20001203

- (bal) OpenBSD CVS updates: - markus@cvs.openbsd.org 2000/11/30 22:54:31 [channels.c] debug->warn if tried to do -R style fwd w/o client requesting this; ok neils@ - markus@cvs.openbsd.org 2000/11/29 20:39:17 [cipher.c] des_cbc_encrypt -> des_ncbc_encrypt since it already updates the IV - markus@cvs.openbsd.org 2000/11/30 18:33:05 [ssh-agent.c] agents must not dump core, ok niels@ - markus@cvs.openbsd.org 2000/11/30 07:04:02 [ssh.1] T is for both protocols - markus@cvs.openbsd.org 2000/12/01 00:00:51 [ssh.1] typo; from green@FreeBSD.org - markus@cvs.openbsd.org 2000/11/30 07:02:35 [ssh.c] check -T before isatty() - provos@cvs.openbsd.org 2000/11/29 13:51:27 [sshconnect.c] show IP address and hostname when new key is encountered. okay markus@ - markus@cvs.openbsd.org 2000/11/30 22:53:35 [sshconnect.c] disable agent/x11/port fwding if hostkey has changed; ok niels@ - marksu@cvs.openbsd.org 2000/11/29 21:11:59 [sshd.c] sshd -D, startup w/o deamon(), for monitoring scripts or inittab; from handler@sub-rosa.com and eric@urbanrange.com; ok niels@
2025-07-24 06:14:59 +02:00 · 2000-12-02 19:03:54 +00:00 · 2000-12-02 19:03:54 +00:00 · c72745afa9
commit c72745afa9
parent a15e39b05f
9 changed files with 89 additions and 46 deletions
--- a/32
+++ b/32
@ -1,3 +1,35 @@
 20001203
 - (bal) OpenBSD CVS updates:
  - markus@cvs.openbsd.org 2000/11/30 22:54:31
    [channels.c]
    debug->warn if tried to do -R style fwd w/o client requesting this; 
    ok neils@
  - markus@cvs.openbsd.org 2000/11/29 20:39:17
    [cipher.c]
    des_cbc_encrypt -> des_ncbc_encrypt since it already updates the IV
  - markus@cvs.openbsd.org 2000/11/30 18:33:05
    [ssh-agent.c]
    agents must not dump core, ok niels@
  - markus@cvs.openbsd.org 2000/11/30 07:04:02 
    [ssh.1]
    T is for both protocols
  - markus@cvs.openbsd.org 2000/12/01 00:00:51
    [ssh.1]
    typo; from green@FreeBSD.org
  - markus@cvs.openbsd.org 2000/11/30 07:02:35
    [ssh.c]
    check -T before isatty()
  - provos@cvs.openbsd.org 2000/11/29 13:51:27
    [sshconnect.c]
    show IP address and hostname when new key is encountered. okay markus@ 
  - markus@cvs.openbsd.org 2000/11/30 22:53:35
    [sshconnect.c]
    disable agent/x11/port fwding if hostkey has changed; ok niels@
  - marksu@cvs.openbsd.org 2000/11/29 21:11:59
    [sshd.c]
    sshd -D, startup w/o deamon(), for monitoring scripts or inittab;
    from handler@sub-rosa.com and eric@urbanrange.com; ok niels@
 20001202
 - (bal) Backed out of part of Alain St-Denis' loginrec.c patch.
 - (bal) Irix need some sort of mansubdir, patch by Michael Stone 
--- a/2
+++ b/2
@ -2,6 +2,8 @@ Programming:
 - Replacement for setproctitle() - HP/UX support only currently
 - Improve PAM support (a pam_lastlog module will cause sshd to exit)
  and maybe support alternate forms of authenications like OPIE via
  pam?
 - Complete Tru64 SIA support
--- a/channels.c
+++ b/channels.c
@ -40,7 +40,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.73 2000/11/06 23:04:55 markus Exp $");
+RCSID("$OpenBSD: channels.c,v 1.74 2000/11/30 22:54:31 markus Exp $");
 #include "ssh.h"
 #include "packet.h"
@ -1729,7 +1729,8 @@ channel_connect_by_listen_adress(u_short listen_port)
 			return channel_connect_to(
 			    permitted_opens[i].host_to_connect,
 			    permitted_opens[i].port_to_connect);
-	debug("channel_connect_by_listen_adress: unknown listen_port %d", listen_port);
+	error("WARNING: Server requests forwarding for unknown listen_port %d",
 	    listen_port);
 	return -1;
 }
--- a/cipher.c
+++ b/cipher.c
@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: cipher.c,v 1.37 2000/10/23 19:31:54 markus Exp $");
+RCSID("$OpenBSD: cipher.c,v 1.38 2000/11/29 20:39:17 markus Exp $");
 #include "ssh.h"
 #include "xmalloc.h"
@ -154,14 +154,9 @@ des3_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src,
 	memcpy(&iv1, iv2, 8);
-	des_cbc_encrypt(src, dest, len, cc->u.des3.key1, &iv1, DES_ENCRYPT);
+	des_ncbc_encrypt(src,  dest, len, cc->u.des3.key1, &iv1, DES_ENCRYPT);
-	memcpy(&iv1, dest + len - 8, 8);
+	des_ncbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_DECRYPT);
-
+	des_ncbc_encrypt(dest, dest, len, cc->u.des3.key3, iv3, DES_ENCRYPT);
 	des_cbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_DECRYPT);
 	memcpy(iv2, &iv1, 8);	/* Note how iv1 == iv2 on entry and exit. */
 	des_cbc_encrypt(dest, dest, len, cc->u.des3.key3, iv3, DES_ENCRYPT);
 	memcpy(iv3, dest + len - 8, 8);
 }
 void
 des3_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src,
@ -173,15 +168,9 @@ des3_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src,
 	memcpy(&iv1, iv2, 8);
-	des_cbc_encrypt(src, dest, len, cc->u.des3.key3, iv3, DES_DECRYPT);
+	des_ncbc_encrypt(src,  dest, len, cc->u.des3.key3, iv3, DES_DECRYPT);
-	memcpy(iv3, src + len - 8, 8);
+	des_ncbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_ENCRYPT);
-
+	des_ncbc_encrypt(dest, dest, len, cc->u.des3.key1, &iv1, DES_DECRYPT);
 	des_cbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_ENCRYPT);
 	memcpy(iv2, dest + len - 8, 8);
 	des_cbc_encrypt(dest, dest, len, cc->u.des3.key1, &iv1, DES_DECRYPT);
 	/* memcpy(&iv1, iv2, 8); */
 	/* Note how iv1 == iv2 on entry and exit. */
 }
 /* Blowfish */
--- a/ssh-agent.c
+++ b/ssh-agent.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: ssh-agent.c,v 1.40 2000/11/14 23:48:55 markus Exp $	*/
+/*	$OpenBSD: ssh-agent.c,v 1.41 2000/11/30 18:33:05 markus Exp $	*/
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -37,7 +37,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.40 2000/11/14 23:48:55 markus Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.41 2000/11/30 18:33:05 markus Exp $");
 #include "ssh.h"
 #include "rsa.h"
@ -674,6 +674,7 @@ main(int ac, char **av)
 	fd_set readset, writeset;
 	int sock, c_flag = 0, k_flag = 0, s_flag = 0, ch;
 	struct sockaddr_un sunaddr;
 	struct rlimit rlim;
 	pid_t pid;
 	char *shell, *format, *pidstr, pidstrbuf[1 + 3 * sizeof pid];
 	extern int optind;
@ -804,6 +805,12 @@ main(int ac, char **av)
 	close(1);
 	close(2);
 	/* deny core dumps, since memory contains unencrypted private keys */
 	rlim.rlim_cur = rlim.rlim_max = 0;
 	if (setrlimit(RLIMIT_CORE, &rlim) < 0) {
 		perror("setrlimit rlimit_core failed");
 		cleanup_exit(1);
 	}
 	if (setsid() == -1) {
 		perror("setsid");
 		cleanup_exit(1);
--- a/ssh.1
+++ b/ssh.1
@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.68 2000/11/12 19:50:38 markus Exp $
+.\" $OpenBSD: ssh.1,v 1.70 2000/12/01 00:00:51 markus Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@ -446,7 +446,7 @@ needs to ask for a password or passphrase; see also the
 option.)
 .It Fl N
 Do not execute a remote command.
-This is usefull if you just want to forward ports
+This is useful if you just want to forward ports
 (protocol version 2 only).
 .It Fl o Ar option
 Can be used to give options in the format used in the config file.
@ -475,7 +475,7 @@ This can be used to execute arbitrary
 screen-based programs on a remote machine, which can be very useful,
 e.g., when implementing menu services.
 .It Fl T
-Disable pseudo-tty allocation (protocol version 2 only).
+Disable pseudo-tty allocation.
 .It Fl v
 Verbose mode.
 Causes
@ -1236,7 +1236,7 @@ This version of OpenSSH
 .Bl -bullet
 .It
 has all components of a restrictive nature (i.e., patents, see
-.Xr crypto 3 )
+.Xr ssl 8 )
 directly removed from the source code; any licensed or patented components
 are chosen from
 external libraries.
@ -1265,4 +1265,4 @@ The support for SSH protocol 2 was written by Markus Friedl.
 .Xr ssh-keygen 1 ,
 .Xr telnet 1 ,
 .Xr sshd 8 ,
-.Xr crypto 3
+.Xr ssl 8
--- a/ssh.c
+++ b/ssh.c
@ -39,7 +39,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.74 2000/11/23 21:03:47 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.75 2000/11/30 07:02:35 markus Exp $");
 #include <openssl/evp.h>
 #include <openssl/dsa.h>
@ -526,15 +526,15 @@ main(int ac, char **av)
 	if (buffer_len(&command) == 0)
 		tty_flag = 1;
 	/* Force no tty*/
 	if (no_tty_flag)
 		tty_flag = 0;
 	/* Do not allocate a tty if stdin is not a tty. */
 	if (!isatty(fileno(stdin))) {
 		if (tty_flag)
 			fprintf(stderr, "Pseudo-terminal will not be allocated because stdin is not a terminal.\n");
 		tty_flag = 0;
 	}
 	/* force */
 	if (no_tty_flag)
 		tty_flag = 0;
 	/* Get user data. */
 	pw = getpwuid(original_real_uid);
--- a/sshconnect.c
+++ b/sshconnect.c
@ -13,7 +13,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.81 2000/11/06 23:16:35 markus Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.83 2000/11/30 22:53:35 markus Exp $");
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
@ -508,13 +508,11 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
 	if (options.proxy_command != NULL && options.check_host_ip)
 		options.check_host_ip = 0;
-	if (options.check_host_ip) {
+  	if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop),
-		if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop),
+  			NULL, 0, NI_NUMERICHOST) != 0)
-		    NULL, 0, NI_NUMERICHOST) != 0)
+  		fatal("check_host_key: getnameinfo failed");
-			fatal("check_host_key: getnameinfo failed");
+  	ip = xstrdup(ntop);
-		ip = xstrdup(ntop);
+  
 	}
 	/*
 	 * Store the host key from the known host file in here so that we can
 	 * compare it with the key for the IP address.
@ -577,10 +575,10 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
 			char prompt[1024];
 			char *fp = key_fingerprint(host_key);
 			snprintf(prompt, sizeof(prompt),
-			    "The authenticity of host '%.200s' can't be established.\n"
+			    "The authenticity of host '%.200s (%s)' can't be established.\n"
 			    "%s key fingerprint is %s.\n"
 			    "Are you sure you want to continue connecting (yes/no)? ",
-			    host, type, fp);
+			    host, ip, type, fp);
 			if (!read_yes_or_no(prompt, -1))
 				fatal("Aborted by user!\n");
 		}
@ -647,6 +645,14 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
 			error("Agent forwarding is disabled to avoid trojan horses.");
 			options.forward_agent = 0;
 		}
 		if (options.forward_x11) {
 			error("X11 forwarding is disabled to avoid trojan horses.");
 			options.forward_x11 = 0;
 		}
 	        if (options.num_local_forwards > 0 || options.num_remote_forwards > 0) {
 			error("Port forwarding is disabled to avoid trojan horses.");
 			options.num_local_forwards = options.num_remote_forwards = 0;
 		}
 		/*
 		 * XXX Should permit the user to change to use the new id.
 		 * This could be done by converting the host key to an
@ -656,8 +662,8 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
 		 */
 		break;
 	}
-	if (options.check_host_ip)
+
-		xfree(ip);
+	xfree(ip);
 }
 /*
--- a/sshd.c
+++ b/sshd.c
@ -40,7 +40,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.134 2000/11/12 19:50:38 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.135 2000/11/29 21:11:59 markus Exp $");
 #include "xmalloc.h"
 #include "rsa.h"
@ -111,6 +111,9 @@ int debug_flag = 0;
 /* Flag indicating that the daemon is being started from inetd. */
 int inetd_flag = 0;
 /* Flag indicating that sshd should not detach and become a daemon. */
 int no_daemon_flag = 0;
 /* debug goes to stderr unless inetd_flag is set */
 int log_stderr = 0;
@ -583,7 +586,7 @@ main(int ac, char **av)
 	initialize_server_options(&options);
 	/* Parse command-line arguments. */
-	while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:u:diqQ46")) != EOF) {
+	while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:u:dDiqQ46")) != EOF) {
 		switch (opt) {
 		case '4':
 			IPv4or6 = AF_INET;
@ -605,6 +608,9 @@ main(int ac, char **av)
 				exit(1);
 			}
 			break;
 		case 'D':
 			no_daemon_flag = 1;
 			break;
 		case 'i':
 			inetd_flag = 1;
 			break;
@ -769,7 +775,7 @@ main(int ac, char **av)
 	 * from the controlling terminal, and fork.  The original process
 	 * exits.
 	 */
-	if (!debug_flag && !inetd_flag) {
+	if (!(debug_flag || inetd_flag || no_daemon_flag)) {
 #ifdef TIOCNOTTY
 		int fd;
 #endif /* TIOCNOTTY */