+20001203
+- (bal) OpenBSD CVS updates:
+ - markus@cvs.openbsd.org 2000/11/30 22:54:31
+ [channels.c]
+ debug->warn if tried to do -R style fwd w/o client requesting this;
+ ok neils@
+ - markus@cvs.openbsd.org 2000/11/29 20:39:17
+ [cipher.c]
+ des_cbc_encrypt -> des_ncbc_encrypt since it already updates the IV
+ - markus@cvs.openbsd.org 2000/11/30 18:33:05
+ [ssh-agent.c]
+ agents must not dump core, ok niels@
+ - markus@cvs.openbsd.org 2000/11/30 07:04:02
+ [ssh.1]
+ T is for both protocols
+ - markus@cvs.openbsd.org 2000/12/01 00:00:51
+ [ssh.1]
+ typo; from green@FreeBSD.org
+ - markus@cvs.openbsd.org 2000/11/30 07:02:35
+ [ssh.c]
+ check -T before isatty()
+ - provos@cvs.openbsd.org 2000/11/29 13:51:27
+ [sshconnect.c]
+ show IP address and hostname when new key is encountered. okay markus@
+ - markus@cvs.openbsd.org 2000/11/30 22:53:35
+ [sshconnect.c]
+ disable agent/x11/port fwding if hostkey has changed; ok niels@
+ - marksu@cvs.openbsd.org 2000/11/29 21:11:59
+ [sshd.c]
+ sshd -D, startup w/o deamon(), for monitoring scripts or inittab;
+ from handler@sub-rosa.com and eric@urbanrange.com; ok niels@
+
20001202
- (bal) Backed out of part of Alain St-Denis' loginrec.c patch.
- (bal) Irix need some sort of mansubdir, patch by Michael Stone
- Replacement for setproctitle() - HP/UX support only currently
- Improve PAM support (a pam_lastlog module will cause sshd to exit)
+ and maybe support alternate forms of authenications like OPIE via
+ pam?
- Complete Tru64 SIA support
*/
#include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.73 2000/11/06 23:04:55 markus Exp $");
+RCSID("$OpenBSD: channels.c,v 1.74 2000/11/30 22:54:31 markus Exp $");
#include "ssh.h"
#include "packet.h"
return channel_connect_to(
permitted_opens[i].host_to_connect,
permitted_opens[i].port_to_connect);
- debug("channel_connect_by_listen_adress: unknown listen_port %d", listen_port);
+ error("WARNING: Server requests forwarding for unknown listen_port %d",
+ listen_port);
return -1;
}
*/
#include "includes.h"
-RCSID("$OpenBSD: cipher.c,v 1.37 2000/10/23 19:31:54 markus Exp $");
+RCSID("$OpenBSD: cipher.c,v 1.38 2000/11/29 20:39:17 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
memcpy(&iv1, iv2, 8);
- des_cbc_encrypt(src, dest, len, cc->u.des3.key1, &iv1, DES_ENCRYPT);
- memcpy(&iv1, dest + len - 8, 8);
-
- des_cbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_DECRYPT);
- memcpy(iv2, &iv1, 8); /* Note how iv1 == iv2 on entry and exit. */
-
- des_cbc_encrypt(dest, dest, len, cc->u.des3.key3, iv3, DES_ENCRYPT);
- memcpy(iv3, dest + len - 8, 8);
+ des_ncbc_encrypt(src, dest, len, cc->u.des3.key1, &iv1, DES_ENCRYPT);
+ des_ncbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_DECRYPT);
+ des_ncbc_encrypt(dest, dest, len, cc->u.des3.key3, iv3, DES_ENCRYPT);
}
void
des3_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src,
memcpy(&iv1, iv2, 8);
- des_cbc_encrypt(src, dest, len, cc->u.des3.key3, iv3, DES_DECRYPT);
- memcpy(iv3, src + len - 8, 8);
-
- des_cbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_ENCRYPT);
- memcpy(iv2, dest + len - 8, 8);
-
- des_cbc_encrypt(dest, dest, len, cc->u.des3.key1, &iv1, DES_DECRYPT);
- /* memcpy(&iv1, iv2, 8); */
- /* Note how iv1 == iv2 on entry and exit. */
+ des_ncbc_encrypt(src, dest, len, cc->u.des3.key3, iv3, DES_DECRYPT);
+ des_ncbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_ENCRYPT);
+ des_ncbc_encrypt(dest, dest, len, cc->u.des3.key1, &iv1, DES_DECRYPT);
}
/* Blowfish */
-/* $OpenBSD: ssh-agent.c,v 1.40 2000/11/14 23:48:55 markus Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.41 2000/11/30 18:33:05 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.40 2000/11/14 23:48:55 markus Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.41 2000/11/30 18:33:05 markus Exp $");
#include "ssh.h"
#include "rsa.h"
fd_set readset, writeset;
int sock, c_flag = 0, k_flag = 0, s_flag = 0, ch;
struct sockaddr_un sunaddr;
+ struct rlimit rlim;
pid_t pid;
char *shell, *format, *pidstr, pidstrbuf[1 + 3 * sizeof pid];
extern int optind;
close(1);
close(2);
+ /* deny core dumps, since memory contains unencrypted private keys */
+ rlim.rlim_cur = rlim.rlim_max = 0;
+ if (setrlimit(RLIMIT_CORE, &rlim) < 0) {
+ perror("setrlimit rlimit_core failed");
+ cleanup_exit(1);
+ }
if (setsid() == -1) {
perror("setsid");
cleanup_exit(1);
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.68 2000/11/12 19:50:38 markus Exp $
+.\" $OpenBSD: ssh.1,v 1.70 2000/12/01 00:00:51 markus Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
option.)
.It Fl N
Do not execute a remote command.
-This is usefull if you just want to forward ports
+This is useful if you just want to forward ports
(protocol version 2 only).
.It Fl o Ar option
Can be used to give options in the format used in the config file.
screen-based programs on a remote machine, which can be very useful,
e.g., when implementing menu services.
.It Fl T
-Disable pseudo-tty allocation (protocol version 2 only).
+Disable pseudo-tty allocation.
.It Fl v
Verbose mode.
Causes
.Bl -bullet
.It
has all components of a restrictive nature (i.e., patents, see
-.Xr crypto 3 )
+.Xr ssl 8 )
directly removed from the source code; any licensed or patented components
are chosen from
external libraries.
.Xr ssh-keygen 1 ,
.Xr telnet 1 ,
.Xr sshd 8 ,
-.Xr crypto 3
+.Xr ssl 8
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.74 2000/11/23 21:03:47 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.75 2000/11/30 07:02:35 markus Exp $");
#include <openssl/evp.h>
#include <openssl/dsa.h>
if (buffer_len(&command) == 0)
tty_flag = 1;
+ /* Force no tty*/
+ if (no_tty_flag)
+ tty_flag = 0;
/* Do not allocate a tty if stdin is not a tty. */
if (!isatty(fileno(stdin))) {
if (tty_flag)
fprintf(stderr, "Pseudo-terminal will not be allocated because stdin is not a terminal.\n");
tty_flag = 0;
}
- /* force */
- if (no_tty_flag)
- tty_flag = 0;
/* Get user data. */
pw = getpwuid(original_real_uid);
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.81 2000/11/06 23:16:35 markus Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.83 2000/11/30 22:53:35 markus Exp $");
#include <openssl/bn.h>
#include <openssl/dsa.h>
if (options.proxy_command != NULL && options.check_host_ip)
options.check_host_ip = 0;
- if (options.check_host_ip) {
- if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop),
- NULL, 0, NI_NUMERICHOST) != 0)
- fatal("check_host_key: getnameinfo failed");
- ip = xstrdup(ntop);
- }
-
+ if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop),
+ NULL, 0, NI_NUMERICHOST) != 0)
+ fatal("check_host_key: getnameinfo failed");
+ ip = xstrdup(ntop);
+
/*
* Store the host key from the known host file in here so that we can
* compare it with the key for the IP address.
char prompt[1024];
char *fp = key_fingerprint(host_key);
snprintf(prompt, sizeof(prompt),
- "The authenticity of host '%.200s' can't be established.\n"
+ "The authenticity of host '%.200s (%s)' can't be established.\n"
"%s key fingerprint is %s.\n"
"Are you sure you want to continue connecting (yes/no)? ",
- host, type, fp);
+ host, ip, type, fp);
if (!read_yes_or_no(prompt, -1))
fatal("Aborted by user!\n");
}
error("Agent forwarding is disabled to avoid trojan horses.");
options.forward_agent = 0;
}
+ if (options.forward_x11) {
+ error("X11 forwarding is disabled to avoid trojan horses.");
+ options.forward_x11 = 0;
+ }
+ if (options.num_local_forwards > 0 || options.num_remote_forwards > 0) {
+ error("Port forwarding is disabled to avoid trojan horses.");
+ options.num_local_forwards = options.num_remote_forwards = 0;
+ }
/*
* XXX Should permit the user to change to use the new id.
* This could be done by converting the host key to an
*/
break;
}
- if (options.check_host_ip)
- xfree(ip);
+
+ xfree(ip);
}
/*
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.134 2000/11/12 19:50:38 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.135 2000/11/29 21:11:59 markus Exp $");
#include "xmalloc.h"
#include "rsa.h"
/* Flag indicating that the daemon is being started from inetd. */
int inetd_flag = 0;
+/* Flag indicating that sshd should not detach and become a daemon. */
+int no_daemon_flag = 0;
+
/* debug goes to stderr unless inetd_flag is set */
int log_stderr = 0;
initialize_server_options(&options);
/* Parse command-line arguments. */
- while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:u:diqQ46")) != EOF) {
+ while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:u:dDiqQ46")) != EOF) {
switch (opt) {
case '4':
IPv4or6 = AF_INET;
exit(1);
}
break;
+ case 'D':
+ no_daemon_flag = 1;
+ break;
case 'i':
inetd_flag = 1;
break;
* from the controlling terminal, and fork. The original process
* exits.
*/
- if (!debug_flag && !inetd_flag) {
+ if (!(debug_flag || inetd_flag || no_daemon_flag)) {
#ifdef TIOCNOTTY
int fd;
#endif /* TIOCNOTTY */