diff options
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/ssh/authfd.c | 116 | ||||
-rw-r--r-- | usr.bin/ssh/authfd.h | 13 | ||||
-rw-r--r-- | usr.bin/ssh/channels.c | 84 | ||||
-rw-r--r-- | usr.bin/ssh/ssh-agent.1 | 26 | ||||
-rw-r--r-- | usr.bin/ssh/ssh-agent.c | 64 | ||||
-rw-r--r-- | usr.bin/ssh/ssh.1 | 15 | ||||
-rw-r--r-- | usr.bin/ssh/ssh.c | 4 | ||||
-rw-r--r-- | usr.bin/ssh/ssh.h | 4 | ||||
-rw-r--r-- | usr.bin/ssh/sshconnect.c | 10 | ||||
-rw-r--r-- | usr.bin/ssh/sshd.c | 9 | ||||
-rw-r--r-- | usr.bin/ssh/version.h | 2 |
11 files changed, 80 insertions, 267 deletions
diff --git a/usr.bin/ssh/authfd.c b/usr.bin/ssh/authfd.c index 6fc51c347b6..b70a824a2c1 100644 --- a/usr.bin/ssh/authfd.c +++ b/usr.bin/ssh/authfd.c @@ -14,7 +14,7 @@ Functions for connecting the local authentication agent. */ #include "includes.h" -RCSID("$Id: authfd.c,v 1.7 1999/10/05 22:18:52 markus Exp $"); +RCSID("$Id: authfd.c,v 1.8 1999/10/14 18:17:41 markus Exp $"); #include "ssh.h" #include "rsa.h" @@ -29,7 +29,7 @@ RCSID("$Id: authfd.c,v 1.7 1999/10/05 22:18:52 markus Exp $"); /* Returns the number of the authentication fd, or -1 if there is none. */ int -ssh_get_authentication_fd() +ssh_get_authentication_socket() { const char *authsocket; int sock; @@ -57,7 +57,7 @@ ssh_get_authentication_fd() /* Closes the agent socket if it should be closed (depends on how it was obtained). The argument must have been returned by - ssh_get_authentication_fd(). */ + ssh_get_authentication_socket(). */ void ssh_close_authentication_socket(int sock) { @@ -65,95 +65,6 @@ void ssh_close_authentication_socket(int sock) close(sock); } -/* Dummy alarm used to prevent waiting for connection from the - authentication agent indefinitely. */ - -static void dummy_alarm_handler(int sig) -{ - /* Do nothing; a cought signal will just cause accept to return. */ -} - -/* Opens a socket to the authentication server. Returns the number of - that socket, or -1 if no connection could be made. */ - -int ssh_get_authentication_connection_fd() -{ - int authfd; - int listen_sock, sock, port, addrlen; - int old_timeout; - void (*old_handler)(); - struct sockaddr_in sin; - char msg[3]; - - /* Get the the socket number from the environment. This is the socket - used to obtain the real authentication socket. */ - authfd = ssh_get_authentication_fd(); - if (authfd == -1) - return -1; - - /* Create a local socket for listening. */ - listen_sock = socket(AF_INET, SOCK_STREAM, 0); - if (listen_sock == -1) - { - ssh_close_authentication_socket(authfd); - return -1; - } - - /* Bind the socket to random unprivileged port. */ - memset(&sin, 0, sizeof(sin)); - sin.sin_family = AF_INET; - do - { - port = 32768 + (rand() % 30000); - sin.sin_port = htons(port); - } - while (bind(listen_sock, (struct sockaddr *)&sin, sizeof(sin)) < 0 && - errno == EADDRINUSE); - - /* Start listening for connections on the socket. */ - if (listen(listen_sock, 1) < 0) - { - error("listen: %.100s", strerror(errno)); - close(listen_sock); - ssh_close_authentication_socket(authfd); - return -1; - } - - /* Send a message to the authentication fd requesting the agent or its - local representative to connect to the given socket. Note that - we use send() to get the packet sent atomically (there can be several - clients trying to use the same authentication fd simultaneously). */ - msg[0] = (char)SSH_AUTHFD_CONNECT; - PUT_16BIT(msg + 1, port); - if (send(authfd, msg, 3, 0) < 0) - { - shutdown(listen_sock, SHUT_RDWR); - close(listen_sock); - ssh_close_authentication_socket(authfd); - return -1; - } - - /* Setup a timeout so we won't wait for the connection indefinitely. */ - old_timeout = alarm(120); - old_handler = signal(SIGALRM, dummy_alarm_handler); - - /* Wait for the connection from the agent or its representative. */ - addrlen = sizeof(sin); - sock = accept(listen_sock, (struct sockaddr *)&sin, &addrlen); - - /* Remove the alarm (restore its old values). */ - alarm(old_timeout); - signal(SIGALRM, old_handler); - - /* Close the socket we used for listening. It is no longer needed. - (The authentication fd and the new connection still remain open.) */ - shutdown(listen_sock, SHUT_RDWR); - close(listen_sock); - ssh_close_authentication_socket(authfd); - - return sock; -} - /* Opens and connects a private socket for communication with the authentication agent. Returns the file descriptor (which must be shut down and closed by the caller when no longer needed). @@ -165,8 +76,7 @@ AuthenticationConnection *ssh_get_authentication_connection() AuthenticationConnection *auth; int sock; - /* Get a connection to the authentication agent. */ - sock = ssh_get_authentication_connection_fd(); + sock = ssh_get_authentication_socket(); /* Fail if we couldn't obtain a connection. This happens if we exited due to a timeout. */ @@ -191,6 +101,8 @@ void ssh_close_authentication_connection(AuthenticationConnection *ac) buffer_free(&ac->packet); buffer_free(&ac->identities); close(ac->fd); + /* Free the connection data structure. */ + xfree(ac); } /* Returns the first authentication identity held by the agent. @@ -651,19 +563,3 @@ int ssh_remove_all_identities(AuthenticationConnection *auth) /*NOTREACHED*/ return 0; } - -/* Closes the connection to the authentication agent. */ - -void ssh_close_authentication(AuthenticationConnection *auth) -{ - /* Close the connection. */ - shutdown(auth->fd, SHUT_RDWR); - close(auth->fd); - - /* Free the buffers. */ - buffer_free(&auth->packet); - buffer_free(&auth->identities); - - /* Free the connection data structure. */ - xfree(auth); -} diff --git a/usr.bin/ssh/authfd.h b/usr.bin/ssh/authfd.h index f889830b820..5f362e02a74 100644 --- a/usr.bin/ssh/authfd.h +++ b/usr.bin/ssh/authfd.h @@ -13,16 +13,13 @@ Functions to interface with the SSH_AUTHENTICATION_FD socket. */ -/* RCSID("$Id: authfd.h,v 1.2 1999/09/28 04:45:35 provos Exp $"); */ +/* RCSID("$Id: authfd.h,v 1.3 1999/10/14 18:17:42 markus Exp $"); */ #ifndef AUTHFD_H #define AUTHFD_H #include "buffer.h" -/* Message types for SSH_AUTHENTICATION_FD socket. */ -#define SSH_AUTHFD_CONNECT 0xf0 - /* Messages for the authentication agent connection. */ #define SSH_AGENTC_REQUEST_RSA_IDENTITIES 1 #define SSH_AGENT_RSA_IDENTITIES_ANSWER 2 @@ -43,17 +40,13 @@ typedef struct } AuthenticationConnection; /* Returns the number of the authentication fd, or -1 if there is none. */ -int ssh_get_authentication_fd(); +int ssh_get_authentication_socket(); /* This should be called for any descriptor returned by - ssh_get_authentication_fd(). Depending on the way the descriptor was + ssh_get_authentication_socket(). Depending on the way the descriptor was obtained, this may close the descriptor. */ void ssh_close_authentication_socket(int authfd); -/* Opens a socket to the authentication server. Returns the number of - that socket, or -1 if no connection could be made. */ -int ssh_get_authentication_connection_fd(); - /* Opens and connects a private socket for communication with the authentication agent. Returns NULL if an error occurred and the connection could not be opened. The connection should be closed by diff --git a/usr.bin/ssh/channels.c b/usr.bin/ssh/channels.c index 7b70f115df9..a0eb88f6c91 100644 --- a/usr.bin/ssh/channels.c +++ b/usr.bin/ssh/channels.c @@ -16,7 +16,7 @@ arbitrary tcp/ip connections, and the authentication agent connection. */ #include "includes.h" -RCSID("$Id: channels.c,v 1.12 1999/10/05 22:18:52 markus Exp $"); +RCSID("$Id: channels.c,v 1.13 1999/10/14 18:17:42 markus Exp $"); #include "ssh.h" #include "packet.h" @@ -36,9 +36,9 @@ RCSID("$Id: channels.c,v 1.12 1999/10/05 22:18:52 markus Exp $"); #define SSH_CHANNEL_OPENING 3 /* waiting for confirmation */ #define SSH_CHANNEL_OPEN 4 /* normal open two-way channel */ #define SSH_CHANNEL_CLOSED 5 /* waiting for close confirmation */ -#define SSH_CHANNEL_AUTH_FD 6 /* authentication fd */ +/* SSH_CHANNEL_AUTH_FD 6 authentication fd */ #define SSH_CHANNEL_AUTH_SOCKET 7 /* authentication socket */ -#define SSH_CHANNEL_AUTH_SOCKET_FD 8 /* connection to auth socket */ +/* SSH_CHANNEL_AUTH_SOCKET_FD 8 connection to auth socket */ #define SSH_CHANNEL_X11_OPEN 9 /* reading first X11 packet */ #define SSH_CHANNEL_INPUT_DRAINING 10 /* sending remaining data to conn */ #define SSH_CHANNEL_OUTPUT_DRAINING 11 /* sending remaining data to app */ @@ -222,8 +222,6 @@ void channel_prepare_select(fd_set *readset, fd_set *writeset) case SSH_CHANNEL_X11_LISTENER: case SSH_CHANNEL_PORT_LISTENER: case SSH_CHANNEL_AUTH_SOCKET: - case SSH_CHANNEL_AUTH_SOCKET_FD: - case SSH_CHANNEL_AUTH_FD: FD_SET(ch->sock, readset); break; @@ -350,7 +348,7 @@ void channel_prepare_select(fd_set *readset, fd_set *writeset) void channel_after_select(fd_set *readset, fd_set *writeset) { struct sockaddr addr; - int addrlen, newsock, i, newch, len, port; + int addrlen, newsock, i, newch, len; Channel *ch; char buf[16384], *remote_hostname; @@ -417,40 +415,25 @@ void channel_after_select(fd_set *readset, fd_set *writeset) } break; - case SSH_CHANNEL_AUTH_FD: - /* This is the authentication agent file descriptor. It is used to - obtain the real connection to the agent. */ - case SSH_CHANNEL_AUTH_SOCKET_FD: - /* This is the temporary connection obtained by connecting the - authentication agent socket. */ - if (FD_ISSET(ch->sock, readset)) - { - len = recv(ch->sock, buf, sizeof(buf), 0); - if (len <= 0) - { - channel_free(i); - break; - } - if (len != 3 || (unsigned char)buf[0] != SSH_AUTHFD_CONNECT) - break; /* Ignore any messages of wrong length or type. */ - port = 256 * (unsigned char)buf[1] + (unsigned char)buf[2]; - packet_start(SSH_SMSG_AGENT_OPEN); - packet_put_int(port); - packet_send(); - } - break; - case SSH_CHANNEL_AUTH_SOCKET: /* This is the authentication agent socket listening for connections from clients. */ if (FD_ISSET(ch->sock, readset)) { + int nchan; len = sizeof(addr); newsock = accept(ch->sock, &addr, &len); if (newsock < 0) - error("Accept from authentication socket failed"); - (void)channel_allocate(SSH_CHANNEL_AUTH_SOCKET_FD, newsock, + { + error("accept from auth socket: %.100s", strerror(errno)); + break; + } + + nchan = channel_allocate(SSH_CHANNEL_OPENING, newsock, xstrdup("accepted auth socket")); + packet_start(SSH_SMSG_AGENT_OPEN); + packet_put_int(nchan); + packet_send(); } break; @@ -592,8 +575,6 @@ int channel_not_very_much_buffered_data() case SSH_CHANNEL_X11_LISTENER: case SSH_CHANNEL_PORT_LISTENER: case SSH_CHANNEL_AUTH_SOCKET: - case SSH_CHANNEL_AUTH_SOCKET_FD: - case SSH_CHANNEL_AUTH_FD: continue; case SSH_CHANNEL_OPEN: if (buffer_len(&ch->input) > 32768) @@ -762,9 +743,7 @@ int channel_still_open() case SSH_CHANNEL_X11_LISTENER: case SSH_CHANNEL_PORT_LISTENER: case SSH_CHANNEL_CLOSED: - case SSH_CHANNEL_AUTH_FD: case SSH_CHANNEL_AUTH_SOCKET: - case SSH_CHANNEL_AUTH_SOCKET_FD: continue; case SSH_CHANNEL_OPENING: case SSH_CHANNEL_OPEN: @@ -799,9 +778,7 @@ char *channel_open_message() case SSH_CHANNEL_X11_LISTENER: case SSH_CHANNEL_PORT_LISTENER: case SSH_CHANNEL_CLOSED: - case SSH_CHANNEL_AUTH_FD: case SSH_CHANNEL_AUTH_SOCKET: - case SSH_CHANNEL_AUTH_SOCKET_FD: continue; case SSH_CHANNEL_OPENING: case SSH_CHANNEL_OPEN: @@ -1437,22 +1414,26 @@ void auth_input_request_forwarding(struct passwd *pw) void auth_input_open_request() { - int port, sock, newch; + int remch, sock, newch; char *dummyname; - /* Read the port number from the message. */ - port = packet_get_int(); + /* Read the remote channel number from the message. */ + remch = packet_get_int(); /* Get a connection to the local authentication agent (this may again get forwarded). */ - sock = ssh_get_authentication_connection_fd(); + sock = ssh_get_authentication_socket(); - /* If we could not connect the agent, just return. This will cause the - client to timeout and fail. This should never happen unless the agent + /* If we could not connect the agent, send an error message back to + the server. This should never happen unless the agent dies, because authentication forwarding is only enabled if we have an agent. */ - if (sock < 0) + if (sock < 0){ + packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); + packet_put_int(remch); + packet_send(); return; + } debug("Forwarding authentication connection."); @@ -1461,15 +1442,12 @@ void auth_input_open_request() yet be freed at that point. */ dummyname = xstrdup("authentication agent connection"); - /* Allocate a channel for the new connection. */ - newch = channel_allocate(SSH_CHANNEL_OPENING, sock, dummyname); - - /* Fake a forwarding request. */ - packet_start(SSH_MSG_PORT_OPEN); + newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname); + channels[newch].remote_id = remch; + + /* Send a confirmation to the remote host. */ + packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); + packet_put_int(remch); packet_put_int(newch); - packet_put_string("localhost", strlen("localhost")); - packet_put_int(port); - if (have_hostname_in_open) - packet_put_string(dummyname, strlen(dummyname)); packet_send(); } diff --git a/usr.bin/ssh/ssh-agent.1 b/usr.bin/ssh/ssh-agent.1 index a9ae86224ac..c69517d8492 100644 --- a/usr.bin/ssh/ssh-agent.1 +++ b/usr.bin/ssh/ssh-agent.1 @@ -9,7 +9,7 @@ .\" .\" Created: Sat Apr 23 20:10:43 1995 ylo .\" -.\" $Id: ssh-agent.1,v 1.3 1999/10/02 13:10:26 deraadt Exp $ +.\" $Id: ssh-agent.1,v 1.4 1999/10/14 18:17:42 markus Exp $ .\" .Dd September 25, 1999 .Dt SSH-AGENT 1 @@ -58,27 +58,15 @@ However, the connection to the agent is forwarded over SSH remote logins, and the user can thus use the privileges given by the identities anywhere in the network in a secure way. .Pp -A connection to the agent is inherited by child programs. -There are two alternative -methods for inheriting the agent. The preferred method is to have an -open file descriptor which is inherited, and have an environment -variable -.Pq Ev SSH_AUTHENTICATION_FD -contain the number of this -descriptor. This restricts access to the authentication agent to only -those programs that are siblings of the agent, and it is fairly -difficult even for root to get unauthorized access to the agent. -.Pp -On some machines, an alternative method is used. A unix-domain -socket is created -.Pq Pa /tmp/ssh_agent.* , +A connection to the agent is inherited by child programs: +A unix-domain socket is created +.Pq Pa /tmp/ssh-XXXX/agent.<pid> , and the name of this socket is stored in the -.Ev SSH_AUTHENTICATION_SOCKET +.Ev SSH_AUTH_SOCKET environment variable. The socket is made accessible only to the current user. This method is easily abused by root or another instance of the same -user. The socket is only used if ssh is unable to find a file -descriptor that would not be closed by shells. +user. .Pp The agent exits automatically when the command given on the command line terminates. @@ -94,7 +82,7 @@ is not used by but is normally added to the agent using .Xr ssh-add 1 at login time. -.It Pa /tmp/ssh_agent.<pid> +.It Pa /tmp/ssh-XXXX/agent.<pid> , Unix-domain sockets used to contain the connection to the authentication agent. These sockets should only be readable by the owner. The sockets should get automatically removed when the agent diff --git a/usr.bin/ssh/ssh-agent.c b/usr.bin/ssh/ssh-agent.c index 24ad6179513..9d2ad675e53 100644 --- a/usr.bin/ssh/ssh-agent.c +++ b/usr.bin/ssh/ssh-agent.c @@ -14,7 +14,7 @@ The authentication agent program. */ #include "includes.h" -RCSID("$Id: ssh-agent.c,v 1.11 1999/10/07 22:46:32 markus Exp $"); +RCSID("$Id: ssh-agent.c,v 1.12 1999/10/14 18:17:42 markus Exp $"); #include "ssh.h" #include "rsa.h" @@ -31,8 +31,7 @@ RCSID("$Id: ssh-agent.c,v 1.11 1999/10/07 22:46:32 markus Exp $"); typedef struct { int fd; - enum { AUTH_UNUSED, AUTH_FD, AUTH_SOCKET, AUTH_SOCKET_FD, - AUTH_CONNECTION } type; + enum { AUTH_UNUSED, AUTH_SOCKET, AUTH_CONNECTION } type; Buffer input; Buffer output; } SocketEntry; @@ -324,6 +323,7 @@ process_message(SocketEntry *e) return; buffer_consume(&e->input, 4); type = buffer_get_char(&e->input); + switch (type) { case SSH_AGENTC_REQUEST_RSA_IDENTITIES: @@ -391,10 +391,8 @@ prepare_select(fd_set *readset, fd_set *writeset) for (i = 0; i < sockets_alloc; i++) switch (sockets[i].type) { - case AUTH_FD: - case AUTH_CONNECTION: case AUTH_SOCKET: - case AUTH_SOCKET_FD: + case AUTH_CONNECTION: FD_SET(sockets[i].fd, readset); if (buffer_len(&sockets[i].output) > 0) FD_SET(sockets[i].fd, writeset); @@ -410,9 +408,8 @@ prepare_select(fd_set *readset, fd_set *writeset) void after_select(fd_set *readset, fd_set *writeset) { unsigned int i; - int len, sock, port; + int len, sock; char buf[1024]; - struct sockaddr_in sin; struct sockaddr_un sunaddr; for (i = 0; i < sockets_alloc; i++) @@ -420,39 +417,6 @@ void after_select(fd_set *readset, fd_set *writeset) { case AUTH_UNUSED: break; - case AUTH_FD: - if (FD_ISSET(sockets[i].fd, readset)) - { - len = recv(sockets[i].fd, buf, sizeof(buf), 0); - if (len <= 0) - { /* All instances of the other side have been closed. */ - log("Authentication agent exiting."); - exit(0); - } - process_auth_fd_input: - if (len != 3 || (unsigned char)buf[0] != SSH_AUTHFD_CONNECT) - break; /* Incorrect message; ignore it. */ - /* It is a connection request message. */ - port = (unsigned char)buf[1] * 256 + (unsigned char)buf[2]; - memset(&sin, 0, sizeof(sin)); - sin.sin_family = AF_INET; - sin.sin_addr.s_addr = htonl(0x7f000001); /* localhost */ - sin.sin_port = htons(port); - sock = socket(AF_INET, SOCK_STREAM, 0); - if (sock < 0) - { - perror("socket"); - break; - } - if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) - { - perror("connecting to port requested in authfd message"); - close(sock); - break; - } - new_socket(AUTH_CONNECTION, sock); - } - break; case AUTH_SOCKET: if (FD_ISSET(sockets[i].fd, readset)) { @@ -463,21 +427,7 @@ void after_select(fd_set *readset, fd_set *writeset) perror("accept from AUTH_SOCKET"); break; } - new_socket(AUTH_SOCKET_FD, sock); - } - break; - case AUTH_SOCKET_FD: - if (FD_ISSET(sockets[i].fd, readset)) - { - len = recv(sockets[i].fd, buf, sizeof(buf), 0); - if (len <= 0) - { /* The other side has closed the socket. */ - shutdown(sockets[i].fd, SHUT_RDWR); - close(sockets[i].fd); - sockets[i].type = AUTH_UNUSED; - break; - } - goto process_auth_fd_input; + new_socket(AUTH_CONNECTION, sock); } break; case AUTH_CONNECTION: @@ -568,7 +518,7 @@ main(int ac, char **av) the authentication agent. */ if (fork() != 0) { /* Parent - execute the given command. */ - setenv("SSH_AUTHENTICATION_SOCKET", socket_name, 1); + setenv(SSH_AUTHSOCKET_ENV_NAME, socket_name, 1); execvp(av[1], av + 1); perror(av[1]); exit(1); diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1 index 35df1040a50..ab7da01c501 100644 --- a/usr.bin/ssh/ssh.1 +++ b/usr.bin/ssh/ssh.1 @@ -9,7 +9,7 @@ .\" .\" Created: Sat Apr 22 21:55:14 1995 ylo .\" -.\" $Id: ssh.1,v 1.16 1999/10/12 21:04:22 markus Exp $ +.\" $Id: ssh.1,v 1.17 1999/10/14 18:17:42 markus Exp $ .\" .Dd September 25, 1999 .Dt SSH 1 @@ -745,16 +745,9 @@ Set to the default .Ev PATH , as specified when compiling .Nm ssh . -.It Ev SSH_AUTHENTICATION_FD -This is set to an integer value if you are using the authentication -agent and a connection to it has been forwarded. The value indicates -a file descriptor number used for communicating with the agent. On -some systems, -.Ev SSH_AUTHENTICATION_SOCKET -may be used instead to -indicate the path of a unix-domain socket used to communicate with the -agent (this method is less secure, and is only used on systems that -don't support the first method). +.It Ev SSH_AUTH_SOCKET +indicates the path of a unix-domain socket used to communicate with the +agent. .It Ev SSH_CLIENT Identifies the client end of the connection. The variable contains three space-separated values: client ip-address, client port number, diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c index 9fce3199b8b..163eb8787cf 100644 --- a/usr.bin/ssh/ssh.c +++ b/usr.bin/ssh/ssh.c @@ -18,7 +18,7 @@ Modified to work with SSL by Niels Provos <provos@citi.umich.edu> in Canada. */ #include "includes.h" -RCSID("$Id: ssh.c,v 1.23 1999/10/12 21:04:22 markus Exp $"); +RCSID("$Id: ssh.c,v 1.24 1999/10/14 18:17:42 markus Exp $"); #include "xmalloc.h" #include "ssh.h" @@ -736,7 +736,7 @@ main(int ac, char **av) packet_set_interactive(interactive, options.keepalives); /* Clear agent forwarding if we don\'t have an agent. */ - authfd = ssh_get_authentication_fd(); + authfd = ssh_get_authentication_socket(); if (authfd < 0) options.forward_agent = 0; else diff --git a/usr.bin/ssh/ssh.h b/usr.bin/ssh/ssh.h index e638acfef6b..d7a568fa555 100644 --- a/usr.bin/ssh/ssh.h +++ b/usr.bin/ssh/ssh.h @@ -13,7 +13,7 @@ Generic header file for ssh. */ -/* RCSID("$Id: ssh.h,v 1.10 1999/10/11 20:00:36 markus Exp $"); */ +/* RCSID("$Id: ssh.h,v 1.11 1999/10/14 18:17:42 markus Exp $"); */ #ifndef SSH_H #define SSH_H @@ -118,7 +118,7 @@ only by root, whereas ssh_config should be world-readable. */ /* Name of the environment variable containing the pathname of the authentication socket. */ -#define SSH_AUTHSOCKET_ENV_NAME "SSH_AUTHENTICATION_SOCKET" +#define SSH_AUTHSOCKET_ENV_NAME "SSH_AUTH_SOCKET" /* Force host key length and server key length to differ by at least this many bits. This is to make double encryption with rsaref work. */ diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c index c7167568a0d..29b16b31d63 100644 --- a/usr.bin/ssh/sshconnect.c +++ b/usr.bin/ssh/sshconnect.c @@ -15,7 +15,7 @@ login (authentication) dialog. */ #include "includes.h" -RCSID("$Id: sshconnect.c,v 1.16 1999/10/06 20:07:42 dugsong Exp $"); +RCSID("$Id: sshconnect.c,v 1.17 1999/10/14 18:17:42 markus Exp $"); #include <ssl/bn.h> #include "xmalloc.h" @@ -886,6 +886,7 @@ void ssh_exchange_identification() int remote_major, remote_minor, i; int connection_in = packet_get_connection_in(); int connection_out = packet_get_connection_out(); + extern Options options; /* Read other side\'s version identification. */ for (i = 0; i < sizeof(buf) - 1; i++) @@ -913,6 +914,13 @@ void ssh_exchange_identification() fatal("Bad remote protocol version identification: '%.100s'", buf); debug("Remote protocol version %d.%d, remote software version %.100s", remote_major, remote_minor, remote_version); + + if (options.forward_agent && strcmp(remote_version, SSH_VERSION) != 0) + { + log("Agent forwarding disabled, remote version is not '%s'.", + SSH_VERSION); + options.forward_agent = 0; + } #if 0 /* Removed for now, to permit compatibility with latter versions. The server will reject our version and disconnect if it doesn't support it. */ diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c index 74744bce259..604fd9c0098 100644 --- a/usr.bin/ssh/sshd.c +++ b/usr.bin/ssh/sshd.c @@ -18,7 +18,7 @@ agent connections. */ #include "includes.h" -RCSID("$Id: sshd.c,v 1.30 1999/10/12 18:11:55 markus Exp $"); +RCSID("$Id: sshd.c,v 1.31 1999/10/14 18:17:42 markus Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -713,6 +713,13 @@ main(int ac, char **av) if (remote_major == 1 && remote_minor == 0) packet_disconnect("Your ssh version is too old and is no longer supported. Please install a newer version."); + if (strcmp(remote_version, SSH_VERSION) != 0) + { + debug("Agent forwarding disabled, remote version is not '%s'.", + SSH_VERSION); + no_agent_forwarding_flag = 1; + } + /* Check whether logins are permitted from this host. */ if (options.num_allow_hosts > 0) { diff --git a/usr.bin/ssh/version.h b/usr.bin/ssh/version.h index beca9efff36..2d83dc3983d 100644 --- a/usr.bin/ssh/version.h +++ b/usr.bin/ssh/version.h @@ -1 +1 @@ -#define SSH_VERSION "OpenSSH-1.0" +#define SSH_VERSION "OpenSSH-1.1" |