+20070317
+ - [ gss-serv-krb5.c ]
+ Remove C99ism, where new_ccname was being declared in the middle of a
+ function
+
20061220
- [ servconf.c ]
Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and
fake.pw_passwd =
"$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
fake.pw_gecos = "NOUSER";
- fake.pw_uid = privsep_pw->pw_uid;
- fake.pw_gid = privsep_pw->pw_gid;
+ fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid;
+ fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid;
#ifdef HAVE_PW_CLASS_IN_PASSWD
fake.pw_class = "";
#endif
-/* $OpenBSD: auth2.c,v 1.113 2006/08/03 03:34:41 deraadt Exp $ */
+/* $OpenBSD: auth2.c,v 1.114 2007/03/01 10:28:02 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
void
do_authentication2(Authctxt *authctxt)
{
- /* challenge-response is implemented via keyboard interactive */
- if (options.challenge_response_authentication)
- options.kbd_interactive_authentication = 1;
-
dispatch_init(&dispatch_protocol_error);
dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
-/* $OpenBSD: channels.c,v 1.266 2006/08/29 10:40:18 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.268 2007/01/03 03:01:40 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
if (have < nmethods + 2)
return 0;
/* look for method: "NO AUTHENTICATION REQUIRED" */
- for (found = 0, i = 2 ; i < nmethods + 2; i++) {
+ for (found = 0, i = 2; i < nmethods + 2; i++) {
if (p[i] == SSH_SOCKS5_NOAUTH) {
found = 1;
break;
int len;
if (c->rfd != -1 &&
- FD_ISSET(c->rfd, readset)) {
+ (c->detach_close || FD_ISSET(c->rfd, readset))) {
errno = 0;
len = read(c->rfd, buf, sizeof(buf));
- if (len < 0 && (errno == EINTR || errno == EAGAIN))
+ if (len < 0 && (errno == EINTR ||
+ (errno == EAGAIN && !(c->isatty && c->detach_close))))
return 1;
#ifndef PTY_ZEROREAD
if (len <= 0) {
c->local_consumed += len;
}
} else if (c->extended_usage == CHAN_EXTENDED_READ &&
- FD_ISSET(c->efd, readset)) {
+ (c->detach_close || FD_ISSET(c->efd, readset))) {
len = read(c->efd, buf, sizeof(buf));
debug2("channel %d: read %d from efd %d",
c->self, len, c->efd);
- if (len < 0 && (errno == EINTR || errno == EAGAIN))
+ if (len < 0 && (errno == EINTR ||
+ (errno == EAGAIN && !c->detach_close)))
return 1;
if (len <= 0) {
debug2("channel %d: closing read-efd %d",
/* Send the forward request to the remote side. */
if (compat20) {
const char *address_to_bind;
- if (listen_host == NULL)
- address_to_bind = "localhost";
- else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0)
- address_to_bind = "";
- else
+ if (listen_host == NULL) {
+ if (datafellows & SSH_BUG_RFWD_ADDR)
+ address_to_bind = "127.0.0.1";
+ else
+ address_to_bind = "localhost";
+ } else if (*listen_host == '\0' ||
+ strcmp(listen_host, "*") == 0) {
+ if (datafellows & SSH_BUG_RFWD_ADDR)
+ address_to_bind = "0.0.0.0";
+ else
+ address_to_bind = "";
+ } else
address_to_bind = listen_host;
packet_start(SSH2_MSG_GLOBAL_REQUEST);
-/* $OpenBSD: clientloop.c,v 1.176 2006/10/11 12:38:03 markus Exp $ */
+/* $OpenBSD: clientloop.c,v 1.178 2007/02/20 10:25:14 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
{
Buffer m;
Channel *c;
- int client_fd, new_fd[3], ver, allowed;
+ int client_fd, new_fd[3], ver, allowed, window, packetmax;
socklen_t addrlen;
struct sockaddr_storage addr;
struct confirm_ctx *cctx;
set_nonblock(client_fd);
if (options.hpn_disabled)
- c = channel_new("session", SSH_CHANNEL_OPENING,
- new_fd[0], new_fd[1], new_fd[2],
- CHAN_SES_WINDOW_DEFAULT, CHAN_SES_PACKET_DEFAULT,
- CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
- else
- c = channel_new("session", SSH_CHANNEL_OPENING,
- new_fd[0], new_fd[1], new_fd[2],
- options.hpn_buffer_size, CHAN_SES_PACKET_DEFAULT,
- CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
+ window = options.hpn_buffer_size;
+ else
+ window = CHAN_SES_WINDOW_DEFAULT;
+ packetmax = CHAN_SES_PACKET_DEFAULT;
+ if (cctx->want_tty) {
+ window >>= 1;
+ packetmax >>= 1;
+ }
+
+ c = channel_new("session", SSH_CHANNEL_OPENING,
+ new_fd[0], new_fd[1], new_fd[2], window, packetmax,
+ CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
+
/* XXX */
c->ctl_fd = client_fd;
error("Warning: this is probably a break-in attempt by a malicious server.");
return NULL;
}
- sock = ssh_get_authentication_socket();
+ sock = ssh_get_authentication_socket();
if (sock < 0)
return NULL;
if (options.hpn_disabled)
-/* $OpenBSD: compat.c,v 1.76 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: compat.c,v 1.77 2006/12/12 03:58:42 djm Exp $ */
/*
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
*
{ "2.3.*", SSH_BUG_DEBUG|SSH_BUG_RSASIGMD5|
SSH_BUG_FIRSTKEX },
{ "2.4", SSH_OLD_SESSIONID }, /* Van Dyke */
- { "2.*", SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX },
+ { "2.*", SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX|
+ SSH_BUG_RFWD_ADDR },
{ "3.0.*", SSH_BUG_DEBUG },
{ "3.0 SecureCRT*", SSH_OLD_SESSIONID },
{ "1.7 SecureFX*", SSH_OLD_SESSIONID },
-/* $OpenBSD: compat.h,v 1.40 2006/03/25 22:22:43 djm Exp $ */
+/* $OpenBSD: compat.h,v 1.41 2006/12/12 03:58:42 djm Exp $ */
/*
* Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved.
#define SSH_BUG_PROBE 0x00400000
#define SSH_BUG_FIRSTKEX 0x00800000
#define SSH_OLD_FORWARD_ADDR 0x01000000
-#define SSH_BUG_LARGEWINDOW 0x02000000
+#define SSH_BUG_RFWD_ADDR 0x02000000
+#define SSH_BUG_LARGEWINDOW 0x04000000
void enable_compat13(void);
void enable_compat20(void);
;;
*-*-cygwin*)
check_for_libcrypt_later=1
- LIBS="$LIBS /usr/lib/textmode.o"
+ LIBS="$LIBS /usr/lib/textreadmode.o"
AC_DEFINE(HAVE_CYGWIN, 1, [Define if you are on Cygwin])
AC_DEFINE(USE_PIPES, 1, [Use PIPES instead of a socketpair()])
AC_DEFINE(DISABLE_SHADOW, 1,
AC_DEFINE(BROKEN_SETREGID)
;;
*-*-darwin*)
- AC_DEFINE(BROKEN_GETADDRINFO, 1, [getaddrinfo is broken (if present)])],
+ AC_DEFINE(BROKEN_GETADDRINFO, 1, [Define if getaddrinfo is broken)])
+ AC_DEFINE(BROKEN_GETADDRINFO)
AC_DEFINE(SETEUID_BREAKS_SETUID)
AC_DEFINE(BROKEN_SETREUID)
AC_DEFINE(BROKEN_SETREGID)
]
)
+AC_ARG_WITH(openssl-header-check,
+ [ --without-openssl-header-check Disable OpenSSL version consistency check],
+ [ if test "x$withval" = "xno" ; then
+ openssl_check_nonfatal=1
+ fi
+ ]
+)
+
# Sanity check OpenSSL headers
AC_MSG_CHECKING([whether OpenSSL's headers match the library])
AC_RUN_IFELSE(
],
[
AC_MSG_RESULT(no)
- AC_MSG_ERROR([Your OpenSSL headers do not match your library.
-Check config.log for details.
+ if test "x$openssl_check_nonfatal" = "x"; then
+ AC_MSG_ERROR([Your OpenSSL headers do not match your
+library. Check config.log for details.
+If you are sure your installation is consistent, you can disable the check
+by running "./configure --without-openssl-header-check".
+Also see contrib/findssl.sh for help identifying header/library mismatches.
+])
+ else
+ AC_MSG_WARN([Your OpenSSL headers do not match your
+library. Check config.log for details.
Also see contrib/findssl.sh for help identifying header/library mismatches.])
+ fi
],
[
AC_MSG_WARN([cross compiling: not checking])
LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH}
export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
+# not all platforms have a 'which' command
+if which ls >/dev/null 2>/dev/null; then
+ : which is defined
+else
+ which () {
+ saveIFS="$IFS"
+ IFS=:
+ for p in $PATH; do
+ if test -x "$p/$1" -a -f "$p/$1"; then
+ IFS="$saveIFS"
+ echo "$p/$1"
+ return 0
+ fi
+ done
+ IFS="$saveIFS"
+ return 1
+ }
+fi
+
#
# Search for OpenSSL headers and print versions
#
-/* $OpenBSD: dns.c,v 1.23 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: dns.c,v 1.24 2007/01/03 03:01:40 stevesk Exp $ */
/*
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
if (fingerprints->rri_nrdatas)
*flags |= DNS_VERIFY_FOUND;
- for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) {
+ for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) {
/*
* Extract the key from the answer. Ignore any badly
* formatted fingerprints.
OM_uint32 maj_status, min_status;
gss_cred_id_t krb5_cred_handle;
int len;
- const char* new_ccname;
+ const char *new_ccname;
if (client->creds == NULL) {
debug("No credentials stored");
-/* $OpenBSD: kex.c,v 1.76 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: kex.c,v 1.77 2007/01/21 01:41:54 stevesk Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
u_int i;
fprintf(stderr, "%s\n", msg);
- for (i = 0; i< len; i++) {
+ for (i = 0; i < len; i++) {
fprintf(stderr, "%02x", digest[i]);
if (i%32 == 31)
fprintf(stderr, "\n");
-/* $OpenBSD: misc.c,v 1.64 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: misc.c,v 1.65 2006/11/23 01:35:11 ray Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005,2006 Damien Miller. All rights reserved.
u_long *lineno)
{
while (fgets(buf, bufsz, f) != NULL) {
+ if (buf[0] == '\0')
+ continue;
(*lineno)++;
if (buf[strlen(buf) - 1] == '\n' || feof(f)) {
return 0;
-/* $OpenBSD: moduli.c,v 1.19 2006/11/06 21:25:28 markus Exp $ */
+/* $OpenBSD: moduli.c,v 1.20 2007/02/24 03:30:11 ray Exp $ */
/*
* Copyright 1994 Phil Karn <karn@qualcomm.com>
* Copyright 1996-1998, 2003 William Allen Simpson <wsimpson@greendragon.com>
res = 0;
lp = xmalloc(QLINESIZE + 1);
- while (fgets(lp, QLINESIZE, in) != NULL) {
- int ll = strlen(lp);
-
+ while (fgets(lp, QLINESIZE + 1, in) != NULL) {
count_in++;
- if (ll < 14 || *lp == '!' || *lp == '#') {
+ if (strlen(lp) < 14 || *lp == '!' || *lp == '#') {
debug2("%10u: comment or short line", count_in);
continue;
}
-/* $OpenBSD: monitor.c,v 1.89 2006/11/07 10:31:31 markus Exp $ */
+/* $OpenBSD: monitor.c,v 1.90 2007/02/19 10:45:58 dtucker Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
#endif
buffer_put_cstring(m, pwent->pw_dir);
buffer_put_cstring(m, pwent->pw_shell);
+ buffer_put_string(m, &options, sizeof(options));
+ if (options.banner != NULL)
+ buffer_put_cstring(m, options.banner);
out:
debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
-/* $OpenBSD: monitor_wrap.c,v 1.54 2006/08/12 20:46:46 miod Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.55 2007/02/19 10:45:58 dtucker Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
#include "channels.h"
#include "session.h"
+#include "servconf.h"
/* Imports */
extern int compat20;
{
Buffer m;
struct passwd *pw;
- u_int pwlen;
+ u_int len;
+ ServerOptions *newopts;
debug3("%s entering", __func__);
buffer_free(&m);
return (NULL);
}
- pw = buffer_get_string(&m, &pwlen);
- if (pwlen != sizeof(struct passwd))
+ pw = buffer_get_string(&m, &len);
+ if (len != sizeof(struct passwd))
fatal("%s: struct passwd size mismatch", __func__);
pw->pw_name = buffer_get_string(&m, NULL);
pw->pw_passwd = buffer_get_string(&m, NULL);
#endif
pw->pw_dir = buffer_get_string(&m, NULL);
pw->pw_shell = buffer_get_string(&m, NULL);
+
+ /* copy options block as a Match directive may have changed some */
+ newopts = buffer_get_string(&m, &len);
+ if (len != sizeof(*newopts))
+ fatal("%s: option block size mismatch", __func__);
+ if (newopts->banner != NULL)
+ newopts->banner = buffer_get_string(&m, NULL);
+ copy_set_server_options(&options, newopts, 1);
+ xfree(newopts);
+
buffer_free(&m);
return (pw);
}
/* allocate memory for signatures */
- rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
- if (rrset->rri_sigs == NULL) {
- result = ERRSET_NOMEMORY;
- goto fail;
+ if (rrset->rri_nsigs > 0) {
+ rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
+ if (rrset->rri_sigs == NULL) {
+ result = ERRSET_NOMEMORY;
+ goto fail;
+ }
}
/* copy answers & signatures */
# include <sys/time.h>
#endif
-#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <arpa/inet.h>
-/* $OpenBSD: readconf.c,v 1.159 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: readconf.c,v 1.161 2007/01/21 01:45:35 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
if ((value = convtime(arg)) == -1)
fatal("%s line %d: invalid time value.",
filename, linenum);
- if (*intptr == -1)
+ if (*activep && *intptr == -1)
*intptr = value;
break;
if (*intptr >= SSH_MAX_IDENTITY_FILES)
fatal("%.200s line %d: Too many identity files specified (max %d).",
filename, linenum, SSH_MAX_IDENTITY_FILES);
- charptr = &options->identity_files[*intptr];
+ charptr = &options->identity_files[*intptr];
*charptr = xstrdup(arg);
*intptr = *intptr + 1;
}
-/* $OpenBSD: scp.c,v 1.155 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: scp.c,v 1.156 2007/01/22 13:06:21 djm Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
if ((pwd = getpwuid(userid = getuid())) == NULL)
fatal("unknown user %u", (u_int) userid);
- if (!isatty(STDERR_FILENO))
+ if (!isatty(STDOUT_FILENO))
showprogress = 0;
remin = STDIN_FILENO;
-/* $OpenBSD: servconf.c,v 1.165 2006/08/14 12:40:25 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.170 2007/03/01 10:28:02 dtucker Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
- { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL },
- { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_GLOBAL },
+ { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
+ { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
- { "rsaauthentication", sRSAAuthentication, SSHCFG_GLOBAL },
- { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },
+ { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
+ { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
#ifdef KRB5
- { "kerberosauthentication", sKerberosAuthentication, SSHCFG_GLOBAL },
+ { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
#ifdef USE_AFS
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
#else
- { "kerberosauthentication", sUnsupported, SSHCFG_GLOBAL },
+ { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
#ifdef GSSAPI
- { "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL },
+ { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
{ "gssapicredentialspath", sGssCredsPath, SSHCFG_GLOBAL },
{ "gsiallowlimitedproxy", sGsiAllowLimitedProxy, SSHCFG_GLOBAL },
#endif
#else
- { "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
{ "gssapicredentialspath", sUnsupported, SSHCFG_GLOBAL },
{ "sessionhookstartupcmd", sSessionHookStartupCmd, SSHCFG_GLOBAL },
{ "sessionhookshutdowncmd", sSessionHookShutdownCmd, SSHCFG_GLOBAL },
#endif
- { "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL },
- { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL },
+ { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
+ { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
- { "banner", sBanner, SSHCFG_GLOBAL },
+ { "banner", sBanner, SSHCFG_ALL },
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
else
fatal("%s line %d: Bad yes/no/clientspecified "
"argument: %s", filename, linenum, arg);
- if (*intptr == -1)
+ if (*activep && *intptr == -1)
*intptr = value;
break;
if (!arg || *arg == '\0')
fatal("%s line %d: missing PermitOpen specification",
filename, linenum);
+ n = options->num_permitted_opens; /* modified later */
if (strcmp(arg, "any") == 0) {
- if (*activep) {
+ if (*activep && n == -1) {
channel_clear_adm_permitted_opens();
options->num_permitted_opens = 0;
}
break;
}
+ if (*activep && n == -1)
+ channel_clear_adm_permitted_opens();
for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
p = hpdelim(&arg);
if (p == NULL)
if (arg == NULL || (port = a2port(arg)) == 0)
fatal("%s line %d: bad port number in "
"PermitOpen", filename, linenum);
- if (*activep && options->num_permitted_opens == -1) {
- channel_clear_adm_permitted_opens();
+ if (*activep && n == -1)
options->num_permitted_opens =
channel_add_adm_permitted_opens(p, port);
- }
}
break;
initialize_server_options(&mo);
parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
- copy_set_server_options(options, &mo);
+ copy_set_server_options(options, &mo, 0);
}
-/* Copy any (supported) values that are set */
+/* Helper macros */
+#define M_CP_INTOPT(n) do {\
+ if (src->n != -1) \
+ dst->n = src->n; \
+} while (0)
+#define M_CP_STROPT(n) do {\
+ if (src->n != NULL) { \
+ if (dst->n != NULL) \
+ xfree(dst->n); \
+ dst->n = src->n; \
+ } \
+} while(0)
+
+/*
+ * Copy any supported values that are set.
+ *
+ * If the preauth flag is set, we do not bother copying the the string or
+ * array values that are not used pre-authentication, because any that we
+ * do use must be explictly sent in mm_getpwnamallow().
+ */
void
-copy_set_server_options(ServerOptions *dst, ServerOptions *src)
+copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
{
- if (src->allow_tcp_forwarding != -1)
- dst->allow_tcp_forwarding = src->allow_tcp_forwarding;
- if (src->gateway_ports != -1)
- dst->gateway_ports = src->gateway_ports;
- if (src->adm_forced_command != NULL) {
- if (dst->adm_forced_command != NULL)
- xfree(dst->adm_forced_command);
- dst->adm_forced_command = src->adm_forced_command;
- }
- if (src->x11_display_offset != -1)
- dst->x11_display_offset = src->x11_display_offset;
- if (src->x11_forwarding != -1)
- dst->x11_forwarding = src->x11_forwarding;
- if (src->x11_use_localhost != -1)
- dst->x11_use_localhost = src->x11_use_localhost;
+ M_CP_INTOPT(password_authentication);
+ M_CP_INTOPT(gss_authentication);
+ M_CP_INTOPT(rsa_authentication);
+ M_CP_INTOPT(pubkey_authentication);
+ M_CP_INTOPT(kerberos_authentication);
+ M_CP_INTOPT(hostbased_authentication);
+ M_CP_INTOPT(kbd_interactive_authentication);
+
+ M_CP_INTOPT(allow_tcp_forwarding);
+ M_CP_INTOPT(gateway_ports);
+ M_CP_INTOPT(x11_display_offset);
+ M_CP_INTOPT(x11_forwarding);
+ M_CP_INTOPT(x11_use_localhost);
+
+ M_CP_STROPT(banner);
+ if (preauth)
+ return;
+ M_CP_STROPT(adm_forced_command);
}
+#undef M_CP_INTOPT
+#undef M_CP_STROPT
+
void
parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
const char *user, const char *host, const char *address)
if (bad_options > 0)
fatal("%s: terminating, %d bad configuration options",
filename, bad_options);
+
+ /* challenge-response is implemented via keyboard interactive */
+ if (options->challenge_response_authentication == 1)
+ options->kbd_interactive_authentication = 1;
}
-/* $OpenBSD: servconf.h,v 1.79 2006/08/14 12:40:25 dtucker Exp $ */
+/* $OpenBSD: servconf.h,v 1.80 2007/02/19 10:45:58 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
const char *, const char *, const char *);
void parse_server_match_config(ServerOptions *, const char *, const char *,
const char *);
-void copy_set_server_options(ServerOptions *, ServerOptions *);
+void copy_set_server_options(ServerOptions *, ServerOptions *, int);
#endif /* SERVCONF_H */
struct timeval tv, *tvp;
int ret;
int client_alive_scheduled = 0;
+ int program_alive_scheduled = 0;
/*
* if using client_alive, set the max timeout accordingly,
* the client, try to get some more data from the program.
*/
if (packet_not_very_much_data_to_write()) {
+ program_alive_scheduled = child_terminated;
if (!fdout_eof)
FD_SET(fdout, *readsetp);
if (!fderr_eof)
memset(*writesetp, 0, *nallocp);
if (errno != EINTR)
error("select: %.100s", strerror(errno));
- } else if (ret == 0 && client_alive_scheduled)
- client_alive_check();
+ } else {
+ if (ret == 0 && client_alive_scheduled)
+ client_alive_check();
+ if (!compat20 && program_alive_scheduled && fdin_is_tty) {
+ if (!fdout_eof)
+ FD_SET(fdout, *readsetp);
+ if (!fderr_eof)
+ FD_SET(fderr, *readsetp);
+ }
+ }
notify_done(*readsetp);
}
if (!fdout_eof && FD_ISSET(fdout, readset)) {
errno = 0;
len = read(fdout, buf, sizeof(buf));
- if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
+ if (len < 0 && (errno == EINTR ||
+ (errno == EAGAIN && !child_terminated))) {
/* do nothing */
#ifndef PTY_ZEROREAD
} else if (len <= 0) {
if (!fderr_eof && FD_ISSET(fderr, readset)) {
errno = 0;
len = read(fderr, buf, sizeof(buf));
- if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
+ if (len < 0 && (errno == EINTR ||
+ (errno == EAGAIN && !child_terminated))) {
/* do nothing */
#ifndef PTY_ZEROREAD
} else if (len <= 0) {
-/* $OpenBSD: session.c,v 1.220 2006/10/09 23:36:11 djm Exp $ */
+/* $OpenBSD: session.c,v 1.221 2007/01/21 01:41:54 stevesk Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
} else if (strcmp(rtype, "exec") == 0) {
success = session_exec_req(s);
} else if (strcmp(rtype, "pty-req") == 0) {
- success = session_pty_req(s);
+ success = session_pty_req(s);
} else if (strcmp(rtype, "x11-req") == 0) {
success = session_x11_req(s);
} else if (strcmp(rtype, "auth-agent-req@openssh.com") == 0) {
debug3("session_close_single_x11: channel %d", id);
channel_cancel_cleanup(id);
- if ((s = session_by_x11_channel(id)) == NULL)
+ if ((s = session_by_x11_channel(id)) == NULL)
fatal("session_close_single_x11: no x11 channel %d", id);
for (i = 0; s->x11_chanids[i] != -1; i++) {
debug("session_close_single_x11: session %d: "
-/* $OpenBSD: sftp.c,v 1.93 2006/09/30 17:48:22 ray Exp $ */
+/* $OpenBSD: sftp.c,v 1.96 2007/01/03 04:09:15 stevesk Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
*
int interactive_loop(int fd_in, int fd_out, char *file1, char *file2);
+/* ARGSUSED */
static void
killchild(int signo)
{
_exit(1);
}
+/* ARGSUSED */
static void
cmd_interrupt(int signo)
{
path_append(char *p1, char *p2)
{
char *ret;
- int len = strlen(p1) + strlen(p2) + 2;
+ size_t len = strlen(p1) + strlen(p2) + 2;
ret = xmalloc(len);
strlcpy(ret, p1, len);
- if (p1[strlen(p1) - 1] != '/')
+ if (p1[0] != '\0' && p1[strlen(p1) - 1] != '/')
strlcat(ret, "/", len);
strlcat(ret, p2, len);
fprintf(stderr, "Missing username\n");
usage();
}
- addargs(&args, "-l%s",userhost);
+ addargs(&args, "-l%s", userhost);
}
if ((cp = colon(host)) != NULL) {
-/* $OpenBSD: ssh-agent.c,v 1.153 2006/10/06 02:29:19 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.154 2007/02/28 00:55:30 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {
nxt = TAILQ_NEXT(id, next);
if (id->death != 0 && now >= id->death) {
+ debug("expiring key '%s'", id->comment);
TAILQ_REMOVE(&tab->idlist, id, next);
free_identity(id);
tab->nentries--;
u_int msg_len, type;
u_char *cp;
- /* kill dead keys */
- reaper();
-
if (buffer_len(&e->input) < 5)
return; /* Incomplete message. */
cp = buffer_ptr(&e->input);
main(int ac, char **av)
{
int c_flag = 0, d_flag = 0, k_flag = 0, s_flag = 0;
- int sock, fd, ch;
+ int sock, fd, ch, result, saved_errno;
u_int nalloc;
char *shell, *format, *pidstr, *agentsocket = NULL;
fd_set *readsetp = NULL, *writesetp = NULL;
extern char *optarg;
pid_t pid;
char pidstrbuf[1 + 3 * sizeof pid];
+ struct timeval tv;
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
nalloc = 0;
while (1) {
+ tv.tv_sec = 10;
+ tv.tv_usec = 0;
prepare_select(&readsetp, &writesetp, &max_fd, &nalloc);
- if (select(max_fd + 1, readsetp, writesetp, NULL, NULL) < 0) {
- if (errno == EINTR)
+ result = select(max_fd + 1, readsetp, writesetp, NULL, &tv);
+ saved_errno = errno;
+ reaper(); /* remove expired keys */
+ if (result < 0) {
+ if (saved_errno == EINTR)
continue;
- fatal("select: %s", strerror(errno));
- }
- after_select(readsetp, writesetp);
+ fatal("select: %s", strerror(saved_errno));
+ } else if (result > 0)
+ after_select(readsetp, writesetp);
}
/* NOTREACHED */
}
.Os
.Sh NAME
.Nm ssh-rand-helper
-.Nd Random number gatherer for OpenSSH
+.Nd random number gatherer for OpenSSH
.Sh SYNOPSIS
.Nm ssh-rand-hlper
.Op Fl vxXh
Turn on debugging message. Multiple
.Fl v
options will increase the debugging level.
-.Fl h
+.It Fl h
Display a summary of options.
.El
.Sh AUTHORS
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.265 2006/10/28 18:08:10 otto Exp $
+.\" $OpenBSD: ssh.1,v 1.266 2006/12/11 21:25:46 markus Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
.%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol"
.%D 2006
.Re
+.Rs
+.%R RFC 4716
+.%T "The Secure Shell (SSH) Public Key File Format"
+.%D 2006
+.Re
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
-/* $OpenBSD: ssh.c,v 1.294 2006/10/06 02:29:19 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.295 2007/01/03 03:01:40 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
if (!read_config_file(config, host, &options, 0))
fatal("Can't open user config file %.100s: "
"%.100s", config, strerror(errno));
- } else {
+ } else {
/*
* Since the config file parsing code aborts if it sees
* options it doesn't recognize, allow users to put
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.97 2006/07/27 08:00:50 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.98 2007/01/10 13:23:22 jmc Exp $
.Dd September 25, 1999
.Dt SSH_CONFIG 5
.Os
.Nm ssh_config
.Nd OpenSSH SSH client configuration files
.Sh SYNOPSIS
-.Bl -tag -width Ds -compact
-.It Pa ~/.ssh/config
-.It Pa /etc/ssh/ssh_config
-.El
+.Nm ~/.ssh/config
+.Nm /etc/ssh/ssh_config
.Sh DESCRIPTION
.Xr ssh 1
obtains configuration data from the following sources in
-/* $OpenBSD: sshd.c,v 1.348 2006/11/06 21:25:28 markus Exp $ */
+/* $OpenBSD: sshd.c,v 1.349 2007/02/21 11:00:05 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
logit("Received SIGHUP; restarting.");
close_listen_socks();
close_startup_pipes();
+ alarm(0); /* alarm timer persists across exec */
execv(saved_argv[0], saved_argv);
logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
strerror(errno));
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.70 2006/08/21 08:14:01 dtucker Exp $
+.\" $OpenBSD: sshd_config.5,v 1.74 2007/03/01 16:19:33 jmc Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
.Nm sshd_config
.Nd OpenSSH SSH daemon configuration file
.Sh SYNOPSIS
-.Bl -tag -width Ds -compact
-.It Pa /etc/ssh/sshd_config
-.El
+.Nm /etc/ssh/sshd_config
.Sh DESCRIPTION
.Xr sshd 8
reads configuration data from
keyword.
Available keywords are
.Cm AllowTcpForwarding ,
+.Cm Banner ,
.Cm ForceCommand ,
.Cm GatewayPorts ,
+.Cm GSSApiAuthentication ,
+.Cm KbdInteractiveAuthentication ,
+.Cm KerberosAuthentication ,
+.Cm PasswordAuthentication ,
.Cm PermitOpen ,
+.Cm RhostsRSAAuthentication ,
+.Cm RSAAuthentication ,
.Cm X11DisplayOffset ,
.Cm X11Forwarding ,
and
-/* $OpenBSD: version.h,v 1.48 2006/11/07 10:31:31 markus Exp $ */
+/* $OpenBSD: version.h,v 1.49 2007/03/06 10:13:14 djm Exp $ */
#ifdef GSI
#define GSI_VERSION " GSI"
#define MGLUE_VERSION ""
#endif
-#define NCSA_VERSION " NCSA_GSSAPI_20070215"
+#define NCSA_VERSION " NCSA_GSSAPI_20070314"
-#define SSH_VERSION "OpenSSH_4.5"
+#define SSH_VERSION "OpenSSH_4.6"
#define SSH_PORTABLE "p1"
-#define SSH_HPN "-hpn12v14"
+#define SSH_HPN "-hpn12v16"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN \
NCSA_VERSION GSI_VERSION KRB5_VERSION MGLUE_VERSION