author | Ben Lindstrom <mouring@eviladmin.org> | 2000-12-28 16:40:05 +0000 |
---|---|---|
committer | Ben Lindstrom <mouring@eviladmin.org> | 2000-12-28 16:40:05 +0000 |
commit | 4dccfa5fb73853e6c9281beac2c42a31391acdc7 (patch) | |
tree | 2a64c6b1e096010f2b5fd45a08f9878cac5d400e | |
parent | 42717bf8fff94146edf43ea266113f1a54456c62 (diff) |
- (bal) OpenBSD CVS Update
- markus@cvs.openbsd.org 2000/12/28 14:25:51
[auth.h auth2.c]
count authentication failures only
- markus@cvs.openbsd.org 2000/12/28 14:25:03
[sshconnect.c]
fingerprint for MITM attacks, too.
- markus@cvs.openbsd.org 2000/12/28 12:03:57
[sshd.8 sshd.c]
document -D
- markus@cvs.openbsd.org 2000/12/27 14:19:21
[serverloop.c]
less chatty
- markus@cvs.openbsd.org 2000/12/27 12:34
[auth1.c sshconnect2.c sshd.c]
typo
- markus@cvs.openbsd.org 2000/12/27 12:30:19
[readconf.c readconf.h ssh.1 sshconnect.c]
new option: HostKeyAlias: allow the user to record the host key
under a different name. This is useful for ssh tunneling over
forwarded connections or if you run multiple sshd's on different
ports on the same machine.
- markus@cvs.openbsd.org 2000/12/27 11:51:53
[ssh.1 ssh.c]
multiple -t force pty allocation, document ORIGINAL_COMMAND
- markus@cvs.openbsd.org 2000/12/27 11:41:31
[sshd.8]
update for ssh-2
-rw-r--r-- | ChangeLog | 28 | ||||
-rw-r--r-- | auth.h | 3 | ||||
-rw-r--r-- | auth1.c | 8 | ||||
-rw-r--r-- | auth2.c | 21 | ||||
-rw-r--r-- | readconf.c | 11 | ||||
-rw-r--r-- | readconf.h | 3 | ||||
-rw-r--r-- | serverloop.c | 4 | ||||
-rw-r--r-- | ssh.1 | 24 | ||||
-rw-r--r-- | ssh.c | 9 | ||||
-rw-r--r-- | sshconnect.c | 30 | ||||
-rw-r--r-- | sshconnect2.c | 4 | ||||
-rw-r--r-- | sshd.8 | 41 | ||||
-rw-r--r-- | sshd.c | 5 |
13 files changed, 140 insertions, 51 deletions
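--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,34 @@
 20001229
 - (bal) Fixed spelling of 'authorized_keys' in ssh-copy-id.1 by Christian
 Kurz <shorty@debain.org>
+- (bal) OpenBSD CVS Update
+- markus@cvs.openbsd.org 2000/12/28 14:25:51
+[auth.h auth2.c]
+count authentication failures only
+- markus@cvs.openbsd.org 2000/12/28 14:25:03
+[sshconnect.c]
+fingerprint for MITM attacks, too.
+- markus@cvs.openbsd.org 2000/12/28 12:03:57
+[sshd.8 sshd.c]
+document -D
+- markus@cvs.openbsd.org 2000/12/27 14:19:21
+[serverloop.c]
+less chatty
+- markus@cvs.openbsd.org 2000/12/27 12:34
+[auth1.c sshconnect2.c sshd.c]
+typo
+- markus@cvs.openbsd.org 2000/12/27 12:30:19
+[readconf.c readconf.h ssh.1 sshconnect.c]
+new option: HostKeyAlias: allow the user to record the host key
+under a different name. This is useful for ssh tunneling over
+forwarded connections or if you run multiple sshd's on different
+ports on the same machine.
+- markus@cvs.openbsd.org 2000/12/27 11:51:53
+[ssh.1 ssh.c]
+multiple -t force pty allocation, document ORIGINAL_COMMAND
+- markus@cvs.openbsd.org 2000/12/27 11:41:31
+[sshd.8]
+update for ssh-2
 
 20001228
 - (bal) Patch to add libutil.h to loginrec.c only if the platform has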
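--- a/auth.h
+++ b/auth.h
@@ -20,6 +20,8 @@
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*
+* $OpenBSD: auth.h,v 1.8 2000/12/28 14:25:51 markus Exp $
 */
 #ifndef AUTH_H
 #define AUTH_H
@@ -29,6 +31,7 @@ struct Authctxt {
 int success;
 int valid;
 int attempt;
+int failures;
 char *user;
 char *service;
 struct passwd *pw;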
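Review bot: The new `int failures;` is added right after `int attempt;` with no comment, and after this commit the two fields mean different things: the auth2.c hunks increment `attempt` on every userauth request and `failures` only when `userauth_reply` runs with `authenticated == 0`, disconnecting once `failures` reaches `AUTH_FAIL_MAX`. Suggest `int failures; /* userauth requests rejected so far; disconnect at AUTH_FAIL_MAX */` and, so the pair reads consistently, `int attempt; /* userauth requests seen, successful or not */`. Both comments describe behaviour that lives in auth2.c rather than in this header, so they should be kept in step if that logic moves again. The struct Authctxt definition begins before this hunk.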
@@ -10,7 +10,7 @@ | |||
10 | */ | 10 | */ |
11 | 11 | ||
12 | #include "includes.h" | 12 | #include "includes.h" |
13 | RCSID("$OpenBSD: auth1.c,v 1.8 2000/12/19 23:17:55 markus Exp $"); | 13 | RCSID("$OpenBSD: auth1.c,v 1.9 2000/12/27 12:34:49 markus Exp $"); |
14 | 14 | ||
15 | #ifdef HAVE_OSF_SIA | 15 | #ifdef HAVE_OSF_SIA |
16 | # include <sia.h> | 16 | # include <sia.h> |
@@ -71,7 +71,7 @@ get_authname(int type) | |||
71 | 71 | ||
72 | /* | 72 | /* |
73 | * read packets and try to authenticate local user 'luser'. | 73 | * read packets and try to authenticate local user 'luser'. |
74 | * return if authentication is successfull. not that pw == NULL | 74 | * return if authentication is successful. not that pw == NULL |
75 | * if the user does not exists or is not allowed to login. | 75 | * if the user does not exists or is not allowed to login. |
76 | * each auth method has to 'fake' authentication for nonexisting | 76 | * each auth method has to 'fake' authentication for nonexisting |
77 | * users. | 77 | * users. |
@@ -469,11 +469,11 @@ do_authentication() | |||
469 | } else { | 469 | } else { |
470 | /* Loop until the user has been authenticated or the | 470 | /* Loop until the user has been authenticated or the |
471 | connection is closed, do_authloop() returns only if | 471 | connection is closed, do_authloop() returns only if |
472 | authentication is successfull */ | 472 | authentication is successful */ |
473 | do_authloop(pw, user); | 473 | do_authloop(pw, user); |
474 | } | 474 | } |
475 | if (pw == NULL) | 475 | if (pw == NULL) |
476 | fatal("internal error, authentication successfull for user '%.100s'", user); | 476 | fatal("internal error, authentication successful for user '%.100s'", user); |
477 | 477 | ||
478 | /* The user has been authenticated and accepted. */ | 478 | /* The user has been authenticated and accepted. */ |
479 | packet_start(SSH_SMSG_SUCCESS); | 479 | packet_start(SSH_SMSG_SUCCESS); |
@@ -23,7 +23,7 @@ | |||
23 | */ | 23 | */ |
24 | 24 | ||
25 | #include "includes.h" | 25 | #include "includes.h" |
26 | RCSID("$OpenBSD: auth2.c,v 1.23 2000/12/19 23:17:55 markus Exp $"); | 26 | RCSID("$OpenBSD: auth2.c,v 1.24 2000/12/28 14:25:51 markus Exp $"); |
27 | 27 | ||
28 | #ifdef HAVE_OSF_SIA | 28 | #ifdef HAVE_OSF_SIA |
29 | # include <sia.h> | 29 | # include <sia.h> |
@@ -124,6 +124,7 @@ do_authentication2() | |||
124 | memset(authctxt, 'a', sizeof(*authctxt)); | 124 | memset(authctxt, 'a', sizeof(*authctxt)); |
125 | authctxt->valid = 0; | 125 | authctxt->valid = 0; |
126 | authctxt->attempt = 0; | 126 | authctxt->attempt = 0; |
127 | authctxt->failures = 0; | ||
127 | authctxt->success = 0; | 128 | authctxt->success = 0; |
128 | x_authctxt = authctxt; /*XXX*/ | 129 | x_authctxt = authctxt; /*XXX*/ |
129 | 130 | ||
@@ -190,21 +191,14 @@ input_userauth_request(int type, int plen, void *ctxt) | |||
190 | 191 | ||
191 | if (authctxt == NULL) | 192 | if (authctxt == NULL) |
192 | fatal("input_userauth_request: no authctxt"); | 193 | fatal("input_userauth_request: no authctxt"); |
193 | if (authctxt->attempt++ >= AUTH_FAIL_MAX) { | ||
194 | #ifdef WITH_AIXAUTHENTICATE | ||
195 | loginfailed(authctxt->user?authctxt->user:"NOUSER", | ||
196 | get_canonical_hostname(), "ssh"); | ||
197 | #endif /* WITH_AIXAUTHENTICATE */ | ||
198 | packet_disconnect("too many failed userauth_requests"); | ||
199 | } | ||
200 | 194 | ||
201 | user = packet_get_string(NULL); | 195 | user = packet_get_string(NULL); |
202 | service = packet_get_string(NULL); | 196 | service = packet_get_string(NULL); |
203 | method = packet_get_string(NULL); | 197 | method = packet_get_string(NULL); |
204 | debug("userauth-request for user %s service %s method %s", user, service, method); | 198 | debug("userauth-request for user %s service %s method %s", user, service, method); |
205 | debug("attempt #%d", authctxt->attempt); | 199 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); |
206 | 200 | ||
207 | if (authctxt->attempt == 1) { | 201 | if (authctxt->attempt++ == 0) { |
208 | /* setup auth context */ | 202 | /* setup auth context */ |
209 | struct passwd *pw = NULL; | 203 | struct passwd *pw = NULL; |
210 | setproctitle("%s", user); | 204 | setproctitle("%s", user); |
@@ -273,7 +267,7 @@ userauth_log(Authctxt *authctxt, int authenticated, char *method) | |||
273 | /* Raise logging level */ | 267 | /* Raise logging level */ |
274 | if (authenticated == 1 || | 268 | if (authenticated == 1 || |
275 | !authctxt->valid || | 269 | !authctxt->valid || |
276 | authctxt->attempt >= AUTH_FAIL_LOG || | 270 | authctxt->failures >= AUTH_FAIL_LOG || |
277 | strcmp(method, "password") == 0) | 271 | strcmp(method, "password") == 0) |
278 | authlog = log; | 272 | authlog = log; |
279 | 273 | ||
@@ -302,6 +296,7 @@ userauth_log(Authctxt *authctxt, int authenticated, char *method) | |||
302 | void | 296 | void |
303 | userauth_reply(Authctxt *authctxt, int authenticated) | 297 | userauth_reply(Authctxt *authctxt, int authenticated) |
304 | { | 298 | { |
299 | char *methods; | ||
305 | /* XXX todo: check if multiple auth methods are needed */ | 300 | /* XXX todo: check if multiple auth methods are needed */ |
306 | if (authenticated == 1) { | 301 | if (authenticated == 1) { |
307 | #ifdef WITH_AIXAUTHENTICATE | 302 | #ifdef WITH_AIXAUTHENTICATE |
@@ -318,7 +313,9 @@ userauth_reply(Authctxt *authctxt, int authenticated) | |||
318 | /* now we can break out */ | 313 | /* now we can break out */ |
319 | authctxt->success = 1; | 314 | authctxt->success = 1; |
320 | } else if (authenticated == 0) { | 315 | } else if (authenticated == 0) { |
321 | char *methods = authmethods_get(); | 316 | if (authctxt->failures++ >= AUTH_FAIL_MAX) |
317 | packet_disconnect("too many failed userauth_requests"); | ||
318 | methods = authmethods_get(); | ||
322 | packet_start(SSH2_MSG_USERAUTH_FAILURE); | 319 | packet_start(SSH2_MSG_USERAUTH_FAILURE); |
323 | packet_put_cstring(methods); | 320 | packet_put_cstring(methods); |
324 | packet_put_char(0); /* XXX partial success, unused */ | 321 | packet_put_char(0); /* XXX partial success, unused */ |
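Review bot: The disconnect path now in `userauth_reply` drops the `WITH_AIXAUTHENTICATE` `loginfailed()` call that the removed block in `input_userauth_request` made before `packet_disconnect("too many failed userauth_requests")`; unless `loginfailed` is reached elsewhere on the failure path (not visible in these hunks), AIX builds lose that audit record when a client is cut off at `AUTH_FAIL_MAX`, and restoring the removed `loginfailed(authctxt->user?authctxt->user:"NOUSER", get_canonical_hostname(), "ssh");` under its `#ifdef` immediately before the `packet_disconnect` keeps the accounting as it was. Counting in `userauth_reply` also means only requests that reach the `authenticated == 0` arm count toward the limit; the `== 1` arm is the only other one visible here, so if any method can return to `input_userauth_request` without passing through this function (a postponed or partial result, say), those requests are no longer bounded by `AUTH_FAIL_MAX`, which is worth confirming in the caller, whose body continues outside the hunk. Minor: the debug line now prints `authctxt->attempt` before the post-increment, so the first request logs `attempt 0` where it previously logged `attempt #1`.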
diff --git a/readconf.c b/readconf.c index 6f5ac8ca6..d90ba37bb 100644 --- a/readconf.c +++ b/readconf.c | |||
@@ -12,7 +12,7 @@ | |||
12 | */ | 12 | */ |
13 | 13 | ||
14 | #include "includes.h" | 14 | #include "includes.h" |
15 | RCSID("$OpenBSD: readconf.c,v 1.51 2000/12/19 23:17:57 markus Exp $"); | 15 | RCSID("$OpenBSD: readconf.c,v 1.52 2000/12/27 12:30:19 markus Exp $"); |
16 | 16 | ||
17 | #include "ssh.h" | 17 | #include "ssh.h" |
18 | #include "readconf.h" | 18 | #include "readconf.h" |
@@ -103,7 +103,7 @@ typedef enum { | |||
103 | oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication, | 103 | oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication, |
104 | oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, | 104 | oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, |
105 | oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, | 105 | oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, |
106 | oKbdInteractiveAuthentication, oKbdInteractiveDevices | 106 | oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias |
107 | } OpCodes; | 107 | } OpCodes; |
108 | 108 | ||
109 | /* Textual representations of the tokens. */ | 109 | /* Textual representations of the tokens. */ |
@@ -137,6 +137,7 @@ static struct { | |||
137 | { "identityfile", oIdentityFile }, | 137 | { "identityfile", oIdentityFile }, |
138 | { "identityfile2", oIdentityFile }, /* alias */ | 138 | { "identityfile2", oIdentityFile }, /* alias */ |
139 | { "hostname", oHostName }, | 139 | { "hostname", oHostName }, |
140 | { "hostkeyalias", oHostKeyAlias }, | ||
140 | { "proxycommand", oProxyCommand }, | 141 | { "proxycommand", oProxyCommand }, |
141 | { "port", oPort }, | 142 | { "port", oPort }, |
142 | { "cipher", oCipher }, | 143 | { "cipher", oCipher }, |
@@ -435,6 +436,10 @@ parse_string: | |||
435 | charptr = &options->hostname; | 436 | charptr = &options->hostname; |
436 | goto parse_string; | 437 | goto parse_string; |
437 | 438 | ||
439 | case oHostKeyAlias: | ||
440 | charptr = &options->host_key_alias; | ||
441 | goto parse_string; | ||
442 | |||
438 | case oProxyCommand: | 443 | case oProxyCommand: |
439 | charptr = &options->proxy_command; | 444 | charptr = &options->proxy_command; |
440 | string = xstrdup(""); | 445 | string = xstrdup(""); |
@@ -689,6 +694,7 @@ initialize_options(Options * options) | |||
689 | options->protocol = SSH_PROTO_UNKNOWN; | 694 | options->protocol = SSH_PROTO_UNKNOWN; |
690 | options->num_identity_files = 0; | 695 | options->num_identity_files = 0; |
691 | options->hostname = NULL; | 696 | options->hostname = NULL; |
697 | options->host_key_alias = NULL; | ||
692 | options->proxy_command = NULL; | 698 | options->proxy_command = NULL; |
693 | options->user = NULL; | 699 | options->user = NULL; |
694 | options->escape_char = -1; | 700 | options->escape_char = -1; |
@@ -802,4 +808,5 @@ fill_default_options(Options * options) | |||
802 | /* options->proxy_command should not be set by default */ | 808 | /* options->proxy_command should not be set by default */ |
803 | /* options->user will be set in the main program if appropriate */ | 809 | /* options->user will be set in the main program if appropriate */ |
804 | /* options->hostname will be set in the main program if appropriate */ | 810 | /* options->hostname will be set in the main program if appropriate */ |
811 | /* options->host_key_alias should not be set by default */ | ||
805 | } | 812 | } |
diff --git a/readconf.h b/readconf.h index 85d937d87..08ff70839 100644 --- a/readconf.h +++ b/readconf.h | |||
@@ -11,7 +11,7 @@ | |||
11 | * called by a name other than "ssh" or "Secure Shell". | 11 | * called by a name other than "ssh" or "Secure Shell". |
12 | */ | 12 | */ |
13 | 13 | ||
14 | /* RCSID("$OpenBSD: readconf.h,v 1.23 2000/11/12 19:50:37 markus Exp $"); */ | 14 | /* RCSID("$OpenBSD: readconf.h,v 1.24 2000/12/27 12:30:20 markus Exp $"); */ |
15 | 15 | ||
16 | #ifndef READCONF_H | 16 | #ifndef READCONF_H |
17 | #define READCONF_H | 17 | #define READCONF_H |
@@ -69,6 +69,7 @@ typedef struct { | |||
69 | char *ciphers; /* SSH2 ciphers in order of preference. */ | 69 | char *ciphers; /* SSH2 ciphers in order of preference. */ |
70 | int protocol; /* Protocol in order of preference. */ | 70 | int protocol; /* Protocol in order of preference. */ |
71 | char *hostname; /* Real host to connect. */ | 71 | char *hostname; /* Real host to connect. */ |
72 | char *host_key_alias; /* hostname alias for .ssh/known_hosts */ | ||
72 | char *proxy_command; /* Proxy command for connecting the host. */ | 73 | char *proxy_command; /* Proxy command for connecting the host. */ |
73 | char *user; /* User to log in as. */ | 74 | char *user; /* User to log in as. */ |
74 | int escape_char; /* Escape character; -2 = none */ | 75 | int escape_char; /* Escape character; -2 = none */ |
diff --git a/serverloop.c b/serverloop.c index 57e7f1f73..5fb0ed020 100644 --- a/serverloop.c +++ b/serverloop.c | |||
@@ -35,7 +35,7 @@ | |||
35 | */ | 35 | */ |
36 | 36 | ||
37 | #include "includes.h" | 37 | #include "includes.h" |
38 | RCSID("$OpenBSD: serverloop.c,v 1.38 2000/12/19 23:17:58 markus Exp $"); | 38 | RCSID("$OpenBSD: serverloop.c,v 1.39 2000/12/27 14:19:21 markus Exp $"); |
39 | 39 | ||
40 | #include "xmalloc.h" | 40 | #include "xmalloc.h" |
41 | #include "ssh.h" | 41 | #include "ssh.h" |
@@ -250,7 +250,7 @@ retry_select: | |||
250 | tvp = &tv; | 250 | tvp = &tv; |
251 | } | 251 | } |
252 | if (tvp!=NULL) | 252 | if (tvp!=NULL) |
253 | debug("tvp!=NULL kid %d mili %d", child_terminated, max_time_milliseconds); | 253 | debug2("tvp!=NULL kid %d mili %d", child_terminated, max_time_milliseconds); |
254 | 254 | ||
255 | /* Wait for something to happen, or the timeout to expire. */ | 255 | /* Wait for something to happen, or the timeout to expire. */ |
256 | ret = select(max_fd + 1, readset, writeset, NULL, tvp); | 256 | ret = select(max_fd + 1, readset, writeset, NULL, tvp); |
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh.1,v 1.72 2000/12/12 23:11:48 markus Exp $ | 37 | .\" $OpenBSD: ssh.1,v 1.74 2000/12/27 12:30:20 markus Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH 1 | 39 | .Dt SSH 1 |
40 | .Os | 40 | .Os |
@@ -475,6 +475,11 @@ Force pseudo-tty allocation. | |||
475 | This can be used to execute arbitrary | 475 | This can be used to execute arbitrary |
476 | screen-based programs on a remote machine, which can be very useful, | 476 | screen-based programs on a remote machine, which can be very useful, |
477 | e.g., when implementing menu services. | 477 | e.g., when implementing menu services. |
478 | Multiple | ||
479 | .Fl t | ||
480 | options force tty allocation, even if | ||
481 | .Nm | ||
482 | has no local tty. | ||
478 | .It Fl T | 483 | .It Fl T |
479 | Disable pseudo-tty allocation. | 484 | Disable pseudo-tty allocation. |
480 | .It Fl v | 485 | .It Fl v |
@@ -484,10 +489,9 @@ Causes | |||
484 | to print debugging messages about its progress. | 489 | to print debugging messages about its progress. |
485 | This is helpful in | 490 | This is helpful in |
486 | debugging connection, authentication, and configuration problems. | 491 | debugging connection, authentication, and configuration problems. |
487 | The verbose mode is also used to display | 492 | Multiple |
488 | .Xr skey 1 | 493 | .Fl v |
489 | challenges, if the user entered "s/key" as password. | 494 | options increases the verbosity. |
490 | Multiple -v options increases the verbosity. | ||
491 | Maximum is 3. | 495 | Maximum is 3. |
492 | .It Fl x | 496 | .It Fl x |
493 | Disables X11 forwarding. | 497 | Disables X11 forwarding. |
@@ -742,6 +746,12 @@ The default is | |||
742 | .It Cm GlobalKnownHostsFile | 746 | .It Cm GlobalKnownHostsFile |
743 | Specifies a file to use instead of | 747 | Specifies a file to use instead of |
744 | .Pa /etc/ssh_known_hosts . | 748 | .Pa /etc/ssh_known_hosts . |
749 | .It Cm HostKeyAlias | ||
750 | Specifies an alias that should be used instead of the | ||
751 | real host name when looking up or saving the host key | ||
752 | the kown_hosts files. | ||
753 | This option is useful for tunneling ssh connection | ||
754 | or if you have multiple servers running on a single host. | ||
745 | .It Cm HostName | 755 | .It Cm HostName |
746 | Specifies the real host name to log into. | 756 | Specifies the real host name to log into. |
747 | This can be used to specify nicknames or abbreviations for hosts. | 757 | This can be used to specify nicknames or abbreviations for hosts. |
@@ -1023,6 +1033,10 @@ Identifies the client end of the connection. | |||
1023 | The variable contains | 1033 | The variable contains |
1024 | three space-separated values: client ip-address, client port number, | 1034 | three space-separated values: client ip-address, client port number, |
1025 | and server port number. | 1035 | and server port number. |
1036 | .It Ev SSH_ORIGINAL_COMMAND | ||
1037 | The variable contains the original command line if a forced command | ||
1038 | is executed. | ||
1039 | It can be used to extract the original arguments. | ||
1026 | .It Ev SSH_TTY | 1040 | .It Ev SSH_TTY |
1027 | This is set to the name of the tty (path to the device) associated | 1041 | This is set to the name of the tty (path to the device) associated |
1028 | with the current shell or command. | 1042 | with the current shell or command. |
@@ -39,7 +39,7 @@ | |||
39 | */ | 39 | */ |
40 | 40 | ||
41 | #include "includes.h" | 41 | #include "includes.h" |
42 | RCSID("$OpenBSD: ssh.c,v 1.78 2000/12/19 23:17:58 markus Exp $"); | 42 | RCSID("$OpenBSD: ssh.c,v 1.79 2000/12/27 11:51:54 markus Exp $"); |
43 | 43 | ||
44 | #include <openssl/evp.h> | 44 | #include <openssl/evp.h> |
45 | #include <openssl/dsa.h> | 45 | #include <openssl/dsa.h> |
@@ -79,10 +79,11 @@ int debug_flag = 0; | |||
79 | 79 | ||
80 | /* Flag indicating whether a tty should be allocated */ | 80 | /* Flag indicating whether a tty should be allocated */ |
81 | int tty_flag = 0; | 81 | int tty_flag = 0; |
82 | int no_tty_flag = 0; | ||
83 | int force_tty_flag = 0; | ||
82 | 84 | ||
83 | /* don't exec a shell */ | 85 | /* don't exec a shell */ |
84 | int no_shell_flag = 0; | 86 | int no_shell_flag = 0; |
85 | int no_tty_flag = 0; | ||
86 | 87 | ||
87 | /* | 88 | /* |
88 | * Flag indicating that nothing should be read from stdin. This can be set | 89 | * Flag indicating that nothing should be read from stdin. This can be set |
@@ -373,6 +374,8 @@ main(int ac, char **av) | |||
373 | options.identity_files[options.num_identity_files++] = xstrdup(optarg); | 374 | options.identity_files[options.num_identity_files++] = xstrdup(optarg); |
374 | break; | 375 | break; |
375 | case 't': | 376 | case 't': |
377 | if (tty_flag) | ||
378 | force_tty_flag = 1; | ||
376 | tty_flag = 1; | 379 | tty_flag = 1; |
377 | break; | 380 | break; |
378 | case 'v': | 381 | case 'v': |
@@ -521,7 +524,7 @@ main(int ac, char **av) | |||
521 | if (no_tty_flag) | 524 | if (no_tty_flag) |
522 | tty_flag = 0; | 525 | tty_flag = 0; |
523 | /* Do not allocate a tty if stdin is not a tty. */ | 526 | /* Do not allocate a tty if stdin is not a tty. */ |
524 | if (!isatty(fileno(stdin))) { | 527 | if (!isatty(fileno(stdin)) && !force_tty_flag) { |
525 | if (tty_flag) | 528 | if (tty_flag) |
526 | fprintf(stderr, "Pseudo-terminal will not be allocated because stdin is not a terminal.\n"); | 529 | fprintf(stderr, "Pseudo-terminal will not be allocated because stdin is not a terminal.\n"); |
527 | tty_flag = 0; | 530 | tty_flag = 0; |
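Review bot: `force_tty_flag` and the relocated `no_tty_flag` now sit under the comment `/* Flag indicating whether a tty should be allocated */`, which describes only `tty_flag`; neither new declaration says what it means or how it is set. Suggest `int no_tty_flag = 0; /* never allocate a tty; overrides -t */` and `int force_tty_flag = 0; /* second -t: allocate a tty even when stdin is not one */`, which is what the `case 't':` block (sets `force_tty_flag` only when `tty_flag` is already set) and the `!isatty(fileno(stdin)) && !force_tty_flag` check establish. The option that sets `no_tty_flag` is not in view, so that part of the first comment should be checked against the getopt switch. main() begins and ends outside these hunks.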
diff --git a/sshconnect.c b/sshconnect.c index 647aec797..22e691424 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
@@ -13,7 +13,7 @@ | |||
13 | */ | 13 | */ |
14 | 14 | ||
15 | #include "includes.h" | 15 | #include "includes.h" |
16 | RCSID("$OpenBSD: sshconnect.c,v 1.85 2000/12/21 15:10:17 markus Exp $"); | 16 | RCSID("$OpenBSD: sshconnect.c,v 1.87 2000/12/28 14:25:03 markus Exp $"); |
17 | 17 | ||
18 | #include <openssl/bn.h> | 18 | #include <openssl/bn.h> |
19 | #include <openssl/dsa.h> | 19 | #include <openssl/dsa.h> |
@@ -499,8 +499,13 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
499 | break; | 499 | break; |
500 | } | 500 | } |
501 | if (local) { | 501 | if (local) { |
502 | debug("Forcing accepting of host key for loopback/localhost."); | 502 | if (options.host_key_alias == NULL) { |
503 | return; | 503 | debug("Forcing accepting of host key for " |
504 | "loopback/localhost."); | ||
505 | return; | ||
506 | } | ||
507 | if (options.check_host_ip) | ||
508 | options.check_host_ip = 0; | ||
504 | } | 509 | } |
505 | 510 | ||
506 | /* | 511 | /* |
@@ -514,7 +519,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
514 | 519 | ||
515 | if (options.proxy_command == NULL) { | 520 | if (options.proxy_command == NULL) { |
516 | if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop), | 521 | if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop), |
517 | NULL, 0, NI_NUMERICHOST) != 0) | 522 | NULL, 0, NI_NUMERICHOST) != 0) |
518 | fatal("check_host_key: getnameinfo failed"); | 523 | fatal("check_host_key: getnameinfo failed"); |
519 | ip = xstrdup(ntop); | 524 | ip = xstrdup(ntop); |
520 | } else { | 525 | } else { |
@@ -522,6 +527,16 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
522 | } | 527 | } |
523 | 528 | ||
524 | /* | 529 | /* |
530 | * Allow the user to record the key under a different name. This is | ||
531 | * useful for ssh tunneling over forwarded connections or if you run | ||
532 | * multiple sshd's on different ports on the same machine. | ||
533 | */ | ||
534 | if (options.host_key_alias != NULL) { | ||
535 | host = options.host_key_alias; | ||
536 | debug("using hostkeyalias: %s", host); | ||
537 | } | ||
538 | |||
539 | /* | ||
525 | * Store the host key from the known host file in here so that we can | 540 | * Store the host key from the known host file in here so that we can |
526 | * compare it with the key for the IP address. | 541 | * compare it with the key for the IP address. |
527 | */ | 542 | */ |
@@ -592,12 +607,11 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
592 | } else if (options.strict_host_key_checking == 2) { | 607 | } else if (options.strict_host_key_checking == 2) { |
593 | /* The default */ | 608 | /* The default */ |
594 | char prompt[1024]; | 609 | char prompt[1024]; |
595 | char *fp = key_fingerprint(host_key); | ||
596 | snprintf(prompt, sizeof(prompt), | 610 | snprintf(prompt, sizeof(prompt), |
597 | "The authenticity of host '%.200s (%s)' can't be established.\n" | 611 | "The authenticity of host '%.200s (%s)' can't be established.\n" |
598 | "%s key fingerprint is %s.\n" | 612 | "%s key fingerprint is %s.\n" |
599 | "Are you sure you want to continue connecting (yes/no)? ", | 613 | "Are you sure you want to continue connecting (yes/no)? ", |
600 | host, ip, type, fp); | 614 | host, ip, type, key_fingerprint(host_key)); |
601 | if (!read_yes_or_no(prompt, -1)) | 615 | if (!read_yes_or_no(prompt, -1)) |
602 | fatal("Aborted by user!\n"); | 616 | fatal("Aborted by user!\n"); |
603 | } | 617 | } |
@@ -642,9 +656,11 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
642 | error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); | 656 | error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); |
643 | error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); | 657 | error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); |
644 | error("It is also possible that the %s host key has just been changed.", type); | 658 | error("It is also possible that the %s host key has just been changed.", type); |
659 | error("The fingerprint for the %s key sent by the remote host is\n%s.", | ||
660 | type, key_fingerprint(host_key)); | ||
645 | error("Please contact your system administrator."); | 661 | error("Please contact your system administrator."); |
646 | error("Add correct host key in %.100s to get rid of this message.", | 662 | error("Add correct host key in %.100s to get rid of this message.", |
647 | user_hostfile); | 663 | user_hostfile); |
648 | error("Offending key in %s:%d", host_file, host_line); | 664 | error("Offending key in %s:%d", host_file, host_line); |
649 | 665 | ||
650 | /* | 666 | /* |
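Review bot: `options.check_host_ip` is cleared only inside the `if (local)` branch when `host_key_alias` is set, yet the new comment names "multiple sshd's on different ports on the same machine" as a use case; for a non-loopback host in that situation the hostname lookup uses the alias while the IP lookup still uses the shared address, so keys recorded under two aliases for one IP are both compared against a single IP entry. Whether that produces a mismatch warning depends on the IP-comparison code after these hunks, which is outside the view, but if the alias is meant to fully replace the identity under which the key is stored, the `options.check_host_ip = 0;` belongs in the `if (options.host_key_alias != NULL)` block below rather than in the local-only branch, or the HostKeyAlias documentation should state that CheckHostIP still applies to the real address. check_host_key begins before the first hunk and continues past the last.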
diff --git a/sshconnect2.c b/sshconnect2.c index aee547fbe..34d72818f 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
@@ -23,7 +23,7 @@ | |||
23 | */ | 23 | */ |
24 | 24 | ||
25 | #include "includes.h" | 25 | #include "includes.h" |
26 | RCSID("$OpenBSD: sshconnect2.c,v 1.33 2000/12/20 19:37:22 markus Exp $"); | 26 | RCSID("$OpenBSD: sshconnect2.c,v 1.34 2000/12/27 12:34:50 markus Exp $"); |
27 | 27 | ||
28 | #include <openssl/bn.h> | 28 | #include <openssl/bn.h> |
29 | #include <openssl/rsa.h> | 29 | #include <openssl/rsa.h> |
@@ -548,7 +548,7 @@ ssh_userauth2(const char *server_user, char *host) | |||
548 | if (authctxt.agent != NULL) | 548 | if (authctxt.agent != NULL) |
549 | ssh_close_authentication_connection(authctxt.agent); | 549 | ssh_close_authentication_connection(authctxt.agent); |
550 | 550 | ||
551 | debug("ssh-userauth2 successfull: method %s", authctxt.method->name); | 551 | debug("ssh-userauth2 successful: method %s", authctxt.method->name); |
552 | } | 552 | } |
553 | void | 553 | void |
554 | input_userauth_error(int type, int plen, void *ctxt) | 554 | input_userauth_error(int type, int plen, void *ctxt) |
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.73 2000/11/22 15:38:30 provos Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.76 2000/12/28 12:03:57 markus Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
40 | .Os | 40 | .Os |
@@ -43,7 +43,7 @@ | |||
43 | .Nd secure shell daemon | 43 | .Nd secure shell daemon |
44 | .Sh SYNOPSIS | 44 | .Sh SYNOPSIS |
45 | .Nm sshd | 45 | .Nm sshd |
46 | .Op Fl diqQ46 | 46 | .Op Fl diqDQ46 |
47 | .Op Fl b Ar bits | 47 | .Op Fl b Ar bits |
48 | .Op Fl f Ar config_file | 48 | .Op Fl f Ar config_file |
49 | .Op Fl g Ar login_grace_time | 49 | .Op Fl g Ar login_grace_time |
@@ -202,12 +202,14 @@ If the client fails to authenticate the user within | |||
202 | this many seconds, the server disconnects and exits. | 202 | this many seconds, the server disconnects and exits. |
203 | A value of zero indicates no limit. | 203 | A value of zero indicates no limit. |
204 | .It Fl h Ar host_key_file | 204 | .It Fl h Ar host_key_file |
205 | Specifies the file from which the RSA host key is read (default | 205 | Specifies the file from which the host key is read (default |
206 | .Pa /etc/ssh_host_key ) . | 206 | .Pa /etc/ssh_host_key ) . |
207 | This option must be given if | 207 | This option must be given if |
208 | .Nm | 208 | .Nm |
209 | is not run as root (as the normal | 209 | is not run as root (as the normal |
210 | host file is normally not readable by anyone but root). | 210 | host file is normally not readable by anyone but root). |
211 | It is possible to have multiple host key files for | ||
212 | the different protocol versions. | ||
211 | .It Fl i | 213 | .It Fl i |
212 | Specifies that | 214 | Specifies that |
213 | .Nm | 215 | .Nm |
@@ -254,6 +256,12 @@ indicates that only dotted decimal addresses | |||
254 | should be put into the | 256 | should be put into the |
255 | .Pa utmp | 257 | .Pa utmp |
256 | file. | 258 | file. |
259 | .It Fl D | ||
260 | When this option is specified | ||
261 | .Nm | ||
262 | will not detach and does not become a daemon. | ||
263 | This allows easy monitoring of | ||
264 | .Nm sshd . | ||
257 | .It Fl Q | 265 | .It Fl Q |
258 | Do not print an error message if RSA support is missing. | 266 | Do not print an error message if RSA support is missing. |
259 | .It Fl V Ar client_protocol_id | 267 | .It Fl V Ar client_protocol_id |
@@ -720,26 +728,37 @@ file lists the RSA keys that are | |||
720 | permitted for RSA authentication in SSH protocols 1.3 and 1.5 | 728 | permitted for RSA authentication in SSH protocols 1.3 and 1.5 |
721 | Similarly, the | 729 | Similarly, the |
722 | .Pa $HOME/.ssh/authorized_keys2 | 730 | .Pa $HOME/.ssh/authorized_keys2 |
723 | file lists the DSA keys that are | 731 | file lists the DSA and RSA keys that are |
724 | permitted for DSA authentication in SSH protocol 2.0. | 732 | permitted for public key authentication (PubkeyAuthentication) |
733 | in SSH protocol 2.0. | ||
734 | .Pp | ||
725 | Each line of the file contains one | 735 | Each line of the file contains one |
726 | key (empty lines and lines starting with a | 736 | key (empty lines and lines starting with a |
727 | .Ql # | 737 | .Ql # |
728 | are ignored as | 738 | are ignored as |
729 | comments). | 739 | comments). |
730 | Each line consists of the following fields, separated by | 740 | Each RSA public key consists of the following fields, separated by |
731 | spaces: options, bits, exponent, modulus, comment. | 741 | spaces: options, bits, exponent, modulus, comment. |
732 | The options field | 742 | Each protocol version 2 public key consists of: |
733 | is optional; its presence is determined by whether the line starts | 743 | options, keytype, base64 encoded key, comment. |
744 | The options fields | ||
745 | are optional; its presence is determined by whether the line starts | ||
734 | with a number or not (the option field never starts with a number). | 746 | with a number or not (the option field never starts with a number). |
735 | The bits, exponent, modulus and comment fields give the RSA key; the | 747 | The bits, exponent, modulus and comment fields give the RSA key for |
748 | protocol version 1; the | ||
736 | comment field is not used for anything (but may be convenient for the | 749 | comment field is not used for anything (but may be convenient for the |
737 | user to identify the key). | 750 | user to identify the key). |
751 | For protocol version 2 the keytype is | ||
752 | .Dq ssh-dss | ||
753 | or | ||
754 | .Dq ssh-rsa . | ||
738 | .Pp | 755 | .Pp |
739 | Note that lines in this file are usually several hundred bytes long | 756 | Note that lines in this file are usually several hundred bytes long |
740 | (because of the size of the RSA key modulus). | 757 | (because of the size of the RSA key modulus). |
741 | You don't want to type them in; instead, copy the | 758 | You don't want to type them in; instead, copy the |
742 | .Pa identity.pub | 759 | .Pa identity.pub |
760 | or the | ||
761 | .Pa id_dsa.pub | ||
743 | file and edit it. | 762 | file and edit it. |
744 | .Pp | 763 | .Pp |
745 | The options (if present) consist of comma-separated option | 764 | The options (if present) consist of comma-separated option |
@@ -1053,7 +1072,7 @@ This version of OpenSSH | |||
1053 | .Bl -bullet | 1072 | .Bl -bullet |
1054 | .It | 1073 | .It |
1055 | has all components of a restrictive nature (i.e., patents, see | 1074 | has all components of a restrictive nature (i.e., patents, see |
1056 | .Xr crypto 3 ) | 1075 | .Xr ssl 8 ) |
1057 | directly removed from the source code; any licensed or patented components | 1076 | directly removed from the source code; any licensed or patented components |
1058 | are chosen from | 1077 | are chosen from |
1059 | external libraries. | 1078 | external libraries. |
@@ -1080,6 +1099,6 @@ The support for SSH protocol 2 was written by Markus Friedl. | |||
1080 | .Xr ssh-add 1 , | 1099 | .Xr ssh-add 1 , |
1081 | .Xr ssh-agent 1 , | 1100 | .Xr ssh-agent 1 , |
1082 | .Xr ssh-keygen 1 , | 1101 | .Xr ssh-keygen 1 , |
1083 | .Xr crypto 3 , | 1102 | .Xr ssl 8 , |
1084 | .Xr rlogin 1 , | 1103 | .Xr rlogin 1 , |
1085 | .Xr rsh 1 | 1104 | .Xr rsh 1 |
@@ -40,7 +40,7 @@ | |||
40 | */ | 40 | */ |
41 | 41 | ||
42 | #include "includes.h" | 42 | #include "includes.h" |
43 | RCSID("$OpenBSD: sshd.c,v 1.142 2000/12/20 19:37:22 markus Exp $"); | 43 | RCSID("$OpenBSD: sshd.c,v 1.144 2000/12/28 12:03:58 markus Exp $"); |
44 | 44 | ||
45 | #include "xmalloc.h" | 45 | #include "xmalloc.h" |
46 | #include "rsa.h" | 46 | #include "rsa.h" |
@@ -653,6 +653,7 @@ main(int ac, char **av) | |||
653 | fprintf(stderr, " -f file Configuration file (default %s)\n", SERVER_CONFIG_FILE); | 653 | fprintf(stderr, " -f file Configuration file (default %s)\n", SERVER_CONFIG_FILE); |
654 | fprintf(stderr, " -d Debugging mode (multiple -d means more debugging)\n"); | 654 | fprintf(stderr, " -d Debugging mode (multiple -d means more debugging)\n"); |
655 | fprintf(stderr, " -i Started from inetd\n"); | 655 | fprintf(stderr, " -i Started from inetd\n"); |
656 | fprintf(stderr, " -D Do not fork into daemon mode\n"); | ||
656 | fprintf(stderr, " -q Quiet (no logging)\n"); | 657 | fprintf(stderr, " -q Quiet (no logging)\n"); |
657 | fprintf(stderr, " -p port Listen on the specified port (default: 22)\n"); | 658 | fprintf(stderr, " -p port Listen on the specified port (default: 22)\n"); |
658 | fprintf(stderr, " -k seconds Regenerate server key every this many seconds (default: 3600)\n"); | 659 | fprintf(stderr, " -k seconds Regenerate server key every this many seconds (default: 3600)\n"); |
@@ -947,7 +948,7 @@ main(int ac, char **av) | |||
947 | /* | 948 | /* |
948 | * the read end of the pipe is ready | 949 | * the read end of the pipe is ready |
949 | * if the child has closed the pipe | 950 | * if the child has closed the pipe |
950 | * after successfull authentication | 951 | * after successful authentication |
951 | * or if the child has died | 952 | * or if the child has died |
952 | */ | 953 | */ |
953 | close(startup_pipes[i]); | 954 | close(startup_pipes[i]); |