From d558092522153caa627e33e4a76c6f64332bc609 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 14 May 2003 13:40:06 +1000 Subject: - (djm) RCSID sync w/ OpenBSD --- ssh-keygen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'ssh-keygen.c') diff --git a/ssh-keygen.c b/ssh-keygen.c index a264f099f..4bd79af6a 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.102 2002/11/26 00:45:03 wcobb Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.103 2003/04/08 20:21:29 itojun Exp $"); #include #include -- cgit v1.2.3 From db2747259c1a433a504085f733768d0d209eb50d Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 14 May 2003 13:45:22 +1000 Subject: - markus@cvs.openbsd.org 2003/05/11 16:56:48 [authfile.c ssh-keygen.c] change key_load_public to try to read a public from: rsa1 private or rsa1 public and ssh2 keys. this makes ssh-keygen -e fail for ssh1 keys more gracefully for example; report from itojun (netbsd pr 20550). --- ChangeLog | 8 +++++++- authfile.c | 11 ++++++++++- ssh-keygen.c | 6 +++++- 3 files changed, 22 insertions(+), 3 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index 600311ba5..3f6e36681 100644 --- a/ChangeLog +++ b/ChangeLog @@ -36,6 +36,12 @@ [sshd.8] fix invalid .Pf macro usage introduced in previous commit ok jmc@ mouring@ + - markus@cvs.openbsd.org 2003/05/11 16:56:48 + [authfile.c ssh-keygen.c] + change key_load_public to try to read a public from: + rsa1 private or rsa1 public and ssh2 keys. + this makes ssh-keygen -e fail for ssh1 keys more gracefully + for example; report from itojun (netbsd pr 20550). 20030512 - (djm) Redhat spec: Don't install profile.d scripts when not @@ -1423,4 +1429,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2686 2003/05/14 03:44:58 djm Exp $ +$Id: ChangeLog,v 1.2687 2003/05/14 03:45:22 djm Exp $ 
diff --git a/authfile.c b/authfile.c index 90618efde..d563abb71 100644 --- a/authfile.c +++ b/authfile.c @@ -36,7 +36,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfile.c,v 1.52 2003/03/13 11:42:18 markus Exp $"); +RCSID("$OpenBSD: authfile.c,v 1.53 2003/05/11 16:56:48 markus Exp $"); #include #include @@ -629,9 +629,18 @@ key_load_public(const char *filename, char **commentp) Key *pub; char file[MAXPATHLEN]; + /* try rsa1 private key */ pub = key_load_public_type(KEY_RSA1, filename, commentp); if (pub != NULL) return pub; + + /* try rsa1 public key */ + pub = key_new(KEY_RSA1); + if (key_try_load_public(pub, filename, commentp) == 1) + return pub; + key_free(pub); + + /* try ssh2 public key */ pub = key_new(KEY_UNSPEC); if (key_try_load_public(pub, filename, commentp) == 1) return pub; diff --git a/ssh-keygen.c b/ssh-keygen.c index 4bd79af6a..1d08c7cec 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.103 2003/04/08 20:21:29 itojun Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.104 2003/05/11 16:56:48 markus Exp $"); #include #include @@ -163,6 +163,10 @@ do_convert_to_ssh2(struct passwd *pw) exit(1); } } + if (k->type == KEY_RSA1) { + fprintf(stderr, "version 1 keys are not supported\n"); + exit(1); + } if (key_to_blob(k, &blob, &len) <= 0) { fprintf(stderr, "key_to_blob failed\n"); exit(1); -- cgit v1.2.3 From 37876e913a069036501086a247ed2ea430cea206 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Thu, 15 May 2003 10:19:46 +1000 Subject: - jakob@cvs.openbsd.org 2003/05/14 18:16:20 [key.c key.h readconf.c readconf.h ssh_config.5 sshconnect.c] [dns.c dns.h README.dns ssh-keygen.1 ssh-keygen.c] add experimental support for verifying hos keys using DNS as described in draft-ietf-secsh-dns-xx.txt. more information in README.dns. ok markus@ and henning@ --- ChangeLog | 8 +- Makefile.in | 8 +- README.dns | 55 +++++++++++ dns.c | 293 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ dns.h | 57 ++++++++++++ key.c | 4 +- key.h | 3 +- readconf.c | 12 ++- readconf.h | 3 +- ssh-keygen.1 | 11 ++- ssh-keygen.c | 55 ++++++++++- ssh_config.5 | 7 +- sshconnect.c | 23 ++++- 13 files changed, 523 insertions(+), 16 deletions(-) create mode 100644 README.dns create mode 100644 dns.c create mode 100644 dns.h (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index 8ad7108a6..8feae8b23 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,12 @@ [ssh-agent.1] setup -> set up; from wiz@netbsd + - jakob@cvs.openbsd.org 2003/05/14 18:16:20 + [key.c key.h readconf.c readconf.h ssh_config.5 sshconnect.c] + [dns.c dns.h README.dns ssh-keygen.1 ssh-keygen.c] + add experimental support for verifying hos keys using DNS as described + in draft-ietf-secsh-dns-xx.txt. more information in README.dns. + ok markus@ and henning@ 20030514 - (djm) Bug #117: Don't lie to PAM about username @@ -1479,4 +1485,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2701 2003/05/15 00:16:21 djm Exp $ +$Id: ChangeLog,v 1.2702 2003/05/15 00:19:46 djm Exp $ diff --git a/Makefile.in b/Makefile.in index ba898db40..f25fe0ae5 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.232 2003/05/14 04:31:11 djm Exp $ +# $Id: Makefile.in,v 1.233 2003/05/15 00:19:46 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
@@ -62,11 +62,11 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \ cipher.o compat.o compress.o crc32.o deattack.o fatal.o \ - hostfile.o log.o match.o mpaux.o nchan.o packet.o radix.o readpass.o \ - rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \ + hostfile.o log.o match.o mpaux.o nchan.o packet.o radix.o \ + readpass.o rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \ key.o dispatch.o kex.o mac.o uuencode.o misc.o \ rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \ - kexdhc.o kexgexc.o scard.o msg.o progressmeter.o \ + kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \ entropy.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ diff --git a/README.dns b/README.dns new file mode 100644 index 000000000..d6889b9a5 --- /dev/null +++ b/README.dns 
@@ -0,0 +1,55 @@ +How to verify host keys using OpenSSH and DNS +--------------------------------------------- + +OpenSSH contains experimental support for verifying host keys using DNS +as described in draft-ietf-secsh-dns-xx.txt. The document contains +very brief instructions on how to test this feature. Configuring DNS +and DNSSEC is out of the scope of this document. + + +(1) Enable DNS fingerprint support in OpenSSH + +Edit /usr/src/usr.bin/ssh/Makefile.inc and uncomment the line containing + + CFLAGS+= -DDNS + + +(2) Generate and publish the DNS RR + +To create a DNS resource record (RR) containing a fingerprint of the +public host key, use the following command: + + ssh-keygen -r hostname -f keyfile -g + +where "hostname" is your fully qualified hostname and "keyfile" is the +file containing the public host key file. If you have multiple keys, +you should generate one RR for each key. + +In the example above, ssh-keygen will print the fingerprint in a +generic DNS RR format parsable by most modern name server +implementations. If your nameserver has support for the SSHFP RR, as +defined by the draft, you can omit the -g flag and ssh-keygen will +print a standard RR. + +To publish the fingerprint using the DNS you must add the generated RR +to your DNS zone file and sign your zone. + + +(3) Enable the ssh client to verify host keys using DNS + +To enable the ssh client to verify host keys using DNS, you have to +add the following option to the ssh configuration file +($HOME/.ssh/config or /etc/ssh/ssh_config): + + VerifyHostKeyDNS yes + +Upon connection the client will try to look up the fingerprint RR +using DNS. If the fingerprint received from the DNS server matches +the remote host key, the user will be notified. + + + Jakob Schlyter + Wesley Griffin + + +$OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $ diff --git a/dns.c b/dns.c new file mode 100644 index 000000000..9b7a0e7a0 --- /dev/null +++ b/dns.c 
@@ -0,0 +1,293 @@ +/* $OpenBSD: dns.c,v 1.4 2003/05/14 23:29:22 jakob Exp $ */ + +/* + * Copyright (c) 2003 Wesley Griffin. All rights reserved. + * Copyright (c) 2003 Jakob Schlyter. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + + +#include "includes.h" + +#ifdef DNS +#include +#ifdef LWRES +#include +#include +#else /* LWRES */ +#include +#endif /* LWRES */ + +#include "xmalloc.h" +#include "key.h" +#include "dns.h" +#include "log.h" +#include "uuencode.h" + +extern char *__progname; +RCSID("$OpenBSD: dns.c,v 1.4 2003/05/14 23:29:22 jakob Exp $"); + +#ifndef LWRES +static const char *errset_text[] = { + "success", /* 0 ERRSET_SUCCESS */ + "out of memory", /* 1 ERRSET_NOMEMORY */ + "general failure", /* 2 ERRSET_FAIL */ + "invalid parameter", /* 3 ERRSET_INVAL */ + "name does not exist", /* 4 ERRSET_NONAME */ + "data does not exist", /* 5 ERRSET_NODATA */ +}; + +static const char * +dns_result_totext(unsigned int error) +{ + switch (error) { + case ERRSET_SUCCESS: + return errset_text[ERRSET_SUCCESS]; + case ERRSET_NOMEMORY: + return errset_text[ERRSET_NOMEMORY]; + case ERRSET_FAIL: + return errset_text[ERRSET_FAIL]; + case ERRSET_INVAL: + return errset_text[ERRSET_INVAL]; + case ERRSET_NONAME: + return errset_text[ERRSET_NONAME]; + case ERRSET_NODATA: + return errset_text[ERRSET_NODATA]; + default: + return "unknown error"; + } +} +#endif /* LWRES */ + + +/* + * Read SSHFP parameters from key buffer. + */ +static int +dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type, + u_char **digest, u_int *digest_len, Key *key) +{ + int success = 0; + + switch (key->type) { + case KEY_RSA: + *algorithm = SSHFP_KEY_RSA; + break; + case KEY_DSA: + *algorithm = SSHFP_KEY_DSA; + break; + default: + *algorithm = SSHFP_KEY_RESERVED; + } + + if (*algorithm) { + *digest_type = SSHFP_HASH_SHA1; + *digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len); + success = 1; + } else { + *digest_type = SSHFP_HASH_RESERVED; + *digest = NULL; + *digest_len = 0; + success = 0; + } + + return success; +} + +/* + * Read SSHFP parameters from rdata buffer. 
+ */
+static int
+dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type,
+ u_char **digest, u_int *digest_len, u_char *rdata, int rdata_len)
+{
+ int success = 0;
+
+ *algorithm = SSHFP_KEY_RESERVED;
+ *digest_type = SSHFP_HASH_RESERVED;
+
+ if (rdata_len >= 2) {
+ *algorithm = rdata[0];
+ *digest_type = rdata[1];
+ *digest_len = rdata_len - 2;
+
+ if (*digest_len > 0) {
+ *digest = (u_char *) xmalloc(*digest_len);
+ memcpy(*digest, rdata + 2, *digest_len);
+ } else {
+ *digest = NULL;
+ }
+
+ success = 1;
+ }
+
+ return success;
+}
+
+
+/*
+ * Verify the given hostname, address and host key using DNS.
+ * Returns 0 if key verifies or -1 if key does NOT verify
+ */
+int
+verify_host_key_dns(const char *hostname, struct sockaddr *address,
+ Key *hostkey)
+{
+ int counter;
+ int result;
+ struct rrsetinfo *fingerprints = NULL;
+ int failures = 0;
+
+ u_int8_t hostkey_algorithm;
+ u_int8_t hostkey_digest_type;
+ u_char *hostkey_digest;
+ u_int hostkey_digest_len;
+
+ u_int8_t dnskey_algorithm;
+ u_int8_t dnskey_digest_type;
+ u_char *dnskey_digest;
+ u_int dnskey_digest_len;
+
+
+ debug3("verify_hostkey_dns");
+ if (hostkey == NULL)
+ fatal("No key to look up!");
+
+ result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
+ DNS_RDATATYPE_SSHFP, 0, &fingerprints);
+ if (result) {
+ verbose("DNS lookup error: %s", dns_result_totext(result));
+ return DNS_VERIFY_ERROR;
+ }
+
+#ifdef DNSSEC
+ /* Only accept validated answers */
+ if (!fingerprints->rri_flags & RRSET_VALIDATED) {
+ error("Ignored unvalidated fingerprint from DNS.");
+ return DNS_VERIFY_ERROR;
+ }
+#endif
+
+ debug("found %d fingerprints in DNS", fingerprints->rri_nrdatas);
+
+ /* Initialize host key parameters */
+ if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type,
+ &hostkey_digest, &hostkey_digest_len, hostkey)) {
+ error("Error calculating host key fingerprint.");
+ return DNS_VERIFY_ERROR;
+ }
+
+ for (counter = 0 ; counter < fingerprints->rri_nrdatas ; counter++) {
+ /*
+ * Extract the key
from the answer. Ignore any badly
+ * formatted fingerprints.
+ */
+ if (!dns_read_rdata(&dnskey_algorithm, &dnskey_digest_type,
+ &dnskey_digest, &dnskey_digest_len,
+ fingerprints->rri_rdatas[counter].rdi_data,
+ fingerprints->rri_rdatas[counter].rdi_length)) {
+ verbose("Error parsing fingerprint from DNS.");
+ continue;
+ }
+
+ /* Check if the current key is the same as the given key */
+ if (hostkey_algorithm == dnskey_algorithm &&
+ hostkey_digest_type == dnskey_digest_type) {
+
+ if (hostkey_digest_len == dnskey_digest_len &&
+ memcmp(hostkey_digest, dnskey_digest,
+ hostkey_digest_len) == 0) {
+
+ /* Matching algoritm and digest. */
+ freerrset(fingerprints);
+#ifdef DNSSEC
+ debug("matching host key fingerprint found in DNS");
+ return DNS_VERIFY_OK;
+#else
+ logit("Matching host key fingerprint found in DNS.");
+ return DNS_VERIFY_ERROR;
+#endif
+ } else {
+ /* Correct algorithm but bad digest */
+ debug("verify_hostkey_dns: failed");
+ failures++;
+ }
+ }
+ }
+
+ freerrset(fingerprints);
+
+ if (failures) {
+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
@");
+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
+ error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
+ error("It is also possible that the %s host key has just been changed.",
+ key_type(hostkey));
+ error("Please contact your system administrator.");
+ return DNS_VERIFY_FAILED;
+ }
+
+ debug("fingerprints found in DNS, but none of them matched");
+
+ return DNS_VERIFY_ERROR;
+}
+
+
+/*
+ * Export the fingerprint of a key as a DNS resource record
+ */
+int
+export_dns_rr(const char *hostname, Key *key, FILE *f, int generic)
+{
+ u_int8_t rdata_pubkey_algorithm = 0;
+ u_int8_t rdata_digest_type = SSHFP_HASH_SHA1;
+ u_char *rdata_digest;
+ u_int rdata_digest_len;
+
+ int i;
+ int success = 0;
+
+ if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
+ &rdata_digest, &rdata_digest_len, key)) {
+
+ if (generic)
+ fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname,
+ DNS_RDATATYPE_SSHFP, 2 + rdata_digest_len,
+ rdata_pubkey_algorithm, rdata_digest_type);
+ else
+ fprintf(f, "%s IN SSHFP %d %d ", hostname,
+ rdata_pubkey_algorithm, rdata_digest_type);
+
+ for (i = 0; i < rdata_digest_len; i++)
+ fprintf(f, "%02x", rdata_digest[i]);
+ fprintf(f, "\n");
+ success = 1;
+ } else {
+ error("dns_export_rr: unsupported algorithm");
+ }
+
+ return success;
+}
+
+#endif /* DNS */
diff --git a/dns.h b/dns.h new file mode 100644
index 000000000..ba0ea9fb4
--- /dev/null
+++ b/dns.h
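Review bot: `if (!fingerprints->rri_flags & RRSET_VALIDATED)` in verify_host_key_dns binds `!` before `&`, so the DNSSEC gate evaluates `(!rri_flags) & RRSET_VALIDATED` instead of testing the validated bit; it should read `if (!(fingerprints->rri_flags & RRSET_VALIDATED))`. The fingerprint buffers are never released: `dnskey_digest` is xmalloc'd by dns_read_rdata on every loop iteration and dropped at `continue`, at the match and at the next iteration, the dns_read_key failure path returns without `freerrset(fingerprints)`, and `hostkey_digest` and `rdata_digest` (produced by key_fingerprint_raw, whose allocation behaviour is not on this page) are likewise never freed. In the non-DNSSEC build the outcomes are asymmetric: a matching record is deliberately downgraded to DNS_VERIFY_ERROR, but a mismatch still reaches the `failures` block, prints the host-identification-changed banner and returns DNS_VERIFY_FAILED, so an unvalidated answer cannot vouch for a key yet can veto the connection; returning DNS_VERIFY_ERROR there too unless the answer was validated would keep the two paths consistent.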
@@ -0,0 +1,57 @@ +/* $OpenBSD: dns.h,v 1.3 2003/05/14 22:56:51 jakob Exp $ */ + +/* + * Copyright (c) 2003 Wesley Griffin. All rights reserved. + * Copyright (c) 2003 Jakob Schlyter. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + + +#include "includes.h" + +#ifdef DNS +#ifndef DNS_H +#define DNS_H + +enum sshfp_types { + SSHFP_KEY_RESERVED, + SSHFP_KEY_RSA, + SSHFP_KEY_DSA +}; + +enum sshfp_hashes { + SSHFP_HASH_RESERVED, + SSHFP_HASH_SHA1 +}; + +#define DNS_RDATACLASS_IN 1 +#define DNS_RDATATYPE_SSHFP 44 + +#define DNS_VERIFY_FAILED -1 +#define DNS_VERIFY_OK 0 +#define DNS_VERIFY_ERROR 1 + +int verify_host_key_dns(const char *, struct sockaddr *, Key *); +int export_dns_rr(const char *, Key *, FILE *, int); + +#endif /* DNS_H */ +#endif /* DNS */ 
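Review bot: The two prototypes at the end use `Key`, `struct sockaddr` and `FILE`, but the header includes only includes.h, so it is not self-contained and compiles only if the including file has already pulled in key.h. Adding `#include "key.h"` beside the includes.h line, or a forward declaration of the types the prototypes need, would remove that include-order dependency. Nesting the DNS_H guard inside `#ifdef DNS` matches the callers on this page, which guard every call the same way, but a one-line comment on that `#ifdef DNS` saying the whole interface disappears without it would help the next reader.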
diff --git a/key.c b/key.c index 060b63745..d918cfd0a 100644 --- a/key.c +++ b/key.c @@ -32,7 +32,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: key.c,v 1.51 2003/02/12 09:33:04 markus Exp $"); +RCSID("$OpenBSD: key.c,v 1.52 2003/05/14 18:16:20 jakob Exp $"); #include @@ -169,7 +169,7 @@ key_equal(Key *a, Key *b) return 0; } -static u_char * +u_char* key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length) { const EVP_MD *md = NULL; diff --git a/key.h b/key.h index 725c7a04a..a7b6afe86 100644 --- a/key.h +++ b/key.h @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.20 2003/02/12 09:33:04 markus Exp $ */ +/* $OpenBSD: key.h,v 1.21 2003/05/14 18:16:20 jakob Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -61,6 +61,7 @@ void key_free(Key *); Key *key_demote(Key *); int key_equal(Key *, Key *); char *key_fingerprint(Key *, enum fp_type, enum fp_rep); +u_char *key_fingerprint_raw(Key *, enum fp_type, u_int *); char *key_type(Key *); int key_write(Key *, FILE *); int key_read(Key *, char **); diff --git a/readconf.c b/readconf.c index acdf128f6..c9c463b29 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.106 2003/04/09 12:00:37 djm Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.107 2003/05/14 18:16:20 jakob Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -114,7 +114,7 @@ typedef enum { oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, oClearAllForwardings, oNoHostAuthenticationForLocalhost, - oEnableSSHKeysign, oRekeyLimit, + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oDeprecated } OpCodes; 
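Review bot: The new return type in key.c is written `u_char*`, star attached to the type, while the prototype added to key.h in the same commit and the neighbouring declarations visible in that hunk write `u_char *`; prefer `u_char *` for consistency. Dropping `static` also exports an ownership contract — callers such as dns.c now need to know whether the returned digest is theirs to free — and the function body is outside the hunk, so the key.h prototype deserves a comment stating who owns the buffer of `*dgst_raw_length` bytes it returns.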
@@ -187,6 +187,7 @@ static struct { { "smartcarddevice", oSmartcardDevice }, { "clearallforwardings", oClearAllForwardings }, { "enablesshkeysign", oEnableSSHKeysign }, + { "verifyhostkeydns", oVerifyHostKeyDNS }, { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost }, { "rekeylimit", oRekeyLimit }, { NULL, oBadOption } @@ -392,6 +393,10 @@ parse_flag: intptr = &options->check_host_ip; goto parse_flag; + case oVerifyHostKeyDNS: + intptr = &options->verify_host_key_dns; + goto parse_flag; + case oStrictHostKeyChecking: intptr = &options->strict_host_key_checking; arg = strdelim(&s); @@ -829,6 +834,7 @@ initialize_options(Options * options) options->enable_ssh_keysign = - 1; options->no_host_authentication_for_localhost = - 1; options->rekey_limit = - 1; + options->verify_host_key_dns = -1; } /* @@ -947,6 +953,8 @@ fill_default_options(Options * options) options->enable_ssh_keysign = 0; if (options->rekey_limit == -1) options->rekey_limit = 0; + if (options->verify_host_key_dns == -1) + options->verify_host_key_dns = 0; /* options->proxy_command should not be set by default */ /* options->user will be set in the main program if appropriate */ /* options->hostname will be set in the main program if appropriate */ diff --git a/readconf.h b/readconf.h index d35472117..d141b8c00 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.47 2003/04/02 09:48:07 markus Exp $ */ +/* $OpenBSD: readconf.h,v 1.48 2003/05/14 18:16:20 jakob Exp $ */ /* * Author: Tatu Ylonen @@ -86,6 +86,7 @@ typedef struct { char *preferred_authentications; char *bind_address; /* local socket address for connection to sshd */ char *smartcard_device; /* Smartcard reader device */ + int verify_host_key_dns; /* Verify host key using DNS */ int num_identity_files; /* Number of files for RSA/DSA identities. */ char *identity_files[SSH_MAX_IDENTITY_FILES]; diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 000e8ff2a..613d71a07 100644 --- a/ssh-keygen.1 
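Review bot: `VerifyHostKeyDNS` is parsed through parse_flag unconditionally in the `case oVerifyHostKeyDNS:` hunk, but the only consumer on this page (sshconnect.c) is wrapped in `#ifdef DNS`, so a client built without DNS support accepts `VerifyHostKeyDNS yes` and silently does nothing with it. A user who set it after reading ssh_config.5 would believe host keys are being checked against DNS; consider warning when the option is enabled in such a build, e.g. in fill_default_options: `#ifndef DNS` / `if (options->verify_host_key_dns == 1) logit("VerifyHostKeyDNS set but DNS support is not compiled in");` / `#endif`.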
+++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.56 2003/03/28 10:11:43 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.57 2003/05/14 18:16:20 jakob Exp $ .\" .\" -*- nroff -*- .\" @@ -83,6 +83,10 @@ .Nm ssh-keygen .Fl U Ar reader .Op Fl f Ar input_keyfile +.Nm ssh-keygen +.Fl r Ar hostname +.Op Fl f Ar input_keyfile +.Op Fl g .Sh DESCRIPTION .Nm generates, manages and converts authentication keys for @@ -163,6 +167,8 @@ print the key in a to stdout. This option allows exporting keys for use by several commercial SSH implementations. +.It Fl g +Use generic DNS resource record format. .It Fl f Ar filename Specifies the filename of the key file. .It Fl i @@ -218,6 +224,9 @@ Provides the (old) passphrase. .It Fl U Ar reader Upload an existing RSA private key into the smartcard in .Ar reader . +.It Fl r Ar hostname +Print DNS resource record with the specified +.Ar hostname . .El .Sh FILES .Bl -tag -width Ds diff --git a/ssh-keygen.c b/ssh-keygen.c index 1d08c7cec..f3ea4f1fd 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.104 2003/05/11 16:56:48 markus Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.105 2003/05/14 18:16:20 jakob Exp $"); #include #include @@ -70,6 +70,7 @@ char *identity_comment = NULL; int convert_to_ssh2 = 0; int convert_from_ssh2 = 0; int print_public = 0; +int print_generic = 0; char *key_type_name = NULL; 
@@ -620,6 +621,38 @@ do_change_passphrase(struct passwd *pw)
 exit(0);
 }
+#ifdef DNS
+/*
+ * Print the SSHFP RR.
+ */
+static void
+do_print_resource_record(struct passwd *pw, char *hostname)
+{
+ Key *public;
+ char *comment = NULL;
+ struct stat st;
+
+ if (!have_identity)
+ ask_filename(pw, "Enter file in which the key is");
+ if (stat(identity_file, &st) < 0) {
+ perror(identity_file);
+ exit(1);
+ }
+ public = key_load_public(identity_file, &comment);
+ if (public != NULL) {
+ export_dns_rr(hostname, public, stdout, print_generic);
+ key_free(public);
+ xfree(comment);
+ exit(0);
+ }
+ if (comment)
+ xfree(comment);
+
+ printf("failed to read v2 public key from %s.\n", identity_file);
+ exit(1);
+}
+#endif /* DNS */
+
+ /*
+ * Change the comment of a private key file.
+ */
@@ -726,6 +759,7 @@ usage(void)
 fprintf(stderr, " -c Change comment in private and public key files.\n");
 fprintf(stderr, " -e Convert OpenSSH to IETF SECSH key file.\n");
 fprintf(stderr, " -f filename Filename of the key file.\n");
+ fprintf(stderr, " -g Use generic DNS resource record format.\n");
 fprintf(stderr, " -i Convert IETF SECSH to OpenSSH key file.\n");
 fprintf(stderr, " -l Show fingerprint of key file.\n");
 fprintf(stderr, " -p Change passphrase of private key file.\n");
@@ -736,6 +770,9 @@ usage(void)
 fprintf(stderr, " -C comment Provide new comment.\n");
 fprintf(stderr, " -N phrase Provide new passphrase.\n");
 fprintf(stderr, " -P phrase Provide old passphrase.\n");
+#ifdef DNS
+ fprintf(stderr, " -r hostname Print DNS resource record.\n");
+#endif /* DNS */
 #ifdef SMARTCARD
 fprintf(stderr, " -D reader Download public key from smartcard.\n");
 fprintf(stderr, " -U reader Upload private key to smartcard.\n");
@@ -752,6 +789,7 @@ main(int ac, char **av)
 {
 char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2;
 char *reader_id = NULL;
+ char *resource_record_hostname = NULL;
 Key *private, *public;
 struct passwd *pw;
 struct stat st;
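Review bot: do_print_resource_record discards the return value of export_dns_rr, so for a key that dns_read_key rejects (dns.c on this page maps anything but KEY_RSA and KEY_DSA to SSHFP_KEY_RESERVED) the tool logs "unsupported algorithm" yet still reaches `exit(0)`; test it, e.g. `if (!export_dns_rr(hostname, public, stdout, print_generic)) exit(1);` before `key_free(public)`. The failure message says "v2 public key" and goes to stdout via printf, while key_load_public as changed earlier on this page now also reads rsa1 keys and the sibling stat failure reports through perror on stderr; `fprintf(stderr, "failed to read public key from %s.\n", identity_file);` would be accurate and consistent. The success path calls `xfree(comment)` unconditionally while the failure path guards it with `if (comment)`; if xfree does not accept NULL (not visible here), pick one convention for both.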
@@ -778,7 +816,7 @@ main(int ac, char **av) exit(1); } - while ((opt = getopt(ac, av, "deiqpclBRxXyb:f:t:U:D:P:N:C:")) != -1) { + while ((opt = getopt(ac, av, "degiqpclBRxXyb:f:t:U:D:P:N:C:r:")) != -1) { switch (opt) { case 'b': bits = atoi(optarg); @@ -803,6 +841,9 @@ main(int ac, char **av) strlcpy(identity_file, optarg, sizeof(identity_file)); have_identity = 1; break; + case 'g': + print_generic = 1; + break; case 'P': identity_passphrase = optarg; break; @@ -843,6 +884,9 @@ main(int ac, char **av) case 'U': reader_id = optarg; break; + case 'r': + resource_record_hostname = optarg; + break; case '?': default: usage(); @@ -868,6 +912,13 @@ main(int ac, char **av) do_convert_from_ssh2(pw); if (print_public) do_print_public(pw); + if (resource_record_hostname != NULL) { +#ifdef DNS + do_print_resource_record(pw, resource_record_hostname); +#else /* DNS */ + fatal("no DNS support."); +#endif /* DNS */ + } if (reader_id != NULL) { #ifdef SMARTCARD if (download) diff --git a/ssh_config.5 b/ssh_config.5 index 44208b431..2f33aa3f3 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.7 2003/03/28 10:11:43 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.8 2003/05/14 18:16:20 jakob Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -618,6 +618,11 @@ having to remember to give the user name on the command line. Specifies a file to use for the user host key database instead of .Pa $HOME/.ssh/known_hosts . +.It Cm VerifyHostKeyDNS +Specifies whether to verify the remote key using DNS and SSHFP resource +records. +The default is +.Dq no . .It Cm XAuthLocation Specifies the full pathname of the .Xr xauth 1 diff --git a/sshconnect.c b/sshconnect.c index 33d9c727f..32bef7d07 100644 --- a/sshconnect.c +++ b/sshconnect.c 
@@ -13,7 +13,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.139 2003/04/14 14:17:50 markus Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.140 2003/05/14 18:16:21 jakob Exp $");
 #include
@@ -33,6 +33,10 @@ RCSID("$OpenBSD: sshconnect.c,v 1.139 2003/04/14 14:17:50 markus Exp $");
 #include "misc.h"
 #include "readpass.h"
+#ifdef DNS
+#include "dns.h"
+#endif
+
 char *client_version_string = NULL;
 char *server_version_string = NULL;
@@ -797,11 +801,28 @@ fail:
 return -1;
 }
+/* returns 0 if key verifies or -1 if key does NOT verify */
 int
 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
 struct stat st;
+#ifdef DNS
+ if (options.verify_host_key_dns) {
+ switch(verify_host_key_dns(host, hostaddr, host_key)) {
+ case DNS_VERIFY_OK:
+ return 0;
+ case DNS_VERIFY_FAILED:
+ return -1;
+ case DNS_VERIFY_ERROR:
+ break;
+ default:
+ debug3("bad return value from verify_host_key_dns");
+ break;
+ }
+ }
+#endif /* DNS */
+
 /* return ok if the key can be found in an old keyfile */
 if (stat(options.system_hostfile2, &st) == 0 ||
 stat(options.user_hostfile2, &st) == 0) { -- cgit v1.2.3 From ed12a26f0d4749bf6e2807afc40e97d06bda041c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 15 May 2003 13:37:43 +1000 Subject: - djm@cvs.openbsd.org 2003/05/15 03:10:52 [ssh-keygen.c] avoid warning; ok jakob@ --- ChangeLog | 5 ++++- ssh-keygen.c | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) (limited to 'ssh-keygen.c')
diff --git a/ChangeLog b/ChangeLog
index 2e7aeb132..5f9128afc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,9 @@ - markus@cvs.openbsd.org 2003/05/15 03:08:29 [cipher.c cipher-bf1.c cipher-aes.c cipher-3des1.c] split out custom EVP ciphers + - djm@cvs.openbsd.org 2003/05/15 03:10:52 + [ssh-keygen.c] + avoid warning; ok jakob@ - (djm) Always parse UsePAM - (djm) Configure glue for DNS support (code doesn't work in portable yet) - (djm) Import getrrsetbyname() function from OpenBSD libc (for DNS support)
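Review bot: `case DNS_VERIFY_OK: return 0;` runs before the known_hosts checks that start at the `stat(options.system_hostfile2, ...)` line, so with VerifyHostKeyDNS enabled a validated SSHFP match presumably takes precedence over a conflicting entry in the user's or system's known_hosts and the changed-key handling the local file would otherwise trigger is never reached; README.dns on this page promises only that the user "will be notified" on a match, which this code exceeds. The safer order is to consult the local host files first and use the DNS answer only to decide whether to accept a key they do not know, or at least to require both to agree; the rest of verify_host_key is outside the hunk, so this needs confirming against the full function. Minor style: `switch(` lacks the space the neighbouring `if (` lines use. The new comment on `int verify_host_key` is the same contract as the one dns.c states for verify_host_key_dns, but that function actually returns DNS_VERIFY_ERROR as a third value, which the switch handles; extend the comment to say DNS errors fall through to the file checks.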
@@ -1505,4 +1508,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2711 2003/05/15 03:37:19 djm Exp $ +$Id: ChangeLog,v 1.2712 2003/05/15 03:37:43 djm Exp $ diff --git a/ssh-keygen.c b/ssh-keygen.c index f3ea4f1fd..c93d70bad 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.105 2003/05/14 18:16:20 jakob Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.106 2003/05/15 03:10:52 djm Exp $"); #include #include @@ -31,6 +31,9 @@ RCSID("$OpenBSD: ssh-keygen.c,v 1.105 2003/05/14 18:16:20 jakob Exp $"); #ifdef SMARTCARD #include "scard.h" #endif +#ifdef DNS +#include "dns.h" +#endif /* Number of bits in the RSA/DSA key. This value can be changed on the command line. */ int bits = 1024; -- cgit v1.2.3 From 019cefeaadc06a3664076cae10aedae4aed13911 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 2 Aug 2003 22:40:07 +1000 Subject: - djm@cvs.openbsd.org 2003/07/28 09:49:56 [ssh-keygen.1 ssh-keygen.c] Support for generating Diffie-Hellman groups (/etc/moduli) from ssh-keygen. Based on code from Phil Karn, William Allen Simpson and Niels Provos. ok markus@, thanks jmc@ --- ChangeLog | 7 ++++- ssh-keygen.1 | 100 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- ssh-keygen.c | 86 +++++++++++++++++++++++++++++++++++++++++++++++--- 3 files changed, 187 insertions(+), 6 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index 1f6249865..ca274eaac 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,11 @@ - markus@cvs.openbsd.org 2003/07/23 07:42:43 [sshd_config] remove AFS; itojun@ + - djm@cvs.openbsd.org 2003/07/28 09:49:56 + [ssh-keygen.1 ssh-keygen.c] + Support for generating Diffie-Hellman groups (/etc/moduli) from ssh-keygen. + Based on code from Phil Karn, William Allen Simpson and Niels Provos. + ok markus@, thanks jmc@ 20030730 - (djm) [auth-pam.c] Don't use crappy APIs like sprintf. Thanks bal 
@@ -751,4 +756,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2870 2003/08/02 12:31:45 dtucker Exp $ +$Id: ChangeLog,v 1.2871 2003/08/02 12:40:07 dtucker Exp $ diff --git a/ssh-keygen.1 b/ssh-keygen.1 index fc6b5a5e0..dc4bcacd0 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.59 2003/06/10 09:12:11 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.60 2003/07/28 09:49:56 djm Exp $ .\" .\" -*- nroff -*- .\" @@ -87,6 +87,16 @@ .Fl r Ar hostname .Op Fl f Ar input_keyfile .Op Fl g +.Nm ssh-keygen +.Fl G Ar output_file +.Op Fl b Ar bits +.Op Fl M Ar memory +.Op Fl S Ar start_point +.Nm ssh-keygen +.Fl T Ar output_file +.Fl f Ar input_file +.Op Fl a Ar num_trials +.Op Fl W Ar generator .Sh DESCRIPTION .Nm generates, manages and converts authentication keys for @@ -98,6 +108,13 @@ The type of key to be generated is specified with the .Fl t option. .Pp +.Nm +is also used to generate groups for use in Diffie-Hellman group +exchange (DH-GEX). +See the +.Sx MODULI GENERATION +section for details. +.Pp Normally each user wishing to use SSH with RSA or DSA authentication runs this once to create the authentication key in @@ -150,6 +167,11 @@ should be placed to be activated. .Pp The options are as follows: .Bl -tag -width Ds +.It Fl a Ar trials +Specifies the number of primality tests to perform when screening DH-GEX +candidates using the +.Fl T +command. .It Fl b Ar bits Specifies the number of bits in the key to create. Minimum is 512 bits. 
@@ -217,10 +239,27 @@ Provides the new comment. .It Fl D Ar reader Download the RSA public key stored in the smartcard in .Ar reader . +.It Fl G Ar output_file +Generate candidate primes for DH-GEX. +These primes must be screened for +safety (using the +.Fl T +option) before use. +.It Fl M Ar memory +Specify the amount of memory to use (in megabytes) when generating +candidate moduli for DH-GEX. .It Fl N Ar new_passphrase Provides the new passphrase. .It Fl P Ar passphrase Provides the (old) passphrase. +.It Fl S Ar start +Specify start point (in hex) when generating candidate moduli for DH-GEX. +.It Fl T Ar output_file +Test DH group exchange candidate primes (generated using the +.Fl G +option) for safety. +.It Fl W Ar generator +Specify desired generator when testing candidate moduli for DH-GEX. .It Fl U Ar reader Upload an existing RSA private key into the smartcard in .Ar reader . 
@@ -228,6 +267,60 @@ Upload an existing RSA private key into the smartcard in Print DNS resource record with the specified .Ar hostname . .El +.Sh MODULI GENERATION +.Nm +may be used to generate groups for the Diffie-Hellman Group Exchange +(DH-GEX) protocol. +Generating these groups is a two-step process: first, candidate +primes are generated using a fast, but memory intensive process. +These candidate primes are then tested for suitability (a CPU-intensive +process). +.Pp +Generation of primes is performed using the +.Fl G +option. +The desired length of the primes may be specified by the +.Fl b +option. +For example: +.Pp +.Dl ssh-keygen -G moduli-2048.candidates -b 2048 +.Pp +By default, the search for primes begins at a random point in the +desired length range. +This may be overridden using the +.Fl S +option, which specifies a different start point (in hex). +.Pp +Once a set of candidates have been generated, they must be tested for +suitability. +This may be performed using the +.Fl T +option. +In this mode +.Nm +will read candidates from standard input (or a file specified using the +.Fl f +option). +For example: +.Pp +.Dl ssh-keygen -T moduli-2048 -f moduli-2048.candidates +.Pp +By default, each candidate will be subjected to 100 primality tests. +This may be overridden using the +.Fl a +option. +The DH generator value will be chosen automatically for the +prime under consideration. +If a specific generator is desired, it may be requested using the +.Fl W +option. +Valid generator values are 2, 3 and 5. +.Pp +Screened DH groups may be installed in +.Pa /etc/moduli . +It is important that this file contains moduli of a range of bit lengths and +that both ends of a connection share common moduli. .Sh FILES .Bl -tag -width Ds .It Pa $HOME/.ssh/identity 
@@ -284,11 +377,16 @@ The contents of this file should be added to on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret. +.It Pa /etc/moduli +Contains Diffie-Hellman groups used for DH-GEX. +The file format is described in +.Xr moduli 5 . .El .Sh SEE ALSO .Xr ssh 1 , .Xr ssh-add 1 , .Xr ssh-agent 1 , +.Xr moduli 5 , .Xr sshd 8 .Rs .%A J. Galbraith diff --git a/ssh-keygen.c b/ssh-keygen.c index c93d70bad..a6342b183 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.106 2003/05/15 03:10:52 djm Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.107 2003/07/28 09:49:56 djm Exp $"); #include #include @@ -27,6 +27,7 @@ RCSID("$OpenBSD: ssh-keygen.c,v 1.106 2003/05/15 03:10:52 djm Exp $"); #include "pathnames.h" #include "log.h" #include "readpass.h" +#include "moduli.h" #ifdef SMARTCARD #include "scard.h" @@ -781,6 +782,9 @@ usage(void) fprintf(stderr, " -U reader Upload private key to smartcard.\n"); #endif /* SMARTCARD */ + fprintf(stderr, " -G file Generate candidates for DH-GEX moduli\n"); + fprintf(stderr, " -T file Screen candidates for DH-GEX moduli\n"); + exit(1); } @@ -791,12 +795,15 @@ int main(int ac, char **av) { char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2; - char *reader_id = NULL; + char out_file[PATH_MAX], *reader_id = NULL; char *resource_record_hostname = NULL; Key *private, *public; struct passwd *pw; struct stat st; - int opt, type, fd, download = 0; + int opt, type, fd, download = 0, memory = 0; + int generator_wanted = 0, trials = 100; + int do_gen_candidates = 0, do_screen_candidates = 0; + BIGNUM *start = NULL; FILE *f; extern int optind; @@ -805,6 +812,8 @@ main(int ac, char **av) __progname = get_progname(av[0]); SSLeay_add_all_algorithms(); + log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); + init_rng(); seed_rng(); 
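Review bot: The usage() hunk documents only `-G file` and `-T file`, while the getopt string extended later in this commit also accepts `-M memory`, `-S start_point`, `-a trials` and `-W generator`, all of which the ssh-keygen.1 change in the same commit describes. The built-in help should list them too, e.g. `fprintf(stderr, "  -M memory   Amount of memory (MB) to use for DH-GEX candidate generation.\n");` and matching lines for -S, -a and -W, so that `ssh-keygen` with no arguments and the manual page agree. usage() continues outside the hunk.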
@@ -819,7 +828,8 @@ main(int ac, char **av)
 		exit(1);
 	}
 
-	while ((opt = getopt(ac, av, "degiqpclBRxXyb:f:t:U:D:P:N:C:r:")) != -1) {
+	while ((opt = getopt(ac, av,
+	    "degiqpclBRxXyb:f:t:U:D:P:N:C:r:g:T:G:M:S:a:W:")) != -1) {
 		switch (opt) {
 		case 'b':
 			bits = atoi(optarg);
@@ -890,6 +900,39 @@ main(int ac, char **av)
 		case 'r':
 			resource_record_hostname = optarg;
 			break;
+		case 'W':
+			generator_wanted = atoi(optarg);
+			if (generator_wanted < 1)
+				fatal("Desired generator has bad value.");
+			break;
+		case 'a':
+			trials = atoi(optarg);
+			if (trials < TRIAL_MINIMUM) {
+				fatal("Minimum primality trials is %d",
+				    TRIAL_MINIMUM);
+			}
+			break;
+		case 'M':
+			memory = atoi(optarg);
+			if (memory != 0 &&
+			    (memory < LARGE_MINIMUM || memory > LARGE_MAXIMUM)) {
+				fatal("Invalid memory amount (min %ld, max %ld)",
+				    LARGE_MINIMUM, LARGE_MAXIMUM);
+			}
+			break;
+		case 'G':
+			do_gen_candidates = 1;
+			strlcpy(out_file, optarg, sizeof(out_file));
+			break;
+		case 'T':
+			do_screen_candidates = 1;
+			strlcpy(out_file, optarg, sizeof(out_file));
+			break;
+		case 'S':
+			/* XXX - also compare length against bits */
+			if (BN_hex2bn(&start, optarg) == 0)
+				fatal("Invalid start point.");
+			break;
 		case '?':
 		default:
 			usage();
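Review bot: The new getopt string `"degiqpclBRxXyb:f:t:U:D:P:N:C:r:g:T:G:M:S:a:W:"` lists `g` twice, once as a bare flag in the existing `degiqpcl` run and again as `g:` taking an argument; which spelling applies is left to the getopt implementation, and the appended `g:` looks accidental and should be dropped. The `-W`, `-a` and `-M` handlers parse with atoi(), so a non-numeric argument silently becomes 0: `-W` and `-a` are then caught by their range checks (for `-a` only as long as TRIAL_MINIMUM is positive), but `-M junk` is accepted as the default because 0 is explicitly allowed. Parsing with strtol() and rejecting trailing characters, `if (*optarg == '\0' || *ep != '\0') fatal("Invalid memory amount.");`, would make the three consistent. The `-W` check only rejects values below 1, while the manual page added in this commit says the valid generators are 2, 3 and 5; unless prime_test() validates the generator itself, the check here should. main() continues outside both hunks.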
@@ -933,6 +976,41 @@ main(int ac, char **av)
 #endif /* SMARTCARD */
 	}
 
+	if (do_gen_candidates) {
+		FILE *out = fopen(out_file, "w");
+
+		if (out == NULL) {
+			error("Couldn't open modulus candidate file \"%s\": %s",
+			    out_file, strerror(errno));
+			return (1);
+		}
+		if (gen_candidates(out, memory, bits, start) != 0)
+			fatal("modulus candidate generation failed\n");
+
+		return (0);
+	}
+
+	if (do_screen_candidates) {
+		FILE *in;
+		FILE *out = fopen(out_file, "w");
+
+		if (have_identity && strcmp(identity_file, "-") != 0) {
+			if ((in = fopen(identity_file, "r")) == NULL) {
+				fatal("Couldn't open modulus candidate "
+				    "file \"%s\": %s", identity_file,
+				    strerror(errno));
+			}
+		} else
+			in = stdin;
+
+		if (out == NULL) {
+			fatal("Couldn't open moduli file \"%s\": %s",
+			    out_file, strerror(errno));
+		}
+		if (prime_test(in, out, trials, generator_wanted) != 0)
+			fatal("modulus screening failed\n");
+	}
+
 	arc4random_stir();
 
 	if (key_type_name == NULL) {
-- cgit v1.2.3
From f4220e6cefdddd30acd0dcaa152dedff84a15c0f Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Thu, 21 Aug 2003 16:44:07 +1000
Subject: - markus@cvs.openbsd.org 2003/08/14 16:08:58 [ssh-keygen.c] exit after primetest, ok djm@
---
 ChangeLog    | 8 +++++++-
 ssh-keygen.c | 3 ++-
 2 files changed, 9 insertions(+), 2 deletions(-)
(limited to 'ssh-keygen.c')
diff --git a/ChangeLog b/ChangeLog
index 47e97438b..097b08f16 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+20030821
+ - (dtucker) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2003/08/14 16:08:58
+   [ssh-keygen.c]
+   exit after primetest, ok djm@
+
 20030813
  - (dtucker) [session.c] Remove #ifdef TIOCSBRK kludge.
  - (dtucker) OpenBSD CVS Sync
@@ -834,4 +840,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.2893 2003/08/13 10:48:07 dtucker Exp $
+$Id: ChangeLog,v 1.2894 2003/08/21 06:44:07 dtucker Exp $
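Review bot: Neither branch closes `out` or checks the close result: gen_candidates() and prime_test() write through a buffered FILE and control then reaches `return (0)` (for -T, the `return (0)` added by the later "exit after primetest" hunk), so a write error on the moduli file, e.g. a full disk, surfaces only in the exit-time flush where nothing reports it, and the program still exits 0. Add `if (fclose(out) != 0) fatal("fclose %s: %s", out_file, strerror(errno));` before each return, and fclose `in` when it is not stdin. In the -T branch `out_file` is opened and truncated before `identity_file` is validated, so a mistyped input path leaves an empty output file behind; opening `in` first avoids that. The two `fatal("... failed\n")` messages carry a trailing newline unlike the other fatal() calls here, and the -G branch reports a bad output file with error()/`return (1)` while -T uses fatal(); one style would do. main() continues outside the hunk.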
diff --git a/ssh-keygen.c b/ssh-keygen.c
index a6342b183..2ce5553f6 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.107 2003/07/28 09:49:56 djm Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.108 2003/08/14 16:08:58 markus Exp $");
 
 #include
 #include
@@ -1009,6 +1009,7 @@ main(int ac, char **av)
 		}
 		if (prime_test(in, out, trials, generator_wanted) != 0)
 			fatal("modulus screening failed\n");
+		return (0);
 	}
 
 	arc4random_stir();
-- cgit v1.2.3
From 59d3d5b8b4813bdd1d4518d6839bd392ff6d21f7 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Fri, 22 Aug 2003 09:34:41 +1000
Subject: - (djm) s/get_progname/ssh_get_progname/g to avoid conflict with Heimdal -lbroken; ok dtucker
---
 ChangeLog                 | 6 +++++-
 logintest.c               | 4 ++--
 openbsd-compat/bsd-misc.c | 4 ++--
 openbsd-compat/bsd-misc.h | 4 ++--
 scp.c                     | 2 +-
 sftp-server.c             | 2 +-
 sftp.c                    | 2 +-
 ssh-add.c                 | 2 +-
 ssh-agent.c               | 2 +-
 ssh-keygen.c              | 2 +-
 ssh-keyscan.c             | 2 +-
 ssh-rand-helper.c         | 4 ++--
 ssh.c                     | 2 +-
 sshd.c                    | 2 +-
 14 files changed, 22 insertions(+), 18 deletions(-)
(limited to 'ssh-keygen.c')
diff --git a/ChangeLog b/ChangeLog
index 081b07907..ded30f05a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+20030822
+ - (djm) s/get_progname/ssh_get_progname/g to avoid conflict with Heimdal
+   -lbroken; ok dtucker
+
 20030821
  - (dtucker) OpenBSD CVS Sync
  - markus@cvs.openbsd.org 2003/08/14 16:08:58
@@ -845,4 +849,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.2896 2003/08/21 07:58:29 dtucker Exp $
+$Id: ChangeLog,v 1.2897 2003/08/21 23:34:41 djm Exp $
diff --git a/logintest.c b/logintest.c
index a0c08118b..3f3997d10 100644
--- a/logintest.c
+++ b/logintest.c
@@ -43,7 +43,7 @@ #include "loginrec.h" -RCSID("$Id: logintest.c,v 1.9 2003/06/02 00:42:17 djm Exp $"); +RCSID("$Id: logintest.c,v 1.10 2003/08/21 23:34:41 djm Exp $"); #ifdef HAVE___PROGNAME extern char *__progname; @@ -287,7 +287,7 @@ main(int argc, char *argv[]) { printf("Platform-independent login recording test driver\n"); - __progname = get_progname(argv[0]); + __progname = ssh_get_progname(argv[0]); if (argc == 2) { if (strncmp(argv[1], "-i", 3) == 0) compile_opts_only = 1; diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c index d4c793724..56cb45ade 100644 --- a/openbsd-compat/bsd-misc.c +++ b/openbsd-compat/bsd-misc.c @@ -25,13 +25,13 @@ #include "includes.h" #include "xmalloc.h" -RCSID("$Id: bsd-misc.c,v 1.17 2003/08/13 10:48:07 dtucker Exp $"); +RCSID("$Id: bsd-misc.c,v 1.18 2003/08/21 23:34:42 djm Exp $"); /* * NB. duplicate __progname in case it is an alias for argv[0] * Otherwise it may get clobbered by setproctitle() */ -char *get_progname(char *argv0) +char *ssh_get_progname(char *argv0) { #ifdef HAVE___PROGNAME extern char *__progname; diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h index f2fbdc2e3..2857de59b 100644 --- a/openbsd-compat/bsd-misc.h +++ b/openbsd-compat/bsd-misc.h @@ -22,14 +22,14 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* $Id: bsd-misc.h,v 1.10 2003/08/13 10:48:07 dtucker Exp $ */ +/* $Id: bsd-misc.h,v 1.11 2003/08/21 23:34:42 djm Exp $ */ #ifndef _BSD_MISC_H #define _BSD_MISC_H #include "config.h" -char *get_progname(char *); +char *ssh_get_progname(char *); #ifndef HAVE_SETSID #define setsid() setpgrp(0, getpid()) diff --git a/scp.c b/scp.c index cf979f250..4f9247c2d 100644 --- a/scp.c +++ b/scp.c @@ -222,7 +222,7 @@ main(int argc, char **argv) extern char *optarg; extern int optind; - __progname = get_progname(argv[0]); + __progname = ssh_get_progname(argv[0]); args.list = NULL; addargs(&args, "ssh"); /* overwritten with ssh_program */ 
diff --git a/sftp-server.c b/sftp-server.c index 250814d72..9166853ed 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1030,7 +1030,7 @@ main(int ac, char **av) /* XXX should use getopt */ - __progname = get_progname(av[0]); + __progname = ssh_get_progname(av[0]); handle_init(); #ifdef DEBUG_SFTP_SERVER diff --git a/sftp.c b/sftp.c index 4354bfd44..c2a6593b8 100644 --- a/sftp.c +++ b/sftp.c @@ -132,7 +132,7 @@ main(int argc, char **argv) extern int optind; extern char *optarg; - __progname = get_progname(argv[0]); + __progname = ssh_get_progname(argv[0]); args.list = NULL; addargs(&args, "ssh"); /* overwritten with ssh_program */ addargs(&args, "-oForwardX11 no"); diff --git a/ssh-add.c b/ssh-add.c index 5b0fbbce6..2e394e5c1 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -319,7 +319,7 @@ main(int argc, char **argv) char *sc_reader_id = NULL; int i, ch, deleting = 0, ret = 0; - __progname = get_progname(argv[0]); + __progname = ssh_get_progname(argv[0]); init_rng(); seed_rng(); diff --git a/ssh-agent.c b/ssh-agent.c index 6c8ff30dd..c05c61468 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1024,7 +1024,7 @@ main(int ac, char **av) SSLeay_add_all_algorithms(); - __progname = get_progname(av[0]); + __progname = ssh_get_progname(av[0]); init_rng(); seed_rng(); diff --git a/ssh-keygen.c b/ssh-keygen.c index 2ce5553f6..dbc514737 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -809,7 +809,7 @@ main(int ac, char **av) extern int optind; extern char *optarg; - __progname = get_progname(av[0]); + __progname = ssh_get_progname(av[0]); SSLeay_add_all_algorithms(); log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); diff --git a/ssh-keyscan.c b/ssh-keyscan.c index 358a1e353..9fa8aaebc 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c @@ -697,7 +697,7 @@ main(int argc, char **argv) extern int optind; extern char *optarg; - __progname = get_progname(argv[0]); + __progname = ssh_get_progname(argv[0]); init_rng(); seed_rng(); TAILQ_INIT(&tq); 
diff --git a/ssh-rand-helper.c b/ssh-rand-helper.c index 88e6e7c05..7e65e4569 100644 --- a/ssh-rand-helper.c +++ b/ssh-rand-helper.c @@ -39,7 +39,7 @@ #include "pathnames.h" #include "log.h" -RCSID("$Id: ssh-rand-helper.c,v 1.12 2003/07/06 05:20:46 dtucker Exp $"); +RCSID("$Id: ssh-rand-helper.c,v 1.13 2003/08/21 23:34:41 djm Exp $"); /* Number of bytes we write out */ #define OUTPUT_SEED_SIZE 48 @@ -769,7 +769,7 @@ main(int argc, char **argv) extern char *optarg; LogLevel ll; - __progname = get_progname(argv[0]); + __progname = ssh_get_progname(argv[0]); log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); ll = SYSLOG_LEVEL_INFO; diff --git a/ssh.c b/ssh.c index 694bb5acc..46640a857 100644 --- a/ssh.c +++ b/ssh.c @@ -212,7 +212,7 @@ main(int ac, char **av) extern int optind, optreset; extern char *optarg; - __progname = get_progname(av[0]); + __progname = ssh_get_progname(av[0]); init_rng(); /* diff --git a/sshd.c b/sshd.c index dc275b0cb..0e1bde3a3 100644 --- a/sshd.c +++ b/sshd.c @@ -819,7 +819,7 @@ main(int ac, char **av) #ifdef HAVE_SECUREWARE (void)set_auth_parameters(ac, av); #endif - __progname = get_progname(av[0]); + __progname = ssh_get_progname(av[0]); init_rng(); /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ -- cgit v1.2.3 From 2e0e38e3107381c18b99d55548f29252138c4622 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Mon, 8 Sep 2003 16:11:33 -0700 Subject: [ssh-keygen.c] s/PATH_MAX/MAXPATHLEN/ ok mouring@ --- ChangeLog | 3 ++- ssh-keygen.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index 0343f2134..f352a38de 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,7 @@ _getlong in #ifndef - (tim) [configure.ac acconfig.h openbsd-compat/getrrsetbyname.c] test for HEADER.ad in arpa/nameser.h + - (tim) [ssh-keygen.c] s/PATH_MAX/MAXPATHLEN/ ok mouring@ 20030907 - (dtucker) [agent-ptrace.sh dynamic-forward.sh (all regress/)] 
@@ -1043,4 +1044,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.2971 2003/09/08 21:35:16 tim Exp $
+$Id: ChangeLog,v 1.2972 2003/09/08 23:11:33 tim Exp $
diff --git a/ssh-keygen.c b/ssh-keygen.c
index dbc514737..e74d3cd37 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -795,7 +795,7 @@ int
 main(int ac, char **av)
 {
 	char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2;
-	char out_file[PATH_MAX], *reader_id = NULL;
+	char out_file[MAXPATHLEN], *reader_id = NULL;
 	char *resource_record_hostname = NULL;
 	Key *private, *public;
 	struct passwd *pw;
-- cgit v1.2.3