From 6ad9628ae7c05cda38c44d43df1dbdd8bb22e5fa Mon Sep 17 00:00:00 2001 From: christos Date: Sat, 10 Mar 2007 22:35:27 +0000 Subject: [PATCH] import v4.6 --- crypto/dist/ssh/auth-rsa.c | 12 ++-- crypto/dist/ssh/auth-skey.c | 8 +-- crypto/dist/ssh/auth2-chall.c | 6 +- crypto/dist/ssh/auth2.c | 8 +-- crypto/dist/ssh/bufbn.c | 20 ++++--- crypto/dist/ssh/channels.c | 23 +++++--- crypto/dist/ssh/clientloop.c | 24 +++++--- crypto/dist/ssh/compat.c | 7 ++- crypto/dist/ssh/compat.h | 5 +- crypto/dist/ssh/dh.c | 4 +- crypto/dist/ssh/dns.c | 6 +- crypto/dist/ssh/kex.c | 6 +- crypto/dist/ssh/kexdhc.c | 13 +++-- crypto/dist/ssh/kexdhs.c | 14 +++-- crypto/dist/ssh/kexgexc.c | 13 +++-- crypto/dist/ssh/kexgexs.c | 14 +++-- crypto/dist/ssh/key.c | 18 +++--- crypto/dist/ssh/misc.c | 6 +- crypto/dist/ssh/moduli.c | 60 +++++++++++-------- crypto/dist/ssh/monitor.c | 13 +++-- crypto/dist/ssh/monitor_wrap.c | 23 ++++++-- crypto/dist/ssh/packet.c | 7 ++- crypto/dist/ssh/readconf.c | 10 ++-- crypto/dist/ssh/rsa.c | 20 ++++--- crypto/dist/ssh/scard.c | 14 +++-- crypto/dist/ssh/scp.c | 6 +- crypto/dist/ssh/servconf.c | 102 +++++++++++++++++++++------------ crypto/dist/ssh/servconf.h | 6 +- crypto/dist/ssh/serverloop.c | 10 ++-- crypto/dist/ssh/session.c | 10 ++-- crypto/dist/ssh/sftp-client.c | 7 ++- crypto/dist/ssh/sftp-server.c | 6 +- crypto/dist/ssh/sftp.c | 17 +++--- crypto/dist/ssh/ssh-agent.c | 28 +++++---- crypto/dist/ssh/ssh-dss.c | 9 +-- crypto/dist/ssh/ssh-keygen.1 | 19 +++--- crypto/dist/ssh/ssh-keygen.c | 34 +++++------ crypto/dist/ssh/ssh-keyscan.1 | 6 +- crypto/dist/ssh/ssh-keyscan.c | 6 +- crypto/dist/ssh/ssh.1 | 29 +++++++--- crypto/dist/ssh/ssh.c | 7 ++- crypto/dist/ssh/ssh_config.5 | 10 ++-- crypto/dist/ssh/sshconnect.c | 13 ++--- crypto/dist/ssh/sshconnect1.c | 24 +++++--- crypto/dist/ssh/sshd.c | 9 +-- crypto/dist/ssh/sshd_config.5 | 15 +++-- crypto/dist/ssh/version.h | 6 +- 47 files changed, 435 insertions(+), 298 deletions(-) 
diff --git a/crypto/dist/ssh/auth-rsa.c b/crypto/dist/ssh/auth-rsa.c index 0ad3d70818d8..d8c7893018aa 100644 --- a/crypto/dist/ssh/auth-rsa.c +++ b/crypto/dist/ssh/auth-rsa.c @@ -1,5 +1,5 @@ -/* $NetBSD: auth-rsa.c,v 1.1.1.15 2006/09/28 21:14:58 christos Exp $ */ -/* $OpenBSD: auth-rsa.c,v 1.71 2006/08/03 03:34:41 deraadt Exp $ */ +/* $NetBSD: auth-rsa.c,v 1.1.1.16 2007/03/10 22:35:27 christos Exp $ */ +/* $OpenBSD: auth-rsa.c,v 1.72 2006/11/06 21:25:27 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -74,10 +74,12 @@ auth_rsa_generate_challenge(Key *key) if ((challenge = BN_new()) == NULL) fatal("auth_rsa_generate_challenge: BN_new() failed"); /* Generate a random challenge. */ - BN_rand(challenge, 256, 0, 0); + if (BN_rand(challenge, 256, 0, 0) == 0) + fatal("auth_rsa_generate_challenge: BN_rand failed"); if ((ctx = BN_CTX_new()) == NULL) - fatal("auth_rsa_generate_challenge: BN_CTX_new() failed"); - BN_mod(challenge, challenge, key->rsa->n, ctx); + fatal("auth_rsa_generate_challenge: BN_CTX_new failed"); + if (BN_mod(challenge, challenge, key->rsa->n, ctx) == 0) + fatal("auth_rsa_generate_challenge: BN_mod failed"); BN_CTX_free(ctx); return challenge; diff --git a/crypto/dist/ssh/auth-skey.c b/crypto/dist/ssh/auth-skey.c index d3c1abbfd45b..41d6d6468219 100644 --- a/crypto/dist/ssh/auth-skey.c +++ b/crypto/dist/ssh/auth-skey.c @@ -1,5 +1,5 @@ -/* $NetBSD: auth-skey.c,v 1.1.1.8 2006/09/28 21:14:59 christos Exp $ */ -/* $OpenBSD: auth-skey.c,v 1.26 2006/08/05 08:28:24 dtucker Exp $ */ +/* $NetBSD: auth-skey.c,v 1.1.1.9 2007/03/10 22:35:28 christos Exp $ */ +/* $OpenBSD: auth-skey.c,v 1.27 2007/01/21 01:41:54 stevesk Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * 
@@ -56,8 +56,8 @@ skey_query(void *ctx, char **name, char **infotxt, if (skeychallenge(&skey, authctxt->user, challenge) == -1) return -1; - *name = xstrdup(""); - *infotxt = xstrdup(""); + *name = xstrdup(""); + *infotxt = xstrdup(""); *numprompts = 1; *prompts = xcalloc(*numprompts, sizeof(char *)); *echo_on = xcalloc(*numprompts, sizeof(u_int)); diff --git a/crypto/dist/ssh/auth2-chall.c b/crypto/dist/ssh/auth2-chall.c index f2a1083204d1..a6078442a4bd 100644 --- a/crypto/dist/ssh/auth2-chall.c +++ b/crypto/dist/ssh/auth2-chall.c @@ -1,5 +1,5 @@ -/* $NetBSD: auth2-chall.c,v 1.1.1.14 2006/09/28 21:15:00 christos Exp $ */ -/* $OpenBSD: auth2-chall.c,v 1.31 2006/08/05 08:28:24 dtucker Exp $ */ +/* $NetBSD: auth2-chall.c,v 1.1.1.15 2007/03/10 22:35:28 christos Exp $ */ +/* $OpenBSD: auth2-chall.c,v 1.32 2007/01/03 03:01:40 stevesk Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Per Allansson. All rights reserved. @@ -174,7 +174,7 @@ auth2_challenge_stop(Authctxt *authctxt) { /* unregister callback */ dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL); - if (authctxt->kbdintctxt != NULL) { + if (authctxt->kbdintctxt != NULL) { kbdint_free(authctxt->kbdintctxt); authctxt->kbdintctxt = NULL; } diff --git a/crypto/dist/ssh/auth2.c b/crypto/dist/ssh/auth2.c index 9ad256efa9ac..3ddbdb2035bf 100644 --- a/crypto/dist/ssh/auth2.c +++ b/crypto/dist/ssh/auth2.c @@ -1,5 +1,5 @@ -/* $NetBSD: auth2.c,v 1.1.1.21 2006/09/28 21:14:57 christos Exp $ */ -/* $OpenBSD: auth2.c,v 1.113 2006/08/03 03:34:41 deraadt Exp $ */ +/* $NetBSD: auth2.c,v 1.1.1.22 2007/03/10 22:35:29 christos Exp $ */ +/* $OpenBSD: auth2.c,v 1.114 2007/03/01 10:28:02 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * 
@@ -93,10 +93,6 @@ int user_key_allowed(struct passwd *, Key *); void do_authentication2(Authctxt *authctxt) { - /* challenge-response is implemented via keyboard interactive */ - if (options.challenge_response_authentication) - options.kbd_interactive_authentication = 1; - dispatch_init(&dispatch_protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); diff --git a/crypto/dist/ssh/bufbn.c b/crypto/dist/ssh/bufbn.c index df9574b4c049..7466d2f1b5f6 100644 --- a/crypto/dist/ssh/bufbn.c +++ b/crypto/dist/ssh/bufbn.c @@ -1,5 +1,5 @@ -/* $NetBSD: bufbn.c,v 1.1.1.1 2006/09/28 21:15:01 christos Exp $ */ -/* $OpenBSD: bufbn.c,v 1.3 2006/08/03 03:34:41 deraadt Exp $*/ +/* $NetBSD: bufbn.c,v 1.1.1.2 2007/03/10 22:35:30 christos Exp $ */ +/* $OpenBSD: bufbn.c,v 1.5 2007/02/14 14:32:00 stevesk Exp $*/ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -92,7 +92,7 @@ buffer_put_bignum(Buffer *buffer, const BIGNUM *value) } /* - * Retrieves an BIGNUM from the buffer. + * Retrieves a BIGNUM from the buffer. */ int buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value) @@ -100,7 +100,7 @@ buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value) u_int bits, bytes; u_char buf[2], *bin; - /* Get the number for bits. */ + /* Get the number of bits. */ if (buffer_get_ret(buffer, (char *) buf, 2) == -1) { error("buffer_get_bignum_ret: invalid length"); return (-1); @@ -117,7 +117,10 @@ buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value) return (-1); } bin = buffer_ptr(buffer); - BN_bin2bn(bin, bytes, value); + if (BN_bin2bn(bin, bytes, value) == NULL) { + error("buffer_get_bignum_ret: BN_bin2bn failed"); + return (-1); + } if (buffer_consume_ret(buffer, bytes) == -1) { error("buffer_get_bignum_ret: buffer_consume failed"); return (-1); 
@@ -133,7 +136,7 @@ buffer_get_bignum(Buffer *buffer, BIGNUM *value) } /* - * Stores an BIGNUM in the buffer in SSH2 format. + * Stores a BIGNUM in the buffer in SSH2 format. */ int buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value) @@ -201,7 +204,10 @@ buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value) xfree(bin); return (-1); } - BN_bin2bn(bin, len, value); + if (BN_bin2bn(bin, len, value) == NULL) { + error("buffer_get_bignum2_ret: BN_bin2bn failed"); + return (-1); + } xfree(bin); return (0); } diff --git a/crypto/dist/ssh/channels.c b/crypto/dist/ssh/channels.c index c58e65946da1..09689df583e3 100644 --- a/crypto/dist/ssh/channels.c +++ b/crypto/dist/ssh/channels.c @@ -1,5 +1,5 @@ -/* $NetBSD: channels.c,v 1.1.1.23 2006/09/28 21:15:04 christos Exp $ */ -/* $OpenBSD: channels.c,v 1.266 2006/08/29 10:40:18 djm Exp $ */ +/* $NetBSD: channels.c,v 1.1.1.24 2007/03/10 22:35:33 christos Exp $ */ +/* $OpenBSD: channels.c,v 1.268 2007/01/03 03:01:40 stevesk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1048,7 +1048,7 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) if (have < nmethods + 2) return 0; /* look for method: "NO AUTHENTICATION REQUIRED" */ - for (found = 0, i = 2 ; i < nmethods + 2; i++) { + for (found = 0, i = 2; i < nmethods + 2; i++) { if (p[i] == SSH_SOCKS5_NOAUTH) { found = 1; break; 
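Review bot: The new BN_bin2bn failure branch in buffer_get_bignum2_ret (bufbn.c, hunk at -201) returns without releasing `bin`, although the error branch just above it and the success path both call `xfree(bin)`. Add `xfree(bin);` before the new `return (-1);` so a failed conversion does not leak the allocation. The matching check added to buffer_get_bignum_ret needs no free, because `bin` there comes from `buffer_ptr(buffer)`. The function starts outside the hunk.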
@@ -2506,11 +2506,18 @@ channel_request_remote_forwarding(const char *listen_host, u_short listen_port, /* Send the forward request to the remote side. */ if (compat20) { const char *address_to_bind; - if (listen_host == NULL) - address_to_bind = "localhost"; - else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) - address_to_bind = ""; - else + if (listen_host == NULL) { + if (datafellows & SSH_BUG_RFWD_ADDR) + address_to_bind = "127.0.0.1"; + else + address_to_bind = "localhost"; + } else if (*listen_host == '\0' || + strcmp(listen_host, "*") == 0) { + if (datafellows & SSH_BUG_RFWD_ADDR) + address_to_bind = "0.0.0.0"; + else + address_to_bind = ""; + } else address_to_bind = listen_host; packet_start(SSH2_MSG_GLOBAL_REQUEST); diff --git a/crypto/dist/ssh/clientloop.c b/crypto/dist/ssh/clientloop.c index 36f12b797947..63a1e4402872 100644 --- a/crypto/dist/ssh/clientloop.c +++ b/crypto/dist/ssh/clientloop.c @@ -1,5 +1,5 @@ -/* $NetBSD: clientloop.c,v 1.1.1.23 2006/09/28 21:15:06 christos Exp $ */ -/* $OpenBSD: clientloop.c,v 1.175 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: clientloop.c,v 1.1.1.24 2007/03/10 22:35:35 christos Exp $ */ +/* $OpenBSD: clientloop.c,v 1.178 2007/02/20 10:25:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -457,8 +457,10 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt) static void server_alive_check(void) { - if (++server_alive_timeouts > options.server_alive_count_max) - packet_disconnect("Timeout, server not responding."); + if (++server_alive_timeouts > options.server_alive_count_max) { + logit("Timeout, server not responding."); + cleanup_exit(255); + } packet_start(SSH2_MSG_GLOBAL_REQUEST); packet_put_cstring("keepalive@openssh.com"); packet_put_char(1); /* boolean: want reply */ 
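Review bot: The new SSH_BUG_RFWD_ADDR branches in channel_request_remote_forwarding change which bind address is requested from the peer but carry no comment. A reader cannot tell that a flagged peer is asked for IPv4-only binds (`"127.0.0.1"` instead of `"localhost"`, `"0.0.0.0"` instead of `""`). A comment above the block such as `/* SSH_BUG_RFWD_ADDR peers are sent numeric IPv4 addresses in place of "localhost" and "" */` would record that. The reason these peers need it is not visible in this hunk and should be stated by the author. The function begins and ends outside the hunk.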
@@ -698,7 +700,7 @@ client_process_control(fd_set *readset) { Buffer m; Channel *c; - int client_fd, new_fd[3], ver, allowed; + int client_fd, new_fd[3], ver, allowed, window, packetmax; socklen_t addrlen; struct sockaddr_storage addr; struct confirm_ctx *cctx; @@ -891,9 +893,15 @@ client_process_control(fd_set *readset) set_nonblock(client_fd); + window = CHAN_SES_WINDOW_DEFAULT; + packetmax = CHAN_SES_PACKET_DEFAULT; + if (cctx->want_tty) { + window >>= 1; + packetmax >>= 1; + } + c = channel_new("session", SSH_CHANNEL_OPENING, - new_fd[0], new_fd[1], new_fd[2], - CHAN_SES_WINDOW_DEFAULT, CHAN_SES_PACKET_DEFAULT, + new_fd[0], new_fd[1], new_fd[2], window, packetmax, CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0); /* XXX */ @@ -1748,7 +1756,7 @@ client_request_agent(const char *request_type, int rchan) error("Warning: this is probably a break-in attempt by a malicious server."); return NULL; } - sock = ssh_get_authentication_socket(); + sock = ssh_get_authentication_socket(); if (sock < 0) return NULL; c = channel_new("authentication agent connection", diff --git a/crypto/dist/ssh/compat.c b/crypto/dist/ssh/compat.c index d583d77e9731..cb0e44e9a7b5 100644 --- a/crypto/dist/ssh/compat.c +++ b/crypto/dist/ssh/compat.c @@ -1,5 +1,5 @@ -/* $NetBSD: compat.c,v 1.1.1.16 2006/09/28 21:15:06 christos Exp $ */ -/* $OpenBSD: compat.c,v 1.76 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: compat.c,v 1.1.1.17 2007/03/10 22:35:35 christos Exp $ */ +/* $OpenBSD: compat.c,v 1.77 2006/12/12 03:58:42 djm Exp $ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * 
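Review bot: The block in client_process_control that halves `window` and `packetmax` when `cctx->want_tty` is set has no comment, and the reason for shrinking the session window for tty requests cannot be read from the code. Add a line above it such as `/* tty sessions use half the default window and packet size */`, together with the rationale. The function starts and ends outside the hunk.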
@@ -132,7 +132,8 @@ compat_datafellows(const char *version) { "2.3.*", SSH_BUG_DEBUG|SSH_BUG_RSASIGMD5| SSH_BUG_FIRSTKEX }, { "2.4", SSH_OLD_SESSIONID }, /* Van Dyke */ - { "2.*", SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX }, + { "2.*", SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX| + SSH_BUG_RFWD_ADDR }, { "3.0.*", SSH_BUG_DEBUG }, { "3.0 SecureCRT*", SSH_OLD_SESSIONID }, { "1.7 SecureFX*", SSH_OLD_SESSIONID }, diff --git a/crypto/dist/ssh/compat.h b/crypto/dist/ssh/compat.h index f8d3416991d9..2ea216fc741e 100644 --- a/crypto/dist/ssh/compat.h +++ b/crypto/dist/ssh/compat.h @@ -1,5 +1,5 @@ -/* $NetBSD: compat.h,v 1.1.1.15 2006/09/28 21:15:06 christos Exp $ */ -/* $OpenBSD: compat.h,v 1.40 2006/03/25 22:22:43 djm Exp $ */ +/* $NetBSD: compat.h,v 1.1.1.16 2007/03/10 22:35:35 christos Exp $ */ +/* $OpenBSD: compat.h,v 1.41 2006/12/12 03:58:42 djm Exp $ */ /* * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved. @@ -57,6 +57,7 @@ #define SSH_BUG_PROBE 0x00400000 #define SSH_BUG_FIRSTKEX 0x00800000 #define SSH_OLD_FORWARD_ADDR 0x01000000 +#define SSH_BUG_RFWD_ADDR 0x02000000 void enable_compat13(void); void enable_compat20(void); diff --git a/crypto/dist/ssh/dh.c b/crypto/dist/ssh/dh.c index a96d82fc2f18..3490ad841407 100644 --- a/crypto/dist/ssh/dh.c +++ b/crypto/dist/ssh/dh.c @@ -1,5 +1,5 @@ -/* $NetBSD: dh.c,v 1.1.1.11 2006/09/28 21:15:07 christos Exp $ */ -/* $OpenBSD: dh.c,v 1.42 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: dh.c,v 1.1.1.12 2007/03/10 22:35:35 christos Exp $ */ +/* $OpenBSD: dh.c,v 1.44 2006/11/07 13:02:07 markus Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * diff --git a/crypto/dist/ssh/dns.c b/crypto/dist/ssh/dns.c index 11ec02bd4cf4..7bec82ef6548 100644 --- a/crypto/dist/ssh/dns.c +++ b/crypto/dist/ssh/dns.c 
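Review bot: SSH_BUG_RFWD_ADDR is added only to the catch-all `"2.*"` entry in compat_datafellows, while the more specific `"2.3.*"` and `"2.4"` entries just above it are left without the flag. If the table is matched first-hit (the matching loop is outside this hunk), peers that hit those earlier patterns never get the remote-forward workaround that channels.c now applies. If they share the behaviour, add the flag there too, e.g. `SSH_BUG_FIRSTKEX|SSH_BUG_RFWD_ADDR` on the `"2.3.*"` entry; otherwise a comment naming the versions that were confirmed would help. The new `#define SSH_BUG_RFWD_ADDR` in compat.h also has no comment describing the peer bug it marks.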
@@ -1,5 +1,5 @@ -/* $NetBSD: dns.c,v 1.1.1.3 2006/09/28 21:15:07 christos Exp $ */ -/* $OpenBSD: dns.c,v 1.23 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: dns.c,v 1.1.1.4 2007/03/10 22:35:35 christos Exp $ */ +/* $OpenBSD: dns.c,v 1.24 2007/01/03 03:01:40 stevesk Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -215,7 +215,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, if (fingerprints->rri_nrdatas) *flags |= DNS_VERIFY_FOUND; - for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) { + for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) { /* * Extract the key from the answer. Ignore any badly * formatted fingerprints. diff --git a/crypto/dist/ssh/kex.c b/crypto/dist/ssh/kex.c index 07a76a340c60..a978af6c9011 100644 --- a/crypto/dist/ssh/kex.c +++ b/crypto/dist/ssh/kex.c @@ -1,5 +1,5 @@ -/* $NetBSD: kex.c,v 1.1.1.18 2006/09/28 21:15:09 christos Exp $ */ -/* $OpenBSD: kex.c,v 1.76 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: kex.c,v 1.1.1.19 2007/03/10 22:35:28 christos Exp $ */ +/* $OpenBSD: kex.c,v 1.77 2007/01/21 01:41:54 stevesk Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -542,7 +542,7 @@ dump_digest(char *msg, u_char *digest, int len) u_int i; fprintf(stderr, "%s\n", msg); - for (i = 0; i< len; i++) { + for (i = 0; i < len; i++) { fprintf(stderr, "%02x", digest[i]); if (i%32 == 31) fprintf(stderr, "\n"); diff --git a/crypto/dist/ssh/kexdhc.c b/crypto/dist/ssh/kexdhc.c index 68f70921a0bb..b401004c73fd 100644 --- a/crypto/dist/ssh/kexdhc.c +++ b/crypto/dist/ssh/kexdhc.c @@ -1,5 +1,5 @@ -/* $NetBSD: kexdhc.c,v 1.1.1.4 2006/09/28 21:15:09 christos Exp $ */ -/* $OpenBSD: kexdhc.c,v 1.9 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: kexdhc.c,v 1.1.1.5 2007/03/10 22:35:37 christos Exp $ */ +/* $OpenBSD: kexdhc.c,v 1.11 2006/11/06 21:25:28 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * 
@@ -48,7 +48,8 @@ kexdh_client(Kex *kex) Key *server_host_key; u_char *server_host_key_blob = NULL, *signature = NULL; u_char *kbuf, *hash; - u_int klen, kout, slen, sbloblen, hashlen; + u_int klen, slen, sbloblen, hashlen; + int kout; /* generate and send 'e', client DH public key */ switch (kex->kex_type) { @@ -110,13 +111,15 @@ kexdh_client(Kex *kex) klen = DH_size(dh); kbuf = xmalloc(klen); - kout = DH_compute_key(kbuf, dh_server_pub, dh); + if ((kout = DH_compute_key(kbuf, dh_server_pub, dh)) < 0) + fatal("DH_compute_key: failed"); #ifdef DEBUG_KEXDH dump_digest("shared secret", kbuf, kout); #endif if ((shared_secret = BN_new()) == NULL) fatal("kexdh_client: BN_new failed"); - BN_bin2bn(kbuf, kout, shared_secret); + if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) + fatal("kexdh_client: BN_bin2bn failed"); memset(kbuf, 0, klen); xfree(kbuf); diff --git a/crypto/dist/ssh/kexdhs.c b/crypto/dist/ssh/kexdhs.c index 622eaa4d3742..680feca6841a 100644 --- a/crypto/dist/ssh/kexdhs.c +++ b/crypto/dist/ssh/kexdhs.c @@ -1,5 +1,5 @@ -/* $NetBSD: kexdhs.c,v 1.1.1.4 2006/09/28 21:15:09 christos Exp $ */ -/* $OpenBSD: kexdhs.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: kexdhs.c,v 1.1.1.5 2007/03/10 22:35:37 christos Exp $ */ +/* $OpenBSD: kexdhs.c,v 1.9 2006/11/06 21:25:28 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -50,8 +50,8 @@ kexdh_server(Kex *kex) DH *dh; Key *server_host_key; u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL; - u_int sbloblen, klen, kout, hashlen; - u_int slen; + u_int sbloblen, klen, hashlen, slen; + int kout; /* generate server DH public key */ switch (kex->kex_type) { 
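Review bot: The new failure message `"DH_compute_key: failed"` in kexdh_client does not name the calling function, unlike the neighbouring `"kexdh_client: BN_new failed"` and the added `"kexdh_client: BN_bin2bn failed"`. The identical string is added in kexdh_server, kexgex_client and kexgex_server, so a log line cannot tell which side or which exchange method failed. Prefer `fatal("kexdh_client: DH_compute_key failed");` here and the matching prefix in the other three hunks. The function body extends beyond the hunk.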
@@ -99,13 +99,15 @@ kexdh_server(Kex *kex) klen = DH_size(dh); kbuf = xmalloc(klen); - kout = DH_compute_key(kbuf, dh_client_pub, dh); + if ((kout = DH_compute_key(kbuf, dh_client_pub, dh)) < 0) + fatal("DH_compute_key: failed"); #ifdef DEBUG_KEXDH dump_digest("shared secret", kbuf, kout); #endif if ((shared_secret = BN_new()) == NULL) fatal("kexdh_server: BN_new failed"); - BN_bin2bn(kbuf, kout, shared_secret); + if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) + fatal("kexdh_server: BN_bin2bn failed"); memset(kbuf, 0, klen); xfree(kbuf); diff --git a/crypto/dist/ssh/kexgexc.c b/crypto/dist/ssh/kexgexc.c index 9def8924db83..79c607ca68ca 100644 --- a/crypto/dist/ssh/kexgexc.c +++ b/crypto/dist/ssh/kexgexc.c @@ -1,5 +1,5 @@ -/* $NetBSD: kexgexc.c,v 1.1.1.4 2006/09/28 21:15:09 christos Exp $ */ -/* $OpenBSD: kexgexc.c,v 1.9 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: kexgexc.c,v 1.1.1.5 2007/03/10 22:35:37 christos Exp $ */ +/* $OpenBSD: kexgexc.c,v 1.11 2006/11/06 21:25:28 markus Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -49,7 +49,8 @@ kexgex_client(Kex *kex) BIGNUM *p = NULL, *g = NULL; Key *server_host_key; u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL; - u_int klen, kout, slen, sbloblen, hashlen; + u_int klen, slen, sbloblen, hashlen; + int kout; int min, max, nbits; DH *dh; @@ -148,13 +149,15 @@ kexgex_client(Kex *kex) klen = DH_size(dh); kbuf = xmalloc(klen); - kout = DH_compute_key(kbuf, dh_server_pub, dh); + if ((kout = DH_compute_key(kbuf, dh_server_pub, dh)) < 0) + fatal("DH_compute_key: failed"); #ifdef DEBUG_KEXDH dump_digest("shared secret", kbuf, kout); #endif if ((shared_secret = BN_new()) == NULL) fatal("kexgex_client: BN_new failed"); - BN_bin2bn(kbuf, kout, shared_secret); + if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) + fatal("kexgex_client: BN_bin2bn failed"); memset(kbuf, 0, klen); xfree(kbuf); 
diff --git a/crypto/dist/ssh/kexgexs.c b/crypto/dist/ssh/kexgexs.c index 86b445a2d22a..0c2c7f31ff86 100644 --- a/crypto/dist/ssh/kexgexs.c +++ b/crypto/dist/ssh/kexgexs.c @@ -1,5 +1,5 @@ -/* $NetBSD: kexgexs.c,v 1.1.1.3 2006/09/28 21:15:09 christos Exp $ */ -/* $OpenBSD: kexgexs.c,v 1.8 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: kexgexs.c,v 1.1.1.4 2007/03/10 22:35:38 christos Exp $ */ +/* $OpenBSD: kexgexs.c,v 1.10 2006/11/06 21:25:28 markus Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -53,8 +53,8 @@ kexgex_server(Kex *kex) Key *server_host_key; DH *dh; u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL; - u_int sbloblen, klen, kout, slen, hashlen; - int min = -1, max = -1, nbits = -1, type; + u_int sbloblen, klen, slen, hashlen; + int min = -1, max = -1, nbits = -1, type, kout; if (kex->load_host_key == NULL) fatal("Cannot load hostkey"); @@ -132,13 +132,15 @@ kexgex_server(Kex *kex) klen = DH_size(dh); kbuf = xmalloc(klen); - kout = DH_compute_key(kbuf, dh_client_pub, dh); + if ((kout = DH_compute_key(kbuf, dh_client_pub, dh)) < 0) + fatal("DH_compute_key: failed"); #ifdef DEBUG_KEXDH dump_digest("shared secret", kbuf, kout); #endif if ((shared_secret = BN_new()) == NULL) fatal("kexgex_server: BN_new failed"); - BN_bin2bn(kbuf, kout, shared_secret); + if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) + fatal("kexgex_server: BN_bin2bn failed"); memset(kbuf, 0, klen); xfree(kbuf); diff --git a/crypto/dist/ssh/key.c b/crypto/dist/ssh/key.c index 707da889b6fa..d5ea3dd9f714 100644 --- a/crypto/dist/ssh/key.c +++ b/crypto/dist/ssh/key.c 
@@ -1,5 +1,5 @@ -/* $NetBSD: key.c,v 1.1.1.20 2006/09/28 21:15:09 christos Exp $ */ -/* $OpenBSD: key.c,v 1.67 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: key.c,v 1.1.1.21 2007/03/10 22:35:38 christos Exp $ */ +/* $OpenBSD: key.c,v 1.68 2006/11/06 21:25:28 markus Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -615,16 +615,18 @@ key_from_private(const Key *k) switch (k->type) { case KEY_DSA: n = key_new(k->type); - BN_copy(n->dsa->p, k->dsa->p); - BN_copy(n->dsa->q, k->dsa->q); - BN_copy(n->dsa->g, k->dsa->g); - BN_copy(n->dsa->pub_key, k->dsa->pub_key); + if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || + (BN_copy(n->dsa->q, k->dsa->q) == NULL) || + (BN_copy(n->dsa->g, k->dsa->g) == NULL) || + (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) + fatal("key_from_private: BN_copy failed"); break; case KEY_RSA: case KEY_RSA1: n = key_new(k->type); - BN_copy(n->rsa->n, k->rsa->n); - BN_copy(n->rsa->e, k->rsa->e); + if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || + (BN_copy(n->rsa->e, k->rsa->e) == NULL)) + fatal("key_from_private: BN_copy failed"); break; default: fatal("key_from_private: unknown type %d", k->type); diff --git a/crypto/dist/ssh/misc.c b/crypto/dist/ssh/misc.c index b98d20644def..4f6263b9a57c 100644 --- a/crypto/dist/ssh/misc.c +++ b/crypto/dist/ssh/misc.c @@ -1,5 +1,5 @@ -/* $NetBSD: misc.c,v 1.1.1.13 2006/09/28 21:15:10 christos Exp $ */ -/* $OpenBSD: misc.c,v 1.64 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: misc.c,v 1.1.1.14 2007/03/10 22:35:39 christos Exp $ */ +/* $OpenBSD: misc.c,v 1.65 2006/11/23 01:35:11 ray Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -604,6 +604,8 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, u_long *lineno) { while (fgets(buf, bufsz, f) != NULL) { + if (buf[0] == '\0') + continue; (*lineno)++; if (buf[strlen(buf) - 1] == '\n' || feof(f)) { return 0; 
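Review bot: The added `if (buf[0] == '\0') continue;` in read_keyfile_line sits before `(*lineno)++`, so an input line that begins with a NUL byte is skipped without being counted. Line numbers reported for later lines of that file would then be off by one. Moving the increment ahead of the check keeps the numbering accurate: `(*lineno)++;` first, then `if (buf[0] == '\0') continue;`. A short comment saying that the check protects the `buf[strlen(buf) - 1]` index below from a zero-length string would also help. The loop continues outside the hunk.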
diff --git a/crypto/dist/ssh/moduli.c b/crypto/dist/ssh/moduli.c index 3a8e79ff097d..79c23de7a630 100644 --- a/crypto/dist/ssh/moduli.c +++ b/crypto/dist/ssh/moduli.c @@ -1,5 +1,5 @@ -/* $NetBSD: moduli.c,v 1.1.1.4 2006/09/28 21:15:11 christos Exp $ */ -/* $OpenBSD: moduli.c,v 1.18 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: moduli.c,v 1.1.1.5 2007/03/10 22:35:39 christos Exp $ */ +/* $OpenBSD: moduli.c,v 1.20 2007/02/24 03:30:11 ray Exp $ */ /* * Copyright 1994 Phil Karn * Copyright 1996-1998, 2003 William Allen Simpson @@ -326,20 +326,26 @@ gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start) /* validation check: count the number of primes tried */ largetries = 0; - q = BN_new(); + if ((q = BN_new()) == NULL) + fatal("BN_new failed"); /* * Generate random starting point for subprime search, or use * specified parameter. */ - largebase = BN_new(); - if (start == NULL) - BN_rand(largebase, power, 1, 1); - else - BN_copy(largebase, start); + if ((largebase = BN_new()) == NULL) + fatal("BN_new failed"); + if (start == NULL) { + if (BN_rand(largebase, power, 1, 1) == 0) + fatal("BN_rand failed"); + } else { + if (BN_copy(largebase, start) == NULL) + fatal("BN_copy: failed"); + } /* ensure odd */ - BN_set_bit(largebase, 0); + if (BN_set_bit(largebase, 0) == 0) + fatal("BN_set_bit: failed"); time(&time_start); @@ -423,8 +429,10 @@ gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start) continue; /* Definitely composite, skip */ debug2("test q = largebase+%u", 2 * j); - BN_set_word(q, 2 * j); - BN_add(q, q, largebase); + if (BN_set_word(q, 2 * j) == 0) + fatal("BN_set_word failed"); + if (BN_add(q, q, largebase) == 0) + fatal("BN_add failed"); if (qfileout(out, QTYPE_SOPHIE_GERMAIN, QTEST_SIEVE, largetries, (power - 1) /* MSB */, (0), q) == -1) { ret = -1; 
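Review bot: The fatal() strings added in gen_candidates are inconsistent with each other (`"BN_copy: failed"` and `"BN_set_bit: failed"` against `"BN_rand failed"` and `"BN_new failed"`), and none names the function. The two `"BN_new failed"` calls are also indistinguishable in a log. Use one form throughout, e.g. `fatal("gen_candidates: BN_copy failed");`. The checks added in the second gen_candidates hunk and in prime_test have the same shape. The function starts and ends outside these hunks.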
@@ -469,20 +477,21 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted) time(&time_start); - p = BN_new(); - q = BN_new(); - ctx = BN_CTX_new(); + if ((p = BN_new()) == NULL) + fatal("BN_new failed"); + if ((q = BN_new()) == NULL) + fatal("BN_new failed"); + if ((ctx = BN_CTX_new()) == NULL) + fatal("BN_CTX_new failed"); debug2("%.24s Final %u Miller-Rabin trials (%x generator)", ctime(&time_start), trials, generator_wanted); res = 0; lp = xmalloc(QLINESIZE + 1); - while (fgets(lp, QLINESIZE, in) != NULL) { - int ll = strlen(lp); - + while (fgets(lp, QLINESIZE + 1, in) != NULL) { count_in++; - if (ll < 14 || *lp == '!' || *lp == '#') { + if (strlen(lp) < 14 || *lp == '!' || *lp == '#') { debug2("%10u: comment or short line", count_in); continue; } @@ -519,10 +528,13 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted) case QTYPE_SOPHIE_GERMAIN: debug2("%10u: (%u) Sophie-Germain", count_in, in_type); a = q; - BN_hex2bn(&a, cp); + if (BN_hex2bn(&a, cp) == 0) + fatal("BN_hex2bn failed"); /* p = 2*q + 1 */ - BN_lshift(p, q, 1); - BN_add_word(p, 1); + if (BN_lshift(p, q, 1) == 0) + fatal("BN_lshift failed"); + if (BN_add_word(p, 1) == 0) + fatal("BN_add_word failed"); in_size += 1; generator_known = 0; break; @@ -533,9 +545,11 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted) case QTYPE_UNKNOWN: debug2("%10u: (%u)", count_in, in_type); a = p; - BN_hex2bn(&a, cp); + if (BN_hex2bn(&a, cp) == 0) + fatal("BN_hex2bn failed"); /* q = (p-1) / 2 */ - BN_rshift(q, p, 1); + if (BN_rshift(q, p, 1) == 0) + fatal("BN_rshift failed"); break; default: debug2("Unknown prime type"); diff --git a/crypto/dist/ssh/monitor.c b/crypto/dist/ssh/monitor.c index fefabca70007..6ba991d9fc29 100644 --- a/crypto/dist/ssh/monitor.c +++ b/crypto/dist/ssh/monitor.c 
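Review bot: The read loop in prime_test now passes the full `QLINESIZE + 1` buffer to fgets() but still does not check that the line it received ends in a newline. An input line longer than the buffer is therefore split, and its tail is parsed as a separate record and counted again in `count_in`. Consider testing `lp[strlen(lp) - 1] != '\n'` after the existing length test, logging with `debug2()`, and discarding the remainder of that line, while still allowing a final line that has no newline. The loop body continues outside the hunk.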
@@ -1,5 +1,5 @@ -/* $NetBSD: monitor.c,v 1.1.1.10 2006/09/28 21:15:12 christos Exp $ */ -/* $OpenBSD: monitor.c,v 1.88 2006/08/12 20:46:46 miod Exp $ */ +/* $NetBSD: monitor.c,v 1.1.1.11 2007/03/10 22:35:40 christos Exp $ */ +/* $OpenBSD: monitor.c,v 1.90 2007/02/19 10:45:58 dtucker Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -293,7 +293,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) /* The first few requests do not require asynchronous access */ while (!authenticated) { auth_method = "unknown"; - authenticated = monitor_read(pmonitor, mon_dispatch, &ent); + authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); if (authenticated) { if (!(ent->flags & MON_AUTHDECIDE)) fatal("%s: unexpected authentication from %d", @@ -571,6 +571,9 @@ mm_answer_pwnamallow(int sock, Buffer *m) buffer_put_cstring(m, pwent->pw_class); buffer_put_cstring(m, pwent->pw_dir); buffer_put_cstring(m, pwent->pw_shell); + buffer_put_string(m, &options, sizeof(options)); + if (options.banner != NULL) + buffer_put_cstring(m, options.banner); out: debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); @@ -1009,7 +1012,7 @@ mm_answer_keyverify(int sock, Buffer *m) verified = key_verify(key, signature, signaturelen, data, datalen); debug3("%s: key %p signature %s", - __func__, key, verified ? "verified" : "unverified"); + __func__, key, (verified == 1) ? "verified" : "unverified"); key_free(key); xfree(blob); @@ -1024,7 +1027,7 @@ mm_answer_keyverify(int sock, Buffer *m) buffer_put_int(m, verified); mm_request_send(sock, MONITOR_ANS_KEYVERIFY, m); - return (verified); + return (verified == 1); } static void diff --git a/crypto/dist/ssh/monitor_wrap.c b/crypto/dist/ssh/monitor_wrap.c index 357966ca9c98..264c1ce6f40d 100644 --- a/crypto/dist/ssh/monitor_wrap.c +++ b/crypto/dist/ssh/monitor_wrap.c 
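Review bot: `buffer_put_string(m, &options, sizeof(options))` in mm_answer_pwnamallow copies the whole ServerOptions structure byte-for-byte across the monitor channel, so every pointer member is sent as a raw address from the monitor's address space and only `banner` is re-sent as a string. That exposes monitor addresses to the (presumably less-privileged) peer and leaves the receiver, mm_getpwnamallow in monitor_wrap.c later in this patch, holding pointers it must never dereference. Whether copy_set_server_options() skips them is not visible here. Consider serialising only the fields a Match block may change, or at least add a comment listing which pointer members are fixed up, so that any new string option is added on both sides together. The function starts outside the hunk.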
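Review bot: mm_answer_keyverify now returns `(verified == 1)`, but the reply still carries the raw value via `buffer_put_int(m, verified)`. If key_verify() can return a negative error value, as the new `== 1` comparison suggests, that value reaches the peer as a large nonzero integer. If the receiving wrapper treats any nonzero value as success (it is not part of this hunk), the two sides would disagree about the outcome. Sending the normalised value, `buffer_put_int(m, verified == 1);`, keeps them aligned. The function starts outside the hunk.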
@@ -1,5 +1,5 @@ -/* $NetBSD: monitor_wrap.c,v 1.1.1.8 2006/09/28 21:15:13 christos Exp $ */ -/* $OpenBSD: monitor_wrap.c,v 1.54 2006/08/12 20:46:46 miod Exp $ */ +/* $NetBSD: monitor_wrap.c,v 1.1.1.9 2007/03/10 22:35:41 christos Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.55 2007/02/19 10:45:58 dtucker Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -64,6 +64,7 @@ #include "channels.h" #include "session.h" +#include "servconf.h" /* Imports */ extern int compat20; @@ -73,6 +74,7 @@ extern z_stream outgoing_stream; extern struct monitor *pmonitor; extern Buffer input, output; extern Buffer loginmsg; +extern ServerOptions options; int mm_is_monitor(void) @@ -197,7 +199,8 @@ mm_getpwnamallow(const char *username) { Buffer m; struct passwd *pw; - u_int pwlen; + u_int len; + ServerOptions *newopts; debug3("%s entering", __func__); @@ -213,8 +216,8 @@ mm_getpwnamallow(const char *username) buffer_free(&m); return (NULL); } - pw = buffer_get_string(&m, &pwlen); - if (pwlen != sizeof(struct passwd)) + pw = buffer_get_string(&m, &len); + if (len != sizeof(struct passwd)) fatal("%s: struct passwd size mismatch", __func__); pw->pw_name = buffer_get_string(&m, NULL); pw->pw_passwd = buffer_get_string(&m, NULL); @@ -222,6 +225,16 @@ mm_getpwnamallow(const char *username) pw->pw_class = buffer_get_string(&m, NULL); pw->pw_dir = buffer_get_string(&m, NULL); pw->pw_shell = buffer_get_string(&m, NULL); + + /* copy options block as a Match directive may have changed some */ + newopts = buffer_get_string(&m, &len); + if (len != sizeof(*newopts)) + fatal("%s: option block size mismatch", __func__); + if (newopts->banner != NULL) + newopts->banner = buffer_get_string(&m, NULL); + copy_set_server_options(&options, newopts, 1); + xfree(newopts); + buffer_free(&m); return (pw); diff --git a/crypto/dist/ssh/packet.c b/crypto/dist/ssh/packet.c index 9fb4e93db428..866f4a4db54c 100644 --- a/crypto/dist/ssh/packet.c +++ b/crypto/dist/ssh/packet.c 
@@ -1,5 +1,5 @@ -/* $NetBSD: packet.c,v 1.1.1.20 2006/09/28 21:15:14 christos Exp $ */ -/* $OpenBSD: packet.c,v 1.144 2006/09/16 19:53:37 djm Exp $ */ +/* $NetBSD: packet.c,v 1.1.1.21 2007/03/10 22:35:42 christos Exp $ */ +/* $OpenBSD: packet.c,v 1.145 2006/09/19 21:14:08 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -683,6 +683,9 @@ packet_enable_delayed_compress(void) */ after_authentication = 1; for (mode = 0; mode < MODE_MAX; mode++) { + /* protocol error: USERAUTH_SUCCESS received before NEWKEYS */ + if (newkeys[mode] == NULL) + continue; comp = &newkeys[mode]->comp; if (comp && !comp->enabled && comp->type == COMP_DELAYED) { packet_init_compression(); diff --git a/crypto/dist/ssh/readconf.c b/crypto/dist/ssh/readconf.c index ebed58b472eb..64ca41c465e8 100644 --- a/crypto/dist/ssh/readconf.c +++ b/crypto/dist/ssh/readconf.c @@ -1,5 +1,5 @@ -/* $NetBSD: readconf.c,v 1.1.1.19 2006/09/28 21:15:16 christos Exp $ */ -/* $OpenBSD: readconf.c,v 1.159 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: readconf.c,v 1.1.1.20 2007/03/10 22:35:43 christos Exp $ */ +/* $OpenBSD: readconf.c,v 1.161 2007/01/21 01:45:35 stevesk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -360,7 +360,7 @@ parse_time: if ((value = convtime(arg)) == -1) fatal("%s line %d: invalid time value.", filename, linenum); - if (*intptr == -1) + if (*activep && *intptr == -1) *intptr = value; break; @@ -541,7 +541,7 @@ parse_yesnoask: if (*intptr >= SSH_MAX_IDENTITY_FILES) fatal("%.200s line %d: Too many identity files specified (max %d).", filename, linenum, SSH_MAX_IDENTITY_FILES); - charptr = &options->identity_files[*intptr]; + charptr = &options->identity_files[*intptr]; *charptr = xstrdup(arg); *intptr = *intptr + 1; } 
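Review bot: The new `newkeys[mode] == NULL` guard in packet_enable_delayed_compress labels the condition a protocol error but then skips the mode silently, so a peer that sends USERAUTH_SUCCESS before NEWKEYS leaves no trace. Logging it before the `continue`, with something like `debug("%s: no newkeys for mode %d", __func__, mode);`, would make the event visible to anyone investigating a misbehaving peer. Whether the connection should instead be dropped is a decision for the author. With the guard in place, the `comp &&` test on the following line can no longer be false. The function begins outside the hunk.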
@@ -688,7 +688,7 @@ parse_int: break; case oLogLevel: - intptr = (int *)(void *)&options->log_level; + intptr = (int *) &options->log_level; arg = strdelim(&s); value = log_level_number(arg); if (value == SYSLOG_LEVEL_NOT_SET) diff --git a/crypto/dist/ssh/rsa.c b/crypto/dist/ssh/rsa.c index 4a9d1551cbc0..a8d6a8c8f44c 100644 --- a/crypto/dist/ssh/rsa.c +++ b/crypto/dist/ssh/rsa.c @@ -1,5 +1,5 @@ -/* $NetBSD: rsa.c,v 1.1.1.7 2006/09/28 21:15:16 christos Exp $ */ -/* $OpenBSD: rsa.c,v 1.28 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: rsa.c,v 1.1.1.8 2007/03/10 22:35:43 christos Exp $ */ +/* $OpenBSD: rsa.c,v 1.29 2006/11/06 21:25:28 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -89,7 +89,8 @@ rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key) RSA_PKCS1_PADDING)) <= 0) fatal("rsa_public_encrypt() failed"); - BN_bin2bn(outbuf, len, out); + if (BN_bin2bn(outbuf, len, out) == NULL) + fatal("rsa_public_encrypt: BN_bin2bn failed"); memset(outbuf, 0, olen); memset(inbuf, 0, ilen); @@ -114,7 +115,8 @@ rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key) RSA_PKCS1_PADDING)) <= 0) { error("rsa_private_decrypt() failed"); } else { - BN_bin2bn(outbuf, len, out); + if (BN_bin2bn(outbuf, len, out) == NULL) + fatal("rsa_private_decrypt: BN_bin2bn failed"); } memset(outbuf, 0, olen); memset(inbuf, 0, ilen); @@ -135,11 +137,11 @@ rsa_generate_additional_parameters(RSA *rsa) if ((ctx = BN_CTX_new()) == NULL) fatal("rsa_generate_additional_parameters: BN_CTX_new failed"); - BN_sub(aux, rsa->q, BN_value_one()); - BN_mod(rsa->dmq1, rsa->d, aux, ctx); - - BN_sub(aux, rsa->p, BN_value_one()); - BN_mod(rsa->dmp1, rsa->d, aux, ctx); + if ((BN_sub(aux, rsa->q, BN_value_one()) == 0) || + (BN_mod(rsa->dmq1, rsa->d, aux, ctx) == 0) || + (BN_sub(aux, rsa->p, BN_value_one()) == 0) || + (BN_mod(rsa->dmp1, rsa->d, aux, ctx) == 0)) + fatal("rsa_generate_additional_parameters: BN_sub/mod failed"); BN_clear_free(aux); BN_CTX_free(ctx); 
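Review bot: The oLogLevel case (readconf.c, `@@ -688`) still stores through an `int *` that aliases `options->log_level`, and dropping the intermediate `(void *)` only removes what kept the compiler quiet about it. If that member is an enum, as the cast suggests, the later write assumes it has the size and representation of `int`. A local of the member's own type avoids the cast altogether, e.g. `LogLevel *log_level_ptr = &options->log_level;` with the store written as `*log_level_ptr = (LogLevel) value;`. The store itself is outside this hunk, so the exact line to change is not visible here.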
diff --git a/crypto/dist/ssh/scard.c b/crypto/dist/ssh/scard.c index 11efb0411cfa..fc8170527fe7 100644 --- a/crypto/dist/ssh/scard.c +++ b/crypto/dist/ssh/scard.c @@ -1,5 +1,5 @@ -/* $NetBSD: scard.c,v 1.1.1.7 2006/09/28 21:15:16 christos Exp $ */ -/* $OpenBSD: scard.c,v 1.35 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: scard.c,v 1.1.1.8 2007/03/10 22:35:44 christos Exp $ */ +/* $OpenBSD: scard.c,v 1.36 2006/11/06 21:25:28 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -390,15 +390,17 @@ sc_get_keys(const char *id, const char *pin) keys = xcalloc((nkeys+1), sizeof(Key *)); n = key_new(KEY_RSA1); - BN_copy(n->rsa->n, k->rsa->n); - BN_copy(n->rsa->e, k->rsa->e); + if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || + (BN_copy(n->rsa->e, k->rsa->e) == NULL)) + fatal("sc_get_keys: BN_copy failed"); RSA_set_method(n->rsa, sc_get_rsa()); n->flags |= KEY_FLAG_EXT; keys[0] = n; n = key_new(KEY_RSA); - BN_copy(n->rsa->n, k->rsa->n); - BN_copy(n->rsa->e, k->rsa->e); + if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || + (BN_copy(n->rsa->e, k->rsa->e) == NULL)) + fatal("sc_get_keys: BN_copy failed"); RSA_set_method(n->rsa, sc_get_rsa()); n->flags |= KEY_FLAG_EXT; keys[1] = n; diff --git a/crypto/dist/ssh/scp.c b/crypto/dist/ssh/scp.c index 7012b5ca4ddc..a8ef09282835 100644 --- a/crypto/dist/ssh/scp.c +++ b/crypto/dist/ssh/scp.c @@ -1,5 +1,5 @@ -/* $NetBSD: scp.c,v 1.1.1.20 2006/09/28 21:15:17 christos Exp $ */ -/* $OpenBSD: scp.c,v 1.155 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: scp.c,v 1.1.1.21 2007/03/10 22:35:44 christos Exp $ */ +/* $OpenBSD: scp.c,v 1.156 2007/01/22 13:06:21 djm Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). 
@@ -368,7 +368,7 @@ main(int argc, char **argv) if ((pwd = getpwuid(userid = getuid())) == NULL) fatal("unknown user %u", (u_int) userid); - if (!isatty(STDERR_FILENO)) + if (!isatty(STDOUT_FILENO)) showprogress = 0; remin = STDIN_FILENO; diff --git a/crypto/dist/ssh/servconf.c b/crypto/dist/ssh/servconf.c index 39a12296281d..5856cfd1e4f3 100644 --- a/crypto/dist/ssh/servconf.c +++ b/crypto/dist/ssh/servconf.c @@ -1,5 +1,5 @@ -/* $NetBSD: servconf.c,v 1.1.1.21 2006/09/28 21:15:18 christos Exp $ */ -/* $OpenBSD: servconf.c,v 1.165 2006/08/14 12:40:25 dtucker Exp $ */ +/* $NetBSD: servconf.c,v 1.1.1.22 2007/03/10 22:35:45 christos Exp $ */ +/* $OpenBSD: servconf.c,v 1.170 2007/03/01 10:28:02 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
@@ -293,19 +293,19 @@ static struct { { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, { "loglevel", sLogLevel, SSHCFG_GLOBAL }, { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, - { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL }, - { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_GLOBAL }, + { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL }, + { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL }, - { "rsaauthentication", sRSAAuthentication, SSHCFG_GLOBAL }, - { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, + { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, + { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ #ifdef KRB5 - { "kerberosauthentication", sKerberosAuthentication, SSHCFG_GLOBAL }, + { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL }, { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL }, { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL }, #else - { "kerberosauthentication", sUnsupported, SSHCFG_GLOBAL }, + { "kerberosauthentication", sUnsupported, SSHCFG_ALL }, { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL }, { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, 
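Review bot: In the keyword table, `pubkeyauthentication` is switched to `SSHCFG_ALL` but its alias `dsaauthentication`, which maps to the same `sPubkeyAuthentication` opcode, stays at `SSHCFG_GLOBAL`, so the two spellings of one setting now differ in where they are accepted. If the alias is deliberately kept out of Match blocks, a comment on that row would say so, e.g. `/* alias, global only */`; otherwise it should carry the same flag as the primary keyword. How the flag is enforced is outside this hunk, so I am assuming from the names that `SSHCFG_GLOBAL` entries are refused inside Match.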
@@ -313,14 +313,14 @@ static struct { { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, #ifdef GSSAPI - { "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL }, + { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, #else - { "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL }, + { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, #endif - { "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL }, - { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL }, + { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, + { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ { "checkmail", sDeprecated, SSHCFG_GLOBAL }, @@ -353,7 +353,7 @@ static struct { { "subsystem", sSubsystem, SSHCFG_GLOBAL }, { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL }, - { "banner", sBanner, SSHCFG_GLOBAL }, + { "banner", sBanner, SSHCFG_ALL }, { "usedns", sUseDNS, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, @@ -926,7 +926,7 @@ parse_flag: else fatal("%s line %d: Bad yes/no/clientspecified " "argument: %s", filename, linenum, arg); - if (*intptr == -1) + if (*activep && *intptr == -1) *intptr = value; break; 
@@ -1178,13 +1178,16 @@ parse_flag: if (!arg || *arg == '\0') fatal("%s line %d: missing PermitOpen specification", filename, linenum); + n = options->num_permitted_opens; /* modified later */ if (strcmp(arg, "any") == 0) { - if (*activep) { + if (*activep && n == -1) { channel_clear_adm_permitted_opens(); options->num_permitted_opens = 0; } break; } + if (*activep && n == -1) + channel_clear_adm_permitted_opens(); for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { p = hpdelim(&arg); if (p == NULL) @@ -1194,11 +1197,9 @@ parse_flag: if (arg == NULL || (port = a2port(arg)) == 0) fatal("%s line %d: bad port number in " "PermitOpen", filename, linenum); - if (*activep && options->num_permitted_opens == -1) { - channel_clear_adm_permitted_opens(); + if (*activep && n == -1) options->num_permitted_opens = channel_add_adm_permitted_opens(p, port); - } } break; 
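Review bot: The comment on `n = options->num_permitted_opens; /* modified later */` does not say why the value is snapshotted, which is the whole point of the fix. The per-entry test has to use the count from before this directive, because the first `channel_add_adm_permitted_opens()` result makes `options->num_permitted_opens` differ from -1 and every further host:port on the same line would then be skipped. I would spell that out, e.g. `/* snapshot: decide once per directive whether it applies, not per host:port */`. The enclosing function starts and ends outside these two hunks.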
@@ -1274,30 +1275,55 @@ parse_server_match_config(ServerOptions *options, const char *user, initialize_server_options(&mo); parse_server_config(&mo, "reprocess config", &cfg, user, host, address); - copy_set_server_options(options, &mo); + copy_set_server_options(options, &mo, 0); } -/* Copy any (supported) values that are set */ +/* Helper macros */ +#define M_CP_INTOPT(n) do {\ + if (src->n != -1) \ + dst->n = src->n; \ +} while (0) +#define M_CP_STROPT(n) do {\ + if (src->n != NULL) { \ + if (dst->n != NULL) \ + xfree(dst->n); \ + dst->n = src->n; \ + } \ +} while(0) + +/* + * Copy any supported values that are set. + * + * If the preauth flag is set, we do not bother copying the the string or + * array values that are not used pre-authentication, because any that we + * do use must be explictly sent in mm_getpwnamallow(). + */ void -copy_set_server_options(ServerOptions *dst, ServerOptions *src) +copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) { - if (src->allow_tcp_forwarding != -1) - dst->allow_tcp_forwarding = src->allow_tcp_forwarding; - if (src->gateway_ports != -1) - dst->gateway_ports = src->gateway_ports; - if (src->adm_forced_command != NULL) { - if (dst->adm_forced_command != NULL) - xfree(dst->adm_forced_command); - dst->adm_forced_command = src->adm_forced_command; - } - if (src->x11_display_offset != -1) - dst->x11_display_offset = src->x11_display_offset; - if (src->x11_forwarding != -1) - dst->x11_forwarding = src->x11_forwarding; - if (src->x11_use_localhost != -1) - dst->x11_use_localhost = src->x11_use_localhost; + M_CP_INTOPT(password_authentication); + M_CP_INTOPT(gss_authentication); + M_CP_INTOPT(rsa_authentication); + M_CP_INTOPT(pubkey_authentication); + M_CP_INTOPT(kerberos_authentication); + M_CP_INTOPT(hostbased_authentication); + M_CP_INTOPT(kbd_interactive_authentication); + + M_CP_INTOPT(allow_tcp_forwarding); + M_CP_INTOPT(gateway_ports); + M_CP_INTOPT(x11_display_offset); + 
M_CP_INTOPT(x11_forwarding); + M_CP_INTOPT(x11_use_localhost); + + M_CP_STROPT(banner); + if (preauth) + return; + M_CP_STROPT(adm_forced_command); } +#undef M_CP_INTOPT +#undef M_CP_STROPT + void parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, const char *user, const char *host, const char *address) @@ -1319,4 +1345,8 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, if (bad_options > 0) fatal("%s: terminating, %d bad configuration options", filename, bad_options); + + /* challenge-response is implemented via keyboard interactive */ + if (options->challenge_response_authentication == 1) + options->kbd_interactive_authentication = 1; } diff --git a/crypto/dist/ssh/servconf.h b/crypto/dist/ssh/servconf.h index 28dcef145c79..763af323cfe6 100644 --- a/crypto/dist/ssh/servconf.h +++ b/crypto/dist/ssh/servconf.h @@ -1,5 +1,5 @@ -/* $NetBSD: servconf.h,v 1.1.1.16 2006/09/28 21:15:18 christos Exp $ */ -/* $OpenBSD: servconf.h,v 1.79 2006/08/14 12:40:25 dtucker Exp $ */ +/* $NetBSD: servconf.h,v 1.1.1.17 2007/03/10 22:35:45 christos Exp $ */ +/* $OpenBSD: servconf.h,v 1.80 2007/02/19 10:45:58 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -151,6 +151,6 @@ void parse_server_config(ServerOptions *, const char *, Buffer *, const char *, const char *, const char *); void parse_server_match_config(ServerOptions *, const char *, const char *, const char *); -void copy_set_server_options(ServerOptions *, ServerOptions *); +void copy_set_server_options(ServerOptions *, ServerOptions *, int); #endif /* SERVCONF_H */ diff --git a/crypto/dist/ssh/serverloop.c b/crypto/dist/ssh/serverloop.c index 811077ba40fd..c0005584fd60 100644 --- a/crypto/dist/ssh/serverloop.c +++ b/crypto/dist/ssh/serverloop.c 
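Review bot: `M_CP_STROPT` moves the pointer from `src` to `dst` but leaves `src->n` set, so after copy_set_server_options both structures refer to the same allocation and the caller must not free the strings in `src`. The new block comment explains the preauth flag but not this ownership transfer; a line such as `/* string values are moved, not duplicated: src must not free them afterwards */` would cover it. The macro also frees `dst->n` before assigning, which would leave a dangling pointer if `dst->n == src->n` on entry. The two call sites visible in this diff pass freshly filled sources, so that is a latent hazard rather than a present bug.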
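Review bot: The block added at the end of parse_server_config (`@@ -1319`) sets `kbd_interactive_authentication = 1` whenever `challenge_response_authentication == 1`, which also overrides a value of 0 that an administrator set explicitly, and nothing is logged when that happens. Because the effect is that an authentication method is turned on against the written configuration, it should be visible, e.g. `debug("%s: ChallengeResponseAuthentication enables KbdInteractiveAuthentication", filename);` next to the assignment. The precedence should also be stated in the comment, which currently explains only why the two options are related.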
@@ -1,5 +1,5 @@ -/* $NetBSD: serverloop.c,v 1.1.1.23 2006/09/28 21:15:19 christos Exp $ */ -/* $OpenBSD: serverloop.c,v 1.144 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: serverloop.c,v 1.1.1.24 2007/03/10 22:35:45 christos Exp $ */ +/* $OpenBSD: serverloop.c,v 1.145 2006/10/11 12:38:03 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -243,8 +243,10 @@ client_alive_check(void) int channel_id; /* timeout, check to see how many we have had */ - if (++client_alive_timeouts > options.client_alive_count_max) - packet_disconnect("Timeout, your session not responding."); + if (++client_alive_timeouts > options.client_alive_count_max) { + logit("Timeout, client not responding."); + cleanup_exit(255); + } /* * send a bogus global/channel request with "wantreply", diff --git a/crypto/dist/ssh/session.c b/crypto/dist/ssh/session.c index 01a23448bba4..57272e97279a 100644 --- a/crypto/dist/ssh/session.c +++ b/crypto/dist/ssh/session.c @@ -1,5 +1,5 @@ -/* $NetBSD: session.c,v 1.1.1.23 2006/09/28 21:15:20 christos Exp $ */ -/* $OpenBSD: session.c,v 1.219 2006/08/29 10:40:19 djm Exp $ */ +/* $NetBSD: session.c,v 1.1.1.24 2007/03/10 22:35:37 christos Exp $ */ +/* $OpenBSD: session.c,v 1.221 2007/01/21 01:41:54 stevesk Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -764,7 +764,7 @@ do_setup_env(Session *s, const char *shell) /* Initialize the environment. */ envsize = 100; - env = xmalloc(envsize * sizeof(char *)); + env = xcalloc(envsize, sizeof(char *)); env[0] = NULL; #ifdef GSSAPI @@ -1599,7 +1599,7 @@ session_input_channel_req(Channel *c, const char *rtype) } else if (strcmp(rtype, "exec") == 0) { success = session_exec_req(s); } else if (strcmp(rtype, "pty-req") == 0) { - success = session_pty_req(s); + success = session_pty_req(s); } else if (strcmp(rtype, "x11-req") == 0) { success = session_x11_req(s); } else if (strcmp(rtype, "auth-agent-req@openssh.com") == 0) { 
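Review bot: The new `logit("Timeout, client not responding.")` in client_alive_check records that a session was dropped but not which peer it belonged to, so the line is hard to use for triage on a busy server. Including the remote address, e.g. `logit("Timeout, client %s not responding.", get_remote_ipaddr());`, would tie the event to a source. This assumes canohost.h is already included in serverloop.c, which the hunk does not show. With `packet_disconnect()` gone the peer no longer receives a disconnect reason, so this log line is the only record of why the session ended.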
@@ -1724,7 +1724,7 @@ session_close_single_x11(int id, void *arg) debug3("session_close_single_x11: channel %d", id); channel_cancel_cleanup(id); - if ((s = session_by_x11_channel(id)) == NULL) + if ((s = session_by_x11_channel(id)) == NULL) fatal("session_close_single_x11: no x11 channel %d", id); for (i = 0; s->x11_chanids[i] != -1; i++) { debug("session_close_single_x11: session %d: " diff --git a/crypto/dist/ssh/sftp-client.c b/crypto/dist/ssh/sftp-client.c index d82ae2c9e015..dd4af6423bd6 100644 --- a/crypto/dist/ssh/sftp-client.c +++ b/crypto/dist/ssh/sftp-client.c @@ -1,5 +1,5 @@ -/* $NetBSD: sftp-client.c,v 1.1.1.17 2006/09/28 21:15:21 christos Exp $ */ -/* $OpenBSD: sftp-client.c,v 1.74 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: sftp-client.c,v 1.1.1.18 2007/03/10 22:35:46 christos Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.76 2007/01/22 11:32:50 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1125,10 +1125,13 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, if (status != SSH2_FX_OK) { error("Couldn't write to remote file \"%s\": %s", remote_path, fx2txt(status)); + if (showprogress) + stop_progress_meter(); do_close(conn, handle, handle_len); close(local_fd); xfree(data); xfree(ack); + status = -1; goto done; } debug3("In write loop, ack for %u %u bytes at %llu", diff --git a/crypto/dist/ssh/sftp-server.c b/crypto/dist/ssh/sftp-server.c index 47b88b1cc148..034609378adb 100644 --- a/crypto/dist/ssh/sftp-server.c +++ b/crypto/dist/ssh/sftp-server.c @@ -1,5 +1,5 @@ -/* $NetBSD: sftp-server.c,v 1.1.1.17 2006/09/28 21:15:22 christos Exp $ */ -/* $OpenBSD: sftp-server.c,v 1.70 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: sftp-server.c,v 1.1.1.18 2007/03/10 22:35:47 christos Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.71 2007/01/03 07:22:36 stevesk Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * 
@@ -659,7 +659,7 @@ process_fstat(void) debug("request %u: fstat \"%s\" (handle %u)", id, handle_to_name(handle), handle); fd = handle_to_fd(handle); - if (fd >= 0) { + if (fd >= 0) { ret = fstat(fd, &st); if (ret < 0) { status = errno_to_portable(errno); diff --git a/crypto/dist/ssh/sftp.c b/crypto/dist/ssh/sftp.c index 7266fdfad4ce..1733d36dc21c 100644 --- a/crypto/dist/ssh/sftp.c +++ b/crypto/dist/ssh/sftp.c @@ -1,5 +1,5 @@ -/* $NetBSD: sftp.c,v 1.1.1.16 2006/09/28 21:15:23 christos Exp $ */ -/* $OpenBSD: sftp.c,v 1.91 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: sftp.c,v 1.1.1.17 2007/03/10 22:35:48 christos Exp $ */ +/* $OpenBSD: sftp.c,v 1.96 2007/01/03 04:09:15 stevesk Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -155,6 +155,7 @@ static const struct CMD cmds[] = { int interactive_loop(int fd_in, int fd_out, char *file1, char *file2); +/* ARGSUSED */ static void killchild(int signo) { @@ -166,6 +167,7 @@ killchild(int signo) _exit(1); } +/* ARGSUSED */ static void cmd_interrupt(int signo) { @@ -287,11 +289,11 @@ static char * path_append(char *p1, char *p2) { char *ret; - int len = strlen(p1) + strlen(p2) + 2; + size_t len = strlen(p1) + strlen(p2) + 2; ret = xmalloc(len); strlcpy(ret, p1, len); - if (p1[strlen(p1) - 1] != '/') + if (p1[0] != '\0' && p1[strlen(p1) - 1] != '/') strlcat(ret, "/", len); strlcat(ret, p2, len); @@ -482,7 +484,7 @@ is_dir(char *path) if (stat(path, &sb) == -1) return(0); - return(sb.st_mode & S_IFDIR); + return(S_ISDIR(sb.st_mode)); } static int @@ -506,7 +508,7 @@ remote_is_dir(struct sftp_conn *conn, char *path) return(0); if (!(a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)) return(0); - return(a->perm & S_IFDIR); + return(S_ISDIR(a->perm)); } static int 
@@ -966,6 +968,7 @@ parse_args(const char **cpp, int *pflag, int *lflag, int *iflag, case I_CHOWN: case I_CHGRP: /* Get numeric arg (mandatory) */ + errno = 0; l = strtol(cp, &cp2, base); if (cp2 == cp || ((l == LONG_MIN || l == LONG_MAX) && errno == ERANGE) || l < 0) { @@ -1528,7 +1531,7 @@ main(int argc, char **argv) fprintf(stderr, "Missing username\n"); usage(); } - addargs(&args, "-l%s",userhost); + addargs(&args, "-l%s", userhost); } if ((cp = colon(host)) != NULL) { diff --git a/crypto/dist/ssh/ssh-agent.c b/crypto/dist/ssh/ssh-agent.c index ea7114ee6cb7..0f373a27b36a 100644 --- a/crypto/dist/ssh/ssh-agent.c +++ b/crypto/dist/ssh/ssh-agent.c @@ -1,5 +1,5 @@ -/* $NetBSD: ssh-agent.c,v 1.1.1.20 2006/09/28 21:15:24 christos Exp $ */ -/* $OpenBSD: ssh-agent.c,v 1.152 2006/08/04 20:46:05 stevesk Exp $ */ +/* $NetBSD: ssh-agent.c,v 1.1.1.21 2007/03/10 22:35:49 christos Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.154 2007/02/28 00:55:30 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -36,12 +36,12 @@ */ #include +#include #include #include #include #include #include -#include #include #include @@ -422,6 +422,7 @@ reaper(void) for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) { nxt = TAILQ_NEXT(id, next); if (id->death != 0 && now >= id->death) { + debug("expiring key '%s'", id->comment); TAILQ_REMOVE(&tab->idlist, id, next); free_identity(id); tab->nentries--; @@ -686,9 +687,6 @@ process_message(SocketEntry *e) u_int msg_len, type; u_char *cp; - /* kill dead keys */ - reaper(); - if (buffer_len(&e->input) < 5) return; /* Incomplete message. */ cp = buffer_ptr(&e->input); @@ -1004,7 +1002,7 @@ int main(int ac, char **av) { int c_flag = 0, d_flag = 0, k_flag = 0, s_flag = 0; - int sock, fd, ch; + int sock, fd, ch, result, saved_errno; u_int nalloc; char *shell, *format, *pidstr, *agentsocket = NULL; fd_set *readsetp = NULL, *writesetp = NULL; 
@@ -1014,6 +1012,7 @@ main(int ac, char **av) extern char *optarg; pid_t pid; char pidstrbuf[1 + 3 * sizeof pid]; + struct timeval tv; /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); @@ -1213,13 +1212,18 @@ skip: nalloc = 0; while (1) { + tv.tv_sec = 10; + tv.tv_usec = 0; prepare_select(&readsetp, &writesetp, &max_fd, &nalloc); - if (select(max_fd + 1, readsetp, writesetp, NULL, NULL) < 0) { - if (errno == EINTR) + result = select(max_fd + 1, readsetp, writesetp, NULL, &tv); + saved_errno = errno; + reaper(); /* remove expired keys */ + if (result < 0) { + if (saved_errno == EINTR) continue; - fatal("select: %s", strerror(errno)); - } - after_select(readsetp, writesetp); + fatal("select: %s", strerror(saved_errno)); + } else if (result > 0) + after_select(readsetp, writesetp); } /* NOTREACHED */ } diff --git a/crypto/dist/ssh/ssh-dss.c b/crypto/dist/ssh/ssh-dss.c index 805580e613ee..cef9eb3fdc88 100644 --- a/crypto/dist/ssh/ssh-dss.c +++ b/crypto/dist/ssh/ssh-dss.c @@ -1,5 +1,5 @@ -/* $NetBSD: ssh-dss.c,v 1.1.1.14 2006/09/28 21:15:24 christos Exp $ */ -/* $OpenBSD: ssh-dss.c,v 1.23 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: ssh-dss.c,v 1.1.1.15 2007/03/10 22:35:49 christos Exp $ */ +/* $OpenBSD: ssh-dss.c,v 1.24 2006/11/06 21:25:28 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -159,8 +159,9 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, fatal("ssh_dss_verify: BN_new failed"); if ((sig->s = BN_new()) == NULL) fatal("ssh_dss_verify: BN_new failed"); - BN_bin2bn(sigblob, INTBLOB_LEN, sig->r); - BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s); + if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig->r) == NULL) || + (BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL)) + fatal("ssh_dss_verify: BN_bin2bn failed"); /* clean up */ memset(sigblob, 0, len); 
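Review bot: The `tv.tv_sec = 10` in the select loop of main (ssh-agent.c) now bounds how long a key can stay loaded after its lifetime has passed, yet it is a bare literal with no comment. I would name it and state the guarantee, for example `#define AGENT_REAP_INTERVAL 10 /* seconds; upper bound on how late an expired key is removed */` (the name is only a suggestion), and use it in the assignment. Calling `reaper()` before `after_select()` is the right order, since a request handled in the same wakeup cannot use a key that has already expired, and a comment saying so would keep a later reordering from undoing it. main starts before and continues after the hunk.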
diff --git a/crypto/dist/ssh/ssh-keygen.1 b/crypto/dist/ssh/ssh-keygen.1 index f211ffa58e12..a36cd8cdbde9 100644 --- a/crypto/dist/ssh/ssh-keygen.1 +++ b/crypto/dist/ssh/ssh-keygen.1 @@ -1,5 +1,5 @@ -.\" $NetBSD: ssh-keygen.1,v 1.1.1.17 2006/02/04 22:23:11 christos Exp $ -.\" $OpenBSD: ssh-keygen.1,v 1.72 2005/11/28 05:16:53 dtucker Exp $ +.\" $NetBSD: ssh-keygen.1,v 1.1.1.18 2007/03/10 22:35:50 christos Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.74 2007/01/12 20:20:41 jmc Exp $ .\" .\" -*- nroff -*- .\" @@ -206,8 +206,8 @@ Download the RSA public key stored in the smartcard in .Ar reader . .It Fl e This option will read a private or public OpenSSH key file and -print the key in a -.Sq SECSH Public Key File Format +print the key in +RFC 4716 SSH Public Key File Format to stdout. This option allows exporting keys for use by several commercial SSH implementations. @@ -254,7 +254,7 @@ in SSH2-compatible format and print an OpenSSH compatible private (or public) key to stdout. .Nm also reads the -.Sq SECSH Public Key File Format . +RFC 4716 SSH Public Key File Format. This option allows importing keys from several commercial SSH implementations. .It Fl l @@ -451,12 +451,9 @@ The file format is described in .Xr moduli 5 , .Xr sshd 8 .Rs -.%A J. Galbraith -.%A R. Thayer -.%T "SECSH Public Key File Format" -.%N draft-ietf-secsh-publickeyfile-01.txt -.%D March 2001 -.%O work in progress material +.%R RFC 4716 +.%T "The Secure Shell (SSH) Public Key File Format" +.%D 2006 .Re .Sh AUTHORS OpenSSH is a derivative of the original and free diff --git a/crypto/dist/ssh/ssh-keygen.c b/crypto/dist/ssh/ssh-keygen.c index 0e1c00cd825f..112ddb799ccc 100644 --- a/crypto/dist/ssh/ssh-keygen.c +++ b/crypto/dist/ssh/ssh-keygen.c 
@@ -1,5 +1,5 @@ -/* $NetBSD: ssh-keygen.c,v 1.1.1.20 2006/09/28 21:15:26 christos Exp $ */ -/* $OpenBSD: ssh-keygen.c,v 1.154 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: ssh-keygen.c,v 1.1.1.21 2007/03/10 22:35:51 christos Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.160 2007/01/21 01:41:54 stevesk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -216,7 +216,8 @@ buffer_get_bignum_bits(Buffer *b, BIGNUM *value) if (buffer_len(b) < bytes) fatal("buffer_get_bignum_bits: input buffer too small: " "need %d have %d", bytes, buffer_len(b)); - BN_bin2bn(buffer_ptr(b), bytes, value); + if (BN_bin2bn(buffer_ptr(b), bytes, value) == NULL) + fatal("buffer_get_bignum_bits: BN_bin2bn failed"); buffer_consume(b, bytes); } @@ -234,7 +235,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) buffer_init(&b); buffer_append(&b, blob, blen); - magic = buffer_get_int(&b); + magic = buffer_get_int(&b); if (magic != SSH_COM_PRIVATE_KEY_MAGIC) { error("bad magic 0x%x != 0x%x", magic, SSH_COM_PRIVATE_KEY_MAGIC); buffer_free(&b); @@ -246,7 +247,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) i2 = buffer_get_int(&b); i3 = buffer_get_int(&b); i4 = buffer_get_int(&b); - debug("ignore (%d %d %d %d)", i1,i2,i3,i4); + debug("ignore (%d %d %d %d)", i1, i2, i3, i4); if (strcmp(cipher, "none") != 0) { error("unsupported cipher %s", cipher); xfree(cipher); @@ -277,7 +278,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) buffer_get_bignum_bits(&b, key->dsa->priv_key); break; case KEY_RSA: - e = buffer_get_char(&b); + e = buffer_get_char(&b); debug("e %lx", e); if (e < 30) { e <<= 8; @@ -339,9 +340,8 @@ get_line(FILE *fp, char *line, size_t len) line[pos++] = c; line[pos] = '\0'; } - if (c == EOF) - return -1; - return pos; + /* We reached EOF */ + return -1; } static void 
@@ -547,7 +547,7 @@ do_fingerprint(struct passwd *pw) for (cp = line; *cp == ' ' || *cp == '\t'; cp++) ; if (!*cp || *cp == '\n' || *cp == '#') - continue ; + continue; i = strtol(cp, &ep, 10); if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) { int quoted = 0; @@ -1010,13 +1010,13 @@ usage(void) #ifdef SMARTCARD fprintf(stderr, " -D reader Download public key from smartcard.\n"); #endif /* SMARTCARD */ - fprintf(stderr, " -e Convert OpenSSH to IETF SECSH key file.\n"); + fprintf(stderr, " -e Convert OpenSSH to RFC 4716 key file.\n"); fprintf(stderr, " -F hostname Find hostname in known hosts file.\n"); fprintf(stderr, " -f filename Filename of the key file.\n"); fprintf(stderr, " -G file Generate candidates for DH-GEX moduli.\n"); fprintf(stderr, " -g Use generic DNS resource record format.\n"); fprintf(stderr, " -H Hash names in known_hosts file.\n"); - fprintf(stderr, " -i Convert IETF SECSH to OpenSSH key file.\n"); + fprintf(stderr, " -i Convert RFC 4716 to OpenSSH key file.\n"); fprintf(stderr, " -l Show fingerprint of key file.\n"); fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n"); fprintf(stderr, " -N phrase Provide new passphrase.\n"); @@ -1042,7 +1042,7 @@ usage(void) * Main program for key management. */ int -main(int ac, char **av) +main(int argc, char **argv) { char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2; char out_file[MAXPATHLEN], *reader_id = NULL; @@ -1065,7 +1065,7 @@ main(int ac, char **av) sanitise_stdfd(); SSLeay_add_all_algorithms(); - log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); + log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); /* we need this for the home * directory. */ pw = getpwuid(getuid()); @@ -1078,7 +1078,7 @@ main(int ac, char **av) exit(1); } - while ((opt = getopt(ac, av, + while ((opt = getopt(argc, argv, "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) { switch (opt) { case 'b': 
@@ -1211,9 +1211,9 @@ main(int ac, char **av) } /* reinit */ - log_init(av[0], log_level, SYSLOG_FACILITY_USER, 1); + log_init(argv[0], log_level, SYSLOG_FACILITY_USER, 1); - if (optind < ac) { + if (optind < argc) { printf("Too many arguments.\n"); usage(); } diff --git a/crypto/dist/ssh/ssh-keyscan.1 b/crypto/dist/ssh/ssh-keyscan.1 index 2d5a8eaae170..1a2ee2247ee2 100644 --- a/crypto/dist/ssh/ssh-keyscan.1 +++ b/crypto/dist/ssh/ssh-keyscan.1 @@ -1,5 +1,5 @@ -.\" $NetBSD: ssh-keyscan.1,v 1.1.1.12 2006/02/04 22:23:12 christos Exp $ -.\" $OpenBSD: ssh-keyscan.1,v 1.21 2005/09/30 20:34:26 jaredy Exp $ +.\" $NetBSD: ssh-keyscan.1,v 1.1.1.13 2007/03/10 22:35:51 christos Exp $ +.\" $OpenBSD: ssh-keyscan.1,v 1.22 2006/09/25 04:55:38 ray Exp $ .\" .\" Copyright 1995, 1996 by David Mazieres . .\" @@ -103,7 +103,7 @@ Causes to print debugging messages about its progress. .El .Sh SECURITY -If a ssh_known_hosts file is constructed using +If an ssh_known_hosts file is constructed using .Nm without verifying the keys, users will be vulnerable to .Em man in the middle diff --git a/crypto/dist/ssh/ssh-keyscan.c b/crypto/dist/ssh/ssh-keyscan.c index 6c045146f219..50d76160c19b 100644 --- a/crypto/dist/ssh/ssh-keyscan.c +++ b/crypto/dist/ssh/ssh-keyscan.c @@ -1,5 +1,5 @@ -/* $NetBSD: ssh-keyscan.c,v 1.1.1.18 2006/09/28 21:15:26 christos Exp $ */ -/* $OpenBSD: ssh-keyscan.c,v 1.73 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: ssh-keyscan.c,v 1.1.1.19 2007/03/10 22:35:51 christos Exp $ */ +/* $OpenBSD: ssh-keyscan.c,v 1.74 2006/10/06 02:29:19 djm Exp $ */ /* * Copyright 1995, 1996 by David Mazieres . * @@ -11,8 +11,8 @@ #include #include #include -#include #include +#include #include diff --git a/crypto/dist/ssh/ssh.1 b/crypto/dist/ssh/ssh.1 index 8802fa8f6f7b..0eee7dbdfdc8 100644 --- a/crypto/dist/ssh/ssh.1 +++ b/crypto/dist/ssh/ssh.1 
@@ -1,4 +1,4 @@ -.\" $NetBSD: ssh.1,v 1.1.1.21 2006/09/28 21:15:27 christos Exp $ +.\" $NetBSD: ssh.1,v 1.1.1.22 2007/03/10 22:35:52 christos Exp $ .\" -*- nroff -*- .\" .\" Author: Tatu Ylonen @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.263 2006/07/11 18:50:48 markus Exp $ +.\" $OpenBSD: ssh.1,v 1.266 2006/12/11 21:25:46 markus Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -1078,12 +1078,22 @@ controls whether the server supports this, and at what level (layer 2 or 3 traffic). .Pp The following example would connect client network 10.0.50.0/24 -with remote network 10.0.99.0/24, provided that the SSH server -running on the gateway to the remote network, -at 192.168.1.15, allows it: +with remote network 10.0.99.0/24 using a point-to-point connection +from 10.1.1.1 to 10.1.1.2, +provided that the SSH server running on the gateway to the remote network, +at 192.168.1.15, allows it. +.Pp +On the client: .Bd -literal -offset indent # ssh -f -w 0:1 192.168.1.15 true -# ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252 +# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252 +# route add 10.0.99.0/24 10.1.1.2 +.Ed +.Pp +On the server: +.Bd -literal -offset indent +# ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252 +# route add 10.0.50.0/24 10.1.1.1 .Ed .Pp Client access may be more finely tuned via the @@ -1106,7 +1116,7 @@ tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john .Ed .Pp -Since a SSH-based setup entails a fair amount of overhead, +Since an SSH-based setup entails a fair amount of overhead, it may be more suited to temporary setups, such as for wireless VPNs. More permanent VPNs are better provided by tools such as 
@@ -1409,6 +1419,11 @@ manual page for more information. .%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol" .%D 2006 .Re +.Rs +.%R RFC 4716 +.%T "The Secure Shell (SSH) Public Key File Format" +.%D 2006 +.Re .Sh AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. diff --git a/crypto/dist/ssh/ssh.c b/crypto/dist/ssh/ssh.c index 8a4a46e6b137..57ea5292a342 100644 --- a/crypto/dist/ssh/ssh.c +++ b/crypto/dist/ssh/ssh.c @@ -1,5 +1,5 @@ -/* $NetBSD: ssh.c,v 1.1.1.22 2006/09/28 21:15:28 christos Exp $ */ -/* $OpenBSD: ssh.c,v 1.293 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: ssh.c,v 1.1.1.23 2007/03/10 22:35:53 christos Exp $ */ +/* $OpenBSD: ssh.c,v 1.295 2007/01/03 03:01:40 stevesk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -42,6 +42,7 @@ */ #include +#include #include #include #include @@ -601,7 +602,7 @@ main(int ac, char **av) if (!read_config_file(config, host, &options, 0)) fatal("Can't open user config file %.100s: " "%.100s", config, strerror(errno)); - } else { + } else { snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, _PATH_SSH_USER_CONFFILE); (void)read_config_file(buf, host, &options, 1); diff --git a/crypto/dist/ssh/ssh_config.5 b/crypto/dist/ssh/ssh_config.5 index f18bc157247c..49891cbd5ac5 100644 --- a/crypto/dist/ssh/ssh_config.5 +++ b/crypto/dist/ssh/ssh_config.5 @@ -1,4 +1,4 @@ -.\" $NetBSD: ssh_config.5,v 1.1.1.7 2006/09/28 21:15:29 christos Exp $ +.\" $NetBSD: ssh_config.5,v 1.1.1.8 2007/03/10 22:35:54 christos Exp $ .\" -*- nroff -*- .\" .\" Author: Tatu Ylonen @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.97 2006/07/27 08:00:50 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.98 2007/01/10 13:23:22 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os 
@@ -43,10 +43,8 @@ .Nm ssh_config .Nd OpenSSH SSH client configuration files .Sh SYNOPSIS -.Bl -tag -width Ds -compact -.It Pa ~/.ssh/config -.It Pa /etc/ssh/ssh_config -.El +.Nm ~/.ssh/config +.Nm /etc/ssh/ssh_config .Sh DESCRIPTION .Xr ssh 1 obtains configuration data from the following sources in diff --git a/crypto/dist/ssh/sshconnect.c b/crypto/dist/ssh/sshconnect.c index 6d7c493bfa4a..423db3720a4e 100644 --- a/crypto/dist/ssh/sshconnect.c +++ b/crypto/dist/ssh/sshconnect.c @@ -1,5 +1,5 @@ -/* $NetBSD: sshconnect.c,v 1.1.1.21 2006/09/28 21:15:30 christos Exp $ */ -/* $OpenBSD: sshconnect.c,v 1.199 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: sshconnect.c,v 1.1.1.22 2007/03/10 22:35:54 christos Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.200 2006/10/10 10:12:45 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -312,9 +312,11 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, gai_strerror(gaierr)); for (attempt = 0; attempt < connection_attempts; attempt++) { - if (attempt > 0) + if (attempt > 0) { + /* Sleep a moment before retrying. */ + sleep(1); debug("Trying again..."); - + } /* * Loop through addresses for this host, and try each one in * sequence until the connection succeeds. @@ -351,9 +353,6 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, } if (sock != -1) break; /* Successful connection. */ - - /* Sleep a moment before retrying. */ - sleep(1); } freeaddrinfo(aitop); diff --git a/crypto/dist/ssh/sshconnect1.c b/crypto/dist/ssh/sshconnect1.c index 408201c1463b..b6f701058a99 100644 --- a/crypto/dist/ssh/sshconnect1.c +++ b/crypto/dist/ssh/sshconnect1.c 
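Review bot: In the retry branch at the top of the `for (attempt = 0; ...)` loop in ssh_connect, `sleep(1)` runs before `debug("Trying again...")`, so anyone following debug output sees an unexplained one-second pause and only then the message. Putting `debug("Trying again...");` ahead of `sleep(1);` keeps the log in step with what the client is doing. The comment `/* Sleep a moment before retrying. */` should then sit directly above the sleep call. ssh_connect starts and ends outside both sshconnect.c hunks.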
@@ -1,5 +1,5 @@ -/* $NetBSD: sshconnect1.c,v 1.1.1.19 2006/09/28 21:15:31 christos Exp $ */ -/* $OpenBSD: sshconnect1.c,v 1.69 2006/08/03 03:34:42 deraadt Exp $ */ +/* $NetBSD: sshconnect1.c,v 1.1.1.20 2007/03/10 22:35:55 christos Exp $ */ +/* $OpenBSD: sshconnect1.c,v 1.70 2006/11/06 21:25:28 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -561,14 +561,20 @@ ssh_kex(char *host, struct sockaddr *hostaddr) * the first 16 bytes of the session id. */ if ((key = BN_new()) == NULL) - fatal("respond_to_rsa_challenge: BN_new failed"); - BN_set_word(key, 0); + fatal("ssh_kex: BN_new failed"); + if (BN_set_word(key, 0) == 0) + fatal("ssh_kex: BN_set_word failed"); for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) { - BN_lshift(key, key, 8); - if (i < 16) - BN_add_word(key, session_key[i] ^ session_id[i]); - else - BN_add_word(key, session_key[i]); + if (BN_lshift(key, key, 8) == 0) + fatal("ssh_kex: BN_lshift failed"); + if (i < 16) { + if (BN_add_word(key, session_key[i] ^ session_id[i]) + == 0) + fatal("ssh_kex: BN_add_word failed"); + } else { + if (BN_add_word(key, session_key[i]) == 0) + fatal("ssh_kex: BN_add_word failed"); + } } /* diff --git a/crypto/dist/ssh/sshd.c b/crypto/dist/ssh/sshd.c index c8c17f9d750a..7fa3062adadf 100644 --- a/crypto/dist/ssh/sshd.c +++ b/crypto/dist/ssh/sshd.c @@ -1,5 +1,5 @@ -/* $NetBSD: sshd.c,v 1.1.1.24 2006/09/28 21:15:33 christos Exp $ */ -/* $OpenBSD: sshd.c,v 1.347 2006/08/18 09:15:20 markus Exp $ */ +/* $NetBSD: sshd.c,v 1.1.1.25 2007/03/10 22:35:57 christos Exp $ */ +/* $OpenBSD: sshd.c,v 1.349 2007/02/21 11:00:05 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
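Review bot: The two branches inside the `for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++)` loop of ssh_kex duplicate the `BN_add_word` call and its `fatal()` message, differing only in whether `session_id[i]` is XORed in. Computing the byte into a local first, `b = session_key[i];` then `if (i < 16) b ^= session_id[i];`, leaves a single `if (BN_add_word(key, b) == 0) fatal("ssh_kex: BN_add_word failed");`, which is easier to audit. A named constant in place of the bare `16` would tie it to the "first 16 bytes of the session id" mentioned in the comment above. ssh_kex begins and ends outside this hunk.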
@@ -289,6 +289,7 @@ sighup_restart(void) logit("Received SIGHUP; restarting."); close_listen_socks(); close_startup_pipes(); + alarm(0); /* alarm timer persists across exec */ execv(saved_argv[0], saved_argv); logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0], strerror(errno)); @@ -1895,10 +1896,10 @@ do_ssh1_kex(void) * key is in the highest bits. */ if (!rsafail) { - BN_mask_bits(session_key_int, sizeof(session_key) * 8); + (void) BN_mask_bits(session_key_int, sizeof(session_key) * 8); len = BN_num_bytes(session_key_int); if (len < 0 || (u_int)len > sizeof(session_key)) { - error("do_connection: bad session key len from %s: " + error("do_ssh1_kex: bad session key len from %s: " "session_key_int %d > sizeof(session_key) %lu", get_remote_ipaddr(), len, (u_long)sizeof(session_key)); rsafail++; diff --git a/crypto/dist/ssh/sshd_config.5 b/crypto/dist/ssh/sshd_config.5 index 91bf2ad78506..0f64ba22db97 100644 --- a/crypto/dist/ssh/sshd_config.5 +++ b/crypto/dist/ssh/sshd_config.5 @@ -1,4 +1,4 @@ -.\" $NetBSD: sshd_config.5,v 1.1.1.7 2006/09/28 21:15:34 christos Exp $ +.\" $NetBSD: sshd_config.5,v 1.1.1.8 2007/03/10 22:35:57 christos Exp $ .\" -*- nroff -*- .\" .\" Author: Tatu Ylonen @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.70 2006/08/21 08:14:01 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.74 2007/03/01 16:19:33 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -43,9 +43,7 @@ .Nm sshd_config .Nd OpenSSH SSH daemon configuration file .Sh SYNOPSIS -.Bl -tag -width Ds -compact -.It Pa /etc/ssh/sshd_config -.El +.Nm /etc/ssh/sshd_config .Sh DESCRIPTION .Xr sshd 8 reads configuration data from 
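Review bot: The `(void)` cast on `BN_mask_bits(session_key_int, sizeof(session_key) * 8)` in do_ssh1_kex discards the result without saying why, while the rest of this import turns unchecked BN calls into `fatal()`. As far as I know BN_mask_bits reports an error when the number is already shorter than the requested width, which is harmless here because `len` is validated on the following lines. A comment such as `/* fails only when the value is already short enough; len is checked below */` would keep a later reader from converting it into a fatal path on what is presumably peer-supplied data. The error text also says `>` although the branch is taken for `len < 0` as well. do_ssh1_kex starts and ends outside this hunk.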
@@ -515,9 +513,16 @@ Only a subset of keywords may be used on the lines following a keyword. Available keywords are .Cm AllowTcpForwarding , +.Cm Banner , .Cm ForceCommand , .Cm GatewayPorts , +.Cm GSSApiAuthentication , +.Cm KbdInteractiveAuthentication , +.Cm KerberosAuthentication , +.Cm PasswordAuthentication , .Cm PermitOpen , +.Cm RhostsRSAAuthentication , +.Cm RSAAuthentication , .Cm X11DisplayOffset , .Cm X11Forwarding , and diff --git a/crypto/dist/ssh/version.h b/crypto/dist/ssh/version.h index d63215b1bb54..555f531ce1ae 100644 --- a/crypto/dist/ssh/version.h +++ b/crypto/dist/ssh/version.h @@ -1,4 +1,4 @@ -/* $NetBSD: version.h,v 1.1.1.24 2006/09/28 21:15:35 christos Exp $ */ -/* $OpenBSD: version.h,v 1.47 2006/08/30 00:14:37 djm Exp $ */ +/* $NetBSD: version.h,v 1.1.1.25 2007/03/10 22:35:58 christos Exp $ */ +/* $OpenBSD: version.h,v 1.49 2007/03/06 10:13:14 djm Exp $ */ -#define SSH_VERSION "OpenSSH_4.4" +#define SSH_VERSION "OpenSSH_4.6"