diff options
| -rw-r--r-- | ChangeLog | 11 | ||||
| -rw-r--r-- | auth-rh-rsa.c | 4 | ||||
| -rw-r--r-- | auth-rhosts.c | 13 | ||||
| -rw-r--r-- | auth-rsa.c | 9 | ||||
| -rw-r--r-- | channels.c | 3 | ||||
| -rw-r--r-- | clientloop.c | 6 | ||||
| -rw-r--r-- | mpaux.c | 3 | ||||
| -rw-r--r-- | servconf.c | 16 | ||||
| -rw-r--r-- | ssh-keygen.c | 4 | ||||
| -rw-r--r-- | ssh.c | 4 | ||||
| -rw-r--r-- | ssh.h | 122 | ||||
| -rw-r--r-- | sshconnect.c | 102 | ||||
| -rw-r--r-- | sshd.c | 7 |
13 files changed, 159 insertions, 145 deletions
@@ -9,6 +9,17 @@ - Released 1.2pre10 - Added INSTALL documentation + - Merged yet more changes from OpenBSD CVS + - [auth-rh-rsa.c auth-rhosts.c auth-rsa.c channels.c clientloop.c] + [ssh.c ssh.h sshconnect.c sshd.c] + make all access to options via 'extern Options options' + and 'extern ServerOptions options' respectively; + options are no longer passed as arguments: + * make options handling more consistent + * remove #include "readconf.h" from ssh.h + * readconf.h is only included if necessary + - [mpaux.c] clear temp buffer + - [servconf.c] print _all_ bad options found in configfile 19991111 - Added (untested) Entropy Gathering Daemon (EGD) support diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c index b6f1d6c7..fa855a1a 100644 --- a/auth-rh-rsa.c +++ b/auth-rh-rsa.c @@ -15,7 +15,7 @@ authentication. */ #include "includes.h" -RCSID("$Id: auth-rh-rsa.c,v 1.3 1999/11/12 00:33:04 damien Exp $"); +RCSID("$Id: auth-rh-rsa.c,v 1.4 1999/11/12 04:19:27 damien Exp $"); #include "packet.h" #include "ssh.h" @@ -38,7 +38,7 @@ int auth_rhosts_rsa(struct passwd *pw, const char *client_user, debug("Trying rhosts with RSA host authentication for %.100s", client_user); /* Check if we would accept it using rhosts authentication. */ - if (!auth_rhosts(pw, client_user, options.ignore_rhosts, options.strict_modes)) + if (!auth_rhosts(pw, client_user)) return 0; canonical_hostname = get_canonical_hostname(); diff --git a/auth-rhosts.c b/auth-rhosts.c index ebf2fcbc..7e5614cb 100644 --- a/auth-rhosts.c +++ b/auth-rhosts.c @@ -16,12 +16,13 @@ the login based on rhosts authentication. This file also processes */ #include "includes.h" -RCSID("$Id: auth-rhosts.c,v 1.1 1999/10/27 03:42:43 damien Exp $"); +RCSID("$Id: auth-rhosts.c,v 1.2 1999/11/12 04:19:27 damien Exp $"); #include "packet.h" #include "ssh.h" #include "xmalloc.h" #include "uidswap.h" +#include "servconf.h" /* This function processes an rhosts-style file (.rhosts, .shosts, or /etc/hosts.equiv). This returns true if authentication can be granted @@ -155,9 +156,9 @@ int check_rhosts_file(const char *filename, const char *hostname, true, only /etc/hosts.equiv will be considered (.rhosts and .shosts are ignored). */ -int auth_rhosts(struct passwd *pw, const char *client_user, - int ignore_rhosts, int strict_modes) +int auth_rhosts(struct passwd *pw, const char *client_user) { + extern ServerOptions options; char buf[1024]; const char *hostname, *ipaddr; int port; @@ -234,7 +235,7 @@ int auth_rhosts(struct passwd *pw, const char *client_user, pw->pw_name, pw->pw_dir); return 0; } - if (strict_modes && + if (options.strict_modes && ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || (st.st_mode & 022) != 0)) { @@ -261,7 +262,7 @@ int auth_rhosts(struct passwd *pw, const char *client_user, and make sure it is not writable by anyone but the owner. This is to help avoid novices accidentally allowing access to their account by anyone. */ - if (strict_modes && + if (options.strict_modes && ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || (st.st_mode & 022) != 0)) { @@ -273,7 +274,7 @@ int auth_rhosts(struct passwd *pw, const char *client_user, /* Check if we have been configured to ignore .rhosts and .shosts files. */ - if (ignore_rhosts) + if (options.ignore_rhosts) { packet_send_debug("Server has been configured to ignore %.100s.", rhosts_files[rhosts_file_index]); @@ -17,7 +17,7 @@ validity of the host key. #include "config.h" #include "includes.h" -RCSID("$Id: auth-rsa.c,v 1.4 1999/11/08 05:15:55 damien Exp $"); +RCSID("$Id: auth-rsa.c,v 1.5 1999/11/12 04:19:27 damien Exp $"); #include "rsa.h" #include "packet.h" @@ -25,6 +25,7 @@ RCSID("$Id: auth-rsa.c,v 1.4 1999/11/08 05:15:55 damien Exp $"); #include "ssh.h" #include "mpaux.h" #include "uidswap.h" +#include "servconf.h" #ifdef HAVE_OPENSSL #include <openssl/rsa.h> @@ -100,7 +101,6 @@ auth_rsa_challenge_dialog(unsigned int bits, BIGNUM *e, BIGNUM *n) len = BN_num_bytes(challenge); if (len <= 0 || len > 32) fatal("auth_rsa_challenge_dialog: bad challenge length %d", len); - memset(buf, 0, 32); BN_bn2bin(challenge, buf + 32 - len); MD5_Init(&md); @@ -136,8 +136,9 @@ auth_rsa_challenge_dialog(unsigned int bits, BIGNUM *e, BIGNUM *n) successful. This may exit if there is a serious protocol violation. */ int -auth_rsa(struct passwd *pw, BIGNUM *client_n, int strict_modes) +auth_rsa(struct passwd *pw, BIGNUM *client_n) { + extern ServerOptions options; char line[8192]; int authenticated; unsigned int bits; @@ -172,7 +173,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n, int strict_modes) return 0; } - if (strict_modes) { + if (options.strict_modes) { int fail=0; char buf[1024]; /* Check open file in order to avoid open/stat races */ @@ -16,7 +16,7 @@ arbitrary tcp/ip connections, and the authentication agent connection. */ #include "includes.h" -RCSID("$Id: channels.c,v 1.4 1999/11/08 05:15:55 damien Exp $"); +RCSID("$Id: channels.c,v 1.5 1999/11/12 04:19:27 damien Exp $"); #include "ssh.h" #include "packet.h" @@ -24,6 +24,7 @@ RCSID("$Id: channels.c,v 1.4 1999/11/08 05:15:55 damien Exp $"); #include "buffer.h" #include "authfd.h" #include "uidswap.h" +#include "readconf.h" #include "servconf.h" #include "channels.h" diff --git a/clientloop.c b/clientloop.c index a236ce9b..410dc54d 100644 --- a/clientloop.c +++ b/clientloop.c @@ -15,7 +15,7 @@ The main loop for the interactive session (client side). */ #include "includes.h" -RCSID("$Id: clientloop.c,v 1.2 1999/11/11 06:57:39 damien Exp $"); +RCSID("$Id: clientloop.c,v 1.3 1999/11/12 04:19:27 damien Exp $"); #include "xmalloc.h" #include "ssh.h" @@ -24,9 +24,6 @@ RCSID("$Id: clientloop.c,v 1.2 1999/11/11 06:57:39 damien Exp $"); #include "authfd.h" #include "readconf.h" -/* Flag indicating whether quiet mode is on. */ -extern Options options; - /* Flag indicating that stdin should be redirected from /dev/null. */ extern int stdin_null_flag; @@ -764,6 +761,7 @@ void client_process_output(fd_set *writeset) int client_loop(int have_pty, int escape_char_arg) { + extern Options options; double start_time, total_time; int len; char buf[100]; @@ -16,7 +16,7 @@ precision integers. #include "config.h" #include "includes.h" -RCSID("$Id: mpaux.c,v 1.3 1999/10/28 05:23:30 damien Exp $"); +RCSID("$Id: mpaux.c,v 1.4 1999/11/12 04:19:27 damien Exp $"); #ifdef HAVE_OPENSSL #include <openssl/bn.h> @@ -50,5 +50,6 @@ compute_session_id(unsigned char session_id[16], MD5_Init(&md); MD5_Update(&md, buf, bytes); MD5_Final(session_id, &md); + memset(buf, 0, bytes); xfree(buf); } @@ -12,7 +12,7 @@ Created: Mon Aug 21 15:48:58 1995 ylo */ #include "includes.h" -RCSID("$Id: servconf.c,v 1.3 1999/11/12 00:33:04 damien Exp $"); +RCSID("$Id: servconf.c,v 1.4 1999/11/12 04:19:27 damien Exp $"); #include "ssh.h" #include "servconf.h" @@ -144,6 +144,7 @@ void fill_default_server_options(ServerOptions *options) /* Keyword tokens. */ typedef enum { + sBadOption, /* == unknown option */ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, @@ -260,9 +261,9 @@ static ServerOpCodes parse_token(const char *cp, const char *filename, if (strcmp(cp, keywords[i].name) == 0) return keywords[i].opcode; - fprintf(stderr, "%s line %d: Bad configuration option: %s\n", + fprintf(stderr, "%s: line %d: Bad configuration option: %s\n", filename, linenum, cp); - exit(1); + return sBadOption; } /* Reads the server configuration file. */ @@ -273,6 +274,7 @@ void read_server_config(ServerOptions *options, const char *filename) char line[1024]; char *cp, **charptr; int linenum, *intptr, i, value; + int bad_options = 0; ServerOpCodes opcode; f = fopen(filename, "r"); @@ -300,6 +302,9 @@ void read_server_config(ServerOptions *options, const char *filename) opcode = parse_token(cp, filename, linenum); switch (opcode) { + case sBadOption: + bad_options++; + continue; case sPort: intptr = &options->port; parse_int: @@ -596,4 +601,9 @@ void read_server_config(ServerOptions *options, const char *filename) } } fclose(f); + if (bad_options > 0) { + fprintf(stderr, "%s: terminating, %d bad configuration options\n", + filename, bad_options); + exit(1); + } } diff --git a/ssh-keygen.c b/ssh-keygen.c index e2cb48fd..4d950aee 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -14,7 +14,7 @@ Identity and host key generation and maintenance. */ #include "includes.h" -RCSID("$Id: ssh-keygen.c,v 1.2 1999/11/08 04:30:59 damien Exp $"); +RCSID("$Id: ssh-keygen.c,v 1.3 1999/11/12 04:19:27 damien Exp $"); #include "rsa.h" #include "ssh.h" @@ -117,7 +117,7 @@ do_change_passphrase(struct passwd *pw) xfree(old_passphrase); } printf("Key has comment '%s'\n", comment); - + /* Ask the new passphrase (twice). */ if (identity_new_passphrase) { @@ -18,7 +18,7 @@ Modified to work with SSL by Niels Provos <provos@citi.umich.edu> in Canada. */ #include "includes.h" -RCSID("$Id: ssh.c,v 1.5 1999/11/11 06:57:40 damien Exp $"); +RCSID("$Id: ssh.c,v 1.6 1999/11/12 04:19:27 damien Exp $"); #include "xmalloc.h" #include "ssh.h" @@ -590,7 +590,7 @@ main(int ac, char **av) /* Log into the remote system. This never returns if the login fails. */ ssh_login(host_private_key_loaded, host_private_key, - host, &hostaddr, &options, original_real_uid); + host, &hostaddr, original_real_uid); /* We no longer need the host private key. Clear it now. */ if (host_private_key_loaded) @@ -13,7 +13,7 @@ Generic header file for ssh. */ -/* RCSID("$Id: ssh.h,v 1.11 1999/11/12 00:33:04 damien Exp $"); */ +/* RCSID("$Id: ssh.h,v 1.12 1999/11/12 04:19:27 damien Exp $"); */ #ifndef SSH_H #define SSH_H @@ -221,60 +221,6 @@ only by root, whereas ssh_config should be world-readable. */ #define SSH_CMSG_HAVE_KERBEROS_TGT 44 /* credentials (s) */ #define SSH_CMSG_HAVE_AFS_TOKEN 65 /* token (s) */ - -/*------------ Definitions for logging. -----------------------*/ - -/* Supported syslog facilities and levels. */ -typedef enum -{ - SYSLOG_FACILITY_DAEMON, - SYSLOG_FACILITY_USER, - SYSLOG_FACILITY_AUTH, - SYSLOG_FACILITY_LOCAL0, - SYSLOG_FACILITY_LOCAL1, - SYSLOG_FACILITY_LOCAL2, - SYSLOG_FACILITY_LOCAL3, - SYSLOG_FACILITY_LOCAL4, - SYSLOG_FACILITY_LOCAL5, - SYSLOG_FACILITY_LOCAL6, - SYSLOG_FACILITY_LOCAL7 -} SyslogFacility; - -typedef enum -{ - SYSLOG_LEVEL_QUIET, - SYSLOG_LEVEL_FATAL, - SYSLOG_LEVEL_ERROR, - SYSLOG_LEVEL_INFO, - SYSLOG_LEVEL_CHAT, - SYSLOG_LEVEL_DEBUG -} LogLevel; - -/* Initializes logging. */ -void log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr); - -/* Logging implementation, depending on server or client */ -void do_log(LogLevel level, const char *fmt, va_list args); - -/* Output a message to syslog or stderr */ -void fatal(const char *fmt, ...); -void error(const char *fmt, ...); -void log(const char *fmt, ...); -void chat(const char *fmt, ...); -void debug(const char *fmt, ...); - -/* same as fatal() but w/o logging */ -void fatal_cleanup(void); - -/* Registers a cleanup function to be called by fatal()/fatal_cleanup() before exiting. - It is permissible to call fatal_remove_cleanup for the function itself - from the function. */ -void fatal_add_cleanup(void (*proc)(void *context), void *context); - -/* Removes a cleanup function to be called at fatal(). */ -void fatal_remove_cleanup(void (*proc)(void *context), void *context); - - /*------------ definitions for login.c -------------*/ /* Returns the time when the user last logged in. Returns 0 if the @@ -314,21 +260,15 @@ int ssh_connect(const char *host, struct sockaddr_in *hostaddr, This initializes the random state, and leaves it initialized (it will also have references from the packet module). */ -/* for Options */ -#include "readconf.h" - void ssh_login(int host_key_valid, RSA *host_key, const char *host, - struct sockaddr_in *hostaddr, Options *options, - uid_t original_real_uid); + struct sockaddr_in *hostaddr, uid_t original_real_uid); /*------------ Definitions for various authentication methods. -------*/ /* Tries to authenticate the user using the .rhosts file. Returns true if authentication succeeds. If ignore_rhosts is non-zero, this will not - consider .rhosts and .shosts (/etc/hosts.equiv will still be used). - If strict_modes is true, checks ownership and modes of .rhosts/.shosts. */ -int auth_rhosts(struct passwd *pw, const char *client_user, - int ignore_rhosts, int strict_modes); + consider .rhosts and .shosts (/etc/hosts.equiv will still be used). */ +int auth_rhosts(struct passwd *pw, const char *client_user); /* Tries to authenticate the user using the .rhosts file and the host using its host key. Returns true if authentication succeeds. */ @@ -343,7 +283,7 @@ int auth_password(struct passwd *pw, const char *password); /* Performs the RSA authentication dialog with the client. This returns 0 if the client could not be authenticated, and 1 if authentication was successful. This may exit if there is a serious protocol violation. */ -int auth_rsa(struct passwd *pw, BIGNUM *client_n, int strict_modes); +int auth_rsa(struct passwd *pw, BIGNUM *client_n); /* Parses an RSA key (number of bits, e, n) from a string. Moves the pointer over the key. Skips any whitespace at the beginning and at end. */ @@ -421,6 +361,58 @@ int load_public_key(const char *filename, RSA *pub, int load_private_key(const char *filename, const char *passphrase, RSA *private_key, char **comment_return); +/*------------ Definitions for logging. -----------------------*/ + +/* Supported syslog facilities and levels. */ +typedef enum +{ + SYSLOG_FACILITY_DAEMON, + SYSLOG_FACILITY_USER, + SYSLOG_FACILITY_AUTH, + SYSLOG_FACILITY_LOCAL0, + SYSLOG_FACILITY_LOCAL1, + SYSLOG_FACILITY_LOCAL2, + SYSLOG_FACILITY_LOCAL3, + SYSLOG_FACILITY_LOCAL4, + SYSLOG_FACILITY_LOCAL5, + SYSLOG_FACILITY_LOCAL6, + SYSLOG_FACILITY_LOCAL7 +} SyslogFacility; + +typedef enum +{ + SYSLOG_LEVEL_QUIET, + SYSLOG_LEVEL_FATAL, + SYSLOG_LEVEL_ERROR, + SYSLOG_LEVEL_INFO, + SYSLOG_LEVEL_CHAT, + SYSLOG_LEVEL_DEBUG +} LogLevel; + +/* Initializes logging. */ +void log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr); + +/* Logging implementation, depending on server or client */ +void do_log(LogLevel level, const char *fmt, va_list args); + +/* Output a message to syslog or stderr */ +void fatal(const char *fmt, ...); +void error(const char *fmt, ...); +void log(const char *fmt, ...); +void chat(const char *fmt, ...); +void debug(const char *fmt, ...); + +/* same as fatal() but w/o logging */ +void fatal_cleanup(void); + +/* Registers a cleanup function to be called by fatal()/fatal_cleanup() before exiting. + It is permissible to call fatal_remove_cleanup for the function itself + from the function. */ +void fatal_add_cleanup(void (*proc)(void *context), void *context); + +/* Removes a cleanup function to be called at fatal(). */ +void fatal_remove_cleanup(void (*proc)(void *context), void *context); + /*---------------- definitions for channels ------------------*/ /* Sets specific protocol options. */ diff --git a/sshconnect.c b/sshconnect.c index a16e25a8..80e4aff4 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -16,7 +16,7 @@ login (authentication) dialog. #include "config.h" #include "includes.h" -RCSID("$Id: sshconnect.c,v 1.5 1999/11/08 23:35:52 damien Exp $"); +RCSID("$Id: sshconnect.c,v 1.6 1999/11/12 04:19:27 damien Exp $"); #ifdef HAVE_OPENSSL #include <openssl/bn.h> @@ -36,7 +36,7 @@ RCSID("$Id: sshconnect.c,v 1.5 1999/11/08 23:35:52 damien Exp $"); #include "mpaux.h" #include "uidswap.h" #include "compat.h" - +#include "readconf.h" /* Session id for the current session. */ unsigned char session_id[16]; @@ -486,9 +486,9 @@ respond_to_rsa_challenge(BIGNUM *challenge, RSA *prv) the user using it. */ int -try_rsa_authentication(struct passwd *pw, const char *authfile, - int may_ask_passphrase) +try_rsa_authentication(struct passwd *pw, const char *authfile) { + extern Options options; BIGNUM *challenge; RSA *private_key; RSA *public_key; @@ -550,7 +550,7 @@ try_rsa_authentication(struct passwd *pw, const char *authfile, return. */ snprintf(buf, sizeof buf, "Enter passphrase for RSA key '%.100s': ", comment); - if (may_ask_passphrase) + if (!options.batch_mode) passphrase = read_passphrase(buf, 0); else { @@ -1014,8 +1014,9 @@ void ssh_login(int host_key_valid, RSA *own_host_key, const char *orighost, struct sockaddr_in *hostaddr, - Options *options, uid_t original_real_uid) + uid_t original_real_uid) { + extern Options options; int i, type; char *password; struct passwd *pw; @@ -1035,7 +1036,7 @@ void ssh_login(int host_key_valid, int payload_len, clen, sum_len = 0; u_int32_t rand = 0; - if (options->check_host_ip) + if (options.check_host_ip) ip = xstrdup(inet_ntoa(hostaddr->sin_addr)); /* Convert the user-supplied hostname into all lowercase. */ @@ -1056,7 +1057,7 @@ void ssh_login(int host_key_valid, if (!pw) fatal("User id %d not found from user database.", original_real_uid); local_user = xstrdup(pw->pw_name); - server_user = options->user ? options->user : local_user; + server_user = options.user ? options.user : local_user; debug("Waiting for server public key."); @@ -1132,12 +1133,12 @@ void ssh_login(int host_key_valid, /* Check if the host key is present in the user\'s list of known hosts or in the systemwide list. */ - host_status = check_host_in_hostfile(options->user_hostfile, + host_status = check_host_in_hostfile(options.user_hostfile, host, BN_num_bits(host_key->n), host_key->e, host_key->n, file_key->e, file_key->n); if (host_status == HOST_NEW) - host_status = check_host_in_hostfile(options->system_hostfile, host, + host_status = check_host_in_hostfile(options.system_hostfile, host, BN_num_bits(host_key->n), host_key->e, host_key->n, file_key->e, file_key->n); @@ -1154,17 +1155,17 @@ void ssh_login(int host_key_valid, /* Also perform check for the ip address, skip the check if we are localhost or the hostname was an ip address to begin with */ - if (options->check_host_ip && !local && strcmp(host, ip)) { + if (options.check_host_ip && !local && strcmp(host, ip)) { RSA *ip_key = RSA_new(); ip_key->n = BN_new(); ip_key->e = BN_new(); - ip_status = check_host_in_hostfile(options->user_hostfile, ip, + ip_status = check_host_in_hostfile(options.user_hostfile, ip, BN_num_bits(host_key->n), host_key->e, host_key->n, ip_key->e, ip_key->n); if (ip_status == HOST_NEW) - ip_status = check_host_in_hostfile(options->system_hostfile, ip, + ip_status = check_host_in_hostfile(options.system_hostfile, ip, BN_num_bits(host_key->n), host_key->e, host_key->n, ip_key->e, ip_key->n); @@ -1183,13 +1184,13 @@ void ssh_login(int host_key_valid, case HOST_OK: /* The host is known and the key matches. */ debug("Host '%.200s' is known and matches the host key.", host); - if (options->check_host_ip) { + if (options.check_host_ip) { if (ip_status == HOST_NEW) { - if (!add_host_to_hostfile(options->user_hostfile, ip, + if (!add_host_to_hostfile(options.user_hostfile, ip, BN_num_bits(host_key->n), host_key->e, host_key->n)) log("Failed to add the host ip to the list of known hosts (%.30s).", - options->user_hostfile); + options.user_hostfile); else log("Warning: Permanently added host ip '%.30s' to the list of known hosts.", ip); } else if (ip_status != HOST_OK) @@ -1201,12 +1202,12 @@ void ssh_login(int host_key_valid, { char hostline[1000], *hostp = hostline; /* The host is new. */ - if (options->strict_host_key_checking == 1) { + if (options.strict_host_key_checking == 1) { /* User has requested strict host key checking. We will not add the host key automatically. The only alternative left is to abort. */ fatal("No host key is known for %.200s and you have requested strict checking.", host); - } else if (options->strict_host_key_checking == 2) { /* The default */ + } else if (options.strict_host_key_checking == 2) { /* The default */ char prompt[1024]; snprintf(prompt, sizeof(prompt), "The authenticity of host '%.200s' can't be established.\n" @@ -1216,25 +1217,25 @@ void ssh_login(int host_key_valid, fatal("Aborted by user!\n"); } - if (options->check_host_ip && ip_status == HOST_NEW && strcmp(host, ip)) + if (options.check_host_ip && ip_status == HOST_NEW && strcmp(host, ip)) snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); else hostp = host; /* If not in strict mode, add the key automatically to the local known_hosts file. */ - if (!add_host_to_hostfile(options->user_hostfile, hostp, + if (!add_host_to_hostfile(options.user_hostfile, hostp, BN_num_bits(host_key->n), host_key->e, host_key->n)) log("Failed to add the host to the list of known hosts (%.500s).", - options->user_hostfile); + options.user_hostfile); else log("Warning: Permanently added '%.200s' to the list of known hosts.", hostp); break; } case HOST_CHANGED: - if (options->check_host_ip) { + if (options.check_host_ip) { if (host_ip_differ) { error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); error("@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @"); @@ -1256,23 +1257,23 @@ void ssh_login(int host_key_valid, error("It is also possible that the host key has just been changed."); error("Please contact your system administrator."); error("Add correct host key in %.100s to get rid of this message.", - options->user_hostfile); + options.user_hostfile); /* If strict host key checking is in use, the user will have to edit the key manually and we can only abort. */ - if (options->strict_host_key_checking) + if (options.strict_host_key_checking) fatal("Host key for %.200s has changed and you have requested strict checking.", host); /* If strict host key checking has not been requested, allow the connection but without password authentication or agent forwarding. */ - if (options->password_authentication) { + if (options.password_authentication) { error("Password authentication is disabled to avoid trojan horses."); - options->password_authentication = 0; + options.password_authentication = 0; } - if (options->forward_agent) { + if (options.forward_agent) { error("Agent forwarding is disabled to avoid trojan horses."); - options->forward_agent = 0; + options.forward_agent = 0; } /* XXX Should permit the user to change to use the new id. This could be done by converting the host key to an identifying sentence, tell @@ -1281,7 +1282,7 @@ void ssh_login(int host_key_valid, break; } - if (options->check_host_ip) + if (options.check_host_ip) xfree(ip); /* Generate a session key. */ @@ -1344,27 +1345,27 @@ void ssh_login(int host_key_valid, rsa_public_encrypt(key, key, public_key); } - if (options->cipher == SSH_CIPHER_NOT_SET) { + if (options.cipher == SSH_CIPHER_NOT_SET) { if (cipher_mask() & supported_ciphers & (1 << ssh_cipher_default)) - options->cipher = ssh_cipher_default; + options.cipher = ssh_cipher_default; else { debug("Cipher %d not supported, using %.100s instead.", cipher_name(ssh_cipher_default), cipher_name(SSH_FALLBACK_CIPHER)); - options->cipher = SSH_FALLBACK_CIPHER; + options.cipher = SSH_FALLBACK_CIPHER; } } /* Check that the selected cipher is supported. */ - if (!(supported_ciphers & (1 << options->cipher))) + if (!(supported_ciphers & (1 << options.cipher))) fatal("Selected cipher type %.100s not supported by server.", - cipher_name(options->cipher)); + cipher_name(options.cipher)); - debug("Encryption type: %.100s", cipher_name(options->cipher)); + debug("Encryption type: %.100s", cipher_name(options.cipher)); /* Send the encrypted session key to the server. */ packet_start(SSH_CMSG_SESSION_KEY); - packet_put_char(options->cipher); + packet_put_char(options.cipher); /* Send the check bytes back to the server. */ for (i = 0; i < 8; i++) @@ -1390,7 +1391,7 @@ void ssh_login(int host_key_valid, /* Set the encryption key. */ packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, - options->cipher, 1); + options.cipher, 1); /* We will no longer need the session key here. Destroy any extra copies. */ memset(session_key, 0, sizeof(session_key)); @@ -1420,17 +1421,17 @@ void ssh_login(int host_key_valid, #ifdef AFS /* Try Kerberos tgt passing if the server supports it. */ if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) && - options->kerberos_tgt_passing) + options.kerberos_tgt_passing) { - if (options->cipher == SSH_CIPHER_NONE) + if (options.cipher == SSH_CIPHER_NONE) log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); (void)send_kerberos_tgt(); } /* Try AFS token passing if the server supports it. */ if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) && - options->afs_token_passing && k_hasafs()) { - if (options->cipher == SSH_CIPHER_NONE) + options.afs_token_passing && k_hasafs()) { + if (options.cipher == SSH_CIPHER_NONE) log("WARNING: Encryption is disabled! Token will be transmitted in the clear!"); send_afs_tokens(); } @@ -1438,7 +1439,7 @@ void ssh_login(int host_key_valid, #ifdef KRB4 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && - options->kerberos_authentication) + options.kerberos_authentication) { debug("Trying Kerberos authentication."); if (try_kerberos_authentication()) { @@ -1455,7 +1456,7 @@ void ssh_login(int host_key_valid, /* Use rhosts authentication if running in privileged socket and we do not wish to remain anonymous. */ if ((supported_authentications & (1 << SSH_AUTH_RHOSTS)) && - options->rhosts_authentication) + options.rhosts_authentication) { debug("Trying rhosts authentication."); packet_start(SSH_CMSG_AUTH_RHOSTS); @@ -1475,7 +1476,7 @@ void ssh_login(int host_key_valid, /* Try .rhosts or /etc/hosts.equiv authentication with RSA host authentication. */ if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) && - options->rhosts_rsa_authentication && host_key_valid) + options.rhosts_rsa_authentication && host_key_valid) { if (try_rhosts_rsa_authentication(local_user, own_host_key)) return; /* Successful authentication. */ @@ -1483,7 +1484,7 @@ void ssh_login(int host_key_valid, /* Try RSA authentication if the server supports it. */ if ((supported_authentications & (1 << SSH_AUTH_RSA)) && - options->rsa_authentication) + options.rsa_authentication) { /* Try RSA authentication using the authentication agent. The agent is tried first because no passphrase is needed for it, whereas @@ -1492,23 +1493,22 @@ void ssh_login(int host_key_valid, return; /* Successful connection. */ /* Try RSA authentication for each identity. */ - for (i = 0; i < options->num_identity_files; i++) - if (try_rsa_authentication(pw, options->identity_files[i], - !options->batch_mode)) + for (i = 0; i < options.num_identity_files; i++) + if (try_rsa_authentication(pw, options.identity_files[i])) return; /* Successful connection. */ } /* Try password authentication if the server supports it. */ if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) && - options->password_authentication && !options->batch_mode) + options.password_authentication && !options.batch_mode) { char prompt[80]; snprintf(prompt, sizeof(prompt), "%.30s@%.30s's password: ", server_user, host); debug("Doing password authentication."); - if (options->cipher == SSH_CIPHER_NONE) + if (options.cipher == SSH_CIPHER_NONE) log("WARNING: Encryption is disabled! Password will be transmitted in clear text."); - for (i = 0; i < options->number_of_password_prompts; i++) { + for (i = 0; i < options.number_of_password_prompts; i++) { if (i != 0) error("Permission denied, please try again."); password = read_passphrase(prompt, 0); @@ -18,7 +18,7 @@ agent connections. */ #include "includes.h" -RCSID("$Id: sshd.c,v 1.16 1999/11/12 00:33:04 damien Exp $"); +RCSID("$Id: sshd.c,v 1.17 1999/11/12 04:19:27 damien Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -1343,8 +1343,7 @@ do_authentication(char *user, int privileged_port) } /* Try to authenticate using /etc/hosts.equiv and .rhosts. */ - if (auth_rhosts(pw, client_user, options.ignore_rhosts, - options.strict_modes)) + if (auth_rhosts(pw, client_user)) { /* Authentication accepted. */ log("Rhosts authentication accepted for %.100s, remote %.100s on %.700s.", @@ -1431,7 +1430,7 @@ do_authentication(char *user, int privileged_port) packet_integrity_check(plen, nlen, type); - if (auth_rsa(pw, n, options.strict_modes)) + if (auth_rsa(pw, n)) { /* Successful authentication. */ BN_clear_free(n); |