Upgrade to OpenSSH 6.2p1. The most important new features are support

for a key revocation list and more fine-grained authentication control.

1 files changed, 100 insertions, 45 deletions

diff --git a/crypto/openssh/clientloop.c b/crypto/openssh/clientloop.c
index 5dd7b1b..aa6670a 100644
--- a/crypto/openssh/clientloop.c
+++ b/crypto/openssh/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.240 2012/06/20 04:42:58 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.248 2013/01/02 00:32:07 djm Exp $ */
 /* $FreeBSD$ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -969,9 +969,9 @@ process_cmdline(void)
 			goto out;
 		}
 		if (local || dynamic) {
-			if (channel_setup_local_fwd_listener(fwd.listen_host,
+			if (!channel_setup_local_fwd_listener(fwd.listen_host,
 			    fwd.listen_port, fwd.connect_host,
-			    fwd.connect_port, options.gateway_ports) < 0) {
+			    fwd.connect_port, options.gateway_ports)) {
 				logit("Port forwarding failed.");
 				goto out;
 			}
@@ -997,6 +997,63 @@ out:
 		xfree(fwd.connect_host);
 }
 
+/* reasons to suppress output of an escape command in help output */
+#define SUPPRESS_NEVER		0	/* never suppress, always show */
+#define SUPPRESS_PROTO1		1	/* don't show in protocol 1 sessions */
+#define SUPPRESS_MUXCLIENT	2	/* don't show in mux client sessions */
+#define SUPPRESS_MUXMASTER	4	/* don't show in mux master sessions */
+#define SUPPRESS_SYSLOG		8	/* don't show when logging to syslog */
+struct escape_help_text {
+	const char *cmd;
+	const char *text;
+	unsigned int flags;
+};
+static struct escape_help_text esc_txt[] = {
+    {".",  "terminate session", SUPPRESS_MUXMASTER},
+    {".",  "terminate connection (and any multiplexed sessions)",
+	SUPPRESS_MUXCLIENT},
+    {"B",  "send a BREAK to the remote system", SUPPRESS_PROTO1},
+    {"C",  "open a command line", SUPPRESS_MUXCLIENT},
+    {"R",  "request rekey", SUPPRESS_PROTO1},
+    {"V/v",  "decrease/increase verbosity (LogLevel)", SUPPRESS_MUXCLIENT},
+    {"^Z", "suspend ssh", SUPPRESS_MUXCLIENT},
+    {"#",  "list forwarded connections", SUPPRESS_NEVER},
+    {"&",  "background ssh (when waiting for connections to terminate)",
+	SUPPRESS_MUXCLIENT},
+    {"?", "this message", SUPPRESS_NEVER},
+};
+
+static void
+print_escape_help(Buffer *b, int escape_char, int protocol2, int mux_client,
+    int using_stderr)
+{
+	unsigned int i, suppress_flags;
+	char string[1024];
+
+	snprintf(string, sizeof string, "%c?\r\n"
+	    "Supported escape sequences:\r\n", escape_char);
+	buffer_append(b, string, strlen(string));
+
+	suppress_flags = (protocol2 ? 0 : SUPPRESS_PROTO1) |
+	    (mux_client ? SUPPRESS_MUXCLIENT : 0) |
+	    (mux_client ? 0 : SUPPRESS_MUXMASTER) |
+	    (using_stderr ? 0 : SUPPRESS_SYSLOG);
+
+	for (i = 0; i < sizeof(esc_txt)/sizeof(esc_txt[0]); i++) {
+		if (esc_txt[i].flags & suppress_flags)
+			continue;
+		snprintf(string, sizeof string, " %c%-3s - %s\r\n",
+		    escape_char, esc_txt[i].cmd, esc_txt[i].text);
+		buffer_append(b, string, strlen(string));
+	}
+
+	snprintf(string, sizeof string,
+	    " %c%c   - send the escape character by typing it twice\r\n"
+	    "(Note that escapes are only recognized immediately after "
+	    "newline.)\r\n", escape_char, escape_char);
+	buffer_append(b, string, strlen(string));
+}
+
 /* 
  * Process the characters one by one, call with c==NULL for proto1 case.
  */
@@ -1047,6 +1104,8 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr,
 				if (c && c->ctl_chan != -1) {
 					chan_read_failed(c);
 					chan_write_failed(c);
+					mux_master_session_cleanup_cb(c->self,
+					    NULL);
 					return 0;
 				} else
 					quit_pending = 1;
@@ -1055,11 +1114,16 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr,
 			case 'Z' - 64:
 				/* XXX support this for mux clients */
 				if (c && c->ctl_chan != -1) {
+					char b[16];
  noescape:
+					if (ch == 'Z' - 64)
+						snprintf(b, sizeof b, "^Z");
+					else
+						snprintf(b, sizeof b, "%c", ch);
 					snprintf(string, sizeof string,
-					    "%c%c escape not available to "
+					    "%c%s escape not available to "
 					    "multiplexed sessions\r\n",
-					    escape_char, ch);
+					    escape_char, b);
 					buffer_append(berr, string,
 					    strlen(string));
 					continue;
@@ -1098,6 +1162,31 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr,
 				}
 				continue;
 
+			case 'V':
+				/* FALLTHROUGH */
+			case 'v':
+				if (c && c->ctl_chan != -1)
+					goto noescape;
+				if (!log_is_on_stderr()) {
+					snprintf(string, sizeof string,
+					    "%c%c [Logging to syslog]\r\n",
+					     escape_char, ch);
+					buffer_append(berr, string,
+					    strlen(string));
+					continue;
+				}
+				if (ch == 'V' && options.log_level >
+				    SYSLOG_LEVEL_QUIET)
+					log_change_level(--options.log_level);
+				if (ch == 'v' && options.log_level <
+				    SYSLOG_LEVEL_DEBUG3)
+					log_change_level(++options.log_level);
+				snprintf(string, sizeof string,
+				    "%c%c [LogLevel %s]\r\n", escape_char, ch,
+				    log_level_name(options.log_level));
+				buffer_append(berr, string, strlen(string));
+				continue;
+
 			case '&':
 				if (c && c->ctl_chan != -1)
 					goto noescape;
@@ -1151,43 +1240,9 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr,
 				continue;
 
 			case '?':
-				if (c && c->ctl_chan != -1) {
-					snprintf(string, sizeof string,
-"%c?\r\n\
-Supported escape sequences:\r\n\
-  %c.  - terminate session\r\n\
-  %cB  - send a BREAK to the remote system\r\n\
-  %cR  - Request rekey (SSH protocol 2 only)\r\n\
-  %c#  - list forwarded connections\r\n\
-  %c?  - this message\r\n\
-  %c%c  - send the escape character by typing it twice\r\n\
-(Note that escapes are only recognized immediately after newline.)\r\n",
-					    escape_char, escape_char,
-					    escape_char, escape_char,
-					    escape_char, escape_char,
-					    escape_char, escape_char);
-				} else {
-					snprintf(string, sizeof string,
-"%c?\r\n\
-Supported escape sequences:\r\n\
-  %c.  - terminate connection (and any multiplexed sessions)\r\n\
-  %cB  - send a BREAK to the remote system\r\n\
-  %cC  - open a command line\r\n\
-  %cR  - Request rekey (SSH protocol 2 only)\r\n\
-  %c^Z - suspend ssh\r\n\
-  %c#  - list forwarded connections\r\n\
-  %c&  - background ssh (when waiting for connections to terminate)\r\n\
-  %c?  - this message\r\n\
-  %c%c  - send the escape character by typing it twice\r\n\
-(Note that escapes are only recognized immediately after newline.)\r\n",
-					    escape_char, escape_char,
-					    escape_char, escape_char,
-					    escape_char, escape_char,
-					    escape_char, escape_char,
-					    escape_char, escape_char,
-					    escape_char);
-				}
-				buffer_append(berr, string, strlen(string));
+				print_escape_help(berr, escape_char, compat20,
+				    (c && c->ctl_chan != -1),
+				    log_is_on_stderr());
 				continue;
 
 			case '#':
@@ -2207,10 +2262,10 @@ client_stop_mux(void)
 	if (options.control_path != NULL && muxserver_sock != -1)
 		unlink(options.control_path);
 	/*
-	 * If we are in persist mode, signal that we should close when all
-	 * active channels are closed.
+	 * If we are in persist mode, or don't have a shell, signal that we
+	 * should close when all active channels are closed.
 	 */
-	if (options.control_persist) {
+	if (options.control_persist || no_shell_flag) {
 		session_closed = 1;
 		setproctitle("[stopped mux]");
 	}