upgrade to openssh 3.5. major changes include:

- krb4/5 support for privsep (krb5 diff was already applied)

includes fake implementation of getpeereid() from openssh-portable, which
does nothing useful - needs improvement.
This commit is contained in:
itojun 2002-10-01 14:07:26 +00:00
parent 5964b80cf8
commit ef7d24574a
62 changed files with 1214 additions and 487 deletions


@ -1,4 +1,4 @@
/* $NetBSD: auth-krb4.c,v 1.7 2002/06/24 05:48:26 itojun Exp $ */
/* $NetBSD: auth-krb4.c,v 1.8 2002/10/01 14:07:26 itojun Exp $ */
/*
* Copyright (c) 1999 Dug Song. All rights reserved.
*
@ -24,7 +24,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth-krb4.c,v 1.27 2002/06/11 05:46:20 mpech Exp $");
RCSID("$OpenBSD: auth-krb4.c,v 1.28 2002/09/26 11:38:43 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
@ -211,10 +211,9 @@ krb4_cleanup_proc(void *context)
}
int
auth_krb4(Authctxt *authctxt, KTEXT auth, char **client)
auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply)
{
AUTH_DAT adat = {0};
KTEXT_ST reply;
Key_schedule schedule;
struct sockaddr_in local, foreign;
char instance[INST_SZ];
@ -264,21 +263,16 @@ auth_krb4(Authctxt *authctxt, KTEXT auth, char **client)
/* If we can't successfully encrypt the checksum, we send back an
empty message, admitting our failure. */
if ((r = krb_mk_priv((u_char *) & cksum, reply.dat, sizeof(cksum) + 1,
if ((r = krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1,
schedule, &adat.session, &local, &foreign)) < 0) {
debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]);
reply.dat[0] = 0;
reply.length = 0;
reply->dat[0] = 0;
reply->length = 0;
} else
reply.length = r;
reply->length = r;
/* Clear session key. */
memset(&adat.session, 0, sizeof(&adat.session));
packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
packet_put_string((char *) reply.dat, reply.length);
packet_send();
packet_write_wait();
return (1);
}
#endif /* KRB4 */
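Review bot: `memset(&adat.session, 0, sizeof(&adat.session));` on the "Clear session key" line zeroes only sizeof(pointer) bytes, so most of the Kerberos v4 session key stays on the stack after auth_krb4 returns; the commit rewrites the lines directly above it but leaves this as is. The intended form is `memset(&adat.session, 0, sizeof(adat.session));`. Since the key is dead after that point a plain memset may also be dropped by the optimizer, so a clearing helper the compiler cannot elide would be more robust if the tree has one. auth_krb4 starts in the earlier hunk and its middle lies outside the shown hunks.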


@ -1,4 +1,4 @@
/* $NetBSD: auth-krb5.c,v 1.10 2002/09/09 06:45:17 itojun Exp $ */
/* $NetBSD: auth-krb5.c,v 1.11 2002/10/01 14:07:26 itojun Exp $ */
/*
* Kerberos v5 authentication and ticket-passing routines.
*
@ -29,7 +29,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth-krb5.c,v 1.8 2002/03/19 10:49:35 markus Exp $");
RCSID("$OpenBSD: auth-krb5.c,v 1.9 2002/09/09 06:48:06 itojun Exp $");
#include "ssh.h"
#include "ssh1.h"


@ -1,4 +1,4 @@
/* $NetBSD: auth.c,v 1.14 2002/06/24 05:48:27 itojun Exp $ */
/* $NetBSD: auth.c,v 1.15 2002/10/01 14:07:26 itojun Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -24,7 +24,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth.c,v 1.43 2002/05/17 14:27:55 millert Exp $");
RCSID("$OpenBSD: auth.c,v 1.45 2002/09/20 18:41:29 stevesk Exp $");
#include <libgen.h>
@ -430,7 +430,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
/*
* Check a given file for security. This is defined as all components
* of the path to the file must either be owned by either the owner of
* of the path to the file must be owned by either the owner of
* of the file or root and no directories must be group or world writable.
*
* XXX Should any specific check be done for sym links ?
@ -514,7 +514,12 @@ getpwnamallow(const char *user)
struct passwd *pw;
pw = getpwnam(user);
if (pw == NULL || !allowed_user(pw))
if (pw == NULL) {
log("Illegal user %.100s from %.100s",
user, get_remote_ipaddr());
return (NULL);
}
if (!allowed_user(pw))
return (NULL);
#ifdef HAVE_LOGIN_CAP
if ((lc = login_getclass(pw->pw_class)) == NULL) {
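Review bot: The reworded comment in the first hunk still reads `owner of` at the end of one line and `of the file` at the start of the next, so the doubled "of" survives the fix; the following line should read `* the file or root and no directories must be group or world writable.` In getpwnamallow, the new `log("Illegal user %.100s from %.100s", ...)` puts the client-supplied user name into the log, and I cannot see from this page whether the name is filtered before this point, so confirm that control characters cannot reach syslog through it. getpwnamallow's body continues outside the hunk.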


@ -1,5 +1,5 @@
/* $NetBSD: auth.h,v 1.13 2002/09/09 06:45:17 itojun Exp $ */
/* $OpenBSD: auth.h,v 1.39 2002/05/31 11:35:15 markus Exp $ */
/* $NetBSD: auth.h,v 1.14 2002/10/01 14:07:27 itojun Exp $ */
/* $OpenBSD: auth.h,v 1.41 2002/09/26 11:38:43 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -114,7 +114,7 @@ int user_key_allowed(struct passwd *, Key *);
#ifdef KRB4
#include <krb.h>
int auth_krb4(Authctxt *, KTEXT, char **);
int auth_krb4(Authctxt *, KTEXT, char **, KTEXT);
int auth_krb4_password(Authctxt *, const char *);
void krb4_cleanup_proc(void *);


@ -1,4 +1,4 @@
/* $NetBSD: auth1.c,v 1.19 2002/09/09 06:45:18 itojun Exp $ */
/* $NetBSD: auth1.c,v 1.20 2002/10/01 14:07:27 itojun Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@ -11,7 +11,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth1.c,v 1.41 2002/06/19 00:27:55 deraadt Exp $");
RCSID("$OpenBSD: auth1.c,v 1.44 2002/09/26 11:38:43 markus Exp $");
#include "xmalloc.h"
#include "rsa.h"
@ -117,17 +117,25 @@ do_authloop(Authctxt *authctxt)
if (kdata[0] == 4) { /* KRB_PROT_VERSION */
#ifdef KRB4
KTEXT_ST tkt;
KTEXT_ST tkt, reply;
tkt.length = dlen;
if (tkt.length < MAX_KTXT_LEN)
memcpy(tkt.dat, kdata, tkt.length);
if (auth_krb4(authctxt, &tkt, &client_user)) {
if (PRIVSEP(auth_krb4(authctxt, &tkt,
&client_user, &reply))) {
authenticated = 1;
snprintf(info, sizeof(info),
" tktuser %.100s",
client_user);
packet_start(
SSH_SMSG_AUTH_KERBEROS_RESPONSE);
packet_put_string((char *)
reply.dat, reply.length);
packet_send();
packet_write_wait();
xfree(client_user);
}
#endif /* KRB4 */
@ -308,7 +316,8 @@ do_authloop(Authctxt *authctxt)
authctxt->user);
/* Special handling for root */
if (authenticated && authctxt->pw->pw_uid == 0 &&
if (!use_privsep &&
authenticated && authctxt->pw->pw_uid == 0 &&
!auth_root_allowed(get_authname(type)))
authenticated = 0;
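Review bot: In the KRB4 branch `tkt.length = dlen` is assigned before the `tkt.length < MAX_KTXT_LEN` test, and when that test fails tkt.dat stays uninitialized while the auth_krb4 call still proceeds with the oversized length; under privsep mm_auth_krb4 (monitor_wrap.c) then does `buffer_put_string(&m, auth->dat, auth->length)`, which would read past the MAX_KTXT_LEN-byte array and ship stack contents to the monitor before the monitor's own `alen >= MAX_KTXT_LEN` check ever runs. Oversized tickets should be refused in the child, e.g. `if (dlen >= MAX_KTXT_LEN) fatal("Kerberos v4 ticket too large");` before the memcpy, or `tkt.length` should only be set once the bound holds. The second hunk (and its twin in auth2.c) guards the auth_root_allowed check with `!use_privsep`; the privsep-side enforcement is not on this page, so confirm the monitor applies the same root policy. do_authloop starts and ends outside the hunks.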


@ -1,4 +1,4 @@
/* $NetBSD: auth2.c,v 1.18 2002/07/01 06:17:11 itojun Exp $ */
/* $NetBSD: auth2.c,v 1.19 2002/10/01 14:07:27 itojun Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -24,7 +24,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth2.c,v 1.94 2002/06/30 21:54:16 deraadt Exp $");
RCSID("$OpenBSD: auth2.c,v 1.95 2002/08/22 21:33:58 markus Exp $");
#include "ssh2.h"
#include "xmalloc.h"
@ -196,7 +196,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
authctxt->user);
/* Special handling for root */
if (authenticated && authctxt->pw->pw_uid == 0 &&
if (!use_privsep &&
authenticated && authctxt->pw->pw_uid == 0 &&
!auth_root_allowed(method))
authenticated = 0;


@ -1,4 +1,4 @@
/* $NetBSD: authfd.c,v 1.12 2002/06/26 14:08:29 itojun Exp $ */
/* $NetBSD: authfd.c,v 1.13 2002/10/01 14:07:28 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -36,7 +36,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: authfd.c,v 1.56 2002/06/25 16:22:42 markus Exp $");
RCSID("$OpenBSD: authfd.c,v 1.57 2002/09/11 18:27:26 stevesk Exp $");
#include <openssl/evp.h>
@ -54,6 +54,8 @@ RCSID("$OpenBSD: authfd.c,v 1.56 2002/06/25 16:22:42 markus Exp $");
#include "log.h"
#include "atomicio.h"
static int agent_present = 0;
/* helper */
int decode_reply(int type);
@ -62,6 +64,21 @@ int decode_reply(int type);
((x == SSH_AGENT_FAILURE) || (x == SSH_COM_AGENT2_FAILURE) || \
(x == SSH2_AGENT_FAILURE))
int
ssh_agent_present(void)
{
int authfd;
if (agent_present)
return 1;
if ((authfd = ssh_get_authentication_socket()) == -1)
return 0;
else {
ssh_close_authentication_socket(authfd);
return 1;
}
}
/* Returns the number of the authentication fd, or -1 if there is none. */
int
@ -91,6 +108,7 @@ ssh_get_authentication_socket(void)
close(sock);
return -1;
}
agent_present = 1;
return sock;
}
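Review bot: `agent_present` is set once in ssh_get_authentication_socket and never cleared, so after the first successful connection ssh_agent_present() keeps reporting 1 even if the agent socket has since disappeared, and callers relying on it will only discover that on the real connect. If the sticky cache is intended, say so above the static: `/* sticky: once an agent socket has been opened, assume it stays reachable */`; otherwise drop the early return and probe each time. Stylistically, the `else` after `return 0` is redundant; the close/return pair can simply follow the if.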


@ -1,4 +1,4 @@
/* $NetBSD: canohost.c,v 1.13 2002/07/09 12:03:54 itojun Exp $ */
/* $NetBSD: canohost.c,v 1.14 2002/10/01 14:07:28 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -13,7 +13,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: canohost.c,v 1.33 2002/07/09 11:56:27 itojun Exp $");
RCSID("$OpenBSD: canohost.c,v 1.34 2002/09/23 20:46:27 stevesk Exp $");
#include "packet.h"
#include "xmalloc.h"
@ -197,18 +197,12 @@ get_socket_address(int socket, int remote, int flags)
if (remote) {
if (getpeername(socket, (struct sockaddr *)&addr, &addrlen)
< 0) {
debug("get_socket_ipaddr: getpeername failed: %.100s",
strerror(errno));
< 0)
return NULL;
}
} else {
if (getsockname(socket, (struct sockaddr *)&addr, &addrlen)
< 0) {
debug("get_socket_ipaddr: getsockname failed: %.100s",
strerror(errno));
< 0)
return NULL;
}
}
/* Get the address in ascii. */
if (getnameinfo((struct sockaddr *)&addr, addrlen, ntop, sizeof(ntop),
@ -222,13 +216,21 @@ get_socket_address(int socket, int remote, int flags)
char *
get_peer_ipaddr(int socket)
{
return get_socket_address(socket, 1, NI_NUMERICHOST);
char *p;
if ((p = get_socket_address(socket, 1, NI_NUMERICHOST)) != NULL)
return p;
return xstrdup("UNKNOWN");
}
char *
get_local_ipaddr(int socket)
{
return get_socket_address(socket, 0, NI_NUMERICHOST);
char *p;
if ((p = get_socket_address(socket, 0, NI_NUMERICHOST)) != NULL)
return p;
return xstrdup("UNKNOWN");
}
char *
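Review bot: The rewritten error paths in get_socket_address drop the `debug(... strerror(errno))` calls, so a failing getpeername/getsockname is now silent and errno is gone by the time the caller sees NULL; keep `debug("%s: getpeername failed: %.100s", __func__, strerror(errno));` (and the getsockname counterpart) before each `return NULL`. get_peer_ipaddr and get_local_ipaddr now substitute the string "UNKNOWN", so any caller that previously distinguished NULL from an address (for logging or for decisions keyed on the peer) now receives a plausible-looking string; a comment on both functions stating that the result is never NULL and may be "UNKNOWN" would make that visible at the call sites. get_socket_address begins outside the hunk.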


@ -1,4 +1,4 @@
/* $NetBSD: channels.c,v 1.24 2002/09/17 06:26:18 itojun Exp $ */
/* $NetBSD: channels.c,v 1.25 2002/10/01 14:07:28 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -40,7 +40,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: channels.c,v 1.179 2002/06/26 08:55:02 markus Exp $");
RCSID("$OpenBSD: channels.c,v 1.183 2002/09/17 07:47:02 itojun Exp $");
#include "ssh.h"
#include "ssh1.h"
@ -574,6 +574,7 @@ void
channel_send_open(int id)
{
Channel *c = channel_lookup(id);
if (c == NULL) {
log("channel_send_open: %d: bad id", id);
return;
@ -591,6 +592,7 @@ void
channel_request_start(int local_id, char *service, int wantconfirm)
{
Channel *c = channel_lookup(local_id);
if (c == NULL) {
log("channel_request_start: %d: unknown channel id", local_id);
return;
@ -605,6 +607,7 @@ void
channel_register_confirm(int id, channel_callback_fn *fn)
{
Channel *c = channel_lookup(id);
if (c == NULL) {
log("channel_register_comfirm: %d: bad id", id);
return;
@ -615,6 +618,7 @@ void
channel_register_cleanup(int id, channel_callback_fn *fn)
{
Channel *c = channel_lookup(id);
if (c == NULL) {
log("channel_register_cleanup: %d: bad id", id);
return;
@ -625,6 +629,7 @@ void
channel_cancel_cleanup(int id)
{
Channel *c = channel_lookup(id);
if (c == NULL) {
log("channel_cancel_cleanup: %d: bad id", id);
return;
@ -635,6 +640,7 @@ void
channel_register_filter(int id, channel_filter_fn *fn)
{
Channel *c = channel_lookup(id);
if (c == NULL) {
log("channel_register_filter: %d: bad id", id);
return;
@ -647,6 +653,7 @@ channel_set_fds(int id, int rfd, int wfd, int efd,
int extusage, int nonblock, u_int window_max)
{
Channel *c = channel_lookup(id);
if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
fatal("channel_activate for non-larval channel %d.", id);
channel_register_fds(c, rfd, wfd, efd, extusage, nonblock);
@ -817,6 +824,7 @@ static void
channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
{
int ret = x11_open_helper(&c->output);
if (ret == 1) {
/* Start normal processing for the channel. */
c->type = SSH_CHANNEL_OPEN;
@ -868,7 +876,7 @@ channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
static int
channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset)
{
u_char *p, *host;
char *p, *host;
int len, have, i, found;
char username[256];
struct {
@ -1397,6 +1405,7 @@ static void
channel_post_output_drain_13(Channel *c, fd_set * readset, fd_set * writeset)
{
int len;
/* Send buffered output data to the socket. */
if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) {
len = write(c->sock, buffer_ptr(&c->output),
@ -1474,6 +1483,7 @@ static void
channel_handler_init(void)
{
int i;
for (i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) {
channel_pre[i] = NULL;
channel_post[i] = NULL;
@ -2008,7 +2018,6 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
struct addrinfo hints, *ai, *aitop;
const char *host;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
struct linger linger;
success = 0;
host = (type == SSH_CHANNEL_RPORT_LISTENER) ?
@ -2051,13 +2060,13 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
continue;
}
/*
* Set socket options. We would like the socket to disappear
* as soon as it has been closed for whatever reason.
* Set socket options.
* Allow local port reuse in TIME_WAIT.
*/
setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
linger.l_onoff = 1;
linger.l_linger = 5;
setsockopt(sock, SOL_SOCKET, SO_LINGER, &linger, sizeof(linger));
if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on,
sizeof(on)) == -1)
error("setsockopt SO_REUSEADDR: %s", strerror(errno));
debug("Local forwarding listening on %s port %s.", ntop, strport);
/* Bind the socket to the address. */
@ -2579,6 +2588,7 @@ void
deny_input_open(int type, u_int32_t seq, void *ctxt)
{
int rchan = packet_get_int();
switch (type) {
case SSH_SMSG_AGENT_OPEN:
error("Warning: ssh server tried agent forwarding.");
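Review bot: In channel_decode_socks4 the request-buffer pointers `p` and `host` change from `u_char *` to `char *`, so byte reads through `p` (the SOCKS4 port and address fields) sign-extend on platforms where char is signed; the body is outside the hunk, so I cannot confirm how `p` is used, but if its bytes feed arithmetic or table indexes they should be read through `u_char`. In channel_setup_fwd_listener the reason SO_LINGER was dropped is not recorded anywhere; a one-line comment above the remaining setsockopt would stop the next reader from re-adding it. Both functions begin and end outside the hunks.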


@ -1,4 +1,4 @@
/* $NetBSD: cipher.c,v 1.11 2002/06/24 05:48:29 itojun Exp $ */
/* $NetBSD: cipher.c,v 1.12 2002/10/01 14:07:29 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -36,7 +36,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: cipher.c,v 1.60 2002/06/23 03:26:52 deraadt Exp $");
RCSID("$OpenBSD: cipher.c,v 1.61 2002/07/12 15:50:17 markus Exp $");
#include "xmalloc.h"
#include "log.h"
@ -526,7 +526,7 @@ evp_rijndael(void)
rijndal_cbc.cleanup = ssh_rijndael_cleanup;
rijndal_cbc.do_cipher = ssh_rijndael_cbc;
rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
EVP_CIPH_ALWAYS_CALL_INIT;
EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
return (&rijndal_cbc);
}
#endif
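Review bot: EVP_CIPH_CUSTOM_IV is added to rijndal_cbc.flags without a comment, and this flag changes how OpenSSL treats the IV for the cipher (EVP stops managing the IV itself), which is the kind of mode detail a later reader will want justified; propose `/* EVP_CIPH_CUSTOM_IV: the IV is handled by the ssh_rijndael_* callbacks, not by EVP */` above the assignment, adjusted to what ssh_rijndael_init actually does, since its body is not on this page. evp_rijndael begins outside the hunk.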


@ -1,4 +1,4 @@
/* $NetBSD: clientloop.c,v 1.21 2002/07/01 06:17:11 itojun Exp $ */
/* $NetBSD: clientloop.c,v 1.22 2002/10/01 14:07:30 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -60,7 +60,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: clientloop.c,v 1.103 2002/06/30 21:59:45 deraadt Exp $");
RCSID("$OpenBSD: clientloop.c,v 1.104 2002/08/22 19:38:42 stevesk Exp $");
#include "ssh.h"
#include "ssh1.h"
@ -636,16 +636,18 @@ process_escapes(Buffer *bin, Buffer *bout, Buffer *berr, char *buf, int len)
snprintf(string, sizeof string,
"%c?\r\n\
Supported escape sequences:\r\n\
~. - terminate connection\r\n\
~C - open a command line\r\n\
~R - Request rekey (SSH protocol 2 only)\r\n\
~^Z - suspend ssh\r\n\
~# - list forwarded connections\r\n\
~& - background ssh (when waiting for connections to terminate)\r\n\
~? - this message\r\n\
~~ - send the escape character by typing it twice\r\n\
%c. - terminate connection\r\n\
%cC - open a command line\r\n\
%cR - Request rekey (SSH protocol 2 only)\r\n\
%c^Z - suspend ssh\r\n\
%c# - list forwarded connections\r\n\
%c& - background ssh (when waiting for connections to terminate)\r\n\
%c? - this message\r\n\
%c%c - send the escape character by typing it twice\r\n\
(Note that escapes are only recognized immediately after newline.)\r\n",
escape_char);
escape_char, escape_char, escape_char, escape_char,
escape_char, escape_char, escape_char, escape_char,
escape_char, escape_char);
buffer_append(berr, string, strlen(string));
continue;

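--- /dev/null
+++ b/crypto/dist/ssh/getpeereid.c
@@ -0,0 +1,55 @@
+/* $NetBSD: getpeereid.c,v 1.1 2002/10/01 14:07:30 itojun Exp $ */
+/*
+* Copyright (c) 2002 Damien Miller. All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+*
+* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+#include "includes.h"
+#include "getpeereid.h"
+RCSID("Id: bsd-getpeereid.c,v 1.1 2002/09/12 00:33:02 djm Exp");
+#if defined(SO_PEERCRED)
+int
+getpeereid(int s, uid_t *euid, gid_t *gid)
+{
+struct ucred cred;
+size_t len = sizeof(cred);
+if (getsockopt(s, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
+return (-1);
+*euid = cred.uid;
+*gid = cred.gid;
+return (0);
+}
+#else
+int
+getpeereid(int s, uid_t *euid, gid_t *gid)
+{
+*euid = geteuid();
+*gid = getgid();
+return (0);
+}
+#endif /* defined(SO_PEERCRED) */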
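Review bot: The `#else` fallback returns 0 with the caller's own `geteuid()`/`getgid()`, so on a platform without SO_PEERCRED every peer looks like the local user and any caller that uses getpeereid() to decide whether a connecting process is allowed will accept all peers; a stub that cannot determine the peer should fail closed, e.g. `errno = ENOSYS; return (-1);` (with `#include <errno.h>`), so callers refuse instead of silently trusting. In the SO_PEERCRED branch `size_t len` is passed where getsockopt expects a `socklen_t *`; declare it `socklen_t len = sizeof(cred);`. A header comment stating that only the SO_PEERCRED variant reports the real peer identity would make the limitation visible at the call sites.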

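--- /dev/null
+++ b/crypto/dist/ssh/getpeereid.h
@@ -0,0 +1,11 @@
+/* $NetBSD: getpeereid.h,v 1.1 2002/10/01 14:07:31 itojun Exp $ */
+/* Id: bsd-getpeereid.h,v 1.1 2002/09/12 00:33:02 djm Exp */
+#ifndef _BSD_GETPEEREID_H
+#define _BSD_GETPEEREID_H
+#include <sys/types.h> /* For uid_t, gid_t */
+int getpeereid(int , uid_t *, gid_t *);
+#endif /* _BSD_GETPEEREID_H */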
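Review bot: The guard macro `_BSD_GETPEEREID_H` begins with an underscore followed by an uppercase letter, an identifier form reserved for the implementation in C; a project-prefixed name such as `BSD_GETPEEREID_H` avoids the clash. The prototype `int getpeereid(int , uid_t *, gid_t *);` also carries a stray space before the first comma.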


@ -1,4 +1,4 @@
/* $NetBSD: hostfile.c,v 1.8 2002/03/08 02:00:52 itojun Exp $ */
/* $NetBSD: hostfile.c,v 1.9 2002/10/01 14:07:31 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -37,7 +37,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: hostfile.c,v 1.29 2001/12/18 10:04:21 jakob Exp $");
RCSID("$OpenBSD: hostfile.c,v 1.30 2002/07/24 16:11:18 markus Exp $");
#include "packet.h"
#include "match.h"
@ -92,11 +92,14 @@ hostfile_check_key(int bits, Key *key, const char *host, const char *filename, i
* in the list of our known hosts. Returns HOST_OK if the host is known and
* has the specified key, HOST_NEW if the host is not known, and HOST_CHANGED
* if the host is known but used to have a different host key.
*
* If no 'key' has been specified and a key of type 'keytype' is known
* for the specified host, then HOST_FOUND is returned.
*/
HostStatus
check_host_in_hostfile(const char *filename, const char *host, Key *key,
Key *found, int *numret)
static HostStatus
check_host_in_hostfile_by_key_or_type(const char *filename,
const char *host, Key *key, int keytype, Key *found, int *numret)
{
FILE *f;
char line[8192];
@ -106,8 +109,7 @@ check_host_in_hostfile(const char *filename, const char *host, Key *key,
HostStatus end_return;
debug3("check_host_in_hostfile: filename %s", filename);
if (key == NULL)
fatal("no key to look up");
/* Open the file containing the list of known hosts. */
f = fopen(filename, "r");
if (!f)
@ -148,12 +150,20 @@ check_host_in_hostfile(const char *filename, const char *host, Key *key,
*/
if (!hostfile_read_key(&cp, &kbits, found))
continue;
if (!hostfile_check_key(kbits, found, host, filename, linenum))
continue;
if (numret != NULL)
*numret = linenum;
if (key == NULL) {
/* we found a key of the requested type */
if (found->type == keytype)
return HOST_FOUND;
continue;
}
if (!hostfile_check_key(kbits, found, host, filename, linenum))
continue;
/* Check if the current key is the same as the given key. */
if (key_equal(key, found)) {
/* Ok, they match. */
@ -178,6 +188,24 @@ check_host_in_hostfile(const char *filename, const char *host, Key *key,
return end_return;
}
HostStatus
check_host_in_hostfile(const char *filename, const char *host, Key *key,
Key *found, int *numret)
{
if (key == NULL)
fatal("no key to look up");
return (check_host_in_hostfile_by_key_or_type(filename, host, key, 0,
found, numret));
}
int
lookup_key_in_hostfile_by_type(const char *filename, const char *host,
int keytype, Key *found, int *numret)
{
return (check_host_in_hostfile_by_key_or_type(filename, host, NULL,
keytype, found, numret) == HOST_FOUND);
}
/*
* Appends an entry to the host file. Returns false if the entry could not
* be appended.
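Review bot: In the new `key == NULL` path of check_host_in_hostfile_by_key_or_type the hostfile_check_key() call is bypassed and `*numret` is written for every parsed line before the type test, so a by-type lookup hands back a key whose bit count was never validated and, on a miss, leaves numret at the last line read; if that is intended, the comment on lookup_key_in_hostfile_by_type should state that the returned key is unvalidated and numret is only meaningful when the lookup succeeds. The `debug3("check_host_in_hostfile: filename %s", filename)` inside the renamed helper now reports the wrong function name; `debug3("%s: filename %s", __func__, filename);` keeps it accurate. The helper's loop body continues outside the hunks.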


@ -1,5 +1,5 @@
/* $NetBSD: hostfile.h,v 1.6 2002/03/08 02:00:52 itojun Exp $ */
/* $OpenBSD: hostfile.h,v 1.10 2001/12/18 10:04:21 jakob Exp $ */
/* $NetBSD: hostfile.h,v 1.7 2002/10/01 14:07:31 itojun Exp $ */
/* $OpenBSD: hostfile.h,v 1.12 2002/09/08 20:24:08 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -16,12 +16,14 @@
#define HOSTFILE_H
typedef enum {
HOST_OK, HOST_NEW, HOST_CHANGED
HOST_OK, HOST_NEW, HOST_CHANGED, HOST_FOUND
} HostStatus;
int hostfile_read_key(char **, u_int *, Key *);
HostStatus
check_host_in_hostfile(const char *, const char *, Key *, Key *, int *);
int add_host_to_hostfile(const char *, const char *, Key *);
int
lookup_key_in_hostfile_by_type(const char *, const char *, int , Key *, int *);
#endif

crypto/dist/ssh/key.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: key.c,v 1.16 2002/07/01 06:17:11 itojun Exp $ */
/* $NetBSD: key.c,v 1.17 2002/10/01 14:07:32 itojun Exp $ */
/*
* read_bignum():
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -33,7 +33,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
RCSID("$OpenBSD: key.c,v 1.46 2002/06/30 21:59:45 deraadt Exp $");
RCSID("$OpenBSD: key.c,v 1.49 2002/09/09 14:54:14 markus Exp $");
#include <openssl/evp.h>
@ -495,7 +495,8 @@ key_write(Key *key, FILE *f)
{
int n, success = 0;
u_int len, bits = 0;
u_char *blob, *uu;
u_char *blob;
char *uu;
if (key->type == KEY_RSA1 && key->rsa != NULL) {
/* size of modulus 'n' */
@ -730,7 +731,6 @@ key_to_blob(Key *key, u_char **blobp, u_int *lenp)
{
Buffer b;
int len;
u_char *buf;
if (key == NULL) {
error("key_to_blob: key == NULL");
@ -756,14 +756,14 @@ key_to_blob(Key *key, u_char **blobp, u_int *lenp)
return 0;
}
len = buffer_len(&b);
buf = xmalloc(len);
memcpy(buf, buffer_ptr(&b), len);
memset(buffer_ptr(&b), 0, len);
buffer_free(&b);
if (lenp != NULL)
*lenp = len;
if (blobp != NULL)
*blobp = buf;
if (blobp != NULL) {
*blobp = xmalloc(len);
memcpy(*blobp, buffer_ptr(&b), len);
}
memset(buffer_ptr(&b), 0, len);
buffer_free(&b);
return len;
}

crypto/dist/ssh/log.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: log.c,v 1.3 2002/03/08 02:00:53 itojun Exp $ */
/* $NetBSD: log.c,v 1.4 2002/10/01 14:07:32 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -35,7 +35,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: log.c,v 1.22 2002/02/22 12:20:34 markus Exp $");
RCSID("$OpenBSD: log.c,v 1.24 2002/07/19 15:43:33 markus Exp $");
#include "log.h"
#include "xmalloc.h"
@ -90,6 +90,7 @@ SyslogFacility
log_facility_number(char *name)
{
int i;
if (name != NULL)
for (i = 0; log_facilities[i].name; i++)
if (strcasecmp(log_facilities[i].name, name) == 0)
@ -101,6 +102,7 @@ LogLevel
log_level_number(char *name)
{
int i;
if (name != NULL)
for (i = 0; log_levels[i].name; i++)
if (strcasecmp(log_levels[i].name, name) == 0)
@ -114,6 +116,7 @@ void
error(const char *fmt,...)
{
va_list args;
va_start(args, fmt);
do_log(SYSLOG_LEVEL_ERROR, fmt, args);
va_end(args);
@ -125,6 +128,7 @@ void
log(const char *fmt,...)
{
va_list args;
va_start(args, fmt);
do_log(SYSLOG_LEVEL_INFO, fmt, args);
va_end(args);
@ -136,6 +140,7 @@ void
verbose(const char *fmt,...)
{
va_list args;
va_start(args, fmt);
do_log(SYSLOG_LEVEL_VERBOSE, fmt, args);
va_end(args);
@ -147,6 +152,7 @@ void
debug(const char *fmt,...)
{
va_list args;
va_start(args, fmt);
do_log(SYSLOG_LEVEL_DEBUG1, fmt, args);
va_end(args);
@ -156,6 +162,7 @@ void
debug2(const char *fmt,...)
{
va_list args;
va_start(args, fmt);
do_log(SYSLOG_LEVEL_DEBUG2, fmt, args);
va_end(args);
@ -165,6 +172,7 @@ void
debug3(const char *fmt,...)
{
va_list args;
va_start(args, fmt);
do_log(SYSLOG_LEVEL_DEBUG3, fmt, args);
va_end(args);
@ -213,6 +221,18 @@ fatal_remove_cleanup(void (*proc) (void *context), void *context)
(u_long) proc, (u_long) context);
}
/* Remove all cleanups, to be called after fork() */
void
fatal_remove_all_cleanups(void)
{
struct fatal_cleanup *cu, *next_cu;
for (cu = fatal_cleanups; cu; cu = next_cu) {
next_cu = cu->next;
xfree(cu);
}
}
/* Cleanup and exit */
void
fatal_cleanup(void)
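Review bot: fatal_remove_all_cleanups frees every node but never resets the list head, so `fatal_cleanups` is left dangling and the next fatal_cleanup() in the forked child walks freed memory (and a later fatal_add_cleanup presumably links onto it); add `fatal_cleanups = NULL;` after the loop. The one-line comment says only when to call it; extend it to say that the registered handlers are discarded without being run, since that is the behaviour a caller after fork() is relying on.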


@ -1,5 +1,5 @@
/* $NetBSD: log.h,v 1.6 2002/06/24 05:48:31 itojun Exp $ */
/* $OpenBSD: log.h,v 1.7 2002/05/19 20:54:52 deraadt Exp $ */
/* $NetBSD: log.h,v 1.7 2002/10/01 14:07:32 itojun Exp $ */
/* $OpenBSD: log.h,v 1.8 2002/07/19 15:43:33 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -60,6 +60,7 @@ void debug3(const char *, ...) __attribute__((format(printf, 1, 2)));
void fatal_cleanup(void);
void fatal_add_cleanup(void (*) (void *), void *);
void fatal_remove_cleanup(void (*) (void *), void *);
void fatal_remove_all_cleanups(void);
void do_log(LogLevel, const char *, va_list);


@ -1,5 +1,5 @@
.\" $NetBSD: moduli.5,v 1.5 2002/06/13 00:14:26 wiz Exp $
.\" $OpenBSD: moduli.5,v 1.3 2001/06/24 18:50:52 provos Exp $
.\" $NetBSD: moduli.5,v 1.6 2002/10/01 14:07:32 itojun Exp $
.\" $OpenBSD: moduli.5,v 1.6 2002/09/18 07:36:32 deraadt Exp $
.\"
.\" Copyright 1997, 2000 William Allen Simpson <wsimpson@greendragon.com>
.\" All rights reserved.


@ -1,4 +1,4 @@
/* $NetBSD: monitor.c,v 1.8 2002/09/09 06:45:18 itojun Exp $ */
/* $NetBSD: monitor.c,v 1.9 2002/10/01 14:07:33 itojun Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -26,7 +26,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: monitor.c,v 1.21 2002/06/27 10:35:47 deraadt Exp $");
RCSID("$OpenBSD: monitor.c,v 1.29 2002/09/26 11:38:43 markus Exp $");
#include <openssl/dh.h>
@ -117,6 +117,9 @@ int mm_answer_rsa_response(int, Buffer *);
int mm_answer_sesskey(int, Buffer *);
int mm_answer_sessid(int, Buffer *);
#ifdef KRB4
int mm_answer_krb4(int, Buffer *);
#endif
#ifdef KRB5
int mm_answer_krb5(int, Buffer *);
#endif
@ -128,8 +131,8 @@ static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
static u_char *key_blob = NULL;
static u_int key_bloblen = 0;
static int key_blobtype = MM_NOKEY;
static u_char *hostbased_cuser = NULL;
static u_char *hostbased_chost = NULL;
static char *hostbased_cuser = NULL;
static char *hostbased_chost = NULL;
static char *auth_method = "unknown";
static int session_id2_len = 0;
static u_char *session_id2 = NULL;
@ -194,6 +197,9 @@ struct mon_table mon_dispatch_proto15[] = {
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
#endif
#ifdef KRB4
{MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4},
#endif
#ifdef KRB5
{MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
#endif
@ -576,7 +582,8 @@ mm_answer_authpassword(int socket, Buffer *m)
{
static int call_count;
char *passwd;
int authenticated, plen;
int authenticated;
u_int plen;
passwd = buffer_get_string(m, &plen);
/* Only authenticate if the context is valid */
@ -723,7 +730,8 @@ int
mm_answer_keyallowed(int socket, Buffer *m)
{
Key *key;
u_char *cuser, *chost, *blob;
char *cuser, *chost;
u_char *blob;
u_int bloblen;
enum mm_keytype type = 0;
int allowed = 0;
@ -799,7 +807,7 @@ static int
monitor_valid_userblob(u_char *data, u_int datalen)
{
Buffer b;
u_char *p;
char *p;
u_int len;
int fail = 0;
@ -852,11 +860,11 @@ monitor_valid_userblob(u_char *data, u_int datalen)
}
static int
monitor_valid_hostbasedblob(u_char *data, u_int datalen, u_char *cuser,
u_char *chost)
monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
char *chost)
{
Buffer b;
u_char *p;
char *p;
u_int len;
int fail = 0;
@ -974,8 +982,8 @@ mm_record_login(Session *s, struct passwd *pw)
* the address be 0.0.0.0.
*/
memset(&from, 0, sizeof(from));
fromlen = sizeof(from);
if (packet_connection_is_on_socket()) {
fromlen = sizeof(from);
if (getpeername(packet_get_connection_in(),
(struct sockaddr *) & from, &fromlen) < 0) {
debug("getpeername: %.100s", strerror(errno));
@ -985,7 +993,7 @@ mm_record_login(Session *s, struct passwd *pw)
/* Record that there was a login on that tty from the remote host. */
record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid,
get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
(struct sockaddr *)&from);
(struct sockaddr *)&from, fromlen);
}
static void
@ -1249,6 +1257,51 @@ mm_answer_rsa_response(int socket, Buffer *m)
return (success);
}
#ifdef KRB4
int
mm_answer_krb4(int socket, Buffer *m)
{
KTEXT_ST auth, reply;
char *client, *p;
int success;
u_int alen;
reply.length = auth.length = 0;
p = buffer_get_string(m, &alen);
if (alen >= MAX_KTXT_LEN)
fatal("%s: auth too large", __func__);
memcpy(auth.dat, p, alen);
auth.length = alen;
memset(p, 0, alen);
xfree(p);
success = options.kerberos_authentication &&
authctxt->valid &&
auth_krb4(authctxt, &auth, &client, &reply);
memset(auth.dat, 0, alen);
buffer_clear(m);
buffer_put_int(m, success);
if (success) {
buffer_put_cstring(m, client);
buffer_put_string(m, reply.dat, reply.length);
if (client)
xfree(client);
if (reply.length)
memset(reply.dat, 0, reply.length);
}
debug3("%s: sending result %d", __func__, success);
mm_request_send(socket, MONITOR_ANS_KRB4, m);
auth_method = "kerberos";
/* Causes monitor loop to terminate if authenticated */
return (success);
}
#endif
#ifdef KRB5
int
@ -1263,7 +1316,9 @@ mm_answer_krb5(int socket, Buffer *m)
tkt.data = buffer_get_string(m, &len);
tkt.length = len;
success = auth_krb5(authctxt, &tkt, &client_user, &reply);
success = options.kerberos_authentication &&
authctxt->valid &&
auth_krb5(authctxt, &tkt, &client_user, &reply);
if (tkt.length)
xfree(tkt.data);
@ -1462,10 +1517,10 @@ mm_get_keystate(struct monitor *pmonitor)
void *
mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
{
int len = size * ncount;
size_t len = size * ncount;
void *address;
if (len <= 0 || size > 65535 || ncount > 65535)
if (len == 0 || ncount > SIZE_T_MAX / size)
fatal("%s: mm_zalloc(%u, %u)", __func__, ncount, size);
address = mm_malloc(mm, len);
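Review bot: In mm_answer_krb4 the ticket and reply are wiped with plain `memset(p, 0, alen)` right before `xfree(p)` and `memset(reply.dat, 0, reply.length)` right before the function returns, stores a compiler is entitled to drop as dead; the same pattern appears in mm_auth_krb4 in monitor_wrap.c (`memset(p, 0, rlen); xfree(p);`). Route these through a clearing primitive the optimizer cannot elide if the tree has one, or at least a volatile-pointer helper. The reply wipe is also conditioned on `success` and on `reply.length`, so a reply partially written before a failure (auth_krb4 resets the length but not the buffer) is left in place; wiping `reply.dat` unconditionally with `sizeof(reply.dat)` is simpler and safer. mm_answer_krb4 is contained entirely within the hunk.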


@ -1,5 +1,5 @@
/* $NetBSD: monitor.h,v 1.2 2002/09/09 06:45:18 itojun Exp $ */
/* $OpenBSD: monitor.h,v 1.6 2002/06/11 05:46:20 mpech Exp $ */
/* $NetBSD: monitor.h,v 1.3 2002/10/01 14:07:33 itojun Exp $ */
/* $OpenBSD: monitor.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@ -50,6 +50,7 @@ enum monitor_reqtype {
MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
MONITOR_REQ_KRB4, MONITOR_ANS_KRB4,
MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
MONITOR_REQ_TERM
};


@ -1,4 +1,4 @@
/* $NetBSD: monitor_mm.c,v 1.2 2002/07/01 06:17:12 itojun Exp $ */
/* $NetBSD: monitor_mm.c,v 1.3 2002/10/01 14:07:33 itojun Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@ -25,7 +25,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: monitor_mm.c,v 1.7 2002/06/28 01:49:31 millert Exp $");
RCSID("$OpenBSD: monitor_mm.c,v 1.8 2002/08/02 14:43:15 millert Exp $");
#include <sys/mman.h>
@ -161,8 +161,10 @@ mm_malloc(struct mm_master *mm, size_t size)
if (size == 0)
fatal("mm_malloc: try to allocate 0 space");
if (size > SIZE_T_MAX - MM_MINSIZE + 1)
fatal("mm_malloc: size too big");
size = ((size + MM_MINSIZE - 1) / MM_MINSIZE) * MM_MINSIZE;
size = ((size + (MM_MINSIZE - 1)) / MM_MINSIZE) * MM_MINSIZE;
RB_FOREACH(mms, mmtree, &mm->rb_free) {
if (mms->size >= size)
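Review bot: The new guard `size > SIZE_T_MAX - MM_MINSIZE + 1` is correct but opaque: it exists so that `size + (MM_MINSIZE - 1)` on the following line cannot wrap before the round-up, and nothing says so; a one-line comment such as `/* the round-up to MM_MINSIZE below must not overflow size_t */` would make that obvious. mm_malloc begins and ends outside the hunk.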


@ -1,4 +1,4 @@
/* $NetBSD: monitor_wrap.c,v 1.6 2002/09/09 06:45:18 itojun Exp $ */
/* $NetBSD: monitor_wrap.c,v 1.7 2002/10/01 14:07:34 itojun Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -26,7 +26,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: monitor_wrap.c,v 1.14 2002/06/30 21:59:45 deraadt Exp $");
RCSID("$OpenBSD: monitor_wrap.c,v 1.19 2002/09/26 11:38:43 markus Exp $");
#include <openssl/bn.h>
#include <openssl/dh.h>
@ -445,7 +445,6 @@ mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp)
{
Buffer b;
int len;
u_char *buf;
Enc *enc;
Mac *mac;
Comp *comp;
@ -483,14 +482,14 @@ mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp)
buffer_put_cstring(&b, comp->name);
len = buffer_len(&b);
buf = xmalloc(len);
memcpy(buf, buffer_ptr(&b), len);
memset(buffer_ptr(&b), 0, len);
buffer_free(&b);
if (lenp != NULL)
*lenp = len;
if (blobp != NULL)
*blobp = buf;
if (blobp != NULL) {
*blobp = xmalloc(len);
memcpy(*blobp, buffer_ptr(&b), len);
}
memset(buffer_ptr(&b), 0, len);
buffer_free(&b);
return len;
}
@ -599,7 +598,7 @@ int
mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
{
Buffer m;
u_char *p;
char *p;
int success = 0;
buffer_init(&m);
@ -920,6 +919,42 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
return (success);
}
#ifdef KRB4
int
mm_auth_krb4(Authctxt *authctxt, void *_auth, char **client, void *_reply)
{
KTEXT auth, reply;
Buffer m;
u_int rlen;
int success = 0;
char *p;
debug3("%s entering", __func__);
auth = _auth;
reply = _reply;
buffer_init(&m);
buffer_put_string(&m, auth->dat, auth->length);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB4, &m);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB4, &m);
success = buffer_get_int(&m);
if (success) {
*client = buffer_get_string(&m, NULL);
p = buffer_get_string(&m, &rlen);
if (rlen >= MAX_KTXT_LEN)
fatal("%s: reply from monitor too large", __func__);
reply->length = rlen;
memcpy(reply->dat, p, rlen);
memset(p, 0, rlen);
xfree(p);
}
buffer_free(&m);
return (success);
}
#endif
#ifdef KRB5
int
mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
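Review bot: The bound check `if (rlen >= MAX_KTXT_LEN)` in the new mm_auth_krb4 rejects a reply of exactly MAX_KTXT_LEN bytes, although a KTEXT `dat` array of MAX_KTXT_LEN bytes would hold it; `if (rlen > MAX_KTXT_LEN)` is the exact bound. The stricter form is safe, so this is about making the intent explicit rather than a defect; a comment such as `/* reply->dat is MAX_KTXT_LEN bytes; refuse anything the monitor sends that would not fit */` would record why the length from the monitor is re-checked here. Zeroing `p` before `xfree(p)` is right since the buffer carries the encrypted session-key material; the same consideration applies to `reply->dat`, which is left to the caller.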


@ -1,5 +1,5 @@
/* $NetBSD: monitor_wrap.h,v 1.2 2002/09/09 06:45:19 itojun Exp $ */
/* $OpenBSD: monitor_wrap.h,v 1.5 2002/05/12 23:53:45 djm Exp $ */
/* $NetBSD: monitor_wrap.h,v 1.3 2002/10/01 14:07:34 itojun Exp $ */
/* $OpenBSD: monitor_wrap.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@ -45,7 +45,7 @@ DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
void mm_inform_authserv(char *, char *);
struct passwd *mm_getpwnamallow(const char *);
char* mm_auth2_read_banner(void);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *);
int mm_key_allowed(enum mm_keytype, char *, char *, Key *);
int mm_user_key_allowed(struct passwd *, Key *);
@ -80,7 +80,10 @@ int mm_bsdauth_respond(void *, u_int, char **);
int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_skey_respond(void *, u_int, char **);
/* auth_krb5 */
/* auth_krb */
#ifdef KRB4
int mm_auth_krb4(struct Authctxt *, void *, char **, void *);
#endif
#ifdef KRB5
/* auth and reply are really krb5_data objects, but we don't want to
* include all of the krb5 headers here */
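Review bot: The new `mm_auth_krb4` prototype takes two untyped `void *` parameters but, unlike the krb5 prototype just below it, carries no comment saying what they really are. Mirroring the krb5 note, `/* auth and reply are really KTEXT objects, but we don't want to include krb.h here */` placed above the `#ifdef KRB4` line would tell callers what to pass without reading monitor_wrap.c.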


@ -1,4 +1,4 @@
/* $NetBSD: packet.c,v 1.17 2002/06/24 05:48:31 itojun Exp $ */
/* $NetBSD: packet.c,v 1.18 2002/10/01 14:07:34 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -38,7 +38,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: packet.c,v 1.96 2002/06/23 21:10:02 deraadt Exp $");
RCSID("$OpenBSD: packet.c,v 1.97 2002/07/04 08:12:15 deraadt Exp $");
#include "xmalloc.h"
#include "buffer.h"
@ -135,6 +135,7 @@ void
packet_set_connection(int fd_in, int fd_out)
{
Cipher *none = cipher_by_name("none");
if (none == NULL)
fatal("packet_set_connection: cannot load cipher 'none'");
connection_in = fd_in;
@ -398,6 +399,7 @@ packet_set_encryption_key(const u_char *key, u_int keylen,
int number)
{
Cipher *cipher = cipher_by_number(number);
if (cipher == NULL)
fatal("packet_set_encryption_key: unknown cipher number %d", number);
if (keylen < 20)
@ -439,6 +441,7 @@ void
packet_put_char(int value)
{
char ch = value;
buffer_append(&outgoing_packet, &ch, 1);
}
void
@ -990,7 +993,8 @@ packet_read_poll2(u_int32_t *seqnr_p)
buffer_clear(&incoming_packet);
buffer_append(&incoming_packet, buffer_ptr(&compression_buffer),
buffer_len(&compression_buffer));
DBG(debug("input: len after de-compress %d", buffer_len(&incoming_packet)));
DBG(debug("input: len after de-compress %d",
buffer_len(&incoming_packet)));
}
/*
* get packet type, implies consume.
@ -1098,6 +1102,7 @@ u_int
packet_get_char(void)
{
char ch;
buffer_get(&incoming_packet, &ch, 1);
return (u_char) ch;
}
@ -1131,6 +1136,7 @@ void *
packet_get_raw(int *length_ptr)
{
int bytes = buffer_len(&incoming_packet);
if (length_ptr != NULL)
*length_ptr = bytes;
return buffer_ptr(&incoming_packet);
@ -1203,6 +1209,7 @@ packet_disconnect(const char *fmt,...)
char buf[1024];
va_list args;
static int disconnecting = 0;
if (disconnecting) /* Guard against recursive invocations. */
fatal("packet_disconnect called recursively.");
disconnecting = 1;
@ -1245,6 +1252,7 @@ void
packet_write_poll(void)
{
int len = buffer_len(&output);
if (len > 0) {
len = write(connection_out, buffer_ptr(&output), len);
if (len <= 0) {
@ -1358,6 +1366,7 @@ int
packet_set_maxsize(int s)
{
static int called = 0;
if (called) {
log("packet_set_maxsize: called twice: old %d new %d",
max_packet_size, s);


@ -1,4 +1,4 @@
/* $NetBSD: radix.c,v 1.9 2002/06/24 05:48:32 itojun Exp $ */
/* $NetBSD: radix.c,v 1.10 2002/10/01 14:07:35 itojun Exp $ */
/*
* Copyright (c) 1999 Dug Song. All rights reserved.
* Copyright (c) 2002 Markus Friedl. All rights reserved.
@ -27,7 +27,7 @@
#include "includes.h"
#include "uuencode.h"
RCSID("$OpenBSD: radix.c,v 1.21 2002/06/19 00:27:55 deraadt Exp $");
RCSID("$OpenBSD: radix.c,v 1.22 2002/09/09 14:54:15 markus Exp $");
#ifdef AFS
#include <krb.h>
@ -94,9 +94,10 @@ int
radix_to_creds(const char *buf, CREDENTIALS *creds)
{
Buffer b;
char c, version, *space, *p;
u_int endTime;
int len, blen, ret;
u_char *space;
char c, version, *p;
u_int endTime, len;
int blen, ret;
ret = 0;
blen = strlen(buf);


@ -1,5 +1,5 @@
/* $NetBSD: rijndael.c,v 1.4 2002/03/08 02:00:54 itojun Exp $ */
/* $OpenBSD: rijndael.c,v 1.13 2001/12/19 07:18:56 deraadt Exp $ */
/* $NetBSD: rijndael.c,v 1.5 2002/10/01 14:07:35 itojun Exp $ */
/* $OpenBSD: rijndael.c,v 1.14 2002/07/10 17:53:54 deraadt Exp $ */
/**
* rijndael-alg-fst.c
@ -1225,7 +1225,7 @@ rijndael_set_key(rijndael_ctx *ctx, u_char *key, int bits, int encrypt)
memset(ctx->dk, 0, sizeof(ctx->dk));
} else {
ctx->decrypt = 1;
memcpy(ctx->dk, ctx->ek, sizeof(ctx->ek));
memcpy(ctx->dk, ctx->ek, sizeof(ctx->dk));
rijndaelKeySetupDec(ctx->dk, key, bits, ctx->Nr);
}
}


@ -1,4 +1,4 @@
/* $NetBSD: servconf.c,v 1.20 2002/06/24 05:48:33 itojun Exp $ */
/* $NetBSD: servconf.c,v 1.21 2002/10/01 14:07:36 itojun Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@ -11,7 +11,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.112 2002/06/23 09:46:51 deraadt Exp $");
RCSID("$OpenBSD: servconf.c,v 1.115 2002/09/04 18:52:42 stevesk Exp $");
#if defined(KRB4) || defined(KRB5)
#include <krb.h>
@ -89,6 +89,7 @@ initialize_server_options(ServerOptions *options)
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
options->permit_empty_passwd = -1;
options->permit_user_env = -1;
options->use_login = -1;
options->compression = -1;
options->allow_tcp_forwarding = -1;
@ -141,7 +142,7 @@ fill_default_server_options(ServerOptions *options)
if (options->server_key_bits == -1)
options->server_key_bits = 768;
if (options->login_grace_time == -1)
options->login_grace_time = 600;
options->login_grace_time = 120;
if (options->key_regeneration_time == -1)
options->key_regeneration_time = 3600;
if (options->permit_root_login == PERMIT_NOT_SET)
@ -208,6 +209,8 @@ fill_default_server_options(ServerOptions *options)
options->challenge_response_authentication = 1;
if (options->permit_empty_passwd == -1)
options->permit_empty_passwd = 0;
if (options->permit_user_env == -1)
options->permit_user_env = 0;
if (options->use_login == -1)
options->use_login = 0;
if (options->compression == -1)
@ -263,7 +266,7 @@ typedef enum {
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
sStrictModes, sEmptyPasswd, sKeepAlives,
sUseLogin, sAllowTcpForwarding, sCompression,
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
@ -325,6 +328,7 @@ static struct {
{ "xauthlocation", sXAuthLocation },
{ "strictmodes", sStrictModes },
{ "permitemptypasswords", sEmptyPasswd },
{ "permituserenvironment", sPermitUserEnvironment },
{ "uselogin", sUseLogin },
{ "compression", sCompression },
{ "keepalive", sKeepAlives },
@ -682,6 +686,10 @@ parse_flag:
intptr = &options->permit_empty_passwd;
goto parse_flag;
case sPermitUserEnvironment:
intptr = &options->permit_user_env;
goto parse_flag;
case sUseLogin:
intptr = &options->use_login;
goto parse_flag;
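Review bot: The default change `options->login_grace_time = 120;` in fill_default_server_options is a user-visible behavior change, and nothing in view updates the sshd_config(5) manual or the shipped default sshd_config to match; if those files are not touched elsewhere in this commit they should state the new 120-second default. The new `permit_user_env` option defaulting to 0 is consistent with the session.c gate on reading ~/.ssh/environment; a short comment at the default, `/* off by default: a user-writable file must not alter sshd's environment unless the admin opts in */`, would document that the conservative default is deliberate.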


@ -1,5 +1,5 @@
/* $NetBSD: servconf.h,v 1.13 2002/06/24 05:48:34 itojun Exp $ */
/* $OpenBSD: servconf.h,v 1.58 2002/06/20 23:05:55 markus Exp $ */
/* $NetBSD: servconf.h,v 1.14 2002/10/01 14:07:36 itojun Exp $ */
/* $OpenBSD: servconf.h,v 1.59 2002/07/30 17:03:55 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -101,6 +101,7 @@ typedef struct {
int challenge_response_authentication;
int permit_empty_passwd; /* If false, do not permit empty
* passwords. */
int permit_user_env; /* If true, read ~/.ssh/environment */
int use_login; /* If true, login(1) is used */
int compression; /* If true, compression is allowed */
int allow_tcp_forwarding;


@ -1,4 +1,4 @@
/* $NetBSD: serverloop.c,v 1.19 2002/06/26 14:08:31 itojun Exp $ */
/* $NetBSD: serverloop.c,v 1.20 2002/10/01 14:07:37 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -36,13 +36,14 @@
*/
#include "includes.h"
RCSID("$OpenBSD: serverloop.c,v 1.103 2002/06/24 14:33:27 markus Exp $");
RCSID("$OpenBSD: serverloop.c,v 1.104 2002/09/19 16:03:15 stevesk Exp $");
#include "xmalloc.h"
#include "packet.h"
#include "buffer.h"
#include "log.h"
#include "servconf.h"
#include "canohost.h"
#include "sshpty.h"
#include "channels.h"
#include "compat.h"
@ -348,14 +349,17 @@ process_input(fd_set * readset)
if (FD_ISSET(connection_in, readset)) {
len = read(connection_in, buf, sizeof(buf));
if (len == 0) {
verbose("Connection closed by remote host.");
verbose("Connection closed by %.100s",
get_remote_ipaddr());
connection_closed = 1;
if (compat20)
return;
fatal_cleanup();
} else if (len < 0) {
if (errno != EINTR && errno != EAGAIN) {
verbose("Read error from remote host: %.100s", strerror(errno));
verbose("Read error from remote host "
"%.100s: %.100s",
get_remote_ipaddr(), strerror(errno));
fatal_cleanup();
}
} else {


@ -1,4 +1,4 @@
/* $NetBSD: session.c,v 1.26 2002/07/01 06:17:12 itojun Exp $ */
/* $NetBSD: session.c,v 1.27 2002/10/01 14:07:37 itojun Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@ -34,7 +34,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: session.c,v 1.143 2002/06/30 21:54:16 deraadt Exp $");
RCSID("$OpenBSD: session.c,v 1.150 2002/09/16 19:55:33 stevesk Exp $");
#include "ssh.h"
#include "ssh1.h"
@ -442,6 +442,8 @@ do_exec_no_pty(Session *s, const char *command)
/* Fork the child. */
if ((pid = fork()) == 0) {
fatal_remove_all_cleanups();
/* Child. Reinitialize the log since the pid has changed. */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -548,6 +550,7 @@ do_exec_pty(Session *s, const char *command)
/* Fork the child. */
if ((pid = fork()) == 0) {
fatal_remove_all_cleanups();
/* Child. Reinitialize the log because the pid has changed. */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -645,8 +648,8 @@ do_login(Session *s, const char *command)
* the address be 0.0.0.0.
*/
memset(&from, 0, sizeof(from));
fromlen = sizeof(from);
if (packet_connection_is_on_socket()) {
fromlen = sizeof(from);
if (getpeername(packet_get_connection_in(),
(struct sockaddr *) & from, &fromlen) < 0) {
debug("getpeername: %.100s", strerror(errno));
@ -659,7 +662,7 @@ do_login(Session *s, const char *command)
record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
get_remote_name_or_ip(utmp_len,
options.verify_reverse_mapping),
(struct sockaddr *)&from);
(struct sockaddr *)&from, fromlen);
if (check_quietlogin(s, command))
return;
@ -846,8 +849,10 @@ do_setup_env(Session *s, const char *shell)
child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
child_set_env(&env, &envsize, "HOME", pw->pw_dir);
#ifdef HAVE_LOGIN_CAP
(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH);
child_set_env(&env, &envsize, "PATH", getenv("PATH"));
if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
else
child_set_env(&env, &envsize, "PATH", getenv("PATH"));
#else
child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
#endif
@ -880,10 +885,16 @@ do_setup_env(Session *s, const char *shell)
}
}
/* SSH_CLIENT deprecated */
snprintf(buf, sizeof buf, "%.50s %d %d",
get_remote_ipaddr(), get_remote_port(), get_local_port());
child_set_env(&env, &envsize, "SSH_CLIENT", buf);
snprintf(buf, sizeof buf, "%.50s %d %.50s %d",
get_remote_ipaddr(), get_remote_port(),
get_local_ipaddr(packet_get_connection_in()), get_local_port());
child_set_env(&env, &envsize, "SSH_CONNECTION", buf);
if (s->ttyfd != -1)
child_set_env(&env, &envsize, "SSH_TTY", s->tty);
if (s->term)
@ -908,7 +919,7 @@ do_setup_env(Session *s, const char *shell)
auth_sock_name);
/* read $HOME/.ssh/environment. */
if (!options.use_login) {
if (options.permit_user_env && !options.use_login) {
snprintf(buf, sizeof buf, "%.200s/.ssh/environment",
pw->pw_dir);
read_environment_file(&env, &envsize, buf);
@ -1005,6 +1016,8 @@ do_nologin(struct passwd *pw)
#endif
if (f) {
/* /etc/nologin exists. Print its contents and exit. */
log("User %.100s not allowed because %s exists",
pw->pw_name, _PATH_NOLOGIN);
while (fgets(buf, sizeof(buf), f))
fputs(buf, stderr);
fclose(f);
@ -1610,6 +1623,27 @@ session_pty_cleanup(void *session)
PRIVSEP(session_pty_cleanup2(session));
}
static char *
sig2name(int sig)
{
#define SSH_SIG(x) if (sig == SIG ## x) return #x
SSH_SIG(ABRT);
SSH_SIG(ALRM);
SSH_SIG(FPE);
SSH_SIG(HUP);
SSH_SIG(ILL);
SSH_SIG(INT);
SSH_SIG(KILL);
SSH_SIG(PIPE);
SSH_SIG(QUIT);
SSH_SIG(SEGV);
SSH_SIG(TERM);
SSH_SIG(USR1);
SSH_SIG(USR2);
#undef SSH_SIG
return "SIG@openssh.com";
}
static void
session_exit_message(Session *s, int status)
{
@ -1627,7 +1661,7 @@ session_exit_message(Session *s, int status)
packet_send();
} else if (WIFSIGNALED(status)) {
channel_request_start(s->chanid, "exit-signal", 0);
packet_put_int(WTERMSIG(status));
packet_put_cstring(sig2name(WTERMSIG(status)));
packet_put_char(WCOREDUMP(status));
packet_put_cstring("");
packet_put_cstring("");
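Review bot: `sig2name` returns string literals, so its return type should be `static const char *` rather than `static char *`; `packet_put_cstring` takes a `const char *`, so the caller needs no change. The `SSH_SIG` macro defined and `#undef`'d inside the function body is an unusual way to write a lookup; a `switch (sig)` with `case SIGABRT: return "ABRT";` per signal reads more directly and lets the compiler diagnose duplicate cases. A comment on the `return "SIG@openssh.com";` line explaining that unrecognised signals are reported with a vendor-qualified name as the protocol requires would also help the next reader.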


@ -1,4 +1,4 @@
/* $NetBSD: sftp-client.c,v 1.17 2002/07/01 05:56:45 itojun Exp $ */
/* $NetBSD: sftp-client.c,v 1.18 2002/10/01 14:07:38 itojun Exp $ */
/*
* Copyright (c) 2001,2002 Damien Miller. All rights reserved.
*
@ -29,7 +29,7 @@
/* XXX: copy between two remote sites */
#include "includes.h"
RCSID("$OpenBSD: sftp-client.c,v 1.34 2002/06/27 10:35:47 deraadt Exp $");
RCSID("$OpenBSD: sftp-client.c,v 1.35 2002/09/11 22:41:49 djm Exp $");
#include <sys/queue.h>
@ -415,12 +415,6 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
return(0);
}
int
do_ls(struct sftp_conn *conn, char *path)
{
return(do_lsreaddir(conn, path, 1, NULL));
}
int
do_readdir(struct sftp_conn *conn, char *path, SFTP_DIRENT ***dir)
{


@ -1,5 +1,5 @@
/* $NetBSD: sftp-client.h,v 1.6 2002/06/24 05:48:35 itojun Exp $ */
/* $OpenBSD: sftp-client.h,v 1.10 2002/06/23 09:30:14 deraadt Exp $ */
/* $NetBSD: sftp-client.h,v 1.7 2002/10/01 14:07:39 itojun Exp $ */
/* $OpenBSD: sftp-client.h,v 1.11 2002/09/11 22:41:50 djm Exp $ */
/*
* Copyright (c) 2001,2002 Damien Miller. All rights reserved.
@ -49,9 +49,6 @@ u_int sftp_proto_version(struct sftp_conn *);
/* Close file referred to by 'handle' */
int do_close(struct sftp_conn *, char *, u_int);
/* List contents of directory 'path' to stdout */
int do_ls(struct sftp_conn *, char *);
/* Read contents of 'path' to NULL-terminated array 'dir' */
int do_readdir(struct sftp_conn *, char *, SFTP_DIRENT ***);


@ -1,4 +1,4 @@
/* $NetBSD: sftp-common.c,v 1.5 2002/06/24 05:48:35 itojun Exp $ */
/* $NetBSD: sftp-common.c,v 1.6 2002/10/01 14:07:39 itojun Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2001 Damien Miller. All rights reserved.
@ -25,7 +25,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: sftp-common.c,v 1.6 2002/06/23 09:30:14 deraadt Exp $");
RCSID("$OpenBSD: sftp-common.c,v 1.7 2002/09/11 22:41:50 djm Exp $");
#include "buffer.h"
#include "bufaux.h"
@ -66,6 +66,26 @@ stat_to_attrib(struct stat *st, Attrib *a)
a->mtime = st->st_mtime;
}
/* Convert from filexfer attribs to struct stat */
void
attrib_to_stat(Attrib *a, struct stat *st)
{
memset(st, 0, sizeof(*st));
if (a->flags & SSH2_FILEXFER_ATTR_SIZE)
st->st_size = a->size;
if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
st->st_uid = a->uid;
st->st_gid = a->gid;
}
if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)
st->st_mode = a->perm;
if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
st->st_atime = a->atime;
st->st_mtime = a->mtime;
}
}
/* Decode attributes in buffer */
Attrib *
decode_attrib(Buffer *b)
@ -150,3 +170,45 @@ fx2txt(int status)
}
/* NOTREACHED */
}
/*
* drwxr-xr-x 5 markus markus 1024 Jan 13 18:39 .ssh
*/
char *
ls_file(char *name, struct stat *st, int remote)
{
int ulen, glen, sz = 0;
struct passwd *pw;
struct group *gr;
struct tm *ltime = localtime(&st->st_mtime);
char *user, *group;
char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1];
strmode(st->st_mode, mode);
if (!remote && (pw = getpwuid(st->st_uid)) != NULL) {
user = pw->pw_name;
} else {
snprintf(ubuf, sizeof ubuf, "%u", (u_int)st->st_uid);
user = ubuf;
}
if (!remote && (gr = getgrgid(st->st_gid)) != NULL) {
group = gr->gr_name;
} else {
snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid);
group = gbuf;
}
if (ltime != NULL) {
if (time(NULL) - st->st_mtime < (365*24*60*60)/2)
sz = strftime(tbuf, sizeof tbuf, "%b %e %H:%M", ltime);
else
sz = strftime(tbuf, sizeof tbuf, "%b %e %Y", ltime);
}
if (sz == 0)
tbuf[0] = '\0';
ulen = MAX(strlen(user), 8);
glen = MAX(strlen(group), 8);
snprintf(buf, sizeof buf, "%s %3d %-*s %-*s %8llu %s %s", mode,
st->st_nlink, ulen, user, glen, group,
(u_int64_t)st->st_size, tbuf, name);
return xstrdup(buf);
}
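Review bot: In `ls_file` the `%8llu` conversion is paired with a `(u_int64_t)st->st_size` cast, but `%llu` requires an `unsigned long long` argument and `u_int64_t` is not guaranteed to be that type on every platform. The copy of this function removed from sftp-server.c in the same commit used `(unsigned long long)st->st_size`, which is the portable form and should be kept here. A short comment on the new `remote` parameter, `/* remote: never resolve uid/gid to names, the ids belong to the server's namespace */`, would explain why name lookup is skipped.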


@ -1,5 +1,5 @@
/* $NetBSD: sftp-common.h,v 1.3 2001/09/27 03:24:05 itojun Exp $ */
/* $OpenBSD: sftp-common.h,v 1.3 2001/06/26 17:27:24 markus Exp $ */
/* $NetBSD: sftp-common.h,v 1.4 2002/10/01 14:07:39 itojun Exp $ */
/* $OpenBSD: sftp-common.h,v 1.4 2002/09/11 22:41:50 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@ -41,7 +41,9 @@ struct Attrib {
void attrib_clear(Attrib *);
void stat_to_attrib(struct stat *, Attrib *);
void attrib_to_stat(Attrib *, struct stat *);
Attrib *decode_attrib(Buffer *);
void encode_attrib(Buffer *, Attrib *);
char *ls_file(char *, struct stat *, int);
const char *fx2txt(int);


@ -1,4 +1,4 @@
/* $NetBSD: sftp-glob.c,v 1.9 2002/07/01 06:17:12 itojun Exp $ */
/* $NetBSD: sftp-glob.c,v 1.10 2002/10/01 14:07:39 itojun Exp $ */
/*
* Copyright (c) 2001,2002 Damien Miller. All rights reserved.
*
@ -24,7 +24,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: sftp-glob.c,v 1.11 2002/06/30 21:59:45 deraadt Exp $");
RCSID("$OpenBSD: sftp-glob.c,v 1.13 2002/09/11 22:41:50 djm Exp $");
#include <glob.h>
@ -54,8 +54,10 @@ fudge_opendir(const char *path)
r = xmalloc(sizeof(*r));
if (do_readdir(cur.conn, (char *)path, &r->dir))
if (do_readdir(cur.conn, (char *)path, &r->dir)) {
xfree(r);
return(NULL);
}
r->offset = 0;
@ -84,25 +86,6 @@ fudge_closedir(struct SFTP_OPENDIR *od)
xfree(od);
}
static void
attrib_to_stat(Attrib *a, struct stat *st)
{
memset(st, 0, sizeof(*st));
if (a->flags & SSH2_FILEXFER_ATTR_SIZE)
st->st_size = a->size;
if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
st->st_uid = a->uid;
st->st_gid = a->gid;
}
if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)
st->st_mode = a->perm;
if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
st->st_atime = a->atime;
st->st_mtime = a->mtime;
}
}
static int
fudge_lstat(const char *path, struct stat *st)
{


@ -1,5 +1,5 @@
/* $NetBSD: sftp-glob.h,v 1.5 2002/04/22 07:59:44 itojun Exp $ */
/* $OpenBSD: sftp-glob.h,v 1.7 2002/03/19 10:49:35 markus Exp $ */
/* $NetBSD: sftp-glob.h,v 1.6 2002/10/01 14:07:39 itojun Exp $ */
/* $OpenBSD: sftp-glob.h,v 1.8 2002/09/11 22:41:50 djm Exp $ */
/*
* Copyright (c) 2001,2002 Damien Miller. All rights reserved.
@ -32,8 +32,7 @@
#include "sftp-client.h"
int
remote_glob(struct sftp_conn *, const char *, int,
int remote_glob(struct sftp_conn *, const char *, int,
int (*)(const char *, int), glob_t *);
#endif


@ -1,4 +1,4 @@
/* $NetBSD: sftp-int.c,v 1.14 2002/06/24 05:48:35 itojun Exp $ */
/* $NetBSD: sftp-int.c,v 1.15 2002/10/01 14:07:40 itojun Exp $ */
/*
* Copyright (c) 2001,2002 Damien Miller. All rights reserved.
*
@ -23,11 +23,10 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* XXX: globbed ls */
/* XXX: recursive operations */
#include "includes.h"
RCSID("$OpenBSD: sftp-int.c,v 1.47 2002/06/23 09:30:14 deraadt Exp $");
RCSID("$OpenBSD: sftp-int.c,v 1.49 2002/09/12 00:13:06 djm Exp $");
#include <glob.h>
@ -204,6 +203,25 @@ local_do_ls(const char *args)
}
}
/* Strip one path (usually the pwd) from the start of another */
static char *
path_strip(char *path, char *strip)
{
size_t len;
if (strip == NULL)
return (xstrdup(path));
len = strlen(strip);
if (strip != NULL && strncmp(path, strip, len) == 0) {
if (strip[len - 1] != '/' && path[len] == '/')
len++;
return (xstrdup(path + len));
}
return (xstrdup(path));
}
static char *
path_append(char *p1, char *p2)
{
@ -212,7 +230,7 @@ path_append(char *p1, char *p2)
ret = xmalloc(len);
strlcpy(ret, p1, len);
if (strcmp(p1, "/") != 0)
if (p1[strlen(p1) - 1] != '/')
strlcat(ret, "/", len);
strlcat(ret, p2, len);
@ -276,6 +294,29 @@ parse_getput_flags(const char **cpp, int *pflag)
return(0);
}
static int
parse_ls_flags(const char **cpp, int *lflag)
{
const char *cp = *cpp;
/* Check for flags */
if (cp++[0] == '-') {
for(; strchr(WHITESPACE, *cp) == NULL; cp++) {
switch (*cp) {
case 'l':
*lflag = 1;
break;
default:
error("Invalid flag -%c", *cp);
return(-1);
}
}
*cpp = cp + strspn(cp, WHITESPACE);
}
return(0);
}
static int
get_pathname(const char **cpp, char **path)
{
@ -507,8 +548,129 @@ out:
}
static int
parse_args(const char **cpp, int *pflag, unsigned long *n_arg,
char **path1, char **path2)
sdirent_comp(const void *aa, const void *bb)
{
SFTP_DIRENT *a = *(SFTP_DIRENT **)aa;
SFTP_DIRENT *b = *(SFTP_DIRENT **)bb;
return (strcmp(a->filename, b->filename));
}
/* sftp ls.1 replacement for directories */
static int
do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
{
int n;
SFTP_DIRENT **d;
if ((n = do_readdir(conn, path, &d)) != 0)
return (n);
/* Count entries for sort */
for (n = 0; d[n] != NULL; n++)
;
qsort(d, n, sizeof(*d), sdirent_comp);
for (n = 0; d[n] != NULL; n++) {
char *tmp, *fname;
tmp = path_append(path, d[n]->filename);
fname = path_strip(tmp, strip_path);
xfree(tmp);
if (lflag) {
char *lname;
struct stat sb;
memset(&sb, 0, sizeof(sb));
attrib_to_stat(&d[n]->a, &sb);
lname = ls_file(fname, &sb, 1);
printf("%s\n", lname);
xfree(lname);
} else {
/* XXX - multicolumn display would be nice here */
printf("%s\n", fname);
}
xfree(fname);
}
free_sftp_dirents(d);
return (0);
}
/* sftp ls.1 replacement which handles path globs */
static int
do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
int lflag)
{
glob_t g;
int i;
Attrib *a;
struct stat sb;
memset(&g, 0, sizeof(g));
if (remote_glob(conn, path, GLOB_MARK|GLOB_NOCHECK|GLOB_BRACE,
NULL, &g)) {
error("Can't ls: \"%s\" not found", path);
return (-1);
}
/*
* If the glob returns a single match, which is the same as the
* input glob, and it is a directory, then just list its contents
*/
if (g.gl_pathc == 1 &&
strncmp(path, g.gl_pathv[0], strlen(g.gl_pathv[0]) - 1) == 0) {
if ((a = do_lstat(conn, path, 1)) == NULL) {
globfree(&g);
return (-1);
}
if ((a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) &&
S_ISDIR(a->perm)) {
globfree(&g);
return (do_ls_dir(conn, path, strip_path, lflag));
}
}
for (i = 0; g.gl_pathv[i]; i++) {
char *fname, *lname;
fname = path_strip(g.gl_pathv[i], strip_path);
if (lflag) {
/*
* XXX: this is slow - 1 roundtrip per path
* A solution to this is to fork glob() and
* build a sftp specific version which keeps the
* attribs (which currently get thrown away)
* that the server returns as well as the filenames.
*/
memset(&sb, 0, sizeof(sb));
a = do_lstat(conn, g.gl_pathv[i], 1);
if (a != NULL)
attrib_to_stat(a, &sb);
lname = ls_file(fname, &sb, 1);
printf("%s\n", lname);
xfree(lname);
} else {
/* XXX - multicolumn display would be nice here */
printf("%s\n", fname);
}
xfree(fname);
}
if (g.gl_pathc)
globfree(&g);
return (0);
}
static int
parse_args(const char **cpp, int *pflag, int *lflag,
unsigned long *n_arg, char **path1, char **path2)
{
const char *cmd, *cp = *cpp;
char *cp2;
@ -548,7 +710,7 @@ parse_args(const char **cpp, int *pflag, unsigned long *n_arg,
}
/* Get arguments and parse flags */
*pflag = *n_arg = 0;
*lflag = *pflag = *n_arg = 0;
*path1 = *path2 = NULL;
switch (cmdnum) {
case I_GET:
@ -595,6 +757,8 @@ parse_args(const char **cpp, int *pflag, unsigned long *n_arg,
}
break;
case I_LS:
if (parse_ls_flags(&cp, lflag))
return(-1);
/* Path is optional */
if (get_pathname(&cp, path1))
return(-1);
@ -655,7 +819,7 @@ static int
parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd)
{
char *path1, *path2, *tmp;
int pflag, cmdnum, i;
int pflag, lflag, cmdnum, i;
unsigned long n_arg;
Attrib a, *aa;
char path_buf[MAXPATHLEN];
@ -663,7 +827,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd)
glob_t g;
path1 = path2 = NULL;
cmdnum = parse_args(&cmd, &pflag, &n_arg, &path1, &path2);
cmdnum = parse_args(&cmd, &pflag, &lflag, &n_arg,
&path1, &path2);
memset(&g, 0, sizeof(g));
@ -735,22 +900,18 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd)
break;
case I_LS:
if (!path1) {
do_ls(conn, *pwd);
do_globbed_ls(conn, *pwd, *pwd, lflag);
break;
}
/* Strip pwd off beginning of non-absolute paths */
tmp = NULL;
if (*path1 != '/')
tmp = *pwd;
path1 = make_absolute(path1, *pwd);
if ((tmp = do_realpath(conn, path1)) == NULL)
break;
xfree(path1);
path1 = tmp;
if ((aa = do_stat(conn, path1, 0)) == NULL)
break;
if ((aa->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) &&
!S_ISDIR(aa->perm)) {
error("Can't ls: \"%s\" is not a directory", path1);
break;
}
do_ls(conn, path1);
do_globbed_ls(conn, path1, tmp, lflag);
break;
case I_LCHDIR:
if (chdir(path1) == -1) {
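Review bot: In the new `path_strip`, `strip[len - 1]` reads before the start of `strip` when it is an empty string, because `len` is a `size_t` and `len - 1` wraps; the `strip != NULL` test on the same `if` is redundant after the early return two lines above. Changing that line to `if (len > 0 && strncmp(path, strip, len) == 0) {` closes both. The current callers pass `*pwd` or the result of `do_realpath`, so an empty prefix is unlikely but not ruled out here. Separately, `do_ls_dir` and `do_globbed_ls` print server-supplied filenames with a bare `printf("%s\n", fname)`; escaping non-printable characters, e.g. with vis(3), before output would keep a hostile server's directory entries from emitting raw control sequences to the user's terminal.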


@ -1,4 +1,4 @@
/* $NetBSD: sftp-server.c,v 1.16 2002/06/26 14:08:32 itojun Exp $ */
/* $NetBSD: sftp-server.c,v 1.17 2002/10/01 14:07:40 itojun Exp $ */
/*
* Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved.
*
@ -23,7 +23,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
RCSID("$OpenBSD: sftp-server.c,v 1.37 2002/06/24 17:57:20 deraadt Exp $");
RCSID("$OpenBSD: sftp-server.c,v 1.38 2002/09/11 22:41:50 djm Exp $");
#include "buffer.h"
#include "bufaux.h"
@ -676,48 +676,6 @@ process_opendir(void)
xfree(path);
}
/*
* drwxr-xr-x 5 markus markus 1024 Jan 13 18:39 .ssh
*/
static char *
ls_file(char *name, struct stat *st)
{
int ulen, glen, sz = 0;
struct passwd *pw;
struct group *gr;
struct tm *ltime = localtime(&st->st_mtime);
char *user, *group;
char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1];
strmode(st->st_mode, mode);
if ((pw = getpwuid(st->st_uid)) != NULL) {
user = pw->pw_name;
} else {
snprintf(ubuf, sizeof ubuf, "%u", (u_int)st->st_uid);
user = ubuf;
}
if ((gr = getgrgid(st->st_gid)) != NULL) {
group = gr->gr_name;
} else {
snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid);
group = gbuf;
}
if (ltime != NULL) {
if (time(NULL) - st->st_mtime < (365*24*60*60)/2)
sz = strftime(tbuf, sizeof tbuf, "%b %e %H:%M", ltime);
else
sz = strftime(tbuf, sizeof tbuf, "%b %e %Y", ltime);
}
if (sz == 0)
tbuf[0] = '\0';
ulen = MAX(strlen(user), 8);
glen = MAX(strlen(group), 8);
snprintf(buf, sizeof buf, "%s %3d %-*s %-*s %8llu %s %s", mode,
st->st_nlink, ulen, user, glen, group,
(unsigned long long)st->st_size, tbuf, name);
return xstrdup(buf);
}
static void
process_readdir(void)
{
@ -753,7 +711,7 @@ process_readdir(void)
continue;
stat_to_attrib(&st, &(stats[count].attrib));
stats[count].name = xstrdup(dp->d_name);
stats[count].long_name = ls_file(dp->d_name, &st);
stats[count].long_name = ls_file(dp->d_name, &st, 0);
count++;
/* send up to 100 entries in one message */
/* XXX check packet size instead */


@ -1,5 +1,5 @@
.\" $NetBSD: sftp.1,v 1.9 2002/06/24 05:48:35 itojun Exp $
.\" $OpenBSD: sftp.1,v 1.35 2002/06/20 20:00:05 stevesk Exp $
.\" $NetBSD: sftp.1,v 1.10 2002/10/01 14:07:40 itojun Exp $
.\" $OpenBSD: sftp.1,v 1.36 2002/09/11 22:41:50 djm Exp $
.\"
.\" Copyright (c) 2001 Damien Miller. All rights reserved.
.\"
@ -203,12 +203,18 @@ to
.Ar newpath .
.It Ic lpwd
Print local working directory.
.It Ic ls Op Ar path
.It Xo Ic ls
.Op Ar flags
.Op Ar path
.Xc
Display remote directory listing of either
.Ar path
or current directory if
.Ar path
is not specified.
is not specified. If the
.Fl l
flag is specified, then display additional details including permissions
and ownership information.
.It Ic lumask Ar umask
Set local umask to
.Ar umask .


@ -1,4 +1,4 @@
/* $NetBSD: sftp.c,v 1.12 2002/06/24 05:48:36 itojun Exp $ */
/* $NetBSD: sftp.c,v 1.13 2002/10/01 14:07:41 itojun Exp $ */
/*
* Copyright (c) 2001,2002 Damien Miller. All rights reserved.
*
@ -25,7 +25,7 @@
#include "includes.h"
RCSID("$OpenBSD: sftp.c,v 1.30 2002/06/23 09:30:14 deraadt Exp $");
RCSID("$OpenBSD: sftp.c,v 1.31 2002/07/25 01:16:59 mouring Exp $");
/* XXX: short-form remote directory listings (like 'ls -C') */
@ -116,7 +116,6 @@ main(int argc, char **argv)
args.list = NULL;
addargs(&args, "ssh"); /* overwritten with ssh_program */
addargs(&args, "-oFallBackToRsh no");
addargs(&args, "-oForwardX11 no");
addargs(&args, "-oForwardAgent no");
addargs(&args, "-oClearAllForwardings yes");


@ -1,4 +1,4 @@
/* $NetBSD: ssh-add.c,v 1.18 2002/07/01 06:17:12 itojun Exp $ */
/* $NetBSD: ssh-add.c,v 1.19 2002/10/01 14:07:41 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -36,7 +36,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: ssh-add.c,v 1.62 2002/06/26 14:51:33 markus Exp $");
RCSID("$OpenBSD: ssh-add.c,v 1.63 2002/09/19 15:51:23 markus Exp $");
#include <openssl/evp.h>
@ -285,7 +285,7 @@ usage(void)
fprintf(stderr, " -d Delete identity.\n");
fprintf(stderr, " -D Delete all identities.\n");
fprintf(stderr, " -x Lock agent.\n");
fprintf(stderr, " -x Unlock agent.\n");
fprintf(stderr, " -X Unlock agent.\n");
fprintf(stderr, " -t life Set lifetime (in seconds) when adding identities.\n");
#ifdef SMARTCARD
fprintf(stderr, " -s reader Add key in smartcard reader.\n");


@ -1,4 +1,4 @@
/* $NetBSD: ssh-agent.c,v 1.17 2002/06/26 14:08:33 itojun Exp $ */
/* $NetBSD: ssh-agent.c,v 1.18 2002/10/01 14:07:41 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -36,7 +36,7 @@
#include "includes.h"
#include <sys/queue.h>
RCSID("$OpenBSD: ssh-agent.c,v 1.97 2002/06/24 14:55:38 markus Exp $");
RCSID("$OpenBSD: ssh-agent.c,v 1.104 2002/09/12 19:11:52 stevesk Exp $");
#include <openssl/evp.h>
#include <openssl/md5.h>
@ -51,6 +51,7 @@ RCSID("$OpenBSD: ssh-agent.c,v 1.97 2002/06/24 14:55:38 markus Exp $");
#include "authfd.h"
#include "compat.h"
#include "log.h"
#include "getpeereid.h"
#ifdef SMARTCARD
#include "scard.h"
@ -103,6 +104,17 @@ char *lock_passwd = NULL;
extern char *__progname;
static void
close_socket(SocketEntry *e)
{
close(e->fd);
e->fd = -1;
e->type = AUTH_UNUSED;
buffer_free(&e->input);
buffer_free(&e->output);
buffer_free(&e->request);
}
static void
idtab_init(void)
{
@ -614,13 +626,7 @@ process_message(SocketEntry *e)
cp = buffer_ptr(&e->input);
msg_len = GET_32BIT(cp);
if (msg_len > 256 * 1024) {
shutdown(e->fd, SHUT_RDWR);
close(e->fd);
e->fd = -1;
e->type = AUTH_UNUSED;
buffer_free(&e->input);
buffer_free(&e->output);
buffer_free(&e->request);
close_socket(e);
return;
}
if (buffer_len(&e->input) < msg_len + 4)
@ -802,6 +808,8 @@ after_select(fd_set *readset, fd_set *writeset)
char buf[1024];
int len, sock;
u_int i;
uid_t euid;
gid_t egid;
for (i = 0; i < sockets_alloc; i++)
switch (sockets[i].type) {
@ -817,6 +825,19 @@ after_select(fd_set *readset, fd_set *writeset)
strerror(errno));
break;
}
if (getpeereid(sock, &euid, &egid) < 0) {
error("getpeereid %d failed: %s",
sock, strerror(errno));
close(sock);
break;
}
if (getuid() != euid) {
error("uid mismatch: "
"peer euid %u != uid %u",
(u_int) euid, (u_int) getuid());
close(sock);
break;
}
new_socket(AUTH_CONNECTION, sock);
}
break;
@ -833,13 +854,7 @@ after_select(fd_set *readset, fd_set *writeset)
break;
} while (1);
if (len <= 0) {
shutdown(sockets[i].fd, SHUT_RDWR);
close(sockets[i].fd);
sockets[i].fd = -1;
sockets[i].type = AUTH_UNUSED;
buffer_free(&sockets[i].input);
buffer_free(&sockets[i].output);
buffer_free(&sockets[i].request);
close_socket(&sockets[i]);
break;
}
buffer_consume(&sockets[i].output, len);
@ -853,13 +868,7 @@ after_select(fd_set *readset, fd_set *writeset)
break;
} while (1);
if (len <= 0) {
shutdown(sockets[i].fd, SHUT_RDWR);
close(sockets[i].fd);
sockets[i].fd = -1;
sockets[i].type = AUTH_UNUSED;
buffer_free(&sockets[i].input);
buffer_free(&sockets[i].output);
buffer_free(&sockets[i].request);
close_socket(&sockets[i]);
break;
}
buffer_append(&sockets[i].input, buf, len);
@ -931,9 +940,14 @@ main(int ac, char **av)
struct sockaddr_un sunaddr;
struct rlimit rlim;
extern int optind;
extern char *optarg;
pid_t pid;
char pidstrbuf[1 + 3 * sizeof pid];
/* drop */
setegid(getgid());
setgid(getgid());
SSLeay_add_all_algorithms();
while ((ch = getopt(ac, av, "cdksa:")) != -1) {
@ -1030,7 +1044,7 @@ main(int ac, char **av)
perror("bind");
cleanup_exit(1);
}
if (listen(sock, 5) < 0) {
if (listen(sock, 128) < 0) {
perror("listen");
cleanup_exit(1);
}
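Review bot: The new peer check in after_select() is only as strong as getpeereid() itself: where that call is a real LOCAL_PEERCRED/SO_PEERCRED query it stops other local users from driving the agent, but if it is a compatibility shim that merely reports the caller's own ids, `getuid() != euid` passes for every connection and the mode of the socket directory is again the only protection. That caveat belongs next to the call, e.g. `/* Only meaningful where getpeereid() returns the real peer ids; otherwise the socket directory mode is the sole access control. */`. The same test also rejects a root-owned client with the "uid mismatch" error, which may be intended but should be stated in the same comment. after_select() starts and ends outside the hunk.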


@ -1,4 +1,4 @@
/* $NetBSD: ssh-dss.c,v 1.10 2002/06/24 05:48:36 itojun Exp $ */
/* $NetBSD: ssh-dss.c,v 1.11 2002/10/01 14:07:42 itojun Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -24,7 +24,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: ssh-dss.c,v 1.15 2002/06/23 03:30:17 deraadt Exp $");
RCSID("$OpenBSD: ssh-dss.c,v 1.17 2002/07/04 10:41:47 markus Exp $");
#include <openssl/bn.h>
#include <openssl/evp.h>
@ -47,7 +47,7 @@ ssh_dss_sign(Key *key, u_char **sigp, u_int *lenp,
DSA_SIG *sig;
const EVP_MD *evp_md = EVP_sha1();
EVP_MD_CTX md;
u_char *ret, digest[EVP_MAX_MD_SIZE], sigblob[SIGBLOB_LEN];
u_char digest[EVP_MAX_MD_SIZE], sigblob[SIGBLOB_LEN];
u_int rlen, slen, len, dlen;
Buffer b;
@ -80,25 +80,25 @@ ssh_dss_sign(Key *key, u_char **sigp, u_int *lenp,
DSA_SIG_free(sig);
if (datafellows & SSH_BUG_SIGBLOB) {
ret = xmalloc(SIGBLOB_LEN);
memcpy(ret, sigblob, SIGBLOB_LEN);
if (lenp != NULL)
*lenp = SIGBLOB_LEN;
if (sigp != NULL)
*sigp = ret;
if (sigp != NULL) {
*sigp = xmalloc(SIGBLOB_LEN);
memcpy(*sigp, sigblob, SIGBLOB_LEN);
}
} else {
/* ietf-drafts */
buffer_init(&b);
buffer_put_cstring(&b, "ssh-dss");
buffer_put_string(&b, sigblob, SIGBLOB_LEN);
len = buffer_len(&b);
ret = xmalloc(len);
memcpy(ret, buffer_ptr(&b), len);
buffer_free(&b);
if (lenp != NULL)
*lenp = len;
if (sigp != NULL)
*sigp = ret;
if (sigp != NULL) {
*sigp = xmalloc(len);
memcpy(*sigp, buffer_ptr(&b), len);
}
buffer_free(&b);
}
return 0;
}


@ -1,4 +1,4 @@
/* $NetBSD: ssh-keyscan.c,v 1.16 2002/07/01 06:17:12 itojun Exp $ */
/* $NetBSD: ssh-keyscan.c,v 1.17 2002/10/01 14:07:42 itojun Exp $ */
/*
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
*
@ -8,7 +8,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: ssh-keyscan.c,v 1.38 2002/06/27 19:49:08 stevesk Exp $");
RCSID("$OpenBSD: ssh-keyscan.c,v 1.40 2002/07/06 17:47:58 stevesk Exp $");
#include <sys/queue.h>
#include <errno.h>
@ -166,13 +166,14 @@ static char *
Linebuf_getline(Linebuf * lb)
{
int n = 0;
void *p;
lb->lineno++;
for (;;) {
/* Read a line */
if (!fgets(&lb->buf[n], lb->size - n, lb->stream)) {
if (ferror(lb->stream) && lb->errfun)
(*lb->errfun) ("%s: %s\n", lb->filename,
(*lb->errfun)("%s: %s\n", lb->filename,
strerror(errno));
return (NULL);
}
@ -185,17 +186,20 @@ Linebuf_getline(Linebuf * lb)
}
if (n != lb->size - 1) {
if (lb->errfun)
(*lb->errfun) ("%s: skipping incomplete last line\n",
(*lb->errfun)("%s: skipping incomplete last line\n",
lb->filename);
return (NULL);
}
/* Double the buffer if we need more space */
if (!(lb->buf = realloc(lb->buf, (lb->size *= 2)))) {
lb->size *= 2;
if ((p = realloc(lb->buf, lb->size)) == NULL) {
lb->size /= 2;
if (lb->errfun)
(*lb->errfun) ("linebuf (%s): realloc failed\n",
(*lb->errfun)("linebuf (%s): realloc failed\n",
lb->filename);
return (NULL);
}
lb->buf = p;
}
}
@ -216,6 +220,7 @@ static int
fdlim_set(int lim)
{
struct rlimit rlfd;
if (lim <= 0)
return (-1);
if (getrlimit(RLIMIT_NOFILE, &rlfd) < 0)
@ -394,8 +399,8 @@ tcpconnect(char *host)
static int
conalloc(char *iname, char *oname, int keytype)
{
int s;
char *namebase, *name, *namelist;
int s;
namebase = namelist = xstrdup(iname);
@ -459,8 +464,8 @@ contouch(int s)
static int
conrecycle(int s)
{
int ret;
con *c = &fdcon[s];
int ret;
ret = conalloc(c->c_namelist, c->c_output_name, c->c_keytype);
confree(s);
@ -470,10 +475,10 @@ conrecycle(int s)
static void
congreet(int s)
{
int remote_major, remote_minor, n = 0;
char buf[256], *cp;
char remote_version[sizeof buf];
size_t bufsiz;
int remote_major, remote_minor, n = 0;
con *c = &fdcon[s];
bufsiz = sizeof(buf);
@ -537,8 +542,8 @@ congreet(int s)
static void
conread(int s)
{
int n;
con *c = &fdcon[s];
int n;
if (c->c_status == CS_CON) {
congreet(s);
@ -577,10 +582,10 @@ conread(int s)
static void
conloop(void)
{
fd_set *r, *e;
struct timeval seltime, now;
int i;
fd_set *r, *e;
con *c;
int i;
gettimeofday(&now, NULL);
c = TAILQ_FIRST(&tq);
@ -647,6 +652,7 @@ void
fatal(const char *fmt,...)
{
va_list args;
va_start(args, fmt);
do_log(SYSLOG_LEVEL_FATAL, fmt, args);
va_end(args);
@ -659,16 +665,9 @@ fatal(const char *fmt,...)
static void
usage(void)
{
fprintf(stderr, "Usage: %s [options] host ...\n",
fprintf(stderr, "usage: %s [-v46] [-p port] [-T timeout] [-f file]\n"
"\t\t [host | addrlist namelist] [...]\n",
__progname);
fprintf(stderr, "Options:\n");
fprintf(stderr, " -f file Read hosts or addresses from file.\n");
fprintf(stderr, " -p port Connect to the specified port.\n");
fprintf(stderr, " -t keytype Specify the host key type.\n");
fprintf(stderr, " -T timeout Set connection timeout.\n");
fprintf(stderr, " -v Verbose; display verbose debugging messages.\n");
fprintf(stderr, " -4 Use IPv4 only.\n");
fprintf(stderr, " -6 Use IPv6 only.\n");
exit(1);
}
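Review bot: The rewritten usage() drops the `-t keytype` option that the previous text listed; if getopt() still accepts `t:` (its option string is outside this hunk) the synopsis should read `"usage: %s [-v46] [-p port] [-T timeout] [-t type] [-f file]\n"`, otherwise the option should be removed from getopt() as well so the two stay in step. The realloc() change earlier in the section is correct as written: the new pointer is kept in `p`, the old buffer survives a failure, and `lb->size` is restored before returning.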


@ -1,4 +1,4 @@
/* $NetBSD: ssh-keysign.c,v 1.4 2002/07/03 14:23:13 itojun Exp $ */
/* $NetBSD: ssh-keysign.c,v 1.5 2002/10/01 14:07:43 itojun Exp $ */
/*
* Copyright (c) 2002 Markus Friedl. All rights reserved.
*
@ -23,7 +23,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
RCSID("$OpenBSD: ssh-keysign.c,v 1.6 2002/07/03 09:55:38 markus Exp $");
RCSID("$OpenBSD: ssh-keysign.c,v 1.7 2002/07/03 14:21:05 markus Exp $");
#include <openssl/evp.h>
#include <openssl/rand.h>


@ -1,4 +1,4 @@
/* $NetBSD: ssh-rsa.c,v 1.11 2002/06/24 05:48:37 itojun Exp $ */
/* $NetBSD: ssh-rsa.c,v 1.12 2002/10/01 14:07:43 itojun Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -24,7 +24,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: ssh-rsa.c,v 1.21 2002/06/23 03:30:17 deraadt Exp $");
RCSID("$OpenBSD: ssh-rsa.c,v 1.26 2002/08/27 17:13:56 stevesk Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
@ -38,6 +38,8 @@ RCSID("$OpenBSD: ssh-rsa.c,v 1.21 2002/06/23 03:30:17 deraadt Exp $");
#include "compat.h"
#include "ssh.h"
static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int , RSA *);
/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
int
ssh_rsa_sign(Key *key, u_char **sigp, u_int *lenp,
@ -45,7 +47,7 @@ ssh_rsa_sign(Key *key, u_char **sigp, u_int *lenp,
{
const EVP_MD *evp_md;
EVP_MD_CTX md;
u_char digest[EVP_MAX_MD_SIZE], *sig, *ret;
u_char digest[EVP_MAX_MD_SIZE], *sig;
u_int slen, dlen, len;
int ok, nid;
Buffer b;
@ -77,7 +79,7 @@ ssh_rsa_sign(Key *key, u_char **sigp, u_int *lenp,
return -1;
}
if (len < slen) {
int diff = slen - len;
u_int diff = slen - len;
debug("slen %u > len %u", slen, len);
memmove(sig + diff, sig, len);
memset(sig, 0, diff);
@ -91,16 +93,16 @@ ssh_rsa_sign(Key *key, u_char **sigp, u_int *lenp,
buffer_put_cstring(&b, "ssh-rsa");
buffer_put_string(&b, sig, slen);
len = buffer_len(&b);
ret = xmalloc(len);
memcpy(ret, buffer_ptr(&b), len);
if (lenp != NULL)
*lenp = len;
if (sigp != NULL) {
*sigp = xmalloc(len);
memcpy(*sigp, buffer_ptr(&b), len);
}
buffer_free(&b);
memset(sig, 's', slen);
xfree(sig);
if (lenp != NULL)
*lenp = len;
if (sigp != NULL)
*sigp = ret;
return 0;
}
@ -150,7 +152,7 @@ ssh_rsa_verify(Key *key, u_char *signature, u_int signaturelen,
xfree(sigblob);
return -1;
} else if (len < modlen) {
int diff = modlen - len;
u_int diff = modlen - len;
debug("ssh_rsa_verify: add padding: modlen %u > len %u",
modlen, len);
sigblob = xrealloc(sigblob, modlen);
@ -168,15 +170,100 @@ ssh_rsa_verify(Key *key, u_char *signature, u_int signaturelen,
EVP_DigestUpdate(&md, data, datalen);
EVP_DigestFinal(&md, digest, &dlen);
ret = RSA_verify(nid, digest, dlen, sigblob, len, key->rsa);
ret = openssh_RSA_verify(nid, digest, dlen, sigblob, len, key->rsa);
memset(digest, 'd', sizeof(digest));
memset(sigblob, 's', len);
xfree(sigblob);
if (ret == 0) {
int ecode = ERR_get_error();
error("ssh_rsa_verify: RSA_verify failed: %s",
ERR_error_string(ecode, NULL));
}
debug("ssh_rsa_verify: signature %scorrect", (ret==0) ? "in" : "");
return ret;
}
/*
* See:
* http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/
* ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.asn
*/
/*
* id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
* oiw(14) secsig(3) algorithms(2) 26 }
*/
static const u_char id_sha1[] = {
0x30, 0x21, /* type Sequence, length 0x21 (33) */
0x30, 0x09, /* type Sequence, length 0x09 */
0x06, 0x05, /* type OID, length 0x05 */
0x2b, 0x0e, 0x03, 0x02, 0x1a, /* id-sha1 OID */
0x05, 0x00, /* NULL */
0x04, 0x14 /* Octet string, length 0x14 (20), followed by sha1 hash */
};
/*
* id-md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
* rsadsi(113549) digestAlgorithm(2) 5 }
*/
static const u_char id_md5[] = {
0x30, 0x20, /* type Sequence, length 0x20 (32) */
0x30, 0x0c, /* type Sequence, length 0x09 */
0x06, 0x08, /* type OID, length 0x05 */
0x2a, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* id-md5 */
0x05, 0x00, /* NULL */
0x04, 0x10 /* Octet string, length 0x10 (16), followed by md5 hash */
};
static int
openssh_RSA_verify(int type, u_char *hash, u_int hashlen,
u_char *sigbuf, u_int siglen, RSA *rsa)
{
u_int ret, rsasize, oidlen = 0, hlen = 0;
int len;
const u_char *oid = NULL;
u_char *decrypted = NULL;
ret = 0;
switch (type) {
case NID_sha1:
oid = id_sha1;
oidlen = sizeof(id_sha1);
hlen = 20;
break;
case NID_md5:
oid = id_md5;
oidlen = sizeof(id_md5);
hlen = 16;
break;
default:
goto done;
break;
}
if (hashlen != hlen) {
error("bad hashlen");
goto done;
}
rsasize = RSA_size(rsa);
if (siglen == 0 || siglen > rsasize) {
error("bad siglen");
goto done;
}
decrypted = xmalloc(rsasize);
if ((len = RSA_public_decrypt(siglen, sigbuf, decrypted, rsa,
RSA_PKCS1_PADDING)) < 0) {
error("RSA_public_decrypt failed: %s",
ERR_error_string(ERR_get_error(), NULL));
goto done;
}
if (len != hlen + oidlen) {
error("bad decrypted len: %d != %d + %d", len, hlen, oidlen);
goto done;
}
if (memcmp(decrypted, oid, oidlen) != 0) {
error("oid mismatch");
goto done;
}
if (memcmp(decrypted + oidlen, hash, hlen) != 0) {
error("hash mismatch");
goto done;
}
ret = 1;
done:
if (decrypted)
xfree(decrypted);
return ret;
}
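Review bot: The per-byte comments on id_md5 were copied from id_sha1 and do not match the bytes they annotate: `0x30, 0x0c` should carry `/* type Sequence, length 0x0c (12) */` and `0x06, 0x08` should carry `/* type OID, length 0x08 */`. The bytes themselves are consistent (0x20 = 2 + 0x0c + 2 + 0x10, and 0x0c = 2 + 8 + 2), so this is a comment fix only, but a wrong length annotation beside a hand-encoded DER prefix is exactly what a later editor will trust. The exact-length test `len != hlen + oidlen` followed by the two memcmp() calls is what makes this verifier reject padding-malformed or trailing-data signatures, and that intent is worth one line in the function header, e.g. `/* Strict PKCS#1 v1.5: the recovered block must be exactly DigestInfo || hash, with no trailing bytes. */`.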

59
crypto/dist/ssh/ssh.1 vendored

@ -1,4 +1,4 @@
.\" $NetBSD: ssh.1,v 1.22 2002/06/24 05:48:37 itojun Exp $
.\" $NetBSD: ssh.1,v 1.23 2002/10/01 14:07:43 itojun Exp $
.\" -*- nroff -*-
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh.1,v 1.160 2002/06/22 11:51:39 naddy Exp $
.\" $OpenBSD: ssh.1,v 1.167 2002/09/27 15:46:21 stevesk Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
@ -49,7 +49,7 @@
.Op Ar command
.Pp
.Nm ssh
.Op Fl afgknqstvxACNPTX1246
.Op Fl afgknqstvxACNTX1246
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
.Op Fl e Ar escape_char
@ -354,9 +354,17 @@ the connection is opened.
The real authentication cookie is never
sent to the server machine (and no cookies are sent in the plain).
.Pp
If the user is using an authentication agent, the connection to the agent
is automatically forwarded to the remote side unless disabled on
the command line or in a configuration file.
If the
.Cm ForwardAgent
variable is set to
.Dq yes
(or, see the description of the
.Fl A
and
.Fl a
options described later) and
the user is using an authentication agent, the connection to the agent
is automatically forwarded to the remote side.
.Pp
Forwarding of arbitrary TCP/IP connections over the secure channel can
be specified either on the command line or in a configuration file.
@ -395,6 +403,13 @@ Disables forwarding of the authentication agent connection.
.It Fl A
Enables forwarding of the authentication agent connection.
This can also be specified on a per-host basis in a configuration file.
.Pp
Agent forwarding should be enabled with caution. Users with the
ability to bypass file permissions on the remote host (for the agent's
Unix-domain socket) can access the local agent through the forwarded
connection. An attacker cannot obtain key material from the agent,
however they can perform operations on the keys that enable them to
authenticate using the identities loaded into the agent.
.It Fl b Ar bind_address
Specify the interface to transmit from on machines with multiple
interfaces or aliased addresses.
@ -516,15 +531,6 @@ command-line flag.
Port to connect to on the remote host.
This can be specified on a
per-host basis in the configuration file.
.It Fl P
Use a non-privileged port for outgoing connections.
This can be used if a firewall does
not permit connections from privileged ports.
Note that this option turns off
.Cm RhostsAuthentication
and
.Cm RhostsRSAAuthentication
for older servers.
.It Fl q
Quiet mode.
Causes all warning and diagnostic messages to be suppressed.
@ -560,6 +566,12 @@ Disables X11 forwarding.
.It Fl X
Enables X11 forwarding.
This can also be specified on a per-host basis in a configuration file.
.Pp
X11 forwarding should be enabled with caution. Users with the ability
to bypass file permissions on the remote host (for the user's X
authorization database) can access the local X11 display through the
forwarded connection. An attacker may then be able to perform
activities such as keystroke monitoring.
.It Fl C
Requests compression of all data (including stdin, stdout, stderr, and
data for forwarded X11 and TCP/IP connections).
@ -569,7 +581,7 @@ and the
.Dq level
can be controlled by the
.Cm CompressionLevel
option.
option for protocol version 1.
Compression is desirable on modem lines and other
slow connections, but will only slow down things on fast networks.
The default value can be set on a host-by-host basis in the
@ -715,11 +727,11 @@ to make this work.)
.It Ev SSH_AUTH_SOCK
Identifies the path of a unix-domain socket used to communicate with the
agent.
.It Ev SSH_CLIENT
Identifies the client end of the connection.
.It Ev SSH_CONNECTION
Identifies the client and server ends of the connection.
The variable contains
three space-separated values: client ip-address, client port number,
and server port number.
four space-separated values: client ip-address, client port number,
server ip-address and server port number.
.It Ev SSH_ORIGINAL_COMMAND
The variable contains the original command line if a forced command
is executed.
@ -743,7 +755,12 @@ reads
.Pa $HOME/.ssh/environment ,
and adds lines of the format
.Dq VARNAME=value
to the environment.
to the environment if the file exists and if users are allowed to
change their environment.
See the
.Cm PermitUserEnvironment
option in
.Xr sshd_config 5 .
.Sh FILES
.Bl -tag -width Ds
.It Pa $HOME/.ssh/known_hosts

54
crypto/dist/ssh/ssh.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ssh.c,v 1.24 2002/07/03 14:23:13 itojun Exp $ */
/* $NetBSD: ssh.c,v 1.25 2002/10/01 14:07:44 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -41,7 +41,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: ssh.c,v 1.180 2002/06/30 21:59:45 deraadt Exp $");
RCSID("$OpenBSD: ssh.c,v 1.186 2002/09/19 01:58:18 djm Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
@ -139,6 +139,9 @@ int subsystem_flag = 0;
/* # of replies received for global requests */
static int client_global_request_id = 0;
/* pid of proxycommand child process */
pid_t proxy_command_pid = 0;
/* Prints a help message to the user. This function never returns. */
static void
@ -167,7 +170,6 @@ usage(void)
fprintf(stderr, " -v Verbose; display verbose debugging messages.\n");
fprintf(stderr, " Multiple -v increases verbosity.\n");
fprintf(stderr, " -V Display version number only.\n");
fprintf(stderr, " -P Don't allocate a privileged port.\n");
fprintf(stderr, " -q Quiet; don't display any warning messages.\n");
fprintf(stderr, " -f Fork into background after authentication.\n");
fprintf(stderr, " -e char Set escape character; ``none'' = disable (default: ~).\n");
@ -220,6 +222,15 @@ main(int ac, char **av)
original_real_uid = getuid();
original_effective_uid = geteuid();
/*
* Use uid-swapping to give up root privileges for the duration of
* option processing. We will re-instantiate the rights when we are
* ready to create the privileged port, and will permanently drop
* them when the port has been created (actually, when the connection
* has been made, as we may need to create the port several times).
*/
PRIV_END;
/* If we are installed setuid root be careful to not drop core. */
if (original_real_uid != original_effective_uid) {
struct rlimit rlim;
@ -236,15 +247,6 @@ main(int ac, char **av)
/* Take a copy of the returned structure. */
pw = pwcopy(pw);
/*
* Use uid-swapping to give up root privileges for the duration of
* option processing. We will re-instantiate the rights when we are
* ready to create the privileged port, and will permanently drop
* them when the port has been created (actually, when the connection
* has been made, as we may need to create the port several times).
*/
PRIV_END;
/*
* Set our umask to something reasonable, as some files are created
* with the default umask. This will make them world-readable but
@ -291,7 +293,7 @@ again:
case 'g':
options.gateway_ports = 1;
break;
case 'P':
case 'P': /* deprecated */
options.use_privileged_port = 0;
break;
case 'a':
@ -700,6 +702,14 @@ again:
exit_status = compat20 ? ssh_session2() : ssh_session();
packet_close();
/*
* Send SIGHUP to proxy command if used. We don't wait() in
* case it hangs and instead rely on init to reap the child
*/
if (proxy_command_pid > 1)
kill(proxy_command_pid, SIGHUP);
return exit_status;
}
@ -711,11 +721,19 @@ x11_get_proto(char **_proto, char **_data)
FILE *f;
int got_data = 0, i;
char *display;
struct stat st;
*_proto = proto;
*_data = data;
proto[0] = data[0] = '\0';
if (options.xauth_location && (display = getenv("DISPLAY"))) {
if (!options.xauth_location ||
(stat(options.xauth_location, &st) == -1)) {
debug("No xauth program.");
} else {
if ((display = getenv("DISPLAY")) == NULL) {
debug("x11_get_proto: DISPLAY not set");
return;
}
/* Try to get Xauthority information for the display. */
if (strncmp(display, "localhost:", 10) == 0)
/*
@ -730,7 +748,7 @@ x11_get_proto(char **_proto, char **_data)
else
snprintf(line, sizeof line, "%s list %.200s 2>"
_PATH_DEVNULL, options.xauth_location, display);
debug2("x11_get_proto %s", line);
debug2("x11_get_proto: %s", line);
f = popen(line, "r");
if (f && fgets(line, sizeof(line), f) &&
sscanf(line, "%*s %511s %511s", proto, data) == 2)
@ -749,6 +767,7 @@ x11_get_proto(char **_proto, char **_data)
if (!got_data) {
u_int32_t rand = 0;
log("Warning: No xauth data; using fake authentication data for X11 forwarding.");
strlcpy(proto, "MIT-MAGIC-COOKIE-1", sizeof proto);
for (i = 0; i < 16; i++) {
if (i % 4 == 0)
@ -798,11 +817,8 @@ check_agent_present(void)
{
if (options.forward_agent) {
/* Clear agent forwarding if we don\'t have an agent. */
int authfd = ssh_get_authentication_socket();
if (authfd < 0)
if (!ssh_agent_present())
options.forward_agent = 0;
else
ssh_close_authentication_socket(authfd);
}
}
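Review bot: The new `stat(options.xauth_location, &st) == -1` test in x11_get_proto() only checks that the path exists, so a non-executable or directory path still reaches popen() and ends in the "No xauth data; using fake authentication data" fallback with a misleading "No xauth program." debug trail; `access(options.xauth_location, X_OK) == -1` expresses what is actually required. A comment on the popen() line would also help: the DISPLAY value is interpolated into a shell command unquoted, which is pre-existing and only affects the invoking user's own session, but the `%.200s` truncation does not guard against shell metacharacters. x11_get_proto() continues outside the hunk.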


@ -1,5 +1,5 @@
# $NetBSD: ssh_config,v 1.7 2002/07/03 14:23:14 itojun Exp $
# $OpenBSD: ssh_config,v 1.15 2002/06/20 20:03:34 stevesk Exp $
# $NetBSD: ssh_config,v 1.8 2002/10/01 14:07:45 itojun Exp $
# $OpenBSD: ssh_config,v 1.16 2002/07/03 14:21:05 markus Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for


@ -1,4 +1,4 @@
.\" $NetBSD: ssh_config.5,v 1.1.1.2 2002/10/01 13:40:03 itojun Exp $
.\" $NetBSD: ssh_config.5,v 1.2 2002/10/01 14:07:45 itojun Exp $
.\" -*- nroff -*-
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>


@ -1,4 +1,4 @@
/* $NetBSD: sshconnect.c,v 1.23 2002/07/12 13:28:36 itojun Exp $ */
/* $NetBSD: sshconnect.c,v 1.24 2002/10/01 14:07:45 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -14,7 +14,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: sshconnect.c,v 1.131 2002/07/12 13:29:09 itojun Exp $");
RCSID("$OpenBSD: sshconnect.c,v 1.135 2002/09/19 01:58:18 djm Exp $");
#include <openssl/bn.h>
@ -42,6 +42,9 @@ extern Options options;
extern char *__progname;
extern uid_t original_real_uid;
extern uid_t original_effective_uid;
extern pid_t proxy_command_pid;
static int show_other_keys(const char *, Key *);
/*
* Connect to the given ssh server using a proxy command.
@ -59,9 +62,16 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
/* Convert the port number into a string. */
snprintf(strport, sizeof strport, "%hu", port);
/* Build the final command string in the buffer by making the
appropriate substitutions to the given proxy command. */
/*
* Build the final command string in the buffer by making the
* appropriate substitutions to the given proxy command.
*
* Use "exec" to avoid "sh -c" processes on some platforms
* (e.g. Solaris)
*/
buffer_init(&command);
buffer_append(&command, "exec ", 5);
for (cp = proxy_command; *cp; cp++) {
if (cp[0] == '%' && cp[1] == '%') {
buffer_append(&command, "%", 1);
@ -129,6 +139,8 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
/* Parent. */
if (pid < 0)
fatal("fork failed: %.100s", strerror(errno));
else
proxy_command_pid = pid; /* save pid to clean up later */
/* Close child side of the descriptors. */
close(pin[0]);
@ -224,7 +236,6 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
int sock = -1, attempt;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
struct addrinfo hints, *ai, *aitop;
struct linger linger;
struct servent *sp;
/*
* Did we get only other errors than "Connection refused" (which
@ -325,15 +336,6 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
debug("Connection established.");
/*
* Set socket options. We would like the socket to disappear as soon
* as it has been closed for whatever reason.
*/
/* setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */
linger.l_onoff = 1;
linger.l_linger = 5;
setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger));
/* Set keepalives if requested. */
if (options.keepalives &&
setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&on,
@ -490,7 +492,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
int local = 0, host_ip_differ = 0;
char ntop[NI_MAXHOST];
char msg[1024];
int len, host_line, ip_line;
int len, host_line, ip_line, has_keys;
const char *host_file = NULL, *ip_file = NULL;
/*
@ -631,14 +633,19 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
"have requested strict checking.", type, host);
goto fail;
} else if (options.strict_host_key_checking == 2) {
has_keys = show_other_keys(host, host_key);
/* The default */
fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be "
"established.\n"
"established%s\n"
"%s key fingerprint is %s.\n"
"Are you sure you want to continue connecting "
"(yes/no)? ", host, ip, type, fp);
"(yes/no)? ",
host, ip,
has_keys ? ",\nbut keys of different type are already "
"known for this host." : ".",
type, fp);
xfree(fp);
if (!confirm(msg))
goto fail;
@ -741,6 +748,9 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
* accept the authentication.
*/
break;
case HOST_FOUND:
fatal("internal error");
break;
}
if (options.check_host_ip && host_status != HOST_CHANGED &&
@ -852,3 +862,58 @@ ssh_put_password(char *password)
memset(padded, 0, size);
xfree(padded);
}
static int
show_key_from_file(const char *file, const char *host, int keytype)
{
Key *found;
char *fp;
int line, ret;
found = key_new(keytype);
if ((ret = lookup_key_in_hostfile_by_type(file, host,
keytype, found, &line))) {
fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
log("WARNING: %s key found for host %s\n"
"in %s:%d\n"
"%s key fingerprint %s.",
key_type(found), host, file, line,
key_type(found), fp);
xfree(fp);
}
key_free(found);
return (ret);
}
/* print all known host keys for a given host, but skip keys of given type */
static int
show_other_keys(const char *host, Key *key)
{
int type[] = { KEY_RSA1, KEY_RSA, KEY_DSA, -1};
int i, found = 0;
for (i = 0; type[i] != -1; i++) {
if (type[i] == key->type)
continue;
if (type[i] != KEY_RSA1 &&
show_key_from_file(options.user_hostfile2, host, type[i])) {
found = 1;
continue;
}
if (type[i] != KEY_RSA1 &&
show_key_from_file(options.system_hostfile2, host, type[i])) {
found = 1;
continue;
}
if (show_key_from_file(options.user_hostfile, host, type[i])) {
found = 1;
continue;
}
if (show_key_from_file(options.system_hostfile, host, type[i])) {
found = 1;
continue;
}
debug2("no key of type %d for host %s", type[i], host);
}
return (found);
}
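Review bot: Prepending `exec ` to the user's ProxyCommand in ssh_proxy_connect() silently changes the meaning of compound commands: with `exec a; b` or `exec a && b` the shell is replaced by `a` and `b` never runs (a pipeline is unaffected, since each stage runs in its own subshell). Avoiding a lingering `sh -c` process is a fair trade, but the consequence should be visible, e.g. extend the comment with `* NB: the "exec" prefix means a ';'- or '&&'-joined ProxyCommand stops after its first command.` and mention it under ProxyCommand in ssh_config(5). ssh_proxy_connect() starts and ends outside the hunk.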


@ -1,4 +1,4 @@
/* $NetBSD: sshconnect1.c,v 1.21 2002/08/08 15:12:42 itojun Exp $ */
/* $NetBSD: sshconnect1.c,v 1.22 2002/10/01 14:07:45 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -14,7 +14,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: sshconnect1.c,v 1.51 2002/05/23 19:24:30 markus Exp $");
RCSID("$OpenBSD: sshconnect1.c,v 1.52 2002/08/08 13:50:23 aaron Exp $");
#include <openssl/bn.h>
#include <openssl/md5.h>


@ -1,4 +1,4 @@
.\" $NetBSD: sshd.8,v 1.30 2002/09/25 03:43:19 itojun Exp $
.\" $NetBSD: sshd.8,v 1.31 2002/10/01 14:07:46 itojun Exp $
.\" -*- nroff -*-
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd.8,v 1.186 2002/06/22 16:45:29 stevesk Exp $
.\" $OpenBSD: sshd.8,v 1.193 2002/09/24 20:59:44 todd Exp $
.Dd September 25, 1999
.Dt SSHD 8
.Os
@ -204,7 +204,7 @@ The default is
refuses to start if there is no configuration file.
.It Fl g Ar login_grace_time
Gives the grace time for clients to authenticate themselves (default
600 seconds).
120 seconds).
If the client fails to authenticate the user within
this many seconds, the server disconnects and exits.
A value of zero indicates no limit.
@ -351,7 +351,11 @@ Sets up basic environment.
.It
Reads
.Pa $HOME/.ssh/environment
if it exists.
if it exists and users are allowed to change their environment.
See the
.Cm PermitUserEnvironment
option in
.Xr sshd_config 5 .
.It
Changes to user's home directory.
.It
@ -386,9 +390,9 @@ Each RSA public key consists of the following fields, separated by
spaces: options, bits, exponent, modulus, comment.
Each protocol version 2 public key consists of:
options, keytype, base64 encoded key, comment.
The options fields
are optional; its presence is determined by whether the line starts
with a number or not (the option field never starts with a number).
The options field
is optional; its presence is determined by whether the line starts
with a number or not (the options field never starts with a number).
The bits, exponent, modulus and comment fields give the RSA key for
protocol version 1; the
comment field is not used for anything (but may be convenient for the
@ -399,7 +403,7 @@ or
.Dq ssh-rsa .
.Pp
Note that lines in this file are usually several hundred bytes long
(because of the size of the RSA key modulus).
(because of the size of the public key encoding).
You don't want to type them in; instead, copy the
.Pa identity.pub ,
.Pa id_dsa.pub
@ -418,7 +422,7 @@ The following option specifications are supported (note
that option keywords are case-insensitive):
.Bl -tag -width Ds
.It Cm from="pattern-list"
Specifies that in addition to RSA authentication, the canonical name
Specifies that in addition to public key authentication, the canonical name
of the remote host must be present in the comma-separated list of
patterns
.Pf ( Ql *
@ -430,7 +434,7 @@ patterns negated by prefixing them with
.Ql ! ;
if the canonical host name matches a negated pattern, the key is not accepted.
The purpose
of this option is to optionally increase security: RSA authentication
of this option is to optionally increase security: public key authentication
by itself does not trust the network or name servers or anything (but
the key); however, if somebody somehow steals the key, the key
permits an intruder to log in from anywhere in the world.
@ -448,7 +452,7 @@ one must not request a pty or should specify
.Cm no-pty .
A quote may be included in the command by quoting it with a backslash.
This option might be useful
to restrict certain RSA keys to perform just a specific operation.
to restrict certain public keys to perform just a specific operation.
An example might be a key that permits remote backups but nothing else.
Note that the client may specify TCP/IP and/or X11
forwarding unless they are explicitly prohibited.
@ -459,6 +463,10 @@ logging in using this key.
Environment variables set this way
override other default environment values.
Multiple options of this type are permitted.
Environment processing is disabled by default and is
controlled via the
.Cm PermitUserEnvironment
option.
This option is automatically disabled if
.Cm UseLogin
is enabled.
@ -579,6 +587,8 @@ These files are created using
.Xr ssh-keygen 1 .
.It Pa /etc/moduli
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
The file format is described in
.Xr moduli 5 .
.It Pa /var/chroot/sshd
.Xr chroot 2
directory used by
@ -699,6 +709,10 @@ It can only contain empty lines, comment lines (that start with
and assignment lines of the form name=value.
The file should be writable
only by the user; it need not be readable by anyone else.
Environment processing is disabled by default and is
controlled via the
.Cm PermitUserEnvironment
option.
.It Pa $HOME/.ssh/rc
If this file exists, it is run with /bin/sh after reading the
environment files but before starting the user's shell or command.


@ -1,4 +1,4 @@
/* $NetBSD: sshd.c,v 1.25 2002/07/01 06:17:13 itojun Exp $ */
/* $NetBSD: sshd.c,v 1.26 2002/10/01 14:07:47 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -43,7 +43,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: sshd.c,v 1.255 2002/06/30 21:59:45 deraadt Exp $");
RCSID("$OpenBSD: sshd.c,v 1.260 2002/09/27 10:42:09 mickey Exp $");
#include <openssl/dh.h>
#include <openssl/bn.h>
@ -291,11 +291,8 @@ grace_alarm_handler(int sig)
{
/* XXX no idea how fix this signal handler */
/* Close the connection. */
packet_close();
/* Log error and exit. */
fatal("Timeout before authentication for %s.", get_remote_ipaddr());
fatal("Timeout before authentication for %s", get_remote_ipaddr());
}
/*
@ -415,6 +412,12 @@ sshd_exchange_identification(int sock_in, int sock_out)
compat_datafellows(remote_version);
if (datafellows & SSH_BUG_PROBE) {
log("probed from %s with %s. Don't panic.",
get_remote_ipaddr(), client_version_string);
fatal_cleanup();
}
if (datafellows & SSH_BUG_SCANNER) {
log("scanned from %s with %s. Don't panic.",
get_remote_ipaddr(), client_version_string);
@ -577,6 +580,8 @@ privsep_preauth(void)
if (pid == -1) {
fatal("fork of unprivileged child failed");
} else if (pid != 0) {
fatal_remove_cleanup((void (*) (void *)) packet_close, NULL);
debug2("Network child is on pid %ld", (long)pid);
close(pmonitor->m_recvfd);
@ -590,6 +595,10 @@ privsep_preauth(void)
while (waitpid(pid, &status, 0) < 0)
if (errno != EINTR)
break;
/* Reinstall, since the child has finished */
fatal_add_cleanup((void (*) (void *)) packet_close, NULL);
return (authctxt);
} else {
/* child */
@ -633,6 +642,8 @@ privsep_postauth(Authctxt *authctxt)
if (pmonitor->m_pid == -1)
fatal("fork of unprivileged child failed");
else if (pmonitor->m_pid != 0) {
fatal_remove_cleanup((void (*) (void *)) packet_close, NULL);
debug2("User child is on pid %ld", (long)pmonitor->m_pid);
close(pmonitor->m_recvfd);
monitor_child_postauth(pmonitor);
@ -785,7 +796,6 @@ main(int ac, char **av)
const char *remote_ip;
int remote_port;
FILE *f;
struct linger linger;
struct addrinfo *ai;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
int listen_sock, maxfd;
@ -886,8 +896,10 @@ main(int ac, char **av)
break;
case 'u':
utmp_len = atoi(optarg);
if (utmp_len < 0 || utmp_len > MAXHOSTNAMELEN)
usage();
if (utmp_len > MAXHOSTNAMELEN) {
fprintf(stderr, "Invalid utmp length.\n");
exit(1);
}
break;
case 'o':
if (process_server_config_line(&options, optarg,
@ -1099,17 +1111,12 @@ main(int ac, char **av)
continue;
}
/*
* Set socket options. We try to make the port
* reusable and have it close as fast as possible
* without waiting in unnecessary wait states on
* close.
* Set socket options.
* Allow local port reuse in TIME_WAIT.
*/
setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
&on, sizeof(on));
linger.l_onoff = 1;
linger.l_linger = 5;
setsockopt(listen_sock, SOL_SOCKET, SO_LINGER,
&linger, sizeof(linger));
if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
&on, sizeof(on)) == -1)
error("setsockopt SO_REUSEADDR: %s", strerror(errno));
debug("Bind to port %s on %s.", strport, ntop);
@ -1353,16 +1360,6 @@ main(int ac, char **av)
signal(SIGQUIT, SIG_DFL);
signal(SIGCHLD, SIG_DFL);
/*
* Set socket options for the connection. We want the socket to
* close as fast as possible without waiting for anything. If the
* connection is not a socket, these will do nothing.
*/
/* setsockopt(sock_in, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */
linger.l_onoff = 1;
linger.l_linger = 5;
setsockopt(sock_in, SOL_SOCKET, SO_LINGER, &linger, sizeof(linger));
/* Set keepalives if requested. */
if (options.keepalives &&
setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on,
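Review bot: grace_alarm_handler still calls fatal() and get_remote_ipaddr() from signal context, and neither is async-signal-safe (logging, address lookup and, through the fatal cleanups that the privsep_preauth hunk re-registers, packet_close() itself with its buffer frees); dropping the direct packet_close() call narrows the window but the handler's own `XXX` comment remains true. If the alarm fires while the main code is inside malloc() or the logging path, the result can be a deadlock or heap corruption in the unauthenticated phase. A safer shape is to have the handler only record the timeout and `_exit()`, or set a `volatile sig_atomic_t` flag that the pre-auth loop checks; at minimum extend the comment to `/* XXX fatal() and get_remote_ipaddr() are not async-signal-safe; this handler may run inside malloc()/log() */` so the limitation is explicit.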


@ -1,5 +1,5 @@
# $NetBSD: sshd_config,v 1.15 2002/06/24 05:48:40 itojun Exp $
# $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $
# $NetBSD: sshd_config,v 1.16 2002/10/01 14:07:47 itojun Exp $
# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@ -31,7 +31,7 @@
# Authentication:
#LoginGraceTime 600
#LoginGraceTime 120
#PermitRootLogin no
#StrictModes yes
@ -77,6 +77,7 @@
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#MaxStartups 10


@ -1,4 +1,4 @@
.\" $NetBSD: sshd_config.5,v 1.2 2002/09/28 15:07:33 elric Exp $
.\" $NetBSD: sshd_config.5,v 1.3 2002/10/01 14:07:48 itojun Exp $
.\" -*- nroff -*-
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.4 2002/06/22 16:45:29 stevesk Exp $
.\" $OpenBSD: sshd_config.5,v 1.13 2002/09/16 20:12:11 stevesk Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
@ -380,7 +380,7 @@ options must precede this option for non port qualified addresses.
The server disconnects after this time if the user has not
successfully logged in.
If the value is 0, there is no time limit.
The default is 600 (seconds).
The default is 120 seconds.
.It Cm LogLevel
Gives the verbosity level that is used when logging messages from
.Nm sshd .
@ -460,6 +460,20 @@ for root.
If this option is set to
.Dq no
root is not allowed to login.
.It Cm PermitUserEnvironment
Specifies whether
.Pa ~/.ssh/environment
and
.Cm environment=
options in
.Pa ~/.ssh/authorized_keys
are processed by
.Nm sshd .
The default is
.Dq no .
Enabling environment processing may enable users to bypass access
restrictions in some configurations using mechanisms such as
.Ev LD_PRELOAD .
.It Cm PidFile
Specifies the file that contains the process ID of the
.Nm sshd
@ -494,7 +508,7 @@ The default is
.It Cm Protocol
Specifies the protocol versions
.Nm sshd
should support.
supports.
The possible values are
.Dq 1
and
@ -502,6 +516,13 @@ and
Multiple versions must be comma-separated.
The default is
.Dq 2,1 .
Note that the order of the protocol list does not indicate preference,
because the client selects among multiple protocol versions offered
by the server.
Specifying
.Dq 2,1
is identical to
.Dq 1,2 .
.It Cm PubkeyAuthentication
Specifies whether public key authentication is allowed.
The default is
@ -604,10 +625,35 @@ from interfering with real X11 servers.
The default is 10.
.It Cm X11Forwarding
Specifies whether X11 forwarding is permitted.
The argument must be
.Dq yes
or
.Dq no .
The default is
.Dq no .
Note that disabling X11 forwarding does not improve security in any
way, as users can always install their own forwarders.
.Pp
When X11 forwarding is enabled, there may be additional exposure to
the server and to client displays if the
.Nm sshd
proxy display is configured to listen on the wildcard address (see
.Cm X11UseLocalhost
below), however this is not the default.
Additionally, the authentication spoofing and authentication data
verification and substitution occur on the client side.
The security risk of using X11 forwarding is that the client's X11
display server may be exposed to attack when the ssh client requests
forwarding (see the warnings for
.Cm ForwardX11
in
.Xr ssh_config 5 ).
A system administrator may have a stance in which they want to
protect clients that may expose themselves to attack by unwittingly
requesting X11 forwarding, which can warrant a
.Dq no
setting.
.Pp
Note that disabling X11 forwarding does not prevent users from
forwarding X11 traffic, as users can always install their own forwarders.
X11 forwarding is automatically disabled if
.Cm UseLogin
is enabled.
@ -622,7 +668,7 @@ hostname part of the
.Ev DISPLAY
environment variable to
.Dq localhost .
This prevents remote hosts from connecting to the fake display.
This prevents remote hosts from connecting to the proxy display.
However, some older X11 clients may not function with this
configuration.
.Cm X11UseLocalhost
@ -637,7 +683,7 @@ or
The default is
.Dq yes .
.It Cm XAuthLocation
Specifies the location of the
Specifies the full pathname of the
.Xr xauth 1
program.
The default is
@ -649,7 +695,7 @@ The default is
command-line arguments and configuration file options that specify time
may be expressed using a sequence of the form:
.Sm off
.Ar time Oo Ar qualifier Oc ,
.Ar time Op Ar qualifier ,
.Sm on
where
.Ar time


@ -1,4 +1,4 @@
/* $NetBSD: sshlogin.c,v 1.6 2002/08/20 07:42:53 itojun Exp $ */
/* $NetBSD: sshlogin.c,v 1.7 2002/10/01 14:07:48 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -40,7 +40,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: sshlogin.c,v 1.4 2002/06/23 03:30:17 deraadt Exp $");
RCSID("$OpenBSD: sshlogin.c,v 1.5 2002/08/29 15:57:25 stevesk Exp $");
#include <util.h>
#ifdef SUPPORT_UTMP
@ -105,7 +105,7 @@ get_last_login_time(uid_t uid, const char *logname,
*/
void
record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
const char *host, struct sockaddr * addr)
const char *host, struct sockaddr * addr, socklen_t addrlen)
{
#if defined(SUPPORT_UTMP) || defined(SUPPORT_UTMPX)
int fd;
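Review bot: The new `addrlen` parameter of record_login is not described in the comment block that precedes the function (it closes at the `*/` at the top of the hunk), and the hunk does not show how it is used; record_login's body continues outside the hunk. Add a line to that comment such as `addrlen is the size of the sockaddr that addr points to` and, since the body presumably copies the address into the utmp/utmpx record, confirm that copy is bounded by `addrlen` rather than by a fixed struct size.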


@ -1,5 +1,5 @@
/* $NetBSD: sshlogin.h,v 1.2 2001/12/13 15:53:54 he Exp $ */
/* $OpenBSD: sshlogin.h,v 1.3 2001/06/26 17:27:25 markus Exp $ */
/* $NetBSD: sshlogin.h,v 1.3 2002/10/01 14:07:48 itojun Exp $ */
/* $OpenBSD: sshlogin.h,v 1.4 2002/08/29 15:57:25 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -17,7 +17,7 @@
void
record_login(pid_t, const char *, const char *, uid_t,
const char *, struct sockaddr *);
const char *, struct sockaddr *, socklen_t);
void record_logout(pid_t, const char *);
u_long get_last_login_time(uid_t, const char *, char *, u_int);


@ -1,5 +1,4 @@
/* $NetBSD: uuencode.c,v 1.6 2002/03/08 02:00:57 itojun Exp $ */
/* $NetBSD: uuencode.c,v 1.6 2002/03/08 02:00:57 itojun Exp $ */
/* $NetBSD: uuencode.c,v 1.7 2002/10/01 14:07:48 itojun Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -25,7 +24,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: uuencode.c,v 1.15 2002/03/04 17:27:39 stevesk Exp $");
RCSID("$OpenBSD: uuencode.c,v 1.16 2002/09/09 14:54:15 markus Exp $");
#include "xmalloc.h"
#include "uuencode.h"
@ -62,7 +61,7 @@ uudecode(const char *src, u_char *target, size_t targsize)
void
dump_base64(FILE *fp, u_char *data, u_int len)
{
u_char *buf = xmalloc(2*len);
char *buf = xmalloc(2*len);
int i, n;
n = uuencode(data, len, buf, 2*len);
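Review bot: The `2*len` sizing of `buf` is too small for short inputs, since base64 output needs `4*((len+2)/3) + 1` bytes: for len of 1 or 2 that is 5 bytes against a 2- or 4-byte allocation, and for len of 0 it asks xmalloc() for zero bytes. Whether this is harmless depends on uuencode() rejecting the undersized target and on how `n` is handled after the hunk, which is outside the view; dump_base64's body continues past it. Sizing the buffer explicitly, `size_t bufsz = 2*len + 5; char *buf = xmalloc(bufsz); n = uuencode(data, len, buf, bufsz);`, and treating a negative `n` as an error removes the dependency, and `bufsz` as size_t also avoids `2*len` wrapping in u_int for very large inputs.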


@ -1,8 +1,8 @@
/* $NetBSD: version.h,v 1.26 2002/06/26 14:08:34 itojun Exp $ */
/* $OpenBSD: version.h,v 1.34 2002/06/26 13:56:27 markus Exp $ */
/* $NetBSD: version.h,v 1.27 2002/10/01 14:07:49 itojun Exp $ */
/* $OpenBSD: version.h,v 1.35 2002/10/01 13:24:50 markus Exp $ */
#define __OPENSSH_VERSION "OpenSSH_3.4"
#define __NETBSDSSH_VERSION "NetBSD_Secure_Shell-20020626"
#define __OPENSSH_VERSION "OpenSSH_3.5"
#define __NETBSDSSH_VERSION "NetBSD_Secure_Shell-20021001"
/*
* it is important to retain OpenSSH version identification part, it is


@ -1,4 +1,4 @@
# $NetBSD: Makefile,v 1.14 2002/06/24 05:48:25 itojun Exp $
# $NetBSD: Makefile,v 1.15 2002/10/01 14:07:50 itojun Exp $
NOLINT= # defined
NOMAN= # defined
@ -14,12 +14,12 @@ LIB= ssh
SRCS= authfd.c authfile.c bufaux.c buffer.c canohost.c channels.c \
cipher.c compat.c compress.c crc32.c deattack.c fatal.c \
hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \
rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c atomicio.c \
rsa.c tildexpand.c ttymodes.c xmalloc.c atomicio.c \
key.c dispatch.c kex.c mac.c uuencode.c misc.c \
rijndael.c ssh-dss.c ssh-rsa.c dh.c kexdh.c kexgex.c \
scard.c monitor_wrap.c monitor_fdpass.c msg.c
SRCS+= random.c
SRCS+= readpassphrase.c
SRCS+= readpassphrase.c getpeereid.c
# only needed during build - prevent installation of library
libinstall::