зеркало из https://github.com/Azure/sonic-openssh.git
- Merged OpenBSD CVS changes:
- [auth-rh-rsa.c auth-rsa.c authfd.c authfd.h hostfile.c mpaux.c] [mpaux.h ssh-add.c ssh-agent.c ssh.h ssh.c sshd.c] the keysize of rsa-parameter 'n' is passed implizit, a few more checks and warnings about 'pretended' keysizes. - [cipher.c cipher.h packet.c packet.h sshd.c] remove support for cipher RC4 - [ssh.c] a note for legay systems about secuity issues with permanently_set_uid(), the private hostkey and ptrace() - [sshconnect.c] more detailed messages about adding and checking hostkeys
This commit is contained in:
Родитель
4874c79a3a
Коммит
7e8e820153
15
ChangeLog
15
ChangeLog
|
@ -1,3 +1,18 @@
|
||||||
|
19991116
|
||||||
|
- Fix some Linux libc5 problems reported by Miles Wilson <mw@mctitle.com>
|
||||||
|
- Merged OpenBSD CVS changes:
|
||||||
|
- [auth-rh-rsa.c auth-rsa.c authfd.c authfd.h hostfile.c mpaux.c]
|
||||||
|
[mpaux.h ssh-add.c ssh-agent.c ssh.h ssh.c sshd.c]
|
||||||
|
the keysize of rsa-parameter 'n' is passed implizit,
|
||||||
|
a few more checks and warnings about 'pretended' keysizes.
|
||||||
|
- [cipher.c cipher.h packet.c packet.h sshd.c]
|
||||||
|
remove support for cipher RC4
|
||||||
|
- [ssh.c]
|
||||||
|
a note for legay systems about secuity issues with permanently_set_uid(),
|
||||||
|
the private hostkey and ptrace()
|
||||||
|
- [sshconnect.c]
|
||||||
|
more detailed messages about adding and checking hostkeys
|
||||||
|
|
||||||
19991115
|
19991115
|
||||||
- Merged OpenBSD CVS changes:
|
- Merged OpenBSD CVS changes:
|
||||||
- [ssh-add.c] change passphrase loop logic and remove ref to
|
- [ssh-add.c] change passphrase loop logic and remove ref to
|
||||||
|
|
|
@ -15,7 +15,7 @@ authentication.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$Id: auth-rh-rsa.c,v 1.4 1999/11/12 04:19:27 damien Exp $");
|
RCSID("$Id: auth-rh-rsa.c,v 1.5 1999/11/16 02:37:16 damien Exp $");
|
||||||
|
|
||||||
#include "packet.h"
|
#include "packet.h"
|
||||||
#include "ssh.h"
|
#include "ssh.h"
|
||||||
|
@ -27,7 +27,6 @@ RCSID("$Id: auth-rh-rsa.c,v 1.4 1999/11/12 04:19:27 damien Exp $");
|
||||||
its host key. Returns true if authentication succeeds. */
|
its host key. Returns true if authentication succeeds. */
|
||||||
|
|
||||||
int auth_rhosts_rsa(struct passwd *pw, const char *client_user,
|
int auth_rhosts_rsa(struct passwd *pw, const char *client_user,
|
||||||
unsigned int client_host_key_bits,
|
|
||||||
BIGNUM *client_host_key_e, BIGNUM *client_host_key_n)
|
BIGNUM *client_host_key_e, BIGNUM *client_host_key_n)
|
||||||
{
|
{
|
||||||
extern ServerOptions options;
|
extern ServerOptions options;
|
||||||
|
@ -51,8 +50,7 @@ int auth_rhosts_rsa(struct passwd *pw, const char *client_user,
|
||||||
ke = BN_new();
|
ke = BN_new();
|
||||||
kn = BN_new();
|
kn = BN_new();
|
||||||
host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname,
|
host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname,
|
||||||
client_host_key_bits, client_host_key_e,
|
client_host_key_e, client_host_key_n, ke, kn);
|
||||||
client_host_key_n, ke, kn);
|
|
||||||
|
|
||||||
/* Check user host file unless ignored. */
|
/* Check user host file unless ignored. */
|
||||||
if (host_status != HOST_OK && !options.ignore_user_known_hosts) {
|
if (host_status != HOST_OK && !options.ignore_user_known_hosts) {
|
||||||
|
@ -70,8 +68,7 @@ int auth_rhosts_rsa(struct passwd *pw, const char *client_user,
|
||||||
/* XXX race between stat and the following open() */
|
/* XXX race between stat and the following open() */
|
||||||
temporarily_use_uid(pw->pw_uid);
|
temporarily_use_uid(pw->pw_uid);
|
||||||
host_status = check_host_in_hostfile(user_hostfile, canonical_hostname,
|
host_status = check_host_in_hostfile(user_hostfile, canonical_hostname,
|
||||||
client_host_key_bits, client_host_key_e,
|
client_host_key_e, client_host_key_n, ke, kn);
|
||||||
client_host_key_n, ke, kn);
|
|
||||||
restore_uid();
|
restore_uid();
|
||||||
}
|
}
|
||||||
xfree(user_hostfile);
|
xfree(user_hostfile);
|
||||||
|
@ -89,8 +86,7 @@ int auth_rhosts_rsa(struct passwd *pw, const char *client_user,
|
||||||
/* A matching host key was found and is known. */
|
/* A matching host key was found and is known. */
|
||||||
|
|
||||||
/* Perform the challenge-response dialog with the client for the host key. */
|
/* Perform the challenge-response dialog with the client for the host key. */
|
||||||
if (!auth_rsa_challenge_dialog(client_host_key_bits,
|
if (!auth_rsa_challenge_dialog(client_host_key_e, client_host_key_n))
|
||||||
client_host_key_e, client_host_key_n))
|
|
||||||
{
|
{
|
||||||
log("Client on %.800s failed to respond correctly to host authentication.",
|
log("Client on %.800s failed to respond correctly to host authentication.",
|
||||||
canonical_hostname);
|
canonical_hostname);
|
||||||
|
|
24
auth-rsa.c
24
auth-rsa.c
|
@ -16,7 +16,7 @@ validity of the host key.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$Id: auth-rsa.c,v 1.6 1999/11/12 23:51:58 damien Exp $");
|
RCSID("$Id: auth-rsa.c,v 1.7 1999/11/16 02:37:16 damien Exp $");
|
||||||
|
|
||||||
#include "rsa.h"
|
#include "rsa.h"
|
||||||
#include "packet.h"
|
#include "packet.h"
|
||||||
|
@ -61,7 +61,7 @@ extern unsigned char session_id[16];
|
||||||
our challenge; returns zero if the client gives a wrong answer. */
|
our challenge; returns zero if the client gives a wrong answer. */
|
||||||
|
|
||||||
int
|
int
|
||||||
auth_rsa_challenge_dialog(unsigned int bits, BIGNUM *e, BIGNUM *n)
|
auth_rsa_challenge_dialog(BIGNUM *e, BIGNUM *n)
|
||||||
{
|
{
|
||||||
BIGNUM *challenge, *encrypted_challenge, *aux;
|
BIGNUM *challenge, *encrypted_challenge, *aux;
|
||||||
RSA *pk;
|
RSA *pk;
|
||||||
|
@ -138,7 +138,7 @@ int
|
||||||
auth_rsa(struct passwd *pw, BIGNUM *client_n)
|
auth_rsa(struct passwd *pw, BIGNUM *client_n)
|
||||||
{
|
{
|
||||||
extern ServerOptions options;
|
extern ServerOptions options;
|
||||||
char line[8192];
|
char line[8192], file[1024];
|
||||||
int authenticated;
|
int authenticated;
|
||||||
unsigned int bits;
|
unsigned int bits;
|
||||||
FILE *f;
|
FILE *f;
|
||||||
|
@ -150,11 +150,11 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
|
||||||
temporarily_use_uid(pw->pw_uid);
|
temporarily_use_uid(pw->pw_uid);
|
||||||
|
|
||||||
/* The authorized keys. */
|
/* The authorized keys. */
|
||||||
snprintf(line, sizeof line, "%.500s/%.100s", pw->pw_dir,
|
snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir,
|
||||||
SSH_USER_PERMITTED_KEYS);
|
SSH_USER_PERMITTED_KEYS);
|
||||||
|
|
||||||
/* Fail quietly if file does not exist */
|
/* Fail quietly if file does not exist */
|
||||||
if (stat(line, &st) < 0)
|
if (stat(file, &st) < 0)
|
||||||
{
|
{
|
||||||
/* Restore the privileged uid. */
|
/* Restore the privileged uid. */
|
||||||
restore_uid();
|
restore_uid();
|
||||||
|
@ -162,12 +162,12 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Open the file containing the authorized keys. */
|
/* Open the file containing the authorized keys. */
|
||||||
f = fopen(line, "r");
|
f = fopen(file, "r");
|
||||||
if (!f)
|
if (!f)
|
||||||
{
|
{
|
||||||
/* Restore the privileged uid. */
|
/* Restore the privileged uid. */
|
||||||
restore_uid();
|
restore_uid();
|
||||||
packet_send_debug("Could not open %.900s for reading.", line);
|
packet_send_debug("Could not open %.900s for reading.", file);
|
||||||
packet_send_debug("If your home is on an NFS volume, it may need to be world-readable.");
|
packet_send_debug("If your home is on an NFS volume, it may need to be world-readable.");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -180,7 +180,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
|
||||||
(st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
|
(st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
|
||||||
(st.st_mode & 022) != 0) {
|
(st.st_mode & 022) != 0) {
|
||||||
snprintf(buf, sizeof buf, "RSA authentication refused for %.100s: "
|
snprintf(buf, sizeof buf, "RSA authentication refused for %.100s: "
|
||||||
"bad ownership or modes for '%s'.", pw->pw_name, line);
|
"bad ownership or modes for '%s'.", pw->pw_name, file);
|
||||||
fail=1;
|
fail=1;
|
||||||
}else{
|
}else{
|
||||||
/* Check path to SSH_USER_PERMITTED_KEYS */
|
/* Check path to SSH_USER_PERMITTED_KEYS */
|
||||||
|
@ -263,6 +263,12 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
|
||||||
}
|
}
|
||||||
/* cp now points to the comment part. */
|
/* cp now points to the comment part. */
|
||||||
|
|
||||||
|
/* check the real bits */
|
||||||
|
if (bits != BN_num_bits(n))
|
||||||
|
error("Warning: error in %s, line %d: keysize mismatch: "
|
||||||
|
"actual size %d vs. announced %d.",
|
||||||
|
file, linenum, BN_num_bits(n), bits);
|
||||||
|
|
||||||
/* Check if the we have found the desired key (identified by its
|
/* Check if the we have found the desired key (identified by its
|
||||||
modulus). */
|
modulus). */
|
||||||
if (BN_cmp(n, client_n) != 0)
|
if (BN_cmp(n, client_n) != 0)
|
||||||
|
@ -271,7 +277,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
|
||||||
/* We have found the desired key. */
|
/* We have found the desired key. */
|
||||||
|
|
||||||
/* Perform the challenge-response dialog for this key. */
|
/* Perform the challenge-response dialog for this key. */
|
||||||
if (!auth_rsa_challenge_dialog(bits, e, n))
|
if (!auth_rsa_challenge_dialog(e, n))
|
||||||
{
|
{
|
||||||
/* Wrong response. */
|
/* Wrong response. */
|
||||||
log("Wrong response to RSA authentication challenge.");
|
log("Wrong response to RSA authentication challenge.");
|
||||||
|
|
20
authfd.c
20
authfd.c
|
@ -14,7 +14,7 @@ Functions for connecting the local authentication agent.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$Id: authfd.c,v 1.3 1999/11/12 23:51:58 damien Exp $");
|
RCSID("$Id: authfd.c,v 1.4 1999/11/16 02:37:16 damien Exp $");
|
||||||
|
|
||||||
#include "ssh.h"
|
#include "ssh.h"
|
||||||
#include "rsa.h"
|
#include "rsa.h"
|
||||||
|
@ -117,7 +117,7 @@ void ssh_close_authentication_connection(AuthenticationConnection *ac)
|
||||||
|
|
||||||
int
|
int
|
||||||
ssh_get_first_identity(AuthenticationConnection *auth,
|
ssh_get_first_identity(AuthenticationConnection *auth,
|
||||||
int *bitsp, BIGNUM *e, BIGNUM *n, char **comment)
|
BIGNUM *e, BIGNUM *n, char **comment)
|
||||||
{
|
{
|
||||||
unsigned char msg[8192];
|
unsigned char msg[8192];
|
||||||
int len, l;
|
int len, l;
|
||||||
|
@ -179,7 +179,7 @@ ssh_get_first_identity(AuthenticationConnection *auth,
|
||||||
fatal("Too many identities in authentication reply: %d\n", auth->howmany);
|
fatal("Too many identities in authentication reply: %d\n", auth->howmany);
|
||||||
|
|
||||||
/* Return the first entry (if any). */
|
/* Return the first entry (if any). */
|
||||||
return ssh_get_next_identity(auth, bitsp, e, n, comment);
|
return ssh_get_next_identity(auth, e, n, comment);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Returns the next authentication identity for the agent. Other functions
|
/* Returns the next authentication identity for the agent. Other functions
|
||||||
|
@ -189,19 +189,25 @@ ssh_get_first_identity(AuthenticationConnection *auth,
|
||||||
|
|
||||||
int
|
int
|
||||||
ssh_get_next_identity(AuthenticationConnection *auth,
|
ssh_get_next_identity(AuthenticationConnection *auth,
|
||||||
int *bitsp, BIGNUM *e, BIGNUM *n, char **comment)
|
BIGNUM *e, BIGNUM *n, char **comment)
|
||||||
{
|
{
|
||||||
|
unsigned int bits;
|
||||||
|
|
||||||
/* Return failure if no more entries. */
|
/* Return failure if no more entries. */
|
||||||
if (auth->howmany <= 0)
|
if (auth->howmany <= 0)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
/* Get the next entry from the packet. These will abort with a fatal
|
/* Get the next entry from the packet. These will abort with a fatal
|
||||||
error if the packet is too short or contains corrupt data. */
|
error if the packet is too short or contains corrupt data. */
|
||||||
*bitsp = buffer_get_int(&auth->identities);
|
bits = buffer_get_int(&auth->identities);
|
||||||
buffer_get_bignum(&auth->identities, e);
|
buffer_get_bignum(&auth->identities, e);
|
||||||
buffer_get_bignum(&auth->identities, n);
|
buffer_get_bignum(&auth->identities, n);
|
||||||
*comment = buffer_get_string(&auth->identities, NULL);
|
*comment = buffer_get_string(&auth->identities, NULL);
|
||||||
|
|
||||||
|
if (bits != BN_num_bits(n))
|
||||||
|
error("Warning: keysize mismatch: actual %d, announced %s",
|
||||||
|
BN_num_bits(n), bits);
|
||||||
|
|
||||||
/* Decrement the number of remaining entries. */
|
/* Decrement the number of remaining entries. */
|
||||||
auth->howmany--;
|
auth->howmany--;
|
||||||
|
|
||||||
|
@ -216,7 +222,7 @@ ssh_get_next_identity(AuthenticationConnection *auth,
|
||||||
|
|
||||||
int
|
int
|
||||||
ssh_decrypt_challenge(AuthenticationConnection *auth,
|
ssh_decrypt_challenge(AuthenticationConnection *auth,
|
||||||
int bits, BIGNUM *e, BIGNUM *n, BIGNUM *challenge,
|
BIGNUM *e, BIGNUM *n, BIGNUM *challenge,
|
||||||
unsigned char session_id[16],
|
unsigned char session_id[16],
|
||||||
unsigned int response_type,
|
unsigned int response_type,
|
||||||
unsigned char response[16])
|
unsigned char response[16])
|
||||||
|
@ -233,7 +239,7 @@ ssh_decrypt_challenge(AuthenticationConnection *auth,
|
||||||
buf[0] = SSH_AGENTC_RSA_CHALLENGE;
|
buf[0] = SSH_AGENTC_RSA_CHALLENGE;
|
||||||
buffer_init(&buffer);
|
buffer_init(&buffer);
|
||||||
buffer_append(&buffer, (char *)buf, 1);
|
buffer_append(&buffer, (char *)buf, 1);
|
||||||
buffer_put_int(&buffer, bits);
|
buffer_put_int(&buffer, BN_num_bits(n));
|
||||||
buffer_put_bignum(&buffer, e);
|
buffer_put_bignum(&buffer, e);
|
||||||
buffer_put_bignum(&buffer, n);
|
buffer_put_bignum(&buffer, n);
|
||||||
buffer_put_bignum(&buffer, challenge);
|
buffer_put_bignum(&buffer, challenge);
|
||||||
|
|
8
authfd.h
8
authfd.h
|
@ -13,7 +13,7 @@ Functions to interface with the SSH_AUTHENTICATION_FD socket.
|
||||||
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* RCSID("$Id: authfd.h,v 1.1 1999/10/27 03:42:43 damien Exp $"); */
|
/* RCSID("$Id: authfd.h,v 1.2 1999/11/16 02:37:16 damien Exp $"); */
|
||||||
|
|
||||||
#ifndef AUTHFD_H
|
#ifndef AUTHFD_H
|
||||||
#define AUTHFD_H
|
#define AUTHFD_H
|
||||||
|
@ -62,19 +62,19 @@ void ssh_close_authentication_connection(AuthenticationConnection *ac);
|
||||||
The caller must initialize the integers before the call, and free the
|
The caller must initialize the integers before the call, and free the
|
||||||
comment after a successful call (before calling ssh_get_next_identity). */
|
comment after a successful call (before calling ssh_get_next_identity). */
|
||||||
int ssh_get_first_identity(AuthenticationConnection *connection,
|
int ssh_get_first_identity(AuthenticationConnection *connection,
|
||||||
int *bitsp, BIGNUM *e, BIGNUM *n, char **comment);
|
BIGNUM *e, BIGNUM *n, char **comment);
|
||||||
|
|
||||||
/* Returns the next authentication identity for the agent. Other functions
|
/* Returns the next authentication identity for the agent. Other functions
|
||||||
can be called between this and ssh_get_first_identity or two calls of this
|
can be called between this and ssh_get_first_identity or two calls of this
|
||||||
function. This returns 0 if there are no more identities. The caller
|
function. This returns 0 if there are no more identities. The caller
|
||||||
must free comment after a successful return. */
|
must free comment after a successful return. */
|
||||||
int ssh_get_next_identity(AuthenticationConnection *connection,
|
int ssh_get_next_identity(AuthenticationConnection *connection,
|
||||||
int *bitsp, BIGNUM *e, BIGNUM *n, char **comment);
|
BIGNUM *e, BIGNUM *n, char **comment);
|
||||||
|
|
||||||
/* Requests the agent to decrypt the given challenge. Returns true if
|
/* Requests the agent to decrypt the given challenge. Returns true if
|
||||||
the agent claims it was able to decrypt it. */
|
the agent claims it was able to decrypt it. */
|
||||||
int ssh_decrypt_challenge(AuthenticationConnection *auth,
|
int ssh_decrypt_challenge(AuthenticationConnection *auth,
|
||||||
int bits, BIGNUM *e, BIGNUM *n, BIGNUM *challenge,
|
BIGNUM *e, BIGNUM *n, BIGNUM *challenge,
|
||||||
unsigned char session_id[16],
|
unsigned char session_id[16],
|
||||||
unsigned int response_type,
|
unsigned int response_type,
|
||||||
unsigned char response[16]);
|
unsigned char response[16]);
|
||||||
|
|
4
cipher.c
4
cipher.c
|
@ -12,7 +12,7 @@ Created: Wed Apr 19 17:41:39 1995 ylo
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$Id: cipher.c,v 1.5 1999/11/12 23:51:58 damien Exp $");
|
RCSID("$Id: cipher.c,v 1.6 1999/11/16 02:37:16 damien Exp $");
|
||||||
|
|
||||||
#include "ssh.h"
|
#include "ssh.h"
|
||||||
#include "cipher.h"
|
#include "cipher.h"
|
||||||
|
@ -235,7 +235,7 @@ void cipher_set_key(CipherContext *context, int cipher,
|
||||||
break;
|
break;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
fatal("cipher_set_key: unknown cipher: %d", cipher);
|
fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
|
||||||
}
|
}
|
||||||
memset(padded, 0, sizeof(padded));
|
memset(padded, 0, sizeof(padded));
|
||||||
}
|
}
|
||||||
|
|
10
cipher.h
10
cipher.h
|
@ -11,13 +11,13 @@ Created: Wed Apr 19 16:50:42 1995 ylo
|
||||||
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* RCSID("$Id: cipher.h,v 1.2 1999/10/28 03:25:17 damien Exp $"); */
|
/* RCSID("$Id: cipher.h,v 1.3 1999/11/16 02:37:16 damien Exp $"); */
|
||||||
|
|
||||||
#include "config.h"
|
|
||||||
|
|
||||||
#ifndef CIPHER_H
|
#ifndef CIPHER_H
|
||||||
#define CIPHER_H
|
#define CIPHER_H
|
||||||
|
|
||||||
|
#include "config.h"
|
||||||
|
|
||||||
#ifdef HAVE_OPENSSL
|
#ifdef HAVE_OPENSSL
|
||||||
#include <openssl/des.h>
|
#include <openssl/des.h>
|
||||||
#include <openssl/blowfish.h>
|
#include <openssl/blowfish.h>
|
||||||
|
@ -34,8 +34,8 @@ Created: Wed Apr 19 16:50:42 1995 ylo
|
||||||
#define SSH_CIPHER_IDEA 1 /* IDEA CFB */
|
#define SSH_CIPHER_IDEA 1 /* IDEA CFB */
|
||||||
#define SSH_CIPHER_DES 2 /* DES CBC */
|
#define SSH_CIPHER_DES 2 /* DES CBC */
|
||||||
#define SSH_CIPHER_3DES 3 /* 3DES CBC */
|
#define SSH_CIPHER_3DES 3 /* 3DES CBC */
|
||||||
#define SSH_CIPHER_TSS 4 /* TRI's Simple Stream encryption CBC */
|
#define SSH_CIPHER_BROKEN_TSS 4 /* TRI's Simple Stream encryption CBC */
|
||||||
#define SSH_CIPHER_RC4 5 /* Alleged RC4 */
|
#define SSH_CIPHER_BROKEN_RC4 5 /* Alleged RC4 */
|
||||||
#define SSH_CIPHER_BLOWFISH 6
|
#define SSH_CIPHER_BLOWFISH 6
|
||||||
|
|
||||||
typedef struct {
|
typedef struct {
|
||||||
|
|
43
hostfile.c
43
hostfile.c
|
@ -14,7 +14,7 @@ Functions for manipulating the known hosts files.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$Id: hostfile.c,v 1.2 1999/11/08 05:15:55 damien Exp $");
|
RCSID("$Id: hostfile.c,v 1.3 1999/11/16 02:37:16 damien Exp $");
|
||||||
|
|
||||||
#include "packet.h"
|
#include "packet.h"
|
||||||
#include "ssh.h"
|
#include "ssh.h"
|
||||||
|
@ -166,29 +166,20 @@ match_hostname(const char *host, const char *pattern, unsigned int len)
|
||||||
but used to have a different host key. */
|
but used to have a different host key. */
|
||||||
|
|
||||||
HostStatus
|
HostStatus
|
||||||
check_host_in_hostfile(const char *filename,
|
check_host_in_hostfile(const char *filename, const char *host,
|
||||||
const char *host, unsigned int bits,
|
BIGNUM *e, BIGNUM *n, BIGNUM *ke, BIGNUM *kn)
|
||||||
BIGNUM *e, BIGNUM *n,
|
|
||||||
BIGNUM *ke, BIGNUM *kn)
|
|
||||||
{
|
{
|
||||||
FILE *f;
|
FILE *f;
|
||||||
char line[8192];
|
char line[8192];
|
||||||
unsigned int kbits, hostlen;
|
int linenum = 0;
|
||||||
|
unsigned int bits, kbits, hostlen;
|
||||||
char *cp, *cp2;
|
char *cp, *cp2;
|
||||||
HostStatus end_return;
|
HostStatus end_return;
|
||||||
struct stat st;
|
|
||||||
|
|
||||||
/* Open the file containing the list of known hosts. */
|
/* Open the file containing the list of known hosts. */
|
||||||
f = fopen(filename, "r");
|
f = fopen(filename, "r");
|
||||||
if (!f)
|
if (!f)
|
||||||
{
|
|
||||||
if (stat(filename, &st) >= 0)
|
|
||||||
{
|
|
||||||
packet_send_debug("Could not open %.900s for reading.", filename);
|
|
||||||
packet_send_debug("If your home directory is on an NFS volume, it may need to be world-readable.");
|
|
||||||
}
|
|
||||||
return HOST_NEW;
|
return HOST_NEW;
|
||||||
}
|
|
||||||
|
|
||||||
/* Cache the length of the host name. */
|
/* Cache the length of the host name. */
|
||||||
hostlen = strlen(host);
|
hostlen = strlen(host);
|
||||||
|
@ -198,10 +189,14 @@ check_host_in_hostfile(const char *filename,
|
||||||
one. */
|
one. */
|
||||||
end_return = HOST_NEW;
|
end_return = HOST_NEW;
|
||||||
|
|
||||||
|
/* size of modulus 'n' */
|
||||||
|
bits = BN_num_bits(n);
|
||||||
|
|
||||||
/* Go trough the file. */
|
/* Go trough the file. */
|
||||||
while (fgets(line, sizeof(line), f))
|
while (fgets(line, sizeof(line), f))
|
||||||
{
|
{
|
||||||
cp = line;
|
cp = line;
|
||||||
|
linenum++;
|
||||||
|
|
||||||
/* Skip any leading whitespace. */
|
/* Skip any leading whitespace. */
|
||||||
for (; *cp == ' ' || *cp == '\t'; cp++)
|
for (; *cp == ' ' || *cp == '\t'; cp++)
|
||||||
|
@ -227,7 +222,15 @@ check_host_in_hostfile(const char *filename,
|
||||||
if (!auth_rsa_read_key(&cp, &kbits, ke, kn))
|
if (!auth_rsa_read_key(&cp, &kbits, ke, kn))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
/* Check if the current key is the same as the previous one. */
|
if (kbits != BN_num_bits(kn)) {
|
||||||
|
error("Warning: error in %s, line %d: keysize mismatch for host %s: "
|
||||||
|
"actual size %d vs. announced %d.",
|
||||||
|
filename, linenum, host, BN_num_bits(kn), kbits);
|
||||||
|
error("Warning: replace %d with %d in %s, line %d.",
|
||||||
|
kbits, BN_num_bits(kn), filename, linenum);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Check if the current key is the same as the given key. */
|
||||||
if (kbits == bits && BN_cmp(ke, e) == 0 && BN_cmp(kn, n) == 0)
|
if (kbits == bits && BN_cmp(ke, e) == 0 && BN_cmp(kn, n) == 0)
|
||||||
{
|
{
|
||||||
/* Ok, they match. */
|
/* Ok, they match. */
|
||||||
|
@ -252,21 +255,25 @@ check_host_in_hostfile(const char *filename,
|
||||||
|
|
||||||
int
|
int
|
||||||
add_host_to_hostfile(const char *filename, const char *host,
|
add_host_to_hostfile(const char *filename, const char *host,
|
||||||
unsigned int bits, BIGNUM *e, BIGNUM *n)
|
BIGNUM *e, BIGNUM *n)
|
||||||
{
|
{
|
||||||
FILE *f;
|
FILE *f;
|
||||||
char *buf;
|
char *buf;
|
||||||
|
unsigned int bits;
|
||||||
|
|
||||||
/* Open the file for appending. */
|
/* Open the file for appending. */
|
||||||
f = fopen(filename, "a");
|
f = fopen(filename, "a");
|
||||||
if (!f)
|
if (!f)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
/* size of modulus 'n' */
|
||||||
|
bits = BN_num_bits(n);
|
||||||
|
|
||||||
/* Print the host name and key to the file. */
|
/* Print the host name and key to the file. */
|
||||||
fprintf(f, "%s %u ", host, bits);
|
fprintf(f, "%s %u ", host, bits);
|
||||||
buf = BN_bn2dec(e);
|
buf = BN_bn2dec(e);
|
||||||
if (buf == NULL) {
|
if (buf == NULL) {
|
||||||
error("add_host_to_hostfile: BN_bn2dec #1 failed");
|
error("add_host_to_hostfile: BN_bn2dec(e) failed");
|
||||||
fclose(f);
|
fclose(f);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -274,7 +281,7 @@ add_host_to_hostfile(const char *filename, const char *host,
|
||||||
free (buf);
|
free (buf);
|
||||||
buf = BN_bn2dec(n);
|
buf = BN_bn2dec(n);
|
||||||
if (buf == NULL) {
|
if (buf == NULL) {
|
||||||
error("add_host_to_hostfile: BN_bn2dec #2 failed");
|
error("add_host_to_hostfile: BN_bn2dec(n) failed");
|
||||||
fclose(f);
|
fclose(f);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
6
mpaux.c
6
mpaux.c
|
@ -15,7 +15,7 @@ precision integers.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$Id: mpaux.c,v 1.5 1999/11/12 23:51:58 damien Exp $");
|
RCSID("$Id: mpaux.c,v 1.6 1999/11/16 02:37:16 damien Exp $");
|
||||||
|
|
||||||
#ifdef HAVE_OPENSSL
|
#ifdef HAVE_OPENSSL
|
||||||
#include <openssl/bn.h>
|
#include <openssl/bn.h>
|
||||||
|
@ -33,11 +33,11 @@ RCSID("$Id: mpaux.c,v 1.5 1999/11/12 23:51:58 damien Exp $");
|
||||||
void
|
void
|
||||||
compute_session_id(unsigned char session_id[16],
|
compute_session_id(unsigned char session_id[16],
|
||||||
unsigned char cookie[8],
|
unsigned char cookie[8],
|
||||||
unsigned int host_key_bits,
|
|
||||||
BIGNUM *host_key_n,
|
BIGNUM *host_key_n,
|
||||||
unsigned int session_key_bits,
|
|
||||||
BIGNUM *session_key_n)
|
BIGNUM *session_key_n)
|
||||||
{
|
{
|
||||||
|
unsigned int host_key_bits = BN_num_bits(host_key_n);
|
||||||
|
unsigned int session_key_bits = BN_num_bits(session_key_n);
|
||||||
unsigned int bytes = (host_key_bits + 7) / 8 + (session_key_bits + 7) / 8 + 8;
|
unsigned int bytes = (host_key_bits + 7) / 8 + (session_key_bits + 7) / 8 + 8;
|
||||||
unsigned char *buf = xmalloc(bytes);
|
unsigned char *buf = xmalloc(bytes);
|
||||||
MD5_CTX md;
|
MD5_CTX md;
|
||||||
|
|
4
mpaux.h
4
mpaux.h
|
@ -14,7 +14,7 @@ precision integers.
|
||||||
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* RCSID("$Id: mpaux.h,v 1.1 1999/10/27 03:42:44 damien Exp $"); */
|
/* RCSID("$Id: mpaux.h,v 1.2 1999/11/16 02:37:16 damien Exp $"); */
|
||||||
|
|
||||||
#ifndef MPAUX_H
|
#ifndef MPAUX_H
|
||||||
#define MPAUX_H
|
#define MPAUX_H
|
||||||
|
@ -24,9 +24,7 @@ precision integers.
|
||||||
first representations of host_key_n, session_key_n, and the cookie. */
|
first representations of host_key_n, session_key_n, and the cookie. */
|
||||||
void compute_session_id(unsigned char session_id[16],
|
void compute_session_id(unsigned char session_id[16],
|
||||||
unsigned char cookie[8],
|
unsigned char cookie[8],
|
||||||
unsigned int host_key_bits,
|
|
||||||
BIGNUM *host_key_n,
|
BIGNUM *host_key_n,
|
||||||
unsigned int session_key_bits,
|
|
||||||
BIGNUM *session_key_n);
|
BIGNUM *session_key_n);
|
||||||
|
|
||||||
#endif /* MPAUX_H */
|
#endif /* MPAUX_H */
|
||||||
|
|
23
packet.c
23
packet.c
|
@ -15,7 +15,7 @@ with the other side. This same code is used both on client and server side.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$Id: packet.c,v 1.2 1999/11/08 05:15:55 damien Exp $");
|
RCSID("$Id: packet.c,v 1.3 1999/11/16 02:37:16 damien Exp $");
|
||||||
|
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
#include "buffer.h"
|
#include "buffer.h"
|
||||||
|
@ -236,30 +236,11 @@ packet_decrypt(CipherContext *cc, void *dest, void *src,
|
||||||
|
|
||||||
void
|
void
|
||||||
packet_set_encryption_key(const unsigned char *key, unsigned int keylen,
|
packet_set_encryption_key(const unsigned char *key, unsigned int keylen,
|
||||||
int cipher, int is_client)
|
int cipher)
|
||||||
{
|
{
|
||||||
cipher_type = cipher;
|
|
||||||
if (cipher == SSH_CIPHER_RC4)
|
|
||||||
{
|
|
||||||
if (is_client)
|
|
||||||
{ /* In client: use first half for receiving, second for sending. */
|
|
||||||
cipher_set_key(&receive_context, cipher, key, keylen / 2, 0);
|
|
||||||
cipher_set_key(&send_context, cipher, key + keylen / 2,
|
|
||||||
keylen / 2, 1);
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{ /* In server: use first half for sending, second for receiving. */
|
|
||||||
cipher_set_key(&receive_context, cipher, key + keylen / 2,
|
|
||||||
keylen / 2, 0);
|
|
||||||
cipher_set_key(&send_context, cipher, key, keylen / 2, 1);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
/* All other ciphers use the same key in both directions for now. */
|
/* All other ciphers use the same key in both directions for now. */
|
||||||
cipher_set_key(&receive_context, cipher, key, keylen, 0);
|
cipher_set_key(&receive_context, cipher, key, keylen, 0);
|
||||||
cipher_set_key(&send_context, cipher, key, keylen, 1);
|
cipher_set_key(&send_context, cipher, key, keylen, 1);
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Starts constructing a packet to send. */
|
/* Starts constructing a packet to send. */
|
||||||
|
|
4
packet.h
4
packet.h
|
@ -13,7 +13,7 @@ Interface for the packet protocol functions.
|
||||||
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* RCSID("$Id: packet.h,v 1.3 1999/11/15 04:40:55 damien Exp $"); */
|
/* RCSID("$Id: packet.h,v 1.4 1999/11/16 02:37:16 damien Exp $"); */
|
||||||
|
|
||||||
#ifndef PACKET_H
|
#ifndef PACKET_H
|
||||||
#define PACKET_H
|
#define PACKET_H
|
||||||
|
@ -51,7 +51,7 @@ void packet_close(void);
|
||||||
are encrypted independently of each other. Cipher types are
|
are encrypted independently of each other. Cipher types are
|
||||||
defined in ssh.h. */
|
defined in ssh.h. */
|
||||||
void packet_set_encryption_key(const unsigned char *key, unsigned int keylen,
|
void packet_set_encryption_key(const unsigned char *key, unsigned int keylen,
|
||||||
int cipher_type, int is_client);
|
int cipher_type);
|
||||||
|
|
||||||
/* Sets remote side protocol flags for the current connection. This can
|
/* Sets remote side protocol flags for the current connection. This can
|
||||||
be called at any time. */
|
be called at any time. */
|
||||||
|
|
35
ssh-add.c
35
ssh-add.c
|
@ -14,7 +14,7 @@ Adds an identity to the authentication server, or removes an identity.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$Id: ssh-add.c,v 1.8 1999/11/15 06:10:57 damien Exp $");
|
RCSID("$Id: ssh-add.c,v 1.9 1999/11/16 02:37:16 damien Exp $");
|
||||||
|
|
||||||
#include "rsa.h"
|
#include "rsa.h"
|
||||||
#include "ssh.h"
|
#include "ssh.h"
|
||||||
|
@ -133,33 +133,32 @@ void
|
||||||
list_identities(AuthenticationConnection *ac)
|
list_identities(AuthenticationConnection *ac)
|
||||||
{
|
{
|
||||||
BIGNUM *e, *n;
|
BIGNUM *e, *n;
|
||||||
int bits, status;
|
int status;
|
||||||
char *comment;
|
char *comment;
|
||||||
int had_identities;
|
int had_identities;
|
||||||
|
|
||||||
e = BN_new();
|
e = BN_new();
|
||||||
n = BN_new();
|
n = BN_new();
|
||||||
had_identities = 0;
|
had_identities = 0;
|
||||||
for (status = ssh_get_first_identity(ac, &bits, e, n, &comment);
|
for (status = ssh_get_first_identity(ac, e, n, &comment);
|
||||||
status;
|
status;
|
||||||
status = ssh_get_next_identity(ac, &bits, e, n, &comment))
|
status = ssh_get_next_identity(ac, e, n, &comment))
|
||||||
{
|
{
|
||||||
char *buf;
|
char *ebuf, *nbuf;
|
||||||
had_identities = 1;
|
had_identities = 1;
|
||||||
printf("%d ", bits);
|
ebuf = BN_bn2dec(e);
|
||||||
buf = BN_bn2dec(e);
|
if (ebuf == NULL) {
|
||||||
if (buf != NULL) {
|
error("list_identities: BN_bn2dec(e) failed.");
|
||||||
printf("%s ", buf);
|
}else{
|
||||||
free (buf);
|
nbuf = BN_bn2dec(n);
|
||||||
} else {
|
if (nbuf == NULL) {
|
||||||
error("list_identities: BN_bn2dec #1 failed.");
|
error("list_identities: BN_bn2dec(n) failed.");
|
||||||
|
}else{
|
||||||
|
unsigned int bits = BN_num_bits(n);
|
||||||
|
printf("%d %s %s %s\n", bits, ebuf, nbuf, comment);
|
||||||
|
free(nbuf);
|
||||||
}
|
}
|
||||||
buf = BN_bn2dec(n);
|
free(ebuf);
|
||||||
if (buf != NULL) {
|
|
||||||
printf("%s %s\n", buf, comment);
|
|
||||||
free (buf);
|
|
||||||
} else {
|
|
||||||
error("list_identities: BN_bn2dec #2 failed.");
|
|
||||||
}
|
}
|
||||||
xfree(comment);
|
xfree(comment);
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: ssh-agent.c,v 1.16 1999/10/28 20:41:23 markus Exp $ */
|
/* $OpenBSD: ssh-agent.c,v 1.18 1999/11/15 20:53:24 markus Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|
||||||
|
@ -16,7 +16,7 @@ The authentication agent program.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$OpenBSD: ssh-agent.c,v 1.17 1999/11/02 19:42:36 markus Exp $");
|
RCSID("$OpenBSD: ssh-agent.c,v 1.18 1999/11/15 20:53:24 markus Exp $");
|
||||||
|
|
||||||
#include "ssh.h"
|
#include "ssh.h"
|
||||||
#include "rsa.h"
|
#include "rsa.h"
|
||||||
|
@ -196,6 +196,10 @@ process_remove_identity(SocketEntry *e)
|
||||||
buffer_get_bignum(&e->input, dummy);
|
buffer_get_bignum(&e->input, dummy);
|
||||||
buffer_get_bignum(&e->input, n);
|
buffer_get_bignum(&e->input, n);
|
||||||
|
|
||||||
|
if (bits != BN_num_bits(n))
|
||||||
|
error("Warning: keysize mismatch: actual %d, announced %s",
|
||||||
|
BN_num_bits(n), bits);
|
||||||
|
|
||||||
/* Check if we have the key. */
|
/* Check if we have the key. */
|
||||||
for (i = 0; i < num_identities; i++)
|
for (i = 0; i < num_identities; i++)
|
||||||
if (BN_cmp(identities[i].key->n, n) == 0)
|
if (BN_cmp(identities[i].key->n, n) == 0)
|
||||||
|
|
9
ssh.c
9
ssh.c
|
@ -18,7 +18,7 @@ Modified to work with SSL by Niels Provos <provos@citi.umich.edu> in Canada.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$Id: ssh.c,v 1.9 1999/11/15 06:10:57 damien Exp $");
|
RCSID("$Id: ssh.c,v 1.10 1999/11/16 02:37:16 damien Exp $");
|
||||||
|
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
#include "ssh.h"
|
#include "ssh.h"
|
||||||
|
@ -555,6 +555,13 @@ main(int ac, char **av)
|
||||||
them. Also, extra privileges could make it very hard to read identity
|
them. Also, extra privileges could make it very hard to read identity
|
||||||
files and other non-world-readable files from the user's home directory
|
files and other non-world-readable files from the user's home directory
|
||||||
if it happens to be on a NFS volume where root is mapped to nobody. */
|
if it happens to be on a NFS volume where root is mapped to nobody. */
|
||||||
|
|
||||||
|
/* Note that some legacy systems need to postpone the following call to
|
||||||
|
permanently_set_uid() until the private hostkey is destroyed with
|
||||||
|
RSA_free(). Otherwise the calling user could ptrace() the process,
|
||||||
|
read the private hostkey and impersonate the host. OpenBSD does not
|
||||||
|
allow ptracing of setuid processes. */
|
||||||
|
|
||||||
permanently_set_uid(original_real_uid);
|
permanently_set_uid(original_real_uid);
|
||||||
|
|
||||||
/* Now that we are back to our own permissions, create ~/.ssh directory
|
/* Now that we are back to our own permissions, create ~/.ssh directory
|
||||||
|
|
15
ssh.h
15
ssh.h
|
@ -13,7 +13,7 @@ Generic header file for ssh.
|
||||||
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* RCSID("$Id: ssh.h,v 1.12 1999/11/12 04:19:27 damien Exp $"); */
|
/* RCSID("$Id: ssh.h,v 1.13 1999/11/16 02:37:17 damien Exp $"); */
|
||||||
|
|
||||||
#ifndef SSH_H
|
#ifndef SSH_H
|
||||||
#define SSH_H
|
#define SSH_H
|
||||||
|
@ -273,8 +273,7 @@ int auth_rhosts(struct passwd *pw, const char *client_user);
|
||||||
/* Tries to authenticate the user using the .rhosts file and the host using
|
/* Tries to authenticate the user using the .rhosts file and the host using
|
||||||
its host key. Returns true if authentication succeeds. */
|
its host key. Returns true if authentication succeeds. */
|
||||||
int auth_rhosts_rsa(struct passwd *pw, const char *client_user,
|
int auth_rhosts_rsa(struct passwd *pw, const char *client_user,
|
||||||
unsigned int bits, BIGNUM *client_host_key_e,
|
BIGNUM *client_host_key_e, BIGNUM *client_host_key_n);
|
||||||
BIGNUM *client_host_key_n);
|
|
||||||
|
|
||||||
/* Tries to authenticate the user using password. Returns true if
|
/* Tries to authenticate the user using password. Returns true if
|
||||||
authentication succeeds. */
|
authentication succeeds. */
|
||||||
|
@ -319,20 +318,18 @@ int match_hostname(const char *host, const char *pattern, unsigned int len);
|
||||||
HOST_NEW if the host is not known, and HOST_CHANGED if the host is known
|
HOST_NEW if the host is not known, and HOST_CHANGED if the host is known
|
||||||
but used to have a different host key. The host must be in all lowercase. */
|
but used to have a different host key. The host must be in all lowercase. */
|
||||||
typedef enum { HOST_OK, HOST_NEW, HOST_CHANGED } HostStatus;
|
typedef enum { HOST_OK, HOST_NEW, HOST_CHANGED } HostStatus;
|
||||||
HostStatus check_host_in_hostfile(const char *filename,
|
HostStatus check_host_in_hostfile(const char *filename, const char *host,
|
||||||
const char *host, unsigned int bits,
|
BIGNUM *e, BIGNUM *n, BIGNUM *ke, BIGNUM *kn);
|
||||||
BIGNUM *e, BIGNUM *n,
|
|
||||||
BIGNUM *ke, BIGNUM *kn);
|
|
||||||
|
|
||||||
/* Appends an entry to the host file. Returns false if the entry
|
/* Appends an entry to the host file. Returns false if the entry
|
||||||
could not be appended. */
|
could not be appended. */
|
||||||
int add_host_to_hostfile(const char *filename, const char *host,
|
int add_host_to_hostfile(const char *filename, const char *host,
|
||||||
unsigned int bits, BIGNUM *e, BIGNUM *n);
|
BIGNUM *e, BIGNUM *n);
|
||||||
|
|
||||||
/* Performs the RSA authentication challenge-response dialog with the client,
|
/* Performs the RSA authentication challenge-response dialog with the client,
|
||||||
and returns true (non-zero) if the client gave the correct answer to
|
and returns true (non-zero) if the client gave the correct answer to
|
||||||
our challenge; returns zero if the client gives a wrong answer. */
|
our challenge; returns zero if the client gives a wrong answer. */
|
||||||
int auth_rsa_challenge_dialog(unsigned int bits, BIGNUM *e, BIGNUM *n);
|
int auth_rsa_challenge_dialog(BIGNUM *e, BIGNUM *n);
|
||||||
|
|
||||||
/* Reads a passphrase from /dev/tty with echo turned off. Returns the
|
/* Reads a passphrase from /dev/tty with echo turned off. Returns the
|
||||||
passphrase (allocated with xmalloc). Exits if EOF is encountered.
|
passphrase (allocated with xmalloc). Exits if EOF is encountered.
|
||||||
|
|
48
sshconnect.c
48
sshconnect.c
|
@ -15,7 +15,7 @@ login (authentication) dialog.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$Id: sshconnect.c,v 1.8 1999/11/15 04:25:10 damien Exp $");
|
RCSID("$Id: sshconnect.c,v 1.9 1999/11/16 02:37:17 damien Exp $");
|
||||||
|
|
||||||
#ifdef HAVE_OPENSSL
|
#ifdef HAVE_OPENSSL
|
||||||
#include <openssl/bn.h>
|
#include <openssl/bn.h>
|
||||||
|
@ -339,7 +339,7 @@ int ssh_connect(const char *host, struct sockaddr_in *hostaddr,
|
||||||
int
|
int
|
||||||
try_agent_authentication()
|
try_agent_authentication()
|
||||||
{
|
{
|
||||||
int status, type, bits;
|
int status, type;
|
||||||
char *comment;
|
char *comment;
|
||||||
AuthenticationConnection *auth;
|
AuthenticationConnection *auth;
|
||||||
unsigned char response[16];
|
unsigned char response[16];
|
||||||
|
@ -356,9 +356,9 @@ try_agent_authentication()
|
||||||
challenge = BN_new();
|
challenge = BN_new();
|
||||||
|
|
||||||
/* Loop through identities served by the agent. */
|
/* Loop through identities served by the agent. */
|
||||||
for (status = ssh_get_first_identity(auth, &bits, e, n, &comment);
|
for (status = ssh_get_first_identity(auth, e, n, &comment);
|
||||||
status;
|
status;
|
||||||
status = ssh_get_next_identity(auth, &bits, e, n, &comment))
|
status = ssh_get_next_identity(auth, e, n, &comment))
|
||||||
{
|
{
|
||||||
int plen, clen;
|
int plen, clen;
|
||||||
|
|
||||||
|
@ -395,7 +395,7 @@ try_agent_authentication()
|
||||||
debug("Received RSA challenge from server.");
|
debug("Received RSA challenge from server.");
|
||||||
|
|
||||||
/* Ask the agent to decrypt the challenge. */
|
/* Ask the agent to decrypt the challenge. */
|
||||||
if (!ssh_decrypt_challenge(auth, bits, e, n, challenge,
|
if (!ssh_decrypt_challenge(auth, e, n, challenge,
|
||||||
session_id, 1, response))
|
session_id, 1, response))
|
||||||
{
|
{
|
||||||
/* The agent failed to authenticate this identifier although it
|
/* The agent failed to authenticate this identifier although it
|
||||||
|
@ -1128,19 +1128,15 @@ void ssh_login(int host_key_valid,
|
||||||
SSH_SMSG_PUBLIC_KEY);
|
SSH_SMSG_PUBLIC_KEY);
|
||||||
|
|
||||||
/* Compute the session id. */
|
/* Compute the session id. */
|
||||||
compute_session_id(session_id, check_bytes,
|
compute_session_id(session_id, check_bytes, host_key->n, public_key->n);
|
||||||
BN_num_bits(host_key->n), host_key->n,
|
|
||||||
BN_num_bits(public_key->n), public_key->n);
|
|
||||||
|
|
||||||
/* Check if the host key is present in the user\'s list of known hosts
|
/* Check if the host key is present in the user\'s list of known hosts
|
||||||
or in the systemwide list. */
|
or in the systemwide list. */
|
||||||
host_status = check_host_in_hostfile(options.user_hostfile,
|
host_status = check_host_in_hostfile(options.user_hostfile, host,
|
||||||
host, BN_num_bits(host_key->n),
|
|
||||||
host_key->e, host_key->n,
|
host_key->e, host_key->n,
|
||||||
file_key->e, file_key->n);
|
file_key->e, file_key->n);
|
||||||
if (host_status == HOST_NEW)
|
if (host_status == HOST_NEW)
|
||||||
host_status = check_host_in_hostfile(options.system_hostfile, host,
|
host_status = check_host_in_hostfile(options.system_hostfile, host,
|
||||||
BN_num_bits(host_key->n),
|
|
||||||
host_key->e, host_key->n,
|
host_key->e, host_key->n,
|
||||||
file_key->e, file_key->n);
|
file_key->e, file_key->n);
|
||||||
/* Force accepting of the host key for localhost and 127.0.0.1.
|
/* Force accepting of the host key for localhost and 127.0.0.1.
|
||||||
|
@ -1161,13 +1157,11 @@ void ssh_login(int host_key_valid,
|
||||||
ip_key->n = BN_new();
|
ip_key->n = BN_new();
|
||||||
ip_key->e = BN_new();
|
ip_key->e = BN_new();
|
||||||
ip_status = check_host_in_hostfile(options.user_hostfile, ip,
|
ip_status = check_host_in_hostfile(options.user_hostfile, ip,
|
||||||
BN_num_bits(host_key->n),
|
|
||||||
host_key->e, host_key->n,
|
host_key->e, host_key->n,
|
||||||
ip_key->e, ip_key->n);
|
ip_key->e, ip_key->n);
|
||||||
|
|
||||||
if (ip_status == HOST_NEW)
|
if (ip_status == HOST_NEW)
|
||||||
ip_status = check_host_in_hostfile(options.system_hostfile, ip,
|
ip_status = check_host_in_hostfile(options.system_hostfile, ip,
|
||||||
BN_num_bits(host_key->n),
|
|
||||||
host_key->e, host_key->n,
|
host_key->e, host_key->n,
|
||||||
ip_key->e, ip_key->n);
|
ip_key->e, ip_key->n);
|
||||||
if (host_status == HOST_CHANGED &&
|
if (host_status == HOST_CHANGED &&
|
||||||
|
@ -1188,14 +1182,15 @@ void ssh_login(int host_key_valid,
|
||||||
if (options.check_host_ip) {
|
if (options.check_host_ip) {
|
||||||
if (ip_status == HOST_NEW) {
|
if (ip_status == HOST_NEW) {
|
||||||
if (!add_host_to_hostfile(options.user_hostfile, ip,
|
if (!add_host_to_hostfile(options.user_hostfile, ip,
|
||||||
BN_num_bits(host_key->n),
|
|
||||||
host_key->e, host_key->n))
|
host_key->e, host_key->n))
|
||||||
log("Failed to add the host ip to the list of known hosts (%.30s).",
|
log("Failed to add the host key for IP address '%.30s' to the list of known hosts (%.30s).",
|
||||||
options.user_hostfile);
|
ip, options.user_hostfile);
|
||||||
else
|
else
|
||||||
log("Warning: Permanently added host ip '%.30s' to the list of known hosts.", ip);
|
log("Warning: Permanently added host key for IP address '%.30s' to the list of known hosts.",
|
||||||
|
ip);
|
||||||
} else if (ip_status != HOST_OK)
|
} else if (ip_status != HOST_OK)
|
||||||
log("Warning: the host key differ from the key of the ip address '%.30s' differs", ip);
|
log("Warning: the host key for '%.200s' differs from the key for the IP address '%.30s'",
|
||||||
|
host, ip);
|
||||||
}
|
}
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
@ -1226,7 +1221,6 @@ void ssh_login(int host_key_valid,
|
||||||
/* If not in strict mode, add the key automatically to the local
|
/* If not in strict mode, add the key automatically to the local
|
||||||
known_hosts file. */
|
known_hosts file. */
|
||||||
if (!add_host_to_hostfile(options.user_hostfile, hostp,
|
if (!add_host_to_hostfile(options.user_hostfile, hostp,
|
||||||
BN_num_bits(host_key->n),
|
|
||||||
host_key->e, host_key->n))
|
host_key->e, host_key->n))
|
||||||
log("Failed to add the host to the list of known hosts (%.500s).",
|
log("Failed to add the host to the list of known hosts (%.500s).",
|
||||||
options.user_hostfile);
|
options.user_hostfile);
|
||||||
|
@ -1238,13 +1232,20 @@ void ssh_login(int host_key_valid,
|
||||||
case HOST_CHANGED:
|
case HOST_CHANGED:
|
||||||
if (options.check_host_ip) {
|
if (options.check_host_ip) {
|
||||||
if (host_ip_differ) {
|
if (host_ip_differ) {
|
||||||
|
char *msg;
|
||||||
|
if (ip_status == HOST_NEW)
|
||||||
|
msg = "is unknown";
|
||||||
|
else if (ip_status == HOST_OK)
|
||||||
|
msg = "is unchanged";
|
||||||
|
else
|
||||||
|
msg = "has a different value";
|
||||||
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
|
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
|
||||||
error("@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @");
|
error("@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @");
|
||||||
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
|
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
|
||||||
error("The host key for %s has changed,", host);
|
error("The host key for %s has changed,", host);
|
||||||
error("but the key for the according IP address %s has", ip);
|
error("and the key for the according IP address %s", ip);
|
||||||
error("a different status. This could either mean that DNS");
|
error("%s. This could either mean that", msg);
|
||||||
error("SPOOFING is happening or the IP address for the host");
|
error("DNS SPOOFING is happening or the IP address for the host");
|
||||||
error("and its host key have changed at the same time");
|
error("and its host key have changed at the same time");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1391,8 +1392,7 @@ void ssh_login(int host_key_valid,
|
||||||
debug("Sent encrypted session key.");
|
debug("Sent encrypted session key.");
|
||||||
|
|
||||||
/* Set the encryption key. */
|
/* Set the encryption key. */
|
||||||
packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH,
|
packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher);
|
||||||
options.cipher, 1);
|
|
||||||
|
|
||||||
/* We will no longer need the session key here. Destroy any extra copies. */
|
/* We will no longer need the session key here. Destroy any extra copies. */
|
||||||
memset(session_key, 0, sizeof(session_key));
|
memset(session_key, 0, sizeof(session_key));
|
||||||
|
|
17
sshd.c
17
sshd.c
|
@ -18,7 +18,7 @@ agent connections.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$Id: sshd.c,v 1.20 1999/11/15 06:10:57 damien Exp $");
|
RCSID("$Id: sshd.c,v 1.21 1999/11/16 02:37:17 damien Exp $");
|
||||||
|
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
#include "rsa.h"
|
#include "rsa.h"
|
||||||
|
@ -1036,9 +1036,7 @@ do_connection()
|
||||||
|
|
||||||
/* Compute session id for this session. */
|
/* Compute session id for this session. */
|
||||||
compute_session_id(session_id, check_bytes,
|
compute_session_id(session_id, check_bytes,
|
||||||
BN_num_bits(sensitive_data.host_key->n),
|
|
||||||
sensitive_data.host_key->n,
|
sensitive_data.host_key->n,
|
||||||
BN_num_bits(sensitive_data.private_key->n),
|
|
||||||
sensitive_data.private_key->n);
|
sensitive_data.private_key->n);
|
||||||
|
|
||||||
/* Extract session key from the decrypted integer. The key is in the
|
/* Extract session key from the decrypted integer. The key is in the
|
||||||
|
@ -1061,8 +1059,7 @@ do_connection()
|
||||||
|
|
||||||
/* Set the session key. From this on all communications will be
|
/* Set the session key. From this on all communications will be
|
||||||
encrypted. */
|
encrypted. */
|
||||||
packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH,
|
packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type);
|
||||||
cipher_type, 0);
|
|
||||||
|
|
||||||
/* Destroy our copy of the session key. It is no longer needed. */
|
/* Destroy our copy of the session key. It is no longer needed. */
|
||||||
memset(session_key, 0, sizeof(session_key));
|
memset(session_key, 0, sizeof(session_key));
|
||||||
|
@ -1270,7 +1267,7 @@ void
|
||||||
do_authloop(struct passwd *pw)
|
do_authloop(struct passwd *pw)
|
||||||
{
|
{
|
||||||
int authentication_failures = 0;
|
int authentication_failures = 0;
|
||||||
unsigned int client_host_key_bits;
|
unsigned int bits;
|
||||||
BIGNUM *client_host_key_e, *client_host_key_n;
|
BIGNUM *client_host_key_e, *client_host_key_n;
|
||||||
BIGNUM *n;
|
BIGNUM *n;
|
||||||
char *client_user = NULL, *password = NULL;
|
char *client_user = NULL, *password = NULL;
|
||||||
|
@ -1398,13 +1395,17 @@ do_authloop(struct passwd *pw)
|
||||||
/* Get the client host key. */
|
/* Get the client host key. */
|
||||||
client_host_key_e = BN_new();
|
client_host_key_e = BN_new();
|
||||||
client_host_key_n = BN_new();
|
client_host_key_n = BN_new();
|
||||||
client_host_key_bits = packet_get_int();
|
bits = packet_get_int();
|
||||||
packet_get_bignum(client_host_key_e, &elen);
|
packet_get_bignum(client_host_key_e, &elen);
|
||||||
packet_get_bignum(client_host_key_n, &nlen);
|
packet_get_bignum(client_host_key_n, &nlen);
|
||||||
|
|
||||||
|
if (bits != BN_num_bits(client_host_key_n))
|
||||||
|
error("Warning: keysize mismatch for client_host_key: "
|
||||||
|
"actual %d, announced %s", BN_num_bits(client_host_key_n), bits);
|
||||||
|
|
||||||
packet_integrity_check(plen, (4 + ulen) + 4 + elen + nlen, type);
|
packet_integrity_check(plen, (4 + ulen) + 4 + elen + nlen, type);
|
||||||
|
|
||||||
authenticated = auth_rhosts_rsa(pw, client_user, client_host_key_bits,
|
authenticated = auth_rhosts_rsa(pw, client_user,
|
||||||
client_host_key_e, client_host_key_n);
|
client_host_key_e, client_host_key_n);
|
||||||
log("Rhosts authentication %s for %.100s, remote %.100s.",
|
log("Rhosts authentication %s for %.100s, remote %.100s.",
|
||||||
authenticated ? "accepted" : "failed",
|
authenticated ? "accepted" : "failed",
|
||||||
|
|
Загрузка…
Ссылка в новой задаче