From 04f9af7dfcac6a2230bbb574ea8ddaa5e39baa04 Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Thu, 4 Jul 2002 00:03:56 +0000 Subject: - markus@cvs.openbsd.org 2002/06/27 08:49:44 [dh.c ssh-keyscan.c sshconnect.c] more checks for NULL pointers; from grendel@zeitbombe.org; ok deraadt@ --- sshconnect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'sshconnect.c') diff --git a/sshconnect.c b/sshconnect.c index b89321fb8..32e57296e 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.126 2002/06/23 03:30:17 deraadt Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.127 2002/06/27 08:49:44 markus Exp $"); #include @@ -476,7 +476,7 @@ confirm(const char *prompt) (p[0] == '\0') || (p[0] == '\n') || strncasecmp(p, "no", 2) == 0) ret = 0; - if (strncasecmp(p, "yes", 3) == 0) + if (p && strncasecmp(p, "yes", 3) == 0) ret = 1; if (p) xfree(p); -- cgit v1.2.3 From efee05958cc5ef649fde971a307b70eee2941871 Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Thu, 11 Jul 2002 03:54:43 +0000 Subject: - itojun@cvs.openbsd.org 2002/07/09 11:56:50 [sshconnect.c] silently try next address on connect(2). markus ok --- ChangeLog | 6 +++++- sshconnect.c | 4 +++- 2 files changed, 8 insertions(+), 2 deletions(-) (limited to 'sshconnect.c') diff --git a/ChangeLog b/ChangeLog index 52aafe15f..8d06e07c5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,10 @@ 20020710 - (tim) [contrib/cygwin/ssh-host-config] explicitely sets the permissions on /var/empty to 755 Patch by vinschen@redhat.com + - (bal) OpenBSD CVS Sync + - itojun@cvs.openbsd.org 2002/07/09 11:56:50 + [sshconnect.c] + silently try next address on connect(2). markus ok 20020709 - (bal) NO_IPPORT_RESERVED_CONCEPT used instead of CYGWIN so other platforms 
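Review bot: The consent test in the confirm() hunk is still a prefix match: `strncasecmp(p, "yes", 3) == 0` accepts any answer that merely starts with "yes", and the `strncasecmp(p, "no", 2)` test in the context line above likewise matches any answer starting with "no". For a prompt that gates host-key acceptance the comparison should be exact once the trailing newline is stripped, e.g. `if (p && strcasecmp(p, "yes") == 0)` after replacing the `'\n'` with `'\0'`. The added `p &&` guard is the right shape; the start of the preceding condition and the code that produces `p` are outside the hunk, so whether `p` can be an empty or unterminated buffer cannot be checked here.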
@@ -1324,4 +1328,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2353 2002/07/10 14:40:11 tim Exp $ +$Id: ChangeLog,v 1.2354 2002/07/11 03:54:43 mouring Exp $ diff --git a/sshconnect.c b/sshconnect.c index 32e57296e..f4301be39 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.127 2002/06/27 08:49:44 markus Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.128 2002/07/09 11:56:50 itojun Exp $"); #include @@ -307,9 +307,11 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, } else { if (errno == ECONNREFUSED) full_failure = 0; +#if 0 log("ssh: connect to address %s port %s: %s", sockaddr_ntop(ai->ai_addr, ai->ai_addrlen), strport, strerror(errno)); +#endif /* * Close the failed socket; there appear to * be some problems when reusing a socket for -- cgit v1.2.3 From ba8df7d76d980e3c3cb3a0af79a87312cfaf5840 Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Thu, 11 Jul 2002 03:58:11 +0000 Subject: - itojun@cvs.openbsd.org 2002/07/09 12:04:02 [sshconnect.c] ed static function (less warnings) --- ChangeLog | 5 ++++- sshconnect.c | 4 +++- 2 files changed, 7 insertions(+), 2 deletions(-) (limited to 'sshconnect.c') diff --git a/ChangeLog b/ChangeLog index d6c8753b1..1258042b9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,9 @@ suppress log on reverse lookup failiure, as there's no real value in doing so. markus ok + - itojun@cvs.openbsd.org 2002/07/09 12:04:02 + [sshconnect.c] + ed static function (less warnings) 20020709 - (bal) NO_IPPORT_RESERVED_CONCEPT used instead of CYGWIN so other platforms @@ -1333,4 +1336,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2355 2002/07/11 03:56:46 mouring Exp $ +$Id: ChangeLog,v 1.2356 2002/07/11 03:58:11 mouring Exp $ 
diff --git a/sshconnect.c b/sshconnect.c index f4301be39..ba5deb441 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.128 2002/07/09 11:56:50 itojun Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.129 2002/07/09 12:04:02 itojun Exp $"); #include @@ -46,6 +46,7 @@ extern uid_t original_effective_uid; #define INET6_ADDRSTRLEN 46 #endif +#if 0 static const char * sockaddr_ntop(struct sockaddr *sa, socklen_t salen) { @@ -56,6 +57,7 @@ sockaddr_ntop(struct sockaddr *sa, socklen_t salen) fatal("sockaddr_ntop: getnameinfo NI_NUMERICHOST failed"); return addrbuf; } +#endif /* * Connect to the given ssh server using a proxy command. -- cgit v1.2.3 From a6cd75c49ed90186bb400c08b8878c2c711b9f58 Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Thu, 11 Jul 2002 04:00:19 +0000 Subject: - itojun@cvs.openbsd.org 2002/07/10 10:28:15 [sshconnect.c] bark if all connection attempt fails. --- ChangeLog | 5 ++++- sshconnect.c | 12 +++++------- 2 files changed, 9 insertions(+), 8 deletions(-) (limited to 'sshconnect.c') diff --git a/ChangeLog b/ChangeLog index a2dc37ccb..b869756c1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,9 @@ - stevesk@cvs.openbsd.org 2002/07/09 17:46:25 [sshd_config.5] clarify no preference ordering in protocol list; ok markus@ + - itojun@cvs.openbsd.org 2002/07/10 10:28:15 + [sshconnect.c] + bark if all connection attempt fails. 20020709 - (bal) NO_IPPORT_RESERVED_CONCEPT used instead of CYGWIN so other platforms @@ -1339,4 +1342,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2357 2002/07/11 03:59:18 mouring Exp $ +$Id: ChangeLog,v 1.2358 2002/07/11 04:00:19 mouring Exp $ diff --git a/sshconnect.c b/sshconnect.c index ba5deb441..ae6c5f32b 100644 --- a/sshconnect.c +++ b/sshconnect.c 
@@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.129 2002/07/09 12:04:02 itojun Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.130 2002/07/10 10:28:15 itojun Exp $"); #include @@ -309,11 +309,6 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, } else { if (errno == ECONNREFUSED) full_failure = 0; -#if 0 - log("ssh: connect to address %s port %s: %s", - sockaddr_ntop(ai->ai_addr, ai->ai_addrlen), - strport, strerror(errno)); -#endif /* * Close the failed socket; there appear to * be some problems when reusing a socket for @@ -336,8 +331,11 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, freeaddrinfo(aitop); /* Return failure if we didn't get a successful connection. */ - if (attempt >= connection_attempts) + if (attempt >= connection_attempts) { + log("ssh: connect to host %s port %s: %s", + host, strport, strerror(errno)); return full_failure ? ECONNABORTED : ECONNREFUSED; + } debug("Connection established."); -- cgit v1.2.3 From 728aa7e18c378ce990aa3419917c665181904ba8 Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Mon, 15 Jul 2002 17:48:11 +0000 Subject: - itojun@cvs.openbsd.org 2002/07/12 13:29:09 [sshconnect.c] print connect failure during debugging mode. --- ChangeLog | 8 +++++++- sshconnect.c | 17 +++-------------- 2 files changed, 10 insertions(+), 15 deletions(-) (limited to 'sshconnect.c') diff --git a/ChangeLog b/ChangeLog index f60d926f3..2c765c7e5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20020715 + - (bal) OpenBSD CVS Sync + - itojun@cvs.openbsd.org 2002/07/12 13:29:09 + [sshconnect.c] + print connect failure during debugging mode. + 20020714 - (tim) [Makefile.in] replace "id sshd" with "sshd -t" - (bal/tim) [acconfig.h configure.ac monitor_mm.c servconf.c 
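Review bot: In the second sshconnect.c hunk (`@@ -336,8 +331,11 @@`) the new log() call prints `strerror(errno)` after `freeaddrinfo(aitop)` has already run, and after the close()/retry path the earlier hunk's "Close the failed socket" comment refers to, so the text may describe whatever those calls last set rather than the connect() failure that decided `full_failure`. Capture it where that decision is made, `saved_errno = errno;` next to the `ECONNREFUSED` test, and print `strerror(saved_errno)` here. Since the first hunk removes the per-address message, this line is now the only diagnostic the user gets, so it should be reliable. ssh_connect() begins and ends outside the hunk.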
@@ -1361,4 +1367,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2366 2002/07/14 22:50:51 tim Exp $ +$Id: ChangeLog,v 1.2367 2002/07/15 17:48:11 mouring Exp $ diff --git a/sshconnect.c b/sshconnect.c index ae6c5f32b..9f8458dc7 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.130 2002/07/10 10:28:15 itojun Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.131 2002/07/12 13:29:09 itojun Exp $"); #include @@ -46,19 +46,6 @@ extern uid_t original_effective_uid; #define INET6_ADDRSTRLEN 46 #endif -#if 0 -static const char * -sockaddr_ntop(struct sockaddr *sa, socklen_t salen) -{ - static char addrbuf[NI_MAXHOST]; - - if (getnameinfo(sa, salen, addrbuf, sizeof(addrbuf), NULL, 0, - NI_NUMERICHOST) != 0) - fatal("sockaddr_ntop: getnameinfo NI_NUMERICHOST failed"); - return addrbuf; -} -#endif - /* * Connect to the given ssh server using a proxy command. */ @@ -309,6 +296,8 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, } else { if (errno == ECONNREFUSED) full_failure = 0; + debug("connect to address %s port %s: %s", + ntop, strport, strerror(errno)); /* * Close the failed socket; there appear to * be some problems when reusing a socket for -- cgit v1.2.3 From 3ed6640532ea53bc37182262141c9e917a448025 Mon Sep 17 00:00:00 2001 
From: Ben Lindstrom Date: Thu, 1 Aug 2002 01:21:56 +0000 Subject: - markus@cvs.openbsd.org 2002/07/24 16:11:18 [hostfile.c hostfile.h sshconnect.c] print out all known keys for a host if we get a unknown host key, see discussion at http://marc.theaimsgroup.com/?t=101069210100016&r=1&w=4 the ssharp mitm tool attacks users in a similar way, so i'd like to pointed out again: A MITM attack is always possible if the ssh client prints: The authenticity of host 'bla' can't be established. (protocol version 2 with pubkey authentication allows you to detect MITM attacks) --- ChangeLog | 16 ++++++++++++- hostfile.c | 44 +++++++++++++++++++++++++++++------- hostfile.h | 6 +++-- sshconnect.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++---- 4 files changed, 124 insertions(+), 15 deletions(-) (limited to 'sshconnect.c') diff --git a/ChangeLog b/ChangeLog index d53270d4e..546671bf0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,17 @@ +20020731 + - (bal) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2002/07/24 16:11:18 + [hostfile.c hostfile.h sshconnect.c] + print out all known keys for a host if we get a unknown host key, + see discussion at http://marc.theaimsgroup.com/?t=101069210100016&r=1&w=4 + + the ssharp mitm tool attacks users in a similar way, so i'd like to + pointed out again: + A MITM attack is always possible if the ssh client prints: + The authenticity of host 'bla' can't be established. + (protocol version 2 with pubkey authentication allows you to detect + MITM attacks) + 20020730 - (bal) [uidswap.c] SCO compile correction by gert@greenie.muc.de @@ -1465,4 +1479,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2409 2002/07/30 19:32:07 mouring Exp $ +$Id: ChangeLog,v 1.2410 2002/08/01 01:21:56 mouring Exp $ diff --git a/hostfile.c b/hostfile.c index cefff8d62..dcee03448 100644 --- a/hostfile.c +++ b/hostfile.c 
@@ -36,7 +36,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: hostfile.c,v 1.29 2001/12/18 10:04:21 jakob Exp $"); +RCSID("$OpenBSD: hostfile.c,v 1.30 2002/07/24 16:11:18 markus Exp $"); #include "packet.h" #include "match.h" @@ -91,11 +91,14 @@ hostfile_check_key(int bits, Key *key, const char *host, const char *filename, i * in the list of our known hosts. Returns HOST_OK if the host is known and * has the specified key, HOST_NEW if the host is not known, and HOST_CHANGED * if the host is known but used to have a different host key. + * + * If no 'key' has been specified and a key of type 'keytype' is known + * for the specified host, then HOST_FOUND is returned. */ -HostStatus -check_host_in_hostfile(const char *filename, const char *host, Key *key, - Key *found, int *numret) +static HostStatus +check_host_in_hostfile_by_key_or_type(const char *filename, + const char *host, Key *key, int keytype, Key *found, int *numret) { FILE *f; char line[8192]; @@ -105,8 +108,7 @@ check_host_in_hostfile(const char *filename, const char *host, Key *key, HostStatus end_return; debug3("check_host_in_hostfile: filename %s", filename); - if (key == NULL) - fatal("no key to look up"); + /* Open the file containing the list of known hosts. */ f = fopen(filename, "r"); if (!f) @@ -147,12 +149,20 @@ check_host_in_hostfile(const char *filename, const char *host, Key *key, */ if (!hostfile_read_key(&cp, &kbits, found)) continue; - if (!hostfile_check_key(kbits, found, host, filename, linenum)) - continue; if (numret != NULL) *numret = linenum; + if (key == NULL) { + /* we found a key of the requested type */ + if (found->type == keytype) + return HOST_FOUND; + continue; + } + + if (!hostfile_check_key(kbits, found, host, filename, linenum)) + continue; + /* Check if the current key is the same as the given key. */ if (key_equal(key, found)) { /* Ok, they match. */ 
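Review bot: In the `key == NULL` branch added to the loop (`@@ -147,12 +149,20 @@`), HOST_FOUND is returned for the first key whose `type` equals `keytype` before `hostfile_check_key()` is reached, so whatever validation or warning that helper provides (its body is outside the hunk) is not applied to type lookups, and `*numret` is now stored for every parsed key instead of only for those that passed it. Because the type lookup drives the "keys of different type are already known" warning shown to the user, the entry reported should be one that passed the same checks as the by-key path: keep `if (!hostfile_check_key(kbits, found, host, filename, linenum)) continue;` ahead of both branches and move `if (numret != NULL) *numret = linenum;` after it, then the `key == NULL` block. The first match also ends the scan, so a second key of that type for the same host is never reported; that is a design choice worth a comment on the `return HOST_FOUND`. The function's fopen/fclose and HOST_NEW/HOST_CHANGED bookkeeping are outside this hunk.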
@@ -177,6 +187,24 @@ check_host_in_hostfile(const char *filename, const char *host, Key *key, return end_return; } +HostStatus +check_host_in_hostfile(const char *filename, const char *host, Key *key, + Key *found, int *numret) +{ + if (key == NULL) + fatal("no key to look up"); + return (check_host_in_hostfile_by_key_or_type(filename, host, key, 0, + found, numret)); +} + +int +lookup_key_in_hostfile_by_type(const char *filename, const char *host, + int keytype, Key *found, int *numret) +{ + return (check_host_in_hostfile_by_key_or_type(filename, host, NULL, + keytype, found, numret) == HOST_FOUND); +} + /* * Appends an entry to the host file. Returns false if the entry could not * be appended. diff --git a/hostfile.h b/hostfile.h index 0244fdb53..063732421 100644 --- a/hostfile.h +++ b/hostfile.h @@ -1,4 +1,4 @@ -/* $OpenBSD: hostfile.h,v 1.10 2001/12/18 10:04:21 jakob Exp $ */ +/* $OpenBSD: hostfile.h,v 1.11 2002/07/24 16:11:18 markus Exp $ */ /* * Author: Tatu Ylonen @@ -15,12 +15,14 @@ #define HOSTFILE_H typedef enum { - HOST_OK, HOST_NEW, HOST_CHANGED + HOST_OK, HOST_NEW, HOST_CHANGED, HOST_FOUND, } HostStatus; int hostfile_read_key(char **, u_int *, Key *); HostStatus check_host_in_hostfile(const char *, const char *, Key *, Key *, int *); int add_host_to_hostfile(const char *, const char *, Key *); +int +lookup_key_in_hostfile_by_type(const char *, const char *, int , Key *, int *); #endif diff --git a/sshconnect.c b/sshconnect.c index 9f8458dc7..8599684e5 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.131 2002/07/12 13:29:09 itojun Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.132 2002/07/24 16:11:18 markus Exp $"); #include @@ -46,6 +46,8 @@ extern uid_t original_effective_uid; #define INET6_ADDRSTRLEN 46 #endif +static int show_other_keys(const char *, Key *); + /* * Connect to the given ssh server using a proxy command. */ 
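Review bot: HOST_FOUND is added to the public HostStatus enum in the hostfile.h hunk without any comment, yet the wrapper `check_host_in_hostfile()` in the hostfile.c hunk above never returns it (it passes a non-NULL key with keytype 0) and `lookup_key_in_hostfile_by_type()` reduces it to an int, so every `switch` over HostStatus in callers now needs a case that should be unreachable. A comment on the enumerator makes that contract explicit: `HOST_FOUND, /* internal: by-type lookup only; never returned by check_host_in_hostfile() */`. The new prototype has a stray space in `int , Key *`. The rest of the header is outside the hunk.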
@@ -494,7 +496,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, int salen; char ntop[NI_MAXHOST]; char msg[1024]; - int len, host_line, ip_line; + int len, host_line, ip_line, has_keys; const char *host_file = NULL, *ip_file = NULL; /* @@ -638,14 +640,19 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, "have requested strict checking.", type, host); goto fail; } else if (options.strict_host_key_checking == 2) { + has_keys = show_other_keys(host, host_key); /* The default */ fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); snprintf(msg, sizeof(msg), "The authenticity of host '%.200s (%s)' can't be " - "established.\n" + "established%s\n" "%s key fingerprint is %s.\n" "Are you sure you want to continue connecting " - "(yes/no)? ", host, ip, type, fp); + "(yes/no)? ", + host, ip, + has_keys ? ",\nbut keys of different type are already " + "known for this host." : ".", + type, fp); xfree(fp); if (!confirm(msg)) goto fail; @@ -748,6 +755,9 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, * accept the authentication. */ break; + case HOST_FOUND: + fatal("internal error"); + break; } if (options.check_host_ip && host_status != HOST_CHANGED && 
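Review bot: `show_other_keys(host, host_key)` is called only inside the `strict_host_key_checking == 2` branch of the second hunk, so the other-type-key warning that the commit message motivates with the MITM scenario is never produced when strict checking is off and a new key is added automatically; that branch is outside the hunk, so this is inferred from the branch structure visible here, but if an auto-add path exists it should call `show_other_keys()` as well, since that is precisely the case where a key-type downgrade would be accepted silently. `has_keys` is assigned and read only in this branch, which is fine, but a short comment on the declaration would save the next reader from checking. In the third hunk the `break;` after `fatal("internal error");` is unreachable and can be dropped. check_host_key() begins and ends outside these hunks.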
@@ -859,3 +869,58 @@ ssh_put_password(char *password)
 memset(padded, 0, size);
 xfree(padded);
 }
+
+static int
+show_key_from_file(const char *file, const char *host, int keytype)
+{
+ Key *found;
+ char *fp;
+ int line, ret;
+
+ found = key_new(keytype);
+ if ((ret = lookup_key_in_hostfile_by_type(file, host,
+ keytype, found, &line))) {
+ fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
+ log("WARNING: %s key found for host %s\n"
+ "in file %s line %d with\n"
+ "%s key fingerprint %s.",
+ key_type(found), host, file, line,
+ key_type(found), fp);
+ xfree(fp);
+ }
+ key_free(found);
+ return (ret);
+}
+
+/* print all known host keys for a given host, but skip keys of given type */
+static int
+show_other_keys(const char *host, Key *key)
+{
+ int type[] = { KEY_RSA1, KEY_RSA, KEY_DSA, -1};
+ int i, found = 0;
+
+ for (i = 0; type[i] != -1; i++) {
+ if (type[i] == key->type)
+ continue;
+ if (type[i] != KEY_RSA1 &&
+ show_key_from_file(options.user_hostfile2, host, type[i])) {
+ found = 1;
+ continue;
+ }
+ if (type[i] != KEY_RSA1 &&
+ show_key_from_file(options.system_hostfile2, host, type[i])) {
+ found = 1;
+ continue;
+ }
+ if (show_key_from_file(options.user_hostfile, host, type[i])) {
+ found = 1;
+ continue;
+ }
+ if (show_key_from_file(options.system_hostfile, host, type[i])) {
+ found = 1;
+ continue;
+ }
+ debug2("no key of type %d for host %s", type[i], host);
+ }
+ return (found);
+}
-- 
cgit v1.2.3
From 4b99be899cc47064c13d8beabc32fe5c3a8f94b5 Mon Sep 17 00:00:00 2001
From: Ben Lindstrom
Date: Thu, 1 Aug 2002 01:26:29 +0000
Subject: - markus@cvs.openbsd.org 2002/07/29 18:57:30 [sshconnect.c] print file:line
---
 ChangeLog | 5 ++++-
 sshconnect.c | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)
(limited to 'sshconnect.c')
diff --git a/ChangeLog b/ChangeLog
index 990778d46..9657aca12 100644
--- a/ChangeLog
+++ b/ChangeLog
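Review bot: show_other_keys() stops at the first file that yields a key of a given type (`found = 1; continue;` after every hit), so when both the user and the system known_hosts files hold an entry of that type only one is printed, which falls short of the "print out all known keys for a host" intent stated in the commit message; the four copies of the same if/found/continue block are also better written by querying every file and OR-ing the results, as below. The lookup is by `host` only, so an entry recorded under the address alone would not be reported — presumably acceptable, but worth a comment above the loop. show_key_from_file() hands `options.user_hostfile2` and the other three paths straight to the hostfile lookup; I assume the options layer always fills them in, otherwise the fopen in hostfile.c would receive NULL — confirm.
```c
/* … unchanged: show_key_from_file() … */

/* print all known host keys for a given host, but skip keys of given type */
static int
show_other_keys(const char *host, Key *key)
{
	int type[] = { KEY_RSA1, KEY_RSA, KEY_DSA, -1};
	int i, found = 0, hit;

	for (i = 0; type[i] != -1; i++) {
		if (type[i] == key->type)
			continue;
		/* query every file so that all known keys of this type are shown */
		hit = 0;
		if (type[i] != KEY_RSA1) {
			hit |= show_key_from_file(options.user_hostfile2, host, type[i]);
			hit |= show_key_from_file(options.system_hostfile2, host, type[i]);
		}
		hit |= show_key_from_file(options.user_hostfile, host, type[i]);
		hit |= show_key_from_file(options.system_hostfile, host, type[i]);
		if (hit)
			found = 1;
		else
			debug2("no key of type %d for host %s", type[i], host);
	}
	return (found);
}
```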
@@ -15,6 +15,9 @@ [sftp.c] FallBackToRsh does not exist anywhere else. Remove it from here. OK deraadt. + - markus@cvs.openbsd.org 2002/07/29 18:57:30 + [sshconnect.c] + print file:line 20020730 - (bal) [uidswap.c] SCO compile correction by gert@greenie.muc.de @@ -1483,4 +1486,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2411 2002/08/01 01:25:00 mouring Exp $ +$Id: ChangeLog,v 1.2412 2002/08/01 01:26:29 mouring Exp $ diff --git a/sshconnect.c b/sshconnect.c index 8599684e5..6004bf5e4 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.132 2002/07/24 16:11:18 markus Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.133 2002/07/29 18:57:30 markus Exp $"); #include @@ -882,7 +882,7 @@ show_key_from_file(const char *file, const char *host, int keytype) keytype, found, &line))) { fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); log("WARNING: %s key found for host %s\n" - "in file %s line %d with\n" + "in %s:%d\n" "%s key fingerprint %s.", key_type(found), host, file, line, key_type(found), fp); -- cgit v1.2.3 From e1383cee9d671906424797c084940b2d382f2813 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 19 Sep 2002 11:49:37 +1000 Subject: - stevesk@cvs.openbsd.org 2002/09/13 19:23:09 [channels.c sshconnect.c sshd.c] remove use of SO_LINGER, it should not be needed. error check SO_REUSEADDR. fixup comments. ok markus@ --- ChangeLog | 6 +++++- channels.c | 15 +++++++-------- sshconnect.c | 12 +----------- sshd.c | 28 ++++++---------------------- 4 files changed, 19 insertions(+), 42 deletions(-) (limited to 'sshconnect.c') diff --git a/ChangeLog b/ChangeLog index 43c701af3..b0b40b288 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -6,6 +6,10 @@ - stevesk@cvs.openbsd.org 2002/09/12 19:50:36 [session.c ssh.1] add SSH_CONNECTION and deprecate SSH_CLIENT; bug #384. ok markus@ + - stevesk@cvs.openbsd.org 2002/09/13 19:23:09 + [channels.c sshconnect.c sshd.c] + remove use of SO_LINGER, it should not be needed. error check + SO_REUSEADDR. fixup comments. ok markus@ 20020912 - (djm) Made GNOME askpass programs return non-zero if cancel button is @@ -656,4 +660,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2465 2002/09/19 01:47:55 djm Exp $ +$Id: ChangeLog,v 1.2466 2002/09/19 01:49:37 djm Exp $ diff --git a/channels.c b/channels.c index 0ae37b6d8..cf1a6462b 100644 --- a/channels.c +++ b/channels.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.181 2002/09/09 14:54:14 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.182 2002/09/13 19:23:09 stevesk Exp $"); #include "ssh.h" #include "ssh1.h" @@ -2022,7 +2022,6 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por struct addrinfo hints, *ai, *aitop; const char *host; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; - struct linger linger; success = 0; host = (type == SSH_CHANNEL_RPORT_LISTENER) ? @@ -2065,13 +2064,13 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por continue; } /* - * Set socket options. We would like the socket to disappear - * as soon as it has been closed for whatever reason. + * Set socket options. + * Allow local port reuse in TIME_WAIT. */ - setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)); - linger.l_onoff = 1; - linger.l_linger = 5; - setsockopt(sock, SOL_SOCKET, SO_LINGER, &linger, sizeof(linger)); + if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, + sizeof(on)) == -1) + error("setsockopt SO_REUSEADDR: %s", strerror(errno)); + debug("Local forwarding listening on %s port %s.", ntop, strport); /* Bind the socket to the address. */ 
diff --git a/sshconnect.c b/sshconnect.c index 6004bf5e4..0cb824852 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.133 2002/07/29 18:57:30 markus Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.134 2002/09/13 19:23:09 stevesk Exp $"); #include @@ -229,7 +229,6 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, int sock = -1, attempt; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; struct addrinfo hints, *ai, *aitop; - struct linger linger; struct servent *sp; /* * Did we get only other errors than "Connection refused" (which @@ -330,15 +329,6 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, debug("Connection established."); - /* - * Set socket options. We would like the socket to disappear as soon - * as it has been closed for whatever reason. - */ - /* setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */ - linger.l_onoff = 1; - linger.l_linger = 5; - setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger)); - /* Set keepalives if requested. */ if (options.keepalives && setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&on, diff --git a/sshd.c b/sshd.c index 55c57e195..17f001669 100644 --- a/sshd.c +++ b/sshd.c @@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.257 2002/07/23 16:03:10 stevesk Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.258 2002/09/13 19:23:09 stevesk Exp $"); #include #include @@ -806,7 +806,6 @@ main(int ac, char **av) const char *remote_ip; int remote_port; FILE *f; - struct linger linger; struct addrinfo *ai; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; int listen_sock, maxfd; 
@@ -1152,17 +1151,12 @@ main(int ac, char **av) continue; } /* - * Set socket options. We try to make the port - * reusable and have it close as fast as possible - * without waiting in unnecessary wait states on - * close. + * Set socket options. + * Allow local port reuse in TIME_WAIT. */ - setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR, - &on, sizeof(on)); - linger.l_onoff = 1; - linger.l_linger = 5; - setsockopt(listen_sock, SOL_SOCKET, SO_LINGER, - &linger, sizeof(linger)); + if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR, + &on, sizeof(on)) == -1) + error("setsockopt SO_REUSEADDR: %s", strerror(errno)); debug("Bind to port %s on %s.", strport, ntop); @@ -1411,16 +1405,6 @@ main(int ac, char **av) signal(SIGCHLD, SIG_DFL); signal(SIGINT, SIG_DFL); - /* - * Set socket options for the connection. We want the socket to - * close as fast as possible without waiting for anything. If the - * connection is not a socket, these will do nothing. - */ - /* setsockopt(sock_in, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */ - linger.l_onoff = 1; - linger.l_linger = 5; - setsockopt(sock_in, SOL_SOCKET, SO_LINGER, &linger, sizeof(linger)); - /* Set keepalives if requested. */ if (options.keepalives && setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, -- cgit v1.2.3 From 8c4e18a6ec22a09b9082ff74b668685c30a028e7 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 19 Sep 2002 12:05:02 +1000 Subject: - djm@cvs.openbsd.org 2002/09/19 01:58:18 [ssh.c sshconnect.c] bugzilla.mindrot.org #223 - ProxyCommands don't exit. Patch from dtucker@zip.com.au; ok markus@ --- ChangeLog | 6 +++++- ssh.c | 13 ++++++++++++- sshconnect.c | 16 +++++++++++++--- 3 files changed, 30 insertions(+), 5 deletions(-) (limited to 'sshconnect.c') diff --git a/ChangeLog b/ChangeLog index 64b36b57c..938a39181 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -24,6 +24,10 @@ don't quit while creating X11 listening socket. http://mail-index.netbsd.org/current-users/2002/09/16/0005.html got from portable. markus ok + - djm@cvs.openbsd.org 2002/09/19 01:58:18 + [ssh.c sshconnect.c] + bugzilla.mindrot.org #223 - ProxyCommands don't exit. + Patch from dtucker@zip.com.au; ok markus@ 20020912 - (djm) Made GNOME askpass programs return non-zero if cancel button is @@ -674,4 +678,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2470 2002/09/19 01:54:54 djm Exp $ +$Id: ChangeLog,v 1.2471 2002/09/19 02:05:02 djm Exp $ diff --git a/ssh.c b/ssh.c index 7cef5e5ac..2c589de82 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.185 2002/09/11 18:27:26 stevesk Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.186 2002/09/19 01:58:18 djm Exp $"); #include #include @@ -146,6 +146,9 @@ int subsystem_flag = 0; /* # of replies received for global requests */ static int client_global_request_id = 0; +/* pid of proxycommand child process */ +pid_t proxy_command_pid = 0; + /* Prints a help message to the user. This function never returns. */ static void @@ -722,6 +725,14 @@ again: exit_status = compat20 ? ssh_session2() : ssh_session(); packet_close(); + + /* + * Send SIGHUP to proxy command if used. We don't wait() in + * case it hangs and instead rely on init to reap the child + */ + if (proxy_command_pid > 1) + kill(proxy_command_pid, SIGHUP); + return exit_status; } diff --git a/sshconnect.c b/sshconnect.c index 0cb824852..776d72065 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.134 2002/09/13 19:23:09 stevesk Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.135 2002/09/19 01:58:18 djm Exp $"); #include 
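Review bot: The guard `if (proxy_command_pid > 1)` in the ssh.c hunk encodes two facts the reader has to reconstruct — 0 is the "no proxy" value the new global is initialised with in the earlier hunk, and kill() with pid 0 would signal ssh's own process group — so the comment should say so: `/* 0 = no proxy; never pass 0 (our process group) or 1 to kill() */`. Whether SIGHUP actually ends the proxy depends on the command; one that ignores HUP will still linger, which "rely on init to reap the child" does not cover, so a hedged sentence to that effect belongs in the same comment. The surrounding session code is outside the hunk.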
@@ -41,6 +41,7 @@ extern Options options; extern char *__progname; extern uid_t original_real_uid; extern uid_t original_effective_uid; +extern pid_t proxy_command_pid; #ifndef INET6_ADDRSTRLEN /* for non IPv6 machines */ #define INET6_ADDRSTRLEN 46 @@ -64,9 +65,16 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) /* Convert the port number into a string. */ snprintf(strport, sizeof strport, "%hu", port); - /* Build the final command string in the buffer by making the - appropriate substitutions to the given proxy command. */ + /* + * Build the final command string in the buffer by making the + * appropriate substitutions to the given proxy command. + * + * Use "exec" to avoid "sh -c" processes on some platforms + * (e.g. Solaris) + */ buffer_init(&command); + buffer_append(&command, "exec ", 5); + for (cp = proxy_command; *cp; cp++) { if (cp[0] == '%' && cp[1] == '%') { buffer_append(&command, "%", 1); @@ -134,6 +142,8 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) /* Parent. */ if (pid < 0) fatal("fork failed: %.100s", strerror(errno)); + else + proxy_command_pid = pid; /* save pid to clean up later */ /* Close child side of the descriptors. */ close(pin[0]); -- cgit v1.2.3
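Review bot: Prepending `exec ` to the whole ProxyCommand string (`buffer_append(&command, "exec ", 5);` in the second hunk) changes the meaning of compound commands: with `a; b` or `a && b` the shell replaces itself with `a` and the rest of the list never runs, and a command that starts with a variable assignment or a shell builtin (`VAR=x cmd`, `cd dir && cmd`) fails outright. The commit message frames this as a Solaris `sh -c` workaround, so either apply the prefix only when the command contains no shell list operators, or state the new constraint in the comment added here: `/* NOTE: "exec" means a compound ProxyCommand (";", "&&") stops after its first command */`. In the third hunk the `else` after `fatal(...)` is redundant because fatal() does not return; `proxy_command_pid = pid;` can stand on its own. The command is handed to the shell further down in ssh_proxy_connect(), outside this hunk.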