-/* $OpenBSD: sshconnect2.c,v 1.162 2006/08/30 00:06:51 dtucker Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.164 2007/05/17 23:53:41 jolan Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
#include <sys/stat.h>
#include <errno.h>
+#include <netdb.h>
#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
extern char *client_version_string;
extern char *server_version_string;
extern Options options;
-extern Kex *xxx_kex;
/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
/* if it is set then prevent the switch to the null cipher */
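Review bot: The `extern Kex *xxx_kex;` declaration is dropped here, yet the new side of the none-cipher hunk further down still dereferences it (`kex_prop2buf(&xxx_kex->my,myproposal);`), so this only compiles if a file-scope definition or another declaration of `xxx_kex` exists outside the visible hunks — presumably it does, which is what would have made the extern redundant. A one-line comment at that use site, e.g. `/* xxx_kex: the file-scope Kex for this connection (defined elsewhere in this file) */`, would make the dependency visible to the next reader of the patch.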
#ifdef GSSAPI
char *orig = NULL, *gss = NULL;
- int len;
- char *gss_host = NULL;
+ char *gss_host = NULL;
#endif
xxx_host = host;
#ifdef GSSAPI
if (options.gss_keyex) {
- /* Add the GSSAPI mechanisms currently supported on this client to
- * the key exchange algorithm proposal */
- orig = myproposal[PROPOSAL_KEX_ALGS];
- if (options.gss_trust_dns)
- gss_host = (char *)get_canonical_hostname(1);
- else
- gss_host = host;
-
- gss = ssh_gssapi_client_mechanisms(gss_host);
- if (gss) {
- debug("Offering GSSAPI proposal: %s", gss);
- len = strlen(orig) + strlen(gss) + 2;
- myproposal[PROPOSAL_KEX_ALGS] = xmalloc(len);
- snprintf(myproposal[PROPOSAL_KEX_ALGS], len, "%s,%s", gss,
- orig);
- }
+ /* Add the GSSAPI mechanisms currently supported on this
+ * client to the key exchange algorithm proposal */
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+
+ if (options.gss_trust_dns)
+ gss_host = (char *)get_canonical_hostname(1);
+ else
+ gss_host = host;
+
+ gss = ssh_gssapi_client_mechanisms(gss_host);
+ if (gss) {
+ debug("Offering GSSAPI proposal: %s", gss);
+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
+ "%s,%s", gss, orig);
+ }
}
#endif
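Review bot: `gss_host = (char *)get_canonical_hostname(1);` casts away the const on the returned name, presumably only because `ssh_gssapi_client_mechanisms` takes a `char *`; if that function does not write through its argument, declaring `gss_host` as `const char *` and making the parameter const removes the cast. The comment above the block should also say what `gss_trust_dns` changes: the host name the GSSAPI mechanisms are looked up for is then the DNS-canonicalised name rather than the name the user typed, e.g. `/* With GSSAPITrustDNS the name handed to the GSSAPI mechanisms comes from DNS canonicalisation, so that step trusts DNS. */`. The `xasprintf` result replaces `orig` without freeing it, which is fine if the default proposal entry is a string literal but leaks if it can already be heap-allocated at this point; that cannot be told from the hunk.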
* 'null' hostkey, as a last resort */
if (options.gss_keyex && gss) {
orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
- len = strlen(orig) + sizeof(",null");
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = xmalloc(len);
- snprintf(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], len,
+ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
"%s,null", orig);
}
#endif
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
+ kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
#ifdef GSSAPI
kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
#endif
- kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
kex->verify_host_key=&verify_host_key_callback;
pubkey_cleanup(&authctxt);
dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
- if ((options.none_switch == 1) && (options.none_enabled == 1) && !tty_flag) /* no null on tty sessions */
+
+ /* if the user wants to use the none cipher do it */
+ /* post authentication and only if the right conditions are met */
+ /* both of the NONE commands must be true and there must be no */
+ /* tty allocated */
+ if ((options.none_switch == 1) && (options.none_enabled == 1))
{
- debug("Requesting none rekeying...");
- myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
- myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
- kex_prop2buf(&xxx_kex->my,myproposal);
- packet_request_rekeying();
- fprintf(stderr, "WARNING: ENABLED NULL CIPHER\n");
+ if (!tty_flag) /* no null on tty sessions */
+ {
+ debug("Requesting none rekeying...");
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
+ kex_prop2buf(&xxx_kex->my,myproposal);
+ packet_request_rekeying();
+ fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
+ }
+ else
+ {
+ /* requested NONE cipher when in a tty */
+ debug("Cannot switch to NONE cipher with tty allocated");
+ fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
+ }
}
debug("Authentication succeeded (%s).", authctxt.method->name);
}
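Review bot: The none-cipher branch replaces the entire encryption proposal with the single entry `"none"` (`myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";` and the CTOS line), so there is no fallback entry: if the server does not accept `none`, the post-authentication rekey presumably cannot agree on a cipher and the already-authenticated session fails instead of continuing encrypted. Neither that nor the fact that the session is unencrypted from the rekey onward is stated in the four single-line comments above the `if`, which would read better as one block comment such as `/* Post-auth switch to the none cipher: the session is unencrypted from this rekey on, and the proposal is "none" alone, so a server that does not enable it fails the rekey rather than falling back. */`. The stderr warning text changed from NULL CIPHER to NONE CIPHER, which is worth calling out for anyone matching the old wording in logs.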
{
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
- unsigned int oidlen;
- unsigned char *oidv;
+ u_int oidlen;
+ u_char *oidv;
if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context");
Sensitive *sensitive = authctxt->sensitive;
Buffer b;
u_char *signature, *blob;
- char *chost, *pkalg, *p;
+ char *chost, *pkalg, *p, myname[NI_MAXHOST];
const char *service;
u_int blen, slen;
int ok, i, len, found = 0;
return 0;
}
/* figure out a name for the client host */
- p = get_local_name(packet_get_connection_in());
+ p = NULL;
+ if (packet_connection_is_on_socket())
+ p = get_local_name(packet_get_connection_in());
+ if (p == NULL) {
+ if (gethostname(myname, sizeof(myname)) == -1) {
+ verbose("userauth_hostbased: gethostname: %s",
+ strerror(errno));
+ } else
+ p = xstrdup(myname);
+ }
if (p == NULL) {
error("userauth_hostbased: cannot get local ipaddr/name");
key_free(private);
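Review bot: `gethostname(myname, sizeof(myname))` does not guarantee NUL termination when the host name does not fit in the buffer (POSIX leaves that unspecified), so `p = xstrdup(myname)` can read past the end of the `NI_MAXHOST` array and the unterminated name presumably ends up as the client host in the hostbased request. Terminate it defensively on the success path before copying: `myname[sizeof(myname) - 1] = '\0';`. The enclosing function, userauth_hostbased, starts and ends outside the hunk, so whether the `xstrdup` result is released on every exit path cannot be checked here.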