- (djm) Sync with OpenBSD:
authordjm <djm>
Mon, 16 Oct 2000 01:14:42 +0000 (01:14 +0000)
committerdjm <djm>
Mon, 16 Oct 2000 01:14:42 +0000 (01:14 +0000)
   - markus@cvs.openbsd.org  2000/10/14 04:01:15
     [cipher.c]
     debug3
   - markus@cvs.openbsd.org  2000/10/14 04:07:23
     [scp.c]
     remove spaces from arguments; from djm@mindrot.org
   - markus@cvs.openbsd.org  2000/10/14 06:09:46
     [ssh.1]
     Cipher is for SSH-1 only
   - markus@cvs.openbsd.org  2000/10/14 06:12:09
     [servconf.c servconf.h serverloop.c session.c sshd.8]
     AllowTcpForwarding; from naddy@
   - markus@cvs.openbsd.org  2000/10/14 06:16:56
     [auth2.c compat.c compat.h sshconnect2.c version.h]
     OpenSSH_2.3; note that it is not complete, but the version number
     needs to be changed for interoperability reasons
   - markus@cvs.openbsd.org  2000/10/14 06:19:45
     [auth-rsa.c]
     do not send RSA challenge if key is not allowed by key-options; from
     eivind@ThinkSec.com
   - markus@cvs.openbsd.org  2000/10/15 08:14:01
     [rijndael.c session.c]
     typos; from stevesk@sweden.hp.com
   - markus@cvs.openbsd.org  2000/10/15 08:18:31
     [rijndael.c]
     typo
 - Copy manpages back over from OpenBSD - too tedious to wade through diffs

16 files changed:
ChangeLog
auth-rsa.c
auth2.c
cipher.c
compat.c
compat.h
scp.c
servconf.c
servconf.h
serverloop.c
session.c
sftp-server.8
ssh.1
sshconnect2.c
sshd.8
version.h

index 552bcfcafd8c4aea94b996bbf46f57dcc37cc171..74eee27b9ba0d6ba5562874e71d5a84861ad4a75 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,32 @@
+20001016
+ - (djm) Sync with OpenBSD:
+   - markus@cvs.openbsd.org  2000/10/14 04:01:15
+     [cipher.c]
+     debug3
+   - markus@cvs.openbsd.org  2000/10/14 04:07:23
+     [scp.c]
+     remove spaces from arguments; from djm@mindrot.org
+   - markus@cvs.openbsd.org  2000/10/14 06:09:46
+     [ssh.1]
+     Cipher is for SSH-1 only
+   - markus@cvs.openbsd.org  2000/10/14 06:12:09
+     [servconf.c servconf.h serverloop.c session.c sshd.8]
+     AllowTcpForwarding; from naddy@
+   - markus@cvs.openbsd.org  2000/10/14 06:16:56
+     [auth2.c compat.c compat.h sshconnect2.c version.h]
+     OpenSSH_2.3; note that is is not complete, but the version number 
+     needs to be changed for interoperability reasons
+   - markus@cvs.openbsd.org  2000/10/14 06:19:45
+     [auth-rsa.c]
+     do not send RSA challenge if key is not allowed by key-options; from
+     eivind@ThinkSec.com
+   - markus@cvs.openbsd.org  2000/10/15 08:14:01
+     [rijndael.c session.c]
+     typos; from stevesk@sweden.hp.com
+   - markus@cvs.openbsd.org  2000/10/15 08:18:31
+     [rijndael.c]
+     typo
+
 20001015
  - (djm) Fix ssh2 hang on background processes at logout.
 
index 522f01f84cb982d9267be7263ac088d68e573341..e8bfa16510c3f3f7e1919613ce75e77acb82de6d 100644 (file)
@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-rsa.c,v 1.31 2000/10/11 19:59:52 markus Exp $");
+RCSID("$OpenBSD: auth-rsa.c,v 1.32 2000/10/14 12:19:45 markus Exp $");
 
 #include "rsa.h"
 #include "packet.h"
@@ -231,6 +231,12 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
                        }
                } else
                        options = NULL;
+               /*
+                * If our options do not allow this key to be used,
+                * do not send challenge.
+                */
+               if (!auth_parse_options(pw, options, linenum))
+                       continue;
 
                /* Parse the key from the line. */
                if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) {
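Review bot: auth_parse_options() is now called for every authorized_keys line that carries options, before the key on that line has even been read (the read follows the new `continue`) and presumably before it is compared with client_n further down the loop, so the options of non-matching lines are evaluated too. If auth_parse_options records what it parses in global state — the no_port_forwarding_flag consulted in session.c and serverloop.c looks like such a flag — a `no-port-forwarding` line preceding the matching key would leave that restriction set for a key that does not carry it, unless the flags are cleared at the top of each iteration, which this hunk does not show. Moving the call to after the key has been read and matched against client_n keeps the "no challenge for a disallowed key" property while evaluating only the matching key's options. auth_rsa's loop begins before this hunk and ends in the next one.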
@@ -269,9 +275,8 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
                 * Break out of the loop if authentication was successful;
                 * otherwise continue searching.
                 */
-               authenticated = auth_parse_options(pw, options, linenum);
-               if (authenticated)
-                       break;
+               authenticated = 1;
+               break;
        }
 
        /* Restore the privileged uid. */
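Review bot: The comment kept at the top of this hunk ("Break out of the loop if authentication was successful; otherwise continue searching") no longer describes the code: the option check that could fail has moved earlier in the loop, so this point now unconditionally sets `authenticated = 1` and breaks. Replacing it with something like `/* Options were checked above; reaching here means the key is accepted. */` keeps the comment in step with the control flow. The enclosing loop and auth_rsa start outside this hunk.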
diff --git a/auth2.c b/auth2.c
index f34b586d4c5f1048a78d6ebe3ea3f0d732d5cf6e..60f8f98e62ba0688cceebd3128fcb96e31ee2caa 100644 (file)
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.19 2000/10/11 20:27:23 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $");
 
 #ifdef HAVE_OSF_SIA
 # include <sia.h>
@@ -442,10 +442,10 @@ userauth_pubkey(Authctxt *authctxt)
                        sig = packet_get_string(&slen);
                        packet_done();
                        buffer_init(&b);
-                       if (datafellows & SSH_COMPAT_SESSIONID_ENCODING) {
-                               buffer_put_string(&b, session_id2, session_id2_len);
-                       } else {
+                       if (datafellows & SSH_OLD_SESSIONID) {
                                buffer_append(&b, session_id2, session_id2_len);
+                       } else {
+                               buffer_put_string(&b, session_id2, session_id2_len);
                        }
                        /* reconstruct packet */
                        buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
index 226e4256a7a817f0612066fd6d8e079375adf808..b9c1b28abf88991527186d4d990161e30ed61885 100644 (file)
--- a/cipher.c
+++ b/cipher.c
@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: cipher.c,v 1.35 2000/10/13 18:59:13 markus Exp $");
+RCSID("$OpenBSD: cipher.c,v 1.36 2000/10/14 10:01:15 markus Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -488,10 +488,10 @@ ciphers_valid(const char *names)
                        xfree(ciphers);
                        return 0;
                } else {
-                       debug("cipher ok: %s [%s]", p, names);
+                       debug3("cipher ok: %s [%s]", p, names);
                }
        }
-       debug("ciphers ok: [%s]", names);
+       debug3("ciphers ok: [%s]", names);
        xfree(ciphers);
        return 1;
 }
index 71d12010c15aab5f4657dbecb5f7943ef58be5b5..0e12b77c6300c423b0ae8b6c0870a67e188815fd 100644 (file)
--- a/compat.c
+++ b/compat.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: compat.c,v 1.24 2000/10/10 20:20:45 markus Exp $");
+RCSID("$OpenBSD: compat.c,v 1.25 2000/10/14 12:16:56 markus Exp $");
 
 #include "ssh.h"
 #include "packet.h"
@@ -62,13 +62,18 @@ compat_datafellows(const char *version)
                char    *pat;
                int     bugs;
        } check[] = {
-               {"^.*MindTerm",         0},
-               {"^2\\.1\\.0 ",         SSH_BUG_SIGBLOB|SSH_BUG_HMAC},
-               {"^2\\.0\\.",           SSH_BUG_SIGBLOB|SSH_BUG_HMAC|SSH_BUG_PUBKEYAUTH|SSH_BUG_X11FWD},
-               {"^2\\.[23]\\.0 ",      SSH_BUG_HMAC|SSH_COMPAT_SESSIONID_ENCODING},
-               {"^2\\.[2-9]\\.",       SSH_COMPAT_SESSIONID_ENCODING},
-               {"^2\\.",               SSH_BUG_HMAC|SSH_COMPAT_SESSIONID_ENCODING},
-               {NULL,                  0}
+               { "^OpenSSH-2\\.[01]",  SSH_OLD_SESSIONID },
+               { "^OpenSSH_2\\.2",     SSH_OLD_SESSIONID },
+               { "MindTerm",           0 },
+               { "^2\\.1\\.0 ",        SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+                                       SSH_OLD_SESSIONID },
+               { "^2\\.0\\.",          SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+                                       SSH_OLD_SESSIONID|
+                                       SSH_BUG_PUBKEYAUTH|SSH_BUG_X11FWD },
+               { "^2\\.[23]\\.0 ",     SSH_BUG_HMAC},
+               { "^2\\.[2-9]\\.",      0 },
+               { "^2\\.",              SSH_BUG_HMAC},          /* XXX fallback */
+               { NULL,                 0 }
        };
        /* process table, return first match */
        for (i = 0; check[i].pat; i++) {
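Review bot: The two OpenSSH patterns use different separators, `^OpenSSH-2\.[01]` and `^OpenSSH_2\.2`, so a peer announcing itself as `OpenSSH_2.1.x` (underscore form) would match neither, nor the `^2\.` fallback since it does not start with a digit, and would therefore get the new session-id encoding rather than SSH_OLD_SESSIONID; worth confirming against the version strings those releases actually sent, since a mismatch shows up as a signature verification failure at the peer. The `^2\.[2-9]\.` entry with bug mask `0` now only serves to stop the `^2\.` fallback from adding SSH_BUG_HMAC, which a short comment such as `/* no known bugs; prevents the "^2\." fallback below */` would make explicit. Minor style: `SSH_BUG_HMAC}` on the two `^2\.` lines lacks the space before `}` used elsewhere in the table. compat_datafellows continues outside the hunk.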
index 5be188b791eeca3d1a1120ca83880c17eb3f6871..f14efafa7aaf9427c40a199c0ea4ebc7819016e2 100644 (file)
--- a/compat.h
+++ b/compat.h
@@ -21,7 +21,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-/* RCSID("$OpenBSD: compat.h,v 1.10 2000/09/07 20:27:50 deraadt Exp $"); */
+/* RCSID("$OpenBSD: compat.h,v 1.11 2000/10/14 12:16:56 markus Exp $"); */
 
 #ifndef COMPAT_H
 #define COMPAT_H
@@ -35,7 +35,7 @@
 #define SSH_BUG_PUBKEYAUTH     0x02
 #define SSH_BUG_HMAC           0x04
 #define SSH_BUG_X11FWD         0x08
-#define SSH_COMPAT_SESSIONID_ENCODING          0x10
+#define SSH_OLD_SESSIONID      0x10
 
 void    enable_compat13(void);
 void    enable_compat20(void);
diff --git a/scp.c b/scp.c
index 8d5a251b58e39d166db7eec118e701a3daa8486e..75e50ce25169237689eb31e268921a7368c0a0ce 100644 (file)
--- a/scp.c
+++ b/scp.c
@@ -75,7 +75,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: scp.c,v 1.41 2000/10/11 20:03:27 markus Exp $");
+RCSID("$OpenBSD: scp.c,v 1.42 2000/10/14 10:07:21 markus Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -266,13 +266,13 @@ main(argc, argv)
                case 'o':
                case 'c':
                case 'i':
-                       addargs("-%c %s", ch, optarg);
+                       addargs("-%c%s", ch, optarg);
                        break;
                case 'P':
-                       addargs("-p %s", optarg);
+                       addargs("-p%s", optarg);
                        break;
                case 'B':
-                       addargs("-o Batchmode yes");
+                       addargs("-oBatchmode yes");
                        break;
                case 'p':
                        pflag = 1;
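Review bot: The space kept inside `-oBatchmode yes` is only correct if addargs() hands the formatted string to ssh as a single argv element, so that ssh's `-o` handler sees `Batchmode yes` as keyword plus value; addargs is outside this hunk, so that assumption is worth confirming. If addargs split on whitespace, `yes` would become a separate argument. A one-line comment on that case, e.g. `/* one argv element: ssh -o takes "keyword value" */`, would record why this option keeps its space while `-c`, `-i`, `-o` and `-P` drop theirs. main's option loop continues outside the hunk.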
index e90defe61e598d291cf08879b78f8e59400261fc..76702a83612cfb1d349dd20035e6521d57ac09f8 100644 (file)
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.52 2000/10/11 20:14:39 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.53 2000/10/14 12:12:09 markus Exp $");
 
 #include "ssh.h"
 #include "servconf.h"
@@ -67,6 +67,7 @@ initialize_server_options(ServerOptions *options)
 #endif
        options->permit_empty_passwd = -1;
        options->use_login = -1;
+       options->allow_tcp_forwarding = -1;
        options->num_allow_users = 0;
        options->num_deny_users = 0;
        options->num_allow_groups = 0;
@@ -159,6 +160,8 @@ fill_default_server_options(ServerOptions *options)
                options->permit_empty_passwd = 0;
        if (options->use_login == -1)
                options->use_login = 0;
+       if (options->allow_tcp_forwarding == -1)
+               options->allow_tcp_forwarding = 1;
        if (options->protocol == SSH_PROTO_UNKNOWN)
                options->protocol = SSH_PROTO_1|SSH_PROTO_2;
        if (options->gateway_ports == -1)
@@ -189,7 +192,8 @@ typedef enum {
        sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
        sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
        sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
-       sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
+       sUseLogin, sAllowTcpForwarding,
+       sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
        sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
        sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem, sMaxStartups
 } ServerOpCodes;
@@ -240,6 +244,7 @@ static struct {
        { "uselogin", sUseLogin },
        { "randomseed", sRandomSeedFile },
        { "keepalive", sKeepAlives },
+       { "allowtcpforwarding", sAllowTcpForwarding },
        { "allowusers", sAllowUsers },
        { "denyusers", sDenyUsers },
        { "allowgroups", sAllowGroups },
@@ -573,6 +578,10 @@ parse_flag:
                                *intptr = (LogLevel) value;
                        break;
 
+               case sAllowTcpForwarding:
+                       intptr = &options->allow_tcp_forwarding;
+                       goto parse_flag;
+
                case sAllowUsers:
                        while ((arg = strdelim(&cp)) && *arg != '\0') {
                                if (options->num_allow_users >= MAX_ALLOW_USERS)
index ef0790c7bebd89512ae282eb2fc0c32b11bb5c05..0188b9b893c6434af8e648a4804eed77c8b8f945 100644 (file)
@@ -11,7 +11,7 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 
-/* RCSID("$OpenBSD: servconf.h,v 1.29 2000/10/11 20:14:39 markus Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.30 2000/10/14 12:12:09 markus Exp $"); */
 
 #ifndef SERVCONF_H
 #define SERVCONF_H
@@ -86,6 +86,7 @@ typedef struct {
        int     permit_empty_passwd;    /* If false, do not permit empty
                                         * passwords. */
        int     use_login;      /* If true, login(1) is used */
+       int     allow_tcp_forwarding;
        unsigned int num_allow_users;
        char   *allow_users[MAX_ALLOW_USERS];
        unsigned int num_deny_users;
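Review bot: The new field is the only one in this part of the struct without a trailing comment, and its neighbours document their semantics. Since serverloop.c and session.c in this commit refuse direct-tcpip opens and port-forwarding requests when it is zero, `int allow_tcp_forwarding; /* If false, refuse all TCP forwarding requests */` would match the surrounding style. The struct definition starts before this hunk.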
index 0c07a2821a82da82bdc68a7a213051fd3c142375..d98d74c25931d716225c3ed452b3ff1e4771d05d 100644 (file)
@@ -49,6 +49,8 @@
 #include "dispatch.h"
 #include "auth-options.h"
 
+extern ServerOptions options;
+
 static Buffer stdin_buffer;    /* Buffer for stdin data. */
 static Buffer stdout_buffer;   /* Buffer for stdout data. */
 static Buffer stderr_buffer;   /* Buffer for stderr data. */
@@ -749,7 +751,7 @@ input_direct_tcpip(void)
           originator, originator_port, target, target_port);
 
        /* XXX check permission */
-       if (no_port_forwarding_flag) {
+       if (no_port_forwarding_flag || !options.allow_tcp_forwarding) {
                xfree(target);
                xfree(originator);
                return -1;
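Review bot: The refusal is silent: when the new `!options.allow_tcp_forwarding` condition (or no_port_forwarding_flag) rejects a direct-tcpip open, the function frees its strings and returns -1 without any log line, whereas the equivalent check added to session.c in this commit emits `debug("Port forwarding not permitted.")`. For an operator trying to see that a client is attempting forwarding the server has disabled, a line such as `debug("Refusing direct-tcpip request: port forwarding not permitted.");` before the `xfree` calls would be useful and consistent with session.c. The `/* XXX check permission */` marker above the condition could also go now that the permission check is there. input_direct_tcpip continues outside the hunk.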
index 9a213923c22e95335e28cf777607b6cca580ccff..4325ed3a4764af43b17c51e0c17d1ab29eca6842 100644 (file)
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.38 2000/10/11 20:27:23 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.40 2000/10/15 14:14:01 markus Exp $");
 
 #include "xmalloc.h"
 #include "ssh.h"
@@ -236,7 +236,7 @@ do_authenticated(struct passwd * pw)
         * by the client telling us, so we can equally well trust the client
         * not to request anything bogus.)
         */
-       if (!no_port_forwarding_flag)
+       if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
                channel_permit_all_opens();
 
        s = session_new();
@@ -388,6 +388,10 @@ do_authenticated(struct passwd * pw)
                                debug("Port forwarding not permitted for this authentication.");
                                break;
                        }
+                       if (!options.allow_tcp_forwarding) {
+                               debug("Port forwarding not permitted.");
+                               break;
+                       }
                        debug("Received TCP/IP port forwarding request.");
                        channel_input_port_forward_request(pw->pw_uid == 0, options.gateway_ports);
                        success = 1;
index 2a7ba258ba441ba8493eb65f76f965023386354f..fb4706c4327d0e6422160534985a9b834db83245 100644 (file)
@@ -36,20 +36,20 @@ is a program that speaks the server side of SFTP protocol
 to stdout and expects client requests from stdin.
 .Nm
 is not intended to be called directly, but from
-.Xr sshd 8 
+.Xr sshd 8
 using the
 .Cm Subsystem
 option.
 See
-.Xr sshd 8 
+.Xr sshd 8
 for more information.
-.Sh HISTORY
-.Nm
-first appeared in OpenBSD 2.8.
-.Sh AUTHOR
-Markus Friedl <markus@openbsd.org>
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-keygen 1 ,
-.Xr sshd 8 ,
+.Xr sshd 8
+.Sh AUTHOR
+Markus Friedl <markus@openbsd.org>
+.Sh HISTORY
+.Nm
+first appeared in OpenBSD 2.8 .
diff --git a/ssh.1 b/ssh.1
index a73a07c658dad5e46b12bcb8184e193c6f835a2a..dac24a43c017f01c05467c71af4795a3c2fb9850 100644 (file)
--- a/ssh.1
+++ b/ssh.1
@@ -627,7 +627,8 @@ If the option is set to
 .Dq no ,
 the check will not be executed.
 .It Cm Cipher
-Specifies the cipher to use for encrypting the session.
+Specifies the cipher to use for encrypting the session
+in protocol version 1
 Currently,
 .Dq blowfish ,
 and
@@ -640,7 +641,7 @@ Specifies the ciphers allowed for protocol version 2
 in order of preference.
 Multiple ciphers must be comma-separated.
 The default is
-.Dq 3des-cbc,blowfish-cbc,arcfour,cast128-cbc .
+.Dq 3des-cbc,blowfish-cbc,cast128-cbc,arcfour .
 .It Cm Compression
 Specifies whether to use compression.
 The argument must be
index ca459f62c35e6ccffbed0fb14fd4e62949ec4ecf..1f3b5a261d420a04bd328975a78752f7f628e7ed 100644 (file)
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.25 2000/10/12 09:59:19 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.26 2000/10/14 12:16:56 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
@@ -657,12 +657,12 @@ sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback)
 
        /* data to be signed */
        buffer_init(&b);
-       if (datafellows & SSH_COMPAT_SESSIONID_ENCODING) {
-               buffer_put_string(&b, session_id2, session_id2_len);
-               skip = buffer_len(&b);
-       } else {
+       if (datafellows & SSH_OLD_SESSIONID) {
                buffer_append(&b, session_id2, session_id2_len);
                skip = session_id2_len; 
+       } else {
+               buffer_put_string(&b, session_id2, session_id2_len);
+               skip = buffer_len(&b);
        }
        buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
        buffer_put_cstring(&b, authctxt->server_user);
diff --git a/sshd.8 b/sshd.8
index 29ad2144a0a37ef7d20db326fdd97907622338c9..a474d2fd15486841b4906ac557c432dfeacebc76 100644 (file)
--- a/sshd.8
+++ b/sshd.8
@@ -303,6 +303,14 @@ wildcards in the patterns.
 Only group names are valid; a numerical group ID isn't recognized.
 By default login is allowed regardless of the primary group.
 .Pp
+.It Cm AllowTcpForwarding
+Specifies whether TCP forwarding is permitted.
+The default is
+.Dq yes .
+Note that disabling TCP forwarding does not improve security unless
+users are also denied shell access, as they can always install their
+own forwarders.
+.Pp
 .It Cm AllowUsers
 This keyword can be followed by a number of user names, separated
 by spaces.
index f015025f2ffe69200e3aa6246518d4c9f747ae26..3522a327cb85e2225f740878a28c176b5865ce11 100644 (file)
--- a/version.h
+++ b/version.h
@@ -1 +1 @@
-#define SSH_VERSION    "OpenSSH_2.2.0p2"
+#define SSH_VERSION    "OpenSSH_2.3.0p1"