- (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III

<tibbs@math.uh.edu>
 - (djm) OpenBSD CVS updates:
  - todd@cvs.openbsd.org
    [sshconnect2.c]
    teach protocol v2 to count login failures properly and also enable an
    explanation of why the password prompt comes up again like v1; this is NOT
    crypto
  - markus@cvs.openbsd.org
    [readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8]
    xauth_location support; pr 1234
    [readconf.c sshconnect2.c]
    typo, unused
    [session.c]
    allow use_login only for login sessions, otherwise remote commands are
    execed with uid==0
    [sshd.8]
    document UseLogin better
    [version.h]
    OpenSSH 2.1.1
    [auth-rsa.c]
    fix match_hostname() logic for auth-rsa: deny access if we have a
    negative match or no match at all
    [channels.c hostfile.c match.c]
    don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via
    kris@FreeBSD.org

ChangeLog

@@ -1,3 +1,31 @@
+20000606
+ - (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III 
+   <tibbs@math.uh.edu>
+ - (djm) OpenBSD CVS updates:
+  - todd@cvs.openbsd.org
+    [sshconnect2.c]
+    teach protocol v2 to count login failures properly and also enable an
+    explanation of why the password prompt comes up again like v1; this is NOT
+    crypto
+  - markus@cvs.openbsd.org  
+    [readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8]
+    xauth_location support; pr 1234
+    [readconf.c sshconnect2.c]
+    typo, unused
+    [session.c]
+    allow use_login only for login sessions, otherwise remote commands are
+    execed with uid==0
+    [sshd.8]
+    document UseLogin better
+    [version.h]
+    OpenSSH 2.1.1
+    [auth-rsa.c]
+    fix match_hostname() logic for auth-rsa: deny access if we have a 
+    negative match or no match at all
+    [channels.c hostfile.c match.c]
+    don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via 
+    kris@FreeBSD.org
+
 20000606
  - (djm) Added --with-cflags, --with-ldflags and --with-libs options to 
    configure.

auth-rsa.c

@@ -16,7 +16,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: auth-rsa.c,v 1.19 2000/04/30 00:00:53 damien Exp $");
+RCSID("$Id: auth-rsa.c,v 1.20 2000/06/07 09:55:44 djm Exp $");
 
 #include "rsa.h"
 #include "packet.h"
@@ -133,6 +133,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 	unsigned long linenum = 0;
 	struct stat st;
 	RSA *pk;
+	int mname, mip;
 
 	/* Temporarily use the user's uid. */
 	temporarily_use_uid(pw->pw_uid);
@@ -390,10 +391,17 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 					}
 					patterns[i] = 0;
 					options++;
-					if (!match_hostname(get_canonical_hostname(), patterns,
-						     strlen(patterns)) &&
-					    !match_hostname(get_remote_ipaddr(), patterns,
-						     strlen(patterns))) {
+					/*
+					 * Deny access if we get a negative
+					 * match for the hostname or the ip
+					 * or if we get not match at all
+					 */
+					mname = match_hostname(get_canonical_hostname(),
+					    patterns, strlen(patterns));
+					mip = match_hostname(get_remote_ipaddr(),
+					    patterns, strlen(patterns));
+					if (mname == -1 || mip == -1 ||
+					    (mname != 1 && mip != 1)) {
 						log("RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
 						    pw->pw_name, get_canonical_hostname(),
 						    get_remote_ipaddr());

channels.c

@@ -17,7 +17,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: channels.c,v 1.31 2000/05/17 12:34:23 damien Exp $");
+RCSID("$Id: channels.c,v 1.32 2000/06/07 09:55:44 djm Exp $");
 
 #include "ssh.h"
 #include "packet.h"
@@ -2113,11 +2113,11 @@ cleanup_socket(void)
 }
 
 /*
- * This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
+ * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
  * This starts forwarding authentication requests.
  */
 
-void
+int
 auth_input_request_forwarding(struct passwd * pw)
 {
 	int sock, newch;
@@ -2135,8 +2135,16 @@ auth_input_request_forwarding(struct passwd * pw)
 	strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
 
 	/* Create private directory for socket */
-	if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL)
-		packet_disconnect("mkdtemp: %.100s", strerror(errno));
+	if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) {
+		packet_send_debug("Agent forwarding disabled: mkdtemp() failed: %.100s",
+		    strerror(errno));
+		restore_uid();
+		xfree(channel_forwarded_auth_socket_name);
+		xfree(channel_forwarded_auth_socket_dir);
+		channel_forwarded_auth_socket_name = NULL;
+		channel_forwarded_auth_socket_dir = NULL;
+		return 0;
+	}
 	snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
 		 channel_forwarded_auth_socket_dir, (int) getpid());
 
@@ -2171,6 +2179,7 @@ auth_input_request_forwarding(struct passwd * pw)
 				 xstrdup("auth socket"));
 	strlcpy(channels[newch].path, channel_forwarded_auth_socket_name,
 	    sizeof(channels[newch].path));
+	return 1;
 }
 
 /* This is called to process an SSH_SMSG_AGENT_OPEN message. */

channels.h

@@ -1,4 +1,4 @@
-/* RCSID("$Id: channels.h,v 1.9 2000/05/07 02:03:15 damien Exp $"); */
+/* RCSID("$Id: channels.h,v 1.10 2000/06/07 09:55:44 djm Exp $"); */
 
 #ifndef CHANNELS_H
 #define CHANNELS_H
@@ -222,10 +222,10 @@ void    auth_request_forwarding(void);
 char   *auth_get_socket_name(void);
 
 /*
- * This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
+ * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
  * This starts forwarding authentication requests.
  */
-void    auth_input_request_forwarding(struct passwd * pw);
+int     auth_input_request_forwarding(struct passwd * pw);
 
 /* This is called to process an SSH_SMSG_AGENT_OPEN message. */
 void    auth_input_open_request(int type, int plen);

contrib/redhat/openssh.spec

@@ -152,7 +152,8 @@ This package contains the GNOME passphrase dialog.
 
 CFLAGS="$RPM_OPT_FLAGS" \
 	./configure --prefix=/usr --sysconfdir=/etc/ssh \
-               --with-tcp-wrappers --with-ipv4-default
+               --with-tcp-wrappers --with-ipv4-default \
+					--with-rsh=/usr/bin/rsh
 
 make
 

hostfile.c

@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: hostfile.c,v 1.18 2000/04/29 18:11:52 markus Exp $");
+RCSID("$OpenBSD: hostfile.c,v 1.19 2000/06/06 19:32:13 markus Exp $");
 
 #include "packet.h"
 #include "match.h"
@@ -129,7 +129,7 @@ check_host_in_hostfile(const char *filename, const char *host, Key *key, Key *fo
 			;
 
 		/* Check if the host name matches. */
-		if (!match_hostname(host, cp, (unsigned int) (cp2 - cp)))
+		if (match_hostname(host, cp, (unsigned int) (cp2 - cp)) != 1)
 			continue;
 
 		/* Got a match.  Skip host name. */

match.c

@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: match.c,v 1.5 2000/04/16 01:18:43 damien Exp $");
+RCSID("$Id: match.c,v 1.6 2000/06/07 09:55:44 djm Exp $");
 
 #include "ssh.h"
 
@@ -84,8 +84,8 @@ match_pattern(const char *s, const char *pattern)
 /*
  * Tries to match the host name (which must be in all lowercase) against the
  * comma-separated sequence of subpatterns (each possibly preceded by ! to
- * indicate negation).  Returns true if there is a positive match; zero
- * otherwise.
+ * indicate negation).  Returns -1 if negation matches, 1 if there is
+ * a positive match, 0 if there is no match at all.
  */
 
 int
@@ -127,15 +127,15 @@ match_hostname(const char *host, const char *pattern, unsigned int len)
 		/* Try to match the subpattern against the host name. */
 		if (match_pattern(host, sub)) {
 			if (negated)
-				return 0;	/* Fail */
+				return -1;		/* Negative */
 			else
-				got_positive = 1;
+				got_positive = 1;	/* Positive */
 		}
 	}
 
 	/*
 	 * Return success if got a positive match.  If there was a negative
-	 * match, we have already returned zero and never get here.
+	 * match, we have already returned -1 and never get here.
 	 */
 	return got_positive;
 }

match.h

@@ -10,8 +10,8 @@ int     match_pattern(const char *s, const char *pattern);
 /*
  * Tries to match the host name (which must be in all lowercase) against the
  * comma-separated sequence of subpatterns (each possibly preceded by ! to
- * indicate negation).  Returns true if there is a positive match; zero
- * otherwise.
+ * indicate negation).  Returns -1 if negation matches, 1 if there is
+ * a positive match, 0 if there is no match at all.
  */
 int     match_hostname(const char *host, const char *pattern, unsigned int len);
 

readconf.c

@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: readconf.c,v 1.15 2000/05/30 03:44:53 damien Exp $");
+RCSID("$Id: readconf.c,v 1.16 2000/06/07 09:55:44 djm Exp $");
 
 #include "ssh.h"
 #include "cipher.h"
@@ -92,7 +92,7 @@ typedef enum {
 	oBadOption,
 	oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
 	oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh,
-	oSkeyAuthentication,
+	oSkeyAuthentication, oXAuthLocation,
 #ifdef KRB4
 	oKerberosAuthentication,
 #endif /* KRB4 */
@@ -116,6 +116,7 @@ static struct {
 } keywords[] = {
 	{ "forwardagent", oForwardAgent },
 	{ "forwardx11", oForwardX11 },
+	{ "xauthlocation", oXAuthLocation },
 	{ "gatewayports", oGatewayPorts },
 	{ "useprivilegedport", oUsePrivilegedPort },
 	{ "rhostsauthentication", oRhostsAuthentication },
@@ -396,6 +397,10 @@ parse_flag:
 		}
 		break;
 
+	case oXAuthLocation:
+		charptr=&options->xauth_location;
+		goto parse_string;
+
 	case oUser:
 		charptr = &options->user;
 parse_string:
@@ -644,6 +649,7 @@ initialize_options(Options * options)
 	memset(options, 'X', sizeof(*options));
 	options->forward_agent = -1;
 	options->forward_x11 = -1;
+	options->xauth_location = NULL;
 	options->gateway_ports = -1;
 	options->use_privileged_port = -1;
 	options->rhosts_authentication = -1;
@@ -700,6 +706,10 @@ fill_default_options(Options * options)
 		options->forward_agent = 0;
 	if (options->forward_x11 == -1)
 		options->forward_x11 = 0;
+#ifdef XAUTH_PATH
+	if (options->xauth_location == NULL)
+		options->xauth_location = XAUTH_PATH;
+#endif /* XAUTH_PATH */
 	if (options->gateway_ports == -1)
 		options->gateway_ports = 0;
 	if (options->use_privileged_port == -1)

readconf.h

@@ -13,7 +13,7 @@
  *
  */
 
-/* RCSID("$Id: readconf.h,v 1.11 2000/05/09 01:03:01 damien Exp $"); */
+/* RCSID("$Id: readconf.h,v 1.12 2000/06/07 09:55:44 djm Exp $"); */
 
 #ifndef READCONF_H
 #define READCONF_H
@@ -30,6 +30,7 @@ typedef struct {
 typedef struct {
 	int     forward_agent;	/* Forward authentication agent. */
 	int     forward_x11;	/* Forward X11 display. */
+	char   *xauth_location;	/* Location for xauth program */
 	int     gateway_ports;	/* Allow remote connects to forwarded ports. */
 	int     use_privileged_port;	/* Don't use privileged port if false. */
 	int     rhosts_authentication;	/* Try rhosts authentication. */

servconf.c

@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: servconf.c,v 1.17 2000/05/30 03:44:53 damien Exp $");
+RCSID("$Id: servconf.c,v 1.18 2000/06/07 09:55:44 djm Exp $");
 
 #include "ssh.h"
 #include "servconf.h"
@@ -44,6 +44,7 @@ initialize_server_options(ServerOptions *options)
 	options->check_mail = -1;
 	options->x11_forwarding = -1;
 	options->x11_display_offset = -1;
+	options->xauth_location = NULL;
 	options->strict_modes = -1;
 	options->keepalives = -1;
 	options->log_facility = (SyslogFacility) - 1;
@@ -109,6 +110,10 @@ fill_default_server_options(ServerOptions *options)
 		options->x11_forwarding = 0;
 	if (options->x11_display_offset == -1)
 		options->x11_display_offset = 10;
+#ifdef XAUTH_PATH
+	if (options->xauth_location == NULL)
+		options->xauth_location = XAUTH_PATH;
+#endif /* XAUTH_PATH */
 	if (options->strict_modes == -1)
 		options->strict_modes = 1;
 	if (options->keepalives == -1)
@@ -177,7 +182,7 @@ typedef enum {
 	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
 	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 	sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
-	sGatewayPorts, sDSAAuthentication
+	sGatewayPorts, sDSAAuthentication, sXAuthLocation
 } ServerOpCodes;
 
 /* Textual representation of the tokens. */
@@ -219,6 +224,7 @@ static struct {
 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
 	{ "x11forwarding", sX11Forwarding },
 	{ "x11displayoffset", sX11DisplayOffset },
+	{ "xauthlocation", sXAuthLocation },
 	{ "strictmodes", sStrictModes },
 	{ "permitemptypasswords", sEmptyPasswd },
 	{ "uselogin", sUseLogin },
@@ -365,6 +371,7 @@ parse_int:
 		case sHostDSAKeyFile:
 			charptr = (opcode == sHostKeyFile ) ?
 			    &options->host_key_file : &options->host_dsa_key_file;
+parse_filename:
 			cp = strtok(NULL, WHITESPACE);
 			if (!cp) {
 				fprintf(stderr, "%s line %d: missing file name.\n",
@@ -377,15 +384,7 @@ parse_int:
 
 		case sPidFile:
 			charptr = &options->pid_file;
-			cp = strtok(NULL, WHITESPACE);
-			if (!cp) {
-				fprintf(stderr, "%s line %d: missing file name.\n",
-				    filename, linenum);
-				exit(1);
-			}
-			if (*charptr == NULL)
-				*charptr = tilde_expand_filename(cp, getuid());
-			break;
+			goto parse_filename;
 
 		case sRandomSeedFile:
 			fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
@@ -508,6 +507,10 @@ parse_flag:
 			intptr = &options->x11_display_offset;
 			goto parse_int;
 
+		case sXAuthLocation:
+			charptr = &options->xauth_location;
+			goto parse_filename;
+			
 		case sStrictModes:
 			intptr = &options->strict_modes;
 			goto parse_flag;

servconf.h

@@ -13,7 +13,7 @@
  *
  */
 
-/* RCSID("$Id: servconf.h,v 1.11 2000/05/07 02:03:18 damien Exp $"); */
+/* RCSID("$Id: servconf.h,v 1.12 2000/06/07 09:55:44 djm Exp $"); */
 
 #ifndef SERVCONF_H
 #define SERVCONF_H
@@ -47,6 +47,7 @@ typedef struct {
 	int     x11_forwarding;	/* If true, permit inet (spoofing) X11 fwd. */
 	int     x11_display_offset;	/* What DISPLAY number to start
 					 * searching at */
+	char   *xauth_location;	/* Location of xauth program */
 	int     strict_modes;	/* If true, require string home dir modes. */
 	int     keepalives;	/* If true, set SO_KEEPALIVE. */
 	char   *ciphers;	/* Ciphers in order of preference. */

session.c

@@ -812,6 +812,10 @@ do_child(const char *command, struct passwd * pw, const char *term,
 	struct stat st;
 	char *argv[10];
 
+	/* login(1) is only called if we execute the login shell */
+	if (options.use_login && command != NULL)
+		options.use_login = 0;
+
 #ifndef USE_PAM /* pam_nologin handles this */
 	f = fopen("/etc/nologin", "r");
 	if (f) {

ssh-keygen.c

@@ -7,7 +7,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: ssh-keygen.c,v 1.18 2000/05/09 01:03:02 damien Exp $");
+RCSID("$Id: ssh-keygen.c,v 1.19 2000/06/07 09:55:44 djm Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@@ -520,7 +520,7 @@ main(int ac, char **av)
 	extern int optind;
 	extern char *optarg;
 
-	OpenSSL_add_all_algorithms();
+	SSLeay_add_all_algorithms();
 
 	/* we need this for the home * directory.  */
 	pw = getpwuid(getuid());

ssh.1

@@ -9,7 +9,7 @@
 .\"
 .\" Created: Sat Apr 22 21:55:14 1995 ylo
 .\"
-.\" $Id: ssh.1,v 1.27 2000/05/30 03:44:54 damien Exp $
+.\" $Id: ssh.1,v 1.28 2000/06/07 09:55:44 djm Exp $
 .\"
 .Dd September 25, 1999
 .Dt SSH 1
@@ -940,6 +940,12 @@ The argument must be
 .Dq yes
 or
 .Dq no .
+.It Cm XAuthLocation
+Specifies the location of the
+.Xr xauth 1
+program.
+The default is
+.Pa /usr/X11R6/bin/xauth .
 .Sh ENVIRONMENT
 .Nm
 will normally set the following environment variables:

ssh.c

@@ -11,7 +11,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: ssh.c,v 1.33 2000/05/30 03:44:54 damien Exp $");
+RCSID("$Id: ssh.c,v 1.34 2000/06/07 09:55:44 djm Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/dsa.h>
@@ -438,7 +438,7 @@ main(int ac, char **av)
 	/* Initialize the command to execute on remote host. */
 	buffer_init(&command);
 
-	OpenSSL_add_all_algorithms();
+	SSLeay_add_all_algorithms();
 
 	/*
 	 * Save the command to execute on the remote host in a buffer. There
@@ -677,17 +677,17 @@ x11_get_proto(char *proto, int proto_len, char *data, int data_len)
 	FILE *f;
 	int got_data = 0, i;
 
-#ifdef XAUTH_PATH
-	/* Try to get Xauthority information for the display. */
-	snprintf(line, sizeof line, "%.100s list %.200s 2>/dev/null",
-		 XAUTH_PATH, getenv("DISPLAY"));
-	f = popen(line, "r");
-	if (f && fgets(line, sizeof(line), f) &&
-	    sscanf(line, "%*s %s %s", proto, data) == 2)
-		got_data = 1;
-	if (f)
-		pclose(f);
-#endif /* XAUTH_PATH */
+	if (options.xauth_location) {
+		/* Try to get Xauthority information for the display. */
+		snprintf(line, sizeof line, "%.100s list %.200s 2>/dev/null",
+		    options.xauth_location, getenv("DISPLAY"));
+		f = popen(line, "r");
+		if (f && fgets(line, sizeof(line), f) &&
+		    sscanf(line, "%*s %s %s", proto, data) == 2)
+			got_data = 1;
+		if (f)
+			pclose(f);
+	}
 	/*
 	 * If we didn't get authentication data, just make up some
 	 * data.  The forwarding code will check the validity of the

sshconnect2.c

@@ -28,7 +28,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.11 2000/05/25 20:45:20 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.13 2000/06/02 02:00:19 todd Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
@@ -71,7 +71,6 @@ void
 ssh_kex_dh(Kex *kex, char *host, struct sockaddr *hostaddr,
     Buffer *client_kexinit, Buffer *server_kexinit)
 {
-	int i;
 	int plen, dlen;
 	unsigned int klen, kout;
 	char *signature = NULL;
@@ -265,9 +264,12 @@ ssh2_try_passwd(const char *server_user, const char *host, const char *service)
 	char prompt[80];
 	char *password;
 
-	if (attempt++ > options.number_of_password_prompts)
+	if (attempt++ >= options.number_of_password_prompts)
 		return 0;
 
+	if(attempt != 1)
+		error("Permission denied, please try again.");
+
 	snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ",
 	    server_user, host);
 	password = read_passphrase(prompt, 0);

sshd.8

@@ -9,7 +9,7 @@
 .\"
 .\" Created: Sat Apr 22 21:55:14 1995 ylo
 .\"
-.\" $Id: sshd.8,v 1.22 2000/05/09 01:03:03 damien Exp $
+.\" $Id: sshd.8,v 1.23 2000/06/07 09:55:44 djm Exp $
 .\"
 .Dd September 25, 1999
 .Dt SSHD 8
@@ -552,7 +552,10 @@ The default is AUTH.
 .It Cm UseLogin
 Specifies whether
 .Xr login 1
-is used.
+is used for interactive login sessions.
+Note that
+.Xr login 1
+is not never for remote command execution.
 The default is
 .Dq no .
 .It Cm X11DisplayOffset
@@ -569,6 +572,12 @@ The default is
 .Dq no .
 Note that disabling X11 forwarding does not improve security in any
 way, as users can always install their own forwarders.
+.It Cm XAuthLocation
+Specifies the location of the
+.Xr xauth 1
+program.
+The default is
+.Pa /usr/X11R6/bin/xauth .
 .El
 .Sh LOGIN PROCESS
 When a user successfully logs in,

version.h

@@ -1 +1 @@
-#define SSH_VERSION	"OpenSSH-2.1"
+#define SSH_VERSION	"OpenSSH_2.1.1"