- (djm) fix select hack in serverloop.c from Philippe WILLEM
<Philippe.WILLEM@urssaf.fr>
- (djm) Fix mangled AIXAUTHENTICATE code
+ - (djm) Sync with OpenBSD:
+ - markus@cvs.openbsd.org 2000/10/16 15:46:32
+ [ssh.1]
+ fixes from pekkas@netcore.fi
+ - markus@cvs.openbsd.org 2000/10/17 14:28:11
+ [atomicio.c]
+ return number of characters processed; ok deraadt@
+ - markus@cvs.openbsd.org 2000/10/18 12:04:02
+ [atomicio.c]
+ undo
+ - markus@cvs.openbsd.org 2000/10/18 12:23:02
+ [scp.c]
+ replace atomicio(read,...) with read(); ok deraadt@
+ - markus@cvs.openbsd.org 2000/10/18 12:42:00
+ [session.c]
+ restore old record login behaviour
+ - deraadt@cvs.openbsd.org 2000/10/19 10:41:13
+ [auth-skey.c]
+ fmt string problem in unused code
+ - provos@cvs.openbsd.org 2000/10/19 10:45:16
+ [sshconnect2.c]
+ don't reference freed memory. okay deraadt@
+ - markus@cvs.openbsd.org 2000/10/21 11:04:23
+ [canohost.c]
+ typo, eramore@era-t.ericsson.se; ok niels@
+ - markus@cvs.openbsd.org 2000/10/23 13:31:55
+ [cipher.c]
+ non-alignment dependent swap_bytes(); from
+ simonb@wasabisystems.com/netbsd
+ - markus@cvs.openbsd.org 2000/10/26 12:38:28
+ [compat.c]
+ add older vandyke products
+ - markus@cvs.openbsd.org 2000/10/27 01:32:19
+ [channels.c channels.h clientloop.c serverloop.c session.c]
+ [ssh.c util.c]
+ enable non-blocking IO on channels, and tty's (except for the
+ client ttys).
+ - markus@cvs.openbsd.org 2000/10/27 01:48:22
+ channels.c channels.h clientloop.c
+ deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com
20001027
- (djm) Increase REKEY_BYTES to 2^24 for arc4random
*/
#include "includes.h"
-RCSID("$OpenBSD: atomicio.c,v 1.5 2000/09/07 20:27:49 deraadt Exp $");
+RCSID("$OpenBSD: atomicio.c,v 1.7 2000/10/18 18:04:02 markus Exp $");
#include "xmalloc.h"
#include "ssh.h"
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-skey.c,v 1.8 2000/09/07 20:27:49 deraadt Exp $");
+RCSID("$OpenBSD: auth-skey.c,v 1.9 2000/10/19 16:41:13 deraadt Exp $");
#ifdef SKEY
#include "ssh.h"
skeyinfo = skey_fake_keyinfo(pw->pw_name);
}
if (skeyinfo != NULL)
- packet_send_debug(skeyinfo);
+ packet_send_debug("%s", skeyinfo);
/* Try again. */
return 0;
} else if (skey_haskey(pw->pw_name) == 0 &&
*/
#include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.15 2000/09/07 21:13:37 markus Exp $");
+RCSID("$OpenBSD: canohost.c,v 1.16 2000/10/21 17:04:22 markus Exp $");
#include "packet.h"
#include "xmalloc.h"
else
ipproto = IPPROTO_IP;
option_size = sizeof(options);
- if (getsockopt(0, ipproto, IP_OPTIONS, (char *) options,
+ if (getsockopt(socket, ipproto, IP_OPTIONS, (char *) options,
&option_size) >= 0 && option_size != 0) {
cp = text;
/* Note: "text" buffer must be at least 3x as big as options. */
*/
#include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.70 2000/09/28 18:03:18 markus Exp $");
+RCSID("$OpenBSD: channels.c,v 1.72 2000/10/27 07:48:22 markus Exp $");
#include "ssh.h"
#include "packet.h"
*/
void
-channel_register_fds(Channel *c, int rfd, int wfd, int efd, int extusage)
+channel_register_fds(Channel *c, int rfd, int wfd, int efd,
+ int extusage, int nonblock)
{
/* Update the maximum file descriptor value. */
if (rfd > channel_max_fd_value)
c->sock = (rfd == wfd) ? rfd : -1;
c->efd = efd;
c->extended_usage = extusage;
- if (rfd != -1)
- set_nonblock(rfd);
- if (wfd != -1)
- set_nonblock(wfd);
- if (efd != -1)
- set_nonblock(efd);
+
+ /* enable nonblocking mode */
+ if (nonblock) {
+ if (rfd != -1)
+ set_nonblock(rfd);
+ if (wfd != -1)
+ set_nonblock(wfd);
+ if (efd != -1)
+ set_nonblock(efd);
+ }
}
/*
int
channel_new(char *ctype, int type, int rfd, int wfd, int efd,
- int window, int maxpack, int extusage, char *remote_name)
+ int window, int maxpack, int extusage, char *remote_name, int nonblock)
{
int i, found;
Channel *c;
buffer_init(&c->output);
buffer_init(&c->extended);
chan_init_iostates(c);
- channel_register_fds(c, rfd, wfd, efd, extusage);
+ channel_register_fds(c, rfd, wfd, efd, extusage, nonblock);
c->self = found;
c->type = type;
c->ctype = ctype;
int
channel_allocate(int type, int sock, char *remote_name)
{
- return channel_new("", type, sock, sock, -1, 0, 0, 0, remote_name);
+ return channel_new("", type, sock, sock, -1, 0, 0, 0, remote_name, 1);
}
newch = channel_new("x11",
SSH_CHANNEL_OPENING, newsock, newsock, -1,
c->local_window_max, c->local_maxpacket,
- 0, xstrdup(buf));
+ 0, xstrdup(buf), 1);
if (compat20) {
packet_start(SSH2_MSG_CHANNEL_OPEN);
packet_put_cstring("x11");
newch = channel_new("direct-tcpip",
SSH_CHANNEL_OPENING, newsock, newsock, -1,
c->local_window_max, c->local_maxpacket,
- 0, xstrdup(buf));
+ 0, xstrdup(buf), 1);
if (compat20) {
packet_start(SSH2_MSG_CHANNEL_OPEN);
packet_put_cstring("direct-tcpip");
"port listener", SSH_CHANNEL_PORT_LISTENER,
sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
- 0, xstrdup("port listener"));
+ 0, xstrdup("port listener"), 1);
strlcpy(channels[ch].path, host, sizeof(channels[ch].path));
channels[ch].host_port = host_port;
channels[ch].listening_port = port;
(void) channel_new("x11 listener",
SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
- 0, xstrdup("X11 inet listener"));
+ 0, xstrdup("X11 inet listener"), 1);
}
/* Return a suitable value for the DISPLAY environment variable. */
}
}
+/* dummy protocol handler that denies SSH-1 requests (agent/x11) */
+void
+deny_input_open(int type, int plen, void *ctxt)
+{
+ int rchan = packet_get_int();
+ switch(type){
+ case SSH_SMSG_AGENT_OPEN:
+ error("Warning: ssh server tried agent forwarding.");
+ break;
+ case SSH_SMSG_X11_OPEN:
+ error("Warning: ssh server tried X11 forwarding.");
+ break;
+ default:
+ error("deny_input_open: type %d plen %d", type, plen);
+ break;
+ }
+ error("Warning: this is probably a break in attempt by a malicious server.");
+ packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
+ packet_put_int(rchan);
+ packet_send();
+}
+
/*
* Requests forwarding of X11 connections, generates fake authentication
* data, and enables authentication spoofing.
}
void
-channel_set_fds(int id, int rfd, int wfd, int efd, int extusage)
+channel_set_fds(int id, int rfd, int wfd, int efd,
+ int extusage, int nonblock)
{
Channel *c = channel_lookup(id);
if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
fatal("channel_activate for non-larval channel %d.", id);
-
- channel_register_fds(c, rfd, wfd, efd, extusage);
+ channel_register_fds(c, rfd, wfd, efd, extusage, nonblock);
c->type = SSH_CHANNEL_OPEN;
/* XXX window size? */
c->local_window = c->local_window_max = c->local_maxpacket * 2;
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-/* RCSID("$OpenBSD: channels.h,v 1.20 2000/09/21 11:25:33 markus Exp $"); */
+/* RCSID("$OpenBSD: channels.h,v 1.22 2000/10/27 07:48:22 markus Exp $"); */
#ifndef CHANNELS_H
#define CHANNELS_H
#define CHAN_X11_PACKET_DEFAULT (CHAN_X11_WINDOW_DEFAULT/2)
-void channel_set_fds(int id, int rfd, int wfd, int efd, int extusage);
void channel_open(int id);
void channel_request(int id, char *service, int wantconfirm);
void channel_request_start(int id, char *service, int wantconfirm);
int
channel_new(char *ctype, int type, int rfd, int wfd, int efd,
- int window, int maxpack, int extended_usage, char *remote_name);
+ int window, int maxpack, int extended_usage, char *remote_name,
+ int nonblock);
+void
+channel_set_fds(int id, int rfd, int wfd, int efd,
+ int extusage, int nonblock);
+
+void deny_input_open(int type, int plen, void *ctxt);
void channel_input_channel_request(int type, int plen, void *ctxt);
void channel_input_close(int type, int plen, void *ctxt);
*/
#include "includes.h"
-RCSID("$OpenBSD: cipher.c,v 1.36 2000/10/14 10:01:15 markus Exp $");
+RCSID("$OpenBSD: cipher.c,v 1.37 2000/10/23 19:31:54 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
* and after encryption/decryption. Thus the swap_bytes stuff (yuk).
*/
static void
-swap_bytes(const unsigned char *src, unsigned char *dst_, int n)
-{
- /* dst must be properly aligned. */
- u_int32_t *dst = (u_int32_t *) dst_;
- union {
- u_int32_t i;
- char c[4];
- } t;
-
- /* Process 8 bytes every lap. */
- for (n = n / 8; n > 0; n--) {
- t.c[3] = *src++;
- t.c[2] = *src++;
- t.c[1] = *src++;
- t.c[0] = *src++;
- *dst++ = t.i;
-
- t.c[3] = *src++;
- t.c[2] = *src++;
- t.c[1] = *src++;
- t.c[0] = *src++;
- *dst++ = t.i;
+swap_bytes(const unsigned char *src, unsigned char *dst, int n)
+{
+ char c[4];
+
+ /* Process 4 bytes every lap. */
+ for (n = n / 4; n > 0; n--) {
+ c[3] = *src++;
+ c[2] = *src++;
+ c[1] = *src++;
+ c[0] = *src++;
+
+ *dst++ = c[0];
+ *dst++ = c[1];
+ *dst++ = c[2];
+ *dst++ = c[3];
}
}
*/
#include "includes.h"
-RCSID("$OpenBSD: clientloop.c,v 1.37 2000/09/26 19:59:58 markus Exp $");
+RCSID("$OpenBSD: clientloop.c,v 1.39 2000/10/27 07:48:22 markus Exp $");
#include "xmalloc.h"
#include "ssh.h"
#include "buffer.h"
#include "bufaux.h"
+
+/* import options */
+extern Options options;
+
/* Flag indicating that stdin should be redirected from /dev/null. */
extern int stdin_null_flag;
int
client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
{
- extern Options options;
double start_time, total_time;
int len;
char buf[100];
debug("client_input_channel_open: ctype %s rchan %d win %d max %d",
ctype, rchan, rwindow, rmaxpack);
- if (strcmp(ctype, "x11") == 0) {
+ if (strcmp(ctype, "x11") == 0 && options.forward_x11) {
int sock;
char *originator;
int originator_port;
if (sock >= 0) {
id = channel_new("x11", SSH_CHANNEL_X11_OPEN,
sock, sock, -1, CHAN_X11_WINDOW_DEFAULT,
- CHAN_X11_PACKET_DEFAULT, 0, xstrdup("x11"));
+ CHAN_X11_PACKET_DEFAULT, 0, xstrdup("x11"), 1);
c = channel_lookup(id);
}
}
dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open);
- dispatch_set(SSH_SMSG_AGENT_OPEN, &auth_input_open_request);
dispatch_set(SSH_SMSG_EXITSTATUS, &client_input_exit_status);
dispatch_set(SSH_SMSG_STDERR_DATA, &client_input_stderr_data);
dispatch_set(SSH_SMSG_STDOUT_DATA, &client_input_stdout_data);
- dispatch_set(SSH_SMSG_X11_OPEN, &x11_input_open);
+
+ dispatch_set(SSH_SMSG_AGENT_OPEN, options.forward_agent ?
+ &auth_input_open_request : &deny_input_open);
+ dispatch_set(SSH_SMSG_X11_OPEN, options.forward_x11 ?
+ &x11_input_open : &deny_input_open);
}
void
client_init_dispatch_15()
*/
#include "includes.h"
-RCSID("$OpenBSD: compat.c,v 1.25 2000/10/14 12:16:56 markus Exp $");
+RCSID("$OpenBSD: compat.c,v 1.26 2000/10/26 18:38:28 markus Exp $");
#include "ssh.h"
#include "packet.h"
SSH_BUG_PUBKEYAUTH|SSH_BUG_X11FWD },
{ "^2\\.[23]\\.0 ", SSH_BUG_HMAC},
{ "^2\\.[2-9]\\.", 0 },
- { "^2\\.", SSH_BUG_HMAC}, /* XXX fallback */
+ { "^2\\.4$", SSH_OLD_SESSIONID}, /* Van Dyke */
+ { "^3\\.0 SecureCRT", SSH_OLD_SESSIONID},
+ { "^1\\.7 SecureFX", SSH_OLD_SESSIONID},
+ { "^2\\.", SSH_BUG_HMAC}, /* XXX fallback */
{ NULL, 0 }
};
/* process table, return first match */
*/
#include "includes.h"
-RCSID("$OpenBSD: scp.c,v 1.42 2000/10/14 10:07:21 markus Exp $");
+RCSID("$OpenBSD: scp.c,v 1.43 2000/10/18 18:23:02 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
amt = size - i;
count += amt;
do {
- j = atomicio(read, remin, cp, amt);
- if (j <= 0) {
+ j = read(remin, cp, amt);
+ if (j == -1 && (errno == EINTR || errno == EAGAIN)) {
+ continue;
+ } else if (j <= 0) {
run_err("%s", j ? strerror(errno) :
"dropped connection");
exit(1);
*/
#include "includes.h"
+RCSID("$OpenBSD: serverloop.c,v 1.34 2000/10/27 07:32:18 markus Exp $");
+
#include "xmalloc.h"
#include "ssh.h"
#include "packet.h"
return -1;
return channel_new("direct-tcpip", SSH_CHANNEL_OPEN,
sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT,
- CHAN_TCP_PACKET_DEFAULT, 0, xstrdup("direct-tcpip"));
+ CHAN_TCP_PACKET_DEFAULT, 0, xstrdup("direct-tcpip"), 1);
}
void
*/
id = channel_new(ctype, SSH_CHANNEL_LARVAL,
-1, -1, -1, 0, CHAN_SES_PACKET_DEFAULT,
- 0, xstrdup("server-session"));
+ 0, xstrdup("server-session"), 1);
if (session_open(id) == 1) {
channel_register_callback(id, SSH2_MSG_CHANNEL_REQUEST,
session_input_channel_req, (void *)0);
*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.40 2000/10/15 14:14:01 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.42 2000/10/27 07:32:18 markus Exp $");
#include "xmalloc.h"
#include "ssh.h"
void session_proctitle(Session *s);
void do_exec_pty(Session *s, const char *command, struct passwd * pw);
void do_exec_no_pty(Session *s, const char *command, struct passwd * pw);
-void do_login(Session *s);
+void do_login(Session *s, const char *command);
void
do_child(const char *command, struct passwd * pw, const char *term,
close(ttyfd);
/* record login, etc. similar to login(1) */
- if (command == NULL && !options.use_login)
- do_login(s);
+ if (!(options.use_login && command == NULL))
+ do_login(s, command);
/* Do common processing for the child, such as execing the command. */
do_child(command, pw, s->term, s->display, s->auth_proto,
/* administrative, login(1)-like work */
void
-do_login(Session *s)
+do_login(Session *s, const char *command)
{
FILE *f;
char *time_string;
}
#endif
- /* Done if .hushlogin exists. */
+ /* Done if .hushlogin exists or a command given. */
+ if (command != NULL)
+ return;
snprintf(buf, sizeof(buf), "%.200s/.hushlogin", pw->pw_dir);
#ifdef HAVE_LOGIN_CAP
if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0)
fatal("no channel for session %d", s->self);
channel_set_fds(s->chanid,
fdout, fdin, fderr,
- fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ);
+ fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
+ 1);
}
void
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
+.\" $OpenBSD: ssh.1,v 1.64 2000/10/16 21:46:31 markus Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
(triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
It is presumably more secure than the
.Ar des
-cipher which is no longer supported in
+cipher which is no longer fully supported in
.Nm ssh .
.Ar blowfish
is a fast block cipher, it appears very secure and is much faster than
the check will not be executed.
.It Cm Cipher
Specifies the cipher to use for encrypting the session
-in protocol version 1
+in protocol version 1.
Currently,
-.Dq blowfish ,
+.Dq blowfish
and
.Dq 3des
are supported.
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.68 2000/10/11 20:27:24 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.69 2000/10/27 07:32:19 markus Exp $");
#include <openssl/evp.h>
#include <openssl/dsa.h>
if (in < 0 || out < 0 || err < 0)
fatal("dup() in/out/err failed");
+ /* enable nonblocking unless tty */
+ if (!isatty(in))
+ set_nonblock(in);
+ if (!isatty(out))
+ set_nonblock(out);
+ if (!isatty(err))
+ set_nonblock(err);
+
/* should be pre-session */
init_local_fwd();
id = channel_new(
"session", SSH_CHANNEL_OPENING, in, out, err,
window, packetmax, CHAN_EXTENDED_WRITE,
- xstrdup("client-session"));
+ xstrdup("client-session"), /*nonblock*/0);
channel_open(id);
channel_register_callback(id, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, client_init, (void *)0);
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.26 2000/10/14 12:16:56 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.27 2000/10/19 16:45:16 provos Exp $");
#include <openssl/bn.h>
#include <openssl/rsa.h>
Authmethod *
authmethod_get(char *authlist)
{
- char *name = NULL;
+ char *name = NULL, *authname_old;
Authmethod *method = NULL;
/* Use a suitable default if we're passed a nil list. */
method = NULL;
}
- if (authname_current != NULL)
- xfree(authname_current);
-
+ authname_old = authname_current;
if (method != NULL) {
debug("next auth method to try is %s", name);
authname_current = xstrdup(name);
- return method;
} else {
debug("no more auth methods to try");
authname_current = NULL;
- return NULL;
}
+
+ if (authname_old != NULL)
+ xfree(authname_old);
+
+ return (method);
}
-/* $OpenBSD: util.c,v 1.5 2000/09/07 20:27:55 deraadt Exp $ */
+/* $OpenBSD: util.c,v 1.6 2000/10/27 07:32:19 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*/
#include "includes.h"
-RCSID("$OpenBSD: util.c,v 1.5 2000/09/07 20:27:55 deraadt Exp $");
+RCSID("$OpenBSD: util.c,v 1.6 2000/10/27 07:32:19 markus Exp $");
#include "ssh.h"
set_nonblock(int fd)
{
int val;
- if (isatty(fd)) {
- /* do not mess with tty's */
- debug("no set_nonblock for tty fd %d", fd);
- return;
- }
val = fcntl(fd, F_GETFL, 0);
if (val < 0) {
error("fcntl(%d, F_GETFL, 0): %s", fd, strerror(errno));
return;
}
- if (val & O_NONBLOCK)
+ if (val & O_NONBLOCK) {
+ debug("fd %d IS O_NONBLOCK", fd);
return;
+ }
debug("fd %d setting O_NONBLOCK", fd);
val |= O_NONBLOCK;
if (fcntl(fd, F_SETFL, val) == -1)
andersk / openssh.git / commitdiff
