From: Peter Avalos Date: Thu, 29 Mar 2007 00:46:51 +0000 (+0000) Subject: Import OpenSSH 4.6p1. X-Git-Tag: v2.0.1~3328^2 X-Git-Url: https://gitweb.dragonflybsd.org/dragonfly.git/commitdiff_plain/bc5edf69074d4054348acf9fc97b9d6c85dc81f9 Import OpenSSH 4.6p1. --- diff --git a/crypto/openssh-4/README b/crypto/openssh-4/README index fb53b554b7..0c732cffe0 100644 --- a/crypto/openssh-4/README +++ b/crypto/openssh-4/README @@ -1,4 +1,4 @@ -See http://www.openssh.com/txt/release-4.5 for the release notes. +See http://www.openssh.com/txt/release-4.6 for the release notes. - A Japanese translation of this document and of the OpenSSH FAQ is - available at http://www.unixuser.org/~haruyama/security/openssh/index.html @@ -62,4 +62,4 @@ References - [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 [7] http://www.openssh.com/faq.html -$Id: README,v 1.64 2006/11/07 12:25:45 dtucker Exp $ +$Id: README,v 1.64.4.1 2007/03/06 10:27:56 djm Exp $ diff --git a/crypto/openssh-4/auth-skey.c b/crypto/openssh-4/auth-skey.c index 25073dbae0..cb43dba485 100644 --- a/crypto/openssh-4/auth-skey.c +++ b/crypto/openssh-4/auth-skey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-skey.c,v 1.26 2006/08/05 08:28:24 dtucker Exp $ */ +/* $OpenBSD: auth-skey.c,v 1.27 2007/01/21 01:41:54 stevesk Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -59,8 +59,8 @@ skey_query(void *ctx, char **name, char **infotxt, sizeof(challenge)) == -1) return -1; - *name = xstrdup(""); - *infotxt = xstrdup(""); + *name = xstrdup(""); + *infotxt = xstrdup(""); *numprompts = 1; *prompts = xcalloc(*numprompts, sizeof(char *)); *echo_on = xcalloc(*numprompts, sizeof(u_int)); diff --git a/crypto/openssh-4/auth.c b/crypto/openssh-4/auth.c index 5d23343b92..505102f8ab 100644 --- a/crypto/openssh-4/auth.c +++ b/crypto/openssh-4/auth.c @@ -569,8 +569,8 @@ fakepw(void) fake.pw_passwd = "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; fake.pw_gecos = "NOUSER"; - fake.pw_uid = privsep_pw->pw_uid; - fake.pw_gid = privsep_pw->pw_gid; + fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid; + fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid; #ifdef HAVE_PW_CLASS_IN_PASSWD fake.pw_class = ""; #endif diff --git a/crypto/openssh-4/auth2-chall.c b/crypto/openssh-4/auth2-chall.c index b78b739cdc..51059c2bd6 100644 --- a/crypto/openssh-4/auth2-chall.c +++ b/crypto/openssh-4/auth2-chall.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-chall.c,v 1.31 2006/08/05 08:28:24 dtucker Exp $ */ +/* $OpenBSD: auth2-chall.c,v 1.32 2007/01/03 03:01:40 stevesk Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Per Allansson. All rights reserved. @@ -206,7 +206,7 @@ auth2_challenge_stop(Authctxt *authctxt) { /* unregister callback */ dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL); - if (authctxt->kbdintctxt != NULL) { + if (authctxt->kbdintctxt != NULL) { kbdint_free(authctxt->kbdintctxt); authctxt->kbdintctxt = NULL; } diff --git a/crypto/openssh-4/auth2.c b/crypto/openssh-4/auth2.c index 2d880b57cf..b1a4e3635a 100644 --- a/crypto/openssh-4/auth2.c +++ b/crypto/openssh-4/auth2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.113 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth2.c,v 1.114 2007/03/01 10:28:02 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -96,10 +96,6 @@ int user_key_allowed(struct passwd *, Key *); void do_authentication2(Authctxt *authctxt) { - /* challenge-response is implemented via keyboard interactive */ - if (options.challenge_response_authentication) - options.kbd_interactive_authentication = 1; - dispatch_init(&dispatch_protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); diff --git a/crypto/openssh-4/bufbn.c b/crypto/openssh-4/bufbn.c index 9706ba8a86..ce8fba5151 100644 --- a/crypto/openssh-4/bufbn.c +++ b/crypto/openssh-4/bufbn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bufbn.c,v 1.4 2006/11/06 21:25:28 markus Exp $*/ +/* $OpenBSD: bufbn.c,v 1.5 2007/02/14 14:32:00 stevesk Exp $*/ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -93,7 +93,7 @@ buffer_put_bignum(Buffer *buffer, const BIGNUM *value) } /* - * Retrieves an BIGNUM from the buffer. + * Retrieves a BIGNUM from the buffer. */ int buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value) @@ -101,7 +101,7 @@ buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value) u_int bits, bytes; u_char buf[2], *bin; - /* Get the number for bits. */ + /* Get the number of bits. */ if (buffer_get_ret(buffer, (char *) buf, 2) == -1) { error("buffer_get_bignum_ret: invalid length"); return (-1); @@ -137,7 +137,7 @@ buffer_get_bignum(Buffer *buffer, BIGNUM *value) } /* - * Stores an BIGNUM in the buffer in SSH2 format. + * Stores a BIGNUM in the buffer in SSH2 format. */ int buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value) diff --git a/crypto/openssh-4/channels.c b/crypto/openssh-4/channels.c index 26b63a1aae..c68ad6419f 100644 --- a/crypto/openssh-4/channels.c +++ b/crypto/openssh-4/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.266 2006/08/29 10:40:18 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.268 2007/01/03 03:01:40 stevesk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1052,7 +1052,7 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) if (have < nmethods + 2) return 0; /* look for method: "NO AUTHENTICATION REQUIRED" */ - for (found = 0, i = 2 ; i < nmethods + 2; i++) { + for (found = 0, i = 2; i < nmethods + 2; i++) { if (p[i] == SSH_SOCKS5_NOAUTH) { found = 1; break; @@ -1449,10 +1449,11 @@ channel_handle_rfd(Channel *c, fd_set *readset, fd_set *writeset) int len; if (c->rfd != -1 && - FD_ISSET(c->rfd, readset)) { + (c->detach_close || FD_ISSET(c->rfd, readset))) { errno = 0; len = read(c->rfd, buf, sizeof(buf)); - if (len < 0 && (errno == EINTR || errno == EAGAIN)) + if (len < 0 && (errno == EINTR || + (errno == EAGAIN && !(c->isatty && c->detach_close)))) return 1; #ifndef PTY_ZEROREAD if (len <= 0) { @@ -1604,11 +1605,12 @@ channel_handle_efd(Channel *c, fd_set *readset, fd_set *writeset) c->local_consumed += len; } } else if (c->extended_usage == CHAN_EXTENDED_READ && - FD_ISSET(c->efd, readset)) { + (c->detach_close || FD_ISSET(c->efd, readset))) { len = read(c->efd, buf, sizeof(buf)); debug2("channel %d: read %d from efd %d", c->self, len, c->efd); - if (len < 0 && (errno == EINTR || errno == EAGAIN)) + if (len < 0 && (errno == EINTR || + (errno == EAGAIN && !c->detach_close))) return 1; if (len <= 0) { debug2("channel %d: closing read-efd %d", @@ -2525,11 +2527,18 @@ channel_request_remote_forwarding(const char *listen_host, u_short listen_port, /* Send the forward request to the remote side. */ if (compat20) { const char *address_to_bind; - if (listen_host == NULL) - address_to_bind = "localhost"; - else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) - address_to_bind = ""; - else + if (listen_host == NULL) { + if (datafellows & SSH_BUG_RFWD_ADDR) + address_to_bind = "127.0.0.1"; + else + address_to_bind = "localhost"; + } else if (*listen_host == '\0' || + strcmp(listen_host, "*") == 0) { + if (datafellows & SSH_BUG_RFWD_ADDR) + address_to_bind = "0.0.0.0"; + else + address_to_bind = ""; + } else address_to_bind = listen_host; packet_start(SSH2_MSG_GLOBAL_REQUEST); diff --git a/crypto/openssh-4/clientloop.c b/crypto/openssh-4/clientloop.c index 4c5108199c..c7362caa8c 100644 --- a/crypto/openssh-4/clientloop.c +++ b/crypto/openssh-4/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.176 2006/10/11 12:38:03 markus Exp $ */ +/* $OpenBSD: clientloop.c,v 1.178 2007/02/20 10:25:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -707,7 +707,7 @@ client_process_control(fd_set *readset) { Buffer m; Channel *c; - int client_fd, new_fd[3], ver, allowed; + int client_fd, new_fd[3], ver, allowed, window, packetmax; socklen_t addrlen; struct sockaddr_storage addr; struct confirm_ctx *cctx; @@ -900,9 +900,15 @@ client_process_control(fd_set *readset) set_nonblock(client_fd); + window = CHAN_SES_WINDOW_DEFAULT; + packetmax = CHAN_SES_PACKET_DEFAULT; + if (cctx->want_tty) { + window >>= 1; + packetmax >>= 1; + } + c = channel_new("session", SSH_CHANNEL_OPENING, - new_fd[0], new_fd[1], new_fd[2], - CHAN_SES_WINDOW_DEFAULT, CHAN_SES_PACKET_DEFAULT, + new_fd[0], new_fd[1], new_fd[2], window, packetmax, CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0); /* XXX */ @@ -1757,7 +1763,7 @@ client_request_agent(const char *request_type, int rchan) error("Warning: this is probably a break-in attempt by a malicious server."); return NULL; } - sock = ssh_get_authentication_socket(); + sock = ssh_get_authentication_socket(); if (sock < 0) return NULL; c = channel_new("authentication agent connection", diff --git a/crypto/openssh-4/compat.c b/crypto/openssh-4/compat.c index da67f9410d..bc11315814 100644 --- a/crypto/openssh-4/compat.c +++ b/crypto/openssh-4/compat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.c,v 1.76 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: compat.c,v 1.77 2006/12/12 03:58:42 djm Exp $ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * @@ -133,7 +133,8 @@ compat_datafellows(const char *version) { "2.3.*", SSH_BUG_DEBUG|SSH_BUG_RSASIGMD5| SSH_BUG_FIRSTKEX }, { "2.4", SSH_OLD_SESSIONID }, /* Van Dyke */ - { "2.*", SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX }, + { "2.*", SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX| + SSH_BUG_RFWD_ADDR }, { "3.0.*", SSH_BUG_DEBUG }, { "3.0 SecureCRT*", SSH_OLD_SESSIONID }, { "1.7 SecureFX*", SSH_OLD_SESSIONID }, diff --git a/crypto/openssh-4/compat.h b/crypto/openssh-4/compat.h index 83d469d539..4d8ebc908a 100644 --- a/crypto/openssh-4/compat.h +++ b/crypto/openssh-4/compat.h @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.h,v 1.40 2006/03/25 22:22:43 djm Exp $ */ +/* $OpenBSD: compat.h,v 1.41 2006/12/12 03:58:42 djm Exp $ */ /* * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved. @@ -56,6 +56,7 @@ #define SSH_BUG_PROBE 0x00400000 #define SSH_BUG_FIRSTKEX 0x00800000 #define SSH_OLD_FORWARD_ADDR 0x01000000 +#define SSH_BUG_RFWD_ADDR 0x02000000 void enable_compat13(void); void enable_compat20(void); diff --git a/crypto/openssh-4/dh.c b/crypto/openssh-4/dh.c index 02b9a40816..78e230b9f2 100644 --- a/crypto/openssh-4/dh.c +++ b/crypto/openssh-4/dh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.c,v 1.43 2006/11/06 21:25:28 markus Exp $ */ +/* $OpenBSD: dh.c,v 1.44 2006/11/07 13:02:07 markus Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * diff --git a/crypto/openssh-4/dns.c b/crypto/openssh-4/dns.c index 92623de728..a89176f882 100644 --- a/crypto/openssh-4/dns.c +++ b/crypto/openssh-4/dns.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dns.c,v 1.23 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: dns.c,v 1.24 2007/01/03 03:01:40 stevesk Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -217,7 +217,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, if (fingerprints->rri_nrdatas) *flags |= DNS_VERIFY_FOUND; - for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) { + for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) { /* * Extract the key from the answer. Ignore any badly * formatted fingerprints. diff --git a/crypto/openssh-4/kex.c b/crypto/openssh-4/kex.c index bfc1c11f97..b2223c5ffa 100644 --- a/crypto/openssh-4/kex.c +++ b/crypto/openssh-4/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.76 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: kex.c,v 1.77 2007/01/21 01:41:54 stevesk Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -552,7 +552,7 @@ dump_digest(char *msg, u_char *digest, int len) u_int i; fprintf(stderr, "%s\n", msg); - for (i = 0; i< len; i++) { + for (i = 0; i < len; i++) { fprintf(stderr, "%02x", digest[i]); if (i%32 == 31) fprintf(stderr, "\n"); diff --git a/crypto/openssh-4/misc.c b/crypto/openssh-4/misc.c index 78bca2faef..625a34368f 100644 --- a/crypto/openssh-4/misc.c +++ b/crypto/openssh-4/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.64 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: misc.c,v 1.65 2006/11/23 01:35:11 ray Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -616,6 +616,8 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, u_long *lineno) { while (fgets(buf, bufsz, f) != NULL) { + if (buf[0] == '\0') + continue; (*lineno)++; if (buf[strlen(buf) - 1] == '\n' || feof(f)) { return 0; diff --git a/crypto/openssh-4/moduli.c b/crypto/openssh-4/moduli.c index 44e5ddfc0c..8fa545daf0 100644 --- a/crypto/openssh-4/moduli.c +++ b/crypto/openssh-4/moduli.c @@ -1,4 +1,4 @@ -/* $OpenBSD: moduli.c,v 1.19 2006/11/06 21:25:28 markus Exp $ */ +/* $OpenBSD: moduli.c,v 1.20 2007/02/24 03:30:11 ray Exp $ */ /* * Copyright 1994 Phil Karn * Copyright 1996-1998, 2003 William Allen Simpson @@ -490,11 +490,9 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted) res = 0; lp = xmalloc(QLINESIZE + 1); - while (fgets(lp, QLINESIZE, in) != NULL) { - int ll = strlen(lp); - + while (fgets(lp, QLINESIZE + 1, in) != NULL) { count_in++; - if (ll < 14 || *lp == '!' || *lp == '#') { + if (strlen(lp) < 14 || *lp == '!' || *lp == '#') { debug2("%10u: comment or short line", count_in); continue; } diff --git a/crypto/openssh-4/monitor.c b/crypto/openssh-4/monitor.c index 48ae46cccb..02f2dc8691 100644 --- a/crypto/openssh-4/monitor.c +++ b/crypto/openssh-4/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.89 2006/11/07 10:31:31 markus Exp $ */ +/* $OpenBSD: monitor.c,v 1.90 2007/02/19 10:45:58 dtucker Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -642,6 +642,9 @@ mm_answer_pwnamallow(int sock, Buffer *m) #endif buffer_put_cstring(m, pwent->pw_dir); buffer_put_cstring(m, pwent->pw_shell); + buffer_put_string(m, &options, sizeof(options)); + if (options.banner != NULL) + buffer_put_cstring(m, options.banner); out: debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); diff --git a/crypto/openssh-4/monitor_wrap.c b/crypto/openssh-4/monitor_wrap.c index 3865539dfd..27cc1c5f1f 100644 --- a/crypto/openssh-4/monitor_wrap.c +++ b/crypto/openssh-4/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.54 2006/08/12 20:46:46 miod Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.55 2007/02/19 10:45:58 dtucker Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -73,6 +73,7 @@ #include "channels.h" #include "session.h" +#include "servconf.h" /* Imports */ extern int compat20; @@ -207,7 +208,8 @@ mm_getpwnamallow(const char *username) { Buffer m; struct passwd *pw; - u_int pwlen; + u_int len; + ServerOptions *newopts; debug3("%s entering", __func__); @@ -223,8 +225,8 @@ mm_getpwnamallow(const char *username) buffer_free(&m); return (NULL); } - pw = buffer_get_string(&m, &pwlen); - if (pwlen != sizeof(struct passwd)) + pw = buffer_get_string(&m, &len); + if (len != sizeof(struct passwd)) fatal("%s: struct passwd size mismatch", __func__); pw->pw_name = buffer_get_string(&m, NULL); pw->pw_passwd = buffer_get_string(&m, NULL); @@ -234,6 +236,16 @@ mm_getpwnamallow(const char *username) #endif pw->pw_dir = buffer_get_string(&m, NULL); pw->pw_shell = buffer_get_string(&m, NULL); + + /* copy options block as a Match directive may have changed some */ + newopts = buffer_get_string(&m, &len); + if (len != sizeof(*newopts)) + fatal("%s: option block size mismatch", __func__); + if (newopts->banner != NULL) + newopts->banner = buffer_get_string(&m, NULL); + copy_set_server_options(&options, newopts, 1); + xfree(newopts); + buffer_free(&m); return (pw); diff --git a/crypto/openssh-4/openbsd-compat/getrrsetbyname.c b/crypto/openssh-4/openbsd-compat/getrrsetbyname.c index 6c86e02c2a..07231d005f 100644 --- a/crypto/openssh-4/openbsd-compat/getrrsetbyname.c +++ b/crypto/openssh-4/openbsd-compat/getrrsetbyname.c @@ -303,10 +303,12 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, } /* allocate memory for signatures */ - rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo)); - if (rrset->rri_sigs == NULL) { - result = ERRSET_NOMEMORY; - goto fail; + if (rrset->rri_nsigs > 0) { + rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo)); + if (rrset->rri_sigs == NULL) { + result = ERRSET_NOMEMORY; + goto fail; + } } /* copy answers & signatures */ diff --git a/crypto/openssh-4/openbsd-compat/openssl-compat.h b/crypto/openssh-4/openbsd-compat/openssl-compat.h index c582cd269f..9b5ccff5fa 100644 --- a/crypto/openssh-4/openbsd-compat/openssl-compat.h +++ b/crypto/openssh-4/openbsd-compat/openssl-compat.h @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.h,v 1.6 2006/02/22 11:24:47 dtucker Exp $ */ +/* $Id: openssl-compat.h,v 1.7 2007/03/05 07:25:20 dtucker Exp $ */ /* * Copyright (c) 2005 Darren Tucker @@ -46,6 +46,11 @@ extern const EVP_CIPHER *evp_acss(void); # endif #endif +/* OpenSSL 0.9.8e returns cipher key len not context key len */ +#if (OPENSSL_VERSION_NUMBER == 0x0090805fL) +# define EVP_CIPHER_CTX_key_length(c) ((c)->key_len) +#endif + /* * We overload some of the OpenSSL crypto functions with ssh_* equivalents * which cater for older and/or less featureful OpenSSL version. diff --git a/crypto/openssh-4/packet.c b/crypto/openssh-4/packet.c index ab5a01002a..7d8fab1e90 100644 --- a/crypto/openssh-4/packet.c +++ b/crypto/openssh-4/packet.c @@ -47,7 +47,6 @@ # include #endif -#include #include #include #include diff --git a/crypto/openssh-4/readconf.c b/crypto/openssh-4/readconf.c index 4cacf60263..2485146a00 100644 --- a/crypto/openssh-4/readconf.c +++ b/crypto/openssh-4/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.159 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: readconf.c,v 1.161 2007/01/21 01:45:35 stevesk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -364,7 +364,7 @@ parse_time: if ((value = convtime(arg)) == -1) fatal("%s line %d: invalid time value.", filename, linenum); - if (*intptr == -1) + if (*activep && *intptr == -1) *intptr = value; break; @@ -545,7 +545,7 @@ parse_yesnoask: if (*intptr >= SSH_MAX_IDENTITY_FILES) fatal("%.200s line %d: Too many identity files specified (max %d).", filename, linenum, SSH_MAX_IDENTITY_FILES); - charptr = &options->identity_files[*intptr]; + charptr = &options->identity_files[*intptr]; *charptr = xstrdup(arg); *intptr = *intptr + 1; } diff --git a/crypto/openssh-4/scp.c b/crypto/openssh-4/scp.c index 56a3e79ffa..a52aaeb12f 100644 --- a/crypto/openssh-4/scp.c +++ b/crypto/openssh-4/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.155 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: scp.c,v 1.156 2007/01/22 13:06:21 djm Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -380,7 +380,7 @@ main(int argc, char **argv) if ((pwd = getpwuid(userid = getuid())) == NULL) fatal("unknown user %u", (u_int) userid); - if (!isatty(STDERR_FILENO)) + if (!isatty(STDOUT_FILENO)) showprogress = 0; remin = STDIN_FILENO; diff --git a/crypto/openssh-4/servconf.c b/crypto/openssh-4/servconf.c index 1f80de22d3..1e3c213a52 100644 --- a/crypto/openssh-4/servconf.c +++ b/crypto/openssh-4/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.165 2006/08/14 12:40:25 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.170 2007/03/01 10:28:02 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -325,14 +325,14 @@ static struct { { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, { "loglevel", sLogLevel, SSHCFG_GLOBAL }, { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, - { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL }, - { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_GLOBAL }, + { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL }, + { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL }, - { "rsaauthentication", sRSAAuthentication, SSHCFG_GLOBAL }, - { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, + { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, + { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ #ifdef KRB5 - { "kerberosauthentication", sKerberosAuthentication, SSHCFG_GLOBAL }, + { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL }, { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL }, { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL }, #ifdef USE_AFS @@ -341,7 +341,7 @@ static struct { { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif #else - { "kerberosauthentication", sUnsupported, SSHCFG_GLOBAL }, + { "kerberosauthentication", sUnsupported, SSHCFG_ALL }, { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL }, { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, @@ -349,14 +349,14 @@ static struct { { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, #ifdef GSSAPI - { "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL }, + { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, #else - { "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL }, + { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, #endif - { "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL }, - { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL }, + { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, + { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ { "checkmail", sDeprecated, SSHCFG_GLOBAL }, @@ -389,7 +389,7 @@ static struct { { "subsystem", sSubsystem, SSHCFG_GLOBAL }, { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL }, - { "banner", sBanner, SSHCFG_GLOBAL }, + { "banner", sBanner, SSHCFG_ALL }, { "usedns", sUseDNS, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, @@ -968,7 +968,7 @@ parse_flag: else fatal("%s line %d: Bad yes/no/clientspecified " "argument: %s", filename, linenum, arg); - if (*intptr == -1) + if (*activep && *intptr == -1) *intptr = value; break; @@ -1220,13 +1220,16 @@ parse_flag: if (!arg || *arg == '\0') fatal("%s line %d: missing PermitOpen specification", filename, linenum); + n = options->num_permitted_opens; /* modified later */ if (strcmp(arg, "any") == 0) { - if (*activep) { + if (*activep && n == -1) { channel_clear_adm_permitted_opens(); options->num_permitted_opens = 0; } break; } + if (*activep && n == -1) + channel_clear_adm_permitted_opens(); for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { p = hpdelim(&arg); if (p == NULL) @@ -1236,11 +1239,9 @@ parse_flag: if (arg == NULL || (port = a2port(arg)) == 0) fatal("%s line %d: bad port number in " "PermitOpen", filename, linenum); - if (*activep && options->num_permitted_opens == -1) { - channel_clear_adm_permitted_opens(); + if (*activep && n == -1) options->num_permitted_opens = channel_add_adm_permitted_opens(p, port); - } } break; @@ -1316,30 +1317,55 @@ parse_server_match_config(ServerOptions *options, const char *user, initialize_server_options(&mo); parse_server_config(&mo, "reprocess config", &cfg, user, host, address); - copy_set_server_options(options, &mo); + copy_set_server_options(options, &mo, 0); } -/* Copy any (supported) values that are set */ +/* Helper macros */ +#define M_CP_INTOPT(n) do {\ + if (src->n != -1) \ + dst->n = src->n; \ +} while (0) +#define M_CP_STROPT(n) do {\ + if (src->n != NULL) { \ + if (dst->n != NULL) \ + xfree(dst->n); \ + dst->n = src->n; \ + } \ +} while(0) + +/* + * Copy any supported values that are set. + * + * If the preauth flag is set, we do not bother copying the the string or + * array values that are not used pre-authentication, because any that we + * do use must be explictly sent in mm_getpwnamallow(). + */ void -copy_set_server_options(ServerOptions *dst, ServerOptions *src) +copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) { - if (src->allow_tcp_forwarding != -1) - dst->allow_tcp_forwarding = src->allow_tcp_forwarding; - if (src->gateway_ports != -1) - dst->gateway_ports = src->gateway_ports; - if (src->adm_forced_command != NULL) { - if (dst->adm_forced_command != NULL) - xfree(dst->adm_forced_command); - dst->adm_forced_command = src->adm_forced_command; - } - if (src->x11_display_offset != -1) - dst->x11_display_offset = src->x11_display_offset; - if (src->x11_forwarding != -1) - dst->x11_forwarding = src->x11_forwarding; - if (src->x11_use_localhost != -1) - dst->x11_use_localhost = src->x11_use_localhost; + M_CP_INTOPT(password_authentication); + M_CP_INTOPT(gss_authentication); + M_CP_INTOPT(rsa_authentication); + M_CP_INTOPT(pubkey_authentication); + M_CP_INTOPT(kerberos_authentication); + M_CP_INTOPT(hostbased_authentication); + M_CP_INTOPT(kbd_interactive_authentication); + + M_CP_INTOPT(allow_tcp_forwarding); + M_CP_INTOPT(gateway_ports); + M_CP_INTOPT(x11_display_offset); + M_CP_INTOPT(x11_forwarding); + M_CP_INTOPT(x11_use_localhost); + + M_CP_STROPT(banner); + if (preauth) + return; + M_CP_STROPT(adm_forced_command); } +#undef M_CP_INTOPT +#undef M_CP_STROPT + void parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, const char *user, const char *host, const char *address) @@ -1361,4 +1387,8 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, if (bad_options > 0) fatal("%s: terminating, %d bad configuration options", filename, bad_options); + + /* challenge-response is implemented via keyboard interactive */ + if (options->challenge_response_authentication == 1) + options->kbd_interactive_authentication = 1; } diff --git a/crypto/openssh-4/servconf.h b/crypto/openssh-4/servconf.h index ad496f64b9..8a5b950ea0 100644 --- a/crypto/openssh-4/servconf.h +++ b/crypto/openssh-4/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.79 2006/08/14 12:40:25 dtucker Exp $ */ +/* $OpenBSD: servconf.h,v 1.80 2007/02/19 10:45:58 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -152,6 +152,6 @@ void parse_server_config(ServerOptions *, const char *, Buffer *, const char *, const char *, const char *); void parse_server_match_config(ServerOptions *, const char *, const char *, const char *); -void copy_set_server_options(ServerOptions *, ServerOptions *); +void copy_set_server_options(ServerOptions *, ServerOptions *, int); #endif /* SERVCONF_H */ diff --git a/crypto/openssh-4/serverloop.c b/crypto/openssh-4/serverloop.c index 69304b5fad..7e373f01bc 100644 --- a/crypto/openssh-4/serverloop.c +++ b/crypto/openssh-4/serverloop.c @@ -280,6 +280,7 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, struct timeval tv, *tvp; int ret; int client_alive_scheduled = 0; + int program_alive_scheduled = 0; /* * if using client_alive, set the max timeout accordingly, @@ -317,6 +318,7 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, * the client, try to get some more data from the program. */ if (packet_not_very_much_data_to_write()) { + program_alive_scheduled = child_terminated; if (!fdout_eof) FD_SET(fdout, *readsetp); if (!fderr_eof) @@ -362,8 +364,16 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, memset(*writesetp, 0, *nallocp); if (errno != EINTR) error("select: %.100s", strerror(errno)); - } else if (ret == 0 && client_alive_scheduled) - client_alive_check(); + } else { + if (ret == 0 && client_alive_scheduled) + client_alive_check(); + if (!compat20 && program_alive_scheduled && fdin_is_tty) { + if (!fdout_eof) + FD_SET(fdout, *readsetp); + if (!fderr_eof) + FD_SET(fderr, *readsetp); + } + } notify_done(*readsetp); } @@ -407,7 +417,8 @@ process_input(fd_set *readset) if (!fdout_eof && FD_ISSET(fdout, readset)) { errno = 0; len = read(fdout, buf, sizeof(buf)); - if (len < 0 && (errno == EINTR || errno == EAGAIN)) { + if (len < 0 && (errno == EINTR || + (errno == EAGAIN && !child_terminated))) { /* do nothing */ #ifndef PTY_ZEROREAD } else if (len <= 0) { @@ -425,7 +436,8 @@ process_input(fd_set *readset) if (!fderr_eof && FD_ISSET(fderr, readset)) { errno = 0; len = read(fderr, buf, sizeof(buf)); - if (len < 0 && (errno == EINTR || errno == EAGAIN)) { + if (len < 0 && (errno == EINTR || + (errno == EAGAIN && !child_terminated))) { /* do nothing */ #ifndef PTY_ZEROREAD } else if (len <= 0) { diff --git a/crypto/openssh-4/session.c b/crypto/openssh-4/session.c index 69153ad1e3..4c97c4a7dd 100644 --- a/crypto/openssh-4/session.c +++ b/crypto/openssh-4/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.220 2006/10/09 23:36:11 djm Exp $ */ +/* $OpenBSD: session.c,v 1.221 2007/01/21 01:41:54 stevesk Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -2027,7 +2027,7 @@ session_input_channel_req(Channel *c, const char *rtype) } else if (strcmp(rtype, "exec") == 0) { success = session_exec_req(s); } else if (strcmp(rtype, "pty-req") == 0) { - success = session_pty_req(s); + success = session_pty_req(s); } else if (strcmp(rtype, "x11-req") == 0) { success = session_x11_req(s); } else if (strcmp(rtype, "auth-agent-req@openssh.com") == 0) { @@ -2152,7 +2152,7 @@ session_close_single_x11(int id, void *arg) debug3("session_close_single_x11: channel %d", id); channel_cancel_cleanup(id); - if ((s = session_by_x11_channel(id)) == NULL) + if ((s = session_by_x11_channel(id)) == NULL) fatal("session_close_single_x11: no x11 channel %d", id); for (i = 0; s->x11_chanids[i] != -1; i++) { debug("session_close_single_x11: session %d: " diff --git a/crypto/openssh-4/sftp-client.c b/crypto/openssh-4/sftp-client.c index 42eb2b41bf..2746f32457 100644 --- a/crypto/openssh-4/sftp-client.c +++ b/crypto/openssh-4/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.75 2006/10/22 02:25:50 djm Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.76 2007/01/22 11:32:50 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1140,6 +1140,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, close(local_fd); xfree(data); xfree(ack); + status = -1; goto done; } debug3("In write loop, ack for %u %u bytes at %llu", diff --git a/crypto/openssh-4/sftp-server.c b/crypto/openssh-4/sftp-server.c index c57958b0f3..64777beffd 100644 --- a/crypto/openssh-4/sftp-server.c +++ b/crypto/openssh-4/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.70 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.71 2007/01/03 07:22:36 stevesk Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * @@ -663,7 +663,7 @@ process_fstat(void) debug("request %u: fstat \"%s\" (handle %u)", id, handle_to_name(handle), handle); fd = handle_to_fd(handle); - if (fd >= 0) { + if (fd >= 0) { ret = fstat(fd, &st); if (ret < 0) { status = errno_to_portable(errno); diff --git a/crypto/openssh-4/sftp.c b/crypto/openssh-4/sftp.c index a39c782f70..f0d5dd557e 100644 --- a/crypto/openssh-4/sftp.c +++ b/crypto/openssh-4/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.93 2006/09/30 17:48:22 ray Exp $ */ +/* $OpenBSD: sftp.c,v 1.96 2007/01/03 04:09:15 stevesk Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -166,6 +166,7 @@ static const struct CMD cmds[] = { int interactive_loop(int fd_in, int fd_out, char *file1, char *file2); +/* ARGSUSED */ static void killchild(int signo) { @@ -177,6 +178,7 @@ killchild(int signo) _exit(1); } +/* ARGSUSED */ static void cmd_interrupt(int signo) { @@ -298,11 +300,11 @@ static char * path_append(char *p1, char *p2) { char *ret; - int len = strlen(p1) + strlen(p2) + 2; + size_t len = strlen(p1) + strlen(p2) + 2; ret = xmalloc(len); strlcpy(ret, p1, len); - if (p1[strlen(p1) - 1] != '/') + if (p1[0] != '\0' && p1[strlen(p1) - 1] != '/') strlcat(ret, "/", len); strlcat(ret, p2, len); @@ -1566,7 +1568,7 @@ main(int argc, char **argv) fprintf(stderr, "Missing username\n"); usage(); } - addargs(&args, "-l%s",userhost); + addargs(&args, "-l%s", userhost); } if ((cp = colon(host)) != NULL) { diff --git a/crypto/openssh-4/ssh-agent.c b/crypto/openssh-4/ssh-agent.c index ef95eb878f..a3a867c33b 100644 --- a/crypto/openssh-4/ssh-agent.c +++ b/crypto/openssh-4/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.153 2006/10/06 02:29:19 djm Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.154 2007/02/28 00:55:30 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -434,6 +434,7 @@ reaper(void) for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) { nxt = TAILQ_NEXT(id, next); if (id->death != 0 && now >= id->death) { + debug("expiring key '%s'", id->comment); TAILQ_REMOVE(&tab->idlist, id, next); free_identity(id); tab->nentries--; @@ -698,9 +699,6 @@ process_message(SocketEntry *e) u_int msg_len, type; u_char *cp; - /* kill dead keys */ - reaper(); - if (buffer_len(&e->input) < 5) return; /* Incomplete message. */ cp = buffer_ptr(&e->input); @@ -1016,7 +1014,7 @@ int main(int ac, char **av) { int c_flag = 0, d_flag = 0, k_flag = 0, s_flag = 0; - int sock, fd, ch; + int sock, fd, ch, result, saved_errno; u_int nalloc; char *shell, *format, *pidstr, *agentsocket = NULL; fd_set *readsetp = NULL, *writesetp = NULL; @@ -1029,6 +1027,7 @@ main(int ac, char **av) extern char *optarg; pid_t pid; char pidstrbuf[1 + 3 * sizeof pid]; + struct timeval tv; /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); @@ -1242,13 +1241,18 @@ skip: nalloc = 0; while (1) { + tv.tv_sec = 10; + tv.tv_usec = 0; prepare_select(&readsetp, &writesetp, &max_fd, &nalloc); - if (select(max_fd + 1, readsetp, writesetp, NULL, NULL) < 0) { - if (errno == EINTR) + result = select(max_fd + 1, readsetp, writesetp, NULL, &tv); + saved_errno = errno; + reaper(); /* remove expired keys */ + if (result < 0) { + if (saved_errno == EINTR) continue; - fatal("select: %s", strerror(errno)); - } - after_select(readsetp, writesetp); + fatal("select: %s", strerror(saved_errno)); + } else if (result > 0) + after_select(readsetp, writesetp); } /* NOTREACHED */ } diff --git a/crypto/openssh-4/ssh-keygen.1 b/crypto/openssh-4/ssh-keygen.1 index ab16bcd777..5a8c8c4715 100644 --- a/crypto/openssh-4/ssh-keygen.1 +++ b/crypto/openssh-4/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.72 2005/11/28 05:16:53 dtucker Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.74 2007/01/12 20:20:41 jmc Exp $ .\" .\" -*- nroff -*- .\" @@ -205,8 +205,8 @@ Download the RSA public key stored in the smartcard in .Ar reader . .It Fl e This option will read a private or public OpenSSH key file and -print the key in a -.Sq SECSH Public Key File Format +print the key in +RFC 4716 SSH Public Key File Format to stdout. This option allows exporting keys for use by several commercial SSH implementations. @@ -253,7 +253,7 @@ in SSH2-compatible format and print an OpenSSH compatible private (or public) key to stdout. .Nm also reads the -.Sq SECSH Public Key File Format . +RFC 4716 SSH Public Key File Format. This option allows importing keys from several commercial SSH implementations. .It Fl l @@ -450,12 +450,9 @@ The file format is described in .Xr moduli 5 , .Xr sshd 8 .Rs -.%A J. Galbraith -.%A R. Thayer -.%T "SECSH Public Key File Format" -.%N draft-ietf-secsh-publickeyfile-01.txt -.%D March 2001 -.%O work in progress material +.%R RFC 4716 +.%T "The Secure Shell (SSH) Public Key File Format" +.%D 2006 .Re .Sh AUTHORS OpenSSH is a derivative of the original and free diff --git a/crypto/openssh-4/ssh-keygen.c b/crypto/openssh-4/ssh-keygen.c index 1f42b93585..04a9b939ad 100644 --- a/crypto/openssh-4/ssh-keygen.c +++ b/crypto/openssh-4/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.155 2006/11/06 21:25:28 markus Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.160 2007/01/21 01:41:54 stevesk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -241,7 +241,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) buffer_init(&b); buffer_append(&b, blob, blen); - magic = buffer_get_int(&b); + magic = buffer_get_int(&b); if (magic != SSH_COM_PRIVATE_KEY_MAGIC) { error("bad magic 0x%x != 0x%x", magic, SSH_COM_PRIVATE_KEY_MAGIC); buffer_free(&b); @@ -253,7 +253,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) i2 = buffer_get_int(&b); i3 = buffer_get_int(&b); i4 = buffer_get_int(&b); - debug("ignore (%d %d %d %d)", i1,i2,i3,i4); + debug("ignore (%d %d %d %d)", i1, i2, i3, i4); if (strcmp(cipher, "none") != 0) { error("unsupported cipher %s", cipher); xfree(cipher); @@ -284,7 +284,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) buffer_get_bignum_bits(&b, key->dsa->priv_key); break; case KEY_RSA: - e = buffer_get_char(&b); + e = buffer_get_char(&b); debug("e %lx", e); if (e < 30) { e <<= 8; @@ -346,9 +346,8 @@ get_line(FILE *fp, char *line, size_t len) line[pos++] = c; line[pos] = '\0'; } - if (c == EOF) - return -1; - return pos; + /* We reached EOF */ + return -1; } static void @@ -554,7 +553,7 @@ do_fingerprint(struct passwd *pw) for (cp = line; *cp == ' ' || *cp == '\t'; cp++) ; if (!*cp || *cp == '\n' || *cp == '#') - continue ; + continue; i = strtol(cp, &ep, 10); if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) { int quoted = 0; @@ -1017,13 +1016,13 @@ usage(void) #ifdef SMARTCARD fprintf(stderr, " -D reader Download public key from smartcard.\n"); #endif /* SMARTCARD */ - fprintf(stderr, " -e Convert OpenSSH to IETF SECSH key file.\n"); + fprintf(stderr, " -e Convert OpenSSH to RFC 4716 key file.\n"); fprintf(stderr, " -F hostname Find hostname in known hosts file.\n"); fprintf(stderr, " -f filename Filename of the key file.\n"); fprintf(stderr, " -G file Generate candidates for DH-GEX moduli.\n"); fprintf(stderr, " -g Use generic DNS resource record format.\n"); fprintf(stderr, " -H Hash names in known_hosts file.\n"); - fprintf(stderr, " -i Convert IETF SECSH to OpenSSH key file.\n"); + fprintf(stderr, " -i Convert RFC 4716 to OpenSSH key file.\n"); fprintf(stderr, " -l Show fingerprint of key file.\n"); fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n"); fprintf(stderr, " -N phrase Provide new passphrase.\n"); @@ -1049,7 +1048,7 @@ usage(void) * Main program for key management. */ int -main(int ac, char **av) +main(int argc, char **argv) { char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2; char out_file[MAXPATHLEN], *reader_id = NULL; @@ -1071,10 +1070,10 @@ main(int ac, char **av) /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); - __progname = ssh_get_progname(av[0]); + __progname = ssh_get_progname(argv[0]); SSLeay_add_all_algorithms(); - log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); + log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); init_rng(); seed_rng(); @@ -1090,7 +1089,7 @@ main(int ac, char **av) exit(1); } - while ((opt = getopt(ac, av, + while ((opt = getopt(argc, argv, "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) { switch (opt) { case 'b': @@ -1223,9 +1222,9 @@ main(int ac, char **av) } /* reinit */ - log_init(av[0], log_level, SYSLOG_FACILITY_USER, 1); + log_init(argv[0], log_level, SYSLOG_FACILITY_USER, 1); - if (optind < ac) { + if (optind < argc) { printf("Too many arguments.\n"); usage(); } diff --git a/crypto/openssh-4/ssh.1 b/crypto/openssh-4/ssh.1 index 93be52f96b..b87ab41716 100644 --- a/crypto/openssh-4/ssh.1 +++ b/crypto/openssh-4/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.265 2006/10/28 18:08:10 otto Exp $ +.\" $OpenBSD: ssh.1,v 1.266 2006/12/11 21:25:46 markus Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -1418,6 +1418,11 @@ manual page for more information. .%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol" .%D 2006 .Re +.Rs +.%R RFC 4716 +.%T "The Secure Shell (SSH) Public Key File Format" +.%D 2006 +.Re .Sh AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. diff --git a/crypto/openssh-4/ssh.c b/crypto/openssh-4/ssh.c index 47297edbb3..cfaa1ff227 100644 --- a/crypto/openssh-4/ssh.c +++ b/crypto/openssh-4/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.294 2006/10/06 02:29:19 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.295 2007/01/03 03:01:40 stevesk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -614,7 +614,7 @@ main(int ac, char **av) if (!read_config_file(config, host, &options, 0)) fatal("Can't open user config file %.100s: " "%.100s", config, strerror(errno)); - } else { + } else { snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, _PATH_SSH_USER_CONFFILE); (void)read_config_file(buf, host, &options, 1); diff --git a/crypto/openssh-4/ssh_config.5 b/crypto/openssh-4/ssh_config.5 index 20c58934ad..c1ad53dcfa 100644 --- a/crypto/openssh-4/ssh_config.5 +++ b/crypto/openssh-4/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.97 2006/07/27 08:00:50 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.98 2007/01/10 13:23:22 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -42,10 +42,8 @@ .Nm ssh_config .Nd OpenSSH SSH client configuration files .Sh SYNOPSIS -.Bl -tag -width Ds -compact -.It Pa ~/.ssh/config -.It Pa /etc/ssh/ssh_config -.El +.Nm ~/.ssh/config +.Nm /etc/ssh/ssh_config .Sh DESCRIPTION .Xr ssh 1 obtains configuration data from the following sources in diff --git a/crypto/openssh-4/sshd.c b/crypto/openssh-4/sshd.c index 4aa1c98ed4..0a76f2d3ac 100644 --- a/crypto/openssh-4/sshd.c +++ b/crypto/openssh-4/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.348 2006/11/06 21:25:28 markus Exp $ */ +/* $OpenBSD: sshd.c,v 1.349 2007/02/21 11:00:05 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -305,6 +305,7 @@ sighup_restart(void) logit("Received SIGHUP; restarting."); close_listen_socks(); close_startup_pipes(); + alarm(0); /* alarm timer persists across exec */ execv(saved_argv[0], saved_argv); logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0], strerror(errno)); diff --git a/crypto/openssh-4/sshd_config.5 b/crypto/openssh-4/sshd_config.5 index 2bcaf22454..af12214456 100644 --- a/crypto/openssh-4/sshd_config.5 +++ b/crypto/openssh-4/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.70 2006/08/21 08:14:01 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.74 2007/03/01 16:19:33 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -42,9 +42,7 @@ .Nm sshd_config .Nd OpenSSH SSH daemon configuration file .Sh SYNOPSIS -.Bl -tag -width Ds -compact -.It Pa /etc/ssh/sshd_config -.El +.Nm /etc/ssh/sshd_config .Sh DESCRIPTION .Xr sshd 8 reads configuration data from @@ -514,9 +512,16 @@ Only a subset of keywords may be used on the lines following a keyword. Available keywords are .Cm AllowTcpForwarding , +.Cm Banner , .Cm ForceCommand , .Cm GatewayPorts , +.Cm GSSApiAuthentication , +.Cm KbdInteractiveAuthentication , +.Cm KerberosAuthentication , +.Cm PasswordAuthentication , .Cm PermitOpen , +.Cm RhostsRSAAuthentication , +.Cm RSAAuthentication , .Cm X11DisplayOffset , .Cm X11Forwarding , and