author | Colin Watson <cjwatson@debian.org> | 2011-01-24 12:43:25 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2011-01-24 12:43:25 +0000 |
commit | 626f1d986ff72aa514da63e34744e1de9cf21b9a (patch) | |
tree | d215a5280bc2e57251e4a9e08bfd3674ad824a94 /ssh.c | |
parent | 6ed622cb6fe8f71bbe0d998cdd12280410bfb420 (diff) | |
parent | 0970072c89b079b022538e3c366fbfa2c53fc821 (diff) |
* New upstream release (http://www.openssh.org/txt/release-5.7):
- Implement Elliptic Curve Cryptography modes for key exchange (ECDH)
and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA
offer better performance than plain DH and DSA at the same equivalent
symmetric key length, as well as much shorter keys.
- sftp(1)/sftp-server(8): add a protocol extension to support a hard
link operation. It is available through the "ln" command in the
client. The old "ln" behaviour of creating a symlink is available
using its "-s" option or through the preexisting "symlink" command.
- scp(1): Add a new -3 option to scp: Copies between two remote hosts
are transferred through the local host (closes: #508613).
- ssh(1): "atomically" create the listening mux socket by binding it on
a temporary name and then linking it into position after listen() has
succeeded. This allows the mux clients to determine that the server
socket is either ready or stale without races (closes: #454784).
Stale server sockets are now automatically removed (closes: #523250).
- ssh(1): install a SIGCHLD handler to reap expired child processes
(closes: #594687).
- ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent
temporary directories (closes: #357469, although only if you arrange
for ssh-agent to actually see $TMPDIR since the setgid bit will cause
it to be stripped off).
Diffstat (limited to 'ssh.c')
-rw-r--r-- | ssh.c | 77 |
1 files changed, 50 insertions, 27 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh.c,v 1.346 2010/08/12 21:49:44 djm Exp $ */ | 1 | /* $OpenBSD: ssh.c,v 1.356 2011/01/06 22:23:53 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -183,9 +183,6 @@ int subsystem_flag = 0; | |||
183 | /* # of replies received for global requests */ | 183 | /* # of replies received for global requests */ |
184 | static int remote_forward_confirms_received = 0; | 184 | static int remote_forward_confirms_received = 0; |
185 | 185 | ||
186 | /* pid of proxycommand child process */ | ||
187 | pid_t proxy_command_pid = 0; | ||
188 | |||
189 | /* mux.c */ | 186 | /* mux.c */ |
190 | extern int muxserver_sock; | 187 | extern int muxserver_sock; |
191 | extern u_int muxclient_command; | 188 | extern u_int muxclient_command; |
@@ -224,7 +221,7 @@ int | |||
224 | main(int ac, char **av) | 221 | main(int ac, char **av) |
225 | { | 222 | { |
226 | int i, r, opt, exit_status, use_syslog; | 223 | int i, r, opt, exit_status, use_syslog; |
227 | char *p, *cp, *line, *argv0, buf[MAXPATHLEN]; | 224 | char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg; |
228 | struct stat st; | 225 | struct stat st; |
229 | struct passwd *pw; | 226 | struct passwd *pw; |
230 | int dummy, timeout_ms; | 227 | int dummy, timeout_ms; |
@@ -601,7 +598,7 @@ main(int ac, char **av) | |||
601 | if (!host) | 598 | if (!host) |
602 | usage(); | 599 | usage(); |
603 | 600 | ||
604 | SSLeay_add_all_algorithms(); | 601 | OpenSSL_add_all_algorithms(); |
605 | ERR_load_crypto_strings(); | 602 | ERR_load_crypto_strings(); |
606 | 603 | ||
607 | /* Initialize the command to execute on remote host. */ | 604 | /* Initialize the command to execute on remote host. */ |
@@ -696,6 +693,8 @@ main(int ac, char **av) | |||
696 | options.port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT; | 693 | options.port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT; |
697 | } | 694 | } |
698 | 695 | ||
696 | /* preserve host name given on command line for %n expansion */ | ||
697 | host_arg = host; | ||
699 | if (options.hostname != NULL) { | 698 | if (options.hostname != NULL) { |
700 | host = percent_expand(options.hostname, | 699 | host = percent_expand(options.hostname, |
701 | "h", host, (char *)NULL); | 700 | "h", host, (char *)NULL); |
@@ -710,7 +709,7 @@ main(int ac, char **av) | |||
710 | debug3("expanding LocalCommand: %s", options.local_command); | 709 | debug3("expanding LocalCommand: %s", options.local_command); |
711 | cp = options.local_command; | 710 | cp = options.local_command; |
712 | options.local_command = percent_expand(cp, "d", pw->pw_dir, | 711 | options.local_command = percent_expand(cp, "d", pw->pw_dir, |
713 | "h", host, "l", thishost, "n", host, "r", options.user, | 712 | "h", host, "l", thishost, "n", host_arg, "r", options.user, |
714 | "p", buf, "u", pw->pw_name, (char *)NULL); | 713 | "p", buf, "u", pw->pw_name, (char *)NULL); |
715 | debug3("expanded LocalCommand: %s", options.local_command); | 714 | debug3("expanded LocalCommand: %s", options.local_command); |
716 | xfree(cp); | 715 | xfree(cp); |
@@ -782,34 +781,53 @@ main(int ac, char **av) | |||
782 | sensitive_data.external_keysign = 0; | 781 | sensitive_data.external_keysign = 0; |
783 | if (options.rhosts_rsa_authentication || | 782 | if (options.rhosts_rsa_authentication || |
784 | options.hostbased_authentication) { | 783 | options.hostbased_authentication) { |
785 | sensitive_data.nkeys = 5; | 784 | sensitive_data.nkeys = 7; |
786 | sensitive_data.keys = xcalloc(sensitive_data.nkeys, | 785 | sensitive_data.keys = xcalloc(sensitive_data.nkeys, |
787 | sizeof(Key)); | 786 | sizeof(Key)); |
787 | for (i = 0; i < sensitive_data.nkeys; i++) | ||
788 | sensitive_data.keys[i] = NULL; | ||
788 | 789 | ||
789 | PRIV_START; | 790 | PRIV_START; |
790 | sensitive_data.keys[0] = key_load_private_type(KEY_RSA1, | 791 | sensitive_data.keys[0] = key_load_private_type(KEY_RSA1, |
791 | _PATH_HOST_KEY_FILE, "", NULL, NULL); | 792 | _PATH_HOST_KEY_FILE, "", NULL, NULL); |
792 | sensitive_data.keys[1] = key_load_private_cert(KEY_DSA, | 793 | sensitive_data.keys[1] = key_load_private_cert(KEY_DSA, |
793 | _PATH_HOST_DSA_KEY_FILE, "", NULL); | 794 | _PATH_HOST_DSA_KEY_FILE, "", NULL); |
794 | sensitive_data.keys[2] = key_load_private_cert(KEY_RSA, | 795 | #ifdef OPENSSL_HAS_ECC |
796 | sensitive_data.keys[2] = key_load_private_cert(KEY_ECDSA, | ||
797 | _PATH_HOST_ECDSA_KEY_FILE, "", NULL); | ||
798 | #endif | ||
799 | sensitive_data.keys[3] = key_load_private_cert(KEY_RSA, | ||
795 | _PATH_HOST_RSA_KEY_FILE, "", NULL); | 800 | _PATH_HOST_RSA_KEY_FILE, "", NULL); |
796 | sensitive_data.keys[3] = key_load_private_type(KEY_DSA, | 801 | sensitive_data.keys[4] = key_load_private_type(KEY_DSA, |
797 | _PATH_HOST_DSA_KEY_FILE, "", NULL, NULL); | 802 | _PATH_HOST_DSA_KEY_FILE, "", NULL, NULL); |
798 | sensitive_data.keys[4] = key_load_private_type(KEY_RSA, | 803 | #ifdef OPENSSL_HAS_ECC |
804 | sensitive_data.keys[5] = key_load_private_type(KEY_ECDSA, | ||
805 | _PATH_HOST_ECDSA_KEY_FILE, "", NULL, NULL); | ||
806 | #endif | ||
807 | sensitive_data.keys[6] = key_load_private_type(KEY_RSA, | ||
799 | _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL); | 808 | _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL); |
800 | PRIV_END; | 809 | PRIV_END; |
801 | 810 | ||
802 | if (options.hostbased_authentication == 1 && | 811 | if (options.hostbased_authentication == 1 && |
803 | sensitive_data.keys[0] == NULL && | 812 | sensitive_data.keys[0] == NULL && |
804 | sensitive_data.keys[3] == NULL && | 813 | sensitive_data.keys[4] == NULL && |
805 | sensitive_data.keys[4] == NULL) { | 814 | sensitive_data.keys[5] == NULL && |
815 | sensitive_data.keys[6] == NULL) { | ||
806 | sensitive_data.keys[1] = key_load_cert( | 816 | sensitive_data.keys[1] = key_load_cert( |
807 | _PATH_HOST_DSA_KEY_FILE); | 817 | _PATH_HOST_DSA_KEY_FILE); |
818 | #ifdef OPENSSL_HAS_ECC | ||
808 | sensitive_data.keys[2] = key_load_cert( | 819 | sensitive_data.keys[2] = key_load_cert( |
820 | _PATH_HOST_ECDSA_KEY_FILE); | ||
821 | #endif | ||
822 | sensitive_data.keys[3] = key_load_cert( | ||
809 | _PATH_HOST_RSA_KEY_FILE); | 823 | _PATH_HOST_RSA_KEY_FILE); |
810 | sensitive_data.keys[3] = key_load_public( | ||
811 | _PATH_HOST_DSA_KEY_FILE, NULL); | ||
812 | sensitive_data.keys[4] = key_load_public( | 824 | sensitive_data.keys[4] = key_load_public( |
825 | _PATH_HOST_DSA_KEY_FILE, NULL); | ||
826 | #ifdef OPENSSL_HAS_ECC | ||
827 | sensitive_data.keys[5] = key_load_public( | ||
828 | _PATH_HOST_ECDSA_KEY_FILE, NULL); | ||
829 | #endif | ||
830 | sensitive_data.keys[6] = key_load_public( | ||
813 | _PATH_HOST_RSA_KEY_FILE, NULL); | 831 | _PATH_HOST_RSA_KEY_FILE, NULL); |
814 | sensitive_data.external_keysign = 1; | 832 | sensitive_data.external_keysign = 1; |
815 | } | 833 | } |
@@ -832,10 +850,19 @@ main(int ac, char **av) | |||
832 | */ | 850 | */ |
833 | r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir, | 851 | r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir, |
834 | strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR); | 852 | strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR); |
835 | if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0) | 853 | if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0) { |
854 | #ifdef WITH_SELINUX | ||
855 | char *scon; | ||
856 | |||
857 | matchpathcon(buf, 0700, &scon); | ||
858 | setfscreatecon(scon); | ||
859 | #endif | ||
836 | if (mkdir(buf, 0700) < 0) | 860 | if (mkdir(buf, 0700) < 0) |
837 | error("Could not create directory '%.200s'.", buf); | 861 | error("Could not create directory '%.200s'.", buf); |
838 | 862 | #ifdef WITH_SELINUX | |
863 | setfscreatecon(NULL); | ||
864 | #endif | ||
865 | } | ||
839 | /* load options.identity_files */ | 866 | /* load options.identity_files */ |
840 | load_public_identity_files(); | 867 | load_public_identity_files(); |
841 | 868 | ||
@@ -855,7 +882,7 @@ main(int ac, char **av) | |||
855 | 882 | ||
856 | /* Log into the remote system. Never returns if the login fails. */ | 883 | /* Log into the remote system. Never returns if the login fails. */ |
857 | ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr, | 884 | ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr, |
858 | pw, timeout_ms); | 885 | options.port, pw, timeout_ms); |
859 | 886 | ||
860 | if (packet_connection_is_on_socket()) { | 887 | if (packet_connection_is_on_socket()) { |
861 | verbose("Authenticated to %s ([%s]:%d).", host, | 888 | verbose("Authenticated to %s ([%s]:%d).", host, |
@@ -893,12 +920,8 @@ main(int ac, char **av) | |||
893 | if (options.control_path != NULL && muxserver_sock != -1) | 920 | if (options.control_path != NULL && muxserver_sock != -1) |
894 | unlink(options.control_path); | 921 | unlink(options.control_path); |
895 | 922 | ||
896 | /* | 923 | /* Kill ProxyCommand if it is running. */ |
897 | * Send SIGHUP to proxy command if used. We don't wait() in | 924 | ssh_kill_proxy_command(); |
898 | * case it hangs and instead rely on init to reap the child | ||
899 | */ | ||
900 | if (proxy_command_pid > 1) | ||
901 | kill(proxy_command_pid, SIGHUP); | ||
902 | 925 | ||
903 | return exit_status; | 926 | return exit_status; |
904 | } | 927 | } |
@@ -930,6 +953,7 @@ control_persist_detach(void) | |||
930 | tty_flag = otty_flag; | 953 | tty_flag = otty_flag; |
931 | close(muxserver_sock); | 954 | close(muxserver_sock); |
932 | muxserver_sock = -1; | 955 | muxserver_sock = -1; |
956 | options.control_master = SSHCTL_MASTER_NO; | ||
933 | muxclient(options.control_path); | 957 | muxclient(options.control_path); |
934 | /* muxclient() doesn't return on success. */ | 958 | /* muxclient() doesn't return on success. */ |
935 | fatal("Failed to connect to new control master"); | 959 | fatal("Failed to connect to new control master"); |
@@ -1202,7 +1226,8 @@ ssh_session(void) | |||
1202 | } | 1226 | } |
1203 | } | 1227 | } |
1204 | /* Tell the packet module whether this is an interactive session. */ | 1228 | /* Tell the packet module whether this is an interactive session. */ |
1205 | packet_set_interactive(interactive); | 1229 | packet_set_interactive(interactive, |
1230 | options.ip_qos_interactive, options.ip_qos_bulk); | ||
1206 | 1231 | ||
1207 | /* Request authentication agent forwarding if appropriate. */ | 1232 | /* Request authentication agent forwarding if appropriate. */ |
1208 | check_agent_present(); | 1233 | check_agent_present(); |
@@ -1300,8 +1325,6 @@ ssh_session2_setup(int id, int success, void *arg) | |||
1300 | 1325 | ||
1301 | client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"), | 1326 | client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"), |
1302 | NULL, fileno(stdin), &command, environ); | 1327 | NULL, fileno(stdin), &command, environ); |
1303 | |||
1304 | packet_set_interactive(interactive); | ||
1305 | } | 1328 | } |
1306 | 1329 | ||
1307 | /* open new channel for a session */ | 1330 | /* open new channel for a session */ |
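Review bot: In the WITH_SELINUX block added around the mkdir of the user's ssh directory (hunk @@ -832,10 +850,19 @@), the return value of `matchpathcon(buf, 0700, &scon)` is ignored, so on failure `scon` reaches `setfscreatecon()` uninitialized, and on success the context string matchpathcon allocates is never released with `freecon()`. Initialize and guard it: `char *scon = NULL;`, then `if (matchpathcon(buf, 0700, &scon) == 0) setfscreatecon(scon);`, and after the existing `setfscreatecon(NULL);` add `freecon(scon);`. The return of `setfscreatecon()` itself is also unchecked, so a failure there would presumably leave the directory created with the default context rather than being reported; a `debug()`-level log on that path would make it visible. main() begins and ends outside this hunk.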