from ftp.openbsd.org
parent
785b3e18bf
commit
ddfd2449b0
@ -133,6 +133,7 @@ A client may request the master to close a port forward:
|
|||
|
||||
uint32 MUX_C_CLOSE_FWD
|
||||
uint32 request id
|
||||
uint32 forwarding type
|
||||
string listen host
|
||||
string listen port
|
||||
string connect host
|
||||
|
@ -218,4 +219,4 @@ XXX inject packet (what about replies)
|
|||
XXX server->client error/warning notifications
|
||||
XXX send signals via mux
|
||||
|
||||
$OpenBSD: PROTOCOL.mux,v 1.7 2011/05/08 12:52:01 djm Exp $
|
||||
$OpenBSD: PROTOCOL.mux,v 1.8 2011/09/09 00:44:07 djm Exp $
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: auth-options.c,v 1.54 2010/12/24 21:41:48 djm Exp $ */
|
||||
/* $OpenBSD: auth-options.c,v 1.56 2011/10/18 04:58:26 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -339,7 +339,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
|
|||
goto bad_option;
|
||||
}
|
||||
host = cleanhostname(host);
|
||||
if (p == NULL || (port = a2port(p)) <= 0) {
|
||||
if (p == NULL || (port = permitopen_port(p)) < 0) {
|
||||
debug("%.100s, line %lu: Bad permitopen port "
|
||||
"<%.100s>", file, linenum, p ? p : "");
|
||||
auth_debug_add("%.100s, line %lu: "
|
||||
|
@ -450,10 +450,6 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
|
|||
buffer_append(&data, data_blob, dlen);
|
||||
debug3("found certificate option \"%.100s\" len %u",
|
||||
name, dlen);
|
||||
if (strlen(name) != nlen) {
|
||||
error("Certificate constraint name contains \\0");
|
||||
goto out;
|
||||
}
|
||||
found = 0;
|
||||
if ((which & OPTIONS_EXTENSIONS) != 0) {
|
||||
if (strcmp(name, "permit-X11-forwarding") == 0) {
|
||||
|
@ -483,11 +479,6 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
|
|||
"corrupt", name);
|
||||
goto out;
|
||||
}
|
||||
if (strlen(command) != clen) {
|
||||
error("force-command constraint "
|
||||
"contains \\0");
|
||||
goto out;
|
||||
}
|
||||
if (*cert_forced_command != NULL) {
|
||||
error("Certificate has multiple "
|
||||
"force-command options");
|
||||
|
@ -504,11 +495,6 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
|
|||
"\"%s\" corrupt", name);
|
||||
goto out;
|
||||
}
|
||||
if (strlen(allowed) != clen) {
|
||||
error("source-address constraint "
|
||||
"contains \\0");
|
||||
goto out;
|
||||
}
|
||||
if ((*cert_source_address_done)++) {
|
||||
error("Certificate has multiple "
|
||||
"source-address options");
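Review bot: The removed `strlen(name) != nlen`, `strlen(command) != clen` and `strlen(allowed) != clen` checks in the three parse_option_list hunks (and the matching `kidlen != strlen(key->cert->key_id)` check dropped from cert_parse in key.c further down) were the only visible defence against an embedded NUL in a certificate option string, and nothing in this diff shows where that check now lives. Presumably the string extractor these values come from (the `buffer_get_cstring*` family, outside this diff) now rejects embedded NULs itself; confirm that before merging, because an option name or forced command silently truncated at a NUL would be compared against a shorter string than the one signed into the certificate. A one-line comment at the top of parse_option_list, e.g. `/* embedded NULs in option strings are rejected by the buffer_get_cstring* extractors */`, would record the dependency. parse_option_list and cert_parse both begin and end outside their hunks.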
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: auth2-pubkey.c,v 1.29 2011/05/23 03:30:07 djm Exp $ */
|
||||
/* $OpenBSD: auth2-pubkey.c,v 1.30 2011/09/25 05:44:47 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
@ -237,8 +237,9 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
|
|||
}
|
||||
for (i = 0; i < cert->nprincipals; i++) {
|
||||
if (strcmp(cp, cert->principals[i]) == 0) {
|
||||
debug3("matched principal from file \"%.100s\"",
|
||||
cert->principals[i]);
|
||||
debug3("matched principal \"%.100s\" "
|
||||
"from file \"%s\" on line %lu",
|
||||
cert->principals[i], file, linenum);
|
||||
if (auth_parse_options(pw, line_opts,
|
||||
file, linenum) != 1)
|
||||
continue;
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: auth2.c,v 1.123 2011/03/10 02:52:57 djm Exp $ */
|
||||
/* $OpenBSD: auth2.c,v 1.124 2011/12/07 05:44:38 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
@ -109,7 +109,7 @@ auth2_read_banner(void)
|
|||
close(fd);
|
||||
return (NULL);
|
||||
}
|
||||
if (st.st_size > 1*1024*1024) {
|
||||
if (st.st_size <= 0 || st.st_size > 1*1024*1024) {
|
||||
close(fd);
|
||||
return (NULL);
|
||||
}
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: authfile.c,v 1.92 2011/06/14 22:49:18 markus Exp $ */
|
||||
/* $OpenBSD: authfile.c,v 1.93 2012/01/25 19:36:31 markus Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -329,7 +329,7 @@ key_load_file(int fd, const char *filename, Buffer *blob)
|
|||
filename == NULL ? "" : " ");
|
||||
return 0;
|
||||
}
|
||||
buffer_init(blob);
|
||||
buffer_clear(blob);
|
||||
for (;;) {
|
||||
if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
|
||||
if (errno == EPIPE)
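Review bot: key_load_file now calls `buffer_clear(blob)` where it previously called `buffer_init(blob)`, so every caller must now pass an already-initialised Buffer or the clear operates on garbage; the callers are outside this diff, so each one needs checking. Worth recording the new precondition above the function: `/* blob must already be initialised by the caller; it is cleared, not initialised, here */`. key_load_file begins outside the hunk.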
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: channels.c,v 1.311 2011/06/22 22:08:42 djm Exp $ */
|
||||
/* $OpenBSD: channels.c,v 1.315 2011/09/23 07:45:05 markus Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -121,6 +121,9 @@ static int num_permitted_opens = 0;
|
|||
/* Number of permitted host/port pair in the array permitted by the admin. */
|
||||
static int num_adm_permitted_opens = 0;
|
||||
|
||||
/* special-case port number meaning allow any port */
|
||||
#define FWD_PERMIT_ANY_PORT 0
|
||||
|
||||
/*
|
||||
* If this is true, all opens are permitted. This is the case on the server
|
||||
* on which we have to trust the client anyway, and the user could do
|
||||
|
@ -297,6 +300,8 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
|
|||
buffer_init(&c->output);
|
||||
buffer_init(&c->extended);
|
||||
c->path = NULL;
|
||||
c->listening_addr = NULL;
|
||||
c->listening_port = 0;
|
||||
c->ostate = CHAN_OUTPUT_OPEN;
|
||||
c->istate = CHAN_INPUT_OPEN;
|
||||
c->flags = 0;
|
||||
|
@ -406,6 +411,10 @@ channel_free(Channel *c)
|
|||
xfree(c->path);
|
||||
c->path = NULL;
|
||||
}
|
||||
if (c->listening_addr) {
|
||||
xfree(c->listening_addr);
|
||||
c->listening_addr = NULL;
|
||||
}
|
||||
while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) {
|
||||
if (cc->abandon_cb != NULL)
|
||||
cc->abandon_cb(c, cc->ctx);
|
||||
|
@ -2612,6 +2621,46 @@ channel_set_af(int af)
|
|||
IPv4or6 = af;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Determine whether or not a port forward listens to loopback, the
|
||||
* specified address or wildcard. On the client, a specified bind
|
||||
* address will always override gateway_ports. On the server, a
|
||||
* gateway_ports of 1 (``yes'') will override the client's specification
|
||||
* and force a wildcard bind, whereas a value of 2 (``clientspecified'')
|
||||
* will bind to whatever address the client asked for.
|
||||
*
|
||||
* Special-case listen_addrs are:
|
||||
*
|
||||
* "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
|
||||
* "" (empty string), "*" -> wildcard v4/v6
|
||||
* "localhost" -> loopback v4/v6
|
||||
*/
|
||||
static const char *
|
||||
channel_fwd_bind_addr(const char *listen_addr, int *wildcardp,
|
||||
int is_client, int gateway_ports)
|
||||
{
|
||||
const char *addr = NULL;
|
||||
int wildcard = 0;
|
||||
|
||||
if (listen_addr == NULL) {
|
||||
/* No address specified: default to gateway_ports setting */
|
||||
if (gateway_ports)
|
||||
wildcard = 1;
|
||||
} else if (gateway_ports || is_client) {
|
||||
if (((datafellows & SSH_OLD_FORWARD_ADDR) &&
|
||||
strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) ||
|
||||
*listen_addr == '\0' || strcmp(listen_addr, "*") == 0 ||
|
||||
(!is_client && gateway_ports == 1))
|
||||
wildcard = 1;
|
||||
else if (strcmp(listen_addr, "localhost") != 0)
|
||||
addr = listen_addr;
|
||||
}
|
||||
if (wildcardp != NULL)
|
||||
*wildcardp = wildcard;
|
||||
return addr;
|
||||
}
|
||||
|
||||
static int
|
||||
channel_setup_fwd_listener(int type, const char *listen_addr,
|
||||
u_short listen_port, int *allocated_listen_port,
|
||||
|
@ -2637,36 +2686,9 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
|
|||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Determine whether or not a port forward listens to loopback,
|
||||
* specified address or wildcard. On the client, a specified bind
|
||||
* address will always override gateway_ports. On the server, a
|
||||
* gateway_ports of 1 (``yes'') will override the client's
|
||||
* specification and force a wildcard bind, whereas a value of 2
|
||||
* (``clientspecified'') will bind to whatever address the client
|
||||
* asked for.
|
||||
*
|
||||
* Special-case listen_addrs are:
|
||||
*
|
||||
* "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
|
||||
* "" (empty string), "*" -> wildcard v4/v6
|
||||
* "localhost" -> loopback v4/v6
|
||||
*/
|
||||
addr = NULL;
|
||||
if (listen_addr == NULL) {
|
||||
/* No address specified: default to gateway_ports setting */
|
||||
if (gateway_ports)
|
||||
wildcard = 1;
|
||||
} else if (gateway_ports || is_client) {
|
||||
if (((datafellows & SSH_OLD_FORWARD_ADDR) &&
|
||||
strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) ||
|
||||
*listen_addr == '\0' || strcmp(listen_addr, "*") == 0 ||
|
||||
(!is_client && gateway_ports == 1))
|
||||
wildcard = 1;
|
||||
else if (strcmp(listen_addr, "localhost") != 0)
|
||||
addr = listen_addr;
|
||||
}
|
||||
|
||||
/* Determine the bind address, cf. channel_fwd_bind_addr() comment */
|
||||
addr = channel_fwd_bind_addr(listen_addr, &wildcard,
|
||||
is_client, gateway_ports);
|
||||
debug3("channel_setup_fwd_listener: type %d wildcard %d addr %s",
|
||||
type, wildcard, (addr == NULL) ? "NULL" : addr);
|
||||
|
||||
|
@ -2764,7 +2786,12 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
|
|||
0, "port listener", 1);
|
||||
c->path = xstrdup(host);
|
||||
c->host_port = port_to_connect;
|
||||
c->listening_port = listen_port;
|
||||
c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
|
||||
if (listen_port == 0 && allocated_listen_port != NULL &&
|
||||
!(datafellows & SSH_BUG_DYNAMIC_RPORT))
|
||||
c->listening_port = *allocated_listen_port;
|
||||
else
|
||||
c->listening_port = listen_port;
|
||||
success = 1;
|
||||
}
|
||||
if (success == 0)
|
||||
|
@ -2782,9 +2809,44 @@ channel_cancel_rport_listener(const char *host, u_short port)
|
|||
|
||||
for (i = 0; i < channels_alloc; i++) {
|
||||
Channel *c = channels[i];
|
||||
if (c == NULL || c->type != SSH_CHANNEL_RPORT_LISTENER)
|
||||
continue;
|
||||
if (strcmp(c->path, host) == 0 && c->listening_port == port) {
|
||||
debug2("%s: close channel %d", __func__, i);
|
||||
channel_free(c);
|
||||
found = 1;
|
||||
}
|
||||
}
|
||||
|
||||
if (c != NULL && c->type == SSH_CHANNEL_RPORT_LISTENER &&
|
||||
strcmp(c->path, host) == 0 && c->listening_port == port) {
|
||||
return (found);
|
||||
}
|
||||
|
||||
int
|
||||
channel_cancel_lport_listener(const char *lhost, u_short lport,
|
||||
int cport, int gateway_ports)
|
||||
{
|
||||
u_int i;
|
||||
int found = 0;
|
||||
const char *addr = channel_fwd_bind_addr(lhost, NULL, 1, gateway_ports);
|
||||
|
||||
for (i = 0; i < channels_alloc; i++) {
|
||||
Channel *c = channels[i];
|
||||
if (c == NULL || c->type != SSH_CHANNEL_PORT_LISTENER)
|
||||
continue;
|
||||
if (c->listening_port != lport)
|
||||
continue;
|
||||
if (cport == CHANNEL_CANCEL_PORT_STATIC) {
|
||||
/* skip dynamic forwardings */
|
||||
if (c->host_port == 0)
|
||||
continue;
|
||||
} else {
|
||||
if (c->host_port != cport)
|
||||
continue;
|
||||
}
|
||||
if ((c->listening_addr == NULL && addr != NULL) ||
|
||||
(c->listening_addr != NULL && addr == NULL))
|
||||
continue;
|
||||
if (addr == NULL || strcmp(c->listening_addr, addr) == 0) {
|
||||
debug2("%s: close channel %d", __func__, i);
|
||||
channel_free(c);
|
||||
found = 1;
|
||||
|
@ -2814,38 +2876,45 @@ channel_setup_remote_fwd_listener(const char *listen_address,
|
|||
NULL, 0, gateway_ports);
|
||||
}
|
||||
|
||||
/*
|
||||
* Translate the requested rfwd listen host to something usable for
|
||||
* this server.
|
||||
*/
|
||||
static const char *
|
||||
channel_rfwd_bind_host(const char *listen_host)
|
||||
{
|
||||
if (listen_host == NULL) {
|
||||
if (datafellows & SSH_BUG_RFWD_ADDR)
|
||||
return "127.0.0.1";
|
||||
else
|
||||
return "localhost";
|
||||
} else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) {
|
||||
if (datafellows & SSH_BUG_RFWD_ADDR)
|
||||
return "0.0.0.0";
|
||||
else
|
||||
return "";
|
||||
} else
|
||||
return listen_host;
|
||||
}
|
||||
|
||||
/*
|
||||
* Initiate forwarding of connections to port "port" on remote host through
|
||||
* the secure channel to host:port from local side.
|
||||
* Returns handle (index) for updating the dynamic listen port with
|
||||
* channel_update_permitted_opens().
|
||||
*/
|
||||
|
||||
int
|
||||
channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
|
||||
const char *host_to_connect, u_short port_to_connect)
|
||||
{
|
||||
int type, success = 0;
|
||||
int type, success = 0, idx = -1;
|
||||
|
||||
/* Send the forward request to the remote side. */
|
||||
if (compat20) {
|
||||
const char *address_to_bind;
|
||||
if (listen_host == NULL) {
|
||||
if (datafellows & SSH_BUG_RFWD_ADDR)
|
||||
address_to_bind = "127.0.0.1";
|
||||
else
|
||||
address_to_bind = "localhost";
|
||||
} else if (*listen_host == '\0' ||
|
||||
strcmp(listen_host, "*") == 0) {
|
||||
if (datafellows & SSH_BUG_RFWD_ADDR)
|
||||
address_to_bind = "0.0.0.0";
|
||||
else
|
||||
address_to_bind = "";
|
||||
} else
|
||||
address_to_bind = listen_host;
|
||||
|
||||
packet_start(SSH2_MSG_GLOBAL_REQUEST);
|
||||
packet_put_cstring("tcpip-forward");
|
||||
packet_put_char(1); /* boolean: want reply */
|
||||
packet_put_cstring(address_to_bind);
|
||||
packet_put_char(1); /* boolean: want reply */
|
||||
packet_put_cstring(channel_rfwd_bind_host(listen_host));
|
||||
packet_put_int(listen_port);
|
||||
packet_send();
|
||||
packet_write_wait();
|
||||
|
@ -2877,25 +2946,25 @@ channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
|
|||
/* Record that connection to this host/port is permitted. */
|
||||
permitted_opens = xrealloc(permitted_opens,
|
||||
num_permitted_opens + 1, sizeof(*permitted_opens));
|
||||
permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect);
|
||||
permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
|
||||
permitted_opens[num_permitted_opens].listen_port = listen_port;
|
||||
num_permitted_opens++;
|
||||
idx = num_permitted_opens++;
|
||||
permitted_opens[idx].host_to_connect = xstrdup(host_to_connect);
|
||||
permitted_opens[idx].port_to_connect = port_to_connect;
|
||||
permitted_opens[idx].listen_port = listen_port;
|
||||
}
|
||||
return (success ? 0 : -1);
|
||||
return (idx);
|
||||
}
|
||||
|
||||
/*
|
||||
* Request cancellation of remote forwarding of connection host:port from
|
||||
* local side.
|
||||
*/
|
||||
void
|
||||
int
|
||||
channel_request_rforward_cancel(const char *host, u_short port)
|
||||
{
|
||||
int i;
|
||||
|
||||
if (!compat20)
|
||||
return;
|
||||
return -1;
|
||||
|
||||
for (i = 0; i < num_permitted_opens; i++) {
|
||||
if (permitted_opens[i].host_to_connect != NULL &&
|
||||
|
@ -2904,12 +2973,12 @@ channel_request_rforward_cancel(const char *host, u_short port)
|
|||
}
|
||||
if (i >= num_permitted_opens) {
|
||||
debug("%s: requested forward not found", __func__);
|
||||
return;
|
||||
return -1;
|
||||
}
|
||||
packet_start(SSH2_MSG_GLOBAL_REQUEST);
|
||||
packet_put_cstring("cancel-tcpip-forward");
|
||||
packet_put_char(0);
|
||||
packet_put_cstring(host == NULL ? "" : host);
|
||||
packet_put_cstring(channel_rfwd_bind_host(host));
|
||||
packet_put_int(port);
|
||||
packet_send();
|
||||
|
||||
|
@ -2917,6 +2986,8 @@ channel_request_rforward_cancel(const char *host, u_short port)
|
|||
permitted_opens[i].port_to_connect = 0;
|
||||
xfree(permitted_opens[i].host_to_connect);
|
||||
permitted_opens[i].host_to_connect = NULL;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -2983,6 +3054,35 @@ channel_add_permitted_opens(char *host, int port)
|
|||
all_opens_permitted = 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Update the listen port for a dynamic remote forward, after
|
||||
* the actual 'newport' has been allocated. If 'newport' < 0 is
|
||||
* passed then they entry will be invalidated.
|
||||
*/
|
||||
void
|
||||
channel_update_permitted_opens(int idx, int newport)
|
||||
{
|
||||
if (idx < 0 || idx >= num_permitted_opens) {
|
||||
debug("channel_update_permitted_opens: index out of range:"
|
||||
" %d num_permitted_opens %d", idx, num_permitted_opens);
|
||||
return;
|
||||
}
|
||||
debug("%s allowed port %d for forwarding to host %s port %d",
|
||||
newport > 0 ? "Updating" : "Removing",
|
||||
newport,
|
||||
permitted_opens[idx].host_to_connect,
|
||||
permitted_opens[idx].port_to_connect);
|
||||
if (newport >= 0) {
|
||||
permitted_opens[idx].listen_port =
|
||||
(datafellows & SSH_BUG_DYNAMIC_RPORT) ? 0 : newport;
|
||||
} else {
|
||||
permitted_opens[idx].listen_port = 0;
|
||||
permitted_opens[idx].port_to_connect = 0;
|
||||
xfree(permitted_opens[idx].host_to_connect);
|
||||
permitted_opens[idx].host_to_connect = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
int
|
||||
channel_add_adm_permitted_opens(char *host, int port)
|
||||
{
|
||||
|
@ -3043,6 +3143,28 @@ channel_print_adm_permitted_opens(void)
|
|||
printf("\n");
|
||||
}
|
||||
|
||||
/* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */
|
||||
int
|
||||
permitopen_port(const char *p)
|
||||
{
|
||||
int port;
|
||||
|
||||
if (strcmp(p, "*") == 0)
|
||||
return FWD_PERMIT_ANY_PORT;
|
||||
if ((port = a2port(p)) > 0)
|
||||
return port;
|
||||
return -1;
|
||||
}
|
||||
|
||||
static int
|
||||
port_match(u_short allowedport, u_short requestedport)
|
||||
{
|
||||
if (allowedport == FWD_PERMIT_ANY_PORT ||
|
||||
allowedport == requestedport)
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Try to start non-blocking connect to next host in cctx list */
|
||||
static int
|
||||
connect_next(struct channel_connect *cctx)
|
||||
|
@ -3145,7 +3267,7 @@ channel_connect_by_listen_address(u_short listen_port, char *ctype, char *rname)
|
|||
|
||||
for (i = 0; i < num_permitted_opens; i++) {
|
||||
if (permitted_opens[i].host_to_connect != NULL &&
|
||||
permitted_opens[i].listen_port == listen_port) {
|
||||
port_match(permitted_opens[i].listen_port, listen_port)) {
|
||||
return connect_to(
|
||||
permitted_opens[i].host_to_connect,
|
||||
permitted_opens[i].port_to_connect, ctype, rname);
|
||||
|
@ -3166,7 +3288,7 @@ channel_connect_to(const char *host, u_short port, char *ctype, char *rname)
|
|||
if (!permit) {
|
||||
for (i = 0; i < num_permitted_opens; i++)
|
||||
if (permitted_opens[i].host_to_connect != NULL &&
|
||||
permitted_opens[i].port_to_connect == port &&
|
||||
port_match(permitted_opens[i].port_to_connect, port) &&
|
||||
strcmp(permitted_opens[i].host_to_connect, host) == 0)
|
||||
permit = 1;
|
||||
}
|
||||
|
@ -3175,7 +3297,7 @@ channel_connect_to(const char *host, u_short port, char *ctype, char *rname)
|
|||
permit_adm = 0;
|
||||
for (i = 0; i < num_adm_permitted_opens; i++)
|
||||
if (permitted_adm_opens[i].host_to_connect != NULL &&
|
||||
permitted_adm_opens[i].port_to_connect == port &&
|
||||
port_match(permitted_adm_opens[i].port_to_connect, port) &&
|
||||
strcmp(permitted_adm_opens[i].host_to_connect, host)
|
||||
== 0)
|
||||
permit_adm = 1;
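Review bot: In channel_update_permitted_opens the log message and the branch disagree for `newport == 0`: the message chooses `newport > 0 ? "Updating" : "Removing"` while the code takes the update branch for `newport >= 0`, so a zero port is logged as "Removing" but is actually stored; use `newport >= 0 ? "Updating" : "Removing"` so the two agree. Separately, channel_request_remote_forwarding now returns the permitted_opens index instead of `success ? 0 : -1`, so any caller that tested the result with `== 0` for success (none are visible here) would now treat every index above zero as a failure; presumably ssh.c/mux.c callers are updated elsewhere in this sync, but that is worth confirming. Finally, `port_match()` treats a stored port of `FWD_PERMIT_ANY_PORT` (0) as a wildcard, and channel_update_permitted_opens deliberately stores `listen_port` as 0 for `SSH_BUG_DYNAMIC_RPORT` peers, which means any forwarded-tcpip open from such a peer matches that entry's host in channel_connect_by_listen_address; a comment on that assignment, e.g. `/* 0 == FWD_PERMIT_ANY_PORT: buggy peers do not report the allocated port */`, would make the widening explicit.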
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: channels.h,v 1.105 2011/06/22 22:08:42 djm Exp $ */
|
||||
/* $OpenBSD: channels.h,v 1.109 2011/09/23 07:45:05 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -57,6 +57,8 @@
|
|||
#define SSH_CHANNEL_MUX_CLIENT 16 /* Conn. to mux slave */
|
||||
#define SSH_CHANNEL_MAX_TYPE 17
|
||||
|
||||
#define CHANNEL_CANCEL_PORT_STATIC -1
|
||||
|
||||
struct Channel;
|
||||
typedef struct Channel Channel;
|
||||
|
||||
|
@ -115,6 +117,7 @@ struct Channel {
|
|||
char *path;
|
||||
/* path for unix domain sockets, or host name for forwards */
|
||||
int listening_port; /* port being listened for forwards */
|
||||
char *listening_addr; /* addr being listened for forwards */
|
||||
int host_port; /* remote port to connect for forwards */
|
||||
char *remote_name; /* remote hostname */
|
||||
|
||||
|
@ -249,6 +252,7 @@ void channel_set_af(int af);
|
|||
void channel_permit_all_opens(void);
|
||||
void channel_add_permitted_opens(char *, int);
|
||||
int channel_add_adm_permitted_opens(char *, int);
|
||||
void channel_update_permitted_opens(int, int);
|
||||
void channel_clear_permitted_opens(void);
|
||||
void channel_clear_adm_permitted_opens(void);
|
||||
void channel_print_adm_permitted_opens(void);
|
||||
|
@ -260,9 +264,11 @@ int channel_request_remote_forwarding(const char *, u_short,
|
|||
const char *, u_short);
|
||||
int channel_setup_local_fwd_listener(const char *, u_short,
|
||||
const char *, u_short, int);
|
||||
void channel_request_rforward_cancel(const char *host, u_short port);
|
||||
int channel_request_rforward_cancel(const char *host, u_short port);
|
||||
int channel_setup_remote_fwd_listener(const char *, u_short, int *, int);
|
||||
int channel_cancel_rport_listener(const char *, u_short);
|
||||
int channel_cancel_lport_listener(const char *, u_short, int, int);
|
||||
int permitopen_port(const char *);
|
||||
|
||||
/* x11 forwarding */
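Review bot: `#define CHANNEL_CANCEL_PORT_STATIC -1` is an unparenthesised negative constant; write it as `#define CHANNEL_CANCEL_PORT_STATIC (-1)` so it behaves inside larger expressions. The new `listening_addr` member could also state its ownership, since channel_free in this diff frees it: `char *listening_addr; /* addr being listened for forwards; xstrdup'd, freed in channel_free */`.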
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: clientloop.c,v 1.236 2011/06/22 22:08:42 djm Exp $ */
|
||||
/* $OpenBSD: clientloop.c,v 1.238 2012/01/18 21:46:43 dtucker Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -273,6 +273,23 @@ set_control_persist_exit_time(void)
|
|||
/* else we are already counting down to the timeout */
|
||||
}
|
||||
|
||||
#define SSH_X11_VALID_DISPLAY_CHARS ":/.-_"
|
||||
static int
|
||||
client_x11_display_valid(const char *display)
|
||||
{
|
||||
size_t i, dlen;
|
||||
|
||||
dlen = strlen(display);
|
||||
for (i = 0; i < dlen; i++) {
|
||||
if (!isalnum(display[i]) &&
|
||||
strchr(SSH_X11_VALID_DISPLAY_CHARS, display[i]) == NULL) {
|
||||
debug("Invalid character '%c' in DISPLAY", display[i]);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
|
||||
void
|
||||
client_x11_get_proto(const char *display, const char *xauth_path,
|
||||
|
@ -295,6 +312,9 @@ client_x11_get_proto(const char *display, const char *xauth_path,
|
|||
|
||||
if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) {
|
||||
debug("No xauth program.");
|
||||
} else if (!client_x11_display_valid(display)) {
|
||||
logit("DISPLAY '%s' invalid, falling back to fake xauth data",
|
||||
display);
|
||||
} else {
|
||||
if (display == NULL) {
|
||||
debug("x11_get_proto: DISPLAY not set");
|
||||
|
@ -830,9 +850,8 @@ process_cmdline(void)
|
|||
{
|
||||
void (*handler)(int);
|
||||
char *s, *cmd, *cancel_host;
|
||||
int delete = 0;
|
||||
int local = 0, remote = 0, dynamic = 0;
|
||||
int cancel_port;
|
||||
int delete = 0, local = 0, remote = 0, dynamic = 0;
|
||||
int cancel_port, ok;
|
||||
Forward fwd;
|
||||
|
||||
bzero(&fwd, sizeof(fwd));
|
||||
|
@ -858,8 +877,12 @@ process_cmdline(void)
|
|||
"Request remote forward");
|
||||
logit(" -D[bind_address:]port "
|
||||
"Request dynamic forward");
|
||||
logit(" -KL[bind_address:]port "
|
||||
"Cancel local forward");
|
||||
logit(" -KR[bind_address:]port "
|
||||
"Cancel remote forward");
|
||||
logit(" -KD[bind_address:]port "
|
||||
"Cancel dynamic forward");
|
||||
if (!options.permit_local_command)
|
||||
goto out;
|
||||
logit(" !args "
|
||||
|
@ -888,11 +911,7 @@ process_cmdline(void)
|
|||
goto out;
|
||||
}
|
||||
|
||||
if ((local || dynamic) && delete) {
|
||||
logit("Not supported.");
|
||||
goto out;
|
||||
}
|
||||
if (remote && delete && !compat20) {
|
||||
if (delete && !compat20) {
|
||||
logit("Not supported for SSH protocol version 1.");
|
||||
goto out;
|
||||
}
|
||||
|
@ -915,7 +934,21 @@ process_cmdline(void)
|
|||
logit("Bad forwarding close port");
|
||||
goto out;
|
||||
}
|
||||
channel_request_rforward_cancel(cancel_host, cancel_port);
|
||||
if (remote)
|
||||
ok = channel_request_rforward_cancel(cancel_host,
|
||||
cancel_port) == 0;
|
||||
else if (dynamic)
|
||||
ok = channel_cancel_lport_listener(cancel_host,
|
||||
cancel_port, 0, options.gateway_ports) > 0;
|
||||
else
|
||||
ok = channel_cancel_lport_listener(cancel_host,
|
||||
cancel_port, CHANNEL_CANCEL_PORT_STATIC,
|
||||
options.gateway_ports) > 0;
|
||||
if (!ok) {
|
||||
logit("Unkown port forwarding.");
|
||||
goto out;
|
||||
}
|
||||
logit("Canceled forwarding.");
|
||||
} else {
|
||||
if (!parse_forward(&fwd, s, dynamic, remote)) {
|
||||
logit("Bad forwarding specification.");
|
||||
|
@ -936,7 +969,6 @@ process_cmdline(void)
|
|||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
logit("Forwarding port.");
|
||||
}
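Review bot: In client_x11_get_proto the new `else if (!client_x11_display_valid(display))` test runs before the existing `display == NULL` check in the following else branch, and client_x11_display_valid calls `strlen(display)` unconditionally, so an unset DISPLAY with a usable xauth now passes NULL to strlen; guard the call with `} else if (display != NULL && !client_x11_display_valid(display)) {` so a NULL display still reaches the existing check. In client_x11_display_valid, `isalnum(display[i])` passes a plain `char`, which is undefined for negative values where char is signed; use `isalnum((unsigned char)display[i])`. In process_cmdline the new message `"Unkown port forwarding."` is misspelled and should read `"Unknown port forwarding."`. client_x11_get_proto and process_cmdline both continue outside their hunks.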
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: clientloop.h,v 1.28 2011/06/22 22:08:42 djm Exp $ */
|
||||
/* $OpenBSD: clientloop.h,v 1.29 2011/09/09 22:46:44 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -70,6 +70,7 @@ void client_expect_confirm(int, const char *, enum confirm_action);
|
|||
#define SSHMUX_COMMAND_STDIO_FWD 4 /* Open stdio fwd (ssh -W) */
|
||||
#define SSHMUX_COMMAND_FORWARD 5 /* Forward only, no command */
|
||||
#define SSHMUX_COMMAND_STOP 6 /* Disable mux but not conn */
|
||||
#define SSHMUX_COMMAND_CANCEL_FWD 7 /* Cancel forwarding(s) */
|
||||
|
||||
void muxserver_listen(void);
|
||||
void muxclient(const char *);
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: compat.c,v 1.78 2008/09/11 14:22:37 markus Exp $ */
|
||||
/* $OpenBSD: compat.c,v 1.79 2011/09/23 07:45:05 markus Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
@ -90,6 +90,7 @@ compat_datafellows(const char *version)
|
|||
{ "OpenSSH_3.*", SSH_OLD_FORWARD_ADDR },
|
||||
{ "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
|
||||
{ "OpenSSH_4*", 0 },
|
||||
{ "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
|
||||
{ "OpenSSH*", SSH_NEW_OPENSSH },
|
||||
{ "*MindTerm*", 0 },
|
||||
{ "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: compat.h,v 1.42 2008/09/11 14:22:37 markus Exp $ */
|
||||
/* $OpenBSD: compat.h,v 1.43 2011/09/23 07:45:05 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved.
|
||||
|
@ -58,6 +58,7 @@
|
|||
#define SSH_OLD_FORWARD_ADDR 0x01000000
|
||||
#define SSH_BUG_RFWD_ADDR 0x02000000
|
||||
#define SSH_NEW_OPENSSH 0x04000000
|
||||
#define SSH_BUG_DYNAMIC_RPORT 0x08000000
|
||||
|
||||
void enable_compat13(void);
|
||||
void enable_compat20(void);
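Review bot: The new `SSH_BUG_DYNAMIC_RPORT` flag is the only entry in this block whose meaning is not stated anywhere in the diff; from its use in channels.c (listen_port stored as 0 for such peers) it presumably marks peers that identify a dynamically allocated remote-forward listener as port 0 rather than the real port, but that is an inference and should be confirmed. Add a trailing comment once confirmed, e.g. `#define SSH_BUG_DYNAMIC_RPORT 0x08000000 /* peer reports dynamic rfwd port as 0 */`.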
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: dh.c,v 1.48 2009/10/01 11:37:33 grunk Exp $ */
|
||||
/* $OpenBSD: dh.c,v 1.49 2011/12/07 05:44:38 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
||||
*
|
||||
|
@ -233,6 +233,8 @@ dh_gen_key(DH *dh, int need)
|
|||
{
|
||||
int i, bits_set, tries = 0;
|
||||
|
||||
if (need < 0)
|
||||
fatal("dh_gen_key: need < 0");
|
||||
if (dh->p == NULL)
|
||||
fatal("dh_gen_key: dh->p == NULL");
|
||||
if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p))
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: key.c,v 1.97 2011/05/17 07:13:31 djm Exp $ */
|
||||
/* $OpenBSD: key.c,v 1.98 2011/10/18 04:58:26 djm Exp $ */
|
||||
/*
|
||||
* read_bignum():
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -1310,11 +1310,6 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen)
|
|||
goto out;
|
||||
}
|
||||
|
||||
if (kidlen != strlen(key->cert->key_id)) {
|
||||
error("%s: key ID contains \\0 character", __func__);
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* Signature is left in the buffer so we can calculate this length */
|
||||
signed_len = buffer_len(&key->cert->certblob) - buffer_len(b);
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: mac.c,v 1.16 2011/08/02 01:22:11 djm Exp $ */
|
||||
/* $OpenBSD: mac.c,v 1.17 2011/12/02 00:43:57 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
@ -111,6 +111,7 @@ mac_init(Mac *mac)
|
|||
case SSH_EVP:
|
||||
if (mac->evp_md == NULL)
|
||||
return -1;
|
||||
HMAC_CTX_init(&mac->evp_ctx);
|
||||
HMAC_Init(&mac->evp_ctx, mac->key, mac->key_len, mac->evp_md);
|
||||
return 0;
|
||||
case SSH_UMAC:
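Review bot: `HMAC_CTX_init(&mac->evp_ctx)` now runs on every mac_init, and the state that HMAC_Init then populates needs a matching `HMAC_CTX_cleanup` when the Mac is torn down (presumably in mac_clear, which is outside this diff), or each rekey leaks the context's internal digest state. If that cleanup already exists, a comment here such as `/* paired with HMAC_CTX_cleanup() in mac_clear() */` would make the pairing visible to the next reader. mac_init continues outside the hunk.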
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: misc.c,v 1.85 2011/03/29 18:54:17 stevesk Exp $ */
|
||||
/* $OpenBSD: misc.c,v 1.86 2011/09/05 05:59:08 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2005,2006 Damien Miller. All rights reserved.
|
||||
|
@ -920,7 +920,7 @@ static const struct {
|
|||
{ "af11", IPTOS_DSCP_AF11 },
|
||||
{ "af12", IPTOS_DSCP_AF12 },
|
||||
{ "af13", IPTOS_DSCP_AF13 },
|
||||
{ "af14", IPTOS_DSCP_AF21 },
|
||||
{ "af21", IPTOS_DSCP_AF21 },
|
||||
{ "af22", IPTOS_DSCP_AF22 },
|
||||
{ "af23", IPTOS_DSCP_AF23 },
|
||||
{ "af31", IPTOS_DSCP_AF31 },
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: moduli.c,v 1.22 2010/11/10 01:33:07 djm Exp $ */
|
||||
/* $OpenBSD: moduli.c,v 1.25 2011/10/19 00:06:10 djm Exp $ */
|
||||
/*
|
||||
* Copyright 1994 Phil Karn <karn@qualcomm.com>
|
||||
* Copyright 1996-1998, 2003 William Allen Simpson <wsimpson@greendragon.com>
|
||||
|
@ -37,16 +37,19 @@
|
|||
* Second step: test primes' safety (processor intensive)
|
||||
*/
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/dh.h>
|
||||
|
||||
#include <errno.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
#include <time.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "dh.h"
|
||||
|
@ -133,7 +136,7 @@ static u_int32_t largebits, largememory; /* megabytes */
|
|||
static BIGNUM *largebase;
|
||||
|
||||
int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
|
||||
int prime_test(FILE *, FILE *, u_int32_t, u_int32_t);
|
||||
int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *);
|
||||
|
||||
/*
|
||||
* print moduli out in consistent form,
|
||||
|
@ -434,6 +437,52 @@ gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start)
|
|||
return (ret);
|
||||
}
|
||||
|
||||
static void
|
||||
write_checkpoint(char *cpfile, u_int32_t lineno)
|
||||
{
|
||||
FILE *fp;
|
||||
char tmp[MAXPATHLEN];
|
||||
int r;
|
||||
|
||||
r = snprintf(tmp, sizeof(tmp), "%s.XXXXXXXXXX", cpfile);
|
||||
if (r == -1 || r >= MAXPATHLEN) {
|
||||
logit("write_checkpoint: temp pathname too long");
|
||||
return;
|
||||
}
|
||||
if ((r = mkstemp(tmp)) == -1) {
|
||||
logit("mkstemp(%s): %s", tmp, strerror(errno));
|
||||
return;
|
||||
}
|
||||
if ((fp = fdopen(r, "w")) == NULL) {
|
||||
logit("write_checkpoint: fdopen: %s", strerror(errno));
|
||||
close(r);
|
||||
return;
|
||||
}
|
||||
if (fprintf(fp, "%lu\n", (unsigned long)lineno) > 0 && fclose(fp) == 0
|
||||
&& rename(tmp, cpfile) == 0)
|
||||
debug3("wrote checkpoint line %lu to '%s'",
|
||||
(unsigned long)lineno, cpfile);
|
||||
else
|
||||
logit("failed to write to checkpoint file '%s': %s", cpfile,
|
||||
strerror(errno));
|
||||
}
|
||||
|
||||
static unsigned long
|
||||
read_checkpoint(char *cpfile)
|
||||
{
|
||||
FILE *fp;
|
||||
unsigned long lineno = 0;
|
||||
|
||||
if ((fp = fopen(cpfile, "r")) == NULL)
|
||||
return 0;
|
||||
if (fscanf(fp, "%lu\n", &lineno) < 1)
|
||||
logit("Failed to load checkpoint from '%s'", cpfile);
|
||||
else
|
||||
logit("Loaded checkpoint from '%s' line %lu", cpfile, lineno);
|
||||
fclose(fp);
|
||||
return lineno;
|
||||
}
|
||||
|
||||
/*
|
||||
* perform a Miller-Rabin primality test
|
||||
* on the list of candidates
|
||||
|
@ -441,13 +490,15 @@ gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start)
|
|||
* The result is a list of so-call "safe" primes
|
||||
*/
|
||||
int
|
||||
prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted)
|
||||
prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted,
|
||||
char *checkpoint_file)
|
||||
{
|
||||
BIGNUM *q, *p, *a;
|
||||
BN_CTX *ctx;
|
||||
char *cp, *lp;
|
||||
u_int32_t count_in = 0, count_out = 0, count_possible = 0;
|
||||
u_int32_t generator_known, in_tests, in_tries, in_type, in_size;
|
||||
unsigned long last_processed = 0;
|
||||
time_t time_start, time_stop;
|
||||
int res;
|
||||
|
||||
|
@ -468,10 +519,21 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted)
|
|||
debug2("%.24s Final %u Miller-Rabin trials (%x generator)",
|
||||
ctime(&time_start), trials, generator_wanted);
|
||||
|
||||
if (checkpoint_file != NULL)
|
||||
last_processed = read_checkpoint(checkpoint_file);
|
||||
|
||||
res = 0;
|
||||
lp = xmalloc(QLINESIZE + 1);
|
||||
while (fgets(lp, QLINESIZE + 1, in) != NULL) {
|
||||
count_in++;
|
||||
if (checkpoint_file != NULL) {
|
||||
if (count_in <= last_processed) {
|
||||
debug3("skipping line %u, before checkpoint",
|
||||
count_in);
|
||||
continue;
|
||||
}
|
||||
write_checkpoint(checkpoint_file, count_in);
|
||||
}
|
||||
if (strlen(lp) < 14 || *lp == '!' || *lp == '#') {
|
||||
debug2("%10u: comment or short line", count_in);
|
||||
continue;
|
||||
|
@ -640,6 +702,9 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted)
|
|||
BN_free(q);
|
||||
BN_CTX_free(ctx);
|
||||
|
||||
if (checkpoint_file != NULL)
|
||||
unlink(checkpoint_file);
|
||||
|
||||
logit("%.24s Found %u safe primes of %u candidates in %ld seconds",
|
||||
ctime(&time_stop), count_out, count_possible,
|
||||
(long) (time_stop - time_start));
|
||||
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: monitor.c,v 1.115 2011/06/23 23:35:42 djm Exp $ */
|
||||
/* $OpenBSD: monitor.c,v 1.116 2012/01/05 00:16:56 djm Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||
|
@ -415,6 +415,7 @@ monitor_read_log(struct monitor *pmonitor)
|
|||
if (atomicio(read, pmonitor->m_log_recvfd,
|
||||
buffer_ptr(&logmsg), buffer_len(&logmsg)) != buffer_len(&logmsg)) {
|
||||
if (errno == EPIPE) {
|
||||
buffer_free(&logmsg);
|
||||
debug("%s: child log fd closed", __func__);
|
||||
close(pmonitor->m_log_recvfd);
|
||||
pmonitor->m_log_recvfd = -1;
|
||||
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: mux.c,v 1.29 2011/06/22 22:08:42 djm Exp $ */
|
||||
/* $OpenBSD: mux.c,v 1.34 2012/01/07 21:11:36 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
|
||||
*
|
||||
|
@ -324,10 +324,8 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
|
|||
env_len = 0;
|
||||
while (buffer_len(m) > 0) {
|
||||
#define MUX_MAX_ENV_VARS 4096
|
||||
if ((cp = buffer_get_string_ret(m, &len)) == NULL) {
|
||||
xfree(cmd);
|
||||
if ((cp = buffer_get_string_ret(m, &len)) == NULL)
|
||||
goto malf;
|
||||
}
|
||||
if (!env_permitted(cp)) {
|
||||
xfree(cp);
|
||||
continue;
|
||||
|
@ -584,12 +582,16 @@ mux_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
|
|||
buffer_put_int(&out, MUX_S_REMOTE_PORT);
|
||||
buffer_put_int(&out, fctx->rid);
|
||||
buffer_put_int(&out, rfwd->allocated_port);
|
||||
channel_update_permitted_opens(rfwd->handle,
|
||||
rfwd->allocated_port);
|
||||
} else {
|
||||
buffer_put_int(&out, MUX_S_OK);
|
||||
buffer_put_int(&out, fctx->rid);
|
||||
}
|
||||
goto out;
|
||||
} else {
|
||||
if (rfwd->listen_port == 0)
|
||||
channel_update_permitted_opens(rfwd->handle, -1);
|
||||
xasprintf(&failmsg, "remote port forwarding failed for "
|
||||
"listen port %d", rfwd->listen_port);
|
||||
}
|
||||
|
@ -728,8 +730,9 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
|
|||
} else {
|
||||
struct mux_channel_confirm_ctx *fctx;
|
||||
|
||||
if (channel_request_remote_forwarding(fwd.listen_host,
|
||||
fwd.listen_port, fwd.connect_host, fwd.connect_port) < 0)
|
||||
fwd.handle = channel_request_remote_forwarding(fwd.listen_host,
|
||||
fwd.listen_port, fwd.connect_host, fwd.connect_port);
|
||||
if (fwd.handle < 0)
|
||||
goto fail;
|
||||
add_remote_forward(&options, &fwd);
|
||||
fctx = xcalloc(1, sizeof(*fctx));
|
||||
|
@ -760,10 +763,11 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
|
|||
static int
|
||||
process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
|
||||
{
|
||||
Forward fwd;
|
||||
Forward fwd, *found_fwd;
|
||||
char *fwd_desc = NULL;
|
||||
const char *error_reason = NULL;
|
||||
u_int ftype;
|
||||
int ret = 0;
|
||||
int i, listen_port, ret = 0;
|
||||
|
||||
fwd.listen_host = fwd.connect_host = NULL;
|
||||
if (buffer_get_int_ret(&ftype, m) != 0 ||
|
||||
|
@ -785,14 +789,70 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
|
|||
fwd.connect_host = NULL;
|
||||
}
|
||||
|
||||
debug2("%s: channel %d: request %s", __func__, c->self,
|
||||
debug2("%s: channel %d: request cancel %s", __func__, c->self,
|
||||
(fwd_desc = format_forward(ftype, &fwd)));
|
||||
|
||||
/* XXX implement this */
|
||||
buffer_put_int(r, MUX_S_FAILURE);
|
||||
buffer_put_int(r, rid);
|
||||
buffer_put_cstring(r, "unimplemented");
|
||||
/* make sure this has been requested */
|
||||
found_fwd = NULL;
|
||||
switch (ftype) {
|
||||
case MUX_FWD_LOCAL:
|
||||
case MUX_FWD_DYNAMIC:
|
||||
for (i = 0; i < options.num_local_forwards; i++) {
|
||||
if (compare_forward(&fwd,
|
||||
options.local_forwards + i)) {
|
||||
found_fwd = options.local_forwards + i;
|
||||
break;
|
||||
}
|
||||
}
|
||||
break;
|
||||
case MUX_FWD_REMOTE:
|
||||
for (i = 0; i < options.num_remote_forwards; i++) {
|
||||
if (compare_forward(&fwd,
|
||||
options.remote_forwards + i)) {
|
||||
found_fwd = options.remote_forwards + i;
|
||||
break;
|
||||
}
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
if (found_fwd == NULL)
|
||||
error_reason = "port not forwarded";
|
||||
else if (ftype == MUX_FWD_REMOTE) {
|
||||
/*
|
||||
* This shouldn't fail unless we confused the host/port
|
||||
* between options.remote_forwards and permitted_opens.
|
||||
* However, for dynamic allocated listen ports we need
|
||||
* to lookup the actual listen port.
|
||||
*/
|
||||
listen_port = (fwd.listen_port == 0) ?
|
||||
found_fwd->allocated_port : fwd.listen_port;
|
||||
if (channel_request_rforward_cancel(fwd.listen_host,
|
||||
listen_port) == -1)
|
||||
error_reason = "port not in permitted opens";
|
||||
} else { /* local and dynamic forwards */
|
||||
/* Ditto */
|
||||
if (channel_cancel_lport_listener(fwd.listen_host,
|
||||
fwd.listen_port, fwd.connect_port,
|
||||
options.gateway_ports) == -1)
|
||||
error_reason = "port not found";
|
||||
}
|
||||
|
||||
if (error_reason == NULL) {
|
||||
buffer_put_int(r, MUX_S_OK);
|
||||
buffer_put_int(r, rid);
|
||||
|
||||
if (found_fwd->listen_host != NULL)
|
||||
xfree(found_fwd->listen_host);
|
||||
if (found_fwd->connect_host != NULL)
|
||||
xfree(found_fwd->connect_host);
|
||||
found_fwd->listen_host = found_fwd->connect_host = NULL;
|
||||
found_fwd->listen_port = found_fwd->connect_port = 0;
|
||||
} else {
|
||||
buffer_put_int(r, MUX_S_FAILURE);
|
||||
buffer_put_int(r, rid);
|
||||
buffer_put_cstring(r, error_reason);
|
||||
}
|
||||
out:
|
||||
if (fwd_desc != NULL)
|
||||
xfree(fwd_desc);
|
||||
|
@ -1513,18 +1573,19 @@ mux_client_request_terminate(int fd)
|
|||
}
|
||||
|
||||
static int
|
||||
mux_client_request_forward(int fd, u_int ftype, Forward *fwd)
|
||||
mux_client_forward(int fd, int cancel_flag, u_int ftype, Forward *fwd)
|
||||
{
|
||||
Buffer m;
|
||||
char *e, *fwd_desc;
|
||||
u_int type, rid;
|
||||
|
||||
fwd_desc = format_forward(ftype, fwd);
|
||||
debug("Requesting %s", fwd_desc);
|
||||
debug("Requesting %s %s",
|
||||
cancel_flag ? "cancellation of" : "forwarding of", fwd_desc);
|
||||
xfree(fwd_desc);
|
||||
|
||||
buffer_init(&m);
|
||||
buffer_put_int(&m, MUX_C_OPEN_FWD);
|
||||
buffer_put_int(&m, cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD);
|
||||
buffer_put_int(&m, muxclient_request_id);
|
||||
buffer_put_int(&m, ftype);
|
||||
buffer_put_cstring(&m,
|
||||
|
@ -1553,6 +1614,8 @@ mux_client_request_forward(int fd, u_int ftype, Forward *fwd)
|
|||
case MUX_S_OK:
|
||||
break;
|
||||
case MUX_S_REMOTE_PORT:
|
||||
if (cancel_flag)
|
||||
fatal("%s: got MUX_S_REMOTE_PORT for cancel", __func__);
|
||||
fwd->allocated_port = buffer_get_int(&m);
|
||||
logit("Allocated port %u for remote forward to %s:%d",
|
||||
fwd->allocated_port,
|
||||
|
@ -1582,27 +1645,28 @@ mux_client_request_forward(int fd, u_int ftype, Forward *fwd)
|
|||
}
|
||||
|
||||
static int
|
||||
mux_client_request_forwards(int fd)
|
||||
mux_client_forwards(int fd, int cancel_flag)
|
||||
{
|
||||
int i;
|
||||
int i, ret = 0;
|
||||
|
||||
debug3("%s: requesting forwardings: %d local, %d remote", __func__,
|
||||
debug3("%s: %s forwardings: %d local, %d remote", __func__,
|
||||
cancel_flag ? "cancel" : "request",
|
||||
options.num_local_forwards, options.num_remote_forwards);
|
||||
|
||||
/* XXX ExitOnForwardingFailure */
|
||||
for (i = 0; i < options.num_local_forwards; i++) {
|
||||
if (mux_client_request_forward(fd,
|
||||
if (mux_client_forward(fd, cancel_flag,
|
||||
options.local_forwards[i].connect_port == 0 ?
|
||||
MUX_FWD_DYNAMIC : MUX_FWD_LOCAL,
|
||||
options.local_forwards + i) != 0)
|
||||
return -1;
|
||||
ret = -1;
|
||||
}
|
||||
for (i = 0; i < options.num_remote_forwards; i++) {
|
||||
if (mux_client_request_forward(fd, MUX_FWD_REMOTE,
|
||||
if (mux_client_forward(fd, cancel_flag, MUX_FWD_REMOTE,
|
||||
options.remote_forwards + i) != 0)
|
||||
return -1;
|
||||
ret = -1;
|
||||
}
|
||||
return 0;
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int
|
||||
|
@ -1989,11 +2053,11 @@ muxclient(const char *path)
|
|||
fprintf(stderr, "Exit request sent.\r\n");
|
||||
exit(0);
|
||||
case SSHMUX_COMMAND_FORWARD:
|
||||
if (mux_client_request_forwards(sock) != 0)
|
||||
if (mux_client_forwards(sock, 0) != 0)
|
||||
fatal("%s: master forward request failed", __func__);
|
||||
exit(0);
|
||||
case SSHMUX_COMMAND_OPEN:
|
||||
if (mux_client_request_forwards(sock) != 0) {
|
||||
if (mux_client_forwards(sock, 0) != 0) {
|
||||
error("%s: master forward request failed", __func__);
|
||||
return;
|
||||
}
|
||||
|
@ -2006,6 +2070,11 @@ muxclient(const char *path)
|
|||
mux_client_request_stop_listening(sock);
|
||||
fprintf(stderr, "Stop listening request sent.\r\n");
|
||||
exit(0);
|
||||
case SSHMUX_COMMAND_CANCEL_FWD:
|
||||
if (mux_client_forwards(sock, 1) != 0)
|
||||
error("%s: master cancel forward request failed",
|
||||
__func__);
|
||||
exit(0);
|
||||
default:
|
||||
fatal("unrecognised muxclient_command %d", muxclient_command);
|
||||
}
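Review bot: In process_mux_close_fwd a successfully cancelled forward is only blanked in place — listen_host/connect_host are freed and the ports zeroed — but the slot still counts toward options.num_local_forwards / num_remote_forwards, so every later cancel request runs compare_forward() against a dead, all-NULL/zero entry; whether compare_forward() treats a NULL host as a wildcard match is not visible here, but if it does, a second cancel with an unspecified host and port would match the tombstone and reach channel_request_rforward_cancel()/channel_cancel_lport_listener() with empty values. Compacting the array instead (move the tail down one entry and decrement the count), or skipping entries whose listen_host is NULL and listen_port is 0 in both lookup loops, would close that. Separately, for MUX_FWD_REMOTE with fwd.listen_port == 0 the lookup falls back to found_fwd->allocated_port, which readconf.c's add_remote_forward initialises to 0 and which is presumably only filled once the server confirms the forward in mux_confirm_remote_forward; a cancel arriving before that confirmation would call channel_request_rforward_cancel() with port 0, so an explicit `if (listen_port == 0) error_reason = "port not yet allocated";` before the call would make that case deterministic. The tail of process_mux_close_fwd is outside the hunk.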
|
||||
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: packet.c,v 1.173 2011/05/06 21:14:05 djm Exp $ */
|
||||
/* $OpenBSD: packet.c,v 1.176 2012/01/25 19:40:09 markus Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -238,7 +238,7 @@ packet_set_connection(int fd_in, int fd_out)
|
|||
void
|
||||
packet_set_timeout(int timeout, int count)
|
||||
{
|
||||
if (timeout == 0 || count == 0) {
|
||||
if (timeout <= 0 || count <= 0) {
|
||||
active_state->packet_timeout_ms = -1;
|
||||
return;
|
||||
}
|
||||
|
@ -959,8 +959,10 @@ packet_send2(void)
|
|||
|
||||
/* during rekeying we can only send key exchange messages */
|
||||
if (active_state->rekeying) {
|
||||
if (!((type >= SSH2_MSG_TRANSPORT_MIN) &&
|
||||
(type <= SSH2_MSG_TRANSPORT_MAX))) {
|
||||
if ((type < SSH2_MSG_TRANSPORT_MIN) ||
|
||||
(type > SSH2_MSG_TRANSPORT_MAX) ||
|
||||
(type == SSH2_MSG_SERVICE_REQUEST) ||
|
||||
(type == SSH2_MSG_SERVICE_ACCEPT)) {
|
||||
debug("enqueue packet: %u", type);
|
||||
p = xmalloc(sizeof(*p));
|
||||
p->type = type;
|
||||
|
@ -1434,12 +1436,6 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
|
|||
}
|
||||
}
|
||||
|
||||
int
|
||||
packet_read_poll(void)
|
||||
{
|
||||
return packet_read_poll_seqnr(NULL);
|
||||
}
|
||||
|
||||
/*
|
||||
* Buffers the given amount of input characters. This is intended to be used
|
||||
* together with packet_read_poll.
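Review bot: The comment left at the end of the last hunk still says this buffering is used `together with packet_read_poll`, but the same hunk removes packet_read_poll() (and the packet.h hunk appears to drop its prototype), so the reference is now dangling; it should read `* together with packet_read_poll_seqnr.`. In packet_send2 the rekeying test now also queues SSH2_MSG_SERVICE_REQUEST and SSH2_MSG_SERVICE_ACCEPT even though both lie inside the SSH2_MSG_TRANSPORT_MIN..MAX range, which the comment above it (`during rekeying we can only send key exchange messages`) no longer explains; suggest `/* during rekeying we can only send key exchange messages; SERVICE_REQUEST/ACCEPT are in the transport range but are not part of the kex, so queue them too */`. The packet_send2 body continues outside the hunk.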
|
||||
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: packet.h,v 1.56 2011/05/06 21:14:05 djm Exp $ */
|
||||
/* $OpenBSD: packet.h,v 1.57 2012/01/25 19:40:09 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -51,7 +51,6 @@ void packet_send(void);
|
|||
|
||||
int packet_read(void);
|
||||
void packet_read_expect(int type);
|
||||
int packet_read_poll(void);
|
||||
void packet_process_incoming(const char *buf, u_int len);
|
||||
int packet_read_seqnr(u_int32_t *seqnr_p);
|
||||
int packet_read_poll_seqnr(u_int32_t *seqnr_p);
|
||||
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: readconf.c,v 1.193 2011/05/24 07:15:47 djm Exp $ */
|
||||
/* $OpenBSD: readconf.c,v 1.194 2011/09/23 07:45:05 markus Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -290,6 +290,7 @@ add_remote_forward(Options *options, const Forward *newfwd)
|
|||
fwd->listen_port = newfwd->listen_port;
|
||||
fwd->connect_host = newfwd->connect_host;
|
||||
fwd->connect_port = newfwd->connect_port;
|
||||
fwd->handle = newfwd->handle;
|
||||
fwd->allocated_port = 0;
|
||||
}
|
||||
|
||||
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: readconf.h,v 1.90 2011/05/24 07:15:47 djm Exp $ */
|
||||
/* $OpenBSD: readconf.h,v 1.91 2011/09/23 07:45:05 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -24,6 +24,7 @@ typedef struct {
|
|||
char *connect_host; /* Host to connect. */
|
||||
int connect_port; /* Port to connect on connect_host. */
|
||||
int allocated_port; /* Dynamically allocated listen port */
|
||||
int handle; /* Handle for dynamic listen ports */
|
||||
} Forward;
|
||||
/* Data structure for representing option data. */
|
||||
|
||||
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: roaming.h,v 1.5 2009/10/24 11:11:58 andreas Exp $ */
|
||||
/* $OpenBSD: roaming.h,v 1.6 2011/12/07 05:44:38 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2004-2009 AppGate Network Security AB
|
||||
*
|
||||
|
@ -18,8 +18,9 @@
|
|||
#ifndef ROAMING_H
|
||||
#define ROAMING_H
|
||||
|
||||
#define DEFAULT_ROAMBUF 65536
|
||||
#define ROAMING_REQUEST "roaming@appgate.com"
|
||||
#define DEFAULT_ROAMBUF 65536
|
||||
#define MAX_ROAMBUF (2*1024*1024) /* XXX arbitrary */
|
||||
#define ROAMING_REQUEST "roaming@appgate.com"
|
||||
|
||||
extern int roaming_enabled;
|
||||
extern int resume_in_progress;
|
||||
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: roaming_client.c,v 1.3 2010/01/18 01:50:27 dtucker Exp $ */
|
||||
/* $OpenBSD: roaming_client.c,v 1.4 2011/12/07 05:44:38 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2004-2009 AppGate Network Security AB
|
||||
*
|
||||
|
@ -68,7 +68,7 @@ roaming_reply(int type, u_int32_t seq, void *ctxt)
|
|||
cookie = packet_get_int64();
|
||||
key1 = oldkey1 = packet_get_int64();
|
||||
key2 = oldkey2 = packet_get_int64();
|
||||
set_out_buffer_size(packet_get_int() + get_snd_buf_size());
|
||||
set_out_buffer_size(packet_get_int() + get_snd_buf_size());
|
||||
roaming_enabled = 1;
|
||||
}
|
||||
|
||||
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: roaming_common.c,v 1.8 2010/01/12 00:59:29 djm Exp $ */
|
||||
/* $OpenBSD: roaming_common.c,v 1.9 2011/12/07 05:44:38 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2004-2009 AppGate Network Security AB
|
||||
*
|
||||
|
@ -71,6 +71,8 @@ get_recv_buf_size()
|
|||
void
|
||||
set_out_buffer_size(size_t size)
|
||||
{
|
||||
if (size == 0 || size > MAX_ROAMBUF)
|
||||
fatal("%s: bad buffer size %lu", __func__, (u_long)size);
|
||||
/*
|
||||
* The buffer size can only be set once and the buffer will live
|
||||
* as long as the session lives.
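Review bot: The new bound in set_out_buffer_size is the right place to fail, but nothing in the function says why it exists: on the client the argument comes from `packet_get_int() + get_snd_buf_size()` in roaming_reply (roaming_client.c hunk), i.e. a peer-supplied value, and MAX_ROAMBUF in roaming.h is annotated only `XXX arbitrary`. Suggest `/* size derives from a peer-supplied value (see roaming_reply); bound it before it reaches the allocator */` above the check. Note also that the addition in roaming_reply happens before this check, so if get_snd_buf_size() returns a 32-bit type (not visible here) a packet value near UINT_MAX could wrap to a small, accepted size; bounding the raw packet_get_int() value in roaming_reply before the addition would remove that dependency. The remainder of set_out_buffer_size is outside the hunk.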
|
||||
@ -8,9 +8,9 @@
|
|||
.\"
|
||||
.\" Created: Sun May 7 00:14:37 1995 ylo
|
||||
.\"
|
||||
.\" $OpenBSD: scp.1,v 1.56 2010/12/09 14:13:32 jmc Exp $
|
||||
.\" $OpenBSD: scp.1,v 1.58 2011/09/05 07:01:44 jmc Exp $
|
||||
.\"
|
||||
.Dd $Mdocdate: December 9 2010 $
|
||||
.Dd $Mdocdate: September 5 2011 $
|
||||
.Dt SCP 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -31,7 +31,7 @@
|
|||
.Oo
|
||||
.Op Ar user No @
|
||||
.Ar host1 No :
|
||||
.Oc Ns Ar file1
|
||||
.Oc Ar file1
|
||||
.Sm on
|
||||
.Ar ...
|
||||
.Sm off
|
||||
|
@ -140,6 +140,7 @@ For full details of the options listed below, and their possible values, see
|
|||
.It ConnectTimeout
|
||||
.It ControlMaster
|
||||
.It ControlPath
|
||||
.It ControlPersist
|
||||
.It GlobalKnownHostsFile
|
||||
.It GSSAPIAuthentication
|
||||
.It GSSAPIDelegateCredentials
|
||||
|
@ -152,6 +153,7 @@ For full details of the options listed below, and their possible values, see
|
|||
.It IdentityFile
|
||||
.It IdentitiesOnly
|
||||
.It IPQoS
|
||||
.It KbdInteractiveAuthentication
|
||||
.It KbdInteractiveDevices
|
||||
.It KexAlgorithms
|
||||
.It LogLevel
|
||||
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: scp.c,v 1.170 2010/12/09 14:13:33 jmc Exp $ */
|
||||
/* $OpenBSD: scp.c,v 1.171 2011/09/09 22:37:01 djm Exp $ */
|
||||
/*
|
||||
* scp - secure remote copy. This is basically patched BSD rcp which
|
||||
* uses ssh to do the data transfer (instead of using rcmd).
|
||||
|
@ -580,12 +580,14 @@ toremote(char *targ, int argc, char **argv)
|
|||
host = cleanhostname(argv[i]);
|
||||
suser = NULL;
|
||||
}
|
||||
xasprintf(&bp, "%s -f -- %s", cmd, src);
|
||||
xasprintf(&bp, "%s -f %s%s", cmd,
|
||||
*src == '-' ? "-- " : "", src);
|
||||
if (do_cmd(host, suser, bp, &remin, &remout) < 0)
|
||||
exit(1);
|
||||
(void) xfree(bp);
|
||||
host = cleanhostname(thost);
|
||||
xasprintf(&bp, "%s -t -- %s", cmd, targ);
|
||||
xasprintf(&bp, "%s -t %s%s", cmd,
|
||||
*targ == '-' ? "-- " : "", targ);
|
||||
if (do_cmd2(host, tuser, bp, remin, remout) < 0)
|
||||
exit(1);
|
||||
(void) xfree(bp);
|
||||
|
@ -631,7 +633,8 @@ toremote(char *targ, int argc, char **argv)
|
|||
errs = 1;
|
||||
} else { /* local to remote */
|
||||
if (remin == -1) {
|
||||
xasprintf(&bp, "%s -t -- %s", cmd, targ);
|
||||
xasprintf(&bp, "%s -t %s%s", cmd,
|
||||
*targ == '-' ? "-- " : "", targ);
|
||||
host = cleanhostname(thost);
|
||||
if (do_cmd(host, tuser, bp, &remin,
|
||||
&remout) < 0)
|
||||
|
@ -684,7 +687,8 @@ tolocal(int argc, char **argv)
|
|||
suser = pwd->pw_name;
|
||||
}
|
||||
host = cleanhostname(host);
|
||||
xasprintf(&bp, "%s -f -- %s", cmd, src);
|
||||
xasprintf(&bp, "%s -f %s%s",
|
||||
cmd, *src == '-' ? "-- " : "", src);
|
||||
if (do_cmd(host, suser, bp, &remin, &remout) < 0) {
|
||||
(void) xfree(bp);
|
||||
++errs;
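Review bot: The expression `*src == '-' ? "-- " : ""` (and its `*targ` twin) is now duplicated at four call sites — twice in toremote, once in toremote's local-to-remote branch, once in tolocal — and the hunk does not record why the previously unconditional `--`, which is the form that stops a file name beginning with `-` from being read as an option by the remote scp, became conditional. A one-line helper such as `static const char *dashdash(const char *s) { return *s == '-' ? "-- " : ""; }` used as `xasprintf(&bp, "%s -f %s%s", cmd, dashdash(src), src);` would keep the four sites identical and give one place for a comment stating the compatibility reason (presumably peers that do not accept `--`; I cannot confirm that from the diff). toremote and tolocal both extend beyond these hunks.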
|
||||
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: servconf.c,v 1.222 2011/06/22 21:57:01 djm Exp $ */
|
||||
/* $OpenBSD: servconf.c,v 1.223 2011/09/23 00:22:04 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
|
@ -1296,7 +1296,7 @@ process_server_config_line(ServerOptions *options, char *line,
|
|||
fatal("%s line %d: missing host in PermitOpen",
|
||||
filename, linenum);
|
||||
p = cleanhostname(p);
|
||||
if (arg == NULL || (port = a2port(arg)) <= 0)
|
||||
if (arg == NULL || ((port = permitopen_port(arg)) < 0))
|
||||
fatal("%s line %d: bad port number in "
|
||||
"PermitOpen", filename, linenum);
|
||||
if (*activep && n == -1)
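Review bot: The replacement test `(port = permitopen_port(arg)) < 0` accepts a zero return that the old `a2port(arg) <= 0` rejected, and nothing in the hunk says what a zero port means for PermitOpen or what permitopen_port() returns on error; without that, a later reader is likely to "fix" the comparison back to `<= 0`. Suggest a comment on the line above, e.g. `/* permitopen_port() returns <0 on error; 0 is a valid (wildcard) port here */` — if that is its contract, which I cannot see from this diff. process_server_config_line continues outside the hunk.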
|
||||
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: session.c,v 1.258 2010/11/25 04:10:09 djm Exp $ */
|
||||
/* $OpenBSD: session.c,v 1.259 2011/10/24 02:13:13 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
|
@ -1808,7 +1808,7 @@ session_break_req(Session *s)
|
|||
packet_get_int(); /* ignored */
|
||||
packet_check_eom();
|
||||
|
||||
if (s->ttyfd == -1 || tcsendbreak(s->ttyfd, 0) < 0)
|
||||
if (s->ptymaster == -1 || tcsendbreak(s->ptymaster, 0) < 0)
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sftp-client.c,v 1.94 2010/12/04 00:18:01 djm Exp $ */
|
||||
/* $OpenBSD: sftp-client.c,v 1.96 2011/09/12 08:46:15 markus Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
|
||||
*
|
||||
|
@ -455,12 +455,12 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
|
|||
buffer_put_cstring(&msg, path);
|
||||
send_msg(conn, &msg);
|
||||
|
||||
buffer_clear(&msg);
|
||||
|
||||
handle = get_handle(conn, id, &handle_len,
|
||||
"remote readdir(\"%s\")", path);
|
||||
if (handle == NULL)
|
||||
if (handle == NULL) {
|
||||
buffer_free(&msg);
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (dir) {
|
||||
ents = 0;
|
||||
|
@ -503,6 +503,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
|
|||
fx2txt(status));
|
||||
do_close(conn, handle, handle_len);
|
||||
xfree(handle);
|
||||
buffer_free(&msg);
|
||||
return(status);
|
||||
}
|
||||
} else if (type != SSH2_FXP_NAME)
|
||||
|
@ -798,15 +799,15 @@ do_hardlink(struct sftp_conn *conn, char *oldpath, char *newpath)
|
|||
Buffer msg;
|
||||
u_int status, id;
|
||||
|
||||
buffer_init(&msg);
|
||||
|
||||
/* Send link request */
|
||||
id = conn->msg_id++;
|
||||
if ((conn->exts & SFTP_EXT_HARDLINK) == 0) {
|
||||
error("Server does not support hardlink@openssh.com extension");
|
||||
return -1;
|
||||
}
|
||||
|
||||
buffer_init(&msg);
|
||||
|
||||
/* Send link request */
|
||||
id = conn->msg_id++;
|
||||
buffer_put_char(&msg, SSH2_FXP_EXTENDED);
|
||||
buffer_put_int(&msg, id);
|
||||
buffer_put_cstring(&msg, "hardlink@openssh.com");
|
||||
|
@ -882,6 +883,7 @@ do_readlink(struct sftp_conn *conn, char *path)
|
|||
u_int status = buffer_get_int(&msg);
|
||||
|
||||
error("Couldn't readlink: %s", fx2txt(status));
|
||||
buffer_free(&msg);
|
||||
return(NULL);
|
||||
} else if (type != SSH2_FXP_NAME)
|
||||
fatal("Expected SSH2_FXP_NAME(%u) packet, got %u",
|
||||
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sftp-glob.c,v 1.22 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/* $OpenBSD: sftp-glob.c,v 1.23 2011/10/04 14:17:32 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
|
||||
*
|
||||
|
@ -84,7 +84,7 @@ fudge_lstat(const char *path, struct stat *st)
|
|||
{
|
||||
Attrib *a;
|
||||
|
||||
if (!(a = do_lstat(cur.conn, (char *)path, 0)))
|
||||
if (!(a = do_lstat(cur.conn, (char *)path, 1)))
|
||||
return(-1);
|
||||
|
||||
attrib_to_stat(a, st);
|
||||
|
@ -97,7 +97,7 @@ fudge_stat(const char *path, struct stat *st)
|
|||
{
|
||||
Attrib *a;
|
||||
|
||||
if (!(a = do_stat(cur.conn, (char *)path, 0)))
|
||||
if (!(a = do_stat(cur.conn, (char *)path, 1)))
|
||||
return(-1);
|
||||
|
||||
attrib_to_stat(a, st);
|
||||
@ -1,4 +1,4 @@
|
|||
.\" $OpenBSD: sftp.1,v 1.90 2011/08/07 12:55:30 dtucker Exp $
|
||||
.\" $OpenBSD: sftp.1,v 1.91 2011/09/05 05:56:13 djm Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2001 Damien Miller. All rights reserved.
|
||||
.\"
|
||||
|
@ -22,7 +22,7 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: August 7 2011 $
|
||||
.Dd $Mdocdate: September 5 2011 $
|
||||
.Dt SFTP 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -194,6 +194,7 @@ For full details of the options listed below, and their possible values, see
|
|||
.It ConnectTimeout
|
||||
.It ControlMaster
|
||||
.It ControlPath
|
||||
.It ControlPersist
|
||||
.It GlobalKnownHostsFile
|
||||
.It GSSAPIAuthentication
|
||||
.It GSSAPIDelegateCredentials
|
||||
|
@ -206,6 +207,7 @@ For full details of the options listed below, and their possible values, see
|
|||
.It IdentityFile
|
||||
.It IdentitiesOnly
|
||||
.It IPQoS
|
||||
.It KbdInteractiveAuthentication
|
||||
.It KbdInteractiveDevices
|
||||
.It KexAlgorithms
|
||||
.It LogLevel
|
||||
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sftp.c,v 1.132 2010/12/04 00:18:01 djm Exp $ */
|
||||
/* $OpenBSD: sftp.c,v 1.134 2011/11/16 12:24:28 oga Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
|
||||
*
|
||||
|
@ -770,7 +770,8 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
|
|||
memset(&g, 0, sizeof(g));
|
||||
|
||||
if (remote_glob(conn, path,
|
||||
GLOB_MARK|GLOB_NOCHECK|GLOB_BRACE|GLOB_KEEPSTAT, NULL, &g) ||
|
||||
GLOB_MARK|GLOB_NOCHECK|GLOB_BRACE|GLOB_KEEPSTAT|GLOB_NOSORT,
|
||||
NULL, &g) ||
|
||||
(g.gl_pathc && !g.gl_matchc)) {
|
||||
if (g.gl_pathc)
|
||||
globfree(&g);
|
||||
|
@ -1606,8 +1607,10 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote,
|
|||
}
|
||||
list[count] = NULL;
|
||||
|
||||
if (count == 0)
|
||||
if (count == 0) {
|
||||
xfree(list);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Complete ambigious command */
|
||||
tmp = complete_ambiguous(cmd, list, count);
|
||||
@ -1,4 +1,4 @@
|
|||
.\" $OpenBSD: ssh-add.1,v 1.55 2010/10/28 18:33:28 jmc Exp $
|
||||
.\" $OpenBSD: ssh-add.1,v 1.56 2011/10/18 05:00:48 djm Exp $
|
||||
.\"
|
||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -35,7 +35,7 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: October 28 2010 $
|
||||
.Dd $Mdocdate: October 18 2011 $
|
||||
.Dt SSH-ADD 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -43,7 +43,7 @@
|
|||
.Nd adds private key identities to the authentication agent
|
||||
.Sh SYNOPSIS
|
||||
.Nm ssh-add
|
||||
.Op Fl cDdLlXx
|
||||
.Op Fl cDdkLlXx
|
||||
.Op Fl t Ar life
|
||||
.Op Ar
|
||||
.Nm ssh-add
|
||||
|
@ -110,6 +110,9 @@ and retry.
|
|||
.It Fl e Ar pkcs11
|
||||
Remove keys provided by the PKCS#11 shared library
|
||||
.Ar pkcs11 .
|
||||
.It Fl k
|
||||
When loading keys into the agent, load plain private keys only and skip
|
||||
certificates.
|
||||
.It Fl L
|
||||
Lists public key parameters of all identities currently represented
|
||||
by the agent.
|
||||
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssh-add.c,v 1.101 2011/05/04 21:15:29 djm Exp $ */
|
||||
/* $OpenBSD: ssh-add.c,v 1.103 2011/10/18 23:37:42 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -133,11 +133,11 @@ delete_all(AuthenticationConnection *ac)
|
|||
}
|
||||
|
||||
static int
|
||||
add_file(AuthenticationConnection *ac, const char *filename)
|
||||
add_file(AuthenticationConnection *ac, const char *filename, int key_only)
|
||||
{
|
||||
Key *private, *cert;
|
||||
char *comment = NULL;
|
||||
char msg[1024], *certpath;
|
||||
char msg[1024], *certpath = NULL;
|
||||
int fd, perms_ok, ret = -1;
|
||||
Buffer keyblob;
|
||||
|
||||
|
@ -213,6 +213,9 @@ add_file(AuthenticationConnection *ac, const char *filename)
|
|||
fprintf(stderr, "Could not add identity: %s\n", filename);
|
||||
}
|
||||
|
||||
/* Skip trying to load the cert if requested */
|
||||
if (key_only)
|
||||
goto out;
|
||||
|
||||
/* Now try to add the certificate flavour too */
|
||||
xasprintf(&certpath, "%s-cert.pub", filename);
|
||||
|
@ -247,7 +250,8 @@ add_file(AuthenticationConnection *ac, const char *filename)
|
|||
if (confirm != 0)
|
||||
fprintf(stderr, "The user must confirm each use of the key\n");
|
||||
out:
|
||||
xfree(certpath);
|
||||
if (certpath != NULL)
|
||||
xfree(certpath);
|
||||
xfree(comment);
|
||||
key_free(private);
|
||||
|
||||
|
@ -341,13 +345,13 @@ lock_agent(AuthenticationConnection *ac, int lock)
|
|||
}
|
||||
|
||||
static int
|
||||
do_file(AuthenticationConnection *ac, int deleting, char *file)
|
||||
do_file(AuthenticationConnection *ac, int deleting, int key_only, char *file)
|
||||
{
|
||||
if (deleting) {
|
||||
if (delete_file(ac, file) == -1)
|
||||
return -1;
|
||||
} else {
|
||||
if (add_file(ac, file) == -1)
|
||||
if (add_file(ac, file, key_only) == -1)
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
|
@ -360,12 +364,13 @@ usage(void)
|
|||
fprintf(stderr, "Options:\n");
|
||||
fprintf(stderr, " -l List fingerprints of all identities.\n");
|
||||
fprintf(stderr, " -L List public key parameters of all identities.\n");
|
||||
fprintf(stderr, " -k Load only keys and not certificates.\n");
|
||||
fprintf(stderr, " -c Require confirmation to sign using identities\n");
|
||||
fprintf(stderr, " -t life Set lifetime (in seconds) when adding identities.\n");
|
||||
fprintf(stderr, " -d Delete identity.\n");
|
||||
fprintf(stderr, " -D Delete all identities.\n");
|
||||
fprintf(stderr, " -x Lock agent.\n");
|
||||
fprintf(stderr, " -X Unlock agent.\n");
|
||||
fprintf(stderr, " -t life Set lifetime (in seconds) when adding identities.\n");
|
||||
fprintf(stderr, " -c Require confirmation to sign using identities\n");
|
||||
fprintf(stderr, " -s pkcs11 Add keys from PKCS#11 provider.\n");
|
||||
fprintf(stderr, " -e pkcs11 Remove keys provided by PKCS#11 provider.\n");
|
||||
}
|
||||
|
@ -377,7 +382,7 @@ main(int argc, char **argv)
|
|||
extern int optind;
|
||||
AuthenticationConnection *ac = NULL;
|
||||
char *pkcs11provider = NULL;
|
||||
int i, ch, deleting = 0, ret = 0;
|
||||
int i, ch, deleting = 0, ret = 0, key_only = 0;
|
||||
|
||||
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
||||
sanitise_stdfd();
|
||||
|
@ -391,8 +396,11 @@ main(int argc, char **argv)
|
|||
"Could not open a connection to your authentication agent.\n");
|
||||
exit(2);
|
||||
}
|
||||
while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {
|
||||
while ((ch = getopt(argc, argv, "klLcdDxXe:s:t:")) != -1) {
|
||||
switch (ch) {
|
||||
case 'k':
|
||||
key_only = 1;
|
||||
break;
|
||||
case 'l':
|
||||
case 'L':
|
||||
if (list_identities(ac, ch == 'l' ? 1 : 0) == -1)
|
||||
|
@ -458,7 +466,7 @@ main(int argc, char **argv)
|
|||
default_files[i]);
|
||||
if (stat(buf, &st) < 0)
|
||||
continue;
|
||||
if (do_file(ac, deleting, buf) == -1)
|
||||
if (do_file(ac, deleting, key_only, buf) == -1)
|
||||
ret = 1;
|
||||
else
|
||||
count++;
|
||||
|
@ -467,7 +475,7 @@ main(int argc, char **argv)
|
|||
ret = 1;
|
||||
} else {
|
||||
for (i = 0; i < argc; i++) {
|
||||
if (do_file(ac, deleting, argv[i]) == -1)
|
||||
if (do_file(ac, deleting, key_only, argv[i]) == -1)
|
||||
ret = 1;
|
||||
}
|
||||
}
|
||||
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssh-ecdsa.c,v 1.4 2010/09/10 01:04:10 djm Exp $ */
|
||||
/* $OpenBSD: ssh-ecdsa.c,v 1.5 2012/01/08 13:17:11 miod Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2010 Damien Miller. All rights reserved.
|
||||
|
@ -141,6 +141,7 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
|
|||
buffer_get_bignum2(&bb, sig->s);
|
||||
if (buffer_len(&bb) != 0)
|
||||
fatal("%s: remaining bytes in inner sigblob", __func__);
|
||||
buffer_free(&bb);
|
||||
|
||||
/* clean up */
|
||||
memset(sigblob, 0, len);
|
||||
@ -1,4 +1,4 @@
|
|||
.\" $OpenBSD: ssh-keygen.1,v 1.106 2011/04/13 04:09:37 djm Exp $
|
||||
.\" $OpenBSD: ssh-keygen.1,v 1.108 2011/10/16 11:02:46 dtucker Exp $
|
||||
.\"
|
||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -35,7 +35,7 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: April 13 2011 $
|
||||
.Dd $Mdocdate: October 16 2011 $
|
||||
.Dt SSH-KEYGEN 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -104,6 +104,7 @@
|
|||
.Fl f Ar input_file
|
||||
.Op Fl v
|
||||
.Op Fl a Ar num_trials
|
||||
.Op Fl K Ar checkpt
|
||||
.Op Fl W Ar generator
|
||||
.Nm ssh-keygen
|
||||
.Fl s Ar ca_key
|
||||
|
@ -214,7 +215,7 @@ Generally, 2048 bits is considered sufficient.
|
|||
DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
|
||||
For ECDSA keys, the
|
||||
.Fl b
|
||||
flag determines they key length by selecting from one of three elliptic
|
||||
flag determines the key length by selecting from one of three elliptic
|
||||
curve sizes: 256, 384 or 521 bits.
|
||||
Attempting to use bit lengths other than these three values for ECDSA keys
|
||||
will fail.
|
||||
|
@ -296,6 +297,14 @@ in the format specified by the
|
|||
.Fl m
|
||||
option and print an OpenSSH compatible private
|
||||
(or public) key to stdout.
|
||||
.It Fl K Ar checkpt
|
||||
Write the last line processed to the file
|
||||
.Ar checkpt
|
||||
while performing DH candidate screening using the
|
||||
.Fl T
|
||||
option.
|
||||
This will be used to skip lines in the input file that have already been
|
||||
processed if the job is restarted.
|
||||
This option allows importing keys from other software, including several
|
||||
commercial SSH implementations.
|
||||
The default import format is
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssh-keygen.c,v 1.210 2011/04/18 00:46:05 djm Exp $ */
|
||||
/* $OpenBSD: ssh-keygen.c,v 1.212 2011/10/16 15:02:41 jmc Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -149,7 +149,7 @@ char hostname[MAXHOSTNAMELEN];
|
|||
|
||||
/* moduli.c */
|
||||
int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
|
||||
int prime_test(FILE *, FILE *, u_int32_t, u_int32_t);
|
||||
int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *);
|
||||
|
||||
static void
|
||||
type_bits_valid(int type, u_int32_t *bitsp)
|
||||
|
@ -1871,6 +1871,7 @@ usage(void)
|
|||
fprintf(stderr, " -h Generate host certificate instead of a user certificate.\n");
|
||||
fprintf(stderr, " -I key_id Key identifier to include in certificate.\n");
|
||||
fprintf(stderr, " -i Import foreign format to OpenSSH key file.\n");
|
||||
fprintf(stderr, " -K checkpt Write checkpoints to this file.\n");
|
||||
fprintf(stderr, " -L Print the contents of a certificate.\n");
|
||||
fprintf(stderr, " -l Show fingerprint of key file.\n");
|
||||
fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n");
|
||||
|
@ -1903,6 +1904,7 @@ int
|
|||
main(int argc, char **argv)
|
||||
{
|
||||
char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2;
|
||||
char *checkpoint = NULL;
|
||||
char out_file[MAXPATHLEN], *rr_hostname = NULL;
|
||||
Key *private, *public;
|
||||
struct passwd *pw;
|
||||
|
@ -1935,7 +1937,7 @@ main(int argc, char **argv)
|
|||
exit(1);
|
||||
}
|
||||
|
||||
while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:"
|
||||
while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:K:P:m:N:n:"
|
||||
"O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) {
|
||||
switch (opt) {
|
||||
case 'A':
|
||||
|
@ -2086,6 +2088,11 @@ main(int argc, char **argv)
|
|||
sizeof(out_file))
|
||||
fatal("Output filename too long");
|
||||
break;
|
||||
case 'K':
|
||||
if (strlen(optarg) >= MAXPATHLEN)
|
||||
fatal("Checkpoint filename too long");
|
||||
checkpoint = xstrdup(optarg);
|
||||
break;
|
||||
case 'S':
|
||||
/* XXX - also compare length against bits */
|
||||
if (BN_hex2bn(&start, optarg) == 0)
|
||||
|
@ -2208,7 +2215,8 @@ main(int argc, char **argv)
|
|||
fatal("Couldn't open moduli file \"%s\": %s",
|
||||
out_file, strerror(errno));
|
||||
}
|
||||
if (prime_test(in, out, trials, generator_wanted) != 0)
|
||||
if (prime_test(in, out, trials, generator_wanted, checkpoint)
|
||||
!= 0)
|
||||
fatal("modulus screening failed");
|
||||
return (0);
|
||||
}
|
||||
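Review bot: The new usage line `-K checkpt Write checkpoints to this file.` does not say that the option only has an effect together with `-T`, which the ssh-keygen.1 text in this commit makes clear; `fprintf(stderr, " -K checkpt Write checkpoints to this file (used with -T).\n");` keeps the two consistent. The `case 'K'` handling mirrors the `-f` length check and `xstrdup`s the path, which is fine for a one-shot tool; if prime_test only opens the file, declaring the new parameter as `const char *` in the moduli.c prototype would document that it does not take ownership (prime_test's body is outside the visible hunks). Separately, the `.It Fl K Ar checkpt` entry this commit adds to ssh-keygen.1 lands between the `-i` description and its continuation ("This option allows importing keys from other software …"), so that paragraph now reads as part of `-K` and the new entry should be placed after it.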
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssh-pkcs11-client.c,v 1.2 2010/02/24 06:12:53 djm Exp $ */
|
||||
/* $OpenBSD: ssh-pkcs11-client.c,v 1.3 2012/01/16 20:34:09 miod Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2010 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
@ -117,6 +117,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
|
|||
buffer_put_int(&msg, 0);
|
||||
xfree(blob);
|
||||
send_msg(&msg);
|
||||
buffer_clear(&msg);
|
||||
|
||||
if (recv_msg(&msg) == SSH2_AGENT_SIGN_RESPONSE) {
|
||||
signature = buffer_get_string(&msg, &slen);
|
||||
|
@ -126,6 +127,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
|
|||
}
|
||||
xfree(signature);
|
||||
}
|
||||
buffer_free(&msg);
|
||||
return (ret);
|
||||
}
|
||||
|
||||
|
|
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh.1,v 1.320 2011/08/02 01:22:11 djm Exp $
|
||||
.Dd $Mdocdate: August 2 2011 $
|
||||
.\" $OpenBSD: ssh.1,v 1.323 2011/09/11 06:59:05 okan Exp $
|
||||
.Dd $Mdocdate: September 11 2011 $
|
||||
.Dt SSH 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -393,6 +393,8 @@ Valid commands are:
|
|||
(check that the master process is running),
|
||||
.Dq forward
|
||||
(request forwardings without command execution),
|
||||
.Dq cancel
|
||||
(cancel forwardings),
|
||||
.Dq exit
|
||||
(request the master to exit), and
|
||||
.Dq stop
|
||||
|
@ -419,11 +421,13 @@ For full details of the options listed below, and their possible values, see
|
|||
.It ConnectTimeout
|
||||
.It ControlMaster
|
||||
.It ControlPath
|
||||
.It ControlPersist
|
||||
.It DynamicForward
|
||||
.It EscapeChar
|
||||
.It ExitOnForwardFailure
|
||||
.It ForwardAgent
|
||||
.It ForwardX11
|
||||
.It ForwardX11Timeout
|
||||
.It ForwardX11Trusted
|
||||
.It GatewayPorts
|
||||
.It GlobalKnownHostsFile
|
||||
|
@ -438,6 +442,7 @@ For full details of the options listed below, and their possible values, see
|
|||
.It IdentityFile
|
||||
.It IdentitiesOnly
|
||||
.It IPQoS
|
||||
.It KbdInteractiveAuthentication
|
||||
.It KbdInteractiveDevices
|
||||
.It KexAlgorithms
|
||||
.It LocalCommand
|
||||
|
@ -896,11 +901,20 @@ Currently this allows the addition of port forwardings using the
|
|||
and
|
||||
.Fl D
|
||||
options (see above).
|
||||
It also allows the cancellation of existing remote port-forwardings
|
||||
using
|
||||
It also allows the cancellation of existing port-forwardings
|
||||
with
|
||||
.Sm off
|
||||
.Fl KR Oo Ar bind_address : Oc Ar port .
|
||||
.Fl KL Oo Ar bind_address : Oc Ar port
|
||||
.Sm on
|
||||
for local,
|
||||
.Sm off
|
||||
.Fl KR Oo Ar bind_address : Oc Ar port
|
||||
.Sm on
|
||||
for remote and
|
||||
.Sm off
|
||||
.Fl KD Oo Ar bind_address : Oc Ar port
|
||||
.Sm on
|
||||
for dynamic port-forwardings.
|
||||
.Ic !\& Ns Ar command
|
||||
allows the user to execute a local command if the
|
||||
.Ic PermitLocalCommand
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssh.c,v 1.364 2011/08/02 23:15:03 djm Exp $ */
|
||||
/* $OpenBSD: ssh.c,v 1.368 2011/10/24 02:10:46 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -348,6 +348,8 @@ main(int ac, char **av)
|
|||
muxclient_command = SSHMUX_COMMAND_TERMINATE;
|
||||
else if (strcmp(optarg, "stop") == 0)
|
||||
muxclient_command = SSHMUX_COMMAND_STOP;
|
||||
else if (strcmp(optarg, "cancel") == 0)
|
||||
muxclient_command = SSHMUX_COMMAND_CANCEL_FWD;
|
||||
else
|
||||
fatal("Invalid multiplex command.");
|
||||
break;
|
||||
|
@ -839,11 +841,14 @@ main(int ac, char **av)
|
|||
* Now that we are back to our own permissions, create ~/.ssh
|
||||
* directory if it doesn't already exist.
|
||||
*/
|
||||
r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
|
||||
strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
|
||||
if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0)
|
||||
if (mkdir(buf, 0700) < 0)
|
||||
error("Could not create directory '%.200s'.", buf);
|
||||
if (config == NULL) {
|
||||
r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
|
||||
strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
|
||||
if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0)
|
||||
if (mkdir(buf, 0700) < 0)
|
||||
error("Could not create directory '%.200s'.",
|
||||
buf);
|
||||
}
|
||||
|
||||
/* load options.identity_files */
|
||||
load_public_identity_files();
|
||||
|
@ -968,11 +973,17 @@ ssh_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
|
|||
debug("remote forward %s for: listen %d, connect %s:%d",
|
||||
type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure",
|
||||
rfwd->listen_port, rfwd->connect_host, rfwd->connect_port);
|
||||
if (type == SSH2_MSG_REQUEST_SUCCESS && rfwd->listen_port == 0) {
|
||||
rfwd->allocated_port = packet_get_int();
|
||||
logit("Allocated port %u for remote forward to %s:%d",
|
||||
rfwd->allocated_port,
|
||||
rfwd->connect_host, rfwd->connect_port);
|
||||
if (rfwd->listen_port == 0) {
|
||||
if (type == SSH2_MSG_REQUEST_SUCCESS) {
|
||||
rfwd->allocated_port = packet_get_int();
|
||||
logit("Allocated port %u for remote forward to %s:%d",
|
||||
rfwd->allocated_port,
|
||||
rfwd->connect_host, rfwd->connect_port);
|
||||
channel_update_permitted_opens(rfwd->handle,
|
||||
rfwd->allocated_port);
|
||||
} else {
|
||||
channel_update_permitted_opens(rfwd->handle, -1);
|
||||
}
|
||||
}
|
||||
|
||||
if (type == SSH2_MSG_REQUEST_FAILURE) {
|
||||
|
@ -997,25 +1008,26 @@ client_cleanup_stdio_fwd(int id, void *arg)
|
|||
cleanup_exit(0);
|
||||
}
|
||||
|
||||
static int
|
||||
client_setup_stdio_fwd(const char *host_to_connect, u_short port_to_connect)
|
||||
static void
|
||||
ssh_init_stdio_forwarding(void)
|
||||
{
|
||||
Channel *c;
|
||||
int in, out;
|
||||
|
||||
debug3("client_setup_stdio_fwd %s:%d", host_to_connect,
|
||||
port_to_connect);
|
||||
if (stdio_forward_host == NULL)
|
||||
return;
|
||||
if (!compat20)
|
||||
fatal("stdio forwarding require Protocol 2");
|
||||
|
||||
in = dup(STDIN_FILENO);
|
||||
out = dup(STDOUT_FILENO);
|
||||
if (in < 0 || out < 0)
|
||||
debug3("%s: %s:%d", __func__, stdio_forward_host, stdio_forward_port);
|
||||
|
||||
if ((in = dup(STDIN_FILENO)) < 0 ||
|
||||
(out = dup(STDOUT_FILENO)) < 0)
|
||||
fatal("channel_connect_stdio_fwd: dup() in/out failed");
|
||||
|
||||
if ((c = channel_connect_stdio_fwd(host_to_connect, port_to_connect,
|
||||
in, out)) == NULL)
|
||||
return 0;
|
||||
if ((c = channel_connect_stdio_fwd(stdio_forward_host,
|
||||
stdio_forward_port, in, out)) == NULL)
|
||||
fatal("%s: channel_connect_stdio_fwd failed", __func__);
|
||||
channel_register_cleanup(c->self, client_cleanup_stdio_fwd, 0);
|
||||
return 1;
|
||||
}
|
||||
|
||||
static void
|
||||
|
@ -1024,15 +1036,6 @@ ssh_init_forwarding(void)
|
|||
int success = 0;
|
||||
int i;
|
||||
|
||||
if (stdio_forward_host != NULL) {
|
||||
if (!compat20) {
|
||||
fatal("stdio forwarding require Protocol 2");
|
||||
}
|
||||
if (!client_setup_stdio_fwd(stdio_forward_host,
|
||||
stdio_forward_port))
|
||||
fatal("Failed to connect in stdio forward mode.");
|
||||
}
|
||||
|
||||
/* Initiate local TCP/IP port forwardings. */
|
||||
for (i = 0; i < options.num_local_forwards; i++) {
|
||||
debug("Local connections to %.200s:%d forwarded to remote "
|
||||
|
@ -1064,19 +1067,22 @@ ssh_init_forwarding(void)
|
|||
options.remote_forwards[i].listen_port,
|
||||
options.remote_forwards[i].connect_host,
|
||||
options.remote_forwards[i].connect_port);
|
||||
if (channel_request_remote_forwarding(
|
||||
options.remote_forwards[i].handle =
|
||||
channel_request_remote_forwarding(
|
||||
options.remote_forwards[i].listen_host,
|
||||
options.remote_forwards[i].listen_port,
|
||||
options.remote_forwards[i].connect_host,
|
||||
options.remote_forwards[i].connect_port) < 0) {
|
||||
options.remote_forwards[i].connect_port);
|
||||
if (options.remote_forwards[i].handle < 0) {
|
||||
if (options.exit_on_forward_failure)
|
||||
fatal("Could not request remote forwarding.");
|
||||
else
|
||||
logit("Warning: Could not request remote "
|
||||
"forwarding.");
|
||||
} else {
|
||||
client_register_global_confirm(ssh_confirm_remote_forward,
|
||||
&options.remote_forwards[i]);
|
||||
}
|
||||
client_register_global_confirm(ssh_confirm_remote_forward,
|
||||
&options.remote_forwards[i]);
|
||||
}
|
||||
|
||||
/* Initiate tunnel forwarding. */
|
||||
|
@ -1220,6 +1226,7 @@ ssh_session(void)
|
|||
}
|
||||
|
||||
/* Initiate port forwardings. */
|
||||
ssh_init_stdio_forwarding();
|
||||
ssh_init_forwarding();
|
||||
|
||||
/* Execute a local command */
|
||||
|
@ -1358,15 +1365,18 @@ ssh_session2(void)
|
|||
int id = -1;
|
||||
|
||||
/* XXX should be pre-session */
|
||||
if (!options.control_persist)
|
||||
ssh_init_stdio_forwarding();
|
||||
ssh_init_forwarding();
|
||||
|
||||
/* Start listening for multiplex clients */
|
||||
muxserver_listen();
|
||||
|
||||
/*
|
||||
* If we are in control persist mode, then prepare to background
|
||||
* ourselves and have a foreground client attach as a control
|
||||
* slave. NB. we must save copies of the flags that we override for
|
||||
* If we are in control persist mode and have a working mux listen
|
||||
* socket, then prepare to background ourselves and have a foreground
|
||||
* client attach as a control slave.
|
||||
* NB. we must save copies of the flags that we override for
|
||||
* the backgrounding, since we defer attachment of the slave until
|
||||
* after the connection is fully established (in particular,
|
||||
* async rfwd replies have been received for ExitOnForwardFailure).
|
||||
|
@ -1383,6 +1393,12 @@ ssh_session2(void)
|
|||
need_controlpersist_detach = 1;
|
||||
fork_after_authentication_flag = 1;
|
||||
}
|
||||
/*
|
||||
* ControlPersist mux listen socket setup failed, attempt the
|
||||
* stdio forward setup that we skipped earlier.
|
||||
*/
|
||||
if (options.control_persist && muxserver_sock == -1)
|
||||
ssh_init_stdio_forwarding();
|
||||
|
||||
if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN))
|
||||
id = ssh_session2_open();
|
||||
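Review bot: In the reworked ssh_confirm_remote_forward, `rfwd->allocated_port = packet_get_int();` stores a server-supplied 32-bit value and passes it straight to the log line and to `channel_update_permitted_opens()` without checking that it is a valid TCP port, so a hostile or buggy server can hand back any value here. A range check before use, e.g. `if (rfwd->allocated_port > 65535) fatal("Invalid allocated port %u for remote forward to %s:%d", rfwd->allocated_port, rfwd->connect_host, rfwd->connect_port);` (or `error()` plus the same `channel_update_permitted_opens(rfwd->handle, -1)` the new else branch uses), keeps the permitted-opens list from holding a nonsensical port; whether `allocated_port` is narrower than the `u_int` packet_get_int() returns depends on the Forward struct declared elsewhere, and if it is the assignment also silently truncates. Two smaller points in the same file: the `fatal("channel_connect_stdio_fwd: dup() in/out failed");` message in ssh_init_stdio_forwarding names the wrong function and should use `__func__` like its neighbours, and the comment above the `~/.ssh` creation block no longer mentions that the block now only runs when `config` is NULL (apparently the no-`-F` case), which is worth a sentence there.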
|
|
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh_config.5,v 1.153 2011/08/02 01:22:11 djm Exp $
|
||||
.Dd $Mdocdate: August 2 2011 $
|
||||
.\" $OpenBSD: ssh_config.5,v 1.154 2011/09/09 00:43:00 djm Exp $
|
||||
.Dd $Mdocdate: September 9 2011 $
|
||||
.Dt SSH_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -658,7 +658,7 @@ Accepted values are
|
|||
.Dq af11 ,
|
||||
.Dq af12 ,
|
||||
.Dq af13 ,
|
||||
.Dq af14 ,
|
||||
.Dq af21 ,
|
||||
.Dq af22 ,
|
||||
.Dq af23 ,
|
||||
.Dq af31 ,
|
||||
|
|
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd.8,v 1.263 2011/08/02 01:22:11 djm Exp $
|
||||
.Dd $Mdocdate: August 2 2011 $
|
||||
.\" $OpenBSD: sshd.8,v 1.264 2011/09/23 00:22:04 dtucker Exp $
|
||||
.Dd $Mdocdate: September 23 2011 $
|
||||
.Dt SSHD 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -581,6 +581,9 @@ Multiple
|
|||
options may be applied separated by commas.
|
||||
No pattern matching is performed on the specified hostnames,
|
||||
they must be literal domains or addresses.
|
||||
A port specification of
|
||||
.Cm *
|
||||
matches any port.
|
||||
.It Cm principals="principals"
|
||||
On a
|
||||
.Cm cert-authority
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sshd.c,v 1.385 2011/06/23 09:34:13 djm Exp $ */
|
||||
/* $OpenBSD: sshd.c,v 1.388 2011/09/30 21:22:49 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -222,6 +222,7 @@ int startup_pipe; /* in child */
|
|||
/* variables used for privilege separation */
|
||||
int use_privsep = -1;
|
||||
struct monitor *pmonitor = NULL;
|
||||
int privsep_is_preauth = 1;
|
||||
|
||||
/* global authentication context */
|
||||
Authctxt *the_authctxt = NULL;
|
||||
|
@ -637,10 +638,13 @@ privsep_preauth(Authctxt *authctxt)
|
|||
|
||||
/* Wait for the child's exit status */
|
||||
while (waitpid(pid, &status, 0) < 0) {
|
||||
if (errno != EINTR)
|
||||
fatal("%s: waitpid: %s", __func__,
|
||||
strerror(errno));
|
||||
if (errno == EINTR)
|
||||
continue;
|
||||
pmonitor->m_pid = -1;
|
||||
fatal("%s: waitpid: %s", __func__, strerror(errno));
|
||||
}
|
||||
privsep_is_preauth = 0;
|
||||
pmonitor->m_pid = -1;
|
||||
if (WIFEXITED(status)) {
|
||||
if (WEXITSTATUS(status) != 0)
|
||||
fatal("%s: preauth child exited with status %d",
|
||||
|
@ -2217,7 +2221,15 @@ do_ssh2_kex(void)
|
|||
void
|
||||
cleanup_exit(int i)
|
||||
{
|
||||
if (the_authctxt)
|
||||
if (the_authctxt) {
|
||||
do_cleanup(the_authctxt);
|
||||
if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) {
|
||||
debug("Killing privsep child %d", pmonitor->m_pid);
|
||||
if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
|
||||
errno != ESRCH)
|
||||
error("%s: kill(%d): %s", __func__,
|
||||
pmonitor->m_pid, strerror(errno));
|
||||
}
|
||||
}
|
||||
_exit(i);
|
||||
}
|
||||
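Review bot: The new kill path in cleanup_exit dereferences `pmonitor` as soon as `use_privsep && privsep_is_preauth` holds, but `pmonitor` is initialised to `NULL` in this commit's first sshd.c hunk and is only allocated outside the visible hunks; if cleanup_exit can run (e.g. via fatal()) after `the_authctxt` is set but before the monitor is set up, this is a NULL dereference inside the error path itself. Adding the guard to the condition, `if (use_privsep && privsep_is_preauth && pmonitor != NULL && pmonitor->m_pid > 1) {`, makes the cleanup safe regardless of that ordering; whether the window exists depends on main(), which is outside this diff. The `> 1` bound looks deliberate, since `kill(0, …)` and `kill(-1, …)` would target the process group or every reachable process rather than a child, and it deserves a short comment such as `/* m_pid <= 1 means there is no live preauth child to kill */`.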
|
|
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.135 2011/08/02 01:22:11 djm Exp $
|
||||
.Dd $Mdocdate: August 2 2011 $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.136 2011/09/09 00:43:00 djm Exp $
|
||||
.Dd $Mdocdate: September 9 2011 $
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -520,7 +520,7 @@ Accepted values are
|
|||
.Dq af11 ,
|
||||
.Dq af12 ,
|
||||
.Dq af13 ,
|
||||
.Dq af14 ,
|
||||
.Dq af21 ,
|
||||
.Dq af22 ,
|
||||
.Dq af23 ,
|
||||
.Dq af31 ,
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: umac.c,v 1.3 2008/05/12 20:52:20 pvalchev Exp $ */
|
||||
/* $OpenBSD: umac.c,v 1.4 2011/10/19 10:39:48 djm Exp $ */
|
||||
/* -----------------------------------------------------------------------
|
||||
*
|
||||
* umac.c -- C Implementation UMAC Message Authentication
|
||||
|
@ -312,7 +312,7 @@ static void pdf_gen_xor(pdf_ctx *pc, UINT8 nonce[8], UINT8 buf[8])
|
|||
|
||||
typedef struct {
|
||||
UINT8 nh_key [L1_KEY_LEN + L1_KEY_SHIFT * (STREAMS - 1)]; /* NH Key */
|
||||
UINT8 data [HASH_BUF_BYTES]; /* Incomming data buffer */
|
||||
UINT8 data [HASH_BUF_BYTES]; /* Incoming data buffer */
|
||||
int next_data_empty; /* Bookeeping variable for data buffer. */
|
||||
int bytes_hashed; /* Bytes (out of L1_KEY_LEN) incorperated. */
|
||||
UINT64 state[STREAMS]; /* on-line state */
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
/* $OpenBSD: version.h,v 1.62 2011/08/02 23:13:01 djm Exp $ */
|
||||
/* $OpenBSD: version.h,v 1.64 2012/02/09 20:00:18 markus Exp $ */
|
||||
|
||||
#define SSH_VERSION "OpenSSH_5.9"
|
||||
#define SSH_VERSION "OpenSSH_6.0"
|
||||
|
|