From: Peter Avalos Date: Sat, 9 Apr 2011 06:57:29 +0000 (-0700) Subject: Merge branch 'vendor/OPENSSH' X-Git-Tag: v2.11.0~73 X-Git-Url: https://gitweb.dragonflybsd.org/dragonfly.git/commitdiff_plain/bc3542060d699ca6026adcd09209004e787ef645 Merge branch 'vendor/OPENSSH' --- bc3542060d699ca6026adcd09209004e787ef645 diff --cc crypto/openssh/auth-rsa.c index 369e66fac4,4edaab056a..12bc35ccb5 --- a/crypto/openssh/auth-rsa.c +++ b/crypto/openssh/auth-rsa.c @@@ -251,19 -246,10 +248,23 @@@ auth_rsa_key_allowed(struct passwd *pw "actual %d vs. announced %d.", file, linenum, BN_num_bits(key->rsa->n), bits); + /* Never accept a revoked key */ + if (auth_key_is_revoked(key)) + break; + + if (blacklisted_key(key)) { + fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); + if (options.permit_blacklisted_keys) + logit("Public key %s blacklisted (see " + "ssh-vulnkey(1)); continuing anyway", fp); + else + logit("Public key %s blacklisted (see " + "ssh-vulnkey(1))", fp); + xfree(fp); + if (!options.permit_blacklisted_keys) + continue; + } + /* We have found the desired key. 
*/ /* * If our options do not allow this key to be used, diff --cc crypto/openssh/auth2.c index f76f883148,95820f96fa..e8e220d480 --- a/crypto/openssh/auth2.c +++ b/crypto/openssh/auth2.c @@@ -232,15 -221,10 +232,15 @@@ input_userauth_request(int type, u_int3 if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); - user = packet_get_string(NULL); - service = packet_get_string(NULL); - method = packet_get_string(NULL); + user = packet_get_cstring(NULL); + service = packet_get_cstring(NULL); + method = packet_get_cstring(NULL); debug("userauth-request for user %s service %s method %s", user, service, method); + if (!log_flag) { + logit("SSH: Server;Ltype: Authname;Remote: %s-%d;Name: %s", + get_remote_ipaddr(), get_remote_port(), user); + log_flag = 1; + } debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); if ((style = strchr(user, ':')) != NULL) diff --cc crypto/openssh/kex.c index ad57047027,c65e28f94d..e99b244129 --- a/crypto/openssh/kex.c +++ b/crypto/openssh/kex.c @@@ -63,9 -62,36 +63,37 @@@ extern const EVP_MD *evp_ssh_sha256(voi static void kex_kexinit_finish(Kex *); static void kex_choose_conf(Kex *); + /* Validate KEX method name list */ + int + kex_names_valid(const char *names) + { + char *s, *cp, *p; + + if (names == NULL || strcmp(names, "") == 0) + return 0; + s = cp = xstrdup(names); + for ((p = strsep(&cp, ",")); p && *p != '\0'; + (p = strsep(&cp, ","))) { + if (strcmp(p, KEX_DHGEX_SHA256) != 0 && + strcmp(p, KEX_DHGEX_SHA1) != 0 && + strcmp(p, KEX_DH14) != 0 && + strcmp(p, KEX_DH1) != 0 && + (strncmp(p, KEX_ECDH_SHA2_STEM, + sizeof(KEX_ECDH_SHA2_STEM) - 1) != 0 || + kex_ecdh_name_to_nid(p) == -1)) { + error("Unsupported KEX algorithm \"%.100s\"", p); + xfree(s); + return 0; + } + } + debug3("kex names ok: [%s]", names); + xfree(s); + return 1; + } + /* put algorithm proposal into buffer */ -static void +/* used in sshconnect.c as well as kex.c */ +void kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX]) { u_int i; 
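Review bot: The two new checks in auth_rsa_key_allowed leave the authorized_keys loop differently — a revoked key `break`s out of the whole scan, while a blacklisted key that is not permitted only `continue`s to the next entry — and nothing in the hunk records why, so a later edit could easily "harmonise" one to match the other. A one-line comment above the revoked check would pin the intent: `/* A revoked key aborts the whole search; a blacklisted key only skips this entry */`. The `fp` string from key_fingerprint() is freed on both logit branches, so there is no leak there; note that with permit_blacklisted_keys set the key is accepted after a logit only, which operators reading the log should know is the expected behaviour. auth_rsa_key_allowed continues beyond the hunk on both sides.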
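Review bot: The new `if (!log_flag)` block in input_userauth_request needs a comment, because `log_flag` is declared outside the hunk and nothing here says why the audit line is emitted only once per connection: e.g. `/* One audit line per connection, on the first userauth request; user is not yet authenticated here */`. Since the line is written before any credential check, the `Name:` field is a client-supplied string and consumers of this log should treat it as a claimed, not verified, identity; it is passed through `%s`, so no format-string exposure. input_userauth_request continues past the hunk.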
diff --cc crypto/openssh/kex.h index 20ff45a150,7373d3c789..3b4d4b591e --- a/crypto/openssh/kex.h +++ b/crypto/openssh/kex.h @@@ -132,8 -138,8 +138,10 @@@ struct Kex void (*kex[KEX_MAX])(Kex *); }; + int kex_names_valid(const char *); + +void kex_prop2buf(Buffer *, char *proposal[PROPOSAL_MAX]); + Kex *kex_setup(char *[PROPOSAL_MAX]); void kex_finish(Kex *); diff --cc crypto/openssh/packet.h index b5970226c6,d516aae8d4..a261f27662 --- a/crypto/openssh/packet.h +++ b/crypto/openssh/packet.h @@@ -19,10 -19,10 +19,13 @@@ #include #include + #ifdef OPENSSL_HAS_ECC + #include + #endif +void +packet_request_rekeying(void); + void packet_set_connection(int, int); void packet_set_timeout(int, int); void packet_set_nonblocking(void); diff --cc crypto/openssh/readconf.c index 0da667dbe0,eb4a8b9eea..02aeae01fe --- a/crypto/openssh/readconf.c +++ b/crypto/openssh/readconf.c @@@ -135,8 -134,8 +137,10 @@@ typedef enum oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, + oKexAlgorithms, oIPQoS, + oNoneEnabled, oTcpRcvBufPoll, oTcpRcvBuf, oNoneSwitch, oHPNDisabled, - oHPNBufferSize, oDeprecated, oUnsupported ++ oHPNBufferSize, + oDeprecated, oUnsupported } OpCodes; /* Textual representations of the tokens. 
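Review bot: In kex_names_valid the loop condition `p && *p != '\0'` ends the scan at the first empty element and the function then returns 1, so a list such as `a,,b` or one ending in a comma is reported valid without the names after the empty element being checked; presumably the bad name is caught later during key exchange, but the point of this function is to reject it at configuration time. Treating an empty element as an error keeps validation exhaustive: `for ((p = strsep(&cp, ",")); p != NULL; (p = strsep(&cp, ","))) {` and `if (*p == '\0' || (strcmp(p, KEX_DHGEX_SHA256) != 0 &&`, with a matching `)` added before the `) {` that closes the condition. This narrows what is accepted (an empty element becomes an error), which matches the function's stated purpose. The `kex_prop2buf` visibility change later in the hunk is covered by the prototype the merge adds to kex.h.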
*/ @@@ -245,12 -243,8 +249,14 @@@ static struct #else { "zeroknowledgepasswordauthentication", oUnsupported }, #endif + { "kexalgorithms", oKexAlgorithms }, + { "ipqos", oIPQoS }, + { "noneenabled", oNoneEnabled }, + { "tcprcvbufpoll", oTcpRcvBufPoll }, + { "tcprcvbuf", oTcpRcvBuf }, + { "noneswitch", oNoneSwitch }, + { "hpndisabled", oHPNDisabled }, + { "hpnbuffersize", oHPNBufferSize }, { NULL, oBadOption } }; @@@ -1173,12 -1155,8 +1209,14 @@@ initialize_options(Options * options options->use_roaming = -1; options->visual_host_key = -1; options->zero_knowledge_password_authentication = -1; + options->ip_qos_interactive = -1; + options->ip_qos_bulk = -1; + options->none_switch = -1; + options->none_enabled = -1; + options->hpn_disabled = -1; + options->hpn_buffer_size = -1; + options->tcp_rcv_buf_poll = -1; + options->tcp_rcv_buf = -1; } /* diff --cc crypto/openssh/readconf.h index ff585a8e43,ee160dfe7b..012ab5848a --- a/crypto/openssh/readconf.h +++ b/crypto/openssh/readconf.h @@@ -59,11 -59,8 +59,12 @@@ typedef struct int compression_level; /* Compression level 1 (fast) to 9 * (best). */ int tcp_keep_alive; /* Set SO_KEEPALIVE. */ + int tcp_rcv_buf; /* user switch to set tcp recv buffer */ + int tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */ + int hpn_disabled; /* Switch to disable HPN buffer management */ + int hpn_buffer_size; /* User definable size for HPN buffer window */ - + int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */ + int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ LogLevel log_level; /* Level for logging. */ int port; /* Port to connect. 
*/ diff --cc crypto/openssh/servconf.c index 7c35cf779c,e2f20a3d11..e026475c26 --- a/crypto/openssh/servconf.c +++ b/crypto/openssh/servconf.c @@@ -279,43 -277,11 +290,47 @@@ fill_default_server_options(ServerOptio options->permit_tun = SSH_TUNMODE_NO; if (options->zero_knowledge_password_authentication == -1) options->zero_knowledge_password_authentication = 0; + if (options->ip_qos_interactive == -1) + options->ip_qos_interactive = IPTOS_LOWDELAY; + if (options->ip_qos_bulk == -1) + options->ip_qos_bulk = IPTOS_THROUGHPUT; + if (options->hpn_disabled == -1) + options->hpn_disabled = 0; + + if (options->hpn_buffer_size == -1) { + /* option not explicitly set. Now we have to figure out */ + /* what value to use */ + if (options->hpn_disabled == 1) { + options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT; + } else { + /* get the current RCV size and set it to that */ + /*create a socket but don't connect it */ + /* we use that the get the rcv socket size */ + sock = socket(AF_INET, SOCK_STREAM, 0); + getsockopt(sock, SOL_SOCKET, SO_RCVBUF, + &socksize, &socksizelen); + close(sock); + options->hpn_buffer_size = socksize; + debug ("HPN Buffer Size: %d", options->hpn_buffer_size); + + } + } else { + /* we have to do this incase the user sets both values in a contradictory */ + /* manner. 
hpn_disabled overrrides hpn_buffer_size*/ + if (options->hpn_disabled <= 0) { + if (options->hpn_buffer_size == 0) + options->hpn_buffer_size = 1; + /* limit the maximum buffer to 64MB */ + if (options->hpn_buffer_size > 64*1024) { + options->hpn_buffer_size = 64*1024*1024; + } else { + options->hpn_buffer_size *= 1024; + } + } else + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; + } + /* Turn privilege separation on by default */ if (use_privsep == -1) use_privsep = 1; @@@ -361,8 -327,7 +376,9 @@@ typedef enum sUsePrivilegeSeparation, sAllowAgentForwarding, sZeroKnowledgePasswordAuthentication, sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, + sKexAlgorithms, sIPQoS, + sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, + sVersionAddendum, sDeprecated, sUnsupported } ServerOpCodes; @@@ -487,10 -450,8 +503,12 @@@ static struct { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, + { "noneenabled", sNoneEnabled }, + { "hpndisabled", sHPNDisabled }, + { "hpnbuffersize", sHPNBufferSize }, + { "tcprcvbufpoll", sTcpRcvBufPoll }, + { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, + { "ipqos", sIPQoS, SSHCFG_ALL }, { NULL, sBadOption, 0 } }; diff --cc crypto/openssh/ssh-keygen.c index 2ec947c4a2,c95e4ab298..249831c1a4 --- a/crypto/openssh/ssh-keygen.c +++ b/crypto/openssh/ssh-keygen.c @@@ -1448,10 -1478,10 +1478,10 @@@ do_ca_sign(struct passwd *pw, int argc fclose(f); if (!quiet) { - logit("Signed %s key %s: id \"%s\" serial %llu%s%s " + logit("Signed %s key %s: id \"%s\" serial %ju%s%s " "valid %s", key_cert_type(public), out, public->cert->key_id, - (intmax_t)public->cert->serial, + (unsigned long long)public->cert->serial, cert_principals != NULL ? " for " : "", cert_principals != NULL ? 
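Review bot: In fill_default_server_options the HPN auto-sizing path calls `socket()` and `getsockopt()` without checking either return value, and then stores `socksize` into `options->hpn_buffer_size`; if the socket cannot be created (fd limits, no AF_INET) the code passes -1 to getsockopt and close and uses whatever `socksize` held, which is a value read from outside this hunk and may well be uninitialised. The branch should fall back to CHAN_SES_WINDOW_DEFAULT when either call fails, as below (`socksize`/`socksizelen` are declared outside the hunk; `socksizelen` must be initialised to `sizeof(socksize)` before the call). The comments in the same block also carry typos (`incase`, `overrrides`, `the get the`) worth fixing while here.

```c
			/* get the current RCV size and set it to that */
			sock = socket(AF_INET, SOCK_STREAM, 0);
			if (sock < 0 || getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
			    &socksize, &socksizelen) < 0) {
				/* nothing was read into socksize; do not trust it */
				options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
			} else
				options->hpn_buffer_size = socksize;
			if (sock >= 0)
				close(sock);
			debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
/* … unchanged: the branch scaling an explicitly configured hpn_buffer_size from KB … */
```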
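Review bot: In the server keywords table, the four new entries `noneenabled`, `hpndisabled`, `hpnbuffersize` and `tcprcvbufpoll` omit the third member that every neighbouring entry carries (`SSHCFG_ALL`, `SSHCFG_GLOBAL`), so their flags field is zero-initialised. Whether a zero flags value is accepted by the keyword lookup and Match-block handling is decided outside this hunk, but `kexalgorithms` and `ipqos` in the same hunk are explicit, so these should be too, e.g. `{ "hpndisabled", sHPNDisabled, SSHCFG_GLOBAL },` with whichever scope the options are meant to have.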
cert_principals : "", fmt_validity(cert_valid_from, cert_valid_to)); diff --cc crypto/openssh/ssh.1 index 90db22dc94,e3a42b5ad7..11b1c8fed1 --- a/crypto/openssh/ssh.1 +++ b/crypto/openssh/ssh.1 @@@ -1337,7 -1341,7 +1342,7 @@@ manual page for more information This file is for host-based authentication (see above). It should only be writable by root. .Pp - .It /etc/ssh/shosts.equiv -.It Pa /etc/shosts.equiv ++.It Pa /etc/ssh/shosts.equiv This file is used in exactly the same way as .Pa hosts.equiv , but allows host-based authentication without permitting login with diff --cc crypto/openssh/sshconnect.c index 278b48dbe2,74643a8c42..d815bb901f --- a/crypto/openssh/sshconnect.c +++ b/crypto/openssh/sshconnect.c @@@ -167,31 -170,17 +170,42 @@@ ssh_proxy_connect(const char *host, u_s return 0; } + void + ssh_kill_proxy_command(void) + { + /* + * Send SIGHUP to proxy command if used. We don't wait() in + * case it hangs and instead rely on init to reap the child + */ + if (proxy_command_pid > 1) + kill(proxy_command_pid, SIGHUP); + } + +/* + * Set TCP receive buffer if requested. + * Note: tuning needs to happen after the socket is + * created but before the connection happens + * so winscale is negotiated properly -cjr + */ +static void +ssh_set_socket_recvbuf(int sock) +{ + void *buf = (void *)&options.tcp_rcv_buf; + int sz = sizeof(options.tcp_rcv_buf); + int socksize; + int socksizelen = sizeof(int); + + debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf); + if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) { + getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen); + debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize); + } + else + error("Couldn't set socket receive buffer to %d: %.100s", + options.tcp_rcv_buf, strerror(errno)); +} + + /* * Creates a (possibly privileged) socket for use as the ssh connection. 
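Review bot: The merged logit() call in do_ca_sign pairs `serial %ju` with an argument cast to `(unsigned long long)`; `%ju` takes `uintmax_t`, so format and argument disagree, which is undefined behaviour under the standard and a -Wformat warning wherever intmax_t is not `long long`. The two `+` lines look like one half from each parent; pick one pairing, either `(uintmax_t)public->cert->serial,` to go with `%ju`, or `%llu` to go with the existing cast. do_ca_sign continues outside the hunk.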
*/ diff --cc crypto/openssh/sshd.8 index 1aa1dbbbd2,5503b13311..b549fe21ab --- a/crypto/openssh/sshd.8 +++ b/crypto/openssh/sshd.8 @@@ -847,7 -850,7 +852,7 @@@ This file is for host-based authenticat .Xr ssh 1 ) . It should only be writable by root. .Pp - .It /etc/ssh/moduli -.It Pa /etc/moduli ++.It Pa /etc/ssh/moduli Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". The file format is described in .Xr moduli 5 . @@@ -865,7 -868,7 +870,7 @@@ are displayed to anyone trying to log i refused. The file should be world-readable. .Pp - .It /etc/ssh/shosts.equiv -.It Pa /etc/shosts.equiv ++.It Pa /etc/ssh/shosts.equiv This file is used in exactly the same way as .Pa hosts.equiv , but allows host-based authentication without permitting login with
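Review bot: In the new ssh_set_socket_recvbuf the success branch ignores the getsockopt() result and then prints `strerror(errno)` even though nothing failed, so the debug line reports a stale errno and, if getsockopt did fail, an uninitialised `socksize`. Checking the read-back and reporting errno only on failure keeps the log honest; `socksizelen` is also declared `int` where getsockopt takes a `socklen_t *`, which warns on platforms where the two differ. Rewritten tail below; the preceding `ssh_kill_proxy_command` addition looks fine (no wait() is deliberate and documented).

```c
	socklen_t socksizelen = sizeof(socksize);

	debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf);
	if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) < 0) {
		error("Couldn't set socket receive buffer to %d: %.100s",
		    options.tcp_rcv_buf, strerror(errno));
		return;
	}
	/* read back what the kernel actually granted; errno only means something on failure */
	if (getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen) < 0)
		error("getsockopt SO_RCVBUF: %.100s", strerror(errno));
	else
		debug("setsockopt SO_RCVBUF: now %d", socksize);
```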