

(-)openssh-3.7.1p2.orig/Makefile.in (-2 / +2 lines)
Lines 115-121 Link Here
115
all: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS)
115
all: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS)
116
116
117
$(LIBSSH_OBJS): Makefile.in config.h
117
$(LIBSSH_OBJS): Makefile.in config.h
118
$(SSHOBJS): Makefile.in config.h
118
$(SSHOBJS): Makefile.in config.h readconf.h
119
$(SSHDOBJS): Makefile.in config.h
119
$(SSHDOBJS): Makefile.in config.h
120
120
121
.c.o:
121
.c.o:
Lines 148-154 Link Here
148
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
148
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
149
	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
149
	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
150
150
151
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o
151
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.h
152
	$(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
152
	$(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
153
153
154
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
154
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
(-)openssh-3.7.1p2.orig/channels.c (-5 / +21 lines)
Lines 2370-2376 Link Here
2370
2370
2371
/* return socket to remote host, port */
2371
/* return socket to remote host, port */
2372
static int
2372
static int
2373
connect_to(const char *host, u_short port)
2373
connect_to(const char *host, u_short port, int try_privileged_originator_port)
2374
{
2374
{
2375
	struct addrinfo hints, *ai, *aitop;
2375
	struct addrinfo hints, *ai, *aitop;
2376
	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
2376
	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
Lines 2394-2400 Link Here
2394
			error("connect_to: getnameinfo failed");
2394
			error("connect_to: getnameinfo failed");
2395
			continue;
2395
			continue;
2396
		}
2396
		}
2397
		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
2397
		sock = -1; 
2398
		if (try_privileged_originator_port) {
2399
			int p = IPPORT_RESERVED - 1;
2400
2401
			sock = rresvport_af(&p, ai->ai_family);
2402
			if (sock < 0) {
2403
				debug("rresvport: %.100s", strerror(errno));
2404
				debug("connect_to: fallback to unprivileged port");
2405
			} else {
2406
				debug("connect_to: using privileged port %d.", p);
2407
			}
2408
		}
2409
		if (sock < 0) {
2410
			sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
2411
		}
2398
		if (sock < 0) {
2412
		if (sock < 0) {
2399
			if (ai->ai_next == NULL)
2413
			if (ai->ai_next == NULL)
2400
				error("socket: %.100s", strerror(errno));
2414
				error("socket: %.100s", strerror(errno));
Lines 2425-2431 Link Here
2425
}
2439
}
2426
2440
2427
int
2441
int
2428
channel_connect_by_listen_address(u_short listen_port)
2442
channel_connect_by_listen_address(u_short listen_port,
2443
    int originator_port_privileged)
2429
{
2444
{
2430
	int i;
2445
	int i;
2431
2446
Lines 2433-2439 Link Here
2433
		if (permitted_opens[i].listen_port == listen_port)
2448
		if (permitted_opens[i].listen_port == listen_port)
2434
			return connect_to(
2449
			return connect_to(
2435
			    permitted_opens[i].host_to_connect,
2450
			    permitted_opens[i].host_to_connect,
2436
			    permitted_opens[i].port_to_connect);
2451
			    permitted_opens[i].port_to_connect,
2452
			    originator_port_privileged);
2437
	error("WARNING: Server requests forwarding for unknown listen_port %d",
2453
	error("WARNING: Server requests forwarding for unknown listen_port %d",
2438
	    listen_port);
2454
	    listen_port);
2439
	return -1;
2455
	return -1;
Lines 2458-2464 Link Here
2458
		    "but the request was denied.", host, port);
2474
		    "but the request was denied.", host, port);
2459
		return -1;
2475
		return -1;
2460
	}
2476
	}
2461
	return connect_to(host, port);
2477
	return connect_to(host, port, 0);
2462
}
2478
}
2463
2479
2464
/* -- X11 forwarding */
2480
/* -- X11 forwarding */
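Review bot: The header comment above connect_to, `/* return socket to remote host, port */`, does not describe the new try_privileged_originator_port parameter or the silent fallback; suggest `/* return socket to remote host, port; if try_privileged_originator_port is set, first try to bind a reserved local port (root only) and fall back to an ordinary socket */`. rresvport_af() hands back a stream socket bound to a reserved port without consulting ai->ai_socktype or ai->ai_protocol, which is presumably fine because the getaddrinfo hints restrict the lookup to SOCK_STREAM, but those hints sit outside the hunk and are worth confirming. The added `sock = -1; ` carries trailing whitespace. The same flag is named originator_port_privileged in channel_connect_by_listen_address; using one name in both signatures would make the handoff easier to follow. connect_to begins and ends outside this hunk.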
(-)openssh-3.7.1p2.orig/channels.h (-1 / +1 lines)
Lines 198-204 Link Here
198
void	 channel_clear_permitted_opens(void);
198
void	 channel_clear_permitted_opens(void);
199
void     channel_input_port_forward_request(int, int);
199
void     channel_input_port_forward_request(int, int);
200
int	 channel_connect_to(const char *, u_short);
200
int	 channel_connect_to(const char *, u_short);
201
int	 channel_connect_by_listen_address(u_short);
201
int	 channel_connect_by_listen_address(u_short, int);
202
void	 channel_request_remote_forwarding(u_short, const char *, u_short);
202
void	 channel_request_remote_forwarding(u_short, const char *, u_short);
203
int	 channel_setup_local_fwd_listener(u_short, const char *, u_short, int);
203
int	 channel_setup_local_fwd_listener(u_short, const char *, u_short, int);
204
int	 channel_setup_remote_fwd_listener(const char *, u_short, int);
204
int	 channel_setup_remote_fwd_listener(const char *, u_short, int);
(-)openssh-3.7.1p2.orig/clientloop.c (-1 / +3 lines)
Lines 1150-1156 Link Here
1150
	debug("client_request_forwarded_tcpip: listen %s port %d, originator %s port %d",
1150
	debug("client_request_forwarded_tcpip: listen %s port %d, originator %s port %d",
1151
	    listen_address, listen_port, originator_address, originator_port);
1151
	    listen_address, listen_port, originator_address, originator_port);
1152
1152
1153
	sock = channel_connect_by_listen_address(listen_port);
1153
	sock = channel_connect_by_listen_address(listen_port,
1154
	    (options.try_outgoing_privileged_port &
1155
	    (originator_port < IPPORT_RESERVED)));
1154
	if (sock < 0) {
1156
	if (sock < 0) {
1155
		xfree(originator_address);
1157
		xfree(originator_address);
1156
		xfree(listen_address);
1158
		xfree(listen_address);
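Review bot: The new call combines the option flag and the port comparison with bitwise `&`, which only works because fill_default_options normalizes try_outgoing_privileged_port to 0 or 1; the intent is logical and, so `options.try_outgoing_privileged_port && originator_port < IPPORT_RESERVED`. originator_port is taken from the channel-open request (outside the hunk) and is therefore a peer-reported value; as written, 0 and any negative value also satisfy `< IPPORT_RESERVED`, so adding `originator_port > 0 &&` narrows the check to the range the man page describes. client_request_forwarded_tcpip starts and ends outside this hunk.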
(-)openssh-3.7.1p2.orig/readconf.c (-4 / +13 lines)
Lines 97-106 Link Here
97
	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
97
	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
98
	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
98
	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
99
	oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts,
99
	oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts,
100
	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
100
	oUsePrivilegedPort, oTryOutgoingPrivilegedPort, oLogLevel, oCiphers,
101
	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
101
	oProtocol, oMacs, oGlobalKnownHostsFile2, oUserKnownHostsFile2,
102
	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
102
	oPubkeyAuthentication, oKbdInteractiveAuthentication,
103
	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
103
	oKbdInteractiveDevices, oHostKeyAlias, oDynamicForward,
104
	oPreferredAuthentications, oHostbasedAuthentication,
104
	oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
105
	oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
105
	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
106
	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
106
	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
107
	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
Lines 119-124 Link Here
119
	{ "xauthlocation", oXAuthLocation },
120
	{ "xauthlocation", oXAuthLocation },
120
	{ "gatewayports", oGatewayPorts },
121
	{ "gatewayports", oGatewayPorts },
121
	{ "useprivilegedport", oUsePrivilegedPort },
122
	{ "useprivilegedport", oUsePrivilegedPort },
123
	{ "tryoutgoingprivilegedport", oTryOutgoingPrivilegedPort },
122
	{ "rhostsauthentication", oDeprecated },
124
	{ "rhostsauthentication", oDeprecated },
123
	{ "passwordauthentication", oPasswordAuthentication },
125
	{ "passwordauthentication", oPasswordAuthentication },
124
	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
126
	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
Lines 350-355 Link Here
350
		intptr = &options->use_privileged_port;
352
		intptr = &options->use_privileged_port;
351
		goto parse_flag;
353
		goto parse_flag;
352
354
355
	case oTryOutgoingPrivilegedPort:
356
		intptr = &options->try_outgoing_privileged_port;
357
		goto parse_flag;
358
353
	case oPasswordAuthentication:
359
	case oPasswordAuthentication:
354
		intptr = &options->password_authentication;
360
		intptr = &options->password_authentication;
355
		goto parse_flag;
361
		goto parse_flag;
Lines 809-814 Link Here
809
	options->xauth_location = NULL;
815
	options->xauth_location = NULL;
810
	options->gateway_ports = -1;
816
	options->gateway_ports = -1;
811
	options->use_privileged_port = -1;
817
	options->use_privileged_port = -1;
818
	options->try_outgoing_privileged_port = -1;
812
	options->rsa_authentication = -1;
819
	options->rsa_authentication = -1;
813
	options->pubkey_authentication = -1;
820
	options->pubkey_authentication = -1;
814
	options->challenge_response_authentication = -1;
821
	options->challenge_response_authentication = -1;
Lines 878-883 Link Here
878
		options->gateway_ports = 0;
885
		options->gateway_ports = 0;
879
	if (options->use_privileged_port == -1)
886
	if (options->use_privileged_port == -1)
880
		options->use_privileged_port = 0;
887
		options->use_privileged_port = 0;
888
	if (options->try_outgoing_privileged_port == -1)
889
		options->try_outgoing_privileged_port = 0;
881
	if (options->rsa_authentication == -1)
890
	if (options->rsa_authentication == -1)
882
		options->rsa_authentication = 1;
891
		options->rsa_authentication = 1;
883
	if (options->pubkey_authentication == -1)
892
	if (options->pubkey_authentication == -1)
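Review bot: Inserting oTryOutgoingPrivilegedPort into the middle of the enumerator list at line 100 re-wraps the five following lines, so the hunk rewrites enumerators that do not change; appending it at the end of the enum, or on its own line after oUsePrivilegedPort, keeps the diff to the new value. The keyword entry, the parse case and the two defaults follow the use_privileged_port pattern, and the fallback default of 0 is the safe choice.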
(-)openssh-3.7.1p2.orig/readconf.h (+6 lines)
Lines 33-38 Link Here
33
	char   *xauth_location;	/* Location for xauth program */
33
	char   *xauth_location;	/* Location for xauth program */
34
	int     gateway_ports;	/* Allow remote connects to forwarded ports. */
34
	int     gateway_ports;	/* Allow remote connects to forwarded ports. */
35
	int     use_privileged_port;	/* Don't use privileged port if false. */
35
	int     use_privileged_port;	/* Don't use privileged port if false. */
36
	int	try_outgoing_privileged_port;	/*
37
						 * local_forward/remote_forward:
38
						 * Try connect() from privileged
39
						 * port when connection came
40
						 * from privileged port
41
						 */
36
	int     rhosts_rsa_authentication;	/* Try rhosts with RSA
42
	int     rhosts_rsa_authentication;	/* Try rhosts with RSA
37
						 * authentication. */
43
						 * authentication. */
38
	int     rsa_authentication;	/* Try RSA authentication. */
44
	int     rsa_authentication;	/* Try RSA authentication. */
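Review bot: The new field uses a tab after `int` (`int	try_outgoing_privileged_port;`) where the surrounding fields pad with spaces (`int     gateway_ports;`), so it misaligns in the struct listing. The block comment could also say where the originator port comes from, e.g. `/* Connect from a privileged port when a forwarded connection's originator port, as reported by the remote side, was privileged. */`.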
(-)openssh-3.7.1p2.orig/ssh.1 (-1 / +18 lines)
Lines 49-55 Link Here
49
.Pp
49
.Pp
50
.Nm ssh
50
.Nm ssh
51
.Bk -words
51
.Bk -words
52
.Op Fl afgknqstvxACNTVX1246
52
.Op Fl afgknqstvxACNQTVX1246
53
.Op Fl b Ar bind_address
53
.Op Fl b Ar bind_address
54
.Op Fl c Ar cipher_spec
54
.Op Fl c Ar cipher_spec
55
.Op Fl e Ar escape_char
55
.Op Fl e Ar escape_char
Lines 639-644 Link Here
639
logging in as root on the remote machine.
639
logging in as root on the remote machine.
640
IPv6 addresses can be specified with an alternative syntax:
640
IPv6 addresses can be specified with an alternative syntax:
641
.Ar port/host/hostport
641
.Ar port/host/hostport
642
.It Fl Q
643
Extension to the
644
option (protocol version 2 only): Specifies that if the connection to
645
.Ar port
646
on the remote side was made from a privileged port then the
647
connection from the local machine to
648
.Ar host
649
port
650
.Ar hostport
651
should be originating from a privileged port too. Only root can
652
originate connections from privileged ports. In case of non-root
653
users or lack of free privileged ports, ssh silently falls back
654
to connecting from non-privileged ports.
655
.Pp
656
This should be enabled with caution. The originating port number
657
is retrieved from the remote side and could be forged. Only enable
658
this if the remote machine is trusted.
642
.It Fl D Ar port
659
.It Fl D Ar port
643
Specifies a local
660
Specifies a local
644
.Dq dynamic
661
.Dq dynamic
(-)openssh-3.7.1p2.orig/ssh.c (-1 / +7 lines)
Lines 177-182 Link Here
177
	fprintf(stderr, "  -R listen-port:host:port   Forward remote port to local address\n");
177
	fprintf(stderr, "  -R listen-port:host:port   Forward remote port to local address\n");
178
	fprintf(stderr, "              These cause %s to listen for connections on a port, and\n", __progname);
178
	fprintf(stderr, "              These cause %s to listen for connections on a port, and\n", __progname);
179
	fprintf(stderr, "              forward them to the other side by connecting to host:port.\n");
179
	fprintf(stderr, "              forward them to the other side by connecting to host:port.\n");
180
	fprintf(stderr, "  -Q          Extension to -R, if connection to listen-port comes from\n");
181
	fprintf(stderr, "              privileged port then try to connect to host:port\n");
182
	fprintf(stderr, "              from privileged port (protocol version 2 only).\n");
180
	fprintf(stderr, "  -D port     Enable dynamic application-level port forwarding.\n");
183
	fprintf(stderr, "  -D port     Enable dynamic application-level port forwarding.\n");
181
	fprintf(stderr, "  -C          Enable compression.\n");
184
	fprintf(stderr, "  -C          Enable compression.\n");
182
	fprintf(stderr, "  -N          Do not execute a shell or command.\n");
185
	fprintf(stderr, "  -N          Do not execute a shell or command.\n");
Lines 264-270 Link Here
264
267
265
again:
268
again:
266
	while ((opt = getopt(ac, av,
269
	while ((opt = getopt(ac, av,
267
	    "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVX")) != -1) {
270
	    "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NQPR:TVX")) != -1) {
268
		switch (opt) {
271
		switch (opt) {
269
		case '1':
272
		case '1':
270
			options.protocol = SSH_PROTO_1;
273
			options.protocol = SSH_PROTO_1;
Lines 297-302 Link Here
297
		case 'P':	/* deprecated */
300
		case 'P':	/* deprecated */
298
			options.use_privileged_port = 0;
301
			options.use_privileged_port = 0;
299
			break;
302
			break;
303
		case 'Q':
304
			options.try_outgoing_privileged_port = 1;
305
			break;
300
		case 'a':
306
		case 'a':
301
			options.forward_agent = 0;
307
			options.forward_agent = 0;
302
			break;
308
			break;
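Review bot: The usage text at lines 180-182 is the only place in this patch that names -R as the option -Q extends: the ssh.1 entry added in the same patch reads `Extension to the` followed by `option (protocol version 2 only)` with no `.Fl R` macro between them, so the manual page renders as "Extension to the option". The getopt string and the `case 'Q'` handler are consistent with how -P is handled just above. main() extends beyond this hunk on both sides.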
(-)openssh-3.7.1p2.orig/ssh_config.5 (+18 lines)
Lines 627-632 Link Here
627
The default is
627
The default is
628
.Dq no .
628
.Dq no .
629
Note that this option applies to protocol version 2 only.
629
Note that this option applies to protocol version 2 only.
630
.It Cm TryOutgoingPrivilegedPort
631
Extension to RemoteForward. If set to
632
.Dq yes
633
then if the connection to
634
.Ar port
635
on the remote side was made from a privileged port then the
636
connection from the local machine to
637
.Ar host:port
638
should be originating from a privileged port too. Only root can
639
originate connections from privileged ports. In case of non-root
640
users or lack of free privileged ports, ssh silently falls back
641
to connecting from non-privileged ports. The default is
642
.Dq no .
643
This option applies to protocol version 2 only.
644
.Pp
645
This should be enabled with caution. The originating port number
646
is retrieved from the remote side and could be forged. Only enable
647
this if the remote machine is trusted.
630
.It Cm XAuthLocation
648
.It Cm XAuthLocation
631
Specifies the full pathname of the
649
Specifies the full pathname of the
632
.Xr xauth 1
650
.Xr xauth 1
