+20000412
+ - OpenBSD CVS updates:
+ - [channels.c]
+ repair x11-fwd
+ - [sshconnect.c]
+ fix passwd prompt for ssh2, less debugging output.
+ - [clientloop.c compat.c dsa.c kex.c sshd.c]
+ less debugging output
+ - [kex.c kex.h sshconnect.c sshd.c]
+ check for reasonable public DH values
+ - [README.openssh2 cipher.c cipher.h compat.c compat.h readconf.c]
+ [readconf.h servconf.c servconf.h ssh.c ssh.h sshconnect.c sshd.c]
+ add Cipher and Protocol options to ssh/sshd, e.g.:
+ ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers
+ arcfour,3des-cbc'
+ - [sshd.c]
+ print 1.99 only if server supports both
+
20000408
- Avoid some compiler warnings in fake-get*.c
- Add IPTOS macros for systems which lack them
-$Id: README.openssh2,v 1.2 2000/04/06 21:28:22 markus Exp $
+$Id: README.openssh2,v 1.3 2000/04/12 07:45:43 markus Exp $
+
+howto:
+ 1) generate server key:
+ $ umask 077
+ $ openssl dsaparam 1024 -out dsa1024.pem
+ $ openssl gendsa -out /etc/ssh_dsa_key dsa1024.pem -rand /dev/arandom
+ 2) enable ssh2:
+ server: add 'Protocol 2,1' to /etc/sshd_config
+ client: ssh -o 'Protocol 2,1', or add to .ssh/config
works:
secsh-transport: works w/o rekey
tcp-forwarding: -L works
dss: verification works,
key database in ~/.ssh/known_hosts with bits == 0 hack
- dss: signature works, keygen w/ openssl:
- $ umask 077
- $ openssl dsaparam 1024 -out dsa1024.pem
- $ openssl gendsa -out /etc/ssh_dsa_key dsa1024.pem -rand /dev/arandom
- start sshd with '-2' flag
+ dss: signature works, keygen w/ openssl
client interops w/ sshd2, lshd
server interops w/ ssh2, lsh, ssh.com's Windows client, SecureCRT
server supports multiple concurrent sessions (e.g. with SSH.com Windows client)
sftp
-markus
-$Date: 2000/04/06 21:28:22 $
+$Date: 2000/04/12 07:45:43 $
*/
#include "includes.h"
-RCSID("$Id: channels.c,v 1.23 2000/04/12 08:45:06 damien Exp $");
+RCSID("$Id: channels.c,v 1.24 2000/04/12 10:17:38 damien Exp $");
#include "ssh.h"
#include "packet.h"
if (ret == 1) {
/* Start normal processing for the channel. */
c->type = SSH_CHANNEL_OPEN;
+ channel_pre_open_13(c, readset, writeset);
} else if (ret == -1) {
/*
* We have received an X11 connection that has bad
int ret = x11_open_helper(c);
if (ret == 1) {
c->type = SSH_CHANNEL_OPEN;
+ channel_pre_open_15(c, readset, writeset);
} else if (ret == -1) {
debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
chan_read_failed(c);
*/
#include "includes.h"
-RCSID("$Id: cipher.c,v 1.16 2000/04/06 02:32:39 damien Exp $");
+RCSID("$Id: cipher.c,v 1.17 2000/04/12 10:17:39 damien Exp $");
#include "ssh.h"
#include "cipher.h"
-#include "config.h"
+#include "xmalloc.h"
#ifdef HAVE_OPENSSL
#include <openssl/md5.h>
#endif
/*
- * What kind of tripple DES are these 2 routines?
+ * This is used by SSH1:
+ *
+ * What kind of triple DES are these 2 routines?
*
* Why is there a redundant initialization vector?
*
}
/*
- * SSH uses a variation on Blowfish, all bytes must be swapped before
+ * SSH1 uses a variation on Blowfish, all bytes must be swapped before
* and after encryption/decryption. Thus the swap_bytes stuff (yuk).
*/
static void
{
if (cipher < 0 || cipher >= sizeof(cipher_names) / sizeof(cipher_names[0]) ||
cipher_names[cipher] == NULL)
- fatal("cipher_name: bad cipher number: %d", cipher);
+ fatal("cipher_name: bad cipher name: %d", cipher);
return cipher_names[cipher];
}
+/* Returns 1 if the name of the ciphers are valid. */
+
+#define CIPHER_SEP ","
+int
+ciphers_valid(const char *names)
+{
+ char *ciphers;
+ char *p;
+ int i;
+
+ if (strcmp(names, "") == 0)
+ return 0;
+ ciphers = xstrdup(names);
+ for ((p = strtok(ciphers, CIPHER_SEP)); p; (p = strtok(NULL, CIPHER_SEP))) {
+ i = cipher_number(p);
+ if (i == -1 || !(cipher_mask2() & (1 << i))) {
+ xfree(ciphers);
+ return 0;
+ }
+ }
+ xfree(ciphers);
+ return 1;
+}
+
/*
* Parses the name of the cipher. Returns the number of the corresponding
* cipher, or -1 on error.
memset(padded, 0, sizeof(padded));
}
-
void
cipher_set_key_iv(CipherContext * context, int cipher,
const unsigned char *key, int keylen,
*
*/
-/* RCSID("$Id: cipher.h,v 1.8 2000/04/06 02:32:39 damien Exp $"); */
+/* RCSID("$Id: cipher.h,v 1.9 2000/04/12 10:17:39 damien Exp $"); */
#ifndef CIPHER_H
#define CIPHER_H
*/
int cipher_number(const char *name);
+/* returns 1 if all ciphers are supported (ssh2 only) */
+int ciphers_valid(const char *names);
+
/*
* Selects the cipher to use and sets the key. If for_encryption is true,
* the key is setup for encryption; otherwise it is setup for decryption.
*/
#include "includes.h"
-RCSID("$Id: clientloop.c,v 1.9 2000/04/06 02:32:39 damien Exp $");
+RCSID("$Id: clientloop.c,v 1.10 2000/04/12 10:17:39 damien Exp $");
#include "xmalloc.h"
#include "ssh.h"
rtype = packet_get_string(&len);
reply = packet_get_char();
- log("session_input_channel_req: rtype %s reply %d", rtype, reply);
+ debug("session_input_channel_req: rtype %s reply %d", rtype, reply);
c = channel_lookup(id);
if (c == NULL)
*/
#include "includes.h"
-RCSID("$Id: compat.c,v 1.6 2000/04/12 08:45:06 damien Exp $");
+RCSID("$Id: compat.c,v 1.7 2000/04/12 10:17:39 damien Exp $");
#include "ssh.h"
#include "packet.h"
+#include "xmalloc.h"
+#include "compat.h"
int compat13 = 0;
int compat20 = 0;
len = strlen(check[i]);
if (strlen(version) >= len &&
(strncmp(version, check[i], len) == 0)) {
- log("datafellows: %.200s", version);
+ verbose("datafellows: %.200s", version);
datafellows = 1;
return;
}
}
}
+
+#define SEP ","
+int
+proto_spec(const char *spec)
+{
+ char *s = xstrdup(spec);
+ char *p;
+ int ret = SSH_PROTO_UNKNOWN;
+
+ for ((p = strtok(s, SEP)); p; (p = strtok(NULL, SEP))) {
+ switch(atoi(p)) {
+ case 1:
+ if (ret == SSH_PROTO_UNKNOWN)
+ ret |= SSH_PROTO_1_PREFERRED;
+ ret |= SSH_PROTO_1;
+ break;
+ case 2:
+ ret |= SSH_PROTO_2;
+ break;
+ default:
+ log("ignoring bad proto spec: '%s'.", p);
+ break;
+ }
+ }
+ xfree(s);
+ return ret;
+}
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-/* RCSID("$Id: compat.h,v 1.4 2000/04/04 04:39:01 damien Exp $"); */
+/* RCSID("$Id: compat.h,v 1.5 2000/04/12 10:17:39 damien Exp $"); */
#ifndef COMPAT_H
#define COMPAT_H
+
+#define SSH_PROTO_UNKNOWN 0x00
+#define SSH_PROTO_1 0x01
+#define SSH_PROTO_1_PREFERRED 0x02
+#define SSH_PROTO_2 0x04
+
void enable_compat13(void);
void enable_compat20(void);
void compat_datafellows(const char *s);
+int proto_spec(const char *spec);
extern int compat13;
extern int compat20;
extern int datafellows;
*/
#include "includes.h"
-RCSID("$Id: dsa.c,v 1.1 2000/04/04 04:39:01 damien Exp $");
+RCSID("$Id: dsa.c,v 1.2 2000/04/12 06:37:02 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
buffer_append(&b, serverhostkey, serverhostkeylen);
ktype = buffer_get_string(&b, NULL);
if (strcmp(KEX_DSS, ktype) != 0) {
- log("dsa_serverkey_from_blob: cannot handle type %s", ktype);
+ error("dsa_serverkey_from_blob: cannot handle type %s", ktype);
key_free(key);
return NULL;
}
buffer_get_bignum2(&b, dsa->pub_key);
rlen = buffer_len(&b);
if(rlen != 0)
- log("dsa_serverkey_from_blob: remaining bytes in serverhostkey %d", rlen);
+ error("dsa_serverkey_from_blob: remaining bytes in serverhostkey %d", rlen);
buffer_free(&b);
- log("keytype %s", ktype);
+ debug("keytype %s", ktype);
#ifdef DEBUG_DSS
DSA_print_fp(stderr, dsa, 8);
#endif
Buffer b;
if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
- log("dsa_sign: no DSA key");
+ error("dsa_sign: no DSA key");
return -1;
}
digest = xmalloc(evp_md->md_size);
rlen = BN_num_bytes(sig->r);
slen = BN_num_bytes(sig->s);
if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) {
- log("bad sig size %d %d", rlen, slen);
+ error("bad sig size %d %d", rlen, slen);
DSA_SIG_free(sig);
return -1;
}
- log("sig size %d %d", rlen, slen);
+ debug("sig size %d %d", rlen, slen);
memset(sigblob, 0, SIGBLOB_LEN);
BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
DSA_SIG_free(sig);
if (datafellows) {
- log("datafellows");
+ debug("datafellows");
ret = xmalloc(SIGBLOB_LEN);
memcpy(ret, sigblob, SIGBLOB_LEN);
if (lenp != NULL)
int ret;
if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
- log("dsa_verify: no DSA key");
+ error("dsa_verify: no DSA key");
return -1;
}
datafellows = 0;
}
- log("len %d datafellows %d", signaturelen, datafellows);
+ debug("len %d datafellows %d", signaturelen, datafellows);
/* fetch signature */
if (datafellows) {
sigblob = (unsigned char *)buffer_get_string(&b, &len);
rlen = buffer_len(&b);
if(rlen != 0)
- log("remaining bytes in signature %d", rlen);
+ error("remaining bytes in signature %d", rlen);
buffer_free(&b);
}
txt = "error";
break;
}
- log("dsa_verify: signature %s", txt);
+ debug("dsa_verify: signature %s", txt);
return ret;
}
*/
#include "includes.h"
-RCSID("$Id: kex.c,v 1.2 2000/04/04 04:57:08 damien Exp $");
+RCSID("$Id: kex.c,v 1.3 2000/04/12 10:17:39 damien Exp $");
#include "ssh.h"
#include "ssh2.h"
# include <openssl/dh.h>
# include <openssl/crypto.h>
# include <openssl/bio.h>
-# include <openssl/bn.h>
-# include <openssl/dh.h>
# include <openssl/pem.h>
#endif /* HAVE_OPENSSL */
#if HAVE_SSL
# include <ssl/dh.h>
# include <ssl/crypto.h>
# include <ssl/bio.h>
-# include <ssl/bn.h>
-# include <ssl/dh.h>
# include <ssl/pem.h>
#endif /* HAVE_SSL */
-#include "entropy.h"
#include "kex.h"
Buffer *
/* diffie-hellman-group1-sha1 */
+int
+dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
+{
+ int i;
+ int n = BN_num_bits(dh_pub);
+ int bits_set = 0;
+
+ /* we only accept g==2 */
+ if (!BN_is_word(dh->g, 2)) {
+ log("invalid DH base != 2");
+ return 0;
+ }
+ if (dh_pub->neg) {
+ log("invalid public DH value: negativ");
+ return 0;
+ }
+ for (i = 0; i <= n; i++)
+ if (BN_is_bit_set(dh_pub, i))
+ bits_set++;
+ debug("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
+
+ /* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
+ if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1))
+ return 1;
+ log("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
+ return 0;
+}
+
DH *
-new_dh_group1()
+dh_new_group1()
{
static char *group1 =
"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
"FFFFFFFF" "FFFFFFFF";
DH *dh;
- int ret;
+ int ret, tries = 0;
dh = DH_new();
if(dh == NULL)
fatal("DH_new");
- ret = BN_hex2bn(&dh->p,group1);
+ ret = BN_hex2bn(&dh->p, group1);
if(ret<0)
fatal("BN_hex2bn");
dh->g = BN_new();
if(dh->g == NULL)
fatal("DH_new g");
- BN_set_word(dh->g,2);
-
- seed_rng();
- if (DH_generate_key(dh) == 0)
- fatal("DH_generate_key");
-
+ BN_set_word(dh->g, 2);
+ do {
+ if (DH_generate_key(dh) == 0)
+ fatal("DH_generate_key");
+ if (tries++ > 10)
+ fatal("dh_new_group1: too many bad keys: giving up");
+ } while (!dh_pub_is_valid(dh, dh->pub_key));
return dh;
}
choose_enc (&k->enc [mode], cprop[nenc], sprop[nenc]);
choose_mac (&k->mac [mode], cprop[nmac], sprop[nmac]);
choose_comp(&k->comp[mode], cprop[ncomp], sprop[ncomp]);
- log("kex: %s %s %s %s",
+ debug("kex: %s %s %s %s",
ctos ? "client->server" : "server->client",
k->enc[mode].name,
k->mac[mode].name,
};
Buffer *kex_init(char *myproposal[PROPOSAL_MAX]);
-DH *new_dh_group1();
+int dh_pub_is_valid(DH *dh, BIGNUM *dh_pub);
+DH *dh_new_group1();
Kex *kex_choose_conf(char *cprop[PROPOSAL_MAX], char *sprop[PROPOSAL_MAX], int server);
int kex_derive_keys(Kex *k, unsigned char *hash, BIGNUM *shared_secret);
void bignum_print(BIGNUM *b);
*/
#include "includes.h"
-RCSID("$Id: readconf.c,v 1.9 2000/04/01 01:09:25 damien Exp $");
+RCSID("$Id: readconf.c,v 1.10 2000/04/12 10:17:40 damien Exp $");
#include "ssh.h"
#include "cipher.h"
#include "readconf.h"
#include "match.h"
#include "xmalloc.h"
+#include "compat.h"
/* Format of the configuration file:
oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication,
- oUsePrivilegedPort, oLogLevel
+ oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol
} OpCodes;
/* Textual representations of the tokens. */
{ "proxycommand", oProxyCommand },
{ "port", oPort },
{ "cipher", oCipher },
+ { "ciphers", oCiphers },
+ { "protocol", oProtocol },
{ "remoteforward", oRemoteForward },
{ "localforward", oLocalForward },
{ "user", oUser },
*intptr = value;
break;
+ case oCiphers:
+ cp = strtok(NULL, WHITESPACE);
+ if (!ciphers_valid(cp))
+ fatal("%.200s line %d: Bad cipher spec '%s'.",
+ filename, linenum, cp ? cp : "<NONE>");
+ if (*activep && options->ciphers == NULL)
+ options->ciphers = xstrdup(cp);
+ break;
+
+ case oProtocol:
+ intptr = &options->protocol;
+ cp = strtok(NULL, WHITESPACE);
+ value = proto_spec(cp);
+ if (value == SSH_PROTO_UNKNOWN)
+ fatal("%.200s line %d: Bad protocol spec '%s'.",
+ filename, linenum, cp ? cp : "<NONE>");
+ if (*activep && *intptr == SSH_PROTO_UNKNOWN)
+ *intptr = value;
+ break;
+
case oLogLevel:
intptr = (int *) &options->log_level;
cp = strtok(NULL, WHITESPACE);
options->connection_attempts = -1;
options->number_of_password_prompts = -1;
options->cipher = -1;
+ options->ciphers = NULL;
+ options->protocol = SSH_PROTO_UNKNOWN;
options->num_identity_files = 0;
options->hostname = NULL;
options->proxy_command = NULL;
/* Selected in ssh_login(). */
if (options->cipher == -1)
options->cipher = SSH_CIPHER_NOT_SET;
+ if (options->protocol == SSH_PROTO_UNKNOWN)
+ options->protocol = SSH_PROTO_1;
if (options->num_identity_files == 0) {
options->identity_files[0] =
xmalloc(2 + strlen(SSH_CLIENT_IDENTITY) + 1);
*
*/
-/* RCSID("$Id: readconf.h,v 1.6 1999/12/06 00:47:29 damien Exp $"); */
+/* RCSID("$Id: readconf.h,v 1.7 2000/04/12 10:17:40 damien Exp $"); */
#ifndef READCONF_H
#define READCONF_H
int number_of_password_prompts; /* Max number of password
* prompts. */
int cipher; /* Cipher to use. */
+ char *ciphers; /* Ciphers in order of preference. */
+ int protocol; /* Protocol in order of preference. */
char *hostname; /* Real host to connect. */
char *proxy_command; /* Proxy command for connecting the host. */
char *user; /* User to log in as. */
*/
#include "includes.h"
-RCSID("$Id: servconf.c,v 1.10 2000/04/12 08:45:06 damien Exp $");
+RCSID("$Id: servconf.c,v 1.11 2000/04/12 10:17:40 damien Exp $");
#include "ssh.h"
#include "servconf.h"
#include "xmalloc.h"
+#include "compat.h"
/* add listen address */
void add_listen_addr(ServerOptions *options, char *addr);
options->num_deny_users = 0;
options->num_allow_groups = 0;
options->num_deny_groups = 0;
+ options->ciphers = NULL;
+ options->protocol = SSH_PROTO_UNKNOWN;
}
void
options->permit_empty_passwd = 0;
if (options->use_login == -1)
options->use_login = 0;
+ if (options->protocol == SSH_PROTO_UNKNOWN)
+ options->protocol = SSH_PROTO_1;
}
#define WHITESPACE " \t\r\n"
sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
- sIgnoreUserKnownHosts, sDSAKeyFile
+ sIgnoreUserKnownHosts, sDSAKeyFile, sCiphers, sProtocol
} ServerOpCodes;
/* Textual representation of the tokens. */
{ "denyusers", sDenyUsers },
{ "allowgroups", sAllowGroups },
{ "denygroups", sDenyGroups },
+ { "ciphers", sCiphers },
+ { "protocol", sProtocol },
{ NULL, 0 }
};
value = log_facility_number(cp);
if (value == (SyslogFacility) - 1)
fatal("%.200s line %d: unsupported log facility '%s'\n",
- filename, linenum, cp ? cp : "<NONE>");
+ filename, linenum, cp ? cp : "<NONE>");
if (*intptr == -1)
*intptr = (SyslogFacility) value;
break;
value = log_level_number(cp);
if (value == (LogLevel) - 1)
fatal("%.200s line %d: unsupported log level '%s'\n",
- filename, linenum, cp ? cp : "<NONE>");
+ filename, linenum, cp ? cp : "<NONE>");
if (*intptr == -1)
*intptr = (LogLevel) value;
break;
case sAllowUsers:
while ((cp = strtok(NULL, WHITESPACE))) {
- if (options->num_allow_users >= MAX_ALLOW_USERS) {
- fprintf(stderr, "%s line %d: too many allow users.\n",
- filename, linenum);
- exit(1);
- }
+ if (options->num_allow_users >= MAX_ALLOW_USERS)
+ fatal("%s line %d: too many allow users.\n",
+ filename, linenum);
options->allow_users[options->num_allow_users++] = xstrdup(cp);
}
break;
case sDenyUsers:
while ((cp = strtok(NULL, WHITESPACE))) {
- if (options->num_deny_users >= MAX_DENY_USERS) {
- fprintf(stderr, "%s line %d: too many deny users.\n",
- filename, linenum);
- exit(1);
- }
+ if (options->num_deny_users >= MAX_DENY_USERS)
+ fatal( "%s line %d: too many deny users.\n",
+ filename, linenum);
options->deny_users[options->num_deny_users++] = xstrdup(cp);
}
break;
case sAllowGroups:
while ((cp = strtok(NULL, WHITESPACE))) {
- if (options->num_allow_groups >= MAX_ALLOW_GROUPS) {
- fprintf(stderr, "%s line %d: too many allow groups.\n",
- filename, linenum);
- exit(1);
- }
+ if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
+ fatal("%s line %d: too many allow groups.\n",
+ filename, linenum);
options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
}
break;
case sDenyGroups:
while ((cp = strtok(NULL, WHITESPACE))) {
- if (options->num_deny_groups >= MAX_DENY_GROUPS) {
- fprintf(stderr, "%s line %d: too many deny groups.\n",
- filename, linenum);
- exit(1);
- }
+ if (options->num_deny_groups >= MAX_DENY_GROUPS)
+ fatal("%s line %d: too many deny groups.\n",
+ filename, linenum);
options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
}
break;
+ case sCiphers:
+ cp = strtok(NULL, WHITESPACE);
+ if (!ciphers_valid(cp))
+ fatal("%s line %d: Bad cipher spec '%s'.",
+ filename, linenum, cp ? cp : "<NONE>");
+ if (options->ciphers == NULL)
+ options->ciphers = xstrdup(cp);
+ break;
+
+ case sProtocol:
+ intptr = &options->protocol;
+ cp = strtok(NULL, WHITESPACE);
+ value = proto_spec(cp);
+ if (value == SSH_PROTO_UNKNOWN)
+ fatal("%s line %d: Bad protocol spec '%s'.",
+ filename, linenum, cp ? cp : "<NONE>");
+ if (*intptr == SSH_PROTO_UNKNOWN)
+ *intptr = value;
+ break;
+
default:
fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
filename, linenum, cp, opcode);
*
*/
-/* RCSID("$Id: servconf.h,v 1.7 2000/04/12 08:45:07 damien Exp $"); */
+/* RCSID("$Id: servconf.h,v 1.8 2000/04/12 10:17:40 damien Exp $"); */
#ifndef SERVCONF_H
#define SERVCONF_H
* searching at */
int strict_modes; /* If true, require string home dir modes. */
int keepalives; /* If true, set SO_KEEPALIVE. */
+ char *ciphers; /* Ciphers in order of preference. */
+ int protocol; /* Protocol in order of preference. */
SyslogFacility log_facility; /* Facility for system logging. */
LogLevel log_level; /* Level for system logging. */
int rhosts_authentication; /* If true, permit rhosts
*/
#include "includes.h"
-RCSID("$Id: ssh.c,v 1.24 2000/04/06 02:32:40 damien Exp $");
+RCSID("$Id: ssh.c,v 1.25 2000/04/12 10:17:40 damien Exp $");
#include "xmalloc.h"
#include "ssh.h"
/* Flag indicating whether debug mode is on. This can be set on the command line. */
int debug_flag = 0;
+/* Flag indicating whether a tty should be allocated */
int tty_flag = 0;
/* don't exec a shell */
case 'v':
case 'V':
- fprintf(stderr, "SSH Version %s, protocol version %d.%d.\n",
- SSH_VERSION, PROTOCOL_MAJOR, PROTOCOL_MINOR);
+ fprintf(stderr, "SSH Version %s, protocol versions %d.%d/%d.%d.\n",
+ SSH_VERSION,
+ PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2);
fprintf(stderr, "Compiled with SSL (0x%8.8lx).\n", SSLeay());
if (opt == 'V')
exit(0);
*
*/
-/* RCSID("$Id: ssh.h,v 1.30 2000/04/12 08:45:07 damien Exp $"); */
+/* RCSID("$Id: ssh.h,v 1.31 2000/04/12 10:17:41 damien Exp $"); */
#ifndef SSH_H
#define SSH_H
/*
* Major protocol version. Different version indicates major incompatiblity
* that prevents communication.
- */
-#define PROTOCOL_MAJOR 1
-
-/*
+ *
* Minor protocol version. Different version indicates minor incompatibility
* that does not prevent interoperation.
*/
-#define PROTOCOL_MINOR 5
+#define PROTOCOL_MAJOR_1 1
+#define PROTOCOL_MINOR_1 5
+
+/* We support both SSH1 and SSH2 */
+#define PROTOCOL_MAJOR_2 2
+#define PROTOCOL_MINOR_2 0
/*
* Name for the service. The port named by this service overrides the
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.61 2000/04/04 21:37:27 markus Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.65 2000/04/12 07:56:16 markus Exp $");
#ifdef HAVE_OPENSSL
#include <openssl/bn.h>
ssh_exchange_identification()
{
char buf[256], remote_version[256]; /* must be same size! */
- int remote_major, remote_minor, i;
+ int remote_major, remote_minor, i, mismatch;
int connection_in = packet_get_connection_in();
int connection_out = packet_get_connection_out();
debug("Remote protocol version %d.%d, remote software version %.100s",
remote_major, remote_minor, remote_version);
-/*** XXX option for disabling 2.0 or 1.5 */
compat_datafellows(remote_version);
-
- /* Check if the remote protocol version is too old. */
- if (remote_major == 1 && remote_minor < 3)
- fatal("Remote machine has too old SSH software version.");
-
- /* We speak 1.3, too. */
- if (remote_major == 1 && remote_minor == 3) {
- enable_compat13();
- if (options.forward_agent) {
- log("Agent forwarding disabled for protocol 1.3");
- options.forward_agent = 0;
+ mismatch = 0;
+
+ switch(remote_major) {
+ case 1:
+ if (remote_minor == 99 &&
+ (options.protocol & SSH_PROTO_2) &&
+ !(options.protocol & SSH_PROTO_1_PREFERRED)) {
+ enable_compat20();
+ break;
}
+ if (!(options.protocol & SSH_PROTO_1)) {
+ mismatch = 1;
+ break;
+ }
+ if (remote_minor < 3) {
+ fatal("Remote machine has too old SSH software version.");
+ } else if (remote_minor == 3) {
+ /* We speak 1.3, too. */
+ enable_compat13();
+ if (options.forward_agent) {
+ log("Agent forwarding disabled for protocol 1.3");
+ options.forward_agent = 0;
+ }
+ }
+ break;
+ case 2:
+ if (options.protocol & SSH_PROTO_2) {
+ enable_compat20();
+ break;
+ }
+ /* FALLTHROUGH */
+ default:
+ mismatch = 1;
+ break;
}
- if ((remote_major == 2 && remote_minor == 0) ||
- (remote_major == 1 && remote_minor == 99)) {
- enable_compat20();
- }
-#if 0
- /*
- * Removed for now, to permit compatibility with latter versions. The
- * server will reject our version and disconnect if it doesn't
- * support it.
- */
- if (remote_major != PROTOCOL_MAJOR)
+ if (mismatch)
fatal("Protocol major versions differ: %d vs. %d",
- PROTOCOL_MAJOR, remote_major);
-#endif
+ (options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
+ remote_major);
+
/* Send our own protocol version identification. */
snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n",
- compat20 ? 2 : PROTOCOL_MAJOR,
- compat20 ? 0 : PROTOCOL_MINOR,
+ compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
+ compat20 ? PROTOCOL_MINOR_2 : PROTOCOL_MINOR_1,
SSH_VERSION);
if (atomicio(write, connection_out, buf, strlen(buf)) != strlen(buf))
fatal("write: %.100s", strerror(errno));
/* KEXINIT */
debug("Sending KEX init.");
- if (options.cipher == SSH_CIPHER_ARCFOUR ||
+ if (options.ciphers != NULL) {
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
+ } else if (
+ options.cipher == SSH_CIPHER_ARCFOUR ||
options.cipher == SSH_CIPHER_3DES_CBC ||
options.cipher == SSH_CIPHER_CAST128_CBC ||
options.cipher == SSH_CIPHER_BLOWFISH_CBC) {
- myproposal[PROPOSAL_ENC_ALGS_CTOS] = cipher_name(options.cipher);
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = cipher_name(options.cipher);
}
if (options.compression) {
debug("Sending SSH2_MSG_KEXDH_INIT.");
/* generate and send 'e', client DH public key */
- dh = new_dh_group1();
+ dh = dh_new_group1();
packet_start(SSH2_MSG_KEXDH_INIT);
packet_put_bignum2(dh->pub_key);
packet_send();
/* signed H */
signature = packet_get_string(&slen);
+ if (!dh_pub_is_valid(dh, dh_server_pub))
+ packet_disconnect("bad server public DH value");
+
klen = DH_size(dh);
kbuf = xmalloc(klen);
kout = DH_compute_key(kbuf, dh_server_pub, dh);
packet_write_wait();
debug("done: send SSH2_MSG_NEWKEYS.");
+#ifdef DEBUG_KEXDH
/* send 1st encrypted/maced/compressed message */
packet_start(SSH2_MSG_IGNORE);
packet_put_cstring("markus");
packet_send();
packet_write_wait();
-
+#endif
debug("done: KEX2.");
}
/*
unsigned int dlen;
int partial;
struct passwd *pw;
+ char prompt[80];
char *server_user, *local_user;
char *auths;
char *password;
fatal("passwd auth not supported: %s", auths);
xfree(auths);
/* try passwd */
- password = read_passphrase("password: ", 0);
+ snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ",
+ server_user, host);
+ password = read_passphrase(prompt, 0);
packet_start(SSH2_MSG_USERAUTH_REQUEST);
packet_put_cstring(server_user);
packet_put_cstring(service);
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.99 2000/04/07 09:17:39 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.103 2000/04/12 08:11:36 markus Exp $");
#include "xmalloc.h"
#include "rsa.h"
int IPv4or6 = AF_UNSPEC;
#endif
-/* Flag indicating whether SSH2 is enabled */
-int allow_ssh2 = 0;
-
/*
* Debug mode flag. This can be set on the command line. If debug
* mode is enabled, extra debugging output will be sent to the system
void
sshd_exchange_identification(int sock_in, int sock_out)
{
- int i;
+ int i, mismatch;
int remote_major, remote_minor;
+ int major, minor;
char *s;
char buf[256]; /* Must not be larger than remote_version. */
char remote_version[256]; /* Must be at least as big as buf. */
- snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n",
- allow_ssh2 ? 1 : PROTOCOL_MAJOR,
- allow_ssh2 ? 99 : PROTOCOL_MINOR,
- SSH_VERSION);
+ if ((options.protocol & SSH_PROTO_1) &&
+ (options.protocol & SSH_PROTO_2)) {
+ major = PROTOCOL_MAJOR_1;
+ minor = 99;
+ } else if (options.protocol & SSH_PROTO_2) {
+ major = PROTOCOL_MAJOR_2;
+ minor = PROTOCOL_MINOR_2;
+ } else {
+ major = PROTOCOL_MAJOR_1;
+ minor = PROTOCOL_MINOR_1;
+ }
+ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
server_version_string = xstrdup(buf);
if (client_version_string == NULL) {
buf[i] = '\n';
buf[i + 1] = 0;
continue;
- //break;
}
if (buf[i] == '\n') {
/* buf[i] == '\n' */
compat_datafellows(remote_version);
+ mismatch = 0;
switch(remote_major) {
case 1:
+ if (!(options.protocol & SSH_PROTO_1)) {
+ mismatch = 1;
+ break;
+ }
if (remote_minor < 3) {
packet_disconnect("Your ssh version is too old and"
"is no longer supported. Please install a newer version.");
/* note that this disables agent-forwarding */
enable_compat13();
}
- if (remote_minor != 99)
- break;
- /* FALLTHROUGH */
+ if (remote_minor == 99) {
+ if (options.protocol & SSH_PROTO_2)
+ enable_compat20();
+ else
+ mismatch = 1;
+ }
+ break;
case 2:
- if (allow_ssh2) {
+ if (options.protocol & SSH_PROTO_2) {
enable_compat20();
break;
}
/* FALLTHROUGH */
default:
+ mismatch = 1;
+ break;
+ }
+ chop(server_version_string);
+ chop(client_version_string);
+ debug("Local version string %.200s", server_version_string);
+
+ if (mismatch) {
s = "Protocol major versions differ.\n";
(void) atomicio(write, sock_out, s, strlen(s));
close(sock_in);
close(sock_out);
- log("Protocol major versions differ for %s: %d vs. %d",
- get_remote_ipaddr(), PROTOCOL_MAJOR, remote_major);
+ log("Protocol major versions differ for %s: %.200s vs. %.200s",
+ get_remote_ipaddr(),
+ server_version_string, client_version_string);
fatal_cleanup();
- break;
}
- chop(server_version_string);
- chop(client_version_string);
}
/*
initialize_server_options(&options);
/* Parse command-line arguments. */
- while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:diqQ246")) != EOF) {
+ while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:diqQ46")) != EOF) {
switch (opt) {
- case '2':
- allow_ssh2 = 1;
- break;
case '4':
IPv4or6 = AF_INET;
break;
public_key = RSA_new();
sensitive_data.private_key = RSA_new();
+ /* XXX check options.protocol */
log("Generating %d bit RSA key.", options.server_key_bits);
rsa_generate_key(sensitive_data.private_key, public_key,
options.server_key_bits);
/* KEXINIT */
+ if (options.ciphers != NULL) {
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
+ }
+
debug("Sending KEX init.");
for (i = 0; i < PROPOSAL_MAX; i++)
#endif
/* generate DH key */
- dh = new_dh_group1(); /* XXX depends on 'kex' */
+ dh = dh_new_group1(); /* XXX depends on 'kex' */
#ifdef DEBUG_KEXDH
fprintf(stderr, "\np= ");
bignum_print(dh->pub_key);
fprintf(stderr, "\n");
#endif
+ if (!dh_pub_is_valid(dh, dh_client_pub))
+ packet_disconnect("bad client public DH value");
klen = DH_size(dh);
kbuf = xmalloc(klen);
packet_read_expect(&payload_len, SSH2_MSG_NEWKEYS);
debug("GOT SSH2_MSG_NEWKEYS.");
+#ifdef DEBUG_KEXDH
/* send 1st encrypted/maced/compressed message */
packet_start(SSH2_MSG_IGNORE);
packet_put_cstring("markus");
packet_send();
packet_write_wait();
-
+#endif
debug("done: KEX2.");
}
projects / thirdparty / openssh-portable.git / commitdiff
