- OpenBSD CVS updates:

- [channels.c] repair x11-fwd - [sshconnect.c] fix passwd prompt for ssh2, less debugging output. - [clientloop.c compat.c dsa.c kex.c sshd.c] less debugging output - [kex.c kex.h sshconnect.c sshd.c] check for reasonable public DH values - [README.openssh2 cipher.c cipher.h compat.c compat.h readconf.c] [readconf.h servconf.c servconf.h ssh.c ssh.h sshconnect.c sshd.c] add Cipher and Protocol options to ssh/sshd, e.g.: ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc' - [sshd.c] print 1.99 only if server supports both
author: Damien Miller <djm@mindrot.org> 2000-04-12 20:17:38 +1000
committer: Damien Miller <djm@mindrot.org> 2000-04-12 20:17:38 +1000
commit: 78928793fb23a3a4c80ae62eca6a7826b2987690 (patch)
tree: add8a953ac4cf06877b91624fe7f647b17e6cf6f /sshconnect.c
parent: efb4afe0265333ce554f699c2a19ae249dd8d1b5 (diff)
1 files changed, 57 insertions, 34 deletions
diff --git a/sshconnect.c b/sshconnect.c
index 2f9496090..167b8e63a 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.61 2000/04/04 21:37:27 markus Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.65 2000/04/12 07:56:16 markus Exp $");
 #ifdef HAVE_OPENSSL
 #include <openssl/bn.h>
@@ -993,7 +993,7 @@ void
 ssh_exchange_identification()
 {
        char buf[256], remote_version[256];     /* must be same size! */
-        int remote_major, remote_minor, i;
+        int remote_major, remote_minor, i, mismatch;
        int connection_in = packet_get_connection_in();
        int connection_out = packet_get_connection_out();
@@ -1027,39 +1027,51 @@ ssh_exchange_identification()
        debug("Remote protocol version %d.%d, remote software version %.100s",
              remote_major, remote_minor, remote_version);
-/*** XXX option for disabling 2.0 or 1.5 */
        compat_datafellows(remote_version);
+        mismatch = 0;
-        /* Check if the remote protocol version is too old. */
-        if (remote_major == 1 && remote_minor < 3)
+        switch(remote_major) {
-                fatal("Remote machine has too old SSH software version.");
+        case 1:
+                if (remote_minor == 99 &&
-        /* We speak 1.3, too. */
+                    (options.protocol & SSH_PROTO_2) &&
-        if (remote_major == 1 && remote_minor == 3) {
+                    !(options.protocol & SSH_PROTO_1_PREFERRED)) {
-                enable_compat13();
+                        enable_compat20();
-                if (options.forward_agent) {
+                        break;
-                        log("Agent forwarding disabled for protocol 1.3");
-                        options.forward_agent = 0;
                }
+                if (!(options.protocol & SSH_PROTO_1)) {
+                        mismatch = 1;
+                        break;
+                }
+                if (remote_minor < 3) {
+                        fatal("Remote machine has too old SSH software version.");
+                } else if (remote_minor == 3) {
+                        /* We speak 1.3, too. */
+                        enable_compat13();
+                        if (options.forward_agent) {
+                                log("Agent forwarding disabled for protocol 1.3");
+                                options.forward_agent = 0;
+                        }
+                }
+                break;
+        case 2:
+                if (options.protocol & SSH_PROTO_2) {
+                        enable_compat20();
+                        break;
+                }
+                /* FALLTHROUGH */
+        default: 
+                mismatch = 1;
+                break;
        }
-        if ((remote_major == 2 && remote_minor == 0) ||
+        if (mismatch)
-            (remote_major == 1 && remote_minor == 99)) {
-                enable_compat20();
-        }
-#if 0
-        /*
-         * Removed for now, to permit compatibility with latter versions. The
-         * server will reject our version and disconnect if it doesn't
-         * support it.
-         */
-        if (remote_major != PROTOCOL_MAJOR)
                fatal("Protocol major versions differ: %d vs. %d",
-                      PROTOCOL_MAJOR, remote_major);
+                    (options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
-#endif
+                    remote_major);
        /* Send our own protocol version identification. */
        snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n",
-            compat20 ? 2 : PROTOCOL_MAJOR,
+            compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
-            compat20 ? 0 : PROTOCOL_MINOR,
+            compat20 ? PROTOCOL_MINOR_2 : PROTOCOL_MINOR_1,
            SSH_VERSION);
        if (atomicio(write, connection_out, buf, strlen(buf)) != strlen(buf))
                fatal("write: %.100s", strerror(errno));
@@ -1350,11 +1362,15 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 /* KEXINIT */
        debug("Sending KEX init.");
-        if (options.cipher == SSH_CIPHER_ARCFOUR ||
+        if (options.ciphers != NULL) {
+                myproposal[PROPOSAL_ENC_ALGS_CTOS] = 
+                myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
+        } else if (
+            options.cipher == SSH_CIPHER_ARCFOUR ||
            options.cipher == SSH_CIPHER_3DES_CBC ||
            options.cipher == SSH_CIPHER_CAST128_CBC ||
            options.cipher == SSH_CIPHER_BLOWFISH_CBC) {
-                myproposal[PROPOSAL_ENC_ALGS_CTOS] = cipher_name(options.cipher);
+                myproposal[PROPOSAL_ENC_ALGS_CTOS] =
                myproposal[PROPOSAL_ENC_ALGS_STOC] = cipher_name(options.cipher);
        }
        if (options.compression) {
@@ -1404,7 +1420,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
        debug("Sending SSH2_MSG_KEXDH_INIT.");
        /* generate and send 'e', client DH public key */
-        dh = new_dh_group1();
+        dh = dh_new_group1();
        packet_start(SSH2_MSG_KEXDH_INIT);
        packet_put_bignum2(dh->pub_key);
        packet_send();
@@ -1451,6 +1467,9 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
        /* signed H */
        signature = packet_get_string(&slen);
+        if (!dh_pub_is_valid(dh, dh_server_pub))
+                packet_disconnect("bad server public DH value");
        klen = DH_size(dh);
        kbuf = xmalloc(klen);
        kout = DH_compute_key(kbuf, dh_server_pub, dh);
@@ -1507,12 +1526,13 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
        packet_write_wait();
        debug("done: send SSH2_MSG_NEWKEYS.");
+#ifdef DEBUG_KEXDH
        /* send 1st encrypted/maced/compressed message */
        packet_start(SSH2_MSG_IGNORE);
        packet_put_cstring("markus");
        packet_send();
        packet_write_wait();
+#endif
        debug("done: KEX2.");
 }
 /*
@@ -1527,6 +1547,7 @@ ssh_userauth2(int host_key_valid, RSA *own_host_key,
        unsigned int dlen;
        int partial;
        struct passwd *pw;
+        char prompt[80];
        char *server_user, *local_user;
        char *auths;
        char *password;
@@ -1578,7 +1599,9 @@ ssh_userauth2(int host_key_valid, RSA *own_host_key,
                        fatal("passwd auth not supported: %s", auths);
                xfree(auths);
                /* try passwd */
-                password = read_passphrase("password: ", 0);
+                snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ",
+                    server_user, host);
+                password = read_passphrase(prompt, 0);
                packet_start(SSH2_MSG_USERAUTH_REQUEST);
                packet_put_cstring(server_user);
                packet_put_cstring(service);
author	Damien Miller <djm@mindrot.org>	2000-04-12 20:17:38 +1000
committer	Damien Miller <djm@mindrot.org>	2000-04-12 20:17:38 +1000
commit	78928793fb23a3a4c80ae62eca6a7826b2987690 (patch)
tree	add8a953ac4cf06877b91624fe7f647b17e6cf6f /sshconnect.c
parent	efb4afe0265333ce554f699c2a19ae249dd8d1b5 (diff)

diff --git a/sshconnect.c b/sshconnect.c index 2f9496090..167b8e63a 100644 --- a/sshconnect.c +++ b/sshconnect.c
@@ -10,7 +10,7 @@
10	*/	10	*/
11		11
12	#include "includes.h"	12	#include "includes.h"
13	RCSID("$OpenBSD: sshconnect.c,v 1.61 2000/04/04 21:37:27 markus Exp $");	13	RCSID("$OpenBSD: sshconnect.c,v 1.65 2000/04/12 07:56:16 markus Exp $");
14		14
15	#ifdef HAVE_OPENSSL	15	#ifdef HAVE_OPENSSL
16	#include <openssl/bn.h>	16	#include <openssl/bn.h>
@@ -993,7 +993,7 @@ void
993	ssh_exchange_identification()	993	ssh_exchange_identification()
994	{	994	{
995	char buf[256], remote_version[256]; /* must be same size! */	995	char buf[256], remote_version[256]; /* must be same size! */
996	int remote_major, remote_minor, i;	996	int remote_major, remote_minor, i, mismatch;
997	int connection_in = packet_get_connection_in();	997	int connection_in = packet_get_connection_in();
998	int connection_out = packet_get_connection_out();	998	int connection_out = packet_get_connection_out();
999		999
@@ -1027,39 +1027,51 @@ ssh_exchange_identification()
1027	debug("Remote protocol version %d.%d, remote software version %.100s",	1027	debug("Remote protocol version %d.%d, remote software version %.100s",
1028	remote_major, remote_minor, remote_version);	1028	remote_major, remote_minor, remote_version);
1029		1029
1030	/*** XXX option for disabling 2.0 or 1.5 */
1031	compat_datafellows(remote_version);	1030	compat_datafellows(remote_version);
1032		1031	mismatch = 0;
1033	/* Check if the remote protocol version is too old. */	1032
1034	if (remote_major == 1 && remote_minor < 3)	1033	switch(remote_major) {
1035	fatal("Remote machine has too old SSH software version.");	1034	case 1:
1036		1035	if (remote_minor == 99 &&
1037	/* We speak 1.3, too. */	1036	(options.protocol & SSH_PROTO_2) &&
1038	if (remote_major == 1 && remote_minor == 3) {	1037	!(options.protocol & SSH_PROTO_1_PREFERRED)) {
1039	enable_compat13();	1038	enable_compat20();
1040	if (options.forward_agent) {	1039	break;
1041	log("Agent forwarding disabled for protocol 1.3");
1042	options.forward_agent = 0;
1043	}	1040	}
		1041	if (!(options.protocol & SSH_PROTO_1)) {
		1042	mismatch = 1;
		1043	break;
		1044	}
		1045	if (remote_minor < 3) {
		1046	fatal("Remote machine has too old SSH software version.");
		1047	} else if (remote_minor == 3) {
		1048	/* We speak 1.3, too. */
		1049	enable_compat13();
		1050	if (options.forward_agent) {
		1051	log("Agent forwarding disabled for protocol 1.3");
		1052	options.forward_agent = 0;
		1053	}
		1054	}
		1055	break;
		1056	case 2:
		1057	if (options.protocol & SSH_PROTO_2) {
		1058	enable_compat20();
		1059	break;
		1060	}
		1061	/* FALLTHROUGH */
		1062	default:
		1063	mismatch = 1;
		1064	break;
1044	}	1065	}
1045	if ((remote_major == 2 && remote_minor == 0) \|\|	1066	if (mismatch)
1046	(remote_major == 1 && remote_minor == 99)) {
1047	enable_compat20();
1048	}
1049	#if 0
1050	/*
1051	* Removed for now, to permit compatibility with latter versions. The
1052	* server will reject our version and disconnect if it doesn't
1053	* support it.
1054	*/
1055	if (remote_major != PROTOCOL_MAJOR)
1056	fatal("Protocol major versions differ: %d vs. %d",	1067	fatal("Protocol major versions differ: %d vs. %d",
1057	PROTOCOL_MAJOR, remote_major);	1068	(options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
1058	#endif	1069	remote_major);
		1070
1059	/* Send our own protocol version identification. */	1071	/* Send our own protocol version identification. */
1060	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n",	1072	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n",
1061	compat20 ? 2 : PROTOCOL_MAJOR,	1073	compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
1062	compat20 ? 0 : PROTOCOL_MINOR,	1074	compat20 ? PROTOCOL_MINOR_2 : PROTOCOL_MINOR_1,
1063	SSH_VERSION);	1075	SSH_VERSION);
1064	if (atomicio(write, connection_out, buf, strlen(buf)) != strlen(buf))	1076	if (atomicio(write, connection_out, buf, strlen(buf)) != strlen(buf))
1065	fatal("write: %.100s", strerror(errno));	1077	fatal("write: %.100s", strerror(errno));
@@ -1350,11 +1362,15 @@ ssh_kex2(char host, struct sockaddr hostaddr)
1350	/* KEXINIT */	1362	/* KEXINIT */
1351		1363
1352	debug("Sending KEX init.");	1364	debug("Sending KEX init.");
1353	if (options.cipher == SSH_CIPHER_ARCFOUR \|\|	1365	if (options.ciphers != NULL) {
		1366	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
		1367	myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
		1368	} else if (
		1369	options.cipher == SSH_CIPHER_ARCFOUR \|\|
1354	options.cipher == SSH_CIPHER_3DES_CBC \|\|	1370	options.cipher == SSH_CIPHER_3DES_CBC \|\|
1355	options.cipher == SSH_CIPHER_CAST128_CBC \|\|	1371	options.cipher == SSH_CIPHER_CAST128_CBC \|\|
1356	options.cipher == SSH_CIPHER_BLOWFISH_CBC) {	1372	options.cipher == SSH_CIPHER_BLOWFISH_CBC) {
1357	myproposal[PROPOSAL_ENC_ALGS_CTOS] = cipher_name(options.cipher);	1373	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
1358	myproposal[PROPOSAL_ENC_ALGS_STOC] = cipher_name(options.cipher);	1374	myproposal[PROPOSAL_ENC_ALGS_STOC] = cipher_name(options.cipher);
1359	}	1375	}
1360	if (options.compression) {	1376	if (options.compression) {
@@ -1404,7 +1420,7 @@ ssh_kex2(char host, struct sockaddr hostaddr)
1404	debug("Sending SSH2_MSG_KEXDH_INIT.");	1420	debug("Sending SSH2_MSG_KEXDH_INIT.");
1405		1421
1406	/* generate and send 'e', client DH public key */	1422	/* generate and send 'e', client DH public key */
1407	dh = new_dh_group1();	1423	dh = dh_new_group1();
1408	packet_start(SSH2_MSG_KEXDH_INIT);	1424	packet_start(SSH2_MSG_KEXDH_INIT);
1409	packet_put_bignum2(dh->pub_key);	1425	packet_put_bignum2(dh->pub_key);
1410	packet_send();	1426	packet_send();
@@ -1451,6 +1467,9 @@ ssh_kex2(char host, struct sockaddr hostaddr)
1451	/* signed H */	1467	/* signed H */
1452	signature = packet_get_string(&slen);	1468	signature = packet_get_string(&slen);
1453		1469
		1470	if (!dh_pub_is_valid(dh, dh_server_pub))
		1471	packet_disconnect("bad server public DH value");
		1472
1454	klen = DH_size(dh);	1473	klen = DH_size(dh);
1455	kbuf = xmalloc(klen);	1474	kbuf = xmalloc(klen);
1456	kout = DH_compute_key(kbuf, dh_server_pub, dh);	1475	kout = DH_compute_key(kbuf, dh_server_pub, dh);
@@ -1507,12 +1526,13 @@ ssh_kex2(char host, struct sockaddr hostaddr)
1507	packet_write_wait();	1526	packet_write_wait();
1508	debug("done: send SSH2_MSG_NEWKEYS.");	1527	debug("done: send SSH2_MSG_NEWKEYS.");
1509		1528
		1529	#ifdef DEBUG_KEXDH
1510	/* send 1st encrypted/maced/compressed message */	1530	/* send 1st encrypted/maced/compressed message */
1511	packet_start(SSH2_MSG_IGNORE);	1531	packet_start(SSH2_MSG_IGNORE);
1512	packet_put_cstring("markus");	1532	packet_put_cstring("markus");
1513	packet_send();	1533	packet_send();
1514	packet_write_wait();	1534	packet_write_wait();
1515		1535	#endif
1516	debug("done: KEX2.");	1536	debug("done: KEX2.");
1517	}	1537	}
1518	/*	1538	/*
@@ -1527,6 +1547,7 @@ ssh_userauth2(int host_key_valid, RSA *own_host_key,
1527	unsigned int dlen;	1547	unsigned int dlen;
1528	int partial;	1548	int partial;
1529	struct passwd *pw;	1549	struct passwd *pw;
		1550	char prompt[80];
1530	char server_user, local_user;	1551	char server_user, local_user;
1531	char *auths;	1552	char *auths;
1532	char *password;	1553	char *password;
@@ -1578,7 +1599,9 @@ ssh_userauth2(int host_key_valid, RSA *own_host_key,
1578	fatal("passwd auth not supported: %s", auths);	1599	fatal("passwd auth not supported: %s", auths);
1579	xfree(auths);	1600	xfree(auths);
1580	/* try passwd */	1601	/* try passwd */
1581	password = read_passphrase("password: ", 0);	1602	snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ",
		1603	server_user, host);
		1604	password = read_passphrase(prompt, 0);
1582	packet_start(SSH2_MSG_USERAUTH_REQUEST);	1605	packet_start(SSH2_MSG_USERAUTH_REQUEST);
1583	packet_put_cstring(server_user);	1606	packet_put_cstring(server_user);
1584	packet_put_cstring(service);	1607	packet_put_cstring(service);