Martin Petrak <petrak@spsknm.schools.sk>
- (djm) Include sys/types.h when including netinet/in.h in configure tests.
Patch from Jun-ichiro itojun Hagino <itojun@iijlab.net>
+ - OpenBSD CVS updates:
+ - deraadt@cvs.openbsd.org 2000/06/17 09:58:46
+ [channels.c]
+ everyone says "nix it" (remove protocol 2 debugging message)
+ - markus@cvs.openbsd.org 2000/06/17 13:24:34
+ [sshconnect.c]
+ allow extended server banners
+ - markus@cvs.openbsd.org 2000/06/17 14:30:10
+ [sshconnect.c]
+ missing atomicio, typo
+ - jakob@cvs.openbsd.org 2000/06/17 16:52:34
+ [servconf.c servconf.h session.c sshd.8 sshd_config]
+ add support for ssh v2 subsystems. ok markus@.
+ - deraadt@cvs.openbsd.org 2000/06/17 18:57:48
+ [readconf.c servconf.c]
+ include = in WHITESPACE; markus ok
+ - markus@cvs.openbsd.org 2000/06/17 19:09:10
+ [auth2.c]
+ implement bug compatibility with ssh-2.0.13 pubkey, server side
+ - markus@cvs.openbsd.org 2000/06/17 21:00:28
+ [compat.c]
+ initial support for ssh.com's 2.2.0
+ - markus@cvs.openbsd.org 2000/06/17 21:16:09
+ [scp.c]
+ typo
+ - markus@cvs.openbsd.org 2000/06/17 22:05:02
+ [auth-rsa.c auth2.c serverloop.c session.c auth-options.c auth-options.h]
+ split auth-rsa option parsing into auth-options
+ add options support to authorized_keys2
+ - markus@cvs.openbsd.org 2000/06/17 22:42:54
+ [session.c]
+ typo
20000613
- (djm) Fixes from Andrew McGill <andrewm@datrix.co.za>:
SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o
-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-rhosts.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o
TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8
CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh.0 sshd.0
--- /dev/null
+#include "includes.h"
+RCSID("$Id$");
+
+#include "ssh.h"
+#include "packet.h"
+#include "xmalloc.h"
+#include "match.h"
+
+/* Flags set authorized_keys flags */
+int no_port_forwarding_flag = 0;
+int no_agent_forwarding_flag = 0;
+int no_x11_forwarding_flag = 0;
+int no_pty_flag = 0;
+
+/* "command=" option. */
+char *forced_command = NULL;
+
+/* "environment=" options. */
+struct envstring *custom_environment = NULL;
+
+/* return 1 if access is granted, 0 if not. side effect: sets key option flags */
+int
+auth_parse_options(struct passwd *pw, char *options, unsigned long linenum)
+{
+ const char *cp;
+ if (!options)
+ return 1;
+ while (*options && *options != ' ' && *options != '\t') {
+ cp = "no-port-forwarding";
+ if (strncmp(options, cp, strlen(cp)) == 0) {
+ packet_send_debug("Port forwarding disabled.");
+ no_port_forwarding_flag = 1;
+ options += strlen(cp);
+ goto next_option;
+ }
+ cp = "no-agent-forwarding";
+ if (strncmp(options, cp, strlen(cp)) == 0) {
+ packet_send_debug("Agent forwarding disabled.");
+ no_agent_forwarding_flag = 1;
+ options += strlen(cp);
+ goto next_option;
+ }
+ cp = "no-X11-forwarding";
+ if (strncmp(options, cp, strlen(cp)) == 0) {
+ packet_send_debug("X11 forwarding disabled.");
+ no_x11_forwarding_flag = 1;
+ options += strlen(cp);
+ goto next_option;
+ }
+ cp = "no-pty";
+ if (strncmp(options, cp, strlen(cp)) == 0) {
+ packet_send_debug("Pty allocation disabled.");
+ no_pty_flag = 1;
+ options += strlen(cp);
+ goto next_option;
+ }
+ cp = "command=\"";
+ if (strncmp(options, cp, strlen(cp)) == 0) {
+ int i;
+ options += strlen(cp);
+ forced_command = xmalloc(strlen(options) + 1);
+ i = 0;
+ while (*options) {
+ if (*options == '"')
+ break;
+ if (*options == '\\' && options[1] == '"') {
+ options += 2;
+ forced_command[i++] = '"';
+ continue;
+ }
+ forced_command[i++] = *options++;
+ }
+ if (!*options) {
+ debug("%.100s, line %lu: missing end quote",
+ SSH_USER_PERMITTED_KEYS, linenum);
+ packet_send_debug("%.100s, line %lu: missing end quote",
+ SSH_USER_PERMITTED_KEYS, linenum);
+ continue;
+ }
+ forced_command[i] = 0;
+ packet_send_debug("Forced command: %.900s", forced_command);
+ options++;
+ goto next_option;
+ }
+ cp = "environment=\"";
+ if (strncmp(options, cp, strlen(cp)) == 0) {
+ int i;
+ char *s;
+ struct envstring *new_envstring;
+ options += strlen(cp);
+ s = xmalloc(strlen(options) + 1);
+ i = 0;
+ while (*options) {
+ if (*options == '"')
+ break;
+ if (*options == '\\' && options[1] == '"') {
+ options += 2;
+ s[i++] = '"';
+ continue;
+ }
+ s[i++] = *options++;
+ }
+ if (!*options) {
+ debug("%.100s, line %lu: missing end quote",
+ SSH_USER_PERMITTED_KEYS, linenum);
+ packet_send_debug("%.100s, line %lu: missing end quote",
+ SSH_USER_PERMITTED_KEYS, linenum);
+ continue;
+ }
+ s[i] = 0;
+ packet_send_debug("Adding to environment: %.900s", s);
+ debug("Adding to environment: %.900s", s);
+ options++;
+ new_envstring = xmalloc(sizeof(struct envstring));
+ new_envstring->s = s;
+ new_envstring->next = custom_environment;
+ custom_environment = new_envstring;
+ goto next_option;
+ }
+ cp = "from=\"";
+ if (strncmp(options, cp, strlen(cp)) == 0) {
+ int mname, mip;
+ char *patterns = xmalloc(strlen(options) + 1);
+ int i;
+ options += strlen(cp);
+ i = 0;
+ while (*options) {
+ if (*options == '"')
+ break;
+ if (*options == '\\' && options[1] == '"') {
+ options += 2;
+ patterns[i++] = '"';
+ continue;
+ }
+ patterns[i++] = *options++;
+ }
+ if (!*options) {
+ debug("%.100s, line %lu: missing end quote",
+ SSH_USER_PERMITTED_KEYS, linenum);
+ packet_send_debug("%.100s, line %lu: missing end quote",
+ SSH_USER_PERMITTED_KEYS, linenum);
+ continue;
+ }
+ patterns[i] = 0;
+ options++;
+ /*
+ * Deny access if we get a negative
+ * match for the hostname or the ip
+ * or if we get not match at all
+ */
+ mname = match_hostname(get_canonical_hostname(),
+ patterns, strlen(patterns));
+ mip = match_hostname(get_remote_ipaddr(),
+ patterns, strlen(patterns));
+ xfree(patterns);
+ if (mname == -1 || mip == -1 ||
+ (mname != 1 && mip != 1)) {
+ log("Authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
+ pw->pw_name, get_canonical_hostname(),
+ get_remote_ipaddr());
+ packet_send_debug("Your host '%.200s' is not permitted to use this key for login.",
+ get_canonical_hostname());
+ /* key invalid for this host, reset flags */
+ no_agent_forwarding_flag = 0;
+ no_port_forwarding_flag = 0;
+ no_pty_flag = 0;
+ no_x11_forwarding_flag = 0;
+ while (custom_environment) {
+ struct envstring *ce = custom_environment;
+ custom_environment = ce->next;
+ xfree(ce->s);
+ xfree(ce);
+ }
+ if (forced_command) {
+ xfree(forced_command);
+ forced_command = NULL;
+ }
+ /* deny access */
+ return 0;
+ }
+ /* Host name matches. */
+ goto next_option;
+ }
+next_option:
+ /*
+ * Skip the comma, and move to the next option
+ * (or break out if there are no more).
+ */
+ if (!*options)
+ fatal("Bugs in auth-options.c option processing.");
+ if (*options == ' ' || *options == '\t')
+ break; /* End of options. */
+ if (*options != ',')
+ goto bad_option;
+ options++;
+ /* Process the next option. */
+ }
+ /* grant access */
+ return 1;
+
+bad_option:
+ log("Bad options in %.100s file, line %lu: %.50s",
+ SSH_USER_PERMITTED_KEYS, linenum, options);
+ packet_send_debug("Bad options in %.100s file, line %lu: %.50s",
+ SSH_USER_PERMITTED_KEYS, linenum, options);
+ /* deny access */
+ return 0;
+}
--- /dev/null
+#ifndef AUTH_OPTIONS_H
+#define AUTH_OPTIONS_H
+/* Flags that may be set in authorized_keys options. */
+extern int no_port_forwarding_flag;
+extern int no_agent_forwarding_flag;
+extern int no_x11_forwarding_flag;
+extern int no_pty_flag;
+extern char *forced_command;
+extern struct envstring *custom_environment;
+
+/* return 1 if access is granted, 0 if not. side effect: sets key option flags */
+int auth_parse_options(struct passwd *pw, char *options, unsigned long linenum);
+#endif
#include "uidswap.h"
#include "match.h"
#include "servconf.h"
+#include "auth-options.h"
#include <openssl/rsa.h>
#include <openssl/md5.h>
-/* Flags that may be set in authorized_keys options. */
-extern int no_port_forwarding_flag;
-extern int no_agent_forwarding_flag;
-extern int no_x11_forwarding_flag;
-extern int no_pty_flag;
-extern char *forced_command;
-extern struct envstring *custom_environment;
-
/*
* Session identifier that is used to bind key exchange and authentication
* responses to a particular session.
unsigned long linenum = 0;
struct stat st;
RSA *pk;
- int mname, mip;
/* Temporarily use the user's uid. */
temporarily_use_uid(pw->pw_uid);
* authenticated. Note that we have not yet processed the
* options; this will be reset if the options cause the
* authentication to be rejected.
- */
- authenticated = 1;
-
- /* RSA part of authentication was accepted. Now process the options. */
- if (options) {
- while (*options && *options != ' ' && *options != '\t') {
- cp = "no-port-forwarding";
- if (strncmp(options, cp, strlen(cp)) == 0) {
- packet_send_debug("Port forwarding disabled.");
- no_port_forwarding_flag = 1;
- options += strlen(cp);
- goto next_option;
- }
- cp = "no-agent-forwarding";
- if (strncmp(options, cp, strlen(cp)) == 0) {
- packet_send_debug("Agent forwarding disabled.");
- no_agent_forwarding_flag = 1;
- options += strlen(cp);
- goto next_option;
- }
- cp = "no-X11-forwarding";
- if (strncmp(options, cp, strlen(cp)) == 0) {
- packet_send_debug("X11 forwarding disabled.");
- no_x11_forwarding_flag = 1;
- options += strlen(cp);
- goto next_option;
- }
- cp = "no-pty";
- if (strncmp(options, cp, strlen(cp)) == 0) {
- packet_send_debug("Pty allocation disabled.");
- no_pty_flag = 1;
- options += strlen(cp);
- goto next_option;
- }
- cp = "command=\"";
- if (strncmp(options, cp, strlen(cp)) == 0) {
- int i;
- options += strlen(cp);
- forced_command = xmalloc(strlen(options) + 1);
- i = 0;
- while (*options) {
- if (*options == '"')
- break;
- if (*options == '\\' && options[1] == '"') {
- options += 2;
- forced_command[i++] = '"';
- continue;
- }
- forced_command[i++] = *options++;
- }
- if (!*options) {
- debug("%.100s, line %lu: missing end quote",
- SSH_USER_PERMITTED_KEYS, linenum);
- packet_send_debug("%.100s, line %lu: missing end quote",
- SSH_USER_PERMITTED_KEYS, linenum);
- continue;
- }
- forced_command[i] = 0;
- packet_send_debug("Forced command: %.900s", forced_command);
- options++;
- goto next_option;
- }
- cp = "environment=\"";
- if (strncmp(options, cp, strlen(cp)) == 0) {
- int i;
- char *s;
- struct envstring *new_envstring;
- options += strlen(cp);
- s = xmalloc(strlen(options) + 1);
- i = 0;
- while (*options) {
- if (*options == '"')
- break;
- if (*options == '\\' && options[1] == '"') {
- options += 2;
- s[i++] = '"';
- continue;
- }
- s[i++] = *options++;
- }
- if (!*options) {
- debug("%.100s, line %lu: missing end quote",
- SSH_USER_PERMITTED_KEYS, linenum);
- packet_send_debug("%.100s, line %lu: missing end quote",
- SSH_USER_PERMITTED_KEYS, linenum);
- continue;
- }
- s[i] = 0;
- packet_send_debug("Adding to environment: %.900s", s);
- debug("Adding to environment: %.900s", s);
- options++;
- new_envstring = xmalloc(sizeof(struct envstring));
- new_envstring->s = s;
- new_envstring->next = custom_environment;
- custom_environment = new_envstring;
- goto next_option;
- }
- cp = "from=\"";
- if (strncmp(options, cp, strlen(cp)) == 0) {
- char *patterns = xmalloc(strlen(options) + 1);
- int i;
- options += strlen(cp);
- i = 0;
- while (*options) {
- if (*options == '"')
- break;
- if (*options == '\\' && options[1] == '"') {
- options += 2;
- patterns[i++] = '"';
- continue;
- }
- patterns[i++] = *options++;
- }
- if (!*options) {
- debug("%.100s, line %lu: missing end quote",
- SSH_USER_PERMITTED_KEYS, linenum);
- packet_send_debug("%.100s, line %lu: missing end quote",
- SSH_USER_PERMITTED_KEYS, linenum);
- continue;
- }
- patterns[i] = 0;
- options++;
- /*
- * Deny access if we get a negative
- * match for the hostname or the ip
- * or if we get not match at all
- */
- mname = match_hostname(get_canonical_hostname(),
- patterns, strlen(patterns));
- mip = match_hostname(get_remote_ipaddr(),
- patterns, strlen(patterns));
- if (mname == -1 || mip == -1 ||
- (mname != 1 && mip != 1)) {
- log("RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
- pw->pw_name, get_canonical_hostname(),
- get_remote_ipaddr());
- packet_send_debug("Your host '%.200s' is not permitted to use this key for login.",
- get_canonical_hostname());
- xfree(patterns);
- /* key invalid for this host, reset flags */
- authenticated = 0;
- no_agent_forwarding_flag = 0;
- no_port_forwarding_flag = 0;
- no_pty_flag = 0;
- no_x11_forwarding_flag = 0;
- while (custom_environment) {
- struct envstring *ce = custom_environment;
- custom_environment = ce->next;
- xfree(ce->s);
- xfree(ce);
- }
- if (forced_command) {
- xfree(forced_command);
- forced_command = NULL;
- }
- break;
- }
- xfree(patterns);
- /* Host name matches. */
- goto next_option;
- }
- bad_option:
- log("Bad options in %.100s file, line %lu: %.50s",
- SSH_USER_PERMITTED_KEYS, linenum, options);
- packet_send_debug("Bad options in %.100s file, line %lu: %.50s",
- SSH_USER_PERMITTED_KEYS, linenum, options);
- authenticated = 0;
- break;
-
- next_option:
- /*
- * Skip the comma, and move to the next option
- * (or break out if there are no more).
- */
- if (!*options)
- fatal("Bugs in auth-rsa.c option processing.");
- if (*options == ' ' || *options == '\t')
- break; /* End of options. */
- if (*options != ',')
- goto bad_option;
- options++;
- /* Process the next option. */
- continue;
- }
- }
- /*
* Break out of the loop if authentication was successful;
* otherwise continue searching.
*/
+ authenticated = auth_parse_options(pw, options, linenum);
if (authenticated)
break;
}
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.8 2000/05/08 17:42:24 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.10 2000/06/18 04:05:02 markus Exp $");
#include <openssl/dsa.h>
#include <openssl/rsa.h>
#include "dsa.h"
#include "uidswap.h"
+#include "auth-options.h"
/* import */
extern ServerOptions options;
/* auth */
int ssh2_auth_none(struct passwd *pw);
int ssh2_auth_password(struct passwd *pw);
-int ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen);
+int ssh2_auth_pubkey(struct passwd *pw, char *service);
/* helper */
struct passwd* auth_set_user(char *u, char *s);
{
static void (*authlog) (const char *fmt,...) = verbose;
static int attempt = 0;
- unsigned int len, rlen;
+ unsigned int len;
int authenticated = 0;
- char *raw, *user, *service, *method, *authmsg = NULL;
+ char *user, *service, *method, *authmsg = NULL;
struct passwd *pw;
#ifdef WITH_AIXAUTHENTICATE
extern char *aixloginmsg;
#endif /* WITH_AIXAUTHENTICATE */
- raw = packet_get_raw(&rlen);
- if (plen != rlen)
- fatal("plen != rlen");
user = packet_get_string(&len);
service = packet_get_string(&len);
method = packet_get_string(&len);
} else if (strcmp(method, "password") == 0) {
authenticated = ssh2_auth_password(pw);
} else if (strcmp(method, "publickey") == 0) {
- authenticated = ssh2_auth_pubkey(pw, raw, rlen);
+ authenticated = ssh2_auth_pubkey(pw, service);
}
}
if (authenticated && pw && pw->pw_uid == 0 && !options.permit_root_login) {
return authenticated;
}
int
-ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen)
+ssh2_auth_pubkey(struct passwd *pw, char *service)
{
Buffer b;
Key *key;
debug("pubkey auth disabled");
return 0;
}
- if (datafellows & SSH_BUG_PUBKEYAUTH) {
- log("bug compatibility with ssh-2.0.13 pubkey not implemented");
- return 0;
- }
have_sig = packet_get_char();
pkalg = packet_get_string(&alen);
if (strcmp(pkalg, KEX_DSS) != 0) {
packet_done();
buffer_init(&b);
buffer_append(&b, session_id2, session_id2_len);
+
+ /* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- if (slen + 4 > rlen)
- fatal("bad rlen/slen");
- buffer_append(&b, raw, rlen - slen - 4);
+ buffer_put_cstring(&b, pw->pw_name);
+ buffer_put_cstring(&b,
+ datafellows & SSH_BUG_PUBKEYAUTH ?
+ "ssh-userauth" :
+ service);
+ buffer_put_cstring(&b, "publickey");
+ buffer_put_char(&b, have_sig);
+ buffer_put_cstring(&b, KEX_DSS);
+ buffer_put_string(&b, pkblob, blen);
#ifdef DEBUG_DSS
buffer_dump(&b);
#endif
found = key_new(KEY_DSA);
while (fgets(line, sizeof(line), f)) {
- char *cp;
+ char *cp, *options = NULL;
linenum++;
/* Skip leading whitespace, empty and comment lines. */
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
;
if (!*cp || *cp == '\n' || *cp == '#')
continue;
+
bits = key_read(found, &cp);
- if (bits == 0)
- continue;
- if (key_equal(found, key)) {
+ if (bits == 0) {
+ /* no key? check if there are options for this key */
+ int quoted = 0;
+ options = cp;
+ for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
+ if (*cp == '\\' && cp[1] == '"')
+ cp++; /* Skip both */
+ else if (*cp == '"')
+ quoted = !quoted;
+ }
+ /* Skip remaining whitespace. */
+ for (; *cp == ' ' || *cp == '\t'; cp++)
+ ;
+ bits = key_read(found, &cp);
+ if (bits == 0) {
+ /* still no key? advance to next line*/
+ continue;
+ }
+ }
+ if (key_equal(found, key) &&
+ auth_parse_options(pw, options, linenum) == 1) {
found_key = 1;
debug("matching key found: file %s, line %ld",
file, linenum);
packet_send();
buffer_consume(&c->input, len);
c->remote_window -= len;
- debug("channel %d: send data len %d", c->self, len);
}
} else if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
if (compat13)
char *version;
int bugs;
} check[] = {
+ {"2.2.0", SSH_BUG_HMAC},
{"2.1.0", SSH_BUG_SIGBLOB|SSH_BUG_HMAC},
{"2.0.1", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|SSH_BUG_PUBKEYAUTH|SSH_BUG_X11FWD},
{NULL, 0}
};
/* Characters considered whitespace in strtok calls. */
-#define WHITESPACE " \t\r\n"
+#define WHITESPACE " \t\r\n="
/*
args[i++] = "-4";
if (IPv6)
args[i++] = "-6";
- args[i++] = "-oFallBackToRsh no";
if (verbose_mode)
args[i++] = "-v";
if (compress_flag)
options->ciphers = NULL;
options->protocol = SSH_PROTO_UNKNOWN;
options->gateway_ports = -1;
+ options->num_subsystems = 0;
}
void
options->gateway_ports = 0;
}
-#define WHITESPACE " \t\r\n"
+#define WHITESPACE " \t\r\n="
/* Keyword tokens. */
typedef enum {
sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
- sGatewayPorts, sDSAAuthentication, sXAuthLocation
+ sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem
} ServerOpCodes;
/* Textual representation of the tokens. */
{ "ciphers", sCiphers },
{ "protocol", sProtocol },
{ "gatewayports", sGatewayPorts },
+ { "subsystem", sSubsystem },
{ NULL, 0 }
};
int linenum, *intptr, value;
int bad_options = 0;
ServerOpCodes opcode;
+ int i;
f = fopen(filename, "r");
if (!f) {
*intptr = value;
break;
+ case sSubsystem:
+ if(options->num_subsystems >= MAX_SUBSYSTEMS) {
+ fatal("%s line %d: too many subsystems defined.",
+ filename, linenum);
+ }
+ cp = strtok(NULL, WHITESPACE);
+ if (!cp)
+ fatal("%s line %d: Missing subsystem name.",
+ filename, linenum);
+ for (i = 0; i < options->num_subsystems; i++)
+ if(strcmp(cp, options->subsystem_name[i]) == 0)
+ fatal("%s line %d: Subsystem '%s' already defined.",
+ filename, linenum, cp);
+ options->subsystem_name[options->num_subsystems] = xstrdup(cp);
+ cp = strtok(NULL, WHITESPACE);
+ if (!cp)
+ fatal("%s line %d: Missing subsystem command.",
+ filename, linenum);
+ options->subsystem_command[options->num_subsystems] = xstrdup(cp);
+ options->num_subsystems++;
+ break;
+
default:
fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
filename, linenum, cp, opcode);
#define MAX_DENY_USERS 256 /* Max # users on deny list. */
#define MAX_ALLOW_GROUPS 256 /* Max # groups on allow list. */
#define MAX_DENY_GROUPS 256 /* Max # groups on deny list. */
+#define MAX_SUBSYSTEMS 256 /* Max # subsystems. */
typedef struct {
unsigned int num_ports;
char *allow_groups[MAX_ALLOW_GROUPS];
unsigned int num_deny_groups;
char *deny_groups[MAX_DENY_GROUPS];
+
+ unsigned int num_subsystems;
+ char *subsystem_name[MAX_SUBSYSTEMS];
+ char *subsystem_command[MAX_SUBSYSTEMS];
} ServerOptions;
/*
* Initializes the server options to special values that indicate that they
#include "ssh2.h"
#include "session.h"
#include "dispatch.h"
+#include "auth-options.h"
static Buffer stdin_buffer; /* Buffer for stdin data. */
static Buffer stdout_buffer; /* Buffer for stdout data. */
debug("open direct-tcpip: from %s port %d to %s port %d",
originator, originator_port, target, target_port);
+
/* XXX check permission */
+ if (! no_port_forwarding_flag) {
+ xfree(target);
+ xfree(originator);
+ return -1;
+ }
sock = channel_connect_to(target, target_port);
xfree(target);
xfree(originator);
*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.17 2000/06/05 19:53:40 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.20 2000/06/18 04:42:54 markus Exp $");
#include "xmalloc.h"
#include "ssh.h"
#include "bufaux.h"
#include "ssh2.h"
#include "auth.h"
+#include "auth-options.h"
/* types */
char *aixloginmsg;
#endif /* WITH_AIXAUTHENTICATE */
-/* Flags set in auth-rsa from authorized_keys flags. These are set in auth-rsa.c. */
-int no_port_forwarding_flag = 0;
-int no_agent_forwarding_flag = 0;
-int no_x11_forwarding_flag = 0;
-int no_pty_flag = 0;
-
-/* RSA authentication "command=" option. */
-char *forced_command = NULL;
-
-/* RSA authentication "environment=" options. */
-struct envstring *custom_environment = NULL;
-
/*
* Remove local Xauthority file.
*/
unsigned int len;
char *term_modes; /* encoded terminal modes */
+ if (no_pty_flag)
+ return 0;
if (s->ttyfd != -1)
return 0;
s->term = packet_get_string(&len);
unsigned int len;
int success = 0;
char *subsys = packet_get_string(&len);
+ int i;
packet_done();
log("subsystem request for %s", subsys);
+ for (i = 0; i < options.num_subsystems; i++) {
+ if(strcmp(subsys, options.subsystem_name[i]) == 0) {
+ debug("subsystem: exec() %s", options.subsystem_command[i]);
+ do_exec_no_pty(s, options.subsystem_command[i], s->pw);
+ success = 1;
+ }
+ }
+
+ if (!success)
+ log("subsystem request for %s failed, subsystem not found", subsys);
+
xfree(subsys);
return success;
}
int
session_x11_req(Session *s)
{
+ if (!no_port_forwarding_flag) {
+ debug("X11 forwarding disabled in user configuration file.");
+ return 0;
+ }
if (!options.x11_forwarding) {
debug("X11 forwarding disabled in server configuration file.");
return 0;
return 1;
}
+int
+session_shell_req(Session *s)
+{
+ /* if forced_command == NULL, the shell is execed */
+ char *shell = forced_command;
+ packet_done();
+ s->extended = 1;
+ if (s->ttyfd == -1)
+ do_exec_no_pty(s, shell, s->pw);
+ else
+ do_exec_pty(s, shell, s->pw);
+ return 1;
+}
+
+int
+session_exec_req(Session *s)
+{
+ unsigned int len;
+ char *command = packet_get_string(&len);
+ packet_done();
+ if (forced_command) {
+ xfree(command);
+ command = forced_command;
+ debug("Forced command '%.500s'", forced_command);
+ }
+ s->extended = 1;
+ if (s->ttyfd == -1)
+ do_exec_no_pty(s, command, s->pw);
+ else
+ do_exec_pty(s, command, s->pw);
+ if (forced_command == NULL)
+ xfree(command);
+ return 1;
+}
+
void
session_input_channel_req(int id, void *arg)
{
*/
if (c->type == SSH_CHANNEL_LARVAL) {
if (strcmp(rtype, "shell") == 0) {
- packet_done();
- s->extended = 1;
- if (s->ttyfd == -1)
- do_exec_no_pty(s, NULL, s->pw);
- else
- do_exec_pty(s, NULL, s->pw);
- success = 1;
+ success = session_shell_req(s);
} else if (strcmp(rtype, "exec") == 0) {
- char *command = packet_get_string(&len);
- packet_done();
- s->extended = 1;
- if (s->ttyfd == -1)
- do_exec_no_pty(s, command, s->pw);
- else
- do_exec_pty(s, command, s->pw);
- xfree(command);
- success = 1;
+ success = session_exec_req(s);
} else if (strcmp(rtype, "pty-req") == 0) {
success = session_pty_req(s);
} else if (strcmp(rtype, "x11-req") == 0) {
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.74 2000/05/17 16:57:02 markus Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.76 2000/06/17 20:30:10 markus Exp $");
#include <openssl/bn.h>
#include <openssl/dsa.h>
int connection_out = packet_get_connection_out();
/* Read other side\'s version identification. */
- for (i = 0; i < sizeof(buf) - 1; i++) {
- int len = read(connection_in, &buf[i], 1);
- if (len < 0)
- fatal("ssh_exchange_identification: read: %.100s", strerror(errno));
- if (len != 1)
- fatal("ssh_exchange_identification: Connection closed by remote host");
- if (buf[i] == '\r') {
- buf[i] = '\n';
- buf[i + 1] = 0;
- continue; /**XXX wait for \n */
+ for (;;) {
+ for (i = 0; i < sizeof(buf) - 1; i++) {
+ int len = atomicio(read, connection_in, &buf[i], 1);
+ if (len < 0)
+ fatal("ssh_exchange_identification: read: %.100s", strerror(errno));
+ if (len != 1)
+ fatal("ssh_exchange_identification: Connection closed by remote host");
+ if (buf[i] == '\r') {
+ buf[i] = '\n';
+ buf[i + 1] = 0;
+ continue; /**XXX wait for \n */
+ }
+ if (buf[i] == '\n') {
+ buf[i + 1] = 0;
+ break;
+ }
}
- if (buf[i] == '\n') {
- buf[i + 1] = 0;
+ buf[sizeof(buf) - 1] = 0;
+ if (strncmp(buf, "SSH-", 4) == 0)
break;
- }
+ debug("ssh_exchange_identification: %s", buf);
}
- buf[sizeof(buf) - 1] = 0;
server_version_string = xstrdup(buf);
/*
directory or files world-writable.
The default is
.Dq yes .
+.It Cm Subsystem
+Configures an external subsystem (e.g. file transfer daemon).
+Arguments should be a subsystem name and a command to execute upon subsystem request.
+By default no subsystems are defined.
+Note that this option applies to protocol version 2 only.
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
.Nm sshd .
CheckMail no
UseLogin no
+
+#Subsystem sftp /usr/local/sbin/sftpd
andersk / openssh.git / commitdiff
