- (djm) OpenBSD CVS updates:

- provos@cvs.openbsd.org  2000/11/22 08:38:31
     [sshd.8]
     talk about /etc/primes, okay markus@
   - markus@cvs.openbsd.org  2000/11/23 14:03:48
     [ssh.c sshconnect1.c sshconnect2.c]
     complain about invalid ciphers for ssh1/ssh2, fall back to reasonable
     defaults
   - markus@cvs.openbsd.org  2000/11/25 09:42:53
     [sshconnect1.c]
     reorder check for illegal ciphers, bugreport from espie@
   - markus@cvs.openbsd.org  2000/11/25 10:19:34
     [ssh-keygen.c ssh.h]
     print keytype when generating a key.
     reasonable defaults for RSA1/RSA/DSA keys.

ChangeLog

@@ -4,6 +4,21 @@
  - (djm) Don't fail in defines.h on absence of 64 bit types (we will 
    still fail during compilation of sftp-server).
  - (djm) Fail if ar is not found during configure
+ - (djm) OpenBSD CVS updates:
+   - provos@cvs.openbsd.org  2000/11/22 08:38:31
+     [sshd.8]
+     talk about /etc/primes, okay markus@
+   - markus@cvs.openbsd.org  2000/11/23 14:03:48
+     [ssh.c sshconnect1.c sshconnect2.c]
+     complain about invalid ciphers for ssh1/ssh2, fall back to reasonable
+     defaults
+   - markus@cvs.openbsd.org  2000/11/25 09:42:53
+     [sshconnect1.c]
+     reorder check for illegal ciphers, bugreport from espie@
+   - markus@cvs.openbsd.org  2000/11/25 10:19:34
+     [ssh-keygen.c ssh.h]
+     print keytype when generating a key.
+     reasonable defaults for RSA1/RSA/DSA keys.
 
 20001125
  - (djm) Give up privs when reading seed file

ssh-keygen.c

@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.34 2000/11/15 20:24:43 millert Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.35 2000/11/25 17:19:33 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@@ -67,9 +67,8 @@ int convert_to_ssh2 = 0;
 int convert_from_ssh2 = 0;
 int print_public = 0;
 
-/* key type */
-int dsa_mode = 0;		/* compat */
-char *key_type_name = NULL;
+/* default to RSA for SSH-1 */
+char *key_type_name = "rsa1";
 
 /* argv0 */
 #ifdef HAVE___PROGNAME
@@ -84,9 +83,24 @@ void
 ask_filename(struct passwd *pw, const char *prompt)
 {
 	char buf[1024];
-	snprintf(identity_file, sizeof(identity_file), "%s/%s",
-	    pw->pw_dir,
-	    dsa_mode ? SSH_CLIENT_ID_DSA: SSH_CLIENT_IDENTITY);
+	char *name = NULL;
+
+	switch (key_type_from_name(key_type_name)) {
+	case KEY_RSA1:
+		name = SSH_CLIENT_IDENTITY;
+		break;
+	case KEY_DSA:
+		name = SSH_CLIENT_ID_DSA;
+		break;
+	case KEY_RSA:
+		name = SSH_CLIENT_ID_RSA;
+		break;
+	default:
+		fprintf(stderr, "bad key type");
+		exit(1);
+		break;
+	}
+	snprintf(identity_file, sizeof(identity_file), "%s/%s", pw->pw_dir, name);
 	printf("%s (%s): ", prompt, identity_file);
 	fflush(stdout);
 	if (fgets(buf, sizeof(buf), stdin) == NULL)
@@ -600,10 +614,9 @@ main(int ac, char **av)
 {
 	char dotsshdir[16 * 1024], comment[1024], *passphrase1, *passphrase2;
 	struct passwd *pw;
-	int opt;
+	int opt, type;
 	struct stat st;
 	FILE *f;
-	int type = KEY_RSA1;
 	Key *private;
 	Key *public;
 
@@ -688,12 +701,10 @@ main(int ac, char **av)
 
 		case 'd':
 			key_type_name = "dsa";
-			dsa_mode = 1;
 			break;
 
 		case 't':
 			key_type_name = optarg;
-			dsa_mode = (strcmp(optarg, "dsa") == 0);
 			break;
 
 		case '?':
@@ -724,15 +735,13 @@ main(int ac, char **av)
 
 	arc4random_stir();
 
-	if (key_type_name != NULL) {
-		type = key_type_from_name(key_type_name);
-		if (type == KEY_UNSPEC) {
-			fprintf(stderr, "unknown key type %s\n", key_type_name);
-			exit(1);
-		}
+	type = key_type_from_name(key_type_name);
+	if (type == KEY_UNSPEC) {
+		fprintf(stderr, "unknown key type %s\n", key_type_name);
+		exit(1);
 	}
 	if (!quiet)
-		printf("Generating public/private key pair.\n");
+		printf("Generating public/private %s key pair.\n", key_type_name);
 	private = key_generate(type, bits);
 	if (private == NULL) {
 		fprintf(stderr, "key_generate failed");

ssh.c

@@ -39,7 +39,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.73 2000/11/15 19:58:08 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.74 2000/11/23 21:03:47 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/dsa.h>
@@ -427,12 +427,18 @@ main(int ac, char **av)
 				options.cipher = SSH_CIPHER_ILLEGAL;
 			} else {
 				/* SSH1 only */
-				Cipher *c = cipher_by_name(optarg);
-				if (c == NULL || c->number < 0) {
+				options.cipher = cipher_number(optarg);
+				if (options.cipher == -1) {
 					fprintf(stderr, "Unknown cipher type '%s'\n", optarg);
 					exit(1);
 				}
-				options.cipher = c->number;
+				if (options.cipher == SSH_CIPHER_3DES) {
+					options.ciphers = "3des-cbc";
+				} else if (options.cipher == SSH_CIPHER_BLOWFISH) {
+					options.ciphers = "blowfish-cbc";
+				} else {
+					options.ciphers = (char *)-1;
+				}
 			}
 			break;
 		case 'p':

ssh.h

@@ -12,7 +12,7 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 
-/* RCSID("$OpenBSD: ssh.h,v 1.54 2000/10/11 20:27:24 markus Exp $"); */
+/* RCSID("$OpenBSD: ssh.h,v 1.55 2000/11/25 17:19:33 markus Exp $"); */
 
 #ifndef SSH_H
 #define SSH_H
@@ -144,6 +144,7 @@
  */
 #define SSH_CLIENT_IDENTITY	".ssh/identity"
 #define SSH_CLIENT_ID_DSA	".ssh/id_dsa"
+#define SSH_CLIENT_ID_RSA	".ssh/id_rsa"
 
 /*
  * Configuration file in user\'s home directory.  This file need not be

sshconnect1.c

@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.9 2000/11/12 19:50:38 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.11 2000/11/25 16:42:53 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
@@ -833,13 +833,14 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
 	RSA_free(public_key);
 	RSA_free(host_key);
 
-	if (options.cipher == SSH_CIPHER_ILLEGAL) {
+	if (options.cipher == SSH_CIPHER_NOT_SET) {
+		if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default))
+			options.cipher = ssh_cipher_default;
+	} else if (options.cipher == SSH_CIPHER_ILLEGAL ||
+	    !(cipher_mask_ssh1(1) & (1 << options.cipher))) {
 		log("No valid SSH1 cipher, using %.100s instead.",
 		    cipher_name(ssh_cipher_default));
 		options.cipher = ssh_cipher_default;
-	} else if (options.cipher == SSH_CIPHER_NOT_SET) {
-		if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default))
-			options.cipher = ssh_cipher_default;
 	}
 	/* Check that the selected cipher is supported. */
 	if (!(supported_ciphers & (1 << options.cipher)))

sshconnect2.c

@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.28 2000/11/12 19:50:38 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.29 2000/11/23 21:03:47 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
@@ -74,14 +74,9 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 	Buffer *client_kexinit, *server_kexinit;
 	char *sprop[PROPOSAL_MAX];
 
-	if (options.ciphers == NULL) {
-		if (options.cipher == SSH_CIPHER_3DES) {
-			options.ciphers = "3des-cbc";
-		} else if (options.cipher == SSH_CIPHER_BLOWFISH) {
-			options.ciphers = "blowfish-cbc";
-		} else if (options.cipher == SSH_CIPHER_DES) {
-			fatal("cipher DES not supported for protocol version 2");
-		}
+	if (options.ciphers == (char *)-1) {
+		log("No valid ciphers for protocol version 2 given, using defaults.");
+		options.ciphers = NULL;
 	}
 	if (options.ciphers != NULL) {
 		myproposal[PROPOSAL_ENC_ALGS_CTOS] =

sshd.8

@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.72 2000/11/12 19:50:38 markus Exp $
+.\" $OpenBSD: sshd.8,v 1.73 2000/11/22 15:38:30 provos Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -885,6 +885,8 @@ really used for anything; it is only provided for the convenience of
 the user so its contents can be copied to known hosts files.
 These two files are created using
 .Xr ssh-keygen 1 .
+.It Pa /etc/primes
+Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
 .It Pa /var/run/sshd.pid
 Contains the process ID of the
 .Nm