- markus@cvs.openbsd.org 2000/12/12 14:45:21
[sshd.c]
source port < 1024 is no longer required for rhosts-rsa since it
adds no additional security.
- markus@cvs.openbsd.org 2000/12/12 16:11:49
[ssh.1 ssh.c]
rhosts-rsa is no longer automagically disabled if ssh is not privileged.
UsePrivilegedPort=no disables rhosts-rsa _only_ for old servers.
these changes should not change the visible default behaviour of the ssh client.
diff --git a/ChangeLog b/ChangeLog
index 201aa42..a09e11f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -15,6 +15,15 @@
- deraadt@cvs.openbsd.org 2000/12/13 06:36:05
[pty.c]
KNF
+ - markus@cvs.openbsd.org 2000/12/12 14:45:21
+ [sshd.c]
+ source port < 1024 is no longer required for rhosts-rsa since it
+ adds no additional security.
+ - markus@cvs.openbsd.org 2000/12/12 16:11:49
+ [ssh.1 ssh.c]
+ rhosts-rsa is no longer automagically disabled if ssh is not privileged.
+ UsePrivilegedPort=no disables rhosts-rsa _only_ for old servers.
+ these changes should not change the visible default behaviour of the ssh client.
20001213
- (djm) Make sure we reset the SIGPIPE disposition after we fork. Report
diff --git a/ssh.1 b/ssh.1
index 9a4330f..fd79120 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.71 2000/12/07 04:24:59 djm Exp $
+.\" $OpenBSD: ssh.1,v 1.72 2000/12/12 23:11:48 markus Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
@@ -464,7 +464,8 @@
Note that this option turns off
.Cm RhostsAuthentication
and
-.Cm RhostsRSAAuthentication .
+.Cm RhostsRSAAuthentication
+for older servers.
.It Fl q
Quiet mode.
Causes all warning and diagnostic messages to be suppressed.
@@ -948,7 +949,8 @@
turns off
.Cm RhostsAuthentication
and
-.Cm RhostsRSAAuthentication .
+.Cm RhostsRSAAuthentication
+for older servers.
.It Cm User
Specifies the user to log in as.
This can be useful if you have a different user name on different machines.
diff --git a/ssh.c b/ssh.c
index 5efc5c7..c4ff5ee 100644
--- a/ssh.c
+++ b/ssh.c
@@ -39,7 +39,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.75 2000/11/30 07:02:35 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.77 2000/12/12 23:11:48 markus Exp $");
#include <openssl/evp.h>
#include <openssl/dsa.h>
@@ -575,11 +575,10 @@
if (!options.use_privileged_port) {
#else
if (original_effective_uid != 0 || !options.use_privileged_port) {
- debug("Rhosts Authentication methods disabled, "
- "originating port will not be trusted.");
#endif
+ debug("Rhosts Authentication disabled, "
+ "originating port will not be trusted.");
options.rhosts_authentication = 0;
- options.rhosts_rsa_authentication = 0;
}
/*
* If using rsh has been selected, exec it now (without trying
@@ -602,17 +601,13 @@
/* Restore our superuser privileges. */
restore_uid();
- /*
- * Open a connection to the remote host. This needs root privileges
- * if rhosts_{rsa_}authentication is enabled.
- */
+ /* Open a connection to the remote host. */
ok = ssh_connect(host, &hostaddr, options.port,
- options.connection_attempts,
- !options.rhosts_authentication &&
- !options.rhosts_rsa_authentication,
- original_real_uid,
- options.proxy_command);
+ options.connection_attempts,
+ original_effective_uid != 0 || !options.use_privileged_port,
+ original_real_uid,
+ options.proxy_command);
/*
* If we successfully made the connection, load the host private key
diff --git a/sshd.c b/sshd.c
index 6693054..0c9cdea 100644
--- a/sshd.c
+++ b/sshd.c
@@ -40,7 +40,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.136 2000/12/05 16:47:28 todd Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.137 2000/12/12 21:45:21 markus Exp $");
#include "xmalloc.h"
#include "rsa.h"
@@ -1119,18 +1119,17 @@
sshd_exchange_identification(sock_in, sock_out);
/*
- * Check that the connection comes from a privileged port. Rhosts-
- * and Rhosts-RSA-Authentication only make sense from priviledged
+ * Check that the connection comes from a privileged port.
+ * Rhosts-Authentication only makes sense from priviledged
* programs. Of course, if the intruder has root access on his local
* machine, he can connect from any port. So do not use these
* authentication methods from machines that you do not trust.
*/
if (remote_port >= IPPORT_RESERVED ||
remote_port < IPPORT_RESERVED / 2) {
- debug("Rhosts Authentication methods disabled, "
+ debug("Rhosts Authentication disabled, "
"originating port not trusted.");
options.rhosts_authentication = 0;
- options.rhosts_rsa_authentication = 0;
}
#ifdef KRB4
if (!packet_connection_is_ipv4() &&