authorDamien Miller <djm@mindrot.org>2000-10-16 12:14:42 +1100
committerDamien Miller <djm@mindrot.org>2000-10-16 12:14:42 +1100
commit50a41ed079629fdcd9a1d2a781b73170422fc73a (patch)
treedbac99a364edff124412c16f079975a2e89a0389
parent5993935f76e66c957f02efaa8fc0c8ff8a3f92c9 (diff)
- (djm) Sync with OpenBSD:
- markus@cvs.openbsd.org 2000/10/14 04:01:15 [cipher.c] debug3 - markus@cvs.openbsd.org 2000/10/14 04:07:23 [scp.c] remove spaces from arguments; from djm@mindrot.org - markus@cvs.openbsd.org 2000/10/14 06:09:46 [ssh.1] Cipher is for SSH-1 only - markus@cvs.openbsd.org 2000/10/14 06:12:09 [servconf.c servconf.h serverloop.c session.c sshd.8] AllowTcpForwarding; from naddy@ - markus@cvs.openbsd.org 2000/10/14 06:16:56 [auth2.c compat.c compat.h sshconnect2.c version.h] OpenSSH_2.3; note that it is not complete, but the version number needs to be changed for interoperability reasons - markus@cvs.openbsd.org 2000/10/14 06:19:45 [auth-rsa.c] do not send RSA challenge if key is not allowed by key-options; from eivind@ThinkSec.com - markus@cvs.openbsd.org 2000/10/15 08:14:01 [rijndael.c session.c] typos; from stevesk@sweden.hp.com - markus@cvs.openbsd.org 2000/10/15 08:18:31 [rijndael.c] typo - Copy manpages back over from OpenBSD - too tedious to wade through diffs
-rw-r--r--ChangeLog29
-rw-r--r--auth-rsa.c13
-rw-r--r--auth2.c8
-rw-r--r--cipher.c6
-rw-r--r--compat.c21
-rw-r--r--compat.h4
-rw-r--r--scp.c8
-rw-r--r--servconf.c13
-rw-r--r--servconf.h3
-rw-r--r--serverloop.c4
-rw-r--r--session.c8
-rw-r--r--sftp-server.816
-rw-r--r--ssh.15
-rw-r--r--sshconnect2.c10
-rw-r--r--sshd.88
-rw-r--r--version.h2
16 files changed, 111 insertions, 47 deletions
diff --git a/ChangeLog b/ChangeLog
index 552bcfca..74eee27b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,32 @@
+20001016
+ - (djm) Sync with OpenBSD:
+ - markus@cvs.openbsd.org 2000/10/14 04:01:15
+ [cipher.c]
+ debug3
+ - markus@cvs.openbsd.org 2000/10/14 04:07:23
+ [scp.c]
+ remove spaces from arguments; from djm@mindrot.org
+ - markus@cvs.openbsd.org 2000/10/14 06:09:46
+ [ssh.1]
+ Cipher is for SSH-1 only
+ - markus@cvs.openbsd.org 2000/10/14 06:12:09
+ [servconf.c servconf.h serverloop.c session.c sshd.8]
+ AllowTcpForwarding; from naddy@
+ - markus@cvs.openbsd.org 2000/10/14 06:16:56
+ [auth2.c compat.c compat.h sshconnect2.c version.h]
+ OpenSSH_2.3; note that is is not complete, but the version number
+ needs to be changed for interoperability reasons
+ - markus@cvs.openbsd.org 2000/10/14 06:19:45
+ [auth-rsa.c]
+ do not send RSA challenge if key is not allowed by key-options; from
+ eivind@ThinkSec.com
+ - markus@cvs.openbsd.org 2000/10/15 08:14:01
+ [rijndael.c session.c]
+ typos; from stevesk@sweden.hp.com
+ - markus@cvs.openbsd.org 2000/10/15 08:18:31
+ [rijndael.c]
+ typo
+
20001015
- (djm) Fix ssh2 hang on background processes at logout.
diff --git a/auth-rsa.c b/auth-rsa.c
index 522f01f8..e8bfa165 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-rsa.c,v 1.31 2000/10/11 19:59:52 markus Exp $");
+RCSID("$OpenBSD: auth-rsa.c,v 1.32 2000/10/14 12:19:45 markus Exp $");
#include "rsa.h"
#include "packet.h"
@@ -231,6 +231,12 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
}
} else
options = NULL;
+ /*
+ * If our options do not allow this key to be used,
+ * do not send challenge.
+ */
+ if (!auth_parse_options(pw, options, linenum))
+ continue;
/* Parse the key from the line. */
if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) {
@@ -269,9 +275,8 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
* Break out of the loop if authentication was successful;
* otherwise continue searching.
*/
- authenticated = auth_parse_options(pw, options, linenum);
- if (authenticated)
- break;
+ authenticated = 1;
+ break;
}
/* Restore the privileged uid. */
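Review bot: auth_parse_options() is now called for every authorized_keys line before auth_rsa_read_key() has decided whether that line matches client_n, so anything it records beyond its return value for a non-matching line can survive into the line that finally authenticates; the hunk uses only the return value, but the no_port_forwarding_flag consulted in serverloop.c and session.c suggests it also sets file-scope state, which is the case to confirm. If it does, reset that state at the top of each loop iteration or re-run the parse once after the key has matched, so the options applied to the session are those of the matched key only. The second hunk is consistent with the move: `authenticated = 1; break;` is reached only once the challenge has succeeded, and `continue` in the first hunk skips the challenge entirely for a disallowed key. auth_rsa's loop begins and ends outside these hunks.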
diff --git a/auth2.c b/auth2.c
index f34b586d..60f8f98e 100644
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.19 2000/10/11 20:27:23 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $");
#ifdef HAVE_OSF_SIA
# include <sia.h>
@@ -442,10 +442,10 @@ userauth_pubkey(Authctxt *authctxt)
sig = packet_get_string(&slen);
packet_done();
buffer_init(&b);
- if (datafellows & SSH_COMPAT_SESSIONID_ENCODING) {
- buffer_put_string(&b, session_id2, session_id2_len);
- } else {
+ if (datafellows & SSH_OLD_SESSIONID) {
buffer_append(&b, session_id2, session_id2_len);
+ } else {
+ buffer_put_string(&b, session_id2, session_id2_len);
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
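Review bot: Inverting the test also flips the default: a peer whose version string matches no row in compat.c's table previously got the raw `buffer_append` form and now gets the length-prefixed `buffer_put_string` form, and the same flip is made in sshconnect2.c. That is presumably the intent of the SSH_OLD_SESSIONID rename, but neither branch says so; a comment at the `if` such as `/* default is the string-encoded session id; SSH_OLD_SESSIONID keeps the raw form for older peers */` would stop the two sites drifting apart, since both must agree for signatures to verify. userauth_pubkey continues outside the hunk.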
diff --git a/cipher.c b/cipher.c
index 226e4256..b9c1b28a 100644
--- a/cipher.c
+++ b/cipher.c
@@ -35,7 +35,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: cipher.c,v 1.35 2000/10/13 18:59:13 markus Exp $");
+RCSID("$OpenBSD: cipher.c,v 1.36 2000/10/14 10:01:15 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
@@ -488,10 +488,10 @@ ciphers_valid(const char *names)
xfree(ciphers);
return 0;
} else {
- debug("cipher ok: %s [%s]", p, names);
+ debug3("cipher ok: %s [%s]", p, names);
}
}
- debug("ciphers ok: [%s]", names);
+ debug3("ciphers ok: [%s]", names);
xfree(ciphers);
return 1;
}
diff --git a/compat.c b/compat.c
index 71d12010..0e12b77c 100644
--- a/compat.c
+++ b/compat.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: compat.c,v 1.24 2000/10/10 20:20:45 markus Exp $");
+RCSID("$OpenBSD: compat.c,v 1.25 2000/10/14 12:16:56 markus Exp $");
#include "ssh.h"
#include "packet.h"
@@ -62,13 +62,18 @@ compat_datafellows(const char *version)
char *pat;
int bugs;
} check[] = {
- {"^.*MindTerm", 0},
- {"^2\\.1\\.0 ", SSH_BUG_SIGBLOB|SSH_BUG_HMAC},
- {"^2\\.0\\.", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|SSH_BUG_PUBKEYAUTH|SSH_BUG_X11FWD},
- {"^2\\.[23]\\.0 ", SSH_BUG_HMAC|SSH_COMPAT_SESSIONID_ENCODING},
- {"^2\\.[2-9]\\.", SSH_COMPAT_SESSIONID_ENCODING},
- {"^2\\.", SSH_BUG_HMAC|SSH_COMPAT_SESSIONID_ENCODING},
- {NULL, 0}
+ { "^OpenSSH-2\\.[01]", SSH_OLD_SESSIONID },
+ { "^OpenSSH_2\\.2", SSH_OLD_SESSIONID },
+ { "MindTerm", 0 },
+ { "^2\\.1\\.0 ", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+ SSH_OLD_SESSIONID },
+ { "^2\\.0\\.", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+ SSH_OLD_SESSIONID|
+ SSH_BUG_PUBKEYAUTH|SSH_BUG_X11FWD },
+ { "^2\\.[23]\\.0 ", SSH_BUG_HMAC},
+ { "^2\\.[2-9]\\.", 0 },
+ { "^2\\.", SSH_BUG_HMAC}, /* XXX fallback */
+ { NULL, 0 }
};
/* process table, return first match */
for (i = 0; check[i].pat; i++) {
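Review bot: The correctness of the new rows depends on the table being scanned top to bottom with the first match winning — `^2\.[2-9]\.` with no bugs must sit above the `^2\.` fallback, and the two OpenSSH rows above the generic ones — but that ordering constraint is only visible from the loop below, not at the definition where rows get added. Add above `check[]` a comment such as `/* first match wins: keep specific patterns above the "^2\\." fallback */`, and expand the bare `/* XXX fallback */` to say which peers it is meant to catch. `"MindTerm"` losing its `^.*` prefix is behaviour-neutral for an unanchored search but now looks different from every other pattern, so a word there would prevent a later "fix". compat_datafellows's prologue is outside the hunk.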
diff --git a/compat.h b/compat.h
index 5be188b7..f14efafa 100644
--- a/compat.h
+++ b/compat.h
@@ -21,7 +21,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-/* RCSID("$OpenBSD: compat.h,v 1.10 2000/09/07 20:27:50 deraadt Exp $"); */
+/* RCSID("$OpenBSD: compat.h,v 1.11 2000/10/14 12:16:56 markus Exp $"); */
#ifndef COMPAT_H
#define COMPAT_H
@@ -35,7 +35,7 @@
#define SSH_BUG_PUBKEYAUTH 0x02
#define SSH_BUG_HMAC 0x04
#define SSH_BUG_X11FWD 0x08
-#define SSH_COMPAT_SESSIONID_ENCODING 0x10
+#define SSH_OLD_SESSIONID 0x10
void enable_compat13(void);
void enable_compat20(void);
diff --git a/scp.c b/scp.c
index 8d5a251b..75e50ce2 100644
--- a/scp.c
+++ b/scp.c
@@ -75,7 +75,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: scp.c,v 1.41 2000/10/11 20:03:27 markus Exp $");
+RCSID("$OpenBSD: scp.c,v 1.42 2000/10/14 10:07:21 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
@@ -266,13 +266,13 @@ main(argc, argv)
case 'o':
case 'c':
case 'i':
- addargs("-%c %s", ch, optarg);
+ addargs("-%c%s", ch, optarg);
break;
case 'P':
- addargs("-p %s", optarg);
+ addargs("-p%s", optarg);
break;
case 'B':
- addargs("-o Batchmode yes");
+ addargs("-oBatchmode yes");
break;
case 'p':
pflag = 1;
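Review bot: Dropping the space works only if each addargs() call becomes exactly one argv element handed to ssh, so that `-oBatchmode yes` arrives as a single string with its embedded blank and `-i` keeps a path containing spaces intact; that invariant is what the previous form violated (ssh would see a leading blank in the option value) and nothing at these call sites records it, so a later reader may well reinstate the space. If addargs() does emit one entry per call — its body is outside this hunk — add above `case 'o':` a comment like `/* no space after the flag: each addargs() call is one argv entry for ssh */`. main() begins and ends outside the hunk.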
diff --git a/servconf.c b/servconf.c
index e90defe6..76702a83 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.52 2000/10/11 20:14:39 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.53 2000/10/14 12:12:09 markus Exp $");
#include "ssh.h"
#include "servconf.h"
@@ -67,6 +67,7 @@ initialize_server_options(ServerOptions *options)
#endif
options->permit_empty_passwd = -1;
options->use_login = -1;
+ options->allow_tcp_forwarding = -1;
options->num_allow_users = 0;
options->num_deny_users = 0;
options->num_allow_groups = 0;
@@ -159,6 +160,8 @@ fill_default_server_options(ServerOptions *options)
options->permit_empty_passwd = 0;
if (options->use_login == -1)
options->use_login = 0;
+ if (options->allow_tcp_forwarding == -1)
+ options->allow_tcp_forwarding = 1;
if (options->protocol == SSH_PROTO_UNKNOWN)
options->protocol = SSH_PROTO_1|SSH_PROTO_2;
if (options->gateway_ports == -1)
@@ -189,7 +192,8 @@ typedef enum {
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
- sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
+ sUseLogin, sAllowTcpForwarding,
+ sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem, sMaxStartups
} ServerOpCodes;
@@ -240,6 +244,7 @@ static struct {
{ "uselogin", sUseLogin },
{ "randomseed", sRandomSeedFile },
{ "keepalive", sKeepAlives },
+ { "allowtcpforwarding", sAllowTcpForwarding },
{ "allowusers", sAllowUsers },
{ "denyusers", sDenyUsers },
{ "allowgroups", sAllowGroups },
@@ -573,6 +578,10 @@ parse_flag:
*intptr = (LogLevel) value;
break;
+ case sAllowTcpForwarding:
+ intptr = &options->allow_tcp_forwarding;
+ goto parse_flag;
+
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)
diff --git a/servconf.h b/servconf.h
index ef0790c7..0188b9b8 100644
--- a/servconf.h
+++ b/servconf.h
@@ -11,7 +11,7 @@
* called by a name other than "ssh" or "Secure Shell".
*/
-/* RCSID("$OpenBSD: servconf.h,v 1.29 2000/10/11 20:14:39 markus Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.30 2000/10/14 12:12:09 markus Exp $"); */
#ifndef SERVCONF_H
#define SERVCONF_H
@@ -86,6 +86,7 @@ typedef struct {
int permit_empty_passwd; /* If false, do not permit empty
* passwords. */
int use_login; /* If true, login(1) is used */
+ int allow_tcp_forwarding;
unsigned int num_allow_users;
char *allow_users[MAX_ALLOW_USERS];
unsigned int num_deny_users;
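Review bot: `int allow_tcp_forwarding;` is added without the trailing comment the flags above it carry, and its sense (non-zero permits, zero refuses, default 1 filled in by servconf.c) is not obvious from the name. Suggest `int allow_tcp_forwarding;	/* If false, refuse TCP forwarding */` in the style of the `use_login` line directly above. The struct definition continues outside the hunk.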
diff --git a/serverloop.c b/serverloop.c
index 0c07a282..d98d74c2 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -49,6 +49,8 @@
#include "dispatch.h"
#include "auth-options.h"
+extern ServerOptions options;
+
static Buffer stdin_buffer; /* Buffer for stdin data. */
static Buffer stdout_buffer; /* Buffer for stdout data. */
static Buffer stderr_buffer; /* Buffer for stderr data. */
@@ -749,7 +751,7 @@ input_direct_tcpip(void)
originator, originator_port, target, target_port);
/* XXX check permission */
- if (no_port_forwarding_flag) {
+ if (no_port_forwarding_flag || !options.allow_tcp_forwarding) {
xfree(target);
xfree(originator);
return -1;
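Review bot: The widened deny path in input_direct_tcpip() returns -1 without saying why, whereas the parallel check added to session.c emits `debug("Port forwarding not permitted.")`; with AllowTcpForwarding set to no an operator sees the request logged by the call whose tail is on the line above but no record that it was refused here. Add `debug("Port forwarding not permitted.");` as the first statement in the block, ideally distinguishing the per-key no_port_forwarding_flag from the server-wide option so the two causes can be told apart in logs. The `/* XXX check permission */` marker above the test still applies. input_direct_tcpip's body begins outside the hunk.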
diff --git a/session.c b/session.c
index 9a213923..4325ed3a 100644
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.38 2000/10/11 20:27:23 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.40 2000/10/15 14:14:01 markus Exp $");
#include "xmalloc.h"
#include "ssh.h"
@@ -236,7 +236,7 @@ do_authenticated(struct passwd * pw)
* by the client telling us, so we can equally well trust the client
* not to request anything bogus.)
*/
- if (!no_port_forwarding_flag)
+ if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
channel_permit_all_opens();
s = session_new();
@@ -388,6 +388,10 @@ do_authenticated(struct passwd * pw)
debug("Port forwarding not permitted for this authentication.");
break;
}
+ if (!options.allow_tcp_forwarding) {
+ debug("Port forwarding not permitted.");
+ break;
+ }
debug("Received TCP/IP port forwarding request.");
channel_input_port_forward_request(pw->pw_uid == 0, options.gateway_ports);
success = 1;
diff --git a/sftp-server.8 b/sftp-server.8
index 2a7ba258..fb4706c4 100644
--- a/sftp-server.8
+++ b/sftp-server.8
@@ -36,20 +36,20 @@ is a program that speaks the server side of SFTP protocol
to stdout and expects client requests from stdin.
.Nm
is not intended to be called directly, but from
-.Xr sshd 8
+.Xr sshd 8
using the
.Cm Subsystem
option.
See
-.Xr sshd 8
+.Xr sshd 8
for more information.
-.Sh HISTORY
-.Nm
-first appeared in OpenBSD 2.8.
-.Sh AUTHOR
-Markus Friedl <markus@openbsd.org>
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-keygen 1 ,
-.Xr sshd 8 ,
+.Xr sshd 8
+.Sh AUTHOR
+Markus Friedl <markus@openbsd.org>
+.Sh HISTORY
+.Nm
+first appeared in OpenBSD 2.8 .
diff --git a/ssh.1 b/ssh.1
index a73a07c6..dac24a43 100644
--- a/ssh.1
+++ b/ssh.1
@@ -627,7 +627,8 @@ If the option is set to
.Dq no ,
the check will not be executed.
.It Cm Cipher
-Specifies the cipher to use for encrypting the session.
+Specifies the cipher to use for encrypting the session
+in protocol version 1
Currently,
.Dq blowfish ,
and
@@ -640,7 +641,7 @@ Specifies the ciphers allowed for protocol version 2
in order of preference.
Multiple ciphers must be comma-separated.
The default is
-.Dq 3des-cbc,blowfish-cbc,arcfour,cast128-cbc .
+.Dq 3des-cbc,blowfish-cbc,cast128-cbc,arcfour .
.It Cm Compression
Specifies whether to use compression.
The argument must be
diff --git a/sshconnect2.c b/sshconnect2.c
index ca459f62..1f3b5a26 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.25 2000/10/12 09:59:19 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.26 2000/10/14 12:16:56 markus Exp $");
#include <openssl/bn.h>
#include <openssl/rsa.h>
@@ -657,12 +657,12 @@ sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback)
/* data to be signed */
buffer_init(&b);
- if (datafellows & SSH_COMPAT_SESSIONID_ENCODING) {
- buffer_put_string(&b, session_id2, session_id2_len);
- skip = buffer_len(&b);
- } else {
+ if (datafellows & SSH_OLD_SESSIONID) {
buffer_append(&b, session_id2, session_id2_len);
skip = session_id2_len;
+ } else {
+ buffer_put_string(&b, session_id2, session_id2_len);
+ skip = buffer_len(&b);
}
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
buffer_put_cstring(&b, authctxt->server_user);
diff --git a/sshd.8 b/sshd.8
index 29ad2144..a474d2fd 100644
--- a/sshd.8
+++ b/sshd.8
@@ -303,6 +303,14 @@ wildcards in the patterns.
Only group names are valid; a numerical group ID isn't recognized.
By default login is allowed regardless of the primary group.
.Pp
+.It Cm AllowTcpForwarding
+Specifies whether TCP forwarding is permitted.
+The default is
+.Dq yes .
+Note that disabling TCP forwarding does not improve security unless
+users are also denied shell access, as they can always install their
+own forwarders.
+.Pp
.It Cm AllowUsers
This keyword can be followed by a number of user names, separated
by spaces.
diff --git a/version.h b/version.h
index f015025f..3522a327 100644
--- a/version.h
+++ b/version.h
@@ -1 +1 @@
-#define SSH_VERSION "OpenSSH_2.2.0p2"
+#define SSH_VERSION "OpenSSH_2.3.0p1"