Commit 487bdb3a authored by Colin Watson's avatar Colin Watson

Import openssh_6.7p1.orig.tar.gz

parents 796ba4fd 28453d58
This diff is collapsed.
1. Prerequisites
----------------
You will need working installations of Zlib and OpenSSL.
You will need working installations of Zlib and libcrypto (LibreSSL /
OpenSSL)
Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems):
http://www.gzip.org/zlib/
OpenSSL 0.9.6 or greater:
http://www.openssl.org/
libcrypto (LibreSSL or OpenSSL >= 0.9.8f)
LibreSSL http://www.libressl.org/ ; or
OpenSSL http://www.openssl.org/
(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1
Blowfish) do not work correctly.)
LibreSSL/OpenSSL should be compiled as a position-independent library
(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
If you must use a non-position-independent libcrypto, then you may need
to configure OpenSSH --without-pie.
The remaining items are optional.
NB. If you operating system supports /dev/random, you should configure
OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of
/dev/random, or failing that, either prngd or egd
libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
direct support of /dev/random, or failing that, either prngd or egd
PRNGD:
......@@ -27,10 +31,10 @@ http://prngd.sourceforge.net/
EGD:
The Entropy Gathering Daemon (EGD) is supported if you have a system which
lacks /dev/random and don't want to use OpenSSH's internal entropy collection.
If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is
supported only if libcrypto supports it.
http://www.lothar.com/tech/crypto/
http://egd.sourceforge.net/
PAM:
......@@ -55,15 +59,6 @@ passphrase requester. This is maintained separately at:
http://www.jmknoble.net/software/x11-ssh-askpass/
TCP Wrappers:
If you wish to use the TCP wrappers functionality you will need at least
tcpd.h and libwrap.a, either in the standard include and library paths,
or in the directory specified by --with-tcp-wrappers. Version 7.6 is
known to work.
http://ftp.porcupine.org/pub/security/index.html
S/Key Libraries:
If you wish to use --with-skey then you will need the library below
......@@ -180,9 +175,6 @@ Integration Architecture. The default for OSF1 machines is enable.
--with-skey=PATH will enable S/Key one time password support. You will
need the S/Key libraries and header files installed for this to work.
--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
support.
--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords and the system crypt() does
not support them directly (see the crypt(3/3c) man page). If enabled, the
......@@ -204,10 +196,11 @@ created.
--with-xauth=PATH specifies the location of the xauth binary
--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
libraries
are installed.
--with-ssl-engine enables OpenSSL's (hardware) ENGINE support
--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
......@@ -266,4 +259,4 @@ Please refer to the "reporting bugs" section of the webpage at
http://www.openssh.com/
$Id: INSTALL,v 1.88 2013/03/07 01:33:35 dtucker Exp $
$Id: INSTALL,v 1.91 2014/09/09 02:23:11 dtucker Exp $
# $Id: Makefile.in,v 1.356 2014/02/04 00:12:56 djm Exp $
# $Id: Makefile.in,v 1.365 2014/08/30 06:23:07 djm Exp $
# uncomment if you run a non bourne compatable shell. Ie. csh
#SHELL = @SH@
......@@ -29,6 +29,7 @@ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
STRIP_OPT=@STRIP_OPT@
TEST_SHELL=@TEST_SHELL@
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
......@@ -63,7 +64,16 @@ MANFMT=@MANFMT@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
LIBOPENSSH_OBJS=\
ssherr.o \
sshbuf.o \
sshkey.o \
sshbuf-getput-basic.o \
sshbuf-misc.o \
sshbuf-getput-crypto.o
LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
authfd.o authfile.o bufaux.o bufbn.o buffer.o \
canohost.o channels.o cipher.o cipher-aes.o \
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
......@@ -135,7 +145,7 @@ $(SSHOBJS): Makefile.in config.h
$(SSHDOBJS): Makefile.in config.h
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
$(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
$(LIBCOMPAT): always
......@@ -214,6 +224,12 @@ umac128.o: umac.c
clean: regressclean
rm -f *.o *.a $(TARGETS) logintest config.cache config.log
rm -f *.out core survey
rm -f regress/unittests/test_helper/*.a
rm -f regress/unittests/test_helper/*.o
rm -f regress/unittests/sshbuf/*.o
rm -f regress/unittests/sshbuf/test_sshbuf
rm -f regress/unittests/sshkey/*.o
rm -f regress/unittests/sshkey/test_sshkey
(cd openbsd-compat && $(MAKE) clean)
distclean: regressclean
......@@ -222,6 +238,12 @@ distclean: regressclean
rm -f Makefile buildpkg.sh config.h config.status
rm -f survey.sh openbsd-compat/regress/Makefile *~
rm -rf autom4te.cache
rm -f regress/unittests/test_helper/*.a
rm -f regress/unittests/test_helper/*.o
rm -f regress/unittests/sshbuf/*.o
rm -f regress/unittests/sshbuf/test_sshbuf
rm -f regress/unittests/sshkey/*.o
rm -f regress/unittests/sshkey/test_sshkey
(cd openbsd-compat && $(MAKE) distclean)
if test -d pkg ; then \
rm -fr pkg ; \
......@@ -394,23 +416,71 @@ uninstall:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
regress-prep:
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
[ -d `pwd`/regress/unittests ] || mkdir -p `pwd`/regress/unittests
[ -d `pwd`/regress/unittests/test_helper ] || \
mkdir -p `pwd`/regress/unittests/test_helper
[ -d `pwd`/regress/unittests/sshbuf ] || \
mkdir -p `pwd`/regress/unittests/sshbuf
[ -d `pwd`/regress/unittests/sshkey ] || \
mkdir -p `pwd`/regress/unittests/sshkey
[ -f `pwd`/regress/Makefile ] || \
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
[ -f `pwd`/regress/Makefile ] || \
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) regress/setuid-allowed$(EXEEXT)
UNITTESTS_TEST_HELPER_OBJS=\
regress/unittests/test_helper/test_helper.o \
regress/unittests/test_helper/fuzz.o
regress/unittests/test_helper/libtest_helper.a: ${UNITTESTS_TEST_HELPER_OBJS}
$(AR) rv $@ $(UNITTESTS_TEST_HELPER_OBJS)
$(RANLIB) $@
UNITTESTS_TEST_SSHBUF_OBJS=\
regress/unittests/sshbuf/tests.o \
regress/unittests/sshbuf/test_sshbuf.o \
regress/unittests/sshbuf/test_sshbuf_getput_basic.o \
regress/unittests/sshbuf/test_sshbuf_getput_crypto.o \
regress/unittests/sshbuf/test_sshbuf_misc.o \
regress/unittests/sshbuf/test_sshbuf_fuzz.o \
regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o \
regress/unittests/sshbuf/test_sshbuf_fixed.o
regress/unittests/sshbuf/test_sshbuf$(EXEEXT): ${UNITTESTS_TEST_SSHBUF_OBJS} \
regress/unittests/test_helper/libtest_helper.a libssh.a
$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHBUF_OBJS) \
regress/unittests/test_helper/libtest_helper.a \
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
UNITTESTS_TEST_SSHKEY_OBJS=\
regress/unittests/sshkey/test_fuzz.o \
regress/unittests/sshkey/tests.o \
regress/unittests/sshkey/common.o \
regress/unittests/sshkey/test_file.o \
regress/unittests/sshkey/test_sshkey.o
regress/unittests/sshkey/test_sshkey$(EXEEXT): ${UNITTESTS_TEST_SSHKEY_OBJS} \
regress/unittests/test_helper/libtest_helper.a libssh.a
$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHKEY_OBJS) \
regress/unittests/test_helper/libtest_helper.a \
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
REGRESS_BINARIES=\
regress/modpipe$(EXEEXT) \
regress/setuid-allowed$(EXEEXT) \
regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
regress/unittests/sshkey/test_sshkey$(EXEEXT)
tests interop-tests t-exec: regress-prep $(TARGETS) $(REGRESS_BINARIES)
BUILDDIR=`pwd`; \
TEST_SHELL="@TEST_SHELL@"; \
TEST_SSH_SCP="$${BUILDDIR}/scp"; \
TEST_SSH_SSH="$${BUILDDIR}/ssh"; \
TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \
......@@ -434,7 +504,6 @@ tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) regress/setuid-allowed$
OBJ="$${BUILDDIR}/regress/" \
PATH="$${BUILDDIR}:$${PATH}" \
TEST_ENV=MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \
TEST_SHELL="$${TEST_SHELL}" \
TEST_SSH_SCP="$${TEST_SSH_SCP}" \
TEST_SSH_SSH="$${TEST_SSH_SSH}" \
TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \
......@@ -450,6 +519,7 @@ tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) regress/setuid-allowed$
TEST_SSH_CONCH="$${TEST_SSH_CONCH}" \
TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \
TEST_SSH_ECC="$${TEST_SSH_ECC}" \
TEST_SHELL="${TEST_SHELL}" \
EXEEXT="$(EXEEXT)" \
$@ && echo all tests passed
......
......@@ -232,6 +232,56 @@ The contents of the "data" field for layer 2 packets is:
The "frame" field contains an IEEE 802.3 Ethernet frame, including
header.
2.4. connection: Unix domain socket forwarding
OpenSSH supports local and remote Unix domain socket forwarding
using the "streamlocal" extension. Forwarding is initiated as per
TCP sockets but with a single path instead of a host and port.
Similar to direct-tcpip, direct-streamlocal is sent by the client
to request that the server make a connection to a Unix domain socket.
byte SSH_MSG_CHANNEL_OPEN
string "direct-streamlocal@openssh.com"
uint32 sender channel
uint32 initial window size
uint32 maximum packet size
string socket path
string reserved for future use
Similar to forwarded-tcpip, forwarded-streamlocal is sent by the
server when the client has previously send the server a streamlocal-forward
GLOBAL_REQUEST.
byte SSH_MSG_CHANNEL_OPEN
string "forwarded-streamlocal@openssh.com"
uint32 sender channel
uint32 initial window size
uint32 maximum packet size
string socket path
string reserved for future use
The reserved field is not currently defined and is ignored on the
remote end. It is intended to be used in the future to pass
information about the socket file, such as ownership and mode.
The client currently sends the empty string for this field.
Similar to tcpip-forward, streamlocal-forward is sent by the client
to request remote forwarding of a Unix domain socket.
byte SSH2_MSG_GLOBAL_REQUEST
string "streamlocal-forward@openssh.com"
boolean TRUE
string socket path
Similar to cancel-tcpip-forward, cancel-streamlocal-forward is sent
by the client cancel the forwarding of a Unix domain socket.
byte SSH2_MSG_GLOBAL_REQUEST
string "cancel-streamlocal-forward@openssh.com"
boolean FALSE
string socket path
3. SFTP protocol changes
3.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK
......@@ -356,4 +406,4 @@ respond with a SSH_FXP_STATUS message.
This extension is advertised in the SSH_FXP_VERSION hello with version
"1".
$OpenBSD: PROTOCOL,v 1.23 2013/12/01 23:19:05 djm Exp $
$OpenBSD: PROTOCOL,v 1.24 2014/07/15 15:54:14 millert Exp $
See http://www.openssh.com/txt/release-6.6 for the release notes.
See http://www.openssh.com/txt/release-6.7 for the release notes.
- A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
......@@ -62,4 +62,4 @@ References -
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
[7] http://www.openssh.com/faq.html
$Id: README,v 1.86 2014/02/27 23:03:53 djm Exp $
$Id: README,v 1.87 2014/08/10 01:35:06 djm Exp $
/* $OpenBSD: auth-bsdauth.c,v 1.11 2007/09/21 08:15:29 djm Exp $ */
/* $OpenBSD: auth-bsdauth.c,v 1.13 2014/06/24 01:13:21 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
......@@ -26,6 +26,8 @@
#include "includes.h"
#include <sys/types.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdarg.h>
......@@ -54,6 +56,11 @@ bsdauth_query(void *ctx, char **name, char **infotxt,
Authctxt *authctxt = ctx;
char *challenge = NULL;
*infotxt = NULL;
*numprompts = 0;
*prompts = NULL;
*echo_on = NULL;
if (authctxt->as != NULL) {
debug2("bsdauth_query: try reuse session");
challenge = auth_getitem(authctxt->as, AUTHV_CHALLENGE);
......
/* $OpenBSD: auth-chall.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */
/* $OpenBSD: auth-chall.c,v 1.14 2014/06/24 01:13:21 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
......@@ -26,6 +26,9 @@
#include "includes.h"
#include <sys/types.h>
#include <stdarg.h>
#include <stdlib.h>
#include <stdio.h>
#include <stdarg.h>
......@@ -34,6 +37,7 @@
#include "hostfile.h"
#include "auth.h"
#include "log.h"
#include "misc.h"
#include "servconf.h"
/* limited protocol v1 interface to kbd-interactive authentication */
......
......@@ -40,6 +40,7 @@
#include "packet.h"
#include "log.h"
#include "buffer.h"
#include "misc.h"
#include "servconf.h"
#include "uidswap.h"
#include "key.h"
......
/* $OpenBSD: auth-options.c,v 1.62 2013/12/19 00:27:57 djm Exp $ */
/* $OpenBSD: auth-options.c,v 1.64 2014/07/15 15:54:14 millert Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
......@@ -26,9 +26,9 @@
#include "log.h"
#include "canohost.h"
#include "buffer.h"
#include "misc.h"
#include "channels.h"
#include "servconf.h"
#include "misc.h"
#include "key.h"
#include "auth-options.h"
#include "hostfile.h"
......@@ -325,6 +325,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
patterns[i] = '\0';
opts++;
p = patterns;
/* XXX - add streamlocal support */
host = hpdelim(&p);
if (host == NULL || strlen(host) >= NI_MAXHOST) {
debug("%.100s, line %lu: Bad permitopen "
......@@ -586,8 +587,8 @@ auth_cert_options(Key *k, struct passwd *pw)
if (key_cert_is_legacy(k)) {
/* All options are in the one field for v00 certs */
if (parse_option_list(buffer_ptr(&k->cert->critical),
buffer_len(&k->cert->critical), pw,
if (parse_option_list(buffer_ptr(k->cert->critical),
buffer_len(k->cert->critical), pw,
OPTIONS_CRITICAL|OPTIONS_EXTENSIONS, 1,
&cert_no_port_forwarding_flag,
&cert_no_agent_forwarding_flag,
......@@ -599,14 +600,14 @@ auth_cert_options(Key *k, struct passwd *pw)
return -1;
} else {
/* Separate options and extensions for v01 certs */
if (parse_option_list(buffer_ptr(&k->cert->critical),
buffer_len(&k->cert->critical), pw,
if (parse_option_list(buffer_ptr(k->cert->critical),
buffer_len(k->cert->critical), pw,
OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
&cert_forced_command,
&cert_source_address_done) == -1)
return -1;
if (parse_option_list(buffer_ptr(&k->cert->extensions),
buffer_len(&k->cert->extensions), pw,
if (parse_option_list(buffer_ptr(k->cert->extensions),
buffer_len(k->cert->extensions), pw,
OPTIONS_EXTENSIONS, 1,
&cert_no_port_forwarding_flag,
&cert_no_agent_forwarding_flag,
......
/* $OpenBSD: auth-passwd.c,v 1.43 2007/09/21 08:15:29 djm Exp $ */
/* $OpenBSD: auth-passwd.c,v 1.44 2014/07/15 15:54:14 millert Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
......@@ -48,6 +48,7 @@
#include "packet.h"
#include "buffer.h"
#include "log.h"
#include "misc.h"
#include "servconf.h"
#include "key.h"
#include "hostfile.h"
......
/* $OpenBSD: auth-rh-rsa.c,v 1.43 2010/03/04 10:36:03 djm Exp $ */
/* $OpenBSD: auth-rh-rsa.c,v 1.44 2014/07/15 15:54:14 millert Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
......@@ -24,6 +24,7 @@
#include "uidswap.h"
#include "log.h"
#include "buffer.h"
#include "misc.h"
#include "servconf.h"
#include "key.h"
#include "hostfile.h"
......
/* $OpenBSD: auth-rhosts.c,v 1.44 2010/03/07 11:57:13 dtucker Exp $ */
/* $OpenBSD: auth-rhosts.c,v 1.45 2014/07/15 15:54:14 millert Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
......@@ -34,12 +34,12 @@
#include "uidswap.h"
#include "pathnames.h"
#include "log.h"
#include "misc.h"
#include "servconf.h"
#include "canohost.h"
#include "key.h"
#include "hostfile.h"
#include "auth.h"
#include "misc.h"
/* import */
extern ServerOptions options;
......
/* $OpenBSD: auth-rsa.c,v 1.86 2014/01/27 19:18:54 markus Exp $ */
/* $OpenBSD: auth-rsa.c,v 1.88 2014/07/15 15:54:14 millert Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
......@@ -35,6 +35,7 @@
#include "buffer.h"
#include "pathnames.h"
#include "log.h"
#include "misc.h"
#include "servconf.h"
#include "key.h"
#include "auth-options.h"
......@@ -45,7 +46,6 @@
#endif
#include "monitor_wrap.h"
#include "ssh.h"
#include "misc.h"
#include "digest.h"
......@@ -144,7 +144,8 @@ auth_rsa_challenge_dialog(Key *key)
challenge = PRIVSEP(auth_rsa_generate_challenge(key));
/* Encrypt the challenge with the public key. */
rsa_public_encrypt(encrypted_challenge, challenge, key->rsa);
if (rsa_public_encrypt(encrypted_challenge, challenge, key->rsa) != 0)
fatal("%s: rsa_public_encrypt failed", __func__);
/* Send the encrypted challenge to the client. */
packet_start(SSH_SMSG_AUTH_RSA_CHALLENGE);
......
/* $OpenBSD: auth.c,v 1.103 2013/05/19 02:42:42 djm Exp $ */
/* $OpenBSD: auth.c,v 1.106 2014/07/15 15:54:14 millert Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
......@@ -56,6 +56,7 @@
#include "groupaccess.h"
#include "log.h"
#include "buffer.h"
#include "misc.h"
#include "servconf.h"
#include "key.h"
#include "hostfile.h"
......@@ -63,7 +64,6 @@
#include "auth-options.h"
#include "canohost.h"
#include "uidswap.h"
#include "misc.h"
#include "packet.h"
#include "loginrec.h"
#ifdef GSSAPI
......@@ -326,6 +326,20 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
#endif
}
void
auth_maxtries_exceeded(Authctxt *authctxt)
{
packet_disconnect("Too many authentication failures for "
"%s%.100s from %.200s port %d %s",
authctxt->valid ? "" : "invalid user ",
authctxt->user,
get_remote_ipaddr(),
get_remote_port(),
compat20 ? "ssh2" : "ssh1");
/* NOTREACHED */
}
/*
* Check whether root logins are disallowed.
*/
......@@ -659,6 +673,7 @@ getpwnamallow(const char *user)
int
auth_key_is_revoked(Key *key)
{
#ifdef WITH_OPENSSL
char *key_fp;
if (options.revoked_keys_file == NULL)
......@@ -671,6 +686,7 @@ auth_key_is_revoked(Key *key)
default:
goto revoked;
}
#endif
debug3("%s: treating %s as a key list", __func__,
options.revoked_keys_file);
switch (key_in_file(key, options.revoked_keys_file, 0)) {
......@@ -682,6 +698,7 @@ auth_key_is_revoked(Key *key)
error("Revoked keys file is unreadable: refusing public key "
"authentication");
return 1;
#ifdef WITH_OPENSSL
case 1:
revoked:
/* Key revoked */
......@@ -690,6 +707,7 @@ auth_key_is_revoked(Key *key)
"%s key %s ", key_type(key), key_fp);
free(key_fp);
return 1;
#endif
}
fatal("key_in_file returned junk");
}
......
/* $OpenBSD: auth.h,v 1.77 2014/01/29 06:18:35 djm Exp $ */
/* $OpenBSD: auth.h,v 1.78 2014/07/03 11:16:55 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
......@@ -154,6 +154,7 @@ void auth_info(Authctxt *authctxt, const char *, ...)
__attribute__((__format__ (printf, 2, 3)))
__attribute__((__nonnull__ (2)));
void auth_log(Authctxt *, int, int, const char *, const char *);
void auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn));
void userauth_finish(Authctxt *, int, const char *, const char *);
int auth_root_allowed(const char *);
......@@ -210,8 +211,6 @@ struct passwd *fakepw(void);
int sys_auth_passwd(Authctxt *, const char *);
#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
#define SKEY_PROMPT "\nS/Key Password: "
#if defined(KRB5) && !defined(HEIMDAL)
......
/* $OpenBSD: auth1.c,v 1.80 2014/02/02 03:44:31 djm Exp $ */
/* $OpenBSD: auth1.c,v 1.82 2014/07/15 15:54:14 millert Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
......@@ -27,6 +27,7 @@
#include "packet.h"
#include "buffer.h"
#include "log.h"
#include "misc.h"
#include "servconf.h"
#include "compat.h"
#include "key.h"
......@@ -363,7 +364,7 @@ do_authloop(Authctxt *authctxt)
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
#endif
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
auth_maxtries_exceeded(authctxt);
}
packet_start(SSH_SMSG_FAILURE);
......
......@@ -41,6 +41,7 @@
#include "packet.h"
#include "dispatch.h"
#include "log.h"
#include "misc.h"
#include "servconf.h"
/* import */
......
......@@ -40,6 +40,7 @@
#include "log.h"
#include "dispatch.h"
#include "buffer.h"
#include "misc.h"
#include "servconf.h"
#include "packet.h"
#include "ssh-gss.h"
......
/* $OpenBSD: auth2-hostbased.c,v 1.17 2013/12/30 23:52:27 djm Exp $ */
/* $OpenBSD: auth2-hostbased.c,v 1.18 2014/07/15 15:54:14 millert Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
......@@ -36,6 +36,7 @@
#include "packet.h"
#include "buffer.h"
#include "log.h"
#include "misc.h"
#include "servconf.h"