diff options
Diffstat (limited to 'sshconnect.c')
-rw-r--r-- | sshconnect.c | 91 |
1 files changed, 57 insertions, 34 deletions
diff --git a/sshconnect.c b/sshconnect.c index 2f9496090..167b8e63a 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
@@ -10,7 +10,7 @@ | |||
10 | */ | 10 | */ |
11 | 11 | ||
12 | #include "includes.h" | 12 | #include "includes.h" |
13 | RCSID("$OpenBSD: sshconnect.c,v 1.61 2000/04/04 21:37:27 markus Exp $"); | 13 | RCSID("$OpenBSD: sshconnect.c,v 1.65 2000/04/12 07:56:16 markus Exp $"); |
14 | 14 | ||
15 | #ifdef HAVE_OPENSSL | 15 | #ifdef HAVE_OPENSSL |
16 | #include <openssl/bn.h> | 16 | #include <openssl/bn.h> |
@@ -993,7 +993,7 @@ void | |||
993 | ssh_exchange_identification() | 993 | ssh_exchange_identification() |
994 | { | 994 | { |
995 | char buf[256], remote_version[256]; /* must be same size! */ | 995 | char buf[256], remote_version[256]; /* must be same size! */ |
996 | int remote_major, remote_minor, i; | 996 | int remote_major, remote_minor, i, mismatch; |
997 | int connection_in = packet_get_connection_in(); | 997 | int connection_in = packet_get_connection_in(); |
998 | int connection_out = packet_get_connection_out(); | 998 | int connection_out = packet_get_connection_out(); |
999 | 999 | ||
@@ -1027,39 +1027,51 @@ ssh_exchange_identification() | |||
1027 | debug("Remote protocol version %d.%d, remote software version %.100s", | 1027 | debug("Remote protocol version %d.%d, remote software version %.100s", |
1028 | remote_major, remote_minor, remote_version); | 1028 | remote_major, remote_minor, remote_version); |
1029 | 1029 | ||
1030 | /*** XXX option for disabling 2.0 or 1.5 */ | ||
1031 | compat_datafellows(remote_version); | 1030 | compat_datafellows(remote_version); |
1032 | 1031 | mismatch = 0; | |
1033 | /* Check if the remote protocol version is too old. */ | 1032 | |
1034 | if (remote_major == 1 && remote_minor < 3) | 1033 | switch(remote_major) { |
1035 | fatal("Remote machine has too old SSH software version."); | 1034 | case 1: |
1036 | 1035 | if (remote_minor == 99 && | |
1037 | /* We speak 1.3, too. */ | 1036 | (options.protocol & SSH_PROTO_2) && |
1038 | if (remote_major == 1 && remote_minor == 3) { | 1037 | !(options.protocol & SSH_PROTO_1_PREFERRED)) { |
1039 | enable_compat13(); | 1038 | enable_compat20(); |
1040 | if (options.forward_agent) { | 1039 | break; |
1041 | log("Agent forwarding disabled for protocol 1.3"); | ||
1042 | options.forward_agent = 0; | ||
1043 | } | 1040 | } |
1041 | if (!(options.protocol & SSH_PROTO_1)) { | ||
1042 | mismatch = 1; | ||
1043 | break; | ||
1044 | } | ||
1045 | if (remote_minor < 3) { | ||
1046 | fatal("Remote machine has too old SSH software version."); | ||
1047 | } else if (remote_minor == 3) { | ||
1048 | /* We speak 1.3, too. */ | ||
1049 | enable_compat13(); | ||
1050 | if (options.forward_agent) { | ||
1051 | log("Agent forwarding disabled for protocol 1.3"); | ||
1052 | options.forward_agent = 0; | ||
1053 | } | ||
1054 | } | ||
1055 | break; | ||
1056 | case 2: | ||
1057 | if (options.protocol & SSH_PROTO_2) { | ||
1058 | enable_compat20(); | ||
1059 | break; | ||
1060 | } | ||
1061 | /* FALLTHROUGH */ | ||
1062 | default: | ||
1063 | mismatch = 1; | ||
1064 | break; | ||
1044 | } | 1065 | } |
1045 | if ((remote_major == 2 && remote_minor == 0) || | 1066 | if (mismatch) |
1046 | (remote_major == 1 && remote_minor == 99)) { | ||
1047 | enable_compat20(); | ||
1048 | } | ||
1049 | #if 0 | ||
1050 | /* | ||
1051 | * Removed for now, to permit compatibility with latter versions. The | ||
1052 | * server will reject our version and disconnect if it doesn't | ||
1053 | * support it. | ||
1054 | */ | ||
1055 | if (remote_major != PROTOCOL_MAJOR) | ||
1056 | fatal("Protocol major versions differ: %d vs. %d", | 1067 | fatal("Protocol major versions differ: %d vs. %d", |
1057 | PROTOCOL_MAJOR, remote_major); | 1068 | (options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, |
1058 | #endif | 1069 | remote_major); |
1070 | |||
1059 | /* Send our own protocol version identification. */ | 1071 | /* Send our own protocol version identification. */ |
1060 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", | 1072 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", |
1061 | compat20 ? 2 : PROTOCOL_MAJOR, | 1073 | compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, |
1062 | compat20 ? 0 : PROTOCOL_MINOR, | 1074 | compat20 ? PROTOCOL_MINOR_2 : PROTOCOL_MINOR_1, |
1063 | SSH_VERSION); | 1075 | SSH_VERSION); |
1064 | if (atomicio(write, connection_out, buf, strlen(buf)) != strlen(buf)) | 1076 | if (atomicio(write, connection_out, buf, strlen(buf)) != strlen(buf)) |
1065 | fatal("write: %.100s", strerror(errno)); | 1077 | fatal("write: %.100s", strerror(errno)); |
@@ -1350,11 +1362,15 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
1350 | /* KEXINIT */ | 1362 | /* KEXINIT */ |
1351 | 1363 | ||
1352 | debug("Sending KEX init."); | 1364 | debug("Sending KEX init."); |
1353 | if (options.cipher == SSH_CIPHER_ARCFOUR || | 1365 | if (options.ciphers != NULL) { |
1366 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = | ||
1367 | myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; | ||
1368 | } else if ( | ||
1369 | options.cipher == SSH_CIPHER_ARCFOUR || | ||
1354 | options.cipher == SSH_CIPHER_3DES_CBC || | 1370 | options.cipher == SSH_CIPHER_3DES_CBC || |
1355 | options.cipher == SSH_CIPHER_CAST128_CBC || | 1371 | options.cipher == SSH_CIPHER_CAST128_CBC || |
1356 | options.cipher == SSH_CIPHER_BLOWFISH_CBC) { | 1372 | options.cipher == SSH_CIPHER_BLOWFISH_CBC) { |
1357 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = cipher_name(options.cipher); | 1373 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = |
1358 | myproposal[PROPOSAL_ENC_ALGS_STOC] = cipher_name(options.cipher); | 1374 | myproposal[PROPOSAL_ENC_ALGS_STOC] = cipher_name(options.cipher); |
1359 | } | 1375 | } |
1360 | if (options.compression) { | 1376 | if (options.compression) { |
@@ -1404,7 +1420,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
1404 | debug("Sending SSH2_MSG_KEXDH_INIT."); | 1420 | debug("Sending SSH2_MSG_KEXDH_INIT."); |
1405 | 1421 | ||
1406 | /* generate and send 'e', client DH public key */ | 1422 | /* generate and send 'e', client DH public key */ |
1407 | dh = new_dh_group1(); | 1423 | dh = dh_new_group1(); |
1408 | packet_start(SSH2_MSG_KEXDH_INIT); | 1424 | packet_start(SSH2_MSG_KEXDH_INIT); |
1409 | packet_put_bignum2(dh->pub_key); | 1425 | packet_put_bignum2(dh->pub_key); |
1410 | packet_send(); | 1426 | packet_send(); |
@@ -1451,6 +1467,9 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
1451 | /* signed H */ | 1467 | /* signed H */ |
1452 | signature = packet_get_string(&slen); | 1468 | signature = packet_get_string(&slen); |
1453 | 1469 | ||
1470 | if (!dh_pub_is_valid(dh, dh_server_pub)) | ||
1471 | packet_disconnect("bad server public DH value"); | ||
1472 | |||
1454 | klen = DH_size(dh); | 1473 | klen = DH_size(dh); |
1455 | kbuf = xmalloc(klen); | 1474 | kbuf = xmalloc(klen); |
1456 | kout = DH_compute_key(kbuf, dh_server_pub, dh); | 1475 | kout = DH_compute_key(kbuf, dh_server_pub, dh); |
@@ -1507,12 +1526,13 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
1507 | packet_write_wait(); | 1526 | packet_write_wait(); |
1508 | debug("done: send SSH2_MSG_NEWKEYS."); | 1527 | debug("done: send SSH2_MSG_NEWKEYS."); |
1509 | 1528 | ||
1529 | #ifdef DEBUG_KEXDH | ||
1510 | /* send 1st encrypted/maced/compressed message */ | 1530 | /* send 1st encrypted/maced/compressed message */ |
1511 | packet_start(SSH2_MSG_IGNORE); | 1531 | packet_start(SSH2_MSG_IGNORE); |
1512 | packet_put_cstring("markus"); | 1532 | packet_put_cstring("markus"); |
1513 | packet_send(); | 1533 | packet_send(); |
1514 | packet_write_wait(); | 1534 | packet_write_wait(); |
1515 | 1535 | #endif | |
1516 | debug("done: KEX2."); | 1536 | debug("done: KEX2."); |
1517 | } | 1537 | } |
1518 | /* | 1538 | /* |
@@ -1527,6 +1547,7 @@ ssh_userauth2(int host_key_valid, RSA *own_host_key, | |||
1527 | unsigned int dlen; | 1547 | unsigned int dlen; |
1528 | int partial; | 1548 | int partial; |
1529 | struct passwd *pw; | 1549 | struct passwd *pw; |
1550 | char prompt[80]; | ||
1530 | char *server_user, *local_user; | 1551 | char *server_user, *local_user; |
1531 | char *auths; | 1552 | char *auths; |
1532 | char *password; | 1553 | char *password; |
@@ -1578,7 +1599,9 @@ ssh_userauth2(int host_key_valid, RSA *own_host_key, | |||
1578 | fatal("passwd auth not supported: %s", auths); | 1599 | fatal("passwd auth not supported: %s", auths); |
1579 | xfree(auths); | 1600 | xfree(auths); |
1580 | /* try passwd */ | 1601 | /* try passwd */ |
1581 | password = read_passphrase("password: ", 0); | 1602 | snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ", |
1603 | server_user, host); | ||
1604 | password = read_passphrase(prompt, 0); | ||
1582 | packet_start(SSH2_MSG_USERAUTH_REQUEST); | 1605 | packet_start(SSH2_MSG_USERAUTH_REQUEST); |
1583 | packet_put_cstring(server_user); | 1606 | packet_put_cstring(server_user); |
1584 | packet_put_cstring(service); | 1607 | packet_put_cstring(service); |