- (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III
<tibbs@math.uh.edu>
- (djm) OpenBSD CVS updates:
- todd@cvs.openbsd.org
[sshconnect2.c]
teach protocol v2 to count login failures properly and also enable an
explanation of why the password prompt comes up again like v1; this is NOT
crypto
- markus@cvs.openbsd.org
[readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8]
xauth_location support; pr 1234
[readconf.c sshconnect2.c]
typo, unused
[session.c]
allow use_login only for login sessions, otherwise remote commands are
execed with uid==0
[sshd.8]
document UseLogin better
[version.h]
OpenSSH 2.1.1
[auth-rsa.c]
fix match_hostname() logic for auth-rsa: deny access if we have a
negative match or no match at all
[channels.c hostfile.c match.c]
don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via
kris@FreeBSD.org
diff --git a/ChangeLog b/ChangeLog
index b404849..997aa31 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,32 @@
20000606
+ - (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III
+ <tibbs@math.uh.edu>
+ - (djm) OpenBSD CVS updates:
+ - todd@cvs.openbsd.org
+ [sshconnect2.c]
+ teach protocol v2 to count login failures properly and also enable an
+ explanation of why the password prompt comes up again like v1; this is NOT
+ crypto
+ - markus@cvs.openbsd.org
+ [readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8]
+ xauth_location support; pr 1234
+ [readconf.c sshconnect2.c]
+ typo, unused
+ [session.c]
+ allow use_login only for login sessions, otherwise remote commands are
+ execed with uid==0
+ [sshd.8]
+ document UseLogin better
+ [version.h]
+ OpenSSH 2.1.1
+ [auth-rsa.c]
+ fix match_hostname() logic for auth-rsa: deny access if we have a
+ negative match or no match at all
+ [channels.c hostfile.c match.c]
+ don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via
+ kris@FreeBSD.org
+
+20000606
- (djm) Added --with-cflags, --with-ldflags and --with-libs options to
configure.
diff --git a/auth-rsa.c b/auth-rsa.c
index 22e3f01..f01c5c9 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -16,7 +16,7 @@
*/
#include "includes.h"
-RCSID("$Id: auth-rsa.c,v 1.19 2000/04/30 00:00:53 damien Exp $");
+RCSID("$Id: auth-rsa.c,v 1.20 2000/06/07 09:55:44 djm Exp $");
#include "rsa.h"
#include "packet.h"
@@ -133,6 +133,7 @@
unsigned long linenum = 0;
struct stat st;
RSA *pk;
+ int mname, mip;
/* Temporarily use the user's uid. */
temporarily_use_uid(pw->pw_uid);
@@ -390,10 +391,17 @@
}
patterns[i] = 0;
options++;
- if (!match_hostname(get_canonical_hostname(), patterns,
- strlen(patterns)) &&
- !match_hostname(get_remote_ipaddr(), patterns,
- strlen(patterns))) {
+ /*
+ * Deny access if we get a negative
+ * match for the hostname or the ip
+ * or if we get not match at all
+ */
+ mname = match_hostname(get_canonical_hostname(),
+ patterns, strlen(patterns));
+ mip = match_hostname(get_remote_ipaddr(),
+ patterns, strlen(patterns));
+ if (mname == -1 || mip == -1 ||
+ (mname != 1 && mip != 1)) {
log("RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
pw->pw_name, get_canonical_hostname(),
get_remote_ipaddr());
diff --git a/channels.c b/channels.c
index f26b3a6..bfa025a 100644
--- a/channels.c
+++ b/channels.c
@@ -17,7 +17,7 @@
*/
#include "includes.h"
-RCSID("$Id: channels.c,v 1.31 2000/05/17 12:34:23 damien Exp $");
+RCSID("$Id: channels.c,v 1.32 2000/06/07 09:55:44 djm Exp $");
#include "ssh.h"
#include "packet.h"
@@ -2113,11 +2113,11 @@
}
/*
- * This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
+ * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
* This starts forwarding authentication requests.
*/
-void
+int
auth_input_request_forwarding(struct passwd * pw)
{
int sock, newch;
@@ -2135,8 +2135,16 @@
strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
/* Create private directory for socket */
- if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL)
- packet_disconnect("mkdtemp: %.100s", strerror(errno));
+ if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) {
+ packet_send_debug("Agent forwarding disabled: mkdtemp() failed: %.100s",
+ strerror(errno));
+ restore_uid();
+ xfree(channel_forwarded_auth_socket_name);
+ xfree(channel_forwarded_auth_socket_dir);
+ channel_forwarded_auth_socket_name = NULL;
+ channel_forwarded_auth_socket_dir = NULL;
+ return 0;
+ }
snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
channel_forwarded_auth_socket_dir, (int) getpid());
@@ -2171,6 +2179,7 @@
xstrdup("auth socket"));
strlcpy(channels[newch].path, channel_forwarded_auth_socket_name,
sizeof(channels[newch].path));
+ return 1;
}
/* This is called to process an SSH_SMSG_AGENT_OPEN message. */
diff --git a/channels.h b/channels.h
index 9763edf..922c5d0 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
-/* RCSID("$Id: channels.h,v 1.9 2000/05/07 02:03:15 damien Exp $"); */
+/* RCSID("$Id: channels.h,v 1.10 2000/06/07 09:55:44 djm Exp $"); */
#ifndef CHANNELS_H
#define CHANNELS_H
@@ -222,10 +222,10 @@
char *auth_get_socket_name(void);
/*
- * This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
+ * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
* This starts forwarding authentication requests.
*/
-void auth_input_request_forwarding(struct passwd * pw);
+int auth_input_request_forwarding(struct passwd * pw);
/* This is called to process an SSH_SMSG_AGENT_OPEN message. */
void auth_input_open_request(int type, int plen);
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index 8b1d098..ff12699 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -152,7 +152,8 @@
CFLAGS="$RPM_OPT_FLAGS" \
./configure --prefix=/usr --sysconfdir=/etc/ssh \
- --with-tcp-wrappers --with-ipv4-default
+ --with-tcp-wrappers --with-ipv4-default \
+ --with-rsh=/usr/bin/rsh
make
diff --git a/hostfile.c b/hostfile.c
index bac285d..f58e1d6 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: hostfile.c,v 1.18 2000/04/29 18:11:52 markus Exp $");
+RCSID("$OpenBSD: hostfile.c,v 1.19 2000/06/06 19:32:13 markus Exp $");
#include "packet.h"
#include "match.h"
@@ -129,7 +129,7 @@
;
/* Check if the host name matches. */
- if (!match_hostname(host, cp, (unsigned int) (cp2 - cp)))
+ if (match_hostname(host, cp, (unsigned int) (cp2 - cp)) != 1)
continue;
/* Got a match. Skip host name. */
diff --git a/match.c b/match.c
index ef94985..1551ed5 100644
--- a/match.c
+++ b/match.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-RCSID("$Id: match.c,v 1.5 2000/04/16 01:18:43 damien Exp $");
+RCSID("$Id: match.c,v 1.6 2000/06/07 09:55:44 djm Exp $");
#include "ssh.h"
@@ -84,8 +84,8 @@
/*
* Tries to match the host name (which must be in all lowercase) against the
* comma-separated sequence of subpatterns (each possibly preceded by ! to
- * indicate negation). Returns true if there is a positive match; zero
- * otherwise.
+ * indicate negation). Returns -1 if negation matches, 1 if there is
+ * a positive match, 0 if there is no match at all.
*/
int
@@ -127,15 +127,15 @@
/* Try to match the subpattern against the host name. */
if (match_pattern(host, sub)) {
if (negated)
- return 0; /* Fail */
+ return -1; /* Negative */
else
- got_positive = 1;
+ got_positive = 1; /* Positive */
}
}
/*
* Return success if got a positive match. If there was a negative
- * match, we have already returned zero and never get here.
+ * match, we have already returned -1 and never get here.
*/
return got_positive;
}
diff --git a/match.h b/match.h
index 4625d97..8eac0a5 100644
--- a/match.h
+++ b/match.h
@@ -10,8 +10,8 @@
/*
* Tries to match the host name (which must be in all lowercase) against the
* comma-separated sequence of subpatterns (each possibly preceded by ! to
- * indicate negation). Returns true if there is a positive match; zero
- * otherwise.
+ * indicate negation). Returns -1 if negation matches, 1 if there is
+ * a positive match, 0 if there is no match at all.
*/
int match_hostname(const char *host, const char *pattern, unsigned int len);
diff --git a/readconf.c b/readconf.c
index d7011d7..2751db3 100644
--- a/readconf.c
+++ b/readconf.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-RCSID("$Id: readconf.c,v 1.15 2000/05/30 03:44:53 damien Exp $");
+RCSID("$Id: readconf.c,v 1.16 2000/06/07 09:55:44 djm Exp $");
#include "ssh.h"
#include "cipher.h"
@@ -92,7 +92,7 @@
oBadOption,
oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh,
- oSkeyAuthentication,
+ oSkeyAuthentication, oXAuthLocation,
#ifdef KRB4
oKerberosAuthentication,
#endif /* KRB4 */
@@ -116,6 +116,7 @@
} keywords[] = {
{ "forwardagent", oForwardAgent },
{ "forwardx11", oForwardX11 },
+ { "xauthlocation", oXAuthLocation },
{ "gatewayports", oGatewayPorts },
{ "useprivilegedport", oUsePrivilegedPort },
{ "rhostsauthentication", oRhostsAuthentication },
@@ -396,6 +397,10 @@
}
break;
+ case oXAuthLocation:
+ charptr=&options->xauth_location;
+ goto parse_string;
+
case oUser:
charptr = &options->user;
parse_string:
@@ -644,6 +649,7 @@
memset(options, 'X', sizeof(*options));
options->forward_agent = -1;
options->forward_x11 = -1;
+ options->xauth_location = NULL;
options->gateway_ports = -1;
options->use_privileged_port = -1;
options->rhosts_authentication = -1;
@@ -700,6 +706,10 @@
options->forward_agent = 0;
if (options->forward_x11 == -1)
options->forward_x11 = 0;
+#ifdef XAUTH_PATH
+ if (options->xauth_location == NULL)
+ options->xauth_location = XAUTH_PATH;
+#endif /* XAUTH_PATH */
if (options->gateway_ports == -1)
options->gateway_ports = 0;
if (options->use_privileged_port == -1)
diff --git a/readconf.h b/readconf.h
index 3f0e442..aeaf39a 100644
--- a/readconf.h
+++ b/readconf.h
@@ -13,7 +13,7 @@
*
*/
-/* RCSID("$Id: readconf.h,v 1.11 2000/05/09 01:03:01 damien Exp $"); */
+/* RCSID("$Id: readconf.h,v 1.12 2000/06/07 09:55:44 djm Exp $"); */
#ifndef READCONF_H
#define READCONF_H
@@ -30,6 +30,7 @@
typedef struct {
int forward_agent; /* Forward authentication agent. */
int forward_x11; /* Forward X11 display. */
+ char *xauth_location; /* Location for xauth program */
int gateway_ports; /* Allow remote connects to forwarded ports. */
int use_privileged_port; /* Don't use privileged port if false. */
int rhosts_authentication; /* Try rhosts authentication. */
diff --git a/servconf.c b/servconf.c
index 1aa4fe0..6583829 100644
--- a/servconf.c
+++ b/servconf.c
@@ -12,7 +12,7 @@
*/
#include "includes.h"
-RCSID("$Id: servconf.c,v 1.17 2000/05/30 03:44:53 damien Exp $");
+RCSID("$Id: servconf.c,v 1.18 2000/06/07 09:55:44 djm Exp $");
#include "ssh.h"
#include "servconf.h"
@@ -44,6 +44,7 @@
options->check_mail = -1;
options->x11_forwarding = -1;
options->x11_display_offset = -1;
+ options->xauth_location = NULL;
options->strict_modes = -1;
options->keepalives = -1;
options->log_facility = (SyslogFacility) - 1;
@@ -109,6 +110,10 @@
options->x11_forwarding = 0;
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
+#ifdef XAUTH_PATH
+ if (options->xauth_location == NULL)
+ options->xauth_location = XAUTH_PATH;
+#endif /* XAUTH_PATH */
if (options->strict_modes == -1)
options->strict_modes = 1;
if (options->keepalives == -1)
@@ -177,7 +182,7 @@
sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
- sGatewayPorts, sDSAAuthentication
+ sGatewayPorts, sDSAAuthentication, sXAuthLocation
} ServerOpCodes;
/* Textual representation of the tokens. */
@@ -219,6 +224,7 @@
{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
{ "x11forwarding", sX11Forwarding },
{ "x11displayoffset", sX11DisplayOffset },
+ { "xauthlocation", sXAuthLocation },
{ "strictmodes", sStrictModes },
{ "permitemptypasswords", sEmptyPasswd },
{ "uselogin", sUseLogin },
@@ -365,6 +371,7 @@
case sHostDSAKeyFile:
charptr = (opcode == sHostKeyFile ) ?
&options->host_key_file : &options->host_dsa_key_file;
+parse_filename:
cp = strtok(NULL, WHITESPACE);
if (!cp) {
fprintf(stderr, "%s line %d: missing file name.\n",
@@ -377,15 +384,7 @@
case sPidFile:
charptr = &options->pid_file;
- cp = strtok(NULL, WHITESPACE);
- if (!cp) {
- fprintf(stderr, "%s line %d: missing file name.\n",
- filename, linenum);
- exit(1);
- }
- if (*charptr == NULL)
- *charptr = tilde_expand_filename(cp, getuid());
- break;
+ goto parse_filename;
case sRandomSeedFile:
fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
@@ -508,6 +507,10 @@
intptr = &options->x11_display_offset;
goto parse_int;
+ case sXAuthLocation:
+ charptr = &options->xauth_location;
+ goto parse_filename;
+
case sStrictModes:
intptr = &options->strict_modes;
goto parse_flag;
diff --git a/servconf.h b/servconf.h
index 107438c..5c6212f 100644
--- a/servconf.h
+++ b/servconf.h
@@ -13,7 +13,7 @@
*
*/
-/* RCSID("$Id: servconf.h,v 1.11 2000/05/07 02:03:18 damien Exp $"); */
+/* RCSID("$Id: servconf.h,v 1.12 2000/06/07 09:55:44 djm Exp $"); */
#ifndef SERVCONF_H
#define SERVCONF_H
@@ -47,6 +47,7 @@
int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */
int x11_display_offset; /* What DISPLAY number to start
* searching at */
+ char *xauth_location; /* Location of xauth program */
int strict_modes; /* If true, require string home dir modes. */
int keepalives; /* If true, set SO_KEEPALIVE. */
char *ciphers; /* Ciphers in order of preference. */
diff --git a/session.c b/session.c
index 4791857..0fdd613 100644
--- a/session.c
+++ b/session.c
@@ -812,6 +812,10 @@
struct stat st;
char *argv[10];
+ /* login(1) is only called if we execute the login shell */
+ if (options.use_login && command != NULL)
+ options.use_login = 0;
+
#ifndef USE_PAM /* pam_nologin handles this */
f = fopen("/etc/nologin", "r");
if (f) {
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 351036d..621b9c1 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -7,7 +7,7 @@
*/
#include "includes.h"
-RCSID("$Id: ssh-keygen.c,v 1.18 2000/05/09 01:03:02 damien Exp $");
+RCSID("$Id: ssh-keygen.c,v 1.19 2000/06/07 09:55:44 djm Exp $");
#include <openssl/evp.h>
#include <openssl/pem.h>
@@ -520,7 +520,7 @@
extern int optind;
extern char *optarg;
- OpenSSL_add_all_algorithms();
+ SSLeay_add_all_algorithms();
/* we need this for the home * directory. */
pw = getpwuid(getuid());
diff --git a/ssh.1 b/ssh.1
index 6c1d376..cd56e7b 100644
--- a/ssh.1
+++ b/ssh.1
@@ -9,7 +9,7 @@
.\"
.\" Created: Sat Apr 22 21:55:14 1995 ylo
.\"
-.\" $Id: ssh.1,v 1.27 2000/05/30 03:44:54 damien Exp $
+.\" $Id: ssh.1,v 1.28 2000/06/07 09:55:44 djm Exp $
.\"
.Dd September 25, 1999
.Dt SSH 1
@@ -940,6 +940,12 @@
.Dq yes
or
.Dq no .
+.It Cm XAuthLocation
+Specifies the location of the
+.Xr xauth 1
+program.
+The default is
+.Pa /usr/X11R6/bin/xauth .
.Sh ENVIRONMENT
.Nm
will normally set the following environment variables:
diff --git a/ssh.c b/ssh.c
index 2934c3a..a5c1ac6 100644
--- a/ssh.c
+++ b/ssh.c
@@ -11,7 +11,7 @@
*/
#include "includes.h"
-RCSID("$Id: ssh.c,v 1.33 2000/05/30 03:44:54 damien Exp $");
+RCSID("$Id: ssh.c,v 1.34 2000/06/07 09:55:44 djm Exp $");
#include <openssl/evp.h>
#include <openssl/dsa.h>
@@ -438,7 +438,7 @@
/* Initialize the command to execute on remote host. */
buffer_init(&command);
- OpenSSL_add_all_algorithms();
+ SSLeay_add_all_algorithms();
/*
* Save the command to execute on the remote host in a buffer. There
@@ -677,17 +677,17 @@
FILE *f;
int got_data = 0, i;
-#ifdef XAUTH_PATH
- /* Try to get Xauthority information for the display. */
- snprintf(line, sizeof line, "%.100s list %.200s 2>/dev/null",
- XAUTH_PATH, getenv("DISPLAY"));
- f = popen(line, "r");
- if (f && fgets(line, sizeof(line), f) &&
- sscanf(line, "%*s %s %s", proto, data) == 2)
- got_data = 1;
- if (f)
- pclose(f);
-#endif /* XAUTH_PATH */
+ if (options.xauth_location) {
+ /* Try to get Xauthority information for the display. */
+ snprintf(line, sizeof line, "%.100s list %.200s 2>/dev/null",
+ options.xauth_location, getenv("DISPLAY"));
+ f = popen(line, "r");
+ if (f && fgets(line, sizeof(line), f) &&
+ sscanf(line, "%*s %s %s", proto, data) == 2)
+ got_data = 1;
+ if (f)
+ pclose(f);
+ }
/*
* If we didn't get authentication data, just make up some
* data. The forwarding code will check the validity of the
diff --git a/sshconnect2.c b/sshconnect2.c
index 0abcf89..77b8652 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -28,7 +28,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.11 2000/05/25 20:45:20 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.13 2000/06/02 02:00:19 todd Exp $");
#include <openssl/bn.h>
#include <openssl/rsa.h>
@@ -71,7 +71,6 @@
ssh_kex_dh(Kex *kex, char *host, struct sockaddr *hostaddr,
Buffer *client_kexinit, Buffer *server_kexinit)
{
- int i;
int plen, dlen;
unsigned int klen, kout;
char *signature = NULL;
@@ -265,9 +264,12 @@
char prompt[80];
char *password;
- if (attempt++ > options.number_of_password_prompts)
+ if (attempt++ >= options.number_of_password_prompts)
return 0;
+ if(attempt != 1)
+ error("Permission denied, please try again.");
+
snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ",
server_user, host);
password = read_passphrase(prompt, 0);
diff --git a/sshd.8 b/sshd.8
index 003f291..deb72e4 100644
--- a/sshd.8
+++ b/sshd.8
@@ -9,7 +9,7 @@
.\"
.\" Created: Sat Apr 22 21:55:14 1995 ylo
.\"
-.\" $Id: sshd.8,v 1.22 2000/05/09 01:03:03 damien Exp $
+.\" $Id: sshd.8,v 1.23 2000/06/07 09:55:44 djm Exp $
.\"
.Dd September 25, 1999
.Dt SSHD 8
@@ -552,7 +552,10 @@
.It Cm UseLogin
Specifies whether
.Xr login 1
-is used.
+is used for interactive login sessions.
+Note that
+.Xr login 1
+is not never for remote command execution.
The default is
.Dq no .
.It Cm X11DisplayOffset
@@ -569,6 +572,12 @@
.Dq no .
Note that disabling X11 forwarding does not improve security in any
way, as users can always install their own forwarders.
+.It Cm XAuthLocation
+Specifies the location of the
+.Xr xauth 1
+program.
+The default is
+.Pa /usr/X11R6/bin/xauth .
.El
.Sh LOGIN PROCESS
When a user successfully logs in,
diff --git a/version.h b/version.h
index d577644..fc63bc1 100644
--- a/version.h
+++ b/version.h
@@ -1 +1 @@
-#define SSH_VERSION "OpenSSH-2.1"
+#define SSH_VERSION "OpenSSH_2.1.1"