author | Damien Miller <djm@mindrot.org> | 2000-06-07 19:55:44 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2000-06-07 19:55:44 +1000 |
commit | d3a185709dfb8588ae7cacc079312d1fcc450e9c (patch) | |
tree | 8e9798d35f76171481f034720767e507e6bbd6f9 | |
parent | e37bfc19f7263b838896ae403e55aa703a06b69a (diff) |
- (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III
<tibbs@math.uh.edu>
- (djm) OpenBSD CVS updates:
- todd@cvs.openbsd.org
[sshconnect2.c]
teach protocol v2 to count login failures properly and also enable an
explanation of why the password prompt comes up again like v1; this is NOT
crypto
- markus@cvs.openbsd.org
[readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8]
xauth_location support; pr 1234
[readconf.c sshconnect2.c]
typo, unused
[session.c]
allow use_login only for login sessions, otherwise remote commands are
execed with uid==0
[sshd.8]
document UseLogin better
[version.h]
OpenSSH 2.1.1
[auth-rsa.c]
fix match_hostname() logic for auth-rsa: deny access if we have a
negative match or no match at all
[channels.c hostfile.c match.c]
don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via
kris@FreeBSD.org
-rw-r--r-- | ChangeLog | 28 | ||||
-rw-r--r-- | auth-rsa.c | 18 | ||||
-rw-r--r-- | channels.c | 19 | ||||
-rw-r--r-- | channels.h | 6 | ||||
-rw-r--r-- | contrib/redhat/openssh.spec | 3 | ||||
-rw-r--r-- | hostfile.c | 4 | ||||
-rw-r--r-- | match.c | 12 | ||||
-rw-r--r-- | match.h | 4 | ||||
-rw-r--r-- | readconf.c | 14 | ||||
-rw-r--r-- | readconf.h | 3 | ||||
-rw-r--r-- | servconf.c | 25 | ||||
-rw-r--r-- | servconf.h | 3 | ||||
-rw-r--r-- | session.c | 4 | ||||
-rw-r--r-- | ssh-keygen.c | 4 | ||||
-rw-r--r-- | ssh.1 | 8 | ||||
-rw-r--r-- | ssh.c | 26 | ||||
-rw-r--r-- | sshconnect2.c | 8 | ||||
-rw-r--r-- | sshd.8 | 13 | ||||
-rw-r--r-- | version.h | 2 |
19 files changed, 143 insertions, 61 deletions
@@ -1,4 +1,32 @@ | |||
1 | 20000606 | 1 | 20000606 |
2 | - (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III | ||
3 | <tibbs@math.uh.edu> | ||
4 | - (djm) OpenBSD CVS updates: | ||
5 | - todd@cvs.openbsd.org | ||
6 | [sshconnect2.c] | ||
7 | teach protocol v2 to count login failures properly and also enable an | ||
8 | explanation of why the password prompt comes up again like v1; this is NOT | ||
9 | crypto | ||
10 | - markus@cvs.openbsd.org | ||
11 | [readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8] | ||
12 | xauth_location support; pr 1234 | ||
13 | [readconf.c sshconnect2.c] | ||
14 | typo, unused | ||
15 | [session.c] | ||
16 | allow use_login only for login sessions, otherwise remote commands are | ||
17 | execed with uid==0 | ||
18 | [sshd.8] | ||
19 | document UseLogin better | ||
20 | [version.h] | ||
21 | OpenSSH 2.1.1 | ||
22 | [auth-rsa.c] | ||
23 | fix match_hostname() logic for auth-rsa: deny access if we have a | ||
24 | negative match or no match at all | ||
25 | [channels.c hostfile.c match.c] | ||
26 | don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via | ||
27 | kris@FreeBSD.org | ||
28 | |||
29 | 20000606 | ||
2 | - (djm) Added --with-cflags, --with-ldflags and --with-libs options to | 30 | - (djm) Added --with-cflags, --with-ldflags and --with-libs options to |
3 | configure. | 31 | configure. |
4 | 32 | ||
diff --git a/auth-rsa.c b/auth-rsa.c index 22e3f01f3..f01c5c920 100644 --- a/auth-rsa.c +++ b/auth-rsa.c | |||
@@ -16,7 +16,7 @@ | |||
16 | */ | 16 | */ |
17 | 17 | ||
18 | #include "includes.h" | 18 | #include "includes.h" |
19 | RCSID("$Id: auth-rsa.c,v 1.19 2000/04/30 00:00:53 damien Exp $"); | 19 | RCSID("$Id: auth-rsa.c,v 1.20 2000/06/07 09:55:44 djm Exp $"); |
20 | 20 | ||
21 | #include "rsa.h" | 21 | #include "rsa.h" |
22 | #include "packet.h" | 22 | #include "packet.h" |
@@ -133,6 +133,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) | |||
133 | unsigned long linenum = 0; | 133 | unsigned long linenum = 0; |
134 | struct stat st; | 134 | struct stat st; |
135 | RSA *pk; | 135 | RSA *pk; |
136 | int mname, mip; | ||
136 | 137 | ||
137 | /* Temporarily use the user's uid. */ | 138 | /* Temporarily use the user's uid. */ |
138 | temporarily_use_uid(pw->pw_uid); | 139 | temporarily_use_uid(pw->pw_uid); |
@@ -390,10 +391,17 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) | |||
390 | } | 391 | } |
391 | patterns[i] = 0; | 392 | patterns[i] = 0; |
392 | options++; | 393 | options++; |
393 | if (!match_hostname(get_canonical_hostname(), patterns, | 394 | /* |
394 | strlen(patterns)) && | 395 | * Deny access if we get a negative |
395 | !match_hostname(get_remote_ipaddr(), patterns, | 396 | * match for the hostname or the ip |
396 | strlen(patterns))) { | 397 | * or if we get not match at all |
398 | */ | ||
399 | mname = match_hostname(get_canonical_hostname(), | ||
400 | patterns, strlen(patterns)); | ||
401 | mip = match_hostname(get_remote_ipaddr(), | ||
402 | patterns, strlen(patterns)); | ||
403 | if (mname == -1 || mip == -1 || | ||
404 | (mname != 1 && mip != 1)) { | ||
397 | log("RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).", | 405 | log("RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).", |
398 | pw->pw_name, get_canonical_hostname(), | 406 | pw->pw_name, get_canonical_hostname(), |
399 | get_remote_ipaddr()); | 407 | get_remote_ipaddr()); |
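Review bot: The comment introduced above the new `mname`/`mip` check has a typo, `or if we get not match at all`; it should read `* or if we get no match at all`. The condition itself is fail-closed in the way the ChangeLog describes — a -1 from either lookup denies, and access needs a 1 from at least one — so the wording is the only thing to touch, though it would help to name the contract the check now depends on, e.g. `* match_hostname() returns -1 (negated), 0 (none) or 1 (positive)`, since that tri-state return is introduced in match.c by this same commit. auth_rsa() starts and ends outside these hunks.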
diff --git a/channels.c b/channels.c index f26b3a65b..bfa025ad7 100644 --- a/channels.c +++ b/channels.c | |||
@@ -17,7 +17,7 @@ | |||
17 | */ | 17 | */ |
18 | 18 | ||
19 | #include "includes.h" | 19 | #include "includes.h" |
20 | RCSID("$Id: channels.c,v 1.31 2000/05/17 12:34:23 damien Exp $"); | 20 | RCSID("$Id: channels.c,v 1.32 2000/06/07 09:55:44 djm Exp $"); |
21 | 21 | ||
22 | #include "ssh.h" | 22 | #include "ssh.h" |
23 | #include "packet.h" | 23 | #include "packet.h" |
@@ -2113,11 +2113,11 @@ cleanup_socket(void) | |||
2113 | } | 2113 | } |
2114 | 2114 | ||
2115 | /* | 2115 | /* |
2116 | * This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server. | 2116 | * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server. |
2117 | * This starts forwarding authentication requests. | 2117 | * This starts forwarding authentication requests. |
2118 | */ | 2118 | */ |
2119 | 2119 | ||
2120 | void | 2120 | int |
2121 | auth_input_request_forwarding(struct passwd * pw) | 2121 | auth_input_request_forwarding(struct passwd * pw) |
2122 | { | 2122 | { |
2123 | int sock, newch; | 2123 | int sock, newch; |
@@ -2135,8 +2135,16 @@ auth_input_request_forwarding(struct passwd * pw) | |||
2135 | strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME); | 2135 | strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME); |
2136 | 2136 | ||
2137 | /* Create private directory for socket */ | 2137 | /* Create private directory for socket */ |
2138 | if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) | 2138 | if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) { |
2139 | packet_disconnect("mkdtemp: %.100s", strerror(errno)); | 2139 | packet_send_debug("Agent forwarding disabled: mkdtemp() failed: %.100s", |
2140 | strerror(errno)); | ||
2141 | restore_uid(); | ||
2142 | xfree(channel_forwarded_auth_socket_name); | ||
2143 | xfree(channel_forwarded_auth_socket_dir); | ||
2144 | channel_forwarded_auth_socket_name = NULL; | ||
2145 | channel_forwarded_auth_socket_dir = NULL; | ||
2146 | return 0; | ||
2147 | } | ||
2140 | snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d", | 2148 | snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d", |
2141 | channel_forwarded_auth_socket_dir, (int) getpid()); | 2149 | channel_forwarded_auth_socket_dir, (int) getpid()); |
2142 | 2150 | ||
@@ -2171,6 +2179,7 @@ auth_input_request_forwarding(struct passwd * pw) | |||
2171 | xstrdup("auth socket")); | 2179 | xstrdup("auth socket")); |
2172 | strlcpy(channels[newch].path, channel_forwarded_auth_socket_name, | 2180 | strlcpy(channels[newch].path, channel_forwarded_auth_socket_name, |
2173 | sizeof(channels[newch].path)); | 2181 | sizeof(channels[newch].path)); |
2182 | return 1; | ||
2174 | } | 2183 | } |
2175 | 2184 | ||
2176 | /* This is called to process an SSH_SMSG_AGENT_OPEN message. */ | 2185 | /* This is called to process an SSH_SMSG_AGENT_OPEN message. */ |
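Review bot: The header comment above `auth_input_request_forwarding()` in the first hunk was not updated for the `void` to `int` change, so nothing says what the new result means; add `* Returns 1 if the agent socket was set up, 0 if forwarding was disabled because mkdtemp() failed.` The same stale comment sits on the prototype in channels.h. On the failure path both `channel_forwarded_auth_socket_name` and `channel_forwarded_auth_socket_dir` are freed and set to NULL, which presumably means whatever later reads them (such as `auth_get_socket_name()`, declared in channels.h) must tolerate NULL — that code is not in the diff and is worth confirming. Both hunks lie inside a function body that continues outside them.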
diff --git a/channels.h b/channels.h index 9763edf8e..922c5d0ae 100644 --- a/channels.h +++ b/channels.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* RCSID("$Id: channels.h,v 1.9 2000/05/07 02:03:15 damien Exp $"); */ | 1 | /* RCSID("$Id: channels.h,v 1.10 2000/06/07 09:55:44 djm Exp $"); */ |
2 | 2 | ||
3 | #ifndef CHANNELS_H | 3 | #ifndef CHANNELS_H |
4 | #define CHANNELS_H | 4 | #define CHANNELS_H |
@@ -222,10 +222,10 @@ void auth_request_forwarding(void); | |||
222 | char *auth_get_socket_name(void); | 222 | char *auth_get_socket_name(void); |
223 | 223 | ||
224 | /* | 224 | /* |
225 | * This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server. | 225 | * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server. |
226 | * This starts forwarding authentication requests. | 226 | * This starts forwarding authentication requests. |
227 | */ | 227 | */ |
228 | void auth_input_request_forwarding(struct passwd * pw); | 228 | int auth_input_request_forwarding(struct passwd * pw); |
229 | 229 | ||
230 | /* This is called to process an SSH_SMSG_AGENT_OPEN message. */ | 230 | /* This is called to process an SSH_SMSG_AGENT_OPEN message. */ |
231 | void auth_input_open_request(int type, int plen); | 231 | void auth_input_open_request(int type, int plen); |
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 8b1d0989f..ff12699f5 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec | |||
@@ -152,7 +152,8 @@ This package contains the GNOME passphrase dialog. | |||
152 | 152 | ||
153 | CFLAGS="$RPM_OPT_FLAGS" \ | 153 | CFLAGS="$RPM_OPT_FLAGS" \ |
154 | ./configure --prefix=/usr --sysconfdir=/etc/ssh \ | 154 | ./configure --prefix=/usr --sysconfdir=/etc/ssh \ |
155 | --with-tcp-wrappers --with-ipv4-default | 155 | --with-tcp-wrappers --with-ipv4-default \ |
156 | --with-rsh=/usr/bin/rsh | ||
156 | 157 | ||
157 | make | 158 | make |
158 | 159 | ||
diff --git a/hostfile.c b/hostfile.c index bac285da5..f58e1d67d 100644 --- a/hostfile.c +++ b/hostfile.c | |||
@@ -14,7 +14,7 @@ | |||
14 | */ | 14 | */ |
15 | 15 | ||
16 | #include "includes.h" | 16 | #include "includes.h" |
17 | RCSID("$OpenBSD: hostfile.c,v 1.18 2000/04/29 18:11:52 markus Exp $"); | 17 | RCSID("$OpenBSD: hostfile.c,v 1.19 2000/06/06 19:32:13 markus Exp $"); |
18 | 18 | ||
19 | #include "packet.h" | 19 | #include "packet.h" |
20 | #include "match.h" | 20 | #include "match.h" |
@@ -129,7 +129,7 @@ check_host_in_hostfile(const char *filename, const char *host, Key *key, Key *fo | |||
129 | ; | 129 | ; |
130 | 130 | ||
131 | /* Check if the host name matches. */ | 131 | /* Check if the host name matches. */ |
132 | if (!match_hostname(host, cp, (unsigned int) (cp2 - cp))) | 132 | if (match_hostname(host, cp, (unsigned int) (cp2 - cp)) != 1) |
133 | continue; | 133 | continue; |
134 | 134 | ||
135 | /* Got a match. Skip host name. */ | 135 | /* Got a match. Skip host name. */ |
@@ -14,7 +14,7 @@ | |||
14 | */ | 14 | */ |
15 | 15 | ||
16 | #include "includes.h" | 16 | #include "includes.h" |
17 | RCSID("$Id: match.c,v 1.5 2000/04/16 01:18:43 damien Exp $"); | 17 | RCSID("$Id: match.c,v 1.6 2000/06/07 09:55:44 djm Exp $"); |
18 | 18 | ||
19 | #include "ssh.h" | 19 | #include "ssh.h" |
20 | 20 | ||
@@ -84,8 +84,8 @@ match_pattern(const char *s, const char *pattern) | |||
84 | /* | 84 | /* |
85 | * Tries to match the host name (which must be in all lowercase) against the | 85 | * Tries to match the host name (which must be in all lowercase) against the |
86 | * comma-separated sequence of subpatterns (each possibly preceded by ! to | 86 | * comma-separated sequence of subpatterns (each possibly preceded by ! to |
87 | * indicate negation). Returns true if there is a positive match; zero | 87 | * indicate negation). Returns -1 if negation matches, 1 if there is |
88 | * otherwise. | 88 | * a positive match, 0 if there is no match at all. |
89 | */ | 89 | */ |
90 | 90 | ||
91 | int | 91 | int |
@@ -127,15 +127,15 @@ match_hostname(const char *host, const char *pattern, unsigned int len) | |||
127 | /* Try to match the subpattern against the host name. */ | 127 | /* Try to match the subpattern against the host name. */ |
128 | if (match_pattern(host, sub)) { | 128 | if (match_pattern(host, sub)) { |
129 | if (negated) | 129 | if (negated) |
130 | return 0; /* Fail */ | 130 | return -1; /* Negative */ |
131 | else | 131 | else |
132 | got_positive = 1; | 132 | got_positive = 1; /* Positive */ |
133 | } | 133 | } |
134 | } | 134 | } |
135 | 135 | ||
136 | /* | 136 | /* |
137 | * Return success if got a positive match. If there was a negative | 137 | * Return success if got a positive match. If there was a negative |
138 | * match, we have already returned zero and never get here. | 138 | * match, we have already returned -1 and never get here. |
139 | */ | 139 | */ |
140 | return got_positive; | 140 | return got_positive; |
141 | } | 141 | } |
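Review bot: `match_hostname()` changes from a boolean to a tri-state return (-1 negated, 0 none, 1 positive), and because -1 is truthy, any caller still written as `if (match_hostname(...))` would now treat an explicit deny as a match. Only auth-rsa.c and hostfile.c are updated in this commit to compare against 1 or -1; other callers, if any exist, are not visible here and should be checked before this lands. The updated header comment is accurate; it could additionally state that a negated subpattern wins regardless of its position in the list, which the early `return -1` guarantees. match_hostname() begins before this hunk.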
@@ -10,8 +10,8 @@ int match_pattern(const char *s, const char *pattern); | |||
10 | /* | 10 | /* |
11 | * Tries to match the host name (which must be in all lowercase) against the | 11 | * Tries to match the host name (which must be in all lowercase) against the |
12 | * comma-separated sequence of subpatterns (each possibly preceded by ! to | 12 | * comma-separated sequence of subpatterns (each possibly preceded by ! to |
13 | * indicate negation). Returns true if there is a positive match; zero | 13 | * indicate negation). Returns -1 if negation matches, 1 if there is |
14 | * otherwise. | 14 | * a positive match, 0 if there is no match at all. |
15 | */ | 15 | */ |
16 | int match_hostname(const char *host, const char *pattern, unsigned int len); | 16 | int match_hostname(const char *host, const char *pattern, unsigned int len); |
17 | 17 | ||
diff --git a/readconf.c b/readconf.c index d7011d7f7..2751db345 100644 --- a/readconf.c +++ b/readconf.c | |||
@@ -14,7 +14,7 @@ | |||
14 | */ | 14 | */ |
15 | 15 | ||
16 | #include "includes.h" | 16 | #include "includes.h" |
17 | RCSID("$Id: readconf.c,v 1.15 2000/05/30 03:44:53 damien Exp $"); | 17 | RCSID("$Id: readconf.c,v 1.16 2000/06/07 09:55:44 djm Exp $"); |
18 | 18 | ||
19 | #include "ssh.h" | 19 | #include "ssh.h" |
20 | #include "cipher.h" | 20 | #include "cipher.h" |
@@ -92,7 +92,7 @@ typedef enum { | |||
92 | oBadOption, | 92 | oBadOption, |
93 | oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication, | 93 | oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication, |
94 | oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh, | 94 | oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh, |
95 | oSkeyAuthentication, | 95 | oSkeyAuthentication, oXAuthLocation, |
96 | #ifdef KRB4 | 96 | #ifdef KRB4 |
97 | oKerberosAuthentication, | 97 | oKerberosAuthentication, |
98 | #endif /* KRB4 */ | 98 | #endif /* KRB4 */ |
@@ -116,6 +116,7 @@ static struct { | |||
116 | } keywords[] = { | 116 | } keywords[] = { |
117 | { "forwardagent", oForwardAgent }, | 117 | { "forwardagent", oForwardAgent }, |
118 | { "forwardx11", oForwardX11 }, | 118 | { "forwardx11", oForwardX11 }, |
119 | { "xauthlocation", oXAuthLocation }, | ||
119 | { "gatewayports", oGatewayPorts }, | 120 | { "gatewayports", oGatewayPorts }, |
120 | { "useprivilegedport", oUsePrivilegedPort }, | 121 | { "useprivilegedport", oUsePrivilegedPort }, |
121 | { "rhostsauthentication", oRhostsAuthentication }, | 122 | { "rhostsauthentication", oRhostsAuthentication }, |
@@ -396,6 +397,10 @@ parse_flag: | |||
396 | } | 397 | } |
397 | break; | 398 | break; |
398 | 399 | ||
400 | case oXAuthLocation: | ||
401 | charptr=&options->xauth_location; | ||
402 | goto parse_string; | ||
403 | |||
399 | case oUser: | 404 | case oUser: |
400 | charptr = &options->user; | 405 | charptr = &options->user; |
401 | parse_string: | 406 | parse_string: |
@@ -644,6 +649,7 @@ initialize_options(Options * options) | |||
644 | memset(options, 'X', sizeof(*options)); | 649 | memset(options, 'X', sizeof(*options)); |
645 | options->forward_agent = -1; | 650 | options->forward_agent = -1; |
646 | options->forward_x11 = -1; | 651 | options->forward_x11 = -1; |
652 | options->xauth_location = NULL; | ||
647 | options->gateway_ports = -1; | 653 | options->gateway_ports = -1; |
648 | options->use_privileged_port = -1; | 654 | options->use_privileged_port = -1; |
649 | options->rhosts_authentication = -1; | 655 | options->rhosts_authentication = -1; |
@@ -700,6 +706,10 @@ fill_default_options(Options * options) | |||
700 | options->forward_agent = 0; | 706 | options->forward_agent = 0; |
701 | if (options->forward_x11 == -1) | 707 | if (options->forward_x11 == -1) |
702 | options->forward_x11 = 0; | 708 | options->forward_x11 = 0; |
709 | #ifdef XAUTH_PATH | ||
710 | if (options->xauth_location == NULL) | ||
711 | options->xauth_location = XAUTH_PATH; | ||
712 | #endif /* XAUTH_PATH */ | ||
703 | if (options->gateway_ports == -1) | 713 | if (options->gateway_ports == -1) |
704 | options->gateway_ports = 0; | 714 | options->gateway_ports = 0; |
705 | if (options->use_privileged_port == -1) | 715 | if (options->use_privileged_port == -1) |
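Review bot: `charptr=&options->xauth_location;` in the new oXAuthLocation case drops the spaces around `=` that every neighbouring assignment uses (`charptr = &options->user;`); write it as `charptr = &options->xauth_location;`. The client option also jumps to `parse_string`, whereas the equivalent server option in servconf.c jumps to `parse_filename`; if that asymmetry is intentional, a one-line comment such as `/* plain string, no tilde expansion (unlike sshd's XAuthLocation) */` would stop the next reader from "fixing" it. The `fill_default_options()` hunk leaves the field NULL when XAUTH_PATH is not defined, which matches the NULL check ssh.c's `x11_get_proto()` now performs. The enclosing switch and both functions extend beyond these hunks.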
diff --git a/readconf.h b/readconf.h index 3f0e44254..aeaf39a1c 100644 --- a/readconf.h +++ b/readconf.h | |||
@@ -13,7 +13,7 @@ | |||
13 | * | 13 | * |
14 | */ | 14 | */ |
15 | 15 | ||
16 | /* RCSID("$Id: readconf.h,v 1.11 2000/05/09 01:03:01 damien Exp $"); */ | 16 | /* RCSID("$Id: readconf.h,v 1.12 2000/06/07 09:55:44 djm Exp $"); */ |
17 | 17 | ||
18 | #ifndef READCONF_H | 18 | #ifndef READCONF_H |
19 | #define READCONF_H | 19 | #define READCONF_H |
@@ -30,6 +30,7 @@ typedef struct { | |||
30 | typedef struct { | 30 | typedef struct { |
31 | int forward_agent; /* Forward authentication agent. */ | 31 | int forward_agent; /* Forward authentication agent. */ |
32 | int forward_x11; /* Forward X11 display. */ | 32 | int forward_x11; /* Forward X11 display. */ |
33 | char *xauth_location; /* Location for xauth program */ | ||
33 | int gateway_ports; /* Allow remote connects to forwarded ports. */ | 34 | int gateway_ports; /* Allow remote connects to forwarded ports. */ |
34 | int use_privileged_port; /* Don't use privileged port if false. */ | 35 | int use_privileged_port; /* Don't use privileged port if false. */ |
35 | int rhosts_authentication; /* Try rhosts authentication. */ | 36 | int rhosts_authentication; /* Try rhosts authentication. */ |
diff --git a/servconf.c b/servconf.c index 1aa4fe06d..6583829e7 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -12,7 +12,7 @@ | |||
12 | */ | 12 | */ |
13 | 13 | ||
14 | #include "includes.h" | 14 | #include "includes.h" |
15 | RCSID("$Id: servconf.c,v 1.17 2000/05/30 03:44:53 damien Exp $"); | 15 | RCSID("$Id: servconf.c,v 1.18 2000/06/07 09:55:44 djm Exp $"); |
16 | 16 | ||
17 | #include "ssh.h" | 17 | #include "ssh.h" |
18 | #include "servconf.h" | 18 | #include "servconf.h" |
@@ -44,6 +44,7 @@ initialize_server_options(ServerOptions *options) | |||
44 | options->check_mail = -1; | 44 | options->check_mail = -1; |
45 | options->x11_forwarding = -1; | 45 | options->x11_forwarding = -1; |
46 | options->x11_display_offset = -1; | 46 | options->x11_display_offset = -1; |
47 | options->xauth_location = NULL; | ||
47 | options->strict_modes = -1; | 48 | options->strict_modes = -1; |
48 | options->keepalives = -1; | 49 | options->keepalives = -1; |
49 | options->log_facility = (SyslogFacility) - 1; | 50 | options->log_facility = (SyslogFacility) - 1; |
@@ -109,6 +110,10 @@ fill_default_server_options(ServerOptions *options) | |||
109 | options->x11_forwarding = 0; | 110 | options->x11_forwarding = 0; |
110 | if (options->x11_display_offset == -1) | 111 | if (options->x11_display_offset == -1) |
111 | options->x11_display_offset = 10; | 112 | options->x11_display_offset = 10; |
113 | #ifdef XAUTH_PATH | ||
114 | if (options->xauth_location == NULL) | ||
115 | options->xauth_location = XAUTH_PATH; | ||
116 | #endif /* XAUTH_PATH */ | ||
112 | if (options->strict_modes == -1) | 117 | if (options->strict_modes == -1) |
113 | options->strict_modes = 1; | 118 | options->strict_modes = 1; |
114 | if (options->keepalives == -1) | 119 | if (options->keepalives == -1) |
@@ -177,7 +182,7 @@ typedef enum { | |||
177 | sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, | 182 | sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, |
178 | sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, | 183 | sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
179 | sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile, | 184 | sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile, |
180 | sGatewayPorts, sDSAAuthentication | 185 | sGatewayPorts, sDSAAuthentication, sXAuthLocation |
181 | } ServerOpCodes; | 186 | } ServerOpCodes; |
182 | 187 | ||
183 | /* Textual representation of the tokens. */ | 188 | /* Textual representation of the tokens. */ |
@@ -219,6 +224,7 @@ static struct { | |||
219 | { "ignoreuserknownhosts", sIgnoreUserKnownHosts }, | 224 | { "ignoreuserknownhosts", sIgnoreUserKnownHosts }, |
220 | { "x11forwarding", sX11Forwarding }, | 225 | { "x11forwarding", sX11Forwarding }, |
221 | { "x11displayoffset", sX11DisplayOffset }, | 226 | { "x11displayoffset", sX11DisplayOffset }, |
227 | { "xauthlocation", sXAuthLocation }, | ||
222 | { "strictmodes", sStrictModes }, | 228 | { "strictmodes", sStrictModes }, |
223 | { "permitemptypasswords", sEmptyPasswd }, | 229 | { "permitemptypasswords", sEmptyPasswd }, |
224 | { "uselogin", sUseLogin }, | 230 | { "uselogin", sUseLogin }, |
@@ -365,6 +371,7 @@ parse_int: | |||
365 | case sHostDSAKeyFile: | 371 | case sHostDSAKeyFile: |
366 | charptr = (opcode == sHostKeyFile ) ? | 372 | charptr = (opcode == sHostKeyFile ) ? |
367 | &options->host_key_file : &options->host_dsa_key_file; | 373 | &options->host_key_file : &options->host_dsa_key_file; |
374 | parse_filename: | ||
368 | cp = strtok(NULL, WHITESPACE); | 375 | cp = strtok(NULL, WHITESPACE); |
369 | if (!cp) { | 376 | if (!cp) { |
370 | fprintf(stderr, "%s line %d: missing file name.\n", | 377 | fprintf(stderr, "%s line %d: missing file name.\n", |
@@ -377,15 +384,7 @@ parse_int: | |||
377 | 384 | ||
378 | case sPidFile: | 385 | case sPidFile: |
379 | charptr = &options->pid_file; | 386 | charptr = &options->pid_file; |
380 | cp = strtok(NULL, WHITESPACE); | 387 | goto parse_filename; |
381 | if (!cp) { | ||
382 | fprintf(stderr, "%s line %d: missing file name.\n", | ||
383 | filename, linenum); | ||
384 | exit(1); | ||
385 | } | ||
386 | if (*charptr == NULL) | ||
387 | *charptr = tilde_expand_filename(cp, getuid()); | ||
388 | break; | ||
389 | 388 | ||
390 | case sRandomSeedFile: | 389 | case sRandomSeedFile: |
391 | fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n", | 390 | fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n", |
@@ -508,6 +507,10 @@ parse_flag: | |||
508 | intptr = &options->x11_display_offset; | 507 | intptr = &options->x11_display_offset; |
509 | goto parse_int; | 508 | goto parse_int; |
510 | 509 | ||
510 | case sXAuthLocation: | ||
511 | charptr = &options->xauth_location; | ||
512 | goto parse_filename; | ||
513 | |||
511 | case sStrictModes: | 514 | case sStrictModes: |
512 | intptr = &options->strict_modes; | 515 | intptr = &options->strict_modes; |
513 | goto parse_flag; | 516 | goto parse_flag; |
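Review bot: The new `parse_filename:` label in the host-key case now serves sHostKeyFile, sHostDSAKeyFile, sPidFile and sXAuthLocation but carries no comment, so a reader arriving via `goto` has to find it to learn the contract; add `/* shared tail: read one filename token, fail if it is missing */` above it. Whether the shared tail still tilde-expands with `tilde_expand_filename(cp, getuid())`, as the removed sPidFile copy did, cannot be seen here because the label's body runs past the hunk — if it does, the comment should also note that for sXAuthLocation the expansion is relative to the daemon's own uid. The enclosing switch begins and ends outside these hunks.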
diff --git a/servconf.h b/servconf.h index 107438c05..5c6212f2d 100644 --- a/servconf.h +++ b/servconf.h | |||
@@ -13,7 +13,7 @@ | |||
13 | * | 13 | * |
14 | */ | 14 | */ |
15 | 15 | ||
16 | /* RCSID("$Id: servconf.h,v 1.11 2000/05/07 02:03:18 damien Exp $"); */ | 16 | /* RCSID("$Id: servconf.h,v 1.12 2000/06/07 09:55:44 djm Exp $"); */ |
17 | 17 | ||
18 | #ifndef SERVCONF_H | 18 | #ifndef SERVCONF_H |
19 | #define SERVCONF_H | 19 | #define SERVCONF_H |
@@ -47,6 +47,7 @@ typedef struct { | |||
47 | int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */ | 47 | int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */ |
48 | int x11_display_offset; /* What DISPLAY number to start | 48 | int x11_display_offset; /* What DISPLAY number to start |
49 | * searching at */ | 49 | * searching at */ |
50 | char *xauth_location; /* Location of xauth program */ | ||
50 | int strict_modes; /* If true, require string home dir modes. */ | 51 | int strict_modes; /* If true, require string home dir modes. */ |
51 | int keepalives; /* If true, set SO_KEEPALIVE. */ | 52 | int keepalives; /* If true, set SO_KEEPALIVE. */ |
52 | char *ciphers; /* Ciphers in order of preference. */ | 53 | char *ciphers; /* Ciphers in order of preference. */ |
@@ -812,6 +812,10 @@ do_child(const char *command, struct passwd * pw, const char *term, | |||
812 | struct stat st; | 812 | struct stat st; |
813 | char *argv[10]; | 813 | char *argv[10]; |
814 | 814 | ||
815 | /* login(1) is only called if we execute the login shell */ | ||
816 | if (options.use_login && command != NULL) | ||
817 | options.use_login = 0; | ||
818 | |||
815 | #ifndef USE_PAM /* pam_nologin handles this */ | 819 | #ifndef USE_PAM /* pam_nologin handles this */ |
816 | f = fopen("/etc/nologin", "r"); | 820 | f = fopen("/etc/nologin", "r"); |
817 | if (f) { | 821 | if (f) { |
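Review bot: The new guard rewrites the global `options.use_login` in place, and the comment above it states only when login(1) is called, not why a remote command must bypass it — the ChangeLog entry says such commands were otherwise execed with uid 0. Expand the comment to carry that reason, e.g. `/* login(1) is only used for interactive login shells; a remote command must not go through it, otherwise it would be executed with uid 0 */`, and consider a local flag (`int use_login = options.use_login && command == NULL;`) so the decision is visibly local to this function rather than a side effect on the global. do_child() begins and ends outside this hunk.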
diff --git a/ssh-keygen.c b/ssh-keygen.c index 351036dd4..621b9c143 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
@@ -7,7 +7,7 @@ | |||
7 | */ | 7 | */ |
8 | 8 | ||
9 | #include "includes.h" | 9 | #include "includes.h" |
10 | RCSID("$Id: ssh-keygen.c,v 1.18 2000/05/09 01:03:02 damien Exp $"); | 10 | RCSID("$Id: ssh-keygen.c,v 1.19 2000/06/07 09:55:44 djm Exp $"); |
11 | 11 | ||
12 | #include <openssl/evp.h> | 12 | #include <openssl/evp.h> |
13 | #include <openssl/pem.h> | 13 | #include <openssl/pem.h> |
@@ -520,7 +520,7 @@ main(int ac, char **av) | |||
520 | extern int optind; | 520 | extern int optind; |
521 | extern char *optarg; | 521 | extern char *optarg; |
522 | 522 | ||
523 | OpenSSL_add_all_algorithms(); | 523 | SSLeay_add_all_algorithms(); |
524 | 524 | ||
525 | /* we need this for the home * directory. */ | 525 | /* we need this for the home * directory. */ |
526 | pw = getpwuid(getuid()); | 526 | pw = getpwuid(getuid()); |
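Review bot: `OpenSSL_add_all_algorithms()` is replaced by `SSLeay_add_all_algorithms()` here and in ssh.c, but neither the ChangeLog nor the commit description mentions it, so the reason (presumably compatibility with older OpenSSL/SSLeay headers) is lost. A one-line comment at the call, `/* SSLeay_ name kept for older OpenSSL headers */`, or a ChangeLog line would preserve it. main() begins and ends outside this hunk.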
@@ -9,7 +9,7 @@ | |||
9 | .\" | 9 | .\" |
10 | .\" Created: Sat Apr 22 21:55:14 1995 ylo | 10 | .\" Created: Sat Apr 22 21:55:14 1995 ylo |
11 | .\" | 11 | .\" |
12 | .\" $Id: ssh.1,v 1.27 2000/05/30 03:44:54 damien Exp $ | 12 | .\" $Id: ssh.1,v 1.28 2000/06/07 09:55:44 djm Exp $ |
13 | .\" | 13 | .\" |
14 | .Dd September 25, 1999 | 14 | .Dd September 25, 1999 |
15 | .Dt SSH 1 | 15 | .Dt SSH 1 |
@@ -940,6 +940,12 @@ The argument must be | |||
940 | .Dq yes | 940 | .Dq yes |
941 | or | 941 | or |
942 | .Dq no . | 942 | .Dq no . |
943 | .It Cm XAuthLocation | ||
944 | Specifies the location of the | ||
945 | .Xr xauth 1 | ||
946 | program. | ||
947 | The default is | ||
948 | .Pa /usr/X11R6/bin/xauth . | ||
943 | .Sh ENVIRONMENT | 949 | .Sh ENVIRONMENT |
944 | .Nm | 950 | .Nm |
945 | will normally set the following environment variables: | 951 | will normally set the following environment variables: |
@@ -11,7 +11,7 @@ | |||
11 | */ | 11 | */ |
12 | 12 | ||
13 | #include "includes.h" | 13 | #include "includes.h" |
14 | RCSID("$Id: ssh.c,v 1.33 2000/05/30 03:44:54 damien Exp $"); | 14 | RCSID("$Id: ssh.c,v 1.34 2000/06/07 09:55:44 djm Exp $"); |
15 | 15 | ||
16 | #include <openssl/evp.h> | 16 | #include <openssl/evp.h> |
17 | #include <openssl/dsa.h> | 17 | #include <openssl/dsa.h> |
@@ -438,7 +438,7 @@ main(int ac, char **av) | |||
438 | /* Initialize the command to execute on remote host. */ | 438 | /* Initialize the command to execute on remote host. */ |
439 | buffer_init(&command); | 439 | buffer_init(&command); |
440 | 440 | ||
441 | OpenSSL_add_all_algorithms(); | 441 | SSLeay_add_all_algorithms(); |
442 | 442 | ||
443 | /* | 443 | /* |
444 | * Save the command to execute on the remote host in a buffer. There | 444 | * Save the command to execute on the remote host in a buffer. There |
@@ -677,17 +677,17 @@ x11_get_proto(char *proto, int proto_len, char *data, int data_len) | |||
677 | FILE *f; | 677 | FILE *f; |
678 | int got_data = 0, i; | 678 | int got_data = 0, i; |
679 | 679 | ||
680 | #ifdef XAUTH_PATH | 680 | if (options.xauth_location) { |
681 | /* Try to get Xauthority information for the display. */ | 681 | /* Try to get Xauthority information for the display. */ |
682 | snprintf(line, sizeof line, "%.100s list %.200s 2>/dev/null", | 682 | snprintf(line, sizeof line, "%.100s list %.200s 2>/dev/null", |
683 | XAUTH_PATH, getenv("DISPLAY")); | 683 | options.xauth_location, getenv("DISPLAY")); |
684 | f = popen(line, "r"); | 684 | f = popen(line, "r"); |
685 | if (f && fgets(line, sizeof(line), f) && | 685 | if (f && fgets(line, sizeof(line), f) && |
686 | sscanf(line, "%*s %s %s", proto, data) == 2) | 686 | sscanf(line, "%*s %s %s", proto, data) == 2) |
687 | got_data = 1; | 687 | got_data = 1; |
688 | if (f) | 688 | if (f) |
689 | pclose(f); | 689 | pclose(f); |
690 | #endif /* XAUTH_PATH */ | 690 | } |
691 | /* | 691 | /* |
692 | * If we didn't get authentication data, just make up some | 692 | * If we didn't get authentication data, just make up some |
693 | * data. The forwarding code will check the validity of the | 693 | * data. The forwarding code will check the validity of the |
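Review bot: `options.xauth_location` is now interpolated unquoted into the `%.100s list %.200s 2>/dev/null` command line handed to popen() in x11_get_proto(), where previously the compile-time constant XAUTH_PATH stood. The value comes from the user's own ssh_config, so this is not a privilege boundary, but a path containing whitespace or shell metacharacters will be mis-parsed by the shell; either document that restriction next to the snprintf or replace the popen() with a fork/exec of the program and its two arguments. The `%.100s` width can also silently truncate a long configured path into a confusing failure — a comment, or a length check at parse time, would help. x11_get_proto() begins before this hunk and continues after it.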
diff --git a/sshconnect2.c b/sshconnect2.c index 0abcf89a0..77b8652ea 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
@@ -28,7 +28,7 @@ | |||
28 | */ | 28 | */ |
29 | 29 | ||
30 | #include "includes.h" | 30 | #include "includes.h" |
31 | RCSID("$OpenBSD: sshconnect2.c,v 1.11 2000/05/25 20:45:20 markus Exp $"); | 31 | RCSID("$OpenBSD: sshconnect2.c,v 1.13 2000/06/02 02:00:19 todd Exp $"); |
32 | 32 | ||
33 | #include <openssl/bn.h> | 33 | #include <openssl/bn.h> |
34 | #include <openssl/rsa.h> | 34 | #include <openssl/rsa.h> |
@@ -71,7 +71,6 @@ void | |||
71 | ssh_kex_dh(Kex *kex, char *host, struct sockaddr *hostaddr, | 71 | ssh_kex_dh(Kex *kex, char *host, struct sockaddr *hostaddr, |
72 | Buffer *client_kexinit, Buffer *server_kexinit) | 72 | Buffer *client_kexinit, Buffer *server_kexinit) |
73 | { | 73 | { |
74 | int i; | ||
75 | int plen, dlen; | 74 | int plen, dlen; |
76 | unsigned int klen, kout; | 75 | unsigned int klen, kout; |
77 | char *signature = NULL; | 76 | char *signature = NULL; |
@@ -265,9 +264,12 @@ ssh2_try_passwd(const char *server_user, const char *host, const char *service) | |||
265 | char prompt[80]; | 264 | char prompt[80]; |
266 | char *password; | 265 | char *password; |
267 | 266 | ||
268 | if (attempt++ > options.number_of_password_prompts) | 267 | if (attempt++ >= options.number_of_password_prompts) |
269 | return 0; | 268 | return 0; |
270 | 269 | ||
270 | if(attempt != 1) | ||
271 | error("Permission denied, please try again."); | ||
272 | |||
271 | snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ", | 273 | snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ", |
272 | server_user, host); | 274 | server_user, host); |
273 | password = read_passphrase(prompt, 0); | 275 | password = read_passphrase(prompt, 0); |
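Review bot: `if(attempt != 1)` drops the space after `if` that the rest of the hunk uses (`if (attempt++ >= ...)`); write `if (attempt != 1)`. The "Permission denied, please try again." message is emitted on entry purely from the counter, so it assumes every call after the first follows a rejected password — correct if the caller only re-invokes on failure, but that caller and the declaration of `attempt` are outside the hunk. Changing `>` to `>=` means exactly number_of_password_prompts attempts are made, which matches the ChangeLog's stated intent. ssh2_try_passwd() begins before this hunk and continues after it.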
@@ -9,7 +9,7 @@ | |||
9 | .\" | 9 | .\" |
10 | .\" Created: Sat Apr 22 21:55:14 1995 ylo | 10 | .\" Created: Sat Apr 22 21:55:14 1995 ylo |
11 | .\" | 11 | .\" |
12 | .\" $Id: sshd.8,v 1.22 2000/05/09 01:03:03 damien Exp $ | 12 | .\" $Id: sshd.8,v 1.23 2000/06/07 09:55:44 djm Exp $ |
13 | .\" | 13 | .\" |
14 | .Dd September 25, 1999 | 14 | .Dd September 25, 1999 |
15 | .Dt SSHD 8 | 15 | .Dt SSHD 8 |
@@ -552,7 +552,10 @@ The default is AUTH. | |||
552 | .It Cm UseLogin | 552 | .It Cm UseLogin |
553 | Specifies whether | 553 | Specifies whether |
554 | .Xr login 1 | 554 | .Xr login 1 |
555 | is used. | 555 | is used for interactive login sessions. |
556 | Note that | ||
557 | .Xr login 1 | ||
558 | is not never for remote command execution. | ||
556 | The default is | 559 | The default is |
557 | .Dq no . | 560 | .Dq no . |
558 | .It Cm X11DisplayOffset | 561 | .It Cm X11DisplayOffset |
@@ -569,6 +572,12 @@ The default is | |||
569 | .Dq no . | 572 | .Dq no . |
570 | Note that disabling X11 forwarding does not improve security in any | 573 | Note that disabling X11 forwarding does not improve security in any |
571 | way, as users can always install their own forwarders. | 574 | way, as users can always install their own forwarders. |
575 | .It Cm XAuthLocation | ||
576 | Specifies the location of the | ||
577 | .Xr xauth 1 | ||
578 | program. | ||
579 | The default is | ||
580 | .Pa /usr/X11R6/bin/xauth . | ||
572 | .El | 581 | .El |
573 | .Sh LOGIN PROCESS | 582 | .Sh LOGIN PROCESS |
574 | When a user successfully logs in, | 583 | When a user successfully logs in, |
@@ -1 +1 @@ | |||
#define SSH_VERSION "OpenSSH-2.1" | #define SSH_VERSION "OpenSSH_2.1.1" | ||