-rw-r--r--ChangeLog15
-rw-r--r--ssh-keygen.c45
-rw-r--r--ssh.c14
-rw-r--r--ssh.h3
-rw-r--r--sshconnect1.c11
-rw-r--r--sshconnect2.c13
-rw-r--r--sshd.84
7 files changed, 67 insertions, 38 deletions
diff --git a/ChangeLog b/ChangeLog
index a7abfd58..f72d7898 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,21 @@
- (djm) Don't fail in defines.h on absence of 64 bit types (we will
still fail during compilation of sftp-server).
- (djm) Fail if ar is not found during configure
+ - (djm) OpenBSD CVS updates:
+ - provos@cvs.openbsd.org 2000/11/22 08:38:31
+ [sshd.8]
+ talk about /etc/primes, okay markus@
+ - markus@cvs.openbsd.org 2000/11/23 14:03:48
+ [ssh.c sshconnect1.c sshconnect2.c]
+ complain about invalid ciphers for ssh1/ssh2, fall back to reasonable
+ defaults
+ - markus@cvs.openbsd.org 2000/11/25 09:42:53
+ [sshconnect1.c]
+ reorder check for illegal ciphers, bugreport from espie@
+ - markus@cvs.openbsd.org 2000/11/25 10:19:34
+ [ssh-keygen.c ssh.h]
+ print keytype when generating a key.
+ reasonable defaults for RSA1/RSA/DSA keys.
20001125
- (djm) Give up privs when reading seed file
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 5da90035..89c03d90 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -12,7 +12,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.34 2000/11/15 20:24:43 millert Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.35 2000/11/25 17:19:33 markus Exp $");
#include <openssl/evp.h>
#include <openssl/pem.h>
@@ -67,9 +67,8 @@ int convert_to_ssh2 = 0;
int convert_from_ssh2 = 0;
int print_public = 0;
-/* key type */
-int dsa_mode = 0; /* compat */
-char *key_type_name = NULL;
+/* default to RSA for SSH-1 */
+char *key_type_name = "rsa1";
/* argv0 */
#ifdef HAVE___PROGNAME
@@ -84,9 +83,24 @@ void
ask_filename(struct passwd *pw, const char *prompt)
{
char buf[1024];
- snprintf(identity_file, sizeof(identity_file), "%s/%s",
- pw->pw_dir,
- dsa_mode ? SSH_CLIENT_ID_DSA: SSH_CLIENT_IDENTITY);
+ char *name = NULL;
+
+ switch (key_type_from_name(key_type_name)) {
+ case KEY_RSA1:
+ name = SSH_CLIENT_IDENTITY;
+ break;
+ case KEY_DSA:
+ name = SSH_CLIENT_ID_DSA;
+ break;
+ case KEY_RSA:
+ name = SSH_CLIENT_ID_RSA;
+ break;
+ default:
+ fprintf(stderr, "bad key type");
+ exit(1);
+ break;
+ }
+ snprintf(identity_file, sizeof(identity_file), "%s/%s", pw->pw_dir, name);
printf("%s (%s): ", prompt, identity_file);
fflush(stdout);
if (fgets(buf, sizeof(buf), stdin) == NULL)
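Review bot: The `default:` branch in ask_filename prints `bad key type` with no trailing newline and without naming the rejected value, unlike the `unknown key type %s\n` message main() uses for the same condition. key_type_name can come straight from `-t` (optarg), so if any path reaches ask_filename before main's validation the user gets an unterminated, uninformative message; whether such a path exists is not visible in this diff. I would write `fprintf(stderr, "bad key type %s\n", key_type_name);` and drop the unreachable `break;` after `exit(1)`. Since `name` only ever points at string literals, `const char *name` would be the safer declaration. The function body continues past the end of the hunk.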
@@ -600,10 +614,9 @@ main(int ac, char **av)
{
char dotsshdir[16 * 1024], comment[1024], *passphrase1, *passphrase2;
struct passwd *pw;
- int opt;
+ int opt, type;
struct stat st;
FILE *f;
- int type = KEY_RSA1;
Key *private;
Key *public;
@@ -688,12 +701,10 @@ main(int ac, char **av)
case 'd':
key_type_name = "dsa";
- dsa_mode = 1;
break;
case 't':
key_type_name = optarg;
- dsa_mode = (strcmp(optarg, "dsa") == 0);
break;
case '?':
@@ -724,15 +735,13 @@ main(int ac, char **av)
arc4random_stir();
- if (key_type_name != NULL) {
- type = key_type_from_name(key_type_name);
- if (type == KEY_UNSPEC) {
- fprintf(stderr, "unknown key type %s\n", key_type_name);
- exit(1);
- }
+ type = key_type_from_name(key_type_name);
+ if (type == KEY_UNSPEC) {
+ fprintf(stderr, "unknown key type %s\n", key_type_name);
+ exit(1);
}
if (!quiet)
- printf("Generating public/private key pair.\n");
+ printf("Generating public/private %s key pair.\n", key_type_name);
private = key_generate(type, bits);
if (private == NULL) {
fprintf(stderr, "key_generate failed");
diff --git a/ssh.c b/ssh.c
index b41c87e1..3af5e037 100644
--- a/ssh.c
+++ b/ssh.c
@@ -39,7 +39,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.73 2000/11/15 19:58:08 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.74 2000/11/23 21:03:47 markus Exp $");
#include <openssl/evp.h>
#include <openssl/dsa.h>
@@ -427,12 +427,18 @@ main(int ac, char **av)
options.cipher = SSH_CIPHER_ILLEGAL;
} else {
/* SSH1 only */
- Cipher *c = cipher_by_name(optarg);
- if (c == NULL || c->number < 0) {
+ options.cipher = cipher_number(optarg);
+ if (options.cipher == -1) {
fprintf(stderr, "Unknown cipher type '%s'\n", optarg);
exit(1);
}
- options.cipher = c->number;
+ if (options.cipher == SSH_CIPHER_3DES) {
+ options.ciphers = "3des-cbc";
+ } else if (options.cipher == SSH_CIPHER_BLOWFISH) {
+ options.ciphers = "blowfish-cbc";
+ } else {
+ options.ciphers = (char *)-1;
+ }
}
break;
case 'p':
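Review bot: `options.ciphers = (char *)-1;` stores an invalid pointer in a `char *` field as an in-band marker, and the only place shown to recognise it is the matching test in ssh_kex2 (the sshconnect2.c hunk). Any code that runs between option parsing and ssh_kex2 and treats `options.ciphers != NULL` as "a usable string" would dereference it; whether such a reader exists is not visible here. The integer-to-pointer cast is also implementation-defined. A named marker shared through a header, for example a proposed `#define CIPHERS_INVALID ((char *)-1)` with the comment `/* marker only, never dereference */`, or a separate int flag in the options struct, would make the contract explicit in both files. The enclosing switch in main() starts and ends outside the hunk.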
diff --git a/ssh.h b/ssh.h
index 78254e45..bb103fe4 100644
--- a/ssh.h
+++ b/ssh.h
@@ -12,7 +12,7 @@
* called by a name other than "ssh" or "Secure Shell".
*/
-/* RCSID("$OpenBSD: ssh.h,v 1.54 2000/10/11 20:27:24 markus Exp $"); */
+/* RCSID("$OpenBSD: ssh.h,v 1.55 2000/11/25 17:19:33 markus Exp $"); */
#ifndef SSH_H
#define SSH_H
@@ -144,6 +144,7 @@
*/
#define SSH_CLIENT_IDENTITY ".ssh/identity"
#define SSH_CLIENT_ID_DSA ".ssh/id_dsa"
+#define SSH_CLIENT_ID_RSA ".ssh/id_rsa"
/*
* Configuration file in user\'s home directory. This file need not be
diff --git a/sshconnect1.c b/sshconnect1.c
index 227e10b4..70932971 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,7 +13,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.9 2000/11/12 19:50:38 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.11 2000/11/25 16:42:53 markus Exp $");
#include <openssl/bn.h>
#include <openssl/dsa.h>
@@ -833,13 +833,14 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
RSA_free(public_key);
RSA_free(host_key);
- if (options.cipher == SSH_CIPHER_ILLEGAL) {
+ if (options.cipher == SSH_CIPHER_NOT_SET) {
+ if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default))
+ options.cipher = ssh_cipher_default;
+ } else if (options.cipher == SSH_CIPHER_ILLEGAL ||
+ !(cipher_mask_ssh1(1) & (1 << options.cipher))) {
log("No valid SSH1 cipher, using %.100s instead.",
cipher_name(ssh_cipher_default));
options.cipher = ssh_cipher_default;
- } else if (options.cipher == SSH_CIPHER_NOT_SET) {
- if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default))
- options.cipher = ssh_cipher_default;
}
/* Check that the selected cipher is supported. */
if (!(supported_ciphers & (1 << options.cipher)))
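Review bot: The shift `1 << options.cipher` in the final support check can still be reached with a non-cipher value. In the new `SSH_CIPHER_NOT_SET` branch, when the default is not in `cipher_mask_ssh1(1) & supported_ciphers`, options.cipher is left as SSH_CIPHER_NOT_SET and falls through to that check. If that constant is negative (its definition is not shown on this page), the shift count is negative, which is undefined behaviour in C rather than a guaranteed "not supported" result. Guarding the shift would make the rejection explicit: `if (options.cipher < 0 || !(supported_ciphers & (1 << options.cipher)))`. The body of that `if` and the rest of ssh_kex lie outside the hunk.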
diff --git a/sshconnect2.c b/sshconnect2.c
index bb4774aa..69d9c49e 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.28 2000/11/12 19:50:38 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.29 2000/11/23 21:03:47 markus Exp $");
#include <openssl/bn.h>
#include <openssl/rsa.h>
@@ -74,14 +74,9 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
Buffer *client_kexinit, *server_kexinit;
char *sprop[PROPOSAL_MAX];
- if (options.ciphers == NULL) {
- if (options.cipher == SSH_CIPHER_3DES) {
- options.ciphers = "3des-cbc";
- } else if (options.cipher == SSH_CIPHER_BLOWFISH) {
- options.ciphers = "blowfish-cbc";
- } else if (options.cipher == SSH_CIPHER_DES) {
- fatal("cipher DES not supported for protocol version 2");
- }
+ if (options.ciphers == (char *)-1) {
+ log("No valid ciphers for protocol version 2 given, using defaults.");
+ options.ciphers = NULL;
}
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
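Review bot: With the DES `fatal()` removed, a protocol-2 connection where the user requested a cipher with no protocol-2 equivalent now proceeds with the built-in proposal. The only trace is a `log()` line that names neither the rejected cipher nor what will be offered instead. Someone who passed `-c` to pin an algorithm cannot tell from this message what was actually proposed. Assuming myproposal still holds the default string at this point, I would name the fallback: `log("No valid ciphers for protocol version 2 given, using defaults: %.200s", myproposal[PROPOSAL_ENC_ALGS_CTOS]);`. ssh_kex2 continues beyond the hunk.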
diff --git a/sshd.8 b/sshd.8
index 82328201..48d6be20 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.72 2000/11/12 19:50:38 markus Exp $
+.\" $OpenBSD: sshd.8,v 1.73 2000/11/22 15:38:30 provos Exp $
.Dd September 25, 1999
.Dt SSHD 8
.Os
@@ -885,6 +885,8 @@ really used for anything; it is only provided for the convenience of
the user so its contents can be copied to known hosts files.
These two files are created using
.Xr ssh-keygen 1 .
+.It Pa /etc/primes
+Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
.It Pa /var/run/sshd.pid
Contains the process ID of the
.Nm