- (djm) Sync with OpenBSD:

- markus@cvs.openbsd.org  2000/10/14 04:01:15
     [cipher.c]
     debug3
   - markus@cvs.openbsd.org  2000/10/14 04:07:23
     [scp.c]
     remove spaces from arguments; from djm@mindrot.org
   - markus@cvs.openbsd.org  2000/10/14 06:09:46
     [ssh.1]
     Cipher is for SSH-1 only
   - markus@cvs.openbsd.org  2000/10/14 06:12:09
     [servconf.c servconf.h serverloop.c session.c sshd.8]
     AllowTcpForwarding; from naddy@
   - markus@cvs.openbsd.org  2000/10/14 06:16:56
     [auth2.c compat.c compat.h sshconnect2.c version.h]
     OpenSSH_2.3; note that it is not complete, but the version number
     needs to be changed for interoperability reasons
   - markus@cvs.openbsd.org  2000/10/14 06:19:45
     [auth-rsa.c]
     do not send RSA challenge if key is not allowed by key-options; from
     eivind@ThinkSec.com
   - markus@cvs.openbsd.org  2000/10/15 08:14:01
     [rijndael.c session.c]
     typos; from stevesk@sweden.hp.com
   - markus@cvs.openbsd.org  2000/10/15 08:18:31
     [rijndael.c]
     typo
 - Copy manpages back over from OpenBSD - too tedious to wade through diffs
Damien Miller 2000-10-16 12:14:42 +11:00
parent 5993935f76
commit 50a41ed079
16 changed files with 111 additions and 47 deletions


@ -1,3 +1,32 @@
20001016
- (djm) Sync with OpenBSD:
- markus@cvs.openbsd.org 2000/10/14 04:01:15
[cipher.c]
debug3
- markus@cvs.openbsd.org 2000/10/14 04:07:23
[scp.c]
remove spaces from arguments; from djm@mindrot.org
- markus@cvs.openbsd.org 2000/10/14 06:09:46
[ssh.1]
Cipher is for SSH-1 only
- markus@cvs.openbsd.org 2000/10/14 06:12:09
[servconf.c servconf.h serverloop.c session.c sshd.8]
AllowTcpForwarding; from naddy@
- markus@cvs.openbsd.org 2000/10/14 06:16:56
[auth2.c compat.c compat.h sshconnect2.c version.h]
OpenSSH_2.3; note that is is not complete, but the version number
needs to be changed for interoperability reasons
- markus@cvs.openbsd.org 2000/10/14 06:19:45
[auth-rsa.c]
do not send RSA challenge if key is not allowed by key-options; from
eivind@ThinkSec.com
- markus@cvs.openbsd.org 2000/10/15 08:14:01
[rijndael.c session.c]
typos; from stevesk@sweden.hp.com
- markus@cvs.openbsd.org 2000/10/15 08:18:31
[rijndael.c]
typo
20001015
- (djm) Fix ssh2 hang on background processes at logout.


@ -14,7 +14,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth-rsa.c,v 1.31 2000/10/11 19:59:52 markus Exp $");
RCSID("$OpenBSD: auth-rsa.c,v 1.32 2000/10/14 12:19:45 markus Exp $");
#include "rsa.h"
#include "packet.h"
@ -231,6 +231,12 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
}
} else
options = NULL;
/*
* If our options do not allow this key to be used,
* do not send challenge.
*/
if (!auth_parse_options(pw, options, linenum))
continue;
/* Parse the key from the line. */
if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) {
@ -269,8 +275,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
* Break out of the loop if authentication was successful;
* otherwise continue searching.
*/
authenticated = auth_parse_options(pw, options, linenum);
if (authenticated)
authenticated = 1;
break;
}
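Review bot: The added `auth_parse_options(pw, options, linenum)` call now runs for every line of the authorized keys file before the key on that line is compared with the client's modulus, so any global state it sets for a non-matching line (the `no_port_forwarding_flag` consulted in the serverloop.c and session.c hunks, and whatever else auth-options.h exports) appears to remain set when a later line matches, unless it is reset per line. If `auth_clear_options()` is not already invoked at the top of the loop body, add it immediately before this check so the effective options come only from the matched key. The early `continue` itself is the right fix: refusing before the challenge keeps a client from learning that a key is present but unusable. `auth_rsa()` begins and ends outside the hunks.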


@ -23,7 +23,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth2.c,v 1.19 2000/10/11 20:27:23 markus Exp $");
RCSID("$OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $");
#ifdef HAVE_OSF_SIA
# include <sia.h>
@ -442,10 +442,10 @@ userauth_pubkey(Authctxt *authctxt)
sig = packet_get_string(&slen);
packet_done();
buffer_init(&b);
if (datafellows & SSH_COMPAT_SESSIONID_ENCODING) {
buffer_put_string(&b, session_id2, session_id2_len);
} else {
if (datafellows & SSH_OLD_SESSIONID) {
buffer_append(&b, session_id2, session_id2_len);
} else {
buffer_put_string(&b, session_id2, session_id2_len);
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
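Review bot: The `datafellows & SSH_OLD_SESSIONID` test in `userauth_pubkey()` decides which encoding of `session_id2` becomes the signed data, but nothing in the code says why two encodings exist; a comment such as `/* peers flagged SSH_OLD_SESSIONID in compat.c signed the raw session id; everyone else signs it as an SSH string */` above the `if` would spare the next reader a trip to compat.c. The mirrored branch in sshconnect2.c's `sign_and_send_pubkey()` hunk needs the same comment. Since `datafellows` is derived from the peer's self-reported version, an encoding mismatch here only makes signature verification fail, which is the safe outcome. `userauth_pubkey()` begins and ends outside the hunk.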


@ -35,7 +35,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: cipher.c,v 1.35 2000/10/13 18:59:13 markus Exp $");
RCSID("$OpenBSD: cipher.c,v 1.36 2000/10/14 10:01:15 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
@ -488,10 +488,10 @@ ciphers_valid(const char *names)
xfree(ciphers);
return 0;
} else {
debug("cipher ok: %s [%s]", p, names);
debug3("cipher ok: %s [%s]", p, names);
}
}
debug("ciphers ok: [%s]", names);
debug3("ciphers ok: [%s]", names);
xfree(ciphers);
return 1;
}


@ -23,7 +23,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: compat.c,v 1.24 2000/10/10 20:20:45 markus Exp $");
RCSID("$OpenBSD: compat.c,v 1.25 2000/10/14 12:16:56 markus Exp $");
#include "ssh.h"
#include "packet.h"
@ -62,12 +62,17 @@ compat_datafellows(const char *version)
char *pat;
int bugs;
} check[] = {
{"^.*MindTerm", 0},
{"^2\\.1\\.0 ", SSH_BUG_SIGBLOB|SSH_BUG_HMAC},
{"^2\\.0\\.", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|SSH_BUG_PUBKEYAUTH|SSH_BUG_X11FWD},
{"^2\\.[23]\\.0 ", SSH_BUG_HMAC|SSH_COMPAT_SESSIONID_ENCODING},
{"^2\\.[2-9]\\.", SSH_COMPAT_SESSIONID_ENCODING},
{"^2\\.", SSH_BUG_HMAC|SSH_COMPAT_SESSIONID_ENCODING},
{ "^OpenSSH-2\\.[01]", SSH_OLD_SESSIONID },
{ "^OpenSSH_2\\.2", SSH_OLD_SESSIONID },
{ "MindTerm", 0 },
{ "^2\\.1\\.0 ", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
SSH_OLD_SESSIONID },
{ "^2\\.0\\.", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
SSH_OLD_SESSIONID|
SSH_BUG_PUBKEYAUTH|SSH_BUG_X11FWD },
{ "^2\\.[23]\\.0 ", SSH_BUG_HMAC},
{ "^2\\.[2-9]\\.", 0 },
{ "^2\\.", SSH_BUG_HMAC}, /* XXX fallback */
{ NULL, 0 }
};
/* process table, return first match */
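Review bot: The rewritten `check[]` table in `compat_datafellows()` is matched against the `version` string, which is presumably the remote side's identification sent before any authentication, so each entry effectively lets a peer pick which quirks to enable by claiming a version; a header comment above the table would help keep future entries limited to wire-format compatibility, e.g. `/* Matched against the peer's self-reported version: entries may only toggle compatibility quirks, never relax an authentication check. */`. The two `OpenSSH` patterns and the `^2\.[2-9]\.` entry make it explicit that `SSH_OLD_SESSIONID` is no longer implied by the `^2\.` fallback, which is the intended change. The `MindTerm` entry lost its `^.*` prefix; with an unanchored regex search that is equivalent, so no behaviour change is expected there. `compat_datafellows()` begins and ends outside the hunk.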


@ -21,7 +21,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* RCSID("$OpenBSD: compat.h,v 1.10 2000/09/07 20:27:50 deraadt Exp $"); */
/* RCSID("$OpenBSD: compat.h,v 1.11 2000/10/14 12:16:56 markus Exp $"); */
#ifndef COMPAT_H
#define COMPAT_H
@ -35,7 +35,7 @@
#define SSH_BUG_PUBKEYAUTH 0x02
#define SSH_BUG_HMAC 0x04
#define SSH_BUG_X11FWD 0x08
#define SSH_COMPAT_SESSIONID_ENCODING 0x10
#define SSH_OLD_SESSIONID 0x10
void enable_compat13(void);
void enable_compat20(void);

2
scp.c

@ -75,7 +75,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: scp.c,v 1.41 2000/10/11 20:03:27 markus Exp $");
RCSID("$OpenBSD: scp.c,v 1.42 2000/10/14 10:07:21 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"


@ -10,7 +10,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.52 2000/10/11 20:14:39 markus Exp $");
RCSID("$OpenBSD: servconf.c,v 1.53 2000/10/14 12:12:09 markus Exp $");
#include "ssh.h"
#include "servconf.h"
@ -67,6 +67,7 @@ initialize_server_options(ServerOptions *options)
#endif
options->permit_empty_passwd = -1;
options->use_login = -1;
options->allow_tcp_forwarding = -1;
options->num_allow_users = 0;
options->num_deny_users = 0;
options->num_allow_groups = 0;
@ -159,6 +160,8 @@ fill_default_server_options(ServerOptions *options)
options->permit_empty_passwd = 0;
if (options->use_login == -1)
options->use_login = 0;
if (options->allow_tcp_forwarding == -1)
options->allow_tcp_forwarding = 1;
if (options->protocol == SSH_PROTO_UNKNOWN)
options->protocol = SSH_PROTO_1|SSH_PROTO_2;
if (options->gateway_ports == -1)
@ -189,7 +192,8 @@ typedef enum {
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sUseLogin, sAllowTcpForwarding,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem, sMaxStartups
} ServerOpCodes;
@ -240,6 +244,7 @@ static struct {
{ "uselogin", sUseLogin },
{ "randomseed", sRandomSeedFile },
{ "keepalive", sKeepAlives },
{ "allowtcpforwarding", sAllowTcpForwarding },
{ "allowusers", sAllowUsers },
{ "denyusers", sDenyUsers },
{ "allowgroups", sAllowGroups },
@ -573,6 +578,10 @@ parse_flag:
*intptr = (LogLevel) value;
break;
case sAllowTcpForwarding:
intptr = &options->allow_tcp_forwarding;
goto parse_flag;
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)
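Review bot: The new default `options->allow_tcp_forwarding = 1` in `fill_default_server_options()` is permissive without saying so; a comment `/* AllowTcpForwarding defaults to yes, see sshd.8 */` beside the assignment keeps the code and the manual page tied together when either is revisited. The `sAllowTcpForwarding` case reuses the `parse_flag` label in the same way as the neighbouring yes/no options, which is consistent with the file. Both `fill_default_server_options()` and the switch containing the new case extend beyond the hunks.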


@ -11,7 +11,7 @@
* called by a name other than "ssh" or "Secure Shell".
*/
/* RCSID("$OpenBSD: servconf.h,v 1.29 2000/10/11 20:14:39 markus Exp $"); */
/* RCSID("$OpenBSD: servconf.h,v 1.30 2000/10/14 12:12:09 markus Exp $"); */
#ifndef SERVCONF_H
#define SERVCONF_H
@ -86,6 +86,7 @@ typedef struct {
int permit_empty_passwd; /* If false, do not permit empty
* passwords. */
int use_login; /* If true, login(1) is used */
int allow_tcp_forwarding;
unsigned int num_allow_users;
char *allow_users[MAX_ALLOW_USERS];
unsigned int num_deny_users;
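Review bot: The new `allow_tcp_forwarding` member is the only field in this part of the struct without a trailing comment, while `permit_empty_passwd` and `use_login` beside it have one; `int allow_tcp_forwarding; /* If false, refuse all TCP port forwarding (AllowTcpForwarding) */` would match its neighbours. The typedef'd struct begins and ends outside the hunk.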


@ -49,6 +49,8 @@
#include "dispatch.h"
#include "auth-options.h"
extern ServerOptions options;
static Buffer stdin_buffer; /* Buffer for stdin data. */
static Buffer stdout_buffer; /* Buffer for stdout data. */
static Buffer stderr_buffer; /* Buffer for stderr data. */
@ -749,7 +751,7 @@ input_direct_tcpip(void)
originator, originator_port, target, target_port);
/* XXX check permission */
if (no_port_forwarding_flag) {
if (no_port_forwarding_flag || !options.allow_tcp_forwarding) {
xfree(target);
xfree(originator);
return -1;
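Review bot: The new `!options.allow_tcp_forwarding` term in `input_direct_tcpip()` refuses the channel silently, whereas the equivalent SSH-1 check added in session.c at least emits `debug("Port forwarding not permitted.")`; add the same message before the `xfree()` calls so a refused direct-tcpip request shows up in the server log. Because this refusal reflects an administrator policy rather than a per-key restriction, emitting it with `log()` instead of `debug()` in both files would let operators see such attempts without running the daemon in debug mode. The `/* XXX check permission */` comment just above can now be dropped or narrowed, since the condition below it is that check. `input_direct_tcpip()` begins and ends outside the hunk.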


@ -33,7 +33,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: session.c,v 1.38 2000/10/11 20:27:23 markus Exp $");
RCSID("$OpenBSD: session.c,v 1.40 2000/10/15 14:14:01 markus Exp $");
#include "xmalloc.h"
#include "ssh.h"
@ -236,7 +236,7 @@ do_authenticated(struct passwd * pw)
* by the client telling us, so we can equally well trust the client
* not to request anything bogus.)
*/
if (!no_port_forwarding_flag)
if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
channel_permit_all_opens();
s = session_new();
@ -388,6 +388,10 @@ do_authenticated(struct passwd * pw)
debug("Port forwarding not permitted for this authentication.");
break;
}
if (!options.allow_tcp_forwarding) {
debug("Port forwarding not permitted.");
break;
}
debug("Received TCP/IP port forwarding request.");
channel_input_port_forward_request(pw->pw_uid == 0, options.gateway_ports);
success = 1;
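Review bot: The comment block preceding the changed `if (!no_port_forwarding_flag && options.allow_tcp_forwarding)` in `do_authenticated()` explains why all opens are permitted by trusting the client, but it does not mention the server-wide policy the new term adds; appending `, unless the administrator disabled forwarding with AllowTcpForwarding` to that comment keeps the rationale complete. The second hunk's `debug("Port forwarding not permitted.")` usefully distinguishes the policy refusal from the per-key one above it. `do_authenticated()` begins and ends outside both hunks.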


@ -43,13 +43,13 @@ option.
See
.Xr sshd 8
for more information.
.Sh HISTORY
.Nm
first appeared in OpenBSD 2.8.
.Sh AUTHOR
Markus Friedl <markus@openbsd.org>
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-keygen 1 ,
.Xr sshd 8 ,
.Xr sshd 8
.Sh AUTHOR
Markus Friedl <markus@openbsd.org>
.Sh HISTORY
.Nm
first appeared in OpenBSD 2.8 .

5
ssh.1

@ -627,7 +627,8 @@ If the option is set to
.Dq no ,
the check will not be executed.
.It Cm Cipher
Specifies the cipher to use for encrypting the session.
Specifies the cipher to use for encrypting the session
in protocol version 1
Currently,
.Dq blowfish ,
and
@ -640,7 +641,7 @@ Specifies the ciphers allowed for protocol version 2
in order of preference.
Multiple ciphers must be comma-separated.
The default is
.Dq 3des-cbc,blowfish-cbc,arcfour,cast128-cbc .
.Dq 3des-cbc,blowfish-cbc,cast128-cbc,arcfour .
.It Cm Compression
Specifies whether to use compression.
The argument must be


@ -23,7 +23,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: sshconnect2.c,v 1.25 2000/10/12 09:59:19 markus Exp $");
RCSID("$OpenBSD: sshconnect2.c,v 1.26 2000/10/14 12:16:56 markus Exp $");
#include <openssl/bn.h>
#include <openssl/rsa.h>
@ -657,12 +657,12 @@ sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback)
/* data to be signed */
buffer_init(&b);
if (datafellows & SSH_COMPAT_SESSIONID_ENCODING) {
buffer_put_string(&b, session_id2, session_id2_len);
skip = buffer_len(&b);
} else {
if (datafellows & SSH_OLD_SESSIONID) {
buffer_append(&b, session_id2, session_id2_len);
skip = session_id2_len;
} else {
buffer_put_string(&b, session_id2, session_id2_len);
skip = buffer_len(&b);
}
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
buffer_put_cstring(&b, authctxt->server_user);

8
sshd.8

@ -303,6 +303,14 @@ wildcards in the patterns.
Only group names are valid; a numerical group ID isn't recognized.
By default login is allowed regardless of the primary group.
.Pp
.It Cm AllowTcpForwarding
Specifies whether TCP forwarding is permitted.
The default is
.Dq yes .
Note that disabling TCP forwarding does not improve security unless
users are also denied shell access, as they can always install their
own forwarders.
.Pp
.It Cm AllowUsers
This keyword can be followed by a number of user names, separated
by spaces.


@ -1 +1 @@
#define SSH_VERSION "OpenSSH_2.2.0p2"
#define SSH_VERSION "OpenSSH_2.3.0p1"