-/* $OpenBSD: sshd.c,v 1.347 2006/08/18 09:15:20 markus Exp $ */
+/* $OpenBSD: sshd.c,v 1.351 2007/05/22 10:18:52 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
logit("Received SIGHUP; restarting.");
close_listen_socks();
close_startup_pipes();
+ alarm(0); /* alarm timer persists across exec */
execv(saved_argv[0], saved_argv);
logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
strerror(errno));
int ret, listen_sock, on = 1;
struct addrinfo *ai;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+ int socksize;
+ int socksizelen = sizeof(int);
for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
error("setsockopt SO_REUSEADDR: %s", strerror(errno));
debug("Bind to port %s on %s.", strport, ntop);
+
+ getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF,
+ &socksize, &socksizelen);
+ debug("Server TCP RWIN socket size: %d", socksize);
+ debug("HPN Buffer Size: %d", options.hpn_buffer_size);
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
+ /* challenge-response is implemented via keyboard interactive */
+ if (options.challenge_response_authentication)
+ options.kbd_interactive_authentication = 1;
+
/* set default channel AF */
channel_set_af(options.address_family);
debug("sshd version %.100s", SSH_RELEASE);
- /* Store privilege separation user for later use */
- if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL)
- fatal("Privilege separation user %s does not exist",
- SSH_PRIVSEP_USER);
- memset(privsep_pw->pw_passwd, 0, strlen(privsep_pw->pw_passwd));
- privsep_pw->pw_passwd = "*";
- privsep_pw = pwcopy(privsep_pw);
+ /* Store privilege separation user for later use if required. */
+ if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
+ if (use_privsep || options.kerberos_authentication)
+ fatal("Privilege separation user %s does not exist",
+ SSH_PRIVSEP_USER);
+ } else {
+ memset(privsep_pw->pw_passwd, 0, strlen(privsep_pw->pw_passwd));
+ privsep_pw = pwcopy(privsep_pw);
+ xfree(privsep_pw->pw_passwd);
+ privsep_pw->pw_passwd = xstrdup("*");
+ }
endpwent();
/* load private host keys */
* key is in the highest bits.
*/
if (!rsafail) {
- BN_mask_bits(session_key_int, sizeof(session_key) * 8);
+ (void) BN_mask_bits(session_key_int, sizeof(session_key) * 8);
len = BN_num_bytes(session_key_int);
if (len < 0 || (u_int)len > sizeof(session_key)) {
- error("do_connection: bad session key len from %s: "
+ error("do_ssh1_kex: bad session key len from %s: "
"session_key_int %d > sizeof(session_key) %lu",
get_remote_ipaddr(), len, (u_long)sizeof(session_key));
rsafail++;
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
- /* start key exchange */
-
#ifdef GSSAPI
{
char *orig;
orig = myproposal[PROPOSAL_KEX_ALGS];
/*
- * If we don't have a host key, then there's no point advertising
- * the other key exchange algorithms
+ * If we don't have a host key, then there's no point advertising
+ * the other key exchange algorithms
*/
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
else
gss = NULL;
- if (gss && orig) {
- int len = strlen(orig) + strlen(gss) + 2;
- newstr = xmalloc(len);
- snprintf(newstr, len, "%s,%s", gss, orig);
- } else if (gss) {
+ if (gss && orig)
+ xasprintf(&newstr, "%s,%s", gss, orig);
+ else if (gss)
newstr = gss;
- } else if (orig) {
+ else if (orig)
newstr = orig;
- }
+
/*
* If we've got GSSAPI mechanisms, then we've got the 'null' host
* key alg, but we can't tell people about it unless its the only
}
#endif
- /* start key exchange */
- kex = kex_setup(myproposal);
- kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
+ /* start key exchange */
+ /* start key exchange */
+ kex = kex_setup(myproposal);
+ kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
+ kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
#ifdef GSSAPI
kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
#endif
- kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->server = 1;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;