[src/trunk]: src sync with openssh 3.2 as of 2002/4/22.
details: https://anonhg.NetBSD.org/src/rev/a5fb356bf684
branches: trunk
changeset: 525944:a5fb356bf684
user: itojun <itojun%NetBSD.org@localhost>
date: Mon Apr 22 07:59:35 2002 +0000
description:
sync with openssh 3.2 as of 2002/4/22.
- privilege separation
- afs/kerberos auth security issue fixed
diffstat:
crypto/dist/ssh/auth-bsdauth.c | 17 +-
crypto/dist/ssh/auth-krb4.c | 5 +-
crypto/dist/ssh/auth-krb5.c | 29 +++-
crypto/dist/ssh/auth-skey.c | 23 +-
crypto/dist/ssh/auth.c | 47 +++++-
crypto/dist/ssh/auth.h | 35 +++-
crypto/dist/ssh/auth1.c | 43 ++--
crypto/dist/ssh/auth2-chall.c | 23 ++-
crypto/dist/ssh/auth2.c | 50 +++--
crypto/dist/ssh/authfd.c | 7 +-
crypto/dist/ssh/channels.c | 30 +++-
crypto/dist/ssh/channels.h | 16 +-
crypto/dist/ssh/cipher.c | 183 ++++++++++++++++++++++-
crypto/dist/ssh/clientloop.c | 71 ++++++++-
crypto/dist/ssh/compress.c | 16 +-
crypto/dist/ssh/kex.c | 38 +++-
crypto/dist/ssh/kexdh.c | 7 +-
crypto/dist/ssh/kexgex.c | 13 +-
crypto/dist/ssh/key.c | 47 +++++-
crypto/dist/ssh/misc.h | 10 +-
crypto/dist/ssh/monitor.c | 4 +-
crypto/dist/ssh/monitor_mm.h | 4 +-
crypto/dist/ssh/monitor_wrap.c | 10 +-
crypto/dist/ssh/packet.c | 128 ++++++++++++++--
crypto/dist/ssh/pathnames.h | 7 +-
crypto/dist/ssh/radix.c | 254 ++++++++++++-------------------
crypto/dist/ssh/readpass.c | 9 +-
crypto/dist/ssh/readpass.h | 5 +-
crypto/dist/ssh/scard.c | 307 +++++++++++++++++++++++++++++++-------
crypto/dist/ssh/scp.c | 19 +-
crypto/dist/ssh/servconf.c | 21 ++-
crypto/dist/ssh/servconf.h | 5 +-
crypto/dist/ssh/serverloop.c | 23 +-
crypto/dist/ssh/session.c | 159 +++++++++----------
crypto/dist/ssh/session.h | 4 +-
crypto/dist/ssh/sftp-client.c | 48 +++--
crypto/dist/ssh/sftp-glob.h | 6 +-
crypto/dist/ssh/sftp-int.c | 11 +-
crypto/dist/ssh/sftp.c | 23 +-
crypto/dist/ssh/ssh-add.c | 24 ++-
crypto/dist/ssh/ssh-agent.c | 112 ++++++-------
crypto/dist/ssh/ssh-keygen.c | 149 +++---------------
crypto/dist/ssh/ssh-rsa.c | 15 +-
crypto/dist/ssh/ssh.1 | 14 +-
crypto/dist/ssh/ssh.c | 59 +++----
crypto/dist/ssh/ssh.h | 14 +-
crypto/dist/ssh/sshconnect1.c | 8 +-
crypto/dist/ssh/sshconnect2.c | 81 +++++++++-
crypto/dist/ssh/sshd.8 | 62 +++++--
crypto/dist/ssh/sshd.c | 324 +++++++++++++++++++++++++++++++++++-----
crypto/dist/ssh/sshd_config | 8 +-
crypto/dist/ssh/version.h | 8 +-
usr.bin/ssh/libssh/Makefile | 4 +-
usr.bin/ssh/sshd/Makefile | 4 +-
54 files changed, 1802 insertions(+), 841 deletions(-)
diffs (truncated from 5024 to 300 lines):
diff -r 49582bb70962 -r a5fb356bf684 crypto/dist/ssh/auth-bsdauth.c
--- a/crypto/dist/ssh/auth-bsdauth.c Mon Apr 22 07:47:47 2002 +0000
+++ b/crypto/dist/ssh/auth-bsdauth.c Mon Apr 22 07:59:35 2002 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: auth-bsdauth.c,v 1.2 2002/03/08 02:00:50 itojun Exp $ */
+/* $NetBSD: auth-bsdauth.c,v 1.3 2002/04/22 07:59:35 itojun Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@@ -23,12 +23,13 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-bsdauth.c,v 1.2 2001/12/19 07:18:56 deraadt Exp $");
+RCSID("$OpenBSD: auth-bsdauth.c,v 1.3 2002/03/18 17:50:31 provos Exp $");
#ifdef BSD_AUTH
#include "xmalloc.h"
#include "auth.h"
#include "log.h"
+#include "monitor_wrap.h"
static void *
bsdauth_init_ctx(Authctxt *authctxt)
@@ -36,7 +37,7 @@
return authctxt;
}
-static int
+int
bsdauth_query(void *ctx, char **name, char **infotxt,
u_int *numprompts, char ***prompts, u_int **echo_on)
{
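Review bot: `bsdauth_query` loses its `static` here (as do `bsdauth_respond` in the next hunk and `skey_query`/`skey_respond` in auth-skey.c), but no prototype for any of them appears in this diff. Since they now have external linkage and are evidently meant to be called from another translation unit, they should be declared in a shared header (the newly included `monitor_wrap.h` or `auth.h`) so the call sites get a checked signature instead of an implicit declaration. A declaration like `int bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);` next to the `KbdintDevice` declarations would do. The body of bsdauth_query continues past the end of this hunk.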
@@ -77,7 +78,7 @@
return 0;
}
-static int
+int
bsdauth_respond(void *ctx, u_int numresponses, char **responses)
{
Authctxt *authctxt = ctx;
@@ -114,4 +115,12 @@
bsdauth_respond,
bsdauth_free_ctx
};
+
+KbdintDevice mm_bsdauth_device = {
+ "bsdauth",
+ bsdauth_init_ctx,
+ mm_bsdauth_query,
+ mm_bsdauth_respond,
+ bsdauth_free_ctx
+};
#endif
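Review bot: `mm_bsdauth_device` has no comment explaining why a second table exists alongside `bsdauth_device`; the two differ only in the query/respond entries (`mm_bsdauth_query`/`mm_bsdauth_respond`) while sharing `bsdauth_init_ctx` and `bsdauth_free_ctx`. A one-line note above it would save the next reader a trip into monitor code, e.g. `/* Same device, but query/respond are routed through the mm_* wrappers; presumably the unprivileged side of privilege separation — confirm against monitor.c */`. The same applies to `mm_skey_device` in auth-skey.c.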
diff -r 49582bb70962 -r a5fb356bf684 crypto/dist/ssh/auth-krb4.c
--- a/crypto/dist/ssh/auth-krb4.c Mon Apr 22 07:47:47 2002 +0000
+++ b/crypto/dist/ssh/auth-krb4.c Mon Apr 22 07:59:35 2002 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: auth-krb4.c,v 1.5 2002/03/08 02:00:50 itojun Exp $ */
+/* $NetBSD: auth-krb4.c,v 1.6 2002/04/22 07:59:35 itojun Exp $ */
/*
* Copyright (c) 1999 Dug Song. All rights reserved.
*
@@ -24,7 +24,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-krb4.c,v 1.25 2001/12/19 07:18:56 deraadt Exp $");
+RCSID("$OpenBSD: auth-krb4.c,v 1.26 2002/03/18 01:30:10 dugsong Exp $");
#include "ssh.h"
#include "ssh1.h"
@@ -254,6 +254,7 @@
log("Kerberos v4 .klogin authorization failed for %s to "
"account %s", *client, authctxt->user);
xfree(*client);
+ *client = NULL;
return (0);
}
/* Increment the checksum, and return it encrypted with the
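Review bot: The added `*client = NULL;` covers only the `.klogin` rejection path; the enclosing function starts and ends outside this hunk, so if it frees `*client` on any other early return, those paths need the same reset, since the caller evidently frees `*client` afterwards and would otherwise hit a double free. Making the contract explicit would help, e.g. `/* caller frees *client after we return; never leave it dangling */` above the `xfree`.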
diff -r 49582bb70962 -r a5fb356bf684 crypto/dist/ssh/auth-krb5.c
--- a/crypto/dist/ssh/auth-krb5.c Mon Apr 22 07:47:47 2002 +0000
+++ b/crypto/dist/ssh/auth-krb5.c Mon Apr 22 07:59:35 2002 +0000
@@ -1,12 +1,35 @@
-/* $NetBSD: auth-krb5.c,v 1.8 2002/03/08 02:00:51 itojun Exp $ */
+/* $NetBSD: auth-krb5.c,v 1.9 2002/04/22 07:59:36 itojun Exp $ */
/*
* Kerberos v5 authentication and ticket-passing routines.
- *
+ *
* $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
*/
+/*
+ * Copyright (c) 2002 Daniel Kouril. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
#include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.6 2002/03/04 17:27:39 stevesk Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.8 2002/03/19 10:49:35 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
diff -r 49582bb70962 -r a5fb356bf684 crypto/dist/ssh/auth-skey.c
--- a/crypto/dist/ssh/auth-skey.c Mon Apr 22 07:47:47 2002 +0000
+++ b/crypto/dist/ssh/auth-skey.c Mon Apr 22 07:59:35 2002 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: auth-skey.c,v 1.6 2002/03/08 02:00:51 itojun Exp $ */
+/* $NetBSD: auth-skey.c,v 1.7 2002/04/22 07:59:36 itojun Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@@ -23,7 +23,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-skey.c,v 1.16 2002/01/12 13:10:29 markus Exp $");
+RCSID("$OpenBSD: auth-skey.c,v 1.17 2002/03/18 17:50:31 provos Exp $");
#ifdef SKEY
@@ -31,6 +31,7 @@
#include "xmalloc.h"
#include "auth.h"
+#include "monitor_wrap.h"
static void *
skey_init_ctx(Authctxt *authctxt)
@@ -38,9 +39,7 @@
return authctxt;
}
-#define PROMPT "\nS/Key Password: "
-
-static int
+int
skey_query(void *ctx, char **name, char **infotxt,
u_int* numprompts, char ***prompts, u_int **echo_on)
{
@@ -59,16 +58,16 @@
*echo_on = xmalloc(*numprompts * sizeof(u_int));
(*echo_on)[0] = 0;
- len = strlen(challenge) + strlen(PROMPT) + 1;
+ len = strlen(challenge) + strlen(SKEY_PROMPT) + 1;
p = xmalloc(len);
strlcpy(p, challenge, len);
- strlcat(p, PROMPT, len);
+ strlcat(p, SKEY_PROMPT, len);
(*prompts)[0] = p;
return 0;
}
-static int
+int
skey_respond(void *ctx, u_int numresponses, char **responses)
{
Authctxt *authctxt = ctx;
@@ -94,4 +93,12 @@
skey_respond,
skey_free_ctx
};
+
+KbdintDevice mm_skey_device = {
+ "skey",
+ skey_init_ctx,
+ mm_skey_query,
+ mm_skey_respond,
+ skey_free_ctx
+};
#endif /* SKEY */
diff -r 49582bb70962 -r a5fb356bf684 crypto/dist/ssh/auth.c
--- a/crypto/dist/ssh/auth.c Mon Apr 22 07:47:47 2002 +0000
+++ b/crypto/dist/ssh/auth.c Mon Apr 22 07:59:35 2002 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: auth.c,v 1.11 2002/03/08 02:00:51 itojun Exp $ */
+/* $NetBSD: auth.c,v 1.12 2002/04/22 07:59:36 itojun Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -24,7 +24,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.35 2002/03/01 13:12:10 markus Exp $");
+RCSID("$OpenBSD: auth.c,v 1.41 2002/03/19 15:31:47 markus Exp $");
#include <libgen.h>
@@ -40,6 +40,7 @@
#include "bufaux.h"
#include "uidswap.h"
#include "tildexpand.h"
+#include "misc.h"
#ifdef HAVE_LOGIN_CAP
#include <login_cap.h>
@@ -198,17 +199,17 @@
/* Return false if user is listed in DenyUsers */
if (options.num_deny_users > 0) {
for (i = 0; i < options.num_deny_users; i++)
- if (match_user(pw->pw_name, hostname, ipaddr,
+ if (match_user(pw->pw_name, hostname, ipaddr,
options.deny_users[i])) {
- log("User %.100s not allowed because listed in DenyUsers",
- pw->pw_name);
+ log("User %.100s not allowed because listed in DenyUsers",
+ pw->pw_name);
return 0;
}
}
/* Return false if AllowUsers isn't empty and user isn't listed there */
if (options.num_allow_users > 0) {
for (i = 0; i < options.num_allow_users; i++)
- if (match_user(pw->pw_name, hostname, ipaddr,
+ if (match_user(pw->pw_name, hostname, ipaddr,
options.allow_users[i]))
break;
/* i < options.num_allow_users iff we break for loop */
@@ -494,3 +495,37 @@
}
return 0;
}
+
+struct passwd *
+getpwnamallow(const char *user)
+{
+#ifdef HAVE_LOGIN_CAP
+ extern login_cap_t *lc;
+#ifdef BSD_AUTH
+ auth_session_t *as;
+#endif
+#endif
+ struct passwd *pw;
+
+ pw = getpwnam(user);
+ if (pw == NULL || !allowed_user(pw))
+ return (NULL);
+#ifdef HAVE_LOGIN_CAP
+ if ((lc = login_getclass(pw->pw_class)) == NULL) {
+ debug("unable to get login class: %s", user);
+ return (NULL);
+ }
+#ifdef BSD_AUTH
+ if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
+ auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) {
+ debug("Approval failure for %s", user);
+ pw = NULL;
+ }
+ if (as != NULL)
+ auth_close(as);
+#endif
+#endif
+ if (pw != NULL)
+ return (pwcopy(pw));
+ return (NULL);
+}
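Review bot: On the `BSD_AUTH` approval-failure path `getpwnamallow` sets `pw = NULL` but leaves the global `lc` pointing at the class loaded by `login_getclass()` for the rejected user, and a later call overwrites `lc` without releasing it; if `login_getclass()` allocates (as its manual describes), that is a leak per rejected attempt, and a `login_close(lc); lc = NULL;` in that branch would be the fix — confirm against how `lc` is used elsewhere in sshd. The function also carries no comment, and its contract is worth stating since it mixes lookup, policy and ownership: `/* Look up user and return a pwcopy()'d entry the caller owns, or NULL if the user is unknown, fails allowed_user(), has no login class or fails BSD auth approval; sets the global lc as a side effect. */`. Returning NULL for both "unknown user" and "denied" is presumably deliberate so the caller logs both the same way, but that is worth saying in the comment too.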
diff -r 49582bb70962 -r a5fb356bf684 crypto/dist/ssh/auth.h
--- a/crypto/dist/ssh/auth.h Mon Apr 22 07:47:47 2002 +0000
+++ b/crypto/dist/ssh/auth.h Mon Apr 22 07:59:35 2002 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: auth.h,v 1.8 2002/03/08 02:00:51 itojun Exp $ */
-/* $OpenBSD: auth.h,v 1.29 2002/03/04 17:27:39 stevesk Exp $ */
+/* $NetBSD: auth.h,v 1.9 2002/04/22 07:59:36 itojun Exp $ */
+/* $OpenBSD: auth.h,v 1.35 2002/03/19 10:35:39 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -89,14 +89,21 @@
void (*free_ctx)(void *ctx);
};
-int auth_rhosts(struct passwd *, const char *);
+int auth_rhosts(struct passwd *, const char *);
int
auth_rhosts2(struct passwd *, const char *, const char *, const char *);
-int auth_rhosts_rsa(struct passwd *, const char *, Key *);