author | Kevin Steves <stevesk@pobox.com> | 2000-12-15 19:55:48 +0000 |
---|---|---|
committer | Kevin Steves <stevesk@pobox.com> | 2000-12-15 19:55:48 +0000 |
commit | fcec7f82bb394762afce0801f43bad6d2a4b4a86 (patch) | |
tree | c746459c01b391b6e316e97ba47098eb05cc0068 | |
parent | fa72ddac73e3549cf5d399fae31bfb5a293ed0cc (diff) |
- markus@cvs.openbsd.org 2000/12/12 14:45:21
[sshd.c]
source port < 1024 is no longer required for rhosts-rsa since it
adds no additional security.
- markus@cvs.openbsd.org 2000/12/12 16:11:49
[ssh.1 ssh.c]
rhosts-rsa is no longer automagically disabled if ssh is not privileged.
UsePrivilegedPort=no disables rhosts-rsa _only_ for old servers.
these changes should not change the visible default behaviour of the ssh client.
-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | ssh.1 | 8 | ||||
-rw-r--r-- | ssh.c | 21 | ||||
-rw-r--r-- | sshd.c | 9 |
4 files changed, 26 insertions, 21 deletions
@@ -15,6 +15,15 @@ | |||
15 | - deraadt@cvs.openbsd.org 2000/12/13 06:36:05 | 15 | - deraadt@cvs.openbsd.org 2000/12/13 06:36:05 |
16 | [pty.c] | 16 | [pty.c] |
17 | KNF | 17 | KNF |
18 | - markus@cvs.openbsd.org 2000/12/12 14:45:21 | ||
19 | [sshd.c] | ||
20 | source port < 1024 is no longer required for rhosts-rsa since it | ||
21 | adds no additional security. | ||
22 | - markus@cvs.openbsd.org 2000/12/12 16:11:49 | ||
23 | [ssh.1 ssh.c] | ||
24 | rhosts-rsa is no longer automagically disabled if ssh is not privileged. | ||
25 | UsePrivilegedPort=no disables rhosts-rsa _only_ for old servers. | ||
26 | these changes should not change the visible default behaviour of the ssh client. | ||
18 | 27 | ||
19 | 20001213 | 28 | 20001213 |
20 | - (djm) Make sure we reset the SIGPIPE disposition after we fork. Report | 29 | - (djm) Make sure we reset the SIGPIPE disposition after we fork. Report |
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh.1,v 1.71 2000/12/07 04:24:59 djm Exp $ | 37 | .\" $OpenBSD: ssh.1,v 1.72 2000/12/12 23:11:48 markus Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH 1 | 39 | .Dt SSH 1 |
40 | .Os | 40 | .Os |
@@ -464,7 +464,8 @@ not permit connections from privileged ports. | |||
464 | Note that this option turns off | 464 | Note that this option turns off |
465 | .Cm RhostsAuthentication | 465 | .Cm RhostsAuthentication |
466 | and | 466 | and |
467 | .Cm RhostsRSAAuthentication . | 467 | .Cm RhostsRSAAuthentication |
468 | for older servers. | ||
468 | .It Fl q | 469 | .It Fl q |
469 | Quiet mode. | 470 | Quiet mode. |
470 | Causes all warning and diagnostic messages to be suppressed. | 471 | Causes all warning and diagnostic messages to be suppressed. |
@@ -948,7 +949,8 @@ Note that setting this option to | |||
948 | turns off | 949 | turns off |
949 | .Cm RhostsAuthentication | 950 | .Cm RhostsAuthentication |
950 | and | 951 | and |
951 | .Cm RhostsRSAAuthentication . | 952 | .Cm RhostsRSAAuthentication |
953 | for older servers. | ||
952 | .It Cm User | 954 | .It Cm User |
953 | Specifies the user to log in as. | 955 | Specifies the user to log in as. |
954 | This can be useful if you have a different user name on different machines. | 956 | This can be useful if you have a different user name on different machines. |
@@ -39,7 +39,7 @@ | |||
39 | */ | 39 | */ |
40 | 40 | ||
41 | #include "includes.h" | 41 | #include "includes.h" |
42 | RCSID("$OpenBSD: ssh.c,v 1.75 2000/11/30 07:02:35 markus Exp $"); | 42 | RCSID("$OpenBSD: ssh.c,v 1.77 2000/12/12 23:11:48 markus Exp $"); |
43 | 43 | ||
44 | #include <openssl/evp.h> | 44 | #include <openssl/evp.h> |
45 | #include <openssl/dsa.h> | 45 | #include <openssl/dsa.h> |
@@ -575,11 +575,10 @@ main(int ac, char **av) | |||
575 | if (!options.use_privileged_port) { | 575 | if (!options.use_privileged_port) { |
576 | #else | 576 | #else |
577 | if (original_effective_uid != 0 || !options.use_privileged_port) { | 577 | if (original_effective_uid != 0 || !options.use_privileged_port) { |
578 | debug("Rhosts Authentication methods disabled, " | ||
579 | "originating port will not be trusted."); | ||
580 | #endif | 578 | #endif |
579 | debug("Rhosts Authentication disabled, " | ||
580 | "originating port will not be trusted."); | ||
581 | options.rhosts_authentication = 0; | 581 | options.rhosts_authentication = 0; |
582 | options.rhosts_rsa_authentication = 0; | ||
583 | } | 582 | } |
584 | /* | 583 | /* |
585 | * If using rsh has been selected, exec it now (without trying | 584 | * If using rsh has been selected, exec it now (without trying |
@@ -602,17 +601,13 @@ main(int ac, char **av) | |||
602 | /* Restore our superuser privileges. */ | 601 | /* Restore our superuser privileges. */ |
603 | restore_uid(); | 602 | restore_uid(); |
604 | 603 | ||
605 | /* | 604 | /* Open a connection to the remote host. */ |
606 | * Open a connection to the remote host. This needs root privileges | ||
607 | * if rhosts_{rsa_}authentication is enabled. | ||
608 | */ | ||
609 | 605 | ||
610 | ok = ssh_connect(host, &hostaddr, options.port, | 606 | ok = ssh_connect(host, &hostaddr, options.port, |
611 | options.connection_attempts, | 607 | options.connection_attempts, |
612 | !options.rhosts_authentication && | 608 | original_effective_uid != 0 || !options.use_privileged_port, |
613 | !options.rhosts_rsa_authentication, | 609 | original_real_uid, |
614 | original_real_uid, | 610 | options.proxy_command); |
615 | options.proxy_command); | ||
616 | 611 | ||
617 | /* | 612 | /* |
618 | * If we successfully made the connection, load the host private key | 613 | * If we successfully made the connection, load the host private key |
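Review bot: The fifth argument to `ssh_connect` (new line 608), which by the removed comment appears to select an unprivileged source port, now restates `original_effective_uid != 0 || !options.use_privileged_port` instead of being derived from the option flags, so it can drift from the check at new lines 575-577. It already differs from the first preprocessor branch, which tests only `!options.use_privileged_port`; there a non-root process would, as far as the hunk shows, keep `rhosts_authentication` enabled while connecting from a non-reserved port, and the sshd.c port check would then turn the method off on the server side. Consider computing the value once, e.g. `int anon_port = original_effective_uid != 0 || !options.use_privileged_port;`, passing `anon_port` to `ssh_connect`, and noting in the comment above the call that only Rhosts authentication still depends on a reserved source port. The conditional's opening directive and the rest of `main` are outside the hunk, so the intent of the first branch should be confirmed.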
@@ -40,7 +40,7 @@ | |||
40 | */ | 40 | */ |
41 | 41 | ||
42 | #include "includes.h" | 42 | #include "includes.h" |
43 | RCSID("$OpenBSD: sshd.c,v 1.136 2000/12/05 16:47:28 todd Exp $"); | 43 | RCSID("$OpenBSD: sshd.c,v 1.137 2000/12/12 21:45:21 markus Exp $"); |
44 | 44 | ||
45 | #include "xmalloc.h" | 45 | #include "xmalloc.h" |
46 | #include "rsa.h" | 46 | #include "rsa.h" |
@@ -1119,18 +1119,17 @@ main(int ac, char **av) | |||
1119 | 1119 | ||
1120 | sshd_exchange_identification(sock_in, sock_out); | 1120 | sshd_exchange_identification(sock_in, sock_out); |
1121 | /* | 1121 | /* |
1122 | * Check that the connection comes from a privileged port. Rhosts- | 1122 | * Check that the connection comes from a privileged port. |
1123 | * and Rhosts-RSA-Authentication only make sense from priviledged | 1123 | * Rhosts-Authentication only makes sense from priviledged |
1124 | * programs. Of course, if the intruder has root access on his local | 1124 | * programs. Of course, if the intruder has root access on his local |
1125 | * machine, he can connect from any port. So do not use these | 1125 | * machine, he can connect from any port. So do not use these |
1126 | * authentication methods from machines that you do not trust. | 1126 | * authentication methods from machines that you do not trust. |
1127 | */ | 1127 | */ |
1128 | if (remote_port >= IPPORT_RESERVED || | 1128 | if (remote_port >= IPPORT_RESERVED || |
1129 | remote_port < IPPORT_RESERVED / 2) { | 1129 | remote_port < IPPORT_RESERVED / 2) { |
1130 | debug("Rhosts Authentication methods disabled, " | 1130 | debug("Rhosts Authentication disabled, " |
1131 | "originating port not trusted."); | 1131 | "originating port not trusted."); |
1132 | options.rhosts_authentication = 0; | 1132 | options.rhosts_authentication = 0; |
1133 | options.rhosts_rsa_authentication = 0; | ||
1134 | } | 1133 | } |
1135 | #ifdef KRB4 | 1134 | #ifdef KRB4 |
1136 | if (!packet_connection_is_ipv4() && | 1135 | if (!packet_connection_is_ipv4() && |
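Review bot: The block comment above the port check (new lines 1121-1127) still ends with "do not use these authentication methods", although after this change only `rhosts_authentication` is gated on the source port, and it does not record why Rhosts-RSA is exempt. The commit message says the port requirement adds no security for rhosts-rsa, presumably because that method verifies the client host's RSA key, and that reasoning belongs next to the check so the second assignment is not re-added later. Suggested wording: `* Rhosts-RSA is not restricted here: it relies on the client host key, not on the source port.`, with the last sentence changed to "this authentication method". `main` starts and ends outside the hunk.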