author | Damien Miller <djm@mindrot.org> | 2000-03-17 23:40:15 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2000-03-17 23:40:15 +1100 |
commit | 7684ee17ee96426970c00cb44d9d00b6611b9a57 (patch) | |
tree | cb447b6e9d3fdc10b3e66a90b198092d7245447a | |
parent | d6121d2972c1a6924f6d186ea04eefe9dab774ef (diff) |
- OpenBSD CVS updates:
- [atomicio.c auth-krb4.c bufaux.c channels.c compress.c fingerprint.c]
[packet.h radix.c rsa.c scp.c ssh-agent.c ssh-keygen.c sshconnect.c]
[sshd.c]
pedantic: signed vs. unsigned, void*-arithm, etc
- [ssh.1 sshd.8]
Various cleanups and standardizations.
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | atomicio.c | 7 | ||||
-rw-r--r-- | auth-krb4.c | 9 | ||||
-rw-r--r-- | bufaux.c | 8 | ||||
-rw-r--r-- | channels.c | 6 | ||||
-rw-r--r-- | compress.c | 12 | ||||
-rw-r--r-- | fingerprint.c | 4 | ||||
-rw-r--r-- | packet.h | 6 | ||||
-rw-r--r-- | radix.c | 4 | ||||
-rw-r--r-- | rsa.c | 6 | ||||
-rw-r--r-- | scp.c | 6 | ||||
-rw-r--r-- | ssh-agent.c | 9 | ||||
-rw-r--r-- | ssh-keygen.c | 5 | ||||
-rw-r--r-- | ssh.1 | 496 | ||||
-rw-r--r-- | sshconnect.c | 30 | ||||
-rw-r--r-- | sshd.8 | 4 | ||||
-rw-r--r-- | sshd.c | 18 |
17 files changed, 377 insertions, 260 deletions
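--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,13 @@
 <jmknoble@pobox.com>
 - Checks for 64 bit int types. Problem report from Mats Fredholm
 <matsf@init.se>
+- OpenBSD CVS updates:
+- [atomicio.c auth-krb4.c bufaux.c channels.c compress.c fingerprint.c]
+[packet.h radix.c rsa.c scp.c ssh-agent.c ssh-keygen.c sshconnect.c]
+[sshd.c]
+pedantic: signed vs. unsigned, void*-arithm, etc
+- [ssh.1 sshd.8]
+Various cleanups and standardizations.
 
 20000316
 - Fixed configure not passing LDFLAGS to Solaris. Report from David G.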
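--- a/atomicio.c
+++ b/atomicio.c
@@ -24,7 +24,7 @@
 */
 
 #include "includes.h"
-RCSID("$Id: atomicio.c,v 1.9 2000/03/09 10:27:50 damien Exp $");
+RCSID("$Id: atomicio.c,v 1.10 2000/03/17 12:40:15 damien Exp $");
 
 #include "xmalloc.h"
 #include "ssh.h"
@@ -33,12 +33,13 @@ RCSID("$Id: atomicio.c,v 1.9 2000/03/09 10:27:50 damien Exp $");
 * ensure all of data on socket comes through. f==read || f==write
 */
 ssize_t
-atomicio(f, fd, s, n)
+atomicio(f, fd, _s, n)
 ssize_t (*f) ();
 int fd;
-void *s;
+void *_s;
 size_t n;
 {
+char *s = _s;
 ssize_t res, pos = 0;
 
 while (n > pos) {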
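Review bot: The loop condition `while (n > pos)` on the last hunk line still compares `size_t n` with `ssize_t pos`, so `pos` is silently converted to unsigned in a commit whose stated purpose is signed/unsigned hygiene; declaring `size_t pos = 0;` (keeping `res` signed for the -1 check) makes the comparison clean and also makes `n - pos` and `s + pos` obviously in-range. Separately, the callback is still declared with the unprototyped `ssize_t (*f) ();`, which lets any function be passed with no argument checking; a prototyped `ssize_t (*f)(int, void *, size_t);` would catch misuse at the call sites (write()'s `const void *` parameter needs one cast at the caller). The body of atomicio continues outside the hunk.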
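--- a/auth-krb4.c
+++ b/auth-krb4.c
@@ -186,19 +186,20 @@ auth_krb4(const char *server_user, KTEXT auth, char **client)
 KTEXT_ST reply;
 char instance[INST_SZ];
 int r, s;
+socklen_t slen;
 u_int cksum;
 Key_schedule schedule;
 struct sockaddr_in local, foreign;
 
 s = packet_get_connection_in();
 
-r = sizeof(local);
+slen = sizeof(local);
 memset(&local, 0, sizeof(local));
-if (getsockname(s, (struct sockaddr *) & local, &r) < 0)
+if (getsockname(s, (struct sockaddr *) & local, &slen) < 0)
 debug("getsockname failed: %.100s", strerror(errno));
-r = sizeof(foreign);
+slen = sizeof(foreign);
 memset(&foreign, 0, sizeof(foreign));
-if (getpeername(s, (struct sockaddr *) & foreign, &r) < 0) {
+if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) {
 debug("getpeername failed: %.100s", strerror(errno));
 fatal_cleanup();
 }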
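Review bot: Neither address is validated beyond the return code: after `getsockname`/`getpeername` the returned `slen` and `local.sin_family`/`foreign.sin_family` are never checked, so a connection arriving on a non-AF_INET socket (this tree already resolves with getaddrinfo in channels.c) would leave a truncated or zero-filled `sockaddr_in` that the Kerberos exchange further down presumably treats as the real peer address. The two failure paths are also asymmetric — a `getsockname` failure is only `debug()`-logged and execution continues with the zeroed `local`, while a `getpeername` failure calls `fatal_cleanup()`. A check after each call along the lines of `if (slen != sizeof(foreign) || foreign.sin_family != AF_INET) fatal_cleanup();` closes both, and the same treatment for `local` makes the two paths consistent. The rest of auth_krb4 is outside the hunk, so I cannot see how `local` and `foreign` are consumed.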
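--- a/bufaux.c
+++ b/bufaux.c
@@ -15,7 +15,7 @@
 */
 
 #include "includes.h"
-RCSID("$Id: bufaux.c,v 1.7 1999/11/25 00:54:58 damien Exp $");
+RCSID("$Id: bufaux.c,v 1.8 2000/03/17 12:40:15 damien Exp $");
 
 #include "ssh.h"
 
@@ -39,7 +39,7 @@ buffer_put_bignum(Buffer *buffer, BIGNUM *value)
 {
 int bits = BN_num_bits(value);
 int bin_size = (bits + 7) / 8;
-char *buf = xmalloc(bin_size);
+char unsigned *buf = xmalloc(bin_size);
 int oi;
 char msg[2];
 
@@ -53,7 +53,7 @@ buffer_put_bignum(Buffer *buffer, BIGNUM *value)
 PUT_16BIT(msg, bits);
 buffer_append(buffer, msg, 2);
 /* Store the binary data. */
-buffer_append(buffer, buf, oi);
+buffer_append(buffer, (char *)buf, oi);
 
 memset(buf, 0, bin_size);
 xfree(buf);
@@ -75,7 +75,7 @@ buffer_get_bignum(Buffer *buffer, BIGNUM *value)
 bytes = (bits + 7) / 8;
 if (buffer_len(buffer) < bytes)
 fatal("buffer_get_bignum: input buffer too small");
-bin = buffer_ptr(buffer);
+bin = (unsigned char*) buffer_ptr(buffer);
 BN_bin2bn(bin, bytes, value);
 buffer_consume(buffer, bytes);
 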
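Review bot: `char unsigned *buf` on the new line 42 is legal but reads oddly next to `(unsigned char*)` on line 78 of the same file and `(char *)buf` two hunks later; `unsigned char *buf = xmalloc(bin_size);` keeps a single spelling. A caveat worth recording on the `memset(buf, 0, bin_size); xfree(buf);` pair: `buf` may hold secret bignum material, and a dead-store-eliminating compiler is entitled to drop a memset immediately before free — a comment such as `/* buf may hold secret bignum bytes; wipe before freeing (not optimiser-proof) */` documents the intent so a later reader neither removes it nor mistakes it for a guarantee. Both function bodies extend outside the hunks.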
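--- a/channels.c
+++ b/channels.c
@@ -16,7 +16,7 @@
 */
 
 #include "includes.h"
-RCSID("$Id: channels.c,v 1.18 2000/03/11 09:45:41 damien Exp $");
+RCSID("$Id: channels.c,v 1.19 2000/03/17 12:40:15 damien Exp $");
 
 #include "ssh.h"
 #include "packet.h"
@@ -1041,7 +1041,7 @@ channel_input_port_open(int payload_len)
 int remote_channel, sock = 0, newch, i;
 u_short host_port;
 char *host, *originator_string;
-int host_len, originator_len;
+unsigned int host_len, originator_len;
 struct addrinfo hints, *ai, *aitop;
 char ntop[NI_MAXHOST], strport[NI_MAXSERV];
 int gaierr;
@@ -1341,7 +1341,7 @@ x11_input_open(int payload_len)
 int remote_channel, display_number, sock = 0, newch;
 const char *display;
 char buf[1024], *cp, *remote_host;
-int remote_len;
+unsigned int remote_len;
 struct addrinfo hints, *ai, *aitop;
 char strport[NI_MAXSERV];
 int gaierr;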
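Review bot: The type change makes `host_len`, `originator_len` and `remote_len` agree with `packet_get_string(unsigned int *length_ptr)` as declared in the packet.h hunk, which is the right fix, but the declaration directly above in both functions still initialises `sock = 0` — 0 is a valid descriptor, so any later error path that tests `sock` for "not yet opened" would close or leak stdin; `sock = -1` is the conventional sentinel. Both function bodies are outside the hunks, so whether such a test exists is something to confirm rather than a defect I can point to.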
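--- a/compress.c
+++ b/compress.c
@@ -14,7 +14,7 @@
 */
 
 #include "includes.h"
-RCSID("$Id: compress.c,v 1.3 1999/11/25 00:54:59 damien Exp $");
+RCSID("$Id: compress.c,v 1.4 2000/03/17 12:40:16 damien Exp $");
 
 #include "ssh.h"
 #include "buffer.h"
@@ -75,13 +75,13 @@ buffer_compress(Buffer * input_buffer, Buffer * output_buffer)
 return;
 
 /* Input is the contents of the input buffer. */
-outgoing_stream.next_in = buffer_ptr(input_buffer);
+outgoing_stream.next_in = (unsigned char *) buffer_ptr(input_buffer);
 outgoing_stream.avail_in = buffer_len(input_buffer);
 
 /* Loop compressing until deflate() returns with avail_out != 0. */
 do {
 /* Set up fixed-size output buffer. */
-outgoing_stream.next_out = buf;
+outgoing_stream.next_out = (unsigned char *)buf;
 outgoing_stream.avail_out = sizeof(buf);
 
 /* Compress as much data into the buffer as possible. */
@@ -124,10 +124,10 @@ buffer_uncompress(Buffer * input_buffer, Buffer * output_buffer)
 char buf[4096];
 int status;
 
-incoming_stream.next_in = buffer_ptr(input_buffer);
+incoming_stream.next_in = (unsigned char *) buffer_ptr(input_buffer);
 incoming_stream.avail_in = buffer_len(input_buffer);
 
-incoming_stream.next_out = buf;
+incoming_stream.next_out = (unsigned char *) buf;
 incoming_stream.avail_out = sizeof(buf);
 
 for (;;) {
@@ -136,7 +136,7 @@ buffer_uncompress(Buffer * input_buffer, Buffer * output_buffer)
 case Z_OK:
 buffer_append(output_buffer, buf,
 sizeof(buf) - incoming_stream.avail_out);
-incoming_stream.next_out = buf;
+incoming_stream.next_out = (unsigned char *) buf;
 incoming_stream.avail_out = sizeof(buf);
 break;
 case Z_STREAM_END: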
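Review bot: The new casts are spelled two ways in one file — `(unsigned char *) buffer_ptr(input_buffer)` with a space on line 78 and `(unsigned char *)buf` without on line 84 — and a reader has to work out that all five exist only to satisfy zlib's `Bytef *` stream fields; casting to `(Bytef *)` consistently says why in the cast itself. On buffer_uncompress, the `Z_OK` arm appends every 4096-byte chunk to `output_buffer` with no bound of its own, so the caller is presumably what limits how much a small compressed packet from the peer can expand into; that is worth a one-line comment at the top of the function if it is true, since the body continues outside the hunk and the limit is not visible here.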
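--- a/fingerprint.c
+++ b/fingerprint.c
@@ -28,7 +28,7 @@
 */
 
 #include "includes.h"
-RCSID("$Id: fingerprint.c,v 1.4 1999/11/24 16:15:25 markus Exp $");
+RCSID("$Id: fingerprint.c,v 1.5 2000/03/16 20:56:14 markus Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -51,7 +51,7 @@ fingerprint(BIGNUM *e, BIGNUM *n)
 static char retval[80];
 MD5_CTX md;
 unsigned char d[16];
-char *buf;
+unsigned char *buf;
 int nlen, elen;
 
 nlen = BN_num_bytes(n);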
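Review bot: `fingerprint()` hands back a pointer into `static char retval[80]` (line 51), so the result is overwritten by the next call and the function is not reentrant; nothing in the hunk says so, and a caller that keeps the pointer across a second call silently gets the wrong string. A comment above the declaration such as `/* Returns a pointer to static storage; valid only until the next call. */` is the minimum. If `retval` holds the usual colon-separated hex of the 16-byte digest `d`, that is 47 characters plus NUL, so 80 is ample, but expressing the size as `sizeof(d) * 3` or noting the relation in a comment would tie the two declarations together. The body continues past the hunk.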
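--- a/packet.h
+++ b/packet.h
@@ -13,7 +13,7 @@
 *
 */
 
-/* RCSID("$Id: packet.h,v 1.9 2000/01/14 04:45:51 damien Exp $"); */
+/* RCSID("$Id: packet.h,v 1.10 2000/03/17 12:40:16 damien Exp $"); */
 
 #ifndef PACKET_H
 #define PACKET_H
@@ -151,7 +151,7 @@ char *packet_get_string(unsigned int *length_ptr);
 * The error message should not contain a newline. The total length of the
 * message must not exceed 1024 bytes.
 */
-void packet_disconnect(const char *fmt,...) __attribute__((format(printf, 1, 2)));;
+void packet_disconnect(const char *fmt,...) __attribute__((format(printf, 1, 2)));
 
 /*
 * Sends a diagnostic message to the other side. This message can be sent at
@@ -163,7 +163,7 @@ void packet_disconnect(const char *fmt,...) __attribute__((format(printf, 1,
 * remote side protocol flags do not indicate that it supports SSH_MSG_DEBUG,
 * this will do nothing.
 */
-void packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2)));;
+void packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2)));
 
 /* Checks if there is any buffered output, and tries to write some of the output. */
 void packet_write_poll(void);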
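--- a/radix.c
+++ b/radix.c
@@ -213,7 +213,7 @@ creds_to_radix(CREDENTIALS *creds, unsigned char *buf)
 p += creds->ticket_st.length;
 len = p - temp;
 
-return (uuencode(temp, len, buf));
+return (uuencode((unsigned char *)temp, len, (char *)buf));
 }
 
 int
@@ -225,7 +225,7 @@ radix_to_creds(const char *buf, CREDENTIALS *creds)
 char version;
 char temp[2048];
 
-if (!(len = uudecode(buf, temp, sizeof(temp))))
+if (!(len = uudecode(buf, (unsigned char *)temp, sizeof(temp))))
 return 0;
 
 p = temp;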
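Review bot: In radix_to_creds the test `if (!(len = uudecode(buf, (unsigned char *)temp, sizeof(temp))))` rejects only a zero result; if uudecode follows the usual base64-decoder convention of returning -1 on malformed input, a negative `len` passes the check and the parse that starts at `p = temp;` runs over whatever `temp` happened to contain — and `buf` here is presumably data received from the peer. `if ((len = uudecode(buf, (unsigned char *)temp, sizeof(temp))) <= 0) return 0;` is the safe form whichever convention uudecode uses. The paired casts in creds_to_radix, `(unsigned char *)temp` and `(char *)buf`, indicate that `temp` and the `buf` parameter are each declared with the opposite signedness from what uuencode takes; fixing the declarations would remove both casts rather than paper over them. Both function bodies extend outside the hunks.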
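--- a/rsa.c
+++ b/rsa.c
@@ -35,7 +35,7 @@
 */
 
 #include "includes.h"
-RCSID("$Id: rsa.c,v 1.10 2000/03/09 10:27:51 damien Exp $");
+RCSID("$Id: rsa.c,v 1.11 2000/03/17 12:40:16 damien Exp $");
 
 #include "rsa.h"
 #include "ssh.h"
@@ -145,7 +145,7 @@ rsa_generate_key(RSA *prv, RSA *pub, unsigned int bits)
 void
 rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key)
 {
-char *inbuf, *outbuf;
+unsigned char *inbuf, *outbuf;
 int len, ilen, olen;
 
 if (BN_num_bits(key->e) < 2 || !BN_is_odd(key->e))
@@ -173,7 +173,7 @@ rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key)
 void
 rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key)
 {
-char *inbuf, *outbuf;
+unsigned char *inbuf, *outbuf;
 int len, ilen, olen;
 
 olen = BN_num_bytes(key->n);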
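Review bot: Both functions keep `int len, ilen, olen;` beside the now-`unsigned char` buffers, which is correct for OpenSSL's `BN_num_bytes`/`RSA_*` signatures, but the bodies continue outside the hunks and that is where the `RSA_public_encrypt`/`RSA_private_decrypt` result is presumably stored in `len`; those calls return -1 on failure (including a PKCS#1 padding mismatch on decrypt), so a negative `len` must be rejected — e.g. `if (len <= 0) fatal("rsa_private_decrypt: RSA_private_decrypt failed");` — before it is passed to `BN_bin2bn` or used as a `memset` length. Since `rsa_public_encrypt` already fatals on a malformed `key->e` (line 151), a matching comment noting that `key->n` may also come from the peer and that `olen` therefore bounds the buffers would make the trust assumptions explicit.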
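--- a/scp.c
+++ b/scp.c
@@ -45,7 +45,7 @@
 */
 
 #include "includes.h"
-RCSID("$Id: scp.c,v 1.17 2000/03/09 10:27:51 damien Exp $");
+RCSID("$Id: scp.c,v 1.18 2000/03/17 12:40:16 damien Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -1008,7 +1008,7 @@ run_err(const char *fmt,...)
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
-* $Id: scp.c,v 1.17 2000/03/09 10:27:51 damien Exp $
+* $Id: scp.c,v 1.18 2000/03/17 12:40:16 damien Exp $
 */
 
 char *
@@ -1120,7 +1120,7 @@ alarmtimer(int wait)
 }
 
 void
-updateprogressmeter(int sig)
+updateprogressmeter(int ignore)
 {
 int save_errno = errno;
 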
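Review bot: Renaming the parameter to `ignore` only silences an unused-parameter warning; the contract that actually matters for `updateprogressmeter` — it runs as a signal handler (it sits directly under `alarmtimer`), so everything it calls must be async-signal-safe — is written nowhere in the hunk, even though `int save_errno = errno;` shows the author is working under that constraint. A comment above the definition such as `/* SIGALRM handler: must remain async-signal-safe; errno is saved and restored. */` makes the rule visible to whoever next adds a stdio call here. The body continues outside the hunk.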
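--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.25 2000/01/02 21:51:03 markus Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.26 2000/03/16 20:56:14 markus Exp $ */
 
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -9,7 +9,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.25 2000/01/02 21:51:03 markus Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.26 2000/03/16 20:56:14 markus Exp $");
 
 #include "ssh.h"
 #include "rsa.h"
@@ -417,6 +417,7 @@ after_select(fd_set *readset, fd_set *writeset)
 {
 unsigned int i;
 int len, sock;
+socklen_t slen;
 char buf[1024];
 struct sockaddr_un sunaddr;
 
@@ -426,8 +427,8 @@ after_select(fd_set *readset, fd_set *writeset)
 break;
 case AUTH_SOCKET:
 if (FD_ISSET(sockets[i].fd, readset)) {
-len = sizeof(sunaddr);
-sock = accept(sockets[i].fd, (struct sockaddr *) & sunaddr, &len);
+slen = sizeof(sunaddr);
+sock = accept(sockets[i].fd, (struct sockaddr *) & sunaddr, &slen);
 if (sock < 0) {
 perror("accept from AUTH_SOCKET");
 break;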
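Review bot: `sunaddr` is filled by `accept()` on the new line 431 but, at least within the hunk, never read afterwards; for an AF_UNIX listening socket the peer address carries nothing the agent can act on, so `sock = accept(sockets[i].fd, NULL, NULL);` would remove both `sunaddr` and the newly added `slen`. If the address is used further down (the `case` body continues outside the hunk), then the returned `slen` should be compared with `sizeof(sunaddr)` before the struct is trusted, as with any `accept`. Keeping `int len` for the read path while introducing `socklen_t slen` for accept is the right split.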
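--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -7,7 +7,7 @@
 */
 
 #include "includes.h"
-RCSID("$Id: ssh-keygen.c,v 1.11 2000/03/09 10:27:51 damien Exp $");
+RCSID("$Id: ssh-keygen.c,v 1.12 2000/03/17 12:40:17 damien Exp $");
 
 #include "rsa.h"
 #include "ssh.h"
@@ -85,6 +85,7 @@ do_fingerprint(struct passwd *pw)
 RSA *public_key;
 char *comment = NULL, *cp, *ep, line[16*1024];
 int i, skip = 0, num = 1, invalid = 1;
+unsigned int ignore;
 struct stat st;
 
 if (!have_identity)
@@ -142,7 +143,7 @@ do_fingerprint(struct passwd *pw)
 *cp++ = '\0';
 }
 ep = cp;
-if (auth_rsa_read_key(&cp, &i, e, n)) {
+if (auth_rsa_read_key(&cp, &ignore, e, n)) {
 invalid = 0;
 comment = *cp ? cp : comment;
 printf("%d %s %s\n", BN_num_bits(n),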
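Review bot: The bit count parsed by `auth_rsa_read_key` is now discarded into a variable named `ignore`, and the `printf` that follows reports `BN_num_bits(n)` instead; nothing in the hunk says whether that substitution is deliberate. A short comment on the declaration — `/* declared bit count from the key line is not trusted; the modulus size is printed */` — makes the choice explicit, and a cheap consistency check such as `if (ignore != BN_num_bits(n)) fprintf(stderr, "%s: declared key size does not match modulus\n", ...)` would surface malformed key lines to the user instead of quietly fixing them up. do_fingerprint continues outside the hunk.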
@@ -9,7 +9,7 @@ | |||
9 | .\" | 9 | .\" |
10 | .\" Created: Sat Apr 22 21:55:14 1995 ylo | 10 | .\" Created: Sat Apr 22 21:55:14 1995 ylo |
11 | .\" | 11 | .\" |
12 | .\" $Id: ssh.1,v 1.18 2000/03/09 10:27:52 damien Exp $ | 12 | .\" $Id: ssh.1,v 1.19 2000/03/17 12:40:17 damien Exp $ |
13 | .\" | 13 | .\" |
14 | .Dd September 25, 1999 | 14 | .Dd September 25, 1999 |
15 | .Dt SSH 1 | 15 | .Dt SSH 1 |
@@ -52,9 +52,11 @@ | |||
52 | .Sh DESCRIPTION | 52 | .Sh DESCRIPTION |
53 | .Nm | 53 | .Nm |
54 | (Secure Shell) is a program for logging into a remote machine and for | 54 | (Secure Shell) is a program for logging into a remote machine and for |
55 | executing commands on a remote machine. It is intended to replace | 55 | executing commands on a remote machine. |
56 | It is intended to replace | ||
56 | rlogin and rsh, and provide secure encrypted communications between | 57 | rlogin and rsh, and provide secure encrypted communications between |
57 | two untrusted hosts over an insecure network. X11 connections and | 58 | two untrusted hosts over an insecure network. |
59 | X11 connections and | ||
58 | arbitrary TCP/IP ports can also be forwarded over the secure channel. | 60 | arbitrary TCP/IP ports can also be forwarded over the secure channel. |
59 | .Pp | 61 | .Pp |
60 | .Nm | 62 | .Nm |
@@ -76,15 +78,16 @@ or | |||
76 | exists in the user's home directory on the | 78 | exists in the user's home directory on the |
77 | remote machine and contains a line containing the name of the client | 79 | remote machine and contains a line containing the name of the client |
78 | machine and the name of the user on that machine, the user is | 80 | machine and the name of the user on that machine, the user is |
79 | permitted to log in. This form of authentication alone is normally not | 81 | permitted to log in. |
82 | This form of authentication alone is normally not | ||
80 | allowed by the server because it is not secure. | 83 | allowed by the server because it is not secure. |
81 | .Pp | 84 | .Pp |
82 | The second (and primary) authentication method is the | 85 | The second (and primary) authentication method is the |
83 | .Pa rhosts | 86 | .Pa rhosts |
84 | or | 87 | or |
85 | .Pa hosts.equiv | 88 | .Pa hosts.equiv |
86 | method combined with RSA-based host authentication. It | 89 | method combined with RSA-based host authentication. |
87 | means that if the login would be permitted by | 90 | It means that if the login would be permitted by |
88 | .Pa \&.rhosts , | 91 | .Pa \&.rhosts , |
89 | .Pa \&.shosts , | 92 | .Pa \&.shosts , |
90 | .Pa /etc/hosts.equiv , | 93 | .Pa /etc/hosts.equiv , |
@@ -97,10 +100,10 @@ and | |||
97 | .Pa $HOME/.ssh/known_hosts | 100 | .Pa $HOME/.ssh/known_hosts |
98 | in the | 101 | in the |
99 | .Sx FILES | 102 | .Sx FILES |
100 | section), only then login is | 103 | section), only then login is permitted. |
101 | permitted. This authentication method closes security holes due to IP | 104 | This authentication method closes security holes due to IP |
102 | spoofing, DNS spoofing and routing spoofing. [Note to the | 105 | spoofing, DNS spoofing and routing spoofing. |
103 | administrator: | 106 | [Note to the administrator: |
104 | .Pa /etc/hosts.equiv , | 107 | .Pa /etc/hosts.equiv , |
105 | .Pa \&.rhosts , | 108 | .Pa \&.rhosts , |
106 | and the rlogin/rsh protocol in general, are inherently insecure and should be | 109 | and the rlogin/rsh protocol in general, are inherently insecure and should be |
@@ -112,34 +115,39 @@ supports RSA based authentication. | |||
112 | The scheme is based on public-key cryptography: there are cryptosystems | 115 | The scheme is based on public-key cryptography: there are cryptosystems |
113 | where encryption and decryption are done using separate keys, and it | 116 | where encryption and decryption are done using separate keys, and it |
114 | is not possible to derive the decryption key from the encryption key. | 117 | is not possible to derive the decryption key from the encryption key. |
115 | RSA is one such system. The idea is that each user creates a public/private | 118 | RSA is one such system. |
116 | key pair for authentication purposes. The | 119 | The idea is that each user creates a public/private |
117 | server knows the public key, and only the user knows the private key. | 120 | key pair for authentication purposes. |
121 | The server knows the public key, and only the user knows the private key. | ||
118 | The file | 122 | The file |
119 | .Pa $HOME/.ssh/authorized_keys | 123 | .Pa $HOME/.ssh/authorized_keys |
120 | lists the public keys that are permitted for logging | 124 | lists the public keys that are permitted for logging |
121 | in. When the user logs in, the | 125 | in. |
126 | When the user logs in, the | ||
122 | .Nm | 127 | .Nm |
123 | program tells the server which key pair it would like to use for | 128 | program tells the server which key pair it would like to use for |
124 | authentication. The server checks if this key is permitted, and if | 129 | authentication. |
130 | The server checks if this key is permitted, and if | ||
125 | so, sends the user (actually the | 131 | so, sends the user (actually the |
126 | .Nm | 132 | .Nm |
127 | program running on behalf of the user) a challenge, a random number, | 133 | program running on behalf of the user) a challenge, a random number, |
128 | encrypted by the user's public key. The challenge can only be | 134 | encrypted by the user's public key. |
129 | decrypted using the proper private key. The user's client then decrypts the | 135 | The challenge can only be |
136 | decrypted using the proper private key. | ||
137 | The user's client then decrypts the | ||
130 | challenge using the private key, proving that he/she knows the private | 138 | challenge using the private key, proving that he/she knows the private |
131 | key but without disclosing it to the server. | 139 | key but without disclosing it to the server. |
132 | .Pp | 140 | .Pp |
133 | .Nm | 141 | .Nm |
134 | implements the RSA authentication protocol automatically. The user | 142 | implements the RSA authentication protocol automatically. |
135 | creates his/her RSA key pair by running | 143 | The user creates his/her RSA key pair by running |
136 | .Xr ssh-keygen 1 . | 144 | .Xr ssh-keygen 1 . |
137 | This stores the private key in | 145 | This stores the private key in |
138 | .Pa \&.ssh/identity | 146 | .Pa \&.ssh/identity |
139 | and the public key in | 147 | and the public key in |
140 | .Pa \&.ssh/identity.pub | 148 | .Pa \&.ssh/identity.pub |
141 | in the user's home directory. The user should then | 149 | in the user's home directory. |
142 | copy the | 150 | The user should then copy the |
143 | .Pa identity.pub | 151 | .Pa identity.pub |
144 | to | 152 | to |
145 | .Pa \&.ssh/authorized_keys | 153 | .Pa \&.ssh/authorized_keys |
@@ -148,24 +156,28 @@ in his/her home directory on the remote machine (the | |||
148 | file corresponds to the conventional | 156 | file corresponds to the conventional |
149 | .Pa \&.rhosts | 157 | .Pa \&.rhosts |
150 | file, and has one key | 158 | file, and has one key |
151 | per line, though the lines can be very long). After this, the user | 159 | per line, though the lines can be very long). |
152 | can log in without giving the password. RSA authentication is much | 160 | After this, the user can log in without giving the password. |
161 | RSA authentication is much | ||
153 | more secure than rhosts authentication. | 162 | more secure than rhosts authentication. |
154 | .Pp | 163 | .Pp |
155 | The most convenient way to use RSA authentication may be with an | 164 | The most convenient way to use RSA authentication may be with an |
156 | authentication agent. See | 165 | authentication agent. |
166 | See | ||
157 | .Xr ssh-agent 1 | 167 | .Xr ssh-agent 1 |
158 | for more information. | 168 | for more information. |
159 | .Pp | 169 | .Pp |
160 | If other authentication methods fail, | 170 | If other authentication methods fail, |
161 | .Nm | 171 | .Nm |
162 | prompts the user for a password. The password is sent to the remote | 172 | prompts the user for a password. |
173 | The password is sent to the remote | ||
163 | host for checking; however, since all communications are encrypted, | 174 | host for checking; however, since all communications are encrypted, |
164 | the password cannot be seen by someone listening on the network. | 175 | the password cannot be seen by someone listening on the network. |
165 | .Pp | 176 | .Pp |
166 | When the user's identity has been accepted by the server, the server | 177 | When the user's identity has been accepted by the server, the server |
167 | either executes the given command, or logs into the machine and gives | 178 | either executes the given command, or logs into the machine and gives |
168 | the user a normal shell on the remote machine. All communication with | 179 | the user a normal shell on the remote machine. |
180 | All communication with | ||
169 | the remote command or shell will be automatically encrypted. | 181 | the remote command or shell will be automatically encrypted. |
170 | .Pp | 182 | .Pp |
171 | If a pseudo-terminal has been allocated (normal login session), the | 183 | If a pseudo-terminal has been allocated (normal login session), the |
@@ -182,19 +194,22 @@ the session blocks waiting for forwarded X11 or TCP/IP | |||
182 | connections to terminate, it can be backgrounded with | 194 | connections to terminate, it can be backgrounded with |
183 | .Ic ~& | 195 | .Ic ~& |
184 | (this should not be used while the user shell is active, as it can cause the | 196 | (this should not be used while the user shell is active, as it can cause the |
185 | shell to hang). All available escapes can be listed with | 197 | shell to hang). |
198 | All available escapes can be listed with | ||
186 | .Ic ~? . | 199 | .Ic ~? . |
187 | .Pp | 200 | .Pp |
188 | A single tilde character can be sent as | 201 | A single tilde character can be sent as |
189 | .Ic ~~ | 202 | .Ic ~~ |
190 | (or by following the tilde by a character other than those described above). | 203 | (or by following the tilde by a character other than those described above). |
191 | The escape character must always follow a newline to be interpreted as | 204 | The escape character must always follow a newline to be interpreted as |
192 | special. The escape character can be changed in configuration files | 205 | special. |
193 | or on the command line. | 206 | The escape character can be changed in configuration files |
207 | or on the command line. | ||
194 | .Pp | 208 | .Pp |
195 | If no pseudo tty has been allocated, the | 209 | If no pseudo tty has been allocated, the |
196 | session is transparent and can be used to reliably transfer binary | 210 | session is transparent and can be used to reliably transfer binary |
197 | data. On most systems, setting the escape character to | 211 | data. |
212 | On most systems, setting the escape character to | ||
198 | .Dq none | 213 | .Dq none |
199 | will also make the session transparent even if a tty is used. | 214 | will also make the session transparent even if a tty is used. |
200 | .Pp | 215 | .Pp |
@@ -210,7 +225,8 @@ environment variable is set), the connection to the X11 display is | |||
210 | automatically forwarded to the remote side in such a way that any X11 | 225 | automatically forwarded to the remote side in such a way that any X11 |
211 | programs started from the shell (or command) will go through the | 226 | programs started from the shell (or command) will go through the |
212 | encrypted channel, and the connection to the real X server will be made | 227 | encrypted channel, and the connection to the real X server will be made |
213 | from the local machine. The user should not manually set | 228 | from the local machine. |
229 | The user should not manually set | ||
214 | .Ev DISPLAY . | 230 | .Ev DISPLAY . |
215 | Forwarding of X11 connections can be | 231 | Forwarding of X11 connections can be |
216 | configured on the command line or in configuration files. | 232 | configured on the command line or in configuration files. |
@@ -220,7 +236,8 @@ The | |||
220 | value set by | 236 | value set by |
221 | .Nm | 237 | .Nm |
222 | will point to the server machine, but with a display number greater | 238 | will point to the server machine, but with a display number greater |
223 | than zero. This is normal, and happens because | 239 | than zero. |
240 | This is normal, and happens because | ||
224 | .Nm | 241 | .Nm |
225 | creates a | 242 | creates a |
226 | .Dq proxy | 243 | .Dq proxy |
@@ -232,7 +249,8 @@ will also automatically set up Xauthority data on the server machine. | |||
232 | For this purpose, it will generate a random authorization cookie, | 249 | For this purpose, it will generate a random authorization cookie, |
233 | store it in Xauthority on the server, and verify that any forwarded | 250 | store it in Xauthority on the server, and verify that any forwarded |
234 | connections carry this cookie and replace it by the real cookie when | 251 | connections carry this cookie and replace it by the real cookie when |
235 | the connection is opened. The real authentication cookie is never | 252 | the connection is opened. |
253 | The real authentication cookie is never | ||
236 | sent to the server machine (and no cookies are sent in the plain). | 254 | sent to the server machine (and no cookies are sent in the plain). |
237 | .Pp | 255 | .Pp |
238 | If the user is using an authentication agent, the connection to the agent | 256 | If the user is using an authentication agent, the connection to the agent |
@@ -240,25 +258,29 @@ is automatically forwarded to the remote side unless disabled on | |||
240 | command line or in a configuration file. | 258 | command line or in a configuration file. |
241 | .Pp | 259 | .Pp |
242 | Forwarding of arbitrary TCP/IP connections over the secure channel can | 260 | Forwarding of arbitrary TCP/IP connections over the secure channel can |
243 | be specified either on command line or in a configuration file. One | 261 | be specified either on command line or in a configuration file. |
244 | possible application of TCP/IP forwarding is a secure connection to an | 262 | One possible application of TCP/IP forwarding is a secure connection to an |
245 | electronic purse; another is going trough firewalls. | 263 | electronic purse; another is going trough firewalls. |
246 | .Pp | 264 | .Pp |
247 | .Nm | 265 | .Nm |
248 | automatically maintains and checks a database containing RSA-based | 266 | automatically maintains and checks a database containing RSA-based |
249 | identifications for all hosts it has ever been used with. The | 267 | identifications for all hosts it has ever been used with. |
250 | database is stored in | 268 | The database is stored in |
251 | .Pa \&.ssh/known_hosts | 269 | .Pa \&.ssh/known_hosts |
252 | in the user's home directory. Additionally, the file | 270 | in the user's home directory. |
271 | Additionally, the file | ||
253 | .Pa /etc/ssh_known_hosts | 272 | .Pa /etc/ssh_known_hosts |
254 | is automatically checked for known hosts. Any new hosts are | 273 | is automatically checked for known hosts. |
255 | automatically added to the user's file. If a host's identification | 274 | Any new hosts are automatically added to the user's file. |
275 | If a host's identification | ||
256 | ever changes, | 276 | ever changes, |
257 | .Nm | 277 | .Nm |
258 | warns about this and disables password authentication to prevent a | 278 | warns about this and disables password authentication to prevent a |
259 | trojan horse from getting the user's password. Another purpose of | 279 | trojan horse from getting the user's password. |
280 | Another purpose of | ||
260 | this mechanism is to prevent man-in-the-middle attacks which could | 281 | this mechanism is to prevent man-in-the-middle attacks which could |
261 | otherwise be used to circumvent the encryption. The | 282 | otherwise be used to circumvent the encryption. |
283 | The | ||
262 | .Cm StrictHostKeyChecking | 284 | .Cm StrictHostKeyChecking |
263 | option (see below) can be used to prevent logins to machines whose | 285 | option (see below) can be used to prevent logins to machines whose |
264 | host key is not known or has changed. | 286 | host key is not known or has changed. |
@@ -270,7 +292,8 @@ also be specified on a per-host basis in the configuration file. | |||
270 | .It Fl c Ar blowfish|3des | 292 | .It Fl c Ar blowfish|3des |
271 | Selects the cipher to use for encrypting the session. | 293 | Selects the cipher to use for encrypting the session. |
272 | .Ar 3des | 294 | .Ar 3des |
273 | is used by default. It is believed to be secure. | 295 | is used by default. |
296 | It is believed to be secure. | ||
274 | .Ar 3des | 297 | .Ar 3des |
275 | (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. | 298 | (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
276 | It is presumably more secure than the | 299 | It is presumably more secure than the |
@@ -278,26 +301,28 @@ It is presumably more secure than the | |||
278 | cipher which is no longer supported in ssh. | 301 | cipher which is no longer supported in ssh. |
279 | .Ar blowfish | 302 | .Ar blowfish |
280 | is a fast block cipher, it appears very secure and is much faster than | 303 | is a fast block cipher, it appears very secure and is much faster than |
281 | .Ar 3des . | 304 | .Ar 3des . |
282 | .It Fl e Ar ch|^ch|none | 305 | .It Fl e Ar ch|^ch|none |
283 | Sets the escape character for sessions with a pty (default: | 306 | Sets the escape character for sessions with a pty (default: |
284 | .Ql ~ ) . | 307 | .Ql ~ ) . |
285 | The escape character is only recognized at the beginning of a line. The | 308 | The escape character is only recognized at the beginning of a line. |
286 | escape character followed by a dot | 309 | The escape character followed by a dot |
287 | .Pq Ql \&. | 310 | .Pq Ql \&. |
288 | closes the connection, followed | 311 | closes the connection, followed |
289 | by control-Z suspends the connection, and followed by itself sends the | 312 | by control-Z suspends the connection, and followed by itself sends the |
290 | escape character once. Setting the character to | 313 | escape character once. |
314 | Setting the character to | ||
291 | .Dq none | 315 | .Dq none |
292 | disables any escapes and makes the session fully transparent. | 316 | disables any escapes and makes the session fully transparent. |
293 | .It Fl f | 317 | .It Fl f |
294 | Requests | 318 | Requests |
295 | .Nm | 319 | .Nm |
296 | to go to background just before command execution. This is useful | 320 | to go to background just before command execution. |
297 | if | 321 | This is useful if |
298 | .Nm | 322 | .Nm |
299 | is going to ask for passwords or passphrases, but the user | 323 | is going to ask for passwords or passphrases, but the user |
300 | wants it in the background. This implies | 324 | wants it in the background. |
325 | This implies | ||
301 | .Fl n . | 326 | .Fl n . |
302 | The recommended way to start X11 programs at a remote site is with | 327 | The recommended way to start X11 programs at a remote site is with |
303 | something like | 328 | something like |
@@ -306,11 +331,13 @@ something like | |||
306 | Allows remote hosts to connect to local forwarded ports. | 331 | Allows remote hosts to connect to local forwarded ports. |
307 | .It Fl i Ar identity_file | 332 | .It Fl i Ar identity_file |
308 | Selects the file from which the identity (private key) for | 333 | Selects the file from which the identity (private key) for |
309 | RSA authentication is read. Default is | 334 | RSA authentication is read. |
335 | Default is | ||
310 | .Pa \&.ssh/identity | 336 | .Pa \&.ssh/identity |
311 | in the user's home directory. Identity files may also be specified on | 337 | in the user's home directory. |
312 | a per-host basis in the configuration file. It is possible to have | 338 | Identity files may also be specified on |
313 | multiple | 339 | a per-host basis in the configuration file. |
340 | It is possible to have multiple | ||
314 | .Fl i | 341 | .Fl i |
315 | options (and multiple identities specified in | 342 | options (and multiple identities specified in |
316 | configuration files). | 343 | configuration files). |
@@ -318,16 +345,17 @@ configuration files). | |||
318 | Disables forwarding of Kerberos tickets and AFS tokens. This may | 345 | Disables forwarding of Kerberos tickets and AFS tokens. This may |
319 | also be specified on a per-host basis in the configuration file. | 346 | also be specified on a per-host basis in the configuration file. |
320 | .It Fl l Ar login_name | 347 | .It Fl l Ar login_name |
321 | Specifies the user to log in as on the remote machine. This may also | 348 | Specifies the user to log in as on the remote machine. |
322 | be specified on a per-host basis in the configuration file. | 349 | This also may be specified on a per-host basis in the configuration file. |
323 | .It Fl n | 350 | .It Fl n |
324 | Redirects stdin from | 351 | Redirects stdin from |
325 | .Pa /dev/null | 352 | .Pa /dev/null |
326 | (actually, prevents reading from stdin). | 353 | (actually, prevents reading from stdin). |
327 | This must be used when | 354 | This must be used when |
328 | .Nm | 355 | .Nm |
329 | is run in the background. A common trick is to use this to run X11 | 356 | is run in the background. |
330 | programs in a remote machine. For example, | 357 | A common trick is to use this to run X11 programs on a remote machine. |
358 | For example, | ||
331 | .Ic ssh -n shadows.cs.hut.fi emacs & | 359 | .Ic ssh -n shadows.cs.hut.fi emacs & |
332 | will start an emacs on shadows.cs.hut.fi, and the X11 | 360 | will start an emacs on shadows.cs.hut.fi, and the X11 |
333 | connection will be automatically forwarded over an encrypted channel. | 361 | connection will be automatically forwarded over an encrypted channel. |
@@ -342,10 +370,11 @@ option.) | |||
342 | .It Fl o Ar option | 370 | .It Fl o Ar option |
343 | Can be used to give options in the format used in the config file. | 371 | Can be used to give options in the format used in the config file. |
344 | This is useful for specifying options for which there is no separate | 372 | This is useful for specifying options for which there is no separate |
345 | command-line flag. The option has the same format as a line in the | 373 | command-line flag. |
346 | configuration file. | 374 | The option has the same format as a line in the configuration file. |
347 | .It Fl p Ar port | 375 | .It Fl p Ar port |
348 | Port to connect to on the remote host. This can be specified on a | 376 | Port to connect to on the remote host. |
377 | This can be specified on a | ||
349 | per-host basis in the configuration file. | 378 | per-host basis in the configuration file. |
350 | .It Fl P | 379 | .It Fl P |
351 | Use a non-privileged port for outgoing connections. | 380 | Use a non-privileged port for outgoing connections. |
@@ -356,35 +385,40 @@ Note that this option turns off | |||
356 | and | 385 | and |
357 | .Cm RhostsRSAAuthentication . | 386 | .Cm RhostsRSAAuthentication . |
358 | .It Fl q | 387 | .It Fl q |
359 | Quiet mode. Causes all warning and diagnostic messages to be | 388 | Quiet mode. |
360 | suppressed. Only fatal errors are displayed. | 389 | Causes all warning and diagnostic messages to be suppressed. |
390 | Only fatal errors are displayed. | ||
361 | .It Fl t | 391 | .It Fl t |
362 | Force pseudo-tty allocation. This can be used to execute arbitary | 392 | Force pseudo-tty allocation. |
363 | screen-based programs on a remote machine, which can be very useful | 393 | This can be used to execute arbitary |
364 | e.g. when implementing menu services. | 394 | screen-based programs on a remote machine, which can be very useful, |
395 | e.g., when implementing menu services. | ||
365 | .It Fl v | 396 | .It Fl v |
366 | Verbose mode. Causes | 397 | Verbose mode. |
398 | Causes | ||
367 | .Nm | 399 | .Nm |
368 | to print debugging messages about its progress. This is helpful in | 400 | to print debugging messages about its progress. |
401 | This is helpful in | ||
369 | debugging connection, authentication, and configuration problems. | 402 | debugging connection, authentication, and configuration problems. |
370 | The verbose mode is also used to display | 403 | The verbose mode is also used to display |
371 | .Xr skey 1 | 404 | .Xr skey 1 |
372 | challenges, if the user entered "s/key" as password. | 405 | challenges, if the user entered "s/key" as password. |
373 | .It Fl x | 406 | .It Fl x |
374 | Disables X11 forwarding. This can also be specified on a per-host | 407 | Disables X11 forwarding. |
375 | basis in a configuration file. | 408 | This can also be specified on a per-host basis in a configuration file. |
376 | .It Fl X | 409 | .It Fl X |
377 | Enables X11 forwarding. | 410 | Enables X11 forwarding. |
378 | .It Fl C | 411 | .It Fl C |
379 | Requests compression of all data (including stdin, stdout, stderr, and | 412 | Requests compression of all data (including stdin, stdout, stderr, and |
380 | data for forwarded X11 and TCP/IP connections). The compression | 413 | data for forwarded X11 and TCP/IP connections). |
381 | algorithm is the same used by | 414 | The compression algorithm is the same used by |
382 | .Xr gzip 1 , | 415 | .Xr gzip 1 , |
383 | and the | 416 | and the |
384 | .Dq level | 417 | .Dq level |
385 | can be controlled by the | 418 | can be controlled by the |
386 | .Cm CompressionLevel | 419 | .Cm CompressionLevel |
387 | option (see below). Compression is desirable on modem lines and other | 420 | option (see below). |
421 | Compression is desirable on modem lines and other | ||
388 | slow connections, but will only slow down things on fast networks. | 422 | slow connections, but will only slow down things on fast networks. |
389 | The default value can be set on a host-by-host basis in the | 423 | The default value can be set on a host-by-host basis in the |
390 | configuration files; see the | 424 | configuration files; see the |
@@ -392,8 +426,8 @@ configuration files; see the | |||
392 | option below. | 426 | option below. |
393 | .It Fl L Ar port:host:hostport | 427 | .It Fl L Ar port:host:hostport |
394 | Specifies that the given port on the local (client) host is to be | 428 | Specifies that the given port on the local (client) host is to be |
395 | forwarded to the given host and port on the remote side. This works | 429 | forwarded to the given host and port on the remote side. |
396 | by allocating a socket to listen to | 430 | This works by allocating a socket to listen to |
397 | .Ar port | 431 | .Ar port |
398 | on the local side, and whenever a connection is made to this port, the | 432 | on the local side, and whenever a connection is made to this port, the |
399 | connection is forwarded over the secure channel, and a connection is | 433 | connection is forwarded over the secure channel, and a connection is |
@@ -401,14 +435,15 @@ made to | |||
401 | .Ar host | 435 | .Ar host |
402 | port | 436 | port |
403 | .Ar hostport | 437 | .Ar hostport |
404 | from the remote machine. Port forwardings can also be specified in the | 438 | from the remote machine. |
405 | configuration file. Only root can forward privileged ports. | 439 | Port forwardings can also be specified in the configuration file. |
440 | Only root can forward privileged ports. | ||
406 | IPv6 addresses can be specified with an alternative syntax: | 441 | IPv6 addresses can be specified with an alternative syntax: |
407 | .Ar port/host/hostport | 442 | .Ar port/host/hostport |
408 | .It Fl R Ar port:host:hostport | 443 | .It Fl R Ar port:host:hostport |
409 | Specifies that the given port on the remote (server) host is to be | 444 | Specifies that the given port on the remote (server) host is to be |
410 | forwarded to the given host and port on the local side. This works | 445 | forwarded to the given host and port on the local side. |
411 | by allocating a socket to listen to | 446 | This works by allocating a socket to listen to |
412 | .Ar port | 447 | .Ar port |
413 | on the remote side, and whenever a connection is made to this port, the | 448 | on the remote side, and whenever a connection is made to this port, the |
414 | connection is forwarded over the secure channel, and a connection is | 449 | connection is forwarded over the secure channel, and a connection is |
@@ -416,8 +451,9 @@ made to | |||
416 | .Ar host | 451 | .Ar host |
417 | port | 452 | port |
418 | .Ar hostport | 453 | .Ar hostport |
419 | from the local machine. Port forwardings can also be specified in the | 454 | from the local machine. |
420 | configuration file. Privileged ports can be forwarded only when | 455 | Port forwardings can also be specified in the configuration file. |
456 | Privileged ports can be forwarded only when | ||
421 | logging in as root on the remote machine. | 457 | logging in as root on the remote machine. |
422 | .It Fl 4 | 458 | .It Fl 4 |
423 | Forces | 459 | Forces |
@@ -436,10 +472,12 @@ command line options, user's configuration file | |||
436 | and system-wide configuration file | 472 | and system-wide configuration file |
437 | .Pq Pa /etc/ssh_config . | 473 | .Pq Pa /etc/ssh_config . |
438 | For each parameter, the first obtained value | 474 | For each parameter, the first obtained value |
439 | will be used. The configuration files contain sections bracketed by | 475 | will be used. |
440 | "Host" specifications, and that section is only applied for hosts that | 476 | The configuration files contain sections bracketed by |
441 | match one of the patterns given in the specification. The matched | 477 | .Dq Host |
442 | host name is the one given on the command line. | 478 | specifications, and that section is only applied for hosts that |
479 | match one of the patterns given in the specification. | ||
480 | The matched host name is the one given on the command line. | ||
443 | .Pp | 481 | .Pp |
444 | Since the first obtained value for each parameter is used, more | 482 | Since the first obtained value for each parameter is used, more |
445 | host-specific declarations should be given near the beginning of the | 483 | host-specific declarations should be given near the beginning of the |
@@ -466,10 +504,12 @@ given after the keyword. | |||
466 | and | 504 | and |
467 | .Ql ? | 505 | .Ql ? |
468 | can be used as wildcards in the | 506 | can be used as wildcards in the |
469 | patterns. A single | 507 | patterns. |
508 | A single | ||
470 | .Ql \&* | 509 | .Ql \&* |
471 | as a pattern can be used to provide global | 510 | as a pattern can be used to provide global |
472 | defaults for all hosts. The host is the | 511 | defaults for all hosts. |
512 | The host is the | ||
473 | .Ar hostname | 513 | .Ar hostname |
474 | argument given on the command line (i.e., the name is not converted to | 514 | argument given on the command line (i.e., the name is not converted to |
475 | a canonicalized host name before matching). | 515 | a canonicalized host name before matching). |
@@ -482,9 +522,10 @@ or | |||
482 | .It Cm BatchMode | 522 | .It Cm BatchMode |
483 | If set to | 523 | If set to |
484 | .Dq yes , | 524 | .Dq yes , |
485 | passphrase/password querying will be disabled. This | 525 | passphrase/password querying will be disabled. |
486 | option is useful in scripts and other batch jobs where you have no | 526 | This option is useful in scripts and other batch jobs where you have no |
487 | user to supply the password. The argument must be | 527 | user to supply the password. |
528 | The argument must be | ||
488 | .Dq yes | 529 | .Dq yes |
489 | or | 530 | or |
490 | .Dq no . | 531 | .Dq no . |
@@ -498,33 +539,37 @@ If the option is set to | |||
498 | .Dq no , | 539 | .Dq no , |
499 | the check will not be executed. | 540 | the check will not be executed. |
500 | .It Cm Cipher | 541 | .It Cm Cipher |
501 | Specifies the cipher to use for encrypting the session. Currently, | 542 | Specifies the cipher to use for encrypting the session. |
543 | Currently, | ||
502 | .Dq blowfish , | 544 | .Dq blowfish , |
503 | and | 545 | and |
504 | .Dq 3des | 546 | .Dq 3des |
505 | are supported. The default is | 547 | are supported. |
548 | The default is | ||
506 | .Dq 3des . | 549 | .Dq 3des . |
507 | .It Cm Compression | 550 | .It Cm Compression |
508 | Specifies whether to use compression. The argument must be | 551 | Specifies whether to use compression. |
552 | The argument must be | ||
509 | .Dq yes | 553 | .Dq yes |
510 | or | 554 | or |
511 | .Dq no . | 555 | .Dq no . |
512 | .It Cm CompressionLevel | 556 | .It Cm CompressionLevel |
513 | Specifies the compression level to use if compression is enable. The | 557 | Specifies the compression level to use if compression is enable. |
514 | argument must be an integer from 1 (fast) to 9 (slow, best). The | 558 | The argument must be an integer from 1 (fast) to 9 (slow, best). |
515 | default level is 6, which is good for most applications. The meaning | 559 | The default level is 6, which is good for most applications. |
516 | of the values is the same as in | 560 | The meaning of the values is the same as in |
517 | .Xr gzip 1 . | 561 | .Xr gzip 1 . |
518 | .It Cm ConnectionAttempts | 562 | .It Cm ConnectionAttempts |
519 | Specifies the number of tries (one per second) to make before falling | 563 | Specifies the number of tries (one per second) to make before falling |
520 | back to rsh or exiting. The argument must be an integer. This may be | 564 | back to rsh or exiting. |
521 | useful in scripts if the connection sometimes fails. | 565 | The argument must be an integer. |
566 | This may be useful in scripts if the connection sometimes fails. | ||
522 | .It Cm EscapeChar | 567 | .It Cm EscapeChar |
523 | Sets the escape character (default: | 568 | Sets the escape character (default: |
524 | .Ql ~ ) . | 569 | .Ql ~ ) . |
525 | The escape character can also | 570 | The escape character can also |
526 | be set on the command line. The argument should be a single | 571 | be set on the command line. |
527 | character, | 572 | The argument should be a single character, |
528 | .Ql ^ | 573 | .Ql ^ |
529 | followed by a letter, or | 574 | followed by a letter, or |
530 | .Dq none | 575 | .Dq none |
@@ -539,13 +584,15 @@ fails due to a connection refused error (there is no | |||
539 | listening on the remote host), | 584 | listening on the remote host), |
540 | .Xr rsh 1 | 585 | .Xr rsh 1 |
541 | should automatically be used instead (after a suitable warning about | 586 | should automatically be used instead (after a suitable warning about |
542 | the session being unencrypted). The argument must be | 587 | the session being unencrypted). |
588 | The argument must be | ||
543 | .Dq yes | 589 | .Dq yes |
544 | or | 590 | or |
545 | .Dq no . | 591 | .Dq no . |
546 | .It Cm ForwardAgent | 592 | .It Cm ForwardAgent |
547 | Specifies whether the connection to the authentication agent (if any) | 593 | Specifies whether the connection to the authentication agent (if any) |
548 | will be forwarded to the remote machine. The argument must be | 594 | will be forwarded to the remote machine. |
595 | The argument must be | ||
549 | .Dq yes | 596 | .Dq yes |
550 | or | 597 | or |
551 | .Dq no . | 598 | .Dq no . |
@@ -553,7 +600,8 @@ or | |||
553 | Specifies whether X11 connections will be automatically redirected | 600 | Specifies whether X11 connections will be automatically redirected |
554 | over the secure channel and | 601 | over the secure channel and |
555 | .Ev DISPLAY | 602 | .Ev DISPLAY |
556 | set. The argument must be | 603 | set. |
604 | The argument must be | ||
557 | .Dq yes | 605 | .Dq yes |
558 | or | 606 | or |
559 | .Dq no . | 607 | .Dq no . |
@@ -572,10 +620,10 @@ The default is | |||
572 | Specifies a file to use instead of | 620 | Specifies a file to use instead of |
573 | .Pa /etc/ssh_known_hosts . | 621 | .Pa /etc/ssh_known_hosts . |
574 | .It Cm HostName | 622 | .It Cm HostName |
575 | Specifies the real host name to log into. This can be used to specify | 623 | Specifies the real host name to log into. |
576 | nicnames or abbreviations for hosts. Default is the name given on the | 624 | This can be used to specify nicknames or abbreviations for hosts. |
577 | command line. Numeric IP addresses are also permitted (both on the | 625 | Default is the name given on the command line. |
578 | command line and in | 626 | Numeric IP addresses are also permitted (both on the command line and in |
579 | .Cm HostName | 627 | .Cm HostName |
580 | specifications). | 628 | specifications). |
581 | .It Cm IdentityFile | 629 | .It Cm IdentityFile |
@@ -584,22 +632,26 @@ is read (default | |||
584 | .Pa .ssh/identity | 632 | .Pa .ssh/identity |
585 | in the user's home directory). | 633 | in the user's home directory). |
586 | Additionally, any identities represented by the authentication agent | 634 | Additionally, any identities represented by the authentication agent |
587 | will be used for authentication. The file name may use the tilde | 635 | will be used for authentication. |
588 | syntax to refer to a user's home directory. It is possible to have | 636 | The file name may use the tilde |
637 | syntax to refer to a user's home directory. | ||
638 | It is possible to have | ||
589 | multiple identity files specified in configuration files; all these | 639 | multiple identity files specified in configuration files; all these |
590 | identities will be tried in sequence. | 640 | identities will be tried in sequence. |
591 | .It Cm KeepAlive | 641 | .It Cm KeepAlive |
592 | Specifies whether the system should send keepalive messages to the | 642 | Specifies whether the system should send keepalive messages to the |
593 | other side. If they are sent, death of the connection or crash of one | 643 | other side. |
594 | of the machines will be properly noticed. However, this means that | 644 | If they are sent, death of the connection or crash of one |
645 | of the machines will be properly noticed. | ||
646 | However, this means that | ||
595 | connections will die if the route is down temporarily, and some people | 647 | connections will die if the route is down temporarily, and some people |
596 | find it annoying. | 648 | find it annoying. |
597 | .Pp | 649 | .Pp |
598 | The default is | 650 | The default is |
599 | .Dq yes | 651 | .Dq yes |
600 | (to send keepalives), and the client will notice | 652 | (to send keepalives), and the client will notice |
601 | if the network goes down or the remote host dies. This is important | 653 | if the network goes down or the remote host dies. |
602 | in scripts, and many users want it too. | 654 | This is important in scripts, and many users want it too. |
603 | .Pp | 655 | .Pp |
604 | To disable keepalives, the value should be set to | 656 | To disable keepalives, the value should be set to |
605 | .Dq no | 657 | .Dq no |
@@ -619,11 +671,12 @@ or | |||
619 | .Dq no . | 671 | .Dq no . |
620 | .It Cm LocalForward | 672 | .It Cm LocalForward |
621 | Specifies that a TCP/IP port on the local machine be forwarded over | 673 | Specifies that a TCP/IP port on the local machine be forwarded over |
622 | the secure channel to given host:port from the remote machine. The | 674 | the secure channel to given host:port from the remote machine. |
623 | first argument must be a port number, and the second must be | 675 | The first argument must be a port number, and the second must be |
624 | host:port. Multiple forwardings may be specified, and additional | 676 | host:port. |
625 | forwardings can be given on the command line. Only the root can | 677 | Multiple forwardings may be specified, and additional |
626 | forward privileged ports. | 678 | forwardings can be given on the command line. |
679 | Only the superuser can forward privileged ports. | ||
627 | .It Cm LogLevel | 680 | .It Cm LogLevel |
628 | Gives the verbosity level that is used when logging messages from | 681 | Gives the verbosity level that is used when logging messages from |
629 | .Nm ssh . | 682 | .Nm ssh . |
@@ -634,25 +687,33 @@ The default is INFO. | |||
634 | Specifies the number of password prompts before giving up. The | 687 | Specifies the number of password prompts before giving up. The |
635 | argument to this keyword must be an integer. Default is 3. | 688 | argument to this keyword must be an integer. Default is 3. |
636 | .It Cm PasswordAuthentication | 689 | .It Cm PasswordAuthentication |
637 | Specifies whether to use password authentication. The argument to | 690 | Specifies whether to use password authentication. |
638 | this keyword must be | 691 | The argument to this keyword must be |
639 | .Dq yes | 692 | .Dq yes |
640 | or | 693 | or |
641 | .Dq no . | 694 | .Dq no . |
642 | .It Cm Port | 695 | .It Cm Port |
643 | Specifies the port number to connect on the remote host. Default is | 696 | Specifies the port number to connect on the remote host. |
644 | 22. | 697 | Default is 22. |
645 | .It Cm ProxyCommand | 698 | .It Cm ProxyCommand |
646 | Specifies the command to use to connect to the server. The command | 699 | Specifies the command to use to connect to the server. |
647 | string extends to the end of the line, and is executed with /bin/sh. | 700 | The command |
648 | In the command string, %h will be substituted by the host name to | 701 | string extends to the end of the line, and is executed with |
649 | connect and %p by the port. The command can be basically anything, | 702 | .Pa /bin/sh . |
650 | and should read from its stdin and write to its stdout. It should | 703 | In the command string, |
651 | eventually connect an | 704 | .Ql %h |
705 | will be substituted by the host name to | ||
706 | connect and | ||
707 | .Ql %p | ||
708 | by the port. | ||
709 | The command can be basically anything, | ||
710 | and should read from its standard input and write to its standard output. | ||
711 | It should eventually connect an | ||
652 | .Xr sshd 8 | 712 | .Xr sshd 8 |
653 | server running on some machine, or execute | 713 | server running on some machine, or execute |
654 | .Ic sshd -i | 714 | .Ic sshd -i |
655 | somewhere. Host key management will be done using the | 715 | somewhere. |
716 | Host key management will be done using the | ||
656 | HostName of the host being connected (defaulting to the name typed by | 717 | HostName of the host being connected (defaulting to the name typed by |
657 | the user). | 718 | the user). |
658 | Note that | 719 | Note that |
@@ -661,32 +722,37 @@ is not available for connects with a proxy command. | |||
661 | .Pp | 722 | .Pp |
662 | .It Cm RemoteForward | 723 | .It Cm RemoteForward |
663 | Specifies that a TCP/IP port on the remote machine be forwarded over | 724 | Specifies that a TCP/IP port on the remote machine be forwarded over |
664 | the secure channel to given host:port from the local machine. The | 725 | the secure channel to given host:port from the local machine. |
665 | first argument must be a port number, and the second must be | 726 | The first argument must be a port number, and the second must be |
666 | host:port. Multiple forwardings may be specified, and additional | 727 | host:port. |
667 | forwardings can be given on the command line. Only the root can | 728 | Multiple forwardings may be specified, and additional |
668 | forward privileged ports. | 729 | forwardings can be given on the command line. |
730 | Only the superuser can forward privileged ports. | ||
669 | .It Cm RhostsAuthentication | 731 | .It Cm RhostsAuthentication |
670 | Specifies whether to try rhosts based authentication. Note that this | 732 | Specifies whether to try rhosts based authentication. |
733 | Note that this | ||
671 | declaration only affects the client side and has no effect whatsoever | 734 | declaration only affects the client side and has no effect whatsoever |
672 | on security. Disabling rhosts authentication may reduce | 735 | on security. |
736 | Disabling rhosts authentication may reduce | ||
673 | authentication time on slow connections when rhosts authentication is | 737 | authentication time on slow connections when rhosts authentication is |
674 | not used. Most servers do not permit RhostsAuthentication because it | 738 | not used. |
675 | is not secure (see RhostsRSAAuthentication). The argument to this | 739 | Most servers do not permit RhostsAuthentication because it |
676 | keyword must be | 740 | is not secure (see RhostsRSAAuthentication). |
741 | The argument to this keyword must be | ||
677 | .Dq yes | 742 | .Dq yes |
678 | or | 743 | or |
679 | .Dq no . | 744 | .Dq no . |
680 | .It Cm RhostsRSAAuthentication | 745 | .It Cm RhostsRSAAuthentication |
681 | Specifies whether to try rhosts based authentication with RSA host | 746 | Specifies whether to try rhosts based authentication with RSA host |
682 | authentication. This is the primary authentication method for most | 747 | authentication. |
683 | sites. The argument must be | 748 | This is the primary authentication method for most sites. |
749 | The argument must be | ||
684 | .Dq yes | 750 | .Dq yes |
685 | or | 751 | or |
686 | .Dq no . | 752 | .Dq no . |
687 | .It Cm RSAAuthentication | 753 | .It Cm RSAAuthentication |
688 | Specifies whether to try RSA authentication. The argument to this | 754 | Specifies whether to try RSA authentication. |
689 | keyword must be | 755 | The argument to this keyword must be |
690 | .Dq yes | 756 | .Dq yes |
691 | or | 757 | or |
692 | .Dq no . | 758 | .Dq no . |
@@ -696,8 +762,8 @@ running. | |||
696 | .It Cm SkeyAuthentication | 762 | .It Cm SkeyAuthentication |
697 | Specifies whether to use | 763 | Specifies whether to use |
698 | .Xr skey 1 | 764 | .Xr skey 1 |
699 | authentication. The argument to | 765 | authentication. |
700 | this keyword must be | 766 | The argument to this keyword must be |
701 | .Dq yes | 767 | .Dq yes |
702 | or | 768 | or |
703 | .Dq no . | 769 | .Dq no . |
@@ -709,16 +775,19 @@ If this flag is set to | |||
709 | .Nm | 775 | .Nm |
710 | ssh will never automatically add host keys to the | 776 | ssh will never automatically add host keys to the |
711 | .Pa $HOME/.ssh/known_hosts | 777 | .Pa $HOME/.ssh/known_hosts |
712 | file, and refuses to connect hosts whose host key has changed. This | 778 | file, and refuses to connect hosts whose host key has changed. |
713 | provides maximum protection against trojan horse attacks. However, it | 779 | This provides maximum protection against trojan horse attacks. |
714 | can be somewhat annoying if you don't have good | 780 | However, it can be somewhat annoying if you don't have good |
715 | .Pa /etc/ssh_known_hosts | 781 | .Pa /etc/ssh_known_hosts |
716 | files installed and frequently | 782 | files installed and frequently |
717 | connect new hosts. Basically this option forces the user to manually | 783 | connect new hosts. |
718 | add any new hosts. Normally this option is disabled, and new hosts | 784 | Basically this option forces the user to manually |
719 | will automatically be added to the known host files. The host keys of | 785 | add any new hosts. |
720 | known hosts will be verified automatically in either case. The | 786 | Normally this option is disabled, and new hosts |
721 | argument must be | 787 | will automatically be added to the known host files. |
788 | The host keys of | ||
789 | known hosts will be verified automatically in either case. | ||
790 | The argument must be | ||
722 | .Dq yes | 791 | .Dq yes |
723 | or | 792 | or |
724 | .Dq no . | 793 | .Dq no . |
@@ -737,23 +806,26 @@ turns off | |||
737 | and | 806 | and |
738 | .Cm RhostsRSAAuthentication . | 807 | .Cm RhostsRSAAuthentication . |
739 | .It Cm User | 808 | .It Cm User |
740 | Specifies the user to log in as. This can be useful if you have a | 809 | Specifies the user to log in as. |
741 | different user name in different machines. This saves the trouble of | 810 | This can be useful if you have a different user name on different machines. |
811 | This saves the trouble of | ||
742 | having to remember to give the user name on the command line. | 812 | having to remember to give the user name on the command line. |
743 | .It Cm UserKnownHostsFile | 813 | .It Cm UserKnownHostsFile |
744 | Specifies a file to use instead of | 814 | Specifies a file to use instead of |
745 | .Pa $HOME/.ssh/known_hosts . | 815 | .Pa $HOME/.ssh/known_hosts . |
746 | .It Cm UseRsh | 816 | .It Cm UseRsh |
747 | Specifies that rlogin/rsh should be used for this host. It is | 817 | Specifies that rlogin/rsh should be used for this host. |
748 | possible that the host does not at all support the | 818 | It is possible that the host does not at all support the |
749 | .Nm | 819 | .Nm |
750 | protocol. This causes | 820 | protocol. |
821 | This causes | ||
751 | .Nm | 822 | .Nm |
752 | to immediately exec | 823 | to immediately execute |
753 | .Xr rsh 1 . | 824 | .Xr rsh 1 . |
754 | All other options (except | 825 | All other options (except |
755 | .Cm HostName ) | 826 | .Cm HostName ) |
756 | are ignored if this has been specified. The argument must be | 827 | are ignored if this has been specified. |
828 | The argument must be | ||
757 | .Dq yes | 829 | .Dq yes |
758 | or | 830 | or |
759 | .Dq no . | 831 | .Dq no . |
@@ -764,15 +836,17 @@ will normally set the following environment variables: | |||
764 | .It Ev DISPLAY | 836 | .It Ev DISPLAY |
765 | The | 837 | The |
766 | .Ev DISPLAY | 838 | .Ev DISPLAY |
767 | variable indicates the location of the X11 server. It is | 839 | variable indicates the location of the X11 server. |
768 | automatically set by | 840 | It is automatically set by |
769 | .Nm | 841 | .Nm |
770 | to point to a value of the form | 842 | to point to a value of the form |
771 | .Dq hostname:n | 843 | .Dq hostname:n |
772 | where hostname indicates | 844 | where hostname indicates |
773 | the host where the shell runs, and n is an integer >= 1. Ssh uses | 845 | the host where the shell runs, and n is an integer >= 1. |
774 | this special value to forward X11 connections over the secure | 846 | .Nm |
775 | channel. The user should normally not set DISPLAY explicitly, as that | 847 | uses this special value to forward X11 connections over the secure |
848 | channel. | ||
849 | The user should normally not set DISPLAY explicitly, as that | ||
776 | will render the X11 connection insecure (and will require the user to | 850 | will render the X11 connection insecure (and will require the user to |
777 | manually copy any required authorization cookies). | 851 | manually copy any required authorization cookies). |
778 | .It Ev HOME | 852 | .It Ev HOME |
@@ -783,7 +857,7 @@ Synonym for | |||
783 | set for compatibility with systems that use this variable. | 857 | set for compatibility with systems that use this variable. |
784 | .It Ev MAIL | 858 | .It Ev MAIL |
785 | Set to point the user's mailbox. | 859 | Set to point the user's mailbox. |
786 | .It Ev PATH | 860 | .It Ev PATH |
787 | Set to the default | 861 | Set to the default |
788 | .Ev PATH , | 862 | .Ev PATH , |
789 | as specified when compiling | 863 | as specified when compiling |
@@ -792,12 +866,14 @@ as specified when compiling | |||
792 | indicates the path of a unix-domain socket used to communicate with the | 866 | indicates the path of a unix-domain socket used to communicate with the |
793 | agent. | 867 | agent. |
794 | .It Ev SSH_CLIENT | 868 | .It Ev SSH_CLIENT |
795 | Identifies the client end of the connection. The variable contains | 869 | Identifies the client end of the connection. |
870 | The variable contains | ||
796 | three space-separated values: client ip-address, client port number, | 871 | three space-separated values: client ip-address, client port number, |
797 | and server port number. | 872 | and server port number. |
798 | .It Ev SSH_TTY | 873 | .It Ev SSH_TTY |
799 | This is set to the name of the tty (path to the device) associated | 874 | This is set to the name of the tty (path to the device) associated |
800 | with the current shell or command. If the current session has no tty, | 875 | with the current shell or command. |
876 | If the current session has no tty, | ||
801 | this variable is not set. | 877 | this variable is not set. |
802 | .It Ev TZ | 878 | .It Ev TZ |
803 | The timezone variable is set to indicate the present timezone if it | 879 | The timezone variable is set to indicate the present timezone if it |
@@ -823,7 +899,8 @@ in | |||
823 | See | 899 | See |
824 | .Xr sshd 8 . | 900 | .Xr sshd 8 . |
825 | .It Pa $HOME/.ssh/identity | 901 | .It Pa $HOME/.ssh/identity |
826 | Contains the RSA authentication identity of the user. This file | 902 | Contains the RSA authentication identity of the user. |
903 | This file | ||
827 | contains sensitive data and should be readable by the user but not | 904 | contains sensitive data and should be readable by the user but not |
828 | accessible by others (read/write/execute). | 905 | accessible by others (read/write/execute). |
829 | Note that | 906 | Note that |
@@ -834,39 +911,50 @@ generating the key; the passphrase will be used to encrypt the | |||
834 | sensitive part of this file using 3DES. | 911 | sensitive part of this file using 3DES. |
835 | .It Pa $HOME/.ssh/identity.pub | 912 | .It Pa $HOME/.ssh/identity.pub |
836 | Contains the public key for authentication (public part of the | 913 | Contains the public key for authentication (public part of the |
837 | identity file in human-readable form). The contents of this file | 914 | identity file in human-readable form). |
838 | should be added to | 915 | The contents of this file should be added to |
839 | .Pa $HOME/.ssh/authorized_keys | 916 | .Pa $HOME/.ssh/authorized_keys |
840 | on all machines | 917 | on all machines |
841 | where you wish to log in using RSA authentication. This file is not | 918 | where you wish to log in using RSA authentication. |
842 | sensitive and can (but need not) be readable by anyone. This file is | 919 | This file is not |
920 | sensitive and can (but need not) be readable by anyone. | ||
921 | This file is | ||
843 | never used automatically and is not necessary; it is only provided for | 922 | never used automatically and is not necessary; it is only provided for |
844 | the convenience of the user. | 923 | the convenience of the user. |
845 | .It Pa $HOME/.ssh/config | 924 | .It Pa $HOME/.ssh/config |
846 | This is the per-user configuration file. The format of this file is | 925 | This is the per-user configuration file. |
847 | described above. This file is used by the | 926 | The format of this file is described above. |
927 | This file is used by the | ||
848 | .Nm | 928 | .Nm |
849 | client. This file does not usually contain any sensitive information, | 929 | client. |
930 | This file does not usually contain any sensitive information, | ||
850 | but the recommended permissions are read/write for the user, and not | 931 | but the recommended permissions are read/write for the user, and not |
851 | accessible by others. | 932 | accessible by others. |
852 | .It Pa $HOME/.ssh/authorized_keys | 933 | .It Pa $HOME/.ssh/authorized_keys |
853 | Lists the RSA keys that can be used for logging in as this user. The | 934 | Lists the RSA keys that can be used for logging in as this user. |
854 | format of this file is described in the | 935 | The format of this file is described in the |
855 | .Xr sshd 8 | 936 | .Xr sshd 8 |
856 | manual page. In the simplest form the format is the same as the .pub | 937 | manual page. |
938 | In the simplest form the format is the same as the .pub | ||
857 | identity files (that is, each line contains the number of bits in | 939 | identity files (that is, each line contains the number of bits in |
858 | modulus, public exponent, modulus, and comment fields, separated by | 940 | modulus, public exponent, modulus, and comment fields, separated by |
859 | spaces). This file is not highly sensitive, but the recommended | 941 | spaces). |
942 | This file is not highly sensitive, but the recommended | ||
860 | permissions are read/write for the user, and not accessible by others. | 943 | permissions are read/write for the user, and not accessible by others. |
861 | .It Pa /etc/ssh_known_hosts | 944 | .It Pa /etc/ssh_known_hosts |
862 | Systemwide list of known host keys. This file should be prepared by the | 945 | Systemwide list of known host keys. |
946 | This file should be prepared by the | ||
863 | system administrator to contain the public host keys of all machines in the | 947 | system administrator to contain the public host keys of all machines in the |
864 | organization. This file should be world-readable. This file contains | 948 | organization. |
949 | This file should be world-readable. | ||
950 | This file contains | ||
865 | public keys, one per line, in the following format (fields separated | 951 | public keys, one per line, in the following format (fields separated |
866 | by spaces): system name, number of bits in modulus, public exponent, | 952 | by spaces): system name, number of bits in modulus, public exponent, |
867 | modulus, and optional comment field. When different names are used | 953 | modulus, and optional comment field. |
954 | When different names are used | ||
868 | for the same machine, all such names should be listed, separated by | 955 | for the same machine, all such names should be listed, separated by |
869 | commas. The format is described on the | 956 | commas. |
957 | The format is described on the | ||
870 | .Xr sshd 8 | 958 | .Xr sshd 8 |
871 | manual page. | 959 | manual page. |
872 | .Pp | 960 | .Pp |
@@ -878,32 +966,37 @@ does not convert the user-supplied name to a canonical name before | |||
878 | checking the key, because someone with access to the name servers | 966 | checking the key, because someone with access to the name servers |
879 | would then be able to fool host authentication. | 967 | would then be able to fool host authentication. |
880 | .It Pa /etc/ssh_config | 968 | .It Pa /etc/ssh_config |
881 | Systemwide configuration file. This file provides defaults for those | 969 | Systemwide configuration file. |
970 | This file provides defaults for those | ||
882 | values that are not specified in the user's configuration file, and | 971 | values that are not specified in the user's configuration file, and |
883 | for those users who do not have a configuration file. This file must | 972 | for those users who do not have a configuration file. |
884 | be world-readable. | 973 | This file must be world-readable. |
885 | .It Pa $HOME/.rhosts | 974 | .It Pa $HOME/.rhosts |
886 | This file is used in | 975 | This file is used in |
887 | .Pa \&.rhosts | 976 | .Pa \&.rhosts |
888 | authentication to list the | 977 | authentication to list the |
889 | host/user pairs that are permitted to log in. (Note that this file is | 978 | host/user pairs that are permitted to log in. |
979 | (Note that this file is | ||
890 | also used by rlogin and rsh, which makes using this file insecure.) | 980 | also used by rlogin and rsh, which makes using this file insecure.) |
891 | Each line of the file contains a host name (in the canonical form | 981 | Each line of the file contains a host name (in the canonical form |
892 | returned by name servers), and then a user name on that host, | 982 | returned by name servers), and then a user name on that host, |
893 | separated by a space. One some machines this file may need to be | 983 | separated by a space. |
984 | One some machines this file may need to be | ||
894 | world-readable if the user's home directory is on a NFS partition, | 985 | world-readable if the user's home directory is on a NFS partition, |
895 | because | 986 | because |
896 | .Xr sshd 8 | 987 | .Xr sshd 8 |
897 | reads it as root. Additionally, this file must be owned by the user, | 988 | reads it as root. |
898 | and must not have write permissions for anyone else. The recommended | 989 | Additionally, this file must be owned by the user, |
990 | and must not have write permissions for anyone else. | ||
991 | The recommended | ||
899 | permission for most machines is read/write for the user, and not | 992 | permission for most machines is read/write for the user, and not |
900 | accessible by others. | 993 | accessible by others. |
901 | .Pp | 994 | .Pp |
902 | Note that by default | 995 | Note that by default |
903 | .Xr sshd 8 | 996 | .Xr sshd 8 |
904 | will be installed so that it requires successful RSA host | 997 | will be installed so that it requires successful RSA host |
905 | authentication before permitting \s+2.\s0rhosts authentication. If your | 998 | authentication before permitting \s+2.\s0rhosts authentication. |
906 | server machine does not have the client's host key in | 999 | If your server machine does not have the client's host key in |
907 | .Pa /etc/ssh_known_hosts , | 1000 | .Pa /etc/ssh_known_hosts , |
908 | you can store it in | 1001 | you can store it in |
909 | .Pa $HOME/.ssh/known_hosts . | 1002 | .Pa $HOME/.ssh/known_hosts . |
@@ -923,14 +1016,18 @@ or | |||
923 | .Xr rsh 1 . | 1016 | .Xr rsh 1 . |
924 | .It Pa /etc/hosts.equiv | 1017 | .It Pa /etc/hosts.equiv |
925 | This file is used during | 1018 | This file is used during |
926 | .Pa \&.rhosts authentication. It contains | 1019 | .Pa \&.rhosts authentication. |
1020 | It contains | ||
927 | canonical hosts names, one per line (the full format is described on | 1021 | canonical hosts names, one per line (the full format is described on |
928 | the | 1022 | the |
929 | .Xr sshd 8 | 1023 | .Xr sshd 8 |
930 | manual page). If the client host is found in this file, login is | 1024 | manual page). |
1025 | If the client host is found in this file, login is | ||
931 | automatically permitted provided client and server user names are the | 1026 | automatically permitted provided client and server user names are the |
932 | same. Additionally, successful RSA host authentication is normally | 1027 | same. |
933 | required. This file should only be writable by root. | 1028 | Additionally, successful RSA host authentication is normally |
1029 | required. | ||
1030 | This file should only be writable by root. | ||
934 | .It Pa /etc/shosts.equiv | 1031 | .It Pa /etc/shosts.equiv |
935 | This file is processed exactly as | 1032 | This file is processed exactly as |
936 | .Pa /etc/hosts.equiv . | 1033 | .Pa /etc/hosts.equiv . |
@@ -962,7 +1059,8 @@ is required for proper operation. | |||
962 | .Sh AUTHOR | 1059 | .Sh AUTHOR |
963 | OpenSSH | 1060 | OpenSSH |
964 | is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen, | 1061 | is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen, |
965 | but with bugs removed and newer features re-added. Rapidly after the | 1062 | but with bugs removed and newer features re-added. |
1063 | Rapidly after the | ||
966 | 1.2.12 release, newer versions of the original ssh bore successively | 1064 | 1.2.12 release, newer versions of the original ssh bore successively |
967 | more restrictive licenses, and thus demand for a free version was born. | 1065 | more restrictive licenses, and thus demand for a free version was born. |
968 | This version of OpenSSH | 1066 | This version of OpenSSH |
diff --git a/sshconnect.c b/sshconnect.c
index c4c9aee1f..910548fac 100644
--- a/sshconnect.c
+++ b/sshconnect.c | |||
@@ -8,7 +8,7 @@ | |||
8 | */ | 8 | */ |
9 | 9 | ||
10 | #include "includes.h" | 10 | #include "includes.h" |
11 | RCSID("$OpenBSD: sshconnect.c,v 1.56 2000/02/18 08:50:33 markus Exp $"); | 11 | RCSID("$OpenBSD: sshconnect.c,v 1.57 2000/03/16 20:56:14 markus Exp $"); |
12 | 12 | ||
13 | #ifdef HAVE_OPENSSL | 13 | #ifdef HAVE_OPENSSL |
14 | #include <openssl/bn.h> | 14 | #include <openssl/bn.h> |
@@ -638,6 +638,7 @@ try_kerberos_authentication() | |||
638 | char *realm; | 638 | char *realm; |
639 | CREDENTIALS cred; | 639 | CREDENTIALS cred; |
640 | int r, type, plen; | 640 | int r, type, plen; |
641 | socklen_t slen; | ||
641 | Key_schedule schedule; | 642 | Key_schedule schedule; |
642 | u_long checksum, cksum; | 643 | u_long checksum, cksum; |
643 | MSG_DAT msg_data; | 644 | MSG_DAT msg_data; |
@@ -680,16 +681,16 @@ try_kerberos_authentication() | |||
680 | /* Zero the buffer. */ | 681 | /* Zero the buffer. */ |
681 | (void) memset(auth.dat, 0, MAX_KTXT_LEN); | 682 | (void) memset(auth.dat, 0, MAX_KTXT_LEN); |
682 | 683 | ||
683 | r = sizeof(local); | 684 | slen = sizeof(local); |
684 | memset(&local, 0, sizeof(local)); | 685 | memset(&local, 0, sizeof(local)); |
685 | if (getsockname(packet_get_connection_in(), | 686 | if (getsockname(packet_get_connection_in(), |
686 | (struct sockaddr *) & local, &r) < 0) | 687 | (struct sockaddr *) & local, &slen) < 0) |
687 | debug("getsockname failed: %s", strerror(errno)); | 688 | debug("getsockname failed: %s", strerror(errno)); |
688 | 689 | ||
689 | r = sizeof(foreign); | 690 | slen = sizeof(foreign); |
690 | memset(&foreign, 0, sizeof(foreign)); | 691 | memset(&foreign, 0, sizeof(foreign)); |
691 | if (getpeername(packet_get_connection_in(), | 692 | if (getpeername(packet_get_connection_in(), |
692 | (struct sockaddr *) & foreign, &r) < 0) { | 693 | (struct sockaddr *) & foreign, &slen) < 0) { |
693 | debug("getpeername failed: %s", strerror(errno)); | 694 | debug("getpeername failed: %s", strerror(errno)); |
694 | fatal_cleanup(); | 695 | fatal_cleanup(); |
695 | } | 696 | } |
@@ -751,7 +752,7 @@ send_kerberos_tgt() | |||
751 | CREDENTIALS *creds; | 752 | CREDENTIALS *creds; |
752 | char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; | 753 | char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; |
753 | int r, type, plen; | 754 | int r, type, plen; |
754 | unsigned char buffer[8192]; | 755 | char buffer[8192]; |
755 | struct stat st; | 756 | struct stat st; |
756 | 757 | ||
757 | /* Don't do anything if we don't have any tickets. */ | 758 | /* Don't do anything if we don't have any tickets. */ |
@@ -772,11 +773,11 @@ send_kerberos_tgt() | |||
772 | debug("Kerberos V4 ticket expired: %s", TKT_FILE); | 773 | debug("Kerberos V4 ticket expired: %s", TKT_FILE); |
773 | return 0; | 774 | return 0; |
774 | } | 775 | } |
775 | creds_to_radix(creds, buffer); | 776 | creds_to_radix(creds, (unsigned char *)buffer); |
776 | xfree(creds); | 777 | xfree(creds); |
777 | 778 | ||
778 | packet_start(SSH_CMSG_HAVE_KERBEROS_TGT); | 779 | packet_start(SSH_CMSG_HAVE_KERBEROS_TGT); |
779 | packet_put_string((char *) buffer, strlen(buffer)); | 780 | packet_put_string(buffer, strlen(buffer)); |
780 | packet_send(); | 781 | packet_send(); |
781 | packet_write_wait(); | 782 | packet_write_wait(); |
782 | 783 | ||
@@ -798,7 +799,7 @@ send_afs_tokens(void) | |||
798 | struct ClearToken ct; | 799 | struct ClearToken ct; |
799 | int i, type, len, plen; | 800 | int i, type, len, plen; |
800 | char buf[2048], *p, *server_cell; | 801 | char buf[2048], *p, *server_cell; |
801 | unsigned char buffer[8192]; | 802 | char buffer[8192]; |
802 | 803 | ||
803 | /* Move over ktc_GetToken, here's something leaner. */ | 804 | /* Move over ktc_GetToken, here's something leaner. */ |
804 | for (i = 0; i < 100; i++) { /* just in case */ | 805 | for (i = 0; i < 100; i++) { /* just in case */ |
@@ -840,10 +841,10 @@ send_afs_tokens(void) | |||
840 | creds.pinst[0] = '\0'; | 841 | creds.pinst[0] = '\0'; |
841 | 842 | ||
842 | /* Encode token, ship it off. */ | 843 | /* Encode token, ship it off. */ |
843 | if (!creds_to_radix(&creds, buffer)) | 844 | if (!creds_to_radix(&creds, (unsigned char*) buffer)) |
844 | break; | 845 | break; |
845 | packet_start(SSH_CMSG_HAVE_AFS_TOKEN); | 846 | packet_start(SSH_CMSG_HAVE_AFS_TOKEN); |
846 | packet_put_string((char *) buffer, strlen(buffer)); | 847 | packet_put_string(buffer, strlen(buffer)); |
847 | packet_send(); | 848 | packet_send(); |
848 | packet_write_wait(); | 849 | packet_write_wait(); |
849 | 850 | ||
@@ -867,7 +868,9 @@ send_afs_tokens(void) | |||
867 | int | 868 | int |
868 | try_skey_authentication() | 869 | try_skey_authentication() |
869 | { | 870 | { |
870 | int type, i, payload_len; | 871 | int type, i; |
872 | int payload_len; | ||
873 | unsigned int clen; | ||
871 | char *challenge, *response; | 874 | char *challenge, *response; |
872 | 875 | ||
873 | debug("Doing skey authentication."); | 876 | debug("Doing skey authentication."); |
@@ -887,7 +890,8 @@ try_skey_authentication() | |||
887 | debug("No challenge for skey authentication."); | 890 | debug("No challenge for skey authentication."); |
888 | return 0; | 891 | return 0; |
889 | } | 892 | } |
890 | challenge = packet_get_string(&payload_len); | 893 | challenge = packet_get_string(&clen); |
894 | packet_integrity_check(payload_len, (4 + clen), type); | ||
891 | if (options.cipher == SSH_CIPHER_NONE) | 895 | if (options.cipher == SSH_CIPHER_NONE) |
892 | log("WARNING: Encryption is disabled! " | 896 | log("WARNING: Encryption is disabled! " |
893 | "Reponse will be transmitted in clear text."); | 897 | "Reponse will be transmitted in clear text."); |
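Review bot: The retyping of `buffer` to `char[8192]` in send_kerberos_tgt and send_afs_tokens only adds casts at `creds_to_radix(creds, (unsigned char *)buffer);` and `creds_to_radix(&creds, (unsigned char*) buffer)`; the encoder is still handed a fixed stack buffer with no length, and the following `packet_put_string(buffer, strlen(buffer));` trusts it to have stayed in bounds and to have NUL-terminated. radix.c is touched by this commit but not visible here, so I cannot tell whether the encoder bounds itself against the serialized CREDENTIALS size; if it does not, passing the bound explicitly, e.g. `creds_to_radix(creds, (unsigned char *)buffer, sizeof(buffer))`, and failing on overflow would make the check visible at the call site instead of implicit in the 8192 constant. The new `packet_integrity_check(payload_len, (4 + clen), type);` in try_skey_authentication is a welcome tightening, but `payload_len` is set by a packet_read outside the hunk, so its value here cannot be confirmed from this view. All three enclosing functions start and end outside the hunks shown.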
@@ -9,7 +9,7 @@ | |||
9 | .\" | 9 | .\" |
10 | .\" Created: Sat Apr 22 21:55:14 1995 ylo | 10 | .\" Created: Sat Apr 22 21:55:14 1995 ylo |
11 | .\" | 11 | .\" |
12 | .\" $Id: sshd.8,v 1.13 2000/03/09 10:27:53 damien Exp $ | 12 | .\" $Id: sshd.8,v 1.14 2000/03/17 12:40:18 damien Exp $ |
13 | .\" | 13 | .\" |
14 | .Dd September 25, 1999 | 14 | .Dd September 25, 1999 |
15 | .Dt SSHD 8 | 15 | .Dt SSHD 8 |
@@ -147,7 +147,7 @@ is normally not run | |||
147 | from inetd because it needs to generate the server key before it can | 147 | from inetd because it needs to generate the server key before it can |
148 | respond to the client, and this may take tens of seconds. Clients | 148 | respond to the client, and this may take tens of seconds. Clients |
149 | would have to wait too long if the key was regenerated every time. | 149 | would have to wait too long if the key was regenerated every time. |
150 | However, with small key sizes (e.g. 512) using | 150 | However, with small key sizes (e.g., 512) using |
151 | .Nm | 151 | .Nm |
152 | from inetd may | 152 | from inetd may |
153 | be feasible. | 153 | be feasible. |
@@ -11,7 +11,7 @@ | |||
11 | */ | 11 | */ |
12 | 12 | ||
13 | #include "includes.h" | 13 | #include "includes.h" |
14 | RCSID("$OpenBSD: sshd.c,v 1.91 2000/03/09 19:31:47 markus Exp $"); | 14 | RCSID("$OpenBSD: sshd.c,v 1.92 2000/03/16 20:56:15 markus Exp $"); |
15 | 15 | ||
16 | #include "xmalloc.h" | 16 | #include "xmalloc.h" |
17 | #include "rsa.h" | 17 | #include "rsa.h" |
@@ -1202,7 +1202,8 @@ void | |||
1202 | do_authentication() | 1202 | do_authentication() |
1203 | { | 1203 | { |
1204 | struct passwd *pw, pwcopy; | 1204 | struct passwd *pw, pwcopy; |
1205 | int plen, ulen; | 1205 | int plen; |
1206 | unsigned int ulen; | ||
1206 | char *user; | 1207 | char *user; |
1207 | 1208 | ||
1208 | /* Get the name of the user that we wish to log in as. */ | 1209 | /* Get the name of the user that we wish to log in as. */ |
@@ -1304,7 +1305,9 @@ do_authloop(struct passwd * pw) | |||
1304 | BIGNUM *n; | 1305 | BIGNUM *n; |
1305 | char *client_user = NULL, *password = NULL; | 1306 | char *client_user = NULL, *password = NULL; |
1306 | char user[1024]; | 1307 | char user[1024]; |
1307 | int plen, dlen, nlen, ulen, elen; | 1308 | unsigned int dlen; |
1309 | int plen, nlen, elen; | ||
1310 | unsigned int ulen; | ||
1308 | int type = 0; | 1311 | int type = 0; |
1309 | void (*authlog) (const char *fmt,...) = verbose; | 1312 | void (*authlog) (const char *fmt,...) = verbose; |
1310 | 1313 | ||
@@ -1608,7 +1611,7 @@ do_fake_authloop(char *user) | |||
1608 | (void)packet_read(&plen); | 1611 | (void)packet_read(&plen); |
1609 | #else /* SKEY */ | 1612 | #else /* SKEY */ |
1610 | int type = packet_read(&plen); | 1613 | int type = packet_read(&plen); |
1611 | int dlen; | 1614 | unsigned int dlen; |
1612 | char *password, *skeyinfo; | 1615 | char *password, *skeyinfo; |
1613 | /* Try to send a fake s/key challenge. */ | 1616 | /* Try to send a fake s/key challenge. */ |
1614 | if (options.skey_authentication == 1 && | 1617 | if (options.skey_authentication == 1 && |
@@ -1697,6 +1700,8 @@ do_authenticated(struct passwd * pw) | |||
1697 | int row, col, xpixel, ypixel, screen; | 1700 | int row, col, xpixel, ypixel, screen; |
1698 | char ttyname[64]; | 1701 | char ttyname[64]; |
1699 | char *command, *term = NULL, *display = NULL, *proto = NULL, *data = NULL; | 1702 | char *command, *term = NULL, *display = NULL, *proto = NULL, *data = NULL; |
1703 | int plen; | ||
1704 | unsigned int dlen; | ||
1700 | int n_bytes; | 1705 | int n_bytes; |
1701 | 1706 | ||
1702 | /* | 1707 | /* |
@@ -1720,7 +1725,6 @@ do_authenticated(struct passwd * pw) | |||
1720 | * or a command. | 1725 | * or a command. |
1721 | */ | 1726 | */ |
1722 | while (1) { | 1727 | while (1) { |
1723 | int plen, dlen; | ||
1724 | 1728 | ||
1725 | /* Get a packet from the client. */ | 1729 | /* Get a packet from the client. */ |
1726 | type = packet_read(&plen); | 1730 | type = packet_read(&plen); |
@@ -1799,7 +1803,7 @@ do_authenticated(struct passwd * pw) | |||
1799 | if (display) | 1803 | if (display) |
1800 | packet_disconnect("Protocol error: X11 display already set."); | 1804 | packet_disconnect("Protocol error: X11 display already set."); |
1801 | { | 1805 | { |
1802 | int proto_len, data_len; | 1806 | unsigned int proto_len, data_len; |
1803 | proto = packet_get_string(&proto_len); | 1807 | proto = packet_get_string(&proto_len); |
1804 | data = packet_get_string(&data_len); | 1808 | data = packet_get_string(&data_len); |
1805 | packet_integrity_check(plen, 4 + proto_len + 4 + data_len + 4, type); | 1809 | packet_integrity_check(plen, 4 + proto_len + 4 + data_len + 4, type); |
@@ -1881,7 +1885,7 @@ do_authenticated(struct passwd * pw) | |||
1881 | goto do_forced_command; | 1885 | goto do_forced_command; |
1882 | /* Get command from the packet. */ | 1886 | /* Get command from the packet. */ |
1883 | { | 1887 | { |
1884 | int dlen; | 1888 | unsigned int dlen; |
1885 | command = packet_get_string(&dlen); | 1889 | command = packet_get_string(&dlen); |
1886 | debug("Executing command '%.500s'", command); | 1890 | debug("Executing command '%.500s'", command); |
1887 | packet_integrity_check(plen, 4 + dlen, type); | 1891 | packet_integrity_check(plen, 4 + dlen, type); |
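Review bot: The block-local `unsigned int dlen;` kept in the command-execution case of do_authenticated (`{ unsigned int dlen; command = packet_get_string(&dlen); ... }`) now shadows the function-scope `unsigned int dlen;` this commit adds at the top of the function, which is exactly the -Wshadow noise a "pedantic" signedness cleanup should not leave behind. Both have the same type and the inner one is only used by the adjacent packet_get_string/packet_integrity_check pair, so the inner declaration can simply go: `command = packet_get_string(&dlen);` then uses the function-scope variable and the extra braces become unnecessary. The X11 case's `unsigned int proto_len, data_len;` is fine as those names are distinct. The body of do_authenticated and its request loop extend beyond the hunks shown, so I cannot confirm that no other path relies on a separate lifetime for the inner `dlen`.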