From 44e72a764f7febd041263c61c6931896a67d338e Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 14 May 2003 13:42:08 +1000 Subject: - naddy@cvs.openbsd.org 2003/04/12 11:40:15 [ssh.1] document -V switch, fix wording; ok markus@ --- ssh.1 | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'ssh.1') diff --git a/ssh.1 b/ssh.1 index fd822bb3d..a7e95c1f4 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.168 2003/03/28 10:11:43 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.169 2003/04/12 11:40:15 naddy Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -49,7 +49,7 @@ .Pp .Nm ssh .Bk -words -.Op Fl afgknqstvxACNTX1246 +.Op Fl afgknqstvxACNTVX1246 .Op Fl b Ar bind_address .Op Fl c Ar cipher_spec .Op Fl e Ar escape_char @@ -563,8 +563,10 @@ This is helpful in debugging connection, authentication, and configuration problems. Multiple .Fl v -options increases the verbosity. -Maximum is 3. +options increase the verbosity. +The maximum is 3. +.It Fl V +Display the version number and exit. .It Fl x Disables X11 forwarding. .It Fl X -- cgit v1.2.3 From 54c459866e2da288a3895eecf097104ac6f9f4d0 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 15 May 2003 10:20:13 +1000 Subject: - markus@cvs.openbsd.org 2003/05/14 22:24:42 [clientloop.c session.c ssh.1] allow to send a BREAK to the remote system; ok various --- ChangeLog | 5 ++++- clientloop.c | 18 ++++++++++++++++-- session.c | 24 +++++++++++++++++++++++- ssh.1 | 4 +++- 4 files changed, 46 insertions(+), 5 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 8feae8b23..6ec753efe 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,9 @@ add experimental support for verifying hos keys using DNS as described in draft-ietf-secsh-dns-xx.txt. more information in README.dns. ok markus@ and henning@ + - markus@cvs.openbsd.org 2003/05/14 22:24:42 + [clientloop.c session.c ssh.1] + allow to send a BREAK to the remote system; ok various 20030514 - (djm) Bug #117: Don't lie to PAM about username @@ -1485,4 +1488,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2702 2003/05/15 00:19:46 djm Exp $ +$Id: ChangeLog,v 1.2703 2003/05/15 00:20:13 djm Exp $ diff --git a/clientloop.c b/clientloop.c index e5270aa57..1c1acf481 100644 --- a/clientloop.c +++ b/clientloop.c @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.110 2003/05/11 20:30:24 markus Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.111 2003/05/14 22:24:42 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -574,6 +574,19 @@ process_escapes(Buffer *bin, Buffer *bout, Buffer *berr, char *buf, int len) /* We have been continued. */ continue; + case 'B': + if (compat20) { + snprintf(string, sizeof string, + "%cB\r\n", escape_char); + buffer_append(berr, string, + strlen(string)); + channel_request_start(session_ident, + "break", 0); + packet_put_int(1000); + packet_send(); + } + continue; + case 'R': if (compat20) { if (datafellows & SSH_BUG_NOREKEY) @@ -636,6 +649,7 @@ process_escapes(Buffer *bin, Buffer *bout, Buffer *berr, char *buf, int len) "%c?\r\n\ Supported escape sequences:\r\n\ %c. - terminate connection\r\n\ +%cB - send a BREAK to the remote system\r\n\ %cC - open a command line\r\n\ %cR - Request rekey (SSH protocol 2 only)\r\n\ %c^Z - suspend ssh\r\n\ @@ -646,7 +660,7 @@ Supported escape sequences:\r\n\ (Note that escapes are only recognized immediately after newline.)\r\n", escape_char, escape_char, escape_char, escape_char, escape_char, escape_char, escape_char, escape_char, - escape_char, escape_char); + escape_char, escape_char, escape_char); buffer_append(berr, string, strlen(string)); continue; diff --git a/session.c b/session.c index 5b445f93b..796c5177c 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.156 2003/05/11 20:30:25 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.157 2003/05/14 22:24:42 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -1742,6 +1742,26 @@ session_exec_req(Session *s) return 1; } +static int +session_break_req(Session *s) +{ + u_int break_length; + + break_length = packet_get_int(); + packet_check_eom(); + + if (s->ttyfd == -1) + return 0; + /* we will sleep from 500ms to 3000ms */ + break_length = MIN(break_length, 3000); + break_length = MAX(break_length, 500); + ioctl(s->ttyfd, TIOCSBRK, NULL); + /* should we care about EINTR? */ + usleep(break_length * 1000); + ioctl(s->ttyfd, TIOCCBRK, NULL); + return 1; +} + static int session_auth_agent_req(Session *s) { @@ -1789,6 +1809,8 @@ session_input_channel_req(Channel *c, const char *rtype) success = session_auth_agent_req(s); } else if (strcmp(rtype, "subsystem") == 0) { success = session_subsystem_req(s); + } else if (strcmp(rtype, "break") == 0) { + success = session_break_req(s); } } if (strcmp(rtype, "window-change") == 0) { diff --git a/ssh.1 b/ssh.1 index a7e95c1f4..8f91ba754 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.169 2003/04/12 11:40:15 naddy Exp $ +.\" $OpenBSD: ssh.1,v 1.170 2003/05/14 22:24:42 markus Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -301,6 +301,8 @@ Background ssh at logout when waiting for forwarded connection / X11 sessions to terminate .It Cm ~? Display a list of escape characters +.It Cm ~B +Send a BREAK to the remote system. .It Cm ~C Open command line (only useful for adding port forwardings using the .Fl L -- cgit v1.2.3 From 46a7b40d1e14ab5947eb3697bd8c2ed86cc0476c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 15 May 2003 14:17:28 +1000 Subject: - markus@cvs.openbsd.org 2003/05/15 04:08:41 [ssh.1] ~B is ssh2 only --- ChangeLog | 5 ++++- ssh.1 | 5 +++-- 2 files changed, 7 insertions(+), 3 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 67af70524..bb1a2d9c5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -38,6 +38,9 @@ - jakob@cvs.openbsd.org 2003/05/15 04:08:44 [readconf.c servconf.c] disable kerberos when not supported. ok markus@ + - markus@cvs.openbsd.org 2003/05/15 04:08:41 + [ssh.1] + ~B is ssh2 only - (djm) Always parse UsePAM - (djm) Configure glue for DNS support (code doesn't work in portable yet) - (djm) Import getrrsetbyname() function from OpenBSD libc (for DNS support) @@ -1520,4 +1523,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2718 2003/05/15 04:16:41 djm Exp $ +$Id: ChangeLog,v 1.2719 2003/05/15 04:17:28 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 8f91ba754..f4b1679e3 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.170 2003/05/14 22:24:42 markus Exp $ +.\" $OpenBSD: ssh.1,v 1.171 2003/05/15 04:08:41 markus Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -302,7 +302,8 @@ to terminate .It Cm ~? Display a list of escape characters .It Cm ~B -Send a BREAK to the remote system. +Send a BREAK to the remote system (only useful for SSH protocol version 2 +and if the peer supports it) .It Cm ~C Open command line (only useful for adding port forwardings using the .Fl L -- cgit v1.2.3 From fbf486b4a6e0f39b3d6533a2c18d1a120e98b83c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 23 May 2003 18:44:23 +1000 Subject: - jmc@cvs.openbsd.org 2003/05/20 12:09:31 [ssh.1 ssh_config.5 sshd.8 sshd_config.5 ssh-keygen.1] new sentence, new line --- ChangeLog | 5 ++++- ssh-keygen.1 | 6 +++--- ssh.1 | 13 +++++++------ ssh_config.5 | 25 ++++++++++++++----------- sshd.8 | 14 +++++++------- sshd_config.5 | 38 ++++++++++++++++++++++---------------- 6 files changed, 57 insertions(+), 44 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 00681d3a8..d00d04263 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,9 @@ - added .Xr's - typos ok djm@ + - jmc@cvs.openbsd.org 2003/05/20 12:09:31 + [ssh.1 ssh_config.5 sshd.8 sshd_config.5 ssh-keygen.1] + new sentence, new line 20030520 - (djm) OpenBSD CVS Sync @@ -1596,4 +1599,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2746 2003/05/23 08:44:04 djm Exp $ +$Id: ChangeLog,v 1.2747 2003/05/23 08:44:23 djm Exp $ diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 613d71a07..1583384af 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.57 2003/05/14 18:16:20 jakob Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.58 2003/05/20 12:09:31 jmc Exp $ .\" .\" -*- nroff -*- .\" @@ -93,8 +93,8 @@ generates, manages and converts authentication keys for .Xr ssh 1 . .Nm can create RSA keys for use by SSH protocol version 1 and RSA or DSA -keys for use by SSH protocol version 2. The type of key to be generated -is specified with the +keys for use by SSH protocol version 2. +The type of key to be generated is specified with the .Fl t option. .Pp diff --git a/ssh.1 b/ssh.1 index f4b1679e3..d8af4de62 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.171 2003/05/15 04:08:41 markus Exp $ +.\" $OpenBSD: ssh.1,v 1.172 2003/05/20 12:09:31 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -488,8 +488,8 @@ It is possible to have multiple options (and multiple identities specified in configuration files). .It Fl I Ar smartcard_device -Specifies which smartcard device to use. The argument is -the device +Specifies which smartcard device to use. +The argument is the device .Nm should use to communicate with a smartcard used for storing the user's private RSA key. @@ -542,9 +542,10 @@ per-host basis in the configuration file. Quiet mode. Causes all warning and diagnostic messages to be suppressed. .It Fl s -May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use -of SSH as a secure transport for other applications (eg. sftp). The -subsystem is specified as the remote command. +May be used to request invocation of a subsystem on the remote system. +Subsystems are a feature of the SSH2 protocol which facilitate the use +of SSH as a secure transport for other applications (eg. sftp). +The subsystem is specified as the remote command. .It Fl t Force pseudo-tty allocation. This can be used to execute arbitrary diff --git a/ssh_config.5 b/ssh_config.5 index 67166b758..99050d38a 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.10 2003/05/16 03:27:12 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.11 2003/05/20 12:09:32 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -116,7 +116,8 @@ The host is the argument given on the command line (i.e., the name is not converted to a canonicalized host name before matching). .It Cm AddressFamily -Specifies which address family to use when connecting. Valid arguments are +Specifies which address family to use when connecting. +Valid arguments are .Dq any , .Dq inet (Use IPv4 only) or @@ -236,9 +237,9 @@ This may be useful in scripts if the connection sometimes fails. The default is 1. .It Cm ConnectTimeout Specifies the timeout (in seconds) used when connecting to the ssh -server, instead of using the default system TCP timeout. This value is -used only when the target is down or really unreachable, not when it -refuses the connection. +server, instead of using the default system TCP timeout. +This value is used only when the target is down or really unreachable, +not when it refuses the connection. .It Cm DynamicForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application @@ -351,7 +352,8 @@ Numeric IP addresses are also permitted (both on the command line and in specifications). .It Cm IdentityFile Specifies a file from which the user's RSA or DSA authentication identity -is read. The default is +is read. +The default is .Pa $HOME/.ssh/identity for protocol version 1, and .Pa $HOME/.ssh/id_rsa @@ -448,7 +450,8 @@ Specifies the port number to connect on the remote host. Default is 22. .It Cm PreferredAuthentications Specifies the order in which the client should try protocol 2 -authentication methods. This allows a client to prefer one method (e.g. +authentication methods. +This allows a client to prefer one method (e.g. .Cm keyboard-interactive ) over another method (e.g. .Cm password ) @@ -561,12 +564,12 @@ The default is .Dq yes . Note that this option applies to protocol version 1 only. .It Cm SmartcardDevice -Specifies which smartcard device to use. The argument to this keyword is -the device +Specifies which smartcard device to use. +The argument to this keyword is the device .Nm ssh should use to communicate with a smartcard used for storing the user's -private RSA key. By default, no device is specified and smartcard support -is not activated. +private RSA key. +By default, no device is specified and smartcard support is not activated. .It Cm StrictHostKeyChecking If this flag is set to .Dq yes , diff --git a/sshd.8 b/sshd.8 index f7464d95b..827f4f77c 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.196 2003/04/30 20:41:07 david Exp $ +.\" $OpenBSD: sshd.8,v 1.197 2003/05/20 12:09:32 jmc Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -497,9 +497,9 @@ IPv6 addresses can be specified with an alternative syntax: .Ar host/port . Multiple .Cm permitopen -options may be applied separated by commas. No pattern matching is -performed on the specified hostnames, they must be literal domains or -addresses. +options may be applied separated by commas. +No pattern matching is performed on the specified hostnames, +they must be literal domains or addresses. .El .Ss Examples 1024 33 12121.\|.\|.\|312314325 ylo@foo.bar @@ -525,9 +525,9 @@ bits, exponent, modulus, comment. The fields are separated by spaces. .Pp Hostnames is a comma-separated list of patterns -.Pf ( Ql \&* -and -.Ql \&? +.Pf ( Ql \&* +and +.Ql \&? act as wildcards); each pattern in turn is matched against the canonical host name (when authenticating a client) or against the user-supplied diff --git a/sshd_config.5 b/sshd_config.5 index 8250be8d6..86b3289a1 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.16 2003/04/30 01:16:20 mouring Exp $ +.\" $OpenBSD: sshd_config.5,v 1.17 2003/05/20 12:09:32 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -107,7 +107,8 @@ Specifies the file that contains the public keys that can be used for user authentication. .Cm AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection -set-up. The following tokens are defined: %% is replaced by a literal '%', +set-up. +The following tokens are defined: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated and %u is replaced by the username of that user. After expansion, @@ -153,20 +154,24 @@ This option applies to protocol version 2 only. Sets the number of client alive messages (see above) which may be sent without .Nm sshd -receiving any messages back from the client. If this threshold is -reached while client alive messages are being sent, +receiving any messages back from the client. +If this threshold is reached while client alive messages are being sent, .Nm sshd -will disconnect the client, terminating the session. It is important -to note that the use of client alive messages is very different from +will disconnect the client, terminating the session. +It is important to note that the use of client alive messages is very +different from .Cm KeepAlive -(below). The client alive messages are sent through the -encrypted channel and therefore will not be spoofable. The TCP keepalive -option enabled by +(below). +The client alive messages are sent through the encrypted channel +and therefore will not be spoofable. +The TCP keepalive option enabled by .Cm KeepAlive -is spoofable. The client alive mechanism is valuable when the client or +is spoofable. +The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. .Pp -The default value is 3. If +The default value is 3. +If .Cm ClientAliveInterval (above) is set to 15, and .Cm ClientAliveCountMax @@ -369,11 +374,12 @@ is not specified, .Nm sshd will listen on the address and all prior .Cm Port -options specified. The default is to listen on all local -addresses. +options specified. +The default is to listen on all local addresses. Multiple .Cm ListenAddress -options are permitted. Additionally, any +options are permitted. +Additionally, any .Cm Port options must precede this option for non port qualified addresses. .It Cm LoginGraceTime @@ -454,8 +460,8 @@ but only if the .Ar command option has been specified (which may be useful for taking remote backups even if root login is -normally not allowed). All other authentication methods are disabled -for root. +normally not allowed). +All other authentication methods are disabled for root. .Pp If this option is set to .Dq no -- cgit v1.2.3 From f1ce505daf3ab14b42aa1eba41272fa103d3f4d0 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 11 Jun 2003 22:04:39 +1000 Subject: - jmc@cvs.openbsd.org 2003/06/10 09:12:11 [scp.1 sftp-server.8 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5] [sshd.8 sshd_config.5 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8] - section reorder - COMPATIBILITY merge - macro cleanup - kill whitespace at EOL - new sentence, new line ssh pages ok markus@ --- ChangeLog | 15 ++++++++++++++- scp.1 | 20 +++++++++++--------- sftp-server.8 | 4 ++-- ssh-add.1 | 40 ++++++++++++++++++++-------------------- ssh-agent.1 | 12 ++++++------ ssh-keygen.1 | 20 ++++++++++---------- ssh-keyscan.1 | 51 +++++++++++++++++++++++++-------------------------- ssh-keysign.8 | 6 +++--- ssh.1 | 23 ++++++++++++----------- ssh_config.5 | 6 +++--- sshd.8 | 24 ++++++++++++------------ sshd_config.5 | 9 ++++----- 12 files changed, 122 insertions(+), 108 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 24dfa0be6..643b384fa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,16 @@ +20030611 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2003/06/10 09:12:11 + [scp.1 sftp-server.8 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5] + [sshd.8 sshd_config.5 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8] + - section reorder + - COMPATIBILITY merge + - macro cleanup + - kill whitespace at EOL + - new sentence, new line + ssh pages ok markus@ + + 20030609 - (djm) Sync README.smartcard with OpenBSD -current - (djm) Re-merge OpenSC info into README.smartcard @@ -480,4 +493,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2792 2003/06/10 11:09:09 djm Exp $ +$Id: ChangeLog,v 1.2793 2003/06/11 12:04:39 djm Exp $ diff --git a/scp.1 b/scp.1 index a3ec2e0c6..a971500ee 100644 --- a/scp.1 +++ b/scp.1 @@ -9,7 +9,7 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.27 2003/03/28 10:11:43 jmc Exp $ +.\" $OpenBSD: scp.1,v 1.28 2003/06/10 09:12:11 jmc Exp $ .\" .Dd September 25, 1999 .Dt SCP 1 @@ -148,14 +148,6 @@ to use IPv6 addresses only. .Sh DIAGNOSTICS .Nm exits with 0 on success or >0 if an error occurred. -.Sh AUTHORS -Timo Rinne and Tatu Ylonen -.Sh HISTORY -.Nm -is based on the -.Xr rcp 1 -program in BSD source code from the Regents of the University of -California. .Sh SEE ALSO .Xr rcp 1 , .Xr sftp 1 , @@ -165,3 +157,13 @@ California. .Xr ssh-keygen 1 , .Xr ssh_config 5 , .Xr sshd 8 +.Sh HISTORY +.Nm +is based on the +.Xr rcp 1 +program in BSD source code from the Regents of the University of +California. +.Sh AUTHORS +.An Timo Rinne Aq tri@iki.fi +and +.An Tatu Ylonen Aq ylo@cs.hut.fi diff --git a/sftp-server.8 b/sftp-server.8 index 0a0210a34..871f83796 100644 --- a/sftp-server.8 +++ b/sftp-server.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp-server.8,v 1.8 2001/06/23 05:57:08 deraadt Exp $ +.\" $OpenBSD: sftp-server.8,v 1.9 2003/06/10 09:12:11 jmc Exp $ .\" .\" Copyright (c) 2000 Markus Friedl. All rights reserved. .\" @@ -56,7 +56,7 @@ for more information. .%O work in progress material .Re .Sh AUTHORS -Markus Friedl +.An Markus Friedl Aq markus@openbsd.org .Sh HISTORY .Nm first appeared in OpenBSD 2.8 . diff --git a/ssh-add.1 b/ssh-add.1 index bcdb8e7f6..fe0190859 100644 --- a/ssh-add.1 +++ b/ssh-add.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.38 2003/03/28 10:11:43 jmc Exp $ +.\" $OpenBSD: ssh-add.1,v 1.39 2003/06/10 09:12:11 jmc Exp $ .\" .\" -*- nroff -*- .\" @@ -109,20 +109,6 @@ Add key in smartcard Remove key in smartcard .Ar reader . .El -.Sh FILES -.Bl -tag -width Ds -.It Pa $HOME/.ssh/identity -Contains the protocol version 1 RSA authentication identity of the user. -.It Pa $HOME/.ssh/id_dsa -Contains the protocol version 2 DSA authentication identity of the user. -.It Pa $HOME/.ssh/id_rsa -Contains the protocol version 2 RSA authentication identity of the user. -.El -.Pp -Identity files should not be readable by anyone but the user. -Note that -.Nm -ignores identity files if they are accessible by others. .Sh ENVIRONMENT .Bl -tag -width Ds .It Ev "DISPLAY" and "SSH_ASKPASS" @@ -152,11 +138,30 @@ to make this work.) Identifies the path of a unix-domain socket used to communicate with the agent. .El +.Sh FILES +.Bl -tag -width Ds +.It Pa $HOME/.ssh/identity +Contains the protocol version 1 RSA authentication identity of the user. +.It Pa $HOME/.ssh/id_dsa +Contains the protocol version 2 DSA authentication identity of the user. +.It Pa $HOME/.ssh/id_rsa +Contains the protocol version 2 RSA authentication identity of the user. +.El +.Pp +Identity files should not be readable by anyone but the user. +Note that +.Nm +ignores identity files if they are accessible by others. .Sh DIAGNOSTICS Exit status is 0 on success, 1 if the specified command fails, and 2 if .Nm is unable to contact the authentication agent. +.Sh SEE ALSO +.Xr ssh 1 , +.Xr ssh-agent 1 , +.Xr ssh-keygen 1 , +.Xr sshd 8 .Sh AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. @@ -166,8 +171,3 @@ removed many bugs, re-added newer features and created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -.Sh SEE ALSO -.Xr ssh 1 , -.Xr ssh-agent 1 , -.Xr ssh-keygen 1 , -.Xr sshd 8 diff --git a/ssh-agent.1 b/ssh-agent.1 index eae6716b7..aab15cc7f 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.38 2003/05/14 13:11:56 jmc Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.39 2003/06/10 09:12:11 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -179,6 +179,11 @@ authentication agent. These sockets should only be readable by the owner. The sockets should get automatically removed when the agent exits. .El +.Sh SEE ALSO +.Xr ssh 1 , +.Xr ssh-add 1 , +.Xr ssh-keygen 1 , +.Xr sshd 8 .Sh AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. @@ -188,8 +193,3 @@ removed many bugs, re-added newer features and created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -.Sh SEE ALSO -.Xr ssh 1 , -.Xr ssh-add 1 , -.Xr ssh-keygen 1 , -.Xr sshd 8 diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 1583384af..fc6b5a5e0 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.58 2003/05/20 12:09:31 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.59 2003/06/10 09:12:11 jmc Exp $ .\" .\" -*- nroff -*- .\" @@ -285,15 +285,6 @@ on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret. .El -.Sh AUTHORS -OpenSSH is a derivative of the original and free -ssh 1.2.12 release by Tatu Ylonen. -Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, -Theo de Raadt and Dug Song -removed many bugs, re-added newer features and -created OpenSSH. -Markus Friedl contributed the support for SSH -protocol versions 1.5 and 2.0. .Sh SEE ALSO .Xr ssh 1 , .Xr ssh-add 1 , @@ -307,3 +298,12 @@ protocol versions 1.5 and 2.0. .%D March 2001 .%O work in progress material .Re +.Sh AUTHORS +OpenSSH is a derivative of the original and free +ssh 1.2.12 release by Tatu Ylonen. +Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, +Theo de Raadt and Dug Song +removed many bugs, re-added newer features and +created OpenSSH. +Markus Friedl contributed the support for SSH +protocol versions 1.5 and 2.0. diff --git a/ssh-keyscan.1 b/ssh-keyscan.1 index 6d27569eb..572751f66 100644 --- a/ssh-keyscan.1 +++ b/ssh-keyscan.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keyscan.1,v 1.16 2003/05/12 18:35:18 markus Exp $ +.\" $OpenBSD: ssh-keyscan.1,v 1.17 2003/06/10 09:12:11 jmc Exp $ .\" .\" Copyright 1995, 1996 by David Mazieres . .\" @@ -103,24 +103,6 @@ On the other hand, if the security model allows such a risk, .Nm can help in the detection of tampered keyfiles or man in the middle attacks which have begun after the ssh_known_hosts file was created. -.Sh EXAMPLES -.Pp -Print the -.Pa rsa1 -host key for machine -.Pa hostname : -.Bd -literal -$ ssh-keyscan hostname -.Ed -.Pp -Find all hosts from the file -.Pa ssh_hosts -which have new or different keys from those in the sorted file -.Pa ssh_known_hosts : -.Bd -literal -$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e\ - sort -u - ssh_known_hosts | diff ssh_known_hosts - -.Ed .Sh FILES .Pa Input format: .Bd -literal @@ -145,16 +127,33 @@ or .Dq ssh-dss . .Pp .Pa /etc/ssh/ssh_known_hosts -.Sh BUGS -It generates "Connection closed by remote host" messages on the consoles -of all the machines it scans if the server is older than version 2.9. -This is because it opens a connection to the ssh port, reads the public -key, and drops the connection as soon as it gets the key. +.Sh EXAMPLES +Print the +.Pa rsa1 +host key for machine +.Pa hostname : +.Bd -literal +$ ssh-keyscan hostname +.Ed +.Pp +Find all hosts from the file +.Pa ssh_hosts +which have new or different keys from those in the sorted file +.Pa ssh_known_hosts : +.Bd -literal +$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e + sort -u - ssh_known_hosts | diff ssh_known_hosts - +.Ed .Sh SEE ALSO .Xr ssh 1 , .Xr sshd 8 .Sh AUTHORS -David Mazieres +.An David Mazieres Aq dm@lcs.mit.edu wrote the initial version, and -Wayne Davison +.An Wayne Davison Aq wayned@users.sourceforge.net added support for protocol version 2. +.Sh BUGS +It generates "Connection closed by remote host" messages on the consoles +of all the machines it scans if the server is older than version 2.9. +This is because it opens a connection to the ssh port, reads the public +key, and drops the connection as soon as it gets the key. diff --git a/ssh-keysign.8 b/ssh-keysign.8 index 2e3f8ff3e..a17e8d5cf 100644 --- a/ssh-keysign.8 +++ b/ssh-keysign.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keysign.8,v 1.6 2003/03/28 10:11:43 jmc Exp $ +.\" $OpenBSD: ssh-keysign.8,v 1.7 2003/06/10 09:12:11 jmc Exp $ .\" .\" Copyright (c) 2002 Markus Friedl. All rights reserved. .\" @@ -74,9 +74,9 @@ must be set-uid root if hostbased authentication is used. .Xr ssh-keygen 1 , .Xr ssh_config 5 , .Xr sshd 8 -.Sh AUTHORS -Markus Friedl .Sh HISTORY .Nm first appeared in .Ox 3.2 . +.Sh AUTHORS +.An Markus Friedl Aq markus@openbsd.org diff --git a/ssh.1 b/ssh.1 index d8af4de62..defc0e640 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.172 2003/05/20 12:09:31 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.173 2003/06/10 09:12:11 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -922,7 +922,8 @@ or .Xr rsh 1 . .It Pa /etc/hosts.equiv This file is used during -.Pa \&.rhosts authentication. +.Pa \&.rhosts +authentication. It contains canonical hosts names, one per line (the full format is described on the @@ -964,15 +965,6 @@ above. .Nm exits with the exit status of the remote command or with 255 if an error occurred. -.Sh AUTHORS -OpenSSH is a derivative of the original and free -ssh 1.2.12 release by Tatu Ylonen. -Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, -Theo de Raadt and Dug Song -removed many bugs, re-added newer features and -created OpenSSH. -Markus Friedl contributed the support for SSH -protocol versions 1.5 and 2.0. .Sh SEE ALSO .Xr rsh 1 , .Xr scp 1 , @@ -995,3 +987,12 @@ protocol versions 1.5 and 2.0. .%D January 2002 .%O work in progress material .Re +.Sh AUTHORS +OpenSSH is a derivative of the original and free +ssh 1.2.12 release by Tatu Ylonen. +Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, +Theo de Raadt and Dug Song +removed many bugs, re-added newer features and +created OpenSSH. +Markus Friedl contributed the support for SSH +protocol versions 1.5 and 2.0. diff --git a/ssh_config.5 b/ssh_config.5 index aa86897a6..85a686b08 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.12 2003/06/02 08:31:10 jakob Exp $ +.\" $OpenBSD: ssh_config.5,v 1.13 2003/06/10 09:12:12 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -664,6 +664,8 @@ values that are not specified in the user's configuration file, and for those users who do not have a configuration file. This file must be world-readable. .El +.Sh SEE ALSO +.Xr ssh 1 .Sh AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. @@ -673,5 +675,3 @@ removed many bugs, re-added newer features and created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -.Sh SEE ALSO -.Xr ssh 1 diff --git a/sshd.8 b/sshd.8 index 827f4f77c..1cad834f6 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.197 2003/05/20 12:09:32 jmc Exp $ +.\" $OpenBSD: sshd.8,v 1.198 2003/06/10 09:12:12 jmc Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -771,17 +771,6 @@ This can be used to specify machine-specific login-time initializations globally. This file should be writable only by root, and should be world-readable. .El -.Sh AUTHORS -OpenSSH is a derivative of the original and free -ssh 1.2.12 release by Tatu Ylonen. -Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, -Theo de Raadt and Dug Song -removed many bugs, re-added newer features and -created OpenSSH. -Markus Friedl contributed the support for SSH -protocol versions 1.5 and 2.0. -Niels Provos and Markus Friedl contributed support -for privilege separation. .Sh SEE ALSO .Xr scp 1 , .Xr sftp 1 , @@ -813,3 +802,14 @@ for privilege separation. .%D January 2002 .%O work in progress material .Re +.Sh AUTHORS +OpenSSH is a derivative of the original and free +ssh 1.2.12 release by Tatu Ylonen. +Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, +Theo de Raadt and Dug Song +removed many bugs, re-added newer features and +created OpenSSH. +Markus Friedl contributed the support for SSH +protocol versions 1.5 and 2.0. +Niels Provos and Markus Friedl contributed support +for privilege separation. diff --git a/sshd_config.5 b/sshd_config.5 index 0c6108e0f..522911a39 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.18 2003/06/02 09:17:34 markus Exp $ +.\" $OpenBSD: sshd_config.5,v 1.19 2003/06/10 09:12:12 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -660,7 +660,7 @@ display server may be exposed to attack when the ssh client requests forwarding (see the warnings for .Cm ForwardX11 in -.Xr ssh_config 5 ). +.Xr ssh_config 5 ) . A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a @@ -706,7 +706,6 @@ The default is .Pa /usr/X11R6/bin/xauth . .El .Ss Time Formats -.Pp .Nm sshd command-line arguments and configuration file options that specify time may be expressed using a sequence of the form: @@ -755,6 +754,8 @@ Contains configuration data for This file should be writable by root only, but it is recommended (though not necessary) that it be world-readable. .El +.Sh SEE ALSO +.Xr sshd 8 .Sh AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. @@ -766,5 +767,3 @@ Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -.Sh SEE ALSO -.Xr sshd 8 -- cgit v1.2.3 From 46471c9a81bdd0d797149a20364645bc6ffcf2cc Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 3 Jul 2003 13:55:19 +1000 Subject: - markus@cvs.openbsd.org 2003/07/02 14:51:16 [channels.c ssh.1 ssh_config.5] (re)add socks5 suppport to -D; ok djm@ now ssh(1) can act both as a socks 4 and socks 5 server and dynamically forward ports. --- ChangeLog | 7 +++- channels.c | 120 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- ssh.1 | 6 +-- ssh_config.5 | 6 +-- 4 files changed, 129 insertions(+), 10 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 40cf07d41..9c960f13d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,11 @@ - markus@cvs.openbsd.org 2003/07/02 12:56:34 [channels.c] deny dynamic forwarding with -R for v1, too; ok djm@ + - markus@cvs.openbsd.org 2003/07/02 14:51:16 + [channels.c ssh.1 ssh_config.5] + (re)add socks5 suppport to -D; ok djm@ + now ssh(1) can act both as a socks 4 and socks 5 server and + dynamically forward ports. 20030630 - (djm) Search for support functions necessary to build our @@ -635,4 +640,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2839 2003/07/03 03:52:04 dtucker Exp $ +$Id: ChangeLog,v 1.2840 2003/07/03 03:55:19 dtucker Exp $ diff --git a/channels.c b/channels.c index ce07db5c0..e5b2b8c51 100644 --- a/channels.c +++ b/channels.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.192 2003/07/02 12:56:34 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.193 2003/07/02 14:51:16 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -54,7 +54,7 @@ RCSID("$OpenBSD: channels.c,v 1.192 2003/07/02 12:56:34 markus Exp $"); #include "key.h" #include "authfd.h" #include "pathnames.h" - +#include "bufaux.h" /* -- channel core */ @@ -941,6 +941,117 @@ channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset) return 1; } +/* try to decode a socks5 header */ +#define SSH_SOCKS5_AUTHDONE 0x1000 +#define SSH_SOCKS5_NOAUTH 0x00 +#define SSH_SOCKS5_IPV4 0x01 +#define SSH_SOCKS5_DOMAIN 0x03 +#define SSH_SOCKS5_IPV6 0x04 +#define SSH_SOCKS5_CONNECT 0x01 +#define SSH_SOCKS5_SUCCESS 0x00 + +static int +channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset) +{ + struct { + u_int8_t version; + u_int8_t command; + u_int8_t reserved; + u_int8_t atyp; + } s5_req, s5_rsp; + u_int16_t dest_port; + u_char *p, dest_addr[255+1]; + int i, have, found, nmethods, addrlen, af; + + debug2("channel %d: decode socks5", c->self); + p = buffer_ptr(&c->input); + if (p[0] != 0x05) + return -1; + have = buffer_len(&c->input); + if (!(c->flags & SSH_SOCKS5_AUTHDONE)) { + /* format: ver | nmethods | methods */ + if (have < 2) + return 0; + nmethods = p[1]; + if (have < nmethods + 2) + return 0; + /* look for method: "NO AUTHENTICATION REQUIRED" */ + for (found = 0, i = 2 ; i < nmethods + 2; i++) { + if (p[i] == SSH_SOCKS5_NOAUTH ) { + found = 1; + break; + } + } + if (!found) { + debug("channel %d: method SSH_SOCKS5_NOAUTH not found", + c->self); + return -1; + } + buffer_consume(&c->input, nmethods + 2); + buffer_put_char(&c->output, 0x05); /* version */ + buffer_put_char(&c->output, SSH_SOCKS5_NOAUTH); /* method */ + FD_SET(c->sock, writeset); + c->flags |= SSH_SOCKS5_AUTHDONE; + debug2("channel %d: socks5 auth done", c->self); + return 0; /* need more */ + } + debug2("channel %d: socks5 post auth", c->self); + if (have < sizeof(s5_req)+1) + return 0; /* need more */ + memcpy((char *)&s5_req, p, sizeof(s5_req)); + if (s5_req.version != 0x05 || + s5_req.command != SSH_SOCKS5_CONNECT || + s5_req.reserved != 0x00) { + debug("channel %d: only socks5 connect supported", c->self); + return -1; + } + switch(s5_req.atyp){ + case SSH_SOCKS5_IPV4: + addrlen = 4; + af = AF_INET; + break; + case SSH_SOCKS5_DOMAIN: + addrlen = p[sizeof(s5_req)]; + af = -1; + break; + case SSH_SOCKS5_IPV6: + addrlen = 16; + af = AF_INET6; + break; + default: + debug("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp); + return -1; + } + if (have < 4 + addrlen + 2) + return 0; + buffer_consume(&c->input, sizeof(s5_req)); + if (s5_req.atyp == SSH_SOCKS5_DOMAIN) + buffer_consume(&c->input, 1); /* host string length */ + buffer_get(&c->input, (char *)&dest_addr, addrlen); + buffer_get(&c->input, (char *)&dest_port, 2); + dest_addr[addrlen] = '\0'; + if (s5_req.atyp == SSH_SOCKS5_DOMAIN) + strlcpy(c->path, dest_addr, sizeof(c->path)); + else if (inet_ntop(af, dest_addr, c->path, sizeof(c->path)) == NULL) + return -1; + c->host_port = ntohs(dest_port); + + debug("channel %d: dynamic request: socks5 host %s port %u command %u", + c->self, c->path, c->host_port, s5_req.command); + + s5_rsp.version = 0x05; + s5_rsp.command = SSH_SOCKS5_SUCCESS; + s5_rsp.reserved = 0; /* ignored */ + s5_rsp.atyp = SSH_SOCKS5_IPV4; + ((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY; + dest_port = 0; /* ignored */ + + buffer_append(&c->output, (char *)&s5_rsp, sizeof(s5_rsp)); + buffer_append(&c->output, (char *)&dest_addr, sizeof(struct in_addr)); + buffer_append(&c->output, (char *)&dest_port, sizeof(dest_port)); + return 1; +} + /* dynamic port forwarding */ static void channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset) @@ -953,7 +1064,7 @@ channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset) debug2("channel %d: pre_dynamic: have %d", c->self, have); /* buffer_dump(&c->input); */ /* check if the fixed size part of the packet is in buffer. */ - if (have < 4) { + if (have < 3) { /* need more */ FD_SET(c->sock, readset); return; @@ -964,6 +1075,9 @@ channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset) case 0x04: ret = channel_decode_socks4(c, readset, writeset); break; + case 0x05: + ret = channel_decode_socks5(c, readset, writeset); + break; default: ret = -1; break; diff --git a/ssh.1 b/ssh.1 index defc0e640..8a7d2f428 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.173 2003/06/10 09:12:11 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.174 2003/07/02 14:51:16 markus Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -649,9 +649,9 @@ on the local side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. -Currently the SOCKS4 protocol is supported, and +Currently the SOCKS4 and SOCKS5 protocols are supported, and .Nm -will act as a SOCKS4 server. +will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file. .It Fl 1 diff --git a/ssh_config.5 b/ssh_config.5 index 56df3acec..79d05f018 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.14 2003/06/23 09:02:44 markus Exp $ +.\" $OpenBSD: ssh_config.5,v 1.15 2003/07/02 14:51:16 markus Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -246,9 +246,9 @@ over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. The argument must be a port number. -Currently the SOCKS4 protocol is supported, and +Currently the SOCKS4 and SOCKS5 protocols are supported, and .Nm ssh -will act as a SOCKS4 server. +will act as a SOCKS server. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. -- cgit v1.2.3 From 6aaa58c4709c43ffb9f3f2be299cd5c4044f24a3 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 2 Aug 2003 22:24:49 +1000 Subject: - (dtucker) OpenBSD CVS Sync - markus@cvs.openbsd.org 2003/07/22 13:35:22 [auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h] remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@ - (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support. - (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files. I hope I got this right.... --- ChangeLog | 11 +- Makefile.in | 6 +- acconfig.h | 8 +- auth-krb4.c | 368 --------------------------------------------------------- auth-passwd.c | 10 +- auth.h | 19 +-- auth1.c | 45 +------ configure.ac | 87 +------------- monitor.c | 54 +-------- monitor.h | 1 - monitor_wrap.c | 38 +----- monitor_wrap.h | 5 +- radix.c | 158 ------------------------- radix.h | 28 ----- readconf.c | 17 +-- readconf.h | 3 +- servconf.c | 25 +--- servconf.h | 3 +- session.c | 57 +-------- ssh.1 | 4 +- ssh.c | 9 +- ssh.h | 5 +- ssh_config.5 | 10 +- sshconnect1.c | 287 +------------------------------------------- sshd.c | 21 +--- sshd_config.5 | 9 +- 26 files changed, 52 insertions(+), 1236 deletions(-) delete mode 100644 auth-krb4.c delete mode 100644 radix.c delete mode 100644 radix.h (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index c930ad347..67ca07ce4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,14 @@ 20030802 - (dtucker) [monitor.h monitor_wrap.h] Remove excess ident tags. + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/07/22 13:35:22 + [auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c + monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1 + ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h] + remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); + test+ok henning@ + - (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support. + - (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files. 20030730 - (djm) [auth-pam.c] Don't use crappy APIs like sprintf. Thanks bal @@ -738,4 +747,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2868 2003/08/02 10:37:03 dtucker Exp $ +$Id: ChangeLog,v 1.2869 2003/08/02 12:24:49 dtucker Exp $ diff --git a/Makefile.in b/Makefile.in index 4252ae6f3..c5674c735 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.238 2003/06/05 08:53:43 djm Exp $ +# $Id: Makefile.in,v 1.239 2003/08/02 12:24:49 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -63,7 +63,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \ cipher.o cipher-aes.o cipher-bf1.o cipher-ctr.o cipher-3des1.o \ compat.o compress.o crc32.o deattack.o fatal.o \ - hostfile.o log.o match.o mpaux.o nchan.o packet.o radix.o \ + hostfile.o log.o match.o mpaux.o nchan.o packet.o \ readpass.o rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \ key.o dispatch.o kex.o mac.o uuencode.o misc.o \ rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \ @@ -81,7 +81,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o \ monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \ kexdhs.o kexgexs.o \ - auth-krb5.o auth2-krb5.o auth-krb4.o \ + auth-krb5.o auth2-krb5.o \ loginrec.o auth-pam.o auth-sia.o md5crypt.o MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out diff --git a/acconfig.h b/acconfig.h index 0af93663c..24c07beed 100644 --- a/acconfig.h +++ b/acconfig.h @@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.159 2003/07/14 06:21:44 dtucker Exp $ */ +/* $Id: acconfig.h,v 1.160 2003/08/02 12:24:49 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -238,12 +238,6 @@ /* Define this if you are using the Heimdal version of Kerberos V5 */ #undef HEIMDAL -/* Define if you want Kerberos 4 support */ -#undef KRB4 - -/* Define if you want AFS support */ -#undef AFS - /* Define if you want S/Key support */ #undef SKEY diff --git a/auth-krb4.c b/auth-krb4.c deleted file mode 100644 index 9e1c800be..000000000 --- a/auth-krb4.c +++ /dev/null @@ -1,368 +0,0 @@ -/* - * Copyright (c) 1999 Dug Song. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "includes.h" -RCSID("$OpenBSD: auth-krb4.c,v 1.30 2003/04/08 20:21:28 itojun Exp $"); - -#include "ssh.h" -#include "ssh1.h" -#include "packet.h" -#include "xmalloc.h" -#include "log.h" -#include "servconf.h" -#include "uidswap.h" -#include "auth.h" - -#ifdef AFS -#include "radix.h" -#endif - -#ifdef KRB4 -extern ServerOptions options; - -static int -krb4_init(void *context) -{ - static int cleanup_registered = 0; - Authctxt *authctxt = (Authctxt *)context; - const char *tkt_root = TKT_ROOT; - struct stat st; - int fd; - - if (!authctxt->krb4_ticket_file) { - /* Set unique ticket string manually since we're still root. */ - authctxt->krb4_ticket_file = xmalloc(MAXPATHLEN); -#ifdef AFS - if (lstat("/ticket", &st) != -1) - tkt_root = "/ticket/"; -#endif /* AFS */ - snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%ld", - tkt_root, authctxt->pw->pw_uid, (long)getpid()); - krb_set_tkt_string(authctxt->krb4_ticket_file); - } - /* Register ticket cleanup in case of fatal error. */ - if (!cleanup_registered) { - fatal_add_cleanup(krb4_cleanup_proc, authctxt); - cleanup_registered = 1; - } - /* Try to create our ticket file. */ - if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) { - close(fd); - return (1); - } - /* Ticket file exists - make sure user owns it (just passed ticket). */ - if (lstat(authctxt->krb4_ticket_file, &st) != -1) { - if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) && - st.st_uid == authctxt->pw->pw_uid) - return (1); - } - /* Failure - cancel cleanup function, leaving ticket for inspection. */ - logit("WARNING: bad ticket file %s", authctxt->krb4_ticket_file); - - fatal_remove_cleanup(krb4_cleanup_proc, authctxt); - cleanup_registered = 0; - - xfree(authctxt->krb4_ticket_file); - authctxt->krb4_ticket_file = NULL; - - return (0); -} - -/* - * try krb4 authentication, - * return 1 on success, 0 on failure, -1 if krb4 is not available - */ -int -auth_krb4_password(Authctxt *authctxt, const char *password) -{ - AUTH_DAT adata; - KTEXT_ST tkt; - struct hostent *hp; - struct passwd *pw; - char localhost[MAXHOSTNAMELEN], phost[INST_SZ], realm[REALM_SZ]; - u_int32_t faddr; - int r; - - if ((pw = authctxt->pw) == NULL) - return (0); - - /* - * Try Kerberos password authentication only for non-root - * users and only if Kerberos is installed. - */ - if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) { - /* Set up our ticket file. */ - if (!krb4_init(authctxt)) { - logit("Couldn't initialize Kerberos ticket file for %s!", - pw->pw_name); - goto failure; - } - /* Try to get TGT using our password. */ - r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm, - "krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password); - if (r != INTK_OK) { - debug("Kerberos v4 password authentication for %s " - "failed: %s", pw->pw_name, krb_err_txt[r]); - goto failure; - } - /* Successful authentication. */ - chown(tkt_string(), pw->pw_uid, pw->pw_gid); - - /* - * Now that we have a TGT, try to get a local - * "rcmd" ticket to ensure that we are not talking - * to a bogus Kerberos server. - */ - gethostname(localhost, sizeof(localhost)); - strlcpy(phost, (char *)krb_get_phost(localhost), - sizeof(phost)); - r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33); - - if (r == KSUCCESS) { - if ((hp = gethostbyname(localhost)) == NULL) { - logit("Couldn't get local host address!"); - goto failure; - } - memmove((void *)&faddr, (void *)hp->h_addr, - sizeof(faddr)); - - /* Verify our "rcmd" ticket. */ - r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost, - faddr, &adata, ""); - if (r == RD_AP_UNDEC) { - /* - * Probably didn't have a srvtab on - * localhost. Disallow login. - */ - logit("Kerberos v4 TGT for %s unverifiable, " - "no srvtab installed? krb_rd_req: %s", - pw->pw_name, krb_err_txt[r]); - goto failure; - } else if (r != KSUCCESS) { - logit("Kerberos v4 %s ticket unverifiable: %s", - KRB4_SERVICE_NAME, krb_err_txt[r]); - goto failure; - } - } else if (r == KDC_PR_UNKNOWN) { - /* - * Disallow login if no rcmd service exists, and - * log the error. - */ - logit("Kerberos v4 TGT for %s unverifiable: %s; %s.%s " - "not registered, or srvtab is wrong?", pw->pw_name, - krb_err_txt[r], KRB4_SERVICE_NAME, phost); - goto failure; - } else { - /* - * TGT is bad, forget it. Possibly spoofed! - */ - debug("WARNING: Kerberos v4 TGT possibly spoofed " - "for %s: %s", pw->pw_name, krb_err_txt[r]); - goto failure; - } - /* Authentication succeeded. */ - return (1); - } else - /* Logging in as root or no local Kerberos realm. */ - debug("Unable to authenticate to Kerberos."); - - failure: - krb4_cleanup_proc(authctxt); - - if (!options.kerberos_or_local_passwd) - return (0); - - /* Fall back to ordinary passwd authentication. */ - return (-1); -} - -void -krb4_cleanup_proc(void *context) -{ - Authctxt *authctxt = (Authctxt *)context; - debug("krb4_cleanup_proc called"); - if (authctxt->krb4_ticket_file) { - (void) dest_tkt(); - xfree(authctxt->krb4_ticket_file); - authctxt->krb4_ticket_file = NULL; - } -} - -int -auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply) -{ - AUTH_DAT adat = {0}; - Key_schedule schedule; - struct sockaddr_in local, foreign; - char instance[INST_SZ]; - socklen_t slen; - u_int cksum; - int r, s; - - s = packet_get_connection_in(); - - slen = sizeof(local); - memset(&local, 0, sizeof(local)); - if (getsockname(s, (struct sockaddr *) & local, &slen) < 0) - debug("getsockname failed: %.100s", strerror(errno)); - slen = sizeof(foreign); - memset(&foreign, 0, sizeof(foreign)); - if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) { - debug("getpeername failed: %.100s", strerror(errno)); - fatal_cleanup(); - } - instance[0] = '*'; - instance[1] = 0; - - /* Get the encrypted request, challenge, and session key. */ - if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, - 0, &adat, ""))) { - debug("Kerberos v4 krb_rd_req: %.100s", krb_err_txt[r]); - return (0); - } - des_key_sched((des_cblock *) adat.session, schedule); - - *client = xmalloc(MAX_K_NAME_SZ); - (void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname, - *adat.pinst ? "." : "", adat.pinst, adat.prealm); - - /* Check ~/.klogin authorization now. */ - if (kuserok(&adat, authctxt->user) != KSUCCESS) { - logit("Kerberos v4 .klogin authorization failed for %s to " - "account %s", *client, authctxt->user); - xfree(*client); - *client = NULL; - return (0); - } - /* Increment the checksum, and return it encrypted with the - session key. */ - cksum = adat.checksum + 1; - cksum = htonl(cksum); - - /* If we can't successfully encrypt the checksum, we send back an - empty message, admitting our failure. */ - if ((r = krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1, - schedule, &adat.session, &local, &foreign)) < 0) { - debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]); - reply->dat[0] = 0; - reply->length = 0; - } else - reply->length = r; - - /* Clear session key. */ - memset(&adat.session, 0, sizeof(adat.session)); - return (1); -} -#endif /* KRB4 */ - -#ifdef AFS -int -auth_krb4_tgt(Authctxt *authctxt, const char *string) -{ - CREDENTIALS creds; - struct passwd *pw; - - if ((pw = authctxt->pw) == NULL) - goto failure; - - temporarily_use_uid(pw); - - if (!radix_to_creds(string, &creds)) { - logit("Protocol error decoding Kerberos v4 TGT"); - goto failure; - } - if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */ - strlcpy(creds.service, "krbtgt", sizeof creds.service); - - if (strcmp(creds.service, "krbtgt")) { - logit("Kerberos v4 TGT (%s%s%s@%s) rejected for %s", - creds.pname, creds.pinst[0] ? "." : "", creds.pinst, - creds.realm, pw->pw_name); - goto failure; - } - if (!krb4_init(authctxt)) - goto failure; - - if (in_tkt(creds.pname, creds.pinst) != KSUCCESS) - goto failure; - - if (save_credentials(creds.service, creds.instance, creds.realm, - creds.session, creds.lifetime, creds.kvno, &creds.ticket_st, - creds.issue_date) != KSUCCESS) { - debug("Kerberos v4 TGT refused: couldn't save credentials"); - goto failure; - } - /* Successful authentication, passed all checks. */ - chown(tkt_string(), pw->pw_uid, pw->pw_gid); - - debug("Kerberos v4 TGT accepted (%s%s%s@%s)", - creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm); - memset(&creds, 0, sizeof(creds)); - - restore_uid(); - - return (1); - - failure: - krb4_cleanup_proc(authctxt); - memset(&creds, 0, sizeof(creds)); - restore_uid(); - - return (0); -} - -int -auth_afs_token(Authctxt *authctxt, const char *token_string) -{ - CREDENTIALS creds; - struct passwd *pw; - uid_t uid; - - if ((pw = authctxt->pw) == NULL) - return (0); - - if (!radix_to_creds(token_string, &creds)) { - logit("Protocol error decoding AFS token"); - return (0); - } - if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */ - strlcpy(creds.service, "afs", sizeof creds.service); - - if (strncmp(creds.pname, "AFS ID ", 7) == 0) - uid = atoi(creds.pname + 7); - else - uid = pw->pw_uid; - - if (kafs_settoken(creds.realm, uid, &creds)) { - logit("AFS token (%s@%s) rejected for %s", - creds.pname, creds.realm, pw->pw_name); - memset(&creds, 0, sizeof(creds)); - return (0); - } - debug("AFS token accepted (%s@%s)", creds.pname, creds.realm); - memset(&creds, 0, sizeof(creds)); - - return (1); -} -#endif /* AFS */ diff --git a/auth-passwd.c b/auth-passwd.c index c0b7f725f..780e92344 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -36,7 +36,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $"); +RCSID("$OpenBSD: auth-passwd.c,v 1.28 2003/07/22 13:35:22 markus Exp $"); #include "packet.h" #include "log.h" @@ -131,14 +131,6 @@ auth_password(Authctxt *authctxt, const char *password) return (authsuccess); } # endif -# ifdef KRB4 - if (options.kerberos_authentication == 1) { - int ret = auth_krb4_password(authctxt, password); - if (ret == 1 || ret == 0) - return ret; - /* Fall back to ordinary passwd authentication. */ - } -# endif # ifdef BSD_AUTH if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh", (char *)password) == 0) diff --git a/auth.h b/auth.h index 776e4195c..1ed92e018 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.42 2003/04/16 14:35:27 markus Exp $ */ +/* $OpenBSD: auth.h,v 1.43 2003/07/22 13:35:22 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -60,9 +60,6 @@ struct Authctxt { #ifdef BSD_AUTH auth_session_t *as; #endif -#ifdef KRB4 - char *krb4_ticket_file; -#endif #ifdef KRB5 krb5_context krb5_ctx; krb5_auth_context krb5_auth_ctx; @@ -117,20 +114,6 @@ int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); int user_key_allowed(struct passwd *, Key *); -#ifdef KRB4 -#include -int auth_krb4(Authctxt *, KTEXT, char **, KTEXT); -int auth_krb4_password(Authctxt *, const char *); -void krb4_cleanup_proc(void *); - -#ifdef AFS -#include -int auth_krb4_tgt(Authctxt *, const char *); -int auth_afs_token(Authctxt *, const char *); -#endif /* AFS */ - -#endif /* KRB4 */ - #ifdef KRB5 int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *); int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt); diff --git a/auth1.c b/auth1.c index 6cb0b04b2..877e2e62d 100644 --- a/auth1.c +++ b/auth1.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.48 2003/04/08 20:21:28 itojun Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.49 2003/07/22 13:35:22 markus Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -49,7 +49,7 @@ get_authname(int type) case SSH_CMSG_AUTH_TIS: case SSH_CMSG_AUTH_TIS_RESPONSE: return "challenge-response"; -#if defined(KRB4) || defined(KRB5) +#ifdef KRB5 case SSH_CMSG_AUTH_KERBEROS: return "kerberos"; #endif @@ -81,7 +81,7 @@ do_authloop(Authctxt *authctxt) /* If the user has no password, accept authentication immediately. */ if (options.password_authentication && -#if defined(KRB4) || defined(KRB5) +#ifdef KRB5 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif PRIVSEP(auth_password(authctxt, ""))) { @@ -120,7 +120,7 @@ do_authloop(Authctxt *authctxt) /* Process the packet. */ switch (type) { -#if defined(KRB4) || defined(KRB5) +#ifdef KRB5 case SSH_CMSG_AUTH_KERBEROS: if (!options.kerberos_authentication) { verbose("Kerberos authentication disabled."); @@ -128,30 +128,7 @@ do_authloop(Authctxt *authctxt) char *kdata = packet_get_string(&dlen); packet_check_eom(); - if (kdata[0] == 4) { /* KRB_PROT_VERSION */ -#ifdef KRB4 - KTEXT_ST tkt, reply; - tkt.length = dlen; - if (tkt.length < MAX_KTXT_LEN) - memcpy(tkt.dat, kdata, tkt.length); - - if (PRIVSEP(auth_krb4(authctxt, &tkt, - &client_user, &reply))) { - authenticated = 1; - snprintf(info, sizeof(info), - " tktuser %.100s", - client_user); - - packet_start( - SSH_SMSG_AUTH_KERBEROS_RESPONSE); - packet_put_string((char *) - reply.dat, reply.length); - packet_send(); - packet_write_wait(); - } -#endif /* KRB4 */ - } else { -#ifdef KRB5 + if (kdata[0] != 4) { /* KRB_PROT_VERSION */ krb5_data tkt, reply; tkt.length = dlen; tkt.data = kdata; @@ -174,24 +151,14 @@ do_authloop(Authctxt *authctxt) if (reply.length) xfree(reply.data); } -#endif /* KRB5 */ } xfree(kdata); } break; -#endif /* KRB4 || KRB5 */ - -#if defined(AFS) || defined(KRB5) - /* XXX - punt on backward compatibility here. */ case SSH_CMSG_HAVE_KERBEROS_TGT: packet_send_debug("Kerberos TGT passing disabled before authentication."); break; -#ifdef AFS - case SSH_CMSG_HAVE_AFS_TOKEN: - packet_send_debug("AFS token passing disabled before authentication."); - break; -#endif /* AFS */ -#endif /* AFS || KRB5 */ +#endif case SSH_CMSG_AUTH_RHOSTS: if (!options.rhosts_authentication) { diff --git a/configure.ac b/configure.ac index 74909343d..68fa5c1f2 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.137 2003/07/23 04:33:10 dtucker Exp $ +# $Id: configure.ac,v 1.138 2003/08/02 12:24:49 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -54,7 +54,6 @@ fi # Check for some target-specific stuff case "$host" in *-*-aix*) - AFS_LIBS="-lld" CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" AC_MSG_CHECKING([how to specify blibpath for linker ($LD)]) @@ -1940,87 +1939,7 @@ AC_ARG_WITH(kerberos5, fi ] ) -# Check whether user wants Kerberos 4 support -KRB4_MSG="no" -AC_ARG_WITH(kerberos4, - [ --with-kerberos4=PATH Enable Kerberos 4 support], - [ - if test "x$withval" != "xno" ; then - if test "x$withval" != "xyes" ; then - CPPFLAGS="$CPPFLAGS -I${withval}/include" - LDFLAGS="$LDFLAGS -L${withval}/lib" - if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R${withval}/lib" - fi - if test ! -z "$blibpath" ; then - blibpath="$blibpath:${withval}/lib" - fi - else - if test -d /usr/include/kerberosIV ; then - CPPFLAGS="$CPPFLAGS -I/usr/include/kerberosIV" - fi - fi - - AC_CHECK_HEADERS(krb.h) - if test "$ac_cv_header_krb_h" != yes; then - AC_MSG_WARN([Cannot find krb.h, build may fail]) - fi - AC_CHECK_LIB(krb, main) - if test "$ac_cv_lib_krb_main" != yes; then - AC_CHECK_LIB(krb4, main) - if test "$ac_cv_lib_krb4_main" != yes; then - AC_MSG_WARN([Cannot find libkrb nor libkrb4, build may fail]) - else - KLIBS="-lkrb4" - fi - else - KLIBS="-lkrb" - fi - AC_CHECK_LIB(des, des_cbc_encrypt) - if test "$ac_cv_lib_des_des_cbc_encrypt" != yes; then - AC_CHECK_LIB(des425, des_cbc_encrypt) - if test "$ac_cv_lib_des425_des_cbc_encrypt" != yes; then - AC_MSG_WARN([Cannot find libdes nor libdes425, build may fail]) - else - KLIBS="-ldes425" - fi - else - KLIBS="-ldes" - fi - AC_CHECK_LIB(resolv, dn_expand, , ) - KRB4=yes - KRB4_MSG="yes" - AC_DEFINE(KRB4) - fi - ] -) - -# Check whether user wants AFS support -AFS_MSG="no" -AC_ARG_WITH(afs, - [ --with-afs=PATH Enable AFS support], - [ - if test "x$withval" != "xno" ; then - - if test "x$withval" != "xyes" ; then - CPPFLAGS="$CPPFLAGS -I${withval}/include" - LDFLAGS="$LDFLAGS -L${withval}/lib" - fi - - if test -z "$KRB4" ; then - AC_MSG_WARN([AFS requires Kerberos IV support, build may fail]) - fi - - LIBS="-lkafs $LIBS" - if test ! -z "$AFS_LIBS" ; then - LIBS="$LIBS $AFS_LIBS" - fi - AC_DEFINE(AFS) - AFS_MSG="yes" - fi - ] -) -LIBS="$LIBS $KLIBS $K5LIBS" +LIBS="$LIBS $K5LIBS" # Looking for programs, paths and files @@ -2648,10 +2567,8 @@ fi echo " Manpage format: $MANTYPE" echo " DNS support: $DNS_MSG" echo " PAM support: $PAM_MSG" -echo " KerberosIV support: $KRB4_MSG" echo " KerberosV support: $KRB5_MSG" echo " Smartcard support: $SCARD_MSG" -echo " AFS support: $AFS_MSG" echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" echo " MD5 password support: $MD5_MSG" diff --git a/monitor.c b/monitor.c index 3a8735f58..95fd0cf64 100644 --- a/monitor.c +++ b/monitor.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.44 2003/06/24 08:23:46 markus Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.45 2003/07/22 13:35:22 markus Exp $"); #include @@ -124,9 +124,6 @@ int mm_answer_pam_respond(int, Buffer *); int mm_answer_pam_free_ctx(int, Buffer *); #endif -#ifdef KRB4 -int mm_answer_krb4(int, Buffer *); -#endif #ifdef KRB5 int mm_answer_krb5(int, Buffer *); #endif @@ -222,9 +219,6 @@ struct mon_table mon_dispatch_proto15[] = { {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, #endif -#ifdef KRB4 - {MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4}, -#endif #ifdef KRB5 {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5}, #endif @@ -1428,52 +1422,6 @@ mm_answer_rsa_response(int socket, Buffer *m) return (success); } -#ifdef KRB4 -int -mm_answer_krb4(int socket, Buffer *m) -{ - KTEXT_ST auth, reply; - char *client, *p; - int success; - u_int alen; - - reply.length = auth.length = 0; - - p = buffer_get_string(m, &alen); - if (alen >= MAX_KTXT_LEN) - fatal("%s: auth too large", __func__); - memcpy(auth.dat, p, alen); - auth.length = alen; - memset(p, 0, alen); - xfree(p); - - success = options.kerberos_authentication && - authctxt->valid && - auth_krb4(authctxt, &auth, &client, &reply); - - memset(auth.dat, 0, alen); - buffer_clear(m); - buffer_put_int(m, success); - - if (success) { - buffer_put_cstring(m, client); - buffer_put_string(m, reply.dat, reply.length); - if (client) - xfree(client); - if (reply.length) - memset(reply.dat, 0, reply.length); - } - - debug3("%s: sending result %d", __func__, success); - mm_request_send(socket, MONITOR_ANS_KRB4, m); - - auth_method = "kerberos"; - - /* Causes monitor loop to terminate if authenticated */ - return (success); -} -#endif - #ifdef KRB5 int mm_answer_krb5(int socket, Buffer *m) diff --git a/monitor.h b/monitor.h index 97044cb87..7d86b4595 100644 --- a/monitor.h +++ b/monitor.h @@ -49,7 +49,6 @@ enum monitor_reqtype { MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED, MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, - MONITOR_REQ_KRB4, MONITOR_ANS_KRB4, MONITOR_REQ_KRB5, MONITOR_ANS_KRB5, MONITOR_REQ_PAM_START, MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, diff --git a/monitor_wrap.c b/monitor_wrap.c index 10a79c035..c7ba86ffc 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor_wrap.c,v 1.27 2003/06/28 16:23:06 deraadt Exp $"); +RCSID("$OpenBSD: monitor_wrap.c,v 1.28 2003/07/22 13:35:22 markus Exp $"); #include #include @@ -1043,42 +1043,6 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16]) return (success); } -#ifdef KRB4 -int -mm_auth_krb4(Authctxt *authctxt, void *_auth, char **client, void *_reply) -{ - KTEXT auth, reply; - Buffer m; - u_int rlen; - int success = 0; - char *p; - - debug3("%s entering", __func__); - auth = _auth; - reply = _reply; - - buffer_init(&m); - buffer_put_string(&m, auth->dat, auth->length); - - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB4, &m); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB4, &m); - - success = buffer_get_int(&m); - if (success) { - *client = buffer_get_string(&m, NULL); - p = buffer_get_string(&m, &rlen); - if (rlen >= MAX_KTXT_LEN) - fatal("%s: reply from monitor too large", __func__); - reply->length = rlen; - memcpy(reply->dat, p, rlen); - memset(p, 0, rlen); - xfree(p); - } - buffer_free(&m); - return (success); -} -#endif - #ifdef KRB5 int mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp) diff --git a/monitor_wrap.h b/monitor_wrap.h index d551c9d41..e0dd73bd0 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */ +/* $OpenBSD: monitor_wrap.h,v 1.9 2003/07/22 13:35:22 markus Exp $ */ /* * Copyright 2002 Niels Provos @@ -88,9 +88,6 @@ int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **); int mm_skey_respond(void *, u_int, char **); /* auth_krb */ -#ifdef KRB4 -int mm_auth_krb4(struct Authctxt *, void *, char **, void *); -#endif #ifdef KRB5 /* auth and reply are really krb5_data objects, but we don't want to * include all of the krb5 headers here */ diff --git a/radix.c b/radix.c deleted file mode 100644 index c680d6bf3..000000000 --- a/radix.c +++ /dev/null @@ -1,158 +0,0 @@ -/* - * Copyright (c) 1999 Dug Song. All rights reserved. - * Copyright (c) 2002 Markus Friedl. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "includes.h" -#include "uuencode.h" - -RCSID("$OpenBSD: radix.c,v 1.22 2002/09/09 14:54:15 markus Exp $"); - -#ifdef AFS -#include - -#include -#include "bufaux.h" - -int -creds_to_radix(CREDENTIALS *creds, u_char *buf, size_t buflen) -{ - Buffer b; - int ret; - - buffer_init(&b); - - buffer_put_char(&b, 1); /* version */ - - buffer_append(&b, creds->service, strlen(creds->service)); - buffer_put_char(&b, '\0'); - buffer_append(&b, creds->instance, strlen(creds->instance)); - buffer_put_char(&b, '\0'); - buffer_append(&b, creds->realm, strlen(creds->realm)); - buffer_put_char(&b, '\0'); - buffer_append(&b, creds->pname, strlen(creds->pname)); - buffer_put_char(&b, '\0'); - buffer_append(&b, creds->pinst, strlen(creds->pinst)); - buffer_put_char(&b, '\0'); - - /* Null string to repeat the realm. */ - buffer_put_char(&b, '\0'); - - buffer_put_int(&b, creds->issue_date); - buffer_put_int(&b, krb_life_to_time(creds->issue_date, - creds->lifetime)); - buffer_append(&b, creds->session, sizeof(creds->session)); - buffer_put_short(&b, creds->kvno); - - /* 32 bit size + data */ - buffer_put_string(&b, creds->ticket_st.dat, creds->ticket_st.length); - - ret = uuencode(buffer_ptr(&b), buffer_len(&b), (char *)buf, buflen); - - buffer_free(&b); - return ret; -} - -#define GETSTRING(b, t, tlen) \ - do { \ - int i, found = 0; \ - for (i = 0; i < tlen; i++) { \ - if (buffer_len(b) == 0) \ - goto done; \ - t[i] = buffer_get_char(b); \ - if (t[i] == '\0') { \ - found = 1; \ - break; \ - } \ - } \ - if (!found) \ - goto done; \ - } while(0) - -int -radix_to_creds(const char *buf, CREDENTIALS *creds) -{ - Buffer b; - u_char *space; - char c, version, *p; - u_int endTime, len; - int blen, ret; - - ret = 0; - blen = strlen(buf); - - /* sanity check for size */ - if (blen > 8192) - return 0; - - buffer_init(&b); - space = buffer_append_space(&b, blen); - - /* check version and length! */ - len = uudecode(buf, space, blen); - if (len < 1) - goto done; - - version = buffer_get_char(&b); - - GETSTRING(&b, creds->service, sizeof creds->service); - GETSTRING(&b, creds->instance, sizeof creds->instance); - GETSTRING(&b, creds->realm, sizeof creds->realm); - GETSTRING(&b, creds->pname, sizeof creds->pname); - GETSTRING(&b, creds->pinst, sizeof creds->pinst); - - if (buffer_len(&b) == 0) - goto done; - - /* Ignore possibly different realm. */ - while (buffer_len(&b) > 0 && (c = buffer_get_char(&b)) != '\0') - ; - - if (buffer_len(&b) == 0) - goto done; - - creds->issue_date = buffer_get_int(&b); - - endTime = buffer_get_int(&b); - creds->lifetime = krb_time_to_life(creds->issue_date, endTime); - - len = buffer_len(&b); - if (len < sizeof(creds->session)) - goto done; - memcpy(&creds->session, buffer_ptr(&b), sizeof(creds->session)); - buffer_consume(&b, sizeof(creds->session)); - - creds->kvno = buffer_get_short(&b); - - p = buffer_get_string(&b, &len); - if (len < 0 || len > sizeof(creds->ticket_st.dat)) - goto done; - memcpy(&creds->ticket_st.dat, p, len); - creds->ticket_st.length = len; - - ret = 1; -done: - buffer_free(&b); - return ret; -} -#endif /* AFS */ diff --git a/radix.h b/radix.h deleted file mode 100644 index e94e4acc6..000000000 --- a/radix.h +++ /dev/null @@ -1,28 +0,0 @@ -/* $OpenBSD: radix.h,v 1.4 2001/06/26 17:27:24 markus Exp $ */ - -/* - * Copyright (c) 1999 Dug Song. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -int creds_to_radix(CREDENTIALS *, u_char *, size_t); -int radix_to_creds(const char *, CREDENTIALS *); diff --git a/readconf.c b/readconf.c index 3c08f7638..332500e7c 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.114 2003/07/03 08:09:05 djm Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -94,7 +94,7 @@ typedef enum { oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication, oPasswordAuthentication, oRSAAuthentication, oChallengeResponseAuthentication, oXAuthLocation, - oKerberosAuthentication, oKerberosTgtPassing, oAFSTokenPassing, + oKerberosAuthentication, oKerberosTgtPassing, oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, @@ -134,18 +134,14 @@ static struct { { "challengeresponseauthentication", oChallengeResponseAuthentication }, { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ { "tisauthentication", oChallengeResponseAuthentication }, /* alias */ -#if defined(KRB4) || defined(KRB5) +#ifdef KRB5 { "kerberosauthentication", oKerberosAuthentication }, { "kerberostgtpassing", oKerberosTgtPassing }, #else { "kerberosauthentication", oUnsupported }, { "kerberostgtpassing", oUnsupported }, #endif -#if defined(AFS) - { "afstokenpassing", oAFSTokenPassing }, -#else { "afstokenpassing", oUnsupported }, -#endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, { "identityfile", oIdentityFile }, @@ -399,10 +395,6 @@ parse_flag: intptr = &options->kerberos_tgt_passing; goto parse_flag; - case oAFSTokenPassing: - intptr = &options->afs_token_passing; - goto parse_flag; - case oBatchMode: intptr = &options->batch_mode; goto parse_flag; @@ -828,7 +820,6 @@ initialize_options(Options * options) options->challenge_response_authentication = -1; options->kerberos_authentication = -1; options->kerberos_tgt_passing = -1; - options->afs_token_passing = -1; options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; @@ -905,8 +896,6 @@ fill_default_options(Options * options) options->kerberos_authentication = 1; if (options->kerberos_tgt_passing == -1) options->kerberos_tgt_passing = 1; - if (options->afs_token_passing == -1) - options->afs_token_passing = 1; if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) diff --git a/readconf.h b/readconf.h index 4e0b74318..cc94253e6 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.51 2003/07/03 08:09:06 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.52 2003/07/22 13:35:22 markus Exp $ */ /* * Author: Tatu Ylonen @@ -43,7 +43,6 @@ typedef struct { /* Try S/Key or TIS, authentication. */ int kerberos_authentication; /* Try Kerberos authentication. */ int kerberos_tgt_passing; /* Try Kerberos TGT passing. */ - int afs_token_passing; /* Try AFS token passing. */ int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ diff --git a/servconf.c b/servconf.c index 6df2a255b..c4b2bb284 100644 --- a/servconf.c +++ b/servconf.c @@ -10,15 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.122 2003/06/02 09:17:34 markus Exp $"); - -#if defined(KRB4) -#include -#endif - -#ifdef AFS -#include -#endif +RCSID("$OpenBSD: servconf.c,v 1.123 2003/07/22 13:35:22 markus Exp $"); #include "ssh.h" #include "log.h" @@ -82,7 +74,6 @@ initialize_server_options(ServerOptions *options) options->kerberos_or_local_passwd = -1; options->kerberos_ticket_cleanup = -1; options->kerberos_tgt_passing = -1; - options->afs_token_passing = -1; options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; @@ -194,8 +185,6 @@ fill_default_server_options(ServerOptions *options) options->kerberos_ticket_cleanup = 1; if (options->kerberos_tgt_passing == -1) options->kerberos_tgt_passing = 0; - if (options->afs_token_passing == -1) - options->afs_token_passing = 0; if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) @@ -261,7 +250,7 @@ typedef enum { sPermitRootLogin, sLogFacility, sLogLevel, sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, - sKerberosTgtPassing, sAFSTokenPassing, sChallengeResponseAuthentication, + sKerberosTgtPassing, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, @@ -306,7 +295,7 @@ static struct { { "rsaauthentication", sRSAAuthentication }, { "pubkeyauthentication", sPubkeyAuthentication }, { "dsaauthentication", sPubkeyAuthentication }, /* alias */ -#if defined(KRB4) || defined(KRB5) +#ifdef KRB5 { "kerberosauthentication", sKerberosAuthentication }, { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, { "kerberosticketcleanup", sKerberosTicketCleanup }, @@ -317,11 +306,7 @@ static struct { { "kerberosticketcleanup", sUnsupported }, { "kerberostgtpassing", sUnsupported }, #endif -#if defined(AFS) - { "afstokenpassing", sAFSTokenPassing }, -#else { "afstokenpassing", sUnsupported }, -#endif { "passwordauthentication", sPasswordAuthentication }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, { "challengeresponseauthentication", sChallengeResponseAuthentication }, @@ -644,10 +629,6 @@ parse_flag: intptr = &options->kerberos_tgt_passing; goto parse_flag; - case sAFSTokenPassing: - intptr = &options->afs_token_passing; - goto parse_flag; - case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; diff --git a/servconf.h b/servconf.h index b676f2b67..65ad2071a 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.61 2003/06/02 09:17:34 markus Exp $ */ +/* $OpenBSD: servconf.h,v 1.62 2003/07/22 13:35:22 markus Exp $ */ /* * Author: Tatu Ylonen @@ -84,7 +84,6 @@ typedef struct { * file on logout. */ int kerberos_tgt_passing; /* If true, permit Kerberos TGT * passing. */ - int afs_token_passing; /* If true, permit AFS token passing. */ int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ diff --git a/session.c b/session.c index 4b443831b..7a064ad50 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.158 2003/06/02 09:17:34 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.159 2003/07/22 13:35:22 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -222,10 +222,6 @@ do_authenticated(Authctxt *authctxt) /* remove agent socket */ if (auth_sock_name != NULL) auth_sock_cleanup_proc(authctxt->pw); -#ifdef KRB4 - if (options.kerberos_ticket_cleanup) - krb4_cleanup_proc(authctxt); -#endif #ifdef KRB5 if (options.kerberos_ticket_cleanup) krb5_cleanup_proc(authctxt); @@ -338,7 +334,7 @@ do_authenticated1(Authctxt *authctxt) success = 1; break; -#if defined(AFS) || defined(KRB5) +#ifdef KRB5 case SSH_CMSG_HAVE_KERBEROS_TGT: if (!options.kerberos_tgt_passing) { verbose("Kerberos TGT passing disabled."); @@ -346,9 +342,8 @@ do_authenticated1(Authctxt *authctxt) char *kdata = packet_get_string(&dlen); packet_check_eom(); - /* XXX - 0x41, see creds_to_radix version */ + /* XXX - 0x41, used for AFS */ if (kdata[0] != 0x41) { -#ifdef KRB5 krb5_data tgt; tgt.data = kdata; tgt.length = dlen; @@ -357,38 +352,11 @@ do_authenticated1(Authctxt *authctxt) success = 1; else verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user); -#endif /* KRB5 */ - } else { -#ifdef AFS - if (auth_krb4_tgt(s->authctxt, kdata)) - success = 1; - else - verbose("Kerberos v4 TGT refused for %.100s", s->authctxt->user); -#endif /* AFS */ } xfree(kdata); } break; -#endif /* AFS || KRB5 */ - -#ifdef AFS - case SSH_CMSG_HAVE_AFS_TOKEN: - if (!options.afs_token_passing || !k_hasafs()) { - verbose("AFS token passing disabled."); - } else { - /* Accept AFS token. */ - char *token = packet_get_string(&dlen); - packet_check_eom(); - - if (auth_afs_token(s->authctxt, token)) - success = 1; - else - verbose("AFS token refused for %.100s", - s->authctxt->user); - xfree(token); - } - break; -#endif /* AFS */ +#endif case SSH_CMSG_EXEC_SHELL: case SSH_CMSG_EXEC_CMD: @@ -1066,11 +1034,6 @@ do_setup_env(Session *s, const char *shell) read_environment_file(&env, &envsize, "/etc/environment"); } #endif -#ifdef KRB4 - if (s->authctxt->krb4_ticket_file) - child_set_env(&env, &envsize, "KRBTKFILE", - s->authctxt->krb4_ticket_file); -#endif #ifdef KRB5 if (s->authctxt->krb5_ticket_file) child_set_env(&env, &envsize, "KRB5CCNAME", @@ -1396,18 +1359,6 @@ do_child(Session *s, const char *command) */ environ = env; -#ifdef AFS - /* Try to get AFS tokens for the local cell. */ - if (k_hasafs()) { - char cell[64]; - - if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0) - krb_afslog(cell, 0); - - krb_afslog(0, 0); - } -#endif /* AFS */ - /* Change current directory to the user\'s home directory. */ if (chdir(pw->pw_dir) < 0) { fprintf(stderr, "Could not chdir to home directory %s: %s\n", diff --git a/ssh.1 b/ssh.1 index 8a7d2f428..c81cb42c6 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.174 2003/07/02 14:51:16 markus Exp $ +.\" $OpenBSD: ssh.1,v 1.175 2003/07/22 13:35:22 markus Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -494,7 +494,7 @@ The argument is the device should use to communicate with a smartcard used for storing the user's private RSA key. .It Fl k -Disables forwarding of Kerberos tickets and AFS tokens. +Disables forwarding of Kerberos tickets. This may also be specified on a per-host basis in the configuration file. .It Fl l Ar login_name Specifies the user to log in as on the remote machine. diff --git a/ssh.c b/ssh.c index 2bcd5871e..82b40193d 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.197 2003/07/16 10:34:53 markus Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.198 2003/07/22 13:35:22 markus Exp $"); #include #include @@ -154,9 +154,7 @@ usage(void) _PATH_SSH_USER_CONFFILE); fprintf(stderr, " -A Enable authentication agent forwarding.\n"); fprintf(stderr, " -a Disable authentication agent forwarding (default).\n"); -#ifdef AFS - fprintf(stderr, " -k Disable Kerberos ticket and AFS token forwarding.\n"); -#endif /* AFS */ + fprintf(stderr, " -k Disable Kerberos ticket forwarding.\n"); fprintf(stderr, " -X Enable X11 connection forwarding.\n"); fprintf(stderr, " -x Disable X11 connection forwarding (default).\n"); fprintf(stderr, " -i file Identity for public key authentication " @@ -306,12 +304,9 @@ again: case 'A': options.forward_agent = 1; break; -#ifdef AFS case 'k': options.kerberos_tgt_passing = 0; - options.afs_token_passing = 0; break; -#endif case 'i': if (stat(optarg, &st) < 0) { fprintf(stderr, "Warning: Identity file %s " diff --git a/ssh.h b/ssh.h index 25a9213f3..607621769 100644 --- a/ssh.h +++ b/ssh.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.h,v 1.72 2003/06/28 16:23:06 deraadt Exp $ */ +/* $OpenBSD: ssh.h,v 1.73 2003/07/22 13:35:22 markus Exp $ */ /* * Author: Tatu Ylonen @@ -88,9 +88,6 @@ */ #define SSH_SESSION_KEY_LENGTH 32 -/* Name of Kerberos service for SSH to use. */ -#define KRB4_SERVICE_NAME "rcmd" - /* Used to identify ``EscapeChar none'' */ #define SSH_ESCAPECHAR_NONE -2 diff --git a/ssh_config.5 b/ssh_config.5 index 79d05f018..3a79af8f0 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.15 2003/07/02 14:51:16 markus Exp $ +.\" $OpenBSD: ssh_config.5,v 1.16 2003/07/22 13:35:22 markus Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -123,13 +123,6 @@ Valid arguments are (Use IPv4 only) or .Dq inet6 (Use IPv6 only.) -.It Cm AFSTokenPassing -Specifies whether to pass AFS tokens to remote host. -The argument to this keyword must be -.Dq yes -or -.Dq no . -This option applies to protocol version 1 only. .It Cm BatchMode If set to .Dq yes , @@ -410,7 +403,6 @@ or .Dq no . .It Cm KerberosTgtPassing Specifies whether a Kerberos TGT will be forwarded to the server. -This will only work if the Kerberos server is actually an AFS kaserver. The argument to this keyword must be .Dq yes or diff --git a/sshconnect1.c b/sshconnect1.c index 2a822a98f..8851c35f6 100644 --- a/sshconnect1.c +++ b/sshconnect1.c @@ -13,24 +13,17 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect1.c,v 1.53 2003/04/08 20:21:29 itojun Exp $"); +RCSID("$OpenBSD: sshconnect1.c,v 1.54 2003/07/22 13:35:22 markus Exp $"); #include #include -#ifdef KRB4 -#include -#endif #ifdef KRB5 #include #ifndef HEIMDAL #define krb5_get_err_text(context,code) error_message(code) #endif /* !HEIMDAL */ #endif -#ifdef AFS -#include -#include "radix.h" -#endif #include "ssh.h" #include "ssh1.h" @@ -380,128 +373,6 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key) return 0; } -#ifdef KRB4 -static int -try_krb4_authentication(void) -{ - KTEXT_ST auth; /* Kerberos data */ - char *reply; - char inst[INST_SZ]; - char *realm; - CREDENTIALS cred; - int r, type; - socklen_t slen; - Key_schedule schedule; - u_long checksum, cksum; - MSG_DAT msg_data; - struct sockaddr_in local, foreign; - struct stat st; - - /* Don't do anything if we don't have any tickets. */ - if (stat(tkt_string(), &st) < 0) - return 0; - - strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)), - INST_SZ); - - realm = (char *)krb_realmofhost(get_canonical_hostname(1)); - if (!realm) { - debug("Kerberos v4: no realm for %s", get_canonical_hostname(1)); - return 0; - } - /* This can really be anything. */ - checksum = (u_long)getpid(); - - r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum); - if (r != KSUCCESS) { - debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]); - return 0; - } - /* Get session key to decrypt the server's reply with. */ - r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred); - if (r != KSUCCESS) { - debug("get_cred failed: %s", krb_err_txt[r]); - return 0; - } - des_key_sched((des_cblock *) cred.session, schedule); - - /* Send authentication info to server. */ - packet_start(SSH_CMSG_AUTH_KERBEROS); - packet_put_string((char *) auth.dat, auth.length); - packet_send(); - packet_write_wait(); - - /* Zero the buffer. */ - (void) memset(auth.dat, 0, MAX_KTXT_LEN); - - slen = sizeof(local); - memset(&local, 0, sizeof(local)); - if (getsockname(packet_get_connection_in(), - (struct sockaddr *)&local, &slen) < 0) - debug("getsockname failed: %s", strerror(errno)); - - slen = sizeof(foreign); - memset(&foreign, 0, sizeof(foreign)); - if (getpeername(packet_get_connection_in(), - (struct sockaddr *)&foreign, &slen) < 0) { - debug("getpeername failed: %s", strerror(errno)); - fatal_cleanup(); - } - /* Get server reply. */ - type = packet_read(); - switch (type) { - case SSH_SMSG_FAILURE: - /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */ - debug("Kerberos v4 authentication failed."); - return 0; - break; - - case SSH_SMSG_AUTH_KERBEROS_RESPONSE: - /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */ - debug("Kerberos v4 authentication accepted."); - - /* Get server's response. */ - reply = packet_get_string((u_int *) &auth.length); - if (auth.length >= MAX_KTXT_LEN) - fatal("Kerberos v4: Malformed response from server"); - memcpy(auth.dat, reply, auth.length); - xfree(reply); - - packet_check_eom(); - - /* - * If his response isn't properly encrypted with the session - * key, and the decrypted checksum fails to match, he's - * bogus. Bail out. - */ - r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session, - &foreign, &local, &msg_data); - if (r != KSUCCESS) { - debug("Kerberos v4 krb_rd_priv failed: %s", - krb_err_txt[r]); - packet_disconnect("Kerberos v4 challenge failed!"); - } - /* Fetch the (incremented) checksum that we supplied in the request. */ - memcpy((char *)&cksum, (char *)msg_data.app_data, - sizeof(cksum)); - cksum = ntohl(cksum); - - /* If it matches, we're golden. */ - if (cksum == checksum + 1) { - debug("Kerberos v4 challenge successful."); - return 1; - } else - packet_disconnect("Kerberos v4 challenge failed!"); - break; - - default: - packet_disconnect("Protocol error on Kerberos v4 response: %d", type); - } - return 0; -} - -#endif /* KRB4 */ - #ifdef KRB5 static int try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context) @@ -729,129 +600,6 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context) } #endif /* KRB5 */ -#ifdef AFS -static void -send_krb4_tgt(void) -{ - CREDENTIALS *creds; - struct stat st; - char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; - int problem, type; - - /* Don't do anything if we don't have any tickets. */ - if (stat(tkt_string(), &st) < 0) - return; - - creds = xmalloc(sizeof(*creds)); - - problem = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm); - if (problem) - goto out; - - problem = krb_get_cred("krbtgt", prealm, prealm, creds); - if (problem) - goto out; - - if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) { - problem = RD_AP_EXP; - goto out; - } - creds_to_radix(creds, (u_char *)buffer, sizeof(buffer)); - - packet_start(SSH_CMSG_HAVE_KERBEROS_TGT); - packet_put_cstring(buffer); - packet_send(); - packet_write_wait(); - - type = packet_read(); - - if (type == SSH_SMSG_SUCCESS) - debug("Kerberos v4 TGT forwarded (%s%s%s@%s).", - creds->pname, creds->pinst[0] ? "." : "", - creds->pinst, creds->realm); - else - debug("Kerberos v4 TGT rejected."); - - xfree(creds); - return; - - out: - debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]); - xfree(creds); -} - -static void -send_afs_tokens(void) -{ - CREDENTIALS creds; - struct ViceIoctl parms; - struct ClearToken ct; - int i, type, len; - char buf[2048], *p, *server_cell; - char buffer[8192]; - - /* Move over ktc_GetToken, here's something leaner. */ - for (i = 0; i < 100; i++) { /* just in case */ - parms.in = (char *) &i; - parms.in_size = sizeof(i); - parms.out = buf; - parms.out_size = sizeof(buf); - if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0) - break; - p = buf; - - /* Get secret token. */ - memcpy(&creds.ticket_st.length, p, sizeof(u_int)); - if (creds.ticket_st.length > MAX_KTXT_LEN) - break; - p += sizeof(u_int); - memcpy(creds.ticket_st.dat, p, creds.ticket_st.length); - p += creds.ticket_st.length; - - /* Get clear token. */ - memcpy(&len, p, sizeof(len)); - if (len != sizeof(struct ClearToken)) - break; - p += sizeof(len); - memcpy(&ct, p, len); - p += len; - p += sizeof(len); /* primary flag */ - server_cell = p; - - /* Flesh out our credentials. */ - strlcpy(creds.service, "afs", sizeof(creds.service)); - creds.instance[0] = '\0'; - strlcpy(creds.realm, server_cell, REALM_SZ); - memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ); - creds.issue_date = ct.BeginTimestamp; - creds.lifetime = krb_time_to_life(creds.issue_date, - ct.EndTimestamp); - creds.kvno = ct.AuthHandle; - snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId); - creds.pinst[0] = '\0'; - - /* Encode token, ship it off. */ - if (creds_to_radix(&creds, (u_char *)buffer, - sizeof(buffer)) <= 0) - break; - packet_start(SSH_CMSG_HAVE_AFS_TOKEN); - packet_put_cstring(buffer); - packet_send(); - packet_write_wait(); - - /* Roger, Roger. Clearance, Clarence. What's your vector, - Victor? */ - type = packet_read(); - - if (type == SSH_SMSG_FAILURE) - debug("AFS token for cell %s rejected.", server_cell); - else if (type != SSH_SMSG_SUCCESS) - packet_disconnect("Protocol error on AFS token response: %d", type); - } -} - -#endif /* AFS */ - /* * Tries to authenticate with any string-based challenge/response system. * Note that the client code is not tied to s/key or TIS. @@ -1183,21 +931,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host, } #endif /* KRB5 */ -#ifdef KRB4 - if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && - options.kerberos_authentication) { - debug("Trying Kerberos v4 authentication."); - - if (try_krb4_authentication()) { - type = packet_read(); - if (type == SSH_SMSG_SUCCESS) - goto success; - if (type != SSH_SMSG_FAILURE) - packet_disconnect("Protocol error: got %d in response to Kerberos v4 auth", type); - } - } -#endif /* KRB4 */ - /* * Use rhosts authentication if running in privileged socket and we * do not wish to remain anonymous. @@ -1284,23 +1017,5 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host, if (context) krb5_free_context(context); #endif - -#ifdef AFS - /* Try Kerberos v4 TGT passing if the server supports it. */ - if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) && - options.kerberos_tgt_passing) { - if (options.cipher == SSH_CIPHER_NONE) - logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); - send_krb4_tgt(); - } - /* Try AFS token passing if the server supports it. */ - if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) && - options.afs_token_passing && k_hasafs()) { - if (options.cipher == SSH_CIPHER_NONE) - logit("WARNING: Encryption is disabled! Token will be transmitted in the clear!"); - send_afs_tokens(); - } -#endif /* AFS */ - return; /* need statement after label */ } diff --git a/sshd.c b/sshd.c index a8cb966b0..896e56c76 100644 --- a/sshd.c +++ b/sshd.c @@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.273 2003/07/16 10:34:53 markus Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.274 2003/07/22 13:35:22 markus Exp $"); #include #include @@ -1476,20 +1476,13 @@ main(int ac, char **av) "originating port %d not trusted.", remote_port); options.rhosts_authentication = 0; } -#if defined(KRB4) && !defined(KRB5) +#ifdef KRB5 if (!packet_connection_is_ipv4() && options.kerberos_authentication) { debug("Kerberos Authentication disabled, only available for IPv4."); options.kerberos_authentication = 0; } -#endif /* KRB4 && !KRB5 */ -#ifdef AFS - /* If machine has AFS, set process authentication group. */ - if (k_hasafs()) { - k_setpag(); - k_unlog(); - } -#endif /* AFS */ +#endif packet_set_nonblocking(); @@ -1656,17 +1649,11 @@ do_ssh1_kex(void) auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA; if (options.rsa_authentication) auth_mask |= 1 << SSH_AUTH_RSA; -#if defined(KRB4) || defined(KRB5) +#ifdef KRB5 if (options.kerberos_authentication) auth_mask |= 1 << SSH_AUTH_KERBEROS; -#endif -#if defined(AFS) || defined(KRB5) if (options.kerberos_tgt_passing) auth_mask |= 1 << SSH_PASS_KERBEROS_TGT; -#endif -#ifdef AFS - if (options.afs_token_passing) - auth_mask |= 1 << SSH_PASS_AFS_TOKEN; #endif if (options.challenge_response_authentication == 1) auth_mask |= 1 << SSH_AUTH_TIS; diff --git a/sshd_config.5 b/sshd_config.5 index dfd3565a6..223ff8aae 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.20 2003/06/20 05:47:58 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.21 2003/07/22 13:35:22 markus Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -61,10 +61,6 @@ The possible keywords and their meanings are as follows (note that keywords are case-insensitive and arguments are case-sensitive): .Bl -tag -width Ds -.It Cm AFSTokenPassing -Specifies whether an AFS token may be forwarded to the server. -Default is -.Dq no . .It Cm AllowGroups This keyword can be followed by a list of group name patterns, separated by spaces. @@ -327,8 +323,7 @@ Default is .It Cm KerberosTgtPassing Specifies whether a Kerberos TGT may be forwarded to the server. Default is -.Dq no , -as this only works when the Kerberos KDC is actually an AFS kaserver. +.Dq no . .It Cm KerberosTicketCleanup Specifies whether to automatically destroy the user's ticket cache file on logout. -- cgit v1.2.3