diff -ru openssh-2.2.0p1/CREDITS openssh-2.3.0p1/CREDITS --- openssh-2.2.0p1/CREDITS 2000-08-31 09:20:05.000000000 +1100 +++ openssh-2.3.0p1/CREDITS 2000-10-28 13:30:55.000000000 +1100 @@ -3,6 +3,7 @@ Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song - Creators of OpenSSH +Alain St-Denis - Irix fix Alexandre Oliva - AIX fixes Andre Lucas - new login code, many fixes Andreas Steinmetz - Shadow password expiry support @@ -21,6 +22,7 @@ Chris, the Young One - Password auth fixes Christos Zoulas - Autoconf fixes Chun-Chung Chen - RPM fixes +Corinna Vinschen - Cygwin support Dan Brosemer - Autoconf support, build fixes Darren Hall - AIX patches David Agraz - Build fixes 
@@ -42,27 +44,38 @@ Jim Knoble - Many patches Jonchen (email unknown) - the original author of PAM support of SSH Juergen Keil - scp bugfixing +KAMAHARA Junzo - Configure fixes Kees Cook - scp fixes Kenji Miyake - Configure fixes Kevin O'Connor - RSAless operation +Kevin Steves - HP support, bugfixes, improvements Kiyokazu SUTO - Bugfixes +Larry Jones - Bugfixes Lutz Jaenicke - Bugfixes Marc G. Fournier - Solaris patches +Martin Johansson - Linux fixes Mark Miller - Bugfixes Matt Richards - AIX patches Michael Stone - Irix enhancements +Nakaji Hiroyuki - Sony News-OS patch Nalin Dahyabhai - PAM environment patch Nate Itkin - SunOS 4.1.x fixes Niels Kristian Bech Jensen - Assorted patches +Pavel Kankovsky - Security fixes +Pavel Troller - Bugfixes +Pekka Savola - Bugfixes Peter Kocks - Makefile fixes Phil Hands - Debian scripts, assorted patches -Phil Karn - Autoconf fix +Phil Karn - Autoconf fixes +Philippe WILLEM - Bugfixes Phill Camp - login code fix Rip Loomis - Solaris package support, fixes SAKAI Kiyotaka - Multiple bugfixes Simon Wilkinson - PAM fixes Svante Signell - Bugfixes Thomas Neumann - Shadow passwords +Tim Rice - Portability & SCO fixes +Tobias Oetiker - Bugfixes Tom Bertelson's - AIX auth fixes Tor-Ake Fransson - AIX support Tudor Bosman - MD5 password support @@ -71,4 +84,4 @@ Apologies to anyone I have missed. -Damien Miller +Damien Miller diff -ru openssh-2.2.0p1/ChangeLog openssh-2.3.0p1/ChangeLog --- openssh-2.2.0p1/ChangeLog 2000-09-01 14:14:37.000000000 +1100 +++ openssh-2.3.0p1/ChangeLog 2000-11-06 14:17:38.000000000 +1100 
@@ -1,9 +1,477 @@ +20001106 + - (djm) Use Jim's new 1.0.3 askpass in Redhat RPMs + - (djm) Manually fix up missed diff hunks (mainly RCS idents) + - (djm) Remove UPGRADING document in favour of a link to the better + maintained FAQ on www.openssh.com + - (djm) Fix multiple dependancy on gnome-libs from Pekka Savola + + - (djm) Don't need X11-askpass in RPM spec file if building without it + from Pekka Savola + - (djm) Release 2.3.0p1 + +20001105 + - (bal) Sync with OpenBSD: + - markus@cvs.openbsd.org 2000/10/31 9:31:58 + [compat.c] + handle all old openssh versions + - markus@cvs.openbsd.org 2000/10/31 13:1853 + [deattack.c] + so that large packets do not wrap "n"; from netbsd + - (bal) rijndel.c - fix up RCSID to match OpenBSD tree + - (bal) auth2-skey.c - Checked in. Missing from portable tree. + - (bal) Reworked NEWS-OS and NeXT ports to extract waitpid() and + setsid() into more common files + - (stevesk) pty.c: use __hpux to identify HP-UX. + - (bal) Missed auth-skey.o in Makefile.in and minor correction to + bsd-waitpid.c + +20001029 + - (stevesk) Fix typo in auth.c: USE_PAM not PAM + - (stevesk) Create contrib/cygwin/ directory; patch from + Corinna Vinschen + - (bal) Resolved more $xno and $xyes issues in configure.in + - (bal) next-posix.h - spelling and forgot a prototype + +20001028 + - (djm) fix select hack in serverloop.c from Philippe WILLEM + + - (djm) Fix mangled AIXAUTHENTICATE code + - (djm) authctxt->pw may be NULL. Fix from Markus Friedl + + - (djm) Sync with OpenBSD: + - markus@cvs.openbsd.org 2000/10/16 15:46:32 + [ssh.1] + fixes from pekkas@netcore.fi + - markus@cvs.openbsd.org 2000/10/17 14:28:11 + [atomicio.c] + return number of characters processed; ok deraadt@ + - markus@cvs.openbsd.org 2000/10/18 12:04:02 + [atomicio.c] + undo + - markus@cvs.openbsd.org 2000/10/18 12:23:02 + [scp.c] + replace atomicio(read,...) 
with read(); ok deraadt@ + - markus@cvs.openbsd.org 2000/10/18 12:42:00 + [session.c] + restore old record login behaviour + - deraadt@cvs.openbsd.org 2000/10/19 10:41:13 + [auth-skey.c] + fmt string problem in unused code + - provos@cvs.openbsd.org 2000/10/19 10:45:16 + [sshconnect2.c] + don't reference freed memory. okay deraadt@ + - markus@cvs.openbsd.org 2000/10/21 11:04:23 + [canohost.c] + typo, eramore@era-t.ericsson.se; ok niels@ + - markus@cvs.openbsd.org 2000/10/23 13:31:55 + [cipher.c] + non-alignment dependent swap_bytes(); from + simonb@wasabisystems.com/netbsd + - markus@cvs.openbsd.org 2000/10/26 12:38:28 + [compat.c] + add older vandyke products + - markus@cvs.openbsd.org 2000/10/27 01:32:19 + [channels.c channels.h clientloop.c serverloop.c session.c] + [ssh.c util.c] + enable non-blocking IO on channels, and tty's (except for the + client ttys). + +20001027 + - (djm) Increase REKEY_BYTES to 2^24 for arc4random + +20001025 + - (djm) Added WARNING.RNG file and modified configure to ask users of the + builtin entropy code to read it. + - (djm) Prefer builtin regex to PCRE. + - (bal) Added USE_PIPS defined to NeXT configure.in since scp hangs randomly. + - (bal) Apply fixes to configure.in pointed out by Pavel Roskin + + +20001020 + - (djm) Don't define _REENTRANT for SNI/Reliant Unix + - (bal) Imported NEWS-OS waitpid() macros into NeXT. Since implementation + is more correct then current version. + +20001018 + - (stevesk) Add initial support for setproctitle(). Current + support is for the HP-UX pstat(PSTAT_SETCMD, ...) method. + - (stevesk) Add egd startup scripts to contrib/hpux/ + +20001017 + - (djm) Add -lregex to cywin libs from Corinna Vinschen + + - (djm) Don't rely on atomicio's retval to determine length of askpass + supplied passphrase. Problem report from Lutz Jaenicke + + - (bal) Changed from GNU rx to PCRE on suggestion from djm. 
+ - (bal) Integrated Sony NEWS-OS patches from NAKAJI Hirouyuki + + +20001016 + - (djm) Sync with OpenBSD: + - markus@cvs.openbsd.org 2000/10/14 04:01:15 + [cipher.c] + debug3 + - markus@cvs.openbsd.org 2000/10/14 04:07:23 + [scp.c] + remove spaces from arguments; from djm@mindrot.org + - markus@cvs.openbsd.org 2000/10/14 06:09:46 + [ssh.1] + Cipher is for SSH-1 only + - markus@cvs.openbsd.org 2000/10/14 06:12:09 + [servconf.c servconf.h serverloop.c session.c sshd.8] + AllowTcpForwarding; from naddy@ + - markus@cvs.openbsd.org 2000/10/14 06:16:56 + [auth2.c compat.c compat.h sshconnect2.c version.h] + OpenSSH_2.3; note that is is not complete, but the version number + needs to be changed for interoperability reasons + - markus@cvs.openbsd.org 2000/10/14 06:19:45 + [auth-rsa.c] + do not send RSA challenge if key is not allowed by key-options; from + eivind@ThinkSec.com + - markus@cvs.openbsd.org 2000/10/15 08:14:01 + [rijndael.c session.c] + typos; from stevesk@sweden.hp.com + - markus@cvs.openbsd.org 2000/10/15 08:18:31 + [rijndael.c] + typo + - (djm) Copy manpages back over from OpenBSD - too tedious to wade + through diffs + - (djm) Added condrestart to Redhat init script. Patch from Pekka Savola + + - (djm) Update version in Redhat spec file + - (djm) Merge some of Nalin Dahyabhai changes from the + Redhat 7.0 spec file + - (djm) Make inability to read/write PRNG seedfile non-fatal + + +20001015 + - (djm) Fix ssh2 hang on background processes at logout. + +20001014 + - (bal) Add support for realpath and getcwd for platforms with broken + or missing realpath implementations for sftp-server. + - (bal) Corrected mistake in INSTALL in regards to GNU rx library + - (bal) Add support for GNU rx library for those lacking regexp support + - (djm) Don't accept PAM_PROMPT_ECHO_ON messages during initial auth + - (djm) Revert SSH2 serverloop hack, will find a better way. + - (djm) Add workaround for Linux 2.4's gratuitious errno change. 
Patch + from Martin Johansson + - (djm) Big OpenBSD sync: + - markus@cvs.openbsd.org 2000/09/30 10:27:44 + [log.c] + allow loglevel debug + - markus@cvs.openbsd.org 2000/10/03 11:59:57 + [packet.c] + hmac->mac + - markus@cvs.openbsd.org 2000/10/03 12:03:03 + [auth-krb4.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth1.c] + move fake-auth from auth1.c to individual auth methods, disables s/key in + debug-msg + - markus@cvs.openbsd.org 2000/10/03 12:16:48 + ssh.c + do not resolve canonname, i have no idea why this was added oin ossh + - markus@cvs.openbsd.org 2000/10/09 15:30:44 + ssh-keygen.1 ssh-keygen.c + -X now reads private ssh.com DSA keys, too. + - markus@cvs.openbsd.org 2000/10/09 15:32:34 + auth-options.c + clear options on every call. + - markus@cvs.openbsd.org 2000/10/09 15:51:00 + authfd.c authfd.h + interop with ssh-agent2, from + - markus@cvs.openbsd.org 2000/10/10 14:20:45 + compat.c + use rexexp for version string matching + - provos@cvs.openbsd.org 2000/10/10 22:02:18 + [kex.c kex.h myproposal.h ssh.h ssh2.h sshconnect2.c sshd.c dh.c dh.h] + First rough implementation of the diffie-hellman group exchange. The + client can ask the server for bigger groups to perform the diffie-hellman + in, thus increasing the attack complexity when using ciphers with longer + keys. University of Windsor provided network, T the company. 
+ - markus@cvs.openbsd.org 2000/10/11 13:59:52 + [auth-rsa.c auth2.c] + clear auth options unless auth sucessfull + - markus@cvs.openbsd.org 2000/10/11 14:00:27 + [auth-options.h] + clear auth options unless auth sucessfull + - markus@cvs.openbsd.org 2000/10/11 14:03:27 + [scp.1 scp.c] + support 'scp -o' with help from mouring@pconline.com + - markus@cvs.openbsd.org 2000/10/11 14:11:35 + [dh.c] + Wall + - markus@cvs.openbsd.org 2000/10/11 14:14:40 + [auth.h auth2.c readconf.c readconf.h readpass.c servconf.c servconf.h] + [ssh.h sshconnect2.c sshd_config auth2-skey.c cli.c cli.h] + add support for s/key (kbd-interactive) to ssh2, based on work by + mkiernan@avantgo.com and me + - markus@cvs.openbsd.org 2000/10/11 14:27:24 + [auth.c auth1.c auth2.c authfile.c cipher.c cipher.h kex.c kex.h] + [myproposal.h packet.c readconf.c session.c ssh.c ssh.h sshconnect1.c] + [sshconnect2.c sshd.c] + new cipher framework + - markus@cvs.openbsd.org 2000/10/11 14:45:21 + [cipher.c] + remove DES + - markus@cvs.openbsd.org 2000/10/12 03:59:20 + [cipher.c cipher.h sshconnect1.c sshconnect2.c sshd.c] + enable DES in SSH-1 clients only + - markus@cvs.openbsd.org 2000/10/12 08:21:13 + [kex.h packet.c] + remove unused + - markus@cvs.openbsd.org 2000/10/13 12:34:46 + [sshd.c] + Kludge for F-Secure Macintosh < 1.0.2; appro@fy.chalmers.se + - markus@cvs.openbsd.org 2000/10/13 12:59:15 + [cipher.c cipher.h myproposal.h rijndael.c rijndael.h] + rijndael/aes support + - markus@cvs.openbsd.org 2000/10/13 13:10:54 + [sshd.8] + more info about -V + - markus@cvs.openbsd.org 2000/10/13 13:12:02 + [myproposal.h] + prefer no compression + - (djm) Fix scp user@host handling + - (djm) Don't clobber ssh_prng_cmds on install + - (stevesk) Include config.h in rijndael.c so we define intXX_t and + u_intXX_t types on all platforms. + - (stevesk) rijndael.c: cleanup missing declaration warnings. + - (stevesk) ~/.hushlogin shouldn't cause required password change to + be bypassed. 
+ - (stevesk) Display correct path to ssh-askpass in configure output. + Report from Lutz Jaenicke. + +20001007 + - (stevesk) Print PAM return value in PAM log messages to aid + with debugging. + - (stevesk) Fix detection of pw_class struct member in configure; + patch from KAMAHARA Junzo + +20001002 + - (djm) Fix USER_PATH, report from Kevin Steves + - (djm) Add host system and CC to end-of-configure report. Suggested by + Lutz Jaenicke + +20000931 + - (djm) Cygwin fixes from Corinna Vinschen + +20000930 + - (djm) Irix ssh_prng_cmds path fix from Pekka Savola + - (djm) Support in bsd-snprintf.c for long long conversions from + Ben Lindstrom + - (djm) Cleanup NeXT support from Ben Lindstrom + - (djm) Ignore SIGPIPEs from serverloop to child. Fixes crashes with + very short lived X connections. Bug report from Tobias Oetiker + . Fix from Markus Friedl + - (djm) Add recent InitScripts as a RPM dependancy for openssh-server + patch from Pekka Savola + - (djm) Forgot to cvs add LICENSE file + - (djm) Add LICENSE to RPM spec files + - (djm) CVS OpenBSD sync: + - markus@cvs.openbsd.org 2000/09/26 13:59:59 + [clientloop.c] + use debug2 + - markus@cvs.openbsd.org 2000/09/27 15:41:34 + [auth2.c sshconnect2.c] + use key_type() + - markus@cvs.openbsd.org 2000/09/28 12:03:18 + [channels.c] + debug -> debug2 cleanup + - (djm) Irix strips "/dev/tty" from [uw]tmp entries (other systems only + strip "/dev/"). Fix loginrec.c based on patch from Alain St-Denis + + - (djm) Fix 9 character passphrase failure with gnome-ssh-askpass. + Problem was caused by interrupted read in ssh-add. Report from Donald + J. Barry + +20000929 + - (djm) Fix SSH2 not terminating until all background tasks done problem. + - (djm) Another off-by-one fix from Pavel Kankovsky + + - (djm) Clean up. Strip some unnecessary differences with OpenBSD's code, + tidy necessary differences. 
Use Markus' new debugN() in entropy.c + - (djm) Merged big SCO portability patch from Tim Rice + + +20000926 + - (djm) Update X11-askpass to 1.0.2 in RPM spec file + - (djm) Define _REENTRANT to pickup strtok_r() on HP/UX + - (djm) Security: fix off-by-one buffer overrun in fake-getnameinfo.c. + Report and fix from Pavel Kankovsky + +20000924 + - (djm) Merged cleanup patch from Mark Miller + - (djm) A bit more cleanup - created cygwin_util.h + - (djm) Include strtok_r() from OpenBSD libc. Fixes report from Mark Miller + + +20000923 + - (djm) Fix address logging in utmp from Kevin Steves + + - (djm) Redhat spec and manpage fixes from Pekka Savola + - (djm) Seperate tests for int64_t and u_int64_t types + - (djm) Tweak password expiry checking at suggestion of Kevin Steves + + - (djm) NeXT patch from Ben Lindstrom + - (djm) Use printf %lld instead of %qd in sftp-server.c. Fix from + Michael Stone + - (djm) OpenBSD CVS sync: + - markus@cvs.openbsd.org 2000/09/17 09:38:59 + [sshconnect2.c sshd.c] + fix DEBUG_KEXDH + - markus@cvs.openbsd.org 2000/09/17 09:52:51 + [sshconnect.c] + yes no; ok niels@ + - markus@cvs.openbsd.org 2000/09/21 04:55:11 + [sshd.8] + typo + - markus@cvs.openbsd.org 2000/09/21 05:03:54 + [serverloop.c] + typo + - markus@cvs.openbsd.org 2000/09/21 05:11:42 + scp.c + utime() to utimes(); mouring@pconline.com + - markus@cvs.openbsd.org 2000/09/21 05:25:08 + sshconnect2.c + change login logic in ssh2, allows plugin of other auth methods + - markus@cvs.openbsd.org 2000/09/21 05:25:35 + [auth2.c channels.c channels.h clientloop.c dispatch.c dispatch.h] + [serverloop.c] + add context to dispatch_run + - markus@cvs.openbsd.org 2000/09/21 05:07:52 + authfd.c authfd.h ssh-agent.c + bug compat for old ssh.com software + +20000920 + - (djm) Fix bad path substitution. 
Report from Andrew Miner + + +20000916 + - (djm) Fix SSL search order from Lutz Jaenicke + + - (djm) New SuSE spec from Corinna Vinschen + - (djm) Update CygWin support from Corinna Vinschen + - (djm) Use a real struct sockaddr inside the fake struct sockaddr_storage. + Patch from Larry Jones + - (djm) Add Steve VanDevender's PAM + password change patch. + - (djm) Bring licenses on my stuff in line with OpenBSD's + - (djm) Cleanup auth-passwd.c and unify HP/UX authentication. Patch from + Kevin Steves + - (djm) Shadow expiry check fix from Pavel Troller + - (djm) Re-enable int64_t types - we need them for sftp + - (djm) Use libexecdir from configure , rather than libexecdir/ssh + - (djm) Update Redhat SPEC file accordingly + - (djm) Add Kevin Steves HP/UX contrib files + - (djm) Add Charles Levert getpgrp patch + - (djm) Fix password auth on HP/UX 10.20. Patch from Dirk De Wachter + + - (djm) Fixprogs and entropy list fixes from Larry Jones + + - (djm) Fix for SuSE spec file from Takashi YOSHIDA + + - (djm) Merge OpenBSD changes: + - markus@cvs.openbsd.org 2000/09/05 02:59:57 + [session.c] + print hostname (not hushlogin) + - markus@cvs.openbsd.org 2000/09/05 13:18:48 + [authfile.c ssh-add.c] + enable ssh-add -d for DSA keys + - markus@cvs.openbsd.org 2000/09/05 13:20:49 + [sftp-server.c] + cleanup + - markus@cvs.openbsd.org 2000/09/06 03:46:41 + [authfile.h] + prototype + - deraadt@cvs.openbsd.org 2000/09/07 14:27:56 + [ALL] + cleanup copyright notices on all files. I have attempted to be + accurate with the details. everything is now under Tatu's licence + (which I copied from his readme), and/or the core-sdi bsd-ish thing + for deattack, or various openbsd developers under a 2-term bsd + licence. We're not changing any rules, just being accurate. 
+ - markus@cvs.openbsd.org 2000/09/07 14:40:30 + [channels.c channels.h clientloop.c serverloop.c ssh.c] + cleanup window and packet sizes for ssh2 flow control; ok niels + - markus@cvs.openbsd.org 2000/09/07 14:53:00 + [scp.c] + typo + - markus@cvs.openbsd.org 2000/09/07 15:13:37 + [auth-options.c auth-options.h auth-rh-rsa.c auth-rsa.c auth.c] + [authfile.h canohost.c channels.h compat.c hostfile.h log.c match.h] + [pty.c readconf.c] + some more Copyright fixes + - markus@cvs.openbsd.org 2000/09/08 03:02:51 + [README.openssh2] + bye bye + - deraadt@cvs.openbsd.org 2000/09/11 18:38:33 + [LICENCE cipher.c] + a few more comments about it being ARC4 not RC4 + - markus@cvs.openbsd.org 2000/09/12 14:53:11 + [log-client.c log-server.c log.c ssh.1 ssh.c ssh.h sshd.8 sshd.c] + multiple debug levels + - markus@cvs.openbsd.org 2000/09/14 14:25:15 + [clientloop.c] + typo + - deraadt@cvs.openbsd.org 2000/09/15 01:13:51 + [ssh-agent.c] + check return value for setenv(3) for failure, and deal appropriately + +20000913 + - (djm) Fix server not exiting with jobs in background. + +20000905 + - (djm) Import OpenBSD CVS changes + - markus@cvs.openbsd.org 2000/08/31 15:52:24 + [Makefile sshd.8 sshd_config sftp-server.8 sftp-server.c] + implement a SFTP server. interops with sftp2, scp2 and the windows + client from ssh.com + - markus@cvs.openbsd.org 2000/08/31 15:56:03 + [README.openssh2] + sync + - markus@cvs.openbsd.org 2000/08/31 16:05:42 + [session.c] + Wall + - markus@cvs.openbsd.org 2000/08/31 16:09:34 + [authfd.c ssh-agent.c] + add a flag to SSH2_AGENTC_SIGN_REQUEST for future extensions + - deraadt@cvs.openbsd.org 2000/09/01 09:25:13 + [scp.1 scp.c] + cleanup and fix -S support; stevesk@sweden.hp.com + - markus@cvs.openbsd.org 2000/09/01 16:29:32 + [sftp-server.c] + portability fixes + - markus@cvs.openbsd.org 2000/09/01 16:32:41 + [sftp-server.c] + fix cast; mouring@pconline.com + - itojun@cvs.openbsd.org 2000/09/03 09:23:28 + [ssh-add.1 ssh.1] + add missing .El against .Bl. 
+ - markus@cvs.openbsd.org 2000/09/04 13:03:41 + [session.c] + missing close; ok theo + - markus@cvs.openbsd.org 2000/09/04 13:07:21 + [session.c] + fix get_last_login_time order; from andre@van-veen.de + - markus@cvs.openbsd.org 2000/09/04 13:10:09 + [sftp-server.c] + more cast fixes; from mouring@pconline.com + - markus@cvs.openbsd.org 2000/09/04 13:06:04 + [session.c] + set SSH_ORIGINAL_COMMAND; from Leakin@dfw.nostrum.com, bet@rahul.net + - (djm) Cleanup after import. Fix sftp-server compilation, Makefile + - (djm) Merge cygwin support from Corinna Vinschen + +20000903 + - (djm) Fix Redhat init script + 20000901 - (djm) Pick up Jim's new X11-askpass - (djm) Release 2.2.0p1 20000831 - - (djm) Workaround SIGPIPE problems on SCO. Fix from Aran Cox + - (djm) Workaround SIGPIPE problems on SCO. Fix from Aran Cox - (djm) Pick up new version (2.2.0) from OpenBSD CVS @@ -11,7 +479,7 @@ - (djm) Compile warning fixes from Mark Miller - (djm) Periodically rekey arc4random - (djm) Clean up diff against OpenBSD. - - (djm) HPUX 11 needs USE_PIPES as well: Kevin Steves + - (djm) HPUX 11 needs USE_PIPES as well: Kevin Steves - (djm) Quieten the pam delete credentials error message - (djm) Fix printing of $DISPLAY hack if set by system type. Report from @@ -20,8 +488,8 @@ - (djm) Fix doh in bsd-arc4random.c 20000829 - - (djm) Fix ^C ignored issue on Solaris. Diagnosis from Gert - Doering , John Horne and + - (djm) Fix ^C ignored issue on Solaris. Diagnosis from Gert + Doering , John Horne and Garrick James - (djm) Check for SCO pty naming style (ptyp%d/ttyp%d). Based on fix from Bastian Trompetter 
@@ -60,8 +528,8 @@ 20000823 - (djm) Define USE_PIPES to avoid socketpair problems on HPUX 10 and SunOS 4 - Avoids "scp never exits" problem. Reports from Lutz Jaenicke - and Tamito KAJIYAMA + Avoids "scp never exits" problem. Reports from Lutz Jaenicke + and Tamito KAJIYAMA - (djm) Pick up LOGIN_PROGRAM from environment or PATH if not set by headers - (djm) Add local version to version.h @@ -91,8 +559,8 @@ [crc32.h] proper prototype - markus@cvs.openbsd.org 2000/08/19 15:34:44 - [authfd.c authfd.h key.c key.h ssh-add.1 ssh-add.c ssh-agent.1] - [ssh-agent.c ssh-keygen.c sshconnect1.c sshconnect2.c Makefile] + [authfd.c authfd.h key.c key.h ssh-add.1 ssh-add.c ssh-agent.1] + [ssh-agent.c ssh-keygen.c sshconnect1.c sshconnect2.c Makefile] [fingerprint.c fingerprint.h] add SSH2/DSA support to the agent and some other DSA related cleanups. (note that we cannot talk to ssh.com's ssh2 agents) @@ -166,9 +634,9 @@ 20000816 - (djm) Replacement for inet_ntoa for Irix (which breaks on gcc) - - (djm) Fix strerror replacement for old SunOS. Based on patch from + - (djm) Fix strerror replacement for old SunOS. Based on patch from Charles Levert - - (djm) Seperate arc4random into seperate file and use OpenSSL's RC4 + - (djm) Seperate arc4random into seperate file and use OpenSSL's RC4 implementation. - (djm) SUN_LEN macro for systems which lack it @@ -177,7 +645,7 @@ - (djm) Avoid failures on Irix when ssh is not setuid. Fix from Michael Stone - (djm) Don't seek in directory based lastlogs - - (djm) Fix --with-ipaddr-display configure option test. Patch from + - (djm) Fix --with-ipaddr-display configure option test. Patch from Jarno Huuskonen - (djm) Fix AIX limits from Alexandre Oliva 
@@ -186,9 +654,9 @@ Fabrice bacchella 20000809 - - (djm) Define AIX hard limits if headers don't. Report from + - (djm) Define AIX hard limits if headers don't. Report from Bill Painter - - (djm) utmp direct write & SunOS 4 patch from Charles Levert + - (djm) utmp direct write & SunOS 4 patch from Charles Levert 20000808 @@ -267,9 +735,9 @@ - (djm) Fixup for AIX getuserattr() support from Tom Bertelson - (djm) ReliantUNIX support from Udo Schweigert - - (djm) NeXT: dirent structures to get scp working from Ben Lindstrom + - (djm) NeXT: dirent structures to get scp working from Ben Lindstrom - - (djm) Fix broken inet_ntoa check and ut_user/ut_name confusion, report + - (djm) Fix broken inet_ntoa check and ut_user/ut_name confusion, report from Jim Watt - (djm) Replaced bsd-snprintf.c with one from Mutt source tree, it is known to compile on more platforms (incl NeXT). @@ -281,7 +749,7 @@ cleanup, less cut&paste - markus@cvs.openbsd.org 2000/06/26 15:59:19 [servconf.c servconf.h session.c sshd.8 sshd.c] - MaxStartups: limit number of unauthenticated connections, work by + MaxStartups: limit number of unauthenticated connections, work by theo and me - deraadt@cvs.openbsd.org 2000/07/05 14:18:07 [session.c] @@ -291,7 +759,7 @@ typo - aaron@cvs.openbsd.org 2000/07/05 22:06:58 [scp.1 ssh-agent.1 ssh-keygen.1 sshd.8] - Insert more missing .El directives. Our troff really should identify + Insert more missing .El directives. Our troff really should identify these and spit out a warning. - todd@cvs.openbsd.org 2000/07/06 21:55:04 [auth-rsa.c auth2.c ssh-keygen.c] @@ -324,7 +792,7 @@ Kevin Steves - (djm) Match prototype and function declaration for rresvport_af. Problem report from Niklas Edmundsson - - (djm) Missing $(DESTDIR) on host-key target causing problems with RPM + - (djm) Missing $(DESTDIR) on host-key target causing problems with RPM builds. Problem report from Gregory Leblanc - (djm) Replace ut_name with ut_user. Patch from Jim Watt 
@@ -334,19 +802,19 @@ uids. Based on problem report from Jim Watt - (djm) More NeXT compatibility from Ben Lindstrom Including sigaction() et al. replacements - - (djm) AIX getuserattr() session initialisation from Tom Bertelson + - (djm) AIX getuserattr() session initialisation from Tom Bertelson 20000708 - - (djm) Fix bad fprintf format handling in auth-pam.c. Patch from + - (djm) Fix bad fprintf format handling in auth-pam.c. Patch from Aaron Hopkins - (djm) Fix incorrect configure handling of --with-rsh-path option. Fix from Lutz Jaenicke - - (djm) Fixed undefined variables for OSF SIA. Report from + - (djm) Fixed undefined variables for OSF SIA. Report from Baars, Henk - - (djm) Handle EWOULDBLOCK returns from read() and write() in atomicio.c + - (djm) Handle EWOULDBLOCK returns from read() and write() in atomicio.c Fix from Marquess, Steve Mr JMLFDC - - (djm) Don't use inet_addr. + - (djm) Don't use inet_addr. 20000702 - (djm) Fix brace mismatch from Corinna Vinschen @@ -354,7 +822,7 @@ on fix from HARUYAMA Seigo - (djm) Use standard OpenSSL functions in auth-skey.c. Patch from Chris, the Young One - - (djm) Fix scp progress meter on really wide terminals. Based on patch + - (djm) Fix scp progress meter on really wide terminals. Based on patch from James H. Cloos Jr. 20000701 @@ -373,9 +841,9 @@ - (djm) Patch from Michael Stone to add support for Irix 6.x array sessions, project id's, and system audit trail id. - (djm) Added 'distprep' make target to simplify packaging - - (djm) Added patch from Chris Adams to add OSF SIA + - (djm) Added patch from Chris Adams to add OSF SIA support. Enable using "USE_SIA=1 ./configure [options]" - + 20000627 - (djm) Fixes to login code - not setting li->uid, cleanups - (djm) Formatting 
@@ -393,7 +861,7 @@ correct check for bad channel ids; from Wei Dai 20000623 - - (djm) Use sa_family_t in prototype for rresvport_af. Patch from + - (djm) Use sa_family_t in prototype for rresvport_af. Patch from Svante Signell - (djm) Autoconf logic to define sa_family_t if it is missing - OpenBSD CVS Updates: @@ -421,11 +889,11 @@ - markus@cvs.openbsd.org 2000/06/19 19:39:45 [atomicio.c auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth-skey.c authfd.c authfd.h authfile.c bufaux.c bufaux.h] - [buffer.c buffer.h canohost.c channels.c channels.h cipher.c cipher.h] + [buffer.c buffer.h canohost.c channels.c channels.h cipher.c cipher.h] [clientloop.c compat.c compat.h compress.c compress.h crc32.c crc32.h] [deattack.c dispatch.c dsa.c fingerprint.c fingerprint.h getput.h hmac.c] - [kex.c log-client.c log-server.c login.c match.c mpaux.c mpaux.h nchan.c] - [nchan.h packet.c packet.h pty.c pty.h readconf.c readconf.h readpass.c] + [kex.c log-client.c log-server.c login.c match.c mpaux.c mpaux.h nchan.c] + [nchan.h packet.c packet.h pty.c pty.h readconf.c readconf.h readpass.c] [rsa.c rsa.h scp.c servconf.c servconf.h ssh-add.c ssh-keygen.c ssh.c] [ssh.h tildexpand.c ttymodes.c ttymodes.h uidswap.c xmalloc.c xmalloc.h] OpenBSD tag 
@@ -434,17 +902,17 @@ 20000620 - (djm) Replace use of '-o' and '-a' logical operators in configure tests - with '||' and '&&'. As suggested by Jim Knoble + with '||' and '&&'. As suggested by Jim Knoble to fix SCO Unixware problem reported by Gary E. Miller - (djm) Typo in loginrec.c 20000618 - (djm) Add summary of configure options to end of ./configure run - - (djm) Not all systems define RUSAGE_SELF & RUSAGE_CHILDREN. Report from + - (djm) Not all systems define RUSAGE_SELF & RUSAGE_CHILDREN. Report from Michael Stone - - (djm) rusage is a privileged operation on some Unices (incl. + - (djm) rusage is a privileged operation on some Unices (incl. Solaris 2.5.1). Report from Paul D. Smith - - (djm) Avoid PAM failures when running without a TTY. Report from + - (djm) Avoid PAM failures when running without a TTY. Report from Martin Petrak - (djm) Include sys/types.h when including netinet/in.h in configure tests. Patch from Jun-ichiro itojun Hagino @@ -497,7 +965,7 @@ - Don't try to retrieve lastlog from wtmp/wtmpx if DISABLE_LASTLOG is def'd - Set AIX to use preformatted manpages - + 20000610 - (djm) Minor doc tweaks - (djm) Fix for configure on bash2 from Jim Knoble @@ -509,11 +977,11 @@ 20000606 - (djm) Cleanup of entropy.c. Reorganised code, removed second pass through list of commands (by default). Removed verbose debugging (by default). - - (djm) Increased command entropy estimates and default entropy collection + - (djm) Increased command entropy estimates and default entropy collection timeout - (djm) Remove duplicate headers from loginrec.c - (djm) Don't add /usr/local/lib to library search path on Irix - - (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III + - (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III - (djm) Warn user if grabs fail in GNOME askpass. Patch from Zack Weinberg 
@@ -523,7 +991,7 @@ teach protocol v2 to count login failures properly and also enable an explanation of why the password prompt comes up again like v1; this is NOT crypto - - markus@cvs.openbsd.org + - markus@cvs.openbsd.org [readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8] xauth_location support; pr 1234 [readconf.c sshconnect2.c] @@ -536,14 +1004,14 @@ [version.h] OpenSSH 2.1.1 [auth-rsa.c] - fix match_hostname() logic for auth-rsa: deny access if we have a + fix match_hostname() logic for auth-rsa: deny access if we have a negative match or no match at all [channels.c hostfile.c match.c] - don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via + don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org 20000606 - - (djm) Added --with-cflags, --with-ldflags and --with-libs options to + - (djm) Added --with-cflags, --with-ldflags and --with-libs options to configure. 20000604 @@ -554,7 +1022,7 @@ - (andre) New login code - Remove bsd-login.[ch] and all the OpenBSD-derived code in login.c - Add loginrec.[ch], logintest.c and autoconf code - + 20000531 - Cleanup of auth.c, login.c and fake-* - Cleanup of auth-pam.c, save and print "account expired" error messages @@ -590,9 +1058,9 @@ - Don't touch utmp if USE_UTMPX defined - SunOS 4.x support from Todd C. Miller - SIGCHLD fix for AIX and HPUX from Tom Bertelson - - HPUX and Configure fixes from Lutz Jaenicke + - HPUX and Configure fixes from Lutz Jaenicke - - Use mkinstalldirs script to make directories instead of non-portable + - Use mkinstalldirs script to make directories instead of non-portable "install -d". Suggested by Lutz Jaenicke - Doc cleanup 
@@ -603,7 +1071,7 @@ [sshconnect.c] copy only ai_addrlen bytes; misiek@pld.org.pl [auth.c] - accept an empty shell in authentication; bug reported by + accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu [serverloop.c] we don't have stderr for interactive terminal sessions (fcntl errors) @@ -621,10 +1089,10 @@ optionally run 'ent' to measure command entropy - Applied Tom Bertelson's AIX authentication fix - Avoid WCOREDUMP complation errors for systems that lack it - - Avoid SIGCHLD warnings from entropy commands + - Avoid SIGCHLD warnings from entropy commands - Fix HAVE_PAM_GETENVLIST setting from Simon Wilkinson - OpenBSD CVS update: - - markus@cvs.openbsd.org + - markus@cvs.openbsd.org [ssh.c] fix usage() [ssh2.h] @@ -639,19 +1107,19 @@ - INSTALL typo and URL fix - Makefile fix - Solaris fixes - - Checking for ssize_t and memmove. Based on patch from SAKAI Kiyotaka + - Checking for ssize_t and memmove. Based on patch from SAKAI Kiyotaka - RSAless operation patch from kevin_oconnor@standardandpoors.com - Detect OpenSSL seperatly from RSA - - Better test for RSA (more compatible with RSAref). Based on work by + - Better test for RSA (more compatible with RSAref). Based on work by Ed Eden 20000513 - - Fix for non-recognised DSA keys from Arkadiusz Miskiewicz + - Fix for non-recognised DSA keys from Arkadiusz Miskiewicz 20000511 - - Fix for prng_seed permissions checking from Lutz Jaenicke + - Fix for prng_seed permissions checking from Lutz Jaenicke - "make host-key" fix for Irix @@ -680,7 +1148,7 @@ - OpenSSH-2.1 - Moved all the bsd-* and fake-* stuff into new libopenbsd-compat.a - Doc updates - - Cleanup of bsd-base64 headers, bugfix definitions of __b64_*. Reported + - Cleanup of bsd-base64 headers, bugfix definitions of __b64_*. Reported by Andre Lucas 20000508 
@@ -694,7 +1162,7 @@ - interop w/ SecureFX - Release 2.0.0beta2 - - Configure caching and cleanup patch from Andre Lucas' + - Configure caching and cleanup patch from Andre Lucas' 20000507 @@ -712,7 +1180,7 @@ - deraadt@cvs.openbsd.org [scp.c] - more atomicio - - markus@cvs.openbsd.org + - markus@cvs.openbsd.org [channels.c] - set O_NONBLOCK [ssh.1] @@ -730,7 +1198,7 @@ - document -X and -x [ssh-keygen.c] - simplify usage - - markus@cvs.openbsd.org + - markus@cvs.openbsd.org [sshd.8] - there is no rhosts_dsa [ssh-keygen.1] @@ -780,7 +1248,7 @@ - unlink pid file, ok niels@ [auth2.c] - Add missing #ifdefs; ok - markus - - Add Andre Lucas' patch to read entropy + - Add Andre Lucas' patch to read entropy gathering commands from a text file - Release 2.0.0beta1 @@ -798,9 +1266,9 @@ - Minor tweaks and typo fixes. [ssh-keygen.c] - Put -d into usage and reorder. markus ok. - - Include missing headers for OpenSSL tests. Fix from Phil Karn + - Include missing headers for OpenSSL tests. Fix from Phil Karn - - Fixed __progname symbol collisions reported by Andre Lucas + - Fixed __progname symbol collisions reported by Andre Lucas - Merged bsd-login ttyslot and AIX utmp patch from Gert Doering @@ -816,7 +1284,7 @@ - Adds timeout to entropy collection - Disables slow entropy sources - Load and save seed file - - Changed entropy seed code to user per-user seeds only (server seed is + - Changed entropy seed code to user per-user seeds only (server seed is saved in root's .ssh directory) - Use atexit() and fatal cleanups to save seed on exit - More OpenBSD updates: @@ -866,7 +1334,7 @@ [sshconnect2.c] - less debug, respect .ssh/config [README.openssh2 channels.c channels.h] - - clientloop.c session.c ssh.c + - clientloop.c session.c ssh.c - support for x11-fwding, client+server 20000421 
@@ -876,11 +1344,11 @@ via Debian bug #59926 - Define __progname in session.c if libc doesn't - Remove indentation on autoconf #include statements to avoid bug in - DEC Tru64 compiler. Report and fix from David Del Piero + DEC Tru64 compiler. Report and fix from David Del Piero 20000420 - - Make fixpaths work with perl4, patch from Andre Lucas + - Make fixpaths work with perl4, patch from Andre Lucas - Sync with OpenBSD CVS: [clientloop.c login.c serverloop.c ssh-agent.c ssh.h sshconnect.c sshd.c] @@ -900,7 +1368,7 @@ [channels.c] - fix pr 1196, listen_port and port_to_connect interchanged [scp.c] - - after completion, replace the progress bar ETA counter with a final + - after completion, replace the progress bar ETA counter with a final elapsed time; my idea, aaron wrote the patch [ssh_config sshd_config] - show 'Protocol' as an example, ok markus@ @@ -910,7 +1378,7 @@ 20000416 - Reduce diff against OpenBSD source - - All OpenSSL includes are now unconditionally referenced as + - All OpenSSL includes are now unconditionally referenced as openssl/foo.h - Pick up formatting changes - Other minor changed (typecasts, etc) that I missed @@ -928,7 +1396,7 @@ 20000413 - INSTALL doc updates - Merged OpenBSD updates to include paths. - + 20000412 - OpenBSD CVS updates: - [channels.c] @@ -959,7 +1427,7 @@ no adjust after close - [sshd.c compat.c ] interop w/ latest ssh.com windows client. - + 20000406 - OpenBSD CVS update: - [channels.c] @@ -1027,7 +1495,7 @@ 20000326 - Better tests for OpenSSL w/ RSAref - - Added replacement setenv() function from OpenBSD libc. Suggested by + - Added replacement setenv() function from OpenBSD libc. Suggested by Ben Lindstrom - OpenBSD CVS update - [auth-krb4.c] 
@@ -1055,17 +1523,17 @@ - Checks for 64 bit int types. Problem report from Mats Fredholm - OpenBSD CVS updates: - - [atomicio.c auth-krb4.c bufaux.c channels.c compress.c fingerprint.c] + - [atomicio.c auth-krb4.c bufaux.c channels.c compress.c fingerprint.c] [packet.h radix.c rsa.c scp.c ssh-agent.c ssh-keygen.c sshconnect.c] [sshd.c] pedantic: signed vs. unsigned, void*-arithm, etc - [ssh.1 sshd.8] Various cleanups and standardizations. - - Runtime error fix for HPUX from Otmar Stahl + - Runtime error fix for HPUX from Otmar Stahl 20000316 - - Fixed configure not passing LDFLAGS to Solaris. Report from David G. + - Fixed configure not passing LDFLAGS to Solaris. Report from David G. Hesprich - Propogate LD through to Makefile - Doc cleanups @@ -1074,18 +1542,18 @@ 20000315 - Fix broken CFLAGS handling during search for OpenSSL. Fixes va_list problems with gcc/Solaris. - - Don't free argument to putenv() after use (in setenv() replacement). + - Don't free argument to putenv() after use (in setenv() replacement). Report from Seigo Tanimura - - Created contrib/ subdirectory. Included helpers from Phil Hands' + - Created contrib/ subdirectory. Included helpers from Phil Hands' Debian package, README file and chroot patch from Ricardo Cerqueira - - Moved gnome-ssh-askpass.c to contrib directory and removed config + - Moved gnome-ssh-askpass.c to contrib directory and removed config option. - Slight cleanup to doc files - Configure fix from Bratislav ILICH 20000314 - - Include macro for IN6_IS_ADDR_V4MAPPED. Report from + - Include macro for IN6_IS_ADDR_V4MAPPED. Report from peter@frontierflying.com - Include /usr/local/include and /usr/local/lib for systems that don't do it themselves 
@@ -1120,7 +1588,7 @@ - use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE [pty.c pty.h] - - register cleanup for pty earlier. move code for pty-owner handling to + - register cleanup for pty earlier. move code for pty-owner handling to pty.c ok provos@, dugsong@ [readconf.c] - turn off x11-fwd for the client, too. @@ -1156,13 +1624,13 @@ - missing xfree() - move XAUTHORITY to subdir. ok dugsong@. fixes debian bug #57907, too. (http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=57907) - - register cleanup for pty earlier. move code for pty-owner handling to + - register cleanup for pty earlier. move code for pty-owner handling to pty.c ok provos@, dugsong@ - create x11 cookie file - fix pr 1113, fclose() -> pclose(), todo: remote popen() - version 1.2.3 - Cleaned up - - Removed warning workaround for Linux and devpts filesystems (no longer + - Removed warning workaround for Linux and devpts filesystems (no longer required after OpenBSD updates) 20000308 @@ -1176,13 +1644,13 @@ - Explicitly seed OpenSSL's PRNG before checking rsa_alive() - Check for getpagesize in libucb.a if not found in libc. Fix for old Solaris from Andre Lucas - - Check for libwrap if --with-tcp-wrappers option specified. Suggestion + - Check for libwrap if --with-tcp-wrappers option specified. Suggestion Mate Wierdl 20000303 - Added "make host-key" target, Suggestion from Dominik Brettnacher - - Don't permanently fail on bind() if getaddrinfo has more choices left for + - Don't permanently fail on bind() if getaddrinfo has more choices left for us. Needed to work around messy IPv6 on Linux. Patch from Arkadiusz Miskiewicz - DEC Unix compile fix from David Del Piero 
@@ -1197,10 +1665,10 @@ RSA support built in (this is a problem with OpenSSL 0.9.5). - Applied pty cleanup patch from markus.friedl@informatik.uni-erlangen.de - Avoid warning message with Unix98 ptys - - Warning was valid - possible race condition on PTYs. Avoided using + - Warning was valid - possible race condition on PTYs. Avoided using platform-specific code. - Document some common problems - - Allow root access to any key. Patch from + - Allow root access to any key. Patch from markus.friedl@informatik.uni-erlangen.de 20000207 @@ -1211,10 +1679,10 @@ - Add --with-ssl-dir option 20000202 - - Fix lastlog code for directory based lastlogs. Fix from Josh Durham + - Fix lastlog code for directory based lastlogs. Fix from Josh Durham - Documentation fixes from HARUYAMA Seigo - - Added URLs to Japanese translations of documents by HARUYAMA Seigo + - Added URLs to Japanese translations of documents by HARUYAMA Seigo 20000201 
@@ -1229,24 +1697,24 @@ 20000126 - Released 1.2.2 stable - - NeXT keeps it lastlog in /usr/adm. Report from + - NeXT keeps it lastlog in /usr/adm. Report from mouring@newton.pconline.com - - Added note in UPGRADING re interop with commercial SSH using idea. + - Added note in UPGRADING re interop with commercial SSH using idea. Report from Jim Knoble - Fix linking order for Kerberos/AFS. Fix from Holget Trapp 20000125 - - Fix NULL pointer dereference in login.c. Fix from Andre Lucas + - Fix NULL pointer dereference in login.c. Fix from Andre Lucas - Reorder PAM initialisation so it does not mess up lastlog. Reported by Andre Lucas - - Use preformatted manpages on SCO, report from Gary E. Miller + - Use preformatted manpages on SCO, report from Gary E. Miller - New URL for x11-ssh-askpass. - - Fixpaths was missing /etc/ssh_known_hosts. Report from Jim Knoble + - Fixpaths was missing /etc/ssh_known_hosts. Report from Jim Knoble - - Added 'DESTDIR' option to Makefile to ease package building. Patch from + - Added 'DESTDIR' option to Makefile to ease package building. Patch from Jim Knoble - Updated RPM spec files to use DESTDIR @@ -1258,7 +1726,7 @@ - OpenBSD CVS: - [packet.c] getsockname() requires initialized tolen; andy@guildsoftware.com - - AIX patch from Matt Richards and David Rankin + - AIX patch from Matt Richards and David Rankin - Fix lastlog support, patch from Andre Lucas 
@@ -1278,9 +1746,9 @@ - [sshd.c] log with level log() not fatal() if peer behaves badly. - [readpass.c] - instead of blocking SIGINT, catch it ourselves, so that we can clean - the tty modes up and kill ourselves -- instead of our process group - leader (scp, cvs, ...) going away and leaving us in noecho mode. + instead of blocking SIGINT, catch it ourselves, so that we can clean + the tty modes up and kill ourselves -- instead of our process group + leader (scp, cvs, ...) going away and leaving us in noecho mode. people with cbreak shells never even noticed.. - [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8] ie. -> i.e., @@ -1293,12 +1761,12 @@ - [sshconnect.c] - disable agent fwding for proto 1.3, remove abuse of auth-rsa flags. - destroy keys earlier - - split key exchange (kex) and user authentication (user-auth), + - split key exchange (kex) and user authentication (user-auth), ok: provos@ - [sshd.c] - no need for poll.h; from bright@wintelcom.net - disable agent fwding for proto 1.3, remove abuse of auth-rsa flags. - - split key exchange (kex) and user authentication (user-auth), + - split key exchange (kex) and user authentication (user-auth), ok: provos@ - Big manpage and config file cleanup from Andre Lucas 
@@ -1317,29 +1785,29 @@ 20000118 - Fixed --with-pid-dir option - Makefile fix from Gary E. Miller - - Compile fix for HPUX and Solaris from Andre Lucas + - Compile fix for HPUX and Solaris from Andre Lucas 20000117 - Clean up bsd-bindresvport.c. Use arc4random() for picking initial port, ignore EINVAL errors (Linux) when searching for free port. - - Revert __snprintf -> snprintf aliasing. Apparently Solaris + - Revert __snprintf -> snprintf aliasing. Apparently Solaris __snprintf isn't. Report from Theo de Raadt - Document location of Redhat PAM file in INSTALL. - - Fixed X11 forwarding bug on Linux. libc advertises AF_INET6 - INADDR_ANY_INIT addresses via getaddrinfo, but may not be able to + - Fixed X11 forwarding bug on Linux. libc advertises AF_INET6 + INADDR_ANY_INIT addresses via getaddrinfo, but may not be able to deliver (no IPv6 kernel support) - Released 1.2.1pre27 - Fix rresvport_af failure errors (logic error in bsd-bindresvport.c) - - Fix --with-ipaddr-display option test. Fix from Jarno Huuskonen + - Fix --with-ipaddr-display option test. Fix from Jarno Huuskonen - - Fix hang on logout if processes are still using the pty. Needs + - Fix hang on logout if processes are still using the pty. Needs further testing. - Patch from Christos Zoulas - Try $prefix first when looking for OpenSSL. - Include sys/types.h when including sys/socket.h in test programs - - Substitute PID directory in sshd.8. Suggestion from Andrew + - Substitute PID directory in sshd.8. Suggestion from Andrew Stribblehill 20000116 
@@ -1348,17 +1816,17 @@ - Released 1.2.1pre26 - Compilation fix from Kiyokazu SUTO - - Fixed broken bugfix for /dev/ptmx on Linux systems which lack + - Fixed broken bugfix for /dev/ptmx on Linux systems which lack openpty(). Report from Kiyokazu SUTO 20000115 - Add --with-xauth-path configure directive and explicit test for - /usr/openwin/bin/xauth for Solaris systems. Report from Anders + /usr/openwin/bin/xauth for Solaris systems. Report from Anders Nordby - - Fix incorrect detection of /dev/ptmx on Linux systems that lack + - Fix incorrect detection of /dev/ptmx on Linux systems that lack openpty. Report from John Seifarth - Look for intXX_t and u_intXX_t in sys/bitypes.h if they are not in - sys/types.h. Fixes problems on SCO, report from Gary E. Miller + sys/types.h. Fixes problems on SCO, report from Gary E. Miller - Use __snprintf and __vnsprintf if they are found where snprintf and vnsprintf are lacking. Suggested by Ben Taylor @@ -1370,11 +1838,11 @@ [scp.c packet.h packet.c login.c log.c canohost.c channels.c] [hostfile.c sshd_config] ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new - features: sshd allows multiple ListenAddress and Port options. note - that libwrap is not IPv6-ready. (based on patches from + features: sshd allows multiple ListenAddress and Port options. note + that libwrap is not IPv6-ready. (based on patches from fujiwara@rcac.tdi.co.jp) - [ssh.c canohost.c] - more hints (hints.ai_socktype=SOCK_STREAM) for getaddrinfo, + more hints (hints.ai_socktype=SOCK_STREAM) for getaddrinfo, from itojun@ - [channels.c] listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE) @@ -1383,7 +1851,7 @@ - [scp.1 sshd.8 servconf.h scp.c] document -4, -6, and 'ssh -L 2022/::1/22' - [ssh.c] - 'ssh @host' is illegal (null user name), from + 'ssh @host' is illegal (null user name), from karsten@gedankenpolizei.de - [sshconnect.c] better error message 
@@ -1412,7 +1880,7 @@ Holger Trapp 20000105 - - Fixed annoying DES corruption problem. libcrypt has been + - Fixed annoying DES corruption problem. libcrypt has been overriding symbols in libcrypto. Removed libcrypt and crypt.h altogether (libcrypto includes its own crypt(1) replacement) - Added platform-specific rules for Irix 6.x. Included warning that @@ -1420,14 +1888,14 @@ 20000103 - Add explicit make rules for files proccessed by fixpaths. - - Fix "make install" in RPM spec files. Report from Tenkou N. Hattori + - Fix "make install" in RPM spec files. Report from Tenkou N. Hattori - - Removed "nullok" directive from default PAM configuration files. - Added information on enabling EmptyPasswords on openssh+PAM in + - Removed "nullok" directive from default PAM configuration files. + Added information on enabling EmptyPasswords on openssh+PAM in UPGRADING file. - OpenBSD CVS updates - [ssh-agent.c] - cleanup_exit() for SIGTERM/SIGHUP, too. from fgsch@ and + cleanup_exit() for SIGTERM/SIGHUP, too. from fgsch@ and dgaudet@arctic.org - [sshconnect.c] compare correct version for 1.3 compat mode @@ -1439,18 +1907,18 @@ 19991231 - - Fix password support on systems with a mixture of shadowed and - non-shadowed passwords (e.g. NIS). Report and fix from + - Fix password support on systems with a mixture of shadowed and + non-shadowed passwords (e.g. NIS). Report and fix from HARUYAMA Seigo - - Fix broken autoconf typedef detection. Report from Marc G. + - Fix broken autoconf typedef detection. Report from Marc G. Fournier - Fix occasional crash on LinuxPPC. Patch from Franz Sirl - - Prevent typedefs from being compiled more than once. Report from + - Prevent typedefs from being compiled more than once. Report from Marc G. Fournier - Fill in ut_utaddr utmp field. Report from Benjamin Charron - - Really fix broken default path. Fix from Jim Knoble + - Really fix broken default path. Fix from Jim Knoble - Remove test for quad_t. No longer needed. - Released 1.2.1pre24 
@@ -1462,9 +1930,9 @@ - OpenBSD CVS updates: - [auth-passwd.c] check for NULL 1st - - Removed most of the pam code into its own file auth-pam.[ch]. This + - Removed most of the pam code into its own file auth-pam.[ch]. This cleaned up sshd.c up significantly. - - PAM authentication was incorrectly interpreting + - PAM authentication was incorrectly interpreting "PermitRootLogin without-password". Report from Matthias Andree - Fix --with-default-path option. - - Autodetect perl, patch from David Rankin + - Autodetect perl, patch from David Rankin - - Print whether OpenSSH was compiled with RSARef, patch from + - Print whether OpenSSH was compiled with RSARef, patch from Nalin Dahyabhai - - Calls to pam_setcred, patch from Nalin Dahyabhai + - Calls to pam_setcred, patch from Nalin Dahyabhai - Detect missing size_t and typedef it. - Rename helper.[ch] to (more appropriate) bsd-misc.[ch] @@ -1489,7 +1957,7 @@ 19991228 - Replacement for getpagesize() for systems which lack it - - NetBSD login.c compile fix from David Rankin + - NetBSD login.c compile fix from David Rankin - Fully set ut_tv if present in utmp or utmpx - Portability fixes for Irix 5.3 (now compiles OK!) @@ -1521,15 +1989,15 @@ - Revised RPM package to include Jim Knoble's X11 ssh-askpass program. - Disable logging of PAM success and failures, PAM is verbose enough. - Unfortunatly there is currently no way to disable auth failure - messages. Mention this in UPGRADING file and sent message to PAM + Unfortunatly there is currently no way to disable auth failure + messages. Mention this in UPGRADING file and sent message to PAM developers - OpenBSD CVS update: - [ssh-keygen.1 ssh.1] - remove ref to .ssh/random_seed, mention .ssh/environment in + remove ref to .ssh/random_seed, mention .ssh/environment in .Sh FILES, too - Released 1.2.1pre21 - - Fixed implicit '.' in default path, report from Jim Knoble + - Fixed implicit '.' in default path, report from Jim Knoble - Redhat RPM spec fixes from Jim Knoble 
@@ -1546,20 +2014,20 @@ <96na@eng.cam.ac.uk>) 19991223 - - Merged later HPUX patch from Andre Lucas + - Merged later HPUX patch from Andre Lucas - Above patch included better utmpx support from Ben Taylor 19991222 - - Fix undefined fd_set type in ssh.h from Povl H. Pedersen + - Fix undefined fd_set type in ssh.h from Povl H. Pedersen - Fix login.c breakage on systems which lack ut_host in struct utmp. Reported by Willard Dawson 19991221 - - Integration of large HPUX patch from Andre Lucas - . Integrating it had a few other + - Integration of large HPUX patch from Andre Lucas + . Integrating it had a few other benefits: - Ability to disable shadow passwords at configure time - Ability to disable lastlog support at configure time @@ -1572,12 +2040,12 @@ - Release 1.2.1pre19 19991218 - - Redhat init script patch from Chun-Chung Chen + - Redhat init script patch from Chun-Chung Chen - Avoid breakage on systems without IPv6 headers 19991216 - - Makefile changes for Solaris from Peter Kocks + - Makefile changes for Solaris from Peter Kocks - Minor updates to docs - Merged OpenBSD CVS changes: @@ -1585,7 +2053,7 @@ keysize warnings talk about identity files - [packet.c] "Connection closed by x.x.x.x": fatal() -> log() - - Correctly handle empty passwords in shadow file. Patch from: + - Correctly handle empty passwords in shadow file. Patch from: "Chris, the Young One" - Released 1.2.1pre18 @@ -1595,13 +2063,13 @@ - Use LDFLAGS correctly - Fix SIGIO error in scp - Simplify status line printing in scp - - Added better test for inline functions compiler support from + - Added better test for inline functions compiler support from Darren_Hall@progressive.com 19991214 - OpenBSD CVS Changes - [canohost.c] - fix get_remote_port() and friends for sshd -i; + fix get_remote_port() and friends for sshd -i; Holger.Trapp@Informatik.TU-Chemnitz.DE - [mpaux.c] make code simpler. no need for memcpy. niels@ ok 
@@ -1621,16 +2089,16 @@ - Doc updates 19991211 - - Fix compilation on systems with AFS. Reported by + - Fix compilation on systems with AFS. Reported by aloomis@glue.umd.edu - - Fix installation on Solaris. Reported by + - Fix installation on Solaris. Reported by Gordon Rowell - Fix gccisms (__attribute__ and inline). Report by edgy@us.ibm.com, patch from Markus Friedl - Auto-locate xauth. Patch from David Agraz - Compile fix from David Agraz - Avoid compiler warning in bsd-snprintf.c - - Added pam_limits.so to default PAM config. Suggested by + - Added pam_limits.so to default PAM config. Suggested by Jim Knoble 19991209 @@ -1645,8 +2113,8 @@ - [sshd.c] make sure the client selects a supported cipher - [sshd.c] - fix sighup handling. accept would just restart and daemon handled - sighup only after the next connection was accepted. use poll on + fix sighup handling. accept would just restart and daemon handled + sighup only after the next connection was accepted. use poll on listen sock now. - [sshd.c] make that a fatal @@ -1655,18 +2123,18 @@ - Released 1.2pre17 19991208 - - Compile fix for Solaris with /dev/ptmx from + - Compile fix for Solaris with /dev/ptmx from David Agraz 19991207 - sshd Redhat init script patch from Jim Knoble fixes compatability with 4.x and 5.x - Fixed default SSH_ASKPASS - - Fix PAM account and session being called multiple times. Problem + - Fix PAM account and session being called multiple times. Problem reported by Adrian Baugh - Merged more OpenBSD changes: - [atomicio.c authfd.c scp.c serverloop.c ssh.h sshconnect.c sshd.c] - move atomicio into it's own file. wrap all socket write()s which + move atomicio into it's own file. wrap all socket write()s which were doing write(sock, buf, len) != len, with atomicio() calls. - [auth-skey.c] fd leak 
@@ -1780,23 +2248,23 @@ 19991122 - Make close gnome-ssh-askpass (Debian bug #50299) - OpenBSD CVS Changes - - [ssh-keygen.c] - don't create ~/.ssh only if the user wants to store the private - key there. show fingerprint instead of public-key after + - [ssh-keygen.c] + don't create ~/.ssh only if the user wants to store the private + key there. show fingerprint instead of public-key after keygeneration. ok niels@ - Added OpenBSD bsd-strlcat.c, created bsd-strlcat.h - Added timersub() macro - Tidy RCSIDs of bsd-*.c - - Added autoconf test and macro to deal with old PAM libraries + - Added autoconf test and macro to deal with old PAM libraries pam_strerror definition (one arg vs two). - Fix EGD problems (Thanks to Ben Taylor ) - - Retry /dev/urandom reads interrupted by signal (report from + - Retry /dev/urandom reads interrupted by signal (report from Robert Hardy ) - Added a setenv replacement for systems which lack it - Only display public key comment when presenting ssh-askpass dialog - Released 1.2pre14 - - Configure, Make and changelog corrections from Tudor Bosman + - Configure, Make and changelog corrections from Tudor Bosman and Niels Kristian Bech Jensen 19991121 @@ -1823,13 +2291,13 @@ print usage() everytime we get bad options - [ssh-keygen.c] overflow, djm@mindrot.org - [sshd.c] fix sigchld race; cjc5@po.cwru.edu - + 19991120 - - Merged more Solaris support from Marc G. Fournier + - Merged more Solaris support from Marc G. Fournier - Wrote autoconf tests for integer bit-types - Fixed enabling kerberos support - - Fix segfault in ssh-keygen caused by buffer overrun in filename + - Fix segfault in ssh-keygen caused by buffer overrun in filename handling. 19991119 
@@ -1842,14 +2310,14 @@ - EGD uses a socket, not a named pipe. Duh. - Fix includes in fingerprint.c - Fix scp progress bar bug again. - - Move ssh-askpass from ${libdir}/ssh to ${libexecdir}/ssh at request of + - Move ssh-askpass from ${libdir}/ssh to ${libexecdir}/ssh at request of David Rankin - Added autoconf option to enable Kerberos 4 support (untested) - Added autoconf option to enable AFS support (untested) - Added autoconf option to enable S/Key support (untested) - Added autoconf option to enable TCP wrappers support (compiles OK) - Renamed BSD helper function files to bsd-* - - Added tests for login and daemon and enable OpenBSD replacements for + - Added tests for login and daemon and enable OpenBSD replacements for when they are absent. - Added non-PAM MD5 password support patch from Tudor Bosman @@ -1857,7 +2325,7 @@ - Merged OpenBSD CVS changes - [scp.c] foregroundproc() in scp - [sshconnect.h] include fingerprint.h - - [sshd.c] bugfix: the log() for passwd-auth escaped during logging + - [sshd.c] bugfix: the log() for passwd-auth escaped during logging changes. - [ssh.1] Spell my name right. - Added openssh.com info to README 
@@ -1866,20 +2334,20 @@ - Merged OpenBSD CVS changes - [ChangeLog.Ylonen] noone needs this anymore - [authfd.c] close-on-exec for auth-socket, ok deraadt - - [hostfile.c] - in known_hosts key lookup the entry for the bits does not need - to match, all the information is contained in n and e. This - solves the problem with buggy servers announcing the wrong + - [hostfile.c] + in known_hosts key lookup the entry for the bits does not need + to match, all the information is contained in n and e. This + solves the problem with buggy servers announcing the wrong modulus length. markus and me. - - [serverloop.c] - bugfix: check for space if child has terminated, from: + - [serverloop.c] + bugfix: check for space if child has terminated, from: iedowse@maths.tcd.ie - [ssh-add.1 ssh-add.c ssh-keygen.1 ssh-keygen.c sshconnect.c] [fingerprint.c fingerprint.h] rsa key fingerprints, idea from Bjoern Groenvall - [ssh-agent.1] typo - [ssh.1] add OpenSSH information to AUTHOR section. okay markus@ - - [sshd.c] + - [sshd.c] force logging to stderr while loading private key file (lost while converting to new log-levels) @@ -1900,10 +2368,10 @@ 19991115 - Merged OpenBSD CVS changes: - - [ssh-add.c] change passphrase loop logic and remove ref to + - [ssh-add.c] change passphrase loop logic and remove ref to $DISPLAY, ok niels - Changed to ssh-add.c broke askpass support. Revised it to be a little more - modular. + modular. - Revised autoconf support for enabling/disabling askpass support. - Merged more OpenBSD CVS changes: [auth-krb4.c] 
@@ -1943,9 +2411,9 @@ - Added 'Obsoletes' lines to RPM spec file - Merged OpenBSD CVS changes: - [bufaux.c] save a view malloc/memcpy/memset/free's, ok niels - - [scp.c] fix overflow reported by damien@ibs.com.au: off_t + - [scp.c] fix overflow reported by damien@ibs.com.au: off_t totalsize, ok niels,aaron - - Delay fork (-f option) in ssh until after port forwarded connections + - Delay fork (-f option) in ssh until after port forwarded connections have been initialised. Patch from Jani Hakala - Added shadow password patch from Thomas Neumann - Added ifdefs to auth-passwd.c to exclude it when PAM is enabled @@ -1957,7 +2425,7 @@ - Merged changes from OpenBSD CVS - [sshd.c] session_key_int may be zero - [auth-rh-rsa.c servconf.c servconf.h ssh.h sshd.8 sshd.c sshd_config] - IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok + IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert - Brought default sshd_config more in line with OpenBSD's - Grab server in gnome-ssh-askpass (Debian bug #49872) @@ -1986,11 +2454,11 @@ - [auth-rh-rsa.c] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too - [ssh.1] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too - [sshd.8] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too - - Fix integer overflow which was messing up scp's progress bar for large + - Fix integer overflow which was messing up scp's progress bar for large file transfers. Fix submitted to OpenBSD developers. Report and fix from Kees Cook - Merged more OpenBSD CVS changes: - - [auth-krb4.c auth-passwd.c] remove x11- and krb-cleanup from fatal() + - [auth-krb4.c auth-passwd.c] remove x11- and krb-cleanup from fatal() + krb-cleanup cleanup - [clientloop.c log-client.c log-server.c ] [readconf.c readconf.h servconf.c servconf.h ] 
@@ -2079,7 +2547,7 @@ - Improved PAM logging - Added some debug() calls for PAM - Removed redundant subdirectories - - Integrated part of a patch from Dan Brosemer for + - Integrated part of a patch from Dan Brosemer for building on Debian. - Fixed off-by-one error in PAM env patch - Released 1.2pre6
diff -ru openssh-2.2.0p1/INSTALL openssh-2.3.0p1/INSTALL
--- openssh-2.2.0p1/INSTALL 2000-08-31 11:13:10.000000000 +1100
+++ openssh-2.3.0p1/INSTALL 2000-10-18 11:02:25.000000000 +1100
@@ -40,6 +40,13 @@
OpenSSH has only been tested with GNU make. It may work with other 'make' programs, but you are on your own.
+pcre (POSIX Regular Expression library):
+ftp://ftp.cus.cam.ac.uk/pub/software/programs/pcre/
+
+Most platforms do not required this. However older 4.3 BSD do not
+have a posix regex library.
+
+
2. Building / Installation
--------------------------
Only in openssh-2.3.0p1: LICENCE
diff -ru openssh-2.2.0p1/Makefile.in openssh-2.3.0p1/Makefile.in
--- openssh-2.2.0p1/Makefile.in 2000-08-23 10:46:23.000000000 +1000
+++ openssh-2.3.0p1/Makefile.in 2000-11-06 08:13:45.000000000 +1100
@@ -15,13 +15,12 @@
VPATH=@srcdir@
SSH_PROGRAM=@bindir@/ssh
-ASKPASS_LOCATION=@libexecdir@/ssh
-ASKPASS_PROGRAM=$(ASKPASS_LOCATION)/ssh-askpass
+ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
CC=@CC@
LD=@LD@
PATHS=-DETCDIR=\"$(sysconfdir)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DSSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\"
-CFLAGS=@CFLAGS@ -I. -I$(srcdir) $(PATHS) @DEFS@
+CFLAGS=@CFLAGS@ $(PATHS) @DEFS@
LIBS=@LIBS@
AR=@AR@
RANLIB=@RANLIB@
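Review bot: The new `CFLAGS=@CFLAGS@ $(PATHS) @DEFS@` drops `-I. -I$(srcdir)`, so config.h and the headers in $(srcdir) are found only if configure now folds those include paths into @CFLAGS@, which this file cannot confirm; with `VPATH=@srcdir@` on the first context line, an out-of-tree build is the case most likely to break if it does not. A one-line comment above the assignment, e.g. `# -I. and -I$(srcdir) come from configure via @CFLAGS@`, would record where the include paths now live and stop them being re-added here. The reworked `ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass` is compiled into ssh as SSH_ASKPASS_DEFAULT through $(PATHS), so it must match where ssh-askpass is really installed; the install-files rule later in this diff creates $(libexecdir) but does not itself install ssh-askpass there, so that path is worth checking against the askpass package that is actually used.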
@@ -29,26 +28,28 @@
PERL=@PERL@
ENT=@ENT@
LDFLAGS=-L. @LDFLAGS@
+EXEEXT=@EXEEXT@
+SSH_MODE= @SSHMODE@
INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
-TARGETS=ssh sshd ssh-add ssh-keygen ssh-agent scp $(EXTRA_TARGETS)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) $(EXTRA_TARGETS)
-LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o dispatch.o dsa.o hmac.o hostfile.o key.o kex.o log.o match.o mpaux.o nchan.o packet.o radix.o entropy.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o util.o uuencode.o xmalloc.o
+LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o cli.o compat.o compress.o crc32.o cygwin_util.o deattack.o dispatch.o dsa.o hmac.o hostfile.o key.o kex.o log.o match.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o util.o uuencode.o xmalloc.o
-LIBOPENBSD_COMPAT_OBJS=bsd-arc4random.o bsd-base64.o bsd-bindresvport.o bsd-daemon.o bsd-inet_aton.o bsd-inet_ntoa.o bsd-misc.o bsd-mktemp.o bsd-rresvport.o bsd-setenv.o bsd-sigaction.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o bsd-strsep.o fake-getaddrinfo.o fake-getnameinfo.o next-posix.o
+LIBOPENBSD_COMPAT_OBJS=bsd-arc4random.o bsd-base64.o bsd-bindresvport.o bsd-daemon.o bsd-getcwd.o bsd-inet_aton.o bsd-inet_ntoa.o bsd-misc.o bsd-mktemp.o bsd-realpath.o bsd-rresvport.o bsd-setenv.o bsd-sigaction.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o bsd-strsep.o bsd-strtok.o bsd-vis.o bsd-setproctitle.o bsd-waitpid.o fake-getaddrinfo.o fake-getnameinfo.o next-posix.o
SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o
-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-skey.o auth2-skey.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o dh.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o
-TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8
-CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh.0 sshd.0
+TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8 sftp-server.8
+CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh.0 sshd.0 sftp-server.0
MANPAGES = @MANTYPE@
CONFIGFILES=sshd_config ssh_config
-PATHSUBS = -D/etc/ssh_config=$(sysconfdir)/ssh_config -D/etc/known_hosts=$(sysconfdir)/ssh_known_hosts -D/etc/sshd_config=$(sysconfdir)/sshd_config -D/etc/shosts.equiv=$(sysconfdir)/shosts.equiv -D/etc/ssh_host_key=$(sysconfdir)/ssh_host_key -D/var/run/sshd.pid=$(piddir)/sshd.pid
+PATHSUBS = -D/etc/ssh_config=$(sysconfdir)/ssh_config -D/etc/ssh_known_hosts=$(sysconfdir)/ssh_known_hosts -D/etc/sshd_config=$(sysconfdir)/sshd_config -D/usr/libexec=$(libexecdir) -D/etc/shosts.equiv=$(sysconfdir)/shosts.equiv -D/etc/ssh_host_key=$(sysconfdir)/ssh_host_key -D/var/run/sshd.pid=$(piddir)/sshd.pid
FIXPATHSCMD = $(PERL) $(srcdir)/fixpaths $(PATHSUBS)
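Review bot: `SSH_MODE= @SSHMODE@` now decides whether ssh is installed setuid root (the install-files rule later in this diff uses `-m $(SSH_MODE)` where 4755 was hard-coded), but nothing here says which values are expected or why a setuid ssh is needed at all. A comment above it such as `# SSH_MODE: 4755 (setuid root) only if RhostsRSA auth or privileged source ports are wanted; 0755 otherwise` would keep the privilege decision visible at the point it is configured, and since make strips the leading space in the value, `SSH_MODE=@SSHMODE@` would also match the neighbouring assignments. Separately, `cygwin_util.o` is now linked into libssh.a on every platform; presumably the source compiles to an empty object when not on Cygwin, but that deserves a comment next to the object list or a configure-time conditional so it is not mistaken for a stray entry.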
@@ -68,24 +69,27 @@ $(AR) rv $@ $(LIBSSH_OBJS) $(RANLIB) $@ -ssh: libopenbsd-compat.a libssh.a $(SSHOBJS) +ssh$(EXEEXT): libopenbsd-compat.a libssh.a $(SSHOBJS) $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -sshd: libssh.a libopenbsd-compat.a $(SSHDOBJS) +sshd$(EXEEXT): libssh.a libopenbsd-compat.a $(SSHDOBJS) $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -scp: libopenbsd-compat.a libssh.a scp.o +scp$(EXEEXT): libopenbsd-compat.a libssh.a scp.o $(LD) -o $@ scp.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -ssh-add: libopenbsd-compat.a libssh.a ssh-add.o log-client.o +ssh-add$(EXEEXT): libopenbsd-compat.a libssh.a ssh-add.o log-client.o $(LD) -o $@ ssh-add.o log-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -ssh-agent: libopenbsd-compat.a libssh.a ssh-agent.o log-client.o +ssh-agent$(EXEEXT): libopenbsd-compat.a libssh.a ssh-agent.o log-client.o $(LD) -o $@ ssh-agent.o log-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -ssh-keygen: libopenbsd-compat.a libssh.a ssh-keygen.o log-client.o +ssh-keygen$(EXEEXT): libopenbsd-compat.a libssh.a ssh-keygen.o log-client.o $(LD) -o $@ ssh-keygen.o log-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +sftp-server$(EXEEXT): libopenbsd-compat.a libssh.a sftp-server.o log-server.o + $(LD) -o $@ sftp-server.o log-server.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + # test driver for the loginrec code - not built by default logintest: logintest.o libopenbsd-compat.a libssh.a log-client.o loginrec.o $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh log-client.o $(LIBS) 
@@ -118,54 +122,60 @@ install: manpages $(TARGETS) install-files host-key install-files: - ./mkinstalldirs $(DESTDIR)$(bindir) - ./mkinstalldirs $(DESTDIR)$(sbindir) - ./mkinstalldirs $(DESTDIR)$(mandir) - ./mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1 - ./mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8 - $(INSTALL) -m 4755 -s ssh $(DESTDIR)$(bindir)/ssh + $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir) + $(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir) + $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir) + $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1 + $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8 + $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir) + $(INSTALL) -m $(SSH_MODE) -s ssh $(DESTDIR)$(bindir)/ssh $(INSTALL) -m 0755 -s scp $(DESTDIR)$(bindir)/scp $(INSTALL) -m 0755 -s ssh-add $(DESTDIR)$(bindir)/ssh-add $(INSTALL) -m 0755 -s ssh-agent $(DESTDIR)$(bindir)/ssh-agent $(INSTALL) -m 0755 -s ssh-keygen $(DESTDIR)$(bindir)/ssh-keygen $(INSTALL) -m 0755 -s sshd $(DESTDIR)$(sbindir)/sshd + $(INSTALL) -m 0755 -s sftp-server $(DESTDIR)$(libexecdir)/sftp-server $(INSTALL) -m 644 ssh.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 scp.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 $(INSTALL) -m 644 ssh-add.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 $(INSTALL) -m 644 ssh-agent.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 $(INSTALL) -m 644 ssh-keygen.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 $(INSTALL) -m 644 sshd.[08].out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 + $(INSTALL) -m 644 sftp-server.[08].out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f $(DESTDIR)$(bindir)/slogin - ln -s ssh $(DESTDIR)$(bindir)/slogin + ln -s ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 ln -s ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 + @FILEPRIV@ -f dev,filesys,driver $(DESTDIR)$(bindir)/ssh $(DESTDIR)$(bindir)/slogin if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config -a ! 
-f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \ - ./mkinstalldirs $(DESTDIR)$(sysconfdir); \ + $(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \ $(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \ $(INSTALL) -m 644 sshd_config.out $(DESTDIR)$(sysconfdir)/sshd_config; \ fi if [ -f ssh_prng_cmds -a ! -z "$(INSTALL_SSH_PRNG_CMDS)" ]; then \ - $(PERL) fixprogs ssh_prng_cmds $(ENT); \ - $(INSTALL) -m 644 ssh_prng_cmds.out $(DESTDIR)$(sysconfdir)/ssh_prng_cmds; \ + $(PERL) $(srcdir)/fixprogs ssh_prng_cmds $(ENT); \ + if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_prng_cmds ] ; then \ + $(INSTALL) -m 644 ssh_prng_cmds.out $(DESTDIR)$(sysconfdir)/ssh_prng_cmds; \ + fi ; \ fi -host-key: ssh-keygen +host-key: ssh-keygen$(EXEEXT) if [ -z "$(DESTDIR)" ] ; then \ if [ -f "$(DESTDIR)$(sysconfdir)/ssh_host_key" ] ; then \ echo "$(DESTDIR)$(sysconfdir)/ssh_host_key already exists, skipping." ; \ else \ - ./ssh-keygen -b 1024 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" ; \ + $(srcdir)/ssh-keygen -b 1024 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" ; \ fi ; \ if [ -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key ] ; then \ echo "$(DESTDIR)$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \ else \ - ./ssh-keygen -d -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" ; \ + $(srcdir)/ssh-keygen -d -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" ; \ fi ; \ fi ; -host-key-force: ssh-keygen - ./ssh-keygen -b 1024 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" - ./ssh-keygen -d -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" +host-key-force: ssh-keygen$(EXEEXT) + $(srcdir)/ssh-keygen -b 1024 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" + $(srcdir)/ssh-keygen -d -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" uninstallall: uninstall -rm -f $(DESTDIR)$(sysconfdir)/ssh_config 
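Review bot: The host-key and host-key-force recipes now run `$(srcdir)/ssh-keygen`, but ssh-keygen is a build product (the target's own prerequisite is `ssh-keygen$(EXEEXT)`, built in the current directory by the rule in the previous hunk), so in a VPATH build where srcdir is not the build directory the install either fails or runs a stale binary left in the source tree, and the path also drops the `$(EXEEXT)` the prerequisite carries. The `$(srcdir)/` prefix is right for mkinstalldirs and fixprogs, which are sources, but not here; keep the binary relative to the build directory: `./ssh-keygen$(EXEEXT) -b 1024 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" ; \` and likewise for the `-d` invocation and the two host-key-force lines. The new `-m $(SSH_MODE)` on the ssh install changes whether the client is installed setuid based on a configure decision; a one-line comment above it, `# SSH_MODE is chosen by configure (4755 or 0755); see the --with/--without-setuid handling there`, would keep that choice visible to whoever audits the install.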
@@ -180,12 +190,12 @@ -rmdir $(DESTDIR)$(libexecdir) uninstall: - -rm -f $(DESTDIR)$(bindir)/ssh - -rm -f $(DESTDIR)$(bindir)/scp - -rm -f $(DESTDIR)$(bindir)/ssh-add - -rm -f $(DESTDIR)$(bindir)/ssh-agent - -rm -f $(DESTDIR)$(bindir)/ssh-keygen - -rm -f $(DESTDIR)$(sbindir)/sshd + -rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT) + -rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT) + -rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT) + -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) + -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) + -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 diff -ru openssh-2.2.0p1/README openssh-2.3.0p1/README --- openssh-2.2.0p1/README 2000-06-26 13:01:33.000000000 +1000 +++ openssh-2.3.0p1/README 2000-11-06 12:48:54.000000000 +1100 @@ -9,7 +9,7 @@ * you generated host or user keys with v1.2.2 or previous versions, * please generate new ones using a more recent version. -This is the port of OpenBSD's excellent OpenSSH to Linux and other +This is the port of OpenBSD's excellent OpenSSH[0] to Linux and other Unices. OpenSSH is based on the last free version of Tatu Ylonen's SSH with @@ -47,11 +47,11 @@ style guidelines[5]. Please refer to the INSTALL document for information on how to install -OpenSSH on your system. The UPGRADING document details differences -between this port of OpenSSH and F-Secure SSH 1.x. +OpenSSH on your system. There are a number of differences between this +port of OpenSSH and F-Secure SSH 1.x, please refer to the OpenSSH FAQ[6] +for details and general tips. -Damien Miller -Internet Business Solutions +Damien Miller Miscellania - 
@@ -61,9 +61,10 @@ References - +[0] http://www.openssh.com/faq.html [1] http://www.lothar.com/tech/crypto/ [2] ftp://ftp.freesoftware.com/pub/infozip/zlib/ [3] http://www.openssl.org/ [4] http://www.kernel.org/pub/linux/libs/pam/ (PAM is standard on Solaris) [5] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9&apropos=0&manpath=OpenBSD+Current - +[6] http://www.openssh.com/faq.html Only in openssh-2.2.0p1: README.openssh2 diff -ru openssh-2.2.0p1/RFC.nroff openssh-2.3.0p1/RFC.nroff --- openssh-2.2.0p1/RFC.nroff 1999-10-27 13:42:43.000000000 +1000 +++ openssh-2.3.0p1/RFC.nroff 2000-11-06 12:39:34.000000000 +1100 @@ -1,6 +1,6 @@ .\" -*- nroff -*- .\" -.\" $Id: RFC.nroff,v 1.1 1999/09/26 20:53:32 deraadt Exp $ +.\" $OpenBSD: RFC.nroff,v 1.2 2000/10/16 09:38:44 djm Exp $ .\" .pl 10.0i .po 0 diff -ru openssh-2.2.0p1/TODO openssh-2.3.0p1/TODO --- openssh-2.2.0p1/TODO 2000-08-29 14:30:37.000000000 +1100 +++ openssh-2.3.0p1/TODO 2000-10-15 08:33:19.000000000 +1100 @@ -9,6 +9,4 @@ - Cleanup configure.in -- utmp/wtmp logging does not work on NeXT - - Complete Tru64 SIA support Only in openssh-2.2.0p1: UPGRADING Only in openssh-2.3.0p1: WARNING.RNG diff -ru openssh-2.2.0p1/acconfig.h openssh-2.3.0p1/acconfig.h --- openssh-2.2.0p1/acconfig.h 2000-08-29 11:33:50.000000000 +1100 +++ openssh-2.3.0p1/acconfig.h 2000-10-19 00:11:44.000000000 +1100 @@ -6,6 +6,16 @@ @TOP@ +/* Define to a Set Process Title type if your system is */ +/* supported by bsd-setproctitle.c */ +#undef SPT_TYPE + +/* SCO workaround */ +#undef BROKEN_SYS_TERMIO_H + +/* Define if you have SCO protected password database */ +#undef HAVE_SCO_PROTECTED_PW + /* If your header files don't define LOGIN_PROGRAM, then use this (detected) */ /* from environment and PATH */ #undef LOGIN_PROGRAM_FALLBACK 
@@ -43,9 +53,21 @@ /* Define if your snprintf is busted */ #undef BROKEN_SNPRINTF +/* Define if you are on Cygwin */ +#undef HAVE_CYGWIN + +/* Define if you lack native POSIX regex and you are using PCRE */ +#undef HAVE_LIBPCRE + +/* Define if you have a broken realpath. */ +#undef BROKEN_REALPATH + /* Define if you are on NeXT */ #undef HAVE_NEXT +/* Define if you are on NEWS-OS */ +#undef HAVE_NEWS4 + /* Define if you want to disable PAM support */ #undef DISABLE_PAM @@ -183,9 +205,6 @@ /* Define if you want to use shadow password expire field */ #undef HAS_SHADOW_EXPIRE -/* Define if you want have trusted HPUX */ -#undef HAVE_HPUX_TRUSTED_SYSTEM_PW - /* Define if you have Digital Unix Security Integration Architecture */ #undef HAVE_OSF_SIA @@ -207,6 +226,8 @@ #undef HAVE_INTXX_T #undef HAVE_U_INTXX_T #undef HAVE_UINTXX_T +#undef HAVE_INT64_T +#undef HAVE_U_INT64_T #undef HAVE_SOCKLEN_T #undef HAVE_SIZE_T #undef HAVE_SSIZE_T @@ -240,9 +261,15 @@ /* Use IPv4 for connection by default, IPv6 can still if explicity asked */ #undef IPV4_DEFAULT +/* If you have no atexit() but xatexit(), and want to use xatexit() */ +#undef HAVE_XATEXIT + /* getaddrinfo is broken (if present) */ #undef BROKEN_GETADDRINFO +/* vhangup is broken (if present) */ +#undef BROKEN_VHANGUP + /* Workaround more Linux IPv6 quirks */ #undef DONT_TRY_OTHER_AF diff -ru openssh-2.2.0p1/atomicio.c openssh-2.3.0p1/atomicio.c --- openssh-2.2.0p1/atomicio.c 2000-07-08 10:57:09.000000000 +1000 +++ openssh-2.3.0p1/atomicio.c 2000-10-28 14:19:58.000000000 +1100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999 Theo de Raadt + * Copyright (c) 1995,1999 Theo de Raadt * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -24,7 +24,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: atomicio.c,v 1.4 2000/06/20 01:39:37 markus Exp $"); +RCSID("$OpenBSD: atomicio.c,v 1.7 2000/10/18 18:04:02 markus Exp $"); #include "xmalloc.h" #include "ssh.h" diff -ru openssh-2.2.0p1/auth-krb4.c openssh-2.3.0p1/auth-krb4.c --- openssh-2.2.0p1/auth-krb4.c 2000-08-29 11:33:50.000000000 +1100 +++ openssh-2.3.0p1/auth-krb4.c 2000-10-14 16:23:11.000000000 +1100 @@ -1,6 +1,25 @@ /* - * Dug Song - * Kerberos v4 authentication and ticket-passing routines. + * Copyright (c) 1999 Dug Song. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" 
@@ -9,7 +28,7 @@ #include "ssh.h" #include "servconf.h" -RCSID("$OpenBSD: auth-krb4.c,v 1.17 2000/08/28 03:50:54 deraadt Exp $"); +RCSID("$OpenBSD: auth-krb4.c,v 1.19 2000/10/03 18:03:02 markus Exp $"); #ifdef KRB4 char *ticket = NULL; @@ -261,6 +280,8 @@ { CREDENTIALS creds; + if (pw == NULL) + goto auth_kerberos_tgt_failure; if (!radix_to_creds(string, &creds)) { log("Protocol error decoding Kerberos V4 tgt"); packet_send_debug("Protocol error decoding Kerberos V4 tgt"); @@ -315,8 +336,16 @@ auth_afs_token(struct passwd *pw, const char *token_string) { CREDENTIALS creds; - uid_t uid = pw->pw_uid; + uid_t uid; + if (pw == NULL) { + /* XXX fake protocol error */ + packet_send_debug("Protocol error decoding AFS token"); + packet_start(SSH_SMSG_FAILURE); + packet_send(); + packet_write_wait(); + return 0; + } if (!radix_to_creds(token_string, &creds)) { log("Protocol error decoding AFS token"); packet_send_debug("Protocol error decoding AFS token"); @@ -330,6 +359,8 @@ if (strncmp(creds.pname, "AFS ID ", 7) == 0) uid = atoi(creds.pname + 7); + else + uid = pw->pw_uid; if (kafs_settoken(creds.realm, uid, &creds)) { log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm, diff -ru openssh-2.2.0p1/auth-options.c openssh-2.3.0p1/auth-options.c --- openssh-2.2.0p1/auth-options.c 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/auth-options.c 2000-10-14 16:23:11.000000000 +1100 
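Review bot: In auth_afs_token the new `else uid = pw->pw_uid;` only covers the no-prefix case; when pname starts with "AFS ID " the uid still comes from `atoi(creds.pname + 7)`, and atoi turns an empty or non-numeric suffix into 0 and silently wraps out-of-range values, so a malformed client-supplied token decodes to uid 0 before reaching kafs_settoken. Parse it with strtol and require a fully consumed, non-negative number, e.g. `char *ep; long id = strtol(creds.pname + 7, &ep, 10);` followed by `if (ep == creds.pname + 7 || *ep != '\0' || id < 0) { /* log, packet_send_debug, SSH_SMSG_FAILURE as in the radix_to_creds error path */ return 0; }` and `uid = (uid_t)id;`. Whether kafs_settoken itself rejects a bogus uid is not visible here, so the check belongs on this side. The new `pw == NULL` early return also sends the failure without the `log()` call that the radix_to_creds path just below makes; logging it would keep the server-side audit trail consistent.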
@@ -1,5 +1,20 @@ +/* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland + * All rights reserved + * RSA-based authentication. This code determines whether to admit a login + * based on RSA authentication. This file also contains functions to check + * validity of the host key. + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + */ + #include "includes.h" -RCSID("$OpenBSD: auth-options.c,v 1.2 2000/06/20 01:39:38 markus Exp $"); +RCSID("$OpenBSD: auth-options.c,v 1.5 2000/10/09 21:32:34 markus Exp $"); #include "ssh.h" #include "packet.h" @@ -18,6 +33,25 @@ /* "environment=" options. */ struct envstring *custom_environment = NULL; +void +auth_clear_options(void) +{ + no_agent_forwarding_flag = 0; + no_port_forwarding_flag = 0; + no_pty_flag = 0; + no_x11_forwarding_flag = 0; + while (custom_environment) { + struct envstring *ce = custom_environment; + custom_environment = ce->next; + xfree(ce->s); + xfree(ce); + } + if (forced_command) { + xfree(forced_command); + forced_command = NULL; + } +} + /* return 1 if access is granted, 0 if not. side effect: sets key option flags */ int auth_parse_options(struct passwd *pw, char *options, unsigned long linenum) @@ -25,6 +59,10 @@ const char *cp; if (!options) return 1; + + /* reset options */ + auth_clear_options(); + while (*options && *options != ' ' && *options != '\t') { cp = "no-port-forwarding"; if (strncmp(options, cp, strlen(cp)) == 0) { 
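Review bot: The description in the new license header of auth-options.c does not describe this file: "RSA-based authentication. This code determines whether to admit a login based on RSA authentication. This file also contains functions to check validity of the host key." reads like the auth-rsa.c header, whereas the code below parses the option field of authorized_keys entries (no-port-forwarding and the other no-* flags, command=, environment=, the from= host check). Replace those three lines with ` * Parsing of the options field of authorized_keys entries (no-*-forwarding,` / ` * no-pty, command=, environment=, from=) into the per-key flags and` / ` * forced_command that sshd consults after the key has matched.` If the Tatu Ylonen copyright is carried over because this code was split out of auth-rsa.c, a short sentence saying so would explain why his notice sits on a file he did not create.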
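Review bot: In auth_parse_options the new `auth_clear_options()` call sits after `if (!options) return 1;`, so an authorized_keys entry with no options field returns without resetting the file-scope flags and forced_command, while the deny path later in this file (the reset removed in the -160 hunk) now relies on this call to do the clearing. If the same key appears on more than one line, or any earlier call left state behind, the option-less entry inherits restrictions (or a forced command) that were never written on its line. Move the reset above the early return so it runs unconditionally: `/* reset options */` `auth_clear_options();` `if (!options) return 1;`. Whether the caller can reach this function twice without an intervening successful parse is not visible here, but an unconditional reset is cheaper than reasoning about it.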
@@ -72,9 +110,9 @@ } if (!*options) { debug("%.100s, line %lu: missing end quote", - SSH_USER_PERMITTED_KEYS, linenum); + SSH_USER_PERMITTED_KEYS, linenum); packet_send_debug("%.100s, line %lu: missing end quote", - SSH_USER_PERMITTED_KEYS, linenum); + SSH_USER_PERMITTED_KEYS, linenum); continue; } forced_command[i] = 0; @@ -102,9 +140,9 @@ } if (!*options) { debug("%.100s, line %lu: missing end quote", - SSH_USER_PERMITTED_KEYS, linenum); + SSH_USER_PERMITTED_KEYS, linenum); packet_send_debug("%.100s, line %lu: missing end quote", - SSH_USER_PERMITTED_KEYS, linenum); + SSH_USER_PERMITTED_KEYS, linenum); continue; } s[i] = 0; @@ -160,21 +198,6 @@ get_remote_ipaddr()); packet_send_debug("Your host '%.200s' is not permitted to use this key for login.", get_canonical_hostname()); - /* key invalid for this host, reset flags */ - no_agent_forwarding_flag = 0; - no_port_forwarding_flag = 0; - no_pty_flag = 0; - no_x11_forwarding_flag = 0; - while (custom_environment) { - struct envstring *ce = custom_environment; - custom_environment = ce->next; - xfree(ce->s); - xfree(ce); - } - if (forced_command) { - xfree(forced_command); - forced_command = NULL; - } /* deny access */ return 0; } diff -ru openssh-2.2.0p1/auth-options.h openssh-2.3.0p1/auth-options.h --- openssh-2.2.0p1/auth-options.h 2000-06-18 14:50:44.000000000 +1000 +++ openssh-2.3.0p1/auth-options.h 2000-11-06 12:39:34.000000000 +1100 
@@ -1,3 +1,18 @@ +/* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland + * All rights reserved + * Functions to interface with the SSH_AUTHENTICATION_FD socket. + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + */ + +/* $OpenBSD: auth-options.h,v 1.5 2000/10/16 09:38:44 djm Exp $ */ + #ifndef AUTH_OPTIONS_H #define AUTH_OPTIONS_H /* Flags that may be set in authorized_keys options. */ @@ -10,4 +25,7 @@ /* return 1 if access is granted, 0 if not. side effect: sets key option flags */ int auth_parse_options(struct passwd *pw, char *options, unsigned long linenum); +/* reset options flags */ +void auth_clear_options(void); + #endif diff -ru openssh-2.2.0p1/auth-pam.c openssh-2.3.0p1/auth-pam.c --- openssh-2.2.0p1/auth-pam.c 2000-08-30 09:57:50.000000000 +1100 +++ openssh-2.3.0p1/auth-pam.c 2000-10-15 02:08:49.000000000 +1100 @@ -9,11 +9,6 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Markus Friedl. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 
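Review bot: The new header comment in auth-options.h says "Functions to interface with the SSH_AUTHENTICATION_FD socket.", which describes authfd.h, not this header; what is declared here, under the existing "Flags that may be set in authorized_keys options" comment, together with auth_parse_options and the new auth_clear_options, concerns authorized_keys key options. Replace that line with ` * Per-key option flags parsed from authorized_keys entries, and the` / ` * functions that set (auth_parse_options) and reset (auth_clear_options) them.` The prototype addition in the second hunk is fine as is.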
@@ -34,10 +29,10 @@ #include "xmalloc.h" #include "servconf.h" -RCSID("$Id: auth-pam.c,v 1.12 2000/08/29 22:57:50 djm Exp $"); +RCSID("$Id: auth-pam.c,v 1.18 2000/10/14 15:08:49 stevesk Exp $"); #define NEW_AUTHTOK_MSG \ - "Warning: You password has expired, please change it now" + "Warning: Your password has expired, please change it now" /* Callbacks */ static int pamconv(int num_msg, const struct pam_message **msg, 
@@ -50,40 +45,79 @@ pamconv, NULL }; -static struct pam_handle_t *pamh = NULL; +static pam_handle_t *pamh = NULL; static const char *pampasswd = NULL; static char *pam_msg = NULL; -/* PAM conversation function. This is really a kludge to get the password */ -/* into PAM and to pick up any messages generated by PAM into pamconv_msg */ +/* states for pamconv() */ +typedef enum { INITIAL_LOGIN, OTHER } pamstates; +static pamstates pamstate = INITIAL_LOGIN; +/* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */ +static int password_change_required = 0; + +/* + * PAM conversation function. + * There are two states this can run in. + * + * INITIAL_LOGIN mode simply feeds the password from the client into + * PAM in response to PAM_PROMPT_ECHO_OFF, and collects output + * messages with pam_msg_cat(). This is used during initial + * authentication to bypass the normal PAM password prompt. + * + * OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase(prompt, 1) + * and outputs messages to stderr. This mode is used if pam_chauthtok() + * is called to update expired passwords. 
+ */ static int pamconv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr) { struct pam_response *reply; int count; + char buf[1024]; /* PAM will free this later */ reply = malloc(num_msg * sizeof(*reply)); if (reply == NULL) return PAM_CONV_ERR; - for(count = 0; count < num_msg; count++) { - switch (msg[count]->msg_style) { - case PAM_PROMPT_ECHO_OFF: - if (pampasswd == NULL) { + for (count = 0; count < num_msg; count++) { + switch ((*msg)[count].msg_style) { + case PAM_PROMPT_ECHO_ON: + if (pamstate == INITIAL_LOGIN) { free(reply); return PAM_CONV_ERR; + } else { + fputs((*msg)[count].msg, stderr); + fgets(buf, sizeof(buf), stdin); + reply[count].resp = xstrdup(buf); + reply[count].resp_retcode = PAM_SUCCESS; + break; + } + case PAM_PROMPT_ECHO_OFF: + if (pamstate == INITIAL_LOGIN) { + if (pampasswd == NULL) { + free(reply); + return PAM_CONV_ERR; + } + reply[count].resp = xstrdup(pampasswd); + } else { + reply[count].resp = + xstrdup(read_passphrase((*msg)[count].msg, 1)); } reply[count].resp_retcode = PAM_SUCCESS; - reply[count].resp = xstrdup(pampasswd); break; + case PAM_ERROR_MSG: case PAM_TEXT_INFO: - reply[count].resp_retcode = PAM_SUCCESS; + if ((*msg)[count].msg != NULL) { + if (pamstate == INITIAL_LOGIN) + pam_msg_cat((*msg)[count].msg); + else { + fputs((*msg)[count].msg, stderr); + fputs("\n", stderr); + } + } reply[count].resp = xstrdup(""); - - if (msg[count]->msg != NULL) - pam_msg_cat(msg[count]->msg); - + reply[count].resp_retcode = PAM_SUCCESS; break; default: free(reply); 
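Review bot: In the new PAM_PROMPT_ECHO_ON branch of pamconv the return value of `fgets(buf, sizeof(buf), stdin)` is ignored, so on EOF or a read error buf is never written and `xstrdup(buf)` copies an uninitialized 1024-byte stack array (undefined behaviour, with whatever was on the stack becoming the PAM answer); the trailing newline fgets keeps is also passed through as part of the answer. Check it and strip the newline: `if (fgets(buf, sizeof(buf), stdin) == NULL) { free(reply); return PAM_CONV_ERR; }` followed by `buf[strcspn(buf, "\n")] = '\0';`. The early `free(reply)` returns also drop any `reply[i].resp` strings already filled in for earlier messages, copies of the password among them, so a loop that zeroes and frees the filled entries before each `return PAM_CONV_ERR` would be better. Whether read_passphrase() returns a heap copy that the extra `xstrdup` then leaks is not visible here; if it does, the duplicate should be scrubbed and freed.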
@@ -103,22 +137,22 @@ if (pamh != NULL) { - pam_retval = pam_close_session((pam_handle_t *)pamh, 0); + pam_retval = pam_close_session(pamh, 0); if (pam_retval != PAM_SUCCESS) { - log("Cannot close PAM session: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + log("Cannot close PAM session[%d]: %.200s", + pam_retval, PAM_STRERROR(pamh, pam_retval)); } - pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED); + pam_retval = pam_setcred(pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) { - debug("Cannot delete credentials: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + debug("Cannot delete credentials[%d]: %.200s", + pam_retval, PAM_STRERROR(pamh, pam_retval)); } - pam_retval = pam_end((pam_handle_t *)pamh, pam_retval); + pam_retval = pam_end(pamh, pam_retval); if (pam_retval != PAM_SUCCESS) { - log("Cannot release PAM authentication: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + log("Cannot release PAM authentication[%d]: %.200s", + pam_retval, PAM_STRERROR(pamh, pam_retval)); } } } @@ -139,14 +173,15 @@ pampasswd = password; - pam_retval = pam_authenticate((pam_handle_t *)pamh, 0); + pamstate = INITIAL_LOGIN; + pam_retval = pam_authenticate(pamh, 0); if (pam_retval == PAM_SUCCESS) { debug("PAM Password authentication accepted for user \"%.100s\"", pw->pw_name); return 1; } else { - debug("PAM Password authentication for \"%.100s\" failed: %s", - pw->pw_name, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + debug("PAM Password authentication for \"%.100s\" failed[%d]: %s", + pw->pw_name, pam_retval, PAM_STRERROR(pamh, pam_retval)); return 0; } } 
@@ -157,33 +192,35 @@ int pam_retval; debug("PAM setting rhost to \"%.200s\"", get_canonical_hostname()); - pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, + pam_retval = pam_set_item(pamh, PAM_RHOST, get_canonical_hostname()); if (pam_retval != PAM_SUCCESS) { - fatal("PAM set rhost failed: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + fatal("PAM set rhost failed[%d]: %.200s", + pam_retval, PAM_STRERROR(pamh, pam_retval)); } if (remote_user != NULL) { debug("PAM setting ruser to \"%.200s\"", remote_user); - pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user); + pam_retval = pam_set_item(pamh, PAM_RUSER, remote_user); if (pam_retval != PAM_SUCCESS) { - fatal("PAM set ruser failed: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + fatal("PAM set ruser failed[%d]: %.200s", + pam_retval, PAM_STRERROR(pamh, pam_retval)); } } - pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0); + pam_retval = pam_acct_mgmt(pamh, 0); switch (pam_retval) { case PAM_SUCCESS: /* This is what we want */ break; case PAM_NEW_AUTHTOK_REQD: pam_msg_cat(NEW_AUTHTOK_MSG); + /* flag that password change is necessary */ + password_change_required = 1; break; default: - log("PAM rejected by account configuration: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + log("PAM rejected by account configuration[%d]: %.200s", + pam_retval, PAM_STRERROR(pamh, pam_retval)); return(0); } 
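Review bot: In do_pam_account the PAM_NEW_AUTHTOK_REQD case now sets `password_change_required = 1` and then falls through to the success return, so an account whose password PAM reports as expired is admitted and the change is deferred to do_pam_chauthtok, which by its own comment needs an interactive session with a pty attached. Nothing in this hunk says what happens to sessions that never reach that point (remote commands, scp, forwarding-only connections); if they are not gated elsewhere, an expired password keeps working indefinitely for non-interactive use. The case should at least carry the caveat `/* admitted now; sshd must call do_pam_chauthtok() before any shell or command, otherwise the expiry is never enforced */`, and the non-interactive path in session handling should be checked against pam_password_change_required().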
@@ -197,30 +234,61 @@ if (ttyname != NULL) { debug("PAM setting tty to \"%.200s\"", ttyname); - pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_TTY, ttyname); + pam_retval = pam_set_item(pamh, PAM_TTY, ttyname); if (pam_retval != PAM_SUCCESS) { - fatal("PAM set tty failed: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + fatal("PAM set tty failed[%d]: %.200s", + pam_retval, PAM_STRERROR(pamh, pam_retval)); } } - pam_retval = pam_open_session((pam_handle_t *)pamh, 0); + pam_retval = pam_open_session(pamh, 0); if (pam_retval != PAM_SUCCESS) { - fatal("PAM session setup failed: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + fatal("PAM session setup failed[%d]: %.200s", + pam_retval, PAM_STRERROR(pamh, pam_retval)); } } /* Set PAM credentials */ -void do_pam_setcred() +void do_pam_setcred(void) { int pam_retval; debug("PAM establishing creds"); - pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_ESTABLISH_CRED); + pam_retval = pam_setcred(pamh, PAM_ESTABLISH_CRED); if (pam_retval != PAM_SUCCESS) { - fatal("PAM setcred failed: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + fatal("PAM setcred failed[%d]: %.200s", + pam_retval, PAM_STRERROR(pamh, pam_retval)); + } +} + +/* accessor function for file scope static variable */ +int pam_password_change_required(void) +{ + return password_change_required; +} + +/* + * Have user change authentication token if pam_acct_mgmt() indicated + * it was expired. This needs to be called after an interactive + * session is established and the user's pty is connected to + * stdin/stout/stderr. + */ +void do_pam_chauthtok(void) +{ + int pam_retval; + + if (password_change_required) { + pamstate = OTHER; + /* + * XXX: should we really loop forever? 
+ */ + do { + pam_retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + if (pam_retval != PAM_SUCCESS) { + log("PAM pam_chauthtok failed[%d]: %.200s", + pam_retval, PAM_STRERROR(pamh, pam_retval)); + } + } while (pam_retval != PAM_SUCCESS); } } @@ -238,12 +306,11 @@ debug("Starting up PAM with username \"%.200s\"", pw->pw_name); - pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, - (pam_handle_t**)&pamh); + pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, &pamh); if (pam_retval != PAM_SUCCESS) { - fatal("PAM initialisation failed: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + fatal("PAM initialisation failed[%d]: %.200s", + pam_retval, PAM_STRERROR(pamh, pam_retval)); } #ifdef PAM_TTY_KLUDGE @@ -254,10 +321,10 @@ * not even need one (for tty-less connections) * Kludge: Set a fake PAM_TTY */ - pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_TTY, "ssh"); + pam_retval = pam_set_item(pamh, PAM_TTY, "ssh"); if (pam_retval != PAM_SUCCESS) { - fatal("PAM set tty failed: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + fatal("PAM set tty failed[%d]: %.200s", + pam_retval, PAM_STRERROR(pamh, pam_retval)); } #endif /* PAM_TTY_KLUDGE */ @@ -268,7 +335,7 @@ char **fetch_pam_environment(void) { #ifdef HAVE_PAM_GETENVLIST - return(pam_getenvlist((pam_handle_t *)pamh)); + return(pam_getenvlist(pamh)); #else /* HAVE_PAM_GETENVLIST */ return(NULL); #endif /* HAVE_PAM_GETENVLIST */ diff -ru openssh-2.2.0p1/auth-pam.h openssh-2.3.0p1/auth-pam.h --- openssh-2.2.0p1/auth-pam.h 2000-01-27 10:55:38.000000000 +1100 +++ openssh-2.3.0p1/auth-pam.h 2000-10-15 02:08:49.000000000 +1100 
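Review bot: The `do { ... } while (pam_retval != PAM_SUCCESS)` loop in the new do_pam_chauthtok never terminates on persistent failure, as its own XXX comment admits: a module that keeps returning an error (wrong old password, policy rejection, a client that has closed its side so every prompt fails) spins the sshd child forever, logging on every iteration, and the user is never disconnected. Bound the attempts and treat exhaustion as fatal so the session ends instead of looping; the rewritten function is below. The cap should mirror whatever retry policy the PAM modules themselves apply, which is not visible here.
```c
#define PAM_CHAUTHTOK_MAX_TRIES 3

void do_pam_chauthtok(void)
{
	int pam_retval;
	int tries;

	if (!password_change_required)
		return;
	pamstate = OTHER;
	for (tries = 0; tries < PAM_CHAUTHTOK_MAX_TRIES; tries++) {
		pam_retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
		if (pam_retval == PAM_SUCCESS)
			return;
		log("PAM pam_chauthtok failed[%d]: %.200s",
		    pam_retval, PAM_STRERROR(pamh, pam_retval));
	}
	fatal("PAM pam_chauthtok: giving up after %d attempts",
	    PAM_CHAUTHTOK_MAX_TRIES);
}
```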
@@ -9,7 +9,9 @@ char **fetch_pam_environment(void); int do_pam_account(char *username, char *remote_user); void do_pam_session(char *username, const char *ttyname); -void do_pam_setcred(); +void do_pam_setcred(void); void print_pam_messages(void); +int pam_password_change_required(void); +void do_pam_chauthtok(void); #endif /* USE_PAM */ diff -ru openssh-2.2.0p1/auth-passwd.c openssh-2.3.0p1/auth-passwd.c --- openssh-2.2.0p1/auth-passwd.c 2000-06-28 15:22:42.000000000 +1000 +++ openssh-2.3.0p1/auth-passwd.c 2000-10-14 16:23:11.000000000 +1100 
@@ -2,14 +2,64 @@ * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * Created: Sat Mar 18 05:11:38 1995 ylo * Password authentication. This file contains the functions to check whether * the password is valid for the user. + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * + * + * Copyright (c) 1999 Dug Song. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * + * Copyright (c) 2000 Markus Friedl. 
All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" - -RCSID("$OpenBSD: auth-passwd.c,v 1.16 2000/06/20 01:39:38 markus Exp $"); +RCSID("$OpenBSD: auth-passwd.c,v 1.18 2000/10/03 18:03:03 markus Exp $"); #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) @@ -21,14 +71,19 @@ #ifdef WITH_AIXAUTHENTICATE # include #endif -#ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW +#ifdef __hpux # include # include #endif -#ifdef HAVE_SHADOW_H +#ifdef HAVE_SCO_PROTECTED_PW +# include +# include +# include +#endif /* HAVE_SCO_PROTECTED_PW */ +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) # include #endif -#ifdef HAVE_GETPWANAM +#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) # include # include # include 
@@ -37,6 +92,13 @@ # include "md5crypt.h" #endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ +#ifdef HAVE_CYGWIN +#undef ERROR +#include +#include +#define is_winnt (GetVersion() < 0x80000000) +#endif + /* * Tries to authenticate the user using password. Returns true if * authentication succeeds. @@ -48,10 +110,16 @@ char *encrypted_password; char *pw_password; char *salt; -#ifdef HAVE_SHADOW_H +#ifdef __hpux + struct pr_passwd *spw; +#endif +#ifdef HAVE_SCO_PROTECTED_PW + struct pr_passwd *spw; +#endif /* HAVE_SCO_PROTECTED_PW */ +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) struct spwd *spw; #endif -#ifdef HAVE_GETPWANAM +#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) struct passwd_adjunct *spw; #endif #ifdef WITH_AIXAUTHENTICATE @@ -63,12 +131,32 @@ /* deny if no user. */ if (pw == NULL) return 0; +#ifndef HAVE_CYGWIN if (pw->pw_uid == 0 && options.permit_root_login == 2) return 0; +#endif +#ifdef HAVE_CYGWIN + /* + * Empty password is only possible on NT if the user has _really_ + * an empty password and authentication is done, though. + */ + if (!is_winnt) +#endif if (*password == '\0' && options.permit_empty_passwd == 0) return 0; -#ifdef SKEY +#ifdef HAVE_CYGWIN + if (is_winnt) { + HANDLE hToken = cygwin_logon_user(pw, password); + + if (hToken == INVALID_HANDLE_VALUE) + return 0; + cygwin_set_impersonation_token(hToken); + return 1; + } +#endif + +#ifdef SKEY_VIA_PASSWD_IS_DISABLED if (options.skey_authentication == 1) { int ret = auth_skey_password(pw, password); if (ret == 1 || ret == 0) 
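Review bot: In the `@@ -48,10 +110,16 @@` hunk `spw` is declared up to four times with different types (`struct pr_passwd *` under `__hpux` and again under `HAVE_SCO_PROTECTED_PW`, `struct spwd *` under `HAVE_SHADOW_H`, `struct passwd_adjunct *` under `HAVE_GETPWANAM`), and nothing makes those conditions mutually exclusive. A build that defines `__hpux` together with `HAVE_SHADOW_H` without `DISABLE_SHADOW` gets a conflicting redeclaration, and the same applies to a SCO build that also has `HAVE_SHADOW_H`; whether such configurations occur I cannot tell from here. Giving each interface its own variable (`struct pr_passwd *prpw;`, `struct spwd *spw;`, `struct passwd_adjunct *pwa;`) removes the reliance on the conditions staying disjoint; the matching lookup sites are in the `@@ -90,34 +178,38 @@` hunk. auth_password's body continues outside this hunk.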
@@ -90,34 +178,38 @@ } #endif - /* Check for users with no password. */ - if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) - return 1; pw_password = pw->pw_passwd; + /* + * Various interfaces to shadow or protected password data + */ #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) spw = getspnam(pw->pw_name); if (spw != NULL) - { - /* Check for users with no password. */ - if (strcmp(password, "") == 0 && strcmp(spw->sp_pwdp, "") == 0) - return 1; - pw_password = spw->sp_pwdp; - } #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ + +#ifdef HAVE_SCO_PROTECTED_PW + spw = getprpwnam(pw->pw_name); + if (spw != NULL) + pw_password = spw->ufld.fd_encrypt; +#endif /* HAVE_SCO_PROTECTED_PW */ + #if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) - { - /* Check for users with no password. */ - if (strcmp(password, "") == 0 && strcmp(spw->pwa_passwd, "") == 0) - return 1; - pw_password = spw->pwa_passwd; - } #endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */ +#if defined(__hpux) + if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL) + pw_password = spw->ufld.fd_encrypt; +#endif /* defined(__hpux) */ + + /* Check for users with no password. */ + if ((password[0] == '\0') && (pw_password[0] == '\0')) + return 1; + if (pw_password[0] != '\0') salt = pw_password; else 
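Review bot: The Cygwin guard `if (!is_winnt)` in the `@@ -63,12 +131,32 @@` hunk is a brace-less `if` whose body is the `if (*password == '\0' && options.permit_empty_passwd == 0)` statement on the far side of an `#endif`; any statement inserted between them later silently becomes the NT-only body, so either fold the two tests into one condition or state the intent in place, e.g. `/* the empty-password test below is the body of this if: it is skipped on NT */`. In the same hunk the `permit_root_login == 2` test is compiled out under `HAVE_CYGWIN` with no comment giving the reason, which should be written on the `#ifndef HAVE_CYGWIN` line. Finally, `#ifdef SKEY_VIA_PASSWD_IS_DISABLED` keeps the old S/Key-via-password block under a macro nothing on this page defines; if the block is meant to be gone, delete it rather than leave code a stray `-D` flag could resurrect. auth_password's body continues outside this hunk.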
@@ -129,11 +221,14 @@ else encrypted_password = crypt(password, salt); #else /* HAVE_MD5_PASSWORDS */ -# ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW - encrypted_password = bigcrypt(password, salt); +# ifdef __hpux + if (iscomsec()) + encrypted_password = bigcrypt(password, salt); + else + encrypted_password = crypt(password, salt); # else encrypted_password = crypt(password, salt); -# endif /* HAVE_HPUX_TRUSTED_SYSTEM_PW */ +# endif /* __hpux */ #endif /* HAVE_MD5_PASSWORDS */ /* Authentication is accepted if the encrypted passwords are identical. */ diff -ru openssh-2.2.0p1/auth-rh-rsa.c openssh-2.3.0p1/auth-rh-rsa.c --- openssh-2.2.0p1/auth-rh-rsa.c 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/auth-rh-rsa.c 2000-10-14 16:23:11.000000000 +1100 @@ -1,21 +1,19 @@ /* - * - * auth-rh-rsa.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Sun May 7 03:08:06 1995 ylo - * * Rhosts or /etc/hosts.equiv authentication combined with RSA host * authentication. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ #include "includes.h" -RCSID("$OpenBSD: auth-rh-rsa.c,v 1.14 2000/06/20 01:39:38 markus Exp $"); +RCSID("$OpenBSD: auth-rh-rsa.c,v 1.17 2000/10/03 18:03:03 markus Exp $"); #include "packet.h" #include "ssh.h" 
@@ -41,9 +39,9 @@ HostStatus host_status; Key *client_key, *found; - debug("Trying rhosts with RSA host authentication for %.100s", client_user); + debug("Trying rhosts with RSA host authentication for client user %.100s", client_user); - if (client_host_key == NULL) + if (pw == NULL || client_host_key == NULL) return 0; /* Check if we would accept it using rhosts authentication. */ diff -ru openssh-2.2.0p1/auth-rhosts.c openssh-2.3.0p1/auth-rhosts.c --- openssh-2.2.0p1/auth-rhosts.c 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/auth-rhosts.c 2000-10-14 16:23:11.000000000 +1100 @@ -1,22 +1,20 @@ /* - * - * auth-rhosts.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Fri Mar 17 05:12:18 1995 ylo - * * Rhosts authentication. This file contains code to check whether to admit * the login based on rhosts authentication. This file also processes * /etc/hosts.equiv. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ #include "includes.h" -RCSID("$OpenBSD: auth-rhosts.c,v 1.14 2000/06/20 01:39:38 markus Exp $"); +RCSID("$OpenBSD: auth-rhosts.c,v 1.16 2000/10/03 18:03:03 markus Exp $"); #include "packet.h" #include "ssh.h" @@ -156,6 +154,9 @@ static const char *rhosts_files[] = {".shosts", ".rhosts", NULL}; unsigned int rhosts_file_index; + /* no user given */ + if (pw == NULL) + return 0; /* Switch to the user's uid. */ temporarily_use_uid(pw->pw_uid); /* diff -ru openssh-2.2.0p1/auth-rsa.c openssh-2.3.0p1/auth-rsa.c --- openssh-2.2.0p1/auth-rsa.c 2000-07-11 17:31:38.000000000 +1000 +++ openssh-2.3.0p1/auth-rsa.c 2000-10-16 12:14:42.000000000 +1100 
@@ -1,22 +1,20 @@ /* - * - * auth-rsa.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Mon Mar 27 01:46:52 1995 ylo - * * RSA-based authentication. This code determines whether to admit a login * based on RSA authentication. This file also contains functions to check * validity of the host key. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ #include "includes.h" -RCSID("$OpenBSD: auth-rsa.c,v 1.27 2000/07/07 03:55:03 todd Exp $"); +RCSID("$OpenBSD: auth-rsa.c,v 1.32 2000/10/14 12:19:45 markus Exp $"); #include "rsa.h" #include "packet.h" @@ -31,6 +29,10 @@ #include #include + +/* import */ +extern ServerOptions options; + /* * Session identifier that is used to bind key exchange and authentication * responses to a particular session. @@ -118,7 +120,6 @@ int auth_rsa(struct passwd *pw, BIGNUM *client_n) { - extern ServerOptions options; char line[8192], file[1024]; int authenticated; unsigned int bits; @@ -127,6 +128,10 @@ struct stat st; RSA *pk; + /* no user given */ + if (pw == NULL) + return 0; + /* Temporarily use the user's uid. */ temporarily_use_uid(pw->pw_uid); @@ -226,6 +231,12 @@ } } else options = NULL; + /* + * If our options do not allow this key to be used, + * do not send challenge. + */ + if (!auth_parse_options(pw, options, linenum)) + continue; /* Parse the key from the line. */ if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) { 
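Review bot: In the `@@ -226,6 +231,12 @@` hunk `auth_parse_options(pw, options, linenum)` now runs for every line of the file before `auth_rsa_read_key` has compared the line's key with `client_n`, so the key-option globals that auth-options.c maintains (the forced command among them) end up reflecting whichever line was parsed last, not necessarily the key that later passes the challenge. Unless `auth_parse_options` resets those globals itself before parsing — auth-options.c is not on this page — a later line with `options == NULL` inherits the restrictions of an earlier, unrelated key, and the `auth_clear_options()` added in the `@@ -279,6 +289,8 @@` hunk only runs when authentication fails altogether. Moving the check after the modulus comparison, or calling `auth_clear_options();` immediately before `auth_parse_options`, keeps the parsed options tied to the key that is actually used. auth_rsa's loop body continues outside this hunk.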
@@ -264,9 +275,8 @@ * Break out of the loop if authentication was successful; * otherwise continue searching. */ - authenticated = auth_parse_options(pw, options, linenum); - if (authenticated) - break; + authenticated = 1; + break; } /* Restore the privileged uid. */ @@ -279,6 +289,8 @@ if (authenticated) packet_send_debug("RSA authentication accepted."); + else + auth_clear_options(); /* Return authentication result. */ return authenticated; diff -ru openssh-2.2.0p1/auth-skey.c openssh-2.3.0p1/auth-skey.c --- openssh-2.2.0p1/auth-skey.c 2000-07-02 19:13:56.000000000 +1000 +++ openssh-2.3.0p1/auth-skey.c 2000-10-28 14:19:58.000000000 +1100 
@@ -1,7 +1,31 @@ +/* + * Copyright (c) 1999,2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + #include "includes.h" -#ifdef SKEY -RCSID("$OpenBSD: auth-skey.c,v 1.7 2000/06/20 01:39:38 markus Exp $"); +RCSID("$OpenBSD: auth-skey.c,v 1.9 2000/10/19 16:41:13 deraadt Exp $"); +#ifdef SKEY #include "ssh.h" #include "packet.h" #include @@ -24,7 +48,7 @@ skeyinfo = skey_fake_keyinfo(pw->pw_name); } if (skeyinfo != NULL) - packet_send_debug(skeyinfo); + packet_send_debug("%s", skeyinfo); /* Try again. */ return 0; } else if (skey_haskey(pw->pw_name) == 0 && diff -ru openssh-2.2.0p1/auth.c openssh-2.3.0p1/auth.c --- openssh-2.2.0p1/auth.c 2000-08-18 13:59:06.000000000 +1000 +++ openssh-2.3.0p1/auth.c 2000-10-30 01:38:55.000000000 +1100 
@@ -1,11 +1,39 @@ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * + * * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: auth.c,v 1.8 2000/08/04 20:30:07 markus Exp $"); +RCSID("$OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $"); #include "xmalloc.h" #include "rsa.h" 
@@ -13,7 +41,6 @@ #include "pty.h" #include "packet.h" #include "buffer.h" -#include "cipher.h" #include "mpaux.h" #include "servconf.h" #include "compat.h" @@ -33,7 +60,6 @@ /* import */ extern ServerOptions options; -extern char *forced_command; /* * Check if the user is allowed to log in via ssh. If user is listed in @@ -54,8 +80,8 @@ #ifdef WITH_AIXAUTHENTICATE char *loginmsg; #endif /* WITH_AIXAUTHENTICATE */ -#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \ - defined(HAS_SHADOW_EXPIRE) +#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ + !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) struct spwd *spw; /* Shouldn't be called if pw is NULL, but better safe than sorry... */ @@ -67,12 +93,12 @@ int days = time(NULL) / 86400; /* Check account expiry */ - if ((spw->sp_expire > 0) && (days > spw->sp_expire)) + if ((spw->sp_expire >= 0) && (days > spw->sp_expire)) return 0; /* Check password expiry */ - if ((spw->sp_lstchg > 0) && (spw->sp_inact > 0) && - (days > (spw->sp_lstchg + spw->sp_inact))) + if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) && + (days > (spw->sp_lstchg + spw->sp_max))) return 0; } #else diff -ru openssh-2.2.0p1/auth.h openssh-2.3.0p1/auth.h --- openssh-2.2.0p1/auth.h 2000-07-11 17:31:38.000000000 +1000 +++ openssh-2.3.0p1/auth.h 2000-10-14 16:23:11.000000000 +1100 
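Review bot: The expiry tests in the `@@ -67,12 +93,12 @@` hunk now treat `sp_expire`, `sp_lstchg` and `sp_max` as unset only when negative and replace `sp_inact` with `sp_max`, but nothing in the code says why `>= 0` is the boundary or that the old comparison was reading the wrong field; a comment above the block such as `/* shadow(5): a negative field means "not set"; sp_max is the password's maximum age, sp_inact only the grace period after it */` would make the change reviewable. Note also that shadow(5) uses `sp_lstchg == 0` to force a password change at next login, and the new test still admits such an account until `days > sp_max`; whether that is acceptable for sshd, which cannot run the change itself, should be stated next to the check. allowed_user's body continues outside the hunk.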
@@ -1,17 +1,52 @@ +/* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ #ifndef AUTH_H #define AUTH_H +typedef struct Authctxt Authctxt; +struct Authctxt { + int success; + int valid; + int attempt; + char *user; + char *service; + struct passwd *pw; +}; + void do_authentication(void); void do_authentication2(void); -struct passwd * -auth_get_user(void); +void userauth_log(Authctxt *authctxt, int authenticated, char *method); +void userauth_reply(Authctxt *authctxt, int authenticated); + +int auth2_skey(Authctxt *authctxt); -int allowed_user(struct passwd * pw); +int allowed_user(struct passwd * pw); +struct passwd * auth_get_user(void); #define AUTH_FAIL_MAX 6 #define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2) #define AUTH_FAIL_MSG "Too many authentication failures for %.100s" #endif - diff -ru openssh-2.2.0p1/auth1.c openssh-2.3.0p1/auth1.c --- openssh-2.2.0p1/auth1.c 2000-08-23 10:46:23.000000000 +1000 +++ openssh-2.3.0p1/auth1.c 2000-10-14 16:23:11.000000000 +1100 
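Review bot: The new `struct Authctxt` in auth.h carries no comments on its fields, although `success`, `valid`, `attempt`, `user`, `service` and `pw` are now the shared state every authentication method reads and writes. Document each field on its declaration: what `valid` asserts about `pw` (from the auth2.c hunk it appears to flag whether `pw` refers to a real, allowed account), that `success` is the flag `dispatch_run` polls, what `attempt` counts, and who frees `user`, `service` and `pw`. The prototypes added alongside (`userauth_log`, `userauth_reply`, `auth2_skey`) would each benefit from a one-line contract, in particular what `authenticated` means to `userauth_reply`.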
@@ -1,31 +1,40 @@ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.3 2000/08/20 18:42:40 millert Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.6 2000/10/11 20:27:23 markus Exp $"); + +#ifdef HAVE_OSF_SIA +# include +# include +#endif #include "xmalloc.h" #include "rsa.h" #include "ssh.h" #include "packet.h" #include "buffer.h" -#include "cipher.h" #include "mpaux.h" #include "servconf.h" #include "compat.h" #include "auth.h" #include "session.h" -#ifdef HAVE_OSF_SIA -# include -# include -#endif - /* import */ extern ServerOptions options; extern char *forced_command; + +#ifdef WITH_AIXAUTHENTICATE +extern char *aixloginmsg; +#endif /* WITH_AIXAUTHENTICATE */ #ifdef HAVE_OSF_SIA extern int saved_argc; extern char **saved_argv; 
@@ -61,89 +70,21 @@ } /* - * The user does not exist or access is denied, - * but fake indication that authentication is needed. - */ -void -do_fake_authloop1(char *user) -{ - int attempt = 0; - - log("Faking authloop for illegal user %.200s from %.200s port %d", - user, - get_remote_ipaddr(), - get_remote_port()); - -#ifdef WITH_AIXAUTHENTICATE - loginfailed(user,get_canonical_hostname(),"ssh"); -#endif /* WITH_AIXAUTHENTICATE */ - - /* Indicate that authentication is needed. */ - packet_start(SSH_SMSG_FAILURE); - packet_send(); - packet_write_wait(); - - /* - * Keep reading packets, and always respond with a failure. This is - * to avoid disclosing whether such a user really exists. - */ - for (attempt = 1;; attempt++) { - /* Read a packet. This will not return if the client disconnects. */ - int plen; -#ifndef SKEY - (void)packet_read(&plen); -#else /* SKEY */ - int type = packet_read(&plen); - unsigned int dlen; - char *password, *skeyinfo; - password = NULL; - /* Try to send a fake s/key challenge. */ - if (options.skey_authentication == 1 && - (skeyinfo = skey_fake_keyinfo(user)) != NULL) { - if (type == SSH_CMSG_AUTH_TIS) { - packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); - packet_put_string(skeyinfo, strlen(skeyinfo)); - packet_send(); - packet_write_wait(); - continue; - } else if (type == SSH_CMSG_AUTH_PASSWORD && - options.password_authentication && - (password = packet_get_string(&dlen)) != NULL && - dlen == 5 && - strncasecmp(password, "s/key", 5) == 0 ) { - packet_send_debug(skeyinfo); - } - } - if (password != NULL) - xfree(password); -#endif - if (attempt > AUTH_FAIL_MAX) - packet_disconnect(AUTH_FAIL_MSG, user); - - /* - * Send failure. This should be indistinguishable from a - * failed authentication. - */ - packet_start(SSH_SMSG_FAILURE); - packet_send(); - packet_write_wait(); - } - /* NOTREACHED */ - abort(); -} - -/* - * read packets and try to authenticate local user *pw. 
- * return if authentication is successfull + * read packets and try to authenticate local user 'luser'. + * return if authentication is successfull. not that pw == NULL + * if the user does not exists or is not allowed to login. + * each auth method has to 'fake' authentication for nonexisting + * users. */ void -do_authloop(struct passwd * pw) +do_authloop(struct passwd * pw, char *luser) { + int authenticated = 0; int attempt = 0; unsigned int bits; RSA *client_host_key; BIGNUM *n; - char *client_user = NULL, *password = NULL; + char *client_user, *password; char user[1024]; unsigned int dlen; int plen, nlen, elen; @@ -156,8 +97,12 @@ packet_send(); packet_write_wait(); + client_user = NULL; + for (attempt = 1;; attempt++) { - int authenticated = 0; + /* default to fail */ + authenticated = 0; + strlcpy(user, "", sizeof user); /* Get a packet from the client. */ @@ -168,7 +113,6 @@ #ifdef AFS case SSH_CMSG_HAVE_KERBEROS_TGT: if (!options.kerberos_tgt_passing) { - /* packet_get_all(); */ verbose("Kerberos tgt passing disabled."); break; } else { @@ -176,14 +120,13 @@ char *tgt = packet_get_string(&dlen); packet_integrity_check(plen, 4 + dlen, type); if (!auth_kerberos_tgt(pw, tgt)) - verbose("Kerberos tgt REFUSED for %s", pw->pw_name); + verbose("Kerberos tgt REFUSED for %.100s", luser); xfree(tgt); } continue; case SSH_CMSG_HAVE_AFS_TOKEN: if (!options.afs_token_passing || !k_hasafs()) { - /* packet_get_all(); */ verbose("AFS token passing disabled."); break; } else { @@ -191,7 +134,7 @@ char *token_string = packet_get_string(&dlen); packet_integrity_check(plen, 4 + dlen, type); if (!auth_afs_token(pw, token_string)) - verbose("AFS token REFUSED for %s", pw->pw_name); + verbose("AFS token REFUSED for %.100s", luser); xfree(token_string); } continue; 
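Review bot: The rewritten header comment for `do_authloop` in the `@@ -61,89 +70,21 @@` hunk has typos that obscure the contract it introduces; it should read `* return if authentication is successful. note that pw == NULL` / `* if the user does not exist or is not allowed to login.` The rule it states — every method must itself fake authentication for a non-existent user — is the property that replaced `do_fake_authloop1`, so it is worth saying explicitly that no `case` below may dereference `pw`, since `auth_kerberos_tgt(pw, tgt)` and `auth_afs_token(pw, token_string)` in the following hunks are handed `pw` unchecked and I cannot see from here whether they tolerate NULL. do_authloop's body continues outside the hunk.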
@@ -213,11 +156,12 @@ memcpy(auth.dat, kdata, auth.length); xfree(kdata); - authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user); - - if (authenticated) { - snprintf(user, sizeof user, " tktuser %s", tkt_user); - xfree(tkt_user); + if (pw != NULL) { + authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user); + if (authenticated) { + snprintf(user, sizeof user, " tktuser %s", tkt_user); + xfree(tkt_user); + } } } break; @@ -237,8 +181,7 @@ client_user = packet_get_string(&ulen); packet_integrity_check(plen, 4 + ulen, type); - /* Try to authenticate using /etc/hosts.equiv and - .rhosts. */ + /* Try to authenticate using /etc/hosts.equiv and .rhosts. */ authenticated = auth_rhosts(pw, client_user); snprintf(user, sizeof user, " ruser %s", client_user); @@ -269,7 +212,7 @@ packet_get_bignum(client_host_key->n, &nlen); if (bits != BN_num_bits(client_host_key->n)) - log("Warning: keysize mismatch for client_host_key: " + verbose("Warning: keysize mismatch for client_host_key: " "actual %d, announced %d", BN_num_bits(client_host_key->n), bits); packet_integrity_check(plen, (4 + ulen) + 4 + elen + nlen, type); @@ -316,7 +259,7 @@ authenticated = 1; } #else /* !USE_PAM && !HAVE_OSF_SIA */ - /* Try authentication with the password. */ + /* Try authentication with the password. */ authenticated = auth_password(pw, password); #endif /* USE_PAM */ 
@@ -328,16 +271,18 @@ case SSH_CMSG_AUTH_TIS: debug("rcvd SSH_CMSG_AUTH_TIS"); if (options.skey_authentication == 1) { - char *skeyinfo = skey_keyinfo(pw->pw_name); + char *skeyinfo = NULL; + if (pw != NULL) + skey_keyinfo(pw->pw_name); if (skeyinfo == NULL) { - debug("generating fake skeyinfo for %.100s.", pw->pw_name); - skeyinfo = skey_fake_keyinfo(pw->pw_name); + debug("generating fake skeyinfo for %.100s.", luser); + skeyinfo = skey_fake_keyinfo(luser); } if (skeyinfo != NULL) { /* we send our s/key- in tis-challenge messages */ debug("sending challenge '%s'", skeyinfo); packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); - packet_put_string(skeyinfo, strlen(skeyinfo)); + packet_put_cstring(skeyinfo); packet_send(); packet_write_wait(); continue; @@ -350,8 +295,9 @@ char *response = packet_get_string(&dlen); debug("skey response == '%s'", response); packet_integrity_check(plen, 4 + dlen, type); - authenticated = (skey_haskey(pw->pw_name) == 0 && - skey_passcheck(pw->pw_name, response) != -1); + authenticated = (pw != NULL && + skey_haskey(pw->pw_name) == 0 && + skey_passcheck(pw->pw_name, response) != -1); xfree(response); } break; @@ -370,13 +316,24 @@ log("Unknown message during authentication: type %d", type); break; } + if (authenticated && pw == NULL) + fatal("internal error: authenticated for pw == NULL"); + +#ifdef HAVE_CYGWIN + if (authenticated && + !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,pw->pw_uid)) { + packet_disconnect("Authentication rejected for uid %d.", + (int)pw->pw_uid); + authenticated = 0; + } +#endif /* * Check if the user is logging in as root and root logins * are disallowed. * Note that root login is allowed for forced commands. */ - if (authenticated && pw->pw_uid == 0 && !options.permit_root_login) { + if (authenticated && pw && pw->pw_uid == 0 && !options.permit_root_login) { if (forced_command) { log("Root login accepted for forced command."); } else { 
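Review bot: In the `@@ -328,16 +271,18 @@` hunk the result of `skey_keyinfo(pw->pw_name)` is thrown away: `skeyinfo` is initialised to NULL and the call on the next line is a bare expression statement, so `skeyinfo` is still NULL afterwards and every user, existing or not, is sent the fake challenge from `skey_fake_keyinfo(luser)`. A real S/Key user therefore never receives their actual sequence number and seed in the TIS challenge and cannot answer it. The line should be `skeyinfo = skey_keyinfo(pw->pw_name);`. do_authloop's body continues outside the hunk.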
@@ -392,41 +349,33 @@ type == SSH_CMSG_AUTH_PASSWORD) authlog = log; - authlog("%s %s for %.200s from %.200s port %d%s", + authlog("%s %s for %s%.100s from %.200s port %d%s", authenticated ? "Accepted" : "Failed", get_authname(type), - pw->pw_uid == 0 ? "ROOT" : pw->pw_name, + pw ? "" : "illegal user ", + pw && pw->pw_uid == 0 ? "ROOT" : luser, get_remote_ipaddr(), get_remote_port(), user); #ifdef USE_PAM - if (authenticated) { - if (!do_pam_account(pw->pw_name, client_user)) { - if (client_user != NULL) { - xfree(client_user); - client_user = NULL; - } - do_fake_authloop1(pw->pw_name); - } - return; - } -#else /* USE_PAM */ - if (authenticated) { - return; - } -#endif /* USE_PAM */ + if (authenticated && !do_pam_account(pw->pw_name, client_user)) + authenticated = 0; +#endif if (client_user != NULL) { xfree(client_user); client_user = NULL; } + if (authenticated) + return; + if (attempt > AUTH_FAIL_MAX) { #ifdef WITH_AIXAUTHENTICATE - loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); + loginfailed(user,get_canonical_hostname(),"ssh"); #endif /* WITH_AIXAUTHENTICATE */ - packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); + packet_disconnect(AUTH_FAIL_MSG, luser); } /* Send a message indicating that the authentication attempt failed. */ @@ -447,9 +396,6 @@ int plen; unsigned int ulen; char *user; -#ifdef WITH_AIXAUTHENTICATE - extern char *aixloginmsg; -#endif /* WITH_AIXAUTHENTICATE */ /* Get the name of the user that we wish to log in as. */ packet_read_expect(&plen, SSH_CMSG_USER); 
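Review bot: In the `@@ -392,41 +349,33 @@` hunk the AIX call became `loginfailed(user,get_canonical_hostname(),"ssh")`, but `user` is the local `char user[1024]` buffer holding the log suffix (`""`, `" ruser ..."`, `" tktuser ..."`; see the `strlcpy(user, "", sizeof user)` and `snprintf(user, sizeof user, ...)` lines in the earlier hunks), not the login name. The name is in `luser`, which the `packet_disconnect(AUTH_FAIL_MSG, luser)` two lines below uses correctly, so the AIX failed-login record is currently attributed to an empty or unrelated string. It should be `loginfailed(luser,get_canonical_hostname(),"ssh");`. do_authloop's body continues outside the hunk.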
@@ -470,35 +416,38 @@ /* Verify that the user is a valid user. */ pw = getpwnam(user); - if (!pw || !allowed_user(pw)) - do_fake_authloop1(user); - xfree(user); - - /* Take a copy of the returned structure. */ - memset(&pwcopy, 0, sizeof(pwcopy)); - pwcopy.pw_name = xstrdup(pw->pw_name); - pwcopy.pw_passwd = xstrdup(pw->pw_passwd); - pwcopy.pw_uid = pw->pw_uid; - pwcopy.pw_gid = pw->pw_gid; + if (pw && allowed_user(pw)) { + /* Take a copy of the returned structure. */ + memset(&pwcopy, 0, sizeof(pwcopy)); + pwcopy.pw_name = xstrdup(pw->pw_name); + pwcopy.pw_passwd = xstrdup(pw->pw_passwd); + pwcopy.pw_uid = pw->pw_uid; + pwcopy.pw_gid = pw->pw_gid; #ifdef HAVE_PW_CLASS_IN_PASSWD - pwcopy.pw_class = xstrdup(pw->pw_class); + pwcopy.pw_class = xstrdup(pw->pw_class); #endif - pwcopy.pw_dir = xstrdup(pw->pw_dir); - pwcopy.pw_shell = xstrdup(pw->pw_shell); - pw = &pwcopy; + pwcopy.pw_dir = xstrdup(pw->pw_dir); + pwcopy.pw_shell = xstrdup(pw->pw_shell); + pw = &pwcopy; + } else { + pw = NULL; + } #ifdef USE_PAM - start_pam(pw); + if (pw) + start_pam(pw); #endif /* * If we are not running as root, the user must have the same uid as - * the server. + * the server. (Unless you are running Windows) */ - if (getuid() != 0 && pw->pw_uid != getuid()) +#ifndef HAVE_CYGWIN + if (getuid() != 0 && pw && pw->pw_uid != getuid()) packet_disconnect("Cannot change user when server not running as root."); +#endif - debug("Attempting authentication for %.100s.", pw->pw_name); + debug("Attempting authentication for %s%.100s.", pw ? "" : "illegal user ", user); /* If the user has no password, accept authentication immediately. */ if (options.password_authentication && 
@@ -509,30 +458,33 @@ auth_pam_password(pw, "")) { #elif defined(HAVE_OSF_SIA) (sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, - "") == SIASUCCESS)) { + get_canonical_hostname(), pw->pw_name, NULL, 0, + NULL, "") == SIASUCCESS)) { #else /* !HAVE_OSF_SIA && !USE_PAM */ - auth_password(pw, "")) { + auth_password(pw, "")) { #endif /* USE_PAM */ /* Authentication with empty password succeeded. */ log("Login for user %s from %.100s, accepted without authentication.", - pw->pw_name, get_remote_ipaddr()); + user, get_remote_ipaddr()); } else { /* Loop until the user has been authenticated or the connection is closed, do_authloop() returns only if authentication is successfull */ - do_authloop(pw); + do_authloop(pw, user); } + if (pw == NULL) + fatal("internal error, authentication successfull for user '%.100s'", user); /* The user has been authenticated and accepted. */ + packet_start(SSH_SMSG_SUCCESS); + packet_send(); + packet_write_wait(); + #ifdef WITH_AIXAUTHENTICATE /* We don't have a pty yet, so just label the line as "ssh" */ if (loginsuccess(user,get_canonical_hostname(),"ssh",&aixloginmsg) < 0) aixloginmsg = NULL; #endif /* WITH_AIXAUTHENTICATE */ - packet_start(SSH_SMSG_SUCCESS); - packet_send(); - packet_write_wait(); /* Perform session preparation. */ do_authenticated(pw); Only in openssh-2.3.0p1: auth2-skey.c diff -ru openssh-2.2.0p1/auth2.c openssh-2.3.0p1/auth2.c --- openssh-2.2.0p1/auth2.c 2000-08-23 10:46:24.000000000 +1000 +++ openssh-2.3.0p1/auth2.c 2000-10-28 21:05:57.000000000 +1100 
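Review bot: In the `@@ -509,30 +458,33 @@` hunk `pw` may now be NULL for an unknown or disallowed user (the `@@ -470,35 +416,38 @@` hunk sets it so), yet the `HAVE_OSF_SIA` branch of the empty-password check still dereferences `pw->pw_name` inside the `sia_validate_user(...)` call, so an unknown user name crashes the child on that platform before any authentication exchange. The `USE_PAM` branch calls `auth_pam_password(pw, "")` although `start_pam(pw)` was skipped for the NULL case; whether that function tolerates a NULL `pw` I cannot see from here. The condition needs `pw != NULL &&` ahead of the platform-specific clause (its opening `if (options.password_authentication &&` lies outside this hunk), e.g. `pw != NULL && (sia_validate_user(NULL, saved_argc, saved_argv,`; alternatively route `pw == NULL` straight into `do_authloop(pw, user)` and keep the empty-password path for real accounts only.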
@@ -9,11 +9,6 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Markus Friedl. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES @@ -26,8 +21,14 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.13 2000/08/20 18:42:40 millert Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $"); + +#ifdef HAVE_OSF_SIA +# include +# include +#endif #include #include @@ -39,7 +40,6 @@ #include "pty.h" #include "packet.h" #include "buffer.h" -#include "cipher.h" #include "servconf.h" #include "compat.h" #include "channels.h" 
@@ -56,64 +56,90 @@ #include "uidswap.h" #include "auth-options.h" -#ifdef HAVE_OSF_SIA -# include -# include -#endif - /* import */ extern ServerOptions options; extern unsigned char *session_id2; extern int session_id2_len; +#ifdef WITH_AIXAUTHENTICATE +extern char *aixloginmsg; +#endif +#ifdef HAVE_OSF_SIA +extern int saved_argc; +extern char **saved_argv; +#endif + +static Authctxt *x_authctxt = NULL; +static int one = 1; + +typedef struct Authmethod Authmethod; +struct Authmethod { + char *name; + int (*userauth)(Authctxt *authctxt); + int *enabled; +}; + /* protocol */ -void input_service_request(int type, int plen); -void input_userauth_request(int type, int plen); -void protocol_error(int type, int plen); +void input_service_request(int type, int plen, void *ctxt); +void input_userauth_request(int type, int plen, void *ctxt); +void protocol_error(int type, int plen, void *ctxt); -/* auth */ -int ssh2_auth_none(struct passwd *pw); -int ssh2_auth_password(struct passwd *pw); -int ssh2_auth_pubkey(struct passwd *pw, char *service); /* helper */ -struct passwd* auth_set_user(char *u, char *s); +Authmethod *authmethod_lookup(const char *name); +struct passwd *pwcopy(struct passwd *pw); int user_dsa_key_allowed(struct passwd *pw, Key *key); +char *authmethods_get(void); -typedef struct Authctxt Authctxt; -struct Authctxt { - char *user; - char *service; - struct passwd pw; - int valid; +/* auth */ +int userauth_none(Authctxt *authctxt); +int userauth_passwd(Authctxt *authctxt); +int userauth_pubkey(Authctxt *authctxt); +int userauth_kbdint(Authctxt *authctxt); + +Authmethod authmethods[] = { + {"none", + userauth_none, + &one}, + {"publickey", + userauth_pubkey, + &options.dsa_authentication}, + {"keyboard-interactive", + userauth_kbdint, + &options.kbd_interactive_authentication}, + {"password", + userauth_passwd, + &options.password_authentication}, + {NULL, NULL, NULL} }; -static Authctxt *authctxt = NULL; -static int userauth_success = 0; /* - * loop until 
userauth_success == TRUE + * loop until authctxt->success == TRUE */ void do_authentication2() { - /* turn off skey/kerberos, not supported by SSH2 */ -#ifdef SKEY - options.skey_authentication = 0; -#endif + Authctxt *authctxt = xmalloc(sizeof(*authctxt)); + memset(authctxt, 'a', sizeof(*authctxt)); + authctxt->valid = 0; + authctxt->attempt = 0; + authctxt->success = 0; + x_authctxt = authctxt; /*XXX*/ + #ifdef KRB4 + /* turn off kerberos, not supported by SSH2 */ options.kerberos_authentication = 0; #endif - dispatch_init(&protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); - dispatch_run(DISPATCH_BLOCK, &userauth_success); + dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); do_authenticated2(); } void -protocol_error(int type, int plen) +protocol_error(int type, int plen, void *ctxt) { log("auth: protocol error: type %d plen %d", type, plen); packet_start(SSH2_MSG_UNIMPLEMENTED); @@ -123,15 +149,19 @@ } void -input_service_request(int type, int plen) +input_service_request(int type, int plen, void *ctxt) { + Authctxt *authctxt = ctxt; unsigned int len; int accept = 0; char *service = packet_get_string(&len); packet_done(); + if (authctxt == NULL) + fatal("input_service_request: no authctxt"); + if (strcmp(service, "ssh-userauth") == 0) { - if (!userauth_success) { + if (!authctxt->success) { accept = 1; /* now we can handle user-auth requests */ dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request); 
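Review bot: The `memset(authctxt, 'a', sizeof(*authctxt))` poison fill in do_authentication2 leaves `pw`, `user` and `service` as non-NULL garbage, yet later code in this file guards them with `authctxt->user ? authctxt->user : "NOUSER"` and dereferences `authctxt->pw->pw_uid`, which only helps if those fields start out NULL; set them explicitly after the memset, `authctxt->pw = NULL; authctxt->user = authctxt->service = NULL;`, and keep the poison for the rest. The prototype list in this hunk also omits `userauth_log` and `userauth_reply`, which input_userauth_request calls before their definitions, so they are implicitly declared; add `void userauth_log(Authctxt *authctxt, int authenticated, char *method);` and `void userauth_reply(Authctxt *authctxt, int authenticated);` next to the other helper prototypes.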
@@ -152,58 +182,102 @@ } void -input_userauth_request(int type, int plen) +input_userauth_request(int type, int plen, void *ctxt) { - static void (*authlog) (const char *fmt,...) = verbose; - static int attempt = 0; - unsigned int len; + Authctxt *authctxt = ctxt; + Authmethod *m = NULL; + char *user, *service, *method; int authenticated = 0; - char *user, *service, *method, *authmsg = NULL; - struct passwd *pw; -#ifdef WITH_AIXAUTHENTICATE - extern char *aixloginmsg; -#endif /* WITH_AIXAUTHENTICATE */ - user = packet_get_string(&len); - service = packet_get_string(&len); - method = packet_get_string(&len); - if (++attempt == AUTH_FAIL_MAX) { + if (authctxt == NULL) + fatal("input_userauth_request: no authctxt"); + if (authctxt->attempt++ >= AUTH_FAIL_MAX) { #ifdef WITH_AIXAUTHENTICATE - loginfailed(user,get_canonical_hostname(),"ssh"); + loginfailed(authctxt->user?authctxt->user:"NOUSER", + get_canonical_hostname(), "ssh"); #endif /* WITH_AIXAUTHENTICATE */ packet_disconnect("too many failed userauth_requests"); } + + user = packet_get_string(NULL); + service = packet_get_string(NULL); + method = packet_get_string(NULL); debug("userauth-request for user %s service %s method %s", user, service, method); + debug("attempt #%d", authctxt->attempt); - /* XXX we only allow the ssh-connection service */ - pw = auth_set_user(user, service); - if (pw && strcmp(service, "ssh-connection")==0) { - if (strcmp(method, "none") == 0) { - authenticated = ssh2_auth_none(pw); - } else if (strcmp(method, "password") == 0) { - authenticated = ssh2_auth_password(pw); - } else if (strcmp(method, "publickey") == 0) { - authenticated = ssh2_auth_pubkey(pw, service); + if (authctxt->attempt == 1) { + /* setup auth context */ + struct passwd *pw = NULL; + setproctitle("%s", user); + pw = getpwnam(user); + if (pw && allowed_user(pw) && strcmp(service, "ssh-connection")==0) { + authctxt->pw = pwcopy(pw); + authctxt->valid = 1; + debug2("input_userauth_request: setting up authctxt for %s", 
user); +#ifdef USE_PAM + start_pam(pw); +#endif + } else { + log("input_userauth_request: illegal user %s", user); } + authctxt->user = xstrdup(user); + authctxt->service = xstrdup(service); + } else if (authctxt->valid) { + if (strcmp(user, authctxt->user) != 0 || + strcmp(service, authctxt->service) != 0) { + log("input_userauth_request: missmatch: (%s,%s)!=(%s,%s)", + user, service, authctxt->user, authctxt->service); + authctxt->valid = 0; + } + } + + m = authmethod_lookup(method); + if (m != NULL) { + debug2("input_userauth_request: try method %s", method); + authenticated = m->userauth(authctxt); + } else { + debug2("input_userauth_request: unsupported method %s", method); + } + if (!authctxt->valid && authenticated == 1) { + log("input_userauth_request: INTERNAL ERROR: authenticated invalid user %s service %s", user, method); + authenticated = 0; } - if (authenticated && pw && pw->pw_uid == 0 && !options.permit_root_login) { + + /* Special handling for root */ + if (authenticated == 1 && + authctxt->valid && authctxt->pw->pw_uid == 0 && !options.permit_root_login) { authenticated = 0; - log("ROOT LOGIN REFUSED FROM %.200s", - get_canonical_hostname()); + log("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname()); } #ifdef USE_PAM - if (authenticated && !do_pam_account(pw->pw_name, NULL)) - authenticated = 0; + if (authenticated && authctxt->user && !do_pam_account(authctxt->user, NULL)) + authenticated = 0; #endif /* USE_PAM */ + /* Log before sending the reply */ + userauth_log(authctxt, authenticated, method); + userauth_reply(authctxt, authenticated); + + xfree(service); + xfree(user); + xfree(method); +} + + +void +userauth_log(Authctxt *authctxt, int authenticated, char *method) +{ + void (*authlog) (const char *fmt,...) 
= verbose; + char *user = NULL, *authmsg = NULL; + /* Raise logging level */ if (authenticated == 1 || - attempt == AUTH_FAIL_LOG || + !authctxt->valid || + authctxt->attempt >= AUTH_FAIL_LOG || strcmp(method, "password") == 0) authlog = log; - /* Log before sending the reply */ if (authenticated == 1) { authmsg = "Accepted"; } else if (authenticated == 0) { @@ -211,19 +285,30 @@ } else { authmsg = "Postponed"; } + + if (authctxt->valid) { + user = authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user; + } else { + user = "NOUSER"; + } + authlog("%s %s for %.200s from %.200s port %d ssh2", - authmsg, - method, - pw && pw->pw_uid == 0 ? "ROOT" : user, - get_remote_ipaddr(), - get_remote_port()); + authmsg, + method, + user, + get_remote_ipaddr(), + get_remote_port()); +} +void +userauth_reply(Authctxt *authctxt, int authenticated) +{ /* XXX todo: check if multiple auth methods are needed */ if (authenticated == 1) { #ifdef WITH_AIXAUTHENTICATE /* We don't have a pty yet, so just label the line as "ssh" */ - if (loginsuccess(user,get_canonical_hostname(),"ssh", - &aixloginmsg) < 0) + if (loginsuccess(authctxt->user?authctxt->user:"NOUSER", + get_canonical_hostname(), "ssh", &aixloginmsg) < 0) aixloginmsg = NULL; #endif /* WITH_AIXAUTHENTICATE */ /* turn off userauth */ 
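Review bot: The INTERNAL ERROR log in input_userauth_request passes `method` where its format expects the service name: `log("... authenticated invalid user %s service %s", user, method);` should end `user, service);`. In the same function `log("input_userauth_request: illegal user %s", user)` prints the client-chosen name without the `%.100s` cap the other log calls in this file use; `%.100s` would be consistent. userauth_log, begun at the end of this hunk, continues into the next one.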
@@ -232,73 +317,106 @@ packet_send(); packet_write_wait(); /* now we can break out */ - userauth_success = 1; + authctxt->success = 1; } else if (authenticated == 0) { + char *methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); - packet_put_cstring("publickey,password"); /* XXX dynamic */ - packet_put_char(0); /* XXX partial success, unused */ + packet_put_cstring(methods); + packet_put_char(0); /* XXX partial success, unused */ packet_send(); packet_write_wait(); + xfree(methods); + } else { + /* do nothing, we did already send a reply */ } - - xfree(service); - xfree(user); - xfree(method); } int -ssh2_auth_none(struct passwd *pw) +userauth_none(Authctxt *authctxt) { -#ifdef HAVE_OSF_SIA - extern int saved_argc; - extern char **saved_argv; -#endif - + /* disable method "none", only allowed one time */ + Authmethod *m = authmethod_lookup("none"); + if (m != NULL) + m->enabled = NULL; packet_done(); + if (authctxt->valid == 0) + return(0); + +#ifdef HAVE_CYGWIN + if (check_nt_auth(1, authctxt->pw->pw_uid) == 0) + return(0); +#endif #ifdef USE_PAM - return auth_pam_password(pw, ""); + return auth_pam_password(authctxt->pw, ""); #elif defined(HAVE_OSF_SIA) - return(sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, - "") == SIASUCCESS); + return (sia_validate_user(NULL, saved_argc, saved_argv, + get_canonical_hostname(), authctxt->user?authctxt->user:"NOUSER", + NULL, 0, NULL, "") == SIASUCCESS); #else /* !HAVE_OSF_SIA && !USE_PAM */ - return auth_password(pw, ""); + return auth_password(authctxt->pw, ""); #endif /* USE_PAM */ } + int -ssh2_auth_password(struct passwd *pw) +userauth_passwd(Authctxt *authctxt) { char *password; int authenticated = 0; int change; unsigned int len; -#ifdef HAVE_OSF_SIA - extern int saved_argc; - extern char **saved_argv; -#endif change = packet_get_char(); if (change) log("password change not supported"); password = packet_get_string(&len); packet_done(); - if 
(options.password_authentication && + if (authctxt->valid && +#ifdef HAVE_CYGWIN + check_nt_auth(1, authctxt->pw->pw_uid) && +#endif #ifdef USE_PAM - auth_pam_password(pw, password) == 1) + auth_pam_password(authctxt->pw, password) == 1) #elif defined(HAVE_OSF_SIA) sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(), pw->pw_name, NULL, 0, - NULL, password) == SIASUCCESS) + get_canonical_hostname(), authctxt->user?authctxt->user:"NOUSER", + NULL, 0, NULL, password) == SIASUCCESS) #else /* !USE_PAM && !HAVE_OSF_SIA */ - auth_password(pw, password) == 1) + auth_password(authctxt->pw, password) == 1) #endif /* USE_PAM */ authenticated = 1; memset(password, 0, len); xfree(password); return authenticated; } + +int +userauth_kbdint(Authctxt *authctxt) +{ + int authenticated = 0; + char *lang = NULL; + char *devs = NULL; + + lang = packet_get_string(NULL); + devs = packet_get_string(NULL); + packet_done(); + + debug("keyboard-interactive language %s devs %s", lang, devs); +#ifdef SKEY + /* XXX hardcoded, we should look at devs */ + if (options.skey_authentication != 0) + authenticated = auth2_skey(authctxt); +#endif + xfree(lang); + xfree(devs); +#ifdef HAVE_CYGWIN + if (check_nt_auth(0, authctxt->pw->pw_uid) == 0) + return(0); +#endif + return authenticated; +} + int -ssh2_auth_pubkey(struct passwd *pw, char *service) +userauth_pubkey(Authctxt *authctxt) { Buffer b; Key *key; @@ -307,15 +425,15 @@ int have_sig; int authenticated = 0; - if (options.dsa_authentication == 0) { - debug("pubkey auth disabled"); + if (!authctxt->valid) { + debug2("userauth_pubkey: disabled because of invalid user"); return 0; } have_sig = packet_get_char(); pkalg = packet_get_string(&alen); if (strcmp(pkalg, KEX_DSS) != 0) { - xfree(pkalg); log("bad pkalg %s", pkalg); /*XXX*/ + xfree(pkalg); return 0; } pkblob = packet_get_string(&blen); 
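Review bot: userauth_kbdint never tests `authctxt->valid` before handing the context to `auth2_skey()` and, under HAVE_CYGWIN, before dereferencing `authctxt->pw->pw_uid`, whereas userauth_none and userauth_passwd both return 0 for an invalid context; for an unknown user `authctxt->pw` was never set by pwcopy. Add `if (!authctxt->valid) { xfree(lang); xfree(devs); return 0; }` right after the debug() call. auth2-skey.c is not part of this chunk, so whether auth2_skey re-checks `valid` itself cannot be confirmed here.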
@@ -325,18 +443,18 @@ sig = packet_get_string(&slen); packet_done(); buffer_init(&b); - if (datafellows & SSH_COMPAT_SESSIONID_ENCODING) { - buffer_put_string(&b, session_id2, session_id2_len); - } else { + if (datafellows & SSH_OLD_SESSIONID) { buffer_append(&b, session_id2, session_id2_len); + } else { + buffer_put_string(&b, session_id2, session_id2_len); } /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); - buffer_put_cstring(&b, pw->pw_name); + buffer_put_cstring(&b, authctxt->user); buffer_put_cstring(&b, datafellows & SSH_BUG_PUBKEYAUTH ? "ssh-userauth" : - service); + authctxt->service); buffer_put_cstring(&b, "publickey"); buffer_put_char(&b, have_sig); buffer_put_cstring(&b, KEX_DSS); @@ -345,15 +463,15 @@ buffer_dump(&b); #endif /* test for correct signature */ - if (user_dsa_key_allowed(pw, key) && + if (user_dsa_key_allowed(authctxt->pw, key) && dsa_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) authenticated = 1; buffer_clear(&b); xfree(sig); } else { + debug("test whether pkalg/pkblob are acceptable"); packet_done(); - debug("test key..."); - /* test whether pkalg/pkblob are acceptable */ + /* XXX fake reply and always send PK_OK ? */ /* * XXX this allows testing whether a user is allowed @@ -362,7 +480,7 @@ * if a user is not allowed to login. is this an * issue? -markus */ - if (user_dsa_key_allowed(pw, key)) { + if (user_dsa_key_allowed(authctxt->pw, key)) { packet_start(SSH2_MSG_USERAUTH_PK_OK); packet_put_string(pkalg, alen); packet_put_string(pkblob, blen); 
@@ -371,61 +489,73 @@ authenticated = -1; } } + if (authenticated != 1) + auth_clear_options(); key_free(key); } xfree(pkalg); xfree(pkblob); +#ifdef HAVE_CYGWIN + if (check_nt_auth(0, authctxt->pw->pw_uid) == 0) + return(0); +#endif return authenticated; } -/* set and get current user */ +/* get current user */ struct passwd* auth_get_user(void) { - return (authctxt != NULL && authctxt->valid) ? &authctxt->pw : NULL; + return (x_authctxt != NULL && x_authctxt->valid) ? x_authctxt->pw : NULL; } -struct passwd* -auth_set_user(char *u, char *s) +#define DELIM "," + +char * +authmethods_get(void) { - struct passwd *pw, *copy; + Authmethod *method = NULL; + unsigned int size = 0; + char *list; - if (authctxt == NULL) { - authctxt = xmalloc(sizeof(*authctxt)); - authctxt->valid = 0; - authctxt->user = xstrdup(u); - authctxt->service = xstrdup(s); - setproctitle("%s", u); - pw = getpwnam(u); - if (!pw || !allowed_user(pw)) { - log("auth_set_user: illegal user %s", u); - return NULL; + for (method = authmethods; method->name != NULL; method++) { + if (strcmp(method->name, "none") == 0) + continue; + if (method->enabled != NULL && *(method->enabled) != 0) { + if (size != 0) + size += strlen(DELIM); + size += strlen(method->name); } -#ifdef USE_PAM - start_pam(pw); -#endif - copy = &authctxt->pw; - memset(copy, 0, sizeof(*copy)); - copy->pw_name = xstrdup(pw->pw_name); - copy->pw_passwd = xstrdup(pw->pw_passwd); - copy->pw_uid = pw->pw_uid; - copy->pw_gid = pw->pw_gid; -#ifdef HAVE_PW_CLASS_IN_PASSWD - copy->pw_class = xstrdup(pw->pw_class); -#endif - copy->pw_dir = xstrdup(pw->pw_dir); - copy->pw_shell = xstrdup(pw->pw_shell); - authctxt->valid = 1; - } else { - if (strcmp(u, authctxt->user) != 0 || - strcmp(s, authctxt->service) != 0) { - log("auth_set_user: missmatch: (%s,%s)!=(%s,%s)", - u, s, authctxt->user, authctxt->service); - return NULL; + } + size++; /* trailing '\0' */ + list = xmalloc(size); + list[0] = '\0'; + + for (method = authmethods; method->name != NULL; 
method++) { + if (strcmp(method->name, "none") == 0) + continue; + if (method->enabled != NULL && *(method->enabled) != 0) { + if (list[0] != '\0') + strlcat(list, DELIM, size); + strlcat(list, method->name, size); } } - return auth_get_user(); + return list; +} + +Authmethod * +authmethod_lookup(const char *name) +{ + Authmethod *method = NULL; + if (name != NULL) + for (method = authmethods; method->name != NULL; method++) + if (method->enabled != NULL && + *(method->enabled) != 0 && + strcmp(name, method->name) == 0) + return method; + debug2("Unrecognized authentication method name: %s", name ? name : "NULL"); + return NULL; } /* return 1 if user allows given key */ @@ -440,6 +570,9 @@ struct stat st; Key *found; + if (pw == NULL) + return 0; + /* Temporarily use the user's uid. */ temporarily_use_uid(pw->pw_uid); @@ -467,8 +600,10 @@ if (fstat(fileno(f), &st) < 0 || (st.st_uid != 0 && st.st_uid != pw->pw_uid) || (st.st_mode & 022) != 0) { - snprintf(buf, sizeof buf, "DSA authentication refused for %.100s: " - "bad ownership or modes for '%s'.", pw->pw_name, file); + snprintf(buf, sizeof buf, + "%s authentication refused for %.100s: " + "bad ownership or modes for '%s'.", + key_type(key), pw->pw_name, file); fail = 1; } else { /* Check path to SSH_USER_PERMITTED_KEYS */ @@ -483,9 +618,9 @@ (st.st_uid != 0 && st.st_uid != pw->pw_uid) || (st.st_mode & 022) != 0) { snprintf(buf, sizeof buf, - "DSA authentication refused for %.100s: " + "%s authentication refused for %.100s: " "bad ownership or modes for '%s'.", - pw->pw_name, line); + key_type(key), pw->pw_name, line); fail = 1; break; } @@ -499,7 +634,7 @@ } } found_key = 0; - found = key_new(KEY_DSA); + found = key_new(key->type); while (fgets(line, sizeof(line), f)) { char *cp, *options = NULL; 
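Review bot: In userauth_pubkey the HAVE_CYGWIN `check_nt_auth()` early return is placed after `if (authenticated != 1) auth_clear_options();`, so when the signature verified but NT authentication fails the function returns 0 while whatever per-key options user_dsa_key_allowed recorded (it parses a per-line `options` string in the later hunk) are left in effect. Clear them on that path as well: `if (check_nt_auth(0, authctxt->pw->pw_uid) == 0) { auth_clear_options(); return(0); }`. userauth_pubkey starts in an earlier hunk.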
@@ -543,3 +678,20 @@
 key_free(found);
 return found_key;
 }
+
+struct passwd *
+pwcopy(struct passwd *pw)
+{
+ struct passwd *copy = xmalloc(sizeof(*copy));
+ memset(copy, 0, sizeof(*copy));
+ copy->pw_name = xstrdup(pw->pw_name);
+ copy->pw_passwd = xstrdup(pw->pw_passwd);
+ copy->pw_uid = pw->pw_uid;
+ copy->pw_gid = pw->pw_gid;
+#ifdef HAVE_PW_CLASS_IN_PASSWD
+ copy->pw_class = xstrdup(pw->pw_class);
+#endif
+ copy->pw_dir = xstrdup(pw->pw_dir);
+ copy->pw_shell = xstrdup(pw->pw_shell);
+ return copy;
+}
diff -ru openssh-2.2.0p1/authfd.c openssh-2.3.0p1/authfd.c
--- openssh-2.2.0p1/authfd.c 2000-08-23 10:46:24.000000000 +1000
+++ openssh-2.3.0p1/authfd.c 2000-10-14 16:23:11.000000000 +1100
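Review bot: pwcopy has no release counterpart anywhere in this diff, and its only caller (input_userauth_request) keeps the result in `authctxt->pw` for the rest of the process, so the struct and its six xstrdup'd strings — the `pw_passwd` hash among them — stay in memory until exit; that ownership deserves a header comment such as `/* Deep copy of the passwd fields the server uses; the caller owns the result and nothing in this file frees it. */`. `pw_gecos` is left at the memset's zero rather than copied, which matches what the removed auth_set_user did and is worth a word in the same comment.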
@@ -1,23 +1,41 @@ /* - * - * authfd.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Wed Mar 29 01:30:28 1995 ylo - * * Functions for connecting the local authentication agent. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * * SSH2 implementation, - * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ #include "includes.h" -RCSID("$OpenBSD: authfd.c,v 1.25 2000/08/19 21:34:42 markus Exp $"); +RCSID("$OpenBSD: authfd.c,v 1.29 2000/10/09 21:51:00 markus Exp $"); #include "ssh.h" #include "rsa.h" @@ -33,10 +51,15 @@ #include "authfd.h" #include "kex.h" #include "dsa.h" +#include "compat.h" /* helper */ int decode_reply(int type); +/* macro to check for "agent failure" message */ +#define agent_failed(x) \ + ((x == SSH_AGENT_FAILURE) || (x == SSH_COM_AGENT2_FAILURE)) + /* Returns the number of the authentication fd, or -1 if there is none. */ int @@ -223,7 +246,7 @@ /* Get message type, and verify that we got a proper answer. */ type = buffer_get_char(&auth->identities); - if (type == SSH_AGENT_FAILURE) { + if (agent_failed(type)) { return NULL; } else if (type != code2) { fatal("Bad authentication reply message type: %d", type); @@ -322,7 +345,7 @@ } type = buffer_get_char(&buffer); - if (type == SSH_AGENT_FAILURE) { + if (agent_failed(type)) { log("Agent admitted failure to authenticate using the key."); } else if (type != SSH_AGENT_RSA_RESPONSE) { fatal("Bad authentication response: %d", type); @@ -346,19 +369,24 @@ unsigned char **sigp, int *lenp, unsigned char *data, int datalen) { + extern int datafellows; Buffer msg; unsigned char *blob; unsigned int blen; - int type; + int type, flags = 0; int ret = -1; if (dsa_make_key_blob(key, &blob, &blen) == 0) return -1; + if (datafellows & SSH_BUG_SIGBLOB) + flags = SSH_AGENT_OLD_SIGNATURE; + buffer_init(&msg); buffer_put_char(&msg, SSH2_AGENTC_SIGN_REQUEST); buffer_put_string(&msg, blob, blen); buffer_put_string(&msg, data, datalen); + buffer_put_int(&msg, flags); xfree(blob); if (ssh_request_reply(auth, &msg, &msg) == 0) { @@ -366,7 +394,7 @@ return -1; } type = buffer_get_char(&msg); - if (type == SSH_AGENT_FAILURE) { + if (agent_failed(type)) { log("Agent admitted failure to sign using the key."); } else if (type != SSH2_AGENT_SIGN_RESPONSE) { fatal("Bad authentication response: %d", type); 
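Review bot: The new `agent_failed(x)` macro uses `x` unparenthesised, so an argument containing an operator of lower precedence than `==` would mis-parse; write `#define agent_failed(x) (((x) == SSH_AGENT_FAILURE) || ((x) == SSH_COM_AGENT2_FAILURE))`. Every call site in this diff passes a plain `type` variable, so nothing breaks today, but a `static inline int` helper would remove the hazard entirely.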
@@ -513,6 +541,7 @@ { switch (type) { case SSH_AGENT_FAILURE: + case SSH_COM_AGENT2_FAILURE: log("SSH_AGENT_FAILURE"); return 0; case SSH_AGENT_SUCCESS: diff -ru openssh-2.2.0p1/authfd.h openssh-2.3.0p1/authfd.h --- openssh-2.2.0p1/authfd.h 2000-08-23 10:46:24.000000000 +1000 +++ openssh-2.3.0p1/authfd.h 2000-10-14 16:23:11.000000000 +1100 @@ -1,19 +1,17 @@ /* - * - * authfd.h - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Wed Mar 29 01:17:41 1995 ylo - * * Functions to interface with the SSH_AUTHENTICATION_FD socket. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: authfd.h,v 1.10 2000/08/19 21:34:43 markus Exp $"); */ +/* RCSID("$OpenBSD: authfd.h,v 1.13 2000/10/09 21:51:00 markus Exp $"); */ #ifndef AUTHFD_H #define AUTHFD_H @@ -31,6 +29,7 @@ #define SSH_AGENTC_REMOVE_RSA_IDENTITY 8 #define SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES 9 +/* private OpenSSH extensions for SSH2 */ #define SSH2_AGENTC_REQUEST_IDENTITIES 11 #define SSH2_AGENT_IDENTITIES_ANSWER 12 #define SSH2_AGENTC_SIGN_REQUEST 13 @@ -39,6 +38,12 @@ #define SSH2_AGENTC_REMOVE_IDENTITY 18 #define SSH2_AGENTC_REMOVE_ALL_IDENTITIES 19 +/* additional error code for ssh.com's ssh-agent2 */ +#define SSH_COM_AGENT2_FAILURE 102 + +#define SSH_AGENT_OLD_SIGNATURE 0x01 + + typedef struct { int fd; Buffer identities; diff -ru openssh-2.2.0p1/authfile.c openssh-2.3.0p1/authfile.c --- openssh-2.2.0p1/authfile.c 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/authfile.c 2000-10-14 16:23:11.000000000 +1100 
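Review bot: `SSH_AGENT_OLD_SIGNATURE` in authfd.h is defined without saying which message it belongs to; the only use in this diff is the `flags` word ssh_agent_sign appends to an `SSH2_AGENTC_SIGN_REQUEST` in authfd.c. A one-line comment above it, `/* flags field of SSH2_AGENTC_SIGN_REQUEST */`, would tie the two together for the next reader.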
@@ -1,21 +1,42 @@ /* - * - * authfile.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Mon Mar 27 03:52:05 1995 ylo - * * This file contains functions for reading and writing identity files, and * for reading the passphrase from the user. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * + * + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ #include "includes.h" -RCSID("$OpenBSD: authfile.c,v 1.17 2000/06/20 01:39:38 markus Exp $"); +RCSID("$OpenBSD: authfile.c,v 1.20 2000/10/11 20:27:23 markus Exp $"); #include #include @@ -26,7 +47,6 @@ #include "xmalloc.h" #include "buffer.h" #include "bufaux.h" -#include "cipher.h" #include "ssh.h" #include "key.h" @@ -47,8 +67,8 @@ Buffer buffer, encrypted; char buf[100], *cp; int fd, i; - CipherContext cipher; - int cipher_type; + CipherContext ciphercontext; + Cipher *cipher; u_int32_t rand; /* @@ -56,9 +76,11 @@ * to another cipher; otherwise use SSH_AUTHFILE_CIPHER. */ if (strcmp(passphrase, "") == 0) - cipher_type = SSH_CIPHER_NONE; + cipher = cipher_by_number(SSH_CIPHER_NONE); else - cipher_type = SSH_AUTHFILE_CIPHER; + cipher = cipher_by_number(SSH_AUTHFILE_CIPHER); + if (cipher == NULL) + fatal("save_private_key_rsa: bad cipher"); /* This buffer is used to built the secret part of the private key. */ buffer_init(&buffer); @@ -95,7 +117,7 @@ buffer_put_char(&encrypted, 0); /* Store cipher type. */ - buffer_put_char(&encrypted, cipher_type); + buffer_put_char(&encrypted, cipher->number); buffer_put_int(&encrypted, 0); /* For future extension */ /* Store public key. This will be in plain text. */ @@ -107,11 +129,10 @@ /* Allocate space for the private part of the key in the buffer. */ buffer_append_space(&encrypted, &cp, buffer_len(&buffer)); - cipher_set_key_string(&cipher, cipher_type, passphrase); - cipher_encrypt(&cipher, (unsigned char *) cp, - (unsigned char *) buffer_ptr(&buffer), - buffer_len(&buffer)); - memset(&cipher, 0, sizeof(cipher)); + cipher_set_key_string(&ciphercontext, cipher, passphrase); + cipher_encrypt(&ciphercontext, (unsigned char *) cp, + (unsigned char *) buffer_ptr(&buffer), buffer_len(&buffer)); + memset(&ciphercontext, 0, sizeof(ciphercontext)); /* Destroy temporary data. */ memset(buf, 0, sizeof(buf)); 
@@ -126,7 +147,7 @@ strerror(errno)); buffer_free(&encrypted); close(fd); - remove(filename); + unlink(filename); return 0; } close(fd); @@ -262,6 +283,7 @@ return 1; } +/* load public key from private-key file */ int load_public_key(const char *filename, Key * key, char **comment_return) { @@ -291,7 +313,8 @@ off_t len; Buffer buffer, decrypted; char *cp; - CipherContext cipher; + CipherContext ciphercontext; + Cipher *cipher; BN_CTX *ctx; BIGNUM *aux; @@ -342,10 +365,10 @@ xfree(buffer_get_string(&buffer, NULL)); /* Check that it is a supported cipher. */ - if (((cipher_mask1() | SSH_CIPHER_NONE | SSH_AUTHFILE_CIPHER) & - (1 << cipher_type)) == 0) { - debug("Unsupported cipher %.100s used in key file %.200s.", - cipher_name(cipher_type), filename); + cipher = cipher_by_number(cipher_type); + if (cipher == NULL) { + debug("Unsupported cipher %d used in key file %.200s.", + cipher_type, filename); buffer_free(&buffer); goto fail; } @@ -354,11 +377,10 @@ buffer_append_space(&decrypted, &cp, buffer_len(&buffer)); /* Rest of the buffer is encrypted. Decrypt it using the passphrase. */ - cipher_set_key_string(&cipher, cipher_type, passphrase); - cipher_decrypt(&cipher, (unsigned char *) cp, - (unsigned char *) buffer_ptr(&buffer), - buffer_len(&buffer)); - + cipher_set_key_string(&ciphercontext, cipher, passphrase); + cipher_decrypt(&ciphercontext, (unsigned char *) cp, + (unsigned char *) buffer_ptr(&buffer), buffer_len(&buffer)); + memset(&ciphercontext, 0, sizeof(ciphercontext)); buffer_free(&buffer); check1 = buffer_get_char(&decrypted); @@ -458,6 +480,9 @@ return 0; /* check owner and modes */ +#ifdef HAVE_CYGWIN + if (check_ntsec(filename)) +#endif if (fstat(fd, &st) < 0 || (st.st_uid != 0 && st.st_uid != getuid()) || (st.st_mode & 077) != 0) { 
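Review bot: The private-key reader now accepts any cipher number that `cipher_by_number()` resolves, where the removed test additionally restricted key files to `cipher_mask1() | SSH_CIPHER_NONE | SSH_AUTHFILE_CIPHER`; unless cipher_by_number applies an equivalent restriction (cipher.c is not in this chunk) this widens the set of ciphers a key file may name. If that is intended, a comment on the `cipher == NULL` check saying so would spare the next reader the comparison. The enclosing function starts outside the hunk.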
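Review bot: The HAVE_CYGWIN guard `if (check_ntsec(filename))` is an unbraced `if` whose body is the entire following `if (fstat(...) || ...) { ... }` statement, so it reads as two independent checks and an `else` added to the mode check later would silently bind to the Cygwin test instead. Make the intent explicit with a flag: declare `int check_modes = 1;` with the locals, set it under the ifdef with `check_modes = check_ntsec(filename);`, and test `if (check_modes && (fstat(fd, &st) < 0 || ...)) {`. The enclosing function starts and ends outside the hunk.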
@@ -491,3 +516,57 @@
 close(fd);
 return ret;
 }
+
+int
+do_load_public_key(const char *filename, Key *k, char **commentp)
+{
+ FILE *f;
+ unsigned int bits;
+ char line[1024];
+ char *cp;
+
+ f = fopen(filename, "r");
+ if (f != NULL) {
+ while (fgets(line, sizeof(line), f)) {
+ line[sizeof(line)-1] = '\0';
+ cp = line;
+ switch(*cp){
+ case '#':
+ case '\n':
+ case '\0':
+ continue;
+ }
+ /* Skip leading whitespace. */
+ for (; *cp && (*cp == ' ' || *cp == '\t'); cp++)
+ ;
+ if (*cp) {
+ bits = key_read(k, &cp);
+ if (bits != 0) {
+ if (commentp)
+ *commentp=xstrdup(filename);
+ fclose(f);
+ return 1;
+ }
+ }
+ }
+ fclose(f);
+ }
+ return 0;
+}
+
+/* load public key from pubkey file */
+int
+try_load_public_key(const char *filename, Key *k, char **commentp)
+{
+ char pub[MAXPATHLEN];
+
+ if (do_load_public_key(filename, k, commentp) == 1)
+ return 1;
+ if (strlcpy(pub, filename, sizeof pub) >= MAXPATHLEN)
+ return 0;
+ if (strlcat(pub, ".pub", sizeof pub) >= MAXPATHLEN)
+ return 0;
+ if (do_load_public_key(pub, k, commentp) == 1)
+ return 1;
+ return 0;
+}
diff -ru openssh-2.2.0p1/authfile.h openssh-2.3.0p1/authfile.h
--- openssh-2.2.0p1/authfile.h 2000-04-29 23:57:10.000000000 +1000
+++ openssh-2.3.0p1/authfile.h 2000-11-06 12:39:34.000000000 +1100
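Review bot: do_load_public_key is an internal helper — authfile.h, the next file in this diff, exports only try_load_public_key — but it is defined with external linkage and no prototype; make it `static int do_load_public_key(const char *filename, Key *k, char **commentp)`. Two smaller points in its body: `line[sizeof(line)-1] = '\0';` is redundant because fgets() always terminates the buffer, and a line longer than 1023 bytes is read in pieces that are each parsed as a separate key line, which key_read should reject but which makes such files fail without any diagnostic.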
@@ -1,6 +1,22 @@ +/* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland + * All rights reserved + * Functions to interface with the SSH_AUTHENTICATION_FD socket. + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + */ + +/* $OpenBSD: authfile.h,v 1.5 2000/10/16 09:38:44 djm Exp $ */ + #ifndef AUTHFILE_H #define AUTHFILE_H + /* * Saves the authentication (private) key in a file, encrypting it with * passphrase. @@ -18,9 +34,8 @@ * comment of the key is returned in comment_return if it is non-NULL; the * caller must free the value with xfree. */ -int -load_public_key(const char *filename, Key * pub, - char **comment_return); +int load_public_key(const char *filename, Key * pub, char **comment_return); +int try_load_public_key(const char *filename, Key * pub, char **comment_return); /* * Loads the private key from the file. Returns 0 if an error is encountered diff -ru openssh-2.2.0p1/bsd-arc4random.c openssh-2.3.0p1/bsd-arc4random.c --- openssh-2.2.0p1/bsd-arc4random.c 2000-08-30 14:06:35.000000000 +1100 +++ openssh-2.3.0p1/bsd-arc4random.c 2000-10-27 09:27:32.000000000 +1100 
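Review bot: The new header comment in authfile.h describes the file as "Functions to interface with the SSH_AUTHENTICATION_FD socket.", which is authfd.h's purpose line; authfile.c's own header in this diff says it holds "functions for reading and writing identity files". Replace that line with ` * Functions for reading and writing identity (key) files.` so the header does not point readers at the agent socket code.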
@@ -9,11 +9,6 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Markus Friedl. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES @@ -28,16 +23,17 @@ */ #include "includes.h" -#include -#include #ifndef HAVE_ARC4RANDOM +#include +#include + /* Size of key to use */ #define SEED_SIZE 20 /* Number of bytes to reseed after */ -#define REKEY_BYTES (1 << 18) +#define REKEY_BYTES (1 << 24) static int rc4_ready = 0; static RC4_KEY rc4; diff -ru openssh-2.2.0p1/bsd-arc4random.h openssh-2.3.0p1/bsd-arc4random.h --- openssh-2.2.0p1/bsd-arc4random.h 2000-08-16 10:35:58.000000000 +1000 +++ openssh-2.3.0p1/bsd-arc4random.h 2000-09-16 16:09:28.000000000 +1100 
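Review bot: REKEY_BYTES goes from `(1 << 18)` to `(1 << 24)`, i.e. from 256 KiB to 16 MiB of RC4 output between reseeds, and the adjacent `/* Number of bytes to reseed after */` gives no reason for the 64-fold change. A longer reseed interval means a compromised generator state stays in use correspondingly longer, so the rationale (presumably the cost of reseeding from the entropy source) should be recorded next to the define, e.g. `/* Reseed interval; raised from 1<<18 because reseeding is expensive, see <ref placeholder> */`. The two `#include` lines moved under `#ifndef HAVE_ARC4RANDOM` are fine provided nothing outside that block depends on them, which cannot be checked from this hunk.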
@@ -9,11 +9,6 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Markus Friedl. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES diff -ru openssh-2.2.0p1/bsd-daemon.c openssh-2.3.0p1/bsd-daemon.c --- openssh-2.2.0p1/bsd-daemon.c 2000-08-30 09:21:22.000000000 +1100 +++ openssh-2.3.0p1/bsd-daemon.c 2000-09-05 16:13:07.000000000 +1100 @@ -51,6 +51,13 @@ case 0: break; default: +#ifdef HAVE_CYGWIN + /* + * This sleep avoids a race condition which kills the + * child process if parent is started by a NT/W2K service. + */ + sleep(1); +#endif _exit(0); } Only in openssh-2.3.0p1: bsd-getcwd.c Only in openssh-2.3.0p1: bsd-getcwd.h diff -ru openssh-2.2.0p1/bsd-misc.c openssh-2.3.0p1/bsd-misc.c --- openssh-2.2.0p1/bsd-misc.c 2000-08-16 10:35:58.000000000 +1000 +++ openssh-2.3.0p1/bsd-misc.c 2000-10-19 00:11:44.000000000 +1100 
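Review bot: The Cygwin-only `sleep(1);` before `_exit(0);` narrows the race the comment describes rather than closing it, since a child that presumably takes longer than a second to get going would still be hit, and sleep() can return early if a signal is delivered. If the underlying problem is that the service manager tears the process down when the parent exits, the comment should say so and name the Cygwin version or report it was observed with, so the workaround can be retired once it no longer applies, e.g. `/* XXX workaround: parent exiting early kills the child under NT/W2K services (Cygwin <version placeholder>) */`.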
@@ -9,11 +9,6 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Markus Friedl. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES @@ -31,13 +26,6 @@ #include "xmalloc.h" #include "ssh.h" -#ifndef HAVE_SETPROCTITLE -void setproctitle(const char *fmt, ...) -{ - /* FIXME */ -} -#endif /* !HAVE_SETPROCTITLE */ - #ifndef HAVE_SETLOGIN int setlogin(const char *name) { diff -ru openssh-2.2.0p1/bsd-misc.h openssh-2.3.0p1/bsd-misc.h --- openssh-2.2.0p1/bsd-misc.h 2000-08-16 10:35:58.000000000 +1000 +++ openssh-2.3.0p1/bsd-misc.h 2000-11-05 20:08:45.000000000 +1100 @@ -9,11 +9,6 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Markus Friedl. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 
@@ -32,9 +27,10 @@ #include "config.h" -#ifndef HAVE_SETPROCTITLE -void setproctitle(const char *fmt, ...); -#endif /* !HAVE_SETPROCTITLE */ +#ifndef HAVE_SETSID +#define setsid() setpgrp(0, getpid()) +#endif /* !HAVE_SETSID */ + #ifndef HAVE_SETENV int setenv(const char *name, const char *value, int overwrite); diff -ru openssh-2.2.0p1/bsd-mktemp.c openssh-2.3.0p1/bsd-mktemp.c --- openssh-2.2.0p1/bsd-mktemp.c 2000-08-30 09:21:22.000000000 +1100 +++ openssh-2.3.0p1/bsd-mktemp.c 2000-09-05 16:13:07.000000000 +1100 @@ -42,6 +42,11 @@ static char rcsid[] = "$OpenBSD: mktemp.c,v 1.13 1998/06/30 23:03:13 deraadt Exp $"; #endif /* LIBC_SCCS and not lint */ +#ifdef HAVE_CYGWIN +#define open binary_open +extern int binary_open(); +#endif + static int _gettemp(char *, int *, int, int); int Only in openssh-2.3.0p1: bsd-realpath.c Only in openssh-2.3.0p1: bsd-realpath.h Only in openssh-2.3.0p1: bsd-setproctitle.c Only in openssh-2.3.0p1: bsd-setproctitle.h diff -ru openssh-2.2.0p1/bsd-snprintf.c openssh-2.3.0p1/bsd-snprintf.c --- openssh-2.2.0p1/bsd-snprintf.c 2000-08-30 09:21:22.000000000 +1100 +++ openssh-2.3.0p1/bsd-snprintf.c 2000-09-30 09:49:08.000000000 +1100 @@ -38,6 +38,10 @@ * missing. Some systems only have snprintf() but not vsnprintf(), so * the code is now broken down under HAVE_SNPRINTF and HAVE_VSNPRINTF. * + * Ben Lindstrom 09/27/00 for OpenSSH + * Welcome to the world of %lld and %qd support. With other + * long long support. This is needed for sftp-server to work + * right. **************************************************************/ #include "config.h" @@ -111,9 +115,10 @@ #define DP_F_UNSIGNED (1 << 6) /* Conversion Flags */ -#define DP_C_SHORT 1 -#define DP_C_LONG 2 -#define DP_C_LDOUBLE 3 +#define DP_C_SHORT 1 +#define DP_C_LONG 2 +#define DP_C_LDOUBLE 3 +#define DP_C_LONG_LONG 4 #define char_to_int(p) (p - '0') #ifndef MAX 
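Review bot: The fallback `#define setsid() setpgrp(0, getpid())` is not equivalent to setsid(): setpgrp() only places the process in a new process group and does not create a new session or detach it from the controlling terminal, so code that calls setsid() to daemonize keeps the tty (and SIGHUP from it) on systems without HAVE_SETSID. That may be the best available fallback, but it should be documented at the macro, e.g. `/* XXX setpgrp() gives a new process group only; no new session, tty is not detached */`, and the two-argument BSD form will not compile against a SysV `setpgrp(void)`, which the configure check presumably rules out.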
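Review bot: `extern int binary_open();` under HAVE_CYGWIN is an old-style declaration without a prototype, so the compiler cannot check the arguments at the open() calls that the `#define open binary_open` now redirects and default argument promotions apply silently; a prototype matching open(2), `extern int binary_open(const char *, int, ...);`, keeps those calls type-checked. The macro also rewrites every later token named `open` in this translation unit, not only the function calls, which is worth a comment if that is accepted.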
@@ -222,7 +227,6 @@ state = DP_S_MOD; break; case DP_S_MOD: - /* Currently, we don't support Long Long, bummer */ switch (ch) { case 'h': @@ -232,7 +236,15 @@ case 'l': cflags = DP_C_LONG; ch = *format++; + if (ch == 'l') { + cflags = DP_C_LONG_LONG; + ch = *format++; + } break; + case 'q': + cflags = DP_C_LONG_LONG; + ch = *format++; + break; case 'L': cflags = DP_C_LDOUBLE; ch = *format++; @@ -251,6 +263,8 @@ value = va_arg (args, short int); else if (cflags == DP_C_LONG) value = va_arg (args, long int); + else if (cflags == DP_C_LONG_LONG) + value = va_arg (args, long long); else value = va_arg (args, int); fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags); @@ -261,6 +275,8 @@ value = va_arg (args, unsigned short int); else if (cflags == DP_C_LONG) value = va_arg (args, unsigned long int); + else if (cflags == DP_C_LONG_LONG) + value = va_arg (args, unsigned long long); else value = va_arg (args, unsigned int); fmtint (buffer, &currlen, maxlen, value, 8, min, max, flags); @@ -271,6 +287,8 @@ value = va_arg (args, unsigned short int); else if (cflags == DP_C_LONG) value = va_arg (args, unsigned long int); + else if (cflags == DP_C_LONG_LONG) + value = va_arg (args, unsigned long long); else value = va_arg (args, unsigned int); fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags); @@ -283,6 +301,8 @@ value = va_arg (args, unsigned short int); else if (cflags == DP_C_LONG) value = va_arg (args, unsigned long int); + else if (cflags == DP_C_LONG_LONG) + value = va_arg (args, unsigned long long); else value = va_arg (args, unsigned int); fmtint (buffer, &currlen, maxlen, value, 16, min, max, flags); @@ -337,6 +357,12 @@ num = va_arg (args, long int *); *num = currlen; } + else if (cflags == DP_C_LONG_LONG) + { + long long *num; + num = va_arg (args, long long *); + *num = currlen; + } else { int *num; 
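Review bot: The new `DP_C_LONG_LONG` branches assign `va_arg (args, long long)` and `va_arg (args, unsigned long long)` into `value`, but the declaration of `value` and the parameter type of fmtint() are outside these hunks; unless both were widened to `long long` in the same change, the 64-bit argument is truncated on exactly the 32-bit-long targets this addition is meant to serve. Please confirm, and add `/* must hold a long long for %lld / %qd */` at the declaration of value. The `case 'q':` and the `ll` detection are consistent with each other, and the long long `%n` branch is fine.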
@@ -747,9 +773,11 @@ "%+22.33d", "%01.3d", "%4d", + "%lld", + "%qd", NULL }; - long int_nums[] = { -1, 134, 91340, 341, 0203, 0}; + long long int_nums[] = { -1, 134, 91340, 341, 0203, 0, 9999999 }; int x, y; int fail = 0; int num = 0; Only in openssh-2.3.0p1: bsd-strtok.c Only in openssh-2.3.0p1: bsd-strtok.h Only in openssh-2.3.0p1: bsd-vis.c Only in openssh-2.3.0p1: bsd-vis.h Only in openssh-2.3.0p1: bsd-waitpid.c Only in openssh-2.3.0p1: bsd-waitpid.h diff -ru openssh-2.2.0p1/bufaux.c openssh-2.3.0p1/bufaux.c --- openssh-2.2.0p1/bufaux.c 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/bufaux.c 2000-09-16 13:29:08.000000000 +1100 
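Review bot: `int_nums[]` is now `long long` but the same `int_fmt[]` list still contains plain `%d`-style formats such as `"%4d"`; if the test loop (outside the hunk) passes `int_nums[y]` unchanged to every format, those calls hand a `long long` to a conversion expecting `int`, which is undefined behaviour and prints mismatched values wherever the two sizes differ. Keeping separate arrays for the `%d` and the `%lld`/`%qd` cases, or casting per format, would make the self-test meaningful.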
@@ -1,23 +1,43 @@ /* - * - * bufaux.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Wed Mar 29 02:24:47 1995 ylo - * * Auxiliary functions for storing and retrieving various data types to/from * Buffers. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * + * * SSH2 packet format added by Markus Friedl + * Copyright (c) 2000 Markus Friedl. All rights reserved. * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ #include "includes.h" -RCSID("$OpenBSD: bufaux.c,v 1.12 2000/06/20 01:39:39 markus Exp $"); +RCSID("$OpenBSD: bufaux.c,v 1.13 2000/09/07 20:27:50 deraadt Exp $"); #include "ssh.h" #include diff -ru openssh-2.2.0p1/bufaux.h openssh-2.3.0p1/bufaux.h --- openssh-2.2.0p1/bufaux.h 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/bufaux.h 2000-09-16 13:29:08.000000000 +1100 @@ -1,17 +1,16 @@ /* - * - * bufaux.h - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved * - * Created: Wed Mar 29 02:18:23 1995 ylo - * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: bufaux.h,v 1.7 2000/06/20 01:39:39 markus Exp $"); */ +/* RCSID("$OpenBSD: bufaux.h,v 1.8 2000/09/07 20:27:50 deraadt Exp $"); */ #ifndef BUFAUX_H #define BUFAUX_H diff -ru openssh-2.2.0p1/buffer.c openssh-2.3.0p1/buffer.c --- openssh-2.2.0p1/buffer.c 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/buffer.c 2000-09-16 13:29:08.000000000 +1100 
@@ -1,20 +1,18 @@ /* - * - * buffer.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Sat Mar 18 04:15:33 1995 ylo - * * Functions for manipulating fifo buffers (that can grow if needed). * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ #include "includes.h" -RCSID("$OpenBSD: buffer.c,v 1.7 2000/06/20 01:39:39 markus Exp $"); +RCSID("$OpenBSD: buffer.c,v 1.8 2000/09/07 20:27:50 deraadt Exp $"); #include "xmalloc.h" #include "buffer.h" diff -ru openssh-2.2.0p1/buffer.h openssh-2.3.0p1/buffer.h --- openssh-2.2.0p1/buffer.h 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/buffer.h 2000-09-16 13:29:08.000000000 +1100 @@ -1,19 +1,17 @@ /* - * - * buffer.h - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Sat Mar 18 04:12:25 1995 ylo - * * Code for manipulating FIFO buffers. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: buffer.h,v 1.5 2000/06/20 01:39:39 markus Exp $"); */ +/* RCSID("$OpenBSD: buffer.h,v 1.6 2000/09/07 20:27:50 deraadt Exp $"); */ #ifndef BUFFER_H #define BUFFER_H diff -ru openssh-2.2.0p1/canohost.c openssh-2.3.0p1/canohost.c --- openssh-2.2.0p1/canohost.c 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/canohost.c 2000-10-28 14:19:58.000000000 +1100 
@@ -1,20 +1,18 @@ /* - * - * canohost.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Sun Jul 2 17:52:22 1995 ylo - * * Functions for returning the canonical host name of the remote site. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ #include "includes.h" -RCSID("$OpenBSD: canohost.c,v 1.13 2000/06/20 01:39:39 markus Exp $"); +RCSID("$OpenBSD: canohost.c,v 1.16 2000/10/21 17:04:22 markus Exp $"); #include "packet.h" #include "xmalloc.h" @@ -149,7 +147,7 @@ else ipproto = IPPROTO_IP; option_size = sizeof(options); - if (getsockopt(0, ipproto, IP_OPTIONS, (char *) options, + if (getsockopt(socket, ipproto, IP_OPTIONS, (char *) options, &option_size) >= 0 && option_size != 0) { cp = text; /* Note: "text" buffer must be at least 3x as big as options. */ diff -ru openssh-2.2.0p1/channels.c openssh-2.3.0p1/channels.c --- openssh-2.2.0p1/channels.c 2000-08-23 10:46:24.000000000 +1000 +++ openssh-2.3.0p1/channels.c 2000-10-28 14:19:58.000000000 +1100 
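Review bot: `getsockopt(socket, ipproto, IP_OPTIONS, ...)` now queries the passed descriptor instead of fd 0, but the variable is named `socket`, which shadows the socket(2) function for the rest of the enclosing function (its signature is outside the hunk); renaming it to `sock`, as channels.c does, avoids the confusion and any accidental call of the function. What happens when options are present is outside the hunk too, so a comment above the call stating the intended policy for connections that carry IP options would help the next reader.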
@@ -1,23 +1,46 @@ /* - * - * channels.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Fri Mar 24 16:35:24 1995 ylo - * * This file contains functions for generic socket connection forwarding. * There is also code for initiating connection forwarding for X11 connections, * arbitrary tcp/ip connections, and the authentication agent connection. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * + * * SSH2 support added by Markus Friedl. + * Copyright (c) 1999,2000 Markus Friedl. All rights reserved. + * Copyright (c) 1999 Dug Song. All rights reserved. + * Copyright (c) 1999 Theo de Raadt. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.66 2000/08/19 21:55:51 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.72 2000/10/27 07:48:22 markus Exp $"); #include "ssh.h" #include "packet.h" @@ -44,12 +67,6 @@ /* Max len of agent socket */ #define MAX_SOCKET_NAME 100 -/* default window/packet sizes for tcp/x11-fwd-channel */ -#define CHAN_TCP_WINDOW_DEFAULT (8*1024) -#define CHAN_TCP_PACKET_DEFAULT (CHAN_TCP_WINDOW_DEFAULT/2) -#define CHAN_X11_WINDOW_DEFAULT (4*1024) -#define CHAN_X11_PACKET_DEFAULT (CHAN_X11_WINDOW_DEFAULT/2) - /* * Pointer to an array containing all allocated channels. The array is * dynamically extended as needed. @@ -157,7 +174,8 @@ */ void -channel_register_fds(Channel *c, int rfd, int wfd, int efd, int extusage) +channel_register_fds(Channel *c, int rfd, int wfd, int efd, + int extusage, int nonblock) { /* Update the maximum file descriptor value. */ if (rfd > channel_max_fd_value) @@ -173,12 +191,16 @@ c->sock = (rfd == wfd) ? rfd : -1; c->efd = efd; c->extended_usage = extusage; - if (rfd != -1) - set_nonblock(rfd); - if (wfd != -1) - set_nonblock(wfd); - if (efd != -1) - set_nonblock(efd); + + /* enable nonblocking mode */ + if (nonblock) { + if (rfd != -1) + set_nonblock(rfd); + if (wfd != -1) + set_nonblock(wfd); + if (efd != -1) + set_nonblock(efd); + } } /* 
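Review bot: The new `nonblock` parameter of channel_register_fds is explained only by `/* enable nonblocking mode */`, and every caller updated in this diff (channel_allocate, the x11, direct-tcpip, port listener and X11 listener channel_new calls, channel_set_fds) passes 1, so a reader cannot tell when 0 is intended. A sentence in the function's header comment, which starts outside the hunk, e.g. `nonblock: set the three fds non-blocking; pass 0 when the caller manages their mode itself (if that is the intent)`, would document the contract; the same applies to the channel_new and channel_set_fds hunks that forward the flag.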
@@ -188,7 +210,7 @@ int channel_new(char *ctype, int type, int rfd, int wfd, int efd, - int window, int maxpack, int extusage, char *remote_name) + int window, int maxpack, int extusage, char *remote_name, int nonblock) { int i, found; Channel *c; @@ -217,7 +239,7 @@ /* There are no free slots. Take last+1 slot and expand the array. */ found = channels_alloc; channels_alloc += 10; - debug("channel: expanding %d", channels_alloc); + debug2("channel: expanding %d", channels_alloc); channels = xrealloc(channels, channels_alloc * sizeof(Channel)); for (i = found; i < channels_alloc; i++) channels[i].type = SSH_CHANNEL_FREE; @@ -228,7 +250,7 @@ buffer_init(&c->output); buffer_init(&c->extended); chan_init_iostates(c); - channel_register_fds(c, rfd, wfd, efd, extusage); + channel_register_fds(c, rfd, wfd, efd, extusage, nonblock); c->self = found; c->type = type; c->ctype = ctype; @@ -252,7 +274,7 @@ int channel_allocate(int type, int sock, char *remote_name) { - return channel_new("", type, sock, sock, -1, 0, 0, 0, remote_name); + return channel_new("", type, sock, sock, -1, 0, 0, 0, remote_name, 1); } @@ -531,7 +553,7 @@ newch = channel_new("x11", SSH_CHANNEL_OPENING, newsock, newsock, -1, c->local_window_max, c->local_maxpacket, - 0, xstrdup(buf)); + 0, xstrdup(buf), 1); if (compat20) { packet_start(SSH2_MSG_CHANNEL_OPEN); packet_put_cstring("x11"); @@ -589,7 +611,7 @@ newch = channel_new("direct-tcpip", SSH_CHANNEL_OPENING, newsock, newsock, -1, c->local_window_max, c->local_maxpacket, - 0, xstrdup(buf)); + 0, xstrdup(buf), 1); if (compat20) { packet_start(SSH2_MSG_CHANNEL_OPEN); packet_put_cstring("direct-tcpip"); @@ -720,7 +742,7 @@ buffer_len(&c->extended) > 0) { len = write(c->efd, buffer_ptr(&c->extended), buffer_len(&c->extended)); - debug("channel %d: written %d to efd %d", + debug2("channel %d: written %d to efd %d", c->self, len, c->efd); if (len > 0) { buffer_consume(&c->extended, len); 
@@ -729,7 +751,7 @@ } else if (c->extended_usage == CHAN_EXTENDED_READ && FD_ISSET(c->efd, readset)) { len = read(c->efd, buf, sizeof(buf)); - debug("channel %d: read %d from efd %d", + debug2("channel %d: read %d from efd %d", c->self, len, c->efd); if (len == 0) { debug("channel %d: closing efd %d", @@ -752,7 +774,7 @@ packet_put_int(c->remote_id); packet_put_int(c->local_consumed); packet_send(); - debug("channel %d: window %d sent adjust %d", + debug2("channel %d: window %d sent adjust %d", c->self, c->local_window, c->local_consumed); c->local_window += c->local_consumed; @@ -981,7 +1003,7 @@ */ void -channel_input_data(int type, int plen) +channel_input_data(int type, int plen, void *ctxt) { int id; char *data; @@ -1026,7 +1048,7 @@ xfree(data); } void -channel_input_extended_data(int type, int plen) +channel_input_extended_data(int type, int plen, void *ctxt) { int id; int tcode; @@ -1059,7 +1081,7 @@ xfree(data); return; } - debug("channel %d: rcvd ext data %d", c->self, data_len); + debug2("channel %d: rcvd ext data %d", c->self, data_len); c->local_window -= data_len; buffer_append(&c->extended, data, data_len); xfree(data); @@ -1096,7 +1118,7 @@ } void -channel_input_ieof(int type, int plen) +channel_input_ieof(int type, int plen, void *ctxt) { int id; Channel *c; @@ -1111,7 +1133,7 @@ } void -channel_input_close(int type, int plen) +channel_input_close(int type, int plen, void *ctxt) { int id; Channel *c; @@ -1150,7 +1172,7 @@ /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */ void -channel_input_oclose(int type, int plen) +channel_input_oclose(int type, int plen, void *ctxt) { int id = packet_get_int(); Channel *c = channel_lookup(id); @@ -1161,7 +1183,7 @@ } void -channel_input_close_confirmation(int type, int plen) +channel_input_close_confirmation(int type, int plen, void *ctxt) { int id = packet_get_int(); Channel *c = channel_lookup(id); 
@@ -1177,7 +1199,7 @@ } void -channel_input_open_confirmation(int type, int plen) +channel_input_open_confirmation(int type, int plen, void *ctxt) { int id, remote_id; Channel *c; @@ -1201,9 +1223,9 @@ c->remote_maxpacket = packet_get_int(); packet_done(); if (c->cb_fn != NULL && c->cb_event == type) { - debug("callback start"); + debug2("callback start"); c->cb_fn(c->self, c->cb_arg); - debug("callback done"); + debug2("callback done"); } debug("channel %d: open confirm rwindow %d rmax %d", c->self, c->remote_window, c->remote_maxpacket); @@ -1211,7 +1233,7 @@ } void -channel_input_open_failure(int type, int plen) +channel_input_open_failure(int type, int plen, void *ctxt) { int id; Channel *c; @@ -1239,7 +1261,7 @@ } void -channel_input_channel_request(int type, int plen) +channel_input_channel_request(int type, int plen, void *ctxt) { int id; Channel *c; @@ -1252,19 +1274,19 @@ packet_disconnect("Received request for " "non-open channel %d.", id); if (c->cb_fn != NULL && c->cb_event == type) { - debug("callback start"); + debug2("callback start"); c->cb_fn(c->self, c->cb_arg); - debug("callback done"); + debug2("callback done"); } else { char *service = packet_get_string(NULL); debug("channel: %d rcvd request for %s", c->self, service); -debug("cb_fn %p cb_event %d", c->cb_fn , c->cb_event); + debug("cb_fn %p cb_event %d", c->cb_fn , c->cb_event); xfree(service); } } void -channel_input_window_adjust(int type, int plen) +channel_input_window_adjust(int type, int plen, void *ctxt) { Channel *c; int id, adjust; @@ -1283,7 +1305,7 @@ } adjust = packet_get_int(); packet_done(); - debug("channel %d: rcvd adjust %d", id, adjust); + debug2("channel %d: rcvd adjust %d", id, adjust); c->remote_window += adjust; } @@ -1300,7 +1322,7 @@ switch (channels[i].type) { case SSH_CHANNEL_AUTH_SOCKET: close(channels[i].sock); - remove(channels[i].path); + unlink(channels[i].path); channel_free(i); break; case SSH_CHANNEL_PORT_LISTENER: 
@@ -1497,7 +1519,7 @@ "port listener", SSH_CHANNEL_PORT_LISTENER, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, - 0, xstrdup("port listener")); + 0, xstrdup("port listener"), 1); strlcpy(channels[ch].path, host, sizeof(channels[ch].path)); channels[ch].host_port = host_port; channels[ch].listening_port = port; @@ -1567,6 +1589,7 @@ hostname = packet_get_string(NULL); host_port = packet_get_int(); +#ifndef HAVE_CYGWIN /* * Check that an unprivileged user is not trying to forward a * privileged port. @@ -1574,6 +1597,7 @@ if (port < IPPORT_RESERVED && !is_root) packet_disconnect("Requested forwarding of port %d but user is not root.", port); +#endif /* * Initiate forwarding, */ @@ -1640,7 +1664,7 @@ */ void -channel_input_port_open(int type, int plen) +channel_input_port_open(int type, int plen, void *ctxt) { u_short host_port; char *host, *originator_string; @@ -1740,11 +1764,12 @@ continue; sock = socket(ai->ai_family, SOCK_STREAM, 0); if (sock < 0) { - if (errno != EINVAL) { + if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) { error("socket: %.100s", strerror(errno)); return NULL; } else { - debug("Socket family %d not supported [X11 disp create]", ai->ai_family); + debug("x11_create_display_inet: Socket family %d not supported", + ai->ai_family); continue; } } @@ -1839,7 +1864,7 @@ (void) channel_new("x11 listener", SSH_CHANNEL_X11_LISTENER, sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, - 0, xstrdup("X11 inet listener")); + 0, xstrdup("X11 inet listener"), 1); } /* Return a suitable value for the DISPLAY environment variable. */ @@ -1981,7 +2006,7 @@ */ void -x11_input_open(int type, int plen) +x11_input_open(int type, int plen, void *ctxt) { int remote_channel, sock = 0, newch; char *remote_host; 
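Review bot: Wrapping the reserved-port check in `#ifndef HAVE_CYGWIN` means that on Cygwin any authenticated user may request forwarding of a port below IPPORT_RESERVED, because the `packet_disconnect` for non-root users is compiled out entirely. If the reason is that Cygwin has no privileged-port or root concept, that should be stated at the `#ifndef`, e.g. `/* no reserved ports or root user on Cygwin, so the check does not apply */`, so the relaxation is visibly deliberate rather than a portability leftover. The enclosing function starts outside the hunk.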
@@ -2025,6 +2050,28 @@ } } +/* dummy protocol handler that denies SSH-1 requests (agent/x11) */ +void +deny_input_open(int type, int plen, void *ctxt) +{ + int rchan = packet_get_int(); + switch(type){ + case SSH_SMSG_AGENT_OPEN: + error("Warning: ssh server tried agent forwarding."); + break; + case SSH_SMSG_X11_OPEN: + error("Warning: ssh server tried X11 forwarding."); + break; + default: + error("deny_input_open: type %d plen %d", type, plen); + break; + } + error("Warning: this is probably a break in attempt by a malicious server."); + packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); + packet_put_int(rchan); + packet_send(); +} + /* * Requests forwarding of X11 connections, generates fake authentication * data, and enables authentication spoofing. @@ -2119,7 +2166,7 @@ void cleanup_socket(void) { - remove(channel_forwarded_auth_socket_name); + unlink(channel_forwarded_auth_socket_name); rmdir(channel_forwarded_auth_socket_dir); } @@ -2196,7 +2243,7 @@ /* This is called to process an SSH_SMSG_AGENT_OPEN message. */ void -auth_input_open_request(int type, int plen) +auth_input_open_request(int type, int plen, void *ctxt) { int remch, sock, newch; char *dummyname; 
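Review bot: deny_input_open reads only the channel id with `packet_get_int()` and never calls `packet_done()`, unlike the other SSH-1 handlers in this file that finish with it (channel_input_window_adjust, for one); if that is deliberate because the refused message types may carry fields after the channel id, a comment saying so would stop a later cleanup from adding the check, and if not, the remaining bytes are left unconsumed. The header comment could also say that the reply echoes the peer's channel number `rchan` so the server receives a well-formed SSH_MSG_CHANNEL_OPEN_FAILURE for the request it made.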
@@ -2329,16 +2376,16 @@ } void -channel_set_fds(int id, int rfd, int wfd, int efd, int extusage) +channel_set_fds(int id, int rfd, int wfd, int efd, + int extusage, int nonblock) { Channel *c = channel_lookup(id); if (c == NULL || c->type != SSH_CHANNEL_LARVAL) fatal("channel_activate for non-larval channel %d.", id); - - channel_register_fds(c, rfd, wfd, efd, extusage); + channel_register_fds(c, rfd, wfd, efd, extusage, nonblock); c->type = SSH_CHANNEL_OPEN; /* XXX window size? */ - c->local_window = c->local_window_max = c->local_maxpacket/2; + c->local_window = c->local_window_max = c->local_maxpacket * 2; packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); packet_put_int(c->remote_id); packet_put_int(c->local_window); diff -ru openssh-2.2.0p1/channels.h openssh-2.3.0p1/channels.h --- openssh-2.2.0p1/channels.h 2000-08-23 10:46:24.000000000 +1000 +++ openssh-2.3.0p1/channels.h 2000-10-28 14:19:58.000000000 +1100 
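Review bot: The window set in channel_set_fds is now `c->local_maxpacket * 2` instead of `/ 2`, yet the `/* XXX window size? */` above it is kept, so the change reads as still undecided; if the new value is meant to match the 2:1 window/packet ratio of the CHAN_*_WINDOW_DEFAULT and CHAN_*_PACKET_DEFAULT pairs in channels.h, the comment should say that and the XXX can go. The `fatal("channel_activate for non-larval channel %d.", id)` message still names channel_activate although this function is channel_set_fds, which misleads whoever reads the log; `fatal("channel_set_fds: channel %d is not larval.", id)` would be accurate.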
@@ -1,4 +1,38 @@ -/* RCSID("$OpenBSD: channels.h,v 1.16 2000/08/19 21:55:51 markus Exp $"); */ +/* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland + * All rights reserved + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + */ +/* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ +/* RCSID("$OpenBSD: channels.h,v 1.22 2000/10/27 07:48:22 markus Exp $"); */ #ifndef CHANNELS_H #define CHANNELS_H 
@@ -74,7 +108,15 @@ #define CHAN_EXTENDED_READ 1 #define CHAN_EXTENDED_WRITE 2 -void channel_set_fds(int id, int rfd, int wfd, int efd, int extusage); +/* default window/packet sizes for tcp/x11-fwd-channel */ +#define CHAN_SES_WINDOW_DEFAULT (32*1024) +#define CHAN_SES_PACKET_DEFAULT (CHAN_SES_WINDOW_DEFAULT/2) +#define CHAN_TCP_WINDOW_DEFAULT (32*1024) +#define CHAN_TCP_PACKET_DEFAULT (CHAN_TCP_WINDOW_DEFAULT/2) +#define CHAN_X11_WINDOW_DEFAULT (4*1024) +#define CHAN_X11_PACKET_DEFAULT (CHAN_X11_WINDOW_DEFAULT/2) + + void channel_open(int id); void channel_request(int id, char *service, int wantconfirm); void channel_request_start(int id, char *service, int wantconfirm); 
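Review bot: The comment `/* default window/packet sizes for tcp/x11-fwd-channel */` carried over with the defines no longer covers the new `CHAN_SES_WINDOW_DEFAULT`/`CHAN_SES_PACKET_DEFAULT` pair, and the TCP window is now `(32*1024)` whereas the block removed from channels.c had `(8*1024)`, with no note on why. Rewording it as `/* default window/packet sizes for session, tcp and x11 forwarding channels */` and recording the reason for the larger TCP window next to the define would keep the header self-explanatory.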
@@ -86,20 +128,26 @@ int channel_new(char *ctype, int type, int rfd, int wfd, int efd, - int window, int maxpack, int extended_usage, char *remote_name); + int window, int maxpack, int extended_usage, char *remote_name, + int nonblock); +void +channel_set_fds(int id, int rfd, int wfd, int efd, + int extusage, int nonblock); + +void deny_input_open(int type, int plen, void *ctxt); -void channel_input_channel_request(int type, int plen); -void channel_input_close(int type, int plen); -void channel_input_close_confirmation(int type, int plen); -void channel_input_data(int type, int plen); -void channel_input_extended_data(int type, int plen); -void channel_input_ieof(int type, int plen); -void channel_input_oclose(int type, int plen); -void channel_input_open_confirmation(int type, int plen); -void channel_input_open_failure(int type, int plen); -void channel_input_port_open(int type, int plen); -void channel_input_window_adjust(int type, int plen); -void channel_input_open(int type, int plen); +void channel_input_channel_request(int type, int plen, void *ctxt); +void channel_input_close(int type, int plen, void *ctxt); +void channel_input_close_confirmation(int type, int plen, void *ctxt); +void channel_input_data(int type, int plen, void *ctxt); +void channel_input_extended_data(int type, int plen, void *ctxt); +void channel_input_ieof(int type, int plen, void *ctxt); +void channel_input_oclose(int type, int plen, void *ctxt); +void channel_input_open_confirmation(int type, int plen, void *ctxt); +void channel_input_open_failure(int type, int plen, void *ctxt); +void channel_input_port_open(int type, int plen, void *ctxt); +void channel_input_window_adjust(int type, int plen, void *ctxt); +void channel_input_open(int type, int plen, void *ctxt); /* Sets specific protocol options. */ void channel_set_options(int hostname_in_open); 
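Review bot: `deny_input_open` and `channel_set_fds` are declared here without any comment, while neighbouring declarations such as x11_input_open and auth_input_open_request further down carry explanatory ones; a one-liner each, e.g. `/* Handler that refuses SSH-1 agent/X11 open requests from the server. */` and `/* Attach fds to a larval channel, mark it open and advertise its window; nonblock selects O_NONBLOCK on the fds. */`, would match the header's style. The two-line split of the `channel_set_fds` prototype is also unlike the one-line declarations around it.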
@@ -203,7 +251,7 @@
  * the remote channel number. We should do whatever we want, and respond
  * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
  */
-void x11_input_open(int type, int plen);
+void x11_input_open(int type, int plen, void *ctxt);
 
 /*
  * Requests forwarding of X11 connections. This should be called on the
@@ -236,7 +284,7 @@
 int auth_input_request_forwarding(struct passwd * pw);
 
 /* This is called to process an SSH_SMSG_AGENT_OPEN message. */
-void auth_input_open_request(int type, int plen);
+void auth_input_open_request(int type, int plen, void *ctxt);
 
 /* XXX */
 int channel_connect_to(const char *host, u_short host_port);
diff -ru openssh-2.2.0p1/cipher.c openssh-2.3.0p1/cipher.c
--- openssh-2.2.0p1/cipher.c 2000-07-11 17:31:38.000000000 +1000
+++ openssh-2.3.0p1/cipher.c 2000-10-28 14:19:58.000000000 +1100
@@ -1,25 +1,125 @@ /* - * - * cipher.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved * - * Created: Wed Apr 19 17:41:39 1995 ylo + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * + * + * Copyright (c) 1999 Niels Provos. All rights reserved. + * Copyright (c) 1999,2000 Markus Friedl. All rights reserved. * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ #include "includes.h" -RCSID("$OpenBSD: cipher.c,v 1.29 2000/07/10 16:30:25 ho Exp $"); +RCSID("$OpenBSD: cipher.c,v 1.37 2000/10/23 19:31:54 markus Exp $"); #include "ssh.h" -#include "cipher.h" #include "xmalloc.h" #include + +/* no encryption */ +void +none_setkey(CipherContext *cc, const u_char *key, u_int keylen) +{ +} +void +none_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) +{ +} +void +none_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) +{ + memcpy(dest, src, len); +} + +/* DES */ +void +des_ssh1_setkey(CipherContext *cc, const u_char *key, u_int keylen) +{ + static int dowarn = 1; + if (dowarn) { + error("Warning: use of DES is strongly discouraged " + "due to cryptographic weaknesses"); + dowarn = 0; + } + des_set_key((void *)key, cc->u.des.key); +} +void +des_ssh1_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) +{ + memset(cc->u.des.iv, 0, sizeof(cc->u.des.iv)); +} +void +des_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) +{ + des_ncbc_encrypt(src, dest, len, cc->u.des.key, &cc->u.des.iv, + DES_ENCRYPT); +} +void +des_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) +{ + des_ncbc_encrypt(src, dest, len, cc->u.des.key, &cc->u.des.iv, + DES_DECRYPT); +} + +/* 3DES */ +void +des3_setkey(CipherContext *cc, const u_char *key, u_int keylen) +{ + des_set_key((void *) key, cc->u.des3.key1); + des_set_key((void *) (key+8), cc->u.des3.key2); + des_set_key((void *) (key+16), cc->u.des3.key3); +} +void +des3_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) +{ + memset(cc->u.des3.iv2, 0, sizeof(cc->u.des3.iv2)); + memset(cc->u.des3.iv3, 0, sizeof(cc->u.des3.iv3)); + if (iv == NULL) + return; + memcpy(cc->u.des3.iv3, (char *)iv, 8); +} +void +des3_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) +{ + des_ede3_cbc_encrypt(src, dest, len, + cc->u.des3.key1, cc->u.des3.key2, cc->u.des3.key3, + &cc->u.des3.iv3, DES_ENCRYPT); +} +void 
+des3_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) +{ + des_ede3_cbc_encrypt(src, dest, len, + cc->u.des3.key1, cc->u.des3.key2, cc->u.des3.key3, + &cc->u.des3.iv3, DES_DECRYPT); +} + /* * This is used by SSH1: * 
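Review bot: The new `setiv` helpers do not validate `ivlen` themselves — `des3_setiv` copies 8 bytes from `iv` whenever it is non-NULL, and `des_ssh1_setiv` ignores both arguments and zeroes the IV — so their safety rests on `cipher_init` (a later hunk of this file) having checked `ivlen` against the table's `block_size` before dispatching through the function pointer. That contract is not written down anywhere in the hunk; a comment above the first helper, `/* setkey/setiv are reached only through cipher_init(), which has already checked keylen/ivlen against the Cipher table entry */`, would keep a future direct caller from handing these a short buffer. The `(void *)key` casts in `des_ssh1_setkey` and `des3_setkey` discard the `const` qualifier, presumably because `des_set_key`'s prototype is not const-qualified; a short comment saying why the cast exists would stop a reviewer from reading it as an intentional write to the caller's key. The comment that starts at the end of this hunk (`This is used by SSH1:`) continues outside it.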
@@ -35,160 +135,356 @@ * choosing the X block. */ void -SSH_3CBC_ENCRYPT(des_key_schedule ks1, - des_key_schedule ks2, des_cblock * iv2, - des_key_schedule ks3, des_cblock * iv3, - unsigned char *dest, unsigned char *src, - unsigned int len) +des3_ssh1_setkey(CipherContext *cc, const u_char *key, u_int keylen) +{ + des_set_key((void *) key, cc->u.des3.key1); + des_set_key((void *) (key+8), cc->u.des3.key2); + if (keylen <= 16) + des_set_key((void *) key, cc->u.des3.key3); + else + des_set_key((void *) (key+16), cc->u.des3.key3); +} +void +des3_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src, + u_int len) { des_cblock iv1; + des_cblock *iv2 = &cc->u.des3.iv2; + des_cblock *iv3 = &cc->u.des3.iv3; memcpy(&iv1, iv2, 8); - des_cbc_encrypt(src, dest, len, ks1, &iv1, DES_ENCRYPT); + des_cbc_encrypt(src, dest, len, cc->u.des3.key1, &iv1, DES_ENCRYPT); memcpy(&iv1, dest + len - 8, 8); - des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_DECRYPT); + des_cbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_DECRYPT); memcpy(iv2, &iv1, 8); /* Note how iv1 == iv2 on entry and exit. 
*/ - des_cbc_encrypt(dest, dest, len, ks3, iv3, DES_ENCRYPT); + des_cbc_encrypt(dest, dest, len, cc->u.des3.key3, iv3, DES_ENCRYPT); memcpy(iv3, dest + len - 8, 8); } - void -SSH_3CBC_DECRYPT(des_key_schedule ks1, - des_key_schedule ks2, des_cblock * iv2, - des_key_schedule ks3, des_cblock * iv3, - unsigned char *dest, unsigned char *src, - unsigned int len) +des3_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src, + u_int len) { des_cblock iv1; + des_cblock *iv2 = &cc->u.des3.iv2; + des_cblock *iv3 = &cc->u.des3.iv3; memcpy(&iv1, iv2, 8); - des_cbc_encrypt(src, dest, len, ks3, iv3, DES_DECRYPT); + des_cbc_encrypt(src, dest, len, cc->u.des3.key3, iv3, DES_DECRYPT); memcpy(iv3, src + len - 8, 8); - des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_ENCRYPT); + des_cbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_ENCRYPT); memcpy(iv2, dest + len - 8, 8); - des_cbc_encrypt(dest, dest, len, ks1, &iv1, DES_DECRYPT); + des_cbc_encrypt(dest, dest, len, cc->u.des3.key1, &iv1, DES_DECRYPT); /* memcpy(&iv1, iv2, 8); */ /* Note how iv1 == iv2 on entry and exit. */ } +/* Blowfish */ +void +blowfish_setkey(CipherContext *cc, const u_char *key, u_int keylen) +{ + BF_set_key(&cc->u.bf.key, keylen, (unsigned char *)key); +} +void +blowfish_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) +{ + if (iv == NULL) + memset(cc->u.bf.iv, 0, 8); + else + memcpy(cc->u.bf.iv, (char *)iv, 8); +} +void +blowfish_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src, + u_int len) +{ + BF_cbc_encrypt((void *)src, dest, len, &cc->u.bf.key, cc->u.bf.iv, + BF_ENCRYPT); +} +void +blowfish_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src, + u_int len) +{ + BF_cbc_encrypt((void *)src, dest, len, &cc->u.bf.key, cc->u.bf.iv, + BF_DECRYPT); +} + /* * SSH1 uses a variation on Blowfish, all bytes must be swapped before * and after encryption/decryption. Thus the swap_bytes stuff (yuk). 
*/ static void -swap_bytes(const unsigned char *src, unsigned char *dst_, int n) +swap_bytes(const unsigned char *src, unsigned char *dst, int n) { - /* dst must be properly aligned. */ - u_int32_t *dst = (u_int32_t *) dst_; - union { - u_int32_t i; - char c[4]; - } t; - - /* Process 8 bytes every lap. */ - for (n = n / 8; n > 0; n--) { - t.c[3] = *src++; - t.c[2] = *src++; - t.c[1] = *src++; - t.c[0] = *src++; - *dst++ = t.i; - - t.c[3] = *src++; - t.c[2] = *src++; - t.c[1] = *src++; - t.c[0] = *src++; - *dst++ = t.i; + char c[4]; + + /* Process 4 bytes every lap. */ + for (n = n / 4; n > 0; n--) { + c[3] = *src++; + c[2] = *src++; + c[1] = *src++; + c[0] = *src++; + + *dst++ = c[0]; + *dst++ = c[1]; + *dst++ = c[2]; + *dst++ = c[3]; } } -/* - * Names of all encryption algorithms. - * These must match the numbers defined in cipher.h. - */ -static char *cipher_names[] = +void +blowfish_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src, + u_int len) { - "none", - "idea", - "des", - "3des", - "tss", - "rc4", - "blowfish", - "reserved", - "blowfish-cbc", - "3des-cbc", - "arcfour", - "cast128-cbc" -}; + swap_bytes(src, dest, len); + BF_cbc_encrypt((void *)dest, dest, len, &cc->u.bf.key, cc->u.bf.iv, + BF_ENCRYPT); + swap_bytes(dest, dest, len); +} +void +blowfish_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src, + u_int len) +{ + swap_bytes(src, dest, len); + BF_cbc_encrypt((void *)dest, dest, len, &cc->u.bf.key, cc->u.bf.iv, + BF_DECRYPT); + swap_bytes(dest, dest, len); +} -/* - * Returns a bit mask indicating which ciphers are supported by this - * implementation. The bit mask has the corresponding bit set of each - * supported cipher. 
- */ +/* alleged rc4 */ +void +arcfour_setkey(CipherContext *cc, const u_char *key, u_int keylen) +{ + RC4_set_key(&cc->u.rc4, keylen, (u_char *)key); +} +void +arcfour_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) +{ + RC4(&cc->u.rc4, len, (u_char *)src, dest); +} -unsigned int -cipher_mask1() +/* CAST */ +void +cast_setkey(CipherContext *cc, const u_char *key, u_int keylen) { - unsigned int mask = 0; - mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ - mask |= 1 << SSH_CIPHER_BLOWFISH; - return mask; + CAST_set_key(&cc->u.cast.key, keylen, (unsigned char *) key); } -unsigned int -cipher_mask2() +void +cast_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) { - unsigned int mask = 0; - mask |= 1 << SSH_CIPHER_BLOWFISH_CBC; - mask |= 1 << SSH_CIPHER_3DES_CBC; - mask |= 1 << SSH_CIPHER_ARCFOUR; - mask |= 1 << SSH_CIPHER_CAST128_CBC; - return mask; + if (iv == NULL) + fatal("no IV for %s.", cc->cipher->name); + memcpy(cc->u.cast.iv, (char *)iv, 8); } -unsigned int -cipher_mask() +void +cast_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) +{ + CAST_cbc_encrypt(src, dest, len, &cc->u.cast.key, cc->u.cast.iv, + CAST_ENCRYPT); +} +void +cast_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) +{ + CAST_cbc_encrypt(src, dest, len, &cc->u.cast.key, cc->u.cast.iv, + CAST_DECRYPT); +} + +/* RIJNDAEL */ + +#define RIJNDAEL_BLOCKSIZE 16 +void +rijndael_setkey(CipherContext *cc, const u_char *key, u_int keylen) +{ + rijndael_set_key(&cc->u.rijndael.enc, (u4byte *)key, 8*keylen, 1); + rijndael_set_key(&cc->u.rijndael.dec, (u4byte *)key, 8*keylen, 0); +} +void +rijndael_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) { - return cipher_mask1() | cipher_mask2(); + if (iv == NULL) + fatal("no IV for %s.", cc->cipher->name); + memcpy((u_char *)cc->u.rijndael.iv, iv, RIJNDAEL_BLOCKSIZE); } +void +rijndael_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src, + u_int len) +{ + rijndael_ctx *ctx 
= &cc->u.rijndael.enc; + u4byte *iv = cc->u.rijndael.iv; + u4byte in[4]; + u4byte *cprev, *cnow, *plain; + int i, blocks = len / RIJNDAEL_BLOCKSIZE; + if (len == 0) + return; + if (len % RIJNDAEL_BLOCKSIZE) + fatal("rijndael_cbc_encrypt: bad len %d", len); + cnow = (u4byte*) dest; + plain = (u4byte*) src; + cprev = iv; + for(i = 0; i < blocks; i++, plain+=4, cnow+=4) { + in[0] = plain[0] ^ cprev[0]; + in[1] = plain[1] ^ cprev[1]; + in[2] = plain[2] ^ cprev[2]; + in[3] = plain[3] ^ cprev[3]; + rijndael_encrypt(ctx, in, cnow); + cprev = cnow; + } + memcpy(iv, cprev, RIJNDAEL_BLOCKSIZE); +} + +void +rijndael_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src, + u_int len) +{ + rijndael_ctx *ctx = &cc->u.rijndael.dec; + u4byte *iv = cc->u.rijndael.iv; + u4byte ivsaved[4]; + u4byte *cnow = (u4byte*) (src+len-RIJNDAEL_BLOCKSIZE); + u4byte *plain = (u4byte*) (dest+len-RIJNDAEL_BLOCKSIZE); + u4byte *ivp; + int i, blocks = len / RIJNDAEL_BLOCKSIZE; + if (len == 0) + return; + if (len % RIJNDAEL_BLOCKSIZE) + fatal("rijndael_cbc_decrypt: bad len %d", len); + memcpy(ivsaved, cnow, RIJNDAEL_BLOCKSIZE); + for(i = blocks; i > 0; i--, cnow-=4, plain-=4) { + rijndael_decrypt(ctx, cnow, plain); + ivp = (i == 1) ? 
iv : cnow-4; + plain[0] ^= ivp[0]; + plain[1] ^= ivp[1]; + plain[2] ^= ivp[2]; + plain[3] ^= ivp[3]; + } + memcpy(iv, ivsaved, RIJNDAEL_BLOCKSIZE); +} + +Cipher ciphers[] = { + { "none", + SSH_CIPHER_NONE, 8, 0, + none_setkey, none_setiv, + none_crypt, none_crypt }, + { "des", + SSH_CIPHER_DES, 8, 8, + des_ssh1_setkey, des_ssh1_setiv, + des_ssh1_encrypt, des_ssh1_decrypt }, + { "3des", + SSH_CIPHER_3DES, 8, 16, + des3_ssh1_setkey, des3_setiv, + des3_ssh1_encrypt, des3_ssh1_decrypt }, + { "blowfish", + SSH_CIPHER_BLOWFISH, 8, 16, + blowfish_setkey, blowfish_setiv, + blowfish_ssh1_encrypt, blowfish_ssh1_decrypt }, + + { "3des-cbc", + SSH_CIPHER_SSH2, 8, 24, + des3_setkey, des3_setiv, + des3_cbc_encrypt, des3_cbc_decrypt }, + { "blowfish-cbc", + SSH_CIPHER_SSH2, 8, 16, + blowfish_setkey, blowfish_setiv, + blowfish_cbc_encrypt, blowfish_cbc_decrypt }, + { "cast128-cbc", + SSH_CIPHER_SSH2, 8, 16, + cast_setkey, cast_setiv, + cast_cbc_encrypt, cast_cbc_decrypt }, + { "arcfour", + SSH_CIPHER_SSH2, 8, 16, + arcfour_setkey, none_setiv, + arcfour_crypt, arcfour_crypt }, + { "aes128-cbc", + SSH_CIPHER_SSH2, 16, 16, + rijndael_setkey, rijndael_setiv, + rijndael_cbc_encrypt, rijndael_cbc_decrypt }, + { "aes192-cbc", + SSH_CIPHER_SSH2, 16, 24, + rijndael_setkey, rijndael_setiv, + rijndael_cbc_encrypt, rijndael_cbc_decrypt }, + { "aes256-cbc", + SSH_CIPHER_SSH2, 16, 32, + rijndael_setkey, rijndael_setiv, + rijndael_cbc_encrypt, rijndael_cbc_decrypt }, + { "rijndael128-cbc", + SSH_CIPHER_SSH2, 16, 16, + rijndael_setkey, rijndael_setiv, + rijndael_cbc_encrypt, rijndael_cbc_decrypt }, + { "rijndael192-cbc", + SSH_CIPHER_SSH2, 16, 24, + rijndael_setkey, rijndael_setiv, + rijndael_cbc_encrypt, rijndael_cbc_decrypt }, + { "rijndael256-cbc", + SSH_CIPHER_SSH2, 16, 32, + rijndael_setkey, rijndael_setiv, + rijndael_cbc_encrypt, rijndael_cbc_decrypt }, + { "rijndael-cbc@lysator.liu.se", + SSH_CIPHER_SSH2, 16, 32, + rijndael_setkey, rijndael_setiv, + rijndael_cbc_encrypt, 
rijndael_cbc_decrypt }, + { NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL, NULL, NULL, NULL } +}; -/* Returns the name of the cipher. */ +/*--*/ -const char * -cipher_name(int cipher) +unsigned int +cipher_mask_ssh1(int client) { - if (cipher < 0 || cipher >= sizeof(cipher_names) / sizeof(cipher_names[0]) || - cipher_names[cipher] == NULL) - fatal("cipher_name: bad cipher name: %d", cipher); - return cipher_names[cipher]; + unsigned int mask = 0; + mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ + mask |= 1 << SSH_CIPHER_BLOWFISH; + if (client) { + mask |= 1 << SSH_CIPHER_DES; + } + return mask; } -/* Returns 1 if the name of the ciphers are valid. */ +Cipher * +cipher_by_name(const char *name) +{ + Cipher *c; + for (c = ciphers; c->name != NULL; c++) + if (strcasecmp(c->name, name) == 0) + return c; + return NULL; +} + +Cipher * +cipher_by_number(int id) +{ + Cipher *c; + for (c = ciphers; c->name != NULL; c++) + if (c->number == id) + return c; + return NULL; +} #define CIPHER_SEP "," int ciphers_valid(const char *names) { + Cipher *c; char *ciphers, *cp; char *p; - int i; if (names == NULL || strcmp(names, "") == 0) return 0; ciphers = cp = xstrdup(names); - for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; + for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; (p = strsep(&cp, CIPHER_SEP))) { - i = cipher_number(p); - if (i == -1 || !(cipher_mask2() & (1 << i))) { + c = cipher_by_name(p); + if (c == NULL || c->number != SSH_CIPHER_SSH2) { + debug("bad cipher %s [%s]", p, names); xfree(ciphers); return 0; + } else { + debug3("cipher ok: %s [%s]", p, names); } } + debug3("ciphers ok: [%s]", names); xfree(ciphers); return 1; } 
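Review bot: `rijndael_cbc_encrypt` and `rijndael_cbc_decrypt` reinterpret the caller's `u_char` buffers as 32-bit words (`cnow = (u4byte*) dest; plain = (u4byte*) src;`, and `(u4byte*) (src+len-RIJNDAEL_BLOCKSIZE)` in the decrypt path), and `rijndael_setkey` does the same to `key`; nothing on this page guarantees those buffers are 4-byte aligned, so this is a misaligned access on strict-alignment targets and a strict-aliasing violation everywhere. Copying each block through the local word arrays with `memcpy` produces exactly the host-order words the cast produced, so the ciphertext is unchanged and the in-place (`src == dest`) case the current code supports still works; the decrypt loop gets the same treatment, copying the ciphertext block out before decrypting and XORing against a saved copy of the previous block rather than `cnow-4`. Separately, `cipher_by_name` passes `name` straight to `strcasecmp`; its callers in this hunk (`ciphers_valid`) and in the next (`cipher_number`) guard NULL but the function itself does not, which deserves a one-line comment on the prototype.
```c
rijndael_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src,
    u_int len)
{
	rijndael_ctx *ctx = &cc->u.rijndael.enc;
	u4byte *iv = cc->u.rijndael.iv;
	u4byte in[4], out[4];
	int i, blocks = len / RIJNDAEL_BLOCKSIZE;
	/* … unchanged: len == 0 and len % RIJNDAEL_BLOCKSIZE checks … */
	for (i = 0; i < blocks; i++, src += RIJNDAEL_BLOCKSIZE, dest += RIJNDAEL_BLOCKSIZE) {
		/*
		 * Copy the block instead of casting src/dest to u4byte *:
		 * the packet buffers carry no alignment guarantee and the
		 * cast breaks strict aliasing. memcpy yields the same
		 * host-order words the cast did, so the output is unchanged.
		 */
		memcpy(in, src, RIJNDAEL_BLOCKSIZE);
		in[0] ^= iv[0];
		in[1] ^= iv[1];
		in[2] ^= iv[2];
		in[3] ^= iv[3];
		rijndael_encrypt(ctx, in, out);
		memcpy(dest, out, RIJNDAEL_BLOCKSIZE);
		/* this ciphertext block is the chaining value for the next one */
		memcpy(iv, out, RIJNDAEL_BLOCKSIZE);
	}
}
```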
@@ -201,264 +497,69 @@ int cipher_number(const char *name) { - int i; + Cipher *c; if (name == NULL) return -1; - for (i = 0; i < sizeof(cipher_names) / sizeof(cipher_names[0]); i++) - if (strcmp(cipher_names[i], name) == 0 && - (cipher_mask() & (1 << i))) - return i; - return -1; + c = cipher_by_name(name); + return (c==NULL) ? -1 : c->number; } -/* - * Selects the cipher, and keys if by computing the MD5 checksum of the - * passphrase and using the resulting 16 bytes as the key. - */ - -void -cipher_set_key_string(CipherContext *context, int cipher, const char *passphrase) +char * +cipher_name(int id) { - MD5_CTX md; - unsigned char digest[16]; - - MD5_Init(&md); - MD5_Update(&md, (const unsigned char *) passphrase, strlen(passphrase)); - MD5_Final(digest, &md); - - cipher_set_key(context, cipher, digest, 16); - - memset(digest, 0, sizeof(digest)); - memset(&md, 0, sizeof(md)); + Cipher *c = cipher_by_number(id); + return (c==NULL) ? "" : c->name; } -/* Selects the cipher to use and sets the key. */ - void -cipher_set_key(CipherContext *context, int cipher, const unsigned char *key, - int keylen) +cipher_init(CipherContext *cc, Cipher *cipher, + const u_char *key, u_int keylen, const u_char *iv, u_int ivlen) { - unsigned char padded[32]; - - /* Set cipher type. */ - context->type = cipher; - - /* Get 32 bytes of key data. Pad if necessary. (So that code - below does not need to worry about key size). */ - memset(padded, 0, sizeof(padded)); - memcpy(padded, key, keylen < sizeof(padded) ? keylen : sizeof(padded)); - - /* Initialize the initialization vector. */ - switch (cipher) { - case SSH_CIPHER_NONE: - /* - * Has to stay for authfile saving of private key with no - * passphrase - */ - break; - - case SSH_CIPHER_3DES: - /* - * Note: the least significant bit of each byte of key is - * parity, and must be ignored by the implementation. 16 - * bytes of key are used (first and last keys are the same). 
- */ - if (keylen < 16) - error("Key length %d is insufficient for 3DES.", keylen); - des_set_key((void *) padded, context->u.des3.key1); - des_set_key((void *) (padded + 8), context->u.des3.key2); - if (keylen <= 16) - des_set_key((void *) padded, context->u.des3.key3); - else - des_set_key((void *) (padded + 16), context->u.des3.key3); - memset(context->u.des3.iv2, 0, sizeof(context->u.des3.iv2)); - memset(context->u.des3.iv3, 0, sizeof(context->u.des3.iv3)); - break; - - case SSH_CIPHER_BLOWFISH: - if (keylen < 16) - error("Key length %d is insufficient for blowfish.", keylen); - BF_set_key(&context->u.bf.key, keylen, padded); - memset(context->u.bf.iv, 0, 8); - break; - - case SSH_CIPHER_3DES_CBC: - case SSH_CIPHER_BLOWFISH_CBC: - case SSH_CIPHER_ARCFOUR: - case SSH_CIPHER_CAST128_CBC: - fatal("cipher_set_key: illegal cipher: %s", cipher_name(cipher)); - break; - - default: - fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher)); - } - memset(padded, 0, sizeof(padded)); + if (keylen < cipher->key_len) + fatal("cipher_init: key length %d is insufficient for %s.", + keylen, cipher->name); + if (iv != NULL && ivlen < cipher->block_size) + fatal("cipher_init: iv length %d is insufficient for %s.", + ivlen, cipher->name); + cc->cipher = cipher; + cipher->setkey(cc, key, keylen); + cipher->setiv(cc, iv, ivlen); } void -cipher_set_key_iv(CipherContext * context, int cipher, - const unsigned char *key, int keylen, - const unsigned char *iv, int ivlen) -{ - /* Set cipher type. */ - context->type = cipher; - - /* Initialize the initialization vector. 
*/ - switch (cipher) { - case SSH_CIPHER_NONE: - break; - - case SSH_CIPHER_3DES: - case SSH_CIPHER_BLOWFISH: - fatal("cipher_set_key_iv: illegal cipher: %s", cipher_name(cipher)); - break; - - case SSH_CIPHER_3DES_CBC: - if (keylen < 24) - error("Key length %d is insufficient for 3des-cbc.", keylen); - des_set_key((void *) key, context->u.des3.key1); - des_set_key((void *) (key+8), context->u.des3.key2); - des_set_key((void *) (key+16), context->u.des3.key3); - if (ivlen < 8) - error("IV length %d is insufficient for 3des-cbc.", ivlen); - memcpy(context->u.des3.iv3, (char *)iv, 8); - break; - - case SSH_CIPHER_BLOWFISH_CBC: - if (keylen < 16) - error("Key length %d is insufficient for blowfish.", keylen); - if (ivlen < 8) - error("IV length %d is insufficient for blowfish.", ivlen); - BF_set_key(&context->u.bf.key, keylen, (unsigned char *)key); - memcpy(context->u.bf.iv, (char *)iv, 8); - break; - - case SSH_CIPHER_ARCFOUR: - if (keylen < 16) - error("Key length %d is insufficient for arcfour.", keylen); - RC4_set_key(&context->u.rc4, keylen, (unsigned char *)key); - break; - - case SSH_CIPHER_CAST128_CBC: - if (keylen < 16) - error("Key length %d is insufficient for cast128.", keylen); - if (ivlen < 8) - error("IV length %d is insufficient for cast128.", ivlen); - CAST_set_key(&context->u.cast.key, keylen, (unsigned char *) key); - memcpy(context->u.cast.iv, (char *)iv, 8); - break; - - default: - fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher)); - } +cipher_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) +{ + if (len % cc->cipher->block_size) + fatal("cipher_encrypt: bad plaintext length %d", len); + cc->cipher->encrypt(cc, dest, src, len); } -/* Encrypts data using the cipher. 
*/ - void -cipher_encrypt(CipherContext *context, unsigned char *dest, - const unsigned char *src, unsigned int len) +cipher_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) { - if ((len & 7) != 0) - fatal("cipher_encrypt: bad plaintext length %d", len); - - switch (context->type) { - case SSH_CIPHER_NONE: - memcpy(dest, src, len); - break; - - case SSH_CIPHER_3DES: - SSH_3CBC_ENCRYPT(context->u.des3.key1, - context->u.des3.key2, &context->u.des3.iv2, - context->u.des3.key3, &context->u.des3.iv3, - dest, (unsigned char *) src, len); - break; - - case SSH_CIPHER_BLOWFISH: - swap_bytes(src, dest, len); - BF_cbc_encrypt(dest, dest, len, - &context->u.bf.key, context->u.bf.iv, - BF_ENCRYPT); - swap_bytes(dest, dest, len); - break; - - case SSH_CIPHER_BLOWFISH_CBC: - BF_cbc_encrypt((void *)src, dest, len, - &context->u.bf.key, context->u.bf.iv, - BF_ENCRYPT); - break; - - case SSH_CIPHER_3DES_CBC: - des_ede3_cbc_encrypt(src, dest, len, - context->u.des3.key1, context->u.des3.key2, - context->u.des3.key3, &context->u.des3.iv3, DES_ENCRYPT); - break; - - case SSH_CIPHER_ARCFOUR: - RC4(&context->u.rc4, len, (unsigned char *)src, dest); - break; - - case SSH_CIPHER_CAST128_CBC: - CAST_cbc_encrypt(src, dest, len, - &context->u.cast.key, context->u.cast.iv, CAST_ENCRYPT); - break; - - default: - fatal("cipher_encrypt: unknown cipher: %s", cipher_name(context->type)); - } + if (len % cc->cipher->block_size) + fatal("cipher_decrypt: bad ciphertext length %d", len); + cc->cipher->decrypt(cc, dest, src, len); } -/* Decrypts data using the cipher. */ +/* + * Selects the cipher, and keys if by computing the MD5 checksum of the + * passphrase and using the resulting 16 bytes as the key. 
+ */ void -cipher_decrypt(CipherContext *context, unsigned char *dest, - const unsigned char *src, unsigned int len) +cipher_set_key_string(CipherContext *cc, Cipher *cipher, + const char *passphrase) { - if ((len & 7) != 0) - fatal("cipher_decrypt: bad ciphertext length %d", len); + MD5_CTX md; + unsigned char digest[16]; + + MD5_Init(&md); + MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase)); + MD5_Final(digest, &md); - switch (context->type) { - case SSH_CIPHER_NONE: - memcpy(dest, src, len); - break; - - case SSH_CIPHER_3DES: - SSH_3CBC_DECRYPT(context->u.des3.key1, - context->u.des3.key2, &context->u.des3.iv2, - context->u.des3.key3, &context->u.des3.iv3, - dest, (unsigned char *) src, len); - break; - - case SSH_CIPHER_BLOWFISH: - swap_bytes(src, dest, len); - BF_cbc_encrypt((void *) dest, dest, len, - &context->u.bf.key, context->u.bf.iv, - BF_DECRYPT); - swap_bytes(dest, dest, len); - break; - - case SSH_CIPHER_BLOWFISH_CBC: - BF_cbc_encrypt((void *) src, dest, len, - &context->u.bf.key, context->u.bf.iv, - BF_DECRYPT); - break; - - case SSH_CIPHER_3DES_CBC: - des_ede3_cbc_encrypt(src, dest, len, - context->u.des3.key1, context->u.des3.key2, - context->u.des3.key3, &context->u.des3.iv3, DES_DECRYPT); - break; - - case SSH_CIPHER_ARCFOUR: - RC4(&context->u.rc4, len, (unsigned char *)src, dest); - break; - - case SSH_CIPHER_CAST128_CBC: - CAST_cbc_encrypt(src, dest, len, - &context->u.cast.key, context->u.cast.iv, CAST_DECRYPT); - break; + cipher_init(cc, cipher, digest, 16, NULL, 0); - default: - fatal("cipher_decrypt: unknown cipher: %s", cipher_name(context->type)); - } + memset(digest, 0, sizeof(digest)); + memset(&md, 0, sizeof(md)); } diff -ru openssh-2.2.0p1/cipher.h openssh-2.3.0p1/cipher.h --- openssh-2.2.0p1/cipher.h 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/cipher.h 2000-10-14 16:23:12.000000000 +1100 
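Review bot: `cipher_set_key_string` wipes `digest` and `md` with plain `memset` as the last statements before they go out of scope; those stores have no later reader, so the optimizer is free to drop them and the MD5-derived key material stays on the stack. Route the wipe through something the compiler cannot elide — a store loop through a `volatile unsigned char *`, or the platform's explicit-zeroing function where the build already has one — and apply the same to any other secret-clearing `memset` this file keeps. Separately, `cipher_name` now returns `char *` where the removed version returned `const char *`, and its miss path hands back the literal `""`; writing through that pointer is undefined, so the return type should go back to `const char *` here, and `struct Cipher`'s `char *name` and the `cipher_name` prototype in the cipher.h hunk below should follow. Note also that every SSH2 entry in `ciphers[]` carries `SSH_CIPHER_SSH2`, so `cipher_name(cipher_number("aes128-cbc"))` yields the first SSH2 table entry rather than the original name; a comment on `cipher_name` saying the number/name round trip is meaningful only for SSH1 cipher numbers would spare the next caller that surprise.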
@@ -1,17 +1,38 @@ /* - * - * cipher.h - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved * - * Created: Wed Apr 19 16:50:42 1995 ylo + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". * + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ -/* RCSID("$OpenBSD: cipher.h,v 1.18 2000/06/20 01:39:40 markus Exp $"); */ +/* RCSID("$OpenBSD: cipher.h,v 1.22 2000/10/13 18:59:14 markus Exp $"); */ #ifndef CIPHER_H #define CIPHER_H @@ -20,9 +41,12 @@ #include #include #include - -/* Cipher types. New types can be added, but old types should not be removed - for compatibility. The maximum allowed value is 31. */ +#include "rijndael.h" +/* + * Cipher types for SSH-1. New types can be added, but old types should not + * be removed for compatibility. The maximum allowed value is 31. + */ +#define SSH_CIPHER_SSH2 -3 #define SSH_CIPHER_ILLEGAL -2 /* No valid cipher selected. */ #define SSH_CIPHER_NOT_SET -1 /* None selected (invalid number). */ #define SSH_CIPHER_NONE 0 /* no encryption */ @@ -33,17 +57,18 @@ #define SSH_CIPHER_BROKEN_RC4 5 /* Alleged RC4 */ #define SSH_CIPHER_BLOWFISH 6 #define SSH_CIPHER_RESERVED 7 +#define SSH_CIPHER_MAX 31 -/* these ciphers are used in SSH2: */ -#define SSH_CIPHER_BLOWFISH_CBC 8 -#define SSH_CIPHER_3DES_CBC 9 -#define SSH_CIPHER_ARCFOUR 10 /* Alleged RC4 */ -#define SSH_CIPHER_CAST128_CBC 11 +typedef struct Cipher Cipher; +typedef struct CipherContext CipherContext; -typedef struct { - unsigned int type; +struct CipherContext { union { struct { + des_key_schedule key; + des_cblock iv; + } des; + struct { des_key_schedule key1; des_key_schedule key2; des_cblock iv2; 
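Review bot: `SSH_CIPHER_SSH2` is defined as the bare token `-3`, so an expression such as `-SSH_CIPHER_SSH2` expands to `--3` and fails to compile; `#define SSH_CIPHER_SSH2 (-3)` avoids that. The pre-existing `SSH_CIPHER_ILLEGAL` and `SSH_CIPHER_NOT_SET` lines share the shape, so this is partly local convention, but the new value is a sentinel rather than an SSH-1 cipher number and the rewritten comment above it ("Cipher types for SSH-1 ... The maximum allowed value is 31") does not say so. A trailing comment on the new line, `/* not an SSH-1 number: marks table entries usable by SSH-2 only */`, would make the distinction explicit next to the value.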
@@ -52,64 +77,41 @@ } des3; struct { struct bf_key_st key; - unsigned char iv[8]; + u_char iv[8]; } bf; struct { CAST_KEY key; - unsigned char iv[8]; + u_char iv[8]; } cast; + struct { + u4byte iv[4]; + rijndael_ctx enc; + rijndael_ctx dec; + } rijndael; RC4_KEY rc4; } u; -} CipherContext; -/* - * Returns a bit mask indicating which ciphers are supported by this - * implementation. The bit mask has the corresponding bit set of each - * supported cipher. - */ -unsigned int cipher_mask(); -unsigned int cipher_mask1(); -unsigned int cipher_mask2(); - -/* Returns the name of the cipher. */ -const char *cipher_name(int cipher); - -/* - * Parses the name of the cipher. Returns the number of the corresponding - * cipher, or -1 on error. - */ -int cipher_number(const char *name); - -/* returns 1 if all ciphers are supported (ssh2 only) */ -int ciphers_valid(const char *names); - -/* - * Selects the cipher to use and sets the key. If for_encryption is true, - * the key is setup for encryption; otherwise it is setup for decryption. - */ -void -cipher_set_key(CipherContext * context, int cipher, - const unsigned char *key, int keylen); -void -cipher_set_key_iv(CipherContext * context, int cipher, - const unsigned char *key, int keylen, - const unsigned char *iv, int ivlen); - -/* - * Sets key for the cipher by computing the MD5 checksum of the passphrase, - * and using the resulting 16 bytes as the key. - */ -void -cipher_set_key_string(CipherContext * context, int cipher, - const char *passphrase); - -/* Encrypts data using the cipher. */ -void -cipher_encrypt(CipherContext * context, unsigned char *dest, - const unsigned char *src, unsigned int len); - -/* Decrypts data using the cipher. 
*/ -void -cipher_decrypt(CipherContext * context, unsigned char *dest, - const unsigned char *src, unsigned int len); + Cipher *cipher; +}; +struct Cipher { + char *name; + int number; /* for ssh1 only */ + u_int block_size; + u_int key_len; + void (*setkey)(CipherContext *, const u_char *, u_int); + void (*setiv)(CipherContext *, const u_char *, u_int); + void (*encrypt)(CipherContext *, u_char *, const u_char *, u_int); + void (*decrypt)(CipherContext *, u_char *, const u_char *, u_int); +}; + +unsigned int cipher_mask_ssh1(int client); +Cipher *cipher_by_name(const char *name); +Cipher *cipher_by_number(int id); +int cipher_number(const char *name); +char *cipher_name(int id); +int ciphers_valid(const char *names); +void cipher_init(CipherContext *, Cipher *, const u_char *, u_int, const u_char *, u_int); +void cipher_encrypt(CipherContext *context, u_char *dest, const u_char *src, u_int len); +void cipher_decrypt(CipherContext *context, u_char *dest, const u_char *src, u_int len); +void cipher_set_key_string(CipherContext *context, Cipher *cipher, const char *passphrase); #endif /* CIPHER_H */ Only in openssh-2.3.0p1: cli.c Only in openssh-2.3.0p1: cli.h diff -ru openssh-2.2.0p1/clientloop.c openssh-2.3.0p1/clientloop.c --- openssh-2.2.0p1/clientloop.c 2000-08-23 10:46:24.000000000 +1000 +++ openssh-2.3.0p1/clientloop.c 2000-10-28 14:19:58.000000000 +1100 
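Review bot: The function-pointer members of `struct Cipher` carry no documentation, and the removed prototypes above them did; nothing states that `setkey`/`setiv` are invoked only through `cipher_init` with lengths already checked against `key_len`/`block_size`, nor that `setiv` may be handed a NULL `iv` (the cipher.c hunks show the SSH1 `des`/`3des` and blowfish entries zeroing their IV in that case while the cast and rijndael entries treat it as fatal). A short comment block above the struct covering those two points — lengths pre-validated by `cipher_init`, NULL `iv` meaning "no IV supplied, cipher decides" — would make the table safe to extend. As a matter of style, `cipher_init` is the only prototype in the new list with unnamed parameters while its neighbours name theirs; naming them (`cc, cipher, key, keylen, iv, ivlen`, matching the definition) keeps the header self-explanatory.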
@@ -1,22 +1,65 @@ /* - * - * clientloop.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved + * The main loop for the interactive session (client side). * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". * - * Created: Sat Sep 23 12:23:57 1995 ylo * - * The main loop for the interactive session (client side). + * Copyright (c) 1999 Theo de Raadt. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * * * SSH2 support added by Markus Friedl. + * Copyright (c) 1999,2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.32 2000/08/19 22:21:19 markus Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.39 2000/10/27 07:48:22 markus Exp $"); #include "xmalloc.h" #include "ssh.h" @@ -32,6 +75,10 @@ #include "buffer.h" #include "bufaux.h" + +/* import options */ +extern Options options; + /* Flag indicating that stdin should be redirected from /dev/null. */ extern int stdin_null_flag; 
@@ -290,7 +337,7 @@ if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0) return; - debug("client_check_window_change: changed"); + debug2("client_check_window_change: changed"); if (compat20) { channel_request_start(session_ident, "window-change", 0); @@ -317,8 +364,6 @@ void client_wait_until_can_do_something(fd_set * readset, fd_set * writeset) { - /*debug("client_wait_until_can_do_something"); */ - /* Initialize select masks. */ FD_ZERO(readset); FD_ZERO(writeset); @@ -437,7 +482,6 @@ if (FD_ISSET(connection_in, readset)) { /* Read as much as possible. */ len = read(connection_in, buf, sizeof(buf)); -/*debug("read connection_in len %d", len); XXX */ if (len == 0) { /* Received EOF. The remote host has closed the connection. */ snprintf(buf, sizeof buf, "Connection to %.300s closed by remote host.\r\n", @@ -728,7 +772,7 @@ void client_process_buffered_input_packets() { - dispatch_run(DISPATCH_NONBLOCK, &quit_pending); + dispatch_run(DISPATCH_NONBLOCK, &quit_pending, NULL); } /* scan buf[] for '~' before sending data to the peer */ @@ -750,7 +794,6 @@ int client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) { - extern Options options; double start_time, total_time; int len; char buf[100]; @@ -809,7 +852,7 @@ client_process_buffered_input_packets(); if (compat20 && !channel_still_open()) { - debug("!channel_still_open."); + debug2("!channel_still_open."); break; } @@ -935,7 +978,7 @@ /*********/ void -client_input_stdout_data(int type, int plen) +client_input_stdout_data(int type, int plen, void *ctxt) { unsigned int data_len; char *data = packet_get_string(&data_len); @@ -946,7 +989,7 @@ xfree(data); } void -client_input_stderr_data(int type, int plen) +client_input_stderr_data(int type, int plen, void *ctxt) { unsigned int data_len; char *data = packet_get_string(&data_len); 
@@ -957,7 +1000,7 @@ xfree(data); } void -client_input_exit_status(int type, int plen) +client_input_exit_status(int type, int plen, void *ctxt) { packet_integrity_check(plen, 4, type); exit_status = packet_get_int(); @@ -975,7 +1018,7 @@ /* XXXX move to generic input handler */ void -client_input_channel_open(int type, int plen) +client_input_channel_open(int type, int plen, void *ctxt) { Channel *c = NULL; char *ctype; @@ -993,13 +1036,13 @@ debug("client_input_channel_open: ctype %s rchan %d win %d max %d", ctype, rchan, rwindow, rmaxpack); - if (strcmp(ctype, "x11") == 0) { + if (strcmp(ctype, "x11") == 0 && options.forward_x11) { int sock; char *originator; int originator_port; originator = packet_get_string(NULL); if (datafellows & SSH_BUG_X11FWD) { - debug("buggy server: x11 request w/o originator_port"); + debug2("buggy server: x11 request w/o originator_port"); originator_port = 0; } else { originator_port = packet_get_int(); @@ -1010,10 +1053,9 @@ /* XXX move to channels.c */ sock = x11_connect_display(); if (sock >= 0) { -/*XXX MAXPACK */ id = channel_new("x11", SSH_CHANNEL_X11_OPEN, - sock, sock, -1, 4*1024, 32*1024, 0, - xstrdup("x11")); + sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, + CHAN_X11_PACKET_DEFAULT, 0, xstrdup("x11"), 1); c = channel_lookup(id); } } 
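Review bot: The added `&& options.forward_x11` gate makes a server-initiated "x11" open that the user did not ask for fall through to the non-x11 path, which lies outside this hunk; it is worth confirming that path answers with an open failure rather than treating the type as silently unknown, and a comment at the condition would make the intent explicit: `/* honour x11 opens only when the user enabled X11 forwarding; anything else is refused below */`. The remaining fields of a refused x11 request (originator, and originator_port when the server is not flagged SSH_BUG_X11FWD) are not consumed on this path either, so whatever follows should discard the packet as a whole. client_input_channel_open begins and ends outside the hunk.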
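Review bot: The new last argument to `channel_new`, the bare `1`, has no name or comment, and nothing in the hunk says what that parameter means, while the other new arguments were given names (`CHAN_X11_WINDOW_DEFAULT`, `CHAN_X11_PACKET_DEFAULT`). A trailing `/* parameter name */` comment naming the channel_new parameter it fills, or a named constant, would keep the call readable; the parameter's meaning should be taken from channels.h rather than guessed here. The surrounding function continues outside the hunk.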
@@ -1066,11 +1108,14 @@ dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation); dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open); - dispatch_set(SSH_SMSG_AGENT_OPEN, &auth_input_open_request); dispatch_set(SSH_SMSG_EXITSTATUS, &client_input_exit_status); dispatch_set(SSH_SMSG_STDERR_DATA, &client_input_stderr_data); dispatch_set(SSH_SMSG_STDOUT_DATA, &client_input_stdout_data); - dispatch_set(SSH_SMSG_X11_OPEN, &x11_input_open); + + dispatch_set(SSH_SMSG_AGENT_OPEN, options.forward_agent ? + &auth_input_open_request : &deny_input_open); + dispatch_set(SSH_SMSG_X11_OPEN, options.forward_x11 ? + &x11_input_open : &deny_input_open); } void client_init_dispatch_15() @@ -1106,7 +1151,7 @@ c = channel_lookup(id); if (c == NULL) - fatal("session_input_channel_req: channel %d: bad channel", id); + fatal("client_input_channel_req: channel %d: bad channel", id); if (session_ident == -1) { error("client_input_channel_req: no channel %d", id); @@ -1130,7 +1175,7 @@ void client_set_session_ident(int id) { - debug("client_set_session_ident: id %d", id); + debug2("client_set_session_ident: id %d", id); session_ident = id; channel_register_callback(id, SSH2_MSG_CHANNEL_REQUEST, client_input_channel_req, (void *)0); diff -ru openssh-2.2.0p1/compat.c openssh-2.3.0p1/compat.c --- openssh-2.2.0p1/compat.c 2000-08-29 11:33:50.000000000 +1100 +++ openssh-2.3.0p1/compat.c 2000-11-05 16:42:36.000000000 +1100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999 Markus Friedl. All rights reserved. + * Copyright (c) 1999,2000 Markus Friedl. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
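Review bot: The `options.forward_agent` / `options.forward_x11` choice between the real handler and `deny_input_open` is made once, when these `dispatch_set` calls run, so the decision is fixed for the session and a later change to `options` has no effect; that is the right shape for a consent check but deserves a comment, since a reader may expect the option to be consulted per packet: `/* server-initiated agent/X11 opens are refused unless the user enabled the forwarding; decided once at init */`. Whether `deny_input_open` also consumes the remaining fields of the refused open cannot be seen here and should be confirmed against its definition. The enclosing dispatch-init function starts outside the hunk.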
@@ -9,11 +9,6 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Markus Friedl. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES @@ -28,12 +23,17 @@ */ #include "includes.h" -RCSID("$OpenBSD: compat.c,v 1.21 2000/08/27 18:18:04 markus Exp $"); +RCSID("$OpenBSD: compat.c,v 1.27 2000/10/31 09:31:58 markus Exp $"); #include "ssh.h" #include "packet.h" #include "xmalloc.h" #include "compat.h" +#ifdef HAVE_LIBPCRE +# include +#else /* Use native regex libraries */ +# include +#endif /* HAVE_LIBRX */ int compat13 = 0; int compat20 = 0; 
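Review bot: The closing `#endif /* HAVE_LIBRX */` does not match the condition it closes, `#ifdef HAVE_LIBPCRE`, so the trailing comment misleads anyone scanning the include block; it should read `#endif /* HAVE_LIBPCRE */`. config.h.in in this same diff only introduces HAVE_LIBPCRE, so nothing on the page defines a HAVE_LIBRX symbol.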
@@ -55,27 +55,46 @@ void compat_datafellows(const char *version) { - int i; - size_t len; - struct { - char *version; + int i, ret; + char ebuf[1024]; + regex_t reg; + static struct { + char *pat; int bugs; } check[] = { - {"2.1.0", SSH_BUG_SIGBLOB|SSH_BUG_HMAC}, - {"2.0.1", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|SSH_BUG_PUBKEYAUTH|SSH_BUG_X11FWD}, - {"2.", SSH_BUG_HMAC|SSH_COMPAT_SESSIONID_ENCODING}, - {NULL, 0} + { "^OpenSSH[-_]2\\.[012]", SSH_OLD_SESSIONID }, + { "MindTerm", 0 }, + { "^2\\.1\\.0 ", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| + SSH_OLD_SESSIONID }, + { "^2\\.0\\.", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| + SSH_OLD_SESSIONID| + SSH_BUG_PUBKEYAUTH|SSH_BUG_X11FWD }, + { "^2\\.[23]\\.0 ", SSH_BUG_HMAC}, + { "^2\\.[2-9]\\.", 0 }, + { "^2\\.4$", SSH_OLD_SESSIONID}, /* Van Dyke */ + { "^3\\.0 SecureCRT", SSH_OLD_SESSIONID}, + { "^1\\.7 SecureFX", SSH_OLD_SESSIONID}, + { "^2\\.", SSH_BUG_HMAC}, /* XXX fallback */ + { NULL, 0 } }; /* process table, return first match */ - for (i = 0; check[i].version; i++) { - len = strlen(check[i].version); - if (strlen(version) >= len && - (strncmp(version, check[i].version, len) == 0)) { - verbose("datafellows: %.200s", version); + for (i = 0; check[i].pat; i++) { + ret = regcomp(®, check[i].pat, REG_EXTENDED|REG_NOSUB); + if (ret != 0) { + regerror(ret, ®, ebuf, sizeof(ebuf)); + ebuf[sizeof(ebuf)-1] = '\0'; + error("regerror: %s", ebuf); + continue; + } + ret = regexec(®, version, 0, NULL, 0); + regfree(®); + if (ret == 0) { + debug("match: %s pat %s\n", version, check[i].pat); datafellows = check[i].bugs; return; } } + debug("no match: %s", version); } #define SEP "," diff -ru openssh-2.2.0p1/compat.h openssh-2.3.0p1/compat.h --- openssh-2.2.0p1/compat.h 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/compat.h 2000-10-16 12:14:42.000000000 +1100 
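Review bot: The old `verbose("datafellows: %.200s", version)` bounded the version string to 200 bytes before logging, but the replacements `debug("match: %s pat %s\n", version, check[i].pat)` and `debug("no match: %s", version)` log it unbounded; since the string is the peer's banner as far as the function name suggests, the width specifier should come back, `debug("match: %.200s pat %s", version, check[i].pat);` and `debug("no match: %.200s", version);`. The match line also carries a trailing `\n` that no other debug call in this hunk has, which will double-space the log. Compiling every pattern with `regcomp` on each call is wasteful now that `check[]` is static, but compat_datafellows is presumably invoked once per connection, so caching the compiled patterns is optional.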
@@ -9,11 +9,6 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Markus Friedl. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES @@ -26,7 +21,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* RCSID("$OpenBSD: compat.h,v 1.9 2000/06/20 01:39:40 markus Exp $"); */ +/* RCSID("$OpenBSD: compat.h,v 1.11 2000/10/14 12:16:56 markus Exp $"); */ #ifndef COMPAT_H #define COMPAT_H @@ -40,7 +35,7 @@ #define SSH_BUG_PUBKEYAUTH 0x02 #define SSH_BUG_HMAC 0x04 #define SSH_BUG_X11FWD 0x08 -#define SSH_COMPAT_SESSIONID_ENCODING 0x10 +#define SSH_OLD_SESSIONID 0x10 void enable_compat13(void); void enable_compat20(void); diff -ru openssh-2.2.0p1/compress.c openssh-2.3.0p1/compress.c --- openssh-2.2.0p1/compress.c 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/compress.c 2000-09-16 13:29:09.000000000 +1100 
@@ -1,20 +1,18 @@ /* - * - * compress.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Wed Oct 25 22:12:46 1995 ylo - * * Interface to packet compression for ssh. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ #include "includes.h" -RCSID("$OpenBSD: compress.c,v 1.8 2000/06/20 01:39:40 markus Exp $"); +RCSID("$OpenBSD: compress.c,v 1.9 2000/09/07 20:27:50 deraadt Exp $"); #include "ssh.h" #include "buffer.h" diff -ru openssh-2.2.0p1/compress.h openssh-2.3.0p1/compress.h --- openssh-2.2.0p1/compress.h 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/compress.h 2000-09-16 13:29:09.000000000 +1100 @@ -1,19 +1,17 @@ /* - * - * compress.h - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Wed Oct 25 22:12:46 1995 ylo - * * Interface to packet compression for ssh. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: compress.h,v 1.5 2000/06/20 01:39:40 markus Exp $"); */ +/* RCSID("$OpenBSD: compress.h,v 1.6 2000/09/07 20:27:50 deraadt Exp $"); */ #ifndef COMPRESS_H #define COMPRESS_H diff -ru openssh-2.2.0p1/config.h.in openssh-2.3.0p1/config.h.in --- openssh-2.2.0p1/config.h.in 2000-09-02 10:08:44.000000000 +1100 +++ openssh-2.3.0p1/config.h.in 2000-11-06 14:25:18.000000000 +1100 
@@ -6,9 +6,25 @@ /* Please make your changes there */ +/* Define if the `getpgrp' function takes no argument. */ +#undef GETPGRP_VOID + +/* Define if your struct stat has st_blksize. */ +#undef HAVE_ST_BLKSIZE + /* Define as __inline if that's what the C compiler calls it. */ #undef inline +/* Define to a Set Process Title type if your system is */ +/* supported by bsd-setproctitle.c */ +#undef SPT_TYPE + +/* SCO workaround */ +#undef BROKEN_SYS_TERMIO_H + +/* Define if you have SCO protected password database */ +#undef HAVE_SCO_PROTECTED_PW + /* If your header files don't define LOGIN_PROGRAM, then use this (detected) */ /* from environment and PATH */ #undef LOGIN_PROGRAM_FALLBACK @@ -46,9 +62,21 @@ /* Define if your snprintf is busted */ #undef BROKEN_SNPRINTF +/* Define if you are on Cygwin */ +#undef HAVE_CYGWIN + +/* Define if you lack native POSIX regex and you are using PCRE */ +#undef HAVE_LIBPCRE + +/* Define if you have a broken realpath. */ +#undef BROKEN_REALPATH + /* Define if you are on NeXT */ #undef HAVE_NEXT +/* Define if you are on NEWS-OS */ +#undef HAVE_NEWS4 + /* Define if you want to disable PAM support */ #undef DISABLE_PAM @@ -176,9 +204,6 @@ /* Define if you want to use shadow password expire field */ #undef HAS_SHADOW_EXPIRE -/* Define if you want have trusted HPUX */ -#undef HAVE_HPUX_TRUSTED_SYSTEM_PW - /* Define if you have Digital Unix Security Integration Architecture */ #undef HAVE_OSF_SIA @@ -194,6 +219,8 @@ #undef HAVE_INTXX_T #undef HAVE_U_INTXX_T #undef HAVE_UINTXX_T +#undef HAVE_INT64_T +#undef HAVE_U_INT64_T #undef HAVE_SOCKLEN_T #undef HAVE_SIZE_T #undef HAVE_SSIZE_T 
@@ -227,9 +254,15 @@ /* Use IPv4 for connection by default, IPv6 can still if explicity asked */ #undef IPV4_DEFAULT +/* If you have no atexit() but xatexit(), and want to use xatexit() */ +#undef HAVE_XATEXIT + /* getaddrinfo is broken (if present) */ #undef BROKEN_GETADDRINFO +/* vhangup is broken (if present) */ +#undef BROKEN_VHANGUP + /* Workaround more Linux IPv6 quirks */ #undef DONT_TRY_OTHER_AF @@ -281,15 +314,24 @@ /* Define if you have the entutxent function. */ #undef HAVE_ENTUTXENT +/* Define if you have the fchmod function. */ +#undef HAVE_FCHMOD + /* Define if you have the freeaddrinfo function. */ #undef HAVE_FREEADDRINFO +/* Define if you have the futimes function. */ +#undef HAVE_FUTIMES + /* Define if you have the gai_strerror function. */ #undef HAVE_GAI_STRERROR /* Define if you have the getaddrinfo function. */ #undef HAVE_GETADDRINFO +/* Define if you have the getcwd function. */ +#undef HAVE_GETCWD + /* Define if you have the getnameinfo function. */ #undef HAVE_GETNAMEINFO @@ -368,6 +410,9 @@ /* Define if you have the pututxline function. */ #undef HAVE_PUTUTXLINE +/* Define if you have the realpath function. */ +#undef HAVE_REALPATH + /* Define if you have the rresvport_af function. */ #undef HAVE_RRESVPORT_AF @@ -386,6 +431,12 @@ /* Define if you have the setreuid function. */ #undef HAVE_SETREUID +/* Define if you have the setrlimit function. */ +#undef HAVE_SETRLIMIT + +/* Define if you have the setsid function. */ +#undef HAVE_SETSID + /* Define if you have the setutent function. */ #undef HAVE_SETUTENT @@ -413,6 +464,9 @@ /* Define if you have the strsep function. */ #undef HAVE_STRSEP +/* Define if you have the strtok_r function. */ +#undef HAVE_STRTOK_R + /* Define if you have the time function. */ #undef HAVE_TIME 
@@ -428,9 +482,15 @@ /* Define if you have the vhangup function. */ #undef HAVE_VHANGUP +/* Define if you have the vis function. */ +#undef HAVE_VIS + /* Define if you have the vsnprintf function. */ #undef HAVE_VSNPRINTF +/* Define if you have the waitpid function. */ +#undef HAVE_WAITPID + /* Define if you have the header file. */ #undef HAVE_BSTRING_H @@ -440,6 +500,9 @@ /* Define if you have the header file. */ #undef HAVE_FLOATINGPOINT_H +/* Define if you have the header file. */ +#undef HAVE_GETOPT_H + /* Define if you have the header file. */ #undef HAVE_KRB_H @@ -515,6 +578,9 @@ /* Define if you have the header file. */ #undef HAVE_SYS_TTCOMPAT_H +/* Define if you have the header file. */ +#undef HAVE_SYS_UN_H + /* Define if you have the header file. */ #undef HAVE_TIME_H @@ -533,6 +599,9 @@ /* Define if you have the header file. */ #undef HAVE_UTMPX_H +/* Define if you have the header file. */ +#undef HAVE_VIS_H + /* Define if you have the dl library (-ldl). */ #undef HAVE_LIBDL diff -ru openssh-2.2.0p1/configure openssh-2.3.0p1/configure --- openssh-2.2.0p1/configure 2000-09-02 10:08:44.000000000 +1100 +++ openssh-2.3.0p1/configure 2000-11-06 14:25:18.000000000 +1100 @@ -52,6 +52,9 @@ ac_help="$ac_help --with-4in6 Check for and convert IPv4 in IPv6 mapped addresses" ac_help="$ac_help + --enable-suid-ssh Install ssh as suid root (default) + --disable-suid-ssh Install ssh without suid bit" +ac_help="$ac_help --with-pid-dir=PATH Specify location of ssh.pid file" ac_help="$ac_help --disable-lastlog disable use of lastlog even if detected [no]" @@ -588,7 +591,7 @@ # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:592: checking for $ac_word" >&5 +echo "configure:595: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -618,7 +621,7 @@ # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:622: checking for $ac_word" >&5 +echo "configure:625: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -669,7 +672,7 @@ # Extract the first word of "cl", so it can be a program name with args. set dummy cl; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:673: checking for $ac_word" >&5 +echo "configure:676: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -701,7 +704,7 @@ fi echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6 -echo "configure:705: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 +echo "configure:708: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 ac_ext=c # CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. @@ -712,12 +715,12 @@ cat > conftest.$ac_ext << EOF -#line 716 "configure" +#line 719 "configure" #include "confdefs.h" main(){return(0);} EOF -if { (eval echo configure:721: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:724: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then ac_cv_prog_cc_works=yes # If we can't run a trivial program, we are probably using a cross compiler. if (./conftest; exit) 2>/dev/null; then 
@@ -743,12 +746,12 @@ { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; } fi echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6 -echo "configure:747: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 +echo "configure:750: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6 cross_compiling=$ac_cv_prog_cc_cross echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6 -echo "configure:752: checking whether we are using GNU C" >&5 +echo "configure:755: checking whether we are using GNU C" >&5 if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -757,7 +760,7 @@ yes; #endif EOF -if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:761: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then +if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:764: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then ac_cv_prog_gcc=yes else ac_cv_prog_gcc=no @@ -776,7 +779,7 @@ ac_save_CFLAGS="$CFLAGS" CFLAGS= echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6 -echo "configure:780: checking whether ${CC-cc} accepts -g" >&5 +echo "configure:783: checking whether ${CC-cc} accepts -g" >&5 if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -833,7 +836,7 @@ fi echo $ac_n "checking host system type""... $ac_c" 1>&6 -echo "configure:837: checking host system type" >&5 +echo "configure:840: checking host system type" >&5 host_alias=$host case "$host_alias" in 
@@ -856,7 +859,7 @@ # Checks for programs. echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6 -echo "configure:860: checking how to run the C preprocessor" >&5 +echo "configure:863: checking how to run the C preprocessor" >&5 # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then CPP= @@ -871,13 +874,13 @@ # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:881: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:884: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : @@ -888,13 +891,13 @@ rm -rf conftest* CPP="${CC-cc} -E -traditional-cpp" cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:898: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:901: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : @@ -905,13 +908,13 @@ rm -rf conftest* CPP="${CC-cc} -nologo -E" cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:915: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:918: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : @@ -938,7 +941,7 @@ # Extract the first word of "ranlib", so it can be a program name with args. set dummy ranlib; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:942: checking for $ac_word" >&5 +echo "configure:945: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -977,7 +980,7 @@ # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" # ./install, which can be erroneously created by make from ./install.sh. echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6 -echo "configure:981: checking for a BSD compatible install" >&5 +echo "configure:984: checking for a BSD compatible install" >&5 if test -z "$INSTALL"; then if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -1032,7 +1035,7 @@ # Extract the first word of "ar", so it can be a program name with args. set dummy ar; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1036: checking for $ac_word" >&5 +echo "configure:1039: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_AR'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -1061,7 +1064,7 @@ # Extract the first word of "perl", so it can be a program name with args. set dummy perl; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1065: checking for $ac_word" >&5 +echo "configure:1068: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PERL'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -1097,7 +1100,7 @@ # Extract the first word of "ent", so it can be a program name with args. set dummy ent; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1101: checking for $ac_word" >&5 +echo "configure:1104: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_ENT'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -1130,6 +1133,47 @@ fi +for ac_prog in filepriv +do +# Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:1142: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_FILEPRIV'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + case "$FILEPRIV" in + /*) + ac_cv_path_FILEPRIV="$FILEPRIV" # Let the user override the test with a path. + ;; + ?:/*) + ac_cv_path_FILEPRIV="$FILEPRIV" # Let the user override the test with a dos path. + ;; + *) + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="/sbin:/usr/sbin" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_FILEPRIV="$ac_dir/$ac_word" + break + fi + done + IFS="$ac_save_ifs" + ;; +esac +fi +FILEPRIV="$ac_cv_path_FILEPRIV" +if test -n "$FILEPRIV"; then + echo "$ac_t""$FILEPRIV" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +test -n "$FILEPRIV" && break +done +test -n "$FILEPRIV" || FILEPRIV="true" + # Use LOGIN_PROGRAM from environment if possible if test ! -z "$LOGIN_PROGRAM" ; then @@ -1142,7 +1186,7 @@ # Extract the first word of "login", so it can be a program name with args. set dummy login; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1146: checking for $ac_word" >&5 +echo "configure:1190: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_LOGIN_PROGRAM_FALLBACK'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -1189,21 +1233,21 @@ # C Compiler features echo $ac_n "checking for inline""... $ac_c" 1>&6 -echo "configure:1193: checking for inline" >&5 +echo "configure:1237: checking for inline" >&5 if eval "test \"`echo '$''{'ac_cv_c_inline'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else ac_cv_c_inline=no for ac_kw in inline __inline__ __inline; do cat > conftest.$ac_ext <&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:1251: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_c_inline=$ac_kw; break else @@ -1232,6 +1276,8 @@ CFLAGS="$CFLAGS -Wall" fi +CFLAGS="$CFLAGS -I. -I${srcdir-.}" + # Check for some target-specific stuff case "$host" in *-*-aix*) @@ -1242,12 +1288,12 @@ blibpath="/usr/lib:/lib:/usr/local/lib" fi echo $ac_n "checking for authenticate""... $ac_c" 1>&6 -echo "configure:1246: checking for authenticate" >&5 +echo "configure:1292: checking for authenticate" >&5 if eval "test \"`echo '$''{'ac_cv_func_authenticate'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1320: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_authenticate=yes" else @@ -1305,6 +1351,36 @@ MANTYPE='$(CATMAN)' mansubdir=cat ;; +*-*-cygwin*) + LIBS="$LIBS -lregex /usr/lib/textmode.o" + cat >> confdefs.h <<\EOF +#define HAVE_CYGWIN 1 +EOF + + cat >> confdefs.h <<\EOF +#define DISABLE_PAM 1 +EOF + + cat >> confdefs.h <<\EOF +#define DISABLE_SHADOW 1 +EOF + + cat >> confdefs.h <<\EOF +#define IPV4_DEFAULT 1 +EOF + + cat >> confdefs.h <<\EOF +#define IP_TOS_IS_BROKEN 1 +EOF + + cat >> confdefs.h <<\EOF +#define BROKEN_VHANGUP 1 +EOF + + no_pam=1 + no_libsocket=1 + no_libnsl=1 + ;; *-*-hpux10*) if test -z "$GCC"; then CFLAGS="$CFLAGS -Ae" 
@@ -1315,23 +1391,19 @@ #define USE_PIPES 1 EOF - echo $ac_n "checking for HPUX trusted system password database""... $ac_c" 1>&6 -echo "configure:1320: checking for HPUX trusted system password database" >&5 - if test -f /tcb/files/auth/system/default; then - echo "$ac_t""yes" 1>&6 - cat >> confdefs.h <<\EOF -#define HAVE_HPUX_TRUSTED_SYSTEM_PW 1 + cat >> confdefs.h <<\EOF +#define DISABLE_SHADOW 1 EOF - LIBS="$LIBS -lsec" - echo "configure: warning: This configuration is untested" 1>&2 - else - echo "$ac_t""no" 1>&6 - cat >> confdefs.h <<\EOF -#define DISABLE_SHADOW 1 + cat >> confdefs.h <<\EOF +#define DISABLE_UTMP 1 EOF - fi + cat >> confdefs.h <<\EOF +#define SPT_TYPE SPT_PSTAT +EOF + + LIBS="$LIBS -lsec" MANTYPE='$(CATMAN)' mansubdir=cat ;; @@ -1342,29 +1414,26 @@ #define USE_PIPES 1 EOF - echo $ac_n "checking for HPUX trusted system password database""... $ac_c" 1>&6 -echo "configure:1347: checking for HPUX trusted system password database" >&5 - if test -f /tcb/files/auth/system/default; then - echo "$ac_t""yes" 1>&6 - cat >> confdefs.h <<\EOF -#define HAVE_HPUX_TRUSTED_SYSTEM_PW 1 + cat >> confdefs.h <<\EOF +#define DISABLE_SHADOW 1 EOF - LIBS="$LIBS -lsec" - echo "configure: warning: This configuration is untested" 1>&2 - else - echo "$ac_t""no" 1>&6 - cat >> confdefs.h <<\EOF -#define DISABLE_SHADOW 1 + cat >> confdefs.h <<\EOF +#define DISABLE_UTMP 1 EOF - fi + cat >> confdefs.h <<\EOF +#define SPT_TYPE SPT_PSTAT +EOF + + LIBS="$LIBS -lsec" MANTYPE='$(CATMAN)' mansubdir=cat ;; *-*-irix5*) CFLAGS="$CFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS" + PATH="$PATH:/usr/etc" MANTYPE='$(CATMAN)' no_libsocket=1 no_libnsl=1 @@ -1376,6 +1445,7 @@ *-*-irix6*) CFLAGS="$CFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS" + PATH="$PATH:/usr/etc" MANTYPE='$(CATMAN)' cat >> confdefs.h <<\EOF #define WITH_IRIX_ARRAY 1 
@@ -1408,6 +1478,58 @@ inet6_default_4in6=yes ;; +mips-sony-bsd|mips-sony-newsos4) + cat >> confdefs.h <<\EOF +#define HAVE_NEWS4 1 +EOF + + SONY=1 + echo $ac_n "checking for xatexit in -liberty""... $ac_c" 1>&6 +echo "configure:1489: checking for xatexit in -liberty" >&5 +ac_lib_var=`echo iberty'_'xatexit | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-liberty $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF +#define HAVE_XATEXIT 1 +EOF + +else + echo "$ac_t""no" 1>&6 +{ echo "configure: error: *** libiberty missing - please install first ***" 1>&2; exit 1; } + +fi + + ;; *-*-netbsd*) need_dash_r=1 ;; @@ -1420,6 +1542,14 @@ #define HAVE_NEXT 1 EOF + cat >> confdefs.h <<\EOF +#define BROKEN_REALPATH 1 +EOF + + cat >> confdefs.h <<\EOF +#define USE_PIPES 1 +EOF + CFLAGS="$CFLAGS -I/usr/local/include" ;; *-*-solaris*) @@ -1429,7 +1559,7 @@ # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/var/adm/lastlog" echo $ac_n "checking for obsolete utmp and wtmp in solaris2.x""... $ac_c" 1>&6 -echo "configure:1433: checking for obsolete utmp and wtmp in solaris2.x" >&5 +echo "configure:1563: checking for obsolete utmp and wtmp in solaris2.x" >&5 sol2ver=`echo "$host"| sed -e 's/.*[0-9]\.//'` if test "$sol2ver" -ge 8; then echo "$ac_t""yes" 1>&6 
@@ -1450,12 +1580,12 @@ for ac_func in getpwanam do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:1454: checking for $ac_func" >&5 +echo "configure:1584: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1612: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -1523,6 +1653,22 @@ mansubdir=cat LIBS="$LIBS -lgen -lnsl -lucb" ;; +*-*-sysv4.2*) + CFLAGS="$CFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib" + MANTYPE='$(CATMAN)' + mansubdir=cat + LIBS="$LIBS -lgen -lsocket -lnsl -lresolv" + enable_suid_ssh=no + ;; +*-*-sysv5*) + CFLAGS="$CFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib" + MANTYPE='$(CATMAN)' + mansubdir=cat + LIBS="$LIBS -lgen -lsocket" + enable_suid_ssh=no + ;; *-*-sysv*) CFLAGS="$CFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" 
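Review bot: Both new `*-*-sysv4.2*` and `*-*-sysv5*` branches assign `enable_suid_ssh=no` unconditionally, and since an autoconf 2.13 configure stores a command-line `--enable-suid-ssh` in that same variable before the host case runs, a user's explicit request is silently discarded here. If setuid ssh genuinely cannot work on these hosts, say so at the point of the assignment: `echo "configure: warning: setuid ssh is not supported on $host, ignoring --enable-suid-ssh" 1>&2`; if it is only a safer default, `test -z "$enable_suid_ssh" && enable_suid_ssh=no` keeps the default without overriding an explicit choice. The check that later consumes `enable_suid_ssh` is outside this hunk, so I am assuming it reads the variable rather than a separately captured `enableval`.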
@@ -1530,23 +1676,46 @@ mansubdir=cat LIBS="$LIBS -lgen -lsocket" ;; -*-*-sco3*) +*-*-sco3.2v4*) cat >> confdefs.h <<\EOF #define USE_PIPES 1 EOF + CFLAGS="$CFLAGS -Dftruncate=chsize -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib" + MANTYPE='$(CATMAN)' + mansubdir=cat + LIBS="$LIBS -lgen -lsocket -los -lprot -lx" + no_dev_ptmx=1 + RANLIB=true + cat >> confdefs.h <<\EOF +#define BROKEN_SYS_TERMIO_H 1 +EOF + + rsh_path="/usr/bin/rcmd" + cat >> confdefs.h <<\EOF +#define HAVE_SCO_PROTECTED_PW 1 +EOF + + ;; +*-*-sco3.2v5*) CFLAGS="$CFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" MANTYPE='$(CATMAN)' mansubdir=cat - LIBS="$LIBS -lgen -lsocket" + LIBS="$LIBS -lgen -lsocket -lprot -lx" no_dev_ptmx=1 + rsh_path="/usr/bin/rcmd" + cat >> confdefs.h <<\EOF +#define HAVE_SCO_PROTECTED_PW 1 +EOF + ;; *-dec-osf*) # This is untested if test ! -z "USE_SIA" ; then echo $ac_n "checking for Digital Unix Security Integration Architecture""... $ac_c" 1>&6 -echo "configure:1550: checking for Digital Unix Security Integration Architecture" >&5 +echo "configure:1719: checking for Digital Unix Security Integration Architecture" >&5 if test -f /etc/sia/matrix.conf; then echo "$ac_t""yes" 1>&6 cat >> confdefs.h <<\EOF @@ -1603,7 +1772,7 @@ # Checks for libraries. echo $ac_n "checking for deflate in -lz""... $ac_c" 1>&6 -echo "configure:1607: checking for deflate in -lz" >&5 +echo "configure:1776: checking for deflate in -lz" >&5 ac_lib_var=`echo z'_'deflate | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -1611,7 +1780,7 @@ ac_save_LIBS="$LIBS" LIBS="-lz $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1795: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
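Review bot: Both SCO branches define `HAVE_SCO_PROTECTED_PW` and put `-lprot` into LIBS without any link test, unlike the `-lz` and `-lutil` probes further down this page, so a host whose protected-password library is missing or named differently is only diagnosed when sshd fails to link. A cached library check in the same style as the `-lutil` one, guarding both the define and the `-lprot` addition, would keep configure's contract of reporting missing libraries up front. `rsh_path="/usr/bin/rcmd"` is likewise hardcoded rather than probed; `test -x /usr/bin/rcmd && rsh_path=/usr/bin/rcmd` would let whatever later rsh detection exists (outside this hunk) take over when the binary is absent. `RANLIB=true` in the 3.2v4 branch overrides whatever the earlier ranlib probe found and should carry a comment saying why, e.g. `# no usable ranlib on SCO 3.2v4 — presumably; confirm`.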
@@ -1651,7 +1820,7 @@ fi echo $ac_n "checking for login in -lutil""... $ac_c" 1>&6 -echo "configure:1655: checking for login in -lutil" >&5 +echo "configure:1824: checking for login in -lutil" >&5 ac_lib_var=`echo util'_'login | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -1659,7 +1828,7 @@ ac_save_LIBS="$LIBS" LIBS="-lutil $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1843: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -1694,9 +1863,104 @@ fi +echo $ac_n "checking for regcomp""... $ac_c" 1>&6 +echo "configure:1868: checking for regcomp" >&5 +if eval "test \"`echo '$''{'ac_cv_func_regcomp'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char regcomp(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_regcomp) || defined (__stub___regcomp) +choke me +#else +regcomp(); +#endif + +; return 0; } +EOF +if { (eval echo configure:1896: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_regcomp=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_regcomp=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'regcomp`\" = yes"; then + echo "$ac_t""yes" 1>&6 + : +else + echo "$ac_t""no" 1>&6 + + echo $ac_n "checking for pcre_info in -lpcre""... 
$ac_c" 1>&6 +echo "configure:1915: checking for pcre_info in -lpcre" >&5 +ac_lib_var=`echo pcre'_'pcre_info | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lpcre $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF +#define HAVE_LIBPCRE 1 +EOF + LIBS="$LIBS -lpcreposix -lpcre" +else + echo "$ac_t""no" 1>&6 +fi + + + +fi + + if test -z "$no_libsocket" ; then echo $ac_n "checking for yp_match in -lnsl""... $ac_c" 1>&6 -echo "configure:1700: checking for yp_match in -lnsl" >&5 +echo "configure:1964: checking for yp_match in -lnsl" >&5 ac_lib_var=`echo nsl'_'yp_match | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -1704,7 +1968,7 @@ ac_save_LIBS="$LIBS" LIBS="-lnsl $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1983: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -1745,7 +2009,7 @@ fi if test -z "$no_libnsl" ; then echo $ac_n "checking for main in -lsocket""... $ac_c" 1>&6 -echo "configure:1749: checking for main in -lsocket" >&5 +echo "configure:2013: checking for main in -lsocket" >&5 ac_lib_var=`echo socket'_'main | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 
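Review bot: When `regcomp` is missing and `-lpcre` is not found either, the new block just prints `no` and lets configure continue with neither `HAVE_LIBPCRE` defined nor any regex library in LIBS, so the failure moves to link or run time; unless something in the tree supplies a fallback `regcomp`, the inner `else` should be `{ echo "configure: error: *** no regcomp() and no libpcre found ***" 1>&2; exit 1; }`. The probe also tests `pcre_info` in `-lpcre` but then links `-lpcreposix -lpcre`; `-lpcreposix` is the library that actually provides the POSIX `regcomp` entry point being substituted, and it is never checked, so the test passes on a system that has libpcre but not libpcreposix. Probing `regcomp` in `-lpcreposix` (with `-lpcre` added to the saved LIBS for the test) would exercise what is really used.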
@@ -1753,14 +2017,14 @@ ac_save_LIBS="$LIBS" LIBS="-lsocket $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2028: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -1790,21 +2054,21 @@ fi # Checks for header files. -for ac_hdr in bstring.h endian.h floatingpoint.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h time.h ttyent.h usersec.h util.h utmp.h utmpx.h +for ac_hdr in bstring.h endian.h floatingpoint.h getopt.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utmp.h utmpx.h vis.h do ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 -echo "configure:1798: checking for $ac_hdr" >&5 +echo "configure:2062: checking for $ac_hdr" >&5 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:1808: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:2072: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then rm -rf conftest* 
@@ -1831,15 +2095,15 @@ done -for ac_func in arc4random atexit b64_ntop bcopy bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage getttyent inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty rresvport_af setenv seteuid setlogin setproctitle setreuid sigaction sigvec snprintf strerror strlcat strlcpy strsep vsnprintf vhangup _getpty __b64_ntop +for ac_func in arc4random atexit b64_ntop bcopy bindresvport_af clock fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getnameinfo getrusage getttyent inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strsep strtok_r vsnprintf vhangup vis waitpid _getpty __b64_ntop do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:1838: checking for $ac_func" >&5 +echo "configure:2102: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2130: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -1889,12 +2153,12 @@ for ac_func in gettimeofday time do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:1893: checking for $ac_func" >&5 +echo "configure:2157: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2185: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else 
@@ -1944,12 +2208,12 @@ for ac_func in login logout updwtmp logwtmp do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:1948: checking for $ac_func" >&5 +echo "configure:2212: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2240: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -1999,12 +2263,12 @@ for ac_func in entutent getutent getutid getutline pututline setutent do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2003: checking for $ac_func" >&5 +echo "configure:2267: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2295: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -2054,12 +2318,12 @@ for ac_func in utmpname do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2058: checking for $ac_func" >&5 +echo "configure:2322: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2350: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else 
@@ -2109,12 +2373,12 @@ for ac_func in entutxent getutxent getutxid getutxline pututxline do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2113: checking for $ac_func" >&5 +echo "configure:2377: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2405: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -2164,12 +2428,12 @@ for ac_func in setutxent utmpxname do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2168: checking for $ac_func" >&5 +echo "configure:2432: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2460: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -2218,12 +2482,12 @@ echo $ac_n "checking for getuserattr""... $ac_c" 1>&6 -echo "configure:2222: checking for getuserattr" >&5 +echo "configure:2486: checking for getuserattr" >&5 if eval "test \"`echo '$''{'ac_cv_func_getuserattr'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2514: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_getuserattr=yes" else 
@@ -2267,7 +2531,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for getuserattr in -ls""... $ac_c" 1>&6 -echo "configure:2271: checking for getuserattr in -ls" >&5 +echo "configure:2535: checking for getuserattr in -ls" >&5 ac_lib_var=`echo s'_'getuserattr | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2275,7 +2539,7 @@ ac_save_LIBS="$LIBS" LIBS="-ls $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2554: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2314,12 +2578,12 @@ echo $ac_n "checking for login""... $ac_c" 1>&6 -echo "configure:2318: checking for login" >&5 +echo "configure:2582: checking for login" >&5 if eval "test \"`echo '$''{'ac_cv_func_login'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2610: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_login=yes" else @@ -2363,7 +2627,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for login in -lbsd""... $ac_c" 1>&6 -echo "configure:2367: checking for login in -lbsd" >&5 +echo "configure:2631: checking for login in -lbsd" >&5 ac_lib_var=`echo bsd'_'login | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2371,7 +2635,7 @@ ac_save_LIBS="$LIBS" LIBS="-lbsd $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2650: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -2410,12 +2674,12 @@ echo $ac_n "checking for daemon""... $ac_c" 1>&6 -echo "configure:2414: checking for daemon" >&5 +echo "configure:2678: checking for daemon" >&5 if eval "test \"`echo '$''{'ac_cv_func_daemon'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2706: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_daemon=yes" else @@ -2459,7 +2723,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for daemon in -lbsd""... $ac_c" 1>&6 -echo "configure:2463: checking for daemon in -lbsd" >&5 +echo "configure:2727: checking for daemon in -lbsd" >&5 ac_lib_var=`echo bsd'_'daemon | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2467,7 +2731,7 @@ ac_save_LIBS="$LIBS" LIBS="-lbsd $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2746: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2506,12 +2770,12 @@ echo $ac_n "checking for getpagesize""... $ac_c" 1>&6 -echo "configure:2510: checking for getpagesize" >&5 +echo "configure:2774: checking for getpagesize" >&5 if eval "test \"`echo '$''{'ac_cv_func_getpagesize'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2802: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_getpagesize=yes" else 
@@ -2555,7 +2819,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for getpagesize in -lucb""... $ac_c" 1>&6 -echo "configure:2559: checking for getpagesize in -lucb" >&5 +echo "configure:2823: checking for getpagesize in -lucb" >&5 ac_lib_var=`echo ucb'_'getpagesize | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2563,7 +2827,7 @@ ac_save_LIBS="$LIBS" LIBS="-lucb $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2842: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2604,19 +2868,19 @@ # Check for broken snprintf if test "x$ac_cv_func_snprintf" = "xyes" ; then echo $ac_n "checking whether snprintf correctly terminates long strings""... $ac_c" 1>&6 -echo "configure:2608: checking whether snprintf correctly terminates long strings" >&5 +echo "configure:2872: checking whether snprintf correctly terminates long strings" >&5 if test "$cross_compiling" = yes; then { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < int main(void){char b[5];snprintf(b,5,"123456789");return(b[4]!='\0');} EOF -if { (eval echo configure:2620: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:2884: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then echo "$ac_t""yes" 1>&6 else 
@@ -2638,6 +2902,94 @@ fi +echo $ac_n "checking whether getpgrp takes no argument""... $ac_c" 1>&6 +echo "configure:2907: checking whether getpgrp takes no argument" >&5 +if eval "test \"`echo '$''{'ac_cv_func_getpgrp_void'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test "$cross_compiling" = yes; then + { echo "configure: error: cannot check getpgrp if cross compiling" 1>&2; exit 1; } +else + cat > conftest.$ac_ext < +#include + +int pid; +int pg1, pg2, pg3, pg4; +int ng, np, s, child; + +main() +{ + pid = getpid(); + pg1 = getpgrp(0); + pg2 = getpgrp(); + pg3 = getpgrp(pid); + pg4 = getpgrp(1); + + /* + * If all of these values are the same, it's pretty sure that + * we're on a system that ignores getpgrp's first argument. + */ + if (pg2 == pg4 && pg1 == pg3 && pg2 == pg3) + exit(0); + + child = fork(); + if (child < 0) + exit(1); + else if (child == 0) { + np = getpid(); + /* + * If this is Sys V, this will not work; pgrp will be + * set to np because setpgrp just changes a pgrp to be + * the same as the pid. + */ + setpgrp(np, pg1); + ng = getpgrp(0); /* Same result for Sys V and BSD */ + if (ng == pg1) { + exit(1); + } else { + exit(0); + } + } else { + wait(&s); + exit(s>>8); + } +} + +EOF +if { (eval echo configure:2970: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +then + ac_cv_func_getpgrp_void=yes +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -fr conftest* + ac_cv_func_getpgrp_void=no +fi +rm -fr conftest* +fi + + +fi + +echo "$ac_t""$ac_cv_func_getpgrp_void" 1>&6 +if test $ac_cv_func_getpgrp_void = yes; then + cat >> confdefs.h <<\EOF +#define GETPGRP_VOID 1 +EOF + +fi + + PAM_MSG="no" # Check whether --with-pam or --without-pam was given. if test "${with_pam+set}" = set; then 
@@ -2657,7 +3009,7 @@ if (test -z "$no_pam" && test "x$ac_cv_header_security_pam_appl_h" = "xyes") ; then echo $ac_n "checking for dlopen in -ldl""... $ac_c" 1>&6 -echo "configure:2661: checking for dlopen in -ldl" >&5 +echo "configure:3013: checking for dlopen in -ldl" >&5 ac_lib_var=`echo dl'_'dlopen | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2665,7 +3017,7 @@ ac_save_LIBS="$LIBS" LIBS="-ldl $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3032: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2708,12 +3060,12 @@ for ac_func in pam_getenvlist do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2712: checking for $ac_func" >&5 +echo "configure:3064: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3092: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -2767,9 +3119,9 @@ # Check PAM strerror arguments (old PAM) echo $ac_n "checking whether pam_strerror takes only one argument""... $ac_c" 1>&6 -echo "configure:2771: checking whether pam_strerror takes only one argument" >&5 +echo "configure:3123: checking whether pam_strerror takes only one argument" >&5 cat > conftest.$ac_ext < @@ -2779,7 +3131,7 @@ (void)pam_strerror((pam_handle_t *)NULL, -1); ; return 0; } EOF -if { (eval echo configure:2783: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3135: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""no" 1>&6 else 
@@ -2804,7 +3156,7 @@ if test "${with_ssl_dir+set}" = set; then withval="$with_ssl_dir" - if test "x$withval" != "$xno" ; then + if test "x$withval" != "xno" ; then tryssldir=$withval fi @@ -2819,13 +3171,13 @@ tryssldir="$tryssldir $prefix" fi echo $ac_n "checking for OpenSSL directory""... $ac_c" 1>&6 -echo "configure:2823: checking for OpenSSL directory" >&5 +echo "configure:3175: checking for OpenSSL directory" >&5 if eval "test \"`echo '$''{'ac_cv_openssldir'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else - for ssldir in "" $tryssldir /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do + for ssldir in $tryssldir "" /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do if test ! -z "$ssldir" ; then LDFLAGS="$saved_LDFLAGS -L$ssldir/lib -L$ssldir" CFLAGS="$saved_CFLAGS -I$ssldir/include" @@ -2844,7 +3196,7 @@ { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < @@ -2858,7 +3210,7 @@ } EOF -if { (eval echo configure:2862: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:3214: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then found_crypto=1 @@ -2913,7 +3265,7 @@ # Now test RSA support saved_LIBS="$LIBS" echo $ac_n "checking for RSA support""... $ac_c" 1>&6 -echo "configure:2917: checking for RSA support" >&5 +echo "configure:3269: checking for RSA support" >&5 for WANTS_RSAREF in "" 1 ; do if test -z "$WANTS_RSAREF" ; then LIBS="$saved_LIBS" @@ -2924,7 +3276,7 @@ { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < 
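Review bot: Moving `$tryssldir` ahead of `""` in the candidate list makes an explicit `--with-ssl-dir` win over a system OpenSSL, but if the loop still falls through after a candidate that does not link, as the surrounding `for ssldir in ...` structure suggests, a mistyped or stale `--with-ssl-dir` silently ends up building against whichever system copy comes next in the list, which is exactly the situation the option exists to prevent. After the loop, when `with_ssl_dir` was given and the directory chosen is not the one requested, configure should at least warn, and arguably stop: `echo "configure: warning: OpenSSL not found under $with_ssl_dir, using $ac_cv_openssldir instead" 1>&2`. I am assuming `ac_cv_openssldir` ends up holding the chosen directory; that assignment is outside the hunk.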
@@ -2943,7 +3295,7 @@ } EOF -if { (eval echo configure:2947: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:3299: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then rsa_works=1 @@ -2977,9 +3329,14 @@ fi fi +# Cheap hack to ensure NEWS-OS libraries are arranged right. +if test ! -z "$SONY" ; then + LIBS="$LIBS -liberty"; +fi + # Checks for data types echo $ac_n "checking size of char""... $ac_c" 1>&6 -echo "configure:2983: checking size of char" >&5 +echo "configure:3340: checking size of char" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_char'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -2987,7 +3344,7 @@ ac_cv_sizeof_char=1 else cat > conftest.$ac_ext < main() @@ -2998,7 +3355,7 @@ exit(0); } EOF -if { (eval echo configure:3002: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:3359: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_char=`cat conftestval` else @@ -3018,7 +3375,7 @@ echo $ac_n "checking size of short int""... $ac_c" 1>&6 -echo "configure:3022: checking size of short int" >&5 +echo "configure:3379: checking size of short int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_short_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -3026,7 +3383,7 @@ ac_cv_sizeof_short_int=2 else cat > conftest.$ac_ext < main() @@ -3037,7 +3394,7 @@ exit(0); } EOF -if { (eval echo configure:3041: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:3398: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_short_int=`cat conftestval` else 
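Review bot: The comment on the new `-liberty` line says "cheap hack" but not what constraint it works around; `HAVE_XATEXIT` was probed with `-liberty` in the NEWS-OS host branch earlier on this page, yet the library is only appended here, after the OpenSSL link tests, so the reader has to guess that link order is the point. A comment such as `# NEWS-OS: -liberty must follow the OpenSSL libraries added above, so it is appended here rather than in the host case` would record that, assuming link order is indeed the reason. The stray `;` at the end of `LIBS="$LIBS -liberty";` can go.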
@@ -3057,7 +3414,7 @@ echo $ac_n "checking size of int""... $ac_c" 1>&6 -echo "configure:3061: checking size of int" >&5 +echo "configure:3418: checking size of int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -3065,7 +3422,7 @@ ac_cv_sizeof_int=4 else cat > conftest.$ac_ext < main() @@ -3076,7 +3433,7 @@ exit(0); } EOF -if { (eval echo configure:3080: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:3437: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_int=`cat conftestval` else @@ -3096,7 +3453,7 @@ echo $ac_n "checking size of long int""... $ac_c" 1>&6 -echo "configure:3100: checking size of long int" >&5 +echo "configure:3457: checking size of long int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_long_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -3104,7 +3461,7 @@ ac_cv_sizeof_long_int=4 else cat > conftest.$ac_ext < main() @@ -3115,7 +3472,7 @@ exit(0); } EOF -if { (eval echo configure:3119: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:3476: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_long_int=`cat conftestval` else @@ -3135,7 +3492,7 @@ echo $ac_n "checking size of long long int""... $ac_c" 1>&6 -echo "configure:3139: checking size of long long int" >&5 +echo "configure:3496: checking size of long long int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_long_long_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -3143,7 +3500,7 @@ ac_cv_sizeof_long_long_int=8 else cat > conftest.$ac_ext < main() 
@@ -3154,7 +3511,7 @@ exit(0); } EOF -if { (eval echo configure:3158: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:3515: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_long_long_int=`cat conftestval` else @@ -3176,20 +3533,20 @@ # More checks for data types echo $ac_n "checking for u_int type""... $ac_c" 1>&6 -echo "configure:3180: checking for u_int type" >&5 +echo "configure:3537: checking for u_int type" >&5 if eval "test \"`echo '$''{'ac_cv_have_u_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { u_int a; a = 1; ; return 0; } EOF -if { (eval echo configure:3193: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3550: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_u_int="yes" else @@ -3213,20 +3570,20 @@ fi echo $ac_n "checking for intXX_t types""... $ac_c" 1>&6 -echo "configure:3217: checking for intXX_t types" >&5 +echo "configure:3574: checking for intXX_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_intxx_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { int8_t a; int16_t b; int32_t c; a = b = c = 1; ; return 0; } EOF -if { (eval echo configure:3230: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3587: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_intxx_t="yes" else 
@@ -3249,21 +3606,58 @@ have_intxx_t=1 fi +echo $ac_n "checking for int64_t type""... $ac_c" 1>&6 +echo "configure:3611: checking for int64_t type" >&5 +if eval "test \"`echo '$''{'ac_cv_have_int64_t'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + + cat > conftest.$ac_ext < +int main() { + int64_t a; a = 1; +; return 0; } +EOF +if { (eval echo configure:3624: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_have_int64_t="yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + ac_cv_have_int64_t="no" + +fi +rm -f conftest* + +fi + +echo "$ac_t""$ac_cv_have_int64_t" 1>&6 +if test "x$ac_cv_have_int64_t" = "xyes" ; then + cat >> confdefs.h <<\EOF +#define HAVE_INT64_T 1 +EOF + + have_int64_t=1 +fi + echo $ac_n "checking for u_intXX_t types""... $ac_c" 1>&6 -echo "configure:3254: checking for u_intXX_t types" >&5 +echo "configure:3648: checking for u_intXX_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_u_intxx_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1; ; return 0; } EOF -if { (eval echo configure:3267: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3661: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_u_intxx_t="yes" else 
@@ -3286,13 +3680,50 @@ have_u_intxx_t=1 fi +echo $ac_n "checking for u_int64_t types""... $ac_c" 1>&6 +echo "configure:3685: checking for u_int64_t types" >&5 +if eval "test \"`echo '$''{'ac_cv_have_u_int64_t'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + + cat > conftest.$ac_ext < +int main() { + u_int64_t a; a = 1; +; return 0; } +EOF +if { (eval echo configure:3698: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_have_u_int64_t="yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + ac_cv_have_u_int64_t="no" + +fi +rm -f conftest* + +fi + +echo "$ac_t""$ac_cv_have_u_int64_t" 1>&6 +if test "x$ac_cv_have_u_int64_t" = "xyes" ; then + cat >> confdefs.h <<\EOF +#define HAVE_U_INT64_T 1 +EOF + + have_u_int64_t=1 +fi + if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \ test "x$ac_cv_header_sys_bitypes_h" = "xyes") then echo $ac_n "checking for intXX_t and u_intXX_t types in sys/bitypes.h""... $ac_c" 1>&6 -echo "configure:3294: checking for intXX_t and u_intXX_t types in sys/bitypes.h" >&5 +echo "configure:3725: checking for intXX_t and u_intXX_t types in sys/bitypes.h" >&5 cat > conftest.$ac_ext < @@ -3305,7 +3736,7 @@ ; return 0; } EOF -if { (eval echo configure:3309: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3740: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* cat >> confdefs.h <<\EOF @@ -3330,13 +3761,13 @@ if test -z "$have_u_intxx_t" ; then echo $ac_n "checking for uintXX_t types""... $ac_c" 1>&6 -echo "configure:3334: checking for uintXX_t types" >&5 +echo "configure:3765: checking for uintXX_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_uintxx_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < 
@@ -3345,7 +3776,7 @@ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1; ; return 0; } EOF -if { (eval echo configure:3349: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3780: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_uintxx_t="yes" else @@ -3369,13 +3800,13 @@ fi echo $ac_n "checking for socklen_t""... $ac_c" 1>&6 -echo "configure:3373: checking for socklen_t" >&5 +echo "configure:3804: checking for socklen_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_socklen_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3385,7 +3816,7 @@ socklen_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3389: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3820: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_socklen_t="yes" else @@ -3408,13 +3839,13 @@ fi echo $ac_n "checking for size_t""... $ac_c" 1>&6 -echo "configure:3412: checking for size_t" >&5 +echo "configure:3843: checking for size_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_size_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3423,7 +3854,7 @@ size_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3427: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3858: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_size_t="yes" else @@ -3446,13 +3877,13 @@ fi echo $ac_n "checking for ssize_t""... $ac_c" 1>&6 -echo "configure:3450: checking for ssize_t" >&5 +echo "configure:3881: checking for ssize_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_ssize_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < 
@@ -3461,7 +3892,7 @@ ssize_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3465: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3896: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_ssize_t="yes" else @@ -3484,13 +3915,13 @@ fi echo $ac_n "checking for sa_family_t""... $ac_c" 1>&6 -echo "configure:3488: checking for sa_family_t" >&5 +echo "configure:3919: checking for sa_family_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_sa_family_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3500,7 +3931,26 @@ sa_family_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3504: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3935: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_have_sa_family_t="yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + cat > conftest.$ac_ext < +#include +#include + +int main() { + sa_family_t foo; foo = 1235; +; return 0; } +EOF +if { (eval echo configure:3954: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_sa_family_t="yes" else @@ -3511,6 +3961,9 @@ fi rm -f conftest* + +fi +rm -f conftest* fi @@ -3523,13 +3976,13 @@ fi echo $ac_n "checking for pid_t""... $ac_c" 1>&6 -echo "configure:3527: checking for pid_t" >&5 +echo "configure:3980: checking for pid_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_pid_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3538,7 +3991,7 @@ pid_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3542: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3995: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_pid_t="yes" else 
@@ -3561,13 +4014,13 @@ fi echo $ac_n "checking for mode_t""... $ac_c" 1>&6 -echo "configure:3565: checking for mode_t" >&5 +echo "configure:4018: checking for mode_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_mode_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3576,7 +4029,7 @@ mode_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3580: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4033: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_mode_t="yes" else @@ -3600,13 +4053,13 @@ echo $ac_n "checking for struct sockaddr_storage""... $ac_c" 1>&6 -echo "configure:3604: checking for struct sockaddr_storage" >&5 +echo "configure:4057: checking for struct sockaddr_storage" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_sockaddr_storage'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3616,7 +4069,7 @@ struct sockaddr_storage s; ; return 0; } EOF -if { (eval echo configure:3620: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4073: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_sockaddr_storage="yes" else @@ -3639,13 +4092,13 @@ fi echo $ac_n "checking for struct sockaddr_in6""... $ac_c" 1>&6 -echo "configure:3643: checking for struct sockaddr_in6" >&5 +echo "configure:4096: checking for struct sockaddr_in6" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_sockaddr_in6'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3655,7 +4108,7 @@ struct sockaddr_in6 s; s.sin6_family = 0; ; return 0; } EOF -if { (eval echo configure:3659: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4112: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_sockaddr_in6="yes" else 
@@ -3678,13 +4131,13 @@ fi echo $ac_n "checking for struct in6_addr""... $ac_c" 1>&6 -echo "configure:3682: checking for struct in6_addr" >&5 +echo "configure:4135: checking for struct in6_addr" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_in6_addr'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3694,7 +4147,7 @@ struct in6_addr s; s.s6_addr[0] = 0; ; return 0; } EOF -if { (eval echo configure:3698: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4151: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_in6_addr="yes" else @@ -3717,13 +4170,13 @@ fi echo $ac_n "checking for struct addrinfo""... $ac_c" 1>&6 -echo "configure:3721: checking for struct addrinfo" >&5 +echo "configure:4174: checking for struct addrinfo" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_addrinfo'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3734,7 +4187,7 @@ struct addrinfo s; s.ai_flags = AI_PASSIVE; ; return 0; } EOF -if { (eval echo configure:3738: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4191: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_addrinfo="yes" else @@ -3757,20 +4210,17 @@ fi -# Checks for structure members - - # look for field 'ut_host' in header 'utmp.h' ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_host echo $ac_n "checking for ut_host field in utmp.h""... $ac_c" 1>&6 -echo "configure:3768: checking for ut_host field in utmp.h" >&5 +echo "configure:4218: checking for ut_host field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -3804,13 +4254,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_host echo $ac_n "checking for ut_host field in utmpx.h""... $ac_c" 1>&6 -echo "configure:3808: checking for ut_host field in utmpx.h" >&5 +echo "configure:4258: checking for ut_host field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -3844,13 +4294,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"syslen echo $ac_n "checking for syslen field in utmpx.h""... $ac_c" 1>&6 -echo "configure:3848: checking for syslen field in utmpx.h" >&5 +echo "configure:4298: checking for syslen field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -3884,13 +4334,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_pid echo $ac_n "checking for ut_pid field in utmp.h""... $ac_c" 1>&6 -echo "configure:3888: checking for ut_pid field in utmp.h" >&5 +echo "configure:4338: checking for ut_pid field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -3924,13 +4374,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_type echo $ac_n "checking for ut_type field in utmp.h""... $ac_c" 1>&6 -echo "configure:3928: checking for ut_type field in utmp.h" >&5 +echo "configure:4378: checking for ut_type field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -3964,13 +4414,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_type echo $ac_n "checking for ut_type field in utmpx.h""... $ac_c" 1>&6 -echo "configure:3968: checking for ut_type field in utmpx.h" >&5 +echo "configure:4418: checking for ut_type field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4004,13 +4454,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_tv echo $ac_n "checking for ut_tv field in utmp.h""... $ac_c" 1>&6 -echo "configure:4008: checking for ut_tv field in utmp.h" >&5 +echo "configure:4458: checking for ut_tv field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4044,13 +4494,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_id echo $ac_n "checking for ut_id field in utmp.h""... $ac_c" 1>&6 -echo "configure:4048: checking for ut_id field in utmp.h" >&5 +echo "configure:4498: checking for ut_id field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4084,13 +4534,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_id echo $ac_n "checking for ut_id field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4088: checking for ut_id field in utmpx.h" >&5 +echo "configure:4538: checking for ut_id field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -4124,13 +4574,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr echo $ac_n "checking for ut_addr field in utmp.h""... $ac_c" 1>&6 -echo "configure:4128: checking for ut_addr field in utmp.h" >&5 +echo "configure:4578: checking for ut_addr field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4164,13 +4614,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr echo $ac_n "checking for ut_addr field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4168: checking for ut_addr field in utmpx.h" >&5 +echo "configure:4618: checking for ut_addr field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4204,13 +4654,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr_v6 echo $ac_n "checking for ut_addr_v6 field in utmp.h""... $ac_c" 1>&6 -echo "configure:4208: checking for ut_addr_v6 field in utmp.h" >&5 +echo "configure:4658: checking for ut_addr_v6 field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4244,13 +4694,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr_v6 echo $ac_n "checking for ut_addr_v6 field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4248: checking for ut_addr_v6 field in utmpx.h" >&5 +echo "configure:4698: checking for ut_addr_v6 field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -4284,13 +4734,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_exit echo $ac_n "checking for ut_exit field in utmp.h""... $ac_c" 1>&6 -echo "configure:4288: checking for ut_exit field in utmp.h" >&5 +echo "configure:4738: checking for ut_exit field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4324,13 +4774,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_time echo $ac_n "checking for ut_time field in utmp.h""... $ac_c" 1>&6 -echo "configure:4328: checking for ut_time field in utmp.h" >&5 +echo "configure:4778: checking for ut_time field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4364,13 +4814,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_time echo $ac_n "checking for ut_time field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4368: checking for ut_time field in utmpx.h" >&5 +echo "configure:4818: checking for ut_time field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4404,13 +4854,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_tv echo $ac_n "checking for ut_tv field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4408: checking for ut_tv field in utmpx.h" >&5 +echo "configure:4858: checking for ut_tv field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -4439,15 +4889,49 @@ echo "$ac_t""no" 1>&6 fi +echo $ac_n "checking for st_blksize in struct stat""... $ac_c" 1>&6 +echo "configure:4894: checking for st_blksize in struct stat" >&5 +if eval "test \"`echo '$''{'ac_cv_struct_st_blksize'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +#include +int main() { +struct stat s; s.st_blksize; +; return 0; } +EOF +if { (eval echo configure:4907: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_struct_st_blksize=yes +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + ac_cv_struct_st_blksize=no +fi +rm -f conftest* +fi + +echo "$ac_t""$ac_cv_struct_st_blksize" 1>&6 +if test $ac_cv_struct_st_blksize = yes; then + cat >> confdefs.h <<\EOF +#define HAVE_ST_BLKSIZE 1 +EOF + +fi + echo $ac_n "checking for sun_len field in struct sockaddr_un""... $ac_c" 1>&6 -echo "configure:4445: checking for sun_len field in struct sockaddr_un" >&5 +echo "configure:4929: checking for sun_len field in struct sockaddr_un" >&5 if eval "test \"`echo '$''{'ac_cv_have_sun_len_in_struct_sockaddr_un'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -4457,7 +4941,7 @@ struct sockaddr_un s; s.sun_len = 1; ; return 0; } EOF -if { (eval echo configure:4461: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4945: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_sun_len_in_struct_sockaddr_un="yes" else @@ -4479,13 +4963,13 @@ fi echo $ac_n "checking for ss_family field in struct sockaddr_storage""... $ac_c" 1>&6 -echo "configure:4483: checking for ss_family field in struct sockaddr_storage" >&5 +echo "configure:4967: checking for ss_family field in struct sockaddr_storage" >&5 if eval "test \"`echo '$''{'ac_cv_have_ss_family_in_struct_ss'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < 
@@ -4495,7 +4979,7 @@ struct sockaddr_storage s; s.ss_family = 1; ; return 0; } EOF -if { (eval echo configure:4499: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4983: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_ss_family_in_struct_ss="yes" else @@ -4517,13 +5001,13 @@ fi echo $ac_n "checking for __ss_family field in struct sockaddr_storage""... $ac_c" 1>&6 -echo "configure:4521: checking for __ss_family field in struct sockaddr_storage" >&5 +echo "configure:5005: checking for __ss_family field in struct sockaddr_storage" >&5 if eval "test \"`echo '$''{'ac_cv_have___ss_family_in_struct_ss'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -4533,7 +5017,7 @@ struct sockaddr_storage s; s.__ss_family = 1; ; return 0; } EOF -if { (eval echo configure:4537: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5021: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have___ss_family_in_struct_ss="yes" else @@ -4556,23 +5040,22 @@ fi echo $ac_n "checking for pw_class field in struct passwd""... $ac_c" 1>&6 -echo "configure:4560: checking for pw_class field in struct passwd" >&5 +echo "configure:5044: checking for pw_class field in struct passwd" >&5 if eval "test \"`echo '$''{'ac_cv_have_pw_class_in_struct_passwd'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < #include int main() { - struct passwd p s; p.pw_class = NULL; + struct passwd p; p.pw_class = 0; ; return 0; } EOF -if { (eval echo configure:4576: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5059: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_pw_class_in_struct_passwd="yes" else 
@@ -4596,20 +5079,20 @@ echo $ac_n "checking if libc defines __progname""... $ac_c" 1>&6 -echo "configure:4600: checking if libc defines __progname" >&5 +echo "configure:5083: checking if libc defines __progname" >&5 if eval "test \"`echo '$''{'ac_cv_libc_defines___progname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:5096: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_libc_defines___progname="yes" else @@ -4633,20 +5116,20 @@ echo $ac_n "checking if libc defines sys_errlist""... $ac_c" 1>&6 -echo "configure:4637: checking if libc defines sys_errlist" >&5 +echo "configure:5120: checking if libc defines sys_errlist" >&5 if eval "test \"`echo '$''{'ac_cv_libc_defines_sys_errlist'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:5133: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_libc_defines_sys_errlist="yes" else @@ -4670,20 +5153,20 @@ echo $ac_n "checking if libc defines sys_nerr""... $ac_c" 1>&6 -echo "configure:4674: checking if libc defines sys_nerr" >&5 +echo "configure:5157: checking if libc defines sys_nerr" >&5 if eval "test \"`echo '$''{'ac_cv_libc_defines_sys_nerr'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:5170: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_libc_defines_sys_nerr="yes" else 
@@ -4720,7 +5203,7 @@ # Extract the first word of "rsh", so it can be a program name with args. set dummy rsh; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:4724: checking for $ac_word" >&5 +echo "configure:5207: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_rsh_path'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4761,7 +5244,7 @@ if test "${with_xauth+set}" = set; then withval="$with_xauth" - if test "x$withval" != "$xno" ; then + if test "x$withval" != "xno" ; then xauth_path=$withval fi @@ -4770,7 +5253,7 @@ # Extract the first word of "xauth", so it can be a program name with args. set dummy xauth; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:4774: checking for $ac_word" >&5 +echo "configure:5257: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_xauth_path'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4783,7 +5266,7 @@ ;; *) IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" - ac_dummy="$PATH" + ac_dummy="$PATH:/usr/X/bin:/usr/bin/X11:/usr/X11R6/bin:/usr/openwin/bin" for ac_dir in $ac_dummy; do test -z "$ac_dir" && ac_dir=. if test -f $ac_dir/$ac_word; then @@ -4836,7 +5319,7 @@ ac_safe=`echo ""/dev/ptmx"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/ptmx"""... $ac_c" 1>&6 -echo "configure:4840: checking for "/dev/ptmx"" >&5 +echo "configure:5323: checking for "/dev/ptmx"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4869,7 +5352,7 @@ ac_safe=`echo ""/dev/ptc"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/ptc"""... $ac_c" 1>&6 -echo "configure:4873: checking for "/dev/ptc"" >&5 +echo "configure:5356: checking for "/dev/ptc"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -4920,7 +5403,7 @@ ac_safe=`echo ""/dev/urandom"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/urandom"""... $ac_c" 1>&6 -echo "configure:4924: checking for "/dev/urandom"" >&5 +echo "configure:5407: checking for "/dev/urandom"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4981,7 +5464,7 @@ # Extract the first word of "ls", so it can be a program name with args. set dummy ls; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:4985: checking for $ac_word" >&5 +echo "configure:5468: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_LS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5022,7 +5505,7 @@ # Extract the first word of "netstat", so it can be a program name with args. set dummy netstat; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5026: checking for $ac_word" >&5 +echo "configure:5509: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_NETSTAT'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5063,7 +5546,7 @@ # Extract the first word of "arp", so it can be a program name with args. set dummy arp; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5067: checking for $ac_word" >&5 +echo "configure:5550: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_ARP'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5104,7 +5587,7 @@ # Extract the first word of "ifconfig", so it can be a program name with args. set dummy ifconfig; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5108: checking for $ac_word" >&5 +echo "configure:5591: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_IFCONFIG'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -5145,7 +5628,7 @@ # Extract the first word of "ps", so it can be a program name with args. set dummy ps; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5149: checking for $ac_word" >&5 +echo "configure:5632: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_PS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5186,7 +5669,7 @@ # Extract the first word of "w", so it can be a program name with args. set dummy w; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5190: checking for $ac_word" >&5 +echo "configure:5673: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_W'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5227,7 +5710,7 @@ # Extract the first word of "who", so it can be a program name with args. set dummy who; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5231: checking for $ac_word" >&5 +echo "configure:5714: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_WHO'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5268,7 +5751,7 @@ # Extract the first word of "last", so it can be a program name with args. set dummy last; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5272: checking for $ac_word" >&5 +echo "configure:5755: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_LAST'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5309,7 +5792,7 @@ # Extract the first word of "lastlog", so it can be a program name with args. set dummy lastlog; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5313: checking for $ac_word" >&5 +echo "configure:5796: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_LASTLOG'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -5350,7 +5833,7 @@ # Extract the first word of "df", so it can be a program name with args. set dummy df; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5354: checking for $ac_word" >&5 +echo "configure:5837: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_DF'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5391,7 +5874,7 @@ # Extract the first word of "vmstat", so it can be a program name with args. set dummy vmstat; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5395: checking for $ac_word" >&5 +echo "configure:5878: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_VMSTAT'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5432,7 +5915,7 @@ # Extract the first word of "uptime", so it can be a program name with args. set dummy uptime; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5436: checking for $ac_word" >&5 +echo "configure:5919: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_UPTIME'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5473,7 +5956,7 @@ # Extract the first word of "ipcs", so it can be a program name with args. set dummy ipcs; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5477: checking for $ac_word" >&5 +echo "configure:5960: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_IPCS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5514,7 +5997,7 @@ # Extract the first word of "tail", so it can be a program name with args. set dummy tail; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5518: checking for $ac_word" >&5 +echo "configure:6001: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_TAIL'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -5555,7 +6038,7 @@ # Extract the first word of "ls", so it can be a program name with args. set dummy ls; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5559: checking for $ac_word" >&5 +echo "configure:6042: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_LS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5630,7 +6113,7 @@ if test "x$withval" != "xno" ; then - if test "x$withval" != "$xyes" ; then + if test "x$withval" != "xyes" ; then CFLAGS="$CFLAGS -I${withval}/include" LDFLAGS="$LDFLAGS -L${withval}/lib" if test ! -z "$need_dash_r" ; then @@ -5649,17 +6132,17 @@ do ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 -echo "configure:5653: checking for $ac_hdr" >&5 +echo "configure:6136: checking for $ac_hdr" >&5 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:5663: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:6146: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then rm -rf conftest* @@ -5686,7 +6169,7 @@ done echo $ac_n "checking for main in -lkrb""... $ac_c" 1>&6 -echo "configure:5690: checking for main in -lkrb" >&5 +echo "configure:6173: checking for main in -lkrb" >&5 ac_lib_var=`echo krb'_'main | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -5694,14 +6177,14 @@ ac_save_LIBS="$LIBS" LIBS="-lkrb $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:6188: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -5737,7 +6220,7 @@ KLIBS="-lkrb -ldes" echo $ac_n "checking for dn_expand in -lresolv""... $ac_c" 1>&6 -echo "configure:5741: checking for dn_expand in -lresolv" >&5 +echo "configure:6224: checking for dn_expand in -lresolv" >&5 ac_lib_var=`echo resolv'_'dn_expand | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -5745,7 +6228,7 @@ ac_save_LIBS="$LIBS" LIBS="-lresolv $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:6243: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -5803,7 +6286,7 @@ if test "x$withval" != "xno" ; then - if test "x$withval" != "$xyes" ; then + if test "x$withval" != "xyes" ; then CFLAGS="$CFLAGS -I${withval}/include" LFLAGS="$LFLAGS -L${withval}/lib" fi @@ -5857,9 +6340,9 @@ saved_LIBS="$LIBS" LIBS="$LIBS -lwrap" echo $ac_n "checking for libwrap""... $ac_c" 1>&6 -echo "configure:5861: checking for libwrap" >&5 +echo "configure:6344: checking for libwrap" >&5 cat > conftest.$ac_ext < @@ -5869,7 +6352,7 @@ hosts_access(0); ; return 0; } EOF -if { (eval echo configure:5873: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:6356: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* echo "$ac_t""yes" 1>&6 @@ -5932,9 +6415,9 @@ if test -z "$disable_shadow" ; then echo $ac_n "checking if the systems has expire shadow information""... $ac_c" 1>&6 -echo "configure:5936: checking if the systems has expire shadow information" >&5 +echo "configure:6419: checking if the systems has expire shadow information" >&5 cat > conftest.$ac_ext < 
@@ -5945,7 +6428,7 @@ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ; return 0; } EOF -if { (eval echo configure:5949: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6432: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* sp_expire_available=yes else @@ -6031,7 +6514,7 @@ echo $ac_n "checking if we need to convert IPv4 in IPv6-mapped addresses""... $ac_c" 1>&6 -echo "configure:6035: checking if we need to convert IPv4 in IPv6-mapped addresses" >&5 +echo "configure:6518: checking if we need to convert IPv4 in IPv6-mapped addresses" >&5 IPV4_IN6_HACK_MSG="no" # Check whether --with-4in6 or --without-4in6 was given. if test "${with_4in6+set}" = set; then @@ -6065,6 +6548,29 @@ fi +echo $ac_n "checking whether to install ssh as suid root""... $ac_c" 1>&6 +echo "configure:6553: checking whether to install ssh as suid root" >&5 +# Check whether --enable-suid-ssh or --disable-suid-ssh was given. +if test "${enable_suid_ssh+set}" = set; then + enableval="$enable_suid_ssh" + case "$enableval" in + no) + echo "$ac_t""no" 1>&6 + SSHMODE=0711 + ;; + *) echo "$ac_t""yes" 1>&6 + SSHMODE=04711 + ;; + esac +else + echo "$ac_t""yes" 1>&6 + SSHMODE=04711 + +fi + + + + # Where to place sshd.pid piddir=/var/run # Check whether --with-pid-dir or --without-pid-dir was given. @@ -6079,6 +6585,14 @@ fi +# make sure the directory exists +if test ! -d $piddir ; then + piddir=`eval echo ${sysconfdir}` + case $piddir in + NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;; + esac +fi + cat >> confdefs.h <&6 -echo "configure:6178: checking if your system defines LASTLOG_FILE" >&5 +echo "configure:6692: checking if your system defines LASTLOG_FILE" >&5 cat > conftest.$ac_ext < 
@@ -6192,7 +6706,7 @@ char *lastlog = LASTLOG_FILE; ; return 0; } EOF -if { (eval echo configure:6196: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6710: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -6202,9 +6716,9 @@ echo "$ac_t""no" 1>&6 echo $ac_n "checking if your system defines _PATH_LASTLOG""... $ac_c" 1>&6 -echo "configure:6206: checking if your system defines _PATH_LASTLOG" >&5 +echo "configure:6720: checking if your system defines _PATH_LASTLOG" >&5 cat > conftest.$ac_ext < @@ -6220,7 +6734,7 @@ char *lastlog = _PATH_LASTLOG; ; return 0; } EOF -if { (eval echo configure:6224: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6738: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -6259,9 +6773,9 @@ fi echo $ac_n "checking if your system defines UTMP_FILE""... $ac_c" 1>&6 -echo "configure:6263: checking if your system defines UTMP_FILE" >&5 +echo "configure:6777: checking if your system defines UTMP_FILE" >&5 cat > conftest.$ac_ext < @@ -6274,7 +6788,7 @@ char *utmp = UTMP_FILE; ; return 0; } EOF -if { (eval echo configure:6278: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6792: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -6309,9 +6823,9 @@ fi echo $ac_n "checking if your system defines WTMP_FILE""... $ac_c" 1>&6 -echo "configure:6313: checking if your system defines WTMP_FILE" >&5 +echo "configure:6827: checking if your system defines WTMP_FILE" >&5 cat > conftest.$ac_ext < @@ -6324,7 +6838,7 @@ char *wtmp = WTMP_FILE; ; return 0; } EOF -if { (eval echo configure:6328: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6842: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else 
@@ -6360,9 +6874,9 @@ echo $ac_n "checking if your system defines UTMPX_FILE""... $ac_c" 1>&6 -echo "configure:6364: checking if your system defines UTMPX_FILE" >&5 +echo "configure:6878: checking if your system defines UTMPX_FILE" >&5 cat > conftest.$ac_ext < @@ -6378,7 +6892,7 @@ char *utmpx = UTMPX_FILE; ; return 0; } EOF -if { (eval echo configure:6382: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6896: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -6405,9 +6919,9 @@ fi echo $ac_n "checking if your system defines WTMPX_FILE""... $ac_c" 1>&6 -echo "configure:6409: checking if your system defines WTMPX_FILE" >&5 +echo "configure:6923: checking if your system defines WTMPX_FILE" >&5 cat > conftest.$ac_ext < @@ -6423,7 +6937,7 @@ char *wtmpx = WTMPX_FILE; ; return 0; } EOF -if { (eval echo configure:6427: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6941: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else 
@@ -6474,6 +6988,102 @@ echo "configure: warning: Please check and edit -blibpath in LDFLAGS in Makefile" 1>&2 fi +echo $ac_n "checking for Cygwin environment""... $ac_c" 1>&6 +echo "configure:6993: checking for Cygwin environment" >&5 +if eval "test \"`echo '$''{'ac_cv_cygwin'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_cygwin=yes +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + ac_cv_cygwin=no +fi +rm -f conftest* +rm -f conftest* +fi + +echo "$ac_t""$ac_cv_cygwin" 1>&6 +CYGWIN= +test "$ac_cv_cygwin" = yes && CYGWIN=yes +echo $ac_n "checking for mingw32 environment""... $ac_c" 1>&6 +echo "configure:7026: checking for mingw32 environment" >&5 +if eval "test \"`echo '$''{'ac_cv_mingw32'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_mingw32=yes +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + ac_cv_mingw32=no +fi +rm -f conftest* +rm -f conftest* +fi + +echo "$ac_t""$ac_cv_mingw32" 1>&6 +MINGW32= +test "$ac_cv_mingw32" = yes && MINGW32=yes + + +echo $ac_n "checking for executable suffix""... 
$ac_c" 1>&6 +echo "configure:7057: checking for executable suffix" >&5 +if eval "test \"`echo '$''{'ac_cv_exeext'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test "$CYGWIN" = yes || test "$MINGW32" = yes; then + ac_cv_exeext=.exe +else + rm -f conftest* + echo 'int main () { return 0; }' > conftest.$ac_ext + ac_cv_exeext= + if { (eval echo configure:7067: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; }; then + for file in conftest.*; do + case $file in + *.c | *.o | *.obj) ;; + *) ac_cv_exeext=`echo $file | sed -e s/conftest//` ;; + esac + done + else + { echo "configure: error: installation or configuration problem: compiler cannot create executables." 1>&2; exit 1; } + fi + rm -f conftest* + test x"${ac_cv_exeext}" = x && ac_cv_exeext=no +fi +fi + +EXEEXT="" +test x"${ac_cv_exeext}" != xno && EXEEXT=${ac_cv_exeext} +echo "$ac_t""${ac_cv_exeext}" 1>&6 +ac_exeext=$EXEEXT + + trap '' 1 2 15 cat > confcache <<\EOF # This file is a shell script that caches the results of configure @@ -6621,6 +7231,7 @@ s%@AR@%$AR%g s%@PERL@%$PERL%g s%@ENT@%$ENT%g +s%@FILEPRIV@%$FILEPRIV%g s%@LOGIN_PROGRAM_FALLBACK@%$LOGIN_PROGRAM_FALLBACK%g s%@LD@%$LD%g s%@rsh_path@%$rsh_path%g @@ -6643,7 +7254,9 @@ s%@INSTALL_SSH_PRNG_CMDS@%$INSTALL_SSH_PRNG_CMDS%g s%@MANTYPE@%$MANTYPE%g s%@mansubdir@%$mansubdir%g +s%@SSHMODE@%$SSHMODE%g s%@piddir@%$piddir%g +s%@EXEEXT@%$EXEEXT%g CEOF EOF @@ -6878,6 +7491,7 @@ RAND_MSG="EGD ($EGD_SOCKET)" else RAND_MSG="Builtin (timeout $entropy_timeout)" + BUILTIN_RNG=1 fi fi 
@@ -6886,13 +7500,14 @@ B=`eval echo ${bindir}` ; B=`eval echo ${B}` C=`eval echo ${sbindir}` ; C=`eval echo ${C}` D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}` -E=`eval echo ${libexecdir}/ssh/ssh-askpass` ; E=`eval echo ${E}` +E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}` F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}` G=`eval echo ${piddir}` ; G=`eval echo ${G}` echo "" echo "OpenSSH configured has been configured with the following options." echo " User binaries: $B" +echo " User binaries: $B" echo " System binaries: $C" echo " Configuration files: $D" echo " Askpass program: $E" @@ -6912,9 +7527,17 @@ echo "" -echo "Compiler flags: ${CFLAGS}" -echo "Linker flags: ${LDFLAGS}" -echo "Libraries: ${LIBS}" +echo " Host: ${host}" +echo " Compiler: ${CC}" +echo " Compiler flags: ${CFLAGS}" +echo " Linker flags: ${LDFLAGS}" +echo " Libraries: ${LIBS}" echo "" +if test ! -z "$BUILTIN_RNG" ; then + echo "WARNING: you are using the builtin random number collection service." + echo "Please read WARNING.RNG and request that your OS vendor includes" + echo "/dev/random in future versions of their OS." + echo "" +fi diff -ru openssh-2.2.0p1/configure.in openssh-2.3.0p1/configure.in --- openssh-2.2.0p1/configure.in 2000-08-31 09:20:05.000000000 +1100 +++ openssh-2.3.0p1/configure.in 2000-11-05 20:08:45.000000000 +1100 @@ -13,6 +13,7 @@ AC_SUBST(PERL) AC_PATH_PROG(ENT, ent) AC_SUBST(ENT) +AC_PATH_PROGS(FILEPRIV, filepriv, true, /sbin:/usr/sbin) # Use LOGIN_PROGRAM from environment if possible if test ! -z "$LOGIN_PROGRAM" ; then @@ -36,6 +37,8 @@ CFLAGS="$CFLAGS -Wall" fi +CFLAGS="$CFLAGS -I. -I${srcdir-.}" + # Check for some target-specific stuff case "$host" in *-*-aix*) 
@@ -54,6 +57,18 @@
 MANTYPE='$(CATMAN)'
 mansubdir=cat
 ;;
+*-*-cygwin*)
+ LIBS="$LIBS -lregex /usr/lib/textmode.o"
+ AC_DEFINE(HAVE_CYGWIN)
+ AC_DEFINE(DISABLE_PAM)
+ AC_DEFINE(DISABLE_SHADOW)
+ AC_DEFINE(IPV4_DEFAULT)
+ AC_DEFINE(IP_TOS_IS_BROKEN)
+ AC_DEFINE(BROKEN_VHANGUP)
+ no_pam=1
+ no_libsocket=1
+ no_libnsl=1
+ ;;
 *-*-hpux10*)
 if test -z "$GCC"; then
 CFLAGS="$CFLAGS -Ae"
@@ -61,16 +76,10 @@
 CFLAGS="$CFLAGS -D_HPUX_SOURCE"
 IPADDR_IN_DISPLAY=yes
 AC_DEFINE(USE_PIPES)
- AC_MSG_CHECKING(for HPUX trusted system password database)
- if test -f /tcb/files/auth/system/default; then
- AC_MSG_RESULT(yes)
- AC_DEFINE(HAVE_HPUX_TRUSTED_SYSTEM_PW)
- LIBS="$LIBS -lsec"
- AC_MSG_WARN([This configuration is untested])
- else
- AC_MSG_RESULT(no)
- AC_DEFINE(DISABLE_SHADOW)
- fi
+ AC_DEFINE(DISABLE_SHADOW)
+ AC_DEFINE(DISABLE_UTMP)
+ AC_DEFINE(SPT_TYPE,SPT_PSTAT)
+ LIBS="$LIBS -lsec"
 MANTYPE='$(CATMAN)'
 mansubdir=cat
 ;;
@@ -78,22 +87,17 @@
 CFLAGS="$CFLAGS -D_HPUX_SOURCE"
 IPADDR_IN_DISPLAY=yes
 AC_DEFINE(USE_PIPES)
- AC_MSG_CHECKING(for HPUX trusted system password database)
- if test -f /tcb/files/auth/system/default; then
- AC_MSG_RESULT(yes)
- AC_DEFINE(HAVE_HPUX_TRUSTED_SYSTEM_PW)
- LIBS="$LIBS -lsec"
- AC_MSG_WARN([This configuration is untested])
- else
- AC_MSG_RESULT(no)
- AC_DEFINE(DISABLE_SHADOW)
- fi
+ AC_DEFINE(DISABLE_SHADOW)
+ AC_DEFINE(DISABLE_UTMP)
+ AC_DEFINE(SPT_TYPE,SPT_PSTAT)
+ LIBS="$LIBS -lsec"
 MANTYPE='$(CATMAN)'
 mansubdir=cat
 ;;
 *-*-irix5*)
 CFLAGS="$CFLAGS -I/usr/local/include"
 LDFLAGS="$LDFLAGS"
+ PATH="$PATH:/usr/etc"
 MANTYPE='$(CATMAN)'
 no_libsocket=1
 no_libnsl=1
@@ -102,6 +106,7 @@
 *-*-irix6*)
 CFLAGS="$CFLAGS -I/usr/local/include"
 LDFLAGS="$LDFLAGS"
+ PATH="$PATH:/usr/etc"
 MANTYPE='$(CATMAN)'
 AC_DEFINE(WITH_IRIX_ARRAY)
 AC_DEFINE(WITH_IRIX_PROJECT)
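Review bot: `LIBS="$LIBS -lregex /usr/lib/textmode.o"` in the new `*-*-cygwin*` arm links an absolute object path that is never verified, so a Cygwin install lacking that file fails only at link time with an unrelated-looking error. A probe in the arm, `test -f /usr/lib/textmode.o || AC_MSG_ERROR([/usr/lib/textmode.o not found; it is required on Cygwin])`, reports the missing piece at configure time instead. The arm also disables PAM and shadow unconditionally for Cygwin, which looks intended but deserves a one-line comment such as `# Cygwin has neither PAM nor shadow passwords` above the defines.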
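Review bot: The two HP-UX arms (hunks at -61 and -78) now carry identical bodies from `-D_HPUX_SOURCE` onward, `-lsec` is linked unconditionally, and `HAVE_HPUX_TRUSTED_SYSTEM_PW` is no longer defined anywhere in this diff. If any source still guards code with that macro, the trusted-system (/tcb) password path is now dead on HP-UX; if that is the intent, a comment at the first arm such as `# /tcb trusted-system password support removed; libsec is still required` would save the next reader the search. The second arm's head is outside the hunk, but if it matches the first apart from the `-Ae` block, folding the shared tail into one `*-*-hpux10*|*-*-hpux11*)` arm would keep the two from drifting apart again.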
@@ -116,6 +121,13 @@
 AC_DEFINE(PAM_TTY_KLUDGE)
 inet6_default_4in6=yes
 ;;
+mips-sony-bsd|mips-sony-newsos4)
+ AC_DEFINE(HAVE_NEWS4)
+ SONY=1
+ AC_CHECK_LIB(iberty, xatexit, AC_DEFINE(HAVE_XATEXIT),
+ AC_MSG_ERROR([*** libiberty missing - please install first ***])
+ )
+ ;;
 *-*-netbsd*)
 need_dash_r=1
 ;;
@@ -125,6 +137,8 @@
 conf_wtmp_location=/usr/adm/wtmp
 MAIL=/usr/spool/mail
 AC_DEFINE(HAVE_NEXT)
+ AC_DEFINE(BROKEN_REALPATH)
+ AC_DEFINE(USE_PIPES)
 CFLAGS="$CFLAGS -I/usr/local/include"
 ;;
 *-*-solaris*)
@@ -161,6 +175,22 @@
 mansubdir=cat
 LIBS="$LIBS -lgen -lnsl -lucb"
 ;;
+*-*-sysv4.2*)
+ CFLAGS="$CFLAGS -I/usr/local/include"
+ LDFLAGS="$LDFLAGS -L/usr/local/lib"
+ MANTYPE='$(CATMAN)'
+ mansubdir=cat
+ LIBS="$LIBS -lgen -lsocket -lnsl -lresolv"
+ enable_suid_ssh=no
+ ;;
+*-*-sysv5*)
+ CFLAGS="$CFLAGS -I/usr/local/include"
+ LDFLAGS="$LDFLAGS -L/usr/local/lib"
+ MANTYPE='$(CATMAN)'
+ mansubdir=cat
+ LIBS="$LIBS -lgen -lsocket"
+ enable_suid_ssh=no
+ ;;
 *-*-sysv*)
 CFLAGS="$CFLAGS -I/usr/local/include"
 LDFLAGS="$LDFLAGS -L/usr/local/lib"
@@ -168,14 +198,28 @@
 mansubdir=cat
 LIBS="$LIBS -lgen -lsocket"
 ;;
-*-*-sco3*)
+*-*-sco3.2v4*)
 AC_DEFINE(USE_PIPES)
+ CFLAGS="$CFLAGS -Dftruncate=chsize -I/usr/local/include"
+ LDFLAGS="$LDFLAGS -L/usr/local/lib"
+ MANTYPE='$(CATMAN)'
+ mansubdir=cat
+ LIBS="$LIBS -lgen -lsocket -los -lprot -lx"
+ no_dev_ptmx=1
+ RANLIB=true
+ AC_DEFINE(BROKEN_SYS_TERMIO_H)
+ rsh_path="/usr/bin/rcmd"
+ AC_DEFINE(HAVE_SCO_PROTECTED_PW)
+ ;;
+*-*-sco3.2v5*)
 CFLAGS="$CFLAGS -I/usr/local/include"
 LDFLAGS="$LDFLAGS -L/usr/local/lib"
 MANTYPE='$(CATMAN)'
 mansubdir=cat
- LIBS="$LIBS -lgen -lsocket"
+ LIBS="$LIBS -lgen -lsocket -lprot -lx"
 no_dev_ptmx=1
+ rsh_path="/usr/bin/rcmd"
+ AC_DEFINE(HAVE_SCO_PROTECTED_PW)
 ;;
 *-dec-osf*)
 # This is untested
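Review bot: `enable_suid_ssh=no` in the new `*-*-sysv4.2*` and `*-*-sysv5*` arms is assigned after configure has already parsed its command line, so a user's explicit `--enable-suid-ssh` on those hosts is overwritten with no message and the later `AC_ARG_ENABLE(suid-ssh, ...)` reports "no". Make it a default rather than an override in both arms: `test "${enable_suid_ssh+set}" = set || enable_suid_ssh=no`. A short comment stating why setuid ssh is off on these platforms would also help, since the reason is not visible in this diff.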
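Review bot: Replacing the `*-*-sco3*` arm with `*-*-sco3.2v4*` and `*-*-sco3.2v5*` means any other SCO 3 host triple now falls through to the default branch and silently loses `USE_PIPES`, the `-lgen -lsocket` library list and `no_dev_ptmx=1`. If only those two releases are meant to be supported, an explicit `*-*-sco3*) AC_MSG_ERROR([unsupported SCO release: $host]) ;;` placed after them makes that visible; otherwise keep a generic `*-*-sco3*)` arm carrying the old settings. `RANLIB=true` in the v4 arm presumably overrides a tool detected earlier (outside this hunk) and deserves a one-line comment saying why.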
@@ -224,6 +268,14 @@ AC_CHECK_LIB(z, deflate, ,AC_MSG_ERROR([*** zlib missing - please install first ***])) AC_CHECK_LIB(util, login, AC_DEFINE(HAVE_LIBUTIL_LOGIN) LIBS="$LIBS -lutil") +AC_CHECK_FUNC(regcomp, + [], + [ + AC_CHECK_LIB(pcre, pcre_info, + AC_DEFINE(HAVE_LIBPCRE) LIBS="$LIBS -lpcreposix -lpcre") + ] +) + if test -z "$no_libsocket" ; then AC_CHECK_LIB(nsl, yp_match, , ) fi 
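Review bot: The new `AC_CHECK_FUNC(regcomp, ...)` block has no outcome for a host where neither `regcomp()` nor libpcre is found: the empty action-if-found is fine, but the inner `AC_CHECK_LIB(pcre, ...)` has no action-if-not-found, so its failure is silent. If the tree calls regcomp unconditionally (not visible here), such a host fails at link time rather than at configure; adding the fourth argument, `[AC_MSG_ERROR([*** no regcomp() and no libpcre found ***])]` (or `AC_MSG_WARN` if regex support is optional), gives the same diagnostic the zlib check immediately above already provides.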
@@ -232,10 +284,10 @@ fi # Checks for header files. -AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h time.h ttyent.h usersec.h util.h utmp.h utmpx.h) +AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h getopt.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utmp.h utmpx.h vis.h) dnl Checks for library functions. -AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage getttyent inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty rresvport_af setenv seteuid setlogin setproctitle setreuid sigaction sigvec snprintf strerror strlcat strlcpy strsep vsnprintf vhangup _getpty __b64_ntop) +AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getnameinfo getrusage getttyent inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strsep strtok_r vsnprintf vhangup vis waitpid _getpty __b64_ntop) dnl Checks for time functions AC_CHECK_FUNCS(gettimeofday time) dnl Checks for libutil functions @@ -284,6 +336,8 @@ ) fi +AC_FUNC_GETPGRP + PAM_MSG="no" AC_ARG_WITH(pam, [ --without-pam Disable PAM support ], 
@@ -326,7 +380,7 @@ AC_ARG_WITH(ssl-dir, [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], [ - if test "x$withval" != "$xno" ; then + if test "x$withval" != "xno" ; then tryssldir=$withval fi ] @@ -340,7 +394,7 @@ fi AC_CACHE_CHECK([for OpenSSL directory], ac_cv_openssldir, [ - for ssldir in "" $tryssldir /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do + for ssldir in $tryssldir "" /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do if test ! -z "$ssldir" ; then LDFLAGS="$saved_LDFLAGS -L$ssldir/lib -L$ssldir" CFLAGS="$saved_CFLAGS -I$ssldir/include" @@ -453,6 +507,11 @@ fi fi +# Cheap hack to ensure NEWS-OS libraries are arranged right. +if test ! -z "$SONY" ; then + LIBS="$LIBS -liberty"; +fi + # Checks for data types AC_CHECK_SIZEOF(char, 1) AC_CHECK_SIZEOF(short int, 2) @@ -487,6 +546,19 @@ have_intxx_t=1 fi +AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [ + AC_TRY_COMPILE( + [ #include ], + [ int64_t a; a = 1;], + [ ac_cv_have_int64_t="yes" ], + [ ac_cv_have_int64_t="no" ] + ) +]) +if test "x$ac_cv_have_int64_t" = "xyes" ; then + AC_DEFINE(HAVE_INT64_T) + have_int64_t=1 +fi + AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [ AC_TRY_COMPILE( [ #include ], @@ -500,6 +572,19 @@ have_u_intxx_t=1 fi +AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [ + AC_TRY_COMPILE( + [ #include ], + [ u_int64_t a; a = 1;], + [ ac_cv_have_u_int64_t="yes" ], + [ ac_cv_have_u_int64_t="no" ] + ) +]) +if test "x$ac_cv_have_u_int64_t" = "xyes" ; then + AC_DEFINE(HAVE_U_INT64_T) + have_u_int64_t=1 +fi + if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \ test "x$ac_cv_header_sys_bitypes_h" = "xyes") then 
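Review bot: Moving `$tryssldir` to the front of the candidate list (hunk at -340) only changes the search order; when `--with-ssl-dir` is given but that directory does not yield a usable OpenSSL, the loop still walks through `/usr/local/openssl`, `/usr/lib/openssl` and the rest and the build silently links against whichever one it finds first. That is a trap for anyone deliberately pointing at a patched or newer OpenSSL. The loop body and the value it records run past the hunk, but a check after the loop along the lines of `test -z "$tryssldir" || test "x$ac_cv_openssldir" = "x$tryssldir" || AC_MSG_ERROR([OpenSSL in $tryssldir is not usable])` would make a bad `--with-ssl-dir` fail instead of falling back (adjust to whatever the loop actually stores in `ac_cv_openssldir`).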
@@ -589,7 +674,17 @@ ], [ sa_family_t foo; foo = 1235; ], [ ac_cv_have_sa_family_t="yes" ], + [ AC_TRY_COMPILE( + [ +#include +#include +#include + ], + [ sa_family_t foo; foo = 1235; ], + [ ac_cv_have_sa_family_t="yes" ], + [ ac_cv_have_sa_family_t="no" ] + )] ) ]) if test "x$ac_cv_have_sa_family_t" = "xyes" ; then @@ -686,9 +781,7 @@ AC_DEFINE(HAVE_STRUCT_ADDRINFO) fi - -# Checks for structure members - +dnl Checks for structure members OSSH_CHECK_HEADER_FOR_FIELD(ut_host, utmp.h, HAVE_HOST_IN_UTMP) OSSH_CHECK_HEADER_FOR_FIELD(ut_host, utmpx.h, HAVE_HOST_IN_UTMPX) OSSH_CHECK_HEADER_FOR_FIELD(syslen, utmpx.h, HAVE_SYSLEN_IN_UTMPX) @@ -706,6 +799,7 @@ OSSH_CHECK_HEADER_FOR_FIELD(ut_time, utmp.h, HAVE_TIME_IN_UTMP) OSSH_CHECK_HEADER_FOR_FIELD(ut_time, utmpx.h, HAVE_TIME_IN_UTMPX) OSSH_CHECK_HEADER_FOR_FIELD(ut_tv, utmpx.h, HAVE_TV_IN_UTMPX) +AC_STRUCT_ST_BLKSIZE AC_CACHE_CHECK([for sun_len field in struct sockaddr_un], ac_cv_have_sun_len_in_struct_sockaddr_un, [ @@ -759,10 +853,9 @@ ac_cv_have_pw_class_in_struct_passwd, [ AC_TRY_COMPILE( [ -#include #include ], - [ struct passwd p s; p.pw_class = NULL; ], + [ struct passwd p; p.pw_class = 0; ], [ ac_cv_have_pw_class_in_struct_passwd="yes" ], [ ac_cv_have_pw_class_in_struct_passwd="no" ] ) @@ -824,12 +917,12 @@ AC_ARG_WITH(xauth, [ --with-xauth=PATH Specify path to xauth program ], [ - if test "x$withval" != "$xno" ; then + if test "x$withval" != "xno" ; then xauth_path=$withval fi ], [ - AC_PATH_PROG(xauth_path, xauth) + AC_PATH_PROG(xauth_path, xauth,,$PATH:/usr/X/bin:/usr/bin/X11:/usr/X11R6/bin:/usr/openwin/bin) if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then xauth_path="/usr/openwin/bin/xauth" fi @@ -950,7 +1043,7 @@ [ if test "x$withval" != "xno" ; then - if test "x$withval" != "$xyes" ; then + if test "x$withval" != "xyes" ; then CFLAGS="$CFLAGS -I${withval}/include" LDFLAGS="$LDFLAGS -L${withval}/lib" if test ! -z "$need_dash_r" ; then 
@@ -990,7 +1083,7 @@ [ if test "x$withval" != "xno" ; then - if test "x$withval" != "$xyes" ; then + if test "x$withval" != "xyes" ; then CFLAGS="$CFLAGS -I${withval}/include" LFLAGS="$LFLAGS -L${withval}/lib" fi @@ -1157,6 +1250,25 @@ ] ) +AC_MSG_CHECKING(whether to install ssh as suid root) +AC_ARG_ENABLE(suid-ssh, +[ --enable-suid-ssh Install ssh as suid root (default) + --disable-suid-ssh Install ssh without suid bit], +[ case "$enableval" in + no) + AC_MSG_RESULT(no) + SSHMODE=0711 + ;; + *) AC_MSG_RESULT(yes) + SSHMODE=04711 + ;; + esac ], + AC_MSG_RESULT(yes) + SSHMODE=04711 +) +AC_SUBST(SSHMODE) + + # Where to place sshd.pid piddir=/var/run AC_ARG_WITH(pid-dir, @@ -1168,6 +1280,14 @@ ] ) +# make sure the directory exists +if test ! -d $piddir ; then + piddir=`eval echo ${sysconfdir}` + case $piddir in + NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;; + esac +fi + AC_DEFINE_UNQUOTED(PIDDIR, "$piddir") AC_SUBST(piddir) @@ -1400,6 +1520,8 @@ AC_MSG_WARN([Please check and edit -blibpath in LDFLAGS in Makefile]) fi +AC_EXEEXT + AC_OUTPUT(Makefile ssh_prng_cmds) # Print summary of options @@ -1416,6 +1538,7 @@ RAND_MSG="EGD ($EGD_SOCKET)" else RAND_MSG="Builtin (timeout $entropy_timeout)" + BUILTIN_RNG=1 fi fi @@ -1424,13 +1547,14 @@ B=`eval echo ${bindir}` ; B=`eval echo ${B}` C=`eval echo ${sbindir}` ; C=`eval echo ${C}` D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}` -E=`eval echo ${libexecdir}/ssh/ssh-askpass` ; E=`eval echo ${E}` +E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}` F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}` G=`eval echo ${piddir}` ; G=`eval echo ${G}` echo "" echo "OpenSSH configured has been configured with the following options." echo " User binaries: $B" +echo " User binaries: $B" echo " System binaries: $C" echo " Configuration files: $D" echo " Askpass program: $E" 
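Review bot: The new `if test ! -d $piddir` probe (hunk at -1168) runs on the build host at configure time, so under a packaging (DESTDIR) or cross build it can redirect PIDDIR to `$sysconfdir` even though `/var/run` exists on the target, and the switch happens without any message. Quote the expansion and report the decision: `if test ! -d "$piddir" ; then` and, inside the block, `AC_MSG_WARN([$piddir does not exist; sshd.pid will be written under $sysconfdir])`. The `NONE/*` rewrite handles an unset prefix correctly and could carry a one-line comment naming that.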
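Review bot: The added `+echo "                  User binaries: $B"` (hunk at -1424) duplicates the context line directly above it, so the configure summary prints the User binaries entry twice; the generated configure carries the same duplicate in its -6886 hunk. Drop the added line in configure.in and regenerate. The `E=` change to `${libexecdir}/ssh-askpass` should also match the path the Makefile actually installs the askpass program to, which is not visible here.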
@@ -1450,9 +1574,17 @@ echo "" -echo "Compiler flags: ${CFLAGS}" -echo "Linker flags: ${LDFLAGS}" -echo "Libraries: ${LIBS}" +echo " Host: ${host}" +echo " Compiler: ${CC}" +echo " Compiler flags: ${CFLAGS}" +echo " Linker flags: ${LDFLAGS}" +echo " Libraries: ${LIBS}" echo "" +if test ! -z "$BUILTIN_RNG" ; then + echo "WARNING: you are using the builtin random number collection service." + echo "Please read WARNING.RNG and request that your OS vendor includes" + echo "/dev/random in future versions of their OS." + echo "" +fi Only in openssh-2.3.0p1/contrib: cygwin Only in openssh-2.3.0p1/contrib: hpux diff -ru openssh-2.2.0p1/contrib/redhat/openssh.spec openssh-2.3.0p1/contrib/redhat/openssh.spec --- openssh-2.2.0p1/contrib/redhat/openssh.spec 2000-09-01 14:14:37.000000000 +1100 +++ openssh-2.3.0p1/contrib/redhat/openssh.spec 2000-11-06 13:06:43.000000000 +1100 @@ -1,8 +1,8 @@ # Version of OpenSSH -%define oversion 2.2.0p1 +%define oversion 2.3.0p1 # Version of ssh-askpass -%define aversion 1.0.1 +%define aversion 1.0.3 # Do we want to disable building of x11-askpass? (1=yes 0=no) %define no_x11_askpass 0 
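Review bot: The new summary block prints host, compiler and flags but not the install mode chosen by `--enable-suid-ssh`, which is the one configure decision in this diff that changes the privilege of the installed ssh binary. Add `echo "               ssh install mode: ${SSHMODE}"` next to the Libraries line so a setuid-root install is visible in the build log. The same line belongs in the generated configure hunk at -6912 once configure is regenerated.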
@@ -17,23 +17,24 @@ Packager: Damien Miller URL: http://www.openssh.com/ Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{oversion}.tar.gz +%if ! %{no_x11_askpass} Source1: http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz +%endif Copyright: BSD Group: Applications/Internet BuildRoot: /tmp/openssh-%{version}-buildroot Obsoletes: ssh PreReq: openssl >= 0.9.5a Requires: openssl >= 0.9.5a -BuildPreReq: perl -BuildPreReq: openssl-devel -BuildPreReq: tcp_wrappers +BuildPreReq: perl, openssl-devel, tcp_wrappers +BuildPreReq: /bin/login, /usr/bin/rsh, /usr/include/security/pam_appl.h %if ! %{no_gnome_askpass} BuildPreReq: gnome-libs-devel %endif %package clients Summary: OpenSSH Secure Shell protocol clients -Requires: openssh +Requires: openssh = %{version}-%{release} Group: Applications/Internet Obsoletes: ssh-clients @@ -41,18 +42,19 @@ Summary: OpenSSH Secure Shell protocol server (sshd) Group: System Environment/Daemons Obsoletes: ssh-server -PreReq: openssh chkconfig >= 0.9 +PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9 +Requires: initscripts >= 4.16 %package askpass Summary: OpenSSH X11 passphrase dialog Group: Applications/Internet -Requires: openssh +Requires: openssh = %{version}-%{release} Obsoletes: ssh-extras %package askpass-gnome Summary: OpenSSH GNOME passphrase dialog Group: Applications/Internet -Requires: openssh +Requires: openssh = %{version}-%{release} Obsoletes: ssh-extras %description @@ -64,7 +66,7 @@ OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it up to date in terms of security and features, as well as removing all -patented algorithms to seperate libraries (OpenSSL). +patented algorithms to separate libraries (OpenSSL). This package includes the core files necessary for both the OpenSSH client and server. To make this package useful, you should also 
@@ -79,7 +81,7 @@ OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it up to date in terms of security and features, as well as removing all -patented algorithms to seperate libraries (OpenSSL). +patented algorithms to separate libraries (OpenSSL). This package includes the clients necessary to make encrypted connections to SSH servers. @@ -93,7 +95,7 @@ OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it up to date in terms of security and features, as well as removing all -patented algorithms to seperate libraries (OpenSSL). +patented algorithms to separate libraries (OpenSSL). This package contains the secure shell daemon. The sshd is the server part of the secure shell protocol and allows ssh clients to connect to @@ -108,7 +110,7 @@ OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it up to date in terms of security and features, as well as removing all -patented algorithms to seperate libraries (OpenSSL). +patented algorithms to separate libraries (OpenSSL). This package contains Jim Knoble's X11 passphrase dialog. 
@@ -122,90 +124,70 @@ OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it up to date in terms of security and features, as well as removing all -patented algorithms to seperate libraries (OpenSSL). +patented algorithms to separate libraries (OpenSSL). This package contains the GNOME passphrase dialog. -%changelog -* Tue Aug 08 2000 Damien Miller -- Some surgery to sshd.init (generate keys at runtime) -- Cleanup of groups and removal of keygen calls -* Wed Jul 12 2000 Damien Miller -- Make building of X11-askpass and gnome-askpass optional -* Mon Jun 12 2000 Damien Miller -- Glob manpages to catch compressed files -* Wed Mar 15 2000 Damien Miller -- Updated for new location -- Updated for new gnome-ssh-askpass build -* Sun Dec 26 1999 Damien Miller -- Added Jim Knoble's askpass -* Mon Nov 15 1999 Damien Miller -- Split subpackages further based on patch from jim knoble -* Sat Nov 13 1999 Damien Miller -- Added 'Obsoletes' directives -* Tue Nov 09 1999 Damien Miller -- Use make install -- Subpackages -* Mon Nov 08 1999 Damien Miller -- Added links for slogin -- Fixed perms on manpages -* Sat Oct 30 1999 Damien Miller -- Renamed init script -* Fri Oct 29 1999 Damien Miller -- Back to old binary names -* Thu Oct 28 1999 Damien Miller -- Use autoconf -- New binary names -* Wed Oct 27 1999 Damien Miller -- Initial RPMification, based on Jan "Yenya" Kasprzak's spec. - %prep -%setup -a 1 +%if ! %{no_x11_askpass} +%setup -q -a 1 +%else +%setup -q +%endif %build -CFLAGS="$RPM_OPT_FLAGS" \ - ./configure --prefix=/usr --sysconfdir=/etc/ssh \ - --with-tcp-wrappers --with-ipv4-default \ - --with-rsh=/usr/bin/rsh +%configure \ + --sysconfdir=%{_sysconfdir}/ssh \ + --libexecdir=%{_libexecdir}/openssh \ + --with-tcp-wrappers \ + --with-ipv4-default \ + --with-rsh=/usr/bin/rsh \ + --with-default-path=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin make %if ! %{no_x11_askpass} -cd x11-ssh-askpass-%{aversion} +pushd x11-ssh-askpass-%{aversion} xmkmf -a make -cd .. 
+popd %endif %if ! %{no_gnome_askpass} -cd contrib +pushd contrib gcc -O -g `gnome-config --cflags gnome gnomeui` \ gnome-ssh-askpass.c -o gnome-ssh-askpass \ `gnome-config --libs gnome gnomeui` -cd .. +popd %endif %install rm -rf $RPM_BUILD_ROOT -make install DESTDIR=$RPM_BUILD_ROOT/ +%{makeinstall} \ + sysconfdir=$RPM_BUILD_ROOT%{_sysconfdir}/ssh \ + libexecdir=$RPM_BUILD_ROOT%{_libexecdir}/openssh \ + DESTDIR=/ # Hack to disable key generation + install -d $RPM_BUILD_ROOT/etc/pam.d/ install -d $RPM_BUILD_ROOT/etc/rc.d/init.d -install -d $RPM_BUILD_ROOT/usr/libexec/ssh +install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd %if ! %{no_x11_askpass} -install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/x11-ssh-askpass -ln -s /usr/libexec/ssh/x11-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/ssh-askpass +install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/openssh/x11-ssh-askpass +ln -s /usr/libexec/openssh/x11-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/openssh/ssh-askpass %endif %if ! %{no_gnome_askpass} -install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/gnome-ssh-askpass +install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/openssh/gnome-ssh-askpass %endif +perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/* + %clean rm -rf $RPM_BUILD_ROOT 
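Review bot: In the rewritten `%install` section the askpass `install -s` and `ln -s` lines hard-code `/usr/libexec/openssh` while every other path in this hunk uses `%{_libexecdir}/openssh`, so a build with a non-default `_libexecdir` installs the dialogs outside the packaged directory and the `%files` entries miss them. Use the macro in all three: `install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass`, `ln -s %{_libexecdir}/openssh/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass`, `install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass`. The `perl -pi -e "s|$RPM_BUILD_ROOT||g"` pass over the man pages would benefit from a comment saying which installed strings it is scrubbing, since it rewrites files in place.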
@@ -224,31 +206,33 @@ %files %defattr(-,root,root) %doc ChangeLog OVERVIEW COPYING.Ylonen README* INSTALL -%doc CREDITS UPGRADING -%attr(0755,root,root) /usr/bin/ssh-keygen -%attr(0755,root,root) /usr/bin/scp -%attr(0644,root,root) /usr/man/man1/ssh-keygen.1* -%attr(0644,root,root) /usr/man/man1/scp.1* -%attr(0755,root,root) %dir /etc/ssh -%attr(0755,root,root) %dir /usr/libexec/ssh +%doc CREDITS LICENCE +%attr(0755,root,root) %{_bindir}/ssh-keygen +%attr(0755,root,root) %{_bindir}/scp +%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1* +%attr(0644,root,root) %{_mandir}/man1/scp.1* +%attr(0755,root,root) %dir %{_sysconfdir}/ssh +%attr(0755,root,root) %dir %{_libexecdir}/openssh %files clients %defattr(-,root,root) -%attr(4755,root,root) /usr/bin/ssh -%attr(0755,root,root) /usr/bin/ssh-agent -%attr(0755,root,root) /usr/bin/ssh-add -%attr(0644,root,root) /usr/man/man1/ssh.1* -%attr(0644,root,root) /usr/man/man1/ssh-agent.1* -%attr(0644,root,root) /usr/man/man1/ssh-add.1* -%attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config -%attr(-,root,root) /usr/bin/slogin -%attr(-,root,root) /usr/man/man1/slogin.1* +%attr(4755,root,root) %{_bindir}/ssh +%attr(0755,root,root) %{_bindir}/ssh-agent +%attr(0755,root,root) %{_bindir}/ssh-add +%attr(0644,root,root) %{_mandir}/man1/ssh.1* +%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1* +%attr(0644,root,root) %{_mandir}/man1/ssh-add.1* +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config +%attr(-,root,root) %{_bindir}/slogin +%attr(-,root,root) %{_mandir}/man1/slogin.1* %files server %defattr(-,root,root) -%attr(0755,root,root) /usr/sbin/sshd -%attr(0644,root,root) /usr/man/man8/sshd.8* -%attr(0600,root,root) %config(noreplace) /etc/ssh/sshd_config +%attr(0755,root,root) %{_sbindir}/sshd +%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server +%attr(0644,root,root) %{_mandir}/man8/sshd.8* +%attr(0644,root,root) %{_mandir}/man8/sftp-server.8* +%attr(0600,root,root) %config(noreplace) 
%{_sysconfdir}/ssh/sshd_config
 %attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
 %attr(0755,root,root) %config /etc/rc.d/init.d/sshd
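Review bot: `%attr(4755,root,root) %{_bindir}/ssh` keeps the client setuid root; the hunk only re-expresses the old `/usr/bin/ssh` line through a macro, so the bit is carried over rather than introduced, but nothing in the spec says why it is there. A one-line comment above it — e.g. `# setuid root: presumably needed for the privileged source port / host-key access that rhosts-style authentication uses; drop if that method is disabled` — would let a packager decide whether the bit is still required on their build. The new `sftp-server` entry in `%files server` is placed under `%{_libexecdir}/openssh`, whose `%dir` entry lives in the base package, which is consistent with the `Requires: openssh` the server subpackage presumably carries.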
@@ -258,12 +242,51 @@ %doc x11-ssh-askpass-%{aversion}/README %doc x11-ssh-askpass-%{aversion}/ChangeLog %doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad -%attr(0755,root,root) /usr/libexec/ssh/ssh-askpass -%attr(0755,root,root) /usr/libexec/ssh/x11-ssh-askpass +%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass +%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass %endif %if ! %{no_gnome_askpass} %files askpass-gnome %defattr(-,root,root) -%attr(0755,root,root) /usr/libexec/ssh/gnome-ssh-askpass +%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass %endif + +%changelog +* Mon Oct 18 2000 Damien Miller +- Merge some of Nalin Dahyabhai changes from the + Redhat 7.0 spec file +* Tue Sep 05 2000 Damien Miller +- Use RPM configure macro +* Tue Aug 08 2000 Damien Miller +- Some surgery to sshd.init (generate keys at runtime) +- Cleanup of groups and removal of keygen calls +* Wed Jul 12 2000 Damien Miller +- Make building of X11-askpass and gnome-askpass optional +* Mon Jun 12 2000 Damien Miller +- Glob manpages to catch compressed files +* Wed Mar 15 2000 Damien Miller +- Updated for new location +- Updated for new gnome-ssh-askpass build +* Sun Dec 26 1999 Damien Miller +- Added Jim Knoble's askpass +* Mon Nov 15 1999 Damien Miller +- Split subpackages further based on patch from jim knoble +* Sat Nov 13 1999 Damien Miller +- Added 'Obsoletes' directives +* Tue Nov 09 1999 Damien Miller +- Use make install +- Subpackages +* Mon Nov 08 1999 Damien Miller +- Added links for slogin +- Fixed perms on manpages +* Sat Oct 30 1999 Damien Miller +- Renamed init script +* Fri Oct 29 1999 Damien Miller +- Back to old binary names +* Thu Oct 28 1999 Damien Miller +- Use autoconf +- New binary names +* Wed Oct 27 1999 Damien Miller +- Initial RPMification, based on Jan "Yenya" Kasprzak's spec. 
+ diff -ru openssh-2.2.0p1/contrib/redhat/sshd.init openssh-2.3.0p1/contrib/redhat/sshd.init --- openssh-2.2.0p1/contrib/redhat/sshd.init 2000-08-08 16:53:28.000000000 +1000 +++ openssh-2.3.0p1/contrib/redhat/sshd.init 2000-10-16 12:25:17.000000000 +1100 @@ -57,9 +57,14 @@ echo -n "Starting sshd: " if [ ! -f $PID_FILE ] ; then - daemon sshd + sshd RETVAL=$? - touch /var/lock/subsys/sshd + if [ "$RETVAL" = "0" ] ; then + success "sshd startup" + touch /var/lock/subsys/sshd + else + failure "sshd startup" + fi fi echo ;; @@ -76,12 +81,19 @@ $0 start RETVAL=$? ;; + condrestart) + if [ -f /var/lock/subsys/sshd ] ; then + $0 stop + $0 start + RETVAL=$? + fi + ;; status) status sshd RETVAL=$? ;; *) - echo "Usage: sshd {start|stop|restart|status}" + echo "Usage: sshd {start|stop|restart|status|condrestart}" exit 1 ;; esac diff -ru openssh-2.2.0p1/contrib/suse/openssh.spec openssh-2.3.0p1/contrib/suse/openssh.spec --- openssh-2.2.0p1/contrib/suse/openssh.spec 2000-08-31 11:53:44.000000000 +1100 +++ openssh-2.3.0p1/contrib/suse/openssh.spec 2000-11-06 12:52:25.000000000 +1100 @@ -16,32 +16,12 @@ # TCP Wrappers (nkitb), # and Gnome (glibdev, gtkdev, and gnlibsd) # -BuildPrereq: openssl-devel +BuildPrereq: openssl BuildPrereq: nkitb BuildPrereq: glibdev BuildPrereq: gtkdev BuildPrereq: gnlibsd -%package clients -Summary: OpenSSH Secure Shell protocol clients -Requires: openssh -Group: Applications/Internet -Obsoletes: ssh-clients - -%package server -Summary: OpenSSH Secure Shell protocol server (sshd) -Requires: openssh -Group: System Environment/Daemons -PreReq: openssh -Obsoletes: ssh-server - -%package askpass -Summary: OpenSSH GNOME passphrase dialog -Group: Applications/Internet -Requires: openssh -Obsoletes: ssh-extras -Obsoletes: ssh-askpass - %description Ssh (Secure Shell) a program for logging into a remote machine and for executing commands in a remote machine. It is intended to replace 
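Review bot: In the `start)` branch the stale pid-file case is still silent: when `$PID_FILE` already exists nothing is started, `RETVAL` is left at whatever value it held, and only the `Starting sshd:` prompt is printed, so a pid file left behind by a crash reads like a successful start. An `else` arm on that test, e.g. `else failure "sshd startup ($PID_FILE exists)"; RETVAL=1`, would surface the condition the same way the new `failure "sshd startup"` arm does for a failed exec. `sshd` is also now invoked by bare name instead of through `daemon`, so which binary runs depends on the init script's PATH; using the path the spec installs, `/usr/sbin/sshd` (`%{_sbindir}/sshd` in the Red Hat spec above), removes that dependency. The `condrestart` case in the second hunk mirrors `restart` correctly.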
@@ -53,51 +33,9 @@ up to date in terms of security and features, as well as removing all patented algorithms to seperate libraries (OpenSSL). -This package includes the core files necessary for both the OpenSSH -client and server. To make this package useful, you should also -install openssh-clients, openssh-server, or both. - -%description clients -Ssh (Secure Shell) a program for logging into a remote machine and for -executing commands in a remote machine. It is intended to replace -rlogin and rsh, and provide secure encrypted communications between -two untrusted hosts over an insecure network. X11 connections and -arbitrary TCP/IP ports can also be forwarded over the secure channel. - -OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it -up to date in terms of security and features, as well as removing all -patented algorithms to seperate libraries (OpenSSL). - -This package includes the clients necessary to make encrypted connections -to SSH servers. - -%description server -Ssh (Secure Shell) a program for logging into a remote machine and for -executing commands in a remote machine. It is intended to replace -rlogin and rsh, and provide secure encrypted communications between -two untrusted hosts over an insecure network. X11 connections and -arbitrary TCP/IP ports can also be forwarded over the secure channel. - -OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it -up to date in terms of security and features, as well as removing all -patented algorithms to seperate libraries (OpenSSL). - -This package contains the secure shell daemon. The sshd is the server -part of the secure shell protocol and allows ssh clients to connect to -your host. - -%description askpass -Ssh (Secure Shell) a program for logging into a remote machine and for -executing commands in a remote machine. It is intended to replace -rlogin and rsh, and provide secure encrypted communications between -two untrusted hosts over an insecure network. 
X11 connections and -arbitrary TCP/IP ports can also be forwarded over the secure channel. - -OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it -up to date in terms of security and features, as well as removing all -patented algorithms to seperate libraries (OpenSSL). - -This package contains the GNOME passphrase dialog. +This package includes all files necessary for both the OpenSSH +client and server. Additionally, this package contains the GNOME +passphrase dialog. %changelog * Mon Jun 12 2000 Damien Miller @@ -151,7 +89,7 @@ %build CFLAGS="$RPM_OPT_FLAGS" \ ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-gnome-askpass \ - --with-tcp-wrappers --with-ipv4-default + --with-tcp-wrappers --with-ipv4-default --libexecdir=/usr/lib/ssh make cd contrib @@ -167,19 +105,19 @@ install -d $RPM_BUILD_ROOT/etc/pam.d/ install -d $RPM_BUILD_ROOT/sbin/init.d/ install -d $RPM_BUILD_ROOT/var/adm/fillup-templates -install -d $RPM_BUILD_ROOT/usr/libexec/ssh -install -m644 sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd +install -d $RPM_BUILD_ROOT/usr/lib/ssh +install -m644 contrib/sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/sbin/init.d/sshd ln -s ../../sbin/init.d/sshd $RPM_BUILD_ROOT/usr/sbin/rcsshd -install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/gnome-ssh-askpass -ln -s gnome-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/ssh-askpass +install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/lib/ssh/gnome-ssh-askpass +ln -s gnome-ssh-askpass $RPM_BUILD_ROOT/usr/lib/ssh/ssh-askpass install -m744 contrib/suse/rc.config.sshd \ $RPM_BUILD_ROOT/var/adm/fillup-templates %clean rm -rf $RPM_BUILD_ROOT -%post server +%post if [ "$1" = 1 ]; then echo "Creating SSH stop/start scripts in the rc directories..." ln -s ../sshd /sbin/init.d/rc2.d/K20sshd @@ -209,7 +147,7 @@ /usr/sbin/rcsshd restart >&2 fi -%preun server +%preun if [ "$1" = 0 ] then echo "Stopping the SSH daemon..." 
@@ -224,38 +162,29 @@ %files %defattr(-,root,root) %doc COPYING.Ylonen ChangeLog OVERVIEW README* -%doc RFC.nroff TODO UPGRADING CREDITS +%doc RFC.nroff TODO CREDITS LICENSE +%attr(0755,root,root) %dir /etc/ssh +%attr(0644,root,root) %config /etc/ssh/ssh_config +%attr(0600,root,root) %config /etc/ssh/sshd_config +%attr(0644,root,root) %config /etc/pam.d/sshd +%attr(0755,root,root) %config /sbin/init.d/sshd %attr(0755,root,root) /usr/bin/ssh-keygen %attr(0755,root,root) /usr/bin/scp -%attr(0644,root,root) %doc /usr/man/man1/ssh-keygen.1* -%attr(0644,root,root) %doc /usr/man/man1/scp.1* -%attr(0755,root,root) %dir /etc/ssh -%attr(0755,root,root) %dir /usr/libexec/ssh - -%files clients -%defattr(-,root,root) %attr(4755,root,root) /usr/bin/ssh +%attr(-,root,root) /usr/bin/slogin %attr(0755,root,root) /usr/bin/ssh-agent %attr(0755,root,root) /usr/bin/ssh-add +%attr(0755,root,root) /usr/sbin/sshd +%attr(-,root,root) /usr/sbin/rcsshd +%attr(0755,root,root) %dir /usr/lib/ssh +%attr(0755,root,root) /usr/lib/ssh/ssh-askpass +%attr(0755,root,root) /usr/lib/ssh/gnome-ssh-askpass +%attr(0644,root,root) %doc /usr/man/man1/scp.1* %attr(0644,root,root) %doc /usr/man/man1/ssh.1* +%attr(-,root,root) %doc /usr/man/man1/slogin.1* %attr(0644,root,root) %doc /usr/man/man1/ssh-agent.1* %attr(0644,root,root) %doc /usr/man/man1/ssh-add.1* -%attr(0644,root,root) %config /etc/ssh/ssh_config -%attr(-,root,root) /usr/bin/slogin -%attr(-,root,root) %doc /usr/man/man1/slogin.1* - -%files server -%defattr(-,root,root) -%attr(0755,root,root) /usr/sbin/sshd +%attr(0644,root,root) %doc /usr/man/man1/ssh-keygen.1* %attr(0644,root,root) %doc /usr/man/man8/sshd.8* -%attr(0600,root,root) %config /etc/ssh/sshd_config -%attr(0644,root,root) %config /etc/pam.d/sshd -%attr(0755,root,root) %config /sbin/init.d/sshd -%attr(-,root,root) /usr/sbin/rcsshd %attr(0644,root,root) /var/adm/fillup-templates/rc.config.sshd -%files askpass -%defattr(-,root,root) -%attr(0755,root,root) /usr/libexec/ssh/ssh-askpass 
-%attr(0755,root,root) /usr/libexec/ssh/gnome-ssh-askpass
-
diff -ru openssh-2.2.0p1/crc32.c openssh-2.3.0p1/crc32.c
--- openssh-2.2.0p1/crc32.c 2000-08-23 10:46:24.000000000 +1000
+++ openssh-2.3.0p1/crc32.c 2000-09-16 13:29:09.000000000 +1100
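Review bot: The new `%config /etc/ssh/ssh_config`, `%config /etc/ssh/sshd_config` and `%config /etc/pam.d/sshd` lines are plain `%config`, unlike the Red Hat spec earlier in this diff which marks the same files `%config(noreplace)`; on upgrade rpm will install the packaged `sshd_config` over a locally hardened one (leaving the old copy as `.rpmsave`), so an administrator's restrictions are reverted until someone notices. `%config(noreplace)` on these three lines keeps local policy in place. The `%post` stanza in the earlier hunk appears to restart the daemon (`/usr/sbin/rcsshd restart`), which would make the reverted configuration live immediately.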
@@ -1,55 +1,48 @@ /* - * The implementation here was originally done by Gary S. Brown. - * I have borrowed the tables directly, and made some minor changes - * to the crc32-function (including changing the interface). - * //ylo + * COPYRIGHT (C) 1986 Gary S. Brown. You may use this program, or + * code or tables extracted from it, as desired without restriction. + * + * First, the polynomial itself and its table of feedback terms. The + * polynomial is + * X^32+X^26+X^23+X^22+X^16+X^12+X^11+X^10+X^8+X^7+X^5+X^4+X^2+X^1+X^0 + * + * Note that we take it "backwards" and put the highest-order term in + * the lowest-order bit. The X^32 term is "implied"; the LSB is the + * X^31 term, etc. The X^0 term (usually shown as "+1") results in + * the MSB being 1 + * + * Note that the usual hardware shift register implementation, which + * is what we're using (we're merely optimizing it by doing eight-bit + * chunks at a time) shifts bits into the lowest-order term. In our + * implementation, that means shifting towards the right. Why do we + * do it this way? Because the calculated CRC must be transmitted in + * order from highest-order term to lowest-order term. UARTs transmit + * characters in order from LSB to MSB. By storing the CRC this way + * we hand it to the UART in the order low-byte to high-byte; the UART + * sends each low-bit to hight-bit; and the result is transmission bit + * by bit from highest- to lowest-order term without requiring any bit + * shuffling on our part. Reception works similarly + * + * The feedback terms table consists of 256, 32-bit entries. Notes + * + * The table can be generated at runtime if desired; code to do so + * is shown later. It might not be obvious, but the feedback + * terms simply represent the results of eight shift/xor opera + * tions for all combinations of data and CRC register values + * + * The values must be right-shifted by eight bits by the "updcrc + * logic; the shift must be unsigned (bring in zeroes). 
On some + * hardware you could probably optimize the shift in assembler by + * using byte-swap instructions + * polynomial $edb88320 */ + #include "includes.h" -RCSID("$OpenBSD: crc32.c,v 1.6 2000/08/19 02:17:12 deraadt Exp $"); +RCSID("$OpenBSD: crc32.c,v 1.7 2000/09/07 20:27:51 deraadt Exp $"); #include "crc32.h" - /* ============================================================= */ - /* COPYRIGHT (C) 1986 Gary S. Brown. You may use this program, or */ - /* code or tables extracted from it, as desired without restriction. */ - /* */ - /* First, the polynomial itself and its table of feedback terms. The */ - /* polynomial is */ - /* X^32+X^26+X^23+X^22+X^16+X^12+X^11+X^10+X^8+X^7+X^5+X^4+X^2+X^1+X^0 */ - /* */ - /* Note that we take it "backwards" and put the highest-order term in */ - /* the lowest-order bit. The X^32 term is "implied"; the LSB is the */ - /* X^31 term, etc. The X^0 term (usually shown as "+1") results in */ - /* the MSB being 1. */ - /* */ - /* Note that the usual hardware shift register implementation, which */ - /* is what we're using (we're merely optimizing it by doing eight-bit */ - /* chunks at a time) shifts bits into the lowest-order term. In our */ - /* implementation, that means shifting towards the right. Why do we */ - /* do it this way? Because the calculated CRC must be transmitted in */ - /* order from highest-order term to lowest-order term. UARTs transmit */ - /* characters in order from LSB to MSB. By storing the CRC this way, */ - /* we hand it to the UART in the order low-byte to high-byte; the UART */ - /* sends each low-bit to hight-bit; and the result is transmission bit */ - /* by bit from highest- to lowest-order term without requiring any bit */ - /* shuffling on our part. Reception works similarly. */ - /* */ - /* The feedback terms table consists of 256, 32-bit entries. Notes: */ - /* */ - /* The table can be generated at runtime if desired; code to do so */ - /* is shown later. 
It might not be obvious, but the feedback */ - /* terms simply represent the results of eight shift/xor opera- */ - /* tions for all combinations of data and CRC register values. */ - /* */ - /* The values must be right-shifted by eight bits by the "updcrc" */ - /* logic; the shift must be unsigned (bring in zeroes). On some */ - /* hardware you could probably optimize the shift in assembler by */ - /* using byte-swap instructions. */ - /* polynomial $edb88320 */ - /* */ - /* -------------------------------------------------------------------- */ - static unsigned int crc32_tab[] = { 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, diff -ru openssh-2.2.0p1/crc32.h openssh-2.3.0p1/crc32.h --- openssh-2.2.0p1/crc32.h 2000-08-23 10:46:24.000000000 +1000 +++ openssh-2.3.0p1/crc32.h 2000-09-16 13:29:09.000000000 +1100 @@ -1,19 +1,17 @@ /* - * - * crc32.h - * * Author: Tatu Ylonen - * * Copyright (c) 1992 Tatu Ylonen, Espoo, Finland * All rights reserved - * - * Created: Tue Feb 11 14:37:27 1992 ylo - * * Functions for computing 32-bit CRC. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: crc32.h,v 1.7 2000/08/19 21:29:40 deraadt Exp $"); */ +/* RCSID("$OpenBSD: crc32.h,v 1.8 2000/09/07 20:27:51 deraadt Exp $"); */ #ifndef CRC32_H #define CRC32_H Only in openssh-2.3.0p1: cygwin_util.c Only in openssh-2.3.0p1: cygwin_util.h diff -ru openssh-2.2.0p1/deattack.c openssh-2.3.0p1/deattack.c --- openssh-2.2.0p1/deattack.c 2000-08-23 10:46:24.000000000 +1000 +++ openssh-2.3.0p1/deattack.c 2000-11-05 16:42:36.000000000 +1100 
@@ -1,5 +1,6 @@ +/* $OpenBSD: deattack.c,v 1.10 2000/10/31 13:18:53 markus Exp $ */ + /* - * $OpenBSD: deattack.c,v 1.8 2000/08/19 02:17:12 deraadt Exp $ * Cryptographic attack detector for ssh - source code * * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. @@ -84,7 +85,7 @@ detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV) { static u_int16_t *h = (u_int16_t *) NULL; - static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE; + static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; register u_int32_t i, j; u_int32_t l; register unsigned char *c; diff -ru openssh-2.2.0p1/defines.h openssh-2.3.0p1/defines.h --- openssh-2.2.0p1/defines.h 2000-08-29 11:33:51.000000000 +1100 +++ openssh-2.3.0p1/defines.h 2000-10-20 09:14:05.000000000 +1100 @@ -1,15 +1,22 @@ #ifndef _DEFINES_H #define _DEFINES_H +/* Some platforms need this for the _r() functions */ +#if !defined(_REENTRANT) && !defined(SNI) +# define _REENTRANT 1 +#endif + /* Necessary headers */ #include /* For [u]intxx_t */ #include /* For SHUT_XXXX */ #include /* For MAXPATHLEN */ -#include /* For SUN_LEN */ #include /* For typedefs */ #include /* For IPv6 macros */ #include /* For IPTOS macros */ +#ifdef HAVE_SYS_UN_H +# include /* For SUN_LEN */ +#endif #ifdef HAVE_SYS_BITYPES_H # include /* For u_intXX_t */ #endif @@ -34,8 +41,12 @@ #ifdef HAVE_SYS_STAT_H # include /* For S_* constants and macros */ #endif +#ifdef HAVE_NEXT +# include +#endif #include /* For STDIN_FILENO, etc */ +#include /* Struct winsize */ /* Constants */ @@ -123,18 +134,6 @@ # else # error "32 bit int type not found." # endif -/* -# if (SIZEOF_LONG_INT == 8) -typedef long int int64_t; -# else -# if (SIZEOF_LONG_LONG_INT == 8) -typedef long long int int64_t; -# define HAVE_INTXX_T 1 -# else -# error "64 bit int type not found." -# endif -# endif -*/ #endif /* If sys/types.h does not supply u_intXX_t, supply them ourselves */ 
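Review bot: The widening of `n` from `u_int16_t` to `u_int32_t` deserves a comment at the declaration, because the reason is not visible there: `len` is a `u_int32_t` in the signature, and the table size kept in `n` is presumably derived from it further down, so a 16-bit `n` silently truncates for large inputs and the table `h` ends up smaller than the index range computed from `len`. Something like `/* same width as len: a 16-bit n truncates the table size for large packets */` records that. The rest of `detect_attack` — where `n` is recomputed and where `h` is indexed — lies outside this hunk, so it is worth confirming that every other variable derived from `n` or used as an index into `h` is also at least 32 bits wide.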
@@ -143,9 +142,6 @@ typedef uint8_t u_int8_t; typedef uint16_t u_int16_t; typedef uint32_t u_int32_t; -/* -typedef uint64_t u_int64_t; -*/ # define HAVE_U_INTXX_T 1 # else # if (SIZEOF_CHAR == 1) @@ -163,18 +159,32 @@ # else # error "32 bit int type not found." # endif -/* -# if (SIZEOF_LONG_INT == 8) -typedef unsigned long int u_int64_t; +# endif +#endif + +/* 64-bit types */ +#ifndef HAVE_INT64_T +# if (SIZEOF_LONG_INT == 8) +typedef long int int64_t; +# else +# if (SIZEOF_LONG_LONG_INT == 8) +typedef long long int int64_t; +# define HAVE_INTXX_T 1 # else -# if (SIZEOF_LONG_LONG_INT == 8) +# error "64 bit int type not found." +# endif +# endif +#endif +#ifndef HAVE_U_INT64_T +# if (SIZEOF_LONG_INT == 8) +typedef unsigned long int u_int64_t; +# else +# if (SIZEOF_LONG_LONG_INT == 8) typedef unsigned long long int u_int64_t; -# define HAVE_U_INTXX_T 1 -# else -# error "64 bit int type not found." -# endif +# define HAVE_U_INTXX_T 1 +# else +# error "64 bit int type not found." # endif -*/ # endif #endif @@ -212,6 +222,23 @@ # define ss_family __ss_family #endif /* !defined(HAVE_SS_FAMILY_IN_SS) && defined(HAVE_SA_FAMILY_IN_SS) */ +#ifndef HAVE_SYS_UN_H +struct sockaddr_un { + short sun_family; /* AF_UNIX */ + char sun_path[108]; /* path name (gag) */ +}; +#endif /* HAVE_SYS_UN_H */ + +#if defined(BROKEN_SYS_TERMIO_H) && !defined(_STRUCT_WINSIZE) +#define _STRUCT_WINSIZE +struct winsize { + unsigned short ws_row; /* rows, in characters */ + unsigned short ws_col; /* columns, in character */ + unsigned short ws_xpixel; /* horizontal size, pixels */ + unsigned short ws_ypixel; /* vertical size, pixels */ +}; +#endif + /* Paths */ #ifndef _PATH_BSHELL @@ -248,6 +275,8 @@ #ifndef _PATH_RSH # ifdef RSH_PATH # define _PATH_RSH RSH_PATH +# else /* RSH_PATH */ +# define _PATH_RSH "/usr/bin/rsh" # endif /* RSH_PATH */ #endif /* _PATH_RSH */ 
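Review bot: In the new `int64_t` / `u_int64_t` fallbacks (`@@ -163,18 +159,32 @@`) the `long long` branches define `HAVE_INTXX_T 1` and `HAVE_U_INTXX_T 1`, which look copied from the 32-bit blocks above: the guards these blocks actually test are `HAVE_INT64_T` and `HAVE_U_INT64_T`, neither branch defines those after the typedef, and the `long int` branches define nothing at all. Defining the guard each block tests — `# define HAVE_INT64_T 1` and `# define HAVE_U_INT64_T 1` — in both branches, and dropping the stray `HAVE_INTXX_T` lines if nothing else depends on them, keeps the 64-bit blocks symmetric with the intXX ones. In the `@@ -212,6 +222,23 @@` hunk the `struct sockaddr_un` fallback hard-codes `sun_path[108]`; a comment naming which platform's layout that size follows would help whoever next ports this.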
@@ -255,6 +284,11 @@ # define _PATH_NOLOGIN "/etc/nologin" #endif +/* Define this to be the path of the xauth program. */ +#ifndef XAUTH_PATH +#define XAUTH_PATH "/usr/X11R6/bin/xauth" +#endif /* XAUTH_PATH */ + /* Macros */ #if defined(HAVE_LOGIN_GETCAPBOOL) && defined(HAVE_LOGIN_CAP_H) @@ -320,8 +354,29 @@ #if !defined(HAVE_ATEXIT) && defined(HAVE_ON_EXIT) # define atexit(a) on_exit(a) +#else +# if defined(HAVE_XATEXIT) +# define atexit(a) xatexit(a) +# endif /* defined(HAVE_XATEXIT) */ #endif /* !defined(HAVE_ATEXIT) && defined(HAVE_ON_EXIT) */ +#if defined(HAVE_VHANGUP) && !defined(BROKEN_VHANGUP) +# define USE_VHANGUP +#endif /* defined(HAVE_VHANGUP) && !defined(BROKEN_VHANGUP) */ + +#ifndef GETPGRP_VOID +# define getpgrp() getpgrp(0) +#endif + +/* + * Define this to use pipes instead of socketpairs for communicating with the + * client program. Socketpairs do not seem to work on all systems. + * + * configure.in sets this for a few OS's which are known to have problems + * but you may need to set it yourself + */ +/* #define USE_PIPES 1 */ + /** ** login recorder definitions **/ Only in openssh-2.3.0p1: dh.c Only in openssh-2.3.0p1: dh.h diff -ru openssh-2.2.0p1/dispatch.c openssh-2.3.0p1/dispatch.c --- openssh-2.2.0p1/dispatch.c 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/dispatch.c 2000-09-23 17:15:57.000000000 +1100 
@@ -9,11 +9,6 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Markus Friedl. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES @@ -27,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: dispatch.c,v 1.3 2000/06/20 01:39:41 markus Exp $"); +RCSID("$OpenBSD: dispatch.c,v 1.5 2000/09/21 11:25:34 markus Exp $"); #include "ssh.h" #include "dispatch.h" #include "packet.h" @@ -38,7 +33,7 @@ dispatch_fn *dispatch[DISPATCH_MAX]; void -dispatch_protocol_error(int type, int plen) +dispatch_protocol_error(int type, int plen, void *ctxt) { error("Hm, dispatch protocol error: type %d plen %d", type, plen); } @@ -55,7 +50,7 @@ dispatch[type] = fn; } void -dispatch_run(int mode, int *done) +dispatch_run(int mode, int *done, void *ctxt) { for (;;) { int plen; @@ -69,7 +64,7 @@ return; } if (type > 0 && type < DISPATCH_MAX && dispatch[type] != NULL) - (*dispatch[type])(type, plen); + (*dispatch[type])(type, plen, ctxt); else packet_disconnect("protocol error: rcvd type %d", type); if (done != NULL && *done) diff -ru openssh-2.2.0p1/dispatch.h openssh-2.3.0p1/dispatch.h --- openssh-2.2.0p1/dispatch.h 2000-04-01 11:09:24.000000000 +1000 +++ openssh-2.3.0p1/dispatch.h 2000-09-23 17:15:57.000000000 +1100 
@@ -1,11 +1,34 @@ +/* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ enum { DISPATCH_BLOCK, DISPATCH_NONBLOCK }; -typedef void dispatch_fn(int type, int plen); +typedef void dispatch_fn(int type, int plen, void *ctxt); void dispatch_init(dispatch_fn *dflt); void dispatch_set(int type, dispatch_fn *fn); -void dispatch_run(int mode, int *done); -void dispatch_protocol_error(int type, int plen); +void dispatch_run(int mode, int *done, void *ctxt); +void dispatch_protocol_error(int type, int plen, void *ctxt); diff -ru openssh-2.2.0p1/dsa.c openssh-2.3.0p1/dsa.c --- openssh-2.2.0p1/dsa.c 2000-07-21 10:19:45.000000000 +1000 +++ openssh-2.3.0p1/dsa.c 2000-09-16 13:29:09.000000000 +1100 
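Review bot: The new `void *ctxt` parameter on `dispatch_fn`, `dispatch_run` and `dispatch_protocol_error` is undocumented; nothing in this header says who owns it, what it points to, or whether a handler may retain it. A comment on the typedef such as `/* ctxt: opaque pointer supplied by the caller of dispatch_run() and passed unchanged to every handler; the dispatcher itself never dereferences it */` would fix that, and it matches the visible code — dispatch.c in this diff only forwards it in `(*dispatch[type])(type, plen, ctxt)`, and `dispatch_protocol_error` ignores it.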
@@ -9,11 +9,6 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Markus Friedl. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES @@ -28,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: dsa.c,v 1.10 2000/07/20 00:33:12 markus Exp $"); +RCSID("$OpenBSD: dsa.c,v 1.11 2000/09/07 20:27:51 deraadt Exp $"); #include "ssh.h" #include "xmalloc.h" diff -ru openssh-2.2.0p1/dsa.h openssh-2.3.0p1/dsa.h --- openssh-2.2.0p1/dsa.h 2000-04-29 23:57:10.000000000 +1000 +++ openssh-2.3.0p1/dsa.h 2000-09-16 13:29:09.000000000 +1100 
@@ -1,3 +1,26 @@ +/* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ #ifndef DSA_H #define DSA_H diff -ru openssh-2.2.0p1/entropy.c openssh-2.3.0p1/entropy.c --- openssh-2.2.0p1/entropy.c 2000-07-15 14:59:15.000000000 +1000 +++ openssh-2.3.0p1/entropy.c 2000-10-16 20:13:43.000000000 +1100 
@@ -9,11 +9,6 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Markus Friedl. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES @@ -40,15 +35,12 @@ # include #endif /* HAVE_FLOATINGPOINT_H */ -RCSID("$Id: entropy.c,v 1.18 2000/07/15 04:59:15 djm Exp $"); +RCSID("$Id: entropy.c,v 1.21 2000/10/16 09:13:43 djm Exp $"); #ifndef offsetof # define offsetof(type, member) ((size_t) &((type *)0)->member) #endif -/* Print lots of detail */ -/* #define DEBUG_ENTROPY */ - /* Number of times to pass through command list gathering entropy */ #define NUM_ENTROPY_RUNS 1 @@ -277,10 +269,8 @@ /* Stir it in */ RAND_add(hash, sizeof(hash), entropy_estimate); -#ifdef DEBUG_ENTROPY - debug("Got %0.2f bytes of entropy from '%s'", entropy_estimate, + debug3("Got %0.2f bytes of entropy from '%s'", entropy_estimate, entropy_sources[c].cmdstring); -#endif total_entropy_estimate += entropy_estimate; @@ -290,10 +280,8 @@ total_entropy_estimate += stir_rusage(RUSAGE_SELF, 0.1); total_entropy_estimate += stir_rusage(RUSAGE_CHILDREN, 0.1); } else { -#ifdef DEBUG_ENTROPY - debug("Command '%s' disabled (badness %d)", + debug2("Command '%s' disabled (badness %d)", entropy_sources[c].cmdstring, entropy_sources[c].badness); -#endif if (entropy_sources[c].badness > 0) entropy_sources[c].badness--; 
@@ -378,6 +366,8 @@ int total_bytes_read; SHA_CTX sha; + debug3("Reading output from \'%s\'", src->cmdstring); + if (devnull == -1) { devnull = open("/dev/null", O_RDWR); if (devnull == -1) @@ -475,12 +465,10 @@ close(p[0]); -#ifdef DEBUG_ENTROPY - debug("Time elapsed: %d msec", msec_elapsed); -#endif + debug3("Time elapsed: %d msec", msec_elapsed); if (waitpid(pid, &status, 0) == -1) { - debug("Couldn't wait for child '%s' completion: %s", src->cmdstring, + error("Couldn't wait for child '%s' completion: %s", src->cmdstring, strerror(errno)); return(0.0); } @@ -491,7 +479,7 @@ /* closing p[0] on timeout causes the entropy command to * SIGPIPE. Take whatever output we got, and mark this command * as slow */ - debug("Command '%s' timed out", src->cmdstring); + debug2("Command '%s' timed out", src->cmdstring); src->sticky_badness *= 2; src->badness = src->sticky_badness; return(total_bytes_read); @@ -501,13 +489,13 @@ if (WEXITSTATUS(status)==0) { return(total_bytes_read); } else { - debug("Command '%s' exit status was %d", src->cmdstring, + debug2("Command '%s' exit status was %d", src->cmdstring, WEXITSTATUS(status)); src->badness = src->sticky_badness = 128; return (0.0); } } else if (WIFSIGNALED(status)) { - debug("Command '%s' returned on uncaught signal %d !", src->cmdstring, + debug2("Command '%s' returned on uncaught signal %d !", src->cmdstring, status); src->badness = src->sticky_badness = 128; return(0.0); @@ -526,10 +514,10 @@ /* FIXME raceable: eg replace seed between this stat and subsequent open */ /* Not such a problem because we don't trust the seed file anyway */ if (lstat(filename, &st) == -1) { - /* Fail on hard errors */ + /* Give up on hard errors */ if (errno != ENOENT) - fatal("Couldn't stat random seed file \"%s\": %s", filename, - strerror(errno)); + debug("WARNING: Couldn't stat random seed file \"%s\": %s", + filename, strerror(errno)); return(0); } 
@@ -539,10 +527,12 @@ fatal("PRNG seedfile %.100s is not a regular file", filename); /* mode 0600, owned by root or the current user? */ - if (((st.st_mode & 0177) != 0) || !(st.st_uid == original_uid)) - fatal("PRNG seedfile %.100s must be mode 0600, owned by uid %d", + if (((st.st_mode & 0177) != 0) || !(st.st_uid == original_uid)) { + debug("WARNING: PRNG seedfile %.100s must be mode 0600, owned by uid %d", filename, getuid()); - + return(0); + } + return(1); } @@ -581,15 +571,16 @@ /* Don't care if the seed doesn't exist */ prng_check_seedfile(filename); - if ((fd = open(filename, O_WRONLY|O_TRUNC|O_CREAT, 0600)) == -1) - fatal("couldn't access PRNG seedfile %.100s (%.100s)", filename, - strerror(errno)); - - if (atomicio(write, fd, &seed, sizeof(seed)) != sizeof(seed)) - fatal("problem writing PRNG seedfile %.100s (%.100s)", filename, - strerror(errno)); + if ((fd = open(filename, O_WRONLY|O_TRUNC|O_CREAT, 0600)) == -1) { + debug("WARNING: couldn't access PRNG seedfile %.100s (%.100s)", + filename, strerror(errno)); + } else { + if (atomicio(write, fd, &seed, sizeof(seed)) != sizeof(seed)) + fatal("problem writing PRNG seedfile %.100s (%.100s)", filename, + strerror(errno)); - close(fd); + close(fd); + } } void diff -ru openssh-2.2.0p1/entropy.h openssh-2.3.0p1/entropy.h --- openssh-2.2.0p1/entropy.h 2000-07-09 22:42:33.000000000 +1000 +++ openssh-2.3.0p1/entropy.h 2000-09-16 16:09:28.000000000 +1100 
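Review bot: The new non-fatal warning in the mode/owner check reports `getuid()` while the condition it describes compares `st.st_uid` against `original_uid`; in a process that has switched uid the message names the wrong owner, which makes the diagnostic misleading exactly when it matters. Change the argument to `filename, original_uid);` so the text matches the test. As in the previous hunk, this "WARNING" is printed at `debug` level and will not be visible by default; `log()` or `error()` would be the appropriate level for a permission problem on PRNG state.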
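Review bot: prng_write_seedfile still discards the result of `prng_check_seedfile(filename)` (the "Don't care if the seed doesn't exist" comment predates this change), and now that a wrong owner or a group/world-readable mode no longer aborts, the function proceeds to `open(... O_WRONLY|O_TRUNC|O_CREAT, 0600)` and writes the fresh PRNG seed into the very file that failed the check; O_CREAT's 0600 only applies to a newly created file, so an existing 0644 seed file keeps its mode and the seed is exposed. Because prng_check_seedfile returns 0 both for ENOENT and for bad permissions, the return value alone cannot gate the write; instead verify the descriptor actually opened with fstat before truncating and writing, which also closes the lstat/open race the FIXME above already acknowledges. The sketch below needs a `struct stat st` local if the function does not already declare one; the function's opening lines are outside the hunk.
```c
	prng_check_seedfile(filename);

	if ((fd = open(filename, O_WRONLY|O_CREAT, 0600)) == -1) {
		debug("WARNING: couldn't access PRNG seedfile %.100s (%.100s)",
		    filename, strerror(errno));
		return;
	}
	/* Re-check on the open descriptor: O_CREAT's 0600 does not apply to a
	 * pre-existing file, and the lstat() in prng_check_seedfile() is racy. */
	if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) ||
	    (st.st_mode & 0177) != 0 || st.st_uid != original_uid) {
		error("Not writing PRNG seed to %.100s: bad mode or owner", filename);
		close(fd);
		return;
	}
	if (ftruncate(fd, 0) == -1)
		fatal("couldn't truncate PRNG seedfile %.100s (%.100s)", filename,
		    strerror(errno));
	if (atomicio(write, fd, &seed, sizeof(seed)) != sizeof(seed))
		fatal("problem writing PRNG seedfile %.100s (%.100s)", filename,
		    strerror(errno));
	close(fd);
```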
@@ -9,11 +9,6 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Markus Friedl. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES diff -ru openssh-2.2.0p1/fake-getnameinfo.c openssh-2.3.0p1/fake-getnameinfo.c --- openssh-2.2.0p1/fake-getnameinfo.c 2000-05-31 11:20:12.000000000 +1000 +++ openssh-2.3.0p1/fake-getnameinfo.c 2000-09-29 10:59:14.000000000 +1100 @@ -22,7 +22,7 @@ if (serv) { snprintf(tmpserv, sizeof(tmpserv), "%d", ntohs(sin->sin_port)); - if (strlen(tmpserv) > servlen) + if (strlen(tmpserv) >= servlen) return EAI_MEMORY; else strcpy(serv, tmpserv); @@ -30,7 +30,7 @@ if (host) { if (flags & NI_NUMERICHOST) { - if (strlen(inet_ntoa(sin->sin_addr)) > hostlen) + if (strlen(inet_ntoa(sin->sin_addr)) >= hostlen) return EAI_MEMORY; strcpy(host, inet_ntoa(sin->sin_addr)); @@ -41,7 +41,7 @@ if (hp == NULL) return EAI_NODATA; - if (strlen(hp->h_name) > hostlen) + if (strlen(hp->h_name) >= hostlen) return EAI_MEMORY; strcpy(host, hp->h_name); diff -ru openssh-2.2.0p1/fake-socket.h openssh-2.3.0p1/fake-socket.h --- openssh-2.2.0p1/fake-socket.h 2000-05-31 11:20:12.000000000 +1000 +++ openssh-2.3.0p1/fake-socket.h 2000-09-16 16:21:29.000000000 +1100 
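Review bot: In the NI_NUMERICHOST branch of fake-getnameinfo.c the corrected length check and the copy each call `inet_ntoa()` separately, so the bounded length and the string actually copied come from two calls into a static buffer rather than one value; the `>=` fix is right, but the check reads more robustly against a single result. Hoist it into a local: `const char *addr = inet_ntoa(sin->sin_addr);` then `if (strlen(addr) >= hostlen) return EAI_MEMORY;` and `strcpy(host, addr);`. The same "measure, then copy" pair applies to `hp->h_name` in the last hunk, where the name comes from a reverse lookup and is untrusted input; the `>=` comparison now correctly reserves room for the terminator.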
@@ -6,17 +6,13 @@ #ifndef HAVE_STRUCT_SOCKADDR_STORAGE # define _SS_MAXSIZE 128 /* Implementation specific max size */ -# define _SS_ALIGNSIZE (sizeof(int)) -# define _SS_PAD1SIZE (_SS_ALIGNSIZE - sizeof(u_short)) -# define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof(u_short) + \ - _SS_PAD1SIZE + _SS_ALIGNSIZE)) +# define _SS_PADSIZE (_SS_MAXSIZE - sizeof (struct sockaddr)) struct sockaddr_storage { - u_short ss_family; - char __ss_pad1[_SS_PAD1SIZE]; - int __ss_align; - char __ss_pad2[_SS_PAD2SIZE]; + struct sockaddr ss_sa; + char __ss_pad2[_SS_PADSIZE]; }; +# define ss_family ss_sa.sa_family #endif /* !HAVE_STRUCT_SOCKADDR_STORAGE */ #ifndef IN6_IS_ADDR_LOOPBACK diff -ru openssh-2.2.0p1/fixprogs openssh-2.3.0p1/fixprogs --- openssh-2.2.0p1/fixprogs 2000-05-18 23:12:50.000000000 +1000 +++ openssh-2.3.0p1/fixprogs 2000-09-16 16:10:56.000000000 +1100 @@ -44,9 +44,9 @@ if (! ($pid = fork())) { # child close STDIN; close STDOUT; close STDERR; - open STDIN, "/dev/null"; - open STDERR, ">/dev/null"; + open (STDIN, "/dev/null"); + open (STDERR, ">/dev/null"); exec $path @args; exit 1; # shouldn't be here } diff -ru openssh-2.2.0p1/getput.h openssh-2.3.0p1/getput.h --- openssh-2.2.0p1/getput.h 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/getput.h 2000-09-16 13:29:09.000000000 +1100 
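Review bot: The replacement `struct sockaddr_storage` in fake-socket.h drops the `int __ss_align` member, so the fallback structure now has only the alignment of `struct sockaddr` (a `u_short` plus `char[14]`); code that declares a `sockaddr_storage` and casts it to `struct sockaddr_in6 *` or `struct sockaddr_in *` can then dereference 32-bit fields through a 2-byte-aligned object, which faults on strict-alignment targets and is undefined behaviour everywhere. Keep the size at 128 but restore an aligning member, e.g. `long __ss_align;` after `ss_sa` with `# define _SS_PADSIZE (_SS_MAXSIZE - sizeof (struct sockaddr) - sizeof (long))`. Separately, `# define ss_family ss_sa.sa_family` is a bare identifier macro that will rewrite any later declaration or field named `ss_family` in headers included after this one; if a system header on one of the fallback platforms uses that name the build breaks in a hard-to-diagnose way, so it is worth a comment noting that risk.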
@@ -1,19 +1,17 @@ /* - * - * getput.h - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Wed Jun 28 22:36:30 1995 ylo - * * Macros for storing and retrieving data in msb first and lsb first order. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: getput.h,v 1.4 2000/06/20 01:39:41 markus Exp $"); */ +/* RCSID("$OpenBSD: getput.h,v 1.5 2000/09/07 20:27:51 deraadt Exp $"); */ #ifndef GETPUT_H #define GETPUT_H diff -ru openssh-2.2.0p1/hmac.c openssh-2.3.0p1/hmac.c --- openssh-2.2.0p1/hmac.c 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/hmac.c 2000-09-16 13:29:09.000000000 +1100 @@ -9,11 +9,6 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Markus Friedl. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 
@@ -28,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: hmac.c,v 1.3 2000/06/20 01:39:41 markus Exp $"); +RCSID("$OpenBSD: hmac.c,v 1.4 2000/09/07 20:27:51 deraadt Exp $"); #include "xmalloc.h" #include "ssh.h" diff -ru openssh-2.2.0p1/hmac.h openssh-2.3.0p1/hmac.h --- openssh-2.2.0p1/hmac.h 2000-04-04 14:39:02.000000000 +1000 +++ openssh-2.3.0p1/hmac.h 2000-09-16 13:29:09.000000000 +1100 @@ -1,3 +1,26 @@ +/* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ #ifndef HMAC_H #define HMAC_H diff -ru openssh-2.2.0p1/hostfile.c openssh-2.3.0p1/hostfile.c --- openssh-2.2.0p1/hostfile.c 2000-06-07 19:55:44.000000000 +1000 +++ openssh-2.3.0p1/hostfile.c 2000-09-16 13:29:09.000000000 +1100 
@@ -1,20 +1,42 @@ /* - * - * hostfile.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Thu Jun 29 07:10:56 1995 ylo - * * Functions for manipulating the known hosts files. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * + * + * Copyright (c) 1999,2000 Markus Friedl. All rights reserved. + * Copyright (c) 1999 Niels Provos. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ #include "includes.h" -RCSID("$OpenBSD: hostfile.c,v 1.19 2000/06/06 19:32:13 markus Exp $"); +RCSID("$OpenBSD: hostfile.c,v 1.20 2000/09/07 20:27:51 deraadt Exp $"); #include "packet.h" #include "match.h" diff -ru openssh-2.2.0p1/hostfile.h openssh-2.3.0p1/hostfile.h --- openssh-2.2.0p1/hostfile.h 2000-04-16 11:18:42.000000000 +1000 +++ openssh-2.3.0p1/hostfile.h 2000-09-16 13:29:09.000000000 +1100 @@ -1,3 +1,14 @@ +/* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland + * All rights reserved + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + */ #ifndef HOSTFILE_H #define HOSTFILE_H diff -ru openssh-2.2.0p1/includes.h openssh-2.3.0p1/includes.h --- openssh-2.2.0p1/includes.h 2000-08-18 14:59:59.000000000 +1000 +++ openssh-2.3.0p1/includes.h 2000-10-18 11:02:25.000000000 +1100 @@ -1,16 +1,14 @@ /* - * - * includes.h - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Thu Mar 23 16:29:37 1995 ylo - * * This file includes most of the needed system headers. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ #ifndef INCLUDES_H @@ -22,6 +20,7 @@ #include "config.h" #include "next-posix.h" +#include "news4-posix.h" #include #include @@ -29,7 +28,9 @@ #include #include +#ifndef HAVE_CYGWIN #include +#endif #include #include 
@@ -38,7 +39,6 @@ #include #include #include -#include #include #include #include @@ -47,6 +47,9 @@ #include #include +#ifdef HAVE_GETOPT_H +#include +#endif #ifdef HAVE_BSTRING_H # include #endif @@ -85,29 +88,12 @@ #ifdef HAVE_SYS_SYSMACROS_H # include #endif - +#ifdef HAVE_VIS_H +# include +#endif #include "version.h" - -/* OpenBSD function replacements */ #include "openbsd-compat.h" - -/* Entropy collection */ +#include "cygwin_util.h" #include "entropy.h" -/* Define this to be the path of the xauth program. */ -#ifndef XAUTH_PATH -#define XAUTH_PATH "/usr/X11R6/bin/xauth" -#endif /* XAUTH_PATH */ - -/* Define this to be the path of the rsh program. */ -#ifndef _PATH_RSH -#define _PATH_RSH "/usr/bin/rsh" -#endif /* _PATH_RSH */ - -/* - * Define this to use pipes instead of socketpairs for communicating with the - * client program. Socketpairs do not seem to work on all systems. - */ -/* #define USE_PIPES 1 */ - -#endif /* INCLUDES_H */ +#endif /* INCLUDES_H */ diff -ru openssh-2.2.0p1/kex.c openssh-2.3.0p1/kex.c --- openssh-2.2.0p1/kex.c 2000-07-11 17:31:38.000000000 +1000 +++ openssh-2.3.0p1/kex.c 2000-10-14 16:23:12.000000000 +1100 @@ -9,11 +9,6 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Markus Friedl. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 
@@ -28,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kex.c,v 1.9 2000/07/10 16:30:25 ho Exp $"); +RCSID("$OpenBSD: kex.c,v 1.12 2000/10/11 20:27:23 markus Exp $"); #include "ssh.h" #include "ssh2.h" @@ -36,7 +31,6 @@ #include "buffer.h" #include "bufaux.h" #include "packet.h" -#include "cipher.h" #include "compat.h" #include @@ -128,11 +122,6 @@ int n = BN_num_bits(dh_pub); int bits_set = 0; - /* we only accept g==2 */ - if (!BN_is_word(dh->g, 2)) { - log("invalid DH base != 2"); - return 0; - } if (dh_pub->neg) { log("invalid public DH value: negativ"); return 0; @@ -150,27 +139,10 @@ } DH * -dh_new_group1() +dh_gen_key(DH *dh) { - static char *group1 = - "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" - "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD" - "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245" - "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED" - "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381" - "FFFFFFFF" "FFFFFFFF"; - DH *dh; - int ret, tries = 0; - dh = DH_new(); - if(dh == NULL) - fatal("DH_new"); - ret = BN_hex2bn(&dh->p, group1); - if(ret<0) - fatal("BN_hex2bn"); - dh->g = BN_new(); - if(dh->g == NULL) - fatal("DH_new g"); - BN_set_word(dh->g, 2); + int tries = 0; + do { if (DH_generate_key(dh) == 0) fatal("DH_generate_key"); 
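Review bot: dh_pub_is_valid loses its `BN_is_word(dh->g, 2)` guard in the `@@ -128` hunk and nothing in this file replaces it, yet with the new group-exchange method the generator and modulus the function later trusts come from the peer rather than from a fixed group; the function now validates only the public value, so a degenerate `g` (0, 1, or p-1) or an undersized `p` is accepted unless the GEX receive path rejects it, and that path is not visible here. At minimum add a generator range check in this function so both key-exchange methods share it: `if (BN_is_zero(dh->g) || BN_is_one(dh->g) || BN_cmp(dh->g, dh->p) >= 0) {` `log("invalid DH generator"); return 0; }`. A minimum bit-length check on `dh->p` belongs wherever the SSH2_MSG_KEX_DH_GEX_GROUP reply is parsed; a comment here pointing at that location would help the next reader. The rest of dh_pub_is_valid and the body of dh_gen_key continue outside the hunk.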
@@ -180,6 +152,52 @@ return dh; } +DH * +dh_new_group_asc(const char *gen, const char *modulus) +{ + DH *dh; + int ret; + + dh = DH_new(); + if (dh == NULL) + fatal("DH_new"); + + if ((ret = BN_hex2bn(&dh->p, modulus)) < 0) + fatal("BN_hex2bn p"); + if ((ret = BN_hex2bn(&dh->g, gen)) < 0) + fatal("BN_hex2bn g"); + + return (dh_gen_key(dh)); +} + +DH * +dh_new_group(BIGNUM *gen, BIGNUM *modulus) +{ + DH *dh; + + dh = DH_new(); + if (dh == NULL) + fatal("DH_new"); + dh->p = modulus; + dh->g = gen; + + return (dh_gen_key(dh)); +} + +DH * +dh_new_group1() +{ + static char *gen = "2", *group1 = + "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" + "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD" + "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245" + "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED" + "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381" + "FFFFFFFF" "FFFFFFFF"; + + return (dh_new_group_asc(gen, group1)); +} + void dump_digest(unsigned char *digest, int len) { 
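Review bot: The error checks in the new dh_new_group_asc can never fire: `BN_hex2bn()` returns the number of hex digits consumed and 0 on failure, never a negative value, so `(ret = BN_hex2bn(&dh->p, modulus)) < 0` lets a malformed or empty constant through with `dh->p`/`dh->g` still NULL, and the failure surfaces later inside `DH_generate_key` as a NULL dereference instead of at the `fatal()` meant for it. Change both tests to `if ((ret = BN_hex2bn(&dh->p, modulus)) == 0)` and `if ((ret = BN_hex2bn(&dh->g, gen)) == 0)` (at which point `ret` is only used for the test and could be dropped). The companion dh_new_group stores the caller's `gen` and `modulus` BIGNUMs directly in the DH and hands it to dh_gen_key, so ownership transfers to the DH and they must not be freed by the caller; that deserves a one-line comment above the function, e.g. `/* Takes ownership of gen and modulus; both are released by DH_free(). */`.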
@@ -242,6 +260,59 @@ } unsigned char * +kex_hash_gex( + char *client_version_string, + char *server_version_string, + char *ckexinit, int ckexinitlen, + char *skexinit, int skexinitlen, + char *serverhostkeyblob, int sbloblen, + int minbits, BIGNUM *prime, BIGNUM *gen, + BIGNUM *client_dh_pub, + BIGNUM *server_dh_pub, + BIGNUM *shared_secret) +{ + Buffer b; + static unsigned char digest[EVP_MAX_MD_SIZE]; + EVP_MD *evp_md = EVP_sha1(); + EVP_MD_CTX md; + + buffer_init(&b); + buffer_put_string(&b, client_version_string, strlen(client_version_string)); + buffer_put_string(&b, server_version_string, strlen(server_version_string)); + + /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */ + buffer_put_int(&b, ckexinitlen+1); + buffer_put_char(&b, SSH2_MSG_KEXINIT); + buffer_append(&b, ckexinit, ckexinitlen); + buffer_put_int(&b, skexinitlen+1); + buffer_put_char(&b, SSH2_MSG_KEXINIT); + buffer_append(&b, skexinit, skexinitlen); + + buffer_put_string(&b, serverhostkeyblob, sbloblen); + buffer_put_int(&b, minbits); + buffer_put_bignum2(&b, prime); + buffer_put_bignum2(&b, gen); + buffer_put_bignum2(&b, client_dh_pub); + buffer_put_bignum2(&b, server_dh_pub); + buffer_put_bignum2(&b, shared_secret); + +#ifdef DEBUG_KEX + buffer_dump(&b); +#endif + + EVP_DigestInit(&md, evp_md); + EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); + EVP_DigestFinal(&md, digest, NULL); + + buffer_free(&b); + +#ifdef DEBUG_KEX + dump_digest(digest, evp_md->md_size); +#endif + return digest; +} + +unsigned char * derive_key(int id, int need, char unsigned *hash, BIGNUM *shared_secret) { Buffer b; 
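Review bot: kex_hash_gex returns a pointer to its function-static `digest`, so the value is silently overwritten by the next call to this function (and, if kex_hash uses the same pattern, possibly by that one too); the callers in the group-exchange code must copy it before any further hashing, and nothing in the new function says so. Add a header comment above the definition such as `/* Returns a pointer to a static buffer that is overwritten on the next call; copy the digest before reuse. */`. The buffer `b` holds `shared_secret` and the whole key-exchange transcript before `buffer_free(&b)`; whether that memory is cleared depends on buffer_free's implementation, which is not visible here, so a short comment stating that expectation would document the assumption for later changes.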
@@ -323,28 +394,9 @@ char *name = get_match(client, server); if (name == NULL) fatal("no matching cipher found: client %s server %s", client, server); - enc->type = cipher_number(name); - - switch (enc->type) { - case SSH_CIPHER_3DES_CBC: - enc->key_len = 24; - enc->iv_len = 8; - enc->block_size = 8; - break; - case SSH_CIPHER_BLOWFISH_CBC: - case SSH_CIPHER_CAST128_CBC: - enc->key_len = 16; - enc->iv_len = 8; - enc->block_size = 8; - break; - case SSH_CIPHER_ARCFOUR: - enc->key_len = 16; - enc->iv_len = 0; - enc->block_size = 8; - break; - default: - fatal("unsupported cipher %s", name); - } + enc->cipher = cipher_by_name(name); + if (enc->cipher == NULL) + fatal("matching cipher is not supported: %s", name); enc->name = name; enc->enabled = 0; enc->iv = NULL; @@ -392,7 +444,11 @@ k->name = get_match(client, server); if (k->name == NULL) fatal("no kex alg"); - if (strcmp(k->name, KEX_DH1) != 0) + if (strcmp(k->name, KEX_DH1) == 0) { + k->kex_type = DH_GRP1_SHA1; + } else if (strcmp(k->name, KEX_DHGEX) == 0) { + k->kex_type = DH_GEX_SHA1; + } else fatal("bad kex alg %s", k->name); } void @@ -437,10 +493,10 @@ sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]); need = 0; for (mode = 0; mode < MODE_MAX; mode++) { - if (need < k->enc[mode].key_len) - need = k->enc[mode].key_len; - if (need < k->enc[mode].iv_len) - need = k->enc[mode].iv_len; + if (need < k->enc[mode].cipher->key_len) + need = k->enc[mode].cipher->key_len; + if (need < k->enc[mode].cipher->block_size) + need = k->enc[mode].cipher->block_size; if (need < k->mac[mode].key_len) need = k->mac[mode].key_len; } diff -ru openssh-2.2.0p1/kex.h openssh-2.3.0p1/kex.h --- openssh-2.2.0p1/kex.h 2000-05-30 13:44:53.000000000 +1000 +++ openssh-2.3.0p1/kex.h 2000-10-14 16:23:12.000000000 +1100 
@@ -9,11 +9,6 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Markus Friedl. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES @@ -29,8 +24,9 @@ #ifndef KEX_H #define KEX_H -#define KEX_DH1 "diffie-hellman-group1-sha1" -#define KEX_DSS "ssh-dss" +#define KEX_DH1 "diffie-hellman-group1-sha1" +#define KEX_DHGEX "diffie-hellman-group-exchange-sha1" +#define KEX_DSS "ssh-dss" enum kex_init_proposals { PROPOSAL_KEX_ALGS, @@ -52,28 +48,30 @@ MODE_MAX }; +enum kex_exchange { + DH_GRP1_SHA1, + DH_GEX_SHA1 +}; + typedef struct Kex Kex; typedef struct Mac Mac; typedef struct Comp Comp; typedef struct Enc Enc; struct Enc { - int type; + char *name; + Cipher *cipher; int enabled; - int block_size; unsigned char *key; unsigned char *iv; - int key_len; - int iv_len; - char *name; }; struct Mac { - EVP_MD *md; + char *name; int enabled; + EVP_MD *md; int mac_len; unsigned char *key; int key_len; - char *name; }; struct Comp { int type; @@ -88,6 +86,7 @@ int server; char *name; char *hostkeyalg; + int kex_type; }; Buffer *kex_init(char *myproposal[PROPOSAL_MAX]); @@ -101,6 +100,8 @@ int kex_derive_keys(Kex *k, unsigned char *hash, BIGNUM *shared_secret); void packet_set_kex(Kex *k); int dh_pub_is_valid(DH *dh, BIGNUM *dh_pub); +DH *dh_new_group_asc(const char *, const char *); +DH *dh_new_group(BIGNUM *, BIGNUM *); DH *dh_new_group1(); unsigned char * 
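Review bot: The new `kex_type` field in `struct Kex` is declared as a bare `int` even though the same hunk introduces `enum kex_exchange` with exactly the two values choose_kex stores into it; declaring it as the enum lets the compiler warn on a missing case when the field is switched on. Change the member to `enum kex_exchange kex_type;`. The surrounding `struct Kex` definition starts above the hunk.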
@@ -114,4 +115,15 @@ BIGNUM *server_dh_pub, BIGNUM *shared_secret); +unsigned char * +kex_hash_gex( + char *client_version_string, + char *server_version_string, + char *ckexinit, int ckexinitlen, + char *skexinit, int skexinitlen, + char *serverhostkeyblob, int sbloblen, + int minbits, BIGNUM *prime, BIGNUM *gen, + BIGNUM *client_dh_pub, + BIGNUM *server_dh_pub, + BIGNUM *shared_secret); #endif diff -ru openssh-2.2.0p1/key.c openssh-2.3.0p1/key.c --- openssh-2.2.0p1/key.c 2000-08-23 10:46:24.000000000 +1000 +++ openssh-2.3.0p1/key.c 2000-09-16 13:29:09.000000000 +1100 @@ -1,4 +1,14 @@ /* + * read_bignum(): + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * + * * Copyright (c) 2000 Markus Friedl. All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -9,11 +19,6 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Markus Friedl. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 
@@ -26,10 +31,6 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* - * read_bignum(): - * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland - */ #include "includes.h" #include "ssh.h" @@ -41,7 +42,7 @@ #include "dsa.h" #include "uuencode.h" -RCSID("$OpenBSD: key.c,v 1.10 2000/08/19 21:34:43 markus Exp $"); +RCSID("$OpenBSD: key.c,v 1.11 2000/09/07 20:27:51 deraadt Exp $"); #define SSH_DSS "ssh-dss" diff -ru openssh-2.2.0p1/key.h openssh-2.3.0p1/key.h --- openssh-2.2.0p1/key.h 2000-08-30 09:40:09.000000000 +1100 +++ openssh-2.3.0p1/key.h 2000-09-16 13:29:09.000000000 +1100 
@@ -1,3 +1,26 @@ +/* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ #ifndef KEY_H #define KEY_H diff -ru openssh-2.2.0p1/log-client.c openssh-2.3.0p1/log-client.c --- openssh-2.2.0p1/log-client.c 2000-08-23 10:46:24.000000000 +1000 +++ openssh-2.3.0p1/log-client.c 2000-09-16 13:29:09.000000000 +1100 
@@ -1,21 +1,42 @@ /* - * - * log-client.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Mon Mar 20 21:13:40 1995 ylo - * * Client-side versions of debug(), log(), etc. These print to stderr. * This is a stripped down version of log-server.c. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * + * + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ #include "includes.h" -RCSID("$OpenBSD: log-client.c,v 1.10 2000/08/19 02:57:33 deraadt Exp $"); +RCSID("$OpenBSD: log-client.c,v 1.12 2000/09/12 20:53:10 markus Exp $"); #include "xmalloc.h" #include "ssh.h" @@ -36,7 +57,9 @@ case SYSLOG_LEVEL_FATAL: case SYSLOG_LEVEL_INFO: case SYSLOG_LEVEL_VERBOSE: - case SYSLOG_LEVEL_DEBUG: + case SYSLOG_LEVEL_DEBUG1: + case SYSLOG_LEVEL_DEBUG2: + case SYSLOG_LEVEL_DEBUG3: log_level = level; break; default: @@ -54,7 +77,7 @@ if (level > log_level) return; - if (level == SYSLOG_LEVEL_DEBUG) + if (level >= SYSLOG_LEVEL_DEBUG1) fprintf(stderr, "debug: "); vsnprintf(msgbuf, sizeof(msgbuf), fmt, args); fprintf(stderr, "%s\r\n", msgbuf); diff -ru openssh-2.2.0p1/log-server.c openssh-2.3.0p1/log-server.c --- openssh-2.2.0p1/log-server.c 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/log-server.c 2000-09-16 13:29:09.000000000 +1100 
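Review bot: The client-side do_log in log-client.c now accepts three debug levels but still prefixes every one of them with the same `"debug: "` string, whereas the server-side change in the same patch labels them `debug1`/`debug2`/`debug3`; a user running `ssh -vvv` therefore cannot tell which verbosity produced a given line, and the two loggers disagree on the same level. Print the level in the prefix, e.g. `fprintf(stderr, "debug%d: ", level - SYSLOG_LEVEL_DEBUG1 + 1);`, which relies on the three enumerators being consecutive, an assumption this hunk's `level >= SYSLOG_LEVEL_DEBUG1` comparison already makes. The enclosing do_log begins above the hunk.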
@@ -1,21 +1,42 @@ /* - * - * log-server.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Mon Mar 20 21:19:30 1995 ylo - * * Server-side versions of debug(), log(), etc. These normally send the output * to the system log. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * + * + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ #include "includes.h" -RCSID("$OpenBSD: log-server.c,v 1.15 2000/06/20 01:39:42 markus Exp $"); +RCSID("$OpenBSD: log-server.c,v 1.17 2000/09/12 20:53:10 markus Exp $"); #include #include "packet.h" @@ -47,7 +68,9 @@ case SYSLOG_LEVEL_FATAL: case SYSLOG_LEVEL_INFO: case SYSLOG_LEVEL_VERBOSE: - case SYSLOG_LEVEL_DEBUG: + case SYSLOG_LEVEL_DEBUG1: + case SYSLOG_LEVEL_DEBUG2: + case SYSLOG_LEVEL_DEBUG3: log_level = level; break; default: @@ -122,8 +145,16 @@ case SYSLOG_LEVEL_VERBOSE: pri = LOG_INFO; break; - case SYSLOG_LEVEL_DEBUG: - txt = "debug"; + case SYSLOG_LEVEL_DEBUG1: + txt = "debug1"; + pri = LOG_DEBUG; + break; + case SYSLOG_LEVEL_DEBUG2: + txt = "debug2"; + pri = LOG_DEBUG; + break; + case SYSLOG_LEVEL_DEBUG3: + txt = "debug3"; pri = LOG_DEBUG; break; default: diff -ru openssh-2.2.0p1/log.c openssh-2.3.0p1/log.c --- openssh-2.2.0p1/log.c 2000-01-14 15:45:50.000000000 +1100 +++ openssh-2.3.0p1/log.c 2000-10-14 16:23:12.000000000 +1100 
@@ -1,9 +1,42 @@ /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland + * All rights reserved + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + */ +/* * Shared versions of debug(), log(), etc. + * + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ #include "includes.h" -RCSID("$OpenBSD: log.c,v 1.7 2000/01/04 00:07:59 markus Exp $"); +RCSID("$OpenBSD: log.c,v 1.11 2000/09/30 16:27:43 markus Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -60,7 +93,25 @@ { va_list args; va_start(args, fmt); - do_log(SYSLOG_LEVEL_DEBUG, fmt, args); + do_log(SYSLOG_LEVEL_DEBUG1, fmt, args); + va_end(args); +} + +void +debug2(const char *fmt,...) +{ + va_list args; + va_start(args, fmt); + do_log(SYSLOG_LEVEL_DEBUG2, fmt, args); + va_end(args); +} + +void +debug3(const char *fmt,...) +{ + va_list args; + va_start(args, fmt); + do_log(SYSLOG_LEVEL_DEBUG3, fmt, args); va_end(args); } @@ -157,7 +208,10 @@ { "ERROR", SYSLOG_LEVEL_ERROR }, { "INFO", SYSLOG_LEVEL_INFO }, { "VERBOSE", SYSLOG_LEVEL_VERBOSE }, - { "DEBUG", SYSLOG_LEVEL_DEBUG }, + { "DEBUG", SYSLOG_LEVEL_DEBUG1 }, + { "DEBUG1", SYSLOG_LEVEL_DEBUG1 }, + { "DEBUG2", SYSLOG_LEVEL_DEBUG2 }, + { "DEBUG3", SYSLOG_LEVEL_DEBUG3 }, { NULL, 0 } }; diff -ru openssh-2.2.0p1/login.c openssh-2.3.0p1/login.c --- openssh-2.2.0p1/login.c 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/login.c 2000-09-16 13:29:09.000000000 +1100 
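Review bot: The new `{ "DEBUG", SYSLOG_LEVEL_DEBUG1 },` entry in the level table maps the old name onto one of the three new debug levels without saying why, and a reader of the table cannot tell which of DEBUG1..DEBUG3 is the most verbose. I would add `/* "DEBUG" is kept as an alias of DEBUG1 so existing LogLevel settings keep working */` above that entry, and a one-line comment stating the ordering of the three levels (presumably DEBUG3 is the most verbose, matching the debug3() wrapper added earlier in this file, but the table does not show it). The table's declaration starts outside the hunk.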
@@ -1,24 +1,45 @@ /* - * - * login.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Fri Mar 24 14:51:08 1995 ylo - * * This file performs some of the things login(1) normally does. We cannot * easily use something like login -p -h host -f user, because there are * several different logins around, and it is hard to determined what kind of * login the current system has. Also, we want to be able to execute commands * on a tty. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * + * Copyright (c) 1999 Theo de Raadt. All rights reserved. + * Copyright (c) 1999 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: login.c,v 1.14 2000/06/20 01:39:42 markus Exp $"); +RCSID("$OpenBSD: login.c,v 1.15 2000/09/07 20:27:52 deraadt Exp $"); #include "loginrec.h" diff -ru openssh-2.2.0p1/loginrec.c openssh-2.3.0p1/loginrec.c --- openssh-2.2.0p1/loginrec.c 2000-08-29 14:30:37.000000000 +1100 +++ openssh-2.3.0p1/loginrec.c 2000-09-30 21:34:44.000000000 +1100 @@ -161,7 +161,7 @@ #include "xmalloc.h" #include "loginrec.h" -RCSID("$Id: loginrec.c,v 1.22 2000/08/29 03:30:37 djm Exp $"); +RCSID("$Id: loginrec.c,v 1.26 2000/09/30 10:34:44 djm Exp $"); /** ** prototypes for helper functions in this file @@ -401,10 +401,12 @@ int login_write (struct logininfo *li) { +#ifndef HAVE_CYGWIN if ((int)geteuid() != 0) { log("Attempt to write login records by non-root user (aborting)"); return 1; } +#endif /* set the timestamp */ login_set_current_time(li); @@ -492,9 +494,9 @@ line_fullname(char *dst, const char *src, int dstsize) { memset(dst, '\0', dstsize); - if ((strncmp(src, "/dev/", 5) == 0) || (dstsize < (strlen(src) + 5))) + if ((strncmp(src, "/dev/", 5) == 0) || (dstsize < (strlen(src) + 5))) { strlcpy(dst, src, dstsize); - else { + } else { strlcpy(dst, "/dev/", dstsize); strlcat(dst, src, dstsize); } 
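Review bot: The `#ifndef HAVE_CYGWIN` added around the `geteuid() != 0` guard compiles the only privilege check in login_write() out entirely on Cygwin, and nothing says why; presumably Cygwin has no uid 0 and the login record files are protected by their own permissions instead, but that assumption should be written down. I would put `/* Cygwin has no uid 0; rely on the permissions of the login record files instead */` on the `#ifndef` line. The function continues outside the hunk, so whether the later write path reports a permission failure cleanly on Cygwin is not visible here.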
@@ -506,8 +508,13 @@ line_stripname(char *dst, const char *src, int dstsize) { memset(dst, '\0', dstsize); +#ifdef sgi + if (strncmp(src, "/dev/tty", 8) == 0) + strlcpy(dst, src + 8, dstsize); +#else if (strncmp(src, "/dev/", 5) == 0) - strlcpy(dst, &src[5], dstsize); + strlcpy(dst, src + 5, dstsize); +#endif else strlcpy(dst, src, dstsize); return dst; @@ -527,8 +534,13 @@ memset(dst, '\0', dstsize); /* Always skip prefix if present */ +#ifdef sgi + if (strncmp(src, "/dev/tty", 8) == 0) + src += 8; +#else if (strncmp(src, "/dev/", 5) == 0) src += 5; +#endif len = strlen(src); @@ -676,7 +688,9 @@ strncpy(utx->ut_host, li->hostname, MIN_SIZEOF(utx->ut_host, li->hostname)); # endif # ifdef HAVE_ADDR_IN_UTMPX - /* FIXME: (ATL) not supported yet */ + /* this is just a 32-bit IP address */ + if (li->hostaddr.sa.sa_family == AF_INET) + utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr; # endif # ifdef HAVE_SYSLEN_IN_UTMPX /* ut_syslen is the length of the utx_host string */ diff -ru openssh-2.2.0p1/match.c openssh-2.3.0p1/match.c --- openssh-2.2.0p1/match.c 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/match.c 2000-09-16 13:29:09.000000000 +1100 
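Review bot: The new IRIX branch in line_stripname() strips only `/dev/tty` and otherwise copies the name unchanged, so any IRIX device name that does not start with that prefix would be recorded with its full `/dev/` path, whereas every other platform at least strips `/dev/`. Unless IRIX tty names are known to always begin with `/dev/tty` (I cannot confirm that from here), the sgi branch should keep the generic strip as a fallback: `else if (strncmp(src, "/dev/", 5) == 0) strlcpy(dst, src + 5, dstsize);` before the `#else`. The same gap exists in the second `#ifdef sgi` hunk below, where `src += 8` replaces `src += 5` with no fallback; that function's signature is outside the hunk.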
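Review bot: The new `utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr;` runs only for `AF_INET`, so for any other address family the field keeps whatever the struct held before; if the utmpx record is not zeroed earlier in this function (its start is outside the hunk), a stale or uninitialized address ends up in the login record, which is exactly the field an investigator would trust. I would either add `else utx->ut_addr = 0;` or, if the memset is confirmed, say so in the comment: `/* ut_addr is a plain 32-bit IPv4 address; non-IPv4 peers leave it zero */`.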
@@ -1,20 +1,18 @@ /* - * - * match.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Thu Jun 22 01:17:50 1995 ylo - * * Simple pattern matching, with '*' and '?' as wildcards. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ #include "includes.h" -RCSID("$OpenBSD: match.c,v 1.8 2000/06/20 01:39:42 markus Exp $"); +RCSID("$OpenBSD: match.c,v 1.9 2000/09/07 20:27:52 deraadt Exp $"); #include "ssh.h" diff -ru openssh-2.2.0p1/match.h openssh-2.3.0p1/match.h --- openssh-2.2.0p1/match.h 2000-06-07 19:55:44.000000000 +1000 +++ openssh-2.3.0p1/match.h 2000-09-16 13:29:09.000000000 +1100 @@ -1,3 +1,16 @@ +/* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland + * All rights reserved + * This file contains various auxiliary functions related to multiple + * precision integers. + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + */ #ifndef MATCH_H #define MATCH_H diff -ru openssh-2.2.0p1/mpaux.c openssh-2.3.0p1/mpaux.c --- openssh-2.2.0p1/mpaux.c 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/mpaux.c 2000-09-16 13:29:09.000000000 +1100 
@@ -1,21 +1,19 @@ /* - * - * mpaux.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Sun Jul 16 04:29:30 1995 ylo - * * This file contains various auxiliary functions related to multiple * precision integers. * -*/ + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + */ #include "includes.h" -RCSID("$OpenBSD: mpaux.c,v 1.13 2000/06/20 01:39:42 markus Exp $"); +RCSID("$OpenBSD: mpaux.c,v 1.14 2000/09/07 20:27:52 deraadt Exp $"); #include #include "getput.h" diff -ru openssh-2.2.0p1/mpaux.h openssh-2.3.0p1/mpaux.h --- openssh-2.2.0p1/mpaux.h 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/mpaux.h 2000-09-16 13:29:09.000000000 +1100 
@@ -1,19 +1,18 @@ /* - * - * mpaux.h - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Sun Jul 16 04:29:30 1995 ylo - * * This file contains various auxiliary functions related to multiple * precision integers. + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: mpaux.h,v 1.7 2000/06/20 01:39:42 markus Exp $"); */ +/* RCSID("$OpenBSD: mpaux.h,v 1.8 2000/09/07 20:27:52 deraadt Exp $"); */ #ifndef MPAUX_H #define MPAUX_H diff -ru openssh-2.2.0p1/myproposal.h openssh-2.3.0p1/myproposal.h --- openssh-2.2.0p1/myproposal.h 2000-05-30 13:44:53.000000000 +1000 +++ openssh-2.3.0p1/myproposal.h 2000-10-14 16:23:12.000000000 +1100 
@@ -1,8 +1,35 @@ -#define KEX_DEFAULT_KEX "diffie-hellman-group1-sha1" +/* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ +#define KEX_DEFAULT_KEX "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1" #define KEX_DEFAULT_PK_ALG "ssh-dss" -#define KEX_DEFAULT_ENCRYPT "3des-cbc,blowfish-cbc,arcfour,cast128-cbc" +#define KEX_DEFAULT_ENCRYPT \ + "3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \ + "aes128-cbc,aes192-cbc,aes256-cbc," \ + "rijndael128-cbc,rijndael192-cbc,rijndael256-cbc," \ + "rijndael-cbc@lysator.liu.se" #define KEX_DEFAULT_MAC "hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com" -#define KEX_DEFAULT_COMP "zlib,none" +#define KEX_DEFAULT_COMP "none,zlib" #define KEX_DEFAULT_LANG "" diff -ru openssh-2.2.0p1/nchan.c openssh-2.3.0p1/nchan.c --- openssh-2.2.0p1/nchan.c 2000-08-07 15:47:48.000000000 +1000 +++ openssh-2.3.0p1/nchan.c 2000-09-16 13:29:09.000000000 +1100 @@ -9,11 +9,6 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Markus Friedl. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES @@ -28,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: nchan.c,v 1.18 2000/06/20 01:39:42 markus Exp $"); +RCSID("$OpenBSD: nchan.c,v 1.19 2000/09/07 20:27:52 deraadt Exp $"); #include "ssh.h" diff -ru openssh-2.2.0p1/nchan.h openssh-2.3.0p1/nchan.h --- openssh-2.2.0p1/nchan.h 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/nchan.h 2000-09-16 13:29:09.000000000 +1100 
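Review bot: The new KEX_DEFAULT_ENCRYPT list still offers `arcfour` in the default proposal and carries no comment on why a stream cipher used here with no IV is kept, nor on why the four `rijndael*` names are listed alongside the `aes*` names they are aliases of. Because the first algorithm both sides list wins, placing `arcfour` after the three CBC ciphers means it is only selected against a peer that lacks all of them, which is defensible, but the reader has to work that out. I would add a comment above the define stating that the list is in preference order, that the rijndael names exist only for peers that predate the aes names, and that `arcfour` is retained for interoperability with such peers only. The flip of KEX_DEFAULT_COMP to `"none,zlib"` makes compression opt-in and deserves a one-line comment as well.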
@@ -9,11 +9,6 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Markus Friedl. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES @@ -27,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* RCSID("$OpenBSD: nchan.h,v 1.8 2000/06/20 01:39:43 markus Exp $"); */ +/* RCSID("$OpenBSD: nchan.h,v 1.9 2000/09/07 20:27:52 deraadt Exp $"); */ #ifndef NCHAN_H #define NCHAN_H diff -ru openssh-2.2.0p1/nchan.ms openssh-2.3.0p1/nchan.ms --- openssh-2.2.0p1/nchan.ms 2000-01-14 15:45:50.000000000 +1100 +++ openssh-2.3.0p1/nchan.ms 2000-09-16 13:29:09.000000000 +1100 
@@ -9,11 +9,6 @@ .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. -.\" 3. All advertising materials mentioning features or use of this software -.\" must display the following acknowledgement: -.\" This product includes software developed by Markus Friedl. -.\" 4. The name of the author may not be used to endorse or promote products -.\" derived from this software without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES Only in openssh-2.3.0p1: news4-posix.h diff -ru openssh-2.2.0p1/next-posix.c openssh-2.3.0p1/next-posix.c --- openssh-2.2.0p1/next-posix.c 2000-09-01 14:14:37.000000000 +1100 +++ openssh-2.3.0p1/next-posix.c 2000-11-05 20:08:45.000000000 +1100 
@@ -1,3 +1,25 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + #include "includes.h" #ifdef HAVE_NEXT 
@@ -8,48 +30,16 @@ pid_t posix_wait(int *status) { - #undef wait /* Use NeXT's wait() function */ union wait statusp; pid_t wait_pid; + #undef wait /* Use NeXT's wait() function */ wait_pid = wait(&statusp); status = (int *) statusp.w_status; return wait_pid; } - -int -posix_utime(char *filename,struct utimbuf *buf) -{ - time_t timep[2]; - - timep[0] = buf->actime; - timep[1] = buf->modtime; - - #undef utime /* Use NeXT's utime() function */ - return utime(filename,timep); -} - - -int -waitpid(int pid, int *stat_loc, int options) -{ - if (pid <= 0) { - if (pid != -1) { - errno = EINVAL; - return -1; - } - pid = 0; /* wait4() expects pid=0 for indiscriminate wait. */ - } - return wait4(pid, (union wait *)stat_loc, options, NULL); -} - -pid_t setsid(void) -{ - return setpgrp(0, getpid()); -} - int tcgetattr(int fd, struct termios *t) { @@ -81,10 +71,7 @@ int tcsetpgrp(int fd, pid_t pgrp) { - int s; - - s = pgrp; - return (ioctl(fd, TIOCSPGRP, &s)); + return (ioctl(fd, TIOCSPGRP, &pgrp)); } speed_t cfgetospeed(const struct termios *t) diff -ru openssh-2.2.0p1/next-posix.h openssh-2.3.0p1/next-posix.h --- openssh-2.2.0p1/next-posix.h 2000-08-30 10:11:30.000000000 +1100 +++ openssh-2.3.0p1/next-posix.h 2000-11-05 20:08:45.000000000 +1100 
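Review bot: posix_wait() never writes its out-parameter: `status = (int *) statusp.w_status;` reassigns the local pointer `status` to the integer status cast to a pointer, so the caller's `*status` is left untouched and any `W*` macro applied to it operates on garbage. The line is only context here, but the commit reworks this function and leaves it; it should read `if (status != NULL) *status = statusp.w_status;`. The moved `#undef wait` is fine, since it still precedes the call.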
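Review bot: Replacing the `int s = pgrp;` copy with `ioctl(fd, TIOCSPGRP, &pgrp)` passes a `pid_t *` where the BSD TIOCSPGRP ioctl reads an `int`; the removed copy widened deliberately, and the new form is only correct if `sizeof(pid_t) == sizeof(int)` on NeXT, which I cannot confirm from here. If that is known to hold, a comment would stop the next reader from re-adding the copy: `/* pid_t is int on NeXT, so the pgrp can be passed directly */`.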
@@ -1,60 +1,49 @@ /* - * Defines and prototypes specific to NeXT system + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * */ #ifndef _NEXT_POSIX_H #define _NEXT_POSIX_H #ifdef HAVE_NEXT - -#include #include -/* readdir() returns struct direct (BSD) not struct dirent (POSIX) */ -#define dirent direct - -/* POSIX utime() struct */ -struct utimbuf { - time_t actime; - time_t modtime; -}; +/* NeXT's readdir() is BSD (struct direct) not POSIX (struct dirent) */ +#define dirent direct /* FILE */ -#define O_NONBLOCK 00004 /* non-blocking open */ +#define O_NONBLOCK 00004 /* non-blocking open */ -/* WAITPID */ -#undef WIFEXITED -#undef WIFSTOPPED -#undef WIFSIGNALED - -#define WIFEXITED(w) (!((w) & 0377)) -#define WIFSTOPPED(w) ((w) & 0100) -#define WIFSIGNALED(w) (!WIFEXITED(w) && !WIFSTOPPED(w)) -#define WEXITSTATUS(w) (int)(WIFEXITED(w) ? ((w >> 8) & 0377) : -1) -#define WTERMSIG(w) (int)(WIFSIGNALED(w) ? (w & 0177) : -1) -#define WCOREFLAG 0x80 -#define WCOREDUMP(w) ((w) & WCOREFLAG) - -/* POSIX "wrapper" functions to replace to BSD functions */ -int posix_utime(char *filename, struct utimbuf *buf); /* new utime() */ -#define utime posix_utime - -pid_t posix_wait(int *status); /* new wait() */ -#define wait posix_wait - -/* MISC functions */ -int waitpid(int pid,int *stat_loc,int options); -#define getpgrp() getpgrp(0) -pid_t setsid(void); - -/* TC */ -int tcgetattr(int fd,struct termios *t); -int tcsetattr(int fd,int opt,const struct termios *t); +/* Swap out NeXT's BSD wait() for a more POSIX complient one */ +pid_t posix_wait(int *status); +#define wait(a) posix_wait(a) + +/* TERMCAP */ +int tcgetattr(int fd, struct termios *t); +int tcsetattr(int fd, int opt, const struct termios *t); int tcsetpgrp(int fd, pid_t pgrp); speed_t cfgetospeed(const struct termios *t); speed_t cfgetispeed(const struct termios *t); -int cfsetospeed(struct termios *t,int speed); - - +int cfsetospeed(struct termios *t, int speed); +int cfsetispeed(struct termios *t, int speed); #endif /* HAVE_NEXT */ #endif /* _NEXT_POSIX_H */ diff -ru openssh-2.2.0p1/openbsd-compat.h openssh-2.3.0p1/openbsd-compat.h --- 
openssh-2.2.0p1/openbsd-compat.h 2000-08-16 10:35:58.000000000 +1000 +++ openssh-2.3.0p1/openbsd-compat.h 2000-11-05 20:08:45.000000000 +1100 @@ -6,6 +6,8 @@ /* BSD function replacements */ #include "bsd-arc4random.h" #include "bsd-bindresvport.h" +#include "bsd-getcwd.h" +#include "bsd-realpath.h" #include "bsd-rresvport.h" #include "bsd-misc.h" #include "bsd-strlcpy.h" @@ -18,6 +20,10 @@ #include "bsd-inet_aton.h" #include "bsd-inet_ntoa.h" #include "bsd-strsep.h" +#include "bsd-strtok.h" +#include "bsd-vis.h" +#include "bsd-waitpid.h" +#include "bsd-setproctitle.h" /* rfc2553 socket API replacements */ #include "fake-getaddrinfo.h" diff -ru openssh-2.2.0p1/packet.c openssh-2.3.0p1/packet.c --- openssh-2.2.0p1/packet.c 2000-08-23 10:46:24.000000000 +1000 +++ openssh-2.3.0p1/packet.c 2000-10-14 16:23:12.000000000 +1100 
@@ -1,23 +1,43 @@ /* - * - * packet.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Sat Mar 18 02:40:40 1995 ylo - * * This file contains code implementing the packet protocol and communication * with the other side. This same code is used both on client and server side. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * + * * SSH2 packet format added by Markus Friedl. + * Copyright (c) 2000 Markus Friedl. All rights reserved. * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: packet.c,v 1.34 2000/08/19 02:17:12 deraadt Exp $"); +RCSID("$OpenBSD: packet.c,v 1.38 2000/10/12 14:21:12 markus Exp $"); #include "xmalloc.h" #include "buffer.h" @@ -25,7 +45,6 @@ #include "bufaux.h" #include "ssh.h" #include "crc32.h" -#include "cipher.h" #include "getput.h" #include "compress.h" @@ -39,6 +58,7 @@ #include #include #include "buffer.h" +#include "cipher.h" #include "kex.h" #include "hmac.h" @@ -141,11 +161,14 @@ void packet_set_connection(int fd_in, int fd_out) { + Cipher *none = cipher_by_name("none"); + if (none == NULL) + fatal("packet_set_connection: cannot load cipher 'none'"); connection_in = fd_in; connection_out = fd_out; cipher_type = SSH_CIPHER_NONE; - cipher_set_key(&send_context, SSH_CIPHER_NONE, (unsigned char *) "", 0); - cipher_set_key(&receive_context, SSH_CIPHER_NONE, (unsigned char *) "", 0); + cipher_init(&send_context, none, (unsigned char *) "", 0, NULL, 0); + cipher_init(&receive_context, none, (unsigned char *) "", 0, NULL, 0); if (!initialized) { initialized = 1; buffer_init(&input); 
@@ -306,28 +329,18 @@ */ void -packet_decrypt(CipherContext * cc, void *dest, void *src, - unsigned int bytes) +packet_decrypt(CipherContext *context, void *dest, void *src, unsigned int bytes) { - int i; - - if ((bytes % 8) != 0) - fatal("packet_decrypt: bad ciphertext length %d", bytes); - /* * Cryptographic attack detector for ssh - Modifications for packet.c * (C)1998 CORE-SDI, Buenos Aires Argentina Ariel Futoransky(futo@core-sdi.com) */ - - if (cc->type == SSH_CIPHER_NONE || compat20) { - i = DEATTACK_OK; - } else { - i = detect_attack(src, bytes, NULL); - } - if (i == DEATTACK_DETECTED) + if (!compat20 && + context->cipher->number != SSH_CIPHER_NONE && + detect_attack(src, bytes, NULL) == DEATTACK_DETECTED) packet_disconnect("crc32 compensation attack: network attack detected"); - cipher_decrypt(cc, dest, src, bytes); + cipher_decrypt(context, dest, src, bytes); } /* @@ -338,14 +351,15 @@ void packet_set_encryption_key(const unsigned char *key, unsigned int keylen, - int cipher) + int number) { + Cipher *cipher = cipher_by_number(number); + if (cipher == NULL) + fatal("packet_set_encryption_key: unknown cipher number %d", number); if (keylen < 20) - fatal("keylen too small: %d", keylen); - - /* All other ciphers use the same key in both directions for now. */ - cipher_set_key(&receive_context, cipher, key, keylen); - cipher_set_key(&send_context, cipher, key, keylen); + fatal("packet_set_encryption_key: keylen too small: %d", keylen); + cipher_init(&receive_context, cipher, key, keylen, NULL, 0); + cipher_init(&send_context, cipher, key, keylen, NULL, 0); } /* Starts constructing a packet to send. */ @@ -533,7 +547,7 @@ mac = &kex->mac[MODE_OUT]; comp = &kex->comp[MODE_OUT]; } - block_size = enc ? enc->block_size : 8; + block_size = enc ? enc->cipher->block_size : 8; cp = buffer_ptr(&outgoing_packet); type = cp[5] & 0xff; 
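Review bot: The rewrite of packet_decrypt() drops the `(bytes % 8) != 0` length check without replacing it with a block-size-aware one, so a ciphertext length that is not a multiple of the cipher's block size now reaches `cipher_decrypt(context, dest, src, bytes)` unchecked. The callers may already enforce this (they are not in the hunk), but the function-level guard was a cheap defence in depth and the new cipher object makes it easy to express correctly: `if (context->cipher->block_size > 0 && bytes % context->cipher->block_size != 0) fatal("packet_decrypt: bad ciphertext length %u", bytes);` before the detect_attack() call. Skipping detect_attack() under `compat20` is fine since SSH2 packets carry a MAC, and that reasoning is worth one line of comment on the condition.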
@@ -568,7 +582,7 @@ if (padlen < 4) padlen += block_size; buffer_append_space(&outgoing_packet, &cp, padlen); - if (enc && enc->type != SSH_CIPHER_NONE) { + if (enc && enc->cipher->number != SSH_CIPHER_NONE) { /* random padding */ for (i = 0; i < padlen; i++) { if (i % 4 == 0) @@ -594,7 +608,7 @@ buffer_len(&outgoing_packet), mac->key, mac->key_len ); - DBG(debug("done calc HMAC out #%d", seqnr)); + DBG(debug("done calc MAC out #%d", seqnr)); } /* encrypt packet and append to output buffer. */ buffer_append_space(&output, &cp, buffer_len(&outgoing_packet)); @@ -617,10 +631,10 @@ fatal("packet_send2: no KEX"); if (mac->md != NULL) mac->enabled = 1; - DBG(debug("cipher_set_key_iv send_context")); - cipher_set_key_iv(&send_context, enc->type, - enc->key, enc->key_len, - enc->iv, enc->iv_len); + DBG(debug("cipher_init send_context")); + cipher_init(&send_context, enc->cipher, + enc->key, enc->cipher->key_len, + enc->iv, enc->cipher->block_size); clear_enc_keys(enc, kex->we_need); if (comp->type != 0 && comp->enabled == 0) { comp->enabled = 1; @@ -821,7 +835,7 @@ comp = &kex->comp[MODE_IN]; } maclen = mac && mac->enabled ? mac->mac_len : 0; - block_size = enc ? enc->block_size : 8; + block_size = enc ? enc->cipher->block_size : 8; if (packet_length == 0) { /* @@ -874,8 +888,8 @@ mac->key, mac->key_len ); if (memcmp(macbuf, buffer_ptr(&input), mac->mac_len) != 0) - packet_disconnect("Corrupted HMAC on input."); - DBG(debug("HMAC #%d ok", seqnr)); + packet_disconnect("Corrupted MAC on input."); + DBG(debug("MAC #%d ok", seqnr)); buffer_consume(&input, mac->mac_len); } if (++seqnr == 0) 
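Review bot: The send-side `cipher_init(&send_context, enc->cipher, enc->key, enc->cipher->key_len, enc->iv, enc->cipher->block_size)` now takes the key and IV lengths from the cipher table rather than from the negotiated `enc` record, so it silently assumes the key derivation filled at least `key_len` bytes of `enc->key` and `block_size` bytes of `enc->iv`. The `clear_enc_keys(enc, kex->we_need)` on the next line suggests `we_need` is the derived size, but nothing here checks that it covers the larger of the two values. If `we_need` is indeed the per-key byte count, a guard such as `if (kex->we_need < enc->cipher->key_len || kex->we_need < enc->cipher->block_size) fatal("packet_send2: derived key material too short");` before the call turns a mismatch into a clean failure instead of an over-read. packet_send2 starts outside the hunk.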
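Review bot: The MAC check that the reworded disconnect belongs to, `if (memcmp(macbuf, buffer_ptr(&input), mac->mac_len) != 0)`, stops at the first differing byte, so the time taken to reject a forged packet depends on how many leading MAC bytes were right; this predates the commit, but since the line is being touched it is the moment to mark it with `/* TODO: constant-time compare */` or replace it with a small helper that ORs together the XOR of all `mac_len` bytes before deciding. The seqnr increment that follows is unaffected. The enclosing function starts and ends outside the hunk.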
@@ -919,10 +933,10 @@ fatal("packet_read_poll2: no KEX"); if (mac->md != NULL) mac->enabled = 1; - DBG(debug("cipher_set_key_iv receive_context")); - cipher_set_key_iv(&receive_context, enc->type, - enc->key, enc->key_len, - enc->iv, enc->iv_len); + DBG(debug("cipher_init receive_context")); + cipher_init(&receive_context, enc->cipher, + enc->key, enc->cipher->key_len, + enc->iv, enc->cipher->block_size); clear_enc_keys(enc, kex->we_need); if (comp->type != 0 && comp->enabled == 0) { comp->enabled = 1; diff -ru openssh-2.2.0p1/packet.h openssh-2.3.0p1/packet.h --- openssh-2.2.0p1/packet.h 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/packet.h 2000-09-16 13:29:09.000000000 +1100 @@ -1,19 +1,17 @@ /* - * - * packet.h - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Sat Mar 18 02:02:14 1995 ylo - * * Interface for the packet protocol functions. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: packet.h,v 1.16 2000/06/20 01:39:43 markus Exp $"); */ +/* RCSID("$OpenBSD: packet.h,v 1.17 2000/09/07 20:27:52 deraadt Exp $"); */ #ifndef PACKET_H #define PACKET_H diff -ru openssh-2.2.0p1/pty.c openssh-2.3.0p1/pty.c --- openssh-2.2.0p1/pty.c 2000-08-29 11:52:38.000000000 +1100 +++ openssh-2.3.0p1/pty.c 2000-11-06 02:31:36.000000000 +1100 
@@ -1,20 +1,18 @@ /* - * - * pty.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Fri Mar 17 04:37:25 1995 ylo - * * Allocating a pseudo-terminal, and making it the controlling tty. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ #include "includes.h" -RCSID("$OpenBSD: pty.c,v 1.14 2000/06/20 01:39:43 markus Exp $"); +RCSID("$OpenBSD: pty.c,v 1.16 2000/09/07 21:13:37 markus Exp $"); #ifdef HAVE_UTIL_H # include @@ -118,15 +116,20 @@ close(*ptyfd); return 0; } - /* Push the appropriate streams modules, as described in Solaris pts(7). */ +#ifndef HAVE_CYGWIN + /* + * Push the appropriate streams modules, as described in Solaris pts(7). + * HP-UX pts(7) doesn't have ttcompat module. + */ if (ioctl(*ttyfd, I_PUSH, "ptem") < 0) error("ioctl I_PUSH ptem: %.100s", strerror(errno)); if (ioctl(*ttyfd, I_PUSH, "ldterm") < 0) error("ioctl I_PUSH ldterm: %.100s", strerror(errno)); -#ifndef _HPUX_SOURCE +#ifndef __hpux if (ioctl(*ttyfd, I_PUSH, "ttcompat") < 0) error("ioctl I_PUSH ttcompat: %.100s", strerror(errno)); #endif +#endif return 1; #else /* HAVE_DEV_PTMX */ #ifdef HAVE_DEV_PTS_AND_PTC @@ -208,9 +211,9 @@ pty_make_controlling_tty(int *ttyfd, const char *ttyname) { int fd; -#ifdef HAVE_VHANGUP +#ifdef USE_VHANGUP void *old; -#endif /* HAVE_VHANGUP */ +#endif /* USE_VHANGUP */ /* First disconnect from the old controlling tty. */ #ifdef TIOCNOTTY 
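Review bot: Wrapping the STREAMS pushes in `#ifndef HAVE_CYGWIN` keeps the existing behaviour that a failed `ioctl(*ttyfd, I_PUSH, "ptem")` or `"ldterm"` is only reported through error() and the function still falls through to `return 1`, handing the caller a slave with no line discipline; since the commit touches exactly these lines, it is the moment to make a failed push take the same `close(*ptyfd); return 0;` path the open failure above it takes, closing `*ttyfd` as well. If the failures are tolerated on purpose on some platform, the new comment should say so instead. The `#ifndef __hpux` replacing `_HPUX_SOURCE` relies on a compiler-predefined macro rather than a feature-test macro, which is worth a word in the comment too; the enclosing function starts outside the hunk.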
@@ -242,21 +245,25 @@ */ ioctl(*ttyfd, TIOCSCTTY, NULL); #endif /* TIOCSCTTY */ -#ifdef HAVE_VHANGUP +#ifdef HAVE_NEWS4 + if (setpgrp(0,0) < 0) + error("SETPGRP %s",strerror(errno)); +#endif /* HAVE_NEWS4 */ +#ifdef USE_VHANGUP old = signal(SIGHUP, SIG_IGN); vhangup(); signal(SIGHUP, old); -#endif /* HAVE_VHANGUP */ +#endif /* USE_VHANGUP */ fd = open(ttyname, O_RDWR); if (fd < 0) { error("%.100s: %.100s", ttyname, strerror(errno)); } else { -#ifdef HAVE_VHANGUP +#ifdef USE_VHANGUP close(*ttyfd); *ttyfd = fd; -#else /* HAVE_VHANGUP */ +#else /* USE_VHANGUP */ close(fd); -#endif /* HAVE_VHANGUP */ +#endif /* USE_VHANGUP */ } /* Verify that we now have a controlling tty. */ fd = open("/dev/tty", O_WRONLY); diff -ru openssh-2.2.0p1/pty.h openssh-2.3.0p1/pty.h --- openssh-2.2.0p1/pty.h 2000-06-22 21:32:31.000000000 +1000 +++ openssh-2.3.0p1/pty.h 2000-09-16 13:29:09.000000000 +1100 @@ -1,19 +1,18 @@ /* - * - * pty.h - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Fri Mar 17 05:03:28 1995 ylo - * * Functions for allocating a pseudo-terminal and making it the controlling * tty. + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: pty.h,v 1.7 2000/06/20 01:39:43 markus Exp $"); */ +/* RCSID("$OpenBSD: pty.h,v 1.8 2000/09/07 20:27:52 deraadt Exp $"); */ #ifndef PTY_H #define PTY_H diff -ru openssh-2.2.0p1/radix.c openssh-2.3.0p1/radix.c --- openssh-2.2.0p1/radix.c 2000-06-23 10:16:38.000000000 +1000 +++ openssh-2.3.0p1/radix.c 2000-09-16 13:29:09.000000000 +1100 
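Review bot: The new `HAVE_NEWS4` block reports its failure as `error("SETPGRP %s",strerror(errno));`, which does not follow the message style used a few lines below (`error("%.100s: %.100s", ttyname, strerror(errno));`); `error("setpgrp: %.100s", strerror(errno));` would match the file's lower-case, bounded format convention. The `setpgrp(0,0)` call itself is also written without the space after the comma used elsewhere in the hunk. `pty_make_controlling_tty` starts outside this hunk, in the preceding one.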
@@ -1,13 +1,31 @@ /* - * radix.c + * Copyright (c) 1999 Dug Song. All rights reserved. * - * Dug Song + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" #include "uuencode.h" -RCSID("$OpenBSD: radix.c,v 1.12 2000/06/22 23:55:00 djm Exp $"); +RCSID("$OpenBSD: radix.c,v 1.13 2000/09/07 20:27:52 deraadt Exp $"); #ifdef AFS #include diff -ru openssh-2.2.0p1/readconf.c openssh-2.3.0p1/readconf.c --- openssh-2.2.0p1/readconf.c 2000-08-18 13:59:06.000000000 +1000 +++ openssh-2.3.0p1/readconf.c 2000-10-14 16:23:12.000000000 +1100 
@@ -1,23 +1,20 @@ /* - * - * readconf.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Sat Apr 22 00:03:10 1995 ylo - * * Functions for reading the configuration files. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.45 2000/08/02 17:27:04 provos Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.49 2000/10/11 20:27:23 markus Exp $"); #include "ssh.h" -#include "cipher.h" #include "readconf.h" #include "match.h" #include "xmalloc.h" @@ -105,7 +102,8 @@ oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication, oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oIdentityFile2, - oGlobalKnownHostsFile2, oUserKnownHostsFile2, oDSAAuthentication + oGlobalKnownHostsFile2, oUserKnownHostsFile2, oDSAAuthentication, + oKbdInteractiveAuthentication, oKbdInteractiveDevices } OpCodes; /* Textual representations of the tokens. */ @@ -121,6 +119,8 @@ { "useprivilegedport", oUsePrivilegedPort }, { "rhostsauthentication", oRhostsAuthentication }, { "passwordauthentication", oPasswordAuthentication }, + { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, + { "kbdinteractivedevices", oKbdInteractiveDevices }, { "rsaauthentication", oRSAAuthentication }, { "dsaauthentication", oDSAAuthentication }, { "skeyauthentication", oSkeyAuthentication }, 
@@ -174,9 +174,11 @@ u_short host_port) { Forward *fwd; +#ifndef HAVE_CYGWIN extern uid_t original_real_uid; if (port < IPPORT_RESERVED && original_real_uid != 0) fatal("Privileged ports can only be forwarded by root.\n"); +#endif if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION) fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION); fwd = &options->local_forwards[options->num_local_forwards++]; @@ -290,6 +292,14 @@ intptr = &options->password_authentication; goto parse_flag; + case oKbdInteractiveAuthentication: + intptr = &options->kbd_interactive_authentication; + goto parse_flag; + + case oKbdInteractiveDevices: + charptr = &options->kbd_interactive_devices; + goto parse_string; + case oDSAAuthentication: intptr = &options->dsa_authentication; goto parse_flag; @@ -664,6 +674,8 @@ options->afs_token_passing = -1; #endif options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->kbd_interactive_devices = NULL; options->rhosts_rsa_authentication = -1; options->fallback_to_rsh = -1; options->use_rsh = -1; @@ -734,6 +746,8 @@ #endif /* AFS */ if (options->password_authentication == -1) options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) + options->kbd_interactive_authentication = 0; if (options->rhosts_rsa_authentication == -1) options->rhosts_rsa_authentication = 1; if (options->fallback_to_rsh == -1) diff -ru openssh-2.2.0p1/readconf.h openssh-2.3.0p1/readconf.h --- openssh-2.2.0p1/readconf.h 2000-06-22 21:32:32.000000000 +1000 +++ openssh-2.3.0p1/readconf.h 2000-10-14 16:23:12.000000000 +1100 
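Review bot: The `#ifndef HAVE_CYGWIN` added at the top of the `@@ -174` hunk removes the privileged-port check (`port < IPPORT_RESERVED && original_real_uid != 0`) for that platform without saying why, which leaves a security-relevant exception undocumented in the source. A comment on the `#ifndef` such as `/* No privileged-port restriction exists on Cygwin, so there is nothing to enforce here -- confirm against the platform. */` records the rationale where the next maintainer will look for it. The enclosing function's signature is visible only in part (`u_short host_port)`), so its start lies outside the hunk.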
@@ -1,19 +1,17 @@ /* - * - * readconf.h - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Sat Apr 22 00:25:29 1995 ylo - * * Functions for reading the configuration file. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: readconf.h,v 1.20 2000/06/20 01:39:43 markus Exp $"); */ +/* RCSID("$OpenBSD: readconf.h,v 1.22 2000/10/11 20:14:39 markus Exp $"); */ #ifndef READCONF_H #define READCONF_H @@ -49,6 +47,8 @@ #endif int password_authentication; /* Try password * authentication. */ + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ + char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ int fallback_to_rsh;/* Use rsh if cannot connect with ssh. */ int use_rsh; /* Always use rsh (don\'t try ssh). */ int batch_mode; /* Batch mode: do not ask for passwords. */ diff -ru openssh-2.2.0p1/readpass.c openssh-2.3.0p1/readpass.c --- openssh-2.2.0p1/readpass.c 2000-06-22 21:32:32.000000000 +1000 +++ openssh-2.3.0p1/readpass.c 2000-10-14 16:23:12.000000000 +1100 
@@ -32,88 +32,24 @@ */ #include "includes.h" -RCSID("$OpenBSD: readpass.c,v 1.11 2000/06/20 01:39:44 markus Exp $"); +RCSID("$OpenBSD: readpass.c,v 1.12 2000/10/11 20:14:39 markus Exp $"); #include "xmalloc.h" #include "ssh.h" - -volatile int intr; - -void -intcatch() -{ - intr = 1; -} +#include "cli.h" /* * Reads a passphrase from /dev/tty with echo turned off. Returns the * passphrase (allocated with xmalloc), being very careful to ensure that * no other userland buffer is storing the password. */ +/* + * Note: the funcationallity of this routing has been moved to + * cli_read_passphrase(). This routing remains to maintain + * compatibility with existing code. + */ char * -read_passphrase(const char *prompt, int from_stdin) +read_passphrase(char *prompt, int from_stdin) { - char buf[1024], *p, ch; - struct termios tio, saved_tio; - sigset_t oset, nset; - struct sigaction sa, osa; - int input, output, echo = 0; - - if (from_stdin) { - input = STDIN_FILENO; - output = STDERR_FILENO; - } else - input = output = open("/dev/tty", O_RDWR); - - if (input == -1) - fatal("You have no controlling tty. 
Cannot read passphrase.\n"); - - /* block signals, get terminal modes and turn off echo */ - sigemptyset(&nset); - sigaddset(&nset, SIGTSTP); - (void) sigprocmask(SIG_BLOCK, &nset, &oset); - memset(&sa, 0, sizeof(sa)); - sa.sa_handler = intcatch; - (void) sigaction(SIGINT, &sa, &osa); - - intr = 0; - - if (tcgetattr(input, &saved_tio) == 0 && (saved_tio.c_lflag & ECHO)) { - echo = 1; - tio = saved_tio; - tio.c_lflag &= ~(ECHO | ECHOE | ECHOK | ECHONL); - (void) tcsetattr(input, TCSANOW, &tio); - } - - fflush(stdout); - - (void)write(output, prompt, strlen(prompt)); - for (p = buf; read(input, &ch, 1) == 1 && ch != '\n';) { - if (intr) - break; - if (p < buf + sizeof(buf) - 1) - *p++ = ch; - } - *p = '\0'; - if (!intr) - (void)write(output, "\n", 1); - - /* restore terminal modes and allow signals */ - if (echo) - tcsetattr(input, TCSANOW, &saved_tio); - (void) sigprocmask(SIG_SETMASK, &oset, NULL); - (void) sigaction(SIGINT, &osa, NULL); - - if (intr) { - kill(getpid(), SIGINT); - sigemptyset(&nset); - /* XXX tty has not neccessarily drained by now? */ - sigsuspend(&nset); - } - - if (!from_stdin) - (void)close(input); - p = xstrdup(buf); - memset(buf, 0, sizeof(buf)); - return (p); + return cli_read_passphrase(prompt, from_stdin, 0); } Only in openssh-2.3.0p1: rijndael.c Only in openssh-2.3.0p1: rijndael.h diff -ru openssh-2.2.0p1/rsa.c openssh-2.3.0p1/rsa.c --- openssh-2.2.0p1/rsa.c 2000-06-22 21:32:32.000000000 +1000 +++ openssh-2.3.0p1/rsa.c 2000-09-29 12:12:36.000000000 +1100 
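Review bot: The new `read_passphrase` signature drops the `const` from `prompt` (`char *prompt` replaces `const char *prompt`) although the wrapper only forwards it; if `cli_read_passphrase` in cli.h accepts a `const char *`, keep `read_passphrase(const char *prompt, int from_stdin)` so existing callers passing string literals are not silently weakened. The added comment also has typos: "funcationallity of this routing has been moved to cli_read_passphrase(). This routing remains" should read "functionality of this routine has been moved to cli_read_passphrase(). This routine remains". The retained header comment still promises the passphrase is read "being very careful to ensure that no other userland buffer is storing the password"; that guarantee now rests entirely on `cli_read_passphrase`, which is not visible here, so the comment should either be verified against cli.c or moved there.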
@@ -1,15 +1,40 @@ /* - * - * rsa.c - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved * - * Created: Fri Mar 3 22:07:06 1995 ylo + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * + * + * Copyright (c) 1999 Niels Provos. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * * - * Description of the RSA algorithm can be found e.g. from the following sources: + * Description of the RSA algorithm can be found e.g. 
from the following + * sources: * * Bruce Schneier: Applied Cryptography. John Wiley & Sons, 1994. * @@ -25,17 +50,17 @@ * Hans Riesel: Prime Numbers and Computer Methods for Factorization. * Birkhauser, 1994. * - * The RSA Frequently Asked Questions document by RSA Data Security, Inc., 1995. + * The RSA Frequently Asked Questions document by RSA Data Security, + * Inc., 1995. * - * RSA in 3 lines of perl by Adam Back , 1995, as included - * below: + * RSA in 3 lines of perl by Adam Back , 1995, as + * included below: * * [gone - had to be deleted - what a pity] - * -*/ + */ #include "includes.h" -RCSID("$OpenBSD: rsa.c,v 1.15 2000/06/20 01:39:44 markus Exp $"); +RCSID("$OpenBSD: rsa.c,v 1.16 2000/09/07 20:27:53 deraadt Exp $"); #include "rsa.h" #include "ssh.h" @@ -58,21 +83,6 @@ } /* - * Key generation progress meter callback - */ -void -keygen_progress(int p, int n, void *arg) -{ - const char progress_chars[] = ".o+O?"; - - if ((p < 0) || (p > (sizeof(progress_chars) - 2))) - p = sizeof(progress_chars) - 2; - - putchar(progress_chars[p]); - fflush(stdout); -} - -/* * Generates RSA public and private keys. This initializes the data * structures; they should be freed with rsa_clear_private_key and * rsa_clear_public_key. @@ -88,11 +98,8 @@ if (rsa_verbose) { printf("Generating RSA keys: "); fflush(stdout); - key = RSA_generate_key(bits, 35, keygen_progress, NULL); - printf("\n"); - } else { - key = RSA_generate_key(bits, 35, NULL, NULL); } + key = RSA_generate_key(bits, 35, NULL, NULL); if (key == NULL) fatal("rsa_generate_key: key generation failed."); diff -ru openssh-2.2.0p1/rsa.h openssh-2.3.0p1/rsa.h --- openssh-2.2.0p1/rsa.h 2000-06-22 21:32:32.000000000 +1000 +++ openssh-2.3.0p1/rsa.h 2000-09-16 13:29:09.000000000 +1100 
@@ -1,19 +1,17 @@ /* - * - * rsa.h - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Fri Mar 3 22:01:06 1995 ylo - * * RSA key generation, encryption and decryption. * -*/ + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + */ -/* RCSID("$OpenBSD: rsa.h,v 1.7 2000/06/20 01:39:44 markus Exp $"); */ +/* RCSID("$OpenBSD: rsa.h,v 1.8 2000/09/07 20:27:53 deraadt Exp $"); */ #ifndef RSA_H #define RSA_H diff -ru openssh-2.2.0p1/scp.0 openssh-2.3.0p1/scp.0 --- openssh-2.2.0p1/scp.0 2000-09-02 10:08:45.000000000 +1100 +++ openssh-2.3.0p1/scp.0 2000-11-06 14:25:19.000000000 +1100 @@ -5,8 +5,8 @@ scp - secure copy (remote file copy program) SYNOPSIS - scp [-pqrvC46] [-P port] [-c cipher] [-i identity_file] - [[user@]host1:]file1 [...] [[user@]host2:]file2 + scp [-pqrvC46] [-S program] [-P port] [-c cipher] [-i identity_file] [-o + option] [[user@]host1:]file1 [...] [[user@]host2:]file2 DESCRIPTION scp copies files between hosts on a network. It uses ssh(1) for data @@ -32,9 +32,6 @@ -p Preserves modification times, access times, and modes from the original file. - -S Name of program to use for the encrypted connection. The program - must understand ssh(1) options. - -r Recursively copy entire directories. -v Verbose mode. Causes scp and ssh(1) to print debugging messages 
@@ -55,9 +52,13 @@ reserved for preserving the times and modes of the file in rcp(1). - -S Name of program to use for the encrypted connection. The program + -S program + Name of program to use for the encrypted connection. The program must understand ssh(1) options. + -o option + The given option is directly passed to ssh(1). + -4 Forces scp to use IPv4 addresses only. -6 Forces scp to use IPv6 addresses only. diff -ru openssh-2.2.0p1/scp.1 openssh-2.3.0p1/scp.1 --- openssh-2.2.0p1/scp.1 2000-08-23 10:46:24.000000000 +1000 +++ openssh-2.3.0p1/scp.1 2000-11-06 12:39:34.000000000 +1100 @@ -9,7 +9,7 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $Id: scp.1,v 1.9 2000/08/19 02:26:08 deraadt Exp $ +.\" $OpenBSD: scp.1,v 1.13 2000/10/16 09:38:44 djm Exp $ .\" .Dd September 25, 1999 .Dt SCP 1 @@ -20,9 +20,11 @@ .Sh SYNOPSIS .Nm scp .Op Fl pqrvC46 +.Op Fl S Ar program .Op Fl P Ar port .Op Fl c Ar cipher .Op Fl i Ar identity_file +.Op Fl o Ar option .Sm off .Oo .Op Ar user@ @@ -68,11 +70,6 @@ .It Fl p Preserves modification times, access times, and modes from the original file. -.It Fl S -Name of program to use for the encrypted connection. -The program must understand -.Xr ssh 1 -options. .It Fl r Recursively copy entire directories. .It Fl v @@ -103,11 +100,16 @@ .Fl p is already reserved for preserving the times and modes of the file in .Xr rcp 1 . -.It Fl S -Name of program to use for the encrypted connection. The program must -understand +.It Fl S Ar program +Name of +.Ar program +to use for the encrypted connection. +The program must understand .Xr ssh 1 options. +.It Fl o Ar option +The given option is directly passed to +.Xr ssh 1 . .It Fl 4 Forces .Nm diff -ru openssh-2.2.0p1/scp.c openssh-2.3.0p1/scp.c --- openssh-2.2.0p1/scp.c 2000-08-30 10:11:30.000000000 +1100 +++ openssh-2.3.0p1/scp.c 2000-10-28 14:19:58.000000000 +1100 
@@ -1,14 +1,42 @@ /* + * scp - secure remote copy. This is basically patched BSD rcp which + * uses ssh to do the data transfer (instead of using rcmd). * - * scp - secure remote copy. This is basically patched BSD rcp which uses ssh - * to do the data transfer (instead of using rcmd). - * - * NOTE: This version should NOT be suid root. (This uses ssh to do the transfer - * and ssh has the necessary privileges.) + * NOTE: This version should NOT be suid root. (This uses ssh to + * do the transfer and ssh has the necessary privileges.) * * 1995 Timo Rinne , Tatu Ylonen * -*/ + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + */ +/* + * Copyright (c) 1999 Theo de Raadt. All rights reserved. + * Copyright (c) 1999 Aaron Campbell. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ /* * Parts from: @@ -47,13 +75,14 @@ */ #include "includes.h" -RCSID("$OpenBSD: scp.c,v 1.36 2000/08/24 21:46:59 deraadt Exp $"); +RCSID("$OpenBSD: scp.c,v 1.43 2000/10/18 18:23:02 markus Exp $"); #include "ssh.h" #include "xmalloc.h" -#include +#ifndef _PATH_CP #define _PATH_CP "cp" +#endif /* For progressmeter() -- number of seconds before xfer considered "stalled" */ #define STALLTIME 5 @@ -73,6 +102,9 @@ int getttywidth(void); int do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc); +/* setup arguments for the call to ssh */ +void addargs(char *fmt, ...) __attribute__((format(printf, 1, 2))); + /* Time a transfer started. */ static struct timeval start; @@ -85,12 +117,6 @@ /* Name of current file being transferred. */ char *curfile; -/* This is set to non-zero if IPv4 is desired. */ -int IPv4 = 0; - -/* This is set to non-zero if IPv6 is desired. */ -int IPv6 = 0; - /* This is set to non-zero to enable verbose mode. */ int verbose_mode = 0; 
@@ -100,23 +126,16 @@ /* This is set to zero if the progressmeter is not desired. */ int showprogress = 1; -/* This is set to non-zero if running in batch mode (that is, password - and passphrase queries are not allowed). */ -int batchmode = 0; - -/* This is set to the cipher type string if given on the command line. */ -char *cipher = NULL; - -/* This is set to the RSA authentication identity file name if given on - the command line. */ -char *identity = NULL; - -/* This is the port to use in contacting the remote site (is non-NULL). */ -char *port = NULL; - /* This is the program to execute for the secured connection. ("ssh" or -S) */ char *ssh_program = SSH_PROGRAM; +/* This is the list of arguments that scp passes to ssh */ +struct { + char **list; + int num; + int nalloc; +} args; + /* * This function executes the given command as the specified user on the * given host. This returns < 0 if execution fails, and >= 0 otherwise. This @@ -129,8 +148,8 @@ int pin[2], pout[2], reserved[2]; if (verbose_mode) - fprintf(stderr, "Executing: host %s, user %s, command %s\n", - host, remuser ? remuser : "(unspecified)", cmd); + fprintf(stderr, "Executing: program %s host %s, user %s, command %s\n", + ssh_program, host, remuser ? remuser : "(unspecified)", cmd); /* * Reserve two descriptors so that the real pipes won't get @@ -149,10 +168,7 @@ close(reserved[1]); /* For a child to execute the command on the remote host using ssh. */ - if (fork() == 0) { - char *args[100]; /* XXX careful */ - unsigned int i; - + if (fork() == 0) { /* Child. */ close(pin[1]); close(pout[0]); 
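Review bot: The new argument-vector object in the `@@ -100` hunk, `struct { char **list; int num; int nalloc; } args;`, is defined with external linkage, while the neighbouring file-scope state such as `static struct timeval start;` is file-local; `static struct { ... } args;` keeps the symbol out of the global namespace, and a short comment on `nalloc` (`/* slots allocated, including the terminating NULL */`) would make the growth test in `addargs` easier to follow. In the `@@ -149` hunk, `if (fork() == 0) { /* Child. */` still does not distinguish a failed `fork()` returning -1 from the parent path; this predates the change, but since the line was touched, `pid_t pid = fork(); if (pid == -1) ...` would be the place to handle it.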
@@ -161,41 +177,13 @@ close(pin[0]); close(pout[1]); - i = 0; - args[i++] = ssh_program; - args[i++] = "-x"; - args[i++] = "-oFallBackToRsh no"; - if (IPv4) - args[i++] = "-4"; - if (IPv6) - args[i++] = "-6"; - if (verbose_mode) - args[i++] = "-v"; - if (compress_flag) - args[i++] = "-C"; - if (batchmode) - args[i++] = "-oBatchMode yes"; - if (cipher != NULL) { - args[i++] = "-c"; - args[i++] = cipher; - } - if (identity != NULL) { - args[i++] = "-i"; - args[i++] = identity; - } - if (port != NULL) { - args[i++] = "-p"; - args[i++] = port; - } - if (remuser != NULL) { - args[i++] = "-l"; - args[i++] = remuser; - } - args[i++] = host; - args[i++] = cmd; - args[i++] = NULL; + args.list[0] = ssh_program; + if (remuser != NULL) + addargs("-l%s", remuser); + addargs("%s", host); + addargs("%s", cmd); - execvp(ssh_program, args); + execvp(ssh_program, args.list); perror(ssh_program); exit(1); } @@ -261,27 +249,45 @@ extern char *optarg; extern int optind; + args.list = NULL; + addargs("ssh"); /* overwritten with ssh_program */ + addargs("-x"); + addargs("-oFallBackToRsh no"); + fflag = tflag = 0; - while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S")) != EOF) + while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:o:")) != EOF) switch (ch) { /* User-visible flags. */ case '4': - IPv4 = 1; - break; case '6': - IPv6 = 1; + case 'C': + addargs("-%c", ch); break; - case 'p': - pflag = 1; + case 'o': + case 'c': + case 'i': + addargs("-%c%s", ch, optarg); break; case 'P': - port = optarg; + addargs("-p%s", optarg); + break; + case 'B': + addargs("-oBatchmode yes"); + break; + case 'p': + pflag = 1; break; case 'r': iamrecursive = 1; break; case 'S': - ssh_program = optarg; + ssh_program = xstrdup(optarg); + break; + case 'v': + verbose_mode = 1; + break; + case 'q': + showprogress = 0; break; /* Server options. */ 
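Review bot: `addargs("%s", host);` in the `@@ -161` hunk appends the user-supplied host name directly after the option list, so a host string beginning with `-` would be parsed by ssh as an option instead of a destination; inserting `addargs("--");` immediately before it ends option parsing, assuming ssh's getopt honours `--` as standard getopt does. In the `@@ -261` hunk, `case 'B'` now passes `"-oBatchmode yes"` whereas the removed code and the `"-oFallBackToRsh no"` line above use the documented keyword casing (`BatchMode`); the readconf matcher is presumably case-insensitive, but consistent spelling avoids the question. The `'o'` case forwards arbitrary `-o` options to ssh, which is the documented feature of this change, so a comment to that effect on the case label would help a reader distinguish it from the fixed options built here.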
@@ -296,24 +302,6 @@ iamremote = 1; tflag = 1; break; - case 'c': - cipher = optarg; - break; - case 'i': - identity = optarg; - break; - case 'v': - verbose_mode = 1; - break; - case 'B': - batchmode = 1; - break; - case 'C': - compress_flag = 1; - break; - case 'q': - showprogress = 0; - break; case '?': default: usage(); @@ -683,8 +671,8 @@ off_t size; int setimes, targisdir, wrerrno = 0; char ch, *cp, *np, *targ, *why, *vect[1], buf[2048]; - struct utimbuf ut; int dummy_usec; + struct timeval tv[2]; #define SCREWUP(str) { why = str; goto screwup; } @@ -738,16 +726,18 @@ if (*cp == 'T') { setimes++; cp++; - getnum(ut.modtime); + getnum(tv[1].tv_sec); if (*cp++ != ' ') SCREWUP("mtime.sec not delimited"); getnum(dummy_usec); + tv[1].tv_usec = 0; if (*cp++ != ' ') SCREWUP("mtime.usec not delimited"); - getnum(ut.actime); + getnum(tv[0].tv_sec); if (*cp++ != ' ') SCREWUP("atime.sec not delimited"); getnum(dummy_usec); + tv[0].tv_usec = 0; if (*cp++ != '\0') SCREWUP("atime.usec not delimited"); (void) atomicio(write, remout, "", 1); @@ -815,7 +805,7 @@ sink(1, vect); if (setimes) { setimes = 0; - if (utime(np, &ut) < 0) + if (utimes(np, tv) < 0) run_err("%s: set times: %s", np, strerror(errno)); } @@ -848,8 +838,10 @@ amt = size - i; count += amt; do { - j = atomicio(read, remin, cp, amt); - if (j <= 0) { + j = read(remin, cp, amt); + if (j == -1 && (errno == EINTR || errno == EAGAIN)) { + continue; + } else if (j <= 0) { run_err("%s", j ? strerror(errno) : "dropped connection"); exit(1); @@ -886,12 +878,20 @@ #endif if (pflag) { if (exists || omode != mode) +#ifdef HAVE_FCHMOD if (fchmod(ofd, omode)) +#else /* HAVE_FCHMOD */ + if (chmod(np, omode)) +#endif /* HAVE_FCHMOD */ run_err("%s: set mode: %s", np, strerror(errno)); } else { if (!exists && omode != mode) +#ifdef HAVE_FCHMOD if (fchmod(ofd, omode & ~mask)) +#else /* HAVE_FCHMOD */ + if (chmod(np, omode & ~mask)) +#endif /* HAVE_FCHMOD */ run_err("%s: set mode: %s", np, strerror(errno)); } 
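Review bot: The `#ifndef HAVE_FCHMOD` fallbacks in the `@@ -886` hunk call `chmod(np, ...)` on the path instead of on the already-open descriptor `ofd`, so on such platforms the mode change applies to whatever `np` names at that instant rather than to the file just written; if the fallback must stay, mark the weaker guarantee, e.g. `/* No fchmod(): chmod() by path cannot be bound to ofd and is racy against renames of np. */`. In the `@@ -848` hunk the retry on `EAGAIN` uses `continue` inside the `do`/`while`, which busy-loops if `remin` were ever non-blocking; this is fine only as long as `remin` is always a blocking descriptor, which the hunk does not show. The enclosing `sink()` function starts and ends outside these hunks.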
@@ -902,7 +902,7 @@ (void) response(); if (setimes && wrerr == NO) { setimes = 0; - if (utime(np, &ut) < 0) { + if (utimes(np, tv) < 0) { run_err("%s: set times: %s", np, strerror(errno)); wrerr = DISPLAYED; @@ -1057,6 +1057,7 @@ int fd, blksize; { size_t size; +#ifdef HAVE_ST_BLKSIZE struct stat stb; if (fstat(fd, &stb) < 0) { @@ -1068,6 +1069,9 @@ else size = blksize + (stb.st_blksize - blksize % stb.st_blksize) % stb.st_blksize; +#else /* HAVE_ST_BLKSIZE */ + size = blksize; +#endif /* HAVE_ST_BLKSIZE */ if (bp->cnt >= size) return (bp); if (bp->buf == NULL) @@ -1117,8 +1121,17 @@ if (pgrp == -1) pgrp = getpgrp(); +#ifdef HAVE_CYGWIN + /* + * Cygwin only supports tcgetpgrp() for getting the controlling tty + * currently. + */ + return ((ctty_pgrp = tcgetpgrp(STDOUT_FILENO)) != -1 && + ctty_pgrp == pgrp); +#else return ((ioctl(STDOUT_FILENO, TIOCGPGRP, &ctty_pgrp) != -1 && ctty_pgrp == pgrp)); +#endif } void @@ -1235,3 +1248,25 @@ else return (80); } + +void +addargs(char *fmt, ...) +{ + va_list ap; + char buf[1024]; + + va_start(ap, fmt); + vsnprintf(buf, sizeof(buf), fmt, ap); + va_end(ap); + + if (args.list == NULL) { + args.nalloc = 32; + args.num = 0; + args.list = xmalloc(args.nalloc * sizeof(char *)); + } else if (args.num+2 >= args.nalloc) { + args.nalloc *= 2; + args.list = xrealloc(args.list, args.nalloc * sizeof(char *)); + } + args.list[args.num++] = xstrdup(buf); + args.list[args.num] = NULL; +} diff -ru openssh-2.2.0p1/servconf.c openssh-2.3.0p1/servconf.c --- openssh-2.2.0p1/servconf.c 2000-08-18 13:59:06.000000000 +1000 +++ openssh-2.3.0p1/servconf.c 2000-10-16 12:14:42.000000000 +1100 
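Review bot: `addargs()` in the `@@ -1235` hunk discards the return value of `vsnprintf(buf, sizeof(buf), fmt, ap);`, so any argument longer than 1023 bytes (a long remote path in `cmd`, for example) is silently truncated before it is handed to `execvp`, changing what ssh is asked to run without any diagnostic. Capture and check the length: `int n = vsnprintf(buf, sizeof(buf), fmt, ap);` then `if (n < 0 || (size_t)n >= sizeof(buf)) fatal("addargs: argument too long");`, using `fatal()` as the `xmalloc` wrappers called here already do. The function also needs a header comment stating that it owns the strings it stores (each is an `xstrdup` copy) and keeps `args.list` NULL-terminated for `execvp`.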
@@ -1,18 +1,16 @@ /* - * - * servconf.c - * - * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved * - * Created: Mon Aug 21 15:48:58 1995 ylo - * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.50 2000/07/22 09:14:36 markus Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.53 2000/10/14 12:12:09 markus Exp $"); #include "ssh.h" #include "servconf.h" @@ -63,11 +61,13 @@ options->afs_token_passing = -1; #endif options->password_authentication = -1; + options->kbd_interactive_authentication = -1; #ifdef SKEY options->skey_authentication = -1; #endif options->permit_empty_passwd = -1; options->use_login = -1; + options->allow_tcp_forwarding = -1; options->num_allow_users = 0; options->num_deny_users = 0; options->num_allow_groups = 0; @@ -150,6 +150,8 @@ #endif /* AFS */ if (options->password_authentication == -1) options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) + options->kbd_interactive_authentication = 0; #ifdef SKEY if (options->skey_authentication == -1) options->skey_authentication = 1; @@ -158,6 +160,8 @@ options->permit_empty_passwd = 0; if (options->use_login == -1) options->use_login = 0; + if (options->allow_tcp_forwarding == -1) + options->allow_tcp_forwarding = 1; if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_1|SSH_PROTO_2; if (options->gateway_ports == -1) 
@@ -185,10 +189,11 @@ #ifdef SKEY sSkeyAuthentication, #endif - sPasswordAuthentication, sListenAddress, + sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, - sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, + sUseLogin, sAllowTcpForwarding, + sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile, sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem, sMaxStartups } ServerOpCodes; @@ -222,6 +227,7 @@ { "afstokenpassing", sAFSTokenPassing }, #endif { "passwordauthentication", sPasswordAuthentication }, + { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, #ifdef SKEY { "skeyauthentication", sSkeyAuthentication }, #endif @@ -238,6 +244,7 @@ { "uselogin", sUseLogin }, { "randomseed", sRandomSeedFile }, { "keepalive", sKeepAlives }, + { "allowtcpforwarding", sAllowTcpForwarding }, { "allowusers", sAllowUsers }, { "denyusers", sDenyUsers }, { "allowgroups", sAllowGroups }, @@ -499,6 +506,10 @@ intptr = &options->password_authentication; goto parse_flag; + case sKbdInteractiveAuthentication: + intptr = &options->kbd_interactive_authentication; + goto parse_flag; + case sCheckMail: intptr = &options->check_mail; goto parse_flag; @@ -567,6 +578,10 @@ *intptr = (LogLevel) value; break; + case sAllowTcpForwarding: + intptr = &options->allow_tcp_forwarding; + goto parse_flag; + case sAllowUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_allow_users >= MAX_ALLOW_USERS) diff -ru openssh-2.2.0p1/servconf.h openssh-2.3.0p1/servconf.h --- openssh-2.2.0p1/servconf.h 2000-08-18 13:59:06.000000000 +1000 +++ openssh-2.3.0p1/servconf.h 2000-10-16 12:14:43.000000000 +1100 
@@ -1,19 +1,17 @@ /* - * - * servconf.h - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * - * Created: Mon Aug 21 15:35:03 1995 ylo - * * Definitions for server configuration data and for the functions reading it. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: servconf.h,v 1.27 2000/07/22 09:14:36 markus Exp $"); */ +/* RCSID("$OpenBSD: servconf.h,v 1.30 2000/10/14 12:12:09 markus Exp $"); */ #ifndef SERVCONF_H #define SERVCONF_H @@ -80,6 +78,7 @@ #endif int password_authentication; /* If true, permit password * authentication. */ + int kbd_interactive_authentication; /* If true, permit */ #ifdef SKEY int skey_authentication; /* If true, permit s/key * authentication. */ @@ -87,6 +86,7 @@ int permit_empty_passwd; /* If false, do not permit empty * passwords. */ int use_login; /* If true, login(1) is used */ + int allow_tcp_forwarding; unsigned int num_allow_users; char *allow_users[MAX_ALLOW_USERS]; unsigned int num_deny_users; diff -ru openssh-2.2.0p1/serverloop.c openssh-2.3.0p1/serverloop.c --- openssh-2.2.0p1/serverloop.c 2000-07-11 17:31:38.000000000 +1000 +++ openssh-2.3.0p1/serverloop.c 2000-10-28 14:19:58.000000000 +1100 
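Review bot: The comment on the new `kbd_interactive_authentication` field is cut off (`/* If true, permit */`), and `allow_tcp_forwarding` in the following hunk `@@ -87,6 +86,7 @@` has none, so the header no longer tells a reader what either flag gates or what its default is. The servconf.c hunks set both to -1 at initialisation and resolve -1 to 0 and 1 respectively, and the serverloop.c and session.c hunks test `options.allow_tcp_forwarding` to refuse direct-tcpip channel opens and port-forward requests. Suggest `int kbd_interactive_authentication; /* If true, permit keyboard-interactive authentication (default: off). */` and `int allow_tcp_forwarding; /* If false, refuse all TCP forwarding requests (default: on). */`.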
@@ -2,15 +2,41 @@ * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * Created: Sun Sep 10 00:30:37 1995 ylo * Server main loop for handling the interactive session. - */ -/* + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * * SSH2 support by Markus Friedl. * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ #include "includes.h" +RCSID("$OpenBSD: serverloop.c,v 1.34 2000/10/27 07:32:18 markus Exp $"); + #include "xmalloc.h" #include "ssh.h" #include "packet.h" @@ -25,6 +51,8 @@ #include "dispatch.h" #include "auth-options.h" +extern ServerOptions options; + static Buffer stdin_buffer; /* Buffer for stdin data. */ static Buffer stdout_buffer; /* Buffer for stdout data. */ static Buffer stderr_buffer; /* Buffer for stderr data. */ @@ -73,9 +101,10 @@ error("Strange, got SIGCHLD and wait returned pid %d but child is %d", wait_pid, child_pid); if (WIFEXITED(child_wait_status) || - WIFSIGNALED(child_wait_status)) + WIFSIGNALED(child_wait_status)) { child_terminated = 1; child_has_selected = 0; + } } signal(SIGCHLD, sigchld_handler); errno = save_errno; @@ -86,6 +115,7 @@ int save_errno = errno; debug("Received SIGCHLD."); child_terminated = 1; + child_has_selected = 0; errno = save_errno; } @@ -364,7 +394,7 @@ void process_buffered_input_packets() { - dispatch_run(DISPATCH_NONBLOCK, NULL); + dispatch_run(DISPATCH_NONBLOCK, NULL, NULL); } /* @@ -393,6 +423,7 @@ child_terminated = 0; child_has_selected = 0; signal(SIGCHLD, sigchld_handler); + signal(SIGPIPE, SIG_IGN); /* Initialize our global variables. */ fdin = fdin_arg; @@ -626,6 +657,7 @@ debug("Entering interactive session for SSH2."); signal(SIGCHLD, sigchld_handler2); + signal(SIGPIPE, SIG_IGN); child_terminated = 0; connection_in = packet_get_connection_in(); connection_out = packet_get_connection_out(); @@ -645,10 +677,12 @@ if (packet_not_very_much_data_to_write()) channel_output_poll(); wait_until_can_do_something(&readset, &writeset, 0); - if (child_terminated) { + if (child_terminated && child_has_selected) { + /* XXX: race - assumes only one child has terminated */ while ((pid = waitpid(-1, &status, WNOHANG)) > 0) session_close_by_pid(pid, status); child_terminated = 0; + child_has_selected = 0; signal(SIGCHLD, sigchld_handler2); } channel_after_select(&readset, &writeset); 
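Review bot: `child_has_selected` is now cleared inside both SIGCHLD handlers and tested in the select loop (`if (child_terminated && child_has_selected)`), so like `child_terminated` it is shared between signal context and the main loop; its declaration is outside these hunks, so if the two flags are not declared `volatile sig_atomic_t` the compiler is free to cache them across the `wait_until_can_do_something` call and the `while ((pid = waitpid(-1, &status, WNOHANG)) > 0)` reap can be skipped or repeated. Suggest `volatile sig_atomic_t child_terminated, child_has_selected;` at the declaration site. The `/* XXX: race - assumes only one child has terminated */` line records a different, already acknowledged problem and is not what this note is about. The `error()`/`debug()` calls from the handlers predate this change but are worth a comment that the added stores are the only async-signal-safe work done there.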
@@ -662,7 +696,7 @@ } void -server_input_stdin_data(int type, int plen) +server_input_stdin_data(int type, int plen, void *ctxt) { char *data; unsigned int data_len; @@ -679,7 +713,7 @@ } void -server_input_eof(int type, int plen) +server_input_eof(int type, int plen, void *ctxt) { /* * Eof from the client. The stdin descriptor to the @@ -692,7 +726,7 @@ } void -server_input_window_size(int type, int plen) +server_input_window_size(int type, int plen, void *ctxt) { int row = packet_get_int(); int col = packet_get_int(); @@ -722,7 +756,7 @@ originator, originator_port, target, target_port); /* XXX check permission */ - if (no_port_forwarding_flag) { + if (no_port_forwarding_flag || !options.allow_tcp_forwarding) { xfree(target); xfree(originator); return -1; @@ -733,11 +767,12 @@ if (sock < 0) return -1; return channel_new("direct-tcpip", SSH_CHANNEL_OPEN, - sock, sock, -1, 4*1024, 32*1024, 0, xstrdup("direct-tcpip")); + sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, + CHAN_TCP_PACKET_DEFAULT, 0, xstrdup("direct-tcpip"), 1); } void -server_input_channel_open(int type, int plen) +server_input_channel_open(int type, int plen, void *ctxt) { Channel *c = NULL; char *ctype; @@ -752,7 +787,7 @@ rwindow = packet_get_int(); rmaxpack = packet_get_int(); - debug("channel_input_open: ctype %s rchan %d win %d max %d", + debug("server_input_channel_open: ctype %s rchan %d win %d max %d", ctype, rchan, rwindow, rmaxpack); if (strcmp(ctype, "session") == 0) { 
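Review bot: The new refusal in server_request_direct_tcpip, `if (no_port_forwarding_flag || !options.allow_tcp_forwarding)`, frees `target`/`originator` and returns -1 without logging, whereas the SSH1 path in session.c reports `debug("Port forwarding not permitted.")` when the same option is off, so an administrator who sets AllowTcpForwarding to no sees nothing when a client keeps trying. Suggest `debug("server_request_direct_tcpip: forwarding to %.100s port %d refused", target, target_port);` before the two `xfree` calls, since both values are already decoded at that point. The `/* XXX check permission */` marker above the test can then go, as this line is now the permission check.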
@@ -766,7 +801,8 @@ * CHANNEL_REQUEST messages is registered. */ id = channel_new(ctype, SSH_CHANNEL_LARVAL, - -1, -1, -1, 0, 32*1024, 0, xstrdup("server-session")); + -1, -1, -1, 0, CHAN_SES_PACKET_DEFAULT, + 0, xstrdup("server-session"), 1); if (session_open(id) == 1) { channel_register_callback(id, SSH2_MSG_CHANNEL_REQUEST, session_input_channel_req, (void *)0); diff -ru openssh-2.2.0p1/session.c openssh-2.3.0p1/session.c --- openssh-2.2.0p1/session.c 2000-08-30 09:21:22.000000000 +1100 +++ openssh-2.3.0p1/session.c 2000-10-28 14:19:58.000000000 +1100 
@@ -1,21 +1,45 @@ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - */ -/* + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * * SSH2 support by Markus Friedl. * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.31 2000/08/28 03:50:54 deraadt Exp $"); +RCSID("$OpenBSD: session.c,v 1.42 2000/10/27 07:32:18 markus Exp $"); #include "xmalloc.h" #include "ssh.h" #include "pty.h" #include "packet.h" #include "buffer.h" -#include "cipher.h" #include "mpaux.h" #include "servconf.h" #include "uidswap.h" @@ -41,6 +65,12 @@ # include #endif +#ifdef HAVE_CYGWIN +#include +#include +#define is_winnt (GetVersion() < 0x80000000) +#endif + /* AIX limits */ #if defined(HAVE_GETUSERATTR) && !defined(S_UFSIZE_HARD) && defined(S_UFSIZE) # define S_UFSIZE_HARD S_UFSIZE "_hard" @@ -89,7 +119,7 @@ void session_proctitle(Session *s); void do_exec_pty(Session *s, const char *command, struct passwd * pw); void do_exec_no_pty(Session *s, const char *command, struct passwd * pw); -void do_login(Session *s); +void do_login(Session *s, const char *command); void do_child(const char *command, struct passwd * pw, const char *term, @@ -113,9 +143,13 @@ /* Local Xauthority file. */ static char *xauthfile; +/* original command from peer. */ +char *original_command = NULL; + /* data */ #define MAX_SESSIONS 10 Session sessions[MAX_SESSIONS]; + #ifdef WITH_AIXAUTHENTICATE /* AIX's lastlogin message, set in auth1.c */ char *aixloginmsg; @@ -177,7 +211,7 @@ do_authenticated(struct passwd * pw) { Session *s; - int type; + int type, fd; int compression_level = 0, enable_compression_after_reply = 0; int have_pty = 0; char *command; @@ -202,13 +236,13 @@ * by the client telling us, so we can equally well trust the client * not to request anything bogus.) */ - if (!no_port_forwarding_flag) + if (!no_port_forwarding_flag && options.allow_tcp_forwarding) channel_permit_all_opens(); s = session_new(); s->pw = pw; -#ifdef HAVE_LOGIN_CAP +#if defined(HAVE_LOGIN_CAP) && defined(HAVE_PW_CLASS_IN_PASSWD) if ((lc = login_getclass(pw->pw_class)) == NULL) { error("unable to get login class"); return; 
@@ -332,7 +366,9 @@ break; } strlcat(xauthfile, "/cookies", MAXPATHLEN); - open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600); + fd = open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600); + if (fd >= 0) + close(fd); restore_uid(); fatal_add_cleanup(xauthfile_cleanup_proc, NULL); success = 1; @@ -352,6 +388,10 @@ debug("Port forwarding not permitted for this authentication."); break; } + if (!options.allow_tcp_forwarding) { + debug("Port forwarding not permitted."); + break; + } debug("Received TCP/IP port forwarding request."); channel_input_port_forward_request(pw->pw_uid == 0, options.gateway_ports); success = 1; @@ -377,6 +417,7 @@ packet_integrity_check(plen, 0, type); } if (forced_command != NULL) { + original_command = command; command = forced_command; debug("Forced command '%.500s'", forced_command); } @@ -438,6 +479,8 @@ if (s == NULL) fatal("do_exec_no_pty: no session"); + signal(SIGPIPE, SIG_DFL); + session_proctitle(s); #ifdef USE_PAM @@ -497,6 +540,10 @@ do_child(command, pw, NULL, s->display, s->auth_proto, s->auth_data, NULL); /* NOTREACHED */ } +#ifdef HAVE_CYGWIN + if (is_winnt) + cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); +#endif if (pid < 0) packet_disconnect("fork failed: %.100s", strerror(errno)); s->pid = pid; @@ -580,14 +627,18 @@ close(ttyfd); /* record login, etc. similar to login(1) */ - if (command == NULL && !options.use_login) - do_login(s); + if (!(options.use_login && command == NULL)) + do_login(s, command); /* Do common processing for the child, such as execing the command. */ do_child(command, pw, s->term, s->display, s->auth_proto, s->auth_data, s->tty); /* NOTREACHED */ } +#ifdef HAVE_CYGWIN + if (is_winnt) + cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); +#endif if (pid < 0) packet_disconnect("fork failed: %.100s", strerror(errno)); s->pid = pid; 
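Review bot: `fd = open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600); if (fd >= 0) close(fd);` closes the descriptor that used to leak, but a failed open is still ignored: execution falls through to `restore_uid()`, `fatal_add_cleanup()` and `success = 1`, so the client is told the cookie file exists when it does not, and whatever later writes the cookie does so without the O_EXCL guarantee this line was meant to give. Suggest handling failure like the other errors in this case, along the lines of `if (fd < 0) { error("open %.100s: %.100s", xauthfile, strerror(errno)); restore_uid(); break; }` with `success` left at 0, so a log line records why X11 forwarding was refused. The same two-line pattern appears in the session_x11_req hunk `@@ -1555,7 +1671,9 @@` of this file, which should return 0 on failure instead of 1.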
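Review bot: The added `signal(SIGPIPE, SIG_DFL)` in do_exec_no_pty executes in the parent sshd before `session_proctitle(s)` and the PAM setup, and the fork is outside this hunk, so as far as I can see it cancels the `signal(SIGPIPE, SIG_IGN)` the serverloop.c hunks install in server_loop and server_loop2; for SSH2, where session channels are opened after server_loop2 has started, a write to a pipe whose reader has gone away could then terminate sshd instead of returning EPIPE. If the intent is to give the child default SIGPIPE handling, the call belongs inside the `if ((pid = fork()) == 0)` branch next to the other child-only setup, and do_exec_pty would need the same line. Please confirm the position of the fork relative to this call.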
@@ -633,11 +684,12 @@ /* administrative, login(1)-like work */ void -do_login(Session *s) +do_login(Session *s, const char *command) { FILE *f; char *time_string; char buf[256]; + char hostname[MAXHOSTNAMELEN]; socklen_t fromlen; struct sockaddr_storage from; struct stat st; @@ -659,11 +711,29 @@ } } + /* Get the time and hostname when the user last logged in. */ + hostname[0] = '\0'; + last_login_time = get_last_login_time(pw->pw_uid, pw->pw_name, + hostname, sizeof(hostname)); + /* Record that there was a login on that tty from the remote host. */ record_login(pid, s->tty, pw->pw_name, pw->pw_uid, get_remote_name_or_ip(), (struct sockaddr *)&from); - /* Done if .hushlogin exists. */ +#ifdef USE_PAM + /* + * If password change is needed, do it now. + * This needs to occur before the ~/.hushlogin check. + */ + if (pam_password_change_required()) { + print_pam_messages(); + do_pam_chauthtok(); + } +#endif + + /* Done if .hushlogin exists or a command given. */ + if (command != NULL) + return; snprintf(buf, sizeof(buf), "%.200s/.hushlogin", pw->pw_dir); #ifdef HAVE_LOGIN_CAP if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0) 
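Review bot: do_login's new `command` parameter is not documented, and its effect is not obvious from the signature: the function now records the login and, under USE_PAM, runs the password-change dialogue before the `if (command != NULL) return;` test, so only the hushlogin check and the lastlog/motd output after it are skipped for command sessions. Suggest extending the `/* administrative, login(1)-like work */` line above the definition with `/* command: the command requested by the client, or NULL for a login shell. The login is recorded (and an expired PAM password changed) in both cases; the banners that follow are printed only for a shell. */`. The do_exec_pty hunk above now calls `do_login(s, command)` for command sessions too, which is what makes this worth stating.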
@@ -673,27 +743,22 @@ return; #ifdef USE_PAM - print_pam_messages(); + if (!pam_password_change_required()) + print_pam_messages(); #endif /* USE_PAM */ #ifdef WITH_AIXAUTHENTICATE if (aixloginmsg && *aixloginmsg) printf("%s\n", aixloginmsg); #endif /* WITH_AIXAUTHENTICATE */ - /* - * Get the time when the user last logged in. 'buf' will be set - * to contain the hostname the last login was from. - */ - last_login_time = get_last_login_time(pw->pw_uid, pw->pw_name, - buf, sizeof(buf)); if (last_login_time != 0) { time_string = ctime(&last_login_time); if (strchr(time_string, '\n')) *strchr(time_string, '\n') = 0; - if (strcmp(buf, "") == 0) + if (strcmp(hostname, "") == 0) printf("Last login: %s\r\n", time_string); else - printf("Last login: %s from %s\r\n", time_string, buf); + printf("Last login: %s from %s\r\n", time_string, hostname); } if (options.print_motd) { #ifdef HAVE_LOGIN_CAP @@ -814,7 +879,7 @@ strncpy(var_name, pam_env[i], equals - pam_env[i]); strcpy(var_val, equals + 1); - debug("PAM environment: %s=%s", var_name, var_val); + debug3("PAM environment: %s=%s", var_name, var_val); child_set_env(env, envsize, var_name, var_val); } @@ -822,6 +887,32 @@ } #endif /* USE_PAM */ + +#ifdef HAVE_CYGWIN +void copy_environment(char ***env, int *envsize) +{ + char *equals, var_name[512], var_val[512]; + int i; + + for(i = 0; environ[i] != NULL; i++) { + if ((equals = strstr(environ[i], "=")) == NULL) + continue; + + if (strlen(environ[i]) < (sizeof(var_name) - 1)) { + memset(var_name, '\0', sizeof(var_name)); + memset(var_val, '\0', sizeof(var_val)); + + strncpy(var_name, environ[i], equals - environ[i]); + strcpy(var_val, equals + 1); + + debug3("Copy environment: %s=%s", var_name, var_val); + + child_set_env(env, envsize, var_name, var_val); + } + } +} +#endif + #if defined(HAVE_GETUSERATTR) /* * AIX-specific login initialisation 
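Review bot: copy_environment copies every entry of sshd's own `environ` into the user's session, so anything the daemon inherited from its launcher becomes visible to, and usable by, the logged-in account; the comment only says the Windows system settings must survive, so an allowlist of those variables would express that intent more safely than a wholesale copy — please confirm whether the set is known. Two smaller points on the same lines: `strstr(environ[i], "=")` is `strchr(environ[i], '=')`, and an entry that starts with `=` yields an empty `var_name`, so `if ((equals = strchr(environ[i], '=')) == NULL || equals == environ[i]) continue;` covers both. The memset/strncpy/strcpy split duplicates the PAM block in the hunk just above (`strncpy(var_name, pam_env[i], equals - pam_env[i]); strcpy(var_val, equals + 1);`); a shared helper would avoid maintaining two copies of the bounds reasoning.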
@@ -911,7 +1002,7 @@ const char *display, const char *auth_proto, const char *auth_data, const char *ttyname) { - const char *shell, *hostname, *cp = NULL; + const char *shell, *hostname = NULL, *cp = NULL; char buf[256]; char cmd[1024]; FILE *f = NULL; @@ -968,7 +1059,11 @@ exit(1); } #else /* HAVE_OSF_SIA */ +#ifdef HAVE_CYGWIN + if (is_winnt) { +#else if (getuid() == 0 || geteuid() == 0) { +#endif # ifdef HAVE_GETUSERATTR set_limits_from_userattr(pw->pw_name); # endif /* HAVE_GETUSERATTR */ @@ -1013,6 +1108,9 @@ } #endif /* HAVE_OSF_SIA */ +#ifdef HAVE_CYGWIN + if (is_winnt) +#endif if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); } @@ -1042,6 +1140,14 @@ env = xmalloc(envsize * sizeof(char *)); env[0] = NULL; +#ifdef HAVE_CYGWIN + /* + * The Windows environment contains some setting which are + * important for a running system. They must not be dropped. + */ + copy_environment(&env, &envsize); +#endif + if (!options.use_login) { /* Set basic environment. */ child_set_env(&env, &envsize, "USER", pw->pw_name); @@ -1050,9 +1156,17 @@ #ifdef HAVE_LOGIN_CAP (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH); child_set_env(&env, &envsize, "PATH", getenv("PATH")); -#else +#else /* HAVE_LOGIN_CAP */ +# ifndef HAVE_CYGWIN + /* + * There's no standard path on Windows. The path contains + * important components pointing to the system directories, + * needed for loading shared libraries. So the path better + * remains intact here. + */ child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); -#endif +# endif /* HAVE_CYGWIN */ +#endif /* HAVE_LOGIN_CAP */ snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); 
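Review bot: In the hunk `@@ -1013,6 +1108,9 @@` the guard `#ifdef HAVE_CYGWIN if (is_winnt) #endif` is placed in front of the brace-less `if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal(...)`, which makes the only check that the uid switch succeeded the body of another `if`: on a non-NT Cygwin host the child simply continues with whatever ids it has and nothing is logged, and the structure breaks silently the moment someone adds a statement between the two lines. Suggest braces and a visible log line, e.g. `#ifdef HAVE_CYGWIN if (!is_winnt) debug("Skipping uid verification on non-NT Windows"); else #endif { if (getuid() != pw->pw_uid || ...) fatal(...); }`, together with a comment saying why the verification is meaningless there (presumably no per-user ids on Win9x — confirm). The earlier `if (is_winnt) {` that replaces `if (getuid() == 0 || geteuid() == 0) {` deserves the same comment, since on NT the privilege-drop block now runs regardless of the starting uid.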
@@ -1089,17 +1203,16 @@ child_set_env(&env, &envsize, "TERM", term); if (display) child_set_env(&env, &envsize, "DISPLAY", display); + if (original_command) + child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", + original_command); #ifdef _AIX - { - char *authstate,*krb5cc; - - if ((authstate = getenv("AUTHSTATE")) != NULL) - child_set_env(&env,&envsize,"AUTHSTATE",authstate); - - if ((krb5cc = getenv("KRB5CCNAME")) != NULL) - child_set_env(&env,&envsize,"KRB5CCNAME",krb5cc); - } + if ((cp = getenv("AUTHSTATE")) != NULL) + child_set_env(&env, &envsize, "AUTHSTATE", cp); + if ((cp = getenv("KRB5CCNAME")) != NULL) + child_set_env(&env, &envsize, "KRB5CCNAME", cp); + read_environment_file(&env, &envsize, "/etc/environment"); #endif #ifdef KRB4 @@ -1116,8 +1229,6 @@ do_pam_environment(&env, &envsize); #endif /* USE_PAM */ - read_environment_file(&env,&envsize,"/etc/environment"); - if (xauthfile) child_set_env(&env, &envsize, "XAUTHORITY", xauthfile); if (auth_get_socket_name() != NULL) @@ -1226,11 +1337,13 @@ "Running %.100s add %.100s %.100s %.100s\n", options.xauth_location, display, auth_proto, auth_data); +#ifndef HAVE_CYGWIN /* Unix sockets are not supported */ if (screen != NULL) fprintf(stderr, "Adding %.*s/unix%s %s %s\n", (int)(screen-display), display, screen, auth_proto, auth_data); +#endif } snprintf(cmd, sizeof cmd, "%s -q -", options.xauth_location); @@ -1238,10 +1351,12 @@ if (f) { fprintf(f, "add %s %s %s\n", display, auth_proto, auth_data); +#ifndef HAVE_CYGWIN /* Unix sockets are not supported */ if (screen != NULL) fprintf(f, "add %.*s/unix%s %s %s\n", (int)(screen-display), display, screen, auth_proto, auth_data); +#endif pclose(f); } else { fprintf(stderr, "Could not run %s\n", @@ -1511,6 +1626,7 @@ int session_x11_req(Session *s) { + int fd; if (no_x11_forwarding_flag) { debug("X11 forwarding disabled in user configuration file."); return 0; 
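Review bot: `child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", original_command)` exports, unmodified, the string the client sent in its exec request whenever an authorized_keys forced command replaced it (the assignments in do_authenticated and session_exec_req elsewhere in this file), and nothing at the export site says so. Suggest `/* Client-supplied exec request, saved when a forced command replaced it; the forced command must treat it as untrusted data, never as a command line to hand to a shell. */` above the `if (original_command)` test. If sshd.8 does not yet describe the variable, it should, since it is the documented contract that forced commands rely on.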
@@ -1555,7 +1671,9 @@ return 0; } strlcat(xauthfile, "/cookies", MAXPATHLEN); - open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600); + fd = open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600); + if (fd >= 0) + close(fd); restore_uid(); fatal_add_cleanup(xauthfile_cleanup_proc, s); return 1; @@ -1582,7 +1700,7 @@ char *command = packet_get_string(&len); packet_done(); if (forced_command) { - xfree(command); + original_command = command; command = forced_command; debug("Forced command '%.500s'", forced_command); } @@ -1662,7 +1780,8 @@ fatal("no channel for session %d", s->self); channel_set_fds(s->chanid, fdout, fdin, fderr, - fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ); + fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, + 1); } void @@ -1734,9 +1853,13 @@ * interested in data we write. * Note that we must not call 'chan_read_failed', since there could * be some more data waiting in the pipe. + * djm - This is no longer true as we have allowed one pass through + * the select loop before killing the connection */ if (c->ostate != CHAN_OUTPUT_CLOSED) chan_write_failed(c); + if (c->istate != CHAN_INPUT_CLOSED) + chan_read_failed(c); s->chanid = -1; } @@ -1850,7 +1973,7 @@ close(startup_pipe); startup_pipe = -1; } -#ifdef HAVE_LOGIN_CAP +#if defined(HAVE_LOGIN_CAP) && defined(HAVE_PW_CLASS_IN_PASSWD) pw = auth_get_user(); if ((lc = login_getclass(pw->pw_class)) == NULL) { error("unable to get login class"); diff -ru openssh-2.2.0p1/session.h openssh-2.3.0p1/session.h --- openssh-2.2.0p1/session.h 2000-04-12 18:45:07.000000000 +1000 +++ openssh-2.3.0p1/session.h 2000-10-14 12:33:49.000000000 +1100 
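Review bot: In the hunk `@@ -1582,7 +1700,7 @@`, `original_command = command;` replaces the old `xfree(command)` and parks the client's string in the process-wide global added earlier in this file; a second exec request on another session channel of the same SSH2 connection overwrites the pointer without freeing the earlier string, and nothing clears the global when a session closes, so a later channel may export a previous channel's command as SSH_ORIGINAL_COMMAND. Suggest `if (original_command != NULL) xfree(original_command);` before the assignment, and resetting it to NULL in session_close (or moving the field into `Session` so it has the session's lifetime). The do_authenticated hunk in this file has the same assignment but only one session per SSH1 connection, so the stale-value concern is specific to this path.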
@@ -1,3 +1,26 @@ +/* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ #ifndef SESSION_H #define SESSION_H Only in openssh-2.3.0p1: sftp-server.0 Only in openssh-2.3.0p1: sftp-server.8 Only in openssh-2.3.0p1: sftp-server.c diff -ru openssh-2.2.0p1/ssh-add.0 openssh-2.3.0p1/ssh-add.0 --- openssh-2.2.0p1/ssh-add.0 2000-09-02 10:08:45.000000000 +1100 +++ openssh-2.3.0p1/ssh-add.0 2000-11-06 14:25:19.000000000 +1100 
@@ -62,9 +62,9 @@ release, newer versions bore successively more restrictive licenses. This version of OpenSSH - o has all components of a restrictive nature (i.e., patents) directly - removed from the source code; any licensed or patented components are - chosen from external libraries. + o has all components of a restrictive nature (i.e., patents, see + crypto(3)) directly removed from the source code; any licensed or + patented components are chosen from external libraries. o has been updated to support ssh protocol 1.5. @@ -74,6 +74,6 @@ o supports one-time password authentication with skey(1). SEE ALSO - ssh(1), ssh-agent(1), ssh-keygen(1), sshd(8), + ssh(1), ssh-agent(1), ssh-keygen(1), sshd(8), crypto(3) BSD Experimental September 25, 1999 2 diff -ru openssh-2.2.0p1/ssh-add.1 openssh-2.3.0p1/ssh-add.1 --- openssh-2.2.0p1/ssh-add.1 2000-08-29 11:33:51.000000000 +1100 +++ openssh-2.3.0p1/ssh-add.1 2000-09-16 13:29:10.000000000 +1100 
@@ -1,15 +1,39 @@ .\" -*- nroff -*- .\" -.\" ssh-add.1 -.\" .\" Author: Tatu Ylonen -.\" .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland .\" All rights reserved .\" -.\" Created: Sat Apr 22 23:55:14 1995 ylo -.\" -.\" $Id: ssh-add.1,v 1.15 2000/08/25 16:16:15 deraadt Exp $ +.\" As far as I am concerned, the code I have written for this software +.\" can be used freely for any purpose. Any derived versions of this +.\" software must be clearly marked as such, and if the derived work is +.\" incompatible with the protocol description in the RFC file, it must be +.\" called by a name other than "ssh" or "Secure Shell". +.\" +.\" +.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. +.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. +.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .Dd September 25, 1999 .Dt SSH-ADD 1 @@ -65,7 +89,7 @@ when no other files have been specified. .It Pa $HOME/.ssh/id_dsa Contains the DSA authentication identity of the user. -.Pp +.El .Sh ENVIRONMENT .Bl -tag -width Ds .It Ev "DISPLAY" and "SSH_ASKPASS" @@ -91,6 +115,7 @@ may be necessary to redirect the input from .Pa /dev/null to make this work.) +.El .Sh AUTHOR Tatu Ylonen .Pp @@ -102,7 +127,8 @@ This version of OpenSSH .Bl -bullet .It -has all components of a restrictive nature (i.e., patents) +has all components of a restrictive nature (i.e., patents, see +.Xr crypto 3 ) directly removed from the source code; any licensed or patented components are chosen from external libraries. @@ -121,3 +147,4 @@ .Xr ssh-agent 1 , .Xr ssh-keygen 1 , .Xr sshd 8 , +.Xr crypto 3 diff -ru openssh-2.2.0p1/ssh-add.c openssh-2.3.0p1/ssh-add.c --- openssh-2.2.0p1/ssh-add.c 2000-08-29 11:33:51.000000000 +1100 +++ openssh-2.3.0p1/ssh-add.c 2000-10-17 23:22:28.000000000 +1100 
@@ -2,15 +2,40 @@ * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * Created: Thu Apr 6 00:52:24 1995 ylo * Adds an identity to the authentication server, or removes an identity. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * * SSH2 implementation, * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ #include "includes.h" -RCSID("$OpenBSD: ssh-add.c,v 1.20 2000/08/28 03:50:54 deraadt Exp $"); +RCSID("$OpenBSD: ssh-add.c,v 1.22 2000/09/07 20:27:54 deraadt Exp $"); #include #include @@ -37,8 +62,12 @@ public = key_new(KEY_RSA); if (!load_public_key(filename, public, &comment)) { - printf("Bad key file %s: %s\n", filename, strerror(errno)); - return; + key_free(public); + public = key_new(KEY_DSA); + if (!try_load_public_key(filename, public, &comment)) { + printf("Bad key file %s\n", filename); + return; + } } if (ssh_remove_identity(ac, public)) fprintf(stderr, "Identity removed: %s (%s)\n", filename, comment); @@ -88,7 +117,9 @@ fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno)); } close(p[1]); - len = read(p[0], buf, sizeof buf); + buf[0] = '\0'; + atomicio(read, p[0], buf, sizeof buf); + len = strlen(buf); close(p[0]); while (waitpid(pid, &status, 0) < 0) if (errno != EINTR) diff -ru openssh-2.2.0p1/ssh-agent.0 openssh-2.3.0p1/ssh-agent.0 --- openssh-2.2.0p1/ssh-agent.0 2000-09-02 10:08:45.000000000 +1100 +++ openssh-2.3.0p1/ssh-agent.0 2000-11-06 14:25:19.000000000 +1100 @@ -88,9 +88,9 @@ release, newer versions bore successively more restrictive licenses. This version of OpenSSH - o has all components of a restrictive nature (i.e., patents) directly - removed from the source code; any licensed or patented components are - chosen from external libraries. + o has all components of a restrictive nature (i.e., patents, see + crypto(3)) directly removed from the source code; any licensed or + patented components are chosen from external libraries. o has been updated to support ssh protocol 1.5. 
@@ -100,6 +100,6 @@ o supports one-time password authentication with skey(1). SEE ALSO - ssh(1), ssh-add(1), ssh-keygen(1), sshd(8), + ssh(1), ssh-add(1), ssh-keygen(1), sshd(8), crypto(3) BSD Experimental September 25, 1999 2 diff -ru openssh-2.2.0p1/ssh-agent.1 openssh-2.3.0p1/ssh-agent.1 --- openssh-2.2.0p1/ssh-agent.1 2000-08-29 11:33:51.000000000 +1100 +++ openssh-2.3.0p1/ssh-agent.1 2000-09-16 13:29:10.000000000 +1100 
@@ -1,15 +1,38 @@ -.\" $OpenBSD: ssh-agent.1,v 1.15 2000/08/25 16:16:15 deraadt Exp $ -.\" -.\" -*- nroff -*- -.\" -.\" ssh-agent.1 +.\" $OpenBSD: ssh-agent.1,v 1.16 2000/09/07 20:27:54 deraadt Exp $ .\" .\" Author: Tatu Ylonen -.\" .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland .\" All rights reserved .\" -.\" Created: Sat Apr 23 20:10:43 1995 ylo +.\" As far as I am concerned, the code I have written for this software +.\" can be used freely for any purpose. Any derived versions of this +.\" software must be clearly marked as such, and if the derived work is +.\" incompatible with the protocol description in the RFC file, it must be +.\" called by a name other than "ssh" or "Secure Shell". +.\" +.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. +.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. +.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .Dd September 25, 1999 .Dt SSH-AGENT 1 @@ -148,7 +171,8 @@ This version of OpenSSH .Bl -bullet .It -has all components of a restrictive nature (i.e., patents) +has all components of a restrictive nature (i.e., patents, see +.Xr crypto 3 ) directly removed from the source code; any licensed or patented components are chosen from external libraries. @@ -162,9 +186,9 @@ supports one-time password authentication with .Xr skey 1 . .El -.Pp .Sh SEE ALSO .Xr ssh 1 , .Xr ssh-add 1 , .Xr ssh-keygen 1 , .Xr sshd 8 , +.Xr crypto 3 diff -ru openssh-2.2.0p1/ssh-agent.c openssh-2.3.0p1/ssh-agent.c --- openssh-2.2.0p1/ssh-agent.c 2000-08-23 10:46:24.000000000 +1000 +++ openssh-2.3.0p1/ssh-agent.c 2000-09-29 23:01:37.000000000 +1100 
@@ -1,18 +1,43 @@ -/* $OpenBSD: ssh-agent.c,v 1.33 2000/08/19 21:34:43 markus Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.37 2000/09/21 11:07:51 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * Created: Wed Mar 29 03:46:59 1995 ylo * The authentication agent program. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * * SSH2 implementation, * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: ssh-agent.c,v 1.33 2000/08/19 21:34:43 markus Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.37 2000/09/21 11:07:51 markus Exp $"); #include "ssh.h" #include "rsa.h" @@ -31,6 +56,7 @@ #include "authfd.h" #include "dsa.h" #include "kex.h" +#include "compat.h" typedef struct { int fd; @@ -212,6 +238,7 @@ Key *key, *private; unsigned char *blob, *data, *signature = NULL; unsigned int blen, dlen, slen = 0; + int flags; Buffer msg; int ok = -1; @@ -220,6 +247,10 @@ blob = buffer_get_string(&e->input, &blen); data = buffer_get_string(&e->input, &dlen); + flags = buffer_get_int(&e->input); + if (flags & SSH_AGENT_OLD_SIGNATURE) + datafellows = SSH_BUG_SIGBLOB; + key = dsa_key_from_blob(blob, blen); if (key != NULL) { private = lookup_private_key(key, NULL, 2); @@ -607,7 +638,7 @@ void cleanup_socket(void) { - remove(socket_name); + unlink(socket_name); rmdir(socket_dir); } 
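Review bot: `datafellows = SSH_BUG_SIGBLOB` is a one-way switch on what looks like a process-wide global: once any client sends a request with `SSH_AGENT_OLD_SIGNATURE` set, every later signing request from every connection is answered in the old signature format, because nothing ever clears it. Derive it from the current request instead, `datafellows = (flags & SSH_AGENT_OLD_SIGNATURE) ? SSH_BUG_SIGBLOB : 0;`, or save and restore the previous value around the signing call. The plain assignment also overwrites any other compat bits that may already be set in `datafellows`; if those matter for the agent, OR the bit in rather than assigning. `flags` comes straight from the client message, so limiting its effect to this one request is the safer shape. The enclosing function starts and ends outside the hunk.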
@@ -756,8 +787,11 @@ printf("echo Agent pid %d;\n", pid); exit(0); } - setenv(SSH_AUTHSOCKET_ENV_NAME, socket_name, 1); - setenv(SSH_AGENTPID_ENV_NAME, pidstrbuf, 1); + if (setenv(SSH_AUTHSOCKET_ENV_NAME, socket_name, 1) == -1 || + setenv(SSH_AGENTPID_ENV_NAME, pidstrbuf, 1) == -1) { + perror("setenv"); + exit(1); + } execvp(av[0], av); perror(av[0]); exit(1); diff -ru openssh-2.2.0p1/ssh-keygen.0 openssh-2.3.0p1/ssh-keygen.0 --- openssh-2.2.0p1/ssh-keygen.0 2000-09-02 10:08:45.000000000 +1100 +++ openssh-2.3.0p1/ssh-keygen.0 2000-11-06 14:25:19.000000000 +1100 @@ -90,8 +90,9 @@ -x This option will read a private OpenSSH DSA format file and print a SSH2-compatible public key to stdout. - -X This option will read a SSH2-compatible public key file and print - an OpenSSH DSA compatible public key to stdout. + -X This option will read a unencrypted SSH2-compatible private (or + public) key file and print an OpenSSH compatible private (or pub- + lic) key to stdout. -y This option will read a private OpenSSH DSA format file and print an OpenSSH DSA public key to stdout. @@ -135,9 +136,9 @@ release, newer versions bore successively more restrictive licenses. This version of OpenSSH - o has all components of a restrictive nature (i.e., patents) directly - removed from the source code; any licensed or patented components are - chosen from external libraries. + o has all components of a restrictive nature (i.e., patents, see + crypto(3)) directly removed from the source code; any licensed or + patented components are chosen from external libraries. o has been updated to support ssh protocol 1.5. 
@@ -147,6 +148,6 @@ o supports one-time password authentication with skey(1). SEE ALSO - ssh(1), ssh-add(1), ssh-agent(1), sshd(8), + ssh(1), ssh-add(1), ssh-agent(1), sshd(8), crypto(3) BSD Experimental September 25, 1999 3 diff -ru openssh-2.2.0p1/ssh-keygen.1 openssh-2.3.0p1/ssh-keygen.1 --- openssh-2.2.0p1/ssh-keygen.1 2000-09-02 10:08:09.000000000 +1100 +++ openssh-2.3.0p1/ssh-keygen.1 2000-10-14 16:23:12.000000000 +1100 
@@ -1,15 +1,39 @@ .\" -*- nroff -*- .\" -.\" ssh-keygen.1 -.\" .\" Author: Tatu Ylonen -.\" .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland .\" All rights reserved .\" -.\" Created: Sat Apr 22 23:55:14 1995 ylo -.\" -.\" $Id: ssh-keygen.1,v 1.21 2000/08/25 16:16:15 deraadt Exp $ +.\" As far as I am concerned, the code I have written for this software +.\" can be used freely for any purpose. Any derived versions of this +.\" software must be clearly marked as such, and if the derived work is +.\" incompatible with the protocol description in the RFC file, it must be +.\" called by a name other than "ssh" or "Secure Shell". +.\" +.\" +.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. +.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. +.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .Dd September 25, 1999 .Dt SSH-KEYGEN 1 @@ -144,8 +168,9 @@ This option will read a private OpenSSH DSA format file and print a SSH2-compatible public key to stdout. .It Fl X -This option will read a -SSH2-compatible public key file and print an OpenSSH DSA compatible public key to stdout. +This option will read a unencrypted +SSH2-compatible private (or public) key file and +print an OpenSSH compatible private (or public) key to stdout. .It Fl y This option will read a private OpenSSH DSA format file and print an OpenSSH DSA public key to stdout. @@ -200,7 +225,8 @@ This version of OpenSSH .Bl -bullet .It -has all components of a restrictive nature (i.e., patents) +has all components of a restrictive nature (i.e., patents, see +.Xr crypto 3 ) directly removed from the source code; any licensed or patented components are chosen from external libraries. @@ -219,3 +245,4 @@ .Xr ssh-add 1 , .Xr ssh-agent 1 , .Xr sshd 8 , +.Xr crypto 3 diff -ru openssh-2.2.0p1/ssh-keygen.c openssh-2.3.0p1/ssh-keygen.c --- openssh-2.2.0p1/ssh-keygen.c 2000-08-23 10:46:24.000000000 +1000 +++ openssh-2.3.0p1/ssh-keygen.c 2000-10-14 16:23:12.000000000 +1100 
@@ -2,12 +2,17 @@ * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland * All rights reserved - * Created: Mon Mar 27 02:26:40 1995 ylo * Identity and host key generation and maintenance. + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.30 2000/08/19 21:34:43 markus Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.32 2000/10/09 21:30:44 markus Exp $"); #include #include @@ -22,6 +27,9 @@ #include "authfile.h" #include "uuencode.h" +#include "buffer.h" +#include "bufaux.h" + /* Number of bits in the RSA/DSA key. This value can be changed on the command line. */ int bits = 1024; @@ -103,8 +111,10 @@ return success; } -#define SSH_COM_MAGIC_BEGIN "---- BEGIN SSH2 PUBLIC KEY ----" -#define SSH_COM_MAGIC_END "---- END SSH2 PUBLIC KEY ----" +#define SSH_COM_PUBLIC_BEGIN "---- BEGIN SSH2 PUBLIC KEY ----" +#define SSH_COM_PUBLIC_END "---- END SSH2 PUBLIC KEY ----" +#define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----" +#define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb void do_convert_to_ssh2(struct passwd *pw) 
@@ -126,19 +136,84 @@ exit(1); } dsa_make_key_blob(k, &blob, &len); - fprintf(stdout, "%s\n", SSH_COM_MAGIC_BEGIN); + fprintf(stdout, "%s\n", SSH_COM_PUBLIC_BEGIN); fprintf(stdout, - "Comment: \"%d-bit DSA, converted from openssh by %s@%s\"\n", - BN_num_bits(k->dsa->p), + "Comment: \"%d-bit %s, converted from OpenSSH by %s@%s\"\n", + key_size(k), key_type(k), pw->pw_name, hostname); dump_base64(stdout, blob, len); - fprintf(stdout, "%s\n", SSH_COM_MAGIC_END); + fprintf(stdout, "%s\n", SSH_COM_PUBLIC_END); key_free(k); xfree(blob); exit(0); } void +buffer_get_bignum_bits(Buffer *b, BIGNUM *value) +{ + int bits = buffer_get_int(b); + int bytes = (bits + 7) / 8; + if (buffer_len(b) < bytes) + fatal("buffer_get_bignum_bits: input buffer too small"); + BN_bin2bn((unsigned char *)buffer_ptr(b), bytes, value); + buffer_consume(b, bytes); +} + +Key * +do_convert_private_ssh2_from_blob(char *blob, int blen) +{ + Buffer b; + DSA *dsa; + Key *key = NULL; + int ignore, magic, rlen; + char *type, *cipher; + + buffer_init(&b); + buffer_append(&b, blob, blen); + + magic = buffer_get_int(&b); + if (magic != SSH_COM_PRIVATE_KEY_MAGIC) { + error("bad magic 0x%x != 0x%x", magic, SSH_COM_PRIVATE_KEY_MAGIC); + buffer_free(&b); + return NULL; + } + ignore = buffer_get_int(&b); + type = buffer_get_string(&b, NULL); + cipher = buffer_get_string(&b, NULL); + ignore = buffer_get_int(&b); + ignore = buffer_get_int(&b); + ignore = buffer_get_int(&b); + xfree(type); + + if (strcmp(cipher, "none") != 0) { + error("unsupported cipher %s", cipher); + xfree(cipher); + buffer_free(&b); + return NULL; + } + xfree(cipher); + + key = key_new(KEY_DSA); + dsa = key->dsa; + dsa->priv_key = BN_new(); + if (dsa->priv_key == NULL) { + error("alloc priv_key failed"); + key_free(key); + return NULL; + } + buffer_get_bignum_bits(&b, dsa->p); + buffer_get_bignum_bits(&b, dsa->g); + buffer_get_bignum_bits(&b, dsa->q); + buffer_get_bignum_bits(&b, dsa->pub_key); + buffer_get_bignum_bits(&b, dsa->priv_key); + rlen 
= buffer_len(&b); + if(rlen != 0) + error("do_convert_private_ssh2_from_blob: remaining bytes in key blob %d", rlen); + buffer_free(&b); + return key; +} + +void do_convert_from_ssh2(struct passwd *pw) { Key *k; @@ -147,7 +222,7 @@ char blob[8096]; char encoded[8096]; struct stat st; - int escaped = 0; + int escaped = 0, private = 0, ok; FILE *fp; if (!have_identity) @@ -171,6 +246,8 @@ escaped++; if (strncmp(line, "----", 4) == 0 || strstr(line, ": ") != NULL) { + if (strstr(line, SSH_COM_PRIVATE_BEGIN) != NULL) + private = 1; fprintf(stderr, "ignore: %s", line); continue; } @@ -187,9 +264,20 @@ fprintf(stderr, "uudecode failed.\n"); exit(1); } - k = dsa_key_from_blob(blob, blen); - if (!key_write(k, stdout)) - fprintf(stderr, "key_write failed"); + k = private ? + do_convert_private_ssh2_from_blob(blob, blen) : + dsa_key_from_blob(blob, blen); + if (k == NULL) { + fprintf(stderr, "decode blob failed.\n"); + exit(1); + } + ok = private ? + PEM_write_DSAPrivateKey(stdout, k->dsa, NULL, NULL, 0, NULL, NULL) : + key_write(k, stdout); + if (!ok) { + fprintf(stderr, "key write failed"); + exit(1); + } key_free(k); fprintf(stdout, "\n"); fclose(fp); diff -ru openssh-2.2.0p1/ssh.0 openssh-2.3.0p1/ssh.0 --- openssh-2.2.0p1/ssh.0 2000-09-02 10:08:46.000000000 +1100 +++ openssh-2.3.0p1/ssh.0 2000-11-06 14:25:20.000000000 +1100 
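Review bot: In `buffer_get_bignum_bits`, `bits` is a signed int read from the key file, so `(bits + 7) / 8` is a signed overflow for values near INT_MAX, and a negative `bits` yields a negative `bytes` whose rejection by `buffer_len(b) < bytes` depends on buffer_len's return type, which is not visible here. Validate the count before the arithmetic, e.g. `if (bits < 0 || bits / 8 > buffer_len(b)) fatal("buffer_get_bignum_bits: bad bit count %d", bits);` ahead of computing `bytes`. In `do_convert_private_ssh2_from_blob`, trailing data (`rlen != 0`) is only reported with `error()` and the key is still returned, so a malformed file is accepted from the caller's point of view; return NULL there to match the other failure paths. The code also assumes `key_new(KEY_DSA)` has allocated `dsa->p`, `q`, `g` and `pub_key` while only `priv_key` is allocated explicitly, which deserves a comment such as `/* key_new(KEY_DSA) is expected to provide p, q, g, pub_key; only priv_key is allocated here */`. The leading do_convert_to_ssh2 lines belong to a function that starts outside the hunk.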
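Review bot: `fprintf(stderr, "key write failed");` is missing a trailing newline, unlike the neighbouring `"decode blob failed.\n"`; make it `fprintf(stderr, "key write failed\n");`. The private branch emits the converted DSA key to stdout unencrypted via `PEM_write_DSAPrivateKey(..., NULL, NULL, 0, NULL, NULL)`, consistent with the man page wording, so a comment at the call, `/* input must be unencrypted (cipher "none"); output is written unencrypted as well */`, would make that explicit for readers. do_convert_from_ssh2 starts outside this hunk.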
@@ -198,13 +198,14 @@ used by default. It is believed to be secure. 3des (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. It is presumably more secure than the des cipher which is no - longer supported in ssh. blowfish is a fast block cipher, it ap- - pears very secure and is much faster than 3des. + longer fully supported in ssh. blowfish is a fast block cipher, + it appears very secure and is much faster than 3des. -c 3des-cbc,blowfish-cbc,arcfour,cast128-cbc Additionally, for protocol version 2 a comma-separated list of - ciphers can be specified in order of preference. Protocol version - 2 supports 3DES, Blowfish and CAST128 in CBC mode and Arcfour. + ciphers can be specified in order of preference. Protocol ver- + sion 2 supports 3DES, Blowfish, and CAST128 in CBC mode and Arc- + four. -e ch|^ch|none Sets the escape character for sessions with a pty (default: `~'). @@ -258,6 +259,8 @@ -p port Port to connect to on the remote host. This can be specified on + + a per-host basis in the configuration file. -P Use a non-privileged port for outgoing connections. This can be @@ -278,7 +281,8 @@ progress. This is helpful in debugging connection, authentica- tion, and configuration problems. The verbose mode is also used to display skey(1) challenges, if the user entered "s/key" as - password. + password. Multiple -v options increases the verbosity. Maximum + is 3. -x Disables X11 forwarding. 
@@ -368,14 +372,14 @@ tect if a host key changed due to DNS spoofing. If the option is set to ``no'', the check will not be executed. - Cipher Specifies the cipher to use for encrypting the session. Current- - ly, ``blowfish'', and ``3des'' are supported. The default is - ``3des''. + Cipher Specifies the cipher to use for encrypting the session in proto- + col version 1. Currently, ``blowfish'' and ``3des'' are support- + ed. The default is ``3des''. Ciphers Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. The de- - fault is ``3des-cbc,blowfish-cbc,arcfour,cast128-cbc''. + fault is ``3des-cbc,blowfish-cbc,cast128-cbc,arcfour''. Compression Specifies whether to use compression. The argument must be @@ -453,6 +457,8 @@ tory). The file name may use the tilde syntax to refer to a us- er's home directory. It is possible to have multiple identity files specified in configuration files; all these identities will + + be tried in sequence. KeepAlive @@ -524,9 +530,6 @@ er). Note that CheckHostIP is not available for connects with a proxy command. - - - RemoteForward Specifies that a TCP/IP port on the remote machine be forwarded over the secure channel to given host:port from the local ma- @@ -586,6 +589,8 @@ mand line. UserKnownHostsFile + + Specifies a file to use instead of $HOME/.ssh/known_hosts. UseRsh Specifies that rlogin/rsh should be used for this host. It is @@ -656,7 +661,6 @@ that ssh ignores a private key file if it is accessible by oth- ers. It is possible to specify a passphrase when generating the key; the passphrase will be used to encrypt the sensitive part of - this file using 3DES. $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub @@ -718,6 +722,7 @@ Systemwide configuration file. This file provides defaults for those values that are not specified in the user's configuration file, and for those users who do not have a configuration file. + This file must be world-readable. $HOME/.rhosts 
@@ -783,13 +788,13 @@ the 1.2.12 release, newer versions of the original ssh bore successively more restrictive licenses, and thus demand for a free version was born. - This version of OpenSSH - o has all components of a restrictive nature (i.e., patents) directly - removed from the source code; any licensed or patented components are + This version of OpenSSH - chosen from external libraries. + o has all components of a restrictive nature (i.e., patents, see + crypto(3)) directly removed from the source code; any licensed or + patented components are chosen from external libraries. o has been updated to support SSH protocol 1.5 and 2, making it compat- ible with all other SSH clients and servers. @@ -806,6 +811,6 @@ SEE ALSO rlogin(1), rsh(1), scp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), - telnet(1), sshd(8), + telnet(1), sshd(8), crypto(3) BSD Experimental September 25, 1999 13 diff -ru openssh-2.2.0p1/ssh.1 openssh-2.3.0p1/ssh.1 --- openssh-2.2.0p1/ssh.1 2000-08-29 11:33:51.000000000 +1100 +++ openssh-2.3.0p1/ssh.1 2000-10-28 14:19:58.000000000 +1100 
@@ -1,16 +1,40 @@ .\" -*- nroff -*- .\" -.\" ssh.1.in -.\" .\" Author: Tatu Ylonen -.\" .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland .\" All rights reserved .\" -.\" Created: Sat Apr 22 21:55:14 1995 ylo +.\" As far as I am concerned, the code I have written for this software +.\" can be used freely for any purpose. Any derived versions of this +.\" software must be clearly marked as such, and if the derived work is +.\" incompatible with the protocol description in the RFC file, it must be +.\" called by a name other than "ssh" or "Secure Shell". +.\" +.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. +.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. +.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. .\" -.\" $Id: ssh.1,v 1.57 2000/08/25 16:16:15 deraadt Exp $ +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" $OpenBSD: ssh.1,v 1.64 2000/10/16 21:46:31 markus Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -344,15 +368,16 @@ (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. It is presumably more secure than the .Ar des -cipher which is no longer supported in +cipher which is no longer fully supported in .Nm ssh . .Ar blowfish is a fast block cipher, it appears very secure and is much faster than .Ar 3des . .It Fl c Ar "3des-cbc,blowfish-cbc,arcfour,cast128-cbc" Additionally, for protocol version 2 a comma-separated list of ciphers can -be specified in order of preference. Protocol version 2 supports -3DES, Blowfish and CAST128 in CBC mode and Arcfour. +be specified in order of preference. +Protocol version 2 supports 3DES, Blowfish, and CAST128 in CBC mode +and Arcfour. .It Fl e Ar ch|^ch|none Sets the escape character for sessions with a pty (default: .Ql ~ ) . @@ -460,6 +485,8 @@ The verbose mode is also used to display .Xr skey 1 challenges, if the user entered "s/key" as password. +Multiple -v options increases the verbosity. +Maximum is 3. .It Fl x Disables X11 forwarding. .It Fl X @@ -601,9 +628,10 @@ .Dq no , the check will not be executed. .It Cm Cipher -Specifies the cipher to use for encrypting the session. +Specifies the cipher to use for encrypting the session +in protocol version 1. Currently, -.Dq blowfish , +.Dq blowfish and .Dq 3des are supported. 
@@ -614,7 +642,7 @@ in order of preference. Multiple ciphers must be comma-separated. The default is -.Dq 3des-cbc,blowfish-cbc,arcfour,cast128-cbc . +.Dq 3des-cbc,blowfish-cbc,cast128-cbc,arcfour . .It Cm Compression Specifies whether to use compression. The argument must be @@ -946,6 +974,7 @@ program. The default is .Pa /usr/X11R6/bin/xauth . +.El .Sh ENVIRONMENT .Nm will normally set the following environment variables: @@ -1189,6 +1218,7 @@ .It Pa libcrypto.so.X.1 A version of this library which includes support for the RSA algorithm is required for proper operation. +.El .Sh AUTHOR OpenSSH is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen, @@ -1200,7 +1230,8 @@ This version of OpenSSH .Bl -bullet .It -has all components of a restrictive nature (i.e., patents) +has all components of a restrictive nature (i.e., patents, see +.Xr crypto 3 ) directly removed from the source code; any licensed or patented components are chosen from external libraries. @@ -1229,3 +1260,4 @@ .Xr ssh-keygen 1 , .Xr telnet 1 , .Xr sshd 8 , +.Xr crypto 3 diff -ru openssh-2.2.0p1/ssh.c openssh-2.3.0p1/ssh.c --- openssh-2.2.0p1/ssh.c 2000-08-29 11:33:51.000000000 +1100 +++ openssh-2.3.0p1/ssh.c 2000-10-28 14:19:58.000000000 +1100 
@@ -2,16 +2,44 @@ * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * Created: Sat Mar 18 16:36:11 1995 ylo * Ssh client program. This program can be used to log into a remote machine. * The software supports strong authentication, encryption, and forwarding * of X11, TCP/IP, and authentication connections. * - * Modified to work with SSL by Niels Provos in Canada. + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * + * Copyright (c) 1999 Niels Provos. All rights reserved. + * + * Modified to work with SSL by Niels Provos + * in Canada (German citizen). + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.63 2000/08/28 20:19:52 markus Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.69 2000/10/27 07:32:19 markus Exp $"); #include #include @@ -127,6 +155,7 @@ fprintf(stderr, " -t Tty; allocate a tty even if command is given.\n"); fprintf(stderr, " -T Do not allocate a tty.\n"); fprintf(stderr, " -v Verbose; display verbose debugging messages.\n"); + fprintf(stderr, " Multiple -v increases verbosity.\n"); fprintf(stderr, " -V Display version number only.\n"); fprintf(stderr, " -P Don't allocate a privileged port.\n"); fprintf(stderr, " -q Quiet; don't display any warning messages.\n"); @@ -215,6 +244,7 @@ original_real_uid = getuid(); original_effective_uid = geteuid(); +#ifdef HAVE_SETRLIMIT /* If we are installed setuid root be careful to not drop core. */ if (original_real_uid != original_effective_uid) { struct rlimit rlim; @@ -222,6 +252,7 @@ if (setrlimit(RLIMIT_CORE, &rlim) < 0) fatal("setrlimit failed: %.100s", strerror(errno)); } +#endif /* * Use uid-swapping to give up root privileges for the duration of * option processing. We will re-instantiate the rights when we are 
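Review bot: The new `#ifdef HAVE_SETRLIMIT` guard (this hunk and the matching `#endif` in the next one) silently drops the core-dump protection on platforms without setrlimit, so a setuid-root ssh there can leave key material in a core file with nothing in the build or the code pointing that out. Add an `#else` branch carrying a comment such as `/* no setrlimit(): a setuid ssh may dump core containing secrets; add a platform equivalent if one exists */`, so the gap is visible rather than implicit. The enclosing function starts and ends outside these hunks.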
@@ -253,8 +284,17 @@ cp = strrchr(av0, '/') + 1; else cp = av0; +#ifdef HAVE_CYGWIN + if (strcasecmp(cp, "rsh") && strcasecmp(cp, "ssh") && + strcasecmp(cp, "rlogin") && strcasecmp(cp, "slogin") && + strcasecmp(cp, "remsh") && + strcasecmp(cp, "rsh.exe") && strcasecmp(cp, "ssh.exe") && + strcasecmp(cp, "rlogin.exe") && strcasecmp(cp, "slogin.exe") && + strcasecmp(cp, "remsh.exe")) +#else if (strcmp(cp, "rsh") && strcmp(cp, "ssh") && strcmp(cp, "rlogin") && strcmp(cp, "slogin") && strcmp(cp, "remsh")) +#endif host = cp; for (optind = 1; optind < ac; optind++) { @@ -343,6 +383,16 @@ tty_flag = 1; break; case 'v': + if (0 == debug_flag) { + debug_flag = 1; + options.log_level = SYSLOG_LEVEL_DEBUG1; + } else if (options.log_level < SYSLOG_LEVEL_DEBUG3) { + options.log_level++; + break; + } else { + fatal("Too high debugging level.\n"); + } + /* fallthrough */ case 'V': fprintf(stderr, "SSH Version %s, protocol versions %d.%d/%d.%d.\n", SSH_VERSION, @@ -351,8 +401,6 @@ fprintf(stderr, "Compiled with SSL (0x%8.8lx).\n", SSLeay()); if (opt == 'V') exit(0); - debug_flag = 1; - options.log_level = SYSLOG_LEVEL_DEBUG; break; case 'q': options.log_level = SYSLOG_LEVEL_QUIET; @@ -377,11 +425,12 @@ options.cipher = SSH_CIPHER_ILLEGAL; } else { /* SSH1 only */ - options.cipher = cipher_number(optarg); - if (options.cipher == -1) { + Cipher *c = cipher_by_name(optarg); + if (c == NULL || c->number < 0) { fprintf(stderr, "Unknown cipher type '%s'\n", optarg); exit(1); } + options.cipher = c->number; } break; case 'p': @@ -437,11 +486,11 @@ if (!host) usage(); + SSLeay_add_all_algorithms(); + /* Initialize the command to execute on remote host. */ buffer_init(&command); - SSLeay_add_all_algorithms(); - /* * Save the command to execute on the remote host in a buffer. There * is no limit on the length of the command, except by the maximum 
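Review bot: The first `-v` deliberately falls through into `case 'V'` and prints the version banner to stderr, while every subsequent `-v` breaks out early; that asymmetry preserves the previous behaviour but reads as accidental next to the `/* fallthrough */` marker, so spell it out: `/* first -v also prints the version banner (case 'V'); later -v's only raise the level */`. `fatal("Too high debugging level.\n")` carries a trailing newline that the other fatal() calls in this file omit, e.g. `fatal("setrlimit failed: %.100s", ...)`; drop it for consistency. `options.log_level++` relies on SYSLOG_LEVEL_DEBUG1..DEBUG3 being consecutive enum values, which is worth a comment at the increment. The option loop starts and ends outside the hunk.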
@@ -534,24 +583,13 @@ if (options.hostname != NULL) host = options.hostname; - /* Find canonic host name. */ - if (strchr(host, '.') == 0) { - struct addrinfo hints; - struct addrinfo *ai = NULL; - int errgai; - memset(&hints, 0, sizeof(hints)); - hints.ai_family = IPv4or6; - hints.ai_flags = AI_CANONNAME; - hints.ai_socktype = SOCK_STREAM; - errgai = getaddrinfo(host, NULL, &hints, &ai); - if (errgai == 0) { - if (ai->ai_canonname != NULL) - host = xstrdup(ai->ai_canonname); - freeaddrinfo(ai); - } - } /* Disable rhosts authentication if not running as root. */ +#ifdef HAVE_CYGWIN + /* Ignore uid if running under Windows */ + if (!options.use_privileged_port) { +#else if (original_effective_uid != 0 || !options.use_privileged_port) { +#endif options.rhosts_authentication = 0; options.rhosts_rsa_authentication = 0; } @@ -970,6 +1008,14 @@ if (in < 0 || out < 0 || err < 0) fatal("dup() in/out/err failed"); + /* enable nonblocking unless tty */ + if (!isatty(in)) + set_nonblock(in); + if (!isatty(out)) + set_nonblock(out); + if (!isatty(err)) + set_nonblock(err); + /* should be pre-session */ init_local_fwd(); @@ -978,18 +1024,16 @@ if (daemon(1, 1) < 0) fatal("daemon() failed: %.200s", strerror(errno)); - window = 32*1024; - if (tty_flag) { - packetmax = window/8; - } else { + window = CHAN_SES_WINDOW_DEFAULT; + packetmax = CHAN_SES_PACKET_DEFAULT; + if (!tty_flag) { window *= 2; - packetmax = window/2; + packetmax *=2; } - -/*XXX MAXPACK */ id = channel_new( "session", SSH_CHANNEL_OPENING, in, out, err, - window, packetmax, CHAN_EXTENDED_WRITE, xstrdup("client-session")); + window, packetmax, CHAN_EXTENDED_WRITE, + xstrdup("client-session"), /*nonblock*/0); channel_open(id); channel_register_callback(id, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, client_init, (void *)0); diff -ru openssh-2.2.0p1/ssh.h openssh-2.3.0p1/ssh.h --- openssh-2.2.0p1/ssh.h 2000-08-23 10:46:25.000000000 +1000 +++ openssh-2.3.0p1/ssh.h 2000-10-14 16:23:12.000000000 +1100 
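Review bot: `set_nonblock()` on the inherited in/out/err descriptors presumably sets O_NONBLOCK, which lives on the open file description, so any other process sharing that pipe or file with ssh (the parent shell, the other side of a pipeline) starts seeing EAGAIN on its own reads and writes, and the flag stays set after ssh exits. Record which descriptors were switched and restore blocking mode on exit, or apply it only to descriptors ssh itself created; the return value of set_nonblock is also ignored. The enclosing function starts and ends outside the hunk.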
@@ -1,19 +1,18 @@ /* - * - * ssh.h - * * Author: Tatu Ylonen - * * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved * - * Created: Fri Mar 17 17:09:37 1995 ylo - * * Generic header file for ssh. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: ssh.h,v 1.49 2000/08/19 18:48:11 markus Exp $"); */ +/* RCSID("$OpenBSD: ssh.h,v 1.54 2000/10/11 20:27:24 markus Exp $"); */ #ifndef SSH_H #define SSH_H @@ -29,14 +28,6 @@ #include "rsa.h" #include "cipher.h" -/* - * XXX - * The default cipher used if IDEA is not supported by the remote host. It is - * recommended that this be one of the mandatory ciphers (DES, 3DES), though - * that is not required. - */ -#define SSH_FALLBACK_CIPHER SSH_CIPHER_3DES - /* Cipher used for encrypting authentication files. */ #define SSH_AUTHFILE_CIPHER SSH_CIPHER_3DES @@ -99,6 +90,7 @@ #define SERVER_CONFIG_FILE ETCDIR "/sshd_config" #define HOST_CONFIG_FILE ETCDIR "/ssh_config" #define HOST_DSA_KEY_FILE ETCDIR "/ssh_host_dsa_key" +#define DH_PRIMES ETCDIR "/primes" #ifndef SSH_PROGRAM #define SSH_PROGRAM "/usr/bin/ssh" @@ -424,7 +416,7 @@ * passphrase (allocated with xmalloc). Exits if EOF is encountered. If * from_stdin is true, the passphrase will be read from stdin instead. */ -char *read_passphrase(const char *prompt, int from_stdin); +char *read_passphrase(char *prompt, int from_stdin); /*------------ Definitions for logging. -----------------------*/ 
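Review bot: `DH_PRIMES` (hunk -99) joins the other ETCDIR paths without a comment saying what the file holds; since this diff adds diffie-hellman-group-exchange (the SSH2_MSG_KEX_DH_GEX_* messages in ssh2.h), presumably these are the group moduli, but the header should not make the reader guess. A one-liner such as `/* moduli for diffie-hellman-group-exchange-sha1 (see ssh2.h) */` would do, plus which side reads it and what happens when the file is absent, once that is confirmed.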
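Review bot: The prototype of read_passphrase() loses `const` on prompt (hunk -424) with nothing in the diff explaining why; every caller visible here passes a writable local buffer, so the previous `char *read_passphrase(const char *prompt, int from_stdin);` still fits all of them and keeps callers free to pass literals. Unless the implementation now writes through prompt, keep the const; if it does, the comment block above, which still describes prompt as just the prompt text, should say so.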
@@ -450,7 +442,9 @@ SYSLOG_LEVEL_ERROR, SYSLOG_LEVEL_INFO, SYSLOG_LEVEL_VERBOSE, - SYSLOG_LEVEL_DEBUG + SYSLOG_LEVEL_DEBUG1, + SYSLOG_LEVEL_DEBUG2, + SYSLOG_LEVEL_DEBUG3 } LogLevel; /* Initializes logging. */ void log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr); @@ -468,6 +462,8 @@ void log(const char *fmt,...) __attribute__((format(printf, 1, 2))); void verbose(const char *fmt,...) __attribute__((format(printf, 1, 2))); void debug(const char *fmt,...) __attribute__((format(printf, 1, 2))); +void debug2(const char *fmt,...) __attribute__((format(printf, 1, 2))); +void debug3(const char *fmt,...) __attribute__((format(printf, 1, 2))); /* same as fatal() but w/o logging */ void fatal_cleanup(void); diff -ru openssh-2.2.0p1/ssh2.h openssh-2.3.0p1/ssh2.h --- openssh-2.2.0p1/ssh2.h 2000-05-17 22:34:25.000000000 +1000 +++ openssh-2.3.0p1/ssh2.h 2000-10-14 16:23:12.000000000 +1100 
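Review bot: ssh.c's -v handling earlier in this diff does `options.log_level++` and stops at SYSLOG_LEVEL_DEBUG3, so the three new enumerators must stay contiguous and last in LogLevel, and nothing here records that constraint. A comment on the enum, `/* DEBUG1..DEBUG3 must be contiguous and last: ssh -v increments log_level */`, prevents a later insertion from silently changing what -vv means. Removing SYSLOG_LEVEL_DEBUG outright is welcome: leftover users fail to compile rather than mapping to a wrong level.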
@@ -1,4 +1,28 @@ /* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* * draft-ietf-secsh-architecture-05.txt * * Transport layer protocol: @@ -28,7 +52,7 @@ * * 192-255 Local extensions */ -/* RCSID("$OpenBSD: ssh2.h,v 1.3 2000/05/15 07:03:12 markus Exp $"); */ +/* RCSID("$OpenBSD: ssh2.h,v 1.5 2000/10/11 04:02:17 provos Exp $"); */ /* transport layer: generic */ 
@@ -49,6 +73,12 @@ #define SSH2_MSG_KEXDH_INIT 30 #define SSH2_MSG_KEXDH_REPLY 31 +/* dh-group-exchange */ +#define SSH2_MSG_KEX_DH_GEX_REQUEST 30 +#define SSH2_MSG_KEX_DH_GEX_GROUP 31 +#define SSH2_MSG_KEX_DH_GEX_INIT 32 +#define SSH2_MSG_KEX_DH_GEX_REPLY 33 + /* user authentication: generic */ #define SSH2_MSG_USERAUTH_REQUEST 50 diff -ru openssh-2.2.0p1/ssh_prng_cmds.in openssh-2.3.0p1/ssh_prng_cmds.in --- openssh-2.2.0p1/ssh_prng_cmds.in 2000-08-07 15:54:39.000000000 +1000 +++ openssh-2.3.0p1/ssh_prng_cmds.in 2000-09-16 15:39:57.000000000 +1100 @@ -14,6 +14,15 @@ "ls -alni /tmp" @PROG_LS@ 0.02 "ls -alni /var/tmp" @PROG_LS@ 0.02 "ls -alni /usr/tmp" @PROG_LS@ 0.02 +"ls -alTi /var/log" @PROG_LS@ 0.02 +"ls -alTi /var/adm" @PROG_LS@ 0.02 +"ls -alTi /var/mail" @PROG_LS@ 0.02 +"ls -alTi /var/adm/syslog" @PROG_LS@ 0.02 +"ls -alTi /var/spool/mail" @PROG_LS@ 0.02 +"ls -alTi /proc" @PROG_LS@ 0.02 +"ls -alTi /tmp" @PROG_LS@ 0.02 +"ls -alTi /var/tmp" @PROG_LS@ 0.02 +"ls -alTi /usr/tmp" @PROG_LS@ 0.02 "netstat -an" @PROG_NETSTAT@ 0.05 "netstat -in" @PROG_NETSTAT@ 0.05 diff -ru openssh-2.2.0p1/sshconnect.c openssh-2.3.0p1/sshconnect.c --- openssh-2.2.0p1/sshconnect.c 2000-08-29 11:33:51.000000000 +1100 +++ openssh-2.3.0p1/sshconnect.c 2000-09-23 17:15:57.000000000 +1100 
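Review bot: SSH2_MSG_KEX_DH_GEX_REQUEST and _GROUP reuse the values 30 and 31 of SSH2_MSG_KEXDH_INIT and _REPLY in the same header, and the only hint that this is deliberate is the `/* dh-group-exchange */` label. Dispatch code has to take the meaning from the negotiated kex type (sshconnect2.c switches on kex->kex_type for exactly this reason), so say it here: `/* kex-specific range: values overlap KEXDH_*; which is meant depends on the negotiated kex */`. Anything that keys a table on these numbers across both kex methods will collide silently.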
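Review bot: The nine new `ls -alTi` entries list the same directories as the existing `ls -alni` lines and are each credited 0.02, yet most of their output (names, sizes, owners, inodes) duplicates the -alni run, so the pool is credited twice for largely the same bytes and only the extra timestamp fields are new. Either lower the estimate for the second pass or note that only one of the two forms is expected to work on a given platform. Presumably -T is the BSD full-time flag; GNU ls takes a tab-size argument for -T, so there these commands fail, which makes the entries harmless but also worthless on such systems.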
@@ -2,13 +2,18 @@ * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * Created: Sat Mar 18 22:15:47 1995 ylo * Code to connect to a remote host, and to perform the client side of the * login (authentication) dialog. + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.77 2000/08/28 03:50:54 deraadt Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.79 2000/09/17 15:52:51 markus Exp $"); #include #include @@ -243,7 +248,11 @@ /* Create a socket for connecting. */ sock = ssh_create_socket(original_real_uid, +#ifdef HAVE_CYGWIN + !anonymous && port < IPPORT_RESERVED, +#else !anonymous && geteuid() == 0 && port < IPPORT_RESERVED, +#endif ai->ai_family); if (sock < 0) continue; @@ -435,8 +444,10 @@ retval = defval; if (strcmp(buf, "yes") == 0) retval = 1; - if (strcmp(buf, "no") == 0) + else if (strcmp(buf, "no") == 0) retval = 0; + else + fprintf(stderr, "Please type 'yes' or 'no'.\n"); if (retval != -1) { if (f != stdin) diff -ru openssh-2.2.0p1/sshconnect.h openssh-2.3.0p1/sshconnect.h --- openssh-2.2.0p1/sshconnect.h 2000-04-29 23:57:13.000000000 +1000 +++ openssh-2.3.0p1/sshconnect.h 2000-09-16 13:29:10.000000000 +1100 
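Review bot: After an answer that is neither yes nor no, the new `else` prints `Please type 'yes' or 'no'.` but leaves retval at defval, so whenever a caller passes a defval other than -1 the prompt complains and then proceeds with the default anyway (hunk -435). If the intent is that only an empty line accepts the default, add `retval = -1;` in the else branch and test `buf[0] == '\0'` before the yes/no comparisons; which callers use a non -1 default is not visible here. The enclosing function starts and ends outside the hunk.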
@@ -1,3 +1,26 @@ +/* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ #ifndef SSHCONNECT_H #define SSHCONNECT_H diff -ru openssh-2.2.0p1/sshconnect1.c openssh-2.3.0p1/sshconnect1.c --- openssh-2.2.0p1/sshconnect1.c 2000-08-23 10:46:25.000000000 +1000 +++ openssh-2.3.0p1/sshconnect1.c 2000-10-14 16:23:12.000000000 +1100 
@@ -2,14 +2,18 @@ * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * Created: Sat Mar 18 22:15:47 1995 ylo * Code to connect to a remote host, and to perform the client side of the * login (authentication) dialog. * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ #include "includes.h" -RCSID("$OpenBSD: sshconnect1.c,v 1.5 2000/08/19 21:34:44 markus Exp $"); +RCSID("$OpenBSD: sshconnect1.c,v 1.8 2000/10/12 09:59:19 markus Exp $"); #include #include @@ -21,7 +25,6 @@ #include "ssh.h" #include "buffer.h" #include "packet.h" -#include "cipher.h" #include "mpaux.h" #include "uidswap.h" #include "readconf.h" @@ -832,17 +835,11 @@ if (options.cipher == SSH_CIPHER_ILLEGAL) { log("No valid SSH1 cipher, using %.100s instead.", - cipher_name(SSH_FALLBACK_CIPHER)); - options.cipher = SSH_FALLBACK_CIPHER; + cipher_name(ssh_cipher_default)); + options.cipher = ssh_cipher_default; } else if (options.cipher == SSH_CIPHER_NOT_SET) { - if (cipher_mask1() & supported_ciphers & (1 << ssh_cipher_default)) + if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default)) options.cipher = ssh_cipher_default; - else { - debug("Cipher %s not supported, using %.100s instead.", - cipher_name(ssh_cipher_default), - cipher_name(SSH_FALLBACK_CIPHER)); - options.cipher = SSH_FALLBACK_CIPHER; - } } /* Check that the selected cipher is supported. */ if (!(supported_ciphers & (1 << options.cipher))) diff -ru openssh-2.2.0p1/sshconnect2.c openssh-2.3.0p1/sshconnect2.c --- openssh-2.2.0p1/sshconnect2.c 2000-08-23 10:46:25.000000000 +1000 +++ openssh-2.3.0p1/sshconnect2.c 2000-10-28 14:19:58.000000000 +1100 
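Review bot: When options.cipher is SSH_CIPHER_NOT_SET and ssh_cipher_default is not in the server's mask, the removed else-branch used to pick a fallback; now options.cipher stays SSH_CIPHER_NOT_SET and reaches the `supported_ciphers & (1 << options.cipher)` test below (hunk -832). If SSH_CIPHER_NOT_SET is a negative sentinel (its value is not on this page), that shift is undefined behaviour rather than a clean "not supported" error. Guard it before the shift, e.g. `if (options.cipher == SSH_CIPHER_NOT_SET) fatal("Server does not support cipher %s", cipher_name(ssh_cipher_default));`. The enclosing function continues outside the hunk.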
@@ -9,11 +9,6 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Markus Friedl. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES @@ -28,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.17 2000/08/19 21:34:44 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.27 2000/10/19 16:45:16 provos Exp $"); #include #include @@ -42,7 +37,6 @@ #include "rsa.h" #include "buffer.h" #include "packet.h" -#include "cipher.h" #include "uidswap.h" #include "compat.h" #include "readconf.h" @@ -54,8 +48,13 @@ #include "dsa.h" #include "sshconnect.h" #include "authfile.h" +#include "cli.h" +#include "dispatch.h" #include "authfd.h" +void ssh_dh1_client(Kex *, char *, struct sockaddr *, Buffer *, Buffer *); +void ssh_dhgex_client(Kex *, char *, struct sockaddr *, Buffer *, Buffer *); + /* import */ extern char *client_version_string; extern char *server_version_string; 
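Review bot: The two new prototypes in hunk -54 drop their parameter names, so a reader cannot tell which Buffer is the client and which the server kexinit; the definitions later in this diff name them and the declarations should match: `void ssh_dh1_client(Kex *kex, char *host, struct sockaddr *hostaddr, Buffer *client_kexinit, Buffer *server_kexinit);` (same for ssh_dhgex_client). If nothing outside sshconnect2.c calls them, both should be `static` as well.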
@@ -69,9 +68,94 @@ int session_id2_len = 0; void -ssh_kex_dh(Kex *kex, char *host, struct sockaddr *hostaddr, - Buffer *client_kexinit, Buffer *server_kexinit) +ssh_kex2(char *host, struct sockaddr *hostaddr) { + int i, plen; + Kex *kex; + Buffer *client_kexinit, *server_kexinit; + char *sprop[PROPOSAL_MAX]; + + if (options.ciphers == NULL) { + if (options.cipher == SSH_CIPHER_3DES) { + options.ciphers = "3des-cbc"; + } else if (options.cipher == SSH_CIPHER_BLOWFISH) { + options.ciphers = "blowfish-cbc"; + } else if (options.cipher == SSH_CIPHER_DES) { + fatal("cipher DES not supported for protocol version 2"); + } + } + if (options.ciphers != NULL) { + myproposal[PROPOSAL_ENC_ALGS_CTOS] = + myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; + } + if (options.compression) { + myproposal[PROPOSAL_COMP_ALGS_CTOS] = "zlib"; + myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib"; + } else { + myproposal[PROPOSAL_COMP_ALGS_CTOS] = "none"; + myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; + } + + /* buffers with raw kexinit messages */ + server_kexinit = xmalloc(sizeof(*server_kexinit)); + buffer_init(server_kexinit); + client_kexinit = kex_init(myproposal); + + /* algorithm negotiation */ + kex_exchange_kexinit(client_kexinit, server_kexinit, sprop); + kex = kex_choose_conf(myproposal, sprop, 0); + for (i = 0; i < PROPOSAL_MAX; i++) + xfree(sprop[i]); + + /* server authentication and session key agreement */ + switch(kex->kex_type) { + case DH_GRP1_SHA1: + ssh_dh1_client(kex, host, hostaddr, + client_kexinit, server_kexinit); + break; + case DH_GEX_SHA1: + ssh_dhgex_client(kex, host, hostaddr, client_kexinit, + server_kexinit); + break; + default: + fatal("Unsupported key exchange %d", kex->kex_type); + } + + buffer_free(client_kexinit); + buffer_free(server_kexinit); + xfree(client_kexinit); + xfree(server_kexinit); + + debug("Wait SSH2_MSG_NEWKEYS."); + packet_read_expect(&plen, SSH2_MSG_NEWKEYS); + packet_done(); + debug("GOT SSH2_MSG_NEWKEYS."); + + debug("send 
SSH2_MSG_NEWKEYS."); + packet_start(SSH2_MSG_NEWKEYS); + packet_send(); + packet_write_wait(); + debug("done: send SSH2_MSG_NEWKEYS."); + +#ifdef DEBUG_KEXDH + /* send 1st encrypted/maced/compressed message */ + packet_start(SSH2_MSG_IGNORE); + packet_put_cstring("markus"); + packet_send(); + packet_write_wait(); +#endif + debug("done: KEX2."); +} + +/* diffie-hellman-group1-sha1 */ + +void +ssh_dh1_client(Kex *kex, char *host, struct sockaddr *hostaddr, + Buffer *client_kexinit, Buffer *server_kexinit) +{ +#ifdef DEBUG_KEXDH + int i; +#endif int plen, dlen; unsigned int klen, kout; char *signature = NULL; @@ -95,11 +179,11 @@ #ifdef DEBUG_KEXDH fprintf(stderr, "\np= "); - bignum_print(dh->p); + BN_print_fp(stderr, dh->p); fprintf(stderr, "\ng= "); - bignum_print(dh->g); + BN_print_fp(stderr, dh->g); fprintf(stderr, "\npub= "); - bignum_print(dh->pub_key); + BN_print_fp(stderr, dh->pub_key); fprintf(stderr, "\n"); DHparams_print_fp(stderr, dh); #endif @@ -117,7 +201,7 @@ fatal("cannot decode server_host_key_blob"); check_host_key(host, hostaddr, server_host_key, - options.user_hostfile2, options.system_hostfile2); + options.user_hostfile2, options.system_hostfile2); /* DH paramter f, server public DH key */ dh_server_pub = BN_new(); @@ -127,7 +211,7 @@ #ifdef DEBUG_KEXDH fprintf(stderr, "\ndh_server_pub= "); - bignum_print(dh_server_pub); + BN_print_fp(stderr, dh_server_pub); fprintf(stderr, "\n"); debug("bits %d", BN_num_bits(dh_server_pub)); #endif 
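Review bot: In ssh_kex2() the `-c` translation handles only 3DES, Blowfish and DES: any other protocol-1 cipher number in options.cipher leaves options.ciphers NULL and the default protocol-2 proposal goes out without a word, whereas DES is fatal. Tell the user the request was ignored, e.g. `} else if (options.cipher != SSH_CIPHER_NOT_SET) { debug("cipher %d has no protocol 2 equivalent, using default list", options.cipher); }`. The function frees sprop[] and both kexinit buffers but hands `kex` to the kex-specific client and never frees it; one line in a header comment stating that packet_set_kex() takes ownership (if it does) would settle that. The hunk ends inside the declarations of ssh_dh1_client, whose body continues outside it.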
@@ -187,79 +271,351 @@ memcpy(session_id2, hash, session_id2_len); } +/* diffie-hellman-group-exchange-sha1 */ + +/* + * Estimates the group order for a Diffie-Hellman group that has an + * attack complexity approximately the same as O(2**bits). Estimate + * with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3))) + */ + +int +dh_estimate(int bits) +{ + + if (bits < 64) + return (512); /* O(2**63) */ + if (bits < 128) + return (1024); /* O(2**86) */ + if (bits < 192) + return (2048); /* O(2**116) */ + return (4096); /* O(2**156) */ +} + void -ssh_kex2(char *host, struct sockaddr *hostaddr) +ssh_dhgex_client(Kex *kex, char *host, struct sockaddr *hostaddr, + Buffer *client_kexinit, Buffer *server_kexinit) { - int i, plen; - Kex *kex; - Buffer *client_kexinit, *server_kexinit; - char *sprop[PROPOSAL_MAX]; +#ifdef DEBUG_KEXDH + int i; +#endif + int plen, dlen; + unsigned int klen, kout; + char *signature = NULL; + unsigned int slen, nbits; + char *server_host_key_blob = NULL; + Key *server_host_key; + unsigned int sbloblen; + DH *dh; + BIGNUM *dh_server_pub = 0; + BIGNUM *shared_secret = 0; + BIGNUM *p = 0, *g = 0; + unsigned char *kbuf; + unsigned char *hash; - if (options.ciphers != NULL) { - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; - } else if (options.cipher == SSH_CIPHER_3DES) { - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - myproposal[PROPOSAL_ENC_ALGS_STOC] = - (char *) cipher_name(SSH_CIPHER_3DES_CBC); - } else if (options.cipher == SSH_CIPHER_BLOWFISH) { - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - myproposal[PROPOSAL_ENC_ALGS_STOC] = - (char *) cipher_name(SSH_CIPHER_BLOWFISH_CBC); - } - if (options.compression) { - myproposal[PROPOSAL_COMP_ALGS_CTOS] = "zlib"; - myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib"; - } else { - myproposal[PROPOSAL_COMP_ALGS_CTOS] = "none"; - myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; - } + nbits = dh_estimate(kex->enc[MODE_OUT].cipher->key_len * 8); - /* buffers with raw kexinit messages */ - 
server_kexinit = xmalloc(sizeof(*server_kexinit)); - buffer_init(server_kexinit); - client_kexinit = kex_init(myproposal); + debug("Sending SSH2_MSG_KEX_DH_GEX_REQUEST."); + packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST); + packet_put_int(nbits); + packet_send(); + packet_write_wait(); - /* algorithm negotiation */ - kex_exchange_kexinit(client_kexinit, server_kexinit, sprop); - kex = kex_choose_conf(myproposal, sprop, 0); - for (i = 0; i < PROPOSAL_MAX; i++) - xfree(sprop[i]); +#ifdef DEBUG_KEXDH + fprintf(stderr, "\nnbits = %d", nbits); +#endif - /* server authentication and session key agreement */ - ssh_kex_dh(kex, host, hostaddr, client_kexinit, server_kexinit); + debug("Wait SSH2_MSG_KEX_DH_GEX_GROUP."); - buffer_free(client_kexinit); - buffer_free(server_kexinit); - xfree(client_kexinit); - xfree(server_kexinit); + packet_read_expect(&plen, SSH2_MSG_KEX_DH_GEX_GROUP); - debug("Wait SSH2_MSG_NEWKEYS."); - packet_read_expect(&plen, SSH2_MSG_NEWKEYS); - packet_done(); - debug("GOT SSH2_MSG_NEWKEYS."); + debug("Got SSH2_MSG_KEX_DH_GEX_GROUP."); - debug("send SSH2_MSG_NEWKEYS."); - packet_start(SSH2_MSG_NEWKEYS); - packet_send(); - packet_write_wait(); - debug("done: send SSH2_MSG_NEWKEYS."); + if ((p = BN_new()) == NULL) + fatal("BN_new"); + packet_get_bignum2(p, &dlen); + if ((g = BN_new()) == NULL) + fatal("BN_new"); + packet_get_bignum2(g, &dlen); + if ((dh = dh_new_group(g, p)) == NULL) + fatal("dh_new_group"); #ifdef DEBUG_KEXDH - /* send 1st encrypted/maced/compressed message */ - packet_start(SSH2_MSG_IGNORE); - packet_put_cstring("markus"); + fprintf(stderr, "\np= "); + BN_print_fp(stderr, dh->p); + fprintf(stderr, "\ng= "); + BN_print_fp(stderr, dh->g); + fprintf(stderr, "\npub= "); + BN_print_fp(stderr, dh->pub_key); + fprintf(stderr, "\n"); + DHparams_print_fp(stderr, dh); +#endif + + debug("Sending SSH2_MSG_KEX_DH_GEX_INIT."); + /* generate and send 'e', client DH public key */ + packet_start(SSH2_MSG_KEX_DH_GEX_INIT); + packet_put_bignum2(dh->pub_key); 
packet_send(); packet_write_wait(); + + debug("Wait SSH2_MSG_KEX_DH_GEX_REPLY."); + + packet_read_expect(&plen, SSH2_MSG_KEX_DH_GEX_REPLY); + + debug("Got SSH2_MSG_KEXDH_REPLY."); + + /* key, cert */ + server_host_key_blob = packet_get_string(&sbloblen); + server_host_key = dsa_key_from_blob(server_host_key_blob, sbloblen); + if (server_host_key == NULL) + fatal("cannot decode server_host_key_blob"); + + check_host_key(host, hostaddr, server_host_key, + options.user_hostfile2, options.system_hostfile2); + + /* DH paramter f, server public DH key */ + dh_server_pub = BN_new(); + if (dh_server_pub == NULL) + fatal("dh_server_pub == NULL"); + packet_get_bignum2(dh_server_pub, &dlen); + +#ifdef DEBUG_KEXDH + fprintf(stderr, "\ndh_server_pub= "); + BN_print_fp(stderr, dh_server_pub); + fprintf(stderr, "\n"); + debug("bits %d", BN_num_bits(dh_server_pub)); #endif - debug("done: KEX2."); + + /* signed H */ + signature = packet_get_string(&slen); + packet_done(); + + if (!dh_pub_is_valid(dh, dh_server_pub)) + packet_disconnect("bad server public DH value"); + + klen = DH_size(dh); + kbuf = xmalloc(klen); + kout = DH_compute_key(kbuf, dh_server_pub, dh); +#ifdef DEBUG_KEXDH + debug("shared secret: len %d/%d", klen, kout); + fprintf(stderr, "shared secret == "); + for (i = 0; i< kout; i++) + fprintf(stderr, "%02x", (kbuf[i])&0xff); + fprintf(stderr, "\n"); +#endif + shared_secret = BN_new(); + + BN_bin2bn(kbuf, kout, shared_secret); + memset(kbuf, 0, klen); + xfree(kbuf); + + /* calc and verify H */ + hash = kex_hash_gex( + client_version_string, + server_version_string, + buffer_ptr(client_kexinit), buffer_len(client_kexinit), + buffer_ptr(server_kexinit), buffer_len(server_kexinit), + server_host_key_blob, sbloblen, + nbits, dh->p, dh->g, + dh->pub_key, + dh_server_pub, + shared_secret + ); + xfree(server_host_key_blob); + DH_free(dh); +#ifdef DEBUG_KEXDH + fprintf(stderr, "hash == "); + for (i = 0; i< 20; i++) + fprintf(stderr, "%02x", (hash[i])&0xff); + fprintf(stderr, 
"\n"); +#endif + if (dsa_verify(server_host_key, (unsigned char *)signature, slen, hash, 20) != 1) + fatal("dsa_verify failed for server_host_key"); + key_free(server_host_key); + + kex_derive_keys(kex, hash, shared_secret); + packet_set_kex(kex); + + /* save session id */ + session_id2_len = 20; + session_id2 = xmalloc(session_id2_len); + memcpy(session_id2, hash, session_id2_len); } /* * Authenticate user */ + +typedef struct Authctxt Authctxt; +typedef struct Authmethod Authmethod; + +typedef int sign_cb_fn( + Authctxt *authctxt, Key *key, + unsigned char **sigp, int *lenp, unsigned char *data, int datalen); + +struct Authctxt { + const char *server_user; + const char *host; + const char *service; + AuthenticationConnection *agent; + Authmethod *method; + int success; +}; +struct Authmethod { + char *name; /* string to compare against server's list */ + int (*userauth)(Authctxt *authctxt); + int *enabled; /* flag in option struct that enables method */ + int *batch_flag; /* flag in option struct that disables method */ +}; + +void input_userauth_success(int type, int plen, void *ctxt); +void input_userauth_failure(int type, int plen, void *ctxt); +void input_userauth_error(int type, int plen, void *ctxt); +void input_userauth_info_req(int type, int plen, void *ctxt); + +int userauth_none(Authctxt *authctxt); +int userauth_pubkey(Authctxt *authctxt); +int userauth_passwd(Authctxt *authctxt); +int userauth_kbdint(Authctxt *authctxt); + +void authmethod_clear(); +Authmethod *authmethod_get(char *authlist); +Authmethod *authmethod_lookup(const char *name); + +Authmethod authmethods[] = { + {"publickey", + userauth_pubkey, + &options.dsa_authentication, + NULL}, + {"password", + userauth_passwd, + &options.password_authentication, + &options.batch_mode}, + {"keyboard-interactive", + userauth_kbdint, + &options.kbd_interactive_authentication, + &options.batch_mode}, + {"none", + userauth_none, + NULL, + NULL}, + {NULL, NULL, NULL, NULL} +}; + +void 
+ssh_userauth2(const char *server_user, char *host) +{ + Authctxt authctxt; + int type; + int plen; + + debug("send SSH2_MSG_SERVICE_REQUEST"); + packet_start(SSH2_MSG_SERVICE_REQUEST); + packet_put_cstring("ssh-userauth"); + packet_send(); + packet_write_wait(); + type = packet_read(&plen); + if (type != SSH2_MSG_SERVICE_ACCEPT) { + fatal("denied SSH2_MSG_SERVICE_ACCEPT: %d", type); + } + if (packet_remaining() > 0) { + char *reply = packet_get_string(&plen); + debug("service_accept: %s", reply); + xfree(reply); + packet_done(); + } else { + debug("buggy server: service_accept w/o service"); + } + packet_done(); + debug("got SSH2_MSG_SERVICE_ACCEPT"); + + /* setup authentication context */ + authctxt.agent = ssh_get_authentication_connection(); + authctxt.server_user = server_user; + authctxt.host = host; + authctxt.service = "ssh-connection"; /* service name */ + authctxt.success = 0; + authctxt.method = authmethod_lookup("none"); + if (authctxt.method == NULL) + fatal("ssh_userauth2: internal error: cannot send userauth none request"); + authmethod_clear(); + + /* initial userauth request */ + userauth_none(&authctxt); + + dispatch_init(&input_userauth_error); + dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success); + dispatch_set(SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure); + dispatch_run(DISPATCH_BLOCK, &authctxt.success, &authctxt); /* loop until success */ + + if (authctxt.agent != NULL) + ssh_close_authentication_connection(authctxt.agent); + + debug("ssh-userauth2 successfull: method %s", authctxt.method->name); +} +void +input_userauth_error(int type, int plen, void *ctxt) +{ + fatal("input_userauth_error: bad message during authentication"); +} +void +input_userauth_success(int type, int plen, void *ctxt) +{ + Authctxt *authctxt = ctxt; + if (authctxt == NULL) + fatal("input_userauth_success: no authentication context"); + authctxt->success = 1; /* break out */ +} +void +input_userauth_failure(int type, int plen, void *ctxt) +{ + 
Authmethod *method = NULL; + Authctxt *authctxt = ctxt; + char *authlist = NULL; + int partial; + + if (authctxt == NULL) + fatal("input_userauth_failure: no authentication context"); + + authlist = packet_get_string(NULL); + partial = packet_get_char(); + packet_done(); + + if (partial != 0) + debug("partial success"); + debug("authentications that can continue: %s", authlist); + + for (;;) { + method = authmethod_get(authlist); + if (method == NULL) + fatal("Unable to find an authentication method"); + authctxt->method = method; + if (method->userauth(authctxt) != 0) { + debug2("we sent a %s packet, wait for reply", method->name); + break; + } else { + debug2("we did not send a packet, disable method"); + method->enabled = NULL; + } + } + xfree(authlist); +} + int -ssh2_try_passwd(const char *server_user, const char *host, const char *service) +userauth_none(Authctxt *authctxt) +{ + /* initial userauth request */ + packet_start(SSH2_MSG_USERAUTH_REQUEST); + packet_put_cstring(authctxt->server_user); + packet_put_cstring(authctxt->service); + packet_put_cstring(authctxt->method->name); + packet_send(); + packet_write_wait(); + return 1; +} + +int +userauth_passwd(Authctxt *authctxt) { static int attempt = 0; char prompt[80]; @@ -272,12 +628,12 @@ error("Permission denied, please try again."); snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ", - server_user, host); + authctxt->server_user, authctxt->host); password = read_passphrase(prompt, 0); packet_start(SSH2_MSG_USERAUTH_REQUEST); - packet_put_cstring(server_user); - packet_put_cstring(service); - packet_put_cstring("password"); + packet_put_cstring(authctxt->server_user); + packet_put_cstring(authctxt->service); + packet_put_cstring(authctxt->method->name); packet_put_char(0); packet_put_cstring(password); memset(password, 0, strlen(password)); 
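Review bot: In ssh_dhgex_client() the result of `DH_compute_key()` goes unchecked into the unsigned `kout`; a failure returns -1, which then becomes a huge length for `BN_bin2bn(kbuf, kout, shared_secret)` and a read past the klen-byte buffer, so declare kout as int and check it, `if (kout < 0) fatal("DH_compute_key failed");`, before BN_bin2bn (ssh_dh1_client, only partly visible, presumably has the same pattern). The group received in SSH2_MSG_KEX_DH_GEX_GROUP is used as-is: nothing compares `BN_num_bits(dh->p)` with the nbits that dh_estimate() asked for, so a misconfigured or malicious server can return a group far weaker than requested and session secrecy then rests on that group; a floor after dh_new_group(), `if (BN_num_bits(dh->p) < nbits) packet_disconnect("DH group too small: %d < %u bits", BN_num_bits(dh->p), nbits);`, is cheap. Within this hunk shared_secret, dh_server_pub and signature are neither cleared nor freed after kex_derive_keys(). In ssh_userauth2() the `packet_done()` inside the `packet_remaining() > 0` branch is repeated right after the if/else, and the debug texts `Got SSH2_MSG_KEXDH_REPLY.` in the gex path and `successfull` look like copy-and-paste slips.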
@@ -287,45 +643,40 @@ return 1; } -typedef int sign_fn( - Key *key, - unsigned char **sigp, int *lenp, - unsigned char *data, int datalen); - int -ssh2_sign_and_send_pubkey(Key *k, sign_fn *do_sign, - const char *server_user, const char *host, const char *service) +sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback) { Buffer b; unsigned char *blob, *signature; int bloblen, slen; int skip = 0; int ret = -1; + int have_sig = 1; dsa_make_key_blob(k, &blob, &bloblen); /* data to be signed */ buffer_init(&b); - if (datafellows & SSH_COMPAT_SESSIONID_ENCODING) { - buffer_put_string(&b, session_id2, session_id2_len); - skip = buffer_len(&b); - } else { + if (datafellows & SSH_OLD_SESSIONID) { buffer_append(&b, session_id2, session_id2_len); skip = session_id2_len; + } else { + buffer_put_string(&b, session_id2, session_id2_len); + skip = buffer_len(&b); } buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); - buffer_put_cstring(&b, server_user); + buffer_put_cstring(&b, authctxt->server_user); buffer_put_cstring(&b, datafellows & SSH_BUG_PUBKEYAUTH ? "ssh-userauth" : - service); - buffer_put_cstring(&b, "publickey"); - buffer_put_char(&b, 1); + authctxt->service); + buffer_put_cstring(&b, authctxt->method->name); + buffer_put_char(&b, have_sig); buffer_put_cstring(&b, KEX_DSS); buffer_put_string(&b, blob, bloblen); /* generate signature */ - ret = do_sign(k, &signature, &slen, buffer_ptr(&b), buffer_len(&b)); + ret = (*sign_callback)(authctxt, k, &signature, &slen, buffer_ptr(&b), buffer_len(&b)); if (ret == -1) { xfree(blob); buffer_free(&b); 
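Review bot: sign_and_send_pubkey() has no header comment and its contract is easy to misread: `ret = -1` marks the sign-callback failure path, the function returns 1 once the request is on the wire, and the `skip` arithmetic exists because the signed data embeds the session id in two encodings depending on SSH_OLD_SESSIONID. A short comment above the definition stating the return values (1 sent; the early-return value after a failed signature is outside the hunk and should be confirmed) and that `sign_callback` receives the authctxt so agent-backed signing can reach authctxt->agent would spare the next reader a trace. The function continues outside the hunk.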
@@ -338,10 +689,10 @@ buffer_clear(&b); buffer_append(&b, session_id2, session_id2_len); buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); - buffer_put_cstring(&b, server_user); - buffer_put_cstring(&b, service); - buffer_put_cstring(&b, "publickey"); - buffer_put_char(&b, 1); + buffer_put_cstring(&b, authctxt->server_user); + buffer_put_cstring(&b, authctxt->service); + buffer_put_cstring(&b, authctxt->method->name); + buffer_put_char(&b, have_sig); buffer_put_cstring(&b, KEX_DSS); buffer_put_string(&b, blob, bloblen); } @@ -352,7 +703,7 @@ /* skip session id and packet type */ if (buffer_len(&b) < skip + 1) - fatal("ssh2_try_pubkey: internal error"); + fatal("userauth_pubkey: internal error"); buffer_consume(&b, skip + 1); /* put remaining data from buffer into packet */ @@ -367,12 +718,18 @@ return 1; } +/* sign callback */ +int dsa_sign_cb(Authctxt *authctxt, Key *key, unsigned char **sigp, int *lenp, + unsigned char *data, int datalen) +{ + return dsa_sign(key, sigp, lenp, data, datalen); +} + int -ssh2_try_pubkey(char *filename, - const char *server_user, const char *host, const char *service) +userauth_pubkey_identity(Authctxt *authctxt, char *filename) { Key *k; - int ret = 0; + int i, ret, try_next; struct stat st; if (stat(filename, &st) != 0) { 
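Review bot: The renamed message `fatal("userauth_pubkey: internal error")` in hunk -352 names the wrong function: this code is in sign_and_send_pubkey(), which both the identity and the agent paths share, so a report would point at the wrong place. Use `fatal("sign_and_send_pubkey: internal error");`.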
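Review bot: `int i, ret, try_next;` in userauth_pubkey_identity() (hunk -367) drops the `= 0` that `ret` had before; whether every early return still assigns it depends on the part of the function outside this hunk, and an uninitialised `ret` reaching `return ret` is undefined behaviour. Keep `int i, ret = 0, try_next = 0;`. dsa_sign_cb() ignores its authctxt argument, which is expected for the callback shape, but a `(void)authctxt;` or a one-line comment keeps warnings quiet and tells readers it is intentional.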
@@ -387,39 +744,42 @@ char *passphrase; char prompt[300]; snprintf(prompt, sizeof prompt, - "Enter passphrase for DSA key '%.100s': ", - filename); - passphrase = read_passphrase(prompt, 0); - success = load_private_key(filename, passphrase, k, NULL); - memset(passphrase, 0, strlen(passphrase)); - xfree(passphrase); + "Enter passphrase for %s key '%.100s': ", + key_type(k), filename); + for (i = 0; i < options.number_of_password_prompts; i++) { + passphrase = read_passphrase(prompt, 0); + if (strcmp(passphrase, "") != 0) { + success = load_private_key(filename, passphrase, k, NULL); + try_next = 0; + } else { + debug2("no passphrase given, try next key"); + try_next = 1; + } + memset(passphrase, 0, strlen(passphrase)); + xfree(passphrase); + if (success || try_next) + break; + debug2("bad passphrase given, try again..."); + } if (!success) { key_free(k); return 0; } } - ret = ssh2_sign_and_send_pubkey(k, dsa_sign, server_user, host, service); + ret = sign_and_send_pubkey(authctxt, k, dsa_sign_cb); key_free(k); return ret; } -int agent_sign( - Key *key, - unsigned char **sigp, int *lenp, +/* sign callback */ +int agent_sign_cb(Authctxt *authctxt, Key *key, unsigned char **sigp, int *lenp, unsigned char *data, int datalen) { - int ret = -1; - AuthenticationConnection *ac = ssh_get_authentication_connection(); - if (ac != NULL) { - ret = ssh_agent_sign(ac, key, sigp, lenp, data, datalen); - ssh_close_authentication_connection(ac); - } - return ret; + return ssh_agent_sign(authctxt->agent, key, sigp, lenp, data, datalen); } int -ssh2_try_agent(AuthenticationConnection *ac, - const char *server_user, const char *host, const char *service) +userauth_pubkey_agent(Authctxt *authctxt) { static int called = 0; char *comment; 
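Review bot: The new retry loop relies on `success` being initialised before it (its declaration is outside the hunk) and, when options.number_of_password_prompts is 0, never prompts at all and continues with whatever success held, so a zero setting silently skips every encrypted key; either treat 0 as one prompt or document it next to the loop. The `memset(passphrase, 0, strlen(passphrase))` immediately before xfree() is a dead store from the compiler's point of view and may be elided under optimisation, so the zeroisation should go through a helper the optimiser cannot drop. agent_sign_cb() now depends on authctxt->agent being non-NULL, which userauth_pubkey() checks before calling userauth_pubkey_agent(), but the callback itself does not, and a comment saying who guarantees it would help.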
@@ -427,104 +787,243 @@ int ret; if (called == 0) { - k = ssh_get_first_identity(ac, &comment, 2); - called ++; + k = ssh_get_first_identity(authctxt->agent, &comment, 2); + called = 1; } else { - k = ssh_get_next_identity(ac, &comment, 2); + k = ssh_get_next_identity(authctxt->agent, &comment, 2); } - if (k == NULL) + if (k == NULL) { + debug2("no more DSA keys from agent"); return 0; + } debug("trying DSA agent key %s", comment); xfree(comment); - ret = ssh2_sign_and_send_pubkey(k, agent_sign, server_user, host, service); + ret = sign_and_send_pubkey(authctxt, k, agent_sign_cb); key_free(k); return ret; } -void -ssh_userauth2(const char *server_user, char *host) +int +userauth_pubkey(Authctxt *authctxt) { - AuthenticationConnection *ac = ssh_get_authentication_connection(); - int type; - int plen; - int sent; - unsigned int dlen; - int partial; - int i = 0; - char *auths; - char *service = "ssh-connection"; /* service name */ + static int idx = 0; + int sent = 0; - debug("send SSH2_MSG_SERVICE_REQUEST"); - packet_start(SSH2_MSG_SERVICE_REQUEST); - packet_put_cstring("ssh-userauth"); + if (authctxt->agent != NULL) + sent = userauth_pubkey_agent(authctxt); + while (sent == 0 && idx < options.num_identity_files2) + sent = userauth_pubkey_identity(authctxt, options.identity_files2[idx++]); + return sent; +} + +/* + * Send userauth request message specifying keyboard-interactive method. + */ +int +userauth_kbdint(Authctxt *authctxt) +{ + static int attempt = 0; + + if (attempt++ >= options.number_of_password_prompts) + return 0; + + debug2("userauth_kbdint"); + packet_start(SSH2_MSG_USERAUTH_REQUEST); + packet_put_cstring(authctxt->server_user); + packet_put_cstring(authctxt->service); + packet_put_cstring(authctxt->method->name); + packet_put_cstring(""); /* lang */ + packet_put_cstring(options.kbd_interactive_devices ? 
+ options.kbd_interactive_devices : ""); packet_send(); packet_write_wait(); - type = packet_read(&plen); - if (type != SSH2_MSG_SERVICE_ACCEPT) { - fatal("denied SSH2_MSG_SERVICE_ACCEPT: %d", type); - } - if (packet_remaining() > 0) { - char *reply = packet_get_string(&plen); - debug("service_accept: %s", reply); - xfree(reply); - } else { - /* payload empty for ssh-2.0.13 ?? */ - debug("buggy server: service_accept w/o service"); + dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, &input_userauth_info_req); + return 1; +} + +/* + * parse SSH2_MSG_USERAUTH_INFO_REQUEST, prompt user and send + * SSH2_MSG_USERAUTH_INFO_RESPONSE + */ +void +input_userauth_info_req(int type, int plen, void *ctxt) +{ + Authctxt *authctxt = ctxt; + char *name = NULL; + char *inst = NULL; + char *lang = NULL; + char *prompt = NULL; + char *response = NULL; + unsigned int num_prompts, i; + int echo = 0; + + debug2("input_userauth_info_req"); + + if (authctxt == NULL) + fatal("input_userauth_info_req: no authentication context"); + + name = packet_get_string(NULL); + inst = packet_get_string(NULL); + lang = packet_get_string(NULL); + + if (strlen(name) > 0) + cli_mesg(name); + xfree(name); + + if (strlen(inst) > 0) + cli_mesg(inst); + xfree(inst); + xfree(lang); /* unused */ + + num_prompts = packet_get_int(); + /* + * Begin to build info response packet based on prompts requested. + * We commit to providing the correct number of responses, so if + * further on we run into a problem that prevents this, we have to + * be sure and clean this up and send a correct error response. 
+ */ + packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE); + packet_put_int(num_prompts); + + for (i = 0; i < num_prompts; i++) { + prompt = packet_get_string(NULL); + echo = packet_get_char(); + + response = cli_prompt(prompt, echo); + + packet_put_cstring(response); + memset(response, 0, strlen(response)); + xfree(response); + xfree(prompt); } - packet_done(); - debug("got SSH2_MSG_SERVICE_ACCEPT"); + packet_done(); /* done with parsing incoming message. */ - /* INITIAL request for auth */ - packet_start(SSH2_MSG_USERAUTH_REQUEST); - packet_put_cstring(server_user); - packet_put_cstring(service); - packet_put_cstring("none"); packet_send(); packet_write_wait(); +} - for (;;) { - sent = 0; - type = packet_read(&plen); - if (type == SSH2_MSG_USERAUTH_SUCCESS) +/* find auth method */ + +#define DELIM "," + +static char *def_authlist = "publickey,password"; +static char *authlist_current = NULL; /* clean copy used for comparison */ +static char *authname_current = NULL; /* last used auth method */ +static char *authlist_working = NULL; /* copy that gets modified by strtok_r() */ +static char *authlist_state = NULL; /* state variable for strtok_r() */ + +/* + * Before starting to use a new authentication method list sent by the + * server, reset internal variables. This should also be called when + * finished processing server list to free resources. + */ +void +authmethod_clear() +{ + if (authlist_current != NULL) { + xfree(authlist_current); + authlist_current = NULL; + } + if (authlist_working != NULL) { + xfree(authlist_working); + authlist_working = NULL; + } + if (authname_current != NULL) { + xfree(authname_current); + authlist_state = NULL; + } + if (authlist_state != NULL) + authlist_state = NULL; + return; +} + +/* + * given auth method name, if configurable options permit this method fill + * in auth_ident field and return true, otherwise return false. 
+ */ +int +authmethod_is_enabled(Authmethod *method) +{ + if (method == NULL) + return 0; + /* return false if options indicate this method is disabled */ + if (method->enabled == NULL || *method->enabled == 0) + return 0; + /* return false if batch mode is enabled but method needs interactive mode */ + if (method->batch_flag != NULL && *method->batch_flag != 0) + return 0; + return 1; +} + +Authmethod * +authmethod_lookup(const char *name) +{ + Authmethod *method = NULL; + if (name != NULL) + for (method = authmethods; method->name != NULL; method++) + if (strcmp(name, method->name) == 0) + return method; + debug2("Unrecognized authentication method name: %s", name ? name : "NULL"); + return NULL; +} + +/* + * Given the authentication method list sent by the server, return the + * next method we should try. If the server initially sends a nil list, + * use a built-in default list. If the server sends a nil list after + * previously sending a valid list, continue using the list originally + * sent. + */ + +Authmethod * +authmethod_get(char *authlist) +{ + char *name = NULL, *authname_old; + Authmethod *method = NULL; + + /* Use a suitable default if we're passed a nil list. */ + if (authlist == NULL || strlen(authlist) == 0) + authlist = def_authlist; + + if (authlist_current == NULL || strcmp(authlist, authlist_current) != 0) { + /* start over if passed a different list */ + debug3("start over, passed a different list"); + authmethod_clear(); + authlist_current = xstrdup(authlist); + authlist_working = xstrdup(authlist); + name = strtok_r(authlist_working, DELIM, &authlist_state); + } else { + /* + * try to use previously used authentication method + * or continue to use previously passed list + */ + name = (authname_current != NULL) ? 
+ authname_current : strtok_r(NULL, DELIM, &authlist_state); + } + + while (name != NULL) { + debug3("authmethod_lookup %s", name); + method = authmethod_lookup(name); + if (method != NULL && authmethod_is_enabled(method)) { + debug3("authmethod_is_enabled %s", name); break; - if (type != SSH2_MSG_USERAUTH_FAILURE) - fatal("access denied: %d", type); - /* SSH2_MSG_USERAUTH_FAILURE means: try again */ - auths = packet_get_string(&dlen); - debug("authentications that can continue: %s", auths); - partial = packet_get_char(); - packet_done(); - if (partial) - debug("partial success"); - if (options.dsa_authentication && - strstr(auths, "publickey") != NULL) { - if (ac != NULL) - sent = ssh2_try_agent(ac, - server_user, host, service); - if (!sent) { - while (i < options.num_identity_files2) { - sent = ssh2_try_pubkey( - options.identity_files2[i++], - server_user, host, service); - if (sent) - break; - } - } } - if (!sent) { - if (options.password_authentication && - !options.batch_mode && - strstr(auths, "password") != NULL) { - sent = ssh2_try_passwd(server_user, host, service); - } - } - if (!sent) - fatal("Permission denied (%s).", auths); - xfree(auths); + name = strtok_r(NULL, DELIM, &authlist_state); + method = NULL; } - if (ac != NULL) - ssh_close_authentication_connection(ac); - packet_done(); - debug("ssh-userauth2 successfull"); + + authname_old = authname_current; + if (method != NULL) { + debug("next auth method to try is %s", name); + authname_current = xstrdup(name); + } else { + debug("no more auth methods to try"); + authname_current = NULL; + } + + if (authname_old != NULL) + xfree(authname_old); + + return (method); } diff -ru openssh-2.2.0p1/sshd.0 openssh-2.3.0p1/sshd.0 --- openssh-2.2.0p1/sshd.0 2000-09-02 10:08:46.000000000 +1100 +++ openssh-2.3.0p1/sshd.0 2000-11-06 14:25:20.000000000 +1100 
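Review bot: `authmethod_clear` frees authname_current but then assigns `authlist_state = NULL;` in that block instead of `authname_current = NULL;`, leaving a dangling pointer; on the next authmethod_get() call with a different server list, `authname_old = authname_current;` picks up the stale pointer and `xfree(authname_old)` frees it a second time. The fix is the single line `authname_current = NULL;` inside the `if (authname_current != NULL)` block (the trailing `if (authlist_state != NULL) authlist_state = NULL;` already handles the state variable). Separately, in input_userauth_info_req `num_prompts = packet_get_int();` is peer-controlled and used unchecked as the loop bound and response count; an upper limit before the loop, e.g. `if (num_prompts > MAX_INFO_PROMPTS) fatal("input_userauth_info_req: too many prompts");` with a constant of the project's choosing (name constructed here), bounds the prompts shown per message. Inside that loop `cli_prompt(prompt, echo)` is passed to strlen() and packet_put_cstring() without a NULL check, and the comment above promising to "clean this up and send a correct error response" describes handling the code does not yet contain.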
@@ -99,7 +99,8 @@ -d Debug mode. The server sends verbose debug output to the system log, and does not put itself in the background. The server also will not fork and will only process one connection. This option - is only intended for debugging for the server. + is only intended for debugging for the server. Multiple -d op- + tions increases the debugging level. Maximum is 3. -f configuration_file Specifies the name of the configuration file. The default is @@ -153,9 +154,10 @@ -Q Do not print an error message if RSA support is missing. -V client_protocol_id - SSH2 compatibility mode. When this option is specified sshd as- + SSH-2 compatibility mode. When this option is specified sshd as- sumes the client has sent the supplied version string and skips - the Protocol Version Identification Exchange. + the Protocol Version Identification Exchange. This option is not + intended to be called directly. -4 Forces sshd to use IPv4 addresses only. @@ -181,6 +183,12 @@ valid; a numerical group ID isn't recognized. By default login is allowed regardless of the primary group. + AllowTcpForwarding + Specifies whether TCP forwarding is permitted. The default is + ``yes''. Note that disabling TCP forwarding does not improve se- + curity unless users are also denied shell access, as they can al- + ways install their own forwarders. + AllowUsers This keyword can be followed by a number of user names, separated by spaces. If specified, login is allowed only for users names @@ -259,8 +267,6 @@ avoids infinitely hanging sessions. To disable keepalives, the value should be set to ``no'' in both - - the server and the client configuration files. KerberosAuthentication 
@@ -274,7 +280,7 @@ KerberosOrLocalPasswd If set then if password authentication through Kerberos fails then the password will be validated via any additional local - mechanism such as /etc/passwd or SecurID. Default is ``yes''. + mechanism such as /etc/passwd. Default is ``yes''. KerberosTgtPassing Specifies whether a Kerberos TGT may be forwarded to the server. @@ -317,7 +323,7 @@ pires for a connection. The default is 10. Alternatively, random early drop can be enabled by specifying the - three colon separated values ``start:rate:full'' (e.g. + three colon separated values ``start:rate:full'' (e.g., "10:30:60"). sshd will refuse connection attempts with a proba- billity of ``rate/100'' (30%) if there are currently ``start'' (10) unauthenticated connections. The probabillity increases @@ -327,7 +333,6 @@ PasswordAuthentication Specifies whether password authentication is allowed. The de- fault is ``yes''. Note that this option applies to both protocol - versions 1 and 2. PermitEmptyPasswords @@ -386,13 +391,13 @@ ServerKeyBits Defines the number of bits in the server key. The minimum value + + is 512, and the default is 768. SkeyAuthentication Specifies whether skey(1) authentication is allowed. The default is ``yes''. Note that s/key authentication is enabled only if - - PasswordAuthentication is allowed, too. StrictModes @@ -403,10 +408,12 @@ ``yes''. Subsystem - Configures an external subsystem (e.g. file transfer daemon). + Configures an external subsystem (e.g., file transfer daemon). Arguments should be a subsystem name and a command to execute up- - on subsystem request. By default no subsystems are defined. - Note that this option applies to protocol version 2 only. + on subsystem request. The command sftp-server(8) implements the + ``sftp'' file transfer subsystem. By default no subsystems are + defined. Note that this option applies to protocol version 2 on- + ly. SyslogFacility Gives the facility code that is used when logging messages from 
@@ -451,14 +458,13 @@ 5. Sets up basic environment. + 6. Reads $HOME/.ssh/environment if it exists. 7. Changes to user's home directory. 8. If $HOME/.ssh/rc exists, runs it; else if /etc/sshrc exists, runs it; otherwise runs xauth. The ``rc'' files are given the - - X11 authentication protocol and cookie in standard input. 9. Runs user's shell or command. @@ -525,7 +531,6 @@ no-X11-forwarding Forbids X11 forwarding when this key is used for authentication. - Any X11 forward requests by the client will return an error. no-agent-forwarding @@ -586,6 +591,7 @@ /etc/sshd_config Contains configuration data for sshd. This file should be writable by root only, but it is recommended (though not neces- + sary) that it be world-readable. /etc/ssh_host_key @@ -717,6 +723,7 @@ If this file does not exist, /etc/sshrc is run, and if that does not exist either, xauth is used to store the cookie. + This file should be writable only by the user, and need not be readable by anyone else. @@ -733,9 +740,9 @@ This version of OpenSSH - o has all components of a restrictive nature (i.e., patents) directly - removed from the source code; any licensed or patented components are - chosen from external libraries. + o has all components of a restrictive nature (i.e., patents, see + crypto(3)) directly removed from the source code; any licensed or + patented components are chosen from external libraries. o has been updated to support SSH protocol 1.5 and 2, making it compat- ible with all other SSH clients and servers. 
@@ -751,7 +758,7 @@ The support for SSH protocol 2 was written by Markus Friedl. SEE ALSO - scp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), rlogin(1), - rsh(1) + scp(1), sftp-server(8), ssh(1), ssh-add(1), ssh-agent(1), ssh- + keygen(1), crypto(3), rlogin(1), rsh(1) BSD Experimental September 25, 1999 12 diff -ru openssh-2.2.0p1/sshd.8 openssh-2.3.0p1/sshd.8 --- openssh-2.2.0p1/sshd.8 2000-08-29 11:33:51.000000000 +1100 +++ openssh-2.3.0p1/sshd.8 2000-11-06 12:39:34.000000000 +1100 
@@ -1,16 +1,40 @@ .\" -*- nroff -*- .\" -.\" sshd.8.in -.\" .\" Author: Tatu Ylonen -.\" .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland .\" All rights reserved .\" -.\" Created: Sat Apr 22 21:55:14 1995 ylo +.\" As far as I am concerned, the code I have written for this software +.\" can be used freely for any purpose. Any derived versions of this +.\" software must be clearly marked as such, and if the derived work is +.\" incompatible with the protocol description in the RFC file, it must be +.\" called by a name other than "ssh" or "Secure Shell". +.\" +.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. +.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. +.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" $Id: sshd.8,v 1.62 2000/08/25 16:16:15 deraadt Exp $ +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" +.\" $OpenBSD: sshd.8,v 1.70 2000/10/16 09:38:44 djm Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -163,6 +187,8 @@ log, and does not put itself in the background. The server also will not fork and will only process one connection. This option is only intended for debugging for the server. +Multiple -d options increases the debugging level. +Maximum is 3. .It Fl f Ar configuration_file Specifies the name of the configuration file. The default is @@ -231,12 +257,13 @@ .It Fl Q Do not print an error message if RSA support is missing. .It Fl V Ar client_protocol_id -SSH2 compatibility mode. +SSH-2 compatibility mode. When this option is specified .Nm assumes the client has sent the supplied version string and skips the Protocol Version Identification Exchange. +This option is not intended to be called directly. .It Fl 4 Forces .Nm @@ -277,6 +304,14 @@ Only group names are valid; a numerical group ID isn't recognized. By default login is allowed regardless of the primary group. .Pp +.It Cm AllowTcpForwarding +Specifies whether TCP forwarding is permitted. +The default is +.Dq yes . +Note that disabling TCP forwarding does not improve security unless +users are also denied shell access, as they can always install their +own forwarders. +.Pp .It Cm AllowUsers This keyword can be followed by a number of user names, separated by spaces. 
@@ -400,7 +435,8 @@ This can be in the form of a Kerberos ticket, or if .Cm PasswordAuthentication is yes, the password provided by the user will be validated through -the Kerberos KDC. To use this option, the server needs a +the Kerberos KDC. +To use this option, the server needs a Kerberos servtab which allows the verification of the KDC's identity. Default is .Dq yes . @@ -408,8 +444,7 @@ If set then if password authentication through Kerberos fails then the password will be validated via any additional local mechanism such as -.Pa /etc/passwd -or SecurID. +.Pa /etc/passwd . Default is .Dq yes . .It Cm KerberosTgtPassing @@ -465,7 +500,7 @@ Alternatively, random early drop can be enabled by specifying the three colon separated values .Dq start:rate:full -(e.g. "10:30:60"). +(e.g., "10:30:60"). .Nm will refuse connection attempts with a probabillity of .Dq rate/100 @@ -587,8 +622,14 @@ The default is .Dq yes . .It Cm Subsystem -Configures an external subsystem (e.g. file transfer daemon). -Arguments should be a subsystem name and a command to execute upon subsystem request. +Configures an external subsystem (e.g., file transfer daemon). +Arguments should be a subsystem name and a command to execute upon subsystem +request. +The command +.Xr sftp-server 8 +implements the +.Dq sftp +file transfer subsystem. By default no subsystems are defined. Note that this option applies to protocol version 2 only. .It Cm SyslogFacility @@ -1009,7 +1050,8 @@ This version of OpenSSH .Bl -bullet .It -has all components of a restrictive nature (i.e., patents) +has all components of a restrictive nature (i.e., patents, see +.Xr crypto 3 ) directly removed from the source code; any licensed or patented components are chosen from external libraries. 
@@ -1031,9 +1073,11 @@ The support for SSH protocol 2 was written by Markus Friedl. .Sh SEE ALSO .Xr scp 1 , +.Xr sftp-server 8 , .Xr ssh 1 , .Xr ssh-add 1 , .Xr ssh-agent 1 , .Xr ssh-keygen 1 , +.Xr crypto 3 , .Xr rlogin 1 , .Xr rsh 1 diff -ru openssh-2.2.0p1/sshd.c openssh-2.3.0p1/sshd.c --- openssh-2.2.0p1/sshd.c 2000-08-29 11:05:50.000000000 +1100 +++ openssh-2.3.0p1/sshd.c 2000-10-14 16:23:13.000000000 +1100 
@@ -2,26 +2,51 @@ * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * Created: Fri Mar 17 17:09:28 1995 ylo - * This program is the ssh daemon. It listens for connections from clients, and - * performs authentication, executes use commands or shell, and forwards + * This program is the ssh daemon. It listens for connections from clients, + * and performs authentication, executes use commands or shell, and forwards * information to/from the application to the user client over an encrypted - * connection. This can also handle forwarding of X11, TCP/IP, and authentication - * agent connections. + * connection. This can also handle forwarding of X11, TCP/IP, and + * authentication agent connections. * - * SSH2 implementation, - * Copyright (c) 2000 Markus Friedl. All rights reserved. + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * + * SSH2 implementation: + * + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. 
+ * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.125 2000/08/17 20:06:34 markus Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.132 2000/10/13 18:34:46 markus Exp $"); #include "xmalloc.h" #include "rsa.h" #include "ssh.h" #include "pty.h" #include "packet.h" -#include "cipher.h" #include "mpaux.h" #include "servconf.h" #include "uidswap.h" @@ -37,6 +62,7 @@ #include #include "key.h" #include "dsa.h" +#include "dh.h" #include "auth.h" #include "myproposal.h" @@ -146,6 +172,9 @@ void do_ssh1_kex(); void do_ssh2_kex(); +void ssh_dh1_server(Kex *, Buffer *_kexinit, Buffer *); +void ssh_dhgex_server(Kex *, Buffer *_kexinit, Buffer *); + /* * Close all listening sockets */ @@ -307,6 +336,10 @@ if (buf[i] == '\r') { buf[i] = '\n'; buf[i + 1] = 0; + /* Kludge for F-Secure Macintosh < 1.0.2 */ + if (i == 12 && + strncmp(buf, "SSH-1.5-W1.0", 12) == 0) + break; continue; } if (buf[i] == '\n') { 
@@ -485,8 +518,15 @@ config_file_name = optarg; break; case 'd': - debug_flag = 1; - options.log_level = SYSLOG_LEVEL_DEBUG; + if (0 == debug_flag) { + debug_flag = 1; + options.log_level = SYSLOG_LEVEL_DEBUG1; + } else if (options.log_level < SYSLOG_LEVEL_DEBUG3) { + options.log_level++; + } else { + fprintf(stderr, "Too high debugging level.\n"); + exit(1); + } break; case 'i': inetd_flag = 1; @@ -502,8 +542,10 @@ break; case 'p': options.ports_from_cmdline = 1; - if (options.num_ports >= MAX_PORTS) - fatal("too many ports.\n"); + if (options.num_ports >= MAX_PORTS) { + fprintf(stderr, "too many ports.\n"); + exit(1); + } options.ports[options.num_ports++] = atoi(optarg); break; case 'g': @@ -529,7 +571,7 @@ fprintf(stderr, "Usage: %s [options]\n", av0); fprintf(stderr, "Options:\n"); fprintf(stderr, " -f file Configuration file (default %s)\n", SERVER_CONFIG_FILE); - fprintf(stderr, " -d Debugging mode\n"); + fprintf(stderr, " -d Debugging mode (multiple -d means more debugging)\n"); fprintf(stderr, " -i Started from inetd\n"); fprintf(stderr, " -q Quiet (no logging)\n"); fprintf(stderr, " -p port Listen on the specified port (default: 22)\n"); @@ -632,6 +674,10 @@ } } +#ifdef HAVE_SCO_PROTECTED_PW + (void) set_auth_parameters(ac, av); +#endif + /* Initialize the log (it is reinitialized below in case we forked). */ if (debug_flag && !inetd_flag) log_stderr = 1; @@ -765,7 +811,7 @@ * fail if there already is a daemon, and this will * overwrite any old pid in the file. */ - f = fopen(options.pid_file, "w"); + f = fopen(options.pid_file, "wb"); if (f) { fprintf(f, "%u\n", (unsigned int) getpid()); fclose(f); @@ -1112,7 +1158,7 @@ packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN); /* Declare which ciphers we support. */ - packet_put_int(cipher_mask1()); + packet_put_int(cipher_mask_ssh1(0)); /* Declare supported authentication types. */ auth_mask = 0; 
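Review bot: `options.log_level++` in the `-d` branch relies on SYSLOG_LEVEL_DEBUG1, DEBUG2 and DEBUG3 being consecutive enum values, which nothing in the hunk states; add `/* repeated -d steps through SYSLOG_LEVEL_DEBUG1..DEBUG3, which must stay consecutive */` above the else-if. The `-p` branch now prints and exits like the `-d` error path, which is consistent, but the usage text added later in the same hunk says "multiple -d means more debugging" without mentioning the cap of three that the code enforces; `"  -d         Debugging mode (up to three -d for more debugging)\n"` matches the manual page change in this same diff.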
@@ -1153,7 +1199,7 @@ /* Get cipher type and check whether we accept this. */ cipher_type = packet_get_char(); - if (!(cipher_mask() & (1 << cipher_type))) + if (!(cipher_mask_ssh1(0) & (1 << cipher_type))) packet_disconnect("Warning: client selects unsupported cipher."); /* Get check bytes from the packet. These must match those we @@ -1224,7 +1270,7 @@ if (len < 0 || len > sizeof(session_key)) fatal("do_connection: bad len from %s: session_key_int %d > sizeof(session_key) %d", get_remote_ipaddr(), - len, sizeof(session_key)); + len, (int) sizeof(session_key)); memset(session_key, 0, sizeof(session_key)); BN_bn2bin(session_key_int, session_key + sizeof(session_key) - len); @@ -1257,18 +1303,8 @@ { Buffer *server_kexinit; Buffer *client_kexinit; - int payload_len, dlen; - int slen; - unsigned int klen, kout; - unsigned char *signature = NULL; - unsigned char *server_host_key_blob = NULL; - unsigned int sbloblen; - DH *dh; - BIGNUM *dh_client_pub = 0; - BIGNUM *shared_secret = 0; + int payload_len; int i; - unsigned char *kbuf; - unsigned char *hash; Kex *kex; char *cprop[PROPOSAL_MAX]; 
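Review bot: The rewritten cipher check still evaluates `1 << cipher_type` with cipher_type taken straight from packet_get_char(); if cipher_type is an int (its declaration is outside the hunk), any value of 32 or more makes the shift undefined behaviour rather than a rejected cipher, so a malformed client message reaches UB before packet_disconnect() runs. Guard the range first: `if (cipher_type < 0 || cipher_type >= 32 || !(cipher_mask_ssh1(0) & (1 << cipher_type)))`. If cipher_type turns out to be an unsigned type the `< 0` half is redundant but harmless.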
@@ -1288,8 +1324,63 @@ for (i = 0; i < PROPOSAL_MAX; i++) xfree(cprop[i]); -/* KEXDH */ + switch (kex->kex_type) { + case DH_GRP1_SHA1: + ssh_dh1_server(kex, client_kexinit, server_kexinit); + break; + case DH_GEX_SHA1: + ssh_dhgex_server(kex, client_kexinit, server_kexinit); + break; + default: + fatal("Unsupported key exchange %d", kex->kex_type); + } + + debug("send SSH2_MSG_NEWKEYS."); + packet_start(SSH2_MSG_NEWKEYS); + packet_send(); + packet_write_wait(); + debug("done: send SSH2_MSG_NEWKEYS."); + debug("Wait SSH2_MSG_NEWKEYS."); + packet_read_expect(&payload_len, SSH2_MSG_NEWKEYS); + debug("GOT SSH2_MSG_NEWKEYS."); + +#ifdef DEBUG_KEXDH + /* send 1st encrypted/maced/compressed message */ + packet_start(SSH2_MSG_IGNORE); + packet_put_cstring("markus"); + packet_send(); + packet_write_wait(); +#endif + + debug("done: KEX2."); +} + +/* + * SSH2 key exchange + */ + +/* diffie-hellman-group1-sha1 */ + +void +ssh_dh1_server(Kex *kex, Buffer *client_kexinit, Buffer *server_kexinit) +{ +#ifdef DEBUG_KEXDH + int i; +#endif + int payload_len, dlen; + int slen; + unsigned char *signature = NULL; + unsigned char *server_host_key_blob = NULL; + unsigned int sbloblen; + unsigned int klen, kout; + unsigned char *kbuf; + unsigned char *hash; + BIGNUM *shared_secret = 0; + DH *dh; + BIGNUM *dh_client_pub = 0; + +/* KEXDH */ debug("Wait SSH2_MSG_KEXDH_INIT."); packet_read_expect(&payload_len, SSH2_MSG_KEXDH_INIT); @@ -1301,7 +1392,7 @@ #ifdef DEBUG_KEXDH fprintf(stderr, "\ndh_client_pub= "); - bignum_print(dh_client_pub); + BN_print_fp(stderr, dh_client_pub); fprintf(stderr, "\n"); debug("bits %d", BN_num_bits(dh_client_pub)); #endif 
@@ -1311,12 +1402,13 @@ #ifdef DEBUG_KEXDH fprintf(stderr, "\np= "); - bignum_print(dh->p); + BN_print_fp(stderr, dh->p); fprintf(stderr, "\ng= "); - bignum_print(dh->g); + bn_print(dh->g); fprintf(stderr, "\npub= "); - bignum_print(dh->pub_key); + BN_print_fp(stderr, dh->pub_key); fprintf(stderr, "\n"); + DHparams_print_fp(stderr, dh); #endif if (!dh_pub_is_valid(dh, dh_client_pub)) packet_disconnect("bad client public DH value"); @@ -1339,7 +1431,8 @@ xfree(kbuf); /* XXX precompute? */ - dsa_make_key_blob(sensitive_data.dsa_host_key, &server_host_key_blob, &sbloblen); + dsa_make_key_blob(sensitive_data.dsa_host_key, + &server_host_key_blob, &sbloblen); /* calc H */ /* XXX depends on 'kex' */ hash = kex_hash( 
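Review bot: In the DEBUG_KEXDH block `g` is printed with `bn_print(dh->g)` while p and pub_key use `BN_print_fp(stderr, ...)`, and the same asymmetry is copied into ssh_dhgex_server's debug block in the next hunk; unless bn_print is declared somewhere not visible here, a DEBUG_KEXDH build will not link. Use `BN_print_fp(stderr, dh->g);` in both places. The `DHparams_print_fp(stderr, dh)` added right after already dumps p and g, so the individual prints of those two could be dropped instead.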
@@ -1389,23 +1482,139 @@ /* have keys, free DH */ DH_free(dh); +} - debug("send SSH2_MSG_NEWKEYS."); - packet_start(SSH2_MSG_NEWKEYS); +/* diffie-hellman-group-exchange-sha1 */ + +void +ssh_dhgex_server(Kex *kex, Buffer *client_kexinit, Buffer *server_kexinit) +{ +#ifdef DEBUG_KEXDH + int i; +#endif + int payload_len, dlen; + int slen, nbits; + unsigned char *signature = NULL; + unsigned char *server_host_key_blob = NULL; + unsigned int sbloblen; + unsigned int klen, kout; + unsigned char *kbuf; + unsigned char *hash; + BIGNUM *shared_secret = 0; + DH *dh; + BIGNUM *dh_client_pub = 0; + +/* KEXDHGEX */ + debug("Wait SSH2_MSG_KEX_DH_GEX_REQUEST."); + packet_read_expect(&payload_len, SSH2_MSG_KEX_DH_GEX_REQUEST); + nbits = packet_get_int(); + dh = choose_dh(nbits); + + debug("Sending SSH2_MSG_KEX_DH_GEX_GROUP."); + packet_start(SSH2_MSG_KEX_DH_GEX_GROUP); + packet_put_bignum2(dh->p); + packet_put_bignum2(dh->g); packet_send(); packet_write_wait(); - debug("done: send SSH2_MSG_NEWKEYS."); - debug("Wait SSH2_MSG_NEWKEYS."); - packet_read_expect(&payload_len, SSH2_MSG_NEWKEYS); - debug("GOT SSH2_MSG_NEWKEYS."); + debug("Wait SSH2_MSG_KEX_DH_GEX_INIT."); + packet_read_expect(&payload_len, SSH2_MSG_KEX_DH_GEX_INIT); + + /* key, cert */ + dh_client_pub = BN_new(); + if (dh_client_pub == NULL) + fatal("dh_client_pub == NULL"); + packet_get_bignum2(dh_client_pub, &dlen); #ifdef DEBUG_KEXDH - /* send 1st encrypted/maced/compressed message */ - packet_start(SSH2_MSG_IGNORE); - packet_put_cstring("markus"); + fprintf(stderr, "\ndh_client_pub= "); + BN_print_fp(stderr, dh_client_pub); + fprintf(stderr, "\n"); + debug("bits %d", BN_num_bits(dh_client_pub)); +#endif + +#ifdef DEBUG_KEXDH + fprintf(stderr, "\np= "); + BN_print_fp(stderr, dh->p); + fprintf(stderr, "\ng= "); + bn_print(dh->g); + fprintf(stderr, "\npub= "); + BN_print_fp(stderr, dh->pub_key); + fprintf(stderr, "\n"); + DHparams_print_fp(stderr, dh); +#endif + if (!dh_pub_is_valid(dh, dh_client_pub)) + 
packet_disconnect("bad client public DH value"); + + klen = DH_size(dh); + kbuf = xmalloc(klen); + kout = DH_compute_key(kbuf, dh_client_pub, dh); + +#ifdef DEBUG_KEXDH + debug("shared secret: len %d/%d", klen, kout); + fprintf(stderr, "shared secret == "); + for (i = 0; i< kout; i++) + fprintf(stderr, "%02x", (kbuf[i])&0xff); + fprintf(stderr, "\n"); +#endif + shared_secret = BN_new(); + + BN_bin2bn(kbuf, kout, shared_secret); + memset(kbuf, 0, klen); + xfree(kbuf); + + /* XXX precompute? */ + dsa_make_key_blob(sensitive_data.dsa_host_key, + &server_host_key_blob, &sbloblen); + + /* calc H */ /* XXX depends on 'kex' */ + hash = kex_hash_gex( + client_version_string, + server_version_string, + buffer_ptr(client_kexinit), buffer_len(client_kexinit), + buffer_ptr(server_kexinit), buffer_len(server_kexinit), + (char *)server_host_key_blob, sbloblen, + nbits, dh->p, dh->g, + dh_client_pub, + dh->pub_key, + shared_secret + ); + buffer_free(client_kexinit); + buffer_free(server_kexinit); + xfree(client_kexinit); + xfree(server_kexinit); +#ifdef DEBUG_KEXDH + fprintf(stderr, "hash == "); + for (i = 0; i< 20; i++) + fprintf(stderr, "%02x", (hash[i])&0xff); + fprintf(stderr, "\n"); +#endif + /* save session id := H */ + /* XXX hashlen depends on KEX */ + session_id2_len = 20; + session_id2 = xmalloc(session_id2_len); + memcpy(session_id2, hash, session_id2_len); + + /* sign H */ + /* XXX hashlen depends on KEX */ + dsa_sign(sensitive_data.dsa_host_key, &signature, &slen, hash, 20); + + destroy_sensitive_data(); + + /* send server hostkey, DH pubkey 'f' and singed H */ + packet_start(SSH2_MSG_KEX_DH_GEX_REPLY); + packet_put_string((char *)server_host_key_blob, sbloblen); + packet_put_bignum2(dh->pub_key); /* f */ + packet_put_string((char *)signature, slen); packet_send(); + xfree(signature); + xfree(server_host_key_blob); packet_write_wait(); -#endif - debug("done: KEX2."); + + kex_derive_keys(kex, hash, shared_secret); + packet_set_kex(kex); + + /* have keys, free DH */ + 
DH_free(dh); } + diff -ru openssh-2.2.0p1/sshd_config openssh-2.3.0p1/sshd_config --- openssh-2.2.0p1/sshd_config 2000-08-30 09:40:09.000000000 +1100 +++ openssh-2.3.0p1/sshd_config 2000-10-14 16:23:13.000000000 +1100 @@ -37,6 +37,7 @@ PermitEmptyPasswords no # Uncomment to disable s/key passwords #SkeyAuthentication no +#KbdInteractiveAuthentication yes # To change Kerberos options #KerberosAuthentication no @@ -50,5 +51,6 @@ CheckMail no #UseLogin no -#Subsystem sftp /usr/local/sbin/sftpd +# Uncomment if you want to enable sftp +#Subsystem sftp /usr/libexec/sftp-server #MaxStartups 10:30:60 diff -ru openssh-2.2.0p1/tildexpand.c openssh-2.3.0p1/tildexpand.c --- openssh-2.2.0p1/tildexpand.c 2000-06-22 21:32:32.000000000 +1000 +++ openssh-2.3.0p1/tildexpand.c 2000-09-16 13:29:11.000000000 +1100 @@ -2,11 +2,16 @@ * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * Created: Wed Jul 12 01:07:36 1995 ylo + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". */ #include "includes.h" -RCSID("$OpenBSD: tildexpand.c,v 1.7 2000/06/20 01:39:45 markus Exp $"); +RCSID("$OpenBSD: tildexpand.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $"); #include "xmalloc.h" #include "ssh.h" diff -ru openssh-2.2.0p1/ttymodes.c openssh-2.3.0p1/ttymodes.c --- openssh-2.2.0p1/ttymodes.c 2000-06-22 21:32:32.000000000 +1000 +++ openssh-2.3.0p1/ttymodes.c 2000-09-16 13:29:11.000000000 +1100 
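Review bot: `kout = DH_compute_key(kbuf, dh_client_pub, dh);` stores a result that is -1 on failure into the `unsigned int kout`, so a failed computation becomes a huge length passed to `BN_bin2bn(kbuf, kout, shared_secret)` and a read far past kbuf; declare `int kout;` and add `if (kout < 0) fatal("DH_compute_key failed");` before the BN_bin2bn call (the group1 path in ssh_dh1_server has the same shape outside this hunk). `nbits = packet_get_int();` is client-controlled and handed to choose_dh() with no range check and no NULL check on the returned `dh` before `dh->p` is dereferenced; a bounds test on nbits against the minimum and maximum the project's group table supports, plus `if (dh == NULL) fatal("no DH group for %d bits", nbits);`, belongs right after that line. `shared_secret = BN_new();` is also unchecked while `dh_client_pub = BN_new();` a few lines above is, and the comment `/* send server hostkey, DH pubkey 'f' and singed H */` should read "signed".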
@@ -2,15 +2,20 @@
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
- * Created: Tue Mar 21 15:59:15 1995 ylo
 * Encoding and decoding of terminal modes in a portable way.
 * Much of the format is defined in ttymodes.h; it is included multiple times
 * into this file with the appropriate macro definitions to generate the
 * suitable code.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose. Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
 */
 #include "includes.h"
-RCSID("$OpenBSD: ttymodes.c,v 1.7 2000/06/20 01:39:45 markus Exp $");
+RCSID("$OpenBSD: ttymodes.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $");
 #include "packet.h"
 #include "ssh.h"
diff -ru openssh-2.2.0p1/ttymodes.h openssh-2.3.0p1/ttymodes.h
--- openssh-2.2.0p1/ttymodes.h 2000-06-22 21:32:32.000000000 +1000
+++ openssh-2.3.0p1/ttymodes.h 2000-09-16 13:29:11.000000000 +1100
@@ -1,18 +1,17 @@
 /*
- *
- * ttymodes.h
- *
 * Author: Tatu Ylonen
 * SGTTY stuff contributed by Janne Snabb
- *
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
 *
- * Created: Tue Mar 21 15:42:09 1995 ylo
- *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose. Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
 */
-/* RCSID("$OpenBSD: ttymodes.h,v 1.8 2000/06/20 01:39:45 markus Exp $"); */
+/* RCSID("$OpenBSD: ttymodes.h,v 1.9 2000/09/07 20:27:55 deraadt Exp $"); */
 /* The tty mode description is a stream of bytes. The stream consists of
 * opcode-arguments pairs. It is terminated by opcode TTY_OP_END (0).
diff -ru openssh-2.2.0p1/uidswap.c openssh-2.3.0p1/uidswap.c
--- openssh-2.2.0p1/uidswap.c 2000-08-29 11:33:51.000000000 +1100
+++ openssh-2.3.0p1/uidswap.c 2000-09-16 13:29:11.000000000 +1100
@@ -2,12 +2,17 @@
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
- * Created: Sat Sep 9 01:56:14 1995 ylo
 * Code for uid-swapping.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose. Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
 */
 #include "includes.h"
-RCSID("$OpenBSD: uidswap.c,v 1.8 2000/08/28 03:50:54 deraadt Exp $");
+RCSID("$OpenBSD: uidswap.c,v 1.9 2000/09/07 20:27:55 deraadt Exp $");
 #include "ssh.h"
 #include "uidswap.h"
diff -ru openssh-2.2.0p1/uidswap.h openssh-2.3.0p1/uidswap.h
--- openssh-2.2.0p1/uidswap.h 2000-04-16 11:18:49.000000000 +1000
+++ openssh-2.3.0p1/uidswap.h 2000-09-16 13:29:11.000000000 +1100
@@ -1,15 +1,13 @@
 /*
- *
- * uidswap.h
- *
 * Author: Tatu Ylonen
- *
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
 *
- * Created: Sat Sep 9 01:43:15 1995 ylo
- * Last modified: Sat Sep 9 02:34:04 1995 ylo
- *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose. Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
 */
 #ifndef UIDSWAP_H
diff -ru openssh-2.2.0p1/util.c openssh-2.3.0p1/util.c
--- openssh-2.2.0p1/util.c 2000-08-29 11:33:51.000000000 +1100
+++ openssh-2.3.0p1/util.c 2000-10-28 14:19:58.000000000 +1100
@@ -1,5 +1,31 @@
+/* $OpenBSD: util.c,v 1.6 2000/10/27 07:32:19 markus Exp $ */
+
+/*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
 #include "includes.h"
-RCSID("$OpenBSD: util.c,v 1.4 2000/08/28 20:23:37 markus Exp $");
+RCSID("$OpenBSD: util.c,v 1.6 2000/10/27 07:32:19 markus Exp $");
 #include "ssh.h"
@@ -22,18 +48,15 @@
 set_nonblock(int fd)
 {
 int val;
- if (isatty(fd)) {
- /* do not mess with tty's */
- debug("no set_nonblock for tty fd %d", fd);
- return;
- }
 val = fcntl(fd, F_GETFL, 0);
 if (val < 0) {
 error("fcntl(%d, F_GETFL, 0): %s", fd, strerror(errno));
 return;
 }
- if (val & O_NONBLOCK)
+ if (val & O_NONBLOCK) {
+ debug("fd %d IS O_NONBLOCK", fd);
 return;
+ }
 debug("fd %d setting O_NONBLOCK", fd);
 val |= O_NONBLOCK;
 if (fcntl(fd, F_SETFL, val) == -1)
diff -ru openssh-2.2.0p1/uuencode.c openssh-2.3.0p1/uuencode.c
--- openssh-2.2.0p1/uuencode.c 2000-06-23 10:16:39.000000000 +1000
+++ openssh-2.3.0p1/uuencode.c 2000-09-16 13:29:11.000000000 +1100
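Review bot: With the isatty() guard removed, set_nonblock now sets O_NONBLOCK on a tty's open file description as well, and file status flags belong to that description rather than to the descriptor, so every other fd that shares it (a dup, a forked child holding the same tty) starts getting non-blocking reads too; a one-line comment where the guard used to be, `/* O_NONBLOCK is a property of the open file description, so any other fd sharing it (ttys included) sees it as well */`, would record that this is intended rather than an oversight. The new `debug("fd %d IS O_NONBLOCK", fd);` is also the only message in the function that does not name an action; `debug("fd %d already O_NONBLOCK", fd);` reads consistently with the `setting O_NONBLOCK` message two lines below. The F_SETFL error branch and the rest of set_nonblock continue past the end of the hunk.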
@@ -1,10 +1,33 @@
+/* $OpenBSD: uuencode.c,v 1.7 2000/09/07 20:27:55 deraadt Exp $ */
+
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
+
 #include "includes.h"
 #include "xmalloc.h"
-RCSID("$OpenBSD: uuencode.c,v 1.6 2000/06/22 23:55:00 djm Exp $");
+RCSID("$OpenBSD: uuencode.c,v 1.7 2000/09/07 20:27:55 deraadt Exp $");
 int uuencode(unsigned char *src, unsigned int srclength,
diff -ru openssh-2.2.0p1/uuencode.h openssh-2.3.0p1/uuencode.h
--- openssh-2.2.0p1/uuencode.h 2000-05-07 12:03:21.000000000 +1000
+++ openssh-2.3.0p1/uuencode.h 2000-09-16 13:29:11.000000000 +1100
@@ -1,3 +1,27 @@
+/*
+ * Copyright (c) 1999 Markus Friedl. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
 #ifndef UUENCODE_H
 #define UUENCODE_H
 int uuencode(unsigned char *src, unsigned int srclength, char *target, size_t targsize);
diff -ru openssh-2.2.0p1/version.h openssh-2.3.0p1/version.h
--- openssh-2.2.0p1/version.h 2000-08-31 11:13:10.000000000 +1100
+++ openssh-2.3.0p1/version.h 2000-11-06 12:39:34.000000000 +1100
@@ -1 +1,3 @@
-#define SSH_VERSION "OpenSSH_2.2.0p1"
+/* $OpenBSD: version.h,v 1.13 2000/10/16 09:38:45 djm Exp $ */
+
+#define SSH_VERSION "OpenSSH_2.3.0p1"
diff -ru openssh-2.2.0p1/xmalloc.c openssh-2.3.0p1/xmalloc.c
--- openssh-2.2.0p1/xmalloc.c 2000-06-22 21:32:32.000000000 +1000
+++ openssh-2.3.0p1/xmalloc.c 2000-09-16 13:29:11.000000000 +1100
@@ -2,13 +2,18 @@
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
- * Created: Mon Mar 20 21:23:10 1995 ylo
 * Versions of malloc and friends that check their results, and never return
 * failure (they call fatal if they encounter an error).
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose. Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
 */
 #include "includes.h"
-RCSID("$OpenBSD: xmalloc.c,v 1.7 2000/06/20 01:39:45 markus Exp $");
+RCSID("$OpenBSD: xmalloc.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $");
 #include "ssh.h"
diff -ru openssh-2.2.0p1/xmalloc.h openssh-2.3.0p1/xmalloc.h
--- openssh-2.2.0p1/xmalloc.h 2000-06-22 21:32:32.000000000 +1000
+++ openssh-2.3.0p1/xmalloc.h 2000-09-16 13:29:11.000000000 +1100
@@ -1,20 +1,20 @@
 /*
- *
- * xmalloc.h
- *
 * Author: Tatu Ylonen
- *
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
- *
 * Created: Mon Mar 20 22:09:17 1995 ylo
 *
 * Versions of malloc and friends that check their results, and never return
 * failure (they call fatal if they encounter an error).
 *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose. Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
 */
-/* RCSID("$OpenBSD: xmalloc.h,v 1.4 2000/06/20 01:39:45 markus Exp $"); */
+/* RCSID("$OpenBSD: xmalloc.h,v 1.5 2000/09/07 20:27:56 deraadt Exp $"); */
 #ifndef XMALLOC_H
 #define XMALLOC_H