From d343d900d99497266aa41c838d8a7ad050b43392 Mon Sep 17 00:00:00 2001 From: mouring Date: Tue, 21 Nov 2000 21:24:55 +0000 Subject: [PATCH] 20001123 - (bal) Merge OpenBSD changes: - markus@cvs.openbsd.org 2000/11/15 22:31:36 [auth-options.c] case insensitive key options; from stevesk@sweeden.hp.com - markus@cvs.openbsd.org 2000/11/16 17:55:43 [dh.c] do not use perror() in sshd, after child is forked() - markus@cvs.openbsd.org 2000/11/14 23:42:40 [auth-rsa.c] parse option only if key matches; fix some confusing seen by the client - markus@cvs.openbsd.org 2000/11/14 23:44:19 [session.c] check no_agent_forward_flag for ssh-2, too - markus@cvs.openbsd.org 2000/11/15 [ssh-agent.1] reorder SYNOPSIS; typo, use .It - markus@cvs.openbsd.org 2000/11/14 23:48:55 [ssh-agent.c] do not reorder keys if a key is removed - markus@cvs.openbsd.org 2000/11/15 19:58:08 [ssh.c] just ignore non existing user keys - millert@cvs.openbsd.org 200/11/15 20:24:43 [ssh-keygen.c] Add missing \n at end of error message. --- ChangeLog | 27 +++++++++++++++++++++++++++ auth-options.c | 16 ++++++++-------- auth-rsa.c | 14 +++++++------- dh.c | 6 ++---- session.c | 6 +++++- ssh-agent.1 | 18 +++++++++--------- ssh-agent.c | 18 ++++++++++++------ ssh-keygen.c | 4 ++-- ssh.c | 4 ++-- 9 files changed, 74 insertions(+), 39 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9247ca02..4cf384c0 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,30 @@ +20001123 + - (bal) Merge OpenBSD changes: + - markus@cvs.openbsd.org 2000/11/15 22:31:36 + [auth-options.c] + case insensitive key options; from stevesk@sweeden.hp.com + - markus@cvs.openbsd.org 2000/11/16 17:55:43 + [dh.c] + do not use perror() in sshd, after child is forked() + - markus@cvs.openbsd.org 2000/11/14 23:42:40 + [auth-rsa.c] + parse option only if key matches; fix some confusing seen by the client + - markus@cvs.openbsd.org 2000/11/14 23:44:19 + [session.c] + check no_agent_forward_flag for ssh-2, too + - markus@cvs.openbsd.org 2000/11/15 + [ssh-agent.1] + reorder SYNOPSIS; typo, use .It + - markus@cvs.openbsd.org 2000/11/14 23:48:55 + [ssh-agent.c] + do not reorder keys if a key is removed + - markus@cvs.openbsd.org 2000/11/15 19:58:08 + [ssh.c] + just ignore non existing user keys + - millert@cvs.openbsd.org 200/11/15 20:24:43 + [ssh-keygen.c] + Add missing \n at end of error message. + 20001122 - (bal) Minor patch to ensure platforms lacking IRIX job limit supports are compilable. diff --git a/auth-options.c b/auth-options.c index c9c149d6..181bf732 100644 --- a/auth-options.c +++ b/auth-options.c @@ -14,7 +14,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-options.c,v 1.5 2000/10/09 21:32:34 markus Exp $"); +RCSID("$OpenBSD: auth-options.c,v 1.6 2000/11/15 22:31:36 markus Exp $"); #include "ssh.h" #include "packet.h" 
@@ -65,35 +65,35 @@ auth_parse_options(struct passwd *pw, char *options, unsigned long linenum) while (*options && *options != ' ' && *options != '\t') { cp = "no-port-forwarding"; - if (strncmp(options, cp, strlen(cp)) == 0) { + if (strncasecmp(options, cp, strlen(cp)) == 0) { packet_send_debug("Port forwarding disabled."); no_port_forwarding_flag = 1; options += strlen(cp); goto next_option; } cp = "no-agent-forwarding"; - if (strncmp(options, cp, strlen(cp)) == 0) { + if (strncasecmp(options, cp, strlen(cp)) == 0) { packet_send_debug("Agent forwarding disabled."); no_agent_forwarding_flag = 1; options += strlen(cp); goto next_option; } cp = "no-X11-forwarding"; - if (strncmp(options, cp, strlen(cp)) == 0) { + if (strncasecmp(options, cp, strlen(cp)) == 0) { packet_send_debug("X11 forwarding disabled."); no_x11_forwarding_flag = 1; options += strlen(cp); goto next_option; } cp = "no-pty"; - if (strncmp(options, cp, strlen(cp)) == 0) { + if (strncasecmp(options, cp, strlen(cp)) == 0) { packet_send_debug("Pty allocation disabled."); no_pty_flag = 1; options += strlen(cp); goto next_option; } cp = "command=\""; - if (strncmp(options, cp, strlen(cp)) == 0) { + if (strncasecmp(options, cp, strlen(cp)) == 0) { int i; options += strlen(cp); forced_command = xmalloc(strlen(options) + 1); @@ -121,7 +121,7 @@ auth_parse_options(struct passwd *pw, char *options, unsigned long linenum) goto next_option; } cp = "environment=\""; - if (strncmp(options, cp, strlen(cp)) == 0) { + if (strncasecmp(options, cp, strlen(cp)) == 0) { int i; char *s; struct envstring *new_envstring; @@ -156,7 +156,7 @@ auth_parse_options(struct passwd *pw, char *options, unsigned long linenum) goto next_option; } cp = "from=\""; - if (strncmp(options, cp, strlen(cp)) == 0) { + if (strncasecmp(options, cp, strlen(cp)) == 0) { int mname, mip; char *patterns = xmalloc(strlen(options) + 1); int i; diff --git a/auth-rsa.c b/auth-rsa.c index e8bfa165..72cb909d 100644 --- a/auth-rsa.c +++ b/auth-rsa.c 
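Review bot: `strncasecmp` is a POSIX/BSD function declared in `<strings.h>`, not ISO C, so each of the seven keyword matches in auth_parse_options now depends on includes.h (or configure) supplying it on every target the portable tree builds for; presumably it already does, but that is worth confirming on the non-BSD platforms. Nothing in the code says the keywords are case-insensitive while the `from=`, `command=` and `environment=` payloads stay case-sensitive, so a one-line comment at the top of the loop would help the next reader, e.g. `/* option keywords match case-insensitively; their values do not */`, and sshd's manual page should state the same. Note these are still prefix matches over `strlen(cp)` bytes, so whatever `next_option` does with the remainder decides whether something like `no-ptyx` is rejected; that code, and the start and end of auth_parse_options, are outside the hunk.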
@@ -14,7 +14,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rsa.c,v 1.32 2000/10/14 12:19:45 markus Exp $"); +RCSID("$OpenBSD: auth-rsa.c,v 1.33 2000/11/14 23:42:40 markus Exp $"); #include "rsa.h" #include "packet.h" @@ -231,12 +231,6 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) } } else options = NULL; - /* - * If our options do not allow this key to be used, - * do not send challenge. - */ - if (!auth_parse_options(pw, options, linenum)) - continue; /* Parse the key from the line. */ if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) { @@ -259,6 +253,12 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) file, linenum, BN_num_bits(pk->n), bits); /* We have found the desired key. */ + /* + * If our options do not allow this key to be used, + * do not send challenge. + */ + if (!auth_parse_options(pw, options, linenum)) + continue; /* Perform the challenge-response dialog for this key. */ if (!auth_rsa_challenge_dialog(pk)) { diff --git a/dh.c b/dh.c index ff84619c..35e90143 100644 --- a/dh.c +++ b/dh.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: dh.c,v 1.2 2000/10/11 20:11:35 markus Exp $"); +RCSID("$OpenBSD: dh.c,v 1.3 2000/11/16 17:55:43 markus Exp $"); #include "xmalloc.h" @@ -102,7 +102,6 @@ choose_dh(int minbits) f = fopen(DH_PRIMES, "r"); if (!f) { - perror(DH_PRIMES); log("WARNING: %s does not exist, using old prime", DH_PRIMES); return (dh_new_group1()); } @@ -133,8 +132,7 @@ choose_dh(int minbits) f = fopen(DH_PRIMES, "r"); if (!f) { - perror(DH_PRIMES); - exit(1); + fatal("WARNING: %s dissappeared, giving up", DH_PRIMES); } linenum = 0; diff --git a/session.c b/session.c index 890e16d5..826307ef 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.43 2000/11/06 23:04:56 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.44 2000/11/14 23:44:19 markus Exp $"); #include "xmalloc.h" #include "ssh.h" 
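Review bot: Moving `auth_parse_options` after the key match means a line whose options reject the key (a `from=` mismatch, say) now reaches `continue` and the search goes on to later lines, but auth_parse_options writes global state such as `no_port_forwarding_flag` and `forced_command` as it parses (visible in the auth-options.c hunk), so any flags set before the rejection can carry over to a later line that does match. Unless auth_parse_options itself clears that state on its failure path — its start and end are not visible here — the `continue` should be preceded by a reset of those flags, via whatever clearing helper the file provides or by zeroing them explicitly. The enclosing auth_rsa loop begins and ends outside the hunk.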
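Review bot: The new `fatal()` message in choose_dh misspells a user-visible word and is labelled WARNING although it terminates sshd: `fatal("%s disappeared, giving up", DH_PRIMES);`. Dropping `perror()` also throws away the reason for the earlier fopen() failure, so the first branch now reports "does not exist" for any error, including EACCES on a mis-permissioned primes file; `log("WARNING: could not open %s: %s, using old prime", DH_PRIMES, strerror(errno));` keeps that information without writing to the forked child's stderr, assuming `<errno.h>` and `<string.h>` arrive through includes.h. choose_dh begins and ends outside the hunk.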
@@ -1745,6 +1745,10 @@ session_auth_agent_req(Session *s) { static int called = 0; packet_done(); + if (no_agent_forwarding_flag) { + debug("session_auth_agent_req: no_agent_forwarding_flag"); + return 0; + } if (called) { return 0; } else { diff --git a/ssh-agent.1 b/ssh-agent.1 index 31ea2b31..3ee5074b 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.17 2000/11/10 05:10:40 aaron Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.19 2000/11/15 20:09:01 markus Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -42,12 +42,12 @@ .Nd authentication agent .Sh SYNOPSIS .Nm ssh-agent -.Op Fl c Li | Fl s -.Op Fl k -.Oo .Ar command -.Op Ar args ... -.Oc +.Ar args ... +.Nm ssh-agent +.Op Fl c Li | Fl s +.Nm ssh-agent +.Fl k .Sh DESCRIPTION .Nm is a program to hold private keys used for public key authentication @@ -154,7 +154,7 @@ but is normally added to the agent using at login time. .It Pa $HOME/.ssh/id_dsa Contains the DSA authentication identity of the user. -.Pq Pa /tmp/ssh-XXXXXXXX/agent. , +.It Pa /tmp/ssh-XXXXXXXX/agent. Unix-domain sockets used to contain the connection to the authentication agent. These sockets should only be readable by the owner. @@ -172,7 +172,7 @@ This version of OpenSSH .Bl -bullet .It has all components of a restrictive nature (i.e., patents, see -.Xr crypto 3 ) +.Xr ssl 8 ) directly removed from the source code; any licensed or patented components are chosen from external libraries. @@ -191,4 +191,4 @@ supports one-time password authentication with .Xr ssh-add 1 , .Xr ssh-keygen 1 , .Xr sshd 8 , -.Xr crypto 3 +.Xr ssl 8 diff --git a/ssh-agent.c b/ssh-agent.c index f5f87cca..6f89dd5c 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.39 2000/11/12 19:50:38 markus Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.40 2000/11/14 23:48:55 markus Exp $ */ /* * Author: Tatu Ylonen 
@@ -37,7 +37,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-agent.c,v 1.39 2000/11/12 19:50:38 markus Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.40 2000/11/14 23:48:55 markus Exp $"); #include "ssh.h" #include "rsa.h" @@ -308,8 +308,9 @@ process_remove_identity(SocketEntry *e, int version) /* * We have this key. Free the old key. Since we * don\'t want to leave empty slots in the middle of - * the array, we actually free the key there and copy - * data from the last entry. + * the array, we actually free the key there and move + * all the entries between the empty slot and the end + * of the array. */ Idtab *tab = idtab_lookup(version); key_free(tab->identities[idx].key); @@ -318,8 +319,13 @@ process_remove_identity(SocketEntry *e, int version) fatal("process_remove_identity: " "internal error: tab->nentries %d", tab->nentries); - if (idx != tab->nentries - 1) - tab->identities[idx] = tab->identities[tab->nentries - 1]; + if (idx != tab->nentries - 1) { + int i; + for (i = idx; i < tab->nentries - 1; i++) + tab->identities[i] = tab->identities[i+1]; + } + tab->identities[tab->nentries - 1].key = NULL; + tab->identities[tab->nentries - 1].comment = NULL; tab->nentries--; success = 1; } diff --git a/ssh-keygen.c b/ssh-keygen.c index 3653fc24..5da90035 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.33 2000/11/12 19:50:38 markus Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.34 2000/11/15 20:24:43 millert Exp $"); #include #include @@ -727,7 +727,7 @@ main(int ac, char **av) if (key_type_name != NULL) { type = key_type_from_name(key_type_name); if (type == KEY_UNSPEC) { - fprintf(stderr, "unknown key type %s", key_type_name); + fprintf(stderr, "unknown key type %s\n", key_type_name); exit(1); } } diff --git a/ssh.c b/ssh.c index a1cedc7e..b41c87e1 100644 --- a/ssh.c +++ b/ssh.c 
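Review bot: The shift loop in process_remove_identity is correct, but the `if (idx != tab->nentries - 1)` guard is redundant — the loop already runs zero times in that case — and the element-by-element copy is exactly what `memmove` is for: `memmove(&tab->identities[idx], &tab->identities[idx + 1], (tab->nentries - 1 - idx) * sizeof(tab->identities[0]));`. Nulling the vacated last slot's `key` and `comment` is a good defensive step that deserves a comment, since the stale pointers of the freed entry would otherwise survive there in an agent that holds private keys: `/* the last slot is now stale; null it so a later bug cannot free it twice */`. This assumes the removed entry's comment is freed in the lines the hunk omits; process_remove_identity starts and ends outside the hunk.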
@@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.72 2000/11/12 19:50:38 markus Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.73 2000/11/15 19:58:08 markus Exp $"); #include #include @@ -1049,7 +1049,7 @@ guess_identity_file_type(const char *filename) int type = KEY_RSA1; /* default */ if (stat(filename, &st) < 0) { - perror(filename); + /* ignore this key */ return KEY_UNSPEC; } public = key_new(type); -- 2.45.1
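Review bot: Replacing `perror(filename)` with a bare comment makes a stat() failure on an identity file completely silent, so a typo in an IdentityFile path or an EACCES on the key becomes indistinguishable from a default key that was simply never generated; the commit's goal of not complaining about absent default keys is met just as well by `debug("guess_identity_file_type: %s: %s", filename, strerror(errno));`, which only shows under -v. The comment itself should say why the error is deliberately ignored rather than merely that it is: `/* missing default identities are normal; report only under -v */`. guess_identity_file_type continues past the end of the hunk.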