

[src/trunk]: src/crypto/dist/ssh OpenSSH 3.2 as of 2002/4/22. fixes issues w...



details:   https://anonhg.NetBSD.org/src/rev/b0fbcd2772cb
branches:  trunk
changeset: 525942:b0fbcd2772cb
user:      itojun <itojun%NetBSD.org@localhost>
date:      Mon Apr 22 07:35:39 2002 +0000

description:
OpenSSH 3.2 as of 2002/4/22.  fixes issues with AFS/kerberos auth

diffstat:

 crypto/dist/ssh/LICENCE          |     1 +
 crypto/dist/ssh/README.smartcard |    76 +-
 crypto/dist/ssh/auth-options.c   |    82 +-
 crypto/dist/ssh/auth-rh-rsa.c    |    61 +-
 crypto/dist/ssh/auth-rsa.c       |   213 +++--
 crypto/dist/ssh/authfd.h         |     6 +-
 crypto/dist/ssh/bufaux.c         |    32 +-
 crypto/dist/ssh/bufaux.h         |    10 +-
 crypto/dist/ssh/cipher.h         |    11 +-
 crypto/dist/ssh/compat.c         |    32 +-
 crypto/dist/ssh/compat.h         |     6 +-
 crypto/dist/ssh/kex.h            |     5 +-
 crypto/dist/ssh/key.h            |     5 +-
 crypto/dist/ssh/monitor.c        |  1442 ++++++++++++++++++++++++++++++++++++++
 crypto/dist/ssh/monitor.h        |    81 ++
 crypto/dist/ssh/monitor_fdpass.c |    97 ++
 crypto/dist/ssh/monitor_fdpass.h |    35 +
 crypto/dist/ssh/monitor_mm.c     |   330 ++++++++
 crypto/dist/ssh/monitor_mm.h     |    67 +
 crypto/dist/ssh/monitor_wrap.c   |   895 +++++++++++++++++++++++
 crypto/dist/ssh/monitor_wrap.h   |    88 ++
 crypto/dist/ssh/myproposal.h     |     6 +-
 crypto/dist/ssh/nchan.c          |    62 +-
 crypto/dist/ssh/packet.h         |    14 +-
 crypto/dist/ssh/scard.h          |    12 +-
 crypto/dist/ssh/scard/Ssh.bin.uu |    27 +-
 crypto/dist/ssh/scard/Ssh.java   |    61 +-
 crypto/dist/ssh/session.h        |    40 +-
 crypto/dist/ssh/ttymodes.c       |    20 +-
 crypto/dist/ssh/uidswap.c        |     5 +-
 30 files changed, 3534 insertions(+), 288 deletions(-)

diffs (truncated from 4589 to 300 lines):

diff -r 36d8aebd7faa -r b0fbcd2772cb crypto/dist/ssh/LICENCE
--- a/crypto/dist/ssh/LICENCE   Mon Apr 22 06:10:16 2002 +0000
+++ b/crypto/dist/ssh/LICENCE   Mon Apr 22 07:35:39 2002 +0000
@@ -190,6 +190,7 @@
        Aaron Campbell
        Damien Miller
        Kevin Steves
+       Daniel Kouril
 
      * Redistribution and use in source and binary forms, with or without
      * modification, are permitted provided that the following conditions
diff -r 36d8aebd7faa -r b0fbcd2772cb crypto/dist/ssh/README.smartcard
--- a/crypto/dist/ssh/README.smartcard  Mon Apr 22 06:10:16 2002 +0000
+++ b/crypto/dist/ssh/README.smartcard  Mon Apr 22 07:35:39 2002 +0000
@@ -4,52 +4,33 @@
 Cyberflex smartcards and TODOS card readers. To enable this you
 need to:
 
-(1) install sectok
-
-       $ cd /usr/src/lib/libsectok
-       $ make obj depend all install includes
-       $ cd /usr/src/usr.bin/sectok
-       $ make obj depend all install
-
-(2) enable SMARTCARD support in OpenSSH:
+(1) enable SMARTCARD support in OpenSSH:
 
        $ vi /usr/src/usr.bin/ssh/Makefile.inc
        and uncomment
                CFLAGS+=        -DSMARTCARD
                LDADD+= -lsectok
 
-(3) load the Java Cardlet to the Cyberflex card:
+(2) If you have used a previous version of ssh with your card, you
+    must remove the old applet and keys.
+
+       $ sectok
+       sectok> login -d
+       sectok> junload Ssh.bin
+       sectok> delete 0012
+       sectok> delete sh
+       sectok> quit
+
+(3) load the Java Cardlet to the Cyberflex card and set card passphrase:
 
        $ sectok
        sectok> login -d
        sectok> jload /usr/libdata/ssh/Ssh.bin
+       sectok> setpass
+       Enter new AUT0 passphrase: 
+       Re-enter passphrase: 
        sectok> quit
 
-(4) load a RSA key to the card:
-
-       please don't use your production RSA keys, since
-       with the current version of sectok/ssh-keygen
-       the private key file is still readable
-
-       $ ssh-keygen -f /path/to/rsakey -U 1
-       (where 1 is the reader number, you can also try 0)
-
-       In spite of the name, this does not generate a key.
-       It just loads an already existing key on to the card.
-
-(5) optional:
-
-       Change the card password so that only you can
-       read the private key:
-
-       $ sectok
-       sectok> login -d
-       sectok> setpass
-       sectok> quit
-
-       This prevents reading the key but not use of the
-       key by the card applet.
-
        Do not forget the passphrase.  There is no way to
        recover if you do.
 
@@ -57,13 +38,36 @@
        wrong passphrase three times in a row, you will
        destroy your card.
 
-(6) tell the ssh client to use the card reader:
+(4) load a RSA key to the card:
+
+       $ ssh-keygen -f /path/to/rsakey -U 1
+       (where 1 is the reader number, you can also try 0)
+
+       In spite of the name, this does not generate a key.
+       It just loads an already existing key on to the card.
+
+(5) tell the ssh client to use the card reader:
 
        $ ssh -I 1 otherhost
 
-(7) or tell the agent (don't forget to restart) to use the smartcard:
+(6) or tell the agent (don't forget to restart) to use the smartcard:
 
        $ ssh-add -s 1
 
+(7) Optional: If you don't want to use a card passphrase, change the
+    acl on the private key file:
+
+       $ sectok
+       sectok> login -d
+       sectok> acl 0012 world: w 
+        world: w 
+        AUT0: w inval 
+       sectok> quit
+
+       If you do this, anyone who has access to your card
+       can assume your identity.  This is not recommended.
+
 -markus,
 Tue Jul 17 23:54:51 CEST 2001
+
+$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $
diff -r 36d8aebd7faa -r b0fbcd2772cb crypto/dist/ssh/auth-options.c
--- a/crypto/dist/ssh/auth-options.c    Mon Apr 22 06:10:16 2002 +0000
+++ b/crypto/dist/ssh/auth-options.c    Mon Apr 22 07:35:39 2002 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: auth-options.c,v 1.1.1.9 2002/03/08 01:20:30 itojun Exp $      */
+/*     $NetBSD: auth-options.c,v 1.1.1.10 2002/04/22 07:35:43 itojun Exp $     */
 /*
  * Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
  * Copyright (c) 1995 Tatu Ylonen <ylo%cs.hut.fi@localhost>, Espoo, Finland
@@ -11,7 +11,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.21 2002/01/29 14:32:03 markus Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.23 2002/03/19 10:35:39 markus Exp $");
 
 #include "packet.h"
 #include "xmalloc.h"
@@ -21,7 +21,13 @@
 #include "channels.h"
 #include "auth-options.h"
 #include "servconf.h"
+#include "bufaux.h"
 #include "misc.h"
+#include "monitor_wrap.h"
+
+/* Debugging messages */
+Buffer auth_debug;
+int auth_debug_init;
 
 /* Flags set authorized_keys flags */
 int no_port_forwarding_flag = 0;
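Review bot: `Buffer auth_debug;` and `int auth_debug_init;` are added with external linkage and only the two-word comment `/* Debugging messages */`, which does not say who is allowed to touch them or when they are valid; given the new `#include "monitor_wrap.h"` two lines above, they are presumably read from the monitor side, but nothing in this diff declares them `extern` elsewhere. I'd replace the comment with `/* Debug messages queued by auth_parse_options(); valid only after auth_clear_options() has set auth_debug_init, drained by auth_send_debug(). */` so the lifecycle is stated next to the definitions. If they are indeed shared with another translation unit, an `extern` declaration belongs in auth-options.h rather than relying on a matching tentative definition.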
@@ -37,9 +43,28 @@
 
 extern ServerOptions options;
 
+static void
+auth_send_debug(Buffer *m)
+{
+       char *msg;
+
+       while (buffer_len(m)) {
+               msg = buffer_get_string(m, NULL);
+               packet_send_debug("%s", msg);
+               xfree(msg);
+       }
+}
+
 void
 auth_clear_options(void)
 {
+       if (auth_debug_init)
+               buffer_clear(&auth_debug);
+       else {
+               buffer_init(&auth_debug);
+               auth_debug_init = 1;
+       }
+
        no_agent_forwarding_flag = 0;
        no_port_forwarding_flag = 0;
        no_pty_flag = 0;
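Review bot: auth_debug is initialised lazily only here in auth_clear_options(), yet every `buffer_put_cstring(&auth_debug, tmp)` that the later hunks add to auth_parse_options() writes to it unconditionally, so correctness depends on callers always calling auth_clear_options() before auth_parse_options(); that ordering is not visible in this diff and should be stated. I'd add above the function: `/* Must run before auth_parse_options(): (re)initialises auth_debug, which auth_parse_options() appends to without checking auth_debug_init. */`. The new static auth_send_debug() has no caller in the visible hunks; presumably it is used past the truncation point, otherwise it would draw an unused-function warning. auth_clear_options' body continues outside the hunk.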
@@ -64,6 +89,7 @@
 int
 auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 {
+       char tmp[1024];
        const char *cp;
        int i;
 
@@ -76,28 +102,32 @@
        while (*opts && *opts != ' ' && *opts != '\t') {
                cp = "no-port-forwarding";
                if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-                       packet_send_debug("Port forwarding disabled.");
+                       snprintf(tmp, sizeof(tmp), "Port forwarding disabled.");
+                       buffer_put_cstring(&auth_debug, tmp);
                        no_port_forwarding_flag = 1;
                        opts += strlen(cp);
                        goto next_option;
                }
                cp = "no-agent-forwarding";
                if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-                       packet_send_debug("Agent forwarding disabled.");
+                       snprintf(tmp, sizeof(tmp), "Agent forwarding disabled.");
+                       buffer_put_cstring(&auth_debug, tmp);
                        no_agent_forwarding_flag = 1;
                        opts += strlen(cp);
                        goto next_option;
                }
                cp = "no-X11-forwarding";
                if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-                       packet_send_debug("X11 forwarding disabled.");
+                       snprintf(tmp, sizeof(tmp), "X11 forwarding disabled.");
+                       buffer_put_cstring(&auth_debug, tmp);
                        no_x11_forwarding_flag = 1;
                        opts += strlen(cp);
                        goto next_option;
                }
                cp = "no-pty";
                if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-                       packet_send_debug("Pty allocation disabled.");
+                       snprintf(tmp, sizeof(tmp), "Pty allocation disabled.");
+                       buffer_put_cstring(&auth_debug, tmp);
                        no_pty_flag = 1;
                        opts += strlen(cp);
                        goto next_option;
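Review bot: The four new `snprintf(tmp, sizeof(tmp), "...")` calls in this hunk format a constant string with no arguments, copying a literal through a 1024-byte stack buffer only to copy it again into the Buffer; `buffer_put_cstring(&auth_debug, "Port forwarding disabled.");` says the same thing in one call, and likewise for the agent, X11 and pty messages. The later hunks that carry arguments do need snprintf, and their `%.100s`/`%.900s`/`%.200s` precisions keep every message well under the 1024 bytes of tmp, so the unchecked snprintf return value is safe there as written; a one-line comment at the declaration of tmp, `/* large enough for the longest %.900s message below */`, would record why no truncation check is needed.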
@@ -120,14 +150,16 @@
                        if (!*opts) {
                                debug("%.100s, line %lu: missing end quote",
                                    file, linenum);
-                               packet_send_debug("%.100s, line %lu: missing end quote",
+                               snprintf(tmp, sizeof(tmp), "%.100s, line %lu: missing end quote",
                                    file, linenum);
+                               buffer_put_cstring(&auth_debug, tmp);
                                xfree(forced_command);
                                forced_command = NULL;
                                goto bad_option;
                        }
                        forced_command[i] = 0;
-                       packet_send_debug("Forced command: %.900s", forced_command);
+                       snprintf(tmp, sizeof(tmp), "Forced command: %.900s", forced_command);
+                       buffer_put_cstring(&auth_debug, tmp);
                        opts++;
                        goto next_option;
                }
@@ -152,13 +184,15 @@
                        if (!*opts) {
                                debug("%.100s, line %lu: missing end quote",
                                    file, linenum);
-                               packet_send_debug("%.100s, line %lu: missing end quote",
+                               snprintf(tmp, sizeof(tmp), "%.100s, line %lu: missing end quote",
                                    file, linenum);
+                               buffer_put_cstring(&auth_debug, tmp);
                                xfree(s);
                                goto bad_option;
                        }
                        s[i] = 0;
-                       packet_send_debug("Adding to environment: %.900s", s);
+                       snprintf(tmp, sizeof(tmp), "Adding to environment: %.900s", s);
+                       buffer_put_cstring(&auth_debug, tmp);
                        debug("Adding to environment: %.900s", s);
                        opts++;
                        new_envstring = xmalloc(sizeof(struct envstring));
@@ -189,8 +223,9 @@
                        if (!*opts) {
                                debug("%.100s, line %lu: missing end quote",
                                    file, linenum);
-                               packet_send_debug("%.100s, line %lu: missing end quote",
+                               snprintf(tmp, sizeof(tmp), "%.100s, line %lu: missing end quote",
                                    file, linenum);
+                               buffer_put_cstring(&auth_debug, tmp);
                                xfree(patterns);
                                goto bad_option;
                        }
@@ -203,9 +238,11 @@
                                    "correct key but not from a permitted "
                                    "host (host=%.200s, ip=%.200s).",
                                    pw->pw_name, remote_host, remote_ip);
-                               packet_send_debug("Your host '%.200s' is not "
+                               snprintf(tmp, sizeof(tmp),
+                                   "Your host '%.200s' is not "
                                    "permitted to use this key for login.",
                                    remote_host);
+                               buffer_put_cstring(&auth_debug, tmp);
                                /* deny access */
                                return 0;
                        }
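Review bot: On this deny path the "not permitted to use this key" message is now queued in auth_debug and the function returns 0 immediately, whereas before it was sent to the client at once; whether it still reaches the client depends on the caller draining the buffer on failure as well as success, which this diff does not show. If the caller only flushes after a successful parse, the message is silently dropped — worth confirming. Either way the dependency should be visible at the return, e.g. `/* deny access; queued auth_debug messages are only delivered if the caller flushes them */`.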
@@ -234,8 +271,9 @@
                        if (!*opts) {
                                debug("%.100s, line %lu: missing end quote",
                                    file, linenum);
-                               packet_send_debug("%.100s, line %lu: missing end quote",
+                               snprintf(tmp, sizeof(tmp), "%.100s, line %lu: missing end quote",
                                    file, linenum);
+                               buffer_put_cstring(&auth_debug, tmp);
                                xfree(patterns);
                                goto bad_option;
                        }
@@ -245,16 +283,18 @@


