authorMarkus Friedl <markus@cvs.openbsd.org>1999-10-12 21:04:23 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>1999-10-12 21:04:23 +0000
commitcf71d89802ecf03b7d1dd8d61a4af630cfa5d7ce (patch)
tree980a983497b493d262b9ce174b6862a25e34e085 /usr.bin
parent8d90ee6eaa4d95c8a88d9cbfec824d75ac8d09c5 (diff)
-P/UsePrivilegedPort from 1.2.27, it turns off allocation of priv. port
and disables rhosts/rhosts-rsa, ok deraadt@
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/readconf.c13
-rw-r--r--usr.bin/ssh/readconf.h3
-rw-r--r--usr.bin/ssh/ssh.126
-rw-r--r--usr.bin/ssh/ssh.c16
4 files changed, 51 insertions, 7 deletions
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index 872794177dc..95886623098 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -14,7 +14,7 @@ Functions for reading the configuration files.
*/
#include "includes.h"
-RCSID("$Id: readconf.c,v 1.10 1999/10/06 20:07:42 dugsong Exp $");
+RCSID("$Id: readconf.c,v 1.11 1999/10/12 21:04:21 markus Exp $");
#include "ssh.h"
#include "cipher.h"
@@ -100,7 +100,8 @@ typedef enum
oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
- oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication
+ oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication,
+ oUsePrivilegedPort
} OpCodes;
/* Textual representations of the tokens. */
@@ -114,6 +115,7 @@ static struct
{ "forwardagent", oForwardAgent },
{ "forwardx11", oForwardX11 },
{ "gatewayports", oGatewayPorts },
+ { "useprivilegedports", oUsePrivilegedPort },
{ "rhostsauthentication", oRhostsAuthentication },
{ "passwordauthentication", oPasswordAuthentication },
{ "rsaauthentication", oRSAAuthentication },
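Review bot: The keyword added to the table is spelled `useprivilegedports` (plural), while the opcode `oUsePrivilegedPort`, the `use_privileged_port` field and the `UsePrivilegedPort` entry this commit adds to ssh.1 are all singular. The token lookup is outside this hunk, but if it matches the whole keyword, a configuration file written from the manual would be rejected as a bad option and only the undocumented plural would be accepted. The entry should read `{ "useprivilegedport", oUsePrivilegedPort },`. The table itself starts and ends outside the hunk.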
@@ -262,6 +264,10 @@ void process_config_line(Options *options, const char *host,
intptr = &options->gateway_ports;
goto parse_flag;
+ case oUsePrivilegedPort:
+ intptr = &options->use_privileged_port;
+ goto parse_flag;
+
case oRhostsAuthentication:
intptr = &options->rhosts_authentication;
goto parse_flag;
@@ -568,6 +574,7 @@ void initialize_options(Options *options)
options->forward_agent = -1;
options->forward_x11 = -1;
options->gateway_ports = -1;
+ options->use_privileged_port = -1;
options->rhosts_authentication = -1;
options->rsa_authentication = -1;
#ifdef KRB4
@@ -613,6 +620,8 @@ void fill_default_options(Options *options)
options->forward_x11 = 1;
if (options->gateway_ports == -1)
options->gateway_ports = 0;
+ if (options->use_privileged_port == -1)
+ options->use_privileged_port = 1;
if (options->rhosts_authentication == -1)
options->rhosts_authentication = 1;
if (options->rsa_authentication == -1)
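Review bot: The new default in fill_default_options has no comment saying why it is on, and it is the security-relevant choice in this hunk: with `use_privileged_port` left at 1 the client keeps binding a reserved source port, which the ssh.c part of this commit ties to rhosts and rhosts-RSA authentication. A one-line comment above the added `if` would record that, for example `/* Default on: rhosts and rhosts-RSA authentication need a reserved source port. */`. The function body continues outside the hunk.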
diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h
index b70195dea19..dceb0406800 100644
--- a/usr.bin/ssh/readconf.h
+++ b/usr.bin/ssh/readconf.h
@@ -13,7 +13,7 @@ Functions for reading the configuration file.
*/
-/* RCSID("$Id: readconf.h,v 1.6 1999/10/06 20:07:42 dugsong Exp $"); */
+/* RCSID("$Id: readconf.h,v 1.7 1999/10/12 21:04:22 markus Exp $"); */
#ifndef READCONF_H
#define READCONF_H
@@ -34,6 +34,7 @@ typedef struct
int forward_agent; /* Forward authentication agent. */
int forward_x11; /* Forward X11 display. */
int gateway_ports; /* Allow remote connects to forwarded ports. */
+ int use_privileged_port; /* Don't use privileged port if false. */
int rhosts_authentication; /* Try rhosts authentication. */
int rhosts_rsa_authentication;/* Try rhosts with RSA authentication. */
int rsa_authentication; /* Try RSA authentication. */
diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1
index 9b00433a3c8..35df1040a50 100644
--- a/usr.bin/ssh/ssh.1
+++ b/usr.bin/ssh/ssh.1
@@ -9,7 +9,7 @@
.\"
.\" Created: Sat Apr 22 21:55:14 1995 ylo
.\"
-.\" $Id: ssh.1,v 1.15 1999/10/11 20:40:08 markus Exp $
+.\" $Id: ssh.1,v 1.16 1999/10/12 21:04:22 markus Exp $
.\"
.Dd September 25, 1999
.Dt SSH 1
@@ -24,7 +24,7 @@
.Op Ar command
.Pp
.Nm ssh
-.Op Fl agknqtvxXC
+.Op Fl agknqtvxCPX
.Op Fl c Ar blowfish | 3des
.Op Fl e Ar escape_char
.Op Fl i Ar identity_file
@@ -345,6 +345,14 @@ configuration file.
.It Fl p Ar port
Port to connect to on the remote host. This can be specified on a
per-host basis in the configuration file.
+.It Fl P
+Use a non-privileged port for outgoing connections.
+This can be used if your firewall does
+not permit connections from privileged ports.
+Note that this option turns of
+.Cm RhostsAuthentication
+and
+.Cm RhostsRSAAuthentication .
.It Fl q
Quiet mode. Causes all warning and diagnostic messages to be
suppressed. Only fatal errors are displayed.
@@ -678,6 +686,20 @@ having to remember to give the user name on the command line.
.It Cm UserKnownHostsFile
Specifies a file to use instead of
.Pa $HOME/.ssh/known_hosts .
+.It Cm UsePrivilegedPort
+Specifies whether to use a privileged port for outgoing connections.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq yes .
+Note that setting this option to
+.Dq no
+turns of
+.Cm RhostsAuthentication
+and
+.Cm RhostsRSAAuthentication .
.It Cm UseRsh
Specifies that rlogin/rsh should be used for this host. It is
possible that the host does not at all support the
diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c
index bf9dc850276..9fce3199b8b 100644
--- a/usr.bin/ssh/ssh.c
+++ b/usr.bin/ssh/ssh.c
@@ -18,7 +18,7 @@ Modified to work with SSL by Niels Provos <provos@citi.umich.edu> in Canada.
*/
#include "includes.h"
-RCSID("$Id: ssh.c,v 1.22 1999/10/03 21:50:04 provos Exp $");
+RCSID("$Id: ssh.c,v 1.23 1999/10/12 21:04:22 markus Exp $");
#include "xmalloc.h"
#include "ssh.h"
@@ -97,6 +97,7 @@ usage()
fprintf(stderr, " -t Tty; allocate a tty even if command is given.\n");
fprintf(stderr, " -v Verbose; display verbose debugging messages.\n");
fprintf(stderr, " -V Display version number only.\n");
+ fprintf(stderr, " -P Don't allocate a privileged port.\n");
fprintf(stderr, " -q Quiet; don't display any warning messages.\n");
fprintf(stderr, " -f Fork into background after authentication.\n");
fprintf(stderr, " -e char Set escape character; ``none'' = disable (default: ~).\n");
@@ -274,6 +275,10 @@ main(int ac, char **av)
options.gateway_ports = 1;
break;
+ case 'P':
+ options.use_privileged_port = 0;
+ break;
+
case 'a':
options.forward_agent = 0;
break;
@@ -522,7 +527,14 @@ main(int ac, char **av)
restore_uid();
/* Open a connection to the remote host. This needs root privileges if
- rhosts_authentication is true. */
+ rhosts_{rsa_}authentication is true. */
+
+ if (!options.use_privileged_port)
+ {
+ options.rhosts_authentication = 0;
+ options.rhosts_rsa_authentication = 0;
+ }
+
ok = ssh_connect(host, &hostaddr, options.port, options.connection_attempts,
!options.rhosts_authentication &&
!options.rhosts_rsa_authentication,
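Review bot: The added block clears `rhosts_authentication` and `rhosts_rsa_authentication` without telling the user, so a configuration that enables them together with `UsePrivilegedPort no` (or `-P`) stops offering them with no trace, even under `-v`. A debug line inside the braces would make the override visible, e.g. `debug("Rhosts authentication disabled, not using a privileged port.");`, assuming the client's usual debug logger is in scope here. The block also now sits between the comment about root privileges and the ssh_connect() call that comment describes; it would read better placed above the comment with its own one-line explanation. The ssh_connect() call continues past the end of the hunk.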