-rw-r--r-- | auth-passwd.c | 38 | ||||
-rw-r--r-- | auth-rh-rsa.c | 20 | ||||
-rw-r--r-- | auth-rhosts.c | 57 | ||||
-rw-r--r-- | auth-rsa.c | 95 | ||||
-rw-r--r-- | auth-skey.c | 8 | ||||
-rw-r--r-- | authfd.c | 127 | ||||
-rw-r--r-- | authfd.h | 82 | ||||
-rw-r--r-- | authfile.c | 63 | ||||
-rw-r--r-- | bufaux.c | 4 | ||||
-rw-r--r-- | bufaux.h | 22 | ||||
-rw-r--r-- | buffer.c | 22 | ||||
-rw-r--r-- | buffer.h | 16 | ||||
-rw-r--r-- | canohost.c | 79 | ||||
-rw-r--r-- | channels.c | 380 | ||||
-rw-r--r-- | channels.h | 27 | ||||
-rw-r--r-- | cipher.c | 43 | ||||
-rw-r--r-- | cipher.h | 36 | ||||
-rw-r--r-- | clientloop.c | 317 | ||||
-rw-r--r-- | compat.c | 31 | ||||
-rw-r--r-- | compat.h | 30 | ||||
-rw-r--r-- | compress.c | 46 | ||||
-rw-r--r-- | compress.h | 38 | ||||
-rw-r--r-- | crc32.h | 8 | ||||
-rw-r--r-- | fingerprint.c | 31 | ||||
-rw-r--r-- | fingerprint.h | 30 | ||||
-rw-r--r-- | hostfile.c | 119 | ||||
-rw-r--r-- | includes.h | 6 | ||||
-rw-r--r-- | log.c | 6 | ||||
-rw-r--r-- | login.c | 29 | ||||
-rw-r--r-- | match.c | 35 | ||||
-rw-r--r-- | mpaux.h | 10 | ||||
-rw-r--r-- | nchan.c | 34 | ||||
-rw-r--r-- | nchan.h | 31 | ||||
-rw-r--r-- | nchan.ms | 28 | ||||
-rw-r--r-- | packet.c | 181 | ||||
-rw-r--r-- | packet.h | 118 | ||||
-rw-r--r-- | pty.c | 44 | ||||
-rw-r--r-- | pty.h | 24 | ||||
-rw-r--r-- | radix.c | 8 | ||||
-rw-r--r-- | readconf.c | 92 | ||||
-rw-r--r-- | readconf.h | 47 | ||||
-rw-r--r-- | readpass.c | 24 | ||||
-rw-r--r-- | rsa.c | 10 | ||||
-rw-r--r-- | rsa.h | 8 | ||||
-rw-r--r-- | scp.c | 20 | ||||
-rw-r--r-- | servconf.c | 17 | ||||
-rw-r--r-- | servconf.h | 14 | ||||
-rw-r--r-- | serverloop.c | 114 | ||||
-rw-r--r-- | ssh-add.1 | 9 | ||||
-rw-r--r-- | ssh-add.c | 167 | ||||
-rw-r--r-- | ssh-agent.c | 37 | ||||
-rw-r--r-- | ssh-keygen.c | 55 | ||||
-rw-r--r-- | ssh.1 | 4 | ||||
-rw-r--r-- | ssh.c | 181 | ||||
-rw-r--r-- | ssh.h | 518 | ||||
-rw-r--r-- | sshconnect.c | 187 | ||||
-rw-r--r-- | sshd.c | 499 | ||||
-rw-r--r-- | tildexpand.c | 8 | ||||
-rw-r--r-- | ttymodes.c | 3 | ||||
-rw-r--r-- | ttymodes.h | 139 | ||||
-rw-r--r-- | uidswap.c | 11 |
61 files changed, 2685 insertions, 1802 deletions
diff --git a/auth-passwd.c b/auth-passwd.c index d3914fca..e5574ffb 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -11,7 +11,7 @@ #ifndef HAVE_PAM -RCSID("$Id: auth-passwd.c,v 1.6 1999/11/24 13:26:21 damien Exp $"); +RCSID("$Id: auth-passwd.c,v 1.7 1999/11/25 00:54:57 damien Exp $"); #include "packet.h" #include "ssh.h" @@ -39,14 +39,10 @@ auth_password(struct passwd * pw, const char *password) struct spwd *spw; #endif - if (pw->pw_uid == 0 && options.permit_root_login == 2) { - /* Server does not permit root login with password */ + if (pw->pw_uid == 0 && options.permit_root_login == 2) return 0; - } - if (*password == '\0' && options.permit_empty_passwd == 0) { - /* Server does not permit empty password login */ + if (*password == '\0' && options.permit_empty_passwd == 0) return 0; - } /* deny if no user. */ if (pw == NULL) return 0; @@ -74,8 +70,10 @@ auth_password(struct passwd * pw, const char *password) #endif #if defined(KRB4) - /* Support for Kerberos v4 authentication - Dug Song - <dugsong@UMICH.EDU> */ + /* + * Support for Kerberos v4 authentication + * - Dug Song <dugsong@UMICH.EDU> + */ if (options.kerberos_authentication) { AUTH_DAT adata; KTEXT_ST tkt; @@ -86,8 +84,10 @@ auth_password(struct passwd * pw, const char *password) char realm[REALM_SZ]; int r; - /* Try Kerberos password authentication only for non-root - users and only if Kerberos is installed. */ + /* + * Try Kerberos password authentication only for non-root + * users and only if Kerberos is installed. + */ if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) { /* Set up our ticket file. */ 
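Review bot: In the @@ -39,14 +39,10 @@ hunk of auth-passwd.c the new code still dereferences `pw->pw_uid` in the root-login check before reaching `if (pw == NULL) return 0;`, so the NULL guard can never protect anything and a NULL pw crashes on the first line of the hunk. The guard belongs ahead of both early checks: move `if (pw == NULL) return 0;` to the top of the block, directly under the declarations, and keep the permit_root_login and permit_empty_passwd tests after it. While the braces are being dropped around the single-statement ifs, it is worth keeping a one-line comment on each (`/* root login with a password is disabled */`, `/* empty passwords are disabled */`) since the old comments are removed with the braces. auth_password's body starts and ends outside this hunk.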
@@ -144,14 +144,17 @@ auth_password(struct passwd * pw, const char *password) goto kerberos_auth_failure; } } else if (r == KDC_PR_UNKNOWN) { - /* Allow login if no rcmd service exists, - but log the error. */ + /* + * Allow login if no rcmd service exists, but + * log the error. + */ log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s " "not registered, or srvtab is wrong?", pw->pw_name, krb_err_txt[r], KRB4_SERVICE_NAME, phost); } else { - /* TGT is bad, forget it. Possibly - spoofed! */ + /* + * TGT is bad, forget it. Possibly spoofed! + */ packet_send_debug("WARNING: Kerberos V4 TGT " "possibly spoofed for %s: %s", pw->pw_name, krb_err_txt[r]); @@ -175,11 +178,8 @@ auth_password(struct passwd * pw, const char *password) #endif /* KRB4 */ /* Check for users with no password. */ - if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) { - packet_send_debug("Login permitted without a password " - "because the account has no password."); + if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) return 1; - } #ifdef HAVE_SHADOW_H spw = getspnam(pw->pw_name); diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c index 4e9a383a..1392455c 100644 --- a/auth-rh-rsa.c +++ b/auth-rh-rsa.c @@ -15,7 +15,7 @@ */ #include "includes.h" -RCSID("$Id: auth-rh-rsa.c,v 1.6 1999/11/24 13:26:21 damien Exp $"); +RCSID("$Id: auth-rh-rsa.c,v 1.7 1999/11/25 00:54:57 damien Exp $"); #include "packet.h" #include "ssh.h" @@ -23,8 +23,10 @@ RCSID("$Id: auth-rh-rsa.c,v 1.6 1999/11/24 13:26:21 damien Exp $"); #include "uidswap.h" #include "servconf.h" -/* Tries to authenticate the user using the .rhosts file and the host using - its host key. Returns true if authentication succeeds. */ +/* + * Tries to authenticate the user using the .rhosts file and the host using + * its host key. Returns true if authentication succeeds. + */ int auth_rhosts_rsa(struct passwd *pw, const char *client_user, 
@@ -57,8 +59,10 @@ auth_rhosts_rsa(struct passwd *pw, const char *client_user, if (host_status != HOST_OK && !options.ignore_user_known_hosts) { struct stat st; char *user_hostfile = tilde_expand_filename(SSH_USER_HOSTFILE, pw->pw_uid); - /* Check file permissions of SSH_USER_HOSTFILE, auth_rsa() - did already check pw->pw_dir, but there is a race XXX */ + /* + * Check file permissions of SSH_USER_HOSTFILE, auth_rsa() + * did already check pw->pw_dir, but there is a race XXX + */ if (options.strict_modes && (stat(user_hostfile, &st) == 0) && ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || @@ -91,8 +95,10 @@ auth_rhosts_rsa(struct passwd *pw, const char *client_user, canonical_hostname); return 0; } - /* We have authenticated the user using .rhosts or /etc/hosts.equiv, and the host using RSA. - We accept the authentication. */ + /* + * We have authenticated the user using .rhosts or /etc/hosts.equiv, + * and the host using RSA. We accept the authentication. + */ verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.", pw->pw_name, client_user, canonical_hostname); diff --git a/auth-rhosts.c b/auth-rhosts.c index 500dcebb..2f12f134 100644 --- a/auth-rhosts.c +++ b/auth-rhosts.c @@ -16,7 +16,7 @@ */ #include "includes.h" -RCSID("$Id: auth-rhosts.c,v 1.5 1999/11/24 13:26:21 damien Exp $"); +RCSID("$Id: auth-rhosts.c,v 1.6 1999/11/25 00:54:57 damien Exp $"); #include "packet.h" #include "ssh.h" 
@@ -24,9 +24,11 @@ RCSID("$Id: auth-rhosts.c,v 1.5 1999/11/24 13:26:21 damien Exp $"); #include "uidswap.h" #include "servconf.h" -/* This function processes an rhosts-style file (.rhosts, .shosts, or - /etc/hosts.equiv). This returns true if authentication can be granted - based on the file, and returns zero otherwise. */ +/* + * This function processes an rhosts-style file (.rhosts, .shosts, or + * /etc/hosts.equiv). This returns true if authentication can be granted + * based on the file, and returns zero otherwise. + */ int check_rhosts_file(const char *filename, const char *hostname, @@ -41,7 +43,6 @@ check_rhosts_file(const char *filename, const char *hostname, if (!f) return 0; - /* Go through the file, checking every entry. */ while (fgets(buf, sizeof(buf), f)) { /* All three must be at least as big as buf to avoid overflows. */ char hostbuf[1024], userbuf[1024], dummy[1024], *host, *user, *cp; @@ -52,13 +53,17 @@ check_rhosts_file(const char *filename, const char *hostname, if (*cp == '#' || *cp == '\n' || !*cp) continue; - /* NO_PLUS is supported at least on OSF/1. We skip it (we - don't ever support the plus syntax). */ + /* + * NO_PLUS is supported at least on OSF/1. We skip it (we + * don't ever support the plus syntax). + */ if (strncmp(cp, "NO_PLUS", 7) == 0) continue; - /* This should be safe because each buffer is as big as - the whole string, and thus cannot be overwritten. */ + /* + * This should be safe because each buffer is as big as the + * whole string, and thus cannot be overwritten. + */ switch (sscanf(buf, "%s %s %s", hostbuf, userbuf, dummy)) { case 0: packet_send_debug("Found empty line in %.100s.", filename); 
@@ -135,10 +140,11 @@ check_rhosts_file(const char *filename, const char *hostname, return 0; } -/* Tries to authenticate the user using the .shosts or .rhosts file. - Returns true if authentication succeeds. If ignore_rhosts is - true, only /etc/hosts.equiv will be considered (.rhosts and .shosts - are ignored). */ +/* + * Tries to authenticate the user using the .shosts or .rhosts file. Returns + * true if authentication succeeds. If ignore_rhosts is true, only + * /etc/hosts.equiv will be considered (.rhosts and .shosts are ignored). + */ int auth_rhosts(struct passwd *pw, const char *client_user) @@ -150,11 +156,13 @@ auth_rhosts(struct passwd *pw, const char *client_user) static const char *rhosts_files[] = {".shosts", ".rhosts", NULL}; unsigned int rhosts_file_index; - /* Quick check: if the user has no .shosts or .rhosts files, - return failure immediately without doing costly lookups from - name servers. */ /* Switch to the user's uid. */ temporarily_use_uid(pw->pw_uid); + /* + * Quick check: if the user has no .shosts or .rhosts files, return + * failure immediately without doing costly lookups from name + * servers. + */ for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; rhosts_file_index++) { /* Check users .rhosts or .shosts. */ @@ -172,7 +180,6 @@ auth_rhosts(struct passwd *pw, const char *client_user) stat(SSH_HOSTS_EQUIV, &st) < 0) return 0; - /* Get the name, address, and port of the remote host. */ hostname = get_canonical_hostname(); ipaddr = get_remote_ipaddr(); @@ -191,8 +198,10 @@ auth_rhosts(struct passwd *pw, const char *client_user) return 1; } } - /* Check that the home directory is owned by root or the user, and - is not group or world writable. */ + /* + * Check that the home directory is owned by root or the user, and is + * not group or world writable. + */ if (stat(pw->pw_dir, &st) < 0) { log("Rhosts authentication refused for %.100s: no home directory %.200s", pw->pw_name, pw->pw_dir); 
@@ -221,10 +230,12 @@ auth_rhosts(struct passwd *pw, const char *client_user) if (stat(buf, &st) < 0) continue; - /* Make sure that the file is either owned by the user or - by root, and make sure it is not writable by anyone but - the owner. This is to help avoid novices accidentally - allowing access to their account by anyone. */ + /* + * Make sure that the file is either owned by the user or by + * root, and make sure it is not writable by anyone but the + * owner. This is to help avoid novices accidentally + * allowing access to their account by anyone. + */ if (options.strict_modes && ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || (st.st_mode & 022) != 0)) { @@ -16,7 +16,7 @@ */ #include "includes.h" -RCSID("$Id: auth-rsa.c,v 1.9 1999/11/24 13:26:21 damien Exp $"); +RCSID("$Id: auth-rsa.c,v 1.10 1999/11/25 00:54:57 damien Exp $"); #include "rsa.h" #include "packet.h" 
@@ -43,22 +43,27 @@ extern int no_pty_flag; extern char *forced_command; extern struct envstring *custom_environment; -/* Session identifier that is used to bind key exchange and authentication - responses to a particular session. */ +/* + * Session identifier that is used to bind key exchange and authentication + * responses to a particular session. + */ extern unsigned char session_id[16]; -/* The .ssh/authorized_keys file contains public keys, one per line, in the - following format: - options bits e n comment - where bits, e and n are decimal numbers, - and comment is any string of characters up to newline. The maximum - length of a line is 8000 characters. See the documentation for a - description of the options. -*/ +/* + * The .ssh/authorized_keys file contains public keys, one per line, in the + * following format: + * options bits e n comment + * where bits, e and n are decimal numbers, + * and comment is any string of characters up to newline. The maximum + * length of a line is 8000 characters. See the documentation for a + * description of the options. + */ -/* Performs the RSA authentication challenge-response dialog with the client, - and returns true (non-zero) if the client gave the correct answer to - our challenge; returns zero if the client gives a wrong answer. */ +/* + * Performs the RSA authentication challenge-response dialog with the client, + * and returns true (non-zero) if the client gave the correct answer to + * our challenge; returns zero if the client gives a wrong answer. + */ int auth_rsa_challenge_dialog(BIGNUM *e, BIGNUM *n) 
@@ -128,9 +133,11 @@ auth_rsa_challenge_dialog(BIGNUM *e, BIGNUM *n) return 1; } -/* Performs the RSA authentication dialog with the client. This returns - 0 if the client could not be authenticated, and 1 if authentication was - successful. This may exit if there is a serious protocol violation. */ +/* + * Performs the RSA authentication dialog with the client. This returns + * 0 if the client could not be authenticated, and 1 if authentication was + * successful. This may exit if there is a serious protocol violation. + */ int auth_rsa(struct passwd *pw, BIGNUM *client_n) @@ -204,30 +211,32 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) /* Flag indicating whether authentication has succeeded. */ authenticated = 0; - /* Initialize mp-int variables. */ e = BN_new(); n = BN_new(); - /* Go though the accepted keys, looking for the current key. If - found, perform a challenge-response dialog to verify that the - user really has the corresponding private key. */ + /* + * Go though the accepted keys, looking for the current key. If + * found, perform a challenge-response dialog to verify that the + * user really has the corresponding private key. + */ while (fgets(line, sizeof(line), f)) { char *cp; char *options; linenum++; - /* Skip leading whitespace. */ - for (cp = line; *cp == ' ' || *cp == '\t'; cp++); - - /* Skip empty and comment lines. */ + /* Skip leading whitespace, empty and comment lines. */ + for (cp = line; *cp == ' ' || *cp == '\t'; cp++) + ; if (!*cp || *cp == '\n' || *cp == '#') continue; - /* Check if there are options for this key, and if so, - save their starting address and skip the option part - for now. If there are no options, set the starting - address to NULL. */ + /* + * Check if there are options for this key, and if so, + * save their starting address and skip the option part + * for now. If there are no options, set the starting + * address to NULL. + */ if (*cp < '0' || *cp > '9') { int quoted = 0; options = cp; 
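Review bot: In the @@ -204,30 +211,32 @@ hunk of auth-rsa.c the results of `e = BN_new(); n = BN_new();` are still unchecked, so an allocation failure hands a NULL BIGNUM to the parsing and `BN_cmp(n, client_n)` calls in the loop that follows. A guard right after the two calls, `if (e == NULL || n == NULL) fatal("auth_rsa: BN_new failed");`, keeps the failure local; fatal() is already the file's response to internal errors, as the `next_option` hunk shows. The dropped "Initialize mp-int variables" comment could be replaced by one that states the ownership, e.g. `/* e, n: per-line key values, released with BN_clear_free() at the end */`. auth_rsa's body starts and ends outside this hunk.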
@@ -258,7 +267,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) /* Check if the we have found the desired key (identified by its modulus). */ if (BN_cmp(n, client_n) != 0) - continue; /* Wrong key. */ + continue; /* We have found the desired key. */ @@ -269,10 +278,12 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) packet_send_debug("Wrong response to RSA authentication challenge."); continue; } - /* Correct response. The client has been successfully - authenticated. Note that we have not yet processed the - options; this will be reset if the options cause the - authentication to be rejected. */ + /* + * Correct response. The client has been successfully + * authenticated. Note that we have not yet processed the + * options; this will be reset if the options cause the + * authentication to be rejected. + */ authenticated = 1; /* RSA part of authentication was accepted. Now process the options. */ @@ -412,7 +423,6 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) goto next_option; } bad_option: - /* Unknown option. */ log("Bad options in %.100s file, line %lu: %.50s", SSH_USER_PERMITTED_KEYS, linenum, options); packet_send_debug("Bad options in %.100s file, line %lu: %.50s", @@ -421,12 +431,14 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) break; next_option: - /* Skip the comma, and move to the next option - (or break out if there are no more). */ + /* + * Skip the comma, and move to the next option + * (or break out if there are no more). + */ if (!*options) fatal("Bugs in auth-rsa.c option processing."); if (*options == ' ' || *options == '\t') - break; /* End of options. */ + break; /* End of options. */ if (*options != ',') goto bad_option; options++; @@ -434,8 +446,10 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) continue; } } - /* Break out of the loop if authentication was successful; - otherwise continue searching. */ + /* + * Break out of the loop if authentication was successful; + * otherwise continue searching. + */ if (authenticated) break; } 
@@ -446,7 +460,6 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) /* Close the file. */ fclose(f); - /* Clear any mp-int variables. */ BN_clear_free(n); BN_clear_free(e); diff --git a/auth-skey.c b/auth-skey.c index 457100cc..a0d786cb 100644 --- a/auth-skey.c +++ b/auth-skey.c @@ -1,11 +1,15 @@ #include "includes.h" #ifdef SKEY - RCSID("$Id: auth-skey.c,v 1.3 1999/11/23 22:25:52 markus Exp $"); #include "ssh.h" -#include <sha1.h> +#ifdef HAVE_OPENSSL +#include <openssl/sha1.h> +#endif +#ifdef HAVE_SSL +#include <ssl/sha1.h> +#endif /* from %OpenBSD: skeylogin.c,v 1.32 1999/08/16 14:46:56 millert Exp % */ @@ -14,7 +14,7 @@ */ #include "includes.h" -RCSID("$Id: authfd.c,v 1.7 1999/11/24 13:26:21 damien Exp $"); +RCSID("$Id: authfd.c,v 1.8 1999/11/25 00:54:57 damien Exp $"); #include "ssh.h" #include "rsa.h" @@ -63,9 +63,11 @@ ssh_get_authentication_socket() return sock; } -/* Closes the agent socket if it should be closed (depends on how it was - obtained). The argument must have been returned by - ssh_get_authentication_socket(). */ +/* + * Closes the agent socket if it should be closed (depends on how it was + * obtained). The argument must have been returned by + * ssh_get_authentication_socket(). + */ void ssh_close_authentication_socket(int sock) @@ -74,11 +76,13 @@ ssh_close_authentication_socket(int sock) close(sock); } -/* Opens and connects a private socket for communication with the - authentication agent. Returns the file descriptor (which must be - shut down and closed by the caller when no longer needed). - Returns NULL if an error occurred and the connection could not be - opened. */ +/* + * Opens and connects a private socket for communication with the + * authentication agent. Returns the file descriptor (which must be + * shut down and closed by the caller when no longer needed). + * Returns NULL if an error occurred and the connection could not be + * opened. + */ AuthenticationConnection * ssh_get_authentication_connection() 
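Review bot: In the auth-skey.c hunk the new conditional includes cover HAVE_OPENSSL and HAVE_SSL but provide no fallback, so a build with SKEY defined and neither macro set includes no SHA-1 header at all and fails later with implicit declarations instead of a clear diagnostic; adding `#if !defined(HAVE_OPENSSL) && !defined(HAVE_SSL)` / `#error "SKEY support requires an SSL library providing SHA-1"` / `#endif` after the two blocks reports the misconfiguration at the point of cause. The header name `<openssl/sha1.h>` also looks worth confirming against the OpenSSL version the tree builds with, since this hunk is the only place it appears on the page. A short comment such as `/* SHA-1 is taken from whichever SSL library configure detected */` above the block would explain why two alternatives exist.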
@@ -88,12 +92,13 @@ ssh_get_authentication_connection() sock = ssh_get_authentication_socket(); - /* Fail if we couldn't obtain a connection. This happens if we - exited due to a timeout. */ + /* + * Fail if we couldn't obtain a connection. This happens if we + * exited due to a timeout. |