diff options
| author | Ben Lindstrom <mouring@eviladmin.org> | 2001-01-09 00:35:42 +0000 |
|---|---|---|
| committer | Ben Lindstrom <mouring@eviladmin.org> | 2001-01-09 00:35:42 +0000 |
| commit | 48bd7c118a25b950842864c7eb87ef666cbc342d (patch) | |
| tree | b678668f292f8a8bb5e00b9b8f89d86370a8e11f | |
| parent | 99a0563fd59e1d3e1b79a1a9dd38ce9f6b5059ee (diff) | |
- (bal) OpenBSD Sync
- markus@cvs.openbsd.org 2001/01/08 22:29:05
[auth2.c compat.c compat.h servconf.c servconf.h sshd.8
sshd_config version.h]
implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).
- markus@cvs.openbsd.org 2001/01/08 22:03:23
[channels.c ssh-keyscan.c]
O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com
- markus@cvs.openbsd.org 2001/01/08 21:55:41
[sshconnect1.c]
more cleanups and fixes from stevesk@pobox.com:
1) try_agent_authentication() for loop will overwrite key just
allocated with key_new(); don't alloc
2) call ssh_close_authentication_connection() before exit
try_agent_authentication()
3) free mem on bad passphrase in try_rsa_authentication()
- markus@cvs.openbsd.org 2001/01/08 21:48:17
[kex.c]
missing free; thanks stevesk@pobox.com
| -rw-r--r-- | ChangeLog | 21 | ||||
| -rw-r--r-- | auth2.c | 37 | ||||
| -rw-r--r-- | channels.c | 4 | ||||
| -rw-r--r-- | compat.c | 7 | ||||
| -rw-r--r-- | compat.h | 3 | ||||
| -rw-r--r-- | kex.c | 3 | ||||
| -rw-r--r-- | servconf.c | 9 | ||||
| -rw-r--r-- | servconf.h | 3 | ||||
| -rw-r--r-- | ssh-keyscan.c | 4 | ||||
| -rw-r--r-- | sshconnect1.c | 7 | ||||
| -rw-r--r-- | sshd.8 | 9 | ||||
| -rw-r--r-- | sshd_config | 1 | ||||
| -rw-r--r-- | version.h | 4 |
13 files changed, 96 insertions, 16 deletions
@@ -2,6 +2,27 @@ - (bal) Resync CVS ID of cli.c - (stevesk) auth1.c: free should be after WITH_AIXAUTHENTICATE code. + - (bal) OpenBSD Sync + - markus@cvs.openbsd.org 2001/01/08 22:29:05 + [auth2.c compat.c compat.h servconf.c servconf.h sshd.8 + sshd_config version.h] + implement option 'Banner /etc/issue.net' for ssh2, move version to + 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner + is enabled). + - markus@cvs.openbsd.org 2001/01/08 22:03:23 + [channels.c ssh-keyscan.c] + O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com + - markus@cvs.openbsd.org 2001/01/08 21:55:41 + [sshconnect1.c] + more cleanups and fixes from stevesk@pobox.com: + 1) try_agent_authentication() for loop will overwrite key just + allocated with key_new(); don't alloc + 2) call ssh_close_authentication_connection() before exit + try_agent_authentication() + 3) free mem on bad passphrase in try_rsa_authentication() + - markus@cvs.openbsd.org 2001/01/08 21:48:17 + [kex.c] + missing free; thanks stevesk@pobox.com 20010108 - (bal) Fixed another typo in cli.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.24 2000/12/28 14:25:51 markus Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.25 2001/01/08 22:29:05 markus Exp $"); #ifdef HAVE_OSF_SIA # include <sia.h> @@ -92,6 +92,7 @@ int user_key_allowed(struct passwd *pw, Key *key); char *authmethods_get(void); /* auth */ +void userauth_banner(void); int userauth_none(Authctxt *authctxt); int userauth_passwd(Authctxt *authctxt); int userauth_pubkey(Authctxt *authctxt); @@ -257,6 +258,39 @@ input_userauth_request(int type, int plen, void *ctxt) xfree(method); } +void +userauth_banner(void) +{ + struct stat st; + char *banner = NULL; + off_t len, n; + int fd; + + if (options.banner == NULL || (datafellows & SSH_BUG_BANNER)) + return; + if ((fd = open(options.banner, O_RDONLY)) < 0) { + error("userauth_banner: open %s failed: %s", + options.banner, strerror(errno)); + return; + } + if (fstat(fd, &st) < 0) + goto done; + len = st.st_size; + banner = xmalloc(len + 1); + if ((n = read(fd, banner, len)) < 0) + goto done; + banner[n] = '\0'; + packet_start(SSH2_MSG_USERAUTH_BANNER); + packet_put_cstring(banner); + packet_put_cstring(""); /* language, unused */ + packet_send(); + debug("userauth_banner: sent"); +done: + if (banner) + xfree(banner); + close(fd); + return; +} void userauth_log(Authctxt *authctxt, int authenticated, char *method) @@ -335,6 +369,7 @@ userauth_none(Authctxt *authctxt) if (m != NULL) m->enabled = NULL; packet_done(); + userauth_banner(); if (authctxt->valid == 0) return(0); @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.79 2000/12/29 22:19:13 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.80 2001/01/08 22:03:23 markus Exp $"); #include "ssh.h" #include "packet.h" @@ -1743,7 +1743,7 @@ channel_connect_to(const char *host, u_short host_port) error("socket: %.100s", strerror(errno)); continue; } - if (fcntl(sock, F_SETFL, O_NDELAY) < 0) + if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0) fatal("connect_to: F_SETFL: %s", strerror(errno)); /* Connect to the host/port. */ if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 && @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: compat.c,v 1.32 2000/12/09 23:51:11 provos Exp $"); +RCSID("$OpenBSD: compat.c,v 1.33 2001/01/08 22:29:05 markus Exp $"); #include "ssh.h" #include "packet.h" @@ -62,7 +62,10 @@ compat_datafellows(const char *version) char *pat; int bugs; } check[] = { - { "^OpenSSH[-_]2\\.[012]", SSH_OLD_SESSIONID }, + { "^OpenSSH[-_]2\\.[012]", + SSH_OLD_SESSIONID|SSH_BUG_BANNER }, + { "^OpenSSH_2\\.3\\.0", SSH_BUG_BANNER }, + { "^OpenSSH", 0 }, { "MindTerm", 0 }, { "^2\\.1\\.0", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| SSH_OLD_SESSIONID|SSH_BUG_DEBUG }, @@ -21,7 +21,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* RCSID("$OpenBSD: compat.h,v 1.13 2000/12/06 22:58:15 markus Exp $"); */ +/* RCSID("$OpenBSD: compat.h,v 1.14 2001/01/08 22:29:05 markus Exp $"); */ #ifndef COMPAT_H #define COMPAT_H @@ -38,6 +38,7 @@ #define SSH_OLD_SESSIONID 0x10 #define SSH_BUG_PKAUTH 0x20 #define SSH_BUG_DEBUG 0x40 +#define SSH_BUG_BANNER 0x80 void enable_compat13(void); void enable_compat20(void); @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kex.c,v 1.16 2000/12/20 19:37:22 markus Exp $"); +RCSID("$OpenBSD: kex.c,v 1.17 2001/01/08 21:48:17 markus Exp $"); #include "ssh.h" #include "ssh2.h" @@ -465,6 +465,7 @@ choose_hostkeyalg(Kex *k, char *client, char *server) k->hostkey_type = key_type_from_name(hostkeyalg); if (k->hostkey_type == KEY_UNSPEC) fatal("bad hostkey alg '%s'", hostkeyalg); + xfree(hostkeyalg); } Kex * @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.56 2001/01/07 11:28:06 markus Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.57 2001/01/08 22:29:05 markus Exp $"); #include "ssh.h" #include "servconf.h" @@ -78,6 +78,7 @@ initialize_server_options(ServerOptions *options) options->max_startups_begin = -1; options->max_startups_rate = -1; options->max_startups = -1; + options->banner = NULL; } void @@ -198,6 +199,7 @@ typedef enum { sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, + sBanner } ServerOpCodes; /* Textual representation of the tokens. */ @@ -257,6 +259,7 @@ static struct { { "gatewayports", sGatewayPorts }, { "subsystem", sSubsystem }, { "maxstartups", sMaxStartups }, + { "banner", sBanner }, { NULL, 0 } }; @@ -697,6 +700,10 @@ parse_flag: intptr = &options->max_startups; goto parse_int; + case sBanner: + charptr = &options->banner; + goto parse_filename; + default: fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n", filename, linenum, arg, opcode); @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: servconf.h,v 1.32 2000/12/19 23:17:58 markus Exp $"); */ +/* RCSID("$OpenBSD: servconf.h,v 1.33 2001/01/08 22:29:05 markus Exp $"); */ #ifndef SERVCONF_H #define SERVCONF_H @@ -104,6 +104,7 @@ typedef struct { int max_startups_begin; int max_startups_rate; int max_startups; + char *banner; /* SSH-2 banner message */ } ServerOptions; /* diff --git a/ssh-keyscan.c b/ssh-keyscan.c index 68593fe7..5d5427aa 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c @@ -8,7 +8,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keyscan.c,v 1.6 2000/12/19 23:17:58 markus Exp $"); +RCSID("$OpenBSD: ssh-keyscan.c,v 1.7 2001/01/08 22:03:23 markus Exp $"); #if defined(HAVE_SYS_QUEUE_H) && !defined(HAVE_BOGUS_SYS_QUEUE_H) #include <sys/queue.h> @@ -310,7 +310,7 @@ tcpconnect(char *host) error("socket: %s", strerror(errno)); continue; } - if (fcntl(s, F_SETFL, O_NDELAY) < 0) + if (fcntl(s, F_SETFL, O_NONBLOCK) < 0) fatal("F_SETFL: %s", strerror(errno)); if (connect(s, ai->ai_addr, ai->ai_addrlen) < 0 && errno != EINPROGRESS) diff --git a/sshconnect1.c b/sshconnect1.c index d6230529..09d0210a 100644 --- a/sshconnect1.c +++ b/sshconnect1.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect1.c,v 1.13 2000/12/19 23:17:58 markus Exp $"); +RCSID("$OpenBSD: sshconnect1.c,v 1.14 2001/01/08 21:55:41 markus Exp $"); #include <openssl/bn.h> #include <openssl/dsa.h> @@ -62,7 +62,6 @@ try_agent_authentication() return 0; challenge = BN_new(); - key = key_new(KEY_RSA1); /* Loop through identities served by the agent. */ for (key = ssh_get_first_identity(auth, &comment, 1); @@ -125,6 +124,7 @@ try_agent_authentication() /* The server returns success if it accepted the authentication. */ if (type == SSH_SMSG_SUCCESS) { + ssh_close_authentication_connection(auth); BN_clear_free(challenge); debug("RSA authentication accepted by server."); return 1; @@ -134,6 +134,7 @@ try_agent_authentication() packet_disconnect("Protocol error waiting RSA auth response: %d", type); } + ssh_close_authentication_connection(auth); BN_clear_free(challenge); debug("RSA authentication using agent refused."); return 0; @@ -270,6 +271,8 @@ try_rsa_authentication(const char *authfile) /* Expect the server to reject it... */ packet_read_expect(&plen, SSH_SMSG_FAILURE); xfree(comment); + key_free(private); + BN_clear_free(challenge); return 0; } /* Destroy the passphrase. */ @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.79 2001/01/07 11:28:07 markus Exp $ +.\" $OpenBSD: sshd.8,v 1.80 2001/01/08 22:29:05 markus Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -333,6 +333,13 @@ wildcards in the patterns. Only user names are valid; a numerical user ID isn't recognized. By default login is allowed regardless of the user name. .Pp +.It Cm Banner +In some jurisdictions, sending a warning message before authentication +may be relevant for getting legal protection. +The contents of the specified file are sent to the remote user before +authentication is allowed. +This option is only available for protocol version 2. +.Pp .It Cm Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. diff --git a/sshd_config b/sshd_config index 357c4250..26372ab1 100644 --- a/sshd_config +++ b/sshd_config @@ -56,3 +56,4 @@ CheckMail no # Uncomment if you want to enable sftp #Subsystem sftp /usr/libexec/sftp-server #MaxStartups 10:30:60 +#Banner /etc/issue.net @@ -1,3 +1,3 @@ -/* $OpenBSD: version.h,v 1.13 2000/10/16 09:38:45 djm Exp $ */ +/* $OpenBSD: version.h,v 1.16 2001/01/08 22:29:05 markus Exp $ */ -#define SSH_VERSION "OpenSSH_2.3.0p2" +#define SSH_VERSION "OpenSSH_2.3.1p1" |