19261079b7
Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
96 lines
3.9 KiB
C
96 lines
3.9 KiB
C
/* $OpenBSD: monitor.h,v 1.23 2019/01/19 21:43:56 djm Exp $ */
|
|
|
|
/*
|
|
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
#ifndef _MONITOR_H_
|
|
#define _MONITOR_H_
|
|
|
|
/* Please keep *_REQ_* values on even numbers and *_ANS_* on odd numbers */
|
|
enum monitor_reqtype {
|
|
MONITOR_REQ_MODULI = 0, MONITOR_ANS_MODULI = 1,
|
|
MONITOR_REQ_FREE = 2,
|
|
MONITOR_REQ_AUTHSERV = 4,
|
|
MONITOR_REQ_SIGN = 6, MONITOR_ANS_SIGN = 7,
|
|
MONITOR_REQ_PWNAM = 8, MONITOR_ANS_PWNAM = 9,
|
|
MONITOR_REQ_AUTH2_READ_BANNER = 10, MONITOR_ANS_AUTH2_READ_BANNER = 11,
|
|
MONITOR_REQ_AUTHPASSWORD = 12, MONITOR_ANS_AUTHPASSWORD = 13,
|
|
MONITOR_REQ_BSDAUTHQUERY = 14, MONITOR_ANS_BSDAUTHQUERY = 15,
|
|
MONITOR_REQ_BSDAUTHRESPOND = 16, MONITOR_ANS_BSDAUTHRESPOND = 17,
|
|
MONITOR_REQ_KEYALLOWED = 22, MONITOR_ANS_KEYALLOWED = 23,
|
|
MONITOR_REQ_KEYVERIFY = 24, MONITOR_ANS_KEYVERIFY = 25,
|
|
MONITOR_REQ_KEYEXPORT = 26,
|
|
MONITOR_REQ_PTY = 28, MONITOR_ANS_PTY = 29,
|
|
MONITOR_REQ_PTYCLEANUP = 30,
|
|
MONITOR_REQ_SESSKEY = 32, MONITOR_ANS_SESSKEY = 33,
|
|
MONITOR_REQ_SESSID = 34,
|
|
MONITOR_REQ_RSAKEYALLOWED = 36, MONITOR_ANS_RSAKEYALLOWED = 37,
|
|
MONITOR_REQ_RSACHALLENGE = 38, MONITOR_ANS_RSACHALLENGE = 39,
|
|
MONITOR_REQ_RSARESPONSE = 40, MONITOR_ANS_RSARESPONSE = 41,
|
|
MONITOR_REQ_GSSSETUP = 42, MONITOR_ANS_GSSSETUP = 43,
|
|
MONITOR_REQ_GSSSTEP = 44, MONITOR_ANS_GSSSTEP = 45,
|
|
MONITOR_REQ_GSSUSEROK = 46, MONITOR_ANS_GSSUSEROK = 47,
|
|
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
|
|
MONITOR_REQ_TERM = 50,
|
|
|
|
MONITOR_REQ_PAM_START = 100,
|
|
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
|
|
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
|
|
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
|
|
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
|
|
MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
|
|
MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
|
|
|
|
};
|
|
|
|
struct ssh;
|
|
|
|
struct monitor {
|
|
int m_recvfd;
|
|
int m_sendfd;
|
|
int m_log_recvfd;
|
|
int m_log_sendfd;
|
|
struct kex **m_pkex;
|
|
pid_t m_pid;
|
|
};
|
|
|
|
struct monitor *monitor_init(void);
|
|
void monitor_reinit(struct monitor *);
|
|
|
|
struct Authctxt;
|
|
void monitor_child_preauth(struct ssh *, struct monitor *);
|
|
void monitor_child_postauth(struct ssh *, struct monitor *);
|
|
|
|
void monitor_clear_keystate(struct ssh *, struct monitor *);
|
|
void monitor_apply_keystate(struct ssh *, struct monitor *);
|
|
|
|
/* Prototypes for request sending and receiving */
|
|
void mm_request_send(int, enum monitor_reqtype, struct sshbuf *);
|
|
void mm_request_receive(int, struct sshbuf *);
|
|
void mm_request_receive_expect(int, enum monitor_reqtype, struct sshbuf *);
|
|
void mm_get_keystate(struct ssh *, struct monitor *);
|
|
|
|
#endif /* _MONITOR_H_ */
|