===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh.c,v
retrieving revision 1.186.2.2
retrieving revision 1.187
diff -u -r1.186.2.2 -r1.187
--- src/usr.bin/ssh/ssh.c 2003/09/16 21:20:28 1.186.2.2
+++ src/usr.bin/ssh/ssh.c 2002/11/21 23:04:33 1.187
@@ -40,7 +40,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.186.2.2 2003/09/16 21:20:28 brad Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.187 2002/11/21 23:04:33 markus Exp $");
 #include
 #include
@@ -75,6 +75,10 @@
 extern char *__progname;
+/* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
+ Default value is AF_UNSPEC means both IPv4 and IPv6. */
+int IPv4or6 = AF_UNSPEC;
+
 /* Flag indicating whether debug mode is on. This can be set on the command line. */
 int debug_flag = 0;
@@ -150,6 +154,9 @@
 _PATH_SSH_USER_CONFFILE);
 fprintf(stderr, " -A Enable authentication agent forwarding.\n");
 fprintf(stderr, " -a Disable authentication agent forwarding (default).\n");
+#ifdef AFS
+ fprintf(stderr, " -k Disable Kerberos ticket and AFS token forwarding.\n");
+#endif /* AFS */
 fprintf(stderr, " -X Enable X11 connection forwarding.\n");
 fprintf(stderr, " -x Disable X11 connection forwarding (default).\n");
 fprintf(stderr, " -i file Identity for public key authentication "
@@ -233,7 +240,7 @@
 /* Get user data. */
 pw = getpwuid(original_real_uid);
 if (!pw) {
- logit("You don't exist, go away!");
+ log("You don't exist, go away!");
 exit(1);
 }
 /* Take a copy of the returned structure. */
@@ -264,10 +271,10 @@
 options.protocol = SSH_PROTO_2;
 break;
 case '4':
- options.address_family = AF_INET;
+ IPv4or6 = AF_INET;
 break;
 case '6':
- options.address_family = AF_INET6;
+ IPv4or6 = AF_INET6;
 break;
 case 'n':
 stdin_null_flag = 1;
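Review bot: `IPv4or6` is defined in the @@ -75 hunk as a file-scope global with external linkage, yet within these hunks it is only ever passed by value to `channel_set_af()` and `ssh_connect()`; unless a header or another unit declares it `extern`, `static int IPv4or6 = AF_UNSPEC;` keeps it out of the global namespace. Its mixed-case name also departs from the snake_case of the neighbouring `debug_flag`. The two-line comment above it reads awkwardly; suggest `/* Address family used for outgoing connections; set by -4/-6, AF_UNSPEC allows both. */`.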
@@ -294,9 +301,12 @@
 case 'A':
 options.forward_agent = 1;
 break;
+#ifdef AFS
 case 'k':
- /* ignored for backward compatibility */
+ options.kerberos_tgt_passing = 0;
+ options.afs_token_passing = 0;
 break;
+#endif
 case 'i':
 if (stat(optarg, &st) < 0) {
 fprintf(stderr, "Warning: Identity file %s "
@@ -323,22 +333,22 @@
 tty_flag = 1;
 break;
 case 'v':
- if (debug_flag == 0) {
+ if (0 == debug_flag) {
 debug_flag = 1;
 options.log_level = SYSLOG_LEVEL_DEBUG1;
- } else {
- if (options.log_level < SYSLOG_LEVEL_DEBUG3)
- options.log_level++;
+ } else if (options.log_level < SYSLOG_LEVEL_DEBUG3) {
+ options.log_level++;
 break;
- }
+ } else
+ fatal("Too high debugging level.");
 /* fallthrough */
 case 'V':
 fprintf(stderr,
- "%s, SSH protocols %d.%d/%d.%d, %s\n",
+ "%s, SSH protocols %d.%d/%d.%d, OpenSSL 0x%8.8lx\n",
 SSH_VERSION, PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1, PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
- SSLeay_version(SSLEAY_VERSION));
+ SSLeay());
 if (opt == 'V') exit(0);
 break;
@@ -435,7 +445,7 @@
 optarg);
 exit(1);
 }
- add_local_forward(&options, fwd_port, "socks", 0);
+ add_local_forward(&options, fwd_port, "socks4", 0);
 break;
 case 'C':
@@ -472,9 +482,9 @@
 av += optind;
 if (ac > 0 && !host && **av != '-') {
- if (strrchr(*av, '@')) {
+ if (strchr(*av, '@')) {
 p = xstrdup(*av);
- cp = strrchr(p, '@');
+ cp = strchr(p, '@');
 if (cp == NULL || cp == p) usage();
 options.user = p;
@@ -482,11 +492,12 @@
 host = ++cp;
 } else host = *av;
- if (ac > 1) {
- optind = optreset = 1;
+ ac--, av++;
+ if (ac > 0) {
+ optind = 0;
+ optreset = 1;
 goto again;
 }
- ac--, av++;
 }
 /* Check that we got a host name. */
@@ -495,6 +506,7 @@
 SSLeay_add_all_algorithms();
 ERR_load_crypto_strings();
+ channel_set_af(IPv4or6);
 /* Initialize the command to execute on remote host. */
 buffer_init(&command);
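Review bot: With the whole `case 'k':` wrapped in `#ifdef AFS`, a build without AFS presumably rejects `-k` as an unknown option (the `default:` arm is outside the hunk), so a command line that works on one build fails on another. If `-k` is meant to stay accepted everywhere, keep `case 'k':` and its `break;` unconditional and place only the two assignments inside the `#ifdef AFS` block. The enclosing `switch` starts and ends outside the hunk.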
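Review bot: The `-v` branch in the @@ -323 hunk is hard to follow because the `break` is hidden inside the `else if` block: only the first `-v` reaches the `/* fallthrough */` into `case 'V'` and prints the banner, the second and third stop at the buried `break`, and a fourth terminates the program through `fatal("Too high debugging level.")` instead of saturating at `SYSLOG_LEVEL_DEBUG3`. The `0 == debug_flag` comparison also differs from the style used elsewhere in this file (`if (!pw)`, `if (ac > 0 ...)`). Suggest a comment above the `if`, `/* first -v: enable debugging and fall through to print the version banner */`, and, if an extra `-v` is meant to be harmless, replacing the `fatal()` arm with a plain `break;`.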
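Review bot: The rescan in the @@ -482 hunk resets getopt with `optind = 0; optreset = 1;`, whereas the documented BSD idiom is `optreset = 1; optind = 1;`; some getopt implementations special-case `optind == 0` as a reset for glibc compatibility, but that is implementation-specific rather than a contract. Suggest `optind = 1;` next to `optreset = 1;`, plus a comment on the `goto again;` line such as `/* options may follow the host name; parse them in a second pass */`. The enclosing function starts and ends outside the hunk.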
@@ -535,7 +547,7 @@
 /* Do not allocate a tty if stdin is not a tty. */
 if (!isatty(fileno(stdin)) && !force_tty_flag) {
 if (tty_flag)
- logit("Pseudo-terminal will not be allocated because stdin is not a terminal.");
+ log("Pseudo-terminal will not be allocated because stdin is not a terminal.");
 tty_flag = 0;
 }
@@ -566,8 +578,6 @@
 /* Fill configuration defaults. */
 fill_default_options(&options);
- channel_set_af(options.address_family);
-
 /* reinit */
 log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1);
@@ -577,20 +587,16 @@
 if (options.hostname != NULL) host = options.hostname;
- /* force lowercase for hostkey matching */
- if (options.host_key_alias != NULL) {
- for (p = options.host_key_alias; *p; p++) if (isupper(*p)) *p = tolower(*p);
+ /* Disable rhosts authentication if not running as root. */
+ if (original_effective_uid != 0 || !options.use_privileged_port) {
+ debug("Rhosts Authentication disabled, " "originating port will not be trusted.");
+ options.rhosts_authentication = 0;
 }
-
- if (options.proxy_command != NULL && strcmp(options.proxy_command, "none") == 0) options.proxy_command = NULL;
-
 /* Open a connection to the remote host. */
- if (ssh_connect(host, &hostaddr, options.port, options.address_family, options.connection_attempts,
+
+ if (ssh_connect(host, &hostaddr, options.port, IPv4or6,
+ options.connection_attempts,
 original_effective_uid == 0 && options.use_privileged_port, options.proxy_command) != 0) exit(1);
@@ -760,7 +766,7 @@
 if (!got_data) {
 u_int32_t rand = 0;
- logit("Warning: No xauth data; using fake authentication data for X11 forwarding.");
+ log("Warning: No xauth data; using fake authentication data for X11 forwarding.");
 strlcpy(proto, "MIT-MAGIC-COOKIE-1", sizeof proto);
 for (i = 0; i < 16; i++) {
 if (i % 4 == 0)
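Review bot: In the @@ -760 hunk the local `u_int32_t rand = 0;` shadows the C library function `rand()` from `<stdlib.h>`, which `-Wshadow` reports and which makes the fake-cookie loop read as though it used the libc PRNG; renaming it, e.g. `u_int32_t rnd = 0;` together with its uses in the loop, removes the ambiguity. The loop body, and therefore the source of the random bytes, continues outside the hunk.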
@@ -840,7 +846,7 @@
 if (type == SSH_SMSG_SUCCESS) packet_start_compression(options.compression_level);
 else if (type == SSH_SMSG_FAILURE)
- logit("Warning: Remote host refused compression.");
+ log("Warning: Remote host refused compression.");
 else packet_disconnect("Protocol error waiting for compression response.");
 }
@@ -879,7 +885,7 @@
 interactive = 1;
 have_tty = 1;
 } else if (type == SSH_SMSG_FAILURE)
- logit("Warning: Remote host failed or refused to allocate a pseudo tty.");
+ log("Warning: Remote host failed or refused to allocate a pseudo tty.");
 else packet_disconnect("Protocol error waiting for pty request response.");
 }
@@ -897,7 +903,7 @@
 if (type == SSH_SMSG_SUCCESS) {
 interactive = 1;
 } else if (type == SSH_SMSG_FAILURE) {
- logit("Warning: Remote host denied X11 forwarding.");
+ log("Warning: Remote host denied X11 forwarding.");
 } else {
 packet_disconnect("Protocol error waiting for X11 forwarding");
 }
@@ -916,7 +922,7 @@
 type = packet_read();
 packet_check_eom();
 if (type != SSH_SMSG_SUCCESS)
- logit("Warning: Remote host denied authentication agent forwarding.");
+ log("Warning: Remote host denied authentication agent forwarding.");
 }
 /* Initiate port forwardings. */
@@ -984,7 +990,7 @@
 options.remote_forwards[i].host, options.remote_forwards[i].host_port);
 if (type == SSH2_MSG_REQUEST_FAILURE)
- logit("Warning: remote port forwarding failed for listen port %d",
+ log("Warning: remote port forwarding failed for listen port %d",
 options.remote_forwards[i].port);
 }
@@ -1099,7 +1105,7 @@
 c = channel_new( "session", SSH_CHANNEL_OPENING, in, out, err, window, packetmax, CHAN_EXTENDED_WRITE,
- "client-session", /*nonblock*/0);
+ xstrdup("client-session"), /*nonblock*/0);
 debug3("ssh_session2_open: channel_new: %d", c->self);
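Review bot: In the @@ -1099 hunk `channel_new()` is handed a heap copy via `xstrdup("client-session")`, so ownership of the string passes to the channel; if `channel_new()` or the channel teardown does not free that argument (neither is visible here), this leaks one allocation per session. A comment at the call, `/* the channel owns remote_name and frees it on close */`, would make the contract explicit for the next reader. The enclosing function continues outside the hunk.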
@@ -1151,7 +1157,7 @@
 sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1));
 options.num_identity_files++;
 options.identity_keys[0] = keys[i];
- options.identity_files[0] = sc_get_key_label(keys[i]);
+ options.identity_files[0] = xstrdup("smartcard key");;
 }
 if (options.num_identity_files > SSH_MAX_IDENTITY_FILES) options.num_identity_files = SSH_MAX_IDENTITY_FILES;
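Review bot: `xstrdup("smartcard key");;` carries a stray second semicolon; drop it: `options.identity_files[0] = xstrdup("smartcard key");`. Every smartcard key also receives the identical label, so any diagnostic that later prints the identity file name cannot tell the keys apart; a per-key label would be needed here if that matters. The enclosing block starts outside the hunk.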