family == AF_INET6)
|
||||
addrlen = sizeof(struct sockaddr_in6);
|
||||
|
||||
ipv64_normalise_mapped(&addr, &addrlen);
|
||||
|
||||
/* Get the address in ascii. */
|
||||
if (getnameinfo((struct sockaddr *)&addr, addrlen, ntop, sizeof(ntop),
|
||||
NULL, 0, flags) != 0) {
|
||||
error("get_socket_address: getnameinfo %d failed", flags);
|
||||
if ((r = getnameinfo((struct sockaddr *)&addr, addrlen, ntop,
|
||||
sizeof(ntop), NULL, 0, flags)) != 0) {
|
||||
error("get_socket_address: getnameinfo %d failed: %s", flags,
|
||||
r == EAI_SYSTEM ? strerror(errno) : gai_strerror(r));
|
||||
return NULL;
|
||||
}
|
||||
return xstrdup(ntop);
|
||||
@ -330,6 +333,7 @@ get_sock_port(int sock, int local)
|
||||
struct sockaddr_storage from;
|
||||
socklen_t fromlen;
|
||||
char strport[NI_MAXSERV];
|
||||
int r;
|
||||
|
||||
/* Get IP address of client. */
|
||||
fromlen = sizeof(from);
|
||||
@ -351,9 +355,10 @@ get_sock_port(int sock, int local)
|
||||
fromlen = sizeof(struct sockaddr_in6);
|
||||
|
||||
/* Return port number. */
|
||||
if (getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0,
|
||||
strport, sizeof(strport), NI_NUMERICSERV) != 0)
|
||||
fatal("get_sock_port: getnameinfo NI_NUMERICSERV failed");
|
||||
if ((r = getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0,
|
||||
strport, sizeof(strport), NI_NUMERICSERV)) != 0)
|
||||
fatal("get_sock_port: getnameinfo NI_NUMERICSERV failed: %s",
|
||||
r == EAI_SYSTEM ? strerror(errno) : gai_strerror(r));
|
||||
return atoi(strport);
|
||||
}
|
||||
|
||||
|
@ -39,7 +39,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: channels.c,v 1.209 2004/08/11 21:43:04 avsm Exp $");
|
||||
RCSID("$OpenBSD: channels.c,v 1.214 2005/03/14 11:46:56 markus Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "ssh1.h"
|
||||
@ -58,6 +58,8 @@ RCSID("$OpenBSD: channels.c,v 1.209 2004/08/11 21:43:04 avsm Exp $");
|
||||
|
||||
/* -- channel core */
|
||||
|
||||
#define CHAN_RBUF 16*1024
|
||||
|
||||
/*
|
||||
* Pointer to an array containing all allocated channels. The array is
|
||||
* dynamically extended as needed.
|
||||
@ -712,6 +714,9 @@ channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
{
|
||||
u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
|
||||
|
||||
/* check buffer limits */
|
||||
limit = MIN(limit, (BUFFER_MAX_LEN - BUFFER_MAX_CHUNK - CHAN_RBUF));
|
||||
|
||||
if (c->istate == CHAN_INPUT_OPEN &&
|
||||
limit > 0 &&
|
||||
buffer_len(&c->input) < limit)
|
||||
@ -1018,7 +1023,7 @@ channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
debug2("channel %d: only socks5 connect supported", c->self);
|
||||
return -1;
|
||||
}
|
||||
switch(s5_req.atyp){
|
||||
switch (s5_req.atyp){
|
||||
case SSH_SOCKS5_IPV4:
|
||||
addrlen = 4;
|
||||
af = AF_INET;
|
||||
@ -1360,7 +1365,7 @@ channel_post_connecting(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
static int
|
||||
channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
{
|
||||
char buf[16*1024];
|
||||
char buf[CHAN_RBUF];
|
||||
int len;
|
||||
|
||||
if (c->rfd != -1 &&
|
||||
@ -1454,7 +1459,7 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
static int
|
||||
channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
{
|
||||
char buf[16*1024];
|
||||
char buf[CHAN_RBUF];
|
||||
int len;
|
||||
|
||||
/** XXX handle drain efd, too */
|
||||
@ -2179,14 +2184,14 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
|
||||
const char *host_to_connect, u_short port_to_connect, int gateway_ports)
|
||||
{
|
||||
Channel *c;
|
||||
int success, sock, on = 1;
|
||||
int sock, r, success = 0, on = 1, wildcard = 0, is_client;
|
||||
struct addrinfo hints, *ai, *aitop;
|
||||
const char *host;
|
||||
const char *host, *addr;
|
||||
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
|
||||
|
||||
success = 0;
|
||||
host = (type == SSH_CHANNEL_RPORT_LISTENER) ?
|
||||
listen_addr : host_to_connect;
|
||||
is_client = (type == SSH_CHANNEL_PORT_LISTENER);
|
||||
|
||||
if (host == NULL) {
|
||||
error("No forward host name.");
|
||||
@ -2197,17 +2202,61 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
|
||||
return success;
|
||||
}
|
||||
|
||||
/*
|
||||
* Determine whether or not a port forward listens to loopback,
|
||||
* specified address or wildcard. On the client, a specified bind
|
||||
* address will always override gateway_ports. On the server, a
|
||||
* gateway_ports of 1 (``yes'') will override the client's
|
||||
* specification and force a wildcard bind, whereas a value of 2
|
||||
* (``clientspecified'') will bind to whatever address the client
|
||||
* asked for.
|
||||
*
|
||||
* Special-case listen_addrs are:
|
||||
*
|
||||
* "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
|
||||
* "" (empty string), "*" -> wildcard v4/v6
|
||||
* "localhost" -> loopback v4/v6
|
||||
*/
|
||||
addr = NULL;
|
||||
if (listen_addr == NULL) {
|
||||
/* No address specified: default to gateway_ports setting */
|
||||
if (gateway_ports)
|
||||
wildcard = 1;
|
||||
} else if (gateway_ports || is_client) {
|
||||
if (((datafellows & SSH_OLD_FORWARD_ADDR) &&
|
||||
strcmp(listen_addr, "0.0.0.0") == 0) ||
|
||||
*listen_addr == '\0' || strcmp(listen_addr, "*") == 0 ||
|
||||
(!is_client && gateway_ports == 1))
|
||||
wildcard = 1;
|
||||
else if (strcmp(listen_addr, "localhost") != 0)
|
||||
addr = listen_addr;
|
||||
}
|
||||
|
||||
debug3("channel_setup_fwd_listener: type %d wildcard %d addr %s",
|
||||
type, wildcard, (addr == NULL) ? "NULL" : addr);
|
||||
|
||||
/*
|
||||
* getaddrinfo returns a loopback address if the hostname is
|
||||
* set to NULL and hints.ai_flags is not AI_PASSIVE
|
||||
*/
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = IPv4or6;
|
||||
hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
|
||||
hints.ai_flags = wildcard ? AI_PASSIVE : 0;
|
||||
hints.ai_socktype = SOCK_STREAM;
|
||||
snprintf(strport, sizeof strport, "%d", listen_port);
|
||||
if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
|
||||
packet_disconnect("getaddrinfo: fatal error");
|
||||
if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) {
|
||||
if (addr == NULL) {
|
||||
/* This really shouldn't happen */
|
||||
packet_disconnect("getaddrinfo: fatal error: %s",
|
||||
gai_strerror(r));
|
||||
} else {
|
||||
verbose("channel_setup_fwd_listener: "
|
||||
"getaddrinfo(%.64s): %s", addr, gai_strerror(r));
|
||||
packet_send_debug("channel_setup_fwd_listener: "
|
||||
"getaddrinfo(%.64s): %s", addr, gai_strerror(r));
|
||||
}
|
||||
aitop = NULL;
|
||||
}
|
||||
|
||||
for (ai = aitop; ai; ai = ai->ai_next) {
|
||||
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
|
||||
@ -2273,13 +2322,13 @@ channel_cancel_rport_listener(const char *host, u_short port)
|
||||
u_int i;
|
||||
int found = 0;
|
||||
|
||||
for(i = 0; i < channels_alloc; i++) {
|
||||
for (i = 0; i < channels_alloc; i++) {
|
||||
Channel *c = channels[i];
|
||||
|
||||
if (c != NULL && c->type == SSH_CHANNEL_RPORT_LISTENER &&
|
||||
strncmp(c->path, host, sizeof(c->path)) == 0 &&
|
||||
c->listening_port == port) {
|
||||
debug2("%s: close clannel %d", __func__, i);
|
||||
debug2("%s: close channel %d", __func__, i);
|
||||
channel_free(c);
|
||||
found = 1;
|
||||
}
|
||||
@ -2290,11 +2339,12 @@ channel_cancel_rport_listener(const char *host, u_short port)
|
||||
|
||||
/* protocol local port fwd, used by ssh (and sshd in v1) */
|
||||
int
|
||||
channel_setup_local_fwd_listener(u_short listen_port,
|
||||
channel_setup_local_fwd_listener(const char *listen_host, u_short listen_port,
|
||||
const char *host_to_connect, u_short port_to_connect, int gateway_ports)
|
||||
{
|
||||
return channel_setup_fwd_listener(SSH_CHANNEL_PORT_LISTENER,
|
||||
NULL, listen_port, host_to_connect, port_to_connect, gateway_ports);
|
||||
listen_host, listen_port, host_to_connect, port_to_connect,
|
||||
gateway_ports);
|
||||
}
|
||||
|
||||
/* protocol v2 remote port fwd, used by sshd */
|
||||
@ -2312,7 +2362,7 @@ channel_setup_remote_fwd_listener(const char *listen_address,
|
||||
*/
|
||||
|
||||
void
|
||||
channel_request_remote_forwarding(u_short listen_port,
|
||||
channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
|
||||
const char *host_to_connect, u_short port_to_connect)
|
||||
{
|
||||
int type, success = 0;
|
||||
@ -2323,7 +2373,14 @@ channel_request_remote_forwarding(u_short listen_port,
|
||||
|
||||
/* Send the forward request to the remote side. */
|
||||
if (compat20) {
|
||||
const char *address_to_bind = "0.0.0.0";
|
||||
const char *address_to_bind;
|
||||
if (listen_host == NULL)
|
||||
address_to_bind = "localhost";
|
||||
else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0)
|
||||
address_to_bind = "";
|
||||
else
|
||||
address_to_bind = listen_host;
|
||||
|
||||
packet_start(SSH2_MSG_GLOBAL_REQUEST);
|
||||
packet_put_cstring("tcpip-forward");
|
||||
packet_put_char(1); /* boolean: want reply */
|
||||
@ -2369,10 +2426,9 @@ channel_request_remote_forwarding(u_short listen_port,
|
||||
* local side.
|
||||
*/
|
||||
void
|
||||
channel_request_rforward_cancel(u_short port)
|
||||
channel_request_rforward_cancel(const char *host, u_short port)
|
||||
{
|
||||
int i;
|
||||
const char *address_to_bind = "0.0.0.0";
|
||||
|
||||
if (!compat20)
|
||||
return;
|
||||
@ -2389,7 +2445,7 @@ channel_request_rforward_cancel(u_short port)
|
||||
packet_start(SSH2_MSG_GLOBAL_REQUEST);
|
||||
packet_put_cstring("cancel-tcpip-forward");
|
||||
packet_put_char(0);
|
||||
packet_put_cstring(address_to_bind);
|
||||
packet_put_cstring(host == NULL ? "" : host);
|
||||
packet_put_int(port);
|
||||
packet_send();
|
||||
|
||||
@ -2430,7 +2486,8 @@ channel_input_port_forward_request(int is_root, int gateway_ports)
|
||||
#endif
|
||||
|
||||
/* Initiate forwarding */
|
||||
channel_setup_local_fwd_listener(port, hostname, host_port, gateway_ports);
|
||||
channel_setup_local_fwd_listener(NULL, port, hostname,
|
||||
host_port, gateway_ports);
|
||||
|
||||
/* Free the argument string. */
|
||||
xfree(hostname);
|
||||
@ -2577,7 +2634,7 @@ channel_send_window_changes(void)
|
||||
struct winsize ws;
|
||||
|
||||
for (i = 0; i < channels_alloc; i++) {
|
||||
if (channels[i] == NULL ||
|
||||
if (channels[i] == NULL || !channels[i]->client_tty ||
|
||||
channels[i]->type != SSH_CHANNEL_OPEN)
|
||||
continue;
|
||||
if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0)
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: channels.h,v 1.74 2004/08/11 21:43:04 avsm Exp $ */
|
||||
/* $OpenBSD: channels.h,v 1.76 2005/03/01 10:09:52 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -79,6 +79,7 @@ struct Channel {
|
||||
int ctl_fd; /* control fd (client sharing) */
|
||||
int isatty; /* rfd is a tty */
|
||||
int wfd_isatty; /* wfd is a tty */
|
||||
int client_tty; /* (client) TTY has been requested */
|
||||
int force_drain; /* force close on iEOF */
|
||||
int delayed; /* fdset hack */
|
||||
Buffer input; /* data read from socket, to be sent over
|
||||
@ -202,9 +203,11 @@ void channel_clear_permitted_opens(void);
|
||||
void channel_input_port_forward_request(int, int);
|
||||
int channel_connect_to(const char *, u_short);
|
||||
int channel_connect_by_listen_address(u_short);
|
||||
void channel_request_remote_forwarding(u_short, const char *, u_short);
|
||||
void channel_request_rforward_cancel(u_short port);
|
||||
int channel_setup_local_fwd_listener(u_short, const char *, u_short, int);
|
||||
void channel_request_remote_forwarding(const char *, u_short,
|
||||
const char *, u_short);
|
||||
int channel_setup_local_fwd_listener(const char *, u_short,
|
||||
const char *, u_short, int);
|
||||
void channel_request_rforward_cancel(const char *host, u_short port);
|
||||
int channel_setup_remote_fwd_listener(const char *, u_short, int);
|
||||
int channel_cancel_rport_listener(const char *, u_short);
|
||||
|
||||
|
@ -35,7 +35,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: cipher.c,v 1.71 2004/07/28 09:40:29 markus Exp $");
|
||||
RCSID("$OpenBSD: cipher.c,v 1.73 2005/01/23 10:18:12 djm Exp $");
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
@ -146,7 +146,7 @@ cipher_by_name(const char *name)
|
||||
{
|
||||
Cipher *c;
|
||||
for (c = ciphers; c->name != NULL; c++)
|
||||
if (strcasecmp(c->name, name) == 0)
|
||||
if (strcmp(c->name, name) == 0)
|
||||
return c;
|
||||
return NULL;
|
||||
}
|
||||
@ -199,8 +199,10 @@ cipher_number(const char *name)
|
||||
Cipher *c;
|
||||
if (name == NULL)
|
||||
return -1;
|
||||
c = cipher_by_name(name);
|
||||
return (c==NULL) ? -1 : c->number;
|
||||
for (c = ciphers; c->name != NULL; c++)
|
||||
if (strcasecmp(c->name, name) == 0)
|
||||
return c->number;
|
||||
return -1;
|
||||
}
|
||||
|
||||
char *
|
||||
|
@ -23,7 +23,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: compat.c,v 1.70 2003/11/02 11:01:03 markus Exp $");
|
||||
RCSID("$OpenBSD: compat.c,v 1.71 2005/03/01 10:09:52 djm Exp $");
|
||||
RCSID("$FreeBSD$");
|
||||
|
||||
#include "buffer.h"
|
||||
@ -63,24 +63,28 @@ compat_datafellows(const char *version)
|
||||
"OpenSSH_2.1*,"
|
||||
"OpenSSH_2.2*", SSH_OLD_SESSIONID|SSH_BUG_BANNER|
|
||||
SSH_OLD_DHGEX|SSH_BUG_NOREKEY|
|
||||
SSH_BUG_EXTEOF},
|
||||
SSH_BUG_EXTEOF|SSH_OLD_FORWARD_ADDR},
|
||||
{ "OpenSSH_2.3.0*", SSH_BUG_BANNER|SSH_BUG_BIGENDIANAES|
|
||||
SSH_OLD_DHGEX|SSH_BUG_NOREKEY|
|
||||
SSH_BUG_EXTEOF},
|
||||
SSH_BUG_EXTEOF|SSH_OLD_FORWARD_ADDR},
|
||||
{ "OpenSSH_2.3.*", SSH_BUG_BIGENDIANAES|SSH_OLD_DHGEX|
|
||||
SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
|
||||
SSH_BUG_NOREKEY|SSH_BUG_EXTEOF|
|
||||
SSH_OLD_FORWARD_ADDR},
|
||||
{ "OpenSSH_2.5.0p1*,"
|
||||
"OpenSSH_2.5.1p1*",
|
||||
SSH_BUG_BIGENDIANAES|SSH_OLD_DHGEX|
|
||||
SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
|
||||
SSH_BUG_NOREKEY|SSH_BUG_EXTEOF|
|
||||
SSH_OLD_FORWARD_ADDR},
|
||||
{ "OpenSSH_2.5.0*,"
|
||||
"OpenSSH_2.5.1*,"
|
||||
"OpenSSH_2.5.2*", SSH_OLD_DHGEX|SSH_BUG_NOREKEY|
|
||||
SSH_BUG_EXTEOF},
|
||||
{ "OpenSSH_2.5.3*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
|
||||
SSH_BUG_EXTEOF|SSH_OLD_FORWARD_ADDR},
|
||||
{ "OpenSSH_2.5.3*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF|
|
||||
SSH_OLD_FORWARD_ADDR},
|
||||
{ "OpenSSH_2.*,"
|
||||
"OpenSSH_3.0*,"
|
||||
"OpenSSH_3.1*", SSH_BUG_EXTEOF},
|
||||
"OpenSSH_3.1*", SSH_BUG_EXTEOF|SSH_OLD_FORWARD_ADDR},
|
||||
{ "OpenSSH_3.*", SSH_OLD_FORWARD_ADDR },
|
||||
{ "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
|
||||
{ "OpenSSH*", 0 },
|
||||
{ "*MindTerm*", 0 },
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: compat.h,v 1.38 2004/07/11 17:48:47 deraadt Exp $ */
|
||||
/* $OpenBSD: compat.h,v 1.39 2005/03/01 10:09:52 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved.
|
||||
@ -55,6 +55,7 @@
|
||||
#define SSH_BUG_EXTEOF 0x00200000
|
||||
#define SSH_BUG_PROBE 0x00400000
|
||||
#define SSH_BUG_FIRSTKEX 0x00800000
|
||||
#define SSH_OLD_FORWARD_ADDR 0x01000000
|
||||
|
||||
void enable_compat13(void);
|
||||
void enable_compat20(void);
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -36,13 +36,102 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: hostfile.c,v 1.32 2003/11/10 16:23:41 jakob Exp $");
|
||||
RCSID("$OpenBSD: hostfile.c,v 1.34 2005/03/10 22:01:05 deraadt Exp $");
|
||||
|
||||
#include <resolv.h>
|
||||
#include <openssl/hmac.h>
|
||||
#include <openssl/sha.h>
|
||||
|
||||
#include "packet.h"
|
||||
#include "match.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "log.h"
|
||||
#include "xmalloc.h"
|
||||
|
||||
static int
|
||||
extract_salt(const char *s, u_int l, char *salt, size_t salt_len)
|
||||
{
|
||||
char *p, *b64salt;
|
||||
u_int b64len;
|
||||
int ret;
|
||||
|
||||
if (l < sizeof(HASH_MAGIC) - 1) {
|
||||
debug2("extract_salt: string too short");
|
||||
return (-1);
|
||||
}
|
||||
if (strncmp(s, HASH_MAGIC, sizeof(HASH_MAGIC) - 1) != 0) {
|
||||
debug2("extract_salt: invalid magic identifier");
|
||||
return (-1);
|
||||
}
|
||||
s += sizeof(HASH_MAGIC) - 1;
|
||||
l -= sizeof(HASH_MAGIC) - 1;
|
||||
if ((p = memchr(s, HASH_DELIM, l)) == NULL) {
|
||||
debug2("extract_salt: missing salt termination character");
|
||||
return (-1);
|
||||
}
|
||||
|
||||
b64len = p - s;
|
||||
/* Sanity check */
|
||||
if (b64len == 0 || b64len > 1024) {
|
||||
debug2("extract_salt: bad encoded salt length %u", b64len);
|
||||
return (-1);
|
||||
}
|
||||
b64salt = xmalloc(1 + b64len);
|
||||
memcpy(b64salt, s, b64len);
|
||||
b64salt[b64len] = '\0';
|
||||
|
||||
ret = __b64_pton(b64salt, salt, salt_len);
|
||||
xfree(b64salt);
|
||||
if (ret == -1) {
|
||||
debug2("extract_salt: salt decode error");
|
||||
return (-1);
|
||||
}
|
||||
if (ret != SHA_DIGEST_LENGTH) {
|
||||
debug2("extract_salt: expected salt len %u, got %u",
|
||||
salt_len, ret);
|
||||
return (-1);
|
||||
}
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
char *
|
||||
host_hash(const char *host, const char *name_from_hostfile, u_int src_len)
|
||||
{
|
||||
const EVP_MD *md = EVP_sha1();
|
||||
HMAC_CTX mac_ctx;
|
||||
char salt[256], result[256], uu_salt[512], uu_result[512];
|
||||
static char encoded[1024];
|
||||
u_int i, len;
|
||||
|
||||
len = EVP_MD_size(md);
|
||||
|
||||
if (name_from_hostfile == NULL) {
|
||||
/* Create new salt */
|
||||
for (i = 0; i < len; i++)
|
||||
salt[i] = arc4random();
|
||||
} else {
|
||||
/* Extract salt from known host entry */
|
||||
if (extract_salt(name_from_hostfile, src_len, salt,
|
||||
sizeof(salt)) == -1)
|
||||
return (NULL);
|
||||
}
|
||||
|
||||
HMAC_Init(&mac_ctx, salt, len, md);
|
||||
HMAC_Update(&mac_ctx, host, strlen(host));
|
||||
HMAC_Final(&mac_ctx, result, NULL);
|
||||
HMAC_cleanup(&mac_ctx);
|
||||
|
||||
if (__b64_ntop(salt, len, uu_salt, sizeof(uu_salt)) == -1 ||
|
||||
__b64_ntop(result, len, uu_result, sizeof(uu_result)) == -1)
|
||||
fatal("host_hash: __b64_ntop failed");
|
||||
|
||||
snprintf(encoded, sizeof(encoded), "%s%s%c%s", HASH_MAGIC, uu_salt,
|
||||
HASH_DELIM, uu_result);
|
||||
|
||||
return (encoded);
|
||||
}
|
||||
|
||||
/*
|
||||
* Parses an RSA (number of bits, e, n) or DSA key from a string. Moves the
|
||||
@ -104,7 +193,7 @@ check_host_in_hostfile_by_key_or_type(const char *filename,
|
||||
char line[8192];
|
||||
int linenum = 0;
|
||||
u_int kbits;
|
||||
char *cp, *cp2;
|
||||
char *cp, *cp2, *hashed_host;
|
||||
HostStatus end_return;
|
||||
|
||||
debug3("check_host_in_hostfile: filename %s", filename);
|
||||
@ -137,8 +226,18 @@ check_host_in_hostfile_by_key_or_type(const char *filename,
|
||||
;
|
||||
|
||||
/* Check if the host name matches. */
|
||||
if (match_hostname(host, cp, (u_int) (cp2 - cp)) != 1)
|
||||
continue;
|
||||
if (match_hostname(host, cp, (u_int) (cp2 - cp)) != 1) {
|
||||
if (*cp != HASH_DELIM)
|
||||
continue;
|
||||
hashed_host = host_hash(host, cp, (u_int) (cp2 - cp));
|
||||
if (hashed_host == NULL) {
|
||||
debug("Invalid hashed host line %d of %s",
|
||||
linenum, filename);
|
||||
continue;
|
||||
}
|
||||
if (strncmp(hashed_host, cp, (u_int) (cp2 - cp)) != 0)
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Got a match. Skip host name. */
|
||||
cp = cp2;
|
||||
@ -211,16 +310,28 @@ lookup_key_in_hostfile_by_type(const char *filename, const char *host,
|
||||
*/
|
||||
|
||||
int
|
||||
add_host_to_hostfile(const char *filename, const char *host, const Key *key)
|
||||
add_host_to_hostfile(const char *filename, const char *host, const Key *key,
|
||||
int store_hash)
|
||||
{
|
||||
FILE *f;
|
||||
int success = 0;
|
||||
char *hashed_host;
|
||||
|
||||
if (key == NULL)
|
||||
return 1; /* XXX ? */
|
||||
f = fopen(filename, "a");
|
||||
if (!f)
|
||||
return 0;
|
||||
fprintf(f, "%s ", host);
|
||||
|
||||
if (store_hash) {
|
||||
if ((hashed_host = host_hash(host, NULL, 0)) == NULL) {
|
||||
error("add_host_to_hostfile: host_hash failed");
|
||||
fclose(f);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
fprintf(f, "%s ", store_hash ? hashed_host : host);
|
||||
|
||||
if (key_write(key, f)) {
|
||||
success = 1;
|
||||
} else {
|
||||
|
@ -186,7 +186,7 @@ __RCSID(msg)
|
||||
* On HP-UX 11.11, shadow.h and prot.h provide conflicting declarations
|
||||
* of getspnam when _INCLUDE__STDC__ is defined, so we unset it here.
|
||||
*/
|
||||
#ifdef __hpux
|
||||
#ifdef GETSPNAM_CONFLICTING_DEFS
|
||||
# ifdef _INCLUDE__STDC__
|
||||
# undef _INCLUDE__STDC__
|
||||
# endif
|
||||
|
@ -32,7 +32,7 @@
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: key.c,v 1.56 2004/07/28 09:40:29 markus Exp $");
|
||||
RCSID("$OpenBSD: key.c,v 1.57 2004/10/29 23:57:05 djm Exp $");
|
||||
|
||||
#include <openssl/evp.h>
|
||||
|
||||
@ -681,8 +681,8 @@ Key *
|
||||
key_from_blob(const u_char *blob, u_int blen)
|
||||
{
|
||||
Buffer b;
|
||||
char *ktype;
|
||||
int rlen, type;
|
||||
char *ktype = NULL;
|
||||
Key *key = NULL;
|
||||
|
||||
#ifdef DEBUG_PK
|
||||
@ -690,24 +690,38 @@ key_from_blob(const u_char *blob, u_int blen)
|
||||
#endif
|
||||
buffer_init(&b);
|
||||
buffer_append(&b, blob, blen);
|
||||
ktype = buffer_get_string(&b, NULL);
|
||||
if ((ktype = buffer_get_string_ret(&b, NULL)) == NULL) {
|
||||
error("key_from_blob: can't read key type");
|
||||
goto out;
|
||||
}
|
||||
|
||||
type = key_type_from_name(ktype);
|
||||
|
||||
switch (type) {
|
||||
case KEY_RSA:
|
||||
key = key_new(type);
|
||||
buffer_get_bignum2(&b, key->rsa->e);
|
||||
buffer_get_bignum2(&b, key->rsa->n);
|
||||
if (buffer_get_bignum2_ret(&b, key->rsa->e) == -1 ||
|
||||
buffer_get_bignum2_ret(&b, key->rsa->n) == -1) {
|
||||
error("key_from_blob: can't read rsa key");
|
||||
key_free(key);
|
||||
key = NULL;
|
||||
goto out;
|
||||
}
|
||||
#ifdef DEBUG_PK
|
||||
RSA_print_fp(stderr, key->rsa, 8);
|
||||
#endif
|
||||
break;
|
||||
case KEY_DSA:
|
||||
key = key_new(type);
|
||||
buffer_get_bignum2(&b, key->dsa->p);
|
||||
buffer_get_bignum2(&b, key->dsa->q);
|
||||
buffer_get_bignum2(&b, key->dsa->g);
|
||||
buffer_get_bignum2(&b, key->dsa->pub_key);
|
||||
if (buffer_get_bignum2_ret(&b, key->dsa->p) == -1 ||
|
||||
buffer_get_bignum2_ret(&b, key->dsa->q) == -1 ||
|
||||
buffer_get_bignum2_ret(&b, key->dsa->g) == -1 ||
|
||||
buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) {
|
||||
error("key_from_blob: can't read dsa key");
|
||||
key_free(key);
|
||||
key = NULL;
|
||||
goto out;
|
||||
}
|
||||
#ifdef DEBUG_PK
|
||||
DSA_print_fp(stderr, key->dsa, 8);
|
||||
#endif
|
||||
@ -717,12 +731,14 @@ key_from_blob(const u_char *blob, u_int blen)
|
||||
break;
|
||||
default:
|
||||
error("key_from_blob: cannot handle type %s", ktype);
|
||||
break;
|
||||
goto out;
|
||||
}
|
||||
rlen = buffer_len(&b);
|
||||
if (key != NULL && rlen != 0)
|
||||
error("key_from_blob: remaining bytes in key blob %d", rlen);
|
||||
xfree(ktype);
|
||||
out:
|
||||
if (ktype != NULL)
|
||||
xfree(ktype);
|
||||
buffer_free(&b);
|
||||
return key;
|
||||
}
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -25,7 +25,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: monitor.c,v 1.61 2004/07/17 05:31:41 dtucker Exp $");
|
||||
RCSID("$OpenBSD: monitor.c,v 1.63 2005/03/10 22:01:05 deraadt Exp $");
|
||||
RCSID("$FreeBSD$");
|
||||
|
||||
#include <openssl/dh.h>
|
||||
@ -152,6 +152,11 @@ int mm_answer_gss_userok(int, Buffer *);
|
||||
int mm_answer_gss_checkmic(int, Buffer *);
|
||||
#endif
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
int mm_answer_audit_event(int, Buffer *);
|
||||
int mm_answer_audit_command(int, Buffer *);
|
||||
#endif
|
||||
|
||||
static Authctxt *authctxt;
|
||||
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
|
||||
|
||||
@ -195,6 +200,9 @@ struct mon_table mon_dispatch_proto20[] = {
|
||||
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
|
||||
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
#endif
|
||||
#ifdef BSD_AUTH
|
||||
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
||||
{MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond},
|
||||
@ -220,6 +228,10 @@ struct mon_table mon_dispatch_postauth20[] = {
|
||||
{MONITOR_REQ_PTY, 0, mm_answer_pty},
|
||||
{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
|
||||
{MONITOR_REQ_TERM, 0, mm_answer_term},
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
|
||||
@ -247,6 +259,9 @@ struct mon_table mon_dispatch_proto15[] = {
|
||||
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
|
||||
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
|
||||
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@ -255,6 +270,10 @@ struct mon_table mon_dispatch_postauth15[] = {
|
||||
{MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
|
||||
{MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
|
||||
{MONITOR_REQ_TERM, 0, mm_answer_term},
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
{MONITOR_REQ_AUDIT_COMMAND, MON_ONCE, mm_answer_audit_command},
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
|
||||
@ -300,6 +319,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
|
||||
authctxt = _authctxt;
|
||||
memset(authctxt, 0, sizeof(*authctxt));
|
||||
|
||||
authctxt->loginmsg = &loginmsg;
|
||||
|
||||
if (compat20) {
|
||||
mon_dispatch = mon_dispatch_proto20;
|
||||
|
||||
@ -618,6 +639,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
|
||||
if (options.use_pam)
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_COMMAND, 1);
|
||||
#endif
|
||||
|
||||
return (0);
|
||||
}
|
||||
@ -819,6 +843,9 @@ mm_answer_pam_account(int sock, Buffer *m)
|
||||
ret = do_pam_account();
|
||||
|
||||
buffer_put_int(m, ret);
|
||||
buffer_append(&loginmsg, "\0", 1);
|
||||
buffer_put_cstring(m, buffer_ptr(&loginmsg));
|
||||
buffer_clear(&loginmsg);
|
||||
|
||||
mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m);
|
||||
|
||||
@ -960,7 +987,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
|
||||
debug3("%s: key_from_blob: %p", __func__, key);
|
||||
|
||||
if (key != NULL && authctxt->valid) {
|
||||
switch(type) {
|
||||
switch (type) {
|
||||
case MM_USERKEY:
|
||||
allowed = options.pubkey_authentication &&
|
||||
user_key_allowed(authctxt->pw, key);
|
||||
@ -1306,7 +1333,7 @@ mm_answer_sesskey(int sock, Buffer *m)
|
||||
int rsafail;
|
||||
|
||||
/* Turn off permissions */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 0);
|
||||
|
||||
if ((p = BN_new()) == NULL)
|
||||
fatal("%s: BN_new", __func__);
|
||||
@ -1497,6 +1524,48 @@ mm_answer_term(int sock, Buffer *req)
|
||||
exit(res);
|
||||
}
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
/* Report that an audit event occurred */
|
||||
int
|
||||
mm_answer_audit_event(int socket, Buffer *m)
|
||||
{
|
||||
ssh_audit_event_t event;
|
||||
|
||||
debug3("%s entering", __func__);
|
||||
|
||||
event = buffer_get_int(m);
|
||||
switch(event) {
|
||||
case SSH_AUTH_FAIL_PUBKEY:
|
||||
case SSH_AUTH_FAIL_HOSTBASED:
|
||||
case SSH_AUTH_FAIL_GSSAPI:
|
||||
case SSH_LOGIN_EXCEED_MAXTRIES:
|
||||
case SSH_LOGIN_ROOT_DENIED:
|
||||
case SSH_CONNECTION_CLOSE:
|
||||
case SSH_INVALID_USER:
|
||||
audit_event(event);
|
||||
break;
|
||||
default:
|
||||
fatal("Audit event type %d not permitted", event);
|
||||
}
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
mm_answer_audit_command(int socket, Buffer *m)
|
||||
{
|
||||
u_int len;
|
||||
char *cmd;
|
||||
|
||||
debug3("%s entering", __func__);
|
||||
cmd = buffer_get_string(m, &len);
|
||||
/* sanity check command, if so how? */
|
||||
audit_run_command(cmd);
|
||||
xfree(cmd);
|
||||
return (0);
|
||||
}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
|
||||
void
|
||||
monitor_apply_keystate(struct monitor *pmonitor)
|
||||
{
|
||||
|
@ -60,6 +60,7 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY,
|
||||
MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
|
||||
MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
|
||||
MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,
|
||||
MONITOR_REQ_TERM
|
||||
};
|
||||
|
||||
|
@ -73,6 +73,7 @@ extern struct monitor *pmonitor;
|
||||
extern Buffer input, output;
|
||||
extern Buffer loginmsg;
|
||||
extern ServerOptions options;
|
||||
extern Buffer loginmsg;
|
||||
|
||||
int
|
||||
mm_is_monitor(void)
|
||||
@ -717,6 +718,7 @@ mm_do_pam_account(void)
|
||||
{
|
||||
Buffer m;
|
||||
u_int ret;
|
||||
char *msg;
|
||||
|
||||
debug3("%s entering", __func__);
|
||||
if (!options.use_pam)
|
||||
@ -728,6 +730,9 @@ mm_do_pam_account(void)
|
||||
mm_request_receive_expect(pmonitor->m_recvfd,
|
||||
MONITOR_ANS_PAM_ACCOUNT, &m);
|
||||
ret = buffer_get_int(&m);
|
||||
msg = buffer_get_string(&m, NULL);
|
||||
buffer_append(&loginmsg, msg, strlen(msg));
|
||||
xfree(msg);
|
||||
|
||||
buffer_free(&m);
|
||||
|
||||
@ -1099,6 +1104,36 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
|
||||
return (success);
|
||||
}
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
void
|
||||
mm_audit_event(ssh_audit_event_t event)
|
||||
{
|
||||
Buffer m;
|
||||
|
||||
debug3("%s entering", __func__);
|
||||
|
||||
buffer_init(&m);
|
||||
buffer_put_int(&m, event);
|
||||
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_EVENT, &m);
|
||||
buffer_free(&m);
|
||||
}
|
||||
|
||||
void
|
||||
mm_audit_run_command(const char *command)
|
||||
{
|
||||
Buffer m;
|
||||
|
||||
debug3("%s entering command %s", __func__, command);
|
||||
|
||||
buffer_init(&m);
|
||||
buffer_put_cstring(&m, command);
|
||||
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);
|
||||
buffer_free(&m);
|
||||
}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
|
||||
#ifdef GSSAPI
|
||||
OM_uint32
|
||||
mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid)
|
||||
|
@ -75,6 +75,12 @@ int mm_sshpam_respond(void *, u_int, char **);
|
||||
void mm_sshpam_free_ctx(void *);
|
||||
#endif
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
#include "audit.h"
|
||||
void mm_audit_event(ssh_audit_event_t);
|
||||
void mm_audit_run_command(const char *);
|
||||
#endif
|
||||
|
||||
struct Session;
|
||||
void mm_terminate(void);
|
||||
int mm_pty_allocate(int *, int *, char *, int);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $Id: fake-rfc2553.h,v 1.8 2004/02/10 02:05:41 dtucker Exp $ */
|
||||
/* $Id: fake-rfc2553.h,v 1.10 2005/02/11 07:32:13 dtucker Exp $ */
|
||||
/* $FreeBSD$ */
|
||||
|
||||
/*
|
||||
@ -118,6 +118,7 @@ struct sockaddr_in6 {
|
||||
# define EAI_NODATA 1
|
||||
# define EAI_MEMORY 2
|
||||
# define EAI_NONAME 3
|
||||
# define EAI_SYSTEM 4
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_STRUCT_ADDRINFO
|
||||
|
@ -12,7 +12,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: readconf.c,v 1.134 2004/07/11 17:48:47 deraadt Exp $");
|
||||
RCSID("$OpenBSD: readconf.c,v 1.139 2005/03/10 22:01:05 deraadt Exp $");
|
||||
RCSID("$FreeBSD$");
|
||||
|
||||
#include "ssh.h"
|
||||
@ -107,7 +107,7 @@ typedef enum {
|
||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||
oSendEnv, oControlPath, oControlMaster,
|
||||
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
|
||||
oVersionAddendum,
|
||||
oDeprecated, oUnsupported
|
||||
} OpCodes;
|
||||
@ -199,6 +199,7 @@ static struct {
|
||||
{ "sendenv", oSendEnv },
|
||||
{ "controlpath", oControlPath },
|
||||
{ "controlmaster", oControlMaster },
|
||||
{ "hashknownhosts", oHashKnownHosts },
|
||||
{ "versionaddendum", oVersionAddendum },
|
||||
{ NULL, oBadOption }
|
||||
};
|
||||
@ -209,21 +210,23 @@ static struct {
|
||||
*/
|
||||
|
||||
void
|
||||
add_local_forward(Options *options, u_short port, const char *host,
|
||||
u_short host_port)
|
||||
add_local_forward(Options *options, const Forward *newfwd)
|
||||
{
|
||||
Forward *fwd;
|
||||
#ifndef NO_IPPORT_RESERVED_CONCEPT
|
||||
extern uid_t original_real_uid;
|
||||
if (port < IPPORT_RESERVED && original_real_uid != 0)
|
||||
if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
|
||||
fatal("Privileged ports can only be forwarded by root.");
|
||||
#endif
|
||||
if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
|
||||
fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
|
||||
fwd = &options->local_forwards[options->num_local_forwards++];
|
||||
fwd->port = port;
|
||||
fwd->host = xstrdup(host);
|
||||
fwd->host_port = host_port;
|
||||
|
||||
fwd->listen_host = (newfwd->listen_host == NULL) ?
|
||||
NULL : xstrdup(newfwd->listen_host);
|
||||
fwd->listen_port = newfwd->listen_port;
|
||||
fwd->connect_host = xstrdup(newfwd->connect_host);
|
||||
fwd->connect_port = newfwd->connect_port;
|
||||
}
|
||||
|
||||
/*
|
||||
@ -232,17 +235,19 @@ add_local_forward(Options *options, u_short port, const char *host,
|
||||
*/
|
||||
|
||||
void
|
||||
add_remote_forward(Options *options, u_short port, const char *host,
|
||||
u_short host_port)
|
||||
add_remote_forward(Options *options, const Forward *newfwd)
|
||||
{
|
||||
Forward *fwd;
|
||||
if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
|
||||
fatal("Too many remote forwards (max %d).",
|
||||
SSH_MAX_FORWARDS_PER_DIRECTION);
|
||||
fwd = &options->remote_forwards[options->num_remote_forwards++];
|
||||
fwd->port = port;
|
||||
fwd->host = xstrdup(host);
|
||||
fwd->host_port = host_port;
|
||||
|
||||
fwd->listen_host = (newfwd->listen_host == NULL) ?
|
||||
NULL : xstrdup(newfwd->listen_host);
|
||||
fwd->listen_port = newfwd->listen_port;
|
||||
fwd->connect_host = xstrdup(newfwd->connect_host);
|
||||
fwd->connect_port = newfwd->connect_port;
|
||||
}
|
||||
|
||||
static void
|
||||
@ -250,11 +255,17 @@ clear_forwardings(Options *options)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < options->num_local_forwards; i++)
|
||||
xfree(options->local_forwards[i].host);
|
||||
for (i = 0; i < options->num_local_forwards; i++) {
|
||||
if (options->local_forwards[i].listen_host != NULL)
|
||||
xfree(options->local_forwards[i].listen_host);
|
||||
xfree(options->local_forwards[i].connect_host);
|
||||
}
|
||||
options->num_local_forwards = 0;
|
||||
for (i = 0; i < options->num_remote_forwards; i++)
|
||||
xfree(options->remote_forwards[i].host);
|
||||
for (i = 0; i < options->num_remote_forwards; i++) {
|
||||
if (options->remote_forwards[i].listen_host != NULL)
|
||||
xfree(options->remote_forwards[i].listen_host);
|
||||
xfree(options->remote_forwards[i].connect_host);
|
||||
}
|
||||
options->num_remote_forwards = 0;
|
||||
}
|
||||
|
||||
@ -287,14 +298,13 @@ process_config_line(Options *options, const char *host,
|
||||
char *line, const char *filename, int linenum,
|
||||
int *activep)
|
||||
{
|
||||
char buf[256], *s, **charptr, *endofnumber, *keyword, *arg;
|
||||
char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
|
||||
int opcode, *intptr, value;
|
||||
size_t len;
|
||||
u_short fwd_port, fwd_host_port;
|
||||
char sfwd_host_port[6];
|
||||
Forward fwd;
|
||||
|
||||
/* Strip trailing whitespace */
|
||||
for(len = strlen(line) - 1; len > 0; len--) {
|
||||
for (len = strlen(line) - 1; len > 0; len--) {
|
||||
if (strchr(WHITESPACE, line[len]) == NULL)
|
||||
break;
|
||||
line[len] = '\0';
|
||||
@ -648,30 +658,26 @@ parse_int:
|
||||
case oLocalForward:
|
||||
case oRemoteForward:
|
||||
arg = strdelim(&s);
|
||||
if (!arg || *arg == '\0')
|
||||
if (arg == NULL || *arg == '\0')
|
||||
fatal("%.200s line %d: Missing port argument.",
|
||||
filename, linenum);
|
||||
if ((fwd_port = a2port(arg)) == 0)
|
||||
fatal("%.200s line %d: Bad listen port.",
|
||||
arg2 = strdelim(&s);
|
||||
if (arg2 == NULL || *arg2 == '\0')
|
||||
fatal("%.200s line %d: Missing target argument.",
|
||||
filename, linenum);
|
||||
arg = strdelim(&s);
|
||||
if (!arg || *arg == '\0')
|
||||
fatal("%.200s line %d: Missing second argument.",
|
||||
filename, linenum);
|
||||
if (sscanf(arg, "%255[^:]:%5[0-9]", buf, sfwd_host_port) != 2 &&
|
||||
sscanf(arg, "%255[^/]/%5[0-9]", buf, sfwd_host_port) != 2)
|
||||
|
||||
/* construct a string for parse_forward */
|
||||
snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
|
||||
|
||||
if (parse_forward(&fwd, fwdarg) == 0)
|
||||
fatal("%.200s line %d: Bad forwarding specification.",
|
||||
filename, linenum);
|
||||
if ((fwd_host_port = a2port(sfwd_host_port)) == 0)
|
||||
fatal("%.200s line %d: Bad forwarding port.",
|
||||
filename, linenum);
|
||||
|
||||
if (*activep) {
|
||||
if (opcode == oLocalForward)
|
||||
add_local_forward(options, fwd_port, buf,
|
||||
fwd_host_port);
|
||||
add_local_forward(options, &fwd);
|
||||
else if (opcode == oRemoteForward)
|
||||
add_remote_forward(options, fwd_port, buf,
|
||||
fwd_host_port);
|
||||
add_remote_forward(options, &fwd);
|
||||
}
|
||||
break;
|
||||
|
||||
@ -680,12 +686,25 @@ parse_int:
|
||||
if (!arg || *arg == '\0')
|
||||
fatal("%.200s line %d: Missing port argument.",
|
||||
filename, linenum);
|
||||
fwd_port = a2port(arg);
|
||||
if (fwd_port == 0)
|
||||
memset(&fwd, '\0', sizeof(fwd));
|
||||
fwd.connect_host = "socks";
|
||||
fwd.listen_host = hpdelim(&arg);
|
||||
if (fwd.listen_host == NULL ||
|
||||
strlen(fwd.listen_host) >= NI_MAXHOST)
|
||||
fatal("%.200s line %d: Bad forwarding specification.",
|
||||
filename, linenum);
|
||||
if (arg) {
|
||||
fwd.listen_port = a2port(arg);
|
||||
fwd.listen_host = cleanhostname(fwd.listen_host);
|
||||
} else {
|
||||
fwd.listen_port = a2port(fwd.listen_host);
|
||||
fwd.listen_host = "";
|
||||
}
|
||||
if (fwd.listen_port == 0)
|
||||
fatal("%.200s line %d: Badly formatted port number.",
|
||||
filename, linenum);
|
||||
if (*activep)
|
||||
add_local_forward(options, fwd_port, "socks", 0);
|
||||
add_local_forward(options, &fwd);
|
||||
break;
|
||||
|
||||
case oClearAllForwardings:
|
||||
@ -761,6 +780,8 @@ parse_int:
|
||||
if (strchr(arg, '=') != NULL)
|
||||
fatal("%s line %d: Invalid environment name.",
|
||||
filename, linenum);
|
||||
if (!*activep)
|
||||
continue;
|
||||
if (options->num_send_env >= MAX_SEND_ENV)
|
||||
fatal("%s line %d: too many send env.",
|
||||
filename, linenum);
|
||||
@ -777,6 +798,10 @@ parse_int:
|
||||
intptr = &options->control_master;
|
||||
goto parse_yesnoask;
|
||||
|
||||
case oHashKnownHosts:
|
||||
intptr = &options->hash_known_hosts;
|
||||
goto parse_flag;
|
||||
|
||||
case oVersionAddendum:
|
||||
ssh_version_set_addendum(strtok(s, "\n"));
|
||||
do {
|
||||
@ -927,6 +952,7 @@ initialize_options(Options * options)
|
||||
options->num_send_env = 0;
|
||||
options->control_path = NULL;
|
||||
options->control_master = -1;
|
||||
options->hash_known_hosts = -1;
|
||||
}
|
||||
|
||||
/*
|
||||
@ -1049,9 +1075,76 @@ fill_default_options(Options * options)
|
||||
options->server_alive_count_max = 3;
|
||||
if (options->control_master == -1)
|
||||
options->control_master = 0;
|
||||
if (options->hash_known_hosts == -1)
|
||||
options->hash_known_hosts = 0;
|
||||
/* options->proxy_command should not be set by default */
|
||||
/* options->user will be set in the main program if appropriate */
|
||||
/* options->hostname will be set in the main program if appropriate */
|
||||
/* options->host_key_alias should not be set by default */
|
||||
/* options->preferred_authentications will be set in ssh */
|
||||
}
|
||||
|
||||
/*
|
||||
* parse_forward
|
||||
* parses a string containing a port forwarding specification of the form:
|
||||
* [listenhost:]listenport:connecthost:connectport
|
||||
* returns number of arguments parsed or zero on error
|
||||
*/
|
||||
int
|
||||
parse_forward(Forward *fwd, const char *fwdspec)
|
||||
{
|
||||
int i;
|
||||
char *p, *cp, *fwdarg[4];
|
||||
|
||||
memset(fwd, '\0', sizeof(*fwd));
|
||||
|
||||
cp = p = xstrdup(fwdspec);
|
||||
|
||||
/* skip leading spaces */
|
||||
while (*cp && isspace(*cp))
|
||||
cp++;
|
||||
|
||||
for (i = 0; i < 4; ++i)
|
||||
if ((fwdarg[i] = hpdelim(&cp)) == NULL)
|
||||
break;
|
||||
|
||||
/* Check for trailing garbage in 4-arg case*/
|
||||
if (cp != NULL)
|
||||
i = 0; /* failure */
|
||||
|
||||
switch (i) {
|
||||
case 3:
|
||||
fwd->listen_host = NULL;
|
||||
fwd->listen_port = a2port(fwdarg[0]);
|
||||
fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
|
||||
fwd->connect_port = a2port(fwdarg[2]);
|
||||
break;
|
||||
|
||||
case 4:
|
||||
fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
|
||||
fwd->listen_port = a2port(fwdarg[1]);
|
||||
fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
|
||||
fwd->connect_port = a2port(fwdarg[3]);
|
||||
break;
|
||||
default:
|
||||
i = 0; /* failure */
|
||||
}
|
||||
|
||||
xfree(p);
|
||||
|
||||
if (fwd->listen_port == 0 && fwd->connect_port == 0)
|
||||
goto fail_free;
|
||||
|
||||
if (fwd->connect_host != NULL &&
|
||||
strlen(fwd->connect_host) >= NI_MAXHOST)
|
||||
goto fail_free;
|
||||
|
||||
return (i);
|
||||
|
||||
fail_free:
|
||||
if (fwd->connect_host != NULL)
|
||||
xfree(fwd->connect_host);
|
||||
if (fwd->listen_host != NULL)
|
||||
xfree(fwd->listen_host);
|
||||
return (0);
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: readconf.h,v 1.64 2004/07/11 17:48:47 deraadt Exp $ */
|
||||
/* $OpenBSD: readconf.h,v 1.66 2005/03/01 10:40:27 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -21,9 +21,10 @@
|
||||
/* Data structure for representing a forwarding request. */
|
||||
|
||||
typedef struct {
|
||||
u_short port; /* Port to forward. */
|
||||
char *host; /* Host to connect. */
|
||||
u_short host_port; /* Port to connect on host. */
|
||||
char *listen_host; /* Host (address) to listen on. */
|
||||
u_short listen_port; /* Port to forward. */
|
||||
char *connect_host; /* Host to connect. */
|
||||
u_short connect_port; /* Port to connect on connect_host. */
|
||||
} Forward;
|
||||
/* Data structure for representing option data. */
|
||||
|
||||
@ -111,17 +112,20 @@ typedef struct {
|
||||
|
||||
char *control_path;
|
||||
int control_master;
|
||||
|
||||
int hash_known_hosts;
|
||||
} Options;
|
||||
|
||||
|
||||
void initialize_options(Options *);
|
||||
void fill_default_options(Options *);
|
||||
int read_config_file(const char *, const char *, Options *, int);
|
||||
int parse_forward(Forward *, const char *);
|
||||
|
||||
int
|
||||
process_config_line(Options *, const char *, char *, const char *, int, int *);
|
||||
|
||||
void add_local_forward(Options *, u_short, const char *, u_short);
|
||||
void add_remote_forward(Options *, u_short, const char *, u_short);
|
||||
void add_local_forward(Options *, const Forward *);
|
||||
void add_remote_forward(Options *, const Forward *);
|
||||
|
||||
#endif /* READCONF_H */
|
||||
|
@ -71,7 +71,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: scp.c,v 1.117 2004/08/11 21:44:32 avsm Exp $");
|
||||
RCSID("$OpenBSD: scp.c,v 1.121 2005/04/02 12:41:16 djm Exp $");
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "atomicio.h"
|
||||
@ -108,8 +108,10 @@ pid_t do_cmd_pid = -1;
|
||||
static void
|
||||
killchild(int signo)
|
||||
{
|
||||
if (do_cmd_pid > 1)
|
||||
if (do_cmd_pid > 1) {
|
||||
kill(do_cmd_pid, signo);
|
||||
waitpid(do_cmd_pid, NULL, 0);
|
||||
}
|
||||
|
||||
_exit(1);
|
||||
}
|
||||
@ -359,20 +361,21 @@ void
|
||||
toremote(char *targ, int argc, char **argv)
|
||||
{
|
||||
int i, len;
|
||||
char *bp, *host, *src, *suser, *thost, *tuser;
|
||||
char *bp, *host, *src, *suser, *thost, *tuser, *arg;
|
||||
|
||||
*targ++ = 0;
|
||||
if (*targ == 0)
|
||||
targ = ".";
|
||||
|
||||
if ((thost = strrchr(argv[argc - 1], '@'))) {
|
||||
arg = xstrdup(argv[argc - 1]);
|
||||
if ((thost = strrchr(arg, '@'))) {
|
||||
/* user@host */
|
||||
*thost++ = 0;
|
||||
tuser = argv[argc - 1];
|
||||
tuser = arg;
|
||||
if (*tuser == '\0')
|
||||
tuser = NULL;
|
||||
} else {
|
||||
thost = argv[argc - 1];
|
||||
thost = arg;
|
||||
tuser = NULL;
|
||||
}
|
||||
|
||||
@ -726,7 +729,7 @@ sink(int argc, char **argv)
|
||||
|
||||
#define atime tv[0]
|
||||
#define mtime tv[1]
|
||||
#define SCREWUP(str) do { why = str; goto screwup; } while (0)
|
||||
#define SCREWUP(str) { why = str; goto screwup; }
|
||||
|
||||
setimes = targisdir = 0;
|
||||
mask = umask(0);
|
||||
|
@ -10,7 +10,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: servconf.c,v 1.137 2004/08/13 11:09:24 dtucker Exp $");
|
||||
RCSID("$OpenBSD: servconf.c,v 1.140 2005/03/10 22:01:05 deraadt Exp $");
|
||||
RCSID("$FreeBSD$");
|
||||
|
||||
#include "ssh.h"
|
||||
@ -27,8 +27,6 @@ RCSID("$FreeBSD$");
|
||||
static void add_listen_addr(ServerOptions *, char *, u_short);
|
||||
static void add_one_listen_addr(ServerOptions *, char *, u_short);
|
||||
|
||||
/* AF_UNSPEC or AF_INET or AF_INET6 */
|
||||
extern int IPv4or6;
|
||||
/* Use of privilege separation or not */
|
||||
extern int use_privsep;
|
||||
|
||||
@ -46,6 +44,7 @@ initialize_server_options(ServerOptions *options)
|
||||
options->num_ports = 0;
|
||||
options->ports_from_cmdline = 0;
|
||||
options->listen_addrs = NULL;
|
||||
options->address_family = -1;
|
||||
options->num_host_key_files = 0;
|
||||
options->pid_file = NULL;
|
||||
options->server_key_bits = -1;
|
||||
@ -261,7 +260,8 @@ typedef enum {
|
||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||
sKerberosGetAFSToken,
|
||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
sListenAddress, sAddressFamily,
|
||||
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
||||
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
|
||||
sStrictModes, sEmptyPasswd, sTCPKeepAlive,
|
||||
@ -339,6 +339,7 @@ static struct {
|
||||
{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
|
||||
{ "checkmail", sDeprecated },
|
||||
{ "listenaddress", sListenAddress },
|
||||
{ "addressfamily", sAddressFamily },
|
||||
{ "printmotd", sPrintMotd },
|
||||
{ "printlastlog", sPrintLastLog },
|
||||
{ "ignorerhosts", sIgnoreRhosts },
|
||||
@ -406,6 +407,8 @@ add_listen_addr(ServerOptions *options, char *addr, u_short port)
|
||||
|
||||
if (options->num_ports == 0)
|
||||
options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
|
||||
if (options->address_family == -1)
|
||||
options->address_family = AF_UNSPEC;
|
||||
if (port == 0)
|
||||
for (i = 0; i < options->num_ports; i++)
|
||||
add_one_listen_addr(options, addr, options->ports[i]);
|
||||
@ -421,7 +424,7 @@ add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
|
||||
int gaierr;
|
||||
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = IPv4or6;
|
||||
hints.ai_family = options->address_family;
|
||||
hints.ai_socktype = SOCK_STREAM;
|
||||
hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
|
||||
snprintf(strport, sizeof strport, "%u", port);
|
||||
@ -442,6 +445,7 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
char *cp, **charptr, *arg, *p;
|
||||
int *intptr, value, i, n;
|
||||
ServerOpCodes opcode;
|
||||
u_short port;
|
||||
|
||||
cp = line;
|
||||
arg = strdelim(&cp);
|
||||
@ -514,39 +518,40 @@ parse_time:
|
||||
|
||||
case sListenAddress:
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
|
||||
fatal("%s line %d: missing inet addr.",
|
||||
if (arg == NULL || *arg == '\0')
|
||||
fatal("%s line %d: missing address",
|
||||
filename, linenum);
|
||||
if (*arg == '[') {
|
||||
if ((p = strchr(arg, ']')) == NULL)
|
||||
fatal("%s line %d: bad ipv6 inet addr usage.",
|
||||
filename, linenum);
|
||||
arg++;
|
||||
memmove(p, p+1, strlen(p+1)+1);
|
||||
} else if (((p = strchr(arg, ':')) == NULL) ||
|
||||
(strchr(p+1, ':') != NULL)) {
|
||||
add_listen_addr(options, arg, 0);
|
||||
break;
|
||||
}
|
||||
if (*p == ':') {
|
||||
u_short port;
|
||||
p = hpdelim(&arg);
|
||||
if (p == NULL)
|
||||
fatal("%s line %d: bad address:port usage",
|
||||
filename, linenum);
|
||||
p = cleanhostname(p);
|
||||
if (arg == NULL)
|
||||
port = 0;
|
||||
else if ((port = a2port(arg)) == 0)
|
||||
fatal("%s line %d: bad port number", filename, linenum);
|
||||
|
||||
p++;
|
||||
if (*p == '\0')
|
||||
fatal("%s line %d: bad inet addr:port usage.",
|
||||
filename, linenum);
|
||||
else {
|
||||
*(p-1) = '\0';
|
||||
if ((port = a2port(p)) == 0)
|
||||
fatal("%s line %d: bad port number.",
|
||||
filename, linenum);
|
||||
add_listen_addr(options, arg, port);
|
||||
}
|
||||
} else if (*p == '\0')
|
||||
add_listen_addr(options, arg, 0);
|
||||
add_listen_addr(options, p, port);
|
||||
|
||||
break;
|
||||
|
||||
case sAddressFamily:
|
||||
arg = strdelim(&cp);
|
||||
intptr = &options->address_family;
|
||||
if (options->listen_addrs != NULL)
|
||||
fatal("%s line %d: address family must be specified before "
|
||||
"ListenAddress.", filename, linenum);
|
||||
if (strcasecmp(arg, "inet") == 0)
|
||||
value = AF_INET;
|
||||
else if (strcasecmp(arg, "inet6") == 0)
|
||||
value = AF_INET6;
|
||||
else if (strcasecmp(arg, "any") == 0)
|
||||
value = AF_UNSPEC;
|
||||
else
|
||||
fatal("%s line %d: bad inet addr usage.",
|
||||
filename, linenum);
|
||||
fatal("%s line %d: unsupported address family \"%s\".",
|
||||
filename, linenum, arg);
|
||||
if (*intptr == -1)
|
||||
*intptr = value;
|
||||
break;
|
||||
|
||||
case sHostKeyFile:
|
||||
@ -725,7 +730,23 @@ parse_flag:
|
||||
|
||||
case sGatewayPorts:
|
||||
intptr = &options->gateway_ports;
|
||||
goto parse_flag;
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
fatal("%s line %d: missing yes/no/clientspecified "
|
||||
"argument.", filename, linenum);
|
||||
value = 0; /* silence compiler */
|
||||
if (strcmp(arg, "clientspecified") == 0)
|
||||
value = 2;
|
||||
else if (strcmp(arg, "yes") == 0)
|
||||
value = 1;
|
||||
else if (strcmp(arg, "no") == 0)
|
||||
value = 0;
|
||||
else
|
||||
fatal("%s line %d: Bad yes/no/clientspecified "
|
||||
"argument: %s", filename, linenum, arg);
|
||||
if (*intptr == -1)
|
||||
*intptr = value;
|
||||
break;
|
||||
|
||||
case sUseDNS:
|
||||
intptr = &options->use_dns;
|
||||
@ -992,7 +1013,7 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
|
||||
|
||||
obuf = cbuf = xstrdup(buffer_ptr(conf));
|
||||
linenum = 1;
|
||||
while((cp = strsep(&cbuf, "\n")) != NULL) {
|
||||
while ((cp = strsep(&cbuf, "\n")) != NULL) {
|
||||
if (process_server_config_line(options, cp, filename,
|
||||
linenum++) != 0)
|
||||
bad_options++;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: servconf.h,v 1.70 2004/06/24 19:30:54 djm Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.71 2004/12/23 23:11:00 djm Exp $ */
|
||||
/* $FreeBSD$ */
|
||||
|
||||
/*
|
||||
@ -44,6 +44,7 @@ typedef struct {
|
||||
u_short ports[MAX_PORTS]; /* Port number to listen on. */
|
||||
char *listen_addr; /* Address on which the server listens. */
|
||||
struct addrinfo *listen_addrs; /* Addresses on which the server listens. */
|
||||
int address_family; /* Address family used by the server. */
|
||||
char *host_key_files[MAX_HOSTKEYS]; /* Files containing host keys. */
|
||||
int num_host_key_files; /* Number of files for host keys. */
|
||||
char *pid_file; /* Where to put our pid */
|
||||
|
@ -33,7 +33,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: session.c,v 1.180 2004/07/28 09:40:29 markus Exp $");
|
||||
RCSID("$OpenBSD: session.c,v 1.181 2004/12/23 17:35:48 markus Exp $");
|
||||
RCSID("$FreeBSD$");
|
||||
|
||||
#include "ssh.h"
|
||||
@ -246,6 +246,10 @@ do_authenticated1(Authctxt *authctxt)
|
||||
u_int proto_len, data_len, dlen, compression_level = 0;
|
||||
|
||||
s = session_new();
|
||||
if (s == NULL) {
|
||||
error("no more sessions");
|
||||
return;
|
||||
}
|
||||
s->authctxt = authctxt;
|
||||
s->pw = authctxt->pw;
|
||||
|
||||
@ -662,11 +666,15 @@ do_exec(Session *s, const char *command)
|
||||
debug("Forced command '%.900s'", command);
|
||||
}
|
||||
|
||||
#ifdef GSSAPI
|
||||
if (options.gss_authentication) {
|
||||
temporarily_use_uid(s->pw);
|
||||
ssh_gssapi_storecreds();
|
||||
restore_uid();
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
if (command != NULL)
|
||||
PRIVSEP(audit_run_command(command));
|
||||
else if (s->ttyfd == -1) {
|
||||
char *shell = s->pw->pw_shell;
|
||||
|
||||
if (shell[0] == '\0') /* empty shell means /bin/sh */
|
||||
shell =_PATH_BSHELL;
|
||||
PRIVSEP(audit_run_command(shell));
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -1002,7 +1010,13 @@ do_setup_env(Session *s, const char *shell)
|
||||
* The Windows environment contains some setting which are
|
||||
* important for a running system. They must not be dropped.
|
||||
*/
|
||||
copy_environment(environ, &env, &envsize);
|
||||
{
|
||||
char **p;
|
||||
|
||||
p = fetch_windows_environment();
|
||||
copy_environment(p, &env, &envsize);
|
||||
free_windows_environment(p);
|
||||
}
|
||||
#endif
|
||||
|
||||
if (getenv("TZ"))
|
||||
@ -1111,14 +1125,24 @@ do_setup_env(Session *s, const char *shell)
|
||||
child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir);
|
||||
#endif /* _UNICOS */
|
||||
|
||||
/*
|
||||
* Since we clear KRB5CCNAME at startup, if it's set now then it
|
||||
* must have been set by a native authentication method (eg AIX or
|
||||
* SIA), so copy it to the child.
|
||||
*/
|
||||
{
|
||||
char *cp;
|
||||
|
||||
if ((cp = getenv("KRB5CCNAME")) != NULL)
|
||||
child_set_env(&env, &envsize, "KRB5CCNAME", cp);
|
||||
}
|
||||
|
||||
#ifdef _AIX
|
||||
{
|
||||
char *cp;
|
||||
|
||||
if ((cp = getenv("AUTHSTATE")) != NULL)
|
||||
child_set_env(&env, &envsize, "AUTHSTATE", cp);
|
||||
if ((cp = getenv("KRB5CCNAME")) != NULL)
|
||||
child_set_env(&env, &envsize, "KRB5CCNAME", cp);
|
||||
read_environment_file(&env, &envsize, "/etc/environment");
|
||||
}
|
||||
#endif
|
||||
@ -1278,6 +1302,13 @@ do_setusercontext(struct passwd *pw)
|
||||
# ifdef __bsdi__
|
||||
setpgid(0, 0);
|
||||
# endif
|
||||
#ifdef GSSAPI
|
||||
if (options.gss_authentication) {
|
||||
temporarily_use_uid(pw);
|
||||
ssh_gssapi_storecreds();
|
||||
restore_uid();
|
||||
}
|
||||
#endif
|
||||
# ifdef USE_PAM
|
||||
if (options.use_pam) {
|
||||
do_pam_session();
|
||||
@ -1308,6 +1339,13 @@ do_setusercontext(struct passwd *pw)
|
||||
exit(1);
|
||||
}
|
||||
endgrent();
|
||||
#ifdef GSSAPI
|
||||
if (options.gss_authentication) {
|
||||
temporarily_use_uid(pw);
|
||||
ssh_gssapi_storecreds();
|
||||
restore_uid();
|
||||
}
|
||||
#endif
|
||||
# ifdef USE_PAM
|
||||
/*
|
||||
* PAM credentials may take the form of supplementary groups.
|
||||
@ -1345,7 +1383,12 @@ do_pwchange(Session *s)
|
||||
if (s->ttyfd != -1) {
|
||||
fprintf(stderr,
|
||||
"You must change your password now and login again!\n");
|
||||
#ifdef PASSWD_NEEDS_USERNAME
|
||||
execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,
|
||||
(char *)NULL);
|
||||
#else
|
||||
execl(_PATH_PASSWD_PROG, "passwd", (char *)NULL);
|
||||
#endif
|
||||
perror("passwd");
|
||||
} else {
|
||||
fprintf(stderr,
|
||||
@ -1462,11 +1505,19 @@ do_child(Session *s, const char *command)
|
||||
* generated messages, so if this in an interactive
|
||||
* login then display them too.
|
||||
*/
|
||||
if (command == NULL)
|
||||
if (!check_quietlogin(s, command))
|
||||
display_loginmsg();
|
||||
#endif /* HAVE_OSF_SIA */
|
||||
}
|
||||
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam && !options.use_login && !is_pam_session_open()) {
|
||||
debug3("PAM session not opened, exiting");
|
||||
display_loginmsg();
|
||||
exit(254);
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Get the shell from the password data. An empty shell field is
|
||||
* legal, and means /bin/sh.
|
||||
|
@ -35,7 +35,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: ssh-add.c,v 1.70 2004/05/08 00:21:31 djm Exp $");
|
||||
RCSID("$OpenBSD: ssh-add.c,v 1.71 2005/03/10 22:01:06 deraadt Exp $");
|
||||
|
||||
#include <openssl/evp.h>
|
||||
|
||||
@ -389,7 +389,7 @@ main(int argc, char **argv)
|
||||
goto done;
|
||||
}
|
||||
|
||||
for(i = 0; default_files[i]; i++) {
|
||||
for (i = 0; default_files[i]; i++) {
|
||||
snprintf(buf, sizeof(buf), "%s/%s", pw->pw_dir,
|
||||
default_files[i]);
|
||||
if (stat(buf, &st) < 0)
|
||||
@ -402,7 +402,7 @@ main(int argc, char **argv)
|
||||
if (count == 0)
|
||||
ret = 1;
|
||||
} else {
|
||||
for(i = 0; i < argc; i++) {
|
||||
for (i = 0; i < argc; i++) {
|
||||
if (do_file(ac, deleting, argv[i]) == -1)
|
||||
ret = 1;
|
||||
}
|
||||
|
@ -35,7 +35,7 @@
|
||||
|
||||
#include "includes.h"
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
RCSID("$OpenBSD: ssh-agent.c,v 1.120 2004/08/11 21:43:05 avsm Exp $");
|
||||
RCSID("$OpenBSD: ssh-agent.c,v 1.122 2004/10/29 22:53:56 djm Exp $");
|
||||
RCSID("$FreeBSD$");
|
||||
|
||||
#include <openssl/evp.h>
|
||||
@ -169,23 +169,15 @@ lookup_identity(Key *key, int version)
|
||||
static int
|
||||
confirm_key(Identity *id)
|
||||
{
|
||||
char *p, prompt[1024];
|
||||
char *p;
|
||||
int ret = -1;
|
||||
|
||||
p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
snprintf(prompt, sizeof(prompt), "Allow use of key %s?\n"
|
||||
"Key fingerprint %s.", id->comment, p);
|
||||
if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
|
||||
id->comment, p))
|
||||
ret = 0;
|
||||
xfree(p);
|
||||
p = read_passphrase(prompt, RP_ALLOW_EOF);
|
||||
if (p != NULL) {
|
||||
/*
|
||||
* Accept empty responses and responses consisting
|
||||
* of the word "yes" as affirmative.
|
||||
*/
|
||||
if (*p == '\0' || *p == '\n' || strcasecmp(p, "yes") == 0)
|
||||
ret = 0;
|
||||
xfree(p);
|
||||
}
|
||||
|
||||
return (ret);
|
||||
}
|
||||
|
||||
@ -1011,9 +1003,7 @@ main(int ac, char **av)
|
||||
#ifdef HAVE_SETRLIMIT
|
||||
struct rlimit rlim;
|
||||
#endif
|
||||
#ifdef HAVE_CYGWIN
|
||||
int prev_mask;
|
||||
#endif
|
||||
extern int optind;
|
||||
extern char *optarg;
|
||||
pid_t pid;
|
||||
@ -1126,24 +1116,20 @@ main(int ac, char **av)
|
||||
sock = socket(AF_UNIX, SOCK_STREAM, 0);
|
||||
if (sock < 0) {
|
||||
perror("socket");
|
||||
*socket_name = '\0'; /* Don't unlink any existing file */
|
||||
cleanup_exit(1);
|
||||
}
|
||||
memset(&sunaddr, 0, sizeof(sunaddr));
|
||||
sunaddr.sun_family = AF_UNIX;
|
||||
strlcpy(sunaddr.sun_path, socket_name, sizeof(sunaddr.sun_path));
|
||||
#ifdef HAVE_CYGWIN
|
||||
prev_mask = umask(0177);
|
||||
#endif
|
||||
if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0) {
|
||||
perror("bind");
|
||||
#ifdef HAVE_CYGWIN
|
||||
*socket_name = '\0'; /* Don't unlink any existing file */
|
||||
umask(prev_mask);
|
||||
#endif
|
||||
cleanup_exit(1);
|
||||
}
|
||||
#ifdef HAVE_CYGWIN
|
||||
umask(prev_mask);
|
||||
#endif
|
||||
if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
|
||||
perror("listen");
|
||||
cleanup_exit(1);
|
||||
|
@ -7,7 +7,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: ssh-keyscan.c,v 1.50 2004/08/11 21:44:32 avsm Exp $");
|
||||
RCSID("$OpenBSD: ssh-keyscan.c,v 1.52 2005/03/01 15:47:14 jmc Exp $");
|
||||
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
@ -28,6 +28,7 @@ RCSID("$OpenBSD: ssh-keyscan.c,v 1.50 2004/08/11 21:44:32 avsm Exp $");
|
||||
#include "log.h"
|
||||
#include "atomicio.h"
|
||||
#include "misc.h"
|
||||
#include "hostfile.h"
|
||||
|
||||
/* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
|
||||
Default value is AF_UNSPEC means both IPv4 and IPv6. */
|
||||
@ -41,6 +42,8 @@ int ssh_port = SSH_DEFAULT_PORT;
|
||||
|
||||
int get_keytypes = KT_RSA1; /* Get only RSA1 keys by default */
|
||||
|
||||
int hash_hosts = 0; /* Hash hostname on output */
|
||||
|
||||
#define MAXMAXFD 256
|
||||
|
||||
/* The number of seconds after which to give up on a TCP connection */
|
||||
@ -366,10 +369,14 @@ keygrab_ssh2(con *c)
|
||||
static void
|
||||
keyprint(con *c, Key *key)
|
||||
{
|
||||
char *host = c->c_output_name ? c->c_output_name : c->c_name;
|
||||
|
||||
if (!key)
|
||||
return;
|
||||
if (hash_hosts && (host = host_hash(host, NULL, 0)) == NULL)
|
||||
fatal("host_hash failed");
|
||||
|
||||
fprintf(stdout, "%s ", c->c_output_name ? c->c_output_name : c->c_name);
|
||||
fprintf(stdout, "%s ", host);
|
||||
key_write(key, stdout);
|
||||
fputs("\n", stdout);
|
||||
}
|
||||
@ -676,7 +683,7 @@ fatal(const char *fmt,...)
|
||||
static void
|
||||
usage(void)
|
||||
{
|
||||
fprintf(stderr, "usage: %s [-v46] [-p port] [-T timeout] [-t type] [-f file]\n"
|
||||
fprintf(stderr, "usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]\n"
|
||||
"\t\t [host | addrlist namelist] [...]\n",
|
||||
__progname);
|
||||
exit(1);
|
||||
@ -700,8 +707,11 @@ main(int argc, char **argv)
|
||||
if (argc <= 1)
|
||||
usage();
|
||||
|
||||
while ((opt = getopt(argc, argv, "v46p:T:t:f:")) != -1) {
|
||||
while ((opt = getopt(argc, argv, "Hv46p:T:t:f:")) != -1) {
|
||||
switch (opt) {
|
||||
case 'H':
|
||||
hash_hosts = 1;
|
||||
break;
|
||||
case 'p':
|
||||
ssh_port = a2port(optarg);
|
||||
if (ssh_port == 0) {
|
||||
|
@ -341,7 +341,6 @@ The user should not manually set
|
||||
.Ev DISPLAY .
|
||||
Forwarding of X11 connections can be
|
||||
configured on the command line or in configuration files.
|
||||
Take note that X11 forwarding can represent a security hazard.
|
||||
.Pp
|
||||
The
|
||||
.Ev DISPLAY
|
||||
|
@ -40,7 +40,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: ssh.c,v 1.224 2004/07/28 09:40:29 markus Exp $");
|
||||
RCSID("$OpenBSD: ssh.c,v 1.234 2005/03/10 22:01:06 deraadt Exp $");
|
||||
RCSID("$FreeBSD$");
|
||||
|
||||
#include <openssl/evp.h>
|
||||
@ -145,6 +145,9 @@ pid_t proxy_command_pid = 0;
|
||||
/* fd to control socket */
|
||||
int control_fd = -1;
|
||||
|
||||
/* Multiplexing control command */
|
||||
static u_int mux_command = SSHMUX_COMMAND_OPEN;
|
||||
|
||||
/* Only used in control client mode */
|
||||
volatile sig_atomic_t control_client_terminate = 0;
|
||||
u_int control_server_pid = 0;
|
||||
@ -155,10 +158,12 @@ static void
|
||||
usage(void)
|
||||
{
|
||||
fprintf(stderr,
|
||||
"usage: ssh [-1246AaCfghkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
|
||||
" [-D port] [-e escape_char] [-F configfile] [-i identity_file]\n"
|
||||
" [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option]\n"
|
||||
" [-p port] [-R port:host:hostport] [-S ctl] [user@]hostname [command]\n"
|
||||
"usage: ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
|
||||
" [-D port] [-e escape_char] [-F configfile]\n"
|
||||
" [-i identity_file] [-L [bind_address:]port:host:hostport]\n"
|
||||
" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
|
||||
" [-R [bind_address:]port:host:hostport] [-S ctl_path]\n"
|
||||
" [user@]hostname [command]\n"
|
||||
);
|
||||
exit(1);
|
||||
}
|
||||
@ -175,14 +180,13 @@ int
|
||||
main(int ac, char **av)
|
||||
{
|
||||
int i, opt, exit_status;
|
||||
u_short fwd_port, fwd_host_port;
|
||||
char sfwd_port[6], sfwd_host_port[6];
|
||||
char *p, *cp, *line, buf[256];
|
||||
struct stat st;
|
||||
struct passwd *pw;
|
||||
int dummy;
|
||||
extern int optind, optreset;
|
||||
extern char *optarg;
|
||||
Forward fwd;
|
||||
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
init_rng();
|
||||
@ -237,7 +241,7 @@ main(int ac, char **av)
|
||||
|
||||
again:
|
||||
while ((opt = getopt(ac, av,
|
||||
"1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNPR:S:TVXY")) != -1) {
|
||||
"1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVXY")) != -1) {
|
||||
switch (opt) {
|
||||
case '1':
|
||||
options.protocol = SSH_PROTO_1;
|
||||
@ -271,6 +275,14 @@ again:
|
||||
case 'g':
|
||||
options.gateway_ports = 1;
|
||||
break;
|
||||
case 'O':
|
||||
if (strcmp(optarg, "check") == 0)
|
||||
mux_command = SSHMUX_COMMAND_ALIVE_CHECK;
|
||||
else if (strcmp(optarg, "exit") == 0)
|
||||
mux_command = SSHMUX_COMMAND_TERMINATE;
|
||||
else
|
||||
fatal("Invalid multiplex command.");
|
||||
break;
|
||||
case 'P': /* deprecated */
|
||||
options.use_privileged_port = 0;
|
||||
break;
|
||||
@ -286,7 +298,8 @@ again:
|
||||
case 'i':
|
||||
if (stat(optarg, &st) < 0) {
|
||||
fprintf(stderr, "Warning: Identity file %s "
|
||||
"does not exist.\n", optarg);
|
||||
"not accessible: %s.\n", optarg,
|
||||
strerror(errno));
|
||||
break;
|
||||
}
|
||||
if (options.num_identity_files >=
|
||||
@ -317,10 +330,10 @@ again:
|
||||
options.log_level++;
|
||||
break;
|
||||
}
|
||||
/* fallthrough */
|
||||
/* FALLTHROUGH */
|
||||
case 'V':
|
||||
fprintf(stderr, "%s, %s\n",
|
||||
SSH_VERSION, SSLeay_version(SSLEAY_VERSION));
|
||||
SSH_RELEASE, SSLeay_version(SSLEAY_VERSION));
|
||||
if (opt == 'V')
|
||||
exit(0);
|
||||
break;
|
||||
@ -389,39 +402,51 @@ again:
|
||||
break;
|
||||
|
||||
case 'L':
|
||||
case 'R':
|
||||
if (sscanf(optarg, "%5[0123456789]:%255[^:]:%5[0123456789]",
|
||||
sfwd_port, buf, sfwd_host_port) != 3 &&
|
||||
sscanf(optarg, "%5[0123456789]/%255[^/]/%5[0123456789]",
|
||||
sfwd_port, buf, sfwd_host_port) != 3) {
|
||||
if (parse_forward(&fwd, optarg))
|
||||
add_local_forward(&options, &fwd);
|
||||
else {
|
||||
fprintf(stderr,
|
||||
"Bad forwarding specification '%s'\n",
|
||||
"Bad local forwarding specification '%s'\n",
|
||||
optarg);
|
||||
usage();
|
||||
/* NOTREACHED */
|
||||
}
|
||||
if ((fwd_port = a2port(sfwd_port)) == 0 ||
|
||||
(fwd_host_port = a2port(sfwd_host_port)) == 0) {
|
||||
fprintf(stderr,
|
||||
"Bad forwarding port(s) '%s'\n", optarg);
|
||||
exit(1);
|
||||
}
|
||||
if (opt == 'L')
|
||||
add_local_forward(&options, fwd_port, buf,
|
||||
fwd_host_port);
|
||||
else if (opt == 'R')
|
||||
add_remote_forward(&options, fwd_port, buf,
|
||||
fwd_host_port);
|
||||
break;
|
||||
|
||||
case 'R':
|
||||
if (parse_forward(&fwd, optarg)) {
|
||||
add_remote_forward(&options, &fwd);
|
||||
} else {
|
||||
fprintf(stderr,
|
||||
"Bad remote forwarding specification "
|
||||
"'%s'\n", optarg);
|
||||
exit(1);
|
||||
}
|
||||
break;
|
||||
|
||||
case 'D':
|
||||
fwd_port = a2port(optarg);
|
||||
if (fwd_port == 0) {
|
||||
cp = p = xstrdup(optarg);
|
||||
memset(&fwd, '\0', sizeof(fwd));
|
||||
fwd.connect_host = "socks";
|
||||
if ((fwd.listen_host = hpdelim(&cp)) == NULL) {
|
||||
fprintf(stderr, "Bad dynamic forwarding "
|
||||
"specification '%.100s'\n", optarg);
|
||||
exit(1);
|
||||
}
|
||||
if (cp != NULL) {
|
||||
fwd.listen_port = a2port(cp);
|
||||
fwd.listen_host = cleanhostname(fwd.listen_host);
|
||||
} else {
|
||||
fwd.listen_port = a2port(fwd.listen_host);
|
||||
fwd.listen_host = "";
|
||||
}
|
||||
|
||||
if (fwd.listen_port == 0) {
|
||||
fprintf(stderr, "Bad dynamic port '%s'\n",
|
||||
optarg);
|
||||
exit(1);
|
||||
}
|
||||
add_local_forward(&options, fwd_port, "socks", 0);
|
||||
add_local_forward(&options, &fwd);
|
||||
xfree(p);
|
||||
break;
|
||||
|
||||
case 'C':
|
||||
@ -847,14 +872,19 @@ ssh_init_forwarding(void)
|
||||
|
||||
/* Initiate local TCP/IP port forwardings. */
|
||||
for (i = 0; i < options.num_local_forwards; i++) {
|
||||
debug("Connections to local port %d forwarded to remote address %.200s:%d",
|
||||
options.local_forwards[i].port,
|
||||
options.local_forwards[i].host,
|
||||
options.local_forwards[i].host_port);
|
||||
debug("Local connections to %.200s:%d forwarded to remote "
|
||||
"address %.200s:%d",
|
||||
(options.local_forwards[i].listen_host == NULL) ?
|
||||
(options.gateway_ports ? "*" : "LOCALHOST") :
|
||||
options.local_forwards[i].listen_host,
|
||||
options.local_forwards[i].listen_port,
|
||||
options.local_forwards[i].connect_host,
|
||||
options.local_forwards[i].connect_port);
|
||||
success += channel_setup_local_fwd_listener(
|
||||
options.local_forwards[i].port,
|
||||
options.local_forwards[i].host,
|
||||
options.local_forwards[i].host_port,
|
||||
options.local_forwards[i].listen_host,
|
||||
options.local_forwards[i].listen_port,
|
||||
options.local_forwards[i].connect_host,
|
||||
options.local_forwards[i].connect_port,
|
||||
options.gateway_ports);
|
||||
}
|
||||
if (i > 0 && success == 0)
|
||||
@ -862,14 +892,19 @@ ssh_init_forwarding(void)
|
||||
|
||||
/* Initiate remote TCP/IP port forwardings. */
|
||||
for (i = 0; i < options.num_remote_forwards; i++) {
|
||||
debug("Connections to remote port %d forwarded to local address %.200s:%d",
|
||||
options.remote_forwards[i].port,
|
||||
options.remote_forwards[i].host,
|
||||
options.remote_forwards[i].host_port);
|
||||
debug("Remote connections from %.200s:%d forwarded to "
|
||||
"local address %.200s:%d",
|
||||
(options.remote_forwards[i].listen_host == NULL) ?
|
||||
(options.gateway_ports ? "*" : "LOCALHOST") :
|
||||
options.remote_forwards[i].listen_host,
|
||||
options.remote_forwards[i].listen_port,
|
||||
options.remote_forwards[i].connect_host,
|
||||
options.remote_forwards[i].connect_port);
|
||||
channel_request_remote_forwarding(
|
||||
options.remote_forwards[i].port,
|
||||
options.remote_forwards[i].host,
|
||||
options.remote_forwards[i].host_port);
|
||||
options.remote_forwards[i].listen_host,
|
||||
options.remote_forwards[i].listen_port,
|
||||
options.remote_forwards[i].connect_host,
|
||||
options.remote_forwards[i].connect_port);
|
||||
}
|
||||
}
|
||||
|
||||
@ -1045,12 +1080,12 @@ client_global_request_reply_fwd(int type, u_int32_t seq, void *ctxt)
|
||||
return;
|
||||
debug("remote forward %s for: listen %d, connect %s:%d",
|
||||
type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure",
|
||||
options.remote_forwards[i].port,
|
||||
options.remote_forwards[i].host,
|
||||
options.remote_forwards[i].host_port);
|
||||
options.remote_forwards[i].listen_port,
|
||||
options.remote_forwards[i].connect_host,
|
||||
options.remote_forwards[i].connect_port);
|
||||
if (type == SSH2_MSG_REQUEST_FAILURE)
|
||||
logit("Warning: remote port forwarding failed for listen port %d",
|
||||
options.remote_forwards[i].port);
|
||||
logit("Warning: remote port forwarding failed for listen "
|
||||
"port %d", options.remote_forwards[i].listen_port);
|
||||
}
|
||||
|
||||
static void
|
||||
@ -1078,7 +1113,7 @@ ssh_control_listener(void)
|
||||
old_umask = umask(0177);
|
||||
if (bind(control_fd, (struct sockaddr*)&addr, addr_len) == -1) {
|
||||
control_fd = -1;
|
||||
if (errno == EINVAL)
|
||||
if (errno == EINVAL || errno == EADDRINUSE)
|
||||
fatal("ControlSocket %s already exists",
|
||||
options.control_path);
|
||||
else
|
||||
@ -1267,10 +1302,20 @@ static void
|
||||
control_client(const char *path)
|
||||
{
|
||||
struct sockaddr_un addr;
|
||||
int i, r, sock, exitval, num_env, addr_len;
|
||||
int i, r, fd, sock, exitval, num_env, addr_len;
|
||||
Buffer m;
|
||||
char *cp;
|
||||
char *term;
|
||||
extern char **environ;
|
||||
u_int flags;
|
||||
|
||||
if (stdin_null_flag) {
|
||||
if ((fd = open(_PATH_DEVNULL, O_RDONLY)) == -1)
|
||||
fatal("open(/dev/null): %s", strerror(errno));
|
||||
if (dup2(fd, STDIN_FILENO) == -1)
|
||||
fatal("dup2: %s", strerror(errno));
|
||||
if (fd > STDERR_FILENO)
|
||||
close(fd);
|
||||
}
|
||||
|
||||
memset(&addr, '\0', sizeof(addr));
|
||||
addr.sun_family = AF_UNIX;
|
||||
@ -1287,26 +1332,52 @@ control_client(const char *path)
|
||||
if (connect(sock, (struct sockaddr*)&addr, addr_len) == -1)
|
||||
fatal("Couldn't connect to %s: %s", path, strerror(errno));
|
||||
|
||||
if ((cp = getenv("TERM")) == NULL)
|
||||
cp = "";
|
||||
if ((term = getenv("TERM")) == NULL)
|
||||
term = "";
|
||||
|
||||
flags = 0;
|
||||
if (tty_flag)
|
||||
flags |= SSHMUX_FLAG_TTY;
|
||||
if (subsystem_flag)
|
||||
flags |= SSHMUX_FLAG_SUBSYS;
|
||||
|
||||
buffer_init(&m);
|
||||
|
||||
/* Get PID of controlee */
|
||||
/* Send our command to server */
|
||||
buffer_put_int(&m, mux_command);
|
||||
buffer_put_int(&m, flags);
|
||||
if (ssh_msg_send(sock, /* version */1, &m) == -1)
|
||||
fatal("%s: msg_send", __func__);
|
||||
buffer_clear(&m);
|
||||
|
||||
/* Get authorisation status and PID of controlee */
|
||||
if (ssh_msg_recv(sock, &m) == -1)
|
||||
fatal("%s: msg_recv", __func__);
|
||||
if (buffer_get_char(&m) != 0)
|
||||
if (buffer_get_char(&m) != 1)
|
||||
fatal("%s: wrong version", __func__);
|
||||
/* Connection allowed? */
|
||||
if (buffer_get_int(&m) != 1)
|
||||
fatal("Connection to master denied");
|
||||
control_server_pid = buffer_get_int(&m);
|
||||
|
||||
buffer_clear(&m);
|
||||
buffer_put_int(&m, tty_flag);
|
||||
buffer_put_int(&m, subsystem_flag);
|
||||
buffer_put_cstring(&m, cp);
|
||||
|
||||
switch (mux_command) {
|
||||
case SSHMUX_COMMAND_ALIVE_CHECK:
|
||||
fprintf(stderr, "Master running (pid=%d)\r\n",
|
||||
control_server_pid);
|
||||
exit(0);
|
||||
case SSHMUX_COMMAND_TERMINATE:
|
||||
fprintf(stderr, "Exit request sent.\r\n");
|
||||
exit(0);
|
||||
case SSHMUX_COMMAND_OPEN:
|
||||
/* continue below */
|
||||
break;
|
||||
default:
|
||||
fatal("silly mux_command %d", mux_command);
|
||||
}
|
||||
|
||||
/* SSHMUX_COMMAND_OPEN */
|
||||
buffer_put_cstring(&m, term);
|
||||
buffer_append(&command, "\0", 1);
|
||||
buffer_put_cstring(&m, buffer_ptr(&command));
|
||||
|
||||
@ -1328,7 +1399,7 @@ control_client(const char *path)
|
||||
}
|
||||
}
|
||||
|
||||
if (ssh_msg_send(sock, /* version */0, &m) == -1)
|
||||
if (ssh_msg_send(sock, /* version */1, &m) == -1)
|
||||
fatal("%s: msg_send", __func__);
|
||||
|
||||
mm_send_fd(sock, STDIN_FILENO);
|
||||
@ -1339,10 +1410,11 @@ control_client(const char *path)
|
||||
buffer_clear(&m);
|
||||
if (ssh_msg_recv(sock, &m) == -1)
|
||||
fatal("%s: msg_recv", __func__);
|
||||
if (buffer_get_char(&m) != 0)
|
||||
fatal("%s: master returned error", __func__);
|
||||
if (buffer_get_char(&m) != 1)
|
||||
fatal("%s: wrong version", __func__);
|
||||
buffer_free(&m);
|
||||
|
||||
signal(SIGHUP, control_client_sighandler);
|
||||
signal(SIGINT, control_client_sighandler);
|
||||
signal(SIGTERM, control_client_sighandler);
|
||||
signal(SIGWINCH, control_client_sigrelay);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssh.h,v 1.75 2003/12/02 17:01:15 markus Exp $ */
|
||||
/* $OpenBSD: ssh.h,v 1.76 2004/12/06 11:41:03 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -39,6 +39,13 @@
|
||||
*/
|
||||
#define SSH_MAX_IDENTITY_FILES 100
|
||||
|
||||
/*
|
||||
* Maximum length of lines in authorized_keys file.
|
||||
* Current value permits 16kbit RSA and RSA1 keys and 8kbit DSA keys, with
|
||||
* some room for options and comments.
|
||||
*/
|
||||
#define SSH_MAX_PUBKEY_BYTES 8192
|
||||
|
||||
/*
|
||||
* Major protocol version. Different version indicates major incompatibility
|
||||
* that prevents communication.
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $
|
||||
# $OpenBSD: ssh_config,v 1.20 2005/01/28 09:45:53 dtucker Exp $
|
||||
# $FreeBSD$
|
||||
|
||||
# This is the ssh client system-wide configuration file. See
|
||||
@ -14,7 +14,9 @@
|
||||
# Thus, host-specific definitions should be at the beginning of the
|
||||
# configuration file, and defaults at the end.
|
||||
|
||||
# Site-wide defaults for various options
|
||||
# Site-wide defaults for some commonly used options. For a comprehensive
|
||||
# list of available options, their meanings and defaults, please see the
|
||||
# ssh_config(5) man page.
|
||||
|
||||
# Host *
|
||||
# ForwardAgent no
|
||||
@ -36,4 +38,4 @@
|
||||
# Cipher 3des
|
||||
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
|
||||
# EscapeChar ~
|
||||
# VersionAddendum FreeBSD-20041028
|
||||
# VersionAddendum FreeBSD-20050605
|
||||
|
@ -34,7 +34,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh_config.5,v 1.38 2004/06/26 09:11:14 jmc Exp $
|
||||
.\" $OpenBSD: ssh_config.5,v 1.49 2005/03/16 11:10:38 jmc Exp $
|
||||
.\" $FreeBSD$
|
||||
.Dd September 25, 1999
|
||||
.Dt SSH_CONFIG 5
|
||||
@ -64,7 +64,7 @@ system-wide configuration file
|
||||
.Pp
|
||||
For each parameter, the first obtained value
|
||||
will be used.
|
||||
The configuration files contain sections bracketed by
|
||||
The configuration files contain sections separated by
|
||||
.Dq Host
|
||||
specifications, and that section is only applied for hosts that
|
||||
match one of the patterns given in the specification.
|
||||
@ -121,9 +121,9 @@ Specifies which address family to use when connecting.
|
||||
Valid arguments are
|
||||
.Dq any ,
|
||||
.Dq inet
|
||||
(Use IPv4 only) or
|
||||
(use IPv4 only) or
|
||||
.Dq inet6
|
||||
(Use IPv6 only.)
|
||||
(use IPv6 only).
|
||||
.It Cm BatchMode
|
||||
If set to
|
||||
.Dq yes ,
|
||||
@ -360,11 +360,16 @@ option is also enabled.
|
||||
If this option is set to
|
||||
.Dq yes
|
||||
then remote X11 clients will have full access to the original X11 display.
|
||||
.Pp
|
||||
If this option is set to
|
||||
.Dq no
|
||||
then remote X11 clients will be considered untrusted and prevented
|
||||
from stealing or tampering with data belonging to trusted X11
|
||||
clients.
|
||||
Furthermore, the
|
||||
.Xr xauth 1
|
||||
token used for the session will be set to expire after 20 minutes.
|
||||
Remote clients will be refused access after this time.
|
||||
.Pp
|
||||
The default is
|
||||
.Dq no .
|
||||
@ -403,6 +408,22 @@ Forward (delegate) credentials to the server.
|
||||
The default is
|
||||
.Dq no .
|
||||
Note that this option applies to protocol version 2 only.
|
||||
.It Cm HashKnownHosts
|
||||
Indicates that
|
||||
.Nm ssh
|
||||
should hash host names and addresses when they are added to
|
||||
.Pa $HOME/.ssh/known_hosts .
|
||||
These hashed names may be used normally by
|
||||
.Nm ssh
|
||||
and
|
||||
.Nm sshd ,
|
||||
but they do not reveal identifying information should the file's contents
|
||||
be disclosed.
|
||||
The default is
|
||||
.Dq no .
|
||||
Note that hashing of names and addresses will not be retrospectively applied
|
||||
to existing known hosts files, but these may be manually hashed using
|
||||
.Xr ssh-keygen 1 .
|
||||
.It Cm HostbasedAuthentication
|
||||
Specifies whether to try rhosts based authentication with public key
|
||||
authentication.
|
||||
@ -468,16 +489,41 @@ This option is intented for situations where
|
||||
offers many different identities.
|
||||
The default is
|
||||
.Dq no .
|
||||
.It Cm KbdInteractiveDevices
|
||||
Specifies the list of methods to use in keyboard-interactive authentication.
|
||||
Multiple method names must be comma-separated.
|
||||
The default is to use the server specified list.
|
||||
.It Cm LocalForward
|
||||
Specifies that a TCP/IP port on the local machine be forwarded over
|
||||
the secure channel to the specified host and port from the remote machine.
|
||||
The first argument must be a port number, and the second must be
|
||||
.Ar host:port .
|
||||
IPv6 addresses can be specified with an alternative syntax:
|
||||
.Ar host/port .
|
||||
Multiple forwardings may be specified, and additional
|
||||
forwardings can be given on the command line.
|
||||
The first argument must be
|
||||
.Sm off
|
||||
.Oo Ar bind_address : Oc Ar port
|
||||
.Sm on
|
||||
and the second argument must be
|
||||
.Ar host : Ns Ar hostport .
|
||||
IPv6 addresses can be specified by enclosing addresses in square brackets or
|
||||
by using an alternative syntax:
|
||||
.Oo Ar bind_address Ns / Oc Ns Ar port
|
||||
and
|
||||
.Ar host Ns / Ns Ar hostport .
|
||||
Multiple forwardings may be specified, and additional forwardings can be
|
||||
given on the command line.
|
||||
Only the superuser can forward privileged ports.
|
||||
By default, the local port is bound in accordance with the
|
||||
.Cm GatewayPorts
|
||||
setting.
|
||||
However, an explicit
|
||||
.Ar bind_address
|
||||
may be used to bind the connection to a specific address.
|
||||
The
|
||||
.Ar bind_address
|
||||
of
|
||||
.Dq localhost
|
||||
indicates that the listening port be bound for local use only, while an
|
||||
empty address or
|
||||
.Sq *
|
||||
indicates that the port should be available from all interfaces.
|
||||
.It Cm LogLevel
|
||||
Gives the verbosity level that is used when logging messages from
|
||||
.Nm ssh .
|
||||
@ -522,9 +568,9 @@ Default is 22.
|
||||
.It Cm PreferredAuthentications
|
||||
Specifies the order in which the client should try protocol 2
|
||||
authentication methods.
|
||||
This allows a client to prefer one method (e.g.
|
||||
This allows a client to prefer one method (e.g.\&
|
||||
.Cm keyboard-interactive )
|
||||
over another method (e.g.
|
||||
over another method (e.g.\&
|
||||
.Cm password )
|
||||
The default for this option is:
|
||||
.Dq hostbased,publickey,keyboard-interactive,password .
|
||||
@ -583,13 +629,36 @@ This option applies to protocol version 2 only.
|
||||
.It Cm RemoteForward
|
||||
Specifies that a TCP/IP port on the remote machine be forwarded over
|
||||
the secure channel to the specified host and port from the local machine.
|
||||
The first argument must be a port number, and the second must be
|
||||
.Ar host:port .
|
||||
IPv6 addresses can be specified with an alternative syntax:
|
||||
.Ar host/port .
|
||||
The first argument must be
|
||||
.Sm off
|
||||
.Oo Ar bind_address : Oc Ar port
|
||||
.Sm on
|
||||
and the second argument must be
|
||||
.Ar host : Ns Ar hostport .
|
||||
IPv6 addresses can be specified by enclosing addresses in square brackets
|
||||
or by using an alternative syntax:
|
||||
.Oo Ar bind_address Ns / Oc Ns Ar port
|
||||
and
|
||||
.Ar host Ns / Ns Ar hostport .
|
||||
Multiple forwardings may be specified, and additional
|
||||
forwardings can be given on the command line.
|
||||
Only the superuser can forward privileged ports.
|
||||
.Pp
|
||||
If the
|
||||
.Ar bind_address
|
||||
is not specified, the default is to only bind to loopback addresses.
|
||||
If the
|
||||
.Ar bind_address
|
||||
is
|
||||
.Ql *
|
||||
or an empty string, then the forwarding is requested to listen on all
|
||||
interfaces.
|
||||
Specifying a remote
|
||||
.Ar bind_address
|
||||
will only succeed if the server's
|
||||
.Cm GatewayPorts
|
||||
option is enabled (see
|
||||
.Xr sshd_config 5 ) .
|
||||
.It Cm RhostsRSAAuthentication
|
||||
Specifies whether to try rhosts based authentication with RSA host
|
||||
authentication.
|
||||
@ -783,7 +852,7 @@ Note that this option applies to protocol version 2 only.
|
||||
Specifies a string to append to the regular version string to identify
|
||||
OS- or site-specific modifications.
|
||||
The default is
|
||||
.Dq FreeBSD-20041028 .
|
||||
.Dq FreeBSD-20050605 .
|
||||
.It Cm XAuthLocation
|
||||
Specifies the full pathname of the
|
||||
.Xr xauth 1
|
||||
|
@ -13,7 +13,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: sshconnect.c,v 1.158 2004/06/21 17:36:31 avsm Exp $");
|
||||
RCSID("$OpenBSD: sshconnect.c,v 1.162 2005/03/10 22:01:06 deraadt Exp $");
|
||||
|
||||
#include <openssl/bn.h>
|
||||
|
||||
@ -247,13 +247,13 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr,
|
||||
tv.tv_sec = timeout;
|
||||
tv.tv_usec = 0;
|
||||
|
||||
for(;;) {
|
||||
for (;;) {
|
||||
rc = select(sockfd + 1, NULL, fdset, NULL, &tv);
|
||||
if (rc != -1 || errno != EINTR)
|
||||
break;
|
||||
}
|
||||
|
||||
switch(rc) {
|
||||
switch (rc) {
|
||||
case 0:
|
||||
/* Timed out */
|
||||
errno = ETIMEDOUT;
|
||||
@ -297,12 +297,6 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr,
|
||||
* second). If proxy_command is non-NULL, it specifies the command (with %h
|
||||
* and %p substituted for host and port, respectively) to use to contact
|
||||
* the daemon.
|
||||
* Return values:
|
||||
* 0 for OK
|
||||
* ECONNREFUSED if we got a "Connection Refused" by the peer on any address
|
||||
* ECONNABORTED if we failed without a "Connection refused"
|
||||
* Suitable error messages for the connection failure will already have been
|
||||
* printed.
|
||||
*/
|
||||
int
|
||||
ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
|
||||
@ -315,12 +309,6 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
|
||||
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
|
||||
struct addrinfo hints, *ai, *aitop;
|
||||
struct servent *sp;
|
||||
/*
|
||||
* Did we get only other errors than "Connection refused" (which
|
||||
* should block fallback to rsh and similar), or did we get at least
|
||||
* one "Connection refused"?
|
||||
*/
|
||||
int full_failure = 1;
|
||||
|
||||
debug2("ssh_connect: needpriv %d", needpriv);
|
||||
|
||||
@ -381,8 +369,6 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
|
||||
memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen);
|
||||
break;
|
||||
} else {
|
||||
if (errno == ECONNREFUSED)
|
||||
full_failure = 0;
|
||||
debug("connect to address %s port %s: %s",
|
||||
ntop, strport, strerror(errno));
|
||||
/*
|
||||
@ -408,9 +394,9 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
|
||||
|
||||
/* Return failure if we didn't get a successful connection. */
|
||||
if (attempt >= connection_attempts) {
|
||||
logit("ssh: connect to host %s port %s: %s",
|
||||
error("ssh: connect to host %s port %s: %s",
|
||||
host, strport, strerror(errno));
|
||||
return full_failure ? ECONNABORTED : ECONNREFUSED;
|
||||
return (-1);
|
||||
}
|
||||
|
||||
debug("Connection established.");
|
||||
@ -568,7 +554,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
|
||||
char hostline[1000], *hostp, *fp;
|
||||
HostStatus host_status;
|
||||
HostStatus ip_status;
|
||||
int local = 0, host_ip_differ = 0;
|
||||
int r, local = 0, host_ip_differ = 0;
|
||||
int salen;
|
||||
char ntop[NI_MAXHOST];
|
||||
char msg[1024];
|
||||
@ -692,7 +678,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
|
||||
"'%.128s' not in list of known hosts.",
|
||||
type, ip);
|
||||
else if (!add_host_to_hostfile(user_hostfile, ip,
|
||||
host_key))
|
||||
host_key, options.hash_known_hosts))
|
||||
logit("Failed to add the %s host key for IP "
|
||||
"address '%.128s' to the list of known "
|
||||
"hosts (%.30s).", type, ip, user_hostfile);
|
||||
@ -748,17 +734,33 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
|
||||
if (!confirm(msg))
|
||||
goto fail;
|
||||
}
|
||||
if (options.check_host_ip && ip_status == HOST_NEW) {
|
||||
snprintf(hostline, sizeof(hostline), "%s,%s", host, ip);
|
||||
hostp = hostline;
|
||||
} else
|
||||
hostp = host;
|
||||
|
||||
/*
|
||||
* If not in strict mode, add the key automatically to the
|
||||
* local known_hosts file.
|
||||
*/
|
||||
if (!add_host_to_hostfile(user_hostfile, hostp, host_key))
|
||||
if (options.check_host_ip && ip_status == HOST_NEW) {
|
||||
snprintf(hostline, sizeof(hostline), "%s,%s",
|
||||
host, ip);
|
||||
hostp = hostline;
|
||||
if (options.hash_known_hosts) {
|
||||
/* Add hash of host and IP separately */
|
||||
r = add_host_to_hostfile(user_hostfile, host,
|
||||
host_key, options.hash_known_hosts) &&
|
||||
add_host_to_hostfile(user_hostfile, ip,
|
||||
host_key, options.hash_known_hosts);
|
||||
} else {
|
||||
/* Add unhashed "host,ip" */
|
||||
r = add_host_to_hostfile(user_hostfile,
|
||||
hostline, host_key,
|
||||
options.hash_known_hosts);
|
||||
}
|
||||
} else {
|
||||
r = add_host_to_hostfile(user_hostfile, host, host_key,
|
||||
options.hash_known_hosts);
|
||||
hostp = host;
|
||||
}
|
||||
|
||||
if (!r)
|
||||
logit("Failed to add the host to the list of known "
|
||||
"hosts (%.500s).", user_hostfile);
|
||||
else
|
||||
|
@ -34,7 +34,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd.8,v 1.201 2004/05/02 11:54:31 dtucker Exp $
|
||||
.\" $OpenBSD: sshd.8,v 1.206 2005/03/01 14:59:49 jmc Exp $
|
||||
.\" $FreeBSD$
|
||||
.Dd September 25, 1999
|
||||
.Dt SSHD 8
|
||||
@ -107,8 +107,6 @@ to use from those offered by the server.
|
||||
Next, the server and the client enter an authentication dialog.
|
||||
The client tries to authenticate itself using
|
||||
.Em .rhosts
|
||||
authentication,
|
||||
.Em .rhosts
|
||||
authentication combined with RSA host
|
||||
authentication, RSA challenge-response authentication, or password
|
||||
based authentication.
|
||||
@ -136,11 +134,6 @@ or
|
||||
.Ql \&*NP\&*
|
||||
).
|
||||
.Pp
|
||||
.Em rhosts
|
||||
authentication is normally disabled
|
||||
because it is fundamentally insecure, but can be enabled in the server
|
||||
configuration file if desired.
|
||||
System security is not improved unless
|
||||
.Nm rshd ,
|
||||
.Nm rlogind ,
|
||||
and
|
||||
@ -428,7 +421,9 @@ or
|
||||
.Dq ssh-rsa .
|
||||
.Pp
|
||||
Note that lines in this file are usually several hundred bytes long
|
||||
(because of the size of the public key encoding).
|
||||
(because of the size of the public key encoding) up to a limit of
|
||||
8 kilobytes, which permits DSA keys up to 8 kilobits and RSA
|
||||
keys up to 16 kilobits.
|
||||
You don't want to type them in; instead, copy the
|
||||
.Pa identity.pub ,
|
||||
.Pa id_dsa.pub
|
||||
@ -559,6 +554,14 @@ to indicate negation: if the host name matches a negated
|
||||
pattern, it is not accepted (by that line) even if it matched another
|
||||
pattern on the line.
|
||||
.Pp
|
||||
Alternately, hostnames may be stored in a hashed form which hides host names
|
||||
and addresses should the file's contents be disclosed.
|
||||
Hashed hostnames start with a
|
||||
.Ql |
|
||||
character.
|
||||
Only one hashed hostname may appear on a single line and none of the above
|
||||
negation or wildcard operators may be applied.
|
||||
.Pp
|
||||
Bits, exponent, and modulus are taken directly from the RSA host key; they
|
||||
can be obtained, e.g., from
|
||||
.Pa /etc/ssh/ssh_host_key.pub .
|
||||
@ -590,6 +593,11 @@ and adding the host names at the front.
|
||||
closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi
|
||||
cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....=
|
||||
.Ed
|
||||
.Bd -literal
|
||||
# A hashed hostname
|
||||
|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
|
||||
AAAA1234.....=
|
||||
.Ed
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds
|
||||
.It Pa /etc/ssh/sshd_config
|
||||
@ -658,6 +666,20 @@ These files should be writable only by root/the owner.
|
||||
should be world-readable, and
|
||||
.Pa $HOME/.ssh/known_hosts
|
||||
can, but need not be, world-readable.
|
||||
.It Pa /etc/motd
|
||||
See
|
||||
.Xr motd 5 .
|
||||
.It Pa $HOME/.hushlogin
|
||||
This file is used to suppress printing the last login time and
|
||||
.Pa /etc/motd ,
|
||||
if
|
||||
.Cm PrintLastLog
|
||||
and
|
||||
.Cm PrintMotd ,
|
||||
respectively,
|
||||
are enabled.
|
||||
It does not suppress printing of the banner specified by
|
||||
.Cm Banner .
|
||||
.It Pa /etc/nologin
|
||||
If this file exists,
|
||||
.Nm
|
||||
@ -671,7 +693,11 @@ Access controls that should be enforced by tcp-wrappers are defined here.
|
||||
Further details are described in
|
||||
.Xr hosts_access 5 .
|
||||
.It Pa $HOME/.rhosts
|
||||
This file contains host-username pairs, separated by a space, one per
|
||||
This file is used during
|
||||
.Cm RhostsRSAAuthentication
|
||||
and
|
||||
.Cm HostbasedAuthentication
|
||||
and contains host-username pairs, separated by a space, one per
|
||||
line.
|
||||
The given user on the corresponding host is permitted to log in
|
||||
without a password.
|
||||
@ -692,7 +718,9 @@ However, this file is
|
||||
not used by rlogin and rshd, so using this permits access using SSH only.
|
||||
.It Pa /etc/hosts.equiv
|
||||
This file is used during
|
||||
.Em rhosts
|
||||
.Cm RhostsRSAAuthentication
|
||||
and
|
||||
.Cm HostbasedAuthentication
|
||||
authentication.
|
||||
In the simplest form, this file contains host names, one per line.
|
||||
Users on
|
||||
@ -711,7 +739,7 @@ Negated entries start with
|
||||
If the client host/user is successfully matched in this file, login is
|
||||
automatically permitted provided the client and server user names are the
|
||||
same.
|
||||
Additionally, successful RSA host authentication is normally required.
|
||||
Additionally, successful client host key authentication is required.
|
||||
This file must be writable only by root; it is recommended
|
||||
that it be world-readable.
|
||||
.Pp
|
||||
|
@ -42,7 +42,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: sshd.c,v 1.301 2004/08/11 11:50:09 dtucker Exp $");
|
||||
RCSID("$OpenBSD: sshd.c,v 1.308 2005/02/08 22:24:57 dtucker Exp $");
|
||||
RCSID("$FreeBSD$");
|
||||
|
||||
#include <openssl/dh.h>
|
||||
@ -116,12 +116,6 @@ ServerOptions options;
|
||||
/* Name of the server configuration file. */
|
||||
char *config_file_name = _PATH_SERVER_CONFIG_FILE;
|
||||
|
||||
/*
|
||||
* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
|
||||
* Default value is AF_UNSPEC means both IPv4 and IPv6.
|
||||
*/
|
||||
int IPv4or6 = AF_UNSPEC;
|
||||
|
||||
/*
|
||||
* Debug mode flag. This can be set on the command line. If debug
|
||||
* mode is enabled, extra debugging output will be sent to the system
|
||||
@ -755,7 +749,7 @@ get_hostkey_index(Key *key)
|
||||
static int
|
||||
drop_connection(int startups)
|
||||
{
|
||||
double p, r;
|
||||
int p, r;
|
||||
|
||||
if (startups < options.max_startups_begin)
|
||||
return 0;
|
||||
@ -766,12 +760,11 @@ drop_connection(int startups)
|
||||
|
||||
p = 100 - options.max_startups_rate;
|
||||
p *= startups - options.max_startups_begin;
|
||||
p /= (double) (options.max_startups - options.max_startups_begin);
|
||||
p /= options.max_startups - options.max_startups_begin;
|
||||
p += options.max_startups_rate;
|
||||
p /= 100.0;
|
||||
r = arc4random() / (double) UINT_MAX;
|
||||
r = arc4random() % 100;
|
||||
|
||||
debug("drop_connection: p %g, r %g", p, r);
|
||||
debug("drop_connection: p %d, r %d", p, r);
|
||||
return (r < p) ? 1 : 0;
|
||||
}
|
||||
|
||||
@ -779,7 +772,7 @@ static void
|
||||
usage(void)
|
||||
{
|
||||
fprintf(stderr, "%s, %s\n",
|
||||
SSH_VERSION, SSLeay_version(SSLEAY_VERSION));
|
||||
SSH_RELEASE, SSLeay_version(SSLEAY_VERSION));
|
||||
fprintf(stderr,
|
||||
"usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]\n"
|
||||
" [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]\n"
|
||||
@ -889,7 +882,7 @@ main(int ac, char **av)
|
||||
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
|
||||
char *line;
|
||||
int listen_sock, maxfd;
|
||||
int startup_p[2], config_s[2];
|
||||
int startup_p[2] = { -1 , -1 }, config_s[2] = { -1 , -1 };
|
||||
int startups = 0;
|
||||
Key *key;
|
||||
Authctxt *authctxt;
|
||||
@ -926,10 +919,10 @@ main(int ac, char **av)
|
||||
while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:dDeiqrtQR46")) != -1) {
|
||||
switch (opt) {
|
||||
case '4':
|
||||
IPv4or6 = AF_INET;
|
||||
options.address_family = AF_INET;
|
||||
break;
|
||||
case '6':
|
||||
IPv4or6 = AF_INET6;
|
||||
options.address_family = AF_INET6;
|
||||
break;
|
||||
case 'f':
|
||||
config_file_name = optarg;
|
||||
@ -1030,7 +1023,6 @@ main(int ac, char **av)
|
||||
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
|
||||
|
||||
SSLeay_add_all_algorithms();
|
||||
channel_set_af(IPv4or6);
|
||||
|
||||
/*
|
||||
* Force logging to stderr until we have loaded the private host
|
||||
@ -1043,13 +1035,13 @@ main(int ac, char **av)
|
||||
SYSLOG_FACILITY_AUTH : options.log_facility,
|
||||
log_stderr || !inetd_flag);
|
||||
|
||||
#ifdef _AIX
|
||||
/*
|
||||
* Unset KRB5CCNAME, otherwise the user's session may inherit it from
|
||||
* root's environment
|
||||
*/
|
||||
unsetenv("KRB5CCNAME");
|
||||
#endif /* _AIX */
|
||||
if (getenv("KRB5CCNAME") != NULL)
|
||||
unsetenv("KRB5CCNAME");
|
||||
|
||||
#ifdef _UNICOS
|
||||
/* Cray can define user privs drop all privs now!
|
||||
* Not needed on PRIV_SU systems!
|
||||
@ -1080,13 +1072,16 @@ main(int ac, char **av)
|
||||
/* Fill in default values for those options not explicitly set. */
|
||||
fill_default_server_options(&options);
|
||||
|
||||
/* set default channel AF */
|
||||
channel_set_af(options.address_family);
|
||||
|
||||
/* Check that there are no remaining arguments. */
|
||||
if (optind < ac) {
|
||||
fprintf(stderr, "Extra argument %s.\n", av[optind]);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
debug("sshd version %.100s", SSH_VERSION);
|
||||
debug("sshd version %.100s", SSH_RELEASE);
|
||||
|
||||
/* load private host keys */
|
||||
sensitive_data.host_keys = xmalloc(options.num_host_key_files *
|
||||
@ -1202,7 +1197,7 @@ main(int ac, char **av)
|
||||
}
|
||||
|
||||
/* Initialize the log (it is reinitialized below in case we forked). */
|
||||
if (debug_flag && !inetd_flag)
|
||||
if (debug_flag && (!inetd_flag || rexeced_flag))
|
||||
log_stderr = 1;
|
||||
log_init(__progname, options.log_level, options.log_facility, log_stderr);
|
||||
|
||||
@ -1278,10 +1273,12 @@ main(int ac, char **av)
|
||||
if (num_listen_socks >= MAX_LISTEN_SOCKS)
|
||||
fatal("Too many listen sockets. "
|
||||
"Enlarge MAX_LISTEN_SOCKS");
|
||||
if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
|
||||
if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen,
|
||||
ntop, sizeof(ntop), strport, sizeof(strport),
|
||||
NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
|
||||
error("getnameinfo failed");
|
||||
NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
|
||||
error("getnameinfo failed: %.100s",
|
||||
(ret != EAI_SYSTEM) ? gai_strerror(ret) :
|
||||
strerror(errno));
|
||||
continue;
|
||||
}
|
||||
/* Create socket for listening. */
|
||||
@ -1512,7 +1509,8 @@ main(int ac, char **av)
|
||||
sock_in = newsock;
|
||||
sock_out = newsock;
|
||||
log_init(__progname, options.log_level, options.log_facility, log_stderr);
|
||||
close(config_s[0]);
|
||||
if (rexec_flag)
|
||||
close(config_s[0]);
|
||||
break;
|
||||
}
|
||||
}
|
||||
@ -1648,6 +1646,9 @@ main(int ac, char **av)
|
||||
remote_port = get_remote_port();
|
||||
remote_ip = get_remote_ipaddr();
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
audit_connection_from(remote_ip, remote_port);
|
||||
#endif
|
||||
#ifdef LIBWRAP
|
||||
/* Check whether logins are denied from this host. */
|
||||
if (packet_connection_is_on_socket()) {
|
||||
@ -1684,23 +1685,22 @@ main(int ac, char **av)
|
||||
|
||||
packet_set_nonblocking();
|
||||
|
||||
/* prepare buffers to collect authentication messages */
|
||||
buffer_init(&loginmsg);
|
||||
|
||||
/* allocate authentication context */
|
||||
authctxt = xmalloc(sizeof(*authctxt));
|
||||
memset(authctxt, 0, sizeof(*authctxt));
|
||||
|
||||
authctxt->loginmsg = &loginmsg;
|
||||
|
||||
/* XXX global for cleanup, access from other modules */
|
||||
the_authctxt = authctxt;
|
||||
|
||||
/* prepare buffer to collect messages to display to user after login */
|
||||
buffer_init(&loginmsg);
|
||||
|
||||
if (use_privsep)
|
||||
if (privsep_preauth(authctxt) == 1)
|
||||
goto authenticated;
|
||||
|
||||
/* prepare buffer to collect messages to display to user after login */
|
||||
buffer_init(&loginmsg);
|
||||
|
||||
/* perform the key exchange */
|
||||
/* authenticate user and start session */
|
||||
if (compat20) {
|
||||
@ -1720,6 +1720,10 @@ main(int ac, char **av)
|
||||
}
|
||||
|
||||
authenticated:
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
audit_event(SSH_AUTH_SUCCESS);
|
||||
#endif
|
||||
|
||||
/*
|
||||
* In privilege separation, we fork another child and prepare
|
||||
* file descriptor passing.
|
||||
@ -1742,6 +1746,10 @@ main(int ac, char **av)
|
||||
finish_pam();
|
||||
#endif /* USE_PAM */
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
PRIVSEP(audit_event(SSH_CONNECTION_CLOSE));
|
||||
#endif
|
||||
|
||||
packet_close();
|
||||
|
||||
if (use_privsep)
|
||||
@ -2033,5 +2041,10 @@ cleanup_exit(int i)
|
||||
{
|
||||
if (the_authctxt)
|
||||
do_cleanup(the_authctxt);
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
/* done after do_cleanup so it can cancel the PAM auth 'thread' */
|
||||
if (!use_privsep || mm_is_monitor())
|
||||
audit_event(SSH_CONNECTION_ABANDON);
|
||||
#endif
|
||||
_exit(i);
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
|
||||
# $OpenBSD: sshd_config,v 1.70 2004/12/23 23:11:00 djm Exp $
|
||||
# $FreeBSD$
|
||||
|
||||
# This is the sshd server system-wide configuration file. See
|
||||
@ -14,10 +14,11 @@
|
||||
# Note that some of FreeBSD's defaults differ from OpenBSD's, and
|
||||
# FreeBSD has a few additional options.
|
||||
|
||||
#VersionAddendum FreeBSD-20041028
|
||||
#VersionAddendum FreeBSD-20050605
|
||||
|
||||
#Port 22
|
||||
#Protocol 2
|
||||
#AddressFamily any
|
||||
#ListenAddress 0.0.0.0
|
||||
#ListenAddress ::
|
||||
|
||||
|
@ -34,7 +34,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.35 2004/06/26 09:14:40 jmc Exp $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.40 2005/03/18 17:05:00 jmc Exp $
|
||||
.\" $FreeBSD$
|
||||
.Dd September 25, 1999
|
||||
.Dt SSHD_CONFIG 5
|
||||
@ -84,6 +84,17 @@ Be warned that some environment variables could be used to bypass restricted
|
||||
user environments.
|
||||
For this reason, care should be taken in the use of this directive.
|
||||
The default is not to accept any environment variables.
|
||||
.It Cm AddressFamily
|
||||
Specifies which address family should be used by
|
||||
.Nm sshd .
|
||||
Valid arguments are
|
||||
.Dq any ,
|
||||
.Dq inet
|
||||
(use IPv4 only) or
|
||||
.Dq inet6
|
||||
(use IPv6 only).
|
||||
The default is
|
||||
.Dq any .
|
||||
.It Cm AllowGroups
|
||||
This keyword can be followed by a list of group name patterns, separated
|
||||
by spaces.
|
||||
@ -253,12 +264,15 @@ This prevents other remote hosts from connecting to forwarded ports.
|
||||
.Cm GatewayPorts
|
||||
can be used to specify that
|
||||
.Nm sshd
|
||||
should bind remote port forwardings to the wildcard address,
|
||||
thus allowing remote hosts to connect to forwarded ports.
|
||||
The argument must be
|
||||
should allow remote port forwardings to bind to non-loopback addresses, thus
|
||||
allowing other hosts to connect.
|
||||
The argument may be
|
||||
.Dq no
|
||||
to force remote port forwardings to be available to the local host only,
|
||||
.Dq yes
|
||||
or
|
||||
.Dq no .
|
||||
to force remote port forwardings to bind to the wildcard address, or
|
||||
.Dq clientspecified
|
||||
to allow the client to select the address to which the forwarding is bound.
|
||||
The default is
|
||||
.Dq no .
|
||||
.It Cm GSSAPIAuthentication
|
||||
@ -476,7 +490,7 @@ server allows login to accounts with empty password strings.
|
||||
The default is
|
||||
.Dq no .
|
||||
.It Cm PermitRootLogin
|
||||
Specifies whether root can login using
|
||||
Specifies whether root can log in using
|
||||
.Xr ssh 1 .
|
||||
The argument must be
|
||||
.Dq yes ,
|
||||
@ -496,9 +510,7 @@ the root user may be allowed in with its password even if
|
||||
.Pp
|
||||
If this option is set to
|
||||
.Dq without-password
|
||||
password authentication is disabled for root. Note that other authentication
|
||||
methods (e.g., keyboard-interactive/PAM) may still allow root to login using
|
||||
a password.
|
||||
password authentication is disabled for root.
|
||||
.Pp
|
||||
If this option is set to
|
||||
.Dq forced-commands-only
|
||||
@ -512,7 +524,7 @@ All other authentication methods are disabled for root.
|
||||
.Pp
|
||||
If this option is set to
|
||||
.Dq no
|
||||
root is not allowed to login.
|
||||
root is not allowed to log in.
|
||||
.It Cm PermitUserEnvironment
|
||||
Specifies whether
|
||||
.Pa ~/.ssh/environment
|
||||
@ -544,7 +556,8 @@ See also
|
||||
.It Cm PrintLastLog
|
||||
Specifies whether
|
||||
.Nm sshd
|
||||
should print the date and time when the user last logged in.
|
||||
should print the date and time of the last user login when a user logs
|
||||
in interactively.
|
||||
The default is
|
||||
.Dq yes .
|
||||
.It Cm PrintMotd
|
||||
@ -647,7 +660,7 @@ To disable TCP keepalive messages, the value should be set to
|
||||
.It Cm UseDNS
|
||||
Specifies whether
|
||||
.Nm sshd
|
||||
should lookup the remote host name and check that
|
||||
should look up the remote host name and check that
|
||||
the resolved host name for the remote IP address maps back to the
|
||||
very same IP address.
|
||||
The default is
|
||||
@ -707,7 +720,7 @@ The default is
|
||||
Specifies a string to append to the regular version string to identify
|
||||
OS- or site-specific modifications.
|
||||
The default is
|
||||
.Dq FreeBSD-20041028 .
|
||||
.Dq FreeBSD-20050605 .
|
||||
.It Cm X11DisplayOffset
|
||||
Specifies the first display number available for
|
||||
.Nm sshd Ns 's
|
||||
|
@ -1,10 +1,11 @@
|
||||
/* $OpenBSD: version.h,v 1.42 2004/08/16 08:17:01 markus Exp $ */
|
||||
/* $OpenBSD: version.h,v 1.44 2005/03/16 21:17:39 markus Exp $ */
|
||||
/* $FreeBSD$ */
|
||||
|
||||
#ifndef SSH_VERSION
|
||||
|
||||
#define SSH_VERSION (ssh_version_get())
|
||||
#define SSH_VERSION_BASE "OpenSSH_3.9p1"
|
||||
#define SSH_RELEASE (ssh_version_get())
|
||||
#define SSH_VERSION_BASE "OpenSSH_4.1p1"
|
||||
#define SSH_VERSION_ADDENDUM "FreeBSD-20041028"
|
||||
|
||||
const char *ssh_version_get(void);
|
||||
|
Loading…
x
Reference in New Issue
Block a user