mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-27 12:22:09 +00:00
- Merged OpenBSD CVS changes
- [ChangeLog.Ylonen] noone needs this anymore - [authfd.c] close-on-exec for auth-socket, ok deraadt - [hostfile.c] in known_hosts key lookup the entry for the bits does not need to match, all the information is contained in n and e. This solves the problem with buggy servers announcing the wrong modulus length. markus and me. - [serverloop.c] bugfix: check for space if child has terminated, from: iedowse@maths.tcd.ie - [ssh-add.1 ssh-add.c ssh-keygen.1 ssh-keygen.c sshconnect.c] [fingerprint.c fingerprint.h] rsa key fingerprints, idea from Bjoern Groenvall <bg@sics.se> - [ssh-agent.1] typo - [ssh.1] add OpenSSH information to AUTHOR section. okay markus@ - [sshd.c] force logging to stderr while loading private key file (lost while converting to new log-levels)
This commit is contained in:
parent
d743bba481
commit
10f6f6ba9e
21
ChangeLog
21
ChangeLog
@ -1,3 +1,24 @@
|
||||
19991117
|
||||
- Merged OpenBSD CVS changes
|
||||
- [ChangeLog.Ylonen] noone needs this anymore
|
||||
- [authfd.c] close-on-exec for auth-socket, ok deraadt
|
||||
- [hostfile.c]
|
||||
in known_hosts key lookup the entry for the bits does not need
|
||||
to match, all the information is contained in n and e. This
|
||||
solves the problem with buggy servers announcing the wrong
|
||||
modulus length. markus and me.
|
||||
- [serverloop.c]
|
||||
bugfix: check for space if child has terminated, from:
|
||||
iedowse@maths.tcd.ie
|
||||
- [ssh-add.1 ssh-add.c ssh-keygen.1 ssh-keygen.c sshconnect.c]
|
||||
[fingerprint.c fingerprint.h]
|
||||
rsa key fingerprints, idea from Bjoern Groenvall <bg@sics.se>
|
||||
- [ssh-agent.1] typo
|
||||
- [ssh.1] add OpenSSH information to AUTHOR section. okay markus@
|
||||
- [sshd.c]
|
||||
force logging to stderr while loading private key file
|
||||
(lost while converting to new log-levels)
|
||||
|
||||
19991116
|
||||
- Fix some Linux libc5 problems reported by Miles Wilson <mw@mctitle.com>
|
||||
- Merged OpenBSD CVS changes:
|
||||
|
578
ChangeLog.Ylonen
578
ChangeLog.Ylonen
@ -1,578 +0,0 @@
|
||||
Fri Nov 17 16:19:20 1995 Tatu Ylonen <ylo@trance.olari.clinet.fi>
|
||||
|
||||
* Released 1.2.12.
|
||||
|
||||
* channels.c: Commented out debugging messages about output draining.
|
||||
|
||||
* Added file OVERVIEW to give some idea about the structure of the
|
||||
ssh software.
|
||||
|
||||
Thu Nov 16 16:40:17 1995 Tatu Ylonen <ylo@trance.olari.clinet.fi>
|
||||
|
||||
* canohost.c (get_remote_hostname): Don't ever return NULL (causes
|
||||
segmentation violation).
|
||||
|
||||
* sshconnect.c: Host ip address printed incorrectly with -v.
|
||||
|
||||
* Implemented SSH_TTY environment variable.
|
||||
|
||||
Wed Nov 15 01:47:40 1995 Tatu Ylonen <ylo@trance.olari.clinet.fi>
|
||||
|
||||
* Implemented server and client option KeepAlive to specify
|
||||
whether to set SO_KEEPALIVE. Both default to "yes"; to disable
|
||||
keepalives, set the value to "no" in both the server and the
|
||||
client configuration files. Updated manual pages.
|
||||
|
||||
* sshd.c: Fixed Solaris utmp problem: wrong pid stored in utmp
|
||||
(patch from Petri Virkkula <argon@bat.cs.hut.fi>).
|
||||
|
||||
* login.c (record_logout): Fixed removing user from utmp on BSD
|
||||
(with HAVE_LIBUTIL_LOGIN).
|
||||
|
||||
* Added cleanup functions to be called from fatal(). Arranged for
|
||||
utmp to be cleaned if sshd terminates by calling fatal (e.g.,
|
||||
after dropping connection). Eliminated separate client-side
|
||||
fatal() functions and moved fatal() to log-client.c. Made all
|
||||
cleanups, including channel_stop_listening() and packet_close()
|
||||
be called using this mechanism.
|
||||
|
||||
Thu Nov 9 09:58:05 1995 Tatu Ylonen <ylo@soikko.cs.hut.fi>
|
||||
|
||||
* sshd.c: Permit immediate login with empty password only if
|
||||
password authentication is allowed.
|
||||
|
||||
Wed Nov 8 00:43:55 1995 Tatu Ylonen <ylo@soikko.cs.hut.fi>
|
||||
|
||||
* Eliminated unix-domain X11 forwarding. Inet-domain forwarding is
|
||||
now the only supported form. Renamed server option
|
||||
X11InetForwarding to X11Forwarding, and eliminated
|
||||
X11UnixForwarding. Updated documentation. Updated RFC (marked
|
||||
the SSH_CMSG_X11_REQUEST_FORWARDING message (code 26) as
|
||||
obsolete, and removed all references to it). Increased protocol
|
||||
version number to 1.3.
|
||||
|
||||
* scp.c (main): Added -B (BatchMode). Updated manual page.
|
||||
|
||||
* Cleaned up and updated all manual pages.
|
||||
|
||||
* clientloop.c: Added new escape sequences ~# (lists forwarded
|
||||
connections), ~& (background ssh when waiting for forwarded
|
||||
connections to terminate), ~? (list available escapes).
|
||||
Polished the output of the connection listing. Updated
|
||||
documentation.
|
||||
|
||||
* uidswap.c: If _POSIX_SAVED_IDS is defined, don't change the real
|
||||
uid. Assume that _POSIX_SAVED_IDS also applies to seteuid.
|
||||
This may solve problems with tcp_wrappers (libwrap) showing
|
||||
connections as coming from root.
|
||||
|
||||
Tue Nov 7 20:28:57 1995 Tatu Ylonen <ylo@soikko.cs.hut.fi>
|
||||
|
||||
* Added RandomSeed server configuration option. The argument
|
||||
specifies the location of the random seed file. Updated
|
||||
documentation.
|
||||
|
||||
* Locate perl5 in configure. Generate make-ssh-known-hosts (with
|
||||
the correct path for perl5) in Makefile.in, and install it with
|
||||
the other programs. Updated manual page.
|
||||
|
||||
* sshd.c (main): Added a call to umask to set the umask to a
|
||||
reasonable value.
|
||||
|
||||
* compress.c (buffer_compress): Fixed to follow the zlib
|
||||
documentation (which is slightly confusing).
|
||||
|
||||
* INSTALL: Added information about Linux libc.so.4 problem.
|
||||
|
||||
Mon Nov 6 15:42:36 1995 Tatu Ylonen <ylo@soikko.cs.hut.fi>
|
||||
|
||||
* (Actually autoconf fix) Installed patch to AC_ARG_PROGRAM.
|
||||
|
||||
* sshd.c, sshd.8.in: Renamed $HOME/.environment ->
|
||||
$HOME/.ssh/environment.
|
||||
|
||||
* configure.in: Disable shadow password checking on convex.
|
||||
Convex has /etc/shadow, but sets pw_passwd automatically if
|
||||
running as root.
|
||||
|
||||
* Eliminated HAVE_ETC_MASTER_PASSWD (NetBSD, FreeBSD); the
|
||||
pw_passwd field is automatically filled if running as root.
|
||||
Put explicit code in configure.in to prevent shadow password
|
||||
checking on FreeBSD and NetBSD.
|
||||
|
||||
* serverloop.c (signchld_handler): Don't print error if wait
|
||||
returns -1.
|
||||
|
||||
* Makefile.in (install): Fixed modes of data files.
|
||||
|
||||
* Makefile.in (install): Make links for slogin.1.
|
||||
|
||||
* make-ssh-known-hosts: Merged a patch from melo@ci.uminho.pt to
|
||||
fix the ping command.
|
||||
|
||||
Fri Nov 3 16:25:28 1995 Tatu Ylonen <ylo@soikko.cs.hut.fi>
|
||||
|
||||
* ssh.1.in: Added more information about X11 forwarding.
|
||||
|
||||
Thu Nov 2 18:42:13 1995 Tatu Ylonen <ylo@soikko.cs.hut.fi>
|
||||
|
||||
* Changes to use O_NONBLOCK_BROKEN consistently.
|
||||
|
||||
* pty.c (pty_make_controlling_tty): Use setpgid instead of
|
||||
setsid() on Ultrix.
|
||||
|
||||
* includes.h: Removed redundant #undefs for Ultrix and Sony News;
|
||||
these are already handled in configure.in.
|
||||
|
||||
Tue Oct 31 13:31:28 1995 Tatu Ylonen <ylo@soikko.cs.hut.fi>
|
||||
|
||||
* configure.in: Define SSH_WTMP to /var/adm/wtmp is wtmp not found.
|
||||
|
||||
* configure.in: Disable vhangup on Ultrix. I am told this fixes
|
||||
the server problems.
|
||||
|
||||
Sat Oct 28 14:22:05 1995 Tatu Ylonen <ylo@soikko.cs.hut.fi>
|
||||
|
||||
* sshconnect.c: Fixed a bug in connecting to a multi-homed host.
|
||||
Restructured the connecting code to never try to use the same
|
||||
socket a second time after a failed connection.
|
||||
|
||||
* Makefile.in: Added explicit -m option to install, and umask 022
|
||||
when creating directories and the host key.
|
||||
|
||||
Fri Oct 27 01:05:10 1995 Tatu Ylonen <ylo@soikko.cs.hut.fi>
|
||||
|
||||
* Makefile.in: Added cleaning of $(ZLIBDIR) to clean and distclean.
|
||||
|
||||
* login.c (get_last_login_time): Fixed a typo (define -> defined).
|
||||
|
||||
Thu Oct 26 01:28:07 1995 Tatu Ylonen <ylo@soikko.cs.hut.fi>
|
||||
|
||||
* configure.in: Moved testing for ANSI C compiler after the host
|
||||
specific code (problems on HPUX).
|
||||
|
||||
* Minor fixes to /etc/default/login stuff from Bryan O'Sullivan.
|
||||
|
||||
* Fixed .SH NAME sections in manual pages.
|
||||
|
||||
* compress.c: Trying to fix a mysterious bug in the compression
|
||||
glue.
|
||||
|
||||
* ssh-1.2.11.
|
||||
|
||||
* scp.c: disable agent forwarding when running ssh from scp.
|
||||
|
||||
* Added compression of plaintext packets using the gzip library
|
||||
(zlib). Client configuration options Compression and
|
||||
CompressionLevel (1-9 as in gzip). New ssh and scp option -C
|
||||
(to enable compression). Updated RFC.
|
||||
|
||||
Wed Oct 25 05:11:55 1995 Tatu Ylonen <ylo@soikko.cs.hut.fi>
|
||||
|
||||
* Implemented ProxyCommand stuff based on patches from Bryan
|
||||
O'Sullivan <bos@serpentine.com>.
|
||||
|
||||
* Merged BSD login/logout/lastlog patches from Mark Treacy
|
||||
<mark@labtam.oz.au>.
|
||||
|
||||
* sshd.c: Added chdir("/").
|
||||
|
||||
Tue Oct 24 00:29:01 1995 Tatu Ylonen <ylo@soikko.cs.hut.fi>
|
||||
|
||||
* Merged RSA environment= patches from Felix Leitner
|
||||
<leitner@prz.tu-berlin.de> with some changes.
|
||||
|
||||
* sshd.c: Made the packet code use two separate descriptors for
|
||||
the connection (one for input, the other for output). This will
|
||||
make future extensions easier (e.g., non-socket transports, etc.).
|
||||
sshd -i now uses both stdin and stdout separately.
|
||||
|
||||
Mon Oct 23 21:29:28 1995 Tatu Ylonen <ylo@soikko.cs.hut.fi>
|
||||
|
||||
* sshd.c: Merged execle -> execve patches from Mark Martinec
|
||||
<Mark.Martinec@nsc.ijs.si>. This may help with execle bugs on
|
||||
Convex (environment not getting passed properly). This might
|
||||
also solve similar problems on Sonys; please test!
|
||||
|
||||
* Removed all compatibility code for protocol version 1.0.
|
||||
THIS MEANS THAT WE ARE NO LONGER COMPATIBLE WITH SSH VERSIONS
|
||||
PRIOR TO 1.1.0.
|
||||
|
||||
* randoms.c (random_acquire_light_environmental_noise): If
|
||||
/dev/random is available, read up to 32 bytes (256 bits) from
|
||||
there in non-blocking mode, and mix the new random bytes into
|
||||
the pool.
|
||||
|
||||
* Added client configuration option StrictHostKeyChecking
|
||||
(disabled by default). If this is enabled, the client will not
|
||||
automatically add new host keys to $HOME/.ssh/known_hosts;
|
||||
instead the connection will be refused if the host key is not
|
||||
known. Similarly, if the host key has changed, the connection
|
||||
will be refused instead if just issuing a warning. This
|
||||
provides additional security against man-in-the-middle/trojan
|
||||
horse attacks (especially in scripts where there is no-one to
|
||||
see the warnings), but may be quite inconvenient in everyday
|
||||
interactive use unless /etc/ssh_known_hosts is very complete,
|
||||
because new host keys must now be added manually.
|
||||
|
||||
* sshconnect.c (ssh_connect): Use the user's uid when creating the
|
||||
socket and connecting it. I am hoping that this might help with
|
||||
tcp_wrappers showing the remote user as root.
|
||||
|
||||
* ssh.c: Try inet-domain X11 forwarding regardless of whether we
|
||||
can get local authorization information. If we don't, we just
|
||||
come up with fake information; the forwarding code will anyway
|
||||
generate its own fake information and validate that the client
|
||||
knows that information. It will then substitute our fake
|
||||
information for that, but that info should get ignored by the
|
||||
server if it doesn't support it.
|
||||
|
||||
* Added option BatchMode to disable password/passphrase querying
|
||||
in scripts.
|
||||
|
||||
* auth-rh-rsa.c: Changed to use uid-swapping when reading
|
||||
.ssh/known_hosts.
|
||||
|
||||
* sshd.8.in (command): Improved documentation of file permissions
|
||||
on the manual pages.
|
||||
|
||||
Thu Oct 19 21:05:51 1995 Tatu Ylonen <ylo@soikko.cs.hut.fi>
|
||||
|
||||
* ssh-add.c (add_file): Fixed a bug causing ssh to sometimes refer
|
||||
to freed memory (comment -> saved_comment).
|
||||
|
||||
* log-server.c: Added a prefix to debug/warning/error/fatal
|
||||
messages describing message types. Syslog does not include that
|
||||
information automatically.
|
||||
|
||||
Sun Oct 8 01:56:01 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* Merged /etc/default/login and MAIL environment variable changes
|
||||
from Bryan O'Sullivan <bos@serpentine.com>.
|
||||
- mail spool file location
|
||||
- process /etc/default/login
|
||||
- add HAVE_ETC_DEFAULT_LOGIN
|
||||
- new function child_get_env and read_etc_default_login (sshd.c)
|
||||
|
||||
* ssh-add.c (add_file): Fixed asking for passphrase.
|
||||
|
||||
* Makefile.in: Fixed installing configure-generated man pages when
|
||||
compiling in a separate object directory.
|
||||
|
||||
* sshd.c (main): Moved RSA key generation until after allocating
|
||||
the port number. (Actually, the code got duplicated because we
|
||||
never listen when run from inetd.)
|
||||
|
||||
* ssh.c: Fixed a problem that caused scp to hang when called with
|
||||
stdin closed.
|
||||
|
||||
Sat Oct 7 03:08:06 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* Added server config option StrictModes. It specifies whether to
|
||||
check ownership and modes of home directory and .rhosts files.
|
||||
|
||||
* ssh.c: If ssh is renamed/linked to a host name, connect to that
|
||||
host.
|
||||
|
||||
* serverloop.c, clientloop.c: Ignore EAGAIN reported on read from
|
||||
connection. Solaris has a kernel bug which causes select() to
|
||||
sometimes wake up even though there is no data available.
|
||||
|
||||
* Display all open connections when printing the "Waiting for
|
||||
forwarded connections to terminate" message.
|
||||
|
||||
* sshd.c, readconf.c: Added X11InetForwarding and
|
||||
X11UnixForwarding server config options.
|
||||
|
||||
Thu Oct 5 17:41:16 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* Some more SCO fixes.
|
||||
|
||||
Tue Oct 3 01:04:34 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* Fixes and cleanups in README, INSTALL, COPYING.
|
||||
|
||||
Mon Oct 2 03:36:08 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* ssh-add.c (add_file): Fixed a bug in ssh-add (xfree: NULL ...).
|
||||
|
||||
* Removed .BR from ".SH NAME" in man pages.
|
||||
|
||||
Sun Oct 1 04:16:07 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* ssh-1.2.10.
|
||||
|
||||
* configure.in: When checking that the compiler works, check that
|
||||
it understands ANSI C prototypes.
|
||||
|
||||
* Made uidswap error message a debug() to avoid confusing errors
|
||||
on AIX (AIX geteuid is brain-damaged and fails even for root).
|
||||
|
||||
* Fixed an error in sshd.8 (FacistLogging -> FascistLogging).
|
||||
|
||||
* Fixed distribution in Makefile.in (missing manual page .in files).
|
||||
|
||||
Sat Sep 30 17:38:46 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* auth-rhosts.c: Fixed serious security problem in
|
||||
/etc/hosts.equiv authentication.
|
||||
|
||||
Fri Sep 29 00:41:02 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* Include machine/endian.h on Paragon.
|
||||
|
||||
* ssh-add.c (add_file): Made ssh-add keep asking for the
|
||||
passphrase until the user just types return or cancels.
|
||||
Make the dialog display the comment of the key.
|
||||
|
||||
* Read use shosts.equiv in addition to /etc/hosts.equiv.
|
||||
|
||||
* sshd.8 is now sshd.8.in and is processed by configure to
|
||||
substitute the proper paths for various files. Ditto for ssh.1.
|
||||
Ditto for make-ssh-known-hosts.1.
|
||||
|
||||
* configure.in: Moved /etc/sshd_pid to PIDDIR/sshd.pid. PIDDIR
|
||||
will be /var/run if it exists, and ETCDIR otherwise.
|
||||
|
||||
Thu Sep 28 21:52:42 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* On Ultrix, check if sys/syslog.h needs to be included in
|
||||
addition to syslog.h.
|
||||
|
||||
* make-ssh-known-hosts.pl: Merged Kivinen's fixes for HPUX.
|
||||
|
||||
* configure.in: Put -lwrap, -lsocks, etc. at the head of LIBS.
|
||||
|
||||
* Fixed case-insensitivity in auth-rhosts.c.
|
||||
|
||||
* Added missing socketpair.c to EXTRA_SRCS (needed on SCO), plus
|
||||
other SCO fixes.
|
||||
|
||||
* Makefile.in: Fixed missing install_prefixes.
|
||||
|
||||
Wed Sep 27 03:57:00 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* ssh-1.2.9.
|
||||
|
||||
* Added SOCKS support.
|
||||
|
||||
* Fixed default setting of IgnoreRhosts option.
|
||||
|
||||
* Pass the magic cookie to xauth in stdin instead of command line;
|
||||
the command line is visible in ps.
|
||||
|
||||
* Added processing $HOME/.ssh/rc and /etc/sshrc.
|
||||
|
||||
* Added a section to sshd.8 on what happens at login time.
|
||||
|
||||
Tue Sep 26 01:27:40 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* Don't define speed_t on SunOS 4.1.1; it conflicts with system
|
||||
headers.
|
||||
|
||||
* Added support for .hushlogin.
|
||||
|
||||
* Added --with-etcdir.
|
||||
|
||||
* Read $HOME/.environment after /etc/environment.
|
||||
|
||||
Mon Sep 25 03:26:06 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* Merged patches for SCO Unix (from Michael Henits).
|
||||
|
||||
Sun Sep 24 22:28:02 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* Added ssh option ConnectionAttempts.
|
||||
|
||||
Sat Sep 23 12:30:15 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* sshd.c: Don't print last login time and /etc/motd if a command
|
||||
has been specified (with ssh -t host command).
|
||||
|
||||
* Added support for passing the screen number in X11 forwarding.
|
||||
It is implemented as a compatible protocol extension, signalled
|
||||
by SSH_PROTOFLAG_SCREEN_NUMBER by the child.
|
||||
|
||||
* clientloop.c: Fixed bugs in the order in which things were
|
||||
processed. This may solve problems with some data not getting
|
||||
sent to the server as soon as possible (probably solves the TCP
|
||||
forwarding delayed close problem). Also, it looked like window
|
||||
changes might not get transmitted as early as possible in some
|
||||
cases.
|
||||
|
||||
* clientloop.c: Changed to detect window size change that
|
||||
happened while ssh was suspended.
|
||||
|
||||
* ssh.c: Moved the do_session function (client main loop) to
|
||||
clientloop.c. Divided it into smaller functions. General cleanup.
|
||||
|
||||
* ssh-1.2.8
|
||||
|
||||
Fri Sep 22 22:07:46 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* sshconnect.c (ssh_login): Made ssh_login take the options
|
||||
structure as argument, instead of the individual arguments.
|
||||
|
||||
* auth-rhosts.c (check_rhosts_file): Added support for netgroups.
|
||||
|
||||
* auth-rhosts.c (check_rhosts_file): Added support for negated
|
||||
entries.
|
||||
|
||||
Thu Sep 21 00:07:56 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* auth-rhosts.c: Restructured rhosts authentication code.
|
||||
Hosts.equiv now has same format as .rhosts: user names are allowed.
|
||||
|
||||
* Added support for the Intel Paragon.
|
||||
|
||||
* sshd.c: Don't use X11 forwarding with spoofing if no xauth
|
||||
program. Changed configure.in to not define XAUTH_PATH if
|
||||
there is no xauth program.
|
||||
|
||||
* ssh-1.2.7
|
||||
|
||||
* sshd.c: Rewrote the code to build the environment. Now also reads
|
||||
/etc/environment.
|
||||
|
||||
* sshd.c: Fixed problems in libwrap code. --with-libwrap now
|
||||
takes optional library name/path.
|
||||
|
||||
* ssh-1.2.6
|
||||
|
||||
* Define USE_PIPES by default.
|
||||
|
||||
* Added support for Univel Unixware and MachTen.
|
||||
|
||||
* Added IgnoreRhosts server option.
|
||||
|
||||
* Added USE_STRLEN_FOR_AF_UNIX; it is needed at least on MachTen.
|
||||
|
||||
Wed Sep 20 02:41:02 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* sshd.c (do_child): don't call packet_close when /etc/nologin,
|
||||
because packet_close does shutdown, and the message does not get
|
||||
sent.
|
||||
|
||||
* pty.c (pty_allocate): Push ttcompat streams module.
|
||||
|
||||
* randoms.c (random_acquire_light_environmental_noise): Don't use
|
||||
the second argument to gettimeofday as it is not supported on
|
||||
all systems.
|
||||
|
||||
* login.c (record_login): Added NULL second argument to gettimeofday.
|
||||
|
||||
Tue Sep 19 13:25:48 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* fixed pclose wait() in sshd key regeneration (now only collects
|
||||
easily available noise).
|
||||
|
||||
* configure.in: test for bsdi before bsd*.
|
||||
|
||||
* ssh.c: Don't print "Connection closed" if -q.
|
||||
|
||||
Wed Sep 13 04:19:52 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* Released ssh-1.2.5.
|
||||
|
||||
* Hopefully fixed "Waiting for forwarded connections to terminate"
|
||||
message.
|
||||
|
||||
* randoms.c, md5.c: Large modifications to make these work on Cray
|
||||
(which has no 32 bit integer type).
|
||||
|
||||
* Fixed a problem with forwarded connection closes not being
|
||||
reported immediately.
|
||||
|
||||
* ssh.c: fixed rhosts authentication (broken by uid-swapping).
|
||||
|
||||
* scp.c: Don't use -l if server user not specified (it made
|
||||
setting User in the configuration file not work).
|
||||
|
||||
* configure.in: don't use -pipe on BSDI.
|
||||
|
||||
* randoms.c: Major modifications to make it work without 32 bit
|
||||
integers (e.g. Cray).
|
||||
|
||||
* md5.c: Major modifications to make it work without 32 bit
|
||||
integers (e.g. Cray).
|
||||
|
||||
* Eliminated HPSUX_BROKEN_PTYS. The code is now enabled by
|
||||
default on all systems.
|
||||
|
||||
Mon Sep 11 00:53:12 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* sshd.c: don't include sshd pathname in log messages.
|
||||
|
||||
* Added libwrap stuff (includes support for identd).
|
||||
|
||||
* Added OSF/1 C2 extended security stuff.
|
||||
|
||||
* Fixed interactions between getuid() and uid-swap stuff.
|
||||
|
||||
Sun Sep 10 00:29:27 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* serverloop.c: Don't send stdout data to client until after a few
|
||||
milliseconds if there is very little data. This is because some
|
||||
systems give data from pty one character at a time, which would
|
||||
multiply data size by about 16.
|
||||
|
||||
* serverloop.c: Moved server do_session to a separate file and
|
||||
renamed it server_loop. Split it into several functions and
|
||||
partially rewrote it. Fixed "cat /etc/termcap | ssh foo cat" hangup.
|
||||
|
||||
* Screwed up something while checking stuff in under cvs. No harm,
|
||||
but bogus log entries...
|
||||
|
||||
Sat Sep 9 02:24:51 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* minfd.c (_get_permanent_fd): Use SHELL environment variable.
|
||||
|
||||
* channels.c (x11_create_display_inet): Created
|
||||
HPSUX_NONSTANDARD_X11_KLUDGE; it causes DISPLAY to contain the
|
||||
IP address of the host instead of the name, because HPSUX uses
|
||||
some magic shared memory communication for local connections.
|
||||
|
||||
* Changed SIGHUP processing in server; it should now work multiple
|
||||
times.
|
||||
|
||||
* Added length limits in many debug/log/error/fatal calls just in
|
||||
case.
|
||||
|
||||
* login.c (get_last_login_time): Fixed location of lastlog.
|
||||
|
||||
* Rewrote all uid-swapping code. New files uidswap.h, uidswap.c.
|
||||
|
||||
* Fixed several security problems involving chmod and chgrp (race
|
||||
conditions). Added warnings about dubious modes for /tmp/.X11-unix.
|
||||
|
||||
Fri Sep 8 20:03:36 1995 Tatu Ylonen <ylo@shadows.cs.hut.fi>
|
||||
|
||||
* Changed readconf.c to never display anything from the config
|
||||
file. This should now be prevented otherwise, but let's play safe.
|
||||
|
||||
* log-server.c: Use %.500s in syslog() just to be sure (they
|
||||
should already be shorter than 1024 though).
|
||||
|
||||
* sshd.c: Moved setuid in child a little earlier (just to be
|
||||
conservative, there was no security problem that I could detect).
|
||||
|
||||
* README, INSTALL: Added info about mailing list and WWW page.
|
||||
|
||||
* sshd.c: Added code to use SIGCHLD and wait zombies immediately.
|
||||
|
||||
* Merged patch to set ut_addr in utmp.
|
||||
|
||||
* Created ChangeLog and added it to Makefile.in.
|
||||
|
||||
* Use read_passphrase instead of getpass().
|
||||
|
||||
* Added SSH_FALLBACK_CIPHER. Fixed a bug in default cipher
|
||||
selection (IDEA used to be selected even if not supported by the
|
||||
server).
|
||||
|
||||
* Use no encryption for key files if empty passphrase.
|
||||
|
||||
* Added section about --without-idea in INSTALL.
|
||||
|
||||
* Version 1.2.0 was released a couple of days ago.
|
||||
|
@ -31,7 +31,7 @@ OBJS= authfd.o authfile.o auth-passwd.o auth-rhosts.o auth-rh-rsa.o \
|
||||
|
||||
all: $(OBJS) $(TARGETS)
|
||||
|
||||
libssh.a: authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o hostfile.o match.o mpaux.o nchan.o packet.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o xmalloc.o helper.o rc4.o mktemp.o strlcpy.o log.o
|
||||
libssh.a: authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o hostfile.o match.o mpaux.o nchan.o packet.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o xmalloc.o helper.o rc4.o mktemp.o strlcpy.o log.o fingerprint.o
|
||||
$(AR) rv $@ $^
|
||||
$(RANLIB) $@
|
||||
|
||||
|
2
README
2
README
@ -4,6 +4,8 @@ OpenSSH is based on the last free version of Tatu Ylonen's SSH with
|
||||
all patent-encumbered algorithms removed, all known security bugs
|
||||
fixed, new features reintroduced and many other clean-ups. More
|
||||
information about SSH itself can be found in the file README.Ylonen.
|
||||
OpenSSH has been created by Aaron Cambell, Bob Beck, Markus Friedl,
|
||||
Niels Provos, Theo de Raadt, and Dug Song.
|
||||
|
||||
This port consists of the re-introduction of autoconf support, PAM
|
||||
support (for Linux and Solaris), EGD[1] support, and replacements for
|
||||
|
9
authfd.c
9
authfd.c
@ -14,7 +14,7 @@ Functions for connecting the local authentication agent.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$Id: authfd.c,v 1.4 1999/11/16 02:37:16 damien Exp $");
|
||||
RCSID("$Id: authfd.c,v 1.5 1999/11/17 06:29:08 damien Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "rsa.h"
|
||||
@ -51,6 +51,13 @@ ssh_get_authentication_socket()
|
||||
if (sock < 0)
|
||||
return -1;
|
||||
|
||||
/* close on exec */
|
||||
if (fcntl(sock, F_SETFD, 1) == -1)
|
||||
{
|
||||
close(sock);
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (connect(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0)
|
||||
{
|
||||
close(sock);
|
||||
|
39
fingerprint.c
Normal file
39
fingerprint.c
Normal file
@ -0,0 +1,39 @@
|
||||
#include "includes.h"
|
||||
RCSID("$Id: fingerprint.c,v 1.1 1999/11/16 22:49:28 markus Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "xmalloc.h"
|
||||
#include <ssl/md5.h>
|
||||
|
||||
#define FPRINT "%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x"
|
||||
|
||||
/* Generate key fingerprint in ascii format.
|
||||
Based on ideas and code from Bjoern Groenvall <bg@sics.se> */
|
||||
|
||||
char *
|
||||
fingerprint(BIGNUM *e, BIGNUM *n)
|
||||
{
|
||||
static char retval[80];
|
||||
MD5_CTX md;
|
||||
unsigned char d[16];
|
||||
char *buf;
|
||||
int nlen, elen;
|
||||
|
||||
nlen = BN_num_bytes(n);
|
||||
elen = BN_num_bytes(e);
|
||||
|
||||
buf = xmalloc(nlen + elen);
|
||||
|
||||
BN_bn2bin(n, buf);
|
||||
BN_bn2bin(e, buf + nlen);
|
||||
|
||||
MD5_Init(&md);
|
||||
MD5_Update(&md, buf, nlen + elen);
|
||||
MD5_Final(d, &md);
|
||||
snprintf(retval, sizeof(retval), FPRINT,
|
||||
d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7],
|
||||
d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
|
||||
memset(buf, 0, nlen + elen);
|
||||
xfree(buf);
|
||||
return retval;
|
||||
}
|
6
fingerprint.h
Normal file
6
fingerprint.h
Normal file
@ -0,0 +1,6 @@
|
||||
/* RCSID("$Id: fingerprint.h,v 1.1 1999/11/16 22:49:28 markus Exp $"); */
|
||||
|
||||
#ifndef FINGERPRINT_H
|
||||
#define FINGERPRINT_H
|
||||
char * fingerprint(BIGNUM *e, BIGNUM *n);
|
||||
#endif
|
@ -14,7 +14,7 @@ Functions for manipulating the known hosts files.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$Id: hostfile.c,v 1.3 1999/11/16 02:37:16 damien Exp $");
|
||||
RCSID("$Id: hostfile.c,v 1.4 1999/11/17 06:29:08 damien Exp $");
|
||||
|
||||
#include "packet.h"
|
||||
#include "ssh.h"
|
||||
@ -231,7 +231,7 @@ check_host_in_hostfile(const char *filename, const char *host,
|
||||
}
|
||||
|
||||
/* Check if the current key is the same as the given key. */
|
||||
if (kbits == bits && BN_cmp(ke, e) == 0 && BN_cmp(kn, n) == 0)
|
||||
if (BN_cmp(ke, e) == 0 && BN_cmp(kn, n) == 0)
|
||||
{
|
||||
/* Ok, they match. */
|
||||
fclose(f);
|
||||
|
@ -269,8 +269,9 @@ retry_select:
|
||||
if (channel_max_fd() > max_fd)
|
||||
max_fd = channel_max_fd();
|
||||
|
||||
/* If child has terminated, read as much as is available and then exit. */
|
||||
if (child_terminated)
|
||||
/* If child has terminated and there is enough buffer space to read from
|
||||
it, then read as much as is available and exit. */
|
||||
if (child_terminated && packet_not_very_much_data_to_write())
|
||||
if (max_time_milliseconds == 0)
|
||||
max_time_milliseconds = 100;
|
||||
|
||||
|
@ -9,7 +9,7 @@
|
||||
.\"
|
||||
.\" Created: Sat Apr 22 23:55:14 1995 ylo
|
||||
.\"
|
||||
.\" $Id: ssh-add.1,v 1.3 1999/10/28 23:15:49 damien Exp $
|
||||
.\" $Id: ssh-add.1,v 1.4 1999/11/17 06:29:08 damien Exp $
|
||||
.\"
|
||||
.Dd September 25, 1999
|
||||
.Dt SSH-ADD 1
|
||||
@ -19,7 +19,7 @@
|
||||
.Nd adds identities for the authentication agent
|
||||
.Sh SYNOPSIS
|
||||
.Nm ssh-add
|
||||
.Op Fl ldD
|
||||
.Op Fl lLdD
|
||||
.Op Ar
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
@ -41,7 +41,9 @@ to work.
|
||||
The options are as follows:
|
||||
.Bl -tag -width Ds
|
||||
.It Fl l
|
||||
Lists all identities currently represented by the agent.
|
||||
Lists fingerprints of all identities currently represented by the agent.
|
||||
.It Fl L
|
||||
Lists public key parameters of all identities currently represented by the agent.
|
||||
.It Fl d
|
||||
Instead of adding the identity, removes the identity from the agent.
|
||||
.It Fl D
|
||||
|
44
ssh-add.c
44
ssh-add.c
@ -14,12 +14,13 @@ Adds an identity to the authentication server, or removes an identity.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$Id: ssh-add.c,v 1.9 1999/11/16 02:37:16 damien Exp $");
|
||||
RCSID("$Id: ssh-add.c,v 1.10 1999/11/17 06:29:08 damien Exp $");
|
||||
|
||||
#include "rsa.h"
|
||||
#include "ssh.h"
|
||||
#include "xmalloc.h"
|
||||
#include "authfd.h"
|
||||
#include "fingerprint.h"
|
||||
|
||||
#ifdef USE_EXTERNAL_ASKPASS
|
||||
int askpass(const char *filename, RSA *key, const char *saved_comment, char **comment);
|
||||
@ -115,7 +116,6 @@ add_file(AuthenticationConnection *ac, const char *filename)
|
||||
xfree(pass);
|
||||
if (success)
|
||||
break;
|
||||
|
||||
printf("Bad passphrase.\n");
|
||||
}
|
||||
}
|
||||
@ -130,7 +130,7 @@ add_file(AuthenticationConnection *ac, const char *filename)
|
||||
}
|
||||
|
||||
void
|
||||
list_identities(AuthenticationConnection *ac)
|
||||
list_identities(AuthenticationConnection *ac, int fp)
|
||||
{
|
||||
BIGNUM *e, *n;
|
||||
int status;
|
||||
@ -144,21 +144,25 @@ list_identities(AuthenticationConnection *ac)
|
||||
status;
|
||||
status = ssh_get_next_identity(ac, e, n, &comment))
|
||||
{
|
||||
char *ebuf, *nbuf;
|
||||
unsigned int bits = BN_num_bits(n);
|
||||
had_identities = 1;
|
||||
ebuf = BN_bn2dec(e);
|
||||
if (ebuf == NULL) {
|
||||
error("list_identities: BN_bn2dec(e) failed.");
|
||||
}else{
|
||||
nbuf = BN_bn2dec(n);
|
||||
if (nbuf == NULL) {
|
||||
error("list_identities: BN_bn2dec(n) failed.");
|
||||
}else{
|
||||
unsigned int bits = BN_num_bits(n);
|
||||
printf("%d %s %s %s\n", bits, ebuf, nbuf, comment);
|
||||
free(nbuf);
|
||||
}
|
||||
free(ebuf);
|
||||
if (fp) {
|
||||
printf("%d %s %s\n", bits, fingerprint(e, n), comment);
|
||||
} else {
|
||||
char *ebuf, *nbuf;
|
||||
ebuf = BN_bn2dec(e);
|
||||
if (ebuf == NULL) {
|
||||
error("list_identities: BN_bn2dec(e) failed.");
|
||||
}else{
|
||||
nbuf = BN_bn2dec(n);
|
||||
if (nbuf == NULL) {
|
||||
error("list_identities: BN_bn2dec(n) failed.");
|
||||
}else{
|
||||
printf("%d %s %s %s\n", bits, ebuf, nbuf, comment);
|
||||
free(nbuf);
|
||||
}
|
||||
free(ebuf);
|
||||
}
|
||||
}
|
||||
xfree(comment);
|
||||
}
|
||||
@ -180,6 +184,7 @@ main(int argc, char **argv)
|
||||
|
||||
/* check if RSA support exists */
|
||||
if (rsa_alive() == 0) {
|
||||
extern char *__progname;
|
||||
|
||||
fprintf(stderr,
|
||||
"%s: no RSA support in libssl and libcrypto. See ssl(8).\n",
|
||||
@ -196,9 +201,10 @@ main(int argc, char **argv)
|
||||
|
||||
for (i = 1; i < argc; i++)
|
||||
{
|
||||
if (strcmp(argv[i], "-l") == 0)
|
||||
if ((strcmp(argv[i], "-l") == 0) ||
|
||||
(strcmp(argv[i], "-L") == 0))
|
||||
{
|
||||
list_identities(ac);
|
||||
list_identities(ac, argv[i][1] == 'l' ? 1 : 0);
|
||||
no_files = 0; /* Don't default-add/delete if -l. */
|
||||
continue;
|
||||
}
|
||||
|
@ -1,11 +1,11 @@
|
||||
.\" $OpenBSD: ssh-agent.1,v 1.7 1999/10/28 08:43:10 markus Exp $
|
||||
.\" $OpenBSD: ssh-agent.1,v 1.8 1999/11/16 23:59:21 deraadt Exp $
|
||||
.\"
|
||||
.\" -*- nroff -*-
|
||||
.\"
|
||||
.\" ssh-agent.1
|
||||
.\"
|
||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
pp.\"
|
||||
.\"
|
||||
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
.\" All rights reserved
|
||||
.\"
|
||||
|
12
ssh-keygen.1
12
ssh-keygen.1
@ -9,7 +9,7 @@
|
||||
.\"
|
||||
.\" Created: Sat Apr 22 23:55:14 1995 ylo
|
||||
.\"
|
||||
.\" $Id: ssh-keygen.1,v 1.4 1999/11/15 12:33:56 damien Exp $
|
||||
.\" $Id: ssh-keygen.1,v 1.5 1999/11/17 06:29:08 damien Exp $
|
||||
.\"
|
||||
.Dd September 25, 1999
|
||||
.Dt SSH-KEYGEN 1
|
||||
@ -23,14 +23,20 @@
|
||||
.Op Fl b Ar bits
|
||||
.Op Fl N Ar new_passphrase
|
||||
.Op Fl C Ar comment
|
||||
.Op Fl f Ar keyfile
|
||||
.Nm ssh-keygen
|
||||
.Fl p
|
||||
.Op Fl P Ar old_passphrase
|
||||
.Op Fl N Ar new_passphrase
|
||||
.Op Fl f Ar keyfile
|
||||
.Nm ssh-keygen
|
||||
.Fl c
|
||||
.Op Fl P Ar passphrase
|
||||
.Op Fl C Ar comment
|
||||
.Op Fl f Ar keyfile
|
||||
.Nm ssh-keygen
|
||||
.Fl l
|
||||
.Op Fl f Ar keyfile
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
generates and manages authentication keys for
|
||||
@ -79,6 +85,10 @@ default is 1024 bits.
|
||||
Requests changing the comment in the private and public key files.
|
||||
The program will prompt for the file containing the private keys, for
|
||||
passphrase if the key has one, and for the new comment.
|
||||
.It Fl f
|
||||
Specifies the filename of the key file.
|
||||
.It Fl l
|
||||
Show fingerprint of specified private or public key file.
|
||||
.It Fl p
|
||||
Requests changing the passphrase of a private key file instead of
|
||||
creating a new private key. The program will prompt for the file
|
||||
|
198
ssh-keygen.c
198
ssh-keygen.c
@ -14,11 +14,12 @@ Identity and host key generation and maintenance.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$Id: ssh-keygen.c,v 1.4 1999/11/15 06:10:57 damien Exp $");
|
||||
RCSID("$Id: ssh-keygen.c,v 1.5 1999/11/17 06:29:08 damien Exp $");
|
||||
|
||||
#include "rsa.h"
|
||||
#include "ssh.h"
|
||||
#include "xmalloc.h"
|
||||
#include "fingerprint.h"
|
||||
|
||||
#ifdef HAVE___PROGNAME
|
||||
extern char *__progname;
|
||||
@ -46,6 +47,9 @@ int change_comment = 0;
|
||||
|
||||
int quiet = 0;
|
||||
|
||||
/* Flag indicating that we just want to see the key fingerprint */
|
||||
int print_fingerprint = 0;
|
||||
|
||||
/* This is set to the identity file name if given on the command line. */
|
||||
char *identity_file = NULL;
|
||||
|
||||
@ -61,42 +65,101 @@ char *identity_comment = NULL;
|
||||
/* Perform changing a passphrase. The argument is the passwd structure
|
||||
for the current user. */
|
||||
|
||||
void
|
||||
do_change_passphrase(struct passwd *pw)
|
||||
char *
|
||||
get_filename(struct passwd *pw, const char *prompt)
|
||||
{
|
||||
char buf[1024], *comment;
|
||||
char *old_passphrase, *passphrase1, *passphrase2;
|
||||
struct stat st;
|
||||
RSA *private_key;
|
||||
char buf[1024], default_file[1024];
|
||||
|
||||
/* Read key file name. */
|
||||
if (identity_file != NULL) {
|
||||
strncpy(buf, identity_file, sizeof(buf));
|
||||
buf[sizeof(buf) - 1] = '\0';
|
||||
return xstrdup(identity_file);
|
||||
} else {
|
||||
printf("Enter file in which the key is ($HOME/%s): ", SSH_CLIENT_IDENTITY);
|
||||
snprintf(default_file, sizeof default_file, "%s/%s",
|
||||
pw->pw_dir, SSH_CLIENT_IDENTITY);
|
||||
printf("%s (%s): ", prompt, default_file);
|
||||
fflush(stdout);
|
||||
if (fgets(buf, sizeof(buf), stdin) == NULL)
|
||||
exit(1);
|
||||
if (strchr(buf, '\n'))
|
||||
*strchr(buf, '\n') = 0;
|
||||
if (strcmp(buf, "") == 0)
|
||||
snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, SSH_CLIENT_IDENTITY);
|
||||
return xstrdup(default_file);
|
||||
}
|
||||
return xstrdup(buf);
|
||||
}
|
||||
|
||||
void
|
||||
do_fingerprint(struct passwd *pw)
|
||||
{
|
||||
char *file, *comment;
|
||||
RSA *public_key;
|
||||
struct stat st;
|
||||
|
||||
file = get_filename(pw, "Enter file in which the key is");
|
||||
if (stat(file, &st) < 0)
|
||||
{
|
||||
perror(file);
|
||||
exit(1);
|
||||
}
|
||||
public_key = RSA_new();
|
||||
if (!load_public_key(file, public_key, &comment)) {
|
||||
char *cp, line[1024];
|
||||
BIGNUM *e, *n;
|
||||
int dummy, invalid = 0;
|
||||
FILE *f = fopen(file, "r");
|
||||
n = BN_new();
|
||||
e = BN_new();
|
||||
if (f && fgets(line, sizeof(line), f)) {
|
||||
cp = line;
|
||||
line[strlen(line)-1] = '\0';
|
||||
if (auth_rsa_read_key(&cp, &dummy, e, n)) {
|
||||
public_key->e = e;
|
||||
public_key->n = n;
|
||||
comment = xstrdup(cp ? cp : "no comment");
|
||||
} else {
|
||||
invalid = 1;
|
||||
}
|
||||
} else {
|
||||
invalid = 1;
|
||||
}
|
||||
if (invalid) {
|
||||
printf("%s is not a valid key file.\n", file);
|
||||
BN_free(e);
|
||||
BN_free(n);
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
|
||||
printf("%d %s %s\n", BN_num_bits(public_key->n),
|
||||
fingerprint(public_key->e, public_key->n),
|
||||
comment);
|
||||
RSA_free(public_key);
|
||||
exit(0);
|
||||
}
|
||||
|
||||
|
||||
void
|
||||
do_change_passphrase(struct passwd *pw)
|
||||
{
|
||||
char *file, *comment;
|
||||
char *old_passphrase, *passphrase1, *passphrase2;
|
||||
struct stat st;
|
||||
RSA *private_key;
|
||||
|
||||
file = get_filename(pw, "Enter file in which the key is");
|
||||
/* Check if the file exists. */
|
||||
if (stat(buf, &st) < 0)
|
||||
if (stat(file, &st) < 0)
|
||||
{
|
||||
perror(buf);
|
||||
perror(file);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/* Try to load the public key from the file the verify that it is
|
||||
readable and of the proper format. */
|
||||
public_key = RSA_new();
|
||||
if (!load_public_key(buf, public_key, NULL))
|
||||
if (!load_public_key(file, public_key, NULL))
|
||||
{
|
||||
printf("%s is not a valid key file.\n", buf);
|
||||
printf("%s is not a valid key file.\n", file);
|
||||
exit(1);
|
||||
}
|
||||
/* Clear the public key since we are just about to load the whole file. */
|
||||
@ -104,14 +167,14 @@ do_change_passphrase(struct passwd *pw)
|
||||
|
||||
/* Try to load the file with empty passphrase. */
|
||||
private_key = RSA_new();
|
||||
if (!load_private_key(buf, "", private_key, &comment)) {
|
||||
if (!load_private_key(file, "", private_key, &comment)) {
|
||||
/* Read passphrase from the user. */
|
||||
if (identity_passphrase)
|
||||
old_passphrase = xstrdup(identity_passphrase);
|
||||
else
|
||||
old_passphrase = read_passphrase("Enter old passphrase: ", 1);
|
||||
/* Try to load using the passphrase. */
|
||||
if (!load_private_key(buf, old_passphrase, private_key, &comment))
|
||||
if (!load_private_key(file, old_passphrase, private_key, &comment))
|
||||
{
|
||||
memset(old_passphrase, 0, strlen(old_passphrase));
|
||||
xfree(old_passphrase);
|
||||
@ -152,10 +215,10 @@ do_change_passphrase(struct passwd *pw)
|
||||
}
|
||||
|
||||
/* Save the file using the new passphrase. */
|
||||
if (!save_private_key(buf, passphrase1, private_key, comment))
|
||||
if (!save_private_key(file, passphrase1, private_key, comment))
|
||||
{
|
||||
printf("Saving the key failed: %s: %s.\n",
|
||||
buf, strerror(errno));
|
||||
file, strerror(errno));
|
||||
memset(passphrase1, 0, strlen(passphrase1));
|
||||
xfree(passphrase1);
|
||||
RSA_free(private_key);
|
||||
@ -177,51 +240,33 @@ do_change_passphrase(struct passwd *pw)
|
||||
void
|
||||
do_change_comment(struct passwd *pw)
|
||||
{
|
||||
char buf[1024], new_comment[1024], *comment;
|
||||
char new_comment[1024], *file, *comment;
|
||||
RSA *private_key;
|
||||
char *passphrase;
|
||||
struct stat st;
|
||||
FILE *f;
|
||||
char *tmpbuf;
|
||||
|
||||
/* Read key file name. */
|
||||
if (identity_file)
|
||||
{
|
||||
strncpy(buf, identity_file, sizeof(buf));
|
||||
buf[sizeof(buf) - 1] = '\0';
|
||||
}
|
||||
else
|
||||
{
|
||||
printf("Enter file in which the key is ($HOME/%s): ",
|
||||
SSH_CLIENT_IDENTITY);
|
||||
fflush(stdout);
|
||||
if (fgets(buf, sizeof(buf), stdin) == NULL)
|
||||
exit(1);
|
||||
if (strchr(buf, '\n'))
|
||||
*strchr(buf, '\n') = 0;
|
||||
if (strcmp(buf, "") == 0)
|
||||
snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, SSH_CLIENT_IDENTITY);
|
||||
}
|
||||
|
||||
file = get_filename(pw, "Enter file in which the key is");
|
||||
/* Check if the file exists. */
|
||||
if (stat(buf, &st) < 0)
|
||||
if (stat(file, &st) < 0)
|
||||
{
|
||||
perror(buf);
|
||||
perror(file);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/* Try to load the public key from the file the verify that it is
|
||||
readable and of the proper format. */
|
||||
public_key = RSA_new();
|
||||
if (!load_public_key(buf, public_key, NULL))
|
||||
if (!load_public_key(file, public_key, NULL))
|
||||
{
|
||||
printf("%s is not a valid key file.\n", buf);
|
||||
printf("%s is not a valid key file.\n", file);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
private_key = RSA_new();
|
||||
/* Try to load the file with empty passphrase. */
|
||||
if (load_private_key(buf, "", private_key, &comment))
|
||||
if (load_private_key(file, "", private_key, &comment))
|
||||
passphrase = xstrdup("");
|
||||
else
|
||||
{
|
||||
@ -234,7 +279,7 @@ do_change_comment(struct passwd *pw)
|
||||
else
|
||||
passphrase = read_passphrase("Enter passphrase: ", 1);
|
||||
/* Try to load using the passphrase. */
|
||||
if (!load_private_key(buf, passphrase, private_key, &comment))
|
||||
if (!load_private_key(file, passphrase, private_key, &comment))
|
||||
{
|
||||
memset(passphrase, 0, strlen(passphrase));
|
||||
xfree(passphrase);
|
||||
@ -246,8 +291,7 @@ do_change_comment(struct passwd *pw)
|
||||
|
||||
if (identity_comment)
|
||||
{
|
||||
strncpy(new_comment, identity_comment, sizeof(new_comment));
|
||||
new_comment[sizeof(new_comment) - 1] = '\0';
|
||||
strlcpy(new_comment, identity_comment, sizeof(new_comment));
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -266,10 +310,10 @@ do_change_comment(struct passwd *pw)
|
||||
}
|
||||
|
||||
/* Save the file using the new passphrase. */
|
||||
if (!save_private_key(buf, passphrase, private_key, new_comment))
|
||||
if (!save_private_key(file, passphrase, private_key, new_comment))
|
||||
{
|
||||
printf("Saving the key failed: %s: %s.\n",
|
||||
buf, strerror(errno));
|
||||
file, strerror(errno));
|
||||
memset(passphrase, 0, strlen(passphrase));
|
||||
xfree(passphrase);
|
||||
RSA_free(private_key);
|
||||
@ -284,11 +328,11 @@ do_change_comment(struct passwd *pw)
|
||||
|
||||
/* Save the public key in text format in a file with the same name but
|
||||
.pub appended. */
|
||||
strcat(buf, ".pub");
|
||||
f = fopen(buf, "w");
|
||||
strcat(file, ".pub");
|
||||
f = fopen(file, "w");
|
||||
if (!f)
|
||||
{
|
||||
printf("Could not save your public key in %s\n", buf);
|
||||
printf("Could not save your public key in %s\n", file);
|
||||
exit(1);
|
||||
}
|
||||
fprintf(f, "%d ", BN_num_bits(public_key->n));
|
||||
@ -313,7 +357,7 @@ main(int ac, char **av)
|
||||
{
|
||||
char buf[16384], buf2[1024], *passphrase1, *passphrase2;
|
||||
struct passwd *pw;
|
||||
char *tmpbuf;
|
||||
char *file, *tmpbuf;
|
||||
int opt;
|
||||
struct stat st;
|
||||
FILE *f;
|
||||
@ -323,6 +367,7 @@ main(int ac, char **av)
|
||||
|
||||
/* check if RSA support exists */
|
||||
if (rsa_alive() == 0) {
|
||||
extern char *__progname;
|
||||
|
||||
fprintf(stderr,
|
||||
"%s: no RSA support in libssl and libcrypto. See ssl(8).\n",
|
||||
@ -345,7 +390,7 @@ main(int ac, char **av)
|
||||
error("Could not create directory '%s'.", buf);
|
||||
|
||||
/* Parse command line arguments. */
|
||||
while ((opt = getopt(ac, av, "qpcb:f:P:N:C:")) != EOF)
|
||||
while ((opt = getopt(ac, av, "qpclb:f:P:N:C:")) != EOF)
|
||||
{
|
||||
switch (opt)
|
||||
{
|
||||
@ -358,6 +403,10 @@ main(int ac, char **av)
|
||||
}
|
||||
break;
|
||||
|
||||
case 'l':
|
||||
print_fingerprint = 1;
|
||||
break;
|
||||
|
||||
case 'p':
|
||||
change_passphrase = 1;
|
||||
break;
|
||||
@ -404,6 +453,9 @@ main(int ac, char **av)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if (print_fingerprint)
|
||||
do_fingerprint(pw);
|
||||
|
||||
/* If the user requested to change the passphrase, do it now. This
|
||||
function never returns. */
|
||||
if (change_passphrase)
|
||||
@ -426,29 +478,12 @@ main(int ac, char **av)
|
||||
|
||||
ask_file_again:
|
||||
|
||||
/* Ask for a file to save the key in. */
|
||||
if (identity_file)
|
||||
{
|
||||
strncpy(buf, identity_file, sizeof(buf));
|
||||
buf[sizeof(buf) - 1] = '\0';
|
||||
}
|
||||
else
|
||||
{
|
||||
printf("Enter file in which to save the key ($HOME/%s): ",
|
||||
SSH_CLIENT_IDENTITY);
|
||||
fflush(stdout);
|
||||
if (fgets(buf, sizeof(buf), stdin) == NULL)
|
||||
exit(1);
|
||||
if (strchr(buf, '\n'))
|
||||
*strchr(buf, '\n') = 0;
|
||||
if (strcmp(buf, "") == 0)
|
||||
snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, SSH_CLIENT_IDENTITY);
|
||||
}
|
||||
file = get_filename(pw, "Enter file in which to save the key");
|
||||
|
||||
/* If the file aready exists, ask the user to confirm. */
|
||||
if (stat(buf, &st) >= 0)
|
||||
if (stat(file, &st) >= 0)
|
||||
{
|
||||
printf("%s already exists.\n", buf);
|
||||
printf("%s already exists.\n", file);
|
||||
printf("Overwrite (y/n)? ");
|
||||
fflush(stdout);
|
||||
if (fgets(buf2, sizeof(buf2), stdin) == NULL)
|
||||
@ -501,12 +536,13 @@ main(int ac, char **av)
|
||||
}
|
||||
|
||||
/* Save the key with the given passphrase and comment. */
|
||||
if (!save_private_key(buf, passphrase1, private_key, buf2))
|
||||
if (!save_private_key(file, passphrase1, private_key, buf2))
|
||||
{
|
||||
printf("Saving the key failed: %s: %s.\n",
|
||||
buf, strerror(errno));
|
||||
file, strerror(errno));
|
||||
memset(passphrase1, 0, strlen(passphrase1));
|
||||
xfree(passphrase1);
|
||||
xfree(file);
|
||||
goto ask_file_again;
|
||||
}
|
||||
/* Clear the passphrase. */
|
||||
@ -518,7 +554,7 @@ main(int ac, char **av)
|
||||
arc4random_stir();
|
||||
|
||||
if (!quiet)
|
||||
printf("Your identification has been saved in %s.\n", buf);
|
||||
printf("Your identification has been saved in %s.\n", file);
|
||||
|
||||
/* Display the public key on the screen. */
|
||||
if (!quiet) {
|
||||
@ -534,11 +570,11 @@ main(int ac, char **av)
|
||||
|
||||
/* Save the public key in text format in a file with the same name but
|
||||
.pub appended. */
|
||||
strcat(buf, ".pub");
|
||||
f = fopen(buf, "w");
|
||||
strcat(file, ".pub");
|
||||
f = fopen(file, "w");
|
||||
if (!f)
|
||||
{
|
||||
printf("Could not save your public key in %s\n", buf);
|
||||
printf("Could not save your public key in %s\n", file);
|
||||
exit(1);
|
||||
}
|
||||
fprintf(f, "%d ", BN_num_bits(public_key->n));
|
||||
@ -551,7 +587,7 @@ main(int ac, char **av)
|
||||
fclose(f);
|
||||
|
||||
if (!quiet)
|
||||
printf("Your public key has been saved in %s\n", buf);
|
||||
printf("Your public key has been saved in %s\n", file);
|
||||
|
||||
exit(0);
|
||||
}
|
||||
|
5
ssh.1
5
ssh.1
@ -9,7 +9,7 @@
|
||||
.\"
|
||||
.\" Created: Sat Apr 22 21:55:14 1995 ylo
|
||||
.\"
|
||||
.\" $Id: ssh.1,v 1.6 1999/11/11 06:57:40 damien Exp $
|
||||
.\" $Id: ssh.1,v 1.7 1999/11/17 06:29:08 damien Exp $
|
||||
.\"
|
||||
.Dd September 25, 1999
|
||||
.Dt SSH 1
|
||||
@ -962,6 +962,9 @@ supports one-time password authentication with
|
||||
The libraries described in
|
||||
.Xr ssl 8
|
||||
are required for proper operation.
|
||||
.Pp
|
||||
OpenSSH has been created by Aaron Cambell, Bob Beck, Markus Friedl,
|
||||
Niels Provos, Theo de Raadt, and Dug Song.
|
||||
.Sh SEE ALSO
|
||||
.Xr rlogin 1 ,
|
||||
.Xr rsh 1 ,
|
||||
|
20
sshconnect.c
20
sshconnect.c
@ -15,7 +15,7 @@ login (authentication) dialog.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$Id: sshconnect.c,v 1.9 1999/11/16 02:37:17 damien Exp $");
|
||||
RCSID("$Id: sshconnect.c,v 1.10 1999/11/17 06:29:08 damien Exp $");
|
||||
|
||||
#ifdef HAVE_OPENSSL
|
||||
#include <openssl/bn.h>
|
||||
@ -1081,9 +1081,9 @@ void ssh_login(int host_key_valid,
|
||||
|
||||
rbits = BN_num_bits(public_key->n);
|
||||
if (bits != rbits) {
|
||||
log("Warning: Server lies about size of server public key,");
|
||||
log("Warning: this may be due to an old implementation of ssh.");
|
||||
log("Warning: (actual size %d bits, announced size %d bits)", rbits, bits);
|
||||
log("Warning: Server lies about size of server public key: "
|
||||
"actual size is %d bits vs. announced %d.", rbits, bits);
|
||||
log("Warning: This may be due to an old implementation of ssh.");
|
||||
}
|
||||
|
||||
/* Get the host key. */
|
||||
@ -1098,9 +1098,9 @@ void ssh_login(int host_key_valid,
|
||||
|
||||
rbits = BN_num_bits(host_key->n);
|
||||
if (bits != rbits) {
|
||||
log("Warning: Server lies about size of server host key,");
|
||||
log("Warning: this may be due to an old implementation of ssh.");
|
||||
log("Warning: (actual size %d bits, announced size %d bits)", rbits, bits);
|
||||
log("Warning: Server lies about size of server host key: "
|
||||
"actual size is %d bits vs. announced %d.", rbits, bits);
|
||||
log("Warning: This may be due to an old implementation of ssh.");
|
||||
}
|
||||
|
||||
/* Store the host key from the known host file in here
|
||||
@ -1205,10 +1205,12 @@ void ssh_login(int host_key_valid,
|
||||
fatal("No host key is known for %.200s and you have requested strict checking.", host);
|
||||
} else if (options.strict_host_key_checking == 2) { /* The default */
|
||||
char prompt[1024];
|
||||
char *fp = fingerprint(host_key->e, host_key->n);
|
||||
snprintf(prompt, sizeof(prompt),
|
||||
"The authenticity of host '%.200s' can't be established.\n"
|
||||
"Are you sure you want to continue connecting (yes/no)? ",
|
||||
host);
|
||||
"Key fingerprint is %d %s.\n"
|
||||
"Are you sure you want to continue connecting (yes/no)? ",
|
||||
host, BN_num_bits(host_key->n), fp);
|
||||
if (!read_yes_or_no(prompt, -1))
|
||||
fatal("Aborted by user!\n");
|
||||
}
|
||||
|
30
sshd.c
30
sshd.c
@ -18,7 +18,7 @@ agent connections.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$Id: sshd.c,v 1.21 1999/11/16 02:37:17 damien Exp $");
|
||||
RCSID("$Id: sshd.c,v 1.22 1999/11/17 06:29:08 damien Exp $");
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "rsa.h"
|
||||
@ -486,35 +486,29 @@ main(int ac, char **av)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/* Initialize the log (it is reinitialized below in case we forked). */
|
||||
|
||||
if (debug_flag && !inetd_flag)
|
||||
log_stderr = 1;
|
||||
|
||||
log_init(av0, options.log_level, options.log_facility, log_stderr);
|
||||
/* Force logging to stderr while loading the private host key
|
||||
unless started from inetd */
|
||||
log_init(av0, options.log_level, options.log_facility, !inetd_flag);
|
||||
|
||||
debug("sshd version %.100s", SSH_VERSION);
|
||||
|
||||
sensitive_data.host_key = RSA_new();
|
||||
errno = 0;
|
||||
/* Load the host key. It must have empty passphrase. */
|
||||
if (!load_private_key(options.host_key_file, "",
|
||||
sensitive_data.host_key, &comment))
|
||||
{
|
||||
if (debug_flag)
|
||||
fprintf(stderr, "Could not load host key: %s: %s\n",
|
||||
options.host_key_file, strerror(errno));
|
||||
else
|
||||
{
|
||||
int err = errno;
|
||||
/* force logging */
|
||||
log_init(av0, SYSLOG_LEVEL_DEBUG, options.log_facility, log_stderr);
|
||||
error("Could not load host key: %.200s: %.100s",
|
||||
options.host_key_file, strerror(err));
|
||||
}
|
||||
error("Could not load host key: %.200s: %.100s",
|
||||
options.host_key_file, strerror(errno));
|
||||
exit(1);
|
||||
}
|
||||
xfree(comment);
|
||||
|
||||
/* Initialize the log (it is reinitialized below in case we forked). */
|
||||
if (debug_flag && !inetd_flag)
|
||||
log_stderr = 1;
|
||||
log_init(av0, options.log_level, options.log_facility, log_stderr);
|
||||
|
||||
/* If not in debugging mode, and not started from inetd, disconnect from
|
||||
the controlling terminal, and fork. The original process exits. */
|
||||
if (!debug_flag && !inetd_flag)
|
||||
|
Loading…
Reference in New Issue
Block a user