- markus@cvs.openbsd.org 2000/12/12 14:45:21
[sshd.c] source port < 1024 is no longer required for rhosts-rsa since it adds no additional security. - markus@cvs.openbsd.org 2000/12/12 16:11:49 [ssh.1 ssh.c] rhosts-rsa is no longer automagically disabled if ssh is not privileged. UsePrivilegedPort=no disables rhosts-rsa _only_ for old servers. these changes should not change the visible default behaviour of the ssh client.
parent
fa72ddac73
commit
fcec7f82bb
|
@ -15,6 +15,15 @@
|
|||
- deraadt@cvs.openbsd.org 2000/12/13 06:36:05
|
||||
[pty.c]
|
||||
KNF
|
||||
- markus@cvs.openbsd.org 2000/12/12 14:45:21
|
||||
[sshd.c]
|
||||
source port < 1024 is no longer required for rhosts-rsa since it
|
||||
adds no additional security.
|
||||
- markus@cvs.openbsd.org 2000/12/12 16:11:49
|
||||
[ssh.1 ssh.c]
|
||||
rhosts-rsa is no longer automagically disabled if ssh is not privileged.
|
||||
UsePrivilegedPort=no disables rhosts-rsa _only_ for old servers.
|
||||
these changes should not change the visible default behaviour of the ssh client.
|
||||
|
||||
20001213
|
||||
- (djm) Make sure we reset the SIGPIPE disposition after we fork. Report
|
||||
|
|
8
ssh.1
8
ssh.1
|
@ -34,7 +34,7 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh.1,v 1.71 2000/12/07 04:24:59 djm Exp $
|
||||
.\" $OpenBSD: ssh.1,v 1.72 2000/12/12 23:11:48 markus Exp $
|
||||
.Dd September 25, 1999
|
||||
.Dt SSH 1
|
||||
.Os
|
||||
|
@ -464,7 +464,8 @@ not permit connections from privileged ports.
|
|||
Note that this option turns off
|
||||
.Cm RhostsAuthentication
|
||||
and
|
||||
.Cm RhostsRSAAuthentication .
|
||||
.Cm RhostsRSAAuthentication
|
||||
for older servers.
|
||||
.It Fl q
|
||||
Quiet mode.
|
||||
Causes all warning and diagnostic messages to be suppressed.
|
||||
|
@ -948,7 +949,8 @@ Note that setting this option to
|
|||
turns off
|
||||
.Cm RhostsAuthentication
|
||||
and
|
||||
.Cm RhostsRSAAuthentication .
|
||||
.Cm RhostsRSAAuthentication
|
||||
for older servers.
|
||||
.It Cm User
|
||||
Specifies the user to log in as.
|
||||
This can be useful if you have a different user name on different machines.
|
||||
|
|
21
ssh.c
21
ssh.c
|
@ -39,7 +39,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: ssh.c,v 1.75 2000/11/30 07:02:35 markus Exp $");
|
||||
RCSID("$OpenBSD: ssh.c,v 1.77 2000/12/12 23:11:48 markus Exp $");
|
||||
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/dsa.h>
|
||||
|
@ -575,11 +575,10 @@ main(int ac, char **av)
|
|||
if (!options.use_privileged_port) {
|
||||
#else
|
||||
if (original_effective_uid != 0 || !options.use_privileged_port) {
|
||||
debug("Rhosts Authentication methods disabled, "
|
||||
"originating port will not be trusted.");
|
||||
#endif
|
||||
debug("Rhosts Authentication disabled, "
|
||||
"originating port will not be trusted.");
|
||||
options.rhosts_authentication = 0;
|
||||
options.rhosts_rsa_authentication = 0;
|
||||
}
|
||||
/*
|
||||
* If using rsh has been selected, exec it now (without trying
|
||||
|
@ -602,17 +601,13 @@ main(int ac, char **av)
|
|||
/* Restore our superuser privileges. */
|
||||
restore_uid();
|
||||
|
||||
/*
|
||||
* Open a connection to the remote host. This needs root privileges
|
||||
* if rhosts_{rsa_}authentication is enabled.
|
||||
*/
|
||||
/* Open a connection to the remote host. */
|
||||
|
||||
ok = ssh_connect(host, &hostaddr, options.port,
|
||||
options.connection_attempts,
|
||||
!options.rhosts_authentication &&
|
||||
!options.rhosts_rsa_authentication,
|
||||
original_real_uid,
|
||||
options.proxy_command);
|
||||
options.connection_attempts,
|
||||
original_effective_uid != 0 || !options.use_privileged_port,
|
||||
original_real_uid,
|
||||
options.proxy_command);
|
||||
|
||||
/*
|
||||
* If we successfully made the connection, load the host private key
|
||||
|
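Review bot: The fifth argument to ssh_connect at L277 repeats the privilege test already made at L194 (`original_effective_uid != 0 || !options.use_privileged_port`), but that earlier test is platform-conditional: the `#else` at L191 shows a second form that checks only `!options.use_privileged_port` (L188), so on that build the two sites can disagree, with the Rhosts branch left enabled while ssh_connect is told not to use a privileged port (whether original_effective_uid is ever non-zero there is not visible in the hunk). Computing the decision once inside the existing `#ifdef`/`#else` block and reusing it keeps both sites in step; for example set `int no_priv_port = original_effective_uid != 0 || !options.use_privileged_port;` in the non-Cygwin branch (and the shorter form in the other), then pass `no_priv_port` as the fifth argument. The replacement comment at L251 dropped the note about privileges entirely; a short `/* The flag argument decides whether a privileged source port is bound. */` would keep the reason visible at the call. main() begins and ends outside these hunks.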
|
9
sshd.c
9
sshd.c
|
@ -40,7 +40,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: sshd.c,v 1.136 2000/12/05 16:47:28 todd Exp $");
|
||||
RCSID("$OpenBSD: sshd.c,v 1.137 2000/12/12 21:45:21 markus Exp $");
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "rsa.h"
|
||||
|
@ -1119,18 +1119,17 @@ main(int ac, char **av)
|
|||
|
||||
sshd_exchange_identification(sock_in, sock_out);
|
||||
/*
|
||||
* Check that the connection comes from a privileged port. Rhosts-
|
||||
* and Rhosts-RSA-Authentication only make sense from priviledged
|
||||
* Check that the connection comes from a privileged port.
|
||||
* Rhosts-Authentication only makes sense from priviledged
|
||||
* programs. Of course, if the intruder has root access on his local
|
||||
* machine, he can connect from any port. So do not use these
|
||||
* authentication methods from machines that you do not trust.
|
||||
*/
|
||||
if (remote_port >= IPPORT_RESERVED ||
|
||||
remote_port < IPPORT_RESERVED / 2) {
|
||||
debug("Rhosts Authentication methods disabled, "
|
||||
debug("Rhosts Authentication disabled, "
|
||||
"originating port not trusted.");
|
||||
options.rhosts_authentication = 0;
|
||||
options.rhosts_rsa_authentication = 0;
|
||||
}
|
||||
#ifdef KRB4
|
||||
if (!packet_connection_is_ipv4() &&
|
||||
|
|
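Review bot: The rewritten comment at L344–L347 still ends with `So do not use these authentication methods from machines that you do not trust.` (L353–L356), which now reads oddly because the block below disables only `options.rhosts_authentication` (L377) and leaves rhosts-rsa enabled for any source port; the new line L347 also carries the pre-existing `priviledged` misspelling forward. I would change the tail to `So do not use rhosts authentication from machines that you do not trust.` and fix the spelling on L347. It is also worth recording in the comment why Rhosts-RSA is exempt from the port check — the commit message says the port adds no security for it, presumably because the client must prove possession of its host key — so the reason lives in the source and not only in the log. main() begins and ends outside this hunk.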