From d558092522153caa627e33e4a76c6f64332bc609 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 14 May 2003 13:40:06 +1000 Subject: - (djm) RCSID sync w/ OpenBSD --- ssh.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'ssh.c') diff --git a/ssh.c b/ssh.c index 21bfc56e3..307b5f26a 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.190 2003/02/06 09:27:29 markus Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.191 2003/04/08 20:21:29 itojun Exp $"); #include #include -- cgit v1.2.3 From b1ca8bb159bba7cedebe8fa467bf29e4ab1a65be Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 14 May 2003 13:45:42 +1000 Subject: - markus@cvs.openbsd.org 2003/05/11 20:30:25 [channels.c clientloop.c serverloop.c session.c ssh.c] make channel_new() strdup the 'remote_name' (not the caller); ok theo --- ChangeLog | 5 ++++- channels.c | 29 +++++++++++------------------ clientloop.c | 9 ++++----- serverloop.c | 6 +++--- session.c | 4 ++-- ssh.c | 4 ++-- 6 files changed, 26 insertions(+), 31 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index 3f6e36681..795bae3c4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -42,6 +42,9 @@ rsa1 private or rsa1 public and ssh2 keys. this makes ssh-keygen -e fail for ssh1 keys more gracefully for example; report from itojun (netbsd pr 20550). + - markus@cvs.openbsd.org 2003/05/11 20:30:25 + [channels.c clientloop.c serverloop.c session.c ssh.c] + make channel_new() strdup the 'remote_name' (not the caller); ok theo 20030512 - (djm) Redhat spec: Don't install profile.d scripts when not @@ -1429,4 +1432,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2687 2003/05/14 03:45:22 djm Exp $ +$Id: ChangeLog,v 1.2688 2003/05/14 03:45:42 djm Exp $ diff --git a/channels.c b/channels.c index 27707a128..ad879cc61 100644 --- a/channels.c +++ b/channels.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.189 2003/04/14 14:17:50 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.190 2003/05/11 20:30:24 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -256,7 +256,7 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd, c->local_consumed = 0; c->local_maxpacket = maxpack; c->remote_id = -1; - c->remote_name = remote_name; + c->remote_name = xstrdup(remote_name); c->remote_window = 0; c->remote_maxpacket = 0; c->force_drain = 0; @@ -1013,8 +1013,7 @@ channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset) nc = channel_new("accepted x11 socket", SSH_CHANNEL_OPENING, newsock, newsock, -1, - c->local_window_max, c->local_maxpacket, - 0, xstrdup(buf), 1); + c->local_window_max, c->local_maxpacket, 0, buf, 1); if (compat20) { packet_start(SSH2_MSG_CHANNEL_OPEN); packet_put_cstring("x11"); @@ -1129,10 +1128,8 @@ channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset) return; } set_nodelay(newsock); - nc = channel_new(rtype, - nextstate, newsock, newsock, -1, - c->local_window_max, c->local_maxpacket, - 0, xstrdup(rtype), 1); + nc = channel_new(rtype, nextstate, newsock, newsock, -1, + c->local_window_max, c->local_maxpacket, 0, rtype, 1); nc->listening_port = c->listening_port; nc->host_port = c->host_port; strlcpy(nc->path, c->path, sizeof(nc->path)); @@ -1158,7 +1155,6 @@ static void channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset) { Channel *nc; - char *name; int newsock; struct sockaddr addr; socklen_t addrlen; @@ -1170,11 +1166,10 @@ channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset) error("accept from auth socket: %.100s", strerror(errno)); return; } - name = xstrdup("accepted auth socket"); nc = channel_new("accepted auth socket", SSH_CHANNEL_OPENING, newsock, newsock, -1, c->local_window_max, c->local_maxpacket, - 0, name, 1); + 0, "accepted auth socket", 1); if (compat20) { packet_start(SSH2_MSG_CHANNEL_OPEN); packet_put_cstring("auth-agent@openssh.com"); @@ -1996,8 +1991,8 @@ channel_input_port_open(int type, u_int32_t seq, void *ctxt) originator_string, 1); c->remote_id = remote_id; } + xfree(originator_string); if (c == NULL) { - xfree(originator_string); packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); packet_put_int(remote_id); packet_send(); @@ -2094,7 +2089,7 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por /* Allocate a channel number for the socket. */ c = channel_new("port listener", type, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, - 0, xstrdup("port listener"), 1); + 0, "port listener", 1); strlcpy(c->path, host, sizeof(c->path)); c->host_port = port_to_connect; c->listening_port = listen_port; @@ -2450,7 +2445,7 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost, nc = channel_new("x11 listener", SSH_CHANNEL_X11_LISTENER, sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, - 0, xstrdup("X11 inet listener"), 1); + 0, "X11 inet listener", 1); nc->single_connection = single_connection; } @@ -2607,11 +2602,11 @@ x11_input_open(int type, u_int32_t seq, void *ctxt) c->remote_id = remote_id; c->force_drain = 1; } + xfree(remote_host); if (c == NULL) { /* Send refusal to the remote host. */ packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); packet_put_int(remote_id); - xfree(remote_host); } else { /* Send a confirmation to the remote host. */ packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); @@ -2733,7 +2728,6 @@ auth_input_open_request(int type, u_int32_t seq, void *ctxt) { Channel *c = NULL; int remote_id, sock; - char *name; /* Read the remote channel number from the message. */ remote_id = packet_get_int(); @@ -2752,9 +2746,8 @@ auth_input_open_request(int type, u_int32_t seq, void *ctxt) * agent. */ if (sock >= 0) { - name = xstrdup("authentication agent connection"); c = channel_new("", SSH_CHANNEL_OPEN, sock, sock, - -1, 0, 0, 0, name, 1); + -1, 0, 0, 0, "authentication agent connection", 1); c->remote_id = remote_id; c->force_drain = 1; } diff --git a/clientloop.c b/clientloop.c index e4ef71632..e5270aa57 100644 --- a/clientloop.c +++ b/clientloop.c @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.109 2003/04/08 20:21:28 itojun Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.110 2003/05/11 20:30:24 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -1145,7 +1145,7 @@ client_request_forwarded_tcpip(const char *request_type, int rchan) c = channel_new("forwarded-tcpip", SSH_CHANNEL_CONNECTING, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0, - xstrdup(originator_address), 1); + originator_address, 1); xfree(originator_address); xfree(listen_address); return c; @@ -1181,8 +1181,7 @@ client_request_x11(const char *request_type, int rchan) return NULL; c = channel_new("x11", SSH_CHANNEL_X11_OPEN, sock, sock, -1, - CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, - xstrdup("x11"), 1); + CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); c->force_drain = 1; return c; } @@ -1204,7 +1203,7 @@ client_request_agent(const char *request_type, int rchan) c = channel_new("authentication agent connection", SSH_CHANNEL_OPEN, sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0, - xstrdup("authentication agent connection"), 1); + "authentication agent connection", 1); c->force_drain = 1; return c; } diff --git a/serverloop.c b/serverloop.c index 187afc716..39c2a488c 100644 --- a/serverloop.c +++ b/serverloop.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: serverloop.c,v 1.107 2003/04/02 09:48:07 markus Exp $"); +RCSID("$OpenBSD: serverloop.c,v 1.108 2003/05/11 20:30:24 markus Exp $"); #include "xmalloc.h" #include "packet.h" @@ -880,7 +880,7 @@ server_request_direct_tcpip(char *ctype) return NULL; c = channel_new(ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, - CHAN_TCP_PACKET_DEFAULT, 0, xstrdup("direct-tcpip"), 1); + CHAN_TCP_PACKET_DEFAULT, 0, "direct-tcpip", 1); return c; } @@ -899,7 +899,7 @@ server_request_session(char *ctype) */ c = channel_new(ctype, SSH_CHANNEL_LARVAL, -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT, - 0, xstrdup("server-session"), 1); + 0, "server-session", 1); if (session_open(xxx_authctxt, c->self) != 1) { debug("session open failed, free channel %d", c->self); channel_free(c); diff --git a/session.c b/session.c index f52bc6585..1a86f5f81 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.155 2003/04/08 20:21:29 itojun Exp $"); +RCSID("$OpenBSD: session.c,v 1.156 2003/05/11 20:30:25 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -192,7 +192,7 @@ auth_input_request_forwarding(struct passwd * pw) nc = channel_new("auth socket", SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, - 0, xstrdup("auth socket"), 1); + 0, "auth socket", 1); strlcpy(nc->path, auth_sock_name, sizeof(nc->path)); return 1; } diff --git a/ssh.c b/ssh.c index 307b5f26a..6f5a146fe 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.191 2003/04/08 20:21:29 itojun Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.192 2003/05/11 20:30:25 markus Exp $"); #include #include @@ -1132,7 +1132,7 @@ ssh_session2_open(void) c = channel_new( "session", SSH_CHANNEL_OPENING, in, out, err, window, packetmax, CHAN_EXTENDED_WRITE, - xstrdup("client-session"), /*nonblock*/0); + "client-session", /*nonblock*/0); debug3("ssh_session2_open: channel_new: %d", c->self); -- cgit v1.2.3 From 1ea7166019154c4e4c829ff5b170b778a5a4cab7 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 14 May 2003 22:33:58 +1000 Subject: - (djm) Bug #258: sscanf("[0-9]") -> sscanf("[0123456789]") for portability --- ChangeLog | 3 ++- ssh.c | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index 5f11ce1e7..46d14e74d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -84,6 +84,7 @@ - (djm) Die screaming if start_pam() is called when UsePAM=no - (djm) Avoid KrbV leak for MIT Kerberos - (dtucker) Set ai_socktype and ai_protocol in fake-getaddrinfo.c. ok djm@ + - (djm) Bug #258: sscanf("[0-9]") -> sscanf("[0123456789]") for portability 20030512 - (djm) Redhat spec: Don't install profile.d scripts when not @@ -1471,4 +1472,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2699 2003/05/14 11:48:51 dtucker Exp $ +$Id: ChangeLog,v 1.2700 2003/05/14 12:33:58 djm Exp $ diff --git a/ssh.c b/ssh.c index 6f5a146fe..0e2b7628e 100644 --- a/ssh.c +++ b/ssh.c @@ -427,9 +427,9 @@ again: case 'L': case 'R': - if (sscanf(optarg, "%5[0-9]:%255[^:]:%5[0-9]", + if (sscanf(optarg, "%5[0123456789]:%255[^:]:%5[0123456789]", sfwd_port, buf, sfwd_host_port) != 3 && - sscanf(optarg, "%5[0-9]/%255[^/]/%5[0-9]", + sscanf(optarg, "%5[0123456789]/%255[^/]/%5[0123456789]", sfwd_port, buf, sfwd_host_port) != 3) { fprintf(stderr, "Bad forwarding specification '%s'\n", -- cgit v1.2.3 From 6e80c36e2a2c733adedc65ae9fe272b74dc9a06c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 16 May 2003 11:38:00 +1000 Subject: - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2003/05/15 13:52:10 [ssh.c] Make "ssh -V" print the OpenSSL version in a human readable form. Patch from Craig Leres (mindrot at ee.lbl.gov); ok markus@ --- ChangeLog | 9 ++++++++- ssh.c | 6 +++--- 2 files changed, 11 insertions(+), 4 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index 6cf14ea84..801ca5a12 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20030516 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2003/05/15 13:52:10 + [ssh.c] + Make "ssh -V" print the OpenSSL version in a human readable form. Patch + from Craig Leres (mindrot at ee.lbl.gov); ok markus@ + 20030515 - (djm) OpenBSD CVS Sync - jmc@cvs.openbsd.org 2003/05/14 13:11:56 @@ -1528,4 +1535,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2723 2003/05/15 11:42:59 dtucker Exp $ +$Id: ChangeLog,v 1.2724 2003/05/16 01:38:00 djm Exp $ diff --git a/ssh.c b/ssh.c index 0e2b7628e..096116b8b 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.192 2003/05/11 20:30:25 markus Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.193 2003/05/15 13:52:10 djm Exp $"); #include #include @@ -357,11 +357,11 @@ again: /* fallthrough */ case 'V': fprintf(stderr, - "%s, SSH protocols %d.%d/%d.%d, OpenSSL 0x%8.8lx\n", + "%s, SSH protocols %d.%d/%d.%d, %s\n", SSH_VERSION, PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1, PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, - SSLeay()); + SSLeay_version(SSLEAY_VERSION)); if (opt == 'V') exit(0); break; -- cgit v1.2.3 From 7e1bbc55af32d8f5d81200323198c65b548faaad Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 18 May 2003 20:52:40 +1000 Subject: - (djm) Remove IPv4 by default hack now that we can specify AF in config --- ChangeLog | 3 ++- acconfig.h | 5 +---- configure.ac | 16 +--------------- ssh-keyscan.c | 4 ---- ssh.c | 4 ---- sshd.c | 4 ---- 6 files changed, 4 insertions(+), 32 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index 6b657c8ee..126f497aa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,7 @@ [readconf.c ssh_config ssh_config.5 ssh-keysign.c] add AddressFamily option to ssh_config (like -4, -6 on commandline). Portable bug #534; ok markus@ + - (djm) Remove IPv4 by default hack now that we can specify AF in config 20030517 - (bal) strcat -> strlcat on openbsd-compat/realpath.c (rev 1.8 OpenBSD) @@ -1561,4 +1562,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2733 2003/05/18 10:50:30 djm Exp $ +$Id: ChangeLog,v 1.2734 2003/05/18 10:52:40 djm Exp $ diff --git a/acconfig.h b/acconfig.h index 8ea6b9ab8..7914deb52 100644 --- a/acconfig.h +++ b/acconfig.h @@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.153 2003/05/15 02:27:08 djm Exp $ */ +/* $Id: acconfig.h,v 1.154 2003/05/18 10:52:40 djm Exp $ */ #ifndef _CONFIG_H #define _CONFIG_H @@ -295,9 +295,6 @@ /* Specify location of ssh.pid */ #undef _PATH_SSH_PIDDIR -/* Use IPv4 for connection by default, IPv6 can still if explicity asked */ -#undef IPV4_DEFAULT - /* getaddrinfo is broken (if present) */ #undef BROKEN_GETADDRINFO diff --git a/configure.ac b/configure.ac index 99a85264c..bdc198592 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.121 2003/05/15 11:42:59 dtucker Exp $ +# $Id: configure.ac,v 1.122 2003/05/18 10:52:40 djm Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -95,7 +95,6 @@ case "$host" in AC_DEFINE(HAVE_CYGWIN) AC_DEFINE(USE_PIPES) AC_DEFINE(DISABLE_SHADOW) - AC_DEFINE(IPV4_DEFAULT) AC_DEFINE(IP_TOS_IS_BROKEN) AC_DEFINE(NO_X11_UNIX_SOCKETS) AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) @@ -2249,18 +2248,6 @@ AC_ARG_WITH(superuser-path, ) -# Whether to force IPv4 by default (needed on broken glibc Linux) -IPV4_HACK_MSG="no" -AC_ARG_WITH(ipv4-default, - [ --with-ipv4-default Use IPv4 by connections unless '-6' specified], - [ - if test "x$withval" != "xno" ; then - AC_DEFINE(IPV4_DEFAULT) - IPV4_HACK_MSG="yes" - fi - ] -) - AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses]) IPV4_IN6_HACK_MSG="no" AC_ARG_WITH(4in6, @@ -2601,7 +2588,6 @@ echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" echo " MD5 password support: $MD5_MSG" echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" -echo " Use IPv4 by default hack: $IPV4_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" echo " BSD Auth support: $BSD_AUTH_MSG" echo " Random number source: $RAND_MSG" diff --git a/ssh-keyscan.c b/ssh-keyscan.c index 6b1954269..e2cd789b5 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c @@ -31,11 +31,7 @@ RCSID("$OpenBSD: ssh-keyscan.c,v 1.43 2003/04/26 04:29:49 deraadt Exp $"); /* Flag indicating whether IPv4 or IPv6. This can be set on the command line. Default value is AF_UNSPEC means both IPv4 and IPv6. */ -#ifdef IPV4_DEFAULT -int IPv4or6 = AF_INET; -#else int IPv4or6 = AF_UNSPEC; -#endif int ssh_port = SSH_DEFAULT_PORT; diff --git a/ssh.c b/ssh.c index 096116b8b..480bd85e6 100644 --- a/ssh.c +++ b/ssh.c @@ -81,11 +81,7 @@ char *__progname; /* Flag indicating whether IPv4 or IPv6. This can be set on the command line. Default value is AF_UNSPEC means both IPv4 and IPv6. */ -#ifdef IPV4_DEFAULT -int IPv4or6 = AF_INET; -#else int IPv4or6 = AF_UNSPEC; -#endif /* Flag indicating whether debug mode is on. This can be set on the command line. */ int debug_flag = 0; diff --git a/sshd.c b/sshd.c index c0221bea7..65837c938 100644 --- a/sshd.c +++ b/sshd.c @@ -112,11 +112,7 @@ char *config_file_name = _PATH_SERVER_CONFIG_FILE; * Flag indicating whether IPv4 or IPv6. This can be set on the command line. * Default value is AF_UNSPEC means both IPv4 and IPv6. */ -#ifdef IPV4_DEFAULT -int IPv4or6 = AF_INET; -#else int IPv4or6 = AF_UNSPEC; -#endif /* * Debug mode flag. This can be set on the command line. If debug -- cgit v1.2.3 From 56a0bb07c47285fe78268c95650032ab0ea667cd Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 18 Jun 2003 20:28:40 +1000 Subject: - markus@cvs.openbsd.org 2003/06/12 19:12:03 [scard.c scard.h ssh-agent.c ssh.c] add sc_get_key_label; larsch at trustcenter.de; bugzilla#591 --- ChangeLog | 5 ++++- scard.c | 9 ++++++++- scard.h | 3 ++- ssh-agent.c | 4 ++-- ssh.c | 4 ++-- 5 files changed, 18 insertions(+), 7 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index f5d3b36f0..2ccd501ab 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ - nino@cvs.openbsd.org 2003/06/12 15:34:09 [scp.c] Typo. Ok markus@. + - markus@cvs.openbsd.org 2003/06/12 19:12:03 + [scard.c scard.h ssh-agent.c ssh.c] + add sc_get_key_label; larsch at trustcenter.de; bugzilla#591 20030614 - (djm) Update license on fake-rfc2553.[ch]; ok itojun@ @@ -524,4 +527,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2804 2003/06/18 10:26:34 djm Exp $ +$Id: ChangeLog,v 1.2805 2003/06/18 10:28:40 djm Exp $ diff --git a/scard.c b/scard.c index 65f8bff14..906287ba2 100644 --- a/scard.c +++ b/scard.c @@ -24,7 +24,7 @@ #include "includes.h" #if defined(SMARTCARD) && defined(USE_SECTOK) -RCSID("$OpenBSD: scard.c,v 1.27 2003/04/08 20:21:29 itojun Exp $"); +RCSID("$OpenBSD: scard.c,v 1.28 2003/06/12 19:12:02 markus Exp $"); #include #include @@ -554,4 +554,11 @@ done: sectok_close(fd); return (status); } + +char * +sc_get_key_label(Key *key) +{ + return xstrdup("smartcard key"); +} + #endif /* SMARTCARD && USE_SECTOK */ diff --git a/scard.h b/scard.h index 00999cb09..9ba20a361 100644 --- a/scard.h +++ b/scard.h @@ -1,4 +1,4 @@ -/* $OpenBSD: scard.h,v 1.11 2002/06/30 21:59:45 deraadt Exp $ */ +/* $OpenBSD: scard.h,v 1.12 2003/06/12 19:12:03 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -36,5 +36,6 @@ Key **sc_get_keys(const char *, const char *); void sc_close(void); int sc_put_key(Key *, const char *); +char *sc_get_key_label(Key *); #endif diff --git a/ssh-agent.c b/ssh-agent.c index 61ea34580..6c8ff30dd 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -35,7 +35,7 @@ #include "includes.h" #include "openbsd-compat/sys-queue.h" -RCSID("$OpenBSD: ssh-agent.c,v 1.110 2003/06/11 11:18:38 djm Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.111 2003/06/12 19:12:03 markus Exp $"); #include #include @@ -618,7 +618,7 @@ process_add_smartcard_key (SocketEntry *e) if (lookup_identity(k, version) == NULL) { id = xmalloc(sizeof(Identity)); id->key = k; - id->comment = xstrdup("smartcard key"); + id->comment = sc_get_key_label(k); id->death = death; id->confirm = confirm; TAILQ_INSERT_TAIL(&tab->idlist, id, next); diff --git a/ssh.c b/ssh.c index 480bd85e6..0142e7fad 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.193 2003/05/15 13:52:10 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.194 2003/06/12 19:12:03 markus Exp $"); #include #include @@ -1180,7 +1180,7 @@ load_public_identity_files(void) sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1)); options.num_identity_files++; options.identity_keys[0] = keys[i]; - options.identity_files[0] = xstrdup("smartcard key");; + options.identity_files[0] = sc_get_key_label(keys[i]); } if (options.num_identity_files > SSH_MAX_IDENTITY_FILES) options.num_identity_files = SSH_MAX_IDENTITY_FILES; -- cgit v1.2.3 From 3f521e21c0b94cd0ac4752d60a9f9b4dfa9bf3f8 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 3 Jul 2003 16:20:42 +1000 Subject: - markus@cvs.openbsd.org 2003/07/02 20:37:48 [ssh.c] convert hostkeyalias to lowercase, otherwise uppercase aliases will not match at all; ok henning@ --- ChangeLog | 6 +++++- ssh.c | 9 ++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index 9c960f13d..a21f7b9f9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,10 @@ (re)add socks5 suppport to -D; ok djm@ now ssh(1) can act both as a socks 4 and socks 5 server and dynamically forward ports. + - markus@cvs.openbsd.org 2003/07/02 20:37:48 + [ssh.c] + convert hostkeyalias to lowercase, otherwise uppercase aliases will + not match at all; ok henning@ 20030630 - (djm) Search for support functions necessary to build our @@ -640,4 +644,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2840 2003/07/03 03:55:19 dtucker Exp $ +$Id: ChangeLog,v 1.2841 2003/07/03 06:20:42 dtucker Exp $ diff --git a/ssh.c b/ssh.c index 0142e7fad..a86f9204f 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.194 2003/06/12 19:12:03 markus Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.195 2003/07/02 20:37:48 markus Exp $"); #include #include @@ -597,6 +597,13 @@ again: if (options.hostname != NULL) host = options.hostname; + /* force lowercase for hostkey matching */ + if (options.host_key_alias != NULL) { + for (p = options.host_key_alias; *p; p++) + if (isupper(*p)) + *p = tolower(*p); + } + if (options.proxy_command != NULL && strcmp(options.proxy_command, "none") == 0) options.proxy_command = NULL; -- cgit v1.2.3 From 0a4f04b5b255d116e4de441c93a867aac9f616ee Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 3 Jul 2003 20:37:47 +1000 Subject: - djm@cvs.openbsd.org 2003/07/03 08:09:06 [readconf.c readconf.h ssh-keysign.c ssh.c] fix AddressFamily option in config file, from brent@graveland.net; ok markus@ --- ChangeLog | 6 +++++- readconf.c | 15 ++++++++++----- readconf.h | 3 ++- ssh-keysign.c | 3 +-- ssh.c | 17 +++++++---------- 5 files changed, 25 insertions(+), 19 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index 513b0f109..7ee25f842 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,10 @@ - markus@cvs.openbsd.org 2003/07/03 08:24:13 [regress/Makefile] enable tests for dynamic fwd via socks (-D), uses nc(1) + - djm@cvs.openbsd.org 2003/07/03 08:09:06 + [readconf.c readconf.h ssh-keysign.c ssh.c] + fix AddressFamily option in config file, from brent@graveland.net; + ok markus@ 20030630 - (djm) Search for support functions necessary to build our @@ -650,4 +654,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2843 2003/07/03 10:27:55 dtucker Exp $ +$Id: ChangeLog,v 1.2844 2003/07/03 10:37:47 dtucker Exp $ diff --git a/readconf.c b/readconf.c index a01d7a33e..3c08f7638 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.113 2003/06/26 20:08:33 markus Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.114 2003/07/03 08:09:05 djm Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -288,7 +288,6 @@ process_config_line(Options *options, const char *host, size_t len; u_short fwd_port, fwd_host_port; char sfwd_host_port[6]; - extern int IPv4or6; /* Strip trailing whitespace */ for(len = strlen(line) - 1; len > 0; len--) { @@ -727,14 +726,17 @@ parse_int: case oAddressFamily: arg = strdelim(&s); + intptr = &options->address_family; if (strcasecmp(arg, "inet") == 0) - IPv4or6 = AF_INET; + value = AF_INET; else if (strcasecmp(arg, "inet6") == 0) - IPv4or6 = AF_INET6; + value = AF_INET6; else if (strcasecmp(arg, "any") == 0) - IPv4or6 = AF_UNSPEC; + value = AF_UNSPEC; else fatal("Unsupported AddressFamily \"%s\"", arg); + if (*activep && *intptr == -1) + *intptr = value; break; case oEnableSSHKeysign: @@ -839,6 +841,7 @@ initialize_options(Options * options) options->keepalives = -1; options->compression_level = -1; options->port = -1; + options->address_family = -1; options->connection_attempts = -1; options->connection_timeout = -1; options->number_of_password_prompts = -1; @@ -926,6 +929,8 @@ fill_default_options(Options * options) options->compression_level = 6; if (options->port == -1) options->port = 0; /* Filled in ssh_connect. */ + if (options->address_family == -1) + options->address_family = AF_UNSPEC; if (options->connection_attempts == -1) options->connection_attempts = 1; if (options->number_of_password_prompts == -1) diff --git a/readconf.h b/readconf.h index c884de68b..4e0b74318 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.50 2003/05/15 14:55:25 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.51 2003/07/03 08:09:06 djm Exp $ */ /* * Author: Tatu Ylonen @@ -58,6 +58,7 @@ typedef struct { LogLevel log_level; /* Level for logging. */ int port; /* Port to connect. */ + int address_family; int connection_attempts; /* Max attempts (seconds) before * giving up */ int connection_timeout; /* Max time (seconds) before diff --git a/ssh-keysign.c b/ssh-keysign.c index 063364ee7..c7ca5c4e4 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c @@ -22,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: ssh-keysign.c,v 1.12 2003/05/16 03:27:12 djm Exp $"); +RCSID("$OpenBSD: ssh-keysign.c,v 1.13 2003/07/03 08:09:06 djm Exp $"); #include #include @@ -44,7 +44,6 @@ RCSID("$OpenBSD: ssh-keysign.c,v 1.12 2003/05/16 03:27:12 djm Exp $"); /* XXX readconf.c needs these */ uid_t original_real_uid; -int IPv4or6; #ifdef HAVE___PROGNAME extern char *__progname; diff --git a/ssh.c b/ssh.c index a86f9204f..1f1f06834 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.195 2003/07/02 20:37:48 markus Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.196 2003/07/03 08:09:06 djm Exp $"); #include #include @@ -79,10 +79,6 @@ extern char *__progname; char *__progname; #endif -/* Flag indicating whether IPv4 or IPv6. This can be set on the command line. - Default value is AF_UNSPEC means both IPv4 and IPv6. */ -int IPv4or6 = AF_UNSPEC; - /* Flag indicating whether debug mode is on. This can be set on the command line. */ int debug_flag = 0; @@ -280,10 +276,10 @@ again: options.protocol = SSH_PROTO_2; break; case '4': - IPv4or6 = AF_INET; + options.address_family = AF_INET; break; case '6': - IPv4or6 = AF_INET6; + options.address_family = AF_INET6; break; case 'n': stdin_null_flag = 1; @@ -514,7 +510,6 @@ again: SSLeay_add_all_algorithms(); ERR_load_crypto_strings(); - channel_set_af(IPv4or6); /* Initialize the command to execute on remote host. */ buffer_init(&command); @@ -586,6 +581,8 @@ again: /* Fill configuration defaults. */ fill_default_options(&options); + channel_set_af(options.address_family); + /* reinit */ log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1); @@ -621,8 +618,8 @@ again: } /* Open a connection to the remote host. */ - if (ssh_connect(host, &hostaddr, options.port, IPv4or6, - options.connection_attempts, + if (ssh_connect(host, &hostaddr, options.port, + options.address_family, options.connection_attempts, #ifdef HAVE_CYGWIN options.use_privileged_port, #else -- cgit v1.2.3 From e98dfa323e7f7dc57afb70f99851a596f3194047 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 19 Jul 2003 19:54:31 +1000 Subject: - markus@cvs.openbsd.org 2003/07/16 10:34:53 [ssh.c sshd.c] don't exit on multiple -v or -d; ok deraadt@ --- ChangeLog | 5 ++++- ssh.c | 12 ++++++------ sshd.c | 10 +++------- 3 files changed, 13 insertions(+), 14 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index 03411c46b..78e70b107 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,9 @@ [sshd.c] remove undocumented -V option. would be only useful if openssh is used as ssh v1 server for ssh.com's ssh v2. + - markus@cvs.openbsd.org 2003/07/16 10:34:53 + [ssh.c sshd.c] + don't exit on multiple -v or -d; ok deraadt@ 20030714 - (dtucker) [acconfig.h configure.ac port-aix.c] Older AIXes don't declare @@ -702,4 +705,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2858 2003/07/19 09:52:28 dtucker Exp $ +$Id: ChangeLog,v 1.2859 2003/07/19 09:54:31 dtucker Exp $ diff --git a/ssh.c b/ssh.c index 1f1f06834..2bcd5871e 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.196 2003/07/03 08:09:06 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.197 2003/07/16 10:34:53 markus Exp $"); #include #include @@ -338,14 +338,14 @@ again: tty_flag = 1; break; case 'v': - if (0 == debug_flag) { + if (debug_flag == 0) { debug_flag = 1; options.log_level = SYSLOG_LEVEL_DEBUG1; - } else if (options.log_level < SYSLOG_LEVEL_DEBUG3) { - options.log_level++; + } else { + if (options.log_level < SYSLOG_LEVEL_DEBUG3) + options.log_level++; break; - } else - fatal("Too high debugging level."); + } /* fallthrough */ case 'V': fprintf(stderr, diff --git a/sshd.c b/sshd.c index e3748da7d..a8cb966b0 100644 --- a/sshd.c +++ b/sshd.c @@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.272 2003/07/14 12:36:37 markus Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.273 2003/07/16 10:34:53 markus Exp $"); #include #include @@ -851,15 +851,11 @@ main(int ac, char **av) config_file_name = optarg; break; case 'd': - if (0 == debug_flag) { + if (debug_flag == 0) { debug_flag = 1; options.log_level = SYSLOG_LEVEL_DEBUG1; - } else if (options.log_level < SYSLOG_LEVEL_DEBUG3) { + } else if (options.log_level < SYSLOG_LEVEL_DEBUG3) options.log_level++; - } else { - fprintf(stderr, "Too high debugging level.\n"); - exit(1); - } break; case 'D': no_daemon_flag = 1; -- cgit v1.2.3 From 6aaa58c4709c43ffb9f3f2be299cd5c4044f24a3 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 2 Aug 2003 22:24:49 +1000 Subject: - (dtucker) OpenBSD CVS Sync - markus@cvs.openbsd.org 2003/07/22 13:35:22 [auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h] remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@ - (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support. - (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files. I hope I got this right.... --- ChangeLog | 11 +- Makefile.in | 6 +- acconfig.h | 8 +- auth-krb4.c | 368 --------------------------------------------------------- auth-passwd.c | 10 +- auth.h | 19 +-- auth1.c | 45 +------ configure.ac | 87 +------------- monitor.c | 54 +-------- monitor.h | 1 - monitor_wrap.c | 38 +----- monitor_wrap.h | 5 +- radix.c | 158 ------------------------- radix.h | 28 ----- readconf.c | 17 +-- readconf.h | 3 +- servconf.c | 25 +--- servconf.h | 3 +- session.c | 57 +-------- ssh.1 | 4 +- ssh.c | 9 +- ssh.h | 5 +- ssh_config.5 | 10 +- sshconnect1.c | 287 +------------------------------------------- sshd.c | 21 +--- sshd_config.5 | 9 +- 26 files changed, 52 insertions(+), 1236 deletions(-) delete mode 100644 auth-krb4.c delete mode 100644 radix.c delete mode 100644 radix.h (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index c930ad347..67ca07ce4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,14 @@ 20030802 - (dtucker) [monitor.h monitor_wrap.h] Remove excess ident tags. + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/07/22 13:35:22 + [auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c + monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1 + ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h] + remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); + test+ok henning@ + - (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support. + - (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files. 20030730 - (djm) [auth-pam.c] Don't use crappy APIs like sprintf. Thanks bal @@ -738,4 +747,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2868 2003/08/02 10:37:03 dtucker Exp $ +$Id: ChangeLog,v 1.2869 2003/08/02 12:24:49 dtucker Exp $ diff --git a/Makefile.in b/Makefile.in index 4252ae6f3..c5674c735 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.238 2003/06/05 08:53:43 djm Exp $ +# $Id: Makefile.in,v 1.239 2003/08/02 12:24:49 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -63,7 +63,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \ cipher.o cipher-aes.o cipher-bf1.o cipher-ctr.o cipher-3des1.o \ compat.o compress.o crc32.o deattack.o fatal.o \ - hostfile.o log.o match.o mpaux.o nchan.o packet.o radix.o \ + hostfile.o log.o match.o mpaux.o nchan.o packet.o \ readpass.o rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \ key.o dispatch.o kex.o mac.o uuencode.o misc.o \ rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \ @@ -81,7 +81,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o \ monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \ kexdhs.o kexgexs.o \ - auth-krb5.o auth2-krb5.o auth-krb4.o \ + auth-krb5.o auth2-krb5.o \ loginrec.o auth-pam.o auth-sia.o md5crypt.o MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out diff --git a/acconfig.h b/acconfig.h index 0af93663c..24c07beed 100644 --- a/acconfig.h +++ b/acconfig.h @@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.159 2003/07/14 06:21:44 dtucker Exp $ */ +/* $Id: acconfig.h,v 1.160 2003/08/02 12:24:49 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -238,12 +238,6 @@ /* Define this if you are using the Heimdal version of Kerberos V5 */ #undef HEIMDAL -/* Define if you want Kerberos 4 support */ -#undef KRB4 - -/* Define if you want AFS support */ -#undef AFS - /* Define if you want S/Key support */ #undef SKEY diff --git a/auth-krb4.c b/auth-krb4.c deleted file mode 100644 index 9e1c800be..000000000 --- a/auth-krb4.c +++ /dev/null @@ -1,368 +0,0 @@ -/* - * Copyright (c) 1999 Dug Song. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "includes.h" -RCSID("$OpenBSD: auth-krb4.c,v 1.30 2003/04/08 20:21:28 itojun Exp $"); - -#include "ssh.h" -#include "ssh1.h" -#include "packet.h" -#include "xmalloc.h" -#include "log.h" -#include "servconf.h" -#include "uidswap.h" -#include "auth.h" - -#ifdef AFS -#include "radix.h" -#endif - -#ifdef KRB4 -extern ServerOptions options; - -static int -krb4_init(void *context) -{ - static int cleanup_registered = 0; - Authctxt *authctxt = (Authctxt *)context; - const char *tkt_root = TKT_ROOT; - struct stat st; - int fd; - - if (!authctxt->krb4_ticket_file) { - /* Set unique ticket string manually since we're still root. */ - authctxt->krb4_ticket_file = xmalloc(MAXPATHLEN); -#ifdef AFS - if (lstat("/ticket", &st) != -1) - tkt_root = "/ticket/"; -#endif /* AFS */ - snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%ld", - tkt_root, authctxt->pw->pw_uid, (long)getpid()); - krb_set_tkt_string(authctxt->krb4_ticket_file); - } - /* Register ticket cleanup in case of fatal error. */ - if (!cleanup_registered) { - fatal_add_cleanup(krb4_cleanup_proc, authctxt); - cleanup_registered = 1; - } - /* Try to create our ticket file. */ - if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) { - close(fd); - return (1); - } - /* Ticket file exists - make sure user owns it (just passed ticket). */ - if (lstat(authctxt->krb4_ticket_file, &st) != -1) { - if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) && - st.st_uid == authctxt->pw->pw_uid) - return (1); - } - /* Failure - cancel cleanup function, leaving ticket for inspection. */ - logit("WARNING: bad ticket file %s", authctxt->krb4_ticket_file); - - fatal_remove_cleanup(krb4_cleanup_proc, authctxt); - cleanup_registered = 0; - - xfree(authctxt->krb4_ticket_file); - authctxt->krb4_ticket_file = NULL; - - return (0); -} - -/* - * try krb4 authentication, - * return 1 on success, 0 on failure, -1 if krb4 is not available - */ -int -auth_krb4_password(Authctxt *authctxt, const char *password) -{ - AUTH_DAT adata; - KTEXT_ST tkt; - struct hostent *hp; - struct passwd *pw; - char localhost[MAXHOSTNAMELEN], phost[INST_SZ], realm[REALM_SZ]; - u_int32_t faddr; - int r; - - if ((pw = authctxt->pw) == NULL) - return (0); - - /* - * Try Kerberos password authentication only for non-root - * users and only if Kerberos is installed. - */ - if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) { - /* Set up our ticket file. */ - if (!krb4_init(authctxt)) { - logit("Couldn't initialize Kerberos ticket file for %s!", - pw->pw_name); - goto failure; - } - /* Try to get TGT using our password. */ - r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm, - "krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password); - if (r != INTK_OK) { - debug("Kerberos v4 password authentication for %s " - "failed: %s", pw->pw_name, krb_err_txt[r]); - goto failure; - } - /* Successful authentication. */ - chown(tkt_string(), pw->pw_uid, pw->pw_gid); - - /* - * Now that we have a TGT, try to get a local - * "rcmd" ticket to ensure that we are not talking - * to a bogus Kerberos server. - */ - gethostname(localhost, sizeof(localhost)); - strlcpy(phost, (char *)krb_get_phost(localhost), - sizeof(phost)); - r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33); - - if (r == KSUCCESS) { - if ((hp = gethostbyname(localhost)) == NULL) { - logit("Couldn't get local host address!"); - goto failure; - } - memmove((void *)&faddr, (void *)hp->h_addr, - sizeof(faddr)); - - /* Verify our "rcmd" ticket. */ - r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost, - faddr, &adata, ""); - if (r == RD_AP_UNDEC) { - /* - * Probably didn't have a srvtab on - * localhost. Disallow login. - */ - logit("Kerberos v4 TGT for %s unverifiable, " - "no srvtab installed? krb_rd_req: %s", - pw->pw_name, krb_err_txt[r]); - goto failure; - } else if (r != KSUCCESS) { - logit("Kerberos v4 %s ticket unverifiable: %s", - KRB4_SERVICE_NAME, krb_err_txt[r]); - goto failure; - } - } else if (r == KDC_PR_UNKNOWN) { - /* - * Disallow login if no rcmd service exists, and - * log the error. - */ - logit("Kerberos v4 TGT for %s unverifiable: %s; %s.%s " - "not registered, or srvtab is wrong?", pw->pw_name, - krb_err_txt[r], KRB4_SERVICE_NAME, phost); - goto failure; - } else { - /* - * TGT is bad, forget it. Possibly spoofed! - */ - debug("WARNING: Kerberos v4 TGT possibly spoofed " - "for %s: %s", pw->pw_name, krb_err_txt[r]); - goto failure; - } - /* Authentication succeeded. */ - return (1); - } else - /* Logging in as root or no local Kerberos realm. */ - debug("Unable to authenticate to Kerberos."); - - failure: - krb4_cleanup_proc(authctxt); - - if (!options.kerberos_or_local_passwd) - return (0); - - /* Fall back to ordinary passwd authentication. */ - return (-1); -} - -void -krb4_cleanup_proc(void *context) -{ - Authctxt *authctxt = (Authctxt *)context; - debug("krb4_cleanup_proc called"); - if (authctxt->krb4_ticket_file) { - (void) dest_tkt(); - xfree(authctxt->krb4_ticket_file); - authctxt->krb4_ticket_file = NULL; - } -} - -int -auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply) -{ - AUTH_DAT adat = {0}; - Key_schedule schedule; - struct sockaddr_in local, foreign; - char instance[INST_SZ]; - socklen_t slen; - u_int cksum; - int r, s; - - s = packet_get_connection_in(); - - slen = sizeof(local); - memset(&local, 0, sizeof(local)); - if (getsockname(s, (struct sockaddr *) & local, &slen) < 0) - debug("getsockname failed: %.100s", strerror(errno)); - slen = sizeof(foreign); - memset(&foreign, 0, sizeof(foreign)); - if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) { - debug("getpeername failed: %.100s", strerror(errno)); - fatal_cleanup(); - } - instance[0] = '*'; - instance[1] = 0; - - /* Get the encrypted request, challenge, and session key. */ - if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, - 0, &adat, ""))) { - debug("Kerberos v4 krb_rd_req: %.100s", krb_err_txt[r]); - return (0); - } - des_key_sched((des_cblock *) adat.session, schedule); - - *client = xmalloc(MAX_K_NAME_SZ); - (void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname, - *adat.pinst ? "." : "", adat.pinst, adat.prealm); - - /* Check ~/.klogin authorization now. */ - if (kuserok(&adat, authctxt->user) != KSUCCESS) { - logit("Kerberos v4 .klogin authorization failed for %s to " - "account %s", *client, authctxt->user); - xfree(*client); - *client = NULL; - return (0); - } - /* Increment the checksum, and return it encrypted with the - session key. */ - cksum = adat.checksum + 1; - cksum = htonl(cksum); - - /* If we can't successfully encrypt the checksum, we send back an - empty message, admitting our failure. */ - if ((r = krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1, - schedule, &adat.session, &local, &foreign)) < 0) { - debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]); - reply->dat[0] = 0; - reply->length = 0; - } else - reply->length = r; - - /* Clear session key. */ - memset(&adat.session, 0, sizeof(adat.session)); - return (1); -} -#endif /* KRB4 */ - -#ifdef AFS -int -auth_krb4_tgt(Authctxt *authctxt, const char *string) -{ - CREDENTIALS creds; - struct passwd *pw; - - if ((pw = authctxt->pw) == NULL) - goto failure; - - temporarily_use_uid(pw); - - if (!radix_to_creds(string, &creds)) { - logit("Protocol error decoding Kerberos v4 TGT"); - goto failure; - } - if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */ - strlcpy(creds.service, "krbtgt", sizeof creds.service); - - if (strcmp(creds.service, "krbtgt")) { - logit("Kerberos v4 TGT (%s%s%s@%s) rejected for %s", - creds.pname, creds.pinst[0] ? "." : "", creds.pinst, - creds.realm, pw->pw_name); - goto failure; - } - if (!krb4_init(authctxt)) - goto failure; - - if (in_tkt(creds.pname, creds.pinst) != KSUCCESS) - goto failure; - - if (save_credentials(creds.service, creds.instance, creds.realm, - creds.session, creds.lifetime, creds.kvno, &creds.ticket_st, - creds.issue_date) != KSUCCESS) { - debug("Kerberos v4 TGT refused: couldn't save credentials"); - goto failure; - } - /* Successful authentication, passed all checks. */ - chown(tkt_string(), pw->pw_uid, pw->pw_gid); - - debug("Kerberos v4 TGT accepted (%s%s%s@%s)", - creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm); - memset(&creds, 0, sizeof(creds)); - - restore_uid(); - - return (1); - - failure: - krb4_cleanup_proc(authctxt); - memset(&creds, 0, sizeof(creds)); - restore_uid(); - - return (0); -} - -int -auth_afs_token(Authctxt *authctxt, const char *token_string) -{ - CREDENTIALS creds; - struct passwd *pw; - uid_t uid; - - if ((pw = authctxt->pw) == NULL) - return (0); - - if (!radix_to_creds(token_string, &creds)) { - logit("Protocol error decoding AFS token"); - return (0); - } - if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */ - strlcpy(creds.service, "afs", sizeof creds.service); - - if (strncmp(creds.pname, "AFS ID ", 7) == 0) - uid = atoi(creds.pname + 7); - else - uid = pw->pw_uid; - - if (kafs_settoken(creds.realm, uid, &creds)) { - logit("AFS token (%s@%s) rejected for %s", - creds.pname, creds.realm, pw->pw_name); - memset(&creds, 0, sizeof(creds)); - return (0); - } - debug("AFS token accepted (%s@%s)", creds.pname, creds.realm); - memset(&creds, 0, sizeof(creds)); - - return (1); -} -#endif /* AFS */ diff --git a/auth-passwd.c b/auth-passwd.c index c0b7f725f..780e92344 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -36,7 +36,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $"); +RCSID("$OpenBSD: auth-passwd.c,v 1.28 2003/07/22 13:35:22 markus Exp $"); #include "packet.h" #include "log.h" @@ -131,14 +131,6 @@ auth_password(Authctxt *authctxt, const char *password) return (authsuccess); } # endif -# ifdef KRB4 - if (options.kerberos_authentication == 1) { - int ret = auth_krb4_password(authctxt, password); - if (ret == 1 || ret == 0) - return ret; - /* Fall back to ordinary passwd authentication. */ - } -# endif # ifdef BSD_AUTH if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh", (char *)password) == 0) diff --git a/auth.h b/auth.h index 776e4195c..1ed92e018 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.42 2003/04/16 14:35:27 markus Exp $ */ +/* $OpenBSD: auth.h,v 1.43 2003/07/22 13:35:22 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -60,9 +60,6 @@ struct Authctxt { #ifdef BSD_AUTH auth_session_t *as; #endif -#ifdef KRB4 - char *krb4_ticket_file; -#endif #ifdef KRB5 krb5_context krb5_ctx; krb5_auth_context krb5_auth_ctx; @@ -117,20 +114,6 @@ int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); int user_key_allowed(struct passwd *, Key *); -#ifdef KRB4 -#include -int auth_krb4(Authctxt *, KTEXT, char **, KTEXT); -int auth_krb4_password(Authctxt *, const char *); -void krb4_cleanup_proc(void *); - -#ifdef AFS -#include -int auth_krb4_tgt(Authctxt *, const char *); -int auth_afs_token(Authctxt *, const char *); -#endif /* AFS */ - -#endif /* KRB4 */ - #ifdef KRB5 int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *); int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt); diff --git a/auth1.c b/auth1.c index 6cb0b04b2..877e2e62d 100644 --- a/auth1.c +++ b/auth1.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.48 2003/04/08 20:21:28 itojun Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.49 2003/07/22 13:35:22 markus Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -49,7 +49,7 @@ get_authname(int type) case SSH_CMSG_AUTH_TIS: case SSH_CMSG_AUTH_TIS_RESPONSE: return "challenge-response"; -#if defined(KRB4) || defined(KRB5) +#ifdef KRB5 case SSH_CMSG_AUTH_KERBEROS: return "kerberos"; #endif @@ -81,7 +81,7 @@ do_authloop(Authctxt *authctxt) /* If the user has no password, accept authentication immediately. */ if (options.password_authentication && -#if defined(KRB4) || defined(KRB5) +#ifdef KRB5 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif PRIVSEP(auth_password(authctxt, ""))) { @@ -120,7 +120,7 @@ do_authloop(Authctxt *authctxt) /* Process the packet. */ switch (type) { -#if defined(KRB4) || defined(KRB5) +#ifdef KRB5 case SSH_CMSG_AUTH_KERBEROS: if (!options.kerberos_authentication) { verbose("Kerberos authentication disabled."); @@ -128,30 +128,7 @@ do_authloop(Authctxt *authctxt) char *kdata = packet_get_string(&dlen); packet_check_eom(); - if (kdata[0] == 4) { /* KRB_PROT_VERSION */ -#ifdef KRB4 - KTEXT_ST tkt, reply; - tkt.length = dlen; - if (tkt.length < MAX_KTXT_LEN) - memcpy(tkt.dat, kdata, tkt.length); - - if (PRIVSEP(auth_krb4(authctxt, &tkt, - &client_user, &reply))) { - authenticated = 1; - snprintf(info, sizeof(info), - " tktuser %.100s", - client_user); - - packet_start( - SSH_SMSG_AUTH_KERBEROS_RESPONSE); - packet_put_string((char *) - reply.dat, reply.length); - packet_send(); - packet_write_wait(); - } -#endif /* KRB4 */ - } else { -#ifdef KRB5 + if (kdata[0] != 4) { /* KRB_PROT_VERSION */ krb5_data tkt, reply; tkt.length = dlen; tkt.data = kdata; @@ -174,24 +151,14 @@ do_authloop(Authctxt *authctxt) if (reply.length) xfree(reply.data); } -#endif /* KRB5 */ } xfree(kdata); } break; -#endif /* KRB4 || KRB5 */ - -#if defined(AFS) || defined(KRB5) - /* XXX - punt on backward compatibility here. */ case SSH_CMSG_HAVE_KERBEROS_TGT: packet_send_debug("Kerberos TGT passing disabled before authentication."); break; -#ifdef AFS - case SSH_CMSG_HAVE_AFS_TOKEN: - packet_send_debug("AFS token passing disabled before authentication."); - break; -#endif /* AFS */ -#endif /* AFS || KRB5 */ +#endif case SSH_CMSG_AUTH_RHOSTS: if (!options.rhosts_authentication) { diff --git a/configure.ac b/configure.ac index 74909343d..68fa5c1f2 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.137 2003/07/23 04:33:10 dtucker Exp $ +# $Id: configure.ac,v 1.138 2003/08/02 12:24:49 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -54,7 +54,6 @@ fi # Check for some target-specific stuff case "$host" in *-*-aix*) - AFS_LIBS="-lld" CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" AC_MSG_CHECKING([how to specify blibpath for linker ($LD)]) @@ -1940,87 +1939,7 @@ AC_ARG_WITH(kerberos5, fi ] ) -# Check whether user wants Kerberos 4 support -KRB4_MSG="no" -AC_ARG_WITH(kerberos4, - [ --with-kerberos4=PATH Enable Kerberos 4 support], - [ - if test "x$withval" != "xno" ; then - if test "x$withval" != "xyes" ; then - CPPFLAGS="$CPPFLAGS -I${withval}/include" - LDFLAGS="$LDFLAGS -L${withval}/lib" - if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R${withval}/lib" - fi - if test ! -z "$blibpath" ; then - blibpath="$blibpath:${withval}/lib" - fi - else - if test -d /usr/include/kerberosIV ; then - CPPFLAGS="$CPPFLAGS -I/usr/include/kerberosIV" - fi - fi - - AC_CHECK_HEADERS(krb.h) - if test "$ac_cv_header_krb_h" != yes; then - AC_MSG_WARN([Cannot find krb.h, build may fail]) - fi - AC_CHECK_LIB(krb, main) - if test "$ac_cv_lib_krb_main" != yes; then - AC_CHECK_LIB(krb4, main) - if test "$ac_cv_lib_krb4_main" != yes; then - AC_MSG_WARN([Cannot find libkrb nor libkrb4, build may fail]) - else - KLIBS="-lkrb4" - fi - else - KLIBS="-lkrb" - fi - AC_CHECK_LIB(des, des_cbc_encrypt) - if test "$ac_cv_lib_des_des_cbc_encrypt" != yes; then - AC_CHECK_LIB(des425, des_cbc_encrypt) - if test "$ac_cv_lib_des425_des_cbc_encrypt" != yes; then - AC_MSG_WARN([Cannot find libdes nor libdes425, build may fail]) - else - KLIBS="-ldes425" - fi - else - KLIBS="-ldes" - fi - AC_CHECK_LIB(resolv, dn_expand, , ) - KRB4=yes - KRB4_MSG="yes" - AC_DEFINE(KRB4) - fi - ] -) - -# Check whether user wants AFS support -AFS_MSG="no" -AC_ARG_WITH(afs, - [ --with-afs=PATH Enable AFS support], - [ - if test "x$withval" != "xno" ; then - - if test "x$withval" != "xyes" ; then - CPPFLAGS="$CPPFLAGS -I${withval}/include" - LDFLAGS="$LDFLAGS -L${withval}/lib" - fi - - if test -z "$KRB4" ; then - AC_MSG_WARN([AFS requires Kerberos IV support, build may fail]) - fi - - LIBS="-lkafs $LIBS" - if test ! -z "$AFS_LIBS" ; then - LIBS="$LIBS $AFS_LIBS" - fi - AC_DEFINE(AFS) - AFS_MSG="yes" - fi - ] -) -LIBS="$LIBS $KLIBS $K5LIBS" +LIBS="$LIBS $K5LIBS" # Looking for programs, paths and files @@ -2648,10 +2567,8 @@ fi echo " Manpage format: $MANTYPE" echo " DNS support: $DNS_MSG" echo " PAM support: $PAM_MSG" -echo " KerberosIV support: $KRB4_MSG" echo " KerberosV support: $KRB5_MSG" echo " Smartcard support: $SCARD_MSG" -echo " AFS support: $AFS_MSG" echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" echo " MD5 password support: $MD5_MSG" diff --git a/monitor.c b/monitor.c index 3a8735f58..95fd0cf64 100644 --- a/monitor.c +++ b/monitor.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.44 2003/06/24 08:23:46 markus Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.45 2003/07/22 13:35:22 markus Exp $"); #include @@ -124,9 +124,6 @@ int mm_answer_pam_respond(int, Buffer *); int mm_answer_pam_free_ctx(int, Buffer *); #endif -#ifdef KRB4 -int mm_answer_krb4(int, Buffer *); -#endif #ifdef KRB5 int mm_answer_krb5(int, Buffer *); #endif @@ -222,9 +219,6 @@ struct mon_table mon_dispatch_proto15[] = { {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, #endif -#ifdef KRB4 - {MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4}, -#endif #ifdef KRB5 {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5}, #endif @@ -1428,52 +1422,6 @@ mm_answer_rsa_response(int socket, Buffer *m) return (success); } -#ifdef KRB4 -int -mm_answer_krb4(int socket, Buffer *m) -{ - KTEXT_ST auth, reply; - char *client, *p; - int success; - u_int alen; - - reply.length = auth.length = 0; - - p = buffer_get_string(m, &alen); - if (alen >= MAX_KTXT_LEN) - fatal("%s: auth too large", __func__); - memcpy(auth.dat, p, alen); - auth.length = alen; - memset(p, 0, alen); - xfree(p); - - success = options.kerberos_authentication && - authctxt->valid && - auth_krb4(authctxt, &auth, &client, &reply); - - memset(auth.dat, 0, alen); - buffer_clear(m); - buffer_put_int(m, success); - - if (success) { - buffer_put_cstring(m, client); - buffer_put_string(m, reply.dat, reply.length); - if (client) - xfree(client); - if (reply.length) - memset(reply.dat, 0, reply.length); - } - - debug3("%s: sending result %d", __func__, success); - mm_request_send(socket, MONITOR_ANS_KRB4, m); - - auth_method = "kerberos"; - - /* Causes monitor loop to terminate if authenticated */ - return (success); -} -#endif - #ifdef KRB5 int mm_answer_krb5(int socket, Buffer *m) diff --git a/monitor.h b/monitor.h index 97044cb87..7d86b4595 100644 --- a/monitor.h +++ b/monitor.h @@ -49,7 +49,6 @@ enum monitor_reqtype { MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED, MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, - MONITOR_REQ_KRB4, MONITOR_ANS_KRB4, MONITOR_REQ_KRB5, MONITOR_ANS_KRB5, MONITOR_REQ_PAM_START, MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, diff --git a/monitor_wrap.c b/monitor_wrap.c index 10a79c035..c7ba86ffc 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor_wrap.c,v 1.27 2003/06/28 16:23:06 deraadt Exp $"); +RCSID("$OpenBSD: monitor_wrap.c,v 1.28 2003/07/22 13:35:22 markus Exp $"); #include #include @@ -1043,42 +1043,6 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16]) return (success); } -#ifdef KRB4 -int -mm_auth_krb4(Authctxt *authctxt, void *_auth, char **client, void *_reply) -{ - KTEXT auth, reply; - Buffer m; - u_int rlen; - int success = 0; - char *p; - - debug3("%s entering", __func__); - auth = _auth; - reply = _reply; - - buffer_init(&m); - buffer_put_string(&m, auth->dat, auth->length); - - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB4, &m); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB4, &m); - - success = buffer_get_int(&m); - if (success) { - *client = buffer_get_string(&m, NULL); - p = buffer_get_string(&m, &rlen); - if (rlen >= MAX_KTXT_LEN) - fatal("%s: reply from monitor too large", __func__); - reply->length = rlen; - memcpy(reply->dat, p, rlen); - memset(p, 0, rlen); - xfree(p); - } - buffer_free(&m); - return (success); -} -#endif - #ifdef KRB5 int mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp) diff --git a/monitor_wrap.h b/monitor_wrap.h index d551c9d41..e0dd73bd0 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */ +/* $OpenBSD: monitor_wrap.h,v 1.9 2003/07/22 13:35:22 markus Exp $ */ /* * Copyright 2002 Niels Provos @@ -88,9 +88,6 @@ int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **); int mm_skey_respond(void *, u_int, char **); /* auth_krb */ -#ifdef KRB4 -int mm_auth_krb4(struct Authctxt *, void *, char **, void *); -#endif #ifdef KRB5 /* auth and reply are really krb5_data objects, but we don't want to * include all of the krb5 headers here */ diff --git a/radix.c b/radix.c deleted file mode 100644 index c680d6bf3..000000000 --- a/radix.c +++ /dev/null @@ -1,158 +0,0 @@ -/* - * Copyright (c) 1999 Dug Song. All rights reserved. - * Copyright (c) 2002 Markus Friedl. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "includes.h" -#include "uuencode.h" - -RCSID("$OpenBSD: radix.c,v 1.22 2002/09/09 14:54:15 markus Exp $"); - -#ifdef AFS -#include - -#include -#include "bufaux.h" - -int -creds_to_radix(CREDENTIALS *creds, u_char *buf, size_t buflen) -{ - Buffer b; - int ret; - - buffer_init(&b); - - buffer_put_char(&b, 1); /* version */ - - buffer_append(&b, creds->service, strlen(creds->service)); - buffer_put_char(&b, '\0'); - buffer_append(&b, creds->instance, strlen(creds->instance)); - buffer_put_char(&b, '\0'); - buffer_append(&b, creds->realm, strlen(creds->realm)); - buffer_put_char(&b, '\0'); - buffer_append(&b, creds->pname, strlen(creds->pname)); - buffer_put_char(&b, '\0'); - buffer_append(&b, creds->pinst, strlen(creds->pinst)); - buffer_put_char(&b, '\0'); - - /* Null string to repeat the realm. */ - buffer_put_char(&b, '\0'); - - buffer_put_int(&b, creds->issue_date); - buffer_put_int(&b, krb_life_to_time(creds->issue_date, - creds->lifetime)); - buffer_append(&b, creds->session, sizeof(creds->session)); - buffer_put_short(&b, creds->kvno); - - /* 32 bit size + data */ - buffer_put_string(&b, creds->ticket_st.dat, creds->ticket_st.length); - - ret = uuencode(buffer_ptr(&b), buffer_len(&b), (char *)buf, buflen); - - buffer_free(&b); - return ret; -} - -#define GETSTRING(b, t, tlen) \ - do { \ - int i, found = 0; \ - for (i = 0; i < tlen; i++) { \ - if (buffer_len(b) == 0) \ - goto done; \ - t[i] = buffer_get_char(b); \ - if (t[i] == '\0') { \ - found = 1; \ - break; \ - } \ - } \ - if (!found) \ - goto done; \ - } while(0) - -int -radix_to_creds(const char *buf, CREDENTIALS *creds) -{ - Buffer b; - u_char *space; - char c, version, *p; - u_int endTime, len; - int blen, ret; - - ret = 0; - blen = strlen(buf); - - /* sanity check for size */ - if (blen > 8192) - return 0; - - buffer_init(&b); - space = buffer_append_space(&b, blen); - - /* check version and length! */ - len = uudecode(buf, space, blen); - if (len < 1) - goto done; - - version = buffer_get_char(&b); - - GETSTRING(&b, creds->service, sizeof creds->service); - GETSTRING(&b, creds->instance, sizeof creds->instance); - GETSTRING(&b, creds->realm, sizeof creds->realm); - GETSTRING(&b, creds->pname, sizeof creds->pname); - GETSTRING(&b, creds->pinst, sizeof creds->pinst); - - if (buffer_len(&b) == 0) - goto done; - - /* Ignore possibly different realm. */ - while (buffer_len(&b) > 0 && (c = buffer_get_char(&b)) != '\0') - ; - - if (buffer_len(&b) == 0) - goto done; - - creds->issue_date = buffer_get_int(&b); - - endTime = buffer_get_int(&b); - creds->lifetime = krb_time_to_life(creds->issue_date, endTime); - - len = buffer_len(&b); - if (len < sizeof(creds->session)) - goto done; - memcpy(&creds->session, buffer_ptr(&b), sizeof(creds->session)); - buffer_consume(&b, sizeof(creds->session)); - - creds->kvno = buffer_get_short(&b); - - p = buffer_get_string(&b, &len); - if (len < 0 || len > sizeof(creds->ticket_st.dat)) - goto done; - memcpy(&creds->ticket_st.dat, p, len); - creds->ticket_st.length = len; - - ret = 1; -done: - buffer_free(&b); - return ret; -} -#endif /* AFS */ diff --git a/radix.h b/radix.h deleted file mode 100644 index e94e4acc6..000000000 --- a/radix.h +++ /dev/null @@ -1,28 +0,0 @@ -/* $OpenBSD: radix.h,v 1.4 2001/06/26 17:27:24 markus Exp $ */ - -/* - * Copyright (c) 1999 Dug Song. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -int creds_to_radix(CREDENTIALS *, u_char *, size_t); -int radix_to_creds(const char *, CREDENTIALS *); diff --git a/readconf.c b/readconf.c index 3c08f7638..332500e7c 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.114 2003/07/03 08:09:05 djm Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -94,7 +94,7 @@ typedef enum { oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication, oPasswordAuthentication, oRSAAuthentication, oChallengeResponseAuthentication, oXAuthLocation, - oKerberosAuthentication, oKerberosTgtPassing, oAFSTokenPassing, + oKerberosAuthentication, oKerberosTgtPassing, oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, @@ -134,18 +134,14 @@ static struct { { "challengeresponseauthentication", oChallengeResponseAuthentication }, { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ { "tisauthentication", oChallengeResponseAuthentication }, /* alias */ -#if defined(KRB4) || defined(KRB5) +#ifdef KRB5 { "kerberosauthentication", oKerberosAuthentication }, { "kerberostgtpassing", oKerberosTgtPassing }, #else { "kerberosauthentication", oUnsupported }, { "kerberostgtpassing", oUnsupported }, #endif -#if defined(AFS) - { "afstokenpassing", oAFSTokenPassing }, -#else { "afstokenpassing", oUnsupported }, -#endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, { "identityfile", oIdentityFile }, @@ -399,10 +395,6 @@ parse_flag: intptr = &options->kerberos_tgt_passing; goto parse_flag; - case oAFSTokenPassing: - intptr = &options->afs_token_passing; - goto parse_flag; - case oBatchMode: intptr = &options->batch_mode; goto parse_flag; @@ -828,7 +820,6 @@ initialize_options(Options * options) options->challenge_response_authentication = -1; options->kerberos_authentication = -1; options->kerberos_tgt_passing = -1; - options->afs_token_passing = -1; options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; @@ -905,8 +896,6 @@ fill_default_options(Options * options) options->kerberos_authentication = 1; if (options->kerberos_tgt_passing == -1) options->kerberos_tgt_passing = 1; - if (options->afs_token_passing == -1) - options->afs_token_passing = 1; if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) diff --git a/readconf.h b/readconf.h index 4e0b74318..cc94253e6 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.51 2003/07/03 08:09:06 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.52 2003/07/22 13:35:22 markus Exp $ */ /* * Author: Tatu Ylonen @@ -43,7 +43,6 @@ typedef struct { /* Try S/Key or TIS, authentication. */ int kerberos_authentication; /* Try Kerberos authentication. */ int kerberos_tgt_passing; /* Try Kerberos TGT passing. */ - int afs_token_passing; /* Try AFS token passing. */ int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ diff --git a/servconf.c b/servconf.c index 6df2a255b..c4b2bb284 100644 --- a/servconf.c +++ b/servconf.c @@ -10,15 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.122 2003/06/02 09:17:34 markus Exp $"); - -#if defined(KRB4) -#include -#endif - -#ifdef AFS -#include -#endif +RCSID("$OpenBSD: servconf.c,v 1.123 2003/07/22 13:35:22 markus Exp $"); #include "ssh.h" #include "log.h" @@ -82,7 +74,6 @@ initialize_server_options(ServerOptions *options) options->kerberos_or_local_passwd = -1; options->kerberos_ticket_cleanup = -1; options->kerberos_tgt_passing = -1; - options->afs_token_passing = -1; options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; @@ -194,8 +185,6 @@ fill_default_server_options(ServerOptions *options) options->kerberos_ticket_cleanup = 1; if (options->kerberos_tgt_passing == -1) options->kerberos_tgt_passing = 0; - if (options->afs_token_passing == -1) - options->afs_token_passing = 0; if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) @@ -261,7 +250,7 @@ typedef enum { sPermitRootLogin, sLogFacility, sLogLevel, sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, - sKerberosTgtPassing, sAFSTokenPassing, sChallengeResponseAuthentication, + sKerberosTgtPassing, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, @@ -306,7 +295,7 @@ static struct { { "rsaauthentication", sRSAAuthentication }, { "pubkeyauthentication", sPubkeyAuthentication }, { "dsaauthentication", sPubkeyAuthentication }, /* alias */ -#if defined(KRB4) || defined(KRB5) +#ifdef KRB5 { "kerberosauthentication", sKerberosAuthentication }, { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, { "kerberosticketcleanup", sKerberosTicketCleanup }, @@ -317,11 +306,7 @@ static struct { { "kerberosticketcleanup", sUnsupported }, { "kerberostgtpassing", sUnsupported }, #endif -#if defined(AFS) - { "afstokenpassing", sAFSTokenPassing }, -#else { "afstokenpassing", sUnsupported }, -#endif { "passwordauthentication", sPasswordAuthentication }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, { "challengeresponseauthentication", sChallengeResponseAuthentication }, @@ -644,10 +629,6 @@ parse_flag: intptr = &options->kerberos_tgt_passing; goto parse_flag; - case sAFSTokenPassing: - intptr = &options->afs_token_passing; - goto parse_flag; - case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; diff --git a/servconf.h b/servconf.h index b676f2b67..65ad2071a 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.61 2003/06/02 09:17:34 markus Exp $ */ +/* $OpenBSD: servconf.h,v 1.62 2003/07/22 13:35:22 markus Exp $ */ /* * Author: Tatu Ylonen @@ -84,7 +84,6 @@ typedef struct { * file on logout. */ int kerberos_tgt_passing; /* If true, permit Kerberos TGT * passing. */ - int afs_token_passing; /* If true, permit AFS token passing. */ int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ diff --git a/session.c b/session.c index 4b443831b..7a064ad50 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.158 2003/06/02 09:17:34 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.159 2003/07/22 13:35:22 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -222,10 +222,6 @@ do_authenticated(Authctxt *authctxt) /* remove agent socket */ if (auth_sock_name != NULL) auth_sock_cleanup_proc(authctxt->pw); -#ifdef KRB4 - if (options.kerberos_ticket_cleanup) - krb4_cleanup_proc(authctxt); -#endif #ifdef KRB5 if (options.kerberos_ticket_cleanup) krb5_cleanup_proc(authctxt); @@ -338,7 +334,7 @@ do_authenticated1(Authctxt *authctxt) success = 1; break; -#if defined(AFS) || defined(KRB5) +#ifdef KRB5 case SSH_CMSG_HAVE_KERBEROS_TGT: if (!options.kerberos_tgt_passing) { verbose("Kerberos TGT passing disabled."); @@ -346,9 +342,8 @@ do_authenticated1(Authctxt *authctxt) char *kdata = packet_get_string(&dlen); packet_check_eom(); - /* XXX - 0x41, see creds_to_radix version */ + /* XXX - 0x41, used for AFS */ if (kdata[0] != 0x41) { -#ifdef KRB5 krb5_data tgt; tgt.data = kdata; tgt.length = dlen; @@ -357,38 +352,11 @@ do_authenticated1(Authctxt *authctxt) success = 1; else verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user); -#endif /* KRB5 */ - } else { -#ifdef AFS - if (auth_krb4_tgt(s->authctxt, kdata)) - success = 1; - else - verbose("Kerberos v4 TGT refused for %.100s", s->authctxt->user); -#endif /* AFS */ } xfree(kdata); } break; -#endif /* AFS || KRB5 */ - -#ifdef AFS - case SSH_CMSG_HAVE_AFS_TOKEN: - if (!options.afs_token_passing || !k_hasafs()) { - verbose("AFS token passing disabled."); - } else { - /* Accept AFS token. */ - char *token = packet_get_string(&dlen); - packet_check_eom(); - - if (auth_afs_token(s->authctxt, token)) - success = 1; - else - verbose("AFS token refused for %.100s", - s->authctxt->user); - xfree(token); - } - break; -#endif /* AFS */ +#endif case SSH_CMSG_EXEC_SHELL: case SSH_CMSG_EXEC_CMD: @@ -1066,11 +1034,6 @@ do_setup_env(Session *s, const char *shell) read_environment_file(&env, &envsize, "/etc/environment"); } #endif -#ifdef KRB4 - if (s->authctxt->krb4_ticket_file) - child_set_env(&env, &envsize, "KRBTKFILE", - s->authctxt->krb4_ticket_file); -#endif #ifdef KRB5 if (s->authctxt->krb5_ticket_file) child_set_env(&env, &envsize, "KRB5CCNAME", @@ -1396,18 +1359,6 @@ do_child(Session *s, const char *command) */ environ = env; -#ifdef AFS - /* Try to get AFS tokens for the local cell. */ - if (k_hasafs()) { - char cell[64]; - - if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0) - krb_afslog(cell, 0); - - krb_afslog(0, 0); - } -#endif /* AFS */ - /* Change current directory to the user\'s home directory. */ if (chdir(pw->pw_dir) < 0) { fprintf(stderr, "Could not chdir to home directory %s: %s\n", diff --git a/ssh.1 b/ssh.1 index 8a7d2f428..c81cb42c6 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.174 2003/07/02 14:51:16 markus Exp $ +.\" $OpenBSD: ssh.1,v 1.175 2003/07/22 13:35:22 markus Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -494,7 +494,7 @@ The argument is the device should use to communicate with a smartcard used for storing the user's private RSA key. .It Fl k -Disables forwarding of Kerberos tickets and AFS tokens. +Disables forwarding of Kerberos tickets. This may also be specified on a per-host basis in the configuration file. .It Fl l Ar login_name Specifies the user to log in as on the remote machine. diff --git a/ssh.c b/ssh.c index 2bcd5871e..82b40193d 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.197 2003/07/16 10:34:53 markus Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.198 2003/07/22 13:35:22 markus Exp $"); #include #include @@ -154,9 +154,7 @@ usage(void) _PATH_SSH_USER_CONFFILE); fprintf(stderr, " -A Enable authentication agent forwarding.\n"); fprintf(stderr, " -a Disable authentication agent forwarding (default).\n"); -#ifdef AFS - fprintf(stderr, " -k Disable Kerberos ticket and AFS token forwarding.\n"); -#endif /* AFS */ + fprintf(stderr, " -k Disable Kerberos ticket forwarding.\n"); fprintf(stderr, " -X Enable X11 connection forwarding.\n"); fprintf(stderr, " -x Disable X11 connection forwarding (default).\n"); fprintf(stderr, " -i file Identity for public key authentication " @@ -306,12 +304,9 @@ again: case 'A': options.forward_agent = 1; break; -#ifdef AFS case 'k': options.kerberos_tgt_passing = 0; - options.afs_token_passing = 0; break; -#endif case 'i': if (stat(optarg, &st) < 0) { fprintf(stderr, "Warning: Identity file %s " diff --git a/ssh.h b/ssh.h index 25a9213f3..607621769 100644 --- a/ssh.h +++ b/ssh.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.h,v 1.72 2003/06/28 16:23:06 deraadt Exp $ */ +/* $OpenBSD: ssh.h,v 1.73 2003/07/22 13:35:22 markus Exp $ */ /* * Author: Tatu Ylonen @@ -88,9 +88,6 @@ */ #define SSH_SESSION_KEY_LENGTH 32 -/* Name of Kerberos service for SSH to use. */ -#define KRB4_SERVICE_NAME "rcmd" - /* Used to identify ``EscapeChar none'' */ #define SSH_ESCAPECHAR_NONE -2 diff --git a/ssh_config.5 b/ssh_config.5 index 79d05f018..3a79af8f0 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.15 2003/07/02 14:51:16 markus Exp $ +.\" $OpenBSD: ssh_config.5,v 1.16 2003/07/22 13:35:22 markus Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -123,13 +123,6 @@ Valid arguments are (Use IPv4 only) or .Dq inet6 (Use IPv6 only.) -.It Cm AFSTokenPassing -Specifies whether to pass AFS tokens to remote host. -The argument to this keyword must be -.Dq yes -or -.Dq no . -This option applies to protocol version 1 only. .It Cm BatchMode If set to .Dq yes , @@ -410,7 +403,6 @@ or .Dq no . .It Cm KerberosTgtPassing Specifies whether a Kerberos TGT will be forwarded to the server. -This will only work if the Kerberos server is actually an AFS kaserver. The argument to this keyword must be .Dq yes or diff --git a/sshconnect1.c b/sshconnect1.c index 2a822a98f..8851c35f6 100644 --- a/sshconnect1.c +++ b/sshconnect1.c @@ -13,24 +13,17 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect1.c,v 1.53 2003/04/08 20:21:29 itojun Exp $"); +RCSID("$OpenBSD: sshconnect1.c,v 1.54 2003/07/22 13:35:22 markus Exp $"); #include #include -#ifdef KRB4 -#include -#endif #ifdef KRB5 #include #ifndef HEIMDAL #define krb5_get_err_text(context,code) error_message(code) #endif /* !HEIMDAL */ #endif -#ifdef AFS -#include -#include "radix.h" -#endif #include "ssh.h" #include "ssh1.h" @@ -380,128 +373,6 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key) return 0; } -#ifdef KRB4 -static int -try_krb4_authentication(void) -{ - KTEXT_ST auth; /* Kerberos data */ - char *reply; - char inst[INST_SZ]; - char *realm; - CREDENTIALS cred; - int r, type; - socklen_t slen; - Key_schedule schedule; - u_long checksum, cksum; - MSG_DAT msg_data; - struct sockaddr_in local, foreign; - struct stat st; - - /* Don't do anything if we don't have any tickets. */ - if (stat(tkt_string(), &st) < 0) - return 0; - - strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)), - INST_SZ); - - realm = (char *)krb_realmofhost(get_canonical_hostname(1)); - if (!realm) { - debug("Kerberos v4: no realm for %s", get_canonical_hostname(1)); - return 0; - } - /* This can really be anything. */ - checksum = (u_long)getpid(); - - r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum); - if (r != KSUCCESS) { - debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]); - return 0; - } - /* Get session key to decrypt the server's reply with. */ - r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred); - if (r != KSUCCESS) { - debug("get_cred failed: %s", krb_err_txt[r]); - return 0; - } - des_key_sched((des_cblock *) cred.session, schedule); - - /* Send authentication info to server. */ - packet_start(SSH_CMSG_AUTH_KERBEROS); - packet_put_string((char *) auth.dat, auth.length); - packet_send(); - packet_write_wait(); - - /* Zero the buffer. */ - (void) memset(auth.dat, 0, MAX_KTXT_LEN); - - slen = sizeof(local); - memset(&local, 0, sizeof(local)); - if (getsockname(packet_get_connection_in(), - (struct sockaddr *)&local, &slen) < 0) - debug("getsockname failed: %s", strerror(errno)); - - slen = sizeof(foreign); - memset(&foreign, 0, sizeof(foreign)); - if (getpeername(packet_get_connection_in(), - (struct sockaddr *)&foreign, &slen) < 0) { - debug("getpeername failed: %s", strerror(errno)); - fatal_cleanup(); - } - /* Get server reply. */ - type = packet_read(); - switch (type) { - case SSH_SMSG_FAILURE: - /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */ - debug("Kerberos v4 authentication failed."); - return 0; - break; - - case SSH_SMSG_AUTH_KERBEROS_RESPONSE: - /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */ - debug("Kerberos v4 authentication accepted."); - - /* Get server's response. */ - reply = packet_get_string((u_int *) &auth.length); - if (auth.length >= MAX_KTXT_LEN) - fatal("Kerberos v4: Malformed response from server"); - memcpy(auth.dat, reply, auth.length); - xfree(reply); - - packet_check_eom(); - - /* - * If his response isn't properly encrypted with the session - * key, and the decrypted checksum fails to match, he's - * bogus. Bail out. - */ - r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session, - &foreign, &local, &msg_data); - if (r != KSUCCESS) { - debug("Kerberos v4 krb_rd_priv failed: %s", - krb_err_txt[r]); - packet_disconnect("Kerberos v4 challenge failed!"); - } - /* Fetch the (incremented) checksum that we supplied in the request. */ - memcpy((char *)&cksum, (char *)msg_data.app_data, - sizeof(cksum)); - cksum = ntohl(cksum); - - /* If it matches, we're golden. */ - if (cksum == checksum + 1) { - debug("Kerberos v4 challenge successful."); - return 1; - } else - packet_disconnect("Kerberos v4 challenge failed!"); - break; - - default: - packet_disconnect("Protocol error on Kerberos v4 response: %d", type); - } - return 0; -} - -#endif /* KRB4 */ - #ifdef KRB5 static int try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context) @@ -729,129 +600,6 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context) } #endif /* KRB5 */ -#ifdef AFS -static void -send_krb4_tgt(void) -{ - CREDENTIALS *creds; - struct stat st; - char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; - int problem, type; - - /* Don't do anything if we don't have any tickets. */ - if (stat(tkt_string(), &st) < 0) - return; - - creds = xmalloc(sizeof(*creds)); - - problem = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm); - if (problem) - goto out; - - problem = krb_get_cred("krbtgt", prealm, prealm, creds); - if (problem) - goto out; - - if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) { - problem = RD_AP_EXP; - goto out; - } - creds_to_radix(creds, (u_char *)buffer, sizeof(buffer)); - - packet_start(SSH_CMSG_HAVE_KERBEROS_TGT); - packet_put_cstring(buffer); - packet_send(); - packet_write_wait(); - - type = packet_read(); - - if (type == SSH_SMSG_SUCCESS) - debug("Kerberos v4 TGT forwarded (%s%s%s@%s).", - creds->pname, creds->pinst[0] ? "." : "", - creds->pinst, creds->realm); - else - debug("Kerberos v4 TGT rejected."); - - xfree(creds); - return; - - out: - debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]); - xfree(creds); -} - -static void -send_afs_tokens(void) -{ - CREDENTIALS creds; - struct ViceIoctl parms; - struct ClearToken ct; - int i, type, len; - char buf[2048], *p, *server_cell; - char buffer[8192]; - - /* Move over ktc_GetToken, here's something leaner. */ - for (i = 0; i < 100; i++) { /* just in case */ - parms.in = (char *) &i; - parms.in_size = sizeof(i); - parms.out = buf; - parms.out_size = sizeof(buf); - if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0) - break; - p = buf; - - /* Get secret token. */ - memcpy(&creds.ticket_st.length, p, sizeof(u_int)); - if (creds.ticket_st.length > MAX_KTXT_LEN) - break; - p += sizeof(u_int); - memcpy(creds.ticket_st.dat, p, creds.ticket_st.length); - p += creds.ticket_st.length; - - /* Get clear token. */ - memcpy(&len, p, sizeof(len)); - if (len != sizeof(struct ClearToken)) - break; - p += sizeof(len); - memcpy(&ct, p, len); - p += len; - p += sizeof(len); /* primary flag */ - server_cell = p; - - /* Flesh out our credentials. */ - strlcpy(creds.service, "afs", sizeof(creds.service)); - creds.instance[0] = '\0'; - strlcpy(creds.realm, server_cell, REALM_SZ); - memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ); - creds.issue_date = ct.BeginTimestamp; - creds.lifetime = krb_time_to_life(creds.issue_date, - ct.EndTimestamp); - creds.kvno = ct.AuthHandle; - snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId); - creds.pinst[0] = '\0'; - - /* Encode token, ship it off. */ - if (creds_to_radix(&creds, (u_char *)buffer, - sizeof(buffer)) <= 0) - break; - packet_start(SSH_CMSG_HAVE_AFS_TOKEN); - packet_put_cstring(buffer); - packet_send(); - packet_write_wait(); - - /* Roger, Roger. Clearance, Clarence. What's your vector, - Victor? */ - type = packet_read(); - - if (type == SSH_SMSG_FAILURE) - debug("AFS token for cell %s rejected.", server_cell); - else if (type != SSH_SMSG_SUCCESS) - packet_disconnect("Protocol error on AFS token response: %d", type); - } -} - -#endif /* AFS */ - /* * Tries to authenticate with any string-based challenge/response system. * Note that the client code is not tied to s/key or TIS. @@ -1183,21 +931,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host, } #endif /* KRB5 */ -#ifdef KRB4 - if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && - options.kerberos_authentication) { - debug("Trying Kerberos v4 authentication."); - - if (try_krb4_authentication()) { - type = packet_read(); - if (type == SSH_SMSG_SUCCESS) - goto success; - if (type != SSH_SMSG_FAILURE) - packet_disconnect("Protocol error: got %d in response to Kerberos v4 auth", type); - } - } -#endif /* KRB4 */ - /* * Use rhosts authentication if running in privileged socket and we * do not wish to remain anonymous. @@ -1284,23 +1017,5 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host, if (context) krb5_free_context(context); #endif - -#ifdef AFS - /* Try Kerberos v4 TGT passing if the server supports it. */ - if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) && - options.kerberos_tgt_passing) { - if (options.cipher == SSH_CIPHER_NONE) - logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); - send_krb4_tgt(); - } - /* Try AFS token passing if the server supports it. */ - if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) && - options.afs_token_passing && k_hasafs()) { - if (options.cipher == SSH_CIPHER_NONE) - logit("WARNING: Encryption is disabled! Token will be transmitted in the clear!"); - send_afs_tokens(); - } -#endif /* AFS */ - return; /* need statement after label */ } diff --git a/sshd.c b/sshd.c index a8cb966b0..896e56c76 100644 --- a/sshd.c +++ b/sshd.c @@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.273 2003/07/16 10:34:53 markus Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.274 2003/07/22 13:35:22 markus Exp $"); #include #include @@ -1476,20 +1476,13 @@ main(int ac, char **av) "originating port %d not trusted.", remote_port); options.rhosts_authentication = 0; } -#if defined(KRB4) && !defined(KRB5) +#ifdef KRB5 if (!packet_connection_is_ipv4() && options.kerberos_authentication) { debug("Kerberos Authentication disabled, only available for IPv4."); options.kerberos_authentication = 0; } -#endif /* KRB4 && !KRB5 */ -#ifdef AFS - /* If machine has AFS, set process authentication group. */ - if (k_hasafs()) { - k_setpag(); - k_unlog(); - } -#endif /* AFS */ +#endif packet_set_nonblocking(); @@ -1656,17 +1649,11 @@ do_ssh1_kex(void) auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA; if (options.rsa_authentication) auth_mask |= 1 << SSH_AUTH_RSA; -#if defined(KRB4) || defined(KRB5) +#ifdef KRB5 if (options.kerberos_authentication) auth_mask |= 1 << SSH_AUTH_KERBEROS; -#endif -#if defined(AFS) || defined(KRB5) if (options.kerberos_tgt_passing) auth_mask |= 1 << SSH_PASS_KERBEROS_TGT; -#endif -#ifdef AFS - if (options.afs_token_passing) - auth_mask |= 1 << SSH_PASS_AFS_TOKEN; #endif if (options.challenge_response_authentication == 1) auth_mask |= 1 << SSH_AUTH_TIS; diff --git a/sshd_config.5 b/sshd_config.5 index dfd3565a6..223ff8aae 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.20 2003/06/20 05:47:58 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.21 2003/07/22 13:35:22 markus Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -61,10 +61,6 @@ The possible keywords and their meanings are as follows (note that keywords are case-insensitive and arguments are case-sensitive): .Bl -tag -width Ds -.It Cm AFSTokenPassing -Specifies whether an AFS token may be forwarded to the server. -Default is -.Dq no . .It Cm AllowGroups This keyword can be followed by a list of group name patterns, separated by spaces. @@ -327,8 +323,7 @@ Default is .It Cm KerberosTgtPassing Specifies whether a Kerberos TGT may be forwarded to the server. Default is -.Dq no , -as this only works when the Kerberos KDC is actually an AFS kaserver. +.Dq no . .It Cm KerberosTicketCleanup Specifies whether to automatically destroy the user's ticket cache file on logout. -- cgit v1.2.3 From ec960f2c933aa55ca5dc319cff55cecce34f1f4b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 13 Aug 2003 20:37:05 +1000 Subject: - markus@cvs.openbsd.org 2003/08/13 08:46:31 [auth1.c readconf.c readconf.h servconf.c servconf.h ssh.c ssh_config ssh_config.5 sshconnect1.c sshd.8 sshd.c sshd_config sshd_config.5] remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@, fgsch@, miod@, henning@, jakob@ and others --- ChangeLog | 7 ++++++- auth1.c | 22 +--------------------- readconf.c | 15 +++------------ readconf.h | 3 +-- servconf.c | 13 +++---------- servconf.h | 4 +--- ssh.c | 14 +------------- ssh_config | 3 +-- ssh_config.5 | 28 +++------------------------- sshconnect1.c | 22 +--------------------- sshd.8 | 3 +-- sshd.c | 19 ++----------------- sshd_config | 8 +++----- sshd_config.5 | 7 +------ 14 files changed, 28 insertions(+), 140 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index f80dea665..b421d6ffd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,11 @@ [session.c] use more portable tcsendbreak(3) and ignore break_length; ok deraadt, millert + - markus@cvs.openbsd.org 2003/08/13 08:46:31 + [auth1.c readconf.c readconf.h servconf.c servconf.h ssh.c ssh_config + ssh_config.5 sshconnect1.c sshd.8 sshd.c sshd_config sshd_config.5] + remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@, + fgsch@, miod@, henning@, jakob@ and others 20030811 - (dtucker) OpenBSD CVS Sync @@ -823,4 +828,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2890 2003/08/13 10:31:05 dtucker Exp $ +$Id: ChangeLog,v 1.2891 2003/08/13 10:37:05 dtucker Exp $ diff --git a/auth1.c b/auth1.c index 877e2e62d..7c0100103 100644 --- a/auth1.c +++ b/auth1.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.49 2003/07/22 13:35:22 markus Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.50 2003/08/13 08:46:30 markus Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -160,26 +160,6 @@ do_authloop(Authctxt *authctxt) break; #endif - case SSH_CMSG_AUTH_RHOSTS: - if (!options.rhosts_authentication) { - verbose("Rhosts authentication disabled."); - break; - } - /* - * Get client user name. Note that we just have to - * trust the client; this is one reason why rhosts - * authentication is insecure. (Another is - * IP-spoofing on a local network.) - */ - client_user = packet_get_string(&ulen); - packet_check_eom(); - - /* Try to authenticate using /etc/hosts.equiv and .rhosts. */ - authenticated = auth_rhosts(pw, client_user); - - snprintf(info, sizeof info, " ruser %.100s", client_user); - break; - case SSH_CMSG_AUTH_RHOSTS_RSA: if (!options.rhosts_rsa_authentication) { verbose("Rhosts with RSA authentication disabled."); diff --git a/readconf.c b/readconf.c index 332500e7c..355a7dfcc 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.116 2003/08/13 08:46:30 markus Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -57,7 +57,6 @@ RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $"); Host fascist.blob.com Port 23123 User tylonen - RhostsAuthentication no PasswordAuthentication no Host puukko.hut.fi @@ -75,7 +74,6 @@ RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $"); Host * ForwardAgent no ForwardX11 no - RhostsAuthentication yes PasswordAuthentication yes RSAAuthentication yes RhostsRSAAuthentication yes @@ -91,7 +89,7 @@ RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $"); typedef enum { oBadOption, - oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication, + oForwardAgent, oForwardX11, oGatewayPorts, oPasswordAuthentication, oRSAAuthentication, oChallengeResponseAuthentication, oXAuthLocation, oKerberosAuthentication, oKerberosTgtPassing, @@ -122,7 +120,7 @@ static struct { { "xauthlocation", oXAuthLocation }, { "gatewayports", oGatewayPorts }, { "useprivilegedport", oUsePrivilegedPort }, - { "rhostsauthentication", oRhostsAuthentication }, + { "rhostsauthentication", oDeprecated }, { "passwordauthentication", oPasswordAuthentication }, { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, { "kbdinteractivedevices", oKbdInteractiveDevices }, @@ -351,10 +349,6 @@ parse_flag: intptr = &options->use_privileged_port; goto parse_flag; - case oRhostsAuthentication: - intptr = &options->rhosts_authentication; - goto parse_flag; - case oPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; @@ -814,7 +808,6 @@ initialize_options(Options * options) options->xauth_location = NULL; options->gateway_ports = -1; options->use_privileged_port = -1; - options->rhosts_authentication = -1; options->rsa_authentication = -1; options->pubkey_authentication = -1; options->challenge_response_authentication = -1; @@ -884,8 +877,6 @@ fill_default_options(Options * options) options->gateway_ports = 0; if (options->use_privileged_port == -1) options->use_privileged_port = 0; - if (options->rhosts_authentication == -1) - options->rhosts_authentication = 0; if (options->rsa_authentication == -1) options->rsa_authentication = 1; if (options->pubkey_authentication == -1) diff --git a/readconf.h b/readconf.h index cc94253e6..6fbf467e5 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.52 2003/07/22 13:35:22 markus Exp $ */ +/* $OpenBSD: readconf.h,v 1.53 2003/08/13 08:46:30 markus Exp $ */ /* * Author: Tatu Ylonen @@ -33,7 +33,6 @@ typedef struct { char *xauth_location; /* Location for xauth program */ int gateway_ports; /* Allow remote connects to forwarded ports. */ int use_privileged_port; /* Don't use privileged port if false. */ - int rhosts_authentication; /* Try rhosts authentication. */ int rhosts_rsa_authentication; /* Try rhosts with RSA * authentication. */ int rsa_authentication; /* Try RSA authentication. */ diff --git a/servconf.c b/servconf.c index c4b2bb284..e9c313bbb 100644 --- a/servconf.c +++ b/servconf.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.123 2003/07/22 13:35:22 markus Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.124 2003/08/13 08:46:30 markus Exp $"); #include "ssh.h" #include "log.h" @@ -64,7 +64,6 @@ initialize_server_options(ServerOptions *options) options->keepalives = -1; options->log_facility = SYSLOG_FACILITY_NOT_SET; options->log_level = SYSLOG_LEVEL_NOT_SET; - options->rhosts_authentication = -1; options->rhosts_rsa_authentication = -1; options->hostbased_authentication = -1; options->hostbased_uses_name_from_packet_only = -1; @@ -165,8 +164,6 @@ fill_default_server_options(ServerOptions *options) options->log_facility = SYSLOG_FACILITY_AUTH; if (options->log_level == SYSLOG_LEVEL_NOT_SET) options->log_level = SYSLOG_LEVEL_INFO; - if (options->rhosts_authentication == -1) - options->rhosts_authentication = 0; if (options->rhosts_rsa_authentication == -1) options->rhosts_rsa_authentication = 0; if (options->hostbased_authentication == -1) @@ -248,7 +245,7 @@ typedef enum { /* Standard Options */ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, - sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, + sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosTgtPassing, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, @@ -288,7 +285,7 @@ static struct { { "permitrootlogin", sPermitRootLogin }, { "syslogfacility", sLogFacility }, { "loglevel", sLogLevel }, - { "rhostsauthentication", sRhostsAuthentication }, + { "rhostsauthentication", sDeprecated }, { "rhostsrsaauthentication", sRhostsRSAAuthentication }, { "hostbasedauthentication", sHostbasedAuthentication }, { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly }, @@ -589,10 +586,6 @@ parse_flag: intptr = &options->ignore_user_known_hosts; goto parse_flag; - case sRhostsAuthentication: - intptr = &options->rhosts_authentication; - goto parse_flag; - case sRhostsRSAAuthentication: intptr = &options->rhosts_rsa_authentication; goto parse_flag; diff --git a/servconf.h b/servconf.h index 65ad2071a..42bcda757 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.62 2003/07/22 13:35:22 markus Exp $ */ +/* $OpenBSD: servconf.h,v 1.63 2003/08/13 08:46:30 markus Exp $ */ /* * Author: Tatu Ylonen @@ -65,8 +65,6 @@ typedef struct { int gateway_ports; /* If true, allow remote connects to forwarded ports. */ SyslogFacility log_facility; /* Facility for system logging. */ LogLevel log_level; /* Level for system logging. */ - int rhosts_authentication; /* If true, permit rhosts - * authentication. */ int rhosts_rsa_authentication; /* If true, permit rhosts RSA * authentication. */ int hostbased_authentication; /* If true, permit ssh2 hostbased auth */ diff --git a/ssh.c b/ssh.c index 82b40193d..71556e205 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.198 2003/07/22 13:35:22 markus Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.199 2003/08/13 08:46:30 markus Exp $"); #include #include @@ -600,19 +600,7 @@ again: strcmp(options.proxy_command, "none") == 0) options.proxy_command = NULL; - /* Disable rhosts authentication if not running as root. */ -#ifdef HAVE_CYGWIN - /* Ignore uid if running under Windows */ - if (!options.use_privileged_port) { -#else - if (original_effective_uid != 0 || !options.use_privileged_port) { -#endif - debug("Rhosts Authentication disabled, " - "originating port will not be trusted."); - options.rhosts_authentication = 0; - } /* Open a connection to the remote host. */ - if (ssh_connect(host, &hostaddr, options.port, options.address_family, options.connection_attempts, #ifdef HAVE_CYGWIN diff --git a/ssh_config b/ssh_config index 721e374e0..2692e8913 100644 --- a/ssh_config +++ b/ssh_config @@ -1,4 +1,4 @@ -# $OpenBSD: ssh_config,v 1.18 2003/05/16 03:27:12 djm Exp $ +# $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for @@ -18,7 +18,6 @@ # Host * # ForwardAgent no # ForwardX11 no -# RhostsAuthentication no # RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes diff --git a/ssh_config.5 b/ssh_config.5 index 3a79af8f0..fb341d79b 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.16 2003/07/22 13:35:22 markus Exp $ +.\" $OpenBSD: ssh_config.5,v 1.17 2003/08/13 08:46:31 markus Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -529,26 +529,6 @@ IPv6 addresses can be specified with an alternative syntax: Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. -.It Cm RhostsAuthentication -Specifies whether to try rhosts based authentication. -Note that this -declaration only affects the client side and has no effect whatsoever -on security. -Most servers do not permit RhostsAuthentication because it -is not secure (see -.Cm RhostsRSAAuthentication ) . -The argument to this keyword must be -.Dq yes -or -.Dq no . -The default is -.Dq no . -This option applies to protocol version 1 only and requires -.Nm ssh -to be setuid root and -.Cm UsePrivilegedPort -to be set to -.Dq yes . .It Cm RhostsRSAAuthentication Specifies whether to try rhosts based authentication with RSA host authentication. @@ -629,11 +609,9 @@ If set to must be setuid root. Note that this option must be set to .Dq yes -if -.Cm RhostsAuthentication -and +for .Cm RhostsRSAAuthentication -authentications are needed with older servers. +with older servers. .It Cm User Specifies the user to log in as. This can be useful when a different user name is used on different machines. diff --git a/sshconnect1.c b/sshconnect1.c index 8851c35f6..5e1802b10 100644 --- a/sshconnect1.c +++ b/sshconnect1.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect1.c,v 1.54 2003/07/22 13:35:22 markus Exp $"); +RCSID("$OpenBSD: sshconnect1.c,v 1.55 2003/08/13 08:46:31 markus Exp $"); #include #include @@ -931,26 +931,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host, } #endif /* KRB5 */ - /* - * Use rhosts authentication if running in privileged socket and we - * do not wish to remain anonymous. - */ - if ((supported_authentications & (1 << SSH_AUTH_RHOSTS)) && - options.rhosts_authentication) { - debug("Trying rhosts authentication."); - packet_start(SSH_CMSG_AUTH_RHOSTS); - packet_put_cstring(local_user); - packet_send(); - packet_write_wait(); - - /* The server should respond with success or failure. */ - type = packet_read(); - if (type == SSH_SMSG_SUCCESS) - goto success; - if (type != SSH_SMSG_FAILURE) - packet_disconnect("Protocol error: got %d in response to rhosts auth", - type); - } /* * Try .rhosts or /etc/hosts.equiv authentication with RSA host * authentication. diff --git a/sshd.8 b/sshd.8 index 1cad834f6..4749fab84 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.198 2003/06/10 09:12:12 jmc Exp $ +.\" $OpenBSD: sshd.8,v 1.199 2003/08/13 08:46:31 markus Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -292,7 +292,6 @@ may also be used to prevent from making DNS requests unless the authentication mechanism or configuration requires it. Authentication mechanisms that may require DNS include -.Cm RhostsAuthentication , .Cm RhostsRSAAuthentication , .Cm HostbasedAuthentication and using a diff --git a/sshd.c b/sshd.c index 896e56c76..dc275b0cb 100644 --- a/sshd.c +++ b/sshd.c @@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.274 2003/07/22 13:35:22 markus Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.275 2003/08/13 08:46:31 markus Exp $"); #include #include @@ -1462,20 +1462,7 @@ main(int ac, char **av) alarm(options.login_grace_time); sshd_exchange_identification(sock_in, sock_out); - /* - * Check that the connection comes from a privileged port. - * Rhosts-Authentication only makes sense from privileged - * programs. Of course, if the intruder has root access on his local - * machine, he can connect from any port. So do not use these - * authentication methods from machines that you do not trust. - */ - if (options.rhosts_authentication && - (remote_port >= IPPORT_RESERVED || - remote_port < IPPORT_RESERVED / 2)) { - debug("Rhosts Authentication disabled, " - "originating port %d not trusted.", remote_port); - options.rhosts_authentication = 0; - } + #ifdef KRB5 if (!packet_connection_is_ipv4() && options.kerberos_authentication) { @@ -1643,8 +1630,6 @@ do_ssh1_kex(void) /* Declare supported authentication types. */ auth_mask = 0; - if (options.rhosts_authentication) - auth_mask |= 1 << SSH_AUTH_RHOSTS; if (options.rhosts_rsa_authentication) auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA; if (options.rsa_authentication) diff --git a/sshd_config b/sshd_config index 262b6883a..a2bd2ff60 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.62 2003/07/23 07:42:43 markus Exp $ +# $OpenBSD: sshd_config,v 1.63 2003/08/13 08:46:31 markus Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -40,10 +40,6 @@ #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys -# rhosts authentication should not be used -#RhostsAuthentication no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 @@ -51,6 +47,8 @@ # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes diff --git a/sshd_config.5 b/sshd_config.5 index 223ff8aae..3d920cc80 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.21 2003/07/22 13:35:22 markus Exp $ +.\" $OpenBSD: sshd_config.5,v 1.22 2003/08/13 08:46:31 markus Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -260,7 +260,6 @@ Specifies that and .Pa .shosts files will not be used in -.Cm RhostsAuthentication , .Cm RhostsRSAAuthentication or .Cm HostbasedAuthentication . @@ -529,10 +528,6 @@ Specifies whether public key authentication is allowed. The default is .Dq yes . Note that this option applies to protocol version 2 only. -.It Cm RhostsAuthentication -Specifies whether authentication using rhosts or /etc/hosts.equiv -files is sufficient. -Normally, this method should not be permitted because it is insecure. .Cm RhostsRSAAuthentication should be used instead, because it performs RSA-based host authentication in addition -- cgit v1.2.3 From 1c52ee3e6f2653a474c8a31aafa5a7e595dd8081 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 13 Aug 2003 20:38:36 +1000 Subject: - markus@cvs.openbsd.org 2003/08/13 09:07:10 [readconf.c ssh.c] socks4->socks, since with support both 4 and 5; dtucker@zip.com.au --- ChangeLog | 5 ++++- readconf.c | 4 ++-- ssh.c | 4 ++-- 3 files changed, 8 insertions(+), 5 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index b421d6ffd..2140b20c8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,9 @@ ssh_config.5 sshconnect1.c sshd.8 sshd.c sshd_config sshd_config.5] remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@, fgsch@, miod@, henning@, jakob@ and others + - markus@cvs.openbsd.org 2003/08/13 09:07:10 + [readconf.c ssh.c] + socks4->socks, since with support both 4 and 5; dtucker@zip.com.au 20030811 - (dtucker) OpenBSD CVS Sync @@ -828,4 +831,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2891 2003/08/13 10:37:05 dtucker Exp $ +$Id: ChangeLog,v 1.2892 2003/08/13 10:38:36 dtucker Exp $ diff --git a/readconf.c b/readconf.c index 355a7dfcc..96ad25a51 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.116 2003/08/13 08:46:30 markus Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.117 2003/08/13 09:07:09 markus Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -670,7 +670,7 @@ parse_int: fatal("%.200s line %d: Badly formatted port number.", filename, linenum); if (*activep) - add_local_forward(options, fwd_port, "socks4", 0); + add_local_forward(options, fwd_port, "socks", 0); break; case oClearAllForwardings: diff --git a/ssh.c b/ssh.c index 71556e205..694bb5acc 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.199 2003/08/13 08:46:30 markus Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.200 2003/08/13 09:07:10 markus Exp $"); #include #include @@ -445,7 +445,7 @@ again: optarg); exit(1); } - add_local_forward(&options, fwd_port, "socks4", 0); + add_local_forward(&options, fwd_port, "socks", 0); break; case 'C': -- cgit v1.2.3 From 59d3d5b8b4813bdd1d4518d6839bd392ff6d21f7 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 22 Aug 2003 09:34:41 +1000 Subject: - (djm) s/get_progname/ssh_get_progname/g to avoid conflict with Heimdal -lbroken; ok dtucker --- ChangeLog | 6 +++++- logintest.c | 4 ++-- openbsd-compat/bsd-misc.c | 4 ++-- openbsd-compat/bsd-misc.h | 4 ++-- scp.c | 2 +- sftp-server.c | 2 +- sftp.c | 2 +- ssh-add.c | 2 +- ssh-agent.c | 2 +- ssh-keygen.c | 2 +- ssh-keyscan.c | 2 +- ssh-rand-helper.c | 4 ++-- ssh.c | 2 +- sshd.c | 2 +- 14 files changed, 22 insertions(+), 18 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index 081b07907..ded30f05a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20030822 + - (djm) s/get_progname/ssh_get_progname/g to avoid conflict with Heimdal + -lbroken; ok dtucker + 20030821 - (dtucker) OpenBSD CVS Sync - markus@cvs.openbsd.org 2003/08/14 16:08:58 @@ -845,4 +849,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2896 2003/08/21 07:58:29 dtucker Exp $ +$Id: ChangeLog,v 1.2897 2003/08/21 23:34:41 djm Exp $ diff --git a/logintest.c b/logintest.c index a0c08118b..3f3997d10 100644 --- a/logintest.c +++ b/logintest.c @@ -43,7 +43,7 @@ #include "loginrec.h" -RCSID("$Id: logintest.c,v 1.9 2003/06/02 00:42:17 djm Exp $"); +RCSID("$Id: logintest.c,v 1.10 2003/08/21 23:34:41 djm Exp $"); #ifdef HAVE___PROGNAME extern char *__progname; @@ -287,7 +287,7 @@ main(int argc, char *argv[]) { printf("Platform-independent login recording test driver\n"); - __progname = get_progname(argv[0]); + __progname = ssh_get_progname(argv[0]); if (argc == 2) { if (strncmp(argv[1], "-i", 3) == 0) compile_opts_only = 1; diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c index d4c793724..56cb45ade 100644 --- a/openbsd-compat/bsd-misc.c +++ b/openbsd-compat/bsd-misc.c @@ -25,13 +25,13 @@ #include "includes.h" #include "xmalloc.h" -RCSID("$Id: bsd-misc.c,v 1.17 2003/08/13 10:48:07 dtucker Exp $"); +RCSID("$Id: bsd-misc.c,v 1.18 2003/08/21 23:34:42 djm Exp $"); /* * NB. duplicate __progname in case it is an alias for argv[0] * Otherwise it may get clobbered by setproctitle() */ -char *get_progname(char *argv0) +char *ssh_get_progname(char *argv0) { #ifdef HAVE___PROGNAME extern char *__progname; diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h index f2fbdc2e3..2857de59b 100644 --- a/openbsd-compat/bsd-misc.h +++ b/openbsd-compat/bsd-misc.h @@ -22,14 +22,14 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* $Id: bsd-misc.h,v 1.10 2003/08/13 10:48:07 dtucker Exp $ */ +/* $Id: bsd-misc.h,v 1.11 2003/08/21 23:34:42 djm Exp $ */ #ifndef _BSD_MISC_H #define _BSD_MISC_H #include "config.h" -char *get_progname(char *); +char *ssh_get_progname(char *); #ifndef HAVE_SETSID #define setsid() setpgrp(0, getpid()) diff --git a/scp.c b/scp.c index cf979f250..4f9247c2d 100644 --- a/scp.c +++ b/scp.c @@ -222,7 +222,7 @@ main(int argc, char **argv) extern char *optarg; extern int optind; - __progname = get_progname(argv[0]); + __progname = ssh_get_progname(argv[0]); args.list = NULL; addargs(&args, "ssh"); /* overwritten with ssh_program */ diff --git a/sftp-server.c b/sftp-server.c index 250814d72..9166853ed 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1030,7 +1030,7 @@ main(int ac, char **av) /* XXX should use getopt */ - __progname = get_progname(av[0]); + __progname = ssh_get_progname(av[0]); handle_init(); #ifdef DEBUG_SFTP_SERVER diff --git a/sftp.c b/sftp.c index 4354bfd44..c2a6593b8 100644 --- a/sftp.c +++ b/sftp.c @@ -132,7 +132,7 @@ main(int argc, char **argv) extern int optind; extern char *optarg; - __progname = get_progname(argv[0]); + __progname = ssh_get_progname(argv[0]); args.list = NULL; addargs(&args, "ssh"); /* overwritten with ssh_program */ addargs(&args, "-oForwardX11 no"); diff --git a/ssh-add.c b/ssh-add.c index 5b0fbbce6..2e394e5c1 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -319,7 +319,7 @@ main(int argc, char **argv) char *sc_reader_id = NULL; int i, ch, deleting = 0, ret = 0; - __progname = get_progname(argv[0]); + __progname = ssh_get_progname(argv[0]); init_rng(); seed_rng(); diff --git a/ssh-agent.c b/ssh-agent.c index 6c8ff30dd..c05c61468 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1024,7 +1024,7 @@ main(int ac, char **av) SSLeay_add_all_algorithms(); - __progname = get_progname(av[0]); + __progname = ssh_get_progname(av[0]); init_rng(); seed_rng(); diff --git a/ssh-keygen.c b/ssh-keygen.c index 2ce5553f6..dbc514737 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -809,7 +809,7 @@ main(int ac, char **av) extern int optind; extern char *optarg; - __progname = get_progname(av[0]); + __progname = ssh_get_progname(av[0]); SSLeay_add_all_algorithms(); log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); diff --git a/ssh-keyscan.c b/ssh-keyscan.c index 358a1e353..9fa8aaebc 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c @@ -697,7 +697,7 @@ main(int argc, char **argv) extern int optind; extern char *optarg; - __progname = get_progname(argv[0]); + __progname = ssh_get_progname(argv[0]); init_rng(); seed_rng(); TAILQ_INIT(&tq); diff --git a/ssh-rand-helper.c b/ssh-rand-helper.c index 88e6e7c05..7e65e4569 100644 --- a/ssh-rand-helper.c +++ b/ssh-rand-helper.c @@ -39,7 +39,7 @@ #include "pathnames.h" #include "log.h" -RCSID("$Id: ssh-rand-helper.c,v 1.12 2003/07/06 05:20:46 dtucker Exp $"); +RCSID("$Id: ssh-rand-helper.c,v 1.13 2003/08/21 23:34:41 djm Exp $"); /* Number of bytes we write out */ #define OUTPUT_SEED_SIZE 48 @@ -769,7 +769,7 @@ main(int argc, char **argv) extern char *optarg; LogLevel ll; - __progname = get_progname(argv[0]); + __progname = ssh_get_progname(argv[0]); log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); ll = SYSLOG_LEVEL_INFO; diff --git a/ssh.c b/ssh.c index 694bb5acc..46640a857 100644 --- a/ssh.c +++ b/ssh.c @@ -212,7 +212,7 @@ main(int ac, char **av) extern int optind, optreset; extern char *optarg; - __progname = get_progname(av[0]); + __progname = ssh_get_progname(av[0]); init_rng(); /* diff --git a/sshd.c b/sshd.c index dc275b0cb..0e1bde3a3 100644 --- a/sshd.c +++ b/sshd.c @@ -819,7 +819,7 @@ main(int ac, char **av) #ifdef HAVE_SECUREWARE (void)set_auth_parameters(ac, av); #endif - __progname = get_progname(av[0]); + __progname = ssh_get_progname(av[0]); init_rng(); /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ -- cgit v1.2.3 From fb10e9abe83d4d0b9ec36ee90587270d5bdc0cfd Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 2 Sep 2003 22:58:22 +1000 Subject: - markus@cvs.openbsd.org 2003/09/01 18:15:50 [readconf.c readconf.h servconf.c servconf.h ssh.c] remove unused kerberos code; ok henning@ --- ChangeLog | 5 ++++- readconf.c | 17 +---------------- readconf.h | 4 +--- servconf.c | 9 +-------- servconf.h | 4 +--- ssh.c | 5 ++--- 6 files changed, 10 insertions(+), 34 deletions(-) (limited to 'ssh.c') diff --git a/ChangeLog b/ChangeLog index 5796787d5..1aaa41485 100644 --- a/ChangeLog +++ b/ChangeLog @@ -41,6 +41,9 @@ - markus@cvs.openbsd.org 2003/09/01 13:52:18 [ssh.h] rm whitespace + - markus@cvs.openbsd.org 2003/09/01 18:15:50 + [readconf.c readconf.h servconf.c servconf.h ssh.c] + remove unused kerberos code; ok henning@ 20030829 - (bal) openbsd-compat/ clean up. Considate headers, add in Id on our @@ -956,4 +959,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2931 2003/09/02 12:57:54 djm Exp $ +$Id: ChangeLog,v 1.2932 2003/09/02 12:58:22 djm Exp $ diff --git a/readconf.c b/readconf.c index d7ef58936..13987ffa7 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.120 2003/09/01 12:50:46 markus Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.121 2003/09/01 18:15:50 markus Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -92,7 +92,6 @@ typedef enum { oForwardAgent, oForwardX11, oGatewayPorts, oPasswordAuthentication, oRSAAuthentication, oChallengeResponseAuthentication, oXAuthLocation, - oKerberosAuthentication, oKerberosTgtPassing, oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, @@ -383,14 +382,6 @@ parse_flag: intptr = &options->challenge_response_authentication; goto parse_flag; - case oKerberosAuthentication: - intptr = &options->kerberos_authentication; - goto parse_flag; - - case oKerberosTgtPassing: - intptr = &options->kerberos_tgt_passing; - goto parse_flag; - case oGssAuthentication: intptr = &options->gss_authentication; goto parse_flag; @@ -821,8 +812,6 @@ initialize_options(Options * options) options->rsa_authentication = -1; options->pubkey_authentication = -1; options->challenge_response_authentication = -1; - options->kerberos_authentication = -1; - options->kerberos_tgt_passing = -1; options->gss_authentication = -1; options->gss_deleg_creds = -1; options->password_authentication = -1; @@ -895,10 +884,6 @@ fill_default_options(Options * options) options->pubkey_authentication = 1; if (options->challenge_response_authentication == -1) options->challenge_response_authentication = 1; - if (options->kerberos_authentication == -1) - options->kerberos_authentication = 1; - if (options->kerberos_tgt_passing == -1) - options->kerberos_tgt_passing = 1; if (options->gss_authentication == -1) options->gss_authentication = 1; if (options->gss_deleg_creds == -1) diff --git a/readconf.h b/readconf.h index 1100205b8..60287f710 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.54 2003/08/22 10:56:09 markus Exp $ */ +/* $OpenBSD: readconf.h,v 1.55 2003/09/01 18:15:50 markus Exp $ */ /* * Author: Tatu Ylonen @@ -40,8 +40,6 @@ typedef struct { int hostbased_authentication; /* ssh2's rhosts_rsa */ int challenge_response_authentication; /* Try S/Key or TIS, authentication. */ - int kerberos_authentication; /* Try Kerberos authentication. */ - int kerberos_tgt_passing; /* Try Kerberos TGT passing. */ int gss_authentication; /* Try GSS authentication */ int gss_deleg_creds; /* Delegate GSS credentials */ int password_authentication; /* Try password diff --git a/servconf.c b/servconf.c index 6051918c2..71e28b3cb 100644 --- a/servconf.c +++ b/servconf.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.126 2003/08/28 12:54:34 markus Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.127 2003/09/01 18:15:50 markus Exp $"); #include "ssh.h" #include "log.h" @@ -72,7 +72,6 @@ initialize_server_options(ServerOptions *options) options->kerberos_authentication = -1; options->kerberos_or_local_passwd = -1; options->kerberos_ticket_cleanup = -1; - options->kerberos_tgt_passing = -1; options->gss_authentication=-1; options->gss_cleanup_creds = -1; options->password_authentication = -1; @@ -182,8 +181,6 @@ fill_default_server_options(ServerOptions *options) options->kerberos_or_local_passwd = 1; if (options->kerberos_ticket_cleanup == -1) options->kerberos_ticket_cleanup = 1; - if (options->kerberos_tgt_passing == -1) - options->kerberos_tgt_passing = 0; if (options->gss_authentication == -1) options->gss_authentication = 0; if (options->gss_cleanup_creds == -1) @@ -632,10 +629,6 @@ parse_flag: intptr = &options->kerberos_ticket_cleanup; goto parse_flag; - case sKerberosTgtPassing: - intptr = &options->kerberos_tgt_passing; - goto parse_flag; - case sGssAuthentication: intptr = &options->gss_authentication; goto parse_flag; diff --git a/servconf.h b/servconf.h index f86cb2209..828e94c5c 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.64 2003/08/22 10:56:09 markus Exp $ */ +/* $OpenBSD: servconf.h,v 1.65 2003/09/01 18:15:50 markus Exp $ */ /* * Author: Tatu Ylonen @@ -80,8 +80,6 @@ typedef struct { * /etc/passwd */ int kerberos_ticket_cleanup; /* If true, destroy ticket * file on logout. */ - int kerberos_tgt_passing; /* If true, permit Kerberos TGT - * passing. */ int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_cleanup_creds; /* If true, destroy cred cache on logout */ int password_authentication; /* If true, permit password diff --git a/ssh.c b/ssh.c index 46640a857..35418f693 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.200 2003/08/13 09:07:10 markus Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.201 2003/09/01 18:15:50 markus Exp $"); #include #include @@ -154,7 +154,6 @@ usage(void) _PATH_SSH_USER_CONFFILE); fprintf(stderr, " -A Enable authentication agent forwarding.\n"); fprintf(stderr, " -a Disable authentication agent forwarding (default).\n"); - fprintf(stderr, " -k Disable Kerberos ticket forwarding.\n"); fprintf(stderr, " -X Enable X11 connection forwarding.\n"); fprintf(stderr, " -x Disable X11 connection forwarding (default).\n"); fprintf(stderr, " -i file Identity for public key authentication " @@ -305,7 +304,7 @@ again: options.forward_agent = 1; break; case 'k': - options.kerberos_tgt_passing = 0; + /* ignored for backward compatibility */ break; case 'i': if (stat(optarg, &st) < 0) { -- cgit v1.2.3