summaryrefslogtreecommitdiff
path: root/sshconnect2.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2007-12-24 10:29:57 +0000
committerColin Watson <cjwatson@debian.org>2007-12-24 10:29:57 +0000
commitc3e531b12b2335b7fa5a6bcc9a309d3c523ff64b (patch)
treeb72c0867348e7e7914d64af6fc5e25c728922e03 /sshconnect2.c
parent6b222fdf3cb54c11a446df38e027fe7acf2220cb (diff)
parent70847d299887abb96f8703ca99db6d817b78960e (diff)
* New upstream release (closes: #453367).
- CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if creation of an untrusted cookie fails; found and fixed by Jan Pechanec (closes: #444738). - sshd(8) in new installations defaults to SSH Protocol 2 only. Existing installations are unchanged. - The SSH channel window size has been increased, and both ssh(1) sshd(8) now send window updates more aggressively. These improves performance on high-BDP (Bandwidth Delay Product) networks. - ssh(1) and sshd(8) now preserve MAC contexts between packets, which saves 2 hash calls per packet and results in 12-16% speedup for arcfour256/hmac-md5. - A new MAC algorithm has been added, UMAC-64 (RFC4418) as "umac-64@openssh.com". UMAC-64 has been measured to be approximately 20% faster than HMAC-MD5. - Failure to establish a ssh(1) TunnelForward is now treated as a fatal error when the ExitOnForwardFailure option is set. - ssh(1) returns a sensible exit status if the control master goes away without passing the full exit status. - When using a ProxyCommand in ssh(1), set the outgoing hostname with gethostname(2), allowing hostbased authentication to work. - Make scp(1) skip FIFOs rather than hanging (closes: #246774). - Encode non-printing characters in scp(1) filenames. These could cause copies to be aborted with a "protocol error". - Handle SIGINT in sshd(8) privilege separation child process to ensure that wtmp and lastlog records are correctly updated. - Report GSSAPI mechanism in errors, for libraries that support multiple mechanisms. - Improve documentation for ssh-add(1)'s -d option. - Rearrange and tidy GSSAPI code, removing server-only code being linked into the client. - Delay execution of ssh(1)'s LocalCommand until after all forwardings have been established. - In scp(1), do not truncate non-regular files. - Improve exit message from ControlMaster clients. - Prevent sftp-server(8) from reading until it runs out of buffer space, whereupon it would exit with a fatal error (closes: #365541). - pam_end() was not being called if authentication failed (closes: #405041). - Manual page datestamps updated (closes: #433181).
Diffstat (limited to 'sshconnect2.c')
-rw-r--r--sshconnect2.c26
1 files changed, 17 insertions, 9 deletions
diff --git a/sshconnect2.c b/sshconnect2.c
index 63e9369b1..72d328692 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshconnect2.c,v 1.162 2006/08/30 00:06:51 dtucker Exp $ */ 1/* $OpenBSD: sshconnect2.c,v 1.164 2007/05/17 23:53:41 jolan Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -31,6 +31,7 @@
31#include <sys/stat.h> 31#include <sys/stat.h>
32 32
33#include <errno.h> 33#include <errno.h>
34#include <netdb.h>
34#include <pwd.h> 35#include <pwd.h>
35#include <signal.h> 36#include <signal.h>
36#include <stdarg.h> 37#include <stdarg.h>
@@ -173,11 +174,9 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
173 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; 174 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
174 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; 175 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
175#ifdef GSSAPI 176#ifdef GSSAPI
176 if (options.gss_keyex) { 177 kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
177 kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; 178 kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
178 kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client; 179 kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
179 kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
180 }
181#endif 180#endif
182 kex->client_version_string=client_version_string; 181 kex->client_version_string=client_version_string;
183 kex->server_version_string=server_version_string; 182 kex->server_version_string=server_version_string;
@@ -687,7 +686,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
687 Authctxt *authctxt = ctxt; 686 Authctxt *authctxt = ctxt;
688 Gssctxt *gssctxt; 687 Gssctxt *gssctxt;
689 u_int oidlen; 688 u_int oidlen;
690 u_char *oidv, *oidv_free; 689 u_char *oidv;
691 690
692 if (authctxt == NULL) 691 if (authctxt == NULL)
693 fatal("input_gssapi_response: no authentication context"); 692 fatal("input_gssapi_response: no authentication context");
@@ -1433,7 +1432,7 @@ userauth_hostbased(Authctxt *authctxt)
1433 Sensitive *sensitive = authctxt->sensitive; 1432 Sensitive *sensitive = authctxt->sensitive;
1434 Buffer b; 1433 Buffer b;
1435 u_char *signature, *blob; 1434 u_char *signature, *blob;
1436 char *chost, *pkalg, *p; 1435 char *chost, *pkalg, *p, myname[NI_MAXHOST];
1437 const char *service; 1436 const char *service;
1438 u_int blen, slen; 1437 u_int blen, slen;
1439 int ok, i, len, found = 0; 1438 int ok, i, len, found = 0;
@@ -1457,7 +1456,16 @@ userauth_hostbased(Authctxt *authctxt)
1457 return 0; 1456 return 0;
1458 } 1457 }
1459 /* figure out a name for the client host */ 1458 /* figure out a name for the client host */
1460 p = get_local_name(packet_get_connection_in()); 1459 p = NULL;
1460 if (packet_connection_is_on_socket())
1461 p = get_local_name(packet_get_connection_in());
1462 if (p == NULL) {
1463 if (gethostname(myname, sizeof(myname)) == -1) {
1464 verbose("userauth_hostbased: gethostname: %s",
1465 strerror(errno));
1466 } else
1467 p = xstrdup(myname);
1468 }
1461 if (p == NULL) { 1469 if (p == NULL) {
1462 error("userauth_hostbased: cannot get local ipaddr/name"); 1470 error("userauth_hostbased: cannot get local ipaddr/name");
1463 key_free(private); 1471 key_free(private);