- OpenBSD CVS Changes

- [canohost.c] fix get_remote_port() and friends for sshd -i; Holger.Trapp@Informatik.TU-Chemnitz.DE - [mpaux.c] make code simpler. no need for memcpy. niels@ ok - [pty.c] namebuflen not sizeof namebuflen; bnd@ep-ag.com via djm@mindrot.org fix proto; markus - [ssh.1] typo; mark.baushke@solipsa.com - [channels.c ssh.c ssh.h sshd.c] type conflict for 'extern Type *options' in channels.c; dot@dotat.at - [sshconnect.c] move checking of hostkey into own function. - [version.h] OpenSSH-1.2.1
2025-07-23 13:55:13 +02:00 · 1999-12-14 10:47:15 +11:00 · 1999-12-14 10:47:15 +11:00 · a34a28bf86
commit a34a28bf86
parent c6b3bbe2b9
11 changed files with 229 additions and 158 deletions
--- a/19
+++ b/19
@ -1,3 +1,22 @@
 19991214
 - OpenBSD CVS Changes
   - [canohost.c]
     fix get_remote_port() and friends for sshd -i; 
     Holger.Trapp@Informatik.TU-Chemnitz.DE
   - [mpaux.c]
     make code simpler. no need for memcpy. niels@ ok
   - [pty.c]
     namebuflen not sizeof namebuflen; bnd@ep-ag.com via djm@mindrot.org
     fix proto; markus
   - [ssh.1]
      typo; mark.baushke@solipsa.com
   - [channels.c ssh.c ssh.h sshd.c]
     type conflict for 'extern Type *options' in channels.c; dot@dotat.at
   - [sshconnect.c]
     move checking of hostkey into own function.
   - [version.h]
     OpenSSH-1.2.1
 19991211
 - Fix compilation on systems with AFS. Reported by 
   aloomis@glue.umd.edu
--- a/canohost.c
+++ b/canohost.c
@ -14,7 +14,7 @@
 */
 #include "includes.h"
-RCSID("$Id: canohost.c,v 1.4 1999/11/25 00:54:58 damien Exp $");
+RCSID("$Id: canohost.c,v 1.5 1999/12/13 23:47:15 damien Exp $");
 #include "packet.h"
 #include "xmalloc.h"
@ -143,6 +143,28 @@ check_ip_options:
 static char *canonical_host_name = NULL;
 static char *canonical_host_ip = NULL;
 /* Returns 1 if remote host is connected via socket, 0 if not. */
 int
 peer_connection_is_on_socket()
 {
 	struct sockaddr_in from;
 	int fromlen;
 	int in = packet_get_connection_in();
 	int out = packet_get_connection_out();
 	/* filedescriptors in and out are the same, so it's a socket */
 	if (in == out)
 		return 1;
 	fromlen = sizeof(from);
 	memset(&from, 0, sizeof(from));
 	if (getpeername(in, (struct sockaddr *) & from, &fromlen) < 0)
 		return 0;
 	if (from.sin_family != AF_INET && from.sin_family != AF_INET6)
 		return 0;
 	return 1;
 }
 /*
 * Return the canonical name of the host in the other side of the current
 * connection.  The host name is cached, so it is efficient to call this
@ -157,7 +179,7 @@ get_canonical_hostname()
 		return canonical_host_name;
 	/* Get the real hostname if socket; otherwise return UNKNOWN. */
-	if (packet_get_connection_in() == packet_get_connection_out())
+	if (peer_connection_is_on_socket())
 		canonical_host_name = get_remote_hostname(packet_get_connection_in());
 	else
 		canonical_host_name = xstrdup("UNKNOWN");
@ -181,7 +203,7 @@ get_remote_ipaddr()
 		return canonical_host_ip;
 	/* If not a socket, return UNKNOWN. */
-	if (packet_get_connection_in() != packet_get_connection_out()) {
+	if (!peer_connection_is_on_socket()) {
 		canonical_host_ip = xstrdup("UNKNOWN");
 		return canonical_host_ip;
 	}
@ -232,7 +254,7 @@ get_remote_port()
 	 * If the connection is not a socket, return 65535.  This is
 	 * intentionally chosen to be an unprivileged port number.
 	 */
-	if (packet_get_connection_in() != packet_get_connection_out())
+	if (!peer_connection_is_on_socket())
 		return 65535;
 	/* Get client socket. */
--- a/channels.c
+++ b/channels.c
@ -16,7 +16,7 @@
 */
 #include "includes.h"
-RCSID("$Id: channels.c,v 1.11 1999/12/07 05:47:28 damien Exp $");
+RCSID("$Id: channels.c,v 1.12 1999/12/13 23:47:15 damien Exp $");
 #include "ssh.h"
 #include "packet.h"
@ -877,11 +877,10 @@ channel_open_message()
 void 
 channel_request_local_forwarding(u_short port, const char *host,
-				 u_short host_port)
+				 u_short host_port, int gateway_ports)
 {
 	int ch, sock, on = 1;
 	struct sockaddr_in sin;
 	extern Options options;
 	struct linger linger;
 	if (strlen(host) > sizeof(channels[0].path) - 1)
@ -895,7 +894,7 @@ channel_request_local_forwarding(u_short port, const char *host,
 	/* Initialize socket address. */
 	memset(&sin, 0, sizeof(sin));
 	sin.sin_family = AF_INET;
-	if (options.gateway_ports == 1)
+	if (gateway_ports == 1)
 		sin.sin_addr.s_addr = htonl(INADDR_ANY);
 	else
 		sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
@ -983,9 +982,11 @@ channel_input_port_forward_request(int is_root)
 	if (port < IPPORT_RESERVED && !is_root)
 		packet_disconnect("Requested forwarding of port %d but user is not root.",
 				  port);
-
+	/*
-	/* Initiate forwarding. */
+	 * Initiate forwarding,
-	channel_request_local_forwarding(port, hostname, host_port);
+	 * bind port to localhost only (gateway ports == 0).
 	 */
 	channel_request_local_forwarding(port, hostname, host_port, 0);
 	/* Free the argument string. */
 	xfree(hostname);
@ -1116,16 +1117,15 @@ fail:
 */
 char *
-x11_create_display_inet(int screen_number)
+x11_create_display_inet(int screen_number, int x11_display_offset)
 {
 	extern ServerOptions options;
 	int display_number, sock;
 	u_short port;
 	struct sockaddr_in sin;
 	char buf[512];
 	char hostname[MAXHOSTNAMELEN];
-	for (display_number = options.x11_display_offset;
+	for (display_number = x11_display_offset;
 	     display_number < MAX_DISPLAYS;
 	     display_number++) {
 		port = 6000 + display_number;
--- a/mpaux.c
+++ b/mpaux.c
@ -15,7 +15,7 @@
 */
 #include "includes.h"
-RCSID("$Id: mpaux.c,v 1.7 1999/11/24 13:26:22 damien Exp $");
+RCSID("$Id: mpaux.c,v 1.8 1999/12/13 23:47:16 damien Exp $");
 #include "getput.h"
 #include "xmalloc.h"
@ -35,17 +35,17 @@ compute_session_id(unsigned char session_id[16],
 		   BIGNUM* host_key_n,
 		   BIGNUM* session_key_n)
 {
-	unsigned int host_key_bits = BN_num_bits(host_key_n);
+	unsigned int host_key_bytes = BN_num_bytes(host_key_n);
-	unsigned int session_key_bits = BN_num_bits(session_key_n);
+	unsigned int session_key_bytes = BN_num_bytes(session_key_n);
-	unsigned int bytes = (host_key_bits + 7) / 8 + (session_key_bits + 7) / 8 + 8;
+	unsigned int bytes = host_key_bytes + session_key_bytes;
 	unsigned char *buf = xmalloc(bytes);
 	MD5_CTX md;
 	BN_bn2bin(host_key_n, buf);
-	BN_bn2bin(session_key_n, buf + (host_key_bits + 7) / 8);
+	BN_bn2bin(session_key_n, buf + host_key_bytes);
 	memcpy(buf + (host_key_bits + 7) / 8 + (session_key_bits + 7) / 8, cookie, 8);
 	MD5_Init(&md);
 	MD5_Update(&md, buf, bytes);
 	MD5_Update(&md, cookie, 8);
 	MD5_Final(session_id, &md);
 	memset(buf, 0, bytes);
 	xfree(buf);
--- a/pty.c
+++ b/pty.c
@ -14,8 +14,9 @@
 */
 #include "includes.h"
-RCSID("$Id: pty.c,v 1.8 1999/12/08 23:16:55 damien Exp $");
+RCSID("$Id: pty.c,v 1.9 1999/12/13 23:47:16 damien Exp $");
 #include <util.h>
 #include "pty.h"
 #include "ssh.h"
@ -163,7 +164,7 @@ pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
 		*ptyfd = open(buf, O_RDWR | O_NOCTTY);
 		if (*ptyfd < 0)
 			continue;
-		snprintf(namebuf, sizeof namebuflen, "/dev/tty%c%c",
+		snprintf(namebuf, namebuflen, "/dev/tty%c%c",
 		    ptymajors[i / num_minors], ptyminors[i % num_minors]);
 		/* Open the slave side. */
--- a/ssh.1
+++ b/ssh.1
@ -9,7 +9,7 @@
 .\"
 .\" Created: Sat Apr 22 21:55:14 1995 ylo
 .\"
-.\" $Id: ssh.1,v 1.11 1999/12/06 00:47:29 damien Exp $
+.\" $Id: ssh.1,v 1.12 1999/12/13 23:47:16 damien Exp $
 .\"
 .Dd September 25, 1999
 .Dt SSH 1
@ -351,7 +351,7 @@ per-host basis in the configuration file.
 Use a non-privileged port for outgoing connections.
 This can be used if your firewall does
 not permit connections from privileged ports.
-Note that this option turns of
+Note that this option turns off
 .Cm RhostsAuthentication
 and
 .Cm RhostsRSAAuthentication .
@ -720,7 +720,7 @@ The default is
 .Dq yes .
 Note that setting this option to
 .Dq no
-turns of
+turns off
 .Cm RhostsAuthentication
 and
 .Cm RhostsRSAAuthentication .
--- a/ssh.c
+++ b/ssh.c
@ -11,7 +11,7 @@
 */
 #include "includes.h"
-RCSID("$Id: ssh.c,v 1.13 1999/12/06 00:47:29 damien Exp $");
+RCSID("$Id: ssh.c,v 1.14 1999/12/13 23:47:16 damien Exp $");
 #include "xmalloc.h"
 #include "ssh.h"
@ -732,7 +732,8 @@ main(int ac, char **av)
 		      options.local_forwards[i].host_port);
 		channel_request_local_forwarding(options.local_forwards[i].port,
 					  	 options.local_forwards[i].host,
-						 options.local_forwards[i].host_port);
+						 options.local_forwards[i].host_port,
 						 options.gateway_ports);
 	}
 	/* Initiate remote TCP/IP port forwardings. */
--- a/ssh.h
+++ b/ssh.h
@ -13,7 +13,7 @@
 * 
 */
-/* RCSID("$Id: ssh.h,v 1.19 1999/12/07 04:38:32 damien Exp $"); */
+/* RCSID("$Id: ssh.h,v 1.20 1999/12/13 23:47:16 damien Exp $"); */
 #ifndef SSH_H
 #define SSH_H
@ -589,7 +589,7 @@ char   *channel_open_message(void);
 */
 void 
 channel_request_local_forwarding(u_short port, const char *host,
-    u_short remote_port);
+    u_short remote_port, int gateway_ports);
 /*
 * Initiate forwarding of connections to port "port" on remote host through
@ -633,7 +633,7 @@ char   *x11_create_display(int screen);
 * Returns a suitable value for the DISPLAY variable, or NULL if an error
 * occurs.
 */
-char   *x11_create_display_inet(int screen);
+char   *x11_create_display_inet(int screen, int x11_display_offset);
 /*
 * This is called when SSH_SMSG_X11_OPEN is received.  The packet contains
--- a/sshconnect.c
+++ b/sshconnect.c
@ -8,7 +8,7 @@
 */
 #include "includes.h"
-RCSID("$Id: sshconnect.c,v 1.17 1999/12/07 04:38:32 damien Exp $");
+RCSID("$Id: sshconnect.c,v 1.18 1999/12/13 23:47:16 damien Exp $");
 #ifdef HAVE_OPENSSL
 #include <openssl/bn.h>
@ -156,8 +156,10 @@ ssh_create_socket(uid_t original_real_uid, int privileged)
 			fatal("rresvport: %.100s", strerror(errno));
 		debug("Allocated local port %d.", p);
 	} else {
-		/* Just create an ordinary socket on arbitrary port.  We
+		/*
-		   use the user's uid to create the socket. */
+		 * Just create an ordinary socket on arbitrary port.  We use
 		 * the user's uid to create the socket.
 		 */
 		temporarily_use_uid(original_real_uid);
 		sock = socket(AF_INET, SOCK_STREAM, 0);
 		if (sock < 0)
@ -209,9 +211,11 @@ ssh_connect(const char *host, struct sockaddr_in * hostaddr,
 	/* No host lookup made yet. */
 	hp = NULL;
-	/* Try to connect several times.  On some machines, the first time
+	/*
-	   will sometimes fail.  In general socket code appears to behave
+	 * Try to connect several times.  On some machines, the first time
-	   quite magically on many machines. */
+	 * will sometimes fail.  In general socket code appears to behave
 	 * quite magically on many machines.
 	 */
 	for (attempt = 0; attempt < connection_attempts; attempt++) {
 		if (attempt > 0)
 			debug("Trying again...");
@ -1087,39 +1091,21 @@ read_yes_or_no(const char *prompt, int defval)
 }
 /*
- * Starts a dialog with the server, and authenticates the current user on the
+ * check whether the supplied host key is valid, return only if ok.
 * server.  This does not need any extra privileges.  The basic connection
 * to the server must already have been established before this is called.
 * User is the remote user; if it is NULL, the current local user name will
 * be used.  Anonymous indicates that no rhosts authentication will be used.
 * If login fails, this function prints an error and never returns.
 * This function does not require super-user privileges.
 */
 void
-ssh_login(int host_key_valid,
+check_host_key(char *host,
-	  RSA *own_host_key,
+    struct sockaddr_in *hostaddr,
-	  const char *orighost,
+    RSA *host_key)
 	  struct sockaddr_in *hostaddr,
 	  uid_t original_real_uid)
 {
-	int i, type;
+	RSA *file_key;
-	struct passwd *pw;
+	char *ip = NULL;
 	BIGNUM *key;
 	RSA *host_key, *file_key;
 	RSA *public_key;
 	int bits, rbits;
 	unsigned char session_key[SSH_SESSION_KEY_LENGTH];
 	const char *server_user, *local_user;
 	char *cp, *host, *ip = NULL;
 	char hostline[1000], *hostp;
 	unsigned char check_bytes[8];
 	unsigned int supported_ciphers, supported_authentications, protocol_flags;
 	HostStatus host_status;
 	HostStatus ip_status;
 	int host_ip_differ = 0;
 	int local = (ntohl(hostaddr->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
 	int payload_len, clen, sum_len = 0;
 	u_int32_t rand = 0;
 	/*
 	 * Turn off check_host_ip for proxy connects, since
@ -1131,88 +1117,14 @@ ssh_login(int host_key_valid,
 	if (options.check_host_ip)
 		ip = xstrdup(inet_ntoa(hostaddr->sin_addr));
-	/* Convert the user-supplied hostname into all lowercase. */
+	/*
-	host = xstrdup(orighost);
+	 * Store the host key from the known host file in here so that we can
-	for (cp = host; *cp; cp++)
+	 * compare it with the key for the IP address.
-		if (isupper(*cp))
+	 */
 			*cp = tolower(*cp);
 	/* Exchange protocol version identification strings with the server. */
 	ssh_exchange_identification();
 	/* Put the connection into non-blocking mode. */
 	packet_set_nonblocking();
 	/* Get local user name.  Use it as server user if no user name was given. */
 	pw = getpwuid(original_real_uid);
 	if (!pw)
 		fatal("User id %d not found from user database.", original_real_uid);
 	local_user = xstrdup(pw->pw_name);
 	server_user = options.user ? options.user : local_user;
 	debug("Waiting for server public key.");
 	/* Wait for a public key packet from the server. */
 	packet_read_expect(&payload_len, SSH_SMSG_PUBLIC_KEY);
 	/* Get check bytes from the packet. */
 	for (i = 0; i < 8; i++)
 		check_bytes[i] = packet_get_char();
 	/* Get the public key. */
 	public_key = RSA_new();
 	bits = packet_get_int();/* bits */
 	public_key->e = BN_new();
 	packet_get_bignum(public_key->e, &clen);
 	sum_len += clen;
 	public_key->n = BN_new();
 	packet_get_bignum(public_key->n, &clen);
 	sum_len += clen;
 	rbits = BN_num_bits(public_key->n);
 	if (bits != rbits) {
 		log("Warning: Server lies about size of server public key: "
 		    "actual size is %d bits vs. announced %d.", rbits, bits);
 		log("Warning: This may be due to an old implementation of ssh.");
 	}
 	/* Get the host key. */
 	host_key = RSA_new();
 	bits = packet_get_int();/* bits */
 	host_key->e = BN_new();
 	packet_get_bignum(host_key->e, &clen);
 	sum_len += clen;
 	host_key->n = BN_new();
 	packet_get_bignum(host_key->n, &clen);
 	sum_len += clen;
 	rbits = BN_num_bits(host_key->n);
 	if (bits != rbits) {
 		log("Warning: Server lies about size of server host key: "
 		    "actual size is %d bits vs. announced %d.", rbits, bits);
 		log("Warning: This may be due to an old implementation of ssh.");
 	}
 	/* Store the host key from the known host file in here so that we
 	   can compare it with the key for the IP address. */
 	file_key = RSA_new();
 	file_key->n = BN_new();
 	file_key->e = BN_new();
 	/* Get protocol flags. */
 	protocol_flags = packet_get_int();
 	packet_set_protocol_flags(protocol_flags);
 	supported_ciphers = packet_get_int();
 	supported_authentications = packet_get_int();
 	debug("Received server public key (%d bits) and host key (%d bits).",
 	      BN_num_bits(public_key->n), BN_num_bits(host_key->n));
 	packet_integrity_check(payload_len,
 			       8 + 4 + sum_len + 0 + 4 + 0 + 0 + 4 + 4 + 4,
 			       SSH_SMSG_PUBLIC_KEY);
 	compute_session_id(session_id, check_bytes, host_key->n, public_key->n);
 	/*
 	 * Check if the host key is present in the user\'s list of known
 	 * hosts or in the systemwide list.
@ -1372,9 +1284,121 @@ ssh_login(int host_key_valid,
 		 */
 		break;
 	}
 	if (options.check_host_ip)
 		xfree(ip);
 }
 /*
 * Starts a dialog with the server, and authenticates the current user on the
 * server.  This does not need any extra privileges.  The basic connection
 * to the server must already have been established before this is called.
 * User is the remote user; if it is NULL, the current local user name will
 * be used.  Anonymous indicates that no rhosts authentication will be used.
 * If login fails, this function prints an error and never returns.
 * This function does not require super-user privileges.
 */
 void
 ssh_login(int host_key_valid,
 	  RSA *own_host_key,
 	  const char *orighost,
 	  struct sockaddr_in *hostaddr,
 	  uid_t original_real_uid)
 {
 	int i, type;
 	struct passwd *pw;
 	BIGNUM *key;
 	RSA *host_key;
 	RSA *public_key;
 	int bits, rbits;
 	unsigned char session_key[SSH_SESSION_KEY_LENGTH];
 	const char *server_user, *local_user;
 	char *host, *cp;
 	unsigned char check_bytes[8];
 	unsigned int supported_ciphers, supported_authentications;
 	unsigned int server_flags, client_flags;
 	int payload_len, clen, sum_len = 0;
 	u_int32_t rand = 0;
 	/* Convert the user-supplied hostname into all lowercase. */
 	host = xstrdup(orighost);
 	for (cp = host; *cp; cp++)
 		if (isupper(*cp))
 			*cp = tolower(*cp);
 	/* Exchange protocol version identification strings with the server. */
 	ssh_exchange_identification();
 	/* Put the connection into non-blocking mode. */
 	packet_set_nonblocking();
 	/* Get local user name.  Use it as server user if no user name was given. */
 	pw = getpwuid(original_real_uid);
 	if (!pw)
 		fatal("User id %d not found from user database.", original_real_uid);
 	local_user = xstrdup(pw->pw_name);
 	server_user = options.user ? options.user : local_user;
 	debug("Waiting for server public key.");
 	/* Wait for a public key packet from the server. */
 	packet_read_expect(&payload_len, SSH_SMSG_PUBLIC_KEY);
 	/* Get check bytes from the packet. */
 	for (i = 0; i < 8; i++)
 		check_bytes[i] = packet_get_char();
 	/* Get the public key. */
 	public_key = RSA_new();
 	bits = packet_get_int();/* bits */
 	public_key->e = BN_new();
 	packet_get_bignum(public_key->e, &clen);
 	sum_len += clen;
 	public_key->n = BN_new();
 	packet_get_bignum(public_key->n, &clen);
 	sum_len += clen;
 	rbits = BN_num_bits(public_key->n);
 	if (bits != rbits) {
 		log("Warning: Server lies about size of server public key: "
 		    "actual size is %d bits vs. announced %d.", rbits, bits);
 		log("Warning: This may be due to an old implementation of ssh.");
 	}
 	/* Get the host key. */
 	host_key = RSA_new();
 	bits = packet_get_int();/* bits */
 	host_key->e = BN_new();
 	packet_get_bignum(host_key->e, &clen);
 	sum_len += clen;
 	host_key->n = BN_new();
 	packet_get_bignum(host_key->n, &clen);
 	sum_len += clen;
 	rbits = BN_num_bits(host_key->n);
 	if (bits != rbits) {
 		log("Warning: Server lies about size of server host key: "
 		    "actual size is %d bits vs. announced %d.", rbits, bits);
 		log("Warning: This may be due to an old implementation of ssh.");
 	}
 	/* Get protocol flags. */
 	server_flags = packet_get_int();
 	packet_set_protocol_flags(server_flags);
 	supported_ciphers = packet_get_int();
 	supported_authentications = packet_get_int();
 	debug("Received server public key (%d bits) and host key (%d bits).",
 	      BN_num_bits(public_key->n), BN_num_bits(host_key->n));
 	packet_integrity_check(payload_len,
 			       8 + 4 + sum_len + 0 + 4 + 0 + 0 + 4 + 4 + 4,
 			       SSH_SMSG_PUBLIC_KEY);
 	check_host_key(host, hostaddr, host_key);
 	client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN;
 	compute_session_id(session_id, check_bytes, host_key->n, public_key->n);
 	/* Generate a session key. */
 	arc4random_stir();
@ -1465,7 +1489,7 @@ ssh_login(int host_key_valid,
 	packet_put_bignum(key);
 	/* Send protocol flags. */
-	packet_put_int(SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN);
+	packet_put_int(client_flags);
 	/* Send the packet now. */
 	packet_send();
--- a/sshd.c
+++ b/sshd.c
@ -11,7 +11,7 @@
 */
 #include "includes.h"
-RCSID("$Id: sshd.c,v 1.37 1999/12/08 23:31:37 damien Exp $");
+RCSID("$Id: sshd.c,v 1.38 1999/12/13 23:47:16 damien Exp $");
 #include <poll.h>
@ -960,7 +960,7 @@ do_connection()
 	unsigned char check_bytes[8];
 	char *user;
 	unsigned int cipher_type, auth_mask, protocol_flags;
-	int plen, slen;
+	int plen, slen, ulen;
 	u_int32_t rand = 0;
 	/*
@ -1139,11 +1139,8 @@ do_connection()
 	packet_read_expect(&plen, SSH_CMSG_USER);
 	/* Get the user name. */
-	{
+	user = packet_get_string(&ulen);
-		int ulen;
+	packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);
 		user = packet_get_string(&ulen);
 		packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);
 	}
 	/* Destroy the private and public keys.  They will no longer be needed. */
 	RSA_free(public_key);
@ -1646,15 +1643,22 @@ do_fake_authloop(char *user)
 #ifdef SKEY
 		int dlen;
 		char *password, *skeyinfo;
-		if (options.password_authentication &&
+		/* Try to send a fake s/key challenge. */
-		    options.skey_authentication == 1 &&
+		if (options.skey_authentication == 1 &&
 		    type == SSH_CMSG_AUTH_PASSWORD &&
 		    (password = packet_get_string(&dlen)) != NULL &&
 		    dlen == 5 &&
 		    strncasecmp(password, "s/key", 5) == 0 &&
 		    (skeyinfo = skey_fake_keyinfo(user)) != NULL) {
-			/* Send a fake s/key challenge. */
+			if (type == SSH_CMSG_AUTH_TIS) {
-			packet_send_debug(skeyinfo);
+				packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
 				packet_put_string(skeyinfo, strlen(skeyinfo));
 				packet_send();
 				packet_write_wait();
 				continue;
 			} else if (type == SSH_CMSG_AUTH_PASSWORD &&
 			           options.password_authentication &&
 			           (password = packet_get_string(&dlen)) != NULL &&
 			           dlen == 5 &&
 			           strncasecmp(password, "s/key", 5) == 0 ) {
 				packet_send_debug(skeyinfo);
 			}
 		}
 #endif
 		if (attempt > AUTH_FAIL_MAX)
@ -1836,7 +1840,7 @@ do_authenticated(struct passwd * pw)
 				screen = packet_get_int();
 			else
 				screen = 0;
-			display = x11_create_display_inet(screen);
+			display = x11_create_display_inet(screen, options.x11_display_offset);
 			if (!display)
 				goto fail;
--- a/version.h
+++ b/version.h
@ -1 +1 @@
-#define SSH_VERSION	"OpenSSH-1.2"
+#define SSH_VERSION	"OpenSSH-1.2.1"
`@ -1 +1 @@`
	`#define SSH_VERSION "OpenSSH-1.2"`	`#define SSH_VERSION "OpenSSH-1.2.1"`