- (djm) Sync with OpenBSD:

- markus@cvs.openbsd.org  2000/10/14 04:01:15
     [cipher.c]
     debug3
   - markus@cvs.openbsd.org  2000/10/14 04:07:23
     [scp.c]
     remove spaces from arguments; from djm@mindrot.org
   - markus@cvs.openbsd.org  2000/10/14 06:09:46
     [ssh.1]
     Cipher is for SSH-1 only
   - markus@cvs.openbsd.org  2000/10/14 06:12:09
     [servconf.c servconf.h serverloop.c session.c sshd.8]
     AllowTcpForwarding; from naddy@
   - markus@cvs.openbsd.org  2000/10/14 06:16:56
     [auth2.c compat.c compat.h sshconnect2.c version.h]
     OpenSSH_2.3; note that is is not complete, but the version number
     needs to be changed for interoperability reasons
   - markus@cvs.openbsd.org  2000/10/14 06:19:45
     [auth-rsa.c]
     do not send RSA challenge if key is not allowed by key-options; from
     eivind@ThinkSec.com
   - markus@cvs.openbsd.org  2000/10/15 08:14:01
     [rijndael.c session.c]
     typos; from stevesk@sweden.hp.com
   - markus@cvs.openbsd.org  2000/10/15 08:18:31
     [rijndael.c]
     typo
 - Copy manpages back over from OpenBSD - too tedious to wade through diffs

ChangeLog

@@ -1,3 +1,32 @@
+20001016
+ - (djm) Sync with OpenBSD:
+   - markus@cvs.openbsd.org  2000/10/14 04:01:15
+     [cipher.c]
+     debug3
+   - markus@cvs.openbsd.org  2000/10/14 04:07:23
+     [scp.c]
+     remove spaces from arguments; from djm@mindrot.org
+   - markus@cvs.openbsd.org  2000/10/14 06:09:46
+     [ssh.1]
+     Cipher is for SSH-1 only
+   - markus@cvs.openbsd.org  2000/10/14 06:12:09
+     [servconf.c servconf.h serverloop.c session.c sshd.8]
+     AllowTcpForwarding; from naddy@
+   - markus@cvs.openbsd.org  2000/10/14 06:16:56
+     [auth2.c compat.c compat.h sshconnect2.c version.h]
+     OpenSSH_2.3; note that is is not complete, but the version number 
+     needs to be changed for interoperability reasons
+   - markus@cvs.openbsd.org  2000/10/14 06:19:45
+     [auth-rsa.c]
+     do not send RSA challenge if key is not allowed by key-options; from
+     eivind@ThinkSec.com
+   - markus@cvs.openbsd.org  2000/10/15 08:14:01
+     [rijndael.c session.c]
+     typos; from stevesk@sweden.hp.com
+   - markus@cvs.openbsd.org  2000/10/15 08:18:31
+     [rijndael.c]
+     typo
+
 20001015
  - (djm) Fix ssh2 hang on background processes at logout.
 

auth-rsa.c

@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-rsa.c,v 1.31 2000/10/11 19:59:52 markus Exp $");
+RCSID("$OpenBSD: auth-rsa.c,v 1.32 2000/10/14 12:19:45 markus Exp $");
 
 #include "rsa.h"
 #include "packet.h"
@@ -231,6 +231,12 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 			}
 		} else
 			options = NULL;
+		/*
+		 * If our options do not allow this key to be used,
+		 * do not send challenge.
+		 */
+		if (!auth_parse_options(pw, options, linenum))
+			continue;
 
 		/* Parse the key from the line. */
 		if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) {
@@ -269,9 +275,8 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 		 * Break out of the loop if authentication was successful;
 		 * otherwise continue searching.
 		 */
-		authenticated = auth_parse_options(pw, options, linenum);
-		if (authenticated)
-			break;
+		authenticated = 1;
+		break;
 	}
 
 	/* Restore the privileged uid. */

auth2.c

@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.19 2000/10/11 20:27:23 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $");
 
 #ifdef HAVE_OSF_SIA
 # include <sia.h>
@@ -442,10 +442,10 @@ userauth_pubkey(Authctxt *authctxt)
 			sig = packet_get_string(&slen);
 			packet_done();
 			buffer_init(&b);
-			if (datafellows & SSH_COMPAT_SESSIONID_ENCODING) {
-				buffer_put_string(&b, session_id2, session_id2_len);
-			} else {
+			if (datafellows & SSH_OLD_SESSIONID) {
 				buffer_append(&b, session_id2, session_id2_len);
+			} else {
+				buffer_put_string(&b, session_id2, session_id2_len);
 			}
 			/* reconstruct packet */
 			buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);

cipher.c

@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: cipher.c,v 1.35 2000/10/13 18:59:13 markus Exp $");
+RCSID("$OpenBSD: cipher.c,v 1.36 2000/10/14 10:01:15 markus Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -488,10 +488,10 @@ ciphers_valid(const char *names)
 			xfree(ciphers);
 			return 0;
 		} else {
-			debug("cipher ok: %s [%s]", p, names);
+			debug3("cipher ok: %s [%s]", p, names);
 		}
 	}
-	debug("ciphers ok: [%s]", names);
+	debug3("ciphers ok: [%s]", names);
 	xfree(ciphers);
 	return 1;
 }

compat.c

@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: compat.c,v 1.24 2000/10/10 20:20:45 markus Exp $");
+RCSID("$OpenBSD: compat.c,v 1.25 2000/10/14 12:16:56 markus Exp $");
 
 #include "ssh.h"
 #include "packet.h"
@@ -62,13 +62,18 @@ compat_datafellows(const char *version)
 		char	*pat;
 		int	bugs;
 	} check[] = {
-		{"^.*MindTerm",		0},
-		{"^2\\.1\\.0 ",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC},
-		{"^2\\.0\\.",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|SSH_BUG_PUBKEYAUTH|SSH_BUG_X11FWD},
-		{"^2\\.[23]\\.0 ",	SSH_BUG_HMAC|SSH_COMPAT_SESSIONID_ENCODING},
-		{"^2\\.[2-9]\\.",	SSH_COMPAT_SESSIONID_ENCODING},
-		{"^2\\.",		SSH_BUG_HMAC|SSH_COMPAT_SESSIONID_ENCODING},
-		{NULL,			0}
+		{ "^OpenSSH-2\\.[01]",	SSH_OLD_SESSIONID },
+		{ "^OpenSSH_2\\.2",	SSH_OLD_SESSIONID },
+		{ "MindTerm",		0 },
+		{ "^2\\.1\\.0 ",	SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+					SSH_OLD_SESSIONID },
+		{ "^2\\.0\\.",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+					SSH_OLD_SESSIONID|
+					SSH_BUG_PUBKEYAUTH|SSH_BUG_X11FWD },
+		{ "^2\\.[23]\\.0 ",	SSH_BUG_HMAC},
+		{ "^2\\.[2-9]\\.",	0 },
+		{ "^2\\.",		SSH_BUG_HMAC},		/* XXX fallback */
+		{ NULL,			0 }
 	};
 	/* process table, return first match */
 	for (i = 0; check[i].pat; i++) {

compat.h

@@ -21,7 +21,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-/* RCSID("$OpenBSD: compat.h,v 1.10 2000/09/07 20:27:50 deraadt Exp $"); */
+/* RCSID("$OpenBSD: compat.h,v 1.11 2000/10/14 12:16:56 markus Exp $"); */
 
 #ifndef COMPAT_H
 #define COMPAT_H
@@ -35,7 +35,7 @@
 #define SSH_BUG_PUBKEYAUTH	0x02
 #define SSH_BUG_HMAC		0x04
 #define SSH_BUG_X11FWD		0x08
-#define SSH_COMPAT_SESSIONID_ENCODING		0x10
+#define SSH_OLD_SESSIONID	0x10
 
 void    enable_compat13(void);
 void    enable_compat20(void);

scp.c

@@ -75,7 +75,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: scp.c,v 1.41 2000/10/11 20:03:27 markus Exp $");
+RCSID("$OpenBSD: scp.c,v 1.42 2000/10/14 10:07:21 markus Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -266,13 +266,13 @@ main(argc, argv)
 		case 'o':
 		case 'c':
 		case 'i':
-			addargs("-%c %s", ch, optarg);
+			addargs("-%c%s", ch, optarg);
 			break;
 		case 'P':
-			addargs("-p %s", optarg);
+			addargs("-p%s", optarg);
 			break;
 		case 'B':
-			addargs("-o Batchmode yes");
+			addargs("-oBatchmode yes");
 			break;
 		case 'p':
 			pflag = 1;

servconf.c

@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.52 2000/10/11 20:14:39 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.53 2000/10/14 12:12:09 markus Exp $");
 
 #include "ssh.h"
 #include "servconf.h"
@@ -67,6 +67,7 @@ initialize_server_options(ServerOptions *options)
 #endif
 	options->permit_empty_passwd = -1;
 	options->use_login = -1;
+	options->allow_tcp_forwarding = -1;
 	options->num_allow_users = 0;
 	options->num_deny_users = 0;
 	options->num_allow_groups = 0;
@@ -159,6 +160,8 @@ fill_default_server_options(ServerOptions *options)
 		options->permit_empty_passwd = 0;
 	if (options->use_login == -1)
 		options->use_login = 0;
+	if (options->allow_tcp_forwarding == -1)
+		options->allow_tcp_forwarding = 1;
 	if (options->protocol == SSH_PROTO_UNKNOWN)
 		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
 	if (options->gateway_ports == -1)
@@ -189,7 +192,8 @@ typedef enum {
 	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
 	sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
 	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
-	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
+	sUseLogin, sAllowTcpForwarding,
+	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 	sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
 	sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem, sMaxStartups
 } ServerOpCodes;
@@ -240,6 +244,7 @@ static struct {
 	{ "uselogin", sUseLogin },
 	{ "randomseed", sRandomSeedFile },
 	{ "keepalive", sKeepAlives },
+	{ "allowtcpforwarding", sAllowTcpForwarding },
 	{ "allowusers", sAllowUsers },
 	{ "denyusers", sDenyUsers },
 	{ "allowgroups", sAllowGroups },
@@ -573,6 +578,10 @@ parse_flag:
 				*intptr = (LogLevel) value;
 			break;
 
+		case sAllowTcpForwarding:
+			intptr = &options->allow_tcp_forwarding;
+			goto parse_flag;
+
 		case sAllowUsers:
 			while ((arg = strdelim(&cp)) && *arg != '\0') {
 				if (options->num_allow_users >= MAX_ALLOW_USERS)

servconf.h

@@ -11,7 +11,7 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 
-/* RCSID("$OpenBSD: servconf.h,v 1.29 2000/10/11 20:14:39 markus Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.30 2000/10/14 12:12:09 markus Exp $"); */
 
 #ifndef SERVCONF_H
 #define SERVCONF_H
@@ -86,6 +86,7 @@ typedef struct {
 	int     permit_empty_passwd;	/* If false, do not permit empty
 					 * passwords. */
 	int     use_login;	/* If true, login(1) is used */
+	int	allow_tcp_forwarding;
 	unsigned int num_allow_users;
 	char   *allow_users[MAX_ALLOW_USERS];
 	unsigned int num_deny_users;

serverloop.c

@@ -49,6 +49,8 @@
 #include "dispatch.h"
 #include "auth-options.h"
 
+extern ServerOptions options;
+
 static Buffer stdin_buffer;	/* Buffer for stdin data. */
 static Buffer stdout_buffer;	/* Buffer for stdout data. */
 static Buffer stderr_buffer;	/* Buffer for stderr data. */
@@ -749,7 +751,7 @@ input_direct_tcpip(void)
 	   originator, originator_port, target, target_port);
 
 	/* XXX check permission */
-	if (no_port_forwarding_flag) {
+	if (no_port_forwarding_flag || !options.allow_tcp_forwarding) {
 		xfree(target);
 		xfree(originator);
 		return -1;

session.c

@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.38 2000/10/11 20:27:23 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.40 2000/10/15 14:14:01 markus Exp $");
 
 #include "xmalloc.h"
 #include "ssh.h"
@@ -236,7 +236,7 @@ do_authenticated(struct passwd * pw)
 	 * by the client telling us, so we can equally well trust the client
 	 * not to request anything bogus.)
 	 */
-	if (!no_port_forwarding_flag)
+	if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
 		channel_permit_all_opens();
 
 	s = session_new();
@@ -388,6 +388,10 @@ do_authenticated(struct passwd * pw)
 				debug("Port forwarding not permitted for this authentication.");
 				break;
 			}
+			if (!options.allow_tcp_forwarding) {
+				debug("Port forwarding not permitted.");
+				break;
+			}
 			debug("Received TCP/IP port forwarding request.");
 			channel_input_port_forward_request(pw->pw_uid == 0, options.gateway_ports);
 			success = 1;

sftp-server.8

@@ -36,20 +36,20 @@ is a program that speaks the server side of SFTP protocol
 to stdout and expects client requests from stdin.
 .Nm
 is not intended to be called directly, but from
-.Xr sshd 8 
+.Xr sshd 8
 using the
 .Cm Subsystem
 option.
 See
-.Xr sshd 8 
+.Xr sshd 8
 for more information.
-.Sh HISTORY
-.Nm
-first appeared in OpenBSD 2.8.
-.Sh AUTHOR
-Markus Friedl <markus@openbsd.org>
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-keygen 1 ,
-.Xr sshd 8 ,
+.Xr sshd 8
+.Sh AUTHOR
+Markus Friedl <markus@openbsd.org>
+.Sh HISTORY
+.Nm
+first appeared in OpenBSD 2.8 .

ssh.1

@@ -627,7 +627,8 @@ If the option is set to
 .Dq no ,
 the check will not be executed.
 .It Cm Cipher
-Specifies the cipher to use for encrypting the session.
+Specifies the cipher to use for encrypting the session
+in protocol version 1
 Currently,
 .Dq blowfish ,
 and
@@ -640,7 +641,7 @@ Specifies the ciphers allowed for protocol version 2
 in order of preference.
 Multiple ciphers must be comma-separated.
 The default is
-.Dq 3des-cbc,blowfish-cbc,arcfour,cast128-cbc .
+.Dq 3des-cbc,blowfish-cbc,cast128-cbc,arcfour .
 .It Cm Compression
 Specifies whether to use compression.
 The argument must be

sshconnect2.c

@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.25 2000/10/12 09:59:19 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.26 2000/10/14 12:16:56 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
@@ -657,12 +657,12 @@ sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback)
 
 	/* data to be signed */
 	buffer_init(&b);
-	if (datafellows & SSH_COMPAT_SESSIONID_ENCODING) {
-		buffer_put_string(&b, session_id2, session_id2_len);
-		skip = buffer_len(&b);
-	} else {
+	if (datafellows & SSH_OLD_SESSIONID) {
 		buffer_append(&b, session_id2, session_id2_len);
 		skip = session_id2_len; 
+	} else {
+		buffer_put_string(&b, session_id2, session_id2_len);
+		skip = buffer_len(&b);
 	}
 	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
 	buffer_put_cstring(&b, authctxt->server_user);

sshd.8

@@ -303,6 +303,14 @@ wildcards in the patterns.
 Only group names are valid; a numerical group ID isn't recognized.
 By default login is allowed regardless of the primary group.
 .Pp
+.It Cm AllowTcpForwarding
+Specifies whether TCP forwarding is permitted.
+The default is
+.Dq yes .
+Note that disabling TCP forwarding does not improve security unless
+users are also denied shell access, as they can always install their
+own forwarders.
+.Pp
 .It Cm AllowUsers
 This keyword can be followed by a number of user names, separated
 by spaces.

version.h

@@ -1 +1 @@
-#define SSH_VERSION	"OpenSSH_2.2.0p2"
+#define SSH_VERSION	"OpenSSH_2.3.0p1"