From: djm Date: Wed, 7 Jun 2000 09:55:44 +0000 (+0000) Subject: - (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III X-Git-Tag: V_2_1_1_P1~8 X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/commitdiff_plain/fa649821f19dfa37f4d1aa355cd39047de65fd23 - (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III - (djm) OpenBSD CVS updates: - todd@cvs.openbsd.org [sshconnect2.c] teach protocol v2 to count login failures properly and also enable an explanation of why the password prompt comes up again like v1; this is NOT crypto - markus@cvs.openbsd.org [readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8] xauth_location support; pr 1234 [readconf.c sshconnect2.c] typo, unused [session.c] allow use_login only for login sessions, otherwise remote commands are execed with uid==0 [sshd.8] document UseLogin better [version.h] OpenSSH 2.1.1 [auth-rsa.c] fix match_hostname() logic for auth-rsa: deny access if we have a negative match or no match at all [channels.c hostfile.c match.c] don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org --- diff --git a/ChangeLog b/ChangeLog index b404849c..997aa31d 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,31 @@ +20000606 + - (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III + + - (djm) OpenBSD CVS updates: + - todd@cvs.openbsd.org + [sshconnect2.c] + teach protocol v2 to count login failures properly and also enable an + explanation of why the password prompt comes up again like v1; this is NOT + crypto + - markus@cvs.openbsd.org + [readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8] + xauth_location support; pr 1234 + [readconf.c sshconnect2.c] + typo, unused + [session.c] + allow use_login only for login sessions, otherwise remote commands are + execed with uid==0 + [sshd.8] + document UseLogin better + [version.h] + OpenSSH 2.1.1 + [auth-rsa.c] + fix match_hostname() logic for auth-rsa: deny access if we have a + negative match or no match at all + [channels.c hostfile.c match.c] + don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via + kris@FreeBSD.org + 20000606 - (djm) Added --with-cflags, --with-ldflags and --with-libs options to configure. diff --git a/auth-rsa.c b/auth-rsa.c index d7deabf2..35fff1fd 100644 --- a/auth-rsa.c +++ b/auth-rsa.c @@ -133,6 +133,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) unsigned long linenum = 0; struct stat st; RSA *pk; + int mname, mip; /* Temporarily use the user's uid. */ temporarily_use_uid(pw->pw_uid); 
@@ -390,10 +391,17 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) } patterns[i] = 0; options++; - if (!match_hostname(get_canonical_hostname(), patterns, - strlen(patterns)) && - !match_hostname(get_remote_ipaddr(), patterns, - strlen(patterns))) { + /* + * Deny access if we get a negative + * match for the hostname or the ip + * or if we get not match at all + */ + mname = match_hostname(get_canonical_hostname(), + patterns, strlen(patterns)); + mip = match_hostname(get_remote_ipaddr(), + patterns, strlen(patterns)); + if (mname == -1 || mip == -1 || + (mname != 1 && mip != 1)) { log("RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).", pw->pw_name, get_canonical_hostname(), get_remote_ipaddr()); diff --git a/channels.c b/channels.c index 5d410870..b485b50f 100644 --- a/channels.c +++ b/channels.c @@ -2113,11 +2113,11 @@ cleanup_socket(void) } /* - * This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server. + * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server. * This starts forwarding authentication requests. */ -void +int auth_input_request_forwarding(struct passwd * pw) { int sock, newch; 
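Review bot: In the auth-rsa.c hunk, the comment added above the `mname`/`mip` checks reads "if we get not match at all" and does not say that a negated-pattern hit on either lookup overrides a positive match on the other. That override is the point of the fix, and this is the access decision for the key's host restriction, so the comment should state the rule exactly. Suggested wording: `/* Deny if the hostname or the IP hits a negated pattern (-1), or if neither yields a positive match (1). */`. The body of auth_rsa() starts and ends outside the hunk, so how `patterns` is built was not reviewed.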
@@ -2135,8 +2135,16 @@ auth_input_request_forwarding(struct passwd * pw) strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME); /* Create private directory for socket */ - if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) - packet_disconnect("mkdtemp: %.100s", strerror(errno)); + if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) { + packet_send_debug("Agent forwarding disabled: mkdtemp() failed: %.100s", + strerror(errno)); + restore_uid(); + xfree(channel_forwarded_auth_socket_name); + xfree(channel_forwarded_auth_socket_dir); + channel_forwarded_auth_socket_name = NULL; + channel_forwarded_auth_socket_dir = NULL; + return 0; + } snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d", channel_forwarded_auth_socket_dir, (int) getpid()); @@ -2171,6 +2179,7 @@ auth_input_request_forwarding(struct passwd * pw) xstrdup("auth socket")); strlcpy(channels[newch].path, channel_forwarded_auth_socket_name, sizeof(channels[newch].path)); + return 1; } /* This is called to process an SSH_SMSG_AGENT_OPEN message. */ diff --git a/channels.h b/channels.h index 613c0107..02aa3c50 100644 --- a/channels.h +++ b/channels.h @@ -222,10 +222,10 @@ void auth_request_forwarding(void); char *auth_get_socket_name(void); /* - * This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server. + * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server. * This starts forwarding authentication requests. */ -void auth_input_request_forwarding(struct passwd * pw); +int auth_input_request_forwarding(struct passwd * pw); /* This is called to process an SSH_SMSG_AGENT_OPEN message. */ void auth_input_open_request(int type, int plen); diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 8b1d0989..ff12699f 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec 
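Review bot: The new `return 0` on mkdtemp() failure in auth_input_request_forwarding() only helps if the caller acts on it, and no call site is updated in this diff (the session.c hunk touches only use_login). If the caller still ignores the result, the server would presumably acknowledge the agent-forwarding request even though no socket directory exists. The call site should branch on the value, e.g. `if (!auth_input_request_forwarding(pw)) { /* report failure to the client */ }`. The failure path itself looks sound: it restores the uid, then frees and NULLs both globals. Later error paths in this function lie outside the hunk, so it is not visible whether they also return 0 or still disconnect.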
@@ -152,7 +152,8 @@ This package contains the GNOME passphrase dialog. CFLAGS="$RPM_OPT_FLAGS" \ ./configure --prefix=/usr --sysconfdir=/etc/ssh \ - --with-tcp-wrappers --with-ipv4-default + --with-tcp-wrappers --with-ipv4-default \ + --with-rsh=/usr/bin/rsh make diff --git a/hostfile.c b/hostfile.c index bac285da..f58e1d67 100644 --- a/hostfile.c +++ b/hostfile.c @@ -14,7 +14,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: hostfile.c,v 1.18 2000/04/29 18:11:52 markus Exp $"); +RCSID("$OpenBSD: hostfile.c,v 1.19 2000/06/06 19:32:13 markus Exp $"); #include "packet.h" #include "match.h" @@ -129,7 +129,7 @@ check_host_in_hostfile(const char *filename, const char *host, Key *key, Key *fo ; /* Check if the host name matches. */ - if (!match_hostname(host, cp, (unsigned int) (cp2 - cp))) + if (match_hostname(host, cp, (unsigned int) (cp2 - cp)) != 1) continue; /* Got a match. Skip host name. */ diff --git a/match.c b/match.c index 5d076ff9..4f07223f 100644 --- a/match.c +++ b/match.c @@ -84,8 +84,8 @@ match_pattern(const char *s, const char *pattern) /* * Tries to match the host name (which must be in all lowercase) against the * comma-separated sequence of subpatterns (each possibly preceded by ! to - * indicate negation). Returns true if there is a positive match; zero - * otherwise. + * indicate negation). Returns -1 if negation matches, 1 if there is + * a positive match, 0 if there is no match at all. */ int @@ -127,15 +127,15 @@ match_hostname(const char *host, const char *pattern, unsigned int len) /* Try to match the subpattern against the host name. */ if (match_pattern(host, sub)) { if (negated) - return 0; /* Fail */ + return -1; /* Negative */ else - got_positive = 1; + got_positive = 1; /* Positive */ } } /* * Return success if got a positive match. If there was a negative - * match, we have already returned zero and never get here. + * match, we have already returned -1 and never get here. */ return got_positive; } 
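Review bot: In match.c, having match_hostname() return -1 for a negated match means any caller that tests the result for truthiness now treats an explicit deny as a match, because -1 is non-zero. This diff converts auth-rsa.c and hostfile.c (`!= 1`), but callers not shown here need the same audit. Naming the three results instead of comparing against bare `-1`/`0`/`1` would make a stray `if (match_hostname(...))` stand out in review. The trailing comment "Return success if got a positive match" should also say that the fall-through returns 0 (no match) or 1 (positive match). The body of match_hostname() is only partly visible in these hunks.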
diff --git a/match.h b/match.h index 4625d976..8eac0a50 100644 --- a/match.h +++ b/match.h @@ -10,8 +10,8 @@ int match_pattern(const char *s, const char *pattern); /* * Tries to match the host name (which must be in all lowercase) against the * comma-separated sequence of subpatterns (each possibly preceded by ! to - * indicate negation). Returns true if there is a positive match; zero - * otherwise. + * indicate negation). Returns -1 if negation matches, 1 if there is + * a positive match, 0 if there is no match at all. */ int match_hostname(const char *host, const char *pattern, unsigned int len); diff --git a/readconf.c b/readconf.c index 3b4e048b..cbcc927c 100644 --- a/readconf.c +++ b/readconf.c @@ -92,7 +92,7 @@ typedef enum { oBadOption, oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication, oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh, - oSkeyAuthentication, + oSkeyAuthentication, oXAuthLocation, #ifdef KRB4 oKerberosAuthentication, #endif /* KRB4 */ @@ -116,6 +116,7 @@ static struct { } keywords[] = { { "forwardagent", oForwardAgent }, { "forwardx11", oForwardX11 }, + { "xauthlocation", oXAuthLocation }, { "gatewayports", oGatewayPorts }, { "useprivilegedport", oUsePrivilegedPort }, { "rhostsauthentication", oRhostsAuthentication }, @@ -396,6 +397,10 @@ parse_flag: } break; + case oXAuthLocation: + charptr=&options->xauth_location; + goto parse_string; + case oUser: charptr = &options->user; parse_string: @@ -644,6 +649,7 @@ initialize_options(Options * options) memset(options, 'X', sizeof(*options)); options->forward_agent = -1; options->forward_x11 = -1; + options->xauth_location = NULL; options->gateway_ports = -1; options->use_privileged_port = -1; options->rhosts_authentication = -1; 
@@ -700,6 +706,10 @@ fill_default_options(Options * options) options->forward_agent = 0; if (options->forward_x11 == -1) options->forward_x11 = 0; +#ifdef XAUTH_PATH + if (options->xauth_location == NULL) + options->xauth_location = XAUTH_PATH; +#endif /* XAUTH_PATH */ if (options->gateway_ports == -1) options->gateway_ports = 0; if (options->use_privileged_port == -1) diff --git a/readconf.h b/readconf.h index f7d33362..07da7e7c 100644 --- a/readconf.h +++ b/readconf.h @@ -30,6 +30,7 @@ typedef struct { typedef struct { int forward_agent; /* Forward authentication agent. */ int forward_x11; /* Forward X11 display. */ + char *xauth_location; /* Location for xauth program */ int gateway_ports; /* Allow remote connects to forwarded ports. */ int use_privileged_port; /* Don't use privileged port if false. */ int rhosts_authentication; /* Try rhosts authentication. */ diff --git a/servconf.c b/servconf.c index 6f4f8218..bf452958 100644 --- a/servconf.c +++ b/servconf.c @@ -44,6 +44,7 @@ initialize_server_options(ServerOptions *options) options->check_mail = -1; options->x11_forwarding = -1; options->x11_display_offset = -1; + options->xauth_location = NULL; options->strict_modes = -1; options->keepalives = -1; options->log_facility = (SyslogFacility) - 1; @@ -109,6 +110,10 @@ fill_default_server_options(ServerOptions *options) options->x11_forwarding = 0; if (options->x11_display_offset == -1) options->x11_display_offset = 10; +#ifdef XAUTH_PATH + if (options->xauth_location == NULL) + options->xauth_location = XAUTH_PATH; +#endif /* XAUTH_PATH */ if (options->strict_modes == -1) options->strict_modes = 1; if (options->keepalives == -1) 
@@ -177,7 +182,7 @@ typedef enum { sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile, - sGatewayPorts, sDSAAuthentication + sGatewayPorts, sDSAAuthentication, sXAuthLocation } ServerOpCodes; /* Textual representation of the tokens. */ @@ -219,6 +224,7 @@ static struct { { "ignoreuserknownhosts", sIgnoreUserKnownHosts }, { "x11forwarding", sX11Forwarding }, { "x11displayoffset", sX11DisplayOffset }, + { "xauthlocation", sXAuthLocation }, { "strictmodes", sStrictModes }, { "permitemptypasswords", sEmptyPasswd }, { "uselogin", sUseLogin }, @@ -365,6 +371,7 @@ parse_int: case sHostDSAKeyFile: charptr = (opcode == sHostKeyFile ) ? &options->host_key_file : &options->host_dsa_key_file; +parse_filename: cp = strtok(NULL, WHITESPACE); if (!cp) { fprintf(stderr, "%s line %d: missing file name.\n", @@ -377,15 +384,7 @@ parse_int: case sPidFile: charptr = &options->pid_file; - cp = strtok(NULL, WHITESPACE); - if (!cp) { - fprintf(stderr, "%s line %d: missing file name.\n", - filename, linenum); - exit(1); - } - if (*charptr == NULL) - *charptr = tilde_expand_filename(cp, getuid()); - break; + goto parse_filename; case sRandomSeedFile: fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n", @@ -508,6 +507,10 @@ parse_flag: intptr = &options->x11_display_offset; goto parse_int; + case sXAuthLocation: + charptr = &options->xauth_location; + goto parse_filename; + case sStrictModes: intptr = &options->strict_modes; goto parse_flag; diff --git a/servconf.h b/servconf.h index 40ef05fb..b8675481 100644 --- a/servconf.h +++ b/servconf.h 
@@ -47,6 +47,7 @@ typedef struct { int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */ int x11_display_offset; /* What DISPLAY number to start * searching at */ + char *xauth_location; /* Location of xauth program */ int strict_modes; /* If true, require string home dir modes. */ int keepalives; /* If true, set SO_KEEPALIVE. */ char *ciphers; /* Ciphers in order of preference. */ diff --git a/session.c b/session.c index 4791857c..0fdd613a 100644 --- a/session.c +++ b/session.c @@ -812,6 +812,10 @@ do_child(const char *command, struct passwd * pw, const char *term, struct stat st; char *argv[10]; + /* login(1) is only called if we execute the login shell */ + if (options.use_login && command != NULL) + options.use_login = 0; + #ifndef USE_PAM /* pam_nologin handles this */ f = fopen("/etc/nologin", "r"); if (f) { diff --git a/ssh-keygen.c b/ssh-keygen.c index 07328ac8..83034cb9 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -520,7 +520,7 @@ main(int ac, char **av) extern int optind; extern char *optarg; - OpenSSL_add_all_algorithms(); + SSLeay_add_all_algorithms(); /* we need this for the home * directory. */ pw = getpwuid(getuid()); diff --git a/ssh.1 b/ssh.1 index c8405d7c..313acdc0 100644 --- a/ssh.1 +++ b/ssh.1 @@ -940,6 +940,12 @@ The argument must be .Dq yes or .Dq no . +.It Cm XAuthLocation +Specifies the location of the +.Xr xauth 1 +program. +The default is +.Pa /usr/X11R6/bin/xauth . .Sh ENVIRONMENT .Nm will normally set the following environment variables: diff --git a/ssh.c b/ssh.c index 7b9ed7a2..01603b46 100644 --- a/ssh.c +++ b/ssh.c @@ -438,7 +438,7 @@ main(int ac, char **av) /* Initialize the command to execute on remote host. */ buffer_init(&command); - OpenSSL_add_all_algorithms(); + SSLeay_add_all_algorithms(); /* * Save the command to execute on the remote host in a buffer. There 
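Review bot: The comment added in do_child() (session.c), "login(1) is only called if we execute the login shell", does not record why the override exists. Per the commit message, leaving use_login set for a remote command would have that command execed with uid==0. Suggested wording: `/* UseLogin applies to login shells only: a remote command is never handed to login(1), so clear the flag here or the command is execed with uid==0. */`. The assignment writes to the global `options`, which is fine as long as do_child() runs only in the forked child; that cannot be confirmed from this hunk, since the rest of the function is outside it.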
@@ -677,17 +677,17 @@ x11_get_proto(char *proto, int proto_len, char *data, int data_len) FILE *f; int got_data = 0, i; -#ifdef XAUTH_PATH - /* Try to get Xauthority information for the display. */ - snprintf(line, sizeof line, "%.100s list %.200s 2>/dev/null", - XAUTH_PATH, getenv("DISPLAY")); - f = popen(line, "r"); - if (f && fgets(line, sizeof(line), f) && - sscanf(line, "%*s %s %s", proto, data) == 2) - got_data = 1; - if (f) - pclose(f); -#endif /* XAUTH_PATH */ + if (options.xauth_location) { + /* Try to get Xauthority information for the display. */ + snprintf(line, sizeof line, "%.100s list %.200s 2>/dev/null", + options.xauth_location, getenv("DISPLAY")); + f = popen(line, "r"); + if (f && fgets(line, sizeof(line), f) && + sscanf(line, "%*s %s %s", proto, data) == 2) + got_data = 1; + if (f) + pclose(f); + } /* * If we didn't get authentication data, just make up some * data. The forwarding code will check the validity of the diff --git a/sshconnect2.c b/sshconnect2.c index 0abcf89a..77b8652e 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -28,7 +28,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.11 2000/05/25 20:45:20 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.13 2000/06/02 02:00:19 todd Exp $"); #include #include @@ -71,7 +71,6 @@ void ssh_kex_dh(Kex *kex, char *host, struct sockaddr *hostaddr, Buffer *client_kexinit, Buffer *server_kexinit) { - int i; int plen, dlen; unsigned int klen, kout; char *signature = NULL; @@ -265,9 +264,12 @@ ssh2_try_passwd(const char *server_user, const char *host, const char *service) char prompt[80]; char *password; - if (attempt++ > options.number_of_password_prompts) + if (attempt++ >= options.number_of_password_prompts) return 0; + if(attempt != 1) + error("Permission denied, please try again."); + snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ", server_user, host); password = read_passphrase(prompt, 0); diff --git a/sshd.8 b/sshd.8 index f9708289..e8e05355 100644 --- a/sshd.8 
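Review bot: In x11_get_proto() (ssh.c) the xauth path is no longer a compile-time constant: `options.xauth_location` comes from the new XAuthLocation keyword and is formatted, together with `getenv("DISPLAY")`, into a string that popen() passes to the shell. Shell metacharacters in either value would be interpreted, and a NULL from getenv() would reach `%.200s` unless the caller has already checked DISPLAY, which is not visible here. The block should be guarded with something like `if (options.xauth_location != NULL && options.xauth_location[0] == '/' && display != NULL)`, and both strings should be rejected if they contain anything outside a conservative character set; running xauth without a shell would remove the quoting problem entirely. The carried-over `sscanf(line, "%*s %s %s", proto, data)` also ignores `proto_len` and `data_len`, so bounded conversions are worth adding while this code is being touched.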
+++ b/sshd.8 @@ -552,7 +552,10 @@ The default is AUTH. .It Cm UseLogin Specifies whether .Xr login 1 -is used. +is used for interactive login sessions. +Note that +.Xr login 1 +is not never for remote command execution. The default is .Dq no . .It Cm X11DisplayOffset @@ -569,6 +572,12 @@ The default is .Dq no . Note that disabling X11 forwarding does not improve security in any way, as users can always install their own forwarders. +.It Cm XAuthLocation +Specifies the location of the +.Xr xauth 1 +program. +The default is +.Pa /usr/X11R6/bin/xauth . .El .Sh LOGIN PROCESS When a user successfully logs in, diff --git a/version.h b/version.h index d577644d..fc63bc10 100644 --- a/version.h +++ b/version.h @@ -1 +1 @@ -#define SSH_VERSION "OpenSSH-2.1" +#define SSH_VERSION "OpenSSH_2.1.1"