diff options
author | Damien Miller <djm@mindrot.org> | 1999-11-12 15:19:27 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 1999-11-12 15:19:27 +1100 |
commit | 6d7b2cd1a32efa2a40c97361065d357a2e60b716 (patch) | |
tree | 9c34abc2723760ce00b6f3867d7e0cfbd6a7424e /sshconnect.c | |
parent | b5f8927a7e3f25cef4c66603a780176e1b9f6082 (diff) | |
download | openssh-git-6d7b2cd1a32efa2a40c97361065d357a2e60b716.tar.gz |
- Merged yet more changes from OpenBSD CVS
- [auth-rh-rsa.c auth-rhosts.c auth-rsa.c channels.c clientloop.c]
[ssh.c ssh.h sshconnect.c sshd.c]
make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary
- [mpaux.c] clear temp buffer
- [servconf.c] print _all_ bad options found in configfile
Diffstat (limited to 'sshconnect.c')
-rw-r--r-- | sshconnect.c | 102 |
1 files changed, 51 insertions, 51 deletions
diff --git a/sshconnect.c b/sshconnect.c index a16e25a8..80e4aff4 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -16,7 +16,7 @@ login (authentication) dialog. #include "config.h" #include "includes.h" -RCSID("$Id: sshconnect.c,v 1.5 1999/11/08 23:35:52 damien Exp $"); +RCSID("$Id: sshconnect.c,v 1.6 1999/11/12 04:19:27 damien Exp $"); #ifdef HAVE_OPENSSL #include <openssl/bn.h> @@ -36,7 +36,7 @@ RCSID("$Id: sshconnect.c,v 1.5 1999/11/08 23:35:52 damien Exp $"); #include "mpaux.h" #include "uidswap.h" #include "compat.h" - +#include "readconf.h" /* Session id for the current session. */ unsigned char session_id[16]; @@ -486,9 +486,9 @@ respond_to_rsa_challenge(BIGNUM *challenge, RSA *prv) the user using it. */ int -try_rsa_authentication(struct passwd *pw, const char *authfile, - int may_ask_passphrase) +try_rsa_authentication(struct passwd *pw, const char *authfile) { + extern Options options; BIGNUM *challenge; RSA *private_key; RSA *public_key; @@ -550,7 +550,7 @@ try_rsa_authentication(struct passwd *pw, const char *authfile, return. */ snprintf(buf, sizeof buf, "Enter passphrase for RSA key '%.100s': ", comment); - if (may_ask_passphrase) + if (!options.batch_mode) passphrase = read_passphrase(buf, 0); else { @@ -1014,8 +1014,9 @@ void ssh_login(int host_key_valid, RSA *own_host_key, const char *orighost, struct sockaddr_in *hostaddr, - Options *options, uid_t original_real_uid) + uid_t original_real_uid) { + extern Options options; int i, type; char *password; struct passwd *pw; @@ -1035,7 +1036,7 @@ void ssh_login(int host_key_valid, int payload_len, clen, sum_len = 0; u_int32_t rand = 0; - if (options->check_host_ip) + if (options.check_host_ip) ip = xstrdup(inet_ntoa(hostaddr->sin_addr)); /* Convert the user-supplied hostname into all lowercase. */ @@ -1056,7 +1057,7 @@ void ssh_login(int host_key_valid, if (!pw) fatal("User id %d not found from user database.", original_real_uid); local_user = xstrdup(pw->pw_name); - server_user = options->user ? options->user : local_user; + server_user = options.user ? options.user : local_user; debug("Waiting for server public key."); @@ -1132,12 +1133,12 @@ void ssh_login(int host_key_valid, /* Check if the host key is present in the user\'s list of known hosts or in the systemwide list. */ - host_status = check_host_in_hostfile(options->user_hostfile, + host_status = check_host_in_hostfile(options.user_hostfile, host, BN_num_bits(host_key->n), host_key->e, host_key->n, file_key->e, file_key->n); if (host_status == HOST_NEW) - host_status = check_host_in_hostfile(options->system_hostfile, host, + host_status = check_host_in_hostfile(options.system_hostfile, host, BN_num_bits(host_key->n), host_key->e, host_key->n, file_key->e, file_key->n); @@ -1154,17 +1155,17 @@ void ssh_login(int host_key_valid, /* Also perform check for the ip address, skip the check if we are localhost or the hostname was an ip address to begin with */ - if (options->check_host_ip && !local && strcmp(host, ip)) { + if (options.check_host_ip && !local && strcmp(host, ip)) { RSA *ip_key = RSA_new(); ip_key->n = BN_new(); ip_key->e = BN_new(); - ip_status = check_host_in_hostfile(options->user_hostfile, ip, + ip_status = check_host_in_hostfile(options.user_hostfile, ip, BN_num_bits(host_key->n), host_key->e, host_key->n, ip_key->e, ip_key->n); if (ip_status == HOST_NEW) - ip_status = check_host_in_hostfile(options->system_hostfile, ip, + ip_status = check_host_in_hostfile(options.system_hostfile, ip, BN_num_bits(host_key->n), host_key->e, host_key->n, ip_key->e, ip_key->n); @@ -1183,13 +1184,13 @@ void ssh_login(int host_key_valid, case HOST_OK: /* The host is known and the key matches. */ debug("Host '%.200s' is known and matches the host key.", host); - if (options->check_host_ip) { + if (options.check_host_ip) { if (ip_status == HOST_NEW) { - if (!add_host_to_hostfile(options->user_hostfile, ip, + if (!add_host_to_hostfile(options.user_hostfile, ip, BN_num_bits(host_key->n), host_key->e, host_key->n)) log("Failed to add the host ip to the list of known hosts (%.30s).", - options->user_hostfile); + options.user_hostfile); else log("Warning: Permanently added host ip '%.30s' to the list of known hosts.", ip); } else if (ip_status != HOST_OK) @@ -1201,12 +1202,12 @@ void ssh_login(int host_key_valid, { char hostline[1000], *hostp = hostline; /* The host is new. */ - if (options->strict_host_key_checking == 1) { + if (options.strict_host_key_checking == 1) { /* User has requested strict host key checking. We will not add the host key automatically. The only alternative left is to abort. */ fatal("No host key is known for %.200s and you have requested strict checking.", host); - } else if (options->strict_host_key_checking == 2) { /* The default */ + } else if (options.strict_host_key_checking == 2) { /* The default */ char prompt[1024]; snprintf(prompt, sizeof(prompt), "The authenticity of host '%.200s' can't be established.\n" @@ -1216,25 +1217,25 @@ void ssh_login(int host_key_valid, fatal("Aborted by user!\n"); } - if (options->check_host_ip && ip_status == HOST_NEW && strcmp(host, ip)) + if (options.check_host_ip && ip_status == HOST_NEW && strcmp(host, ip)) snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); else hostp = host; /* If not in strict mode, add the key automatically to the local known_hosts file. */ - if (!add_host_to_hostfile(options->user_hostfile, hostp, + if (!add_host_to_hostfile(options.user_hostfile, hostp, BN_num_bits(host_key->n), host_key->e, host_key->n)) log("Failed to add the host to the list of known hosts (%.500s).", - options->user_hostfile); + options.user_hostfile); else log("Warning: Permanently added '%.200s' to the list of known hosts.", hostp); break; } case HOST_CHANGED: - if (options->check_host_ip) { + if (options.check_host_ip) { if (host_ip_differ) { error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); error("@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @"); @@ -1256,23 +1257,23 @@ void ssh_login(int host_key_valid, error("It is also possible that the host key has just been changed."); error("Please contact your system administrator."); error("Add correct host key in %.100s to get rid of this message.", - options->user_hostfile); + options.user_hostfile); /* If strict host key checking is in use, the user will have to edit the key manually and we can only abort. */ - if (options->strict_host_key_checking) + if (options.strict_host_key_checking) fatal("Host key for %.200s has changed and you have requested strict checking.", host); /* If strict host key checking has not been requested, allow the connection but without password authentication or agent forwarding. */ - if (options->password_authentication) { + if (options.password_authentication) { error("Password authentication is disabled to avoid trojan horses."); - options->password_authentication = 0; + options.password_authentication = 0; } - if (options->forward_agent) { + if (options.forward_agent) { error("Agent forwarding is disabled to avoid trojan horses."); - options->forward_agent = 0; + options.forward_agent = 0; } /* XXX Should permit the user to change to use the new id. This could be done by converting the host key to an identifying sentence, tell @@ -1281,7 +1282,7 @@ void ssh_login(int host_key_valid, break; } - if (options->check_host_ip) + if (options.check_host_ip) xfree(ip); /* Generate a session key. */ @@ -1344,27 +1345,27 @@ void ssh_login(int host_key_valid, rsa_public_encrypt(key, key, public_key); } - if (options->cipher == SSH_CIPHER_NOT_SET) { + if (options.cipher == SSH_CIPHER_NOT_SET) { if (cipher_mask() & supported_ciphers & (1 << ssh_cipher_default)) - options->cipher = ssh_cipher_default; + options.cipher = ssh_cipher_default; else { debug("Cipher %d not supported, using %.100s instead.", cipher_name(ssh_cipher_default), cipher_name(SSH_FALLBACK_CIPHER)); - options->cipher = SSH_FALLBACK_CIPHER; + options.cipher = SSH_FALLBACK_CIPHER; } } /* Check that the selected cipher is supported. */ - if (!(supported_ciphers & (1 << options->cipher))) + if (!(supported_ciphers & (1 << options.cipher))) fatal("Selected cipher type %.100s not supported by server.", - cipher_name(options->cipher)); + cipher_name(options.cipher)); - debug("Encryption type: %.100s", cipher_name(options->cipher)); + debug("Encryption type: %.100s", cipher_name(options.cipher)); /* Send the encrypted session key to the server. */ packet_start(SSH_CMSG_SESSION_KEY); - packet_put_char(options->cipher); + packet_put_char(options.cipher); /* Send the check bytes back to the server. */ for (i = 0; i < 8; i++) @@ -1390,7 +1391,7 @@ void ssh_login(int host_key_valid, /* Set the encryption key. */ packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, - options->cipher, 1); + options.cipher, 1); /* We will no longer need the session key here. Destroy any extra copies. */ memset(session_key, 0, sizeof(session_key)); @@ -1420,17 +1421,17 @@ void ssh_login(int host_key_valid, #ifdef AFS /* Try Kerberos tgt passing if the server supports it. */ if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) && - options->kerberos_tgt_passing) + options.kerberos_tgt_passing) { - if (options->cipher == SSH_CIPHER_NONE) + if (options.cipher == SSH_CIPHER_NONE) log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); (void)send_kerberos_tgt(); } /* Try AFS token passing if the server supports it. */ if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) && - options->afs_token_passing && k_hasafs()) { - if (options->cipher == SSH_CIPHER_NONE) + options.afs_token_passing && k_hasafs()) { + if (options.cipher == SSH_CIPHER_NONE) log("WARNING: Encryption is disabled! Token will be transmitted in the clear!"); send_afs_tokens(); } @@ -1438,7 +1439,7 @@ void ssh_login(int host_key_valid, #ifdef KRB4 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && - options->kerberos_authentication) + options.kerberos_authentication) { debug("Trying Kerberos authentication."); if (try_kerberos_authentication()) { @@ -1455,7 +1456,7 @@ void ssh_login(int host_key_valid, /* Use rhosts authentication if running in privileged socket and we do not wish to remain anonymous. */ if ((supported_authentications & (1 << SSH_AUTH_RHOSTS)) && - options->rhosts_authentication) + options.rhosts_authentication) { debug("Trying rhosts authentication."); packet_start(SSH_CMSG_AUTH_RHOSTS); @@ -1475,7 +1476,7 @@ void ssh_login(int host_key_valid, /* Try .rhosts or /etc/hosts.equiv authentication with RSA host authentication. */ if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) && - options->rhosts_rsa_authentication && host_key_valid) + options.rhosts_rsa_authentication && host_key_valid) { if (try_rhosts_rsa_authentication(local_user, own_host_key)) return; /* Successful authentication. */ @@ -1483,7 +1484,7 @@ void ssh_login(int host_key_valid, /* Try RSA authentication if the server supports it. */ if ((supported_authentications & (1 << SSH_AUTH_RSA)) && - options->rsa_authentication) + options.rsa_authentication) { /* Try RSA authentication using the authentication agent. The agent is tried first because no passphrase is needed for it, whereas @@ -1492,23 +1493,22 @@ void ssh_login(int host_key_valid, return; /* Successful connection. */ /* Try RSA authentication for each identity. */ - for (i = 0; i < options->num_identity_files; i++) - if (try_rsa_authentication(pw, options->identity_files[i], - !options->batch_mode)) + for (i = 0; i < options.num_identity_files; i++) + if (try_rsa_authentication(pw, options.identity_files[i])) return; /* Successful connection. */ } /* Try password authentication if the server supports it. */ if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) && - options->password_authentication && !options->batch_mode) + options.password_authentication && !options.batch_mode) { char prompt[80]; snprintf(prompt, sizeof(prompt), "%.30s@%.30s's password: ", server_user, host); debug("Doing password authentication."); - if (options->cipher == SSH_CIPHER_NONE) + if (options.cipher == SSH_CIPHER_NONE) log("WARNING: Encryption is disabled! Password will be transmitted in clear text."); - for (i = 0; i < options->number_of_password_prompts; i++) { + for (i = 0; i < options.number_of_password_prompts; i++) { if (i != 0) error("Permission denied, please try again."); password = read_passphrase(prompt, 0); |