- deraadt@cvs.openbsd.org 2000/12/13 06:36:05
[pty.c]
KNF
+ - markus@cvs.openbsd.org 2000/12/12 14:45:21
+ [sshd.c]
+ source port < 1024 is no longer required for rhosts-rsa since it
+ adds no additional security.
+ - markus@cvs.openbsd.org 2000/12/12 16:11:49
+ [ssh.1 ssh.c]
+ rhosts-rsa is no longer automagically disabled if ssh is not privileged.
+ UsePrivilegedPort=no disables rhosts-rsa _only_ for old servers.
+ these changes should not change the visible default behaviour of the ssh client.
20001213
- (djm) Make sure we reset the SIGPIPE disposition after we fork. Report
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.71 2000/12/07 04:24:59 djm Exp $
+.\" $OpenBSD: ssh.1,v 1.72 2000/12/12 23:11:48 markus Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
Note that this option turns off
.Cm RhostsAuthentication
and
-.Cm RhostsRSAAuthentication .
+.Cm RhostsRSAAuthentication
+for older servers.
.It Fl q
Quiet mode.
Causes all warning and diagnostic messages to be suppressed.
turns off
.Cm RhostsAuthentication
and
-.Cm RhostsRSAAuthentication .
+.Cm RhostsRSAAuthentication
+for older servers.
.It Cm User
Specifies the user to log in as.
This can be useful if you have a different user name on different machines.
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.75 2000/11/30 07:02:35 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.77 2000/12/12 23:11:48 markus Exp $");
#include <openssl/evp.h>
#include <openssl/dsa.h>
if (!options.use_privileged_port) {
#else
if (original_effective_uid != 0 || !options.use_privileged_port) {
- debug("Rhosts Authentication methods disabled, "
- "originating port will not be trusted.");
#endif
+ debug("Rhosts Authentication disabled, "
+ "originating port will not be trusted.");
options.rhosts_authentication = 0;
- options.rhosts_rsa_authentication = 0;
}
/*
* If using rsh has been selected, exec it now (without trying
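Review bot: Nothing in this block says that `options.rhosts_rsa_authentication` is now left enabled on purpose, so the dropped assignment reads like an oversight next to a debug message that still talks about an untrusted originating port. I would add a comment above the remaining assignment, for example `/* rhosts-rsa stays enabled: only older servers still insist on a privileged source port for it */`, which matches the ChangeLog entry in this commit. The enclosing function starts and ends outside the hunk, so whether a later step handles an unprivileged client that still has rhosts-rsa switched on cannot be confirmed from here.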
/* Restore our superuser privileges. */
restore_uid();
- /*
- * Open a connection to the remote host. This needs root privileges
- * if rhosts_{rsa_}authentication is enabled.
- */
+ /* Open a connection to the remote host. */
ok = ssh_connect(host, &hostaddr, options.port,
- options.connection_attempts,
- !options.rhosts_authentication &&
- !options.rhosts_rsa_authentication,
- original_real_uid,
- options.proxy_command);
+ options.connection_attempts,
+ original_effective_uid != 0 || !options.use_privileged_port,
+ original_real_uid,
+ options.proxy_command);
/*
* If we successfully made the connection, load the host private key
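Review bot: The third argument to `ssh_connect()` repeats the uid test from the `#else` branch of the earlier conditional, but the branch before that `#else` tests only `!options.use_privileged_port`, so on that build the two decisions can disagree: rhosts authentication stays enabled while the connection is opened with this flag set. The argument's meaning is not visible in the hunk; the removed comment suggests it decides whether the connect step uses root privileges. Computing the condition once under the same preprocessor guard and passing that value here would keep the two in step. The new expression also no longer looks at whether any rhosts method is enabled, so a privileged client appears to take the privileged path even when both are off; if that is intended for older servers, the shortened comment `/* Open a connection to the remote host. */` should say so.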
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.136 2000/12/05 16:47:28 todd Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.137 2000/12/12 21:45:21 markus Exp $");
#include "xmalloc.h"
#include "rsa.h"
sshd_exchange_identification(sock_in, sock_out);
/*
- * Check that the connection comes from a privileged port. Rhosts-
- * and Rhosts-RSA-Authentication only make sense from priviledged
+ * Check that the connection comes from a privileged port.
+ * Rhosts-Authentication only makes sense from priviledged
* programs. Of course, if the intruder has root access on his local
* machine, he can connect from any port. So do not use these
* authentication methods from machines that you do not trust.
*/
if (remote_port >= IPPORT_RESERVED ||
remote_port < IPPORT_RESERVED / 2) {
- debug("Rhosts Authentication methods disabled, "
+ debug("Rhosts Authentication disabled, "
"originating port not trusted.");
options.rhosts_authentication = 0;
- options.rhosts_rsa_authentication = 0;
}
#ifdef KRB4
if (!packet_connection_is_ipv4() &&
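Review bot: The rewritten comment still ends with "do not use these authentication methods" and keeps the misspelling "priviledged", although the check below it now clears only `options.rhosts_authentication`. I would reword the last sentence to name Rhosts-Authentication alone and add a line such as `* Rhosts-RSA is not restricted here: it relies on the client host key, not on the source port.` so the removed assignment is clearly deliberate. Because Rhosts-RSA can now be attempted from any source port, a `debug()` line recording an unprivileged `remote_port` would help operators see which clients depend on it. The enclosing function extends beyond both ends of the hunk.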