From 1b0de9a04127eeec9a5352abd16113bb8faa494c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 26 May 2005 12:01:22 +1000 Subject: - dtucker@cvs.openbsd.org 2005/04/06 12:26:06 [ssh.c] Fix debug call for port forwards; patch from pete at seebeyond.com, ok djm@ (ID sync only - change already in portable) --- ssh.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'ssh.c') diff --git a/ssh.c b/ssh.c index 1f19229b7..cff54b9d6 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.234 2005/03/10 22:01:06 deraadt Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.235 2005/04/06 12:26:06 dtucker Exp $"); #include #include -- cgit v1.2.3 From ddee575b988e1f4858abfff0aca13d7ba016f2e4 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 26 May 2005 12:05:05 +1000 Subject: - djm@cvs.openbsd.org 2005/04/21 11:47:19 [ssh.c] don't allocate a pty when -n flag (/dev/null stdin) is set, patch from ignasi.roca AT fujitsu-siemens.com (bz #829); ok dtucker@ --- ChangeLog | 6 +++++- ssh.c | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index b9d6de72d..68790ca14 100644 --- a/ChangeLog +++ b/ChangeLog @@ -27,6 +27,10 @@ [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8] [sshd_config.5] OpenSSH doesn't ever look at the $HOME environment variable, so don't say that we do (bz #623); ok deraadt@ + - djm@cvs.openbsd.org 2005/04/21 11:47:19 + [ssh.c] + don't allocate a pty when -n flag (/dev/null stdin) is set, patch from + ignasi.roca AT fujitsu-siemens.com (bz #829); ok dtucker@ 20050524 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] @@ -2526,4 +2530,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3768 2005/05/26 02:04:02 djm Exp $ +$Id: ChangeLog,v 1.3769 2005/05/26 02:05:05 djm Exp $ 
diff --git a/ssh.c b/ssh.c index cff54b9d6..add697ae0 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.235 2005/04/06 12:26:06 dtucker Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.236 2005/04/21 11:47:19 djm Exp $"); #include #include @@ -550,7 +550,7 @@ again: if (no_tty_flag) tty_flag = 0; /* Do not allocate a tty if stdin is not a tty. */ - if (!isatty(fileno(stdin)) && !force_tty_flag) { + if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) { if (tty_flag) logit("Pseudo-terminal will not be allocated because stdin is not a terminal."); tty_flag = 0; -- cgit v1.2.3 From dadfd4dd3862df5cebae2f2dc9b7f112321fa85e Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 26 May 2005 12:07:13 +1000 Subject: - jakob@cvs.openbsd.org 2005/04/26 13:08:37 [ssh.c ssh_config.5] fallback gracefully if client cannot connect to ControlPath. ok djm@ --- ChangeLog | 5 ++++- ssh.c | 29 ++++++++++++++++------------- ssh_config.5 | 7 ++++++- 3 files changed, 26 insertions(+), 15 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index 9cc00405f..90eaf2d8b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -38,6 +38,9 @@ - jmc@cvs.openbsd.org 2005/04/26 12:59:02 [sftp-client.h] spelling correction in comment from wiz@netbsd; + - jakob@cvs.openbsd.org 2005/04/26 13:08:37 + [ssh.c ssh_config.5] + fallback gracefully if client cannot connect to ControlPath. ok djm@ 20050524 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] @@ -2537,4 +2540,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3771 2005/05/26 02:05:49 djm Exp $ +$Id: ChangeLog,v 1.3772 2005/05/26 02:07:13 djm Exp $ diff --git a/ssh.c b/ssh.c index add697ae0..2bdc7ab91 100644 --- a/ssh.c +++ b/ssh.c 
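Review bot: The logit() text two lines below the changed condition still says the pseudo-terminal is refused "because stdin is not a terminal", which is misleading when the new `stdin_null_flag` test is what fires: with -n stdin may well be a terminal that is about to be replaced by /dev/null. The comment above the condition should at least cover the new case, e.g. `/* Do not allocate a tty if stdin is not a tty, or if -n redirects it from /dev/null. */`, and the message could mention -n as a second reason. The enclosing function (the `again:` label suggests main()) starts and ends outside this hunk.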
@@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.236 2005/04/21 11:47:19 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.237 2005/04/26 13:08:37 jakob Exp $"); #include #include @@ -613,7 +613,7 @@ again: options.control_path, original_real_uid); } if (options.control_path != NULL && options.control_master == 0) - control_client(options.control_path); /* This doesn't return */ + control_client(options.control_path); /* Open a connection to the remote host. */ if (ssh_connect(host, &hostaddr, options.port, @@ -1290,15 +1290,6 @@ control_client(const char *path) extern char **environ; u_int flags; - if (stdin_null_flag) { - if ((fd = open(_PATH_DEVNULL, O_RDONLY)) == -1) - fatal("open(/dev/null): %s", strerror(errno)); - if (dup2(fd, STDIN_FILENO) == -1) - fatal("dup2: %s", strerror(errno)); - if (fd > STDERR_FILENO) - close(fd); - } - memset(&addr, '\0', sizeof(addr)); addr.sun_family = AF_UNIX; addr_len = offsetof(struct sockaddr_un, sun_path) + @@ -1311,8 +1302,20 @@ control_client(const char *path) if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) fatal("%s socket(): %s", __func__, strerror(errno)); - if (connect(sock, (struct sockaddr*)&addr, addr_len) == -1) - fatal("Couldn't connect to %s: %s", path, strerror(errno)); + if (connect(sock, (struct sockaddr*)&addr, addr_len) == -1) { + debug("Couldn't connect to %s: %s", path, strerror(errno)); + close(sock); + return; + } + + if (stdin_null_flag) { + if ((fd = open(_PATH_DEVNULL, O_RDONLY)) == -1) + fatal("open(/dev/null): %s", strerror(errno)); + if (dup2(fd, STDIN_FILENO) == -1) + fatal("dup2: %s", strerror(errno)); + if (fd > STDERR_FILENO) + close(fd); + } if ((term = getenv("TERM")) == NULL) term = ""; diff --git a/ssh_config.5 b/ssh_config.5 index 7e48fa65b..d98246aa4 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
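Review bot: In the connect() failure branch of control_client (hunk at -1311), every errno is downgraded to debug() and the function returns, so the caller silently opens an ordinary unmultiplexed connection; a stale socket file (ECONNREFUSED) or one the user cannot access (EACCES) therefore goes unnoticed at the default log level even though the master was configured explicitly. Only ENOENT is the genuinely expected case here, and the other errors deserve error() so the fallback is visible (a later commit in this series, 2005/05/10 10:30:43, makes that distinction). The hunk at -613 drops the `/* This doesn't return */` comment without replacing it; a note at the call site such as `/* Returns if the master socket cannot be reached; we then fall through to a direct connection. */` keeps the new contract visible. control_client's declarations and header comment lie above the hunk.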
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.50 2005/04/21 06:17:50 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.51 2005/04/26 13:08:37 jakob Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -270,6 +270,11 @@ to listen for control connections, but require confirmation using the program before they are accepted (see .Xr ssh-add 1 for details). +If the +.Cm ControlPath +can not be opened, +.Nm ssh +will continue without connecting to a master instance. .It Cm ControlPath Specify the path to the control socket used for connection sharing. See -- cgit v1.2.3 From 924c25a64e063cf37eeeb3e5e5c0fa9a523435ff Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 26 May 2005 12:09:32 +1000 Subject: - djm@cvs.openbsd.org 2005/05/10 10:28:11 [ssh.c] print nice error message for EADDRINUSE as well (ID sync only) --- ChangeLog | 5 ++++- ssh.c | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index 3a21b12d1..089af477f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -47,6 +47,9 @@ - markus@cvs.openbsd.org 2005/05/02 21:13:22 [readpass.c] missing {} + - djm@cvs.openbsd.org 2005/05/10 10:28:11 + [ssh.c] + print nice error message for EADDRINUSE as well (ID sync only) 20050524 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] @@ -2546,4 +2549,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3774 2005/05/26 02:07:47 djm Exp $ +$Id: ChangeLog,v 1.3775 2005/05/26 02:09:32 djm Exp $ diff --git a/ssh.c b/ssh.c index 2bdc7ab91..88bb308ae 100644 --- a/ssh.c +++ b/ssh.c 
@@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.237 2005/04/26 13:08:37 jakob Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.238 2005/05/10 10:28:11 djm Exp $"); #include #include -- cgit v1.2.3 From 538c9b71ecb11669053271ff95d7ce8a6d40294f Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 26 May 2005 12:11:28 +1000 Subject: - djm@cvs.openbsd.org 2005/05/10 10:30:43 [ssh.c] report real errors on fallback from ControlMaster=no to normal connect --- ChangeLog | 5 ++++- ssh.c | 9 +++++++-- 2 files changed, 11 insertions(+), 3 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index 089af477f..a84287c81 100644 --- a/ChangeLog +++ b/ChangeLog @@ -50,6 +50,9 @@ - djm@cvs.openbsd.org 2005/05/10 10:28:11 [ssh.c] print nice error message for EADDRINUSE as well (ID sync only) + - djm@cvs.openbsd.org 2005/05/10 10:30:43 + [ssh.c] + report real errors on fallback from ControlMaster=no to normal connect 20050524 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] @@ -2549,4 +2552,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3775 2005/05/26 02:09:32 djm Exp $ +$Id: ChangeLog,v 1.3776 2005/05/26 02:11:28 djm Exp $ diff --git a/ssh.c b/ssh.c index 88bb308ae..7754f581c 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.238 2005/05/10 10:28:11 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.239 2005/05/10 10:30:43 djm Exp $"); #include #include @@ -1303,7 +1303,12 @@ control_client(const char *path) fatal("%s socket(): %s", __func__, strerror(errno)); if (connect(sock, (struct sockaddr*)&addr, addr_len) == -1) { - debug("Couldn't connect to %s: %s", path, strerror(errno)); + if (errno == ENOENT) + debug("Control socket \"%.100s\" does not exist", path); + else { + error("Control socket connect(%.100s): %s", path, + strerror(errno)); + } close(sock); return; } -- cgit v1.2.3 
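Review bot: The errno split at the top of the connect() failure branch treats only ENOENT as quiet, so a socket file left behind by a crashed master (ECONNREFUSED) now produces an error() line on every ssh invocation until the user removes it, and neither message says that a direct connection is being attempted instead. A short comment would make the intent explicit, e.g. `/* A missing socket just means no master is running; anything else is reported, but we still fall back to a direct connection. */`. Since `strerror(errno)` is evaluated in the else branch with no intervening library call, errno is still the value set by connect(), which is correct. The remainder of control_client is outside the hunk.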
From 0814d3136f086a74c9d85ede5b6be2fd2bbab674 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 1 Jun 2005 23:08:51 +1000 Subject: - djm@cvs.openbsd.org 2005/05/27 08:30:37 [ssh.c] fix -O for cases where no ControlPath has been specified or socket at ControlPath is not contactable; spotted by and ok avsm@ --- ChangeLog | 6 +++++- ssh.c | 15 ++++++++++++--- 2 files changed, 17 insertions(+), 4 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index c4420926c..c3aef85c0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,10 @@ - dtucker@cvs.openbsd.org 2005/05/26 09:08:12 [ssh-keygen.c] uint32_t -> u_int32_t for consistency; ok djm@ + - djm@cvs.openbsd.org 2005/05/27 08:30:37 + [ssh.c] + fix -O for cases where no ControlPath has been specified or socket at + ControlPath is not contactable; spotted by and ok avsm@ 20050531 - (dtucker) [contrib/aix/pam.conf] Correct comments. From davidl at @@ -2661,4 +2665,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3806 2005/06/01 13:02:25 dtucker Exp $ +$Id: ChangeLog,v 1.3807 2005/06/01 13:08:51 dtucker Exp $ diff --git a/ssh.c b/ssh.c index 7754f581c..43ecbd924 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.239 2005/05/10 10:30:43 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.240 2005/05/27 08:30:37 djm Exp $"); #include #include @@ -145,7 +145,7 @@ pid_t proxy_command_pid = 0; int control_fd = -1; /* Multiplexing control command */ -static u_int mux_command = SSHMUX_COMMAND_OPEN; +static u_int mux_command = 0; /* Only used in control client mode */ volatile sig_atomic_t control_client_terminate = 0; 
@@ -612,8 +612,13 @@ again: options.control_path = tilde_expand_filename( options.control_path, original_real_uid); } - if (options.control_path != NULL && options.control_master == 0) + if (mux_command != 0 && options.control_path == NULL) + fatal("No ControlPath specified for \"-O\" command"); + if (options.control_path != NULL && options.control_master == 0) { + if (mux_command == 0) + mux_command = SSHMUX_COMMAND_OPEN; control_client(options.control_path); + } /* Open a connection to the remote host. */ if (ssh_connect(host, &hostaddr, options.port, @@ -1303,6 +1308,10 @@ control_client(const char *path) fatal("%s socket(): %s", __func__, strerror(errno)); if (connect(sock, (struct sockaddr*)&addr, addr_len) == -1) { + if (mux_command != SSHMUX_COMMAND_OPEN) { + fatal("Control socket connect(%.100s): %s", path, + strerror(errno)); + } if (errno == ENOENT) debug("Control socket \"%.100s\" does not exist", path); else { -- cgit v1.2.3 From 6476cad9bb6b8a9524a153639b4ebceb3427e743 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 16 Jun 2005 13:18:34 +1000 Subject: - djm@cvs.openbsd.org 2005/06/06 11:20:36 [auth.c auth.h misc.c misc.h ssh.c ssh_config.5 sshconnect.c] introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@ --- ChangeLog | 7 +++++-- auth.c | 59 +++++++++++++++++------------------------------------- auth.h | 3 +-- misc.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- misc.h | 3 ++- ssh.c | 10 +++++++--- ssh_config.5 | 15 ++++++++++---- sshconnect.c | 41 ++++++++++---------------------------- 8 files changed, 119 insertions(+), 84 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index 71e7beea0..b439cbecd 100644 --- a/ChangeLog +++ b/ChangeLog 
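Review bot: The `-O` handling in the hunk at -612 uses `mux_command == 0` to mean "no -O command given" (the initialiser in the hunk at -145 sets it so), which is only sound if no SSHMUX_COMMAND_* value is zero; nothing in the diff states that, so the initialiser deserves a comment such as `static u_int mux_command = 0; /* 0: no -O given; every SSHMUX_COMMAND_* value is non-zero */`. The unconditional `fatal("Control socket connect(%.100s): %s", ...)` added at -1303 for non-OPEN commands is the right call, since a -O check or exit request must never fall back to opening a fresh connection. The enclosing function of the -612 hunk starts and ends outside the hunk.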
@@ -3,7 +3,10 @@ - jaredy@cvs.openbsd.org 2005/06/07 13:25:23 [progressmeter.c] catch SIGWINCH and resize progress meter accordingly; ok markus dtucker - + - djm@cvs.openbsd.org 2005/06/06 11:20:36 + [auth.c auth.h misc.c misc.h ssh.c ssh_config.5 sshconnect.c] + introduce a generic %foo expansion function. replace existing % expansion + and add expansion to ControlPath; ok markus@ 20050609 - (dtucker) [cipher.c openbsd-compat/Makefile.in @@ -2699,4 +2702,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3816 2005/06/16 03:18:04 djm Exp $ +$Id: ChangeLog,v 1.3817 2005/06/16 03:18:34 djm Exp $ diff --git a/auth.c b/auth.c index 46b013137..68c2824fb 100644 --- a/auth.c +++ b/auth.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth.c,v 1.58 2005/03/14 11:44:42 dtucker Exp $"); +RCSID("$OpenBSD: auth.c,v 1.59 2005/06/06 11:20:36 djm Exp $"); #ifdef HAVE_LOGIN_H #include 
@@ -326,64 +326,41 @@ auth_root_allowed(char *method) * * This returns a buffer allocated by xmalloc. */ -char * -expand_filename(const char *filename, struct passwd *pw) +static char * +expand_authorized_keys(const char *filename, struct passwd *pw) { - Buffer buffer; - char *file; - const char *cp; + char *file, *ret; - /* - * Build the filename string in the buffer by making the appropriate - * substitutions to the given file name. - */ - buffer_init(&buffer); - for (cp = filename; *cp; cp++) { - if (cp[0] == '%' && cp[1] == '%') { - buffer_append(&buffer, "%", 1); - cp++; - continue; - } - if (cp[0] == '%' && cp[1] == 'h') { - buffer_append(&buffer, pw->pw_dir, strlen(pw->pw_dir)); - cp++; - continue; - } - if (cp[0] == '%' && cp[1] == 'u') { - buffer_append(&buffer, pw->pw_name, - strlen(pw->pw_name)); - cp++; - continue; - } - buffer_append(&buffer, cp, 1); - } - buffer_append(&buffer, "\0", 1); + file = percent_expand(filename, "h", pw->pw_dir, + "u", pw->pw_name, (char *)NULL); /* * Ensure that filename starts anchored. 
If not, be backward * compatible and prepend the '%h/' */ - file = xmalloc(MAXPATHLEN); - cp = buffer_ptr(&buffer); - if (*cp != '/') - snprintf(file, MAXPATHLEN, "%s/%s", pw->pw_dir, cp); - else - strlcpy(file, cp, MAXPATHLEN); + if (*file == '/') + return (file); + + ret = xmalloc(MAXPATHLEN); + if (strlcpy(ret, pw->pw_dir, MAXPATHLEN) >= MAXPATHLEN || + strlcat(ret, "/", MAXPATHLEN) >= MAXPATHLEN || + strlcat(ret, file, MAXPATHLEN) >= MAXPATHLEN) + fatal("expand_authorized_keys: path too long"); - buffer_free(&buffer); - return file; + xfree(file); + return (ret); } char * authorized_keys_file(struct passwd *pw) { - return expand_filename(options.authorized_keys_file, pw); + return expand_authorized_keys(options.authorized_keys_file, pw); } char * authorized_keys_file2(struct passwd *pw) { - return expand_filename(options.authorized_keys_file2, pw); + return expand_authorized_keys(options.authorized_keys_file2, pw); } /* return ok if key exists in sysfile or userfile */ diff --git a/auth.h b/auth.h index 471404e4e..bf47b9a64 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.50 2004/05/23 23:59:53 dtucker Exp $ */ +/* $OpenBSD: auth.h,v 1.51 2005/06/06 11:20:36 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -163,7 +163,6 @@ char *get_challenge(Authctxt *); int verify_response(Authctxt *, const char *); void abandon_challenge_response(Authctxt *); -char *expand_filename(const char *, struct passwd *); char *authorized_keys_file(struct passwd *); char *authorized_keys_file2(struct passwd *); diff --git a/misc.c b/misc.c index 4bc07a42a..fc094f874 100644 --- a/misc.c +++ b/misc.c @@ -1,5 +1,6 @@ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2005 Damien Miller. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
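Review bot: expand_authorized_keys changes the failure mode for an AuthorizedKeysFile value containing an unrecognised or trailing `%`: the old loop copied such characters through, whereas percent_expand (see the misc.c hunk) calls fatal() on an unknown key, so a previously tolerated configuration now terminates the authenticating process. That is arguably the safer behaviour, but it is a user-visible change that should be stated in sshd_config(5) and in this function's header comment, e.g. `/* %h, %u and %% are the only escapes; any other %-sequence is fatal. */`. The length checks on the strlcpy/strlcat chain are an improvement over the unchecked snprintf they replace. The header comment of this function starts above the hunk.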
@@ -23,7 +24,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: misc.c,v 1.30 2005/04/09 04:32:54 djm Exp $"); +RCSID("$OpenBSD: misc.c,v 1.31 2005/06/06 11:20:36 djm Exp $"); #include "misc.h" #include "log.h" @@ -420,6 +421,68 @@ tilde_expand_filename(const char *filename, uid_t uid) return (xstrdup(ret)); } +/* + * Expand a string with a set of %[char] escapes. A number of escapes may be + * specified as (char *escape_chars, char *replacement) pairs. The list must + * be terminated by an escape_char of -1. Returns replaced string in memory + * allocated by xmalloc. + */ +char * +percent_expand(const char *string, ...) +{ +#define EXPAND_MAX_KEYS 16 + struct { + const char *key; + const char *repl; + } keys[EXPAND_MAX_KEYS]; + int num_keys, i, j; + char buf[4096]; + va_list ap; + + /* Gather keys */ + va_start(ap, string); + for (num_keys = 0; num_keys < EXPAND_MAX_KEYS; num_keys++) { + keys[num_keys].key = va_arg(ap, char *); + if (keys[num_keys].key == NULL) + break; + keys[num_keys].repl = va_arg(ap, char *); + if (keys[num_keys].repl == NULL) + fatal("percent_expand: NULL replacement"); + } + va_end(ap); + + if (num_keys >= EXPAND_MAX_KEYS) + fatal("percent_expand: too many keys"); + + /* Expand string */ + *buf = '\0'; + for (i = 0; *string != '\0'; string++) { + if (*string != '%') { + append: + buf[i++] = *string; + if (i >= sizeof(buf)) + fatal("percent_expand: string too long"); + buf[i] = '\0'; + continue; + } + string++; + if (*string == '%') + goto append; + for (j = 0; j < num_keys; j++) { + if (strchr(keys[j].key, *string) != NULL) { + i = strlcat(buf, keys[j].repl, sizeof(buf)); + if (i >= sizeof(buf)) + fatal("percent_expand: string too long"); + break; + } + } + if (j >= num_keys) + fatal("percent_expand: unknown key %%%c", *string); + } + return (xstrdup(buf)); +#undef EXPAND_MAX_KEYS +} + /* * Read an entire line from a public key file into a static buffer, discarding * lines that exceed the buffer size. Returns 0 on success, -1 on failure. 
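Review bot: percent_expand reads past the end of its input when the string ends in a single `%`: after `string++` the key loop calls `strchr(keys[j].key, '\0')`, which returns a pointer to the key's terminator rather than NULL, so the first key's replacement is appended and the for-loop's `string++` then advances beyond the terminating NUL before the `*string != '\0'` test. Add a check right after the `%%` case: `if (*string == '\0') fatal("percent_expand: invalid format");`. The header comment also disagrees with the code: it says the list is terminated by an escape_char of -1, but the gather loop stops on a NULL key and the callers pass `(char *)NULL`, so it should read `* be terminated by a NULL escape_chars argument.` Finally, `i` is an int that is compared against `sizeof(buf)` and assigned the size_t result of strlcat(); declaring it `size_t` removes the sign mismatch.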
diff --git a/misc.h b/misc.h index 798d80fbf..a85fcd134 100644 --- a/misc.h +++ b/misc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.h,v 1.22 2005/04/09 04:32:54 djm Exp $ */ +/* $OpenBSD: misc.h,v 1.23 2005/06/06 11:20:36 djm Exp $ */ /* * Author: Tatu Ylonen @@ -25,6 +25,7 @@ char *cleanhostname(char *); char *colon(char *); long convtime(const char *); char *tilde_expand_filename(const char *, uid_t); +char *percent_expand(const char *, ...) __attribute__((sentinel)); struct passwd *pwcopy(struct passwd *); diff --git a/ssh.c b/ssh.c index 43ecbd924..0871d06de 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.240 2005/05/27 08:30:37 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.241 2005/06/06 11:20:36 djm Exp $"); #include #include @@ -609,8 +609,12 @@ again: options.proxy_command = NULL; if (options.control_path != NULL) { - options.control_path = tilde_expand_filename( - options.control_path, original_real_uid); + snprintf(buf, sizeof(buf), "%d", options.port); + cp = tilde_expand_filename(options.control_path, + original_real_uid); + options.control_path = percent_expand(cp, "p", buf, "h", host, + "r", options.user, (char *)NULL); + xfree(cp); } if (mux_command != 0 && options.control_path == NULL) fatal("No ControlPath specified for \"-O\" command"); diff --git a/ssh_config.5 b/ssh_config.5 index 18899ae58..2afc3c093 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.54 2005/05/23 23:32:46 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.55 2005/06/06 11:20:36 djm Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os 
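Review bot: The percent_expand call at -609 passes `options.user` as the `%r` replacement, and percent_expand fatal()s with "NULL replacement" if that pointer is NULL; the hunk gives no evidence that options.user has already been defaulted from the password entry at this point, so please confirm the ordering or guard the call. The hunk also reuses `buf` and `cp`, declared outside the hunk, as scratch for the port string and the tilde-expanded path; a comment such as `/* %p, %h and %r expand to port, host and remote user; unknown escapes are fatal */` would help, since the ssh_config(5) hunk is the only other place this is stated. The enclosing function continues outside this hunk.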
@@ -279,10 +279,17 @@ can not be opened, .Nm ssh will continue without connecting to a master instance. .It Cm ControlPath -Specify the path to the control socket used for connection sharing. -See +Specify the path to the control socket used for connection sharing as described +in the .Cm ControlMaster -above. +section above. +In the path, +.Ql %h +will be substituted by the target host name, +.Ql %p +the port and +.Ql %r +by the remote login username. .It Cm DynamicForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application diff --git a/sshconnect.c b/sshconnect.c index b79cead5d..0bd351f6b 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.163 2005/05/24 17:32:44 avsm Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.164 2005/06/06 11:20:36 djm Exp $"); #include @@ -59,12 +59,11 @@ static void warn_changed_key(Key *); static int ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) { - Buffer command; - const char *cp; - char *command_string; + char *command_string, *tmp; int pin[2], pout[2]; pid_t pid; char strport[NI_MAXSERV]; + size_t len; /* Convert the port number into a string. */ snprintf(strport, sizeof strport, "%hu", port); 
@@ -76,31 +75,13 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) * Use "exec" to avoid "sh -c" processes on some platforms * (e.g. Solaris) */ - buffer_init(&command); - buffer_append(&command, "exec ", 5); - - for (cp = proxy_command; *cp; cp++) { - if (cp[0] == '%' && cp[1] == '%') { - buffer_append(&command, "%", 1); - cp++; - continue; - } - if (cp[0] == '%' && cp[1] == 'h') { - buffer_append(&command, host, strlen(host)); - cp++; - continue; - } - if (cp[0] == '%' && cp[1] == 'p') { - buffer_append(&command, strport, strlen(strport)); - cp++; - continue; - } - buffer_append(&command, cp, 1); - } - buffer_append(&command, "\0", 1); - - /* Get the final command string. */ - command_string = buffer_ptr(&command); + len = strlen(proxy_command) + 6; + tmp = xmalloc(len); + strlcpy(tmp, "exec ", len); + strlcat(tmp, proxy_command, len); + command_string = percent_expand(tmp, "h", host, + "p", strport, (char *)NULL); + xfree(tmp); /* Create pipes for communicating with the proxy. */ if (pipe(pin) < 0 || pipe(pout) < 0) @@ -154,7 +135,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) close(pout[1]); /* Free the command name. */ - buffer_free(&command); + xfree(command_string); /* Set the connection file descriptors. */ packet_set_connection(pout[0], pin[1]); -- cgit v1.2.3 From d14b1e731cf4cb79c3ff5ced9315cc11f1fceced Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 16 Jun 2005 13:19:41 +1000 Subject: - djm@cvs.openbsd.org 2005/06/08 11:25:09 [clientloop.c readconf.c readconf.h ssh.c ssh_config.5] add ControlMaster=auto/autoask options to support opportunistic multiplexing; tested avsm@ and jakob@, ok markus@ --- ChangeLog | 6 +++++- clientloop.c | 8 +++++--- readconf.c | 24 ++++++++++++++++++++++-- readconf.h | 7 ++++++- ssh.c | 32 ++++++++++++++++++++++++-------- ssh_config.5 | 18 +++++++++++++++++- 6 files changed, 79 insertions(+), 16 deletions(-) (limited to 'ssh.c') 
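Review bot: The `len = strlen(proxy_command) + 6;` line at the top of the rewritten block encodes the length of `"exec "` plus its NUL as a magic number; `len = strlen(proxy_command) + sizeof("exec ");` says the same thing without the constant. Two behaviour changes come with the switch to percent_expand and are not mentioned in the log: a ProxyCommand containing an unknown or trailing `%` escape now fatal()s instead of being copied through, and percent_expand's fixed 4096-byte buffer caps the expanded command where the Buffer-based loop had no limit. Both are acceptable, but they belong in ssh_config(5). The hunk at -154 correctly frees `command_string`, which is now heap memory from percent_expand rather than a pointer into the Buffer. ssh_proxy_connect starts and ends outside this hunk.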
diff --git a/ChangeLog b/ChangeLog index 728026a62..35249dd85 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,10 @@ [ssh-keygen.1 ssh-keygen.c sshd.8] increase default rsa/dsa key length from 1024 to 2048 bits; ok markus@ deraadt@ + - djm@cvs.openbsd.org 2005/06/08 11:25:09 + [clientloop.c readconf.c readconf.h ssh.c ssh_config.5] + add ControlMaster=auto/autoask options to support opportunistic + multiplexing; tested avsm@ and jakob@, ok markus@ 20050609 - (dtucker) [cipher.c openbsd-compat/Makefile.in @@ -2706,4 +2710,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3818 2005/06/16 03:19:06 djm Exp $ +$Id: ChangeLog,v 1.3819 2005/06/16 03:19:41 djm Exp $ diff --git a/clientloop.c b/clientloop.c index 1591215bd..ae4dce820 100644 --- a/clientloop.c +++ b/clientloop.c @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.136 2005/03/10 22:01:05 deraadt Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.137 2005/06/08 11:25:09 djm Exp $"); #include "ssh.h" #include "ssh1.h" @@ -616,13 +616,15 @@ client_process_control(fd_set * readset) switch (command) { case SSHMUX_COMMAND_OPEN: - if (options.control_master == 2) + if (options.control_master == SSHCTL_MASTER_ASK || + options.control_master == SSHCTL_MASTER_AUTO_ASK) allowed = ask_permission("Allow shared connection " "to %s? ", host); /* continue below */ break; case SSHMUX_COMMAND_TERMINATE: - if (options.control_master == 2) + if (options.control_master == SSHCTL_MASTER_ASK || + options.control_master == SSHCTL_MASTER_AUTO_ASK) allowed = ask_permission("Terminate shared connection " "to %s? ", host); if (allowed) diff --git a/readconf.c b/readconf.c index d41220807..5ec89e2f0 100644 --- a/readconf.c +++ b/readconf.c 
@@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.140 2005/05/16 15:30:51 markus Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.141 2005/06/08 11:25:09 djm Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -796,7 +796,27 @@ parse_int: case oControlMaster: intptr = &options->control_master; - goto parse_yesnoask; + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing ControlMaster argument.", + filename, linenum); + value = 0; /* To avoid compiler warning... */ + if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) + value = SSHCTL_MASTER_YES; + else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) + value = SSHCTL_MASTER_NO; + else if (strcmp(arg, "auto") == 0) + value = SSHCTL_MASTER_AUTO; + else if (strcmp(arg, "ask") == 0) + value = SSHCTL_MASTER_ASK; + else if (strcmp(arg, "autoask") == 0) + value = SSHCTL_MASTER_AUTO_ASK; + else + fatal("%.200s line %d: Bad ControlMaster argument.", + filename, linenum); + if (*activep && *intptr == -1) + *intptr = value; + break; case oHashKnownHosts: intptr = &options->hash_known_hosts; diff --git a/readconf.h b/readconf.h index de4b4cb27..2b9deb9db 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.66 2005/03/01 10:40:27 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.67 2005/06/08 11:25:09 djm Exp $ */ /* * Author: Tatu Ylonen @@ -116,6 +116,11 @@ typedef struct { int hash_known_hosts; } Options; +#define SSHCTL_MASTER_NO 0 +#define SSHCTL_MASTER_YES 1 +#define SSHCTL_MASTER_AUTO 2 +#define SSHCTL_MASTER_ASK 3 +#define SSHCTL_MASTER_AUTO_ASK 4 void initialize_options(Options *); void fill_default_options(Options *); diff --git a/ssh.c b/ssh.c index 0871d06de..a27c45725 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.241 2005/06/06 11:20:36 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.242 2005/06/08 11:25:09 djm Exp $"); #include #include 
@@ -386,8 +386,10 @@ again: } break; case 'M': - options.control_master = - (options.control_master >= 1) ? 2 : 1; + if (options.control_master == SSHCTL_MASTER_YES) + options.control_master = SSHCTL_MASTER_ASK; + else + options.control_master = SSHCTL_MASTER_YES; break; case 'p': options.port = a2port(optarg); @@ -618,11 +620,8 @@ again: } if (mux_command != 0 && options.control_path == NULL) fatal("No ControlPath specified for \"-O\" command"); - if (options.control_path != NULL && options.control_master == 0) { - if (mux_command == 0) - mux_command = SSHMUX_COMMAND_OPEN; + if (options.control_path != NULL) control_client(options.control_path); - } /* Open a connection to the remote host. */ if (ssh_connect(host, &hostaddr, options.port, @@ -1086,9 +1085,12 @@ ssh_control_listener(void) mode_t old_umask; int addr_len; - if (options.control_path == NULL || options.control_master <= 0) + if (options.control_path == NULL || + options.control_master == SSHCTL_MASTER_NO) return; + debug("setting up multiplex master socket"); + memset(&addr, '\0', sizeof(addr)); addr.sun_family = AF_UNIX; addr_len = offsetof(struct sockaddr_un, sun_path) + @@ -1299,6 +1301,20 @@ control_client(const char *path) extern char **environ; u_int flags; + if (mux_command == 0) + mux_command = SSHMUX_COMMAND_OPEN; + + switch (options.control_master) { + case SSHCTL_MASTER_AUTO: + case SSHCTL_MASTER_AUTO_ASK: + debug("auto-mux: Trying existing master"); + /* FALLTHROUGH */ + case SSHCTL_MASTER_NO: + break; + default: + return; + } + memset(&addr, '\0', sizeof(addr)); addr.sun_family = AF_UNIX; addr_len = offsetof(struct sockaddr_un, sun_path) + diff --git a/ssh_config.5 b/ssh_config.5 index 2afc3c093..a04ffc288 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
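Review bot: The new `-M` handling changes the meaning of repeated flags: the old expression saturated at the ask value for any count of two or more, while the new if/else turns a third `-M` back into SSHCTL_MASTER_YES because only an existing YES is promoted. If saturating is intended (as repeated `-v` does for verbosity), write `if (options.control_master == SSHCTL_MASTER_YES || options.control_master == SSHCTL_MASTER_ASK) options.control_master = SSHCTL_MASTER_ASK; else options.control_master = SSHCTL_MASTER_YES;`, otherwise the toggle should be documented in ssh(1). The option-parsing switch continues outside this hunk.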
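Review bot: The switch added at the top of control_client (hunk at -1299) relies on `default: return;` to cover SSHCTL_MASTER_YES and SSHCTL_MASTER_ASK, so a reader has to know the whole value set to see that a configured master never tries to connect to itself; listing those cases explicitly, `case SSHCTL_MASTER_YES: case SSHCTL_MASTER_ASK: /* we are the master; nothing to connect to */ return;`, keeps the intent visible and leaves `default` for genuinely unexpected values. For AUTO and AUTO_ASK the connect() fallback further down (outside the hunk) is what lets this process go on to become the master, which is worth saying next to the `debug("auto-mux: ...")` line. The related test in ssh_control_listener (hunk at -1086) now checks only SSHCTL_MASTER_NO where the old code used `<= 0`; that is fine provided fill_default_options has replaced the -1 sentinel by then, which the hunk cannot show.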
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.55 2005/06/06 11:20:36 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.56 2005/06/08 11:25:09 djm Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -278,6 +278,17 @@ If the can not be opened, .Nm ssh will continue without connecting to a master instance. +.Pp +Two additional options allow for opportunistic multiplexing: try to use a +master connection but fall back to creating a new one if one does not already +exist. +These options are: +.Dq auto +and +.Dq autoask . +The latter requires confirmation like the +.Dq ask +option. .It Cm ControlPath Specify the path to the control socket used for connection sharing as described in the @@ -290,6 +301,11 @@ will be substituted by the target host name, the port and .Ql %r by the remote login username. +It is recommended that any +.Cm ControlPath +used for opportunistic connection sharing include +all three of these escape sequences. +This ensures that shared connections are uniquely identified. .It Cm DynamicForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application -- cgit v1.2.3 From 17e7ed0e754577ae61cdd5e3f03b33fba2a09337 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 17 Jun 2005 12:54:33 +1000 Subject: - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2005/06/16 03:38:36 [channels.c channels.h clientloop.c clientloop.h ssh.c] move x11_get_proto from ssh.c to clientloop.c, to make muliplexed xfwd easier later; ok deraadt@ --- ChangeLog | 10 ++++- channels.c | 10 ++--- channels.h | 5 ++- clientloop.c | 105 ++++++++++++++++++++++++++++++++++++++++++++++++- clientloop.h | 4 +- ssh.c | 126 +++++++---------------------------------------------------- 6 files changed, 138 insertions(+), 122 deletions(-) (limited to 'ssh.c') 
diff --git a/ChangeLog b/ChangeLog index e91ea2fdb..248f2b8b3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +20050617 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2005/06/16 03:38:36 + [channels.c channels.h clientloop.c clientloop.h ssh.c] + move x11_get_proto from ssh.c to clientloop.c, to make muliplexed xfwd + easier later; ok deraadt@ + + 20050616 - (djm) OpenBSD CVS Sync - jaredy@cvs.openbsd.org 2005/06/07 13:25:23 @@ -2714,4 +2722,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3820 2005/06/16 03:21:17 djm Exp $ +$Id: ChangeLog,v 1.3821 2005/06/17 02:54:33 djm Exp $ diff --git a/channels.c b/channels.c index 3f6db60c6..440043b9c 100644 --- a/channels.c +++ b/channels.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.214 2005/03/14 11:46:56 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.215 2005/06/16 03:38:36 djm Exp $"); #include "ssh.h" #include "ssh1.h" @@ -2952,7 +2952,7 @@ deny_input_open(int type, u_int32_t seq, void *ctxt) * This should be called in the client only. */ void -x11_request_forwarding_with_spoofing(int client_session_id, +x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, const char *proto, const char *data) { u_int data_len = (u_int) strlen(data) / 2; @@ -2962,9 +2962,9 @@ x11_request_forwarding_with_spoofing(int client_session_id, const char *cp; u_int32_t rnd = 0; - cp = getenv("DISPLAY"); - if (cp) - cp = strchr(cp, ':'); + cp = disp; + if (disp) + cp = strchr(disp, ':'); if (cp) cp = strchr(cp, '.'); if (cp) diff --git a/channels.h b/channels.h index fc20fb2c3..f87db6afb 100644 --- a/channels.h +++ b/channels.h @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.76 2005/03/01 10:09:52 djm Exp $ */ +/* $OpenBSD: channels.h,v 1.77 2005/06/16 03:38:36 djm Exp $ */ /* * Author: Tatu Ylonen 
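Review bot: In x11_request_forwarding_with_spoofing (hunk at -2962) the assignment `cp = disp;` is immediately overwritten whenever `disp` is non-NULL, so the two lines read as a leftover of the old getenv() idiom rather than as intent; `cp = (disp != NULL) ? strchr(disp, ':') : NULL;` expresses the same thing in one line. Since the function now depends on the caller to supply the display string, the header comment above the hunk should state that `disp` may be NULL and what the caller is expected to pass (presumably the value of DISPLAY, as before). The rest of the function is outside the hunk.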
@@ -216,7 +216,8 @@ int channel_cancel_rport_listener(const char *, u_short); int x11_connect_display(void); int x11_create_display_inet(int, int, int, u_int *); void x11_input_open(int, u_int32_t, void *); -void x11_request_forwarding_with_spoofing(int, const char *, const char *); +void x11_request_forwarding_with_spoofing(int, const char *, const char *, + const char *); void deny_input_open(int, u_int32_t, void *); /* agent forwarding */ diff --git a/clientloop.c b/clientloop.c index ae4dce820..ee36cc9e5 100644 --- a/clientloop.c +++ b/clientloop.c @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.137 2005/06/08 11:25:09 djm Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.138 2005/06/16 03:38:36 djm Exp $"); #include "ssh.h" #include "ssh1.h" 
@@ -208,6 +208,109 @@ get_current_time(void) return (double) tv.tv_sec + (double) tv.tv_usec / 1000000.0; } +#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" +void +client_x11_get_proto(const char *display, const char *xauth_path, + u_int trusted, char **_proto, char **_data) +{ + char cmd[1024]; + char line[512]; + char xdisplay[512]; + static char proto[512], data[512]; + FILE *f; + int got_data = 0, generated = 0, do_unlink = 0, i; + char *xauthdir, *xauthfile; + struct stat st; + + xauthdir = xauthfile = NULL; + *_proto = proto; + *_data = data; + proto[0] = data[0] = '\0'; + + if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) { + debug("No xauth program."); + } else { + if (display == NULL) { + debug("x11_get_proto: DISPLAY not set"); + return; + } + /* + * Handle FamilyLocal case where $DISPLAY does + * not match an authorization entry. For this we + * just try "xauth list unix:displaynum.screennum". + * XXX: "localhost" match to determine FamilyLocal + * is not perfect. + */ + if (strncmp(display, "localhost:", 10) == 0) { + snprintf(xdisplay, sizeof(xdisplay), "unix:%s", + display + 10); + display = xdisplay; + } + if (trusted == 0) { + xauthdir = xmalloc(MAXPATHLEN); + xauthfile = xmalloc(MAXPATHLEN); + strlcpy(xauthdir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN); + if (mkdtemp(xauthdir) != NULL) { + do_unlink = 1; + snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile", + xauthdir); + snprintf(cmd, sizeof(cmd), + "%s -f %s generate %s " SSH_X11_PROTO + " untrusted timeout 1200 2>" _PATH_DEVNULL, + xauth_path, xauthfile, display); + debug2("x11_get_proto: %s", cmd); + if (system(cmd) == 0) + generated = 1; + } + } + snprintf(cmd, sizeof(cmd), + "%s %s%s list %s . 2>" _PATH_DEVNULL, + xauth_path, + generated ? "-f " : "" , + generated ? 
xauthfile : "", + display); + debug2("x11_get_proto: %s", cmd); + f = popen(cmd, "r"); + if (f && fgets(line, sizeof(line), f) && + sscanf(line, "%*s %511s %511s", proto, data) == 2) + got_data = 1; + if (f) + pclose(f); + } + + if (do_unlink) { + unlink(xauthfile); + rmdir(xauthdir); + } + if (xauthdir) + xfree(xauthdir); + if (xauthfile) + xfree(xauthfile); + + /* + * If we didn't get authentication data, just make up some + * data. The forwarding code will check the validity of the + * response anyway, and substitute this data. The X11 + * server, however, will ignore this fake data and use + * whatever authentication mechanisms it was using otherwise + * for the local connection. + */ + if (!got_data) { + u_int32_t rnd = 0; + + logit("Warning: No xauth data; " + "using fake authentication data for X11 forwarding."); + strlcpy(proto, SSH_X11_PROTO, sizeof proto); + for (i = 0; i < 16; i++) { + if (i % 4 == 0) + rnd = arc4random(); + snprintf(data + 2 * i, sizeof data - 2 * i, "%02x", + rnd & 0xff); + rnd >>= 8; + } + } +} + /* * This is called when the interactive is entered. This checks if there is * an EOF coming on stdin. We must check this explicitly, as select() does diff --git a/clientloop.h b/clientloop.h index b23c111cb..71c61b5d2 100644 --- a/clientloop.h +++ b/clientloop.h @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.h,v 1.12 2004/11/07 00:01:46 djm Exp $ */ +/* $OpenBSD: clientloop.h,v 1.13 2005/06/16 03:38:36 djm Exp $ */ /* * Author: Tatu Ylonen @@ -37,6 +37,8 @@ /* Client side main loop for the interactive session. */ int client_loop(int, int, int); +void client_x11_get_proto(const char *, const char *, u_int, + char **, char **); void client_global_request_reply_fwd(int, u_int32_t, void *); void client_session2_setup(int, int, int, const char *, struct termios *, int, Buffer *, char **, dispatch_fn *); diff --git a/ssh.c b/ssh.c index a27c45725..5d53cd680 100644 --- a/ssh.c +++ b/ssh.c 
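Review bot: `cmd` is assembled with snprintf from `display` and `xauth_path` and handed unquoted to `system()` and `popen()`, so the xauth invocation goes through the shell with whatever the environment supplied in $DISPLAY; now that the function takes `display` as a parameter instead of reading the environment itself, it is the natural place to validate it against the `host:display[.screen]` form before use, or to run xauth via fork/exec with an explicit argv instead of a shell string. The two snprintf calls that build `cmd` also do not check for truncation into the 1024-byte buffer, so an over-long display or xauth path silently yields a different command. The debug messages still carry the old `x11_get_proto:` prefix after the rename to `client_x11_get_proto`; `__func__` keeps them accurate, e.g. `debug2("%s: %s", __func__, cmd);`.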
@@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.242 2005/06/08 11:25:09 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.243 2005/06/16 03:38:36 djm Exp $"); #include #include 
@@ -750,110 +750,6 @@ again: return exit_status; } -#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" - -static void -x11_get_proto(char **_proto, char **_data) -{ - char cmd[1024]; - char line[512]; - char xdisplay[512]; - static char proto[512], data[512]; - FILE *f; - int got_data = 0, generated = 0, do_unlink = 0, i; - char *display, *xauthdir, *xauthfile; - struct stat st; - - xauthdir = xauthfile = NULL; - *_proto = proto; - *_data = data; - proto[0] = data[0] = '\0'; - - if (!options.xauth_location || - (stat(options.xauth_location, &st) == -1)) { - debug("No xauth program."); - } else { - if ((display = getenv("DISPLAY")) == NULL) { - debug("x11_get_proto: DISPLAY not set"); - return; - } - /* - * Handle FamilyLocal case where $DISPLAY does - * not match an authorization entry. For this we - * just try "xauth list unix:displaynum.screennum". - * XXX: "localhost" match to determine FamilyLocal - * is not perfect. - */ - if (strncmp(display, "localhost:", 10) == 0) { - snprintf(xdisplay, sizeof(xdisplay), "unix:%s", - display + 10); - display = xdisplay; - } - if (options.forward_x11_trusted == 0) { - xauthdir = xmalloc(MAXPATHLEN); - xauthfile = xmalloc(MAXPATHLEN); - strlcpy(xauthdir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN); - if (mkdtemp(xauthdir) != NULL) { - do_unlink = 1; - snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile", - xauthdir); - snprintf(cmd, sizeof(cmd), - "%s -f %s generate %s " SSH_X11_PROTO - " untrusted timeout 1200 2>" _PATH_DEVNULL, - options.xauth_location, xauthfile, display); - debug2("x11_get_proto: %s", cmd); - if (system(cmd) == 0) - generated = 1; - } - } - snprintf(cmd, sizeof(cmd), - "%s %s%s list %s . 2>" _PATH_DEVNULL, - options.xauth_location, - generated ? "-f " : "" , - generated ? 
xauthfile : "", - display); - debug2("x11_get_proto: %s", cmd); - f = popen(cmd, "r"); - if (f && fgets(line, sizeof(line), f) && - sscanf(line, "%*s %511s %511s", proto, data) == 2) - got_data = 1; - if (f) - pclose(f); - } - - if (do_unlink) { - unlink(xauthfile); - rmdir(xauthdir); - } - if (xauthdir) - xfree(xauthdir); - if (xauthfile) - xfree(xauthfile); - - /* - * If we didn't get authentication data, just make up some - * data. The forwarding code will check the validity of the - * response anyway, and substitute this data. The X11 - * server, however, will ignore this fake data and use - * whatever authentication mechanisms it was using otherwise - * for the local connection. - */ - if (!got_data) { - u_int32_t rnd = 0; - - logit("Warning: No xauth data; " - "using fake authentication data for X11 forwarding."); - strlcpy(proto, SSH_X11_PROTO, sizeof proto); - for (i = 0; i < 16; i++) { - if (i % 4 == 0) - rnd = arc4random(); - snprintf(data + 2 * i, sizeof data - 2 * i, "%02x", - rnd & 0xff); - rnd >>= 8; - } - } -} - static void ssh_init_forwarding(void) { @@ -916,6 +812,7 @@ ssh_session(void) int have_tty = 0; struct winsize ws; char *cp; + const char *display; /* Enable compression if requested. */ if (options.compression) { 
@@ -977,13 +874,15 @@ ssh_session(void) packet_disconnect("Protocol error waiting for pty request response."); } /* Request X11 forwarding if enabled and DISPLAY is set. */ - if (options.forward_x11 && getenv("DISPLAY") != NULL) { + display = getenv("DISPLAY"); + if (options.forward_x11 && display != NULL) { char *proto, *data; /* Get reasonable local authentication information. */ - x11_get_proto(&proto, &data); + client_x11_get_proto(display, options.xauth_location, + options.forward_x11_trusted, &proto, &data); /* Request forwarding with authentication spoofing. */ debug("Requesting X11 forwarding with authentication spoofing."); - x11_request_forwarding_with_spoofing(0, proto, data); + x11_request_forwarding_with_spoofing(0, display, proto, data); /* Read response from the server. */ type = packet_read(); @@ -1125,15 +1024,18 @@ static void ssh_session2_setup(int id, void *arg) { extern char **environ; - + const char *display; int interactive = tty_flag; - if (options.forward_x11 && getenv("DISPLAY") != NULL) { + + display = getenv("DISPLAY"); + if (options.forward_x11 && display != NULL) { char *proto, *data; /* Get reasonable local authentication information. */ - x11_get_proto(&proto, &data); + client_x11_get_proto(display, options.xauth_location, + options.forward_x11_trusted, &proto, &data); /* Request forwarding with authentication spoofing. */ debug("Requesting X11 forwarding with authentication spoofing."); - x11_request_forwarding_with_spoofing(id, proto, data); + x11_request_forwarding_with_spoofing(id, display, proto, data); interactive = 1; /* XXX wait for reply */ } -- cgit v1.2.3 From 9651fe690a95378cdb9b2a1cf3e8c5cb625052c7 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Sun, 26 Jun 2005 08:55:25 +1000 Subject: - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2005/06/17 22:53:47 [ssh.c sshconnect.c] Fix ControlPath's %p expanding to "0" for a default port, spotted dwmw2 AT infradead.org; ok markus@ --- ChangeLog | 9 ++++++++- ssh.c | 9 ++++++++- sshconnect.c | 11 +---------- 3 files changed, 17 insertions(+), 12 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index 04dce8489..c60eacc11 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20050626 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2005/06/17 22:53:47 + [ssh.c sshconnect.c] + Fix ControlPath's %p expanding to "0" for a default port, + spotted dwmw2 AT infradead.org; ok markus@ + 20050618 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2005/05/20 12:57:01; @@ -2749,4 +2756,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3827 2005/06/19 00:19:43 djm Exp $ +$Id: ChangeLog,v 1.3828 2005/06/25 22:55:25 djm Exp $ diff --git a/ssh.c b/ssh.c index 5d53cd680..2e93b161a 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.243 2005/06/16 03:38:36 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.244 2005/06/17 22:53:46 djm Exp $"); #include #include @@ -185,6 +185,7 @@ main(int ac, char **av) int dummy; extern int optind, optreset; extern char *optarg; + struct servent *sp; Forward fwd; __progname = ssh_get_progname(av[0]); @@ -623,6 +624,12 @@ again: if (options.control_path != NULL) control_client(options.control_path); + /* Get default port if port has not been set. */ + if (options.port == 0) { + sp = getservbyname(SSH_SERVICE_NAME, "tcp"); + options.port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT; + } + /* Open a connection to the remote host. */ if (ssh_connect(host, &hostaddr, options.port, options.address_family, options.connection_attempts, 
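Review bot: The default-port fill is placed after `control_client(options.control_path)`, and the ControlPath `%p` expansion (visible in a later hunk on this page at `snprintf(buf, sizeof(buf), "%d", options.port)` around line 614) appears to run before this point, so `options.port` would still be 0 when `%p` is substituted and the fix named in the commit message would not take effect; the `if (options.port == 0)` block belongs above the ControlPath expansion, which a later commit on this page does. Moving the lookup out of `ssh_connect()` also makes every caller of `ssh_connect()` responsible for passing a resolved port; if there are other callers, a one-line comment at the prototype such as `/* port must be non-zero; callers resolve the default */` would record the new contract.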
diff --git a/sshconnect.c b/sshconnect.c index cbbe54821..92f0f3800 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.165 2005/06/17 02:44:33 djm Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.166 2005/06/17 22:53:47 djm Exp $"); #include @@ -289,18 +289,9 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, int sock = -1, attempt; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; struct addrinfo hints, *ai, *aitop; - struct servent *sp; debug2("ssh_connect: needpriv %d", needpriv); - /* Get default port if port has not been set. */ - if (port == 0) { - sp = getservbyname(SSH_SERVICE_NAME, "tcp"); - if (sp) - port = ntohs(sp->s_port); - else - port = SSH_DEFAULT_PORT; - } /* If a proxy command is given, connect using it. */ if (proxy_command != NULL) return ssh_proxy_connect(host, port, proxy_command); -- cgit v1.2.3 From 8f74c8fc3216af41e466dbe7abbe8660679588ad Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 26 Jun 2005 08:56:03 +1000 Subject: - djm@cvs.openbsd.org 2005/06/18 04:30:36 [ssh.c ssh_config.5] allow ControlPath=none, patch from dwmw2 AT infradead.org; ok dtucker@ --- ChangeLog | 5 ++++- ssh.c | 5 ++++- ssh_config.5 | 6 ++++-- 3 files changed, 12 insertions(+), 4 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index c60eacc11..519168aa3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,9 @@ [ssh.c sshconnect.c] Fix ControlPath's %p expanding to "0" for a default port, spotted dwmw2 AT infradead.org; ok markus@ + - djm@cvs.openbsd.org 2005/06/18 04:30:36 + [ssh.c ssh_config.5] + allow ControlPath=none, patch from dwmw2 AT infradead.org; ok dtucker@ 20050618 - (djm) OpenBSD CVS Sync @@ -2756,4 +2759,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3828 2005/06/25 22:55:25 djm Exp $ +$Id: ChangeLog,v 1.3829 2005/06/25 22:56:03 djm Exp $ 
diff --git a/ssh.c b/ssh.c index 2e93b161a..91f8559de 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.244 2005/06/17 22:53:46 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.245 2005/06/18 04:30:36 djm Exp $"); #include #include @@ -610,6 +610,9 @@ again: if (options.proxy_command != NULL && strcmp(options.proxy_command, "none") == 0) options.proxy_command = NULL; + if (options.control_path != NULL && + strcmp(options.control_path, "none") == 0) + options.control_path = NULL; if (options.control_path != NULL) { snprintf(buf, sizeof(buf), "%d", options.port); diff --git a/ssh_config.5 b/ssh_config.5 index a04ffc288..3e7ca8f28 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.56 2005/06/08 11:25:09 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.57 2005/06/18 04:30:36 djm Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -293,7 +293,9 @@ option. Specify the path to the control socket used for connection sharing as described in the .Cm ControlMaster -section above. +section above or the string +.Dq none +to disable connection sharing. In the path, .Ql %h will be substituted by the target host name, -- cgit v1.2.3 From 7c71cc738c87905561d64eeb95ea7327917089f2 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 26 Jun 2005 08:56:31 +1000 Subject: - djm@cvs.openbsd.org 2005/06/25 22:47:49 [ssh.c] do the default port filling code a few lines earlier, so it really does fix %p --- ChangeLog | 5 ++++- ssh.c | 14 +++++++------- 2 files changed, 11 insertions(+), 8 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index 519168aa3..cdeb942f5 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -7,6 +7,9 @@ - djm@cvs.openbsd.org 2005/06/18 04:30:36 [ssh.c ssh_config.5] allow ControlPath=none, patch from dwmw2 AT infradead.org; ok dtucker@ + - djm@cvs.openbsd.org 2005/06/25 22:47:49 + [ssh.c] + do the default port filling code a few lines earlier, so it really does fix %p 20050618 - (djm) OpenBSD CVS Sync @@ -2759,4 +2762,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3829 2005/06/25 22:56:03 djm Exp $ +$Id: ChangeLog,v 1.3830 2005/06/25 22:56:31 djm Exp $ diff --git a/ssh.c b/ssh.c index 91f8559de..67af53e69 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.245 2005/06/18 04:30:36 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.246 2005/06/25 22:47:49 djm Exp $"); #include #include @@ -607,6 +607,12 @@ again: *p = tolower(*p); } + /* Get default port if port has not been set. */ + if (options.port == 0) { + sp = getservbyname(SSH_SERVICE_NAME, "tcp"); + options.port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT; + } + if (options.proxy_command != NULL && strcmp(options.proxy_command, "none") == 0) options.proxy_command = NULL; @@ -627,12 +633,6 @@ again: if (options.control_path != NULL) control_client(options.control_path); - /* Get default port if port has not been set. */ - if (options.port == 0) { - sp = getservbyname(SSH_SERVICE_NAME, "tcp"); - options.port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT; - } - /* Open a connection to the remote host. */ if (ssh_connect(host, &hostaddr, options.port, options.address_family, options.connection_attempts, -- cgit v1.2.3 From 1339002e8b05d89b10767849d9ee9be55e460f4c Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Wed, 6 Jul 2005 09:44:19 +1000 Subject: - djm@cvs.openbsd.org 2005/07/04 00:58:43 [channels.c clientloop.c clientloop.h misc.c misc.h ssh.c ssh_config.5] implement support for X11 and agent forwarding over multiplex slave connections. Because of protocol limitations, the slave connections inherit the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding their own. ok dtucker@ "put it in" deraadt@ --- ChangeLog | 9 ++++++++- channels.c | 61 +++++++++++++++++++++++++++++++++--------------------------- clientloop.c | 35 ++++++++++++++++++++++++++++------ clientloop.h | 7 ++++++- misc.c | 19 ++++++++++++++++++- misc.h | 3 ++- ssh.c | 45 +++++++++++++++++++++++--------------------- ssh_config.5 | 8 +++++++- 8 files changed, 128 insertions(+), 59 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index 85d4e91c9..58607022a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,13 @@ - markus@cvs.openbsd.org 2005/07/01 13:19:47 [channels.c] don't free() if getaddrinfo() fails; report mpech@ + - djm@cvs.openbsd.org 2005/07/04 00:58:43 + [channels.c clientloop.c clientloop.h misc.c misc.h ssh.c ssh_config.5] + implement support for X11 and agent forwarding over multiplex slave + connections. Because of protocol limitations, the slave connections inherit + the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding + their own. + ok dtucker@ "put it in" deraadt@ 20050626 - (djm) OpenBSD CVS Sync @@ -2769,4 +2776,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3832 2005/07/05 23:36:05 djm Exp $ +$Id: ChangeLog,v 1.3833 2005/07/05 23:44:19 djm Exp $ diff --git a/channels.c b/channels.c index b58902328..14ff166ae 100644 --- a/channels.c +++ b/channels.c 
@@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.218 2005/07/01 13:19:47 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.219 2005/07/04 00:58:42 djm Exp $"); #include "ssh.h" #include "ssh1.h" @@ -111,6 +111,9 @@ static int all_opens_permitted = 0; /* Maximum number of fake X11 displays to try. */ #define MAX_DISPLAYS 1000 +/* Saved X11 local (client) display. */ +static char *x11_saved_display = NULL; + /* Saved X11 authentication protocol name. */ static char *x11_saved_proto = NULL; @@ -2955,12 +2958,18 @@ x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, const char *proto, const char *data) { u_int data_len = (u_int) strlen(data) / 2; - u_int i, value, len; + u_int i, value; char *new_data; int screen_number; const char *cp; u_int32_t rnd = 0; + if (x11_saved_display && strcmp(disp, x11_saved_display) != 0) { + error("x11_request_forwarding_with_spoofing: different " + "$DISPLAY already forwarded"); + return; + } + cp = disp; if (disp) cp = strchr(disp, ':'); 
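Review bot: The new guard calls `strcmp(disp, x11_saved_display)` before the existing `if (disp)` null check two lines below it, so once `x11_saved_display` is set a NULL `disp` dereferences NULL instead of being tolerated as the rest of the function does; compare only when both are present, `if (x11_saved_display != NULL && disp != NULL && strcmp(disp, x11_saved_display) != 0)`. None of the channels.c hunks visible here assigns `x11_saved_display`, so unless a hunk outside this view stores it (presumably next to `x11_saved_proto`), the check never fires. The error path returns without sending any request, so the caller cannot tell that forwarding was refused; a return value or a follow-up `debug()` in the caller would surface that. The function continues past the end of the hunk.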
@@ -2971,33 +2980,31 @@ x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, else screen_number = 0; - /* Save protocol name. */ - x11_saved_proto = xstrdup(proto); - - /* - * Extract real authentication data and generate fake data of the - * same length. - */ - x11_saved_data = xmalloc(data_len); - x11_fake_data = xmalloc(data_len); - for (i = 0; i < data_len; i++) { - if (sscanf(data + 2 * i, "%2x", &value) != 1) - fatal("x11_request_forwarding: bad authentication data: %.100s", data); - if (i % 4 == 0) - rnd = arc4random(); - x11_saved_data[i] = value; - x11_fake_data[i] = rnd & 0xff; - rnd >>= 8; - } - x11_saved_data_len = data_len; - x11_fake_data_len = data_len; + if (x11_saved_proto == NULL) { + /* Save protocol name. */ + x11_saved_proto = xstrdup(proto); + /* + * Extract real authentication data and generate fake data + * of the same length. + */ + x11_saved_data = xmalloc(data_len); + x11_fake_data = xmalloc(data_len); + for (i = 0; i < data_len; i++) { + if (sscanf(data + 2 * i, "%2x", &value) != 1) + fatal("x11_request_forwarding: bad " + "authentication data: %.100s", data); + if (i % 4 == 0) + rnd = arc4random(); + x11_saved_data[i] = value; + x11_fake_data[i] = rnd & 0xff; + rnd >>= 8; + } + x11_saved_data_len = data_len; + x11_fake_data_len = data_len; + } /* Convert the fake data into hex. */ - len = 2 * data_len + 1; - new_data = xmalloc(len); - for (i = 0; i < data_len; i++) - snprintf(new_data + 2 * i, len - 2 * i, - "%02x", (u_char) x11_fake_data[i]); + new_data = tohex(x11_fake_data, data_len); /* Send the request packet. */ if (compat20) { diff --git a/clientloop.c b/clientloop.c index a030cf6e4..9611a5e3e 100644 --- a/clientloop.c +++ b/clientloop.c @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.139 2005/06/17 02:44:32 djm Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.140 2005/07/04 00:58:43 djm Exp $"); #include "ssh.h" #include "ssh1.h" 
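Review bot: `tohex(x11_fake_data, data_len)` uses the length derived from the `data` argument of the current call, but `x11_fake_data` is only allocated on the first call (inside `if (x11_saved_proto == NULL)`), so a later call carrying a longer hex string reads past the end of the saved buffer; use the saved length, `new_data = tohex(x11_fake_data, x11_fake_data_len);`. A second call with different `proto`/`data` is also silently ignored in favour of the saved values, which is the multiplexing behaviour the commit message describes but is invisible at runtime; a `debug("%s: reusing saved X11 authentication data", __func__);` in the `else` case would make it visible. The function continues past the end of the hunk.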
@@ -140,6 +140,8 @@ int session_ident = -1; struct confirm_ctx { int want_tty; int want_subsys; + int want_x_fwd; + int want_agent_fwd; Buffer cmd; char *term; struct termios tio; @@ -631,6 +633,7 @@ static void client_extra_session2_setup(int id, void *arg) { struct confirm_ctx *cctx = arg; + const char *display; Channel *c; int i; @@ -639,6 +642,24 @@ client_extra_session2_setup(int id, void *arg) if ((c = channel_lookup(id)) == NULL) fatal("%s: no channel for id %d", __func__, id); + display = getenv("DISPLAY"); + if (cctx->want_x_fwd && options.forward_x11 && display != NULL) { + char *proto, *data; + /* Get reasonable local authentication information. */ + client_x11_get_proto(display, options.xauth_location, + options.forward_x11_trusted, &proto, &data); + /* Request forwarding with authentication spoofing. */ + debug("Requesting X11 forwarding with authentication spoofing."); + x11_request_forwarding_with_spoofing(id, display, proto, data); + /* XXX wait for reply */ + } + + if (cctx->want_agent_fwd && options.forward_agent) { + debug("Requesting authentication agent forwarding."); + channel_request_start(id, "auth-agent-req@openssh.com", 0); + packet_send(); + } + client_session2_setup(id, cctx->want_tty, cctx->want_subsys, cctx->term, &cctx->tio, c->rfd, &cctx->cmd, cctx->env, client_subsystem_reply); @@ -704,7 +725,7 @@ client_process_control(fd_set * readset) buffer_free(&m); return; } - if ((ver = buffer_get_char(&m)) != 1) { + if ((ver = buffer_get_char(&m)) != SSHMUX_VER) { error("%s: wrong client version %d", __func__, ver); buffer_free(&m); close(client_fd); @@ -738,7 +759,7 @@ client_process_control(fd_set * readset) buffer_clear(&m); buffer_put_int(&m, allowed); buffer_put_int(&m, getpid()); - if (ssh_msg_send(client_fd, /* version */1, &m) == -1) { + if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) { error("%s: client msg_send failed", __func__); close(client_fd); buffer_free(&m); 
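Review bot: The X11 request block added to `client_extra_session2_setup` is the third verbatim copy of the same getenv/`client_x11_get_proto`/`x11_request_forwarding_with_spoofing` sequence (the other two are in `ssh_session()` and `ssh_session2_setup()` in ssh.c, per an earlier commit on this page), so any later validation or logging fix has to be applied in three places; a small helper in clientloop.c taking the channel id would let each caller become a two-line conditional. The `/* XXX wait for reply */` carried over with the copy would then live in one place. The enclosing function continues past the end of the hunk.
```c
/*
 * Request X11 forwarding on channel `id` using the master's DISPLAY and
 * xauth settings.  Does nothing when forwarding is disabled or DISPLAY is
 * unset.
 */
static void
client_request_x11_forwarding(int id)
{
	const char *display = getenv("DISPLAY");
	char *proto, *data;

	if (!options.forward_x11 || display == NULL)
		return;
	/* Get reasonable local authentication information. */
	client_x11_get_proto(display, options.xauth_location,
	    options.forward_x11_trusted, &proto, &data);
	/* Request forwarding with authentication spoofing. */
	debug("Requesting X11 forwarding with authentication spoofing.");
	x11_request_forwarding_with_spoofing(id, display, proto, data);
	/* XXX wait for reply */
}

/* … unchanged: client_extra_session2_setup up to the channel lookup … */
	if (cctx->want_x_fwd)
		client_request_x11_forwarding(id);
/* … unchanged: agent forwarding request and client_session2_setup call … */
```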
@@ -758,7 +779,7 @@ client_process_control(fd_set * readset) buffer_clear(&m); buffer_put_int(&m, allowed); buffer_put_int(&m, getpid()); - if (ssh_msg_send(client_fd, /* version */1, &m) == -1) { + if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) { error("%s: client msg_send failed", __func__); close(client_fd); buffer_free(&m); @@ -779,7 +800,7 @@ client_process_control(fd_set * readset) buffer_free(&m); return; } - if ((ver = buffer_get_char(&m)) != 1) { + if ((ver = buffer_get_char(&m)) != SSHMUX_VER) { error("%s: wrong client version %d", __func__, ver); buffer_free(&m); close(client_fd); @@ -790,6 +811,8 @@ client_process_control(fd_set * readset) memset(cctx, 0, sizeof(*cctx)); cctx->want_tty = (flags & SSHMUX_FLAG_TTY) != 0; cctx->want_subsys = (flags & SSHMUX_FLAG_SUBSYS) != 0; + cctx->want_x_fwd = (flags & SSHMUX_FLAG_X11_FWD) != 0; + cctx->want_agent_fwd = (flags & SSHMUX_FLAG_AGENT_FWD) != 0; cctx->term = buffer_get_string(&m, &len); cmd = buffer_get_string(&m, &len); @@ -823,7 +846,7 @@ client_process_control(fd_set * readset) /* This roundtrip is just for synchronisation of ttymodes */ buffer_clear(&m); - if (ssh_msg_send(client_fd, /* version */1, &m) == -1) { + if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) { error("%s: client msg_send failed", __func__); close(client_fd); close(new_fd[0]); diff --git a/clientloop.h b/clientloop.h index 71c61b5d2..aed2d918b 100644 --- a/clientloop.h +++ b/clientloop.h @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.h,v 1.13 2005/06/16 03:38:36 djm Exp $ */ +/* $OpenBSD: clientloop.h,v 1.14 2005/07/04 00:58:43 djm Exp $ */ /* * Author: Tatu Ylonen 
@@ -43,6 +43,9 @@ void client_global_request_reply_fwd(int, u_int32_t, void *); void client_session2_setup(int, int, int, const char *, struct termios *, int, Buffer *, char **, dispatch_fn *); +/* Multiplexing protocol version */ +#define SSHMUX_VER 1 + /* Multiplexing control protocol flags */ #define SSHMUX_COMMAND_OPEN 1 /* Open new connection */ #define SSHMUX_COMMAND_ALIVE_CHECK 2 /* Check master is alive */ @@ -50,3 +53,5 @@ void client_session2_setup(int, int, int, const char *, struct termios *, #define SSHMUX_FLAG_TTY (1) /* Request tty on open */ #define SSHMUX_FLAG_SUBSYS (1<<1) /* Subsystem request on open */ +#define SSHMUX_FLAG_X11_FWD (1<<2) /* Request X11 forwarding */ +#define SSHMUX_FLAG_AGENT_FWD (1<<3) /* Request agent forwarding */ diff --git a/misc.c b/misc.c index c5ca0ce38..808b7ba27 100644 --- a/misc.c +++ b/misc.c @@ -24,7 +24,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: misc.c,v 1.32 2005/06/17 02:44:32 djm Exp $"); +RCSID("$OpenBSD: misc.c,v 1.33 2005/07/04 00:58:43 djm Exp $"); #include "misc.h" #include "log.h" @@ -506,3 +506,20 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, } return -1; } + +char * +tohex(const u_char *d, u_int l) +{ + char b[3], *r; + u_int i, hl; + + hl = l * 2 + 1; + r = xmalloc(hl); + *r = '\0'; + for (i = 0; i < l; i++) { + snprintf(b, sizeof(b), "%02x", d[i]); + strlcat(r, b, hl); + } + return (r); +} + diff --git a/misc.h b/misc.h index a85fcd134..92848b28e 100644 --- a/misc.h +++ b/misc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.h,v 1.23 2005/06/06 11:20:36 djm Exp $ */ +/* $OpenBSD: misc.h,v 1.24 2005/07/04 00:58:43 djm Exp $ */ /* * Author: Tatu Ylonen @@ -26,6 +26,7 @@ char *colon(char *); long convtime(const char *); char *tilde_expand_filename(const char *, uid_t); char *percent_expand(const char *, ...) __attribute__((sentinel)); +char *tohex(const u_char *, u_int); struct passwd *pwcopy(struct passwd *); diff --git a/ssh.c b/ssh.c index 67af53e69..43d97abcc 100644 --- a/ssh.c 
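Review bot: `tohex` appends with `strlcat` on every iteration, which rescans the growing result and makes the conversion quadratic in `l`; writing each pair at its offset is simpler and linear, `for (i = 0; i < l; i++) snprintf(r + 2 * i, hl - 2 * i, "%02x", d[i]);` with the temporary `b` dropped. `hl = l * 2 + 1` is evaluated in `u_int` and wraps for very large `l`, after which `xmalloc(hl)` is undersized; a guard such as `if (l > (UINT_MAX - 1) / 2) fatal("tohex: length too large");` closes that. A one-line comment at the definition stating that the caller owns and must `xfree()` the returned string would document the ownership transfer that the `misc.h` prototype does not convey.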
+++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.246 2005/06/25 22:47:49 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.247 2005/07/04 00:58:43 djm Exp $"); #include #include @@ -1250,41 +1250,44 @@ control_client(const char *path) error("Control socket connect(%.100s): %s", path, strerror(errno)); } - close(sock); - return; - } - - if (stdin_null_flag) { - if ((fd = open(_PATH_DEVNULL, O_RDONLY)) == -1) - fatal("open(/dev/null): %s", strerror(errno)); - if (dup2(fd, STDIN_FILENO) == -1) - fatal("dup2: %s", strerror(errno)); - if (fd > STDERR_FILENO) - close(fd); - } - - if ((term = getenv("TERM")) == NULL) - term = ""; + close(sock); + return; + } + + if (stdin_null_flag) { + if ((fd = open(_PATH_DEVNULL, O_RDONLY)) == -1) + fatal("open(/dev/null): %s", strerror(errno)); + if (dup2(fd, STDIN_FILENO) == -1) + fatal("dup2: %s", strerror(errno)); + if (fd > STDERR_FILENO) + close(fd); + } + + term = getenv("TERM"); flags = 0; if (tty_flag) flags |= SSHMUX_FLAG_TTY; if (subsystem_flag) flags |= SSHMUX_FLAG_SUBSYS; + if (options.forward_x11) + flags |= SSHMUX_FLAG_X11_FWD; + if (options.forward_agent) + flags |= SSHMUX_FLAG_AGENT_FWD; buffer_init(&m); /* Send our command to server */ buffer_put_int(&m, mux_command); buffer_put_int(&m, flags); - if (ssh_msg_send(sock, /* version */1, &m) == -1) + if (ssh_msg_send(sock, SSHMUX_VER, &m) == -1) fatal("%s: msg_send", __func__); buffer_clear(&m); /* Get authorisation status and PID of controlee */ if (ssh_msg_recv(sock, &m) == -1) fatal("%s: msg_recv", __func__); - if (buffer_get_char(&m) != 1) + if (buffer_get_char(&m) != SSHMUX_VER) fatal("%s: wrong version", __func__); if (buffer_get_int(&m) != 1) fatal("Connection to master denied"); @@ -1308,7 +1311,7 @@ control_client(const char *path) } /* SSHMUX_COMMAND_OPEN */ - buffer_put_cstring(&m, term); + buffer_put_cstring(&m, term ? term : ""); buffer_append(&command, "\0", 1); buffer_put_cstring(&m, buffer_ptr(&command)); 
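Review bot: The slave sets `SSHMUX_FLAG_X11_FWD` and `SSHMUX_FLAG_AGENT_FWD` from its own `options`, but the master (per the `client_extra_session2_setup` hunk above) honours them only when its own `options.forward_x11`/`options.forward_agent` are set and sends nothing back about it, so a slave started with forwarding enabled against a master configured without it proceeds with no diagnostic; a `debug()` here noting that forwarding is subject to the master's configuration, or a status bit in the master's reply, would make the outcome visible. The hunk also appears to re-indent the `close(sock); return; }` and `stdin_null_flag` block without changing its content, which hides the functional change to `term = getenv("TERM")`; keeping whitespace-only movement in a separate commit keeps the diff reviewable. `control_client` continues outside the hunk.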
@@ -1330,7 +1333,7 @@ control_client(const char *path) } } - if (ssh_msg_send(sock, /* version */1, &m) == -1) + if (ssh_msg_send(sock, SSHMUX_VER, &m) == -1) fatal("%s: msg_send", __func__); mm_send_fd(sock, STDIN_FILENO); @@ -1341,7 +1344,7 @@ control_client(const char *path) buffer_clear(&m); if (ssh_msg_recv(sock, &m) == -1) fatal("%s: msg_recv", __func__); - if (buffer_get_char(&m) != 1) + if (buffer_get_char(&m) != SSHMUX_VER) fatal("%s: wrong version", __func__); buffer_free(&m); diff --git a/ssh_config.5 b/ssh_config.5 index 3e7ca8f28..40774297c 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.57 2005/06/18 04:30:36 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.58 2005/07/04 00:58:43 djm Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -279,6 +279,12 @@ can not be opened, .Nm ssh will continue without connecting to a master instance. .Pp +X11 and +.Xr ssh-agent 4 +forwarding is supported over these multiplexed connections, however the +display and agent fowarded will be the one belonging to the master +connection. I.e. it is not possible to forward multiple displays or agents. +.Pp Two additional options allow for opportunistic multiplexing: try to use a master connection but fall back to creating a new one if one does not already exist. -- cgit v1.2.3 From 46d38de48b1018c74040d2399bafbedf50247529 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Sun, 17 Jul 2005 17:02:09 +1000 Subject: - djm@cvs.openbsd.org 2005/07/16 01:35:24 [auth1.c channels.c cipher.c clientloop.c kex.c session.c ssh.c] [sshconnect.c] spacing --- ChangeLog | 9 ++++++++- auth1.c | 4 ++-- channels.c | 4 ++-- cipher.c | 4 ++-- clientloop.c | 4 ++-- kex.c | 4 ++-- session.c | 12 ++++++------ ssh.c | 12 ++++++------ sshconnect.c | 4 ++-- 9 files changed, 32 insertions(+), 25 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index d46f02d2b..08b382213 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20050717 +- OpenBSD CVS Sync + - djm@cvs.openbsd.org 2005/07/16 01:35:24 + [auth1.c channels.c cipher.c clientloop.c kex.c session.c ssh.c] + [sshconnect.c] + spacing + 20050716 - (dtucker) [auth-pam.c] Ensure that only one side of the authentication socketpair stays open on in both the monitor and PAM process. Patch from @@ -2830,4 +2837,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3846 2005/07/16 01:33:06 dtucker Exp $ +$Id: ChangeLog,v 1.3847 2005/07/17 07:02:09 djm Exp $ diff --git a/auth1.c b/auth1.c index 0f6be8201..ff937f80f 100644 --- a/auth1.c +++ b/auth1.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.61 2005/06/17 02:44:32 djm Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.62 2005/07/16 01:35:24 djm Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -179,7 +179,7 @@ static int auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen) { char *challenge; - + if ((challenge = get_challenge(authctxt)) == NULL) return (0); diff --git a/channels.c b/channels.c index a7c69a066..b7ff85007 100644 --- a/channels.c +++ b/channels.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.220 2005/07/04 14:04:11 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.221 2005/07/16 01:35:24 djm Exp $"); #include "ssh.h" #include "ssh1.h" 
@@ -2986,7 +2986,7 @@ x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, /* Save protocol name. */ x11_saved_proto = xstrdup(proto); /* - * Extract real authentication data and generate fake data + * Extract real authentication data and generate fake data * of the same length. */ x11_saved_data = xmalloc(data_len); diff --git a/cipher.c b/cipher.c index fc1e2ae1c..0dddf270a 100644 --- a/cipher.c +++ b/cipher.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: cipher.c,v 1.76 2005/06/17 02:44:32 djm Exp $"); +RCSID("$OpenBSD: cipher.c,v 1.77 2005/07/16 01:35:24 djm Exp $"); #include "xmalloc.h" #include "log.h" @@ -249,7 +249,7 @@ cipher_init(CipherContext *cc, Cipher *cipher, cipher->name); #endif - if (cipher->discard_len > 0) { + if (cipher->discard_len > 0) { junk = xmalloc(cipher->discard_len); discard = xmalloc(cipher->discard_len); if (EVP_Cipher(&cc->evp, discard, junk, diff --git a/clientloop.c b/clientloop.c index 9611a5e3e..47f3c7ecd 100644 --- a/clientloop.c +++ b/clientloop.c @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.140 2005/07/04 00:58:43 djm Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.141 2005/07/16 01:35:24 djm Exp $"); #include "ssh.h" #include "ssh1.h" @@ -642,7 +642,7 @@ client_extra_session2_setup(int id, void *arg) if ((c = channel_lookup(id)) == NULL) fatal("%s: no channel for id %d", __func__, id); - display = getenv("DISPLAY"); + display = getenv("DISPLAY"); if (cctx->want_x_fwd && options.forward_x11 && display != NULL) { char *proto, *data; /* Get reasonable local authentication information. */ diff --git a/kex.c b/kex.c index 8736aa286..32c6d03ea 100644 --- a/kex.c +++ b/kex.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kex.c,v 1.61 2005/06/17 02:44:32 djm Exp $"); +RCSID("$OpenBSD: kex.c,v 1.62 2005/07/16 01:35:24 djm Exp $"); #include 
@@ -411,7 +411,7 @@ derive_key(Kex *kex, int id, u_int need, u_char *hash, BIGNUM *shared_secret) u_int have; int mdsz = EVP_MD_size(evp_md); u_char *digest; - + if (mdsz < 0) fatal("derive_key: mdsz < 0"); digest = xmalloc(roundup(need, mdsz)); diff --git a/session.c b/session.c index a1dc6835a..13c3b001f 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.182 2005/06/17 02:44:33 djm Exp $"); +RCSID("$OpenBSD: session.c,v 1.183 2005/07/16 01:35:24 djm Exp $"); #include "ssh.h" #include "ssh1.h" @@ -196,11 +196,11 @@ auth_input_request_forwarding(struct passwd * pw) static void display_loginmsg(void) { - if (buffer_len(&loginmsg) > 0) { - buffer_append(&loginmsg, "\0", 1); - printf("%s", (char *)buffer_ptr(&loginmsg)); - buffer_clear(&loginmsg); - } + if (buffer_len(&loginmsg) > 0) { + buffer_append(&loginmsg, "\0", 1); + printf("%s", (char *)buffer_ptr(&loginmsg)); + buffer_clear(&loginmsg); + } } void diff --git a/ssh.c b/ssh.c index 43d97abcc..cabc538e3 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.247 2005/07/04 00:58:43 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.248 2005/07/16 01:35:24 djm Exp $"); #include #include @@ -790,8 +790,8 @@ ssh_init_forwarding(void) for (i = 0; i < options.num_remote_forwards; i++) { debug("Remote connections from %.200s:%d forwarded to " "local address %.200s:%d", - (options.remote_forwards[i].listen_host == NULL) ? - (options.gateway_ports ? "*" : "LOCALHOST") : + (options.remote_forwards[i].listen_host == NULL) ? + (options.gateway_ports ? "*" : "LOCALHOST") : options.remote_forwards[i].listen_host, options.remote_forwards[i].listen_port, options.remote_forwards[i].connect_host, 
@@ -1037,7 +1037,7 @@ ssh_session2_setup(int id, void *arg) const char *display; int interactive = tty_flag; - display = getenv("DISPLAY"); + display = getenv("DISPLAY"); if (options.forward_x11 && display != NULL) { char *proto, *data; /* Get reasonable local authentication information. */ @@ -1253,7 +1253,7 @@ control_client(const char *path) close(sock); return; } - + if (stdin_null_flag) { if ((fd = open(_PATH_DEVNULL, O_RDONLY)) == -1) fatal("open(/dev/null): %s", strerror(errno)); @@ -1262,7 +1262,7 @@ control_client(const char *path) if (fd > STDERR_FILENO) close(fd); } - + term = getenv("TERM"); flags = 0; diff --git a/sshconnect.c b/sshconnect.c index 92f0f3800..84f287145 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.166 2005/06/17 22:53:47 djm Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.167 2005/07/16 01:35:24 djm Exp $"); #include @@ -404,7 +404,7 @@ ssh_exchange_identification(void) for (i = 0; i < sizeof(buf) - 1; i++) { size_t len = atomicio(read, connection_in, &buf[i], 1); - if (len != 1 && errno == EPIPE) + if (len != 1 && errno == EPIPE) fatal("ssh_exchange_identification: Connection closed by remote host"); else if (len != 1) fatal("ssh_exchange_identification: read: %.100s", strerror(errno)); -- cgit v1.2.3 From be1045dc588ff001674033bce06a65db73ad3654 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 12 Aug 2005 22:10:56 +1000 Subject: - djm@cvs.openbsd.org 2005/07/30 01:26:16 [ssh.c] fix -D listen_host initialisation, so it picks up gateway_ports setting correctly --- ChangeLog | 6 +++++- ssh.c | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index 711621873..835cada42 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -3,6 +3,10 @@ - markus@cvs.openbsd.org 2005/07/28 17:36:22 [packet.c] missing packet_init_compression(); from solar + - djm@cvs.openbsd.org 2005/07/30 01:26:16 + [ssh.c] + fix -D listen_host initialisation, so it picks up gateway_ports setting + correctly 20050810 - (dtucker) [configure.ac] Test libedit library and headers for compatibility. @@ -2913,4 +2917,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3866 2005/08/12 12:10:28 djm Exp $ +$Id: ChangeLog,v 1.3867 2005/08/12 12:10:56 djm Exp $ diff --git a/ssh.c b/ssh.c index cabc538e3..c9e5aac7a 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.248 2005/07/16 01:35:24 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.249 2005/07/30 01:26:16 djm Exp $"); #include #include @@ -439,7 +439,7 @@ again: fwd.listen_host = cleanhostname(fwd.listen_host); } else { fwd.listen_port = a2port(fwd.listen_host); - fwd.listen_host = ""; + fwd.listen_host = NULL; } if (fwd.listen_port == 0) { -- cgit v1.2.3
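Review bot: The change to `fwd.listen_host = NULL;` in the ssh.c hunk alters what an absent listen address means and deserves a comment on that line, because a reader seeing a bare `-D port` with no host will not know that a NULL host is the cue for the gateway_ports logic rather than an unset field. Something like `/* no host given: NULL lets gateway_ports choose the bind address */` would do; the same convention is visible for remote forwards in the ssh_init_forwarding debug hunk of the earlier spacing commit (`listen_host == NULL ? (gateway_ports ? "*" : "LOCALHOST")`). With gateway_ports off this keeps a `-D` SOCKS listener on loopback, which is the safe default, but any later code that hands listen_host to a string function without a NULL check would now need auditing; none is visible in this hunk. The enclosing option parsing (the `again:` label) starts and ends outside the hunk.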