src - OpenBSD base system

diff options


context:
space:
mode:

author	Markus Friedl <markus@cvs.openbsd.org>	2000-05-06 17:45:38 +0000
committer	Markus Friedl <markus@cvs.openbsd.org>	2000-05-06 17:45:38 +0000
commit	40f6fa7dc9ff66b67b05fd7b606d260f236187d6 (patch)
tree	e5a7ec5eaec90a0c6d75858dccc4b128611eb0f9 /usr.bin/ssh
parent	014c80dc72bcfa6e8244f83925b8e752c7fcdc53 (diff)

add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8

Diffstat (limited to 'usr.bin/ssh')

-rw-r--r--

usr.bin/ssh/auth2.c

-rw-r--r--

usr.bin/ssh/readconf.c

-rw-r--r--

usr.bin/ssh/readconf.h

-rw-r--r--

usr.bin/ssh/servconf.c

-rw-r--r--

usr.bin/ssh/servconf.h

-rw-r--r--

usr.bin/ssh/ssh.1

-rw-r--r--

usr.bin/ssh/sshconnect2.c

-rw-r--r--

usr.bin/ssh/sshd.8

8 files changed, 80 insertions, 17 deletions

diff --git a/usr.bin/ssh/auth2.c b/usr.bin/ssh/auth2.c
index 452885e6514..ad55bb769d5 100644
--- a/usr.bin/ssh/auth2.c
+++ b/usr.bin/ssh/auth2.c

@@ -27,7 +27,7 @@

* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

#include "includes.h"

-RCSID("$OpenBSD: auth2.c,v 1.6 2000/05/05 18:50:57 markus Exp $");

+RCSID("$OpenBSD: auth2.c,v 1.7 2000/05/06 17:45:36 markus Exp $");

#include <openssl/dsa.h>

#include <openssl/rsa.h>

@@ -261,7 +261,7 @@ ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen)

int have_sig;

int authenticated = 0;

- if (options.rsa_authentication == 0) {

+ if (options.dsa_authentication == 0) {

debug("pubkey auth disabled");

return 0;

}

diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index 0271ba99a76..a893460ad26 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c

@@ -14,7 +14,7 @@

#include "includes.h"

-RCSID("$Id: readconf.c,v 1.29 2000/05/02 22:18:04 markus Exp $");

+RCSID("$Id: readconf.c,v 1.30 2000/05/06 17:45:36 markus Exp $");

#include "ssh.h"

#include "cipher.h"

@@ -105,7 +105,7 @@ typedef enum {

oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,

oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication,

oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oIdentityFile2,

- oGlobalKnownHostsFile2, oUserKnownHostsFile2

+ oGlobalKnownHostsFile2, oUserKnownHostsFile2, oDSAAuthentication

} OpCodes;

/* Textual representations of the tokens. */

@@ -121,6 +121,7 @@ static struct {

{ "rhostsauthentication", oRhostsAuthentication },

{ "passwordauthentication", oPasswordAuthentication },

{ "rsaauthentication", oRSAAuthentication },

+ { "dsaauthentication", oDSAAuthentication },

{ "skeyauthentication", oSkeyAuthentication },

#ifdef KRB4

{ "kerberosauthentication", oKerberosAuthentication },

@@ -290,6 +291,10 @@ parse_flag:

intptr = &options->password_authentication;

goto parse_flag;

+ case oDSAAuthentication:

+ intptr = &options->dsa_authentication;

+ goto parse_flag;

case oRSAAuthentication:

intptr = &options->rsa_authentication;

goto parse_flag;

@@ -637,6 +642,7 @@ initialize_options(Options * options)

options->use_privileged_port = -1;

options->rhosts_authentication = -1;

options->rsa_authentication = -1;

+ options->dsa_authentication = -1;

options->skey_authentication = -1;

#ifdef KRB4

options->kerberos_authentication = -1;

@@ -696,6 +702,8 @@ fill_default_options(Options * options)

options->rhosts_authentication = 1;

if (options->rsa_authentication == -1)

options->rsa_authentication = 1;

+ if (options->dsa_authentication == -1)

+ options->dsa_authentication = 1;

if (options->skey_authentication == -1)

options->skey_authentication = 0;

#ifdef KRB4

diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h
index ca685f30957..cf16cb0fc23 100644
--- a/usr.bin/ssh/readconf.h
+++ b/usr.bin/ssh/readconf.h

@@ -13,7 +13,7 @@

-/* RCSID("$Id: readconf.h,v 1.16 2000/04/26 20:56:29 markus Exp $"); */

+/* RCSID("$Id: readconf.h,v 1.17 2000/05/06 17:45:36 markus Exp $"); */

#ifndef READCONF_H

#define READCONF_H

@@ -36,6 +36,7 @@ typedef struct {

int rhosts_rsa_authentication; /* Try rhosts with RSA

* authentication. */

int rsa_authentication; /* Try RSA authentication. */

+ int dsa_authentication; /* Try DSA authentication. */

int skey_authentication; /* Try S/Key or TIS authentication. */

#ifdef KRB4

int kerberos_authentication; /* Try Kerberos

diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 0787c2c1c63..ae044c28d21 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c

@@ -12,7 +12,7 @@

#include "includes.h"

-RCSID("$Id: servconf.c,v 1.38 2000/05/03 18:03:06 markus Exp $");

+RCSID("$Id: servconf.c,v 1.39 2000/05/06 17:45:36 markus Exp $");

#include "ssh.h"

#include "servconf.h"

@@ -51,6 +51,7 @@ initialize_server_options(ServerOptions *options)

options->rhosts_authentication = -1;

options->rhosts_rsa_authentication = -1;

options->rsa_authentication = -1;

+ options->dsa_authentication = -1;

#ifdef KRB4

options->kerberos_authentication = -1;

options->kerberos_or_local_passwd = -1;

@@ -122,6 +123,8 @@ fill_default_server_options(ServerOptions *options)

options->rhosts_rsa_authentication = 0;

if (options->rsa_authentication == -1)

options->rsa_authentication = 1;

+ if (options->dsa_authentication == -1)

+ options->dsa_authentication = 1;

#ifdef KRB4

if (options->kerberos_authentication == -1)

options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);

@@ -174,7 +177,7 @@ typedef enum {

sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,

sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,

sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,

- sGatewayPorts

+ sGatewayPorts, sDSAAuthentication

} ServerOpCodes;

/* Textual representation of the tokens. */

@@ -195,6 +198,7 @@ static struct {

{ "rhostsauthentication", sRhostsAuthentication },

{ "rhostsrsaauthentication", sRhostsRSAAuthentication },

{ "rsaauthentication", sRSAAuthentication },

+ { "dsaauthentication", sDSAAuthentication },

#ifdef KRB4

{ "kerberosauthentication", sKerberosAuthentication },

{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },

@@ -450,6 +454,10 @@ parse_flag:

intptr = &options->rsa_authentication;

goto parse_flag;

+ case sDSAAuthentication:

+ intptr = &options->dsa_authentication;

+ goto parse_flag;

#ifdef KRB4

case sKerberosAuthentication:

intptr = &options->kerberos_authentication;

diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index 91928114e55..4fa6deea6f5 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h

@@ -13,7 +13,7 @@

-/* RCSID("$Id: servconf.h,v 1.21 2000/05/03 18:03:07 markus Exp $"); */

+/* RCSID("$Id: servconf.h,v 1.22 2000/05/06 17:45:37 markus Exp $"); */

#ifndef SERVCONF_H

#define SERVCONF_H

@@ -59,6 +59,7 @@ typedef struct {

int rhosts_rsa_authentication; /* If true, permit rhosts RSA

* authentication. */

int rsa_authentication; /* If true, permit RSA authentication. */

+ int dsa_authentication; /* If true, permit DSA authentication. */

#ifdef KRB4

int kerberos_authentication; /* If true, permit Kerberos

* authentication. */

diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1
index 9b8b37ec9dd..6b484936c92 100644
--- a/usr.bin/ssh/ssh.1
+++ b/usr.bin/ssh/ssh.1

@@ -9,7 +9,7 @@

.\"

.\" Created: Sat Apr 22 21:55:14 1995 ylo

.\"

-.\" $Id: ssh.1,v 1.49 2000/05/03 22:01:09 markus Exp $

+.\" $Id: ssh.1,v 1.50 2000/05/06 17:45:37 markus Exp $

.\"

.Dd September 25, 1999

.Dt SSH 1

@@ -502,7 +502,7 @@ logging in as root on the remote machine.

.It Fl 2

Forces

.Nm

-to use protocol version 2 only.

+to try protocol version 2 only.

.It Fl 4

Forces

.Nm

@@ -619,6 +619,15 @@ Specifies the number of tries (one per second) to make before falling

back to rsh or exiting.

The argument must be an integer.

This may be useful in scripts if the connection sometimes fails.

+.It Cm DSAAuthentication

+Specifies whether to try DSA authentication.

+The argument to this keyword must be

+.Dq yes

+or

+.Dq no .

+DSA authentication will only be

+attempted if a DSA identity file exists.

+Note that this option applies to protocol version 2 only.

.It Cm EscapeChar

Sets the escape character (default:

.Ql ~ ) .

@@ -758,6 +767,7 @@ The argument to this keyword must be

.Dq yes

.Dq no .

+Note that this option applies to both protocol version 1 and 2.

.It Cm Port

Specifies the port number to connect on the remote host.

Default is 22.

@@ -840,6 +850,7 @@ or

RSA authentication will only be

attempted if the identity file exists, or an authentication agent is

running.

+Note that this option applies to protocol version 1 only.

.It Cm SkeyAuthentication

Specifies whether to use

.Xr skey 1

diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c
index a92e578e63c..17325b097ff 100644
--- a/usr.bin/ssh/sshconnect2.c
+++ b/usr.bin/ssh/sshconnect2.c

@@ -28,7 +28,7 @@

#include "includes.h"

-RCSID("$OpenBSD: sshconnect2.c,v 1.6 2000/05/03 17:55:21 markus Exp $");

+RCSID("$OpenBSD: sshconnect2.c,v 1.7 2000/05/06 17:45:37 markus Exp $");

#include <openssl/bn.h>

#include <openssl/rsa.h>

@@ -432,7 +432,7 @@ ssh_userauth2(const char *server_user, char *host)

packet_done();

if (partial)

debug("partial success");

- if (options.rsa_authentication &&

+ if (options.dsa_authentication &&

strstr(auths, "publickey") != NULL) {

while (i < options.num_identity_files2) {

sent = ssh2_try_pubkey(

diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8
index 3288a2eb20c..52b5273179d 100644
--- a/usr.bin/ssh/sshd.8
+++ b/usr.bin/ssh/sshd.8

@@ -9,7 +9,7 @@

.\"

.\" Created: Sat Apr 22 21:55:14 1995 ylo

.\"

-.\" $Id: sshd.8,v 1.48 2000/05/03 22:19:29 markus Exp $

+.\" $Id: sshd.8,v 1.49 2000/05/06 17:45:37 markus Exp $

.\"

.Dd September 25, 1999

.Dt SSHD 8

@@ -46,9 +46,14 @@ daemon for each incoming connection.

The forked daemons handle

key exchange, encryption, authentication, command execution,

and data exchange.

-.Pp

+This implementation of

+.Nm

+supports both SSH protocol version 1 and 2 simultaneously.

.Nm

works as follows.

+.Pp

+.Ss SSH protocol version 1

+.Pp

Each host has a host-specific RSA key

(normally 1024 bits) used to identify the host.

Additionally, when

@@ -59,7 +64,7 @@ is never stored on disk.

Whenever a client connects the daemon responds with its public

host and server keys.

The client compares the

-host key against its own database to verify that it has not changed.

+RSA host key against its own database to verify that it has not changed.

The client then generates a 256 bit random number.

It encrypts this

random number using both the host key and the server key, and sends

@@ -97,6 +102,28 @@ and

.Xr rsh 1

into the machine).

.Pp

+.Ss SSH protocol version 2

+.Pp

+Version 2 works similar:

+Each host has a host-specific DSA key used to identify the host.

+However, when the daemon starts, it does not generate a server key.

+Forward security is provided through a Diffie-Hellman key agreement.

+This key agreement results in a shared session key.

+The rest of the session is encrypted

+using a symmetric cipher, currently

+Blowfish, 3DES or CAST128 in CBC mode or Arcfour.

+The client selects the encryption algorithm

+to use from those offered by the server.

+Additionally, session integrity is provided

+through a crytographic message authentication code

+(hmac-sha1 or hmac-md5).

+.Pp

+Protocol version 2 provides a public key based

+user authentication method (DSAAuthentication)

+and conventional password authentication.

+.Pp

+.Ss Command execution and data forwarding

+.Pp

If the client successfully authenticates itself, a dialog for

preparing the session is entered.

At this time the client may request

@@ -148,7 +175,7 @@ If the client fails to authenticate the user within

this many seconds, the server disconnects and exits.

A value of zero indicates no limit.

.It Fl h Ar host_key_file

-Specifies the file from which the host key is read (default

+Specifies the file from which the RSA host key is read (default

.Pa /etc/ssh_host_key ) .

This option must be given if

.Nm

@@ -280,6 +307,11 @@ and

can be used as wildcards in the patterns.

Only user names are valid, a numerical user ID isn't recognized.

By default login is allowed regardless of the user name.

+.It Cm DSAAuthentication

+Specifies whether DSA authentication is allowed.

+The default is

+.Dq yes .

+Note that this option applies to protocol version 2 only.

.It Cm GatewayPorts

Specifies whether remote hosts are allowed to connect to ports

forwarded for the client.

@@ -407,6 +439,7 @@ and is not recommended.

Specifies whether password authentication is allowed.

The default is

.Dq yes .

+Note that this option applies to both protocol version 1 and 2.

.It Cm PermitEmptyPasswords

When password authentication is allowed, it specifies whether the

server allows login to accounts with empty password strings.

@@ -488,6 +521,7 @@ The default is

Specifies whether pure RSA authentication is allowed.

The default is

.Dq yes .

+Note that this option applies to protocol version 1 only.

.It Cm ServerKeyBits

Defines the number of bits in the server key.

The minimum value is 512, and the default is 768.

@@ -701,7 +735,7 @@ to indicate negation: if the host name matches a negated

pattern, it is not accepted (by that line) even if it matched another

pattern on the line.

.Pp

-Bits, exponent, and modulus are taken directly from the host key; they

+Bits, exponent, and modulus are taken directly from the RSA host key; they

can be obtained, e.g., from

.Pa /etc/ssh_host_key.pub .

The optional comment field continues to the end of the line, and is not used.