Commit 30c3d429 authored by Damien Miller's avatar Damien Miller

- OpenBSD CVS update

  - markus@cvs.openbsd.org
    [cipher.h myproposal.h readconf.c readconf.h servconf.c ssh.1 ssh.c]
    [ssh.h sshconnect1.c sshconnect2.c sshd.8]
    - complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)
  - hugh@cvs.openbsd.org
    [ssh.1]
    - zap typo
    [ssh-keygen.1]
    - One last nit fix. (markus approved)
    [sshd.8]
    - some markus certified spelling adjustments
  - markus@cvs.openbsd.org
    [auth2.c channels.c clientloop.c compat compat.h dsa.c kex.c]
    [sshconnect2.c ]
    - bug compat w/ ssh-2.0.13 x11, split out bugs
    [nchan.c]
    - no drain if ibuf_empty, fixes x11fwd problems; tests by fries@
    [ssh-keygen.c]
    - handle escapes in real and original key format, ok millert@
    [version.h]
    - OpenSSH-2.1
parent 61e50f10
20000509
- OpenBSD CVS update
- markus@cvs.openbsd.org
[cipher.h myproposal.h readconf.c readconf.h servconf.c ssh.1 ssh.c]
[ssh.h sshconnect1.c sshconnect2.c sshd.8]
- complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)
- hugh@cvs.openbsd.org
[ssh.1]
- zap typo
[ssh-keygen.1]
- One last nit fix. (markus approved)
[sshd.8]
- some markus certified spelling adjustments
- markus@cvs.openbsd.org
[auth2.c channels.c clientloop.c compat compat.h dsa.c kex.c]
[sshconnect2.c ]
- bug compat w/ ssh-2.0.13 x11, split out bugs
[nchan.c]
- no drain if ibuf_empty, fixes x11fwd problems; tests by fries@
[ssh-keygen.c]
- handle escapes in real and original key format, ok millert@
[version.h]
- OpenSSH-2.1
20000508
- Makefile and RPM spec fixes
- Generate DSA host keys during "make key" or RPM installs
......
......@@ -27,7 +27,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
RCSID("$OpenBSD: auth2.c,v 1.7 2000/05/06 17:45:36 markus Exp $");
RCSID("$OpenBSD: auth2.c,v 1.8 2000/05/08 17:42:24 markus Exp $");
#include <openssl/dsa.h>
#include <openssl/rsa.h>
......@@ -278,6 +278,10 @@ ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen)
debug("pubkey auth disabled");
return 0;
}
if (datafellows & SSH_BUG_PUBKEYAUTH) {
log("bug compatibility with ssh-2.0.13 pubkey not implemented");
return 0;
}
have_sig = packet_get_char();
pkalg = packet_get_string(&alen);
if (strcmp(pkalg, KEX_DSS) != 0) {
......
......@@ -17,7 +17,7 @@
*/
#include "includes.h"
RCSID("$Id: channels.c,v 1.29 2000/05/07 02:03:15 damien Exp $");
RCSID("$Id: channels.c,v 1.30 2000/05/09 01:02:59 damien Exp $");
#include "ssh.h"
#include "packet.h"
......@@ -505,7 +505,10 @@ channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
int ret = x11_open_helper(c);
if (ret == 1) {
c->type = SSH_CHANNEL_OPEN;
channel_pre_open_15(c, readset, writeset);
if (compat20)
channel_pre_open_20(c, readset, writeset);
else
channel_pre_open_15(c, readset, writeset);
} else if (ret == -1) {
debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
chan_read_failed(c); /** force close? */
......@@ -549,7 +552,11 @@ channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset)
packet_put_int(c->local_maxpacket);
/* originator host and port */
packet_put_cstring(remote_hostname);
packet_put_int(remote_port);
if (datafellows & SSH_BUG_X11FWD) {
debug("ssh2 x11 bug compat mode");
} else {
packet_put_int(remote_port);
}
packet_send();
} else {
packet_start(SSH_SMSG_X11_OPEN);
......
......@@ -11,7 +11,7 @@
*
*/
/* RCSID("$Id: cipher.h,v 1.12 2000/04/16 02:31:50 damien Exp $"); */
/* RCSID("$Id: cipher.h,v 1.13 2000/05/09 01:03:00 damien Exp $"); */
#ifndef CIPHER_H
#define CIPHER_H
......@@ -23,6 +23,7 @@
/* Cipher types. New types can be added, but old types should not be removed
for compatibility. The maximum allowed value is 31. */
#define SSH_CIPHER_ILLEGAL -2 /* No valid cipher selected. */
#define SSH_CIPHER_NOT_SET -1 /* None selected (invalid number). */
#define SSH_CIPHER_NONE 0 /* no encryption */
#define SSH_CIPHER_IDEA 1 /* IDEA CFB */
......
......@@ -16,7 +16,7 @@
*/
#include "includes.h"
RCSID("$Id: clientloop.c,v 1.15 2000/05/08 03:44:53 damien Exp $");
RCSID("$Id: clientloop.c,v 1.16 2000/05/09 01:03:00 damien Exp $");
#include "xmalloc.h"
#include "ssh.h"
......@@ -979,11 +979,11 @@ client_input_channel_open(int type, int plen)
char *originator;
int originator_port;
originator = packet_get_string(NULL);
if (packet_remaining() > 0) {
originator_port = packet_get_int();
} else {
if (datafellows & SSH_BUG_X11FWD) {
debug("buggy server: x11 request w/o originator_port");
originator_port = 0;
} else {
originator_port = packet_get_int();
}
packet_done();
/* XXX check permission */
......
......@@ -28,7 +28,7 @@
*/
#include "includes.h"
RCSID("$Id: compat.c,v 1.9 2000/04/29 13:57:10 damien Exp $");
RCSID("$Id: compat.c,v 1.10 2000/05/09 01:03:00 damien Exp $");
#include "ssh.h"
#include "packet.h"
......@@ -57,17 +57,20 @@ compat_datafellows(const char *version)
{
int i;
size_t len;
static const char *check[] = {
"2.0.1",
"2.1.0",
NULL
struct {
char *version;
int bugs;
} check[] = {
{"2.1.0", SSH_BUG_SIGBLOB|SSH_BUG_HMAC},
{"2.0.1", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|SSH_BUG_PUBKEYAUTH|SSH_BUG_X11FWD},
{NULL, 0}
};
for (i = 0; check[i]; i++) {
len = strlen(check[i]);
for (i = 0; check[i].version; i++) {
len = strlen(check[i].version);
if (strlen(version) >= len &&
(strncmp(version, check[i], len) == 0)) {
(strncmp(version, check[i].version, len) == 0)) {
verbose("datafellows: %.200s", version);
datafellows = 1;
datafellows = check[i].bugs;
return;
}
}
......
......@@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* RCSID("$Id: compat.h,v 1.5 2000/04/12 10:17:39 damien Exp $"); */
/* RCSID("$Id: compat.h,v 1.6 2000/05/09 01:03:00 damien Exp $"); */
#ifndef COMPAT_H
#define COMPAT_H
......@@ -36,6 +36,11 @@
#define SSH_PROTO_1_PREFERRED 0x02
#define SSH_PROTO_2 0x04
#define SSH_BUG_SIGBLOB 0x01
#define SSH_BUG_PUBKEYAUTH 0x02
#define SSH_BUG_HMAC 0x04
#define SSH_BUG_X11FWD 0x08
void enable_compat13(void);
void enable_compat20(void);
void compat_datafellows(const char *s);
......
# Version of OpenSSH
%define oversion 2.0.0beta2
%define oversion 2.1.0beta1
# Version of ssh-askpass
%define aversion 1.0
......
Summary: OpenSSH, a free Secure Shell (SSH) implementation
Name: openssh
Version: 2.0.0beta2
Version: 2.1.0beta1
URL: http://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz
......
......@@ -28,7 +28,7 @@
*/
#include "includes.h"
RCSID("$Id: dsa.c,v 1.6 2000/05/04 22:37:59 markus Exp $");
RCSID("$Id: dsa.c,v 1.7 2000/05/08 17:42:24 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
......@@ -162,7 +162,7 @@ dsa_sign(
BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
DSA_SIG_free(sig);
if (datafellows) {
if (datafellows & SSH_BUG_SIGBLOB) {
debug("datafellows");
ret = xmalloc(SIGBLOB_LEN);
memcpy(ret, sigblob, SIGBLOB_LEN);
......@@ -209,15 +209,20 @@ dsa_verify(
return -1;
}
if (datafellows && signaturelen != SIGBLOB_LEN) {
log("heh? datafellows ssh2 complies with ietf-drafts????");
datafellows = 0;
if (!(datafellows & SSH_BUG_SIGBLOB) &&
signaturelen == SIGBLOB_LEN) {
datafellows |= ~SSH_BUG_SIGBLOB;
log("autodetect SSH_BUG_SIGBLOB");
} else if ((datafellows & SSH_BUG_SIGBLOB) &&
signaturelen != SIGBLOB_LEN) {
log("autoremove SSH_BUG_SIGBLOB");
datafellows &= ~SSH_BUG_SIGBLOB;
}
debug("len %d datafellows %d", signaturelen, datafellows);
/* fetch signature */
if (datafellows) {
if (datafellows & SSH_BUG_SIGBLOB) {
sigblob = signature;
len = signaturelen;
} else {
......@@ -242,7 +247,8 @@ dsa_verify(
sig->s = BN_new();
BN_bin2bn(sigblob, INTBLOB_LEN, sig->r);
BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s);
if (!datafellows) {
if (!(datafellows & SSH_BUG_SIGBLOB)) {
memset(sigblob, 0, len);
xfree(sigblob);
}
......
......@@ -28,7 +28,7 @@
*/
#include "includes.h"
RCSID("$Id: kex.c,v 1.7 2000/04/16 01:52:47 damien Exp $");
RCSID("$Id: kex.c,v 1.8 2000/05/09 01:03:01 damien Exp $");
#include "ssh.h"
#include "ssh2.h"
......@@ -314,7 +314,7 @@ choose_mac(Mac *mac, char *client, char *server)
}
mac->name = name;
mac->mac_len = mac->md->md_size;
mac->key_len = datafellows ? 16 : mac->mac_len;
mac->key_len = (datafellows & SSH_BUG_HMAC) ? 16 : mac->mac_len;
mac->key = NULL;
mac->enabled = 0;
}
......
#define KEX_DEFAULT_KEX "diffie-hellman-group1-sha1"
#define KEX_DEFAULT_PK_ALG "ssh-dss"
#define KEX_DEFAULT_ENCRYPT "blowfish-cbc,3des-cbc,arcfour,cast128-cbc"
#define KEX_DEFAULT_ENCRYPT "3des-cbc,blowfish-cbc,arcfour,cast128-cbc"
#define KEX_DEFAULT_MAC "hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com"
#define KEX_DEFAULT_COMP "zlib,none"
#define KEX_DEFAULT_LANG ""
......
......@@ -28,7 +28,7 @@
*/
#include "includes.h"
RCSID("$Id: nchan.c,v 1.9 2000/05/07 02:03:16 damien Exp $");
RCSID("$Id: nchan.c,v 1.10 2000/05/09 01:03:01 damien Exp $");
#include "ssh.h"
......@@ -107,6 +107,10 @@ chan_read_failed_12(Channel *c)
debug("channel %d: input open -> drain", c->self);
chan_shutdown_read(c);
c->istate = CHAN_INPUT_WAIT_DRAIN;
if (buffer_len(&c->input) == 0) {
debug("channel %d: input: no drain shortcut", c->self);
chan_ibuf_empty(c);
}
break;
default:
error("channel %d: internal error: we do not read, but chan_read_failed for istate %d",
......
......@@ -14,7 +14,7 @@
*/
#include "includes.h"
RCSID("$Id: readconf.c,v 1.13 2000/05/07 02:03:17 damien Exp $");
RCSID("$Id: readconf.c,v 1.14 2000/05/09 01:03:01 damien Exp $");
#include "ssh.h"
#include "cipher.h"
......@@ -475,7 +475,7 @@ parse_int:
case oCiphers:
cp = strtok(NULL, WHITESPACE);
if (!ciphers_valid(cp))
fatal("%.200s line %d: Bad cipher spec '%s'.",
fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
filename, linenum, cp ? cp : "<NONE>");
if (*activep && options->ciphers == NULL)
options->ciphers = xstrdup(cp);
......@@ -745,6 +745,7 @@ fill_default_options(Options * options)
/* Selected in ssh_login(). */
if (options->cipher == -1)
options->cipher = SSH_CIPHER_NOT_SET;
/* options->ciphers, default set in myproposals.h */
if (options->protocol == SSH_PROTO_UNKNOWN)
options->protocol = SSH_PROTO_1|SSH_PROTO_2|SSH_PROTO_1_PREFERRED;
if (options->num_identity_files == 0) {
......
......@@ -13,7 +13,7 @@
*
*/
/* RCSID("$Id: readconf.h,v 1.10 2000/05/07 02:03:17 damien Exp $"); */
/* RCSID("$Id: readconf.h,v 1.11 2000/05/09 01:03:01 damien Exp $"); */
#ifndef READCONF_H
#define READCONF_H
......@@ -65,7 +65,7 @@ typedef struct {
int number_of_password_prompts; /* Max number of password
* prompts. */
int cipher; /* Cipher to use. */
char *ciphers; /* Ciphers in order of preference. */
char *ciphers; /* SSH2 ciphers in order of preference. */
int protocol; /* Protocol in order of preference. */
char *hostname; /* Real host to connect. */
char *proxy_command; /* Proxy command for connecting the host. */
......
......@@ -12,7 +12,7 @@
*/
#include "includes.h"
RCSID("$Id: servconf.c,v 1.15 2000/05/07 02:03:18 damien Exp $");
RCSID("$Id: servconf.c,v 1.16 2000/05/09 01:03:01 damien Exp $");
#include "ssh.h"
#include "servconf.h"
......@@ -589,7 +589,7 @@ parse_flag:
case sCiphers:
cp = strtok(NULL, WHITESPACE);
if (!ciphers_valid(cp))
fatal("%s line %d: Bad cipher spec '%s'.",
fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
filename, linenum, cp ? cp : "<NONE>");
if (options->ciphers == NULL)
options->ciphers = xstrdup(cp);
......
......@@ -9,7 +9,7 @@
.\"
.\" Created: Sat Apr 22 23:55:14 1995 ylo
.\"
.\" $Id: ssh-keygen.1,v 1.14 2000/05/07 02:03:18 damien Exp $
.\" $Id: ssh-keygen.1,v 1.15 2000/05/09 01:03:02 damien Exp $
.\"
.Dd September 25, 1999
.Dt SSH-KEYGEN 1
......@@ -142,13 +142,13 @@ support is not functional, exits with code 1. This flag will be
removed once the RSA patent expires.
.It Fl x
This option will read a private
OpenSSH DSA format file and prints to stdout a SSH2-compatible public key.
OpenSSH DSA format file and print a SSH2-compatible public key to stdout.
.It Fl X
This option will read a
SSH2-compatible public key file and print to stdout an OpenSSH DSA compatible public key.
SSH2-compatible public key file and print an OpenSSH DSA compatible public key to stdout.
.It Fl y
This option will read a private
OpenSSH DSA format file and prints to stdout an OpenSSH DSA public key.
OpenSSH DSA format file and print an OpenSSH DSA public key to stdout.
.El
.Sh FILES
.Bl -tag -width Ds
......
......@@ -7,7 +7,7 @@
*/
#include "includes.h"
RCSID("$Id: ssh-keygen.c,v 1.17 2000/05/07 02:03:19 damien Exp $");
RCSID("$Id: ssh-keygen.c,v 1.18 2000/05/09 01:03:02 damien Exp $");
#include <openssl/evp.h>
#include <openssl/pem.h>
......@@ -148,6 +148,7 @@ do_convert_from_ssh2(struct passwd *pw)
char blob[8096];
char encoded[8096];
struct stat st;
int escaped = 0;
FILE *fp;
if (!have_identity)
......@@ -163,14 +164,21 @@ do_convert_from_ssh2(struct passwd *pw)
}
encoded[0] = '\0';
while (fgets(line, sizeof(line), fp)) {
if (!(p = strchr(line, '\n'))) {
fprintf(stderr, "input line too long.\n");
exit(1);
}
if (p > line && p[-1] == '\\')
escaped++;
if (strncmp(line, "----", 4) == 0 ||
strstr(line, ": ") != NULL) {
fprintf(stderr, "ignore: %s", line);
continue;
}
if (!(p = strchr(line, '\n'))) {
fprintf(stderr, "input line too long.\n");
exit(1);
if (escaped) {
escaped--;
fprintf(stderr, "escaped: %s", line);
continue;
}
*p = '\0';
strlcat(encoded, line, sizeof(encoded));
......
......@@ -9,7 +9,7 @@
.\"
.\" Created: Sat Apr 22 21:55:14 1995 ylo
.\"
.\" $Id: ssh.1,v 1.24 2000/05/07 02:03:19 damien Exp $
.\" $Id: ssh.1,v 1.25 2000/05/09 01:03:02 damien Exp $
.\"
.Dd September 25, 1999
.Dt SSH 1
......@@ -25,7 +25,7 @@
.Pp
.Nm ssh
.Op Fl afgknqtvxCPX246
.Op Fl c Ar blowfish | 3des
.Op Fl c Ar cipher_spec
.Op Fl e Ar escape_char
.Op Fl i Ar identity_file
.Op Fl l Ar login_name
......@@ -202,7 +202,7 @@ This protocol 2 implementation does not yet support Kerberos or
S/Key authentication.
.Pp
Protocol 2 provides additional mechanisms for confidentiality
(the traffic is encrypted using 3DES, blowfish, cast128 or arcfour)
(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour)
and integrity (hmac-sha1, hmac-md5).
Note that protocol 1 lacks a strong mechanism for ensuring the
integrity of the connection.
......@@ -342,10 +342,15 @@ It is believed to be secure.
(triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
It is presumably more secure than the
.Ar des
cipher which is no longer supported in ssh.
cipher which is no longer supported in
.Nm ssh .
.Ar blowfish
is a fast block cipher, it appears very secure and is much faster than
.Ar 3des .
.It Fl c Ar "3des-cbc,blowfish-cbc,arcfour,cast128-cbc"
Additionally, for protocol version 2 a comma-separated list of ciphers can
be specified in order of preference. Protocol version 2 supports
3DES, Blowfish and CAST128 in CBC mode and Arcfour.
.It Fl e Ar ch|^ch|none
Sets the escape character for sessions with a pty (default:
.Ql ~ ) .
......@@ -601,7 +606,7 @@ Specifies the ciphers allowed for protocol version 2
in order of preference.
Multiple ciphers must be comma-separated.
The default is
.Dq blowfish-cbc,3des-cbc,arcfour,cast128-cbc .
.Dq 3des-cbc,blowfish-cbc,arcfour,cast128-cbc .
.It Cm Compression
Specifies whether to use compression.
The argument must be
......@@ -785,7 +790,7 @@ The default is
This means that
.Nm
tries version 1 and falls back to version 2
if version 1 is no available.
if version 1 is not available.
.It Cm ProxyCommand
Specifies the command to use to connect to the server.
The command
......
......@@ -11,7 +11,7 @@
*/
#include "includes.h"
RCSID("$Id: ssh.c,v 1.29 2000/05/01 10:59:51 damien Exp $");
RCSID("$Id: ssh.c,v 1.30 2000/05/09 01:03:02 damien Exp $");
#include <openssl/evp.h>
#include <openssl/dsa.h>
......@@ -367,6 +367,7 @@ main(int ac, char **av)
if (ciphers_valid(optarg)) {
/* SSH2 only */
options.ciphers = xstrdup(optarg);
options.cipher = SSH_CIPHER_ILLEGAL;
} else {
/* SSH1 only */
options.cipher = cipher_number(optarg);
......
......@@ -13,7 +13,7 @@
*
*/
/* RCSID("$Id: ssh.h,v 1.38 2000/05/07 02:03:19 damien Exp $"); */
/* RCSID("$Id: ssh.h,v 1.39 2000/05/09 01:03:02 damien Exp $"); */
#ifndef SSH_H
#define SSH_H
......@@ -30,6 +30,7 @@
#include "cipher.h"
/*
* XXX
* The default cipher used if IDEA is not supported by the remote host. It is
* recommended that this be one of the mandatory ciphers (DES, 3DES), though
* that is not required.
......
......@@ -9,7 +9,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: sshconnect1.c,v 1.2 2000/05/04 22:38:00 markus Exp $");
RCSID("$OpenBSD: sshconnect1.c,v 1.3 2000/05/08 17:12:16 markus Exp $");
#include <openssl/bn.h>
#include <openssl/dsa.h>
......@@ -832,13 +832,17 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
RSA_free(public_key);
RSA_free(host_key);
if (options.cipher == SSH_CIPHER_NOT_SET) {
if (options.cipher == SSH_CIPHER_ILLEGAL) {
log("No valid SSH1 cipher, using %.100s instead.",
cipher_name(SSH_FALLBACK_CIPHER));
options.cipher = SSH_FALLBACK_CIPHER;
} else if (options.cipher == SSH_CIPHER_NOT_SET) {
if (cipher_mask1() & supported_ciphers & (1 << ssh_cipher_default))
options.cipher = ssh_cipher_default;
else {
debug("Cipher %s not supported, using %.100s instead.",
cipher_name(ssh_cipher_default),
cipher_name(SSH_FALLBACK_CIPHER));
cipher_name(ssh_cipher_default),
cipher_name(SSH_FALLBACK_CIPHER));
options.cipher = SSH_FALLBACK_CIPHER;
}
}
......
......@@ -28,7 +28,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: sshconnect2.c,v 1.8 2000/05/07 18:23:32 markus Exp $");
RCSID("$OpenBSD: sshconnect2.c,v 1.10 2000/05/08 17:42:25 markus Exp $");
#include <openssl/bn.h>
#include <openssl/rsa.h>
......@@ -96,13 +96,14 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
} else if (
options.cipher == SSH_CIPHER_ARCFOUR ||
options.cipher == SSH_CIPHER_3DES_CBC ||
options.cipher == SSH_CIPHER_CAST128_CBC ||
options.cipher == SSH_CIPHER_BLOWFISH_CBC) {
} else if (options.cipher == SSH_CIPHER_3DES) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = cipher_name(options.cipher);
myproposal[PROPOSAL_ENC_ALGS_STOC] =
cipher_name(SSH_CIPHER_3DES_CBC);
} else if (options.cipher == SSH_CIPHER_BLOWFISH) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] =
cipher_name(SSH_CIPHER_BLOWFISH_CBC);
}
if (options.compression) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] = "zlib";
......@@ -344,12 +345,14 @@ ssh2_try_pubkey(char *filename,
buffer_append(&b, session_id2, session_id2_len);
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
buffer_put_cstring(&b, server_user);
buffer_put_cstring(&b, service);
buffer_put_cstring(&b,
datafellows & SSH_BUG_PUBKEYAUTH ?
"ssh-userauth" :
service);
buffer_put_cstring(&b, "publickey");
buffer_put_char(&b, 1);
buffer_put_cstring(&b, KEX_DSS);
buffer_put_string(&b, blob, bloblen);
xfree(blob);
/* generate signature */
dsa_sign(k, &signature, &slen, buffer_ptr(&b), buffer_len(&b));
......@@ -357,6 +360,19 @@ ssh2_try_pubkey(char *filename,
#ifdef DEBUG_DSS
buffer_dump(&b);
#endif
if (datafellows & SSH_BUG_PUBKEYAUTH) {
/* e.g. ssh-2.0.13: data-to-be-signed != data-on-the-wire */
buffer_clear(&b);
buffer_append(&b, session_id2, session_id2_len);
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
buffer_put_cstring(&b, server_user);
buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "publickey");
buffer_put_char(&b, 1);
buffer_put_cstring(&b, KEX_DSS);
buffer_put_string(&b, blob, bloblen);
}
xfree(blob);
/* append signature */
buffer_put_string(&b, signature, slen);
xfree(signature);
......
......@@ -9,7 +9,7 @@
.\"
.\" Created: Sat Apr 22 21:55:14 1995 ylo
.\"
.\" $Id: sshd.8,v 1.21 2000/05/07 02:03:20 damien Exp $
.\" $Id: sshd.8,v 1.22 2000/05/09 01:03:03 damien Exp $
.\"
.Dd September 25, 1999
.Dt SSHD 8
......@@ -115,7 +115,7 @@ Blowfish, 3DES or CAST128 in CBC mode or Arcfour.
The client selects the encryption algorithm
to use from those offered by the server.
Additionally, session integrity is provided
through a crytographic message authentication code
through a cryptographic message authentication code
(hmac-sha1 or hmac-md5).
.Pp
Protocol version 2 provides a public key based
......@@ -277,7 +277,7 @@ By default login is allowed regardless of the user name.
Specifies the ciphers allowed for protocol version 2.
Multiple ciphers must be comma-separated.
The default is
.Dq blowfish-cbc,3des-cbc,arcfour,cast128-cbc .
.Dq 3des-cbc,blowfish-cbc,arcfour,cast128-cbc .
.It Cm CheckMail
Specifies whether
.Nm
......@@ -327,14 +327,14 @@ Specifies the file containing the private DSA host key (default
used by SSH protocol 2.0.
Note that
.Nm
disables protcol 2.0 if this file is group/world-accessible.
disables protocol 2.0 if this file is group/world-accessible.
.It Cm HostKey
Specifies the file containing the private RSA host key (default
.Pa /etc/ssh_host_key )
used by SSH protocols 1.3 and 1.5.
Note that
.Nm
disables protcols 1.3 and 1.5 if this file is group/world-accessible.
disables protocols 1.3 and 1.5 if this file is group/world-accessible.
.It Cm IgnoreRhosts
Specifies that
.Pa .rhosts
......@@ -364,7 +364,7 @@ of the machines will be properly noticed.
However, this means that
connections will die if the route is down temporarily, and some people
find it annoying.
On the other hand, if keepalives are not send,
On the other hand, if keepalives are not sent,
sessions may hang indefinitely on the server, leaving
.Dq ghost
users and consuming server resources.
......@@ -620,7 +620,7 @@ The
.Pa $HOME/.ssh/authorized_keys
file lists the RSA keys that are
permitted for RSA authentication in SSH protocols 1.3 and 1.5
Similarily, the
Similarly, the
.Pa $HOME/.ssh/authorized_keys2
file lists the DSA keys that are
permitted for DSA authentication in SSH protocol 2.0.
......@@ -679,8 +679,8 @@ A quote may be included in the command by quoting it with a backslash.
This option might be useful
to restrict certain RSA keys to perform just a specific operation.
An example might be a key that permits remote backups but nothing else.
Notice that the client may specify TCP/IP and/or X11
forwardings unless they are explicitly prohibited.
Note that the client may specify TCP/IP and/or X11
forwarding unless they are explicitly prohibited.
.It Cm environment="NAME=value"
Specifies that the string is to be added to the environment when
logging in using this key.
......
#define SSH_VERSION "OpenSSH-2.0"
#define SSH_VERSION "OpenSSH-2.1"
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment