- Merged yet more changes from OpenBSD CVS
   - [auth-rh-rsa.c auth-rhosts.c auth-rsa.c channels.c clientloop.c]
     [ssh.c ssh.h sshconnect.c sshd.c]
     make all access to options via 'extern Options options'
     and 'extern ServerOptions options' respectively;
     options are no longer passed as arguments:
      * make options handling more consistent
      * remove #include "readconf.h" from ssh.h
      * readconf.h is only included if necessary
   - [mpaux.c] clear temp buffer
   - [servconf.c] print _all_ bad options found in configfile
diff --git a/sshconnect.c b/sshconnect.c
index a16e25a..80e4aff 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -16,7 +16,7 @@
 
 #include "config.h"
 #include "includes.h"
-RCSID("$Id: sshconnect.c,v 1.5 1999/11/08 23:35:52 damien Exp $");
+RCSID("$Id: sshconnect.c,v 1.6 1999/11/12 04:19:27 damien Exp $");
 
 #ifdef HAVE_OPENSSL
 #include <openssl/bn.h>
@@ -36,7 +36,7 @@
 #include "mpaux.h"
 #include "uidswap.h"
 #include "compat.h"
-
+#include "readconf.h"
 
 /* Session id for the current session. */
 unsigned char session_id[16];
@@ -486,9 +486,9 @@
    the user using it. */
 
 int
-try_rsa_authentication(struct passwd *pw, const char *authfile,
-		       int may_ask_passphrase)
+try_rsa_authentication(struct passwd *pw, const char *authfile)
 {
+  extern Options options;
   BIGNUM *challenge;
   RSA *private_key;
   RSA *public_key;
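Review bot: The block-scope `extern Options options;` added at the top of try_rsa_authentication, and again in the hunk at -1014 that drops the `Options *options` parameter, is repeated by hand in each function, so nothing ties its type to the definition. The commit message says the server side uses `extern ServerOptions options` under the same name; a file that picked the wrong type would probably still compile and link without a diagnostic. Since this commit already adds `#include "readconf.h"` here, a single `extern Options options;` in that header would let the compiler check every use against one declaration. try_rsa_authentication's body continues outside the hunk.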
@@ -550,7 +550,7 @@
 	 return. */
       snprintf(buf, sizeof buf,
 	"Enter passphrase for RSA key '%.100s': ", comment);
-      if (may_ask_passphrase)
+      if (!options.batch_mode)
 	passphrase = read_passphrase(buf, 0);
       else
 	{
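Review bot: With the `may_ask_passphrase` parameter removed, neither the signature nor the call site shows that this function may stop at a terminal prompt; the decision is now hidden in `if (!options.batch_mode)`. I would add a comment at the branch, such as `/* Prompt for the passphrase only when options.batch_mode is off. */`, and repeat the point in the function's header comment, which lies outside the hunk. The else branch is cut off at the end of the hunk, so its handling of the no-prompt case cannot be reviewed from here.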
@@ -1014,8 +1014,9 @@
 	       RSA *own_host_key,
 	       const char *orighost, 
 	       struct sockaddr_in *hostaddr,
-	       Options *options, uid_t original_real_uid)
+	       uid_t original_real_uid)
 {
+  extern Options options;
   int i, type;
   char *password;
   struct passwd *pw;
@@ -1035,7 +1036,7 @@
   int payload_len, clen, sum_len = 0;
   u_int32_t rand = 0;
 
-  if (options->check_host_ip)
+  if (options.check_host_ip)
     ip = xstrdup(inet_ntoa(hostaddr->sin_addr));
 
   /* Convert the user-supplied hostname into all lowercase. */
@@ -1056,7 +1057,7 @@
   if (!pw)
     fatal("User id %d not found from user database.", original_real_uid);
   local_user = xstrdup(pw->pw_name);
-  server_user = options->user ? options->user : local_user;
+  server_user = options.user ? options.user : local_user;
 
   debug("Waiting for server public key.");
 
@@ -1132,12 +1133,12 @@
 
   /* Check if the host key is present in the user\'s list of known hosts
      or in the systemwide list. */
-  host_status = check_host_in_hostfile(options->user_hostfile, 
+  host_status = check_host_in_hostfile(options.user_hostfile, 
 				       host, BN_num_bits(host_key->n), 
 				       host_key->e, host_key->n,
 				       file_key->e, file_key->n);
   if (host_status == HOST_NEW)
-    host_status = check_host_in_hostfile(options->system_hostfile, host, 
+    host_status = check_host_in_hostfile(options.system_hostfile, host, 
 					 BN_num_bits(host_key->n),
 					 host_key->e, host_key->n,
 					 file_key->e, file_key->n);
@@ -1154,17 +1155,17 @@
 
   /* Also perform check for the ip address, skip the check if we are
      localhost or the hostname was an ip address to begin with */
-  if (options->check_host_ip && !local && strcmp(host, ip)) {
+  if (options.check_host_ip && !local && strcmp(host, ip)) {
     RSA *ip_key = RSA_new();
     ip_key->n = BN_new();
     ip_key->e = BN_new();
-    ip_status = check_host_in_hostfile(options->user_hostfile, ip,
+    ip_status = check_host_in_hostfile(options.user_hostfile, ip,
 				       BN_num_bits(host_key->n),
 				       host_key->e, host_key->n,
 				       ip_key->e, ip_key->n);
 
     if (ip_status == HOST_NEW)
-      ip_status = check_host_in_hostfile(options->system_hostfile, ip,
+      ip_status = check_host_in_hostfile(options.system_hostfile, ip,
 					 BN_num_bits(host_key->n),
 					 host_key->e, host_key->n,
 					 ip_key->e, ip_key->n);
@@ -1183,13 +1184,13 @@
   case HOST_OK:
     /* The host is known and the key matches. */
     debug("Host '%.200s' is known and matches the host key.", host);
-    if (options->check_host_ip) {
+    if (options.check_host_ip) {
       if (ip_status == HOST_NEW) {
-	if (!add_host_to_hostfile(options->user_hostfile, ip,
+	if (!add_host_to_hostfile(options.user_hostfile, ip,
 				  BN_num_bits(host_key->n), 
 				  host_key->e, host_key->n))
 	  log("Failed to add the host ip to the list of known hosts (%.30s).", 
-	      options->user_hostfile);
+	      options.user_hostfile);
 	else
 	  log("Warning: Permanently added host ip '%.30s' to the list of known hosts.", ip);
       } else if (ip_status != HOST_OK)
@@ -1201,12 +1202,12 @@
     {
       char hostline[1000], *hostp = hostline;
       /* The host is new. */
-      if (options->strict_host_key_checking == 1) {
+      if (options.strict_host_key_checking == 1) {
 	/* User has requested strict host key checking.  We will not
 	   add the host key automatically.  The only alternative left
 	   is to abort. */
 	fatal("No host key is known for %.200s and you have requested strict checking.", host);
-      } else if (options->strict_host_key_checking == 2) { /* The default */
+      } else if (options.strict_host_key_checking == 2) { /* The default */
 	char prompt[1024];
 	snprintf(prompt, sizeof(prompt),
 		 "The authenticity of host '%.200s' can't be established.\n"
@@ -1216,25 +1217,25 @@
 	  fatal("Aborted by user!\n");
       }
       
-      if (options->check_host_ip && ip_status == HOST_NEW && strcmp(host, ip))
+      if (options.check_host_ip && ip_status == HOST_NEW && strcmp(host, ip))
 	snprintf(hostline, sizeof(hostline), "%s,%s", host, ip);
       else
 	hostp = host;
       
       /* If not in strict mode, add the key automatically to the local
 	 known_hosts file. */
-      if (!add_host_to_hostfile(options->user_hostfile, hostp,
+      if (!add_host_to_hostfile(options.user_hostfile, hostp,
 				BN_num_bits(host_key->n), 
 				host_key->e, host_key->n))
 	log("Failed to add the host to the list of known hosts (%.500s).", 
-	    options->user_hostfile);
+	    options.user_hostfile);
       else
 	log("Warning: Permanently added '%.200s' to the list of known hosts.",
 	    hostp);
       break;
     }
   case HOST_CHANGED:
-    if (options->check_host_ip) {
+    if (options.check_host_ip) {
       if (host_ip_differ) {
 	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
 	error("@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @");
@@ -1256,23 +1257,23 @@
     error("It is also possible that the host key has just been changed.");
     error("Please contact your system administrator.");
     error("Add correct host key in %.100s to get rid of this message.", 
-	  options->user_hostfile);
+	  options.user_hostfile);
     
     /* If strict host key checking is in use, the user will have to edit
        the key manually and we can only abort. */
-    if (options->strict_host_key_checking)
+    if (options.strict_host_key_checking)
       fatal("Host key for %.200s has changed and you have requested strict checking.", host);
     
     /* If strict host key checking has not been requested, allow the
        connection but without password authentication or
        agent forwarding. */
-    if (options->password_authentication) {
+    if (options.password_authentication) {
       error("Password authentication is disabled to avoid trojan horses.");
-      options->password_authentication = 0;
+      options.password_authentication = 0;
     }
-    if (options->forward_agent) {
+    if (options.forward_agent) {
       error("Agent forwarding is disabled to avoid trojan horses.");
-      options->forward_agent = 0;
+      options.forward_agent = 0;
     }
     /* XXX Should permit the user to change to use the new id.  This could
        be done by converting the host key to an identifying sentence, tell
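Review bot: After a changed host key with strict checking off, this branch clears only `options.password_authentication` and `options.forward_agent`, while the `#ifdef AFS` hunk further down (apparently the same function) still acts on `options.kerberos_tgt_passing` and `options.afs_token_passing`, both of which hand a credential to the server. As far as the visible lines show, nothing resets those two, so a host that failed the key check would still be sent the ticket and token in an AFS build. I would clear them here as well, inside `#ifdef AFS`: `options.kerberos_tgt_passing = 0; options.afs_token_passing = 0;`. These assignments now change the process-wide `options` rather than a caller-supplied struct, which is worth a one-line comment. The case body continues past the end of the hunk.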
@@ -1281,7 +1282,7 @@
     break;
   }
 
-  if (options->check_host_ip)
+  if (options.check_host_ip)
     xfree(ip);
   
   /* Generate a session key. */
@@ -1344,27 +1345,27 @@
       rsa_public_encrypt(key, key, public_key);
     }
 
-  if (options->cipher == SSH_CIPHER_NOT_SET) {
+  if (options.cipher == SSH_CIPHER_NOT_SET) {
     if (cipher_mask() & supported_ciphers & (1 << ssh_cipher_default))
-      options->cipher = ssh_cipher_default;
+      options.cipher = ssh_cipher_default;
     else {
       debug("Cipher %d not supported, using %.100s instead.",
 	    cipher_name(ssh_cipher_default),
 	    cipher_name(SSH_FALLBACK_CIPHER));
-      options->cipher = SSH_FALLBACK_CIPHER;
+      options.cipher = SSH_FALLBACK_CIPHER;
     }
   }
 
   /* Check that the selected cipher is supported. */
-  if (!(supported_ciphers & (1 << options->cipher)))
+  if (!(supported_ciphers & (1 << options.cipher)))
     fatal("Selected cipher type %.100s not supported by server.", 
-	  cipher_name(options->cipher));
+	  cipher_name(options.cipher));
 
-  debug("Encryption type: %.100s", cipher_name(options->cipher));
+  debug("Encryption type: %.100s", cipher_name(options.cipher));
 
   /* Send the encrypted session key to the server. */
   packet_start(SSH_CMSG_SESSION_KEY);
-  packet_put_char(options->cipher);
+  packet_put_char(options.cipher);
 
   /* Send the check bytes back to the server. */
   for (i = 0; i < 8; i++)
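Review bot: The fallback `debug()` call passes `cipher_name(ssh_cipher_default)` to a `%d` conversion, while every other call in this hunk prints `cipher_name()` with `%.100s`, so the argument does not match the format and the behaviour is undefined. The format should read `"Cipher %.100s not supported, using %.100s instead."`. Separately, `1 << options.cipher` shifts by a value whose range check is not visible here; if it can arrive unvalidated from configuration, it should be bounded before the shift. The `debug()` line is unchanged by this commit but sits in the middle of the code it touches.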
@@ -1390,7 +1391,7 @@
   
   /* Set the encryption key. */
   packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, 
-			    options->cipher, 1);
+			    options.cipher, 1);
 
   /* We will no longer need the session key here.  Destroy any extra copies. */
   memset(session_key, 0, sizeof(session_key));
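Review bot: The `memset(session_key, 0, sizeof(session_key))` after the key hand-off is an ordinary store to a buffer that, going by the comment above it, is not read again, and an optimizing compiler is allowed to drop such a store. If `session_key` is a local array (its declaration is outside the hunk), the key material can then remain on the stack. A clearing call the compiler cannot elide, for example `explicit_bzero(session_key, sizeof(session_key));` where the platform provides it, keeps the intent of the comment.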
@@ -1420,17 +1421,17 @@
 #ifdef AFS
   /* Try Kerberos tgt passing if the server supports it. */
   if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
-      options->kerberos_tgt_passing)
+      options.kerberos_tgt_passing)
     {
-      if (options->cipher == SSH_CIPHER_NONE)
+      if (options.cipher == SSH_CIPHER_NONE)
 	log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
       (void)send_kerberos_tgt();
     }
 
   /* Try AFS token passing if the server supports it. */
   if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
-      options->afs_token_passing && k_hasafs())  {
-    if (options->cipher == SSH_CIPHER_NONE)
+      options.afs_token_passing && k_hasafs())  {
+    if (options.cipher == SSH_CIPHER_NONE)
       log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
     send_afs_tokens();
   }
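Review bot: Both `SSH_CIPHER_NONE` branches only log that the ticket or token will be transmitted in the clear and then send it anyway; the password prompt in the last hunk of this diff follows the same pattern. A log line does not protect a credential that is about to cross the network unencrypted. Consider skipping the send when the cipher is none, by placing `(void)send_kerberos_tgt();` and `send_afs_tokens();` in an `else`, and rewording the messages to match. The `(void)` cast also discards the result of `send_kerberos_tgt()`, so a failed transfer is never reported.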
@@ -1438,7 +1439,7 @@
   
 #ifdef KRB4
   if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
-      options->kerberos_authentication)
+      options.kerberos_authentication)
     {
       debug("Trying Kerberos authentication.");
       if (try_kerberos_authentication()) {
@@ -1455,7 +1456,7 @@
   /* Use rhosts authentication if running in privileged socket and we do not
      wish to remain anonymous. */
   if ((supported_authentications & (1 << SSH_AUTH_RHOSTS)) && 
-      options->rhosts_authentication)
+      options.rhosts_authentication)
     {
       debug("Trying rhosts authentication.");
       packet_start(SSH_CMSG_AUTH_RHOSTS);
@@ -1475,7 +1476,7 @@
   /* Try .rhosts or /etc/hosts.equiv authentication with RSA host 
      authentication. */
   if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) &&
-      options->rhosts_rsa_authentication && host_key_valid)
+      options.rhosts_rsa_authentication && host_key_valid)
     {
       if (try_rhosts_rsa_authentication(local_user, own_host_key))
 	return; /* Successful authentication. */
@@ -1483,7 +1484,7 @@
 
   /* Try RSA authentication if the server supports it. */
   if ((supported_authentications & (1 << SSH_AUTH_RSA)) &&
-      options->rsa_authentication)
+      options.rsa_authentication)
     {
       /* Try RSA authentication using the authentication agent.  The agent
          is tried first because no passphrase is needed for it, whereas
@@ -1492,23 +1493,22 @@
 	return; /* Successful connection. */
 
       /* Try RSA authentication for each identity. */
-      for (i = 0; i < options->num_identity_files; i++)
-	if (try_rsa_authentication(pw, options->identity_files[i],
-				   !options->batch_mode))
+      for (i = 0; i < options.num_identity_files; i++)
+	if (try_rsa_authentication(pw, options.identity_files[i]))
 	  return; /* Successful connection. */
     }
   
   /* Try password authentication if the server supports it. */
   if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) &&
-      options->password_authentication && !options->batch_mode)
+      options.password_authentication && !options.batch_mode)
     {
       char prompt[80];
       snprintf(prompt, sizeof(prompt), "%.30s@%.30s's password: ",
 	server_user, host);
       debug("Doing password authentication.");
-      if (options->cipher == SSH_CIPHER_NONE)
+      if (options.cipher == SSH_CIPHER_NONE)
 	log("WARNING: Encryption is disabled! Password will be transmitted in clear text.");
-      for (i = 0; i < options->number_of_password_prompts; i++) {
+      for (i = 0; i < options.number_of_password_prompts; i++) {
         if (i != 0)
 	  error("Permission denied, please try again.");
 	password = read_passphrase(prompt, 0);