authorColin Watson <cjwatson@debian.org>2011-01-24 12:43:25 +0000
committerColin Watson <cjwatson@debian.org>2011-01-24 12:43:25 +0000
commit626f1d986ff72aa514da63e34744e1de9cf21b9a (patch)
treed215a5280bc2e57251e4a9e08bfd3674ad824a94 /ssh.c
parent6ed622cb6fe8f71bbe0d998cdd12280410bfb420 (diff)
parent0970072c89b079b022538e3c366fbfa2c53fc821 (diff)
* New upstream release (http://www.openssh.org/txt/release-5.7):
- Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. - sftp(1)/sftp-server(8): add a protocol extension to support a hard link operation. It is available through the "ln" command in the client. The old "ln" behaviour of creating a symlink is available using its "-s" option or through the preexisting "symlink" command. - scp(1): Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host (closes: #508613). - ssh(1): "atomically" create the listening mux socket by binding it on a temporary name and then linking it into position after listen() has succeeded. This allows the mux clients to determine that the server socket is either ready or stale without races (closes: #454784). Stale server sockets are now automatically removed (closes: #523250). - ssh(1): install a SIGCHLD handler to reap expired child process (closes: #594687). - ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent temporary directories (closes: #357469, although only if you arrange for ssh-agent to actually see $TMPDIR since the setgid bit will cause it to be stripped off).
Diffstat (limited to 'ssh.c')
-rw-r--r--ssh.c77
1 files changed, 50 insertions, 27 deletions
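diff --git a/ssh.c b/ssh.c
index 22d4f53c4..77dbde058 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.346 2010/08/12 21:49:44 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.356 2011/01/06 22:23:53 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -183,9 +183,6 @@ int subsystem_flag = 0;
 /* # of replies received for global requests */
 static int remote_forward_confirms_received = 0;
 
-/* pid of proxycommand child process */
-pid_t proxy_command_pid = 0;
-
 /* mux.c */
 extern int muxserver_sock;
 extern u_int muxclient_command;
@@ -224,7 +221,7 @@ int
 main(int ac, char **av)
 {
 	int i, r, opt, exit_status, use_syslog;
-	char *p, *cp, *line, *argv0, buf[MAXPATHLEN];
+	char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg;
 	struct stat st;
 	struct passwd *pw;
 	int dummy, timeout_ms;
@@ -601,7 +598,7 @@ main(int ac, char **av)
 	if (!host)
 		usage();
 
-	SSLeay_add_all_algorithms();
+	OpenSSL_add_all_algorithms();
 	ERR_load_crypto_strings();
 
 	/* Initialize the command to execute on remote host. */
@@ -696,6 +693,8 @@ main(int ac, char **av)
 		options.port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT;
 	}
 
+	/* preserve host name given on command line for %n expansion */
+	host_arg = host;
 	if (options.hostname != NULL) {
 		host = percent_expand(options.hostname,
 		    "h", host, (char *)NULL);
@@ -710,7 +709,7 @@ main(int ac, char **av)
 		debug3("expanding LocalCommand: %s", options.local_command);
 		cp = options.local_command;
 		options.local_command = percent_expand(cp, "d", pw->pw_dir,
-		    "h", host, "l", thishost, "n", host, "r", options.user,
+		    "h", host, "l", thishost, "n", host_arg, "r", options.user,
 		    "p", buf, "u", pw->pw_name, (char *)NULL);
 		debug3("expanded LocalCommand: %s", options.local_command);
 		xfree(cp);
@@ -782,34 +781,53 @@ main(int ac, char **av)
 	sensitive_data.external_keysign = 0;
 	if (options.rhosts_rsa_authentication ||
 	    options.hostbased_authentication) {
-		sensitive_data.nkeys = 5;
+		sensitive_data.nkeys = 7;
 		sensitive_data.keys = xcalloc(sensitive_data.nkeys,
 		    sizeof(Key));
+		for (i = 0; i < sensitive_data.nkeys; i++)
+			sensitive_data.keys[i] = NULL;
 
 		PRIV_START;
 		sensitive_data.keys[0] = key_load_private_type(KEY_RSA1,
 		    _PATH_HOST_KEY_FILE, "", NULL, NULL);
 		sensitive_data.keys[1] = key_load_private_cert(KEY_DSA,
 		    _PATH_HOST_DSA_KEY_FILE, "", NULL);
-		sensitive_data.keys[2] = key_load_private_cert(KEY_RSA,
+#ifdef OPENSSL_HAS_ECC
+		sensitive_data.keys[2] = key_load_private_cert(KEY_ECDSA,
+		    _PATH_HOST_ECDSA_KEY_FILE, "", NULL);
+#endif
+		sensitive_data.keys[3] = key_load_private_cert(KEY_RSA,
 		    _PATH_HOST_RSA_KEY_FILE, "", NULL);
-		sensitive_data.keys[3] = key_load_private_type(KEY_DSA,
+		sensitive_data.keys[4] = key_load_private_type(KEY_DSA,
 		    _PATH_HOST_DSA_KEY_FILE, "", NULL, NULL);
-		sensitive_data.keys[4] = key_load_private_type(KEY_RSA,
+#ifdef OPENSSL_HAS_ECC
+		sensitive_data.keys[5] = key_load_private_type(KEY_ECDSA,
+		    _PATH_HOST_ECDSA_KEY_FILE, "", NULL, NULL);
+#endif
+		sensitive_data.keys[6] = key_load_private_type(KEY_RSA,
 		    _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL);
 		PRIV_END;
 
 		if (options.hostbased_authentication == 1 &&
 		    sensitive_data.keys[0] == NULL &&
-		    sensitive_data.keys[3] == NULL &&
-		    sensitive_data.keys[4] == NULL) {
+		    sensitive_data.keys[4] == NULL &&
+		    sensitive_data.keys[5] == NULL &&
+		    sensitive_data.keys[6] == NULL) {
 			sensitive_data.keys[1] = key_load_cert(
 			    _PATH_HOST_DSA_KEY_FILE);
+#ifdef OPENSSL_HAS_ECC
 			sensitive_data.keys[2] = key_load_cert(
+			    _PATH_HOST_ECDSA_KEY_FILE);
+#endif
+			sensitive_data.keys[3] = key_load_cert(
 			    _PATH_HOST_RSA_KEY_FILE);
-			sensitive_data.keys[3] = key_load_public(
-			    _PATH_HOST_DSA_KEY_FILE, NULL);
 			sensitive_data.keys[4] = key_load_public(
+			    _PATH_HOST_DSA_KEY_FILE, NULL);
+#ifdef OPENSSL_HAS_ECC
+			sensitive_data.keys[5] = key_load_public(
+			    _PATH_HOST_ECDSA_KEY_FILE, NULL);
+#endif
+			sensitive_data.keys[6] = key_load_public(
 			    _PATH_HOST_RSA_KEY_FILE, NULL);
 			sensitive_data.external_keysign = 1;
 		}
@@ -832,10 +850,19 @@ main(int ac, char **av)
 	 */
 	r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
 	    strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
-	if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0)
+	if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0) {
+#ifdef WITH_SELINUX
+		char *scon;
+
+		matchpathcon(buf, 0700, &scon);
+		setfscreatecon(scon);
+#endif
 		if (mkdir(buf, 0700) < 0)
 			error("Could not create directory '%.200s'.", buf);
-
+#ifdef WITH_SELINUX
+		setfscreatecon(NULL);
+#endif
+	}
 	/* load options.identity_files */
 	load_public_identity_files();
 
@@ -855,7 +882,7 @@ main(int ac, char **av)
 
 	/* Log into the remote system. Never returns if the login fails. */
 	ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr,
-	    pw, timeout_ms);
+	    options.port, pw, timeout_ms);
 
 	if (packet_connection_is_on_socket()) {
 		verbose("Authenticated to %s ([%s]:%d).", host,
@@ -893,12 +920,8 @@ main(int ac, char **av)
 	if (options.control_path != NULL && muxserver_sock != -1)
 		unlink(options.control_path);
 
-	/*
-	 * Send SIGHUP to proxy command if used. We don't wait() in
-	 * case it hangs and instead rely on init to reap the child
-	 */
-	if (proxy_command_pid > 1)
-		kill(proxy_command_pid, SIGHUP);
+	/* Kill ProxyCommand if it is running. */
+	ssh_kill_proxy_command();
 
 	return exit_status;
 }
@@ -930,6 +953,7 @@ control_persist_detach(void)
 	tty_flag = otty_flag;
 	close(muxserver_sock);
 	muxserver_sock = -1;
+	options.control_master = SSHCTL_MASTER_NO;
 	muxclient(options.control_path);
 	/* muxclient() doesn't return on success. */
 	fatal("Failed to connect to new control master");
@@ -1202,7 +1226,8 @@ ssh_session(void)
 		}
 	}
 	/* Tell the packet module whether this is an interactive session. */
-	packet_set_interactive(interactive);
+	packet_set_interactive(interactive,
+	    options.ip_qos_interactive, options.ip_qos_bulk);
 
 	/* Request authentication agent forwarding if appropriate. */
 	check_agent_present();
@@ -1300,8 +1325,6 @@ ssh_session2_setup(int id, int success, void *arg)
 
 	client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"),
 	    NULL, fileno(stdin), &command, environ);
-
-	packet_set_interactive(interactive);
 }
 
 /* open new channel for a session */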
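Review bot: In the new `WITH_SELINUX` block of the `~/.ssh` directory-creation hunk (`@@ -832,10 +850,19 @@`), `scon` is declared without an initializer and the result of `matchpathcon()` is never checked, so if the lookup fails (no matching file context, or the policy cannot be loaded) an indeterminate pointer is passed to `setfscreatecon()`. When the lookup does succeed, the context string it returns is heap-allocated by libselinux and is never released with `freecon()`, so every run that has to create the directory leaks it. The call should be guarded on its return value and the context freed once it has been installed; the later `setfscreatecon(NULL)` reset after `mkdir()` can stay as written. This block is inside main(), whose body begins and ends outside the hunk.
```c
#ifdef WITH_SELINUX
		char *scon = NULL;

		/* Only install a creation context when the lookup succeeded. */
		if (matchpathcon(buf, 0700, &scon) == 0) {
			setfscreatecon(scon);
			freecon(scon);
		}
#endif
		/* … unchanged: mkdir() / error() and the setfscreatecon(NULL) reset … */
```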