From b0b12296f9c781e896fecbcab0ecd8223ecacc0a Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 3 Oct 2005 18:23:44 +1000 Subject: - dtucker@cvs.openbsd.org 2005/10/03 07:44:42 [canohost.c] Relocate check_ip_options call to prevent logging of garbage for connections with IP options set. bz#1092 from David Leonard, "looks good" deraadt@ --- canohost.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'canohost.c') diff --git a/canohost.c b/canohost.c index c27086bfd..0c4d36ff6 100644 --- a/canohost.c +++ b/canohost.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: canohost.c,v 1.44 2005/06/17 02:44:32 djm Exp $"); +RCSID("$OpenBSD: canohost.c,v 1.45 2005/10/03 07:44:42 dtucker Exp $"); #include "packet.h" #include "xmalloc.h" @@ -43,9 +43,6 @@ get_remote_hostname(int sock, int use_dns) cleanup_exit(255); } - if (from.ss_family == AF_INET) - check_ip_options(sock, ntop); - ipv64_normalise_mapped(&from, &fromlen); if (from.ss_family == AF_INET6) @@ -55,6 +52,9 @@ get_remote_hostname(int sock, int use_dns) NULL, 0, NI_NUMERICHOST) != 0) fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed"); + if (from.ss_family == AF_INET) + check_ip_options(sock, ntop); + if (!use_dns) return xstrdup(ntop); -- cgit v1.2.3 From 4d3fd54c91dae68ea2642387196015931ee83200 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 5 Nov 2005 15:13:24 +1100 Subject: - dtucker@cvs.openbsd.org 2005/10/30 08:29:29 [canohost.c sshd.c] Check for connections with IP options earlier and drop silently. ok djm@ --- ChangeLog | 5 ++++- canohost.c | 6 ++---- sshd.c | 9 +++++++-- 3 files changed, 13 insertions(+), 7 deletions(-) (limited to 'canohost.c') diff --git a/ChangeLog b/ChangeLog index 112f5728f..52660e2be 100644 --- a/ChangeLog +++ b/ChangeLog @@ -65,6 +65,9 @@ - djm@cvs.openbsd.org 2005/10/30 04:03:24 [ssh.c] fix misleading debug message; ok dtucker@ + - dtucker@cvs.openbsd.org 2005/10/30 08:29:29 + [canohost.c sshd.c] + Check for connections with IP options earlier and drop silently. ok djm@ 20051102 - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup(). @@ -3198,4 +3201,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3942 2005/11/05 04:12:59 djm Exp $ +$Id: ChangeLog,v 1.3943 2005/11/05 04:13:24 djm Exp $ diff --git a/canohost.c b/canohost.c index 0c4d36ff6..66867c10b 100644 --- a/canohost.c +++ b/canohost.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: canohost.c,v 1.45 2005/10/03 07:44:42 dtucker Exp $"); +RCSID("$OpenBSD: canohost.c,v 1.46 2005/10/30 08:29:29 dtucker Exp $"); #include "packet.h" #include "xmalloc.h" @@ -158,9 +158,7 @@ check_ip_options(int sock, char *ipaddr) for (i = 0; i < option_size; i++) snprintf(text + i*3, sizeof(text) - i*3, " %2.2x", options[i]); - logit("Connection from %.100s with IP options:%.800s", - ipaddr, text); - packet_disconnect("Connection from %.100s with IP options:%.800s", + fatal("Connection from %.100s with IP options:%.800s", ipaddr, text); } #endif /* IP_OPTIONS */ diff --git a/sshd.c b/sshd.c index c4d66e2fc..4b5f89e2a 100644 --- a/sshd.c +++ b/sshd.c @@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.315 2005/09/21 23:37:11 djm Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.316 2005/10/30 08:29:29 dtucker Exp $"); #include #include @@ -1651,7 +1651,12 @@ main(int ac, char **av) debug("get_remote_port failed"); cleanup_exit(255); } - remote_ip = get_remote_ipaddr(); + + /* + * We use get_canonical_hostname with usedns = 0 instead of + * get_remote_ipaddr here so IP options will be checked. + */ + remote_ip = get_canonical_hostname(0); #ifdef SSH_AUDIT_EVENTS audit_connection_from(remote_ip, remote_port); -- cgit v1.2.3 From 24ecf612614d83622d9777349b4ecd21ee22bb2a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 5 Nov 2005 15:16:52 +1100 Subject: - dtucker@cvs.openbsd.org 2005/11/03 13:38:29 [canohost.c] Cache reverse lookups with and without DNS separately; ok markus@ --- ChangeLog | 5 ++++- canohost.c | 27 ++++++++++++++------------- serverloop.c | 36 +++++++++++++++++++++++++++++++++++- 3 files changed, 53 insertions(+), 15 deletions(-) (limited to 'canohost.c') diff --git a/ChangeLog b/ChangeLog index e4f703fe2..cefc3e0b4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -90,6 +90,9 @@ - jmc@cvs.openbsd.org 2005/10/31 19:55:25 [ssh-keygen.1] grammar; + - dtucker@cvs.openbsd.org 2005/11/03 13:38:29 + [canohost.c] + Cache reverse lookups with and without DNS separately; ok markus@ 20051102 - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup(). @@ -3223,4 +3226,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3949 2005/11/05 04:16:27 djm Exp $ +$Id: ChangeLog,v 1.3950 2005/11/05 04:16:52 djm Exp $ diff --git a/canohost.c b/canohost.c index 66867c10b..bd7f830de 100644 --- a/canohost.c +++ b/canohost.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: canohost.c,v 1.46 2005/10/30 08:29:29 dtucker Exp $"); +RCSID("$OpenBSD: canohost.c,v 1.47 2005/11/03 13:38:29 dtucker Exp $"); #include "packet.h" #include "xmalloc.h" @@ -198,26 +198,27 @@ ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len) const char * get_canonical_hostname(int use_dns) { + char *host; static char *canonical_host_name = NULL; - static int use_dns_done = 0; + static char *remote_ip = NULL; /* Check if we have previously retrieved name with same option. */ - if (canonical_host_name != NULL) { - if (use_dns_done != use_dns) - xfree(canonical_host_name); - else - return canonical_host_name; - } + if (use_dns && canonical_host_name != NULL) + return canonical_host_name; + if (!use_dns && remote_ip != NULL) + return remote_ip; /* Get the real hostname if socket; otherwise return UNKNOWN. */ if (packet_connection_is_on_socket()) - canonical_host_name = get_remote_hostname( - packet_get_connection_in(), use_dns); + host = get_remote_hostname(packet_get_connection_in(), use_dns); else - canonical_host_name = xstrdup("UNKNOWN"); + host = "UNKNOWN"; - use_dns_done = use_dns; - return canonical_host_name; + if (use_dns) + canonical_host_name = host; + else + remote_ip = host; + return host; } /* diff --git a/serverloop.c b/serverloop.c index 208f7e1e9..03376bacf 100644 --- a/serverloop.c +++ b/serverloop.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: serverloop.c,v 1.120 2005/10/30 08:52:17 djm Exp $"); +RCSID("$OpenBSD: serverloop.c,v 1.121 2005/10/31 11:48:29 djm Exp $"); #include "xmalloc.h" #include "packet.h" @@ -61,6 +61,7 @@ extern ServerOptions options; /* XXX */ extern Kex *xxx_kex; extern Authctxt *the_authctxt; +extern int use_privsep; static Buffer stdin_buffer; /* Buffer for stdin data. */ static Buffer stdout_buffer; /* Buffer for stdout data. */ @@ -90,6 +91,9 @@ static int client_alive_timeouts = 0; static volatile sig_atomic_t child_terminated = 0; /* The child has terminated. */ +/* Cleanup on signals (!use_privsep case only) */ +static volatile sig_atomic_t received_sigterm = 0; + /* prototypes */ static void server_init_dispatch(void); @@ -151,6 +155,12 @@ sigchld_handler(int sig) errno = save_errno; } +static void +sigterm_handler(int sig) +{ + received_sigterm = sig; +} + /* * Make packets from buffered stderr data, and buffer it for sending * to the client. @@ -502,6 +512,12 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) child_terminated = 0; mysignal(SIGCHLD, sigchld_handler); + if (!use_privsep) { + signal(SIGTERM, sigterm_handler); + signal(SIGINT, sigterm_handler); + signal(SIGQUIT, sigterm_handler); + } + /* Initialize our global variables. */ fdin = fdin_arg; fdout = fdout_arg; @@ -629,6 +645,12 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) wait_until_can_do_something(&readset, &writeset, &max_fd, &nalloc, max_time_milliseconds); + if (received_sigterm) { + logit("Exiting on signal %d", received_sigterm); + /* Clean up sessions, utmp, etc. */ + cleanup_exit(255); + } + /* Process any channel events. */ channel_after_select(readset, writeset); @@ -749,6 +771,12 @@ server_loop2(Authctxt *authctxt) connection_in = packet_get_connection_in(); connection_out = packet_get_connection_out(); + if (!use_privsep) { + signal(SIGTERM, sigterm_handler); + signal(SIGINT, sigterm_handler); + signal(SIGQUIT, sigterm_handler); + } + notify_setup(); max_fd = MAX(connection_in, connection_out); @@ -766,6 +794,12 @@ server_loop2(Authctxt *authctxt) wait_until_can_do_something(&readset, &writeset, &max_fd, &nalloc, 0); + if (received_sigterm) { + logit("Exiting on signal %d", received_sigterm); + /* Clean up sessions, utmp, etc. */ + cleanup_exit(255); + } + collect_children(); if (!rekeying) { channel_after_select(readset, writeset); -- cgit v1.2.3 From 5eb137c6d11be7db14dc03ea12a74884bebea3e3 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 31 Dec 2005 16:19:53 +1100 Subject: - (djm) OpenBSD CVS Sync - stevesk@cvs.openbsd.org 2005/12/28 22:46:06 [canohost.c channels.c clientloop.c] use 'break-in' for consistency; ok deraadt@ ok and input jmc@ --- ChangeLog | 8 +++++++- canohost.c | 6 +++--- channels.c | 4 ++-- clientloop.c | 6 +++--- 4 files changed, 15 insertions(+), 9 deletions(-) (limited to 'canohost.c') diff --git a/ChangeLog b/ChangeLog index f86d4090c..451f1b323 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20051229 + - (djm) OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2005/12/28 22:46:06 + [canohost.c channels.c clientloop.c] + use 'break-in' for consistency; ok deraadt@ ok and input jmc@ + 20051229 - (tim) [buildpkg.sh.in] grep for $SSHDUID instead of $SSHDGID on /etc/passwd @@ -3552,4 +3558,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4052 2005/12/28 22:28:08 tim Exp $ +$Id: ChangeLog,v 1.4053 2005/12/31 05:19:53 djm Exp $ diff --git a/canohost.c b/canohost.c index bd7f830de..6ca60e6b4 100644 --- a/canohost.c +++ b/canohost.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: canohost.c,v 1.47 2005/11/03 13:38:29 dtucker Exp $"); +RCSID("$OpenBSD: canohost.c,v 1.48 2005/12/28 22:46:06 stevesk Exp $"); #include "packet.h" #include "xmalloc.h" @@ -102,7 +102,7 @@ get_remote_hostname(int sock, int use_dns) hints.ai_socktype = SOCK_STREAM; if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { logit("reverse mapping checking getaddrinfo for %.700s " - "failed - POSSIBLE BREAKIN ATTEMPT!", name); + "failed - POSSIBLE BREAK-IN ATTEMPT!", name); return xstrdup(ntop); } /* Look for the address from the list of addresses. */ @@ -117,7 +117,7 @@ get_remote_hostname(int sock, int use_dns) if (!ai) { /* Address not found for the host name. */ logit("Address %.100s maps to %.600s, but this does not " - "map back to the address - POSSIBLE BREAKIN ATTEMPT!", + "map back to the address - POSSIBLE BREAK-IN ATTEMPT!", ntop, name); return xstrdup(ntop); } diff --git a/channels.c b/channels.c index e73dc247d..b431532a3 100644 --- a/channels.c +++ b/channels.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.229 2005/12/12 13:46:18 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.230 2005/12/28 22:46:06 stevesk Exp $"); #include "ssh.h" #include "ssh1.h" @@ -3025,7 +3025,7 @@ deny_input_open(int type, u_int32_t seq, void *ctxt) error("deny_input_open: type %d", type); break; } - error("Warning: this is probably a break in attempt by a malicious server."); + error("Warning: this is probably a break-in attempt by a malicious server."); packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); packet_put_int(rchan); packet_send(); diff --git a/clientloop.c b/clientloop.c index 04f2d11be..a71552cad 100644 --- a/clientloop.c +++ b/clientloop.c @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.147 2005/12/07 03:52:22 djm Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.148 2005/12/28 22:46:06 stevesk Exp $"); #include "ssh.h" #include "ssh1.h" @@ -1688,7 +1688,7 @@ client_request_x11(const char *request_type, int rchan) if (!options.forward_x11) { error("Warning: ssh server tried X11 forwarding."); - error("Warning: this is probably a break in attempt by a malicious server."); + error("Warning: this is probably a break-in attempt by a malicious server."); return NULL; } originator = packet_get_string(NULL); @@ -1721,7 +1721,7 @@ client_request_agent(const char *request_type, int rchan) if (!options.forward_agent) { error("Warning: ssh server tried agent forwarding."); - error("Warning: this is probably a break in attempt by a malicious server."); + error("Warning: this is probably a break-in attempt by a malicious server."); return NULL; } sock = ssh_get_authentication_socket(); -- cgit v1.2.3