diff options
author | Damien Miller <djm@mindrot.org> | 2000-04-12 20:17:38 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2000-04-12 20:17:38 +1000 |
commit | 78928793fb23a3a4c80ae62eca6a7826b2987690 (patch) | |
tree | add8a953ac4cf06877b91624fe7f647b17e6cf6f /sshconnect.c | |
parent | efb4afe0265333ce554f699c2a19ae249dd8d1b5 (diff) |
- OpenBSD CVS updates:
- [channels.c]
repair x11-fwd
- [sshconnect.c]
fix passwd prompt for ssh2, less debugging output.
- [clientloop.c compat.c dsa.c kex.c sshd.c]
less debugging output
- [kex.c kex.h sshconnect.c sshd.c]
check for reasonable public DH values
- [README.openssh2 cipher.c cipher.h compat.c compat.h readconf.c]
[readconf.h servconf.c servconf.h ssh.c ssh.h sshconnect.c sshd.c]
add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers
arcfour,3des-cbc'
- [sshd.c]
print 1.99 only if server supports both
Diffstat (limited to 'sshconnect.c')
-rw-r--r-- | sshconnect.c | 91 |
1 files changed, 57 insertions, 34 deletions
diff --git a/sshconnect.c b/sshconnect.c index 2f949609..167b8e63 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.61 2000/04/04 21:37:27 markus Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.65 2000/04/12 07:56:16 markus Exp $"); #ifdef HAVE_OPENSSL #include <openssl/bn.h> @@ -993,7 +993,7 @@ void ssh_exchange_identification() { char buf[256], remote_version[256]; /* must be same size! */ - int remote_major, remote_minor, i; + int remote_major, remote_minor, i, mismatch; int connection_in = packet_get_connection_in(); int connection_out = packet_get_connection_out(); @@ -1027,39 +1027,51 @@ ssh_exchange_identification() debug("Remote protocol version %d.%d, remote software version %.100s", remote_major, remote_minor, remote_version); -/*** XXX option for disabling 2.0 or 1.5 */ compat_datafellows(remote_version); - - /* Check if the remote protocol version is too old. */ - if (remote_major == 1 && remote_minor < 3) - fatal("Remote machine has too old SSH software version."); - - /* We speak 1.3, too. */ - if (remote_major == 1 && remote_minor == 3) { - enable_compat13(); - if (options.forward_agent) { - log("Agent forwarding disabled for protocol 1.3"); - options.forward_agent = 0; + mismatch = 0; + + switch(remote_major) { + case 1: + if (remote_minor == 99 && + (options.protocol & SSH_PROTO_2) && + !(options.protocol & SSH_PROTO_1_PREFERRED)) { + enable_compat20(); + break; } + if (!(options.protocol & SSH_PROTO_1)) { + mismatch = 1; + break; + } + if (remote_minor < 3) { + fatal("Remote machine has too old SSH software version."); + } else if (remote_minor == 3) { + /* We speak 1.3, too. */ + enable_compat13(); + if (options.forward_agent) { + log("Agent forwarding disabled for protocol 1.3"); + options.forward_agent = 0; + } + } + break; + case 2: + if (options.protocol & SSH_PROTO_2) { + enable_compat20(); + break; + } + /* FALLTHROUGH */ + default: + mismatch = 1; + break; } - if ((remote_major == 2 && remote_minor == 0) || - (remote_major == 1 && remote_minor == 99)) { - enable_compat20(); - } -#if 0 - /* - * Removed for now, to permit compatibility with latter versions. The - * server will reject our version and disconnect if it doesn't - * support it. - */ - if (remote_major != PROTOCOL_MAJOR) + if (mismatch) fatal("Protocol major versions differ: %d vs. %d", - PROTOCOL_MAJOR, remote_major); -#endif + (options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, + remote_major); + /* Send our own protocol version identification. */ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", - compat20 ? 2 : PROTOCOL_MAJOR, - compat20 ? 0 : PROTOCOL_MINOR, + compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, + compat20 ? PROTOCOL_MINOR_2 : PROTOCOL_MINOR_1, SSH_VERSION); if (atomicio(write, connection_out, buf, strlen(buf)) != strlen(buf)) fatal("write: %.100s", strerror(errno)); @@ -1350,11 +1362,15 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) /* KEXINIT */ debug("Sending KEX init."); - if (options.cipher == SSH_CIPHER_ARCFOUR || + if (options.ciphers != NULL) { + myproposal[PROPOSAL_ENC_ALGS_CTOS] = + myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; + } else if ( + options.cipher == SSH_CIPHER_ARCFOUR || options.cipher == SSH_CIPHER_3DES_CBC || options.cipher == SSH_CIPHER_CAST128_CBC || options.cipher == SSH_CIPHER_BLOWFISH_CBC) { - myproposal[PROPOSAL_ENC_ALGS_CTOS] = cipher_name(options.cipher); + myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = cipher_name(options.cipher); } if (options.compression) { @@ -1404,7 +1420,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) debug("Sending SSH2_MSG_KEXDH_INIT."); /* generate and send 'e', client DH public key */ - dh = new_dh_group1(); + dh = dh_new_group1(); packet_start(SSH2_MSG_KEXDH_INIT); packet_put_bignum2(dh->pub_key); packet_send(); @@ -1451,6 +1467,9 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) /* signed H */ signature = packet_get_string(&slen); + if (!dh_pub_is_valid(dh, dh_server_pub)) + packet_disconnect("bad server public DH value"); + klen = DH_size(dh); kbuf = xmalloc(klen); kout = DH_compute_key(kbuf, dh_server_pub, dh); @@ -1507,12 +1526,13 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) packet_write_wait(); debug("done: send SSH2_MSG_NEWKEYS."); +#ifdef DEBUG_KEXDH /* send 1st encrypted/maced/compressed message */ packet_start(SSH2_MSG_IGNORE); packet_put_cstring("markus"); packet_send(); packet_write_wait(); - +#endif debug("done: KEX2."); } /* @@ -1527,6 +1547,7 @@ ssh_userauth2(int host_key_valid, RSA *own_host_key, unsigned int dlen; int partial; struct passwd *pw; + char prompt[80]; char *server_user, *local_user; char *auths; char *password; @@ -1578,7 +1599,9 @@ ssh_userauth2(int host_key_valid, RSA *own_host_key, fatal("passwd auth not supported: %s", auths); xfree(auths); /* try passwd */ - password = read_passphrase("password: ", 0); + snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ", + server_user, host); + password = read_passphrase(prompt, 0); packet_start(SSH2_MSG_USERAUTH_REQUEST); packet_put_cstring(server_user); packet_put_cstring(service); |