Source-Changes-HG archive
[src/trunk]: src/crypto/dist/ssh OpenSSH 2.9.9 as of 2001/9/27
details: https://anonhg.NetBSD.org/src/rev/1e2b5331adee
branches: trunk
changeset: 515485:1e2b5331adee
user: itojun <itojun%NetBSD.org@localhost>
date: Thu Sep 27 02:00:33 2001 +0000
description:
OpenSSH 2.9.9 as of 2001/9/27
diffstat:
crypto/dist/ssh/LICENCE | 46 ++++-
crypto/dist/ssh/README.smartcard | 69 +++++++
crypto/dist/ssh/auth-options.c | 51 ++---
crypto/dist/ssh/auth-options.h | 14 +-
crypto/dist/ssh/auth-rsa.c | 8 +-
crypto/dist/ssh/authfd.h | 110 ++--------
crypto/dist/ssh/authfile.h | 26 +-
crypto/dist/ssh/bufaux.h | 51 +---
crypto/dist/ssh/buffer.h | 57 +----
crypto/dist/ssh/cipher.h | 27 +-
crypto/dist/ssh/compat.c | 22 +-
crypto/dist/ssh/compat.h | 18 +-
crypto/dist/ssh/compress.h | 38 +---
crypto/dist/ssh/crc32.h | 10 +-
crypto/dist/ssh/deattack.h | 6 +-
crypto/dist/ssh/dispatch.h | 14 +-
crypto/dist/ssh/kex.h | 28 +-
crypto/dist/ssh/key.h | 58 ++---
crypto/dist/ssh/log.c | 8 +-
crypto/dist/ssh/match.c | 53 +++++-
crypto/dist/ssh/match.h | 30 +--
crypto/dist/ssh/moduli | 1 -
crypto/dist/ssh/mpaux.h | 15 +-
crypto/dist/ssh/nchan.c | 12 +-
crypto/dist/ssh/packet.h | 229 +++++------------------
crypto/dist/ssh/readpassphrase.3 | 118 ++++++++++++
crypto/dist/ssh/readpassphrase.c | 133 +++++++++++++
crypto/dist/ssh/readpassphrase.h | 47 ++++
crypto/dist/ssh/rsa.c | 6 +-
crypto/dist/ssh/rsa.h | 11 +-
crypto/dist/ssh/scard.c | 371 +++++++++++++++++++++++++++++++++++++++
crypto/dist/ssh/scard.h | 41 ++++
crypto/dist/ssh/scard/Makefile | 20 ++
crypto/dist/ssh/scard/Ssh.bin.uu | 16 +
crypto/dist/ssh/scard/Ssh.java | 143 +++++++++++++++
crypto/dist/ssh/scp.1 | 29 ++-
crypto/dist/ssh/session.h | 17 +-
crypto/dist/ssh/sftp-glob.h | 8 +-
crypto/dist/ssh/sshconnect.h | 31 +-
crypto/dist/ssh/sshlogin.h | 29 +--
crypto/dist/ssh/sshpty.h | 35 +--
crypto/dist/ssh/sshtty.h | 27 +--
crypto/dist/ssh/ttymodes.c | 22 +-
crypto/dist/ssh/uidswap.c | 4 +-
crypto/dist/ssh/uidswap.h | 24 +-
crypto/dist/ssh/uuencode.h | 12 +-
crypto/dist/ssh/xmalloc.h | 19 +-
47 files changed, 1415 insertions(+), 749 deletions(-)
diffs (truncated from 3087 to 300 lines):
diff -r 0bd85630f5bf -r 1e2b5331adee crypto/dist/ssh/LICENCE
--- a/crypto/dist/ssh/LICENCE Thu Sep 27 01:08:22 2001 +0000
+++ b/crypto/dist/ssh/LICENCE Thu Sep 27 02:00:33 2001 +0000
@@ -26,7 +26,7 @@
[However, none of that term is relevant at this point in time. All of
these restrictively licenced software components which he talks about
- have been removed from OpenSSH, ie.
+ have been removed from OpenSSH, i.e.,
- RSA is no longer included, found in the OpenSSL library
- IDEA is no longer included, its use is deprecated
@@ -85,8 +85,7 @@
3)
The 32-bit CRC compensation attack detector in deattack.c was
- contributed by CORE SDI S.A. under a BSD-style license. See
- http://www.core-sdi.com/english/ssh/ for details.
+ contributed by CORE SDI S.A. under a BSD-style license.
* Cryptographic attack detector for ssh - source code
*
@@ -104,8 +103,45 @@
*
* Ariel Futoransky <futo%core-sdi.com@localhost>
* <http://www.core-sdi.com>
+
+4)
+ ssh-keygen was contributed by David Mazieres under a BSD-style
+ license.
+
+ * Copyright 1995, 1996 by David Mazieres <dm%lcs.mit.edu@localhost>.
+ *
+ * Modification and redistribution in source and binary forms is
+ * permitted provided that due credit is given to the author and the
+ * OpenBSD project by leaving this copyright notice intact.
+
+5)
+ The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers
+ and Paulo Barreto is in the public domain and distributed
+ with the following license:
+
+ * @version 3.0 (December 2000)
+ *
+ * Optimised ANSI C code for the Rijndael cipher (now AES)
+ *
+ * @author Vincent Rijmen <vincent.rijmen%esat.kuleuven.ac.be@localhost>
+ * @author Antoon Bosselaers <antoon.bosselaers%esat.kuleuven.ac.be@localhost>
+ * @author Paulo Barreto <paulo.barreto%terra.com.br@localhost>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-4)
+6)
Remaining components of the software are provided under a standard
2-term BSD licence with the following names as copyright holders:
@@ -114,6 +150,8 @@
Niels Provos
Dug Song
Aaron Campbell
+ Damien Miller
+ Kevin Steves
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff -r 0bd85630f5bf -r 1e2b5331adee crypto/dist/ssh/README.smartcard
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ssh/README.smartcard Thu Sep 27 02:00:33 2001 +0000
@@ -0,0 +1,69 @@
+How to use smartcards with OpenSSH?
+
+OpenSSH contains experimental support for authentication using
+Cyberflex smartcards and TODOS card readers. To enable this you
+need to:
+
+(1) install sectok
+
+ $ cd /usr/src/lib/libsectok
+ $ make obj depend all install includes
+ $ cd /usr/src/usr.bin/sectok
+ $ make obj depend all install
+
+(2) enable SMARTCARD support in OpenSSH:
+
+ $ vi /usr/src/usr.bin/ssh/Makefile.inc
+ and uncomment
+ CFLAGS+= -DSMARTCARD
+ LDADD+= -lsectok
+
+(3) load the Java Cardlet to the Cyberflex card:
+
+ $ sectok
+ sectok> login -d
+ sectok> jload /usr/libdata/ssh/Ssh.bin
+ sectok> quit
+
+(4) load a RSA key to the card:
+
+ please don't use your production RSA keys, since
+ with the current version of sectok/ssh-keygen
+ the private key file is still readable
+
+ $ ssh-keygen -f /path/to/rsakey -U 1
+ (where 1 is the reader number, you can also try 0)
+
+ In spite of the name, this does not generate a key.
+ It just loads an already existing key on to the card.
+
+(5) optional:
+
+ Change the card password so that only you can
+ read the private key:
+
+ $ sectok
+ sectok> login -d
+ sectok> setpass
+ sectok> quit
+
+ This prevents reading the key but not use of the
+ key by the card applet.
+
+ Do not forget the passphrase. There is no way to
+ recover if you do.
+
+ IMPORTANT WARNING: If you attempt to login with the
+ wrong passphrase three times in a row, you will
+ destroy your card.
+
+(6) tell the ssh client to use the card reader:
+
+ $ ssh -I 1 otherhost
+
+(7) or tell the agent (don't forget to restart) to use the smartcard:
+
+ $ ssh-add -s 1
+
+-markus,
+Tue Jul 17 23:54:51 CEST 2001
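Review bot: the build instructions in steps (1) and (2) of this new README use the upstream OpenBSD source layout (`/usr/src/lib/libsectok`, `/usr/src/usr.bin/sectok`, `/usr/src/usr.bin/ssh/Makefile.inc`), while this import places the sources under crypto/dist/ssh; a short note on where the SMARTCARD knob and the sectok dependency are set in this tree, or a remark that the paths are the upstream ones, would save readers a search. The warnings in step (4) (the private key file stays readable after loading) and step (5) (three wrong passphrases destroy the card) are the important operational points and read clearly; it may be worth stating in step (7) which agent needs restarting, since "don't forget to restart" leaves that open.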
diff -r 0bd85630f5bf -r 1e2b5331adee crypto/dist/ssh/auth-options.c
--- a/crypto/dist/ssh/auth-options.c Thu Sep 27 01:08:22 2001 +0000
+++ b/crypto/dist/ssh/auth-options.c Thu Sep 27 02:00:33 2001 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: auth-options.c,v 1.1.1.7 2001/06/23 16:36:23 itojun Exp $ */
+/* $NetBSD: auth-options.c,v 1.1.1.8 2001/09/27 02:00:36 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
* Copyright (c) 1995 Tatu Ylonen <ylo%cs.hut.fi@localhost>, Espoo, Finland
@@ -11,7 +11,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.18 2001/05/31 10:30:12 markus Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.20 2001/08/30 20:36:34 stevesk Exp $");
#include "packet.h"
#include "xmalloc.h"
@@ -21,6 +21,7 @@
#include "channels.h"
#include "auth-options.h"
#include "servconf.h"
+#include "misc.h"
/* Flags set authorized_keys flags */
int no_port_forwarding_flag = 0;
@@ -168,7 +169,6 @@
}
cp = "from=\"";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
- int mname, mip;
const char *remote_ip = get_remote_ipaddr();
const char *remote_host = get_canonical_hostname(
options.reverse_mapping_check);
@@ -196,18 +196,9 @@
}
patterns[i] = 0;
opts++;
- /*
- * Deny access if we get a negative
- * match for the hostname or the ip
- * or if we get not match at all
- */
- mname = match_hostname(remote_host, patterns,
- strlen(patterns));
- mip = match_hostname(remote_ip, patterns,
- strlen(patterns));
- xfree(patterns);
- if (mname == -1 || mip == -1 ||
- (mname != 1 && mip != 1)) {
+ if (match_host_and_ip(remote_host, remote_ip,
+ patterns) != 1) {
+ xfree(patterns);
log("Authentication tried for %.100s with "
"correct key but not from a permitted "
"host (host=%.200s, ip=%.200s).",
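Review bot: replacing the two match_hostname() calls and the explicit `mname == -1 || mip == -1 || (mname != 1 && mip != 1)` test with `match_host_and_ip(remote_host, remote_ip, patterns) != 1` changes the deny logic only if the new helper preserves the same semantics, namely that a negated pattern matching either the hostname or the IP denies access, and that a non-match on both also denies; that equivalence is not visible in this hunk (the helper is added in match.c per the diffstat), so it is worth checking against that file. The removed comment ("Deny access if we get a negative match for the hostname or the ip or if we get not match at all") documented exactly this rule and would still be useful above the new call. Moving xfree(patterns) into the deny branch is correct as long as the success path also frees it, which the following hunk does.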
@@ -218,13 +209,14 @@
/* deny access */
return 0;
}
+ xfree(patterns);
/* Host name matches. */
goto next_option;
}
cp = "permitopen=\"";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+ char host[256], sport[6];
u_short port;
- char *c, *ep;
char *patterns = xmalloc(strlen(opts) + 1);
opts += strlen(cp);
@@ -249,28 +241,25 @@
}
patterns[i] = 0;
opts++;
- c = strchr(patterns, ':');
- if (c == NULL) {
- debug("%.100s, line %lu: permitopen: missing colon <%.100s>",
- file, linenum, patterns);
- packet_send_debug("%.100s, line %lu: missing colon",
- file, linenum);
+ if (sscanf(patterns, "%255[^:]:%5[0-9]", host, sport) != 2 &&
+ sscanf(patterns, "%255[^/]/%5[0-9]", host, sport) != 2) {
+ debug("%.100s, line %lu: Bad permitopen specification "
+ "<%.100s>", file, linenum, patterns);
+ packet_send_debug("%.100s, line %lu: "
+ "Bad permitopen specification", file, linenum);
xfree(patterns);
goto bad_option;
}
- *c = 0;
- c++;
- port = strtol(c, &ep, 0);
- if (c == ep) {
- debug("%.100s, line %lu: permitopen: missing port <%.100s>",
- file, linenum, patterns);
- packet_send_debug("%.100s, line %lu: missing port",
- file, linenum);
+ if ((port = a2port(sport)) == 0) {
+ debug("%.100s, line %lu: Bad permitopen port <%.100s>",
+ file, linenum, sport);
+ packet_send_debug("%.100s, line %lu: "
+ "Bad permitopen port", file, linenum);
xfree(patterns);
goto bad_option;
}
if (options.allow_tcp_forwarding)
- channel_add_permitted_opens(patterns, port);
+ channel_add_permitted_opens(host, port);
xfree(patterns);
goto next_option;
}
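Review bot: the two sscanf() formats accept trailing garbage after the port, because `%5[0-9]` stops at the first non-digit and sscanf() still returns 2; a permitopen value such as `host:22xyz` would therefore be accepted as port 22 rather than rejected as a bad option, whereas the old strtol()-based code at least had `ep` available to notice leftover text. Consider appending `%n` to each format and verifying that the consumed length equals strlen(patterns), or rejecting the entry if the character after the port field is not NUL. The field widths are consistent with the buffers added in the previous hunk (`host[256]` for `%255[^:]` / `%255[^/]`, `sport[6]` for `%5[0-9]`), and the `host/port` alternative correctly lets hosts that contain colons be expressed. Using a2port() and treating 0 as an error also rejects a literal port 0, which is the intended behaviour for a permitopen target.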
diff -r 0bd85630f5bf -r 1e2b5331adee crypto/dist/ssh/auth-options.h
--- a/crypto/dist/ssh/auth-options.h Thu Sep 27 01:08:22 2001 +0000
+++ b/crypto/dist/ssh/auth-options.h Thu Sep 27 02:00:33 2001 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: auth-options.h,v 1.1.1.4 2001/04/10 07:13:48 itojun Exp $ */
+/* $NetBSD: auth-options.h,v 1.1.1.5 2001/09/27 02:00:36 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
* Copyright (c) 1995 Tatu Ylonen <ylo%cs.hut.fi@localhost>, Espoo, Finland
@@ -12,7 +12,7 @@
* called by a name other than "ssh" or "Secure Shell".
*/
-/* $OpenBSD: auth-options.h,v 1.8 2001/01/21 19:05:42 markus Exp $ */
+/* $OpenBSD: auth-options.h,v 1.10 2001/06/26 17:27:22 markus Exp $ */
#ifndef AUTH_OPTIONS_H
#define AUTH_OPTIONS_H
@@ -31,15 +31,7 @@
extern char *forced_command;
extern struct envstring *custom_environment;
-/*
- * return 1 if access is granted, 0 if not.
- * side effect: sets key option flags
- */
-int
-auth_parse_options(struct passwd *pw, char *options, char *file,
- u_long linenum);
-
-/* reset options flags */
+int auth_parse_options(struct passwd *, char *, char *, u_long);
void auth_clear_options(void);
#endif
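Review bot: collapsing the prototype to `int auth_parse_options(struct passwd *, char *, char *, u_long);` also drops the comment that documented the contract ("return 1 if access is granted, 0 if not. side effect: sets key option flags") and the "reset options flags" note on auth_clear_options(); the return-value meaning and especially the side effect of setting the global option flags are not obvious from the signature, so keeping a one-line comment for each function above the new prototypes would preserve that information.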
diff -r 0bd85630f5bf -r 1e2b5331adee crypto/dist/ssh/auth-rsa.c