- (djm) Sync with OpenBSD:
- markus@cvs.openbsd.org 2000/10/14 04:01:15 [cipher.c] debug3 - markus@cvs.openbsd.org 2000/10/14 04:07:23 [scp.c] remove spaces from arguments; from djm@mindrot.org - markus@cvs.openbsd.org 2000/10/14 06:09:46 [ssh.1] Cipher is for SSH-1 only - markus@cvs.openbsd.org 2000/10/14 06:12:09 [servconf.c servconf.h serverloop.c session.c sshd.8] AllowTcpForwarding; from naddy@ - markus@cvs.openbsd.org 2000/10/14 06:16:56 [auth2.c compat.c compat.h sshconnect2.c version.h] OpenSSH_2.3; note that it is not complete, but the version number needs to be changed for interoperability reasons - markus@cvs.openbsd.org 2000/10/14 06:19:45 [auth-rsa.c] do not send RSA challenge if key is not allowed by key-options; from eivind@ThinkSec.com - markus@cvs.openbsd.org 2000/10/15 08:14:01 [rijndael.c session.c] typos; from stevesk@sweden.hp.com - markus@cvs.openbsd.org 2000/10/15 08:18:31 [rijndael.c] typo - Copy manpages back over from OpenBSD - too tedious to wade through diffs
parent
5993935f76
commit
50a41ed079
29
ChangeLog
29
ChangeLog
|
@ -1,3 +1,32 @@
|
|||
20001016
|
||||
- (djm) Sync with OpenBSD:
|
||||
- markus@cvs.openbsd.org 2000/10/14 04:01:15
|
||||
[cipher.c]
|
||||
debug3
|
||||
- markus@cvs.openbsd.org 2000/10/14 04:07:23
|
||||
[scp.c]
|
||||
remove spaces from arguments; from djm@mindrot.org
|
||||
- markus@cvs.openbsd.org 2000/10/14 06:09:46
|
||||
[ssh.1]
|
||||
Cipher is for SSH-1 only
|
||||
- markus@cvs.openbsd.org 2000/10/14 06:12:09
|
||||
[servconf.c servconf.h serverloop.c session.c sshd.8]
|
||||
AllowTcpForwarding; from naddy@
|
||||
- markus@cvs.openbsd.org 2000/10/14 06:16:56
|
||||
[auth2.c compat.c compat.h sshconnect2.c version.h]
|
||||
OpenSSH_2.3; note that is is not complete, but the version number
|
||||
needs to be changed for interoperability reasons
|
||||
- markus@cvs.openbsd.org 2000/10/14 06:19:45
|
||||
[auth-rsa.c]
|
||||
do not send RSA challenge if key is not allowed by key-options; from
|
||||
eivind@ThinkSec.com
|
||||
- markus@cvs.openbsd.org 2000/10/15 08:14:01
|
||||
[rijndael.c session.c]
|
||||
typos; from stevesk@sweden.hp.com
|
||||
- markus@cvs.openbsd.org 2000/10/15 08:18:31
|
||||
[rijndael.c]
|
||||
typo
|
||||
|
||||
20001015
|
||||
- (djm) Fix ssh2 hang on background processes at logout.
|
||||
|
||||
|
|
13
auth-rsa.c
13
auth-rsa.c
|
@ -14,7 +14,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth-rsa.c,v 1.31 2000/10/11 19:59:52 markus Exp $");
|
||||
RCSID("$OpenBSD: auth-rsa.c,v 1.32 2000/10/14 12:19:45 markus Exp $");
|
||||
|
||||
#include "rsa.h"
|
||||
#include "packet.h"
|
||||
|
@ -231,6 +231,12 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
|
|||
}
|
||||
} else
|
||||
options = NULL;
|
||||
/*
|
||||
* If our options do not allow this key to be used,
|
||||
* do not send challenge.
|
||||
*/
|
||||
if (!auth_parse_options(pw, options, linenum))
|
||||
continue;
|
||||
|
||||
/* Parse the key from the line. */
|
||||
if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) {
|
||||
|
@ -269,9 +275,8 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
|
|||
* Break out of the loop if authentication was successful;
|
||||
* otherwise continue searching.
|
||||
*/
|
||||
authenticated = auth_parse_options(pw, options, linenum);
|
||||
if (authenticated)
|
||||
break;
|
||||
authenticated = 1;
|
||||
break;
|
||||
}
|
||||
|
||||
/* Restore the privileged uid. */
|
||||
|
|
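Review bot: Moving the `auth_parse_options` call ahead of the key match (the new check before `/* Parse the key from the line. */`) means a line whose options are accepted but whose key does not match the client's key has already been parsed; if `auth_parse_options` records its results in global state (the `no_port_forwarding_flag` consulted in serverloop.c and session.c suggests it does), options from a non-matching line can carry over to a later matching line unless that state is reset on every iteration. The loop should clear the parsed-option state at the top of each iteration before calling the parser, or the parser should only commit its results once the key is known to match. The later `authenticated = 1; break;` is fine now that the options check precedes it. auth_rsa's loop begins and ends outside the hunk.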
8
auth2.c
8
auth2.c
|
@ -23,7 +23,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth2.c,v 1.19 2000/10/11 20:27:23 markus Exp $");
|
||||
RCSID("$OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $");
|
||||
|
||||
#ifdef HAVE_OSF_SIA
|
||||
# include <sia.h>
|
||||
|
@ -442,10 +442,10 @@ userauth_pubkey(Authctxt *authctxt)
|
|||
sig = packet_get_string(&slen);
|
||||
packet_done();
|
||||
buffer_init(&b);
|
||||
if (datafellows & SSH_COMPAT_SESSIONID_ENCODING) {
|
||||
buffer_put_string(&b, session_id2, session_id2_len);
|
||||
} else {
|
||||
if (datafellows & SSH_OLD_SESSIONID) {
|
||||
buffer_append(&b, session_id2, session_id2_len);
|
||||
} else {
|
||||
buffer_put_string(&b, session_id2, session_id2_len);
|
||||
}
|
||||
/* reconstruct packet */
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
|
|
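Review bot: The new `SSH_OLD_SESSIONID` branch in `userauth_pubkey` duplicates, line for line, the session-id encoding added to `sign_and_send_pubkey` in sshconnect2.c by this same commit, so the verifying side and the signing side can silently diverge; a small shared helper that appends the session id according to `datafellows` would keep them in step. At minimum the branch deserves a comment such as `/* old peers sign the raw session id; current ones sign it as a string */`, since this choice decides what bytes the signature covers. A mismatch here fails verification rather than weakening it, but it is the kind of interop bug that is slow to diagnose. `userauth_pubkey` begins and ends outside the hunk.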
6
cipher.c
6
cipher.c
|
@ -35,7 +35,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: cipher.c,v 1.35 2000/10/13 18:59:13 markus Exp $");
|
||||
RCSID("$OpenBSD: cipher.c,v 1.36 2000/10/14 10:01:15 markus Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "xmalloc.h"
|
||||
|
@ -488,10 +488,10 @@ ciphers_valid(const char *names)
|
|||
xfree(ciphers);
|
||||
return 0;
|
||||
} else {
|
||||
debug("cipher ok: %s [%s]", p, names);
|
||||
debug3("cipher ok: %s [%s]", p, names);
|
||||
}
|
||||
}
|
||||
debug("ciphers ok: [%s]", names);
|
||||
debug3("ciphers ok: [%s]", names);
|
||||
xfree(ciphers);
|
||||
return 1;
|
||||
}
|
||||
|
|
21
compat.c
21
compat.c
|
@ -23,7 +23,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: compat.c,v 1.24 2000/10/10 20:20:45 markus Exp $");
|
||||
RCSID("$OpenBSD: compat.c,v 1.25 2000/10/14 12:16:56 markus Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "packet.h"
|
||||
|
@ -62,13 +62,18 @@ compat_datafellows(const char *version)
|
|||
char *pat;
|
||||
int bugs;
|
||||
} check[] = {
|
||||
{"^.*MindTerm", 0},
|
||||
{"^2\\.1\\.0 ", SSH_BUG_SIGBLOB|SSH_BUG_HMAC},
|
||||
{"^2\\.0\\.", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|SSH_BUG_PUBKEYAUTH|SSH_BUG_X11FWD},
|
||||
{"^2\\.[23]\\.0 ", SSH_BUG_HMAC|SSH_COMPAT_SESSIONID_ENCODING},
|
||||
{"^2\\.[2-9]\\.", SSH_COMPAT_SESSIONID_ENCODING},
|
||||
{"^2\\.", SSH_BUG_HMAC|SSH_COMPAT_SESSIONID_ENCODING},
|
||||
{NULL, 0}
|
||||
{ "^OpenSSH-2\\.[01]", SSH_OLD_SESSIONID },
|
||||
{ "^OpenSSH_2\\.2", SSH_OLD_SESSIONID },
|
||||
{ "MindTerm", 0 },
|
||||
{ "^2\\.1\\.0 ", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
|
||||
SSH_OLD_SESSIONID },
|
||||
{ "^2\\.0\\.", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
|
||||
SSH_OLD_SESSIONID|
|
||||
SSH_BUG_PUBKEYAUTH|SSH_BUG_X11FWD },
|
||||
{ "^2\\.[23]\\.0 ", SSH_BUG_HMAC},
|
||||
{ "^2\\.[2-9]\\.", 0 },
|
||||
{ "^2\\.", SSH_BUG_HMAC}, /* XXX fallback */
|
||||
{ NULL, 0 }
|
||||
};
|
||||
/* process table, return first match */
|
||||
for (i = 0; check[i].pat; i++) {
|
||||
|
|
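Review bot: The rewritten `check[]` table depends on ordering for correctness — the existing comment `/* process table, return first match */` shows the first match wins — yet nothing at the table says so, and `^2\\.[23]\\.0 ` ahead of `^2\\.[2-9]\\.`, the `^OpenSSH` entries ahead of the generic ones, and the `^2\\.` fallback at the end all rely on it; a comment such as `/* order matters: first matching pattern wins, keep specific entries above the ^2\\. fallback */` above the initializer would protect future additions. The `"MindTerm"` entry is the only pattern without a `^` anchor (equivalent to the old `^.*MindTerm`), which is worth a word if intentional. Since the version string comes from the peer, this table lets the peer pick its own bug-compat flags; that is inherent to the design but worth remembering whenever a flag relaxes a check. `compat_datafellows` begins and ends outside the hunk.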
4
compat.h
4
compat.h
|
@ -21,7 +21,7 @@
|
|||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
/* RCSID("$OpenBSD: compat.h,v 1.10 2000/09/07 20:27:50 deraadt Exp $"); */
|
||||
/* RCSID("$OpenBSD: compat.h,v 1.11 2000/10/14 12:16:56 markus Exp $"); */
|
||||
|
||||
#ifndef COMPAT_H
|
||||
#define COMPAT_H
|
||||
|
@ -35,7 +35,7 @@
|
|||
#define SSH_BUG_PUBKEYAUTH 0x02
|
||||
#define SSH_BUG_HMAC 0x04
|
||||
#define SSH_BUG_X11FWD 0x08
|
||||
#define SSH_COMPAT_SESSIONID_ENCODING 0x10
|
||||
#define SSH_OLD_SESSIONID 0x10
|
||||
|
||||
void enable_compat13(void);
|
||||
void enable_compat20(void);
|
||||
|
|
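Review bot: `SSH_OLD_SESSIONID` replaces `SSH_COMPAT_SESSIONID_ENCODING` at the same bit value 0x10 but with the opposite sense (the auth2.c and sshconnect2.c hunks in this commit treat it as "peer uses the raw session id"), and like the neighbouring `SSH_BUG_*` defines it carries no comment. A trailing comment such as `/* peer signs the raw session id rather than its string encoding */` would record the inversion for anyone who still remembers the old name. The `#ifndef COMPAT_H` block begins and ends outside the hunk.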
8
scp.c
8
scp.c
|
@ -75,7 +75,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: scp.c,v 1.41 2000/10/11 20:03:27 markus Exp $");
|
||||
RCSID("$OpenBSD: scp.c,v 1.42 2000/10/14 10:07:21 markus Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "xmalloc.h"
|
||||
|
@ -266,13 +266,13 @@ main(argc, argv)
|
|||
case 'o':
|
||||
case 'c':
|
||||
case 'i':
|
||||
addargs("-%c %s", ch, optarg);
|
||||
addargs("-%c%s", ch, optarg);
|
||||
break;
|
||||
case 'P':
|
||||
addargs("-p %s", optarg);
|
||||
addargs("-p%s", optarg);
|
||||
break;
|
||||
case 'B':
|
||||
addargs("-o Batchmode yes");
|
||||
addargs("-oBatchmode yes");
|
||||
break;
|
||||
case 'p':
|
||||
pflag = 1;
|
||||
|
|
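Review bot: The fix relies on `addargs` producing one argv entry per call, so `-%c%s` glues option letter and value into a single token that ssh's option parser receives as one argument, while `-oBatchmode yes` stays one token containing a space; that is presumably why the old `-%c %s` form misbehaved, but nothing in the hunk says so and addargs is defined outside it. A comment above these cases, `/* addargs() emits one argv entry per call; join flag and value so ssh sees them as one token */`, would keep the space from being reinserted. main begins and ends outside the hunk.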
13
servconf.c
13
servconf.c
|
@ -10,7 +10,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: servconf.c,v 1.52 2000/10/11 20:14:39 markus Exp $");
|
||||
RCSID("$OpenBSD: servconf.c,v 1.53 2000/10/14 12:12:09 markus Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "servconf.h"
|
||||
|
@ -67,6 +67,7 @@ initialize_server_options(ServerOptions *options)
|
|||
#endif
|
||||
options->permit_empty_passwd = -1;
|
||||
options->use_login = -1;
|
||||
options->allow_tcp_forwarding = -1;
|
||||
options->num_allow_users = 0;
|
||||
options->num_deny_users = 0;
|
||||
options->num_allow_groups = 0;
|
||||
|
@ -159,6 +160,8 @@ fill_default_server_options(ServerOptions *options)
|
|||
options->permit_empty_passwd = 0;
|
||||
if (options->use_login == -1)
|
||||
options->use_login = 0;
|
||||
if (options->allow_tcp_forwarding == -1)
|
||||
options->allow_tcp_forwarding = 1;
|
||||
if (options->protocol == SSH_PROTO_UNKNOWN)
|
||||
options->protocol = SSH_PROTO_1|SSH_PROTO_2;
|
||||
if (options->gateway_ports == -1)
|
||||
|
@ -189,7 +192,8 @@ typedef enum {
|
|||
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
|
||||
sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
|
||||
sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
|
||||
sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
|
||||
sUseLogin, sAllowTcpForwarding,
|
||||
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
|
||||
sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
|
||||
sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem, sMaxStartups
|
||||
} ServerOpCodes;
|
||||
|
@ -240,6 +244,7 @@ static struct {
|
|||
{ "uselogin", sUseLogin },
|
||||
{ "randomseed", sRandomSeedFile },
|
||||
{ "keepalive", sKeepAlives },
|
||||
{ "allowtcpforwarding", sAllowTcpForwarding },
|
||||
{ "allowusers", sAllowUsers },
|
||||
{ "denyusers", sDenyUsers },
|
||||
{ "allowgroups", sAllowGroups },
|
||||
|
@ -573,6 +578,10 @@ parse_flag:
|
|||
*intptr = (LogLevel) value;
|
||||
break;
|
||||
|
||||
case sAllowTcpForwarding:
|
||||
intptr = &options->allow_tcp_forwarding;
|
||||
goto parse_flag;
|
||||
|
||||
case sAllowUsers:
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
* called by a name other than "ssh" or "Secure Shell".
|
||||
*/
|
||||
|
||||
/* RCSID("$OpenBSD: servconf.h,v 1.29 2000/10/11 20:14:39 markus Exp $"); */
|
||||
/* RCSID("$OpenBSD: servconf.h,v 1.30 2000/10/14 12:12:09 markus Exp $"); */
|
||||
|
||||
#ifndef SERVCONF_H
|
||||
#define SERVCONF_H
|
||||
|
@ -86,6 +86,7 @@ typedef struct {
|
|||
int permit_empty_passwd; /* If false, do not permit empty
|
||||
* passwords. */
|
||||
int use_login; /* If true, login(1) is used */
|
||||
int allow_tcp_forwarding;
|
||||
unsigned int num_allow_users;
|
||||
char *allow_users[MAX_ALLOW_USERS];
|
||||
unsigned int num_deny_users;
|
||||
|
|
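Review bot: The new `allow_tcp_forwarding` field is the only member in the visible part of the struct without a trailing comment, right after `use_login; /* If true, login(1) is used */`; suggest `int allow_tcp_forwarding; /* If false, deny TCP forwarding (AllowTcpForwarding) */`. The sshd.8 hunk in this commit gives the default as yes, which matches the value servconf.c assigns in `fill_default_server_options`. The struct is cut at both edges of the hunk.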
|
@ -49,6 +49,8 @@
|
|||
#include "dispatch.h"
|
||||
#include "auth-options.h"
|
||||
|
||||
extern ServerOptions options;
|
||||
|
||||
static Buffer stdin_buffer; /* Buffer for stdin data. */
|
||||
static Buffer stdout_buffer; /* Buffer for stdout data. */
|
||||
static Buffer stderr_buffer; /* Buffer for stderr data. */
|
||||
|
@ -749,7 +751,7 @@ input_direct_tcpip(void)
|
|||
originator, originator_port, target, target_port);
|
||||
|
||||
/* XXX check permission */
|
||||
if (no_port_forwarding_flag) {
|
||||
if (no_port_forwarding_flag || !options.allow_tcp_forwarding) {
|
||||
xfree(target);
|
||||
xfree(originator);
|
||||
return -1;
|
||||
|
|
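Review bot: The deny path in `input_direct_tcpip` now covers the server-wide `AllowTcpForwarding` policy as well as the per-key flag, but it still frees and returns -1 without any log line, whereas the equivalent denial in session.c emits `debug("Port forwarding not permitted.")`; a matching message before the `xfree` calls, ideally naming which of the two causes applied, would let an administrator see which clients request forwarding that policy rejects. The `/* XXX check permission */` marker above the check is now at least partly addressed and should be updated or removed. `input_direct_tcpip` begins and ends outside the hunk.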
|
@ -33,7 +33,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: session.c,v 1.38 2000/10/11 20:27:23 markus Exp $");
|
||||
RCSID("$OpenBSD: session.c,v 1.40 2000/10/15 14:14:01 markus Exp $");
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
|
@ -236,7 +236,7 @@ do_authenticated(struct passwd * pw)
|
|||
* by the client telling us, so we can equally well trust the client
|
||||
* not to request anything bogus.)
|
||||
*/
|
||||
if (!no_port_forwarding_flag)
|
||||
if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
|
||||
channel_permit_all_opens();
|
||||
|
||||
s = session_new();
|
||||
|
@ -388,6 +388,10 @@ do_authenticated(struct passwd * pw)
|
|||
debug("Port forwarding not permitted for this authentication.");
|
||||
break;
|
||||
}
|
||||
if (!options.allow_tcp_forwarding) {
|
||||
debug("Port forwarding not permitted.");
|
||||
break;
|
||||
}
|
||||
debug("Received TCP/IP port forwarding request.");
|
||||
channel_input_port_forward_request(pw->pw_uid == 0, options.gateway_ports);
|
||||
success = 1;
|
||||
|
|
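Review bot: Both port-forwarding denials in this request handler, the per-authentication one at `debug("Port forwarding not permitted for this authentication.")` and the new server-policy one, are logged only at debug level, so at a default log level a client repeatedly requesting forwarding that `AllowTcpForwarding no` refuses leaves no trace. A refusal driven by server configuration is worth emitting at a level that appears in normal operation so such requests are visible. The three-line guard itself is consistent with the surrounding cases. `do_authenticated` begins and ends outside the hunk.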
|
@ -43,13 +43,13 @@ option.
|
|||
See
|
||||
.Xr sshd 8
|
||||
for more information.
|
||||
.Sh HISTORY
|
||||
.Nm
|
||||
first appeared in OpenBSD 2.8.
|
||||
.Sh AUTHOR
|
||||
Markus Friedl <markus@openbsd.org>
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
.Xr sshd 8 ,
|
||||
.Xr sshd 8
|
||||
.Sh AUTHOR
|
||||
Markus Friedl <markus@openbsd.org>
|
||||
.Sh HISTORY
|
||||
.Nm
|
||||
first appeared in OpenBSD 2.8 .
|
||||
|
|
5
ssh.1
5
ssh.1
|
@ -627,7 +627,8 @@ If the option is set to
|
|||
.Dq no ,
|
||||
the check will not be executed.
|
||||
.It Cm Cipher
|
||||
Specifies the cipher to use for encrypting the session.
|
||||
Specifies the cipher to use for encrypting the session
|
||||
in protocol version 1
|
||||
Currently,
|
||||
.Dq blowfish ,
|
||||
and
|
||||
|
@ -640,7 +641,7 @@ Specifies the ciphers allowed for protocol version 2
|
|||
in order of preference.
|
||||
Multiple ciphers must be comma-separated.
|
||||
The default is
|
||||
.Dq 3des-cbc,blowfish-cbc,arcfour,cast128-cbc .
|
||||
.Dq 3des-cbc,blowfish-cbc,cast128-cbc,arcfour .
|
||||
.It Cm Compression
|
||||
Specifies whether to use compression.
|
||||
The argument must be
|
||||
|
|
|
@ -23,7 +23,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: sshconnect2.c,v 1.25 2000/10/12 09:59:19 markus Exp $");
|
||||
RCSID("$OpenBSD: sshconnect2.c,v 1.26 2000/10/14 12:16:56 markus Exp $");
|
||||
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/rsa.h>
|
||||
|
@ -657,12 +657,12 @@ sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback)
|
|||
|
||||
/* data to be signed */
|
||||
buffer_init(&b);
|
||||
if (datafellows & SSH_COMPAT_SESSIONID_ENCODING) {
|
||||
buffer_put_string(&b, session_id2, session_id2_len);
|
||||
skip = buffer_len(&b);
|
||||
} else {
|
||||
if (datafellows & SSH_OLD_SESSIONID) {
|
||||
buffer_append(&b, session_id2, session_id2_len);
|
||||
skip = session_id2_len;
|
||||
} else {
|
||||
buffer_put_string(&b, session_id2, session_id2_len);
|
||||
skip = buffer_len(&b);
|
||||
}
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
buffer_put_cstring(&b, authctxt->server_user);
|
||||
|
|
8
sshd.8
8
sshd.8
|
@ -303,6 +303,14 @@ wildcards in the patterns.
|
|||
Only group names are valid; a numerical group ID isn't recognized.
|
||||
By default login is allowed regardless of the primary group.
|
||||
.Pp
|
||||
.It Cm AllowTcpForwarding
|
||||
Specifies whether TCP forwarding is permitted.
|
||||
The default is
|
||||
.Dq yes .
|
||||
Note that disabling TCP forwarding does not improve security unless
|
||||
users are also denied shell access, as they can always install their
|
||||
own forwarders.
|
||||
.Pp
|
||||
.It Cm AllowUsers
|
||||
This keyword can be followed by a number of user names, separated
|
||||
by spaces.
|
||||
|
|