From 51096383e9bff34c80c9bab424e207767792e782 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 26 Mar 2006 14:30:00 +1100 Subject: - djm@cvs.openbsd.org 2006/03/25 22:22:43 [atomicio.h auth-options.h auth.h auth2-gss.c authfd.h authfile.h] [bufaux.h buffer.h canohost.h channels.h cipher.h clientloop.h] [compat.h compress.h crc32.c crc32.h deattack.h dh.h dispatch.h] [dns.c dns.h getput.h groupaccess.h gss-genr.c gss-serv-krb5.c] [gss-serv.c hostfile.h includes.h kex.h key.h log.h mac.h match.h] [misc.h monitor.h monitor_fdpass.h monitor_mm.h monitor_wrap.h msg.h] [myproposal.h packet.h pathnames.h progressmeter.h readconf.h rsa.h] [scard.h servconf.h serverloop.h session.h sftp-common.h sftp.h] [ssh-gss.h ssh.h ssh1.h ssh2.h sshconnect.h sshlogin.h sshpty.h] [ttymodes.h uidswap.h uuencode.h xmalloc.h] standardise spacing in $OpenBSD$ tags; requested by deraadt@ --- servconf.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'servconf.h') diff --git a/servconf.h b/servconf.h index ab82c8f57..73604a98e 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.72 2005/12/06 22:38:27 reyk Exp $ */ +/* $OpenBSD: servconf.h,v 1.73 2006/03/25 22:22:43 djm Exp $ */ /* * Author: Tatu Ylonen -- cgit v1.2.3 From 917f9b6b6eb560e205a787bd8f38d4b9741c9a9f Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 10 Jul 2006 20:36:47 +1000 Subject: - djm@cvs.openbsd.org 2006/07/06 10:47:05 [servconf.c servconf.h session.c sshd_config.5] support arguments to Subsystem commands; ok markus@ --- ChangeLog | 5 ++++- servconf.c | 14 +++++++++++++- servconf.h | 3 ++- session.c | 11 ++++++----- sshd_config.5 | 6 +++--- 5 files changed, 28 insertions(+), 11 deletions(-) (limited to 'servconf.h') diff --git a/ChangeLog b/ChangeLog index 70f96ef77..2e45ea652 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -35,6 +35,9 @@ [serverloop.c sshconnect.c uuencode.c] move #include out of includes.h; ok deraadt@ (also ssh-rand-helper.c logintest.c loginrec.c) + - djm@cvs.openbsd.org 2006/07/06 10:47:05 + [servconf.c servconf.h session.c sshd_config.5] + support arguments to Subsystem commands; ok markus@ 20060706 - (dtucker) [configure.ac] Try AIX blibpath test in different order when @@ -4768,4 +4771,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4368 2006/07/10 10:35:38 djm Exp $ +$Id: ChangeLog,v 1.4369 2006/07/10 10:36:47 djm Exp $ diff --git a/servconf.c b/servconf.c index 43372e20f..af0ad1a35 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.150 2006/03/25 13:17:02 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.151 2006/07/06 10:47:05 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -446,6 +446,7 @@ process_server_config_line(ServerOptions *options, char *line, ServerOpCodes opcode; u_short port; u_int i; + size_t len; cp = line; if ((arg = strdelim(&cp)) == NULL) @@ -901,6 +902,17 @@ parse_flag: fatal("%s line %d: Missing subsystem command.", filename, linenum); options->subsystem_command[options->num_subsystems] = xstrdup(arg); + + /* Collect arguments (separate to executable) */ + p = xstrdup(arg); + len = strlen(p) + 1; + while ((arg = strdelim(&cp)) != NULL && *arg != '\0') { + len += 1 + strlen(arg); + p = xrealloc(p, 1, len); + strlcat(p, " ", len); + strlcat(p, arg, len); + } + options->subsystem_args[options->num_subsystems] = p; options->num_subsystems++; break; diff --git a/servconf.h b/servconf.h index 73604a98e..671050e4c 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.73 2006/03/25 22:22:43 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.74 2006/07/06 10:47:05 djm Exp $ */ /* * Author: Tatu Ylonen 
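Review bot: The loop after `p = xstrdup(arg)` re-joins the tokens returned by `strdelim()` with single spaces, so any quoting used in sshd_config to keep whitespace inside one argument is gone by the time the string is stored. If `subsystem_args[i]` is later handed to a shell (its consumer in session.c is only partly visible on this page), such an argument would be split or reinterpreted; either document that Subsystem arguments are shell-parsed or keep the raw remainder of the line instead. The array also holds the program name followed by its arguments, not the arguments alone, so a comment such as `/* full command line: program plus space-joined arguments */` on the assignment would stop it being misread. The enclosing case starts and ends outside the hunk.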
@@ -111,6 +111,7 @@ typedef struct { u_int num_subsystems; char *subsystem_name[MAX_SUBSYSTEMS]; char *subsystem_command[MAX_SUBSYSTEMS]; + char *subsystem_args[MAX_SUBSYSTEMS]; u_int num_accept_env; char *accept_env[MAX_ACCEPT_ENV]; diff --git a/session.c b/session.c index cb0e8267c..899c3a16b 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.204 2006/07/02 22:45:59 stevesk Exp $ */ +/* $OpenBSD: session.c,v 1.205 2006/07/06 10:47:05 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1841,7 +1841,7 @@ session_subsystem_req(Session *s) struct stat st; u_int len; int success = 0; - char *cmd, *subsys = packet_get_string(&len); + char *prog, *cmd, *subsys = packet_get_string(&len); u_int i; packet_check_eom(); @@ -1849,9 +1849,10 @@ session_subsystem_req(Session *s) for (i = 0; i < options.num_subsystems; i++) { if (strcmp(subsys, options.subsystem_name[i]) == 0) { - cmd = options.subsystem_command[i]; - if (stat(cmd, &st) < 0) { - error("subsystem: cannot stat %s: %s", cmd, + prog = options.subsystem_command[i]; + cmd = options.subsystem_args[i]; + if (stat(prog, &st) < 0) { + error("subsystem: cannot stat %s: %s", prog, strerror(errno)); break; } diff --git a/sshd_config.5 b/sshd_config.5 index 836add94f..3b639b17d 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.58 2006/07/02 17:12:58 stevesk Exp $ +.\" $OpenBSD: sshd_config.5,v 1.59 2006/07/06 10:47:05 djm Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os 
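Review bot: In the session.c hunk, `stat()` now checks `prog` while `cmd` is taken from the separately stored `options.subsystem_args[i]`, so the existence check and the string that is presumably run afterwards agree only because servconf.c builds both from the same token. A comment at the assignment, e.g. `/* prog is only stat()ed; cmd (prog plus arguments) is what is passed on for execution */`, would make that dependency explicit. The stat is a check-then-use on a path, so it is a diagnostic rather than a guarantee. session_subsystem_req continues outside the hunk.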
@@ -643,8 +643,8 @@ The default is .Dq yes . .It Cm Subsystem Configures an external subsystem (e.g. file transfer daemon). -Arguments should be a subsystem name and a command to execute upon subsystem -request. +Arguments should be a subsystem name and a command (with optional arguments) +to execute upon subsystem request. The command .Xr sftp-server 8 implements the -- cgit v1.2.3 From 4515047e47f26377a46f480ed5929e8ccfa18720 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 12 Jul 2006 22:34:17 +1000 Subject: - dtucker@cvs.openbsd.org 2006/07/12 11:34:58 [sshd.c servconf.h servconf.c sshd_config.5 auth.c] Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config. Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg AllowTcpForwarding yes Match User anoncvs AllowTcpForwarding no will allow port forwarding by all users except "anoncvs". Currently only a very small subset of directives are supported. ok djm@ --- ChangeLog | 14 ++- auth.c | 5 +- servconf.c | 356 ++++++++++++++++++++++++++++++++++++++++++---------------- servconf.h | 11 +- sshd.c | 17 ++- sshd_config.5 | 23 +++- 6 files changed, 314 insertions(+), 112 deletions(-) (limited to 'servconf.h') diff --git a/ChangeLog b/ChangeLog index 2710249f2..5d86e4451 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -43,6 +43,18 @@ - stevesk@cvs.openbsd.org 2006/07/11 20:27:56 [authfile.c ssh.c] need here also (it's also included in ) + - dtucker@cvs.openbsd.org 2006/07/12 11:34:58 + [sshd.c servconf.h servconf.c sshd_config.5 auth.c] + Add support for conditional directives to sshd_config via a "Match" + keyword, which works similarly to the "Host" directive in ssh_config. + Lines after a Match line override the default set in the main section + if the condition on the Match line is true, eg + AllowTcpForwarding yes + Match User anoncvs + AllowTcpForwarding no + will allow port forwarding by all users except "anoncvs". + Currently only a very small subset of directives are supported. + ok djm@ 20060711 - (dtucker) [configure.ac ssh-keygen.c openbsd-compat/bsd-openpty.c @@ -4892,4 +4904,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4399 2006/07/12 12:24:22 dtucker Exp $ +$Id: ChangeLog,v 1.4400 2006/07/12 12:34:17 dtucker Exp $ diff --git a/auth.c b/auth.c index e5ddc79da..3bca8dc21 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.70 2006/07/11 20:07:25 stevesk Exp $ */ +/* $OpenBSD: auth.c,v 1.71 2006/07/12 11:34:58 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -467,6 +467,9 @@ getpwnamallow(const char *user) #endif struct passwd *pw; + parse_server_match_config(&options, user, + get_canonical_hostname(options.use_dns), get_remote_ipaddr()); + pw = getpwnam(user); if (pw == NULL) { logit("Invalid user %.100s from %.100s", diff --git a/servconf.c b/servconf.c index c5b933ab9..42ec340f3 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.152 2006/07/08 21:47:12 stevesk Exp $ */ +/* $OpenBSD: servconf.c,v 1.153 2006/07/12 11:34:58 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
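Review bot: In getpwnamallow(), `parse_server_match_config()` runs on the client-supplied `user` before `getpwnam()` has confirmed the account exists, and it writes into the global `options`. Because `copy_set_server_options()` in the same commit only overwrites fields that a Match block set, values applied for one user name are not reset if this function is entered again with a different name in the same process; whether that can happen depends on callers outside this hunk. A comment stating that assumption, or resetting the Match-controlled fields before each reprocess, would make it safe by construction. The `host` argument comes from `get_canonical_hostname(options.use_dns)`, so a `Match Host` condition is only as trustworthy as that lookup.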
@@ -25,12 +25,14 @@ #include "cipher.h" #include "kex.h" #include "mac.h" +#include "match.h" static void add_listen_addr(ServerOptions *, char *, u_short); static void add_one_listen_addr(ServerOptions *, char *, u_short); /* Use of privilege separation or not */ extern int use_privsep; +extern Buffer cfg; /* Initializes the server options to their default values. */ @@ -105,9 +107,6 @@ initialize_server_options(ServerOptions *options) options->authorized_keys_file2 = NULL; options->num_accept_env = 0; options->permit_tun = -1; - - /* Needs to be accessable in many places */ - use_privsep = -1; } void 
@@ -277,110 +276,116 @@ typedef enum { sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, + sMatch, sUsePrivilegeSeparation, sDeprecated, sUnsupported } ServerOpCodes; +#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ +#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */ +#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH) + /* Textual representation of the tokens. */ static struct { const char *name; ServerOpCodes opcode; + u_int flags; } keywords[] = { /* Portable-specific options */ #ifdef USE_PAM - { "usepam", sUsePAM }, + { "usepam", sUsePAM, SSHCFG_GLOBAL }, #else - { "usepam", sUnsupported }, + { "usepam", sUnsupported, SSHCFG_GLOBAL }, #endif - { "pamauthenticationviakbdint", sDeprecated }, + { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, /* Standard Options */ - { "port", sPort }, - { "hostkey", sHostKeyFile }, - { "hostdsakey", sHostKeyFile }, /* alias */ - { "pidfile", sPidFile }, - { "serverkeybits", sServerKeyBits }, - { "logingracetime", sLoginGraceTime }, - { "keyregenerationinterval", sKeyRegenerationTime }, - { "permitrootlogin", sPermitRootLogin }, - { "syslogfacility", sLogFacility }, - { "loglevel", sLogLevel }, - { "rhostsauthentication", sDeprecated }, - { "rhostsrsaauthentication", sRhostsRSAAuthentication }, - { "hostbasedauthentication", sHostbasedAuthentication }, - { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly }, - { "rsaauthentication", sRSAAuthentication }, - { "pubkeyauthentication", sPubkeyAuthentication }, - { "dsaauthentication", sPubkeyAuthentication }, /* alias */ + { "port", sPort, SSHCFG_GLOBAL }, + { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, + { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ + { "pidfile", sPidFile, SSHCFG_GLOBAL }, + { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, + { "logingracetime", 
sLoginGraceTime, SSHCFG_GLOBAL }, + { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL }, + { "permitrootlogin", sPermitRootLogin, SSHCFG_GLOBAL }, + { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, + { "loglevel", sLogLevel, SSHCFG_GLOBAL }, + { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, + { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL }, + { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_GLOBAL }, + { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL }, + { "rsaauthentication", sRSAAuthentication, SSHCFG_GLOBAL }, + { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, + { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ #ifdef KRB5 - { "kerberosauthentication", sKerberosAuthentication }, - { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, - { "kerberosticketcleanup", sKerberosTicketCleanup }, + { "kerberosauthentication", sKerberosAuthentication, SSHCFG_GLOBAL }, + { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL }, + { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL }, #ifdef USE_AFS - { "kerberosgetafstoken", sKerberosGetAFSToken }, + { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL }, #else - { "kerberosgetafstoken", sUnsupported }, + { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif #else - { "kerberosauthentication", sUnsupported }, - { "kerberosorlocalpasswd", sUnsupported }, - { "kerberosticketcleanup", sUnsupported }, - { "kerberosgetafstoken", sUnsupported }, + { "kerberosauthentication", sUnsupported, SSHCFG_GLOBAL }, + { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL }, + { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, + { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif - { "kerberostgtpassing", sUnsupported }, - { "afstokenpassing", sUnsupported }, + { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, + { "afstokenpassing", 
sUnsupported, SSHCFG_GLOBAL }, #ifdef GSSAPI - { "gssapiauthentication", sGssAuthentication }, - { "gssapicleanupcredentials", sGssCleanupCreds }, + { "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL }, + { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, #else - { "gssapiauthentication", sUnsupported }, - { "gssapicleanupcredentials", sUnsupported }, + { "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL }, + { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, #endif - { "passwordauthentication", sPasswordAuthentication }, - { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, - { "challengeresponseauthentication", sChallengeResponseAuthentication }, - { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */ - { "checkmail", sDeprecated }, - { "listenaddress", sListenAddress }, - { "addressfamily", sAddressFamily }, - { "printmotd", sPrintMotd }, - { "printlastlog", sPrintLastLog }, - { "ignorerhosts", sIgnoreRhosts }, - { "ignoreuserknownhosts", sIgnoreUserKnownHosts }, - { "x11forwarding", sX11Forwarding }, - { "x11displayoffset", sX11DisplayOffset }, - { "x11uselocalhost", sX11UseLocalhost }, - { "xauthlocation", sXAuthLocation }, - { "strictmodes", sStrictModes }, - { "permitemptypasswords", sEmptyPasswd }, - { "permituserenvironment", sPermitUserEnvironment }, - { "uselogin", sUseLogin }, - { "compression", sCompression }, - { "tcpkeepalive", sTCPKeepAlive }, - { "keepalive", sTCPKeepAlive }, /* obsolete alias */ - { "allowtcpforwarding", sAllowTcpForwarding }, - { "allowusers", sAllowUsers }, - { "denyusers", sDenyUsers }, - { "allowgroups", sAllowGroups }, - { "denygroups", sDenyGroups }, - { "ciphers", sCiphers }, - { "macs", sMacs }, - { "protocol", sProtocol }, - { "gatewayports", sGatewayPorts }, - { "subsystem", sSubsystem }, - { "maxstartups", sMaxStartups }, - { "maxauthtries", sMaxAuthTries }, - { "banner", sBanner }, - { "usedns", sUseDNS }, - { "verifyreversemapping", sDeprecated }, - { 
"reversemappingcheck", sDeprecated }, - { "clientaliveinterval", sClientAliveInterval }, - { "clientalivecountmax", sClientAliveCountMax }, - { "authorizedkeysfile", sAuthorizedKeysFile }, - { "authorizedkeysfile2", sAuthorizedKeysFile2 }, - { "useprivilegeseparation", sUsePrivilegeSeparation}, - { "acceptenv", sAcceptEnv }, - { "permittunnel", sPermitTunnel }, - { NULL, sBadOption } + { "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL }, + { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL }, + { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, + { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ + { "checkmail", sDeprecated, SSHCFG_GLOBAL }, + { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, + { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, + { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, + { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, + { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, + { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, + { "x11forwarding", sX11Forwarding, SSHCFG_GLOBAL }, + { "x11displayoffset", sX11DisplayOffset, SSHCFG_GLOBAL }, + { "x11uselocalhost", sX11UseLocalhost, SSHCFG_GLOBAL }, + { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, + { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, + { "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL }, + { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, + { "uselogin", sUseLogin, SSHCFG_GLOBAL }, + { "compression", sCompression, SSHCFG_GLOBAL }, + { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, + { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ + { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, + { "allowusers", sAllowUsers, SSHCFG_GLOBAL }, + { "denyusers", sDenyUsers, SSHCFG_GLOBAL }, + { "allowgroups", sAllowGroups, SSHCFG_GLOBAL }, + { "denygroups", sDenyGroups, SSHCFG_GLOBAL }, + { "ciphers", sCiphers, 
SSHCFG_GLOBAL }, + { "macs", sMacs, SSHCFG_GLOBAL }, + { "protocol", sProtocol, SSHCFG_GLOBAL }, + { "gatewayports", sGatewayPorts, SSHCFG_ALL }, + { "subsystem", sSubsystem, SSHCFG_GLOBAL }, + { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, + { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL }, + { "banner", sBanner, SSHCFG_GLOBAL }, + { "usedns", sUseDNS, SSHCFG_GLOBAL }, + { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, + { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, + { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL }, + { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL }, + { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL }, + { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL }, + { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL }, + { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL }, + { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL }, + { NULL, sBadOption, 0 } }; /* @@ -389,13 +394,15 @@ static struct { static ServerOpCodes parse_token(const char *cp, const char *filename, - int linenum) + int linenum, u_int *flags) { u_int i; for (i = 0; keywords[i].name; i++) - if (strcasecmp(cp, keywords[i].name) == 0) + if (strcasecmp(cp, keywords[i].name) == 0) { + *flags = keywords[i].flags; return keywords[i].opcode; + } error("%s: line %d: Bad configuration option: %s", filename, linenum, cp); 
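Review bot: No row for `match` is visible in the new `keywords[]` table, although `sMatch` is added to `ServerOpCodes` at the top of this hunk and a `case sMatch:` is added later in the file. With the table as shown, `parse_token()` would log "Bad configuration option" for a `Match` line and never return `sMatch`. A row such as `{ "match", sMatch, SSHCFG_ALL },` before the `{ NULL, sBadOption, 0 }` terminator looks to be needed, unless it was lost from this rendering of the patch.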
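Review bot: In parse_token(), `*flags` is written only when a keyword matches, so on the failure path the caller's variable keeps whatever it held. The visible caller initialises `flags = 0`, which means an unknown keyword inside a Match block at start-up reaches the "is not allowed within a Match block" fatal rather than being counted as a bad option. Adding `*flags = 0;` before the loop and stating in the function comment that flags is zero for unknown keywords would make the contract explicit. The function body ends outside the hunk.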
@@ -440,15 +447,112 @@ add_one_listen_addr(ServerOptions *options, char *addr, u_short port) options->listen_addrs = aitop; } +/* + * The strategy for the Match blocks is that the config file is parsed twice. + * + * The first time is at startup. activep is initialized to 1 and the + * directives in the global context are processed and acted on. Hitting a + * Match directive unsets activep and the directives inside the block are + * checked for syntax only. + * + * The second time is after a connection has been established but before + * authentication. activep is initialized to 2 and global config directives + * are ignored since they have already been processed. If the criteria in a + * Match block is met, activep is set and the subsequent directives + * processed and actioned until EOF or another Match block unsets it. Any + * options set are copied into the main server config. + * + * Potential additions/improvements: + * - Add Match support for pre-kex directives, eg Protocol, Ciphers. + * + * - Add a Tag directive (idea from David Leonard) ala pf, eg: + * Match Address 192.168.0.* + * Tag trusted + * Match Group wheel + * Tag trusted + * Match Tag trusted + * AllowTcpForwarding yes + * GatewayPorts clientspecified + * [...] + * + * - Add a PermittedChannelRequests directive + * Match Group shell + * PermittedChannelRequests session,forwarded-tcpip + */ + +static int +match_cfg_line(char **condition, int line, const char *user, const char *host, + const char *address) +{ + int result = 1; + char *arg, *attrib, *cp = *condition; + size_t len; + + if (user == NULL) + debug3("checking syntax for 'Match %s'", cp); + else + debug3("checking match for '%s' user %s host %s addr %s", cp, + user ? user : "(null)", host ? host : "(null)", + address ? 
address : "(null)"); + + while ((attrib = strdelim(&cp)) && *attrib != '\0') { + if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { + error("Missing Match criteria for %s", attrib); + return -1; + } + len = strlen(arg); + if (strcasecmp(attrib, "user") == 0) { + if (!user) { + result = 0; + continue; + } + if (match_pattern_list(user, arg, len, 0) != 1) + result = 0; + else + debug("user %.100s matched 'User %.100s' at " + "line %d", user, arg, line); + } else if (strcasecmp(attrib, "host") == 0) { + if (!host) { + result = 0; + continue; + } + if (match_hostname(host, arg, len) != 1) + result = 0; + else + debug("connection from %.100s matched 'Host " + "%.100s' at line %d", host, arg, line); + } else if (strcasecmp(attrib, "address") == 0) { + debug("address '%s' arg '%s'", address, arg); + if (!address) { + result = 0; + continue; + } + if (match_hostname(address, arg, len) != 1) + result = 0; + else + debug("connection from %.100s matched 'Address " + "%.100s' at line %d", address, arg, line); + } else { + error("Unsupported Match attribute %s", attrib); + return -1; + } + } + if (user != NULL) + debug3("match %sfound", result ? "" : "not "); + *condition = cp; + return result; +} + int process_server_config_line(ServerOptions *options, char *line, - const char *filename, int linenum) + const char *filename, int linenum, int *activep, const char *user, + const char *host, const char *address) { char *cp, **charptr, *arg, *p; - int *intptr, value, n; + int cmdline = 0, *intptr, value, n; ServerOpCodes opcode; u_short port; - u_int i; + u_int i, flags = 0; size_t len; cp = line; 
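Review bot: In the `address` branch of match_cfg_line(), `debug("address '%s' arg '%s'", address, arg);` runs before the `if (!address)` check, so the start-up syntax pass, which calls with user, host and address all NULL, hands a NULL pointer to `%s`. Move the debug call below the NULL check, or pass `address ? address : "(null)"` as the `debug3` at the top of the function already does. The `debug3("%s:%d setting %s %s", filename, linenum, arg, cp)` added in the next hunk has the same exposure if `cp` is NULL once the last token has been consumed; the later ForceCommand case on this page tests `cp == NULL`, which suggests it can be. process_server_config_line's body continues outside the hunk.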
@@ -461,7 +565,25 @@ process_server_config_line(ServerOptions *options, char *line, return 0; intptr = NULL; charptr = NULL; - opcode = parse_token(arg, filename, linenum); + opcode = parse_token(arg, filename, linenum, &flags); + + if (activep == NULL) { /* We are processing a command line directive */ + cmdline = 1; + activep = &cmdline; + } + if (*activep && opcode != sMatch) + debug3("%s:%d setting %s %s", filename, linenum, arg, cp); + if (*activep == 0 && !(flags & SSHCFG_MATCH)) { + if (user == NULL) { + fatal("%s line %d: Directive '%s' is not allowed " + "within a Match block", filename, linenum, arg); + } else { /* this is a directive we have already processed */ + while (arg) + arg = strdelim(&cp); + return 0; + } + } + switch (opcode) { /* Portable-specific options */ case sUsePAM: @@ -499,7 +621,7 @@ parse_int: fatal("%s line %d: missing integer value.", filename, linenum); value = atoi(arg); - if (*intptr == -1) + if (*activep && *intptr == -1) *intptr = value; break; @@ -579,7 +701,7 @@ parse_filename: if (!arg || *arg == '\0') fatal("%s line %d: missing file name.", filename, linenum); - if (*charptr == NULL) { + if (*activep && *charptr == NULL) { *charptr = tilde_expand_filename(arg, getuid()); /* increase optional counter */ if (intptr != NULL) @@ -630,7 +752,7 @@ parse_flag: else fatal("%s line %d: Bad yes/no argument: %s", filename, linenum, arg); - if (*intptr == -1) + if (*activep && *intptr == -1) *intptr = value; break; @@ -895,6 +1017,10 @@ parse_flag: if (!arg || *arg == '\0') fatal("%s line %d: Missing subsystem name.", filename, linenum); + if (!*activep) { + arg = strdelim(&cp); + break; + } for (i = 0; i < options->num_subsystems; i++) if (strcmp(arg, options->subsystem_name[i]) == 0) fatal("%s line %d: Subsystem '%s' already defined.", 
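Review bot: A directive flagged SSHCFG_MATCH that sits in a non-matching Match block passes the `*activep == 0 && !(flags & SSHCFG_MATCH)` test and falls into the switch, so every case reachable that way has to honour `*activep` itself. This commit adds that guard at `parse_int`, `parse_filename` and `parse_flag`, but `gatewayports` is marked SSHCFG_ALL and no hunk touches its case. If that case assigns `*intptr` outside `parse_flag` (not visible here), a GatewayPorts line in a non-matching block would still be applied on the per-connection pass and copied into the live options. Worth confirming, and a comment above the switch such as `/* cases reachable with SSHCFG_MATCH must not store anything unless *activep */` would record the rule.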
@@ -977,6 +1103,8 @@ parse_flag: if (options->num_accept_env >= MAX_ACCEPT_ENV) fatal("%s line %d: too many allow env.", filename, linenum); + if (!*activep) + break; options->accept_env[options->num_accept_env++] = xstrdup(arg); } @@ -1004,6 +1132,17 @@ parse_flag: *intptr = value; break; + case sMatch: + if (cmdline) + fatal("Match directive not supported as a command-line " + "option"); + value = match_cfg_line(&cp, linenum, user, host, address); + if (value < 0) + fatal("%s line %d: Bad Match condition", filename, + linenum); + *activep = value; + break; + case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); @@ -1060,18 +1199,41 @@ load_server_config(const char *filename, Buffer *conf) } void -parse_server_config(ServerOptions *options, const char *filename, Buffer *conf) +parse_server_match_config(ServerOptions *options, const char *user, + const char *host, const char *address) +{ + ServerOptions mo; + + initialize_server_options(&mo); + parse_server_config(&mo, "reprocess config", &cfg, user, host, address); + copy_set_server_options(options, &mo); +} + +/* Copy any (supported) values that are set */ +void +copy_set_server_options(ServerOptions *dst, ServerOptions *src) +{ + if (src->allow_tcp_forwarding != -1) + dst->allow_tcp_forwarding = src->allow_tcp_forwarding; + if (src->gateway_ports != -1) + dst->gateway_ports = src->gateway_ports; +} + +void +parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, + const char *user, const char *host, const char *address) { - int linenum, bad_options = 0; + int active, linenum, bad_options = 0; char *cp, *obuf, *cbuf; debug2("%s: config %s len %d", __func__, filename, buffer_len(conf)); obuf = cbuf = xstrdup(buffer_ptr(conf)); + active = user ? 0 : 1; linenum = 1; while ((cp = strsep(&cbuf, "\n")) != NULL) { if (process_server_config_line(options, cp, filename, - linenum++) != 0) + linenum++, &active, user, host, address) != 0) bad_options++; } xfree(obuf); 
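Review bot: In parse_server_config(), `active = user ? 0 : 1;` starts the per-connection pass at 0, while the strategy comment added above match_cfg_line() in this commit says activep "is initialized to 2" for that pass; the comment should be corrected to match the code. `copy_set_server_options()` is also the only place that decides which Match-set fields reach the live configuration, so it has to stay in step with the SSHCFG_ALL rows in `keywords[]`. A comment on it such as `/* must list every option flagged SSHCFG_MATCH in keywords[] */` would keep a future Match-capable option from being parsed but never applied.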
diff --git a/servconf.h b/servconf.h index 671050e4c..a74716e6f 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.74 2006/07/06 10:47:05 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.75 2006/07/12 11:34:58 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -142,8 +142,13 @@ typedef struct { void initialize_server_options(ServerOptions *); void fill_default_server_options(ServerOptions *); -int process_server_config_line(ServerOptions *, char *, const char *, int); +int process_server_config_line(ServerOptions *, char *, const char *, int, + int *, const char *, const char *, const char *); void load_server_config(const char *, Buffer *); -void parse_server_config(ServerOptions *, const char *, Buffer *); +void parse_server_config(ServerOptions *, const char *, Buffer *, + const char *, const char *, const char *); +void parse_server_match_config(ServerOptions *, const char *, const char *, + const char *); +void copy_set_server_options(ServerOptions *, ServerOptions *); #endif /* SERVCONF_H */ diff --git a/sshd.c b/sshd.c index f3fe9d184..497525df8 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.336 2006/07/11 20:07:25 stevesk Exp $ */ +/* $OpenBSD: sshd.c,v 1.337 2006/07/12 11:34:58 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -219,12 +219,15 @@ int *startup_pipes = NULL; int startup_pipe; /* in child */ /* variables used for privilege separation */ -int use_privsep; +int use_privsep = -1; struct monitor *pmonitor = NULL; /* global authentication context */ Authctxt *the_authctxt = NULL; +/* sshd_config buffer */ +Buffer cfg; + /* message to be displayed after login */ Buffer loginmsg; @@ -916,7 +919,6 @@ main(int ac, char **av) Key *key; Authctxt *authctxt; int ret, key_used = 0; - Buffer cfg; #ifdef HAVE_SECUREWARE (void)set_auth_parameters(ac, av); 
@@ -1036,7 +1038,7 @@ main(int ac, char **av) case 'o': line = xstrdup(optarg); if (process_server_config_line(&options, line, - "command-line", 0) != 0) + "command-line", 0, NULL, NULL, NULL, NULL) != 0) exit(1); xfree(line); break; @@ -1094,11 +1096,8 @@ main(int ac, char **av) else load_server_config(config_file_name, &cfg); - parse_server_config(&options, - rexeced_flag ? "rexec" : config_file_name, &cfg); - - if (!rexec_flag) - buffer_free(&cfg); + parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, + &cfg, NULL, NULL, NULL); seed_rng(); diff --git a/sshd_config.5 b/sshd_config.5 index 3b639b17d..0b2646027 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.59 2006/07/06 10:47:05 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.60 2006/07/12 11:34:58 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -463,6 +463,27 @@ for data integrity protection. Multiple algorithms must be comma-separated. The default is: .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . +.It Cm Match +Introduces a conditional block. Keywords on lines following a +.Cm Match +block are only applied if all of the criteria on the +.Cm Match +are satisfied. +The the arguments to +.Cm Match +block are one or more criteria-pattern pairs. +The available criteria are +.Cm User , +.Cm Host , +and +.Cm Address . +Only a subset of keywords may be used on the lines following a +.Cm Match +keyword. +Available keywords are +.Cm AllowTcpForwarding , +and +.Cm GatewayPorts . .It Cm MaxAuthTries Specifies the maximum number of authentication attempts permitted per connection. -- cgit v1.2.3 From e275443f66aab6d46356d6940b8a8b291cab4f9e Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Mon, 24 Jul 2006 14:06:47 +1000 Subject: - dtucker@cvs.openbsd.org 2006/07/19 13:07:10 [servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5] Add ForceCommand keyword to sshd_config, equivalent to the "command=" key option, man page entry and example in sshd_config. Feedback & ok djm@, man page corrections & ok jmc@ --- ChangeLog | 7 ++++++- servconf.c | 22 ++++++++++++++++++++-- servconf.h | 4 +++- session.c | 10 +++++++--- sshd.8 | 5 ++++- sshd_config | 8 +++++++- sshd_config.5 | 15 ++++++++++++++- 7 files changed, 61 insertions(+), 10 deletions(-) (limited to 'servconf.h') diff --git a/ChangeLog b/ChangeLog index e42f8a786..0ae5d3f6c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -56,6 +56,11 @@ [servconf.c sshd_config.5] Add support for X11Forwaring, X11DisplayOffset and X11UseLocalhost to Match. ok djm@ + - dtucker@cvs.openbsd.org 2006/07/19 13:07:10 + [servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5] + Add ForceCommand keyword to sshd_config, equivalent to the "command=" + key option, man page entry and example in sshd_config. + Feedback & ok djm@, man page corrections & ok jmc@ 20060713 - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h @@ -4974,4 +4979,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4421 2006/07/24 04:05:48 djm Exp $ +$Id: ChangeLog,v 1.4422 2006/07/24 04:06:47 djm Exp $ diff --git a/servconf.c b/servconf.c index bc457eebe..e2c1d4458 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.157 2006/07/19 08:56:41 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.158 2006/07/19 13:07:10 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
@@ -113,6 +113,7 @@ initialize_server_options(ServerOptions *options) options->authorized_keys_file2 = NULL; options->num_accept_env = 0; options->permit_tun = -1; + options->adm_forced_command = NULL; } void @@ -282,7 +283,7 @@ typedef enum { sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, - sMatch, sPermitOpen, + sMatch, sPermitOpen, sForceCommand, sUsePrivilegeSeparation, sDeprecated, sUnsupported } ServerOpCodes; @@ -393,6 +394,7 @@ static struct { { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL }, { "match", sMatch, SSHCFG_ALL }, { "permitopen", sPermitOpen, SSHCFG_ALL }, + { "forcecommand", sForceCommand, SSHCFG_ALL }, { NULL, sBadOption, 0 } }; @@ -551,6 +553,8 @@ match_cfg_line(char **condition, int line, const char *user, const char *host, return result; } +#define WHITESPACE " \t\r\n" + int process_server_config_line(ServerOptions *options, char *line, const char *filename, int linenum, int *activep, const char *user, @@ -1173,6 +1177,15 @@ parse_flag: channel_add_adm_permitted_opens(p, port); break; + case sForceCommand: + if (cp == NULL) + fatal("%.200s line %d: Missing argument.", filename, + linenum); + len = strspn(cp, WHITESPACE); + if (*activep && options->adm_forced_command == NULL) + options->adm_forced_command = xstrdup(cp + len); + return 0; + case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); 
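Review bot: In the `sForceCommand` case, the `cp == NULL` test catches a bare keyword, but a line with only whitespace after `ForceCommand` appears to get past it and store an empty string, which `do_exec()` then treats as a forced command because it tests the pointer only. Rejecting that as well, e.g. `if (cp == NULL || cp[strspn(cp, WHITESPACE)] == '\0')`, keeps a typo from turning into an empty command for every matching session. The `return 0` also skips whatever end-of-line handling follows the switch, presumably on purpose since the rest of the line is the command; a short comment saying so would help the next reader.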
@@ -1247,6 +1260,11 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src) dst->allow_tcp_forwarding = src->allow_tcp_forwarding; if (src->gateway_ports != -1) dst->gateway_ports = src->gateway_ports; + if (src->adm_forced_command != NULL) { + if (dst->adm_forced_command != NULL) + xfree(dst->adm_forced_command); + dst->adm_forced_command = src->adm_forced_command; + } if (src->x11_display_offset != -1) dst->x11_display_offset = src->x11_display_offset; if (src->x11_forwarding != -1) diff --git a/servconf.h b/servconf.h index a74716e6f..41dce7686 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.75 2006/07/12 11:34:58 dtucker Exp $ */ +/* $OpenBSD: servconf.h,v 1.76 2006/07/19 13:07:10 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -135,6 +135,8 @@ typedef struct { char *authorized_keys_file; /* File containing public keys */ char *authorized_keys_file2; + char *adm_forced_command; + int use_pam; /* Enable auth via PAM */ int permit_tun; diff --git a/session.c b/session.c index 5441a4762..e189acdf2 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.209 2006/07/11 20:07:25 stevesk Exp $ */ +/* $OpenBSD: session.c,v 1.210 2006/07/19 13:07:10 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -672,10 +672,14 @@ do_pre_login(Session *s) void do_exec(Session *s, const char *command) { - if (forced_command) { + if (options.adm_forced_command) { + original_command = command; + command = options.adm_forced_command; + debug("Forced command (config) '%.900s'", command); + } else if (forced_command) { original_command = command; command = forced_command; - debug("Forced command '%.900s'", command); + debug("Forced command (key option) '%.900s'", command); } #ifdef SSH_AUDIT_EVENTS diff --git a/sshd.8 b/sshd.8 index 48be5a760..778ea906b 100644 --- a/sshd.8 +++ b/sshd.8 
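Review bot: `dst->adm_forced_command = src->adm_forced_command;` in copy_set_server_options() copies the pointer rather than the string, so after the call both ServerOptions structures refer to the same allocation, while the previous dst value has just been passed to xfree(). If the caller later frees or reuses src (not visible in this hunk), dst is left with a dangling pointer that do_exec() then uses as the command to run. Either duplicate the string, `dst->adm_forced_command = xstrdup(src->adm_forced_command);`, or add a comment stating that ownership moves to dst and src must not be freed afterwards. The function begins and ends outside the hunk.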
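Review bot: The new first branch of `do_exec()` makes the sshd_config ForceCommand take precedence over a `command=` key option, and that ordering is documented nowhere: not in a comment here and not in the ForceCommand entry this commit adds to sshd_config.5. An administrator relying on a restrictive per-key `command=` will have it replaced for every session where `options.adm_forced_command` is set, so the precedence should be stated, for example `/* ForceCommand from sshd_config overrides any command= key option */` above the `if`, with a matching sentence in the man page. do_exec() continues past the end of the hunk.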
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.232 2006/07/10 16:04:21 jmc Exp $ +.\" $OpenBSD: sshd.8,v 1.233 2006/07/19 13:07:10 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -481,6 +481,9 @@ to restrict certain public keys to perform just a specific operation. An example might be a key that permits remote backups but nothing else. Note that the client may specify TCP and/or X11 forwarding unless they are explicitly prohibited. +The command originally supplied by the client is available in the +.Ev SSH_ORIGINAL_COMMAND +environment variable. Note that this option applies to shell, command or subsystem execution. .It Cm environment="NAME=value" Specifies that the string is to be added to the environment when diff --git a/sshd_config b/sshd_config index 57f9a17bb..6a3cad886 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ +# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -104,3 +104,9 @@ # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# ForceCommand cvs server diff --git a/sshd_config.5 b/sshd_config.5 index 9196b761e..26c895f7a 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.66 2006/07/19 08:56:41 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.67 2006/07/19 13:07:10 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os 
@@ -283,6 +283,18 @@ See in .Xr ssh_config 5 for more information on patterns. +.It Cm ForceCommand +Forces the execution of the command specified by +.Cm ForceCommand , +ignoring any command supplied by the client. +The command is invoked by using the user's login shell with the -c option. +This applies to shell, command, or subsystem execution. +It is most useful inside a +.Cm Match +block. +The command originally supplied by the client is available in the +.Ev SSH_ORIGINAL_COMMAND +environment variable. .It Cm GatewayPorts Specifies whether remote hosts are allowed to connect to ports forwarded for the client. @@ -484,6 +496,7 @@ Only a subset of keywords may be used on the lines following a keyword. Available keywords are .Cm AllowTcpForwarding , +.Cm ForceCommand , .Cm GatewayPorts , .Cm PermitOpen , .Cm X11DisplayOffset , -- cgit v1.2.3 From a765cf4b66ba116626c317204ac317607fe0c848 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 24 Jul 2006 14:08:13 +1000 Subject: - dtucker@cvs.openbsd.org 2006/07/21 12:43:36 [channels.c channels.h servconf.c servconf.h sshd_config.5] Make PermitOpen take a list of permitted ports and act more like most other keywords (ie the first match is the effective setting). This also makes it easier to override a previously set PermitOpen. ok djm@ --- ChangeLog | 7 ++++++- channels.c | 8 ++++---- channels.h | 4 ++-- servconf.c | 32 ++++++++++++++++++++------------ servconf.h | 4 +++- sshd_config.5 | 6 ++---- 6 files changed, 37 insertions(+), 24 deletions(-) (limited to 'servconf.h') diff --git a/ChangeLog b/ChangeLog index 50937e3b3..04fa8c25a 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -65,6 +65,11 @@ [auth1.c serverloop.c session.c sshconnect2.c] missed some needed #include when KERBEROS5=no; issue from massimo@cedoc.mo.it + - dtucker@cvs.openbsd.org 2006/07/21 12:43:36 + [channels.c channels.h servconf.c servconf.h sshd_config.5] + Make PermitOpen take a list of permitted ports and act more like most + other keywords (ie the first match is the effective setting). This + also makes it easier to override a previously set PermitOpen. ok djm@ 20060713 - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h @@ -4983,4 +4988,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4423 2006/07/24 04:07:35 djm Exp $ +$Id: ChangeLog,v 1.4424 2006/07/24 04:08:13 djm Exp $ diff --git a/channels.c b/channels.c index 9aaf7e9d7..c6c5c8899 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.257 2006/07/17 12:06:00 dtucker Exp $ */ +/* $OpenBSD: channels.c,v 1.258 2006/07/21 12:43:36 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -2653,17 +2653,17 @@ channel_add_permitted_opens(char *host, int port) all_opens_permitted = 0; } -void +int channel_add_adm_permitted_opens(char *host, int port) { if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) fatal("channel_add_adm_permitted_opens: too many forwards"); - debug("allow port forwarding to host %s port %d", host, port); + debug("config allows port forwarding to host %s port %d", host, port); permitted_adm_opens[num_adm_permitted_opens].host_to_connect = xstrdup(host); permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port; - num_adm_permitted_opens++; + return ++num_adm_permitted_opens; } void diff --git a/channels.h b/channels.h index c473b730c..ed719f724 100644 --- a/channels.h +++ b/channels.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.86 2006/07/17 12:06:00 dtucker Exp $ */ +/* $OpenBSD: channels.h,v 1.87 2006/07/21 12:43:36 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -207,7 +207,7 @@ int channel_find_open(void); void channel_set_af(int af); void channel_permit_all_opens(void); void channel_add_permitted_opens(char *, int); -void channel_add_adm_permitted_opens(char *, int); +int channel_add_adm_permitted_opens(char *, int); void channel_clear_permitted_opens(void); void channel_clear_adm_permitted_opens(void); int channel_input_port_forward_request(int, int); diff --git a/servconf.c b/servconf.c index e2c1d4458..46558b690 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.158 2006/07/19 13:07:10 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.159 2006/07/21 12:43:36 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -113,6 +113,7 @@ initialize_server_options(ServerOptions *options) options->authorized_keys_file2 = NULL; options->num_accept_env = 0; options->permit_tun = -1; + options->num_permitted_opens = -1; options->adm_forced_command = NULL; } 
@@ -1161,20 +1162,27 @@ parse_flag: fatal("%s line %d: missing PermitOpen specification", filename, linenum); if (strcmp(arg, "any") == 0) { - if (*activep) + if (*activep) { channel_clear_adm_permitted_opens(); + options->num_permitted_opens = 0; + } break; } - p = hpdelim(&arg); - if (p == NULL) - fatal("%s line %d: missing host in PermitOpen", - filename, linenum); - p = cleanhostname(p); - if (arg == NULL || (port = a2port(arg)) == 0) - fatal("%s line %d: bad port number in PermitOpen", - filename, linenum); - if (*activep) - channel_add_adm_permitted_opens(p, port); + for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { + p = hpdelim(&arg); + if (p == NULL) + fatal("%s line %d: missing host in PermitOpen", + filename, linenum); + p = cleanhostname(p); + if (arg == NULL || (port = a2port(arg)) == 0) + fatal("%s line %d: bad port number in " + "PermitOpen", filename, linenum); + if (*activep && options->num_permitted_opens == -1) { + channel_clear_adm_permitted_opens(); + options->num_permitted_opens = + channel_add_adm_permitted_opens(p, port); + } + } break; case sForceCommand: diff --git a/servconf.h b/servconf.h index 41dce7686..0add6518d 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.76 2006/07/19 13:07:10 dtucker Exp $ */ +/* $OpenBSD: servconf.h,v 1.77 2006/07/21 12:43:36 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -140,6 +140,8 @@ typedef struct { int use_pam; /* Enable auth via PAM */ int permit_tun; + + int num_permitted_opens; } ServerOptions; void initialize_server_options(ServerOptions *); diff --git a/sshd_config.5 b/sshd_config.5 index 26c895f7a..ff5457dff 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
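Review bot: Inside the new `for` loop of the sPermitOpen case the guard `options->num_permitted_opens == -1` is true only for the first host:port, because the body assigns the return value of channel_add_adm_permitted_opens() to that same field. Every further forward on the line is therefore parsed and then silently dropped, contrary to the man page text added in this commit, and channel_clear_adm_permitted_opens() sits inside the loop although it should run once. Separately, the `any` branch clears the list and sets the field to 0 without checking for an earlier setting, so a later `PermitOpen any` appears to remove a restriction that was meant to be the effective one. The fix below samples the field once before parsing; `n` is a new int local whose declaration belongs with the function's other locals, outside this hunk.

```c
		n = options->num_permitted_opens;	/* value before this line is applied */
		/* … unchanged: missing-argument check and "any" branch … */
		if (*activep && n == -1)
			channel_clear_adm_permitted_opens();
		for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
			/* … unchanged: hpdelim / cleanhostname / a2port validation … */
			if (*activep && n == -1)
				options->num_permitted_opens =
				    channel_add_adm_permitted_opens(p, port);
		}
```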
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.67 2006/07/19 13:07:10 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.68 2006/07/21 12:43:36 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -564,9 +564,7 @@ The forwarding specification must be one of the following forms: .Sm on .El .Pp -Multiple instances of -.Cm PermitOpen -are permitted. +Multiple forwards may be specified by separating them with whitespace. An argument of .Dq any can be used to remove all restrictions and permit any forwarding requests. -- cgit v1.2.3 From d783435315d8e604998925d5e47b663a500ed252 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Sat, 5 Aug 2006 12:39:39 +1000 Subject: - deraadt@cvs.openbsd.org 2006/08/03 03:34:42 [OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c] [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c] [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ] [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c] [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c] [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c] [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c] [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c] [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c] [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c] [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h] [serverloop.c session.c session.h sftp-client.c sftp-common.c] [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c] [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c] [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c] [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c] [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h] [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h] almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step NB. portable commit contains everything *except* removing includes.h, as that will take a fair bit more work as we move headers that are required for portability workarounds to defines.h. 
(also, this step wasn't "easy") --- ChangeLog | 30 +++++++++++++++++++++++++++++- OVERVIEW | 3 +-- atomicio.c | 3 ++- atomicio.h | 7 +------ auth-bsdauth.c | 11 ++++++++++- auth-chall.c | 8 ++++++-- auth-krb5.c | 11 +++++++++-- auth-options.c | 12 ++++++++++-- auth-options.h | 6 +----- auth-passwd.c | 5 ++++- auth-rh-rsa.c | 8 ++++++-- auth-rhosts.c | 6 +++++- auth-rsa.c | 11 ++++++++--- auth-skey.c | 5 ++++- auth.c | 10 +++++++--- auth.h | 11 +---------- auth1.c | 8 +++++++- auth2-chall.c | 9 +++++++-- auth2-gss.c | 14 +++++++------- auth2-hostbased.c | 12 ++++++++---- auth2-kbdint.c | 9 +++++++-- auth2-none.c | 10 ++++++++-- auth2-passwd.c | 11 ++++++++++- auth2-pubkey.c | 12 ++++++++---- auth2.c | 10 +++++++--- authfd.c | 7 ++++--- authfd.h | 4 +--- authfile.c | 6 +++--- bufaux.c | 7 +++++-- bufbn.c | 7 +++++-- buffer.c | 3 ++- buffer.h | 38 +++++++++++++++++++++++++++++++++++++- canohost.c | 5 +++-- channels.c | 9 +++++---- channels.h | 4 +--- cipher-3des1.c | 4 +++- cipher-bf1.c | 4 +++- cipher-ctr.c | 6 ++++-- cipher.c | 5 ++++- cleanup.c | 5 ++++- clientloop.c | 8 ++++---- compat.c | 7 +++++-- compress.c | 6 +++++- deattack.c | 8 ++++++-- dh.c | 2 +- dispatch.c | 6 +++++- dns.c | 2 +- dns.h | 9 +-------- fatal.c | 4 +++- groupaccess.c | 5 +++-- groupaccess.h | 4 +--- gss-genr.c | 6 ++++-- gss-serv-krb5.c | 9 +++++++-- gss-serv.c | 10 +++++++--- hostfile.c | 4 ++-- includes.h | 3 --- kex.c | 12 ++++++------ kex.h | 8 +------- kexdh.c | 9 +++++++-- kexdhc.c | 7 ++++++- kexdhs.c | 9 ++++++++- kexgex.c | 8 ++++++-- kexgexc.c | 7 ++++++- kexgexs.c | 8 +++++++- key.c | 6 ++++-- key.h | 4 +--- log.c | 6 ++++-- log.h | 8 +------- loginrec.c | 4 +++- loginrec.h | 4 ---- mac.c | 7 ++++++- match.c | 6 ++++-- md-sha256.c | 4 +++- misc.c | 6 +++--- misc.h | 7 +------ moduli.c | 3 ++- monitor.c | 15 ++++++++++----- monitor_fdpass.c | 3 ++- monitor_mm.c | 7 +++++-- monitor_mm.h | 3 +-- monitor_wrap.c | 25 +++++++++++++------------ monitor_wrap.h | 10 +--------- msg.c | 6 
+++++- nchan.c | 3 ++- openbsd-compat/port-aix.c | 7 +++++-- openbsd-compat/port-tun.h | 2 -- packet.c | 8 +++----- progressmeter.c | 3 ++- readconf.c | 7 +++++-- readconf.h | 4 +--- readpass.c | 2 +- rsa.c | 6 ++++-- scard.c | 8 +++++--- scard.h | 4 +--- scp.c | 3 ++- servconf.c | 8 ++++++-- servconf.h | 4 +--- serverloop.c | 8 ++++++-- session.c | 15 ++++++++------- session.h | 6 +----- sftp-client.c | 12 ++++++------ sftp-common.c | 6 +++--- sftp-common.h | 7 +------ sftp-glob.c | 4 ++-- sftp-server.c | 12 +++++++----- sftp.c | 6 ++++-- ssh-add.c | 5 +++-- ssh-agent.c | 5 ++--- ssh-dss.c | 5 +++-- ssh-gss.h | 4 +--- ssh-keygen.c | 3 +-- ssh-keyscan.c | 7 ++++--- ssh-keysign.c | 6 +++--- ssh-rsa.c | 6 ++++-- ssh.c | 7 +++---- ssh.h | 16 +--------------- sshconnect.c | 6 ++++-- sshconnect.h | 11 +---------- sshconnect1.c | 14 ++++++++++---- sshconnect2.c | 9 ++++++--- sshd.c | 18 +++++++++++------- sshlogin.c | 4 +++- sshlogin.h | 9 +-------- sshpty.c | 7 ++++--- sshpty.h | 10 +--------- sshtty.c | 4 +++- ttymodes.c | 6 ++++-- uidswap.c | 5 ++--- uidswap.h | 11 +---------- uuencode.c | 4 +--- uuencode.h | 8 +------- xmalloc.c | 3 +-- xmalloc.h | 7 +------ 133 files changed, 584 insertions(+), 412 deletions(-) (limited to 'servconf.h') diff --git a/ChangeLog b/ChangeLog index b955ea8a4..7f48d236e 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -54,6 +54,34 @@ - stevesk@cvs.openbsd.org 2006/08/01 23:36:12 [authfile.c channels.c progressmeter.c scard.c servconf.c ssh.c] clean extra spaces + - deraadt@cvs.openbsd.org 2006/08/03 03:34:42 + [OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c] + [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c] + [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c] + [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ] + [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c] + [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c] + [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] + [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c] + [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] + [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c] + [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c] + [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c] + [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c] + [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h] + [serverloop.c session.c session.h sftp-client.c sftp-common.c] + [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c] + [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c] + [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c] + [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c] + [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h] + [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h] + almost entirely get rid of the culture of ".h files that include .h files" + ok djm, sort of ok stevesk + makes the pain stop in one easy step + NB. 
portable commit contains everything *except* removing includes.h, as + that will take a fair bit more work as we move headers that are required + for portability workarounds to defines.h. (also, this step wasn't "easy") 20060804 - (dtucker) [configure.ac] The "crippled AES" test does not work on recent @@ -5124,4 +5152,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4451 2006/08/05 01:38:40 djm Exp $ +$Id: ChangeLog,v 1.4452 2006/08/05 02:39:39 djm Exp $ diff --git a/OVERVIEW b/OVERVIEW index 64b6f75fa..2e1cc0ba3 100644 --- a/OVERVIEW +++ b/OVERVIEW @@ -162,8 +162,7 @@ these programs. - There are several other files in the distribution that contain various auxiliary routines: ssh.h the main header file for ssh (various definitions) - includes.h includes most system headers. Lots of #ifdefs. uidswap.c uid-swapping xmalloc.c "safe" malloc routines -$OpenBSD: OVERVIEW,v 1.10 2006/04/01 05:37:46 djm Exp $ +$OpenBSD: OVERVIEW,v 1.11 2006/08/03 03:34:41 deraadt Exp $ diff --git a/atomicio.c b/atomicio.c index 4ff990fd3..f651a292c 100644 --- a/atomicio.c +++ b/atomicio.c @@ -1,4 +1,4 @@ -/* $OpenBSD: atomicio.c,v 1.22 2006/07/26 02:35:17 stevesk Exp $ */ +/* $OpenBSD: atomicio.c,v 1.23 2006/08/03 03:34:41 deraadt Exp $ */ /* * Copyright (c) 2006 Damien Miller. All rights reserved. * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved. @@ -29,6 +29,7 @@ #include "includes.h" #include +#include #include #include diff --git a/atomicio.h b/atomicio.h index 05b97ab8b..2fcd25d43 100644 --- a/atomicio.h +++ b/atomicio.h @@ -1,4 +1,4 @@ -/* $OpenBSD: atomicio.h,v 1.9 2006/07/30 20:15:19 stevesk Exp $ */ +/* $OpenBSD: atomicio.h,v 1.10 2006/08/03 03:34:41 deraadt Exp $ */ /* * Copyright (c) 2006 Damien Miller. All rights reserved. 
@@ -29,11 +29,6 @@ #ifndef _ATOMICIO_H #define _ATOMICIO_H -#include -#include - -#include - /* * Ensure all of data on socket comes through. f==read || f==vwrite */ diff --git a/auth-bsdauth.c b/auth-bsdauth.c index c309e4a11..f718e5d38 100644 --- a/auth-bsdauth.c +++ b/auth-bsdauth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-bsdauth.c,v 1.9 2006/03/25 13:17:01 djm Exp $ */ +/* $OpenBSD: auth-bsdauth.c,v 1.10 2006/08/03 03:34:41 deraadt Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -22,12 +22,21 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + #include "includes.h" +#include + #ifdef BSD_AUTH #include "xmalloc.h" +#include "key.h" +#include "hostfile.h" #include "auth.h" #include "log.h" +#include "buffer.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif #include "monitor_wrap.h" static void * diff --git a/auth-chall.c b/auth-chall.c index 023e7ee01..9c1079a17 100644 --- a/auth-chall.c +++ b/auth-chall.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-chall.c,v 1.11 2006/03/25 13:17:01 djm Exp $ */ +/* $OpenBSD: auth-chall.c,v 1.12 2006/08/03 03:34:41 deraadt Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -25,9 +25,13 @@ #include "includes.h" +#include + +#include "xmalloc.h" +#include "key.h" +#include "hostfile.h" #include "auth.h" #include "log.h" -#include "xmalloc.h" #include "servconf.h" /* limited protocol v1 interface to kbd-interactive authentication */ diff --git a/auth-krb5.c b/auth-krb5.c index 676b8ab1f..868288126 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-krb5.c,v 1.18 2006/05/06 08:35:40 dtucker Exp $ */ +/* $OpenBSD: auth-krb5.c,v 1.19 2006/08/03 03:34:41 deraadt Exp $ */ /* * Kerberos v5 authentication and ticket-passing routines. * 
@@ -30,13 +30,20 @@ #include "includes.h" +#include +#include +#include + +#include "xmalloc.h" #include "ssh.h" #include "ssh1.h" #include "packet.h" -#include "xmalloc.h" #include "log.h" +#include "buffer.h" #include "servconf.h" #include "uidswap.h" +#include "key.h" +#include "hostfile.h" #include "auth.h" #ifdef KRB5 diff --git a/auth-options.c b/auth-options.c index cd904967a..ca5e1c931 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.39 2006/07/22 20:48:22 stevesk Exp $ */ +/* $OpenBSD: auth-options.c,v 1.40 2006/08/03 03:34:41 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -17,17 +17,25 @@ #include #include #include +#include +#include #include "xmalloc.h" #include "match.h" #include "log.h" #include "canohost.h" +#include "buffer.h" #include "channels.h" #include "auth-options.h" #include "servconf.h" #include "misc.h" -#include "monitor_wrap.h" +#include "key.h" +#include "hostfile.h" #include "auth.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif +#include "monitor_wrap.h" /* Flags set authorized_keys flags */ int no_port_forwarding_flag = 0; diff --git a/auth-options.h b/auth-options.h index cd2b030cd..853f8b517 100644 --- a/auth-options.h +++ b/auth-options.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.h,v 1.15 2006/07/06 16:03:53 stevesk Exp $ */ +/* $OpenBSD: auth-options.h,v 1.16 2006/08/03 03:34:41 deraadt Exp $ */ /* * Author: Tatu Ylonen @@ -15,10 +15,6 @@ #ifndef AUTH_OPTIONS_H #define AUTH_OPTIONS_H -#include - -#include - /* Linked list of custom environment strings */ struct envstring { struct envstring *next; diff --git a/auth-passwd.c b/auth-passwd.c index f8df17e6a..be6283796 100644 --- a/auth-passwd.c +++ b/auth-passwd.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth-passwd.c,v 1.39 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: auth-passwd.c,v 1.40 2006/08/03 03:34:41 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -43,11 +43,14 @@ #include #include #include +#include #include "packet.h" #include "buffer.h" #include "log.h" #include "servconf.h" +#include "key.h" +#include "hostfile.h" #include "auth.h" #include "auth-options.h" diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c index 8fa21e12c..eca750275 100644 --- a/auth-rh-rsa.c +++ b/auth-rh-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-rh-rsa.c,v 1.41 2006/07/06 16:03:53 stevesk Exp $ */ +/* $OpenBSD: auth-rh-rsa.c,v 1.42 2006/08/03 03:34:41 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -18,17 +18,21 @@ #include #include +#include #include "packet.h" #include "uidswap.h" #include "log.h" +#include "buffer.h" #include "servconf.h" #include "key.h" #include "hostfile.h" #include "pathnames.h" #include "auth.h" #include "canohost.h" - +#ifdef GSSAPI +#include "ssh-gss.h" +#endif #include "monitor_wrap.h" /* import */ diff --git a/auth-rhosts.c b/auth-rhosts.c index 8dc4ede05..cd0a7967a 100644 --- a/auth-rhosts.c +++ b/auth-rhosts.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-rhosts.c,v 1.40 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: auth-rhosts.c,v 1.41 2006/08/03 03:34:41 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -25,13 +25,17 @@ #include #include #include +#include #include "packet.h" +#include "buffer.h" #include "uidswap.h" #include "pathnames.h" #include "log.h" #include "servconf.h" #include "canohost.h" +#include "key.h" +#include "hostfile.h" #include "auth.h" /* import */ diff --git a/auth-rsa.c b/auth-rsa.c index f3e27e9fa..1c66b86a4 100644 --- a/auth-rsa.c +++ b/auth-rsa.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth-rsa.c,v 1.70 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: auth-rsa.c,v 1.71 2006/08/03 03:34:41 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -26,18 +26,23 @@ #include #include +#include "xmalloc.h" #include "rsa.h" #include "packet.h" -#include "xmalloc.h" #include "ssh1.h" #include "uidswap.h" #include "match.h" +#include "buffer.h" #include "auth-options.h" #include "pathnames.h" #include "log.h" #include "servconf.h" -#include "auth.h" +#include "key.h" #include "hostfile.h" +#include "auth.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif #include "monitor_wrap.h" #include "ssh.h" #include "misc.h" diff --git a/auth-skey.c b/auth-skey.c index 9c981ec83..d49e59b75 100644 --- a/auth-skey.c +++ b/auth-skey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-skey.c,v 1.23 2006/03/25 13:17:01 djm Exp $ */ +/* $OpenBSD: auth-skey.c,v 1.24 2006/08/03 03:34:41 deraadt Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -22,10 +22,13 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + #include "includes.h" #ifdef SKEY +#include + #include #include "xmalloc.h" diff --git a/auth.c b/auth.c index 88a8e22ef..fba32eb96 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.74 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: auth.c,v 1.75 2006/08/03 03:34:41 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * 
@@ -51,17 +51,21 @@ #include "match.h" #include "groupaccess.h" #include "log.h" +#include "buffer.h" #include "servconf.h" +#include "key.h" +#include "hostfile.h" #include "auth.h" #include "auth-options.h" #include "canohost.h" -#include "buffer.h" -#include "bufaux.h" #include "uidswap.h" #include "misc.h" #include "bufaux.h" #include "packet.h" #include "loginrec.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif #include "monitor_wrap.h" /* import */ diff --git a/auth.h b/auth.h index 2c7499573..26158b9dd 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.56 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: auth.h,v 1.57 2006/08/03 03:34:41 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -28,14 +28,8 @@ #ifndef AUTH_H #define AUTH_H -#include - -#include -#include #include -#include -#include "buffer.h" #include #ifdef HAVE_LOGIN_CAP @@ -48,9 +42,6 @@ #include #endif -#include "key.h" -#include "hostfile.h" - typedef struct Authctxt Authctxt; typedef struct Authmethod Authmethod; typedef struct KbdintDevice KbdintDevice; diff --git a/auth1.c b/auth1.c index 2c5585768..34dcf6266 100644 --- a/auth1.c +++ b/auth1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth1.c,v 1.69 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: auth1.c,v 1.70 2006/08/03 03:34:41 deraadt Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -17,6 +17,7 @@ #include #include #include +#include #include "xmalloc.h" #include "rsa.h" @@ -26,10 +27,15 @@ #include "log.h" #include "servconf.h" #include "compat.h" +#include "key.h" +#include "hostfile.h" #include "auth.h" #include "channels.h" #include "session.h" #include "uidswap.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif #include "monitor_wrap.h" #include "buffer.h" diff --git a/auth2-chall.c b/auth2-chall.c index 89b261e61..8358140b9 100644 --- a/auth2-chall.c +++ b/auth2-chall.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-chall.c,v 1.29 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: auth2-chall.c,v 1.30 2006/08/03 03:34:41 deraadt Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Per Allansson. All rights reserved. @@ -23,16 +23,21 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + #include "includes.h" +#include + #include #include +#include "xmalloc.h" #include "ssh2.h" +#include "key.h" +#include "hostfile.h" #include "auth.h" #include "buffer.h" #include "packet.h" -#include "xmalloc.h" #include "dispatch.h" #include "log.h" #include "servconf.h" diff --git a/auth2-gss.c b/auth2-gss.c index 03210673b..67144e495 100644 --- a/auth2-gss.c +++ b/auth2-gss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-gss.c,v 1.14 2006/03/25 22:22:42 djm Exp $ */ +/* $OpenBSD: auth2-gss.c,v 1.15 2006/08/03 03:34:41 deraadt Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -26,18 +26,20 @@ #include "includes.h" -#ifdef GSSAPI +#include +#include "xmalloc.h" +#include "key.h" +#include "hostfile.h" #include "auth.h" #include "ssh2.h" -#include "xmalloc.h" #include "log.h" #include "dispatch.h" +#include "buffer.h" #include "servconf.h" #include "packet.h" -#include "monitor_wrap.h" - #include "ssh-gss.h" +#include "monitor_wrap.h" extern ServerOptions options; @@ -291,5 +293,3 @@ Authmethod method_gssapi = { userauth_gssapi, &options.gss_authentication }; - -#endif /* GSSAPI */ diff --git a/auth2-hostbased.c b/auth2-hostbased.c index 5cb617e1c..663dec5d9 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-hostbased.c,v 1.10 2006/07/22 20:48:22 stevesk Exp $ */ +/* $OpenBSD: auth2-hostbased.c,v 1.11 2006/08/03 03:34:41 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * 
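Review bot: The two auth2-gss.c hunks drop the `#ifdef GSSAPI` / `#endif /* GSSAPI */` pair that wrapped the whole file, while `#include "ssh-gss.h"` and the `method_gssapi` definition stay. Every other file touched in this commit keeps its `#ifdef GSSAPI` around the ssh-gss.h include, so this file is the odd one out. If the build compiles auth2-gss.c unconditionally (the makefile is not part of this page), a configuration without GSSAPI will now fail to build or will register the method unintentionally. I would keep the guard, restoring `#ifdef GSSAPI` after the `#include "includes.h"` line and `#endif /* GSSAPI */` at the end of the file.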
@@ -29,18 +29,22 @@ #include #include +#include -#include "ssh2.h" #include "xmalloc.h" +#include "ssh2.h" #include "packet.h" #include "buffer.h" #include "log.h" #include "servconf.h" #include "compat.h" -#include "bufaux.h" -#include "auth.h" #include "key.h" +#include "hostfile.h" +#include "auth.h" #include "canohost.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif #include "monitor_wrap.h" #include "pathnames.h" diff --git a/auth2-kbdint.c b/auth2-kbdint.c index 796714eec..901596484 100644 --- a/auth2-kbdint.c +++ b/auth2-kbdint.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-kbdint.c,v 1.4 2006/03/25 13:17:01 djm Exp $ */ +/* $OpenBSD: auth2-kbdint.c,v 1.5 2006/08/03 03:34:41 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -25,11 +25,16 @@ #include "includes.h" +#include + +#include "xmalloc.h" #include "packet.h" +#include "key.h" +#include "hostfile.h" #include "auth.h" #include "log.h" +#include "buffer.h" #include "servconf.h" -#include "xmalloc.h" /* import */ extern ServerOptions options; diff --git a/auth2-none.c b/auth2-none.c index d6738175f..1e4afa0e7 100644 --- a/auth2-none.c +++ b/auth2-none.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-none.c,v 1.11 2006/07/09 15:15:10 stevesk Exp $ */ +/* $OpenBSD: auth2-none.c,v 1.12 2006/08/03 03:34:41 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -30,14 +30,20 @@ #include -#include "auth.h" #include "xmalloc.h" +#include "key.h" +#include "hostfile.h" +#include "auth.h" #include "packet.h" #include "log.h" +#include "buffer.h" #include "servconf.h" #include "atomicio.h" #include "compat.h" #include "ssh2.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif #include "monitor_wrap.h" /* import */ diff --git a/auth2-passwd.c b/auth2-passwd.c index a1b65da50..421c5c25d 100644 --- a/auth2-passwd.c +++ b/auth2-passwd.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-passwd.c,v 1.8 2006/07/22 20:48:22 stevesk Exp $ */ +/* $OpenBSD: auth2-passwd.c,v 1.9 2006/08/03 03:34:41 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -25,12 +25,21 @@ #include "includes.h" +#include + #include +#include #include "xmalloc.h" #include "packet.h" #include "log.h" +#include "key.h" +#include "hostfile.h" #include "auth.h" +#include "buffer.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif #include "monitor_wrap.h" #include "servconf.h" diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 41763f763..9863cd9e6 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.14 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.15 2006/08/03 03:34:41 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -30,22 +30,26 @@ #include #include +#include +#include "xmalloc.h" #include "ssh.h" #include "ssh2.h" -#include "xmalloc.h" #include "packet.h" #include "buffer.h" #include "log.h" #include "servconf.h" #include "compat.h" -#include "bufaux.h" -#include "auth.h" #include "key.h" +#include "hostfile.h" +#include "auth.h" #include "pathnames.h" #include "uidswap.h" #include "auth-options.h" #include "canohost.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif #include "monitor_wrap.h" #include "misc.h" diff --git a/auth2.c b/auth2.c index 83d5224c9..2d880b57c 100644 --- a/auth2.c +++ b/auth2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.112 2006/07/22 20:48:22 stevesk Exp $ */ +/* $OpenBSD: auth2.c,v 1.113 2006/08/03 03:34:41 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * 
@@ -28,23 +28,27 @@ #include #include +#include #include -#include "ssh2.h" #include "xmalloc.h" +#include "ssh2.h" #include "packet.h" #include "log.h" +#include "buffer.h" #include "servconf.h" #include "compat.h" +#include "key.h" +#include "hostfile.h" #include "auth.h" #include "dispatch.h" #include "pathnames.h" -#include "monitor_wrap.h" #include "buffer.h" #ifdef GSSAPI #include "ssh-gss.h" #endif +#include "monitor_wrap.h" /* import */ extern ServerOptions options; diff --git a/authfd.c b/authfd.c index f8ee8051d..5c910df13 100644 --- a/authfd.c +++ b/authfd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.c,v 1.79 2006/07/26 13:57:17 stevesk Exp $ */ +/* $OpenBSD: authfd.c,v 1.80 2006/08/03 03:34:41 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -43,16 +43,17 @@ #include +#include #include #include +#include #include #include +#include "xmalloc.h" #include "ssh.h" #include "rsa.h" #include "buffer.h" -#include "bufaux.h" -#include "xmalloc.h" #include "key.h" #include "authfd.h" #include "cipher.h" diff --git a/authfd.h b/authfd.h index 8ad8f2e71..3da256112 100644 --- a/authfd.h +++ b/authfd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.h,v 1.35 2006/03/25 22:22:42 djm Exp $ */ +/* $OpenBSD: authfd.h,v 1.36 2006/08/03 03:34:41 deraadt Exp $ */ /* * Author: Tatu Ylonen @@ -16,8 +16,6 @@ #ifndef AUTHFD_H #define AUTHFD_H -#include "buffer.h" - /* Messages for the authentication agent connection. */ #define SSH_AGENTC_REQUEST_RSA_IDENTITIES 1 #define SSH_AGENT_RSA_IDENTITIES_ANSWER 2 diff --git a/authfile.c b/authfile.c index 400e60b39..675085646 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.75 2006/08/01 23:36:11 stevesk Exp $ */ +/* $OpenBSD: authfile.c,v 1.76 2006/08/03 03:34:41 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -41,6 +41,7 @@ #include #include #include +#include #include #include 
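Review bot: In the auth2.c hunk the added `#include "buffer.h"` after `"log.h"` duplicates the existing `#include "buffer.h"` that remains as context just before `#ifdef GSSAPI`, so the header is now listed twice. The `BUFFER_H` guard makes this harmless at compile time, but since this commit makes include order load-bearing, the list is easier to audit with a single entry. Drop the later one.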
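Review bot: authfd.h loses `#include "buffer.h"` with no comment saying what must now precede it, so the header presumably compiles only when the including .c file pulls in its prerequisites first. The same applies to the other headers stripped in this diff: channels.h, groupaccess.h, kex.h, key.h, log.h, misc.h, monitor_mm.h, monitor_wrap.h, port-tun.h and readconf.h. A one-line comment under each guard, for example `/* Requires "buffer.h" to be included first. */`, would document the ordering for the next person who adds an includer. loginrec.h is also inconsistent in keeping `#include "includes.h"` while log.h and dns.h drop it.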
@@ -53,10 +54,9 @@ #include #include -#include "cipher.h" #include "xmalloc.h" +#include "cipher.h" #include "buffer.h" -#include "bufaux.h" #include "key.h" #include "ssh.h" #include "log.h" diff --git a/bufaux.c b/bufaux.c index a384cc685..cbdc22c64 100644 --- a/bufaux.c +++ b/bufaux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bufaux.c,v 1.43 2006/07/22 20:48:22 stevesk Exp $ */ +/* $OpenBSD: bufaux.c,v 1.44 2006/08/03 03:34:41 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -39,12 +39,15 @@ #include "includes.h" +#include + #include #include +#include -#include "bufaux.h" #include "xmalloc.h" +#include "buffer.h" #include "log.h" #include "misc.h" diff --git a/bufbn.c b/bufbn.c index aa42ea62b..6cf65d372 100644 --- a/bufbn.c +++ b/bufbn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bufbn.c,v 1.2 2006/07/22 20:48:22 stevesk Exp $*/ +/* $OpenBSD: bufbn.c,v 1.3 2006/08/03 03:34:41 deraadt Exp $*/ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -39,12 +39,15 @@ #include "includes.h" +#include + #include #include +#include -#include "bufaux.h" #include "xmalloc.h" +#include "buffer.h" #include "log.h" #include "misc.h" diff --git a/buffer.c b/buffer.c index 25868b94d..e02e1e35c 100644 --- a/buffer.c +++ b/buffer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: buffer.c,v 1.30 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: buffer.c,v 1.31 2006/08/03 03:34:41 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -18,6 +18,7 @@ #include #include +#include #include "xmalloc.h" #include "buffer.h" diff --git a/buffer.h b/buffer.h index 43414ae99..ecc4aea83 100644 --- a/buffer.h +++ b/buffer.h @@ -1,4 +1,4 @@ -/* $OpenBSD: buffer.h,v 1.15 2006/04/16 00:48:52 djm Exp $ */ +/* $OpenBSD: buffer.h,v 1.16 2006/08/03 03:34:41 deraadt Exp $ */ /* * Author: Tatu Ylonen 
@@ -46,4 +46,40 @@ int buffer_get_ret(Buffer *, void *, u_int); int buffer_consume_ret(Buffer *, u_int); int buffer_consume_end_ret(Buffer *, u_int); +#include + +void buffer_put_bignum(Buffer *, const BIGNUM *); +void buffer_put_bignum2(Buffer *, const BIGNUM *); +void buffer_get_bignum(Buffer *, BIGNUM *); +void buffer_get_bignum2(Buffer *, BIGNUM *); + +u_short buffer_get_short(Buffer *); +void buffer_put_short(Buffer *, u_short); + +u_int buffer_get_int(Buffer *); +void buffer_put_int(Buffer *, u_int); + +u_int64_t buffer_get_int64(Buffer *); +void buffer_put_int64(Buffer *, u_int64_t); + +int buffer_get_char(Buffer *); +void buffer_put_char(Buffer *, int); + +void *buffer_get_string(Buffer *, u_int *); +void buffer_put_string(Buffer *, const void *, u_int); +void buffer_put_cstring(Buffer *, const char *); + +#define buffer_skip_string(b) \ + do { u_int l = buffer_get_int(b); buffer_consume(b, l); } while (0) + +int buffer_put_bignum_ret(Buffer *, const BIGNUM *); +int buffer_get_bignum_ret(Buffer *, BIGNUM *); +int buffer_put_bignum2_ret(Buffer *, const BIGNUM *); +int buffer_get_bignum2_ret(Buffer *, BIGNUM *); +int buffer_get_short_ret(u_short *, Buffer *); +int buffer_get_int_ret(u_int *, Buffer *); +int buffer_get_int64_ret(u_int64_t *, Buffer *); +void *buffer_get_string_ret(Buffer *, u_int *); +int buffer_get_char_ret(char *, Buffer *); + #endif /* BUFFER_H */ diff --git a/canohost.c b/canohost.c index c236617d7..dd3972e8d 100644 --- a/canohost.c +++ b/canohost.c @@ -1,4 +1,4 @@ -/* $OpenBSD: canohost.c,v 1.60 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: canohost.c,v 1.61 2006/08/03 03:34:41 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -25,9 +25,10 @@ #include #include #include +#include -#include "packet.h" #include "xmalloc.h" +#include "packet.h" #include "log.h" #include "canohost.h" diff --git a/channels.c b/channels.c index fb4d287d6..dfa1e591b 100644 --- a/channels.c +++ b/channels.c 
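Review bot: The `buffer_skip_string(b)` macro now exported from buffer.h expands `b` twice and declares a local `l`, so an argument with side effects is evaluated twice and a caller variable named `l` used in the argument is captured by the macro's own local. The length it consumes is read from the buffer itself, so skipping safely depends on `buffer_consume` rejecting a length larger than the remaining data, which is not visible in this hunk; a comment stating that contract above the macro would help. Separately, the `_ret` prototypes mix argument orders (`buffer_get_int_ret(u_int *, Buffer *)` against `buffer_get_bignum_ret(Buffer *, BIGNUM *)`) and none of them name their parameters, which makes a swapped call harder to spot in review; naming them, as in `int buffer_get_int_ret(u_int *ret, Buffer *buffer);`, is a cheap fix.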
@@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.264 2006/08/01 23:36:11 stevesk Exp $ */ +/* $OpenBSD: channels.c,v 1.265 2006/08/03 03:34:41 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -41,8 +41,8 @@ #include "includes.h" -#include #include +#include #include #include #ifdef HAVE_SYS_TIME_H @@ -59,21 +59,22 @@ #include #include #include +#include +#include "xmalloc.h" #include "ssh.h" #include "ssh1.h" #include "ssh2.h" #include "packet.h" -#include "xmalloc.h" #include "log.h" #include "misc.h" +#include "buffer.h" #include "channels.h" #include "compat.h" #include "canohost.h" #include "key.h" #include "authfd.h" #include "pathnames.h" -#include "bufaux.h" /* -- channel core */ diff --git a/channels.h b/channels.h index ed719f724..2674f096e 100644 --- a/channels.h +++ b/channels.h @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.87 2006/07/21 12:43:36 dtucker Exp $ */ +/* $OpenBSD: channels.h,v 1.88 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen @@ -38,8 +38,6 @@ #ifndef CHANNEL_H #define CHANNEL_H -#include "buffer.h" - /* Definitions for channel types. */ #define SSH_CHANNEL_X11_LISTENER 1 /* Listening for inet X11 conn. */ #define SSH_CHANNEL_PORT_LISTENER 2 /* Listening on a port. */ diff --git a/cipher-3des1.c b/cipher-3des1.c index 2e8735d54..61798bfde 100644 --- a/cipher-3des1.c +++ b/cipher-3des1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher-3des1.c,v 1.5 2006/07/22 20:48:22 stevesk Exp $ */ +/* $OpenBSD: cipher-3des1.c,v 1.6 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2003 Markus Friedl. All rights reserved. * @@ -25,6 +25,8 @@ #include "includes.h" +#include + #include #include diff --git a/cipher-bf1.c b/cipher-bf1.c index 95b4e5e93..eb4c04777 100644 --- a/cipher-bf1.c +++ b/cipher-bf1.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: cipher-bf1.c,v 1.4 2006/07/22 20:48:22 stevesk Exp $ */ +/* $OpenBSD: cipher-bf1.c,v 1.5 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2003 Markus Friedl. All rights reserved. * @@ -25,6 +25,8 @@ #include "includes.h" +#include + #include #include diff --git a/cipher-ctr.c b/cipher-ctr.c index 105d0bd5b..9733b7d56 100644 --- a/cipher-ctr.c +++ b/cipher-ctr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher-ctr.c,v 1.9 2006/07/22 20:48:22 stevesk Exp $ */ +/* $OpenBSD: cipher-ctr.c,v 1.10 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2003 Markus Friedl * @@ -16,12 +16,14 @@ */ #include "includes.h" +#include + #include #include -#include "log.h" #include "xmalloc.h" +#include "log.h" /* compatibility with old or broken OpenSSL versions */ #include "openbsd-compat/openssl-compat.h" diff --git a/cipher.c b/cipher.c index 20fa59c6a..b264063c4 100644 --- a/cipher.c +++ b/cipher.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.c,v 1.80 2006/07/22 20:48:22 stevesk Exp $ */ +/* $OpenBSD: cipher.c,v 1.81 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -37,9 +37,12 @@ #include "includes.h" +#include + #include #include +#include #include "xmalloc.h" #include "log.h" diff --git a/cleanup.c b/cleanup.c index 0d9f2a6d2..c41ef1c6a 100644 --- a/cleanup.c +++ b/cleanup.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cleanup.c,v 1.4 2006/07/17 01:31:09 stevesk Exp $ */ +/* $OpenBSD: cleanup.c,v 1.5 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2003 Markus Friedl * @@ -17,7 +17,10 @@ #include "config.h" +#include + #include +#include #include "log.h" diff --git a/clientloop.c b/clientloop.c index f9ffa2bb7..132d75a44 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.174 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: clientloop.c,v 1.175 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -82,20 +82,20 @@ #include #include #include +#include #include +#include "xmalloc.h" #include "ssh.h" #include "ssh1.h" #include "ssh2.h" -#include "xmalloc.h" #include "packet.h" #include "buffer.h" #include "compat.h" #include "channels.h" #include "dispatch.h" -#include "buffer.h" -#include "bufaux.h" #include "key.h" +#include "cipher.h" #include "kex.h" #include "log.h" #include "readconf.h" diff --git a/compat.c b/compat.c index e1a8b2bfd..da67f9410 100644 --- a/compat.c +++ b/compat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.c,v 1.75 2006/07/26 13:57:17 stevesk Exp $ */ +/* $OpenBSD: compat.c,v 1.76 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * @@ -25,12 +25,15 @@ #include "includes.h" +#include + #include #include +#include +#include "xmalloc.h" #include "buffer.h" #include "packet.h" -#include "xmalloc.h" #include "compat.h" #include "log.h" #include "match.h" diff --git a/compress.c b/compress.c index 8aba84efa..f5d30b8a6 100644 --- a/compress.c +++ b/compress.c @@ -1,4 +1,4 @@ -/* $OpenBSD: compress.c,v 1.23 2006/03/25 13:17:01 djm Exp $ */ +/* $OpenBSD: compress.c,v 1.24 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -14,6 +14,10 @@ #include "includes.h" +#include + +#include + #include "log.h" #include "buffer.h" #include "zlib.h" diff --git a/deattack.c b/deattack.c index 57a747da5..b4fed7f85 100644 --- a/deattack.c +++ b/deattack.c @@ -1,4 +1,4 @@ -/* $OpenBSD: deattack.c,v 1.28 2006/07/22 20:48:23 stevesk Exp $ */ +/* $OpenBSD: deattack.c,v 1.29 2006/08/03 03:34:42 deraadt Exp $ */ /* * Cryptographic attack detector for ssh - source code * @@ -20,12 +20,16 @@ #include "includes.h" +#include + #include +#include +#include +#include "xmalloc.h" #include "deattack.h" #include "log.h" #include "crc32.h" -#include "xmalloc.h" #include "misc.h" /* SSH Constants */ 
diff --git a/dh.c b/dh.c index 4ca949138..925eedddf 100644 --- a/dh.c +++ b/dh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.c,v 1.41 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: dh.c,v 1.42 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * diff --git a/dispatch.c b/dispatch.c index c1d98a78e..d6b63be4b 100644 --- a/dispatch.c +++ b/dispatch.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dispatch.c,v 1.20 2006/07/23 01:11:05 stevesk Exp $ */ +/* $OpenBSD: dispatch.c,v 1.21 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -22,9 +22,13 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + #include "includes.h" +#include + #include +#include #include "ssh1.h" #include "ssh2.h" diff --git a/dns.c b/dns.c index 008fc596f..229210835 100644 --- a/dns.c +++ b/dns.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dns.c,v 1.22 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: dns.c,v 1.23 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. diff --git a/dns.h b/dns.h index 8f9601824..b2633a1fe 100644 --- a/dns.h +++ b/dns.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dns.h,v 1.9 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: dns.h,v 1.10 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -25,13 +25,6 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include "includes.h" - -#include -#include - -#include - #ifndef DNS_H #define DNS_H diff --git a/fatal.c b/fatal.c index 1f2cd0bc8..5e5aa3fe1 100644 --- a/fatal.c +++ b/fatal.c @@ -1,4 +1,4 @@ -/* $OpenBSD: fatal.c,v 1.6 2006/07/10 16:37:36 stevesk Exp $ */ +/* $OpenBSD: fatal.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2002 Markus Friedl. All rights reserved. * @@ -25,6 +25,8 @@ #include "includes.h" +#include + #include #include "log.h" 
diff --git a/groupaccess.c b/groupaccess.c index 3431691b9..e73f62b22 100644 --- a/groupaccess.c +++ b/groupaccess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: groupaccess.c,v 1.11 2006/07/26 02:35:17 stevesk Exp $ */ +/* $OpenBSD: groupaccess.c,v 1.12 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2001 Kevin Steves. All rights reserved. * @@ -30,9 +30,10 @@ #include #include +#include -#include "groupaccess.h" #include "xmalloc.h" +#include "groupaccess.h" #include "match.h" #include "log.h" diff --git a/groupaccess.h b/groupaccess.h index b0baccfbf..04b449894 100644 --- a/groupaccess.h +++ b/groupaccess.h @@ -1,4 +1,4 @@ -/* $OpenBSD: groupaccess.h,v 1.6 2006/07/02 22:45:59 stevesk Exp $ */ +/* $OpenBSD: groupaccess.h,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2001 Kevin Steves. All rights reserved. @@ -27,8 +27,6 @@ #ifndef GROUPACCESS_H #define GROUPACCESS_H -#include - int ga_init(const char *, gid_t); int ga_match(char * const *, int); void ga_free(void); diff --git a/gss-genr.c b/gss-genr.c index 93dbeeebb..da39479e1 100644 --- a/gss-genr.c +++ b/gss-genr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-genr.c,v 1.12 2006/07/26 02:35:17 stevesk Exp $ */ +/* $OpenBSD: gss-genr.c,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -28,13 +28,15 @@ #ifdef GSSAPI +#include #include +#include #include #include #include "xmalloc.h" -#include "bufaux.h" +#include "buffer.h" #include "log.h" #include "ssh2.h" diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index 7b78cfe0a..006bedad9 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv-krb5.c,v 1.6 2006/07/02 18:36:47 stevesk Exp $ */ +/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 
@@ -29,13 +29,18 @@ #ifdef GSSAPI #ifdef KRB5 +#include + #include -#include "auth.h" #include "xmalloc.h" +#include "key.h" +#include "hostfile.h" +#include "auth.h" #include "log.h" #include "servconf.h" +#include "buffer.h" #include "ssh-gss.h" extern ServerOptions options; diff --git a/gss-serv.c b/gss-serv.c index b5c5538fe..296f63a89 100644 --- a/gss-serv.c +++ b/gss-serv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv.c,v 1.19 2006/07/22 20:48:23 stevesk Exp $ */ +/* $OpenBSD: gss-serv.c,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -28,15 +28,19 @@ #ifdef GSSAPI +#include + #include #include -#include "bufaux.h" +#include "xmalloc.h" +#include "buffer.h" +#include "key.h" +#include "hostfile.h" #include "auth.h" #include "log.h" #include "channels.h" #include "session.h" -#include "xmalloc.h" #include "misc.h" #include "ssh-gss.h" diff --git a/hostfile.c b/hostfile.c index 7ac69e776..08ba44264 100644 --- a/hostfile.c +++ b/hostfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: hostfile.c,v 1.44 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: hostfile.c,v 1.45 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -50,11 +50,11 @@ #include #include +#include "xmalloc.h" #include "match.h" #include "key.h" #include "hostfile.h" #include "log.h" -#include "xmalloc.h" static int extract_salt(const char *s, u_int l, char *salt, size_t salt_len) diff --git a/includes.h b/includes.h index 9b6a63fb3..8e600567d 100644 --- a/includes.h +++ b/includes.h @@ -25,9 +25,6 @@ #ifdef HAVE_LIMITS_H # include /* For PATH_MAX */ #endif -#ifdef HAVE_GETOPT_H -# include -#endif #ifdef HAVE_BSTRING_H # include #endif diff --git a/kex.c b/kex.c index 3525307c3..0c36519a1 100644 --- a/kex.c +++ b/kex.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.75 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: kex.c,v 1.76 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -27,21 +27,21 @@ #include -#include - +#include #include #include #include -#include "ssh2.h" +#include + #include "xmalloc.h" +#include "ssh2.h" #include "buffer.h" -#include "bufaux.h" #include "packet.h" #include "compat.h" #include "cipher.h" -#include "kex.h" #include "key.h" +#include "kex.h" #include "log.h" #include "mac.h" #include "match.h" diff --git a/kex.h b/kex.h index a48c5c885..b1b20f500 100644 --- a/kex.h +++ b/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.43 2006/07/23 01:11:05 stevesk Exp $ */ +/* $OpenBSD: kex.h,v 1.44 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -29,12 +29,6 @@ #include #include -#include - -#include "buffer.h" -#include "cipher.h" -#include "key.h" - #define KEX_DH1 "diffie-hellman-group1-sha1" #define KEX_DH14 "diffie-hellman-group14-sha1" #define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1" diff --git a/kexdh.c b/kexdh.c index 2d13127b8..56e22f5bc 100644 --- a/kexdh.c +++ b/kexdh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexdh.c,v 1.22 2006/03/25 13:17:02 djm Exp $ */ +/* $OpenBSD: kexdh.c,v 1.23 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -25,11 +25,16 @@ #include "includes.h" +#include + +#include + #include #include "buffer.h" -#include "bufaux.h" #include "ssh2.h" +#include "key.h" +#include "cipher.h" #include "kex.h" void diff --git a/kexdhc.c b/kexdhc.c index 9d123e748..bf875ae07 100644 --- a/kexdhc.c +++ b/kexdhc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexdhc.c,v 1.8 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: kexdhc.c,v 1.9 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * 
@@ -25,11 +25,16 @@ #include "includes.h" +#include + #include #include +#include #include "xmalloc.h" +#include "buffer.h" #include "key.h" +#include "cipher.h" #include "kex.h" #include "log.h" #include "packet.h" diff --git a/kexdhs.c b/kexdhs.c index c64cd77cb..7d2c21eed 100644 --- a/kexdhs.c +++ b/kexdhs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexdhs.c,v 1.6 2006/07/22 20:48:23 stevesk Exp $ */ +/* $OpenBSD: kexdhs.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -25,15 +25,22 @@ #include "includes.h" +#include #include +#include #include "xmalloc.h" +#include "buffer.h" #include "key.h" +#include "cipher.h" #include "kex.h" #include "log.h" #include "packet.h" #include "dh.h" #include "ssh2.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif #include "monitor_wrap.h" void diff --git a/kexgex.c b/kexgex.c index 5ab6745a3..b60ab5c53 100644 --- a/kexgex.c +++ b/kexgex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexgex.c,v 1.26 2006/03/25 13:17:02 djm Exp $ */ +/* $OpenBSD: kexgex.c,v 1.27 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -26,10 +26,14 @@ #include "includes.h" +#include + #include +#include #include "buffer.h" -#include "bufaux.h" +#include "key.h" +#include "cipher.h" #include "kex.h" #include "ssh2.h" diff --git a/kexgexc.c b/kexgexc.c index 9c618ec6c..fc48880d4 100644 --- a/kexgexc.c +++ b/kexgexc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexgexc.c,v 1.8 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: kexgexc.c,v 1.9 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -26,11 +26,16 @@ #include "includes.h" +#include + #include #include +#include #include "xmalloc.h" +#include "buffer.h" #include "key.h" +#include "cipher.h" #include "kex.h" #include "log.h" #include "packet.h" 
diff --git a/kexgexs.c b/kexgexs.c index 0b01ed800..7599f2af4 100644 --- a/kexgexs.c +++ b/kexgexs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexgexs.c,v 1.7 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: kexgexs.c,v 1.8 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -30,15 +30,21 @@ #include #include +#include #include "xmalloc.h" +#include "buffer.h" #include "key.h" +#include "cipher.h" #include "kex.h" #include "log.h" #include "packet.h" #include "dh.h" #include "ssh2.h" #include "compat.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif #include "monitor_wrap.h" void diff --git a/key.c b/key.c index 745c474f9..40aab20ea 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.66 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: key.c,v 1.67 2006/08/03 03:34:42 deraadt Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -32,8 +32,11 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + #include "includes.h" +#include + #include #include @@ -44,7 +47,6 @@ #include "rsa.h" #include "uuencode.h" #include "buffer.h" -#include "bufaux.h" #include "log.h" Key * diff --git a/key.h b/key.h index 57af279b8..6873dd793 100644 --- a/key.h +++ b/key.h @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.25 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: key.h,v 1.26 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -29,8 +29,6 @@ #include #include -#include - typedef struct Key Key; enum types { KEY_RSA1, diff --git a/log.c b/log.c index 871bc2c42..6eac73743 100644 --- a/log.c +++ b/log.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: log.c,v 1.37 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: log.c,v 1.38 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -36,6 +36,8 @@ #include "includes.h" +#include + #include #include #include @@ -46,8 +48,8 @@ # include #endif -#include "log.h" #include "xmalloc.h" +#include "log.h" static LogLevel log_level = SYSLOG_LEVEL_INFO; static int log_on_stderr = 1; diff --git a/log.h b/log.h index 15ebc93b5..a8e788a2d 100644 --- a/log.h +++ b/log.h @@ -1,4 +1,4 @@ -/* $OpenBSD: log.h,v 1.13 2006/07/10 16:37:36 stevesk Exp $ */ +/* $OpenBSD: log.h,v 1.14 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen @@ -15,12 +15,6 @@ #ifndef SSH_LOG_H #define SSH_LOG_H -#include "includes.h" - -#include - -#include /* Needed for LOG_AUTHPRIV (if present) */ - /* Supported syslog facilities and levels. */ typedef enum { SYSLOG_FACILITY_DAEMON, diff --git a/loginrec.c b/loginrec.c index 955d42e8f..7850312b6 100644 --- a/loginrec.c +++ b/loginrec.c @@ -159,8 +159,10 @@ #include #include -#include "ssh.h" #include "xmalloc.h" +#include "key.h" +#include "hostfile.h" +#include "ssh.h" #include "loginrec.h" #include "log.h" #include "atomicio.h" diff --git a/loginrec.h b/loginrec.h index 4fe24ac2a..859e1a630 100644 --- a/loginrec.h +++ b/loginrec.h @@ -31,10 +31,6 @@ #include "includes.h" -#include -#include -#include - /** ** you should use the login_* calls to work around platform dependencies **/ diff --git a/mac.c b/mac.c index a59e7edf1..edf9b69bd 100644 --- a/mac.c +++ b/mac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.11 2006/07/22 20:48:23 stevesk Exp $ */ +/* $OpenBSD: mac.c,v 1.12 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * 
@@ -25,13 +25,18 @@ #include "includes.h" +#include + #include #include +#include #include "xmalloc.h" #include "log.h" #include "cipher.h" +#include "buffer.h" +#include "key.h" #include "kex.h" #include "mac.h" #include "misc.h" diff --git a/match.c b/match.c index 8f12ef539..e3c993073 100644 --- a/match.c +++ b/match.c @@ -1,4 +1,4 @@ -/* $OpenBSD: match.c,v 1.25 2006/07/22 20:48:23 stevesk Exp $ */ +/* $OpenBSD: match.c,v 1.26 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -37,11 +37,13 @@ #include "includes.h" +#include + #include #include -#include "match.h" #include "xmalloc.h" +#include "match.h" /* * Returns true if the given string matches the pattern (which may contain ? diff --git a/md-sha256.c b/md-sha256.c index 063a1014f..8c1b3b92d 100644 --- a/md-sha256.c +++ b/md-sha256.c @@ -1,4 +1,4 @@ -/* $OpenBSD: md-sha256.c,v 1.4 2006/07/22 20:48:23 stevesk Exp $ */ +/* $OpenBSD: md-sha256.c,v 1.5 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2005 Damien Miller * @@ -18,6 +18,8 @@ /* EVP wrapper for SHA256 */ #include "includes.h" + +#include #include #if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) diff --git a/misc.c b/misc.c index ef2014f61..78bca2fae 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.63 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: misc.c,v 1.64 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -26,8 +26,8 @@ #include "includes.h" -#include #include +#include #include #include @@ -50,9 +50,9 @@ #include #endif +#include "xmalloc.h" #include "misc.h" #include "log.h" -#include "xmalloc.h" #include "ssh.h" /* remove newline at end of string */ diff --git a/misc.h b/misc.h index 1dded7215..072470bad 100644 --- a/misc.h +++ b/misc.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: misc.h,v 1.34 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: misc.h,v 1.35 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen @@ -15,11 +15,6 @@ #ifndef _MISC_H #define _MISC_H -#include - -#include -#include - /* misc.c */ char *chop(char *); diff --git a/moduli.c b/moduli.c index a164b4f5d..e18929bad 100644 --- a/moduli.c +++ b/moduli.c @@ -1,4 +1,4 @@ -/* $OpenBSD: moduli.c,v 1.17 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: moduli.c,v 1.18 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright 1994 Phil Karn * Copyright 1996-1998, 2003 William Allen Simpson @@ -46,6 +46,7 @@ #include #include #include +#include #include #include "xmalloc.h" diff --git a/monitor.c b/monitor.c index 325179854..595aae1a8 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.84 2006/07/26 13:57:17 stevesk Exp $ */ +/* $OpenBSD: monitor.c,v 1.85 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -30,6 +30,7 @@ #include #include #include +#include "openbsd-compat/sys-tree.h" #include #include @@ -48,8 +49,13 @@ #include +#include "xmalloc.h" #include "ssh.h" +#include "key.h" +#include "buffer.h" +#include "hostfile.h" #include "auth.h" +#include "cipher.h" #include "kex.h" #include "dh.h" #ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */ @@ -70,17 +76,16 @@ #include "servconf.h" #include "monitor.h" #include "monitor_mm.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif #include "monitor_wrap.h" #include "monitor_fdpass.h" -#include "xmalloc.h" #include "misc.h" -#include "buffer.h" -#include "bufaux.h" #include "compat.h" #include "ssh2.h" #ifdef GSSAPI -#include "ssh-gss.h" static Gssctxt *gsscontext = NULL; #endif diff --git a/monitor_fdpass.c b/monitor_fdpass.c index d3e65cbaa..c5fc4c397 100644 --- a/monitor_fdpass.c +++ b/monitor_fdpass.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_fdpass.c,v 1.11 2006/07/22 20:48:23 stevesk Exp $ */ +/* $OpenBSD: monitor_fdpass.c,v 1.12 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright 2001 Niels Provos * All rights reserved. @@ -32,6 +32,7 @@ #include #include +#include #include "log.h" #include "monitor_fdpass.h" diff --git a/monitor_mm.c b/monitor_mm.c index 89a8c9b49..dab747532 100644 --- a/monitor_mm.c +++ b/monitor_mm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_mm.c,v 1.14 2006/07/26 02:35:17 stevesk Exp $ */ +/* $OpenBSD: monitor_mm.c,v 1.15 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright 2002 Niels Provos * All rights reserved. @@ -26,16 +26,19 @@ #include "includes.h" +#include #ifdef HAVE_SYS_MMAN_H #include #endif #include +#include "openbsd-compat/sys-tree.h" #include +#include #include -#include "ssh.h" #include "xmalloc.h" +#include "ssh.h" #include "log.h" #include "monitor_mm.h" diff --git a/monitor_mm.h b/monitor_mm.h index 3499c7521..36a07a06d 100644 --- a/monitor_mm.h +++ b/monitor_mm.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_mm.h,v 1.3 2006/03/25 22:22:43 djm Exp $ */ +/* $OpenBSD: monitor_mm.h,v 1.4 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright 2002 Niels Provos @@ -27,7 +27,6 @@ #ifndef _MM_H_ #define _MM_H_ -#include "openbsd-compat/sys-tree.h" struct mm_share { RB_ENTRY(mm_share) next; diff --git a/monitor_wrap.c b/monitor_wrap.c index 27e2fc7c3..52ea17592 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.49 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.50 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl 
@@ -29,21 +29,25 @@ #include -#include -#include - #include #include +#include #include #include +#include +#include + +#include "xmalloc.h" #include "ssh.h" #include "dh.h" +#include "buffer.h" +#include "key.h" +#include "cipher.h" #include "kex.h" +#include "hostfile.h" #include "auth.h" #include "auth-options.h" -#include "buffer.h" -#include "bufaux.h" #include "packet.h" #include "mac.h" #include "log.h" @@ -55,21 +59,18 @@ #include "zlib.h" #endif #include "monitor.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif #include "monitor_wrap.h" -#include "xmalloc.h" #include "atomicio.h" #include "monitor_fdpass.h" #include "misc.h" #include "servconf.h" -#include "auth.h" #include "channels.h" #include "session.h" -#ifdef GSSAPI -#include "ssh-gss.h" -#endif - /* Imports */ extern int compat20; extern Newkeys *newkeys[]; diff --git a/monitor_wrap.h b/monitor_wrap.h index fd5cccd08..329189c2a 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.h,v 1.19 2006/07/14 01:15:28 stevesk Exp $ */ +/* $OpenBSD: monitor_wrap.h,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright 2002 Niels Provos @@ -28,13 +28,6 @@ #ifndef _MM_WRAP_H_ #define _MM_WRAP_H_ -#include - -#include - -#include "key.h" -#include "buffer.h" - extern int use_privsep; #define PRIVSEP(x) (use_privsep ? mm_##x : x) @@ -61,7 +54,6 @@ int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *); BIGNUM *mm_auth_rsa_generate_challenge(Key *); #ifdef GSSAPI -#include "ssh-gss.h" OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); diff --git a/msg.c b/msg.c index 322472668..cd5f98c4f 100644 --- a/msg.c +++ b/msg.c @@ -1,4 +1,4 @@ -/* $OpenBSD: msg.c,v 1.14 2006/07/22 20:48:23 stevesk Exp $ */ +/* $OpenBSD: msg.c,v 1.15 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2002 Markus Friedl. All rights reserved. * 
@@ -22,13 +22,17 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + #include "includes.h" #include +#include #include +#include #include #include +#include #include "buffer.h" #include "log.h" diff --git a/nchan.c b/nchan.c index 78908c3c6..ad461f4af 100644 --- a/nchan.c +++ b/nchan.c @@ -1,4 +1,4 @@ -/* $OpenBSD: nchan.c,v 1.56 2006/07/22 20:48:23 stevesk Exp $ */ +/* $OpenBSD: nchan.c,v 1.57 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * @@ -30,6 +30,7 @@ #include #include +#include #include "ssh1.h" #include "ssh2.h" diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 2d56e7e4a..a7ced57e9 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -25,11 +25,14 @@ * */ #include "includes.h" + +#include "xmalloc.h" +#include "buffer.h" +#include "key.h" +#include "hostfile.h" #include "auth.h" #include "ssh.h" #include "log.h" -#include "xmalloc.h" -#include "buffer.h" #ifdef _AIX diff --git a/openbsd-compat/port-tun.h b/openbsd-compat/port-tun.h index 86d9272b4..9f7a98614 100644 --- a/openbsd-compat/port-tun.h +++ b/openbsd-compat/port-tun.h @@ -17,8 +17,6 @@ #ifndef _PORT_TUN_H #define _PORT_TUN_H -#include "channels.h" - #if defined(SSH_TUN_LINUX) || defined(SSH_TUN_FREEBSD) # define CUSTOM_SYS_TUN_OPEN int sys_tun_open(int, int); diff --git a/packet.c b/packet.c index acf72f77e..f2e03f800 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.141 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: packet.c,v 1.142 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -57,22 +57,20 @@ #include #include #include +#include #include "xmalloc.h" #include "buffer.h" #include "packet.h" -#include "bufaux.h" #include "crc32.h" - #include "compress.h" #include "deattack.h" #include "channels.h" - #include "compat.h" #include "ssh1.h" #include "ssh2.h" - #include "cipher.h" +#include "key.h" #include "kex.h" #include "mac.h" #include "log.h" diff --git a/progressmeter.c b/progressmeter.c index e8534fa2f..0f95222d2 100644 --- a/progressmeter.c +++ b/progressmeter.c @@ -1,4 +1,4 @@ -/* $OpenBSD: progressmeter.c,v 1.36 2006/08/01 23:36:12 stevesk Exp $ */ +/* $OpenBSD: progressmeter.c,v 1.37 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2003 Nils Nordman. All rights reserved. * @@ -27,6 +27,7 @@ #include #include +#include #include #include diff --git a/readconf.c b/readconf.c index 9975c9d32..c57ea0c82 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.158 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: readconf.c,v 1.159 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -23,19 +23,22 @@ #include #include #include +#include #include #include #include -#include "ssh.h" #include "xmalloc.h" +#include "ssh.h" #include "compat.h" #include "cipher.h" #include "pathnames.h" #include "log.h" +#include "key.h" #include "readconf.h" #include "match.h" #include "misc.h" +#include "buffer.h" #include "kex.h" #include "mac.h" diff --git a/readconf.h b/readconf.h index e99b1ff25..d484f258e 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.70 2006/07/11 18:50:48 markus Exp $ */ +/* $OpenBSD: readconf.h,v 1.71 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen @@ -16,8 +16,6 @@ #ifndef READCONF_H #define READCONF_H -#include "key.h" - /* Data structure for representing a forwarding request. */ typedef struct { diff --git a/readpass.c b/readpass.c index 8af5d444d..bd144c2e3 100644 
--- a/readpass.c +++ b/readpass.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readpass.c,v 1.46 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: readpass.c,v 1.47 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * diff --git a/rsa.c b/rsa.c index c656291ed..875b486c4 100644 --- a/rsa.c +++ b/rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa.c,v 1.27 2006/07/22 20:48:23 stevesk Exp $ */ +/* $OpenBSD: rsa.c,v 1.28 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -62,11 +62,13 @@ #include "includes.h" +#include + #include +#include "xmalloc.h" #include "rsa.h" #include "log.h" -#include "xmalloc.h" void rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key) diff --git a/scard.c b/scard.c index e22da596f..a2d28cba1 100644 --- a/scard.c +++ b/scard.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scard.c,v 1.34 2006/08/01 23:36:12 stevesk Exp $ */ +/* $OpenBSD: scard.c,v 1.35 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -26,14 +26,16 @@ #include "includes.h" #if defined(SMARTCARD) && defined(USE_SECTOK) -#include +#include #include #include +#include + +#include "xmalloc.h" #include "key.h" #include "log.h" -#include "xmalloc.h" #include "misc.h" #include "scard.h" diff --git a/scard.h b/scard.h index 146182261..82efe4839 100644 --- a/scard.h +++ b/scard.h @@ -1,4 +1,4 @@ -/* $OpenBSD: scard.h,v 1.13 2006/03/25 22:22:43 djm Exp $ */ +/* $OpenBSD: scard.h,v 1.14 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -27,8 +27,6 @@ #ifndef SCARD_H #define SCARD_H -#include "key.h" - #define SCARD_ERROR_FAIL -1 #define SCARD_ERROR_NOCARD -2 #define SCARD_ERROR_APPLET -3 diff --git a/scp.c b/scp.c index 8d9de0135..56a3e79ff 100644 --- a/scp.c +++ b/scp.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.154 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: scp.c,v 1.155 2006/08/03 03:34:42 deraadt Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -82,6 +82,7 @@ # include #endif #include +#include #include #include diff --git a/servconf.c b/servconf.c index b1fc45c50..5884b95be 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.163 2006/08/01 23:36:12 stevesk Exp $ */ +/* $OpenBSD: servconf.c,v 1.164 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -19,16 +19,20 @@ #include #include #include +#include #include +#include +#include "xmalloc.h" #include "ssh.h" #include "log.h" +#include "buffer.h" #include "servconf.h" -#include "xmalloc.h" #include "compat.h" #include "pathnames.h" #include "misc.h" #include "cipher.h" +#include "key.h" #include "kex.h" #include "mac.h" #include "match.h" diff --git a/servconf.h b/servconf.h index 0add6518d..2593b1cd1 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.77 2006/07/21 12:43:36 dtucker Exp $ */ +/* $OpenBSD: servconf.h,v 1.78 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen @@ -16,8 +16,6 @@ #ifndef SERVCONF_H #define SERVCONF_H -#include "buffer.h" - #define MAX_PORTS 256 /* Max # ports. */ #define MAX_ALLOW_USERS 256 /* Max # users on allow list. */ diff --git a/serverloop.c b/serverloop.c index 77c4a5a27..6e5fdc2d8 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.143 2006/07/26 02:35:17 stevesk Exp $ */ +/* $OpenBSD: serverloop.c,v 1.144 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -54,6 +54,7 @@ #include #include #include +#include #include "xmalloc.h" #include "packet.h" 
@@ -66,13 +67,16 @@ #include "compat.h" #include "ssh1.h" #include "ssh2.h" +#include "key.h" +#include "cipher.h" +#include "kex.h" +#include "hostfile.h" #include "auth.h" #include "session.h" #include "dispatch.h" #include "auth-options.h" #include "serverloop.h" #include "misc.h" -#include "kex.h" extern ServerOptions options; diff --git a/session.c b/session.c index a6d5ad257..1d63f9f50 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.215 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: session.c,v 1.216 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -58,10 +58,10 @@ #include #include +#include "xmalloc.h" #include "ssh.h" #include "ssh1.h" #include "ssh2.h" -#include "xmalloc.h" #include "sshpty.h" #include "packet.h" #include "buffer.h" @@ -69,7 +69,12 @@ #include "uidswap.h" #include "compat.h" #include "channels.h" -#include "bufaux.h" +#include "key.h" +#include "cipher.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif +#include "hostfile.h" #include "auth.h" #include "auth-options.h" #include "pathnames.h" @@ -86,10 +91,6 @@ #include #endif -#ifdef GSSAPI -#include "ssh-gss.h" -#endif - /* func */ Session *session_new(void); diff --git a/session.h b/session.h index c3a12821f..ee9338e4f 100644 --- a/session.h +++ b/session.h @@ -1,4 +1,4 @@ -/* $OpenBSD: session.h,v 1.28 2006/07/06 16:03:53 stevesk Exp $ */ +/* $OpenBSD: session.h,v 1.29 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -26,10 +26,6 @@ #ifndef SESSION_H #define SESSION_H -#include - -#include - #define TTYSZ 64 typedef struct Session Session; struct Session { diff --git a/sftp-client.c b/sftp-client.c index b7b126d21..e31b2cfaf 100644 --- a/sftp-client.c +++ b/sftp-client.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.73 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.74 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -24,25 +24,25 @@ #include #include +#include "openbsd-compat/sys-queue.h" #ifdef HAVE_SYS_STAT_H # include #endif #ifdef HAVE_SYS_TIME_H # include #endif +#include #include #include #include +#include #include #include #include -#include "openbsd-compat/sys-queue.h" - -#include "buffer.h" -#include "bufaux.h" #include "xmalloc.h" +#include "buffer.h" #include "log.h" #include "atomicio.h" #include "progressmeter.h" @@ -82,7 +82,7 @@ send_msg(int fd, Buffer *m) iov[0].iov_len = sizeof(mlen); iov[1].iov_base = buffer_ptr(m); iov[1].iov_len = buffer_len(m); - + if (atomiciov(writev, fd, iov, 2) != buffer_len(m) + sizeof(mlen)) fatal("Couldn't send packet: %s", strerror(errno)); diff --git a/sftp-common.c b/sftp-common.c index 3faed373e..7ebadcc53 100644 --- a/sftp-common.c +++ b/sftp-common.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-common.c,v 1.19 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: sftp-common.c,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Damien Miller. All rights reserved. @@ -35,11 +35,11 @@ #include #include #include +#include +#include "xmalloc.h" #include "buffer.h" -#include "bufaux.h" #include "log.h" -#include "xmalloc.h" #include "sftp.h" #include "sftp-common.h" diff --git a/sftp-common.h b/sftp-common.h index 9a64dc522..9b5848462 100644 --- a/sftp-common.h +++ b/sftp-common.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-common.h,v 1.9 2006/07/10 16:01:57 stevesk Exp $ */ +/* $OpenBSD: sftp-common.h,v 1.10 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. 
@@ -25,11 +25,6 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include -#include - -#include "buffer.h" - /* Maximum packet that we are willing to send/accept */ #define SFTP_MAX_MSG_LENGTH (256 * 1024) diff --git a/sftp-glob.c b/sftp-glob.c index f8549ea76..cdc270827 100644 --- a/sftp-glob.c +++ b/sftp-glob.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-glob.c,v 1.21 2006/07/22 20:48:23 stevesk Exp $ */ +/* $OpenBSD: sftp-glob.c,v 1.22 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -26,8 +26,8 @@ #include #include "xmalloc.h" - #include "sftp.h" +#include "buffer.h" #include "sftp-common.h" #include "sftp-client.h" diff --git a/sftp-server.c b/sftp-server.c index c0839782d..c57958b0f 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.69 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.70 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * @@ -14,6 +14,7 @@ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + #include "includes.h" #include @@ -30,13 +31,14 @@ #include #include #include +#include #include #include +#include +#include "xmalloc.h" #include "buffer.h" -#include "bufaux.h" #include "log.h" -#include "xmalloc.h" #include "misc.h" #include "uidswap.h" @@ -135,7 +137,7 @@ string_from_portable(int pflags) #define PAPPEND(str) { \ if (*ret != '\0') \ strlcat(ret, ",", sizeof(ret)); \ - strlcat(ret, str, sizeof(ret)); \ + strlcat(ret, str, sizeof(ret)); \ } if (pflags & SSH2_FXF_READ) @@ -1225,7 +1227,7 @@ main(int argc, char **argv) case 'c': /* * Ignore all arguments if we are invoked as a - * shell using "sftp-server -c command" + * shell using "sftp-server -c command" */ skipargs = 1; break; diff --git a/sftp.c b/sftp.c index 82ef58019..cf3dea048 100644 --- a/sftp.c +++ b/sftp.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.90 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: sftp.c,v 1.91 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -18,10 +18,10 @@ #include "includes.h" #include +#include #ifdef HAVE_SYS_STAT_H # include #endif -#include #include #include #include @@ -41,6 +41,7 @@ typedef void EditLine; #include #include #include +#include #include "xmalloc.h" #include "log.h" @@ -48,6 +49,7 @@ typedef void EditLine; #include "misc.h" #include "sftp.h" +#include "buffer.h" #include "sftp-common.h" #include "sftp-client.h" diff --git a/ssh-add.c b/ssh-add.c index a8d98fd1f..518f47066 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.88 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.89 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -50,11 +50,12 @@ #include #include +#include "xmalloc.h" #include "ssh.h" #include "rsa.h" #include "log.h" -#include "xmalloc.h" #include "key.h" +#include "buffer.h" #include "authfd.h" #include "authfile.h" #include "pathnames.h" diff --git a/ssh-agent.c b/ssh-agent.c index 54c2b9c47..e43faae42 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.150 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.151 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -64,11 +64,10 @@ #include #include +#include "xmalloc.h" #include "ssh.h" #include "rsa.h" #include "buffer.h" -#include "bufaux.h" -#include "xmalloc.h" #include "key.h" #include "authfd.h" #include "compat.h" diff --git a/ssh-dss.c b/ssh-dss.c index a8d45a2b4..448f704f6 100644 --- a/ssh-dss.c +++ b/ssh-dss.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-dss.c,v 1.22 2006/07/22 20:48:23 stevesk Exp $ */ +/* $OpenBSD: ssh-dss.c,v 1.23 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -25,6 +25,8 @@ #include "includes.h" +#include + #include #include @@ -32,7 +34,6 @@ #include "xmalloc.h" #include "buffer.h" -#include "bufaux.h" #include "compat.h" #include "log.h" #include "key.h" diff --git a/ssh-gss.h b/ssh-gss.h index d3fd79bf2..0837c9b76 100644 --- a/ssh-gss.h +++ b/ssh-gss.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-gss.h,v 1.6 2006/03/25 22:22:43 djm Exp $ */ +/* $OpenBSD: ssh-gss.h,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. * @@ -28,8 +28,6 @@ #ifdef GSSAPI -#include "buffer.h" - #ifdef HAVE_GSSAPI_H #include #elif defined(HAVE_GSSAPI_GSSAPI_H) diff --git a/ssh-keygen.c b/ssh-keygen.c index d8b793e81..c607e257e 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.153 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.154 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -40,7 +40,6 @@ #include "authfile.h" #include "uuencode.h" #include "buffer.h" -#include "bufaux.h" #include "pathnames.h" #include "log.h" #include "misc.h" diff --git a/ssh-keyscan.c b/ssh-keyscan.c index 701540841..64d4d0870 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keyscan.c,v 1.72 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: ssh-keyscan.c,v 1.73 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright 1995, 1996 by David Mazieres . * 
@@ -23,20 +23,21 @@ #include #include #include +#include #include #include #include "xmalloc.h" #include "ssh.h" #include "ssh1.h" +#include "buffer.h" #include "key.h" +#include "cipher.h" #include "kex.h" #include "compat.h" #include "myproposal.h" #include "packet.h" #include "dispatch.h" -#include "buffer.h" -#include "bufaux.h" #include "log.h" #include "atomicio.h" #include "misc.h" diff --git a/ssh-keysign.c b/ssh-keysign.c index 89fdbda36..1ddb2a058 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keysign.c,v 1.28 2006/07/26 13:57:17 stevesk Exp $ */ +/* $OpenBSD: ssh-keysign.c,v 1.29 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2002 Markus Friedl. All rights reserved. * @@ -22,6 +22,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + #include "includes.h" #include @@ -37,14 +38,13 @@ #include #include +#include "xmalloc.h" #include "log.h" #include "key.h" #include "ssh.h" #include "ssh2.h" #include "misc.h" -#include "xmalloc.h" #include "buffer.h" -#include "bufaux.h" #include "authfile.h" #include "msg.h" #include "canohost.h" diff --git a/ssh-rsa.c b/ssh-rsa.c index 236f77aac..28444c1f9 100644 --- a/ssh-rsa.c +++ b/ssh-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-rsa.c,v 1.38 2006/07/22 20:48:23 stevesk Exp $ */ +/* $OpenBSD: ssh-rsa.c,v 1.39 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2000, 2003 Markus Friedl * @@ -14,8 +14,11 @@ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + #include "includes.h" +#include + #include #include @@ -24,7 +27,6 @@ #include "xmalloc.h" #include "log.h" #include "buffer.h" -#include "bufaux.h" #include "key.h" #include "compat.h" #include "ssh.h" diff --git a/ssh.c b/ssh.c index 10dd8777a..07a4ca3c8 100644 --- a/ssh.c +++ b/ssh.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.292 2006/08/01 23:36:12 stevesk Exp $ */ +/* $OpenBSD: ssh.c,v 1.293 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -69,15 +69,14 @@ #include #include +#include "xmalloc.h" #include "ssh.h" #include "ssh1.h" #include "ssh2.h" #include "compat.h" #include "cipher.h" -#include "xmalloc.h" #include "packet.h" #include "buffer.h" -#include "bufaux.h" #include "channels.h" #include "key.h" #include "authfd.h" @@ -1256,7 +1255,7 @@ load_public_identity_files(void) cp = tilde_expand_filename(options.identity_files[i], original_real_uid); filename = percent_expand(cp, "d", pw->pw_dir, - "u", pw->pw_name, "l", thishost, "h", host, + "u", pw->pw_name, "l", thishost, "h", host, "r", options.user, (char *)NULL); xfree(cp); public = key_load_public(filename, NULL); diff --git a/ssh.h b/ssh.h index ed5fb9aaa..186cfff96 100644 --- a/ssh.h +++ b/ssh.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.h,v 1.77 2006/03/25 22:22:43 djm Exp $ */ +/* $OpenBSD: ssh.h,v 1.78 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen @@ -12,18 +12,6 @@ * called by a name other than "ssh" or "Secure Shell". */ -#ifndef SSH_H -#define SSH_H - -#include /* For struct sockaddr_in */ -#include /* For struct pw */ -#include /* For va_list */ -#include /* For LOG_AUTH and friends */ -#include /* For struct sockaddr_storage */ -#ifdef HAVE_SYS_SELECT_H -# include -#endif - /* Cipher used for encrypting authentication files. */ #define SSH_AUTHFILE_CIPHER SSH_CIPHER_3DES @@ -112,5 +100,3 @@ /* Listen backlog for sshd, ssh-agent and forwarding sockets */ #define SSH_LISTEN_BACKLOG 128 - -#endif /* SSH_H */ diff --git a/sshconnect.c b/sshconnect.c index af75bba8d..71ca4ec52 100644 --- a/sshconnect.c +++ b/sshconnect.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.198 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.199 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -37,8 +37,10 @@ #include #include -#include "ssh.h" #include "xmalloc.h" +#include "key.h" +#include "hostfile.h" +#include "ssh.h" #include "rsa.h" #include "buffer.h" #include "packet.h" diff --git a/sshconnect.h b/sshconnect.h index 0b3896f9d..4e66bbffc 100644 --- a/sshconnect.h +++ b/sshconnect.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.h,v 1.22 2006/07/08 21:47:12 stevesk Exp $ */ +/* $OpenBSD: sshconnect.h,v 1.23 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -23,13 +23,6 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#ifndef SSHCONNECT_H -#define SSHCONNECT_H - -#include -#include - -#include typedef struct Sensitive Sensitive; struct Sensitive { @@ -74,5 +67,3 @@ int ssh_local_cmd(const char *); strerror(errno)); \ errno = save_errno; \ } while (0) - -#endif diff --git a/sshconnect1.c b/sshconnect1.c index f0eee3bdf..51f1f8088 100644 --- a/sshconnect1.c +++ b/sshconnect1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect1.c,v 1.68 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: sshconnect1.c,v 1.69 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -15,30 +15,36 @@ #include "includes.h" +#include +#include + #include #include #include #include #include +#include +#include +#include "xmalloc.h" #include "ssh.h" #include "ssh1.h" -#include "xmalloc.h" #include "rsa.h" #include "buffer.h" #include "packet.h" +#include "key.h" +#include "cipher.h" #include "kex.h" #include "uidswap.h" #include "log.h" #include "readconf.h" -#include "key.h" #include "authfd.h" #include "sshconnect.h" #include "authfile.h" #include "misc.h" -#include "cipher.h" #include "canohost.h" +#include "hostfile.h" #include "auth.h" /* Session id for the current session. */ diff --git a/sshconnect2.c b/sshconnect2.c index 27e5442e9..e58d078c4 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.159 2006/08/01 23:22:48 stevesk Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.160 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -26,24 +26,27 @@ #include "includes.h" #include +#include #include #include #include +#include +#include #include #include #include #include "openbsd-compat/sys-queue.h" +#include "xmalloc.h" #include "ssh.h" #include "ssh2.h" -#include "xmalloc.h" #include "buffer.h" #include "packet.h" #include "compat.h" -#include "bufaux.h" #include "cipher.h" +#include "key.h" #include "kex.h" #include "myproposal.h" #include "sshconnect.h" diff --git a/sshd.c b/sshd.c index 5cefd1024..52c21e500 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.342 2006/08/01 23:22:48 stevesk Exp $ */ +/* $OpenBSD: sshd.c,v 1.343 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -45,14 +45,15 @@ #include "includes.h" #include +#include +#include #ifdef HAVE_SYS_STAT_H # include #endif -#include -#include #ifdef HAVE_SYS_TIME_H # include #endif +#include "openbsd-compat/sys-tree.h" #include #include 
@@ -77,28 +78,28 @@ #include #endif +#include "xmalloc.h" #include "ssh.h" #include "ssh1.h" #include "ssh2.h" -#include "xmalloc.h" #include "rsa.h" #include "sshpty.h" #include "packet.h" #include "log.h" +#include "buffer.h" #include "servconf.h" #include "uidswap.h" #include "compat.h" -#include "buffer.h" -#include "bufaux.h" #include "cipher.h" -#include "kex.h" #include "key.h" +#include "kex.h" #include "dh.h" #include "myproposal.h" #include "authfile.h" #include "pathnames.h" #include "atomicio.h" #include "canohost.h" +#include "hostfile.h" #include "auth.h" #include "misc.h" #include "msg.h" @@ -107,6 +108,9 @@ #include "session.h" #include "monitor_mm.h" #include "monitor.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif #include "monitor_wrap.h" #include "monitor_fdpass.h" #include "version.h" diff --git a/sshlogin.c b/sshlogin.c index b01fde091..fba8a4d24 100644 --- a/sshlogin.c +++ b/sshlogin.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshlogin.c,v 1.24 2006/08/01 23:22:48 stevesk Exp $ */ +/* $OpenBSD: sshlogin.c,v 1.25 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -43,9 +43,11 @@ #include #include +#include #include #include +#include #include #include #include diff --git a/sshlogin.h b/sshlogin.h index c0f9cd300..500d3fefd 100644 --- a/sshlogin.h +++ b/sshlogin.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sshlogin.h,v 1.7 2006/07/08 21:47:12 stevesk Exp $ */ +/* $OpenBSD: sshlogin.h,v 1.8 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen @@ -11,11 +11,6 @@ * incompatible with the protocol description in the RFC file, it must be * called by a name other than "ssh" or "Secure Shell". */ -#ifndef SSHLOGIN_H -#define SSHLOGIN_H - -#include -#include void record_login(pid_t, const char *, const char *, uid_t, const char *, struct sockaddr *, socklen_t); 
@@ -26,5 +21,3 @@ time_t get_last_login_time(uid_t, const char *, char *, u_int); void record_utmp_only(pid_t, const char *, const char *, const char *, struct sockaddr *, socklen_t); #endif - -#endif diff --git a/sshpty.c b/sshpty.c index 719a79303..79c62ee9c 100644 --- a/sshpty.c +++ b/sshpty.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshpty.c,v 1.25 2006/07/22 20:48:23 stevesk Exp $ */ +/* $OpenBSD: sshpty.c,v 1.26 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -14,8 +14,8 @@ #include "includes.h" -#include #include +#include #include #include @@ -26,11 +26,12 @@ # include #endif #include +#include #include #include #ifdef HAVE_UTIL_H # include -#endif /* HAVE_UTIL_H */ +#endif #include #include "sshpty.h" diff --git a/sshpty.h b/sshpty.h index a7b337474..7fac622d9 100644 --- a/sshpty.h +++ b/sshpty.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sshpty.h,v 1.9 2006/07/06 16:03:53 stevesk Exp $ */ +/* $OpenBSD: sshpty.h,v 1.10 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen @@ -14,12 +14,6 @@ * called by a name other than "ssh" or "Secure Shell". */ -#ifndef SSHPTY_H -#define SSHPTY_H - -#include - -#include #include struct termios get_saved_tio(void); @@ -31,5 +25,3 @@ void pty_release(const char *); void pty_make_controlling_tty(int *, const char *); void pty_change_window_size(int, u_int, u_int, u_int, u_int); void pty_setowner(struct passwd *, const char *); - -#endif /* SSHPTY_H */ diff --git a/sshtty.c b/sshtty.c index 70668afde..04567669b 100644 --- a/sshtty.c +++ b/sshtty.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshtty.c,v 1.11 2006/08/01 23:22:48 stevesk Exp $ */ +/* $OpenBSD: sshtty.c,v 1.12 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -37,8 +37,10 @@ #include "includes.h" +#include #include #include +#include #include "sshpty.h" diff --git a/ttymodes.c b/ttymodes.c index 680909b22..d8e2c553a 100644 --- a/ttymodes.c +++ b/ttymodes.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ttymodes.c,v 1.25 2006/07/22 20:48:23 stevesk Exp $ */ +/* $OpenBSD: ttymodes.c,v 1.26 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -45,16 +45,18 @@ #include "includes.h" +#include + #include #include #include +#include #include "packet.h" #include "log.h" #include "ssh1.h" #include "compat.h" #include "buffer.h" -#include "bufaux.h" #define TTY_OP_END 0 /* diff --git a/uidswap.c b/uidswap.c index 878258704..91d878c30 100644 --- a/uidswap.c +++ b/uidswap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uidswap.c,v 1.34 2006/07/26 02:35:17 stevesk Exp $ */ +/* $OpenBSD: uidswap.c,v 1.35 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -14,13 +14,12 @@ #include "includes.h" -#include #include - #include #include #include #include +#include #include diff --git a/uidswap.h b/uidswap.h index 436c10f75..1c1163d75 100644 --- a/uidswap.h +++ b/uidswap.h @@ -1,4 +1,4 @@ -/* $OpenBSD: uidswap.h,v 1.12 2006/07/06 16:03:53 stevesk Exp $ */ +/* $OpenBSD: uidswap.h,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen @@ -12,16 +12,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -#ifndef UIDSWAP_H -#define UIDSWAP_H - -#include - -#include - void temporarily_use_uid(struct passwd *); void restore_uid(void); void permanently_set_uid(struct passwd *); void permanently_drop_suid(uid_t); - -#endif /* UIDSWAP_H */ diff --git a/uuencode.c b/uuencode.c index 8a6742e95..a13949585 100644 --- a/uuencode.c +++ b/uuencode.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uuencode.c,v 1.23 2006/08/01 23:22:48 stevesk Exp $ */ +/* $OpenBSD: uuencode.c,v 1.24 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -26,9 +26,7 @@ #include "includes.h" #include - #include - #include #include diff --git a/uuencode.h b/uuencode.h index df09eb59b..fec55b491 100644 --- a/uuencode.h 
+++ b/uuencode.h @@ -1,4 +1,4 @@ -/* $OpenBSD: uuencode.h,v 1.12 2006/08/01 23:22:48 stevesk Exp $ */ +/* $OpenBSD: uuencode.h,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -24,12 +24,6 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#ifndef UUENCODE_H -#define UUENCODE_H - -#include - int uuencode(const u_char *, u_int, char *, size_t); int uudecode(const char *, u_char *, size_t); void dump_base64(FILE *, u_char *, u_int); -#endif diff --git a/xmalloc.c b/xmalloc.c index 6aea495ef..9985b4cc2 100644 --- a/xmalloc.c +++ b/xmalloc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: xmalloc.c,v 1.26 2006/08/01 23:22:48 stevesk Exp $ */ +/* $OpenBSD: xmalloc.c,v 1.27 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -16,7 +16,6 @@ #include "includes.h" #include - #include #include #include diff --git a/xmalloc.h b/xmalloc.h index 27f25d584..fb217a45c 100644 --- a/xmalloc.h +++ b/xmalloc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: xmalloc.h,v 1.12 2006/03/25 22:22:43 djm Exp $ */ +/* $OpenBSD: xmalloc.h,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen @@ -16,9 +16,6 @@ * called by a name other than "ssh" or "Secure Shell". */ -#ifndef XMALLOC_H -#define XMALLOC_H - void *xmalloc(size_t); void *xcalloc(size_t, size_t); void *xrealloc(void *, size_t, size_t); @@ -27,5 +24,3 @@ char *xstrdup(const char *); int xasprintf(char **, const char *, ...) __attribute__((__format__ (printf, 2, 3))) __attribute__((__nonnull__ (2))); - -#endif /* XMALLOC_H */ -- cgit v1.2.3 From 565ca3f60058f22d083572930833aaff2292ac20 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Sat, 19 Aug 2006 00:23:15 +1000 Subject: - dtucker@cvs.openbsd.org 2006/08/14 12:40:25 [servconf.c servconf.h sshd_config.5] Add ability to match groups to Match keyword in sshd_config. Feedback djm@, stevesk@, ok stevesk@. --- ChangeLog | 6 +++++- servconf.c | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++++- servconf.h | 3 ++- sshd_config.5 | 3 ++- 4 files changed, 64 insertions(+), 4 deletions(-) (limited to 'servconf.h') diff --git a/ChangeLog b/ChangeLog index 674d2b9e3..328f0c116 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,10 @@ Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes) + - dtucker@cvs.openbsd.org 2006/08/14 12:40:25 + [servconf.c servconf.h sshd_config.5] + Add ability to match groups to Match keyword in sshd_config. Feedback + djm@, stevesk@, ok stevesk@. 20060817 - (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c] @@ -5235,4 +5239,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4488 2006/08/18 14:22:40 djm Exp $ +$Id: ChangeLog,v 1.4489 2006/08/18 14:23:15 djm Exp $ diff --git a/servconf.c b/servconf.c index 5884b95be..1f80de22d 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.164 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: servconf.c,v 1.165 2006/08/14 12:40:25 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -16,6 +16,7 @@ #include #include +#include #include #include #include @@ -37,6 +38,7 @@ #include "mac.h" #include "match.h" #include "channels.h" +#include "groupaccess.h" static void add_listen_addr(ServerOptions *, char *, u_short); static void add_one_listen_addr(ServerOptions *, char *, u_short); 
@@ -496,6 +498,51 @@ add_one_listen_addr(ServerOptions *options, char *addr, u_short port) * PermittedChannelRequests session,forwarded-tcpip */ +static int +match_cfg_line_group(const char *grps, int line, const char *user) +{ + int result = 0; + u_int ngrps = 0; + char *arg, *p, *cp, *grplist[MAX_MATCH_GROUPS]; + struct passwd *pw; + + /* + * Even if we do not have a user yet, we still need to check for + * valid syntax. + */ + arg = cp = xstrdup(grps); + while ((p = strsep(&cp, ",")) != NULL && *p != '\0') { + if (ngrps >= MAX_MATCH_GROUPS) { + error("line %d: too many groups in Match Group", line); + result = -1; + goto out; + } + grplist[ngrps++] = p; + } + + if (user == NULL) + goto out; + + if ((pw = getpwnam(user)) == NULL) { + debug("Can't match group at line %d because user %.100s does " + "not exist", line, user); + } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) { + debug("Can't Match group because user %.100s not in any group " + "at line %d", user, line); + } else if (ga_match(grplist, ngrps) != 1) { + debug("user %.100s does not match group %.100s at line %d", + user, arg, line); + } else { + debug("user %.100s matched group %.100s at line %d", user, + arg, line); + result = 1; + } +out: + ga_free(); + xfree(arg); + return result; +} + static int match_cfg_line(char **condition, int line, const char *user, const char *host, const char *address) @@ -527,6 +574,13 @@ match_cfg_line(char **condition, int line, const char *user, const char *host, else debug("user %.100s matched 'User %.100s' at " "line %d", user, arg, line); + } else if (strcasecmp(attrib, "group") == 0) { + switch (match_cfg_line_group(arg, line, user)) { + case -1: + return -1; + case 0: + result = 0; + } } else if (strcasecmp(attrib, "host") == 0) { if (!host) { result = 0; diff --git a/servconf.h b/servconf.h index 2593b1cd1..ad496f64b 100644 --- a/servconf.h +++ b/servconf.h 
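Review bot: The parsing loop in match_cfg_line_group() stops at the first empty token, so a list such as `staff,,admins` (constructed example) is cut to `staff` with no error and the remaining groups are never compared. Because a Match block usually carries restrictions, a silently shortened list means the block does not apply to members of the dropped groups. I would treat an empty entry as a syntax error, the same way the MAX_MATCH_GROUPS overflow is handled; this also rejects a trailing comma, so relax it if that should stay legal. Separately, `ga_free()` at `out:` is reached on paths where `ga_init()` was never called; groupaccess.c is not shown here, so confirm it tolerates that.

```c
	arg = cp = xstrdup(grps);
	while ((p = strsep(&cp, ",")) != NULL) {
		if (*p == '\0') {
			error("line %d: empty group name in Match Group", line);
			result = -1;
			goto out;
		}
		/* … unchanged: MAX_MATCH_GROUPS bound check and grplist append … */
	}
```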
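Review bot: The `switch` on match_cfg_line_group() in the `group` branch has no `break` after `result = 0;` and no arm for the matched case, so the reader has to infer that a return of 1 deliberately leaves `result` alone. Adding `break;` to the last arm and `case 1: /* matched: leave result unchanged */ break;` makes that explicit and keeps a later added arm from falling through. match_cfg_line() begins and ends outside this hunk.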
@@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.78 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: servconf.h,v 1.79 2006/08/14 12:40:25 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -25,6 +25,7 @@ #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */ #define MAX_HOSTKEYS 256 /* Max # hostkeys. */ #define MAX_ACCEPT_ENV 256 /* Max # of env vars. */ +#define MAX_MATCH_GROUPS 256 /* Max # of groups for Match. */ /* permit_root_login */ #define PERMIT_NOT_SET -1 diff --git a/sshd_config.5 b/sshd_config.5 index ff5457dff..3c20c1faa 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.68 2006/07/21 12:43:36 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.69 2006/08/14 12:40:25 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -488,6 +488,7 @@ The arguments to are one or more criteria-pattern pairs. The available criteria are .Cm User , +.Cm Group , .Cm Host , and .Cm Address . -- cgit v1.2.3 From 1629c07c0725fd5cc533c9664b8e8add27a81c69 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 19 Feb 2007 22:25:37 +1100 Subject: - dtucker@cvs.openbsd.org 2007/02/19 10:45:58 [monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5] Teach Match how handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@ --- ChangeLog | 8 +++++- monitor.c | 5 +++- monitor_wrap.c | 20 ++++++++++--- servconf.c | 88 +++++++++++++++++++++++++++++++++++++--------------------- servconf.h | 4 +-- sshd_config.5 | 10 ++++++- 6 files changed, 95 insertions(+), 40 deletions(-) (limited to 'servconf.h') diff --git a/ChangeLog b/ChangeLog index c2a22bd1a..ec16391eb 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -35,6 +35,12 @@ - stevesk@cvs.openbsd.org 2007/02/14 14:32:00 [bufbn.c] typos in comments; ok jmc@ + - dtucker@cvs.openbsd.org 2007/02/19 10:45:58 + [monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5] + Teach Match how handle config directives that are used before + authentication. This allows configurations such as permitting password + authentication from the local net only while requiring pubkey from + offsite. ok djm@, man page bits ok jmc@ 20070128 - (djm) [channels.c serverloop.c] Fix so-called "hang on exit" (bz #52) @@ -2730,4 +2736,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4616 2007/02/19 11:17:28 dtucker Exp $ +$Id: ChangeLog,v 1.4617 2007/02/19 11:25:37 dtucker Exp $ diff --git a/monitor.c b/monitor.c index 48ae46ccc..02f2dc869 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.89 2006/11/07 10:31:31 markus Exp $ */ +/* $OpenBSD: monitor.c,v 1.90 2007/02/19 10:45:58 dtucker Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -642,6 +642,9 @@ mm_answer_pwnamallow(int sock, Buffer *m) #endif buffer_put_cstring(m, pwent->pw_dir); buffer_put_cstring(m, pwent->pw_shell); + buffer_put_string(m, &options, sizeof(options)); + if (options.banner != NULL) + buffer_put_cstring(m, options.banner); out: debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); diff --git a/monitor_wrap.c b/monitor_wrap.c index 3865539df..27cc1c5f1 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.54 2006/08/12 20:46:46 miod Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.55 2007/02/19 10:45:58 dtucker Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -73,6 +73,7 @@ #include "channels.h" #include "session.h" +#include "servconf.h" /* Imports */ extern int compat20; 
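Review bot: `buffer_put_string(m, &options, sizeof(options))` in mm_answer_pwnamallow() writes the whole ServerOptions struct, pointer members and padding included, into the reply read by mm_getpwnamallow() in the pre-auth process, and only `banner` is re-sent as a string. The receiver in monitor_wrap.c and the `preauth` early return in copy_set_server_options() depend on that pairing: any string option later added above `if (preauth) return;` without a matching send here would install a monitor-side address in the receiver's `options`. I would state the contract at the send site, e.g. `/* raw copy: pointer members are not valid in the receiver; each string copied pre-auth must be sent explicitly below */`, or serialise only the fields the pre-auth copy reads. mm_answer_pwnamallow() begins and ends outside this hunk.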
@@ -207,7 +208,8 @@ mm_getpwnamallow(const char *username) { Buffer m; struct passwd *pw; - u_int pwlen; + u_int len; + ServerOptions *newopts; debug3("%s entering", __func__); @@ -223,8 +225,8 @@ mm_getpwnamallow(const char *username) buffer_free(&m); return (NULL); } - pw = buffer_get_string(&m, &pwlen); - if (pwlen != sizeof(struct passwd)) + pw = buffer_get_string(&m, &len); + if (len != sizeof(struct passwd)) fatal("%s: struct passwd size mismatch", __func__); pw->pw_name = buffer_get_string(&m, NULL); pw->pw_passwd = buffer_get_string(&m, NULL); @@ -234,6 +236,16 @@ mm_getpwnamallow(const char *username) #endif pw->pw_dir = buffer_get_string(&m, NULL); pw->pw_shell = buffer_get_string(&m, NULL); + + /* copy options block as a Match directive may have changed some */ + newopts = buffer_get_string(&m, &len); + if (len != sizeof(*newopts)) + fatal("%s: option block size mismatch", __func__); + if (newopts->banner != NULL) + newopts->banner = buffer_get_string(&m, NULL); + copy_set_server_options(&options, newopts, 1); + xfree(newopts); + buffer_free(&m); return (pw); diff --git a/servconf.c b/servconf.c index 872ff4a87..86949c33f 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.167 2006/12/14 10:01:14 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.168 2007/02/19 10:45:58 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
@@ -325,14 +325,14 @@ static struct { { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, { "loglevel", sLogLevel, SSHCFG_GLOBAL }, { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, - { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL }, - { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_GLOBAL }, + { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL }, + { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL }, - { "rsaauthentication", sRSAAuthentication, SSHCFG_GLOBAL }, - { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, + { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, + { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ #ifdef KRB5 - { "kerberosauthentication", sKerberosAuthentication, SSHCFG_GLOBAL }, + { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL }, { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL }, { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL }, #ifdef USE_AFS @@ -341,7 +341,7 @@ static struct { { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif #else - { "kerberosauthentication", sUnsupported, SSHCFG_GLOBAL }, + { "kerberosauthentication", sUnsupported, SSHCFG_ALL }, { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL }, { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, 
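Review bot: The aliases are left behind by the switch to SSHCFG_ALL: `dsaauthentication` stays SSHCFG_GLOBAL in this hunk while `pubkeyauthentication` becomes SSHCFG_ALL, and `skeyauthentication` does the same against `challengeresponseauthentication` in the @@ -349,15 +349,15 @@ hunk. Both aliases map to the same opcode as the keyword they shadow, so presumably a Match block accepts one spelling and rejects the other. If that is intended, a short comment on the alias rows would say so; otherwise change them to `SSHCFG_ALL` as well. The sshd_config.5 hunk also lists `KeyboardInteractiveAuthentication`, which does not correspond to the `kbdinteractiveauthentication` row here, and omits PubkeyAuthentication and HostbasedAuthentication.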
@@ -349,15 +349,15 @@ static struct { { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, #ifdef GSSAPI - { "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL }, + { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, #else - { "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL }, + { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, #endif - { "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL }, - { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL }, - { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, + { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, + { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, + { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_ALL }, { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ { "checkmail", sDeprecated, SSHCFG_GLOBAL }, { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, @@ -389,7 +389,7 @@ static struct { { "subsystem", sSubsystem, SSHCFG_GLOBAL }, { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL }, - { "banner", sBanner, SSHCFG_GLOBAL }, + { "banner", sBanner, SSHCFG_ALL }, { "usedns", sUseDNS, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, 
@@ -1317,30 +1317,56 @@ parse_server_match_config(ServerOptions *options, const char *user, initialize_server_options(&mo); parse_server_config(&mo, "reprocess config", &cfg, user, host, address); - copy_set_server_options(options, &mo); + copy_set_server_options(options, &mo, 0); } -/* Copy any (supported) values that are set */ +/* Helper macros */ +#define M_CP_INTOPT(n) do {\ + if (src->n != -1) \ + dst->n = src->n; \ +} while (0) +#define M_CP_STROPT(n) do {\ + if (src->n != NULL) { \ + if (dst->n != NULL) \ + xfree(dst->n); \ + dst->n = src->n; \ + } \ +} while(0) + +/* + * Copy any supported values that are set. + * + * If the preauth flag is set, we do not bother copying the the string or + * array values that are not used pre-authentication, because any that we + * do use must be explictly sent in mm_getpwnamallow(). + */ void -copy_set_server_options(ServerOptions *dst, ServerOptions *src) +copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) { - if (src->allow_tcp_forwarding != -1) - dst->allow_tcp_forwarding = src->allow_tcp_forwarding; - if (src->gateway_ports != -1) - dst->gateway_ports = src->gateway_ports; - if (src->adm_forced_command != NULL) { - if (dst->adm_forced_command != NULL) - xfree(dst->adm_forced_command); - dst->adm_forced_command = src->adm_forced_command; - } - if (src->x11_display_offset != -1) - dst->x11_display_offset = src->x11_display_offset; - if (src->x11_forwarding != -1) - dst->x11_forwarding = src->x11_forwarding; - if (src->x11_use_localhost != -1) - dst->x11_use_localhost = src->x11_use_localhost; + M_CP_INTOPT(password_authentication); + M_CP_INTOPT(gss_authentication); + M_CP_INTOPT(rsa_authentication); + M_CP_INTOPT(pubkey_authentication); + M_CP_INTOPT(kerberos_authentication); + M_CP_INTOPT(hostbased_authentication); + M_CP_INTOPT(kbd_interactive_authentication); + M_CP_INTOPT(challenge_response_authentication); + + M_CP_INTOPT(allow_tcp_forwarding); + M_CP_INTOPT(gateway_ports); + 
M_CP_INTOPT(x11_display_offset); + M_CP_INTOPT(x11_forwarding); + M_CP_INTOPT(x11_use_localhost); + + M_CP_STROPT(banner); + if (preauth) + return; + M_CP_STROPT(adm_forced_command); } +#undef M_CP_INTOPT +#undef M_CP_STROPT + void parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, const char *user, const char *host, const char *address) diff --git a/servconf.h b/servconf.h index ad496f64b..8a5b950ea 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.79 2006/08/14 12:40:25 dtucker Exp $ */ +/* $OpenBSD: servconf.h,v 1.80 2007/02/19 10:45:58 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -152,6 +152,6 @@ void parse_server_config(ServerOptions *, const char *, Buffer *, const char *, const char *, const char *); void parse_server_match_config(ServerOptions *, const char *, const char *, const char *); -void copy_set_server_options(ServerOptions *, ServerOptions *); +void copy_set_server_options(ServerOptions *, ServerOptions *, int); #endif /* SERVCONF_H */ diff --git a/sshd_config.5 b/sshd_config.5 index 53207fd84..54231d562 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.71 2007/01/02 09:57:25 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.72 2007/02/19 10:45:58 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -512,9 +512,17 @@ Only a subset of keywords may be used on the lines following a keyword. Available keywords are .Cm AllowTcpForwarding , +.Cm Banner , +.Cm ChallengeResponseAuthentication , .Cm ForceCommand , .Cm GatewayPorts , +.Cm GSSApiAuthentication , +.Cm KerberosAuthentication , +.Cm KeyboardInteractiveAuthentication , +.Cm PasswordAuthentication , .Cm PermitOpen , +.Cm RhostsRSAAuthentication , +.Cm RSAAuthentication , .Cm X11DisplayOffset , .Cm X11Forwarding , and -- cgit v1.2.3
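Review bot: `M_CP_STROPT` moves the pointer (`dst->n = src->n`) rather than duplicating the string, and the new block comment above copy_set_server_options() does not say that `dst` takes ownership. A caller that later frees the strings in `src`, or passes a `src` whose member already equals `dst`'s, would leave `options` holding a freed pointer; neither is done by the callers visible in this patch. I would add a line such as `String values are moved, not copied: src must not free them afterwards.` to that comment, and fix its typos `the the` and `explictly`.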