summaryrefslogtreecommitdiff
path: root/authfile.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2007-06-12 16:16:35 +0000
committerColin Watson <cjwatson@debian.org>2007-06-12 16:16:35 +0000
commitb7e40fa9da0b5491534a429dadb321eab5a77558 (patch)
treebed1da11e9f829925797aa093e379fc0b5868ecd /authfile.c
parent4f84beedf1005e44ff33c854abd6b711ffc0adb7 (diff)
parent086ea76990b1e6287c24b6db74adffd4605eb3b0 (diff)
* New upstream release (closes: #395507, #397961, #420035). Important
changes not previously backported to 4.3p2: - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4): + On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. + Implemented conditional configuration in sshd_config(5) using the "Match" directive. This allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. So far a useful subset of post-authentication options are supported and more are expected to be added in future releases. + Add support for Diffie-Hellman group exchange key agreement with a final hash of SHA256. + Added a "ForceCommand" directive to sshd_config(5). Similar to the command="..." option accepted in ~/.ssh/authorized_keys, this forces the execution of the specified command regardless of what the user requested. This is very useful in conjunction with the new "Match" option. + Add a "PermitOpen" directive to sshd_config(5). This mirrors the permitopen="..." authorized_keys option, allowing fine-grained control over the port-forwardings that a user is allowed to establish. + Add optional logging of transactions to sftp-server(8). + ssh(1) will now record port numbers for hosts stored in ~/.ssh/known_hosts when a non-standard port has been requested (closes: #50612). + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a non-zero exit code) when requested port forwardings could not be established. + Extend sshd_config(5) "SubSystem" declarations to allow the specification of command-line arguments. + Replacement of all integer overflow susceptible invocations of malloc(3) and realloc(3) with overflow-checking equivalents. + Many manpage fixes and improvements. + Add optional support for OpenSSL hardware accelerators (engines), enabled using the --with-ssl-engine configure option. + Tokens in configuration files may be double-quoted in order to contain spaces (closes: #319639). + Move a debug() call out of a SIGCHLD handler, fixing a hang when the session exits very quickly (closes: #307890). + Fix some incorrect buffer allocation calculations (closes: #410599). + ssh-add doesn't ask for a passphrase if key file permissions are too liberal (closes: #103677). + Likewise, ssh doesn't ask either (closes: #99675). - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6): + sshd now allows the enabling and disabling of authentication methods on a per user, group, host and network basis via the Match directive in sshd_config. + Fixed an inconsistent check for a terminal when displaying scp progress meter (closes: #257524). + Fix "hang on exit" when background processes are running at the time of exit on a ttyful/login session (closes: #88337). * Update to current GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch; install ChangeLog.gssapi.
Diffstat (limited to 'authfile.c')
-rw-r--r--authfile.c32
1 files changed, 22 insertions, 10 deletions
diff --git a/authfile.c b/authfile.c
index 420813f37..735c64780 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,3 +1,4 @@
1/* $OpenBSD: authfile.c,v 1.76 2006/08/03 03:34:41 deraadt Exp $ */
1/* 2/*
2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -36,16 +37,27 @@
36 */ 37 */
37 38
38#include "includes.h" 39#include "includes.h"
39RCSID("$OpenBSD: authfile.c,v 1.61 2005/06/17 02:44:32 djm Exp $"); 40
41#include <sys/types.h>
42#include <sys/stat.h>
43#include <sys/param.h>
44#include <sys/uio.h>
40 45
41#include <openssl/err.h> 46#include <openssl/err.h>
42#include <openssl/evp.h> 47#include <openssl/evp.h>
43#include <openssl/pem.h> 48#include <openssl/pem.h>
44 49
45#include "cipher.h" 50#include <errno.h>
51#include <fcntl.h>
52#include <stdarg.h>
53#include <stdio.h>
54#include <stdlib.h>
55#include <string.h>
56#include <unistd.h>
57
46#include "xmalloc.h" 58#include "xmalloc.h"
59#include "cipher.h"
47#include "buffer.h" 60#include "buffer.h"
48#include "bufaux.h"
49#include "key.h" 61#include "key.h"
50#include "ssh.h" 62#include "ssh.h"
51#include "log.h" 63#include "log.h"
@@ -184,7 +196,7 @@ key_save_private_pem(Key *key, const char *filename, const char *_passphrase,
184 return 0; 196 return 0;
185 } 197 }
186 fp = fdopen(fd, "w"); 198 fp = fdopen(fd, "w");
187 if (fp == NULL ) { 199 if (fp == NULL) {
188 error("fdopen %s failed: %s.", filename, strerror(errno)); 200 error("fdopen %s failed: %s.", filename, strerror(errno));
189 close(fd); 201 close(fd);
190 return 0; 202 return 0;
@@ -211,12 +223,10 @@ key_save_private(Key *key, const char *filename, const char *passphrase,
211 case KEY_RSA1: 223 case KEY_RSA1:
212 return key_save_private_rsa1(key, filename, passphrase, 224 return key_save_private_rsa1(key, filename, passphrase,
213 comment); 225 comment);
214 break;
215 case KEY_DSA: 226 case KEY_DSA:
216 case KEY_RSA: 227 case KEY_RSA:
217 return key_save_private_pem(key, filename, passphrase, 228 return key_save_private_pem(key, filename, passphrase,
218 comment); 229 comment);
219 break;
220 default: 230 default:
221 break; 231 break;
222 } 232 }
@@ -507,7 +517,7 @@ key_load_private_pem(int fd, int type, const char *passphrase,
507 return prv; 517 return prv;
508} 518}
509 519
510static int 520int
511key_perm_ok(int fd, const char *filename) 521key_perm_ok(int fd, const char *filename)
512{ 522{
513 struct stat st; 523 struct stat st;
@@ -537,7 +547,7 @@ key_perm_ok(int fd, const char *filename)
537 547
538Key * 548Key *
539key_load_private_type(int type, const char *filename, const char *passphrase, 549key_load_private_type(int type, const char *filename, const char *passphrase,
540 char **commentp) 550 char **commentp, int *perm_ok)
541{ 551{
542 int fd; 552 int fd;
543 553
@@ -545,22 +555,24 @@ key_load_private_type(int type, const char *filename, const char *passphrase,
545 if (fd < 0) 555 if (fd < 0)
546 return NULL; 556 return NULL;
547 if (!key_perm_ok(fd, filename)) { 557 if (!key_perm_ok(fd, filename)) {
558 if (perm_ok != NULL)
559 *perm_ok = 0;
548 error("bad permissions: ignore key: %s", filename); 560 error("bad permissions: ignore key: %s", filename);
549 close(fd); 561 close(fd);
550 return NULL; 562 return NULL;
551 } 563 }
564 if (perm_ok != NULL)
565 *perm_ok = 1;
552 switch (type) { 566 switch (type) {
553 case KEY_RSA1: 567 case KEY_RSA1:
554 return key_load_private_rsa1(fd, filename, passphrase, 568 return key_load_private_rsa1(fd, filename, passphrase,
555 commentp); 569 commentp);
556 /* closes fd */ 570 /* closes fd */
557 break;
558 case KEY_DSA: 571 case KEY_DSA:
559 case KEY_RSA: 572 case KEY_RSA:
560 case KEY_UNSPEC: 573 case KEY_UNSPEC:
561 return key_load_private_pem(fd, type, passphrase, commentp); 574 return key_load_private_pem(fd, type, passphrase, commentp);
562 /* closes fd */ 575 /* closes fd */
563 break;
564 default: 576 default:
565 close(fd); 577 close(fd);
566 break; 578 break;
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-21 06:23:52 +0000