diff options
-rw-r--r-- | ChangeLog | 15 | ||||
-rw-r--r-- | ssh-keygen.c | 45 | ||||
-rw-r--r-- | ssh.c | 14 | ||||
-rw-r--r-- | ssh.h | 3 | ||||
-rw-r--r-- | sshconnect1.c | 11 | ||||
-rw-r--r-- | sshconnect2.c | 13 | ||||
-rw-r--r-- | sshd.8 | 4 |
7 files changed, 67 insertions, 38 deletions
@@ -4,6 +4,21 @@ | |||
4 | - (djm) Don't fail in defines.h on absence of 64 bit types (we will | 4 | - (djm) Don't fail in defines.h on absence of 64 bit types (we will |
5 | still fail during compilation of sftp-server). | 5 | still fail during compilation of sftp-server). |
6 | - (djm) Fail if ar is not found during configure | 6 | - (djm) Fail if ar is not found during configure |
7 | - (djm) OpenBSD CVS updates: | ||
8 | - provos@cvs.openbsd.org 2000/11/22 08:38:31 | ||
9 | [sshd.8] | ||
10 | talk about /etc/primes, okay markus@ | ||
11 | - markus@cvs.openbsd.org 2000/11/23 14:03:48 | ||
12 | [ssh.c sshconnect1.c sshconnect2.c] | ||
13 | complain about invalid ciphers for ssh1/ssh2, fall back to reasonable | ||
14 | defaults | ||
15 | - markus@cvs.openbsd.org 2000/11/25 09:42:53 | ||
16 | [sshconnect1.c] | ||
17 | reorder check for illegal ciphers, bugreport from espie@ | ||
18 | - markus@cvs.openbsd.org 2000/11/25 10:19:34 | ||
19 | [ssh-keygen.c ssh.h] | ||
20 | print keytype when generating a key. | ||
21 | reasonable defaults for RSA1/RSA/DSA keys. | ||
7 | 22 | ||
8 | 20001125 | 23 | 20001125 |
9 | - (djm) Give up privs when reading seed file | 24 | - (djm) Give up privs when reading seed file |
diff --git a/ssh-keygen.c b/ssh-keygen.c index 5da90035a..89c03d901 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
@@ -12,7 +12,7 @@ | |||
12 | */ | 12 | */ |
13 | 13 | ||
14 | #include "includes.h" | 14 | #include "includes.h" |
15 | RCSID("$OpenBSD: ssh-keygen.c,v 1.34 2000/11/15 20:24:43 millert Exp $"); | 15 | RCSID("$OpenBSD: ssh-keygen.c,v 1.35 2000/11/25 17:19:33 markus Exp $"); |
16 | 16 | ||
17 | #include <openssl/evp.h> | 17 | #include <openssl/evp.h> |
18 | #include <openssl/pem.h> | 18 | #include <openssl/pem.h> |
@@ -67,9 +67,8 @@ int convert_to_ssh2 = 0; | |||
67 | int convert_from_ssh2 = 0; | 67 | int convert_from_ssh2 = 0; |
68 | int print_public = 0; | 68 | int print_public = 0; |
69 | 69 | ||
70 | /* key type */ | 70 | /* default to RSA for SSH-1 */ |
71 | int dsa_mode = 0; /* compat */ | 71 | char *key_type_name = "rsa1"; |
72 | char *key_type_name = NULL; | ||
73 | 72 | ||
74 | /* argv0 */ | 73 | /* argv0 */ |
75 | #ifdef HAVE___PROGNAME | 74 | #ifdef HAVE___PROGNAME |
@@ -84,9 +83,24 @@ void | |||
84 | ask_filename(struct passwd *pw, const char *prompt) | 83 | ask_filename(struct passwd *pw, const char *prompt) |
85 | { | 84 | { |
86 | char buf[1024]; | 85 | char buf[1024]; |
87 | snprintf(identity_file, sizeof(identity_file), "%s/%s", | 86 | char *name = NULL; |
88 | pw->pw_dir, | 87 | |
89 | dsa_mode ? SSH_CLIENT_ID_DSA: SSH_CLIENT_IDENTITY); | 88 | switch (key_type_from_name(key_type_name)) { |
89 | case KEY_RSA1: | ||
90 | name = SSH_CLIENT_IDENTITY; | ||
91 | break; | ||
92 | case KEY_DSA: | ||
93 | name = SSH_CLIENT_ID_DSA; | ||
94 | break; | ||
95 | case KEY_RSA: | ||
96 | name = SSH_CLIENT_ID_RSA; | ||
97 | break; | ||
98 | default: | ||
99 | fprintf(stderr, "bad key type"); | ||
100 | exit(1); | ||
101 | break; | ||
102 | } | ||
103 | snprintf(identity_file, sizeof(identity_file), "%s/%s", pw->pw_dir, name); | ||
90 | printf("%s (%s): ", prompt, identity_file); | 104 | printf("%s (%s): ", prompt, identity_file); |
91 | fflush(stdout); | 105 | fflush(stdout); |
92 | if (fgets(buf, sizeof(buf), stdin) == NULL) | 106 | if (fgets(buf, sizeof(buf), stdin) == NULL) |
@@ -600,10 +614,9 @@ main(int ac, char **av) | |||
600 | { | 614 | { |
601 | char dotsshdir[16 * 1024], comment[1024], *passphrase1, *passphrase2; | 615 | char dotsshdir[16 * 1024], comment[1024], *passphrase1, *passphrase2; |
602 | struct passwd *pw; | 616 | struct passwd *pw; |
603 | int opt; | 617 | int opt, type; |
604 | struct stat st; | 618 | struct stat st; |
605 | FILE *f; | 619 | FILE *f; |
606 | int type = KEY_RSA1; | ||
607 | Key *private; | 620 | Key *private; |
608 | Key *public; | 621 | Key *public; |
609 | 622 | ||
@@ -688,12 +701,10 @@ main(int ac, char **av) | |||
688 | 701 | ||
689 | case 'd': | 702 | case 'd': |
690 | key_type_name = "dsa"; | 703 | key_type_name = "dsa"; |
691 | dsa_mode = 1; | ||
692 | break; | 704 | break; |
693 | 705 | ||
694 | case 't': | 706 | case 't': |
695 | key_type_name = optarg; | 707 | key_type_name = optarg; |
696 | dsa_mode = (strcmp(optarg, "dsa") == 0); | ||
697 | break; | 708 | break; |
698 | 709 | ||
699 | case '?': | 710 | case '?': |
@@ -724,15 +735,13 @@ main(int ac, char **av) | |||
724 | 735 | ||
725 | arc4random_stir(); | 736 | arc4random_stir(); |
726 | 737 | ||
727 | if (key_type_name != NULL) { | 738 | type = key_type_from_name(key_type_name); |
728 | type = key_type_from_name(key_type_name); | 739 | if (type == KEY_UNSPEC) { |
729 | if (type == KEY_UNSPEC) { | 740 | fprintf(stderr, "unknown key type %s\n", key_type_name); |
730 | fprintf(stderr, "unknown key type %s\n", key_type_name); | 741 | exit(1); |
731 | exit(1); | ||
732 | } | ||
733 | } | 742 | } |
734 | if (!quiet) | 743 | if (!quiet) |
735 | printf("Generating public/private key pair.\n"); | 744 | printf("Generating public/private %s key pair.\n", key_type_name); |
736 | private = key_generate(type, bits); | 745 | private = key_generate(type, bits); |
737 | if (private == NULL) { | 746 | if (private == NULL) { |
738 | fprintf(stderr, "key_generate failed"); | 747 | fprintf(stderr, "key_generate failed"); |
@@ -39,7 +39,7 @@ | |||
39 | */ | 39 | */ |
40 | 40 | ||
41 | #include "includes.h" | 41 | #include "includes.h" |
42 | RCSID("$OpenBSD: ssh.c,v 1.73 2000/11/15 19:58:08 markus Exp $"); | 42 | RCSID("$OpenBSD: ssh.c,v 1.74 2000/11/23 21:03:47 markus Exp $"); |
43 | 43 | ||
44 | #include <openssl/evp.h> | 44 | #include <openssl/evp.h> |
45 | #include <openssl/dsa.h> | 45 | #include <openssl/dsa.h> |
@@ -427,12 +427,18 @@ main(int ac, char **av) | |||
427 | options.cipher = SSH_CIPHER_ILLEGAL; | 427 | options.cipher = SSH_CIPHER_ILLEGAL; |
428 | } else { | 428 | } else { |
429 | /* SSH1 only */ | 429 | /* SSH1 only */ |
430 | Cipher *c = cipher_by_name(optarg); | 430 | options.cipher = cipher_number(optarg); |
431 | if (c == NULL || c->number < 0) { | 431 | if (options.cipher == -1) { |
432 | fprintf(stderr, "Unknown cipher type '%s'\n", optarg); | 432 | fprintf(stderr, "Unknown cipher type '%s'\n", optarg); |
433 | exit(1); | 433 | exit(1); |
434 | } | 434 | } |
435 | options.cipher = c->number; | 435 | if (options.cipher == SSH_CIPHER_3DES) { |
436 | options.ciphers = "3des-cbc"; | ||
437 | } else if (options.cipher == SSH_CIPHER_BLOWFISH) { | ||
438 | options.ciphers = "blowfish-cbc"; | ||
439 | } else { | ||
440 | options.ciphers = (char *)-1; | ||
441 | } | ||
436 | } | 442 | } |
437 | break; | 443 | break; |
438 | case 'p': | 444 | case 'p': |
@@ -12,7 +12,7 @@ | |||
12 | * called by a name other than "ssh" or "Secure Shell". | 12 | * called by a name other than "ssh" or "Secure Shell". |
13 | */ | 13 | */ |
14 | 14 | ||
15 | /* RCSID("$OpenBSD: ssh.h,v 1.54 2000/10/11 20:27:24 markus Exp $"); */ | 15 | /* RCSID("$OpenBSD: ssh.h,v 1.55 2000/11/25 17:19:33 markus Exp $"); */ |
16 | 16 | ||
17 | #ifndef SSH_H | 17 | #ifndef SSH_H |
18 | #define SSH_H | 18 | #define SSH_H |
@@ -144,6 +144,7 @@ | |||
144 | */ | 144 | */ |
145 | #define SSH_CLIENT_IDENTITY ".ssh/identity" | 145 | #define SSH_CLIENT_IDENTITY ".ssh/identity" |
146 | #define SSH_CLIENT_ID_DSA ".ssh/id_dsa" | 146 | #define SSH_CLIENT_ID_DSA ".ssh/id_dsa" |
147 | #define SSH_CLIENT_ID_RSA ".ssh/id_rsa" | ||
147 | 148 | ||
148 | /* | 149 | /* |
149 | * Configuration file in user\'s home directory. This file need not be | 150 | * Configuration file in user\'s home directory. This file need not be |
diff --git a/sshconnect1.c b/sshconnect1.c index 227e10b4b..709329713 100644 --- a/sshconnect1.c +++ b/sshconnect1.c | |||
@@ -13,7 +13,7 @@ | |||
13 | */ | 13 | */ |
14 | 14 | ||
15 | #include "includes.h" | 15 | #include "includes.h" |
16 | RCSID("$OpenBSD: sshconnect1.c,v 1.9 2000/11/12 19:50:38 markus Exp $"); | 16 | RCSID("$OpenBSD: sshconnect1.c,v 1.11 2000/11/25 16:42:53 markus Exp $"); |
17 | 17 | ||
18 | #include <openssl/bn.h> | 18 | #include <openssl/bn.h> |
19 | #include <openssl/dsa.h> | 19 | #include <openssl/dsa.h> |
@@ -833,13 +833,14 @@ ssh_kex(char *host, struct sockaddr *hostaddr) | |||
833 | RSA_free(public_key); | 833 | RSA_free(public_key); |
834 | RSA_free(host_key); | 834 | RSA_free(host_key); |
835 | 835 | ||
836 | if (options.cipher == SSH_CIPHER_ILLEGAL) { | 836 | if (options.cipher == SSH_CIPHER_NOT_SET) { |
837 | if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default)) | ||
838 | options.cipher = ssh_cipher_default; | ||
839 | } else if (options.cipher == SSH_CIPHER_ILLEGAL || | ||
840 | !(cipher_mask_ssh1(1) & (1 << options.cipher))) { | ||
837 | log("No valid SSH1 cipher, using %.100s instead.", | 841 | log("No valid SSH1 cipher, using %.100s instead.", |
838 | cipher_name(ssh_cipher_default)); | 842 | cipher_name(ssh_cipher_default)); |
839 | options.cipher = ssh_cipher_default; | 843 | options.cipher = ssh_cipher_default; |
840 | } else if (options.cipher == SSH_CIPHER_NOT_SET) { | ||
841 | if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default)) | ||
842 | options.cipher = ssh_cipher_default; | ||
843 | } | 844 | } |
844 | /* Check that the selected cipher is supported. */ | 845 | /* Check that the selected cipher is supported. */ |
845 | if (!(supported_ciphers & (1 << options.cipher))) | 846 | if (!(supported_ciphers & (1 << options.cipher))) |
diff --git a/sshconnect2.c b/sshconnect2.c index bb4774aa4..69d9c49e3 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
@@ -23,7 +23,7 @@ | |||
23 | */ | 23 | */ |
24 | 24 | ||
25 | #include "includes.h" | 25 | #include "includes.h" |
26 | RCSID("$OpenBSD: sshconnect2.c,v 1.28 2000/11/12 19:50:38 markus Exp $"); | 26 | RCSID("$OpenBSD: sshconnect2.c,v 1.29 2000/11/23 21:03:47 markus Exp $"); |
27 | 27 | ||
28 | #include <openssl/bn.h> | 28 | #include <openssl/bn.h> |
29 | #include <openssl/rsa.h> | 29 | #include <openssl/rsa.h> |
@@ -74,14 +74,9 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
74 | Buffer *client_kexinit, *server_kexinit; | 74 | Buffer *client_kexinit, *server_kexinit; |
75 | char *sprop[PROPOSAL_MAX]; | 75 | char *sprop[PROPOSAL_MAX]; |
76 | 76 | ||
77 | if (options.ciphers == NULL) { | 77 | if (options.ciphers == (char *)-1) { |
78 | if (options.cipher == SSH_CIPHER_3DES) { | 78 | log("No valid ciphers for protocol version 2 given, using defaults."); |
79 | options.ciphers = "3des-cbc"; | 79 | options.ciphers = NULL; |
80 | } else if (options.cipher == SSH_CIPHER_BLOWFISH) { | ||
81 | options.ciphers = "blowfish-cbc"; | ||
82 | } else if (options.cipher == SSH_CIPHER_DES) { | ||
83 | fatal("cipher DES not supported for protocol version 2"); | ||
84 | } | ||
85 | } | 80 | } |
86 | if (options.ciphers != NULL) { | 81 | if (options.ciphers != NULL) { |
87 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = | 82 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = |
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.72 2000/11/12 19:50:38 markus Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.73 2000/11/22 15:38:30 provos Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
40 | .Os | 40 | .Os |
@@ -885,6 +885,8 @@ really used for anything; it is only provided for the convenience of | |||
885 | the user so its contents can be copied to known hosts files. | 885 | the user so its contents can be copied to known hosts files. |
886 | These two files are created using | 886 | These two files are created using |
887 | .Xr ssh-keygen 1 . | 887 | .Xr ssh-keygen 1 . |
888 | .It Pa /etc/primes | ||
889 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". | ||
888 | .It Pa /var/run/sshd.pid | 890 | .It Pa /var/run/sshd.pid |
889 | Contains the process ID of the | 891 | Contains the process ID of the |
890 | .Nm | 892 | .Nm |