diff options
| author | Damien Miller <djm@mindrot.org> | 2000-04-12 20:17:38 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2000-04-12 20:17:38 +1000 |
| commit | 78928793fb23a3a4c80ae62eca6a7826b2987690 (patch) | |
| tree | add8a953ac4cf06877b91624fe7f647b17e6cf6f /sshd.c | |
| parent | efb4afe0265333ce554f699c2a19ae249dd8d1b5 (diff) | |
- OpenBSD CVS updates:
- [channels.c]
repair x11-fwd
- [sshconnect.c]
fix passwd prompt for ssh2, less debugging output.
- [clientloop.c compat.c dsa.c kex.c sshd.c]
less debugging output
- [kex.c kex.h sshconnect.c sshd.c]
check for reasonable public DH values
- [README.openssh2 cipher.c cipher.h compat.c compat.h readconf.c]
[readconf.h servconf.c servconf.h ssh.c ssh.h sshconnect.c sshd.c]
add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers
arcfour,3des-cbc'
- [sshd.c]
print 1.99 only if server supports both
Diffstat (limited to 'sshd.c')
| -rw-r--r-- | sshd.c | 76 |
1 files changed, 51 insertions, 25 deletions
| @@ -14,7 +14,7 @@ | |||
| 14 | */ | 14 | */ |
| 15 | 15 | ||
| 16 | #include "includes.h" | 16 | #include "includes.h" |
| 17 | RCSID("$OpenBSD: sshd.c,v 1.99 2000/04/07 09:17:39 markus Exp $"); | 17 | RCSID("$OpenBSD: sshd.c,v 1.103 2000/04/12 08:11:36 markus Exp $"); |
| 18 | 18 | ||
| 19 | #include "xmalloc.h" | 19 | #include "xmalloc.h" |
| 20 | #include "rsa.h" | 20 | #include "rsa.h" |
| @@ -77,9 +77,6 @@ int IPv4or6 = AF_INET; | |||
| 77 | int IPv4or6 = AF_UNSPEC; | 77 | int IPv4or6 = AF_UNSPEC; |
| 78 | #endif | 78 | #endif |
| 79 | 79 | ||
| 80 | /* Flag indicating whether SSH2 is enabled */ | ||
| 81 | int allow_ssh2 = 0; | ||
| 82 | |||
| 83 | /* | 80 | /* |
| 84 | * Debug mode flag. This can be set on the command line. If debug | 81 | * Debug mode flag. This can be set on the command line. If debug |
| 85 | * mode is enabled, extra debugging output will be sent to the system | 82 | * mode is enabled, extra debugging output will be sent to the system |
| @@ -284,16 +281,25 @@ chop(char *s) | |||
| 284 | void | 281 | void |
| 285 | sshd_exchange_identification(int sock_in, int sock_out) | 282 | sshd_exchange_identification(int sock_in, int sock_out) |
| 286 | { | 283 | { |
| 287 | int i; | 284 | int i, mismatch; |
| 288 | int remote_major, remote_minor; | 285 | int remote_major, remote_minor; |
| 286 | int major, minor; | ||
| 289 | char *s; | 287 | char *s; |
| 290 | char buf[256]; /* Must not be larger than remote_version. */ | 288 | char buf[256]; /* Must not be larger than remote_version. */ |
| 291 | char remote_version[256]; /* Must be at least as big as buf. */ | 289 | char remote_version[256]; /* Must be at least as big as buf. */ |
| 292 | 290 | ||
| 293 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", | 291 | if ((options.protocol & SSH_PROTO_1) && |
| 294 | allow_ssh2 ? 1 : PROTOCOL_MAJOR, | 292 | (options.protocol & SSH_PROTO_2)) { |
| 295 | allow_ssh2 ? 99 : PROTOCOL_MINOR, | 293 | major = PROTOCOL_MAJOR_1; |
| 296 | SSH_VERSION); | 294 | minor = 99; |
| 295 | } else if (options.protocol & SSH_PROTO_2) { | ||
| 296 | major = PROTOCOL_MAJOR_2; | ||
| 297 | minor = PROTOCOL_MINOR_2; | ||
| 298 | } else { | ||
| 299 | major = PROTOCOL_MAJOR_1; | ||
| 300 | minor = PROTOCOL_MINOR_1; | ||
| 301 | } | ||
| 302 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION); | ||
| 297 | server_version_string = xstrdup(buf); | 303 | server_version_string = xstrdup(buf); |
| 298 | 304 | ||
| 299 | if (client_version_string == NULL) { | 305 | if (client_version_string == NULL) { |
| @@ -314,7 +320,6 @@ sshd_exchange_identification(int sock_in, int sock_out) | |||
| 314 | buf[i] = '\n'; | 320 | buf[i] = '\n'; |
| 315 | buf[i + 1] = 0; | 321 | buf[i + 1] = 0; |
| 316 | continue; | 322 | continue; |
| 317 | //break; | ||
| 318 | } | 323 | } |
| 319 | if (buf[i] == '\n') { | 324 | if (buf[i] == '\n') { |
| 320 | /* buf[i] == '\n' */ | 325 | /* buf[i] == '\n' */ |
| @@ -345,8 +350,13 @@ sshd_exchange_identification(int sock_in, int sock_out) | |||
| 345 | 350 | ||
| 346 | compat_datafellows(remote_version); | 351 | compat_datafellows(remote_version); |
| 347 | 352 | ||
| 353 | mismatch = 0; | ||
| 348 | switch(remote_major) { | 354 | switch(remote_major) { |
| 349 | case 1: | 355 | case 1: |
| 356 | if (!(options.protocol & SSH_PROTO_1)) { | ||
| 357 | mismatch = 1; | ||
| 358 | break; | ||
| 359 | } | ||
| 350 | if (remote_minor < 3) { | 360 | if (remote_minor < 3) { |
| 351 | packet_disconnect("Your ssh version is too old and" | 361 | packet_disconnect("Your ssh version is too old and" |
| 352 | "is no longer supported. Please install a newer version."); | 362 | "is no longer supported. Please install a newer version."); |
| @@ -354,27 +364,37 @@ sshd_exchange_identification(int sock_in, int sock_out) | |||
| 354 | /* note that this disables agent-forwarding */ | 364 | /* note that this disables agent-forwarding */ |
| 355 | enable_compat13(); | 365 | enable_compat13(); |
| 356 | } | 366 | } |
| 357 | if (remote_minor != 99) | 367 | if (remote_minor == 99) { |
| 358 | break; | 368 | if (options.protocol & SSH_PROTO_2) |
| 359 | /* FALLTHROUGH */ | 369 | enable_compat20(); |
| 370 | else | ||
| 371 | mismatch = 1; | ||
| 372 | } | ||
| 373 | break; | ||
| 360 | case 2: | 374 | case 2: |
| 361 | if (allow_ssh2) { | 375 | if (options.protocol & SSH_PROTO_2) { |
| 362 | enable_compat20(); | 376 | enable_compat20(); |
| 363 | break; | 377 | break; |
| 364 | } | 378 | } |
| 365 | /* FALLTHROUGH */ | 379 | /* FALLTHROUGH */ |
| 366 | default: | 380 | default: |
| 381 | mismatch = 1; | ||
| 382 | break; | ||
| 383 | } | ||
| 384 | chop(server_version_string); | ||
| 385 | chop(client_version_string); | ||
| 386 | debug("Local version string %.200s", server_version_string); | ||
| 387 | |||
| 388 | if (mismatch) { | ||
| 367 | s = "Protocol major versions differ.\n"; | 389 | s = "Protocol major versions differ.\n"; |
| 368 | (void) atomicio(write, sock_out, s, strlen(s)); | 390 | (void) atomicio(write, sock_out, s, strlen(s)); |
| 369 | close(sock_in); | 391 | close(sock_in); |
| 370 | close(sock_out); | 392 | close(sock_out); |
| 371 | log("Protocol major versions differ for %s: %d vs. %d", | 393 | log("Protocol major versions differ for %s: %.200s vs. %.200s", |
| 372 | get_remote_ipaddr(), PROTOCOL_MAJOR, remote_major); | 394 | get_remote_ipaddr(), |
| 395 | server_version_string, client_version_string); | ||
| 373 | fatal_cleanup(); | 396 | fatal_cleanup(); |
| 374 | break; | ||
| 375 | } | 397 | } |
| 376 | chop(server_version_string); | ||
| 377 | chop(client_version_string); | ||
| 378 | } | 398 | } |
| 379 | 399 | ||
| 380 | /* | 400 | /* |
| @@ -410,11 +430,8 @@ main(int ac, char **av) | |||
| 410 | initialize_server_options(&options); | 430 | initialize_server_options(&options); |
| 411 | 431 | ||
| 412 | /* Parse command-line arguments. */ | 432 | /* Parse command-line arguments. */ |
| 413 | while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:diqQ246")) != EOF) { | 433 | while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:diqQ46")) != EOF) { |
| 414 | switch (opt) { | 434 | switch (opt) { |
| 415 | case '2': | ||
| 416 | allow_ssh2 = 1; | ||
| 417 | break; | ||
| 418 | case '4': | 435 | case '4': |
| 419 | IPv4or6 = AF_INET; | 436 | IPv4or6 = AF_INET; |
| 420 | break; | 437 | break; |
| @@ -593,6 +610,7 @@ main(int ac, char **av) | |||
| 593 | public_key = RSA_new(); | 610 | public_key = RSA_new(); |
| 594 | sensitive_data.private_key = RSA_new(); | 611 | sensitive_data.private_key = RSA_new(); |
| 595 | 612 | ||
| 613 | /* XXX check options.protocol */ | ||
| 596 | log("Generating %d bit RSA key.", options.server_key_bits); | 614 | log("Generating %d bit RSA key.", options.server_key_bits); |
| 597 | rsa_generate_key(sensitive_data.private_key, public_key, | 615 | rsa_generate_key(sensitive_data.private_key, public_key, |
| 598 | options.server_key_bits); | 616 | options.server_key_bits); |
| @@ -1126,6 +1144,11 @@ do_ssh2_kex() | |||
| 1126 | 1144 | ||
| 1127 | /* KEXINIT */ | 1145 | /* KEXINIT */ |
| 1128 | 1146 | ||
| 1147 | if (options.ciphers != NULL) { | ||
| 1148 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = | ||
| 1149 | myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; | ||
| 1150 | } | ||
| 1151 | |||
| 1129 | debug("Sending KEX init."); | 1152 | debug("Sending KEX init."); |
| 1130 | 1153 | ||
| 1131 | for (i = 0; i < PROPOSAL_MAX; i++) | 1154 | for (i = 0; i < PROPOSAL_MAX; i++) |
| @@ -1185,7 +1208,7 @@ do_ssh2_kex() | |||
| 1185 | #endif | 1208 | #endif |
| 1186 | 1209 | ||
| 1187 | /* generate DH key */ | 1210 | /* generate DH key */ |
| 1188 | dh = new_dh_group1(); /* XXX depends on 'kex' */ | 1211 | dh = dh_new_group1(); /* XXX depends on 'kex' */ |
| 1189 | 1212 | ||
| 1190 | #ifdef DEBUG_KEXDH | 1213 | #ifdef DEBUG_KEXDH |
| 1191 | fprintf(stderr, "\np= "); | 1214 | fprintf(stderr, "\np= "); |
| @@ -1196,6 +1219,8 @@ do_ssh2_kex() | |||
| 1196 | bignum_print(dh->pub_key); | 1219 | bignum_print(dh->pub_key); |
| 1197 | fprintf(stderr, "\n"); | 1220 | fprintf(stderr, "\n"); |
| 1198 | #endif | 1221 | #endif |
| 1222 | if (!dh_pub_is_valid(dh, dh_client_pub)) | ||
| 1223 | packet_disconnect("bad client public DH value"); | ||
| 1199 | 1224 | ||
| 1200 | klen = DH_size(dh); | 1225 | klen = DH_size(dh); |
| 1201 | kbuf = xmalloc(klen); | 1226 | kbuf = xmalloc(klen); |
| @@ -1267,11 +1292,12 @@ do_ssh2_kex() | |||
| 1267 | packet_read_expect(&payload_len, SSH2_MSG_NEWKEYS); | 1292 | packet_read_expect(&payload_len, SSH2_MSG_NEWKEYS); |
| 1268 | debug("GOT SSH2_MSG_NEWKEYS."); | 1293 | debug("GOT SSH2_MSG_NEWKEYS."); |
| 1269 | 1294 | ||
| 1295 | #ifdef DEBUG_KEXDH | ||
| 1270 | /* send 1st encrypted/maced/compressed message */ | 1296 | /* send 1st encrypted/maced/compressed message */ |
| 1271 | packet_start(SSH2_MSG_IGNORE); | 1297 | packet_start(SSH2_MSG_IGNORE); |
| 1272 | packet_put_cstring("markus"); | 1298 | packet_put_cstring("markus"); |
| 1273 | packet_send(); | 1299 | packet_send(); |
| 1274 | packet_write_wait(); | 1300 | packet_write_wait(); |
| 1275 | 1301 | #endif | |
| 1276 | debug("done: KEX2."); | 1302 | debug("done: KEX2."); |
| 1277 | } | 1303 | } |