+20000606
+ - (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III
+ <tibbs@math.uh.edu>
+ - (djm) OpenBSD CVS updates:
+ - todd@cvs.openbsd.org
+ [sshconnect2.c]
+ teach protocol v2 to count login failures properly and also enable an
+ explanation of why the password prompt comes up again like v1; this is NOT
+ crypto
+ - markus@cvs.openbsd.org
+ [readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8]
+ xauth_location support; pr 1234
+ [readconf.c sshconnect2.c]
+ typo, unused
+ [session.c]
+ allow use_login only for login sessions, otherwise remote commands are
+ execed with uid==0
+ [sshd.8]
+ document UseLogin better
+ [version.h]
+ OpenSSH 2.1.1
+ [auth-rsa.c]
+ fix match_hostname() logic for auth-rsa: deny access if we have a
+ negative match or no match at all
+ [channels.c hostfile.c match.c]
+ don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via
+ kris@FreeBSD.org
+
20000606
- (djm) Added --with-cflags, --with-ldflags and --with-libs options to
configure.
unsigned long linenum = 0;
struct stat st;
RSA *pk;
+ int mname, mip;
/* Temporarily use the user's uid. */
temporarily_use_uid(pw->pw_uid);
}
patterns[i] = 0;
options++;
- if (!match_hostname(get_canonical_hostname(), patterns,
- strlen(patterns)) &&
- !match_hostname(get_remote_ipaddr(), patterns,
- strlen(patterns))) {
+ /*
+ * Deny access if we get a negative
+ * match for the hostname or the ip
+ * or if we get not match at all
+ */
+ mname = match_hostname(get_canonical_hostname(),
+ patterns, strlen(patterns));
+ mip = match_hostname(get_remote_ipaddr(),
+ patterns, strlen(patterns));
+ if (mname == -1 || mip == -1 ||
+ (mname != 1 && mip != 1)) {
log("RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
pw->pw_name, get_canonical_hostname(),
get_remote_ipaddr());
}
/*
- * This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
+ * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
* This starts forwarding authentication requests.
*/
-void
+int
auth_input_request_forwarding(struct passwd * pw)
{
int sock, newch;
strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
/* Create private directory for socket */
- if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL)
- packet_disconnect("mkdtemp: %.100s", strerror(errno));
+ if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) {
+ packet_send_debug("Agent forwarding disabled: mkdtemp() failed: %.100s",
+ strerror(errno));
+ restore_uid();
+ xfree(channel_forwarded_auth_socket_name);
+ xfree(channel_forwarded_auth_socket_dir);
+ channel_forwarded_auth_socket_name = NULL;
+ channel_forwarded_auth_socket_dir = NULL;
+ return 0;
+ }
snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
channel_forwarded_auth_socket_dir, (int) getpid());
xstrdup("auth socket"));
strlcpy(channels[newch].path, channel_forwarded_auth_socket_name,
sizeof(channels[newch].path));
+ return 1;
}
/* This is called to process an SSH_SMSG_AGENT_OPEN message. */
char *auth_get_socket_name(void);
/*
- * This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
+ * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
* This starts forwarding authentication requests.
*/
-void auth_input_request_forwarding(struct passwd * pw);
+int auth_input_request_forwarding(struct passwd * pw);
/* This is called to process an SSH_SMSG_AGENT_OPEN message. */
void auth_input_open_request(int type, int plen);
CFLAGS="$RPM_OPT_FLAGS" \
./configure --prefix=/usr --sysconfdir=/etc/ssh \
- --with-tcp-wrappers --with-ipv4-default
+ --with-tcp-wrappers --with-ipv4-default \
+ --with-rsh=/usr/bin/rsh
make
*/
#include "includes.h"
-RCSID("$OpenBSD: hostfile.c,v 1.18 2000/04/29 18:11:52 markus Exp $");
+RCSID("$OpenBSD: hostfile.c,v 1.19 2000/06/06 19:32:13 markus Exp $");
#include "packet.h"
#include "match.h"
;
/* Check if the host name matches. */
- if (!match_hostname(host, cp, (unsigned int) (cp2 - cp)))
+ if (match_hostname(host, cp, (unsigned int) (cp2 - cp)) != 1)
continue;
/* Got a match. Skip host name. */
/*
* Tries to match the host name (which must be in all lowercase) against the
* comma-separated sequence of subpatterns (each possibly preceded by ! to
- * indicate negation). Returns true if there is a positive match; zero
- * otherwise.
+ * indicate negation). Returns -1 if negation matches, 1 if there is
+ * a positive match, 0 if there is no match at all.
*/
int
/* Try to match the subpattern against the host name. */
if (match_pattern(host, sub)) {
if (negated)
- return 0; /* Fail */
+ return -1; /* Negative */
else
- got_positive = 1;
+ got_positive = 1; /* Positive */
}
}
/*
* Return success if got a positive match. If there was a negative
- * match, we have already returned zero and never get here.
+ * match, we have already returned -1 and never get here.
*/
return got_positive;
}
/*
* Tries to match the host name (which must be in all lowercase) against the
* comma-separated sequence of subpatterns (each possibly preceded by ! to
- * indicate negation). Returns true if there is a positive match; zero
- * otherwise.
+ * indicate negation). Returns -1 if negation matches, 1 if there is
+ * a positive match, 0 if there is no match at all.
*/
int match_hostname(const char *host, const char *pattern, unsigned int len);
oBadOption,
oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh,
- oSkeyAuthentication,
+ oSkeyAuthentication, oXAuthLocation,
#ifdef KRB4
oKerberosAuthentication,
#endif /* KRB4 */
} keywords[] = {
{ "forwardagent", oForwardAgent },
{ "forwardx11", oForwardX11 },
+ { "xauthlocation", oXAuthLocation },
{ "gatewayports", oGatewayPorts },
{ "useprivilegedport", oUsePrivilegedPort },
{ "rhostsauthentication", oRhostsAuthentication },
}
break;
+ case oXAuthLocation:
+ charptr=&options->xauth_location;
+ goto parse_string;
+
case oUser:
charptr = &options->user;
parse_string:
memset(options, 'X', sizeof(*options));
options->forward_agent = -1;
options->forward_x11 = -1;
+ options->xauth_location = NULL;
options->gateway_ports = -1;
options->use_privileged_port = -1;
options->rhosts_authentication = -1;
options->forward_agent = 0;
if (options->forward_x11 == -1)
options->forward_x11 = 0;
+#ifdef XAUTH_PATH
+ if (options->xauth_location == NULL)
+ options->xauth_location = XAUTH_PATH;
+#endif /* XAUTH_PATH */
if (options->gateway_ports == -1)
options->gateway_ports = 0;
if (options->use_privileged_port == -1)
typedef struct {
int forward_agent; /* Forward authentication agent. */
int forward_x11; /* Forward X11 display. */
+ char *xauth_location; /* Location for xauth program */
int gateway_ports; /* Allow remote connects to forwarded ports. */
int use_privileged_port; /* Don't use privileged port if false. */
int rhosts_authentication; /* Try rhosts authentication. */
options->check_mail = -1;
options->x11_forwarding = -1;
options->x11_display_offset = -1;
+ options->xauth_location = NULL;
options->strict_modes = -1;
options->keepalives = -1;
options->log_facility = (SyslogFacility) - 1;
options->x11_forwarding = 0;
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
+#ifdef XAUTH_PATH
+ if (options->xauth_location == NULL)
+ options->xauth_location = XAUTH_PATH;
+#endif /* XAUTH_PATH */
if (options->strict_modes == -1)
options->strict_modes = 1;
if (options->keepalives == -1)
sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
- sGatewayPorts, sDSAAuthentication
+ sGatewayPorts, sDSAAuthentication, sXAuthLocation
} ServerOpCodes;
/* Textual representation of the tokens. */
{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
{ "x11forwarding", sX11Forwarding },
{ "x11displayoffset", sX11DisplayOffset },
+ { "xauthlocation", sXAuthLocation },
{ "strictmodes", sStrictModes },
{ "permitemptypasswords", sEmptyPasswd },
{ "uselogin", sUseLogin },
case sHostDSAKeyFile:
charptr = (opcode == sHostKeyFile ) ?
&options->host_key_file : &options->host_dsa_key_file;
+parse_filename:
cp = strtok(NULL, WHITESPACE);
if (!cp) {
fprintf(stderr, "%s line %d: missing file name.\n",
case sPidFile:
charptr = &options->pid_file;
- cp = strtok(NULL, WHITESPACE);
- if (!cp) {
- fprintf(stderr, "%s line %d: missing file name.\n",
- filename, linenum);
- exit(1);
- }
- if (*charptr == NULL)
- *charptr = tilde_expand_filename(cp, getuid());
- break;
+ goto parse_filename;
case sRandomSeedFile:
fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
intptr = &options->x11_display_offset;
goto parse_int;
+ case sXAuthLocation:
+ charptr = &options->xauth_location;
+ goto parse_filename;
+
case sStrictModes:
intptr = &options->strict_modes;
goto parse_flag;
int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */
int x11_display_offset; /* What DISPLAY number to start
* searching at */
+ char *xauth_location; /* Location of xauth program */
int strict_modes; /* If true, require string home dir modes. */
int keepalives; /* If true, set SO_KEEPALIVE. */
char *ciphers; /* Ciphers in order of preference. */
struct stat st;
char *argv[10];
+ /* login(1) is only called if we execute the login shell */
+ if (options.use_login && command != NULL)
+ options.use_login = 0;
+
#ifndef USE_PAM /* pam_nologin handles this */
f = fopen("/etc/nologin", "r");
if (f) {
extern int optind;
extern char *optarg;
- OpenSSL_add_all_algorithms();
+ SSLeay_add_all_algorithms();
/* we need this for the home * directory. */
pw = getpwuid(getuid());
.Dq yes
or
.Dq no .
+.It Cm XAuthLocation
+Specifies the location of the
+.Xr xauth 1
+program.
+The default is
+.Pa /usr/X11R6/bin/xauth .
.Sh ENVIRONMENT
.Nm
will normally set the following environment variables:
/* Initialize the command to execute on remote host. */
buffer_init(&command);
- OpenSSL_add_all_algorithms();
+ SSLeay_add_all_algorithms();
/*
* Save the command to execute on the remote host in a buffer. There
FILE *f;
int got_data = 0, i;
-#ifdef XAUTH_PATH
- /* Try to get Xauthority information for the display. */
- snprintf(line, sizeof line, "%.100s list %.200s 2>/dev/null",
- XAUTH_PATH, getenv("DISPLAY"));
- f = popen(line, "r");
- if (f && fgets(line, sizeof(line), f) &&
- sscanf(line, "%*s %s %s", proto, data) == 2)
- got_data = 1;
- if (f)
- pclose(f);
-#endif /* XAUTH_PATH */
+ if (options.xauth_location) {
+ /* Try to get Xauthority information for the display. */
+ snprintf(line, sizeof line, "%.100s list %.200s 2>/dev/null",
+ options.xauth_location, getenv("DISPLAY"));
+ f = popen(line, "r");
+ if (f && fgets(line, sizeof(line), f) &&
+ sscanf(line, "%*s %s %s", proto, data) == 2)
+ got_data = 1;
+ if (f)
+ pclose(f);
+ }
/*
* If we didn't get authentication data, just make up some
* data. The forwarding code will check the validity of the
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.11 2000/05/25 20:45:20 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.13 2000/06/02 02:00:19 todd Exp $");
#include <openssl/bn.h>
#include <openssl/rsa.h>
ssh_kex_dh(Kex *kex, char *host, struct sockaddr *hostaddr,
Buffer *client_kexinit, Buffer *server_kexinit)
{
- int i;
int plen, dlen;
unsigned int klen, kout;
char *signature = NULL;
char prompt[80];
char *password;
- if (attempt++ > options.number_of_password_prompts)
+ if (attempt++ >= options.number_of_password_prompts)
return 0;
+ if(attempt != 1)
+ error("Permission denied, please try again.");
+
snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ",
server_user, host);
password = read_passphrase(prompt, 0);
.It Cm UseLogin
Specifies whether
.Xr login 1
-is used.
+is used for interactive login sessions.
+Note that
+.Xr login 1
+is not never for remote command execution.
The default is
.Dq no .
.It Cm X11DisplayOffset
.Dq no .
Note that disabling X11 forwarding does not improve security in any
way, as users can always install their own forwarders.
+.It Cm XAuthLocation
+Specifies the location of the
+.Xr xauth 1
+program.
+The default is
+.Pa /usr/X11R6/bin/xauth .
.El
.Sh LOGIN PROCESS
When a user successfully logs in,
-#define SSH_VERSION "OpenSSH-2.1"
+#define SSH_VERSION "OpenSSH_2.1.1"