- djm@cvs.openbsd.org 2004/06/17 14:52:48
[clientloop.c clientloop.h ssh.c]
support environment passing over shared connections; ok markus@
+ - djm@cvs.openbsd.org 2004/06/17 15:10:14
+ [clientloop.c misc.h readconf.c readpass.c ssh.c ssh_config.5]
+ Add option for confirmation (ControlMaster=ask) via ssh-askpass before
+ opening shared connections; ok markus@
20040617
- (dtucker) [regress/scp.sh] diff -N is not portable (but needed for some
*/
#include "includes.h"
-RCSID("$OpenBSD: clientloop.c,v 1.126 2004/06/17 14:52:48 djm Exp $");
+RCSID("$OpenBSD: clientloop.c,v 1.127 2004/06/17 15:10:13 djm Exp $");
#include "ssh.h"
#include "ssh1.h"
client_session2_setup(id, cctx->want_tty, cctx->want_subsys,
cctx->term, &cctx->tio, c->rfd, &cctx->cmd, cctx->env,
client_subsystem_reply);
-
+
c->confirm_ctx = NULL;
buffer_free(&cctx->cmd);
xfree(cctx->term);
{
Buffer m;
Channel *c;
- int client_fd, new_fd[3], ver, i;
+ int client_fd, new_fd[3], ver, i, allowed;
socklen_t addrlen;
struct sockaddr_storage addr;
struct confirm_ctx *cctx;
close(client_fd);
return;
}
- /* XXX: implement use of ssh-askpass to confirm additional channels */
+
+ allowed = 1;
+ if (options.control_master == 2) {
+ char *p, prompt[1024];
+
+ allowed = 0;
+ snprintf(prompt, sizeof(prompt),
+ "Allow shared connection to %s? ", host);
+ p = read_passphrase(prompt, RP_USE_ASKPASS|RP_ALLOW_EOF);
+ if (p != NULL) {
+ /*
+ * Accept empty responses and responses consisting
+ * of the word "yes" as affirmative.
+ */
+ if (*p == '\0' || *p == '\n' ||
+ strcasecmp(p, "yes") == 0)
+ allowed = 1;
+ xfree(p);
+ }
+ }
unset_nonblock(client_fd);
buffer_init(&m);
+ buffer_put_int(&m, allowed);
buffer_put_int(&m, getpid());
if (ssh_msg_send(client_fd, /* version */0, &m) == -1) {
error("%s: client msg_send failed", __func__);
close(client_fd);
+ buffer_free(&m);
return;
}
buffer_clear(&m);
+ if (!allowed) {
+ error("Refused control connection");
+ close(client_fd);
+ buffer_free(&m);
+ return;
+ }
+
if (ssh_msg_recv(client_fd, &m) == -1) {
error("%s: client msg_recv failed", __func__);
close(client_fd);
+ buffer_free(&m);
return;
}
close(new_fd[0]);
close(new_fd[1]);
close(new_fd[2]);
+ buffer_free(&m);
return;
}
buffer_free(&m);
-/* $OpenBSD: misc.h,v 1.15 2004/06/14 01:44:39 djm Exp $ */
+/* $OpenBSD: misc.h,v 1.16 2004/06/17 15:10:14 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
#define RP_ECHO 0x0001
#define RP_ALLOW_STDIN 0x0002
#define RP_ALLOW_EOF 0x0004
+#define RP_USE_ASKPASS 0x0008
char *read_passphrase(const char *, int);
*/
#include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.132 2004/06/13 15:03:02 djm Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.133 2004/06/17 15:10:14 djm Exp $");
#include "ssh.h"
#include "xmalloc.h"
case oControlMaster:
intptr = &options->control_master;
- goto parse_flag;
+ goto parse_yesnoask;
case oDeprecated:
debug("%s line %d: Deprecated option \"%s\"",
*/
#include "includes.h"
-RCSID("$OpenBSD: readpass.c,v 1.29 2004/05/08 00:21:31 djm Exp $");
+RCSID("$OpenBSD: readpass.c,v 1.30 2004/06/17 15:10:14 djm Exp $");
#include "xmalloc.h"
#include "misc.h"
int rppflags, use_askpass = 0, ttyfd;
rppflags = (flags & RP_ECHO) ? RPP_ECHO_ON : RPP_ECHO_OFF;
- if (flags & RP_ALLOW_STDIN) {
+ if (flags & RP_USE_ASKPASS)
+ use_askpass = 1;
+ else if (flags & RP_ALLOW_STDIN) {
if (!isatty(STDIN_FILENO))
use_askpass = 1;
} else {
use_askpass = 1;
}
+ if ((flags & RP_USE_ASKPASS) && getenv("DISPLAY") == NULL)
+ return (flags & RP_ALLOW_EOF) ? NULL : xstrdup("");
+
if (use_askpass && getenv("DISPLAY")) {
if (getenv(SSH_ASKPASS_ENV))
askpass = getenv(SSH_ASKPASS_ENV);
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.215 2004/06/17 14:52:48 djm Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.216 2004/06/17 15:10:14 djm Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
mode_t old_umask;
int addr_len;
- if (options.control_path == NULL || options.control_master != 1)
+ if (options.control_path == NULL || options.control_master <= 0)
return;
memset(&addr, '\0', sizeof(addr));
fatal("%s: msg_recv", __func__);
if (buffer_get_char(&m) != 0)
fatal("%s: wrong version", __func__);
+ /* Connection allowed? */
+ if (buffer_get_int(&m) != 1)
+ fatal("Connection to master denied");
control_server_pid = buffer_get_int(&m);
buffer_clear(&m);
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.36 2004/06/13 15:03:02 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.37 2004/06/17 15:10:14 djm Exp $
.Dd September 25, 1999
.Dt SSH_CONFIG 5
.Os
(the default.)
These sessions will reuse the master instance's network connection rather
than initiating new ones.
+Setting this to
+.Dq ask
+will cause
+.Nm ssh
+to listen for control connections, but require confirmation using the
+.Ev SSH_ASKPASS
+program before they are accepted (see
+.Xr ssh-add 1
+for details)
.It Cm ControlPath
Specify a the path to the control socket used for connection sharing.
See
andersk / openssh.git / commitdiff
