

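--- a/openssh-3.9p1.orig/Makefile.in
+++ b/openssh-3.9p1.orig/Makefile.in
@@ -115,7 +115,7 @@
 all: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS)
 
 $(LIBSSH_OBJS): Makefile.in config.h
-$(SSHOBJS): Makefile.in config.h
+$(SSHOBJS): Makefile.in config.h readconf.h
 $(SSHDOBJS): Makefile.in config.h
 
 .c.o: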
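--- a/openssh-3.9p1.orig/channels.c
+++ b/openssh-3.9p1.orig/channels.c
@@ -2477,7 +2477,7 @@
 
 /* return socket to remote host, port */
 static int
-connect_to(const char *host, u_short port)
+connect_to(const char *host, u_short port, int try_privileged_originator_port)
 {
 	struct addrinfo hints, *ai, *aitop;
 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -2501,7 +2501,21 @@
 			error("connect_to: getnameinfo failed");
 			continue;
 		}
-		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+		sock = -1; 
+		if (try_privileged_originator_port) {
+			int p = IPPORT_RESERVED - 1;
+
+			sock = rresvport_af(&p, ai->ai_family);
+			if (sock < 0) {
+				debug("rresvport: %.100s", strerror(errno));
+				debug("connect_to: fallback to unprivileged port");
+			} else {
+				debug("connect_to: using privileged port %d.", p);
+			}
+		}
+		if (sock < 0) {
+			sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+		}
 		if (sock < 0) {
 			if (ai->ai_next == NULL)
 				error("socket: %.100s", strerror(errno));
@@ -2532,7 +2546,8 @@
 }
 
 int
-channel_connect_by_listen_address(u_short listen_port)
+channel_connect_by_listen_address(u_short listen_port,
+    int originator_port_privileged)
 {
 	int i;
 
@@ -2541,7 +2556,8 @@
 		    permitted_opens[i].listen_port == listen_port)
 			return connect_to(
 			    permitted_opens[i].host_to_connect,
-			    permitted_opens[i].port_to_connect);
+			    permitted_opens[i].port_to_connect,
+			    originator_port_privileged);
 	error("WARNING: Server requests forwarding for unknown listen_port %d",
 	    listen_port);
 	return -1;
@@ -2567,7 +2583,7 @@
 		    "but the request was denied.", host, port);
 		return -1;
 	}
-	return connect_to(host, port);
+	return connect_to(host, port, 0);
 }
 
 void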
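Review bot: The new `try_privileged_originator_port` parameter in the hunk at 2480 is not described by the function comment, and the hunk at 2504 makes the reserved-port bind a silent best-effort, so a reader of connect_to() cannot tell from the code alone that the caller's flag is only a hint. Propose replacing `/* return socket to remote host, port */` with `/* return socket to remote host, port; if try_privileged_originator_port is set, bind the local end to a reserved port via rresvport_af() first and fall back to a plain socket() when that fails */`. The `debug("rresvport: %.100s", ...)` message names rresvport rather than the rresvport_af() actually called, and `sock = -1; ` carries trailing whitespace. rresvport_af() is a BSD interface; whether every platform the portable tree builds on provides it is not visible here, so a configure check may be needed. connect_to()'s address loop and the connect() that consumes sock continue outside the hunk.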
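--- a/openssh-3.9p1.orig/channels.h
+++ b/openssh-3.9p1.orig/channels.h
@@ -201,7 +201,7 @@
 void	 channel_clear_permitted_opens(void);
 void     channel_input_port_forward_request(int, int);
 int	 channel_connect_to(const char *, u_short);
-int	 channel_connect_by_listen_address(u_short);
+int	 channel_connect_by_listen_address(u_short, int);
 void	 channel_request_remote_forwarding(u_short, const char *, u_short);
 void	 channel_request_rforward_cancel(u_short port);
 int	 channel_setup_local_fwd_listener(u_short, const char *, u_short, int);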
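--- a/openssh-3.9p1.orig/clientloop.c
+++ b/openssh-3.9p1.orig/clientloop.c
@@ -1490,7 +1490,9 @@
 	debug("client_request_forwarded_tcpip: listen %s port %d, originator %s port %d",
 	    listen_address, listen_port, originator_address, originator_port);
 
-	sock = channel_connect_by_listen_address(listen_port);
+	sock = channel_connect_by_listen_address(listen_port,
+	    (options.try_outgoing_privileged_port &
+	    (originator_port < IPPORT_RESERVED)));
 	if (sock < 0) {
 		xfree(originator_address);
 		xfree(listen_address);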
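Review bot: The flag built on the new lines 1494-1495 uses the bitwise `&` rather than the logical `&&`; it only works because try_outgoing_privileged_port is stored as 0/1 by parse_flag and a comparison yields 0/1, so the intent is clearer and safer as `options.try_outgoing_privileged_port && originator_port < IPPORT_RESERVED`. originator_port is the value reported by the server in the forwarded-tcpip request (it is the one logged in the debug() call just above), so the decision to bind a reserved local port is driven by peer-supplied data; a one-line comment at the call site, `/* originator_port is reported by the server and not verified locally */`, would make that visible where the decision is taken. The enclosing client_request_forwarded_tcpip() starts and ends outside the hunk.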
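--- a/openssh-3.9p1.orig/readconf.c
+++ b/openssh-3.9p1.orig/readconf.c
@@ -97,7 +97,8 @@
 	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
 	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
 	oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
-	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
+	oUsePrivilegedPort, oTryOutgoingPrivilegedPort, oLogLevel, oCiphers,
+	oProtocol, oMacs,
 	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
@@ -122,6 +123,7 @@
 	{ "xauthlocation", oXAuthLocation },
 	{ "gatewayports", oGatewayPorts },
 	{ "useprivilegedport", oUsePrivilegedPort },
+	{ "tryoutgoingprivilegedport", oTryOutgoingPrivilegedPort },
 	{ "rhostsauthentication", oDeprecated },
 	{ "passwordauthentication", oPasswordAuthentication },
 	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
@@ -360,6 +362,10 @@
 		intptr = &options->use_privileged_port;
 		goto parse_flag;
 
+	case oTryOutgoingPrivilegedPort:
+		intptr = &options->try_outgoing_privileged_port;
+		goto parse_flag;
+
 	case oPasswordAuthentication:
 		intptr = &options->password_authentication;
 		goto parse_flag;
@@ -864,6 +870,7 @@
 	options->xauth_location = NULL;
 	options->gateway_ports = -1;
 	options->use_privileged_port = -1;
+	options->try_outgoing_privileged_port = -1;
 	options->rsa_authentication = -1;
 	options->pubkey_authentication = -1;
 	options->challenge_response_authentication = -1;
@@ -941,6 +948,8 @@
 		options->gateway_ports = 0;
 	if (options->use_privileged_port == -1)
 		options->use_privileged_port = 0;
+	if (options->try_outgoing_privileged_port == -1)
+		options->try_outgoing_privileged_port = 0;
 	if (options->rsa_authentication == -1)
 		options->rsa_authentication = 1;
 	if (options->pubkey_authentication == -1)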
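--- a/openssh-3.9p1.orig/readconf.h
+++ b/openssh-3.9p1.orig/readconf.h
@@ -36,6 +36,12 @@
 	char   *xauth_location;	/* Location for xauth program */
 	int     gateway_ports;	/* Allow remote connects to forwarded ports. */
 	int     use_privileged_port;	/* Don't use privileged port if false. */
+	int	try_outgoing_privileged_port;	/*
+						 * local_forward/remote_forward:
+						 * Try connect() from privileged
+						 * port when connection came
+						 * from privileged port
+						 */
 	int     rhosts_rsa_authentication;	/* Try rhosts with RSA
 						 * authentication. */
 	int     rsa_authentication;	/* Try RSA authentication. */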
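Review bot: The comment added for try_outgoing_privileged_port says `local_forward/remote_forward`, but in this patch only the remote-forward path (channel_connect_by_listen_address, called from clientloop.c) receives the flag; channel_connect_to passes a constant 0, and the ssh_config.5 text in the same patch describes the option as an extension to RemoteForward. Suggest `/* Remote forwards only: try connect() from a privileged port when the originator port reported by the server was privileged. */` so the header does not promise local-forward behaviour the code does not implement. The field also uses a tab where the neighbouring members use spaces after `int`.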
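--- a/openssh-3.9p1.orig/ssh.1
+++ b/openssh-3.9p1.orig/ssh.1
@@ -43,7 +43,7 @@
 .Nd OpenSSH SSH client (remote login program)
 .Sh SYNOPSIS
 .Nm ssh
-.Op Fl 1246AaCfgkMNnqsTtVvXxY
+.Op Fl 1246AaCfgkMNnQqsTtVvXxY
 .Op Fl b Ar bind_address
 .Op Fl c Ar cipher_spec
 .Bk -words
@@ -693,7 +693,8 @@
 .It MACs
 .It NoHostAuthenticationForLocalhost
 .It NumberOfPasswordPrompts
-.It PasswordAuthentication
+.It
+PasswordAuthentication
 .It Port
 .It PreferredAuthentications
 .It Protocol
@@ -744,8 +745,25 @@
 .Sm off
 .Xo
 .Ar port No / Ar host No /
-.Ar hostport .
 .Xc
+.It Fl Q
+Extension to the
+.Fl R
+option (protocol version 2 only): Specifies that if the connection to
+.Ar hostport .
+on the remote side was made from a privileged port then the
+connection from the local machine to
+.Ar host
+port
+.Ar hostport
+should be originating from a privileged port too. Only root can
+originate connections from privileged ports. In case of non-root
+users or lack of free privileged ports, ssh silently falls back
+to connecting from non-privileged ports.
+ 
+This should be enabled with caution. The originating port number
+is retrieved from the remote side and could be forged. Only enable
+this if the remote machine is trusted.
 .Sm on
 .It Fl S Ar ctl
 Specifies the location of a control socket for connection sharing.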
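--- a/openssh-3.9p1.orig/ssh.c
+++ b/openssh-3.9p1.orig/ssh.c
@@ -236,7 +236,7 @@
 
 again:
 	while ((opt = getopt(ac, av,
-	    "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNPR:S:TVXY")) != -1) {
+	    "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNQPR:S:TVXY")) != -1) {
 		switch (opt) {
 		case '1':
 			options.protocol = SSH_PROTO_1;
@@ -273,6 +273,9 @@
 		case 'P':	/* deprecated */
 			options.use_privileged_port = 0;
 			break;
+		case 'Q':
+			options.try_outgoing_privileged_port = 1;
+			break;
 		case 'a':
 			options.forward_agent = 0;
 			break;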
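Review bot: The `case 'Q'` added at 276 has no comment, unlike the `case 'P':	/* deprecated */` directly above it; a short `/* -Q: TryOutgoingPrivilegedPort yes */` would tie the flag to the config keyword introduced in readconf.c. Only the getopt string and ssh.1 are updated in this patch, so if usage() in ssh.c lists the accepted flags (it is outside the hunk) -Q needs adding there as well. The ssh.1 hunk for the same option also removes the `.Ar hostport .` line from what appears to be the existing -R synopsis and re-inserts it inside the new -Q text, which looks like an editing slip rather than an intended change.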
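--- a/openssh-3.9p1.orig/ssh_config.5
+++ b/openssh-3.9p1.orig/ssh_config.5
@@ -778,6 +778,24 @@
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
+.It Cm TryOutgoingPrivilegedPort
+Extension to RemoteForward. If set to
+.Dq yes
+then if the connection to
+.Ar port
+on the remote side was made from a privileged port then the
+connection from the local machine to
+.Ar host:port
+should be originating from a privileged port too. Only root can
+originate connections from privileged ports. In case of non-root
+users or lack of free privileged ports, ssh silently falls back
+to connecting from non-privileged ports. The default is
+.Dq no .
+This option applies to protocol version 2 only.
+.Pp
+This should be enabled with caution. The originating port number
+is retrieved from the remote side and could be forged. Only enable
+this if the remote machine is trusted.
 .It Cm XAuthLocation
 Specifies the full pathname of the
 .Xr xauth 1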
