From b407dd8d058e018ef92ead51027ab47425695dad Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 4 Feb 2011 11:46:39 +1100 Subject: - djm@cvs.openbsd.org 2011/01/31 21:42:15 [PROTOCOL.mux] cut'n'pasto; from bert.wesarg AT googlemail.com --- ChangeLog | 6 ++++++ PROTOCOL.mux | 4 ++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index a69ed9fde..9ff6362e5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20110204 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2011/01/31 21:42:15 + [PROTOCOL.mux] + cut'n'pasto; from bert.wesarg AT googlemail.com + 20110128 - (djm) [openbsd-compat/port-linux.c] Check whether SELinux is enabled before attempting setfscreatecon(). Check whether matchpathcon() diff --git a/PROTOCOL.mux b/PROTOCOL.mux index 3d6f81878..2a5817bd7 100644 --- a/PROTOCOL.mux +++ b/PROTOCOL.mux @@ -122,7 +122,7 @@ For dynamically allocated listen port the server replies with Note: currently unimplemented (server will always reply with MUX_S_FAILURE). -A client may request the master to establish a port forward: +A client may request the master to close a port forward: uint32 MUX_C_CLOSE_FWD uint32 request id @@ -200,4 +200,4 @@ XXX server->client error/warning notifications XXX port0 rfwd (need custom response message) XXX send signals via mux -$OpenBSD: PROTOCOL.mux,v 1.3 2011/01/13 21:55:25 djm Exp $ +$OpenBSD: PROTOCOL.mux,v 1.4 2011/01/31 21:42:15 djm Exp $ -- cgit v1.2.3 From 0a5f0129a3d64ac59a1b499cc6310f271c28a020 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 4 Feb 2011 11:47:01 +1100 Subject: - djm@cvs.openbsd.org 2011/02/04 00:44:21 [key.c] fix uninitialised nonce variable; reported by Mateusz Kocielski --- ChangeLog | 3 +++ key.c | 7 +++---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9ff6362e5..aaf59c35a 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -3,6 +3,9 @@ - djm@cvs.openbsd.org 2011/01/31 21:42:15 [PROTOCOL.mux] cut'n'pasto; from bert.wesarg AT googlemail.com + - djm@cvs.openbsd.org 2011/02/04 00:44:21 + [key.c] + fix uninitialised nonce variable; reported by Mateusz Kocielski 20110128 - (djm) [openbsd-compat/port-linux.c] Check whether SELinux is enabled diff --git a/key.c b/key.c index 1defb1132..e3a305e66 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.95 2010/11/10 01:33:07 djm Exp $ */ +/* $OpenBSD: key.c,v 1.96 2011/02/04 00:44:21 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1886,10 +1886,9 @@ key_certify(Key *k, Key *ca) buffer_put_cstring(&k->cert->certblob, key_ssh_name(k)); /* -v01 certs put nonce first */ - if (!key_cert_is_legacy(k)) { - arc4random_buf(&nonce, sizeof(nonce)); + arc4random_buf(&nonce, sizeof(nonce)); + if (!key_cert_is_legacy(k)) buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce)); - } switch (k->type) { case KEY_DSA_CERT_V00: -- cgit v1.2.3 From a69812707d34c979a2435d5147ba245c625c352a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 4 Feb 2011 11:47:20 +1100 Subject: - djm@cvs.openbsd.org 2011/02/04 00:44:43 [version.h] openssh-5.8 --- ChangeLog | 3 +++ version.h | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index aaf59c35a..e10760914 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,9 @@ - djm@cvs.openbsd.org 2011/02/04 00:44:21 [key.c] fix uninitialised nonce variable; reported by Mateusz Kocielski + - djm@cvs.openbsd.org 2011/02/04 00:44:43 + [version.h] + openssh-5.8 20110128 - (djm) [openbsd-compat/port-linux.c] Check whether SELinux is enabled diff --git a/version.h b/version.h index 202e0dec2..bf1c7124a 100644 --- a/version.h +++ b/version.h 
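Review bot: The comment `/* -v01 certs put nonce first */` now sits directly above `arc4random_buf(&nonce, sizeof(nonce));`, which after this change runs for both certificate formats, so it reads as though the nonce were generated only for -v01. Move that comment down so it describes only the `buffer_put_string` under `if (!key_cert_is_legacy(k))`, and put a line such as `/* nonce is needed for both formats; generate it unconditionally */` above the `arc4random_buf` call. The fix itself looks right: the removed braces show the legacy path previously skipped generation entirely, which is the uninitialised read being fixed; where the legacy path consumes the nonce is outside this hunk, so confirm against the rest of key_certify. key_certify starts and ends outside the hunk.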
@@ -1,6 +1,6 @@ -/* $OpenBSD: version.h,v 1.60 2011/01/22 09:18:53 djm Exp $ */ +/* $OpenBSD: version.h,v 1.61 2011/02/04 00:44:43 djm Exp $ */ -#define SSH_VERSION "OpenSSH_5.7" +#define SSH_VERSION "OpenSSH_5.8" #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE -- cgit v1.2.3 From 0d30b092ce0dee75cc4f5848720cbb2752694f8e Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 4 Feb 2011 12:43:36 +1100 Subject: - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] update versions in docs and spec files. - Release OpenSSH 5.8p1 --- ChangeLog | 3 +++ README | 4 ++-- contrib/caldera/openssh.spec | 4 ++-- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- 5 files changed, 9 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index e10760914..9a404558d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ - djm@cvs.openbsd.org 2011/02/04 00:44:43 [version.h] openssh-5.8 + - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] update versions in docs and spec files. + - Release OpenSSH 5.8p1 20110128 - (djm) [openbsd-compat/port-linux.c] Check whether SELinux is enabled diff --git a/README b/README index 4e7e9a9f2..481d40f29 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -See http://www.openssh.com/txt/release-5.7 for the release notes. +See http://www.openssh.com/txt/release-5.8 for the release notes. - A Japanese translation of this document and of the OpenSSH FAQ is - available at http://www.unixuser.org/~haruyama/security/openssh/index.html @@ -62,4 +62,4 @@ References - [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 [7] http://www.openssh.com/faq.html -$Id: README,v 1.75 2011/01/22 09:23:12 djm Exp $ +$Id: README,v 1.76 2011/02/04 01:43:39 djm Exp $ diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 23397b04d..9fc553ed3 100644 --- a/contrib/caldera/openssh.spec 
+++ b/contrib/caldera/openssh.spec @@ -16,7 +16,7 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 -%define version 5.7p1 +%define version 5.8p1 %if %{use_stable} %define cvs %{nil} %define release 1 @@ -363,4 +363,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.73 2011/01/22 09:23:33 djm Exp $ +$Id: openssh.spec,v 1.74 2011/02/04 01:43:44 djm Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 8fc76b625..e99e33d0f 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 5.7p1 +%define ver 5.8p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 4573c52fd..6afdcc4b4 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 5.7p1 +Version: 5.8p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz -- cgit v1.2.3 From 3b9617ecbd6bdb205e202a3345e84740851b021c Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 6 Feb 2011 13:24:35 +1100 Subject: - (dtucker) [openbsd-compat/port-linux.c] Bug #1851: fix syntax error in selinux code. Patch from Leonardo Chiquitto. --- ChangeLog | 4 ++++ openbsd-compat/port-linux.c | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9a404558d..5af606b4d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20110206 + - (dtucker) [openbsd-compat/port-linux.c] Bug #1851: fix syntax error in + selinux code. Patch from Leonardo Chiquitto + 20110204 - OpenBSD CVS Sync - djm@cvs.openbsd.org 2011/01/31 21:42:15 diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c index eb280e616..ac1e4fefc 100644 --- a/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c 
@@ -1,4 +1,4 @@ -/* $Id: port-linux.c,v 1.13 2011/01/27 23:30:20 djm Exp $ */ +/* $Id: port-linux.c,v 1.14 2011/02/06 02:24:35 dtucker Exp $ */ /* * Copyright (c) 2005 Daniel Walsh @@ -213,7 +213,7 @@ ssh_selinux_setfscreatecon(const char *path) if (!ssh_selinux_enabled()) return; - if (path == NULL) + if (path == NULL) { setfscreatecon(NULL); return; } -- cgit v1.2.3 From ea676a642264ee45f3f1191096d8d51a376061a4 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 6 Feb 2011 13:31:23 +1100 Subject: - (dtucker) [contrib/cygwin/ssh-{host,user}-config] Add ECDSA key generation and simplify. Patch from Corinna Vinschen. --- ChangeLog | 2 + contrib/cygwin/ssh-host-config | 6 +++ contrib/cygwin/ssh-user-config | 84 +++++++++--------------------------------- 3 files changed, 25 insertions(+), 67 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5af606b4d..3fa2f4534 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20110206 - (dtucker) [openbsd-compat/port-linux.c] Bug #1851: fix syntax error in selinux code. Patch from Leonardo Chiquitto + - (dtucker) [contrib/cygwin/ssh-{host,user}-config] Add ECDSA key + generation and simplify. Patch from Corinna Vinschen. 20110204 - OpenBSD CVS Sync diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index d968d4619..0af6907dc 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config @@ -63,6 +63,12 @@ create_host_keys() { csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null fi + + if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ] + then + csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key" + ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null + fi } # --- End of create_host_keys --- # # ====================================================================== diff --git a/contrib/cygwin/ssh-user-config b/contrib/cygwin/ssh-user-config index f1a001a93..027ae6032 100644 
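Review bot: The new `path == NULL` branch calls `setfscreatecon(NULL)` and discards its return value, so a failed reset leaves whatever file-creation context was previously set in force for later file creations, which is a labelling error that would go unnoticed. Report the failure, e.g. `if (setfscreatecon(NULL) != 0) error("%s: setfscreatecon(NULL) failed", __func__);`, using whichever logging call the non-NULL path below already uses (that path is outside this hunk, so I cannot see it). ssh_selinux_setfscreatecon's body continues past the hunk.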
--- a/contrib/cygwin/ssh-user-config +++ b/contrib/cygwin/ssh-user-config 
@@ -39,85 +39,34 @@ pwdhome= with_passphrase= # ====================================================================== -# Routine: create_ssh1_identity -# optionally create ~/.ssh/identity[.pub] +# Routine: create_identity +# optionally create identity of type argument in ~/.ssh # optionally add result to ~/.ssh/authorized_keys # ====================================================================== -create_ssh1_identity() { - if [ ! -f "${pwdhome}/.ssh/identity" ] +create_identity() { + local file="$1" + local type="$2" + local name="$3" + if [ ! -f "${pwdhome}/.ssh/${file}" ] then - if csih_request "Shall I create an SSH1 RSA identity file for you?" + if csih_request "Shall I create a ${name} identity file for you?" then - csih_inform "Generating ${pwdhome}/.ssh/identity" + csih_inform "Generating ${pwdhome}/.ssh/${file}" if [ "${with_passphrase}" = "yes" ] then - ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null + ssh-keygen -t "${type}" -N "${passphrase}" -f "${pwdhome}/.ssh/${file}" > /dev/null else - ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null + ssh-keygen -t "${type}" -f "${pwdhome}/.ssh/${file}" > /dev/null fi if csih_request "Do you want to use this identity to login to this machine?" then csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys" - cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys" + cat "${pwdhome}/.ssh/${file}.pub" >> "${pwdhome}/.ssh/authorized_keys" fi fi fi } # === End of create_ssh1_identity() === # -readonly -f create_ssh1_identity - -# ====================================================================== -# Routine: create_ssh2_rsa_identity -# optionally create ~/.ssh/id_rsa[.pub] -# optionally add result to ~/.ssh/authorized_keys -# ====================================================================== -create_ssh2_rsa_identity() { - if [ ! -f "${pwdhome}/.ssh/id_rsa" ] - then - if csih_request "Shall I create an SSH2 RSA identity file for you?" 
- then - csih_inform "Generating ${pwdhome}/.ssh/id_rsa" - if [ "${with_passphrase}" = "yes" ] - then - ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null - else - ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null - fi - if csih_request "Do you want to use this identity to login to this machine?" - then - csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys" - cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys" - fi - fi - fi -} # === End of create_ssh2_rsa_identity() === # -readonly -f create_ssh2_rsa_identity - -# ====================================================================== -# Routine: create_ssh2_dsa_identity -# optionally create ~/.ssh/id_dsa[.pub] -# optionally add result to ~/.ssh/authorized_keys -# ====================================================================== -create_ssh2_dsa_identity() { - if [ ! -f "${pwdhome}/.ssh/id_dsa" ] - then - if csih_request "Shall I create an SSH2 DSA identity file for you?" - then - csih_inform "Generating ${pwdhome}/.ssh/id_dsa" - if [ "${with_passphrase}" = "yes" ] - then - ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null - else - ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null - fi - if csih_request "Do you want to use this identity to login to this machine?" - then - csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys" - cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys" - fi - fi - fi -} # === End of create_ssh2_dsa_identity() === # -readonly -f create_ssh2_dsa_identity +readonly -f create_identity # ====================================================================== # Routine: check_user_homedir 
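Review bot: The closing marker after the rewritten function still reads `} # === End of create_ssh1_identity() === #`, which no longer matches the function's name; change it to `} # === End of create_identity() === #`. Separately, the passphrase branch passes the secret on the command line via `-N "${passphrase}"`, where it is visible to other local users in the process list for the lifetime of ssh-keygen; this was inherited from the three routines being merged, but now there is a single place to fix it, for example by letting ssh-keygen prompt instead. Neither ssh-keygen invocation has its exit status checked before `cat "${pwdhome}/.ssh/${file}.pub" >> authorized_keys`, so a failed generation produces a confusing cat error rather than a clear warning; wrapping each call as `if ! ssh-keygen ...; then csih_warning "Generating ${pwdhome}/.ssh/${file} failed!"; return 1; fi` mirrors the pattern used elsewhere in this contrib directory.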
@@ -311,9 +260,10 @@ fi check_user_homedir check_user_dot_ssh_dir -create_ssh1_identity -create_ssh2_rsa_identity -create_ssh2_dsa_identity +create_identity id_rsa rsa "SSH2 RSA" +create_identity id_dsa dsa "SSH2 DSA" +create_identity id_ecdsa ecdsa "SSH2 ECDSA" +create_identity identity rsa1 "(deprecated) SSH1 RSA" fix_authorized_keys_perms echo -- cgit v1.2.3 From 0588beba3987853d02b849e92a243ec0a38aa4fb Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 18 Feb 2011 09:18:45 +1100 Subject: - djm@cvs.openbsd.org 2011/02/16 00:31:14 [ssh-keysign.c] make hostbased auth with ECDSA keys work correctly. Based on patch by harvey.eneman AT oracle.com in bz#1858; ok markus@ (pre-lock) --- ChangeLog | 7 +++++++ ssh-keysign.c | 23 +++++++++++++++-------- 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3fa2f4534..6f39440c2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20110218 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2011/02/16 00:31:14 + [ssh-keysign.c] + make hostbased auth with ECDSA keys work correctly. Based on patch + by harvey.eneman AT oracle.com in bz#1858; ok markus@ (pre-lock) + 20110206 - (dtucker) [openbsd-compat/port-linux.c] Bug #1851: fix syntax error in selinux code. Patch from Leonardo Chiquitto diff --git a/ssh-keysign.c b/ssh-keysign.c index d05156005..4172491c2 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keysign.c,v 1.35 2010/08/31 12:33:38 djm Exp $ */ +/* $OpenBSD: ssh-keysign.c,v 1.36 2011/02/16 00:31:14 djm Exp $ */ /* * Copyright (c) 2002 Markus Friedl. All rights reserved. * @@ -150,9 +150,10 @@ main(int argc, char **argv) { Buffer b; Options options; - Key *keys[2], *key = NULL; +#define NUM_KEYTYPES 3 + Key *keys[NUM_KEYTYPES], *key = NULL; struct passwd *pw; - int key_fd[2], i, found, version = 2, fd; + int key_fd[NUM_KEYTYPES], i, found, version = 2, fd; u_char *signature, *data; char *host; u_int slen, dlen; 
@@ -165,8 +166,10 @@ main(int argc, char **argv) if (fd > 2) close(fd); - key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY); - key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY); + i = 0; + key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY); + key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY); + key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY); original_real_uid = getuid(); /* XXX readconf.c needs this */ if ((pw = getpwuid(original_real_uid)) == NULL) @@ -191,7 +194,11 @@ main(int argc, char **argv) fatal("ssh-keysign not enabled in %s", _PATH_HOST_CONFIG_FILE); - if (key_fd[0] == -1 && key_fd[1] == -1) + for (i = found = 0; i < NUM_KEYTYPES; i++) { + if (key_fd[i] != -1) + found = 1; + } + if (found == 0) fatal("could not open any host key"); OpenSSL_add_all_algorithms(); @@ -200,7 +207,7 @@ main(int argc, char **argv) RAND_seed(rnd, sizeof(rnd)); found = 0; - for (i = 0; i < 2; i++) { + for (i = 0; i < NUM_KEYTYPES; i++) { keys[i] = NULL; if (key_fd[i] == -1) continue; @@ -230,7 +237,7 @@ main(int argc, char **argv) xfree(host); found = 0; - for (i = 0; i < 2; i++) { + for (i = 0; i < NUM_KEYTYPES; i++) { if (keys[i] != NULL && key_equal_public(key, keys[i])) { found = 1; -- cgit v1.2.3 From e541aaaf0f544fca9aeedff5941f5103b8e49a5c Mon Sep 17 00:00:00 2001 
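Review bot: Nothing ties the three `key_fd[i++] = open(...)` lines to `NUM_KEYTYPES`, which is defined as a bare `3` inside the declaration list in the previous hunk; adding a fourth host-key file without bumping the define would write past `key_fd` (and `keys`) with no diagnostic. Add a cheap guard right after the last open, `if (i != NUM_KEYTYPES) fatal("%s: host key table size mismatch", __func__);`, or compute the bound as `sizeof(key_fd) / sizeof(key_fd[0])` in the loops below so the define cannot drift. A one-line comment above the opens noting that the order (DSA, ECDSA, RSA) is irrelevant because the client-supplied key is matched by `key_equal_public` would also help the next reader. main() starts and ends outside this hunk.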
From: Darren Tucker Date: Mon, 21 Feb 2011 21:41:29 +1100 Subject: - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the Cygwin-specific service installer script ssh-host-config. The actual functionality is the same, the revisited version is just more exact when it comes to check for problems which disallow to run certain aspects of the script. So, part of this script and the also rearranged service helper script library "csih" is to check if all the tools required to run the script are available on the system. The new script also is more thorough to inform the user why the script failed. Patch from vinschen at redhat com. --- ChangeLog | 11 + contrib/cygwin/ssh-host-config | 540 ++++++++++++++++++++++++++++------------- 2 files changed, 376 insertions(+), 175 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6f39440c2..03e151f8a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,14 @@ +20110221 + - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the + Cygwin-specific service installer script ssh-host-config. The actual + functionality is the same, the revisited version is just more + exact when it comes to check for problems which disallow to run + certain aspects of the script. So, part of this script and the also + rearranged service helper script library "csih" is to check if all + the tools required to run the script are available on the system. + The new script also is more thorough to inform the user why the + script failed. Patch from vinschen at redhat com. + 20110218 - OpenBSD CVS Sync - djm@cvs.openbsd.org 2011/02/16 00:31:14 diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index 0af6907dc..3ac39a621 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config @@ -1,6 +1,6 @@ #!/bin/bash # -# ssh-host-config, Copyright 2000-2009 Red Hat Inc. +# ssh-host-config, Copyright 2000-2011 Red Hat Inc. # # This file is part of the Cygwin port of OpenSSH. # 
@@ -19,12 +19,39 @@ # ====================================================================== # Initialization # ====================================================================== -PROGNAME=$(basename $0) -_tdir=$(dirname $0) -PROGDIR=$(cd $_tdir && pwd) CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh +# List of apps used. This is checkad for existance in csih_sanity_check +# Don't use *any* transient commands before sourcing the csih helper script, +# otherwise the sanity checks are short-circuited. +declare -a csih_required_commands=( + /usr/bin/basename coreutils + /usr/bin/cat coreutils + /usr/bin/chmod coreutils + /usr/bin/dirname coreutils + /usr/bin/id coreutils + /usr/bin/mv coreutils + /usr/bin/rm coreutils + /usr/bin/cygpath cygwin + /usr/bin/mount cygwin + /usr/bin/ps cygwin + /usr/bin/setfacl cygwin + /usr/bin/umount cygwin + /usr/bin/cmp diffutils + /usr/bin/grep grep + /usr/bin/awk gawk + /usr/bin/ssh-keygen openssh + /usr/sbin/sshd openssh + /usr/bin/sed sed +) +csih_sanity_check_server=yes +source ${CSIH_SCRIPT} + +PROGNAME=$(/usr/bin/basename $0) +_tdir=$(/usr/bin/dirname $0) +PROGDIR=$(cd $_tdir && pwd) + # Subdirectory where the new package is being installed PREFIX=/usr @@ -32,8 +59,6 @@ PREFIX=/usr SYSCONFDIR=/etc LOCALSTATEDIR=/var -source ${CSIH_SCRIPT} - port_number=22 privsep_configured=no privsep_used=yes 
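Review bot: The `csih_required_commands` list omits `chown` and `cygrunsrv`, both of which the new `check_service_files_ownership` routine later in this same patch invokes, so the sanity check this commit is introducing would not catch their absence; add `/usr/bin/chown coreutils` and `/usr/bin/cygrunsrv cygwin` to the array. The comment above the array has two typos, `checkad for existance`, which should read `checked for existence`. The new `PROGNAME=$(/usr/bin/basename $0)` and `_tdir=$(/usr/bin/dirname $0)` leave `$0` unquoted; quoting it (`"$0"`) protects against an installation path containing spaces, which is not unusual on Windows.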
@@ -46,29 +71,48 @@ opt_force=no # Routine: create_host_keys # ====================================================================== create_host_keys() { + local ret=0 + if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] then csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" - ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null + if ! /usr/bin/ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null + then + csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" + let ++ret + fi fi if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] then csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" - ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null + if ! /usr/bin/ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null + then + csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" + let ++ret + fi fi if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] then csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" - ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null + if ! /usr/bin/ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null + then + csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" + let ++ret + fi fi if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ] then csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key" - ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null + if ! /usr/bin/ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null + then + csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" + let ++ret + fi fi + return $ret } # --- End of create_host_keys --- # # ====================================================================== 
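Review bot: The three newly added failure warnings for the RSA, DSA and ECDSA host keys all name the wrong file, `csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"`, so an administrator would be told the SSH1 key failed when a different one did. They should read `csih_warning "Generating ${SYSCONFDIR}/ssh_host_rsa_key failed!"`, `csih_warning "Generating ${SYSCONFDIR}/ssh_host_dsa_key failed!"` and `csih_warning "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key failed!"` respectively. While here, the `-f ${SYSCONFDIR}/...` arguments are unquoted unlike the `-f "..."` tests on the lines above them; quoting them keeps the function consistent.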
@@ -81,61 +125,58 @@ update_services_file() { local _spaces local _serv_tmp local _wservices + local ret=0 - if csih_is_nt - then - _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" - _services="${_my_etcdir}/services" - # On NT, 27 spaces, no space after the hash - _spaces=" #" - else - _win_etcdir="${WINDIR}" - _services="${_my_etcdir}/SERVICES" - # On 9x, 18 spaces (95 is very touchy), a space after the hash - _spaces=" # " - fi + _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" + _services="${_my_etcdir}/services" + _spaces=" #" _serv_tmp="${_my_etcdir}/srv.out.$$" - mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" + /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" # Depends on the above mount _wservices=`cygpath -w "${_services}"` # Remove sshd 22/port from services - if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] + if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] then - grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" + /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" if [ -f "${_serv_tmp}" ] then - if mv "${_serv_tmp}" "${_services}" + if /usr/bin/mv "${_serv_tmp}" "${_services}" then csih_inform "Removing sshd from ${_wservices}" else csih_warning "Removing sshd from ${_wservices} failed!" + let ++ret fi - rm -f "${_serv_tmp}" + /usr/bin/rm -f "${_serv_tmp}" else csih_warning "Removing sshd from ${_wservices} failed!" 
+ let ++ret fi fi # Add ssh 22/tcp and ssh 22/udp to services - if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] + if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] then - if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" + if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" then - if mv "${_serv_tmp}" "${_services}" + if /usr/bin/mv "${_serv_tmp}" "${_services}" then csih_inform "Added ssh to ${_wservices}" else csih_warning "Adding ssh to ${_wservices} failed!" + let ++ret fi - rm -f "${_serv_tmp}" + /usr/bin/rm -f "${_serv_tmp}" else csih_warning "Adding ssh to ${_wservices} failed!" + let ++ret fi fi - umount "${_my_etcdir}" + /usr/bin/umount "${_my_etcdir}" + return $ret } # --- End of update_services_file --- # # ====================================================================== 
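Review bot: `_wservices=\`cygpath -w "${_services}"\`` is the one command in this function left without an absolute path, even though the commit's stated purpose is to pin every tool and `/usr/bin/cygpath` is in the new required-commands list; change it to `/usr/bin/cygpath -w "${_services}"`. The surrounding `grep`, `mv`, `rm`, `awk`, `mount` and `umount` calls were all converted, so this looks like an oversight rather than a choice. The function's `_my_etcdir` and `_services` setup begins above the hunk.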
@@ -144,51 +185,57 @@ update_services_file() { # ====================================================================== sshd_privsep() { local sshdconfig_tmp + local ret=0 if [ "${privsep_configured}" != "yes" ] then - if csih_is_nt + csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." + csih_inform "However, this requires a non-privileged account called 'sshd'." + csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." + if csih_request "Should privilege separation be used?" then - csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." - csih_inform "However, this requires a non-privileged account called 'sshd'." - csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." - if csih_request "Should privilege separation be used?" + privsep_used=yes + if ! csih_create_unprivileged_user sshd then - privsep_used=yes - if ! csih_create_unprivileged_user sshd - then - csih_warning "Couldn't create user 'sshd'!" - csih_warning "Privilege separation set to 'no' again!" - csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" - privsep_used=no - fi - else + csih_error_recoverable "Couldn't create user 'sshd'!" + csih_error_recoverable "Privilege separation set to 'no' again!" + csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!" + let ++ret privsep_used=no fi else - # On 9x don't use privilege separation. Since security isn't - # available it just adds useless additional processes. 
privsep_used=no fi fi # Create default sshd_config from skeleton files in /etc/defaults/etc or # modify to add the missing privsep configuration option - if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 + if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 then csih_inform "Updating ${SYSCONFDIR}/sshd_config file" sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ - sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ + /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ s/^#Port 22/Port ${port_number}/ s/^#StrictModes yes/StrictModes no/" \ < ${SYSCONFDIR}/sshd_config \ > "${sshdconfig_tmp}" - mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config + if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config + then + csih_warning "Setting privilege separation to 'yes' failed!" + csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" + let ++ret + fi elif [ "${privsep_configured}" != "yes" ] then echo >> ${SYSCONFDIR}/sshd_config - echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config + if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config + then + csih_warning "Setting privilege separation to 'yes' failed!" + csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" + let ++ret + fi fi + return $ret } # --- End of sshd_privsep --- # # ====================================================================== 
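Review bot: Both new failure messages in the config-update branches hardcode `csih_warning "Setting privilege separation to 'yes' failed!"`, but at that point `privsep_used` may already be `no` (it is set to `no` just above when user creation fails or the user declines), so the message can misstate what was attempted; use `csih_warning "Setting privilege separation to '${privsep_used}' failed!"` in both places. The `sed ... > "${sshdconfig_tmp}"` result is not checked before the guarded `mv`, so a sed failure or a full disk would still move a truncated temp file over `sshd_config`; chain them as `if /usr/bin/sed ... > "${sshdconfig_tmp}" && /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config` and remove the temp file on failure. The rewritten default also silently sets `StrictModes no`, which weakens sshd's permission checks on keys and home directories; that line predates this commit, but a one-line comment stating why it is needed on Cygwin (presumably Windows ACL semantics) would stop it being "fixed" by a future reader.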
@@ -201,72 +248,82 @@ update_inetd_conf() { local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd" local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$" local _with_comment=1 + local ret=0 if [ -d "${_inetcnf_dir}" ] then # we have inetutils-1.5 inetd.d support if [ -f "${_inetcnf}" ] then - grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 + /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 # check for sshd OR ssh in top-level inetd.conf file, and remove # will be replaced by a file in inetd.d/ - if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] + if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] then - grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" + /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" if [ -f "${_inetcnf_tmp}" ] then - if mv "${_inetcnf_tmp}" "${_inetcnf}" + if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" then csih_inform "Removed ssh[d] from ${_inetcnf}" else csih_warning "Removing ssh[d] from ${_inetcnf} failed!" + let ++ret fi - rm -f "${_inetcnf_tmp}" + /usr/bin/rm -f "${_inetcnf_tmp}" else csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 
+ let ++ret fi fi fi csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" - if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 + if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 then if [ "${_with_comment}" -eq 0 ] then - sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" + /usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" + else + /usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" + fi + if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" + then + csih_inform "Updated ${_sshd_inetd_conf}" else - sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" + csih_warning "Updating ${_sshd_inetd_conf} failed!" + let ++ret fi - mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" - csih_inform "Updated ${_sshd_inetd_conf}" fi elif [ -f "${_inetcnf}" ] then - grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 + /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 # check for sshd in top-level inetd.conf file, and remove # will be replaced by a file in inetd.d/ - if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] + if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] then - grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" + /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" if [ -f "${_inetcnf_tmp}" ] then - if mv "${_inetcnf_tmp}" "${_inetcnf}" + if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" then csih_inform "Removed sshd from ${_inetcnf}" else csih_warning "Removing sshd from ${_inetcnf} failed!" + let ++ret fi - rm -f "${_inetcnf_tmp}" + /usr/bin/rm -f "${_inetcnf_tmp}" else csih_warning "Removing sshd from ${_inetcnf} failed!" 
+ let ++ret fi fi # Add ssh line to inetd.conf - if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] + if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] then if [ "${_with_comment}" -eq 0 ] then 
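Review bot: In both `inetd.conf` rewrite paths the filter is `/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"` followed by `if [ -f "${_inetcnf_tmp}" ]`, but the redirection creates the temp file before grep runs, so the `-f` test is always true and a grep error (exit status 2, e.g. an unreadable file) still results in a truncated file being moved over `inetd.conf`. Truncate rather than append (`>`), and test grep's status instead of the file's existence, treating only exit status 2 as failure since `grep -v` legitimately returns 1 when nothing is left to print. The appending `>>` also means any stale `${_inetcnf_tmp}` from an interrupted run would be merged in; `_inetcnf_tmp` is declared above the hunk, so I cannot see whether its name is unique per run.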
@@ -274,11 +331,88 @@ update_inetd_conf() { else echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" fi - csih_inform "Added ssh to ${_inetcnf}" + if [ $? -eq 0 ] + then + csih_inform "Added ssh to ${_inetcnf}" + else + csih_warning "Adding ssh to ${_inetcnf} failed!" + let ++ret + fi fi fi + return $ret } # --- End of update_inetd_conf --- # +# ====================================================================== +# Routine: check_service_files_ownership +# Checks that the files in /etc and /var belong to the right owner +# ====================================================================== +check_service_files_ownership() { + local run_service_as=$1 + local ret=0 + + if [ -z "${run_service_as}" ] + then + accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp') + if [ "${accnt_name}" = "LocalSystem" ] + then + # Convert "LocalSystem" to "SYSTEM" as is the correct account name + accnt_name="SYSTEM:" + elif [[ "${accnt_name}" =~ ^\.\\ ]] + then + # Convert "." domain to local machine name + accnt_name="U-${COMPUTERNAME}${accnt_name#.}," + fi + run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}') + if [ -z "${run_service_as}" ] + then + csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!" + csih_warning "As a result, this script cannot make sure that the files used" + csih_warning "by the sshd service belong to the user running the service." + csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd" + csih_warning "file is in a good shape." + return 1 + fi + fi + for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub + do + if [ -f "$i" ] + then + if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1 + then + csih_warning "Couldn't change owner of $i!" + let ++ret + fi + fi + done + if ! 
chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1 + then + csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!" + let ++ret + fi + if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 + then + csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!" + let ++ret + fi + if [ -f ${LOCALSTATEDIR}/log/sshd.log ] + then + if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1 + then + csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!" + let ++ret + fi + fi + if [ $ret -ne 0 ] + then + csih_warning "Couldn't change owner of important files to ${run_service_as}!" + csih_warning "This may cause the sshd service to fail! Please make sure that" + csih_warning "you have suufficient permissions to change the ownership of files" + csih_warning "and try to run the ssh-host-config script again." + fi + return $ret +} # --- End of check_service_files_ownership --- # + # ====================================================================== # Routine: install_service # Install sshd as a service 
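Review bot: In check_service_files_ownership, `accnt_name` is assigned without `local` (unlike `run_service_as` and `ret`), so it leaks into the caller's scope; declare it as `local accnt_name` next to the other two. The lookup `/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}'` matches the account text anywhere on a line rather than in a specific field, so a name that is a substring of another entry yields several words in `run_service_as` and every following `chown "${run_service_as}".544` fails with an unhelpful message; checking that exactly one line matched (or anchoring the match to the fields you construct) would make that failure explicit. The `chown` calls in this function are the only commands in the hunk not invoked via `/usr/bin/`, which is inconsistent with the rest of the rewrite. The user-facing warning near the end misspells "sufficient" as `suufficient`.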
@@ -286,103 +420,97 @@ update_inetd_conf() { install_service() { local run_service_as local password + local ret=0 - if csih_is_nt + echo + if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1 then - if ! cygrunsrv -Q sshd >/dev/null 2>&1 + csih_inform "Sshd service is already installed." + check_service_files_ownership "" || let ret+=$? + else + echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" + if csih_request "(Say \"no\" if it is already installed as a service)" then - echo - echo - csih_warning "The following functions require administrator privileges!" - echo - echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" - if csih_request "(Say \"no\" if it is already installed as a service)" - then - csih_get_cygenv "${cygwin_value}" + csih_get_cygenv "${cygwin_value}" - if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) - then - csih_inform "On Windows Server 2003, Windows Vista, and above, the" - csih_inform "SYSTEM account cannot setuid to other users -- a capability" - csih_inform "sshd requires. You need to have or to create a privileged" - csih_inform "account. This script will help you do so." - echo + if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) + then + csih_inform "On Windows Server 2003, Windows Vista, and above, the" + csih_inform "SYSTEM account cannot setuid to other users -- a capability" + csih_inform "sshd requires. You need to have or to create a privileged" + csih_inform "account. This script will help you do so." + echo - [ "${opt_force}" = "yes" ] && opt_f=-f - [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" - csih_select_privileged_username ${opt_f} ${opt_u} sshd + [ "${opt_force}" = "yes" ] && opt_f=-f + [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" + csih_select_privileged_username ${opt_f} ${opt_u} sshd - if ! csih_create_privileged_user "${password_value}" - then - csih_error_recoverable "There was a serious problem creating a privileged user." 
- csih_request "Do you want to proceed anyway?" || exit 1 - fi + if ! csih_create_privileged_user "${password_value}" + then + csih_error_recoverable "There was a serious problem creating a privileged user." + csih_request "Do you want to proceed anyway?" || exit 1 + let ++ret fi + fi - # never returns empty if NT or above - run_service_as=$(csih_service_should_run_as) + # Never returns empty if NT or above + run_service_as=$(csih_service_should_run_as) - if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] + if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] + then + password="${csih_PRIVILEGED_PASSWORD}" + if [ -z "${password}" ] then - password="${csih_PRIVILEGED_PASSWORD}" - if [ -z "${password}" ] - then - csih_get_value "Please enter the password for user '${run_service_as}':" "-s" - password="${csih_value}" - fi + csih_get_value "Please enter the password for user '${run_service_as}':" "-s" + password="${csih_value}" fi + fi - # at this point, we either have $run_service_as = "system" and $password is empty, - # or $run_service_as is some privileged user and (hopefully) $password contains - # the correct password. So, from here out, we use '-z "${password}"' to discriminate - # the two cases. + # At this point, we either have $run_service_as = "system" and + # $password is empty, or $run_service_as is some privileged user and + # (hopefully) $password contains the correct password. So, from here + # out, we use '-z "${password}"' to discriminate the two cases. 
- csih_check_user "${run_service_as}" + csih_check_user "${run_service_as}" - if [ -n "${csih_cygenv}" ] + if [ -n "${csih_cygenv}" ] + then + cygwin_env=( -e "CYGWIN=${csih_cygenv}" ) + fi + if [ -z "${password}" ] + then + if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ + -a "-D" -y tcpip "${cygwin_env[@]}" then - cygwin_env=( -e "CYGWIN=${csih_cygenv}" ) + echo + csih_inform "The sshd service has been installed under the LocalSystem" + csih_inform "account (also known as SYSTEM). To start the service now, call" + csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" + csih_inform "will start automatically after the next reboot." fi - if [ -z "${password}" ] + else + if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ + -a "-D" -y tcpip "${cygwin_env[@]}" \ + -u "${run_service_as}" -w "${password}" then - if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ - -a "-D" -y tcpip "${cygwin_env[@]}" - then - echo - csih_inform "The sshd service has been installed under the LocalSystem" - csih_inform "account (also known as SYSTEM). To start the service now, call" - csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" - csih_inform "will start automatically after the next reboot." - fi - else - if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ - -a "-D" -y tcpip "${cygwin_env[@]}" \ - -u "${run_service_as}" -w "${password}" - then - echo - csih_inform "The sshd service has been installed under the '${run_service_as}'" - csih_inform "account. To start the service now, call \`net start sshd' or" - csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" - csih_inform "after the next reboot." - fi + echo + csih_inform "The sshd service has been installed under the '${run_service_as}'" + csih_inform "account. To start the service now, call \`net start sshd' or" + csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" + csih_inform "after the next reboot." 
fi + fi - # now, if successfully installed, set ownership of the affected files - if cygrunsrv -Q sshd >/dev/null 2>&1 - then - chown "${run_service_as}" ${SYSCONFDIR}/ssh* - chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty - chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog - if [ -f ${LOCALSTATEDIR}/log/sshd.log ] - then - chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log - fi - else - csih_warning "Something went wrong installing the sshd service." - fi - fi # user allowed us to install as service - fi # service not yet installed - fi # csih_is_nt + if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1 + then + check_service_files_ownership "${run_service_as}" || let ret+=$? + else + csih_error_recoverable "Installing sshd as a service failed!" + let ++ret + fi + fi # user allowed us to install as service + fi # service not yet installed + return $ret } # --- End of install_service --- # # ====================================================================== 
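Review bot: `cygwin_env`, `opt_f` and `opt_u` are assigned in install_service without `local`, while `run_service_as`, `password` and the new `ret` are declared local; adding `local cygwin_env=() opt_f= opt_u=` alongside them keeps the function self-contained and gives `"${cygwin_env[@]}"` a defined value when `csih_cygenv` is empty. The assignment `opt_u="-u ""${user_account}""" ` collapses to the single word `-u <name>` that is then expanded unquoted as `${opt_u}`, so a user name containing whitespace is split into separate arguments; an array (`opt_u=(-u "${user_account}")`, expanded as `"${opt_u[@]}"`) preserves it. These lines pre-date the commit and are only re-indented here, so this can be a follow-up. Separately, the privileged account password is still handed to `cygrunsrv -I ... -w "${password}"` on its command line, where it may be visible to other local processes for the duration of the call; if cygrunsrv offers no other way to supply it, a comment acknowledging that exposure next to the call would help the next reader.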
@@ -494,21 +622,71 @@ done # Check for running ssh/sshd processes first. Refuse to do anything while # some ssh processes are still running -if ps -ef | grep -q '/sshd\?$' +if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$' then echo csih_error "There are still ssh processes running. Please shut them down first." fi +# Make sure the user is running in an administrative context +admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no) +if [ "${admin}" != "yes" ] +then + echo + csih_warning "Running this script typically requires administrator privileges!" + csih_warning "However, it seems your account does not have these privileges." + csih_warning "Here's the list of groups in your user token:" + echo + for i in $(/usr/bin/id -G) + do + /usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \" \" \$1; }" /etc/group + done + echo + csih_warning "This usually means you're running this script from a non-admin" + csih_warning "desktop session, or in a non-elevated shell under UAC control." + echo + csih_warning "Make sure you have the appropriate privileges right now," + csih_warning "otherwise parts of this script will probably fail!" + echo + echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure" + if ! csih_request "you have the required privileges)" + then + echo + csih_inform "Ok. Exiting. Make sure to switch to an administrative account" + csih_inform "or to start this script from an elevated shell." + exit 1 + fi +fi + +echo + +warning_cnt=0 + # Check for ${SYSCONFDIR} directory csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files." -chmod 775 "${SYSCONFDIR}" -setfacl -m u:system:rwx "${SYSCONFDIR}" +if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1 +then + csih_warning "Can't set permissions on ${SYSCONFDIR}!" + let ++warning_cnt +fi +if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1 +then + csih_warning "Can't set extended permissions on ${SYSCONFDIR}!" 
+ let ++warning_cnt +fi # Check for /var/log directory csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory." -chmod 775 "${LOCALSTATEDIR}/log" -setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" +if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1 +then + csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!" + let ++warning_cnt +fi +if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1 +then + csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!" + let ++warning_cnt +fi # Create /var/log/lastlog if not already exists if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] 
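Review bot: The group listing in the admin check builds the awk program by interpolating `$i` into the pattern text (`"/[^:]*:[^:]*:$i:/{ print \" \" \$1; }"`) and runs awk once per group; passing the value as an awk variable is more robust against future changes to where `$i` comes from and easier to read: `/usr/bin/awk -F: -v gid="$i" '$3 == gid { print "  " $1 }' /etc/group`. As written `$i` comes from `/usr/bin/id -G`, so it is numeric and the interpolation is not a problem today; this is a robustness and style point. The check itself only tests for gid 544 in the token, and whether a non-elevated UAC session reports that group in `id -G` output is not visible from the hunk, so the interactive prompt is doing the real work; a comment on the `admin=` line stating that assumption would save the next reader the same question.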
@@ -519,26 +697,33 @@ then fi if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] then - cat /dev/null > ${LOCALSTATEDIR}/log/lastlog - chmod 644 ${LOCALSTATEDIR}/log/lastlog + /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog + if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 + then + csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!" + let ++warning_cnt + fi fi # Create /var/empty file used as chroot jail for privilege separation csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory." -chmod 755 "${LOCALSTATEDIR}/empty" -setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" +if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 +then + csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!" + let ++warning_cnt +fi +if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 +then + csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!" + let ++warning_cnt +fi # host keys -create_host_keys - -# use 'cmp' program to determine if a config file is identical -# to the default version of that config file -csih_check_program_or_error cmp diffutils - +create_host_keys || let warning_cnt+=$? # handle ssh_config -csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" -if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1 +csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt +if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1 then if [ "${port_number}" != "22" ] then 
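Review bot: The removed `csih_check_program_or_error cmp diffutils` was the only guard that `cmp` is installed, and the `/usr/bin/cmp` calls that replace it (here and in the next hunk) discard stderr, so a missing diffutils now fails silently: the `if /usr/bin/cmp ...` test for ssh_config is treated as "differs" and the `port_number` handling in that branch is skipped, sshd_config is treated as locally modified, and `warning_cnt` is never bumped. Keep the check, e.g. `csih_check_program_or_error cmp diffutils` right before the first `/usr/bin/cmp`, or test `[ -x /usr/bin/cmp ]` and count a warning. The lastlog creation `/usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog` is unchecked while the chmod that follows is, so a failed redirect surfaces as a misleading "Can't set permissions" warning; `if ! : > "${LOCALSTATEDIR}/log/lastlog"` with its own warning would attribute the failure correctly.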
@@ -549,19 +734,24 @@ then fi # handle sshd_config (and privsep) -csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" -if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 +csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt +if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 then - grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes + /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes fi -sshd_privsep - +sshd_privsep || let warning_cnt+=$? - -update_services_file -update_inetd_conf -install_service +update_services_file || let warning_cnt+=$? +update_inetd_conf || let warning_cnt+=$? +install_service || let warning_cnt+=$? echo -csih_inform "Host configuration finished. Have fun!" - +if [ $warning_cnt -eq 0 ] +then + csih_inform "Host configuration finished. Have fun!" +else + csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!" + csih_warning "Make sure that all problems reported are fixed," + csih_warning "then re-run ssh-host-config." +fi +exit $warning_cnt -- cgit v1.2.3 From db59a3fb22799c83bb979154a1110ba57961ef21 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 28 Mar 2011 15:07:06 +1100 Subject: (whitespace change to test sync to hg) --- ChangeLog | 1 - 1 file changed, 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 03e151f8a..56fe35211 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1261,4 +1261,3 @@ (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate) ok markus@ - -- cgit v1.2.3 From a10abe9e4be4ca3b5da71c34c6f5f1844336958e Mon Sep 17 00:00:00 2001 
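Review bot: `exit $warning_cnt` uses the accumulated count as the process exit status, but nothing near the `warning_cnt=0` initialisation says so, and the shell truncates the value modulo 256, so the meaning of a non-zero status is not obvious to a caller. Either document the contract where the counter is declared, `# exit status: number of warnings/errors encountered, 0 on success`, or exit with `$((warning_cnt > 0))` and leave the count to the final csih_warning message. The `|| let warning_cnt+=$?` pattern relies on every routine returning its own count via `return`, which the hunks above do, but `install_service` also calls `exit 1` directly on a failed privileged-user creation and thereby bypasses this summary; a comment here noting that early exit would make the two exit paths clear.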
From: Damien Miller Date: Tue, 12 Apr 2011 15:39:35 +1000 Subject: s/recommended/required in warning: "It is recommended that your private key files are NOT accessible by others." since there is no way to skip this check; bz#1878 --- authfile.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/authfile.c b/authfile.c index f2aec267a..a49850c89 100644 --- a/authfile.c +++ b/authfile.c @@ -606,7 +606,7 @@ key_perm_ok(int fd, const char *filename) error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); error("Permissions 0%3.3o for '%s' are too open.", (u_int)st.st_mode & 0777, filename); - error("It is recommended that your private key files are NOT accessible by others."); + error("It is required that your private key files are NOT accessible by others."); error("This private key will be ignored."); return 0; } -- cgit v1.2.3 From 68790fedef210e03e36534b111e2f27b858170b4 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 May 2011 11:19:13 +1000 Subject: - (djm) [defines.h] Move up include of netinet/ip.h for IPTOS definitions. --- ChangeLog | 4 ++++ defines.h | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 56fe35211..0105a95ec 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20110505 + - (djm) [defines.h] Move up include of netinet/ip.h for IPTOS + definitions. From des AT des.no + 20110221 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the Cygwin-specific service installer script ssh-host-config. The actual diff --git a/defines.h b/defines.h index cd273066d..b67cf467d 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.164 2011/01/17 10:15:31 dtucker Exp $ */ +/* $Id: defines.h,v 1.165 2011/05/05 01:19:15 djm Exp $ */ /* Constants */ 
@@ -45,6 +45,8 @@ enum /* * Definitions for IP type of service (ip_tos) */ +#include +#include #ifndef IPTOS_LOWDELAY # define IPTOS_LOWDELAY 0x10 # define IPTOS_THROUGHPUT 0x08 @@ -56,8 +58,6 @@ enum /* * Definitions for DiffServ Codepoints as per RFC2474 */ -#include -#include #ifndef IPTOS_DSCP_AF11 # define IPTOS_DSCP_AF11 0x28 # define IPTOS_DSCP_AF12 0x30 -- cgit v1.2.3 From f22019bdbfb986daf24428a9d37f9fe9bb3ff7ad Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 May 2011 13:48:37 +1000 Subject: - (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac] [entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c] [ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c] [ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh] [regress/README.regress] Remove ssh-rand-helper and all its tentacles. PRNGd seeding has been rolled into entropy.c directly. Thanks to tim@ for testing on affected platforms. --- .cvsignore | 2 - ChangeLog | 7 + INSTALL | 6 +- Makefile.in | 50 +-- WARNING.RNG | 95 ----- aclocal.m4 | 12 +- buildpkg.sh.in | 7 - configure.ac | 249 ++++--------- contrib/aix/buildbff.sh | 11 +- entropy.c | 238 ++++++++----- regress/README.regress | 6 +- ssh-add.c | 1 - ssh-agent.c | 1 - ssh-keygen.c | 1 - ssh-keyscan.c | 1 - ssh-keysign.c | 1 - ssh-pkcs11-helper.c | 1 - ssh-rand-helper.8 | 94 ----- ssh-rand-helper.c | 932 ------------------------------------------------ ssh.c | 1 - ssh_prng_cmds.in | 75 ---- sshd.c | 1 - 22 files changed, 237 insertions(+), 1555 deletions(-) delete mode 100644 WARNING.RNG delete mode 100644 ssh-rand-helper.8 delete mode 100644 ssh-rand-helper.c delete mode 100644 ssh_prng_cmds.in diff --git a/.cvsignore b/.cvsignore index 8dd3ddff9..9baaa3b4e 100644 --- a/.cvsignore +++ b/.cvsignore @@ -22,8 +22,6 @@ ssh-keygen ssh-keyscan ssh-keysign ssh-pkcs11-helper -ssh-rand-helper -ssh_prng_cmds sshd stamp-h.in survey diff --git a/ChangeLog b/ChangeLog index 0105a95ec..25fe5918f 100644 --- a/ChangeLog 
+++ b/ChangeLog @@ -1,6 +1,13 @@ 20110505 - (djm) [defines.h] Move up include of netinet/ip.h for IPTOS definitions. From des AT des.no + - (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac] + [entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c] + [ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c] + [ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh] + [regress/README.regress] Remove ssh-rand-helper and all its + tentacles. PRNGd seeding has been rolled into entropy.c directly. + Thanks to tim@ for testing on affected platforms. 20110221 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the diff --git a/INSTALL b/INSTALL index 09dfd666d..0031dea85 100644 --- a/INSTALL +++ b/INSTALL @@ -16,9 +16,7 @@ The remaining items are optional. NB. If you operating system supports /dev/random, you should configure OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of -/dev/random, or failing that, either prngd or egd. If you don't have -any of these you will have to rely on ssh-rand-helper, which is inferior -to a good kernel-based solution or prngd. +/dev/random, or failing that, either prngd or egd PRNGD: @@ -262,4 +260,4 @@ Please refer to the "reporting bugs" section of the webpage at http://www.openssh.com/ -$Id: INSTALL,v 1.85 2010/02/11 22:34:22 djm Exp $ +$Id: INSTALL,v 1.86 2011/05/05 03:48:37 djm Exp $ diff --git a/Makefile.in b/Makefile.in index d0263779b..f5b147619 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.321 2011/01/25 01:16:16 djm Exp $ +# $Id: Makefile.in,v 1.322 2011/05/05 03:48:37 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
@@ -26,7 +26,6 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper -RAND_HELPER=$(libexecdir)/ssh-rand-helper PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ STRIP_OPT=@STRIP_OPT@ @@ -39,7 +38,6 @@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \ -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \ - -DSSH_RAND_HELPER=\"$(RAND_HELPER)\" CC=@CC@ LD=@LD@ @@ -61,10 +59,7 @@ LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ EXEEXT=@EXEEXT@ MANFMT=@MANFMT@ -INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ -INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ - -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ 
@@ -96,15 +91,14 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ sftp-server.o sftp-common.o \ roaming_common.o roaming_serv.o -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 +MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out +MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config.out ssh_config.out moduli.out CONFIGFILES_IN=sshd_config ssh_config moduli PATHSUBS = \ - -e 's|/etc/ssh/ssh_prng_cmds|$(sysconfdir)/ssh_prng_cmds|g' \ -e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \ -e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \ -e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \ @@ -124,7 +118,7 @@ PATHSUBS = \ FIXPATHSCMD = $(SED) $(PATHSUBS) -all: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) +all: $(CONFIGFILES) $(MANPAGES) $(TARGETS) $(LIBSSH_OBJS): Makefile.in config.h $(SSHOBJS): Makefile.in config.h 
@@ -175,9 +169,6 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o s sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) -ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o - $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) @@ -198,11 +189,6 @@ $(CONFIGFILES): $(CONFIGFILES_IN) conffile=`echo $@ | sed 's/.out$$//'`; \ $(FIXPATHSCMD) $(srcdir)/$${conffile} > $@ -ssh_prng_cmds.out: ssh_prng_cmds - if test ! -z "$(INSTALL_SSH_PRNG_CMDS)"; then \ - $(PERL) $(srcdir)/fixprogs ssh_prng_cmds $(ENT); \ - fi - # fake rule to stop make trying to compile moduli.o into a binary "moduli.o" moduli: echo @@ -215,7 +201,7 @@ clean: regressclean distclean: regressclean rm -f *.o *.a $(TARGETS) logintest config.cache config.log rm -f *.out core opensshd.init openssh.xml - rm -f Makefile buildpkg.sh config.h config.status ssh_prng_cmds + rm -f Makefile buildpkg.sh config.h config.status rm -f survey.sh openbsd-compat/regress/Makefile *~ rm -rf autom4te.cache (cd openbsd-compat && $(MAKE) distclean) 
@@ -242,9 +228,9 @@ distprep: catman-do $(AUTORECONF) -rm -rf autom4te.cache -install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config -install-nokeys: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf -install-nosysconf: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files +install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config +install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf +install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files check-config: -$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config @@ -265,9 +251,6 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) - if test ! -z "$(INSTALL_SSH_RAND_HELPER)" ; then \ - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-rand-helper$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-rand-helper$(EXEEXT) ; \ - fi $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) 
@@ -282,9 +265,6 @@ install-files: $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 - if [ ! -z "$(INSTALL_SSH_RAND_HELPER)" ]; then \ - $(INSTALL) -m 644 ssh-rand-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 ; \ - fi $(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 @@ -308,13 +288,6 @@ install-sysconf: else \ echo "$(DESTDIR)$(sysconfdir)/sshd_config already exists, install will not overwrite"; \ fi - @if [ -f ssh_prng_cmds ] && [ ! -z "$(INSTALL_SSH_PRNG_CMDS)" ]; then \ - if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_prng_cmds ] ; then \ - $(INSTALL) -m 644 ssh_prng_cmds.out $(DESTDIR)$(sysconfdir)/ssh_prng_cmds; \ - else \ - echo "$(DESTDIR)$(sysconfdir)/ssh_prng_cmds already exists, install will not overwrite"; \ - fi ; \ - fi @if [ ! -f $(DESTDIR)$(sysconfdir)/moduli ]; then \ if [ -f $(DESTDIR)$(sysconfdir)/primes ]; then \ echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \ @@ -361,7 +334,6 @@ host-key-force: ssh-keygen$(EXEEXT) uninstallall: uninstall -rm -f $(DESTDIR)$(sysconfdir)/ssh_config -rm -f $(DESTDIR)$(sysconfdir)/sshd_config - -rm -f $(DESTDIR)$(sysconfdir)/ssh_prng_cmds -rmdir $(DESTDIR)$(sysconfdir) -rmdir $(DESTDIR)$(bindir) -rmdir $(DESTDIR)$(sbindir) @@ -383,7 +355,6 @@ uninstall: -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) - -rm -f $(DESTDIR)$(RAND_HELPER)$(EXEEXT) -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 
@@ -392,7 +363,6 @@ uninstall: -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 @@ -462,7 +432,7 @@ survey: survey.sh ssh send-survey: survey mail portable-survey@mindrot.org postinstall << _EOF [ -f \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config ] || \\ cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config.default \\ \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config -[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds.default ] && { - [ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds ] || \\ - cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds.default \\ - \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds -} # make rc?.d dirs only if we are doing a test install [ -n "${TEST_DIR}" ] && [ $DO_SMF -ne 1 ] && { diff --git a/configure.ac b/configure.ac index c8d90ea0d..573c09710 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.471 2011/01/26 20:38:58 tim Exp $ +# $Id: configure.ac,v 1.472 2011/05/05 03:48:37 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.471 $) +AC_REVISION($Revision: 1.472 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) 
@@ -2299,113 +2299,15 @@ AC_RUN_IFELSE( ], [ AC_MSG_RESULT([no]) - # Default to use of the rand helper if OpenSSL doesn't - # seed itself - USE_RAND_HELPER=yes ], [ AC_MSG_WARN([cross compiling: assuming yes]) - # This is safe, since all recent OpenSSL versions will - # complain at runtime if not seeded correctly. + # This is safe, since we will fatal() at runtime if + # OpenSSL is not seeded correctly. OPENSSL_SEEDS_ITSELF=yes ] ) -# Check for PAM libs -PAM_MSG="no" -AC_ARG_WITH([pam], - [ --with-pam Enable PAM support ], - [ - if test "x$withval" != "xno" ; then - if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \ - test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then - AC_MSG_ERROR([PAM headers not found]) - fi - - saved_LIBS="$LIBS" - AC_CHECK_LIB([dl], [dlopen], , ) - AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])]) - AC_CHECK_FUNCS([pam_getenvlist]) - AC_CHECK_FUNCS([pam_putenv]) - LIBS="$saved_LIBS" - - PAM_MSG="yes" - - SSHDLIBS="$SSHDLIBS -lpam" - AC_DEFINE([USE_PAM], [1], - [Define if you want to enable PAM support]) - - if test $ac_cv_lib_dl_dlopen = yes; then - case "$LIBS" in - *-ldl*) - # libdl already in LIBS - ;; - *) - SSHDLIBS="$SSHDLIBS -ldl" - ;; - esac - fi - fi - ] -) - -# Check for older PAM -if test "x$PAM_MSG" = "xyes" ; then - # Check PAM strerror arguments (old PAM) - AC_MSG_CHECKING([whether pam_strerror takes only one argument]) - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ -#include -#if defined(HAVE_SECURITY_PAM_APPL_H) -#include -#elif defined (HAVE_PAM_PAM_APPL_H) -#include -#endif - ]], [[ -(void)pam_strerror((pam_handle_t *)NULL, -1); - ]])], [AC_MSG_RESULT([no])], [ - AC_DEFINE([HAVE_OLD_PAM], [1], - [Define if you have an old version of PAM - which takes only one argument to pam_strerror]) - AC_MSG_RESULT([yes]) - PAM_MSG="yes (old library)" - - ]) -fi - -# Do we want to force the use of the rand helper? 
-AC_ARG_WITH([rand-helper], - [ --with-rand-helper Use subprocess to gather strong randomness ], - [ - if test "x$withval" = "xno" ; then - # Force use of OpenSSL's internal RNG, even if - # the previous test showed it to be unseeded. - if test -z "$OPENSSL_SEEDS_ITSELF" ; then - AC_MSG_WARN([*** Forcing use of OpenSSL's non-self-seeding PRNG]) - OPENSSL_SEEDS_ITSELF=yes - USE_RAND_HELPER="" - fi - else - USE_RAND_HELPER=yes - fi - ], -) - -# Which randomness source do we use? -if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then - # OpenSSL only - AC_DEFINE([OPENSSL_PRNG_ONLY], [1], - [Define if you want OpenSSL's internally seeded PRNG only]) - RAND_MSG="OpenSSL internal ONLY" - INSTALL_SSH_RAND_HELPER="" -elif test ! -z "$USE_RAND_HELPER" ; then - # install rand helper - RAND_MSG="ssh-rand-helper" - INSTALL_SSH_RAND_HELPER="yes" -fi -AC_SUBST([INSTALL_SSH_RAND_HELPER]) - -### Configuration of ssh-rand-helper - # PRNGD TCP socket AC_ARG_WITH([prngd-port], [ --with-prngd-port=PORT read entropy from PRNGD/EGD TCP localhost:PORT], @@ -2460,7 +2362,7 @@ AC_ARG_WITH([prngd-socket], ], [ # Check for existing socket only if we don't have a random device already - if test "$USE_RAND_HELPER" = yes ; then + if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then AC_MSG_CHECKING([for PRNGD/EGD socket]) # Insert other locations here for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do 
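Review bot: The cross-compiling branch still assumes OPENSSL_SEEDS_ITSELF=yes, and with the rand helper gone that assumption, as far as the later "Which randomness source" block shows, selects OPENSSL_PRNG_ONLY unless a --with-prngd-* option was also given, so a target without a kernel RNG gets binaries whose only entropy path is the runtime fatal() the rewritten comment mentions. The comment is accurate about the failure mode, but the warning gives the cross-compiler no hint of how to avoid it, and the problem is only discovered on first run of ssh or sshd on the target. Suggest `AC_MSG_WARN([cross compiling: assuming yes; pass --with-prngd-port or --with-prngd-socket if the target has no kernel RNG])`. The AC_RUN_IFELSE this branch belongs to starts before the hunk.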
@@ -2479,19 +2381,79 @@ AC_ARG_WITH([prngd-socket], ] ) -# Change default command timeout for hashing entropy source -entropy_timeout=200 -AC_ARG_WITH([entropy-timeout], - [ --with-entropy-timeout Specify entropy gathering command timeout (msec)], +# Which randomness source do we use? +if test ! -z "$PRNGD_PORT" ; then + RAND_MSG="PRNGd port $PRNGD_PORT" +elif test ! -z "$PRNGD_SOCKET" ; then + RAND_MSG="PRNGd socket $PRNGD_SOCKET" +elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then + AC_DEFINE([OPENSSL_PRNG_ONLY], [1], + [Define if you want OpenSSL's internally seeded PRNG only]) + RAND_MSG="OpenSSL internal ONLY" +else + AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options]) +fi + +# Check for PAM libs +PAM_MSG="no" +AC_ARG_WITH([pam], + [ --with-pam Enable PAM support ], [ - if test -n "$withval" && test "x$withval" != "xno" && \ - test "x${withval}" != "xyes"; then - entropy_timeout=$withval + if test "x$withval" != "xno" ; then + if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \ + test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then + AC_MSG_ERROR([PAM headers not found]) + fi + + saved_LIBS="$LIBS" + AC_CHECK_LIB([dl], [dlopen], , ) + AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])]) + AC_CHECK_FUNCS([pam_getenvlist]) + AC_CHECK_FUNCS([pam_putenv]) + LIBS="$saved_LIBS" + + PAM_MSG="yes" + + SSHDLIBS="$SSHDLIBS -lpam" + AC_DEFINE([USE_PAM], [1], + [Define if you want to enable PAM support]) + + if test $ac_cv_lib_dl_dlopen = yes; then + case "$LIBS" in + *-ldl*) + # libdl already in LIBS + ;; + *) + SSHDLIBS="$SSHDLIBS -ldl" + ;; + esac + fi fi ] ) -AC_DEFINE_UNQUOTED([ENTROPY_TIMEOUT_MSEC], [$entropy_timeout], - [Builtin PRNG command timeout]) + +# Check for older PAM +if test "x$PAM_MSG" = "xyes" ; then + # Check PAM strerror arguments (old PAM) + AC_MSG_CHECKING([whether pam_strerror takes 
only one argument]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#if defined(HAVE_SECURITY_PAM_APPL_H) +#include +#elif defined (HAVE_PAM_PAM_APPL_H) +#include +#endif + ]], [[ +(void)pam_strerror((pam_handle_t *)NULL, -1); + ]])], [AC_MSG_RESULT([no])], [ + AC_DEFINE([HAVE_OLD_PAM], [1], + [Define if you have an old version of PAM + which takes only one argument to pam_strerror]) + AC_MSG_RESULT([yes]) + PAM_MSG="yes (old library)" + + ]) +fi SSH_PRIVSEP_USER=sshd AC_ARG_WITH([privsep-user], 
@@ -2507,56 +2469,6 @@ AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"], [non-privileged user for privilege separation]) AC_SUBST([SSH_PRIVSEP_USER]) -# We do this little dance with the search path to insure -# that programs that we select for use by installed programs -# (which may be run by the super-user) come from trusted -# locations before they come from the user's private area. -# This should help avoid accidentally configuring some -# random version of a program in someone's personal bin. - -OPATH=$PATH -PATH=/bin:/usr/bin -test -h /bin 2> /dev/null && PATH=/usr/bin -test -d /sbin && PATH=$PATH:/sbin -test -d /usr/sbin && PATH=$PATH:/usr/sbin -PATH=$PATH:/etc:$OPATH - -# These programs are used by the command hashing source to gather entropy -OSSH_PATH_ENTROPY_PROG([PROG_LS], [ls]) -OSSH_PATH_ENTROPY_PROG([PROG_NETSTAT], [netstat]) -OSSH_PATH_ENTROPY_PROG([PROG_ARP], [arp]) -OSSH_PATH_ENTROPY_PROG([PROG_IFCONFIG], [ifconfig]) -OSSH_PATH_ENTROPY_PROG([PROG_JSTAT], [jstat]) -OSSH_PATH_ENTROPY_PROG([PROG_PS], [ps]) -OSSH_PATH_ENTROPY_PROG([PROG_SAR], [sar]) -OSSH_PATH_ENTROPY_PROG([PROG_W], [w]) -OSSH_PATH_ENTROPY_PROG([PROG_WHO], [who]) -OSSH_PATH_ENTROPY_PROG([PROG_LAST], [last]) -OSSH_PATH_ENTROPY_PROG([PROG_LASTLOG], [lastlog]) -OSSH_PATH_ENTROPY_PROG([PROG_DF], [df]) -OSSH_PATH_ENTROPY_PROG([PROG_VMSTAT], [vmstat]) -OSSH_PATH_ENTROPY_PROG([PROG_UPTIME], [uptime]) -OSSH_PATH_ENTROPY_PROG([PROG_IPCS], [ipcs]) -OSSH_PATH_ENTROPY_PROG([PROG_TAIL], [tail]) -# restore PATH -PATH=$OPATH - -# Where does ssh-rand-helper get its randomness from? -INSTALL_SSH_PRNG_CMDS="" -if test ! -z "$INSTALL_SSH_RAND_HELPER" ; then - if test ! -z "$PRNGD_PORT" ; then - RAND_HELPER_MSG="TCP localhost:$PRNGD_PORT" - elif test ! 
-z "$PRNGD_SOCKET" ; then - RAND_HELPER_MSG="Unix domain socket \"$PRNGD_SOCKET\"" - else - RAND_HELPER_MSG="Command hashing (timeout $entropy_timeout)" - RAND_HELPER_CMDHASH=yes - INSTALL_SSH_PRNG_CMDS="yes" - fi -fi -AC_SUBST([INSTALL_SSH_PRNG_CMDS]) - - # Cheap hack to ensure NEWS-OS libraries are arranged right. if test ! -z "$SONY" ; then LIBS="$LIBS -liberty"; @@ -4157,7 +4069,7 @@ AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6]) AC_EXEEXT AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \ openbsd-compat/Makefile openbsd-compat/regress/Makefile \ - ssh_prng_cmds survey.sh]) + survey.sh]) AC_OUTPUT # Print summary of options @@ -4212,9 +4124,6 @@ echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" echo " BSD Auth support: $BSD_AUTH_MSG" echo " Random number source: $RAND_MSG" -if test ! -z "$USE_RAND_HELPER" ; then -echo " ssh-rand-helper collects from: $RAND_HELPER_MSG" -fi echo "" @@ -4246,14 +4155,6 @@ if test "x$PAM_MSG" = "xyes" ; then echo "" fi -if test ! -z "$RAND_HELPER_CMDHASH" ; then - echo "WARNING: you are using the builtin random number collection " - echo "service. Please read WARNING.RNG and request that your OS " - echo "vendor includes kernel-based random number collection in " - echo "future versions of your OS." - echo "" -fi - if test ! -z "$NO_PEERCHECK" ; then echo "WARNING: the operating system that you are using does not" echo "appear to support getpeereid(), getpeerucred() or the" diff --git a/contrib/aix/buildbff.sh b/contrib/aix/buildbff.sh index ca4bf0210..81d8cc301 100755 --- a/contrib/aix/buildbff.sh +++ b/contrib/aix/buildbff.sh @@ -1,7 +1,7 @@ #!/bin/sh # # buildbff.sh: Create AIX SMIT-installable OpenSSH packages -# $Id: buildbff.sh,v 1.12 2010/04/18 03:35:00 dtucker Exp $ +# $Id: buildbff.sh,v 1.13 2011/05/05 03:48:41 djm Exp $ # # Author: Darren Tucker (dtucker at zip dot com dot au) # This file is placed in the public domain and comes with absolutely 
@@ -156,13 +156,6 @@ do mv $FAKE_ROOT/$sysconfdir/$cfgfile $FAKE_ROOT/$sysconfdir/$cfgfile.default done -# AIX 5.3 and newer have /dev/random and don't create ssh_prng_cmds -if [ -f $FAKE_ROOT/$sysconfdir/ssh_prng_cmds ] -then - mv $FAKE_ROOT/$sysconfdir/ssh_prng_cmds \ - $FAKE_ROOT/$sysconfdir/ssh_prng_cmds.default -fi - # # Generate lpp control files. # working dir is $FAKE_ROOT but files are generated in dir above @@ -197,7 +190,7 @@ cat <>../openssh.post_i #!/bin/sh echo Creating configs from defaults if necessary. -for cfgfile in ssh_config sshd_config ssh_prng_cmds +for cfgfile in ssh_config sshd_config do if [ ! -f $sysconfdir/\$cfgfile ] then diff --git a/entropy.c b/entropy.c index a82166258..2d6d3ec52 100644 --- a/entropy.c +++ b/entropy.c @@ -25,19 +25,19 @@ #include "includes.h" #include -#include - -#ifdef HAVE_SYS_STAT_H -# include +#include +#ifdef HAVE_SYS_UN_H +# include #endif -#ifdef HAVE_FCNTL_H -# include -#endif -#include -#include +#include +#include + +#include #include +#include #include +#include /* for offsetof */ #include #include 
@@ -54,118 +54,128 @@ /* * Portable OpenSSH PRNG seeding: * If OpenSSL has not "internally seeded" itself (e.g. pulled data from - * /dev/random), then we execute a "ssh-rand-helper" program which - * collects entropy and writes it to stdout. The child program must - * write at least RANDOM_SEED_SIZE bytes. The child is run with stderr - * attached, so error/debugging output should be visible. - * - * XXX: we should tell the child how many bytes we need. + * /dev/random), then collect RANDOM_SEED_SIZE bytes of randomness from + * PRNGd. */ - #ifndef OPENSSL_PRNG_ONLY + #define RANDOM_SEED_SIZE 48 -static uid_t original_uid, original_euid; -#endif -void -seed_rng(void) +/* + * Collect 'len' bytes of entropy into 'buf' from PRNGD/EGD daemon + * listening either on 'tcp_port', or via Unix domain socket at * + * 'socket_path'. + * Either a non-zero tcp_port or a non-null socket_path must be + * supplied. + * Returns 0 on success, -1 on error + */ +int +get_random_bytes_prngd(unsigned char *buf, int len, + unsigned short tcp_port, char *socket_path) { -#ifndef OPENSSL_PRNG_ONLY - int devnull; - int p[2]; - pid_t pid; - int ret; - unsigned char buf[RANDOM_SEED_SIZE]; - mysig_t old_sigchld; + int fd, addr_len, rval, errors; + u_char msg[2]; + struct sockaddr_storage addr; + struct sockaddr_in *addr_in = (struct sockaddr_in *)&addr; + struct sockaddr_un *addr_un = (struct sockaddr_un *)&addr; + mysig_t old_sigpipe; + + /* Sanity checks */ + if (socket_path == NULL && tcp_port == 0) + fatal("You must specify a port or a socket"); + if (socket_path != NULL && + strlen(socket_path) >= sizeof(addr_un->sun_path)) + fatal("Random pool path is too long"); + if (len <= 0 || len > 255) + fatal("Too many bytes (%d) to read from PRNGD", len); + + memset(&addr, '\0', sizeof(addr)); + + if (tcp_port != 0) { + addr_in->sin_family = AF_INET; + addr_in->sin_addr.s_addr = htonl(INADDR_LOOPBACK); + addr_in->sin_port = htons(tcp_port); + addr_len = sizeof(*addr_in); + } else { + 
addr_un->sun_family = AF_UNIX; + strlcpy(addr_un->sun_path, socket_path, + sizeof(addr_un->sun_path)); + addr_len = offsetof(struct sockaddr_un, sun_path) + + strlen(socket_path) + 1; + } - if (RAND_status() == 1) { - debug3("RNG is ready, skipping seeding"); - return; + old_sigpipe = mysignal(SIGPIPE, SIG_IGN); + + errors = 0; + rval = -1; +reopen: + fd = socket(addr.ss_family, SOCK_STREAM, 0); + if (fd == -1) { + error("Couldn't create socket: %s", strerror(errno)); + goto done; } - debug3("Seeding PRNG from %s", SSH_RAND_HELPER); - - if ((devnull = open("/dev/null", O_RDWR)) == -1) - fatal("Couldn't open /dev/null: %s", strerror(errno)); - if (pipe(p) == -1) - fatal("pipe: %s", strerror(errno)); - - old_sigchld = signal(SIGCHLD, SIG_DFL); - if ((pid = fork()) == -1) - fatal("Couldn't fork: %s", strerror(errno)); - if (pid == 0) { - dup2(devnull, STDIN_FILENO); - dup2(p[1], STDOUT_FILENO); - /* Keep stderr open for errors */ - close(p[0]); - close(p[1]); - close(devnull); - - if (original_uid != original_euid && - ( seteuid(getuid()) == -1 || - setuid(original_uid) == -1) ) { - fprintf(stderr, "(rand child) setuid(%li): %s\n", - (long int)original_uid, strerror(errno)); - _exit(1); + if (connect(fd, (struct sockaddr*)&addr, addr_len) == -1) { + if (tcp_port != 0) { + error("Couldn't connect to PRNGD port %d: %s", + tcp_port, strerror(errno)); + } else { + error("Couldn't connect to PRNGD socket \"%s\": %s", + addr_un->sun_path, strerror(errno)); } - - execl(SSH_RAND_HELPER, "ssh-rand-helper", NULL); - fprintf(stderr, "(rand child) Couldn't exec '%s': %s\n", - SSH_RAND_HELPER, strerror(errno)); - _exit(1); + goto done; } - close(devnull); - close(p[1]); + /* Send blocking read request to PRNGD */ + msg[0] = 0x02; + msg[1] = len; - memset(buf, '\0', sizeof(buf)); - ret = atomicio(read, p[0], buf, sizeof(buf)); - if (ret == -1) - fatal("Couldn't read from ssh-rand-helper: %s", + if (atomicio(vwrite, fd, msg, sizeof(msg)) != sizeof(msg)) { + if (errno == EPIPE && 
errors < 10) { + close(fd); + errors++; + goto reopen; + } + error("Couldn't write to PRNGD socket: %s", strerror(errno)); - if (ret != sizeof(buf)) - fatal("ssh-rand-helper child produced insufficient data"); - - close(p[0]); + goto done; + } - if (waitpid(pid, &ret, 0) == -1) - fatal("Couldn't wait for ssh-rand-helper completion: %s", + if (atomicio(read, fd, buf, len) != (size_t)len) { + if (errno == EPIPE && errors < 10) { + close(fd); + errors++; + goto reopen; + } + error("Couldn't read from PRNGD socket: %s", strerror(errno)); - signal(SIGCHLD, old_sigchld); - - /* We don't mind if the child exits upon a SIGPIPE */ - if (!WIFEXITED(ret) && - (!WIFSIGNALED(ret) || WTERMSIG(ret) != SIGPIPE)) - fatal("ssh-rand-helper terminated abnormally"); - if (WEXITSTATUS(ret) != 0) - fatal("ssh-rand-helper exit with exit status %d", ret); - - RAND_add(buf, sizeof(buf), sizeof(buf)); - memset(buf, '\0', sizeof(buf)); + goto done; + } -#endif /* OPENSSL_PRNG_ONLY */ - if (RAND_status() != 1) - fatal("PRNG is not seeded"); + rval = 0; +done: + mysignal(SIGPIPE, old_sigpipe); + if (fd != -1) + close(fd); + return rval; } -void -init_rng(void) +static int +seed_from_prngd(unsigned char *buf, size_t bytes) { - /* - * OpenSSL version numbers: MNNFFPPS: major minor fix patch status - * We match major, minor, fix and status (not patch) - */ - if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L) - fatal("OpenSSL version mismatch. Built against %lx, you " - "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); - -#ifndef OPENSSL_PRNG_ONLY - original_uid = getuid(); - original_euid = geteuid(); +#ifdef PRNGD_PORT + debug("trying egd/prngd port %d", PRNGD_PORT); + if (get_random_bytes_prngd(buf, bytes, PRNGD_PORT, NULL) == 0) + return 0; +#endif +#ifdef PRNGD_SOCKET + debug("trying egd/prngd socket %s", PRNGD_SOCKET); + if (get_random_bytes_prngd(buf, bytes, 0, PRNGD_SOCKET) == 0) + return 0; #endif + return -1; } -#ifndef OPENSSL_PRNG_ONLY void rexec_send_rng_seed(Buffer *m) { 
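Review bot: get_random_bytes_prngd's TCP variant connects to INADDR_LOOPBACK:tcp_port and accepts whatever bytes come back with no authentication of the peer, and seed_rng then passes them to RAND_add with an entropy estimate equal to the full buffer length; if PRNGd is not listening, any local user who binds that port can supply the entire seed, and with this change it lands directly in the calling process (including sshd) rather than in a separate helper. The EGD protocol offers nothing to verify here, so at minimum the function header should state the trust assumption; suggest adding ` * Note: the TCP form trusts any process able to bind localhost:tcp_port; prefer the Unix-domain socket, which is at least subject to filesystem permissions.` The Unix-domain path is bounded by the sun_path length check, which looks correct.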
@@ -191,4 +201,34 @@ rexec_recv_rng_seed(Buffer *m) RAND_add(buf, len, len); } } +#endif /* OPENSSL_PRNG_ONLY */ + +void +seed_rng(void) +{ +#ifndef OPENSSL_PRNG_ONLY + unsigned char buf[RANDOM_SEED_SIZE]; #endif + /* + * OpenSSL version numbers: MNNFFPPS: major minor fix patch status + * We match major, minor, fix and status (not patch) + */ + if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L) + fatal("OpenSSL version mismatch. Built against %lx, you " + "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); + +#ifndef OPENSSL_PRNG_ONLY + if (RAND_status() == 1) { + debug3("RNG is ready, skipping seeding"); + return; + } + + if (seed_from_prngd(buf, sizeof(buf)) == -1) + fatal("Could not obtain seed from PRNGd"); + RAND_add(buf, sizeof(buf), sizeof(buf)); + memset(buf, '\0', sizeof(buf)); + +#endif /* OPENSSL_PRNG_ONLY */ + if (RAND_status() != 1) + fatal("PRNG is not seeded"); +} diff --git a/regress/README.regress b/regress/README.regress index da9bb6a99..82e4cc751 100644 --- a/regress/README.regress +++ b/regress/README.regress @@ -93,10 +93,6 @@ Failed tests can be difficult to diagnose. Suggestions: Known Issues. -- If your build requires ssh-rand-helper regress tests will fail - unless ssh-rand-helper is in pre-installed (the path to - ssh-rand-helper is hard coded). - - Similarly, if you do not have "scp" in your system's $PATH then the multiplex scp tests will fail (since the system's shell startup scripts will determine where the shell started by sshd will look for scp). @@ -105,4 +101,4 @@ Known Issues. test to fail. The old behaviour can be restored by setting (and exporting) _POSIX2_VERSION=199209 before running the tests. -$Id: README.regress,v 1.11 2010/08/16 21:04:29 djm Exp $ +$Id: README.regress,v 1.12 2011/05/05 03:48:42 djm Exp $ diff --git a/ssh-add.c b/ssh-add.c index 125d6645b..94b68ac18 100644 --- a/ssh-add.c +++ b/ssh-add.c 
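Review bot: In the new seed_rng the `memset(buf, '\0', sizeof(buf));` after RAND_add is a store to a stack buffer that is never read again, which a compiler may drop as a dead store, so the 48 seed bytes can survive on the stack (the removed code had the same pattern, so this is carried over rather than introduced). Since the file already calls into OpenSSL, `OPENSSL_cleanse(buf, sizeof(buf));` is a non-elidable replacement, presumably needing <openssl/crypto.h> if it is not already included — the include list in the earlier hunk is not readable here.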
@@ -372,7 +372,6 @@ main(int argc, char **argv) sanitise_stdfd(); __progname = ssh_get_progname(argv[0]); - init_rng(); seed_rng(); OpenSSL_add_all_algorithms(); diff --git a/ssh-agent.c b/ssh-agent.c index afba413d7..ae204b145 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1154,7 +1154,6 @@ main(int ac, char **av) OpenSSL_add_all_algorithms(); __progname = ssh_get_progname(av[0]); - init_rng(); seed_rng(); while ((ch = getopt(ac, av, "cdksa:t:")) != -1) { diff --git a/ssh-keygen.c b/ssh-keygen.c index c95e4ab29..d379b1a2c 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1817,7 +1817,6 @@ main(int argc, char **argv) OpenSSL_add_all_algorithms(); log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); - init_rng(); seed_rng(); /* we need this for the home * directory. */ diff --git a/ssh-keyscan.c b/ssh-keyscan.c index 25d7ac66f..eb282b948 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c @@ -620,7 +620,6 @@ main(int argc, char **argv) extern char *optarg; __progname = ssh_get_progname(argv[0]); - init_rng(); seed_rng(); TAILQ_INIT(&tq); diff --git a/ssh-keysign.c b/ssh-keysign.c index 4172491c2..1deb7e141 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c @@ -178,7 +178,6 @@ main(int argc, char **argv) permanently_set_uid(pw); - init_rng(); seed_rng(); arc4random_stir(); diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c index 8e3f57ace..cd33515f6 100644 --- a/ssh-pkcs11-helper.c +++ b/ssh-pkcs11-helper.c @@ -280,7 +280,6 @@ main(int argc, char **argv) TAILQ_INIT(&pkcs11_keylist); pkcs11_init(0); - init_rng(); seed_rng(); __progname = ssh_get_progname(argv[0]); diff --git a/ssh-rand-helper.8 b/ssh-rand-helper.8 deleted file mode 100644 index af5a72fcb..000000000 --- a/ssh-rand-helper.8 +++ /dev/null 
@@ -1,94 +0,0 @@ -.\" $Id: ssh-rand-helper.8,v 1.3 2007/01/22 01:44:53 djm Exp $ -.\" -.\" Copyright (c) 2002 Damien Miller. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd April 14, 2002 -.Dt SSH-RAND-HELPER 8 -.Os -.Sh NAME -.Nm ssh-rand-helper -.Nd random number gatherer for OpenSSH -.Sh SYNOPSIS -.Nm ssh-rand-hlper -.Op Fl vxXh -.Op Fl b Ar bytes -.Sh DESCRIPTION -.Nm -is a small helper program used by -.Xr ssh 1 , -.Xr ssh-add 1 , -.Xr ssh-agent 1 , -.Xr ssh-keygen 1 , -.Xr ssh-keyscan 1 -and -.Xr sshd 8 -to gather random numbers of cryptographic quality if the -.Xr openssl 4 -library has not been configured to provide them itself. 
-.Pp -Normally -.Nm -will generate a strong random seed and provide it to the calling -program via standard output. If standard output is a tty, -.Nm -will instead print the seed in hexidecimal format unless told otherwise. -.Pp -.Nm -will by default gather random numbers from the system commands listed -in -.Pa /etc/ssh/ssh_prng_cmds . -The output of each of the commands listed will be hashed and used to -generate a random seed for the calling program. -.Nm -will also store seed files in -.Pa ~/.ssh/prng_seed -between executions. -.Pp -Alternately, -.Nm -may be configured at build time to collect random numbers from a -EGD/PRNGd server via a unix domain or localhost tcp socket. -.Pp -This program is not intended to be run by the end-user, so the few -commandline options are for debugging purposes only. -.Bl -tag -width Ds -.It Fl b Ar bytes -Specify the number of random bytes to include in the output. -.It Fl x -Output a hexidecimal instead of a binary seed. -.It Fl X -Force output of a binary seed, even if standard output is a tty -.It Fl v -Turn on debugging message. Multiple -.Fl v -options will increase the debugging level. -.It Fl h -Display a summary of options. -.El -.Sh AUTHORS -Damien Miller -.Sh SEE ALSO -.Xr ssh 1 , -.Xr ssh-add 1 , -.Xr ssh-keygen 1 , -.Xr sshd 8 diff --git a/ssh-rand-helper.c b/ssh-rand-helper.c deleted file mode 100644 index fa5070499..000000000 --- a/ssh-rand-helper.c +++ /dev/null 
@@ -1,932 +0,0 @@ -/* - * Copyright (c) 2001-2002 Damien Miller. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ - -#include "includes.h" - -#include -#include -#include -#include -#include - -#include -#include -#include - -#include -#include - -#ifdef HAVE_SYS_UN_H -# include -#endif - -#include -#include -#include -#include -#include -#include - -#include -#include -#include - -/* SunOS 4.4.4 needs this */ -#ifdef HAVE_FLOATINGPOINT_H -# include -#endif /* HAVE_FLOATINGPOINT_H */ - -#include "misc.h" -#include "xmalloc.h" -#include "atomicio.h" -#include "pathnames.h" -#include "log.h" - -/* Number of bytes we write out */ -#define OUTPUT_SEED_SIZE 48 - -/* Length of on-disk seedfiles */ -#define SEED_FILE_SIZE 1024 - -/* Maximum number of command-line arguments to read from file */ -#define NUM_ARGS 10 - -/* Minimum number of usable commands to be considered sufficient */ -#define MIN_ENTROPY_SOURCES 16 - -/* Path to on-disk seed file (relative to user's home directory */ -#ifndef SSH_PRNG_SEED_FILE -# define SSH_PRNG_SEED_FILE _PATH_SSH_USER_DIR"/prng_seed" -#endif - -/* Path to PRNG commands list */ -#ifndef SSH_PRNG_COMMAND_FILE -# define SSH_PRNG_COMMAND_FILE SSHDIR "/ssh_prng_cmds" -#endif - -extern char *__progname; - -#define WHITESPACE " \t\n" - -#ifndef RUSAGE_SELF -# define RUSAGE_SELF 0 -#endif -#ifndef RUSAGE_CHILDREN -# define RUSAGE_CHILDREN 0 -#endif - -#if !defined(PRNGD_SOCKET) && !defined(PRNGD_PORT) -# define USE_SEED_FILES -#endif - -typedef struct { - /* Proportion of data that is entropy */ - double rate; - /* Counter goes positive if this command times out */ - unsigned int badness; - /* Increases by factor of two each timeout */ - unsigned int sticky_badness; - /* Path to executable */ - char *path; - /* argv to pass to executable */ - char *args[NUM_ARGS]; /* XXX: arbitrary limit */ - /* full command string (debug) */ - char *cmdstring; -} entropy_cmd_t; - -/* slow command timeouts (all in milliseconds) */ -/* static int entropy_timeout_default = ENTROPY_TIMEOUT_MSEC; */ -static int entropy_timeout_current = ENTROPY_TIMEOUT_MSEC; - -/* this 
is initialised from a file, by prng_read_commands() */ -static entropy_cmd_t *entropy_cmds = NULL; - -/* Prototypes */ -double stir_from_system(void); -double stir_from_programs(void); -double stir_gettimeofday(double entropy_estimate); -double stir_clock(double entropy_estimate); -double stir_rusage(int who, double entropy_estimate); -double hash_command_output(entropy_cmd_t *src, unsigned char *hash); -int get_random_bytes_prngd(unsigned char *buf, int len, - unsigned short tcp_port, char *socket_path); - -/* - * Collect 'len' bytes of entropy into 'buf' from PRNGD/EGD daemon - * listening either on 'tcp_port', or via Unix domain socket at * - * 'socket_path'. - * Either a non-zero tcp_port or a non-null socket_path must be - * supplied. - * Returns 0 on success, -1 on error - */ -int -get_random_bytes_prngd(unsigned char *buf, int len, - unsigned short tcp_port, char *socket_path) -{ - int fd, addr_len, rval, errors; - u_char msg[2]; - struct sockaddr_storage addr; - struct sockaddr_in *addr_in = (struct sockaddr_in *)&addr; - struct sockaddr_un *addr_un = (struct sockaddr_un *)&addr; - mysig_t old_sigpipe; - - /* Sanity checks */ - if (socket_path == NULL && tcp_port == 0) - fatal("You must specify a port or a socket"); - if (socket_path != NULL && - strlen(socket_path) >= sizeof(addr_un->sun_path)) - fatal("Random pool path is too long"); - if (len <= 0 || len > 255) - fatal("Too many bytes (%d) to read from PRNGD", len); - - memset(&addr, '\0', sizeof(addr)); - - if (tcp_port != 0) { - addr_in->sin_family = AF_INET; - addr_in->sin_addr.s_addr = htonl(INADDR_LOOPBACK); - addr_in->sin_port = htons(tcp_port); - addr_len = sizeof(*addr_in); - } else { - addr_un->sun_family = AF_UNIX; - strlcpy(addr_un->sun_path, socket_path, - sizeof(addr_un->sun_path)); - addr_len = offsetof(struct sockaddr_un, sun_path) + - strlen(socket_path) + 1; - } - - old_sigpipe = mysignal(SIGPIPE, SIG_IGN); - - errors = 0; - rval = -1; -reopen: - fd = socket(addr.ss_family, SOCK_STREAM, 
0); - if (fd == -1) { - error("Couldn't create socket: %s", strerror(errno)); - goto done; - } - - if (connect(fd, (struct sockaddr*)&addr, addr_len) == -1) { - if (tcp_port != 0) { - error("Couldn't connect to PRNGD port %d: %s", - tcp_port, strerror(errno)); - } else { - error("Couldn't connect to PRNGD socket \"%s\": %s", - addr_un->sun_path, strerror(errno)); - } - goto done; - } - - /* Send blocking read request to PRNGD */ - msg[0] = 0x02; - msg[1] = len; - - if (atomicio(vwrite, fd, msg, sizeof(msg)) != sizeof(msg)) { - if (errno == EPIPE && errors < 10) { - close(fd); - errors++; - goto reopen; - } - error("Couldn't write to PRNGD socket: %s", - strerror(errno)); - goto done; - } - - if (atomicio(read, fd, buf, len) != (size_t)len) { - if (errno == EPIPE && errors < 10) { - close(fd); - errors++; - goto reopen; - } - error("Couldn't read from PRNGD socket: %s", - strerror(errno)); - goto done; - } - - rval = 0; -done: - mysignal(SIGPIPE, old_sigpipe); - if (fd != -1) - close(fd); - return rval; -} - -static int -seed_from_prngd(unsigned char *buf, size_t bytes) -{ -#ifdef PRNGD_PORT - debug("trying egd/prngd port %d", PRNGD_PORT); - if (get_random_bytes_prngd(buf, bytes, PRNGD_PORT, NULL) == 0) - return 0; -#endif -#ifdef PRNGD_SOCKET - debug("trying egd/prngd socket %s", PRNGD_SOCKET); - if (get_random_bytes_prngd(buf, bytes, 0, PRNGD_SOCKET) == 0) - return 0; -#endif - return -1; -} - -double -stir_gettimeofday(double entropy_estimate) -{ - struct timeval tv; - - if (gettimeofday(&tv, NULL) == -1) - fatal("Couldn't gettimeofday: %s", strerror(errno)); - - RAND_add(&tv, sizeof(tv), entropy_estimate); - - return entropy_estimate; -} - -double -stir_clock(double entropy_estimate) -{ -#ifdef HAVE_CLOCK - clock_t c; - - c = clock(); - RAND_add(&c, sizeof(c), entropy_estimate); - - return entropy_estimate; -#else /* _HAVE_CLOCK */ - return 0; -#endif /* _HAVE_CLOCK */ -} - -double -stir_rusage(int who, double entropy_estimate) -{ -#ifdef HAVE_GETRUSAGE - struct 
rusage ru; - - if (getrusage(who, &ru) == -1) - return 0; - - RAND_add(&ru, sizeof(ru), entropy_estimate); - - return entropy_estimate; -#else /* _HAVE_GETRUSAGE */ - return 0; -#endif /* _HAVE_GETRUSAGE */ -} - -static int -timeval_diff(struct timeval *t1, struct timeval *t2) -{ - int secdiff, usecdiff; - - secdiff = t2->tv_sec - t1->tv_sec; - usecdiff = (secdiff*1000000) + (t2->tv_usec - t1->tv_usec); - return (int)(usecdiff / 1000); -} - -double -hash_command_output(entropy_cmd_t *src, unsigned char *hash) -{ - char buf[8192]; - fd_set rdset; - int bytes_read, cmd_eof, error_abort, msec_elapsed, p[2]; - int status, total_bytes_read; - static int devnull = -1; - pid_t pid; - SHA_CTX sha; - struct timeval tv_start, tv_current; - - debug3("Reading output from \'%s\'", src->cmdstring); - - if (devnull == -1) { - devnull = open("/dev/null", O_RDWR); - if (devnull == -1) - fatal("Couldn't open /dev/null: %s", - strerror(errno)); - } - - if (pipe(p) == -1) - fatal("Couldn't open pipe: %s", strerror(errno)); - - (void)gettimeofday(&tv_start, NULL); /* record start time */ - - switch (pid = fork()) { - case -1: /* Error */ - close(p[0]); - close(p[1]); - fatal("Couldn't fork: %s", strerror(errno)); - /* NOTREACHED */ - case 0: /* Child */ - dup2(devnull, STDIN_FILENO); - dup2(p[1], STDOUT_FILENO); - dup2(p[1], STDERR_FILENO); - close(p[0]); - close(p[1]); - close(devnull); - - execv(src->path, (char**)(src->args)); - - debug("(child) Couldn't exec '%s': %s", - src->cmdstring, strerror(errno)); - _exit(-1); - default: /* Parent */ - break; - } - - RAND_add(&pid, sizeof(&pid), 0.0); - - close(p[1]); - - /* Hash output from child */ - SHA1_Init(&sha); - - cmd_eof = error_abort = msec_elapsed = total_bytes_read = 0; - while (!error_abort && !cmd_eof) { - int ret; - struct timeval tv; - int msec_remaining; - - (void) gettimeofday(&tv_current, 0); - msec_elapsed = timeval_diff(&tv_start, &tv_current); - if (msec_elapsed >= entropy_timeout_current) { - error_abort=1; - 
continue; - } - msec_remaining = entropy_timeout_current - msec_elapsed; - - FD_ZERO(&rdset); - FD_SET(p[0], &rdset); - tv.tv_sec = msec_remaining / 1000; - tv.tv_usec = (msec_remaining % 1000) * 1000; - - ret = select(p[0] + 1, &rdset, NULL, NULL, &tv); - - RAND_add(&tv, sizeof(tv), 0.0); - - switch (ret) { - case 0: - /* timer expired */ - error_abort = 1; - kill(pid, SIGINT); - break; - case 1: - /* command input */ - do { - bytes_read = read(p[0], buf, sizeof(buf)); - } while (bytes_read == -1 && errno == EINTR); - RAND_add(&bytes_read, sizeof(&bytes_read), 0.0); - if (bytes_read == -1) { - error_abort = 1; - break; - } else if (bytes_read) { - SHA1_Update(&sha, buf, bytes_read); - total_bytes_read += bytes_read; - } else { - cmd_eof = 1; - } - break; - case -1: - default: - /* error */ - debug("Command '%s': select() failed: %s", - src->cmdstring, strerror(errno)); - error_abort = 1; - break; - } - } - - SHA1_Final(hash, &sha); - - close(p[0]); - - debug3("Time elapsed: %d msec", msec_elapsed); - - if (waitpid(pid, &status, 0) == -1) { - error("Couldn't wait for child '%s' completion: %s", - src->cmdstring, strerror(errno)); - return 0.0; - } - - RAND_add(&status, sizeof(&status), 0.0); - - if (error_abort) { - /* - * Closing p[0] on timeout causes the entropy command to - * SIGPIPE. 
Take whatever output we got, and mark this - * command as slow - */ - debug2("Command '%s' timed out", src->cmdstring); - src->sticky_badness *= 2; - src->badness = src->sticky_badness; - return total_bytes_read; - } - - if (WIFEXITED(status)) { - if (WEXITSTATUS(status) == 0) { - return total_bytes_read; - } else { - debug2("Command '%s' exit status was %d", - src->cmdstring, WEXITSTATUS(status)); - src->badness = src->sticky_badness = 128; - return 0.0; - } - } else if (WIFSIGNALED(status)) { - debug2("Command '%s' returned on uncaught signal %d !", - src->cmdstring, status); - src->badness = src->sticky_badness = 128; - return 0.0; - } else - return 0.0; -} - -double -stir_from_system(void) -{ - double total_entropy_estimate; - long int i; - - total_entropy_estimate = 0; - - i = getpid(); - RAND_add(&i, sizeof(i), 0.5); - total_entropy_estimate += 0.1; - - i = getppid(); - RAND_add(&i, sizeof(i), 0.5); - total_entropy_estimate += 0.1; - - i = getuid(); - RAND_add(&i, sizeof(i), 0.0); - i = getgid(); - RAND_add(&i, sizeof(i), 0.0); - - total_entropy_estimate += stir_gettimeofday(1.0); - total_entropy_estimate += stir_clock(0.5); - total_entropy_estimate += stir_rusage(RUSAGE_SELF, 2.0); - - return total_entropy_estimate; -} - -double -stir_from_programs(void) -{ - int c; - double entropy, total_entropy; - unsigned char hash[SHA_DIGEST_LENGTH]; - - total_entropy = 0; - for(c = 0; entropy_cmds[c].path != NULL; c++) { - if (!entropy_cmds[c].badness) { - /* Hash output from command */ - entropy = hash_command_output(&entropy_cmds[c], - hash); - - /* Scale back estimate by command's rate */ - entropy *= entropy_cmds[c].rate; - - /* Upper bound of entropy is SHA_DIGEST_LENGTH */ - if (entropy > SHA_DIGEST_LENGTH) - entropy = SHA_DIGEST_LENGTH; - - /* Stir it in */ - RAND_add(hash, sizeof(hash), entropy); - - debug3("Got %0.2f bytes of entropy from '%s'", - entropy, entropy_cmds[c].cmdstring); - - total_entropy += entropy; - - /* Execution time should be a bit 
unpredictable */ - total_entropy += stir_gettimeofday(0.05); - total_entropy += stir_clock(0.05); - total_entropy += stir_rusage(RUSAGE_SELF, 0.1); - total_entropy += stir_rusage(RUSAGE_CHILDREN, 0.1); - } else { - debug2("Command '%s' disabled (badness %d)", - entropy_cmds[c].cmdstring, - entropy_cmds[c].badness); - - if (entropy_cmds[c].badness > 0) - entropy_cmds[c].badness--; - } - } - - return total_entropy; -} - -/* - * prng seedfile functions - */ -int -prng_check_seedfile(char *filename) -{ - struct stat st; - - /* - * XXX raceable: eg replace seed between this stat and subsequent - * open. Not such a problem because we don't really trust the - * seed file anyway. - * XXX: use secure path checking as elsewhere in OpenSSH - */ - if (lstat(filename, &st) == -1) { - /* Give up on hard errors */ - if (errno != ENOENT) - debug("WARNING: Couldn't stat random seed file " - "\"%.100s\": %s", filename, strerror(errno)); - return 0; - } - - /* regular file? */ - if (!S_ISREG(st.st_mode)) - fatal("PRNG seedfile %.100s is not a regular file", - filename); - - /* mode 0600, owned by root or the current user? 
*/ - if (((st.st_mode & 0177) != 0) || !(st.st_uid == getuid())) { - debug("WARNING: PRNG seedfile %.100s must be mode 0600, " - "owned by uid %li", filename, (long int)getuid()); - return 0; - } - - return 1; -} - -void -prng_write_seedfile(void) -{ - int fd, save_errno; - unsigned char seed[SEED_FILE_SIZE]; - char filename[MAXPATHLEN], tmpseed[MAXPATHLEN]; - struct passwd *pw; - mode_t old_umask; - - pw = getpwuid(getuid()); - if (pw == NULL) - fatal("Couldn't get password entry for current user " - "(%li): %s", (long int)getuid(), strerror(errno)); - - /* Try to ensure that the parent directory is there */ - snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, - _PATH_SSH_USER_DIR); - if (mkdir(filename, 0700) < 0 && errno != EEXIST) - fatal("mkdir %.200s: %s", filename, strerror(errno)); - - snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, - SSH_PRNG_SEED_FILE); - - strlcpy(tmpseed, filename, sizeof(tmpseed)); - if (strlcat(tmpseed, ".XXXXXXXXXX", sizeof(tmpseed)) >= - sizeof(tmpseed)) - fatal("PRNG seed filename too long"); - - if (RAND_bytes(seed, sizeof(seed)) <= 0) - fatal("PRNG seed extraction failed"); - - /* Don't care if the seed doesn't exist */ - prng_check_seedfile(filename); - - old_umask = umask(0177); - - if ((fd = mkstemp(tmpseed)) == -1) { - debug("WARNING: couldn't make temporary PRNG seedfile %.100s " - "(%.100s)", tmpseed, strerror(errno)); - } else { - debug("writing PRNG seed to file %.100s", tmpseed); - if (atomicio(vwrite, fd, &seed, sizeof(seed)) < sizeof(seed)) { - save_errno = errno; - close(fd); - unlink(tmpseed); - fatal("problem writing PRNG seedfile %.100s " - "(%.100s)", filename, strerror(save_errno)); - } - close(fd); - debug("moving temporary PRNG seed to file %.100s", filename); - if (rename(tmpseed, filename) == -1) { - save_errno = errno; - unlink(tmpseed); - fatal("problem renaming PRNG seedfile from %.100s " - "to %.100s (%.100s)", tmpseed, filename, - strerror(save_errno)); - } - } - 
umask(old_umask); -} - -void -prng_read_seedfile(void) -{ - int fd; - char seed[SEED_FILE_SIZE], filename[MAXPATHLEN]; - struct passwd *pw; - - pw = getpwuid(getuid()); - if (pw == NULL) - fatal("Couldn't get password entry for current user " - "(%li): %s", (long int)getuid(), strerror(errno)); - - snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, - SSH_PRNG_SEED_FILE); - - debug("loading PRNG seed from file %.100s", filename); - - if (!prng_check_seedfile(filename)) { - verbose("Random seed file not found or invalid, ignoring."); - return; - } - - /* open the file and read in the seed */ - fd = open(filename, O_RDONLY); - if (fd == -1) - fatal("could not open PRNG seedfile %.100s (%.100s)", - filename, strerror(errno)); - - if (atomicio(read, fd, &seed, sizeof(seed)) < sizeof(seed)) { - verbose("invalid or short read from PRNG seedfile " - "%.100s - ignoring", filename); - memset(seed, '\0', sizeof(seed)); - } - close(fd); - - /* stir in the seed, with estimated entropy zero */ - RAND_add(&seed, sizeof(seed), 0.0); -} - - -/* - * entropy command initialisation functions - */ -int -prng_read_commands(char *cmdfilename) -{ - char cmd[SEED_FILE_SIZE], *cp, line[1024], path[SEED_FILE_SIZE]; - double est; - entropy_cmd_t *entcmd; - FILE *f; - int cur_cmd, linenum, num_cmds, arg; - - if ((f = fopen(cmdfilename, "r")) == NULL) { - fatal("couldn't read entropy commands file %.100s: %.100s", - cmdfilename, strerror(errno)); - } - - num_cmds = 64; - entcmd = xcalloc(num_cmds, sizeof(entropy_cmd_t)); - - /* Read in file */ - cur_cmd = linenum = 0; - while (fgets(line, sizeof(line), f)) { - linenum++; - - /* Skip leading whitespace, blank lines and comments */ - cp = line + strspn(line, WHITESPACE); - if ((*cp == 0) || (*cp == '#')) - continue; /* done with this line */ - - /* - * The first non-whitespace char should be a double quote - * delimiting the commandline - */ - if (*cp != '"') { - error("bad entropy command, %.100s line %d", - cmdfilename, linenum); - 
continue; - } - - /* - * First token, command args (incl. argv[0]) in double - * quotes - */ - cp = strtok(cp, "\""); - if (cp == NULL) { - error("missing or bad command string, %.100s " - "line %d -- ignored", cmdfilename, linenum); - continue; - } - strlcpy(cmd, cp, sizeof(cmd)); - - /* Second token, full command path */ - if ((cp = strtok(NULL, WHITESPACE)) == NULL) { - error("missing command path, %.100s " - "line %d -- ignored", cmdfilename, linenum); - continue; - } - - /* Did configure mark this as dead? */ - if (strncmp("undef", cp, 5) == 0) - continue; - - strlcpy(path, cp, sizeof(path)); - - /* Third token, entropy rate estimate for this command */ - if ((cp = strtok(NULL, WHITESPACE)) == NULL) { - error("missing entropy estimate, %.100s " - "line %d -- ignored", cmdfilename, linenum); - continue; - } - est = strtod(cp, NULL); - - /* end of line */ - if ((cp = strtok(NULL, WHITESPACE)) != NULL) { - error("garbage at end of line %d in %.100s " - "-- ignored", linenum, cmdfilename); - continue; - } - - /* save the command for debug messages */ - entcmd[cur_cmd].cmdstring = xstrdup(cmd); - - /* split the command args */ - cp = strtok(cmd, WHITESPACE); - arg = 0; - do { - entcmd[cur_cmd].args[arg] = xstrdup(cp); - arg++; - } while(arg < NUM_ARGS && (cp = strtok(NULL, WHITESPACE))); - - if (strtok(NULL, WHITESPACE)) - error("ignored extra commands (max %d), %.100s " - "line %d", NUM_ARGS, cmdfilename, linenum); - - /* Copy the command path and rate estimate */ - entcmd[cur_cmd].path = xstrdup(path); - entcmd[cur_cmd].rate = est; - - /* Initialise other values */ - entcmd[cur_cmd].sticky_badness = 1; - - cur_cmd++; - - /* - * If we've filled the array, reallocate it twice the size - * Do this now because even if this we're on the last - * command we need another slot to mark the last entry - */ - if (cur_cmd == num_cmds) { - num_cmds *= 2; - entcmd = xrealloc(entcmd, num_cmds, - sizeof(entropy_cmd_t)); - } - } - - /* zero the last entry */ - 
memset(&entcmd[cur_cmd], '\0', sizeof(entropy_cmd_t)); - - /* trim to size */ - entropy_cmds = xrealloc(entcmd, (cur_cmd + 1), - sizeof(entropy_cmd_t)); - - debug("Loaded %d entropy commands from %.100s", cur_cmd, - cmdfilename); - - fclose(f); - return cur_cmd < MIN_ENTROPY_SOURCES ? -1 : 0; -} - -void -usage(void) -{ - fprintf(stderr, "Usage: %s [options]\n", __progname); - fprintf(stderr, " -v Verbose; display verbose debugging messages.\n"); - fprintf(stderr, " Multiple -v increases verbosity.\n"); - fprintf(stderr, " -x Force output in hexadecimal (for debugging)\n"); - fprintf(stderr, " -X Force output in binary\n"); - fprintf(stderr, " -b bytes Number of bytes to output (default %d)\n", - OUTPUT_SEED_SIZE); -} - -int -main(int argc, char **argv) -{ - unsigned char *buf; - int ret, ch, debug_level, output_hex, bytes; - extern char *optarg; - extern int optind; - LogLevel ll; - - __progname = ssh_get_progname(argv[0]); - log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); - - ll = SYSLOG_LEVEL_INFO; - debug_level = output_hex = 0; - bytes = OUTPUT_SEED_SIZE; - - /* Don't write binary data to a tty, unless we are forced to */ - if (isatty(STDOUT_FILENO)) - output_hex = 1; - - while ((ch = getopt(argc, argv, "vxXhb:")) != -1) { - switch (ch) { - case 'v': - if (debug_level < 3) - ll = SYSLOG_LEVEL_DEBUG1 + debug_level++; - break; - case 'x': - output_hex = 1; - break; - case 'X': - output_hex = 0; - break; - case 'b': - if ((bytes = atoi(optarg)) <= 0) - fatal("Invalid number of output bytes"); - break; - case 'h': - usage(); - exit(0); - default: - error("Invalid commandline option"); - usage(); - exit(1); - } - } - log_init(argv[0], ll, SYSLOG_FACILITY_USER, 1); - - if (argc != optind) { - error("Unexpected commandline arguments."); - usage(); - exit(1); - } - -#ifdef USE_SEED_FILES - prng_read_seedfile(); -#endif - - buf = xmalloc(bytes); - - /* - * Seed the RNG from wherever we can - */ - - /* Take whatever is on the stack, but don't credit it */ 
- RAND_add(buf, bytes, 0); - - debug("Seeded RNG with %i bytes from system calls", - (int)stir_from_system()); - - /* try prngd, fall back to commands if prngd fails or not configured */ - if (seed_from_prngd(buf, bytes) == 0) { - RAND_add(buf, bytes, bytes); - } else { - /* Read in collection commands */ - if (prng_read_commands(SSH_PRNG_COMMAND_FILE) == -1) - fatal("PRNG initialisation failed -- exiting."); - debug("Seeded RNG with %i bytes from programs", - (int)stir_from_programs()); - } - -#ifdef USE_SEED_FILES - prng_write_seedfile(); -#endif - - /* - * Write the seed to stdout - */ - - if (!RAND_status()) - fatal("Not enough entropy in RNG"); - - if (RAND_bytes(buf, bytes) <= 0) - fatal("Couldn't extract entropy from PRNG"); - - if (output_hex) { - for(ret = 0; ret < bytes; ret++) - printf("%02x", (unsigned char)(buf[ret])); - printf("\n"); - } else - ret = atomicio(vwrite, STDOUT_FILENO, buf, bytes); - - memset(buf, '\0', bytes); - xfree(buf); - - return ret == bytes ? 0 : 1; -} - -/* - * We may attempt to re-seed during mkstemp if we are using the one in the - * compat library (via mkstemp -> _gettemp -> arc4random -> seed_rng) so we - * need our own seed_rng(). We must also check that we have enough entropy. - */ -void -seed_rng(void) -{ - if (!RAND_status()) - fatal("Not enough entropy in RNG"); -} diff --git a/ssh.c b/ssh.c index d32ef78b0..b543c6117 100644 --- a/ssh.c +++ b/ssh.c @@ -234,7 +234,6 @@ main(int ac, char **av) sanitise_stdfd(); __progname = ssh_get_progname(av[0]); - init_rng(); /* * Discard other fds that are hanging around. These can cause problem diff --git a/ssh_prng_cmds.in b/ssh_prng_cmds.in deleted file mode 100644 index 0d29d49f1..000000000 --- a/ssh_prng_cmds.in +++ /dev/null 
@@ -1,75 +0,0 @@ -# entropy gathering commands - -# Format is: "program-name args" path rate - -# The "rate" represents the number of bits of usuable entropy per -# byte of command output. Be conservative. -# -# $Id: ssh_prng_cmds.in,v 1.9 2003/11/21 12:48:56 djm Exp $ - -"ls -alni /var/log" @PROG_LS@ 0.02 -"ls -alni /var/adm" @PROG_LS@ 0.02 -"ls -alni /usr/adm" @PROG_LS@ 0.02 -"ls -alni /var/mail" @PROG_LS@ 0.02 -"ls -alni /usr/mail" @PROG_LS@ 0.02 -"ls -alni /var/adm/syslog" @PROG_LS@ 0.02 -"ls -alni /usr/adm/syslog" @PROG_LS@ 0.02 -"ls -alni /var/spool/mail" @PROG_LS@ 0.02 -"ls -alni /proc" @PROG_LS@ 0.02 -"ls -alni /tmp" @PROG_LS@ 0.02 -"ls -alni /var/tmp" @PROG_LS@ 0.02 -"ls -alni /usr/tmp" @PROG_LS@ 0.02 -"ls -alTi /var/log" @PROG_LS@ 0.02 -"ls -alTi /var/adm" @PROG_LS@ 0.02 -"ls -alTi /var/mail" @PROG_LS@ 0.02 -"ls -alTi /var/adm/syslog" @PROG_LS@ 0.02 -"ls -alTi /var/spool/mail" @PROG_LS@ 0.02 -"ls -alTi /proc" @PROG_LS@ 0.02 -"ls -alTi /tmp" @PROG_LS@ 0.02 -"ls -alTi /var/tmp" @PROG_LS@ 0.02 -"ls -alTi /usr/tmp" @PROG_LS@ 0.02 - -"netstat -an" @PROG_NETSTAT@ 0.05 -"netstat -in" @PROG_NETSTAT@ 0.05 -"netstat -rn" @PROG_NETSTAT@ 0.02 -"netstat -pn" @PROG_NETSTAT@ 0.02 -"netstat -ia" @PROG_NETSTAT@ 0.05 -"netstat -s" @PROG_NETSTAT@ 0.02 -"netstat -is" @PROG_NETSTAT@ 0.07 - -"arp -n -a" @PROG_ARP@ 0.02 - -"ifconfig -a" @PROG_IFCONFIG@ 0.02 - -"ps laxww" @PROG_PS@ 0.03 -"ps -al" @PROG_PS@ 0.03 -"ps -efl" @PROG_PS@ 0.03 -"jstat" @PROG_JSTAT@ 0.07 - -"w" @PROG_W@ 0.05 - -"who -i" @PROG_WHO@ 0.01 - -"last" @PROG_LAST@ 0.01 - -"lastlog" @PROG_LASTLOG@ 0.01 - -"df" @PROG_DF@ 0.01 -"df -i" @PROG_DF@ 0.01 - -"sar -d" @PROG_SAR@ 0.04 - -"vmstat" @PROG_VMSTAT@ 0.01 -"uptime" @PROG_UPTIME@ 0.01 - -"ipcs -a" @PROG_IPCS@ 0.01 - -"tail -200 /var/log/messages" @PROG_TAIL@ 0.01 -"tail -200 /var/log/syslog" @PROG_TAIL@ 0.01 -"tail -200 /var/adm/messages" @PROG_TAIL@ 0.01 -"tail -200 /var/adm/syslog" @PROG_TAIL@ 0.01 -"tail -200 /var/adm/syslog/syslog.log" @PROG_TAIL@ 0.01 
-"tail -200 /var/log/maillog" @PROG_TAIL@ 0.01 -"tail -200 /var/adm/maillog" @PROG_TAIL@ 0.01 -"tail -200 /var/adm/syslog/mail.log" @PROG_TAIL@ 0.01 - diff --git a/sshd.c b/sshd.c index cb45cecbd..8f65858c9 100644 --- a/sshd.c +++ b/sshd.c @@ -1306,7 +1306,6 @@ main(int ac, char **av) (void)set_auth_parameters(ac, av); #endif __progname = ssh_get_progname(av[0]); - init_rng(); /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ saved_argc = ac; -- cgit v1.2.3 From 3fcdfd55a3a3a16342a4f110f2dc1ba998526e47 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 May 2011 14:04:11 +1000 Subject: - OpenBSD CVS Sync - djm@cvs.openbsd.org 2011/03/10 02:52:57 [auth2-gss.c auth2.c] allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock --- ChangeLog | 6 ++++++ auth2-gss.c | 4 +++- auth2.c | 6 ++++-- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 25fe5918f..62f026e2e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,12 @@ [regress/README.regress] Remove ssh-rand-helper and all its tentacles. PRNGd seeding has been rolled into entropy.c directly. Thanks to tim@ for testing on affected platforms. + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2011/03/10 02:52:57 + [auth2-gss.c auth2.c] + allow GSSAPI authentication to detect when a server-side failure causes + authentication failure and don't count such failures against MaxAuthTries; + bz#1244 from simon AT sxw.org.uk; ok markus@ before lock 20110221 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the diff --git a/auth2-gss.c b/auth2-gss.c index 0e08d889c..0d59b2177 100644 --- a/auth2-gss.c +++ b/auth2-gss.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */ +/* $OpenBSD: auth2-gss.c,v 1.17 2011/03/10 02:52:57 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -102,6 +102,7 @@ userauth_gssapi(Authctxt *authctxt) if (!present) { xfree(doid); + authctxt->server_caused_failure = 1; return (0); } @@ -109,6 +110,7 @@ userauth_gssapi(Authctxt *authctxt) if (ctxt != NULL) ssh_gssapi_delete_ctx(&ctxt); xfree(doid); + authctxt->server_caused_failure = 1; return (0); } diff --git a/auth2.c b/auth2.c index 95820f96f..c06c95f06 100644 --- a/auth2.c +++ b/auth2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.122 2010/08/31 09:58:37 djm Exp $ */ +/* $OpenBSD: auth2.c,v 1.123 2011/03/10 02:52:57 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -274,6 +274,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) #endif authctxt->postponed = 0; + authctxt->server_caused_failure = 0; /* try to authenticate user */ m = authmethod_lookup(method); @@ -346,7 +347,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) } else { /* Allow initial try of "none" auth without failure penalty */ - if (authctxt->attempt > 1 || strcmp(method, "none") != 0) + if (!authctxt->server_caused_failure && + (authctxt->attempt > 1 || strcmp(method, "none") != 0)) authctxt->failures++; if (authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS -- cgit v1.2.3 From b2da7d185e1227501262449b634139349a3f736f Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 May 2011 14:04:50 +1000 Subject: - djm@cvs.openbsd.org 2011/03/10 11:34:25 [auth.h] allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock --- ChangeLog | 2 +- auth.h | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) 
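Review bot: The added guard `!authctxt->server_caused_failure &&` in userauth_finish also exempts the first site in auth2-gss.c (`if (!present)`), where the flag is set because none of the mechanism OIDs the client offered is supported; that outcome is driven by client input rather than by a server-side fault, so as far as these hunks show a client can repeat gssapi-with-mic requests with unsupported OIDs without them counting toward MaxAuthTries (LoginGraceTime would still bound the session). The second site, reached after the GSSAPI context is deleted, looks like the genuine server-side failure the commit message describes; consider setting the flag only there, or at least logging the exemption so operators can see it, e.g. `logit("GSSAPI failure attributed to server, not counted against MaxAuthTries");` next to the `failures++` guard. userauth_finish's body begins and ends outside the hunk.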
diff --git a/ChangeLog b/ChangeLog index 62f026e2e..24b13ad0e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,7 +10,7 @@ Thanks to tim@ for testing on affected platforms. - OpenBSD CVS Sync - djm@cvs.openbsd.org 2011/03/10 02:52:57 - [auth2-gss.c auth2.c] + [auth2-gss.c auth2.c auth.h] allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock diff --git a/auth.h b/auth.h index 77317aee6..772a8c898 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.66 2010/05/07 11:30:29 djm Exp $ */ +/* $OpenBSD: auth.h,v 1.67 2011/03/10 11:34:25 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -53,6 +53,7 @@ struct Authctxt { int valid; /* user exists and is allowed to login */ int attempt; int failures; + int server_caused_failure; int force_pwchange; char *user; /* username sent by the client */ char *service; -- cgit v1.2.3 From c5219e701ecf6ce28d9bec1aecca5cfac114231d Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 May 2011 14:05:12 +1000 Subject: - okan@cvs.openbsd.org 2011/03/15 10:36:02 [ssh-keyscan.c] use timerclear macro ok djm@ --- ChangeLog | 4 ++++ ssh-keyscan.c | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 24b13ad0e..8a7083236 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,10 @@ allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock + - okan@cvs.openbsd.org 2011/03/15 10:36:02 + [ssh-keyscan.c] + use timerclear macro + ok djm@ 20110221 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the diff --git a/ssh-keyscan.c b/ssh-keyscan.c index eb282b948..b085dd417 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c 
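Review bot: The new `int server_caused_failure;` member of struct Authctxt is added without a comment, while the neighbouring `valid` field documents its meaning; since this flag changes how MaxAuthTries is enforced it is worth stating who sets and clears it: `int server_caused_failure; /* set by an auth method when the failure was the server's fault; cleared per request; not counted against MaxAuthTries */`. The struct definition begins and ends outside the hunk.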
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keyscan.c,v 1.84 2011/01/04 20:44:13 otto Exp $ */ +/* $OpenBSD: ssh-keyscan.c,v 1.85 2011/03/15 10:36:02 okan Exp $ */ /* * Copyright 1995, 1996 by David Mazieres . * @@ -535,7 +535,7 @@ conloop(void) seltime.tv_sec--; } } else - seltime.tv_sec = seltime.tv_usec = 0; + timerclear(&seltime); r = xcalloc(read_wait_nfdset, sizeof(fd_mask)); e = xcalloc(read_wait_nfdset, sizeof(fd_mask)); -- cgit v1.2.3 From 58f1bafb3d4cf0965ebcb65d94b3476b959f42d8 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 May 2011 14:06:15 +1000 Subject: - stevesk@cvs.openbsd.org 2011/03/23 15:16:22 [ssh-keygen.1 ssh-keygen.c] Add -A option. For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. This will be used by /etc/rc to generate new host keys. Idea from deraadt. ok deraadt --- ChangeLog | 8 +++ ssh-keygen.1 | 13 ++++- ssh-keygen.c | 166 +++++++++++++++++++++++++++++++++++++++++++++++++---------- 3 files changed, 157 insertions(+), 30 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8a7083236..9e59adf1a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,14 @@ [ssh-keyscan.c] use timerclear macro ok djm@ + - stevesk@cvs.openbsd.org 2011/03/23 15:16:22 + [ssh-keygen.1 ssh-keygen.c] + Add -A option. For each of the key types (rsa1, rsa, dsa and ecdsa) + for which host keys do not exist, generate the host keys with the + default key file path, an empty passphrase, default bits for the key + type, and default comment. This will be used by /etc/rc to generate + new host keys. Idea from deraadt. + ok deraadt 20110221 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 205f741b8..2573087b3 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.101 2010/10/28 18:33:28 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.102 2011/03/23 15:16:22 stevesk Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: October 28 2010 $ +.Dd $Mdocdate: March 23 2011 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -117,6 +117,8 @@ .Nm ssh-keygen .Fl L .Op Fl f Ar input_keyfile +.Nm ssh-keygen +.Fl A .Ek .Sh DESCRIPTION .Nm @@ -192,6 +194,13 @@ should be placed to be activated. .Pp The options are as follows: .Bl -tag -width Ds +.It Fl A +For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys +do not exist, generate the host keys with the default key file path, +an empty passphrase, default bits for the key type, and default comment. +This is used by +.Pa /etc/rc +to generate new host keys. .It Fl a Ar trials Specifies the number of primality tests to perform when screening DH-GEX candidates using the diff --git a/ssh-keygen.c b/ssh-keygen.c index d379b1a2c..aae33e308 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.205 2011/01/11 06:13:10 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.206 2011/03/23 15:16:22 stevesk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland 
@@ -159,6 +159,38 @@ char hostname[MAXHOSTNAMELEN]; int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *); int prime_test(FILE *, FILE *, u_int32_t, u_int32_t); +static void +type_bits_valid(int type, u_int32_t *bits) +{ + u_int maxbits; + + if (type == KEY_UNSPEC) { + fprintf(stderr, "unknown key type %s\n", key_type_name); + exit(1); + } + if (*bits == 0) { + if (type == KEY_DSA) + *bits = DEFAULT_BITS_DSA; + else if (type == KEY_ECDSA) + *bits = DEFAULT_BITS_ECDSA; + else + *bits = DEFAULT_BITS; + } + maxbits = (type == KEY_DSA) ? + OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; + if (*bits > maxbits) { + fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); + exit(1); + } + if (type == KEY_DSA && *bits != 1024) + fatal("DSA keys must be 1024 bits"); + else if (type != KEY_ECDSA && *bits < 768) + fatal("Key must at least be 768 bits"); + else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bits) == -1) + fatal("Invalid ECDSA key length - valid lengths are " + "256, 384 or 521 bits"); +} + static void ask_filename(struct passwd *pw, const char *prompt) { 
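Review bot: In type_bits_valid `maxbits` is declared `u_int` but printed with `%d` in `fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);` — use `%u`. The function also mixes `fprintf` plus `exit(1)` with `fatal()` for the same class of input error; now that it serves both the interactive path and the new `-A` path, using `fatal()` throughout gives consistent logging. A header comment would help readers of both callers: `/* Validate the key type, fill in its default bit length when *bits is 0 and reject out-of-range sizes; does not return on error. */`.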
@@ -817,6 +849,98 @@ do_fingerprint(struct passwd *pw) exit(0); } +static void +do_gen_all_hostkeys(struct passwd *pw) +{ + struct { + char *key_type; + char *key_type_display; + char *path; + } key_types[] = { + { "rsa1", "RSA1", _PATH_HOST_KEY_FILE }, + { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, + { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, + { "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE }, + { NULL, NULL, NULL } + }; + + int first = 0; + struct stat st; + Key *private, *public; + char comment[1024]; + int i, type, fd; + FILE *f; + + for (i = 0; key_types[i].key_type; i++) { + if (stat(key_types[i].path, &st) == 0) + continue; + if (errno != ENOENT) { + printf("Could not stat %s: %s", key_types[i].path, + strerror(errno)); + first = 0; + continue; + } + + if (first == 0) { + first = 1; + printf("%s: generating new host keys: ", __progname); + } + printf("%s ", key_types[i].key_type_display); + fflush(stdout); + arc4random_stir(); + type = key_type_from_name(key_types[i].key_type); + strlcpy(identity_file, key_types[i].path, sizeof(identity_file)); + bits = 0; + type_bits_valid(type, &bits); + private = key_generate(type, bits); + if (private == NULL) { + fprintf(stderr, "key_generate failed\n"); + first = 0; + continue; + } + public = key_from_private(private); + snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, + hostname); + if (!key_save_private(private, identity_file, "", comment)) { + printf("Saving the key failed: %s.\n", identity_file); + key_free(private); + key_free(public); + first = 0; + continue; + } + key_free(private); + arc4random_stir(); + strlcat(identity_file, ".pub", sizeof(identity_file)); + fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644); + if (fd == -1) { + printf("Could not save your public key in %s\n", + identity_file); + key_free(public); + first = 0; + continue; + } + f = fdopen(fd, "w"); + if (f == NULL) { + printf("fdopen %s failed\n", identity_file); + key_free(public); + first = 0; + continue; + } + if 
(!key_write(public, f)) { + fprintf(stderr, "write key failed\n"); + key_free(public); + first = 0; + continue; + } + fprintf(f, " %s\n", comment); + fclose(f); + key_free(public); + + } + if (first != 0) + printf("\n"); +} + static void printhost(FILE *f, const char *name, Key *public, int ca, int hash) { @@ -1745,6 +1869,7 @@ usage(void) { fprintf(stderr, "usage: %s [options]\n", __progname); fprintf(stderr, "Options:\n"); + fprintf(stderr, " -A Generate non-existent host keys for all key types.\n"); fprintf(stderr, " -a trials Number of trials for screening DH-GEX moduli.\n"); fprintf(stderr, " -B Show bubblebabble digest of key file.\n"); fprintf(stderr, " -b bits Number of bits in the key to create.\n"); @@ -1799,9 +1924,9 @@ main(int argc, char **argv) struct passwd *pw; struct stat st; int opt, type, fd; - u_int maxbits; u_int32_t memory = 0, generator_wanted = 0, trials = 100; int do_gen_candidates = 0, do_screen_candidates = 0; + int gen_all_hostkeys = 0; BIGNUM *start = NULL; FILE *f; const char *errstr; @@ -1830,9 +1955,12 @@ main(int argc, char **argv) exit(1); } - while ((opt = getopt(argc, argv, "degiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:" + while ((opt = getopt(argc, argv, "AdegiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:" "O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) { switch (opt) { + case 'A': + gen_all_hostkeys = 1; + break; case 'b': bits = (u_int32_t)strtonum(optarg, 256, 32768, &errstr); if (errstr) 
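Review bot: Two descriptor leaks in do_gen_all_hostkeys' error paths: when `fdopen` fails the `fd` returned by `open` is never closed, and when `key_write` fails the stream `f` is never closed, so a loop over several key types can leak one descriptor per failure; add `close(fd);` before the `continue` in the `f == NULL` branch and `fclose(f);` before the `continue` in the `key_write` branch. Every failing iteration also sets `first = 0`, so the closing `printf("\n")` is skipped whenever the last key type failed, and `printf("Could not stat %s: %s", ...)` carries no trailing newline, leaving the progress line unterminated. The `key_types` entries point at string literals and would be better declared `const char *`.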
@@ -2108,37 +2236,19 @@ main(int argc, char **argv) return (0); } + if (gen_all_hostkeys) { + do_gen_all_hostkeys(pw); + return (0); + } + arc4random_stir(); if (key_type_name == NULL) key_type_name = "rsa"; type = key_type_from_name(key_type_name); - if (type == KEY_UNSPEC) { - fprintf(stderr, "unknown key type %s\n", key_type_name); - exit(1); - } - if (bits == 0) { - if (type == KEY_DSA) - bits = DEFAULT_BITS_DSA; - else if (type == KEY_ECDSA) - bits = DEFAULT_BITS_ECDSA; - else - bits = DEFAULT_BITS; - } - maxbits = (type == KEY_DSA) ? - OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; - if (bits > maxbits) { - fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); - exit(1); - } - if (type == KEY_DSA && bits != 1024) - fatal("DSA keys must be 1024 bits"); - else if (type != KEY_ECDSA && bits < 768) - fatal("Key must at least be 768 bits"); - else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(bits) == -1) - fatal("Invalid ECDSA key length - valid lengths are " - "256, 384 or 521 bits"); + type_bits_valid(type, &bits); + if (!quiet) printf("Generating public/private %s key pair.\n", key_type_name); private = key_generate(type, bits); -- cgit v1.2.3 From 4a4d161545447bb847aa01dd5332a9424271da44 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 May 2011 14:06:39 +1000 Subject: - stevesk@cvs.openbsd.org 2011/03/23 16:24:56 [ssh-keygen.1] -q not used in /etc/rc now so remove statement. --- ChangeLog | 3 +++ ssh-keygen.1 | 5 +---- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9e59adf1a..4dfaa2780 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,9 @@ type, and default comment. This will be used by /etc/rc to generate new host keys. Idea from deraadt. ok deraadt + - stevesk@cvs.openbsd.org 2011/03/23 16:24:56 + [ssh-keygen.1] + -q not used in /etc/rc now so remove statement. 20110221 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the 
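Review bot: The new `-A` branch returns 0 regardless of what happened inside do_gen_all_hostkeys, which reports stat, key_generate and save failures only via printf and then continues with the next key type; a caller such as /etc/rc therefore cannot detect that a host key was not written. Consider having do_gen_all_hostkeys return the number of failed key types and propagating that here, e.g. `return (do_gen_all_hostkeys(pw) == 0 ? 0 : 1);`. main's body begins and ends outside the hunk.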
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 2573087b3..e6c52ebe3 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.102 2011/03/23 15:16:22 stevesk Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.103 2011/03/23 16:24:56 stevesk Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -402,9 +402,6 @@ new passphrase. .It Fl q Silence .Nm ssh-keygen . -Used by -.Pa /etc/rc -when creating a new key. .It Fl R Ar hostname Removes all keys belonging to .Ar hostname -- cgit v1.2.3 From 111431963ef704c0ee2e6130ce986e6891ab7a90 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 May 2011 14:13:25 +1000 Subject: - stevesk@cvs.openbsd.org 2011/03/23 16:50:04 [ssh-keygen.c] remove -d, documentation removed >10 years ago; ok markus --- ChangeLog | 3 +++ ssh-keygen.c | 7 ++----- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4dfaa2780..6176bd89e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,9 @@ - stevesk@cvs.openbsd.org 2011/03/23 16:24:56 [ssh-keygen.1] -q not used in /etc/rc now so remove statement. + - stevesk@cvs.openbsd.org 2011/03/23 16:50:04 + [ssh-keygen.c] + remove -d, documentation removed >10 years ago; ok markus 20110221 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the diff --git a/ssh-keygen.c b/ssh-keygen.c index aae33e308..14aefbb98 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.206 2011/03/23 15:16:22 stevesk Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.207 2011/03/23 16:50:04 stevesk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -1955,7 +1955,7 @@ main(int argc, char **argv) exit(1); } - while ((opt = getopt(argc, argv, "AdegiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:" + while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:" "O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) { switch (opt) { case 'A': 
@@ -2055,9 +2055,6 @@ main(int argc, char **argv) case 'y': print_public = 1; break; - case 'd': - key_type_name = "dsa"; - break; case 's': ca_key_path = optarg; break; -- cgit v1.2.3 From 3ca1eb373f84a6d64eb17abf40beeffafa7b034c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 May 2011 14:13:50 +1000 Subject: - jmc@cvs.openbsd.org 2011/03/24 15:29:30 [ssh-keygen.1] zap trailing whitespace; --- ChangeLog | 3 +++ ssh-keygen.1 | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6176bd89e..f3c804ee3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -32,6 +32,9 @@ - stevesk@cvs.openbsd.org 2011/03/23 16:50:04 [ssh-keygen.c] remove -d, documentation removed >10 years ago; ok markus + - jmc@cvs.openbsd.org 2011/03/24 15:29:30 + [ssh-keygen.1] + zap trailing whitespace; 20110221 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the diff --git a/ssh-keygen.1 b/ssh-keygen.1 index e6c52ebe3..c9fec0403 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.103 2011/03/23 16:24:56 stevesk Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.104 2011/03/24 15:29:30 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 23 2011 $ +.Dd $Mdocdate: March 24 2011 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -198,7 +198,7 @@ The options are as follows: For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. -This is used by +This is used by .Pa /etc/rc to generate new host keys. .It Fl a Ar trials -- cgit v1.2.3 From 044f4a6cc39d1c3d109c143c162c4c00fc4df0aa Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Thu, 5 May 2011 14:14:08 +1000 Subject: - stevesk@cvs.openbsd.org 2011/03/24 22:14:54 [ssh-keygen.c] use strcasecmp() for "clear" cert permission option also; ok djm --- ChangeLog | 3 +++ ssh-keygen.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index f3c804ee3..7b12fa966 100644 --- a/ChangeLog +++ b/ChangeLog @@ -35,6 +35,9 @@ - jmc@cvs.openbsd.org 2011/03/24 15:29:30 [ssh-keygen.1] zap trailing whitespace; + - stevesk@cvs.openbsd.org 2011/03/24 22:14:54 + [ssh-keygen.c] + use strcasecmp() for "clear" cert permission option also; ok djm 20110221 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the diff --git a/ssh-keygen.c b/ssh-keygen.c index 14aefbb98..90cffa055 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.207 2011/03/23 16:50:04 stevesk Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.208 2011/03/24 22:14:54 stevesk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -1717,7 +1717,7 @@ add_cert_option(char *opt) { char *val; - if (strcmp(opt, "clear") == 0) + if (strcasecmp(opt, "clear") == 0) certflags_flags = 0; else if (strcasecmp(opt, "no-x11-forwarding") == 0) certflags_flags &= ~CERTOPT_X_FWD; -- cgit v1.2.3 From 91475865997f16a728ae1dc3a98dda957c997a5d Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 May 2011 14:14:34 +1000 Subject: - stevesk@cvs.openbsd.org 2011/03/29 18:54:17 [misc.c misc.h servconf.c] print ipqos friendly string for sshd -T; ok markus # sshd -Tf sshd_config|grep ipqos ipqos lowdelay throughput --- ChangeLog | 5 +++++ misc.c | 15 ++++++++++++++- misc.h | 3 ++- servconf.c | 5 +++-- 4 files changed, 24 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7b12fa966..695f4ed22 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -38,6 +38,11 @@ - stevesk@cvs.openbsd.org 2011/03/24 22:14:54 [ssh-keygen.c] use strcasecmp() for "clear" cert permission option also; ok djm + - stevesk@cvs.openbsd.org 2011/03/29 18:54:17 + [misc.c misc.h servconf.c] + print ipqos friendly string for sshd -T; ok markus + # sshd -Tf sshd_config|grep ipqos + ipqos lowdelay throughput 20110221 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the diff --git a/misc.c b/misc.c index 919b04e6b..5f63090d9 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.84 2010/11/21 01:01:13 djm Exp $ */ +/* $OpenBSD: misc.c,v 1.85 2011/03/29 18:54:17 stevesk Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -985,6 +985,19 @@ parse_ipqos(const char *cp) return val; } +const char * +iptos2str(int iptos) +{ + int i; + static char iptos_str[sizeof "0xff"]; + + for (i = 0; ipqos[i].name != NULL; i++) { + if (ipqos[i].value == iptos) + return ipqos[i].name; + } + snprintf(iptos_str, sizeof iptos_str, "0x%02x", iptos); + return iptos_str; +} void sock_set_v6only(int s) { diff --git a/misc.h b/misc.h index 65cf4a616..f3142a95e 100644 --- a/misc.h +++ b/misc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.h,v 1.47 2010/11/21 01:01:13 djm Exp $ */ +/* $OpenBSD: misc.h,v 1.48 2011/03/29 18:54:17 stevesk Exp $ */ /* * Author: Tatu Ylonen @@ -89,6 +89,7 @@ void bandwidth_limit_init(struct bwlimit *, u_int64_t, size_t); void bandwidth_limit(struct bwlimit *, size_t); int parse_ipqos(const char *); +const char *iptos2str(int); void mktemp_proto(char *, size_t); /* readpass.c */ diff --git a/servconf.c b/servconf.c index e2f20a3d1..48cb0d5b1 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.213 2010/11/13 23:27:50 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.214 2011/03/29 18:54:17 stevesk Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
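Review bot: iptos2str() in the misc.c hunk returns a pointer to the static `iptos_str`, so a second call overwrites the first result; that is why dump_config() in the servconf.c hunk on L81 has to split the output into two printf() calls, and neither site says so. Add a header comment on iptos2str(), e.g. `/* Returns a static buffer that the next call overwrites; consume the result before calling again. */`, and a matching one-liner above the two printf() lines in dump_config(). The fallback `snprintf(iptos_str, sizeof iptos_str, "0x%02x", iptos)` writes into a buffer sized for "0xff", so it silently truncates if `iptos` is ever outside 0..255 (a negative sentinel, for instance); a comment stating that callers pass a TOS byte, or a slightly wider buffer, would settle that. The new function's closing `}` is also followed directly by `void sock_set_v6only`, so a blank `+` line is missing between the two definitions.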
@@ -1775,7 +1775,8 @@ dump_config(ServerOptions *o) } dump_cfg_string(sPermitTunnel, s); - printf("ipqos 0x%02x 0x%02x\n", o->ip_qos_interactive, o->ip_qos_bulk); + printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); + printf("%s\n", iptos2str(o->ip_qos_bulk)); channel_print_adm_permitted_opens(); } -- cgit v1.2.3 From 884b63a061dbaf750b6c95043358d6a6b87fdf7a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 May 2011 14:14:52 +1000 Subject: - djm@cvs.openbsd.org 2011/04/12 04:23:50 [ssh-keygen.c] fix -Wshadow --- ChangeLog | 3 +++ ssh-keygen.c | 20 ++++++++++---------- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index 695f4ed22..56bbe8062 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,9 @@ print ipqos friendly string for sshd -T; ok markus # sshd -Tf sshd_config|grep ipqos ipqos lowdelay throughput + - djm@cvs.openbsd.org 2011/04/12 04:23:50 + [ssh-keygen.c] + fix -Wshadow 20110221 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the diff --git a/ssh-keygen.c b/ssh-keygen.c index 90cffa055..b52fc39cf 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.208 2011/03/24 22:14:54 stevesk Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.209 2011/04/12 04:23:50 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -160,7 +160,7 @@ int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *); int prime_test(FILE *, FILE *, u_int32_t, u_int32_t); static void -type_bits_valid(int type, u_int32_t *bits) +type_bits_valid(int type, u_int32_t *bitsp) { u_int maxbits; 
@@ -168,25 +168,25 @@ type_bits_valid(int type, u_int32_t *bits) fprintf(stderr, "unknown key type %s\n", key_type_name); exit(1); } - if (*bits == 0) { + if (*bitsp == 0) { if (type == KEY_DSA) - *bits = DEFAULT_BITS_DSA; + *bitsp = DEFAULT_BITS_DSA; else if (type == KEY_ECDSA) - *bits = DEFAULT_BITS_ECDSA; + *bitsp = DEFAULT_BITS_ECDSA; else - *bits = DEFAULT_BITS; + *bitsp = DEFAULT_BITS; } maxbits = (type == KEY_DSA) ? OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; - if (*bits > maxbits) { + if (*bitsp > maxbits) { fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); exit(1); } - if (type == KEY_DSA && *bits != 1024) + if (type == KEY_DSA && *bitsp != 1024) fatal("DSA keys must be 1024 bits"); - else if (type != KEY_ECDSA && *bits < 768) + else if (type != KEY_ECDSA && *bitsp < 768) fatal("Key must at least be 768 bits"); - else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bits) == -1) + else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1) fatal("Invalid ECDSA key length - valid lengths are " "256, 384 or 521 bits"); } -- cgit v1.2.3 From 26b57ce6c24f243790e6b19659caf9a4e41a8afe Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 May 2011 14:15:09 +1000 Subject: - djm@cvs.openbsd.org 2011/04/12 05:32:49 [sshd.c] exit with 0 status on SIGTERM; bz#1879 --- ChangeLog | 3 +++ sshd.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 56bbe8062..fe3bf96db 100644 --- a/ChangeLog +++ b/ChangeLog @@ -46,6 +46,9 @@ - djm@cvs.openbsd.org 2011/04/12 04:23:50 [ssh-keygen.c] fix -Wshadow + - djm@cvs.openbsd.org 2011/04/12 05:32:49 + [sshd.c] + exit with 0 status on SIGTERM; bz#1879 20110221 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the diff --git a/sshd.c b/sshd.c index 8f65858c9..50d0dede4 100644 --- a/sshd.c +++ b/sshd.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.381 2011/01/11 06:13:10 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.382 2011/04/12 05:32:49 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1115,7 +1115,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) (int) received_sigterm); close_listen_socks(); unlink(options.pid_file); - exit(255); + exit(received_sigterm == SIGTERM ? 0 : 255); } if (key_used && key_do_regen) { generate_ephemeral_server_key(); -- cgit v1.2.3 From 085c90fa202a232ea0a9b1034f27070119833574 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 May 2011 14:15:33 +1000 Subject: - djm@cvs.openbsd.org 2011/04/13 04:02:48 [ssh-keygen.1] improve wording; bz#1861 --- ChangeLog | 3 +++ ssh-keygen.1 | 9 ++++----- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index fe3bf96db..2a83c16d5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -49,6 +49,9 @@ - djm@cvs.openbsd.org 2011/04/12 05:32:49 [sshd.c] exit with 0 status on SIGTERM; bz#1879 + - djm@cvs.openbsd.org 2011/04/13 04:02:48 + [ssh-keygen.1] + improve wording; bz#1861 20110221 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the diff --git a/ssh-keygen.1 b/ssh-keygen.1 index c9fec0403..51a152eef 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.104 2011/03/24 15:29:30 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.105 2011/04/13 04:02:48 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 24 2011 $ +.Dd $Mdocdate: April 13 2011 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME 
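Review bot: The new `exit(received_sigterm == SIGTERM ? 0 : 255);` encodes a policy (SIGTERM is a clean stop, any other signal is not) without a comment, and the log line just above it still reports only the signal number. A short why-comment would keep the bz#1879 rationale next to the code, e.g. `/* SIGTERM is the normal way to stop sshd, so exit 0; other signals still exit 255 */`. server_accept_loop() starts and ends outside the hunk.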
@@ -175,9 +175,8 @@ The passphrase can be changed later by using the option. .Pp There is no way to recover a lost passphrase. -If the passphrase is -lost or forgotten, a new key must be generated and copied to the -corresponding public key to other machines. +If the passphrase is lost or forgotten, a new key must be generated +and the corresponding public key copied to other machines. .Pp For RSA1 keys, there is also a comment field in the key file that is only for -- cgit v1.2.3 From ad21032e656aefcddb2cc52f014885026ba82d56 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 May 2011 14:15:54 +1000 Subject: - djm@cvs.openbsd.org 2011/04/13 04:09:37 [ssh-keygen.1] mention valid -b sizes for ECDSA keys; bz#1862 --- ChangeLog | 3 +++ ssh-keygen.1 | 8 +++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 2a83c16d5..f7602a1b2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -52,6 +52,9 @@ - djm@cvs.openbsd.org 2011/04/13 04:02:48 [ssh-keygen.1] improve wording; bz#1861 + - djm@cvs.openbsd.org 2011/04/13 04:09:37 + [ssh-keygen.1] + mention valid -b sizes for ECDSA keys; bz#1862 20110221 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 51a152eef..ede37921c 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.105 2011/04/13 04:02:48 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.106 2011/04/13 04:09:37 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -212,6 +212,12 @@ Specifies the number of bits in the key to create. For RSA keys, the minimum size is 768 bits and the default is 2048 bits. Generally, 2048 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. +For ECDSA keys, the +.Fl b +flag determines they key length by selecting from one of three elliptic +curve sizes: 256, 384 or 521 bits. +Attempting to use bit lengths other than these three values for ECDSA keys +will fail. .It Fl C Ar comment Provides a new comment. .It Fl c -- cgit v1.2.3 From 6c3eec7ab23d58157ded8a0e6283f93e45390d07 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 May 2011 14:16:22 +1000 Subject: - djm@cvs.openbsd.org 2011/04/17 22:42:42 [PROTOCOL.mux clientloop.c clientloop.h mux.c ssh.1 ssh.c] allow graceful shutdown of multiplexing: request that a mux server removes its listener socket and refuse future multiplexing requests; ok markus@ --- ChangeLog | 5 ++++ PROTOCOL.mux | 19 +++++++++++--- clientloop.c | 34 +++++++++++++++++------- clientloop.h | 4 ++- mux.c | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- ssh.1 | 6 +++-- ssh.c | 4 ++- 7 files changed, 140 insertions(+), 18 deletions(-) diff --git a/ChangeLog b/ChangeLog index f7602a1b2..ddee8e5dd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -55,6 +55,11 @@ - djm@cvs.openbsd.org 2011/04/13 04:09:37 [ssh-keygen.1] mention valid -b sizes for ECDSA keys; bz#1862 + - djm@cvs.openbsd.org 2011/04/17 22:42:42 + [PROTOCOL.mux clientloop.c clientloop.h mux.c ssh.1 ssh.c] + allow graceful shutdown of multiplexing: request that a mux server + removes its listener socket and refuse future multiplexing requests; + ok markus@ 20110221 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the diff --git a/PROTOCOL.mux b/PROTOCOL.mux index 2a5817bd7..05bb14690 100644 --- a/PROTOCOL.mux +++ b/PROTOCOL.mux 
@@ -149,10 +149,21 @@ The client then sends its standard input and output file descriptors The contents of "reserved" are currently ignored. -A server may reply with a MUX_S_SESSION_OPEED, a MUX_S_PERMISSION_DENIED +A server may reply with a MUX_S_SESSION_OPENED, a MUX_S_PERMISSION_DENIED or a MUX_S_FAILURE. -8. Status messages +8. Requesting shutdown of mux listener + +A client may request the master to stop accepting new multiplexing requests +and remove its listener socket. + + uint32 MUX_C_STOP_LISTENING + uint32 request id + +A server may reply with a MUX_S_OK, a MUX_S_PERMISSION_DENIED or a +MUX_S_FAILURE. + +9. Status messages The MUX_S_OK message is empty: @@ -178,6 +189,7 @@ The MUX_S_PERMISSION_DENIED and MUX_S_FAILURE include a reason: #define MUX_C_OPEN_FWD 0x10000006 #define MUX_C_CLOSE_FWD 0x10000007 #define MUX_C_NEW_STDIO_FWD 0x10000008 +#define MUX_C_STOP_LISTENING 0x10000009 #define MUX_S_OK 0x80000001 #define MUX_S_PERMISSION_DENIED 0x80000002 #define MUX_S_FAILURE 0x80000003 @@ -192,7 +204,6 @@ The MUX_S_PERMISSION_DENIED and MUX_S_FAILURE include a reason: XXX TODO XXX extended status (e.g. report open channels / forwards) -XXX graceful close (delete listening socket, but keep existing sessions active) XXX lock (maybe) XXX watch in/out traffic (pre/post crypto) XXX inject packet (what about replies) @@ -200,4 +211,4 @@ XXX server->client error/warning notifications XXX port0 rfwd (need custom response message) XXX send signals via mux -$OpenBSD: PROTOCOL.mux,v 1.4 2011/01/31 21:42:15 djm Exp $ +$OpenBSD: PROTOCOL.mux,v 1.5 2011/04/17 22:42:41 djm Exp $ diff --git a/clientloop.c b/clientloop.c index f6c1444a3..502dd982c 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.231 2011/01/16 12:05:59 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.232 2011/04/17 22:42:41 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -265,10 +265,10 @@ static void set_control_persist_exit_time(void) { if (muxserver_sock == -1 || !options.control_persist - || options.control_persist_timeout == 0) + || options.control_persist_timeout == 0) { /* not using a ControlPersist timeout */ control_persist_exit_time = 0; - else if (channel_still_open()) { + } else if (channel_still_open()) { /* some client connections are still open */ if (control_persist_exit_time > 0) debug2("%s: cancel scheduled exit", __func__); @@ -1419,14 +1419,17 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) if (compat20) { session_ident = ssh2_chan_id; - if (escape_char_arg != SSH_ESCAPECHAR_NONE) - channel_register_filter(session_ident, - client_simple_escape_filter, NULL, - client_filter_cleanup, - client_new_escape_filter_ctx(escape_char_arg)); - if (session_ident != -1) + if (session_ident != -1) { + if (escape_char_arg != SSH_ESCAPECHAR_NONE) { + channel_register_filter(session_ident, + client_simple_escape_filter, NULL, + client_filter_cleanup, + client_new_escape_filter_ctx( + escape_char_arg)); + } channel_register_cleanup(session_ident, client_channel_closed, 0); + } } else { /* Check if we should immediately send eof on stdin. */ client_check_initial_eof_on_stdin(); @@ -2122,6 +2125,19 @@ client_init_dispatch(void) client_init_dispatch_15(); } +void +client_stop_mux(void) +{ + if (options.control_path != NULL && muxserver_sock != -1) + unlink(options.control_path); + /* + * If we are in persist mode, signal that we should close when all + * active channels are closed. + */ + if (options.control_persist) + session_closed = 1; +} + /* client specific fatal cleanup */ void cleanup_exit(int i) diff --git a/clientloop.h b/clientloop.h index 52115db6e..37d072906 100644 --- a/clientloop.h +++ b/clientloop.h @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.h,v 1.25 2010/06/25 23:15:36 djm Exp $ */ +/* $OpenBSD: clientloop.h,v 1.26 2011/04/17 22:42:41 djm Exp $ */ /* * Author: Tatu Ylonen 
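Review bot: client_stop_mux() ignores the result of `unlink(options.control_path)`, so a control socket that cannot be removed (permissions, path already gone) leaves a stale path behind with nothing in the logs. The mux.c hunks in this commit report failures with strerror(errno), so `if (unlink(options.control_path) == -1 && errno != ENOENT) debug("%s: unlink %s: %s", __func__, options.control_path, strerror(errno));` matches the local convention. The function also has no header comment; one stating that it only removes the path and flags the session for shutdown, and that the caller is expected to have closed the listener channel itself, would make the split of responsibility with process_mux_stop_listening() in mux.c clear.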
@@ -45,6 +45,7 @@ void client_global_request_reply_fwd(int, u_int32_t, void *); void client_session2_setup(int, int, int, const char *, struct termios *, int, Buffer *, char **); int client_request_tun_fwd(int, int, int); +void client_stop_mux(void); /* Escape filter for protocol 2 sessions */ void *client_new_escape_filter_ctx(int); @@ -64,6 +65,7 @@ void client_register_global_confirm(global_confirm_cb *, void *); #define SSHMUX_COMMAND_TERMINATE 3 /* Ask master to exit */ #define SSHMUX_COMMAND_STDIO_FWD 4 /* Open stdio fwd (ssh -W) */ #define SSHMUX_COMMAND_FORWARD 5 /* Forward only, no command */ +#define SSHMUX_COMMAND_STOP 6 /* Disable mux but not conn */ void muxserver_listen(void); void muxclient(const char *); diff --git a/mux.c b/mux.c index e370462db..09468359f 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.24 2011/01/13 21:54:53 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.25 2011/04/17 22:42:41 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -146,6 +146,7 @@ struct mux_master_state { #define MUX_C_OPEN_FWD 0x10000006 #define MUX_C_CLOSE_FWD 0x10000007 #define MUX_C_NEW_STDIO_FWD 0x10000008 +#define MUX_C_STOP_LISTENING 0x10000009 #define MUX_S_OK 0x80000001 #define MUX_S_PERMISSION_DENIED 0x80000002 #define MUX_S_FAILURE 0x80000003 @@ -168,6 +169,7 @@ static int process_mux_terminate(u_int, Channel *, Buffer *, Buffer *); static int process_mux_open_fwd(u_int, Channel *, Buffer *, Buffer *); static int process_mux_close_fwd(u_int, Channel *, Buffer *, Buffer *); static int process_mux_stdio_fwd(u_int, Channel *, Buffer *, Buffer *); +static int process_mux_stop_listening(u_int, Channel *, Buffer *, Buffer *); static const struct { u_int type; @@ -180,6 +182,7 @@ static const struct { { MUX_C_OPEN_FWD, process_mux_open_fwd }, { MUX_C_CLOSE_FWD, process_mux_close_fwd }, { MUX_C_NEW_STDIO_FWD, process_mux_stdio_fwd }, + { MUX_C_STOP_LISTENING, process_mux_stop_listening }, { 0, NULL } }; 
@@ -915,6 +918,39 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) return 0; } +static int +process_mux_stop_listening(u_int rid, Channel *c, Buffer *m, Buffer *r) +{ + debug("%s: channel %d: stop listening", __func__, c->self); + + if (options.control_master == SSHCTL_MASTER_ASK || + options.control_master == SSHCTL_MASTER_AUTO_ASK) { + if (!ask_permission("Disable further multiplexing on shared " + "connection to %s? ", host)) { + debug2("%s: stop listen refused by user", __func__); + buffer_put_int(r, MUX_S_PERMISSION_DENIED); + buffer_put_int(r, rid); + buffer_put_cstring(r, "Permission denied"); + return 0; + } + } + + if (mux_listener_channel != NULL) { + channel_free(mux_listener_channel); + client_stop_mux(); + xfree(options.control_path); + options.control_path = NULL; + mux_listener_channel = NULL; + muxserver_sock = -1; + } + + /* prepare reply */ + buffer_put_int(r, MUX_S_OK); + buffer_put_int(r, rid); + + return 0; +} + /* Channel callbacks fired on read/write from mux slave fd */ static int mux_master_read_cb(Channel *c) 
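Review bot: The `if (mux_listener_channel != NULL)` block in process_mux_stop_listening() does several order-dependent things with no comment: the listener channel is freed before client_stop_mux() unlinks the path, and `options.control_path` is freed only after client_stop_mux() has read it. A comment above the block, e.g. `/* Close the listener first so nothing is accepted after the path is gone; client_stop_mux() still needs control_path, so free it last. */`, would keep a future reordering from breaking it. The function also replies MUX_S_OK when there is no listener (a repeated stop request), which is reasonable idempotent behaviour but is not stated in the new PROTOCOL.mux section 8; a one-line note in either place would pin it. I am assuming channel_free() closes the listening descriptor, since `muxserver_sock = -1` is set here without a close(); worth confirming.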
@@ -1813,6 +1849,50 @@ mux_client_request_stdio_fwd(int fd) fatal("%s: master returned unexpected message %u", __func__, type); } +static void +mux_client_request_stop_listening(int fd) +{ + Buffer m; + char *e; + u_int type, rid; + + debug3("%s: entering", __func__); + + buffer_init(&m); + buffer_put_int(&m, MUX_C_STOP_LISTENING); + buffer_put_int(&m, muxclient_request_id); + + if (mux_client_write_packet(fd, &m) != 0) + fatal("%s: write packet: %s", __func__, strerror(errno)); + + buffer_clear(&m); + + /* Read their reply */ + if (mux_client_read_packet(fd, &m) != 0) + fatal("%s: read from master failed: %s", + __func__, strerror(errno)); + + type = buffer_get_int(&m); + if ((rid = buffer_get_int(&m)) != muxclient_request_id) + fatal("%s: out of sequence reply: my id %u theirs %u", + __func__, muxclient_request_id, rid); + switch (type) { + case MUX_S_OK: + break; + case MUX_S_PERMISSION_DENIED: + e = buffer_get_string(&m, NULL); + fatal("Master refused stop listening request: %s", e); + case MUX_S_FAILURE: + e = buffer_get_string(&m, NULL); + fatal("%s: stop listening request failed: %s", __func__, e); + default: + fatal("%s: unexpected response from master 0x%08x", + __func__, type); + } + buffer_free(&m); + muxclient_request_id++; +} + /* Multiplex client main loop. */ void muxclient(const char *path) @@ -1906,6 +1986,10 @@ muxclient(const char *path) case SSHMUX_COMMAND_STDIO_FWD: mux_client_request_stdio_fwd(sock); exit(0); + case SSHMUX_COMMAND_STOP: + mux_client_request_stop_listening(sock); + fprintf(stderr, "Stop listening request sent.\r\n"); + exit(0); default: fatal("unrecognised muxclient_command %d", muxclient_command); } diff --git a/ssh.1 b/ssh.1 index e3a42b5ad..1b0bcb781 100644 --- a/ssh.1 +++ b/ssh.1 
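Review bot: In mux_client_request_stop_listening() the `case MUX_S_PERMISSION_DENIED:` arm ends in fatal() with no break, so it reads as a fallthrough into `case MUX_S_FAILURE:` and is correct only because fatal() never returns. The OpenBSD convention is to mark that with `/* NOTREACHED */` after each such fatal() call, and the sibling request functions above this one (outside the hunk) presumably follow the same pattern. A one-line header comment, e.g. `/* Ask the master to stop accepting new mux clients; fatal() on refusal or failure. */`, would also match the documentation level of the rest of this file.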
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.316 2010/11/18 15:01:00 jmc Exp $ -.Dd $Mdocdate: November 18 2010 $ +.\" $OpenBSD: ssh.1,v 1.317 2011/04/17 22:42:41 djm Exp $ +.Dd $Mdocdate: April 17 2011 $ .Dt SSH 1 .Os .Sh NAME @@ -395,6 +395,8 @@ Valid commands are: (request forwardings without command execution) and .Dq exit (request the master to exit). +.Dq stop +(request the master to stop accepting further multiplexing requests). .It Fl o Ar option Can be used to give options in the format used in the configuration file. This is useful for specifying options for which there is no separate diff --git a/ssh.c b/ssh.c index b543c6117..4fd131c20 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.356 2011/01/06 22:23:53 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.357 2011/04/17 22:42:42 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -345,6 +345,8 @@ main(int ac, char **av) muxclient_command = SSHMUX_COMMAND_FORWARD; else if (strcmp(optarg, "exit") == 0) muxclient_command = SSHMUX_COMMAND_TERMINATE; + else if (strcmp(optarg, "stop") == 0) + muxclient_command = SSHMUX_COMMAND_STOP; else fatal("Invalid multiplex command."); break; -- cgit v1.2.3 From 8cb1cda1e3a24c6f73b96822f36762c1c80ae147 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 May 2011 14:16:56 +1000 Subject: - djm@cvs.openbsd.org 2011/04/18 00:46:05 [ssh-keygen.c] certificate options are supposed to be packed in lexical order of option name (though we don't actually enforce this at present). Move one up that was out of sequence --- ChangeLog | 5 +++++ ssh.1 | 8 ++++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index ddee8e5dd..7cc6a2345 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -60,6 +60,11 @@ allow graceful shutdown of multiplexing: request that a mux server removes its listener socket and refuse future multiplexing requests; ok markus@ + - djm@cvs.openbsd.org 2011/04/18 00:46:05 + [ssh-keygen.c] + certificate options are supposed to be packed in lexical order of + option name (though we don't actually enforce this at present). + Move one up that was out of sequence 20110221 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the diff --git a/ssh.1 b/ssh.1 index 1b0bcb781..a51742f5a 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.317 2011/04/17 22:42:41 djm Exp $ -.Dd $Mdocdate: April 17 2011 $ +.\" $OpenBSD: ssh.1,v 1.318 2011/04/18 00:21:11 jmc Exp $ +.Dd $Mdocdate: April 18 2011 $ .Dt SSH 1 .Os .Sh NAME @@ -392,9 +392,9 @@ Valid commands are: .Dq check (check that the master process is running), .Dq forward -(request forwardings without command execution) and +(request forwardings without command execution), .Dq exit -(request the master to exit). +(request the master to exit), and .Dq stop (request the master to stop accepting further multiplexing requests). .It Fl o Ar option -- cgit v1.2.3 From 2ce12ef1ac96c47b386168459cf7264fdc6faf95 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 May 2011 14:17:18 +1000 Subject: - djm@cvs.openbsd.org 2011/05/04 21:15:29 [authfile.c authfile.h ssh-add.c] allow "ssh-add - < key"; feedback and ok markus@ --- ChangeLog | 3 ++ authfile.c | 100 ++++++++++++++++++++++++++++++++++++++--------------------- authfile.h | 4 ++- ssh-add.c | 33 +++++++++++++++----- ssh-keygen.c | 8 ++--- 5 files changed, 99 insertions(+), 49 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7cc6a2345..6a324c716 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -65,6 +65,9 @@ certificate options are supposed to be packed in lexical order of option name (though we don't actually enforce this at present). Move one up that was out of sequence + - djm@cvs.openbsd.org 2011/05/04 21:15:29 + [authfile.c authfile.h ssh-add.c] + allow "ssh-add - < key"; feedback and ok markus@ 20110221 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the diff --git a/authfile.c b/authfile.c index a49850c89..608d1d06f 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.87 2010/11/29 18:57:04 markus Exp $ */ +/* $OpenBSD: authfile.c,v 1.88 2011/05/04 21:15:29 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -69,6 +69,8 @@ #include "misc.h" #include "atomicio.h" +#define MAX_KEY_FILE_SIZE (1024 * 1024) + /* Version identification string for SSH v1 identity files. */ static const char authfile_id_string[] = "SSH PRIVATE KEY FILE FORMAT 1.1\n"; @@ -312,12 +314,12 @@ key_parse_public_rsa1(Buffer *blob, char **commentp) return pub; } -/* Load the contents of a key file into a buffer */ -static int +/* Load a key from a fd into a buffer */ +int key_load_file(int fd, const char *filename, Buffer *blob) { + u_char buf[1024]; size_t len; - u_char *cp; struct stat st; if (fstat(fd, &st) < 0) { 
@@ -325,30 +327,45 @@ key_load_file(int fd, const char *filename, Buffer *blob) filename == NULL ? "" : filename, filename == NULL ? "" : " ", strerror(errno)); - close(fd); return 0; } - if (st.st_size > 1*1024*1024) { + if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 && + st.st_size > MAX_KEY_FILE_SIZE) { + toobig: error("%s: key file %.200s%stoo large", __func__, filename == NULL ? "" : filename, filename == NULL ? "" : " "); - close(fd); return 0; } - len = (size_t)st.st_size; /* truncated */ - buffer_init(blob); - cp = buffer_append_space(blob, len); - - if (atomicio(read, fd, cp, len) != len) { - debug("%s: read from key file %.200s%sfailed: %.100s", __func__, - filename == NULL ? "" : filename, - filename == NULL ? "" : " ", - strerror(errno)); + for (;;) { + if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) { + if (errno == EPIPE) + break; + debug("%s: read from key file %.200s%sfailed: %.100s", + __func__, filename == NULL ? "" : filename, + filename == NULL ? "" : " ", strerror(errno)); + buffer_clear(blob); + bzero(buf, sizeof(buf)); + return 0; + } + buffer_append(blob, buf, len); + if (buffer_len(blob) > MAX_KEY_FILE_SIZE) { + buffer_clear(blob); + bzero(buf, sizeof(buf)); + goto toobig; + } + } + bzero(buf, sizeof(buf)); + if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 && + st.st_size != buffer_len(blob)) { + debug("%s: key file %.200s%schanged size while reading", + __func__, filename == NULL ? "" : filename, + filename == NULL ? "" : " "); buffer_clear(blob); - close(fd); return 0; } + return 1; } 
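Review bot: The guard `(st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0` is almost certainly never true for a real inode: on the usual POSIX encoding S_IFSOCK|S_IFCHR|S_IFIFO equals S_IFMT, so the expression keeps the whole file-type field and is non-zero for regular files as well. As written, the up-front `st.st_size > MAX_KEY_FILE_SIZE` rejection and the `st.st_size != buffer_len(blob)` changed-size check are both dead, and only the in-loop `buffer_len(blob) > MAX_KEY_FILE_SIZE` clamp bounds the read, so an oversized regular file is read up to the limit before being refused rather than rejected by fstat(). Use the type macros instead, `if (S_ISREG(st.st_mode) && st.st_size > MAX_KEY_FILE_SIZE) {` and `if (S_ISREG(st.st_mode) && st.st_size != buffer_len(blob)) {` (or the three !S_ISSOCK()/!S_ISCHR()/!S_ISFIFO() tests if the looser intent is wanted), and add a comment that the loop relies on atomicio() setting errno to EPIPE at end-of-file, since nothing here says so. The `toobig:` label sits inside the `if` body and is entered by goto from the loop, which is legal but hard to read; a comment on the label explaining the shared error path would help. key_load_file() starts in the previous hunk on L93, outside this one.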
@@ -669,12 +686,39 @@ key_load_private_type(int type, const char *filename, const char *passphrase, return ret; } +Key * +key_parse_private(Buffer *buffer, const char *filename, + const char *passphrase, char **commentp) +{ + Key *pub, *prv; + Buffer pubcopy; + + buffer_init(&pubcopy); + buffer_append(&pubcopy, buffer_ptr(buffer), buffer_len(buffer)); + /* it's a SSH v1 key if the public key part is readable */ + pub = key_parse_public_rsa1(&pubcopy, commentp); + buffer_free(&pubcopy); + if (pub == NULL) { + prv = key_parse_private_type(buffer, KEY_UNSPEC, + passphrase, NULL); + /* use the filename as a comment for PEM */ + if (commentp && prv) + *commentp = xstrdup(filename); + } else { + key_free(pub); + /* key_parse_public_rsa1() has already loaded the comment */ + prv = key_parse_private_type(buffer, KEY_RSA1, passphrase, + NULL); + } + return prv; +} + Key * key_load_private(const char *filename, const char *passphrase, char **commentp) { - Key *pub, *prv; - Buffer buffer, pubcopy; + Key *prv; + Buffer buffer; int fd; fd = open(filename, O_RDONLY); @@ -697,23 +741,7 @@ key_load_private(const char *filename, const char *passphrase, } close(fd); - buffer_init(&pubcopy); - buffer_append(&pubcopy, buffer_ptr(&buffer), buffer_len(&buffer)); - /* it's a SSH v1 key if the public key part is readable */ - pub = key_parse_public_rsa1(&pubcopy, commentp); - buffer_free(&pubcopy); - if (pub == NULL) { - prv = key_parse_private_type(&buffer, KEY_UNSPEC, - passphrase, NULL); - /* use the filename as a comment for PEM */ - if (commentp && prv) - *commentp = xstrdup(filename); - } else { - key_free(pub); - /* key_parse_public_rsa1() has already loaded the comment */ - prv = key_parse_private_type(&buffer, KEY_RSA1, passphrase, - NULL); - } + prv = key_parse_private(&buffer, filename, passphrase, commentp); buffer_free(&buffer); return prv; } diff --git a/authfile.h b/authfile.h index 6745dc062..78349beb5 100644 --- a/authfile.h +++ b/authfile.h 
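Review bot: key_parse_private() is now called repeatedly on the same buffer by add_file() in ssh-add.c (L97), once per passphrase attempt, so its contract has to be that `buffer` is left intact; the function copies only the public part into `pubcopy` and passes `buffer` itself to key_parse_private_type(), and nothing states that the latter does not consume it. Add that to a header comment, e.g. `/* Parse a private key from a buffer. The buffer is not consumed and may be passed again with another passphrase; on success *commentp (if non-NULL) receives a comment the caller must free. */`, and confirm that key_parse_private_type() (outside this hunk) really leaves the buffer untouched. `filename` is used here only as the fallback comment, so it is fine that ssh-add passes a placeholder such as "(stdin)".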
@@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.h,v 1.15 2010/08/04 05:42:47 djm Exp $ */ +/* $OpenBSD: authfile.h,v 1.16 2011/05/04 21:15:29 djm Exp $ */ /* * Author: Tatu Ylonen @@ -16,9 +16,11 @@ #define AUTHFILE_H int key_save_private(Key *, const char *, const char *, const char *); +int key_load_file(int, const char *, Buffer *); Key *key_load_cert(const char *); Key *key_load_public(const char *, char **); Key *key_load_public_type(int, const char *, char **); +Key *key_parse_private(Buffer *, const char *, const char *, char **); Key *key_load_private(const char *, const char *, char **); Key *key_load_private_cert(int, const char *, const char *, int *); Key *key_load_private_type(int, const char *, const char *, char **, int *); diff --git a/ssh-add.c b/ssh-add.c index 94b68ac18..6d5e2a957 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.100 2010/08/31 12:33:38 djm Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.101 2011/05/04 21:15:29 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -145,8 +145,12 @@ add_file(AuthenticationConnection *ac, const char *filename) char *comment = NULL; char msg[1024], *certpath; int fd, perms_ok, ret = -1; + Buffer keyblob; - if ((fd = open(filename, O_RDONLY)) < 0) { + if (strcmp(filename, "-") == 0) { + fd = STDIN_FILENO; + filename = "(stdin)"; + } else if ((fd = open(filename, O_RDONLY)) < 0) { perror(filename); return -1; } 
@@ -155,18 +159,28 @@ add_file(AuthenticationConnection *ac, const char *filename) * Since we'll try to load a keyfile multiple times, permission errors * will occur multiple times, so check perms first and bail if wrong. */ - perms_ok = key_perm_ok(fd, filename); - close(fd); - if (!perms_ok) + if (fd != STDIN_FILENO) { + perms_ok = key_perm_ok(fd, filename); + if (!perms_ok) { + close(fd); + return -1; + } + } + buffer_init(&keyblob); + if (!key_load_file(fd, filename, &keyblob)) { + buffer_free(&keyblob); + close(fd); return -1; + } + close(fd); /* At first, try empty passphrase */ - private = key_load_private(filename, "", &comment); + private = key_parse_private(&keyblob, filename, "", &comment); if (comment == NULL) comment = xstrdup(filename); /* try last */ if (private == NULL && pass != NULL) - private = key_load_private(filename, pass, NULL); + private = key_parse_private(&keyblob, filename, pass, NULL); if (private == NULL) { /* clear passphrase since it did not work */ clear_pass(); @@ -177,9 +191,11 @@ add_file(AuthenticationConnection *ac, const char *filename) if (strcmp(pass, "") == 0) { clear_pass(); xfree(comment); + buffer_free(&keyblob); return -1; } - private = key_load_private(filename, pass, &comment); + private = key_parse_private(&keyblob, filename, pass, + &comment); if (private != NULL) break; clear_pass(); @@ -187,6 +203,7 @@ add_file(AuthenticationConnection *ac, const char *filename) "Bad passphrase, try again for %.200s: ", comment); } } + buffer_free(&keyblob); if (ssh_add_identity_constrained(ac, private, comment, lifetime, confirm)) { diff --git a/ssh-keygen.c b/ssh-keygen.c index b52fc39cf..49e4eee10 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.209 2011/04/12 04:23:50 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.210 2011/04/18 00:46:05 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland 
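Review bot: In the first hunk the `close(fd)` after key_load_file() now also closes STDIN_FILENO when the key was given as `-`; fd 0 is then free to be reused by the next open() in the process, and any later passphrase prompt that is allowed to fall back to stdin when no tty is present (the read_passphrase() flags are outside the hunk) cannot work. I would guard it: `if (fd != STDIN_FILENO) close(fd);`. The same `keyblob` is handed to key_parse_private() up to three times with different passphrases, which is only correct if the parser does not consume the buffer; a comment above the first call, e.g. `/* key_parse_private() leaves keyblob intact, so it can be retried */`, would make that assumption explicit. add_file() continues past the last hunk.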
@@ -1453,6 +1453,9 @@ prepare_options_buf(Buffer *c, int which) if ((which & OPTIONS_CRITICAL) != 0 && certflags_command != NULL) add_string_option(c, "force-command", certflags_command); + if ((which & OPTIONS_EXTENSIONS) != 0 && + (certflags_flags & CERTOPT_X_FWD) != 0) + add_flag_option(c, "permit-X11-forwarding"); if ((which & OPTIONS_EXTENSIONS) != 0 && (certflags_flags & CERTOPT_AGENT_FWD) != 0) add_flag_option(c, "permit-agent-forwarding"); @@ -1465,9 +1468,6 @@ prepare_options_buf(Buffer *c, int which) if ((which & OPTIONS_EXTENSIONS) != 0 && (certflags_flags & CERTOPT_USER_RC) != 0) add_flag_option(c, "permit-user-rc"); - if ((which & OPTIONS_EXTENSIONS) != 0 && - (certflags_flags & CERTOPT_X_FWD) != 0) - add_flag_option(c, "permit-X11-forwarding"); if ((which & OPTIONS_CRITICAL) != 0 && certflags_src_addr != NULL) add_string_option(c, "source-address", certflags_src_addr); -- cgit v1.2.3 From 19d8181b86f90d638dc1dfd0f5722903bf945d5b Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Wed, 4 May 2011 21:44:25 -0700 Subject: - (tim) [configure.ac] Add AC_LANG_SOURCE to OPENSSH_CHECK_CFLAG_COMPILE so autoreconf 2.68 is happy. --- ChangeLog | 2 ++ configure.ac | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6a324c716..1e42553ec 100644 --- a/ChangeLog +++ b/ChangeLog @@ -68,6 +68,8 @@ - djm@cvs.openbsd.org 2011/05/04 21:15:29 [authfile.c authfile.h ssh-add.c] allow "ssh-add - < key"; feedback and ok markus@ + - (tim) [configure.ac] Add AC_LANG_SOURCE to OPENSSH_CHECK_CFLAG_COMPILE + so autoreconf 2.68 is happy. 20110221 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the diff --git a/configure.ac b/configure.ac index 573c09710..5357cab60 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.472 2011/05/05 03:48:37 djm Exp $ +# $Id: configure.ac,v 1.473 2011/05/05 04:44:25 tim Exp $ # # Copyright (c) 1999-2004 Damien Miller # 
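Review bot: The reorder in prepare_options_buf() moves "permit-X11-forwarding" ahead of "permit-agent-forwarding" without saying why; presumably certificate options must be encoded in lexical byte order and ASCII 'X' sorts before 'a'. Without a comment the next person to add an extension is likely to append it at the end and reintroduce the problem. I would add above the first extension: `/* Options must be emitted in lexical (byte) order; see PROTOCOL.certkeys */`. prepare_options_buf() starts and ends outside the hunk.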
@@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.472 $) +AC_REVISION($Revision: 1.473 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -24,7 +24,7 @@ AC_DEFUN([OPENSSH_CHECK_CFLAG_COMPILE], [{ AC_MSG_CHECKING([if $CC supports $1]) saved_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS $1" - AC_COMPILE_IFELSE([void main(void) { return 0; }], + AC_COMPILE_IFELSE([AC_LANG_SOURCE([[void main(void) { return 0; }]])], [ AC_MSG_RESULT([yes]) ], [ AC_MSG_RESULT([no]) CFLAGS="$saved_CFLAGS" ] -- cgit v1.2.3 From 9abb697d4fd4fffe7961db0bebb133aacf69a759 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Wed, 4 May 2011 23:06:59 -0700 Subject: - (tim) [defines.h] Deal with platforms that do not have S_IFSOCK ok djm@ --- ChangeLog | 1 + defines.h | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 1e42553ec..e7f49ea7d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -70,6 +70,7 @@ allow "ssh-add - < key"; feedback and ok markus@ - (tim) [configure.ac] Add AC_LANG_SOURCE to OPENSSH_CHECK_CFLAG_COMPILE so autoreconf 2.68 is happy. + - (tim) [defines.h] Deal with platforms that do not have S_IFSOCK ok djm@ 20110221 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the diff --git a/defines.h b/defines.h index b67cf467d..a435de76e 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.165 2011/05/05 01:19:15 djm Exp $ */ +/* $Id: defines.h,v 1.166 2011/05/05 06:06:59 tim Exp $ */ /* Constants */ @@ -131,6 +131,10 @@ enum # define O_NONBLOCK 00004 /* Non Blocking Open */ #endif +#ifndef S_IFSOCK +# define S_IFSOCK 0 +#endif /* S_IFSOCK */ + #ifndef S_ISDIR # define S_ISDIR(mode) (((mode) & (_S_IFMT)) == (_S_IFDIR)) #endif /* S_ISDIR */ -- cgit v1.2.3 From 343f75fa1968a84747f808c02bc81fc6c4f51b07 Mon Sep 17 00:00:00 2001 
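Review bot: Defining `S_IFSOCK` as 0 in defines.h makes any test of the form `(mode & S_IFMT) == S_IFSOCK` true for a mode with no file-type bits set rather than never true, so on the affected platforms a zero-typed st_mode would be reported as a socket. If the only consumers are `switch` statements over the S_IF* values where that fallback is harmless, the definition should say so: `/* placeholder so code naming S_IFSOCK compiles on platforms without it; never matches a real file type */`. If a bit pattern that cannot collide with any other S_IF* value on those platforms is available, it would be the safer choice.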
From: Darren Tucker Date: Fri, 6 May 2011 10:43:50 +1000 Subject: - (dtucker) [openbsd-compat/regress/closefromtest.c] Bug #1875: add prototype for closefrom() in test code. Report from Dan Wallis via Gentoo. --- ChangeLog | 4 ++++ openbsd-compat/regress/closefromtest.c | 2 ++ 2 files changed, 6 insertions(+) diff --git a/ChangeLog b/ChangeLog index e7f49ea7d..9053a55ae 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20110506 + - (dtucker) [openbsd-compat/regress/closefromtest.c] Bug #1875: add prototype + for closefrom() in test code. Report from Dan Wallis via Gentoo. + 20110505 - (djm) [defines.h] Move up include of netinet/ip.h for IPTOS definitions. From des AT des.no diff --git a/openbsd-compat/regress/closefromtest.c b/openbsd-compat/regress/closefromtest.c index 145b09d7b..82ffeb9a7 100644 --- a/openbsd-compat/regress/closefromtest.c +++ b/openbsd-compat/regress/closefromtest.c @@ -24,6 +24,8 @@ #define NUM_OPENS 10 +int closefrom(int); + void fail(char *msg) { -- cgit v1.2.3 From d6548fe4cf3bcfe4e473a452757f1e307bf0eaf1 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 10 May 2011 11:13:36 +1000 Subject: - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix --with-ssl-engine which was broken with the change from deprecated SSLeay_add_all_algorithms(). ok djm --- ChangeLog | 5 +++++ openbsd-compat/openssl-compat.c | 6 +++--- openbsd-compat/openssl-compat.h | 10 +++++----- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9053a55ae..680e96a8b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20110510 + - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix + --with-ssl-engine which was broken with the change from deprecated + SSLeay_add_all_algorithms(). ok djm + 20110506 - (dtucker) [openbsd-compat/regress/closefromtest.c] Bug #1875: add prototype for closefrom() in test code. Report from Dan Wallis via Gentoo. 
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c index b617fdf19..5189cab61 100644 --- a/openbsd-compat/openssl-compat.c +++ b/openbsd-compat/openssl-compat.c @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.c,v 1.13 2011/01/21 22:37:06 dtucker Exp $ */ +/* $Id: openssl-compat.c,v 1.14 2011/05/10 01:13:38 dtucker Exp $ */ /* * Copyright (c) 2005 Darren Tucker @@ -134,9 +134,9 @@ RSA_get_default_method(void) #ifdef USE_OPENSSL_ENGINE void -ssh_SSLeay_add_all_algorithms(void) +ssh_OpenSSL_add_all_algorithms(void) { - SSLeay_add_all_algorithms(); + OpenSSL_add_all_algorithms(); /* Enable use of crypto hardware */ ENGINE_load_builtin_engines(); diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index 6d4f3f215..c5fc24eb4 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.h,v 1.18 2011/01/21 22:37:06 dtucker Exp $ */ +/* $Id: openssl-compat.h,v 1.19 2011/05/10 01:13:38 dtucker Exp $ */ /* * Copyright (c) 2005 Darren Tucker @@ -106,10 +106,10 @@ RSA_METHOD *RSA_get_default_method(void); # endif # ifdef USE_OPENSSL_ENGINE -# ifdef SSLeay_add_all_algorithms -# undef SSLeay_add_all_algorithms +# ifdef OpenSSL_add_all_algorithms +# undef OpenSSL_add_all_algorithms # endif -# define SSLeay_add_all_algorithms() ssh_SSLeay_add_all_algorithms() +# define OpenSSL_add_all_algorithms() ssh_OpenSSL_add_all_algorithms() # endif # ifndef HAVE_BN_IS_PRIME_EX @@ -129,6 +129,6 @@ int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *, unsigned char *, int); int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int); int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *); -void ssh_SSLeay_add_all_algorithms(void); +void ssh_OpenSSL_add_all_algorithms(void); #endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */ -- cgit v1.2.3 From 60432d8cf250e2176f50fd486342612a822d70e3 Mon Sep 17 00:00:00 2001 
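Review bot: ssh_OpenSSL_add_all_algorithms() calls `OpenSSL_add_all_algorithms()`, the very name the header redefines to this wrapper in the block closed by `#endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */`; that is only non-recursive if openssl-compat.c is compiled with SSH_DONT_OVERLOAD_OPENSSL_FUNCS defined before it includes the header, which the hunk does not show. A one-line comment in the wrapper, `/* real OpenSSL call: this file is built with SSH_DONT_OVERLOAD_OPENSSL_FUNCS */`, would record that dependency for the next rename. Note that OpenSSL itself defines OpenSSL_add_all_algorithms as a macro (selecting the _conf/_noconf variant), which is what the `#ifdef`/`#undef` pair is handling — worth a short comment next to the `#undef`.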
From: Damien Miller Date: Sun, 15 May 2011 08:34:46 +1000 Subject: - djm@cvs.openbsd.org 2011/05/05 05:12:08 [mux.c] gracefully fall back when ControlPath is too large for a sockaddr_un. ok markus@ as part of a larger diff --- ChangeLog | 7 +++++++ mux.c | 16 ++++++++++------ 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 680e96a8b..d3b12b425 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20110515 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2011/05/05 05:12:08 + [mux.c] + gracefully fall back when ControlPath is too large for a + sockaddr_un. ok markus@ as part of a larger diff + 20110510 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix --with-ssl-engine which was broken with the change from deprecated diff --git a/mux.c b/mux.c index 09468359f..fb24c0f97 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.25 2011/04/17 22:42:41 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.26 2011/05/05 05:12:08 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * 
@@ -1095,21 +1095,25 @@ muxserver_listen(void) strlen(options.control_path) + 1; if (strlcpy(addr.sun_path, options.control_path, - sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) - fatal("ControlPath too long"); + sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { + error("ControlPath \"%s\" too long for Unix domain socket", + options.control_path); + goto disable_mux_master; + } if ((muxserver_sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) fatal("%s socket(): %s", __func__, strerror(errno)); old_umask = umask(0177); if (bind(muxserver_sock, (struct sockaddr *)&addr, sun_len) == -1) { - muxserver_sock = -1; if (errno == EINVAL || errno == EADDRINUSE) { error("ControlSocket %s already exists, " "disabling multiplexing", options.control_path); disable_mux_master: - close(muxserver_sock); - muxserver_sock = -1; + if (muxserver_sock != -1) { + close(muxserver_sock); + muxserver_sock = -1; + } xfree(options.control_path); options.control_path = NULL; options.control_master = SSHCTL_MASTER_NO; -- cgit v1.2.3 From fd53abd00bf1708c401f3de3d62e9d8ca635e4d3 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 15 May 2011 08:36:02 +1000 Subject: - dtucker@cvs.openbsd.org 2011/05/06 01:03:35 [sshd_config] clarify language about overriding defaults. bz#1892, from Petr Cerny --- ChangeLog | 3 +++ sshd_config | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index d3b12b425..5201e5a2e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,9 @@ [mux.c] gracefully fall back when ControlPath is too large for a sockaddr_un. ok markus@ as part of a larger diff + - dtucker@cvs.openbsd.org 2011/05/06 01:03:35 + [sshd_config] + clarify language about overriding defaults. bz#1892, from Petr Cerny 20110510 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix diff --git a/sshd_config b/sshd_config index 4534841c1..9b0d9fa20 100644 --- a/sshd_config +++ b/sshd_config 
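Review bot: The new `goto disable_mux_master` jumps from the ControlPath length check into the body of the `if (bind(...) == -1)` branch, and the `if (muxserver_sock != -1)` guard at the label is only correct if muxserver_sock is initialised to -1 at file scope before socket() is reached, which the hunk does not show. I would mark the label so the jump-in is not mistaken for a bug: `disable_mux_master: /* also reached from the ControlPath length check above, before socket() */`. Since umask(0177) has not been applied on that path, the code after the label must not restore `old_umask`; the rest of muxserver_listen() is outside the hunk, so please confirm the label path returns before `umask(old_umask)`.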
@@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $ +# $OpenBSD: sshd_config,v 1.83 2011/05/06 01:03:35 dtucker Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -7,7 +7,7 @@ # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a +# possible, but leave them commented. Uncommented options override the # default value. #Port 22 -- cgit v1.2.3 From 58a77e2eac23f22708002e00a57af1b9cbec282f Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 15 May 2011 08:36:29 +1000 Subject: - djm@cvs.openbsd.org 2011/05/06 01:09:53 [sftp.1] mention that IPv6 addresses must be enclosed in square brackets; bz#1845 --- ChangeLog | 4 ++++ sftp.1 | 8 ++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5201e5a2e..440b06e54 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,10 @@ - dtucker@cvs.openbsd.org 2011/05/06 01:03:35 [sshd_config] clarify language about overriding defaults. bz#1892, from Petr Cerny + - djm@cvs.openbsd.org 2011/05/06 01:09:53 + [sftp.1] + mention that IPv6 addresses must be enclosed in square brackets; + bz#1845 20110510 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix diff --git a/sftp.1 b/sftp.1 index 89b5d3544..3b6ee3890 100644 --- a/sftp.1 +++ b/sftp.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.88 2010/12/04 00:18:01 djm Exp $ +.\" $OpenBSD: sftp.1,v 1.89 2011/05/06 01:09:53 djm Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 4 2010 $ +.Dd $Mdocdate: May 6 2011 $ .Dt SFTP 1 .Os .Sh NAME 
@@ -89,6 +89,10 @@ to obviate the need to enter a password at connection time (see and .Xr ssh-keygen 1 for details). +.Pp +Since some usage formats use colon characters to delimit host names from path +names, IPv6 addresses must be enclosed in square brackets to avoid ambiguity. +.Pp The options are as follows: .Bl -tag -width Ds .It Fl 1 -- cgit v1.2.3 From 78c40c321bd4168bb2a17230f242d6aea684692a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 15 May 2011 08:36:59 +1000 Subject: - djm@cvs.openbsd.org 2011/05/06 02:05:41 [sshconnect2.c] fix memory leak; bz#1849 ok dtucker@ --- ChangeLog | 3 +++ sshconnect2.c | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 440b06e54..8541eb33a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,9 @@ [sftp.1] mention that IPv6 addresses must be enclosed in square brackets; bz#1845 + - djm@cvs.openbsd.org 2011/05/06 02:05:41 + [sshconnect2.c] + fix memory leak; bz#1849 ok dtucker@ 20110510 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix diff --git a/sshconnect2.c b/sshconnect2.c index 3cb9b101c..673bf1a4f 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.186 2010/11/29 23:45:51 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.187 2011/05/06 02:05:41 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -1888,9 +1888,12 @@ authmethod_get(char *authlist) authmethod_is_enabled(current)) { debug3("authmethod_is_enabled %s", name); debug("Next authentication method: %s", name); + xfree(name); return current; } } + if (name != NULL) + xfree(name); } static char * -- cgit v1.2.3 From d2ac5d74b4dd51d8e28615ea7af1ab5372a3db2b Mon Sep 17 00:00:00 2001 
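Review bot: The trailing `if (name != NULL) xfree(name);` in authmethod_get() is only reachable if the enclosing loop can exit by falling through; if that loop is an unconditional `for (;;)` whose only exits are the returns inside it (its head is outside the hunk), the new lines are dead code and the bz#1849 leak is only partly closed, because an iteration where authmethod_lookup() fails or the method is disabled still drops `name` when the next iteration reassigns it. Freeing `name` at the top of the loop body, or right after the lookup fails, covers that path. If xfree() aborts on NULL, as the guard suggests, a comment saying so, e.g. `/* xfree() fatal()s on NULL */`, would explain the check.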
From: Damien Miller Date: Sun, 15 May 2011 08:43:13 +1000 Subject: - djm@cvs.openbsd.org 2011/05/06 21:14:05 [packet.c packet.h] set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@ --- ChangeLog | 5 +++++ packet.c | 44 ++++++++++++++++++++++++++++---------------- packet.h | 3 +-- 3 files changed, 34 insertions(+), 18 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8541eb33a..c68733ff4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,11 @@ - djm@cvs.openbsd.org 2011/05/06 02:05:41 [sshconnect2.c] fix memory leak; bz#1849 ok dtucker@ + - djm@cvs.openbsd.org 2011/05/06 21:14:05 + [packet.c packet.h] + set traffic class for IPv6 traffic as we do for IPv4 TOS; + patch from lionel AT mamane.lu via Colin Watson in bz#1855; + ok markus@ 20110510 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix diff --git a/packet.c b/packet.c index b4e01f716..f323e7eeb 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.172 2010/11/13 23:27:50 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.173 2011/05/06 21:14:05 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -422,10 +422,8 @@ packet_set_state(int mode, u_int32_t seqnr, u_int64_t blocks, u_int32_t packets, state->bytes = bytes; } -/* returns 1 if connection is via ipv4 */ - -int -packet_connection_is_ipv4(void) +static int +packet_connection_af(void) { struct sockaddr_storage to; socklen_t tolen = sizeof(to); @@ -439,9 +437,9 @@ packet_connection_is_ipv4(void) #ifdef IPV4_IN_IPV6 if (to.ss_family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)&to)->sin6_addr)) - return 1; + return AF_INET; #endif - return 0; + return to.ss_family; } /* Sets the connection into non-blocking mode. */ 
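Review bot: The first packet.c hunk drops the `/* returns 1 if connection is via ipv4 */` comment when turning packet_connection_is_ipv4() into packet_connection_af() but does not replace it, and the new contract is less obvious: the function now returns an address family, reports v4-mapped IPv6 peers as AF_INET under IPV4_IN_IPV6, and its value when the connection is not a socket comes from code outside the hunk. I would add above the definition: `/* Address family of the connection socket; v4-mapped IPv6 is reported as AF_INET. Returns 0 if it cannot be determined. */`, with the last sentence checked against the getsockname() failure path.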
@@ -1752,16 +1750,30 @@ packet_not_very_much_data_to_write(void) static void packet_set_tos(int tos) { -#if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN) - if (!packet_connection_is_on_socket() || - !packet_connection_is_ipv4()) +#ifndef IP_TOS_IS_BROKEN + if (!packet_connection_is_on_socket()) return; - debug3("%s: set IP_TOS 0x%02x", __func__, tos); - if (setsockopt(active_state->connection_in, IPPROTO_IP, IP_TOS, &tos, - sizeof(tos)) < 0) - error("setsockopt IP_TOS %d: %.100s:", - tos, strerror(errno)); -#endif + switch (packet_connection_af()) { +# ifdef IP_TOS + case AF_INET: + debug3("%s: set IP_TOS 0x%02x", __func__, tos); + if (setsockopt(active_state->connection_in, + IPPROTO_IP, IP_TOS, &tos, sizeof(tos)) < 0) + error("setsockopt IP_TOS %d: %.100s:", + tos, strerror(errno)); + break; +# endif /* IP_TOS */ +# ifdef IPV6_TCLASS + case AF_INET6: + debug3("%s: set IPV6_TCLASS 0x%02x", __func__, tos); + if (setsockopt(active_state->connection_in, + IPPROTO_IPV6, IPV6_TCLASS, &tos, sizeof(tos)) < 0) + error("setsockopt IPV6_TCLASS %d: %.100s:", + tos, strerror(errno)); + break; + } +# endif /* IPV6_TCLASS */ +#endif /* IP_TOS_IS_BROKEN */ } /* Informs that the current session is interactive. Sets IP flags for that. */ diff --git a/packet.h b/packet.h index d516aae8d..90eec17a9 100644 --- a/packet.h +++ b/packet.h @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.h,v 1.55 2010/11/13 23:27:50 djm Exp $ */ +/* $OpenBSD: packet.h,v 1.56 2011/05/06 21:14:05 djm Exp $ */ /* * Author: Tatu Ylonen @@ -92,7 +92,6 @@ int packet_have_data_to_write(void); int packet_not_very_much_data_to_write(void); int packet_connection_is_on_socket(void); -int packet_connection_is_ipv4(void); int packet_remaining(void); void packet_send_ignore(int); void packet_add_padding(u_char); -- cgit v1.2.3 From dfc85fa1815004bd885473068e7578be3dcbdfef Mon Sep 17 00:00:00 2001 
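Review bot: The closing brace of the `switch` in packet_set_tos() is placed inside `# ifdef IPV6_TCLASS`, so a build where IP_TOS_IS_BROKEN is undefined but IPV6_TCLASS is not available loses the `}` and fails to compile. Move the brace out of the conditional so the tail reads `break;` / `# endif /* IPV6_TCLASS */` / `}` followed by `#endif /* IP_TOS_IS_BROKEN */`. A `default: break;` arm would also make the intentional no-op for other families (and for a 0 return from packet_connection_af()) explicit.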
From: Damien Miller Date: Sun, 15 May 2011 08:44:02 +1000 Subject: - djm@cvs.openbsd.org 2011/05/06 21:18:02 [ssh.c ssh_config.5] add a %L expansion (short-form of the local host name) for ControlPath; sync some more expansions with LocalCommand; ok markus@ --- ChangeLog | 4 ++++ ssh.c | 28 ++++++++++++++-------------- ssh_config.5 | 17 ++++++++++++----- 3 files changed, 30 insertions(+), 19 deletions(-) diff --git a/ChangeLog b/ChangeLog index c68733ff4..00f54f924 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,10 @@ set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@ + - djm@cvs.openbsd.org 2011/05/06 21:18:02 + [ssh.c ssh_config.5] + add a %L expansion (short-form of the local host name) for ControlPath; + sync some more expansions with LocalCommand; ok markus@ 20110510 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix diff --git a/ssh.c b/ssh.c index 4fd131c20..549dd5c22 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.357 2011/04/17 22:42:42 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.358 2011/05/06 21:18:02 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -222,6 +222,7 @@ main(int ac, char **av) { int i, r, opt, exit_status, use_syslog; char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg; + char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV]; struct stat st; struct passwd *pw; int dummy, timeout_ms; 
@@ -701,17 +702,19 @@ main(int ac, char **av) "h", host, (char *)NULL); } - if (options.local_command != NULL) { - char thishost[NI_MAXHOST]; + if (gethostname(thishost, sizeof(thishost)) == -1) + fatal("gethostname: %s", strerror(errno)); + strlcpy(shorthost, thishost, sizeof(shorthost)); + shorthost[strcspn(thishost, ".")] = '\0'; + snprintf(portstr, sizeof(portstr), "%d", options.port); - if (gethostname(thishost, sizeof(thishost)) == -1) - fatal("gethostname: %s", strerror(errno)); - snprintf(buf, sizeof(buf), "%d", options.port); + if (options.local_command != NULL) { debug3("expanding LocalCommand: %s", options.local_command); cp = options.local_command; options.local_command = percent_expand(cp, "d", pw->pw_dir, "h", host, "l", thishost, "n", host_arg, "r", options.user, - "p", buf, "u", pw->pw_name, (char *)NULL); + "p", portstr, "u", pw->pw_name, "L", shorthost, + (char *)NULL); debug3("expanded LocalCommand: %s", options.local_command); xfree(cp); } @@ -735,16 +738,13 @@ main(int ac, char **av) } if (options.control_path != NULL) { - char thishost[NI_MAXHOST]; - - if (gethostname(thishost, sizeof(thishost)) == -1) - fatal("gethostname: %s", strerror(errno)); - snprintf(buf, sizeof(buf), "%d", options.port); cp = tilde_expand_filename(options.control_path, original_real_uid); xfree(options.control_path); - options.control_path = percent_expand(cp, "p", buf, "h", host, - "r", options.user, "l", thishost, (char *)NULL); + options.control_path = percent_expand(cp, "h", host, + "l", thishost, "n", host_arg, "r", options.user, + "p", portstr, "u", pw->pw_name, "L", shorthost, + (char *)NULL); xfree(cp); } if (muxclient_command != 0 && options.control_path == NULL) diff --git a/ssh_config.5 b/ssh_config.5 index 50bcae82f..a5bad8cc7 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
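Review bot: gethostname() is not required to NUL-terminate `thishost` when the host name is longer than the buffer, so the following `strlcpy(shorthost, thishost, ...)` and `strcspn(thishost, ".")` can read past the end of thishost; adding `thishost[sizeof(thishost) - 1] = '\0';` after the call closes that. The hunk also makes gethostname() run, and fatal() on failure, on every invocation rather than only when LocalCommand or ControlPath is set; that is probably acceptable, but a comment noting that both expansions now depend on it would help the next reader. main() continues outside the hunk.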
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.146 2010/12/08 04:02:47 djm Exp $ -.Dd $Mdocdate: December 8 2010 $ +.\" $OpenBSD: ssh_config.5,v 1.147 2011/05/06 21:18:02 djm Exp $ +.Dd $Mdocdate: May 6 2011 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -305,14 +305,21 @@ section above or the string .Dq none to disable connection sharing. In the path, +.Ql %L +will be substituted by the first component of the local host name, .Ql %l -will be substituted by the local host name, +will be substituted by the local host name (including any domain name), .Ql %h will be substituted by the target host name, +.Ql %h +will be substituted by original target host name specified on the commandline, .Ql %p -the port, and +the port, .Ql %r -by the remote login username. +by the remote login username, and +.Ql %u +by the username of the user running +.Xr ssh 1 . It is recommended that any .Cm ControlPath used for opportunistic connection sharing include -- cgit v1.2.3 From fe92421772243702ecb18b862dbeb51a9bdbbc6e Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 15 May 2011 08:44:45 +1000 Subject: - djm@cvs.openbsd.org 2011/05/06 21:31:38 [readconf.c ssh_config.5] support negated Host matching, e.g. Host *.example.org !c.example.org User mekmitasdigoat Will match "a.example.org", "b.example.org", but not "c.example.org" ok markus@ --- ChangeLog | 9 +++++++++ readconf.c | 26 +++++++++++++++++++++----- ssh_config.5 | 11 ++++++++++- 3 files changed, 40 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 00f54f924..caec1dd27 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -23,6 +23,15 @@ [ssh.c ssh_config.5] add a %L expansion (short-form of the local host name) for ControlPath; sync some more expansions with LocalCommand; ok markus@ + - djm@cvs.openbsd.org 2011/05/06 21:31:38 + [readconf.c ssh_config.5] + support negated Host matching, e.g. + + Host *.example.org !c.example.org + User mekmitasdigoat + + Will match "a.example.org", "b.example.org", but not "c.example.org" + ok markus@ 20110510 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix diff --git a/readconf.c b/readconf.c index eb4a8b9ee..927e7fefa 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.190 2010/11/13 23:27:50 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.191 2011/05/06 21:31:38 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -354,7 +354,7 @@ process_config_line(Options *options, const char *host, int *activep) { char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256]; - int opcode, *intptr, value, value2, scale; + int negated, opcode, *intptr, value, value2, scale; LogLevel *log_level_ptr; long long orig, val64; size_t len; @@ -793,12 +793,28 @@ parse_int: case oHost: *activep = 0; - while ((arg = strdelim(&s)) != NULL && *arg != '\0') + arg2 = NULL; + while ((arg = strdelim(&s)) != NULL && *arg != '\0') { + negated = *arg == '!'; + if (negated) + arg++; if (match_pattern(host, arg)) { - debug("Applying options for %.100s", arg); + if (negated) { + debug("%.200s line %d: Skipping Host " + "block because of negated match " + "for %.100s", filename, linenum, + arg); + *activep = 0; + break; + } + if (!*activep) + arg2 = arg; /* logged below */ *activep = 1; - break; } + } + if (*activep) + debug("%.200s line %d: Applying options for %.100s", + filename, linenum, arg2); /* Avoid garbage check below, as strdelim is done. */ return 0; diff --git a/ssh_config.5 b/ssh_config.5 index a5bad8cc7..5bdc7fec1 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
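Review bot: A Host line made up only of negated patterns (e.g. `Host !bad.example.org`) can never set `*activep`, because the loop sets it to 1 only on a non-negated match, so such a block is silently never applied; if that is intended, say so next to the loop, e.g. `/* a negated pattern only excludes; at least one positive pattern must match for the block to apply */`, and mirror it in ssh_config.5. A bare `!` token is also accepted and, after `arg++`, matched as the empty pattern; rejecting it with the usual `fatal("%.200s line %d: ...", filename, linenum)` form would be clearer than a pattern that matches nothing. process_config_line() starts and ends outside the hunk.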
@@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.147 2011/05/06 21:18:02 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.148 2011/05/06 21:31:38 djm Exp $ .Dd $Mdocdate: May 6 2011 $ .Dt SSH_CONFIG 5 .Os @@ -112,6 +112,15 @@ The host is the argument given on the command line (i.e. the name is not converted to a canonicalized host name before matching). .Pp +A pattern entry may be negated by prefixing it with an exclamation mark +.Pq Sq !\& . +If a negated entry is matched, then the +.Cm Host +entry is ignored, regardless of whether any other patterns on the line +match. +Negated matches are therefore useful to provide exceptions for wildcard +matches. +.Pp See .Sx PATTERNS for more information on patterns. -- cgit v1.2.3 From 21771e22d3e23a10cb01983b2df83d47362eadda Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 15 May 2011 08:45:50 +1000 Subject: - djm@cvs.openbsd.org 2011/05/06 21:34:32 [clientloop.c mux.c readconf.c readconf.h ssh.c ssh_config.5] Add a RequestTTY ssh_config option to allow configuration-based control over tty allocation (like -t/-T); ok markus@ --- ChangeLog | 4 ++++ clientloop.c | 24 +++++++++++------------- mux.c | 7 +++---- readconf.c | 28 ++++++++++++++++++++++++++-- readconf.h | 8 +++++++- ssh.c | 41 ++++++++++++++++++++++------------------- ssh_config.5 | 19 ++++++++++++++++++- 7 files changed, 91 insertions(+), 40 deletions(-) diff --git a/ChangeLog b/ChangeLog index caec1dd27..67e651335 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -32,6 +32,10 @@ Will match "a.example.org", "b.example.org", but not "c.example.org" ok markus@ + - djm@cvs.openbsd.org 2011/05/06 21:34:32 + [clientloop.c mux.c readconf.c readconf.h ssh.c ssh_config.5] + Add a RequestTTY ssh_config option to allow configuration-based + control over tty allocation (like -t/-T); ok markus@ 20110510 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix diff --git a/clientloop.c b/clientloop.c index 502dd982c..5bd757dfb 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.232 2011/04/17 22:42:41 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.233 2011/05/06 21:34:32 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -130,9 +130,6 @@ extern int muxserver_sock; /* XXX use mux_client_cleanup() instead */ */ extern char *host; -/* Force TTY allocation */ -extern int force_tty_flag; - /* * Flag to indicate that we have received a window change signal which has * not yet been processed. This will cause a message indicating the new @@ -662,7 +659,7 @@ client_suspend_self(Buffer *bin, Buffer *bout, Buffer *berr) atomicio(vwrite, fileno(stderr), buffer_ptr(berr), buffer_len(berr)); - leave_raw_mode(force_tty_flag); + leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); /* * Free (and clear) the buffer to reduce the amount of data that gets @@ -683,7 +680,7 @@ client_suspend_self(Buffer *bin, Buffer *bout, Buffer *berr) buffer_init(bout); buffer_init(berr); - enter_raw_mode(force_tty_flag); + enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); } static void @@ -826,7 +823,7 @@ process_cmdline(void) bzero(&fwd, sizeof(fwd)); fwd.listen_host = fwd.connect_host = NULL; - leave_raw_mode(force_tty_flag); + leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); handler = signal(SIGINT, SIG_IGN); cmd = s = read_passphrase("\r\nssh> ", RP_ECHO); if (s == NULL) 
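Review bot: The expression `options.request_tty == REQUEST_TTY_FORCE` replacing `force_tty_flag` is repeated at every enter_raw_mode()/leave_raw_mode() call site in clientloop.c (and again in mux.c), which is the kind of policy that drifts when a new RequestTTY value is added. A small helper near the top of clientloop.c, e.g. `static int force_tty(void) { return options.request_tty == REQUEST_TTY_FORCE; }`, or a macro in readconf.h, would keep it in one place. The functions touched here (client_suspend_self, process_cmdline) start and end outside the hunks.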
@@ -930,7 +927,7 @@ process_cmdline(void) out: signal(SIGINT, handler); - enter_raw_mode(force_tty_flag); + enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); if (cmd) xfree(cmd); if (fwd.listen_host != NULL) @@ -1049,7 +1046,8 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr, * more new connections). */ /* Restore tty modes. */ - leave_raw_mode(force_tty_flag); + leave_raw_mode( + options.request_tty == REQUEST_TTY_FORCE); /* Stop listening for new connections. */ channel_stop_listening(); @@ -1344,7 +1342,7 @@ client_channel_closed(int id, void *arg) { channel_cancel_cleanup(id); session_closed = 1; - leave_raw_mode(force_tty_flag); + leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); } /* @@ -1415,7 +1413,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) signal(SIGWINCH, window_change_handler); if (have_pty) - enter_raw_mode(force_tty_flag); + enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); if (compat20) { session_ident = ssh2_chan_id; @@ -1559,7 +1557,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) channel_free_all(); if (have_pty) - leave_raw_mode(force_tty_flag); + leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); /* restore blocking io */ if (!isatty(fileno(stdin))) @@ -2142,7 +2140,7 @@ client_stop_mux(void) void cleanup_exit(int i) { - leave_raw_mode(force_tty_flag); + leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); leave_non_blocking(); if (options.control_path != NULL && muxserver_sock != -1) unlink(options.control_path); diff --git a/mux.c b/mux.c index fb24c0f97..1afd1bdf3 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.26 2011/05/05 05:12:08 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.27 2011/05/06 21:34:32 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -87,7 +87,6 @@ /* from ssh.c */ extern int tty_flag; -extern int force_tty_flag; extern Options options; extern int stdin_null_flag; extern char *host; 
@@ -1710,7 +1709,7 @@ mux_client_request_session(int fd) signal(SIGWINCH, control_client_sigrelay); if (tty_flag) - enter_raw_mode(force_tty_flag); + enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); /* * Stick around until the controlee closes the client_fd. @@ -1739,7 +1738,7 @@ mux_client_request_session(int fd) } close(fd); - leave_raw_mode(force_tty_flag); + leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); if (muxclient_terminate) { debug2("Exiting on signal %d", muxclient_terminate); diff --git a/readconf.c b/readconf.c index 927e7fefa..4780ae289 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.191 2011/05/06 21:31:38 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.192 2011/05/06 21:34:32 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -134,7 +134,7 @@ typedef enum { oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, - oKexAlgorithms, oIPQoS, + oKexAlgorithms, oIPQoS, oRequestTTY, oDeprecated, oUnsupported } OpCodes; @@ -245,6 +245,7 @@ static struct { #endif { "kexalgorithms", oKexAlgorithms }, { "ipqos", oIPQoS }, + { "requesttty", oRequestTTY }, { NULL, oBadOption } }; 
@@ -1013,6 +1014,26 @@ parse_int: intptr = &options->use_roaming; goto parse_flag; + case oRequestTTY: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%s line %d: missing argument.", + filename, linenum); + intptr = &options->request_tty; + if (strcasecmp(arg, "yes") == 0) + value = REQUEST_TTY_YES; + else if (strcasecmp(arg, "no") == 0) + value = REQUEST_TTY_NO; + else if (strcasecmp(arg, "force") == 0) + value = REQUEST_TTY_FORCE; + else if (strcasecmp(arg, "auto") == 0) + value = REQUEST_TTY_AUTO; + else + fatal("Unsupported RequestTTY \"%s\"", arg); + if (*activep && *intptr == -1) + *intptr = value; + break; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); @@ -1173,6 +1194,7 @@ initialize_options(Options * options) options->zero_knowledge_password_authentication = -1; options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; + options->request_tty = -1; } /* @@ -1331,6 +1353,8 @@ fill_default_options(Options * options) options->ip_qos_interactive = IPTOS_LOWDELAY; if (options->ip_qos_bulk == -1) options->ip_qos_bulk = IPTOS_THROUGHPUT; + if (options->request_tty == -1) + options->request_tty = REQUEST_TTY_AUTO; /* options->local_command should not be set by default */ /* options->proxy_command should not be set by default */ /* options->user will be set in the main program if appropriate */ diff --git a/readconf.h b/readconf.h index ee160dfe7..bc3e8c1bb 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.88 2010/11/13 23:27:50 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.89 2011/05/06 21:34:32 djm Exp $ */ /* * Author: Tatu Ylonen @@ -132,6 +132,7 @@ typedef struct { int use_roaming; + int request_tty; } Options; #define SSHCTL_MASTER_NO 0 
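Review bot: The rejection of an unknown RequestTTY value in the new oRequestTTY case omits the file name and line number that the missing-argument fatal two lines above (and the other option parsers in this function) report, so a typo in a large ssh_config is hard to locate; use `fatal("%s line %d: unsupported RequestTTY \"%s\".", filename, linenum, arg);`. Failing hard on an unrecognised value is the right call here, since silently falling back to "auto" would change whether a tty is allocated. The `*activep && *intptr == -1` guard gives first-match-wins semantics like the surrounding options, which is what lets command-line -t/-T take precedence. The enclosing process_config_line switch starts and ends outside this hunk.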
@@ -140,6 +141,11 @@ typedef struct { #define SSHCTL_MASTER_ASK 3 #define SSHCTL_MASTER_AUTO_ASK 4 +#define REQUEST_TTY_AUTO 0 +#define REQUEST_TTY_NO 1 +#define REQUEST_TTY_YES 2 +#define REQUEST_TTY_FORCE 3 + void initialize_options(Options *); void fill_default_options(Options *); int read_config_file(const char *, const char *, Options *, int); diff --git a/ssh.c b/ssh.c index 549dd5c22..7243fa2a6 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.358 2011/05/06 21:18:02 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.359 2011/05/06 21:34:32 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -114,10 +114,8 @@ extern char *__progname; /* Flag indicating whether debug mode is on. May be set on the command line. */ int debug_flag = 0; -/* Flag indicating whether a tty should be allocated */ +/* Flag indicating whether a tty should be requested */ int tty_flag = 0; -int no_tty_flag = 0; -int force_tty_flag = 0; /* don't exec a shell */ int no_shell_flag = 0; @@ -135,7 +133,7 @@ int stdin_null_flag = 0; int need_controlpersist_detach = 0; /* Copies of flags for ControlPersist foreground slave */ -int ostdin_null_flag, ono_shell_flag, ono_tty_flag, otty_flag; +int ostdin_null_flag, ono_shell_flag, otty_flag, orequest_tty; /* * Flag indicating that ssh should fork after authentication. This is useful @@ -389,9 +387,10 @@ main(int ac, char **av) #endif break; case 't': - if (tty_flag) - force_tty_flag = 1; - tty_flag = 1; + if (options.request_tty == REQUEST_TTY_YES) + options.request_tty = REQUEST_TTY_FORCE; + else + options.request_tty = REQUEST_TTY_YES; break; case 'v': if (debug_flag == 0) { @@ -434,7 +433,7 @@ main(int ac, char **av) optarg); exit(255); } - no_tty_flag = 1; + options.request_tty = REQUEST_TTY_NO; no_shell_flag = 1; options.clear_forwardings = 1; options.exit_on_forward_failure = 1; 
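Review bot: The new 't' case makes -t and -T last-one-wins, which is a behaviour change from the removed flags: previously `-T -tt` (e.g. -T from an alias plus -tt on the command line) ended with no_tty_flag set and no tty was allocated, while now the final -t overrides the earlier -T and the request becomes REQUEST_TTY_FORCE. That is arguably the more intuitive outcome, but it is not stated anywhere; the ssh.1 hunk later in this series only adds RequestTTY to the option list. Suggest a one-line comment on the case, `/* -t/-T: the last one given wins; -tt (two -t after the last -T) forces allocation */`, and a matching sentence in ssh.1. The case also assumes options.request_tty was initialised before getopt runs, which is not visible in this hunk.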
@@ -543,10 +542,10 @@ main(int ac, char **av) break; case 'N': no_shell_flag = 1; - no_tty_flag = 1; + options.request_tty = REQUEST_TTY_NO; break; case 'T': - no_tty_flag = 1; + options.request_tty = REQUEST_TTY_NO; break; case 'o': dummy = 1; @@ -606,6 +605,10 @@ main(int ac, char **av) /* Initialize the command to execute on remote host. */ buffer_init(&command); + if (options.request_tty == REQUEST_TTY_YES || + options.request_tty == REQUEST_TTY_FORCE) + tty_flag = 1; + /* * Save the command to execute on the remote host in a buffer. There * is no limit on the length of the command, except by the maximum @@ -613,7 +616,7 @@ main(int ac, char **av) */ if (!ac) { /* No command specified - execute shell on a tty. */ - tty_flag = 1; + tty_flag = options.request_tty != REQUEST_TTY_NO; if (subsystem_flag) { fprintf(stderr, "You must specify a subsystem to invoke.\n"); @@ -636,13 +639,14 @@ main(int ac, char **av) /* Allocate a tty by default if no command specified. */ if (buffer_len(&command) == 0) - tty_flag = 1; + tty_flag = options.request_tty != REQUEST_TTY_NO; /* Force no tty */ - if (no_tty_flag || muxclient_command != 0) + if (options.request_tty == REQUEST_TTY_NO || muxclient_command != 0) tty_flag = 0; /* Do not allocate a tty if stdin is not a tty. */ - if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) { + if ((!isatty(fileno(stdin)) || stdin_null_flag) && + options.request_tty != REQUEST_TTY_FORCE) { if (tty_flag) logit("Pseudo-terminal will not be allocated because " "stdin is not a terminal."); @@ -946,8 +950,7 @@ control_persist_detach(void) /* Parent: set up mux slave to connect to backgrounded master */ debug2("%s: background process is %ld", __func__, (long)pid); stdin_null_flag = ostdin_null_flag; - no_shell_flag = ono_shell_flag; - no_tty_flag = ono_tty_flag; + options.request_tty = orequest_tty; tty_flag = otty_flag; close(muxserver_sock); muxserver_sock = -1; 
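Review bot: The control_persist_detach hunk drops the `no_shell_flag = ono_shell_flag;` restore together with the old no_tty_flag one, but ssh_session2 in this same commit still saves `ono_shell_flag = no_shell_flag;` and sets `no_shell_flag = 1;` in the master before forking, so the foreground ControlPersist slave now runs muxclient() with no_shell_flag left at 1 and the saved copy is dead state. Whether muxclient() reads no_shell_flag is not visible here; if it does, restore it with `no_shell_flag = ono_shell_flag;` next to `options.request_tty = orequest_tty;`, and if it does not, delete the save and the `ono_shell_flag` global so the save/restore pairs stay symmetric. The main() hunks above reduce to the same `tty_flag = options.request_tty != REQUEST_TTY_NO;` assignment in two places, which is fine, but the later "Force no tty" block then re-clears it for REQUEST_TTY_NO, so one of the two checks is redundant.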
@@ -1394,11 +1397,11 @@ ssh_session2(void) if (options.control_persist && muxserver_sock != -1) { ostdin_null_flag = stdin_null_flag; ono_shell_flag = no_shell_flag; - ono_tty_flag = no_tty_flag; + orequest_tty = options.request_tty; otty_flag = tty_flag; stdin_null_flag = 1; no_shell_flag = 1; - no_tty_flag = 1; + options.request_tty == REQUEST_TTY_NO; tty_flag = 0; if (!fork_after_authentication_flag) need_controlpersist_detach = 1; diff --git a/ssh_config.5 b/ssh_config.5 index 5bdc7fec1..83baa82b1 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.148 2011/05/06 21:31:38 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.149 2011/05/06 21:34:32 djm Exp $ .Dd $Mdocdate: May 6 2011 $ .Dt SSH_CONFIG 5 .Os @@ -959,6 +959,23 @@ will only succeed if the server's .Cm GatewayPorts option is enabled (see .Xr sshd_config 5 ) . +.It Cm RequestTTY +Specifies whether to request a pseudo-tty for the session. +The argument may be one of: +.Dq no +(never request a TTY), +.Dq yes +(always request a TTY when standard input is a TTY), +.Dq force +(always request a TTY) or +.Dq auto +(request a TTY when opening a login session). +This option mirrors the +.Fl t +and +.Fl T +flags for +.Xr ssh 1 . .It Cm RhostsRSAAuthentication Specifies whether to try rhosts based authentication with RSA host authentication. -- cgit v1.2.3 From a6bbbe465825338637ad68b41c68827be732cc82 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 15 May 2011 08:46:29 +1000 Subject: - djm@cvs.openbsd.org 2011/05/06 21:38:58 [ssh.c] fix dropping from previous diff --- ChangeLog | 3 +++ ssh.c | 3 +-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 67e651335..7527d7654 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -36,6 +36,9 @@ [clientloop.c mux.c readconf.c readconf.h ssh.c ssh_config.5] Add a RequestTTY ssh_config option to allow configuration-based control over tty allocation (like -t/-T); ok markus@ + - djm@cvs.openbsd.org 2011/05/06 21:38:58 + [ssh.c] + fix dropping from previous diff 20110510 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix diff --git a/ssh.c b/ssh.c index 7243fa2a6..6080c0c27 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.359 2011/05/06 21:34:32 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.360 2011/05/06 21:38:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1401,7 +1401,6 @@ ssh_session2(void) otty_flag = tty_flag; stdin_null_flag = 1; no_shell_flag = 1; - options.request_tty == REQUEST_TTY_NO; tty_flag = 0; if (!fork_after_authentication_flag) need_controlpersist_detach = 1; -- cgit v1.2.3 From c067f6256048f01e646cc3db71ad3d836a742ac1 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 15 May 2011 08:46:54 +1000 Subject: - djm@cvs.openbsd.org 2011/05/06 22:20:10 [PROTOCOL.mux] fix numbering; from bert.wesarg AT googlemail.com --- ChangeLog | 3 +++ PROTOCOL.mux | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7527d7654..0a3b93580 100644 --- a/ChangeLog +++ b/ChangeLog @@ -39,6 +39,9 @@ - djm@cvs.openbsd.org 2011/05/06 21:38:58 [ssh.c] fix dropping from previous diff + - djm@cvs.openbsd.org 2011/05/06 22:20:10 + [PROTOCOL.mux] + fix numbering; from bert.wesarg AT googlemail.com 20110510 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix diff --git a/PROTOCOL.mux b/PROTOCOL.mux index 05bb14690..3da9e37ae 100644 --- a/PROTOCOL.mux +++ b/PROTOCOL.mux @@ -180,7 +180,7 @@ The MUX_S_PERMISSION_DENIED and MUX_S_FAILURE include a reason: uint32 client request id string reason -9. Protocol numbers +10. Protocol numbers #define MUX_MSG_HELLO 0x00000001 #define MUX_C_NEW_SESSION 0x10000002 
@@ -211,4 +211,4 @@ XXX server->client error/warning notifications XXX port0 rfwd (need custom response message) XXX send signals via mux -$OpenBSD: PROTOCOL.mux,v 1.5 2011/04/17 22:42:41 djm Exp $ +$OpenBSD: PROTOCOL.mux,v 1.6 2011/05/06 22:20:10 djm Exp $ -- cgit v1.2.3 From 486dd2eadbbb4d51d0062789fdb8d8f7a3fe51fd Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 15 May 2011 08:47:18 +1000 Subject: - jmc@cvs.openbsd.org 2011/05/07 23:19:39 [ssh_config.5] - tweak previous - come consistency fixes ok djm --- ChangeLog | 5 +++++ ssh_config.5 | 11 ++++++----- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0a3b93580..51de4ee26 100644 --- a/ChangeLog +++ b/ChangeLog @@ -42,6 +42,11 @@ - djm@cvs.openbsd.org 2011/05/06 22:20:10 [PROTOCOL.mux] fix numbering; from bert.wesarg AT googlemail.com + - jmc@cvs.openbsd.org 2011/05/07 23:19:39 + [ssh_config.5] + - tweak previous + - come consistency fixes + ok djm 20110510 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix diff --git a/ssh_config.5 b/ssh_config.5 index 83baa82b1..7a3b641ff 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.149 2011/05/06 21:34:32 djm Exp $ -.Dd $Mdocdate: May 6 2011 $ +.\" $OpenBSD: ssh_config.5,v 1.150 2011/05/07 23:19:39 jmc Exp $ +.Dd $Mdocdate: May 7 2011 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -320,8 +320,9 @@ will be substituted by the first component of the local host name, will be substituted by the local host name (including any domain name), .Ql %h will be substituted by the target host name, -.Ql %h -will be substituted by original target host name specified on the commandline, +.Ql %n +will be substituted by the original target host name +specified on the command line, .Ql %p the port, .Ql %r 
@@ -585,7 +586,7 @@ Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. If the hostname contains the character sequence .Ql %h , -then this will be replaced with the host name specified on the commandline +then this will be replaced with the host name specified on the command line (this is useful for manipulating unqualified names). The default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in -- cgit v1.2.3 From f4b32aad05cb65caa6eabe09049750b3c8a29cf3 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 15 May 2011 08:47:43 +1000 Subject: - jmc@cvs.openbsd.org 2011/05/07 23:20:25 [ssh.1] +.It RequestTTY --- ChangeLog | 3 +++ ssh.1 | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 51de4ee26..dee43400a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -47,6 +47,9 @@ - tweak previous - come consistency fixes ok djm + - jmc@cvs.openbsd.org 2011/05/07 23:20:25 + [ssh.1] + +.It RequestTTY 20110510 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix diff --git a/ssh.1 b/ssh.1 index a51742f5a..7f3a79b48 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.318 2011/04/18 00:21:11 jmc Exp $ -.Dd $Mdocdate: April 18 2011 $ +.\" $OpenBSD: ssh.1,v 1.319 2011/05/07 23:20:25 jmc Exp $ +.Dd $Mdocdate: May 7 2011 $ .Dt SSH 1 .Os .Sh NAME @@ -456,6 +456,7 @@ For full details of the options listed below, and their possible values, see .It PubkeyAuthentication .It RekeyLimit .It RemoteForward +.It RequestTTY .It RhostsRSAAuthentication .It RSAAuthentication .It SendEnv -- cgit v1.2.3 From 555f3b856f2681b46870a66386396b49426b9719 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Sun, 15 May 2011 08:48:05 +1000 Subject: - djm@cvs.openbsd.org 2011/05/08 12:52:01 [PROTOCOL.mux clientloop.c clientloop.h mux.c] improve our behaviour when TTY allocation fails: if we are in RequestTTY=auto mode (the default), then do not treat at TTY allocation error as fatal but rather just restore the local TTY to cooked mode and continue. This is more graceful on devices that never allocate TTYs. If RequestTTY is set to "yes" or "force", then failure to allocate a TTY is fatal. ok markus@ --- ChangeLog | 12 ++++++++++++ PROTOCOL.mux | 11 +++++++++-- clientloop.c | 53 +++++++++++++++++++++++++++++++++++++++-------------- clientloop.h | 4 +++- mux.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++------------ 5 files changed, 111 insertions(+), 29 deletions(-) diff --git a/ChangeLog b/ChangeLog index dee43400a..713798cbb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -50,6 +50,18 @@ - jmc@cvs.openbsd.org 2011/05/07 23:20:25 [ssh.1] +.It RequestTTY + - djm@cvs.openbsd.org 2011/05/08 12:52:01 + [PROTOCOL.mux clientloop.c clientloop.h mux.c] + improve our behaviour when TTY allocation fails: if we are in + RequestTTY=auto mode (the default), then do not treat at TTY + allocation error as fatal but rather just restore the local TTY + to cooked mode and continue. This is more graceful on devices that + never allocate TTYs. + + If RequestTTY is set to "yes" or "force", then failure to allocate + a TTY is fatal. + + ok markus@ 20110510 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix diff --git a/PROTOCOL.mux b/PROTOCOL.mux index 3da9e37ae..9ad256602 100644 --- a/PROTOCOL.mux +++ b/PROTOCOL.mux 
@@ -73,6 +73,13 @@ non-multiplexed ssh(1) connection. Two additional cases that the client must cope with are it receiving a signal itself and the server disconnecting without sending an exit message. +A master may also send a MUX_S_TTY_ALLOC_FAIL before MUX_S_EXIT_MESSAGE +if remote TTY allocation was unsuccessful. The client may use this to +return its local tty to "cooked" mode. + + uint32 MUX_S_TTY_ALLOC_FAIL + uint32 session id + 3. Health checks The client may request a health check/PID report from a server: @@ -197,6 +204,7 @@ The MUX_S_PERMISSION_DENIED and MUX_S_FAILURE include a reason: #define MUX_S_ALIVE 0x80000005 #define MUX_S_SESSION_OPENED 0x80000006 #define MUX_S_REMOTE_PORT 0x80000007 +#define MUX_S_TTY_ALLOC_FAIL 0x80000008 #define MUX_FWD_LOCAL 1 #define MUX_FWD_REMOTE 2 @@ -208,7 +216,6 @@ XXX lock (maybe) XXX watch in/out traffic (pre/post crypto) XXX inject packet (what about replies) XXX server->client error/warning notifications -XXX port0 rfwd (need custom response message) XXX send signals via mux -$OpenBSD: PROTOCOL.mux,v 1.6 2011/05/06 22:20:10 djm Exp $ +$OpenBSD: PROTOCOL.mux,v 1.7 2011/05/08 12:52:01 djm Exp $ diff --git a/clientloop.c b/clientloop.c index 5bd757dfb..ed1d8a238 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.233 2011/05/06 21:34:32 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.234 2011/05/08 12:52:01 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -174,9 +174,11 @@ struct escape_filter_ctx { }; /* Context for channel confirmation replies */ +enum confirm_action { CONFIRM_WARN = 0, CONFIRM_CLOSE, CONFIRM_TTY }; struct channel_reply_ctx { const char *request_type; - int id, do_close; + int id; + enum confirm_action action; }; /* Global request success/failure callbacks */ 
@@ -739,6 +741,15 @@ client_status_confirm(int type, Channel *c, void *ctx) char errmsg[256]; int tochan; + /* + * If a TTY was explicitly requested, then a failure to allocate + * one is fatal. + */ + if (cr->action == CONFIRM_TTY && + (options.request_tty == REQUEST_TTY_FORCE || + options.request_tty == REQUEST_TTY_YES)) + cr->action = CONFIRM_CLOSE; + /* XXX supress on mux _client_ quietmode */ tochan = options.log_level >= SYSLOG_LEVEL_ERROR && c->ctl_chan != -1 && c->extended_usage == CHAN_EXTENDED_WRITE; @@ -756,14 +767,27 @@ client_status_confirm(int type, Channel *c, void *ctx) cr->request_type, c->self); } /* If error occurred on primary session channel, then exit */ - if (cr->do_close && c->self == session_ident) + if (cr->action == CONFIRM_CLOSE && c->self == session_ident) fatal("%s", errmsg); - /* If error occurred on mux client, append to their stderr */ - if (tochan) - buffer_append(&c->extended, errmsg, strlen(errmsg)); - else + /* + * If error occurred on mux client, append to + * their stderr. + */ + if (tochan) { + buffer_append(&c->extended, errmsg, + strlen(errmsg)); + } else error("%s", errmsg); - if (cr->do_close) { + if (cr->action == CONFIRM_TTY) { + /* + * If a TTY allocation error occurred, then arrange + * for the correct TTY to leave raw mode. + */ + if (c->self == session_ident) + leave_raw_mode(0); + else + mux_tty_alloc_failed(c); + } else if (cr->action == CONFIRM_CLOSE) { chan_read_failed(c); chan_write_failed(c); } @@ -778,12 +802,13 @@ client_abandon_status_confirm(Channel *c, void *ctx) } static void -client_expect_confirm(int id, const char *request, int do_close) +client_expect_confirm(int id, const char *request, + enum confirm_action action) { struct channel_reply_ctx *cr = xmalloc(sizeof(*cr)); cr->request_type = request; - cr->do_close = do_close; + cr->action = action; channel_register_status_confirm(id, client_status_confirm, client_abandon_status_confirm, cr); 
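Review bot: `leave_raw_mode(0)` in the new CONFIRM_TTY branch is the only call in this series that passes a literal instead of `options.request_tty == REQUEST_TTY_FORCE`; it is correct only because the upgrade to CONFIRM_CLOSE at the top of the function guarantees that a REQUEST_TTY_YES/FORCE request never reaches this branch, so the reader has to connect two places twenty lines apart. A comment makes the dependency explicit: `/* Only reachable for RequestTTY=auto: yes/force were upgraded to CONFIRM_CLOSE above, so never a forced tty */`. The `if (tochan) { ... } else error(...)` rewrite braces one branch and not the other; brace both for the file's style. client_status_confirm starts and ends outside this hunk.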
@@ -1983,7 +2008,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem, memset(&ws, 0, sizeof(ws)); channel_request_start(id, "pty-req", 1); - client_expect_confirm(id, "PTY allocation", 1); + client_expect_confirm(id, "PTY allocation", CONFIRM_TTY); packet_put_cstring(term != NULL ? term : ""); packet_put_int((u_int)ws.ws_col); packet_put_int((u_int)ws.ws_row); @@ -2042,18 +2067,18 @@ client_session2_setup(int id, int want_tty, int want_subsystem, debug("Sending subsystem: %.*s", len, (u_char*)buffer_ptr(cmd)); channel_request_start(id, "subsystem", 1); - client_expect_confirm(id, "subsystem", 1); + client_expect_confirm(id, "subsystem", CONFIRM_CLOSE); } else { debug("Sending command: %.*s", len, (u_char*)buffer_ptr(cmd)); channel_request_start(id, "exec", 1); - client_expect_confirm(id, "exec", 1); + client_expect_confirm(id, "exec", CONFIRM_CLOSE); } packet_put_string(buffer_ptr(cmd), buffer_len(cmd)); packet_send(); } else { channel_request_start(id, "shell", 1); - client_expect_confirm(id, "shell", 1); + client_expect_confirm(id, "shell", CONFIRM_CLOSE); packet_send(); } } diff --git a/clientloop.h b/clientloop.h index 37d072906..ad588d14d 100644 --- a/clientloop.h +++ b/clientloop.h @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.h,v 1.26 2011/04/17 22:42:41 djm Exp $ */ +/* $OpenBSD: clientloop.h,v 1.27 2011/05/08 12:52:01 djm Exp $ */ /* * Author: Tatu Ylonen @@ -70,3 +70,5 @@ void client_register_global_confirm(global_confirm_cb *, void *); void muxserver_listen(void); void muxclient(const char *); void mux_exit_message(Channel *, int); +void mux_tty_alloc_failed(Channel *); + diff --git a/mux.c b/mux.c index 1afd1bdf3..101d7524b 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.27 2011/05/06 21:34:32 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.28 2011/05/08 12:52:01 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * 
@@ -153,6 +153,7 @@ struct mux_master_state { #define MUX_S_ALIVE 0x80000005 #define MUX_S_SESSION_OPENED 0x80000006 #define MUX_S_REMOTE_PORT 0x80000007 +#define MUX_S_TTY_ALLOC_FAIL 0x80000008 /* type codes for MUX_C_OPEN_FWD and MUX_C_CLOSE_FWD */ #define MUX_FWD_LOCAL 1 @@ -1054,6 +1055,27 @@ mux_exit_message(Channel *c, int exitval) buffer_free(&m); } +void +mux_tty_alloc_failed(Channel *c) +{ + Buffer m; + Channel *mux_chan; + + debug3("%s: channel %d: TTY alloc failed", __func__, c->self); + + if ((mux_chan = channel_by_id(c->ctl_chan)) == NULL) + fatal("%s: channel %d missing mux channel %d", + __func__, c->self, c->ctl_chan); + + /* Append exit message packet to control socket output queue */ + buffer_init(&m); + buffer_put_int(&m, MUX_S_TTY_ALLOC_FAIL); + buffer_put_int(&m, c->self); + + buffer_put_string(&mux_chan->output, buffer_ptr(&m), buffer_len(&m)); + buffer_free(&m); +} + /* Prepare a mux master to listen on a Unix domain socket. */ void muxserver_listen(void) @@ -1612,7 +1634,7 @@ mux_client_request_session(int fd) char *e, *term; u_int i, rid, sid, esid, exitval, type, exitval_seen; extern char **environ; - int devnull; + int devnull, rawmode; debug3("%s: entering", __func__); @@ -1708,6 +1730,7 @@ mux_client_request_session(int fd) signal(SIGTERM, control_client_sighandler); signal(SIGWINCH, control_client_sigrelay); + rawmode = tty_flag; if (tty_flag) enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 
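Review bot: The comment in the new mux_tty_alloc_failed() is pasted from mux_exit_message() and describes the wrong message; change it to `/* Append TTY allocation failure message to control socket output queue */`. The function also fatal()s when `c->ctl_chan` has no mux channel, and its only visible caller (the else branch in client_status_confirm) passes every non-primary session channel to it, so it is worth stating the precondition in a header comment — presumably every non-primary session channel in the master is a mux session, but a `c->ctl_chan != -1` check at the call site would be cheaper than a fatal if that ever stops being true. The `rawmode = tty_flag;` hunk at the end of this line is only the start of the raw-mode tracking; the loop that uses it continues outside the hunk.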
@@ -1723,22 +1746,35 @@ mux_client_request_session(int fd) if (mux_client_read_packet(fd, &m) != 0) break; type = buffer_get_int(&m); - if (type != MUX_S_EXIT_MESSAGE) { + switch (type) { + case MUX_S_TTY_ALLOC_FAIL: + if ((esid = buffer_get_int(&m)) != sid) + fatal("%s: tty alloc fail on unknown session: " + "my id %u theirs %u", + __func__, sid, esid); + leave_raw_mode(options.request_tty == + REQUEST_TTY_FORCE); + rawmode = 0; + continue; + case MUX_S_EXIT_MESSAGE: + if ((esid = buffer_get_int(&m)) != sid) + fatal("%s: exit on unknown session: " + "my id %u theirs %u", + __func__, sid, esid); + if (exitval_seen) + fatal("%s: exitval sent twice", __func__); + exitval = buffer_get_int(&m); + exitval_seen = 1; + continue; + default: e = buffer_get_string(&m, NULL); fatal("%s: master returned error: %s", __func__, e); } - if ((esid = buffer_get_int(&m)) != sid) - fatal("%s: exit on unknown session: my id %u theirs %u", - __func__, sid, esid); - debug("%s: master session id: %u", __func__, sid); - if (exitval_seen) - fatal("%s: exitval sent twice", __func__); - exitval = buffer_get_int(&m); - exitval_seen = 1; } close(fd); - leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); + if (rawmode) + leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); if (muxclient_terminate) { debug2("Exiting on signal %d", muxclient_terminate); -- cgit v1.2.3 From 3219824f2d8b0ea1711818745b046931ffcd3918 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 15 May 2011 08:50:32 +1000 Subject: - djm@cvs.openbsd.org 2011/05/10 05:46:46 [authfile.c] despam debug() logs by detecting that we are trying to load a private key in key_try_load_public() and returning early; ok markus@ --- ChangeLog | 4 ++++ authfile.c | 5 ++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 713798cbb..92aff179b 100644 --- a/ChangeLog +++ b/ChangeLog 
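Review bot: The MUX_S_TTY_ALLOC_FAIL case only restores the local terminal, so a mux client invoked with -t/-tt or RequestTTY=yes/force silently continues without a tty; the fatal-on-explicit-request policy described in the commit message is applied in client_status_confirm using the master's `options.request_tty`, which, as far as is visible here, is the master's configuration rather than the requesting client's. Enforce it in the process that knows its own setting by adding, before the `leave_raw_mode(...)` in that case, `if (options.request_tty == REQUEST_TTY_YES || options.request_tty == REQUEST_TTY_FORCE) fatal("%s: master failed to allocate a tty", __func__);`. The `default:` branch still treats any unknown type as an error message and reads a string from it, which is acceptable because a malformed payload ends in fatal() either way, but a `debug()` of the type value before the buffer_get_string would help diagnose a version-skewed master. mux_client_request_session starts before this hunk.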
@@ -62,6 +62,10 @@ a TTY is fatal. ok markus@ + - djm@cvs.openbsd.org 2011/05/10 05:46:46 + [authfile.c] + despam debug() logs by detecting that we are trying to load a private key + in key_try_load_public() and returning early; ok markus@ 20110510 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix diff --git a/authfile.c b/authfile.c index 608d1d06f..7a5b65142 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.88 2011/05/04 21:15:29 djm Exp $ */ +/* $OpenBSD: authfile.c,v 1.89 2011/05/10 05:46:46 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -765,6 +765,9 @@ key_try_load_public(Key *k, const char *filename, char **commentp) case '\0': continue; } + /* Abort loading if this looks like a private key */ + if (strncmp(cp, "-----BEGIN", 10) == 0) + break; /* Skip leading whitespace. */ for (; *cp && (*cp == ' ' || *cp == '\t'); cp++) ; -- cgit v1.2.3 From 7c1b2c4ea8a5d06908dda3f8e406b902b81fe905 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 15 May 2011 08:51:05 +1000 Subject: - djm@cvs.openbsd.org 2011/05/11 04:47:06 [auth.c auth.h auth2-pubkey.c pathnames.h servconf.c servconf.h] remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@ --- ChangeLog | 5 +++++ auth.c | 8 +------- auth.h | 3 +-- auth2-pubkey.c | 8 +------- pathnames.h | 5 +---- servconf.c | 15 +-------------- servconf.h | 3 +-- 7 files changed, 11 insertions(+), 36 deletions(-) diff --git a/ChangeLog b/ChangeLog index 92aff179b..288a202cf 100644 --- a/ChangeLog +++ b/ChangeLog 
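Review bot: The new private-key check in key_try_load_public hard-codes the prefix length, `strncmp(cp, "-----BEGIN", 10)`, which silently breaks if the literal is ever edited; write it as `strncmp(cp, "-----BEGIN", sizeof("-----BEGIN") - 1) == 0` or hoist the marker into a named constant. The check also runs before the "Skip leading whitespace" loop that follows it, so an indented PEM header is not recognised and the old debug spam returns for that file; moving the check after the whitespace skip would close that gap. Either way the effect is limited to logging, since the loop still treats the line as a non-key and the caller gets no key. key_try_load_public continues outside this hunk.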
@@ -66,6 +66,11 @@ [authfile.c] despam debug() logs by detecting that we are trying to load a private key in key_try_load_public() and returning early; ok markus@ + - djm@cvs.openbsd.org 2011/05/11 04:47:06 + [auth.c auth.h auth2-pubkey.c pathnames.h servconf.c servconf.h] + remove support for authorized_keys2; it is a relic from the early days + of protocol v.2 support and has been undocumented for many years; + ok markus@ 20110510 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix diff --git a/auth.c b/auth.c index 33680b91b..be78f1a28 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.91 2010/11/29 23:45:51 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.92 2011/05/11 04:47:06 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -360,12 +360,6 @@ authorized_keys_file(struct passwd *pw) return expand_authorized_keys(options.authorized_keys_file, pw); } -char * -authorized_keys_file2(struct passwd *pw) -{ - return expand_authorized_keys(options.authorized_keys_file2, pw); -} - char * authorized_principals_file(struct passwd *pw) { diff --git a/auth.h b/auth.h index 772a8c898..227395863 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.67 2011/03/10 11:34:25 djm Exp $ */ +/* $OpenBSD: auth.h,v 1.68 2011/05/11 04:47:06 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -169,7 +169,6 @@ int verify_response(Authctxt *, const char *); void abandon_challenge_response(Authctxt *); char *authorized_keys_file(struct passwd *); -char *authorized_keys_file2(struct passwd *); char *authorized_principals_file(struct passwd *); FILE *auth_openkeyfile(const char *, struct passwd *, int); diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 7d2141355..a97509c28 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.27 2010/11/20 05:12:38 deraadt Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.28 2011/05/11 04:47:06 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -451,13 +451,7 @@ user_key_allowed(struct passwd *pw, Key *key) file = authorized_keys_file(pw); success = user_key_allowed2(pw, key, file); xfree(file); - if (success) - return success; - /* try suffix "2" for backward compat, too */ - file = authorized_keys_file2(pw); - success = user_key_allowed2(pw, key, file); - xfree(file); return success; } diff --git a/pathnames.h b/pathnames.h index e2dd49a9b..787bdb676 100644 --- a/pathnames.h +++ b/pathnames.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pathnames.h,v 1.20 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: pathnames.h,v 1.21 2011/05/11 04:47:06 djm Exp $ */ /* * Author: Tatu Ylonen @@ -96,9 +96,6 @@ */ #define _PATH_SSH_USER_PERMITTED_KEYS ".ssh/authorized_keys" -/* backward compat for protocol v2 */ -#define _PATH_SSH_USER_PERMITTED_KEYS2 ".ssh/authorized_keys2" - /* * Per-user and system-wide ssh "rc" files. These files are executed with * /bin/sh before starting the shell or command if they exist. They will be diff --git a/servconf.c b/servconf.c index 48cb0d5b1..03a503d07 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.214 2011/03/29 18:54:17 stevesk Exp $ */ +/* $OpenBSD: servconf.c,v 1.215 2011/05/11 04:47:06 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -127,7 +127,6 @@ initialize_server_options(ServerOptions *options) options->client_alive_interval = -1; options->client_alive_count_max = -1; options->authorized_keys_file = NULL; - options->authorized_keys_file2 = NULL; options->num_accept_env = 0; options->permit_tun = -1; options->num_permitted_opens = -1; 
@@ -264,13 +263,6 @@ fill_default_server_options(ServerOptions *options) options->client_alive_interval = 0; if (options->client_alive_count_max == -1) options->client_alive_count_max = 3; - if (options->authorized_keys_file2 == NULL) { - /* authorized_keys_file2 falls back to authorized_keys_file */ - if (options->authorized_keys_file != NULL) - options->authorized_keys_file2 = xstrdup(options->authorized_keys_file); - else - options->authorized_keys_file2 = xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2); - } if (options->authorized_keys_file == NULL) options->authorized_keys_file = xstrdup(_PATH_SSH_USER_PERMITTED_KEYS); if (options->permit_tun == -1) @@ -1252,9 +1244,6 @@ process_server_config_line(ServerOptions *options, char *line, case sAuthorizedKeysFile: charptr = &options->authorized_keys_file; goto parse_tilde_filename; - case sAuthorizedKeysFile2: - charptr = &options->authorized_keys_file2; - goto parse_tilde_filename; case sAuthorizedPrincipalsFile: charptr = &options->authorized_principals_file; parse_tilde_filename: @@ -1519,7 +1508,6 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_STROPT(trusted_user_ca_keys); M_CP_STROPT(revoked_keys_file); M_CP_STROPT(authorized_keys_file); - M_CP_STROPT(authorized_keys_file2); M_CP_STROPT(authorized_principals_file); } @@ -1737,7 +1725,6 @@ dump_config(ServerOptions *o) dump_cfg_string(sMacs, o->macs); dump_cfg_string(sBanner, o->banner); dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file); - dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2); dump_cfg_string(sForceCommand, o->adm_forced_command); dump_cfg_string(sChrootDirectory, o->chroot_directory); dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); diff --git a/servconf.h b/servconf.h index 5a058a416..3f04b8501 100644 --- a/servconf.h +++ b/servconf.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.95 2010/11/13 23:27:50 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.96 2011/05/11 04:47:06 djm Exp $ */ /* * Author: Tatu Ylonen @@ -146,7 +146,6 @@ typedef struct { */ char *authorized_keys_file; /* File containing public keys */ - char *authorized_keys_file2; char *adm_forced_command; -- cgit v1.2.3 From 9d276b8d689b4dc878fa6154e7b449c1c0c85290 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 15 May 2011 08:51:43 +1000 Subject: - djm@cvs.openbsd.org 2011/05/13 00:05:36 [authfile.c] warn on unexpected key type in key_parse_private_type() --- ChangeLog | 3 +++ authfile.c | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 288a202cf..af1fd1c8e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -71,6 +71,9 @@ remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@ + - djm@cvs.openbsd.org 2011/05/13 00:05:36 + [authfile.c] + warn on unexpected key type in key_parse_private_type() 20110510 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix diff --git a/authfile.c b/authfile.c index 7a5b65142..734d657e9 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.89 2011/05/10 05:46:46 djm Exp $ */ +/* $OpenBSD: authfile.c,v 1.90 2011/05/13 00:05:36 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -643,6 +643,7 @@ key_parse_private_type(Buffer *blob, int type, const char *passphrase, case KEY_UNSPEC: return key_parse_private_pem(blob, type, passphrase, commentp); default: + error("%s: cannot parse key type %d", __func__, type); break; } return NULL; -- cgit v1.2.3 From 23f425b48b5c496a4a2f5289a491852e21a97623 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Sun, 15 May 2011 08:58:15 +1000 Subject: - (djm) [packet.c] unbreak portability #endif --- ChangeLog | 1 + packet.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index af1fd1c8e..f735d03f5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -74,6 +74,7 @@ - djm@cvs.openbsd.org 2011/05/13 00:05:36 [authfile.c] warn on unexpected key type in key_parse_private_type() + - (djm) [packet.c] unbreak portability #endif 20110510 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix diff --git a/packet.c b/packet.c index f323e7eeb..ba9341731 100644 --- a/packet.c +++ b/packet.c @@ -1771,8 +1771,8 @@ packet_set_tos(int tos) error("setsockopt IPV6_TCLASS %d: %.100s:", tos, strerror(errno)); break; - } # endif /* IPV6_TCLASS */ + } #endif /* IP_TOS_IS_BROKEN */ } -- cgit v1.2.3 From 14684a1f84e2c8fc949ccff1a6dce10e9bf52ac2 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 20 May 2011 11:23:07 +1000 Subject: - (djm) [session.c] call setexeccon() before executing passwd for pw changes; bz#1891 reported by jchadima AT redhat.com; ok dtucker@ --- ChangeLog | 4 ++++ session.c | 7 +++++++ 2 files changed, 11 insertions(+) diff --git a/ChangeLog b/ChangeLog index f735d03f5..d898d8181 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20110520 + - (djm) [session.c] call setexeccon() before executing passwd for pw + changes; bz#1891 reported by jchadima AT redhat.com; ok dtucker@ + 20110515 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2011/05/05 05:12:08 diff --git a/session.c b/session.c index fff31b02e..6a7040078 100644 --- a/session.c +++ b/session.c @@ -96,6 +96,10 @@ #include #endif +#ifdef WITH_SELINUX +#include +#endif + #define IS_INTERNAL_SFTP(c) \ (!strncmp(c, INTERNAL_SFTP_NAME, sizeof(INTERNAL_SFTP_NAME) - 1) && \ (c[sizeof(INTERNAL_SFTP_NAME) - 1] == '\0' || \ 
@@ -1531,6 +1535,9 @@ do_pwchange(Session *s) if (s->ttyfd != -1) { fprintf(stderr, "You must change your password now and login again!\n"); +#ifdef WITH_SELINUX + setexeccon(NULL); +#endif #ifdef PASSWD_NEEDS_USERNAME execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name, (char *)NULL); -- cgit v1.2.3 From b176362d26dd746819b6287e4702bce90eefa2c1 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 20 May 2011 11:45:25 +1000 Subject: - (djm) [aclocal.m4 configure.ac] since gcc-4.x ignores all -Wno-options options, we should corresponding -W-option when trying to determine whether it is accepted. Also includes a warning fix on the program fragment uses (bad main() return type). bz#1900 and bz#1901 reported by g.esp AT free.fr; ok dtucker@ --- aclocal.m4 | 20 +++++++++++++++++++- configure.ac | 32 ++++++++++---------------------- 2 files changed, 29 insertions(+), 23 deletions(-) diff --git a/aclocal.m4 b/aclocal.m4 index 83b241f7b..9bdea5ec2 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -1,8 +1,26 @@ -dnl $Id: aclocal.m4,v 1.7 2011/05/05 03:48:37 djm Exp $ +dnl $Id: aclocal.m4,v 1.8 2011/05/20 01:45:25 djm Exp $ dnl dnl OpenSSH-specific autoconf macros dnl +dnl OSSH_CHECK_CFLAG_COMPILE(check_flag[, define_flag]) +dnl Check that $CC accepts a flag 'check_flag'. If it is supported append +dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append +dnl 'check_flag'. +AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{ + AC_MSG_CHECKING([if $CC supports $1]) + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $1" + _define_flag="$2" + test "x$_define_flag" = "x" && _define_flag="$1" + AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])], + [ AC_MSG_RESULT([yes]) + CFLAGS="$saved_CFLAGS $_define_flag"], + [ AC_MSG_RESULT([no]) + CFLAGS="$saved_CFLAGS" ] + ) +}]) + dnl OSSH_CHECK_HEADER_FOR_FIELD(field, header, symbol) dnl Does AC_EGREP_HEADER on 'header' for the string 'field' diff --git a/configure.ac b/configure.ac index 5357cab60..d56bf6d36 100644 
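Review bot: The new `setexeccon(NULL)` before the execl() of passwd discards its return value, so if libselinux fails to reset the exec context the child still execs passwd under whatever context was established earlier in the session, and nothing is logged. Since this is the last step before exec, it should at least be reported: `if (setexeccon(NULL) == -1) error("%s: setexeccon: %s", __func__, strerror(errno));`. If, as for the other libselinux calls in the portable tree, the call is meant to be skipped when SELinux is not actually enabled, the same gate (presumably the port-linux.c wrapper around is_selinux_enabled()) belongs on this line too, since setexeccon() can fail on hosts that have the library but no policy loaded. The body of do_pwchange begins outside the hunk.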
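Review bot: OSSH_CHECK_CFLAG_COMPILE accepts a flag whenever the fragment compiles, so it only detects options the compiler rejects outright; a compiler that merely warns about an unrecognised `-W` option (the behaviour the commit message describes for gcc's `-Wno-` forms) will still have `define_flag` appended to CFLAGS. If the probes need to be strict, adding `-Werror` to the probe's CFLAGS only, `CFLAGS="$CFLAGS -Werror $1"` with `saved_CFLAGS` still restored afterwards, turns such warnings into failures, at the cost of also rejecting flags that legitimately warn on the trivial fragment; whether that trade is wanted depends on which compilers the portable tree targets. Minor: `_define_flag` is a plain shell variable that outlives the macro expansion in the generated configure; an `unset _define_flag` at the end, or a `dnl` line noting it is scratch state, would make that explicit.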
--- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.473 2011/05/05 04:44:25 tim Exp $ +# $Id: configure.ac,v 1.474 2011/05/20 01:45:25 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,22 +15,10 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.473 $) +AC_REVISION($Revision: 1.474 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) -# local macros -AC_DEFUN([OPENSSH_CHECK_CFLAG_COMPILE], [{ - AC_MSG_CHECKING([if $CC supports $1]) - saved_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS $1" - AC_COMPILE_IFELSE([AC_LANG_SOURCE([[void main(void) { return 0; }]])], - [ AC_MSG_RESULT([yes]) ], - [ AC_MSG_RESULT([no]) - CFLAGS="$saved_CFLAGS" ] - ) -}]) - AC_CONFIG_HEADER([config.h]) AC_PROG_CC AC_CANONICAL_HOST @@ -128,14 +116,14 @@ AC_ARG_WITH([stackprotect], if test "$GCC" = "yes" || test "$GCC" = "egcs"; then - OPENSSH_CHECK_CFLAG_COMPILE([-Wall]) - OPENSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith]) - OPENSSH_CHECK_CFLAG_COMPILE([-Wuninitialized]) - OPENSSH_CHECK_CFLAG_COMPILE([-Wsign-compare]) - OPENSSH_CHECK_CFLAG_COMPILE([-Wformat-security]) - OPENSSH_CHECK_CFLAG_COMPILE([-Wno-pointer-sign]) - OPENSSH_CHECK_CFLAG_COMPILE([-Wno-unused-result]) - OPENSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) + OSSH_CHECK_CFLAG_COMPILE([-Wall]) + OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith]) + OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized]) + OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare]) + OSSH_CHECK_CFLAG_COMPILE([-Wformat-security]) + OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign]) + OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result]) + OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) AC_MSG_CHECKING([gcc version]) GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` case $GCC_VER in -- cgit v1.2.3 From 989bb7f0c5c52ebe55f7ab1d9c7fef826cb0aaa4 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Fri, 20 May 2011 18:56:30 +1000 Subject: - (djm) [aclocal.m4 configure.ac] since gcc-4.x ignores all -Wno-options options, we should corresponding -W-option when trying to determine whether it is accepted. Also includes a warning fix on the program fragment uses (bad main() return type). bz#1900 and bz#1901 reported by g.esp AT free.fr; ok dtucker@ --- ChangeLog | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ChangeLog b/ChangeLog index d898d8181..d3a85b26a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,11 @@ 20110520 - (djm) [session.c] call setexeccon() before executing passwd for pw changes; bz#1891 reported by jchadima AT redhat.com; ok dtucker@ + - (djm) [aclocal.m4 configure.ac] since gcc-4.x ignores all -Wno-options + options, we should corresponding -W-option when trying to determine + whether it is accepted. Also includes a warning fix on the program + fragment uses (bad main() return type). + bz#1900 and bz#1901 reported by g.esp AT free.fr; ok dtucker@ 20110515 - (djm) OpenBSD CVS Sync -- cgit v1.2.3 From ec2eaa3daf7f5543d8619cec30c1d73268323d01 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 20 May 2011 18:57:14 +1000 Subject: - (djm) [servconf.c] remove leftover droppings of AuthorizedKeysFile2 --- ChangeLog | 1 + servconf.c | 3 +-- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index d3a85b26a..b729c6f6f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,7 @@ whether it is accepted. Also includes a warning fix on the program fragment uses (bad main() return type). bz#1900 and bz#1901 reported by g.esp AT free.fr; ok dtucker@ + - (djm) [servconf.c] remove leftover droppings of AuthorizedKeysFile2 20110515 - (djm) OpenBSD CVS Sync diff --git a/servconf.c b/servconf.c index 03a503d07..f862fbfd8 100644 --- a/servconf.c +++ b/servconf.c 
@@ -313,7 +313,7 @@ typedef enum { sMaxStartups, sMaxAuthTries, sMaxSessions, sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, - sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, + sClientAliveCountMax, sAuthorizedKeysFile, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, @@ -430,7 +430,6 @@ static struct { { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL }, { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL }, { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL }, - { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_ALL }, { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL }, { "permittunnel", sPermitTunnel, SSHCFG_ALL }, -- cgit v1.2.3 From 814ace08751a80c3b965c06fdfc1c9ac3d7698ca Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 20 May 2011 19:02:47 +1000 Subject: - OpenBSD CVS Sync - djm@cvs.openbsd.org 2011/05/15 08:09:01 [authfd.c monitor.c serverloop.c] use FD_CLOEXEC consistently; patch from zion AT x96.org --- ChangeLog | 4 ++++ authfd.c | 4 ++-- monitor.c | 4 ++-- serverloop.c | 6 +++--- 4 files changed, 11 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index b729c6f6f..481e9c310 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,10 @@ fragment uses (bad main() return type). bz#1900 and bz#1901 reported by g.esp AT free.fr; ok dtucker@ - (djm) [servconf.c] remove leftover droppings of AuthorizedKeysFile2 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2011/05/15 08:09:01 + [authfd.c monitor.c serverloop.c] + use FD_CLOEXEC consistently; patch from zion AT x96.org 20110515 - (djm) OpenBSD CVS Sync diff --git a/authfd.c b/authfd.c index c11c3f5a8..c942a9110 100644 --- a/authfd.c +++ b/authfd.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.c,v 1.84 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: authfd.c,v 1.85 2011/05/15 08:09:01 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -110,7 +110,7 @@ ssh_get_authentication_socket(void) return -1; /* close on exec */ - if (fcntl(sock, F_SETFD, 1) == -1) { + if (fcntl(sock, F_SETFD, FD_CLOEXEC) == -1) { close(sock); return -1; } diff --git a/monitor.c b/monitor.c index 29d987c70..732cb365d 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.110 2010/09/09 10:45:45 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.111 2011/05/15 08:09:01 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -1834,7 +1834,7 @@ mm_init_compression(struct mm_master *mm) /* XXX */ #define FD_CLOSEONEXEC(x) do { \ - if (fcntl(x, F_SETFD, 1) == -1) \ + if (fcntl(x, F_SETFD, FD_CLOEXEC) == -1) \ fatal("fcntl(%d, F_SETFD)", x); \ } while (0) diff --git a/serverloop.c b/serverloop.c index 8be01c5c3..19b84ff27 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.159 2009/05/28 16:50:16 andreas Exp $ */ +/* $OpenBSD: serverloop.c,v 1.160 2011/05/15 08:09:01 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -131,8 +131,8 @@ notify_setup(void) { if (pipe(notify_pipe) < 0) { error("pipe(notify_pipe) failed %s", strerror(errno)); - } else if ((fcntl(notify_pipe[0], F_SETFD, 1) == -1) || - (fcntl(notify_pipe[1], F_SETFD, 1) == -1)) { + } else if ((fcntl(notify_pipe[0], F_SETFD, FD_CLOEXEC) == -1) || + (fcntl(notify_pipe[1], F_SETFD, FD_CLOEXEC) == -1)) { error("fcntl(notify_pipe, F_SETFD) failed %s", strerror(errno)); close(notify_pipe[0]); close(notify_pipe[1]); -- cgit v1.2.3 From 8f639fe722133495eebad594f2f9c886857a5ef8 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Fri, 20 May 2011 19:03:08 +1000 Subject: - djm@cvs.openbsd.org 2011/05/17 07:13:31 [key.c] fatal() if asked to generate a legacy ECDSA cert (these don't exist) and fix the regress test that was trying to generate them :) --- ChangeLog | 4 ++++ key.c | 5 ++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 481e9c310..6a0cf4932 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,10 @@ - djm@cvs.openbsd.org 2011/05/15 08:09:01 [authfd.c monitor.c serverloop.c] use FD_CLOEXEC consistently; patch from zion AT x96.org + - djm@cvs.openbsd.org 2011/05/17 07:13:31 + [key.c] + fatal() if asked to generate a legacy ECDSA cert (these don't exist) + and fix the regress test that was trying to generate them :) 20110515 - (djm) OpenBSD CVS Sync diff --git a/key.c b/key.c index e3a305e66..498cf5a60 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.96 2011/02/04 00:44:21 djm Exp $ */ +/* $OpenBSD: key.c,v 1.97 2011/05/17 07:13:31 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1817,6 +1817,9 @@ key_to_certified(Key *k, int legacy) k->type = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT; return 0; case KEY_ECDSA: + if (legacy) + fatal("%s: legacy ECDSA certificates are not supported", + __func__); k->cert = cert_new(); k->type = KEY_ECDSA_CERT; return 0; -- cgit v1.2.3 From 5d74e58e62df1e80c23ff8444ff22483cba1995a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 20 May 2011 19:03:31 +1000 Subject: - djm@cvs.openbsd.org 2011/05/20 00:55:02 [servconf.c] the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile and AuthorizedPrincipalsFile were not being correctly applied in Match blocks, despite being overridable there; ok dtucker@ --- ChangeLog | 5 +++++ servconf.c | 11 ++++++----- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6a0cf4932..eb5136178 100644 --- a/ChangeLog +++ b/ChangeLog 
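Review bot: key_to_certified() now aborts the whole process with fatal() for a legacy ECDSA request, while the other branches of this switch report their outcome through the return value (the visible branches return 0 on success, and the function evidently has a failure path for unsupported key types outside the hunk). Returning that same failure value instead, `if (legacy) { error("%s: legacy ECDSA certificates are not supported", __func__); return -1; }` (matching whatever the default case returns), lets ssh-keygen and any other caller report the problem the way they already handle an unconvertible key type rather than terminating mid-operation. If every caller treats a non-zero return as fatal anyway, this is purely a consistency point. The enclosing switch and function start outside the hunk.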
@@ -15,6 +15,11 @@ [key.c] fatal() if asked to generate a legacy ECDSA cert (these don't exist) and fix the regress test that was trying to generate them :) + - djm@cvs.openbsd.org 2011/05/20 00:55:02 + [servconf.c] + the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile + and AuthorizedPrincipalsFile were not being correctly applied in + Match blocks, despite being overridable there; ok dtucker@ 20110515 - (djm) OpenBSD CVS Sync diff --git a/servconf.c b/servconf.c index f862fbfd8..ab134ee55 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.215 2011/05/11 04:47:06 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.216 2011/05/20 00:55:02 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1500,14 +1500,15 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(ip_qos_bulk); M_CP_STROPT(banner); - if (preauth) - return; - M_CP_STROPT(adm_forced_command); - M_CP_STROPT(chroot_directory); M_CP_STROPT(trusted_user_ca_keys); M_CP_STROPT(revoked_keys_file); M_CP_STROPT(authorized_keys_file); M_CP_STROPT(authorized_principals_file); + + if (preauth) + return; + M_CP_STROPT(adm_forced_command); + M_CP_STROPT(chroot_directory); } #undef M_CP_INTOPT -- cgit v1.2.3 From c2411909c7ff298744998e00c7a5f1f64fbb0349 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 20 May 2011 19:03:49 +1000 Subject: - dtucker@cvs.openbsd.org 2011/05/20 02:00:19 [servconf.c] Add comment documenting what should be after the preauth check. ok djm --- ChangeLog | 3 +++ servconf.c | 6 +++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index eb5136178..ff81d0522 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -20,6 +20,9 @@ the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile and AuthorizedPrincipalsFile were not being correctly applied in Match blocks, despite being overridable there; ok dtucker@ + - dtucker@cvs.openbsd.org 2011/05/20 02:00:19 + [servconf.c] + Add comment documenting what should be after the preauth check. ok djm 20110515 - (djm) OpenBSD CVS Sync diff --git a/servconf.c b/servconf.c index ab134ee55..04a32973e 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.216 2011/05/20 00:55:02 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.217 2011/05/20 02:00:19 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1505,6 +1505,10 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_STROPT(authorized_keys_file); M_CP_STROPT(authorized_principals_file); + /* + * The only things that should be below this point are string options + * which are only used after authentication. + */ if (preauth) return; M_CP_STROPT(adm_forced_command); -- cgit v1.2.3 From f2e407e2dd83addc26b68b4218d8b6ceaceca54b Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 20 May 2011 19:04:14 +1000 Subject: - djm@cvs.openbsd.org 2011/05/20 03:25:45 [monitor.c monitor_wrap.c servconf.c servconf.h] use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering "this is at once beautiful and horrible" + ok dtucker@ --- ChangeLog | 7 +++++++ monitor.c | 13 ++++++++++--- monitor_wrap.c | 13 ++++++++++--- servconf.c | 9 +++------ servconf.h | 16 +++++++++++++++- 5 files changed, 45 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index ff81d0522..2cb2dce0c 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -23,6 +23,13 @@ - dtucker@cvs.openbsd.org 2011/05/20 02:00:19 [servconf.c] Add comment documenting what should be after the preauth check. ok djm + - djm@cvs.openbsd.org 2011/05/20 03:25:45 + [monitor.c monitor_wrap.c servconf.c servconf.h] + use a macro to define which string options to copy between configs + for Match. This avoids problems caused by forgetting to keep three + code locations in perfect sync and ordering + + "this is at once beautiful and horrible" + ok dtucker@ 20110515 - (djm) OpenBSD CVS Sync diff --git a/monitor.c b/monitor.c index 732cb365d..c3a418319 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.111 2011/05/15 08:09:01 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.112 2011/05/20 03:25:45 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -671,8 +671,15 @@ mm_answer_pwnamallow(int sock, Buffer *m) out: buffer_put_string(m, &options, sizeof(options)); - if (options.banner != NULL) - buffer_put_cstring(m, options.banner); + +#define M_CP_STROPT(x) do { \ + if (options.x != NULL) \ + buffer_put_cstring(m, options.x); \ + } while (0) + /* See comment in servconf.h */ + COPY_MATCH_STRING_OPTS(); +#undef M_CP_STROPT + debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); mm_request_send(sock, MONITOR_ANS_PWNAM, m); diff --git a/monitor_wrap.c b/monitor_wrap.c index 1a5dda561..d3f274021 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.70 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.71 2011/05/20 03:25:45 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl 
@@ -245,8 +245,15 @@ out: newopts = buffer_get_string(&m, &len); if (len != sizeof(*newopts)) fatal("%s: option block size mismatch", __func__); - if (newopts->banner != NULL) - newopts->banner = buffer_get_string(&m, NULL); + +#define M_CP_STROPT(x) do { \ + if (newopts->x != NULL) \ + newopts->x = buffer_get_string(&m, NULL); \ + } while (0) + /* See comment in servconf.h */ + COPY_MATCH_STRING_OPTS(); +#undef M_CP_STROPT + copy_set_server_options(&options, newopts, 1); xfree(newopts); diff --git a/servconf.c b/servconf.c index 04a32973e..daed26a66 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.217 2011/05/20 02:00:19 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.218 2011/05/20 03:25:45 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1499,11 +1499,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_bulk); - M_CP_STROPT(banner); - M_CP_STROPT(trusted_user_ca_keys); - M_CP_STROPT(revoked_keys_file); - M_CP_STROPT(authorized_keys_file); - M_CP_STROPT(authorized_principals_file); + /* See comment in servconf.h */ + COPY_MATCH_STRING_OPTS(); /* * The only things that should be below this point are string options diff --git a/servconf.h b/servconf.h index 3f04b8501..953ef8650 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.96 2011/05/11 04:47:06 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.97 2011/05/20 03:25:45 djm Exp $ */ /* * Author: Tatu Ylonen 
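Review bot: The `newopts->x != NULL` tests in the receiving function operate on pointer values copied verbatim from the monitor's address space (the struct arrives as raw bytes via buffer_get_string and is only checked for size), so they are meaningful solely as this-field-was-set markers and are overwritten before any use; that is correct but easy to misread as dereferencing a foreign pointer, and deserves a comment above the macro, e.g. `/* newopts->x is the monitor's pointer value: only a non-NULL flag that says a string follows; replaced here before use */`. The sender is the matching macro in monitor.c's mm_answer_pwnamallow, and the only thing keeping the two in step is that both expand COPY_MATCH_STRING_OPTS in the same order, which is worth saying in the same comment since the wire format is positional. The receiving function starts outside the hunk.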
@@ -161,6 +161,20 @@ typedef struct { char *authorized_principals_file; } ServerOptions; +/* + * These are string config options that must be copied between the + * Match sub-config and the main config, and must be sent from the + * privsep slave to the privsep master. We use a macro to ensure all + * the options are copied and the copies are done in the correct order. + */ +#define COPY_MATCH_STRING_OPTS() do { \ + M_CP_STROPT(banner); \ + M_CP_STROPT(trusted_user_ca_keys); \ + M_CP_STROPT(revoked_keys_file); \ + M_CP_STROPT(authorized_keys_file); \ + M_CP_STROPT(authorized_principals_file); \ + } while (0) + void initialize_server_options(ServerOptions *); void fill_default_server_options(ServerOptions *); int process_server_config_line(ServerOptions *, char *, const char *, int, -- cgit v1.2.3 From f67188fe13d3ac96493c9cd67e87f64fd07f20e5 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 20 May 2011 19:06:48 +1000 Subject: - djm@cvs.openbsd.org 2011/05/17 07:13:31 [regress/cert-userkey.sh] fatal() if asked to generate a legacy ECDSA cert (these don't exist) and fix the regress test that was trying to generate them :) --- ChangeLog | 4 ++++ regress/cert-userkey.sh | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2cb2dce0c..80947351e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,10 @@ code locations in perfect sync and ordering "this is at once beautiful and horrible" + ok dtucker@ + - djm@cvs.openbsd.org 2011/05/17 07:13:31 + [regress/cert-userkey.sh] + fatal() if asked to generate a legacy ECDSA cert (these don't exist) + and fix the regress test that was trying to generate them :) 20110515 - (djm) OpenBSD CVS Sync diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index fcca3708b..6700db274 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh 
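Review bot: The new comment has the direction of the privsep transfer backwards: in this series the strings are written by the monitor in monitor.c's mm_answer_pwnamallow (buffer_put_cstring) and read by the unprivileged child in monitor_wrap.c (buffer_get_string, then copy_set_server_options(&options, newopts, 1)), not sent "from the privsep slave to the privsep master". Suggest `* Match sub-config and the main config, and must be sent from the` / `* privsep monitor to the unprivileged child. We use a macro to ensure all`, keeping the rest as is. It is also worth stating that the wire format is positional, so both sides depend on expanding COPY_MATCH_STRING_OPTS in exactly this order — that is the concrete reason the "correct order" matters.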
@@ -1,4 +1,4 @@ -# $OpenBSD: cert-userkey.sh,v 1.7 2010/08/31 12:24:09 djm Exp $ +# $OpenBSD: cert-userkey.sh,v 1.8 2011/05/17 07:13:31 djm Exp $ # Placed in the Public Domain. tid="certified user keys" @@ -27,7 +27,7 @@ for ktype in rsa dsa $ecdsa ; do -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || fail "couldn't sign cert_user_key_${ktype}" # v00 ecdsa certs do not exist - test "{ktype}" = "ecdsa" && continue + test "${ktype}" = "ecdsa" && continue cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ -- cgit v1.2.3 From 3045b45a030f04af7daf9037939a8aca5a54a574 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 20 May 2011 19:07:45 +1000 Subject: - djm@cvs.openbsd.org 2011/05/20 02:43:36 [cert-hostkey.sh] another attempt to generate a v00 ECDSA key that broke the test ID sync only - portable already had this somehow --- ChangeLog | 4 ++++ regress/cert-hostkey.sh | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 80947351e..e6723e687 100644 --- a/ChangeLog +++ b/ChangeLog @@ -34,6 +34,10 @@ [regress/cert-userkey.sh] fatal() if asked to generate a legacy ECDSA cert (these don't exist) and fix the regress test that was trying to generate them :) + - djm@cvs.openbsd.org 2011/05/20 02:43:36 + [cert-hostkey.sh] + another attempt to generate a v00 ECDSA key that broke the test + ID sync only - portable already had this somehow 20110515 - (djm) OpenBSD CVS Sync diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 3b147b9f7..6216abd87 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-hostkey.sh,v 1.5 2010/08/31 12:24:09 djm Exp $ +# $OpenBSD: cert-hostkey.sh,v 1.6 2011/05/20 02:43:36 djm Exp $ # Placed in the Public Domain. tid="certified host keys" -- cgit v1.2.3 
From 7b9451f382156bdc20945a63c1507a466959fab1 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 20 May 2011 19:08:11 +1000 Subject: - dtucker@cvs.openbsd.org 2011/05/20 05:19:50 [dynamic-forward.sh] Prevent races in dynamic forwarding test; ok djm --- ChangeLog | 3 +++ regress/dynamic-forward.sh | 23 ++++++++++++++++++++--- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index e6723e687..d5d5df3fa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -38,6 +38,9 @@ [cert-hostkey.sh] another attempt to generate a v00 ECDSA key that broke the test ID sync only - portable already had this somehow + - dtucker@cvs.openbsd.org 2011/05/20 05:19:50 + [dynamic-forward.sh] + Prevent races in dynamic forwarding test; ok djm 20110515 - (djm) OpenBSD CVS Sync diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh index 4674a7baf..12ddef3a5 100644 --- a/regress/dynamic-forward.sh +++ b/regress/dynamic-forward.sh @@ -1,4 +1,4 @@ -# $OpenBSD: dynamic-forward.sh,v 1.4 2004/06/22 22:55:56 dtucker Exp $ +# $OpenBSD: dynamic-forward.sh,v 1.5 2011/05/20 05:19:50 dtucker Exp $ # Placed in the Public Domain. tid="dynamic forwarding" @@ -21,8 +21,21 @@ start_sshd for p in 1 2; do trace "start dynamic forwarding, fork to background" - ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q somehost \ - exec sh -c \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' + rm -f $OBJ/remote_pid + ${SSH} -$p -F $OBJ/ssh_config -D $FWDPORT -q somehost \ + exec sh -c \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' & + client_pid=$! + + # Wait for ssh to start + n=0 + while test ! -f $OBJ/remote_pid; do + sleep 1 + n=`expr $n + 1` + if test $n > 60; then + kill $client_pid + fail "Timed out waiting for client to connect" + fi + done for s in 4 5; do for h in 127.0.0.1 localhost; do 
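Review bot: The wait loop exits as soon as `$OBJ/remote_pid` exists, but the remote `echo \$\$ > $OBJ/remote_pid` creates the file before writing to it, so a poll that lands in between sees an empty file and the later `remote=`cat ...`` / `[ $remote -gt 1 ]` test in the following hunk gets an empty operand and a shell error rather than a clean failure. Polling for a non-empty file, `while test ! -s $OBJ/remote_pid; do`, closes that window at no cost. Separately, `kill $client_pid` followed by `fail` does not leave the while loop; if fail() in the regress harness only records the result and returns (as I believe test-exec.sh's does), the timeout branch keeps polling for a file that can no longer appear, so a `break` after `fail`, or `fatal` in its place, is needed to actually time out.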
@@ -41,10 +54,14 @@ for p in 1 2; do if [ $remote -gt 1 ]; then kill -HUP $remote fi + rm -f $OBJ/remote_pid else fail "no pid file: $OBJ/remote_pid" fi + # Wait for listening ssh to terminate + wait + # Must allow time for connection tear-down sleep 2 done -- cgit v1.2.3 From acacced70b3fd520ee3f12d3f477f9fd7c2f687a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 20 May 2011 19:08:40 +1000 Subject: - dtucker@cvs.openbsd.org 2011/05/20 06:32:30 [dynamic-forward.sh] fix dumb error in dynamic-forward test --- ChangeLog | 3 +++ regress/dynamic-forward.sh | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index d5d5df3fa..1aac69cbc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -41,6 +41,9 @@ - dtucker@cvs.openbsd.org 2011/05/20 05:19:50 [dynamic-forward.sh] Prevent races in dynamic forwarding test; ok djm + - dtucker@cvs.openbsd.org 2011/05/20 06:32:30 + [dynamic-forward.sh] + fix dumb error in dynamic-forward test 20110515 - (djm) OpenBSD CVS Sync diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh index 12ddef3a5..d6df4491a 100644 --- a/regress/dynamic-forward.sh +++ b/regress/dynamic-forward.sh @@ -1,4 +1,4 @@ -# $OpenBSD: dynamic-forward.sh,v 1.5 2011/05/20 05:19:50 dtucker Exp $ +# $OpenBSD: dynamic-forward.sh,v 1.6 2011/05/20 06:32:30 dtucker Exp $ # Placed in the Public Domain. tid="dynamic forwarding" @@ -31,7 +31,7 @@ for p in 1 2; do while test ! -f $OBJ/remote_pid; do sleep 1 n=`expr $n + 1` - if test $n > 60; then + if test $n -gt 60; then kill $client_pid fail "Timed out waiting for client to connect" fi -- cgit v1.2.3 From d8478b6a9b32760d47c2419279c4a73f5f88fdb6 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Sun, 29 May 2011 21:39:36 +1000 Subject: OpenBSD CVS Sync - djm@cvs.openbsd.org 2011/05/23 03:30:07 [auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5] allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entierly :) feedback and ok markus@ dtucker@ --- ChangeLog | 13 +++++++++++ auth-rsa.c | 70 ++++++++++++++++++++++++++++++++-------------------------- auth.c | 10 ++------- auth.h | 4 ++-- auth2-pubkey.c | 13 ++++++----- monitor.c | 9 ++++++-- monitor_wrap.c | 9 ++++++-- pathnames.h | 5 ++++- servconf.c | 54 ++++++++++++++++++++++++++++++++++++-------- servconf.h | 8 ++++--- sshd.8 | 12 +++++----- sshd_config | 7 ++++-- sshd_config.5 | 11 +++++---- 13 files changed, 151 insertions(+), 74 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1aac69cbc..4e08289d6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,16 @@ +20110529 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2011/05/23 03:30:07 + [auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c] + [pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5] + allow AuthorizedKeysFile to specify multiple files, separated by spaces. + Bring back authorized_keys2 as a default search path (to avoid breaking + existing users of this file), but override this in sshd_config so it will + be no longer used on fresh installs. Maybe in 2015 we can remove it + entierly :) + + feedback and ok markus@ dtucker@ + 20110520 - (djm) [session.c] call setexeccon() before executing passwd for pw changes; bz#1891 reported by jchadima AT redhat.com; ok dtucker@ diff --git a/auth-rsa.c b/auth-rsa.c index 4edaab056..4ab46cd51 100644 --- a/auth-rsa.c +++ b/auth-rsa.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth-rsa.c,v 1.79 2010/12/03 23:55:27 djm Exp $ */ +/* $OpenBSD: auth-rsa.c,v 1.80 2011/05/23 03:30:07 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -160,44 +160,27 @@ auth_rsa_challenge_dialog(Key *key) return (success); } -/* - * check if there's user key matching client_n, - * return key if login is allowed, NULL otherwise - */ - -int -auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) +static int +rsa_key_allowed_in_file(struct passwd *pw, char *file, + const BIGNUM *client_n, Key **rkey) { - char line[SSH_MAX_PUBKEY_BYTES], *file; + char line[SSH_MAX_PUBKEY_BYTES]; int allowed = 0; u_int bits; FILE *f; u_long linenum = 0; Key *key; - /* Temporarily use the user's uid. */ - temporarily_use_uid(pw); - - /* The authorized keys. */ - file = authorized_keys_file(pw); debug("trying public RSA key file %s", file); - f = auth_openkeyfile(file, pw, options.strict_modes); - if (!f) { - xfree(file); - restore_uid(); - return (0); - } - - /* Flag indicating whether the key is allowed. */ - allowed = 0; - - key = key_new(KEY_RSA1); + if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) + return 0; /* * Go though the accepted keys, looking for the current key. If * found, perform a challenge-response dialog to verify that the * user really has the corresponding private key. */ + key = key_new(KEY_RSA1); while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { char *cp; char *key_options; @@ -235,7 +218,10 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) } /* cp now points to the comment part. */ - /* Check if the we have found the desired key (identified by its modulus). */ + /* + * Check if the we have found the desired key (identified + * by its modulus). + */ if (BN_cmp(key->rsa->n, client_n) != 0) continue; 
@@ -264,11 +250,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) break; } - /* Restore the privileged uid. */ - restore_uid(); - /* Close the file. */ - xfree(file); fclose(f); /* return key if allowed */ @@ -276,7 +258,33 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) *rkey = key; else key_free(key); - return (allowed); + + return allowed; +} + +/* + * check if there's user key matching client_n, + * return key if login is allowed, NULL otherwise + */ + +int +auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) +{ + char *file; + u_int i, allowed = 0; + + temporarily_use_uid(pw); + + for (i = 0; !allowed && i < options.num_authkeys_files; i++) { + file = expand_authorized_keys( + options.authorized_keys_files[i], pw); + allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey); + xfree(file); + } + + restore_uid(); + + return allowed; } /* diff --git a/auth.c b/auth.c index be78f1a28..cac12b2e7 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.92 2011/05/11 04:47:06 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.93 2011/05/23 03:30:07 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -331,7 +331,7 @@ auth_root_allowed(char *method) * * This returns a buffer allocated by xmalloc. */ -static char * +char * expand_authorized_keys(const char *filename, struct passwd *pw) { char *file, ret[MAXPATHLEN]; @@ -354,12 +354,6 @@ expand_authorized_keys(const char *filename, struct passwd *pw) return (xstrdup(ret)); } -char * -authorized_keys_file(struct passwd *pw) -{ - return expand_authorized_keys(options.authorized_keys_file, pw); -} - char * authorized_principals_file(struct passwd *pw) { diff --git a/auth.h b/auth.h index 227395863..0d786c4d5 100644 --- a/auth.h +++ b/auth.h 
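Review bot: The header comment carried over to the rewritten `auth_rsa_key_allowed` still says "return key if login is allowed, NULL otherwise", but the function returns `allowed` as an int and `*rkey` is only written by rsa_key_allowed_in_file when a file yields a match; on the failure path `*rkey` is left untouched, so callers must not read it as NULL. Suggest `/* Check each configured authorized_keys file for a key matching client_n; returns non-zero and stores the key in *rkey if login is allowed, otherwise *rkey is unchanged. */`. Also `file` is only used inside the loop, and `allowed` receives the int returned by rsa_key_allowed_in_file and is returned as int, so `int allowed = 0;` with `char *file` scoped to the loop body would read more naturally than `u_int i, allowed = 0;`.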
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.68 2011/05/11 04:47:06 djm Exp $ */ +/* $OpenBSD: auth.h,v 1.69 2011/05/23 03:30:07 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -168,7 +168,7 @@ char *get_challenge(Authctxt *); int verify_response(Authctxt *, const char *); void abandon_challenge_response(Authctxt *); -char *authorized_keys_file(struct passwd *); +char *expand_authorized_keys(const char *, struct passwd *pw); char *authorized_principals_file(struct passwd *); FILE *auth_openkeyfile(const char *, struct passwd *, int); diff --git a/auth2-pubkey.c b/auth2-pubkey.c index a97509c28..137887ecd 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.28 2011/05/11 04:47:06 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.29 2011/05/23 03:30:07 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -436,7 +436,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) int user_key_allowed(struct passwd *pw, Key *key) { - int success; + u_int success, i; char *file; if (auth_key_is_revoked(key)) @@ -448,9 +448,12 @@ user_key_allowed(struct passwd *pw, Key *key) if (success) return success; - file = authorized_keys_file(pw); - success = user_key_allowed2(pw, key, file); - xfree(file); + for (i = 0; !success && i < options.num_authkeys_files; i++) { + file = expand_authorized_keys( + options.authorized_keys_files[i], pw); + success = user_key_allowed2(pw, key, file); + xfree(file); + } return success; } diff --git a/monitor.c b/monitor.c index c3a418319..4479e0a03 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.112 2011/05/20 03:25:45 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.113 2011/05/23 03:30:07 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -632,6 +632,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) char *username; struct passwd *pwent; int allowed = 0; + u_int i; debug3("%s", __func__); 
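Review bot: The new prototype `char *expand_authorized_keys(const char *, struct passwd *pw);` names its second parameter while the neighbouring declarations in this hunk (`authorized_principals_file`, `auth_openkeyfile`) leave parameters unnamed; for consistency with the header write `char *expand_authorized_keys(const char *, struct passwd *);`. Since the function is now exported, auth.c's note that it returns a buffer allocated by xmalloc is worth repeating at the declaration, e.g. `/* Expand an AuthorizedKeysFile pattern for pw; returns an xmalloc'd path the caller must xfree */`.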
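Review bot: In `user_key_allowed` the change turns `success` into a `u_int` solely so it can share a declaration with the new loop index, but the function's return type is still `int` and `success` receives the results of user_cert_trusted_ca() and user_key_allowed2(), whose types this diff does not change; `int success; u_int i;` keeps the existing signedness and avoids the implicit conversion at `return success`. The per-file loop mirrors the one in auth-rsa.c, which is fine, but the `!success` short-circuit means later files are not consulted once one grants access; a comment such as `/* first file that accepts the key wins */` would make that explicit.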
@@ -676,9 +677,14 @@ mm_answer_pwnamallow(int sock, Buffer *m) if (options.x != NULL) \ buffer_put_cstring(m, options.x); \ } while (0) +#define M_CP_STRARRAYOPT(x, nx) do { \ + for (i = 0; i < options.nx; i++) \ + buffer_put_cstring(m, options.x[i]); \ + } while (0) /* See comment in servconf.h */ COPY_MATCH_STRING_OPTS(); #undef M_CP_STROPT +#undef M_CP_STRARRAYOPT debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); mm_request_send(sock, MONITOR_ANS_PWNAM, m); @@ -691,7 +697,6 @@ mm_answer_pwnamallow(int sock, Buffer *m) monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); } - #ifdef USE_PAM if (options.use_pam) monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); diff --git a/monitor_wrap.c b/monitor_wrap.c index d3f274021..7a90b3ba3 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.71 2011/05/20 03:25:45 djm Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.72 2011/05/23 03:30:07 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -211,7 +211,7 @@ mm_getpwnamallow(const char *username) { Buffer m; struct passwd *pw; - u_int len; + u_int len, i; ServerOptions *newopts; debug3("%s entering", __func__); @@ -250,9 +250,14 @@ out: if (newopts->x != NULL) \ newopts->x = buffer_get_string(&m, NULL); \ } while (0) +#define M_CP_STRARRAYOPT(x, nx) do { \ + for (i = 0; i < newopts->nx; i++) \ + newopts->x[i] = buffer_get_string(&m, NULL); \ + } while (0) /* See comment in servconf.h */ COPY_MATCH_STRING_OPTS(); #undef M_CP_STROPT +#undef M_CP_STRARRAYOPT copy_set_server_options(&options, newopts, 1); xfree(newopts); diff --git a/pathnames.h b/pathnames.h index 787bdb676..c3d9abff5 100644 --- a/pathnames.h +++ b/pathnames.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pathnames.h,v 1.21 2011/05/11 04:47:06 djm Exp $ */ +/* $OpenBSD: pathnames.h,v 1.22 2011/05/23 03:30:07 djm Exp $ */ /* * Author: Tatu Ylonen 
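Review bot: `M_CP_STRARRAYOPT` in mm_answer_pwnamallow relies on a loop variable `i` that the macro never declares but takes from the enclosing function (the `u_int i;` added in the earlier hunk at line 632), and the matching definition in monitor_wrap.c's mm_getpwnamallow (hunk at line 250) does the same with its `u_int len, i;`; that couples every COPY_MATCH_STRING_OPTS() expansion site to a name it does not mention. Declaring the index inside the macro removes the hidden dependency on both sides, e.g. `#define M_CP_STRARRAYOPT(x, nx) do { u_int ai; \` / `for (ai = 0; ai < options.nx; ai++) \` / `buffer_put_cstring(m, options.x[ai]); } while (0)`. On the monitor_wrap.c side a one-line comment that `newopts->nx` and the pointer values `newopts->x[i]` appear to hold come from the options blob received from the monitor and are replaced here, as the existing `M_CP_STROPT` pattern does for single strings, would help the next reader.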
@@ -96,6 +96,9 @@ */ #define _PATH_SSH_USER_PERMITTED_KEYS ".ssh/authorized_keys" +/* backward compat for protocol v2 */ +#define _PATH_SSH_USER_PERMITTED_KEYS2 ".ssh/authorized_keys2" + /* * Per-user and system-wide ssh "rc" files. These files are executed with * /bin/sh before starting the shell or command if they exist. They will be diff --git a/servconf.c b/servconf.c index daed26a66..74710c41f 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.218 2011/05/20 03:25:45 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.219 2011/05/23 03:30:07 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -126,7 +126,7 @@ initialize_server_options(ServerOptions *options) options->use_dns = -1; options->client_alive_interval = -1; options->client_alive_count_max = -1; - options->authorized_keys_file = NULL; + options->num_authkeys_files = 0; options->num_accept_env = 0; options->permit_tun = -1; options->num_permitted_opens = -1; @@ -263,8 +263,12 @@ fill_default_server_options(ServerOptions *options) options->client_alive_interval = 0; if (options->client_alive_count_max == -1) options->client_alive_count_max = 3; - if (options->authorized_keys_file == NULL) - options->authorized_keys_file = xstrdup(_PATH_SSH_USER_PERMITTED_KEYS); + if (options->num_authkeys_files == 0) { + options->authorized_keys_files[options->num_authkeys_files++] = + xstrdup(_PATH_SSH_USER_PERMITTED_KEYS); + options->authorized_keys_files[options->num_authkeys_files++] = + xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2); + } if (options->permit_tun == -1) options->permit_tun = SSH_TUNMODE_NO; if (options->zero_knowledge_password_authentication == -1) 
@@ -430,6 +434,7 @@ static struct { { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL }, { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL }, { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL }, + { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL }, { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL }, { "permittunnel", sPermitTunnel, SSHCFG_ALL }, @@ -1241,11 +1246,22 @@ process_server_config_line(ServerOptions *options, char *line, * AuthorizedKeysFile /etc/ssh_keys/%u */ case sAuthorizedKeysFile: - charptr = &options->authorized_keys_file; - goto parse_tilde_filename; + if (*activep && options->num_authkeys_files == 0) { + while ((arg = strdelim(&cp)) && *arg != '\0') { + if (options->num_authkeys_files >= + MAX_AUTHKEYS_FILES) + fatal("%s line %d: " + "too many authorized keys files.", + filename, linenum); + options->authorized_keys_files[ + options->num_authkeys_files++] = + tilde_expand_filename(arg, getuid()); + } + } + return 0; + case sAuthorizedPrincipalsFile: charptr = &options->authorized_principals_file; - parse_tilde_filename: arg = strdelim(&cp); if (!arg || *arg == '\0') fatal("%s line %d: missing file name.", @@ -1464,6 +1480,12 @@ parse_server_match_config(ServerOptions *options, const char *user, dst->n = src->n; \ } \ } while(0) +#define M_CP_STRARRAYOPT(n, num_n) do {\ + if (src->num_n != 0) { \ + for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \ + dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \ + } \ +} while(0) /* * Copy any supported values that are set. @@ -1508,12 +1530,14 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) */ if (preauth) return; + M_CP_STROPT(adm_forced_command); M_CP_STROPT(chroot_directory); } #undef M_CP_INTOPT #undef M_CP_STROPT +#undef M_CP_STRARRAYOPT void parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, 
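Review bot: In the new `sAuthorizedKeysFile` case a directive with no argument is silently accepted: when `strdelim` yields nothing the while loop never runs, `num_authkeys_files` stays 0 and the function returns 0, whereas the `sAuthorizedPrincipalsFile` case right below fatal()s with "missing file name." for the same situation. After the loop, inside the `*activep` branch, add `if (options->num_authkeys_files == 0) fatal("%s line %d: missing file name.", filename, linenum);`. The early `return 0` also leaves the rest of the line unexamined when `*activep` is false or the option was already set, so trailing tokens on such lines would not be reported if the caller's end-of-line check runs after the switch, as it appears to for the other cases.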
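Review bot: The `M_CP_STRARRAYOPT` added for copy_set_server_options xstrdup()s every entry of `src->n` into `dst->n` but never releases the strings `dst` already holds, whereas `M_CP_STROPT` just above hands `src->n` over by pointer (`dst->n = src->n`); applying a Match block therefore leaks the previously installed authorized_keys_files entries (by default the two paths fill_default_server_options strdup'd) each time the copy runs, small in a per-connection child but an inconsistency between the two macros. Either xfree `dst->n[0 .. dst->num_n)` before the loop, or adopt the same ownership transfer as the string macro. Whichever is chosen, a comment stating who owns the entries after the copy would keep the two macros from diverging further. copy_set_server_options itself begins outside this hunk.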
@@ -1627,7 +1651,18 @@ dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals) u_int i; for (i = 0; i < count; i++) - printf("%s %s\n", lookup_opcode_name(code), vals[i]); + printf("%s %s\n", lookup_opcode_name(code), vals[i]); +} + +static void +dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals) +{ + u_int i; + + printf("%s", lookup_opcode_name(code)); + for (i = 0; i < count; i++) + printf(" %s", vals[i]); + printf("\n"); } void @@ -1725,7 +1760,6 @@ dump_config(ServerOptions *o) dump_cfg_string(sCiphers, o->ciphers); dump_cfg_string(sMacs, o->macs); dump_cfg_string(sBanner, o->banner); - dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file); dump_cfg_string(sForceCommand, o->adm_forced_command); dump_cfg_string(sChrootDirectory, o->chroot_directory); dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); @@ -1738,6 +1772,8 @@ dump_config(ServerOptions *o) dump_cfg_string(sLogFacility, log_facility_name(o->log_facility)); /* string array arguments */ + dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files, + o->authorized_keys_files); dump_cfg_strarray(sHostKeyFile, o->num_host_key_files, o->host_key_files); dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files, diff --git a/servconf.h b/servconf.h index 953ef8650..31e621bde 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.97 2011/05/20 03:25:45 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.98 2011/05/23 03:30:07 djm Exp $ */ /* * Author: Tatu Ylonen @@ -27,6 +27,7 @@ #define MAX_HOSTCERTS 256 /* Max # host certificates. */ #define MAX_ACCEPT_ENV 256 /* Max # of env vars. */ #define MAX_MATCH_GROUPS 256 /* Max # of groups for Match. */ +#define MAX_AUTHKEYS_FILES 256 /* Max # of authorized_keys files. */ /* permit_root_login */ #define PERMIT_NOT_SET -1 
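Review bot: `dump_cfg_strarray_oneline` prints the list unquoted and space-separated, which is exactly the syntax the new sAuthorizedKeysFile parser splits on, so an entry that itself contains whitespace cannot be round-tripped from dump_config's output back into a config file; a comment on the helper, `/* print a whitespace-separated option list; entries containing spaces are not quoted */`, would save someone a surprise. The helper also always emits the keyword line even when `count` is 0, unlike `dump_cfg_strarray`, which then prints nothing; harmless for AuthorizedKeysFile because fill_default_server_options installs two entries, but worth stating in the same comment.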
@@ -145,7 +146,8 @@ typedef struct { * disconnect the session */ - char *authorized_keys_file; /* File containing public keys */ + u_int num_authkeys_files; /* Files containing public keys */ + char *authorized_keys_files[MAX_AUTHKEYS_FILES]; char *adm_forced_command; @@ -171,8 +173,8 @@ typedef struct { M_CP_STROPT(banner); \ M_CP_STROPT(trusted_user_ca_keys); \ M_CP_STROPT(revoked_keys_file); \ - M_CP_STROPT(authorized_keys_file); \ M_CP_STROPT(authorized_principals_file); \ + M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \ } while (0) void initialize_server_options(ServerOptions *); diff --git a/sshd.8 b/sshd.8 index 5503b1331..8e007d100 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.260 2010/10/28 18:33:28 jmc Exp $ -.Dd $Mdocdate: October 28 2010 $ +.\" $OpenBSD: sshd.8,v 1.261 2011/05/23 03:30:07 djm Exp $ +.Dd $Mdocdate: May 23 2011 $ .Dt SSHD 8 .Os .Sh NAME @@ -462,10 +462,12 @@ is run, and if that does not exist either, xauth is used to add the cookie. .Sh AUTHORIZED_KEYS FILE FORMAT .Cm AuthorizedKeysFile -specifies the file containing public keys for +specifies the file or files containing public keys for public key authentication; -if none is specified, the default is -.Pa ~/.ssh/authorized_keys . +if none is specified, the default is both +.Pa ~/.ssh/authorized_keys +and +.Pa ~/.ssh/authorized_keys2 . Each line of the file contains one key (empty lines and lines starting with a .Ql # diff --git a/sshd_config b/sshd_config index 9b0d9fa20..473e86654 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.83 2011/05/06 01:03:35 dtucker Exp $ +# $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. 
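Review bot: The comment `/* Files containing public keys */` now sits on the counter `num_authkeys_files` rather than on the array that holds the paths, and nothing records that the entries are xstrdup'd (fill_default_server_options and process_server_config_line both allocate them). Suggest `u_int num_authkeys_files; /* entries in authorized_keys_files */` and `char *authorized_keys_files[MAX_AUTHKEYS_FILES]; /* xstrdup'd paths of files containing public keys */`. The struct definition continues on both sides of this hunk.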
@@ -44,7 +44,10 @@ #RSAAuthentication yes #PubkeyAuthentication yes -#AuthorizedKeysFile .ssh/authorized_keys + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no diff --git a/sshd_config.5 b/sshd_config.5 index c3d6df30a..b23e0f789 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.131 2010/12/08 04:02:47 djm Exp $ -.Dd $Mdocdate: December 8 2010 $ +.\" $OpenBSD: sshd_config.5,v 1.132 2011/05/23 03:30:07 djm Exp $ +.Dd $Mdocdate: May 23 2011 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -168,8 +168,11 @@ After expansion, .Cm AuthorizedKeysFile is taken to be an absolute path or one relative to the user's home directory. -The default is -.Dq .ssh/authorized_keys . +The default is both +.Dq .ssh/authorized_keys +and +.Dq .ssh/authorized_keys2 . +Multiple files may be listed separated by whitespace. .It Cm AuthorizedPrincipalsFile Specifies a file that lists principal names that are accepted for certificate authentication. -- cgit v1.2.3 From 1dd66e5f748af2de4e0d83fa66d2f663ba62146d Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 29 May 2011 21:40:42 +1000 Subject: - djm@cvs.openbsd.org 2011/05/23 03:33:38 [auth.c] make secure_filename() spam debug logs less --- ChangeLog | 3 +++ auth.c | 9 +++------ 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4e08289d6..04544286c 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -10,6 +10,9 @@ entierly :) feedback and ok markus@ dtucker@ + - djm@cvs.openbsd.org 2011/05/23 03:33:38 + [auth.c] + make secure_filename() spam debug logs less 20110520 - (djm) [session.c] call setexeccon() before executing passwd for pw diff --git a/auth.c b/auth.c index cac12b2e7..cd95da931 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.93 2011/05/23 03:30:07 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.94 2011/05/23 03:33:38 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -456,7 +456,6 @@ secure_filename(FILE *f, const char *file, struct passwd *pw, } strlcpy(buf, cp, sizeof(buf)); - debug3("secure_filename: checking '%s'", buf); if (stat(buf, &st) < 0 || (st.st_uid != 0 && st.st_uid != uid) || (st.st_mode & 022) != 0) { @@ -466,11 +465,9 @@ secure_filename(FILE *f, const char *file, struct passwd *pw, } /* If are past the homedir then we can stop */ - if (comparehome && strcmp(homedir, buf) == 0) { - debug3("secure_filename: terminating check at '%s'", - buf); + if (comparehome && strcmp(homedir, buf) == 0) break; - } + /* * dirname should always complete with a "/" path, * but we can be paranoid and check for "." too -- cgit v1.2.3 From 201f425d298d3c1c43fac122e2e0bcbf7a707939 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 29 May 2011 21:41:03 +1000 Subject: - djm@cvs.openbsd.org 2011/05/23 03:52:55 [sshconnect.c] remove extra newline --- ChangeLog | 3 +++ sshconnect.c | 3 +-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 04544286c..75a88fd04 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,9 @@ - djm@cvs.openbsd.org 2011/05/23 03:33:38 [auth.c] make secure_filename() spam debug logs less + - djm@cvs.openbsd.org 2011/05/23 03:52:55 + [sshconnect.c] + remove extra newline 20110520 - (djm) [session.c] call setexeccon() before executing passwd for pw diff --git a/sshconnect.c b/sshconnect.c index 74643a8c4..603445227 100644 --- a/sshconnect.c 
+++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.232 2011/01/16 11:50:36 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.233 2011/05/23 03:52:55 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1111,7 +1111,6 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) /* XXX certs are not yet supported for DNS */ if (!key_is_cert(host_key) && options.verify_host_key_dns && verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) { - if (flags & DNS_VERIFY_FOUND) { if (options.verify_host_key_dns == 1 && -- cgit v1.2.3 From b9132fc42717152cdb222a01595a4e6c04e257b3 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 29 May 2011 21:41:40 +1000 Subject: - jmc@cvs.openbsd.org 2011/05/23 07:10:21 [sshd.8 sshd_config.5] tweak previous; ok djm --- ChangeLog | 3 +++ sshd.8 | 6 +++--- sshd_config.5 | 10 ++++------ 3 files changed, 10 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index 75a88fd04..acf4ea270 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,9 @@ - djm@cvs.openbsd.org 2011/05/23 03:52:55 [sshconnect.c] remove extra newline + - jmc@cvs.openbsd.org 2011/05/23 07:10:21 + [sshd.8 sshd_config.5] + tweak previous; ok djm 20110520 - (djm) [session.c] call setexeccon() before executing passwd for pw diff --git a/sshd.8 b/sshd.8 index 8e007d100..45362e29a 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.261 2011/05/23 03:30:07 djm Exp $ +.\" $OpenBSD: sshd.8,v 1.262 2011/05/23 07:10:21 jmc Exp $ .Dd $Mdocdate: May 23 2011 $ .Dt SSHD 8 .Os 
@@ -462,9 +462,9 @@ is run, and if that does not exist either, xauth is used to add the cookie. .Sh AUTHORIZED_KEYS FILE FORMAT .Cm AuthorizedKeysFile -specifies the file or files containing public keys for +specifies the files containing public keys for public key authentication; -if none is specified, the default is both +if none is specified, the default is .Pa ~/.ssh/authorized_keys and .Pa ~/.ssh/authorized_keys2 . diff --git a/sshd_config.5 b/sshd_config.5 index b23e0f789..70a53b3a9 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.132 2011/05/23 03:30:07 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.133 2011/05/23 07:10:21 jmc Exp $ .Dd $Mdocdate: May 23 2011 $ .Dt SSHD_CONFIG 5 .Os @@ -168,11 +168,9 @@ After expansion, .Cm AuthorizedKeysFile is taken to be an absolute path or one relative to the user's home directory. -The default is both -.Dq .ssh/authorized_keys -and -.Dq .ssh/authorized_keys2 . -Multiple files may be listed separated by whitespace. +Multiple files may be listed, separated by whitespace. +The default is +.Dq .ssh/authorized_keys .ssh/authorized_keys2 . .It Cm AuthorizedPrincipalsFile Specifies a file that lists principal names that are accepted for certificate authentication. -- cgit v1.2.3 From 04bb56ef10bca3219010fdb191f1f9941353174b Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 29 May 2011 21:42:08 +1000 Subject: - djm@cvs.openbsd.org 2011/05/23 07:24:57 [authfile.c] read in key comments for v.2 keys (though note that these are not passed over the agent protocol); bz#439, based on patch from binder AT arago.de; ok markus@ --- ChangeLog | 5 +++++ authfile.c | 9 ++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index acf4ea270..f3f43a13f 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -19,6 +19,11 @@ - jmc@cvs.openbsd.org 2011/05/23 07:10:21 [sshd.8 sshd_config.5] tweak previous; ok djm + - djm@cvs.openbsd.org 2011/05/23 07:24:57 + [authfile.c] + read in key comments for v.2 keys (though note that these are not + passed over the agent protocol); bz#439, based on patch from binder + AT arago.de; ok markus@ 20110520 - (djm) [session.c] call setexeccon() before executing passwd for pw diff --git a/authfile.c b/authfile.c index 734d657e9..96d2bf338 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.90 2011/05/13 00:05:36 djm Exp $ */ +/* $OpenBSD: authfile.c,v 1.91 2011/05/23 07:24:57 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -774,8 +774,11 @@ key_try_load_public(Key *k, const char *filename, char **commentp) ; if (*cp) { if (key_read(k, &cp) == 1) { - if (commentp) - *commentp=xstrdup(filename); + cp[strcspn(cp, "\r\n")] = '\0'; + if (commentp) { + *commentp = xstrdup(*cp ? + cp : filename); + } fclose(f); return 1; } -- cgit v1.2.3 From 295ee63ab2123899fb21f76616ef4dac51515236 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 29 May 2011 21:42:31 +1000 Subject: - djm@cvs.openbsd.org 2011/05/24 07:15:47 [readconf.c readconf.h ssh.c ssh_config.5 sshconnect.c sshconnect2.c] Remove undocumented legacy options UserKnownHostsFile2 and GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile accept multiple paths per line and making their defaults include known_hosts2; ok markus --- ChangeLog | 6 +++++ readconf.c | 69 ++++++++++++++++++++++++++++++++------------------------ readconf.h | 13 ++++++----- ssh.c | 28 ++++++++++++++--------- ssh_config.5 | 20 ++++++++++------- sshconnect.c | 72 +++++++++++++++++++++++++++++------------------------------ sshconnect2.c | 11 ++++----- 7 files changed, 125 insertions(+), 94 deletions(-) diff --git a/ChangeLog b/ChangeLog index f3f43a13f..c7db4a5df 100644 --- a/ChangeLog +++ b/ChangeLog 
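Review bot: The comment stored in `*commentp` starts wherever key_read() leaves `cp`; if that is the whitespace following the base64 blob (key_read's advancing behaviour is not visible here), the saved comment carries a leading blank, and the `*cp ?` test treats a line of trailing spaces as a non-empty comment instead of falling back to `filename`. Skipping blanks first, `for (; *cp == ' ' || *cp == '\t'; cp++) ;` placed before the `strcspn` line, would give the bare comment in both cases. key_try_load_public starts before this hunk.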
@@ -24,6 +24,12 @@ read in key comments for v.2 keys (though note that these are not passed over the agent protocol); bz#439, based on patch from binder AT arago.de; ok markus@ + - djm@cvs.openbsd.org 2011/05/24 07:15:47 + [readconf.c readconf.h ssh.c ssh_config.5 sshconnect.c sshconnect2.c] + Remove undocumented legacy options UserKnownHostsFile2 and + GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile + accept multiple paths per line and making their defaults include + known_hosts2; ok markus 20110520 - (djm) [session.c] call setexeccon() before executing passwd for pw diff --git a/readconf.c b/readconf.c index 4780ae289..91dfa566f 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.192 2011/05/06 21:34:32 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.193 2011/05/24 07:15:47 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -193,9 +193,9 @@ static struct { { "host", oHost }, { "escapechar", oEscapeChar }, { "globalknownhostsfile", oGlobalKnownHostsFile }, - { "globalknownhostsfile2", oGlobalKnownHostsFile2 }, /* obsolete */ + { "globalknownhostsfile2", oDeprecated }, { "userknownhostsfile", oUserKnownHostsFile }, - { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */ + { "userknownhostsfile2", oDeprecated }, { "connectionattempts", oConnectionAttempts }, { "batchmode", oBatchMode }, { "checkhostip", oCheckHostIP }, @@ -354,7 +354,9 @@ process_config_line(Options *options, const char *host, char *line, const char *filename, int linenum, int *activep) { - char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256]; + char *s, **charptr, *endofnumber, *keyword, *arg, *arg2; + char **cpptr, fwdarg[256]; + u_int *uintptr, max_entries = 0; int negated, opcode, *intptr, value, value2, scale; LogLevel *log_level_ptr; long long orig, val64; 
@@ -598,26 +600,33 @@ parse_yesnoask: parse_string: arg = strdelim(&s); if (!arg || *arg == '\0') - fatal("%.200s line %d: Missing argument.", filename, linenum); + fatal("%.200s line %d: Missing argument.", + filename, linenum); if (*activep && *charptr == NULL) *charptr = xstrdup(arg); break; case oGlobalKnownHostsFile: - charptr = &options->system_hostfile; - goto parse_string; + cpptr = (char **)&options->system_hostfiles; + uintptr = &options->num_system_hostfiles; + max_entries = SSH_MAX_HOSTS_FILES; +parse_char_array: + if (*activep && *uintptr == 0) { + while ((arg = strdelim(&s)) != NULL && *arg != '\0') { + if ((*uintptr) >= max_entries) + fatal("%s line %d: " + "too many authorized keys files.", + filename, linenum); + cpptr[(*uintptr)++] = xstrdup(arg); + } + } + return 0; case oUserKnownHostsFile: - charptr = &options->user_hostfile; - goto parse_string; - - case oGlobalKnownHostsFile2: - charptr = &options->system_hostfile2; - goto parse_string; - - case oUserKnownHostsFile2: - charptr = &options->user_hostfile2; - goto parse_string; + cpptr = (char **)&options->user_hostfiles; + uintptr = &options->num_user_hostfiles; + max_entries = SSH_MAX_HOSTS_FILES; + goto parse_char_array; case oHostName: charptr = &options->hostname; @@ -1158,10 +1167,8 @@ initialize_options(Options * options) options->proxy_command = NULL; options->user = NULL; options->escape_char = -1; - options->system_hostfile = NULL; - options->user_hostfile = NULL; - options->system_hostfile2 = NULL; - options->user_hostfile2 = NULL; + options->num_system_hostfiles = 0; + options->num_user_hostfiles = 0; options->local_forwards = NULL; options->num_local_forwards = 0; options->remote_forwards = NULL; 
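Review bot: The fatal() under the new `parse_char_array` label reports "too many authorized keys files." although it is reached only from oGlobalKnownHostsFile and oUserKnownHostsFile; the text was copied from servconf.c's sAuthorizedKeysFile case and should read `"too many known hosts files."`, or take the keyword as an argument so both callers report correctly. The casts `(char **)&options->system_hostfiles` and `(char **)&options->user_hostfiles` are unnecessary and would hide a future type mismatch; `cpptr = options->system_hostfiles;` decays to `char **` on its own. As in the server-side change, an option line with no path leaves the count at 0 and returns 0 silently while the nearby `parse_string` path fatal()s with "Missing argument."; `if (*uintptr == 0) fatal("%.200s line %d: Missing argument.", filename, linenum);` after the loop, inside the `*activep` branch, would keep the two consistent.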
@@ -1301,14 +1308,18 @@ fill_default_options(Options * options) } if (options->escape_char == -1) options->escape_char = '~'; - if (options->system_hostfile == NULL) - options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE; - if (options->user_hostfile == NULL) - options->user_hostfile = _PATH_SSH_USER_HOSTFILE; - if (options->system_hostfile2 == NULL) - options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2; - if (options->user_hostfile2 == NULL) - options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2; + if (options->num_system_hostfiles == 0) { + options->system_hostfiles[options->num_system_hostfiles++] = + xstrdup(_PATH_SSH_SYSTEM_HOSTFILE); + options->system_hostfiles[options->num_system_hostfiles++] = + xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2); + } + if (options->num_user_hostfiles == 0) { + options->user_hostfiles[options->num_user_hostfiles++] = + xstrdup(_PATH_SSH_USER_HOSTFILE); + options->user_hostfiles[options->num_user_hostfiles++] = + xstrdup(_PATH_SSH_USER_HOSTFILE2); + } if (options->log_level == SYSLOG_LEVEL_NOT_SET) options->log_level = SYSLOG_LEVEL_INFO; if (options->clear_forwardings == 1) diff --git a/readconf.h b/readconf.h index bc3e8c1bb..5944cff93 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.89 2011/05/06 21:34:32 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.90 2011/05/24 07:15:47 djm Exp $ */ /* * Author: Tatu Ylonen @@ -27,7 +27,8 @@ typedef struct { } Forward; /* Data structure for representing option data. */ -#define MAX_SEND_ENV 256 +#define MAX_SEND_ENV 256 +#define SSH_MAX_HOSTS_FILES 256 typedef struct { int forward_agent; /* Forward authentication agent. */ 
@@ -83,10 +84,10 @@ typedef struct { char *user; /* User to log in as. */ int escape_char; /* Escape character; -2 = none */ - char *system_hostfile;/* Path for /etc/ssh/ssh_known_hosts. */ - char *user_hostfile; /* Path for $HOME/.ssh/known_hosts. */ - char *system_hostfile2; - char *user_hostfile2; + u_int num_system_hostfiles; /* Paths for /etc/ssh/ssh_known_hosts */ + char *system_hostfiles[SSH_MAX_HOSTS_FILES]; + u_int num_user_hostfiles; /* Path for $HOME/.ssh/known_hosts */ + char *user_hostfiles[SSH_MAX_HOSTS_FILES]; char *preferred_authentications; char *bind_address; /* local socket address for connection to sshd */ char *pkcs11_provider; /* PKCS#11 provider */ diff --git a/ssh.c b/ssh.c index 6080c0c27..e7e15cd65 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.360 2011/05/06 21:38:58 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.361 2011/05/24 07:15:47 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -212,6 +212,20 @@ static void main_sigchld_handler(int); void muxclient(const char *); void muxserver_listen(void); +/* ~/ expand a list of paths. NB. assumes path[n] is heap-allocated. */ +static void +tilde_expand_paths(char **paths, u_int num_paths) +{ + u_int i; + char *cp; + + for (i = 0; i < num_paths; i++) { + cp = tilde_expand_filename(paths[i], original_real_uid); + xfree(paths[i]); + paths[i] = cp; + } +} + /* * Main program for the ssh client. */ 
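Review bot: The two new counters are commented inconsistently: `num_system_hostfiles` says "Paths for /etc/ssh/ssh_known_hosts" but `num_user_hostfiles` says "Path for $HOME/.ssh/known_hosts", and in both cases the comment describes the array rather than the count it is attached to. Suggest `u_int num_system_hostfiles; /* entries in system_hostfiles */` and `char *system_hostfiles[SSH_MAX_HOSTS_FILES]; /* xstrdup'd paths, default /etc/ssh/ssh_known_hosts[2] */`, with the same pattern for the user pair; the entries are heap-allocated per readconf.c's `xstrdup(arg)` and the ssh.c tilde_expand_paths comment. The enclosing typedef starts and ends outside this hunk.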
@@ -869,15 +883,9 @@ main(int ac, char **av) load_public_identity_files(); /* Expand ~ in known host file names. */ - /* XXX mem-leaks: */ - options.system_hostfile = - tilde_expand_filename(options.system_hostfile, original_real_uid); - options.user_hostfile = - tilde_expand_filename(options.user_hostfile, original_real_uid); - options.system_hostfile2 = - tilde_expand_filename(options.system_hostfile2, original_real_uid); - options.user_hostfile2 = - tilde_expand_filename(options.user_hostfile2, original_real_uid); + tilde_expand_paths(options.system_hostfiles, + options.num_system_hostfiles); + tilde_expand_paths(options.user_hostfiles, options.num_user_hostfiles); signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */ signal(SIGCHLD, main_sigchld_handler); diff --git a/ssh_config.5 b/ssh_config.5 index 7a3b641ff..87574e381 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.150 2011/05/07 23:19:39 jmc Exp $ -.Dd $Mdocdate: May 7 2011 $ +.\" $OpenBSD: ssh_config.5,v 1.151 2011/05/24 07:15:47 djm Exp $ +.Dd $Mdocdate: May 24 2011 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -517,9 +517,11 @@ or The default is .Dq no . .It Cm GlobalKnownHostsFile -Specifies a file to use for the global -host key database instead of -.Pa /etc/ssh/ssh_known_hosts . +Specifies one or more files to use for the global +host key database, separated by whitespace. +The default is +.Pa /etc/ssh/ssh_known_hosts , +.Pa /etc/ssh/ssh_known_hosts2 . .It Cm GSSAPIAuthentication Specifies whether user authentication based on GSSAPI is allowed. The default is 
@@ -1171,9 +1173,11 @@ This can be useful when a different user name is used on different machines. This saves the trouble of having to remember to give the user name on the command line. .It Cm UserKnownHostsFile -Specifies a file to use for the user -host key database instead of -.Pa ~/.ssh/known_hosts . +Specifies one or more files to use for the user +host key database, separated by whitespace. +The default is +.Pa ~/.ssh/known_hosts , +.Pa ~/.ssh/known_hosts2 . .It Cm VerifyHostKeyDNS Specifies whether to verify the remote key using DNS and SSHFP resource records. diff --git a/sshconnect.c b/sshconnect.c index 603445227..0ee726637 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.233 2011/05/23 03:52:55 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.234 2011/05/24 07:15:47 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -683,28 +683,30 @@ get_hostfile_hostname_ipaddr(char *hostname, struct sockaddr *hostaddr, /* * check whether the supplied host key is valid, return -1 if the key - * is not valid. the user_hostfile will not be updated if 'readonly' is true. + * is not valid. user_hostfile[0] will not be updated if 'readonly' is true. */ #define RDRW 0 #define RDONLY 1 #define ROQUIET 2 static int check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, - Key *host_key, int readonly, char *user_hostfile, - char *system_hostfile) + Key *host_key, int readonly, + char **user_hostfiles, u_int num_user_hostfiles, + char **system_hostfiles, u_int num_system_hostfiles) { + HostStatus host_status; + HostStatus ip_status; Key *raw_key = NULL; - const char *type; char *ip = NULL, *host = NULL; char hostline[1000], *hostp, *fp, *ra; - HostStatus host_status; - HostStatus ip_status; - int r, want_cert = key_is_cert(host_key), host_ip_differ = 0; - int local = sockaddr_is_local(hostaddr); char msg[1024]; + const char *type; + const struct hostkey_entry *host_found, *ip_found; int len, cancelled_forwarding = 0; + int local = sockaddr_is_local(hostaddr); + int r, want_cert = key_is_cert(host_key), host_ip_differ = 0; struct hostkeys *host_hostkeys, *ip_hostkeys; - const struct hostkey_entry *host_found, *ip_found; + u_int i; /* * Force accepting of the host key for loopback/localhost. The 
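Review bot: The rewritten header comment says `user_hostfile[0]` while the parameter introduced in the new signature is `user_hostfiles`, so the comment now names something that does not exist. Suggest `* is not valid. user_hostfiles[0] will not be updated if 'readonly' is true.` plus one sentence stating that the caller must pass at least one user hostfile, since the body (in the hunks that follow) writes to `user_hostfiles[0]` without consulting `num_user_hostfiles`. The body of check_host_key continues past the end of this hunk.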
@@ -736,14 +738,18 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, options.check_host_ip = 0; host_hostkeys = init_hostkeys(); - load_hostkeys(host_hostkeys, host, user_hostfile); - load_hostkeys(host_hostkeys, host, system_hostfile); + for (i = 0; i < num_user_hostfiles; i++) + load_hostkeys(host_hostkeys, host, user_hostfiles[i]); + for (i = 0; i < num_system_hostfiles; i++) + load_hostkeys(host_hostkeys, host, system_hostfiles[i]); ip_hostkeys = NULL; if (!want_cert && options.check_host_ip) { ip_hostkeys = init_hostkeys(); - load_hostkeys(ip_hostkeys, ip, user_hostfile); - load_hostkeys(ip_hostkeys, ip, system_hostfile); + for (i = 0; i < num_user_hostfiles; i++) + load_hostkeys(ip_hostkeys, ip, user_hostfiles[i]); + for (i = 0; i < num_system_hostfiles; i++) + load_hostkeys(ip_hostkeys, ip, system_hostfiles[i]); } retry: @@ -788,11 +794,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, logit("%s host key for IP address " "'%.128s' not in list of known hosts.", type, ip); - else if (!add_host_to_hostfile(user_hostfile, ip, + else if (!add_host_to_hostfile(user_hostfiles[0], ip, host_key, options.hash_known_hosts)) logit("Failed to add the %s host key for IP " "address '%.128s' to the list of known " - "hosts (%.30s).", type, ip, user_hostfile); + "hosts (%.30s).", type, ip, + user_hostfiles[0]); else logit("Warning: Permanently added the %s host " "key for IP address '%.128s' to the list " @@ -811,7 +818,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, port != SSH_DEFAULT_PORT) { debug("checking without port identifier"); if (check_host_key(hostname, hostaddr, 0, host_key, - ROQUIET, user_hostfile, system_hostfile) == 0) { + ROQUIET, user_hostfiles, num_user_hostfiles, + system_hostfiles, num_system_hostfiles) == 0) { debug("found matching key w/out port"); break; } 
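Review bot: `add_host_to_hostfile(user_hostfiles[0], ip, ...)` in the `@@ -788` hunk indexes the new array without checking `num_user_hostfiles`, and the `@@ -876` and `@@ -955` hunks of this file do the same for the host-key add and the "Add correct host key" error message. Whether readconf can hand this function an empty UserKnownHostsFile list is not visible here; if it can, these are out-of-bounds reads of a zero-length array. A guard at function entry, `if (num_user_hostfiles == 0) fatal("%s: no user hostfile", __func__);`, would make the assumption explicit and fail loudly instead. check_host_key's body extends beyond this hunk on both sides.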
@@ -876,25 +884,25 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, hostp = hostline; if (options.hash_known_hosts) { /* Add hash of host and IP separately */ - r = add_host_to_hostfile(user_hostfile, host, - host_key, options.hash_known_hosts) && - add_host_to_hostfile(user_hostfile, ip, + r = add_host_to_hostfile(user_hostfiles[0], + host, host_key, options.hash_known_hosts) && + add_host_to_hostfile(user_hostfiles[0], ip, host_key, options.hash_known_hosts); } else { /* Add unhashed "host,ip" */ - r = add_host_to_hostfile(user_hostfile, + r = add_host_to_hostfile(user_hostfiles[0], hostline, host_key, options.hash_known_hosts); } } else { - r = add_host_to_hostfile(user_hostfile, host, host_key, - options.hash_known_hosts); + r = add_host_to_hostfile(user_hostfiles[0], host, + host_key, options.hash_known_hosts); hostp = host; } if (!r) logit("Failed to add the host to the list of known " - "hosts (%.500s).", user_hostfile); + "hosts (%.500s).", user_hostfiles[0]); else logit("Warning: Permanently added '%.200s' (%s) to the " "list of known hosts.", hostp, type); @@ -955,7 +963,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, /* The host key has changed. */ warn_changed_key(host_key); error("Add correct host key in %.100s to get rid of this message.", - user_hostfile); + user_hostfiles[0]); error("Offending %s key in %s:%lu", key_type(host_found->key), host_found->file, host_found->line); @@ -1100,7 +1108,6 @@ fail: int verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) { - struct stat st; int flags = 0; char *fp; 
@@ -1128,16 +1135,9 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) } } - /* return ok if the key can be found in an old keyfile */ - if (stat(options.system_hostfile2, &st) == 0 || - stat(options.user_hostfile2, &st) == 0) { - if (check_host_key(host, hostaddr, options.port, host_key, - RDONLY, options.user_hostfile2, - options.system_hostfile2) == 0) - return 0; - } - return check_host_key(host, hostaddr, options.port, host_key, - RDRW, options.user_hostfile, options.system_hostfile); + return check_host_key(host, hostaddr, options.port, host_key, RDRW, + options.user_hostfiles, options.num_user_hostfiles, + options.system_hostfiles, options.num_system_hostfiles); } /* diff --git a/sshconnect2.c b/sshconnect2.c index 673bf1a4f..c24b20278 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.187 2011/05/06 02:05:41 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.188 2011/05/24 07:15:47 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -109,14 +109,15 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) size_t maxlen; struct hostkeys *hostkeys; int ktype; + u_int i; /* Find all hostkeys for this hostname */ get_hostfile_hostname_ipaddr(host, hostaddr, port, &hostname, NULL); hostkeys = init_hostkeys(); - load_hostkeys(hostkeys, hostname, options.user_hostfile2); - load_hostkeys(hostkeys, hostname, options.system_hostfile2); - load_hostkeys(hostkeys, hostname, options.user_hostfile); - load_hostkeys(hostkeys, hostname, options.system_hostfile); + for (i = 0; i < options.num_user_hostfiles; i++) + load_hostkeys(hostkeys, hostname, options.user_hostfiles[i]); + for (i = 0; i < options.num_system_hostfiles; i++) + load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]); oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG); maxlen = strlen(avail) + 1; -- cgit v1.2.3 
From 8cb3587336d3fe8e67db1d75da5f4c11456d3f1a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 29 May 2011 21:59:10 +1000 Subject: - djm@cvs.openbsd.org 2011/05/23 03:31:31 [regress/cfgmatch.sh] include testing of multiple/overridden AuthorizedKeysFiles refactor to simply daemon start/stop and get rid of racy constructs --- ChangeLog | 4 ++++ regress/cfgmatch.sh | 66 +++++++++++++++++++++++++++-------------------------- 2 files changed, 38 insertions(+), 32 deletions(-) diff --git a/ChangeLog b/ChangeLog index c7db4a5df..82aedc3a9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,10 @@ GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile accept multiple paths per line and making their defaults include known_hosts2; ok markus + - djm@cvs.openbsd.org 2011/05/23 03:31:31 + [regress/cfgmatch.sh] + include testing of multiple/overridden AuthorizedKeysFiles + refactor to simply daemon start/stop and get rid of racy constructs 20110520 - (djm) [session.c] call setexeccon() before executing passwd for pw diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh index 96badd51b..29234e566 100644 --- a/regress/cfgmatch.sh +++ b/regress/cfgmatch.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cfgmatch.sh,v 1.4 2006/12/13 08:36:36 dtucker Exp $ +# $OpenBSD: cfgmatch.sh,v 1.5 2011/05/23 03:31:31 djm Exp $ # Placed in the Public Domain. tid="sshd_config match" @@ -7,6 +7,28 @@ pidfile=$OBJ/remote_pid fwdport=3301 fwd="-L $fwdport:127.0.0.1:$PORT" +echo "ExitOnForwardFailure=yes" >> ssh_config +echo "ExitOnForwardFailure=yes" >> ssh_proxy + +start_client() +{ + rm -f $pidfile + ${SSH} -q -$p $fwd "$@" somehost \ + exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \ + >>$TEST_SSH_LOGFILE 2>&1 & + client_pid=$! + # Wait for remote end + n=0 + while test ! -f $pidfile ; do + sleep 1 + n=`expr $n + 1` + if test $n -gt 60; then + kill $client_pid + fatal "timeout waiting for background ssh" + fi + done +} + stop_client() { pid=`cat $pidfile` 
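Review bot: The two `echo "ExitOnForwardFailure=yes" >> ssh_config` / `>> ssh_proxy` lines in the `@@ -7,6 +7,28 @@` hunk append to relative paths, while every other config write and every `-F` in this script uses `$OBJ/ssh_config`, `$OBJ/ssh_proxy` or `$OBJ/sshd_proxy`; unless the harness runs with `$OBJ` as its working directory the option never reaches the configs the tests load. Suggest `echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config` and `echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy`. Separately, start_client's wait loop only watches for the pidfile, so a client that exits early (which ExitOnForwardFailure makes more likely) is noticed only after the 60 s timeout; adding `kill -0 $client_pid 2>/dev/null || fatal "background ssh exited"` inside the loop would fail fast.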
@@ -14,11 +36,15 @@ stop_client() kill $pid sleep 1 fi + wait } cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak - +grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy +echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config +echo "Match user $USER" >>$OBJ/sshd_proxy +echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy echo "Match Address 127.0.0.1" >>$OBJ/sshd_config echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config @@ -32,12 +58,8 @@ start_sshd # Test Match + PermitOpen in sshd_config. This should be permitted for p in 1 2; do - rm -f $pidfile trace "match permitopen localhost proto $p" - ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \ - exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\ - fail "match permitopen proto $p sshd failed" - sleep 1; + start_client -F $OBJ/ssh_config ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ fail "match permitopen permit proto $p" stop_client @@ -45,12 +67,8 @@ done # Same but from different source. This should not be permitted for p in 1 2; do - rm -f $pidfile trace "match permitopen proxy proto $p" - ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \ - exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\ - fail "match permitopen proxy proto $p sshd failed" - sleep 1; + start_client -F $OBJ/ssh_proxy ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ fail "match permitopen deny proto $p" stop_client 
@@ -62,12 +80,8 @@ cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER echon 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER for p in 1 2; do - rm -f $pidfile trace "match permitopen proxy w/key opts proto $p" - ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \ - exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\ - fail "match permitopen w/key opt proto $p sshd failed" - sleep 1; + start_client -F $OBJ/ssh_proxy ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ fail "match permitopen deny w/key opt proto $p" stop_client @@ -76,12 +90,8 @@ done # Test both sshd_config and key options permitting the same dst/port pair. # Should be permitted. for p in 1 2; do - rm -f $pidfile trace "match permitopen localhost proto $p" - ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \ - exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\ - fail "match permitopen proto $p sshd failed" - sleep 1; + start_client -F $OBJ/ssh_config ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ fail "match permitopen permit proto $p" stop_client @@ -94,12 +104,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy # Test that a Match overrides a PermitOpen in the global section for p in 1 2; do - rm -f $pidfile trace "match permitopen proxy w/key opts proto $p" - ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \ - exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\ - fail "match override permitopen proto $p sshd failed" - sleep 1; + start_client -F $OBJ/ssh_proxy ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ fail "match override permitopen proto $p" stop_client 
@@ -113,12 +119,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy # Test that a rule that doesn't match doesn't override, plus test a # PermitOpen entry that's not at the start of the list for p in 1 2; do - rm -f $pidfile trace "nomatch permitopen proxy w/key opts proto $p" - ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \ - exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\ - fail "nomatch override permitopen proto $p sshd failed" - sleep 1; + start_client -F $OBJ/ssh_proxy ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ fail "nomatch override permitopen proto $p" stop_client -- cgit v1.2.3 From c412c1567b6d9eac77bbb43f450b95ef47389ad1 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 3 Jun 2011 10:35:23 +1000 Subject: - (dtucker) [README version.h contrib/caldera/openssh.spec contrib/redhat/openssh.spec contrib/suse/openssh.spec] Pull the version bumps from the 5.8p2 branch into HEAD. ok djm. --- ChangeLog | 5 +++++ README | 4 ++-- contrib/caldera/openssh.spec | 4 ++-- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- version.h | 2 +- 6 files changed, 12 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 82aedc3a9..7cab4c9cb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20110603 + - (dtucker) [README version.h contrib/caldera/openssh.spec + contrib/redhat/openssh.spec contrib/suse/openssh.spec] Pull the version + bumps from the 5.8p2 branch into HEAD. ok djm. + 20110529 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2011/05/23 03:30:07 diff --git a/README b/README index 481d40f29..0a772d2bc 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -See http://www.openssh.com/txt/release-5.8 for the release notes. +See http://www.openssh.com/txt/release-5.8p2 for the release notes. - A Japanese translation of this document and of the OpenSSH FAQ is - available at http://www.unixuser.org/~haruyama/security/openssh/index.html 
@@ -62,4 +62,4 @@ References - [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 [7] http://www.openssh.com/faq.html -$Id: README,v 1.76 2011/02/04 01:43:39 djm Exp $ +$Id: README,v 1.77 2011/06/03 00:35:26 dtucker Exp $ diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 9fc553ed3..e6f5a9333 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -16,7 +16,7 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 -%define version 5.8p1 +%define version 5.8p2 %if %{use_stable} %define cvs %{nil} %define release 1 @@ -363,4 +363,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.74 2011/02/04 01:43:44 djm Exp $ +$Id: openssh.spec,v 1.75 2011/06/03 00:35:26 dtucker Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index e99e33d0f..23657eacd 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 5.8p1 +%define ver 5.8p2 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 6afdcc4b4..db0c127bd 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 5.8p1 +Version: 5.8p2 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz diff --git a/version.h b/version.h index bf1c7124a..24d000110 100644 --- a/version.h +++ b/version.h @@ -2,5 +2,5 @@ #define SSH_VERSION "OpenSSH_5.8" -#define SSH_PORTABLE "p1" +#define SSH_PORTABLE "p2" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE -- cgit v1.2.3 From 90f42b07058d0813e258db90ccdd5da839844d19 Mon Sep 17 00:00:00 2001 
From: Tim Rice Date: Thu, 2 Jun 2011 18:17:49 -0700 Subject: - (tim) [configure.ac defines.h] Run test program to detect system mail directory. Add --with-maildir option to override. Fixed OpenServer 6 getting it wrong. Fixed many systems having MAIL=/var/mail//username ok dtucker --- ChangeLog | 4 +++ configure.ac | 96 +++++++++++++++++++++++++++++++++++++++++++++++++++++------- defines.h | 17 +++++------ 3 files changed, 97 insertions(+), 20 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7cab4c9cb..201a3c24d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,10 @@ - (dtucker) [README version.h contrib/caldera/openssh.spec contrib/redhat/openssh.spec contrib/suse/openssh.spec] Pull the version bumps from the 5.8p2 branch into HEAD. ok djm. + - (tim) [configure.ac defines.h] Run test program to detect system mail + directory. Add --with-maildir option to override. Fixed OpenServer 6 + getting it wrong. Fixed many systems having MAIL=/var/mail//username + ok dtucker 20110529 - (djm) OpenBSD CVS Sync diff --git a/configure.ac b/configure.ac index d56bf6d36..51dea41c1 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.474 2011/05/20 01:45:25 djm Exp $ +# $Id: configure.ac,v 1.475 2011/06/03 01:17:49 tim Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.474 $) +AC_REVISION($Revision: 1.475 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -533,7 +533,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE([LOCKED_PASSWD_STRING], ["*"], [String used in /etc/passwd to denote locked account]) AC_DEFINE([SPT_TYPE], [SPT_PSTAT]) - MAIL="/var/mail/username" + maildir="/var/mail" LIBS="$LIBS -lsec" AC_CHECK_LIB([xnet], [t_error], , [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])]) 
@@ -674,7 +674,7 @@ mips-sony-bsd|mips-sony-newsos4) conf_lastlog_location="/usr/adm/lastlog" conf_utmp_location=/etc/utmp conf_wtmp_location=/usr/adm/wtmp - MAIL=/usr/spool/mail + maildir=/usr/spool/mail AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT]) AC_DEFINE([BROKEN_REALPATH]) AC_DEFINE([USE_PIPES]) @@ -797,6 +797,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE([PASSWD_NEEDS_USERNAME]) case "$host" in *-*-sysv5SCO_SV*) # SCO OpenServer 6.x + maildir=/var/spool/mail TEST_SHELL=/u95/bin/sh AC_DEFINE([BROKEN_LIBIAF], [1], [ia_uinfo routines not supported by OS yet]) 
@@ -3479,12 +3480,87 @@ else AC_SUBST([XAUTH_PATH]) fi -# Check for mail directory (last resort if we cannot get it from headers) -if test ! -z "$MAIL" ; then - maildir=`dirname $MAIL` - AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"], - [Set this to your mail directory if you don't have maillock.h]) -fi +dnl # --with-maildir=/path/to/mail gets top priority. +dnl # if maildir is set in the platform case statement above we use that. +dnl # Otherwise we run a program to get the dir from system headers. +dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL +dnl # If we find _PATH_MAILDIR we do nothing because that is what +dnl # session.c expects anyway. Otherwise we set to the value found +dnl # stripping any trailing slash. If for some strage reason our program +dnl # does not find what it needs, we default to /var/spool/mail. +# Check for mail directory +AC_ARG_WITH([maildir], + [ --with-maildir=/path/to/mail Specify your system mail directory], + [ + if test "X$withval" != X && test "x$withval" != xno && \ + test "x${withval}" != xyes; then + AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"], + [Set this to your mail directory if you do not have _PATH_MAILDIR]) + fi + ],[ + if test "X$maildir" != "X"; then + AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"]) + else + AC_MSG_CHECKING([Discovering system mail directory]) + AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include +#ifdef HAVE_PATHS_H +#include +#endif +#ifdef HAVE_MAILLOCK_H +#include +#endif +#define DATA "conftest.maildir" + ]], [[ + FILE *fd; + int rc; + + fd = fopen(DATA,"w"); + if(fd == NULL) + exit(1); + +#if defined (_PATH_MAILDIR) + if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0) + exit(1); +#elif defined (MAILDIR) + if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0) + exit(1); +#elif defined (_PATH_MAIL) + if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0) + exit(1); +#else + exit (2); +#endif + + exit(0); + ]])], + [ + maildir_what=`awk -F: '{print 
$1}' conftest.maildir` + maildir=`awk -F: '{print $2}' conftest.maildir \ + | sed 's|/$||'` + AC_MSG_RESULT([Using: $maildir from $maildir_what]) + if test "x$maildir_what" != "x_PATH_MAILDIR"; then + AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"]) + fi + ], + [ + if test "X$ac_status" = "X2";then +# our test program didn't find it. Default to /var/spool/mail + AC_MSG_RESULT([Using: default value of /var/spool/mail]) + AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"]) + else + AC_MSG_RESULT([*** not found ***]) + fi + ], + [ + AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail]) + ] + ) + fi + ] +) # maildir if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test]) diff --git a/defines.h b/defines.h index a435de76e..e4ccc5407 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.166 2011/05/05 06:06:59 tim Exp $ */ +/* $Id: defines.h,v 1.167 2011/06/03 01:17:49 tim Exp $ */ /* Constants */ @@ -389,18 +389,15 @@ struct winsize { # define _PATH_DEVNULL "/dev/null" #endif -#ifndef MAIL_DIRECTORY -# define MAIL_DIRECTORY "/var/spool/mail" -#endif +/* user may have set a different path */ +#if defined(_PATH_MAILDIR) && defined(MAIL_DIRECTORY) +# undef _PATH_MAILDIR MAILDIR +#endif /* defined(_PATH_MAILDIR) && defined(MAIL_DIRECTORY) */ -#ifndef MAILDIR -# define MAILDIR MAIL_DIRECTORY +#ifdef MAIL_DIRECTORY +# define _PATH_MAILDIR MAIL_DIRECTORY #endif -#if !defined(_PATH_MAILDIR) && defined(MAILDIR) -# define _PATH_MAILDIR MAILDIR -#endif /* !defined(_PATH_MAILDIR) && defined(MAILDIR) */ - #ifndef _PATH_NOLOGIN # define _PATH_NOLOGIN "/etc/nologin" #endif -- cgit v1.2.3 From dd9e0385abcf9dd2e6c9fe6dc082b0ffd4ae2bac Mon Sep 17 00:00:00 2001 
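Review bot: When the probe program neither succeeds nor exits with status 2 (for example its `fopen` failure path, or a conftest that does not compile), the `else AC_MSG_RESULT([*** not found ***])` branch defines nothing, and the cross-compiling branch only warns; since the defines.h hunk in this same commit removes the unconditional `MAIL_DIRECTORY "/var/spool/mail"` fallback, such a build ends up with neither `MAIL_DIRECTORY` nor `_PATH_MAILDIR` on a system whose headers lack it. Suggest giving those two branches the same `/var/spool/mail` default the status-2 branch uses, or making them `AC_MSG_ERROR` so the gap is caught at configure time rather than in session.c. The comment above the block also has a typo, `strage` for `strange`.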
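Review bot: `# undef _PATH_MAILDIR MAILDIR` passes two identifiers to a directive that takes exactly one; the preprocessor undefines only `_PATH_MAILDIR`, ignores `MAILDIR` and warns about extra tokens at the end of the #undef directive, so a header-supplied `MAILDIR` keeps its value. Write it as two directives, `# undef _PATH_MAILDIR` and `# undef MAILDIR`, if MAILDIR really must be cleared; if nothing in the tree reads MAILDIR any more, drop it from the line instead. A short comment on the `#ifdef MAIL_DIRECTORY` block noting that configure sets MAIL_DIRECTORY only when the headers did not already provide `_PATH_MAILDIR` (per the configure.ac comment in this commit) would also help the next reader.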
From: Darren Tucker Date: Fri, 3 Jun 2011 11:17:52 +1000 Subject: Remove the !HAVE_SOCKETPAIR case. We use socketpair unconditionally in other places and the survey data we have does not show any systems that use it. "nuke it" djm@ --- monitor.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/monitor.c b/monitor.c index 4479e0a03..2c9254182 100644 --- a/monitor.c +++ b/monitor.c @@ -1853,13 +1853,8 @@ mm_init_compression(struct mm_master *mm) static void monitor_socketpair(int *pair) { -#ifdef HAVE_SOCKETPAIR if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) fatal("%s: socketpair", __func__); -#else - fatal("%s: UsePrivilegeSeparation=yes not supported", - __func__); -#endif FD_CLOSEONEXEC(pair[0]); FD_CLOSEONEXEC(pair[1]); } -- cgit v1.2.3 From c3c7227ccc4443a0b9bf180ee660fef47a064cdf Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 3 Jun 2011 11:20:06 +1000 Subject: add missing changelog entry --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index 201a3c24d..cf4da7124 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,9 @@ directory. Add --with-maildir option to override. Fixed OpenServer 6 getting it wrong. Fixed many systems having MAIL=/var/mail//username ok dtucker + - (dtucker) [monitor.c] Remove the !HAVE_SOCKETPAIR case. We use socketpair + unconditionally in other places and the survey data we have does not show + any systems that use it. "nuke it" djm@ 20110529 - (djm) OpenBSD CVS Sync -- cgit v1.2.3 From ea2c1a4dc6b0568ec1c74f94adee124ad8a60c68 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 3 Jun 2011 12:10:22 +1000 Subject: - djm@cvs.openbsd.org 2011/06/03 00:54:38 [ssh.c] bz#1883 - setproctitle() to identify mux master; patch from Bert.Wesarg AT googlemail.com; ok dtucker@ NB. includes additional portability code to enable setproctitle emulation on platforms that don't support it. --- ChangeLog | 6 ++++++ ssh.c | 20 +++++++++++++++++++- 2 files changed, 25 insertions(+), 1 deletion(-) 
diff --git a/ChangeLog b/ChangeLog index cf4da7124..d5a62dcc5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,12 @@ - (dtucker) [monitor.c] Remove the !HAVE_SOCKETPAIR case. We use socketpair unconditionally in other places and the survey data we have does not show any systems that use it. "nuke it" djm@ + - djm@cvs.openbsd.org 2011/06/03 00:54:38 + [ssh.c] + bz#1883 - setproctitle() to identify mux master; patch from Bert.Wesarg + AT googlemail.com; ok dtucker@ + NB. includes additional portability code to enable setproctitle emulation + on platforms that don't support it. 20110529 - (djm) OpenBSD CVS Sync diff --git a/ssh.c b/ssh.c index e7e15cd65..900537581 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.361 2011/05/24 07:15:47 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.362 2011/06/03 00:54:38 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -111,6 +111,11 @@ extern char *__progname; +/* Saves a copy of argv for setproctitle emulation */ +#ifndef HAVE_SETPROCTITLE +static char **saved_av; +#endif + /* Flag indicating whether debug mode is on. May be set on the command line. */ int debug_flag = 0; @@ -240,6 +245,7 @@ main(int ac, char **av) int dummy, timeout_ms; extern int optind, optreset; extern char *optarg; + struct servent *sp; Forward fwd; @@ -248,6 +254,17 @@ main(int ac, char **av) __progname = ssh_get_progname(av[0]); +#ifndef HAVE_SETPROCTITLE + /* Prepare for later setproctitle emulation */ + /* Save argv so it isn't clobbered by setproctitle() emulation */ + saved_av = xcalloc(ac + 1, sizeof(*saved_av)); + for (i = 0; i < ac; i++) + saved_av[i] = xstrdup(av[i]); + saved_av[i] = NULL; + compat_init_setproctitle(ac, av); + av = saved_av; +#endif + /* * Discard other fds that are hanging around. These can cause problem * with backgrounded ssh processes started by ControlPersist. 
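Review bot: The two comments above `saved_av = xcalloc(ac + 1, sizeof(*saved_av));` in the `@@ -248` hunk say the same thing; a single line such as `/* Copy argv before compat_init_setproctitle() reuses its storage for the process title. */` reads better. It is also worth a why-comment that everything later in main() that indexes `av` now works on this heap copy, so the `ac + 1` sizing and the terminating `saved_av[i] = NULL` are load-bearing rather than cosmetic. The copy is taken after `__progname = ssh_get_progname(av[0])`, which is fine. main() continues well beyond this hunk.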
@@ -977,6 +994,7 @@ control_persist_detach(void) if (devnull > STDERR_FILENO) close(devnull); } + setproctitle("%s [mux]", options.control_path); } /* Do fork() after authentication. Used by "ssh -f" */ -- cgit v1.2.3 From c09182f61366f31609224765b36386bab84298b2 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 3 Jun 2011 12:11:38 +1000 Subject: - (djm) [configure.ac] enable setproctitle emulation for OS X --- ChangeLog | 2 ++ configure.ac | 7 +++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index d5a62dcc5..724bb4f1d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,8 @@ - (dtucker) [monitor.c] Remove the !HAVE_SOCKETPAIR case. We use socketpair unconditionally in other places and the survey data we have does not show any systems that use it. "nuke it" djm@ + - (djm) [configure.ac] enable setproctitle emulation for OS X + - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2011/06/03 00:54:38 [ssh.c] bz#1883 - setproctitle() to identify mux master; patch from Bert.Wesarg diff --git a/configure.ac b/configure.ac index 51dea41c1..8f36338ff 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.475 2011/06/03 01:17:49 tim Exp $ +# $Id: configure.ac,v 1.476 2011/06/03 02:11:38 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.475 $) +AC_REVISION($Revision: 1.476 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -512,6 +512,9 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1], [Define if pututxline updates lastlog too]) ) + AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV], + [Define to a Set Process Title type if your system is + supported by bsd-setproctitle.c]) ;; *-*-dragonfly*) SSHDLIBS="$SSHDLIBS -lcrypt" -- cgit v1.2.3 
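Review bot: `setproctitle("%s [mux]", options.control_path)` places the expanded ControlPath into a process title that every local user can read via ps; since ControlPath accepts tokens such as %h and %r, that can expose the remote host and login name of a background mux master to other users on the machine, which the command line would not reveal when the path comes from ssh_config. That is probably an acceptable trade for identifiability, but it deserves a comment so the exposure is a documented choice, e.g. `/* The expanded ControlPath (possibly including remote host and user) becomes visible in ps output. */`. control_persist_detach() starts outside this hunk.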
From 3e78a516a0f476f193bc3b566b5e0919d29ccc17 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 3 Jun 2011 14:14:16 +1000 Subject: - dtucker@cvs.openbsd.org 2011/06/03 01:37:40 [ssh-agent.c] Check current parent process ID against saved one to determine if the parent has exited, rather than attempting to send a zero signal, since the latter won't work if the parent has changed privs. bz#1905, patch from Daniel Kahn Gillmor, ok djm@ --- ChangeLog | 6 ++++++ ssh-agent.c | 8 ++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 724bb4f1d..2831c374f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,12 @@ AT googlemail.com; ok dtucker@ NB. includes additional portability code to enable setproctitle emulation on platforms that don't support it. + - dtucker@cvs.openbsd.org 2011/06/03 01:37:40 + [ssh-agent.c] + Check current parent process ID against saved one to determine if the parent + has exited, rather than attempting to send a zero signal, since the latter + won't work if the parent has changed privs. bz#1905, patch from Daniel Kahn + Gillmor, ok djm@ 20110529 - (djm) OpenBSD CVS Sync diff --git a/ssh-agent.c b/ssh-agent.c index ae204b145..b9498e6ef 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.171 2010/11/21 01:01:13 djm Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.172 2011/06/03 01:37:40 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1097,7 +1097,11 @@ cleanup_handler(int sig) static void check_parent_exists(void) { - if (parent_pid != -1 && kill(parent_pid, 0) < 0) { + /* + * If our parent has exited then getppid() will return (pid_t)1, + * so testing for that should be safe. + */ + if (parent_pid != -1 && getppid() != parent_pid) { /* printf("Parent has died - Authentication agent exiting.\n"); */ cleanup_socket(); _exit(2); -- cgit v1.2.3 From 260c8fbc4d8c5865fc312ed56a48b36817507b30 Mon Sep 17 00:00:00 2001 
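Review bot: The new comment claims `getppid()` returns 1 once the parent exits, but the condition does not rely on that — it compares against the saved `parent_pid`, which is the more robust property (on some systems an orphan is reparented to something other than init). Suggest `/* Once our parent exits we are reparented (usually to init), so getppid() no longer matches the pid recorded at startup. Unlike kill(pid, 0), this works even if the parent has changed uid. */` so the comment describes what the check actually tests. The `parent_pid != -1` guard's origin and the place where parent_pid is recorded are outside this hunk.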
From: Darren Tucker Date: Fri, 3 Jun 2011 14:17:27 +1000 Subject: - dtucker@cvs.openbsd.org 2011/05/31 02:01:58 [regress/dynamic-forward.sh] back out revs 1.6 and 1.5 since it's not reliable --- ChangeLog | 3 +++ regress/dynamic-forward.sh | 26 +++----------------------- 2 files changed, 6 insertions(+), 23 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2831c374f..3b5aa258f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,9 @@ has exited, rather than attempting to send a zero signal, since the latter won't work if the parent has changed privs. bz#1905, patch from Daniel Kahn Gillmor, ok djm@ + - dtucker@cvs.openbsd.org 2011/05/31 02:01:58 + [regress/dynamic-forward.sh] + back out revs 1.6 and 1.5 since it's not reliable 20110529 - (djm) OpenBSD CVS Sync diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh index d6df4491a..0a862b504 100644 --- a/regress/dynamic-forward.sh +++ b/regress/dynamic-forward.sh @@ -1,4 +1,4 @@ -# $OpenBSD: dynamic-forward.sh,v 1.6 2011/05/20 06:32:30 dtucker Exp $ +# $OpenBSD: dynamic-forward.sh,v 1.7 2011/05/31 02:01:58 dtucker Exp $ # Placed in the Public Domain. tid="dynamic forwarding" @@ -21,21 +21,8 @@ start_sshd for p in 1 2; do trace "start dynamic forwarding, fork to background" - rm -f $OBJ/remote_pid - ${SSH} -$p -F $OBJ/ssh_config -D $FWDPORT -q somehost \ - exec sh -c \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' & - client_pid=$! - - # Wait for ssh to start - n=0 - while test ! -f $OBJ/remote_pid; do - sleep 1 - n=`expr $n + 1` - if test $n -gt 60; then - kill $client_pid - fail "Timed out waiting for client to connect" - fi - done + ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q somehost \ + exec sh -c \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' for s in 4 5; do for h in 127.0.0.1 localhost; do 
@@ -54,14 +41,7 @@ for p in 1 2; do if [ $remote -gt 1 ]; then kill -HUP $remote fi - rm -f $OBJ/remote_pid else fail "no pid file: $OBJ/remote_pid" fi - - # Wait for listening ssh to terminate - wait - - # Must allow time for connection tear-down - sleep 2 done -- cgit v1.2.3 From 75e035c34e323cccb19aab5d58cb9c706ce8fcee Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 3 Jun 2011 14:18:17 +1000 Subject: - dtucker@cvs.openbsd.org 2011/05/31 02:03:34 [regress/dynamic-forward.sh] work around startup and teardown races; caught by deraadt --- ChangeLog | 3 +++ regress/dynamic-forward.sh | 6 ++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3b5aa258f..af92ed3f9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,9 @@ - dtucker@cvs.openbsd.org 2011/05/31 02:01:58 [regress/dynamic-forward.sh] back out revs 1.6 and 1.5 since it's not reliable + - dtucker@cvs.openbsd.org 2011/05/31 02:03:34 + [regress/dynamic-forward.sh] + work around startup and teardown races; caught by deraadt 20110529 - (djm) OpenBSD CVS Sync diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh index 0a862b504..39b58c817 100644 --- a/regress/dynamic-forward.sh +++ b/regress/dynamic-forward.sh @@ -1,4 +1,4 @@ -# $OpenBSD: dynamic-forward.sh,v 1.7 2011/05/31 02:01:58 dtucker Exp $ +# $OpenBSD: dynamic-forward.sh,v 1.8 2011/05/31 02:03:34 dtucker Exp $ # Placed in the Public Domain. tid="dynamic forwarding" @@ -21,7 +21,8 @@ start_sshd for p in 1 2; do trace "start dynamic forwarding, fork to background" - ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q somehost \ + ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \ + -oExitOnForwardFailure=yes somehost \ exec sh -c \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' for s in 4 5; do @@ -41,6 +42,7 @@ for p in 1 2; do if [ $remote -gt 1 ]; then kill -HUP $remote fi + sleep 1 else fail "no pid file: $OBJ/remote_pid" fi -- cgit v1.2.3 
From bf4d05a37ca67a2b2c69ef072652b6be3b24fd76 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 3 Jun 2011 14:19:02 +1000 Subject: - dtucker@cvs.openbsd.org 2011/06/03 00:29:52 [regress/dynamic-forward.sh] Retry establishing the port forwarding after a small delay, should make the tests less flaky when the previous test is slow to shut down and free up the port. --- ChangeLog | 5 +++++ regress/dynamic-forward.sh | 22 +++++++++++++++++----- 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index af92ed3f9..c4ced5da6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,11 @@ - dtucker@cvs.openbsd.org 2011/05/31 02:03:34 [regress/dynamic-forward.sh] work around startup and teardown races; caught by deraadt + - dtucker@cvs.openbsd.org 2011/06/03 00:29:52 + [regress/dynamic-forward.sh] + Retry establishing the port forwarding after a small delay, should make + the tests less flaky when the previous test is slow to shut down and free + up the port. 20110529 - (djm) OpenBSD CVS Sync diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh index 39b58c817..d1ab8059b 100644 --- a/regress/dynamic-forward.sh +++ b/regress/dynamic-forward.sh @@ -1,4 +1,4 @@ -# $OpenBSD: dynamic-forward.sh,v 1.8 2011/05/31 02:03:34 dtucker Exp $ +# $OpenBSD: dynamic-forward.sh,v 1.9 2011/06/03 00:29:52 dtucker Exp $ # Placed in the Public Domain. tid="dynamic forwarding" 
@@ -20,10 +20,23 @@ trace "will use ProxyCommand $proxycmd" start_sshd for p in 1 2; do + n=0 + error="1" trace "start dynamic forwarding, fork to background" - ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \ - -oExitOnForwardFailure=yes somehost \ - exec sh -c \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' + while [ "$error" -ne 0 -a "$n" -lt 3 ]; do + n=`expr $n + 1` + ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \ + -oExitOnForwardFailure=yes somehost exec sh -c \ + \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' + error=$? + if [ "$error" -ne 0 ]; then + trace "forward failed proto $p attempt $n err $error" + sleep $n + fi + done + if [ "$error" -ne 0 ]; then + fatal "failed to start dynamic forwarding proto $p" + fi for s in 4 5; do for h in 127.0.0.1 localhost; do @@ -42,7 +55,6 @@ for p in 1 2; do if [ $remote -gt 1 ]; then kill -HUP $remote fi - sleep 1 else fail "no pid file: $OBJ/remote_pid" fi -- cgit v1.2.3 From bc481570d14b6061fe4cb286cec56d555351c28d Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 2 Jun 2011 22:26:19 -0700 Subject: - (tim) [regress/cfgmatch.sh] Build/test out of tree fix. --- ChangeLog | 1 + regress/cfgmatch.sh | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index c4ced5da6..32a383603 100644 --- a/ChangeLog +++ b/ChangeLog @@ -34,6 +34,7 @@ Retry establishing the port forwarding after a small delay, should make the tests less flaky when the previous test is slow to shut down and free up the port. + - (tim) [regress/cfgmatch.sh] Build/test out of tree fix. 20110529 - (djm) OpenBSD CVS Sync diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh index 29234e566..a16a5c13a 100644 --- a/regress/cfgmatch.sh +++ b/regress/cfgmatch.sh 
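Review bot: The retry condition `while [ "$error" -ne 0 -a "$n" -lt 3 ]; do` uses the `-a` operator of test(1), which POSIX marks obsolescent and which becomes ambiguous when an operand looks like an option; the portable spelling is `while [ "$error" -ne 0 ] && [ "$n" -lt 3 ]; do`. The `sleep $n` backoff is applied to any non-zero exit, not only to the listen-port-still-busy case the commit message describes, so a comment next to it such as `# port may still be held by the previous test's ssh; back off and retry` would tell the next reader why a failed forward is retried rather than reported. The enclosing `for p in 1 2` loop continues past the hunk.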
@@ -7,8 +7,8 @@ pidfile=$OBJ/remote_pid fwdport=3301 fwd="-L $fwdport:127.0.0.1:$PORT" -echo "ExitOnForwardFailure=yes" >> ssh_config -echo "ExitOnForwardFailure=yes" >> ssh_proxy +echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config +echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy start_client() { -- cgit v1.2.3 From 6029e076b2c58f5a2cb0dce370b1f14912104fcd Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 20 Jun 2011 14:22:49 +1000 Subject: - djm@cvs.openbsd.org 2011/06/04 00:10:26 [ssh_config.5] explain IdentifyFile's semantics a little better, prompted by bz#1898 ok dtucker jmc --- ChangeLog | 7 +++++++ ssh_config.5 | 8 ++++++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 32a383603..e34289124 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20110620 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2011/06/04 00:10:26 + [ssh_config.5] + explain IdentifyFile's semantics a little better, prompted by bz#1898 + ok dtucker jmc + 20110603 - (dtucker) [README version.h contrib/caldera/openssh.spec contrib/redhat/openssh.spec contrib/suse/openssh.spec] Pull the version diff --git a/ssh_config.5 b/ssh_config.5 index 87574e381..694ff814e 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.151 2011/05/24 07:15:47 djm Exp $ -.Dd $Mdocdate: May 24 2011 $ +.\" $OpenBSD: ssh_config.5,v 1.152 2011/06/04 00:10:26 djm Exp $ +.Dd $Mdocdate: June 4 2011 $ .Dt SSH_CONFIG 5 .Os .Sh NAME 
@@ -648,6 +648,10 @@ escape characters: It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence. +Multiple +.Cm IdentityFile +directives will add to the list of identities tried (this behaviour +differs from that of other configuration directives). .It Cm IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. Accepted values are -- cgit v1.2.3 From e7ac2bd42ad16c2e2485331641befedebaebdb46 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 20 Jun 2011 14:23:25 +1000 Subject: - markus@cvs.openbsd.org 2011/06/14 22:49:18 [authfile.c] make sure key_parse_public/private_rsa1() no longer consumes its input buffer. fixes ssh-add for passphrase-protected ssh1-keys; noted by naddy@; ok djm@ --- ChangeLog | 5 +++++ authfile.c | 53 ++++++++++++++++++++++++++++------------------------- 2 files changed, 33 insertions(+), 25 deletions(-) diff --git a/ChangeLog b/ChangeLog index e34289124..5dae2a859 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,11 @@ [ssh_config.5] explain IdentifyFile's semantics a little better, prompted by bz#1898 ok dtucker jmc + - markus@cvs.openbsd.org 2011/06/14 22:49:18 + [authfile.c] + make sure key_parse_public/private_rsa1() no longer consumes its input + buffer. fixes ssh-add for passphrase-protected ssh1-keys; + noted by naddy@; ok djm@ 20110603 - (dtucker) [README version.h contrib/caldera/openssh.spec diff --git a/authfile.c b/authfile.c index 96d2bf338..1d7e53cd1 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.91 2011/05/23 07:24:57 djm Exp $ */ +/* $OpenBSD: authfile.c,v 1.92 2011/06/14 22:49:18 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -279,6 +279,7 @@ static Key * key_parse_public_rsa1(Buffer *blob, char **commentp) { Key *pub; + Buffer copy; /* Check that it is at least big enough to contain the ID string. */ if (buffer_len(blob) < sizeof(authfile_id_string)) { @@ -295,21 +296,23 @@ key_parse_public_rsa1(Buffer *blob, char **commentp) debug3("Incorrect RSA1 identifier"); return NULL; } - buffer_consume(blob, sizeof(authfile_id_string)); + buffer_init(©); + buffer_append(©, buffer_ptr(blob), buffer_len(blob)); + buffer_consume(©, sizeof(authfile_id_string)); /* Skip cipher type and reserved data. */ - (void) buffer_get_char(blob); /* cipher type */ - (void) buffer_get_int(blob); /* reserved */ + (void) buffer_get_char(©); /* cipher type */ + (void) buffer_get_int(©); /* reserved */ /* Read the public key from the buffer. */ - (void) buffer_get_int(blob); + (void) buffer_get_int(©); pub = key_new(KEY_RSA1); - buffer_get_bignum(blob, pub->rsa->n); - buffer_get_bignum(blob, pub->rsa->e); + buffer_get_bignum(©, pub->rsa->n); + buffer_get_bignum(©, pub->rsa->e); if (commentp) - *commentp = buffer_get_string(blob, NULL); + *commentp = buffer_get_string(©, NULL); /* The encrypted private part is not parsed by this function. */ - buffer_clear(blob); + buffer_free(©); return pub; } @@ -420,6 +423,7 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp) CipherContext ciphercontext; Cipher *cipher; Key *prv = NULL; + Buffer copy; /* Check that it is at least big enough to contain the ID string. */ if (buffer_len(blob) < sizeof(authfile_id_string)) { 
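Review bot: Now that key_parse_public_rsa1() parses a private copy and leaves `blob` untouched, that guarantee is part of the function's contract — key_parse_private() in the last hunk of this file relies on it to hand the same buffer to the private-key parser — but nothing at the definition says so. I would add a header comment such as `/* Parse the RSA1 public part of blob; blob itself is not consumed and may be reused by the caller. */`, and the same note on key_parse_private_rsa1(), whose definition starts outside this hunk. The copy also includes the encrypted private section this function never reads; that is harmless provided `buffer_free()` scrubs its storage before releasing it, which I believe it does elsewhere in the tree but is worth confirming given what the copy holds.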
@@ -436,41 +440,44 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp) debug3("Incorrect RSA1 identifier"); return NULL; } - buffer_consume(blob, sizeof(authfile_id_string)); + buffer_init(©); + buffer_append(©, buffer_ptr(blob), buffer_len(blob)); + buffer_consume(©, sizeof(authfile_id_string)); /* Read cipher type. */ - cipher_type = buffer_get_char(blob); - (void) buffer_get_int(blob); /* Reserved data. */ + cipher_type = buffer_get_char(©); + (void) buffer_get_int(©); /* Reserved data. */ /* Read the public key from the buffer. */ - (void) buffer_get_int(blob); + (void) buffer_get_int(©); prv = key_new_private(KEY_RSA1); - buffer_get_bignum(blob, prv->rsa->n); - buffer_get_bignum(blob, prv->rsa->e); + buffer_get_bignum(©, prv->rsa->n); + buffer_get_bignum(©, prv->rsa->e); if (commentp) - *commentp = buffer_get_string(blob, NULL); + *commentp = buffer_get_string(©, NULL); else - (void)buffer_get_string_ptr(blob, NULL); + (void)buffer_get_string_ptr(©, NULL); /* Check that it is a supported cipher. */ cipher = cipher_by_number(cipher_type); if (cipher == NULL) { debug("Unsupported RSA1 cipher %d", cipher_type); + buffer_free(©); goto fail; } /* Initialize space for decrypted data. */ buffer_init(&decrypted); - cp = buffer_append_space(&decrypted, buffer_len(blob)); + cp = buffer_append_space(&decrypted, buffer_len(©)); /* Rest of the buffer is encrypted. Decrypt it using the passphrase. */ cipher_set_key_string(&ciphercontext, cipher, passphrase, CIPHER_DECRYPT); cipher_crypt(&ciphercontext, cp, - buffer_ptr(blob), buffer_len(blob)); + buffer_ptr(©), buffer_len(©)); cipher_cleanup(&ciphercontext); memset(&ciphercontext, 0, sizeof(ciphercontext)); - buffer_clear(blob); + buffer_free(©); check1 = buffer_get_char(&decrypted); check2 = buffer_get_char(&decrypted); 
@@ -692,13 +699,9 @@ key_parse_private(Buffer *buffer, const char *filename, const char *passphrase, char **commentp) { Key *pub, *prv; - Buffer pubcopy; - buffer_init(&pubcopy); - buffer_append(&pubcopy, buffer_ptr(buffer), buffer_len(buffer)); /* it's a SSH v1 key if the public key part is readable */ - pub = key_parse_public_rsa1(&pubcopy, commentp); - buffer_free(&pubcopy); + pub = key_parse_public_rsa1(buffer, commentp); if (pub == NULL) { prv = key_parse_private_type(buffer, KEY_UNSPEC, passphrase, NULL); -- cgit v1.2.3 From 8f0bf237d4e699d00c2febaf1b88a9b9b827e77e Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 20 Jun 2011 14:42:23 +1000 Subject: - djm@cvs.openbsd.org 2011/06/17 21:44:31 [log.c log.h monitor.c monitor.h monitor_wrap.c monitor_wrap.h sshd.c] make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@ --- ChangeLog | 4 ++ log.c | 35 ++++++++++++++-- log.h | 8 +++- monitor.c | 128 ++++++++++++++++++++++++++++++++++++++++++++++++++------- monitor.h | 4 +- monitor_wrap.c | 28 ++++++++++++- monitor_wrap.h | 3 +- sshd.c | 13 +++--- 8 files changed, 197 insertions(+), 26 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5dae2a859..d41208092 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,10 @@ make sure key_parse_public/private_rsa1() no longer consumes its input buffer. fixes ssh-add for passphrase-protected ssh1-keys; noted by naddy@; ok djm@ + - djm@cvs.openbsd.org 2011/06/17 21:44:31 + [log.c log.h monitor.c monitor.h monitor_wrap.c monitor_wrap.h sshd.c] + make the pre-auth privsep slave log via a socketpair shared with the + monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@ 20110603 - (dtucker) [README version.h contrib/caldera/openssh.spec diff --git a/log.c b/log.c index 4a8239b93..ad5a10b47 100644 --- a/log.c +++ b/log.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: log.c,v 1.41 2008/06/10 04:50:25 dtucker Exp $ */ +/* $OpenBSD: log.c,v 1.42 2011/06/17 21:44:30 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -56,6 +56,8 @@ static LogLevel log_level = SYSLOG_LEVEL_INFO; static int log_on_stderr = 1; static int log_facility = LOG_AUTH; static char *argv0; +static log_handler_fn *log_handler; +static void *log_handler_ctx; extern char *__progname; @@ -260,6 +262,9 @@ log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr) exit(1); } + log_handler = NULL; + log_handler_ctx = NULL; + log_on_stderr = on_stderr; if (on_stderr) return; @@ -326,6 +331,23 @@ log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr) #define MSGBUFSIZ 1024 +void +set_log_handler(log_handler_fn *handler, void *ctx) +{ + log_handler = handler; + log_handler_ctx = ctx; +} + +void +do_log2(LogLevel level, const char *fmt,...) +{ + va_list args; + + va_start(args, fmt); + do_log(level, fmt, args); + va_end(args); +} + void do_log(LogLevel level, const char *fmt, va_list args) { @@ -337,6 +359,7 @@ do_log(LogLevel level, const char *fmt, va_list args) char *txt = NULL; int pri = LOG_INFO; int saved_errno = errno; + log_handler_fn *tmp_handler; if (level > log_level) return; @@ -375,7 +398,7 @@ do_log(LogLevel level, const char *fmt, va_list args) pri = LOG_ERR; break; } - if (txt != NULL) { + if (txt != NULL && log_handler == NULL) { snprintf(fmtbuf, sizeof(fmtbuf), "%s: %s", txt, fmt); vsnprintf(msgbuf, sizeof(msgbuf), fmtbuf, args); } else { 
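Review bot: The new condition `if (txt != NULL && log_handler == NULL)` silently drops the severity prefix whenever a handler is installed, and the reason — the handler receives `level` as its own argument, so the receiving side re-adds the prefix when it re-logs — is only discoverable by reading monitor.c. A one-line comment at the condition, `/* a handler gets the level separately; don't bake the prefix into the text */`, would save the next reader that trip. set_log_handler() in the earlier hunk of this file would likewise benefit from a note that the handler receives the fully formatted message and that log_init() clears it again. do_log()'s body continues past the hunk.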
@@ -383,7 +406,13 @@ do_log(LogLevel level, const char *fmt, va_list args) } strnvis(fmtbuf, msgbuf, sizeof(fmtbuf), log_on_stderr ? LOG_STDERR_VIS : LOG_SYSLOG_VIS); - if (log_on_stderr) { + if (log_handler != NULL) { + /* Avoid recursion */ + tmp_handler = log_handler; + log_handler = NULL; + tmp_handler(level, fmtbuf, log_handler_ctx); + log_handler = tmp_handler; + } else if (log_on_stderr) { snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf); write(STDERR_FILENO, msgbuf, strlen(msgbuf)); } else { diff --git a/log.h b/log.h index 650582791..1b8d2142b 100644 --- a/log.h +++ b/log.h @@ -1,4 +1,4 @@ -/* $OpenBSD: log.h,v 1.17 2008/06/13 00:12:02 dtucker Exp $ */ +/* $OpenBSD: log.h,v 1.18 2011/06/17 21:44:30 djm Exp $ */ /* * Author: Tatu Ylonen @@ -46,6 +46,8 @@ typedef enum { SYSLOG_LEVEL_NOT_SET = -1 } LogLevel; +typedef void (log_handler_fn)(LogLevel, const char *, void *); + void log_init(char *, LogLevel, SyslogFacility, int); SyslogFacility log_facility_number(char *); @@ -64,6 +66,10 @@ void debug(const char *, ...) __attribute__((format(printf, 1, 2))); void debug2(const char *, ...) __attribute__((format(printf, 1, 2))); void debug3(const char *, ...) __attribute__((format(printf, 1, 2))); + +void set_log_handler(log_handler_fn *, void *); +void do_log2(LogLevel, const char *, ...) + __attribute__((format(printf, 2, 3))); void do_log(LogLevel, const char *, va_list); void cleanup_exit(int) __attribute__((noreturn)); #endif diff --git a/monitor.c b/monitor.c index 2c9254182..bb8003c67 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.113 2011/05/23 03:30:07 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.114 2011/06/17 21:44:30 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -44,6 +44,13 @@ #include #include #include +#ifdef HAVE_POLL_H +#include +#else +# ifdef HAVE_SYS_POLL_H +# include +# endif +#endif #ifdef SKEY #include 
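Review bot: The handler is invoked with `fmtbuf` after `strnvis()` has already escaped it, and the monitor side (monitor_read_log() in a later hunk of this commit) feeds that text back through do_log2() and do_log(), where `strnvis()` runs a second time; unless the vis flags include `VIS_NOSLASH`, any backslash produced by the first pass is doubled, so a preauth message that quotes untrusted input will read differently from the same message logged by the monitor itself. Passing the unescaped text, `tmp_handler(level, msgbuf, log_handler_ctx);`, and leaving escaping to the process that actually writes the log avoids the double encoding; if `fmtbuf` is kept on purpose, say so with `/* handler gets the already-escaped text */`. The recursion guard itself is sound: a handler that calls fatal() re-enters do_log() with `log_handler == NULL` and falls through to stderr or syslog. do_log() ends outside the hunk.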
@@ -52,6 +59,7 @@ #include #include "openbsd-compat/sys-queue.h" +#include "atomicio.h" #include "xmalloc.h" #include "ssh.h" #include "key.h" @@ -179,6 +187,8 @@ int mm_answer_audit_event(int, Buffer *); int mm_answer_audit_command(int, Buffer *); #endif +static int monitor_read_log(struct monitor *); + static Authctxt *authctxt; static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ @@ -346,6 +356,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) debug3("preauth child monitor started"); + close(pmonitor->m_recvfd); + close(pmonitor->m_log_sendfd); + pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; + authctxt = _authctxt; memset(authctxt, 0, sizeof(*authctxt)); @@ -405,6 +419,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) #endif } + /* Drain any buffered messages from the child */ + while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) + ; + if (!authctxt->valid) fatal("%s: authenticated invalid user", __func__); if (strcmp(auth_method, "unknown") == 0) @@ -414,6 +432,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) __func__, authctxt->user); mm_get_keystate(pmonitor); + + close(pmonitor->m_sendfd); + close(pmonitor->m_log_recvfd); + pmonitor->m_sendfd = pmonitor->m_log_recvfd = -1; } static void @@ -431,6 +453,9 @@ monitor_child_handler(int sig) void monitor_child_postauth(struct monitor *pmonitor) { + close(pmonitor->m_recvfd); + pmonitor->m_recvfd = -1; + monitor_set_child_handler(pmonitor->m_pid); signal(SIGHUP, &monitor_child_handler); signal(SIGTERM, &monitor_child_handler); @@ -454,6 +479,9 @@ monitor_child_postauth(struct monitor *pmonitor) for (;;) monitor_read(pmonitor, mon_dispatch, NULL); + + close(pmonitor->m_sendfd); + pmonitor->m_sendfd = -1; } void 
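Review bot: The drain loop `while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)` only terminates because the monitor closed its own copy of `m_log_sendfd` in the first hunk of this file, so that read() reaches EOF once the child exits; had the write end stayed open in the monitor this loop would block forever. That dependency deserves a comment at the loop, e.g. `/* Relies on m_log_sendfd being closed above: read() hits EOF once the child has exited */`. The EOF is surfaced as `errno == EPIPE` by monitor_read_log(), which matches atomicio()'s convention for a zero-length read as far as I recall, and is worth stating where that branch is written (a later hunk). monitor_child_preauth() starts before this hunk.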
@@ -465,6 +493,52 @@ monitor_sync(struct monitor *pmonitor) } } +static int +monitor_read_log(struct monitor *pmonitor) +{ + Buffer logmsg; + u_int len, level; + char *msg; + + buffer_init(&logmsg); + + /* Read length */ + buffer_append_space(&logmsg, 4); + if (atomicio(read, pmonitor->m_log_recvfd, + buffer_ptr(&logmsg), buffer_len(&logmsg)) != buffer_len(&logmsg)) { + if (errno == EPIPE) { + debug("%s: child log fd closed", __func__); + close(pmonitor->m_log_recvfd); + pmonitor->m_log_recvfd = -1; + return -1; + } + fatal("%s: log fd read: %s", __func__, strerror(errno)); + } + len = buffer_get_int(&logmsg); + if (len <= 4 || len > 8192) + fatal("%s: invalid log message length %u", __func__, len); + + /* Read severity, message */ + buffer_clear(&logmsg); + buffer_append_space(&logmsg, len); + if (atomicio(read, pmonitor->m_log_recvfd, + buffer_ptr(&logmsg), buffer_len(&logmsg)) != buffer_len(&logmsg)) + fatal("%s: log fd read: %s", __func__, strerror(errno)); + + /* Log it */ + level = buffer_get_int(&logmsg); + msg = buffer_get_string(&logmsg, NULL); + if (log_level_name(level) == NULL) + fatal("%s: invalid log level %u (corrupted message?)", + __func__, level); + do_log2(level, "%s [preauth]", msg); + + buffer_free(&logmsg); + xfree(msg); + + return 0; +} + int monitor_read(struct monitor *pmonitor, struct mon_table *ent, struct mon_table **pent) 
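Review bot: The EPIPE branch in monitor_read_log() returns -1 after `close(pmonitor->m_log_recvfd)` without releasing `logmsg`, which `buffer_append_space(&logmsg, 4)` allocated just above; the fatal() paths do not matter, but this one is the normal end-of-child path and leaks the buffer once per preauth child. Add `buffer_free(&logmsg);` before `return -1;`. The bounds check `len <= 4 || len > 8192` is the right shape for input arriving from the unprivileged child, and it would help to record where 8192 comes from, since the sender formats into a `MSGBUFSIZ` (1024) buffer in log.c: `/* far above MSGBUFSIZ; anything larger is not a message we generated */`.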
@@ -472,6 +546,27 @@ monitor_read(struct monitor *pmonitor, struct mon_table *ent, Buffer m; int ret; u_char type; + struct pollfd pfd[2]; + + for (;;) { + bzero(&pfd, sizeof(pfd)); + pfd[0].fd = pmonitor->m_sendfd; + pfd[0].events = POLLIN; + pfd[1].fd = pmonitor->m_log_recvfd; + pfd[1].events = pfd[1].fd == -1 ? 0 : POLLIN; + if (poll(pfd, pfd[1].fd == -1 ? 1 : 2, -1) == -1) + fatal("%s: poll: %s", __func__, strerror(errno)); + if (pfd[1].revents) { + /* + * Drain all log messages before processing next + * monitor request. + */ + monitor_read_log(pmonitor); + continue; + } + if (pfd[0].revents) + break; /* Continues below */ + } buffer_init(&m); @@ -1851,12 +1946,26 @@ mm_init_compression(struct mm_master *mm) } while (0) static void -monitor_socketpair(int *pair) +monitor_openfds(struct monitor *mon, int do_logfds) { + int pair[2]; + if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) - fatal("%s: socketpair", __func__); + fatal("%s: socketpair: %s", __func__, strerror(errno)); FD_CLOSEONEXEC(pair[0]); FD_CLOSEONEXEC(pair[1]); + mon->m_recvfd = pair[0]; + mon->m_sendfd = pair[1]; + + if (do_logfds) { + if (pipe(pair) == -1) + fatal("%s: pipe: %s", __func__, strerror(errno)); + FD_CLOSEONEXEC(pair[0]); + FD_CLOSEONEXEC(pair[1]); + mon->m_log_recvfd = pair[0]; + mon->m_log_sendfd = pair[1]; + } else + mon->m_log_recvfd = mon->m_log_sendfd = -1; } #define MM_MEMSIZE 65536 @@ -1865,14 +1974,10 @@ struct monitor * monitor_init(void) { struct monitor *mon; - int pair[2]; mon = xcalloc(1, sizeof(*mon)); - monitor_socketpair(pair); - - mon->m_recvfd = pair[0]; - mon->m_sendfd = pair[1]; + monitor_openfds(mon, 1); /* Used to share zlib space across processes */ if (options.compression) { @@ -1889,12 +1994,7 @@ monitor_init(void) void monitor_reinit(struct monitor *mon) { - int pair[2]; - - monitor_socketpair(pair); - - mon->m_recvfd = pair[0]; - mon->m_sendfd = pair[1]; + monitor_openfds(mon, 0); } #ifdef GSSAPI 
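Review bot: The new poll() in monitor_read() treats every -1 as fatal, but poll() returns -1 with `errno == EINTR` whenever a handled signal arrives, and on Linux poll is not restarted after a handler regardless of SA_RESTART; the monitor installs handlers in monitor_child_postauth(), so a SIGHUP, SIGTERM or SIGCHLD at the wrong moment ends the monitor with a poll failure instead of a normal retry. Change it to `if (poll(pfd, pfd[1].fd == -1 ? 1 : 2, -1) == -1) { if (errno == EINTR) continue; fatal("%s: poll: %s", __func__, strerror(errno)); }`. Separately, `bzero(&pfd, sizeof(pfd))` passes a pointer to the array rather than the array; it works, but `memset(pfd, 0, sizeof(pfd))` is the conventional form. monitor_read()'s body continues outside the hunk; the monitor_openfds() hunks sharing this line look fine.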
diff --git a/monitor.h b/monitor.h index a8a2c0c19..5e7d552fb 100644 --- a/monitor.h +++ b/monitor.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.h,v 1.15 2008/11/04 08:22:13 djm Exp $ */ +/* $OpenBSD: monitor.h,v 1.16 2011/06/17 21:44:31 djm Exp $ */ /* * Copyright 2002 Niels Provos @@ -72,6 +72,8 @@ struct mm_master; struct monitor { int m_recvfd; int m_sendfd; + int m_log_recvfd; + int m_log_sendfd; struct mm_master *m_zback; struct mm_master *m_zlib; struct Kex **m_pkex; diff --git a/monitor_wrap.c b/monitor_wrap.c index 7a90b3ba3..1f60658e9 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.72 2011/05/23 03:30:07 djm Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.73 2011/06/17 21:44:31 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -88,6 +88,32 @@ extern struct monitor *pmonitor; extern Buffer loginmsg; extern ServerOptions options; +void +mm_log_handler(LogLevel level, const char *msg, void *ctx) +{ + Buffer log_msg; + struct monitor *mon = (struct monitor *)ctx; + + if (mon->m_log_sendfd == -1) + fatal("%s: no log channel", __func__); + + buffer_init(&log_msg); + /* + * Placeholder for packet length. Will be filled in with the actual + * packet length once the packet has been constucted. This saves + * fragile math. + */ + buffer_put_int(&log_msg, 0); + + buffer_put_int(&log_msg, level); + buffer_put_cstring(&log_msg, msg); + put_u32(buffer_ptr(&log_msg), buffer_len(&log_msg) - 4); + if (atomicio(vwrite, mon->m_log_sendfd, buffer_ptr(&log_msg), + buffer_len(&log_msg)) != buffer_len(&log_msg)) + fatal("%s: write: %s", __func__, strerror(errno)); + buffer_free(&log_msg); +} + int mm_is_monitor(void) { diff --git a/monitor_wrap.h b/monitor_wrap.h index de2d16f66..0c7f2e384 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h 
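Review bot: mm_log_handler() calls fatal() on a missing channel and on a short write, which is safe only because do_log() nulls `log_handler` around the call so fatal()'s own message goes to stderr or syslog rather than back into this handler; that coupling is invisible here and deserves `/* do_log() has cleared log_handler for the duration of this call, so fatal() below cannot recurse */` above the first fatal(). The cast `(struct monitor *)ctx` is unnecessary in C, and the comment has a typo, `constucted` for `constructed`. The monitor enforces an 8192-byte ceiling on these messages; since the text comes from a `MSGBUFSIZ` buffer that is fine today, but a short note naming the pairing would keep the two limits from drifting apart.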
@@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.h,v 1.22 2009/03/05 07:18:19 djm Exp $ */ +/* $OpenBSD: monitor_wrap.h,v 1.23 2011/06/17 21:44:31 djm Exp $ */ /* * Copyright 2002 Niels Provos @@ -37,6 +37,7 @@ struct monitor; struct mm_master; struct Authctxt; +void mm_log_handler(LogLevel, const char *, void *); int mm_is_monitor(void); DH *mm_choose_dh(int, int, int); int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); diff --git a/sshd.c b/sshd.c index 50d0dede4..6e15522b3 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.382 2011/04/12 05:32:49 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.383 2011/06/17 21:44:31 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -636,10 +636,8 @@ privsep_preauth(Authctxt *authctxt) } else if (pid != 0) { debug2("Network child is on pid %ld", (long)pid); - close(pmonitor->m_recvfd); pmonitor->m_pid = pid; monitor_child_preauth(authctxt, pmonitor); - close(pmonitor->m_sendfd); /* Sync memory */ monitor_sync(pmonitor); @@ -651,8 +649,11 @@ privsep_preauth(Authctxt *authctxt) return (1); } else { /* child */ - close(pmonitor->m_sendfd); + close(pmonitor->m_log_recvfd); + + /* Arrange for logging to be sent to the monitor */ + set_log_handler(mm_log_handler, pmonitor); /* Demote the child */ if (getuid() == 0 || geteuid() == 0) @@ -685,7 +686,6 @@ privsep_postauth(Authctxt *authctxt) fatal("fork of unprivileged child failed"); else if (pmonitor->m_pid != 0) { verbose("User child is on pid %ld", (long)pmonitor->m_pid); - close(pmonitor->m_recvfd); buffer_clear(&loginmsg); monitor_child_postauth(pmonitor); @@ -693,7 +693,10 @@ privsep_postauth(Authctxt *authctxt) exit(0); } + /* child */ + close(pmonitor->m_sendfd); + pmonitor->m_sendfd = -1; /* Demote the private keys to public keys. */ demote_sensitive_data(); -- cgit v1.2.3 From f145a5be1c7d7849c3c2699d32d253b26d0c895a Mon Sep 17 00:00:00 2001 
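Review bot: The child branch of privsep_preauth() replaces `close(pmonitor->m_sendfd);` with `close(pmonitor->m_log_recvfd);` rather than adding to it, so unless it is closed further down outside the hunk the unprivileged preauth child now keeps the monitor's end of the request socketpair open — the opposite of what the postauth child does in the last hunk of this file, where `m_sendfd` is closed and set to -1. I would restore the close and mirror the monitor-side convention of invalidating the descriptors: `close(pmonitor->m_sendfd); close(pmonitor->m_log_recvfd); pmonitor->m_sendfd = pmonitor->m_log_recvfd = -1;`. Holding only the descriptors each side needs is what gives the privsep boundary its meaning, so this is worth settling before the change ships.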
From: Damien Miller Date: Mon, 20 Jun 2011 14:42:51 +1000 Subject: - djm@cvs.openbsd.org 2011/06/17 21:46:16 [sftp-server.c] the protocol version should be unsigned; bz#1913 reported by mb AT smartftp.com --- ChangeLog | 4 ++++ sftp-server.c | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index d41208092..15320284c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,10 @@ [log.c log.h monitor.c monitor.h monitor_wrap.c monitor_wrap.h sshd.c] make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@ + - djm@cvs.openbsd.org 2011/06/17 21:46:16 + [sftp-server.c] + the protocol version should be unsigned; bz#1913 reported by mb AT + smartftp.com 20110603 - (dtucker) [README version.h contrib/caldera/openssh.spec diff --git a/sftp-server.c b/sftp-server.c index b268d0883..9d01c7d79 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.93 2010/12/04 00:18:01 djm Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.94 2011/06/17 21:46:16 djm Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * @@ -68,7 +68,7 @@ Buffer iqueue; Buffer oqueue; /* Version of client */ -int version; +u_int version; /* Disable writes */ int readonly; @@ -522,7 +522,7 @@ process_init(void) Buffer msg; version = get_int(); - verbose("received client version %d", version); + verbose("received client version %u", version); buffer_init(&msg); buffer_put_char(&msg, SSH2_FXP_VERSION); buffer_put_int(&msg, SSH2_FILEXFER_VERSION); -- cgit v1.2.3 From 33322127ec41b04e380123d2ed4ae1df20bf18cc Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Mon, 20 Jun 2011 14:43:11 +1000 Subject: - djm@cvs.openbsd.org 2011/06/17 21:47:35 [servconf.c] factor out multi-choice option parsing into a parse_multistate label and some support structures; ok dtucker@ --- ChangeLog | 4 ++ servconf.c | 126 +++++++++++++++++++++++++++---------------------------------- 2 files changed, 60 insertions(+), 70 deletions(-) diff --git a/ChangeLog b/ChangeLog index 15320284c..74c3f90f4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,10 @@ [sftp-server.c] the protocol version should be unsigned; bz#1913 reported by mb AT smartftp.com + - djm@cvs.openbsd.org 2011/06/17 21:47:35 + [servconf.c] + factor out multi-choice option parsing into a parse_multistate label + and some support structures; ok dtucker@ 20110603 - (dtucker) [README version.h contrib/caldera/openssh.spec diff --git a/servconf.c b/servconf.c index 74710c41f..909ad7d8f 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.219 2011/05/23 03:30:07 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.220 2011/06/17 21:47:35 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
@@ -671,6 +671,37 @@ match_cfg_line(char **condition, int line, const char *user, const char *host, #define WHITESPACE " \t\r\n" +/* Multistate option parsing */ +struct multistate { + char *key; + int value; +}; +static const struct multistate multistate_addressfamily[] = { + { "inet", AF_INET }, + { "inet6", AF_INET6 }, + { "any", AF_UNSPEC }, + { NULL, -1 } +}; +static const struct multistate multistate_permitrootlogin[] = { + { "without-password", PERMIT_NO_PASSWD }, + { "forced-commands-only", PERMIT_FORCED_ONLY }, + { "yes", PERMIT_YES }, + { "no", PERMIT_NO }, + { NULL, -1 } +}; +static const struct multistate multistate_compression[] = { + { "delayed", COMP_DELAYED }, + { "yes", COMP_ZLIB }, + { "no", COMP_NONE }, + { NULL, -1 } +}; +static const struct multistate multistate_gatewayports[] = { + { "clientspecified", 2 }, + { "yes", 1 }, + { "no", 0 }, + { NULL, -1 } +}; + int process_server_config_line(ServerOptions *options, char *line, const char *filename, int linenum, int *activep, const char *user, @@ -684,6 +715,7 @@ process_server_config_line(ServerOptions *options, char *line, int port; u_int i, flags = 0; size_t len; + const struct multistate *multistate_ptr; cp = line; if ((arg = strdelim(&cp)) == NULL) 
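Review bot: The `key` member of `struct multistate` is declared `char *` although every entry is a string literal in a `static const` table; `const char *key;` states that intent and keeps the tables in read-only storage, at no cost since the only consumer is strcasecmp() in the next hunk. The `{ NULL, -1 }` sentinel doubles as the no-match value in the parser, so a comment on the struct such as `/* terminated by a NULL key; -1 is reserved as the no-match value */` would stop someone adding an option whose legitimate value is -1. A one-line header naming the option each table serves would also help, because the tables are reached by goto from several case labels rather than from one obvious call site.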
@@ -799,24 +831,27 @@ process_server_config_line(ServerOptions *options, char *line, break; case sAddressFamily: + intptr = &options->address_family; + multistate_ptr = multistate_addressfamily; + if (options->listen_addrs != NULL) + fatal("%s line %d: address family must be specified " + "before ListenAddress.", filename, linenum); + parse_multistate: arg = strdelim(&cp); if (!arg || *arg == '\0') - fatal("%s line %d: missing address family.", + fatal("%s line %d: missing argument.", filename, linenum); - intptr = &options->address_family; - if (options->listen_addrs != NULL) - fatal("%s line %d: address family must be specified before " - "ListenAddress.", filename, linenum); - if (strcasecmp(arg, "inet") == 0) - value = AF_INET; - else if (strcasecmp(arg, "inet6") == 0) - value = AF_INET6; - else if (strcasecmp(arg, "any") == 0) - value = AF_UNSPEC; - else - fatal("%s line %d: unsupported address family \"%s\".", + value = -1; + for (i = 0; multistate_ptr[i].key != NULL; i++) { + if (strcasecmp(arg, multistate_ptr[i].key) == 0) { + value = multistate_ptr[i].value; + break; + } + } + if (value == -1) + fatal("%s line %d: unsupported option \"%s\".", filename, linenum, arg); - if (*intptr == -1) + if (*activep && *intptr == -1) *intptr = value; break; 
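Review bot: Two user-visible changes ride along with the refactor in the `parse_multistate:` block and are not mentioned in the commit message: matching now uses strcasecmp(), whereas the PermitRootLogin, Compression and GatewayPorts cases it replaces (the hunks on the next two lines) used strcmp(), so mixed-case spellings of those values are newly accepted; and the error text degrades from listing the valid choices to a generic `unsupported option`. Both may be acceptable, but the first should be recorded for sshd_config.5 if it is intended, and the second can be recovered cheaply by printing the table keys in the fatal(), or at least by making the `missing argument` message name the option. Entering the shared tail by goto from other case labels also hides a precondition; a comment at the label, `/* shared tail: intptr and multistate_ptr must be set before jumping here */`, would make it explicit. process_server_config_line() continues outside the hunk.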
@@ -855,27 +890,8 @@ process_server_config_line(ServerOptions *options, char *line, case sPermitRootLogin: intptr = &options->permit_root_login; - arg = strdelim(&cp); - if (!arg || *arg == '\0') - fatal("%s line %d: missing yes/" - "without-password/forced-commands-only/no " - "argument.", filename, linenum); - value = 0; /* silence compiler */ - if (strcmp(arg, "without-password") == 0) - value = PERMIT_NO_PASSWD; - else if (strcmp(arg, "forced-commands-only") == 0) - value = PERMIT_FORCED_ONLY; - else if (strcmp(arg, "yes") == 0) - value = PERMIT_YES; - else if (strcmp(arg, "no") == 0) - value = PERMIT_NO; - else - fatal("%s line %d: Bad yes/" - "without-password/forced-commands-only/no " - "argument: %s", filename, linenum, arg); - if (*activep && *intptr == -1) - *intptr = value; - break; + multistate_ptr = multistate_permitrootlogin; + goto parse_multistate; case sIgnoreRhosts: intptr = &options->ignore_rhosts; 
@@ -1006,43 +1022,13 @@ process_server_config_line(ServerOptions *options, char *line, case sCompression: intptr = &options->compression; - arg = strdelim(&cp); - if (!arg || *arg == '\0') - fatal("%s line %d: missing yes/no/delayed " - "argument.", filename, linenum); - value = 0; /* silence compiler */ - if (strcmp(arg, "delayed") == 0) - value = COMP_DELAYED; - else if (strcmp(arg, "yes") == 0) - value = COMP_ZLIB; - else if (strcmp(arg, "no") == 0) - value = COMP_NONE; - else - fatal("%s line %d: Bad yes/no/delayed " - "argument: %s", filename, linenum, arg); - if (*intptr == -1) - *intptr = value; - break; + multistate_ptr = multistate_compression; + goto parse_multistate; case sGatewayPorts: intptr = &options->gateway_ports; - arg = strdelim(&cp); - if (!arg || *arg == '\0') - fatal("%s line %d: missing yes/no/clientspecified " - "argument.", filename, linenum); - value = 0; /* silence compiler */ - if (strcmp(arg, "clientspecified") == 0) - value = 2; - else if (strcmp(arg, "yes") == 0) - value = 1; - else if (strcmp(arg, "no") == 0) - value = 0; - else - fatal("%s line %d: Bad yes/no/clientspecified " - "argument: %s", filename, linenum, arg); - if (*activep && *intptr == -1) - *intptr = value; - break; + multistate_ptr = multistate_gatewayports; + goto parse_multistate; case sUseDNS: intptr = &options->use_dns; -- cgit v1.2.3 From 4ac99c366cc1c2afacabc1a8df560aaee5a07b98 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 20 Jun 2011 14:43:31 +1000 Subject: - djm@cvs.openbsd.org 2011/06/17 21:57:25 [clientloop.c] setproctitle for a mux master that has been gracefully stopped; bz#1911 from Bert.Wesarg AT googlemail.com --- ChangeLog | 4 ++++ clientloop.c | 6 ++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 74c3f90f4..a566ec0d2 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -21,6 +21,10 @@ [servconf.c] factor out multi-choice option parsing into a parse_multistate label and some support structures; ok dtucker@ + - djm@cvs.openbsd.org 2011/06/17 21:57:25 + [clientloop.c] + setproctitle for a mux master that has been gracefully stopped; + bz#1911 from Bert.Wesarg AT googlemail.com 20110603 - (dtucker) [README version.h contrib/caldera/openssh.spec diff --git a/clientloop.c b/clientloop.c index ed1d8a238..7b7349bd7 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.234 2011/05/08 12:52:01 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.235 2011/06/17 21:57:25 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -2157,8 +2157,10 @@ client_stop_mux(void) * If we are in persist mode, signal that we should close when all * active channels are closed. */ - if (options.control_persist) + if (options.control_persist) { session_closed = 1; + setproctitle("[stopped mux]"); + } } /* client specific fatal cleanup */ -- cgit v1.2.3 From 82c558761d0fa42dc954d62812b9e4b4a94f64bd Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 23 Jun 2011 08:20:30 +1000 Subject: - OpenBSD CVS Sync - djm@cvs.openbsd.org 2011/06/22 21:47:28 [servconf.c] reuse the multistate option arrays to pretty-print options for "sshd -T" --- ChangeLog | 6 ++++++ servconf.c | 71 ++++++++++++++++++++++++++++++-------------------------------- 2 files changed, 40 insertions(+), 37 deletions(-) diff --git a/ChangeLog b/ChangeLog index a566ec0d2..b8adb8a87 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20110623 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2011/06/22 21:47:28 + [servconf.c] + reuse the multistate option arrays to pretty-print options for "sshd -T" + 20110620 - OpenBSD CVS Sync - djm@cvs.openbsd.org 2011/06/04 00:10:26 diff --git a/servconf.c b/servconf.c index 909ad7d8f..03b974617 100644 --- a/servconf.c +++ b/servconf.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.220 2011/06/17 21:47:35 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.221 2011/06/22 21:47:28 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1549,31 +1549,32 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, } static const char * -fmt_intarg(ServerOpCodes code, int val) +fmt_multistate_int(int val, const struct multistate *m) { - if (code == sAddressFamily) { - switch (val) { - case AF_INET: - return "inet"; - case AF_INET6: - return "inet6"; - case AF_UNSPEC: - return "any"; - default: - return "UNKNOWN"; - } - } - if (code == sPermitRootLogin) { - switch (val) { - case PERMIT_NO_PASSWD: - return "without-password"; - case PERMIT_FORCED_ONLY: - return "forced-commands-only"; - case PERMIT_YES: - return "yes"; - } + u_int i; + + for (i = 0; m[i].key != NULL; i++) { + if (m[i].value == val) + return m[i].key; } - if (code == sProtocol) { + return "UNKNOWN"; +} + +static const char * +fmt_intarg(ServerOpCodes code, int val) +{ + if (val == -1) + return "unset"; + switch (code) { + case sAddressFamily: + return fmt_multistate_int(val, multistate_addressfamily); + case sPermitRootLogin: + return fmt_multistate_int(val, multistate_permitrootlogin); + case sGatewayPorts: + return fmt_multistate_int(val, multistate_gatewayports); + case sCompression: + return fmt_multistate_int(val, multistate_compression); + case sProtocol: switch (val) { case SSH_PROTO_1: return "1"; 
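Review bot: `fmt_multistate_int` carries no comment stating its contract, which `fmt_intarg` now relies on for every multistate option printed by `sshd -T`: a linear search returning the first key whose value matches, `"UNKNOWN"` otherwise. Suggest `/* Reverse-map a multistate option value to its keyword; "UNKNOWN" if no entry matches. */` above the definition. Moving the `val == -1` test to the top of `fmt_intarg` also means sProtocol now prints "unset" for -1 where the old code fell into the inner `default:`; fine if intended, but worth noting. The `default:` arm completed in the following hunk folds every remaining option code into a yes/no mapping, so a reader should know that any other int value reaching it prints "UNKNOWN".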
@@ -1584,20 +1585,16 @@ fmt_intarg(ServerOpCodes code, int val) default: return "UNKNOWN"; } + default: + switch (val) { + case 0: + return "no"; + case 1: + return "yes"; + default: + return "UNKNOWN"; + } } - if (code == sGatewayPorts && val == 2) - return "clientspecified"; - if (code == sCompression && val == COMP_DELAYED) - return "delayed"; - switch (val) { - case -1: - return "unset"; - case 0: - return "no"; - case 1: - return "yes"; - } - return "UNKNOWN"; } static const char * -- cgit v1.2.3 From 69ff1df952eebf0489b775a60ede094eaf596a05 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Thu, 23 Jun 2011 08:30:03 +1000 Subject: - djm@cvs.openbsd.org 2011/06/22 21:57:01 [servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c] [sandbox-systrace.c sandbox.h configure.ac Makefile.in] introduce sandboxing of the pre-auth privsep child using systrace(4). This introduces a new "UsePrivilegeSeparation=sandbox" option for sshd_config that applies mandatory restrictions on the syscalls the privsep child can perform. This prevents a compromised privsep child from being used to attack other hosts (by opening sockets and proxying) or probing local kernel attack surface. The sandbox is implemented using systrace(4) in unsupervised "fast-path" mode, where a list of permitted syscalls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option. UsePrivilegeSeparation=sandbox will become the default in the future so please start testing it now. feedback dtucker@; ok markus@ --- ChangeLog | 20 ++++++ Makefile.in | 5 +- configure.ac | 43 +++++++++++- sandbox-rlimit.c | 92 ++++++++++++++++++++++++++ sandbox-systrace.c | 187 +++++++++++++++++++++++++++++++++++++++++++++++++++++ sandbox.h | 23 +++++++ servconf.c | 15 ++++- servconf.h | 7 +- sshd.c | 30 +++++++-- sshd_config.5 | 10 ++- 10 files changed, 417 insertions(+), 15 deletions(-) create mode 100644 sandbox-rlimit.c create mode 100644 sandbox-systrace.c create mode 100755 sandbox.h diff --git a/ChangeLog b/ChangeLog index b8adb8a87..6a18e7193 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -3,6 +3,26 @@ - djm@cvs.openbsd.org 2011/06/22 21:47:28 [servconf.c] reuse the multistate option arrays to pretty-print options for "sshd -T" + - djm@cvs.openbsd.org 2011/06/22 21:57:01 + [servconf.c servconf.h sshd.c sshd_config.5] + [configure.ac Makefile.in] + introduce sandboxing of the pre-auth privsep child using systrace(4). + + This introduces a new "UsePrivilegeSeparation=sandbox" option for + sshd_config that applies mandatory restrictions on the syscalls the + privsep child can perform. This prevents a compromised privsep child + from being used to attack other hosts (by opening sockets and proxying) + or probing local kernel attack surface. + + The sandbox is implemented using systrace(4) in unsupervised "fast-path" + mode, where a list of permitted syscalls is supplied. Any syscall not + on the list results in SIGKILL being sent to the privsep child. Note + that this requires a kernel with the new SYSTR_POLICY_KILL option. + + UsePrivilegeSeparation=sandbox will become the default in the future + so please start testing it now. + + feedback dtucker@; ok markus@ 20110620 - OpenBSD CVS Sync diff --git a/Makefile.in b/Makefile.in index f5b147619..f64aaac94 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.322 2011/05/05 03:48:37 djm Exp $ +# $Id: Makefile.in,v 1.323 2011/06/22 22:30:03 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
@@ -89,7 +89,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ sftp-server.o sftp-common.o \ - roaming_common.o roaming_serv.o + roaming_common.o roaming_serv.o \ + sandbox-null.o sandbox-rlimit.o sandbox-systrace.o MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 diff --git a/configure.ac b/configure.ac index 8f36338ff..380a8b949 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.476 2011/06/03 02:11:38 djm Exp $ +# $Id: configure.ac,v 1.477 2011/06/22 22:30:03 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.476 $) +AC_REVISION($Revision: 1.477 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -106,6 +106,16 @@ AC_SUBST([LD]) AC_C_INLINE AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include ]) +AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [ + #include + #include + #include +]) +AC_CHECK_DECL([RLIMIT_NPROC], + [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [ + #include + #include +]) use_stack_protector=1 AC_ARG_WITH([stackprotect], 
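Review bot: The SSHDOBJS addition links `sandbox-null.o`, but no `sandbox-null.c` is created by this commit; the diffstat lists only sandbox-rlimit.c, sandbox-systrace.c and sandbox.h, and sandbox-null.c only appears in a later commit in this series (80b62e37). Unless the file already exists in the tree, sshd will not link at this commit even though configure.ac selects `SANDBOX_NULL` as the fallback style, so the three objects should be added together with their sources. All three objects are linked unconditionally and rely on their `#ifdef SANDBOX_*` guards to compile to nothing, which is worth a comment next to the list, e.g. `# each sandbox-*.c is empty unless its SANDBOX_* define is selected by configure`.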
@@ -2461,6 +2471,34 @@ AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"], [non-privileged user for privilege separation]) AC_SUBST([SSH_PRIVSEP_USER]) +# Decide which sandbox style to use +sandbox_arg="" +AC_ARG_WITH([sandbox], + [ --with-sandbox=style Specify privilege separation sandbox (no, rlimit, systrace)], + [ + if test "x$withval" = "xyes" ; then + sandbox_arg="" + else + sandbox_arg="$withval" + fi + ] +) +if test "x$sandbox_arg" = "xsystrace" || \ + ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then + SANDBOX_STYLE="systrace" + AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)]) +elif test "x$sandbox_arg" = "xrlimit" || \ + ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then + SANDBOX_STYLE="rlimit" + AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)]) +elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \ + test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then + SANDBOX_STYLE="none" + AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing]) +else + AC_MSG_ERROR([unsupported -with-sandbox]) +fi + # Cheap hack to ensure NEWS-OS libraries are arranged right. if test ! -z "$SONY" ; then LIBS="$LIBS -liberty"; @@ -4191,6 +4229,7 @@ echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" echo " BSD Auth support: $BSD_AUTH_MSG" echo " Random number source: $RAND_MSG" +echo " Privsep sandbox style: $SANDBOX_STYLE" echo "" diff --git a/sandbox-rlimit.c b/sandbox-rlimit.c new file mode 100644 index 000000000..4d832fc3d --- /dev/null +++ b/sandbox-rlimit.c 
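Review bot: The failure message names the option with a single dash, `AC_MSG_ERROR([unsupported -with-sandbox])`; it should read `AC_MSG_ERROR([unsupported --with-sandbox])` so the user can match it to the flag they passed. The help string advertises only `no, rlimit, systrace`, while the selection logic also accepts `none` and `null`; either list them in the help text or drop the aliases so the documented interface matches the accepted one. With no argument the script silently degrades from systrace to rlimit to none depending on what the probes found, so the summary line added in the second hunk is the only place an operator learns which sandbox they got; a short comment above the if-chain, e.g. `# default: strongest sandbox the host supports; see summary line`, would make that intent explicit.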
@@ -0,0 +1,92 @@ +/* + * Copyright (c) 2011 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#ifdef SANDBOX_RLIMIT + +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#include "log.h" +#include "sandbox.h" +#include "xmalloc.h" + +/* Minimal sandbox that sets zero nfiles, nprocs and filesize rlimits */ + +struct ssh_sandbox { + pid_t child_pid; +}; + +struct ssh_sandbox * +ssh_sandbox_init(void) +{ + struct ssh_sandbox *box; + + /* + * Strictly, we don't need to maintain any state here but we need + * to return non-NULL to satisfy the API. 
+ */ + debug3("%s: preparing rlimit sandbox", __func__); + box = xcalloc(1, sizeof(*box)); + box->child_pid = 0; + + return box; +} + +void +ssh_sandbox_child(struct ssh_sandbox *box) +{ + struct rlimit rl_zero; + + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + + if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", + __func__, strerror(errno)); + if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", + __func__, strerror(errno)); +#ifdef HAVE_RLIMIT_NPROC + if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", + __func__, strerror(errno)); +#endif +} + +void +ssh_sandbox_parent_finish(struct ssh_sandbox *box) +{ + free(box); + debug3("%s: finished", __func__); +} + +void +ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) +{ + box->child_pid = child_pid; +} + +#endif /* SANDBOX_RLIMIT */ diff --git a/sandbox-systrace.c b/sandbox-systrace.c new file mode 100644 index 000000000..5d0b7fb86 --- /dev/null +++ b/sandbox-systrace.c 
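Review bot: The file comment says the sandbox zeroes the nfiles, nprocs and filesize limits, but `RLIMIT_NPROC` is applied only under `#ifdef HAVE_RLIMIT_NPROC`, so on hosts without it the child can still fork and the comment overstates what is enforced. An `#else` branch with a comment, e.g. `/* RLIMIT_NPROC unavailable: fork(2) is not constrained by this sandbox */`, would record the gap where a reviewer will look for it. The reason both `rlim_cur` and `rlim_max` are zeroed also deserves a why-comment on the `rl_zero` assignment, e.g. `/* zero the hard limit too so the unprivileged child cannot raise it back */`, since that is what makes the restriction irreversible for the child.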
@@ -0,0 +1,187 @@ +/* + * Copyright (c) 2011 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#ifdef SANDBOX_SYSTRACE + +#include +#include +#include +#include +#include + +#include + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "atomicio.h" +#include "log.h" +#include "sandbox.h" +#include "xmalloc.h" + +static const int preauth_policy[] = { + SYS___sysctl, + SYS_close, + SYS_exit, + SYS_getpid, + SYS_gettimeofday, + SYS_madvise, + SYS_mmap, + SYS_mprotect, + SYS_poll, + SYS_munmap, + SYS_read, + SYS_select, + SYS_sigprocmask, + SYS_write, + -1 +}; + +struct ssh_sandbox { + int child_sock; + int parent_sock; + int systrace_fd; + pid_t child_pid; + struct systrace_policy policy; +}; + +struct ssh_sandbox * +ssh_sandbox_init(void) +{ + struct ssh_sandbox *box; + int s[2]; + + debug3("%s: preparing systrace sandbox", __func__); + box = xcalloc(1, sizeof(*box)); + if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) == -1) + fatal("%s: socketpair: %s", __func__, strerror(errno)); + box->child_sock = s[0]; + box->parent_sock = s[1]; + box->systrace_fd = -1; + box->child_pid = 0; + + return box; +} + +void +ssh_sandbox_child(struct ssh_sandbox *box) +{ + char whatever = 0; + + close(box->parent_sock); + /* 
Signal parent that we are ready */ + debug3("%s: ready", __func__); + if (atomicio(vwrite, box->child_sock, &whatever, 1) != 1) + fatal("%s: write: %s", __func__, strerror(errno)); + /* Wait for parent to signal for us to go */ + if (atomicio(read, box->child_sock, &whatever, 1) != 1) + fatal("%s: read: %s", __func__, strerror(errno)); + debug3("%s: started", __func__); + close(box->child_sock); +} + +static void +ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid, + const int *allowed_syscalls) +{ + int dev_systrace, i, j, found; + char whatever = 0; + + debug3("%s: wait for child %ld", __func__, (long)child_pid); + box->child_pid = child_pid; + close(box->child_sock); + /* Wait for child to signal that it is ready */ + if (atomicio(read, box->parent_sock, &whatever, 1) != 1) + fatal("%s: read: %s", __func__, strerror(errno)); + debug3("%s: child %ld ready", __func__, (long)child_pid); + + /* Set up systracing of child */ + if ((dev_systrace = open("/dev/systrace", O_RDONLY)) == -1) + fatal("%s: open(\"/dev/systrace\"): %s", __func__, + strerror(errno)); + if (ioctl(dev_systrace, STRIOCCLONE, &box->systrace_fd) == -1) + fatal("%s: ioctl(STRIOCCLONE, %d): %s", __func__, + dev_systrace, strerror(errno)); + close(dev_systrace); + debug3("%s: systrace attach, fd=%d", __func__, box->systrace_fd); + if (ioctl(box->systrace_fd, STRIOCATTACH, &child_pid) == -1) + fatal("%s: ioctl(%d, STRIOCATTACH, %d): %s", __func__, + box->systrace_fd, child_pid, strerror(errno)); + + /* Allocate and assign policy */ + bzero(&box->policy, sizeof(box->policy)); + box->policy.strp_op = SYSTR_POLICY_NEW; + box->policy.strp_maxents = SYS_MAXSYSCALL; + if (ioctl(box->systrace_fd, STRIOCPOLICY, &box->policy) == -1) + fatal("%s: ioctl(%d, STRIOCPOLICY (new)): %s", __func__, + box->systrace_fd, strerror(errno)); + + box->policy.strp_op = SYSTR_POLICY_ASSIGN; + box->policy.strp_pid = box->child_pid; + if (ioctl(box->systrace_fd, STRIOCPOLICY, &box->policy) == -1) + fatal("%s: ioctl(%d, 
STRIOCPOLICY (assign)): %s", + __func__, box->systrace_fd, strerror(errno)); + + /* Set per-syscall policy */ + for (i = 0; i < SYS_MAXSYSCALL; i++) { + for (j = found = 0; allowed_syscalls[j] != -1 && !found; j++) { + if (allowed_syscalls[j] == i) + found = 1; + } + box->policy.strp_op = SYSTR_POLICY_MODIFY; + box->policy.strp_code = i; + box->policy.strp_policy = found ? + SYSTR_POLICY_PERMIT : SYSTR_POLICY_KILL; + if (found) + debug3("%s: policy: enable syscall %d", __func__, i); + if (ioctl(box->systrace_fd, STRIOCPOLICY, + &box->policy) == -1) + fatal("%s: ioctl(%d, STRIOCPOLICY (modify)): %s", + __func__, box->systrace_fd, strerror(errno)); + } + + /* Signal the child to start running */ + debug3("%s: start child %ld", __func__, (long)child_pid); + if (atomicio(vwrite, box->parent_sock, &whatever, 1) != 1) + fatal("%s: write: %s", __func__, strerror(errno)); + close(box->parent_sock); +} + +void +ssh_sandbox_parent_finish(struct ssh_sandbox *box) +{ + /* Closing this before the child exits will terminate it */ + close(box->systrace_fd); + + free(box); + debug3("%s: finished", __func__); +} + +void +ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) +{ + ssh_sandbox_parent(box, child_pid, preauth_policy); +} + +#endif /* SANDBOX_SYSTRACE */ diff --git a/sandbox.h b/sandbox.h new file mode 100755 index 000000000..5fe30644d --- /dev/null +++ b/sandbox.h 
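Review bot: `preauth_policy` is the security boundary of this file, yet it has no comment saying what it is or how it is terminated; the per-syscall loop in `ssh_sandbox_parent` turns every entry into `SYSTR_POLICY_PERMIT` and everything else into `SYSTR_POLICY_KILL`, and stops at the `-1` sentinel. Suggest above the array: `/* Syscalls the pre-auth child may make; ssh_sandbox_parent() answers any other syscall with SYSTR_POLICY_KILL. Terminated by -1. */`. The handshake ordering is likewise worth one line at the final `atomicio(vwrite, box->parent_sock, ...)`, e.g. `/* policy is attached and assigned; release the child */`, because the child is only safe to run once `STRIOCATTACH` and the `STRIOCPOLICY` assignment have succeeded. Note that `SYS_MAXSYSCALL` `STRIOCPOLICY` ioctls are issued per preauth child; that cost is probably acceptable here but is not mentioned anywhere.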
@@ -0,0 +1,23 @@ +/* $OpenBSD: sandbox.h,v 1.2 2011/06/22 22:14:05 djm Exp $ */ +/* + * Copyright (c) 2011 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +struct ssh_sandbox; + +struct ssh_sandbox *ssh_sandbox_init(void); +void ssh_sandbox_child(struct ssh_sandbox *); +void ssh_sandbox_parent_finish(struct ssh_sandbox *); +void ssh_sandbox_parent_preauth(struct ssh_sandbox *, pid_t); diff --git a/servconf.c b/servconf.c index 03b974617..91986e55d 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.221 2011/06/22 21:47:28 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.222 2011/06/22 21:57:01 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -280,7 +280,7 @@ fill_default_server_options(ServerOptions *options) /* Turn privilege separation on by default */ if (use_privsep == -1) - use_privsep = 1; + use_privsep = PRIVSEP_ON; #ifndef HAVE_MMAP if (use_privsep && options->compression == 1) { 
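Review bot: `sandbox.h` declares `ssh_sandbox_parent_preauth(struct ssh_sandbox *, pid_t)` but includes nothing, so it relies on every includer already having `pid_t` in scope; a `#include <sys/types.h>` at the top would make the header self-contained. The diffstat also records the file as `create mode 100755`, which is an executable bit on a C header and should be 100644 like the two new .c files. A one-line comment describing the lifecycle the four functions implement (init before fork, child in the child, parent_preauth then parent_finish in the parent) would help callers such as the sshd.c hunk that follows.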
@@ -701,6 +701,12 @@ static const struct multistate multistate_gatewayports[] = { { "no", 0 }, { NULL, -1 } }; +static const struct multistate multistate_privsep[] = { + { "sandbox", PRIVSEP_SANDBOX }, + { "yes", PRIVSEP_ON }, + { "no", PRIVSEP_OFF }, + { NULL, -1 } +}; int process_server_config_line(ServerOptions *options, char *line, @@ -1066,7 +1072,8 @@ process_server_config_line(ServerOptions *options, char *line, case sUsePrivilegeSeparation: intptr = &use_privsep; - goto parse_flag; + multistate_ptr = multistate_privsep; + goto parse_multistate; case sAllowUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { @@ -1574,6 +1581,8 @@ fmt_intarg(ServerOpCodes code, int val) return fmt_multistate_int(val, multistate_gatewayports); case sCompression: return fmt_multistate_int(val, multistate_compression); + case sUsePrivilegeSeparation: + return fmt_multistate_int(val, multistate_privsep); case sProtocol: switch (val) { case SSH_PROTO_1: diff --git a/servconf.h b/servconf.h index 31e621bde..89f38e20f 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.98 2011/05/23 03:30:07 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.99 2011/06/22 21:57:01 djm Exp $ */ /* * Author: Tatu Ylonen @@ -36,6 +36,11 @@ #define PERMIT_NO_PASSWD 2 #define PERMIT_YES 3 +/* use_privsep */ +#define PRIVSEP_OFF 0 +#define PRIVSEP_ON 1 +#define PRIVSEP_SANDBOX 2 + #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ diff --git a/sshd.c b/sshd.c index 6e15522b3..bebcb9bf5 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.383 2011/06/17 21:44:31 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.384 2011/06/22 21:57:01 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -118,6 +118,7 @@ #endif #include "monitor_wrap.h" #include "roaming.h" +#include "sandbox.h" #include "version.h" #ifdef LIBWRAP 
@@ -624,18 +625,23 @@ privsep_preauth(Authctxt *authctxt) { int status; pid_t pid; + struct ssh_sandbox *box = NULL; /* Set up unprivileged child process to deal with network data */ pmonitor = monitor_init(); /* Store a pointer to the kex for later rekeying */ pmonitor->m_pkex = &xxx_kex; + if (use_privsep == PRIVSEP_SANDBOX) + box = ssh_sandbox_init(); pid = fork(); if (pid == -1) { fatal("fork of unprivileged child failed"); } else if (pid != 0) { debug2("Network child is on pid %ld", (long)pid); + if (box != NULL) + ssh_sandbox_parent_preauth(box, pid); pmonitor->m_pid = pid; monitor_child_preauth(authctxt, pmonitor); @@ -643,10 +649,21 @@ privsep_preauth(Authctxt *authctxt) monitor_sync(pmonitor); /* Wait for the child's exit status */ - while (waitpid(pid, &status, 0) < 0) + while (waitpid(pid, &status, 0) < 0) { if (errno != EINTR) - break; - return (1); + fatal("%s: waitpid: %s", __func__, + strerror(errno)); + } + if (WIFEXITED(status)) { + if (WEXITSTATUS(status) != 0) + fatal("%s: preauth child exited with status %d", + __func__, WEXITSTATUS(status)); + } else if (WIFSIGNALED(status)) + fatal("%s: preauth child terminated by signal %d", + __func__, WTERMSIG(status)); + if (box != NULL) + ssh_sandbox_parent_finish(box); + return 1; } else { /* child */ close(pmonitor->m_sendfd); @@ -659,8 +676,11 @@ privsep_preauth(Authctxt *authctxt) if (getuid() == 0 || geteuid() == 0) privsep_preauth_child(); setproctitle("%s", "[net]"); + if (box != NULL) + ssh_sandbox_child(box); + + return 0; } - return (0); } static void diff --git a/sshd_config.5 b/sshd_config.5 index 70a53b3a9..f78452c85 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
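Review bot: The new `WIFSIGNALED` branch in privsep_preauth logs only the raw signal number, yet with the systrace sandbox introduced in this commit a `SIGKILL` here is the expected symptom of a disallowed syscall, so the message is the one place an operator can tell a sandbox violation from an external kill. Suggest `fatal("%s: preauth child terminated by signal %d%s", __func__, WTERMSIG(status), box != NULL ? " (possibly a sandbox violation)" : "");` or an equivalent `debug`/`logit` line before the fatal. On the same path `ssh_sandbox_parent_finish(box)` is only reached after a clean exit, which is fine because `fatal()` ends the process, but a comment saying so would stop a later reader from "fixing" the apparent leak. The enclosing function starts outside the first hunk.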
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.133 2011/05/23 07:10:21 jmc Exp $ -.Dd $Mdocdate: May 23 2011 $ +.\" $OpenBSD: sshd_config.5,v 1.134 2011/06/22 21:57:01 djm Exp $ +.Dd $Mdocdate: June 22 2011 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -1071,6 +1071,12 @@ The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is .Dq yes . +If +.Cm UsePrivilegeSeparation +is set to +.Dq sandbox +then the pre-authentication unprivileged process is subject to additional +restrictions. .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's -- cgit v1.2.3 From 6d7b4377dd740a215ded149b5ffbc871ba7891f8 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 23 Jun 2011 08:31:57 +1000 Subject: - djm@cvs.openbsd.org 2011/06/22 22:08:42 [channels.c channels.h clientloop.c clientloop.h mux.c ssh.c] hook up a channel confirm callback to warn the user then requested X11 forwarding was refused by the server; ok markus@ --- ChangeLog | 4 ++++ channels.c | 6 +++--- channels.h | 4 ++-- clientloop.c | 5 ++--- clientloop.h | 6 +++++- mux.c | 8 +++++--- ssh.c | 12 +++++++----- 7 files changed, 28 insertions(+), 17 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6a18e7193..577f5ecd2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,10 @@ so please start testing it now. feedback dtucker@; ok markus@ + - djm@cvs.openbsd.org 2011/06/22 22:08:42 + [channels.c channels.h clientloop.c clientloop.h mux.c ssh.c] + hook up a channel confirm callback to warn the user then requested X11 + forwarding was refused by the server; ok markus@ 20110620 - OpenBSD CVS Sync diff --git a/channels.c b/channels.c index 6abe2d012..24d4a9f42 100644 --- a/channels.c +++ b/channels.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.310 2010/11/24 01:24:14 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.311 2011/06/22 22:08:42 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -3562,7 +3562,7 @@ deny_input_open(int type, u_int32_t seq, void *ctxt) */ void x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, - const char *proto, const char *data) + const char *proto, const char *data, int want_reply) { u_int data_len = (u_int) strlen(data) / 2; u_int i, value; @@ -3615,7 +3615,7 @@ x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, /* Send the request packet. */ if (compat20) { - channel_request_start(client_session_id, "x11-req", 0); + channel_request_start(client_session_id, "x11-req", want_reply); packet_put_char(0); /* XXX bool single connection */ } else { packet_start(SSH_CMSG_X11_REQUEST_FORWARDING); diff --git a/channels.h b/channels.h index 0680ed00e..e2941c85a 100644 --- a/channels.h +++ b/channels.h @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.104 2010/05/14 23:29:23 djm Exp $ */ +/* $OpenBSD: channels.h,v 1.105 2011/06/22 22:08:42 djm Exp $ */ /* * Author: Tatu Ylonen @@ -271,7 +271,7 @@ int x11_connect_display(void); int x11_create_display_inet(int, int, int, u_int *, int **); void x11_input_open(int, u_int32_t, void *); void x11_request_forwarding_with_spoofing(int, const char *, const char *, - const char *); + const char *, int); void deny_input_open(int, u_int32_t, void *); /* agent forwarding */ diff --git a/clientloop.c b/clientloop.c index 7b7349bd7..c19b01f19 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.235 2011/06/17 21:57:25 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.236 2011/06/22 22:08:42 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
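Review bot: The new `want_reply` parameter of `x11_request_forwarding_with_spoofing` is only honoured in the `compat20` branch; the protocol-1 `packet_start(SSH_CMSG_X11_REQUEST_FORWARDING)` path ignores it, and the ssh.c hunk in this same commit passes `0` on that path and then reads a reply regardless. That asymmetry should be stated on the parameter in channels.h or above the function, e.g. `/* want_reply: protocol 2 only; protocol 1 always answers the request */`, so callers do not expect it to suppress the SSH1 response. The function body continues outside the hunk.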
@@ -174,7 +174,6 @@ struct escape_filter_ctx { }; /* Context for channel confirmation replies */ -enum confirm_action { CONFIRM_WARN = 0, CONFIRM_CLOSE, CONFIRM_TTY }; struct channel_reply_ctx { const char *request_type; int id; @@ -801,7 +800,7 @@ client_abandon_status_confirm(Channel *c, void *ctx) xfree(ctx); } -static void +void client_expect_confirm(int id, const char *request, enum confirm_action action) { diff --git a/clientloop.h b/clientloop.h index ad588d14d..a259b5e14 100644 --- a/clientloop.h +++ b/clientloop.h @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.h,v 1.27 2011/05/08 12:52:01 djm Exp $ */ +/* $OpenBSD: clientloop.h,v 1.28 2011/06/22 22:08:42 djm Exp $ */ /* * Author: Tatu Ylonen @@ -56,6 +56,10 @@ int client_simple_escape_filter(Channel *, char *, int); typedef void global_confirm_cb(int, u_int32_t seq, void *); void client_register_global_confirm(global_confirm_cb *, void *); +/* Channel request confirmation callbacks */ +enum confirm_action { CONFIRM_WARN = 0, CONFIRM_CLOSE, CONFIRM_TTY }; +void client_expect_confirm(int, const char *, enum confirm_action); + /* Multiplexing protocol version */ #define SSHMUX_VER 4 diff --git a/mux.c b/mux.c index 101d7524b..add0e26b1 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.28 2011/05/08 12:52:01 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.29 2011/06/22 22:08:42 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -1214,8 +1214,10 @@ mux_session_confirm(int id, int success, void *arg) /* Request forwarding with authentication spoofing. */ debug("Requesting X11 forwarding with authentication " "spoofing."); - x11_request_forwarding_with_spoofing(id, display, proto, data); - /* XXX wait for reply */ + x11_request_forwarding_with_spoofing(id, display, proto, + data, 1); + client_expect_confirm(id, "X11 forwarding", CONFIRM_WARN); + /* XXX exit_on_forward_failure */ } if (cctx->want_agent_fwd && options.forward_agent) { diff --git a/ssh.c b/ssh.c index 900537581..97eb9c0d4 100644 
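Review bot: In the mux.c hunk `client_expect_confirm(id, "X11 forwarding", CONFIRM_WARN)` is unconditional, so a server that refuses the x11-req now produces a warning but nothing stronger, even though `options` is in scope (it is consulted for `forward_agent` two lines later); the `/* XXX exit_on_forward_failure */` marker records the gap but not its consequence. The same pattern appears in the ssh.c `ssh_session2_setup` hunk on the next line. Since none of the `confirm_action` values (`CONFIRM_WARN`, `CONFIRM_CLOSE`, `CONFIRM_TTY`) terminates the session, I would make the marker explicit rather than leave it as a bare XXX: `/* XXX ExitOnForwardFailure is not honoured here: a refused X11 request is only warned about, never fatal */`. The enum now lives in clientloop.h with only a one-line heading; a per-value comment (what each action does on a failed request, presumably warn / close channel / tty-related) would help the mux.c caller, which previously had no access to it. mux_session_confirm starts above the hunk.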
--- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.362 2011/06/03 00:54:38 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.363 2011/06/22 22:08:42 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1239,8 +1239,8 @@ ssh_session(void) /* Request forwarding with authentication spoofing. */ debug("Requesting X11 forwarding with authentication " "spoofing."); - x11_request_forwarding_with_spoofing(0, display, proto, data); - + x11_request_forwarding_with_spoofing(0, display, proto, + data, 0); /* Read response from the server. */ type = packet_read(); if (type == SSH_SMSG_SUCCESS) { @@ -1338,9 +1338,11 @@ ssh_session2_setup(int id, int success, void *arg) /* Request forwarding with authentication spoofing. */ debug("Requesting X11 forwarding with authentication " "spoofing."); - x11_request_forwarding_with_spoofing(id, display, proto, data); + x11_request_forwarding_with_spoofing(id, display, proto, + data, 1); + client_expect_confirm(id, "X11 forwarding", CONFIRM_WARN); + /* XXX exit_on_forward_failure */ interactive = 1; - /* XXX wait for reply */ } check_agent_present(); -- cgit v1.2.3 From 80b62e37384b14187b6d9fa5eb3cf6bf04a3cf3a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 23 Jun 2011 19:03:18 +1000 Subject: - (djm) [sandbox-null.c] Dummy sandbox for platforms that don't support setrlimit(2) --- ChangeLog | 2 ++ sandbox-null.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 73 insertions(+) create mode 100644 sandbox-null.c diff --git a/ChangeLog b/ChangeLog index 577f5ecd2..9a6724225 100644 --- a/ChangeLog +++ b/ChangeLog @@ -27,6 +27,8 @@ [channels.c channels.h clientloop.c clientloop.h mux.c ssh.c] hook up a channel confirm callback to warn the user then requested X11 forwarding was refused by the server; ok markus@ + - (djm) [sandbox-null.c] Dummy sandbox for platforms that don't support + setrlimit(2) 20110620 - OpenBSD CVS Sync 
diff --git a/sandbox-null.c b/sandbox-null.c new file mode 100644 index 000000000..eadaee2da --- /dev/null +++ b/sandbox-null.c @@ -0,0 +1,71 @@ +/* + * Copyright (c) 2011 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#ifdef SANDBOX_NULL + +#include + +#include +#include +#include +#include +#include +#include + +#include "log.h" +#include "sandbox.h" +#include "xmalloc.h" + +/* dummy sandbox */ + +struct ssh_sandbox { + int junk; +}; + +struct ssh_sandbox * +ssh_sandbox_init(void) +{ + struct ssh_sandbox *box; + + /* + * Strictly, we don't need to maintain any state here but we need + * to return non-NULL to satisfy the API. + */ + box = xcalloc(1, sizeof(*box)); + return box; +} + +void +ssh_sandbox_child(struct ssh_sandbox *box) +{ + /* Nothing to do here */ +} + +void +ssh_sandbox_parent_finish(struct ssh_sandbox *box) +{ + free(box); +} + +void +ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) +{ + /* Nothing to do here */ +} + +#endif /* SANDBOX_NULL */ -- cgit v1.2.3 From dcbd41e7aff4c7ef10dd13d8833a8cba82f9a794 Mon Sep 17 00:00:00 2001 
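Review bot: `ssh_sandbox_child()` and `ssh_sandbox_parent_preauth()` do nothing, so on a SANDBOX_NULL build `UsePrivilegeSeparation sandbox` behaves exactly like plain privsep but nothing at runtime says so; the sshd_config.5 text earlier on this page promises "additional restrictions" for that setting. Since log.h is already included and `debug3()` is used by the other backends, I would have the child announce the situation, e.g. `debug3("%s: no sandbox available on this platform; pre-auth process is not further restricted", __func__);`, so that a verbose log makes the absence of sandboxing visible to an administrator. The `/* dummy sandbox */` heading should say the same in one line rather than leave it to the reader. Unused `box` parameters are fine here, but `(void)box;` or a comment would keep `-Wunused-parameter` quiet if it is ever enabled.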
From: Damien Miller Date: Thu, 23 Jun 2011 19:45:51 +1000 Subject: - djm@cvs.openbsd.org 2011/06/23 09:34:13 [sshd.c ssh-sandbox.h sandbox.h sandbox-rlimit.c sandbox-systrace.c] [sandbox-null.c] rename sandbox.h => ssh-sandbox.h to make things easier for portable --- ChangeLog | 4 ++++ sandbox-null.c | 3 ++- sandbox-rlimit.c | 3 ++- sandbox-systrace.c | 3 ++- sandbox.h | 23 ----------------------- ssh-sandbox.h | 23 +++++++++++++++++++++++ sshd.c | 4 ++-- 7 files changed, 35 insertions(+), 28 deletions(-) delete mode 100755 sandbox.h create mode 100644 ssh-sandbox.h diff --git a/ChangeLog b/ChangeLog index 9a6724225..f9f9efcef 100644 --- a/ChangeLog +++ b/ChangeLog @@ -27,6 +27,10 @@ [channels.c channels.h clientloop.c clientloop.h mux.c ssh.c] hook up a channel confirm callback to warn the user then requested X11 forwarding was refused by the server; ok markus@ + - djm@cvs.openbsd.org 2011/06/23 09:34:13 + [sshd.c ssh-sandbox.h sandbox.h sandbox-rlimit.c sandbox-systrace.c] + [sandbox-null.c] + rename sandbox.h => ssh-sandbox.h to make things easier for portable - (djm) [sandbox-null.c] Dummy sandbox for platforms that don't support setrlimit(2) diff --git a/sandbox-null.c b/sandbox-null.c index eadaee2da..29fa9669f 100644 --- a/sandbox-null.c +++ b/sandbox-null.c @@ -1,3 +1,4 @@ +/* $OpenBSD$ */ /* * Copyright (c) 2011 Damien Miller * @@ -28,7 +29,7 @@ #include #include "log.h" -#include "sandbox.h" +#include "ssh-sandbox.h" #include "xmalloc.h" /* dummy sandbox */ diff --git a/sandbox-rlimit.c b/sandbox-rlimit.c index 4d832fc3d..761e9284f 100644 --- a/sandbox-rlimit.c +++ b/sandbox-rlimit.c @@ -1,3 +1,4 @@ +/* $OpenBSD: sandbox-rlimit.c,v 1.3 2011/06/23 09:34:13 djm Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -31,7 +32,7 @@ #include #include "log.h" -#include "sandbox.h" +#include "ssh-sandbox.h" #include "xmalloc.h" /* Minimal sandbox that sets zero nfiles, nprocs and filesize rlimits */ 
diff --git a/sandbox-systrace.c b/sandbox-systrace.c index 5d0b7fb86..8058b7d40 100644 --- a/sandbox-systrace.c +++ b/sandbox-systrace.c @@ -1,3 +1,4 @@ +/* $OpenBSD: sandbox-systrace.c,v 1.3 2011/06/23 09:34:13 djm Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -37,7 +38,7 @@ #include "atomicio.h" #include "log.h" -#include "sandbox.h" +#include "ssh-sandbox.h" #include "xmalloc.h" static const int preauth_policy[] = { diff --git a/sandbox.h b/sandbox.h deleted file mode 100755 index 5fe30644d..000000000 --- a/sandbox.h +++ /dev/null @@ -1,23 +0,0 @@ -/* $OpenBSD: sandbox.h,v 1.2 2011/06/22 22:14:05 djm Exp $ */ -/* - * Copyright (c) 2011 Damien Miller - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -struct ssh_sandbox; - -struct ssh_sandbox *ssh_sandbox_init(void); -void ssh_sandbox_child(struct ssh_sandbox *); -void ssh_sandbox_parent_finish(struct ssh_sandbox *); -void ssh_sandbox_parent_preauth(struct ssh_sandbox *, pid_t); diff --git a/ssh-sandbox.h b/ssh-sandbox.h new file mode 100644 index 000000000..dfecd5aa0 --- /dev/null +++ b/ssh-sandbox.h 
@@ -0,0 +1,23 @@ +/* $OpenBSD: ssh-sandbox.h,v 1.1 2011/06/23 09:34:13 djm Exp $ */ +/* + * Copyright (c) 2011 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +struct ssh_sandbox; + +struct ssh_sandbox *ssh_sandbox_init(void); +void ssh_sandbox_child(struct ssh_sandbox *); +void ssh_sandbox_parent_finish(struct ssh_sandbox *); +void ssh_sandbox_parent_preauth(struct ssh_sandbox *, pid_t); diff --git a/sshd.c b/sshd.c index bebcb9bf5..cc1039558 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.384 2011/06/22 21:57:01 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.385 2011/06/23 09:34:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -118,7 +118,7 @@ #endif #include "monitor_wrap.h" #include "roaming.h" -#include "sandbox.h" +#include "ssh-sandbox.h" #include "version.h" #ifdef LIBWRAP -- cgit v1.2.3 From cd5e52ee784f0ff67b60ffeeab335ed64df688a4 Mon Sep 17 00:00:00 2001 
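Review bot: The new ssh-sandbox.h declares four entry points with no description of the contract every backend must honour — which process each runs in, who owns the `struct ssh_sandbox` returned by `ssh_sandbox_init()`, and that `ssh_sandbox_parent_finish()` releases it (the null and darwin implementations on this page both `free(box)` there). As this header is now the seam all platform sandboxes implement, a one-line comment per prototype would be appropriate, e.g. `/* Run in the unprivileged child before pre-auth work begins; must not return on failure */` on `ssh_sandbox_child` — the "must not return" part is what the rlimit/darwin code does via `fatal()`, so hedge it if a backend may differ. The header also uses `pid_t` without including `<sys/types.h>` and has no include guard, both of which make it depend on the order of includes in the .c files.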
From: Damien Miller Date: Mon, 27 Jun 2011 07:18:18 +1000 Subject: - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for Darwin/OS X using sandbox_init() + setrlimit(); feedback and testing markus@ --- ChangeLog | 5 +++ Makefile.in | 4 +-- configure.ac | 11 +++++-- sandbox-darwin.c | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 114 insertions(+), 4 deletions(-) create mode 100644 sandbox-darwin.c diff --git a/ChangeLog b/ChangeLog index f9f9efcef..f25da55fb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20110624 + - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for + Darwin/OS X using sandbox_init() + setrlimit(); feedback and testing + markus@ + 20110623 - OpenBSD CVS Sync - djm@cvs.openbsd.org 2011/06/22 21:47:28 diff --git a/Makefile.in b/Makefile.in index f64aaac94..aeb67e1d8 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.323 2011/06/22 22:30:03 djm Exp $ +# $Id: Makefile.in,v 1.324 2011/06/26 21:18:20 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -90,7 +90,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ sftp-server.o sftp-common.o \ roaming_common.o roaming_serv.o \ - sandbox-null.o sandbox-rlimit.o sandbox-systrace.o + sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 diff --git a/configure.ac b/configure.ac index 380a8b949..74d5263a4 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.477 2011/06/22 22:30:03 djm Exp $ +# $Id: configure.ac,v 1.478 2011/06/26 21:18:20 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.477 $) +AC_REVISION($Revision: 1.478 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -525,6 +525,8 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV], [Define to a Set Process Title type if your system is supported by bsd-setproctitle.c]) + AC_CHECK_FUNCS([sandbox_init]) + AC_CHECK_HEADERS([sandbox.h]) ;; *-*-dragonfly*) SSHDLIBS="$SSHDLIBS -lcrypt" @@ -2487,6 +2489,11 @@ if test "x$sandbox_arg" = "xsystrace" || \ ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then SANDBOX_STYLE="systrace" AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)]) +elif test "x$sandbox_arg" = "xdarwin" || \ + ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \ + test "x$ac_cv_header_sandbox_h" = "xyes") ; then + SANDBOX_STYLE="darwin" + AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)]) elif test "x$sandbox_arg" = "xrlimit" || \ ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then SANDBOX_STYLE="rlimit" diff --git a/sandbox-darwin.c b/sandbox-darwin.c new file mode 100644 index 000000000..69901ef14 --- /dev/null +++ b/sandbox-darwin.c 
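Review bot: The explicit `--with-sandbox=darwin` branch selects `SANDBOX_DARWIN` without checking that `sandbox_init` and `sandbox.h` were actually found; only the auto-detect half of the condition tests `ac_cv_func_sandbox_init` and `ac_cv_header_sandbox_h`, and the checks themselves run only inside the Darwin case further up. Requesting it on another platform therefore fails late, at compile time in sandbox-darwin.c, rather than in configure. I would add after `SANDBOX_STYLE="darwin"`: `test "x$ac_cv_func_sandbox_init" != "xyes" -o "x$ac_cv_header_sandbox_h" != "xyes" && AC_MSG_ERROR([Darwin sandbox requires sandbox.h and sandbox_init()])`. The existing systrace and rlimit branches follow the same unchecked pattern, so this may be a deliberate style; if so, the same guard belongs in each.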
@@ -0,0 +1,98 @@ +/* + * Copyright (c) 2011 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#ifdef SANDBOX_DARWIN + +#include + +#include + +#include +#include +#include +#include +#include +#include + +#include "log.h" +#include "sandbox.h" +#include "xmalloc.h" + +/* Darwin/OS X sandbox */ + +struct ssh_sandbox { + pid_t child_pid; +}; + +struct ssh_sandbox * +ssh_sandbox_init(void) +{ + struct ssh_sandbox *box; + + /* + * Strictly, we don't need to maintain any state here but we need + * to return non-NULL to satisfy the API. + */ + debug3("%s: preparing Darwin sandbox", __func__); + box = xcalloc(1, sizeof(*box)); + box->child_pid = 0; + + return box; +} + +void +ssh_sandbox_child(struct ssh_sandbox *box) +{ + char *errmsg; + struct rlimit rl_zero; + + debug3("%s: starting Darwin sandbox", __func__); + if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED, + &errmsg) == -1) + fatal("%s: sandbox_init: %s", __func__, errmsg); + + /* + * The kSBXProfilePureComputation still allows sockets, so + * we must disable these using rlimit. 
+ */ + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", + __func__, strerror(errno)); + if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", + __func__, strerror(errno)); + if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", + __func__, strerror(errno)); +} + +void +ssh_sandbox_parent_finish(struct ssh_sandbox *box) +{ + free(box); + debug3("%s: finished", __func__); +} + +void +ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) +{ + box->child_pid = child_pid; +} + +#endif /* SANDBOX_DARWIN */ -- cgit v1.2.3 From 7741ce8bd2d0aef8aae0c2406eb51b617f1165fe Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 6 Aug 2011 06:15:15 +1000 Subject: - djm@cvs.openbsd.org 2011/06/23 23:35:42 [monitor.c] ignore EINTR errors from poll() --- ChangeLog | 6 ++++++ Makefile.in | 4 +++- monitor.c | 7 +++++-- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index f25da55fb..ae6de3f2a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20110805 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2011/06/23 23:35:42 + [monitor.c] + ignore EINTR errors from poll() + 20110624 - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for Darwin/OS X using sandbox_init() + setrlimit(); feedback and testing diff --git a/Makefile.in b/Makefile.in index aeb67e1d8..3be3aa617 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.324 2011/06/26 21:18:20 djm Exp $ +# $Id: Makefile.in,v 1.325 2011/08/05 20:15:18 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -213,6 +213,8 @@ distclean: regressclean veryclean: distclean rm -f configure config.h.in *.0 +cleandir: veryclean + mrproper: veryclean realclean: veryclean diff --git a/monitor.c b/monitor.c index bb8003c67..a166fed2e 100644 
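Review bot: The new file does `#include "sandbox.h"` while the commit immediately before this one renamed the project header to ssh-sandbox.h and switched sshd.c, sandbox-null.c and the others to `#include "ssh-sandbox.h"`; with the quoted form and no local sandbox.h left, this presumably resolves to the Darwin system `<sandbox.h>` (which the file needs for `sandbox_init`), but the four `ssh_sandbox_*` definitions are then never checked against the shared prototypes. Unless that is intended, the fix is to keep the system header in the angle-bracket block above and add `#include "ssh-sandbox.h"` next to `"log.h"`. Separately, the comment above the rlimit calls explains the socket restriction but not that `RLIMIT_NOFILE = 0` only blocks new descriptors, leaving the monitor socket usable; `/* RLIMIT_NOFILE 0 prevents opening new descriptors; already-open fds (monitor socket) stay usable */` would save the next reader the question. `box->child_pid` is stored by `ssh_sandbox_parent_preauth()` but read nowhere in this file.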
--- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.114 2011/06/17 21:44:30 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.115 2011/06/23 23:35:42 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -554,8 +554,11 @@ monitor_read(struct monitor *pmonitor, struct mon_table *ent, pfd[0].events = POLLIN; pfd[1].fd = pmonitor->m_log_recvfd; pfd[1].events = pfd[1].fd == -1 ? 0 : POLLIN; - if (poll(pfd, pfd[1].fd == -1 ? 1 : 2, -1) == -1) + if (poll(pfd, pfd[1].fd == -1 ? 1 : 2, -1) == -1) { + if (errno == EINTR || errno == EAGAIN) + continue; fatal("%s: poll: %s", __func__, strerror(errno)); + } if (pfd[1].revents) { /* * Drain all log messages before processing next -- cgit v1.2.3 From 6ea5e44871314a980e7506282450b58fc78ae9aa Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 6 Aug 2011 06:16:00 +1000 Subject: - tedu@cvs.openbsd.org 2011/07/06 18:09:21 [authfd.c] bzero the agent address. the kernel was for a while very cranky about these things. evne though that's fixed, always good to initialize memory. ok deraadt djm --- ChangeLog | 5 +++++ authfd.c | 3 ++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index ae6de3f2a..7de7fdbf8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,11 @@ - djm@cvs.openbsd.org 2011/06/23 23:35:42 [monitor.c] ignore EINTR errors from poll() + - tedu@cvs.openbsd.org 2011/07/06 18:09:21 + [authfd.c] + bzero the agent address. the kernel was for a while very cranky about + these things. evne though that's fixed, always good to initialize + memory. ok deraadt djm 20110624 - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for diff --git a/authfd.c b/authfd.c index c942a9110..f037e838b 100644 --- a/authfd.c +++ b/authfd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.c,v 1.85 2011/05/15 08:09:01 djm Exp $ */ +/* $OpenBSD: authfd.c,v 1.86 2011/07/06 18:09:21 tedu Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
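Review bot: The retry swallows `EAGAIN` as well as `EINTR`, although the ChangeLog entry describes it as ignoring EINTR only; EINTR is the transient being fixed, whereas a persistent EAGAIN from `poll()` would turn this into a tight busy loop with no back-off or logging. If EAGAIN is deliberately included, a comment saying so would stop the next reader from "fixing" it, e.g. `/* retry on EINTR/EAGAIN: a signal must not bring the monitor down */`. The `continue` targets a loop whose header is outside the hunk, and monitor_read starts above it, so I cannot confirm from here that `pfd[]` is rebuilt on every iteration before the retried `poll()`.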
@@ -102,6 +102,7 @@ ssh_get_authentication_socket(void) if (!authsocket) return -1; + bzero(&sunaddr, sizeof(sunaddr)); sunaddr.sun_family = AF_UNIX; strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path)); -- cgit v1.2.3 From 35e48198a80aba7361bce8dde4fba464800e3ff6 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 6 Aug 2011 06:16:23 +1000 Subject: - djm@cvs.openbsd.org 2011/07/29 14:42:45 [sandbox-systrace.c] fail open(2) with EPERM rather than SIGKILLing the whole process. libc will call open() to do strerror() when NLS is enabled; feedback and ok markus@ --- ChangeLog | 5 ++++ sandbox-systrace.c | 78 ++++++++++++++++++++++++++++++------------------------ 2 files changed, 49 insertions(+), 34 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7de7fdbf8..ccca485f8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,11 @@ bzero the agent address. the kernel was for a while very cranky about these things. evne though that's fixed, always good to initialize memory. ok deraadt djm + - djm@cvs.openbsd.org 2011/07/29 14:42:45 + [sandbox-systrace.c] + fail open(2) with EPERM rather than SIGKILLing the whole process. libc + will call open() to do strerror() when NLS is enabled; + feedback and ok markus@ 20110624 - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for diff --git a/sandbox-systrace.c b/sandbox-systrace.c index 8058b7d40..5a39f4fe1 100644 --- a/sandbox-systrace.c +++ b/sandbox-systrace.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sandbox-systrace.c,v 1.3 2011/06/23 09:34:13 djm Exp $ */ +/* $OpenBSD: sandbox-systrace.c,v 1.4 2011/07/29 14:42:45 djm Exp $ */ /* * Copyright (c) 2011 Damien Miller * 
@@ -41,22 +41,30 @@ #include "ssh-sandbox.h" #include "xmalloc.h" -static const int preauth_policy[] = { - SYS___sysctl, - SYS_close, - SYS_exit, - SYS_getpid, - SYS_gettimeofday, - SYS_madvise, - SYS_mmap, - SYS_mprotect, - SYS_poll, - SYS_munmap, - SYS_read, - SYS_select, - SYS_sigprocmask, - SYS_write, - -1 +struct sandbox_policy { + int syscall; + int action; +}; + +/* Permitted syscalls in preauth. Unlisted syscalls get SYSTR_POLICY_KILL */ +static const struct sandbox_policy preauth_policy[] = { + { SYS_open, SYSTR_POLICY_NEVER }, + + { SYS___sysctl, SYSTR_POLICY_PERMIT }, + { SYS_close, SYSTR_POLICY_PERMIT }, + { SYS_exit, SYSTR_POLICY_PERMIT }, + { SYS_getpid, SYSTR_POLICY_PERMIT }, + { SYS_gettimeofday, SYSTR_POLICY_PERMIT }, + { SYS_madvise, SYSTR_POLICY_PERMIT }, + { SYS_mmap, SYSTR_POLICY_PERMIT }, + { SYS_mprotect, SYSTR_POLICY_PERMIT }, + { SYS_poll, SYSTR_POLICY_PERMIT }, + { SYS_munmap, SYSTR_POLICY_PERMIT }, + { SYS_read, SYSTR_POLICY_PERMIT }, + { SYS_select, SYSTR_POLICY_PERMIT }, + { SYS_sigprocmask, SYSTR_POLICY_PERMIT }, + { SYS_write, SYSTR_POLICY_PERMIT }, + { -1, -1 } }; struct ssh_sandbox { @@ -64,7 +72,6 @@ struct ssh_sandbox { int parent_sock; int systrace_fd; pid_t child_pid; - struct systrace_policy policy; }; struct ssh_sandbox * @@ -104,10 +111,11 @@ ssh_sandbox_child(struct ssh_sandbox *box) static void ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid, - const int *allowed_syscalls) + const struct sandbox_policy *allowed_syscalls) { int dev_systrace, i, j, found; char whatever = 0; + struct systrace_policy policy; debug3("%s: wait for child %ld", __func__, (long)child_pid); box->child_pid = child_pid; 
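Review bot: The comment `/* Permitted syscalls in preauth. Unlisted syscalls get SYSTR_POLICY_KILL */` no longer describes the table, whose first entry is `{ SYS_open, SYSTR_POLICY_NEVER }` — a listed-but-denied syscall. I would change it to `/* Pre-auth syscall policy: listed syscalls get the given action (PERMIT, or NEVER to fail with EPERM); unlisted syscalls get SYSTR_POLICY_KILL */` so the table's two roles are explicit, and add a one-line reason above the `SYS_open` entry drawn from the commit message: `/* libc calls open() from strerror() when NLS is enabled; deny rather than kill */`. The `-1` sentinel now lives in the `syscall` field only, so `action` of the terminator is never read; a comment on `{ -1, -1 }` would make that clear.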
@@ -131,33 +139,35 @@ ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid, box->systrace_fd, child_pid, strerror(errno)); /* Allocate and assign policy */ - bzero(&box->policy, sizeof(box->policy)); - box->policy.strp_op = SYSTR_POLICY_NEW; - box->policy.strp_maxents = SYS_MAXSYSCALL; - if (ioctl(box->systrace_fd, STRIOCPOLICY, &box->policy) == -1) + bzero(&policy, sizeof(policy)); + policy.strp_op = SYSTR_POLICY_NEW; + policy.strp_maxents = SYS_MAXSYSCALL; + if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1) fatal("%s: ioctl(%d, STRIOCPOLICY (new)): %s", __func__, box->systrace_fd, strerror(errno)); - box->policy.strp_op = SYSTR_POLICY_ASSIGN; - box->policy.strp_pid = box->child_pid; - if (ioctl(box->systrace_fd, STRIOCPOLICY, &box->policy) == -1) + policy.strp_op = SYSTR_POLICY_ASSIGN; + policy.strp_pid = box->child_pid; + if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1) fatal("%s: ioctl(%d, STRIOCPOLICY (assign)): %s", __func__, box->systrace_fd, strerror(errno)); /* Set per-syscall policy */ for (i = 0; i < SYS_MAXSYSCALL; i++) { - for (j = found = 0; allowed_syscalls[j] != -1 && !found; j++) { - if (allowed_syscalls[j] == i) + found = 0; + for (j = 0; allowed_syscalls[j].syscall != -1; j++) { + if (allowed_syscalls[j].syscall == i) { found = 1; + break; + } } - box->policy.strp_op = SYSTR_POLICY_MODIFY; - box->policy.strp_code = i; - box->policy.strp_policy = found ? - SYSTR_POLICY_PERMIT : SYSTR_POLICY_KILL; + policy.strp_op = SYSTR_POLICY_MODIFY; + policy.strp_code = i; + policy.strp_policy = found ? + allowed_syscalls[j].action : SYSTR_POLICY_KILL; if (found) debug3("%s: policy: enable syscall %d", __func__, i); - if (ioctl(box->systrace_fd, STRIOCPOLICY, - &box->policy) == -1) + if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1) fatal("%s: ioctl(%d, STRIOCPOLICY (modify)): %s", __func__, box->systrace_fd, strerror(errno)); } -- cgit v1.2.3 From adb467fb692600c569d8129dfd96371b481d2653 Mon Sep 17 00:00:00 2001 
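Review bot: The debug line `"%s: policy: enable syscall %d"` is now emitted for every table hit, including `SYS_open` whose action is `SYSTR_POLICY_NEVER`, so a debug3 trace will claim open(2) is enabled in the sandbox when it is in fact denied. Logging the action removes the ambiguity: `debug3("%s: policy: syscall %d action %d", __func__, i, allowed_syscalls[j].action);`. Moving `policy` from the box onto the stack is fine, but note that `found`/`j` pairing relies on the `break` leaving `j` at the matching entry; the `found = 0` reset before each inner loop is what makes that safe. ssh_sandbox_parent starts above the hunk.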
From: Damien Miller Date: Sat, 6 Aug 2011 06:16:46 +1000 Subject: - markus@cvs.openbsd.org 2011/08/01 19:18:15 [gss-serv.c] prevent post-auth resource exhaustion (int overflow leading to 4GB malloc); report Adam Zabrock; ok djm@, deraadt@ --- ChangeLog | 4 ++++ gss-serv.c | 4 +++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index ccca485f8..8b4676cfc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,10 @@ fail open(2) with EPERM rather than SIGKILLing the whole process. libc will call open() to do strerror() when NLS is enabled; feedback and ok markus@ + - markus@cvs.openbsd.org 2011/08/01 19:18:15 + [gss-serv.c] + prevent post-auth resource exhaustion (int overflow leading to 4GB malloc); + report Adam Zabrock; ok djm@, deraadt@ 20110624 - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for diff --git a/gss-serv.c b/gss-serv.c index 2ec7ea19c..c719c1306 100644 --- a/gss-serv.c +++ b/gss-serv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */ +/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -229,6 +229,8 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name) name->length = get_u32(tok+offset); offset += 4; + if (UINT_MAX - offset < name->length) + return GSS_S_FAILURE; if (ename->length < offset+name->length) return GSS_S_FAILURE; -- cgit v1.2.3 From 20bd4535c01f4a47f535d6e4dc84420a6c5425a5 Mon Sep 17 00:00:00 2001 
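Review bot: The new `if (UINT_MAX - offset < name->length) return GSS_S_FAILURE;` is correct but gives no hint why it precedes the existing bounds check, and the types of `offset` and `name->length` are not visible in the hunk, so whether the wrap it prevents is a 32-bit or size_t one depends on declarations above. A comment ties it to the reported bug: `/* offset + name->length must not wrap; otherwise the check below passes and a huge name->length reaches the allocation */`. If `offset` is `u_int` and `name->length` is `size_t`, the comparison is done in size_t and the check also caps the sum at UINT_MAX, which is stricter than needed but harmless. ssh_gssapi_parse_ename starts above the hunk; I cannot see whether the `get_u32(tok+offset)` read itself is bounds-checked against `ename->length` before this point.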
From: Damien Miller Date: Sat, 6 Aug 2011 06:17:30 +1000 Subject: - djm@cvs.openbsd.org 2011/08/02 01:22:11 [mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5] Add new SHA256 and SHA512 based HMAC modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt Patch from mdb AT juniper.net; feedback and ok markus@ --- ChangeLog | 5 +++++ mac.c | 6 +++++- myproposal.h | 15 ++++++++++++--- ssh.1 | 8 +++++--- ssh_config.5 | 8 +++++--- sshd.8 | 7 ++++--- sshd_config.5 | 8 +++++--- 7 files changed, 41 insertions(+), 16 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8b4676cfc..8dda3580c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,11 @@ [gss-serv.c] prevent post-auth resource exhaustion (int overflow leading to 4GB malloc); report Adam Zabrock; ok djm@, deraadt@ + - djm@cvs.openbsd.org 2011/08/02 01:22:11 + [mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5] + Add new SHA256 and SHA512 based HMAC modes from + http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt + Patch from mdb AT juniper.net; feedback and ok markus@ 20110624 - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for diff --git a/mac.c b/mac.c index fabc3ed66..4965f38c8 100644 --- a/mac.c +++ b/mac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.15 2008/06/13 00:51:47 dtucker Exp $ */ +/* $OpenBSD: mac.c,v 1.16 2011/08/02 01:22:11 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -57,6 +57,10 @@ struct { } macs[] = { { "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 }, { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 }, + { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, -1, -1 }, + { "hmac-sha2-256-96", SSH_EVP, EVP_sha256, 96, -1, -1 }, + { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, -1, -1 }, + { "hmac-sha2-512-96", SSH_EVP, EVP_sha512, 96, -1, -1 }, { "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 }, { "hmac-md5-96", SSH_EVP, EVP_md5, 96, -1, -1 }, { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, 
diff --git a/myproposal.h b/myproposal.h index 2c43607a7..aeb5201dc 100644 --- a/myproposal.h +++ b/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.27 2010/09/01 22:42:13 djm Exp $ */ +/* $OpenBSD: myproposal.h,v 1.28 2011/08/02 01:22:11 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -76,9 +76,18 @@ "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" #define KEX_DEFAULT_MAC \ - "hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160," \ + "hmac-md5," \ + "hmac-sha1," \ + "umac-64@openssh.com," \ + "hmac-sha2-256," \ + "hmac-sha2-256-96," \ + "hmac-sha2-512," \ + "hmac-sha2-512-96," \ + "hmac-ripemd160," \ "hmac-ripemd160@openssh.com," \ - "hmac-sha1-96,hmac-md5-96" + "hmac-sha1-96," \ + "hmac-md5-96" + #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" #define KEX_DEFAULT_LANG "" diff --git a/ssh.1 b/ssh.1 index 7f3a79b48..9c1ca4b16 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.319 2011/05/07 23:20:25 jmc Exp $ -.Dd $Mdocdate: May 7 2011 $ +.\" $OpenBSD: ssh.1,v 1.320 2011/08/02 01:22:11 djm Exp $ +.Dd $Mdocdate: August 2 2011 $ .Dt SSH 1 .Os .Sh NAME @@ -667,7 +667,9 @@ Both protocols support similar authentication methods, but protocol 2 is the default since it provides additional mechanisms for confidentiality (the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) -and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160). +and integrity (hmac-md5, hmac-sha1, +hmac-sha2-256, hmac-sha2-512, +umac-64, hmac-ripemd160). Protocol 1 lacks a strong mechanism for ensuring the integrity of the connection. .Pp diff --git a/ssh_config.5 b/ssh_config.5 index 694ff814e..a782d6f41 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
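Review bot: `KEX_DEFAULT_MAC` lists the new `hmac-sha2-*` entries after `hmac-md5`, `hmac-sha1` and `umac-64@openssh.com`, so with default settings on both sides the peers will still agree on hmac-md5; the SHA-2 MACs are only negotiated when the peer does not offer the earlier names. If the intent is to make them available rather than preferred, that deserves a comment on the macro (`/* order is preference order; sha2 MACs are offered but not preferred */`); if they are meant to be preferred, they need to move ahead of hmac-md5. The sshd_config.5 hunk in this commit spells one of the names `hmac-sha256-96`, which matches nothing in the mac.c table (`hmac-sha2-256-96`) or in the ssh_config.5 hunk; an administrator copying it into sshd_config would get an unknown-MAC error.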
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.152 2011/06/04 00:10:26 djm Exp $ -.Dd $Mdocdate: June 4 2011 $ +.\" $OpenBSD: ssh_config.5,v 1.153 2011/08/02 01:22:11 djm Exp $ +.Dd $Mdocdate: August 2 2011 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -793,7 +793,9 @@ Multiple algorithms must be comma-separated. The default is: .Bd -literal -offset indent hmac-md5,hmac-sha1,umac-64@openssh.com, -hmac-ripemd160,hmac-sha1-96,hmac-md5-96 +hmac-ripemd160,hmac-sha1-96,hmac-md5-96, +hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512, +hmac-sha2-512-96 .Ed .It Cm NoHostAuthenticationForLocalhost This option can be used if the home directory is shared across machines. diff --git a/sshd.8 b/sshd.8 index 45362e29a..a91be0fad 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.262 2011/05/23 07:10:21 jmc Exp $ -.Dd $Mdocdate: May 23 2011 $ +.\" $OpenBSD: sshd.8,v 1.263 2011/08/02 01:22:11 djm Exp $ +.Dd $Mdocdate: August 2 2011 $ .Dt SSHD 8 .Os .Sh NAME @@ -314,7 +314,8 @@ The client selects the encryption algorithm to use from those offered by the server. Additionally, session integrity is provided through a cryptographic message authentication code -(hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160). +(hmac-md5, hmac-sha1, umac-64, hmac-ripemd160, +hmac-sha2-256 or hmac-sha2-512). .Pp Finally, the server and the client enter an authentication dialog. The client tries to authenticate itself using diff --git a/sshd_config.5 b/sshd_config.5 index f78452c85..a6c378792 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.134 2011/06/22 21:57:01 djm Exp $ -.Dd $Mdocdate: June 22 2011 $ +.\" $OpenBSD: sshd_config.5,v 1.135 2011/08/02 01:22:11 djm Exp $ +.Dd $Mdocdate: August 2 2011 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -655,7 +655,9 @@ Multiple algorithms must be comma-separated. The default is: .Bd -literal -offset indent hmac-md5,hmac-sha1,umac-64@openssh.com, -hmac-ripemd160,hmac-sha1-96,hmac-md5-96 +hmac-ripemd160,hmac-sha1-96,hmac-md5-96, +hmac-sha2-256,hmac-sha256-96,hmac-sha2-512, +hmac-sha2-512-96 .Ed .It Cm Match Introduces a conditional block. -- cgit v1.2.3 From c471860d25d0d769a0f261f97a59e2a64e6a2781 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 6 Aug 2011 06:17:48 +1000 Subject: - djm@cvs.openbsd.org 2011/08/02 23:13:01 [version.h] crank now, release later --- ChangeLog | 3 +++ version.h | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8dda3580c..3fb320014 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,9 @@ Add new SHA256 and SHA512 based HMAC modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt Patch from mdb AT juniper.net; feedback and ok markus@ + - djm@cvs.openbsd.org 2011/08/02 23:13:01 + [version.h] + crank now, release later 20110624 - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for diff --git a/version.h b/version.h index 24d000110..d3d57eab0 100644 --- a/version.h +++ b/version.h @@ -1,6 +1,6 @@ -/* $OpenBSD: version.h,v 1.61 2011/02/04 00:44:43 djm Exp $ */ +/* $OpenBSD: version.h,v 1.62 2011/08/02 23:13:01 djm Exp $ */ -#define SSH_VERSION "OpenSSH_5.8" +#define SSH_VERSION "OpenSSH_5.9" #define SSH_PORTABLE "p2" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE -- cgit v1.2.3 From 765f8c4effc6afdb4fa26daf1f72c3b660abb220 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Sat, 6 Aug 2011 06:18:16 +1000 Subject: - djm@cvs.openbsd.org 2011/08/02 23:15:03 [ssh.c] typo in comment --- ChangeLog | 3 +++ ssh.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3fb320014..1e1a06c30 100644 --- a/ChangeLog +++ b/ChangeLog @@ -25,6 +25,9 @@ - djm@cvs.openbsd.org 2011/08/02 23:13:01 [version.h] crank now, release later + - djm@cvs.openbsd.org 2011/08/02 23:15:03 + [ssh.c] + typo in comment 20110624 - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for diff --git a/ssh.c b/ssh.c index 97eb9c0d4..c717dcf1d 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.363 2011/06/22 22:08:42 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.364 2011/08/02 23:15:03 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -706,7 +706,7 @@ main(int ac, char **av) if (r > 0 && (size_t)r < sizeof(buf)) (void)read_config_file(buf, host, &options, 1); - /* Read systemwide configuration file after use config. */ + /* Read systemwide configuration file after user config. */ (void)read_config_file(_PATH_HOST_CONFIG_FILE, host, &options, 0); } -- cgit v1.2.3 From 578451ddda0f591b5186f005253af4c9f78c3321 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 7 Aug 2011 23:09:20 +1000 Subject: - (dtucker) OpenBSD CVS Sync - jmc@cvs.openbsd.org 2008/06/26 06:59:39 [moduli.5] tweak previous; --- ChangeLog | 6 ++++++ moduli.5 | 28 +++++++++++++--------------- 2 files changed, 19 insertions(+), 15 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1e1a06c30..d65b45a8d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20110807 + - (dtucker) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2008/06/26 06:59:39 + [moduli.5] + tweak previous; + 20110805 - OpenBSD CVS Sync - djm@cvs.openbsd.org 2011/06/23 23:35:42 diff --git a/moduli.5 b/moduli.5 index 4a99439cc..a1321abdf 100644 --- a/moduli.5 +++ b/moduli.5 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: moduli.5,v 1.12 2008/06/26 05:57:54 djm Exp $ +.\" $OpenBSD: moduli.5,v 1.13 2008/06/26 06:59:39 jmc Exp $ .\" .\" Copyright (c) 2008 Damien Miller .\" @@ -22,7 +22,7 @@ .Sh DESCRIPTION The .Pa /etc/moduli -file contains prime numbers and generators for use by +file contains prime numbers and generators for use by .Xr sshd 8 in the Diffie-Hellman Group Exchange key exchange method. .Pp @@ -31,13 +31,13 @@ New moduli may be generated with using a two-step process. An initial .Em candidate generation -pass, using +pass, using .Ic ssh-keygen -G , calculates numbers that are likely to be useful. A second .Em primality testing pass, using -.Ic ssh-keygen -T +.Ic ssh-keygen -T , provides a high degree of assurance that the numbers are prime and are safe for use in Diffie Hellman operations by .Xr sshd 8 . @@ -46,9 +46,8 @@ This format is used as the output from each pass. .Pp The file consists of newline-separated records, one per modulus, -containing seven space separated fields. +containing seven space-separated fields. These fields are as follows: -.Pp .Bl -tag -width Description -offset indent .It timestamp The time that the modulus was last processed as YYYYMMDDHHMMSS. @@ -58,7 +57,7 @@ Supported types are: .Pp .Bl -tag -width 0x00 -compact .It 0 -Unknown, not tested +Unknown, not tested. .It 2 "Safe" prime; (p-1)/2 is also prime. .It 4 @@ -68,7 +67,7 @@ Sophie Germain; (p+1)*2 is also prime. Moduli candidates initially produced by .Xr ssh-keygen 1 are Sophie Germain primes (type 4). -Futher primality testing with +Further primality testing with .Xr ssh-keygen 1 produces safe prime moduli (type 2) that are ready for use in .Xr sshd 8 . 
@@ -79,11 +78,11 @@ has been subjected to represented as a bitmask of the following values: .Pp .Bl -tag -width 0x00 -compact .It 0x00 -Not tested +Not tested. .It 0x01 -Composite number - not prime. +Composite number \(en not prime. .It 0x02 -Sieve of Eratosthenes +Sieve of Eratosthenes. .It 0x04 Probabalistic Miller-Rabin primality tests. .El @@ -95,8 +94,8 @@ Subsequent .Xr ssh-keygen 1 primality tests are Miller-Rabin tests (flag 0x04). .It trials -Decimal number indicating of primaility trials that have been performed -on the modulus. +Decimal number indicating the number of primality trials +that have been performed on the modulus. .It size Decimal number indicating the size of the prime in bits. .It generator @@ -113,10 +112,9 @@ Diffie Hellman output to sufficiently key the selected symmetric cipher. then randomly selects a modulus from .Fa /etc/moduli that best meets the size requirement. -.Pp .Sh SEE ALSO .Xr ssh-keygen 1 , -.Xr sshd 8 , +.Xr sshd 8 .Rs .%R RFC 4419 .%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol" -- cgit v1.2.3 From f279474f1b81c194e29aea2e2da0872bda85e703 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 7 Aug 2011 23:10:11 +1000 Subject: - sobrado@cvs.openbsd.org 2009/10/28 08:56:54 [moduli.5] "Diffie-Hellman" is the usual spelling for the cryptographic protocol first published by Whitfield Diffie and Martin Hellman in 1976. ok jmc@ --- ChangeLog | 5 +++++ moduli.5 | 12 ++++++------ 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index d65b45a8d..a2b9f598d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,11 @@ - jmc@cvs.openbsd.org 2008/06/26 06:59:39 [moduli.5] tweak previous; + - sobrado@cvs.openbsd.org 2009/10/28 08:56:54 + [moduli.5] + "Diffie-Hellman" is the usual spelling for the cryptographic protocol + first published by Whitfield Diffie and Martin Hellman in 1976. + ok jmc@ 20110805 - OpenBSD CVS Sync 
diff --git a/moduli.5 b/moduli.5 index a1321abdf..b1547bcdb 100644 --- a/moduli.5 +++ b/moduli.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: moduli.5,v 1.13 2008/06/26 06:59:39 jmc Exp $ +.\" $OpenBSD: moduli.5,v 1.14 2009/10/28 08:56:54 sobrado Exp $ .\" .\" Copyright (c) 2008 Damien Miller .\" @@ -13,12 +13,12 @@ .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.Dd $Mdocdate: June 26 2008 $ +.Dd $Mdocdate: October 28 2009 $ .Dt MODULI 5 .Os .Sh NAME .Nm moduli -.Nd Diffie Hellman moduli +.Nd Diffie-Hellman moduli .Sh DESCRIPTION The .Pa /etc/moduli @@ -39,7 +39,7 @@ A second pass, using .Ic ssh-keygen -T , provides a high degree of assurance that the numbers are prime and are -safe for use in Diffie Hellman operations by +safe for use in Diffie-Hellman operations by .Xr sshd 8 . This .Nm @@ -104,10 +104,10 @@ The recommended generator for use with this modulus (hexadecimal). The modulus itself in hexadecimal. .El .Pp -When performing Diffie Hellman Group Exchange, +When performing Diffie-Hellman Group Exchange, .Xr sshd 8 first estimates the size of the modulus required to produce enough -Diffie Hellman output to sufficiently key the selected symmetric cipher. +Diffie-Hellman output to sufficiently key the selected symmetric cipher. .Xr sshd 8 then randomly selects a modulus from .Fa /etc/moduli -- cgit v1.2.3 From 91e6b577290057b123ade507d6cfe8ed841afe92 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 7 Aug 2011 23:10:56 +1000 Subject: - jmc@cvs.openbsd.org 2010/10/14 20:41:28 [moduli.5] probabalistic -> probabilistic; from naddy --- ChangeLog | 3 +++ moduli.5 | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index a2b9f598d..984179d29 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -8,6 +8,9 @@ "Diffie-Hellman" is the usual spelling for the cryptographic protocol first published by Whitfield Diffie and Martin Hellman in 1976. ok jmc@ + - jmc@cvs.openbsd.org 2010/10/14 20:41:28 + [moduli.5] + probabalistic -> probabilistic; from naddy 20110805 - OpenBSD CVS Sync diff --git a/moduli.5 b/moduli.5 index b1547bcdb..0e01b9414 100644 --- a/moduli.5 +++ b/moduli.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: moduli.5,v 1.14 2009/10/28 08:56:54 sobrado Exp $ +.\" $OpenBSD: moduli.5,v 1.15 2010/10/14 20:41:28 jmc Exp $ .\" .\" Copyright (c) 2008 Damien Miller .\" @@ -13,7 +13,7 @@ .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.Dd $Mdocdate: October 28 2009 $ +.Dd $Mdocdate: October 14 2010 $ .Dt MODULI 5 .Os .Sh NAME @@ -84,7 +84,7 @@ Composite number \(en not prime. .It 0x02 Sieve of Eratosthenes. .It 0x04 -Probabalistic Miller-Rabin primality tests. +Probabilistic Miller-Rabin primality tests. .El .Pp The -- cgit v1.2.3 From ddccfb4b985ec765c605fb4eb1e6b54ad9321020 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 7 Aug 2011 23:12:26 +1000 Subject: - dtucker@cvs.openbsd.org 2011/08/07 12:55:30 [sftp.1] typo, fix from Laurent Gautrot --- ChangeLog | 3 +++ sftp.1 | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 984179d29..b83290c2f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,9 @@ - jmc@cvs.openbsd.org 2010/10/14 20:41:28 [moduli.5] probabalistic -> probabilistic; from naddy + - dtucker@cvs.openbsd.org 2011/08/07 12:55:30 + [sftp.1] + typo, fix from Laurent Gautrot 20110805 - OpenBSD CVS Sync diff --git a/sftp.1 b/sftp.1 index 3b6ee3890..eb88014e2 100644 --- a/sftp.1 +++ b/sftp.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.89 2011/05/06 01:09:53 djm Exp $ +.\" $OpenBSD: sftp.1,v 1.90 2011/08/07 12:55:30 dtucker Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: May 6 2011 $ +.Dd $Mdocdate: August 7 2011 $ .Dt SFTP 1 .Os .Sh NAME @@ -483,7 +483,7 @@ is specified, then .Ar remote-path must specify a directory. .Pp -If ether the +If either the .Fl P or .Fl p -- cgit v1.2.3 From 4d47ec9c892883b60b496335425b427a48498bbc Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 12 Aug 2011 10:12:53 +1000 Subject: - (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context change error by reporting old and new context names Patch from jchadima at redhat. --- ChangeLog | 5 +++++ openbsd-compat/port-linux.c | 5 +++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index b83290c2f..8b1269324 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20110812 + - (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context + change error by reporting old and new context names Patch from + jchadima at redhat. + 20110807 - (dtucker) OpenBSD CVS Sync - jmc@cvs.openbsd.org 2008/06/26 06:59:39 diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c index ac1e4fefc..be763656e 100644 --- a/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c @@ -1,4 +1,4 @@ -/* $Id: port-linux.c,v 1.14 2011/02/06 02:24:35 dtucker Exp $ */ +/* $Id: port-linux.c,v 1.15 2011/08/12 00:12:55 dtucker Exp $ */ /* * Copyright (c) 2005 Daniel Walsh 
@@ -201,7 +201,8 @@ ssh_selinux_change_context(const char *newname) debug3("%s: setting context from '%s' to '%s'", __func__, oldctx, newctx); if (setcon(newctx) < 0) - logit("%s: setcon failed with %s", __func__, strerror (errno)); + logit("%s: setcon %s from %s failed with %s", __func__, newctx, + oldctx, strerror (errno)); xfree(oldctx); xfree(newctx); } -- cgit v1.2.3 From 2db9977c061ff027bafa488c8e9afad505be773e Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 12 Aug 2011 11:02:35 +1000 Subject: - (djm) [contrib/redhat/openssh.spec contrib/redhat/sshd.init] [contrib/suse/openssh.spec contrib/suse/rc.sshd] Updated RHEL and SLES init scrips from imorgan AT nas.nasa.gov --- ChangeLog | 3 ++ contrib/redhat/openssh.spec | 22 +++++++------- contrib/redhat/sshd.init | 71 +++++---------------------------------------- contrib/suse/openssh.spec | 16 ++++------ contrib/suse/rc.sshd | 16 ++-------- 5 files changed, 28 insertions(+), 100 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8b1269324..7d323f69e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,9 @@ - (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context change error by reporting old and new context names Patch from jchadima at redhat. + - (djm) [contrib/redhat/openssh.spec contrib/redhat/sshd.init] + [contrib/suse/openssh.spec contrib/suse/rc.sshd] Updated RHEL and SLES + init scrips from imorgan AT nas.nasa.gov 20110807 - (dtucker) OpenBSD CVS Sync diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 23657eacd..2b927f177 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec 
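Review bot: The failing setcon() is still only logged, so if ssh_selinux_change_context() is void (its return type is outside the hunk) the caller cannot tell that the process is continuing under the old context after the new message is printed; if a status can be returned, the logit should be followed by propagating the error. The spacing in `strerror (errno)` differs from the `logit(` and `debug3(` calls on the surrounding lines and reads better as `strerror(errno)`. The function continues past the hunk.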
@@ -84,24 +84,24 @@ Obsoletes: ssh %if %{build6x} PreReq: initscripts >= 5.00 %else -PreReq: initscripts >= 5.20 +Requires: initscripts >= 5.20 %endif -BuildPreReq: perl, openssl-devel, tcp_wrappers -BuildPreReq: /bin/login +BuildRequires: perl, openssl-devel, tcp_wrappers +BuildRequires: /bin/login %if ! %{build6x} BuildPreReq: glibc-devel, pam %else -BuildPreReq: /usr/include/security/pam_appl.h +BuildRequires: /usr/include/security/pam_appl.h %endif %if ! %{no_x11_askpass} -BuildPreReq: /usr/include/X11/Xlib.h +BuildRequires: /usr/include/X11/Xlib.h %endif %if ! %{no_gnome_askpass} -BuildPreReq: pkgconfig +BuildRequires: pkgconfig %endif %if %{kerberos5} -BuildPreReq: krb5-devel -BuildPreReq: krb5-libs +BuildRequires: krb5-devel +BuildRequires: krb5-libs %endif %package clients @@ -114,7 +114,7 @@ Obsoletes: ssh-clients Summary: The OpenSSH server daemon. Group: System Environment/Daemons Obsoletes: ssh-server -PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9 +Requires: openssh = %{version}-%{release}, chkconfig >= 0.9 %if ! %{build6x} Requires: /etc/pam.d/system-auth %endif @@ -712,7 +712,7 @@ fi it generates. * Thu Oct 5 2000 Nalin Dahyabhai -- Add BuildPreReq on /usr/include/security/pam_appl.h to be sure we always +- Add BuildRequires on /usr/include/security/pam_appl.h to be sure we always build PAM authentication in. - Try setting SSH_ASKPASS if gnome-ssh-askpass is installed. - Clean out no-longer-used patches. @@ -721,7 +721,7 @@ fi * Mon Oct 2 2000 Nalin Dahyabhai - Update x11-askpass to 1.0.2. (#17835) -- Add BuildPreReqs for /bin/login and /usr/bin/rsh so that configure will +- Add BuildRequiress for /bin/login and /usr/bin/rsh so that configure will always find them in the right place. (#17909) - Set the default path to be the same as the one supplied by /bin/login, but add /usr/X11R6/bin. (#17909) diff --git a/contrib/redhat/sshd.init b/contrib/redhat/sshd.init index 854aff665..2334d8142 100755 --- a/contrib/redhat/sshd.init 
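Review bot: `BuildPreReq: glibc-devel, pam` in the `%if ! %{build6x}` branch is left as context while every sibling line in the hunk is renamed to BuildRequires, so the spec still mixes both spellings; it should read `BuildRequires: glibc-devel, pam`. The third hunk rewrites two dated %changelog entries from October 2000 ("Add BuildRequires on ...", "Add BuildRequiress for ...") — %changelog is a historical record of what was done at the time, so those lines are better left as they were, and the rewrite also introduces the misspelling `BuildRequiress`.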
+++ b/contrib/redhat/sshd.init @@ -22,70 +22,9 @@ RETVAL=0 prog="sshd" # Some functions to make the below more readable -KEYGEN=/usr/bin/ssh-keygen SSHD=/usr/sbin/sshd -RSA1_KEY=/etc/ssh/ssh_host_key -RSA_KEY=/etc/ssh/ssh_host_rsa_key -DSA_KEY=/etc/ssh/ssh_host_dsa_key PID_FILE=/var/run/sshd.pid -do_rsa1_keygen() { - if [ ! -s $RSA1_KEY ]; then - echo -n $"Generating SSH1 RSA host key: " - if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then - chmod 600 $RSA1_KEY - chmod 644 $RSA1_KEY.pub - if [ -x /sbin/restorecon ]; then - /sbin/restorecon $RSA1_KEY.pub - fi - success $"RSA1 key generation" - echo - else - failure $"RSA1 key generation" - echo - exit 1 - fi - fi -} - -do_rsa_keygen() { - if [ ! -s $RSA_KEY ]; then - echo -n $"Generating SSH2 RSA host key: " - if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then - chmod 600 $RSA_KEY - chmod 644 $RSA_KEY.pub - if [ -x /sbin/restorecon ]; then - /sbin/restorecon $RSA_KEY.pub - fi - success $"RSA key generation" - echo - else - failure $"RSA key generation" - echo - exit 1 - fi - fi -} - -do_dsa_keygen() { - if [ ! -s $DSA_KEY ]; then - echo -n $"Generating SSH2 DSA host key: " - if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then - chmod 600 $DSA_KEY - chmod 644 $DSA_KEY.pub - if [ -x /sbin/restorecon ]; then - /sbin/restorecon $DSA_KEY.pub - fi - success $"DSA key generation" - echo - else - failure $"DSA key generation" - echo - exit 1 - fi - fi -} - do_restart_sanity_check() { $SSHD -t @@ -99,9 +38,13 @@ do_restart_sanity_check() start() { # Create keys if necessary - do_rsa1_keygen - do_rsa_keygen - do_dsa_keygen + /usr/bin/ssh-keygen -A + if [ -x /sbin/restorecon ]; then + /sbin/restorcon /etc/ssh/ssh_host_key.pub + /sbin/restorcon /etc/ssh/ssh_host_rsa_key.pub + /sbin/restorcon /etc/ssh/ssh_host_dsa_key.pub + /sbin/restorcon /etc/ssh/ssh_host_ecdsa_key.pub + fi echo -n $"Starting $prog:" $SSHD $OPTIONS && success || failure 
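Review bot: The four relabel calls added to start() invoke `/sbin/restorcon`, while the guard one line above tests `-x /sbin/restorecon`, so on an SELinux host the guard passes and each call fails with "command not found"; the lines should read `/sbin/restorecon /etc/ssh/ssh_host_key.pub` and likewise for the rsa, dsa and ecdsa public keys. The removed do_*_keygen helpers exited 1 when key generation failed, whereas the exit status of `/usr/bin/ssh-keygen -A` is now ignored and sshd is started regardless; `/usr/bin/ssh-keygen -A || { failure $"SSH host key generation"; echo; exit 1; }` keeps the old behaviour. The helpers also relabelled only a key they had just created, while the new code relabels all four .pub files on every start, including ones that may not exist. start() continues past the end of the hunk.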
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index db0c127bd..4621f548c 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -28,11 +28,12 @@ Provides: ssh # (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.) # building prerequisites -- stuff for # OpenSSL (openssl-devel), -# TCP Wrappers (nkitb), +# TCP Wrappers (tcpd-devel), # and Gnome (glibdev, gtkdev, and gnlibsd) # BuildPrereq: openssl -BuildPrereq: nkitb +BuildPrereq: tcpd-devel +BuildPrereq: zlib-devel #BuildPrereq: glibdev #BuildPrereq: gtkdev #BuildPrereq: gnlibsd @@ -177,15 +178,8 @@ rm -rf $RPM_BUILD_ROOT /usr/sbin/useradd -r -o -g sshd -u %{sshd_uid} -s /bin/false -c "SSH Privilege Separation User" -d /var/lib/sshd sshd 2> /dev/null || : %post -if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then - echo "Generating SSH RSA host key..." - /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' >&2 -fi -if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then - echo "Generating SSH DSA host key..." - /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' >&2 -fi -%{fillup_and_insserv -n -s -y ssh sshd START_SSHD} +/usr/bin/ssh-keygen -A +%{fillup_and_insserv -n -y ssh sshd} %run_permissions %verifyscript diff --git a/contrib/suse/rc.sshd b/contrib/suse/rc.sshd index 4d4880d7e..4a3bc41db 100644 --- a/contrib/suse/rc.sshd +++ b/contrib/suse/rc.sshd 
@@ -43,20 +43,8 @@ rc_reset case "$1" in start) - if ! test -f /etc/ssh/ssh_host_key ; then - echo Generating /etc/ssh/ssh_host_key. - ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N '' - fi - if ! test -f /etc/ssh/ssh_host_dsa_key ; then - echo Generating /etc/ssh/ssh_host_dsa_key. - - ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' - fi - if ! test -f /etc/ssh/ssh_host_rsa_key ; then - echo Generating /etc/ssh/ssh_host_rsa_key. - - ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' - fi + # Generate any missing host keys + ssh-keygen -A echo -n "Starting SSH daemon" ## Start daemon with startproc(8). If this fails ## the echo return value is set appropriate. -- cgit v1.2.3 From d1eb1dd5edf4960c1b4cbcda6cfc23462fe4f9fa Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 12 Aug 2011 11:22:47 +1000 Subject: - (djm) [contrib/ssh-copy-id] Fix failure for cases where the path to the identify file contained whitespace. bz#1828 patch from gwenael.lambrouin AT gmail.com; ok dtucker@ --- ChangeLog | 5 ++++- contrib/ssh-copy-id | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7d323f69e..2fc1f12a1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,7 +4,10 @@ jchadima at redhat. - (djm) [contrib/redhat/openssh.spec contrib/redhat/sshd.init] [contrib/suse/openssh.spec contrib/suse/rc.sshd] Updated RHEL and SLES - init scrips from imorgan AT nas.nasa.gov + init scrips from imorgan AT nas.nasa.gov; bz#1920 + - (djm) [contrib/ssh-copy-id] Fix failure for cases where the path to the + identify file contained whitespace. bz#1828 patch from gwenael.lambrouin + AT gmail.com; ok dtucker@ 20110807 - (dtucker) OpenBSD CVS Sync diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id index 368645cb4..eca7cf520 100644 --- a/contrib/ssh-copy-id +++ b/contrib/ssh-copy-id 
@@ -25,7 +25,7 @@ else fi if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then - GET_ID="cat ${ID_FILE}" + GET_ID="cat "${ID_FILE}\"" fi if [ -z "`eval $GET_ID`" ]; then -- cgit v1.2.3 From a1226828add427f4ff29462b3153b1549d3b46a8 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Tue, 16 Aug 2011 17:29:01 -0700 Subject: - (tim) [mac.c myproposal.h] Wrap SHA256 and SHA512 in ifdefs for OpenSSL 0.9.7. ok djm --- ChangeLog | 4 ++++ mac.c | 2 ++ myproposal.h | 14 ++++++++++---- 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2fc1f12a1..cc29abce4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20110817 + - (tim) [mac.c myproposal.h] Wrap SHA256 and SHA512 in ifdefs for + OpenSSL 0.9.7. ok djm + 20110812 - (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context change error by reporting old and new context names Patch from diff --git a/mac.c b/mac.c index 4965f38c8..eef50f48d 100644 --- a/mac.c +++ b/mac.c @@ -57,10 +57,12 @@ struct { } macs[] = { { "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 }, { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 }, +#ifdef HAVE_EVP_SHA256 { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, -1, -1 }, { "hmac-sha2-256-96", SSH_EVP, EVP_sha256, 96, -1, -1 }, { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, -1, -1 }, { "hmac-sha2-512-96", SSH_EVP, EVP_sha512, 96, -1, -1 }, +#endif { "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 }, { "hmac-md5-96", SSH_EVP, EVP_md5, 96, -1, -1 }, { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, diff --git a/myproposal.h b/myproposal.h index aeb5201dc..0bc1c778c 100644 --- a/myproposal.h +++ b/myproposal.h 
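Review bot: The new assignment `GET_ID="cat "${ID_FILE}\""` has unbalanced quotes: the first `"` pair encloses only `cat `, `${ID_FILE}` is then outside any quotes, and the trailing `\""` leaves a double-quoted string open that runs into the following lines, so the script no longer parses. The intended line is `GET_ID="cat \"${ID_FILE}\""`. Because GET_ID is later expanded through `eval`, a path containing characters the shell re-interprets (double quotes, `$`, backquotes) would still break even with the quotes balanced; a shell function that runs `cat -- "$ID_FILE"` would avoid the eval altogether.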
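Review bot: The `#ifdef HAVE_EVP_SHA256` block also gates the two EVP_sha512 entries, so the guard's name no longer describes everything it protects; if, as the commit subject implies, both digests are absent from OpenSSL 0.9.7 and present together in later releases, a comment such as `/* SHA-2 digests arrive together in OpenSSL, so one feature test covers both */` should say so, otherwise the sha512 pair needs its own test. The same guard is introduced in the myproposal.h hunk of this commit and would benefit from the same comment. The macs[] table starts before the hunk.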
@@ -75,14 +75,20 @@ "arcfour256,arcfour128," \ "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" +#ifdef HAVE_EVP_SHA256 +#define SHA2_HMAC_MODES \ + "hmac-sha2-256," \ + "hmac-sha2-256-96," \ + "hmac-sha2-512," \ + "hmac-sha2-512-96," +#else +# define SHA2_HMAC_MODES +#endif #define KEX_DEFAULT_MAC \ "hmac-md5," \ "hmac-sha1," \ "umac-64@openssh.com," \ - "hmac-sha2-256," \ - "hmac-sha2-256-96," \ - "hmac-sha2-512," \ - "hmac-sha2-512-96," \ + SHA2_HMAC_MODES \ "hmac-ripemd160," \ "hmac-ripemd160@openssh.com," \ "hmac-sha1-96," \ -- cgit v1.2.3 From 9c08312968c965aca19d21f08407e21f5824f8b4 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 17 Aug 2011 11:31:07 +1000 Subject: - (djm) [ openbsd-compat/bsd-cygwin_util.c openbsd-compat/bsd-cygwin_util.h] binary_pipe is no longer required on Cygwin; patch from Corinna Vinschen --- ChangeLog | 2 ++ openbsd-compat/bsd-cygwin_util.c | 17 +---------------- openbsd-compat/bsd-cygwin_util.h | 6 ++---- 3 files changed, 5 insertions(+), 20 deletions(-) diff --git a/ChangeLog b/ChangeLog index cc29abce4..724d22119 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20110817 - (tim) [mac.c myproposal.h] Wrap SHA256 and SHA512 in ifdefs for OpenSSL 0.9.7. ok djm + - (djm) [ openbsd-compat/bsd-cygwin_util.c openbsd-compat/bsd-cygwin_util.h] + binary_pipe is no longer required on Cygwin; patch from Corinna Vinschen 20110812 - (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c index e9fa3a0e2..9eedc88d2 100644 --- a/openbsd-compat/bsd-cygwin_util.c +++ b/openbsd-compat/bsd-cygwin_util.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2001, Corinna Vinschen + * Copyright (c) 2000, 2001, 2011 Corinna Vinschen * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
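Review bot: `# define SHA2_HMAC_MODES` in the #else branch is indented while the matching #ifdef branch and the surrounding `#define KEX_DEFAULT_MAC` are at column 0; the file's directives are unindented, so `#define SHA2_HMAC_MODES` keeps the style consistent. The empty definition works only because it expands to nothing between two adjacent string literals, which is not obvious at the use site; a comment on the #else branch, `/* expands to nothing: no SHA-2 MACs when EVP_sha256 is unavailable (OpenSSL 0.9.7) */`, would spare the next reader from checking.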
@@ -34,9 +34,6 @@ #if defined(open) && open == binary_open # undef open #endif -#if defined(pipe) && open == binary_pipe -# undef pipe -#endif #include @@ -59,18 +56,6 @@ binary_open(const char *filename, int flags, ...) return (open(filename, flags | O_BINARY, mode)); } -int -binary_pipe(int fd[2]) -{ - int ret = pipe(fd); - - if (!ret) { - setmode(fd[0], O_BINARY); - setmode(fd[1], O_BINARY); - } - return (ret); -} - int check_ntsec(const char *filename) { diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h index 39b8eb788..48f64b740 100644 --- a/openbsd-compat/bsd-cygwin_util.h +++ b/openbsd-compat/bsd-cygwin_util.h @@ -1,7 +1,7 @@ -/* $Id: bsd-cygwin_util.h,v 1.12 2009/03/08 00:40:28 dtucker Exp $ */ +/* $Id: bsd-cygwin_util.h,v 1.13 2011/08/17 01:31:09 djm Exp $ */ /* - * Copyright (c) 2000, 2001, Corinna Vinschen + * Copyright (c) 2000, 2001, 2011 Corinna Vinschen * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -41,13 +41,11 @@ #include int binary_open(const char *, int , ...); -int binary_pipe(int fd[2]); int check_ntsec(const char *); char **fetch_windows_environment(void); void free_windows_environment(char **); #define open binary_open -#define pipe binary_pipe #endif /* HAVE_CYGWIN */ -- cgit v1.2.3 From 1a91c0f163f0a53e092e7832791a09d659567546 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 17 Aug 2011 11:59:25 +1000 Subject: - (djm) [configure.ac] error out if the host lacks the necessary bits for an explicitly requested sandbox type --- ChangeLog | 2 ++ configure.ac | 13 ++++++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 724d22119..0b3152824 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -3,6 +3,8 @@ OpenSSL 0.9.7. ok djm - (djm) [ openbsd-compat/bsd-cygwin_util.c openbsd-compat/bsd-cygwin_util.h] binary_pipe is no longer required on Cygwin; patch from Corinna Vinschen + - (djm) [configure.ac] error out if the host lacks the necessary bits for + an explicitly requested sandbox type 20110812 - (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context diff --git a/configure.ac b/configure.ac index 74d5263a4..31e72867f 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.478 2011/06/26 21:18:20 djm Exp $ +# $Id: configure.ac,v 1.479 2011/08/17 01:59:26 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.478 $) +AC_REVISION($Revision: 1.479 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -2476,7 +2476,7 @@ AC_SUBST([SSH_PRIVSEP_USER]) # Decide which sandbox style to use sandbox_arg="" AC_ARG_WITH([sandbox], - [ --with-sandbox=style Specify privilege separation sandbox (no, rlimit, systrace)], + [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace)], [ if test "x$withval" = "xyes" ; then sandbox_arg="" 
@@ -2487,15 +2487,22 @@ AC_ARG_WITH([sandbox], ) if test "x$sandbox_arg" = "xsystrace" || \ ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then + test "x$have_systr_policy_kill" != "x1" && \ + AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support]) SANDBOX_STYLE="systrace" AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)]) elif test "x$sandbox_arg" = "xdarwin" || \ ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \ test "x$ac_cv_header_sandbox_h" = "xyes") ; then + test "x$ac_cv_func_sandbox_init" != "xyes" -o \ + "x$ac_cv_header_sandbox_h" != "xyes" && \ + AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function]) SANDBOX_STYLE="darwin" AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)]) elif test "x$sandbox_arg" = "xrlimit" || \ ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then + test "x$ac_cv_func_setrlimit" != "xyes" && \ + AC_MSG_ERROR([rlimit sandbox requires setrlimit function]) SANDBOX_STYLE="rlimit" AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)]) elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \ -- cgit v1.2.3 From 44a6c9340ab0ae5fe616b0ae291187e8187f2ec6 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 17 Aug 2011 12:01:44 +1000 Subject: - (djm) [contrib/ssh-copy-id] Missing backlslash; spotted by bisson AT archlinux.org --- ChangeLog | 2 ++ contrib/ssh-copy-id | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 0b3152824..ab430749d 100644 --- a/ChangeLog +++ b/ChangeLog 
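Review bot: The added Darwin check `test "x$ac_cv_func_sandbox_init" != "xyes" -o \` uses the `-o` binary primitive, which POSIX marks obsolescent for test(1); the systrace and rlimit checks in the same hunk each use a single test, so for consistency and portability write it as `{ test "x$ac_cv_func_sandbox_init" != "xyes" || test "x$ac_cv_header_sandbox_h" != "xyes"; } && AC_MSG_ERROR(...)`. Each new AC_MSG_ERROR can only fire when the user passed an explicit --with-sandbox value, because the auto-detect half of every elif condition already requires the feature; a one-line comment, `# only reachable for an explicit --with-sandbox=..., since auto-detection requires the feature`, would stop the test from looking redundant with the condition above it. The if/elif chain starts before and continues past the hunk.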
@@ -5,6 +5,8 @@ binary_pipe is no longer required on Cygwin; patch from Corinna Vinschen - (djm) [configure.ac] error out if the host lacks the necessary bits for an explicitly requested sandbox type + - (djm) [contrib/ssh-copy-id] Missing backlslash; spotted by + bisson AT archlinux.org 20110812 - (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id index eca7cf520..9451aceec 100644 --- a/contrib/ssh-copy-id +++ b/contrib/ssh-copy-id @@ -25,7 +25,7 @@ else fi if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then - GET_ID="cat "${ID_FILE}\"" + GET_ID="cat \"${ID_FILE}\"" fi if [ -z "`eval $GET_ID`" ]; then -- cgit v1.2.3 From 9231c8bde4169895243a9f3e2dff09ae795c0d21 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 17 Aug 2011 12:08:15 +1000 Subject: - dtucker@cvs.openbsd.org 2011/06/03 05:35:10 [regress/cfgmatch.sh] use OBJ to find test configs, patch from Tim Rice --- ChangeLog | 4 ++++ regress/cfgmatch.sh | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index ab430749d..1ffc4b5f5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,10 @@ an explicitly requested sandbox type - (djm) [contrib/ssh-copy-id] Missing backlslash; spotted by bisson AT archlinux.org + - (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2011/06/03 05:35:10 + [regress/cfgmatch.sh] + use OBJ to find test configs, patch from Tim Rice 20110812 - (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh index a16a5c13a..0603fab64 100644 --- a/regress/cfgmatch.sh +++ b/regress/cfgmatch.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cfgmatch.sh,v 1.5 2011/05/23 03:31:31 djm Exp $ +# $OpenBSD: cfgmatch.sh,v 1.6 2011/06/03 05:35:10 dtucker Exp $ # Placed in the Public Domain. tid="sshd_config match" -- cgit v1.2.3 From faf4d80420af1eb5074a1ae2ce9fc3e1bf9850c0 Mon Sep 17 00:00:00 2001 
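Review bot: The corrected line still expands `${ID_FILE}` at assignment time, and the command is later run through `eval $GET_ID` (visible two lines below in the hunk), so the fix covers paths with spaces but a path containing `"`, `$` or a backquote is re-parsed by eval. Deferring the expansion to eval time keeps the path inside double quotes when it is actually parsed: `GET_ID="cat \"\${ID_FILE}\""`. Only this if-block is in the hunk; the other uses of GET_ID lie outside it.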
From: Damien Miller Date: Wed, 17 Aug 2011 12:09:19 +1000 Subject: - markus@cvs.openbsd.org 2011/06/30 22:44:43 [connect-privsep.sh] test with sandbox enabled; ok djm@ --- ChangeLog | 3 +++ regress/connect-privsep.sh | 13 ++++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 1ffc4b5f5..85dbe0f33 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,9 @@ - dtucker@cvs.openbsd.org 2011/06/03 05:35:10 [regress/cfgmatch.sh] use OBJ to find test configs, patch from Tim Rice + - markus@cvs.openbsd.org 2011/06/30 22:44:43 + [regress/connect-privsep.sh] + test with sandbox enabled; ok djm@ 20110812 - (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context diff --git a/regress/connect-privsep.sh b/regress/connect-privsep.sh index d23cadba5..e7f938981 100644 --- a/regress/connect-privsep.sh +++ b/regress/connect-privsep.sh @@ -1,8 +1,9 @@ -# $OpenBSD: connect-privsep.sh,v 1.1 2002/03/21 21:45:07 markus Exp $ +# $OpenBSD: connect-privsep.sh,v 1.2 2011/06/30 22:44:43 markus Exp $ # Placed in the Public Domain. tid="proxy connect with privsep" +cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy for p in 1 2; do @@ -11,3 +12,13 @@ for p in 1 2; do fail "ssh privsep+proxyconnect protocol $p failed" fi done + +cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy +echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy + +for p in 1 2; do + ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true + if [ $? -ne 0 ]; then + fail "ssh privsep/sandbox+proxyconnect protocol $p failed" + fi +done -- cgit v1.2.3 From 062fa30532fdce4c2837e9d4e265595aa1cbca14 Mon Sep 17 00:00:00 2001 
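Review bot: `$OBJ/sshd_proxy.orig`, created by the new `cp` near the top of the file so the sandbox pass can start from a clean config, is never removed, so it is left in the object directory after the test; unless test-exec.sh's cleanup already sweeps such files (not visible here), add `rm -f $OBJ/sshd_proxy.orig` after the second loop. A one-line comment above the second `cp`, e.g. `# second pass: same connects with the privsep sandbox enabled`, would also make the restore-then-append step self-explanatory.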
From: Damien Miller Date: Wed, 17 Aug 2011 12:10:02 +1000 Subject: - djm@cvs.openbsd.org 2011/08/02 01:23:41 [regress/cipher-speed.sh regress/try-ciphers.sh] add SHA256/SHA512 based HMAC modes --- ChangeLog | 3 +++ regress/cipher-speed.sh | 9 ++++++--- regress/try-ciphers.sh | 5 +++-- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 85dbe0f33..441f1c312 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,9 @@ - markus@cvs.openbsd.org 2011/06/30 22:44:43 [regress/connect-privsep.sh] test with sandbox enabled; ok djm@ + - djm@cvs.openbsd.org 2011/08/02 01:23:41 + [regress/cipher-speed.sh regress/try-ciphers.sh] + add SHA256/SHA512 based HMAC modes 20110812 - (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index 85de6d585..0cdafc092 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cipher-speed.sh,v 1.3 2007/06/07 19:41:46 pvalchev Exp $ +# $OpenBSD: cipher-speed.sh,v 1.4 2011/08/02 01:23:41 djm Exp $ # Placed in the Public Domain. tid="cipher speed" @@ -12,9 +12,12 @@ tries="1 2" DATA=/bin/ls DATA=/bsd -macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96" ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc - arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc aes128-ctr" + arcfour128 arcfour256 arcfour + aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se + aes128-ctr aes192-ctr aes256-ctr" +macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96 + hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96" for c in $ciphers; do for m in $macs; do trace "proto 2 cipher $c mac $m" diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index ef776d2ee..5affb3943 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh 
@@ -1,4 +1,4 @@ -# $OpenBSD: try-ciphers.sh,v 1.11 2007/06/07 19:41:46 pvalchev Exp $ +# $OpenBSD: try-ciphers.sh,v 1.12 2011/08/02 01:23:41 djm Exp $ # Placed in the Public Domain. tid="try ciphers" @@ -7,7 +7,8 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr" -macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96" +macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96 + hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96" for c in $ciphers; do for m in $macs; do -- cgit v1.2.3 From 2df1bec086db1cf53db6620c18d88ae9cb27bb89 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 17 Aug 2011 12:25:46 +1000 Subject: - (djm) [regress/cipher-speed.sh regress/try-ciphers.sh] disable HMAC-SHA2 MAC tests for platforms that hack EVP_SHA2 support --- ChangeLog | 2 ++ regress/cipher-speed.sh | 5 +++-- regress/try-ciphers.sh | 5 +++-- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 441f1c312..c36d2c5eb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,8 @@ - djm@cvs.openbsd.org 2011/08/02 01:23:41 [regress/cipher-speed.sh regress/try-ciphers.sh] add SHA256/SHA512 based HMAC modes + - (djm) [regress/cipher-speed.sh regress/try-ciphers.sh] disable HMAC-SHA2 + MAC tests for platforms that hack EVP_SHA2 support 20110812 - (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index 0cdafc092..257afd179 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh 
@@ -16,8 +16,9 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr" -macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96 - hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96" +macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96" +config_defined HAVE_EVP_SHA256 && + macs="$macs hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96" for c in $ciphers; do for m in $macs; do trace "proto 2 cipher $c mac $m" diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index 5affb3943..0918d2245 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh @@ -7,8 +7,9 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr" -macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96 - hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96" +macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96" +config_defined HAVE_EVP_SHA256 && + macs="$macs hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96" for c in $ciphers; do for m in $macs; do -- cgit v1.2.3 From a6e60616be992b689945fe349fbc652f3cf29f3c Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Wed, 17 Aug 2011 21:48:22 -0700 Subject: - (tim) [configure.ac] Typo in error message spotted by Andy Tsouladze --- ChangeLog | 3 +++ configure.ac | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index c36d2c5eb..b73d42c6f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20110818 + - (tim) [configure.ac] Typo in error message spotted by Andy Tsouladze + 20110817 - (tim) [mac.c myproposal.h] Wrap SHA256 and SHA512 in ifdefs for OpenSSL 0.9.7. ok djm diff --git a/configure.ac b/configure.ac index 31e72867f..7a915272d 100644 --- a/configure.ac 
+++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.479 2011/08/17 01:59:26 djm Exp $ +# $Id: configure.ac,v 1.480 2011/08/18 04:48:24 tim Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.479 $) +AC_REVISION($Revision: 1.480 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -2510,7 +2510,7 @@ elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \ SANDBOX_STYLE="none" AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing]) else - AC_MSG_ERROR([unsupported -with-sandbox]) + AC_MSG_ERROR([unsupported --with-sandbox]) fi # Cheap hack to ensure NEWS-OS libraries are arranged right. -- cgit v1.2.3 From 4438354870aa3bdbf52d9bc7bf20c85aa3fff1f9 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 28 Aug 2011 04:50:16 +1000 Subject: - (dtucker) [auth-skey.c] Add log.h to fix build --with-skey. --- ChangeLog | 3 +++ auth-skey.c | 1 + 2 files changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index b73d42c6f..3c557ed5b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20110827 + - (dtucker) [auth-skey.c] Add log.h to fix build --with-skey. + 20110818 - (tim) [configure.ac] Typo in error message spotted by Andy Tsouladze diff --git a/auth-skey.c b/auth-skey.c index cb43dba48..3536ec8fa 100644 --- a/auth-skey.c +++ b/auth-skey.c @@ -39,6 +39,7 @@ #include "hostfile.h" #include "auth.h" #include "ssh-gss.h" +#include "log.h" #include "monitor_wrap.h" static void * -- cgit v1.2.3 From 58ac11a2bd0935aee87b8cc60e2b724e71c41207 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Mon, 29 Aug 2011 16:09:52 +1000 Subject: - (djm) [openbsd-compat/port-linux.c] Suppress logging when attempting to switch SELinux context away from unconfined_t, based on patch from Jan Chadima; bz#1919 ok dtucker@ --- ChangeLog | 5 +++++ openbsd-compat/port-linux.c | 25 +++++++++++++++++++------ 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3c557ed5b..9bf90758c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20110829 + - (djm) [openbsd-compat/port-linux.c] Suppress logging when attempting + to switch SELinux context away from unconfined_t, based on patch from + Jan Chadima; bz#1919 ok dtucker@ + 20110827 - (dtucker) [auth-skey.c] Add log.h to fix build --with-skey. diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c index be763656e..ea8dff40f 100644 --- a/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c @@ -1,4 +1,4 @@ -/* $Id: port-linux.c,v 1.15 2011/08/12 00:12:55 dtucker Exp $ */ +/* $Id: port-linux.c,v 1.16 2011/08/29 06:09:57 djm Exp $ */ /* * Copyright (c) 2005 Daniel Walsh @@ -38,6 +38,10 @@ #include #include +#ifndef SSH_SELINUX_UNCONFINED_TYPE +# define SSH_SELINUX_UNCONFINED_TYPE ":unconfined_t:" +#endif + /* Wrapper around is_selinux_enabled() to log its return value once only */ int ssh_selinux_enabled(void) @@ -177,12 +181,13 @@ ssh_selinux_change_context(const char *newname) { int len, newlen; char *oldctx, *newctx, *cx; + void (*switchlog) (const char *fmt,...) = logit; if (!ssh_selinux_enabled()) return; if (getcon((security_context_t *)&oldctx) < 0) { - logit("%s: getcon failed with %s", __func__, strerror (errno)); + logit("%s: getcon failed with %s", __func__, strerror(errno)); return; } if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) == 
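Review bot: `SSH_SELINUX_UNCONFINED_TYPE` in the first port-linux.c hunk is introduced without a comment, yet its value is format-sensitive: it must include both ':' separators because the comparison in the next hunk starts at `cx`, which the code at the end of this hunk positions on the second ':' of the context string, and the `#ifndef` wrapper is the hook packagers use to override it. Suggest placing above the `#ifndef`: `/* Type field, including the surrounding ':' separators, of an unconfined SELinux context; failures to switch away from it are logged at debug level only. Override at build time for policies that name the type differently. */`. The declaration `void (*switchlog) (const char *fmt,...)` is only well-defined if `logit` and `debug3` are both declared with exactly that signature in log.h, which is not visible here.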
@@ -191,6 +196,14 @@ ssh_selinux_change_context(const char *newname)
 return;
 }
 
+ /*
+ * Check whether we are attempting to switch away from an unconfined
+ * security context.
+ */
+ if (strncmp(cx, SSH_SELINUX_UNCONFINED_TYPE,
+ sizeof(SSH_SELINUX_UNCONFINED_TYPE) - 1) == 0)
+ switchlog = debug3;
+
 newlen = strlen(oldctx) + strlen(newname) + 1;
 newctx = xmalloc(newlen);
 len = cx - oldctx + 1;
@@ -198,11 +211,11 @@ ssh_selinux_change_context(const char *newname)
 strlcpy(newctx + len, newname, newlen - len);
 if ((cx = index(cx + 1, ':')))
 strlcat(newctx, cx, newlen);
- debug3("%s: setting context from '%s' to '%s'", __func__, oldctx,
- newctx);
+ debug3("%s: setting context from '%s' to '%s'", __func__,
+ oldctx, newctx);
 if (setcon(newctx) < 0)
- logit("%s: setcon %s from %s failed with %s", __func__, newctx,
- oldctx, strerror (errno));
+ switchlog("%s: setcon %s from %s failed with %s", __func__,
+ newctx, oldctx, strerror(errno));
 xfree(oldctx);
 xfree(newctx);
 }
-- cgit v1.2.3
From 6efd94f32e7ddf3cfdb94f0a3f91310304f8f6b5 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Sun, 4 Sep 2011 19:04:16 +1000
Subject: - (djm) [regress/connect-privsep.sh regress/test-exec.sh] demote fatal regress errors for the sandbox to warnings. ok tim dtucker
---
 ChangeLog | 4 ++++
 regress/connect-privsep.sh | 3 ++-
 regress/test-exec.sh | 5 +++++
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 9bf90758c..0436c32f6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+20110904
+ - (djm) [regress/connect-privsep.sh regress/test-exec.sh] demote fatal
+ regress errors for the sandbox to warnings. ok tim dtucker
+
 20110829
 - (djm) [openbsd-compat/port-linux.c] Suppress logging when attempting
 to switch SELinux context away from unconfined_t, based on patch from
diff --git a/regress/connect-privsep.sh b/regress/connect-privsep.sh
index e7f938981..11fb9aef9 100644
--- a/regress/connect-privsep.sh
+++ b/regress/connect-privsep.sh
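Review bot: The comment added above the `strncmp` says what is checked but not why the log level changes, which is the whole reason for the hunk; the commit message carries it, but the next reader of the code will not see that. Suggest replacing it with `/* Failing to switch away from an unconfined context is not worth a log entry (bz#1919), so report setcon() failure for that case at debug3 instead of logit(). */`. The comparison also requires the constant to carry its leading ':' since `cx` points at the second separator of the context string. The function continues before and after both hunks.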
@@ -19,6 +19,7 @@ echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy
 for p in 1 2; do
 ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
 if [ $? -ne 0 ]; then
- fail "ssh privsep/sandbox+proxyconnect protocol $p failed"
+ # XXX replace this with fail once sandbox has stabilised
+ warn "ssh privsep/sandbox+proxyconnect protocol $p failed"
 fi
 done
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 5c56aefff..092cfed5b 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -204,6 +204,11 @@ verbose ()
 fi
 }
 
+warn ()
+{
+ echo "WARNING: $@" >>$TEST_SSH_LOGFILE
+ echo "WARNING: $@"
+}
 fail ()
 {
 
-- cgit v1.2.3
From 0dd24e02ec85146660302a7bcc491a0515b983ae Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Sun, 4 Sep 2011 19:59:26 +1000
Subject: - (dtucker) [ssh-keygen.c ssh-pkcs11.c] Bug #1929: add null implementations ofsh-pkcs11.cpkcs_init and pkcs_terminate for building without dlopen support.
---
 ChangeLog | 2 ++
 ssh-keygen.c | 3 ---
 ssh-pkcs11.c | 14 ++++++++++++++
 3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 0436c32f6..e09a6835b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,8 @@
 20110904
 - (djm) [regress/connect-privsep.sh regress/test-exec.sh] demote fatal
 regress errors for the sandbox to warnings. ok tim dtucker
+ - (dtucker) [ssh-keygen.c ssh-pkcs11.c] Bug #1929: add null implementations
+ ofsh-pkcs11.cpkcs_init and pkcs_terminate for building without dlopen support.
 
 20110829
 - (djm) [openbsd-compat/port-linux.c] Suppress logging when attempting
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 49e4eee10..4b6218b10 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -49,10 +49,7 @@
 #include "hostfile.h"
 #include "dns.h"
 #include "ssh2.h"
-
-#ifdef ENABLE_PKCS11
 #include "ssh-pkcs11.h"
-#endif
 
 /* Number of bits in the RSA/DSA key. This value can be set on the command line. */
 #define DEFAULT_BITS 2048
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index 286c232c7..1f4c1c8e4 100644
--- a/ssh-pkcs11.c
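Review bot: In the new `warn ()` in test-exec.sh, `echo "WARNING: $@"` embeds `$@` inside a larger double-quoted word, which POSIX leaves loosely specified; `"$*"` is the form that means "all arguments joined by a space" and is the conventional choice here: `echo "WARNING: $*" >>$TEST_SSH_LOGFILE` and `echo "WARNING: $*"`. A one-line comment above the function that, unlike `fail`, `warn` leaves the test result untouched so a sandbox failure is visible only in the log would document what the connect-privsep.sh hunk in this commit relies on. `fail ()`'s body lies past the end of the hunk.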
+++ b/ssh-pkcs11.c
@@ -590,4 +590,18 @@ fail:
 return (-1);
 }
 
+#else
+
+int
+pkcs11_init(int interactive)
+{
+ return (0);
+}
+
+void
+pkcs11_terminate(void)
+{
+ return;
+}
+
 #endif /* ENABLE_PKCS11 */
-- cgit v1.2.3
From 0b90fd6fd3f63c7df8a3e8a20f885027b0b4826a Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Mon, 5 Sep 2011 10:27:57 +1000
Subject: - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Update version numbers.
---
 ChangeLog | 7 ++++++-
 README | 4 ++--
 contrib/caldera/openssh.spec | 4 ++--
 contrib/redhat/openssh.spec | 2 +-
 contrib/suse/openssh.spec | 2 +-
 5 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index e09a6835b..29578ef0e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,8 +1,13 @@
+20110905
+ - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+ [contrib/suse/openssh.spec] Update version numbers.
+
 20110904
 - (djm) [regress/connect-privsep.sh regress/test-exec.sh] demote fatal
 regress errors for the sandbox to warnings. ok tim dtucker
 - (dtucker) [ssh-keygen.c ssh-pkcs11.c] Bug #1929: add null implementations
- ofsh-pkcs11.cpkcs_init and pkcs_terminate for building without dlopen support.
+ ofsh-pkcs11.cpkcs_init and pkcs_terminate for building without dlopen
+ support.
 
 20110829
 - (djm) [openbsd-compat/port-linux.c] Suppress logging when attempting
diff --git a/README b/README
index 0a772d2bc..093a3849a 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-5.8p2 for the release notes.
+See http://www.openssh.com/txt/release-5.9p1 for the release notes.
 
 - A Japanese translation of this document and of the OpenSSH FAQ is
 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html
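Review bot: The new `pkcs11_init` stub takes `interactive` but never uses it, and `pkcs11_terminate` ends with a bare `return;` that does nothing; with `-Wunused-parameter` the former warns on every build that takes this `#else` branch. The stubs also carry no comment saying why they exist, although the ssh-keygen.c hunk in this commit drops the `#ifdef ENABLE_PKCS11` around the header include, so that file presumably now links against them on such builds. Suggest, directly after `#else`: `/* Stubs for builds without dlopen/PKCS#11 support, so callers need no ENABLE_PKCS11 guards. */`, `(void)interactive;` as the first statement of `pkcs11_init`, and dropping the `return;`.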
@@ -62,4 +62,4 @@ References - [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 [7] http://www.openssh.com/faq.html -$Id: README,v 1.77 2011/06/03 00:35:26 dtucker Exp $ +$Id: README,v 1.77.2.1 2011/09/05 00:27:58 djm Exp $ diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index e6f5a9333..73d441d0c 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -16,7 +16,7 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 -%define version 5.8p2 +%define version 5.9p1 %if %{use_stable} %define cvs %{nil} %define release 1 @@ -363,4 +363,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.75 2011/06/03 00:35:26 dtucker Exp $ +$Id: openssh.spec,v 1.75.2.1 2011/09/05 00:28:11 djm Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 2b927f177..be6de088c 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 5.8p2 +%define ver 5.9p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 4621f548c..3a4dfea37 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 5.8p2 +Version: 5.9p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz -- cgit v1.2.3 From e21c9c2094733fc4778688766cf8ea3c9b473aca Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 5 Sep 2011 15:38:35 +1000 Subject: - (djm) Release OpenSSH-5.9 --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 29578ef0e..f75aa5637 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,6 +1,7 @@ 20110905 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Update version numbers. + - (djm) Release OpenSSH-5.9 20110904 - (djm) [regress/connect-privsep.sh regress/test-exec.sh] demote fatal -- cgit v1.2.3 From 3a7e89697ca363de0f64e0d5704c57219294e41c Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Tue, 6 Sep 2011 09:49:21 +0100 Subject: autoreconf --- config.h.in | 6 ++++++ configure | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+) diff --git a/config.h.in b/config.h.in index baf0011a7..ff651cc4a 100644 --- a/config.h.in +++ b/config.h.in @@ -1441,6 +1441,9 @@ /* Use btmp to log bad logins */ #undef USE_BTMP +/* platform uses an in-memory credentials cache */ +#undef USE_CCAPI + /* Use libedit for sftp */ #undef USE_LIBEDIT @@ -1456,6 +1459,9 @@ /* Use PIPES instead of a socketpair() */ #undef USE_PIPES +/* platform has the Security Authorization Session API */ +#undef USE_SECURITY_SESSION_API + /* Define if you have Solaris process contracts */ #undef USE_SOLARIS_PROCESS_CONTRACTS diff --git a/configure b/configure index 43c437263..c15fdc3cf 100755 --- a/configure +++ b/configure 
@@ -6521,6 +6521,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have the Security Authorization Session API" >&5 +$as_echo_n "checking if we have the Security Authorization Session API... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +SessionCreate(0, 0); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_use_security_session_api="yes" + +$as_echo "#define USE_SECURITY_SESSION_API 1" >>confdefs.h + + LIBS="$LIBS -framework Security" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + ac_cv_use_security_session_api="no" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have an in-memory credentials cache" >&5 +$as_echo_n "checking if we have an in-memory credentials cache... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +cc_context_t c; + (void) cc_initialize (&c, 0, NULL, NULL); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +$as_echo "#define USE_CCAPI 1" >>confdefs.h + + LIBS="$LIBS -framework Security" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + if test "x$ac_cv_use_security_session_api" = "xno"; then + as_fn_error $? "*** Need a security framework to use the credentials cache API ***" "$LINENO" 5 + fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : -- cgit v1.2.3