From 5efd43088bc1f6f7b3a7d78fd2ed82ee1cbd6ad5 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 20 Mar 2003 11:05:10 +1100 Subject: Build gtk2 askpass by default (instead of old GNOME one) --- contrib/redhat/openssh.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 1b7add2cf..f71c0b261 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -21,7 +21,7 @@ %define scard 0 # Use GTK2 instead of GNOME in gnome-ssh-askpass -%define gtk2 0 +%define gtk2 1 # Is this build for RHL 6.x? %define build6x 0 -- cgit v1.2.3 From 5bd6eb71daf357f544a6b4d4c7c3cbbbe12b4edf Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Fri, 21 Mar 2003 00:34:34 +0000 Subject: - (bal) The days of lack of int64_t support are over. Sorry kids. --- ChangeLog | 3 ++- Makefile.in | 14 ++++++-------- configure.ac | 17 ++++++----------- 3 files changed, 14 insertions(+), 20 deletions(-) diff --git a/ChangeLog b/ChangeLog index 52b6650a6..d35c4e42e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,7 @@ - markus@cvs.openbsd.org 2003/03/17 11:43:47 [version.h] enter 3.6 + - (bal) The days of lack of int64_t support are over. Sorry kids. 20030318 - (tim) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] @@ -1231,4 +1232,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2633 2003/03/19 23:11:34 djm Exp $ +$Id: ChangeLog,v 1.2634 2003/03/21 00:34:34 mouring Exp $ diff --git a/Makefile.in b/Makefile.in index 350b417f1..6702eb96e 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.227 2003/02/24 23:22:36 djm Exp $ +# $Id: Makefile.in,v 1.228 2003/03/21 00:34:34 mouring Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
@@ -58,9 +58,7 @@ EXEEXT=@EXEEXT@ INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ -@NO_SFTP@SFTP_PROGS=sftp-server$(EXEEXT) sftp$(EXEEXT) - -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} $(SFTP_PROGS) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \ cipher.o compat.o compress.o crc32.o deattack.o fatal.o \ @@ -247,8 +245,8 @@ install-files: scard-install $(INSTALL) -m 0755 $(STRIP_OPT) ssh-rand-helper $(DESTDIR)$(libexecdir)/ssh-rand-helper ; \ fi $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign $(DESTDIR)$(SSH_KEYSIGN) - @NO_SFTP@$(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp - @NO_SFTP@$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER) + $(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp + $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER) $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 
@@ -261,8 +259,8 @@ install-files: scard-install if [ ! -z "$(INSTALL_SSH_RAND_HELPER)" ]; then \ $(INSTALL) -m 644 ssh-rand-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 ; \ fi - @NO_SFTP@$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 - @NO_SFTP@$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 + $(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 + $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(bindir)/slogin ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin diff --git a/configure.ac b/configure.ac index 83575758f..aa2f3db2a 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.111 2003/03/18 18:21:41 tim Exp $ +# $Id: configure.ac,v 1.112 2003/03/21 00:34:34 mouring Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -1485,12 +1485,14 @@ fi AC_CHECK_TYPES(struct timespec) -# If we don't have int64_t then we can't compile sftp-server. So don't -# even attempt to do it. +# We need int64_t or else certian parts of the compile will fail. if test "x$ac_cv_have_int64_t" = "xno" -a \ "x$ac_cv_sizeof_long_int" != "x8" -a \ "x$ac_cv_sizeof_long_long_int" = "x0" ; then - NO_SFTP='#' + echo "OpenSSH requires int64_t support. Contact your vendor or install" + echo "an alternative compiler (I.E., GCC) before continuing." + echo "" + exit 1; else dnl test snprintf (broken on SCO w/gcc) AC_TRY_RUN( @@ -1520,7 +1522,6 @@ main() { exit(0); } ], [ true ], [ AC_DEFINE(BROKEN_SNPRINTF) ] ) fi -AC_SUBST(NO_SFTP) dnl Checks for structure members OSSH_CHECK_HEADER_FOR_FIELD(ut_host, utmp.h, HAVE_HOST_IN_UTMP) 
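Review bot: In the configure.ac hunk at -1485, the new int64_t failure path reports with `echo` and then runs `exit 1;`, so the reason goes to stdout only and is not recorded in config.log. `AC_MSG_ERROR([OpenSSH requires int64_t support. Contact your vendor or install an alternative compiler (e.g. GCC) before continuing.])` is the usual form and aborts the same way. The new comment also misspells "certain" as `certian`. Since the failing branch no longer falls through, the `else` wrapping the snprintf test is redundant; the rest of that test lies outside the hunk.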
@@ -2555,12 +2556,6 @@ if test "x$PAM_MSG" = "xyes" ; then echo "" fi -if test ! -z "$NO_SFTP"; then - echo "sftp-server will be disabled. Your compiler does not " - echo "support 64bit integers." - echo "" -fi - if test ! -z "$RAND_HELPER_CMDHASH" ; then echo "WARNING: you are using the builtin random number collection " echo "service. Please read WARNING.RNG and request that your OS " -- cgit v1.2.3 From d54d9382a48355294a6bb2e1e847e0a48fd8c19f Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Fri, 21 Mar 2003 00:55:32 +0000 Subject: - (bal) scp.c 'limit' conflicts with Cray. Rename to 'limitbw' --- ChangeLog | 3 ++- scp.c | 10 +++++----- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index d35c4e42e..fa3a64deb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,7 @@ [version.h] enter 3.6 - (bal) The days of lack of int64_t support are over. Sorry kids. + - (bal) scp.c 'limit' conflicts with Cray. Rename to 'limitbw' 20030318 - (tim) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] @@ -1232,4 +1233,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2634 2003/03/21 00:34:34 mouring Exp $ +$Id: ChangeLog,v 1.2635 2003/03/21 00:55:32 mouring Exp $ diff --git a/scp.c b/scp.c index ab67c0bb8..35d4c5f71 100644 --- a/scp.c +++ b/scp.c @@ -96,7 +96,7 @@ void bwlimit(int); arglist args; /* Bandwidth limit */ -off_t limit = 0; +off_t limitbw = 0; /* Name of current file being transferred. */ char *curfile; @@ -251,7 +251,7 @@ main(argc, argv) speed = strtod(optarg, &endp); if (speed <= 0 || *endp != '\0') usage(); - limit = speed * 1024; + limitbw = speed * 1024; break; case 'p': pflag = 1; @@ -594,7 +594,7 @@ next: (void) close(fd); haderr = result >= 0 ? EIO : errno; statbytes += result; } - if (limit) + if (limitbw) bwlimit(amt); } if (showprogress) 
@@ -688,7 +688,7 @@ bwlimit(int amount) return; lamt *= 8; - wait = (double)1000000L * lamt / limit; + wait = (double)1000000L * lamt / limitbw; bwstart.tv_sec = wait / 1000000L; bwstart.tv_usec = wait % 1000000L; @@ -917,7 +917,7 @@ bad: run_err("%s: %s", np, strerror(errno)); statbytes += j; } while (amt > 0); - if (limit) + if (limitbw) bwlimit(4096); if (count == bp->cnt) { -- cgit v1.2.3 From a5a2648b81c9347c241c37e6cba78f1df47e9320 Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Fri, 21 Mar 2003 01:05:37 +0000 Subject: - (bal) Collection of Cray patches (bsd-cray.h fix for CRAYT3E and improved guessing rules) --- ChangeLog | 4 +++- config.guess | 3 +++ config.sub | 5 ++++- openbsd-compat/bsd-cray.h | 4 +++- 4 files changed, 13 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index fa3a64deb..830136ac7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,8 @@ enter 3.6 - (bal) The days of lack of int64_t support are over. Sorry kids. - (bal) scp.c 'limit' conflicts with Cray. Rename to 'limitbw' + - (bal) Collection of Cray patches (bsd-cray.h fix for CRAYT3E and improved + guessing rules) 20030318 - (tim) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] @@ -1233,4 +1235,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2635 2003/03/21 00:55:32 mouring Exp $ +$Id: ChangeLog,v 1.2636 2003/03/21 01:05:37 mouring Exp $ diff --git a/config.guess b/config.guess index fd30ab031..e8f206123 100755 --- a/config.guess +++ b/config.guess @@ -726,6 +726,9 @@ EOF CRAY*SV1:*:*:*) echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit 0 ;; + *:UNICOS/mp:*:*) + echo nv1-cray-unicosmp | sed -e 's/\.[^.]*$/.X/' + exit 0 ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` 
diff --git a/config.sub b/config.sub index a03c1d15a..a0b7bb9e8 100755 --- a/config.sub +++ b/config.sub @@ -315,7 +315,7 @@ case $basic_machine in | mipsisa64-* | mipsisa64el-* \ | mipsisa64sb1-* | mipsisa64sb1el-* \ | mipstx39 | mipstx39el \ - | none-* | np1-* | ns16k-* | ns32k-* \ + | none-* | np1-* | ns16k-* | ns32k-* | nv1-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \ @@ -715,6 +715,9 @@ case $basic_machine in nsr-tandem) basic_machine=nsr-tandem ;; + nv1) + basic_machine=nv1-cray + ;; op50n-* | op60c-*) basic_machine=hppa1.1-oki os=-proelf diff --git a/openbsd-compat/bsd-cray.h b/openbsd-compat/bsd-cray.h index 9a15cb251..a09954f2f 100644 --- a/openbsd-compat/bsd-cray.h +++ b/openbsd-compat/bsd-cray.h @@ -1,5 +1,5 @@ /* - * $Id: bsd-cray.h,v 1.6 2003/01/27 21:15:11 mouring Exp $ + * $Id: bsd-cray.h,v 1.7 2003/03/21 01:05:38 mouring Exp $ * * bsd-cray.h * @@ -49,8 +49,10 @@ extern char cray_tmpdir[]; /* cray tmpdir */ #ifndef MAXHOSTNAMELEN #define MAXHOSTNAMELEN 64 #endif +#ifndef _CRAYT3E #include #define TIOCGPGRP (tIOC|20) #endif +#endif #endif /* _BSD_CRAY_H */ -- cgit v1.2.3 From c8c548d24883eaff20ea1665022ee92bd0632e29 Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Fri, 21 Mar 2003 01:18:09 +0000 Subject: - (bal) Disable Privsep for Tru64 after pre-authentication due to issues with SIA. Also, clean up of tru64 support patch by Chris Adams --- ChangeLog | 5 ++++- README.privsep | 6 +++++- auth-sia.c | 47 ++++++++++++++++------------------------------- auth-sia.h | 2 +- configure.ac | 3 ++- session.c | 2 +- 6 files changed, 29 insertions(+), 36 deletions(-) diff --git a/ChangeLog b/ChangeLog index 830136ac7..93b0c99db 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -10,6 +10,9 @@ - (bal) scp.c 'limit' conflicts with Cray. Rename to 'limitbw' - (bal) Collection of Cray patches (bsd-cray.h fix for CRAYT3E and improved guessing rules) + - (bal) Disable Privsep for Tru64 after pre-authentication due to issues + with SIA. Also, clean up of tru64 support patch by Chris Adams + 20030318 - (tim) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] @@ -1235,4 +1238,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2636 2003/03/21 01:05:37 mouring Exp $ +$Id: ChangeLog,v 1.2637 2003/03/21 01:18:09 mouring Exp $ diff --git a/README.privsep b/README.privsep index ced943f26..e8bf1db34 100644 --- a/README.privsep +++ b/README.privsep @@ -43,6 +43,10 @@ It does not function on HP-UX with a trusted system configuration. PAMAuthenticationViaKbdInt does not function with privsep. +On Compaq Tru64 Unix, only the pre-authentication part of privsep is +supported. Post-authentication privsep is disabled automatically (so +you won't see the additional process mentioned below). + Note that for a normal interactive login with a shell, enabling privsep will require 1 additional process per login session. @@ -58,4 +62,4 @@ process 1005 is the sshd process listening for new connections. process 6917 is the privileged monitor process, 6919 is the user owned sshd process and 6921 is the shell process. -$Id: README.privsep,v 1.10 2002/06/26 00:43:57 stevesk Exp $ +$Id: README.privsep,v 1.11 2003/03/21 01:18:09 mouring Exp $ diff --git a/auth-sia.c b/auth-sia.c index 071e154d8..5c9b3f5de 100644 --- a/auth-sia.c +++ b/auth-sia.c 
@@ -45,27 +45,25 @@ extern ServerOptions options; extern int saved_argc; extern char **saved_argv; -extern int errno; - int auth_sia_password(Authctxt *authctxt, char *pass) { int ret; SIAENTITY *ent = NULL; const char *host; - char *user = authctxt->user; host = get_canonical_hostname(options.verify_reverse_mapping); - if (pass[0] == '\0') + if (!authctxt->user || !pass || pass[0] == '\0') return(0); - if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0, - NULL) != SIASUCCESS) + if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user, + NULL, 0, NULL) != SIASUCCESS) return(0); if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { - error("Couldn't authenticate %s from %s", user, host); + error("Couldn't authenticate %s from %s", authctxt->user, + host); if (ret & SIASTOP) sia_ses_release(&ent); return(0); 
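Review bot: In auth-sia.c's auth_sia_password hunk, the widened guard `if (!authctxt->user || !pass || pass[0] == '\0') return(0);` rejects every empty password on the SIA path, but nothing at the call says this is intended. A one-line comment above it, such as `/* SIA path: a missing user or an empty password always fails, before any entity is created */`, would make that explicit for anyone auditing empty-password handling. `authctxt` itself is still dereferenced unchecked, which is safe only if every caller passes a valid context; the callers are not visible in this patch.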
@@ -77,48 +75,35 @@ auth_sia_password(Authctxt *authctxt, char *pass) } void -session_setup_sia(char *user, char *tty) +session_setup_sia(struct passwd *pw, char *tty) { - struct passwd *pw; SIAENTITY *ent = NULL; const char *host; - host = get_canonical_hostname (options.verify_reverse_mapping); + host = get_canonical_hostname(options.verify_reverse_mapping); - if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, - NULL) != SIASUCCESS) { + if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name, tty, + 0, NULL) != SIASUCCESS) fatal("sia_ses_init failed"); - } - if ((pw = getpwnam(user)) == NULL) { - sia_ses_release(&ent); - fatal("getpwnam: no user: %s", user); - } if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) { sia_ses_release(&ent); fatal("sia_make_entity_pwd failed"); } ent->authtype = SIA_A_NONE; - if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) { - fatal("Couldn't establish session for %s from %s", user, - host); - } - - if (setpriority(PRIO_PROCESS, 0, 0) == -1) { - sia_ses_release(&ent); - fatal("setpriority: %s", strerror (errno)); - } + if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) + fatal("Couldn't establish session for %s from %s", + pw->pw_name, host); - if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) { - fatal("Couldn't launch session for %s from %s", user, host); - } + if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) + fatal("Couldn't launch session for %s from %s", pw->pw_name, + host); sia_ses_release(&ent); - if (setreuid(geteuid(), geteuid()) < 0) { + if (setreuid(geteuid(), geteuid()) < 0) fatal("setreuid: %s", strerror(errno)); - } } #endif /* HAVE_OSF_SIA */ diff --git a/auth-sia.h b/auth-sia.h index caa584132..7aecce940 100644 --- a/auth-sia.h +++ b/auth-sia.h @@ -27,6 +27,6 @@ #ifdef HAVE_OSF_SIA int auth_sia_password(Authctxt *authctxt, char *pass); -void session_setup_sia(char *user, char *tty); +void session_setup_sia(struct passwd *pw, char *tty); #endif /* HAVE_OSF_SIA */ 
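Review bot: In auth-sia.c's session_setup_sia hunk, the closing `setreuid(geteuid(), geteuid())` pins the real uid to whatever effective uid sia_ses_launch() left behind and never confirms that it is the target user's. Now that the caller's `struct passwd *pw` is in scope, a check right after it such as `if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("uid mismatch after SIA session launch");` would catch a launch that reported success without switching identity. The function also dereferences `pw->pw_name` with no NULL check, whereas the removed getpwnam() lookup failed closed with fatal(). A comment should state that callers must pass a non-NULL entry.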
diff --git a/configure.ac b/configure.ac index aa2f3db2a..47fef0cbe 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.112 2003/03/21 00:34:34 mouring Exp $ +# $Id: configure.ac,v 1.113 2003/03/21 01:18:09 mouring Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -331,6 +331,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_MSG_RESULT(yes) AC_DEFINE(HAVE_OSF_SIA) AC_DEFINE(DISABLE_LOGIN) + AC_DEFINE(DISABLE_FD_PASSING) LIBS="$LIBS -lsecurity -ldb -lm -laud" else AC_MSG_RESULT(no) diff --git a/session.c b/session.c index ce9db27ef..c75fea966 100644 --- a/session.c +++ b/session.c @@ -1321,7 +1321,7 @@ do_child(Session *s, const char *command) */ if (!options.use_login) { #ifdef HAVE_OSF_SIA - session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty); + session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty); if (!check_quietlogin(s, command)) do_motd(); #else /* HAVE_OSF_SIA */ -- cgit v1.2.3 From 009b23f6ab8ee16480228bd12b50c76e037c9094 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 20 Mar 2003 20:50:41 -0800 Subject: [contrib/caldera/openssh.spec] workaround RPM quirk. Fix %files section --- ChangeLog | 3 ++- contrib/caldera/openssh.spec | 8 ++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 93b0c99db..e89d22d85 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,7 @@ - (bal) Disable Privsep for Tru64 after pre-authentication due to issues with SIA. Also, clean up of tru64 support patch by Chris Adams + - (tim) [contrib/caldera/openssh.spec] workaround RPM quirk. Fix %files 20030318 - (tim) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] @@ -1238,4 +1239,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2637 2003/03/21 01:18:09 mouring Exp $ +$Id: ChangeLog,v 1.2638 2003/03/21 04:50:41 tim Exp $ diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index c67e19e3f..3a76231ad 100644 
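Review bot: In the configure.ac hunk at -331, `AC_DEFINE(DISABLE_FD_PASSING)` is added with nothing at the define saying that it reduces privilege-separation coverage on this platform. The reason appears only in the commit message and README.privsep. A comment beside it, for example `# SIA session setup does not work under post-auth privsep; only pre-auth privsep is kept on Tru64`, would keep the trade-off visible to whoever next edits this case branch. How the macro is consumed is not shown in this patch, so the wording should be checked against sshd's use of it.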
--- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -198,7 +198,7 @@ xmkmf %Install [ %{buildroot} != "/" ] && rm -rf %{buildroot} -%makeinstall +make install DESTDIR=%{buildroot} %makeinstall -C %{askpass} \ BINDIR=%{_libexecdir} \ MANPATH=%{_mandir} \ @@ -325,6 +325,7 @@ fi %{_bindir}/ssh-keygen %{_bindir}/ssh-keyscan %dir %{_libexecdir} +%attr(4711,root,root) %{_libexecdir}/ssh-keysign %{_sbindir}/ssh-host-keygen %dir %{_defaultdocdir}/%{name}-%{version} %{_defaultdocdir}/%{name}-%{version}/CREDITS @@ -335,6 +336,8 @@ fi %{_defaultdocdir}/%{name}-%{version}/TODO %{_defaultdocdir}/%{name}-%{version}/faq.html %{_mandir}/man1/* +%{_mandir}/man8/ssh-keysign.8.gz +%{_mandir}/man5/ssh_config.5.gz %Files server %defattr(-,root,root) @@ -346,6 +349,7 @@ fi %config %{SVIcdir}/sshd %{_libexecdir}/sftp-server %{_sbindir}/sshd +%{_mandir}/man5/sshd_config.5.gz %{_mandir}/man8/sftp-server.8.gz %{_mandir}/man8/sshd.8.gz @@ -360,4 +364,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.40 2003/03/19 23:52:14 djm Exp $ +$Id: openssh.spec,v 1.41 2003/03/21 04:50:41 tim Exp $ -- cgit v1.2.3 From b062c293e084f16df3d09f9db510be4ddec6d2d6 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 24 Mar 2003 09:12:09 +1100 Subject: - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2003/03/23 19:02:00 [monitor.c] unbreak rekeying for privsep; ok millert@ --- ChangeLog | 9 ++++++++- monitor.c | 4 +++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e89d22d85..e81691f87 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20030324 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/03/23 19:02:00 + [monitor.c] + unbreak rekeying for privsep; ok millert@ + - Release 3.6p1 + 20030320 - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2003/03/17 10:38:38 
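Review bot: In the %files hunk of contrib/caldera/openssh.spec, `%attr(4711,root,root) %{_libexecdir}/ssh-keysign` adds a setuid-root binary to the base client package with no comment on why the mode is needed. A line above it such as `# setuid root so it can read the host private keys for hostbased authentication` would help packagers and anyone auditing setuid files on the system. The mode matches the `-m 4711` install line visible in Makefile.in, and the comment could say so to keep the two in step.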
@@ -1239,4 +1246,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2638 2003/03/21 04:50:41 tim Exp $ +$Id: ChangeLog,v 1.2639 2003/03/23 22:12:09 djm Exp $ diff --git a/monitor.c b/monitor.c index 2b4168831..3d7dcaf86 100644 --- a/monitor.c +++ b/monitor.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.33 2003/03/05 22:33:43 markus Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.34 2003/03/23 19:02:00 markus Exp $"); #include @@ -1466,6 +1466,8 @@ mm_get_kex(Buffer *m) (memcmp(kex->session_id, session_id2, session_id2_len) != 0)) fatal("mm_get_get: internal error: bad session id"); kex->we_need = buffer_get_int(m); + kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; + kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->server = 1; kex->hostkey_type = buffer_get_int(m); kex->kex_type = buffer_get_int(m); -- cgit v1.2.3 From 62b6b17080f24da1513e41e426064fdc2e53cf23 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 24 Mar 2003 13:35:58 +1100 Subject: - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au --- ChangeLog | 4 +++- openbsd-compat/fake-getaddrinfo.c | 8 ++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index e81691f87..baba423e1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,8 @@ [monitor.c] unbreak rekeying for privsep; ok millert@ - Release 3.6p1 + - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. + Report from murple@murple.net, diagnosis from dtucker@zip.com.au 20030320 - (djm) OpenBSD CVS Sync @@ -1246,4 +1248,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2639 2003/03/23 22:12:09 djm Exp $ +$Id: ChangeLog,v 1.2640 2003/03/24 02:35:58 djm Exp $ diff --git a/openbsd-compat/fake-getaddrinfo.c b/openbsd-compat/fake-getaddrinfo.c index e04776606..e63bda970 100644 
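Review bot: In monitor.c's mm_get_kex hunk, the added assignments `kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;` and `kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;` carry no comment on why the handler table must be rebuilt here. Something like `/* handler pointers are not part of the state read from the buffer; reinstall them so rekeying works */` would record that, though it should be checked against what the sending side serializes, which is outside this hunk. The list also has to be kept in step by hand with wherever the server first fills `kex->kex[]`, so the comment should name that place to stop a later key-exchange method being missed. The function body starts and ends outside the hunk.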
--- a/openbsd-compat/fake-getaddrinfo.c +++ b/openbsd-compat/fake-getaddrinfo.c @@ -12,7 +12,7 @@ #include "includes.h" #include "ssh.h" -RCSID("$Id: fake-getaddrinfo.c,v 1.4 2003/02/24 01:35:09 djm Exp $"); +RCSID("$Id: fake-getaddrinfo.c,v 1.5 2003/03/24 02:35:59 djm Exp $"); #ifndef HAVE_GAI_STRERROR char *gai_strerror(int ecode) @@ -71,6 +71,7 @@ int getaddrinfo(const char *hostname, const char *servname, struct in_addr in; int i; long int port; + u_long addr; port = 0; if (servname != NULL) { @@ -86,7 +87,10 @@ int getaddrinfo(const char *hostname, const char *servname, } if (hints && hints->ai_flags & AI_PASSIVE) { - if (NULL != (*res = malloc_ai(port, htonl(0x00000000)))) + addr = htonl(0x00000000); + if (hostname && inet_aton(hostname, &in) != 0) + addr = in.s_addr; + if (NULL != (*res = malloc_ai(port, addr))) return 0; else return EAI_MEMORY; -- cgit v1.2.3 From 68d893dfed6d29c92410296c19f425c95fe9fbb8 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 25 Mar 2003 09:07:52 +1100 Subject: - (djm) Fix getpeerid support for 64 bit BE systems. From Arnd Bergmann --- ChangeLog | 6 +++++- openbsd-compat/bsd-getpeereid.c | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index baba423e1..26e174cf8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20030325 + - (djm) Fix getpeerid support for 64 bit BE systems. From + Arnd Bergmann + 20030324 - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2003/03/23 19:02:00 @@ -1248,4 +1252,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2640 2003/03/24 02:35:58 djm Exp $ +$Id: ChangeLog,v 1.2641 2003/03/24 22:07:52 djm Exp $ diff --git a/openbsd-compat/bsd-getpeereid.c b/openbsd-compat/bsd-getpeereid.c index c7876823d..bcda2c155 100644 --- a/openbsd-compat/bsd-getpeereid.c +++ b/openbsd-compat/bsd-getpeereid.c 
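Review bot: In fake-getaddrinfo.c's AI_PASSIVE hunk, a non-NULL `hostname` that inet_aton() cannot parse is silently ignored and `addr` stays `htonl(0x00000000)`. A misspelt or non-numeric BindAddress therefore makes the listener bind to every interface instead of failing. The passive branch should return an error in that case, e.g. `if (hostname && inet_aton(hostname, &in) == 0) return EAI_NODATA;` before the malloc_ai() call (or whichever EAI_* code this file already uses for a failed lookup), keeping the wildcard only for `hostname == NULL`. The rest of getaddrinfo() lies outside the hunk, so falling through to its name-resolution path may be the better fit.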
@@ -24,7 +24,7 @@ #include "includes.h" -RCSID("$Id: bsd-getpeereid.c,v 1.1 2002/09/12 00:33:02 djm Exp $"); +RCSID("$Id: bsd-getpeereid.c,v 1.2 2003/03/24 22:07:52 djm Exp $"); #if !defined(HAVE_GETPEEREID) @@ -33,7 +33,7 @@ int getpeereid(int s, uid_t *euid, gid_t *gid) { struct ucred cred; - size_t len = sizeof(cred); + socklen_t len = sizeof(cred); if (getsockopt(s, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0) return (-1); -- cgit v1.2.3 From b3207e8061c00791d40b3cc01bd352e002068255 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 26 Mar 2003 16:01:11 +1100 Subject: - (djm) OpenBSD CVS Sync - deraadt@cvs.openbsd.org 2003/03/26 04:02:51 [sftp-server.c] one last fix to the tree: race fix broke stuff; pr 3169; srp@srparish.net, help from djm --- ChangeLog | 9 ++++++++- sftp-server.c | 29 ++++++++++++++++++++--------- 2 files changed, 28 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index 26e174cf8..ac1ce7e07 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20030326 + - (djm) OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2003/03/26 04:02:51 + [sftp-server.c] + one last fix to the tree: race fix broke stuff; pr 3169; + srp@srparish.net, help from djm + 20030325 - (djm) Fix getpeerid support for 64 bit BE systems. From Arnd Bergmann @@ -1252,4 +1259,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2641 2003/03/24 22:07:52 djm Exp $ +$Id: ChangeLog,v 1.2642 2003/03/26 05:01:11 djm Exp $ diff --git a/sftp-server.c b/sftp-server.c index 0c00003f8..9a66b4de7 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -22,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: sftp-server.c,v 1.40 2003/03/05 22:33:43 markus Exp $"); +RCSID("$OpenBSD: sftp-server.c,v 1.41 2003/03/26 04:02:51 deraadt Exp $"); #include "buffer.h" #include "bufaux.h" 
@@ -836,20 +836,31 @@ process_rename(void) u_int32_t id; char *oldpath, *newpath; int status; + struct stat sb; id = get_int(); oldpath = get_string(NULL); newpath = get_string(NULL); TRACE("rename id %u old %s new %s", id, oldpath, newpath); - /* fail if 'newpath' exists */ - if (link(oldpath, newpath) == -1) + status = SSH2_FX_FAILURE; + if (lstat(oldpath, &sb) == -1) status = errno_to_portable(errno); - else if (unlink(oldpath) == -1) { - status = errno_to_portable(errno); - /* clean spare link */ - unlink(newpath); - } else - status = SSH2_FX_OK; + else if (S_ISREG(sb.st_mode)) { + /* Race-free rename of regular files */ + if (link(oldpath, newpath) == -1) + status = errno_to_portable(errno); + else if (unlink(oldpath) == -1) { + status = errno_to_portable(errno); + /* clean spare link */ + unlink(newpath); + } else + status = SSH2_FX_OK; + } else if (stat(newpath, &sb) == -1) { + if (rename(oldpath, newpath) == -1) + status = errno_to_portable(errno); + else + status = SSH2_FX_OK; + } send_status(id, status); xfree(oldpath); xfree(newpath); -- cgit v1.2.3 From f18462f5bff7265d151f9367d4dd2632a0b0fb25 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 1 Apr 2003 21:31:56 +1000 Subject: license from samba --- openbsd-compat/bsd-snprintf.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/openbsd-compat/bsd-snprintf.c b/openbsd-compat/bsd-snprintf.c index 1c72ea61d..2f82180d1 100644 --- a/openbsd-compat/bsd-snprintf.c +++ b/openbsd-compat/bsd-snprintf.c @@ -1,3 +1,10 @@ +/* + * Copyright Patrick Powell 1995 + * This code is based on code written by Patrick Powell (papowell@astart.com) + * It may be used for any purpose as long as this notice remains intact + * on all source code distributions + */ + /************************************************************** * Original: * Patrick Powell Tue Apr 11 09:48:21 PDT 1995 
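Review bot: In sftp-server.c's process_rename hunk, the non-regular-file branch `else if (stat(newpath, &sb) == -1) { if (rename(oldpath, newpath) == -1)` is a check-then-act sequence. A file created at newpath between the two calls is replaced by rename() even though the code means to refuse existing targets. The check also uses stat(), which follows symlinks and treats any failure as "absent", so a dangling symlink at newpath or an EACCES on it both lead to the rename. `} else if (lstat(newpath, &sb) == -1 && errno == ENOENT) {` narrows that. Only the link()/unlink() branch earns the "Race-free" comment; the rename branch should carry one saying it is best effort and that an existing newpath returns a bare `SSH2_FX_FAILURE`.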
@@ -51,7 +58,7 @@ #include "includes.h" -RCSID("$Id: bsd-snprintf.c,v 1.5 2001/02/25 23:20:41 mouring Exp $"); +RCSID("$Id: bsd-snprintf.c,v 1.6 2003/04/01 11:31:56 djm Exp $"); #if defined(BROKEN_SNPRINTF) /* For those with broken snprintf() */ # undef HAVE_SNPRINTF -- cgit v1.2.3 From 495dca35186a9a33c85a6fa2bcc1b127512bb688 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 1 Apr 2003 21:42:14 +1000 Subject: - (djm) OpenBSD CVS Sync - jmc@cvs.openbsd.org 2003/03/28 10:11:43 [scp.1 sftp.1 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5 sshd_config.5] [ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8] - killed whitespace - new sentence new line - .Bk for arguments ok markus@ --- ChangeLog | 13 ++++++++++++- scp.1 | 4 +++- sftp.1 | 26 ++++++++++++++++---------- ssh-add.1 | 9 +++++---- ssh-agent.1 | 7 ++++--- ssh-keygen.1 | 4 +++- ssh-keyscan.1 | 20 +++++++++++++------- ssh-keysign.8 | 6 +++--- ssh.1 | 34 ++++++++++++++++++++-------------- ssh_config.5 | 48 ++++++++++++++++++++++++++---------------------- sshd_config.5 | 30 +++++++++++++++++------------- 11 files changed, 122 insertions(+), 79 deletions(-) diff --git a/ChangeLog b/ChangeLog index ac1ce7e07..82053128b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,14 @@ +20030401 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2003/03/28 10:11:43 + [scp.1 sftp.1 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5 sshd_config.5] + [ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8] + - killed whitespace + - new sentence new line + - .Bk for arguments + ok markus@ + + 20030326 - (djm) OpenBSD CVS Sync - deraadt@cvs.openbsd.org 2003/03/26 04:02:51 @@ -1259,4 +1270,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2642 2003/03/26 05:01:11 djm Exp $ +$Id: ChangeLog,v 1.2643 2003/04/01 11:42:14 djm Exp $ diff --git a/scp.1 b/scp.1 index 89ebf7089..a3ec2e0c6 100644 --- a/scp.1 +++ b/scp.1 
@@ -9,7 +9,7 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.26 2003/01/28 17:24:51 stevesk Exp $ +.\" $OpenBSD: scp.1,v 1.27 2003/03/28 10:11:43 jmc Exp $ .\" .Dd September 25, 1999 .Dt SCP 1 @@ -19,6 +19,7 @@ .Nd secure copy (remote file copy program) .Sh SYNOPSIS .Nm scp +.Bk -words .Op Fl pqrvBC1246 .Op Fl F Ar ssh_config .Op Fl S Ar program @@ -40,6 +41,7 @@ .Ar host2 No : .Oc Ar file2 .Sm on +.Ek .Sh DESCRIPTION .Nm copies files between hosts on a network. diff --git a/sftp.1 b/sftp.1 index ecd4d3174..02d2c274b 100644 --- a/sftp.1 +++ b/sftp.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.40 2003/01/10 08:19:07 fgsch Exp $ +.\" $OpenBSD: sftp.1,v 1.41 2003/03/28 10:11:43 jmc Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -30,6 +30,7 @@ .Nd Secure file transfer program .Sh SYNOPSIS .Nm sftp +.Bk -words .Op Fl vC1 .Op Fl b Ar batchfile .Op Fl o Ar ssh_option @@ -40,10 +41,15 @@ .Op Fl R Ar num_requests .Op Fl S Ar program .Ar host +.Ek .Nm sftp -.Op [\fIuser\fR@]\fIhost\fR[:\fIfile\fR [\fIfile\fR]] +.Oo Oo Ar user Ns No @ Oc Ns +.Ar host Ns Oo : Ns Ar file Oo +.Ar file Oc Oc Oc .Nm sftp -.Op [\fIuser\fR@]\fIhost\fR[:\fIdir\fR[\fI/\fR]] +.Oo Oo Ar user Ns No @ Oc Ns +.Ar host Ns Oo : Ns Ar dir Ns +.Oo Ar / Oc Oc Oc .Sh DESCRIPTION .Nm is an interactive file transfer program, similar to @@ -77,13 +83,13 @@ non-interactive authentication. will abort if any of the following commands fail: .Ic get , put , rename , ln , -.Ic rm , mkdir , chdir , ls , +.Ic rm , mkdir , chdir , ls , .Ic lchdir , chmod , chown , chgrp , lpwd and .Ic lmkdir . -Termination on error can be suppressed on a command by command basis by -prefixing the command with a -.Ic '-' +Termination on error can be suppressed on a command by command basis by +prefixing the command with a +.Ic '-' character (For example, .Ic -rm /tmp/blah* ). 
@@ -95,19 +101,19 @@ in the format used in This is useful for specifying options for which there is no separate .Nm sftp -command-line flag. For example, to specify an alternate +command-line flag. For example, to specify an alternate port use: .Ic sftp -oPort=24 . .It Fl s Ar subsystem | sftp_server Specifies the SSH2 subsystem or the path for an sftp server -on the remote host. A path is useful for using sftp over +on the remote host. A path is useful for using sftp over protocol version 1, or when the remote .Nm sshd does not have an sftp subsystem configured. .It Fl v Raise logging level. This option is also passed to ssh. .It Fl B Ar buffer_size -Specify the size of the buffer that +Specify the size of the buffer that .Nm uses when transferring files. Larger buffers require fewer round trips at the cost of higher memory consumption. The default is 32768 bytes. diff --git a/ssh-add.1 b/ssh-add.1 index 25d7333e9..bcdb8e7f6 100644 --- a/ssh-add.1 +++ b/ssh-add.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.37 2003/02/10 11:51:47 markus Exp $ +.\" $OpenBSD: ssh-add.1,v 1.38 2003/03/28 10:11:43 jmc Exp $ .\" .\" -*- nroff -*- .\" @@ -95,10 +95,11 @@ specified in .Xr sshd_config 5 . .It Fl c Indicates that added identities should be subject to confirmation before -being used for authentication. Confirmation is performed by the +being used for authentication. +Confirmation is performed by the .Ev SSH_ASKPASS -program mentioned below. Successful confirmation is signaled by a zero -exit status from the +program mentioned below. +Successful confirmation is signaled by a zero exit status from the .Ev SSH_ASKPASS program, rather than text entered into the requester. .It Fl s Ar reader diff --git a/ssh-agent.1 b/ssh-agent.1 index 98f9dc80d..fde4608bb 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.36 2003/01/21 18:14:36 marc Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.37 2003/03/28 10:11:43 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -88,7 +88,7 @@ Kill the current agent (given by the .Ev SSH_AGENT_PID environment variable). .It Fl t Ar life -Set a default value for the maximum lifetime of identities added to the agent. +Set a default value for the maximum lifetime of identities added to the agent. The lifetime may be specified in seconds or in a time format specified in .Xr sshd 8 . A lifetime specified for an identity with @@ -96,7 +96,8 @@ A lifetime specified for an identity with overrides this value. Without this option the default maximum lifetime is forever. .It Fl d -Debug mode. When this option is specified +Debug mode. +When this option is specified .Nm will not fork. .El diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 78fdb496a..000e8ff2a 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.55 2002/11/26 02:35:30 stevesk Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.56 2003/03/28 10:11:43 jmc Exp $ .\" .\" -*- nroff -*- .\" @@ -45,12 +45,14 @@ .Nd authentication key generation, management and conversion .Sh SYNOPSIS .Nm ssh-keygen +.Bk -words .Op Fl q .Op Fl b Ar bits .Fl t Ar type .Op Fl N Ar new_passphrase .Op Fl C Ar comment .Op Fl f Ar output_keyfile +.Ek .Nm ssh-keygen .Fl p .Op Fl P Ar old_passphrase diff --git a/ssh-keyscan.1 b/ssh-keyscan.1 index 2f33ddf20..f6596c481 100644 --- a/ssh-keyscan.1 +++ b/ssh-keyscan.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keyscan.1,v 1.14 2002/02/13 08:33:47 mpech Exp $ +.\" $OpenBSD: ssh-keyscan.1,v 1.15 2003/03/28 10:11:43 jmc Exp $ .\" .\" Copyright 1995, 1996 by David Mazieres . .\" @@ -14,6 +14,7 @@ .Nd gather ssh public keys .Sh SYNOPSIS .Nm ssh-keyscan +.Bk -words .Op Fl v46 .Op Fl p Ar port .Op Fl T Ar timeout 
@@ -21,10 +22,12 @@ .Op Fl f Ar file .Op Ar host | addrlist namelist .Op Ar ... +.Ek .Sh DESCRIPTION .Nm is a utility for gathering the public ssh host keys of a number of -hosts. It was designed to aid in building and verifying +hosts. +It was designed to aid in building and verifying .Pa ssh_known_hosts files. .Nm @@ -33,9 +36,11 @@ scripts. .Pp .Nm uses non-blocking socket I/O to contact as many hosts as possible in -parallel, so it is very efficient. The keys from a domain of 1,000 +parallel, so it is very efficient. +The keys from a domain of 1,000 hosts can be collected in tens of seconds, even when some of those -hosts are down or do not run ssh. For scanning, one does not need +hosts are down or do not run ssh. +For scanning, one does not need login access to the machines that are being scanned, nor does the scanning process involve any encryption. .Pp @@ -44,12 +49,13 @@ The options are as follows: .It Fl p Ar port Port to connect to on the remote host. .It Fl T Ar timeout -Set the timeout for connection attempts. If +Set the timeout for connection attempts. +If .Pa timeout seconds have elapsed since a connection was initiated to a host or since the last time anything was read from that host, then the connection is -closed and the host in question considered unavailable. Default is 5 -seconds. +closed and the host in question considered unavailable. +Default is 5 seconds. .It Fl t Ar type Specifies the type of the key to fetch from the scanned hosts. The possible values are diff --git a/ssh-keysign.8 b/ssh-keysign.8 index 99d373406..2e3f8ff3e 100644 --- a/ssh-keysign.8 +++ b/ssh-keysign.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keysign.8,v 1.5 2002/11/24 21:46:24 stevesk Exp $ +.\" $OpenBSD: ssh-keysign.8,v 1.6 2003/03/28 10:11:43 jmc Exp $ .\" .\" Copyright (c) 2002 Markus Friedl. All rights reserved. .\" 
@@ -62,8 +62,8 @@ Controls whether is enabled. .It Pa /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key These files contain the private parts of the host keys used to -generate the digital signature. They -should be owned by root, readable only by root, and not +generate the digital signature. +They should be owned by root, readable only by root, and not accessible to others. Since they are readable only by root, .Nm diff --git a/ssh.1 b/ssh.1 index 27808b1f3..fd822bb3d 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.167 2002/09/27 15:46:21 stevesk Exp $ +.\" $OpenBSD: ssh.1,v 1.168 2003/03/28 10:11:43 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -48,6 +48,7 @@ .Op Ar command .Pp .Nm ssh +.Bk -words .Op Fl afgknqstvxACNTX1246 .Op Fl b Ar bind_address .Op Fl c Ar cipher_spec @@ -66,6 +67,8 @@ .Sm on .Xc .Oc +.Ek +.Bk -words .Oo Fl R Xo .Sm off .Ar port : @@ -77,6 +80,7 @@ .Op Fl D Ar port .Ar hostname | user@hostname .Op Ar command +.Ek .Sh DESCRIPTION .Nm (SSH client) is a program for logging into a remote machine and for @@ -361,7 +365,7 @@ variable is set to .Fl A and .Fl a -options described later) and +options described later) and the user is using an authentication agent, the connection to the agent is automatically forwarded to the remote side. .Pp 
@@ -403,10 +407,11 @@ Disables forwarding of the authentication agent connection. Enables forwarding of the authentication agent connection. This can also be specified on a per-host basis in a configuration file. .Pp -Agent forwarding should be enabled with caution. Users with the -ability to bypass file permissions on the remote host (for the agent's -Unix-domain socket) can access the local agent through the forwarded -connection. An attacker cannot obtain key material from the agent, +Agent forwarding should be enabled with caution. +Users with the ability to bypass file permissions on the remote host +(for the agent's Unix-domain socket) +can access the local agent through the forwarded connection. +An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent. .It Fl b Ar bind_address @@ -428,8 +433,8 @@ is only supported in the client for interoperability with legacy protocol 1 implementations that do not support the .Ar 3des -cipher. Its use is strongly discouraged due to cryptographic -weaknesses. +cipher. +Its use is strongly discouraged due to cryptographic weaknesses. .It Fl c Ar cipher_spec Additionally, for protocol version 2 a comma-separated list of ciphers can be specified in order of preference. 
@@ -566,11 +571,11 @@ Disables X11 forwarding. Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file. .Pp -X11 forwarding should be enabled with caution. Users with the ability -to bypass file permissions on the remote host (for the user's X -authorization database) can access the local X11 display through the -forwarded connection. An attacker may then be able to perform -activities such as keystroke monitoring. +X11 forwarding should be enabled with caution. +Users with the ability to bypass file permissions on the remote host +(for the user's X authorization database) +can access the local X11 display through the forwarded connection. +An attacker may then be able to perform activities such as keystroke monitoring. .It Fl C Requests compression of all data (including stdin, stdout, stderr, and data for forwarded X11 and TCP/IP connections). @@ -637,7 +642,8 @@ This works by allocating a socket to listen to on the local side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the -remote machine. Currently the SOCKS4 protocol is supported, and +remote machine. +Currently the SOCKS4 protocol is supported, and .Nm will act as a SOCKS4 server. Only root can forward privileged ports. diff --git a/ssh_config.5 b/ssh_config.5 index 710c068c5..44208b431 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.6 2003/02/06 09:27:29 markus Exp $ +.\" $OpenBSD: ssh_config.5,v 1.7 2003/03/28 10:11:43 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os 
@@ -176,8 +176,8 @@ is only supported in the client for interoperability with legacy protocol 1 implementations that do not support the .Ar 3des -cipher. Its use is strongly discouraged due to cryptographic -weaknesses. +cipher. +Its use is strongly discouraged due to cryptographic weaknesses. The default is .Dq 3des . .It Cm Ciphers @@ -193,7 +193,8 @@ The default is .It Cm ClearAllForwardings Specifies that all local, remote and dynamic port forwardings specified in the configuration files or on the command line be -cleared. This option is primarily useful when used from the +cleared. +This option is primarily useful when used from the .Nm ssh command line to clear port forwardings set in configuration files, and is automatically set by @@ -230,13 +231,14 @@ The default is 1. Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the -remote machine. The argument must be a port number. +remote machine. +The argument must be a port number. Currently the SOCKS4 protocol is supported, and .Nm ssh will act as a SOCKS4 server. Multiple forwardings may be specified, and -additional forwardings can be given on the command line. Only -the superuser can forward privileged ports. +additional forwardings can be given on the command line. +Only the superuser can forward privileged ports. .It Cm EscapeChar Sets the escape character (default: .Ql ~ ) . 
@@ -259,10 +261,11 @@ or The default is .Dq no . .Pp -Agent forwarding should be enabled with caution. Users with the -ability to bypass file permissions on the remote host (for the agent's -Unix-domain socket) can access the local agent through the forwarded -connection. An attacker cannot obtain key material from the agent, +Agent forwarding should be enabled with caution. +Users with the ability to bypass file permissions on the remote host +(for the agent's Unix-domain socket) +can access the local agent through the forwarded connection. +An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent. .It Cm ForwardX11 @@ -277,18 +280,18 @@ or The default is .Dq no . .Pp -X11 forwarding should be enabled with caution. Users with the ability -to bypass file permissions on the remote host (for the user's X -authorization database) can access the local X11 display through the -forwarded connection. An attacker may then be able to perform -activities such as keystroke monitoring. +X11 forwarding should be enabled with caution. +Users with the ability to bypass file permissions on the remote host +(for the user's X authorization database) +can access the local X11 display through the forwarded connection. +An attacker may then be able to perform activities such as keystroke monitoring. .It Cm GatewayPorts Specifies whether remote hosts are allowed to connect to local forwarded ports. By default, .Nm ssh -binds local port forwardings to the loopback address. This -prevents other remote hosts from connecting to forwarded ports. +binds local port forwardings to the loopback address. +This prevents other remote hosts from connecting to forwarded ports. .Cm GatewayPorts can be used to specify that .Nm ssh 
@@ -395,8 +398,9 @@ Gives the verbosity level that is used when logging messages from .Nm ssh . The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. -The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 -and DEBUG3 each specify higher levels of verbose output. +The default is INFO. +DEBUG and DEBUG1 are equivalent. +DEBUG2 and DEBUG3 each specify higher levels of verbose output. .It Cm MACs Specifies the MAC (message authentication code) algorithms in order of preference. @@ -474,8 +478,8 @@ somewhere. Host key management will be done using the HostName of the host being connected (defaulting to the name typed by the user). -Setting the command to -.Dq none +Setting the command to +.Dq none disables this option entirely. Note that .Cm CheckHostIP diff --git a/sshd_config.5 b/sshd_config.5 index 23ac0e96d..6f38a260a 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.14 2003/01/23 08:58:47 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.15 2003/03/28 10:11:43 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -211,8 +211,8 @@ Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, .Nm sshd -binds remote port forwardings to the loopback address. This -prevents other remote hosts from connecting to forwarded ports. +binds remote port forwardings to the loopback address. +This prevents other remote hosts from connecting to forwarded ports. .Cm GatewayPorts can be used to specify that .Nm sshd @@ -370,7 +370,8 @@ is not specified, will listen on the address and all prior .Cm Port options specified. The default is to listen on all local -addresses. Multiple +addresses. +Multiple .Cm ListenAddress options are permitted. Additionally, any .Cm Port 
@@ -385,10 +386,10 @@ Gives the verbosity level that is used when logging messages from .Nm sshd . The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. -The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 -and DEBUG3 each specify higher levels of debugging output. -Logging with a DEBUG level violates the privacy of users -and is not recommended. +The default is INFO. +DEBUG and DEBUG1 are equivalent. +DEBUG2 and DEBUG3 each specify higher levels of debugging output. +Logging with a DEBUG level violates the privacy of users and is not recommended. .It Cm MACs Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 @@ -599,16 +600,18 @@ will be disabled because .Xr login 1 does not know how to handle .Xr xauth 1 -cookies. If +cookies. +If .Cm UsePrivilegeSeparation is specified, it will be disabled after authentication. .It Cm UsePrivilegeSeparation Specifies whether .Nm sshd separates privileges by creating an unprivileged child process -to deal with incoming network traffic. After successful authentication, -another process will be created that has the privilege of the authenticated -user. The goal of privilege separation is to prevent privilege +to deal with incoming network traffic. +After successful authentication, another process will be created that has +the privilege of the authenticated user. +The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is .Dq yes . @@ -666,7 +669,8 @@ is enabled. Specifies whether .Nm sshd should bind the X11 forwarding server to the loopback address or to -the wildcard address. By default, +the wildcard address. +By default, .Nm sshd binds the forwarding server to the loopback address and sets the hostname part of the -- cgit v1.2.3 From 2dc074ef4bd925a7c95b9741ab20ab07c79dc2ff Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Tue, 1 Apr 2003 21:43:39 +1000 Subject: - markus@cvs.openbsd.org 2003/04/01 10:10:23 [clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c] [readconf.h serverloop.c sshconnect2.c] rekeying bugfixes and automatic rekeying: * both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying - markus@cvs.openbsd.org 2003/04/01 10:22:21 [clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c] [readconf.h serverloop.c sshconnect2.c] backout rekeying changes (for 3.6.1) --- ChangeLog | 20 ++++++++++++++++++-- clientloop.c | 2 +- monitor.c | 2 +- monitor_wrap.c | 2 +- packet.c | 2 +- packet.h | 2 +- readconf.c | 2 +- readconf.h | 2 +- serverloop.c | 2 +- sshconnect2.c | 2 +- 10 files changed, 27 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index 82053128b..cf216edcf 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -7,7 +7,23 @@ - new sentence new line - .Bk for arguments ok markus@ - + - markus@cvs.openbsd.org 2003/04/01 10:10:23 + [clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c] + [readconf.h serverloop.c sshconnect2.c] + rekeying bugfixes and automatic rekeying: + * both client and server rekey _automatically_ + (a) after 2^31 packets, because after 2^32 packets + the sequence number for packets wraps + (b) after 2^(blocksize_in_bits/4) blocks + (see: draft-ietf-secsh-newmodes-00.txt) + (a) and (b) are _enabled_ by default, and only disabled for known + openssh versions, that don't support rekeying properly. + * client option 'RekeyLimit' + * do not reply to requests during rekeying + - markus@cvs.openbsd.org 2003/04/01 10:22:21 + [clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c] + [readconf.h serverloop.c sshconnect2.c] + backout rekeying changes (for 3.6.1) 20030326 - (djm) OpenBSD CVS Sync @@ -1270,4 +1286,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2643 2003/04/01 11:42:14 djm Exp $ +$Id: ChangeLog,v 1.2644 2003/04/01 11:43:39 djm Exp $ diff --git a/clientloop.c b/clientloop.c index fcd75d2d7..af207c070 100644 --- a/clientloop.c +++ b/clientloop.c @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.105 2002/11/18 16:43:44 markus Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.107 2003/04/01 10:22:21 markus Exp $"); #include "ssh.h" #include "ssh1.h" diff --git a/monitor.c b/monitor.c index 3d7dcaf86..bcd007e60 100644 --- a/monitor.c +++ b/monitor.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.34 2003/03/23 19:02:00 markus Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.36 2003/04/01 10:22:21 markus Exp $"); #include diff --git a/monitor_wrap.c b/monitor_wrap.c index 1395a32f4..c9714138a 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c 
@@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor_wrap.c,v 1.22 2003/02/16 17:30:33 markus Exp $"); +RCSID("$OpenBSD: monitor_wrap.c,v 1.24 2003/04/01 10:22:21 markus Exp $"); #include #include diff --git a/packet.c b/packet.c index 3e2d1249d..3e21df722 100644 --- a/packet.c +++ b/packet.c @@ -37,7 +37,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: packet.c,v 1.102 2002/12/10 19:47:14 markus Exp $"); +RCSID("$OpenBSD: packet.c,v 1.104 2003/04/01 10:22:21 markus Exp $"); #include "xmalloc.h" #include "buffer.h" diff --git a/packet.h b/packet.h index 3ff75593a..46830c3df 100644 --- a/packet.h +++ b/packet.h @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.h,v 1.35 2002/06/19 18:01:00 markus Exp $ */ +/* $OpenBSD: packet.h,v 1.37 2003/04/01 10:22:21 markus Exp $ */ /* * Author: Tatu Ylonen diff --git a/readconf.c b/readconf.c index 8b576a7ad..1df5ce2d9 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.102 2003/02/05 09:02:28 markus Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.104 2003/04/01 10:22:21 markus Exp $"); #include "ssh.h" #include "xmalloc.h" diff --git a/readconf.h b/readconf.h index bc5968843..78e04fedf 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.44 2002/11/07 22:08:07 markus Exp $ */ +/* $OpenBSD: readconf.h,v 1.46 2003/04/01 10:22:21 markus Exp $ */ /* * Author: Tatu Ylonen diff --git a/serverloop.c b/serverloop.c index 58e20dfb9..f4df9cccb 100644 --- a/serverloop.c +++ b/serverloop.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: serverloop.c,v 1.104 2002/09/19 16:03:15 stevesk Exp $"); +RCSID("$OpenBSD: serverloop.c,v 1.106 2003/04/01 10:22:21 markus Exp $"); #include "xmalloc.h" #include "packet.h" diff --git a/sshconnect2.c b/sshconnect2.c index 1f92f0296..642b34b9e 100644 --- a/sshconnect2.c +++ b/sshconnect2.c 
@@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.112 2003/03/05 22:33:43 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.114 2003/04/01 10:22:21 markus Exp $"); #include "ssh.h" #include "ssh2.h" -- cgit v1.2.3 From d32090426bc9ebf6ec982acad029b75a48033175 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 1 Apr 2003 21:44:37 +1000 Subject: - markus@cvs.openbsd.org 2003/04/01 10:31:26 [compat.c compat.h kex.c] bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself --- ChangeLog | 6 +++++- compat.c | 22 +++++++++++++--------- compat.h | 3 ++- kex.c | 5 +++-- 4 files changed, 23 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index cf216edcf..7ffc56696 100644 --- a/ChangeLog +++ b/ChangeLog @@ -24,6 +24,10 @@ [clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c] [readconf.h serverloop.c sshconnect2.c] backout rekeying changes (for 3.6.1) + - markus@cvs.openbsd.org 2003/04/01 10:31:26 + [compat.c compat.h kex.c] + bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; + tested by ho@ and myself 20030326 - (djm) OpenBSD CVS Sync @@ -1286,4 +1290,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2644 2003/04/01 11:43:39 djm Exp $ +$Id: ChangeLog,v 1.2645 2003/04/01 11:44:37 djm Exp $ diff --git a/compat.c b/compat.c index 757b0e679..5e1774ab6 100644 --- a/compat.c +++ b/compat.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: compat.c,v 1.65 2002/09/27 10:42:09 mickey Exp $"); +RCSID("$OpenBSD: compat.c,v 1.66 2003/04/01 10:31:26 markus Exp $"); #include "buffer.h" #include "packet.h" 
@@ -85,10 +85,12 @@ compat_datafellows(const char *version) { "*MindTerm*", 0 }, { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| SSH_OLD_SESSIONID|SSH_BUG_DEBUG| - SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE }, + SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE| + SSH_BUG_FIRSTKEX }, { "2.1 *", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| SSH_OLD_SESSIONID|SSH_BUG_DEBUG| - SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE }, + SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE| + SSH_BUG_FIRSTKEX }, { "2.0.13*," "2.0.14*," "2.0.15*," @@ -100,26 +102,28 @@ compat_datafellows(const char *version) SSH_BUG_PKSERVICE|SSH_BUG_X11FWD| SSH_BUG_PKOK|SSH_BUG_RSASIGMD5| SSH_BUG_HBSERVICE|SSH_BUG_OPENFAILURE| - SSH_BUG_DUMMYCHAN }, + SSH_BUG_DUMMYCHAN|SSH_BUG_FIRSTKEX }, { "2.0.11*," "2.0.12*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| SSH_OLD_SESSIONID|SSH_BUG_DEBUG| SSH_BUG_PKSERVICE|SSH_BUG_X11FWD| SSH_BUG_PKAUTH|SSH_BUG_PKOK| SSH_BUG_RSASIGMD5|SSH_BUG_OPENFAILURE| - SSH_BUG_DUMMYCHAN }, + SSH_BUG_DUMMYCHAN|SSH_BUG_FIRSTKEX }, { "2.0.*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| SSH_OLD_SESSIONID|SSH_BUG_DEBUG| SSH_BUG_PKSERVICE|SSH_BUG_X11FWD| SSH_BUG_PKAUTH|SSH_BUG_PKOK| SSH_BUG_RSASIGMD5|SSH_BUG_OPENFAILURE| - SSH_BUG_DERIVEKEY|SSH_BUG_DUMMYCHAN }, + SSH_BUG_DERIVEKEY|SSH_BUG_DUMMYCHAN| + SSH_BUG_FIRSTKEX }, { "2.2.0*," "2.3.0*", SSH_BUG_HMAC|SSH_BUG_DEBUG| - SSH_BUG_RSASIGMD5 }, - { "2.3.*", SSH_BUG_DEBUG|SSH_BUG_RSASIGMD5 }, + SSH_BUG_RSASIGMD5|SSH_BUG_FIRSTKEX }, + { "2.3.*", SSH_BUG_DEBUG|SSH_BUG_RSASIGMD5| + SSH_BUG_FIRSTKEX }, { "2.4", SSH_OLD_SESSIONID }, /* Van Dyke */ - { "2.*", SSH_BUG_DEBUG }, + { "2.*", SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX }, { "3.0.*", SSH_BUG_DEBUG }, { "3.0 SecureCRT*", SSH_OLD_SESSIONID }, { "1.7 SecureFX*", SSH_OLD_SESSIONID }, diff --git a/compat.h b/compat.h index 9299805af..881e450d3 100644 --- a/compat.h +++ b/compat.h 
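Review bot: SSH_BUG_FIRSTKEX is OR-ed by hand into eight separate entries of the compat_datafellows table (`2.1.0*`, `2.1 *`, the `2.0.13*` group, `2.0.11*`/`2.0.12*`, `2.0.*`, `2.2.0*`/`2.3.0*`, `2.3.*` and the catch-all `2.*`), and neither hunk says which peers the flag is meant for. A one-line comment above the first flagged entry would record that, for example `/* SSH_BUG_FIRSTKEX: ssh.com < 3.0, see kex_choose_conf() */`. The `2.4` (Van Dyke) entry stays without the flag while `2.*` below it gets it, which looks deliberate but depends on match order that is not visible here. The patterns are compared with the `version` argument, presumably the banner the peer sends, so the flag is in effect chosen by the peer and should only ever relax interoperability behaviour. The table and the function both start and end outside these hunks.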
@@ -1,4 +1,4 @@ -/* $OpenBSD: compat.h,v 1.33 2002/09/27 10:42:09 mickey Exp $ */ +/* $OpenBSD: compat.h,v 1.34 2003/04/01 10:31:26 markus Exp $ */ /* * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved. @@ -55,6 +55,7 @@ #define SSH_BUG_EXTEOF 0x00200000 #define SSH_BUG_K5USER 0x00400000 #define SSH_BUG_PROBE 0x00800000 +#define SSH_BUG_FIRSTKEX 0x01000000 void enable_compat13(void); void enable_compat20(void); diff --git a/kex.c b/kex.c index 2c1cacfec..b070ccf42 100644 --- a/kex.c +++ b/kex.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kex.c,v 1.54 2003/02/16 17:09:57 markus Exp $"); +RCSID("$OpenBSD: kex.c,v 1.55 2003/04/01 10:31:26 markus Exp $"); #include @@ -392,7 +392,8 @@ kex_choose_conf(Kex *kex) kex->we_need = need; /* ignore the next message if the proposals do not match */ - if (first_kex_follows && !proposals_match(my, peer)) { + if (first_kex_follows && !proposals_match(my, peer) && + !(datafellows & SSH_BUG_FIRSTKEX)) { type = packet_read(); debug2("skipping next packet (type %u)", type); } -- cgit v1.2.3 From 13c1c7a75e523dc6320e1dd1b2affb223f5002f1 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 1 Apr 2003 21:45:26 +1000 Subject: - markus@cvs.openbsd.org 2003/04/01 10:56:46 [version.h] 3.6.1 --- ChangeLog | 5 ++++- version.h | 6 +++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7ffc56696..d5db7b22a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,9 @@ [compat.c compat.h kex.c] bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself + - markus@cvs.openbsd.org 2003/04/01 10:56:46 + [version.h] + 3.6.1 20030326 - (djm) OpenBSD CVS Sync @@ -1290,4 +1293,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2645 2003/04/01 11:44:37 djm Exp $ +$Id: ChangeLog,v 1.2646 2003/04/01 11:45:26 djm Exp $ diff --git a/version.h b/version.h index 380e35907..75a2b2554 100644 
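Review bot: The comment above the changed condition in kex_choose_conf still reads `/* ignore the next message if the proposals do not match */`, but with the added `!(datafellows & SSH_BUG_FIRSTKEX)` term the guessed packet is no longer discarded for peers carrying that flag. The comment should state the exception, e.g. `/* ignore the next message if the proposals do not match, unless the peer is flagged SSH_BUG_FIRSTKEX */`. Because datafellows comes from the version-pattern table in compat.c (same commit), the branch is selected by what the peer announces, and a wrongly guessed first kex message from a flagged peer is presumably processed as the next message instead of being dropped; a `debug2()` on the exempted path would make that visible in logs. The new `#define SSH_BUG_FIRSTKEX 0x01000000` in compat.h has no comment either. The body of kex_choose_conf starts and ends outside the hunk.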
--- a/version.h +++ b/version.h @@ -1,3 +1,3 @@ -/* $OpenBSD: version.h,v 1.36 2003/03/17 11:43:47 markus Exp $ */ - -#define SSH_VERSION "OpenSSH_3.6p1" +/* $OpenBSD: version.h,v 1.37 2003/04/01 10:56:46 markus Exp $ */ + +#define SSH_VERSION "OpenSSH_3.6.1p1" -- cgit v1.2.3 From b80e52ab6f8230d87d33fab7f7bc79e3ddb7aa8b Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 1 Apr 2003 21:46:53 +1000 Subject: - (djm) Crank spec file versions --- ChangeLog | 3 ++- contrib/caldera/openssh.spec | 4 ++-- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index d5db7b22a..51ef216f7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,7 @@ - markus@cvs.openbsd.org 2003/04/01 10:56:46 [version.h] 3.6.1 + - (djm) Crank spec file versions 20030326 - (djm) OpenBSD CVS Sync @@ -1293,4 +1294,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2646 2003/04/01 11:45:26 djm Exp $ +$Id: ChangeLog,v 1.2647 2003/04/01 11:46:53 djm Exp $ diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 3a76231ad..142d30d88 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -17,7 +17,7 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 %if %{use_stable} - %define version 3.6p1 + %define version 3.6.1p1 %define cvs %{nil} %define release 2 %else @@ -364,4 +364,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.41 2003/03/21 04:50:41 tim Exp $ +$Id: openssh.spec,v 1.42 2003/04/01 11:46:53 djm Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index f71c0b261..7488357fb 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 3.6p1 +%define ver 3.6.1p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID 
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 55de013dc..194dbb7d1 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -1,6 +1,6 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 3.6p1 +Version: 3.6.1p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz -- cgit v1.2.3 From a0ab669c133a756bd5b8f4eef82693e367c49532 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 1 Apr 2003 21:47:16 +1000 Subject: - (djm) Release 3.6.1p1 --- ChangeLog | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 51ef216f7..ebde74795 100644 --- a/ChangeLog +++ b/ChangeLog @@ -32,6 +32,7 @@ [version.h] 3.6.1 - (djm) Crank spec file versions + - (djm) Release 3.6.1p1 20030326 - (djm) OpenBSD CVS Sync @@ -1294,4 +1295,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2647 2003/04/01 11:46:53 djm Exp $ +$Id: ChangeLog,v 1.2648 2003/04/01 11:47:16 djm Exp $ -- cgit v1.2.3