author | Damien Miller <djm@mindrot.org> | 2000-04-12 20:17:38 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2000-04-12 20:17:38 +1000 |
commit | 78928793fb23a3a4c80ae62eca6a7826b2987690 (patch) | |
tree | add8a953ac4cf06877b91624fe7f647b17e6cf6f /sshd.c | |
parent | efb4afe0265333ce554f699c2a19ae249dd8d1b5 (diff) |
- OpenBSD CVS updates:
- [channels.c]
repair x11-fwd
- [sshconnect.c]
fix passwd prompt for ssh2, less debugging output.
- [clientloop.c compat.c dsa.c kex.c sshd.c]
less debugging output
- [kex.c kex.h sshconnect.c sshd.c]
check for reasonable public DH values
- [README.openssh2 cipher.c cipher.h compat.c compat.h readconf.c]
[readconf.h servconf.c servconf.h ssh.c ssh.h sshconnect.c sshd.c]
add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers
arcfour,3des-cbc'
- [sshd.c]
print 1.99 only if server supports both
Diffstat (limited to 'sshd.c')
-rw-r--r-- | sshd.c | 76 |
1 files changed, 51 insertions, 25 deletions
@@ -14,7 +14,7 @@ | |||
14 | */ | 14 | */ |
15 | 15 | ||
16 | #include "includes.h" | 16 | #include "includes.h" |
17 | RCSID("$OpenBSD: sshd.c,v 1.99 2000/04/07 09:17:39 markus Exp $"); | 17 | RCSID("$OpenBSD: sshd.c,v 1.103 2000/04/12 08:11:36 markus Exp $"); |
18 | 18 | ||
19 | #include "xmalloc.h" | 19 | #include "xmalloc.h" |
20 | #include "rsa.h" | 20 | #include "rsa.h" |
@@ -77,9 +77,6 @@ int IPv4or6 = AF_INET; | |||
77 | int IPv4or6 = AF_UNSPEC; | 77 | int IPv4or6 = AF_UNSPEC; |
78 | #endif | 78 | #endif |
79 | 79 | ||
80 | /* Flag indicating whether SSH2 is enabled */ | ||
81 | int allow_ssh2 = 0; | ||
82 | |||
83 | /* | 80 | /* |
84 | * Debug mode flag. This can be set on the command line. If debug | 81 | * Debug mode flag. This can be set on the command line. If debug |
85 | * mode is enabled, extra debugging output will be sent to the system | 82 | * mode is enabled, extra debugging output will be sent to the system |
@@ -284,16 +281,25 @@ chop(char *s) | |||
284 | void | 281 | void |
285 | sshd_exchange_identification(int sock_in, int sock_out) | 282 | sshd_exchange_identification(int sock_in, int sock_out) |
286 | { | 283 | { |
287 | int i; | 284 | int i, mismatch; |
288 | int remote_major, remote_minor; | 285 | int remote_major, remote_minor; |
286 | int major, minor; | ||
289 | char *s; | 287 | char *s; |
290 | char buf[256]; /* Must not be larger than remote_version. */ | 288 | char buf[256]; /* Must not be larger than remote_version. */ |
291 | char remote_version[256]; /* Must be at least as big as buf. */ | 289 | char remote_version[256]; /* Must be at least as big as buf. */ |
292 | 290 | ||
293 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", | 291 | if ((options.protocol & SSH_PROTO_1) && |
294 | allow_ssh2 ? 1 : PROTOCOL_MAJOR, | 292 | (options.protocol & SSH_PROTO_2)) { |
295 | allow_ssh2 ? 99 : PROTOCOL_MINOR, | 293 | major = PROTOCOL_MAJOR_1; |
296 | SSH_VERSION); | 294 | minor = 99; |
295 | } else if (options.protocol & SSH_PROTO_2) { | ||
296 | major = PROTOCOL_MAJOR_2; | ||
297 | minor = PROTOCOL_MINOR_2; | ||
298 | } else { | ||
299 | major = PROTOCOL_MAJOR_1; | ||
300 | minor = PROTOCOL_MINOR_1; | ||
301 | } | ||
302 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION); | ||
297 | server_version_string = xstrdup(buf); | 303 | server_version_string = xstrdup(buf); |
298 | 304 | ||
299 | if (client_version_string == NULL) { | 305 | if (client_version_string == NULL) { |
@@ -314,7 +320,6 @@ sshd_exchange_identification(int sock_in, int sock_out) | |||
314 | buf[i] = '\n'; | 320 | buf[i] = '\n'; |
315 | buf[i + 1] = 0; | 321 | buf[i + 1] = 0; |
316 | continue; | 322 | continue; |
317 | //break; | ||
318 | } | 323 | } |
319 | if (buf[i] == '\n') { | 324 | if (buf[i] == '\n') { |
320 | /* buf[i] == '\n' */ | 325 | /* buf[i] == '\n' */ |
@@ -345,8 +350,13 @@ sshd_exchange_identification(int sock_in, int sock_out) | |||
345 | 350 | ||
346 | compat_datafellows(remote_version); | 351 | compat_datafellows(remote_version); |
347 | 352 | ||
353 | mismatch = 0; | ||
348 | switch(remote_major) { | 354 | switch(remote_major) { |
349 | case 1: | 355 | case 1: |
356 | if (!(options.protocol & SSH_PROTO_1)) { | ||
357 | mismatch = 1; | ||
358 | break; | ||
359 | } | ||
350 | if (remote_minor < 3) { | 360 | if (remote_minor < 3) { |
351 | packet_disconnect("Your ssh version is too old and" | 361 | packet_disconnect("Your ssh version is too old and" |
352 | "is no longer supported. Please install a newer version."); | 362 | "is no longer supported. Please install a newer version."); |
@@ -354,27 +364,37 @@ sshd_exchange_identification(int sock_in, int sock_out) | |||
354 | /* note that this disables agent-forwarding */ | 364 | /* note that this disables agent-forwarding */ |
355 | enable_compat13(); | 365 | enable_compat13(); |
356 | } | 366 | } |
357 | if (remote_minor != 99) | 367 | if (remote_minor == 99) { |
358 | break; | 368 | if (options.protocol & SSH_PROTO_2) |
359 | /* FALLTHROUGH */ | 369 | enable_compat20(); |
370 | else | ||
371 | mismatch = 1; | ||
372 | } | ||
373 | break; | ||
360 | case 2: | 374 | case 2: |
361 | if (allow_ssh2) { | 375 | if (options.protocol & SSH_PROTO_2) { |
362 | enable_compat20(); | 376 | enable_compat20(); |
363 | break; | 377 | break; |
364 | } | 378 | } |
365 | /* FALLTHROUGH */ | 379 | /* FALLTHROUGH */ |
366 | default: | 380 | default: |
381 | mismatch = 1; | ||
382 | break; | ||
383 | } | ||
384 | chop(server_version_string); | ||
385 | chop(client_version_string); | ||
386 | debug("Local version string %.200s", server_version_string); | ||
387 | |||
388 | if (mismatch) { | ||
367 | s = "Protocol major versions differ.\n"; | 389 | s = "Protocol major versions differ.\n"; |
368 | (void) atomicio(write, sock_out, s, strlen(s)); | 390 | (void) atomicio(write, sock_out, s, strlen(s)); |
369 | close(sock_in); | 391 | close(sock_in); |
370 | close(sock_out); | 392 | close(sock_out); |
371 | log("Protocol major versions differ for %s: %d vs. %d", | 393 | log("Protocol major versions differ for %s: %.200s vs. %.200s", |
372 | get_remote_ipaddr(), PROTOCOL_MAJOR, remote_major); | 394 | get_remote_ipaddr(), |
395 | server_version_string, client_version_string); | ||
373 | fatal_cleanup(); | 396 | fatal_cleanup(); |
374 | break; | ||
375 | } | 397 | } |
376 | chop(server_version_string); | ||
377 | chop(client_version_string); | ||
378 | } | 398 | } |
379 | 399 | ||
380 | /* | 400 | /* |
@@ -410,11 +430,8 @@ main(int ac, char **av) | |||
410 | initialize_server_options(&options); | 430 | initialize_server_options(&options); |
411 | 431 | ||
412 | /* Parse command-line arguments. */ | 432 | /* Parse command-line arguments. */ |
413 | while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:diqQ246")) != EOF) { | 433 | while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:diqQ46")) != EOF) { |
414 | switch (opt) { | 434 | switch (opt) { |
415 | case '2': | ||
416 | allow_ssh2 = 1; | ||
417 | break; | ||
418 | case '4': | 435 | case '4': |
419 | IPv4or6 = AF_INET; | 436 | IPv4or6 = AF_INET; |
420 | break; | 437 | break; |
@@ -593,6 +610,7 @@ main(int ac, char **av) | |||
593 | public_key = RSA_new(); | 610 | public_key = RSA_new(); |
594 | sensitive_data.private_key = RSA_new(); | 611 | sensitive_data.private_key = RSA_new(); |
595 | 612 | ||
613 | /* XXX check options.protocol */ | ||
596 | log("Generating %d bit RSA key.", options.server_key_bits); | 614 | log("Generating %d bit RSA key.", options.server_key_bits); |
597 | rsa_generate_key(sensitive_data.private_key, public_key, | 615 | rsa_generate_key(sensitive_data.private_key, public_key, |
598 | options.server_key_bits); | 616 | options.server_key_bits); |
@@ -1126,6 +1144,11 @@ do_ssh2_kex() | |||
1126 | 1144 | ||
1127 | /* KEXINIT */ | 1145 | /* KEXINIT */ |
1128 | 1146 | ||
1147 | if (options.ciphers != NULL) { | ||
1148 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = | ||
1149 | myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; | ||
1150 | } | ||
1151 | |||
1129 | debug("Sending KEX init."); | 1152 | debug("Sending KEX init."); |
1130 | 1153 | ||
1131 | for (i = 0; i < PROPOSAL_MAX; i++) | 1154 | for (i = 0; i < PROPOSAL_MAX; i++) |
@@ -1185,7 +1208,7 @@ do_ssh2_kex() | |||
1185 | #endif | 1208 | #endif |
1186 | 1209 | ||
1187 | /* generate DH key */ | 1210 | /* generate DH key */ |
1188 | dh = new_dh_group1(); /* XXX depends on 'kex' */ | 1211 | dh = dh_new_group1(); /* XXX depends on 'kex' */ |
1189 | 1212 | ||
1190 | #ifdef DEBUG_KEXDH | 1213 | #ifdef DEBUG_KEXDH |
1191 | fprintf(stderr, "\np= "); | 1214 | fprintf(stderr, "\np= "); |
@@ -1196,6 +1219,8 @@ do_ssh2_kex() | |||
1196 | bignum_print(dh->pub_key); | 1219 | bignum_print(dh->pub_key); |
1197 | fprintf(stderr, "\n"); | 1220 | fprintf(stderr, "\n"); |
1198 | #endif | 1221 | #endif |
1222 | if (!dh_pub_is_valid(dh, dh_client_pub)) | ||
1223 | packet_disconnect("bad client public DH value"); | ||
1199 | 1224 | ||
1200 | klen = DH_size(dh); | 1225 | klen = DH_size(dh); |
1201 | kbuf = xmalloc(klen); | 1226 | kbuf = xmalloc(klen); |
@@ -1267,11 +1292,12 @@ do_ssh2_kex() | |||
1267 | packet_read_expect(&payload_len, SSH2_MSG_NEWKEYS); | 1292 | packet_read_expect(&payload_len, SSH2_MSG_NEWKEYS); |
1268 | debug("GOT SSH2_MSG_NEWKEYS."); | 1293 | debug("GOT SSH2_MSG_NEWKEYS."); |
1269 | 1294 | ||
1295 | #ifdef DEBUG_KEXDH | ||
1270 | /* send 1st encrypted/maced/compressed message */ | 1296 | /* send 1st encrypted/maced/compressed message */ |
1271 | packet_start(SSH2_MSG_IGNORE); | 1297 | packet_start(SSH2_MSG_IGNORE); |
1272 | packet_put_cstring("markus"); | 1298 | packet_put_cstring("markus"); |
1273 | packet_send(); | 1299 | packet_send(); |
1274 | packet_write_wait(); | 1300 | packet_write_wait(); |
1275 | 1301 | #endif | |
1276 | debug("done: KEX2."); | 1302 | debug("done: KEX2."); |
1277 | } | 1303 | } |
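Review bot: In the `@@ -354,27 +364,37 @@` hunk the `if (mismatch)` path still reports `Protocol major versions differ` both on the wire and in the log, yet `mismatch` is now also set when the major versions agree and only the locally configured `Protocol` option excludes the client's version (a 1.x client against a Protocol-2-only server, or a 1.99 client when SSH_PROTO_2 is off), so the text misleads whoever debugs such a configuration. Since the log line already carries both version strings, rewording it to something like `log("Protocol version mismatch for %s: %.200s vs. %.200s",` would name the real cause, and the client-facing string could be adjusted the same way. Note that `client_version_string` is remote-supplied text: `%.200s` bounds its length, but nothing visible in this hunk filters non-printable characters before it reaches log(), so whether that is acceptable depends on how log() sanitizes its output. sshd_exchange_identification begins in an earlier hunk, outside this one.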