home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
linuxmafia.com 2016
/
linuxmafia.com.tar
/
linuxmafia.com
/
pub
/
linux
/
security
/
ylonen-ssh
/
ssh-1.2.27-permit-unprivileged-port.patch
< prev
next >
Wrap
Text File
|
2000-06-09
|
10KB
|
277 lines
http://marc.theaimsgroup.com/?l=secure-shell&m=94038201807561&w=2
List: secure-shell
Subject: [patch] - PermitUnprivilegedPort - 1.2.26/27
From: Paul Gampe <paulg@apnic.net>
Date: 1999-10-19 23:27:24
Hi All,
For anyone using ssh via a socks gateway the attached patch allows you to
permit connections from unprivileged ports. The option is configurable in
sshd_config using the name:
PermitUnprivilegedPort
I've not played with ssh2 yet, so is this necessary in the new server?
Paulg.
["APNIC.patch" (TEXT/PLAIN)]
diff -r -C6 ssh-1.2.26.orig/auth-rhosts.c ssh-1.2.26/auth-rhosts.c
*** ssh-1.2.26.orig/auth-rhosts.c Thu Jul 9 02:40:35 1998
--- ssh-1.2.26/auth-rhosts.c Wed Jul 15 10:16:40 1998
***************
*** 344,362 ****
/* Check that the connection comes from a privileged port.
Rhosts authentication only makes sense for privileged programs.
Of course, if the intruder has root access on his local machine,
he can connect from any port. So do not use .rhosts
authentication from machines that you do not trust. */
! if (port >= IPPORT_RESERVED ||
! port < IPPORT_RESERVED / 2)
{
! log_msg("Connection from %.100s from nonprivileged port %d",
! hostname, port);
! packet_send_debug("Your ssh client is not running as root.");
! return 0;
}
/* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */
if (pw->pw_uid != UID_ROOT)
{
if (check_rhosts_file(geteuid(),
--- 344,368 ----
/* Check that the connection comes from a privileged port.
Rhosts authentication only makes sense for privileged programs.
Of course, if the intruder has root access on his local machine,
he can connect from any port. So do not use .rhosts
authentication from machines that you do not trust. */
! if ((port >= IPPORT_RESERVED ||
! port < IPPORT_RESERVED / 2) )
{
! if (options.permit_unprivileged_port)
! {
! log_msg("Connection from %.100s from nonprivileged port %d enabled",
! hostname, port);
! } else {
! log_msg("Connection from %.100s from nonprivileged port %d",
! hostname, port);
! packet_send_debug("Your ssh client is not running as root.");
! return 0;
! }
}
/* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */
if (pw->pw_uid != UID_ROOT)
{
if (check_rhosts_file(geteuid(),
diff -r -C6 ssh-1.2.26.orig/servconf.c ssh-1.2.26/servconf.c
*** ssh-1.2.26.orig/servconf.c Thu Jul 9 02:40:38 1998
--- ssh-1.2.26/servconf.c Tue Jul 14 12:35:26 1998
***************
*** 107,118 ****
--- 107,119 ----
options->kerberos_or_local_passwd = -1;
options->kerberos_tgt_passing = -1;
options->tis_authentication = -1;
options->allow_tcp_forwarding = -1;
options->password_authentication = -1;
options->permit_empty_passwd = -1;
+ options->permit_unprivileged_port = -1;
options->use_login = -1;
options->silent_deny = -1;
options->forced_passwd_change = -1;
options->forced_empty_passwd_change = -1;
options->num_allow_shosts = 0;
options->num_deny_shosts = 0;
***************
*** 208,219 ****
--- 209,222 ----
if (options->tis_authentication == -1)
options->tis_authentication = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->permit_empty_passwd == -1)
options->permit_empty_passwd = 1;
+ if (options->permit_unprivileged_port == -1)
+ options->permit_unprivileged_port = 0;
if (options->use_login == -1)
options->use_login = 0;
if (options->silent_deny == -1)
options->silent_deny = 0;
if (options->forced_passwd_change == -1)
options->forced_passwd_change = 1;
***************
*** 249,261 ****
sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sPidFile,
sForcedPasswd, sForcedEmptyPasswd, sUmask, sSilentDeny, sIdleTimeout,
sUseLogin, sKerberosAuthentication, sKerberosOrLocalPasswd,
sKerberosTgtPassing, sAllowTcpForwarding, sAllowUsers, sDenyUsers,
sXauthPath, sCheckMail, sDenyGroups, sAllowGroups, sIgnoreRootRhosts,
sAllowSHosts, sDenySHosts, sPasswordExpireWarningDays,
! sAccountExpireWarningDays
#ifdef F_SECURE_COMMERCIAL
#endif /* F_SECURE_COMMERCIAL */
} ServerOpCodes;
--- 252,264 ----
sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sPidFile,
sForcedPasswd, sForcedEmptyPasswd, sUmask, sSilentDeny, sIdleTimeout,
sUseLogin, sKerberosAuthentication, sKerberosOrLocalPasswd,
sKerberosTgtPassing, sAllowTcpForwarding, sAllowUsers, sDenyUsers,
sXauthPath, sCheckMail, sDenyGroups, sAllowGroups, sIgnoreRootRhosts,
sAllowSHosts, sDenySHosts, sPasswordExpireWarningDays,
! sAccountExpireWarningDays, sPermitUnprivilegedPort
#ifdef F_SECURE_COMMERCIAL
#endif /* F_SECURE_COMMERCIAL */
} ServerOpCodes;
***************
*** 286,297 ****
--- 289,301 ----
{ "allowhosts", sAllowHosts },
{ "denyhosts", sDenyHosts },
{ "allowusers", sAllowUsers },
{ "denyusers", sDenyUsers },
{ "allowgroups", sAllowGroups },
{ "denygroups", sDenyGroups },
+ { "denygroups", sDenyGroups },
#ifdef F_SECURE_COMMERCIAL
#endif /* F_SECURE_COMMERCIAL */
***************
*** 315,326 ****
--- 319,331 ----
{ "kerberostgtpassing", sKerberosTgtPassing },
{ "allowtcpforwarding", sAllowTcpForwarding },
{ "xauthlocation", sXauthPath },
{ "checkmail", sCheckMail },
{ "passwordexpirewarningdays", sPasswordExpireWarningDays },
{ "accountexpirewarningdays", sAccountExpireWarningDays },
+ { "permitunprivilegedport", sPermitUnprivilegedPort },
{ NULL, 0 }
};
static struct
{
const char *name;
***************
*** 609,620 ****
--- 614,629 ----
goto parse_flag;
case sEmptyPasswd:
intptr = &options->permit_empty_passwd;
goto parse_flag;
+ case sPermitUnprivilegedPort:
+ intptr = &options->permit_unprivileged_port;
+ goto parse_flag;
+
case sSilentDeny:
intptr = &options->silent_deny;
goto parse_flag;
case sForcedPasswd:
intptr = &options->forced_passwd_change;
diff -r -C6 ssh-1.2.26.orig/servconf.h ssh-1.2.26/servconf.h
*** ssh-1.2.26.orig/servconf.h Thu Jul 9 02:40:38 1998
--- ssh-1.2.26/servconf.h Tue Jul 14 12:20:48 1998
***************
*** 112,123 ****
--- 112,124 ----
as SecurID or /etc/passwd */
int kerberos_tgt_passing; /* If true, permit Kerberos tgt passing. */
int allow_tcp_forwarding;
int tis_authentication; /* If true, permit TIS authsrv auth. */
int password_authentication; /* If true, permit password authentication. */
int permit_empty_passwd; /* If false, do not permit empty passwords. */
+ int permit_unprivileged_port; /* If true, permit rhosts from unpriv ports */
int use_login; /* Use /bin/login if possible */
int silent_deny; /* 1 = deny by closing sockets. */
int forced_empty_passwd_change; /* If true, force password change if empty
password (first login). */
int forced_passwd_change; /* If true, force password change if password
too old. */
diff -r -C6 ssh-1.2.26.orig/sshd.c ssh-1.2.26/sshd.c
*** ssh-1.2.26.orig/sshd.c Thu Jul 9 02:40:38 1998
--- ssh-1.2.26/sshd.c Wed Jul 15 10:17:51 1998
***************
*** 2300,2314 ****
break;
}
/* Rhosts authentication (also uses /etc/hosts.equiv). */
if (!privileged_port)
{
! packet_get_all();
! log_msg("Rhosts authentication not available for connections from unprivileged port.");
! break;
}
/* Get client user name. Note that we just have to trust the client;
this is one reason why rhosts authentication is insecure.
(Another is IP-spoofing on a local network.) */
client_user = packet_get_string(NULL);
--- 2300,2319 ----
break;
}
/* Rhosts authentication (also uses /etc/hosts.equiv). */
if (!privileged_port)
{
! if (options.permit_unprivileged_port)
! {
! log_msg("Rhosts authentication for connections from unprivilieged port enabled.");
! } else {
! packet_get_all();
! log_msg("Rhosts authentication not available for connections from unprivileged port.");
! break;
! }
}
/* Get client user name. Note that we just have to trust the client;
this is one reason why rhosts authentication is insecure.
(Another is IP-spoofing on a local network.) */
client_user = packet_get_string(NULL);
***************
*** 2338,2350 ****
log_msg("Rhosts with RSA authentication disabled.");
break;
}
/* Rhosts authentication (also uses /etc/hosts.equiv) with RSA
host authentication. */
! if (!privileged_port)
{
packet_get_all();
log_msg("RhostsRsa authentication not available for connections from unprivileged port.");
break;
}
if (cipher_type == SSH_CIPHER_NONE)
--- 2343,2355 ----
log_msg("Rhosts with RSA authentication disabled.");
break;
}
/* Rhosts authentication (also uses /etc/hosts.equiv) with RSA
host authentication. */
! if (!privileged_port && !options.permit_unprivileged_port)
{
packet_get_all();
log_msg("RhostsRsa authentication not available for connections from unprivileged port.");
break;
}
if (cipher_type == SSH_CIPHER_NONE)