9 files changed, 74 insertions, 39 deletions
diff --git a/ChangeLog b/ChangeLog
index 9247ca021..4cf384c04 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,30 @@
+20001123
+ - (bal) Merge OpenBSD changes:
+   - markus@cvs.openbsd.org  2000/11/15 22:31:36
+     [auth-options.c]
+     case insensitive key options; from stevesk@sweeden.hp.com    
+   - markus@cvs.openbsd.org  2000/11/16 17:55:43
+     [dh.c]
+     do not use perror() in sshd, after child is forked()
+   - markus@cvs.openbsd.org  2000/11/14 23:42:40
+     [auth-rsa.c]
+     parse option only if key matches; fix some confusing seen by the client
+   - markus@cvs.openbsd.org  2000/11/14 23:44:19
+     [session.c]
+     check no_agent_forward_flag for ssh-2, too
+   - markus@cvs.openbsd.org  2000/11/15
+     [ssh-agent.1]
+     reorder SYNOPSIS; typo, use .It
+   - markus@cvs.openbsd.org  2000/11/14 23:48:55
+     [ssh-agent.c]
+     do not reorder keys if a key is removed
+   - markus@cvs.openbsd.org  2000/11/15 19:58:08
+     [ssh.c]
+     just ignore non existing user keys   
+   - millert@cvs.openbsd.org  200/11/15 20:24:43
+     [ssh-keygen.c]
+     Add missing \n at end of error message.
 20001122
 - (bal) Minor patch to ensure platforms lacking IRIX job limit supports
   are compilable.
diff --git a/auth-options.c b/auth-options.c
index c9c149d69..181bf7321 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -14,7 +14,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.5 2000/10/09 21:32:34 markus Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.6 2000/11/15 22:31:36 markus Exp $");
 #include "ssh.h"
 #include "packet.h"
@@ -65,35 +65,35 @@ auth_parse_options(struct passwd *pw, char *options, unsigned long linenum)
        while (*options && *options != ' ' && *options != '\t') {
                cp = "no-port-forwarding";
-                if (strncmp(options, cp, strlen(cp)) == 0) {
+                if (strncasecmp(options, cp, strlen(cp)) == 0) {
                        packet_send_debug("Port forwarding disabled.");
                        no_port_forwarding_flag = 1;
                        options += strlen(cp);
                        goto next_option;
                }
                cp = "no-agent-forwarding";
-                if (strncmp(options, cp, strlen(cp)) == 0) {
+                if (strncasecmp(options, cp, strlen(cp)) == 0) {
                        packet_send_debug("Agent forwarding disabled.");
                        no_agent_forwarding_flag = 1;
                        options += strlen(cp);
                        goto next_option;
                }
                cp = "no-X11-forwarding";
-                if (strncmp(options, cp, strlen(cp)) == 0) {
+                if (strncasecmp(options, cp, strlen(cp)) == 0) {
                        packet_send_debug("X11 forwarding disabled.");
                        no_x11_forwarding_flag = 1;
                        options += strlen(cp);
                        goto next_option;
                }
                cp = "no-pty";
-                if (strncmp(options, cp, strlen(cp)) == 0) {
+                if (strncasecmp(options, cp, strlen(cp)) == 0) {
                        packet_send_debug("Pty allocation disabled.");
                        no_pty_flag = 1;
                        options += strlen(cp);
                        goto next_option;
                }
                cp = "command=\"";
-                if (strncmp(options, cp, strlen(cp)) == 0) {
+                if (strncasecmp(options, cp, strlen(cp)) == 0) {
                        int i;
                        options += strlen(cp);
                        forced_command = xmalloc(strlen(options) + 1);
@@ -121,7 +121,7 @@ auth_parse_options(struct passwd *pw, char *options, unsigned long linenum)
                        goto next_option;
                }
                cp = "environment=\"";
-                if (strncmp(options, cp, strlen(cp)) == 0) {
+                if (strncasecmp(options, cp, strlen(cp)) == 0) {
                        int i;
                        char *s;
                        struct envstring *new_envstring;
@@ -156,7 +156,7 @@ auth_parse_options(struct passwd *pw, char *options, unsigned long linenum)
                        goto next_option;
                }
                cp = "from=\"";
-                if (strncmp(options, cp, strlen(cp)) == 0) {
+                if (strncasecmp(options, cp, strlen(cp)) == 0) {
                        int mname, mip;
                        char *patterns = xmalloc(strlen(options) + 1);
                        int i;
diff --git a/auth-rsa.c b/auth-rsa.c
index e8bfa1651..72cb909d7 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -14,7 +14,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-rsa.c,v 1.32 2000/10/14 12:19:45 markus Exp $");
+RCSID("$OpenBSD: auth-rsa.c,v 1.33 2000/11/14 23:42:40 markus Exp $");
 #include "rsa.h"
 #include "packet.h"
@@ -231,12 +231,6 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
                        }
                } else
                        options = NULL;
-                /*
-                 * If our options do not allow this key to be used,
-                 * do not send challenge.
-                 */
-                if (!auth_parse_options(pw, options, linenum))
-                        continue;
                /* Parse the key from the line. */
                if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) {
@@ -259,6 +253,12 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
                            file, linenum, BN_num_bits(pk->n), bits);
                /* We have found the desired key. */
+                /*
+                 * If our options do not allow this key to be used,
+                 * do not send challenge.
+                 */
+                if (!auth_parse_options(pw, options, linenum))
+                        continue;
                /* Perform the challenge-response dialog for this key. */
                if (!auth_rsa_challenge_dialog(pk)) {
diff --git a/dh.c b/dh.c
index ff84619cf..35e901433 100644
--- a/dh.c
+++ b/dh.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: dh.c,v 1.2 2000/10/11 20:11:35 markus Exp $");
+RCSID("$OpenBSD: dh.c,v 1.3 2000/11/16 17:55:43 markus Exp $");
 #include "xmalloc.h"
@@ -102,7 +102,6 @@ choose_dh(int minbits)
        f = fopen(DH_PRIMES, "r");
        if (!f) {
-                perror(DH_PRIMES);
                log("WARNING: %s does not exist, using old prime", DH_PRIMES);
                return (dh_new_group1());
        }
@@ -133,8 +132,7 @@ choose_dh(int minbits)
        f = fopen(DH_PRIMES, "r");
        if (!f) {
-                perror(DH_PRIMES);
+                fatal("WARNING: %s dissappeared, giving up", DH_PRIMES);
-                exit(1);
        }
        linenum = 0;
diff --git a/session.c b/session.c
index 890e16d59..826307ef1 100644
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.43 2000/11/06 23:04:56 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.44 2000/11/14 23:44:19 markus Exp $");
 #include "xmalloc.h"
 #include "ssh.h"
@@ -1745,6 +1745,10 @@ session_auth_agent_req(Session *s)
 {
        static int called = 0;
        packet_done();
+        if (no_agent_forwarding_flag) {
+                debug("session_auth_agent_req: no_agent_forwarding_flag");
+                return 0;
+        }
        if (called) {
                return 0;
        } else {
diff --git a/ssh-agent.1 b/ssh-agent.1
index 31ea2b318..3ee5074b6 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.17 2000/11/10 05:10:40 aaron Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.19 2000/11/15 20:09:01 markus Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -42,12 +42,12 @@
 .Nd authentication agent
 .Sh SYNOPSIS
 .Nm ssh-agent
-.Op Fl c Li | Fl s
-.Op Fl k
-.Oo
 .Ar command
-.Op Ar args ...
+.Ar args ...
-.Oc
+.Nm ssh-agent
+.Op Fl c Li | Fl s
+.Nm ssh-agent
+.Fl k
 .Sh DESCRIPTION
 .Nm
 is a program to hold private keys used for public key authentication
@@ -154,7 +154,7 @@ but is normally added to the agent using
 at login time.
 .It Pa $HOME/.ssh/id_dsa
 Contains the DSA authentication identity of the user.
-.Pq Pa /tmp/ssh-XXXXXXXX/agent.<pid> ,
+.It Pa /tmp/ssh-XXXXXXXX/agent.<pid>
 Unix-domain sockets used to contain the connection to the
 authentication agent.
 These sockets should only be readable by the owner.
@@ -172,7 +172,7 @@ This version of OpenSSH
 .Bl -bullet
 .It
 has all components of a restrictive nature (i.e., patents, see
-.Xr crypto 3 )
+.Xr ssl 8 )
 directly removed from the source code; any licensed or patented components
 are chosen from
 external libraries.
@@ -191,4 +191,4 @@ supports one-time password authentication with
 .Xr ssh-add 1 ,
 .Xr ssh-keygen 1 ,
 .Xr sshd 8 ,
-.Xr crypto 3
+.Xr ssl 8
diff --git a/ssh-agent.c b/ssh-agent.c
index f5f87cca3..6f89dd5ca 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssh-agent.c,v 1.39 2000/11/12 19:50:38 markus Exp $   */
+/*      $OpenBSD: ssh-agent.c,v 1.40 2000/11/14 23:48:55 markus Exp $   */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -37,7 +37,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.39 2000/11/12 19:50:38 markus Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.40 2000/11/14 23:48:55 markus Exp $");
 #include "ssh.h"
 #include "rsa.h"
@@ -308,8 +308,9 @@ process_remove_identity(SocketEntry *e, int version)
                        /*
                         * We have this key.  Free the old key.  Since we
                         * don\'t want to leave empty slots in the middle of
-                         * the array, we actually free the key there and copy
+                         * the array, we actually free the key there and move
-                         * data from the last entry.
+                         * all the entries between the empty slot and the end
+                         * of the array.
                         */
                        Idtab *tab = idtab_lookup(version);
                        key_free(tab->identities[idx].key);
@@ -318,8 +319,13 @@ process_remove_identity(SocketEntry *e, int version)
                                fatal("process_remove_identity: "
                                    "internal error: tab->nentries %d",
                                    tab->nentries);
-                        if (idx != tab->nentries - 1)
+                        if (idx != tab->nentries - 1) {
-                                tab->identities[idx] = tab->identities[tab->nentries - 1];
+                                int i;
+                                for (i = idx; i < tab->nentries - 1; i++)
+                                        tab->identities[i] = tab->identities[i+1];
+                        }
+                        tab->identities[tab->nentries - 1].key = NULL;
+                        tab->identities[tab->nentries - 1].comment = NULL;
                        tab->nentries--;
                        success = 1;
                }
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 3653fc244..5da90035a 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.33 2000/11/12 19:50:38 markus Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.34 2000/11/15 20:24:43 millert Exp $");
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@@ -727,7 +727,7 @@ main(int ac, char **av)
        if (key_type_name != NULL) {
                type = key_type_from_name(key_type_name);
                if (type == KEY_UNSPEC) {
-                        fprintf(stderr, "unknown key type %s", key_type_name);
+                        fprintf(stderr, "unknown key type %s\n", key_type_name);
                        exit(1);
                }
        }
diff --git a/ssh.c b/ssh.c
index a1cedc7e0..b41c87e12 100644
--- a/ssh.c
+++ b/ssh.c
@@ -39,7 +39,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.72 2000/11/12 19:50:38 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.73 2000/11/15 19:58:08 markus Exp $");
 #include <openssl/evp.h>
 #include <openssl/dsa.h>
@@ -1049,7 +1049,7 @@ guess_identity_file_type(const char *filename)
        int type = KEY_RSA1; /* default */
        if (stat(filename, &st) < 0) {
-                perror(filename);
+                /* ignore this key */
                return KEY_UNSPEC;
        }
        public = key_new(type);