20091210
- (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c]
Remove hacks add for RoutingDomain in preparation for its removal.
+ - dtucker@cvs.openbsd.org 2010/01/09 23:04:13
+ [channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h
+ ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c
+ readconf.h scp.1 sftp.1 ssh_config.5 misc.h]
+ Remove RoutingDomain from ssh since it's now not needed. It can be
+ replaced with "route exec" or "nc -V" as a proxycommand. "route exec"
+ also ensures that trafic such as DNS lookups stays withing the specified
+ routingdomain. For example (from reyk):
+ # route -T 2 exec /usr/sbin/sshd
+ or inherited from the parent process
+ $ route -T 2 exec sh
+ $ ssh 10.1.2.3
+ ok deraadt@ markus@ stevesk@ reyk@
20091209
- (dtucker) Wrap use of IPPROTO_IPV6 in an ifdef for platforms that don't
-/* $OpenBSD: channels.c,v 1.299 2009/11/11 21:37:03 markus Exp $ */
+/* $OpenBSD: channels.c,v 1.300 2010/01/09 23:04:13 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
/* AF_UNSPEC or AF_INET or AF_INET6 */
static int IPv4or6 = AF_UNSPEC;
-/* Set the routing domain a.k.a. VRF */
-static int channel_rdomain = -1;
-
/* helper */
static void port_open_helper(Channel *c, char *rtype);
IPv4or6 = af;
}
-void
-channel_set_rdomain(int rdomain)
-{
- channel_rdomain = rdomain;
-}
-
static int
channel_setup_fwd_listener(int type, const char *listen_addr,
u_short listen_port, int *allocated_listen_port,
continue;
}
/* Create a port to listen for the host. */
- sock = socket_rdomain(ai->ai_family, ai->ai_socktype,
- ai->ai_protocol, channel_rdomain);
+ sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
if (sock < 0) {
/* this is no error since kernel may not support ipv6 */
verbose("socket: %.100s", strerror(errno));
error("connect_next: getnameinfo failed");
continue;
}
- if ((sock = socket_rdomain(cctx->ai->ai_family,
- cctx->ai->ai_socktype, cctx->ai->ai_protocol,
- channel_rdomain)) == -1) {
+ if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype,
+ cctx->ai->ai_protocol)) == -1) {
if (cctx->ai->ai_next == NULL)
error("socket: %.100s", strerror(errno));
else
for (ai = aitop; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
continue;
- sock = socket_rdomain(ai->ai_family, ai->ai_socktype,
- ai->ai_protocol, channel_rdomain);
+ sock = socket(ai->ai_family, ai->ai_socktype,
+ ai->ai_protocol);
if (sock < 0) {
if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) {
error("socket: %.100s", strerror(errno));
}
for (ai = aitop; ai; ai = ai->ai_next) {
/* Create a socket. */
- sock = socket_rdomain(ai->ai_family, ai->ai_socktype,
- ai->ai_protocol, channel_rdomain);
+ sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
if (sock < 0) {
debug2("socket: %.100s", strerror(errno));
continue;
-/* $OpenBSD: channels.h,v 1.100 2009/11/11 21:37:03 markus Exp $ */
+/* $OpenBSD: channels.h,v 1.101 2010/01/09 23:04:13 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
/* tcp forwarding */
void channel_set_af(int af);
-void channel_set_rdomain(int);
void channel_permit_all_opens(void);
void channel_add_permitted_opens(char *, int);
int channel_add_adm_permitted_opens(char *, int);
-/* $OpenBSD: misc.c,v 1.74 2009/12/25 19:40:21 stevesk Exp $ */
+/* $OpenBSD: misc.c,v 1.75 2010/01/09 23:04:13 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005,2006 Damien Miller. All rights reserved.
error("setsockopt TCP_NODELAY: %.100s", strerror(errno));
}
-/* open a socket in the specified routing domain */
-int
-socket_rdomain(int domain, int type, int protocol, int rdomain)
-{
- int sock, ipproto = IPPROTO_IP;
-
- if ((sock = socket(domain, type, protocol)) == -1)
- return (-1);
-
- if (rdomain == -1)
- return (sock);
-
- switch (domain) {
- case AF_INET6:
- ipproto = IPPROTO_IPV6;
- /* FALLTHROUGH */
- case AF_INET:
- debug2("socket %d af %d setting rdomain %d",
- sock, domain, rdomain);
- if (setsockopt(sock, ipproto, SO_RDOMAIN, &rdomain,
- sizeof(rdomain)) == -1) {
- debug("setsockopt SO_RDOMAIN: %.100s",
- strerror(errno));
- close(sock);
- return (-1);
- }
- break;
- default:
- debug("socket %d af %d does not support rdomain %d",
- sock, domain, rdomain);
- close(sock);
- return (-1);
- }
-
- return (sock);
-}
-
/* Characters considered whitespace in strsep calls. */
#define WHITESPACE " \t\r\n"
#define QUOTE "\""
return (int)port;
}
-int
-a2rdomain(const char *s)
-{
- long long rdomain;
- const char *errstr;
-
- rdomain = strtonum(s, 0, RT_TABLEID_MAX, &errstr);
- if (errstr != NULL)
- return -1;
- return (int)rdomain;
-}
-
int
a2tun(const char *s, int *remote)
{
-/* $OpenBSD: misc.h,v 1.40 2009/12/25 19:40:21 stevesk Exp $ */
+/* $OpenBSD: misc.h,v 1.41 2010/01/09 23:04:13 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
int unset_nonblock(int);
void set_nodelay(int);
int a2port(const char *);
-int a2rdomain(const char *);
int a2tun(const char *, int *);
char *put_host_port(const char *, u_short);
char *hpdelim(char **);
int tun_open(int, int);
-int socket_rdomain(int, int, int, int);
-
/* Common definitions for ssh tunnel device forwarding */
#define SSH_TUNMODE_NO 0x00
#define SSH_TUNMODE_POINTOPOINT 0x01
-/* $OpenBSD: readconf.c,v 1.181 2009/12/29 16:38:41 stevesk Exp $ */
+/* $OpenBSD: readconf.c,v 1.182 2010/01/09 23:04:13 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
- oVisualHostKey, oUseRoaming, oRDomain,
- oZeroKnowledgePasswordAuthentication, oDeprecated, oUnsupported
+ oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
+ oDeprecated, oUnsupported
} OpCodes;
/* Textual representations of the tokens. */
{ "permitlocalcommand", oPermitLocalCommand },
{ "visualhostkey", oVisualHostKey },
{ "useroaming", oUseRoaming },
- { "routingdomain", oRDomain },
#ifdef JPAKE
{ "zeroknowledgepasswordauthentication",
oZeroKnowledgePasswordAuthentication },
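Review bot: The `routingdomain` entry is dropped from the keywords table outright rather than remapped to `oDeprecated`, so a client config that still carries `RoutingDomain` from the interim release is presumably rejected as an unknown option instead of being skipped with the debug message the `oDeprecated` case at `case oDeprecated:` emits; the servconf.c table makes the same choice for the former `sRDomain` entry. Because the option decided which routing domain the sockets were bound into, failing loudly looks like the safer outcome — silently falling back to the system default would change which network a listener or outbound connection lands in with no notice — but the decision is not recorded anywhere in the hunk. A short comment near the table, e.g. `/* RoutingDomain is deliberately not mapped to oDeprecated: a config that relied on it should be rejected rather than silently use the default domain */`, would keep a later cleanup from adding a deprecated mapping. The enclosing keywords[] table starts and ends outside the hunk, so I cannot see whether an unknown keyword is fatal here; please confirm.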
intptr = &options->use_roaming;
goto parse_flag;
- case oRDomain:
- arg = strdelim(&s);
- if (!arg || *arg == '\0')
- fatal("%.200s line %d: Missing argument.",
- filename, linenum);
- value = a2rdomain(arg);
- if (value == -1)
- fatal("%.200s line %d: Bad rdomain.",
- filename, linenum);
- if (*activep)
- options->rdomain = value;
- break;
-
case oDeprecated:
debug("%s line %d: Deprecated option \"%s\"",
filename, linenum, keyword);
options->local_command = NULL;
options->permit_local_command = -1;
options->use_roaming = -1;
- options->rdomain = -1;
options->visual_host_key = -1;
options->zero_knowledge_password_authentication = -1;
}
/* options->hostname will be set in the main program if appropriate */
/* options->host_key_alias should not be set by default */
/* options->preferred_authentications will be set in ssh */
- /* options->rdomain should not be set by default */
}
/*
-/* $OpenBSD: readconf.h,v 1.80 2009/10/28 16:38:18 reyk Exp $ */
+/* $OpenBSD: readconf.h,v 1.81 2010/01/09 23:04:13 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
int use_roaming;
- int rdomain; /* routing domain a.k.a. VRF */
-
} Options;
#define SSHCTL_MASTER_NO 0
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
-.\" $OpenBSD: scp.1,v 1.48 2009/12/29 16:38:41 stevesk Exp $
+.\" $OpenBSD: scp.1,v 1.49 2010/01/09 23:04:13 dtucker Exp $
.\"
.Dd $Mdocdate$
.Dt SCP 1
.It PubkeyAuthentication
.It RekeyLimit
.It RhostsRSAAuthentication
-.It RoutingDomain
.It RSAAuthentication
.It SendEnv
.It ServerAliveInterval
-/* $OpenBSD: servconf.c,v 1.199 2009/12/29 16:38:41 stevesk Exp $ */
+/* $OpenBSD: servconf.c,v 1.200 2010/01/09 23:04:13 dtucker Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
options->zero_knowledge_password_authentication = -1;
- options->rdomain = -1;
}
void
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
- sUsePrivilegeSeparation, sAllowAgentForwarding, sRDomain,
+ sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication,
sDeprecated, sUnsupported
} ServerOpCodes;
{ "match", sMatch, SSHCFG_ALL },
{ "permitopen", sPermitOpen, SSHCFG_ALL },
{ "forcecommand", sForceCommand, SSHCFG_ALL },
- { "routingdomain", sRDomain, SSHCFG_GLOBAL },
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};
*charptr = xstrdup(arg);
break;
- case sRDomain:
- intptr = &options->rdomain;
- arg = strdelim(&cp);
- if (!arg || *arg == '\0')
- fatal("%s line %d: missing rdomain value.",
- filename, linenum);
- if ((value = a2rdomain(arg)) == -1)
- fatal("%s line %d: invalid rdomain value.",
- filename, linenum);
- if (*intptr == -1)
- *intptr = value;
- break;
-
case sDeprecated:
logit("%s line %d: Deprecated option %s",
filename, linenum, arg);
dump_cfg_int(sMaxSessions, o->max_sessions);
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
- dump_cfg_int(sRDomain, o->rdomain);
/* formatted integer arguments */
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
-/* $OpenBSD: servconf.h,v 1.88 2009/10/28 16:38:18 reyk Exp $ */
+/* $OpenBSD: servconf.h,v 1.89 2010/01/09 23:04:13 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
int num_permitted_opens;
- int rdomain;
-
char *chroot_directory;
} ServerOptions;
-.\" $OpenBSD: sftp.1,v 1.79 2009/12/29 16:38:41 stevesk Exp $
+.\" $OpenBSD: sftp.1,v 1.80 2010/01/09 23:04:13 dtucker Exp $
.\"
.\" Copyright (c) 2001 Damien Miller. All rights reserved.
.\"
.It PubkeyAuthentication
.It RekeyLimit
.It RhostsRSAAuthentication
-.It RoutingDomain
.It RSAAuthentication
.It SendEnv
.It ServerAliveInterval
-.\" $OpenBSD: ssh-keyscan.1,v 1.27 2009/10/28 16:38:18 reyk Exp $
+.\" $OpenBSD: ssh-keyscan.1,v 1.28 2010/01/09 23:04:13 dtucker Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
.Op Fl p Ar port
.Op Fl T Ar timeout
.Op Fl t Ar type
-.Op Fl V Ar rdomain
.Op Ar host | addrlist namelist
.Ar ...
.Ek
Multiple values may be specified by separating them with commas.
The default is
.Dq rsa .
-.It Fl V Ar rdomain
-Set the routing domain.
.It Fl v
Verbose mode.
Causes
-/* $OpenBSD: ssh-keyscan.c,v 1.80 2009/12/25 19:40:21 stevesk Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.81 2010/01/09 23:04:13 dtucker Exp $ */
/*
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
*
int maxfd;
#define MAXCON (maxfd - 10)
-/* The default routing domain */
-int scan_rdomain = -1;
-
extern char *__progname;
fd_set *read_wait;
size_t read_wait_nfdset;
if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
fatal("getaddrinfo %s: %s", host, ssh_gai_strerror(gaierr));
for (ai = aitop; ai; ai = ai->ai_next) {
- s = socket_rdomain(ai->ai_family, ai->ai_socktype,
- ai->ai_protocol, scan_rdomain);
+ s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
if (s < 0) {
error("socket: %s", strerror(errno));
continue;
{
fprintf(stderr,
"usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]\n"
- "\t\t [-V rdomain] [host | addrlist namelist] ...\n",
+ "\t\t [host | addrlist namelist] ...\n",
__progname);
exit(1);
}
if (argc <= 1)
usage();
- while ((opt = getopt(argc, argv, "Hv46p:T:t:f:V:")) != -1) {
+ while ((opt = getopt(argc, argv, "Hv46p:T:t:f:")) != -1) {
switch (opt) {
case 'H':
hash_hosts = 1;
case '6':
IPv4or6 = AF_INET6;
break;
- case 'V':
- scan_rdomain = a2rdomain(optarg);
- if (scan_rdomain == -1) {
- fprintf(stderr, "Bad rdomain '%s'\n", optarg);
- exit(1);
- }
- break;
case '?':
default:
usage();
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.288 2009/12/29 16:38:41 stevesk Exp $
+.\" $OpenBSD: ssh.1,v 1.289 2010/01/09 23:04:13 dtucker Exp $
.Dd $Mdocdate$
.Dt SSH 1
.Os
.It RekeyLimit
.It RemoteForward
.It RhostsRSAAuthentication
-.It RoutingDomain
.It RSAAuthentication
.It SendEnv
.It ServerAliveInterval
-/* $OpenBSD: ssh.c,v 1.329 2009/12/20 07:28:36 guenther Exp $ */
+/* $OpenBSD: ssh.c,v 1.330 2010/01/09 23:04:13 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
fill_default_options(&options);
channel_set_af(options.address_family);
- channel_set_rdomain(options.rdomain);
/* reinit */
log_init(argv0, options.log_level, SYSLOG_FACILITY_USER, !use_syslog);
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.125 2009/12/29 18:03:32 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.126 2010/01/09 23:04:13 dtucker Exp $
.Dd $Mdocdate$
.Dt SSH_CONFIG 5
.Os
This option applies to protocol version 1 only and requires
.Xr ssh 1
to be setuid root.
-.It Cm RoutingDomain
-Set the routing domain number.
-The default routing domain is set by the system.
.It Cm RSAAuthentication
Specifies whether to try RSA authentication.
The argument to this keyword must be
-/* $OpenBSD: sshconnect.c,v 1.216 2009/11/10 04:30:45 dtucker Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.217 2010/01/09 23:04:13 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
debug("Allocated local port %d.", p);
return sock;
}
- sock = socket_rdomain(ai->ai_family, ai->ai_socktype, ai->ai_protocol,
- options.rdomain);
+ sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
if (sock < 0) {
error("socket: %.100s", strerror(errno));
return -1;
-/* $OpenBSD: sshd.c,v 1.369 2010/01/09 11:17:56 dtucker Exp $ */
+/* $OpenBSD: sshd.c,v 1.370 2010/01/09 23:04:13 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
continue;
}
/* Create socket for listening. */
- listen_sock = socket_rdomain(ai->ai_family, ai->ai_socktype,
- ai->ai_protocol, options.rdomain);
+ listen_sock = socket(ai->ai_family, ai->ai_socktype,
+ ai->ai_protocol);
if (listen_sock < 0) {
/* kernel may not support ipv6 */
verbose("socket: %.100s", strerror(errno));
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
- /* set default channel AF and routing domain */
+ /* set default channel AF */
channel_set_af(options.address_family);
- channel_set_rdomain(options.rdomain);
/* Check that there are no remaining arguments. */
if (optind < ac) {
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.115 2009/12/29 18:03:32 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.116 2010/01/09 23:04:13 dtucker Exp $
.Dd $Mdocdate$
.Dt SSHD_CONFIG 5
.Os
The default is
.Dq no .
This option applies to protocol version 1 only.
-.It Cm RoutingDomain
-Set the routing domain number.
-The default routing domain is set by the system.
.It Cm RSAAuthentication
Specifies whether pure RSA authentication is allowed.
The default is