[src/trunk]: src/crypto/external/bsd/openssh merge openssh-5.9
details: https://anonhg.NetBSD.org/src/rev/c0c02e3e8495
branches: trunk
changeset: 769374:c0c02e3e8495
user: christos <christos%NetBSD.org@localhost>
date: Wed Sep 07 17:49:19 2011 +0000
description:
merge openssh-5.9
diffstat:
crypto/external/bsd/openssh/bin/sshd/Makefile | 4 +-
crypto/external/bsd/openssh/dist/PROTOCOL.mux | 32 +-
crypto/external/bsd/openssh/dist/addrmatch.c | 10 +-
crypto/external/bsd/openssh/dist/auth-rsa.c | 231 ++++++++--------
crypto/external/bsd/openssh/dist/auth.c | 27 +-
crypto/external/bsd/openssh/dist/auth.h | 8 +-
crypto/external/bsd/openssh/dist/auth2-gss.c | 8 +-
crypto/external/bsd/openssh/dist/auth2-pubkey.c | 23 +-
crypto/external/bsd/openssh/dist/auth2.c | 10 +-
crypto/external/bsd/openssh/dist/authfd.c | 11 +-
crypto/external/bsd/openssh/dist/authfile.c | 156 +++++++----
crypto/external/bsd/openssh/dist/authfile.h | 6 +-
crypto/external/bsd/openssh/dist/channels.c | 10 +-
crypto/external/bsd/openssh/dist/channels.h | 6 +-
crypto/external/bsd/openssh/dist/clientloop.c | 114 +++++--
crypto/external/bsd/openssh/dist/clientloop.h | 12 +-
crypto/external/bsd/openssh/dist/gss-serv.c | 8 +-
crypto/external/bsd/openssh/dist/key.c | 9 +-
crypto/external/bsd/openssh/dist/log.c | 66 +++-
crypto/external/bsd/openssh/dist/log.h | 10 +-
crypto/external/bsd/openssh/dist/mac.c | 10 +-
crypto/external/bsd/openssh/dist/misc.c | 20 +-
crypto/external/bsd/openssh/dist/misc.h | 5 +-
crypto/external/bsd/openssh/dist/monitor.c | 148 +++++++++-
crypto/external/bsd/openssh/dist/monitor.h | 6 +-
crypto/external/bsd/openssh/dist/monitor_wrap.c | 50 +++-
crypto/external/bsd/openssh/dist/monitor_wrap.h | 5 +-
crypto/external/bsd/openssh/dist/mux.c | 171 ++++++++++-
crypto/external/bsd/openssh/dist/myproposal.h | 13 +-
crypto/external/bsd/openssh/dist/packet.c | 40 +-
crypto/external/bsd/openssh/dist/packet.h | 5 +-
crypto/external/bsd/openssh/dist/pathnames.h | 4 +-
crypto/external/bsd/openssh/dist/readconf.c | 123 ++++++--
crypto/external/bsd/openssh/dist/readconf.h | 21 +-
crypto/external/bsd/openssh/dist/sandbox-rlimit.c | 2 +
crypto/external/bsd/openssh/dist/servconf.c | 304 +++++++++++----------
crypto/external/bsd/openssh/dist/servconf.h | 28 +-
crypto/external/bsd/openssh/dist/serverloop.c | 10 +-
crypto/external/bsd/openssh/dist/sftp-server.c | 10 +-
crypto/external/bsd/openssh/dist/sftp.1 | 12 +-
crypto/external/bsd/openssh/dist/ssh-add.c | 37 +-
crypto/external/bsd/openssh/dist/ssh-agent.c | 12 +-
crypto/external/bsd/openssh/dist/ssh-keygen.1 | 29 +-
crypto/external/bsd/openssh/dist/ssh-keygen.c | 181 ++++++++++--
crypto/external/bsd/openssh/dist/ssh-keyscan.c | 8 +-
crypto/external/bsd/openssh/dist/ssh-keysign.c | 27 +-
crypto/external/bsd/openssh/dist/ssh.1 | 17 +-
crypto/external/bsd/openssh/dist/ssh.c | 113 ++++---
crypto/external/bsd/openssh/dist/ssh_config.5 | 72 ++++-
crypto/external/bsd/openssh/dist/sshconnect.c | 79 ++--
crypto/external/bsd/openssh/dist/sshconnect2.c | 18 +-
crypto/external/bsd/openssh/dist/sshd.8 | 15 +-
crypto/external/bsd/openssh/dist/sshd.c | 47 ++-
crypto/external/bsd/openssh/dist/sshd_config | 11 +-
crypto/external/bsd/openssh/dist/sshd_config.5 | 19 +-
crypto/external/bsd/openssh/dist/version.h | 7 +-
crypto/external/bsd/openssh/lib/shlib_version | 4 +-
57 files changed, 1613 insertions(+), 831 deletions(-)
diffs (truncated from 5055 to 300 lines):
diff -r 9db1e4319343 -r c0c02e3e8495 crypto/external/bsd/openssh/bin/sshd/Makefile
--- a/crypto/external/bsd/openssh/bin/sshd/Makefile Wed Sep 07 14:03:49 2011 +0000
+++ b/crypto/external/bsd/openssh/bin/sshd/Makefile Wed Sep 07 17:49:19 2011 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.7 2011/08/16 09:42:21 christos Exp $
+# $NetBSD: Makefile,v 1.8 2011/09/07 17:49:19 christos Exp $
.include <bsd.own.mk>
@@ -16,7 +16,7 @@
monitor_mm.c monitor.c monitor_wrap.c \
kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \
auth2-jpake.c \
- roaming_common.c roaming_serv.c
+ roaming_common.c roaming_serv.c sandbox-rlimit.c
.if defined(HAVE_GCC) || defined(HAVE_PCC)
COPTS.auth-options.c= -Wno-pointer-sign
diff -r 9db1e4319343 -r c0c02e3e8495 crypto/external/bsd/openssh/dist/PROTOCOL.mux
--- a/crypto/external/bsd/openssh/dist/PROTOCOL.mux Wed Sep 07 14:03:49 2011 +0000
+++ b/crypto/external/bsd/openssh/dist/PROTOCOL.mux Wed Sep 07 17:49:19 2011 +0000
@@ -73,6 +73,13 @@
client must cope with are it receiving a signal itself and the
server disconnecting without sending an exit message.
+A master may also send a MUX_S_TTY_ALLOC_FAIL before MUX_S_EXIT_MESSAGE
+if remote TTY allocation was unsuccessful. The client may use this to
+return its local tty to "cooked" mode.
+
+ uint32 MUX_S_TTY_ALLOC_FAIL
+ uint32 session id
+
3. Health checks
The client may request a health check/PID report from a server:
@@ -149,10 +156,21 @@
The contents of "reserved" are currently ignored.
-A server may reply with a MUX_S_SESSION_OPEED, a MUX_S_PERMISSION_DENIED
+A server may reply with a MUX_S_SESSION_OPENED, a MUX_S_PERMISSION_DENIED
or a MUX_S_FAILURE.
-8. Status messages
+8. Requesting shutdown of mux listener
+
+A client may request the master to stop accepting new multiplexing requests
+and remove its listener socket.
+
+ uint32 MUX_C_STOP_LISTENING
+ uint32 request id
+
+A server may reply with a MUX_S_OK, a MUX_S_PERMISSION_DENIED or a
+MUX_S_FAILURE.
+
+9. Status messages
The MUX_S_OK message is empty:
@@ -169,7 +187,7 @@
uint32 client request id
string reason
-9. Protocol numbers
+10. Protocol numbers
#define MUX_MSG_HELLO 0x00000001
#define MUX_C_NEW_SESSION 0x10000002
@@ -178,6 +196,7 @@
#define MUX_C_OPEN_FWD 0x10000006
#define MUX_C_CLOSE_FWD 0x10000007
#define MUX_C_NEW_STDIO_FWD 0x10000008
+#define MUX_C_STOP_LISTENING 0x10000009
#define MUX_S_OK 0x80000001
#define MUX_S_PERMISSION_DENIED 0x80000002
#define MUX_S_FAILURE 0x80000003
@@ -185,6 +204,7 @@
#define MUX_S_ALIVE 0x80000005
#define MUX_S_SESSION_OPENED 0x80000006
#define MUX_S_REMOTE_PORT 0x80000007
+#define MUX_S_TTY_ALLOC_FAIL 0x80000008
#define MUX_FWD_LOCAL 1
#define MUX_FWD_REMOTE 2
@@ -192,13 +212,11 @@
XXX TODO
XXX extended status (e.g. report open channels / forwards)
-XXX graceful close (delete listening socket, but keep existing sessions active)
XXX lock (maybe)
XXX watch in/out traffic (pre/post crypto)
XXX inject packet (what about replies)
XXX server->client error/warning notifications
-XXX port0 rfwd (need custom response message)
XXX send signals via mux
-$OpenBSD: PROTOCOL.mux,v 1.4 2011/01/31 21:42:15 djm Exp $
-$NetBSD: PROTOCOL.mux,v 1.2 2011/07/25 03:03:10 christos Exp $
+$OpenBSD: PROTOCOL.mux,v 1.7 2011/05/08 12:52:01 djm Exp $
+$NetBSD: PROTOCOL.mux,v 1.3 2011/09/07 17:49:19 christos Exp $
diff -r 9db1e4319343 -r c0c02e3e8495 crypto/external/bsd/openssh/dist/addrmatch.c
--- a/crypto/external/bsd/openssh/dist/addrmatch.c Wed Sep 07 14:03:49 2011 +0000
+++ b/crypto/external/bsd/openssh/dist/addrmatch.c Wed Sep 07 17:49:19 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: addrmatch.c,v 1.3 2010/11/21 18:29:48 adam Exp $ */
+/* $NetBSD: addrmatch.c,v 1.4 2011/09/07 17:49:19 christos Exp $ */
/* $OpenBSD: addrmatch.c,v 1.5 2010/02/26 20:29:54 djm Exp $ */
/*
@@ -18,7 +18,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: addrmatch.c,v 1.3 2010/11/21 18:29:48 adam Exp $");
+__RCSID("$NetBSD: addrmatch.c,v 1.4 2011/09/07 17:49:19 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
@@ -82,8 +82,8 @@
static int
addr_sa_to_xaddr(struct sockaddr *sa, socklen_t slen, struct xaddr *xa)
{
- struct sockaddr_in *in4 = (struct sockaddr_in *)sa;
- struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)sa;
+ struct sockaddr_in *in4 = (struct sockaddr_in *)(void *)sa;
+ struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)(void *)sa;
memset(xa, '\0', sizeof(*xa));
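Review bot: The added `(void *)` intermediate casts in addr_sa_to_xaddr only silence the compiler's cast-alignment warning; they do not change the alignment requirement of `struct sockaddr_in6`, so the function still relies on every caller passing `sa` in suitably aligned storage (e.g. a `struct sockaddr_storage`). Since that precondition is now invisible to the compiler, it is worth recording it next to the casts: `/* cast via void * only quiets -Wcast-align; sa must point at sockaddr_storage-aligned memory */`. The rest of addr_sa_to_xaddr lies outside the hunk.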
@@ -313,7 +313,7 @@
addr_pton_cidr(const char *p, struct xaddr *n, u_int *l)
{
struct xaddr tmp;
- long unsigned int masklen = 999;
+ unsigned int masklen = 999;
char addrbuf[64], *mp, *cp;
/* Don't modify argument */
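Review bot: Narrowing `masklen` from `long unsigned int` to `unsigned int` in addr_pton_cidr changes how an out-of-range prefix length behaves, and the lines that assign and range-check it are outside this hunk. If, as the `999` sentinel suggests, the value comes from `strtoul()` and is range-checked afterwards, a value above `UINT_MAX` would now be truncated before the check and could pass as a small prefix; the safe form is to keep the parse result in a `u_long`, check its range, and only then assign it: `masklen = (u_int)ul;`. If the range check is applied to the `u_long` before the assignment, the change is harmless and a one-line comment saying so would settle it. The body of addr_pton_cidr continues outside the hunk.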
diff -r 9db1e4319343 -r c0c02e3e8495 crypto/external/bsd/openssh/dist/auth-rsa.c
--- a/crypto/external/bsd/openssh/dist/auth-rsa.c Wed Sep 07 14:03:49 2011 +0000
+++ b/crypto/external/bsd/openssh/dist/auth-rsa.c Wed Sep 07 17:49:19 2011 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: auth-rsa.c,v 1.5 2011/07/25 03:03:10 christos Exp $ */
-/* $OpenBSD: auth-rsa.c,v 1.79 2010/12/03 23:55:27 djm Exp $ */
+/* $NetBSD: auth-rsa.c,v 1.6 2011/09/07 17:49:19 christos Exp $ */
+/* $OpenBSD: auth-rsa.c,v 1.80 2011/05/23 03:30:07 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
* Copyright (c) 1995 Tatu Ylonen <ylo%cs.hut.fi@localhost>, Espoo, Finland
@@ -16,7 +16,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: auth-rsa.c,v 1.5 2011/07/25 03:03:10 christos Exp $");
+__RCSID("$NetBSD: auth-rsa.c,v 1.6 2011/09/07 17:49:19 christos Exp $");
#include <sys/types.h>
#include <sys/stat.h>
@@ -160,6 +160,108 @@
return (success);
}
+static int
+rsa_key_allowed_in_file(struct passwd *pw, char *file,
+ const BIGNUM *client_n, Key **rkey)
+{
+ char line[SSH_MAX_PUBKEY_BYTES];
+ int allowed = 0;
+ u_int bits;
+ FILE *f;
+ u_long linenum = 0;
+ Key *key;
+
+ debug("trying public RSA key file %s", file);
+ if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
+ return 0;
+
+ /*
+ * Go though the accepted keys, looking for the current key. If
+ * found, perform a challenge-response dialog to verify that the
+ * user really has the corresponding private key.
+ */
+ key = key_new(KEY_RSA1);
+ while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
+ char *cp;
+ char *key_options;
+ int keybits;
+
+ /* Skip leading whitespace, empty and comment lines. */
+ for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
+ ;
+ if (!*cp || *cp == '\n' || *cp == '#')
+ continue;
+
+ /*
+ * Check if there are options for this key, and if so,
+ * save their starting address and skip the option part
+ * for now. If there are no options, set the starting
+ * address to NULL.
+ */
+ if (*cp < '0' || *cp > '9') {
+ int quoted = 0;
+ key_options = cp;
+ for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
+ if (*cp == '\\' && cp[1] == '"')
+ cp++; /* Skip both */
+ else if (*cp == '"')
+ quoted = !quoted;
+ }
+ } else
+ key_options = NULL;
+
+ /* Parse the key from the line. */
+ if (hostfile_read_key(&cp, &bits, key) == 0) {
+ debug("%.100s, line %lu: non ssh1 key syntax",
+ file, linenum);
+ continue;
+ }
+ /* cp now points to the comment part. */
+
+ /*
+ * Check if the we have found the desired key (identified
+ * by its modulus).
+ */
+ if (BN_cmp(key->rsa->n, client_n) != 0)
+ continue;
+
+ /* check the real bits */
+ keybits = BN_num_bits(key->rsa->n);
+ if (keybits < 0 || bits != (u_int)keybits)
+ logit("Warning: %s, line %lu: keysize mismatch: "
+ "actual %d vs. announced %d.",
+ file, linenum, BN_num_bits(key->rsa->n), bits);
+
+ /* Never accept a revoked key */
+ if (auth_key_is_revoked(key))
+ break;
+
+ /* We have found the desired key. */
+ /*
+ * If our options do not allow this key to be used,
+ * do not send challenge.
+ */
+ if (!auth_parse_options(pw, key_options, file, linenum))
+ continue;
+ if (key_is_cert_authority)
+ continue;
+ /* break out, this key is allowed */
+ allowed = 1;
+ break;
+ }
+
+ /* Close the file. */
+ fclose(f);
+
+ /* return key if allowed */
+ if (allowed && rkey != NULL)
+ *rkey = key;
+ else
+ key_free(key);
+
+ return allowed;
+}
+
/*
* check if there's user key matching client_n,
* return key if login is allowed, NULL otherwise
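Review bot: The keysize-mismatch `logit()` in the new rsa_key_allowed_in_file recomputes `BN_num_bits(key->rsa->n)` although `keybits` already holds that value two lines earlier, and it passes the `u_int bits` to a `%d` conversion; `file, linenum, keybits, bits);` with `"actual %d vs. announced %u."` uses the computed value and matches the types. The function also has no header comment describing its contract, which matters because it transfers ownership: it returns 1 when a matching, non-revoked key passes its option checks, and in that case stores the `Key *` (which the caller must `key_free()`) into `*rkey` when `rkey` is non-NULL, freeing it otherwise; on 0 nothing is stored. A short block comment above `static int` stating the return value, that `file` is opened with `options.strict_modes`, and that ownership of `*rkey` passes to the caller would make the split from auth_rsa_key_allowed self-explanatory.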
@@ -168,25 +270,18 @@
int
auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
{
- char line[SSH_MAX_PUBKEY_BYTES], *file;
- int allowed = 0;
- u_int bits;
- FILE *f;
- u_long linenum = 0;
- Key *key;
-#ifdef WITH_LDAP_PUBKEY
- ldap_key_t * k;
- unsigned int i = 0;
-#endif
-
- /* Temporarily use the user's uid. */
+ char *file;
+ u_int i, allowed = 0;
+
temporarily_use_uid(pw);
#ifdef WITH_LDAP_PUBKEY
- /* here is the job */
- key = key_new(KEY_RSA1);
+ if (options.lpk.on) {
+ u_int bits;
+ ldap_key_t *k;
+ /* here is the job */
+ Key *key = key_new(KEY_RSA1);
- if (options.lpk.on) {
debug("[LDAP] trying LDAP first uid=%s", pw->pw_name);
if ( ldap_ismember(&options.lpk, pw->pw_name) > 0) {