From b18f15100a6b303734f22061d777352603a8968a Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 5 Oct 2005 23:02:16 +1000 Subject: - (dtucker) [configure.ac sshd.8] Enable locked account check (a prepended "*LOCKED*" string) for FreeBSD. Patch jeremie at le-hen.org and senthilkumar_sen at hotpop.com. --- sshd.8 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'sshd.8') diff --git a/sshd.8 b/sshd.8 index fdff4ac91..94cefdea2 100644 --- a/sshd.8 +++ b/sshd.8 @@ -123,7 +123,10 @@ on Solaris, .Ql \&* on HP-UX, containing .Ql Nologin -on Tru64 and a leading +on Tru64, +a leading +.Ql \&*LOCKED\&* +on FreeBSD and a leading .Ql \&!! on Linux). If there is a requirement to disable password authentication for the account while allowing still public-key, then the passwd field -- cgit v1.2.3 From 46259d86a22512f9c53da031d7b829f45720f011 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Mon, 28 Nov 2005 18:40:34 -0800 Subject: - (tim) [configure.ac sshd.8] Enable locked account check (a "*LK*" string) for UnixWare. --- ChangeLog | 4 +++- configure.ac | 5 ++++- sshd.8 | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) (limited to 'sshd.8') diff --git a/ChangeLog b/ChangeLog index 3ce14070f..738741405 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,8 @@ - dtucker@cvs.openbsd.org 2005/11/29 02:04:55 [ssh-keygen.c] Populate default key sizes before checking them; from & ok tim@ + - (tim) [configure.ac sshd.8] Enable locked account check (a "*LK*" string) + for UnixWare. 20051128 - (dtucker) [regress/yes-head.sh] Work around breakage caused by some @@ -3383,4 +3385,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4014 2005/11/29 02:10:24 dtucker Exp $ +$Id: ChangeLog,v 1.4015 2005/11/29 02:40:34 tim Exp $ diff --git a/configure.ac b/configure.ac index ffa94e863..0afb48716 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.311 2005/11/26 11:24:10 dtucker Exp $ +# $Id: configure.ac,v 1.312 2005/11/29 02:40:34 tim Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -434,6 +434,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(BROKEN_SETREUID) AC_DEFINE(BROKEN_SETREGID) AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd]) + AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") ;; # UnixWare 7.x, OpenUNIX 8 *-*-sysv5*) @@ -450,6 +451,8 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(BROKEN_LIBIAF, 1, [ia_uinfo routines not supported by OS yet]) ;; + *) AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") + ;; esac ;; *-*-sysv*) diff --git a/sshd.8 b/sshd.8 index 94cefdea2..c610f47b8 100644 --- a/sshd.8 +++ b/sshd.8 @@ -119,7 +119,7 @@ or its group is listed in \&. The definition of a locked account is system dependant. Some platforms have their own account database (eg AIX) and some modify the passwd field ( .Ql \&*LK\&* -on Solaris, +on Solaris and UnixWare, .Ql \&* on HP-UX, containing .Ql Nologin -- cgit v1.2.3 From d27b947178df3689bfb7fdfb62a5f1337ef73481 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 13 Dec 2005 19:29:02 +1100 Subject: - reyk@cvs.openbsd.org 2005/12/06 22:38:28 [auth-options.c auth-options.h channels.c channels.h clientloop.c] [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h] [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c] [sshconnect.h sshd.8 sshd_config sshd_config.5] Add support for tun(4) forwarding over OpenSSH, based on an idea and initial channel code bits by markus@. This is a simple and easy way to use OpenSSH for ad hoc virtual private network connections, e.g. administrative tunnels or secure wireless access. It's based on a new ssh channel and works similar to the existing TCP forwarding support, except that it depends on the tun(4) network interface on both ends of the connection for layer 2 or layer 3 tunneling. This diff also adds support for LocalCommand in the ssh(1) client. ok djm@, markus@, jmc@ (manpages), tested and discussed with others --- ChangeLog | 17 ++++++++++++++++- auth-options.c | 41 ++++++++++++++++++++++++++++++++++++++++- auth-options.h | 3 ++- channels.c | 42 ++++++++++++++++++++++++++++++++++++++++-- channels.h | 4 +++- clientloop.c | 11 ++++++++++- misc.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++- misc.h | 4 +++- readconf.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++--- readconf.h | 10 +++++++++- scp.c | 3 ++- servconf.c | 12 ++++++++++-- servconf.h | 5 ++++- serverloop.c | 34 +++++++++++++++++++++++++++++++++- sftp.c | 3 ++- ssh.1 | 20 +++++++++++++++++++- ssh.c | 39 ++++++++++++++++++++++++++++++++++++--- ssh_config | 5 ++++- ssh_config.5 | 38 +++++++++++++++++++++++++++++++++++++- sshconnect.c | 38 +++++++++++++++++++++++++++++++++++++- sshconnect.h | 4 ++-- sshd.8 | 10 +++++++++- sshd_config | 3 ++- sshd_config.5 | 8 +++++++- 24 files changed, 433 insertions(+), 31 deletions(-) (limited to 'sshd.8') diff --git a/ChangeLog b/ChangeLog index d187f2aa0..96ed9a05d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,21 @@ [ssh.1] avoid ambiguities in describing TZ; ok djm@ + - reyk@cvs.openbsd.org 2005/12/06 22:38:28 + [auth-options.c auth-options.h channels.c channels.h clientloop.c] + [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h] + [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c] + [sshconnect.h sshd.8 sshd_config sshd_config.5] + Add support for tun(4) forwarding over OpenSSH, based on an idea and + initial channel code bits by markus@. This is a simple and easy way to + use OpenSSH for ad hoc virtual private network connections, e.g. + administrative tunnels or secure wireless access. It's based on a new + ssh channel and works similar to the existing TCP forwarding support, + except that it depends on the tun(4) network interface on both ends of + the connection for layer 2 or layer 3 tunneling. This diff also adds + support for LocalCommand in the ssh(1) client. + + ok djm@, markus@, jmc@ (manpages), tested and discussed with others 20051201 - (djm) [envpass.sh] Remove regress script that was accidentally committed @@ -3399,4 +3414,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4018 2005/12/13 08:25:43 djm Exp $ +$Id: ChangeLog,v 1.4019 2005/12/13 08:29:02 djm Exp $ diff --git a/auth-options.c b/auth-options.c index a85e40835..54798d9ad 100644 --- a/auth-options.c +++ b/auth-options.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-options.c,v 1.31 2005/03/10 22:40:38 deraadt Exp $"); +RCSID("$OpenBSD: auth-options.c,v 1.32 2005/12/06 22:38:27 reyk Exp $"); #include "xmalloc.h" #include "match.h" @@ -35,6 +35,9 @@ char *forced_command = NULL; /* "environment=" options. */ struct envstring *custom_environment = NULL; +/* "tunnel=" option. */ +int forced_tun_device = -1; + extern ServerOptions options; void @@ -54,6 +57,7 @@ auth_clear_options(void) xfree(forced_command); forced_command = NULL; } + forced_tun_device = -1; channel_clear_permitted_opens(); auth_debug_reset(); } @@ -269,6 +273,41 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) xfree(patterns); goto next_option; } + cp = "tunnel=\""; + if (strncasecmp(opts, cp, strlen(cp)) == 0) { + char *tun = NULL; + opts += strlen(cp); + tun = xmalloc(strlen(opts) + 1); + i = 0; + while (*opts) { + if (*opts == '"') + break; + tun[i++] = *opts++; + } + if (!*opts) { + debug("%.100s, line %lu: missing end quote", + file, linenum); + auth_debug_add("%.100s, line %lu: missing end quote", + file, linenum); + xfree(tun); + forced_tun_device = -1; + goto bad_option; + } + tun[i] = 0; + forced_tun_device = a2tun(tun, NULL); + xfree(tun); + if (forced_tun_device < -1) { + debug("%.100s, line %lu: invalid tun device", + file, linenum); + auth_debug_add("%.100s, line %lu: invalid tun device", + file, linenum); + forced_tun_device = -1; + goto bad_option; + } + auth_debug_add("Forced tun device: %d", forced_tun_device); + opts++; + goto next_option; + } next_option: /* * Skip the comma, and move to the next option diff --git a/auth-options.h b/auth-options.h index 15fb21255..3cd02a71f 100644 --- a/auth-options.h +++ b/auth-options.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.h,v 1.12 2002/07/21 18:34:43 stevesk Exp $ */ +/* $OpenBSD: auth-options.h,v 1.13 2005/12/06 22:38:27 reyk Exp $ */ /* * Author: Tatu Ylonen @@ -28,6 +28,7 @@ extern int no_x11_forwarding_flag; extern int no_pty_flag; extern char *forced_command; extern struct envstring *custom_environment; +extern int forced_tun_device; int auth_parse_options(struct passwd *, char *, char *, u_long); void auth_clear_options(void); diff --git a/channels.c b/channels.c index 9607717cc..b4fd89f96 100644 --- a/channels.c +++ b/channels.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.227 2005/10/14 02:29:37 stevesk Exp $"); +RCSID("$OpenBSD: channels.c,v 1.228 2005/12/06 22:38:27 reyk Exp $"); #include "ssh.h" #include "ssh1.h" @@ -1414,6 +1414,8 @@ channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset) debug2("channel %d: filter stops", c->self); chan_read_failed(c); } + } else if (c->datagram) { + buffer_put_string(&c->input, buf, len); } else { buffer_append(&c->input, buf, len); } @@ -1432,6 +1434,23 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset) if (c->wfd != -1 && FD_ISSET(c->wfd, writeset) && buffer_len(&c->output) > 0) { + if (c->datagram) { + data = buffer_get_string(&c->output, &dlen); + /* ignore truncated writes, datagrams might get lost */ + c->local_consumed += dlen + 4; + len = write(c->wfd, data, dlen); + xfree(data); + if (len < 0 && (errno == EINTR || errno == EAGAIN)) + return 1; + if (len <= 0) { + if (c->type != SSH_CHANNEL_OPEN) + chan_mark_dead(c); + else + chan_write_failed(c); + return -1; + } + return 1; + } data = buffer_ptr(&c->output); dlen = buffer_len(&c->output); #ifdef _AIX @@ -1792,6 +1811,22 @@ channel_output_poll(void) if ((c->istate == CHAN_INPUT_OPEN || c->istate == CHAN_INPUT_WAIT_DRAIN) && (len = buffer_len(&c->input)) > 0) { + if (c->datagram) { + if (len > 0) { + u_char *data; + u_int dlen; + + data = buffer_get_string(&c->input, + &dlen); + packet_start(SSH2_MSG_CHANNEL_DATA); + packet_put_int(c->remote_id); + packet_put_string(data, dlen); + packet_send(); + c->remote_window -= dlen + 4; + xfree(data); + } + continue; + } /* * Send some data for the other side over the secure * connection. @@ -1914,7 +1949,10 @@ channel_input_data(int type, u_int32_t seq, void *ctxt) c->local_window -= data_len; } packet_check_eom(); - buffer_append(&c->output, data, data_len); + if (c->datagram) + buffer_put_string(&c->output, data, data_len); + else + buffer_append(&c->output, data, data_len); xfree(data); } diff --git a/channels.h b/channels.h index 7e1cc7c5a..743a2065e 100644 --- a/channels.h +++ b/channels.h @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.80 2005/10/10 10:23:08 djm Exp $ */ +/* $OpenBSD: channels.h,v 1.81 2005/12/06 22:38:27 reyk Exp $ */ /* * Author: Tatu Ylonen @@ -112,6 +112,8 @@ struct Channel { /* filter */ channel_filter_fn *input_filter; + + int datagram; /* keep boundaries */ }; #define CHAN_EXTENDED_IGNORE 0 diff --git a/clientloop.c b/clientloop.c index 001c8f119..a97734c3f 100644 --- a/clientloop.c +++ b/clientloop.c @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.145 2005/10/30 08:52:17 djm Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.146 2005/12/06 22:38:27 reyk Exp $"); #include "ssh.h" #include "ssh1.h" @@ -914,6 +914,15 @@ process_cmdline(void) logit(" -Lport:host:hostport Request local forward"); logit(" -Rport:host:hostport Request remote forward"); logit(" -KRhostport Cancel remote forward"); + if (!options.permit_local_command) + goto out; + logit(" !args Execute local command"); + goto out; + } + + if (*s == '!' && options.permit_local_command) { + s++; + ssh_local_cmd(s); goto out; } diff --git a/misc.c b/misc.c index 27b947f0c..9b23e2c37 100644 --- a/misc.c +++ b/misc.c @@ -24,7 +24,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: misc.c,v 1.35 2005/09/13 23:40:07 djm Exp $"); +RCSID("$OpenBSD: misc.c,v 1.36 2005/12/06 22:38:27 reyk Exp $"); #include "misc.h" #include "log.h" @@ -194,6 +194,37 @@ a2port(const char *s) return port; } +int +a2tun(const char *s, int *remote) +{ + const char *errstr = NULL; + char *sp, *ep; + int tun; + + if (remote != NULL) { + *remote = -1; + sp = xstrdup(s); + if ((ep = strchr(sp, ':')) == NULL) { + xfree(sp); + return (a2tun(s, NULL)); + } + ep[0] = '\0'; ep++; + *remote = a2tun(ep, NULL); + tun = a2tun(sp, NULL); + xfree(sp); + return (tun); + } + + if (strcasecmp(s, "any") == 0) + return (-1); + + tun = strtonum(s, 0, INT_MAX, &errstr); + if (errstr != NULL || tun < -1) + return (-2); + + return (tun); +} + #define SECONDS 1 #define MINUTES (SECONDS * 60) #define HOURS (MINUTES * 60) @@ -507,6 +538,31 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, return -1; } +int +tun_open(int tun) +{ + char name[100]; + int i, fd; + + if (tun > -1) { + snprintf(name, sizeof(name), "/dev/tun%d", tun); + if ((fd = open(name, O_RDWR)) >= 0) { + debug("%s: %s: %d", __func__, name, fd); + return (fd); + } + } else { + for (i = 100; i >= 0; i--) { + snprintf(name, sizeof(name), "/dev/tun%d", i); + if ((fd = open(name, O_RDWR)) >= 0) { + debug("%s: %s: %d", __func__, name, fd); + return (fd); + } + } + } + debug("%s: %s failed: %s", __func__, name, strerror(errno)); + return (-1); +} + void sanitise_stdfd(void) { diff --git a/misc.h b/misc.h index 51541336c..ff2ba1b5a 100644 --- a/misc.h +++ b/misc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.h,v 1.26 2005/09/13 23:40:07 djm Exp $ */ +/* $OpenBSD: misc.h,v 1.27 2005/12/06 22:38:27 reyk Exp $ */ /* * Author: Tatu Ylonen @@ -20,6 +20,7 @@ int set_nonblock(int); int unset_nonblock(int); void set_nodelay(int); int a2port(const char *); +int a2tun(const char *, int *); char *hpdelim(char **); char *cleanhostname(char *); char *colon(char *); @@ -49,3 +50,4 @@ void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3))); char *read_passphrase(const char *, int); int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); +int tun_open(int); diff --git a/readconf.c b/readconf.c index cf27a9f41..b6aad9d8d 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.143 2005/07/30 02:03:47 djm Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.144 2005/12/06 22:38:27 reyk Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -70,6 +70,10 @@ RCSID("$OpenBSD: readconf.c,v 1.143 2005/07/30 02:03:47 djm Exp $"); Cipher none PasswordAuthentication no + Host vpn.fake.com + Tunnel yes + TunnelDevice 3 + # Defaults for various options Host * ForwardAgent no @@ -107,6 +111,7 @@ typedef enum { oAddressFamily, oGssAuthentication, oGssDelegateCreds, oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, + oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oDeprecated, oUnsupported } OpCodes; @@ -198,6 +203,10 @@ static struct { { "controlpath", oControlPath }, { "controlmaster", oControlMaster }, { "hashknownhosts", oHashKnownHosts }, + { "tunnel", oTunnel }, + { "tunneldevice", oTunnelDevice }, + { "localcommand", oLocalCommand }, + { "permitlocalcommand", oPermitLocalCommand }, { NULL, oBadOption } }; @@ -264,6 +273,7 @@ clear_forwardings(Options *options) xfree(options->remote_forwards[i].connect_host); } options->num_remote_forwards = 0; + options->tun_open = 0; } /* @@ -296,7 +306,7 @@ process_config_line(Options *options, const char *host, int *activep) { char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256]; - int opcode, *intptr, value; + int opcode, *intptr, value, value2; size_t len; Forward fwd; @@ -553,9 +563,10 @@ parse_string: goto parse_string; case oProxyCommand: + charptr = &options->proxy_command; +parse_command: if (s == NULL) fatal("%.200s line %d: Missing argument.", filename, linenum); - charptr = &options->proxy_command; len = strspn(s, WHITESPACE "="); if (*activep && *charptr == NULL) *charptr = xstrdup(s + len); @@ -822,6 +833,31 @@ parse_int: intptr = &options->hash_known_hosts; goto parse_flag; + case oTunnel: + intptr = &options->tun_open; + goto parse_flag; + + case oTunnelDevice: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", filename, linenum); + value = a2tun(arg, &value2); + if (value < -1) + fatal("%.200s line %d: Bad tun device.", filename, linenum); + if (*activep) { + options->tun_local = value; + options->tun_remote = value2; + } + break; + + case oLocalCommand: + charptr = &options->local_command; + goto parse_command; + + case oPermitLocalCommand: + intptr = &options->permit_local_command; + goto parse_flag; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); @@ -966,6 +1002,11 @@ initialize_options(Options * options) options->control_path = NULL; options->control_master = -1; options->hash_known_hosts = -1; + options->tun_open = -1; + options->tun_local = -1; + options->tun_remote = -1; + options->local_command = NULL; + options->permit_local_command = -1; } /* @@ -1090,6 +1131,11 @@ fill_default_options(Options * options) options->control_master = 0; if (options->hash_known_hosts == -1) options->hash_known_hosts = 0; + if (options->tun_open == -1) + options->tun_open = 0; + if (options->permit_local_command == -1) + options->permit_local_command = 0; + /* options->local_command should not be set by default */ /* options->proxy_command should not be set by default */ /* options->user will be set in the main program if appropriate */ /* options->hostname will be set in the main program if appropriate */ diff --git a/readconf.h b/readconf.h index 2b9deb9db..4565b2c2c 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.67 2005/06/08 11:25:09 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.68 2005/12/06 22:38:27 reyk Exp $ */ /* * Author: Tatu Ylonen @@ -114,6 +114,14 @@ typedef struct { int control_master; int hash_known_hosts; + + int tun_open; /* tun(4) */ + int tun_local; /* force tun device (optional) */ + int tun_remote; /* force tun device (optional) */ + + char *local_command; + int permit_local_command; + } Options; #define SSHCTL_MASTER_NO 0 diff --git a/scp.c b/scp.c index a19021f85..5dced6ce4 100644 --- a/scp.c +++ b/scp.c @@ -71,7 +71,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: scp.c,v 1.127 2005/11/12 18:38:15 deraadt Exp $"); +RCSID("$OpenBSD: scp.c,v 1.128 2005/12/06 22:38:27 reyk Exp $"); #include "xmalloc.h" #include "atomicio.h" @@ -231,6 +231,7 @@ main(int argc, char **argv) addargs(&args, "ssh"); /* overwritten with ssh_program */ addargs(&args, "-x"); addargs(&args, "-oForwardAgent no"); + addargs(&args, "-oPermitLocalCommand no"); addargs(&args, "-oClearAllForwardings yes"); fflag = tflag = 0; diff --git a/servconf.c b/servconf.c index 9e420a527..91a0ced29 100644 --- a/servconf.c +++ b/servconf.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.144 2005/08/06 10:03:12 dtucker Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.145 2005/12/06 22:38:27 reyk Exp $"); #include "ssh.h" #include "log.h" @@ -101,6 +101,7 @@ initialize_server_options(ServerOptions *options) options->authorized_keys_file = NULL; options->authorized_keys_file2 = NULL; options->num_accept_env = 0; + options->permit_tun = -1; /* Needs to be accessable in many places */ use_privsep = -1; @@ -229,6 +230,8 @@ fill_default_server_options(ServerOptions *options) } if (options->authorized_keys_file == NULL) options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; + if (options->permit_tun == -1) + options->permit_tun = 0; /* Turn privilege separation on by default */ if (use_privsep == -1) @@ -270,7 +273,7 @@ typedef enum { sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, - sGssAuthentication, sGssCleanupCreds, sAcceptEnv, + sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sUsePrivilegeSeparation, sDeprecated, sUnsupported } ServerOpCodes; @@ -373,6 +376,7 @@ static struct { { "authorizedkeysfile2", sAuthorizedKeysFile2 }, { "useprivilegeseparation", sUsePrivilegeSeparation}, { "acceptenv", sAcceptEnv }, + { "permittunnel", sPermitTunnel }, { NULL, sBadOption } }; @@ -962,6 +966,10 @@ parse_flag: } break; + case sPermitTunnel: + intptr = &options->permit_tun; + goto parse_flag; + case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); diff --git a/servconf.h b/servconf.h index f7e56d521..ab82c8f57 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.71 2004/12/23 23:11:00 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.72 2005/12/06 22:38:27 reyk Exp $ */ /* * Author: Tatu Ylonen @@ -133,7 +133,10 @@ typedef struct { char *authorized_keys_file; /* File containing public keys */ char *authorized_keys_file2; + int use_pam; /* Enable auth via PAM */ + + int permit_tun; } ServerOptions; void initialize_server_options(ServerOptions *); diff --git a/serverloop.c b/serverloop.c index 03376bacf..199f7696d 100644 --- a/serverloop.c +++ b/serverloop.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: serverloop.c,v 1.121 2005/10/31 11:48:29 djm Exp $"); +RCSID("$OpenBSD: serverloop.c,v 1.122 2005/12/06 22:38:27 reyk Exp $"); #include "xmalloc.h" #include "packet.h" @@ -913,6 +913,36 @@ server_request_direct_tcpip(void) return c; } +static Channel * +server_request_tun(void) +{ + Channel *c = NULL; + int sock, tun; + + if (!options.permit_tun) { + packet_send_debug("Server has disabled tunnel device forwarding."); + return NULL; + } + + tun = packet_get_int(); + if (forced_tun_device != -1) { + if (tun != -1 && forced_tun_device != tun) + goto done; + tun = forced_tun_device; + } + sock = tun_open(tun); + if (sock < 0) + goto done; + c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1, + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); + c->datagram = 1; + + done: + if (c == NULL) + packet_send_debug("Failed to open the tunnel device."); + return c; +} + static Channel * server_request_session(void) { @@ -958,6 +988,8 @@ server_input_channel_open(int type, u_int32_t seq, void *ctxt) c = server_request_session(); } else if (strcmp(ctype, "direct-tcpip") == 0) { c = server_request_direct_tcpip(); + } else if (strcmp(ctype, "tun@openssh.com") == 0) { + c = server_request_tun(); } if (c != NULL) { debug("server_input_channel_open: confirm %s", ctype); diff --git a/sftp.c b/sftp.c index ff3223ad2..24f6dc538 100644 --- a/sftp.c +++ b/sftp.c @@ -16,7 +16,7 @@ #include "includes.h" -RCSID("$OpenBSD: sftp.c,v 1.68 2005/10/31 06:15:04 dtucker Exp $"); +RCSID("$OpenBSD: sftp.c,v 1.69 2005/12/06 22:38:27 reyk Exp $"); #ifdef USE_LIBEDIT #include @@ -1457,6 +1457,7 @@ main(int argc, char **argv) addargs(&args, "ssh"); /* overwritten with ssh_program */ addargs(&args, "-oForwardX11 no"); addargs(&args, "-oForwardAgent no"); + addargs(&args, "-oPermitLocalCommand no"); addargs(&args, "-oClearAllForwardings yes"); ll = SYSLOG_LEVEL_INFO; diff --git a/ssh.1 b/ssh.1 index dd97a8995..8a55c2f64 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.214 2005/11/30 11:45:20 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.215 2005/12/06 22:38:27 reyk Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -77,6 +77,7 @@ .Sm on .Oc .Op Fl S Ar ctl_path +.Op Fl w Ar tunnel : tunnel .Oo Ar user Ns @ Oc Ns Ar hostname .Op Ar command .Sh DESCRIPTION @@ -301,6 +302,12 @@ options (see below). It also allows the cancellation of existing remote port-forwardings using .Fl KR Ar hostport . +The +.Ic ! Ar command +allows the user to execute a local command if the +.Ic PermitLocalCommand +option is enabled in +.Xr ssh_config 5 . Basic help is available, using the .Fl h option. @@ -747,12 +754,14 @@ For full details of the options listed below, and their possible values, see .It IdentityFile .It IdentitiesOnly .It KbdInteractiveDevices +.It LocalCommand .It LocalForward .It LogLevel .It MACs .It NoHostAuthenticationForLocalhost .It NumberOfPasswordPrompts .It PasswordAuthentication +.It PermitLocalCommand .It Port .It PreferredAuthentications .It Protocol @@ -767,6 +776,8 @@ For full details of the options listed below, and their possible values, see .It SmartcardDevice .It StrictHostKeyChecking .It TCPKeepAlive +.It Tunnel +.It TunnelDevice .It UsePrivilegedPort .It User .It UserKnownHostsFile @@ -866,6 +877,13 @@ Multiple .Fl v options increase the verbosity. The maximum is 3. +.It Fl w +Requests a +.Xr tun 4 +device on the client and server like the +.Cm Tunnel +directive in +.Xr ssh_config 5 . .It Fl X Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file. diff --git a/ssh.c b/ssh.c index 2227755cd..8a4a0e4c9 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.254 2005/10/30 08:52:18 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.255 2005/12/06 22:38:27 reyk Exp $"); #include #include @@ -162,7 +162,7 @@ usage(void) " [-i identity_file] [-L [bind_address:]port:host:hostport]\n" " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n" " [-R [bind_address:]port:host:hostport] [-S ctl_path]\n" -" [user@]hostname [command]\n" +" [-w tunnel:tunnel] [user@]hostname [command]\n" ); exit(1); } @@ -244,7 +244,7 @@ main(int ac, char **av) again: while ((opt = getopt(ac, av, - "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVXY")) != -1) { + "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVw:XY")) != -1) { switch (opt) { case '1': options.protocol = SSH_PROTO_1; @@ -340,6 +340,14 @@ again: if (opt == 'V') exit(0); break; + case 'w': + options.tun_open = 1; + options.tun_local = a2tun(optarg, &options.tun_remote); + if (options.tun_local < -1) { + fprintf(stderr, "Bad tun device '%s'\n", optarg); + exit(1); + } + break; case 'q': options.log_level = SYSLOG_LEVEL_QUIET; break; @@ -1059,6 +1067,26 @@ ssh_session2_setup(int id, void *arg) packet_send(); } + if (options.tun_open) { + Channel *c; + int fd; + + debug("Requesting tun."); + if ((fd = tun_open(options.tun_local)) >= 0) { + c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, + 0, "tun", 1); + c->datagram = 1; + packet_start(SSH2_MSG_CHANNEL_OPEN); + packet_put_cstring("tun@openssh.com"); + packet_put_int(c->self); + packet_put_int(c->local_window_max); + packet_put_int(c->local_maxpacket); + packet_put_int(options.tun_remote); + packet_send(); + } + } + client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"), NULL, fileno(stdin), &command, environ, &ssh_subsystem_reply); @@ -1123,6 +1151,11 @@ ssh_session2(void) if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN)) id = ssh_session2_open(); + /* Execute a local command */ + if (options.local_command != NULL && + options.permit_local_command) + ssh_local_cmd(options.local_command); + /* If requested, let ssh continue in the background. */ if (fork_after_authentication_flag) if (daemon(1, 1) < 0) diff --git a/ssh_config b/ssh_config index f41bee0a2..7bc8762d6 100644 --- a/ssh_config +++ b/ssh_config @@ -1,4 +1,4 @@ -# $OpenBSD: ssh_config,v 1.20 2005/01/28 09:45:53 dtucker Exp $ +# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for @@ -37,3 +37,6 @@ # Cipher 3des # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc # EscapeChar ~ +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no diff --git a/ssh_config.5 b/ssh_config.5 index 13cdee88b..d1930baab 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.64 2005/10/30 08:43:47 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.65 2005/12/06 22:38:27 reyk Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -556,6 +556,14 @@ The default is Specifies the list of methods to use in keyboard-interactive authentication. Multiple method names must be comma-separated. The default is to use the server specified list. +.It Cm LocalCommand +Specifies a command to execute on the local machine after successfully +connecting to the server. +The command string extends to the end of the line, and is executed with +.Pa /bin/sh . +This directive is ignored unless +.Cm PermitLocalCommand +has been enabled. .It Cm LocalForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. @@ -628,6 +636,19 @@ The default is .It Cm Port Specifies the port number to connect on the remote host. Default is 22. +.It Cm PermitLocalCommand +Allow local command execution via the +.Ic LocalCommand +option or using the +.Ic ! Ar command +escape sequence in +.Xr ssh 1 . +The argument must be +.Dq yes +or +.Dq no . +The default is +.Dq no . .It Cm PreferredAuthentications Specifies the order in which the client should try protocol 2 authentication methods. @@ -887,6 +908,21 @@ Note that this option must be set to for .Cm RhostsRSAAuthentication with older servers. +.It Cm Tunnel +Request starting +.Xr tun 4 +device forwarding between the client and the server. +The argument must be +.Dq yes +or +.Dq no . +The default is +.Dq no . +.It Cm TunnelDevice +Force a specified +.Xr tun 4 +device on the client. +Without this option, the next available device will be used. .It Cm User Specifies the user to log in as. This can be useful when a different user name is used on different machines. diff --git a/sshconnect.c b/sshconnect.c index 2245a8af6..64ffec240 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.170 2005/10/30 08:52:18 djm Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.171 2005/12/06 22:38:27 reyk Exp $"); #include @@ -1034,3 +1034,39 @@ warn_changed_key(Key *host_key) xfree(fp); } + +/* + * Execute a local command + */ +int +ssh_local_cmd(const char *args) +{ + char *shell; + pid_t pid; + int status; + + if (!options.permit_local_command || + args == NULL || !*args) + return (1); + + if ((shell = getenv("SHELL")) == NULL) + shell = _PATH_BSHELL; + + pid = fork(); + if (pid == 0) { + debug3("Executing %s -c \"%s\"", shell, args); + execl(shell, shell, "-c", args, (char *)NULL); + error("Couldn't execute %s -c \"%s\": %s", + shell, args, strerror(errno)); + _exit(1); + } else if (pid == -1) + fatal("fork failed: %.100s", strerror(errno)); + while (waitpid(pid, &status, 0) == -1) + if (errno != EINTR) + fatal("Couldn't wait for child: %s", strerror(errno)); + + if (!WIFEXITED(status)) + return (1); + + return (WEXITSTATUS(status)); +} diff --git a/sshconnect.h b/sshconnect.h index 0be30fe69..e7c7a2b34 100644 --- a/sshconnect.h +++ b/sshconnect.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.h,v 1.17 2002/06/19 00:27:55 deraadt Exp $ */ +/* $OpenBSD: sshconnect.h,v 1.18 2005/12/06 22:38:28 reyk Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -49,7 +49,7 @@ void ssh_userauth1(const char *, const char *, char *, Sensitive *); void ssh_userauth2(const char *, const char *, char *, Sensitive *); void ssh_put_password(char *); - +int ssh_local_cmd(const char *); /* * Macros to raise/lower permissions. diff --git a/sshd.8 b/sshd.8 index c610f47b8..53eddcdfb 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.208 2005/06/08 03:50:00 djm Exp $ +.\" $OpenBSD: sshd.8,v 1.209 2005/12/06 22:38:28 reyk Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -518,6 +518,12 @@ Multiple options may be applied separated by commas. No pattern matching is performed on the specified hostnames, they must be literal domains or addresses. +.It Cm tunnel="n" +Force a +.Xr tun 4 +device on the server. +Without this option, the next available device will be used if +the client requests a tunnel. .El .Ss Examples 1024 33 12121...312314325 ylo@foo.bar @@ -527,6 +533,8 @@ from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi .Pp permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 +.Pp +tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== reyk@openbsd.org .Sh SSH_KNOWN_HOSTS FILE FORMAT The .Pa /etc/ssh/ssh_known_hosts diff --git a/sshd_config b/sshd_config index 1440c05ff..4957dd1a6 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $ +# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -96,6 +96,7 @@ #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 +#PermitTunnel no # no default banner path #Banner /some/path diff --git a/sshd_config.5 b/sshd_config.5 index 45c1c0131..3835fcd62 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.45 2005/09/21 23:36:54 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.46 2005/12/06 22:38:28 reyk Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -502,6 +502,12 @@ All other authentication methods are disabled for root. If this option is set to .Dq no root is not allowed to log in. +.It Cm PermitTunnel +Specifies whether +.Xr tun 4 +device forwarding is allowed. +The default is +.Dq no . .It Cm PermitUserEnvironment Specifies whether .Pa ~/.ssh/environment -- cgit v1.2.3 From d7f308f6d8b3583d8c97fa71cfb9b10f07ee5418 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 24 Dec 2005 14:55:16 +1100 Subject: - stevesk@cvs.openbsd.org 2005/12/21 22:44:26 [sshd.8] clarify precedence of -p, Port, ListenAddress; ok and help jmc@ --- ChangeLog | 5 ++++- ssh.1 | 7 ++++--- sshd.8 | 10 +++++++--- 3 files changed, 15 insertions(+), 7 deletions(-) (limited to 'sshd.8') diff --git a/ChangeLog b/ChangeLog index 4fd581232..645feffc0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,9 @@ [ssh.1] -Y does X11 forwarding too; ok markus + - stevesk@cvs.openbsd.org 2005/12/21 22:44:26 + [sshd.8] + clarify precedence of -p, Port, ListenAddress; ok and help jmc@ 20051220 - (dtucker) OpenBSD CVS Sync @@ -3525,4 +3528,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4045 2005/12/24 03:54:03 djm Exp $ +$Id: ChangeLog,v 1.4046 2005/12/24 03:55:16 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 2cf222234..36abe684a 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.226 2005/12/21 11:57:25 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.227 2005/12/21 12:53:31 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -851,9 +851,10 @@ If the variable is set to .Dq yes (or see the description of the -.Fl X +.Fl X , +.Fl x , and -.Fl x +.Fl Y options above) and the user is using X11 (the .Ev DISPLAY diff --git a/sshd.8 b/sshd.8 index 53eddcdfb..ee6e7d797 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.209 2005/12/06 22:38:28 reyk Exp $ +.\" $OpenBSD: sshd.8,v 1.210 2005/12/21 22:44:26 stevesk Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -288,8 +288,12 @@ For full details of the options, and their values, see Specifies the port on which the server listens for connections (default 22). Multiple port options are permitted. -Ports specified in the configuration file are ignored when a -command-line port is specified. +Ports specified in the configuration file with the +.Cm Port +option are ignored when a command-line port is specified. +Ports specified using the +.Cm ListenAddress +option override command-line ports. .It Fl q Quiet mode. Nothing is sent to the system log. -- cgit v1.2.3 From 7c24b81699c9b45f277ccefa5523e1a8d64a98a5 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 14 Jan 2006 10:09:56 +1100 Subject: - jmc@cvs.openbsd.org 2006/01/12 22:20:00 [sshd.8] refer to TCP forwarding, rather than TCP/IP forwarding; --- ChangeLog | 5 ++++- sshd.8 | 8 ++++---- 2 files changed, 8 insertions(+), 5 deletions(-) (limited to 'sshd.8') diff --git a/ChangeLog b/ChangeLog index b562035ef..b68b88e9a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,9 @@ refer to `TCP' rather than `TCP/IP' in the context of connection forwarding; ok markus + - jmc@cvs.openbsd.org 2006/01/12 22:20:00 + [sshd.8] + refer to TCP forwarding, rather than TCP/IP forwarding; 20060109 - (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on @@ -3696,4 +3699,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4087 2006/01/13 23:09:30 djm Exp $ +$Id: ChangeLog,v 1.4088 2006/01/13 23:09:56 djm Exp $ diff --git a/sshd.8 b/sshd.8 index ee6e7d797..241aefd43 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.210 2005/12/21 22:44:26 stevesk Exp $ +.\" $OpenBSD: sshd.8,v 1.211 2006/01/12 22:20:00 jmc Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -169,7 +169,7 @@ If the client successfully authenticates itself, a dialog for preparing the session is entered. At this time the client may request things like allocating a pseudo-tty, forwarding X11 connections, -forwarding TCP/IP connections, or forwarding the authentication agent +forwarding TCP connections, or forwarding the authentication agent connection over the secure channel. .Pp Finally, the client either requests a shell or execution of a command. @@ -480,7 +480,7 @@ A quote may be included in the command by quoting it with a backslash. This option might be useful to restrict certain public keys to perform just a specific operation. An example might be a key that permits remote backups but nothing else. -Note that the client may specify TCP/IP and/or X11 +Note that the client may specify TCP and/or X11 forwarding unless they are explicitly prohibited. Note that this option applies to shell, command or subsystem execution. .It Cm environment="NAME=value" @@ -497,7 +497,7 @@ This option is automatically disabled if .Cm UseLogin is enabled. .It Cm no-port-forwarding -Forbids TCP/IP forwarding when this key is used for authentication. +Forbids TCP forwarding when this key is used for authentication. Any port forward requests by the client will return an error. This might be used, e.g., in connection with the .Cm command -- cgit v1.2.3 From 99cc4a8f1e4e1ab45e41600518aa888e24b4df64 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 31 Jan 2006 21:45:53 +1100 Subject: - jmc@cvs.openbsd.org 2006/01/25 09:04:34 [sshd.8] move the options description up the page, and a few additional tweaks whilst in here; ok markus --- ChangeLog | 7 +- sshd.8 | 231 +++++++++++++++++++++++++++++++------------------------------- 2 files changed, 121 insertions(+), 117 deletions(-) (limited to 'sshd.8') diff --git a/ChangeLog b/ChangeLog index ada3d3ae8..5ec6e615d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,11 @@ [ssh_config.5] - word change, agreed w/ markus - consistency fixes + - jmc@cvs.openbsd.org 2006/01/25 09:04:34 + [sshd.8] + move the options description up the page, and a few additional tweaks + whilst in here; + ok markus 20060129 - (dtucker) [configure.ac opensshd.init.in] Bug #1144: Use /bin/sh for the @@ -3729,4 +3734,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4095 2006/01/31 10:39:03 djm Exp $ +$Id: ChangeLog,v 1.4096 2006/01/31 10:45:53 djm Exp $ diff --git a/sshd.8 b/sshd.8 index 241aefd43..3ca929d50 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.211 2006/01/12 22:20:00 jmc Exp $ +.\" $OpenBSD: sshd.8,v 1.212 2006/01/25 09:04:34 jmc Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -56,16 +56,14 @@ .Ek .Sh DESCRIPTION .Nm -(SSH Daemon) is the daemon program for +(OpenSSH Daemon) is the daemon program for .Xr ssh 1 . Together these programs replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. -The programs are intended to be as easy to -install and use as possible. .Pp .Nm -is the daemon that listens for connections from clients. +listens for connections from clients. It is normally started at boot from .Pa /etc/rc . It forks a new @@ -73,122 +71,13 @@ daemon for each incoming connection. The forked daemons handle key exchange, encryption, authentication, command execution, and data exchange. -This implementation of -.Nm -supports both SSH protocol version 1 and 2 simultaneously. -.Nm -works as follows: -.Ss SSH protocol version 1 -Each host has a host-specific RSA key -(normally 2048 bits) used to identify the host. -Additionally, when -the daemon starts, it generates a server RSA key (normally 768 bits). -This key is normally regenerated every hour if it has been used, and -is never stored on disk. -.Pp -Whenever a client connects, the daemon responds with its public -host and server keys. -The client compares the -RSA host key against its own database to verify that it has not changed. -The client then generates a 256-bit random number. -It encrypts this -random number using both the host key and the server key, and sends -the encrypted number to the server. -Both sides then use this -random number as a session key which is used to encrypt all further -communications in the session. -The rest of the session is encrypted -using a conventional cipher, currently Blowfish or 3DES, with 3DES -being used by default. -The client selects the encryption algorithm -to use from those offered by the server. -.Pp -Next, the server and the client enter an authentication dialog. -The client tries to authenticate itself using -.Em .rhosts -authentication combined with RSA host -authentication, RSA challenge-response authentication, or password -based authentication. -.Pp -Regardless of the authentication type, the account is checked to -ensure that it is accessible. An account is not accessible if it is -locked, listed in -.Cm DenyUsers -or its group is listed in -.Cm DenyGroups -\&. The definition of a locked account is system dependant. Some platforms -have their own account database (eg AIX) and some modify the passwd field ( -.Ql \&*LK\&* -on Solaris and UnixWare, -.Ql \&* -on HP-UX, containing -.Ql Nologin -on Tru64, -a leading -.Ql \&*LOCKED\&* -on FreeBSD and a leading -.Ql \&!! -on Linux). If there is a requirement to disable password authentication -for the account while allowing still public-key, then the passwd field -should be set to something other than these values (eg -.Ql NP -or -.Ql \&*NP\&* -). -.Pp -.Nm rshd , -.Nm rlogind , -and -.Nm rexecd -are disabled (thus completely disabling -.Xr rlogin -and -.Xr rsh -into the machine). -.Ss SSH protocol version 2 -Version 2 works similarly: -Each host has a host-specific key (RSA or DSA) used to identify the host. -However, when the daemon starts, it does not generate a server key. -Forward security is provided through a Diffie-Hellman key agreement. -This key agreement results in a shared session key. -.Pp -The rest of the session is encrypted using a symmetric cipher, currently -128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. -The client selects the encryption algorithm -to use from those offered by the server. -Additionally, session integrity is provided -through a cryptographic message authentication code -(hmac-sha1 or hmac-md5). -.Pp -Protocol version 2 provides a public key based -user (PubkeyAuthentication) or -client host (HostbasedAuthentication) authentication method, -conventional password authentication and challenge response based methods. -.Ss Command execution and data forwarding -If the client successfully authenticates itself, a dialog for -preparing the session is entered. -At this time the client may request -things like allocating a pseudo-tty, forwarding X11 connections, -forwarding TCP connections, or forwarding the authentication agent -connection over the secure channel. -.Pp -Finally, the client either requests a shell or execution of a command. -The sides then enter session mode. -In this mode, either side may send -data at any time, and such data is forwarded to/from the shell or -command on the server side, and the user terminal in the client side. -.Pp -When the user program terminates and all forwarded X11 and other -connections have been closed, the server sends command exit status to -the client, and both sides exit. .Pp .Nm can be configured using command-line options or a configuration file (by default -.Xr sshd_config 5 ) . -Command-line options override values specified in the +.Xr sshd_config 5 ) ; +command-line options override values specified in the configuration file. -.Pp .Nm rereads its configuration file when it receives a hangup signal, .Dv SIGHUP , @@ -338,6 +227,116 @@ USER@HOST pattern in or .Cm DenyUsers . .El +.Pp +This implementation of +.Nm +supports both SSH protocol version 1 and 2 simultaneously. +.Nm +works as follows: +.Ss SSH protocol version 1 +Each host has a host-specific RSA key +(normally 2048 bits) used to identify the host. +Additionally, when +the daemon starts, it generates a server RSA key (normally 768 bits). +This key is normally regenerated every hour if it has been used, and +is never stored on disk. +.Pp +Whenever a client connects, the daemon responds with its public +host and server keys. +The client compares the +RSA host key against its own database to verify that it has not changed. +The client then generates a 256-bit random number. +It encrypts this +random number using both the host key and the server key, and sends +the encrypted number to the server. +Both sides then use this +random number as a session key which is used to encrypt all further +communications in the session. +The rest of the session is encrypted +using a conventional cipher, currently Blowfish or 3DES, with 3DES +being used by default. +The client selects the encryption algorithm +to use from those offered by the server. +.Pp +Next, the server and the client enter an authentication dialog. +The client tries to authenticate itself using +.Em rhosts +authentication combined with RSA host +authentication, RSA challenge-response authentication, or password +based authentication. +.Pp +Regardless of the authentication type, the account is checked to +ensure that it is accessible. An account is not accessible if it is +locked, listed in +.Cm DenyUsers +or its group is listed in +.Cm DenyGroups +\&. The definition of a locked account is system dependant. Some platforms +have their own account database (eg AIX) and some modify the passwd field ( +.Ql \&*LK\&* +on Solaris and UnixWare, +.Ql \&* +on HP-UX, containing +.Ql Nologin +on Tru64, +a leading +.Ql \&*LOCKED\&* +on FreeBSD and a leading +.Ql \&!! +on Linux). If there is a requirement to disable password authentication +for the account while allowing still public-key, then the passwd field +should be set to something other than these values (eg +.Ql NP +or +.Ql \&*NP\&* +). +.Pp +System security is not improved unless +.Nm rshd , +.Nm rlogind , +and +.Nm rexecd +are disabled (thus completely disabling +.Xr rlogin +and +.Xr rsh +into the machine). +.Ss SSH protocol version 2 +Version 2 works similarly: +Each host has a host-specific key (RSA or DSA) used to identify the host. +However, when the daemon starts, it does not generate a server key. +Forward security is provided through a Diffie-Hellman key agreement. +This key agreement results in a shared session key. +.Pp +The rest of the session is encrypted using a symmetric cipher, currently +128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. +The client selects the encryption algorithm +to use from those offered by the server. +Additionally, session integrity is provided +through a cryptographic message authentication code +(hmac-sha1 or hmac-md5). +.Pp +Protocol version 2 provides a public key based +user (PubkeyAuthentication) or +client host (HostbasedAuthentication) authentication method, +conventional password authentication and challenge response based methods. +.Ss Command execution and data forwarding +If the client successfully authenticates itself, a dialog for +preparing the session is entered. +At this time the client may request +things like allocating a pseudo-tty, forwarding X11 connections, +forwarding TCP connections, or forwarding the authentication agent +connection over the secure channel. +.Pp +Finally, the client either requests a shell or execution of a command. +The sides then enter session mode. +In this mode, either side may send +data at any time, and such data is forwarded to/from the shell or +command on the server side, and the user terminal in the client side. +.Pp +When the user program terminates and all forwarded X11 and other +connections have been closed, the server sends command exit status to +the client, and both sides exit. .Sh CONFIGURATION FILE .Nm reads configuration data from -- cgit v1.2.3 From 7602cba59d11822c51346b44c043a39ef2fe608a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 31 Jan 2006 21:46:20 +1100 Subject: - jmc@cvs.openbsd.org 2006/01/25 09:07:22 [sshd.8] move subsections to full sections; --- ChangeLog | 5 ++++- sshd.8 | 8 ++++---- 2 files changed, 8 insertions(+), 5 deletions(-) (limited to 'sshd.8') diff --git a/ChangeLog b/ChangeLog index 5ec6e615d..9229652e8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ move the options description up the page, and a few additional tweaks whilst in here; ok markus + - jmc@cvs.openbsd.org 2006/01/25 09:07:22 + [sshd.8] + move subsections to full sections; 20060129 - (dtucker) [configure.ac opensshd.init.in] Bug #1144: Use /bin/sh for the @@ -3734,4 +3737,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4096 2006/01/31 10:45:53 djm Exp $ +$Id: ChangeLog,v 1.4097 2006/01/31 10:46:20 djm Exp $ diff --git a/sshd.8 b/sshd.8 index 3ca929d50..15c7651ba 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.212 2006/01/25 09:04:34 jmc Exp $ +.\" $OpenBSD: sshd.8,v 1.213 2006/01/25 09:07:22 jmc Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -233,7 +233,7 @@ This implementation of supports both SSH protocol version 1 and 2 simultaneously. .Nm works as follows: -.Ss SSH protocol version 1 +.Sh SSH PROTOCOL VERSION 1 Each host has a host-specific RSA key (normally 2048 bits) used to identify the host. Additionally, when @@ -301,7 +301,7 @@ are disabled (thus completely disabling and .Xr rsh into the machine). -.Ss SSH protocol version 2 +.Sh SSH PROTOCOL VERSION 2 Version 2 works similarly: Each host has a host-specific key (RSA or DSA) used to identify the host. However, when the daemon starts, it does not generate a server key. @@ -320,7 +320,7 @@ Protocol version 2 provides a public key based user (PubkeyAuthentication) or client host (HostbasedAuthentication) authentication method, conventional password authentication and challenge response based methods. -.Ss Command execution and data forwarding +.Sh COMMAND EXECUTION AND DATA FORWARDING If the client successfully authenticates itself, a dialog for preparing the session is entered. At this time the client may request -- cgit v1.2.3 From 8bbdf90f3333a148eb655993e47b0168d907693d Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 1 Feb 2006 22:05:25 +1100 Subject: - (djm) OpenBSD CVS Sync - jmc@cvs.openbsd.org 2006/02/01 09:06:50 [sshd.8] - merge sections on protocols 1 and 2 into a single section - remove configuration file section ok markus --- ChangeLog | 8 ++++++- sshd.8 | 81 +++++++++++++++++++++++++++------------------------------------ 2 files changed, 42 insertions(+), 47 deletions(-) (limited to 'sshd.8') diff --git a/ChangeLog b/ChangeLog index dfd6db809..1d352d967 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,12 @@ - (djm) [regress/test-exec.sh] Try 'logname' as well as 'whoami' to determine the user's login name - needed for regress tests on Solaris 10 and OpenSolaris + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2006/02/01 09:06:50 + [sshd.8] + - merge sections on protocols 1 and 2 into a single section + - remove configuration file section + ok markus 20060131 - (djm) OpenBSD CVS Sync @@ -3803,4 +3809,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4113 2006/02/01 00:21:01 djm Exp $ +$Id: ChangeLog,v 1.4114 2006/02/01 11:05:25 djm Exp $ diff --git a/sshd.8 b/sshd.8 index 15c7651ba..0bc5f820a 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.213 2006/01/25 09:07:22 jmc Exp $ +.\" $OpenBSD: sshd.8,v 1.214 2006/02/01 09:06:50 jmc Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -227,20 +227,26 @@ USER@HOST pattern in or .Cm DenyUsers . .El -.Pp -This implementation of -.Nm -supports both SSH protocol version 1 and 2 simultaneously. -.Nm -works as follows: -.Sh SSH PROTOCOL VERSION 1 -Each host has a host-specific RSA key -(normally 2048 bits) used to identify the host. -Additionally, when -the daemon starts, it generates a server RSA key (normally 768 bits). +.Sh AUTHENTICATION +The OpenSSH SSH daemon supports SSH protocols 1 and 2. +Both protocols are supported by default, +though this can be changed via the +.Cm Protocol +option in +.Xr sshd_config 5 . +Protocol 2 supports both RSA and DSA keys; +protocol 1 only supports RSA keys. +For both protocols, +each host has a host-specific key, +normally 2048 bits, +used to identify the host. +.Pp +Forward security for protocol 1 is provided through +an additional server key, +normally 768 bits, +generated when the server starts. This key is normally regenerated every hour if it has been used, and is never stored on disk. -.Pp Whenever a client connects, the daemon responds with its public host and server keys. The client compares the @@ -258,12 +264,23 @@ being used by default. The client selects the encryption algorithm to use from those offered by the server. .Pp -Next, the server and the client enter an authentication dialog. +For protocol 2, +forward security is provided through a Diffie-Hellman key agreement. +This key agreement results in a shared session key. +The rest of the session is encrypted using a symmetric cipher, currently +128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. +The client selects the encryption algorithm +to use from those offered by the server. +Additionally, session integrity is provided +through a cryptographic message authentication code +(hmac-sha1 or hmac-md5). +.Pp +Finally, the server and the client enter an authentication dialog. The client tries to authenticate itself using -.Em rhosts -authentication combined with RSA host -authentication, RSA challenge-response authentication, or password -based authentication. +host-based authentication, +public key authentication, +challenge-response authentication, +or password authentication. .Pp Regardless of the authentication type, the account is checked to ensure that it is accessible. An account is not accessible if it is @@ -301,25 +318,6 @@ are disabled (thus completely disabling and .Xr rsh into the machine). -.Sh SSH PROTOCOL VERSION 2 -Version 2 works similarly: -Each host has a host-specific key (RSA or DSA) used to identify the host. -However, when the daemon starts, it does not generate a server key. -Forward security is provided through a Diffie-Hellman key agreement. -This key agreement results in a shared session key. -.Pp -The rest of the session is encrypted using a symmetric cipher, currently -128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. -The client selects the encryption algorithm -to use from those offered by the server. -Additionally, session integrity is provided -through a cryptographic message authentication code -(hmac-sha1 or hmac-md5). -.Pp -Protocol version 2 provides a public key based -user (PubkeyAuthentication) or -client host (HostbasedAuthentication) authentication method, -conventional password authentication and challenge response based methods. .Sh COMMAND EXECUTION AND DATA FORWARDING If the client successfully authenticates itself, a dialog for preparing the session is entered. @@ -337,15 +335,6 @@ command on the server side, and the user terminal in the client side. When the user program terminates and all forwarded X11 and other connections have been closed, the server sends command exit status to the client, and both sides exit. -.Sh CONFIGURATION FILE -.Nm -reads configuration data from -.Pa /etc/ssh/sshd_config -(or the file specified with -.Fl f -on the command line). -The file format and configuration options are described in -.Xr sshd_config 5 . .Sh LOGIN PROCESS When a user successfully logs in, .Nm -- cgit v1.2.3 From 2ac05779f76c651928eba7899165a4dca02f7b8f Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 1 Feb 2006 22:05:42 +1100 Subject: - jmc@cvs.openbsd.org 2006/02/01 09:11:41 [sshd.8] small tweak; --- ChangeLog | 5 ++++- sshd.8 | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'sshd.8') diff --git a/ChangeLog b/ChangeLog index 1d352d967..1b9dc9cb5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,9 @@ - merge sections on protocols 1 and 2 into a single section - remove configuration file section ok markus + - jmc@cvs.openbsd.org 2006/02/01 09:11:41 + [sshd.8] + small tweak; 20060131 - (djm) OpenBSD CVS Sync @@ -3809,4 +3812,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4114 2006/02/01 11:05:25 djm Exp $ +$Id: ChangeLog,v 1.4115 2006/02/01 11:05:42 djm Exp $ diff --git a/sshd.8 b/sshd.8 index 0bc5f820a..51d339b65 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.214 2006/02/01 09:06:50 jmc Exp $ +.\" $OpenBSD: sshd.8,v 1.215 2006/02/01 09:11:41 jmc Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -217,7 +217,7 @@ from making DNS requests unless the authentication mechanism or configuration requires it. Authentication mechanisms that may require DNS include .Cm RhostsRSAAuthentication , -.Cm HostbasedAuthentication +.Cm HostbasedAuthentication , and using a .Cm from="pattern-list" option in a key file. -- cgit v1.2.3