summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog21
-rw-r--r--auth2.c37
-rw-r--r--channels.c4
-rw-r--r--compat.c7
-rw-r--r--compat.h3
-rw-r--r--kex.c3
-rw-r--r--servconf.c9
-rw-r--r--servconf.h3
-rw-r--r--ssh-keyscan.c4
-rw-r--r--sshconnect1.c7
-rw-r--r--sshd.89
-rw-r--r--sshd_config1
-rw-r--r--version.h4
13 files changed, 96 insertions, 16 deletions
diff --git a/ChangeLog b/ChangeLog
index 564c513e2..b21180335 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,27 @@
2 - (bal) Resync CVS ID of cli.c 2 - (bal) Resync CVS ID of cli.c
3 - (stevesk) auth1.c: free should be after WITH_AIXAUTHENTICATE 3 - (stevesk) auth1.c: free should be after WITH_AIXAUTHENTICATE
4 code. 4 code.
5 - (bal) OpenBSD Sync
6 - markus@cvs.openbsd.org 2001/01/08 22:29:05
7 [auth2.c compat.c compat.h servconf.c servconf.h sshd.8
8 sshd_config version.h]
9 implement option 'Banner /etc/issue.net' for ssh2, move version to
10 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
11 is enabled).
12 - markus@cvs.openbsd.org 2001/01/08 22:03:23
13 [channels.c ssh-keyscan.c]
14 O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com
15 - markus@cvs.openbsd.org 2001/01/08 21:55:41
16 [sshconnect1.c]
17 more cleanups and fixes from stevesk@pobox.com:
18 1) try_agent_authentication() for loop will overwrite key just
19 allocated with key_new(); don't alloc
20 2) call ssh_close_authentication_connection() before exit
21 try_agent_authentication()
22 3) free mem on bad passphrase in try_rsa_authentication()
23 - markus@cvs.openbsd.org 2001/01/08 21:48:17
24 [kex.c]
25 missing free; thanks stevesk@pobox.com
5 26
620010108 2720010108
7 - (bal) Fixed another typo in cli.c 28 - (bal) Fixed another typo in cli.c
diff --git a/auth2.c b/auth2.c
index 4880b736e..3a247f588 100644
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: auth2.c,v 1.24 2000/12/28 14:25:51 markus Exp $"); 26RCSID("$OpenBSD: auth2.c,v 1.25 2001/01/08 22:29:05 markus Exp $");
27 27
28#ifdef HAVE_OSF_SIA 28#ifdef HAVE_OSF_SIA
29# include <sia.h> 29# include <sia.h>
@@ -92,6 +92,7 @@ int user_key_allowed(struct passwd *pw, Key *key);
92char *authmethods_get(void); 92char *authmethods_get(void);
93 93
94/* auth */ 94/* auth */
95void userauth_banner(void);
95int userauth_none(Authctxt *authctxt); 96int userauth_none(Authctxt *authctxt);
96int userauth_passwd(Authctxt *authctxt); 97int userauth_passwd(Authctxt *authctxt);
97int userauth_pubkey(Authctxt *authctxt); 98int userauth_pubkey(Authctxt *authctxt);
@@ -257,6 +258,39 @@ input_userauth_request(int type, int plen, void *ctxt)
257 xfree(method); 258 xfree(method);
258} 259}
259 260
261void
262userauth_banner(void)
263{
264 struct stat st;
265 char *banner = NULL;
266 off_t len, n;
267 int fd;
268
269 if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
270 return;
271 if ((fd = open(options.banner, O_RDONLY)) < 0) {
272 error("userauth_banner: open %s failed: %s",
273 options.banner, strerror(errno));
274 return;
275 }
276 if (fstat(fd, &st) < 0)
277 goto done;
278 len = st.st_size;
279 banner = xmalloc(len + 1);
280 if ((n = read(fd, banner, len)) < 0)
281 goto done;
282 banner[n] = '\0';
283 packet_start(SSH2_MSG_USERAUTH_BANNER);
284 packet_put_cstring(banner);
285 packet_put_cstring(""); /* language, unused */
286 packet_send();
287 debug("userauth_banner: sent");
288done:
289 if (banner)
290 xfree(banner);
291 close(fd);
292 return;
293}
260 294
261void 295void
262userauth_log(Authctxt *authctxt, int authenticated, char *method) 296userauth_log(Authctxt *authctxt, int authenticated, char *method)
@@ -335,6 +369,7 @@ userauth_none(Authctxt *authctxt)
335 if (m != NULL) 369 if (m != NULL)
336 m->enabled = NULL; 370 m->enabled = NULL;
337 packet_done(); 371 packet_done();
372 userauth_banner();
338 373
339 if (authctxt->valid == 0) 374 if (authctxt->valid == 0)
340 return(0); 375 return(0);
diff --git a/channels.c b/channels.c
index b1fcd7ca8..254f5df2f 100644
--- a/channels.c
+++ b/channels.c
@@ -40,7 +40,7 @@
40 */ 40 */
41 41
42#include "includes.h" 42#include "includes.h"
43RCSID("$OpenBSD: channels.c,v 1.79 2000/12/29 22:19:13 markus Exp $"); 43RCSID("$OpenBSD: channels.c,v 1.80 2001/01/08 22:03:23 markus Exp $");
44 44
45#include "ssh.h" 45#include "ssh.h"
46#include "packet.h" 46#include "packet.h"
@@ -1743,7 +1743,7 @@ channel_connect_to(const char *host, u_short host_port)
1743 error("socket: %.100s", strerror(errno)); 1743 error("socket: %.100s", strerror(errno));
1744 continue; 1744 continue;
1745 } 1745 }
1746 if (fcntl(sock, F_SETFL, O_NDELAY) < 0) 1746 if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0)
1747 fatal("connect_to: F_SETFL: %s", strerror(errno)); 1747 fatal("connect_to: F_SETFL: %s", strerror(errno));
1748 /* Connect to the host/port. */ 1748 /* Connect to the host/port. */
1749 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 && 1749 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 &&
diff --git a/compat.c b/compat.c
index a2d3a3383..47af1a8ea 100644
--- a/compat.c
+++ b/compat.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: compat.c,v 1.32 2000/12/09 23:51:11 provos Exp $"); 26RCSID("$OpenBSD: compat.c,v 1.33 2001/01/08 22:29:05 markus Exp $");
27 27
28#include "ssh.h" 28#include "ssh.h"
29#include "packet.h" 29#include "packet.h"
@@ -62,7 +62,10 @@ compat_datafellows(const char *version)
62 char *pat; 62 char *pat;
63 int bugs; 63 int bugs;
64 } check[] = { 64 } check[] = {
65 { "^OpenSSH[-_]2\\.[012]", SSH_OLD_SESSIONID }, 65 { "^OpenSSH[-_]2\\.[012]",
66 SSH_OLD_SESSIONID|SSH_BUG_BANNER },
67 { "^OpenSSH_2\\.3\\.0", SSH_BUG_BANNER },
68 { "^OpenSSH", 0 },
66 { "MindTerm", 0 }, 69 { "MindTerm", 0 },
67 { "^2\\.1\\.0", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| 70 { "^2\\.1\\.0", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
68 SSH_OLD_SESSIONID|SSH_BUG_DEBUG }, 71 SSH_OLD_SESSIONID|SSH_BUG_DEBUG },
diff --git a/compat.h b/compat.h
index cf97c7d28..fb65cd6d6 100644
--- a/compat.h
+++ b/compat.h
@@ -21,7 +21,7 @@
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 */ 23 */
24/* RCSID("$OpenBSD: compat.h,v 1.13 2000/12/06 22:58:15 markus Exp $"); */ 24/* RCSID("$OpenBSD: compat.h,v 1.14 2001/01/08 22:29:05 markus Exp $"); */
25 25
26#ifndef COMPAT_H 26#ifndef COMPAT_H
27#define COMPAT_H 27#define COMPAT_H
@@ -38,6 +38,7 @@
38#define SSH_OLD_SESSIONID 0x10 38#define SSH_OLD_SESSIONID 0x10
39#define SSH_BUG_PKAUTH 0x20 39#define SSH_BUG_PKAUTH 0x20
40#define SSH_BUG_DEBUG 0x40 40#define SSH_BUG_DEBUG 0x40
41#define SSH_BUG_BANNER 0x80
41 42
42void enable_compat13(void); 43void enable_compat13(void);
43void enable_compat20(void); 44void enable_compat20(void);
diff --git a/kex.c b/kex.c
index de315705e..9a31ae927 100644
--- a/kex.c
+++ b/kex.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: kex.c,v 1.16 2000/12/20 19:37:22 markus Exp $"); 26RCSID("$OpenBSD: kex.c,v 1.17 2001/01/08 21:48:17 markus Exp $");
27 27
28#include "ssh.h" 28#include "ssh.h"
29#include "ssh2.h" 29#include "ssh2.h"
@@ -465,6 +465,7 @@ choose_hostkeyalg(Kex *k, char *client, char *server)
465 k->hostkey_type = key_type_from_name(hostkeyalg); 465 k->hostkey_type = key_type_from_name(hostkeyalg);
466 if (k->hostkey_type == KEY_UNSPEC) 466 if (k->hostkey_type == KEY_UNSPEC)
467 fatal("bad hostkey alg '%s'", hostkeyalg); 467 fatal("bad hostkey alg '%s'", hostkeyalg);
468 xfree(hostkeyalg);
468} 469}
469 470
470Kex * 471Kex *
diff --git a/servconf.c b/servconf.c
index 6604e3d23..fb42d74ef 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
10 */ 10 */
11 11
12#include "includes.h" 12#include "includes.h"
13RCSID("$OpenBSD: servconf.c,v 1.56 2001/01/07 11:28:06 markus Exp $"); 13RCSID("$OpenBSD: servconf.c,v 1.57 2001/01/08 22:29:05 markus Exp $");
14 14
15#include "ssh.h" 15#include "ssh.h"
16#include "servconf.h" 16#include "servconf.h"
@@ -78,6 +78,7 @@ initialize_server_options(ServerOptions *options)
78 options->max_startups_begin = -1; 78 options->max_startups_begin = -1;
79 options->max_startups_rate = -1; 79 options->max_startups_rate = -1;
80 options->max_startups = -1; 80 options->max_startups = -1;
81 options->banner = NULL;
81} 82}
82 83
83void 84void
@@ -198,6 +199,7 @@ typedef enum {
198 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 199 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
199 sIgnoreUserKnownHosts, sCiphers, sProtocol, sPidFile, 200 sIgnoreUserKnownHosts, sCiphers, sProtocol, sPidFile,
200 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, 201 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
202 sBanner
201} ServerOpCodes; 203} ServerOpCodes;
202 204
203/* Textual representation of the tokens. */ 205/* Textual representation of the tokens. */
@@ -257,6 +259,7 @@ static struct {
257 { "gatewayports", sGatewayPorts }, 259 { "gatewayports", sGatewayPorts },
258 { "subsystem", sSubsystem }, 260 { "subsystem", sSubsystem },
259 { "maxstartups", sMaxStartups }, 261 { "maxstartups", sMaxStartups },
262 { "banner", sBanner },
260 { NULL, 0 } 263 { NULL, 0 }
261}; 264};
262 265
@@ -697,6 +700,10 @@ parse_flag:
697 intptr = &options->max_startups; 700 intptr = &options->max_startups;
698 goto parse_int; 701 goto parse_int;
699 702
703 case sBanner:
704 charptr = &options->banner;
705 goto parse_filename;
706
700 default: 707 default:
701 fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n", 708 fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
702 filename, linenum, arg, opcode); 709 filename, linenum, arg, opcode);
diff --git a/servconf.h b/servconf.h
index 7d5016662..532b22f6e 100644
--- a/servconf.h
+++ b/servconf.h
@@ -11,7 +11,7 @@
11 * called by a name other than "ssh" or "Secure Shell". 11 * called by a name other than "ssh" or "Secure Shell".
12 */ 12 */
13 13
14/* RCSID("$OpenBSD: servconf.h,v 1.32 2000/12/19 23:17:58 markus Exp $"); */ 14/* RCSID("$OpenBSD: servconf.h,v 1.33 2001/01/08 22:29:05 markus Exp $"); */
15 15
16#ifndef SERVCONF_H 16#ifndef SERVCONF_H
17#define SERVCONF_H 17#define SERVCONF_H
@@ -104,6 +104,7 @@ typedef struct {
104 int max_startups_begin; 104 int max_startups_begin;
105 int max_startups_rate; 105 int max_startups_rate;
106 int max_startups; 106 int max_startups;
107 char *banner; /* SSH-2 banner message */
107 108
108} ServerOptions; 109} ServerOptions;
109/* 110/*
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 68593fe75..5d5427aad 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -8,7 +8,7 @@
8 */ 8 */
9 9
10#include "includes.h" 10#include "includes.h"
11RCSID("$OpenBSD: ssh-keyscan.c,v 1.6 2000/12/19 23:17:58 markus Exp $"); 11RCSID("$OpenBSD: ssh-keyscan.c,v 1.7 2001/01/08 22:03:23 markus Exp $");
12 12
13#if defined(HAVE_SYS_QUEUE_H) && !defined(HAVE_BOGUS_SYS_QUEUE_H) 13#if defined(HAVE_SYS_QUEUE_H) && !defined(HAVE_BOGUS_SYS_QUEUE_H)
14#include <sys/queue.h> 14#include <sys/queue.h>
@@ -310,7 +310,7 @@ tcpconnect(char *host)
310 error("socket: %s", strerror(errno)); 310 error("socket: %s", strerror(errno));
311 continue; 311 continue;
312 } 312 }
313 if (fcntl(s, F_SETFL, O_NDELAY) < 0) 313 if (fcntl(s, F_SETFL, O_NONBLOCK) < 0)
314 fatal("F_SETFL: %s", strerror(errno)); 314 fatal("F_SETFL: %s", strerror(errno));
315 if (connect(s, ai->ai_addr, ai->ai_addrlen) < 0 && 315 if (connect(s, ai->ai_addr, ai->ai_addrlen) < 0 &&
316 errno != EINPROGRESS) 316 errno != EINPROGRESS)
diff --git a/sshconnect1.c b/sshconnect1.c
index d6230529f..09d0210a9 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,7 +13,7 @@
13 */ 13 */
14 14
15#include "includes.h" 15#include "includes.h"
16RCSID("$OpenBSD: sshconnect1.c,v 1.13 2000/12/19 23:17:58 markus Exp $"); 16RCSID("$OpenBSD: sshconnect1.c,v 1.14 2001/01/08 21:55:41 markus Exp $");
17 17
18#include <openssl/bn.h> 18#include <openssl/bn.h>
19#include <openssl/dsa.h> 19#include <openssl/dsa.h>
@@ -62,7 +62,6 @@ try_agent_authentication()
62 return 0; 62 return 0;
63 63
64 challenge = BN_new(); 64 challenge = BN_new();
65 key = key_new(KEY_RSA1);
66 65
67 /* Loop through identities served by the agent. */ 66 /* Loop through identities served by the agent. */
68 for (key = ssh_get_first_identity(auth, &comment, 1); 67 for (key = ssh_get_first_identity(auth, &comment, 1);
@@ -125,6 +124,7 @@ try_agent_authentication()
125 124
126 /* The server returns success if it accepted the authentication. */ 125 /* The server returns success if it accepted the authentication. */
127 if (type == SSH_SMSG_SUCCESS) { 126 if (type == SSH_SMSG_SUCCESS) {
127 ssh_close_authentication_connection(auth);
128 BN_clear_free(challenge); 128 BN_clear_free(challenge);
129 debug("RSA authentication accepted by server."); 129 debug("RSA authentication accepted by server.");
130 return 1; 130 return 1;
@@ -134,6 +134,7 @@ try_agent_authentication()
134 packet_disconnect("Protocol error waiting RSA auth response: %d", 134 packet_disconnect("Protocol error waiting RSA auth response: %d",
135 type); 135 type);
136 } 136 }
137 ssh_close_authentication_connection(auth);
137 BN_clear_free(challenge); 138 BN_clear_free(challenge);
138 debug("RSA authentication using agent refused."); 139 debug("RSA authentication using agent refused.");
139 return 0; 140 return 0;
@@ -270,6 +271,8 @@ try_rsa_authentication(const char *authfile)
270 /* Expect the server to reject it... */ 271 /* Expect the server to reject it... */
271 packet_read_expect(&plen, SSH_SMSG_FAILURE); 272 packet_read_expect(&plen, SSH_SMSG_FAILURE);
272 xfree(comment); 273 xfree(comment);
274 key_free(private);
275 BN_clear_free(challenge);
273 return 0; 276 return 0;
274 } 277 }
275 /* Destroy the passphrase. */ 278 /* Destroy the passphrase. */
diff --git a/sshd.8 b/sshd.8
index d6232f4b2..fef26b50b 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: sshd.8,v 1.79 2001/01/07 11:28:07 markus Exp $ 37.\" $OpenBSD: sshd.8,v 1.80 2001/01/08 22:29:05 markus Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSHD 8 39.Dt SSHD 8
40.Os 40.Os
@@ -333,6 +333,13 @@ wildcards in the patterns.
333Only user names are valid; a numerical user ID isn't recognized. 333Only user names are valid; a numerical user ID isn't recognized.
334By default login is allowed regardless of the user name. 334By default login is allowed regardless of the user name.
335.Pp 335.Pp
336.It Cm Banner
337In some jurisdictions, sending a warning message before authentication
338may be relevant for getting legal protection.
339The contents of the specified file are sent to the remote user before
340authentication is allowed.
341This option is only available for protocol version 2.
342.Pp
336.It Cm Ciphers 343.It Cm Ciphers
337Specifies the ciphers allowed for protocol version 2. 344Specifies the ciphers allowed for protocol version 2.
338Multiple ciphers must be comma-separated. 345Multiple ciphers must be comma-separated.
diff --git a/sshd_config b/sshd_config
index 357c42502..26372ab16 100644
--- a/sshd_config
+++ b/sshd_config
@@ -56,3 +56,4 @@ CheckMail no
56# Uncomment if you want to enable sftp 56# Uncomment if you want to enable sftp
57#Subsystem sftp /usr/libexec/sftp-server 57#Subsystem sftp /usr/libexec/sftp-server
58#MaxStartups 10:30:60 58#MaxStartups 10:30:60
59#Banner /etc/issue.net
diff --git a/version.h b/version.h
index 7e07541a9..591fbdfc6 100644
--- a/version.h
+++ b/version.h
@@ -1,3 +1,3 @@
1/* $OpenBSD: version.h,v 1.13 2000/10/16 09:38:45 djm Exp $ */ 1/* $OpenBSD: version.h,v 1.16 2001/01/08 22:29:05 markus Exp $ */
2 2
3#define SSH_VERSION "OpenSSH_2.3.0p2" 3#define SSH_VERSION "OpenSSH_2.3.1p1"