- (bal) OpenBSD Sync

- markus@cvs.openbsd.org 2001/01/08 22:29:05 [auth2.c compat.c compat.h servconf.c servconf.h sshd.8 sshd_config version.h] implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled). - markus@cvs.openbsd.org 2001/01/08 22:03:23 [channels.c ssh-keyscan.c] O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com - markus@cvs.openbsd.org 2001/01/08 21:55:41 [sshconnect1.c] more cleanups and fixes from stevesk@pobox.com: 1) try_agent_authentication() for loop will overwrite key just allocated with key_new(); don't alloc 2) call ssh_close_authentication_connection() before exit try_agent_authentication() 3) free mem on bad passphrase in try_rsa_authentication() - markus@cvs.openbsd.org 2001/01/08 21:48:17 [kex.c] missing free; thanks stevesk@pobox.com
author: Ben Lindstrom <mouring@eviladmin.org> 2001-01-09 00:35:42 +0000
committer: Ben Lindstrom <mouring@eviladmin.org> 2001-01-09 00:35:42 +0000
commit: 48bd7c118a25b950842864c7eb87ef666cbc342d (patch)
tree: b678668f292f8a8bb5e00b9b8f89d86370a8e11f
parent: 99a0563fd59e1d3e1b79a1a9dd38ce9f6b5059ee (diff)
13 files changed, 96 insertions, 16 deletions
diff --git a/ChangeLog b/ChangeLog
index 564c513e2..b21180335 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,27 @@
 - (bal) Resync CVS ID of cli.c
 - (stevesk) auth1.c: free should be after WITH_AIXAUTHENTICATE
   code.
+ - (bal) OpenBSD Sync
+   - markus@cvs.openbsd.org 2001/01/08 22:29:05
+     [auth2.c compat.c compat.h servconf.c servconf.h sshd.8
+      sshd_config version.h]
+     implement option 'Banner /etc/issue.net' for ssh2, move version to
+     2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
+     is enabled).
+   - markus@cvs.openbsd.org 2001/01/08 22:03:23
+     [channels.c ssh-keyscan.c]
+     O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com
+   - markus@cvs.openbsd.org 2001/01/08 21:55:41
+     [sshconnect1.c]
+     more cleanups and fixes from stevesk@pobox.com:
+     1) try_agent_authentication() for loop will overwrite key just
+        allocated with key_new(); don't alloc
+     2) call ssh_close_authentication_connection() before exit
+        try_agent_authentication()
+     3) free mem on bad passphrase in try_rsa_authentication()
+   - markus@cvs.openbsd.org 2001/01/08 21:48:17
+     [kex.c]
+     missing free; thanks stevesk@pobox.com
 20010108
 - (bal) Fixed another typo in cli.c
diff --git a/auth2.c b/auth2.c
index 4880b736e..3a247f588 100644
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.24 2000/12/28 14:25:51 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.25 2001/01/08 22:29:05 markus Exp $");
 #ifdef HAVE_OSF_SIA
 # include <sia.h>
@@ -92,6 +92,7 @@ int	user_key_allowed(struct passwd *pw, Key *key);
 char    *authmethods_get(void);
 /* auth */
+void    userauth_banner(void);
 int     userauth_none(Authctxt *authctxt);
 int     userauth_passwd(Authctxt *authctxt);
 int     userauth_pubkey(Authctxt *authctxt);
@@ -257,6 +258,39 @@ input_userauth_request(int type, int plen, void *ctxt)
        xfree(method);
 }
+void
+userauth_banner(void)
+{
+        struct stat st;
+        char *banner = NULL;
+        off_t len, n;
+        int fd;
+        if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
+                return;
+        if ((fd = open(options.banner, O_RDONLY)) < 0) {
+                error("userauth_banner: open %s failed: %s",
+                    options.banner, strerror(errno));
+                return;
+        }
+        if (fstat(fd, &st) < 0)
+                goto done;
+        len = st.st_size;
+        banner = xmalloc(len + 1);
+        if ((n = read(fd, banner, len)) < 0)
+                goto done;
+        banner[n] = '\0';
+        packet_start(SSH2_MSG_USERAUTH_BANNER);
+        packet_put_cstring(banner);
+        packet_put_cstring("");         /* language, unused */
+        packet_send();
+        debug("userauth_banner: sent");
+done:
+        if (banner)
+                xfree(banner);
+        close(fd);
+        return;
+}
 void
 userauth_log(Authctxt *authctxt, int authenticated, char *method)
@@ -335,6 +369,7 @@ userauth_none(Authctxt *authctxt)
        if (m != NULL)
                m->enabled = NULL;
        packet_done();
+        userauth_banner();
        if (authctxt->valid == 0)
                return(0);
diff --git a/channels.c b/channels.c
index b1fcd7ca8..254f5df2f 100644
--- a/channels.c
+++ b/channels.c
@@ -40,7 +40,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.79 2000/12/29 22:19:13 markus Exp $");
+RCSID("$OpenBSD: channels.c,v 1.80 2001/01/08 22:03:23 markus Exp $");
 #include "ssh.h"
 #include "packet.h"
@@ -1743,7 +1743,7 @@ channel_connect_to(const char *host, u_short host_port)
                        error("socket: %.100s", strerror(errno));
                        continue;
                }
-                if (fcntl(sock, F_SETFL, O_NDELAY) < 0)
+                if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0)
                        fatal("connect_to: F_SETFL: %s", strerror(errno));
                /* Connect to the host/port. */
                if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 &&
diff --git a/compat.c b/compat.c
index a2d3a3383..47af1a8ea 100644
--- a/compat.c
+++ b/compat.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: compat.c,v 1.32 2000/12/09 23:51:11 provos Exp $");
+RCSID("$OpenBSD: compat.c,v 1.33 2001/01/08 22:29:05 markus Exp $");
 #include "ssh.h"
 #include "packet.h"
@@ -62,7 +62,10 @@ compat_datafellows(const char *version)
                char    *pat;
                int     bugs;
        } check[] = {
-                { "^OpenSSH[-_]2\\.[012]",      SSH_OLD_SESSIONID },
+                { "^OpenSSH[-_]2\\.[012]",
+                                        SSH_OLD_SESSIONID|SSH_BUG_BANNER },
+                { "^OpenSSH_2\\.3\\.0", SSH_BUG_BANNER },
+                { "^OpenSSH",           0 },
                { "MindTerm",           0 },
                { "^2\\.1\\.0",         SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
                                        SSH_OLD_SESSIONID|SSH_BUG_DEBUG },
diff --git a/compat.h b/compat.h
index cf97c7d28..fb65cd6d6 100644
--- a/compat.h
+++ b/compat.h
@@ -21,7 +21,7 @@
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-/* RCSID("$OpenBSD: compat.h,v 1.13 2000/12/06 22:58:15 markus Exp $"); */
+/* RCSID("$OpenBSD: compat.h,v 1.14 2001/01/08 22:29:05 markus Exp $"); */
 #ifndef COMPAT_H
 #define COMPAT_H
@@ -38,6 +38,7 @@
 #define SSH_OLD_SESSIONID       0x10
 #define SSH_BUG_PKAUTH          0x20
 #define SSH_BUG_DEBUG           0x40
+#define SSH_BUG_BANNER          0x80
 void    enable_compat13(void);
 void    enable_compat20(void);
diff --git a/kex.c b/kex.c
index de315705e..9a31ae927 100644
--- a/kex.c
+++ b/kex.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: kex.c,v 1.16 2000/12/20 19:37:22 markus Exp $");
+RCSID("$OpenBSD: kex.c,v 1.17 2001/01/08 21:48:17 markus Exp $");
 #include "ssh.h"
 #include "ssh2.h"
@@ -465,6 +465,7 @@ choose_hostkeyalg(Kex *k, char *client, char *server)
        k->hostkey_type = key_type_from_name(hostkeyalg);
        if (k->hostkey_type == KEY_UNSPEC)
                fatal("bad hostkey alg '%s'", hostkeyalg);
+        xfree(hostkeyalg);
 }
 Kex *
diff --git a/servconf.c b/servconf.c
index 6604e3d23..fb42d74ef 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.56 2001/01/07 11:28:06 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.57 2001/01/08 22:29:05 markus Exp $");
 #include "ssh.h"
 #include "servconf.h"
@@ -78,6 +78,7 @@ initialize_server_options(ServerOptions *options)
        options->max_startups_begin = -1;
        options->max_startups_rate = -1;
        options->max_startups = -1;
+        options->banner = NULL;
 }
 void
@@ -198,6 +199,7 @@ typedef enum {
        sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
        sIgnoreUserKnownHosts, sCiphers, sProtocol, sPidFile,
        sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
+        sBanner
 } ServerOpCodes;
 /* Textual representation of the tokens. */
@@ -257,6 +259,7 @@ static struct {
        { "gatewayports", sGatewayPorts },
        { "subsystem", sSubsystem },
        { "maxstartups", sMaxStartups },
+        { "banner", sBanner },
        { NULL, 0 }
 };
@@ -697,6 +700,10 @@ parse_flag:
                        intptr = &options->max_startups;
                        goto parse_int;
+                case sBanner:
+                        charptr = &options->banner;
+                        goto parse_filename;
+                        
                default:
                        fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
                                filename, linenum, arg, opcode);
diff --git a/servconf.h b/servconf.h
index 7d5016662..532b22f6e 100644
--- a/servconf.h
+++ b/servconf.h
@@ -11,7 +11,7 @@
 * called by a name other than "ssh" or "Secure Shell".
 */
-/* RCSID("$OpenBSD: servconf.h,v 1.32 2000/12/19 23:17:58 markus Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.33 2001/01/08 22:29:05 markus Exp $"); */
 #ifndef SERVCONF_H
 #define SERVCONF_H
@@ -104,6 +104,7 @@ typedef struct {
        int     max_startups_begin;
        int     max_startups_rate;
        int     max_startups;
+        char   *banner;                 /* SSH-2 banner message */
 }       ServerOptions;
 /*
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 68593fe75..5d5427aad 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -8,7 +8,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keyscan.c,v 1.6 2000/12/19 23:17:58 markus Exp $");
+RCSID("$OpenBSD: ssh-keyscan.c,v 1.7 2001/01/08 22:03:23 markus Exp $");
 #if defined(HAVE_SYS_QUEUE_H)  &&  !defined(HAVE_BOGUS_SYS_QUEUE_H)
 #include <sys/queue.h>
@@ -310,7 +310,7 @@ tcpconnect(char *host)
                        error("socket: %s", strerror(errno));
                        continue;
                }
-                if (fcntl(s, F_SETFL, O_NDELAY) < 0)
+                if (fcntl(s, F_SETFL, O_NONBLOCK) < 0)
                        fatal("F_SETFL: %s", strerror(errno));
                if (connect(s, ai->ai_addr, ai->ai_addrlen) < 0 &&
                    errno != EINPROGRESS)
diff --git a/sshconnect1.c b/sshconnect1.c
index d6230529f..09d0210a9 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,7 +13,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.13 2000/12/19 23:17:58 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.14 2001/01/08 21:55:41 markus Exp $");
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
@@ -62,7 +62,6 @@ try_agent_authentication()
                return 0;
        challenge = BN_new();
-        key = key_new(KEY_RSA1);
        /* Loop through identities served by the agent. */
        for (key = ssh_get_first_identity(auth, &comment, 1);
@@ -125,6 +124,7 @@ try_agent_authentication()
                /* The server returns success if it accepted the authentication. */
                if (type == SSH_SMSG_SUCCESS) {
+                        ssh_close_authentication_connection(auth);
                        BN_clear_free(challenge);
                        debug("RSA authentication accepted by server.");
                        return 1;
@@ -134,6 +134,7 @@ try_agent_authentication()
                        packet_disconnect("Protocol error waiting RSA auth response: %d",
                                          type);
        }
+        ssh_close_authentication_connection(auth);
        BN_clear_free(challenge);
        debug("RSA authentication using agent refused.");
        return 0;
@@ -270,6 +271,8 @@ try_rsa_authentication(const char *authfile)
                        /* Expect the server to reject it... */
                        packet_read_expect(&plen, SSH_SMSG_FAILURE);
                        xfree(comment);
+                        key_free(private);
+                        BN_clear_free(challenge);
                        return 0;
                }
                /* Destroy the passphrase. */
diff --git a/sshd.8 b/sshd.8
index d6232f4b2..fef26b50b 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.79 2001/01/07 11:28:07 markus Exp $
+.\" $OpenBSD: sshd.8,v 1.80 2001/01/08 22:29:05 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -333,6 +333,13 @@ wildcards in the patterns.
 Only user names are valid; a numerical user ID isn't recognized.
 By default login is allowed regardless of the user name.
 .Pp
+.It Cm Banner
+In some jurisdictions, sending a warning message before authentication
+may be relevant for getting legal protection.
+The contents of the specified file are sent to the remote user before
+authentication is allowed.
+This option is only available for protocol version 2.
+.Pp
 .It Cm Ciphers
 Specifies the ciphers allowed for protocol version 2.
 Multiple ciphers must be comma-separated.
diff --git a/sshd_config b/sshd_config
index 357c42502..26372ab16 100644
--- a/sshd_config
+++ b/sshd_config
@@ -56,3 +56,4 @@ CheckMail no
 # Uncomment if you want to enable sftp
 #Subsystem      sftp    /usr/libexec/sftp-server
 #MaxStartups 10:30:60
+#Banner /etc/issue.net
diff --git a/version.h b/version.h
index 7e07541a9..591fbdfc6 100644
--- a/version.h
+++ b/version.h
@@ -1,3 +1,3 @@
-/* $OpenBSD: version.h,v 1.13 2000/10/16 09:38:45 djm Exp $ */
+/* $OpenBSD: version.h,v 1.16 2001/01/08 22:29:05 markus Exp $ */
-#define SSH_VERSION     "OpenSSH_2.3.0p2"
+#define SSH_VERSION     "OpenSSH_2.3.1p1"
author	Ben Lindstrom <mouring@eviladmin.org>	2001-01-09 00:35:42 +0000
committer	Ben Lindstrom <mouring@eviladmin.org>	2001-01-09 00:35:42 +0000
commit	48bd7c118a25b950842864c7eb87ef666cbc342d (patch)
tree	b678668f292f8a8bb5e00b9b8f89d86370a8e11f
parent	99a0563fd59e1d3e1b79a1a9dd38ce9f6b5059ee (diff)