- (bal) Resync CVS ID of cli.c
- (stevesk) auth1.c: free should be after WITH_AIXAUTHENTICATE
code.
+ - (bal) OpenBSD Sync
+ - markus@cvs.openbsd.org 2001/01/08 22:29:05
+ [auth2.c compat.c compat.h servconf.c servconf.h sshd.8
+ sshd_config version.h]
+ implement option 'Banner /etc/issue.net' for ssh2, move version to
+ 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
+ is enabled).
+ - markus@cvs.openbsd.org 2001/01/08 22:03:23
+ [channels.c ssh-keyscan.c]
+ O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com
+ - markus@cvs.openbsd.org 2001/01/08 21:55:41
+ [sshconnect1.c]
+ more cleanups and fixes from stevesk@pobox.com:
+ 1) try_agent_authentication() for loop will overwrite key just
+ allocated with key_new(); don't alloc
+ 2) call ssh_close_authentication_connection() before exit
+ try_agent_authentication()
+ 3) free mem on bad passphrase in try_rsa_authentication()
+ - markus@cvs.openbsd.org 2001/01/08 21:48:17
+ [kex.c]
+ missing free; thanks stevesk@pobox.com
20010108
- (bal) Fixed another typo in cli.c
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.24 2000/12/28 14:25:51 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.25 2001/01/08 22:29:05 markus Exp $");
#ifdef HAVE_OSF_SIA
# include <sia.h>
char *authmethods_get(void);
/* auth */
+void userauth_banner(void);
int userauth_none(Authctxt *authctxt);
int userauth_passwd(Authctxt *authctxt);
int userauth_pubkey(Authctxt *authctxt);
xfree(method);
}
+void
+userauth_banner(void)
+{
+ struct stat st;
+ char *banner = NULL;
+ off_t len, n;
+ int fd;
+
+ if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
+ return;
+ if ((fd = open(options.banner, O_RDONLY)) < 0) {
+ error("userauth_banner: open %s failed: %s",
+ options.banner, strerror(errno));
+ return;
+ }
+ if (fstat(fd, &st) < 0)
+ goto done;
+ len = st.st_size;
+ banner = xmalloc(len + 1);
+ if ((n = read(fd, banner, len)) < 0)
+ goto done;
+ banner[n] = '\0';
+ packet_start(SSH2_MSG_USERAUTH_BANNER);
+ packet_put_cstring(banner);
+ packet_put_cstring(""); /* language, unused */
+ packet_send();
+ debug("userauth_banner: sent");
+done:
+ if (banner)
+ xfree(banner);
+ close(fd);
+ return;
+}
void
userauth_log(Authctxt *authctxt, int authenticated, char *method)
if (m != NULL)
m->enabled = NULL;
packet_done();
+ userauth_banner();
if (authctxt->valid == 0)
return(0);
*/
#include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.79 2000/12/29 22:19:13 markus Exp $");
+RCSID("$OpenBSD: channels.c,v 1.80 2001/01/08 22:03:23 markus Exp $");
#include "ssh.h"
#include "packet.h"
error("socket: %.100s", strerror(errno));
continue;
}
- if (fcntl(sock, F_SETFL, O_NDELAY) < 0)
+ if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0)
fatal("connect_to: F_SETFL: %s", strerror(errno));
/* Connect to the host/port. */
if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 &&
*/
#include "includes.h"
-RCSID("$OpenBSD: compat.c,v 1.32 2000/12/09 23:51:11 provos Exp $");
+RCSID("$OpenBSD: compat.c,v 1.33 2001/01/08 22:29:05 markus Exp $");
#include "ssh.h"
#include "packet.h"
char *pat;
int bugs;
} check[] = {
- { "^OpenSSH[-_]2\\.[012]", SSH_OLD_SESSIONID },
+ { "^OpenSSH[-_]2\\.[012]",
+ SSH_OLD_SESSIONID|SSH_BUG_BANNER },
+ { "^OpenSSH_2\\.3\\.0", SSH_BUG_BANNER },
+ { "^OpenSSH", 0 },
{ "MindTerm", 0 },
{ "^2\\.1\\.0", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
SSH_OLD_SESSIONID|SSH_BUG_DEBUG },
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-/* RCSID("$OpenBSD: compat.h,v 1.13 2000/12/06 22:58:15 markus Exp $"); */
+/* RCSID("$OpenBSD: compat.h,v 1.14 2001/01/08 22:29:05 markus Exp $"); */
#ifndef COMPAT_H
#define COMPAT_H
#define SSH_OLD_SESSIONID 0x10
#define SSH_BUG_PKAUTH 0x20
#define SSH_BUG_DEBUG 0x40
+#define SSH_BUG_BANNER 0x80
void enable_compat13(void);
void enable_compat20(void);
*/
#include "includes.h"
-RCSID("$OpenBSD: kex.c,v 1.16 2000/12/20 19:37:22 markus Exp $");
+RCSID("$OpenBSD: kex.c,v 1.17 2001/01/08 21:48:17 markus Exp $");
#include "ssh.h"
#include "ssh2.h"
k->hostkey_type = key_type_from_name(hostkeyalg);
if (k->hostkey_type == KEY_UNSPEC)
fatal("bad hostkey alg '%s'", hostkeyalg);
+ xfree(hostkeyalg);
}
Kex *
*/
#include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.56 2001/01/07 11:28:06 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.57 2001/01/08 22:29:05 markus Exp $");
#include "ssh.h"
#include "servconf.h"
options->max_startups_begin = -1;
options->max_startups_rate = -1;
options->max_startups = -1;
+ options->banner = NULL;
}
void
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
+ sBanner
} ServerOpCodes;
/* Textual representation of the tokens. */
{ "gatewayports", sGatewayPorts },
{ "subsystem", sSubsystem },
{ "maxstartups", sMaxStartups },
+ { "banner", sBanner },
{ NULL, 0 }
};
intptr = &options->max_startups;
goto parse_int;
+ case sBanner:
+ charptr = &options->banner;
+ goto parse_filename;
+
default:
fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
filename, linenum, arg, opcode);
* called by a name other than "ssh" or "Secure Shell".
*/
-/* RCSID("$OpenBSD: servconf.h,v 1.32 2000/12/19 23:17:58 markus Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.33 2001/01/08 22:29:05 markus Exp $"); */
#ifndef SERVCONF_H
#define SERVCONF_H
int max_startups_begin;
int max_startups_rate;
int max_startups;
+ char *banner; /* SSH-2 banner message */
} ServerOptions;
/*
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-keyscan.c,v 1.6 2000/12/19 23:17:58 markus Exp $");
+RCSID("$OpenBSD: ssh-keyscan.c,v 1.7 2001/01/08 22:03:23 markus Exp $");
#if defined(HAVE_SYS_QUEUE_H) && !defined(HAVE_BOGUS_SYS_QUEUE_H)
#include <sys/queue.h>
error("socket: %s", strerror(errno));
continue;
}
- if (fcntl(s, F_SETFL, O_NDELAY) < 0)
+ if (fcntl(s, F_SETFL, O_NONBLOCK) < 0)
fatal("F_SETFL: %s", strerror(errno));
if (connect(s, ai->ai_addr, ai->ai_addrlen) < 0 &&
errno != EINPROGRESS)
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.13 2000/12/19 23:17:58 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.14 2001/01/08 21:55:41 markus Exp $");
#include <openssl/bn.h>
#include <openssl/dsa.h>
return 0;
challenge = BN_new();
- key = key_new(KEY_RSA1);
/* Loop through identities served by the agent. */
for (key = ssh_get_first_identity(auth, &comment, 1);
/* The server returns success if it accepted the authentication. */
if (type == SSH_SMSG_SUCCESS) {
+ ssh_close_authentication_connection(auth);
BN_clear_free(challenge);
debug("RSA authentication accepted by server.");
return 1;
packet_disconnect("Protocol error waiting RSA auth response: %d",
type);
}
+ ssh_close_authentication_connection(auth);
BN_clear_free(challenge);
debug("RSA authentication using agent refused.");
return 0;
/* Expect the server to reject it... */
packet_read_expect(&plen, SSH_SMSG_FAILURE);
xfree(comment);
+ key_free(private);
+ BN_clear_free(challenge);
return 0;
}
/* Destroy the passphrase. */
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.79 2001/01/07 11:28:07 markus Exp $
+.\" $OpenBSD: sshd.8,v 1.80 2001/01/08 22:29:05 markus Exp $
.Dd September 25, 1999
.Dt SSHD 8
.Os
Only user names are valid; a numerical user ID isn't recognized.
By default login is allowed regardless of the user name.
.Pp
+.It Cm Banner
+In some jurisdictions, sending a warning message before authentication
+may be relevant for getting legal protection.
+The contents of the specified file are sent to the remote user before
+authentication is allowed.
+This option is only available for protocol version 2.
+.Pp
.It Cm Ciphers
Specifies the ciphers allowed for protocol version 2.
Multiple ciphers must be comma-separated.
# Uncomment if you want to enable sftp
#Subsystem sftp /usr/libexec/sftp-server
#MaxStartups 10:30:60
+#Banner /etc/issue.net
-/* $OpenBSD: version.h,v 1.13 2000/10/16 09:38:45 djm Exp $ */
+/* $OpenBSD: version.h,v 1.16 2001/01/08 22:29:05 markus Exp $ */
-#define SSH_VERSION "OpenSSH_2.3.0p2"
+#define SSH_VERSION "OpenSSH_2.3.1p1"