diff --git a/ChangeLog b/ChangeLog index 564c513e2..b21180335 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,27 @@ - (bal) Resync CVS ID of cli.c - (stevesk) auth1.c: free should be after WITH_AIXAUTHENTICATE code. + - (bal) OpenBSD Sync + - markus@cvs.openbsd.org 2001/01/08 22:29:05 + [auth2.c compat.c compat.h servconf.c servconf.h sshd.8 + sshd_config version.h] + implement option 'Banner /etc/issue.net' for ssh2, move version to + 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner + is enabled). + - markus@cvs.openbsd.org 2001/01/08 22:03:23 + [channels.c ssh-keyscan.c] + O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com + - markus@cvs.openbsd.org 2001/01/08 21:55:41 + [sshconnect1.c] + more cleanups and fixes from stevesk@pobox.com: + 1) try_agent_authentication() for loop will overwrite key just + allocated with key_new(); don't alloc + 2) call ssh_close_authentication_connection() before exit + try_agent_authentication() + 3) free mem on bad passphrase in try_rsa_authentication() + - markus@cvs.openbsd.org 2001/01/08 21:48:17 + [kex.c] + missing free; thanks stevesk@pobox.com 20010108 - (bal) Fixed another typo in cli.c diff --git a/auth2.c b/auth2.c index 4880b736e..3a247f588 100644 --- a/auth2.c +++ b/auth2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.24 2000/12/28 14:25:51 markus Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.25 2001/01/08 22:29:05 markus Exp $"); #ifdef HAVE_OSF_SIA # include @@ -92,6 +92,7 @@ int user_key_allowed(struct passwd *pw, Key *key); char *authmethods_get(void); /* auth */ +void userauth_banner(void); int userauth_none(Authctxt *authctxt); int userauth_passwd(Authctxt *authctxt); int userauth_pubkey(Authctxt *authctxt); @@ -257,6 +258,39 @@ input_userauth_request(int type, int plen, void *ctxt) xfree(method); } +void +userauth_banner(void) +{ + struct stat st; + char *banner = NULL; + off_t len, n; + int fd; + + if (options.banner == NULL || (datafellows & SSH_BUG_BANNER)) + return; + if ((fd = open(options.banner, O_RDONLY)) < 0) { + error("userauth_banner: open %s failed: %s", + options.banner, strerror(errno)); + return; + } + if (fstat(fd, &st) < 0) + goto done; + len = st.st_size; + banner = xmalloc(len + 1); + if ((n = read(fd, banner, len)) < 0) + goto done; + banner[n] = '\0'; + packet_start(SSH2_MSG_USERAUTH_BANNER); + packet_put_cstring(banner); + packet_put_cstring(""); /* language, unused */ + packet_send(); + debug("userauth_banner: sent"); +done: + if (banner) + xfree(banner); + close(fd); + return; +} void userauth_log(Authctxt *authctxt, int authenticated, char *method) @@ -335,6 +369,7 @@ userauth_none(Authctxt *authctxt) if (m != NULL) m->enabled = NULL; packet_done(); + userauth_banner(); if (authctxt->valid == 0) return(0); diff --git a/channels.c b/channels.c index b1fcd7ca8..254f5df2f 100644 --- a/channels.c +++ b/channels.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.79 2000/12/29 22:19:13 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.80 2001/01/08 22:03:23 markus Exp $"); #include "ssh.h" #include "packet.h" @@ -1743,7 +1743,7 @@ channel_connect_to(const char *host, u_short host_port) error("socket: %.100s", strerror(errno)); continue; } - if (fcntl(sock, F_SETFL, O_NDELAY) < 0) + if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0) fatal("connect_to: F_SETFL: %s", strerror(errno)); /* Connect to the host/port. */ if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 && diff --git a/compat.c b/compat.c index a2d3a3383..47af1a8ea 100644 --- a/compat.c +++ b/compat.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: compat.c,v 1.32 2000/12/09 23:51:11 provos Exp $"); +RCSID("$OpenBSD: compat.c,v 1.33 2001/01/08 22:29:05 markus Exp $"); #include "ssh.h" #include "packet.h" @@ -62,7 +62,10 @@ compat_datafellows(const char *version) char *pat; int bugs; } check[] = { - { "^OpenSSH[-_]2\\.[012]", SSH_OLD_SESSIONID }, + { "^OpenSSH[-_]2\\.[012]", + SSH_OLD_SESSIONID|SSH_BUG_BANNER }, + { "^OpenSSH_2\\.3\\.0", SSH_BUG_BANNER }, + { "^OpenSSH", 0 }, { "MindTerm", 0 }, { "^2\\.1\\.0", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| SSH_OLD_SESSIONID|SSH_BUG_DEBUG }, diff --git a/compat.h b/compat.h index cf97c7d28..fb65cd6d6 100644 --- a/compat.h +++ b/compat.h @@ -21,7 +21,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* RCSID("$OpenBSD: compat.h,v 1.13 2000/12/06 22:58:15 markus Exp $"); */ +/* RCSID("$OpenBSD: compat.h,v 1.14 2001/01/08 22:29:05 markus Exp $"); */ #ifndef COMPAT_H #define COMPAT_H @@ -38,6 +38,7 @@ #define SSH_OLD_SESSIONID 0x10 #define SSH_BUG_PKAUTH 0x20 #define SSH_BUG_DEBUG 0x40 +#define SSH_BUG_BANNER 0x80 void enable_compat13(void); void enable_compat20(void); diff --git a/kex.c b/kex.c index de315705e..9a31ae927 100644 --- a/kex.c +++ b/kex.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kex.c,v 1.16 2000/12/20 19:37:22 markus Exp $"); +RCSID("$OpenBSD: kex.c,v 1.17 2001/01/08 21:48:17 markus Exp $"); #include "ssh.h" #include "ssh2.h" @@ -465,6 +465,7 @@ choose_hostkeyalg(Kex *k, char *client, char *server) k->hostkey_type = key_type_from_name(hostkeyalg); if (k->hostkey_type == KEY_UNSPEC) fatal("bad hostkey alg '%s'", hostkeyalg); + xfree(hostkeyalg); } Kex * diff --git a/servconf.c b/servconf.c index 6604e3d23..fb42d74ef 100644 --- a/servconf.c +++ b/servconf.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.56 2001/01/07 11:28:06 markus Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.57 2001/01/08 22:29:05 markus Exp $"); #include "ssh.h" #include "servconf.h" @@ -78,6 +78,7 @@ initialize_server_options(ServerOptions *options) options->max_startups_begin = -1; options->max_startups_rate = -1; options->max_startups = -1; + options->banner = NULL; } void @@ -198,6 +199,7 @@ typedef enum { sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, + sBanner } ServerOpCodes; /* Textual representation of the tokens. */ @@ -257,6 +259,7 @@ static struct { { "gatewayports", sGatewayPorts }, { "subsystem", sSubsystem }, { "maxstartups", sMaxStartups }, + { "banner", sBanner }, { NULL, 0 } }; @@ -697,6 +700,10 @@ parse_flag: intptr = &options->max_startups; goto parse_int; + case sBanner: + charptr = &options->banner; + goto parse_filename; + default: fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n", filename, linenum, arg, opcode); diff --git a/servconf.h b/servconf.h index 7d5016662..532b22f6e 100644 --- a/servconf.h +++ b/servconf.h @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: servconf.h,v 1.32 2000/12/19 23:17:58 markus Exp $"); */ +/* RCSID("$OpenBSD: servconf.h,v 1.33 2001/01/08 22:29:05 markus Exp $"); */ #ifndef SERVCONF_H #define SERVCONF_H @@ -104,6 +104,7 @@ typedef struct { int max_startups_begin; int max_startups_rate; int max_startups; + char *banner; /* SSH-2 banner message */ } ServerOptions; /* diff --git a/ssh-keyscan.c b/ssh-keyscan.c index 68593fe75..5d5427aad 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c @@ -8,7 +8,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keyscan.c,v 1.6 2000/12/19 23:17:58 markus Exp $"); +RCSID("$OpenBSD: ssh-keyscan.c,v 1.7 2001/01/08 22:03:23 markus Exp $"); #if defined(HAVE_SYS_QUEUE_H) && !defined(HAVE_BOGUS_SYS_QUEUE_H) #include @@ -310,7 +310,7 @@ tcpconnect(char *host) error("socket: %s", strerror(errno)); continue; } - if (fcntl(s, F_SETFL, O_NDELAY) < 0) + if (fcntl(s, F_SETFL, O_NONBLOCK) < 0) fatal("F_SETFL: %s", strerror(errno)); if (connect(s, ai->ai_addr, ai->ai_addrlen) < 0 && errno != EINPROGRESS) diff --git a/sshconnect1.c b/sshconnect1.c index d6230529f..09d0210a9 100644 --- a/sshconnect1.c +++ b/sshconnect1.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect1.c,v 1.13 2000/12/19 23:17:58 markus Exp $"); +RCSID("$OpenBSD: sshconnect1.c,v 1.14 2001/01/08 21:55:41 markus Exp $"); #include #include @@ -62,7 +62,6 @@ try_agent_authentication() return 0; challenge = BN_new(); - key = key_new(KEY_RSA1); /* Loop through identities served by the agent. */ for (key = ssh_get_first_identity(auth, &comment, 1); @@ -125,6 +124,7 @@ try_agent_authentication() /* The server returns success if it accepted the authentication. */ if (type == SSH_SMSG_SUCCESS) { + ssh_close_authentication_connection(auth); BN_clear_free(challenge); debug("RSA authentication accepted by server."); return 1; @@ -134,6 +134,7 @@ try_agent_authentication() packet_disconnect("Protocol error waiting RSA auth response: %d", type); } + ssh_close_authentication_connection(auth); BN_clear_free(challenge); debug("RSA authentication using agent refused."); return 0; @@ -270,6 +271,8 @@ try_rsa_authentication(const char *authfile) /* Expect the server to reject it... */ packet_read_expect(&plen, SSH_SMSG_FAILURE); xfree(comment); + key_free(private); + BN_clear_free(challenge); return 0; } /* Destroy the passphrase. */ diff --git a/sshd.8 b/sshd.8 index d6232f4b2..fef26b50b 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.79 2001/01/07 11:28:07 markus Exp $ +.\" $OpenBSD: sshd.8,v 1.80 2001/01/08 22:29:05 markus Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -333,6 +333,13 @@ wildcards in the patterns. Only user names are valid; a numerical user ID isn't recognized. By default login is allowed regardless of the user name. .Pp +.It Cm Banner +In some jurisdictions, sending a warning message before authentication +may be relevant for getting legal protection. +The contents of the specified file are sent to the remote user before +authentication is allowed. +This option is only available for protocol version 2. +.Pp .It Cm Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. diff --git a/sshd_config b/sshd_config index 357c42502..26372ab16 100644 --- a/sshd_config +++ b/sshd_config @@ -56,3 +56,4 @@ CheckMail no # Uncomment if you want to enable sftp #Subsystem sftp /usr/libexec/sftp-server #MaxStartups 10:30:60 +#Banner /etc/issue.net diff --git a/version.h b/version.h index 7e07541a9..591fbdfc6 100644 --- a/version.h +++ b/version.h @@ -1,3 +1,3 @@ -/* $OpenBSD: version.h,v 1.13 2000/10/16 09:38:45 djm Exp $ */ +/* $OpenBSD: version.h,v 1.16 2001/01/08 22:29:05 markus Exp $ */ -#define SSH_VERSION "OpenSSH_2.3.0p2" +#define SSH_VERSION "OpenSSH_2.3.1p1"