[src/trunk]: src sync with openssh 2.9.9 around 9/27.
details: https://anonhg.NetBSD.org/src/rev/af5712d43936
branches: trunk
changeset: 515487:af5712d43936
user: itojun <itojun%NetBSD.org@localhost>
date: Thu Sep 27 03:24:01 2001 +0000
description:
sync with openssh 2.9.9 around 9/27.
diffstat:
crypto/dist/ssh/atomicio.h | 4 +-
crypto/dist/ssh/auth-krb4.c | 364 ++++----
crypto/dist/ssh/auth-krb5.c | 401 ++++----
crypto/dist/ssh/auth-passwd.c | 38 +-
crypto/dist/ssh/auth.c | 27 +-
crypto/dist/ssh/auth.h | 163 +--
crypto/dist/ssh/auth1.c | 160 +--
crypto/dist/ssh/auth2.c | 20 +-
crypto/dist/ssh/authfd.c | 33 +-
crypto/dist/ssh/authfile.c | 19 +-
crypto/dist/ssh/canohost.h | 35 +-
crypto/dist/ssh/channels.c | 162 ++-
crypto/dist/ssh/channels.h | 154 +-
crypto/dist/ssh/cipher.c | 63 +-
crypto/dist/ssh/cli.c | 236 -----
crypto/dist/ssh/cli.h | 43 -
crypto/dist/ssh/clientloop.c | 21 +-
crypto/dist/ssh/clientloop.h | 6 +-
crypto/dist/ssh/dh.h | 12 +-
crypto/dist/ssh/groupaccess.c | 15 +-
crypto/dist/ssh/groupaccess.h | 23 +-
crypto/dist/ssh/hostfile.c | 6 +-
crypto/dist/ssh/hostfile.h | 24 +-
crypto/dist/ssh/kex.c | 6 +-
crypto/dist/ssh/kexdh.c | 16 +-
crypto/dist/ssh/kexgex.c | 14 +-
crypto/dist/ssh/key.c | 14 +-
crypto/dist/ssh/log.h | 46 +-
crypto/dist/ssh/mac.h | 10 +-
crypto/dist/ssh/misc.c | 42 +-
crypto/dist/ssh/misc.h | 61 +-
crypto/dist/ssh/moduli.5 | 4 +-
crypto/dist/ssh/packet.c | 10 +-
crypto/dist/ssh/radix.c | 3 +-
crypto/dist/ssh/radix.h | 8 +-
crypto/dist/ssh/readconf.c | 167 ++-
crypto/dist/ssh/readconf.h | 73 +-
crypto/dist/ssh/readpass.c | 50 +-
crypto/dist/ssh/readpass.h | 14 +-
crypto/dist/ssh/rijndael.c | 1601 ++++++++++++++++++++++++++++---------
crypto/dist/ssh/rijndael.h | 89 +-
crypto/dist/ssh/scp.c | 64 +-
crypto/dist/ssh/servconf.c | 160 +--
crypto/dist/ssh/servconf.h | 47 +-
crypto/dist/ssh/serverloop.c | 74 +-
crypto/dist/ssh/serverloop.h | 13 +-
crypto/dist/ssh/session.c | 205 ++--
crypto/dist/ssh/sftp-client.c | 6 +-
crypto/dist/ssh/sftp-client.h | 46 +-
crypto/dist/ssh/sftp-common.c | 11 +-
crypto/dist/ssh/sftp-common.h | 23 +-
crypto/dist/ssh/sftp-glob.c | 16 +-
crypto/dist/ssh/sftp-int.c | 12 +-
crypto/dist/ssh/sftp-int.h | 6 +-
crypto/dist/ssh/sftp-server.c | 10 +-
crypto/dist/ssh/sftp.1 | 90 +-
crypto/dist/ssh/sftp.c | 14 +-
crypto/dist/ssh/ssh-add.1 | 16 +-
crypto/dist/ssh/ssh-add.c | 105 +-
crypto/dist/ssh/ssh-agent.1 | 20 +-
crypto/dist/ssh/ssh-agent.c | 220 ++++-
crypto/dist/ssh/ssh-dss.c | 8 +-
crypto/dist/ssh/ssh-dss.h | 17 +-
crypto/dist/ssh/ssh-keygen.1 | 35 +-
crypto/dist/ssh/ssh-keygen.c | 266 +++++-
crypto/dist/ssh/ssh-keyscan.1 | 114 +-
crypto/dist/ssh/ssh-keyscan.c | 330 +++++--
crypto/dist/ssh/ssh-rsa.c | 8 +-
crypto/dist/ssh/ssh-rsa.h | 17 +-
crypto/dist/ssh/ssh.1 | 252 ++++-
crypto/dist/ssh/ssh.c | 302 ++++--
crypto/dist/ssh/ssh1.h | 5 +-
crypto/dist/ssh/sshconnect.c | 62 +-
crypto/dist/ssh/sshconnect1.c | 732 ++++++++--------
crypto/dist/ssh/sshconnect2.c | 49 +-
crypto/dist/ssh/sshd.8 | 128 +-
crypto/dist/ssh/sshd.c | 69 +-
crypto/dist/ssh/sshd_config | 5 +-
crypto/dist/ssh/sshpty.c | 6 +-
crypto/dist/ssh/tildexpand.c | 6 +-
crypto/dist/ssh/tildexpand.h | 10 +-
crypto/dist/ssh/version.h | 8 +-
crypto/dist/ssh/xmalloc.c | 9 +-
usr.bin/ssh/libssh/Makefile | 10 +-
usr.bin/ssh/ssh-keyscan/Makefile | 6 +-
85 files changed, 4613 insertions(+), 3256 deletions(-)
diffs (truncated from 13025 to 300 lines):
diff -r f1158a9d7676 -r af5712d43936 crypto/dist/ssh/atomicio.h
--- a/crypto/dist/ssh/atomicio.h Thu Sep 27 02:05:42 2001 +0000
+++ b/crypto/dist/ssh/atomicio.h Thu Sep 27 03:24:01 2001 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: atomicio.h,v 1.4 2001/04/10 08:07:54 itojun Exp $ */
-/* $OpenBSD: atomicio.h,v 1.3 2001/03/02 18:54:30 deraadt Exp $ */
+/* $NetBSD: atomicio.h,v 1.5 2001/09/27 03:24:01 itojun Exp $ */
+/* $OpenBSD: atomicio.h,v 1.4 2001/06/26 06:32:46 itojun Exp $ */
/*
* Copyright (c) 1995,1999 Theo de Raadt. All rights reserved.
diff -r f1158a9d7676 -r af5712d43936 crypto/dist/ssh/auth-krb4.c
--- a/crypto/dist/ssh/auth-krb4.c Thu Sep 27 02:05:42 2001 +0000
+++ b/crypto/dist/ssh/auth-krb4.c Thu Sep 27 03:24:01 2001 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: auth-krb4.c,v 1.3 2001/04/10 08:07:54 itojun Exp $ */
+/* $NetBSD: auth-krb4.c,v 1.4 2001/09/27 03:24:02 itojun Exp $ */
/*
* Copyright (c) 1999 Dug Song. All rights reserved.
*
@@ -24,7 +24,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-krb4.c,v 1.23 2001/01/22 08:15:00 markus Exp $");
+RCSID("$OpenBSD: auth-krb4.c,v 1.24 2001/06/26 16:15:22 dugsong Exp $");
#include "ssh.h"
#include "ssh1.h"
@@ -32,6 +32,7 @@
#include "xmalloc.h"
#include "log.h"
#include "servconf.h"
+#include "uidswap.h"
#include "auth.h"
#ifdef AFS
@@ -39,70 +40,114 @@
#endif
#ifdef KRB4
-char *ticket = NULL;
+extern ServerOptions options;
-extern ServerOptions options;
+static int
+krb4_init(void *context)
+{
+ static int cleanup_registered = 0;
+ Authctxt *authctxt = (Authctxt *)context;
+ const char *tkt_root = TKT_ROOT;
+ struct stat st;
+ int fd;
+
+ if (!authctxt->krb4_ticket_file) {
+ /* Set unique ticket string manually since we're still root. */
+ authctxt->krb4_ticket_file = xmalloc(MAXPATHLEN);
+#ifdef AFS
+ if (lstat("/ticket", &st) != -1)
+ tkt_root = "/ticket/";
+#endif /* AFS */
+ snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%d",
+ tkt_root, authctxt->pw->pw_uid, getpid());
+ krb_set_tkt_string(authctxt->krb4_ticket_file);
+ }
+ /* Register ticket cleanup in case of fatal error. */
+ if (!cleanup_registered) {
+ fatal_add_cleanup(krb4_cleanup_proc, authctxt);
+ cleanup_registered = 1;
+ }
+ /* Try to create our ticket file. */
+ if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) {
+ close(fd);
+ return (1);
+ }
+ /* Ticket file exists - make sure user owns it (just passed ticket). */
+ if (lstat(authctxt->krb4_ticket_file, &st) != -1) {
+ if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) &&
+ st.st_uid == authctxt->pw->pw_uid)
+ return (1);
+ }
+ /* Failure - cancel cleanup function, leaving ticket for inspection. */
+ log("WARNING: bad ticket file %s", authctxt->krb4_ticket_file);
+
+ fatal_remove_cleanup(krb4_cleanup_proc, authctxt);
+ cleanup_registered = 0;
+
+ xfree(authctxt->krb4_ticket_file);
+ authctxt->krb4_ticket_file = NULL;
+
+ return (0);
+}
/*
* try krb4 authentication,
* return 1 on success, 0 on failure, -1 if krb4 is not available
*/
-
int
-auth_krb4_password(struct passwd * pw, const char *password)
+auth_krb4_password(Authctxt *authctxt, const char *password)
{
AUTH_DAT adata;
KTEXT_ST tkt;
struct hostent *hp;
- u_long faddr;
- char localhost[MAXHOSTNAMELEN];
- char phost[INST_SZ];
- char realm[REALM_SZ];
+ struct passwd *pw;
+ char localhost[MAXHOSTNAMELEN], phost[INST_SZ], realm[REALM_SZ];
+ u_int32_t faddr;
int r;
-
+
+ if ((pw = authctxt->pw) == NULL)
+ return (0);
+
/*
* Try Kerberos password authentication only for non-root
* users and only if Kerberos is installed.
*/
if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
-
/* Set up our ticket file. */
- if (!krb4_init(pw->pw_uid)) {
+ if (!krb4_init(authctxt)) {
log("Couldn't initialize Kerberos ticket file for %s!",
pw->pw_name);
- goto kerberos_auth_failure;
+ goto failure;
}
/* Try to get TGT using our password. */
- r = krb_get_pw_in_tkt((char *) pw->pw_name, "",
- realm, "krbtgt", realm,
- DEFAULT_TKT_LIFE, (char *) password);
+ r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm,
+ "krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password);
if (r != INTK_OK) {
- packet_send_debug("Kerberos V4 password "
- "authentication for %s failed: %s",
- pw->pw_name, krb_err_txt[r]);
- goto kerberos_auth_failure;
+ debug("Kerberos v4 password authentication for %s "
+ "failed: %s", pw->pw_name, krb_err_txt[r]);
+ goto failure;
}
/* Successful authentication. */
chown(tkt_string(), pw->pw_uid, pw->pw_gid);
-
+
/*
* Now that we have a TGT, try to get a local
* "rcmd" ticket to ensure that we are not talking
* to a bogus Kerberos server.
*/
- (void) gethostname(localhost, sizeof(localhost));
- (void) strlcpy(phost, (char *) krb_get_phost(localhost),
- INST_SZ);
+ gethostname(localhost, sizeof(localhost));
+ strlcpy(phost, (char *)krb_get_phost(localhost),
+ sizeof(phost));
r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
-
+
if (r == KSUCCESS) {
- if (!(hp = gethostbyname(localhost))) {
+ if ((hp = gethostbyname(localhost)) == NULL) {
log("Couldn't get local host address!");
- goto kerberos_auth_failure;
+ goto failure;
}
- memmove((void *) &faddr, (void *) hp->h_addr,
+ memmove((void *)&faddr, (void *)hp->h_addr,
sizeof(faddr));
-
+
/* Verify our "rcmd" ticket. */
r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
faddr, &adata, "");
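Review bot: `gethostname(localhost, sizeof(localhost));` in auth_krb4_password now drops the `(void)` cast but still ignores the return value, and on failure or truncation `localhost` may be left unterminated before it reaches `krb_get_phost()` and `gethostbyname()`. Either check the result, `if (gethostname(localhost, sizeof(localhost)) == -1) goto failure;`, or at least force termination with `localhost[sizeof(localhost) - 1] = '\0';` right after the call. In krb4_init the `mkstemp()` call deserves a comment: the name built by `snprintf` carries no `XXXXXX` suffix, so the call is effectively a single exclusive create of a fixed, predictable path, and the owner/mode test on the `lstat()` fallback is what makes reusing an already present file acceptable — something like `/* No XXXXXX in the name: mkstemp() is just an O_EXCL create here. */`. auth_krb4_password's body continues past the end of this hunk.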
@@ -111,119 +156,74 @@
* Probably didn't have a srvtab on
* localhost. Disallow login.
*/
- log("Kerberos V4 TGT for %s unverifiable, "
+ log("Kerberos v4 TGT for %s unverifiable, "
"no srvtab installed? krb_rd_req: %s",
pw->pw_name, krb_err_txt[r]);
- goto kerberos_auth_failure;
+ goto failure;
} else if (r != KSUCCESS) {
- log("Kerberos V4 %s ticket unverifiable: %s",
+ log("Kerberos v4 %s ticket unverifiable: %s",
KRB4_SERVICE_NAME, krb_err_txt[r]);
- goto kerberos_auth_failure;
+ goto failure;
}
} else if (r == KDC_PR_UNKNOWN) {
/*
* Disallow login if no rcmd service exists, and
* log the error.
*/
- log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
+ log("Kerberos v4 TGT for %s unverifiable: %s; %s.%s "
"not registered, or srvtab is wrong?", pw->pw_name,
- krb_err_txt[r], KRB4_SERVICE_NAME, phost);
- goto kerberos_auth_failure;
+ krb_err_txt[r], KRB4_SERVICE_NAME, phost);
+ goto failure;
} else {
/*
* TGT is bad, forget it. Possibly spoofed!
*/
- packet_send_debug("WARNING: Kerberos V4 TGT "
- "possibly spoofed for %s: %s",
- pw->pw_name, krb_err_txt[r]);
- goto kerberos_auth_failure;
+ debug("WARNING: Kerberos v4 TGT possibly spoofed "
+ "for %s: %s", pw->pw_name, krb_err_txt[r]);
+ goto failure;
}
-
/* Authentication succeeded. */
- return 1;
-
-kerberos_auth_failure:
- krb4_cleanup_proc(NULL);
-
- if (!options.krb4_or_local_passwd)
- return 0;
- } else {
+ return (1);
+ } else
/* Logging in as root or no local Kerberos realm. */
- packet_send_debug("Unable to authenticate to Kerberos.");
- }
+ debug("Unable to authenticate to Kerberos.");
+
+ failure:
+ krb4_cleanup_proc(authctxt);
+
+ if (!options.kerberos_or_local_passwd)
+ return (0);
+
/* Fall back to ordinary passwd authentication. */
- return -1;
+ return (-1);
}
void
-krb4_cleanup_proc(void *ignore)
+krb4_cleanup_proc(void *context)
{
+ Authctxt *authctxt = (Authctxt *)context;
debug("krb4_cleanup_proc called");
- if (ticket) {
+ if (authctxt->krb4_ticket_file) {
(void) dest_tkt();
- xfree(ticket);
- ticket = NULL;
+ xfree(authctxt->krb4_ticket_file);
+ authctxt->krb4_ticket_file = NULL;
}
}
int
-krb4_init(uid_t uid)
-{
- static int cleanup_registered = 0;
- const char *tkt_root = TKT_ROOT;
- struct stat st;
- int fd;
-
- if (!ticket) {
- /* Set unique ticket string manually since we're still root. */
- ticket = xmalloc(MAXPATHLEN);
-#ifdef AFS
- if (lstat("/ticket", &st) != -1)
- tkt_root = "/ticket/";
-#endif /* AFS */
- snprintf(ticket, MAXPATHLEN, "%s%u_%d", tkt_root, uid, getpid());
- (void) krb_set_tkt_string(ticket);
- }
- /* Register ticket cleanup in case of fatal error. */
- if (!cleanup_registered) {
- fatal_add_cleanup(krb4_cleanup_proc, NULL);
- cleanup_registered = 1;
- }
- /* Try to create our ticket file. */
- if ((fd = mkstemp(ticket)) != -1) {
- close(fd);
- return 1;
- }
- /* Ticket file exists - make sure user owns it (just passed ticket). */
- if (lstat(ticket, &st) != -1) {
- if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) &&
- st.st_uid == uid)
- return 1;
- }
- /* Failure - cancel cleanup function, leaving bad ticket for inspection. */