
(-)a/dh.c (-3 / +6 lines)
Lines 142-148 parse_prime(int linenum, char *line, struct dhgroup *dhg) Link Here
142
}
142
}
143
143
144
DH *
144
DH *
145
choose_dh(int min, int wantbits, int max)
145
choose_dh(int min, int wantbits, int max, const char *moduli_file)
146
{
146
{
147
	FILE *f;
147
	FILE *f;
148
	char line[4096];
148
	char line[4096];
Lines 150-159 choose_dh(int min, int wantbits, int max) Link Here
150
	int linenum;
150
	int linenum;
151
	struct dhgroup dhg;
151
	struct dhgroup dhg;
152
152
153
	if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
153
	if (moduli_file == NULL)
154
		moduli_file = _PATH_DH_MODULI;
155
156
	if ((f = fopen(moduli_file, "r")) == NULL &&
154
	    (f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
157
	    (f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
155
		logit("WARNING: %s does not exist, using fixed modulus",
158
		logit("WARNING: %s does not exist, using fixed modulus",
156
		    _PATH_DH_MODULI);
159
		    moduli_file);
157
		return (dh_new_group14());
160
		return (dh_new_group14());
158
	}
161
	}
159
162
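Review bot: When an administrator has set ModuliFile and that file cannot be opened, the rewritten open on new line 156 still falls through to `_PATH_DH_PRIMES` and then to the fixed group14 modulus with only a WARNING, so a typo in the configured path silently substitutes a different moduli source than the one configured. Consider keeping the PRIMES/group14 fallback only for the default path, e.g. by guarding it with `strcmp(moduli_file, _PATH_DH_MODULI) == 0`, and treating an unopenable explicitly configured file as a hard error via `fatal()` or at least an `error()`-level message. The NULL check on new line 153 is effectively unreachable for the callers in this patch, since `fill_default_server_options` already substitutes `_PATH_DH_MODULI`; if it is kept as a defensive default, say so in a comment above the function, e.g. `/* moduli_file may be NULL, in which case _PATH_DH_MODULI is used */`. choose_dh's body continues past the hunk.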
(-)a/dh.h (-1 / +1 lines)
Lines 32-38 struct dhgroup { Link Here
32
	BIGNUM *p;
32
	BIGNUM *p;
33
};
33
};
34
34
35
DH	*choose_dh(int, int, int);
35
DH	*choose_dh(int, int, int, const char *);
36
DH	*dh_new_group_asc(const char *, const char *);
36
DH	*dh_new_group_asc(const char *, const char *);
37
DH	*dh_new_group(BIGNUM *, BIGNUM *);
37
DH	*dh_new_group(BIGNUM *, BIGNUM *);
38
DH	*dh_new_group1(void);
38
DH	*dh_new_group1(void);
(-)a/kexgexs.c (-1 / +4 lines)
Lines 49-54 Link Here
49
#include "ssh-gss.h"
49
#include "ssh-gss.h"
50
#endif
50
#endif
51
#include "monitor_wrap.h"
51
#include "monitor_wrap.h"
52
#include "servconf.h"
53
54
extern ServerOptions options;
52
55
53
void
56
void
54
kexgex_server(Kex *kex)
57
kexgex_server(Kex *kex)
Lines 98-104 kexgex_server(Kex *kex) Link Here
98
		    omin, onbits, omax);
101
		    omin, onbits, omax);
99
102
100
	/* Contact privileged parent */
103
	/* Contact privileged parent */
101
	dh = PRIVSEP(choose_dh(min, nbits, max));
104
	dh = PRIVSEP(choose_dh(min, nbits, max, options.moduli_file));
102
	if (dh == NULL)
105
	if (dh == NULL)
103
		packet_disconnect("Protocol error: no matching DH grp found");
106
		packet_disconnect("Protocol error: no matching DH grp found");
104
107
(-)a/monitor.c (-1 / +4 lines)
Lines 635-644 mm_answer_moduli(int sock, Buffer *m) Link Here
635
{
635
{
636
	DH *dh;
636
	DH *dh;
637
	int min, want, max;
637
	int min, want, max;
638
	const char *moduli_file;
639
	u_int datlen;
638
640
639
	min = buffer_get_int(m);
641
	min = buffer_get_int(m);
640
	want = buffer_get_int(m);
642
	want = buffer_get_int(m);
641
	max = buffer_get_int(m);
643
	max = buffer_get_int(m);
644
	moduli_file = buffer_get_string(m, &datlen);
642
645
643
	debug3("%s: got parameters: %d %d %d",
646
	debug3("%s: got parameters: %d %d %d",
644
	    __func__, min, want, max);
647
	    __func__, min, want, max);
Lines 649-655 mm_answer_moduli(int sock, Buffer *m) Link Here
649
652
650
	buffer_clear(m);
653
	buffer_clear(m);
651
654
652
	dh = choose_dh(min, want, max);
655
	dh = choose_dh(min, want, max, moduli_file);
653
	if (dh == NULL) {
656
	if (dh == NULL) {
654
		buffer_put_char(m, 0);
657
		buffer_put_char(m, 0);
655
		return (0);
658
		return (0);
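Review bot: The path the privileged monitor hands to `choose_dh` now comes from the unprivileged child's request (`moduli_file = buffer_get_string(m, &datlen);`, new line 644) instead of from the monitor's own copy of `options`. The monitor is the parent that parsed sshd_config and already holds `options.moduli_file`, so accepting the path over the monitor socket means a compromised pre-auth child could have the root-privileged monitor open and parse any file it names, which weakens the privilege-separation boundary for no benefit. I would drop the string from the MONITOR_REQ_MODULI message (the `buffer_put_string` added to `mm_choose_dh` in monitor_wrap.c and the `buffer_get_string` here) and have `mm_answer_moduli` pass `options.moduli_file` itself, or have `choose_dh` read a file-scope default set once at startup; kexgexs.c could then keep its original three-argument call. As written, the allocated string returned by `buffer_get_string` is also never freed in the visible lines, and `mm_answer_moduli` continues outside the hunk.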
(-)a/monitor_wrap.c (-1 / +2 lines)
Lines 175-181 mm_request_receive_expect(int sock, enum monitor_reqtype type, Buffer *m) Link Here
175
}
175
}
176
176
177
DH *
177
DH *
178
mm_choose_dh(int min, int nbits, int max)
178
mm_choose_dh(int min, int nbits, int max, const char *moduli_file)
179
{
179
{
180
	BIGNUM *p, *g;
180
	BIGNUM *p, *g;
181
	int success = 0;
181
	int success = 0;
Lines 185-190 mm_choose_dh(int min, int nbits, int max) Link Here
185
	buffer_put_int(&m, min);
185
	buffer_put_int(&m, min);
186
	buffer_put_int(&m, nbits);
186
	buffer_put_int(&m, nbits);
187
	buffer_put_int(&m, max);
187
	buffer_put_int(&m, max);
188
	buffer_put_string(&m, moduli_file, strlen(moduli_file)+1);
188
189
189
	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_MODULI, &m);
190
	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_MODULI, &m);
190
191
(-)a/monitor_wrap.h (-1 / +1 lines)
Lines 39-45 struct Authctxt; Link Here
39
39
40
void mm_log_handler(LogLevel, const char *, void *);
40
void mm_log_handler(LogLevel, const char *, void *);
41
int mm_is_monitor(void);
41
int mm_is_monitor(void);
42
DH *mm_choose_dh(int, int, int);
42
DH *mm_choose_dh(int, int, int, const char *);
43
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
43
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
44
void mm_inform_authserv(char *, char *);
44
void mm_inform_authserv(char *, char *);
45
struct passwd *mm_getpwnamallow(const char *);
45
struct passwd *mm_getpwnamallow(const char *);
(-)a/servconf.c (-1 / +10 lines)
Lines 80-85 initialize_server_options(ServerOptions *options) Link Here
80
	options->num_host_key_files = 0;
80
	options->num_host_key_files = 0;
81
	options->num_host_cert_files = 0;
81
	options->num_host_cert_files = 0;
82
	options->host_key_agent = NULL;
82
	options->host_key_agent = NULL;
83
	options->moduli_file = NULL;
83
	options->pid_file = NULL;
84
	options->pid_file = NULL;
84
	options->server_key_bits = -1;
85
	options->server_key_bits = -1;
85
	options->login_grace_time = -1;
86
	options->login_grace_time = -1;
Lines 189-194 fill_default_server_options(ServerOptions *options) Link Here
189
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
190
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
190
	if (options->listen_addrs == NULL)
191
	if (options->listen_addrs == NULL)
191
		add_listen_addr(options, NULL, 0);
192
		add_listen_addr(options, NULL, 0);
193
	if (options->moduli_file == NULL)
194
		options->moduli_file = _PATH_DH_MODULI;
192
	if (options->pid_file == NULL)
195
	if (options->pid_file == NULL)
193
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
196
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
194
	if (options->server_key_bits == -1)
197
	if (options->server_key_bits == -1)
Lines 335-341 typedef enum { Link Here
335
	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
338
	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
336
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
339
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
337
	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
340
	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
338
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
341
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sModuliFile, sPidFile,
339
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
342
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
340
	sMaxStartups, sMaxAuthTries, sMaxSessions,
343
	sMaxStartups, sMaxAuthTries, sMaxSessions,
341
	sBanner, sUseDNS, sHostbasedAuthentication,
344
	sBanner, sUseDNS, sHostbasedAuthentication,
Lines 374-379 static struct { Link Here
374
	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
377
	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
375
	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
378
	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
376
	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
379
	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
380
	{ "modulifile", sModuliFile, SSHCFG_GLOBAL },
377
	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
381
	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
378
	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
382
	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
379
	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
383
	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
Lines 1016-1021 process_server_config_line(ServerOptions *options, char *line, Link Here
1016
		goto parse_filename;
1020
		goto parse_filename;
1017
		break;
1021
		break;
1018
1022
1023
	case sModuliFile:
1024
		charptr = &options->moduli_file;
1025
		goto parse_filename;
1026
1019
	case sPidFile:
1027
	case sPidFile:
1020
		charptr = &options->pid_file;
1028
		charptr = &options->pid_file;
1021
		goto parse_filename;
1029
		goto parse_filename;
Lines 2029-2034 dump_config(ServerOptions *o) Link Here
2029
	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
2037
	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
2030
2038
2031
	/* string arguments */
2039
	/* string arguments */
2040
	dump_cfg_string(sModuliFile, o->moduli_file);
2032
	dump_cfg_string(sPidFile, o->pid_file);
2041
	dump_cfg_string(sPidFile, o->pid_file);
2033
	dump_cfg_string(sXAuthLocation, o->xauth_location);
2042
	dump_cfg_string(sXAuthLocation, o->xauth_location);
2034
	dump_cfg_string(sCiphers, o->ciphers ? o->ciphers :
2043
	dump_cfg_string(sCiphers, o->ciphers ? o->ciphers :
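Review bot: The new enum line `sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sModuliFile, sPidFile,` runs to 81 columns with the leading tab, which breaks the file's KNF 80-column convention; wrapping `sModuliFile` onto the following line together with `sPidFile` keeps the style. The rest of the section (the keyword-table entry, `case sModuliFile:` routed through `parse_filename`, the `fill_default_server_options` default and the `dump_cfg_string` line) follows the `pid_file` precedent consistently, including `SSHCFG_GLOBAL` so the option cannot appear in a Match block. Since `fill_default_server_options` stores the string literal `_PATH_DH_MODULI` while `parse_filename` presumably stores an allocated copy, the field must not be freed unconditionally; that matches how `pid_file` is already handled, so it only needs a comment if the struct is ever torn down.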
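--- a/servconf.h
+++ b/servconf.h
@@ -66,6 +66,7 @@ typedef struct {
 	char   *host_cert_files[MAX_HOSTCERTS];	/* Files containing host certs. */
 	int     num_host_cert_files;     /* Number of files for host certs. */
 	char   *host_key_agent;		 /* ssh-agent socket for host keys. */
+	char   *moduli_file;		 /* DH Moduli file. */
 	char   *pid_file;	/* Where to put our pid */
 	int     server_key_bits;/* Size of the server key. */
 	int     login_grace_time;	/* Disconnect if no auth in this time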
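Review bot: The new field comment `/* DH Moduli file. */` on new line 69 could say what the value is and when it is valid, since elsewhere in this patch `initialize_server_options` sets it to NULL and `fill_default_server_options` substitutes `_PATH_DH_MODULI`; e.g. `/* Path of DH moduli file (ModuliFile); NULL until defaults are filled. */`. That saves the next reader a trip to servconf.c to learn whether a NULL check is needed.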
(-)a/sshd_config.0 (+4 lines)
Lines 527-532 DESCRIPTION Link Here
527
             increases linearly and all connection attempts are refused if the
527
             increases linearly and all connection attempts are refused if the
528
             number of unauthenticated connections reaches ``full'' (60).
528
             number of unauthenticated connections reaches ``full'' (60).
529
529
530
     ModuliFile
531
             Specifies where moduli file is located.  The default
532
             is /etc/ssh/moduli.
533
530
     PasswordAuthentication
534
     PasswordAuthentication
531
             Specifies whether password authentication is allowed.  The
535
             Specifies whether password authentication is allowed.  The
532
             default is ``yes''.
536
             default is ``yes''.
(-)a/sshd_config.5 (-1 / +3 lines)
Lines 889-894 The probability increases linearly and all connection attempts Link Here
889
are refused if the number of unauthenticated connections reaches
889
are refused if the number of unauthenticated connections reaches
890
.Dq full
890
.Dq full
891
(60).
891
(60).
892
.It Cm ModuliFile
893
Specifies where moduli file is located.  The default is
894
.Pa /etc/ssh/moduli .
892
.It Cm PasswordAuthentication
895
.It Cm PasswordAuthentication
893
Specifies whether password authentication is allowed.
896
Specifies whether password authentication is allowed.
894
The default is
897
The default is
895
- 
