Only in openssh-2.3.0p1: COPYING.Ylonen diff -ru openssh-2.3.0p1/CREDITS openssh-2.5.1p1/CREDITS --- openssh-2.3.0p1/CREDITS 2000-10-28 13:30:55.000000000 +1100 +++ openssh-2.5.1p1/CREDITS 2001-02-09 12:55:35.000000000 +1100 @@ -8,11 +8,12 @@ Andre Lucas - new login code, many fixes Andreas Steinmetz - Shadow password expiry support Andrew McGill - SCO fixes +Andrew Morgan - PAM bugfixes Andrew Stribblehill - Bugfixes Andy Sloane - bugfixes Aran Cox - SCO bugfixes Arkadiusz Miskiewicz - IPv6 compat fixes -Ben Lindstrom - NeXT support +Ben Lindstrom - NeXT support Ben Taylor - Solaris debugging and fixes Bratislav ILICH - Configure fix Charles Levert - SunOS 4 & bug fixes @@ -34,21 +35,21 @@ Gary E. Miller - SCO support Ged Lodder - HPUX fixes and enhancements Gert Doering - bug and portability fixes -HARUYAMA Seigo - Translations & doc fixes +HARUYAMA Seigo - Translations & doc fixes Hideaki YOSHIFUJI - IPv6 and bug fixes Hiroshi Takekawa - Configure fixes Holger Trapp - KRB4/AFS config patch IWAMURO Motonori - bugfixes Jani Hakala - Patches Jarno Huuskonen - Bugfixes -Jim Knoble - Many patches +Jim Knoble - Many patches Jonchen (email unknown) - the original author of PAM support of SSH Juergen Keil - scp bugfixing KAMAHARA Junzo - Configure fixes Kees Cook - scp fixes Kenji Miyake - Configure fixes Kevin O'Connor - RSAless operation -Kevin Steves - HP support, bugfixes, improvements +Kevin Steves - HP support, bugfixes, improvements Kiyokazu SUTO - Bugfixes Larry Jones - Bugfixes Lutz Jaenicke - Bugfixes @@ -85,3 +86,6 @@ Apologies to anyone I have missed. Damien Miller + +$Id: CREDITS,v 1.61 2001/02/09 01:55:35 djm Exp $ + diff -ru openssh-2.3.0p1/ChangeLog openssh-2.5.1p1/ChangeLog --- openssh-2.3.0p1/ChangeLog 2000-11-06 14:17:38.000000000 +1100 +++ openssh-2.5.1p1/ChangeLog 2001-02-19 21:51:49.000000000 +1100 
@@ -1,13 +1,1494 @@ +20010219 + - (bal) Markus' blessing to rename login.[ch] -> sshlogin.[ch] and + pty.[ch] -> sshpty.[ch] + - (djm) Rework search for OpenSSL location. Skip directories which don't + exist, don't add -L$ssldir/lib if it doesn't exist. Should help SCO + with its limit of 6 -L options. + - OpenBSD CVS Sync: + - reinhard@cvs.openbsd.org 2001/02/17 08:24:40 + [sftp.1] + typo + - deraadt@cvs.openbsd.org 2001/02/17 16:28:58 + [ssh.c] + cleanup -V output; noted by millert + - deraadt@cvs.openbsd.org 2001/02/17 16:48:48 + [sshd.8] + it's the OpenSSH one + - markus@cvs.openbsd.org 2001/02/18 11:33:54 + [dispatch.c] + typo, SSH2_MSG_KEXINIT, from aspa@kronodoc.fi + - markus@cvs.openbsd.org 2001/02/19 02:53:32 + [compat.c compat.h serverloop.c] + ssh-1.2.{18-22} has broken handling of ignore messages; report from + itojun@ + - markus@cvs.openbsd.org 2001/02/19 03:35:23 + [version.h] + OpenSSH_2.5.1 adds bug compat with 1.2.{18-22} + - deraadt@cvs.openbsd.org 2001/02/19 03:36:25 + [scp.c] + np is changed by recursion; vinschen@redhat.com + - Update versions in RPM spec files + - Release 2.5.1p1 + +20010218 + - (bal) Patch for fix FCHMOD reference in ftp-client.c by Tim Rice + + - (Bal) Patch for lack of RA_RESTART in misc.c for mysignal by + stevesk + - (djm) Fix my breaking of cygwin builds, Patch from Corinna Vinschen + and myself. + - (djm) Close listen_sock on bind() failures. Patch from Arkadiusz + Miskiewicz + - (djm) Robustify EGD/PRNGd code in face of socket closures. Patch from + Todd C. Miller + - (djm) Use ttyname() to determine name of tty returned by openpty() + rather then risking overflow. Patch from Marek Michalkiewicz + + - (djm) Swapped tests for no_libsocket and no_libnsl in configure.in. + Patch from Marek Michalkiewicz + - (djm) Doc fixes from Pekka Savola + - (djm) Use SA_INTERRUPT along SA_RESTART if present (equivalent for + SunOS) + - (djm) SCO needs librpc for libwrap. 
Patch from Tim Rice + + - (stevesk) misc.c: cpp rework of SA_(INTERRUPT|RESTART) handling. + - (stevesk) scp.c: use mysignal() for updateprogressmeter() handler. + - (djm) SA_INTERRUPT is the converse of SA_RESTART, apply it only for + SIGALRM. + - (djm) Move entropy.c over to mysignal() + - (djm) SunOS 4.x also needs to define HAVE_BOGUS_SYS_QUEUE_H as it has + a that lacks the TAILQ_* macros. Patch from Todd C. + Miller + - (djm) Update RPM spec files for 2.5.0p1 + - (djm) Merge BSD_AUTH support from Markus Friedl and David J. MacKenzie + enable with --with-bsd-auth. + - (stevesk) entropy.c: typo; should be SIGPIPE + +20010217 + - (bal) OpenBSD Sync: + - markus@cvs.openbsd.org 2001/02/16 13:38:18 + [channel.c] + remove debug + - markus@cvs.openbsd.org 2001/02/16 14:03:43 + [session.c] + proper payload-length check for x11 w/o screen-number + +20010216 + - (bal) added '--with-prce' to allow overriding of system regex when + required (tested by David Dulek ) + - (bal) Added DG/UX case and set that they have a broken IPTOS. + - (djm) Mini-configure reorder patch from Tim Rice + Fixes linking on SCO. + - (djm) Make gnome-ssh-askpass handle multi-line prompts. Patch from + Nalin Dahyabhai + - (djm) BSD license for gnome-ssh-askpass (was X11) + - (djm) KNF on gnome-ssh-askpass + - (djm) USE_PIPES for a few more sysv platforms + - (djm) Cleanup configure.in a little + - (djm) Ask users to check config.log when we can't find necessary libs + - (djm) Set "login ID" on systems with setluid. Only enabled for SCO + OpenServer for now. Based on patch from svaughan + - (djm) OpenBSD CVS: + - markus@cvs.openbsd.org 2001/02/15 16:19:59 + [channels.c channels.h serverloop.c sshconnect.c sshconnect.h] + [sshconnect1.c sshconnect2.c] + genericize password padding function for SSH1 and SSH2. + add stylized echo to 2, too. + - (djm) Add roundup() macro to defines.h + - (stevesk) set SA_RESTART flag in mysignal() for SIGCHLD; + needed on Unixware 2.x. 
+ +20010215 + - (djm) Move PAM session setup back to before setuid to user. Fixes + problems on Solaris-derived PAMs. + - (djm) Clean up PAM namespace. Suggested by Darren Moffat + + - (bal) Sync w/ OpenSSH for new release + - markus@cvs.openbsd.org 2001/02/12 12:45:06 + [sshconnect1.c] + fix xmalloc(0), ok dugsong@ + - markus@cvs.openbsd.org 2001/02/11 12:59:25 + [Makefile.in sshd.8 sshconnect2.c readconf.h readconf.c packet.c + sshd.c ssh.c ssh.1 servconf.h servconf.c myproposal.h kex.h kex.c] + 1) clean up the MAC support for SSH-2 + 2) allow you to specify the MAC with 'ssh -m' + 3) or the 'MACs' keyword in ssh(d)_config + 4) add hmac-{md5,sha1}-96 + ok stevesk@, provos@ + - markus@cvs.openbsd.org 2001/02/12 16:16:23 + [auth-passwd.c auth.c auth.h auth1.c auth2.c servconf.c servconf.h + ssh-keygen.c sshd.8] + PermitRootLogin={yes,without-password,forced-commands-only,no} + (before this change, root could login even if PermitRootLogin==no) + - deraadt@cvs.openbsd.org 2001/02/12 22:56:09 + [clientloop.c packet.c ssh-keyscan.c] + deal with EAGAIN/EINTR selects which were skipped + - markus@cvs.openssh.org 2001/02/13 22:49:40 + [auth1.c auth2.c] + setproctitle(user) only if getpwnam succeeds + - markus@cvs.openbsd.org 2001/02/12 23:26:20 + [sshd.c] + missing memset; from solar@openwall.com + - stevesk@cvs.openbsd.org 2001/02/12 20:53:33 + [sftp-int.c] + lumask now works with 1 numeric arg; ok markus@, djm@ + - djm@cvs.openbsd.org 2001/02/14 9:46:03 + [sftp-client.c sftp-int.c sftp.1] + Fix and document 'preserve modes & times' option ('-p' flag in sftp); + ok markus@ + - (bal) replaced PATH_MAX in sftp-int.c w/ MAXPATHLEN. + - (djm) Move to Jim's 1.2.0 X11 askpass program + - (stevesk) OpenBSD sync: + - deraadt@cvs.openbsd.org 2001/02/15 01:38:04 + [serverloop.c] + indent + +20010214 + - (djm) Don't try to close PAM session or delete credentials if the + session has not been open or credentials not set. 
Based on patch from + Andrew Bartlett + - (djm) Move PAM session initialisation until after fork in sshd. Patch + from Nalin Dahyabhai + - (bal) Missing function prototype in bsd-snprintf.c patch by + Mark Miller + - (djm) Split out and improve OSF SIA auth code. Patch from Chris Adams + with a little modification and KNF. + - (stevesk) fix for SIA patch, misplaced session_setup_sia() + +20010213 + - (djm) Only test -S potential EGD sockets if they exist and are readable. + - (bal) Cleaned out bsd-snprintf.c. VARARGS have been banished and + I did a base KNF over the whe whole file to make it more acceptable. + (backed out of original patch and removed it from ChangeLog) + - (bal) Use chown() if fchown() does not exist in ftp-server.c patch by + Tim Rice + - (stevesk) auth1.c: fix PAM passwordless check. + +20010212 + - (djm) Update Redhat specfile to allow --define "skip_x11_askpass 1", + --define "skip_gnome_askpass 1", --define "rh7 1" and make the + implicit rpm-3.0.5 dependancy explicit. Patch and suggestions from + Pekka Savola + - (djm) Clean up PCRE text in INSTALL + - (djm) Fix OSF SIA auth NULL pointer deref. Report from Mike Battersby + + - (bal) NCR SVR4 compatiblity provide by Don Bragg + - (stevesk) session.c: remove debugging code. 
+ +20010211 + - (bal) OpenBSD Sync + - markus@cvs.openbsd.org 2001/02/07 22:35:46 + [auth1.c auth2.c sshd.c] + move k_setpag() to a central place; ok dugsong@ + - markus@cvs.openbsd.org 2001/02/10 12:52:02 + [auth2.c] + offer passwd before s/key + - markus@cvs.openbsd.org 2001/02/8 22:37:10 + [canohost.c] + remove last call to sprintf; ok deraadt@ + - markus@cvs.openbsd.org 2001/02/10 1:33:32 + [canohost.c] + add debug message, since sshd blocks here if DNS is not available + - markus@cvs.openbsd.org 2001/02/10 12:44:02 + [cli.c] + don't call vis() for \r + - danh@cvs.openbsd.org 2001/02/10 0:12:43 + [scp.c] + revert a small change to allow -r option to work again; ok deraadt@ + - danh@cvs.openbsd.org 2001/02/10 15:14:11 + [scp.c] + fix memory leak; ok markus@ + - djm@cvs.openbsd.org 2001/02/10 0:45:52 + [scp.1] + Mention that you can quote pathnames with spaces in them + - markus@cvs.openbsd.org 2001/02/10 1:46:28 + [ssh.c] + remove mapping of argv[0] -> hostname + - markus@cvs.openbsd.org 2001/02/06 22:26:17 + [sshconnect2.c] + do not ask for passphrase in batch mode; report from ejb@ql.org + - itojun@cvs.opebsd.org 2001/02/08 10:47:05 + [sshconnect.c sshconnect1.c sshconnect2.c] + %.30s is too short for IPv6 numeric address. use %.128s for now. 
+ markus ok + - markus@cvs.openbsd.org 2001/02/09 12:28:35 + [sshconnect2.c] + do not free twice, thanks to /etc/malloc.conf + - markus@cvs.openbsd.org 2001/02/09 17:10:53 + [sshconnect2.c] + partial success: debug->log; "Permission denied" if no more auth methods + - markus@cvs.openbsd.org 2001/02/10 12:09:21 + [sshconnect2.c] + remove some lines + - markus@cvs.openbsd.org 2001/02/09 13:38:07 + [auth-options.c] + reset options if no option is given; from han.holl@prismant.nl + - markus@cvs.openbsd.org 2001/02/08 21:58:28 + [channels.c] + nuke sprintf, ok deraadt@ + - markus@cvs.openbsd.org 2001/02/08 21:58:28 + [channels.c] + nuke sprintf, ok deraadt@ + - markus@cvs.openbsd.org 2001/02/06 22:43:02 + [clientloop.h] + remove confusing callback code + - deraadt@cvs.openbsd.org 2001/02/08 14:39:36 + [readconf.c] + snprintf + - itojun@cvs.openbsd.org 2001/02/08 19:30:52 + sync with netbsd tree changes. + - more strict prototypes, include necessary headers + - use paths.h/pathnames.h decls + - size_t typecase to int -> u_long + - itojun@cvs.openbsd.org 2001/02/07 18:04:50 + [ssh-keyscan.c] + fix size_t -> int cast (use u_long). markus ok + - markus@cvs.openbsd.org 2001/02/07 22:43:16 + [ssh-keyscan.c] + s/getline/Linebuf_getline/; from roumen.petrov@skalasoft.com + - itojun@cvs.openbsd.org 2001/02/09 9:04:59 + [ssh-keyscan.c] + do not assume malloc() returns zero-filled region. found by + malloc.conf=AJ. + - markus@cvs.openbsd.org 2001/02/08 22:35:30 + [sshconnect.c] + don't connect if batch_mode is true and stricthostkeychecking set to + 'ask' + - djm@cvs.openbsd.org 2001/02/04 21:26:07 + [sshd_config] + type: ok markus@ + - deraadt@cvs.openbsd.org 2001/02/06 22:07:50 + [sshd_config] + enable sftp-server by default + - deraadt 2001/02/07 8:57:26 + [xmalloc.c] + deal with new ANSI malloc stuff + - markus@cvs.openbsd.org 2001/02/07 16:46:08 + [xmalloc.c] + typo in fatal() + - itojun@cvs.openbsd.org 2001/02/07 18:04:50 + [xmalloc.c] + fix size_t -> int cast (use u_long). 
markus ok + - 1.47 Thu Feb 8 23:11:42 GMT 2001 by dugsong + [serverloop.c sshconnect1.c] + mitigate SSH1 traffic analysis - from Solar Designer + , ok provos@ + - (bal) fixed sftp-client.c. Return 'status' instead of '0' + (from the OpenBSD tree) + - (bal) Synced ssh.1, ssh-add.1 and sshd.8 w/ OpenBSD + - (bal) sftp-sever.c '%8lld' to '%8llu' (OpenBSD Sync) + - (bal) uuencode.c resync w/ OpenBSD tree, plus whitespace. + - (bal) A bit more whitespace cleanup + - (djm) Set PAM_RHOST earlier, patch from Andrew Bartlett + + - (stevesk) misc.c: ssh.h not needed. + - (stevesk) compat.c: more friendly cpp error + - (stevesk) OpenBSD sync: + - stevesk@cvs.openbsd.org 2001/02/11 06:15:57 + [LICENSE] + typos and small cleanup; ok deraadt@ + +20010210 + - (djm) Sync sftp and scp stuff from OpenBSD: + - djm@cvs.openbsd.org 2001/02/07 03:55:13 + [sftp-client.c] + Don't free handles before we are done with them. Based on work from + Corinna Vinschen . ok markus@ + - djm@cvs.openbsd.org 2001/02/06 22:32:53 + [sftp.1] + Punctuation fix from Pekka Savola + - deraadt@cvs.openbsd.org 2001/02/07 04:07:29 + [sftp.1] + pretty up significantly + - itojun@cvs.openbsd.org 2001/02/07 06:49:42 + [sftp.1] + .Bl-.El mismatch. markus ok + - djm@cvs.openbsd.org 2001/02/07 06:12:30 + [sftp-int.c] + Check that target is a directory before doing ls; ok markus@ + - itojun@cvs.openbsd.org 2001/02/07 11:01:18 + [scp.c sftp-client.c sftp-server.c] + unsigned long long -> %llu, not %qu. markus ok + - stevesk@cvs.openbsd.org 2001/02/07 11:10:39 + [sftp.1 sftp-int.c] + more man page cleanup and sync of help text with man page; ok markus@ + - markus@cvs.openbsd.org 2001/02/07 14:58:34 + [sftp-client.c] + older servers reply with SSH2_FXP_NAME + count==0 instead of EOF + - djm@cvs.openbsd.org 2001/02/07 15:27:19 + [sftp.c] + Don't forward agent and X11 in sftp. 
Suggestion from Roumen Petrov + + - stevesk@cvs.openbsd.org 2001/02/07 15:36:04 + [sftp-int.c] + portable; ok markus@ + - stevesk@cvs.openbsd.org 2001/02/07 15:55:47 + [sftp-int.c] + lowercase cmds[].c also; ok markus@ + - markus@cvs.openbsd.org 2001/02/07 17:04:52 + [pathnames.h sftp.c] + allow sftp over ssh protocol 1; ok djm@ + - deraadt@cvs.openbsd.org 2001/02/08 07:38:55 + [scp.c] + memory leak fix, and snprintf throughout + - deraadt@cvs.openbsd.org 2001/02/08 08:02:02 + [sftp-int.c] + plug a memory leak + - stevesk@cvs.openbsd.org 2001/02/08 10:11:23 + [session.c sftp-client.c] + %i -> %d + - stevesk@cvs.openbsd.org 2001/02/08 10:57:59 + [sftp-int.c] + typo + - stevesk@cvs.openbsd.org 2001/02/08 15:28:07 + [sftp-int.c pathnames.h] + _PATH_LS; ok markus@ + - djm@cvs.openbsd.org 2001/02/09 04:46:25 + [sftp-int.c] + Check for NULL attribs for chown, chmod & chgrp operations, only send + relevant attribs back to server; ok markus@ + - djm@cvs.openbsd.org 2001/02/06 15:05:25 + [sftp.c] + Use getopt to process commandline arguments + - djm@cvs.openbsd.org 2001/02/06 15:06:21 + [sftp.c ] + Wait for ssh subprocess at exit + - djm@cvs.openbsd.org 2001/02/06 15:18:16 + [sftp-int.c] + stat target for remote chdir before doing chdir + - djm@cvs.openbsd.org 2001/02/06 15:32:54 + [sftp.1] + Punctuation fix from Pekka Savola + - provos@cvs.openbsd.org 2001/02/05 22:22:02 + [sftp-int.c] + cleanup get_pathname, fix pwd after failed cd. okay djm@ + - (djm) Update makefile.in for _PATH_SFTP_SERVER + - (bal) sftp-client.c replace NULL w/ 0 in do_ls() (pending in OpenBSD tree) + +20010209 + - (bal) patch to vis.c to deal with HAVE_VIS right by Robert Mooney + + - (bal) .c.o rule in openbsd-compat/Makefile.in did not make it to the + main tree while porting forward. Pointed out by Lutz Jaenicke + + - (bal) double entry in configure.in. 
Pointed out by Lutz Jaenicke + + - (stevesk) OpenBSD sync: + - markus@cvs.openbsd.org 2001/02/08 11:20:01 + [auth2.c] + strict checking + - markus@cvs.openbsd.org 2001/02/08 11:15:22 + [version.h] + update to 2.3.2 + - markus@cvs.openbsd.org 2001/02/08 11:12:30 + [auth2.c] + fix typo + - (djm) Update spec files + - (bal) OpenBSD sync: + - deraadt@cvs.openbsd.org 2001/02/08 14:38:54 + [scp.c] + memory leak fix, and snprintf throughout + - markus@cvs.openbsd.org 2001/02/06 22:43:02 + [clientloop.c] + remove confusing callback code + - (djm) Add CVS Id's to files that we have missed + - (bal) OpenBSD Sync (more): + - itojun@cvs.openbsd.org 2001/02/08 19:30:52 + sync with netbsd tree changes. + - more strict prototypes, include necessary headers + - use paths.h/pathnames.h decls + - size_t typecase to int -> u_long + - markus@cvs.openbsd.org 2001/02/06 22:07:42 + [ssh.c] + fatal() if subsystem fails + - markus@cvs.openbsd.org 2001/02/06 22:43:02 + [ssh.c] + remove confusing callback code + - jakob@cvs.openbsd.org 2001/02/06 23:03:24 + [ssh.c] + add -1 option (force protocol version 1). ok markus@ + - jakob@cvs.openbsd.org 2001/02/06 23:06:21 + [ssh.c] + reorder -{1,2,4,6} options. ok markus@ + - (bal) Missing 'const' in readpass.h + - (bal) OpenBSD Sync (so at least the thing compiles for 2.3.2 =) + - djm@cvs.openbsd.org 2001/02/06 23:30:28 + [sftp-client.c] + replace arc4random with counter for request ids; ok markus@ + - (djm) Define _PATH_TTY for systems that don't. Report from Lutz + Jaenicke + +20010208 + - (djm) Don't delete external askpass program in make uninstall target. + Report and fix from Roumen Petrov + - (djm) Fix linking of sftp, don't need arc4random any more. + - (djm) Try to use shell that supports "test -S" for EGD socket search. + Based on patch from Tim Rice + +20010207 + - (bal) Save the whole path to AR in configure. 
Some Solaris 2.7 installs + seem lose track of it while in openbsd-compat/ (two confirmed reports) + - (djm) Much KNF on PAM code + - (djm) Revise auth-pam.c conversation function to be a little more + readable. + - (djm) Revise kbd-int PAM conversation function to fold all text messages + to before first prompt. Fixes hangs if last pam_message did not require + a reply. + - (djm) Fix password changing when using PAM kbd-int authentication + +20010205 + - (bal) Disable groupaccess by setting NGROUPS_MAX to 0 for platforms + that don't have NGROUPS_MAX. + - (bal) AIX patch for auth1.c by William L. Jones + - (stevesk) OpenBSD sync: + - stevesk@cvs.openbsd.org 2001/02/04 08:32:27 + [many files; did this manually to our top-level source dir] + unexpand and remove end-of-line whitespace; ok markus@ + - stevesk@cvs.openbsd.org 2001/02/04 15:21:19 + [sftp-server.c] + SSH2_FILEXFER_ATTR_UIDGID support; ok markus@ + - deraadt@cvs.openbsd.org 2001/02/04 17:02:32 + [sftp-int.c] + ? == help + - deraadt@cvs.openbsd.org 2001/02/04 16:47:46 + [sftp-int.c] + sort commands, so that abbreviations work as expected + - stevesk@cvs.openbsd.org 2001/02/04 15:17:52 + [sftp-int.c] + debugging sftp: precedence and missing break. chmod, chown, chgrp + seem to be working now. 
+ - markus@cvs.openbsd.org 2001/02/04 14:41:21 + [sftp-int.c] + use base 8 for umask/chmod + - markus@cvs.openbsd.org 2001/02/04 11:11:54 + [sftp-int.c] + fix LCD + - markus@cvs.openbsd.org 2001/02/04 08:10:44 + [ssh.1] + typo; dpo@club-internet.fr + - stevesk@cvs.openbsd.org 2001/02/04 06:30:12 + [auth2.c authfd.c packet.c] + remove duplicate #include's; ok markus@ + - deraadt@cvs.openbsd.org 2001/02/04 16:56:23 + [scp.c sshd.c] + alpha happiness + - stevesk@cvs.openbsd.org 2001/02/04 15:12:17 + [sshd.c] + precedence; ok markus@ + - deraadt@cvs.openbsd.org 2001/02/04 08:14:15 + [ssh.c sshd.c] + make the alpha happy + - markus@cvs.openbsd.org 2001/01/31 13:37:24 + [channels.c channels.h serverloop.c ssh.c] + do not disconnect if local port forwarding fails, e.g. if port is + already in use + - markus@cvs.openbsd.org 2001/02/01 14:58:09 + [channels.c] + use ipaddr in channel messages, ietf-secsh wants this + - markus@cvs.openbsd.org 2001/01/31 12:26:20 + [channels.c] + ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE + messages; bug report from edmundo@rano.org + - markus@cvs.openbsd.org 2001/01/31 13:48:09 + [sshconnect2.c] + unused + - deraadt@cvs.openbsd.org 2001/02/04 08:23:08 + [sftp-client.c sftp-server.c] + make gcc on the alpha even happier + +20010204 + - (bal) I think this is the last of the bsd-*.h that don't belong. + - (bal) Minor Makefile fix + - (bal) openbsd-compat/Makefile minor fix. Ensure dependancies are done + right. + - (bal) Changed order of LIB="" in -with-skey due to library resolving. 
+ - (bal) next-posix.h changed to bsd-nextstep.h + - (djm) OpenBSD CVS sync: + - markus@cvs.openbsd.org 2001/02/03 03:08:38 + [auth-options.c auth-rh-rsa.c auth-rhosts.c auth.c canohost.c] + [canohost.h servconf.c servconf.h session.c sshconnect1.c sshd.8] + [sshd_config] + make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@ + - markus@cvs.openbsd.org 2001/02/03 03:19:51 + [ssh.1 sshd.8 sshd_config] + Skey is now called ChallengeResponse + - markus@cvs.openbsd.org 2001/02/03 03:43:09 + [sshd.8] + use no-pty option in .ssh/authorized_keys* if you need a 8-bit clean + channel. note from Erik.Anggard@cygate.se (pr/1659) + - stevesk@cvs.openbsd.org 2001/02/03 10:03:06 + [ssh.1] + typos; ok markus@ + - djm@cvs.openbsd.org 2001/02/04 04:11:56 + [scp.1 sftp-server.c ssh.1 sshd.8 sftp-client.c sftp-client.h] + [sftp-common.c sftp-common.h sftp-int.c sftp-int.h sftp.1 sftp.c] + Basic interactive sftp client; ok theo@ + - (djm) Update RPM specs for new sftp binary + - (djm) Update several bits for new optional reverse lookup stuff. I + think I got them all. + - (djm) Makefile.in fixes + - (stevesk) add mysignal() wrapper and use it for the protocol 2 + SIGCHLD handler. + - (djm) Use setvbuf() instead of setlinebuf(). Suggest from stevesk@ + +20010203 + - (bal) Cygwin clean up by Corinna Vinschen + - (bal) renamed queue.h to fake-queue.h (even if it's an OpenBSD + based file) to ensure #include space does not get confused. + - (bal) Minor Makefile.in tweak. dirname may not exist on some + platforms so builds fail. (NeXT being a well known one) + +20010202 + - (bal) Makefile fix where sourcedir != builddir by Corinna Vinschen + + - (bal) Makefile fix to use $(MAKE) instead of 'make' for platforms + that use 'gmake'. Patch by Tim Rice + +20010201 + - (bal) Minor fix to Makefile to stop rebuilding executables if no + changes have occured to any of the supporting code. 
Patch by + Roumen Petrov + +20010131 + - (djm) OpenBSD CVS Sync: + - djm@cvs.openbsd.org 2001/01/30 15:48:53 + [sshconnect.c] + Make warning message a little more consistent. ok markus@ + - (djm) Fix autoconf logic for --with-lastlog=no Report and diagnosis from + Philipp Buehler and Kevin Steves + respectively. + - (djm) Don't log SSH2 PAM KbdInt responses to debug, they may contain + passwords. + - (bal) Reorder. Move all bsd-*, fake-*, next-*, and cygwin* stuff to + openbsd-compat/. And resolve all ./configure and Makefile.in issues + assocated. + +20010130 + - (djm) OpenBSD CVS Sync: + - markus@cvs.openbsd.org 2001/01/29 09:55:37 + [channels.c channels.h clientloop.c serverloop.c] + fix select overflow; ok deraadt@ and stevesk@ + - markus@cvs.openbsd.org 2001/01/29 12:42:35 + [canohost.c canohost.h channels.c clientloop.c] + add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS + - markus@cvs.openbsd.org 2001/01/29 12:47:32 + [rsa.c rsa.h ssh-agent.c sshconnect1.c sshd.c] + handle rsa_private_decrypt failures; helps against the Bleichenbacher + pkcs#1 attack + - djm@cvs.openbsd.org 2001/01/29 05:36:11 + [ssh.1 ssh.c] + Allow invocation of sybsystem by commandline (-s); ok markus@ + - (stevesk) configure.in: remove duplicate PROG_LS + +20010129 + - (stevesk) sftp-server.c: use %lld vs. %qd + +20010128 + - (bal) Put USE_PIPES back into sco3.2v5 + - (bal) OpenBSD Sync + - markus@cvs.openbsd.org 2001/01/28 10:15:34 + [dispatch.c] + re-keying is not supported; ok deraadt@ + - markus@cvs.openbsd.org 2001/01/28 10:24:04 + [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8] + cleanup AUTHORS sections + - markus@cvs.openbsd.org 2001/01/28 10:37:26 + [sshd.c sshd.8] + remove -Q, no longer needed + - stevesk@cvs.openbsd.org 2001/01/28 20:36:16 + [readconf.c ssh.1] + ``StrictHostKeyChecking ask'' documentation and small cleanup. + ok markus@ + - stevesk@cvs.openbsd.org 2001/01/28 20:43:25 + [sshd.8] + spelling. 
ok markus@ + - stevesk@cvs.openbsd.org 2001/01/28 20:53:21 + [xmalloc.c] + use size_t for strlen() return. ok markus@ + - stevesk@cvs.openbsd.org 2001/01/28 22:27:05 + [authfile.c] + spelling. use sizeof vs. strlen(). ok markus@ + - niklas@cvs.openbsd.org 2001/01/29 1:59:14 + [atomicio.h canohost.h clientloop.h deattack.h dh.h dispatch.h + groupaccess.c groupaccess.h hmac.h hostfile.h includes.h kex.h + key.h log.h login.h match.h misc.h myproposal.h nchan.ms pathnames.h + radix.h readpass.h rijndael.h serverloop.h session.h sftp.h ssh-add.1 + ssh-dss.h ssh-keygen.1 ssh-keyscan.1 ssh-rsa.h ssh1.h ssh_config + sshconnect.h sshd_config tildexpand.h uidswap.h uuencode.h] + $OpenBSD$ + - (bal) Minor auth2.c resync. Whitespace and moving of an #include. + +20010126 + - (bal) SSH_PROGRAM vs _PATH_SSH_PROGRAM fix pointed out by Roumen + Petrov + - (bal) OpenBSD Sync + - deraadt@cvs.openbsd.org 2001/01/25 8:06:33 + [ssh-agent.c] + call _exit() in signal handler + +20010125 + - (djm) Sync bsd-* support files: + - deraadt@cvs.openbsd.org 2000/01/26 03:43:20 + [rresvport.c bindresvport.c] + new bindresvport() semantics that itojun, shin, jean-luc and i have + agreed on, which will be happy for the future. bindresvport_sa() for + sockaddr *, too. docs later.. + - deraadt@cvs.openbsd.org 2000/01/24 02:24:21 + [bindresvport.c] + in bindresvport(), if sin is non-NULL, example sin->sin_family for + the actual family being processed + - (djm) Mention PRNGd in documentation, it is nicer than EGD + - (djm) Automatically search for "well-known" EGD/PRNGd sockets in autoconf + - (bal) AC_FUNC_STRFTIME added to autoconf + - (bal) OpenBSD Resync + - stevesk@cvs.openbsd.org 2001/01/24 21:03:50 + [channels.c] + missing freeaddrinfo(); ok markus@ + +20010124 + - (bal) OpenBSD Resync + - markus@cvs.openbsd.org 2001/01/23 10:45:10 + [ssh.h] + nuke comment + - (bal) no 64bit support patch from Tim Rice + - (bal) #ifdef around S_IFSOCK if platform does not support it. 
+ patch by Tim Rice + - (bal) fake-regex.h cleanup based on Tim Rice's patch. + - (stevesk) sftp-server.c: fix chmod() mode mask + +20010123 + - (bal) regexp.h typo in configure.in. Should have been regex.h + - (bal) SSH_USER_DIR to _PATH_SSH_USER_DIR patch by stevesk@ + - (bal) SSH_ASKPASS_DEFAULT to _PATH_SSH_ASKPASS_DEFAULT + - (bal) OpenBSD Resync + - markus@cvs.openbsd.org 2001/01/22 8:15:00 + [auth-krb4.c sshconnect1.c] + only AFS needs radix.[ch] + - markus@cvs.openbsd.org 2001/01/22 8:32:53 + [auth2.c] + no need to include; from mouring@etoh.eviladmin.org + - stevesk@cvs.openbsd.org 2001/01/22 16:55:21 + [key.c] + free() -> xfree(); ok markus@ + - stevesk@cvs.openbsd.org 2001/01/22 17:22:28 + [sshconnect2.c sshd.c] + fix memory leaks in SSH2 key exchange; ok markus@ + - markus@cvs.openbsd.org 2001/01/22 23:06:39 + [auth1.c auth2.c readconf.c readconf.h servconf.c servconf.h + sshconnect1.c sshconnect2.c sshd.c] + rename skey -> challenge response. + auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled. 
+ + +20010122 + - (bal) OpenBSD Resync + - markus@cvs.openbsd.org 2001/01/19 12:45:26 GMT 2001 by markus + [servconf.c ssh.h sshd.c] + only auth-chall.c needs #ifdef SKEY + - markus@cvs.openbsd.org 2001/01/19 15:55:10 GMT 2001 by markus + [auth-krb4.c auth-options.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c + auth1.c auth2.c channels.c clientloop.c dh.c dispatch.c nchan.c + packet.c pathname.h readconf.c scp.c servconf.c serverloop.c + session.c ssh-add.c ssh-keygen.c ssh-keyscan.c ssh.c ssh.h + ssh1.h sshconnect1.c sshd.c ttymodes.c] + move ssh1 definitions to ssh1.h, pathnames to pathnames.h + - markus@cvs.openbsd.org 2001/01/19 16:48:14 + [sshd.8] + fix typo; from stevesk@ + - markus@cvs.openbsd.org 2001/01/19 16:50:58 + [ssh-dss.c] + clear and free digest, make consistent with other code (use dlen); from + stevesk@ + - markus@cvs.openbsd.org 2001/01/20 15:55:20 GMT 2001 by markus + [auth-options.c auth-options.h auth-rsa.c auth2.c] + pass the filename to auth_parse_options() + - markus@cvs.openbsd.org 2001/01/20 17:59:40 GMT 2001 + [readconf.c] + fix SIGSEGV from -o ""; problem noted by jehsom@togetherweb.com + - stevesk@cvs.openbsd.org 2001/01/20 18:20:29 + [sshconnect2.c] + dh_new_group() does not return NULL. 
ok markus@ + - markus@cvs.openbsd.org 2001/01/20 21:33:42 + [ssh-add.c] + do not loop forever if askpass does not exist; from + andrew@pimlott.ne.mediaone.net + - djm@cvs.openbsd.org 2001/01/20 23:00:56 + [servconf.c] + Check for NULL return from strdelim; ok markus + - djm@cvs.openbsd.org 2001/01/20 23:02:07 + [readconf.c] + KNF; ok markus + - jakob@cvs.openbsd.org 2001/01/21 9:00:33 + [ssh-keygen.1] + remove -R flag; ok markus@ + - markus@cvs.openbsd.org 2001/01/21 19:05:40 + [atomicio.c automicio.h auth-chall.c auth-krb4.c auth-options.c + auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c + auth.c auth.h auth1.c auth2-chall.c auth2.c authfd.c authfile.c + bufaux.c bufaux.h buffer.c canahost.c canahost.h channels.c + cipher.c cli.c clientloop.c clientloop.h compat.c compress.c + deattack.c dh.c dispatch.c groupaccess.c hmac.c hostfile.c kex.c + key.c key.h log-client.c log-server.c log.c log.h login.c login.h + match.c misc.c misc.h nchan.c packet.c pty.c radix.h readconf.c + readpass.c readpass.h rsa.c scp.c servconf.c serverloop.c serverloop.h + session.c sftp-server.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c + ssh-keyscan.c ssh-rsa.c ssh.c ssh.h sshconnect.c sshconnect.h + sshconnect1.c sshconnect2.c sshd.c tildexpand.c tildexpand.h + ttysmodes.c uidswap.c xmalloc.c] + split ssh.h and try to cleanup the #include mess. remove unnecessary + #includes. rename util.[ch] -> misc.[ch] + - (bal) renamed 'PIDDIR' to '_PATH_SSH_PIDDIR' to match OpenBSD tree + - (bal) Moved #ifdef KRB4 in auth-krb4.c above the #include to resolve + conflict when compiling for non-kerb install + - (bal) removed the #ifdef SKEY in auth1.c to match Markus' changes + on 1/19. + +20010120 + - (bal) OpenBSD Resync + - markus@cvs.openbsd.org 2001/01/19 12:45:26 + [ssh-chall.c servconf.c servconf.h ssh.h sshd.c] + only auth-chall.c needs #ifdef SKEY + - (bal) Slight auth2-pam.c clean up. 
+ - (bal) Includes a fake-regexp.h to be only used if regcomp() is found, + but no 'regexp.h' found (SCO OpenServer 3 lacks the header). + +20010119 + - (djm) Update versions in RPM specfiles + - (bal) OpenBSD Resync + - markus@cvs.openbsd.org 2001/01/18 16:20:21 + [log-client.c log-server.c log.c readconf.c servconf.c ssh.1 ssh.h + sshd.8 sshd.c] + log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many + systems + - markus@cvs.openbsd.org 2001/01/18 16:59:59 + [auth-passwd.c auth.c auth.h auth1.c auth2.c serverloop.c session.c + session.h sshconnect1.c] + 1) removes fake skey from sshd, since this will be much + harder with /usr/libexec/auth/login_XXX + 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) + 3) make addition of BSD_AUTH and other challenge reponse methods + easier. + - markus@cvs.openbsd.org 2001/01/18 17:12:43 + [auth-chall.c auth2-chall.c] + rename *-skey.c *-chall.c since the files are not skey specific + - (djm) Merge patch from Tim Waugh (via Nalin Dahyabhai ) + to fix NULL pointer deref and fake authloop breakage in PAM code. + - (bal) Updated contrib/cygwin/ by Corinna Vinschen + - (bal) Minor cygwin patch to auth1.c. Suggested by djm. 
+ +20010118 + - (bal) Super Sized OpenBSD Resync + - markus@cvs.openbsd.org 2001/01/11 22:14:20 GMT 2001 by markus + [sshd.c] + maxfd+1 + - markus@cvs.openbsd.org 2001/01/13 17:59:18 + [ssh-keygen.1] + small ssh-keygen manpage cleanup; stevesk@pobox.com + - markus@cvs.openbsd.org 2001/01/13 18:03:07 + [scp.c ssh-keygen.c sshd.c] + getopt() returns -1 not EOF; stevesk@pobox.com + - markus@cvs.openbsd.org 2001/01/13 18:06:54 + [ssh-keyscan.c] + use SSH_DEFAULT_PORT; from stevesk@pobox.com + - markus@cvs.openbsd.org 2001/01/13 18:12:47 + [ssh-keyscan.c] + free() -> xfree(); fix memory leak; from stevesk@pobox.com + - markus@cvs.openbsd.org 2001/01/13 18:14:13 + [ssh-add.c] + typo, from stevesk@sweden.hp.com + - markus@cvs.openbsd.org 2001/01/13 18:32:50 + [packet.c session.c ssh.c sshconnect.c sshd.c] + split out keepalive from packet_interactive (from dale@accentre.com) + set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too. + - markus@cvs.openbsd.org 2001/01/13 18:36:45 + [packet.c packet.h] + reorder, typo + - markus@cvs.openbsd.org 2001/01/13 18:38:00 + [auth-options.c] + fix comment + - markus@cvs.openbsd.org 2001/01/13 18:43:31 + [session.c] + Wall + - markus@cvs.openbsd.org 2001/01/13 19:14:08 + [clientloop.h clientloop.c ssh.c] + move callback to headerfile + - markus@cvs.openbsd.org 2001/01/15 21:40:10 + [ssh.c] + use log() instead of stderr + - markus@cvs.openbsd.org 2001/01/15 21:43:51 + [dh.c] + use error() not stderr! + - markus@cvs.openbsd.org 2001/01/15 21:45:29 + [sftp-server.c] + rename must fail if newpath exists, debug off by default + - markus@cvs.openbsd.org 2001/01/15 21:46:38 + [sftp-server.c] + readable long listing for sftp-server, ok deraadt@ + - markus@cvs.openbsd.org 2001/01/16 19:20:06 + [key.c ssh-rsa.c] + make "ssh-rsa" key format for ssh2 confirm to the ietf-drafts; from + galb@vandyke.com. note that you have to delete older ssh2-rsa keys, + since they are in the wrong format, too. 
they must be removed from + .ssh/authorized_keys2 and .ssh/known_hosts2, etc. + (cd; grep -v ssh-rsa .ssh/authorized_keys2 > TMP && mv TMP + .ssh/authorized_keys2) additionally, we now check that + BN_num_bits(rsa->n) >= 768. + - markus@cvs.openbsd.org 2001/01/16 20:54:27 + [sftp-server.c] + remove some statics. simpler handles; idea from nisse@lysator.liu.se + - deraadt@cvs.openbsd.org 2001/01/16 23:58:08 + [bufaux.c radix.c sshconnect.h sshconnect1.c] + indent + - (bal) Added bsd-strmode.[ch] since some non-OpenBSD platforms may + be missing such feature. + + +20010117 + - (djm) Only write random seed file at exit + - (djm) Make PAM support optional, enable with --with-pam + - (djm) Try to use libcrypt on Linux, but link it after OpenSSL (which + provides a crypt() of its own) + - (djm) Avoid a warning in bsd-bindresvport.c + - (djm) Try to avoid adding -I/usr/include to CPPFLAGS during SSL tests. This + can cause weird segfaults errors on Solaris + - (djm) Avoid warning in PAM code by making read_passphrase arguments const + - (djm) Add --with-pam to RPM spec files + +20010115 + - (bal) sftp-server.c change to use chmod() if fchmod() does not exist. + - (bal) utimes() support via utime() interface on machine that lack utimes(). 
+ +20010114 + - (stevesk) initial work for OpenBSD "support supplementary group in + {Allow,Deny}Groups" patch: + - import getgrouplist.c from OpenBSD (bsd-getgrouplist.c) + - add bsd-getgrouplist.h + - new files groupaccess.[ch] + - build but don't use yet (need to merge auth.c changes) + - (stevesk) complete: + - markus@cvs.openbsd.org 2001/01/13 11:56:48 + [auth.c sshd.8] + support supplementary group in {Allow,Deny}Groups + from stevesk@pobox.com + +20010112 + - (bal) OpenBSD Sync + - markus@cvs.openbsd.org 2001/01/10 22:56:22 + [bufaux.h bufaux.c sftp-server.c sftp.h getput.h] + cleanup sftp-server implementation: + add buffer_get_int64, buffer_put_int64, GET_64BIT, PUT_64BIT + parse SSH2_FILEXFER_ATTR_EXTENDED + send SSH2_FX_EOF if readdir returns no more entries + reply to SSH2_FXP_EXTENDED message + use #defines from the draft + move #definations to sftp.h + more info: + http://www.ietf.org/internet-drafts/draft-ietf-secsh-filexfer-00.txt + - markus@cvs.openbsd.org 2001/01/10 19:43:20 + [sshd.c] + XXX - generate_empheral_server_key() is not safe against races, + because it calls log() + - markus@cvs.openbsd.org 2001/01/09 21:19:50 + [packet.c] + allow TCP_NDELAY for ipv6; from netbsd via itojun@ + +20010110 + - (djm) SNI/Reliant Unix needs USE_PIPES and $DISPLAY hack. Report from + Bladt Norbert + +20010109 + - (bal) Resync CVS ID of cli.c + - (stevesk) auth1.c: free should be after WITH_AIXAUTHENTICATE + code. + - (bal) OpenBSD Sync + - markus@cvs.openbsd.org 2001/01/08 22:29:05 + [auth2.c compat.c compat.h servconf.c servconf.h sshd.8 + sshd_config version.h] + implement option 'Banner /etc/issue.net' for ssh2, move version to + 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner + is enabled). 
+ - markus@cvs.openbsd.org 2001/01/08 22:03:23 + [channels.c ssh-keyscan.c] + O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com + - markus@cvs.openbsd.org 2001/01/08 21:55:41 + [sshconnect1.c] + more cleanups and fixes from stevesk@pobox.com: + 1) try_agent_authentication() for loop will overwrite key just + allocated with key_new(); don't alloc + 2) call ssh_close_authentication_connection() before exit + try_agent_authentication() + 3) free mem on bad passphrase in try_rsa_authentication() + - markus@cvs.openbsd.org 2001/01/08 21:48:17 + [kex.c] + missing free; thanks stevesk@pobox.com + - (bal) Detect if clock_t structure exists, if not define it. + - (bal) Detect if O_NONBLOCK exists, if not define it. + - (bal) removed news4-posix.h (now empty) + - (bal) changed bsd-bindresvport.c and bsd-rresvport.c to use 'socklen_t' + instead of 'int' + - (stevesk) sshd_config: sync + - (stevesk) defines.h: remove spurious ``;'' + +20010108 + - (bal) Fixed another typo in cli.c + - (bal) OpenBSD Sync + - markus@cvs.openbsd.org 2001/01/07 21:26:55 + [cli.c] + typo + - markus@cvs.openbsd.org 2001/01/07 21:26:55 + [cli.c] + missing free, stevesk@pobox.com + - markus@cvs.openbsd.org 2001/01/07 19:06:25 + [auth1.c] + missing free, stevesk@pobox.com + - markus@cvs.openbsd.org 2001/01/07 11:28:04 + [log-client.c log-server.c log.c readconf.c servconf.c ssh.1 + ssh.h sshd.8 sshd.c] + rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE + syslog priority changes: + fatal() LOG_ERR -> LOG_CRIT + log() LOG_INFO -> LOG_NOTICE + - Updated TODO + +20010107 + - (bal) OpenBSD Sync + - markus@cvs.openbsd.org 2001/01/06 11:23:27 + [ssh-rsa.c] + remove unused + - itojun@cvs.openbsd.org 2001/01/05 08:23:29 + [ssh-keyscan.1] + missing .El + - markus@cvs.openbsd.org 2001/01/04 22:41:03 + [session.c sshconnect.c] + consistent use of _PATH_BSHELL; from stevesk@pobox.com + - djm@cvs.openbsd.org 2001/01/04 22:35:32 + [ssh.1 sshd.8] + Mention AES as available SSH2 Cipher; ok markus + - markus@cvs.openbsd.org 
2001/01/04 22:25:58 + [sshd.c] + sync usage()/man with defaults; from stevesk@pobox.com + - markus@cvs.openbsd.org 2001/01/04 22:21:26 + [sshconnect2.c] + handle SSH2_MSG_USERAUTH_BANNER; fixes bug when connecting to a server + that prints a banner (e.g. /etc/issue.net) + +20010105 + - (bal) contrib/caldera/ provided by Tim Rice + - (bal) bsd-getcwd.c and bsd-setenv.c changed from bcopy() to memmove() + +20010104 + - (djm) Fix memory leak on systems with BROKEN_GETADDRINFO. Based on + work by Chris Vaughan + +20010103 + - (bal) fixed up sshconnect.c so it was closer inline with the OpenBSD + tree (mainly positioning) + - (bal) OpenSSH CVS Update + - markus@cvs.openbsd.org 2001/01/02 20:41:02 + [packet.c] + log remote ip on disconnect; PR 1600 from jcs@rt.fm + - markus@cvs.openbsd.org 2001/01/02 20:50:56 + [sshconnect.c] + strict_host_key_checking for host_status != HOST_CHANGED && + ip_status == HOST_CHANGED + - (bal) authfile.c: Synced CVS ID tag + - (bal) UnixWare 2.0 fixes by Tim Rice + - (bal) Disable sftp-server if no 64bit int support exists. Based on + patch by Tim Rice + - (bal) Makefile.in changes to uninstall: target to remove sftp-server + and sftp-server.8 manpage. + +20010102 + - (bal) OpenBSD CVS Update + - markus@cvs.openbsd.org 2001/01/01 14:52:49 + [scp.c] + use shared fatal(); from stevesk@pobox.com + +20001231 + - (bal) Reverted out of MAXHOSTNAMELEN. This should be set per OS. + for multiple reasons. + - (bal) Reverted out of a partial NeXT patch. + +20001230 + - (bal) OpenBSD CVS Update + - markus@cvs.openbsd.org 2000/12/28 18:58:30 + [ssh-keygen.c] + enable 'ssh-keygen -l -f ~/.ssh/{authorized_keys,known_hosts}{,2} + - markus@cvs.openbsd.org 2000/12/29 22:19:13 + [channels.c] + missing xfree; from vaughan99@yahoo.com + - (bal) Resynced CVS ID with OpenBSD for channel.c and uidswap.c + - (bal) if no MAXHOSTNAMELEN is defined. Default to 64 character defination. 
+ Suggested by Christian Kurz + - (bal) Add in '.c.o' section to Makefile.in to address make programs that + don't honor CPPFLAGS by default. Suggested by Lutz Jaenicke + + +20001229 + - (bal) Fixed spelling of 'authorized_keys' in ssh-copy-id.1 by Christian + Kurz + - (bal) OpenBSD CVS Update + - markus@cvs.openbsd.org 2000/12/28 14:25:51 + [auth.h auth2.c] + count authentication failures only + - markus@cvs.openbsd.org 2000/12/28 14:25:03 + [sshconnect.c] + fingerprint for MITM attacks, too. + - markus@cvs.openbsd.org 2000/12/28 12:03:57 + [sshd.8 sshd.c] + document -D + - markus@cvs.openbsd.org 2000/12/27 14:19:21 + [serverloop.c] + less chatty + - markus@cvs.openbsd.org 2000/12/27 12:34 + [auth1.c sshconnect2.c sshd.c] + typo + - markus@cvs.openbsd.org 2000/12/27 12:30:19 + [readconf.c readconf.h ssh.1 sshconnect.c] + new option: HostKeyAlias: allow the user to record the host key + under a different name. This is useful for ssh tunneling over + forwarded connections or if you run multiple sshd's on different + ports on the same machine. + - markus@cvs.openbsd.org 2000/12/27 11:51:53 + [ssh.1 ssh.c] + multiple -t force pty allocation, document ORIGINAL_COMMAND + - markus@cvs.openbsd.org 2000/12/27 11:41:31 + [sshd.8] + update for ssh-2 + - (stevesk) compress.[ch] sync with openbsd; missed in prototype + fix merge. + +20001228 + - (bal) Patch to add libutil.h to loginrec.c only if the platform has + libutil.h. Suggested by Pekka Savola + - (djm) Update to new x11-askpass in RPM spec + - (bal) SCO patch to not include since it's unrelated + header. Patch by Tim Rice + - Updated TODO w/ known HP/UX issue + - (bal) removed extra noticed by Kevin Steves and removed the + bad reference to 'NeXT including it else were' on the #ifdef version. + +20001227 + - (bal) Typo in configure.in: entut?ent should be endut?ent. Suggested by + Takumi Yamane + - (bal) Checks for getrlimit(), sysconf(), and setdtablesize(). 
Patch + by Corinna Vinschen + - (djm) Fix catman-do target for non-bash + - (bal) Typo in configure.in: entut?ent should be endut?ent. Suggested by + Takumi Yamane + - (bal) Checks for getrlimit(), sysconf(), and setdtablesize(). Patch + by Corinna Vinschen + - (djm) Fix catman-do target for non-bash + - (bal) Fixed NeXT's lack of CPPFLAGS honoring. + - (bal) ssh-keyscan.c: NeXT (and older BSDs) don't support getrlimit() w/ + 'RLIMIT_NOFILE' + - (djm) Remove *.Ylonen files. They are no longer in the OpenBSD tree, + the info in COPYING.Ylonen has been moved to the start of each + SSH1-derived file and README.Ylonen is well out of date. + +20001223 + - (bal) Fixed Makefile.in to support recompile of all ssh and sshd objects + if a change to config.h has occurred. Suggested by Gert Doering + + - (bal) OpenBSD CVS Update: + - markus@cvs.openbsd.org 2000/12/22 16:49:40 + [ssh-keygen.c] + fix ssh-keygen -x -t type > file; from Roumen.Petrov@skalasoft.com + +20001222 + - Updated RCSID for pty.c + - (bal) OpenBSD CVS Updates: + - markus@cvs.openbsd.org 2000/12/21 15:10:16 + [auth-rh-rsa.c hostfile.c hostfile.h sshconnect.c] + print keyfile:line for changed hostkeys, for deraadt@, ok deraadt@ + - markus@cvs.openbsd.org 2000/12/20 19:26:56 + [authfile.c] + allow ssh -i userkey for root + - markus@cvs.openbsd.org 2000/12/20 19:37:21 + [authfd.c authfd.h kex.c sshconnect2.c sshd.c uidswap.c uidswap.h] + fix prototypes; from stevesk@pobox.com + - markus@cvs.openbsd.org 2000/12/20 19:32:08 + [sshd.c] + init pointer to NULL; report from Jan.Ivan@cern.ch + - markus@cvs.openbsd.org 2000/12/19 23:17:54 + [auth-krb4.c auth-options.c auth-options.h auth-rhosts.c auth-rsa.c + auth1.c auth2-skey.c auth2.c authfd.c authfd.h authfile.c bufaux.c + bufaux.h buffer.c canohost.c channels.c clientloop.c compress.c + crc32.c deattack.c getput.h hmac.c hmac.h hostfile.c kex.c kex.h + key.c key.h log.c login.c match.c match.h mpaux.c mpaux.h packet.c + packet.h radix.c readconf.c rsa.c scp.c 
servconf.c servconf.h + serverloop.c session.c sftp-server.c ssh-agent.c ssh-dss.c ssh-dss.h + ssh-keygen.c ssh-keyscan.c ssh-rsa.c ssh-rsa.h ssh.c ssh.h uuencode.c + uuencode.h sshconnect1.c sshconnect2.c sshd.c tildexpand.c] + replace 'unsigned bla' with 'u_bla' everywhere. also replace 'char + unsigned' with u_char. + +20001221 + - (stevesk) OpenBSD CVS updates: + - markus@cvs.openbsd.org 2000/12/19 15:43:45 + [authfile.c channels.c sftp-server.c ssh-agent.c] + remove() -> unlink() for consistency + - markus@cvs.openbsd.org 2000/12/19 15:48:09 + [ssh-keyscan.c] + replace with + - markus@cvs.openbsd.org 2000/12/17 02:33:40 + [uidswap.c] + typo; from wsanchez@apple.com + +20001220 + - (djm) Workaround PAM inconsistencies between Solaris derived PAM code + and Linux-PAM. Based on report and fix from Andrew Morgan + + +20001218 + - (stevesk) rsa.c: entropy.h not needed. + - (bal) split CFLAGS into CFLAGS and CPPFLAGS in configure.in and Makefile. + Suggested by Wilfredo Sanchez + +20001216 + - (stevesk) OpenBSD CVS updates: + - markus@cvs.openbsd.org 2000/12/16 02:53:57 + [scp.c] + allow + in usernames; request from Florian.Weimer@RUS.Uni-Stuttgart.DE + - markus@cvs.openbsd.org 2000/12/16 02:39:57 + [scp.c] + unused; from stevesk@pobox.com + +20001215 + - (stevesk) Old OpenBSD patch wasn't completely applied: + - markus@cvs.openbsd.org 2000/01/24 22:11:20 + [scp.c] + allow '.' in usernames; from jedgar@fxp.org + - (stevesk) OpenBSD CVS updates: + - markus@cvs.openbsd.org 2000/12/13 16:26:53 + [ssh-keyscan.c] + fatal already adds \n; from stevesk@pobox.com + - markus@cvs.openbsd.org 2000/12/13 16:25:44 + [ssh-agent.c] + remove redundant spaces; from stevesk@pobox.com + - ho@cvs.openbsd.org 2000/12/12 15:50:21 + [pty.c] + When failing to set tty owner and mode on a read-only filesystem, don't + abort if the tty already has correct owner and reasonably sane modes. + Example; permit 'root' to login to a firewall with read-only root fs. 
+ (markus@ ok) + - deraadt@cvs.openbsd.org 2000/12/13 06:36:05 + [pty.c] + KNF + - markus@cvs.openbsd.org 2000/12/12 14:45:21 + [sshd.c] + source port < 1024 is no longer required for rhosts-rsa since it + adds no additional security. + - markus@cvs.openbsd.org 2000/12/12 16:11:49 + [ssh.1 ssh.c] + rhosts-rsa is no longer automagically disabled if ssh is not privileged. + UsePrivilegedPort=no disables rhosts-rsa _only_ for old servers. + these changes should not change the visible default behaviour of the ssh client. + - deraadt@cvs.openbsd.org 2000/12/11 10:27:33 + [scp.c] + when copying 0-sized files, do not re-print ETA time at completion + - provos@cvs.openbsd.org 2000/12/15 10:30:15 + [kex.c kex.h sshconnect2.c sshd.c] + compute diffie-hellman in parallel between server and client. okay markus@ + +20001213 + - (djm) Make sure we reset the SIGPIPE disposition after we fork. Report + from Andreas M. Kirchwitz + - (stevesk) OpenBSD CVS update: + - markus@cvs.openbsd.org 2000/12/12 15:30:02 + [ssh-keyscan.c ssh.c sshd.c] + consistently use __progname; from stevesk@pobox.com + +20001211 + - (bal) Applied patch to include ssh-keyscan into Redhat's package, and + patch to install ssh-keyscan manpage. Patch by Pekka Savola + + - (bal) OpenbSD CVS update + - markus@cvs.openbsd.org 2000/12/10 17:01:53 + [sshconnect1.c] + always request new challenge for skey/tis-auth, fixes interop with + other implementations; report from roth@feep.net + +20001210 + - (bal) OpenBSD CVS updates + - markus@cvs.openbsd.org 2000/12/09 13:41:51 + [cipher.c cipher.h rijndael.c rijndael.h rijndael_boxes.h] + undo rijndael changes + - markus@cvs.openbsd.org 2000/12/09 13:48:31 + [rijndael.c] + fix byte order bug w/o introducing new implementation + - markus@cvs.openbsd.org 2000/12/09 14:08:27 + [sftp-server.c] + "" -> "." 
for realpath; from vinschen@redhat.com + - markus@cvs.openbsd.org 2000/12/09 14:06:54 + [ssh-agent.c] + extern int optind; from stevesk@sweden.hp.com + - provos@cvs.openbsd.org 2000/12/09 23:51:11 + [compat.c] + remove unnecessary '\n' + +20001209 + - (bal) OpenBSD CVS updates: + - djm@cvs.openbsd.org 2000/12/07 4:24:59 + [ssh.1] + Typo fix from Wilfredo Sanchez ; ok theo + +20001207 + - (bal) OpenBSD CVS updates: + - markus@cvs.openbsd.org 2000/12/06 22:58:14 + [compat.c compat.h packet.c] + disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0 + - markus@cvs.openbsd.org 2000/12/06 23:10:39 + [rijndael.c] + unexpand(1) + - markus@cvs.openbsd.org 2000/12/06 23:05:43 + [cipher.c cipher.h rijndael.c rijndael.h rijndael_boxes.h] + new rijndael implementation. fixes endian bugs + +20001206 + - (bal) OpenBSD CVS updates: + - markus@cvs.openbsd.org 2000/12/05 20:34:09 + [channels.c channels.h clientloop.c serverloop.c] + async connects for -R/-L; ok deraadt@ + - todd@cvs.openssh.org 2000/12/05 16:47:28 + [sshd.c] + tweak comment to reflect real location of pid file; ok provos@ + - (stevesk) Import from OpenBSD for systems that don't + have it (used in ssh-keyscan). + - (stevesk) OpenBSD CVS update: + - markus@cvs.openbsd.org 2000/12/06 19:57:48 + [ssh-keyscan.c] + err(3) -> internal error(), from stevesk@sweden.hp.com + +20001205 + - (bal) OpenBSD CVS updates: + - markus@cvs.openbsd.org 2000/12/04 19:24:02 + [ssh-keyscan.c ssh-keyscan.1] + David Maziere's ssh-keyscan, ok niels@ + - (bal) Updated Makefile.in to include ssh-keyscan that was just added + to the recent OpenBSD source tree. + - (stevesk) fix typos in contrib/hpux/README + +20001204 + - (bal) More C functions defined in NeXT that are unaccessable without + defining -POSIX. 
+ - (bal) OpenBSD CVS updates: + - markus@cvs.openbsd.org 2000/12/03 11:29:04 + [compat.c] + remove fallback to SSH_BUG_HMAC now that the drafts are updated + - markus@cvs.openbsd.org 2000/12/03 11:27:55 + [compat.c] + correctly match "2.1.0.pl2 SSH" etc; from + pekkas@netcore.fi/bugzilla.redhat + - markus@cvs.openbsd.org 2000/12/03 11:15:03 + [auth2.c compat.c compat.h sshconnect2.c] + support f-secure/ssh.com 2.0.12; ok niels@ + +20001203 + - (bal) OpenBSD CVS updates: + - markus@cvs.openbsd.org 2000/11/30 22:54:31 + [channels.c] + debug->warn if tried to do -R style fwd w/o client requesting this; + ok neils@ + - markus@cvs.openbsd.org 2000/11/29 20:39:17 + [cipher.c] + des_cbc_encrypt -> des_ncbc_encrypt since it already updates the IV + - markus@cvs.openbsd.org 2000/11/30 18:33:05 + [ssh-agent.c] + agents must not dump core, ok niels@ + - markus@cvs.openbsd.org 2000/11/30 07:04:02 + [ssh.1] + T is for both protocols + - markus@cvs.openbsd.org 2000/12/01 00:00:51 + [ssh.1] + typo; from green@FreeBSD.org + - markus@cvs.openbsd.org 2000/11/30 07:02:35 + [ssh.c] + check -T before isatty() + - provos@cvs.openbsd.org 2000/11/29 13:51:27 + [sshconnect.c] + show IP address and hostname when new key is encountered. okay markus@ + - markus@cvs.openbsd.org 2000/11/30 22:53:35 + [sshconnect.c] + disable agent/x11/port fwding if hostkey has changed; ok niels@ + - marksu@cvs.openbsd.org 2000/11/29 21:11:59 + [sshd.c] + sshd -D, startup w/o deamon(), for monitoring scripts or inittab; + from handler@sub-rosa.com and eric@urbanrange.com; ok niels@ + - (djm) Added patch from Nalin Dahyabhai to enable + PAM authentication using KbdInteractive. + - (djm) Added another TODO + +20001202 + - (bal) Backed out of part of Alain St-Denis' loginrec.c patch. + - (bal) Irix need some sort of mansubdir, patch by Michael Stone + + +20001129 + - (djm) Back out all the serverloop.c hacks. sshd will now hang again + if there are background children with open fds. 
+ - (djm) bsd-rresvport.c bzero -> memset + - (djm) Don't fail in defines.h on absence of 64 bit types (we will + still fail during compilation of sftp-server). + - (djm) Fail if ar is not found during configure + - (djm) OpenBSD CVS updates: + - provos@cvs.openbsd.org 2000/11/22 08:38:31 + [sshd.8] + talk about /etc/primes, okay markus@ + - markus@cvs.openbsd.org 2000/11/23 14:03:48 + [ssh.c sshconnect1.c sshconnect2.c] + complain about invalid ciphers for ssh1/ssh2, fall back to reasonable + defaults + - markus@cvs.openbsd.org 2000/11/25 09:42:53 + [sshconnect1.c] + reorder check for illegal ciphers, bugreport from espie@ + - markus@cvs.openbsd.org 2000/11/25 10:19:34 + [ssh-keygen.c ssh.h] + print keytype when generating a key. + reasonable defaults for RSA1/RSA/DSA keys. + - (djm) Patch from Pekka Savola to include a few + more manpage paths in fixpaths calls + - (djm) Also add xauth path at Pekka's suggestion. + - (djm) Add Redhat RPM patch for AUTHPRIV SyslogFacility + +20001125 + - (djm) Give up privs when reading seed file + +20001123 + - (bal) Merge OpenBSD changes: + - markus@cvs.openbsd.org 2000/11/15 22:31:36 + [auth-options.c] + case insensitive key options; from stevesk@sweeden.hp.com + - markus@cvs.openbsd.org 2000/11/16 17:55:43 + [dh.c] + do not use perror() in sshd, after child is forked() + - markus@cvs.openbsd.org 2000/11/14 23:42:40 + [auth-rsa.c] + parse option only if key matches; fix some confusing seen by the client + - markus@cvs.openbsd.org 2000/11/14 23:44:19 + [session.c] + check no_agent_forward_flag for ssh-2, too + - markus@cvs.openbsd.org 2000/11/15 + [ssh-agent.1] + reorder SYNOPSIS; typo, use .It + - markus@cvs.openbsd.org 2000/11/14 23:48:55 + [ssh-agent.c] + do not reorder keys if a key is removed + - markus@cvs.openbsd.org 2000/11/15 19:58:08 + [ssh.c] + just ignore non existing user keys + - millert@cvs.openbsd.org 200/11/15 20:24:43 + [ssh-keygen.c] + Add missing \n at end of error message. 
+ +20001122 + - (bal) Minor patch to ensure platforms lacking IRIX job limit supports + are compilable. + - (bal) Updated TODO as of 11/18/2000 with known things to resolve. + +20001117 + - (bal) Changed from 'primes' to 'primes.out' for consistancy sake. It + has no affect the output. Patch by Corinna Vinschen + - (stevesk) Reworked progname support. + - (bal) Misplaced #include "includes.h" in bsd-setproctitle.c. Patch by + Shinichi Maruyama + +20001116 + - (bal) Added in MAXSYMLINK test in bsd-realpath.c. Required for some SCO + releases. + - (bal) Make builds work outside of source tree. Patch by Mark D. Roth + + +20001113 + - (djm) Add pointer to http://www.imasy.or.jp/~gotoh/connect.c to + contrib/README + - (djm) Merge OpenBSD changes: + - markus@cvs.openbsd.org 2000/11/06 16:04:56 + [channels.c channels.h clientloop.c nchan.c serverloop.c] + [session.c ssh.c] + agent forwarding and -R for ssh2, based on work from + jhuuskon@messi.uku.fi + - markus@cvs.openbsd.org 2000/11/06 16:13:27 + [ssh.c sshconnect.c sshd.c] + do not disabled rhosts(rsa) if server port > 1024; from + pekkas@netcore.fi + - markus@cvs.openbsd.org 2000/11/06 16:16:35 + [sshconnect.c] + downgrade client to 1.3 if server is 1.4; help from mdb@juniper.net + - markus@cvs.openbsd.org 2000/11/09 18:04:40 + [auth1.c] + typo; from mouring@pconline.com + - markus@cvs.openbsd.org 2000/11/12 12:03:28 + [ssh-agent.c] + off-by-one when removing a key from the agent + - markus@cvs.openbsd.org 2000/11/12 12:50:39 + [auth-rh-rsa.c auth2.c authfd.c authfd.h] + [authfile.c hostfile.c kex.c kex.h key.c key.h myproposal.h] + [readconf.c readconf.h rsa.c rsa.h servconf.c servconf.h ssh-add.c] + [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config] + [sshconnect1.c sshconnect2.c sshd.8 sshd.c sshd_config ssh-dss.c] + [ssh-dss.h ssh-rsa.c ssh-rsa.h dsa.c dsa.h] + add support for RSA to SSH2. please test. + there are now 3 types of keys: RSA1 is used by ssh-1 only, + RSA and DSA are used by SSH2. 
+ you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA + keys for SSH2 and use the RSA keys for hostkeys or for user keys. + SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before. + - (djm) Fix up Makefile and Redhat init script to create RSA host keys + - (djm) Change to interim version + - (djm) Fix RPM spec file stupidity + - (djm) fixpaths to DSA and RSA keys too + +20001112 + - (bal) SCO Patch to add needed libraries for configure.in. Patch by + Phillips Porch + - (bal) IRIX patch to adding Job Limits. Patch by Denis Parker + + - (stevesk) pty.c: HP-UX 10 and 11 don't define TIOCSCTTY. Add error() to + failed ioctl(TIOCSCTTY) call. + +20001111 + - (djm) Added /etc/primes for kex DH group neg, fixup Makefile.in and + packaging files + - (djm) Fix new Makefile.in warnings + - (djm) Fix vsprintf("%h") in bsd-snprintf.c, short int va_args are + promoted to type int. Report and fix from Dan Astoorian + + - (djm) Hardwire sysconfdir in RPM spec files as some RPM versions get + it wrong. Report from Bennett Todd + +20001110 + - (bal) Fixed dropped answer from skey_keyinfo() in auth1.c + - (bal) Changed from --with-skey to --with-skey=PATH in configure.in + - (bal) Added in check to verify S/Key library is being detected in + configure.in + - (bal) next-posix.h - added another prototype wrapped in POSIX ifdef/endif. + Patch by Mark Miller + - (bal) Added 'util.h' header to loginrec.c only if HAVE_UTIL_H is defined + to remove warnings under MacOS X. Patch by Mark Miller + - (bal) Fixed LDFLAG mispelling in configure.in for --with-afs + +20001107 + - (bal) acconfig.in - removed the double "USE_PIPES" entry. Patch by + Mark Miller + - (bal) sshd.init files corrected to assign $? to RETVAL. Patch by + Jarno Huuskonen + - (bal) fixpaths fixed to stop it from quitely failing. Patch by + Mark D. 
Roth + 20001106 - (djm) Use Jim's new 1.0.3 askpass in Redhat RPMs - (djm) Manually fix up missed diff hunks (mainly RCS idents) - - (djm) Remove UPGRADING document in favour of a link to the better + - (djm) Remove UPGRADING document in favour of a link to the better maintained FAQ on www.openssh.com - (djm) Fix multiple dependancy on gnome-libs from Pekka Savola - (djm) Don't need X11-askpass in RPM spec file if building without it from Pekka Savola - (djm) Release 2.3.0p1 + - (bal) typo in configure.in in regards to --with-ldflags from Marko + Asplund + - (bal) fixed next-posix.h. Forgot prototype of getppid(). 20001105 - (bal) Sync with OpenBSD: @@ -33,10 +1514,10 @@ - (bal) next-posix.h - spelling and forgot a prototype 20001028 - - (djm) fix select hack in serverloop.c from Philippe WILLEM + - (djm) fix select hack in serverloop.c from Philippe WILLEM - (djm) Fix mangled AIXAUTHENTICATE code - - (djm) authctxt->pw may be NULL. Fix from Markus Friedl + - (djm) authctxt->pw may be NULL. Fix from Markus Friedl - (djm) Sync with OpenBSD: - markus@cvs.openbsd.org 2000/10/16 15:46:32 @@ -73,7 +1554,7 @@ - markus@cvs.openbsd.org 2000/10/27 01:32:19 [channels.c channels.h clientloop.c serverloop.c session.c] [ssh.c util.c] - enable non-blocking IO on channels, and tty's (except for the + enable non-blocking IO on channels, and tty's (except for the client ttys). 20001027 @@ -104,7 +1585,7 @@ supplied passphrase. Problem report from Lutz Jaenicke - (bal) Changed from GNU rx to PCRE on suggestion from djm. - - (bal) Integrated Sony NEWS-OS patches from NAKAJI Hirouyuki + - (bal) Integrated Sony NEWS-OS patches from NAKAJI Hirouyuki 20001016 
@@ -123,7 +1604,7 @@ AllowTcpForwarding; from naddy@ - markus@cvs.openbsd.org 2000/10/14 06:16:56 [auth2.c compat.c compat.h sshconnect2.c version.h] - OpenSSH_2.3; note that is is not complete, but the version number + OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons - markus@cvs.openbsd.org 2000/10/14 06:19:45 [auth-rsa.c] @@ -135,12 +1616,12 @@ - markus@cvs.openbsd.org 2000/10/15 08:18:31 [rijndael.c] typo - - (djm) Copy manpages back over from OpenBSD - too tedious to wade + - (djm) Copy manpages back over from OpenBSD - too tedious to wade through diffs - - (djm) Added condrestart to Redhat init script. Patch from Pekka Savola + - (djm) Added condrestart to Redhat init script. Patch from Pekka Savola - (djm) Update version in Redhat spec file - - (djm) Merge some of Nalin Dahyabhai changes from the + - (djm) Merge some of Nalin Dahyabhai changes from the Redhat 7.0 spec file - (djm) Make inability to read/write PRNG seedfile non-fatal @@ -152,7 +1633,7 @@ - (bal) Add support for realpath and getcwd for platforms with broken or missing realpath implementations for sftp-server. - (bal) Corrected mistake in INSTALL in regards to GNU rx library - - (bal) Add support for GNU rx library for those lacking regexp support + - (bal) Add support for GNU rx library for those lacking regexp support - (djm) Don't accept PAM_PROMPT_ECHO_ON messages during initial auth - (djm) Revert SSH2 serverloop hack, will find a better way. - (djm) Add workaround for Linux 2.4's gratuitious errno change. Patch 
@@ -258,11 +1739,11 @@ 20000930 - (djm) Irix ssh_prng_cmds path fix from Pekka Savola - - (djm) Support in bsd-snprintf.c for long long conversions from + - (djm) Support in bsd-snprintf.c for long long conversions from Ben Lindstrom - (djm) Cleanup NeXT support from Ben Lindstrom - (djm) Ignore SIGPIPEs from serverloop to child. Fixes crashes with - very short lived X connections. Bug report from Tobias Oetiker + very short lived X connections. Bug report from Tobias Oetiker . Fix from Markus Friedl - (djm) Add recent InitScripts as a RPM dependancy for openssh-server patch from Pekka Savola 
@@ -278,27 +1759,27 @@ - markus@cvs.openbsd.org 2000/09/28 12:03:18 [channels.c] debug -> debug2 cleanup - - (djm) Irix strips "/dev/tty" from [uw]tmp entries (other systems only + - (djm) Irix strips "/dev/tty" from [uw]tmp entries (other systems only strip "/dev/"). Fix loginrec.c based on patch from Alain St-Denis - - (djm) Fix 9 character passphrase failure with gnome-ssh-askpass. - Problem was caused by interrupted read in ssh-add. Report from Donald + - (djm) Fix 9 character passphrase failure with gnome-ssh-askpass. + Problem was caused by interrupted read in ssh-add. Report from Donald J. Barry 20000929 - (djm) Fix SSH2 not terminating until all background tasks done problem. - - (djm) Another off-by-one fix from Pavel Kankovsky - + - (djm) Another off-by-one fix from Pavel Kankovsky + - (djm) Clean up. Strip some unnecessary differences with OpenBSD's code, tidy necessary differences. Use Markus' new debugN() in entropy.c - - (djm) Merged big SCO portability patch from Tim Rice + - (djm) Merged big SCO portability patch from Tim Rice 20000926 - (djm) Update X11-askpass to 1.0.2 in RPM spec file - (djm) Define _REENTRANT to pickup strtok_r() on HP/UX - - (djm) Security: fix off-by-one buffer overrun in fake-getnameinfo.c. - Report and fix from Pavel Kankovsky + - (djm) Security: fix off-by-one buffer overrun in fake-getnameinfo.c. + Report and fix from Pavel Kankovsky 20000924 - (djm) Merged cleanup patch from Mark Miller 
@@ -307,14 +1788,14 @@ 20000923 - - (djm) Fix address logging in utmp from Kevin Steves + - (djm) Fix address logging in utmp from Kevin Steves - (djm) Redhat spec and manpage fixes from Pekka Savola - (djm) Seperate tests for int64_t and u_int64_t types - - (djm) Tweak password expiry checking at suggestion of Kevin Steves + - (djm) Tweak password expiry checking at suggestion of Kevin Steves - (djm) NeXT patch from Ben Lindstrom - - (djm) Use printf %lld instead of %qd in sftp-server.c. Fix from + - (djm) Use printf %lld instead of %qd in sftp-server.c. Fix from Michael Stone - (djm) OpenBSD CVS sync: - markus@cvs.openbsd.org 2000/09/17 09:38:59 @@ -348,13 +1829,13 @@ 20000916 - - (djm) Fix SSL search order from Lutz Jaenicke + - (djm) Fix SSL search order from Lutz Jaenicke - (djm) New SuSE spec from Corinna Vinschen - (djm) Update CygWin support from Corinna Vinschen - (djm) Use a real struct sockaddr inside the fake struct sockaddr_storage. Patch from Larry Jones - - (djm) Add Steve VanDevender's PAM + - (djm) Add Steve VanDevender's PAM password change patch. - (djm) Bring licenses on my stuff in line with OpenBSD's - (djm) Cleanup auth-passwd.c and unify HP/UX authentication. Patch from @@ -365,9 +1846,9 @@ - (djm) Update Redhat SPEC file accordingly - (djm) Add Kevin Steves HP/UX contrib files - (djm) Add Charles Levert getpgrp patch - - (djm) Fix password auth on HP/UX 10.20. Patch from Dirk De Wachter + - (djm) Fix password auth on HP/UX 10.20. Patch from Dirk De Wachter - - (djm) Fixprogs and entropy list fixes from Larry Jones + - (djm) Fixprogs and entropy list fixes from Larry Jones - (djm) Fix for SuSE spec file from Takashi YOSHIDA 
@@ -386,10 +1867,10 @@ prototype - deraadt@cvs.openbsd.org 2000/09/07 14:27:56 [ALL] - cleanup copyright notices on all files. I have attempted to be - accurate with the details. everything is now under Tatu's licence - (which I copied from his readme), and/or the core-sdi bsd-ish thing - for deattack, or various openbsd developers under a 2-term bsd + cleanup copyright notices on all files. I have attempted to be + accurate with the details. everything is now under Tatu's licence + (which I copied from his readme), and/or the core-sdi bsd-ish thing + for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate. - markus@cvs.openbsd.org 2000/09/07 14:40:30 [channels.c channels.h clientloop.c serverloop.c ssh.c] @@ -843,7 +2324,7 @@ - (djm) Added 'distprep' make target to simplify packaging - (djm) Added patch from Chris Adams to add OSF SIA support. Enable using "USE_SIA=1 ./configure [options]" - + 20000627 - (djm) Fixes to login code - not setting li->uid, cleanups - (djm) Formatting @@ -902,7 +2383,7 @@ 20000620 - (djm) Replace use of '-o' and '-a' logical operators in configure tests - with '||' and '&&'. As suggested by Jim Knoble + with '||' and '&&'. As suggested by Jim Knoble to fix SCO Unixware problem reported by Gary E. Miller - (djm) Typo in loginrec.c @@ -965,7 +2446,7 @@ - Don't try to retrieve lastlog from wtmp/wtmpx if DISABLE_LASTLOG is def'd - Set AIX to use preformatted manpages - + 20000610 - (djm) Minor doc tweaks - (djm) Fix for configure on bash2 from Jim Knoble @@ -991,7 +2472,7 @@ teach protocol v2 to count login failures properly and also enable an explanation of why the password prompt comes up again like v1; this is NOT crypto - - markus@cvs.openbsd.org + - markus@cvs.openbsd.org [readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8] xauth_location support; pr 1234 [readconf.c sshconnect2.c] 
@@ -1022,7 +2503,7 @@ - (andre) New login code - Remove bsd-login.[ch] and all the OpenBSD-derived code in login.c - Add loginrec.[ch], logintest.c and autoconf code - + 20000531 - Cleanup of auth.c, login.c and fake-* - Cleanup of auth-pam.c, save and print "account expired" error messages @@ -1427,7 +2908,7 @@ no adjust after close - [sshd.c compat.c ] interop w/ latest ssh.com windows client. - + 20000406 - OpenBSD CVS update: - [channels.c] @@ -1519,7 +3000,7 @@ - Clarified --with-default-path option. - Added -blibpath handling for AIX to work around stupid runtime linking. Problem elucidated by gshapiro@SENDMAIL.ORG by way of Jim Knoble - + - Checks for 64 bit int types. Problem report from Mats Fredholm - OpenBSD CVS updates: @@ -1700,7 +3181,7 @@ - NeXT keeps it lastlog in /usr/adm. Report from mouring@newton.pconline.com - Added note in UPGRADING re interop with commercial SSH using idea. - Report from Jim Knoble + Report from Jim Knoble - Fix linking order for Kerberos/AFS. Fix from Holget Trapp @@ -1713,9 +3194,9 @@ - New URL for x11-ssh-askpass. - Fixpaths was missing /etc/ssh_known_hosts. Report from Jim Knoble - + - Added 'DESTDIR' option to Makefile to ease package building. Patch from - Jim Knoble + Jim Knoble - Updated RPM spec files to use DESTDIR 20000124 @@ -1748,7 +3229,7 @@ - [readpass.c] instead of blocking SIGINT, catch it ourselves, so that we can clean the tty modes up and kill ourselves -- instead of our process group - leader (scp, cvs, ...) going away and leaving us in noecho mode. + leader (scp, cvs, ...) going away and leaving us in noecho mode. people with cbreak shells never even noticed.. - [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8] ie. -> i.e., @@ -1785,7 +3266,7 @@ 20000118 - Fixed --with-pid-dir option - Makefile fix from Gary E. Miller - - Compile fix for HPUX and Solaris from Andre Lucas + - Compile fix for HPUX and Solaris from Andre Lucas 20000117 
@@ -1888,7 +3369,7 @@ 20000103 - Add explicit make rules for files proccessed by fixpaths. - - Fix "make install" in RPM spec files. Report from Tenkou N. Hattori + - Fix "make install" in RPM spec files. Report from Tenkou N. Hattori - Removed "nullok" directive from default PAM configuration files. Added information on enabling EmptyPasswords on openssh+PAM in @@ -1919,7 +3400,7 @@ - Fill in ut_utaddr utmp field. Report from Benjamin Charron - Really fix broken default path. Fix from Jim Knoble - + - Remove test for quad_t. No longer needed. - Released 1.2.1pre24 @@ -1986,7 +3467,7 @@ 19991226 - Enabled utmpx support by default for Solaris - Cleanup sshd.c PAM a little more - - Revised RPM package to include Jim Knoble's + - Revised RPM package to include Jim Knoble's X11 ssh-askpass program. - Disable logging of PAM success and failures, PAM is verbose enough. Unfortunatly there is currently no way to disable auth failure @@ -1998,8 +3479,8 @@ .Sh FILES, too - Released 1.2.1pre21 - Fixed implicit '.' in default path, report from Jim Knoble - - - Redhat RPM spec fixes from Jim Knoble + + - Redhat RPM spec fixes from Jim Knoble 19991225 - More fixes from Andre Lucas @@ -2063,7 +3544,7 @@ - Use LDFLAGS correctly - Fix SIGIO error in scp - Simplify status line printing in scp - - Added better test for inline functions compiler support from + - Added better test for inline functions compiler support from Darren_Hall@progressive.com 19991214 @@ -2099,7 +3580,7 @@ - Compile fix from David Agraz - Avoid compiler warning in bsd-snprintf.c - Added pam_limits.so to default PAM config. Suggested by - Jim Knoble + Jim Knoble 19991209 - Import of patch from Ben Taylor : @@ -2127,7 +3608,7 @@ David Agraz 19991207 - - sshd Redhat init script patch from Jim Knoble + - sshd Redhat init script patch from Jim Knoble fixes compatability with 4.x and 5.x - Fixed default SSH_ASKPASS - Fix PAM account and session being called multiple times. Problem 
@@ -2291,7 +3772,7 @@ print usage() everytime we get bad options - [ssh-keygen.c] overflow, djm@mindrot.org - [sshd.c] fix sigchld race; cjc5@po.cwru.edu - + 19991120 - Merged more Solaris support from Marc G. Fournier @@ -2394,7 +3875,7 @@ - Merged more Solaris compability from Marc G. Fournier - Wrote autoconf tests for __progname symbol - - RPM spec file fixes from Jim Knoble + - RPM spec file fixes from Jim Knoble - Released 1.2pre12 - Another OpenBSD CVS update: @@ -2588,3 +4069,5 @@ - Wrote replacements for OpenBSD arc4random* functions - Wrote replacements for strlcpy and mkdtemp - Released 1.0pre1 + +$Id: ChangeLog,v 1.803 2001/02/19 10:51:49 djm Exp $ diff -ru openssh-2.3.0p1/INSTALL openssh-2.5.1p1/INSTALL --- openssh-2.3.0p1/INSTALL 2000-10-18 11:02:25.000000000 +1100 +++ openssh-2.5.1p1/INSTALL 2001-02-18 12:58:24.000000000 +1100 @@ -9,10 +9,13 @@ OpenSSL 0.9.5a or greater: http://www.openssl.org/ -RPMs of OpenSSL are available at http://violet.ibs.com.au/openssh/files/support +RPMs of OpenSSL are available at http://violet.ibs.com.au/openssh/files/support. +For Red Hat Linux 6.2, they have been released as errata. RHL7 includes +these. OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system -supports it. PAM is standard on Redhat and Debian Linux and on Solaris. +supports it. PAM is standard on Redhat and Debian Linux, Solaris and +HP-UX 11. PAM: http://www.kernel.org/pub/linux/libs/pam/ 
@@ -23,15 +26,23 @@ GNOME: http://www.gnome.org/ -Alternatively, Jim Knoble has written an excellent X11 +Alternatively, Jim Knoble has written an excellent X11 passphrase requester. This is maintained separately at: http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html +PRNGD: + +If your system lacks Kernel based random collection, the use of Lutz +Jaenicke's PRNGd is recommended. + +http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html + +EGD: + The Entropy Gathering Daemon (EGD) is supported if you have a system which lacks /dev/random and don't want to use OpenSSH's internal entropy collection. -EGD: http://www.lothar.com/tech/crypto/ GNU Make: @@ -40,12 +51,18 @@ OpenSSH has only been tested with GNU make. It may work with other 'make' programs, but you are on your own. -pcre (POSIX Regular Expression library): +PCRE (PERL-compatible Regular Expression library): ftp://ftp.cus.cam.ac.uk/pub/software/programs/pcre/ -Most platforms do not required this. However older 4.3 BSD do not -have a posix regex library. +Most platforms do not require this. However older Unices may not have a +posix regex library. PCRE provides a POSIX interface. +S/Key Libraries: +http://www.sparc.spb.su/solaris/skey/ + +If you wish to use --with-skey then you will need the above library +installed. No other current S/Key library is currently known to be +supported. 2. Building / Installation -------------------------- 
@@ -74,14 +91,16 @@ This will install the binaries in /opt/{bin,lib,sbin}, but will place the configuration files in /etc/ssh. -If you are using PAM, you will need to manually install a PAM +If you are using PAM, you may need to manually install a PAM control file as "/etc/pam.d/sshd" (or wherever your system prefers to keep them). A generic PAM configuration is included as "contrib/sshd.pam.generic", you may need to edit it before using it on -your system. If you are using a recent version of Redhat Linux, the +your system. If you are using a recent version of Red Hat Linux, the config file in contrib/redhat/sshd.pam should be more useful. Failure to install a valid PAM file may result in an inability to -use password authentication. +use password authentication. On HP-UX 11, the standard /etc/pam.conf +configuration will work with sshd (sshd will match the OTHER service +name). There are a few other options to the configure script: @@ -90,8 +109,7 @@ may need to specify this option if rsh is not in your path or has a different name. ---without-pam will disable PAM support. PAM is automatically detected -and switched on if found. +--with-pam enables PAM support. --enable-gnome-askpass will build the GNOME passphrase dialog. You need a working installation of GNOME, including the development 
@@ -101,10 +119,10 @@ random numbers (the default is /dev/urandom). Unless you are absolutely sure of what you are doing, it is best to leave this alone. ---with-egd-pool=/some/file allows you to enable Entropy Gathering -Daemon support and to specify a EGD pool socket. Use this if your -Unix lacks /dev/random and you don't want to use OpenSSH's builtin -entropy collection support. +--with-egd-pool=/some/file allows you to enable EGD or PRNGD support +and to specify a EGD pool socket. Use this if your Unix lacks +/dev/random and you don't want to use OpenSSH's builtin entropy +collection support. --with-lastlog=FILE will specify the location of the lastlog file. ./configure searches a few locations for lastlog, but may not find @@ -122,8 +140,8 @@ to work. Use the optional PATH argument to specify the root of your AFS installation. AFS requires Kerberos support to be enabled. ---with-skey will enable S/Key one time password support. You will need -the S/Key libraries and header files installed for this to work. +--with-skey=PATH will enable S/Key one time password support. You will +need the S/Key libraries and header files installed for this to work. --with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny) support. You will need libwrap.a and tcpd.h installed. @@ -177,8 +195,9 @@ To generate a host key, run "make host-key". Alternately you can do so manually using the following commands: - ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N "" - ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N "" + ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N "" + ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N "" + ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N "" Replacing /etc/ssh with the correct path to the configuration directory. (${prefix}/etc or whatever you specified with --sysconfdir during 
@@ -197,3 +216,5 @@ Please refer to the "reporting bugs" section of the webpage at http://www.openssh.com/ + +$Id: INSTALL,v 1.41 2001/02/18 01:58:24 djm Exp $ diff -ru openssh-2.3.0p1/LICENCE openssh-2.5.1p1/LICENCE --- openssh-2.3.0p1/LICENCE 2000-09-30 14:40:39.000000000 +1100 +++ openssh-2.5.1p1/LICENCE 2001-02-12 03:43:05.000000000 +1100 @@ -1,7 +1,7 @@ -This file is part of the ssh software. +This file is part of the OpenSSH software. -The licences which components of this software falls under are as -follows. First, we will summarize and say that that all components +The licences which components of this software fall under are as +follows. First, we will summarize and say that all components are under a BSD licence, or a licence more free than that. OpenSSH contains no GPL code. @@ -29,7 +29,7 @@ have been removed from OpenSSH, ie. - RSA is no longer included, found in the OpenSSL library - - IDEA is no longer included, it's use is depricated + - IDEA is no longer included, its use is deprecated - DES is now external, in the OpenSSL library - GMP is no longer used, and instead we call BN code from OpenSSL - Zlib is now external, in a library diff -ru openssh-2.3.0p1/Makefile.in openssh-2.5.1p1/Makefile.in --- openssh-2.3.0p1/Makefile.in 2000-11-06 08:13:45.000000000 +1100 +++ openssh-2.5.1p1/Makefile.in 2001-02-19 06:13:33.000000000 +1100 @@ -1,3 +1,5 @@ +# $Id: Makefile.in,v 1.155 2001/02/18 19:13:33 mouring Exp $ + prefix=@prefix@ exec_prefix=@exec_prefix@ bindir=@bindir@ 
@@ -11,45 +13,62 @@ top_srcdir=@top_srcdir@ DESTDIR= - VPATH=@srcdir@ - SSH_PROGRAM=@bindir@/ssh ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass +SFTP_SERVER=$(libexecdir)/sftp-server + +PATHS= -DETCDIR=\"$(sysconfdir)\" \ + -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \ + -D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \ + -D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" CC=@CC@ LD=@LD@ -PATHS=-DETCDIR=\"$(sysconfdir)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DSSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" -CFLAGS=@CFLAGS@ $(PATHS) @DEFS@ +CFLAGS=@CFLAGS@ +CPPFLAGS=@CPPFLAGS@ -I. -I$(srcdir)/openbsd-compat -I$(srcdir) $(PATHS) @DEFS@ LIBS=@LIBS@ AR=@AR@ RANLIB=@RANLIB@ INSTALL=@INSTALL@ PERL=@PERL@ ENT=@ENT@ -LDFLAGS=-L. @LDFLAGS@ +XAUTH_PATH=@XAUTH_PATH@ +LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ EXEEXT=@EXEEXT@ SSH_MODE= @SSHMODE@ INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) $(EXTRA_TARGETS) +@NO_SFTP@SFTP_PROGS=sftp-server$(EXEEXT) sftp$(EXEEXT) -LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o cli.o compat.o compress.o crc32.o cygwin_util.o deattack.o dispatch.o dsa.o hmac.o hostfile.o key.o kex.o log.o match.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o util.o uuencode.o xmalloc.o +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) $(SFTP_PROGS) -LIBOPENBSD_COMPAT_OBJS=bsd-arc4random.o bsd-base64.o bsd-bindresvport.o bsd-daemon.o bsd-getcwd.o bsd-inet_aton.o bsd-inet_ntoa.o bsd-misc.o bsd-mktemp.o bsd-realpath.o bsd-rresvport.o bsd-setenv.o bsd-sigaction.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o bsd-strsep.o bsd-strtok.o bsd-vis.o bsd-setproctitle.o bsd-waitpid.o fake-getaddrinfo.o fake-getnameinfo.o next-posix.o +LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o 
channels.o cipher.o cli.o compat.o compress.o crc32.o deattack.o dispatch.o mac.o hostfile.o key.o kex.o log.o match.o misc.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o ssh-dss.o ssh-rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o -SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-skey.o auth2-skey.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o dh.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o +SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o sshpty.o log-server.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o -TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8 sftp-server.8 -CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh.0 sshd.0 sftp-server.0 +TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 +CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh-keyscan.0 ssh.0 sshd.0 sftp-server.0 sftp.0 MANPAGES = @MANTYPE@ -CONFIGFILES=sshd_config ssh_config +CONFIGFILES=sshd_config ssh_config primes -PATHSUBS = -D/etc/ssh_config=$(sysconfdir)/ssh_config -D/etc/ssh_known_hosts=$(sysconfdir)/ssh_known_hosts -D/etc/sshd_config=$(sysconfdir)/sshd_config -D/usr/libexec=$(libexecdir) -D/etc/shosts.equiv=$(sysconfdir)/shosts.equiv -D/etc/ssh_host_key=$(sysconfdir)/ssh_host_key -D/var/run/sshd.pid=$(piddir)/sshd.pid +PATHSUBS = \ + -D/etc/ssh_config=$(sysconfdir)/ssh_config \ + -D/etc/ssh_known_hosts=$(sysconfdir)/ssh_known_hosts \ + -D/etc/sshd_config=$(sysconfdir)/sshd_config \ + -D/usr/libexec=$(libexecdir) \ + -D/etc/shosts.equiv=$(sysconfdir)/shosts.equiv \ + -D/etc/ssh_host_key=$(sysconfdir)/ssh_host_key \ + 
-D/etc/ssh_host_dsa_key=$(sysconfdir)/ssh_host_dsa_key \ + -D/etc/ssh_host_rsa_key=$(sysconfdir)/ssh_host_rsa_key \ + -D/var/run/sshd.pid=$(piddir)/sshd.pid \ + -D/etc/primes=$(sysconfdir)/primes \ + -D/etc/sshrc=$(sysconfdir)/sshrc \ + -D/usr/X11R6/bin/xauth=$(XAUTH_PATH) FIXPATHSCMD = $(PERL) $(srcdir)/fixpaths $(PATHSUBS) 
@@ -58,50 +77,61 @@ manpages: $(MANPAGES) $(LIBSSH_OBJS): config.h +$(SSHOBJS): config.h +$(SSHDOBJS): config.h -$(LIBOPENBSD_COMPAT_OBJS): config.h +.c.o: + $(CC) $(CFLAGS) $(CPPFLAGS) -c $< -libopenbsd-compat.a: $(LIBOPENBSD_COMPAT_OBJS) - $(AR) rv $@ $(LIBOPENBSD_COMPAT_OBJS) - $(RANLIB) $@ +LIBCOMPAT=openbsd-compat/libopenbsd-compat.a +$(LIBCOMPAT): config.h + (cd openbsd-compat; $(MAKE)) libssh.a: $(LIBSSH_OBJS) $(AR) rv $@ $(LIBSSH_OBJS) $(RANLIB) $@ -ssh$(EXEEXT): libopenbsd-compat.a libssh.a $(SSHOBJS) +ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -sshd$(EXEEXT): libssh.a libopenbsd-compat.a $(SSHDOBJS) +sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -scp$(EXEEXT): libopenbsd-compat.a libssh.a scp.o - $(LD) -o $@ scp.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o log-client.o + $(LD) -o $@ scp.o log-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -ssh-add$(EXEEXT): libopenbsd-compat.a libssh.a ssh-add.o log-client.o +ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o log-client.o $(LD) -o $@ ssh-add.o log-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -ssh-agent$(EXEEXT): libopenbsd-compat.a libssh.a ssh-agent.o log-client.o +ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o log-client.o $(LD) -o $@ ssh-agent.o log-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -ssh-keygen$(EXEEXT): libopenbsd-compat.a libssh.a ssh-keygen.o log-client.o +ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o log-client.o $(LD) -o $@ ssh-keygen.o log-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -sftp-server$(EXEEXT): libopenbsd-compat.a libssh.a sftp-server.o log-server.o - $(LD) -o $@ sftp-server.o log-server.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a log-client.o ssh-keyscan.o + $(LD) -o $@ ssh-keyscan.o log-client.o $(LDFLAGS) -lssh 
-lopenbsd-compat $(LIBS) + +sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp-server.o sftp-common.o log-server.o + $(LD) -o $@ sftp-server.o sftp-common.o log-server.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + +sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-int.o sftp-common.o log-client.o + $(LD) -o $@ sftp.o sftp-client.o sftp-common.o sftp-int.o log-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) # test driver for the loginrec code - not built by default -logintest: logintest.o libopenbsd-compat.a libssh.a log-client.o loginrec.o +logintest: logintest.o $(LIBCOMPAT) libssh.a log-client.o loginrec.o $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh log-client.o $(LIBS) $(MANPAGES) $(CONFIGFILES):: $(FIXPATHSCMD) $(srcdir)/$@ clean: + (cd openbsd-compat; $(MAKE) clean) rm -f *.o *.a $(TARGETS) logintest config.cache config.log rm -f *.out core distclean: clean + (cd openbsd-compat; $(MAKE) distclean) rm -f Makefile config.h config.status ssh_prng_cmds *~ mrproper: distclean @@ -111,9 +141,10 @@ catman-do: @for f in $(TROFFMAN) ; do \ - echo "$$f -> $${f%%.[18]}.0" ; \ + base=`echo $$f | sed 's/\..*$$//'` ; \ + echo "$$f -> $$base.0" ; \ nroff -mandoc $$f | cat -v | sed -e 's/.\^H//g' \ - >$${f%%.[18]}.0 ; \ + >$$base.0 ; \ done distprep: catman-do 
@@ -133,49 +164,74 @@ $(INSTALL) -m 0755 -s ssh-add $(DESTDIR)$(bindir)/ssh-add $(INSTALL) -m 0755 -s ssh-agent $(DESTDIR)$(bindir)/ssh-agent $(INSTALL) -m 0755 -s ssh-keygen $(DESTDIR)$(bindir)/ssh-keygen + $(INSTALL) -m 0775 -s ssh-keyscan $(DESTDIR)$(bindir)/ssh-keyscan $(INSTALL) -m 0755 -s sshd $(DESTDIR)$(sbindir)/sshd - $(INSTALL) -m 0755 -s sftp-server $(DESTDIR)$(libexecdir)/sftp-server + @NO_SFTP@$(INSTALL) -m 0755 -s sftp $(DESTDIR)$(bindir)/sftp + @NO_SFTP@$(INSTALL) -m 0755 -s sftp-server $(DESTDIR)$(SFTP_SERVER) $(INSTALL) -m 644 ssh.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 scp.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 $(INSTALL) -m 644 ssh-add.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 $(INSTALL) -m 644 ssh-agent.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 $(INSTALL) -m 644 ssh-keygen.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 + $(INSTALL) -m 644 ssh-keyscan.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 $(INSTALL) -m 644 sshd.[08].out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 - $(INSTALL) -m 644 sftp-server.[08].out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 + @NO_SFTP@$(INSTALL) -m 644 sftp.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 + @NO_SFTP@$(INSTALL) -m 644 sftp-server.[08].out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f $(DESTDIR)$(bindir)/slogin ln -s ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 ln -s ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 @FILEPRIV@ -f dev,filesys,driver $(DESTDIR)$(bindir)/ssh $(DESTDIR)$(bindir)/slogin - if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config -a ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \ + if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \ $(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \ + fi + if [ ! 
-f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \ $(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \ + else \ + echo "$(DESTDIR)$(sysconfdir)/ssh_config already exists, install will not overwrite"; \ + fi + if [ ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \ $(INSTALL) -m 644 sshd_config.out $(DESTDIR)$(sysconfdir)/sshd_config; \ + else \ + echo "$(DESTDIR)$(sysconfdir)/sshd_config already exists, install will not overwrite"; \ fi if [ -f ssh_prng_cmds -a ! -z "$(INSTALL_SSH_PRNG_CMDS)" ]; then \ $(PERL) $(srcdir)/fixprogs ssh_prng_cmds $(ENT); \ if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_prng_cmds ] ; then \ $(INSTALL) -m 644 ssh_prng_cmds.out $(DESTDIR)$(sysconfdir)/ssh_prng_cmds; \ + else \ + echo "$(DESTDIR)$(sysconfdir)/ssh_prng_cmds already exists, install will not overwrite"; \ fi ; \ fi + if [ ! -f $(DESTDIR)$(sysconfdir)/primes ]; then \ + $(INSTALL) -m 644 primes.out $(DESTDIR)$(sysconfdir)/primes; \ + else \ + echo "$(DESTDIR)$(sysconfdir)/primes already exists, install will not overwrite"; \ + fi host-key: ssh-keygen$(EXEEXT) if [ -z "$(DESTDIR)" ] ; then \ if [ -f "$(DESTDIR)$(sysconfdir)/ssh_host_key" ] ; then \ echo "$(DESTDIR)$(sysconfdir)/ssh_host_key already exists, skipping." ; \ else \ - $(srcdir)/ssh-keygen -b 1024 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" ; \ + ./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" ; \ fi ; \ if [ -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key ] ; then \ echo "$(DESTDIR)$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \ else \ - $(srcdir)/ssh-keygen -d -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" ; \ + ./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" ; \ + fi ; \ + if [ -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key ] ; then \ + echo "$(DESTDIR)$(sysconfdir)/ssh_host_rsa_key already exists, skipping." 
; \ + else \ + ./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N "" ; \ fi ; \ fi ; host-key-force: ssh-keygen$(EXEEXT) - $(srcdir)/ssh-keygen -b 1024 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" - $(srcdir)/ssh-keygen -d -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" + ./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" + ./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" + ./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N "" uninstallall: uninstall -rm -f $(DESTDIR)$(sysconfdir)/ssh_config @@ -190,19 +246,23 @@ -rmdir $(DESTDIR)$(libexecdir) uninstall: + -rm -f $(DESTDIR)$(bindir)/slogin -rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT) -rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT) -rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT) -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) + -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) + -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) + -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 - -rm -f $(DESTDIR)$(bindir)/slogin + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 - -rm -f $(DESTDIR)${ASKPASS_PROGRAM} - -rmdir $(DESTDIR)$(libexecdir)/ssh ; diff -ru openssh-2.3.0p1/README openssh-2.5.1p1/README --- openssh-2.3.0p1/README 2000-11-06 12:48:54.000000000 +1100 +++ openssh-2.5.1p1/README 2001-02-18 12:58:24.000000000 +1100 
@@ -1,13 +1,6 @@ -[ A Japanese translation of this document is available at -[ http://www.unixuser.org/%7Eharuyama/security/openssh/index.html -[ Thanks to HARUYAMA Seigo - -******* IMPORTANT -* On systmes which lack a /dev/random driver, version of this port -* prior to 1.2.2 were not correctly seeding OpenSSL's random number -* pool. This resulted in lower quality RSA keys being generated. If -* you generated host or user keys with v1.2.2 or previous versions, -* please generate new ones using a more recent version. +- A Japanese translation of this document and of the OpenSSH FAQ is +- available at http://www.unixuser.org/~haruyama/security/openssh/index.html +- Thanks to HARUYAMA Seigo This is the port of OpenBSD's excellent OpenSSH[0] to Linux and other Unices. @@ -21,8 +14,8 @@ homepage at http://www.openssh.com/ This port consists of the re-introduction of autoconf support, PAM -support (for Linux and Solaris), EGD[1] support and replacements for -OpenBSD library functions that are (regrettably) absent from other +support (for Linux and Solaris), EGD[1]/PRNGD[2] support and replacements +for OpenBSD library functions that are (regrettably) absent from other unices. This port has been best tested on Linux, Solaris, HPUX, NetBSD and Irix. Support for AIX, SCO, NeXT and other Unices is underway. This version actively tracks changes in the OpenBSD CVS repository. @@ -31,7 +24,7 @@ commercial ssh-1.2.x. It checks "account" and "session" modules for all logins, not just when using password authentication. -OpenSSH depends on Zlib[2], OpenSSL[3] and optionally PAM[4]. +OpenSSH depends on Zlib[3], OpenSSL[4] and optionally PAM[5]. There is now several mailing lists for this port of OpenSSH. Please refer to http://www.openssh.com/list.html for details on how to join. 
@@ -40,15 +33,15 @@ openssh-unix-dev@mindrot.org. The list is open to posting by unsubscribed users. -If you are a citizen of the USA or another country which restricts -export of cryptographic products, then please refrain from sending +If you are a citizen of an USA-embargoed country to which export of +cryptographic products is restricted, then please refrain from sending crypto-related code or patches to the list. We cannot accept them. Other code contribution are accepted, but please follow the OpenBSD -style guidelines[5]. +style guidelines[6]. Please refer to the INSTALL document for information on how to install OpenSSH on your system. There are a number of differences between this -port of OpenSSH and F-Secure SSH 1.x, please refer to the OpenSSH FAQ[6] +port of OpenSSH and F-Secure SSH 1.x, please refer to the OpenSSH FAQ[7] for details and general tips. Damien Miller @@ -63,8 +56,11 @@ [0] http://www.openssh.com/faq.html [1] http://www.lothar.com/tech/crypto/ -[2] ftp://ftp.freesoftware.com/pub/infozip/zlib/ -[3] http://www.openssl.org/ -[4] http://www.kernel.org/pub/linux/libs/pam/ (PAM is standard on Solaris) -[5] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9&apropos=0&manpath=OpenBSD+Current -[6] http://www.openssh.com/faq.html +[2] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html +[3] ftp://ftp.freesoftware.com/pub/infozip/zlib/ +[4] http://www.openssl.org/ +[5] http://www.kernel.org/pub/linux/libs/pam/ (PAM is standard on Solaris) +[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 +[7] http://www.openssh.com/faq.html + +$Id: README,v 1.46 2001/02/18 01:58:24 djm Exp $ Only in openssh-2.3.0p1: README.Ylonen diff -ru openssh-2.3.0p1/TODO openssh-2.5.1p1/TODO --- openssh-2.3.0p1/TODO 2000-10-15 08:33:19.000000000 +1100 +++ openssh-2.5.1p1/TODO 2001-02-17 12:04:37.000000000 +1100 
@@ -1,12 +1,62 @@ -- Replacement for setproctitle() +Programming: +- Grep for 'XXX' comments and fix + +- Write a test program that calls stat() to search for EGD/PRNGd socket + rather than use the (non-portable) "test -S". + +- Replacement for setproctitle() - HP/UX support only currently - Improve PAM support (a pam_lastlog module will cause sshd to exit) + and maybe support alternate forms of authenications like OPIE via + pam? -- Better documentation +- Complete Tru64 SIA support -- Replace the horror in acconfig.h which tries to comphensate for the - lack of u_intXX_t types. There must be a better way. +- Finish integrating kernel-level auditing code for IRIX and SOLARIS + (Gilbert.r.loomis@saic.com) -- Cleanup configure.in +- sftp-server: Rework to step down to 32bit ints if the platform + lacks 'long long' == 64bit (Notable SCO w/ SCO compiler) -- Complete Tru64 SIA support +- Linux hangs for 20 seconds when you do "sleep 20&exit". All current + solutions break scp or leaves processes hanging around after the ssh + connection has ended. It seems to be linked to two things. One + select() under Linux is not as nice as others, and two the children + of the shell are not killed on exiting the shell. + +- Build an automated test suite + +- Verify that It's safe to enable NGROUPS_MAX under NeXTStep for + groupaccess features. (mouring@eviladmin.org) + +Documentation: +- More and better + +- Install FAQ? + +- General FAQ on S/Key, TIS, RSA, RSA2, DSA, etc and suggestions on when it + would be best to use them. + +- Create a Documentation/ directory? + +Clean up configure/makefiles: +- Clean up configure.in - There are a few double #defined variables + left to do. HAVE_LOGIN is one of them. Consider NOT looking for information + in wtmpx or utmpx or any of that stuff if it's not detected from the start + +- Fails to compile when cross compile. + (vinschen@redhat.com) + +- Replace the whole u_intXX_t evilness in acconfig.h with something better??? 
+ +- Consider splitting the u_intXX_t test for sys/bitype.h into seperate test + to allow people to (right/wrongfully) link against Bind directly. + +Packaging: +- Solaris: Update packaging scripts and build new sysv startup scripts + (gilbert.r.loomis@saic.com) + +- HP/UX: Provide DEPOT package scripts. + (gilbert.r.loomis@saic.com) + +$Id: TODO,v 1.36 2001/02/17 01:04:37 mouring Exp $ diff -ru openssh-2.3.0p1/WARNING.RNG openssh-2.5.1p1/WARNING.RNG --- openssh-2.3.0p1/WARNING.RNG 2000-10-25 14:47:35.000000000 +1100 +++ openssh-2.5.1p1/WARNING.RNG 2001-02-09 12:55:36.000000000 +1100 @@ -16,6 +16,8 @@ If you are using the builtin random number support (configure will tell you if this is the case), then read this document in its entirety. +Alternately, you can use Lutz Jaenicke's PRNGd - a small daemon which +collects random numbers and makes them available by a socket. Please also request that your OS vendor provides a kernel-based random number collector (/dev/random) in future versions of your operating @@ -77,3 +79,5 @@ To make matters even more complex, some of the commands are reporting largely the same data as other commands (eg. the various "ps" calls). +$Id: WARNING.RNG,v 1.4 2001/02/09 01:55:36 djm Exp $ + diff -ru openssh-2.3.0p1/acconfig.h openssh-2.5.1p1/acconfig.h --- openssh-2.3.0p1/acconfig.h 2000-10-19 00:11:44.000000000 +1100 +++ openssh-2.5.1p1/acconfig.h 2001-02-18 17:01:00.000000000 +1100 @@ -1,3 +1,5 @@ +/* $Id: acconfig.h,v 1.102 2001/02/18 06:01:00 djm Exp $ */ + #ifndef _CONFIG_H #define _CONFIG_H @@ -12,6 +14,7 @@ /* SCO workaround */ #undef BROKEN_SYS_TERMIO_H +#undef HAVE_BOGUS_SYS_QUEUE_H /* Define if you have SCO protected password database */ #undef HAVE_SCO_PROTECTED_PW @@ -23,9 +26,6 @@ /* Define if your password has a pw_class field */ #undef HAVE_PW_CLASS_IN_PASSWD -/* Define if your socketpair() has bugs */ -#undef USE_PIPES - /* Define if your system's struct sockaddr_un has a sun_len member */ #undef HAVE_SUN_LEN_IN_SOCKADDR_UN 
@@ -68,8 +68,8 @@ /* Define if you are on NEWS-OS */ #undef HAVE_NEWS4 -/* Define if you want to disable PAM support */ -#undef DISABLE_PAM +/* Define if you want to enable PAM support */ +#undef USE_PAM /* Define if you want to enable AIX4's authenticate function */ #undef WITH_AIXAUTHENTICATE @@ -83,6 +83,9 @@ /* Define if you want IRIX audit trails */ #undef WITH_IRIX_AUDIT +/* Define if you want IRIX kernel jobs */ +#undef WITH_IRIX_JOBS + /* Location of random number pool */ #undef RANDOM_POOL @@ -102,6 +105,9 @@ * message at run-time. */ #undef RSAREF +/* struct timeval */ +#undef HAVE_STRUCT_TIMEVAL + /* struct utmp and struct utmpx fields */ #undef HAVE_HOST_IN_UTMP #undef HAVE_HOST_IN_UTMPX @@ -218,6 +224,10 @@ /* to pam_strerror */ #undef HAVE_OLD_PAM +/* Define if you are using Solaris-derived PAM which passes pam_messages */ +/* to the conversation function with an extra level of indirection */ +#undef PAM_SUN_CODEBASE + /* Set this to your mail directory if you don't have maillock.h */ #undef MAIL_DIRECTORY @@ -231,6 +241,7 @@ #undef HAVE_SOCKLEN_T #undef HAVE_SIZE_T #undef HAVE_SSIZE_T +#undef HAVE_CLOCK_T #undef HAVE_MODE_T #undef HAVE_PID_T #undef HAVE_SA_FAMILY_T @@ -243,6 +254,9 @@ #undef HAVE_SS_FAMILY_IN_SS #undef HAVE___SS_FAMILY_IN_SS +/* Define if you have a regcomp() function */ +#undef HAVE_REGCOMP + /* Define if you have /dev/ptmx */ #undef HAVE_DEV_PTMX @@ -256,7 +270,7 @@ #undef USER_PATH /* Specify location of ssh.pid */ -#undef PIDDIR +#undef _PATH_SSH_PIDDIR /* Use IPv4 for connection by default, IPv6 can still if explicity asked */ #undef IPV4_DEFAULT 
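Review bot: replacing "Define if you want to disable PAM support" / DISABLE_PAM with "Define if you want to enable PAM support" / USE_PAM inverts the polarity of the build option: PAM goes from opt-out to opt-in. Anyone rebuilding with an existing configure invocation gets an sshd with no PAM at all (auth-pam.c is entirely inside #ifdef USE_PAM) and no warning. This needs a prominent line in the install notes and the packaging scripts, and the ChangeLog entry for 2.5.1p1 should call it out as a behaviour change, not a rename.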
@@ -276,6 +290,9 @@ /* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */ #undef IPV4_IN_IPV6 +/* Define if you have BSD auth support */ +#undef BSD_AUTH + @BOTTOM@ /* ******************* Shouldn't need to edit below this line ************** */ diff -ru openssh-2.3.0p1/atomicio.c openssh-2.5.1p1/atomicio.c --- openssh-2.3.0p1/atomicio.c 2000-10-28 14:19:58.000000000 +1100 +++ openssh-2.5.1p1/atomicio.c 2001-01-22 16:34:40.000000000 +1100 @@ -24,10 +24,10 @@ */ #include "includes.h" -RCSID("$OpenBSD: atomicio.c,v 1.7 2000/10/18 18:04:02 markus Exp $"); +RCSID("$OpenBSD: atomicio.c,v 1.8 2001/01/21 19:05:40 markus Exp $"); #include "xmalloc.h" -#include "ssh.h" +#include "atomicio.h" /* * ensure all of data on socket comes through. f==read || f==write Only in openssh-2.5.1p1: atomicio.h Only in openssh-2.5.1p1: auth-chall.c diff -ru openssh-2.3.0p1/auth-krb4.c openssh-2.5.1p1/auth-krb4.c --- openssh-2.3.0p1/auth-krb4.c 2000-10-14 16:23:11.000000000 +1100 +++ openssh-2.5.1p1/auth-krb4.c 2001-01-23 11:19:16.000000000 +1100 @@ -23,12 +23,19 @@ */ #include "includes.h" +RCSID("$OpenBSD: auth-krb4.c,v 1.23 2001/01/22 08:15:00 markus Exp $"); + +#include "ssh.h" +#include "ssh1.h" #include "packet.h" #include "xmalloc.h" -#include "ssh.h" +#include "log.h" #include "servconf.h" +#include "auth.h" -RCSID("$OpenBSD: auth-krb4.c,v 1.19 2000/10/03 18:03:02 markus Exp $"); +#ifdef AFS +#include "radix.h" +#endif #ifdef KRB4 char *ticket = NULL; @@ -46,7 +53,7 @@ AUTH_DAT adata; KTEXT_ST tkt; struct hostent *hp; - unsigned long faddr; + u_long faddr; char localhost[MAXHOSTNAMELEN]; char phost[INST_SZ]; char realm[REALM_SZ]; diff -ru openssh-2.3.0p1/auth-options.c openssh-2.5.1p1/auth-options.c --- openssh-2.3.0p1/auth-options.c 2000-10-14 16:23:11.000000000 +1100 +++ openssh-2.5.1p1/auth-options.c 2001-02-11 09:27:19.000000000 +1100 
@@ -2,10 +2,6 @@ * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * RSA-based authentication. This code determines whether to admit a login - * based on RSA authentication. This file also contains functions to check - * validity of the host key. - * * As far as I am concerned, the code I have written for this software * can be used freely for any purpose. Any derived versions of this * software must be clearly marked as such, and if the derived work is @@ -14,12 +10,15 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-options.c,v 1.5 2000/10/09 21:32:34 markus Exp $"); +RCSID("$OpenBSD: auth-options.c,v 1.13 2001/02/09 13:38:07 markus Exp $"); -#include "ssh.h" #include "packet.h" #include "xmalloc.h" #include "match.h" +#include "log.h" +#include "canohost.h" +#include "auth-options.h" +#include "servconf.h" /* Flags set authorized_keys flags */ int no_port_forwarding_flag = 0; @@ -33,6 +32,8 @@ /* "environment=" options. */ struct envstring *custom_environment = NULL; +extern ServerOptions options; + void auth_clear_options(void) { 
@@ -52,103 +53,107 @@ } } -/* return 1 if access is granted, 0 if not. side effect: sets key option flags */ +/* + * return 1 if access is granted, 0 if not. + * side effect: sets key option flags + */ int -auth_parse_options(struct passwd *pw, char *options, unsigned long linenum) +auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) { const char *cp; - if (!options) - return 1; /* reset options */ auth_clear_options(); - while (*options && *options != ' ' && *options != '\t') { + if (!opts) + return 1; + + while (*opts && *opts != ' ' && *opts != '\t') { cp = "no-port-forwarding"; - if (strncmp(options, cp, strlen(cp)) == 0) { + if (strncasecmp(opts, cp, strlen(cp)) == 0) { packet_send_debug("Port forwarding disabled."); no_port_forwarding_flag = 1; - options += strlen(cp); + opts += strlen(cp); goto next_option; } cp = "no-agent-forwarding"; - if (strncmp(options, cp, strlen(cp)) == 0) { + if (strncasecmp(opts, cp, strlen(cp)) == 0) { packet_send_debug("Agent forwarding disabled."); no_agent_forwarding_flag = 1; - options += strlen(cp); + opts += strlen(cp); goto next_option; } cp = "no-X11-forwarding"; - if (strncmp(options, cp, strlen(cp)) == 0) { + if (strncasecmp(opts, cp, strlen(cp)) == 0) { packet_send_debug("X11 forwarding disabled."); no_x11_forwarding_flag = 1; - options += strlen(cp); + opts += strlen(cp); goto next_option; } cp = "no-pty"; - if (strncmp(options, cp, strlen(cp)) == 0) { + if (strncasecmp(opts, cp, strlen(cp)) == 0) { packet_send_debug("Pty allocation disabled."); no_pty_flag = 1; - options += strlen(cp); + opts += strlen(cp); goto next_option; } cp = "command=\""; - if (strncmp(options, cp, strlen(cp)) == 0) { + if (strncasecmp(opts, cp, strlen(cp)) == 0) { int i; - options += strlen(cp); - forced_command = xmalloc(strlen(options) + 1); + opts += strlen(cp); + forced_command = xmalloc(strlen(opts) + 1); i = 0; - while (*options) { - if (*options == '"') + while (*opts) { + if (*opts == '"') break; - if 
(*options == '\\' && options[1] == '"') { - options += 2; + if (*opts == '\\' && opts[1] == '"') { + opts += 2; forced_command[i++] = '"'; continue; } - forced_command[i++] = *options++; + forced_command[i++] = *opts++; } - if (!*options) { + if (!*opts) { debug("%.100s, line %lu: missing end quote", - SSH_USER_PERMITTED_KEYS, linenum); + file, linenum); packet_send_debug("%.100s, line %lu: missing end quote", - SSH_USER_PERMITTED_KEYS, linenum); + file, linenum); continue; } forced_command[i] = 0; packet_send_debug("Forced command: %.900s", forced_command); - options++; + opts++; goto next_option; } cp = "environment=\""; - if (strncmp(options, cp, strlen(cp)) == 0) { + if (strncasecmp(opts, cp, strlen(cp)) == 0) { int i; char *s; struct envstring *new_envstring; - options += strlen(cp); - s = xmalloc(strlen(options) + 1); + opts += strlen(cp); + s = xmalloc(strlen(opts) + 1); i = 0; - while (*options) { - if (*options == '"') + while (*opts) { + if (*opts == '"') break; - if (*options == '\\' && options[1] == '"') { - options += 2; + if (*opts == '\\' && opts[1] == '"') { + opts += 2; s[i++] = '"'; continue; } - s[i++] = *options++; + s[i++] = *opts++; } - if (!*options) { + if (!*opts) { debug("%.100s, line %lu: missing end quote", - SSH_USER_PERMITTED_KEYS, linenum); + file, linenum); packet_send_debug("%.100s, line %lu: missing end quote", - SSH_USER_PERMITTED_KEYS, linenum); + file, linenum); continue; } s[i] = 0; packet_send_debug("Adding to environment: %.900s", s); debug("Adding to environment: %.900s", s); - options++; + opts++; new_envstring = xmalloc(sizeof(struct envstring)); new_envstring->s = s; new_envstring->next = custom_environment; 
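Review bot: the missing-end-quote recovery in the command=" branch is still wrong, and this hunk is the place to fix it. When the closing quote is absent, *opts is already '\0', so the continue drops out of the while loop and the function falls through to the "grant access" return 1 at the bottom, with forced_command non-NULL and never NUL-terminated (the forced_command[i] = 0 line comes after the check). The key is accepted with a garbage forced command attached to it. Free forced_command, set it back to NULL and goto bad_option so the line is rejected; the environment=" branch has the identical continue and leaks s the same way. Moving auth_clear_options() ahead of the if (!opts) return 1 early exit is the right fix: before it, a key line with no options inherited the flags and forced_command left behind by a previous line.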
@@ -156,48 +161,53 @@ goto next_option; } cp = "from=\""; - if (strncmp(options, cp, strlen(cp)) == 0) { + if (strncasecmp(opts, cp, strlen(cp)) == 0) { int mname, mip; - char *patterns = xmalloc(strlen(options) + 1); + const char *remote_ip = get_remote_ipaddr(); + const char *remote_host = get_canonical_hostname( + options.reverse_mapping_check); + char *patterns = xmalloc(strlen(opts) + 1); int i; - options += strlen(cp); + opts += strlen(cp); i = 0; - while (*options) { - if (*options == '"') + while (*opts) { + if (*opts == '"') break; - if (*options == '\\' && options[1] == '"') { - options += 2; + if (*opts == '\\' && opts[1] == '"') { + opts += 2; patterns[i++] = '"'; continue; } - patterns[i++] = *options++; + patterns[i++] = *opts++; } - if (!*options) { + if (!*opts) { debug("%.100s, line %lu: missing end quote", - SSH_USER_PERMITTED_KEYS, linenum); + file, linenum); packet_send_debug("%.100s, line %lu: missing end quote", - SSH_USER_PERMITTED_KEYS, linenum); + file, linenum); continue; } patterns[i] = 0; - options++; + opts++; /* * Deny access if we get a negative * match for the hostname or the ip * or if we get not match at all */ - mname = match_hostname(get_canonical_hostname(), - patterns, strlen(patterns)); - mip = match_hostname(get_remote_ipaddr(), - patterns, strlen(patterns)); + mname = match_hostname(remote_host, patterns, + strlen(patterns)); + mip = match_hostname(remote_ip, patterns, + strlen(patterns)); xfree(patterns); if (mname == -1 || mip == -1 || (mname != 1 && mip != 1)) { - log("Authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).", - pw->pw_name, get_canonical_hostname(), - get_remote_ipaddr()); - packet_send_debug("Your host '%.200s' is not permitted to use this key for login.", - get_canonical_hostname()); + log("Authentication tried for %.100s with " + "correct key but not from a permitted " + "host (host=%.200s, ip=%.200s).", + pw->pw_name, remote_host, remote_ip); + 
packet_send_debug("Your host '%.200s' is not " + "permitted to use this key for login.", + remote_host); /* deny access */ return 0; } @@ -209,13 +219,13 @@ * Skip the comma, and move to the next option * (or break out if there are no more). */ - if (!*options) + if (!*opts) fatal("Bugs in auth-options.c option processing."); - if (*options == ' ' || *options == '\t') + if (*opts == ' ' || *opts == '\t') break; /* End of options. */ - if (*options != ',') + if (*opts != ',') goto bad_option; - options++; + opts++; /* Process the next option. */ } /* grant access */ @@ -223,9 +233,9 @@ bad_option: log("Bad options in %.100s file, line %lu: %.50s", - SSH_USER_PERMITTED_KEYS, linenum, options); + file, linenum, opts); packet_send_debug("Bad options in %.100s file, line %lu: %.50s", - SSH_USER_PERMITTED_KEYS, linenum, options); + file, linenum, opts); /* deny access */ return 0; } diff -ru openssh-2.3.0p1/auth-options.h openssh-2.5.1p1/auth-options.h --- openssh-2.3.0p1/auth-options.h 2000-11-06 12:39:34.000000000 +1100 +++ openssh-2.5.1p1/auth-options.h 2001-01-22 16:34:40.000000000 +1100 @@ -11,10 +11,17 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* $OpenBSD: auth-options.h,v 1.5 2000/10/16 09:38:44 djm Exp $ */ +/* $OpenBSD: auth-options.h,v 1.8 2001/01/21 19:05:42 markus Exp $ */ #ifndef AUTH_OPTIONS_H #define AUTH_OPTIONS_H + +/* Linked list of custom environment strings */ +struct envstring { + struct envstring *next; + char *s; +}; + /* Flags that may be set in authorized_keys options. */ extern int no_port_forwarding_flag; extern int no_agent_forwarding_flag; 
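Review bot: the from=" branch has the same missing-end-quote hole, and here it matters: on a missing closing quote the code does continue without ever reaching the match_hostname() calls, the loop exits because *opts is '\0', and the key is granted with no host restriction applied, while patterns is leaked. This branch must deny: xfree(patterns); goto bad_option;. Separately, remote_host is now resolved with get_canonical_hostname(options.reverse_mapping_check) before the pattern is parsed, so the reverse lookup runs even for a malformed option; harmless, but the lookups belong after the parse, where the old code had them.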
@@ -23,8 +30,14 @@ extern char *forced_command; extern struct envstring *custom_environment; -/* return 1 if access is granted, 0 if not. side effect: sets key option flags */ -int auth_parse_options(struct passwd *pw, char *options, unsigned long linenum); +/* + * return 1 if access is granted, 0 if not. + * side effect: sets key option flags + */ +int +auth_parse_options(struct passwd *pw, char *options, char *file, + u_long linenum); + /* reset options flags */ void auth_clear_options(void); diff -ru openssh-2.3.0p1/auth-pam.c openssh-2.5.1p1/auth-pam.c --- openssh-2.3.0p1/auth-pam.c 2000-10-15 02:08:49.000000000 +1100 +++ openssh-2.5.1p1/auth-pam.c 2001-02-15 11:51:32.000000000 +1100 
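Review bot: the prototype still names the second parameter options while the definition in auth-options.c now calls it opts (renamed because of the new file-scope extern ServerOptions options). Parameter names in a prototype have no effect on linkage, but leaving the clashing name in the header invites the shadowing to be reintroduced on the next edit; rename it to opts here too. Also, putting the return type on its own line is the OpenBSD convention for definitions, not declarations; the other prototypes in this header keep the type on the same line.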
@@ -27,33 +27,54 @@ #ifdef USE_PAM #include "ssh.h" #include "xmalloc.h" +#include "log.h" +#include "auth-pam.h" #include "servconf.h" +#include "canohost.h" +#include "readpass.h" -RCSID("$Id: auth-pam.c,v 1.18 2000/10/14 15:08:49 stevesk Exp $"); +RCSID("$Id: auth-pam.c,v 1.29 2001/02/15 00:51:32 djm Exp $"); #define NEW_AUTHTOK_MSG \ "Warning: Your password has expired, please change it now" -/* Callbacks */ -static int pamconv(int num_msg, const struct pam_message **msg, - struct pam_response **resp, void *appdata_ptr); -void pam_cleanup_proc(void *context); -void pam_msg_cat(const char *msg); +static int do_pam_conversation(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *appdata_ptr); /* module-local variables */ static struct pam_conv conv = { - pamconv, + do_pam_conversation, NULL }; -static pam_handle_t *pamh = NULL; -static const char *pampasswd = NULL; -static char *pam_msg = NULL; - -/* states for pamconv() */ -typedef enum { INITIAL_LOGIN, OTHER } pamstates; -static pamstates pamstate = INITIAL_LOGIN; +static char *__pam_msg = NULL; +static pam_handle_t *__pamh = NULL; +static const char *__pampasswd = NULL; + +/* states for do_pam_conversation() */ +enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN; /* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */ static int password_change_required = 0; +/* remember whether the last pam_authenticate() succeeded or not */ +static int was_authenticated = 0; + +/* Remember what has been initialised */ +static int session_opened = 0; +static int creds_set = 0; + +/* accessor which allows us to switch conversation structs according to + * the authentication method being used */ +void do_pam_set_conv(struct pam_conv *conv) +{ + pam_set_item(__pamh, PAM_CONV, conv); +} + +/* start an authentication run */ +int do_pam_authenticate(int flags) +{ + int retval = pam_authenticate(__pamh, flags); + was_authenticated = (retval == PAM_SUCCESS); + return retval; +} /* * PAM 
conversation function. @@ -61,14 +82,14 @@ * * INITIAL_LOGIN mode simply feeds the password from the client into * PAM in response to PAM_PROMPT_ECHO_OFF, and collects output - * messages with pam_msg_cat(). This is used during initial + * messages with into __pam_msg. This is used during initial * authentication to bypass the normal PAM password prompt. * * OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase(prompt, 1) * and outputs messages to stderr. This mode is used if pam_chauthtok() * is called to update expired passwords. */ -static int pamconv(int num_msg, const struct pam_message **msg, +static int do_pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr) { struct pam_response *reply; 
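Review bot: __pamh, __pam_msg and __pampasswd are reserved identifiers: C reserves every name beginning with two underscores for the implementation, and system and PAM headers do use such names. Plain file-scope names (pamh, pam_msg, pam_passwd) were fine. In the same hunk pamstate loses both its typedef and its static, so it becomes an externally visible global with a very generic name, and the parameter of do_pam_set_conv(struct pam_conv *conv) shadows the file-scope static struct pam_conv conv declared a few lines above, which is confusing when both are referenced from nearby code.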
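Review bot: the updated comment reads "collects output messages with into __pam_msg"; the "with" is a leftover from the old "with pam_msg_cat()". Make it "collects output messages into __pam_msg".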
@@ -78,43 +99,31 @@ /* PAM will free this later */ reply = malloc(num_msg * sizeof(*reply)); if (reply == NULL) - return PAM_CONV_ERR; + return PAM_CONV_ERR; for (count = 0; count < num_msg; count++) { - switch ((*msg)[count].msg_style) { + if (pamstate == INITIAL_LOGIN) { + /* + * We can't use stdio yet, queue messages for + * printing later + */ + switch(PAM_MSG_MEMBER(msg, count, msg_style)) { case PAM_PROMPT_ECHO_ON: - if (pamstate == INITIAL_LOGIN) { + free(reply); + return PAM_CONV_ERR; + case PAM_PROMPT_ECHO_OFF: + if (__pampasswd == NULL) { free(reply); return PAM_CONV_ERR; - } else { - fputs((*msg)[count].msg, stderr); - fgets(buf, sizeof(buf), stdin); - reply[count].resp = xstrdup(buf); - reply[count].resp_retcode = PAM_SUCCESS; - break; - } - case PAM_PROMPT_ECHO_OFF: - if (pamstate == INITIAL_LOGIN) { - if (pampasswd == NULL) { - free(reply); - return PAM_CONV_ERR; - } - reply[count].resp = xstrdup(pampasswd); - } else { - reply[count].resp = - xstrdup(read_passphrase((*msg)[count].msg, 1)); } + reply[count].resp = xstrdup(__pampasswd); reply[count].resp_retcode = PAM_SUCCESS; break; case PAM_ERROR_MSG: case PAM_TEXT_INFO: if ((*msg)[count].msg != NULL) { - if (pamstate == INITIAL_LOGIN) - pam_msg_cat((*msg)[count].msg); - else { - fputs((*msg)[count].msg, stderr); - fputs("\n", stderr); - } + message_cat(&__pam_msg, + PAM_MSG_MEMBER(msg, count, msg)); } reply[count].resp = xstrdup(""); reply[count].resp_retcode = PAM_SUCCESS; 
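Review bot: the NULL test in the PAM_ERROR_MSG / PAM_TEXT_INFO case still reads (*msg)[count].msg while the value passed to message_cat() is fetched through PAM_MSG_MEMBER(msg, count, msg). acconfig.h in this same diff introduces PAM_SUN_CODEBASE precisely because the Solaris-derived PAM passes the messages to the conversation function with an extra level of indirection, so on that codebase the two expressions do not address the same object and the NULL check tests the wrong thing. Use PAM_MSG_MEMBER in the test as well. Also, every PAM_CONV_ERR return after the first iteration does free(reply) but not the resp strings already xstrdup'd for earlier entries; free those first.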
@@ -122,6 +131,36 @@ default: free(reply); return PAM_CONV_ERR; + } + } else { + /* + * stdio is connected, so interact directly + */ + switch(PAM_MSG_MEMBER(msg, count, msg_style)) { + case PAM_PROMPT_ECHO_ON: + fputs(PAM_MSG_MEMBER(msg, count, msg), stderr); + fgets(buf, sizeof(buf), stdin); + reply[count].resp = xstrdup(buf); + reply[count].resp_retcode = PAM_SUCCESS; + break; + case PAM_PROMPT_ECHO_OFF: + reply[count].resp = xstrdup( + read_passphrase(PAM_MSG_MEMBER(msg, count, + msg), 1)); + reply[count].resp_retcode = PAM_SUCCESS; + break; + case PAM_ERROR_MSG: + case PAM_TEXT_INFO: + if ((*msg)[count].msg != NULL) + fprintf(stderr, "%s\n", + PAM_MSG_MEMBER(msg, count, msg)); + reply[count].resp = xstrdup(""); + reply[count].resp_retcode = PAM_SUCCESS; + break; + default: + free(reply); + return PAM_CONV_ERR; + } } } 
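Review bot: in the OTHER branch the PAM_PROMPT_ECHO_ON case ignores the return value of fgets(): on EOF buf holds whatever it held before and is handed to PAM as the answer, and on success the trailing newline is included in the response. Check for NULL, strip the newline, and return PAM_CONV_ERR on EOF. The same (*msg)[count].msg versus PAM_MSG_MEMBER mismatch as in the INITIAL_LOGIN branch appears in the PAM_ERROR_MSG / PAM_TEXT_INFO case here.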
@@ -131,29 +170,29 @@ } /* Called at exit to cleanly shutdown PAM */ -void pam_cleanup_proc(void *context) +void do_pam_cleanup_proc(void *context) { int pam_retval; - if (pamh != NULL) - { - pam_retval = pam_close_session(pamh, 0); - if (pam_retval != PAM_SUCCESS) { - log("Cannot close PAM session[%d]: %.200s", - pam_retval, PAM_STRERROR(pamh, pam_retval)); - } + if (__pamh && session_opened) { + pam_retval = pam_close_session(__pamh, 0); + if (pam_retval != PAM_SUCCESS) + log("Cannot close PAM session[%d]: %.200s", + pam_retval, PAM_STRERROR(__pamh, pam_retval)); + } - pam_retval = pam_setcred(pamh, PAM_DELETE_CRED); - if (pam_retval != PAM_SUCCESS) { + if (__pamh && creds_set) { + pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED); + if (pam_retval != PAM_SUCCESS) debug("Cannot delete credentials[%d]: %.200s", - pam_retval, PAM_STRERROR(pamh, pam_retval)); - } + pam_retval, PAM_STRERROR(__pamh, pam_retval)); + } - pam_retval = pam_end(pamh, pam_retval); - if (pam_retval != PAM_SUCCESS) { - log("Cannot release PAM authentication[%d]: %.200s", - pam_retval, PAM_STRERROR(pamh, pam_retval)); - } + if (__pamh) { + pam_retval = pam_end(__pamh, pam_retval); + if (pam_retval != PAM_SUCCESS) + log("Cannot release PAM authentication[%d]: %.200s", + pam_retval, PAM_STRERROR(__pamh, pam_retval)); } } @@ -163,6 +202,8 @@ extern ServerOptions options; int pam_retval; + do_pam_set_conv(&conv); + /* deny if no user. */ if (pw == NULL) return 0; 
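Review bot: pam_retval is declared without an initialiser and, now that the pam_close_session and pam_setcred blocks are conditional on session_opened and creds_set, it is passed uninitialised to pam_end(__pamh, pam_retval) whenever neither was done, which is exactly the common case of a failed authentication. Initialise it to PAM_SUCCESS. While here, set __pamh = NULL after pam_end() so a second run of the cleanup (it is registered with fatal_add_cleanup() and also called directly from finish_pam()) cannot use a released handle.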
@@ -171,17 +212,18 @@ if (*password == '\0' && options.permit_empty_passwd == 0) return 0; - pampasswd = password; - + __pampasswd = password; + pamstate = INITIAL_LOGIN; - pam_retval = pam_authenticate(pamh, 0); + pam_retval = do_pam_authenticate(0); if (pam_retval == PAM_SUCCESS) { - debug("PAM Password authentication accepted for user \"%.100s\"", - pw->pw_name); + debug("PAM Password authentication accepted for " + "user \"%.100s\"", pw->pw_name); return 1; } else { - debug("PAM Password authentication for \"%.100s\" failed[%d]: %s", - pw->pw_name, pam_retval, PAM_STRERROR(pamh, pam_retval)); + debug("PAM Password authentication for \"%.100s\" " + "failed[%d]: %s", pw->pw_name, pam_retval, + PAM_STRERROR(__pamh, pam_retval)); return 0; } } 
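Review bot: __pampasswd = password stores a pointer into the caller's buffer and is never cleared after do_pam_authenticate() returns, yet pamstate stays INITIAL_LOGIN, so any later PAM call that triggers the conversation (do_pam_account() is one) will hand out whatever that pointer refers to by then if the caller has freed or zeroed its password. Set __pampasswd = NULL after the authenticate call, whichever way it went.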
@@ -190,40 +232,34 @@ int do_pam_account(char *username, char *remote_user) { int pam_retval; - - debug("PAM setting rhost to \"%.200s\"", get_canonical_hostname()); - pam_retval = pam_set_item(pamh, PAM_RHOST, - get_canonical_hostname()); - if (pam_retval != PAM_SUCCESS) { - fatal("PAM set rhost failed[%d]: %.200s", - pam_retval, PAM_STRERROR(pamh, pam_retval)); - } - if (remote_user != NULL) { + do_pam_set_conv(&conv); + + if (remote_user) { debug("PAM setting ruser to \"%.200s\"", remote_user); - pam_retval = pam_set_item(pamh, PAM_RUSER, remote_user); - if (pam_retval != PAM_SUCCESS) { - fatal("PAM set ruser failed[%d]: %.200s", - pam_retval, PAM_STRERROR(pamh, pam_retval)); - } + pam_retval = pam_set_item(__pamh, PAM_RUSER, remote_user); + if (pam_retval != PAM_SUCCESS) + fatal("PAM set ruser failed[%d]: %.200s", pam_retval, + PAM_STRERROR(__pamh, pam_retval)); } - pam_retval = pam_acct_mgmt(pamh, 0); + pam_retval = pam_acct_mgmt(__pamh, 0); switch (pam_retval) { case PAM_SUCCESS: /* This is what we want */ break; case PAM_NEW_AUTHTOK_REQD: - pam_msg_cat(NEW_AUTHTOK_MSG); + message_cat(&__pam_msg, NEW_AUTHTOK_MSG); /* flag that password change is necessary */ password_change_required = 1; break; default: - log("PAM rejected by account configuration[%d]: %.200s", - pam_retval, PAM_STRERROR(pamh, pam_retval)); + log("PAM rejected by account configuration[%d]: " + "%.200s", pam_retval, PAM_STRERROR(__pamh, + pam_retval)); return(0); } - + return(1); } 
@@ -234,40 +270,44 @@ if (ttyname != NULL) { debug("PAM setting tty to \"%.200s\"", ttyname); - pam_retval = pam_set_item(pamh, PAM_TTY, ttyname); - if (pam_retval != PAM_SUCCESS) { - fatal("PAM set tty failed[%d]: %.200s", - pam_retval, PAM_STRERROR(pamh, pam_retval)); - } + pam_retval = pam_set_item(__pamh, PAM_TTY, ttyname); + if (pam_retval != PAM_SUCCESS) + fatal("PAM set tty failed[%d]: %.200s", + pam_retval, PAM_STRERROR(__pamh, pam_retval)); } - pam_retval = pam_open_session(pamh, 0); - if (pam_retval != PAM_SUCCESS) { - fatal("PAM session setup failed[%d]: %.200s", - pam_retval, PAM_STRERROR(pamh, pam_retval)); - } + pam_retval = pam_open_session(__pamh, 0); + if (pam_retval != PAM_SUCCESS) + fatal("PAM session setup failed[%d]: %.200s", + pam_retval, PAM_STRERROR(__pamh, pam_retval)); + session_opened = 1; } -/* Set PAM credentials */ +/* Set PAM credentials */ void do_pam_setcred(void) { int pam_retval; - + debug("PAM establishing creds"); - pam_retval = pam_setcred(pamh, PAM_ESTABLISH_CRED); + pam_retval = pam_setcred(__pamh, PAM_ESTABLISH_CRED); if (pam_retval != PAM_SUCCESS) { - fatal("PAM setcred failed[%d]: %.200s", - pam_retval, PAM_STRERROR(pamh, pam_retval)); - } + if (was_authenticated) + fatal("PAM setcred failed[%d]: %.200s", + pam_retval, PAM_STRERROR(__pamh, pam_retval)); + else + debug("PAM setcred failed[%d]: %.200s", + pam_retval, PAM_STRERROR(__pamh, pam_retval)); + } else + creds_set = 1; } /* accessor function for file scope static variable */ -int pam_password_change_required(void) +int is_pam_password_change_required(void) { return password_change_required; } -/* +/* * Have user change authentication token if pam_acct_mgmt() indicated * it was expired. This needs to be called after an interactive * session is established and the user's pty is connected to 
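Review bot: do_pam_setcred() now turns a failed pam_setcred(PAM_ESTABLISH_CRED) into a debug() whenever was_authenticated is 0, which is every session where the user got in by a non-PAM method and do_pam_authenticate() was never called. The session then proceeds without whatever the credential modules would have set up, and nothing above debug level records it. Keeping it non-fatal is reasonable, but it should be a log(), not a debug(). Also, the ttyname parameter of do_pam_session() shadows ttyname(3), which the portable tree now calls elsewhere according to the ChangeLog; pick another name.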
@@ -279,15 +319,13 @@ if (password_change_required) { pamstate = OTHER; - /* - * XXX: should we really loop forever? - */ + /* XXX: should we really loop forever? */ do { - pam_retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); - if (pam_retval != PAM_SUCCESS) { - log("PAM pam_chauthtok failed[%d]: %.200s", - pam_retval, PAM_STRERROR(pamh, pam_retval)); - } + pam_retval = pam_chauthtok(__pamh, + PAM_CHANGE_EXPIRED_AUTHTOK); + if (pam_retval != PAM_SUCCESS) + log("PAM pam_chauthtok failed[%d]: %.200s", + pam_retval, PAM_STRERROR(__pamh, pam_retval)); } while (pam_retval != PAM_SUCCESS); } } 
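Review bot: the "XXX: should we really loop forever?" is reworded but the answer is still no: a module that cannot change the token returns an error on every call and this do/while never gives up, so the sshd child spins with an authenticated but unusable session. Bound the retries (three attempts is what login programs usually allow) and fatal() after that, since pam_acct_mgmt() has already flagged the account as requiring a new token and it must not be let through.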
@@ -295,47 +333,53 @@ /* Cleanly shutdown PAM */ void finish_pam(void) { - pam_cleanup_proc(NULL); - fatal_remove_cleanup(&pam_cleanup_proc, NULL); + do_pam_cleanup_proc(NULL); + fatal_remove_cleanup(&do_pam_cleanup_proc, NULL); } /* Start PAM authentication for specified account */ -void start_pam(struct passwd *pw) +void start_pam(const char *user) { int pam_retval; + extern ServerOptions options; - debug("Starting up PAM with username \"%.200s\"", pw->pw_name); - - pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, &pamh); + debug("Starting up PAM with username \"%.200s\"", user); - if (pam_retval != PAM_SUCCESS) { - fatal("PAM initialisation failed[%d]: %.200s", - pam_retval, PAM_STRERROR(pamh, pam_retval)); - } + pam_retval = pam_start(SSHD_PAM_SERVICE, user, &conv, &__pamh); + if (pam_retval != PAM_SUCCESS) + fatal("PAM initialisation failed[%d]: %.200s", + pam_retval, PAM_STRERROR(__pamh, pam_retval)); + + debug("PAM setting rhost to \"%.200s\"", + get_canonical_hostname(options.reverse_mapping_check)); + pam_retval = pam_set_item(__pamh, PAM_RHOST, + get_canonical_hostname(options.reverse_mapping_check)); + if (pam_retval != PAM_SUCCESS) + fatal("PAM set rhost failed[%d]: %.200s", pam_retval, + PAM_STRERROR(__pamh, pam_retval)); #ifdef PAM_TTY_KLUDGE /* * Some PAM modules (e.g. pam_time) require a TTY to operate, - * and will fail in various stupid ways if they don't get one. + * and will fail in various stupid ways if they don't get one. 
* sshd doesn't set the tty until too late in the auth process and may * not even need one (for tty-less connections) - * Kludge: Set a fake PAM_TTY + * Kludge: Set a fake PAM_TTY */ - pam_retval = pam_set_item(pamh, PAM_TTY, "ssh"); - if (pam_retval != PAM_SUCCESS) { - fatal("PAM set tty failed[%d]: %.200s", - pam_retval, PAM_STRERROR(pamh, pam_retval)); - } + pam_retval = pam_set_item(__pamh, PAM_TTY, "ssh"); + if (pam_retval != PAM_SUCCESS) + fatal("PAM set tty failed[%d]: %.200s", + pam_retval, PAM_STRERROR(__pamh, pam_retval)); #endif /* PAM_TTY_KLUDGE */ - fatal_add_cleanup(&pam_cleanup_proc, NULL); + fatal_add_cleanup(&do_pam_cleanup_proc, NULL); } /* Return list of PAM enviornment strings */ char **fetch_pam_environment(void) { #ifdef HAVE_PAM_GETENVLIST - return(pam_getenvlist(pamh)); + return(pam_getenvlist(__pamh)); #else /* HAVE_PAM_GETENVLIST */ return(NULL); #endif /* HAVE_PAM_GETENVLIST */ 
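Review bot: fatal_add_cleanup(&do_pam_cleanup_proc, NULL) is registered only at the very end of start_pam(), after the fatal() calls for PAM_RHOST and, under PAM_TTY_KLUDGE, PAM_TTY, so a failure in either leaves the handle obtained from pam_start() without a pam_end(). Register the cleanup immediately after the successful pam_start(). Two smaller points in the same hunk: get_canonical_hostname(options.reverse_mapping_check) is called twice in a row (once for the debug, once for pam_set_item), so cache the result; and the pam_start failure path formats PAM_STRERROR(__pamh, pam_retval) with a handle that was never initialised, which is pre-existing, but printing only the numeric code there would be safer.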
@@ -345,30 +389,29 @@ /* or account checking to stderr */ void print_pam_messages(void) { - if (pam_msg != NULL) - fputs(pam_msg, stderr); + if (__pam_msg != NULL) + fputs(__pam_msg, stderr); } -/* Append a message to the PAM message buffer */ -void pam_msg_cat(const char *msg) +/* Append a message to buffer */ +void message_cat(char **p, const char *a) { - char *p; - size_t new_msg_len; - size_t pam_msg_len; - - new_msg_len = strlen(msg); - - if (pam_msg) { - pam_msg_len = strlen(pam_msg); - pam_msg = xrealloc(pam_msg, new_msg_len + pam_msg_len + 2); - p = pam_msg + pam_msg_len; - } else { - pam_msg = p = xmalloc(new_msg_len + 2); - } + char *cp; + size_t new_len; + + new_len = strlen(a); + + if (*p) { + size_t len = strlen(*p); + + *p = xrealloc(*p, new_len + len + 2); + cp = *p + len; + } else + *p = cp = xmalloc(new_len + 2); - memcpy(p, msg, new_msg_len); - p[new_msg_len] = '\n'; - p[new_msg_len + 1] = '\0'; + memcpy(cp, a, new_len); + cp[new_len] = '\n'; + cp[new_len + 1] = '\0'; } #endif /* USE_PAM */ diff -ru openssh-2.3.0p1/auth-pam.h openssh-2.5.1p1/auth-pam.h --- openssh-2.3.0p1/auth-pam.h 2000-10-15 02:08:49.000000000 +1100 +++ openssh-2.5.1p1/auth-pam.h 2001-02-15 11:51:32.000000000 +1100 
@@ -1,17 +1,22 @@ +/* $Id: auth-pam.h,v 1.10 2001/02/15 00:51:32 djm Exp $ */ + #include "includes.h" #ifdef USE_PAM #include /* For struct passwd */ -void start_pam(struct passwd *pw); +void start_pam(const char *user); void finish_pam(void); int auth_pam_password(struct passwd *pw, const char *password); char **fetch_pam_environment(void); +int do_pam_authenticate(int flags); int do_pam_account(char *username, char *remote_user); void do_pam_session(char *username, const char *ttyname); void do_pam_setcred(void); void print_pam_messages(void); -int pam_password_change_required(void); +int is_pam_password_change_required(void); void do_pam_chauthtok(void); +void do_pam_set_conv(struct pam_conv *); +void message_cat(char **p, const char *a); #endif /* USE_PAM */ diff -ru openssh-2.3.0p1/auth-passwd.c openssh-2.5.1p1/auth-passwd.c --- openssh-2.3.0p1/auth-passwd.c 2000-10-14 16:23:11.000000000 +1100 +++ openssh-2.5.1p1/auth-passwd.c 2001-02-18 17:01:00.000000000 +1100 
@@ -11,30 +11,7 @@ * incompatible with the protocol description in the RFC file, it must be * called by a name other than "ssh" or "Secure Shell". * - * * Copyright (c) 1999 Dug Song. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - * * Copyright (c) 2000 Markus Friedl. All rights reserved. * * Redistribution and use in source and binary forms, with or without 
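Review bot: deleting the Dug Song copyright and BSD terms from the header is only correct if none of the code he contributed remains in auth-passwd.c. The diff does remove the SKEY_VIA_PASSWD_IS_DISABLED block further down, which appears to be the reason, but neither the commit nor the ChangeLog says so; record that the S/Key code was removed and that the notice was dropped for that reason, so the licence history of the file stays auditable.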
@@ -59,14 +36,15 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-passwd.c,v 1.18 2000/10/03 18:03:03 markus Exp $"); +RCSID("$OpenBSD: auth-passwd.c,v 1.21 2001/02/12 16:16:23 markus Exp $"); #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) #include "packet.h" -#include "ssh.h" -#include "servconf.h" #include "xmalloc.h" +#include "log.h" +#include "servconf.h" +#include "auth.h" #ifdef WITH_AIXAUTHENTICATE # include @@ -99,14 +77,17 @@ #define is_winnt (GetVersion() < 0x80000000) #endif + +extern ServerOptions options; + /* * Tries to authenticate the user using password. Returns true if * authentication succeeds. */ int -auth_password(struct passwd * pw, const char *password) +auth_password(Authctxt *authctxt, const char *password) { - extern ServerOptions options; + struct passwd * pw = authctxt->pw; char *encrypted_password; char *pw_password; char *salt; @@ -132,7 +113,7 @@ if (pw == NULL) return 0; #ifndef HAVE_CYGWIN - if (pw->pw_uid == 0 && options.permit_root_login == 2) + if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) return 0; #endif #ifdef HAVE_CYGWIN @@ -140,10 +121,17 @@ * Empty password is only possible on NT if the user has _really_ * an empty password and authentication is done, though. */ - if (!is_winnt) + if (!is_winnt) #endif if (*password == '\0' && options.permit_empty_passwd == 0) return 0; +#ifdef BSD_AUTH + if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh", + (char *)password) == 0) + return 0; + else + return 1; +#endif #ifdef HAVE_CYGWIN if (is_winnt) { @@ -156,15 +144,6 @@ } #endif -#ifdef SKEY_VIA_PASSWD_IS_DISABLED - if (options.skey_authentication == 1) { - int ret = auth_skey_password(pw, password); - if (ret == 1 || ret == 0) - return ret; - /* Fall back to ordinary passwd authentication. */ - } -#endif - #ifdef WITH_AIXAUTHENTICATE return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); #endif 
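Review bot: changing the root check from options.permit_root_login == 2 to != PERMIT_YES is a behaviour change, not a cleanup: previously exactly one mode refused password authentication for uid 0, now every mode other than plain "yes" does, including any mode added later. That is the safer direction, but sshd_config(5) must state that PermitRootLogin settings other than "yes" disable password authentication for root, and the ChangeLog should list it.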
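Review bot: the new #ifdef BSD_AUTH block returns unconditionally, so in a BSD_AUTH build everything from the Cygwin branch down to the final strcmp() is unreachable and compilers will warn about it; wrap the remainder in the matching #else, or move the auth_userokay() call into its own function selected at the top. Also, (char *)password casts away the const of a parameter the function promises not to modify; if auth_userokay() really takes a char *, pass a copy.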
@@ -186,13 +165,13 @@ */ #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) spw = getspnam(pw->pw_name); - if (spw != NULL) + if (spw != NULL) pw_password = spw->sp_pwdp; #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ #ifdef HAVE_SCO_PROTECTED_PW spw = getprpwnam(pw->pw_name); - if (spw != NULL) + if (spw != NULL) pw_password = spw->ufld.fd_encrypt; #endif /* HAVE_SCO_PROTECTED_PW */ @@ -220,7 +199,7 @@ encrypted_password = md5_crypt(password, salt); else encrypted_password = crypt(password, salt); -#else /* HAVE_MD5_PASSWORDS */ +#else /* HAVE_MD5_PASSWORDS */ # ifdef __hpux if (iscomsec()) encrypted_password = bigcrypt(password, salt); @@ -229,7 +208,7 @@ # else encrypted_password = crypt(password, salt); # endif /* __hpux */ -#endif /* HAVE_MD5_PASSWORDS */ +#endif /* HAVE_MD5_PASSWORDS */ /* Authentication is accepted if the encrypted passwords are identical. */ return (strcmp(encrypted_password, pw_password) == 0); diff -ru openssh-2.3.0p1/auth-rh-rsa.c openssh-2.5.1p1/auth-rh-rsa.c --- openssh-2.3.0p1/auth-rh-rsa.c 2000-10-14 16:23:11.000000000 +1100 +++ openssh-2.5.1p1/auth-rh-rsa.c 2001-02-04 23:20:19.000000000 +1100 @@ -13,18 +13,19 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rh-rsa.c,v 1.17 2000/10/03 18:03:03 markus Exp $"); +RCSID("$OpenBSD: auth-rh-rsa.c,v 1.22 2001/02/03 10:08:36 markus Exp $"); #include "packet.h" -#include "ssh.h" #include "xmalloc.h" #include "uidswap.h" +#include "log.h" #include "servconf.h" - -#include -#include #include "key.h" #include "hostfile.h" +#include "pathnames.h" +#include "auth.h" +#include "tildexpand.h" +#include "canohost.h" /* * Tries to authenticate the user using the .rhosts file and the host using 
@@ -48,26 +49,27 @@ if (!auth_rhosts(pw, client_user)) return 0; - canonical_hostname = get_canonical_hostname(); + canonical_hostname = get_canonical_hostname( + options.reverse_mapping_check); debug("Rhosts RSA authentication: canonical host %.900s", canonical_hostname); /* wrap the RSA key into a 'generic' key */ - client_key = key_new(KEY_RSA); + client_key = key_new(KEY_RSA1); BN_copy(client_key->rsa->e, client_host_key->e); BN_copy(client_key->rsa->n, client_host_key->n); - found = key_new(KEY_RSA); + found = key_new(KEY_RSA1); /* Check if we know the host and its host key. */ - host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname, - client_key, found); + host_status = check_host_in_hostfile(_PATH_SSH_SYSTEM_HOSTFILE, canonical_hostname, + client_key, found, NULL); /* Check user host file unless ignored. */ if (host_status != HOST_OK && !options.ignore_user_known_hosts) { struct stat st; - char *user_hostfile = tilde_expand_filename(SSH_USER_HOSTFILE, pw->pw_uid); + char *user_hostfile = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid); /* - * Check file permissions of SSH_USER_HOSTFILE, auth_rsa() + * Check file permissions of _PATH_SSH_USER_HOSTFILE, auth_rsa() * did already check pw->pw_dir, but there is a race XXX */ if (options.strict_modes && @@ -80,7 +82,7 @@ /* XXX race between stat and the following open() */ temporarily_use_uid(pw->pw_uid); host_status = check_host_in_hostfile(user_hostfile, canonical_hostname, - client_key, found); + client_key, found, NULL); restore_uid(); } xfree(user_hostfile); diff -ru openssh-2.3.0p1/auth-rhosts.c openssh-2.5.1p1/auth-rhosts.c --- openssh-2.3.0p1/auth-rhosts.c 2000-10-14 16:23:11.000000000 +1100 +++ openssh-2.5.1p1/auth-rhosts.c 2001-02-09 13:11:24.000000000 +1100 
@@ -14,13 +14,16 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rhosts.c,v 1.16 2000/10/03 18:03:03 markus Exp $"); +RCSID("$OpenBSD: auth-rhosts.c,v 1.21 2001/02/08 19:30:51 itojun Exp $"); #include "packet.h" -#include "ssh.h" #include "xmalloc.h" #include "uidswap.h" +#include "pathnames.h" +#include "log.h" #include "servconf.h" +#include "canohost.h" +#include "auth.h" /* * This function processes an rhosts-style file (.rhosts, .shosts, or @@ -152,7 +155,7 @@ const char *hostname, *ipaddr; struct stat st; static const char *rhosts_files[] = {".shosts", ".rhosts", NULL}; - unsigned int rhosts_file_index; + u_int rhosts_file_index; /* no user given */ if (pw == NULL) 
@@ -177,25 +180,25 @@ /* Deny if The user has no .shosts or .rhosts file and there are no system-wide files. */ if (!rhosts_files[rhosts_file_index] && - stat("/etc/hosts.equiv", &st) < 0 && - stat(SSH_HOSTS_EQUIV, &st) < 0) + stat(_PATH_RHOSTS_EQUIV, &st) < 0 && + stat(_PATH_SSH_HOSTS_EQUIV, &st) < 0) return 0; - hostname = get_canonical_hostname(); + hostname = get_canonical_hostname(options.reverse_mapping_check); ipaddr = get_remote_ipaddr(); /* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */ if (pw->pw_uid != 0) { - if (check_rhosts_file("/etc/hosts.equiv", hostname, ipaddr, client_user, + if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, client_user, pw->pw_name)) { packet_send_debug("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", hostname, ipaddr); return 1; } - if (check_rhosts_file(SSH_HOSTS_EQUIV, hostname, ipaddr, client_user, + if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, client_user, pw->pw_name)) { packet_send_debug("Accepted for %.100s [%.100s] by %.100s.", - hostname, ipaddr, SSH_HOSTS_EQUIV); + hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV); return 1; } } diff -ru openssh-2.3.0p1/auth-rsa.c openssh-2.5.1p1/auth-rsa.c --- openssh-2.3.0p1/auth-rsa.c 2000-10-16 12:14:42.000000000 +1100 +++ openssh-2.5.1p1/auth-rsa.c 2001-01-22 16:34:40.000000000 +1100 @@ -14,21 +14,23 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rsa.c,v 1.32 2000/10/14 12:19:45 markus Exp $"); +RCSID("$OpenBSD: auth-rsa.c,v 1.38 2001/01/21 19:05:42 markus Exp $"); + +#include +#include #include "rsa.h" #include "packet.h" #include "xmalloc.h" -#include "ssh.h" +#include "ssh1.h" #include "mpaux.h" #include "uidswap.h" #include "match.h" -#include "servconf.h" #include "auth-options.h" - -#include -#include - +#include "pathnames.h" +#include "log.h" +#include "servconf.h" +#include "auth.h" /* import */ extern ServerOptions options; 
@@ -37,7 +39,7 @@ * Session identifier that is used to bind key exchange and authentication * responses to a particular session. */ -extern unsigned char session_id[16]; +extern u_char session_id[16]; /* * The .ssh/authorized_keys file contains public keys, one per line, in the @@ -60,9 +62,9 @@ { BIGNUM *challenge, *encrypted_challenge; BN_CTX *ctx; - unsigned char buf[32], mdbuf[16], response[16]; + u_char buf[32], mdbuf[16], response[16]; MD5_CTX md; - unsigned int i; + u_int i; int plen, len; encrypted_challenge = BN_new(); @@ -120,11 +122,11 @@ int auth_rsa(struct passwd *pw, BIGNUM *client_n) { - char line[8192], file[1024]; + char line[8192], file[MAXPATHLEN]; int authenticated; - unsigned int bits; + u_int bits; FILE *f; - unsigned long linenum = 0; + u_long linenum = 0; struct stat st; RSA *pk; @@ -137,7 +139,7 @@ /* The authorized keys. */ snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir, - SSH_USER_PERMITTED_KEYS); + _PATH_SSH_USER_PERMITTED_KEYS); /* Fail quietly if file does not exist */ if (stat(file, &st) < 0) { @@ -165,10 +167,10 @@ "bad ownership or modes for '%s'.", pw->pw_name, file); fail = 1; } else { - /* Check path to SSH_USER_PERMITTED_KEYS */ + /* Check path to _PATH_SSH_USER_PERMITTED_KEYS */ int i; static const char *check[] = { - "", SSH_USER_DIR, NULL + "", _PATH_SSH_USER_DIR, NULL }; for (i = 0; check[i]; i++) { snprintf(line, sizeof line, "%.500s/%.100s", pw->pw_dir, check[i]); @@ -231,19 +233,13 @@ } } else options = NULL; - /* - * If our options do not allow this key to be used, - * do not send challenge. - */ - if (!auth_parse_options(pw, options, linenum)) - continue; /* Parse the key from the line. */ if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) { debug("%.100s, line %lu: bad key syntax", - SSH_USER_PERMITTED_KEYS, linenum); + file, linenum); packet_send_debug("%.100s, line %lu: bad key syntax", - SSH_USER_PERMITTED_KEYS, linenum); + file, linenum); continue; } /* cp now points to the comment part. */ 
@@ -259,6 +255,12 @@ file, linenum, BN_num_bits(pk->n), bits); /* We have found the desired key. */ + /* + * If our options do not allow this key to be used, + * do not send challenge. + */ + if (!auth_parse_options(pw, options, file, linenum)) + continue; /* Perform the challenge-response dialog for this key. */ if (!auth_rsa_challenge_dialog(pk)) { Only in openssh-2.5.1p1: auth-sia.c Only in openssh-2.5.1p1: auth-sia.h Only in openssh-2.3.0p1: auth-skey.c diff -ru openssh-2.3.0p1/auth.c openssh-2.5.1p1/auth.c --- openssh-2.3.0p1/auth.c 2000-10-30 01:38:55.000000000 +1100 +++ openssh-2.5.1p1/auth.c 2001-02-15 14:08:27.000000000 +1100 @@ -1,14 +1,4 @@ /* - * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland - * All rights reserved - * - * As far as I am concerned, the code I have written for this software - * can be used freely for any purpose. Any derived versions of this - * software must be clearly marked as such, and if the derived work is - * incompatible with the protocol description in the RFC file, it must be - * called by a name other than "ssh" or "Secure Shell". - * - * * Copyright (c) 2000 Markus Friedl. All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -33,19 +23,8 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $"); +RCSID("$OpenBSD: auth.c,v 1.17 2001/02/12 16:16:23 markus Exp $"); -#include "xmalloc.h" -#include "rsa.h" -#include "ssh.h" -#include "pty.h" -#include "packet.h" -#include "buffer.h" -#include "mpaux.h" -#include "servconf.h" -#include "compat.h" -#include "channels.h" -#include "match.h" #ifdef HAVE_LOGIN_H #include #endif 
@@ -53,20 +32,24 @@ #include #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ -#include "bufaux.h" -#include "ssh2.h" +#include "xmalloc.h" +#include "match.h" +#include "groupaccess.h" +#include "log.h" +#include "servconf.h" #include "auth.h" -#include "session.h" +#include "auth-options.h" +#include "canohost.h" /* import */ extern ServerOptions options; /* - * Check if the user is allowed to log in via ssh. If user is listed in - * DenyUsers or user's primary group is listed in DenyGroups, false will - * be returned. If AllowUsers isn't empty and user isn't listed there, or - * if AllowGroups isn't empty and user isn't listed there, false will be - * returned. + * Check if the user is allowed to log in via ssh. If user is listed + * in DenyUsers or one of user's groups is listed in DenyGroups, false + * will be returned. If AllowUsers isn't empty and user isn't listed + * there, or if AllowGroups isn't empty and one of user's groups isn't + * listed there, false will be returned. * If the user's shell is not executable, false will be returned. * Otherwise true is returned. */ @@ -74,7 +57,6 @@ allowed_user(struct passwd * pw) { struct stat st; - struct group *grp; char *shell; int i; #ifdef WITH_AIXAUTHENTICATE @@ -82,10 +64,10 @@ #endif /* WITH_AIXAUTHENTICATE */ #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) - struct spwd *spw; + struct spwd *spw; /* Shouldn't be called if pw is NULL, but better safe than sorry... */ - if (!pw) + if (!pw || !pw->pw_name) return 0; spw = getspnam(pw->pw_name); @@ -97,13 +79,13 @@ return 0; /* Check password expiry */ - if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) && + if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) && (days > (spw->sp_lstchg + spw->sp_max))) return 0; } #else /* Shouldn't be called if pw is NULL, but better safe than sorry... */ - if (!pw) + if (!pw || !pw->pw_name) return 0; #endif 
@@ -121,16 +103,12 @@ /* Return false if user is listed in DenyUsers */ if (options.num_deny_users > 0) { - if (!pw->pw_name) - return 0; for (i = 0; i < options.num_deny_users; i++) if (match_pattern(pw->pw_name, options.deny_users[i])) return 0; } /* Return false if AllowUsers isn't empty and user isn't listed there */ if (options.num_allow_users > 0) { - if (!pw->pw_name) - return 0; for (i = 0; i < options.num_allow_users; i++) if (match_pattern(pw->pw_name, options.allow_users[i])) break; @@ -138,35 +116,29 @@ if (i >= options.num_allow_users) return 0; } - /* Get the primary group name if we need it. Return false if it fails */ if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { - grp = getgrgid(pw->pw_gid); - if (!grp) + /* Get the user's group access list (primary and supplementary) */ + if (ga_init(pw->pw_name, pw->pw_gid) == 0) return 0; - /* Return false if user's group is listed in DenyGroups */ - if (options.num_deny_groups > 0) { - if (!grp->gr_name) + /* Return false if one of user's groups is listed in DenyGroups */ + if (options.num_deny_groups > 0) + if (ga_match(options.deny_groups, + options.num_deny_groups)) { + ga_free(); return 0; - for (i = 0; i < options.num_deny_groups; i++) - if (match_pattern(grp->gr_name, options.deny_groups[i])) - return 0; - } + } /* - * Return false if AllowGroups isn't empty and user's group + * Return false if AllowGroups isn't empty and one of user's groups * isn't listed there */ - if (options.num_allow_groups > 0) { - if (!grp->gr_name) - return 0; - for (i = 0; i < options.num_allow_groups; i++) - if (match_pattern(grp->gr_name, options.allow_groups[i])) - break; - /* i < options.num_allow_groups iff we break for - loop */ - if (i >= options.num_allow_groups) + if (options.num_allow_groups > 0) + if (!ga_match(options.allow_groups, + options.num_allow_groups)) { + ga_free(); return 0; - } + } + ga_free(); } #ifdef WITH_AIXAUTHENTICATE 
@@ -189,3 +161,81 @@ /* We found no reason not to let this user try to log on... */ return 1; } + +Authctxt * +authctxt_new(void) +{ + Authctxt *authctxt = xmalloc(sizeof(*authctxt)); + memset(authctxt, 0, sizeof(*authctxt)); + return authctxt; +} + +struct passwd * +pwcopy(struct passwd *pw) +{ + struct passwd *copy = xmalloc(sizeof(*copy)); + memset(copy, 0, sizeof(*copy)); + copy->pw_name = xstrdup(pw->pw_name); + copy->pw_passwd = xstrdup(pw->pw_passwd); + copy->pw_uid = pw->pw_uid; + copy->pw_gid = pw->pw_gid; +#ifdef HAVE_PW_CLASS_IN_PASSWD + copy->pw_class = xstrdup(pw->pw_class); +#endif + copy->pw_dir = xstrdup(pw->pw_dir); + copy->pw_shell = xstrdup(pw->pw_shell); + return copy; +} + +void +auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) +{ + void (*authlog) (const char *fmt,...) = verbose; + char *authmsg; + + /* Raise logging level */ + if (authenticated == 1 || + !authctxt->valid || + authctxt->failures >= AUTH_FAIL_LOG || + strcmp(method, "password") == 0) + authlog = log; + + if (authctxt->postponed) + authmsg = "Postponed"; + else + authmsg = authenticated ? "Accepted" : "Failed"; + + authlog("%s %s for %s%.100s from %.200s port %d%s", + authmsg, + method, + authctxt->valid ? "" : "illegal user ", + authctxt->valid && authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user, + get_remote_ipaddr(), + get_remote_port(), + info); +} + +/* + * Check whether root logins are disallowed. 
+ */ +int +auth_root_allowed(char *method) +{ + switch (options.permit_root_login) { + case PERMIT_YES: + return 1; + break; + case PERMIT_NO_PASSWD: + if (strcmp(method, "password") != 0) + return 1; + break; + case PERMIT_FORCED_ONLY: + if (forced_command) { + log("Root login accepted for forced command."); + return 1; + } + break; + } + log("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr()); + return 0; +} diff -ru openssh-2.3.0p1/auth.h openssh-2.5.1p1/auth.h --- openssh-2.3.0p1/auth.h 2000-10-14 16:23:11.000000000 +1100 +++ openssh-2.5.1p1/auth.h 2001-02-18 17:01:00.000000000 +1100 
@@ -20,30 +20,119 @@ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * $OpenBSD: auth.h,v 1.11 2001/02/12 16:16:23 markus Exp $ */ #ifndef AUTH_H #define AUTH_H +#include + +#ifdef HAVE_LOGIN_CAP +#include +#endif +#ifdef BSD_AUTH +#include +#endif + typedef struct Authctxt Authctxt; struct Authctxt { int success; + int postponed; int valid; int attempt; + int failures; char *user; char *service; struct passwd *pw; + char *style; +#ifdef BSD_AUTH + auth_session_t *as; +#endif }; +/* + * Tries to authenticate the user using the .rhosts file. Returns true if + * authentication succeeds. If ignore_rhosts is non-zero, this will not + * consider .rhosts and .shosts (/etc/hosts.equiv will still be used). + */ +int auth_rhosts(struct passwd * pw, const char *client_user); + +/* + * Tries to authenticate the user using the .rhosts file and the host using + * its host key. Returns true if authentication succeeds. + */ +int +auth_rhosts_rsa(struct passwd * pw, const char *client_user, RSA* client_host_key); + +/* + * Tries to authenticate the user using password. Returns true if + * authentication succeeds. + */ +int auth_password(Authctxt *authctxt, const char *password); + +/* + * Performs the RSA authentication dialog with the client. This returns 0 if + * the client could not be authenticated, and 1 if authentication was + * successful. This may exit if there is a serious protocol violation. + */ +int auth_rsa(struct passwd * pw, BIGNUM * client_n); + +/* + * Parses an RSA key (number of bits, e, n) from a string. Moves the pointer + * over the key. Skips any whitespace at the beginning and at end. 
+ */ +int auth_rsa_read_key(char **cpp, u_int *bitsp, BIGNUM * e, BIGNUM * n); + +/* + * Performs the RSA authentication challenge-response dialog with the client, + * and returns true (non-zero) if the client gave the correct answer to our + * challenge; returns zero if the client gives a wrong answer. + */ +int auth_rsa_challenge_dialog(RSA *pk); + +#ifdef KRB4 +#include +/* + * Performs Kerberos v4 mutual authentication with the client. This returns 0 + * if the client could not be authenticated, and 1 if authentication was + * successful. This may exit if there is a serious protocol violation. + */ +int auth_krb4(const char *server_user, KTEXT auth, char **client); +int krb4_init(uid_t uid); +void krb4_cleanup_proc(void *ignore); +int auth_krb4_password(struct passwd * pw, const char *password); + +#ifdef AFS +#include + +/* Accept passed Kerberos v4 ticket-granting ticket and AFS tokens. */ +int auth_kerberos_tgt(struct passwd * pw, const char *string); +int auth_afs_token(struct passwd * pw, const char *token_string); +#endif /* AFS */ + +#endif /* KRB4 */ + +#include "auth-pam.h" +#include "auth2-pam.h" + void do_authentication(void); void do_authentication2(void); -void userauth_log(Authctxt *authctxt, int authenticated, char *method); +Authctxt *authctxt_new(void); +void auth_log(Authctxt *authctxt, int authenticated, char *method, char *info); void userauth_reply(Authctxt *authctxt, int authenticated); +int auth_root_allowed(char *method); -int auth2_skey(Authctxt *authctxt); +int auth2_challenge(Authctxt *authctxt, char *devs); int allowed_user(struct passwd * pw); + +char *get_challenge(Authctxt *authctxt, char *devs); +int verify_response(Authctxt *authctxt, char *response); + struct passwd * auth_get_user(void); +struct passwd * pwcopy(struct passwd *pw); #define AUTH_FAIL_MAX 6 #define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2) diff -ru openssh-2.3.0p1/auth1.c openssh-2.5.1p1/auth1.c --- openssh-2.3.0p1/auth1.c 2000-10-14 16:23:11.000000000 +1100 +++ 
openssh-2.5.1p1/auth1.c 2001-02-18 17:01:00.000000000 +1100 @@ -10,19 +10,15 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.6 2000/10/11 20:27:23 markus Exp $"); - -#ifdef HAVE_OSF_SIA -# include -# include -#endif +RCSID("$OpenBSD: auth1.c,v 1.17 2001/02/13 22:49:40 markus Exp $"); #include "xmalloc.h" #include "rsa.h" -#include "ssh.h" +#include "ssh1.h" #include "packet.h" #include "buffer.h" #include "mpaux.h" +#include "log.h" #include "servconf.h" #include "compat.h" #include "auth.h" @@ -35,10 +31,6 @@ #ifdef WITH_AIXAUTHENTICATE extern char *aixloginmsg; #endif /* WITH_AIXAUTHENTICATE */ -#ifdef HAVE_OSF_SIA -extern int saved_argc; -extern char **saved_argv; -#endif /* HAVE_OSF_SIA */ /* * convert ssh auth msg type into description 
@@ -56,41 +48,55 @@ return "rhosts-rsa"; case SSH_CMSG_AUTH_RHOSTS: return "rhosts"; + case SSH_CMSG_AUTH_TIS: + case SSH_CMSG_AUTH_TIS_RESPONSE: + return "challenge-response"; #ifdef KRB4 case SSH_CMSG_AUTH_KERBEROS: return "kerberos"; #endif -#ifdef SKEY - case SSH_CMSG_AUTH_TIS_RESPONSE: - return "s/key"; -#endif } snprintf(buf, sizeof buf, "bad-auth-msg-%d", type); return buf; } /* - * read packets and try to authenticate local user 'luser'. - * return if authentication is successfull. not that pw == NULL - * if the user does not exists or is not allowed to login. - * each auth method has to 'fake' authentication for nonexisting - * users. + * read packets, try to authenticate the user and + * return only if authentication is successful */ void -do_authloop(struct passwd * pw, char *luser) +do_authloop(Authctxt *authctxt) { int authenticated = 0; - int attempt = 0; - unsigned int bits; + u_int bits; RSA *client_host_key; BIGNUM *n; char *client_user, *password; - char user[1024]; - unsigned int dlen; + char info[1024]; + u_int dlen; int plen, nlen, elen; - unsigned int ulen; + u_int ulen; int type = 0; - void (*authlog) (const char *fmt,...) = verbose; + struct passwd *pw = authctxt->pw; + + debug("Attempting authentication for %s%.100s.", + authctxt->valid ? "" : "illegal user ", authctxt->user); + + /* If the user has no password, accept authentication immediately. */ + if (options.password_authentication && +#ifdef KRB4 + (!options.kerberos_authentication || options.kerberos_or_local_passwd) && +#endif +#ifdef USE_PAM + auth_pam_password(pw, "")) { +#elif defined(HAVE_OSF_SIA) + 0) { +#else + auth_password(authctxt, "")) { +#endif + auth_log(authctxt, 1, "without authentication", ""); + return; + } /* Indicate that authentication is needed. */ packet_start(SSH_SMSG_FAILURE); 
@@ -99,11 +105,11 @@ client_user = NULL; - for (attempt = 1;; attempt++) { + for (;;) { /* default to fail */ authenticated = 0; - strlcpy(user, "", sizeof user); + info[0] = '\0'; /* Get a packet from the client. */ type = packet_read(&plen); @@ -120,7 +126,7 @@ char *tgt = packet_get_string(&dlen); packet_integrity_check(plen, 4 + dlen, type); if (!auth_kerberos_tgt(pw, tgt)) - verbose("Kerberos tgt REFUSED for %.100s", luser); + verbose("Kerberos tgt REFUSED for %.100s", authctxt->user); xfree(tgt); } continue; @@ -134,7 +140,7 @@ char *token_string = packet_get_string(&dlen); packet_integrity_check(plen, 4 + dlen, type); if (!auth_afs_token(pw, token_string)) - verbose("AFS token REFUSED for %.100s", luser); + verbose("AFS token REFUSED for %.100s", authctxt->user); xfree(token_string); } continue; @@ -142,27 +148,26 @@ #ifdef KRB4 case SSH_CMSG_AUTH_KERBEROS: if (!options.kerberos_authentication) { - /* packet_get_all(); */ verbose("Kerberos authentication disabled."); break; } else { /* Try Kerberos v4 authentication. */ KTEXT_ST auth; char *tkt_user = NULL; - char *kdata = packet_get_string((unsigned int *) &auth.length); + char *kdata = packet_get_string((u_int *) &auth.length); packet_integrity_check(plen, 4 + auth.length, type); - if (auth.length < MAX_KTXT_LEN) - memcpy(auth.dat, kdata, auth.length); - xfree(kdata); - - if (pw != NULL) { + if (authctxt->valid) { + if (auth.length < MAX_KTXT_LEN) + memcpy(auth.dat, kdata, auth.length); authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user); if (authenticated) { - snprintf(user, sizeof user, " tktuser %s", tkt_user); + snprintf(info, sizeof info, + " tktuser %.100s", tkt_user); xfree(tkt_user); } } + xfree(kdata); } break; #endif /* KRB4 */ 
@@ -184,7 +189,7 @@ /* Try to authenticate using /etc/hosts.equiv and .rhosts. */ authenticated = auth_rhosts(pw, client_user); - snprintf(user, sizeof user, " ruser %s", client_user); + snprintf(info, sizeof info, " ruser %.100s", client_user); break; case SSH_CMSG_AUTH_RHOSTS_RSA: @@ -219,7 +224,7 @@ authenticated = auth_rhosts_rsa(pw, client_user, client_host_key); RSA_free(client_host_key); - snprintf(user, sizeof user, " ruser %s", client_user); + snprintf(info, sizeof info, " ruser %.100s", client_user); break; case SSH_CMSG_AUTH_RSA: @@ -253,36 +258,25 @@ authenticated = auth_pam_password(pw, password); #elif defined(HAVE_OSF_SIA) /* Do SIA auth with password */ - if (sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(), pw->pw_name, NULL, 0, - NULL, password) == SIASUCCESS) { - authenticated = 1; - } + authenticated = auth_sia_password(authctxt->user, + password); #else /* !USE_PAM && !HAVE_OSF_SIA */ - /* Try authentication with the password. */ - authenticated = auth_password(pw, password); + /* Try authentication with the password. */ + authenticated = auth_password(authctxt, password); #endif /* USE_PAM */ memset(password, 0, strlen(password)); xfree(password); break; -#ifdef SKEY case SSH_CMSG_AUTH_TIS: debug("rcvd SSH_CMSG_AUTH_TIS"); - if (options.skey_authentication == 1) { - char *skeyinfo = NULL; - if (pw != NULL) - skey_keyinfo(pw->pw_name); - if (skeyinfo == NULL) { - debug("generating fake skeyinfo for %.100s.", luser); - skeyinfo = skey_fake_keyinfo(luser); - } - if (skeyinfo != NULL) { - /* we send our s/key- in tis-challenge messages */ - debug("sending challenge '%s'", skeyinfo); + if (options.challenge_reponse_authentication == 1) { + char *challenge = get_challenge(authctxt, authctxt->style); + if (challenge != NULL) { + debug("sending challenge '%s'", challenge); packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); - packet_put_cstring(skeyinfo); + packet_put_cstring(challenge); packet_send(); packet_write_wait(); continue; 
@@ -291,22 +285,15 @@ break; case SSH_CMSG_AUTH_TIS_RESPONSE: debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE"); - if (options.skey_authentication == 1) { + if (options.challenge_reponse_authentication == 1) { char *response = packet_get_string(&dlen); - debug("skey response == '%s'", response); + debug("got response '%s'", response); packet_integrity_check(plen, 4 + dlen, type); - authenticated = (pw != NULL && - skey_haskey(pw->pw_name) == 0 && - skey_passcheck(pw->pw_name, response) != -1); + authenticated = verify_response(authctxt, response); + memset(response, 'r', dlen); xfree(response); } break; -#else - case SSH_CMSG_AUTH_TIS: - /* TIS Authentication is unsupported */ - log("TIS authentication unsupported."); - break; -#endif default: /* 
@@ -316,53 +303,37 @@ log("Unknown message during authentication: type %d", type); break; } - if (authenticated && pw == NULL) - fatal("internal error: authenticated for pw == NULL"); +#ifdef BSD_AUTH + if (authctxt->as) { + auth_close(authctxt->as); + authctxt->as = NULL; + } +#endif + if (!authctxt->valid && authenticated) + fatal("INTERNAL ERROR: authenticated invalid user %s", + authctxt->user); #ifdef HAVE_CYGWIN - if (authenticated && + if (authenticated && !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,pw->pw_uid)) { packet_disconnect("Authentication rejected for uid %d.", (int)pw->pw_uid); authenticated = 0; } +#else + /* Special handling for root */ + if (authenticated && authctxt->pw->pw_uid == 0 && + !auth_root_allowed(get_authname(type))) + authenticated = 0; #endif - - /* - * Check if the user is logging in as root and root logins - * are disallowed. - * Note that root login is allowed for forced commands. - */ - if (authenticated && pw && pw->pw_uid == 0 && !options.permit_root_login) { - if (forced_command) { - log("Root login accepted for forced command."); - } else { - authenticated = 0; - log("ROOT LOGIN REFUSED FROM %.200s", - get_canonical_hostname()); - } - } - - /* Raise logging level */ - if (authenticated || - attempt == AUTH_FAIL_LOG || - type == SSH_CMSG_AUTH_PASSWORD) - authlog = log; - - authlog("%s %s for %s%.100s from %.200s port %d%s", - authenticated ? "Accepted" : "Failed", - get_authname(type), - pw ? "" : "illegal user ", - pw && pw->pw_uid == 0 ? "ROOT" : luser, - get_remote_ipaddr(), - get_remote_port(), - user); - #ifdef USE_PAM if (authenticated && !do_pam_account(pw->pw_name, client_user)) authenticated = 0; #endif + /* Log before sending the reply */ + auth_log(authctxt, authenticated, get_authname(type), info); + if (client_user != NULL) { xfree(client_user); client_user = NULL; 
@@ -371,14 +342,15 @@ if (authenticated) return; - if (attempt > AUTH_FAIL_MAX) { -#ifdef WITH_AIXAUTHENTICATE - loginfailed(user,get_canonical_hostname(),"ssh"); + if (authctxt->failures++ > AUTH_FAIL_MAX) { +#ifdef WITH_AIXAUTHENTICATE + loginfailed(authctxt->user, + get_canonical_hostname(options.reverse_mapping_check), + "ssh"); #endif /* WITH_AIXAUTHENTICATE */ - packet_disconnect(AUTH_FAIL_MSG, luser); + packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } - /* Send a message indicating that the authentication attempt failed. */ packet_start(SSH_SMSG_FAILURE); packet_send(); packet_write_wait(); @@ -392,10 +364,11 @@ void do_authentication() { - struct passwd *pw, pwcopy; + Authctxt *authctxt; + struct passwd *pw; int plen; - unsigned int ulen; - char *user; + u_int ulen; + char *user, *style = NULL; /* Get the name of the user that we wish to log in as. */ packet_read_expect(&plen, SSH_CMSG_USER); 
@@ -404,38 +377,29 @@ user = packet_get_string(&ulen); packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER); - setproctitle("%s", user); + if ((style = strchr(user, ':')) != NULL) + *style++ = 0; -#ifdef AFS - /* If machine has AFS, set process authentication group. */ - if (k_hasafs()) { - k_setpag(); - k_unlog(); - } -#endif /* AFS */ + authctxt = authctxt_new(); + authctxt->user = user; + authctxt->style = style; /* Verify that the user is a valid user. */ pw = getpwnam(user); if (pw && allowed_user(pw)) { - /* Take a copy of the returned structure. */ - memset(&pwcopy, 0, sizeof(pwcopy)); - pwcopy.pw_name = xstrdup(pw->pw_name); - pwcopy.pw_passwd = xstrdup(pw->pw_passwd); - pwcopy.pw_uid = pw->pw_uid; - pwcopy.pw_gid = pw->pw_gid; -#ifdef HAVE_PW_CLASS_IN_PASSWD - pwcopy.pw_class = xstrdup(pw->pw_class); -#endif - pwcopy.pw_dir = xstrdup(pw->pw_dir); - pwcopy.pw_shell = xstrdup(pw->pw_shell); - pw = &pwcopy; + authctxt->valid = 1; + pw = pwcopy(pw); } else { + debug("do_authentication: illegal user %s", user); pw = NULL; } + authctxt->pw = pw; + + setproctitle("%s", pw ? user : "unknown"); #ifdef USE_PAM if (pw) - start_pam(pw); + start_pam(user); #endif /* 
@@ -447,33 +411,11 @@ packet_disconnect("Cannot change user when server not running as root."); #endif - debug("Attempting authentication for %s%.100s.", pw ? "" : "illegal user ", user); - - /* If the user has no password, accept authentication immediately. */ - if (options.password_authentication && -#ifdef KRB4 - (!options.kerberos_authentication || options.kerberos_or_local_passwd) && -#endif /* KRB4 */ -#ifdef USE_PAM - auth_pam_password(pw, "")) { -#elif defined(HAVE_OSF_SIA) - (sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(), pw->pw_name, NULL, 0, - NULL, "") == SIASUCCESS)) { -#else /* !HAVE_OSF_SIA && !USE_PAM */ - auth_password(pw, "")) { -#endif /* USE_PAM */ - /* Authentication with empty password succeeded. */ - log("Login for user %s from %.100s, accepted without authentication.", - user, get_remote_ipaddr()); - } else { - /* Loop until the user has been authenticated or the - connection is closed, do_authloop() returns only if - authentication is successfull */ - do_authloop(pw, user); - } - if (pw == NULL) - fatal("internal error, authentication successfull for user '%.100s'", user); + /* + * Loop until the user has been authenticated or the connection is + * closed, do_authloop() returns only if authentication is successful + */ + do_authloop(authctxt); /* The user has been authenticated and accepted. */ packet_start(SSH_SMSG_SUCCESS); 
@@ -482,10 +424,15 @@ #ifdef WITH_AIXAUTHENTICATE /* We don't have a pty yet, so just label the line as "ssh" */ - if (loginsuccess(user,get_canonical_hostname(),"ssh",&aixloginmsg) < 0) + if (loginsuccess(authctxt->user, + get_canonical_hostname(options.reverse_mapping_check), + "ssh", &aixloginmsg) < 0) aixloginmsg = NULL; #endif /* WITH_AIXAUTHENTICATE */ + xfree(authctxt->user); + xfree(authctxt); + /* Perform session preparation. */ do_authenticated(pw); } Only in openssh-2.5.1p1: auth2-chall.c Only in openssh-2.5.1p1: auth2-pam.c Only in openssh-2.5.1p1: auth2-pam.h Only in openssh-2.3.0p1: auth2-skey.c diff -ru openssh-2.3.0p1/auth2.c openssh-2.5.1p1/auth2.c --- openssh-2.3.0p1/auth2.c 2000-10-28 21:05:57.000000000 +1100 +++ openssh-2.5.1p1/auth2.c 2001-02-19 06:13:33.000000000 +1100 @@ -23,51 +23,39 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.42 2001/02/13 22:49:40 markus Exp $"); -#ifdef HAVE_OSF_SIA -# include -# include -#endif - -#include -#include #include +#include "ssh2.h" #include "xmalloc.h" #include "rsa.h" -#include "ssh.h" -#include "pty.h" +#include "sshpty.h" #include "packet.h" #include "buffer.h" +#include "log.h" #include "servconf.h" #include "compat.h" #include "channels.h" #include "bufaux.h" -#include "ssh2.h" #include "auth.h" #include "session.h" #include "dispatch.h" -#include "auth.h" #include "key.h" +#include "cipher.h" #include "kex.h" - -#include "dsa.h" +#include "pathnames.h" #include "uidswap.h" #include "auth-options.h" /* import */ extern ServerOptions options; -extern unsigned char *session_id2; +extern u_char *session_id2; extern int session_id2_len; #ifdef WITH_AIXAUTHENTICATE extern char *aixloginmsg; #endif -#ifdef HAVE_OSF_SIA -extern int saved_argc; -extern char **saved_argv; -#endif static Authctxt *x_authctxt = NULL; static int one = 1; 
@@ -85,14 +73,14 @@ void input_userauth_request(int type, int plen, void *ctxt); void protocol_error(int type, int plen, void *ctxt); - /* helper */ Authmethod *authmethod_lookup(const char *name); struct passwd *pwcopy(struct passwd *pw); -int user_dsa_key_allowed(struct passwd *pw, Key *key); +int user_key_allowed(struct passwd *pw, Key *key); char *authmethods_get(void); /* auth */ +void userauth_banner(void); int userauth_none(Authctxt *authctxt); int userauth_passwd(Authctxt *authctxt); int userauth_pubkey(Authctxt *authctxt); @@ -104,13 +92,13 @@ &one}, {"publickey", userauth_pubkey, - &options.dsa_authentication}, - {"keyboard-interactive", - userauth_kbdint, - &options.kbd_interactive_authentication}, + &options.pubkey_authentication}, {"password", userauth_passwd, &options.password_authentication}, + {"keyboard-interactive", + userauth_kbdint, + &options.kbd_interactive_authentication}, {NULL, NULL, NULL} }; @@ -121,21 +109,18 @@ void do_authentication2() { - Authctxt *authctxt = xmalloc(sizeof(*authctxt)); - memset(authctxt, 'a', sizeof(*authctxt)); - authctxt->valid = 0; - authctxt->attempt = 0; - authctxt->success = 0; + Authctxt *authctxt = authctxt_new(); + x_authctxt = authctxt; /*XXX*/ -#ifdef KRB4 - /* turn off kerberos, not supported by SSH2 */ - options.kerberos_authentication = 0; -#endif + /* challenge-reponse is implemented via keyboard interactive */ + if (options.challenge_reponse_authentication) + options.kbd_interactive_authentication = 1; + dispatch_init(&protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); - do_authenticated2(); + do_authenticated2(authctxt); } void @@ -152,7 +137,7 @@ input_service_request(int type, int plen, void *ctxt) { Authctxt *authctxt = ctxt; - unsigned int len; + u_int len; int accept = 0; char *service = packet_get_string(&len); packet_done(); 
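Review bot: the new option is misspelled `options.challenge_reponse_authentication` (and the comment above it reads "challenge-reponse"); the identifier is used again in userauth_kbdint below and must match servconf.h exactly, so rename it to `challenge_response_authentication` now, before it spreads further. Also note that reordering `authmethods` moves "password" ahead of "keyboard-interactive", which changes the order `authmethods_get()` advertises to clients; that deserves a line in the ChangeLog.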
@@ -186,42 +171,42 @@ { Authctxt *authctxt = ctxt; Authmethod *m = NULL; - char *user, *service, *method; + char *user, *service, *method, *style = NULL; int authenticated = 0; if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); - if (authctxt->attempt++ >= AUTH_FAIL_MAX) { -#ifdef WITH_AIXAUTHENTICATE - loginfailed(authctxt->user?authctxt->user:"NOUSER", - get_canonical_hostname(), "ssh"); -#endif /* WITH_AIXAUTHENTICATE */ - packet_disconnect("too many failed userauth_requests"); - } user = packet_get_string(NULL); service = packet_get_string(NULL); method = packet_get_string(NULL); debug("userauth-request for user %s service %s method %s", user, service, method); - debug("attempt #%d", authctxt->attempt); + debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); - if (authctxt->attempt == 1) { + if ((style = strchr(user, ':')) != NULL) + *style++ = 0; + + if (authctxt->attempt++ == 0) { /* setup auth context */ struct passwd *pw = NULL; - setproctitle("%s", user); pw = getpwnam(user); if (pw && allowed_user(pw) && strcmp(service, "ssh-connection")==0) { authctxt->pw = pwcopy(pw); authctxt->valid = 1; debug2("input_userauth_request: setting up authctxt for %s", user); #ifdef USE_PAM - start_pam(pw); + start_pam(pw->pw_name); #endif } else { log("input_userauth_request: illegal user %s", user); +#ifdef USE_PAM + start_pam("NOUSER"); +#endif } + setproctitle("%s", pw ? user : "unknown"); authctxt->user = xstrdup(user); authctxt->service = xstrdup(service); + authctxt->style = style ? xstrdup(style) : NULL; /* currently unused */ } else if (authctxt->valid) { if (strcmp(user, authctxt->user) != 0 || strcmp(service, authctxt->service) != 0) { 
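Review bot: the `user:style` split (`if ((style = strchr(user, ':')) != NULL) *style++ = 0;`) runs on every request, but `authctxt->style` is only recorded on the first attempt and the later `strcmp(user, authctxt->user)` consistency check compares the already-truncated name, so a client can change the style between attempts undetected. With style marked "currently unused" this is harmless today; either fold the style into the consistency check or say in the comment that later values are deliberately ignored.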
@@ -230,85 +215,94 @@ authctxt->valid = 0; } } + /* reset state */ + dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, &protocol_error); + authctxt->postponed = 0; +#ifdef BSD_AUTH + if (authctxt->as) { + auth_close(authctxt->as); + authctxt->as = NULL; + } +#endif + /* try to authenticate user */ m = authmethod_lookup(method); if (m != NULL) { debug2("input_userauth_request: try method %s", method); authenticated = m->userauth(authctxt); - } else { - debug2("input_userauth_request: unsupported method %s", method); - } - if (!authctxt->valid && authenticated == 1) { - log("input_userauth_request: INTERNAL ERROR: authenticated invalid user %s service %s", user, method); - authenticated = 0; } + if (!authctxt->valid && authenticated) + fatal("INTERNAL ERROR: authenticated invalid user %s", + authctxt->user); /* Special handling for root */ - if (authenticated == 1 && - authctxt->valid && authctxt->pw->pw_uid == 0 && !options.permit_root_login) { + if (authenticated && authctxt->pw->pw_uid == 0 && + !auth_root_allowed(method)) authenticated = 0; - log("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname()); - } #ifdef USE_PAM - if (authenticated && authctxt->user && !do_pam_account(authctxt->user, NULL)) + if (authenticated && authctxt->user && !do_pam_account(authctxt->user, + NULL)) authenticated = 0; #endif /* USE_PAM */ /* Log before sending the reply */ - userauth_log(authctxt, authenticated, method); - userauth_reply(authctxt, authenticated); + auth_log(authctxt, authenticated, method, " ssh2"); + + if (!authctxt->postponed) + userauth_reply(authctxt, authenticated); xfree(service); xfree(user); xfree(method); } - void -userauth_log(Authctxt *authctxt, int authenticated, char *method) +userauth_banner(void) { - void (*authlog) (const char *fmt,...) 
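Review bot: with the `AUTH_FAIL_MAX` check removed from the top of input_userauth_request (previous hunk) and the failure counter now living in userauth_reply, a request that ends with `authctxt->postponed` set skips `userauth_reply()` entirely, so it is neither counted nor bounded. The publickey probe with `have_sig == 0` for an allowed key takes exactly that path (it sends SSH2_MSG_USERAUTH_PK_OK and sets postponed), so a client can repeat such probes without limit on one connection; bound total requests via `authctxt->attempt` independently of failures, or count postponed requests against a separate cap. Also, the `log("ROOT LOGIN REFUSED FROM %.200s", ...)` line is removed here; make sure `auth_root_allowed()` logs the refusal so the event does not vanish from the audit trail.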
= verbose; - char *user = NULL, *authmsg = NULL; - - /* Raise logging level */ - if (authenticated == 1 || - !authctxt->valid || - authctxt->attempt >= AUTH_FAIL_LOG || - strcmp(method, "password") == 0) - authlog = log; - - if (authenticated == 1) { - authmsg = "Accepted"; - } else if (authenticated == 0) { - authmsg = "Failed"; - } else { - authmsg = "Postponed"; - } - - if (authctxt->valid) { - user = authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user; - } else { - user = "NOUSER"; - } - - authlog("%s %s for %.200s from %.200s port %d ssh2", - authmsg, - method, - user, - get_remote_ipaddr(), - get_remote_port()); + struct stat st; + char *banner = NULL; + off_t len, n; + int fd; + + if (options.banner == NULL || (datafellows & SSH_BUG_BANNER)) + return; + if ((fd = open(options.banner, O_RDONLY)) < 0) { + error("userauth_banner: open %s failed: %s", + options.banner, strerror(errno)); + return; + } + if (fstat(fd, &st) < 0) + goto done; + len = st.st_size; + banner = xmalloc(len + 1); + if ((n = read(fd, banner, len)) < 0) + goto done; + banner[n] = '\0'; + packet_start(SSH2_MSG_USERAUTH_BANNER); + packet_put_cstring(banner); + packet_put_cstring(""); /* language, unused */ + packet_send(); + debug("userauth_banner: sent"); +done: + if (banner) + xfree(banner); + close(fd); + return; } -void +void userauth_reply(Authctxt *authctxt, int authenticated) { + char *methods; + /* XXX todo: check if multiple auth methods are needed */ if (authenticated == 1) { #ifdef WITH_AIXAUTHENTICATE /* We don't have a pty yet, so just label the line as "ssh" */ - if (loginsuccess(authctxt->user?authctxt->user:"NOUSER", - get_canonical_hostname(), "ssh", &aixloginmsg) < 0) + if (loginsuccess(authctxt->user?authctxt->user:"NOUSER", + get_canonical_hostname(options.reverse_mapping_check), + "ssh", &aixloginmsg) < 0) aixloginmsg = NULL; #endif /* WITH_AIXAUTHENTICATE */ /* turn off userauth */ 
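Review bot: `userauth_banner()` opens, reads and transmits the banner file on every call, and userauth_none (next hunk) calls it unconditionally before the `authctxt->valid` check, so a client can make the server re-read and re-send the file once per "none" request; record that the banner has been sent (a flag in Authctxt) and send it once per connection. Minor: `len` and `n` are `off_t` but are passed to `xmalloc()` and `read()` as sizes, and the whole file is read into memory with no upper bound; cap the size you are willing to send.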
@@ -318,16 +312,16 @@ packet_write_wait(); /* now we can break out */ authctxt->success = 1; - } else if (authenticated == 0) { - char *methods = authmethods_get(); + } else { + if (authctxt->failures++ > AUTH_FAIL_MAX) + packet_disconnect(AUTH_FAIL_MSG, authctxt->user); + methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); packet_put_char(0); /* XXX partial success, unused */ packet_send(); packet_write_wait(); xfree(methods); - } else { - /* do nothing, we did already send a reply */ } } @@ -339,10 +333,11 @@ if (m != NULL) m->enabled = NULL; packet_done(); + userauth_banner(); if (authctxt->valid == 0) return(0); - + #ifdef HAVE_CYGWIN if (check_nt_auth(1, authctxt->pw->pw_uid) == 0) return(0); @@ -350,11 +345,9 @@ #ifdef USE_PAM return auth_pam_password(authctxt->pw, ""); #elif defined(HAVE_OSF_SIA) - return (sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(), authctxt->user?authctxt->user:"NOUSER", - NULL, 0, NULL, "") == SIASUCCESS); + return 0; #else /* !HAVE_OSF_SIA && !USE_PAM */ - return auth_password(authctxt->pw, ""); + return auth_password(authctxt, ""); #endif /* USE_PAM */ } @@ -364,7 +357,7 @@ char *password; int authenticated = 0; int change; - unsigned int len; + u_int len; change = packet_get_char(); if (change) log("password change not supported"); @@ -377,11 +370,9 @@ #ifdef USE_PAM auth_pam_password(authctxt->pw, password) == 1) #elif defined(HAVE_OSF_SIA) - sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(), authctxt->user?authctxt->user:"NOUSER", - NULL, 0, NULL, password) == SIASUCCESS) + auth_sia_password(authctxt->user, password) == 1) #else /* !USE_PAM && !HAVE_OSF_SIA */ - auth_password(authctxt->pw, password) == 1) + auth_password(authctxt, password) == 1) #endif /* USE_PAM */ authenticated = 1; memset(password, 0, len); 
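Review bot: `if (authctxt->failures++ > AUTH_FAIL_MAX)` is off by one relative to the check it replaces (`attempt++ >= AUTH_FAIL_MAX`): with post-increment and `>` the disconnect fires on the (AUTH_FAIL_MAX + 2)th failure, so a client receives AUTH_FAIL_MAX + 1 answered failures before being dropped. Use `>=` if the intent is to allow exactly AUTH_FAIL_MAX. Also, the HAVE_OSF_SIA branch of userauth_none now returns 0 unconditionally, so empty-password logins through SIA are no longer accepted for method "none"; that behaviour change belongs in the ChangeLog.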
@@ -401,10 +392,13 @@ packet_done(); debug("keyboard-interactive language %s devs %s", lang, devs); -#ifdef SKEY - /* XXX hardcoded, we should look at devs */ - if (options.skey_authentication != 0) - authenticated = auth2_skey(authctxt); + + if (options.challenge_reponse_authentication) + authenticated = auth2_challenge(authctxt, devs); + +#ifdef USE_PAM + if (authenticated == 0) + authenticated = auth2_pam(authctxt); #endif xfree(lang); xfree(devs); @@ -421,8 +415,8 @@ Buffer b; Key *key; char *pkalg, *pkblob, *sig; - unsigned int alen, blen, slen; - int have_sig; + u_int alen, blen, slen; + int have_sig, pktype; int authenticated = 0; if (!authctxt->valid) { @@ -430,14 +424,28 @@ return 0; } have_sig = packet_get_char(); - pkalg = packet_get_string(&alen); - if (strcmp(pkalg, KEX_DSS) != 0) { - log("bad pkalg %s", pkalg); /*XXX*/ + if (datafellows & SSH_BUG_PKAUTH) { + debug2("userauth_pubkey: SSH_BUG_PKAUTH"); + /* no explicit pkalg given */ + pkblob = packet_get_string(&blen); + buffer_init(&b); + buffer_append(&b, pkblob, blen); + /* so we have to extract the pkalg from the pkblob */ + pkalg = buffer_get_string(&b, &alen); + buffer_free(&b); + } else { + pkalg = packet_get_string(&alen); + pkblob = packet_get_string(&blen); + } + pktype = key_type_from_name(pkalg); + if (pktype == KEY_UNSPEC) { + /* this is perfectly legal */ + log("userauth_pubkey: unsupported public key algorithm: %s", pkalg); xfree(pkalg); + xfree(pkblob); return 0; } - pkblob = packet_get_string(&blen); - key = dsa_key_from_blob(pkblob, blen); + key = key_from_blob(pkblob, blen); if (key != NULL) { if (have_sig) { sig = packet_get_string(&slen); 
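Review bot: `pktype = key_type_from_name(pkalg)` is only compared against KEY_UNSPEC; after `key = key_from_blob(pkblob, blen)` nothing checks that `key->type == pktype`, so the client-supplied `pkalg` may disagree with the key actually in the blob and is later echoed back verbatim in the PK_OK reply. Reject the request when `key->type != pktype` right after the blob is parsed; the signed data in the next hunk already uses `key_ssh_name(key)`, so verification itself is unaffected, but the inconsistency should be refused rather than ignored.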
@@ -452,19 +460,23 @@ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); buffer_put_cstring(&b, authctxt->user); buffer_put_cstring(&b, - datafellows & SSH_BUG_PUBKEYAUTH ? + datafellows & SSH_BUG_PKSERVICE ? "ssh-userauth" : authctxt->service); - buffer_put_cstring(&b, "publickey"); - buffer_put_char(&b, have_sig); - buffer_put_cstring(&b, KEX_DSS); + if (datafellows & SSH_BUG_PKAUTH) { + buffer_put_char(&b, have_sig); + } else { + buffer_put_cstring(&b, "publickey"); + buffer_put_char(&b, have_sig); + buffer_put_cstring(&b, key_ssh_name(key)); + } buffer_put_string(&b, pkblob, blen); -#ifdef DEBUG_DSS +#ifdef DEBUG_PK buffer_dump(&b); #endif /* test for correct signature */ - if (user_dsa_key_allowed(authctxt->pw, key) && - dsa_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) + if (user_key_allowed(authctxt->pw, key) && + key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) authenticated = 1; buffer_clear(&b); xfree(sig); @@ -480,19 +492,20 @@ * if a user is not allowed to login. is this an * issue? -markus */ - if (user_dsa_key_allowed(authctxt->pw, key)) { + if (user_key_allowed(authctxt->pw, key)) { packet_start(SSH2_MSG_USERAUTH_PK_OK); packet_put_string(pkalg, alen); packet_put_string(pkblob, blen); packet_send(); packet_write_wait(); - authenticated = -1; + authctxt->postponed = 1; } } if (authenticated != 1) auth_clear_options(); key_free(key); } + debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); xfree(pkalg); xfree(pkblob); #ifdef HAVE_CYGWIN @@ -516,7 +529,7 @@ authmethods_get(void) { Authmethod *method = NULL; - unsigned int size = 0; + u_int size = 0; char *list; for (method = authmethods; method->name != NULL; method++) { 
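Review bot: the `have_sig == 0` branch still calls `user_key_allowed()` before answering with SSH2_MSG_USERAUTH_PK_OK, which tells an unauthenticated client whether a given public key is present in a user's authorized_keys2; the in-code comment ("is this an issue? -markus") already flags it, so record the decision in the commit message or a comment instead of leaving it as an open question. Note too that `user_key_allowed()` parses and applies the key's options via `auth_parse_options()` on this probe path and relies on `if (authenticated != 1) auth_clear_options();` below to undo them; keep those two statements together if this function is refactored.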
@@ -560,13 +573,12 @@ /* return 1 if user allows given key */ int -user_dsa_key_allowed(struct passwd *pw, Key *key) +user_key_allowed(struct passwd *pw, Key *key) { - char line[8192], file[1024]; + char line[8192], file[MAXPATHLEN]; int found_key = 0; - unsigned int bits = -1; FILE *f; - unsigned long linenum = 0; + u_long linenum = 0; struct stat st; Key *found; @@ -578,7 +590,7 @@ /* The authorized keys. */ snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir, - SSH_USER_PERMITTED_KEYS2); + _PATH_SSH_USER_PERMITTED_KEYS2); /* Fail quietly if file does not exist */ if (stat(file, &st) < 0) { @@ -606,10 +618,10 @@ key_type(key), pw->pw_name, file); fail = 1; } else { - /* Check path to SSH_USER_PERMITTED_KEYS */ + /* Check path to _PATH_SSH_USER_PERMITTED_KEYS */ int i; static const char *check[] = { - "", SSH_USER_DIR, NULL + "", _PATH_SSH_USER_DIR, NULL }; for (i = 0; check[i]; i++) { snprintf(line, sizeof line, "%.500s/%.100s", @@ -645,10 +657,10 @@ if (!*cp || *cp == '\n' || *cp == '#') continue; - bits = key_read(found, &cp); - if (bits == 0) { + if (key_read(found, &cp) == -1) { /* no key? check if there are options for this key */ int quoted = 0; + debug2("user_key_allowed: check options: '%s'", cp); options = cp; for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { if (*cp == '\\' && cp[1] == '"') @@ -659,14 +671,14 @@ /* Skip remaining whitespace. */ for (; *cp == ' ' || *cp == '\t'; cp++) ; - bits = key_read(found, &cp); - if (bits == 0) { + if (key_read(found, &cp) == -1) { + debug2("user_key_allowed: advance: '%s'", cp); /* still no key? advance to next line*/ continue; } } if (key_equal(found, key) && - auth_parse_options(pw, options, linenum) == 1) { + auth_parse_options(pw, options, file, linenum) == 1) { found_key = 1; debug("matching key found: file %s, line %ld", file, linenum); 
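Review bot: the "no key on this line" test changes from `bits == 0` to `key_read(found, &cp) == -1`, so any return other than -1 is now treated as a successfully read key, while do_load_public_key in authfile.c below tests `key_read(k, &cp) == 1`. The two callers should agree on key_read's contract; if it can return 0, use `!= 1` here as well so `key_equal()` is never run against a partially initialised `found`. Also, `debug2("user_key_allowed: check options: '%s'", cp)` writes the raw authorized_keys line (including any command= option) to the log; worth knowing when raising LogLevel on a shared host.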
@@ -678,20 +690,3 @@ key_free(found); return found_key; } - -struct passwd * -pwcopy(struct passwd *pw) -{ - struct passwd *copy = xmalloc(sizeof(*copy)); - memset(copy, 0, sizeof(*copy)); - copy->pw_name = xstrdup(pw->pw_name); - copy->pw_passwd = xstrdup(pw->pw_passwd); - copy->pw_uid = pw->pw_uid; - copy->pw_gid = pw->pw_gid; -#ifdef HAVE_PW_CLASS_IN_PASSWD - copy->pw_class = xstrdup(pw->pw_class); -#endif - copy->pw_dir = xstrdup(pw->pw_dir); - copy->pw_shell = xstrdup(pw->pw_shell); - return copy; -} diff -ru openssh-2.3.0p1/authfd.c openssh-2.5.1p1/authfd.c --- openssh-2.3.0p1/authfd.c 2000-10-14 16:23:11.000000000 +1100 +++ openssh-2.5.1p1/authfd.c 2001-02-06 00:57:36.000000000 +1100 @@ -35,7 +35,9 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfd.c,v 1.29 2000/10/09 21:51:00 markus Exp $"); +RCSID("$OpenBSD: authfd.c,v 1.35 2001/02/04 15:32:22 stevesk Exp $"); + +#include #include "ssh.h" #include "rsa.h" @@ -43,15 +45,13 @@ #include "bufaux.h" #include "xmalloc.h" #include "getput.h" - -#include -#include -#include #include "key.h" #include "authfd.h" +#include "cipher.h" #include "kex.h" -#include "dsa.h" #include "compat.h" +#include "log.h" +#include "atomicio.h" /* helper */ int decode_reply(int type); @@ -63,7 +63,7 @@ /* Returns the number of the authentication fd, or -1 if there is none. */ int -ssh_get_authentication_socket() +ssh_get_authentication_socket(void) { const char *authsocket; int sock, len; @@ -172,7 +172,7 @@ */ AuthenticationConnection * -ssh_get_authentication_connection() +ssh_get_authentication_connection(void) { AuthenticationConnection *auth; int sock; @@ -211,8 +211,8 @@ * Returns the first authentication identity held by the agent. */ -Key * -ssh_get_first_identity(AuthenticationConnection *auth, char **comment, int version) +int +ssh_get_num_identities(AuthenticationConnection *auth, int version) { int type, code1 = 0, code2 = 0; Buffer request; 
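Review bot: `pwcopy()` is deleted from auth2.c but its prototype stays in the helper list above (`struct passwd *pwcopy(struct passwd *pw);`) and it is still called from input_userauth_request (`authctxt->pw = pwcopy(pw);`), so the definition must now live in a shared file; move the prototype into a header such as auth.h rather than keeping a file-local declaration that can drift from the definition unnoticed.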
@@ -227,7 +227,7 @@ code2 = SSH2_AGENT_IDENTITIES_ANSWER; break; default: - return NULL; + return 0; } /* @@ -240,14 +240,14 @@ buffer_clear(&auth->identities); if (ssh_request_reply(auth, &request, &auth->identities) == 0) { buffer_free(&request); - return NULL; + return 0; } buffer_free(&request); /* Get message type, and verify that we got a proper answer. */ type = buffer_get_char(&auth->identities); if (agent_failed(type)) { - return NULL; + return 0; } else if (type != code2) { fatal("Bad authentication reply message type: %d", type); } @@ -258,16 +258,24 @@ fatal("Too many identities in authentication reply: %d\n", auth->howmany); - /* Return the first entry (if any). */ - return ssh_get_next_identity(auth, comment, version); + return auth->howmany; +} + +Key * +ssh_get_first_identity(AuthenticationConnection *auth, char **comment, int version) +{ + /* get number of identities and return the first entry (if any). */ + if (ssh_get_num_identities(auth, version) > 0) + return ssh_get_next_identity(auth, comment, version); + return NULL; } Key * ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int version) { - unsigned int bits; - unsigned char *blob; - unsigned int blen; + u_int bits; + u_char *blob; + u_int blen; Key *key = NULL; /* Return failure if no more entries. */ @@ -280,7 +288,7 @@ */ switch(version){ case 1: - key = key_new(KEY_RSA); + key = key_new(KEY_RSA1); bits = buffer_get_int(&auth->identities); buffer_get_bignum(&auth->identities, key->rsa->e); buffer_get_bignum(&auth->identities, key->rsa->n); @@ -292,7 +300,7 @@ case 2: blob = buffer_get_string(&auth->identities, &blen); *comment = buffer_get_string(&auth->identities, NULL); - key = dsa_key_from_blob(blob, blen); + key = key_from_blob(blob, blen); xfree(blob); break; default: 
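Review bot: in the version 2 branch of ssh_get_next_identity `*comment` is allocated before `key = key_from_blob(blob, blen)`; if the agent returns a blob that key_from_blob rejects, the function returns NULL with the comment already allocated, and the caller cannot tell this from "no more identities", so the comment leaks and the remaining entries are skipped. Free `*comment` (and set it to NULL) when `key == NULL`, and add a debug() so a malformed agent reply is visible.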
@@ -315,16 +323,16 @@ int ssh_decrypt_challenge(AuthenticationConnection *auth, Key* key, BIGNUM *challenge, - unsigned char session_id[16], - unsigned int response_type, - unsigned char response[16]) + u_char session_id[16], + u_int response_type, + u_char response[16]) { Buffer buffer; int success = 0; int i; int type; - if (key->type != KEY_RSA) + if (key->type != KEY_RSA1) return 0; if (response_type == 0) { log("Compatibility with ssh protocol version 1.0 no longer supported."); @@ -366,17 +374,17 @@ int ssh_agent_sign(AuthenticationConnection *auth, Key *key, - unsigned char **sigp, int *lenp, - unsigned char *data, int datalen) + u_char **sigp, int *lenp, + u_char *data, int datalen) { extern int datafellows; Buffer msg; - unsigned char *blob; - unsigned int blen; + u_char *blob; + u_int blen; int type, flags = 0; int ret = -1; - if (dsa_make_key_blob(key, &blob, &blen) == 0) + if (key_to_blob(key, &blob, &blen) == 0) return -1; if (datafellows & SSH_BUG_SIGBLOB) @@ -409,7 +417,7 @@ /* Encode key for a message to the agent. */ void -ssh_encode_identity_rsa(Buffer *b, RSA *key, const char *comment) +ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment) { buffer_clear(b); buffer_put_char(b, SSH_AGENTC_ADD_RSA_IDENTITY); 
@@ -425,17 +433,29 @@ } void -ssh_encode_identity_dsa(Buffer *b, DSA *key, const char *comment) +ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) { buffer_clear(b); buffer_put_char(b, SSH2_AGENTC_ADD_IDENTITY); - buffer_put_cstring(b, KEX_DSS); - buffer_put_bignum2(b, key->p); - buffer_put_bignum2(b, key->q); - buffer_put_bignum2(b, key->g); - buffer_put_bignum2(b, key->pub_key); - buffer_put_bignum2(b, key->priv_key); - buffer_put_string(b, comment, strlen(comment)); + buffer_put_cstring(b, key_ssh_name(key)); + switch(key->type){ + case KEY_RSA: + buffer_put_bignum2(b, key->rsa->n); + buffer_put_bignum2(b, key->rsa->e); + buffer_put_bignum2(b, key->rsa->d); + buffer_put_bignum2(b, key->rsa->iqmp); + buffer_put_bignum2(b, key->rsa->p); + buffer_put_bignum2(b, key->rsa->q); + break; + case KEY_DSA: + buffer_put_bignum2(b, key->dsa->p); + buffer_put_bignum2(b, key->dsa->q); + buffer_put_bignum2(b, key->dsa->g); + buffer_put_bignum2(b, key->dsa->pub_key); + buffer_put_bignum2(b, key->dsa->priv_key); + break; + } + buffer_put_cstring(b, comment); } /* @@ -452,11 +472,12 @@ buffer_init(&msg); switch (key->type) { - case KEY_RSA: - ssh_encode_identity_rsa(&msg, key->rsa, comment); + case KEY_RSA1: + ssh_encode_identity_rsa1(&msg, key->rsa, comment); break; + case KEY_RSA: case KEY_DSA: - ssh_encode_identity_dsa(&msg, key->dsa, comment); + ssh_encode_identity_ssh2(&msg, key, comment); break; default: buffer_free(&msg); 
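Review bot: the `switch(key->type)` in ssh_encode_identity_ssh2 has no `default:`; for any type other than KEY_RSA or KEY_DSA the message would carry the key name followed directly by the comment, a malformed SSH2_AGENTC_ADD_IDENTITY. ssh_add_identity below only dispatches those two types today, but add `default: fatal(...)` (or return an error) so a future key type cannot produce a corrupt agent message silently. The RSA field order (n, e, d, iqmp, p, q) is the wire contract with ssh-agent and deserves a one-line comment.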
@@ -482,18 +503,18 @@ { Buffer msg; int type; - unsigned char *blob; - unsigned int blen; + u_char *blob; + u_int blen; buffer_init(&msg); - if (key->type == KEY_RSA) { + if (key->type == KEY_RSA1) { buffer_put_char(&msg, SSH_AGENTC_REMOVE_RSA_IDENTITY); buffer_put_int(&msg, BN_num_bits(key->rsa->n)); buffer_put_bignum(&msg, key->rsa->e); buffer_put_bignum(&msg, key->rsa->n); - } else if (key->type == KEY_DSA) { - dsa_make_key_blob(key, &blob, &blen); + } else if (key->type == KEY_DSA || key->type == KEY_RSA) { + key_to_blob(key, &blob, &blen); buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY); buffer_put_string(&msg, blob, blen); xfree(blob); @@ -536,7 +557,7 @@ return decode_reply(type); } -int +int decode_reply(int type) { switch (type) { diff -ru openssh-2.3.0p1/authfd.h openssh-2.5.1p1/authfd.h --- openssh-2.3.0p1/authfd.h 2000-10-14 16:23:11.000000000 +1100 +++ openssh-2.5.1p1/authfd.h 2000-12-22 12:43:59.000000000 +1100 @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: authfd.h,v 1.13 2000/10/09 21:51:00 markus Exp $"); */ +/* RCSID("$OpenBSD: authfd.h,v 1.16 2000/12/20 19:37:21 markus Exp $"); */ #ifndef AUTHFD_H #define AUTHFD_H @@ -51,7 +51,7 @@ } AuthenticationConnection; /* Returns the number of the authentication fd, or -1 if there is none. */ -int ssh_get_authentication_socket(); +int ssh_get_authentication_socket(void); /* * This should be called for any descriptor returned by @@ -66,7 +66,7 @@ * connection could not be opened. The connection should be closed by the * caller by calling ssh_close_authentication_connection(). */ -AuthenticationConnection *ssh_get_authentication_connection(); +AuthenticationConnection *ssh_get_authentication_connection(void); /* * Closes the connection to the authentication agent and frees any associated 
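Review bot: `key_to_blob(key, &blob, &blen);` in ssh_remove_identity ignores the return value, whereas ssh_agent_sign checks `key_to_blob(...) == 0` and bails out; on failure `blob` and `blen` are uninitialised when handed to `buffer_put_string()` and `xfree()`. Check the result the same way and return failure.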
@@ -75,6 +75,11 @@ void ssh_close_authentication_connection(AuthenticationConnection *auth); /* + * Returns the number authentication identity held by the agent. + */ +int ssh_get_num_identities(AuthenticationConnection *auth, int version); + +/* * Returns the first authentication identity held by the agent or NULL if * no identies are available. Caller must free comment and key. * Note that you cannot mix calls with different versions. @@ -96,16 +101,16 @@ int ssh_decrypt_challenge(AuthenticationConnection *auth, Key *key, BIGNUM * challenge, - unsigned char session_id[16], - unsigned int response_type, - unsigned char response[16]); + u_char session_id[16], + u_int response_type, + u_char response[16]); /* Requests the agent to sign data using key */ int ssh_agent_sign(AuthenticationConnection *auth, Key *key, - unsigned char **sigp, int *lenp, - unsigned char *data, int datalen); + u_char **sigp, int *lenp, + u_char *data, int datalen); /* * Adds an identity to the authentication server. This call is not meant to diff -ru openssh-2.3.0p1/authfile.c openssh-2.5.1p1/authfile.c --- openssh-2.3.0p1/authfile.c 2000-10-14 16:23:11.000000000 +1100 +++ openssh-2.5.1p1/authfile.c 2001-02-09 13:11:24.000000000 +1100 @@ -36,22 +36,24 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfile.c,v 1.20 2000/10/11 20:27:23 markus Exp $"); +RCSID("$OpenBSD: authfile.c,v 1.27 2001/02/08 19:30:51 itojun Exp $"); -#include -#include -#include -#include +#include #include +#include +#include "cipher.h" #include "xmalloc.h" #include "buffer.h" #include "bufaux.h" -#include "ssh.h" #include "key.h" +#include "ssh.h" +#include "log.h" +#include "authfile.h" /* Version identification string for identity files. */ -#define AUTHFILE_ID_STRING "SSH PRIVATE KEY FILE FORMAT 1.1\n" +static const char authfile_id_string[] = + "SSH PRIVATE KEY FILE FORMAT 1.1\n"; /* * Saves the authentication (private) key in a file, encrypting it with 
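Review bot: documentation nit in authfd.h: "Returns the number authentication identity held by the agent." should read "Returns the number of authentication identities held by the agent."; the existing comment just below also has "identies" for "identities".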
@@ -61,7 +63,7 @@ */ int -save_private_key_rsa(const char *filename, const char *passphrase, +save_private_key_rsa1(const char *filename, const char *passphrase, RSA *key, const char *comment) { Buffer buffer, encrypted; @@ -111,9 +113,8 @@ buffer_init(&encrypted); /* First store keyfile id string. */ - cp = AUTHFILE_ID_STRING; - for (i = 0; cp[i]; i++) - buffer_put_char(&encrypted, cp[i]); + for (i = 0; authfile_id_string[i]; i++) + buffer_put_char(&encrypted, authfile_id_string[i]); buffer_put_char(&encrypted, 0); /* Store cipher type. */ @@ -130,8 +131,8 @@ buffer_append_space(&encrypted, &cp, buffer_len(&buffer)); cipher_set_key_string(&ciphercontext, cipher, passphrase); - cipher_encrypt(&ciphercontext, (unsigned char *) cp, - (unsigned char *) buffer_ptr(&buffer), buffer_len(&buffer)); + cipher_encrypt(&ciphercontext, (u_char *) cp, + (u_char *) buffer_ptr(&buffer), buffer_len(&buffer)); memset(&ciphercontext, 0, sizeof(ciphercontext)); /* Destroy temporary data. */ @@ -155,16 +156,17 @@ return 1; } -/* save DSA key in OpenSSL PEM format */ - +/* save SSH2 key in OpenSSL PEM format */ int -save_private_key_dsa(const char *filename, const char *passphrase, - DSA *dsa, const char *comment) +save_private_key_ssh2(const char *filename, const char *_passphrase, + Key *key, const char *comment) { FILE *fp; int fd; - int success = 1; - int len = strlen(passphrase); + int success = 0; + int len = strlen(_passphrase); + char *passphrase = (len > 0) ? (char *)_passphrase : NULL; + EVP_CIPHER *cipher = (len > 0) ? EVP_des_ede3_cbc() : NULL; if (len > 0 && len <= 4) { error("passphrase too short: %d bytes", len); 
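Review bot: `EVP_CIPHER *cipher = (len > 0) ? EVP_des_ede3_cbc() : NULL;` drops the `const` that EVP_des_ede3_cbc() returns; declare it `const EVP_CIPHER *`. More importantly, the `switch (key->type)` in save_private_key_ssh2 has no `default:`, so for an unsupported type `success` stays 0 but the output file has already been opened for writing (`fp`), leaving an empty key file behind; add a default that reports an error and removes the file.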
@@ -182,14 +184,15 @@ close(fd); return 0; } - if (len > 0) { - if (!PEM_write_DSAPrivateKey(fp, dsa, EVP_des_ede3_cbc(), - (char *)passphrase, strlen(passphrase), NULL, NULL)) - success = 0; - } else { - if (!PEM_write_DSAPrivateKey(fp, dsa, NULL, - NULL, 0, NULL, NULL)) - success = 0; + switch (key->type) { + case KEY_DSA: + success = PEM_write_DSAPrivateKey(fp, key->dsa, + cipher, passphrase, len, NULL, NULL); + break; + case KEY_RSA: + success = PEM_write_RSAPrivateKey(fp, key->rsa, + cipher, passphrase, len, NULL, NULL); + break; } fclose(fp); return success; @@ -200,11 +203,12 @@ const char *comment) { switch (key->type) { - case KEY_RSA: - return save_private_key_rsa(filename, passphrase, key->rsa, comment); + case KEY_RSA1: + return save_private_key_rsa1(filename, passphrase, key->rsa, comment); break; case KEY_DSA: - return save_private_key_dsa(filename, passphrase, key->dsa, comment); + case KEY_RSA: + return save_private_key_ssh2(filename, passphrase, key, comment); break; default: break; @@ -244,9 +248,9 @@ } close(fd); - /* Check that it is at least big enought to contain the ID string. */ - if (len < strlen(AUTHFILE_ID_STRING) + 1) { - debug("Bad key file %.200s.", filename); + /* Check that it is at least big enough to contain the ID string. */ + if (len < sizeof(authfile_id_string)) { + debug3("Bad RSA1 key file %.200s.", filename); buffer_free(&buffer); return 0; } @@ -254,9 +258,9 @@ * Make sure it begins with the id string. Consume the id string * from the buffer. */ - for (i = 0; i < (unsigned int) strlen(AUTHFILE_ID_STRING) + 1; i++) - if (buffer_get_char(&buffer) != (u_char) AUTHFILE_ID_STRING[i]) { - debug("Bad key file %.200s.", filename); + for (i = 0; i < sizeof(authfile_id_string); i++) + if (buffer_get_char(&buffer) != authfile_id_string[i]) { + debug3("Bad RSA1 key file %.200s.", filename); buffer_free(&buffer); return 0; } 
@@ -288,10 +292,11 @@ load_public_key(const char *filename, Key * key, char **comment_return) { switch (key->type) { - case KEY_RSA: + case KEY_RSA1: return load_public_key_rsa(filename, key->rsa, comment_return); break; case KEY_DSA: + case KEY_RSA: default: break; } @@ -306,7 +311,7 @@ */ int -load_private_key_rsa(int fd, const char *filename, +load_private_key_rsa1(int fd, const char *filename, const char *passphrase, RSA * prv, char **comment_return) { int i, check1, check2, cipher_type; @@ -326,16 +331,16 @@ if (read(fd, cp, (size_t) len) != (size_t) len) { debug("Read from key file %.200s failed: %.100s", filename, - strerror(errno)); + strerror(errno)); buffer_free(&buffer); close(fd); return 0; } close(fd); - /* Check that it is at least big enought to contain the ID string. */ - if (len < strlen(AUTHFILE_ID_STRING) + 1) { - debug("Bad key file %.200s.", filename); + /* Check that it is at least big enough to contain the ID string. */ + if (len < sizeof(authfile_id_string)) { + debug3("Bad RSA1 key file %.200s.", filename); buffer_free(&buffer); return 0; } @@ -343,9 +348,9 @@ * Make sure it begins with the id string. Consume the id string * from the buffer. */ - for (i = 0; i < (unsigned int) strlen(AUTHFILE_ID_STRING) + 1; i++) - if (buffer_get_char(&buffer) != (unsigned char) AUTHFILE_ID_STRING[i]) { - debug("Bad key file %.200s.", filename); + for (i = 0; i < sizeof(authfile_id_string); i++) + if (buffer_get_char(&buffer) != authfile_id_string[i]) { + debug3("Bad RSA1 key file %.200s.", filename); buffer_free(&buffer); return 0; } 
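Review bot: in load_public_key the new `case KEY_DSA: case KEY_RSA:` labels fall straight into `default: break;`, so they document intent but change nothing; SSH2 public keys remain loadable only through do_load_public_key() later in this file. Either route those cases there or replace the labels with a comment saying SSH2 public keys are handled elsewhere, so a reader does not assume they are supported here.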
@@ -378,8 +383,8 @@ /* Rest of the buffer is encrypted. Decrypt it using the passphrase. */ cipher_set_key_string(&ciphercontext, cipher, passphrase); - cipher_decrypt(&ciphercontext, (unsigned char *) cp, - (unsigned char *) buffer_ptr(&buffer), buffer_len(&buffer)); + cipher_decrypt(&ciphercontext, (u_char *) cp, + (u_char *) buffer_ptr(&buffer), buffer_len(&buffer)); memset(&ciphercontext, 0, sizeof(ciphercontext)); buffer_free(&buffer); 
@@ -431,40 +436,59 @@ } int -load_private_key_dsa(int fd, const char *passphrase, Key *k, char **comment_return) +load_private_key_ssh2(int fd, const char *passphrase, Key *k, char **comment_return) { - DSA *dsa; - BIO *in; FILE *fp; + int success = 0; + EVP_PKEY *pk = NULL; + char *name = ""; - in = BIO_new(BIO_s_file()); - if (in == NULL) { - error("BIO_new failed"); - return 0; - } fp = fdopen(fd, "r"); if (fp == NULL) { error("fdopen failed"); return 0; } - BIO_set_fp(in, fp, BIO_NOCLOSE); - dsa = PEM_read_bio_DSAPrivateKey(in, NULL, NULL, (char *)passphrase); - if (dsa == NULL) { - debug("PEM_read_bio_DSAPrivateKey failed"); - } else { + pk = PEM_read_PrivateKey(fp, NULL, NULL, (char *)passphrase); + if (pk == NULL) { + debug("PEM_read_PrivateKey failed"); + (void)ERR_get_error(); + } else if (pk->type == EVP_PKEY_RSA) { + /* replace k->rsa with loaded key */ + if (k->type == KEY_RSA || k->type == KEY_UNSPEC) { + if (k->rsa != NULL) + RSA_free(k->rsa); + k->rsa = EVP_PKEY_get1_RSA(pk); + k->type = KEY_RSA; + name = "rsa w/o comment"; + success = 1; +#ifdef DEBUG_PK + RSA_print_fp(stderr, k->rsa, 8); +#endif + } + } else if (pk->type == EVP_PKEY_DSA) { /* replace k->dsa with loaded key */ - DSA_free(k->dsa); - k->dsa = dsa; + if (k->type == KEY_DSA || k->type == KEY_UNSPEC) { + if (k->dsa != NULL) + DSA_free(k->dsa); + k->dsa = EVP_PKEY_get1_DSA(pk); + k->type = KEY_DSA; + name = "dsa w/o comment"; +#ifdef DEBUG_PK + DSA_print_fp(stderr, k->dsa, 8); +#endif + success = 1; + } + } else { + error("PEM_read_PrivateKey: mismatch or " + "unknown EVP_PKEY save_type %d", pk->save_type); } - BIO_free(in); fclose(fp); - if (comment_return) - *comment_return = xstrdup("dsa w/o comment"); - debug("read DSA private key done"); -#ifdef DEBUG_DSS - DSA_print_fp(stderr, dsa, 8); -#endif - return dsa != NULL ? 
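Review bot: the EVP_PKEY_RSA and EVP_PKEY_DSA branches succeed only when `k->type` matches or is KEY_UNSPEC, but the inner `if` has no `else`, so a type mismatch (file holds RSA, caller asked for KEY_DSA) returns 0 silently; the final `else` is the only place that reports "mismatch or unknown EVP_PKEY save_type", and the mismatch case never reaches it. Add an `else error(...)` to each inner check or restructure so that message is actually emitted. Also, `(void)ERR_get_error()` pops a single entry from OpenSSL's error queue; if a wrong passphrase pushes more than one, stale errors remain for the next caller (ERR_clear_error() drops them all).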
1 : 0; + if (pk != NULL) + EVP_PKEY_free(pk); + if (success && comment_return) + *comment_return = xstrdup(name); + debug("read SSH2 private key done: name %s success %d", name, success); + return success; } int @@ -484,7 +508,7 @@ if (check_ntsec(filename)) #endif if (fstat(fd, &st) < 0 || - (st.st_uid != 0 && st.st_uid != getuid()) || + (st.st_uid != 0 && getuid() != 0 && st.st_uid != getuid()) || (st.st_mode & 077) != 0) { close(fd); error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); @@ -496,7 +520,7 @@ return 0; } switch (key->type) { - case KEY_RSA: + case KEY_RSA1: if (key->rsa->e != NULL) { BN_clear_free(key->rsa->e); key->rsa->e = NULL; @@ -505,11 +529,13 @@ BN_clear_free(key->rsa->n); key->rsa->n = NULL; } - ret = load_private_key_rsa(fd, filename, passphrase, + ret = load_private_key_rsa1(fd, filename, passphrase, key->rsa, comment_return); break; case KEY_DSA: - ret = load_private_key_dsa(fd, passphrase, key, comment_return); + case KEY_RSA: + case KEY_UNSPEC: + ret = load_private_key_ssh2(fd, passphrase, key, comment_return); default: break; } @@ -521,7 +547,6 @@ do_load_public_key(const char *filename, Key *k, char **commentp) { FILE *f; - unsigned int bits; char line[1024]; char *cp; 
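Review bot: `case KEY_UNSPEC: ret = load_private_key_ssh2(...);` is not followed by a `break;` and falls into `default: break;`; harmless now, but add the break so a later default body is not executed by accident. Also, the permission check now exempts root (`getuid() != 0`) from the ownership test, so root can load key files owned by any user without the warning; if this is for sshd or host-key use, a short comment saying so would stop it being read as a loosening of the client-side check.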
@@ -540,8 +565,7 @@ for (; *cp && (*cp == ' ' || *cp == '\t'); cp++) ; if (*cp) { - bits = key_read(k, &cp); - if (bits != 0) { + if (key_read(k, &cp) == 1) { if (commentp) *commentp=xstrdup(filename); fclose(f); Only in openssh-2.3.0p1: bsd-arc4random.c Only in openssh-2.3.0p1: bsd-arc4random.h Only in openssh-2.3.0p1: bsd-base64.c Only in openssh-2.3.0p1: bsd-base64.h Only in openssh-2.3.0p1: bsd-bindresvport.c Only in openssh-2.3.0p1: bsd-bindresvport.h Only in openssh-2.3.0p1: bsd-daemon.c Only in openssh-2.3.0p1: bsd-daemon.h Only in openssh-2.3.0p1: bsd-getcwd.c Only in openssh-2.3.0p1: bsd-getcwd.h Only in openssh-2.3.0p1: bsd-inet_aton.c Only in openssh-2.3.0p1: bsd-inet_aton.h Only in openssh-2.3.0p1: bsd-inet_ntoa.c Only in openssh-2.3.0p1: bsd-inet_ntoa.h Only in openssh-2.3.0p1: bsd-misc.c Only in openssh-2.3.0p1: bsd-misc.h Only in openssh-2.3.0p1: bsd-mktemp.c Only in openssh-2.3.0p1: bsd-mktemp.h Only in openssh-2.3.0p1: bsd-realpath.c Only in openssh-2.3.0p1: bsd-realpath.h Only in openssh-2.3.0p1: bsd-rresvport.c Only in openssh-2.3.0p1: bsd-rresvport.h Only in openssh-2.3.0p1: bsd-setenv.c Only in openssh-2.3.0p1: bsd-setenv.h Only in openssh-2.3.0p1: bsd-setproctitle.c Only in openssh-2.3.0p1: bsd-setproctitle.h Only in openssh-2.3.0p1: bsd-sigaction.c Only in openssh-2.3.0p1: bsd-sigaction.h Only in openssh-2.3.0p1: bsd-snprintf.c Only in openssh-2.3.0p1: bsd-snprintf.h Only in openssh-2.3.0p1: bsd-strlcat.c Only in openssh-2.3.0p1: bsd-strlcat.h Only in openssh-2.3.0p1: bsd-strlcpy.c Only in openssh-2.3.0p1: bsd-strlcpy.h Only in openssh-2.3.0p1: bsd-strsep.c Only in openssh-2.3.0p1: bsd-strsep.h Only in openssh-2.3.0p1: bsd-strtok.c Only in openssh-2.3.0p1: bsd-strtok.h Only in openssh-2.3.0p1: bsd-vis.c Only in openssh-2.3.0p1: bsd-vis.h Only in openssh-2.3.0p1: bsd-waitpid.c Only in openssh-2.3.0p1: bsd-waitpid.h diff -ru openssh-2.3.0p1/bufaux.c openssh-2.5.1p1/bufaux.c --- openssh-2.3.0p1/bufaux.c 2000-09-16 13:29:08.000000000 +1100 +++ 
openssh-2.5.1p1/bufaux.c 2001-01-24 03:26:52.000000000 +1100 @@ -37,13 +37,13 @@ */ #include "includes.h" -RCSID("$OpenBSD: bufaux.c,v 1.13 2000/09/07 20:27:50 deraadt Exp $"); +RCSID("$OpenBSD: bufaux.c,v 1.17 2001/01/21 19:05:45 markus Exp $"); -#include "ssh.h" #include #include "bufaux.h" #include "xmalloc.h" #include "getput.h" +#include "log.h" /* * Stores an BIGNUM in the buffer with a 2-byte msb first bit count, followed @@ -54,7 +54,7 @@ { int bits = BN_num_bits(value); int bin_size = (bits + 7) / 8; - char unsigned *buf = xmalloc(bin_size); + u_char *buf = xmalloc(bin_size); int oi; char msg[2]; @@ -81,7 +81,7 @@ buffer_get_bignum(Buffer *buffer, BIGNUM *value) { int bits, bytes; - unsigned char buf[2], *bin; + u_char buf[2], *bin; /* Get the number for bits. */ buffer_get(buffer, (char *) buf, 2); @@ -90,7 +90,7 @@ bytes = (bits + 7) / 8; if (buffer_len(buffer) < bytes) fatal("buffer_get_bignum: input buffer too small"); - bin = (unsigned char*) buffer_ptr(buffer); + bin = (u_char *) buffer_ptr(buffer); BN_bin2bn(bin, bytes, value); buffer_consume(buffer, bytes); @@ -104,7 +104,7 @@ buffer_put_bignum2(Buffer *buffer, BIGNUM *value) { int bytes = BN_num_bytes(value) + 1; - unsigned char *buf = xmalloc(bytes); + u_char *buf = xmalloc(bytes); int oi; int hasnohigh = 0; buf[0] = '\0'; @@ -117,7 +117,7 @@ if (value->neg) { /**XXX should be two's-complement */ int i, carry; - unsigned char *uc = buf; + u_char *uc = buf; log("negativ!"); for(i = bytes-1, carry = 1; i>=0; i--) { uc[i] ^= 0xff; @@ -135,7 +135,7 @@ { /**XXX should be two's-complement */ int len; - unsigned char *bin = (unsigned char *)buffer_get_string(buffer, (unsigned int *)&len); + u_char *bin = (u_char *)buffer_get_string(buffer, (u_int *)&len); BN_bin2bn(bin, len, value); xfree(bin); return len; 
@@ -144,25 +144,45 @@ /* * Returns an integer from the buffer (4 bytes, msb first). */ -unsigned int +u_int buffer_get_int(Buffer *buffer) { - unsigned char buf[4]; + u_char buf[4]; buffer_get(buffer, (char *) buf, 4); return GET_32BIT(buf); } +#ifdef HAVE_U_INT64_T +u_int64_t +buffer_get_int64(Buffer *buffer) +{ + u_char buf[8]; + buffer_get(buffer, (char *) buf, 8); + return GET_64BIT(buf); +} +#endif + /* * Stores an integer in the buffer in 4 bytes, msb first. */ void -buffer_put_int(Buffer *buffer, unsigned int value) +buffer_put_int(Buffer *buffer, u_int value) { char buf[4]; PUT_32BIT(buf, value); buffer_append(buffer, buf, 4); } +#ifdef HAVE_U_INT64_T +void +buffer_put_int64(Buffer *buffer, u_int64_t value) +{ + char buf[8]; + PUT_64BIT(buf, value); + buffer_append(buffer, buf, 8); +} +#endif + /* * Returns an arbitrary binary string from the buffer. The string cannot * be longer than 256k. The returned value points to memory allocated @@ -172,9 +192,9 @@ * to the returned string, and is not counted in length. */ char * -buffer_get_string(Buffer *buffer, unsigned int *length_ptr) +buffer_get_string(Buffer *buffer, u_int *length_ptr) { - unsigned int len; + u_int len; char *value; /* Get the length. */ len = buffer_get_int(buffer); @@ -196,7 +216,7 @@ * Stores and arbitrary binary string in the buffer. */ void -buffer_put_string(Buffer *buffer, const void *buf, unsigned int len) +buffer_put_string(Buffer *buffer, const void *buf, u_int len) { buffer_put_int(buffer, len); buffer_append(buffer, buf, len); @@ -215,7 +235,7 @@ { char ch; buffer_get(buffer, &ch, 1); - return (unsigned char) ch; + return (u_char) ch; } /* diff -ru openssh-2.3.0p1/bufaux.h openssh-2.5.1p1/bufaux.h --- openssh-2.3.0p1/bufaux.h 2000-09-16 13:29:08.000000000 +1100 +++ openssh-2.5.1p1/bufaux.h 2001-01-24 03:26:52.000000000 +1100 
@@ -10,12 +10,13 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: bufaux.h,v 1.8 2000/09/07 20:27:50 deraadt Exp $"); */ +/* RCSID("$OpenBSD: bufaux.h,v 1.11 2001/01/21 19:05:45 markus Exp $"); */ #ifndef BUFAUX_H #define BUFAUX_H #include "buffer.h" +#include /* * Stores an BIGNUM in the buffer with a 2-byte msb first bit count, followed @@ -29,10 +30,16 @@ int buffer_get_bignum2(Buffer *buffer, BIGNUM * value); /* Returns an integer from the buffer (4 bytes, msb first). */ -unsigned int buffer_get_int(Buffer * buffer); +u_int buffer_get_int(Buffer * buffer); +#ifdef HAVE_U_INT64_T +u_int64_t buffer_get_int64(Buffer *buffer); +#endif /* Stores an integer in the buffer in 4 bytes, msb first. */ -void buffer_put_int(Buffer * buffer, unsigned int value); +void buffer_put_int(Buffer * buffer, u_int value); +#ifdef HAVE_U_INT64_T +void buffer_put_int64(Buffer *buffer, u_int64_t value); +#endif /* Returns a character from the buffer (0 - 255). */ int buffer_get_char(Buffer * buffer); @@ -48,10 +55,10 @@ * stored there. A null character will be automatically appended to the * returned string, and is not counted in length. */ -char *buffer_get_string(Buffer * buffer, unsigned int *length_ptr); +char *buffer_get_string(Buffer * buffer, u_int *length_ptr); /* Stores and arbitrary binary string in the buffer. */ -void buffer_put_string(Buffer * buffer, const void *buf, unsigned int len); +void buffer_put_string(Buffer * buffer, const void *buf, u_int len); void buffer_put_cstring(Buffer *buffer, const char *s); #endif /* BUFAUX_H */ diff -ru openssh-2.3.0p1/buffer.c openssh-2.5.1p1/buffer.c --- openssh-2.3.0p1/buffer.c 2000-09-16 13:29:08.000000000 +1100 +++ openssh-2.5.1p1/buffer.c 2001-01-22 16:34:40.000000000 +1100 
@@ -12,11 +12,11 @@ */ #include "includes.h" -RCSID("$OpenBSD: buffer.c,v 1.8 2000/09/07 20:27:50 deraadt Exp $"); +RCSID("$OpenBSD: buffer.c,v 1.10 2001/01/21 19:05:45 markus Exp $"); #include "xmalloc.h" #include "buffer.h" -#include "ssh.h" +#include "log.h" /* Initializes the buffer structure. */ @@ -53,7 +53,7 @@ /* Appends data to the buffer, expanding it if necessary. */ void -buffer_append(Buffer *buffer, const char *data, unsigned int len) +buffer_append(Buffer *buffer, const char *data, u_int len) { char *cp; buffer_append_space(buffer, &cp, len); @@ -67,7 +67,7 @@ */ void -buffer_append_space(Buffer *buffer, char **datap, unsigned int len) +buffer_append_space(Buffer *buffer, char **datap, u_int len) { /* If the buffer is empty, start using it from the beginning. */ if (buffer->offset == buffer->end) { @@ -100,7 +100,7 @@ /* Returns the number of bytes of data in the buffer. */ -unsigned int +u_int buffer_len(Buffer *buffer) { return buffer->end - buffer->offset; @@ -109,7 +109,7 @@ /* Gets data from the beginning of the buffer. */ void -buffer_get(Buffer *buffer, char *buf, unsigned int len) +buffer_get(Buffer *buffer, char *buf, u_int len) { if (len > buffer->end - buffer->offset) fatal("buffer_get: trying to get more bytes than in buffer"); @@ -120,7 +120,7 @@ /* Consumes the given number of bytes from the beginning of the buffer. */ void -buffer_consume(Buffer *buffer, unsigned int bytes) +buffer_consume(Buffer *buffer, u_int bytes) { if (bytes > buffer->end - buffer->offset) fatal("buffer_consume: trying to get more bytes than in buffer"); @@ -130,7 +130,7 @@ /* Consumes the given number of bytes from the end of the buffer. */ void -buffer_consume_end(Buffer *buffer, unsigned int bytes) +buffer_consume_end(Buffer *buffer, u_int bytes) { if (bytes > buffer->end - buffer->offset) fatal("buffer_consume_end: trying to get more bytes than in buffer"); 
@@ -151,7 +151,7 @@ buffer_dump(Buffer *buffer) { int i; - unsigned char *ucp = (unsigned char *) buffer->buf; + u_char *ucp = (u_char *) buffer->buf; for (i = buffer->offset; i < buffer->end; i++) fprintf(stderr, " %02x", ucp[i]); diff -ru openssh-2.3.0p1/buffer.h openssh-2.5.1p1/buffer.h --- openssh-2.3.0p1/buffer.h 2000-09-16 13:29:08.000000000 +1100 +++ openssh-2.5.1p1/buffer.h 2000-12-22 12:43:59.000000000 +1100 @@ -11,16 +11,16 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: buffer.h,v 1.6 2000/09/07 20:27:50 deraadt Exp $"); */ +/* RCSID("$OpenBSD: buffer.h,v 1.7 2000/12/19 23:17:55 markus Exp $"); */ #ifndef BUFFER_H #define BUFFER_H typedef struct { char *buf; /* Buffer for data. */ - unsigned int alloc; /* Number of bytes allocated for data. */ - unsigned int offset; /* Offset of first byte containing data. */ - unsigned int end; /* Offset of last byte containing data. */ + u_int alloc; /* Number of bytes allocated for data. */ + u_int offset; /* Offset of first byte containing data. */ + u_int end; /* Offset of last byte containing data. */ } Buffer; /* Initializes the buffer structure. */ void buffer_init(Buffer * buffer); 
@@ -33,26 +33,26 @@ void buffer_clear(Buffer * buffer); /* Appends data to the buffer, expanding it if necessary. */ -void buffer_append(Buffer * buffer, const char *data, unsigned int len); +void buffer_append(Buffer * buffer, const char *data, u_int len); /* * Appends space to the buffer, expanding the buffer if necessary. This does * not actually copy the data into the buffer, but instead returns a pointer * to the allocated region. */ -void buffer_append_space(Buffer * buffer, char **datap, unsigned int len); +void buffer_append_space(Buffer * buffer, char **datap, u_int len); /* Returns the number of bytes of data in the buffer. */ -unsigned int buffer_len(Buffer * buffer); +u_int buffer_len(Buffer * buffer); /* Gets data from the beginning of the buffer. */ -void buffer_get(Buffer * buffer, char *buf, unsigned int len); +void buffer_get(Buffer * buffer, char *buf, u_int len); /* Consumes the given number of bytes from the beginning of the buffer. */ -void buffer_consume(Buffer * buffer, unsigned int bytes); +void buffer_consume(Buffer * buffer, u_int bytes); /* Consumes the given number of bytes from the end of the buffer. */ -void buffer_consume_end(Buffer * buffer, unsigned int bytes); +void buffer_consume_end(Buffer * buffer, u_int bytes); /* Returns a pointer to the first used byte in the buffer. */ char *buffer_ptr(Buffer * buffer); diff -ru openssh-2.3.0p1/canohost.c openssh-2.5.1p1/canohost.c --- openssh-2.3.0p1/canohost.c 2000-10-28 14:19:58.000000000 +1100 +++ openssh-2.5.1p1/canohost.c 2001-02-11 08:39:49.000000000 +1100 @@ -12,11 +12,14 @@ */ #include "includes.h" -RCSID("$OpenBSD: canohost.c,v 1.16 2000/10/21 17:04:22 markus Exp $"); +RCSID("$OpenBSD: canohost.c,v 1.23 2001/02/10 01:33:32 markus Exp $"); #include "packet.h" #include "xmalloc.h" -#include "ssh.h" +#include "log.h" +#include "canohost.h" + +void check_ip_options(int socket, char *ipaddr); /* * Return the canonical name of the host at the other end of the socket. The 
@@ -24,23 +27,21 @@ */ char * -get_remote_hostname(int socket) +get_remote_hostname(int socket, int reverse_mapping_check) { struct sockaddr_storage from; int i; socklen_t fromlen; struct addrinfo hints, *ai, *aitop; - char name[MAXHOSTNAMELEN]; - char ntop[NI_MAXHOST], ntop2[NI_MAXHOST]; + char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST]; /* Get IP address of client. */ fromlen = sizeof(from); memset(&from, 0, sizeof(from)); - if (getpeername(socket, (struct sockaddr *) & from, &fromlen) < 0) { + if (getpeername(socket, (struct sockaddr *) &from, &fromlen) < 0) { debug("getpeername failed: %.100s", strerror(errno)); fatal_cleanup(); } - #ifdef IPV4_IN_IPV6 if (from.ss_family == AF_INET6) { struct sockaddr_in6 *from6 = (struct sockaddr_in6 *)&from; 
@@ -56,178 +57,197 @@ port = from6->sin6_port; memset(&from, 0, sizeof(from)); - + from4->sin_family = AF_INET; memcpy(&from4->sin_addr, &addr, sizeof(addr)); from4->sin_port = port; } } #endif + if (from.ss_family == AF_INET) + check_ip_options(socket, ntop); if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed"); + debug("Trying to reverse map address %.100s.", ntop); /* Map the IP address to a host name. */ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), - NULL, 0, NI_NAMEREQD) == 0) { - /* Got host name. */ - name[sizeof(name) - 1] = '\0'; - /* - * Convert it to all lowercase (which is expected by the rest - * of this software). - */ - for (i = 0; name[i]; i++) - if (isupper(name[i])) - name[i] = tolower(name[i]); - - /* - * Map it back to an IP address and check that the given - * address actually is an address of this host. This is - * necessary because anyone with access to a name server can - * define arbitrary names for an IP address. Mapping from - * name to IP address can be trusted better (but can still be - * fooled if the intruder has access to the name server of - * the domain). - */ - memset(&hints, 0, sizeof(hints)); - hints.ai_family = from.ss_family; - hints.ai_socktype = SOCK_STREAM; - if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { - log("reverse mapping checking getaddrinfo for %.700s failed - POSSIBLE BREAKIN ATTEMPT!", name); - strlcpy(name, ntop, sizeof name); - goto check_ip_options; - } - /* Look for the address from the list of addresses. */ - for (ai = aitop; ai; ai = ai->ai_next) { - if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, - sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && - (strcmp(ntop, ntop2) == 0)) - break; - } - freeaddrinfo(aitop); - /* If we reached the end of the list, the address was not there. */ - if (!ai) { - /* Address not found for the host name. 
*/ - log("Address %.100s maps to %.600s, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!", - ntop, name); - strlcpy(name, ntop, sizeof name); - goto check_ip_options; - } - /* Address was found for the host name. We accept the host name. */ - } else { - /* Host name not found. Use ascii representation of the address. */ - strlcpy(name, ntop, sizeof name); - log("Could not reverse map address %.100s.", name); + NULL, 0, NI_NAMEREQD) != 0) { + /* Host name not found. Use ip address. */ + log("Could not reverse map address %.100s.", ntop); + return xstrdup(ntop); } -check_ip_options: - + /* Got host name. */ + name[sizeof(name) - 1] = '\0'; /* - * If IP options are supported, make sure there are none (log and - * disconnect them if any are found). Basically we are worried about - * source routing; it can be used to pretend you are somebody - * (ip-address) you are not. That itself may be "almost acceptable" - * under certain circumstances, but rhosts autentication is useless - * if source routing is accepted. Notice also that if we just dropped - * source routing here, the other side could use IP spoofing to do - * rest of the interaction and could still bypass security. So we - * exit here if we detect any IP options. + * Convert it to all lowercase (which is expected by the rest + * of this software). */ - /* IP options -- IPv4 only */ - if (from.ss_family == AF_INET) { - unsigned char options[200], *ucp; - char text[1024], *cp; - socklen_t option_size; - int ipproto; - struct protoent *ip; + for (i = 0; name[i]; i++) + if (isupper(name[i])) + name[i] = tolower(name[i]); - if ((ip = getprotobyname("ip")) != NULL) - ipproto = ip->p_proto; - else - ipproto = IPPROTO_IP; - option_size = sizeof(options); - if (getsockopt(socket, ipproto, IP_OPTIONS, (char *) options, - &option_size) >= 0 && option_size != 0) { - cp = text; - /* Note: "text" buffer must be at least 3x as big as options. 
*/ - for (ucp = options; option_size > 0; ucp++, option_size--, cp += 3) - sprintf(cp, " %2.2x", *ucp); - log("Connection from %.100s with IP options:%.800s", - ntop, text); - packet_disconnect("Connection from %.100s with IP options:%.800s", - ntop, text); - } + if (!reverse_mapping_check) + return xstrdup(name); + /* + * Map it back to an IP address and check that the given + * address actually is an address of this host. This is + * necessary because anyone with access to a name server can + * define arbitrary names for an IP address. Mapping from + * name to IP address can be trusted better (but can still be + * fooled if the intruder has access to the name server of + * the domain). + */ + memset(&hints, 0, sizeof(hints)); + hints.ai_family = from.ss_family; + hints.ai_socktype = SOCK_STREAM; + if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { + log("reverse mapping checking getaddrinfo for %.700s " + "failed - POSSIBLE BREAKIN ATTEMPT!", name); + return xstrdup(ntop); + } + /* Look for the address from the list of addresses. */ + for (ai = aitop; ai; ai = ai->ai_next) { + if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, + sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && + (strcmp(ntop, ntop2) == 0)) + break; + } + freeaddrinfo(aitop); + /* If we reached the end of the list, the address was not there. */ + if (!ai) { + /* Address not found for the host name. */ + log("Address %.100s maps to %.600s, but this does not " + "map back to the address - POSSIBLE BREAKIN ATTEMPT!", + ntop, name); + return xstrdup(ntop); } - return xstrdup(name); } /* + * If IP options are supported, make sure there are none (log and + * disconnect them if any are found). Basically we are worried about + * source routing; it can be used to pretend you are somebody + * (ip-address) you are not. That itself may be "almost acceptable" + * under certain circumstances, but rhosts autentication is useless + * if source routing is accepted. 
Notice also that if we just dropped + * source routing here, the other side could use IP spoofing to do + * rest of the interaction and could still bypass security. So we + * exit here if we detect any IP options. + */ +/* IPv4 only */ +void +check_ip_options(int socket, char *ipaddr) +{ + u_char options[200]; + char text[sizeof(options) * 3 + 1]; + socklen_t option_size; + int i, ipproto; + struct protoent *ip; + + if ((ip = getprotobyname("ip")) != NULL) + ipproto = ip->p_proto; + else + ipproto = IPPROTO_IP; + option_size = sizeof(options); + if (getsockopt(socket, ipproto, IP_OPTIONS, (void *)options, + &option_size) >= 0 && option_size != 0) { + text[0] = '\0'; + for (i = 0; i < option_size; i++) + snprintf(text + i*3, sizeof(text) - i*3, + " %2.2x", options[i]); + log("Connection from %.100s with IP options:%.800s", + ipaddr, text); + packet_disconnect("Connection from %.100s with IP options:%.800s", + ipaddr, text); + } +} + +/* * Return the canonical name of the host in the other side of the current * connection. The host name is cached, so it is efficient to call this * several times. */ const char * -get_canonical_hostname() +get_canonical_hostname(int reverse_mapping_check) { static char *canonical_host_name = NULL; + static int reverse_mapping_checked = 0; - /* Check if we have previously retrieved this same name. */ - if (canonical_host_name != NULL) - return canonical_host_name; + /* Check if we have previously retrieved name with same option. */ + if (canonical_host_name != NULL) { + if (reverse_mapping_checked != reverse_mapping_check) + xfree(canonical_host_name); + else + return canonical_host_name; + } /* Get the real hostname if socket; otherwise return UNKNOWN. 
*/ if (packet_connection_is_on_socket()) - canonical_host_name = get_remote_hostname(packet_get_connection_in()); + canonical_host_name = get_remote_hostname( + packet_get_connection_in(), reverse_mapping_check); else canonical_host_name = xstrdup("UNKNOWN"); + reverse_mapping_checked = reverse_mapping_check; return canonical_host_name; } /* - * Returns the IP-address of the remote host as a string. The returned - * string must not be freed. + * Returns the remote IP-address of socket as a string. The returned + * string must be freed. */ -const char * -get_remote_ipaddr() +char * +get_peer_ipaddr(int socket) { - static char *canonical_host_ip = NULL; struct sockaddr_storage from; socklen_t fromlen; - int socket; char ntop[NI_MAXHOST]; - /* Check whether we have chached the name. */ - if (canonical_host_ip != NULL) - return canonical_host_ip; - - /* If not a socket, return UNKNOWN. */ - if (!packet_connection_is_on_socket()) { - canonical_host_ip = xstrdup("UNKNOWN"); - return canonical_host_ip; - } - /* Get client socket. */ - socket = packet_get_connection_in(); - /* Get IP address of client. */ fromlen = sizeof(from); memset(&from, 0, sizeof(from)); if (getpeername(socket, (struct sockaddr *) & from, &fromlen) < 0) { - debug("getpeername failed: %.100s", strerror(errno)); - fatal_cleanup(); + debug("get_peer_ipaddr: getpeername failed: %.100s", strerror(errno)); + return NULL; } /* Get the IP address in ascii. */ if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop), - NULL, 0, NI_NUMERICHOST) != 0) - fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed"); + NULL, 0, NI_NUMERICHOST) != 0) { + error("get_peer_ipaddr: getnameinfo NI_NUMERICHOST failed"); + return NULL; + } + return xstrdup(ntop); +} + +/* + * Returns the IP-address of the remote host as a string. The returned + * string must not be freed. 
+ */ - canonical_host_ip = xstrdup(ntop); +const char * +get_remote_ipaddr() +{ + static char *canonical_host_ip = NULL; - /* Return ip address string. */ + /* Check whether we have cached the ipaddr. */ + if (canonical_host_ip == NULL) { + if (packet_connection_is_on_socket()) { + canonical_host_ip = + get_peer_ipaddr(packet_get_connection_in()); + if (canonical_host_ip == NULL) + fatal_cleanup(); + } else { + /* If not on socket, return UNKNOWN. */ + canonical_host_ip = xstrdup("UNKNOWN"); + } + } return canonical_host_ip; } Only in openssh-2.5.1p1: canohost.h diff -ru openssh-2.3.0p1/channels.c openssh-2.5.1p1/channels.c --- openssh-2.3.0p1/channels.c 2000-10-28 14:19:58.000000000 +1100 +++ openssh-2.5.1p1/channels.c 2001-02-17 02:56:31.000000000 +1100 @@ -40,24 +40,24 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.72 2000/10/27 07:48:22 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.92 2001/02/16 13:38:18 markus Exp $"); + +#include +#include #include "ssh.h" +#include "ssh1.h" +#include "ssh2.h" #include "packet.h" #include "xmalloc.h" #include "buffer.h" #include "uidswap.h" -#include "readconf.h" -#include "servconf.h" - +#include "log.h" +#include "misc.h" #include "channels.h" #include "nchan.h" #include "compat.h" - -#include "ssh2.h" - -#include -#include +#include "canohost.h" #include "key.h" #include "authfd.h" @@ -84,7 +84,7 @@ * Maximum file descriptor value used in any of the channels. This is * updated in channel_allocate. */ -static int channel_max_fd_value = 0; +static int channel_max_fd = 0; /* Name and directory of socket for authentication agent forwarding. */ static char *channel_forwarded_auth_socket_name = NULL; 
@@ -95,14 +95,14 @@ /* Saved X11 authentication data. This is the real data. */ char *x11_saved_data = NULL; -unsigned int x11_saved_data_len = 0; +u_int x11_saved_data_len = 0; /* * Fake X11 authentication data. This is what the server will be sending us; * we should replace any occurrences of this by the real data. */ char *x11_fake_data = NULL; -unsigned int x11_fake_data_len; +u_int x11_fake_data_len; /* * Data structure for storing which hosts are permitted for forward requests. @@ -130,6 +130,9 @@ /* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */ static int have_hostname_in_open = 0; +/* AF_UNSPEC or AF_INET or AF_INET6 */ +extern int IPv4or6; + /* Sets specific protocol options. */ void @@ -178,12 +181,10 @@ int extusage, int nonblock) { /* Update the maximum file descriptor value. */ - if (rfd > channel_max_fd_value) - channel_max_fd_value = rfd; - if (wfd > channel_max_fd_value) - channel_max_fd_value = wfd; - if (efd > channel_max_fd_value) - channel_max_fd_value = efd; + channel_max_fd = MAX(channel_max_fd, rfd); + channel_max_fd = MAX(channel_max_fd, wfd); + channel_max_fd = MAX(channel_max_fd, efd); + /* XXX set close-on-exec -markus */ c->rfd = rfd; @@ -192,6 +193,18 @@ c->efd = efd; c->extended_usage = extusage; + /* XXX ugly hack: nonblock is only set by the server */ + if (nonblock && isatty(c->rfd)) { + debug("channel: %d: rfd %d isatty", c->self, c->rfd); + c->isatty = 1; + if (!isatty(c->wfd)) { + error("channel: %d: wfd %d is not a tty?", + c->self, c->wfd); + } + } else { + c->isatty = 0; + } + /* enable nonblocking mode */ if (nonblock) { if (rfd != -1) 
@@ -307,9 +320,13 @@ channel_free(int id) { Channel *c = channel_lookup(id); + char *s = channel_open_message(); + if (c == NULL) packet_disconnect("channel free: bad local channel %d", id); - debug("channel_free: channel %d: status: %s", id, channel_open_message()); + debug("channel_free: channel %d: status: %s", id, s); + xfree(s); + if (c->dettach_user != NULL) { debug("channel_free: channel %d: dettaching channel user", id); c->dettach_user(c->self, NULL); @@ -346,6 +363,13 @@ } void +channel_pre_connecting(Channel *c, fd_set * readset, fd_set * writeset) +{ + debug3("channel %d: waiting for connection", c->self); + FD_SET(c->sock, writeset); +} + +void channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset) { if (buffer_len(&c->input) < packet_get_maxsize()) @@ -429,15 +453,15 @@ int x11_open_helper(Channel *c) { - unsigned char *ucp; - unsigned int proto_len, data_len; + u_char *ucp; + u_int proto_len, data_len; /* Check if the fixed size part of the packet is in buffer. */ if (buffer_len(&c->output) < 12) return 0; /* Parse the lengths of variable-length fields. */ - ucp = (unsigned char *) buffer_ptr(&c->output); + ucp = (u_char *) buffer_ptr(&c->output); if (ucp[0] == 0x42) { /* Byte order MSB first. */ proto_len = 256 * ucp[6] + ucp[7]; data_len = 256 * ucp[8] + ucp[9]; @@ -534,7 +558,7 @@ struct sockaddr addr; int newsock, newch; socklen_t addrlen; - char buf[16384], *remote_hostname; + char buf[16384], *remote_ipaddr; int remote_port; if (FD_ISSET(c->sock, readset)) { @@ -545,10 +569,10 @@ error("accept: %.100s", strerror(errno)); return; } - remote_hostname = get_remote_hostname(newsock); + remote_ipaddr = get_peer_ipaddr(newsock); remote_port = get_peer_port(newsock); snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", - remote_hostname, remote_port); + remote_ipaddr, remote_port); newch = channel_new("x11", SSH_CHANNEL_OPENING, newsock, newsock, -1, 
@@ -560,8 +584,8 @@ packet_put_int(newch); packet_put_int(c->local_window_max); packet_put_int(c->local_maxpacket); - /* originator host and port */ - packet_put_cstring(remote_hostname); + /* originator ipaddr and port */ + packet_put_cstring(remote_ipaddr); if (datafellows & SSH_BUG_X11FWD) { debug("ssh2 x11 bug compat mode"); } else { @@ -575,7 +599,7 @@ packet_put_string(buf, strlen(buf)); packet_send(); } - xfree(remote_hostname); + xfree(remote_ipaddr); } } @@ -588,9 +612,12 @@ struct sockaddr addr; int newsock, newch; socklen_t addrlen; - char buf[1024], *remote_hostname; + char buf[1024], *remote_ipaddr, *rtype; int remote_port; + rtype = (c->type == SSH_CHANNEL_RPORT_LISTENER) ? + "forwarded-tcpip" : "direct-tcpip"; + if (FD_ISSET(c->sock, readset)) { debug("Connection to port %d forwarding " "to %.100s port %d requested.", 
@@ -601,28 +628,35 @@ error("accept: %.100s", strerror(errno)); return; } - remote_hostname = get_remote_hostname(newsock); + remote_ipaddr = get_peer_ipaddr(newsock); remote_port = get_peer_port(newsock); snprintf(buf, sizeof buf, "listen port %d for %.100s port %d, " "connect from %.200s port %d", c->listening_port, c->path, c->host_port, - remote_hostname, remote_port); - newch = channel_new("direct-tcpip", + remote_ipaddr, remote_port); + + newch = channel_new(rtype, SSH_CHANNEL_OPENING, newsock, newsock, -1, c->local_window_max, c->local_maxpacket, 0, xstrdup(buf), 1); if (compat20) { packet_start(SSH2_MSG_CHANNEL_OPEN); - packet_put_cstring("direct-tcpip"); + packet_put_cstring(rtype); packet_put_int(newch); packet_put_int(c->local_window_max); packet_put_int(c->local_maxpacket); - /* target host and port */ - packet_put_string(c->path, strlen(c->path)); - packet_put_int(c->host_port); + if (c->type == SSH_CHANNEL_RPORT_LISTENER) { + /* listen address, port */ + packet_put_string(c->path, strlen(c->path)); + packet_put_int(c->listening_port); + } else { + /* target host, port */ + packet_put_string(c->path, strlen(c->path)); + packet_put_int(c->host_port); + } /* originator host and port */ - packet_put_cstring(remote_hostname); + packet_put_cstring(remote_ipaddr); packet_put_int(remote_port); packet_send(); } else { @@ -635,7 +669,7 @@ } packet_send(); } - xfree(remote_hostname); + xfree(remote_ipaddr); } } 
@@ -657,14 +691,46 @@ error("accept from auth socket: %.100s", strerror(errno)); return; } - newch = channel_allocate(SSH_CHANNEL_OPENING, newsock, - xstrdup("accepted auth socket")); - packet_start(SSH_SMSG_AGENT_OPEN); - packet_put_int(newch); + newch = channel_new("accepted auth socket", + SSH_CHANNEL_OPENING, newsock, newsock, -1, + c->local_window_max, c->local_maxpacket, + 0, xstrdup("accepted auth socket"), 1); + if (compat20) { + packet_start(SSH2_MSG_CHANNEL_OPEN); + packet_put_cstring("auth-agent@openssh.com"); + packet_put_int(newch); + packet_put_int(c->local_window_max); + packet_put_int(c->local_maxpacket); + } else { + packet_start(SSH_SMSG_AGENT_OPEN); + packet_put_int(newch); + } packet_send(); } } +void +channel_post_connecting(Channel *c, fd_set * readset, fd_set * writeset) +{ + if (FD_ISSET(c->sock, writeset)) { + int err = 0; + int sz = sizeof(err); + c->type = SSH_CHANNEL_OPEN; + if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, (char *)&err, &sz) < 0) { + debug("getsockopt SO_ERROR failed"); + } else { + if (err == 0) { + debug("channel %d: connected)", c->self); + } else { + debug("channel %d: not connected: %s", + c->self, strerror(err)); + chan_read_failed(c); + chan_write_failed(c); + } + } + } +} + int channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset) { @@ -722,6 +788,20 @@ } return -1; } + if (compat20 && c->isatty) { + struct termios tio; + if (tcgetattr(c->wfd, &tio) == 0 && + !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { + /* + * Simulate echo to reduce the impact of + * traffic analysis. + */ + packet_start(SSH2_MSG_IGNORE); + memset(buffer_ptr(&c->output), 0, len); + packet_put_string(buffer_ptr(&c->output), len); + packet_send(); + } + } buffer_consume(&c->output, len); if (compat20 && len > 0) { c->local_consumed += len; 
@@ -820,11 +900,17 @@ channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_20; channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; + channel_pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener; channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; + channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; + channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_2; channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; + channel_post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener; channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; + channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; + channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; } void @@ -837,12 +923,14 @@ channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining; channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining; + channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1; channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13; + channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; } void 
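Review bot: SSH_CHANNEL_RPORT_LISTENER is registered only in the protocol-2 handler table (first hunk) and not in the 1.3 and 1.5 tables, which matches the channels.c comment that -R style listeners exist only for protocol 2; a one-line comment beside the first table saying so would keep the next reader from "fixing" the asymmetry. SSH_CHANNEL_CONNECTING, by contrast, is wired identically into all three tables, which is what the non-blocking connect_to() needs.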
@@ -853,11 +941,13 @@ channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; + channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1; + channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; } void @@ -899,9 +989,27 @@ } void -channel_prepare_select(fd_set * readset, fd_set * writeset) +channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp) { - channel_handler(channel_pre, readset, writeset); + int n; + u_int sz; + + n = MAX(*maxfdp, channel_max_fd); + + sz = howmany(n+1, NFDBITS) * sizeof(fd_mask); + if (*readsetp == NULL || n > *maxfdp) { + if (*readsetp) + xfree(*readsetp); + if (*writesetp) + xfree(*writesetp); + *readsetp = xmalloc(sz); + *writesetp = xmalloc(sz); + *maxfdp = n; + } + memset(*readsetp, 0, sz); + memset(*writesetp, 0, sz); + + channel_handler(channel_pre, *readsetp, *writesetp); } void @@ -910,7 +1018,7 @@ channel_handler(channel_post, readset, writeset); } -/* If there is data to send to the connection, send some of it now. */ +/* If there is data to send to the connection, enqueue some of it now. */ void channel_output_poll() @@ -1007,7 +1115,7 @@ { int id; char *data; - unsigned int data_len; + u_int data_len; Channel *c; /* Get the channel number and verify it. */ @@ -1053,7 +1161,7 @@ int id; int tcode; char *data; - unsigned int data_len; + u_int data_len; Channel *c; /* Get the channel number and verify it. */ @@ -1096,7 +1204,7 @@ int channel_not_very_much_buffered_data() { - unsigned int i; + u_int i; Channel *c; for (i = 0; i < channels_alloc; i++) { 
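Review bot: in the new channel_prepare_select(), `sz` is computed from `n` but the sets are reallocated only when `n > *maxfdp`; when they are reused, `sz` is at most the size they were allocated with (because *maxfdp >= n), so the two memset() calls stay in bounds, but that invariant is easy to break. Put the `howmany(n+1, NFDBITS) * sizeof(fd_mask)` expression in a small helper and use it wherever these sets are cleared, since clientloop.c's select() error path in this same patch clears them with a different byte count.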
@@ -1235,7 +1343,8 @@ void channel_input_open_failure(int type, int plen, void *ctxt) { - int id; + int id, reason; + char *msg = NULL, *lang = NULL; Channel *c; if (!compat20) @@ -1248,13 +1357,18 @@ packet_disconnect("Received open failure for " "non-opening channel %d.", id); if (compat20) { - int reason = packet_get_int(); - char *msg = packet_get_string(NULL); - char *lang = packet_get_string(NULL); - log("channel_open_failure: %d: reason %d: %s", id, reason, msg); + reason = packet_get_int(); + if (packet_remaining() > 0) { + msg = packet_get_string(NULL); + lang = packet_get_string(NULL); + } packet_done(); - xfree(msg); - xfree(lang); + log("channel_open_failure: %d: reason %d %s", id, + reason, msg ? msg : ""); + if (msg != NULL) + xfree(msg); + if (lang != NULL) + xfree(lang); } /* Free the channel. This will also close the socket. */ channel_free(id); @@ -1326,6 +1440,7 @@ channel_free(i); break; case SSH_CHANNEL_PORT_LISTENER: + case SSH_CHANNEL_RPORT_LISTENER: case SSH_CHANNEL_X11_LISTENER: close(channels[i].sock); channel_free(i); @@ -1350,27 +1465,21 @@ channel_close_fds(&channels[i]); } -/* Returns the maximum file descriptor number used by the channels. */ - -int -channel_max_fd() -{ - return channel_max_fd_value; -} - /* Returns true if any channel is still open. */ int channel_still_open() { - unsigned int i; + u_int i; for (i = 0; i < channels_alloc; i++) switch (channels[i].type) { case SSH_CHANNEL_FREE: case SSH_CHANNEL_X11_LISTENER: case SSH_CHANNEL_PORT_LISTENER: + case SSH_CHANNEL_RPORT_LISTENER: case SSH_CHANNEL_CLOSED: case SSH_CHANNEL_AUTH_SOCKET: + case SSH_CHANNEL_CONNECTING: /* XXX ??? */ continue; case SSH_CHANNEL_LARVAL: if (!compat20) 
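Review bot: channel_still_open() now treats SSH_CHANNEL_CONNECTING as not open (`case SSH_CHANNEL_CONNECTING: /* XXX ??? */` then `continue;`), while the switch in the following hunk groups CONNECTING with OPENING and OPEN. If the last remaining channel is still connecting, the caller may conclude the session is finished before the connect() result is known; resolve the XXX one way or the other and say why. The optional msg/lang handling in channel_input_open_failure (`if (packet_remaining() > 0)`) is a good robustness change since older peers omit those strings.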
@@ -1414,11 +1523,13 @@ case SSH_CHANNEL_FREE: case SSH_CHANNEL_X11_LISTENER: case SSH_CHANNEL_PORT_LISTENER: + case SSH_CHANNEL_RPORT_LISTENER: case SSH_CHANNEL_CLOSED: case SSH_CHANNEL_AUTH_SOCKET: continue; case SSH_CHANNEL_LARVAL: case SSH_CHANNEL_OPENING: + case SSH_CHANNEL_CONNECTING: case SSH_CHANNEL_OPEN: case SSH_CHANNEL_X11_OPEN: case SSH_CHANNEL_INPUT_DRAINING: @@ -1446,19 +1557,48 @@ * Initiate forwarding of connections to local port "port" through the secure * channel to host:port from remote side. */ +int +channel_request_local_forwarding(u_short listen_port, const char *host_to_connect, + u_short port_to_connect, int gateway_ports) +{ + return channel_request_forwarding( + NULL, listen_port, + host_to_connect, port_to_connect, + gateway_ports, /*remote_fwd*/ 0); +} -void -channel_request_local_forwarding(u_short port, const char *host, - u_short host_port, int gateway_ports) +/* + * If 'remote_fwd' is true we have a '-R style' listener for protocol 2 + * (SSH_CHANNEL_RPORT_LISTENER). + */ +int +channel_request_forwarding( + const char *listen_address, u_short listen_port, + const char *host_to_connect, u_short port_to_connect, + int gateway_ports, int remote_fwd) { - int success, ch, sock, on = 1; + int success, ch, sock, on = 1, ctype; struct addrinfo hints, *ai, *aitop; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; + const char *host; struct linger linger; - if (strlen(host) > sizeof(channels[0].path) - 1) - packet_disconnect("Forward host name too long."); + success = 0; + + if (remote_fwd) { + host = listen_address; + ctype = SSH_CHANNEL_RPORT_LISTENER; + } else { + host = host_to_connect; + ctype =SSH_CHANNEL_PORT_LISTENER; + } + + if (strlen(host) > sizeof(channels[0].path) - 1) { + error("Forward host name too long."); + return success; + } + /* XXX listen_address is currently ignored */ /* * getaddrinfo returns a loopback address if the hostname is * set to NULL and hints.ai_flags is not AI_PASSIVE 
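Review bot: the new `listen_address` parameter of channel_request_forwarding() is accepted and then explicitly dropped (`/* XXX listen_address is currently ignored */`), so a -R request carrying a specific bind address is bound according to `gateway_ports` alone; state that in the channels.h comment or callers will assume the address is honoured. Minor: `ctype =SSH_CHANNEL_PORT_LISTENER;` is missing the space after `=`. Returning 0 with error() instead of packet_disconnect() for an over-long host name is the right change now that the function has a return value.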
@@ -1467,17 +1607,16 @@ hints.ai_family = IPv4or6; hints.ai_flags = gateway_ports ? AI_PASSIVE : 0; hints.ai_socktype = SOCK_STREAM; - snprintf(strport, sizeof strport, "%d", port); + snprintf(strport, sizeof strport, "%d", listen_port); if (getaddrinfo(NULL, strport, &hints, &aitop) != 0) packet_disconnect("getaddrinfo: fatal error"); - success = 0; for (ai = aitop; ai; ai = ai->ai_next) { if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) continue; if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { - error("channel_request_local_forwarding: getnameinfo failed"); + error("channel_request_forwarding: getnameinfo failed"); continue; } /* Create a port to listen for the host. */ @@ -1504,7 +1643,7 @@ error("bind: %.100s", strerror(errno)); else verbose("bind: %.100s", strerror(errno)); - + close(sock); continue; } @@ -1515,19 +1654,19 @@ continue; } /* Allocate a channel number for the socket. */ - ch = channel_new( - "port listener", SSH_CHANNEL_PORT_LISTENER, - sock, sock, -1, + ch = channel_new("port listener", ctype, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, xstrdup("port listener"), 1); strlcpy(channels[ch].path, host, sizeof(channels[ch].path)); - channels[ch].host_port = host_port; - channels[ch].listening_port = port; + channels[ch].host_port = port_to_connect; + channels[ch].listening_port = listen_port; success = 1; } if (success == 0) - packet_disconnect("cannot listen port: %d", port); + error("channel_request_forwarding: cannot listen to port: %d", + listen_port); freeaddrinfo(aitop); + return success; } /* 
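Review bot: the `close(sock);` added in the bind() failure path fixes a descriptor leak for every address that fails to bind; check that the listen() failure path just above the channel_new() call (the `continue;` at the top of the -1515 hunk) closes the socket the same way. With the new return value, partial success (one address family bound, the other not) still returns 1, which is reasonable but deserves a comment at `success = 1;`.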
@@ -1536,19 +1675,15 @@ */ void -channel_request_remote_forwarding(u_short listen_port, const char *host_to_connect, - u_short port_to_connect) +channel_request_remote_forwarding(u_short listen_port, + const char *host_to_connect, u_short port_to_connect) { - int payload_len; + int payload_len, type, success = 0; + /* Record locally that connection to this host/port is permitted. */ if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) fatal("channel_request_remote_forwarding: too many forwards"); - permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); - permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; - permitted_opens[num_permitted_opens].listen_port = listen_port; - num_permitted_opens++; - /* Send the forward request to the remote side. */ if (compat20) { const char *address_to_bind = "0.0.0.0"; @@ -1557,6 +1692,10 @@ packet_put_char(0); /* boolean: want reply */ packet_put_cstring(address_to_bind); packet_put_int(listen_port); + packet_send(); + packet_write_wait(); + /* Assume that server accepts the request */ + success = 1; } else { packet_start(SSH_CMSG_PORT_FORWARD_REQUEST); packet_put_int(listen_port); 
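Review bot: the protocol-2 branch sends the forward request with `packet_put_char(0); /* boolean: want reply */` and then sets `success = 1` under `/* Assume that server accepts the request */`, so the entry is added to permitted_opens even when the server denies it, whereas the protocol-1 branch waits for SSH_SMSG_SUCCESS or SSH_SMSG_FAILURE. Requesting a reply and handling SSH2_MSG_REQUEST_SUCCESS / SSH2_MSG_REQUEST_FAILURE would make the two paths consistent; at minimum the comment should say the result is unknown rather than assumed.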
@@ -1564,11 +1703,27 @@ packet_put_int(port_to_connect); packet_send(); packet_write_wait(); - /* - * Wait for response from the remote side. It will send a disconnect - * message on failure, and we will never see it here. - */ - packet_read_expect(&payload_len, SSH_SMSG_SUCCESS); + + /* Wait for response from the remote side. */ + type = packet_read(&payload_len); + switch (type) { + case SSH_SMSG_SUCCESS: + success = 1; + break; + case SSH_SMSG_FAILURE: + log("Warning: Server denied remote port forwarding."); + break; + default: + /* Unknown packet */ + packet_disconnect("Protocol error for port forward request:" + "received packet type %d.", type); + } + } + if (success) { + permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); + permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; + permitted_opens[num_permitted_opens].listen_port = listen_port; + num_permitted_opens++; } } @@ -1598,9 +1753,7 @@ packet_disconnect("Requested forwarding of port %d but user is not root.", port); #endif - /* - * Initiate forwarding, - */ + /* Initiate forwarding */ channel_request_local_forwarding(port, hostname, host_port, gateway_ports); /* Free the argument string. */ 
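Review bot: in the second hunk, channel_input_port_forward_request() still calls `channel_request_local_forwarding(port, hostname, host_port, gateway_ports);` and discards the new int return value. Because channel_request_forwarding() now reports a failed bind with error() and returns 0 instead of calling packet_disconnect(), a forward request that cannot be satisfied is silently accepted here; propagate the result so the caller can answer the client accordingly, or at least log it at this level.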
@@ -1638,24 +1791,40 @@ error("socket: %.100s", strerror(errno)); continue; } + if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0) + fatal("connect_to: F_SETFL: %s", strerror(errno)); /* Connect to the host/port. */ - if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { + if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 && + errno != EINPROGRESS) { error("connect %.100s port %s: %.100s", ntop, strport, strerror(errno)); close(sock); - continue; /* fail -- try next */ + continue; /* fail -- try next */ } break; /* success */ } freeaddrinfo(aitop); if (!ai) { - error("connect %.100s port %d: failed.", host, host_port); + error("connect %.100s port %d: failed.", host, host_port); return -1; } /* success */ return sock; } +int +channel_connect_by_listen_adress(u_short listen_port) +{ + int i; + for (i = 0; i < num_permitted_opens; i++) + if (permitted_opens[i].listen_port == listen_port) + return channel_connect_to( + permitted_opens[i].host_to_connect, + permitted_opens[i].port_to_connect); + error("WARNING: Server requests forwarding for unknown listen_port %d", + listen_port); + return -1; +} /* * This is called after receiving PORT_OPEN message. This attempts to @@ -1669,7 +1838,7 @@ u_short host_port; char *host, *originator_string; int remote_channel, sock = -1, newch, i, denied; - unsigned int host_len, originator_len; + u_int host_len, originator_len; /* Get remote channel number. */ remote_channel = packet_get_int(); @@ -1712,7 +1881,9 @@ sock = denied ? -1 : channel_connect_to(host, host_port); if (sock > 0) { /* Allocate a channel for this connection. */ - newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string); + newch = channel_allocate(SSH_CHANNEL_CONNECTING, + sock, originator_string); +/*XXX delay answer? */ channels[newch].remote_id = remote_channel; packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); @@ -1796,6 +1967,7 @@ break; #endif } + freeaddrinfo(aitop); if (num_socks > 0) break; } 
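Review bot: in the channel_input_port_open() hunk the channel is now allocated as SSH_CHANNEL_CONNECTING (connect_to() sets O_NONBLOCK and returns on EINPROGRESS) but SSH_MSG_CHANNEL_OPEN_CONFIRMATION is still sent immediately; the `/*XXX delay answer? */` marker should be resolved, because a connect() that later fails can only be reported as a close on an already-confirmed channel (channel_post_connecting() calls chan_read_failed/chan_write_failed) rather than as an open failure. Separately, `channel_connect_by_listen_adress` misspells "address" in a new exported identifier; rename it before callers pick it up (channels.h already declares it).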
@@ -1815,12 +1987,11 @@ } /* Set up a suitable value for the DISPLAY variable. */ - if (gethostname(hostname, sizeof(hostname)) < 0) fatal("gethostname: %.100s", strerror(errno)); #ifdef IPADDR_IN_DISPLAY - /* + /* * HPUX detects the local hostname in the DISPLAY variable and tries * to set up a shared memory connection to the server, which it * incorrectly supposes to be local. @@ -1849,13 +2020,13 @@ memcpy(&my_addr, he->h_addr_list[0], sizeof(struct in_addr)); /* Set DISPLAY to :screen.display */ - snprintf(display, sizeof(display), "%.50s:%d.%d", inet_ntoa(my_addr), - display_number, screen_number); + snprintf(display, sizeof(display), "%.50s:%d.%d", inet_ntoa(my_addr), + display_number, screen_number); } #else /* IPADDR_IN_DISPLAY */ /* Just set DISPLAY to hostname:screen.display */ snprintf(display, sizeof display, "%.400s:%d.%d", hostname, - display_number, screen_number); + display_number, screen_number); #endif /* IPADDR_IN_DISPLAY */ /* Allocate a channel for each socket. */ @@ -1877,7 +2048,7 @@ static int -connect_local_xsocket(unsigned int dnr) +connect_local_xsocket(u_int dnr) { static const char *const x_sockets[] = { X_UNIX_PATH "%u", @@ -2010,7 +2181,7 @@ { int remote_channel, sock = 0, newch; char *remote_host; - unsigned int remote_len; + u_int remote_len; /* Get remote channel number. */ remote_channel = packet_get_int(); @@ -2081,8 +2252,8 @@ x11_request_forwarding_with_spoofing(int client_session_id, const char *proto, const char *data) { - unsigned int data_len = (unsigned int) strlen(data) / 2; - unsigned int i, value; + u_int data_len = (u_int) strlen(data) / 2; + u_int i, value, len; char *new_data; int screen_number; const char *cp; 
@@ -2120,9 +2291,11 @@ x11_fake_data_len = data_len; /* Convert the fake data into hex. */ - new_data = xmalloc(2 * data_len + 1); + len = 2 * data_len + 1; + new_data = xmalloc(len); for (i = 0; i < data_len; i++) - sprintf(new_data + 2 * i, "%02x", (unsigned char) x11_fake_data[i]); + snprintf(new_data + 2 * i, len - 2 * i, + "%02x", (u_char) x11_fake_data[i]); /* Send the request packet. */ if (compat20) { @@ -2233,8 +2406,11 @@ packet_disconnect("listen: %.100s", strerror(errno)); /* Allocate a channel for the authentication agent socket. */ - newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock, - xstrdup("auth socket")); + newch = channel_new("auth socket", + SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1, + CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, + 0, xstrdup("auth socket"), 1); + strlcpy(channels[newch].path, channel_forwarded_auth_socket_name, sizeof(channels[newch].path)); return 1; @@ -2364,7 +2540,7 @@ } c->dettach_user = NULL; } -void +void channel_register_filter(int id, channel_filter_fn *fn) { Channel *c = channel_lookup(id); diff -ru openssh-2.3.0p1/channels.h openssh-2.5.1p1/channels.h --- openssh-2.3.0p1/channels.h 2000-10-28 14:19:58.000000000 +1100 +++ openssh-2.5.1p1/channels.h 2001-02-16 12:34:57.000000000 +1100 @@ -32,7 +32,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* RCSID("$OpenBSD: channels.h,v 1.22 2000/10/27 07:48:22 markus Exp $"); */ +/* RCSID("$OpenBSD: channels.h,v 1.27 2001/02/15 23:19:59 markus Exp $"); */ #ifndef CHANNELS_H #define CHANNELS_H 
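Review bot: the snprintf() bound `len - 2 * i` in x11_request_forwarding_with_spoofing() is correct, since the remaining space shrinks by two each iteration and still includes the NUL. In the auth-socket hunk the listener is created with CHAN_X11_WINDOW_DEFAULT / CHAN_X11_PACKET_DEFAULT; that works, but an agent socket is not an X11 channel, so either add a comment that the X11 values are deliberately reused or give the agent channel its own constants.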
@@ -49,7 +49,9 @@ #define SSH_CHANNEL_INPUT_DRAINING 8 /* sending remaining data to conn */ #define SSH_CHANNEL_OUTPUT_DRAINING 9 /* sending remaining data to app */ #define SSH_CHANNEL_LARVAL 10 /* larval session */ -#define SSH_CHANNEL_MAX_TYPE 11 +#define SSH_CHANNEL_RPORT_LISTENER 11 /* Listening to a R-style port */ +#define SSH_CHANNEL_CONNECTING 12 +#define SSH_CHANNEL_MAX_TYPE 13 /* * Data structure for channel data. This is iniailized in channel_allocate @@ -73,6 +75,7 @@ int wfd; /* write fd */ int efd; /* extended fd */ int sock; /* sock fd */ + int isatty; /* rfd is a tty */ Buffer input; /* data read from socket, to be sent over * encrypted connection */ Buffer output; /* data received over encrypted connection for @@ -147,7 +150,6 @@ void channel_input_open_failure(int type, int plen, void *ctxt); void channel_input_port_open(int type, int plen, void *ctxt); void channel_input_window_adjust(int type, int plen, void *ctxt); -void channel_input_open(int type, int plen, void *ctxt); /* Sets specific protocol options. */ void channel_set_options(int hostname_in_open); @@ -162,8 +164,12 @@ /* Free the channel and close its socket. */ void channel_free(int channel); -/* Add any bits relevant to channels in select bitmasks. */ -void channel_prepare_select(fd_set * readset, fd_set * writeset); +/* + * Allocate/update select bitmasks and add any bits relevant to channels in + * select bitmasks. + */ +void +channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp); /* * After select, perform any appropriate operations for channels which have @@ -187,9 +193,6 @@ */ void channel_close_all(void); -/* Returns the maximum file descriptor number used by the channels. */ -int channel_max_fd(void); - /* Returns true if there is still an open channel over the connection. */ int channel_still_open(void); 
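Review bot: SSH_CHANNEL_CONNECTING is the only state in the list without a trailing comment; add one such as "non-blocking connect() in progress". The new `int isatty; /* rfd is a tty */` comment does not match its use: the channels.c hunk that reads it calls tcgetattr() on c->wfd, so say which descriptor is meant.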
@@ -202,12 +205,15 @@ /* * Initiate forwarding of connections to local port "port" through the secure - * channel to host:port from remote side. This never returns if there was an - * error. + * channel to host:port from remote side. */ -void -channel_request_local_forwarding(u_short port, const char *host, - u_short remote_port, int gateway_ports); +int +channel_request_local_forwarding(u_short listen_port, + const char *host_to_connect, u_short port_to_connect, int gateway_ports); +int +channel_request_forwarding(const char *listen_address, u_short listen_port, + const char *host_to_connect, u_short port_to_connect, int gateway_ports, + int remote_fwd); /* * Initiate forwarding of connections to port "port" on remote host through @@ -288,6 +294,7 @@ /* XXX */ int channel_connect_to(const char *host, u_short host_port); +int channel_connect_by_listen_adress(u_short listen_port); int x11_connect_display(void); #endif diff -ru openssh-2.3.0p1/cipher.c openssh-2.5.1p1/cipher.c --- openssh-2.3.0p1/cipher.c 2000-10-28 14:19:58.000000000 +1100 +++ openssh-2.5.1p1/cipher.c 2001-02-06 05:16:28.000000000 +1100 @@ -35,10 +35,11 @@ */ #include "includes.h" -RCSID("$OpenBSD: cipher.c,v 1.37 2000/10/23 19:31:54 markus Exp $"); +RCSID("$OpenBSD: cipher.c,v 1.43 2001/02/04 15:32:23 stevesk Exp $"); -#include "ssh.h" #include "xmalloc.h" +#include "log.h" +#include "cipher.h" #include 
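Review bot: the comment above channel_request_local_forwarding() was correctly trimmed now that the function returns instead of disconnecting, but channel_request_forwarding() gets no comment at all; document what `remote_fwd` selects and that `listen_address` is currently ignored, as channels.c states. The prototype `int channel_connect_by_listen_adress(u_short listen_port);` carries the "adress" typo from channels.c and should be renamed together with it.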
@@ -154,14 +155,9 @@ memcpy(&iv1, iv2, 8); - des_cbc_encrypt(src, dest, len, cc->u.des3.key1, &iv1, DES_ENCRYPT); - memcpy(&iv1, dest + len - 8, 8); - - des_cbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_DECRYPT); - memcpy(iv2, &iv1, 8); /* Note how iv1 == iv2 on entry and exit. */ - - des_cbc_encrypt(dest, dest, len, cc->u.des3.key3, iv3, DES_ENCRYPT); - memcpy(iv3, dest + len - 8, 8); + des_ncbc_encrypt(src, dest, len, cc->u.des3.key1, &iv1, DES_ENCRYPT); + des_ncbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_DECRYPT); + des_ncbc_encrypt(dest, dest, len, cc->u.des3.key3, iv3, DES_ENCRYPT); } void des3_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src, @@ -173,22 +169,16 @@ memcpy(&iv1, iv2, 8); - des_cbc_encrypt(src, dest, len, cc->u.des3.key3, iv3, DES_DECRYPT); - memcpy(iv3, src + len - 8, 8); - - des_cbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_ENCRYPT); - memcpy(iv2, dest + len - 8, 8); - - des_cbc_encrypt(dest, dest, len, cc->u.des3.key1, &iv1, DES_DECRYPT); - /* memcpy(&iv1, iv2, 8); */ - /* Note how iv1 == iv2 on entry and exit. */ + des_ncbc_encrypt(src, dest, len, cc->u.des3.key3, iv3, DES_DECRYPT); + des_ncbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_ENCRYPT); + des_ncbc_encrypt(dest, dest, len, cc->u.des3.key1, &iv1, DES_DECRYPT); } /* Blowfish */ void blowfish_setkey(CipherContext *cc, const u_char *key, u_int keylen) { - BF_set_key(&cc->u.bf.key, keylen, (unsigned char *)key); + BF_set_key(&cc->u.bf.key, keylen, (u_char *)key); } void blowfish_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) @@ -218,7 +208,7 @@ * and after encryption/decryption. Thus the swap_bytes stuff (yuk). */ static void -swap_bytes(const unsigned char *src, unsigned char *dst, int n) +swap_bytes(const u_char *src, u_char *dst, int n) { char c[4]; 
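Review bot: replacing each des_cbc_encrypt() plus manual `memcpy(iv, dest + len - 8, 8)` pair with des_ncbc_encrypt() is behaviour-preserving: the "n" variant updates the supplied ivec to the last ciphertext block itself, which is exactly what the removed memcpy lines did in both the encrypt pass sequence (iv1, then iv2 taking iv1's value, then iv3) and the decrypt sequence (iv3, iv2), and the SSH1 inner-CBC 3DES layout of three chained CBC passes with three IVs is unchanged. The one difference is that iv1 is now also updated after the final DECRYPT pass, which is harmless because iv1 is a local copy refreshed from iv2 on entry. A one-line comment that the ivec update is relied upon would help the next reader.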
@@ -271,12 +261,12 @@ void cast_setkey(CipherContext *cc, const u_char *key, u_int keylen) { - CAST_set_key(&cc->u.cast.key, keylen, (unsigned char *) key); + CAST_set_key(&cc->u.cast.key, keylen, (u_char *) key); } void cast_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) { - if (iv == NULL) + if (iv == NULL) fatal("no IV for %s.", cc->cipher->name); memcpy(cc->u.cast.iv, (char *)iv, 8); } @@ -305,7 +295,7 @@ void rijndael_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) { - if (iv == NULL) + if (iv == NULL) fatal("no IV for %s.", cc->cipher->name); memcpy((u_char *)cc->u.rijndael.iv, iv, RIJNDAEL_BLOCKSIZE); } @@ -425,15 +415,15 @@ SSH_CIPHER_SSH2, 16, 32, rijndael_setkey, rijndael_setiv, rijndael_cbc_encrypt, rijndael_cbc_decrypt }, - { NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL, NULL, NULL, NULL } + { NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL, NULL, NULL, NULL } }; /*--*/ -unsigned int +u_int cipher_mask_ssh1(int client) { - unsigned int mask = 0; + u_int mask = 0; mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ mask |= 1 << SSH_CIPHER_BLOWFISH; if (client) { @@ -552,7 +542,7 @@ const char *passphrase) { MD5_CTX md; - unsigned char digest[16]; + u_char digest[16]; MD5_Init(&md); MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase)); diff -ru openssh-2.3.0p1/cipher.h openssh-2.5.1p1/cipher.h --- openssh-2.3.0p1/cipher.h 2000-10-14 16:23:12.000000000 +1100 +++ openssh-2.5.1p1/cipher.h 2000-12-22 12:43:59.000000000 +1100 @@ -32,7 +32,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* RCSID("$OpenBSD: cipher.h,v 1.22 2000/10/13 18:59:14 markus Exp $"); */ +/* RCSID("$OpenBSD: cipher.h,v 1.25 2000/12/19 23:17:56 markus Exp $"); */ #ifndef CIPHER_H #define CIPHER_H 
@@ -103,7 +103,7 @@ void (*decrypt)(CipherContext *, u_char *, const u_char *, u_int); }; -unsigned int cipher_mask_ssh1(int client); +u_int cipher_mask_ssh1(int client); Cipher *cipher_by_name(const char *name); Cipher *cipher_by_number(int id); int cipher_number(const char *name); diff -ru openssh-2.3.0p1/cli.c openssh-2.5.1p1/cli.c --- openssh-2.3.0p1/cli.c 2000-11-06 12:39:34.000000000 +1100 +++ openssh-2.5.1p1/cli.c 2001-02-11 08:45:02.000000000 +1100 @@ -1,8 +1,9 @@ #include "includes.h" -RCSID("$OpenBSD: cli.c,v 1.2 2000/10/16 09:38:44 djm Exp $"); +RCSID("$OpenBSD: cli.c,v 1.9 2001/02/10 12:44:02 markus Exp $"); #include "xmalloc.h" -#include "ssh.h" +#include "log.h" +#include "cli.h" static int cli_input = -1; static int cli_output = -1; @@ -31,7 +32,7 @@ cli_input = STDIN_FILENO; cli_output = STDERR_FILENO; } else { - cli_input = cli_output = open("/dev/tty", O_RDWR); + cli_input = cli_output = open(_PATH_TTY, O_RDWR); if (cli_input < 0) fatal("You have no controlling tty. Cannot read passphrase."); } @@ -42,7 +43,7 @@ } static void -cli_close() +cli_close(void) { if (!cli_from_stdin && cli_input >= 0) close(cli_input); @@ -53,13 +54,13 @@ } void -intrcatch() +intrcatch(int sig) { intr = 1; } static void -cli_echo_disable() +cli_echo_disable(void) { sigemptyset(&nset); sigaddset(&nset, SIGTSTP); @@ -82,7 +83,7 @@ } static void -cli_echo_restore() +cli_echo_restore(void) { if (echo_modified != 0) { tcsetattr(cli_input, TCSANOW, &otio); 
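Review bot: giving intrcatch the `(int sig)` signature makes it a conforming signal handler; since it only does `intr = 1;`, make sure `intr` is declared `volatile sig_atomic_t` (its declaration is outside this hunk). Using `_PATH_TTY` instead of the literal "/dev/tty" is fine.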
@@ -129,25 +130,28 @@ } static int -cli_write(char* buf, int size) +cli_write(const char* buf, int size) { int i, len, pos, ret = 0; char *output, *p; output = xmalloc(4*size); for (p = output, i = 0; i < size; i++) { - if (buf[i] == '\n') - *p++ = buf[i]; - else - p = vis(p, buf[i], 0, 0); - } + if (buf[i] == '\n' || buf[i] == '\r') + *p++ = buf[i]; + else + p = vis(p, buf[i], 0, 0); + } len = p - output; for (pos = 0; pos < len; pos += ret) { ret = write(cli_output, output + pos, len - pos); - if (ret == -1) + if (ret == -1) { + xfree(output); return -1; + } } + xfree(output); return 0; } @@ -158,7 +162,7 @@ * buffer is storing the response. */ char* -cli_read_passphrase(char* prompt, int from_stdin, int echo_enable) +cli_read_passphrase(const char* prompt, int from_stdin, int echo_enable) { char buf[BUFSIZ]; char* p; diff -ru openssh-2.3.0p1/cli.h openssh-2.5.1p1/cli.h --- openssh-2.3.0p1/cli.h 2000-11-06 12:39:34.000000000 +1100 +++ openssh-2.5.1p1/cli.h 2001-02-06 05:16:28.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: cli.h,v 1.2 2000/10/16 09:38:44 djm Exp $ */ +/* $OpenBSD: cli.h,v 1.3 2001/01/16 23:58:09 deraadt Exp $ */ #ifndef CLI_H #define CLI_H @@ -9,7 +9,8 @@ * of response depending on arg. Tries to ensure that no other userland * buffer is storing the response. */ -char* cli_read_passphrase(char* prompt, int from_stdin, int echo_enable); +char* cli_read_passphrase(const char* prompt, int from_stdin, + int echo_enable); char* cli_prompt(char* prompt, int echo_enable); void cli_mesg(char* mesg); diff -ru openssh-2.3.0p1/clientloop.c openssh-2.5.1p1/clientloop.c --- openssh-2.3.0p1/clientloop.c 2000-10-28 14:19:58.000000000 +1100 +++ openssh-2.5.1p1/clientloop.c 2001-02-15 14:12:08.000000000 +1100 
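Review bot: the xfree(output) on the write() error path fixes a leak, but the allocation in the context line `output = xmalloc(4*size);` is one byte short for the worst case: vis() emits up to four characters per input byte and always writes a terminating NUL, so when every byte takes the four-character form the NUL lands at output[4*size]. Allocate `4 * size + 1`. Passing '\r' through unchanged alongside '\n' is fine for a terminal prompt.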
@@ -59,22 +59,25 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.39 2000/10/27 07:48:22 markus Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.51 2001/02/13 21:51:09 markus Exp $"); -#include "xmalloc.h" #include "ssh.h" +#include "ssh1.h" +#include "ssh2.h" +#include "xmalloc.h" #include "packet.h" #include "buffer.h" -#include "readconf.h" - -#include "ssh2.h" #include "compat.h" #include "channels.h" #include "dispatch.h" - #include "buffer.h" #include "bufaux.h" - +#include "key.h" +#include "log.h" +#include "readconf.h" +#include "clientloop.h" +#include "authfd.h" +#include "atomicio.h" /* import options */ extern Options options; @@ -119,20 +122,18 @@ static Buffer stdin_buffer; /* Buffer for stdin data. */ static Buffer stdout_buffer; /* Buffer for stdout data. */ static Buffer stderr_buffer; /* Buffer for stderr data. */ -static unsigned long stdin_bytes, stdout_bytes, stderr_bytes; -static unsigned int buffer_high;/* Soft max buffer size. */ -static int max_fd; /* Maximum file descriptor number in select(). */ +static u_long stdin_bytes, stdout_bytes, stderr_bytes; +static u_int buffer_high;/* Soft max buffer size. */ static int connection_in; /* Connection to server (input). */ static int connection_out; /* Connection to server (output). */ - void client_init_dispatch(void); int session_ident = -1; /* Returns the user\'s terminal to normal mode if it had been put in raw mode. */ void -leave_raw_mode() +leave_raw_mode(void) { if (!in_raw_mode) return; @@ -146,7 +147,7 @@ /* Puts the user\'s terminal in raw mode. */ void -enter_raw_mode() +enter_raw_mode(void) { struct termios tio; @@ -172,7 +173,7 @@ /* Restores stdin to blocking mode. */ void -leave_non_blocking() +leave_non_blocking(void) { if (in_non_blocking_mode) { (void) fcntl(fileno(stdin), F_SETFL, 0); 
@@ -184,7 +185,7 @@ /* Puts stdin terminal in non-blocking mode. */ void -enter_non_blocking() +enter_non_blocking(void) { in_non_blocking_mode = 1; (void) fcntl(fileno(stdin), F_SETFL, O_NONBLOCK); @@ -226,7 +227,7 @@ */ double -get_current_time() +get_current_time(void) { struct timeval tv; gettimeofday(&tv, NULL); @@ -240,7 +241,7 @@ */ void -client_check_initial_eof_on_stdin() +client_check_initial_eof_on_stdin(void) { int len; char buf[1]; @@ -276,7 +277,7 @@ * and also process it as an escape character if * appropriate. */ - if ((unsigned char) buf[0] == escape_char) + if ((u_char) buf[0] == escape_char) escape_pending = 1; else { buffer_append(&stdin_buffer, buf, 1); @@ -294,9 +295,9 @@ */ void -client_make_packets_from_stdin_data() +client_make_packets_from_stdin_data(void) { - unsigned int len; + u_int len; /* Send buffered stdin data to the server. */ while (buffer_len(&stdin_buffer) > 0 && @@ -325,7 +326,7 @@ */ void -client_check_window_change() +client_check_window_change(void) { struct winsize ws; 
@@ -362,45 +363,37 @@ */ void -client_wait_until_can_do_something(fd_set * readset, fd_set * writeset) +client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, + int *maxfdp) { - /* Initialize select masks. */ - FD_ZERO(readset); - FD_ZERO(writeset); + /* Add any selections by the channel mechanism. */ + channel_prepare_select(readsetp, writesetp, maxfdp); if (!compat20) { /* Read from the connection, unless our buffers are full. */ if (buffer_len(&stdout_buffer) < buffer_high && buffer_len(&stderr_buffer) < buffer_high && channel_not_very_much_buffered_data()) - FD_SET(connection_in, readset); + FD_SET(connection_in, *readsetp); /* * Read from stdin, unless we have seen EOF or have very much * buffered data to send to the server. */ if (!stdin_eof && packet_not_very_much_data_to_write()) - FD_SET(fileno(stdin), readset); + FD_SET(fileno(stdin), *readsetp); /* Select stdout/stderr if have data in buffer. */ if (buffer_len(&stdout_buffer) > 0) - FD_SET(fileno(stdout), writeset); + FD_SET(fileno(stdout), *writesetp); if (buffer_len(&stderr_buffer) > 0) - FD_SET(fileno(stderr), writeset); + FD_SET(fileno(stderr), *writesetp); } else { - FD_SET(connection_in, readset); + FD_SET(connection_in, *readsetp); } - /* Add any selections by the channel mechanism. */ - channel_prepare_select(readset, writeset); - /* Select server connection if have data to write to the server. */ if (packet_have_data_to_write()) - FD_SET(connection_out, writeset); - -/* move UP XXX */ - /* Update maximum file descriptor number, if appropriate. */ - if (channel_max_fd() > max_fd) - max_fd = channel_max_fd(); + FD_SET(connection_out, *writesetp); /* * Wait for something to happen. This will suspend the process until 
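Review bot: moving `channel_prepare_select(readsetp, writesetp, maxfdp);` to the top of client_wait_until_can_do_something() is required rather than cosmetic, because it now zeroes (and may reallocate) the sets, so any FD_SET placed before it would be lost. Add a comment that the call must stay first, since the old code had it after the FD_SET block and someone may move it back.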
@@ -411,11 +404,17 @@ * SSH_MSG_IGNORE packet when the timeout expires. */ - if (select(max_fd + 1, readset, writeset, NULL, NULL) < 0) { + if (select((*maxfdp)+1, *readsetp, *writesetp, NULL, NULL) < 0) { char buf[100]; - /* Some systems fail to clear these automatically. */ - FD_ZERO(readset); - FD_ZERO(writeset); + + /* + * We have to clear the select masks, because we return. + * We have to return, because the mainloop checks for the flags + * set by the signal handlers. + */ + memset(*readsetp, 0, *maxfdp); + memset(*writesetp, 0, *maxfdp); + if (errno == EINTR) return; /* Note: we might still have data in the buffers. */ @@ -518,8 +517,8 @@ char string[1024]; pid_t pid; int bytes = 0; - unsigned int i; - unsigned char ch; + u_int i; + u_char ch; char *s; for (i = 0; i < len; i++) { @@ -770,7 +769,7 @@ */ void -client_process_buffered_input_packets() +client_process_buffered_input_packets(void) { dispatch_run(DISPATCH_NONBLOCK, &quit_pending, NULL); } @@ -794,6 +793,8 @@ int client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) { + fd_set *readset = NULL, *writeset = NULL; + int max_fd = 0; double start_time, total_time; int len; char buf[100]; @@ -810,9 +811,13 @@ buffer_high = 64 * 1024; connection_in = packet_get_connection_in(); connection_out = packet_get_connection_out(); - max_fd = connection_in; - if (connection_out > max_fd) - max_fd = connection_out; + max_fd = MAX(connection_in, connection_out); + + if (!compat20) { + max_fd = MAX(max_fd, fileno(stdin)); + max_fd = MAX(max_fd, fileno(stdout)); + max_fd = MAX(max_fd, fileno(stderr)); + } stdin_bytes = 0; stdout_bytes = 0; stderr_bytes = 0; 
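Review bot: the select() error path clears the sets with `memset(*readsetp, 0, *maxfdp);` and `memset(*writesetp, 0, *maxfdp);`, using the highest fd number as a byte count. The sets were allocated in channel_prepare_select() with `howmany(n+1, NFDBITS) * sizeof(fd_mask)` bytes, so this clears the wrong amount and, whenever *maxfdp exceeds that size (for example maxfd 100 gives a 16-byte set), writes past the end of the allocation. Compute the same size expression here, or export a helper from channels.c, and use it for both memsets.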
@@ -837,16 +842,18 @@ if (have_pty) enter_raw_mode(); - /* Check if we should immediately send eof on stdin. */ - if (!compat20) + if (compat20) { + session_ident = ssh2_chan_id; + if (escape_char != -1) + channel_register_filter(session_ident, + simple_escape_filter); + } else { + /* Check if we should immediately send eof on stdin. */ client_check_initial_eof_on_stdin(); - - if (compat20 && escape_char != -1) - channel_register_filter(ssh2_chan_id, simple_escape_filter); + } /* Main loop of the client for the interactive session mode. */ while (!quit_pending) { - fd_set readset, writeset; /* Process buffered packets sent by the server. */ client_process_buffered_input_packets(); @@ -864,7 +871,7 @@ client_make_packets_from_stdin_data(); /* - * Make packets from buffered channel data, and buffer them + * Make packets from buffered channel data, and enqueue them * for sending to the server. */ if (packet_not_very_much_data_to_write()) 
@@ -883,34 +890,38 @@ * Wait until we have something to do (something becomes * available on one of the descriptors). */ - client_wait_until_can_do_something(&readset, &writeset); + client_wait_until_can_do_something(&readset, &writeset, &max_fd); if (quit_pending) break; /* Do channel operations. */ - channel_after_select(&readset, &writeset); + channel_after_select(readset, writeset); /* Buffer input from the connection. */ - client_process_net_input(&readset); + client_process_net_input(readset); if (quit_pending) break; if (!compat20) { /* Buffer data from stdin */ - client_process_input(&readset); + client_process_input(readset); /* * Process output to stdout and stderr. Output to * the connection is processed elsewhere (above). */ - client_process_output(&writeset); + client_process_output(writeset); } /* Send as much buffered packet data as possible to the sender. */ - if (FD_ISSET(connection_out, &writeset)) + if (FD_ISSET(connection_out, writeset)) packet_write_poll(); } + if (readset) + xfree(readset); + if (writeset) + xfree(writeset); /* Terminate the session. */ @@ -980,7 +991,7 @@ void client_input_stdout_data(int type, int plen, void *ctxt) { - unsigned int data_len; + u_int data_len; char *data = packet_get_string(&data_len); packet_integrity_check(plen, 4 + data_len, type); buffer_append(&stdout_buffer, data, data_len); @@ -991,7 +1002,7 @@ void client_input_stderr_data(int type, int plen, void *ctxt) { - unsigned int data_len; + u_int data_len; char *data = packet_get_string(&data_len); packet_integrity_check(plen, 4 + data_len, type); buffer_append(&stderr_buffer, data, data_len); 
@@ -1016,14 +1027,102 @@ quit_pending = 1; } +Channel * +client_request_forwarded_tcpip(const char *request_type, int rchan) +{ + Channel* c = NULL; + char *listen_address, *originator_address; + int listen_port, originator_port; + int sock, newch; + + /* Get rest of the packet */ + listen_address = packet_get_string(NULL); + listen_port = packet_get_int(); + originator_address = packet_get_string(NULL); + originator_port = packet_get_int(); + packet_done(); + + debug("client_request_forwarded_tcpip: listen %s port %d, originator %s port %d", + listen_address, listen_port, originator_address, originator_port); + + sock = channel_connect_by_listen_adress(listen_port); + if (sock >= 0) { + newch = channel_new("forwarded-tcpip", + SSH_CHANNEL_CONNECTING, sock, sock, -1, + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0, + xstrdup(originator_address), 1); + c = channel_lookup(newch); + } + xfree(originator_address); + xfree(listen_address); + return c; +} + +Channel* +client_request_x11(const char *request_type, int rchan) +{ + Channel *c = NULL; + char *originator; + int originator_port; + int sock, newch; + + if (!options.forward_x11) { + error("Warning: ssh server tried X11 forwarding."); + error("Warning: this is probably a break in attempt by a malicious server."); + return NULL; + } + originator = packet_get_string(NULL); + if (datafellows & SSH_BUG_X11FWD) { + debug2("buggy server: x11 request w/o originator_port"); + originator_port = 0; + } else { + originator_port = packet_get_int(); + } + packet_done(); + /* XXX check permission */ + debug("client_request_x11: request from %s %d", originator, + originator_port); + sock = x11_connect_display(); + if (sock >= 0) { + newch = channel_new("x11", + SSH_CHANNEL_X11_OPEN, sock, sock, -1, + CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, + xstrdup("x11"), 1); + c = channel_lookup(newch); + } + xfree(originator); + return c; +} + +Channel* +client_request_agent(const char *request_type, int rchan) +{ + 
Channel *c = NULL; + int sock, newch; + + if (!options.forward_agent) { + error("Warning: ssh server tried agent forwarding."); + error("Warning: this is probably a break in attempt by a malicious server."); + return NULL; + } + sock = ssh_get_authentication_socket(); + if (sock >= 0) { + newch = channel_new("authentication agent connection", + SSH_CHANNEL_OPEN, sock, sock, -1, + CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0, + xstrdup("authentication agent connection"), 1); + c = channel_lookup(newch); + } + return c; +} + /* XXXX move to generic input handler */ void client_input_channel_open(int type, int plen, void *ctxt) { Channel *c = NULL; char *ctype; - int id; - unsigned int len; + u_int len; int rchan; int rmaxpack; int rwindow; @@ -1036,28 +1135,12 @@ debug("client_input_channel_open: ctype %s rchan %d win %d max %d", ctype, rchan, rwindow, rmaxpack); - if (strcmp(ctype, "x11") == 0 && options.forward_x11) { - int sock; - char *originator; - int originator_port; - originator = packet_get_string(NULL); - if (datafellows & SSH_BUG_X11FWD) { - debug2("buggy server: x11 request w/o originator_port"); - originator_port = 0; - } else { - originator_port = packet_get_int(); - } - packet_done(); - /* XXX check permission */ - xfree(originator); - /* XXX move to channels.c */ - sock = x11_connect_display(); - if (sock >= 0) { - id = channel_new("x11", SSH_CHANNEL_X11_OPEN, - sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, - CHAN_X11_PACKET_DEFAULT, 0, xstrdup("x11"), 1); - c = channel_lookup(id); - } + if (strcmp(ctype, "forwarded-tcpip") == 0) { + c = client_request_forwarded_tcpip(ctype, rchan); + } else if (strcmp(ctype, "x11") == 0) { + c = client_request_x11(ctype, rchan); + } else if (strcmp(ctype, "auth-agent@openssh.com") == 0) { + c = client_request_agent(ctype, rchan); } /* XXX duplicate : */ if (c != NULL) { 
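Review bot: client_request_forwarded_tcpip validates the server's open request by port alone: listen_address is parsed, logged and freed, and only listen_port is passed to channel_connect_by_listen_adress(), so two remote forwards that differ only in bind address cannot be told apart, and neither listen_port nor originator_port is range-checked before use (packet_get_int() yields a full int, so negative or oversized values reach the lookup and the debug output). Suggest passing listen_address through to the lookup and rejecting ports outside 0..65535 before doing anything else; the misspelling in the identifier (`adress`) is a separate style nit. Smaller points in the same hunk: client_request_x11 carries the old `/* XXX check permission */` over with nothing behind it, and the channel_new() calls disagree about the seventh argument, client_request_x11 passes CHAN_X11_PACKET_DEFAULT there while client_request_agent and client_request_forwarded_tcpip pass CHAN_TCP_WINDOW_DEFAULT, which reads as a window constant used where a max-packet constant belongs. The `request_type` and `rchan` parameters are unused by all three handlers.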
@@ -1083,9 +1166,45 @@ } xfree(ctype); } +void +client_input_channel_req(int type, int plen, void *ctxt) +{ + Channel *c = NULL; + int id, reply, success = 0; + char *rtype; + + id = packet_get_int(); + rtype = packet_get_string(NULL); + reply = packet_get_char(); + + debug("client_input_channel_req: channel %d rtype %s reply %d", + id, rtype, reply); + + if (session_ident == -1) { + error("client_input_channel_req: no channel %d", session_ident); + } else if (id != session_ident) { + error("client_input_channel_req: channel %d: wrong channel: %d", + session_ident, id); + } + c = channel_lookup(id); + if (c == NULL) { + error("client_input_channel_req: channel %d: unknown channel", id); + } else if (strcmp(rtype, "exit-status") == 0) { + success = 1; + exit_status = packet_get_int(); + packet_done(); + } + if (reply) { + packet_start(success ? + SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE); + packet_put_int(c->remote_id); + packet_send(); + } + xfree(rtype); +} void -client_init_dispatch_20() +client_init_dispatch_20(void) { dispatch_init(&dispatch_protocol_error); dispatch_set(SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose); @@ -1095,11 +1214,11 @@ dispatch_set(SSH2_MSG_CHANNEL_OPEN, &client_input_channel_open); dispatch_set(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation); dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); - dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &channel_input_channel_request); + dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &client_input_channel_req); dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust); } void -client_init_dispatch_13() +client_init_dispatch_13(void) { dispatch_init(NULL); dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_close); 
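Review bot: client_input_channel_req dereferences a NULL pointer when the server sends a CHANNEL_REQUEST with want_reply set for a channel id that does not exist: the `c == NULL` branch only logs, and `if (reply)` then runs `packet_put_int(c->remote_id)`. The function this replaces called fatal() at that point; guard the reply with `if (reply && c != NULL)` or return right after the error. Second, the new control flow honours "exit-status" on any existing channel: the session_ident checks form their own if/else-if chain that only logs, after which `c = channel_lookup(id)` and the exit-status branch run regardless of whether `id == session_ident`, whereas the old code chained `else if (strcmp(rtype, "exit-status") == 0)` after the session check. A server could therefore set exit_status through a forwarded-tcpip or x11 channel id; restore the chaining. Third, the first error message prints session_ident, which is known to be -1 in that branch, where the old message printed the offending id. Since in this diff session_ident is only assigned in client_loop's compat20 branch, it is worth a comment that the SSH2_MSG_CHANNEL_REQUEST dispatch entry installed in client_init_dispatch_20 must not be reachable before that assignment.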
@@ -1118,14 +1237,14 @@ &x11_input_open : &deny_input_open); } void -client_init_dispatch_15() +client_init_dispatch_15(void) { client_init_dispatch_13(); dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_ieof); dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, & channel_input_oclose); } void -client_init_dispatch() +client_init_dispatch(void) { if (compat20) client_init_dispatch_20(); @@ -1134,49 +1253,3 @@ else client_init_dispatch_15(); } - -void -client_input_channel_req(int id, void *arg) -{ - Channel *c = NULL; - unsigned int len; - int success = 0; - int reply; - char *rtype; - - rtype = packet_get_string(&len); - reply = packet_get_char(); - - debug("client_input_channel_req: rtype %s reply %d", rtype, reply); - - c = channel_lookup(id); - if (c == NULL) - fatal("client_input_channel_req: channel %d: bad channel", id); - - if (session_ident == -1) { - error("client_input_channel_req: no channel %d", id); - } else if (id != session_ident) { - error("client_input_channel_req: bad channel %d != %d", - id, session_ident); - } else if (strcmp(rtype, "exit-status") == 0) { - success = 1; - exit_status = packet_get_int(); - packet_done(); - } - if (reply) { - packet_start(success ? - SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE); - packet_put_int(c->remote_id); - packet_send(); - } - xfree(rtype); -} - -void -client_set_session_ident(int id) -{ - debug2("client_set_session_ident: id %d", id); - session_ident = id; - channel_register_callback(id, SSH2_MSG_CHANNEL_REQUEST, - client_input_channel_req, (void *)0); -} Only in openssh-2.5.1p1: clientloop.h diff -ru openssh-2.3.0p1/compat.c openssh-2.5.1p1/compat.c --- openssh-2.3.0p1/compat.c 2000-11-05 16:42:36.000000000 +1100 +++ openssh-2.5.1p1/compat.c 2001-02-19 21:51:08.000000000 +1100 
@@ -23,17 +23,22 @@ */ #include "includes.h" -RCSID("$OpenBSD: compat.c,v 1.27 2000/10/31 09:31:58 markus Exp $"); +RCSID("$OpenBSD: compat.c,v 1.35 2001/02/19 09:53:31 markus Exp $"); -#include "ssh.h" -#include "packet.h" -#include "xmalloc.h" -#include "compat.h" #ifdef HAVE_LIBPCRE # include #else /* Use native regex libraries */ -# include -#endif /* HAVE_LIBRX */ +# ifdef HAVE_REGEX_H +# include +# else +# include "fake-regex.h" +# endif +#endif /* HAVE_LIBPCRE */ + +#include "packet.h" +#include "xmalloc.h" +#include "compat.h" +#include "log.h" int compat13 = 0; int compat20 = 0; @@ -62,19 +67,27 @@ char *pat; int bugs; } check[] = { - { "^OpenSSH[-_]2\\.[012]", SSH_OLD_SESSIONID }, + { "^OpenSSH[-_]2\\.[012]", + SSH_OLD_SESSIONID|SSH_BUG_BANNER }, + { "^OpenSSH_2\\.3\\.0", SSH_BUG_BANNER }, + { "^OpenSSH", 0 }, { "MindTerm", 0 }, - { "^2\\.1\\.0 ", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| - SSH_OLD_SESSIONID }, + { "^2\\.1\\.0", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| + SSH_OLD_SESSIONID|SSH_BUG_DEBUG }, + { "^2\\.0\\.1[3-9]", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| + SSH_OLD_SESSIONID|SSH_BUG_DEBUG| + SSH_BUG_PKSERVICE|SSH_BUG_X11FWD }, { "^2\\.0\\.", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| - SSH_OLD_SESSIONID| - SSH_BUG_PUBKEYAUTH|SSH_BUG_X11FWD }, - { "^2\\.[23]\\.0 ", SSH_BUG_HMAC}, + SSH_OLD_SESSIONID|SSH_BUG_DEBUG| + SSH_BUG_PKSERVICE|SSH_BUG_X11FWD| + SSH_BUG_PKAUTH }, + { "^2\\.[23]\\.0", SSH_BUG_HMAC}, { "^2\\.[2-9]\\.", 0 }, { "^2\\.4$", SSH_OLD_SESSIONID}, /* Van Dyke */ { "^3\\.0 SecureCRT", SSH_OLD_SESSIONID}, { "^1\\.7 SecureFX", SSH_OLD_SESSIONID}, - { "^2\\.", SSH_BUG_HMAC}, /* XXX fallback */ + { "^1\\.2\\.1[89]", SSH_BUG_IGNOREMSG}, + { "^1\\.2\\.2[012]", SSH_BUG_IGNOREMSG}, { NULL, 0 } }; /* process table, return first match */ 
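Review bot: dropping the `{ "^2\\.", SSH_BUG_HMAC }` fallback at the end of the table changes the default for any 2.x banner that matches none of the earlier patterns: such peers previously got the HMAC workaround and now get no flags at all (no assignment to datafellows happens on a miss in the visible code). If that is intended, say so in the comment above the table, since the table is explicitly first-match. Two related points: the patterns that lost their trailing space (`^2\\.1\\.0`, `^2\\.[23]\\.0`) now also match longer strings such as 2.1.0x, which is probably fine for the products in question but widens the match, and the new `{ "^OpenSSH", 0 }` entry must stay below the two OpenSSH-specific entries, as it does here, or they become dead. Finally, everything in this table keys off the peer's self-reported version string, so a server can pick its banner to opt into the weaker behaviours (SSH_OLD_SESSIONID, SSH_BUG_HMAC, SSH_BUG_SIGBLOB); a one-line comment stating that the flags only relax interoperability details and never authentication would help the next reader judge new entries.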
@@ -89,7 +102,7 @@ ret = regexec(®, version, 0, NULL, 0); regfree(®); if (ret == 0) { - debug("match: %s pat %s\n", version, check[i].pat); + debug("match: %s pat %s", version, check[i].pat); datafellows = check[i].bugs; return; } diff -ru openssh-2.3.0p1/compat.h openssh-2.5.1p1/compat.h --- openssh-2.3.0p1/compat.h 2000-10-16 12:14:42.000000000 +1100 +++ openssh-2.5.1p1/compat.h 2001-02-19 21:51:08.000000000 +1100 @@ -21,7 +21,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* RCSID("$OpenBSD: compat.h,v 1.11 2000/10/14 12:16:56 markus Exp $"); */ +/* RCSID("$OpenBSD: compat.h,v 1.15 2001/02/19 09:53:31 markus Exp $"); */ #ifndef COMPAT_H #define COMPAT_H @@ -31,11 +31,15 @@ #define SSH_PROTO_1_PREFERRED 0x02 #define SSH_PROTO_2 0x04 -#define SSH_BUG_SIGBLOB 0x01 -#define SSH_BUG_PUBKEYAUTH 0x02 -#define SSH_BUG_HMAC 0x04 -#define SSH_BUG_X11FWD 0x08 -#define SSH_OLD_SESSIONID 0x10 +#define SSH_BUG_SIGBLOB 0x0001 +#define SSH_BUG_PKSERVICE 0x0002 +#define SSH_BUG_HMAC 0x0004 +#define SSH_BUG_X11FWD 0x0008 +#define SSH_OLD_SESSIONID 0x0010 +#define SSH_BUG_PKAUTH 0x0020 +#define SSH_BUG_DEBUG 0x0040 +#define SSH_BUG_BANNER 0x0080 +#define SSH_BUG_IGNOREMSG 0x0100 void enable_compat13(void); void enable_compat20(void); diff -ru openssh-2.3.0p1/compress.c openssh-2.5.1p1/compress.c --- openssh-2.3.0p1/compress.c 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.1p1/compress.c 2001-02-09 13:11:24.000000000 +1100 @@ -12,11 +12,12 @@ */ #include "includes.h" -RCSID("$OpenBSD: compress.c,v 1.9 2000/09/07 20:27:50 deraadt Exp $"); +RCSID("$OpenBSD: compress.c,v 1.13 2001/02/08 19:30:51 itojun Exp $"); -#include "ssh.h" +#include "log.h" #include "buffer.h" #include "zlib.h" +#include "compress.h" static z_stream incoming_stream; static z_stream outgoing_stream; 
@@ -39,7 +40,7 @@ /* Frees any data structures allocated for compression. */ void -buffer_compress_uninit() +buffer_compress_uninit(void) { debug("compress outgoing: raw data %lu, compressed %lu, factor %.2f", outgoing_stream.total_in, outgoing_stream.total_out, @@ -73,13 +74,13 @@ return; /* Input is the contents of the input buffer. */ - outgoing_stream.next_in = (unsigned char *) buffer_ptr(input_buffer); + outgoing_stream.next_in = (u_char *) buffer_ptr(input_buffer); outgoing_stream.avail_in = buffer_len(input_buffer); /* Loop compressing until deflate() returns with avail_out != 0. */ do { /* Set up fixed-size output buffer. */ - outgoing_stream.next_out = (unsigned char *)buf; + outgoing_stream.next_out = (u_char *)buf; outgoing_stream.avail_out = sizeof(buf); /* Compress as much data into the buffer as possible. */ @@ -112,12 +113,12 @@ char buf[4096]; int status; - incoming_stream.next_in = (unsigned char *) buffer_ptr(input_buffer); + incoming_stream.next_in = (u_char *) buffer_ptr(input_buffer); incoming_stream.avail_in = buffer_len(input_buffer); for (;;) { /* Set up fixed-size output buffer. */ - incoming_stream.next_out = (unsigned char *) buf; + incoming_stream.next_out = (u_char *) buf; incoming_stream.avail_out = sizeof(buf); status = inflate(&incoming_stream, Z_PARTIAL_FLUSH); diff -ru openssh-2.3.0p1/compress.h openssh-2.5.1p1/compress.h --- openssh-2.3.0p1/compress.h 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.1p1/compress.h 2000-12-29 09:16:01.000000000 +1100 @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: compress.h,v 1.6 2000/09/07 20:27:50 deraadt Exp $"); */ +/* RCSID("$OpenBSD: compress.h,v 1.7 2000/12/20 19:37:22 markus Exp $"); */ #ifndef COMPRESS_H #define COMPRESS_H 
@@ -23,7 +23,7 @@ void buffer_compress_init(int level); /* Frees any data structures allocated by buffer_compress_init. */ -void buffer_compress_uninit(); +void buffer_compress_uninit(void); /* * Compresses the contents of input_buffer into output_buffer. All packets diff -ru openssh-2.3.0p1/config.h.in openssh-2.5.1p1/config.h.in --- openssh-2.3.0p1/config.h.in 2000-11-06 14:25:18.000000000 +1100 +++ openssh-2.5.1p1/config.h.in 2001-02-19 21:54:43.000000000 +1100 @@ -1,4 +1,6 @@ /* config.h.in. Generated automatically from configure.in by autoheader. */ +/* $Id: acconfig.h,v 1.102 2001/02/18 06:01:00 djm Exp $ */ + #ifndef _CONFIG_H #define _CONFIG_H @@ -12,6 +14,9 @@ /* Define if your struct stat has st_blksize. */ #undef HAVE_ST_BLKSIZE +/* Define if you have the strftime function. */ +#undef HAVE_STRFTIME + /* Define as __inline if that's what the C compiler calls it. */ #undef inline @@ -21,6 +26,7 @@ /* SCO workaround */ #undef BROKEN_SYS_TERMIO_H +#undef HAVE_BOGUS_SYS_QUEUE_H /* Define if you have SCO protected password database */ #undef HAVE_SCO_PROTECTED_PW @@ -32,9 +38,6 @@ /* Define if your password has a pw_class field */ #undef HAVE_PW_CLASS_IN_PASSWD -/* Define if your socketpair() has bugs */ -#undef USE_PIPES - /* Define if your system's struct sockaddr_un has a sun_len member */ #undef HAVE_SUN_LEN_IN_SOCKADDR_UN @@ -77,8 +80,8 @@ /* Define if you are on NEWS-OS */ #undef HAVE_NEWS4 -/* Define if you want to disable PAM support */ -#undef DISABLE_PAM +/* Define if you want to enable PAM support */ +#undef USE_PAM /* Define if you want to enable AIX4's authenticate function */ #undef WITH_AIXAUTHENTICATE @@ -92,6 +95,9 @@ /* Define if you want IRIX audit trails */ #undef WITH_IRIX_AUDIT +/* Define if you want IRIX kernel jobs */ +#undef WITH_IRIX_JOBS + /* Location of random number pool */ #undef RANDOM_POOL 
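Review bot: the PAM macro changes sense, from `DISABLE_PAM` (opt-out) to `USE_PAM` (opt-in), so a default build that previously got PAM now gets none unless configure is run with --with-pam. That needs to be called out in the release notes and in any packaging that relied on the old default, and every `#ifndef DISABLE_PAM` in the tree has to be converted, not just this header. The removal of `USE_PIPES` is likewise a silent change for platforms whose socketpair() needed the workaround; if it is now selected some other way, note where, otherwise the comment that was deleted here ("Define if your socketpair() has bugs") should come back with the new macro.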
@@ -104,6 +110,9 @@ /* Define if your ssl headers are included with #include */ #undef HAVE_OPENSSL +/* struct timeval */ +#undef HAVE_STRUCT_TIMEVAL + /* struct utmp and struct utmpx fields */ #undef HAVE_HOST_IN_UTMP #undef HAVE_HOST_IN_UTMPX @@ -211,6 +220,10 @@ /* to pam_strerror */ #undef HAVE_OLD_PAM +/* Define if you are using Solaris-derived PAM which passes pam_messages */ +/* to the conversation function with an extra level of indirection */ +#undef PAM_SUN_CODEBASE + /* Set this to your mail directory if you don't have maillock.h */ #undef MAIL_DIRECTORY @@ -224,6 +237,7 @@ #undef HAVE_SOCKLEN_T #undef HAVE_SIZE_T #undef HAVE_SSIZE_T +#undef HAVE_CLOCK_T #undef HAVE_MODE_T #undef HAVE_PID_T #undef HAVE_SA_FAMILY_T @@ -236,6 +250,9 @@ #undef HAVE_SS_FAMILY_IN_SS #undef HAVE___SS_FAMILY_IN_SS +/* Define if you have a regcomp() function */ +#undef HAVE_REGCOMP + /* Define if you have /dev/ptmx */ #undef HAVE_DEV_PTMX @@ -249,7 +266,7 @@ #undef USER_PATH /* Specify location of ssh.pid */ -#undef PIDDIR +#undef _PATH_SSH_PIDDIR /* Use IPv4 for connection by default, IPv6 can still if explicity asked */ #undef IPV4_DEFAULT @@ -269,6 +286,9 @@ /* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */ #undef IPV4_IN_IPV6 +/* Define if you have BSD auth support */ +#undef BSD_AUTH + /* The number of bytes in a char. */ #undef SIZEOF_CHAR 
@@ -302,21 +322,24 @@ /* Define if you have the bcopy function. */ #undef HAVE_BCOPY -/* Define if you have the bindresvport_af function. */ -#undef HAVE_BINDRESVPORT_AF +/* Define if you have the bindresvport_sa function. */ +#undef HAVE_BINDRESVPORT_SA /* Define if you have the clock function. */ #undef HAVE_CLOCK -/* Define if you have the entutent function. */ -#undef HAVE_ENTUTENT +/* Define if you have the endutent function. */ +#undef HAVE_ENDUTENT -/* Define if you have the entutxent function. */ -#undef HAVE_ENTUTXENT +/* Define if you have the endutxent function. */ +#undef HAVE_ENDUTXENT /* Define if you have the fchmod function. */ #undef HAVE_FCHMOD +/* Define if you have the fchown function. */ +#undef HAVE_FCHOWN + /* Define if you have the freeaddrinfo function. */ #undef HAVE_FREEADDRINFO @@ -332,12 +355,21 @@ /* Define if you have the getcwd function. */ #undef HAVE_GETCWD +/* Define if you have the getgrouplist function. */ +#undef HAVE_GETGROUPLIST + +/* Define if you have the getluid function. */ +#undef HAVE_GETLUID + /* Define if you have the getnameinfo function. */ #undef HAVE_GETNAMEINFO /* Define if you have the getpwanam function. */ #undef HAVE_GETPWANAM +/* Define if you have the getrlimit function. */ +#undef HAVE_GETRLIMIT + /* Define if you have the getrusage function. */ #undef HAVE_GETRUSAGE @@ -416,6 +448,9 @@ /* Define if you have the rresvport_af function. */ #undef HAVE_RRESVPORT_AF +/* Define if you have the setdtablesize function. */ +#undef HAVE_SETDTABLESIZE + /* Define if you have the setenv function. */ #undef HAVE_SETENV @@ -425,6 +460,9 @@ /* Define if you have the setlogin function. */ #undef HAVE_SETLOGIN +/* Define if you have the setluid function. */ +#undef HAVE_SETLUID + /* Define if you have the setproctitle function. */ #undef HAVE_SETPROCTITLE 
@@ -461,18 +499,30 @@ /* Define if you have the strlcpy function. */ #undef HAVE_STRLCPY +/* Define if you have the strmode function. */ +#undef HAVE_STRMODE + /* Define if you have the strsep function. */ #undef HAVE_STRSEP /* Define if you have the strtok_r function. */ #undef HAVE_STRTOK_R +/* Define if you have the sysconf function. */ +#undef HAVE_SYSCONF + +/* Define if you have the tcgetpgrp function. */ +#undef HAVE_TCGETPGRP + /* Define if you have the time function. */ #undef HAVE_TIME /* Define if you have the updwtmp function. */ #undef HAVE_UPDWTMP +/* Define if you have the utimes function. */ +#undef HAVE_UTIMES + /* Define if you have the utmpname function. */ #undef HAVE_UTMPNAME @@ -509,6 +559,9 @@ /* Define if you have the header file. */ #undef HAVE_LASTLOG_H +/* Define if you have the header file. */ +#undef HAVE_LIBUTIL_H + /* Define if you have the header file. */ #undef HAVE_LIMITS_H @@ -539,6 +592,9 @@ /* Define if you have the header file. */ #undef HAVE_PTY_H +/* Define if you have the header file. */ +#undef HAVE_REGEX_H + /* Define if you have the header file. */ #undef HAVE_SECURITY_PAM_APPL_H @@ -560,6 +616,9 @@ /* Define if you have the header file. */ #undef HAVE_SYS_POLL_H +/* Define if you have the header file. */ +#undef HAVE_SYS_QUEUE_H + /* Define if you have the header file. */ #undef HAVE_SYS_SELECT_H @@ -593,6 +652,9 @@ /* Define if you have the header file. */ #undef HAVE_UTIL_H +/* Define if you have the header file. */ +#undef HAVE_UTIME_H + /* Define if you have the header file. */ #undef HAVE_UTMP_H @@ -602,6 +664,9 @@ /* Define if you have the header file. */ #undef HAVE_VIS_H +/* Define if you have the crypt library (-lcrypt). */ +#undef HAVE_LIBCRYPT + /* Define if you have the dl library (-ldl). */ #undef HAVE_LIBDL 
@@ -611,6 +676,9 @@ /* Define if you have the nsl library (-lnsl). */ #undef HAVE_LIBNSL +/* Define if you have the pam library (-lpam). */ +#undef HAVE_LIBPAM + /* Define if you have the resolv library (-lresolv). */ #undef HAVE_LIBRESOLV diff -ru openssh-2.3.0p1/configure openssh-2.5.1p1/configure --- openssh-2.3.0p1/configure 2000-11-06 14:25:18.000000000 +1100 +++ openssh-2.5.1p1/configure 2001-02-19 21:54:44.000000000 +1100 
@@ -14,31 +14,35 @@ ac_help="$ac_help --with-cflags Specify additional flags to pass to compiler" ac_help="$ac_help - --with-ldlags Specify additional flags to pass to linker" + --with-cppflags Specify additional flags to pass to preprocessor " +ac_help="$ac_help + --with-ldflags Specify additional flags to pass to linker" ac_help="$ac_help --with-libs Specify additional libraries to link with" ac_help="$ac_help - --without-pam Disable PAM support " + --with-pcre Override built in regex library with pcre" ac_help="$ac_help - --with-ssl-dir=PATH Specify path to OpenSSL installation " + --with-kerberos4=PATH Enable Kerberos 4 support" ac_help="$ac_help - --with-rsh=PATH Specify path to remote shell program " + --with-afs=PATH Enable AFS support" ac_help="$ac_help - --with-xauth=PATH Specify path to xauth program " + --with-skey=PATH Enable S/Key support" ac_help="$ac_help - --with-random=FILE read randomness from FILE (default=/dev/urandom)" + --with-tcp-wrappers Enable tcpwrappers support" ac_help="$ac_help - --with-egd-pool=FILE read randomness from EGD pool FILE (default none)" + --with-pam Enable PAM support " ac_help="$ac_help - --with-catman=man|cat Install preformatted manpages[no]" + --with-ssl-dir=PATH Specify path to OpenSSL installation " ac_help="$ac_help - --with-kerberos4=PATH Enable Kerberos 4 support" + --with-rsh=PATH Specify path to remote shell program " ac_help="$ac_help - --with-afs=PATH Enable AFS support" + --with-xauth=PATH Specify path to xauth program " ac_help="$ac_help - --with-skey Enable S/Key support" + --with-random=FILE read entropy from FILE (default=/dev/urandom)" ac_help="$ac_help - --with-tcp-wrappers Enable tcpwrappers support" + --with-egd-pool=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)" +ac_help="$ac_help + --with-catman=man|cat Install preformatted manpages[no]" ac_help="$ac_help --with-md5-passwords Enable use of MD5 passwords" ac_help="$ac_help 
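Review bot: the `--with-egd-pool=FILE` help text now advertises `(default=/var/run/egd-pool)` where the old text said `(default none)`. If configure really falls back to that socket, a build on a host without PRNGD/EGD running produces an ssh that looks for an entropy source that is not there; make sure the default is only applied when the socket exists at configure time, or keep the opt-in behaviour and just document the conventional path. Also in this hunk: `--with-ldlags` is correctly renamed to `--with-ldflags`, `--with-skey` now takes `=PATH`, and `--with-pcre` overrides the regex library that compat.c's version matching depends on; all three deserve a line in INSTALL.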
@@ -52,6 +56,8 @@ ac_help="$ac_help --with-4in6 Check for and convert IPv4 in IPv6 mapped addresses" ac_help="$ac_help + --with-bsd-auth Enable BSD auth support" +ac_help="$ac_help --enable-suid-ssh Install ssh as suid root (default) --disable-suid-ssh Install ssh without suid bit" ac_help="$ac_help @@ -591,7 +597,7 @@ # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:595: checking for $ac_word" >&5 +echo "configure:601: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -621,7 +627,7 @@ # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:625: checking for $ac_word" >&5 +echo "configure:631: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -672,7 +678,7 @@ # Extract the first word of "cl", so it can be a program name with args. set dummy cl; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:676: checking for $ac_word" >&5 +echo "configure:682: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -704,7 +710,7 @@ fi echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6 -echo "configure:708: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 +echo "configure:714: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 ac_ext=c # CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. 
@@ -715,12 +721,12 @@ cat > conftest.$ac_ext << EOF -#line 719 "configure" +#line 725 "configure" #include "confdefs.h" main(){return(0);} EOF -if { (eval echo configure:724: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:730: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then ac_cv_prog_cc_works=yes # If we can't run a trivial program, we are probably using a cross compiler. if (./conftest; exit) 2>/dev/null; then @@ -746,12 +752,12 @@ { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; } fi echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6 -echo "configure:750: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 +echo "configure:756: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6 cross_compiling=$ac_cv_prog_cc_cross echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6 -echo "configure:755: checking whether we are using GNU C" >&5 +echo "configure:761: checking whether we are using GNU C" >&5 if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -760,7 +766,7 @@ yes; #endif EOF -if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:764: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then +if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:770: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then ac_cv_prog_gcc=yes else ac_cv_prog_gcc=no 
@@ -779,7 +785,7 @@ ac_save_CFLAGS="$CFLAGS" CFLAGS= echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6 -echo "configure:783: checking whether ${CC-cc} accepts -g" >&5 +echo "configure:789: checking whether ${CC-cc} accepts -g" >&5 if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -836,7 +842,7 @@ fi echo $ac_n "checking host system type""... $ac_c" 1>&6 -echo "configure:840: checking host system type" >&5 +echo "configure:846: checking host system type" >&5 host_alias=$host case "$host_alias" in @@ -859,7 +865,7 @@ # Checks for programs. echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6 -echo "configure:863: checking how to run the C preprocessor" >&5 +echo "configure:869: checking how to run the C preprocessor" >&5 # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then CPP= @@ -874,13 +880,13 @@ # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:884: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:890: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : @@ -891,13 +897,13 @@ rm -rf conftest* CPP="${CC-cc} -E -traditional-cpp" cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:901: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:907: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : 
@@ -908,13 +914,13 @@ rm -rf conftest* CPP="${CC-cc} -nologo -E" cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:918: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:924: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : @@ -941,7 +947,7 @@ # Extract the first word of "ranlib", so it can be a program name with args. set dummy ranlib; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:945: checking for $ac_word" >&5 +echo "configure:951: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -980,7 +986,7 @@ # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" # ./install, which can be erroneously created by make from ./install.sh. echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6 -echo "configure:984: checking for a BSD compatible install" >&5 +echo "configure:990: checking for a BSD compatible install" >&5 if test -z "$INSTALL"; then if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 
@@ -1035,26 +1041,32 @@ # Extract the first word of "ar", so it can be a program name with args. set dummy ar; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1039: checking for $ac_word" >&5 -if eval "test \"`echo '$''{'ac_cv_prog_AR'+set}'`\" = set"; then +echo "configure:1045: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_AR'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else - if test -n "$AR"; then - ac_cv_prog_AR="$AR" # Let the user override the test. -else + case "$AR" in + /*) + ac_cv_path_AR="$AR" # Let the user override the test with a path. + ;; + ?:/*) + ac_cv_path_AR="$AR" # Let the user override the test with a dos path. + ;; + *) IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" ac_dummy="$PATH" - for ac_dir in $ac_dummy; do + for ac_dir in $ac_dummy; do test -z "$ac_dir" && ac_dir=. if test -f $ac_dir/$ac_word; then - ac_cv_prog_AR="ar" + ac_cv_path_AR="$ac_dir/$ac_word" break fi done IFS="$ac_save_ifs" + ;; +esac fi -fi -AR="$ac_cv_prog_AR" +AR="$ac_cv_path_AR" if test -n "$AR"; then echo "$ac_t""$AR" 1>&6 else @@ -1064,7 +1076,7 @@ # Extract the first word of "perl", so it can be a program name with args. set dummy perl; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1068: checking for $ac_word" >&5 +echo "configure:1080: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PERL'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -1100,7 +1112,7 @@ # Extract the first word of "ent", so it can be a program name with args. set dummy ent; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1104: checking for $ac_word" >&5 +echo "configure:1116: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_ENT'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -1138,7 +1150,7 @@ # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1142: checking for $ac_word" >&5 +echo "configure:1154: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_FILEPRIV'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -1174,6 +1186,115 @@ done test -n "$FILEPRIV" || FILEPRIV="true" +# Extract the first word of "bash", so it can be a program name with args. +set dummy bash; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:1193: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_TEST_MINUS_S_SH'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + case "$TEST_MINUS_S_SH" in + /*) + ac_cv_path_TEST_MINUS_S_SH="$TEST_MINUS_S_SH" # Let the user override the test with a path. + ;; + ?:/*) + ac_cv_path_TEST_MINUS_S_SH="$TEST_MINUS_S_SH" # Let the user override the test with a dos path. + ;; + *) + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_TEST_MINUS_S_SH="$ac_dir/$ac_word" + break + fi + done + IFS="$ac_save_ifs" + ;; +esac +fi +TEST_MINUS_S_SH="$ac_cv_path_TEST_MINUS_S_SH" +if test -n "$TEST_MINUS_S_SH"; then + echo "$ac_t""$TEST_MINUS_S_SH" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +# Extract the first word of "ksh", so it can be a program name with args. +set dummy ksh; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:1228: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_TEST_MINUS_S_SH'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + case "$TEST_MINUS_S_SH" in + /*) + ac_cv_path_TEST_MINUS_S_SH="$TEST_MINUS_S_SH" # Let the user override the test with a path. + ;; + ?:/*) + ac_cv_path_TEST_MINUS_S_SH="$TEST_MINUS_S_SH" # Let the user override the test with a dos path. + ;; + *) + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. 
+ if test -f $ac_dir/$ac_word; then + ac_cv_path_TEST_MINUS_S_SH="$ac_dir/$ac_word" + break + fi + done + IFS="$ac_save_ifs" + ;; +esac +fi +TEST_MINUS_S_SH="$ac_cv_path_TEST_MINUS_S_SH" +if test -n "$TEST_MINUS_S_SH"; then + echo "$ac_t""$TEST_MINUS_S_SH" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +# Extract the first word of "sh", so it can be a program name with args. +set dummy sh; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:1263: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_TEST_MINUS_S_SH'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + case "$TEST_MINUS_S_SH" in + /*) + ac_cv_path_TEST_MINUS_S_SH="$TEST_MINUS_S_SH" # Let the user override the test with a path. + ;; + ?:/*) + ac_cv_path_TEST_MINUS_S_SH="$TEST_MINUS_S_SH" # Let the user override the test with a dos path. + ;; + *) + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_TEST_MINUS_S_SH="$ac_dir/$ac_word" + break + fi + done + IFS="$ac_save_ifs" + ;; +esac +fi +TEST_MINUS_S_SH="$ac_cv_path_TEST_MINUS_S_SH" +if test -n "$TEST_MINUS_S_SH"; then + echo "$ac_t""$TEST_MINUS_S_SH" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + + +if test -z "$AR" ; then + { echo "configure: error: *** 'ar' missing, please install or fix your \$PATH ***" 1>&2; exit 1; } +fi # Use LOGIN_PROGRAM from environment if possible if test ! -z "$LOGIN_PROGRAM" ; then @@ -1186,7 +1307,7 @@ # Extract the first word of "login", so it can be a program name with args. set dummy login; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1190: checking for $ac_word" >&5 +echo "configure:1311: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_LOGIN_PROGRAM_FALLBACK'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -1233,21 +1354,21 @@ # C Compiler features echo $ac_n "checking for inline""... $ac_c" 1>&6 -echo "configure:1237: checking for inline" >&5 +echo "configure:1358: checking for inline" >&5 if eval "test \"`echo '$''{'ac_cv_c_inline'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else ac_cv_c_inline=no for ac_kw in inline __inline__ __inline; do cat > conftest.$ac_ext <&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:1372: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_c_inline=$ac_kw; break else @@ -1276,24 +1397,22 @@ CFLAGS="$CFLAGS -Wall" fi -CFLAGS="$CFLAGS -I. -I${srcdir-.}" - # Check for some target-specific stuff case "$host" in *-*-aix*) AFS_LIBS="-lld" - CFLAGS="$CFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" if (test "$LD" != "gcc" && test -z "$blibpath"); then blibpath="/usr/lib:/lib:/usr/local/lib" fi echo $ac_n "checking for authenticate""... $ac_c" 1>&6 -echo "configure:1292: checking for authenticate" >&5 +echo "configure:1411: checking for authenticate" >&5 if eval "test \"`echo '$''{'ac_cv_func_authenticate'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1439: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_authenticate=yes" else @@ -1358,10 +1477,6 @@ EOF cat >> confdefs.h <<\EOF -#define DISABLE_PAM 1 -EOF - - cat >> confdefs.h <<\EOF #define DISABLE_SHADOW 1 EOF @@ -1377,15 +1492,20 @@ #define BROKEN_VHANGUP 1 EOF - no_pam=1 no_libsocket=1 no_libnsl=1 ;; +*-*-dgux*) + cat >> confdefs.h <<\EOF +#define IP_TOS_IS_BROKEN 1 +EOF + + ;; *-*-hpux10*) if test -z "$GCC"; then CFLAGS="$CFLAGS -Ae" fi - CFLAGS="$CFLAGS -D_HPUX_SOURCE" + CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE" IPADDR_IN_DISPLAY=yes cat >> confdefs.h <<\EOF #define USE_PIPES 1 
@@ -1408,9 +1528,13 @@ mansubdir=cat ;; *-*-hpux11*) - CFLAGS="$CFLAGS -D_HPUX_SOURCE" + CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE" IPADDR_IN_DISPLAY=yes cat >> confdefs.h <<\EOF +#define PAM_SUN_CODEBASE 1 +EOF + + cat >> confdefs.h <<\EOF #define USE_PIPES 1 EOF @@ -1431,7 +1555,7 @@ mansubdir=cat ;; *-*-irix5*) - CFLAGS="$CFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS" PATH="$PATH:/usr/etc" MANTYPE='$(CATMAN)' @@ -1443,7 +1567,7 @@ ;; *-*-irix6*) - CFLAGS="$CFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS" PATH="$PATH:/usr/etc" MANTYPE='$(CATMAN)' 
@@ -1459,15 +1583,68 @@ #define WITH_IRIX_AUDIT 1 EOF + echo $ac_n "checking for jlimit_startjob""... $ac_c" 1>&6 +echo "configure:1588: checking for jlimit_startjob" >&5 +if eval "test \"`echo '$''{'ac_cv_func_jlimit_startjob'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char jlimit_startjob(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_jlimit_startjob) || defined (__stub___jlimit_startjob) +choke me +#else +jlimit_startjob(); +#endif + +; return 0; } +EOF +if { (eval echo configure:1616: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_jlimit_startjob=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_jlimit_startjob=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'jlimit_startjob`\" = yes"; then + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF +#define WITH_IRIX_JOBS 1 +EOF + +else + echo "$ac_t""no" 1>&6 +fi + no_libsocket=1 no_libnsl=1 cat >> confdefs.h <<\EOF #define BROKEN_INET_NTOA 1 EOF + mansubdir=man ;; *-*-linux*) no_dev_ptmx=1 + check_for_libcrypt_later=1 cat >> confdefs.h <<\EOF #define DONT_TRY_OTHER_AF 1 EOF 
@@ -1485,7 +1662,7 @@ SONY=1 echo $ac_n "checking for xatexit in -liberty""... $ac_c" 1>&6 -echo "configure:1489: checking for xatexit in -liberty" >&5 +echo "configure:1666: checking for xatexit in -liberty" >&5 ac_lib_var=`echo iberty'_'xatexit | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -1493,7 +1670,7 @@ ac_save_LIBS="$LIBS" LIBS="-liberty $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1685: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -1525,7 +1702,7 @@ else echo "$ac_t""no" 1>&6 -{ echo "configure: error: *** libiberty missing - please install first ***" 1>&2; exit 1; } +{ echo "configure: error: *** libiberty missing - please install first or check config.log ***" 1>&2; exit 1; } fi @@ -1550,16 +1727,21 @@ #define USE_PIPES 1 EOF - CFLAGS="$CFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -I/usr/local/include" + CFLAGS="$CFLAGS" ;; *-*-solaris*) - CFLAGS="$CFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib -L/usr/ucblib -R/usr/ucblib" need_dash_r=1 + cat >> confdefs.h <<\EOF +#define PAM_SUN_CODEBASE 1 +EOF + # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/var/adm/lastlog" echo $ac_n "checking for obsolete utmp and wtmp in solaris2.x""... $ac_c" 1>&6 -echo "configure:1563: checking for obsolete utmp and wtmp in solaris2.x" >&5 +echo "configure:1745: checking for obsolete utmp and wtmp in solaris2.x" >&5 sol2ver=`echo "$host"| sed -e 's/.*[0-9]\.//'` if test "$sol2ver" -ge 8; then echo "$ac_t""yes" 1>&6 
@@ -1576,16 +1758,16 @@ fi ;; *-*-sunos4*) - CFLAGS="$CFLAGS -DSUNOS4" + CPPFLAGS="$CPPFLAGS -DSUNOS4" for ac_func in getpwanam do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:1584: checking for $ac_func" >&5 +echo "configure:1766: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1794: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -1632,6 +1814,14 @@ fi done + cat >> confdefs.h <<\EOF +#define PAM_SUN_CODEBASE 1 +EOF + + cat >> confdefs.h <<\EOF +#define HAVE_BOGUS_SYS_QUEUE_H 1 +EOF + conf_utmp_location=/etc/utmp conf_wtmp_location=/var/adm/wtmp conf_lastlog_location=/var/adm/lastlog @@ -1642,10 +1832,22 @@ MANTYPE='$(CATMAN)' mansubdir=cat ;; +*-ncr-sysv*) + CPPFLAGS="$CPPFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib" + MANTYPE='$(CATMAN)' + mansubdir=cat + LIBS="$LIBS -lc89 -lnsl -lgen -lsocket" + ;; *-sni-sysv*) - CFLAGS="$CFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib -L/usr/ucblib" MANTYPE='$(CATMAN)' + IPADDR_IN_DISPLAY=yes + cat >> confdefs.h <<\EOF +#define USE_PIPES 1 +EOF + cat >> confdefs.h <<\EOF #define IP_TOS_IS_BROKEN 1 EOF 
@@ -1654,68 +1856,203 @@ LIBS="$LIBS -lgen -lnsl -lucb" ;; *-*-sysv4.2*) - CFLAGS="$CFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" MANTYPE='$(CATMAN)' mansubdir=cat - LIBS="$LIBS -lgen -lsocket -lnsl -lresolv" enable_suid_ssh=no + cat >> confdefs.h <<\EOF +#define USE_PIPES 1 +EOF + ;; *-*-sysv5*) - CFLAGS="$CFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" MANTYPE='$(CATMAN)' mansubdir=cat - LIBS="$LIBS -lgen -lsocket" enable_suid_ssh=no + cat >> confdefs.h <<\EOF +#define USE_PIPES 1 +EOF + ;; *-*-sysv*) - CFLAGS="$CFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" MANTYPE='$(CATMAN)' mansubdir=cat LIBS="$LIBS -lgen -lsocket" ;; *-*-sco3.2v4*) - cat >> confdefs.h <<\EOF -#define USE_PIPES 1 -EOF - - CFLAGS="$CFLAGS -Dftruncate=chsize -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -Dftruncate=chsize -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" MANTYPE='$(CATMAN)' + LIBS="$LIBS -lgen -lsocket -los -lprot -lx -ltinfo -lm" mansubdir=cat - LIBS="$LIBS -lgen -lsocket -los -lprot -lx" - no_dev_ptmx=1 + rsh_path="/usr/bin/rcmd" RANLIB=true + no_dev_ptmx=1 cat >> confdefs.h <<\EOF #define BROKEN_SYS_TERMIO_H 1 EOF - rsh_path="/usr/bin/rcmd" + cat >> confdefs.h <<\EOF +#define USE_PIPES 1 +EOF + cat >> confdefs.h <<\EOF #define HAVE_SCO_PROTECTED_PW 1 EOF + cat >> confdefs.h <<\EOF +#define DISABLE_SHADOW 1 +EOF + + cat >> confdefs.h <<\EOF +#define HAVE_BOGUS_SYS_QUEUE_H 1 +EOF + + for ac_func in getluid setluid +do +echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +echo "configure:1920: checking for $ac_func" >&5 +if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +/* Override any gcc2 internal prototype to avoid an error. 
*/ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +$ac_func(); +#endif + +; return 0; } +EOF +if { (eval echo configure:1948: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_$ac_func=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` + cat >> confdefs.h <&6 +fi +done + ;; *-*-sco3.2v5*) - CFLAGS="$CFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" + LIBS="$LIBS -lprot -lx -ltinfo -lm" MANTYPE='$(CATMAN)' mansubdir=cat - LIBS="$LIBS -lgen -lsocket -lprot -lx" no_dev_ptmx=1 rsh_path="/usr/bin/rcmd" cat >> confdefs.h <<\EOF +#define USE_PIPES 1 +EOF + + cat >> confdefs.h <<\EOF #define HAVE_SCO_PROTECTED_PW 1 EOF - ;; -*-dec-osf*) -# This is untested - if test ! -z "USE_SIA" ; then + cat >> confdefs.h <<\EOF +#define DISABLE_SHADOW 1 +EOF + + cat >> confdefs.h <<\EOF +#define HAVE_BOGUS_SYS_QUEUE_H 1 +EOF + + for ac_func in getluid setluid +do +echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +echo "configure:2000: checking for $ac_func" >&5 +if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +/* Override any gcc2 internal prototype to avoid an error. 
*/ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +$ac_func(); +#endif + +; return 0; } +EOF +if { (eval echo configure:2028: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_$ac_func=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` + cat >> confdefs.h <&6 +fi +done + + ;; +*-dec-osf*) + if test ! -z "USE_SIA" ; then echo $ac_n "checking for Digital Unix Security Integration Architecture""... $ac_c" 1>&6 -echo "configure:1719: checking for Digital Unix Security Integration Architecture" >&5 +echo "configure:2056: checking for Digital Unix Security Integration Architecture" >&5 if test -f /etc/sia/matrix.conf; then echo "$ac_t""yes" 1>&6 cat >> confdefs.h <<\EOF @@ -1746,6 +2083,17 @@ fi +# Check whether --with-cppflags or --without-cppflags was given. +if test "${with_cppflags+set}" = set; then + withval="$with_cppflags" + + if test "x$withval" != "xno"; then + CPPFLAGS="$CPPFLAGS $withval" + fi + + +fi + # Check whether --with-ldflags or --without-ldflags was given. if test "${with_ldflags+set}" = set; then withval="$with_ldflags" 
@@ -1769,29 +2117,32 @@ fi +# Check whether --with-pcre or --without-pcre was given. +if test "${with_pcre+set}" = set; then + withval="$with_pcre" + -# Checks for libraries. -echo $ac_n "checking for deflate in -lz""... $ac_c" 1>&6 -echo "configure:1776: checking for deflate in -lz" >&5 -ac_lib_var=`echo z'_'deflate | sed 'y%./+-%__p_%'` + echo $ac_n "checking for pcre_info in -lpcre""... $ac_c" 1>&6 +echo "configure:2127: checking for pcre_info in -lpcre" >&5 +ac_lib_var=`echo pcre'_'pcre_info | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else ac_save_LIBS="$LIBS" -LIBS="-lz $LIBS" +LIBS="-lpcre $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2146: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -1806,40 +2157,48 @@ fi if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then echo "$ac_t""yes" 1>&6 - ac_tr_lib=HAVE_LIB`echo z | sed -e 's/[^a-zA-Z0-9_]/_/g' \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` - cat >> confdefs.h <> confdefs.h <<\EOF +#define HAVE_LIBPCRE 1 EOF - - LIBS="-lz $LIBS" - + + LIBS="$LIBS -lpcreposix -lpcre" + no_comp_check="yes" + else echo "$ac_t""no" 1>&6 -{ echo "configure: error: *** zlib missing - please install first ***" 1>&2; exit 1; } + { echo "configure: error: *** Can not locate pcre libraries." 1>&2; exit 1; } + fi -echo $ac_n "checking for login in -lutil""... $ac_c" 1>&6 -echo "configure:1824: checking for login in -lutil" >&5 -ac_lib_var=`echo util'_'login | sed 'y%./+-%__p_%'` + + +fi + + +# Checks for libraries. +if test -z "$no_libnsl" ; then + echo $ac_n "checking for yp_match in -lnsl""... $ac_c" 1>&6 +echo "configure:2183: checking for yp_match in -lnsl" >&5 +ac_lib_var=`echo nsl'_'yp_match | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else ac_save_LIBS="$LIBS" -LIBS="-lutil $LIBS" +LIBS="-lnsl $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2202: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -1854,83 +2213,86 @@ fi if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then echo "$ac_t""yes" 1>&6 - cat >> confdefs.h <<\EOF -#define HAVE_LIBUTIL_LOGIN 1 + ac_tr_lib=HAVE_LIB`echo nsl | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 fi - -echo $ac_n "checking for regcomp""... $ac_c" 1>&6 -echo "configure:1868: checking for regcomp" >&5 -if eval "test \"`echo '$''{'ac_cv_func_regcomp'+set}'`\" = set"; then +fi +if test -z "$no_libsocket" ; then + echo $ac_n "checking for main in -lsocket""... $ac_c" 1>&6 +echo "configure:2232: checking for main in -lsocket" >&5 +ac_lib_var=`echo socket'_'main | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else - cat > conftest.$ac_ext < conftest.$ac_ext < -/* Override any gcc2 internal prototype to avoid an error. */ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char regcomp(); int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_regcomp) || defined (__stub___regcomp) -choke me -#else -regcomp(); -#endif - +main() ; return 0; } EOF -if { (eval echo configure:1896: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2247: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* - eval "ac_cv_func_regcomp=yes" + eval "ac_cv_lib_$ac_lib_var=yes" else echo "configure: failed program was:" >&5 cat conftest.$ac_ext >&5 rm -rf conftest* - eval "ac_cv_func_regcomp=no" + eval "ac_cv_lib_$ac_lib_var=no" fi rm -f conftest* -fi +LIBS="$ac_save_LIBS" -if eval "test \"`echo '$ac_cv_func_'regcomp`\" = yes"; then +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then echo "$ac_t""yes" 1>&6 - : + ac_tr_lib=HAVE_LIB`echo socket | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +fi - echo $ac_n "checking for pcre_info in -lpcre""... $ac_c" 1>&6 -echo "configure:1915: checking for pcre_info in -lpcre" >&5 -ac_lib_var=`echo pcre'_'pcre_info | sed 'y%./+-%__p_%'` +fi + +echo $ac_n "checking for innetgr in -lrpc""... $ac_c" 1>&6 +echo "configure:2277: checking for innetgr in -lrpc" >&5 +ac_lib_var=`echo rpc'_'innetgr | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else ac_save_LIBS="$LIBS" -LIBS="-lpcre $LIBS" +LIBS="-lrpc -lyp -lrpc $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2296: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -1945,41 +2307,33 @@ fi if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then echo "$ac_t""yes" 1>&6 - cat >> confdefs.h <<\EOF -#define HAVE_LIBPCRE 1 -EOF - LIBS="$LIBS -lpcreposix -lpcre" + LIBS="-lrpc -lyp -lrpc $LIBS" else echo "$ac_t""no" 1>&6 fi - - -fi - -if test -z "$no_libsocket" ; then - echo $ac_n "checking for yp_match in -lnsl""... $ac_c" 1>&6 -echo "configure:1964: checking for yp_match in -lnsl" >&5 -ac_lib_var=`echo nsl'_'yp_match | sed 'y%./+-%__p_%'` +echo $ac_n "checking for getspnam in -lgen""... $ac_c" 1>&6 +echo "configure:2318: checking for getspnam in -lgen" >&5 +ac_lib_var=`echo gen'_'getspnam | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else ac_save_LIBS="$LIBS" -LIBS="-lnsl $LIBS" +LIBS="-lgen $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2337: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -1994,37 +2348,32 @@ fi if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then echo "$ac_t""yes" 1>&6 - ac_tr_lib=HAVE_LIB`echo nsl | sed -e 's/[^a-zA-Z0-9_]/_/g' \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` - cat >> confdefs.h <&6 fi -fi -if test -z "$no_libnsl" ; then - echo $ac_n "checking for main in -lsocket""... $ac_c" 1>&6 -echo "configure:2013: checking for main in -lsocket" >&5 -ac_lib_var=`echo socket'_'main | sed 'y%./+-%__p_%'` +echo $ac_n "checking for deflate in -lz""... $ac_c" 1>&6 +echo "configure:2358: checking for deflate in -lz" >&5 +ac_lib_var=`echo z'_'deflate | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else ac_save_LIBS="$LIBS" -LIBS="-lsocket $LIBS" +LIBS="-lz $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2377: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -2039,440 +2388,383 @@ fi if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then echo "$ac_t""yes" 1>&6 - ac_tr_lib=HAVE_LIB`echo socket | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + ac_tr_lib=HAVE_LIB`echo z | sed -e 's/[^a-zA-Z0-9_]/_/g' \ -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` cat >> confdefs.h <&6 +{ echo "configure: error: *** zlib missing - please install first or check config.log ***" 1>&2; exit 1; } fi -fi - -# Checks for header files. -for ac_hdr in bstring.h endian.h floatingpoint.h getopt.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utmp.h utmpx.h vis.h -do -ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` -echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 -echo "configure:2062: checking for $ac_hdr" >&5 -if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then +echo $ac_n "checking for login in -lutil""... $ac_c" 1>&6 +echo "configure:2406: checking for login in -lutil" >&5 +ac_lib_var=`echo util'_'login | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else - cat > conftest.$ac_ext < conftest.$ac_ext < +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. 
*/ +char login(); + +int main() { +login() +; return 0; } EOF -ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:2072: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } -ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` -if test -z "$ac_err"; then +if { (eval echo configure:2425: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* - eval "ac_cv_header_$ac_safe=yes" + eval "ac_cv_lib_$ac_lib_var=yes" else - echo "$ac_err" >&5 echo "configure: failed program was:" >&5 cat conftest.$ac_ext >&5 rm -rf conftest* - eval "ac_cv_header_$ac_safe=no" + eval "ac_cv_lib_$ac_lib_var=no" fi rm -f conftest* +LIBS="$ac_save_LIBS" + fi -if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then echo "$ac_t""yes" 1>&6 - ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` - cat >> confdefs.h <> confdefs.h <<\EOF +#define HAVE_LIBUTIL_LOGIN 1 EOF - + LIBS="$LIBS -lutil" else echo "$ac_t""no" 1>&6 fi -done -for ac_func in arc4random atexit b64_ntop bcopy bindresvport_af clock fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getnameinfo getrusage getttyent inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strsep strtok_r vsnprintf vhangup vis waitpid _getpty __b64_ntop -do -echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2102: checking for $ac_func" >&5 -if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then +# We don't want to check if we did an pcre override. +if test -z "$no_comp_check" ; then + echo $ac_n "checking for regcomp""... 
$ac_c" 1>&6 +echo "configure:2452: checking for regcomp" >&5 +if eval "test \"`echo '$''{'ac_cv_func_regcomp'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ -char $ac_func(); +char regcomp(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +#if defined (__stub_regcomp) || defined (__stub___regcomp) choke me #else -$ac_func(); +regcomp(); #endif ; return 0; } EOF -if { (eval echo configure:2130: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2480: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* - eval "ac_cv_func_$ac_func=yes" + eval "ac_cv_func_regcomp=yes" else echo "configure: failed program was:" >&5 cat conftest.$ac_ext >&5 rm -rf conftest* - eval "ac_cv_func_$ac_func=no" + eval "ac_cv_func_regcomp=no" fi rm -f conftest* fi -if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then +if eval "test \"`echo '$ac_cv_func_'regcomp`\" = yes"; then echo "$ac_t""yes" 1>&6 - ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` - cat >> confdefs.h <> confdefs.h <<\EOF +#define HAVE_REGCOMP 1 EOF - + else echo "$ac_t""no" 1>&6 -fi -done -for ac_func in gettimeofday time -do -echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2157: checking for $ac_func" >&5 -if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "checking for pcre_info in -lpcre""... 
$ac_c" 1>&6 +echo "configure:2502: checking for pcre_info in -lpcre" >&5 +ac_lib_var=`echo pcre'_'pcre_info | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else - cat > conftest.$ac_ext < conftest.$ac_ext < /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ -char $ac_func(); +char pcre_info(); int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -$ac_func(); -#endif - +pcre_info() ; return 0; } EOF -if { (eval echo configure:2185: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2521: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* - eval "ac_cv_func_$ac_func=yes" + eval "ac_cv_lib_$ac_lib_var=yes" else echo "configure: failed program was:" >&5 cat conftest.$ac_ext >&5 rm -rf conftest* - eval "ac_cv_func_$ac_func=no" + eval "ac_cv_lib_$ac_lib_var=no" fi rm -f conftest* -fi +LIBS="$ac_save_LIBS" -if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then echo "$ac_t""yes" 1>&6 - ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` - cat >> confdefs.h <> confdefs.h <<\EOF +#define HAVE_LIBPCRE 1 EOF - + + LIBS="$LIBS -lpcreposix -lpcre" + else echo "$ac_t""no" 1>&6 + + { echo "configure: error: *** No regex library found." 1>&2; exit 1; } + fi -done -for ac_func in login logout updwtmp logwtmp -do -echo $ac_n "checking for $ac_func""... 
$ac_c" 1>&6 -echo "configure:2212: checking for $ac_func" >&5 -if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + + +fi + +fi + +echo $ac_n "checking for strcasecmp""... $ac_c" 1>&6 +echo "configure:2557: checking for strcasecmp" >&5 +if eval "test \"`echo '$''{'ac_cv_func_strcasecmp'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ -char $ac_func(); +char strcasecmp(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +#if defined (__stub_strcasecmp) || defined (__stub___strcasecmp) choke me #else -$ac_func(); +strcasecmp(); #endif ; return 0; } EOF -if { (eval echo configure:2240: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2585: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* - eval "ac_cv_func_$ac_func=yes" + eval "ac_cv_func_strcasecmp=yes" else echo "configure: failed program was:" >&5 cat conftest.$ac_ext >&5 rm -rf conftest* - eval "ac_cv_func_$ac_func=no" + eval "ac_cv_func_strcasecmp=no" fi rm -f conftest* fi -if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then +if eval "test \"`echo '$ac_cv_func_'strcasecmp`\" = yes"; then echo "$ac_t""yes" 1>&6 - ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` - cat >> confdefs.h <&6 -fi -done - -for ac_func in entutent getutent getutid getutline pututline setutent -do -echo $ac_n "checking for $ac_func""... 
$ac_c" 1>&6 -echo "configure:2267: checking for $ac_func" >&5 -if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "checking for strcasecmp in -lresolv""... $ac_c" 1>&6 +echo "configure:2603: checking for strcasecmp in -lresolv" >&5 +ac_lib_var=`echo resolv'_'strcasecmp | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else - cat > conftest.$ac_ext < conftest.$ac_ext < /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ -char $ac_func(); +char strcasecmp(); int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -$ac_func(); -#endif - +strcasecmp() ; return 0; } EOF -if { (eval echo configure:2295: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2622: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* - eval "ac_cv_func_$ac_func=yes" + eval "ac_cv_lib_$ac_lib_var=yes" else echo "configure: failed program was:" >&5 cat conftest.$ac_ext >&5 rm -rf conftest* - eval "ac_cv_func_$ac_func=no" + eval "ac_cv_lib_$ac_lib_var=no" fi rm -f conftest* -fi +LIBS="$ac_save_LIBS" -if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then echo "$ac_t""yes" 1>&6 - ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` - cat >> confdefs.h <&6 fi -done + -for ac_func in utmpname -do -echo $ac_n "checking for $ac_func""... 
$ac_c" 1>&6 -echo "configure:2322: checking for $ac_func" >&5 -if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then +fi + +echo $ac_n "checking for utimes""... $ac_c" 1>&6 +echo "configure:2646: checking for utimes" >&5 +if eval "test \"`echo '$''{'ac_cv_func_utimes'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ -char $ac_func(); +char utimes(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +#if defined (__stub_utimes) || defined (__stub___utimes) choke me #else -$ac_func(); +utimes(); #endif ; return 0; } EOF -if { (eval echo configure:2350: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2674: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* - eval "ac_cv_func_$ac_func=yes" + eval "ac_cv_func_utimes=yes" else echo "configure: failed program was:" >&5 cat conftest.$ac_ext >&5 rm -rf conftest* - eval "ac_cv_func_$ac_func=no" + eval "ac_cv_func_utimes=no" fi rm -f conftest* fi -if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then +if eval "test \"`echo '$ac_cv_func_'utimes`\" = yes"; then echo "$ac_t""yes" 1>&6 - ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` - cat >> confdefs.h <&6 -fi -done - -for ac_func in entutxent getutxent getutxid getutxline pututxline -do -echo $ac_n "checking for $ac_func""... 
$ac_c" 1>&6 -echo "configure:2377: checking for $ac_func" >&5 -if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "checking for utimes in -lc89""... $ac_c" 1>&6 +echo "configure:2692: checking for utimes in -lc89" >&5 +ac_lib_var=`echo c89'_'utimes | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else - cat > conftest.$ac_ext < conftest.$ac_ext < /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ -char $ac_func(); +char utimes(); int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -$ac_func(); -#endif - +utimes() ; return 0; } EOF -if { (eval echo configure:2405: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2711: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* - eval "ac_cv_func_$ac_func=yes" + eval "ac_cv_lib_$ac_lib_var=yes" else echo "configure: failed program was:" >&5 cat conftest.$ac_ext >&5 rm -rf conftest* - eval "ac_cv_func_$ac_func=no" + eval "ac_cv_lib_$ac_lib_var=no" fi rm -f conftest* -fi +LIBS="$ac_save_LIBS" -if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then echo "$ac_t""yes" 1>&6 - ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` - cat >> confdefs.h <&6 fi -done + -for ac_func in setutxent utmpxname +fi + + +# Checks for header files. 
+for ac_hdr in bstring.h endian.h floatingpoint.h getopt.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h regex.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/queue.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h do -echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2432: checking for $ac_func" >&5 -if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then +ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` +echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 +echo "configure:2740: checking for $ac_hdr" >&5 +if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < -/* Override any gcc2 internal prototype to avoid an error. */ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func(); - -int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -$ac_func(); -#endif - -; return 0; } +#include <$ac_hdr> EOF -if { (eval echo configure:2460: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:2750: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then rm -rf conftest* - eval "ac_cv_func_$ac_func=yes" + eval "ac_cv_header_$ac_safe=yes" else + echo "$ac_err" >&5 echo "configure: failed program was:" >&5 cat conftest.$ac_ext >&5 rm -rf conftest* - eval "ac_cv_func_$ac_func=no" + eval "ac_cv_header_$ac_safe=no" fi rm -f conftest* fi - -if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then +if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then echo "$ac_t""yes" 1>&6 - ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` + ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` cat >> confdefs.h <&6 -echo "configure:2486: checking for getuserattr" >&5 -if eval "test \"`echo '$''{'ac_cv_func_getuserattr'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -/* Override any gcc2 internal prototype to avoid an error. */ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char getuserattr(); +# Check whether user wants Kerberos support +KRB4_MSG="no" +# Check whether --with-kerberos4 or --without-kerberos4 was given. +if test "${with_kerberos4+set}" = set; then + withval="$with_kerberos4" + + if test "x$withval" != "xno" ; then + + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + if test ! 
-z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R${withval}/lib" + fi + if test ! -z "$blibpath" ; then + blibpath="$blibpath:${withval}/lib" + fi + else + if test -d /usr/include/kerberosIV ; then + CPPFLAGS="$CPPFLAGS -I/usr/include/kerberosIV" + fi + fi + + for ac_hdr in krb.h +do +ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` +echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 +echo "configure:2804: checking for $ac_hdr" >&5 +if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:2814: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_header_$ac_safe=no" +fi +rm -f conftest* +fi +if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` + cat >> confdefs.h <&6 +fi +done + + echo $ac_n "checking for main in -lkrb""... 
$ac_c" 1>&6 +echo "configure:2841: checking for main in -lkrb" >&5 +ac_lib_var=`echo krb'_'main | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lkrb $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo krb | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +fi + + if test "$ac_cv_header_krb_h" != yes; then + echo "configure: warning: Cannot find krb.h, build may fail" 1>&2 + fi + if test "$ac_cv_lib_krb_main" != yes; then + echo "configure: warning: Cannot find libkrb, build may fail" 1>&2 + fi + + KLIBS="-lkrb -ldes" + echo $ac_n "checking for dn_expand in -lresolv""... 
$ac_c" 1>&6 +echo "configure:2892: checking for dn_expand in -lresolv" >&5 +ac_lib_var=`echo resolv'_'dn_expand | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lresolv $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo resolv | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +fi + + KRB4=yes + KRB4_MSG="yes" + cat >> confdefs.h <<\EOF +#define KRB4 1 +EOF + + fi + + +fi + + +# Check whether user wants AFS support +AFS_MSG="no" +# Check whether --with-afs or --without-afs was given. +if test "${with_afs+set}" = set; then + withval="$with_afs" + + if test "x$withval" != "xno" ; then + + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + fi + + if test -z "$KRB4" ; then + echo "configure: warning: AFS requires Kerberos IV support, build may fail" 1>&2 + fi + + LIBS="$LIBS -lkafs" + if test ! -z "$AFS_LIBS" ; then + LIBS="$LIBS $AFS_LIBS" + fi + cat >> confdefs.h <<\EOF +#define AFS 1 +EOF + + AFS_MSG="yes" + fi + + +fi + +LIBS="$LIBS $KLIBS" + +# Check whether user wants S/Key support +SKEY_MSG="no" +# Check whether --with-skey or --without-skey was given. 
+if test "${with_skey+set}" = set; then + withval="$with_skey" + + if test "x$withval" != "xno" ; then + + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + fi + + cat >> confdefs.h <<\EOF +#define SKEY 1 +EOF + + LIBS="-lskey $LIBS" + SKEY_MSG="yes" + + echo $ac_n "checking for skey_keyinfo""... $ac_c" 1>&6 +echo "configure:3004: checking for skey_keyinfo" >&5 +if eval "test \"`echo '$''{'ac_cv_func_skey_keyinfo'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char skey_keyinfo(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_skey_keyinfo) || defined (__stub___skey_keyinfo) +choke me +#else +skey_keyinfo(); +#endif + +; return 0; } +EOF +if { (eval echo configure:3032: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_skey_keyinfo=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_skey_keyinfo=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'skey_keyinfo`\" = yes"; then + echo "$ac_t""yes" 1>&6 + : +else + echo "$ac_t""no" 1>&6 + + { echo "configure: error: ** Incomplete or missing s/key libraries." 1>&2; exit 1; } + +fi + + fi + + +fi + + +# Check whether user wants TCP wrappers support +TCPW_MSG="no" +# Check whether --with-tcp-wrappers or --without-tcp-wrappers was given. 
+if test "${with_tcp_wrappers+set}" = set; then + withval="$with_tcp_wrappers" + + if test "x$withval" != "xno" ; then + saved_LIBS="$LIBS" + LIBS="-lwrap $LIBS" + echo $ac_n "checking for libwrap""... $ac_c" 1>&6 +echo "configure:3070: checking for libwrap" >&5 + cat > conftest.$ac_ext < + int deny_severity = 0, allow_severity = 0; + +int main() { +hosts_access(0); +; return 0; } +EOF +if { (eval echo configure:3082: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF +#define LIBWRAP 1 +EOF + + TCPW_MSG="yes" + +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + + { echo "configure: error: *** libwrap missing" 1>&2; exit 1; } + + +fi +rm -f conftest* + fi + + +fi + + +for ac_func in arc4random atexit b64_ntop bcopy bindresvport_sa clock fchown fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getgrouplist getnameinfo getrlimit getrusage getttyent inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strmode strsep strtok_r sysconf tcgetpgrp utimes vsnprintf vhangup vis waitpid _getpty __b64_ntop +do +echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +echo "configure:3111: checking for $ac_func" >&5 +if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. 
Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +$ac_func(); +#endif + +; return 0; } +EOF +if { (eval echo configure:3139: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_$ac_func=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` + cat >> confdefs.h <&6 +fi +done + +for ac_func in gettimeofday time +do +echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +echo "configure:3166: checking for $ac_func" >&5 +if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. 
*/ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +$ac_func(); +#endif + +; return 0; } +EOF +if { (eval echo configure:3194: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_$ac_func=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` + cat >> confdefs.h <&6 +fi +done + +for ac_hdr in libutil.h +do +ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` +echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 +echo "configure:3222: checking for $ac_hdr" >&5 +if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:3232: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_header_$ac_safe=no" +fi +rm -f conftest* +fi +if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` + cat >> confdefs.h <&6 +fi +done + +for ac_func in login logout updwtmp logwtmp +do +echo $ac_n "checking for $ac_func""... 
$ac_c" 1>&6 +echo "configure:3261: checking for $ac_func" >&5 +if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +$ac_func(); +#endif + +; return 0; } +EOF +if { (eval echo configure:3289: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_$ac_func=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` + cat >> confdefs.h <&6 +fi +done + +for ac_func in endutent getutent getutid getutline pututline setutent +do +echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +echo "configure:3316: checking for $ac_func" >&5 +if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. 
Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +$ac_func(); +#endif + +; return 0; } +EOF +if { (eval echo configure:3344: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_$ac_func=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` + cat >> confdefs.h <&6 +fi +done + +for ac_func in utmpname +do +echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +echo "configure:3371: checking for $ac_func" >&5 +if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. 
*/ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +$ac_func(); +#endif + +; return 0; } +EOF +if { (eval echo configure:3399: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_$ac_func=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` + cat >> confdefs.h <&6 +fi +done + +for ac_func in endutxent getutxent getutxid getutxline pututxline +do +echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +echo "configure:3426: checking for $ac_func" >&5 +if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. 
*/ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +$ac_func(); +#endif + +; return 0; } +EOF +if { (eval echo configure:3454: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_$ac_func=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` + cat >> confdefs.h <&6 +fi +done + +for ac_func in setutxent utmpxname +do +echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +echo "configure:3481: checking for $ac_func" >&5 +if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. 
*/ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +$ac_func(); +#endif + +; return 0; } +EOF +if { (eval echo configure:3509: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_$ac_func=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` + cat >> confdefs.h <&6 +fi +done + + +echo $ac_n "checking for getuserattr""... $ac_c" 1>&6 +echo "configure:3535: checking for getuserattr" >&5 +if eval "test \"`echo '$''{'ac_cv_func_getuserattr'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char getuserattr(); int main() { @@ -2510,7 +3559,7 @@ ; return 0; } EOF -if { (eval echo configure:2514: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3563: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_getuserattr=yes" else @@ -2531,7 +3580,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for getuserattr in -ls""... $ac_c" 1>&6 -echo "configure:2535: checking for getuserattr in -ls" >&5 +echo "configure:3584: checking for getuserattr in -ls" >&5 ac_lib_var=`echo s'_'getuserattr | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 
@@ -2539,7 +3588,7 @@ ac_save_LIBS="$LIBS" LIBS="-ls $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3603: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2578,12 +3627,12 @@ echo $ac_n "checking for login""... $ac_c" 1>&6 -echo "configure:2582: checking for login" >&5 +echo "configure:3631: checking for login" >&5 if eval "test \"`echo '$''{'ac_cv_func_login'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3659: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_login=yes" else @@ -2627,7 +3676,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for login in -lbsd""... $ac_c" 1>&6 -echo "configure:2631: checking for login in -lbsd" >&5 +echo "configure:3680: checking for login in -lbsd" >&5 ac_lib_var=`echo bsd'_'login | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2635,7 +3684,7 @@ ac_save_LIBS="$LIBS" LIBS="-lbsd $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3699: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -2674,12 +3723,12 @@ echo $ac_n "checking for daemon""... $ac_c" 1>&6 -echo "configure:2678: checking for daemon" >&5 +echo "configure:3727: checking for daemon" >&5 if eval "test \"`echo '$''{'ac_cv_func_daemon'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3755: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_daemon=yes" else @@ -2723,7 +3772,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for daemon in -lbsd""... $ac_c" 1>&6 -echo "configure:2727: checking for daemon in -lbsd" >&5 +echo "configure:3776: checking for daemon in -lbsd" >&5 ac_lib_var=`echo bsd'_'daemon | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2731,7 +3780,7 @@ ac_save_LIBS="$LIBS" LIBS="-lbsd $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3795: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2770,12 +3819,12 @@ echo $ac_n "checking for getpagesize""... $ac_c" 1>&6 -echo "configure:2774: checking for getpagesize" >&5 +echo "configure:3823: checking for getpagesize" >&5 if eval "test \"`echo '$''{'ac_cv_func_getpagesize'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3851: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_getpagesize=yes" else 
@@ -2819,7 +3868,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for getpagesize in -lucb""... $ac_c" 1>&6 -echo "configure:2823: checking for getpagesize in -lucb" >&5 +echo "configure:3872: checking for getpagesize in -lucb" >&5 ac_lib_var=`echo ucb'_'getpagesize | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2827,7 +3876,7 @@ ac_save_LIBS="$LIBS" LIBS="-lucb $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3891: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2868,19 +3917,19 @@ # Check for broken snprintf if test "x$ac_cv_func_snprintf" = "xyes" ; then echo $ac_n "checking whether snprintf correctly terminates long strings""... $ac_c" 1>&6 -echo "configure:2872: checking whether snprintf correctly terminates long strings" >&5 +echo "configure:3921: checking whether snprintf correctly terminates long strings" >&5 if test "$cross_compiling" = yes; then { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < int main(void){char b[5];snprintf(b,5,"123456789");return(b[4]!='\0');} EOF -if { (eval echo configure:2884: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:3933: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then echo "$ac_t""yes" 1>&6 else @@ -2903,7 +3952,7 @@ fi echo $ac_n "checking whether getpgrp takes no argument""... $ac_c" 1>&6 -echo "configure:2907: checking whether getpgrp takes no argument" >&5 +echo "configure:3956: checking whether getpgrp takes no argument" >&5 if eval "test \"`echo '$''{'ac_cv_func_getpgrp_void'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -2911,7 +3960,7 @@ { echo "configure: error: cannot check getpgrp if cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4019: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_func_getpgrp_void=yes else 
@@ -2990,26 +4039,116 @@ fi +echo $ac_n "checking for strftime""... $ac_c" 1>&6 +echo "configure:4044: checking for strftime" >&5 +if eval "test \"`echo '$''{'ac_cv_func_strftime'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char strftime(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_strftime) || defined (__stub___strftime) +choke me +#else +strftime(); +#endif + +; return 0; } +EOF +if { (eval echo configure:4072: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_strftime=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_strftime=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'strftime`\" = yes"; then + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF +#define HAVE_STRFTIME 1 +EOF + +else + echo "$ac_t""no" 1>&6 +# strftime is in -lintl on SCO UNIX. +echo $ac_n "checking for strftime in -lintl""... 
$ac_c" 1>&6 +echo "configure:4094: checking for strftime in -lintl" >&5 +ac_lib_var=`echo intl'_'strftime | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lintl $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF +#define HAVE_STRFTIME 1 +EOF + +LIBS="-lintl $LIBS" +else + echo "$ac_t""no" 1>&6 +fi + +fi + + +# Check for PAM libs PAM_MSG="no" # Check whether --with-pam or --without-pam was given. if test "${with_pam+set}" = set; then withval="$with_pam" - if test "x$withval" = "xno" ; then - no_pam=1 - cat >> confdefs.h <<\EOF -#define DISABLE_PAM 1 -EOF - - PAM_MSG="disabled" - fi - - -fi + if test "x$withval" != "xno" ; then + if test "x$ac_cv_header_security_pam_appl_h" != "xyes" ; then + { echo "configure: error: PAM headers not found" 1>&2; exit 1; } + fi -if (test -z "$no_pam" && test "x$ac_cv_header_security_pam_appl_h" = "xyes") ; then - echo $ac_n "checking for dlopen in -ldl""... $ac_c" 1>&6 -echo "configure:3013: checking for dlopen in -ldl" >&5 + echo $ac_n "checking for dlopen in -ldl""... $ac_c" 1>&6 +echo "configure:4152: checking for dlopen in -ldl" >&5 ac_lib_var=`echo dl'_'dlopen | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 
@@ -3017,7 +4156,7 @@ ac_save_LIBS="$LIBS" LIBS="-ldl $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:4171: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -3055,17 +4194,63 @@ echo "$ac_t""no" 1>&6 fi - LIBS="$LIBS -lpam" + echo $ac_n "checking for pam_set_item in -lpam""... $ac_c" 1>&6 +echo "configure:4199: checking for pam_set_item in -lpam" >&5 +ac_lib_var=`echo pam'_'pam_set_item | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lpam $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo pam | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +{ echo "configure: error: *** libpam missing" 1>&2; exit 1; } +fi - for ac_func in pam_getenvlist + for ac_func in pam_getenvlist do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:3064: checking for $ac_func" >&5 +echo "configure:4249: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:4277: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else 
@@ -3113,15 +4298,26 @@ done - disable_shadow=yes + disable_shadow=yes + PAM_MSG="yes" + + cat >> confdefs.h <<\EOF +#define USE_PAM 1 +EOF + + fi + + +fi - PAM_MSG="yes" +# Check for older PAM +if test "x$PAM_MSG" = "xyes" ; then # Check PAM strerror arguments (old PAM) echo $ac_n "checking whether pam_strerror takes only one argument""... $ac_c" 1>&6 -echo "configure:3123: checking whether pam_strerror takes only one argument" >&5 +echo "configure:4319: checking whether pam_strerror takes only one argument" >&5 cat > conftest.$ac_ext < @@ -3131,7 +4327,7 @@ (void)pam_strerror((pam_handle_t *)NULL, -1); ; return 0; } EOF -if { (eval echo configure:3135: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4331: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""no" 1>&6 else @@ -3148,7 +4344,7 @@ fi -rm -f conftest* +rm -f conftest* fi # The big search for OpenSSL 
@@ -3166,37 +4362,55 @@ saved_LIBS="$LIBS" saved_LDFLAGS="$LDFLAGS" -saved_CFLAGS="$CFLAGS" +saved_CPPFLAGS="$CPPFLAGS" if test "x$prefix" != "xNONE" ; then tryssldir="$tryssldir $prefix" fi echo $ac_n "checking for OpenSSL directory""... $ac_c" 1>&6 -echo "configure:3175: checking for OpenSSL directory" >&5 +echo "configure:4371: checking for OpenSSL directory" >&5 if eval "test \"`echo '$''{'ac_cv_openssldir'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else - for ssldir in $tryssldir "" /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do - if test ! -z "$ssldir" ; then - LDFLAGS="$saved_LDFLAGS -L$ssldir/lib -L$ssldir" - CFLAGS="$saved_CFLAGS -I$ssldir/include" - if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R$ssldir/lib -R$ssldir" + CPPFLAGS="$saved_CPPFLAGS" + LDFLAGS="$saved_LDFLAGS" + LIBS="$saved_LIBS -lcrypto" + + # Skip directories if they don't exist + if test ! -z "$ssldir" -a ! -d "$ssldir" ; then + continue; + fi + if test ! -z "$ssldir" -a "x$ssldir" != "x/usr"; then + # Try to use $ssldir/lib if it exists, otherwise + # $ssldir + if test -d "$ssldir/lib" ; then + LDFLAGS="$LDFLAGS -L$ssldir/lib" + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R$ssldir/lib" + fi + else + LDFLAGS="$LDFLAGS -L$ssldir" + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R$ssldir" + fi + fi + # Try to use $ssldir/include if it exists, otherwise + # $ssldir + if test -d "$ssldir/include" ; then + CPPFLAGS="$CPPFLAGS -I$ssldir/include" + else + CPPFLAGS="$CPPFLAGS -I$ssldir" fi - else - LDFLAGS="$saved_LDFLAGS" fi - LIBS="$saved_LIBS -lcrypto" - # Basic test to check for compatible version and correct linking # *does not* test for RSA - that comes later. if test "$cross_compiling" = yes; then { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < 
@@ -3210,7 +4424,7 @@ } EOF -if { (eval echo configure:3214: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4428: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then found_crypto=1 @@ -3233,7 +4447,7 @@ done if test -z "$found_crypto" ; then - { echo "configure: error: Could not find working SSLeay / OpenSSL libraries, please install" 1>&2; exit 1; } + { echo "configure: error: Could not find working OpenSSL library, please install or check config.log" 1>&2; exit 1; } fi if test -z "$ssldir" ; then ssldir="(system)" @@ -3251,13 +4465,27 @@ EOF ssldir=$ac_cv_openssldir - CFLAGS="$saved_CFLAGS -I$ssldir/include" - LDFLAGS="$saved_LDFLAGS -L$ssldir/lib -L$ssldir" - if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R$ssldir/lib -R$ssldir" - fi - if test ! -z "$blibpath" ; then - blibpath="$blibpath:$ssldir:$ssldir/lib" + if test ! -z "$ssldir" -a "x$ssldir" != "x/usr"; then + # Try to use $ssldir/lib if it exists, otherwise + # $ssldir + if test -d "$ssldir/lib" ; then + LDFLAGS="$LDFLAGS -L$ssldir/lib" + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R$ssldir/lib" + fi + else + LDFLAGS="$LDFLAGS -L$ssldir" + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R$ssldir" + fi + fi + # Try to use $ssldir/include if it exists, otherwise + # $ssldir + if test -d "$ssldir/include" ; then + CPPFLAGS="$CPPFLAGS -I$ssldir/include" + else + CPPFLAGS="$CPPFLAGS -I$ssldir" + fi fi fi LIBS="$saved_LIBS -lcrypto" @@ -3265,7 +4493,7 @@ # Now test RSA support saved_LIBS="$LIBS" echo $ac_n "checking for RSA support""... $ac_c" 1>&6 -echo "configure:3269: checking for RSA support" >&5 +echo "configure:4497: checking for RSA support" >&5 for WANTS_RSAREF in "" 1 ; do if test -z "$WANTS_RSAREF" ; then LIBS="$saved_LIBS" 
@@ -3276,7 +4504,7 @@ { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < @@ -3295,7 +4523,7 @@ } EOF -if { (eval echo configure:3299: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4527: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then rsa_works=1 
@@ -3308,25 +4536,77 @@ rm -fr conftest* fi -done +done + +if test ! -z "$no_rsa" ; then + echo "$ac_t""disabled" 1>&6 + RSA_MSG="disabled" +else + if test -z "$rsa_works" ; then + echo "configure: warning: *** No RSA support found *** " 1>&2 + RSA_MSG="no" + else + if test -z "$WANTS_RSAREF" ; then + echo "$ac_t""yes" 1>&6 + RSA_MSG="yes" + else + RSA_MSG="yes (using RSAref)" + echo "$ac_t""using RSAref" 1>&6 + LIBS="$saved_LIBS -lcrypto -lRSAglue -lrsaref" + fi + fi +fi + +# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the +# version in OpenSSL. Skip this for PAM +if test "x$PAM_MSG" = "xno" -a "x$check_for_libcrypt_later" = "x1"; then + echo $ac_n "checking for crypt in -lcrypt""... $ac_c" 1>&6 +echo "configure:4565: checking for crypt in -lcrypt" >&5 +ac_lib_var=`echo crypt'_'crypt | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lcrypt $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo crypt | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 - RSA_MSG="disabled" else - if test -z "$rsa_works" ; then - echo "configure: warning: *** No RSA support found *** " 1>&2 - RSA_MSG="no" - else - if test -z "$WANTS_RSAREF" ; then - echo "$ac_t""yes" 1>&6 - RSA_MSG="yes" - else - RSA_MSG="yes (using RSAref)" - echo "$ac_t""using RSAref" 1>&6 - LIBS="$saved_LIBS -lcrypto -lRSAglue -lrsaref" - fi - fi + echo "$ac_t""no" 1>&6 +fi + fi # Cheap hack to ensure NEWS-OS libraries are 
arranged right. @@ -3336,7 +4616,7 @@ # Checks for data types echo $ac_n "checking size of char""... $ac_c" 1>&6 -echo "configure:3340: checking size of char" >&5 +echo "configure:4620: checking size of char" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_char'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -3344,7 +4624,7 @@ ac_cv_sizeof_char=1 else cat > conftest.$ac_ext < main() @@ -3355,7 +4635,7 @@ exit(0); } EOF -if { (eval echo configure:3359: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4639: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_char=`cat conftestval` else @@ -3375,7 +4655,7 @@ echo $ac_n "checking size of short int""... $ac_c" 1>&6 -echo "configure:3379: checking size of short int" >&5 +echo "configure:4659: checking size of short int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_short_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -3383,7 +4663,7 @@ ac_cv_sizeof_short_int=2 else cat > conftest.$ac_ext < main() @@ -3394,7 +4674,7 @@ exit(0); } EOF -if { (eval echo configure:3398: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4678: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_short_int=`cat conftestval` else @@ -3414,7 +4694,7 @@ echo $ac_n "checking size of int""... $ac_c" 1>&6 -echo "configure:3418: checking size of int" >&5 +echo "configure:4698: checking size of int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -3422,7 +4702,7 @@ ac_cv_sizeof_int=4 else cat > conftest.$ac_ext < main() 
@@ -3433,7 +4713,7 @@ exit(0); } EOF -if { (eval echo configure:3437: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4717: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_int=`cat conftestval` else @@ -3453,7 +4733,7 @@ echo $ac_n "checking size of long int""... $ac_c" 1>&6 -echo "configure:3457: checking size of long int" >&5 +echo "configure:4737: checking size of long int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_long_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -3461,7 +4741,7 @@ ac_cv_sizeof_long_int=4 else cat > conftest.$ac_ext < main() @@ -3472,7 +4752,7 @@ exit(0); } EOF -if { (eval echo configure:3476: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4756: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_long_int=`cat conftestval` else @@ -3492,7 +4772,7 @@ echo $ac_n "checking size of long long int""... $ac_c" 1>&6 -echo "configure:3496: checking size of long long int" >&5 +echo "configure:4776: checking size of long long int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_long_long_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -3500,7 +4780,7 @@ ac_cv_sizeof_long_long_int=8 else cat > conftest.$ac_ext < main() @@ -3511,7 +4791,7 @@ exit(0); } EOF -if { (eval echo configure:3515: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4795: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_long_long_int=`cat conftestval` else 
@@ -3533,20 +4813,20 @@ # More checks for data types echo $ac_n "checking for u_int type""... $ac_c" 1>&6 -echo "configure:3537: checking for u_int type" >&5 +echo "configure:4817: checking for u_int type" >&5 if eval "test \"`echo '$''{'ac_cv_have_u_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { u_int a; a = 1; ; return 0; } EOF -if { (eval echo configure:3550: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4830: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_u_int="yes" else @@ -3570,20 +4850,20 @@ fi echo $ac_n "checking for intXX_t types""... $ac_c" 1>&6 -echo "configure:3574: checking for intXX_t types" >&5 +echo "configure:4854: checking for intXX_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_intxx_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { int8_t a; int16_t b; int32_t c; a = b = c = 1; ; return 0; } EOF -if { (eval echo configure:3587: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4867: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_intxx_t="yes" else @@ -3607,20 +4887,20 @@ fi echo $ac_n "checking for int64_t type""... $ac_c" 1>&6 -echo "configure:3611: checking for int64_t type" >&5 +echo "configure:4891: checking for int64_t type" >&5 if eval "test \"`echo '$''{'ac_cv_have_int64_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { int64_t a; a = 1; ; return 0; } EOF -if { (eval echo configure:3624: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4904: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_int64_t="yes" else 
@@ -3644,20 +4924,20 @@ fi echo $ac_n "checking for u_intXX_t types""... $ac_c" 1>&6 -echo "configure:3648: checking for u_intXX_t types" >&5 +echo "configure:4928: checking for u_intXX_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_u_intxx_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1; ; return 0; } EOF -if { (eval echo configure:3661: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4941: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_u_intxx_t="yes" else @@ -3681,20 +4961,20 @@ fi echo $ac_n "checking for u_int64_t types""... $ac_c" 1>&6 -echo "configure:3685: checking for u_int64_t types" >&5 +echo "configure:4965: checking for u_int64_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_u_int64_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { u_int64_t a; a = 1; ; return 0; } EOF -if { (eval echo configure:3698: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4978: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_u_int64_t="yes" else @@ -3721,9 +5001,9 @@ test "x$ac_cv_header_sys_bitypes_h" = "xyes") then echo $ac_n "checking for intXX_t and u_intXX_t types in sys/bitypes.h""... $ac_c" 1>&6 -echo "configure:3725: checking for intXX_t and u_intXX_t types in sys/bitypes.h" >&5 +echo "configure:5005: checking for intXX_t and u_intXX_t types in sys/bitypes.h" >&5 cat > conftest.$ac_ext < @@ -3736,7 +5016,7 @@ ; return 0; } EOF -if { (eval echo configure:3740: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5020: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* cat >> confdefs.h <<\EOF 
@@ -3761,13 +5041,13 @@ if test -z "$have_u_intxx_t" ; then echo $ac_n "checking for uintXX_t types""... $ac_c" 1>&6 -echo "configure:3765: checking for uintXX_t types" >&5 +echo "configure:5045: checking for uintXX_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_uintxx_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3776,7 +5056,7 @@ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1; ; return 0; } EOF -if { (eval echo configure:3780: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5060: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_uintxx_t="yes" else @@ -3800,13 +5080,13 @@ fi echo $ac_n "checking for socklen_t""... $ac_c" 1>&6 -echo "configure:3804: checking for socklen_t" >&5 +echo "configure:5084: checking for socklen_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_socklen_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3816,7 +5096,7 @@ socklen_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3820: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5100: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_socklen_t="yes" else @@ -3839,13 +5119,13 @@ fi echo $ac_n "checking for size_t""... $ac_c" 1>&6 -echo "configure:3843: checking for size_t" >&5 +echo "configure:5123: checking for size_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_size_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3854,7 +5134,7 @@ size_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3858: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5138: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_size_t="yes" else 
@@ -3877,13 +5157,13 @@ fi echo $ac_n "checking for ssize_t""... $ac_c" 1>&6 -echo "configure:3881: checking for ssize_t" >&5 +echo "configure:5161: checking for ssize_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_ssize_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3892,7 +5172,7 @@ ssize_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3896: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5176: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_ssize_t="yes" else @@ -3914,14 +5194,52 @@ fi +echo $ac_n "checking for clock_t""... $ac_c" 1>&6 +echo "configure:5199: checking for clock_t" >&5 +if eval "test \"`echo '$''{'ac_cv_have_clock_t'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + + cat > conftest.$ac_ext < + +int main() { + clock_t foo; foo = 1235; +; return 0; } +EOF +if { (eval echo configure:5214: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_have_clock_t="yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + ac_cv_have_clock_t="no" + +fi +rm -f conftest* + +fi + +echo "$ac_t""$ac_cv_have_clock_t" 1>&6 +if test "x$ac_cv_have_clock_t" = "xyes" ; then + cat >> confdefs.h <<\EOF +#define HAVE_CLOCK_T 1 +EOF + +fi + echo $ac_n "checking for sa_family_t""... $ac_c" 1>&6 -echo "configure:3919: checking for sa_family_t" >&5 +echo "configure:5237: checking for sa_family_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_sa_family_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3931,7 +5249,7 @@ sa_family_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3935: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5253: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_sa_family_t="yes" else 
@@ -3939,7 +5257,7 @@ cat conftest.$ac_ext >&5 rm -rf conftest* cat > conftest.$ac_ext < @@ -3950,7 +5268,7 @@ sa_family_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3954: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5272: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_sa_family_t="yes" else @@ -3976,13 +5294,13 @@ fi echo $ac_n "checking for pid_t""... $ac_c" 1>&6 -echo "configure:3980: checking for pid_t" >&5 +echo "configure:5298: checking for pid_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_pid_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3991,7 +5309,7 @@ pid_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3995: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5313: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_pid_t="yes" else @@ -4014,13 +5332,13 @@ fi echo $ac_n "checking for mode_t""... $ac_c" 1>&6 -echo "configure:4018: checking for mode_t" >&5 +echo "configure:5336: checking for mode_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_mode_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -4029,7 +5347,7 @@ mode_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:4033: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5351: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_mode_t="yes" else @@ -4053,13 +5371,13 @@ echo $ac_n "checking for struct sockaddr_storage""... $ac_c" 1>&6 -echo "configure:4057: checking for struct sockaddr_storage" >&5 +echo "configure:5375: checking for struct sockaddr_storage" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_sockaddr_storage'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < 
@@ -4069,7 +5387,7 @@ struct sockaddr_storage s; ; return 0; } EOF -if { (eval echo configure:4073: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5391: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_sockaddr_storage="yes" else @@ -4092,13 +5410,13 @@ fi echo $ac_n "checking for struct sockaddr_in6""... $ac_c" 1>&6 -echo "configure:4096: checking for struct sockaddr_in6" >&5 +echo "configure:5414: checking for struct sockaddr_in6" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_sockaddr_in6'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -4108,7 +5426,7 @@ struct sockaddr_in6 s; s.sin6_family = 0; ; return 0; } EOF -if { (eval echo configure:4112: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5430: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_sockaddr_in6="yes" else @@ -4131,13 +5449,13 @@ fi echo $ac_n "checking for struct in6_addr""... $ac_c" 1>&6 -echo "configure:4135: checking for struct in6_addr" >&5 +echo "configure:5453: checking for struct in6_addr" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_in6_addr'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -4147,7 +5465,7 @@ struct in6_addr s; s.s6_addr[0] = 0; ; return 0; } EOF -if { (eval echo configure:4151: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5469: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_in6_addr="yes" else @@ -4170,13 +5488,13 @@ fi echo $ac_n "checking for struct addrinfo""... $ac_c" 1>&6 -echo "configure:4174: checking for struct addrinfo" >&5 +echo "configure:5492: checking for struct addrinfo" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_addrinfo'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < 
@@ -4187,7 +5505,7 @@ struct addrinfo s; s.ai_flags = AI_PASSIVE; ; return 0; } EOF -if { (eval echo configure:4191: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5509: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_addrinfo="yes" else @@ -4209,18 +5527,64 @@ fi +echo $ac_n "checking for struct timeval""... $ac_c" 1>&6 +echo "configure:5532: checking for struct timeval" >&5 +if eval "test \"`echo '$''{'ac_cv_have_struct_timeval'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + + cat > conftest.$ac_ext < +int main() { + struct timeval tv; tv.tv_sec = 1; +; return 0; } +EOF +if { (eval echo configure:5545: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_have_struct_timeval="yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + ac_cv_have_struct_timeval="no" + +fi +rm -f conftest* + +fi + +echo "$ac_t""$ac_cv_have_struct_timeval" 1>&6 +if test "x$ac_cv_have_struct_timeval" = "xyes" ; then + cat >> confdefs.h <<\EOF +#define HAVE_STRUCT_TIMEVAL 1 +EOF + + have_struct_timeval=1 +fi + +# If we don't have int64_t then we can't compile sftp-server. So don't +# even attempt to do it. +if test "x$ac_cv_have_int64_t" = "xno" -a \ + "x$ac_cv_sizeof_long_int" != "x8" -a \ + "x$ac_cv_sizeof_long_long_int" = "x0" ; then + NO_SFTP='#' +fi + + # look for field 'ut_host' in header 'utmp.h' ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_host echo $ac_n "checking for ut_host field in utmp.h""... $ac_c" 1>&6 -echo "configure:4218: checking for ut_host field in utmp.h" >&5 +echo "configure:5582: checking for ut_host field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -4254,13 +5618,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_host echo $ac_n "checking for ut_host field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4258: checking for ut_host field in utmpx.h" >&5 +echo "configure:5622: checking for ut_host field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4294,13 +5658,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"syslen echo $ac_n "checking for syslen field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4298: checking for syslen field in utmpx.h" >&5 +echo "configure:5662: checking for syslen field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4334,13 +5698,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_pid echo $ac_n "checking for ut_pid field in utmp.h""... $ac_c" 1>&6 -echo "configure:4338: checking for ut_pid field in utmp.h" >&5 +echo "configure:5702: checking for ut_pid field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4374,13 +5738,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_type echo $ac_n "checking for ut_type field in utmp.h""... $ac_c" 1>&6 -echo "configure:4378: checking for ut_type field in utmp.h" >&5 +echo "configure:5742: checking for ut_type field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -4414,13 +5778,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_type echo $ac_n "checking for ut_type field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4418: checking for ut_type field in utmpx.h" >&5 +echo "configure:5782: checking for ut_type field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4454,13 +5818,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_tv echo $ac_n "checking for ut_tv field in utmp.h""... $ac_c" 1>&6 -echo "configure:4458: checking for ut_tv field in utmp.h" >&5 +echo "configure:5822: checking for ut_tv field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4494,13 +5858,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_id echo $ac_n "checking for ut_id field in utmp.h""... $ac_c" 1>&6 -echo "configure:4498: checking for ut_id field in utmp.h" >&5 +echo "configure:5862: checking for ut_id field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4534,13 +5898,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_id echo $ac_n "checking for ut_id field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4538: checking for ut_id field in utmpx.h" >&5 +echo "configure:5902: checking for ut_id field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -4574,13 +5938,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr echo $ac_n "checking for ut_addr field in utmp.h""... $ac_c" 1>&6 -echo "configure:4578: checking for ut_addr field in utmp.h" >&5 +echo "configure:5942: checking for ut_addr field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4614,13 +5978,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr echo $ac_n "checking for ut_addr field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4618: checking for ut_addr field in utmpx.h" >&5 +echo "configure:5982: checking for ut_addr field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4654,13 +6018,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr_v6 echo $ac_n "checking for ut_addr_v6 field in utmp.h""... $ac_c" 1>&6 -echo "configure:4658: checking for ut_addr_v6 field in utmp.h" >&5 +echo "configure:6022: checking for ut_addr_v6 field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4694,13 +6058,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr_v6 echo $ac_n "checking for ut_addr_v6 field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4698: checking for ut_addr_v6 field in utmpx.h" >&5 +echo "configure:6062: checking for ut_addr_v6 field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -4734,13 +6098,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_exit echo $ac_n "checking for ut_exit field in utmp.h""... $ac_c" 1>&6 -echo "configure:4738: checking for ut_exit field in utmp.h" >&5 +echo "configure:6102: checking for ut_exit field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4774,13 +6138,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_time echo $ac_n "checking for ut_time field in utmp.h""... $ac_c" 1>&6 -echo "configure:4778: checking for ut_time field in utmp.h" >&5 +echo "configure:6142: checking for ut_time field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4814,13 +6178,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_time echo $ac_n "checking for ut_time field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4818: checking for ut_time field in utmpx.h" >&5 +echo "configure:6182: checking for ut_time field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4854,13 +6218,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_tv echo $ac_n "checking for ut_tv field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4858: checking for ut_tv field in utmpx.h" >&5 +echo "configure:6222: checking for ut_tv field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -4890,12 +6254,12 @@ fi echo $ac_n "checking for st_blksize in struct stat""... $ac_c" 1>&6 -echo "configure:4894: checking for st_blksize in struct stat" >&5 +echo "configure:6258: checking for st_blksize in struct stat" >&5 if eval "test \"`echo '$''{'ac_cv_struct_st_blksize'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < #include @@ -4903,7 +6267,7 @@ struct stat s; s.st_blksize; ; return 0; } EOF -if { (eval echo configure:4907: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6271: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_struct_st_blksize=yes else @@ -4925,13 +6289,13 @@ echo $ac_n "checking for sun_len field in struct sockaddr_un""... $ac_c" 1>&6 -echo "configure:4929: checking for sun_len field in struct sockaddr_un" >&5 +echo "configure:6293: checking for sun_len field in struct sockaddr_un" >&5 if eval "test \"`echo '$''{'ac_cv_have_sun_len_in_struct_sockaddr_un'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -4941,7 +6305,7 @@ struct sockaddr_un s; s.sun_len = 1; ; return 0; } EOF -if { (eval echo configure:4945: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6309: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_sun_len_in_struct_sockaddr_un="yes" else @@ -4963,13 +6327,13 @@ fi echo $ac_n "checking for ss_family field in struct sockaddr_storage""... $ac_c" 1>&6 -echo "configure:4967: checking for ss_family field in struct sockaddr_storage" >&5 +echo "configure:6331: checking for ss_family field in struct sockaddr_storage" >&5 if eval "test \"`echo '$''{'ac_cv_have_ss_family_in_struct_ss'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < 
@@ -4979,7 +6343,7 @@ struct sockaddr_storage s; s.ss_family = 1; ; return 0; } EOF -if { (eval echo configure:4983: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6347: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_ss_family_in_struct_ss="yes" else @@ -5001,13 +6365,13 @@ fi echo $ac_n "checking for __ss_family field in struct sockaddr_storage""... $ac_c" 1>&6 -echo "configure:5005: checking for __ss_family field in struct sockaddr_storage" >&5 +echo "configure:6369: checking for __ss_family field in struct sockaddr_storage" >&5 if eval "test \"`echo '$''{'ac_cv_have___ss_family_in_struct_ss'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5017,7 +6381,7 @@ struct sockaddr_storage s; s.__ss_family = 1; ; return 0; } EOF -if { (eval echo configure:5021: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6385: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have___ss_family_in_struct_ss="yes" else @@ -5040,13 +6404,13 @@ fi echo $ac_n "checking for pw_class field in struct passwd""... $ac_c" 1>&6 -echo "configure:5044: checking for pw_class field in struct passwd" >&5 +echo "configure:6408: checking for pw_class field in struct passwd" >&5 if eval "test \"`echo '$''{'ac_cv_have_pw_class_in_struct_passwd'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5055,7 +6419,7 @@ struct passwd p; p.pw_class = 0; ; return 0; } EOF -if { (eval echo configure:5059: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6423: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_pw_class_in_struct_passwd="yes" else 
@@ -5079,20 +6443,20 @@ echo $ac_n "checking if libc defines __progname""... $ac_c" 1>&6 -echo "configure:5083: checking if libc defines __progname" >&5 +echo "configure:6447: checking if libc defines __progname" >&5 if eval "test \"`echo '$''{'ac_cv_libc_defines___progname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:6460: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_libc_defines___progname="yes" else @@ -5116,20 +6480,20 @@ echo $ac_n "checking if libc defines sys_errlist""... $ac_c" 1>&6 -echo "configure:5120: checking if libc defines sys_errlist" >&5 +echo "configure:6484: checking if libc defines sys_errlist" >&5 if eval "test \"`echo '$''{'ac_cv_libc_defines_sys_errlist'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:6497: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_libc_defines_sys_errlist="yes" else @@ -5153,20 +6517,20 @@ echo $ac_n "checking if libc defines sys_nerr""... $ac_c" 1>&6 -echo "configure:5157: checking if libc defines sys_nerr" >&5 +echo "configure:6521: checking if libc defines sys_nerr" >&5 if eval "test \"`echo '$''{'ac_cv_libc_defines_sys_nerr'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:6534: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_libc_defines_sys_nerr="yes" else 
@@ -5203,7 +6567,7 @@ # Extract the first word of "rsh", so it can be a program name with args. set dummy rsh; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5207: checking for $ac_word" >&5 +echo "configure:6571: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_rsh_path'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5253,7 +6617,7 @@ # Extract the first word of "xauth", so it can be a program name with args. set dummy xauth; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5257: checking for $ac_word" >&5 +echo "configure:6621: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_xauth_path'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5293,11 +6657,16 @@ fi -if test ! -z "$xauth_path" ; then +if test -z "$xauth_path" ; then + XAUTH_PATH="undefined" + +else cat >> confdefs.h <> confdefs.h <&6 -echo "configure:5323: checking for "/dev/ptmx"" >&5 +echo "configure:6692: checking for "/dev/ptmx"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5352,7 +6721,7 @@ ac_safe=`echo ""/dev/ptc"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/ptc"""... $ac_c" 1>&6 -echo "configure:5356: checking for "/dev/ptc"" >&5 +echo "configure:6725: checking for "/dev/ptc"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5403,7 +6772,7 @@ ac_safe=`echo ""/dev/urandom"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/urandom"""... $ac_c" 1>&6 -echo "configure:5407: checking for "/dev/urandom"" >&5 +echo "configure:6776: checking for "/dev/urandom"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -5451,10 +6820,35 @@ fi +else + + # Check for existing socket only if we don't have a random device already + if test -z "$RANDOM_POOL" ; then + echo $ac_n "checking for PRNGD/EGD socket""... $ac_c" 1>&6 +echo "configure:6829: checking for PRNGD/EGD socket" >&5 + # Insert other locations here + for egdsock in /var/run/egd-pool /etc/entropy /tmp/entropy ; do + if test -r $egdsock && $TEST_MINUS_S_SH -c "test -S $egdsock -o -p $egdsock" ; then + EGD_SOCKET="$egdsock" + cat >> confdefs.h <&6 + else + echo "$ac_t""not found" 1>&6 + fi + fi + fi + # detect pathnames for entropy gathering commands, if we need them INSTALL_SSH_PRNG_CMDS="" rm -f prng_commands @@ -5464,7 +6858,7 @@ # Extract the first word of "ls", so it can be a program name with args. set dummy ls; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5468: checking for $ac_word" >&5 +echo "configure:6862: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_LS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5505,7 +6899,7 @@ # Extract the first word of "netstat", so it can be a program name with args. set dummy netstat; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5509: checking for $ac_word" >&5 +echo "configure:6903: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_NETSTAT'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5546,7 +6940,7 @@ # Extract the first word of "arp", so it can be a program name with args. set dummy arp; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5550: checking for $ac_word" >&5 +echo "configure:6944: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_ARP'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -5587,7 +6981,7 @@ # Extract the first word of "ifconfig", so it can be a program name with args. set dummy ifconfig; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5591: checking for $ac_word" >&5 +echo "configure:6985: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_IFCONFIG'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5628,7 +7022,7 @@ # Extract the first word of "ps", so it can be a program name with args. set dummy ps; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5632: checking for $ac_word" >&5 +echo "configure:7026: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_PS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5669,7 +7063,7 @@ # Extract the first word of "w", so it can be a program name with args. set dummy w; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5673: checking for $ac_word" >&5 +echo "configure:7067: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_W'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -5710,180 +7104,16 @@ # Extract the first word of "who", so it can be a program name with args. set dummy who; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5714: checking for $ac_word" >&5 -if eval "test \"`echo '$''{'ac_cv_path_PROG_WHO'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - case "$PROG_WHO" in - /*) - ac_cv_path_PROG_WHO="$PROG_WHO" # Let the user override the test with a path. - ;; - ?:/*) - ac_cv_path_PROG_WHO="$PROG_WHO" # Let the user override the test with a dos path. - ;; - *) - IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" - ac_dummy="$PATH" - for ac_dir in $ac_dummy; do - test -z "$ac_dir" && ac_dir=. - if test -f $ac_dir/$ac_word; then - ac_cv_path_PROG_WHO="$ac_dir/$ac_word" - break - fi - done - IFS="$ac_save_ifs" - ;; -esac -fi -PROG_WHO="$ac_cv_path_PROG_WHO" -if test -n "$PROG_WHO"; then - echo "$ac_t""$PROG_WHO" 1>&6 -else - echo "$ac_t""no" 1>&6 -fi - - if test -z "$PROG_WHO" ; then - PROG_WHO="undef" - fi - - - - # Extract the first word of "last", so it can be a program name with args. -set dummy last; ac_word=$2 -echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5755: checking for $ac_word" >&5 -if eval "test \"`echo '$''{'ac_cv_path_PROG_LAST'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - case "$PROG_LAST" in - /*) - ac_cv_path_PROG_LAST="$PROG_LAST" # Let the user override the test with a path. - ;; - ?:/*) - ac_cv_path_PROG_LAST="$PROG_LAST" # Let the user override the test with a dos path. - ;; - *) - IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" - ac_dummy="$PATH" - for ac_dir in $ac_dummy; do - test -z "$ac_dir" && ac_dir=. 
- if test -f $ac_dir/$ac_word; then - ac_cv_path_PROG_LAST="$ac_dir/$ac_word" - break - fi - done - IFS="$ac_save_ifs" - ;; -esac -fi -PROG_LAST="$ac_cv_path_PROG_LAST" -if test -n "$PROG_LAST"; then - echo "$ac_t""$PROG_LAST" 1>&6 -else - echo "$ac_t""no" 1>&6 -fi - - if test -z "$PROG_LAST" ; then - PROG_LAST="undef" - fi - - - - # Extract the first word of "lastlog", so it can be a program name with args. -set dummy lastlog; ac_word=$2 -echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5796: checking for $ac_word" >&5 -if eval "test \"`echo '$''{'ac_cv_path_PROG_LASTLOG'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - case "$PROG_LASTLOG" in - /*) - ac_cv_path_PROG_LASTLOG="$PROG_LASTLOG" # Let the user override the test with a path. - ;; - ?:/*) - ac_cv_path_PROG_LASTLOG="$PROG_LASTLOG" # Let the user override the test with a dos path. - ;; - *) - IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" - ac_dummy="$PATH" - for ac_dir in $ac_dummy; do - test -z "$ac_dir" && ac_dir=. - if test -f $ac_dir/$ac_word; then - ac_cv_path_PROG_LASTLOG="$ac_dir/$ac_word" - break - fi - done - IFS="$ac_save_ifs" - ;; -esac -fi -PROG_LASTLOG="$ac_cv_path_PROG_LASTLOG" -if test -n "$PROG_LASTLOG"; then - echo "$ac_t""$PROG_LASTLOG" 1>&6 -else - echo "$ac_t""no" 1>&6 -fi - - if test -z "$PROG_LASTLOG" ; then - PROG_LASTLOG="undef" - fi - - - - # Extract the first word of "df", so it can be a program name with args. -set dummy df; ac_word=$2 -echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5837: checking for $ac_word" >&5 -if eval "test \"`echo '$''{'ac_cv_path_PROG_DF'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - case "$PROG_DF" in - /*) - ac_cv_path_PROG_DF="$PROG_DF" # Let the user override the test with a path. - ;; - ?:/*) - ac_cv_path_PROG_DF="$PROG_DF" # Let the user override the test with a dos path. 
- ;; - *) - IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" - ac_dummy="$PATH" - for ac_dir in $ac_dummy; do - test -z "$ac_dir" && ac_dir=. - if test -f $ac_dir/$ac_word; then - ac_cv_path_PROG_DF="$ac_dir/$ac_word" - break - fi - done - IFS="$ac_save_ifs" - ;; -esac -fi -PROG_DF="$ac_cv_path_PROG_DF" -if test -n "$PROG_DF"; then - echo "$ac_t""$PROG_DF" 1>&6 -else - echo "$ac_t""no" 1>&6 -fi - - if test -z "$PROG_DF" ; then - PROG_DF="undef" - fi - - - - # Extract the first word of "vmstat", so it can be a program name with args. -set dummy vmstat; ac_word=$2 -echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5878: checking for $ac_word" >&5 -if eval "test \"`echo '$''{'ac_cv_path_PROG_VMSTAT'+set}'`\" = set"; then +echo "configure:7108: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_PROG_WHO'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else - case "$PROG_VMSTAT" in + case "$PROG_WHO" in /*) - ac_cv_path_PROG_VMSTAT="$PROG_VMSTAT" # Let the user override the test with a path. + ac_cv_path_PROG_WHO="$PROG_WHO" # Let the user override the test with a path. ;; ?:/*) - ac_cv_path_PROG_VMSTAT="$PROG_VMSTAT" # Let the user override the test with a dos path. + ac_cv_path_PROG_WHO="$PROG_WHO" # Let the user override the test with a dos path. ;; *) IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" @@ -5891,7 +7121,7 @@ for ac_dir in $ac_dummy; do test -z "$ac_dir" && ac_dir=. if test -f $ac_dir/$ac_word; then - ac_cv_path_PROG_VMSTAT="$ac_dir/$ac_word" + ac_cv_path_PROG_WHO="$ac_dir/$ac_word" break fi done 
@@ -5899,32 +7129,32 @@ ;; esac fi -PROG_VMSTAT="$ac_cv_path_PROG_VMSTAT" -if test -n "$PROG_VMSTAT"; then - echo "$ac_t""$PROG_VMSTAT" 1>&6 +PROG_WHO="$ac_cv_path_PROG_WHO" +if test -n "$PROG_WHO"; then + echo "$ac_t""$PROG_WHO" 1>&6 else echo "$ac_t""no" 1>&6 fi - if test -z "$PROG_VMSTAT" ; then - PROG_VMSTAT="undef" + if test -z "$PROG_WHO" ; then + PROG_WHO="undef" fi - # Extract the first word of "uptime", so it can be a program name with args. -set dummy uptime; ac_word=$2 + # Extract the first word of "last", so it can be a program name with args. +set dummy last; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5919: checking for $ac_word" >&5 -if eval "test \"`echo '$''{'ac_cv_path_PROG_UPTIME'+set}'`\" = set"; then +echo "configure:7149: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_PROG_LAST'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else - case "$PROG_UPTIME" in + case "$PROG_LAST" in /*) - ac_cv_path_PROG_UPTIME="$PROG_UPTIME" # Let the user override the test with a path. + ac_cv_path_PROG_LAST="$PROG_LAST" # Let the user override the test with a path. ;; ?:/*) - ac_cv_path_PROG_UPTIME="$PROG_UPTIME" # Let the user override the test with a dos path. + ac_cv_path_PROG_LAST="$PROG_LAST" # Let the user override the test with a dos path. ;; *) IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" @@ -5932,7 +7162,7 @@ for ac_dir in $ac_dummy; do test -z "$ac_dir" && ac_dir=. if test -f $ac_dir/$ac_word; then - ac_cv_path_PROG_UPTIME="$ac_dir/$ac_word" + ac_cv_path_PROG_LAST="$ac_dir/$ac_word" break fi done 
@@ -5940,32 +7170,32 @@ ;; esac fi -PROG_UPTIME="$ac_cv_path_PROG_UPTIME" -if test -n "$PROG_UPTIME"; then - echo "$ac_t""$PROG_UPTIME" 1>&6 +PROG_LAST="$ac_cv_path_PROG_LAST" +if test -n "$PROG_LAST"; then + echo "$ac_t""$PROG_LAST" 1>&6 else echo "$ac_t""no" 1>&6 fi - if test -z "$PROG_UPTIME" ; then - PROG_UPTIME="undef" + if test -z "$PROG_LAST" ; then + PROG_LAST="undef" fi - # Extract the first word of "ipcs", so it can be a program name with args. -set dummy ipcs; ac_word=$2 + # Extract the first word of "lastlog", so it can be a program name with args. +set dummy lastlog; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5960: checking for $ac_word" >&5 -if eval "test \"`echo '$''{'ac_cv_path_PROG_IPCS'+set}'`\" = set"; then +echo "configure:7190: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_PROG_LASTLOG'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else - case "$PROG_IPCS" in + case "$PROG_LASTLOG" in /*) - ac_cv_path_PROG_IPCS="$PROG_IPCS" # Let the user override the test with a path. + ac_cv_path_PROG_LASTLOG="$PROG_LASTLOG" # Let the user override the test with a path. ;; ?:/*) - ac_cv_path_PROG_IPCS="$PROG_IPCS" # Let the user override the test with a dos path. + ac_cv_path_PROG_LASTLOG="$PROG_LASTLOG" # Let the user override the test with a dos path. ;; *) IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" @@ -5973,7 +7203,7 @@ for ac_dir in $ac_dummy; do test -z "$ac_dir" && ac_dir=. if test -f $ac_dir/$ac_word; then - ac_cv_path_PROG_IPCS="$ac_dir/$ac_word" + ac_cv_path_PROG_LASTLOG="$ac_dir/$ac_word" break fi done 
@@ -5981,32 +7211,32 @@ ;; esac fi -PROG_IPCS="$ac_cv_path_PROG_IPCS" -if test -n "$PROG_IPCS"; then - echo "$ac_t""$PROG_IPCS" 1>&6 +PROG_LASTLOG="$ac_cv_path_PROG_LASTLOG" +if test -n "$PROG_LASTLOG"; then + echo "$ac_t""$PROG_LASTLOG" 1>&6 else echo "$ac_t""no" 1>&6 fi - if test -z "$PROG_IPCS" ; then - PROG_IPCS="undef" + if test -z "$PROG_LASTLOG" ; then + PROG_LASTLOG="undef" fi - # Extract the first word of "tail", so it can be a program name with args. -set dummy tail; ac_word=$2 + # Extract the first word of "df", so it can be a program name with args. +set dummy df; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:6001: checking for $ac_word" >&5 -if eval "test \"`echo '$''{'ac_cv_path_PROG_TAIL'+set}'`\" = set"; then +echo "configure:7231: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_PROG_DF'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else - case "$PROG_TAIL" in + case "$PROG_DF" in /*) - ac_cv_path_PROG_TAIL="$PROG_TAIL" # Let the user override the test with a path. + ac_cv_path_PROG_DF="$PROG_DF" # Let the user override the test with a path. ;; ?:/*) - ac_cv_path_PROG_TAIL="$PROG_TAIL" # Let the user override the test with a dos path. + ac_cv_path_PROG_DF="$PROG_DF" # Let the user override the test with a dos path. ;; *) IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" @@ -6014,7 +7244,7 @@ for ac_dir in $ac_dummy; do test -z "$ac_dir" && ac_dir=. if test -f $ac_dir/$ac_word; then - ac_cv_path_PROG_TAIL="$ac_dir/$ac_word" + ac_cv_path_PROG_DF="$ac_dir/$ac_word" break fi done 
@@ -6022,32 +7252,32 @@ ;; esac fi -PROG_TAIL="$ac_cv_path_PROG_TAIL" -if test -n "$PROG_TAIL"; then - echo "$ac_t""$PROG_TAIL" 1>&6 +PROG_DF="$ac_cv_path_PROG_DF" +if test -n "$PROG_DF"; then + echo "$ac_t""$PROG_DF" 1>&6 else echo "$ac_t""no" 1>&6 fi - if test -z "$PROG_TAIL" ; then - PROG_TAIL="undef" + if test -z "$PROG_DF" ; then + PROG_DF="undef" fi - # Extract the first word of "ls", so it can be a program name with args. -set dummy ls; ac_word=$2 + # Extract the first word of "vmstat", so it can be a program name with args. +set dummy vmstat; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:6042: checking for $ac_word" >&5 -if eval "test \"`echo '$''{'ac_cv_path_PROG_LS'+set}'`\" = set"; then +echo "configure:7272: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_PROG_VMSTAT'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else - case "$PROG_LS" in + case "$PROG_VMSTAT" in /*) - ac_cv_path_PROG_LS="$PROG_LS" # Let the user override the test with a path. + ac_cv_path_PROG_VMSTAT="$PROG_VMSTAT" # Let the user override the test with a path. ;; ?:/*) - ac_cv_path_PROG_LS="$PROG_LS" # Let the user override the test with a dos path. + ac_cv_path_PROG_VMSTAT="$PROG_VMSTAT" # Let the user override the test with a dos path. ;; *) IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" @@ -6055,7 +7285,7 @@ for ac_dir in $ac_dummy; do test -z "$ac_dir" && ac_dir=. if test -f $ac_dir/$ac_word; then - ac_cv_path_PROG_LS="$ac_dir/$ac_word" + ac_cv_path_PROG_VMSTAT="$ac_dir/$ac_word" break fi done 
@@ -6063,321 +7293,171 @@ ;; esac fi -PROG_LS="$ac_cv_path_PROG_LS" -if test -n "$PROG_LS"; then - echo "$ac_t""$PROG_LS" 1>&6 +PROG_VMSTAT="$ac_cv_path_PROG_VMSTAT" +if test -n "$PROG_VMSTAT"; then + echo "$ac_t""$PROG_VMSTAT" 1>&6 else echo "$ac_t""no" 1>&6 fi - if test -z "$PROG_LS" ; then - PROG_LS="undef" + if test -z "$PROG_VMSTAT" ; then + PROG_VMSTAT="undef" fi - - INSTALL_SSH_PRNG_CMDS="yes" -fi - - - -# Check whether --with-catman or --without-catman was given. -if test "${with_catman+set}" = set; then - withval="$with_catman" - - MANTYPE='$(CATMAN)' - if test x"$withval" != x"yes" ; then - mansubdir=$withval - else - mansubdir=cat - fi - -else - - if test -z "$MANTYPE" ; then - MANTYPE='$(TROFFMAN)' - mansubdir=man - fi - - -fi - - - - -# Check whether user wants Kerberos support -KRB4_MSG="no" -# Check whether --with-kerberos4 or --without-kerberos4 was given. -if test "${with_kerberos4+set}" = set; then - withval="$with_kerberos4" - - if test "x$withval" != "xno" ; then - if test "x$withval" != "xyes" ; then - CFLAGS="$CFLAGS -I${withval}/include" - LDFLAGS="$LDFLAGS -L${withval}/lib" - if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R${withval}/lib" - fi - if test ! -z "$blibpath" ; then - blibpath="$blibpath:${withval}/lib" - fi - else - if test -d /usr/include/kerberosIV ; then - CFLAGS="$CFLAGS -I/usr/include/kerberosIV" - fi - fi - - for ac_hdr in krb.h -do -ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` -echo $ac_n "checking for $ac_hdr""... 
$ac_c" 1>&6 -echo "configure:6136: checking for $ac_hdr" >&5 -if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -EOF -ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:6146: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } -ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` -if test -z "$ac_err"; then - rm -rf conftest* - eval "ac_cv_header_$ac_safe=yes" -else - echo "$ac_err" >&5 - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_header_$ac_safe=no" -fi -rm -f conftest* -fi -if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` - cat >> confdefs.h <&6 -fi -done - - echo $ac_n "checking for main in -lkrb""... $ac_c" 1>&6 -echo "configure:6173: checking for main in -lkrb" >&5 -ac_lib_var=`echo krb'_'main | sed 'y%./+-%__p_%'` -if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + # Extract the first word of "uptime", so it can be a program name with args. +set dummy uptime; ac_word=$2 +echo $ac_n "checking for $ac_word""... 
$ac_c" 1>&6 +echo "configure:7313: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_PROG_UPTIME'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else - ac_save_LIBS="$LIBS" -LIBS="-lkrb $LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=no" -fi -rm -f conftest* -LIBS="$ac_save_LIBS" - -fi -if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_lib=HAVE_LIB`echo krb | sed -e 's/[^a-zA-Z0-9_]/_/g' \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` - cat >> confdefs.h <&6 else echo "$ac_t""no" 1>&6 fi - if test "$ac_cv_header_krb_h" != yes; then - echo "configure: warning: Cannot find krb.h, build may fail" 1>&2 - fi - if test "$ac_cv_lib_krb_main" != yes; then - echo "configure: warning: Cannot find libkrb, build may fail" 1>&2 - fi + if test -z "$PROG_UPTIME" ; then + PROG_UPTIME="undef" + fi + - KLIBS="-lkrb -ldes" - echo $ac_n "checking for dn_expand in -lresolv""... $ac_c" 1>&6 -echo "configure:6224: checking for dn_expand in -lresolv" >&5 -ac_lib_var=`echo resolv'_'dn_expand | sed 'y%./+-%__p_%'` -if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + + # Extract the first word of "ipcs", so it can be a program name with args. +set dummy ipcs; ac_word=$2 +echo $ac_n "checking for $ac_word""... 
$ac_c" 1>&6 +echo "configure:7354: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_PROG_IPCS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else - ac_save_LIBS="$LIBS" -LIBS="-lresolv $LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=no" -fi -rm -f conftest* -LIBS="$ac_save_LIBS" - + case "$PROG_IPCS" in + /*) + ac_cv_path_PROG_IPCS="$PROG_IPCS" # Let the user override the test with a path. + ;; + ?:/*) + ac_cv_path_PROG_IPCS="$PROG_IPCS" # Let the user override the test with a dos path. + ;; + *) + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_PROG_IPCS="$ac_dir/$ac_word" + break + fi + done + IFS="$ac_save_ifs" + ;; +esac fi -if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_lib=HAVE_LIB`echo resolv | sed -e 's/[^a-zA-Z0-9_]/_/g' \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` - cat >> confdefs.h <&6 else echo "$ac_t""no" 1>&6 fi - KRB4=yes - KRB4_MSG="yes" - cat >> confdefs.h <<\EOF -#define KRB4 1 -EOF - - fi + if test -z "$PROG_IPCS" ; then + PROG_IPCS="undef" + fi -fi - - -# Check whether user wants AFS support -AFS_MSG="no" -# Check whether --with-afs or --without-afs was given. -if test "${with_afs+set}" = set; then - withval="$with_afs" - - if test "x$withval" != "xno" ; then - - if test "x$withval" != "xyes" ; then - CFLAGS="$CFLAGS -I${withval}/include" - LFLAGS="$LFLAGS -L${withval}/lib" - fi - - if test -z "$KRB4" ; then - echo "configure: warning: AFS requires Kerberos IV support, build may fail" 1>&2 - fi - - LIBS="$LIBS -lkafs" - if test ! 
-z "$AFS_LIBS" ; then - LIBS="$LIBS $AFS_LIBS" - fi - cat >> confdefs.h <<\EOF -#define AFS 1 -EOF - - AFS_MSG="yes" - fi - + # Extract the first word of "tail", so it can be a program name with args. +set dummy tail; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:7395: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_PROG_TAIL'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + case "$PROG_TAIL" in + /*) + ac_cv_path_PROG_TAIL="$PROG_TAIL" # Let the user override the test with a path. + ;; + ?:/*) + ac_cv_path_PROG_TAIL="$PROG_TAIL" # Let the user override the test with a dos path. + ;; + *) + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_PROG_TAIL="$ac_dir/$ac_word" + break + fi + done + IFS="$ac_save_ifs" + ;; +esac +fi +PROG_TAIL="$ac_cv_path_PROG_TAIL" +if test -n "$PROG_TAIL"; then + echo "$ac_t""$PROG_TAIL" 1>&6 +else + echo "$ac_t""no" 1>&6 fi -LIBS="$LIBS $KLIBS" - -# Check whether user wants S/Key support -SKEY_MSG="no" -# Check whether --with-skey or --without-skey was given. -if test "${with_skey+set}" = set; then - withval="$with_skey" - - if test "x$withval" != "xno" ; then - cat >> confdefs.h <<\EOF -#define SKEY 1 -EOF - - LIBS="$LIBS -lskey" - SKEY_MSG="yes" - fi + if test -z "$PROG_TAIL" ; then + PROG_TAIL="undef" + fi + + INSTALL_SSH_PRNG_CMDS="yes" fi -# Check whether user wants TCP wrappers support -TCPW_MSG="no" -# Check whether --with-tcp-wrappers or --without-tcp-wrappers was given. -if test "${with_tcp_wrappers+set}" = set; then - withval="$with_tcp_wrappers" - - if test "x$withval" != "xno" ; then - saved_LIBS="$LIBS" - LIBS="$LIBS -lwrap" - echo $ac_n "checking for libwrap""... 
$ac_c" 1>&6 -echo "configure:6344: checking for libwrap" >&5 - cat > conftest.$ac_ext < - int deny_severity = 0, allow_severity = 0; - -int main() { -hosts_access(0); -; return 0; } -EOF -if { (eval echo configure:6356: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* +# Check whether --with-catman or --without-catman was given. +if test "${with_catman+set}" = set; then + withval="$with_catman" - echo "$ac_t""yes" 1>&6 - cat >> confdefs.h <<\EOF -#define LIBWRAP 1 -EOF - - TCPW_MSG="yes" - + MANTYPE='$(CATMAN)' + if test x"$withval" != x"yes" ; then + mansubdir=$withval + else + mansubdir=cat + fi + else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - { echo "configure: error: *** libwrap missing" 1>&2; exit 1; } - - -fi -rm -f conftest* + if test -z "$MANTYPE" ; then + MANTYPE='$(TROFFMAN)' + mansubdir=man fi fi + + # Check whether to enable MD5 passwords MD5_MSG="no" # Check whether --with-md5-passwords or --without-md5-passwords was given. @@ -6415,9 +7495,9 @@ if test -z "$disable_shadow" ; then echo $ac_n "checking if the systems has expire shadow information""... $ac_c" 1>&6 -echo "configure:6419: checking if the systems has expire shadow information" >&5 +echo "configure:7499: checking if the systems has expire shadow information" >&5 cat > conftest.$ac_ext < @@ -6428,7 +7508,7 @@ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ; return 0; } EOF -if { (eval echo configure:6432: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:7512: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* sp_expire_available=yes else 
@@ -6514,7 +7594,7 @@ echo $ac_n "checking if we need to convert IPv4 in IPv6-mapped addresses""... $ac_c" 1>&6 -echo "configure:6518: checking if we need to convert IPv4 in IPv6-mapped addresses" >&5 +echo "configure:7598: checking if we need to convert IPv4 in IPv6-mapped addresses" >&5 IPV4_IN6_HACK_MSG="no" # Check whether --with-4in6 or --without-4in6 was given. if test "${with_4in6+set}" = set; then @@ -6548,8 +7628,25 @@ fi +# Whether to enable BSD auth support +# Check whether --with-bsd-auth or --without-bsd-auth was given. +if test "${with_bsd_auth+set}" = set; then + withval="$with_bsd_auth" + + if test "x$withval" != "xno" ; then + cat >> confdefs.h <<\EOF +#define BSD_AUTH 1 +EOF + + bsd_auth=yes + fi + + +fi + + echo $ac_n "checking whether to install ssh as suid root""... $ac_c" 1>&6 -echo "configure:6553: checking whether to install ssh as suid root" >&5 +echo "configure:7650: checking whether to install ssh as suid root" >&5 # Check whether --enable-suid-ssh or --disable-suid-ssh was given. if test "${enable_suid_ssh+set}" = set; then enableval="$enable_suid_ssh" @@ -6594,7 +7691,7 @@ fi cat >> confdefs.h <> confdefs.h <<\EOF +#define DISABLE_LASTLOG 1 +EOF + + else + conf_lastlog_location=$withval + fi + + fi echo $ac_n "checking if your system defines LASTLOG_FILE""... $ac_c" 1>&6 -echo "configure:6692: checking if your system defines LASTLOG_FILE" >&5 +echo "configure:7799: checking if your system defines LASTLOG_FILE" >&5 cat > conftest.$ac_ext < @@ -6706,7 +7813,7 @@ char *lastlog = LASTLOG_FILE; ; return 0; } EOF -if { (eval echo configure:6710: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:7817: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else 
@@ -6716,9 +7823,9 @@ echo "$ac_t""no" 1>&6 echo $ac_n "checking if your system defines _PATH_LASTLOG""... $ac_c" 1>&6 -echo "configure:6720: checking if your system defines _PATH_LASTLOG" >&5 +echo "configure:7827: checking if your system defines _PATH_LASTLOG" >&5 cat > conftest.$ac_ext < @@ -6734,7 +7841,7 @@ char *lastlog = _PATH_LASTLOG; ; return 0; } EOF -if { (eval echo configure:6738: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:7845: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -6773,9 +7880,9 @@ fi echo $ac_n "checking if your system defines UTMP_FILE""... $ac_c" 1>&6 -echo "configure:6777: checking if your system defines UTMP_FILE" >&5 +echo "configure:7884: checking if your system defines UTMP_FILE" >&5 cat > conftest.$ac_ext < @@ -6788,7 +7895,7 @@ char *utmp = UTMP_FILE; ; return 0; } EOF -if { (eval echo configure:6792: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:7899: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -6823,9 +7930,9 @@ fi echo $ac_n "checking if your system defines WTMP_FILE""... $ac_c" 1>&6 -echo "configure:6827: checking if your system defines WTMP_FILE" >&5 +echo "configure:7934: checking if your system defines WTMP_FILE" >&5 cat > conftest.$ac_ext < @@ -6838,7 +7945,7 @@ char *wtmp = WTMP_FILE; ; return 0; } EOF -if { (eval echo configure:6842: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:7949: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -6874,9 +7981,9 @@ echo $ac_n "checking if your system defines UTMPX_FILE""... $ac_c" 1>&6 -echo "configure:6878: checking if your system defines UTMPX_FILE" >&5 +echo "configure:7985: checking if your system defines UTMPX_FILE" >&5 cat > conftest.$ac_ext < 
@@ -6892,7 +7999,7 @@ char *utmpx = UTMPX_FILE; ; return 0; } EOF -if { (eval echo configure:6896: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:8003: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -6919,9 +8026,9 @@ fi echo $ac_n "checking if your system defines WTMPX_FILE""... $ac_c" 1>&6 -echo "configure:6923: checking if your system defines WTMPX_FILE" >&5 +echo "configure:8030: checking if your system defines WTMPX_FILE" >&5 cat > conftest.$ac_ext < @@ -6937,7 +8044,7 @@ char *wtmpx = WTMPX_FILE; ; return 0; } EOF -if { (eval echo configure:6941: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:8048: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -6989,12 +8096,12 @@ fi echo $ac_n "checking for Cygwin environment""... $ac_c" 1>&6 -echo "configure:6993: checking for Cygwin environment" >&5 +echo "configure:8100: checking for Cygwin environment" >&5 if eval "test \"`echo '$''{'ac_cv_cygwin'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:8116: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_cygwin=yes else @@ -7022,19 +8129,19 @@ CYGWIN= test "$ac_cv_cygwin" = yes && CYGWIN=yes echo $ac_n "checking for mingw32 environment""... $ac_c" 1>&6 -echo "configure:7026: checking for mingw32 environment" >&5 +echo "configure:8133: checking for mingw32 environment" >&5 if eval "test \"`echo '$''{'ac_cv_mingw32'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:8145: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_mingw32=yes else 
@@ -7053,7 +8160,7 @@ echo $ac_n "checking for executable suffix""... $ac_c" 1>&6 -echo "configure:7057: checking for executable suffix" >&5 +echo "configure:8164: checking for executable suffix" >&5 if eval "test \"`echo '$''{'ac_cv_exeext'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7063,7 +8170,7 @@ rm -f conftest* echo 'int main () { return 0; }' > conftest.$ac_ext ac_cv_exeext= - if { (eval echo configure:7067: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; }; then + if { (eval echo configure:8174: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; }; then for file in conftest.*; do case $file in *.c | *.o | *.obj) ;; @@ -7185,7 +8292,7 @@ ac_given_srcdir=$srcdir ac_given_INSTALL="$INSTALL" -trap 'rm -fr `echo "Makefile ssh_prng_cmds config.h" | sed "s/:[^ ]*//g"` conftest*; exit 1' 1 2 15 +trap 'rm -fr `echo "Makefile openbsd-compat/Makefile ssh_prng_cmds config.h" | sed "s/:[^ ]*//g"` conftest*; exit 1' 1 2 15 EOF cat >> $CONFIG_STATUS <> $CONFIG_STATUS <> $CONFIG_STATUS <<\EOF for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then @@ -7488,7 +8598,7 @@ RAND_MSG="Device ($RANDOM_POOL)" else if test ! -z "$EGD_SOCKET" ; then - RAND_MSG="EGD ($EGD_SOCKET)" + RAND_MSG="EGD/PRNGD ($EGD_SOCKET)" else RAND_MSG="Builtin (timeout $entropy_timeout)" BUILTIN_RNG=1 @@ -7507,7 +8617,6 @@ echo "" echo "OpenSSH configured has been configured with the following options." echo " User binaries: $B" -echo " User binaries: $B" echo " System binaries: $C" echo " Configuration files: $D" echo " Askpass program: $E" 
@@ -7525,19 +8634,38 @@ echo " Use IPv4 by default hack: $IPV4_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" +if test ! -z "$bsd_auth"; then + echo " BSD Auth support: yes" +fi + echo "" -echo " Host: ${host}" -echo " Compiler: ${CC}" -echo " Compiler flags: ${CFLAGS}" -echo " Linker flags: ${LDFLAGS}" -echo " Libraries: ${LIBS}" +echo " Host: ${host}" +echo " Compiler: ${CC}" +echo " Compiler flags: ${CFLAGS}" +echo "Preprocessor flags: ${CPPFLAGS}" +echo " Linker flags: ${LDFLAGS}" +echo " Libraries: ${LIBS}" echo "" +if test "x$PAM_MSG" = "xyes" ; then + echo "PAM is enabled. You may need to install a PAM control file for sshd," + echo "otherwise password authentication may fail. Example PAM control files" + echo "can be found in the contrib/ subdirectory" + echo "" +fi + if test ! -z "$BUILTIN_RNG" ; then echo "WARNING: you are using the builtin random number collection service." echo "Please read WARNING.RNG and request that your OS vendor includes" echo "/dev/random in future versions of their OS." echo "" fi + +if test ! -z "$NO_SFTP"; then + echo "sftp-server will be disabled. Your compiler does not support" + echo "64bit integers." + echo "" +fi + diff -ru openssh-2.3.0p1/configure.in openssh-2.5.1p1/configure.in --- openssh-2.3.0p1/configure.in 2000-11-05 20:08:45.000000000 +1100 +++ openssh-2.5.1p1/configure.in 2001-02-19 12:56:39.000000000 +1100 @@ -1,3 +1,5 @@ +# $Id: configure.in,v 1.248 2001/02/19 01:56:39 djm Exp $ + AC_INIT(ssh.c) AC_CONFIG_HEADER(config.h) 
@@ -8,12 +10,19 @@ AC_PROG_CPP AC_PROG_RANLIB AC_PROG_INSTALL -AC_CHECK_PROG(AR, ar, ar) +AC_PATH_PROG(AR, ar) AC_PATH_PROG(PERL, perl) AC_SUBST(PERL) AC_PATH_PROG(ENT, ent) AC_SUBST(ENT) AC_PATH_PROGS(FILEPRIV, filepriv, true, /sbin:/usr/sbin) +AC_PATH_PROG(TEST_MINUS_S_SH, bash) +AC_PATH_PROG(TEST_MINUS_S_SH, ksh) +AC_PATH_PROG(TEST_MINUS_S_SH, sh) + +if test -z "$AR" ; then + AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***]) +fi # Use LOGIN_PROGRAM from environment if possible if test ! -z "$LOGIN_PROGRAM" ; then @@ -37,13 +46,11 @@ CFLAGS="$CFLAGS -Wall" fi -CFLAGS="$CFLAGS -I. -I${srcdir-.}" - # Check for some target-specific stuff case "$host" in *-*-aix*) AFS_LIBS="-lld" - CFLAGS="$CFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" if (test "$LD" != "gcc" && test -z "$blibpath"); then blibpath="/usr/lib:/lib:/usr/local/lib" @@ -60,20 +67,21 @@ *-*-cygwin*) LIBS="$LIBS -lregex /usr/lib/textmode.o" AC_DEFINE(HAVE_CYGWIN) - AC_DEFINE(DISABLE_PAM) AC_DEFINE(DISABLE_SHADOW) AC_DEFINE(IPV4_DEFAULT) AC_DEFINE(IP_TOS_IS_BROKEN) AC_DEFINE(BROKEN_VHANGUP) - no_pam=1 no_libsocket=1 no_libnsl=1 ;; +*-*-dgux*) + AC_DEFINE(IP_TOS_IS_BROKEN) + ;; *-*-hpux10*) if test -z "$GCC"; then CFLAGS="$CFLAGS -Ae" fi - CFLAGS="$CFLAGS -D_HPUX_SOURCE" + CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE" IPADDR_IN_DISPLAY=yes AC_DEFINE(USE_PIPES) AC_DEFINE(DISABLE_SHADOW) @@ -84,8 +92,9 @@ mansubdir=cat ;; *-*-hpux11*) - CFLAGS="$CFLAGS -D_HPUX_SOURCE" + CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE" IPADDR_IN_DISPLAY=yes + AC_DEFINE(PAM_SUN_CODEBASE) AC_DEFINE(USE_PIPES) AC_DEFINE(DISABLE_SHADOW) AC_DEFINE(DISABLE_UTMP) @@ -95,7 +104,7 @@ mansubdir=cat ;; *-*-irix5*) - CFLAGS="$CFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS" PATH="$PATH:/usr/etc" MANTYPE='$(CATMAN)' 
@@ -104,19 +113,22 @@ AC_DEFINE(BROKEN_INET_NTOA) ;; *-*-irix6*) - CFLAGS="$CFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS" PATH="$PATH:/usr/etc" MANTYPE='$(CATMAN)' AC_DEFINE(WITH_IRIX_ARRAY) AC_DEFINE(WITH_IRIX_PROJECT) AC_DEFINE(WITH_IRIX_AUDIT) + AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS)]) no_libsocket=1 no_libnsl=1 AC_DEFINE(BROKEN_INET_NTOA) + mansubdir=man ;; *-*-linux*) no_dev_ptmx=1 + check_for_libcrypt_later=1 AC_DEFINE(DONT_TRY_OTHER_AF) AC_DEFINE(PAM_TTY_KLUDGE) inet6_default_4in6=yes @@ -125,7 +137,7 @@ AC_DEFINE(HAVE_NEWS4) SONY=1 AC_CHECK_LIB(iberty, xatexit, AC_DEFINE(HAVE_XATEXIT), - AC_MSG_ERROR([*** libiberty missing - please install first ***]) + AC_MSG_ERROR([*** libiberty missing - please install first or check config.log ***]) ) ;; *-*-netbsd*) @@ -139,12 +151,14 @@ AC_DEFINE(HAVE_NEXT) AC_DEFINE(BROKEN_REALPATH) AC_DEFINE(USE_PIPES) - CFLAGS="$CFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -I/usr/local/include" + CFLAGS="$CFLAGS" ;; *-*-solaris*) - CFLAGS="$CFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib -L/usr/ucblib -R/usr/ucblib" need_dash_r=1 + AC_DEFINE(PAM_SUN_CODEBASE) # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/var/adm/lastlog" AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x) @@ -158,8 +172,10 @@ fi ;; *-*-sunos4*) - CFLAGS="$CFLAGS -DSUNOS4" + CPPFLAGS="$CPPFLAGS -DSUNOS4" AC_CHECK_FUNCS(getpwanam) + AC_DEFINE(PAM_SUN_CODEBASE) + AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H) conf_utmp_location=/etc/utmp conf_wtmp_location=/var/adm/wtmp conf_lastlog_location=/var/adm/lastlog 
@@ -167,62 +183,77 @@ MANTYPE='$(CATMAN)' mansubdir=cat ;; +*-ncr-sysv*) + CPPFLAGS="$CPPFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib" + MANTYPE='$(CATMAN)' + mansubdir=cat + LIBS="$LIBS -lc89 -lnsl -lgen -lsocket" + ;; *-sni-sysv*) - CFLAGS="$CFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib -L/usr/ucblib" MANTYPE='$(CATMAN)' + IPADDR_IN_DISPLAY=yes + AC_DEFINE(USE_PIPES) AC_DEFINE(IP_TOS_IS_BROKEN) mansubdir=cat LIBS="$LIBS -lgen -lnsl -lucb" ;; *-*-sysv4.2*) - CFLAGS="$CFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" MANTYPE='$(CATMAN)' mansubdir=cat - LIBS="$LIBS -lgen -lsocket -lnsl -lresolv" enable_suid_ssh=no + AC_DEFINE(USE_PIPES) ;; *-*-sysv5*) - CFLAGS="$CFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" MANTYPE='$(CATMAN)' mansubdir=cat - LIBS="$LIBS -lgen -lsocket" enable_suid_ssh=no + AC_DEFINE(USE_PIPES) ;; *-*-sysv*) - CFLAGS="$CFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" MANTYPE='$(CATMAN)' mansubdir=cat LIBS="$LIBS -lgen -lsocket" ;; *-*-sco3.2v4*) - AC_DEFINE(USE_PIPES) - CFLAGS="$CFLAGS -Dftruncate=chsize -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -Dftruncate=chsize -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" MANTYPE='$(CATMAN)' + LIBS="$LIBS -lgen -lsocket -los -lprot -lx -ltinfo -lm" mansubdir=cat - LIBS="$LIBS -lgen -lsocket -los -lprot -lx" - no_dev_ptmx=1 + rsh_path="/usr/bin/rcmd" RANLIB=true + no_dev_ptmx=1 AC_DEFINE(BROKEN_SYS_TERMIO_H) - rsh_path="/usr/bin/rcmd" + AC_DEFINE(USE_PIPES) AC_DEFINE(HAVE_SCO_PROTECTED_PW) + AC_DEFINE(DISABLE_SHADOW) + AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H) + AC_CHECK_FUNCS(getluid setluid) ;; *-*-sco3.2v5*) - CFLAGS="$CFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" + LIBS="$LIBS 
-lprot -lx -ltinfo -lm" MANTYPE='$(CATMAN)' mansubdir=cat - LIBS="$LIBS -lgen -lsocket -lprot -lx" no_dev_ptmx=1 rsh_path="/usr/bin/rcmd" + AC_DEFINE(USE_PIPES) AC_DEFINE(HAVE_SCO_PROTECTED_PW) + AC_DEFINE(DISABLE_SHADOW) + AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H) + AC_CHECK_FUNCS(getluid setluid) ;; *-dec-osf*) -# This is untested if test ! -z "USE_SIA" ; then AC_MSG_CHECKING(for Digital Unix Security Integration Architecture) if test -f /etc/sia/matrix.conf; then @@ -246,8 +277,16 @@ fi ] ) +AC_ARG_WITH(cppflags, + [ --with-cppflags Specify additional flags to pass to preprocessor] , + [ + if test "x$withval" != "xno"; then + CPPFLAGS="$CPPFLAGS $withval" + fi + ] +) AC_ARG_WITH(ldflags, - [ --with-ldlags Specify additional flags to pass to linker], + [ --with-ldflags Specify additional flags to pass to linker], [ if test "x$withval" != "xno" ; then LDFLAGS="$LDFLAGS $withval" 
@@ -263,40 +302,196 @@ ] ) - -# Checks for libraries. -AC_CHECK_LIB(z, deflate, ,AC_MSG_ERROR([*** zlib missing - please install first ***])) -AC_CHECK_LIB(util, login, AC_DEFINE(HAVE_LIBUTIL_LOGIN) LIBS="$LIBS -lutil") - -AC_CHECK_FUNC(regcomp, - [], +AC_ARG_WITH(pcre, + [ --with-pcre Override built in regex library with pcre], [ + AC_CHECK_LIB(pcre, pcre_info, - AC_DEFINE(HAVE_LIBPCRE) LIBS="$LIBS -lpcreposix -lpcre") - ] + [ + AC_DEFINE(HAVE_LIBPCRE) + LIBS="$LIBS -lpcreposix -lpcre" + no_comp_check="yes" + ], + [ AC_MSG_ERROR([*** Can not locate pcre libraries.]) ] + ) + ] ) -if test -z "$no_libsocket" ; then +# Checks for libraries. +if test -z "$no_libnsl" ; then AC_CHECK_LIB(nsl, yp_match, , ) fi -if test -z "$no_libnsl" ; then +if test -z "$no_libsocket" ; then AC_CHECK_LIB(socket, main, , ) fi +dnl SCO OS3 needs this for libwrap +AC_CHECK_LIB(rpc, innetgr, LIBS="-lrpc -lyp -lrpc $LIBS" , , -lyp -lrpc) + +AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen") +AC_CHECK_LIB(z, deflate, ,AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])) +AC_CHECK_LIB(util, login, AC_DEFINE(HAVE_LIBUTIL_LOGIN) LIBS="$LIBS -lutil") + +# We don't want to check if we did an pcre override. +if test -z "$no_comp_check" ; then + AC_CHECK_FUNC(regcomp, + [ AC_DEFINE(HAVE_REGCOMP)], + [ + AC_CHECK_LIB(pcre, pcre_info, + [ + AC_DEFINE(HAVE_LIBPCRE) + LIBS="$LIBS -lpcreposix -lpcre" + ], + [ + AC_MSG_ERROR([*** No regex library found.]) + ]) + ] + ) +fi + +dnl UnixWare 2.x +AC_CHECK_FUNC(strcasecmp, + [], [ AC_CHECK_LIB(resolv, strcasecmp, LIBS="$LIBS -lresolv") ] +) +AC_CHECK_FUNC(utimes, + [], [ AC_CHECK_LIB(c89, utimes, LIBS="$LIBS -lc89") ] +) + # Checks for header files. 
-AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h getopt.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utmp.h utmpx.h vis.h) +AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h getopt.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h regex.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/queue.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h) + +# Check whether user wants Kerberos support +KRB4_MSG="no" +AC_ARG_WITH(kerberos4, + [ --with-kerberos4=PATH Enable Kerberos 4 support], + [ + if test "x$withval" != "xno" ; then + + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R${withval}/lib" + fi + if test ! 
-z "$blibpath" ; then + blibpath="$blibpath:${withval}/lib" + fi + else + if test -d /usr/include/kerberosIV ; then + CPPFLAGS="$CPPFLAGS -I/usr/include/kerberosIV" + fi + fi + + AC_CHECK_HEADERS(krb.h) + AC_CHECK_LIB(krb, main) + if test "$ac_cv_header_krb_h" != yes; then + AC_MSG_WARN([Cannot find krb.h, build may fail]) + fi + if test "$ac_cv_lib_krb_main" != yes; then + AC_MSG_WARN([Cannot find libkrb, build may fail]) + fi + + KLIBS="-lkrb -ldes" + AC_CHECK_LIB(resolv, dn_expand, , ) + KRB4=yes + KRB4_MSG="yes" + AC_DEFINE(KRB4) + fi + ] +) + +# Check whether user wants AFS support +AFS_MSG="no" +AC_ARG_WITH(afs, + [ --with-afs=PATH Enable AFS support], + [ + if test "x$withval" != "xno" ; then + + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + fi + + if test -z "$KRB4" ; then + AC_MSG_WARN([AFS requires Kerberos IV support, build may fail]) + fi + + LIBS="$LIBS -lkafs" + if test ! -z "$AFS_LIBS" ; then + LIBS="$LIBS $AFS_LIBS" + fi + AC_DEFINE(AFS) + AFS_MSG="yes" + fi + ] +) +LIBS="$LIBS $KLIBS" + +# Check whether user wants S/Key support +SKEY_MSG="no" +AC_ARG_WITH(skey, + [ --with-skey=PATH Enable S/Key support], + [ + if test "x$withval" != "xno" ; then + + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + fi + + AC_DEFINE(SKEY) + LIBS="-lskey $LIBS" + SKEY_MSG="yes" + + AC_CHECK_FUNC(skey_keyinfo, + [], + [ + AC_MSG_ERROR([** Incomplete or missing s/key libraries.]) + ]) + fi + ] +) + +# Check whether user wants TCP wrappers support +TCPW_MSG="no" +AC_ARG_WITH(tcp-wrappers, + [ --with-tcp-wrappers Enable tcpwrappers support], + [ + if test "x$withval" != "xno" ; then + saved_LIBS="$LIBS" + LIBS="-lwrap $LIBS" + AC_MSG_CHECKING(for libwrap) + AC_TRY_LINK( + [ +#include + int deny_severity = 0, allow_severity = 0; + ], + [hosts_access(0);], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(LIBWRAP) + TCPW_MSG="yes" + ], + [ + 
AC_MSG_ERROR([*** libwrap missing]) + ] + ) + fi + ] +) dnl Checks for library functions. -AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getnameinfo getrusage getttyent inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strsep strtok_r vsnprintf vhangup vis waitpid _getpty __b64_ntop) +AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_sa clock fchown fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getgrouplist getnameinfo getrlimit getrusage getttyent inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strmode strsep strtok_r sysconf tcgetpgrp utimes vsnprintf vhangup vis waitpid _getpty __b64_ntop) dnl Checks for time functions AC_CHECK_FUNCS(gettimeofday time) dnl Checks for libutil functions +AC_CHECK_HEADERS(libutil.h) AC_CHECK_FUNCS(login logout updwtmp logwtmp) dnl Checks for utmp functions -AC_CHECK_FUNCS(entutent getutent getutid getutline pututline setutent) +AC_CHECK_FUNCS(endutent getutent getutid getutline pututline setutent) AC_CHECK_FUNCS(utmpname) dnl Checks for utmpx functions -AC_CHECK_FUNCS(entutxent getutxent getutxid getutxline pututxline ) +AC_CHECK_FUNCS(endutxent getutxent getutxid getutxline pututxline ) AC_CHECK_FUNCS(setutxent utmpxname) AC_CHECK_FUNC(getuserattr, 
@@ -338,27 +533,32 @@ AC_FUNC_GETPGRP +AC_FUNC_STRFTIME + +# Check for PAM libs PAM_MSG="no" AC_ARG_WITH(pam, - [ --without-pam Disable PAM support ], + [ --with-pam Enable PAM support ], [ - if test "x$withval" = "xno" ; then - no_pam=1 - AC_DEFINE(DISABLE_PAM) - PAM_MSG="disabled" - fi - ] -) -if (test -z "$no_pam" && test "x$ac_cv_header_security_pam_appl_h" = "xyes") ; then - AC_CHECK_LIB(dl, dlopen, , ) - LIBS="$LIBS -lpam" + if test "x$withval" != "xno" ; then + if test "x$ac_cv_header_security_pam_appl_h" != "xyes" ; then + AC_MSG_ERROR([PAM headers not found]) + fi - AC_CHECK_FUNCS(pam_getenvlist) + AC_CHECK_LIB(dl, dlopen, , ) + AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing])) + AC_CHECK_FUNCS(pam_getenvlist) - disable_shadow=yes + disable_shadow=yes + PAM_MSG="yes" - PAM_MSG="yes" + AC_DEFINE(USE_PAM) + fi + ] +) +# Check for older PAM +if test "x$PAM_MSG" = "xyes" ; then # Check PAM strerror arguments (old PAM) AC_MSG_CHECKING([whether pam_strerror takes only one argument]) AC_TRY_COMPILE( @@ -373,7 +573,7 @@ AC_MSG_RESULT(yes) PAM_MSG="yes (old library)" ] - ) + ) fi # The big search for OpenSSL 
@@ -388,25 +588,43 @@ saved_LIBS="$LIBS" saved_LDFLAGS="$LDFLAGS" -saved_CFLAGS="$CFLAGS" +saved_CPPFLAGS="$CPPFLAGS" if test "x$prefix" != "xNONE" ; then tryssldir="$tryssldir $prefix" fi AC_CACHE_CHECK([for OpenSSL directory], ac_cv_openssldir, [ - for ssldir in $tryssldir "" /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do - if test ! -z "$ssldir" ; then - LDFLAGS="$saved_LDFLAGS -L$ssldir/lib -L$ssldir" - CFLAGS="$saved_CFLAGS -I$ssldir/include" - if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R$ssldir/lib -R$ssldir" + CPPFLAGS="$saved_CPPFLAGS" + LDFLAGS="$saved_LDFLAGS" + LIBS="$saved_LIBS -lcrypto" + + # Skip directories if they don't exist + if test ! -z "$ssldir" -a ! -d "$ssldir" ; then + continue; + fi + if test ! -z "$ssldir" -a "x$ssldir" != "x/usr"; then + # Try to use $ssldir/lib if it exists, otherwise + # $ssldir + if test -d "$ssldir/lib" ; then + LDFLAGS="$LDFLAGS -L$ssldir/lib" + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R$ssldir/lib" + fi + else + LDFLAGS="$LDFLAGS -L$ssldir" + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R$ssldir" + fi + fi + # Try to use $ssldir/include if it exists, otherwise + # $ssldir + if test -d "$ssldir/include" ; then + CPPFLAGS="$CPPFLAGS -I$ssldir/include" + else + CPPFLAGS="$CPPFLAGS -I$ssldir" fi - else - LDFLAGS="$saved_LDFLAGS" fi - LIBS="$saved_LIBS -lcrypto" - # Basic test to check for compatible version and correct linking # *does not* test for RSA - that comes later. AC_TRY_RUN( @@ -433,7 +651,7 @@ done if test -z "$found_crypto" ; then - AC_MSG_ERROR([Could not find working SSLeay / OpenSSL libraries, please install]) + AC_MSG_ERROR([Could not find working OpenSSL library, please install or check config.log]) fi if test -z "$ssldir" ; then ssldir="(system)" 
@@ -446,13 +664,27 @@ AC_DEFINE(HAVE_OPENSSL) dnl Need to recover ssldir - test above runs in subshell ssldir=$ac_cv_openssldir - CFLAGS="$saved_CFLAGS -I$ssldir/include" - LDFLAGS="$saved_LDFLAGS -L$ssldir/lib -L$ssldir" - if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R$ssldir/lib -R$ssldir" - fi - if test ! -z "$blibpath" ; then - blibpath="$blibpath:$ssldir:$ssldir/lib" + if test ! -z "$ssldir" -a "x$ssldir" != "x/usr"; then + # Try to use $ssldir/lib if it exists, otherwise + # $ssldir + if test -d "$ssldir/lib" ; then + LDFLAGS="$LDFLAGS -L$ssldir/lib" + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R$ssldir/lib" + fi + else + LDFLAGS="$LDFLAGS -L$ssldir" + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R$ssldir" + fi + fi + # Try to use $ssldir/include if it exists, otherwise + # $ssldir + if test -d "$ssldir/include" ; then + CPPFLAGS="$CPPFLAGS -I$ssldir/include" + else + CPPFLAGS="$CPPFLAGS -I$ssldir" + fi fi fi LIBS="$saved_LIBS -lcrypto" @@ -507,6 +739,12 @@ fi fi +# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the +# version in OpenSSL. Skip this for PAM +if test "x$PAM_MSG" = "xno" -a "x$check_for_libcrypt_later" = "x1"; then + AC_CHECK_LIB(crypt, crypt, , ) +fi + # Cheap hack to ensure NEWS-OS libraries are arranged right. if test ! -z "$SONY" ; then LIBS="$LIBS -liberty"; @@ -666,6 +904,20 @@ AC_DEFINE(HAVE_SSIZE_T) fi +AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [ + AC_TRY_COMPILE( + [ +#include + ], + [ clock_t foo; foo = 1235; ], + [ ac_cv_have_clock_t="yes" ], + [ ac_cv_have_clock_t="no" ] + ) +]) +if test "x$ac_cv_have_clock_t" = "xyes" ; then + AC_DEFINE(HAVE_CLOCK_T) +fi + AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [ AC_TRY_COMPILE( [ 
@@ -781,6 +1033,28 @@ AC_DEFINE(HAVE_STRUCT_ADDRINFO) fi +AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [ + AC_TRY_COMPILE( + [ #include ], + [ struct timeval tv; tv.tv_sec = 1;], + [ ac_cv_have_struct_timeval="yes" ], + [ ac_cv_have_struct_timeval="no" ] + ) +]) +if test "x$ac_cv_have_struct_timeval" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_TIMEVAL) + have_struct_timeval=1 +fi + +# If we don't have int64_t then we can't compile sftp-server. So don't +# even attempt to do it. +if test "x$ac_cv_have_int64_t" = "xno" -a \ + "x$ac_cv_sizeof_long_int" != "x8" -a \ + "x$ac_cv_sizeof_long_long_int" = "x0" ; then + NO_SFTP='#' +fi +AC_SUBST(NO_SFTP) + dnl Checks for structure members OSSH_CHECK_HEADER_FOR_FIELD(ut_host, utmp.h, HAVE_HOST_IN_UTMP) OSSH_CHECK_HEADER_FOR_FIELD(ut_host, utmpx.h, HAVE_HOST_IN_UTMPX) @@ -929,8 +1203,13 @@ ] ) -if test ! -z "$xauth_path" ; then +if test -z "$xauth_path" ; then + XAUTH_PATH="undefined" + AC_SUBST(XAUTH_PATH) +else AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path") + XAUTH_PATH=$xauth_path + AC_SUBST(XAUTH_PATH) fi if test ! -z "$rsh_path" ; then AC_DEFINE_UNQUOTED(RSH_PATH, "$rsh_path") @@ -961,7 +1240,7 @@ # Check for user-specified random device, otherwise check /dev/urandom AC_ARG_WITH(random, - [ --with-random=FILE read randomness from FILE (default=/dev/urandom)], + [ --with-random=FILE read entropy from FILE (default=/dev/urandom)], [ if test "x$withval" != "xno" ; then RANDOM_POOL="$withval"; 
@@ -982,15 +1261,35 @@ # Check for EGD pool file AC_ARG_WITH(egd-pool, - [ --with-egd-pool=FILE read randomness from EGD pool FILE (default none)], + [ --with-egd-pool=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)], [ if test "x$withval" != "xno" ; then EGD_SOCKET="$withval"; AC_DEFINE_UNQUOTED(EGD_SOCKET, "$EGD_SOCKET") fi + ], + [ + # Check for existing socket only if we don't have a random device already + if test -z "$RANDOM_POOL" ; then + AC_MSG_CHECKING(for PRNGD/EGD socket) + # Insert other locations here + for egdsock in /var/run/egd-pool /etc/entropy /tmp/entropy ; do + if test -r $egdsock && $TEST_MINUS_S_SH -c "test -S $egdsock -o -p $egdsock" ; then + EGD_SOCKET="$egdsock" + AC_DEFINE_UNQUOTED(EGD_SOCKET, "$EGD_SOCKET") + break; + fi + done + if test -x "$EGD_SOCKET" ; then + AC_MSG_RESULT($EGD_SOCKET) + else + AC_MSG_RESULT(not found) + fi + fi ] ) + # detect pathnames for entropy gathering commands, if we need them INSTALL_SSH_PRNG_CMDS="" rm -f prng_commands @@ -1010,7 +1309,6 @@ OSSH_PATH_ENTROPY_PROG(PROG_UPTIME, uptime) OSSH_PATH_ENTROPY_PROG(PROG_IPCS, ipcs) OSSH_PATH_ENTROPY_PROG(PROG_TAIL, tail) - OSSH_PATH_ENTROPY_PROG(PROG_LS, ls) INSTALL_SSH_PRNG_CMDS="yes" fi 
@@ -1036,114 +1334,6 @@ AC_SUBST(MANTYPE) AC_SUBST(mansubdir) -# Check whether user wants Kerberos support -KRB4_MSG="no" -AC_ARG_WITH(kerberos4, - [ --with-kerberos4=PATH Enable Kerberos 4 support], - [ - if test "x$withval" != "xno" ; then - - if test "x$withval" != "xyes" ; then - CFLAGS="$CFLAGS -I${withval}/include" - LDFLAGS="$LDFLAGS -L${withval}/lib" - if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R${withval}/lib" - fi - if test ! -z "$blibpath" ; then - blibpath="$blibpath:${withval}/lib" - fi - else - if test -d /usr/include/kerberosIV ; then - CFLAGS="$CFLAGS -I/usr/include/kerberosIV" - fi - fi - - AC_CHECK_HEADERS(krb.h) - AC_CHECK_LIB(krb, main) - if test "$ac_cv_header_krb_h" != yes; then - AC_MSG_WARN([Cannot find krb.h, build may fail]) - fi - if test "$ac_cv_lib_krb_main" != yes; then - AC_MSG_WARN([Cannot find libkrb, build may fail]) - fi - - KLIBS="-lkrb -ldes" - AC_CHECK_LIB(resolv, dn_expand, , ) - KRB4=yes - KRB4_MSG="yes" - AC_DEFINE(KRB4) - fi - ] -) - -# Check whether user wants AFS support -AFS_MSG="no" -AC_ARG_WITH(afs, - [ --with-afs=PATH Enable AFS support], - [ - if test "x$withval" != "xno" ; then - - if test "x$withval" != "xyes" ; then - CFLAGS="$CFLAGS -I${withval}/include" - LFLAGS="$LFLAGS -L${withval}/lib" - fi - - if test -z "$KRB4" ; then - AC_MSG_WARN([AFS requires Kerberos IV support, build may fail]) - fi - - LIBS="$LIBS -lkafs" - if test ! 
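Review bot: the @@ -1036,114 +1334,6 @@ hunk deletes the --with-kerberos4, --with-afs, --with-skey and --with-tcp-wrappers handling outright, but nothing visible in this patch adds it back, while the Red Hat and SuSE spec files later in the same patch still pass --with-tcp-wrappers to configure. Confirm these options were relocated earlier in configure.in (so the libwrap link test and its `AC_MSG_ERROR([*** libwrap missing])` survive) rather than dropped; a silent drop would turn a build that used to fail on a missing libwrap into one that quietly builds without TCP wrappers while the packager believes it is enabled.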
-z "$AFS_LIBS" ; then - LIBS="$LIBS $AFS_LIBS" - fi - AC_DEFINE(AFS) - AFS_MSG="yes" - fi - ] -) -LIBS="$LIBS $KLIBS" - -# Check whether user wants S/Key support -SKEY_MSG="no" -AC_ARG_WITH(skey, - [ --with-skey Enable S/Key support], - [ - if test "x$withval" != "xno" ; then - AC_DEFINE(SKEY) - LIBS="$LIBS -lskey" - SKEY_MSG="yes" - fi - ] -) - -# Check whether user wants TCP wrappers support -TCPW_MSG="no" -AC_ARG_WITH(tcp-wrappers, - [ --with-tcp-wrappers Enable tcpwrappers support], - [ - if test "x$withval" != "xno" ; then - saved_LIBS="$LIBS" - LIBS="$LIBS -lwrap" - AC_MSG_CHECKING(for libwrap) - AC_TRY_LINK( - [ -#include - int deny_severity = 0, allow_severity = 0; - ], - [hosts_access(0);], - [ - AC_MSG_RESULT(yes) - AC_DEFINE(LIBWRAP) - TCPW_MSG="yes" - ], - [ - AC_MSG_ERROR([*** libwrap missing]) - ] - ) - fi - ] -) - # Check whether to enable MD5 passwords MD5_MSG="no" AC_ARG_WITH(md5-passwords, @@ -1250,6 +1440,17 @@ ] ) +# Whether to enable BSD auth support +AC_ARG_WITH(bsd-auth, + [ --with-bsd-auth Enable BSD auth support], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(BSD_AUTH) + bsd_auth=yes + fi + ] +) + AC_MSG_CHECKING(whether to install ssh as suid root) AC_ARG_ENABLE(suid-ssh, [ --enable-suid-ssh Install ssh as suid root (default) @@ -1288,7 +1489,7 @@ esac fi -AC_DEFINE_UNQUOTED(PIDDIR, "$piddir") +AC_DEFINE_UNQUOTED(_PATH_SSH_PIDDIR, "$piddir") AC_SUBST(piddir) dnl allow user to disable some login recording features @@ -1326,7 +1527,14 @@ ) AC_ARG_WITH(lastlog, [ --with-lastlog=FILE|DIR specify lastlog location [common locations]], - [ conf_lastlog_location="$withval"; ],) + [ + if test "x$withval" = "xno" ; then + AC_DEFINE(DISABLE_LASTLOG) + else + conf_lastlog_location=$withval + fi + ] +) dnl lastlog, [uw]tmpx? detection dnl NOTE: set the paths in the platform section to avoid the @@ -1522,7 +1730,7 @@ AC_EXEEXT -AC_OUTPUT(Makefile ssh_prng_cmds) +AC_OUTPUT(Makefile openbsd-compat/Makefile ssh_prng_cmds) # Print summary of options 
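Review bot: in the @@ -1326,7 +1527,14 @@ hunk `--with-lastlog=no` now sets DISABLE_LASTLOG, but the help string still reads `--with-lastlog=FILE|DIR specify lastlog location [common locations]`; document the `no` value there, since it changes what gets recorded at login and an admin reading `configure --help` has no way to discover it.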
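Review bot: `--with-bsd-auth` in the @@ -1250,6 +1440,17 @@ hunk does `AC_DEFINE(BSD_AUTH)` without checking for bsd_auth.h or the auth_* functions, unlike the other feature switches in this file; add an AC_CHECK_HEADERS/AC_CHECK_FUNCS guard so a mistaken flag fails at configure time with a clear message rather than deep in the compile.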
@@ -1535,7 +1743,7 @@ RAND_MSG="Device ($RANDOM_POOL)" else if test ! -z "$EGD_SOCKET" ; then - RAND_MSG="EGD ($EGD_SOCKET)" + RAND_MSG="EGD/PRNGD ($EGD_SOCKET)" else RAND_MSG="Builtin (timeout $entropy_timeout)" BUILTIN_RNG=1 @@ -1554,7 +1762,6 @@ echo "" echo "OpenSSH configured has been configured with the following options." echo " User binaries: $B" -echo " User binaries: $B" echo " System binaries: $C" echo " Configuration files: $D" echo " Askpass program: $E" @@ -1572,19 +1779,38 @@ echo " Use IPv4 by default hack: $IPV4_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" +if test ! -z "$bsd_auth"; then + echo " BSD Auth support: yes" +fi + echo "" -echo " Host: ${host}" -echo " Compiler: ${CC}" -echo " Compiler flags: ${CFLAGS}" -echo " Linker flags: ${LDFLAGS}" -echo " Libraries: ${LIBS}" +echo " Host: ${host}" +echo " Compiler: ${CC}" +echo " Compiler flags: ${CFLAGS}" +echo "Preprocessor flags: ${CPPFLAGS}" +echo " Linker flags: ${LDFLAGS}" +echo " Libraries: ${LIBS}" echo "" +if test "x$PAM_MSG" = "xyes" ; then + echo "PAM is enabled. You may need to install a PAM control file for sshd," + echo "otherwise password authentication may fail. Example PAM control files" + echo "can be found in the contrib/ subdirectory" + echo "" +fi + if test ! -z "$BUILTIN_RNG" ; then echo "WARNING: you are using the builtin random number collection service." echo "Please read WARNING.RNG and request that your OS vendor includes" echo "/dev/random in future versions of their OS." echo "" fi + +if test ! -z "$NO_SFTP"; then + echo "sftp-server will be disabled. Your compiler does not support" + echo "64bit integers." + echo "" +fi + diff -ru openssh-2.3.0p1/contrib/README openssh-2.5.1p1/contrib/README --- openssh-2.3.0p1/contrib/README 2000-03-15 12:25:06.000000000 +1100 +++ openssh-2.5.1p1/contrib/README 2000-11-13 20:59:06.000000000 +1100 
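Review bot: the context line `echo "OpenSSH configured has been configured with the following options."` next to the removed duplicate `User binaries` line still reads "configured has been configured"; since the @@ -1554,7 +1762,6 @@ hunk already touches this summary block, change it to `echo "OpenSSH has been configured with the following options."` in the same change.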
@@ -1,6 +1,13 @@ Other patches and addons for OpenSSH. Please send submissions to djm@ibs.com.au +Elsewhere +--------- + +http://www.imasy.or.jp/~gotoh/connect.c is a Unix and Windows +ProxyCommand which allows OpenSSH to make connections through a SOCKS5 +or http proxy which supports the CONNECT method (eg. Squid). + In this directory ----------------- Only in openssh-2.5.1p1/contrib: caldera diff -ru openssh-2.3.0p1/contrib/cygwin/README openssh-2.5.1p1/contrib/cygwin/README --- openssh-2.3.0p1/contrib/cygwin/README 2000-10-30 06:18:49.000000000 +1100 +++ openssh-2.5.1p1/contrib/cygwin/README 2001-01-19 16:37:32.000000000 +1100 
@@ -20,18 +20,41 @@ files are in /etc now. If you are installing OpenSSH the first time, you can generate -global config files, server keys and your own user keys by running +global config files and server keys by running - /usr/bin/ssh-config + /usr/bin/ssh-host-config -If you are updating your installation you may run the above ssh-config +Note that this binary archive doesn't contain default config files in /etc. +That files are only created if ssh-host-config is started. + +If you are updating your installation you may run the above ssh-host-config as well to move your configuration files to the new location and to erase the files at the old location. -Be sure to start the new ssh-config when updating! +To support testing and unattended installation ssh-host-config got +some options: -Note that this binary archive doesn't contain default config files in /etc. -That files are only created if ssh-config is started. +usage: ssh-host-config [OPTION]... +Options: + --debug -d Enable shell's debug output. + --yes -y Answer all questions with "yes" automatically. + --no -n Answer all questions with "no" automatically. + +You can create the private and public keys for a user now by running + + /usr/bin/ssh-user-config + +under the users account. + +To support testing and unattended installation ssh-user-config got +some options as well: + +usage: ssh-user-config [OPTION]... +Options: + --debug -d Enable shell's debug output. + --yes -y Answer all questions with "yes" automatically. + --no -n Answer all questions with "no" automatically. + --passphrase -p word Use "word" as passphrase automatically. Install sshd as daemon via SRVANY.EXE (recommended on NT/W2K), via inetd (results in very slow deamon startup!) 
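Review bot: the new `--passphrase -p word` option of ssh-user-config takes the private-key passphrase as a command-line argument, which exposes it to every local user via `ps` and leaves it in the shell history; for unattended installs prefer reading it from a file with restrictive permissions or from stdin, and at least warn in this README that -p is only acceptable on single-user machines. While editing this text: "That files are only created if ssh-host-config is started" should read "Those files are only created when ssh-host-config is run", and "deamon" in the following paragraph is "daemon".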
or from the command line (recommended Only in openssh-2.3.0p1/contrib/cygwin: ssh-config Only in openssh-2.5.1p1/contrib/cygwin: ssh-host-config Only in openssh-2.5.1p1/contrib/cygwin: ssh-user-config diff -ru openssh-2.3.0p1/contrib/gnome-ssh-askpass.c openssh-2.5.1p1/contrib/gnome-ssh-askpass.c --- openssh-2.3.0p1/contrib/gnome-ssh-askpass.c 2000-06-07 20:08:19.000000000 +1000 +++ openssh-2.5.1p1/contrib/gnome-ssh-askpass.c 2001-02-16 11:18:59.000000000 +1100 
@@ -1,46 +1,35 @@ /* - Compile with: - - cc `gnome-config --cflags gnome gnomeui` \ - gnome-ssh-askpass.c -o gnome-ssh-askpass \ - `gnome-config --libs gnome gnomeui` - -*/ + * Copyright (c) 2000 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ /* -** -** GNOME ssh passphrase requestor -** -** Damien Miller -** -** Copyright 1999 Internet Business Solutions -** -** Permission is hereby granted, free of charge, to any person -** obtaining a copy of this software and associated documentation -** files (the "Software"), to deal in the Software without -** restriction, including without limitation the rights to use, copy, -** modify, merge, publish, distribute, sublicense, and/or sell copies -** of the Software, and to permit persons to whom the Software is -** furnished to do so, subject to the following conditions: -** -** The above copyright notice and this permission notice shall be -** included in all copies or substantial portions of the Software. -** -** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY -** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE -** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE -** AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER OR INTERNET -** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE -** OR OTHER DEALINGS IN THE SOFTWARE. -** -** Except as contained in this notice, the name of Internet Business -** Solutions shall not be used in advertising or otherwise to promote -** the sale, use or other dealings in this Software without prior -** written authorization from Internet Business Solutions. -** -*/ + * Compile with: + * + * cc `gnome-config --cflags gnome gnomeui` \ + * gnome-ssh-askpass.c -o gnome-ssh-askpass \ + * `gnome-config --libs gnome gnomeui` + * + */ #include #include 
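Review bot: the replaced header drops the "Copyright 1999 Internet Business Solutions" notice and its MIT-style grant in favour of a 2000 Damien Miller 2-clause BSD notice. Because the old notice named a different rights holder, the ChangeLog or commit message should record that the relicensing was agreed; otherwise a downstream packager cannot tell which terms apply to this file.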
@@ -67,20 +56,25 @@ passphrase_dialog(char *message) { char *passphrase; - int result; + char **messages; + int result, i; GtkWidget *dialog, *entry, *label; - dialog = gnome_dialog_new("OpenSSH", GNOME_STOCK_BUTTON_OK, - GNOME_STOCK_BUTTON_CANCEL, NULL); + dialog = gnome_dialog_new("OpenSSH", GNOME_STOCK_BUTTON_OK, + GNOME_STOCK_BUTTON_CANCEL, NULL); - label = gtk_label_new(message); - gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), label, FALSE, - FALSE, 0); + messages = g_strsplit(message, "\\n", 0); + if (messages) + for(i = 0; messages[i]; i++) { + label = gtk_label_new(messages[i]); + gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), + label, FALSE, FALSE, 0); + } entry = gtk_entry_new(); gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE, - FALSE, 0); + FALSE, 0); gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); gtk_widget_grab_focus(entry); @@ -90,13 +84,14 @@ gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER); gtk_window_set_policy(GTK_WINDOW(dialog), FALSE, FALSE, TRUE); gnome_dialog_close_hides(GNOME_DIALOG(dialog), TRUE); - gtk_container_set_border_width(GTK_CONTAINER(GNOME_DIALOG(dialog)->vbox), GNOME_PAD); + gtk_container_set_border_width(GTK_CONTAINER(GNOME_DIALOG(dialog)->vbox), + GNOME_PAD); gtk_widget_show_all(dialog); /* Grab focus */ XGrabServer(GDK_DISPLAY()); - if (gdk_pointer_grab(dialog->window, TRUE, 0, - NULL, NULL, GDK_CURRENT_TIME)) + if (gdk_pointer_grab(dialog->window, TRUE, 0, NULL, NULL, + GDK_CURRENT_TIME)) goto nograb; if (gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME)) goto nograbkb; diff -ru openssh-2.3.0p1/contrib/hpux/README openssh-2.5.1p1/contrib/hpux/README --- openssh-2.3.0p1/contrib/hpux/README 2000-10-19 06:41:14.000000000 +1100 +++ openssh-2.5.1p1/contrib/hpux/README 2000-12-12 11:08:12.000000000 +1100 @@ -1,5 +1,5 @@ README for OpenSSH HP-UX contrib files -Kevin Steves +Kevin Steves sshd: configuration file for sshd.rc sshd.rc: SSH startup script 
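Review bot: in the passphrase_dialog() hunk the `messages` array returned by g_strsplit() is never released; add `g_strfreev(messages);` after the labels have been packed (gtk_label_new() copies the string, so the array is not needed afterwards). Also `if (messages) for(i = 0; messages[i]; i++) {` without braces around the for is easy to misread; brace the if body.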
@@ -24,7 +24,7 @@ egd.rc: -o Verify egd.pl path in egd.rc match your local installation +o Verify egd.pl path in egd.rc matches your local installation (WHAT_PATH) o Customize egd if needed (EGD_ARGS and EGD_LOG) o Add pseudo account: @@ -41,5 +41,5 @@ # chmod 444 /etc/rc.config.d/egd # cp egd.rc /sbin/init.d # chmod 555 /sbin/init.d/egd.rc - # ln -s /sbin/init.d/sshd.rc /sbin/rc1.d/K600egd - # ln -s /sbin/init.d/sshd.rc /sbin/rc2.d/S400egd + # ln -s /sbin/init.d/egd.rc /sbin/rc1.d/K600egd + # ln -s /sbin/init.d/egd.rc /sbin/rc2.d/S400egd diff -ru openssh-2.3.0p1/contrib/redhat/openssh.spec openssh-2.5.1p1/contrib/redhat/openssh.spec --- openssh-2.3.0p1/contrib/redhat/openssh.spec 2000-11-06 13:06:43.000000000 +1100 +++ openssh-2.5.1p1/contrib/redhat/openssh.spec 2001-02-19 21:51:50.000000000 +1100 @@ -1,8 +1,8 @@ # Version of OpenSSH -%define oversion 2.3.0p1 +%define oversion 2.5.1p1 # Version of ssh-askpass -%define aversion 1.0.3 +%define aversion 1.2.0 # Do we want to disable building of x11-askpass? (1=yes 0=no) %define no_x11_askpass 0 @@ -10,6 +10,18 @@ # Do we want to disable building of gnome-askpass? (1=yes 0=no) %define no_gnome_askpass 0 +# Use Redhat 7.0 pam control file +%define redhat7 0 + +# Reserve options to override askpass settings with: +# rpm -ba|--rebuild --define 'skip_xxx 1' +%{?skip_x11_askpass:%define no_x11_askpass 1} +%{?skip_gnome_askpass:%define no_gnome_askpass 1} + +# Options for Redhat version: +# rpm -ba|--rebuild --define "rh7 1" +%{?rh7:%define redhat7 1} + Summary: OpenSSH free Secure Shell (SSH) implementation Name: openssh Version: %{oversion} 
@@ -18,7 +30,7 @@ URL: http://www.openssh.com/ Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{oversion}.tar.gz %if ! %{no_x11_askpass} -Source1: http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz +Source1: http://www.jmknoble.cx/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz %endif Copyright: BSD Group: Applications/Internet @@ -26,8 +38,10 @@ Obsoletes: ssh PreReq: openssl >= 0.9.5a Requires: openssl >= 0.9.5a +Requires: rpm >= 3.0.5 BuildPreReq: perl, openssl-devel, tcp_wrappers BuildPreReq: /bin/login, /usr/bin/rsh, /usr/include/security/pam_appl.h +BuildPreReq: rpm >= 3.0.5 %if ! %{no_gnome_askpass} BuildPreReq: gnome-libs-devel %endif @@ -112,7 +126,7 @@ up to date in terms of security and features, as well as removing all patented algorithms to separate libraries (OpenSSL). -This package contains Jim Knoble's X11 passphrase +This package contains Jim Knoble's X11 passphrase dialog. %description askpass-gnome @@ -138,13 +152,15 @@ %build +%define _sysconfdir /etc/ssh + %configure \ - --sysconfdir=%{_sysconfdir}/ssh \ --libexecdir=%{_libexecdir}/openssh \ + --with-pam \ --with-tcp-wrappers \ --with-ipv4-default \ --with-rsh=/usr/bin/rsh \ - --with-default-path=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin + --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin make @@ -166,7 +182,6 @@ %install rm -rf $RPM_BUILD_ROOT %{makeinstall} \ - sysconfdir=$RPM_BUILD_ROOT%{_sysconfdir}/ssh \ libexecdir=$RPM_BUILD_ROOT%{_libexecdir}/openssh \ DESTDIR=/ # Hack to disable key generation 
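Review bot: `%define _sysconfdir /etc/ssh` in the %build hunk overrides RPM's standard sysconfdir macro for the rest of the spec, so every later `%{_sysconfdir}` (the `%dir %{_sysconfdir}` and `%{_sysconfdir}/ssh_config` entries in %files) now silently means /etc/ssh while /etc/pam.d and /etc/rc.d/init.d stay hard-coded. Use a spec-local macro (for example a hypothetical `%{_sshconfdir}`) and keep passing `--sysconfdir` explicitly to %configure, so the standard macro retains its meaning for anyone extending the spec. The added `--with-pam` is required here because this patch also removes the automatic USE_PAM definition from defines.h; that dependency deserves a line in the ChangeLog for packagers.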
@@ -174,7 +189,11 @@ install -d $RPM_BUILD_ROOT/etc/pam.d/ install -d $RPM_BUILD_ROOT/etc/rc.d/init.d install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh +%if %{redhat7} install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd +%else +install -m644 contrib/redhat/sshd.pam-7.x $RPM_BUILD_ROOT/etc/pam.d/sshd +%endif install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd %if ! %{no_x11_askpass} @@ -205,13 +224,16 @@ %files %defattr(-,root,root) -%doc ChangeLog OVERVIEW COPYING.Ylonen README* INSTALL +%doc ChangeLog OVERVIEW README* INSTALL %doc CREDITS LICENCE %attr(0755,root,root) %{_bindir}/ssh-keygen %attr(0755,root,root) %{_bindir}/scp +%attr(0755,root,root) %{_bindir}/ssh-keyscan %attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1* +%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1* %attr(0644,root,root) %{_mandir}/man1/scp.1* -%attr(0755,root,root) %dir %{_sysconfdir}/ssh +%attr(0755,root,root) %dir %{_sysconfdir} +%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/primes %attr(0755,root,root) %dir %{_libexecdir}/openssh %files clients @@ -219,10 +241,14 @@ %attr(4755,root,root) %{_bindir}/ssh %attr(0755,root,root) %{_bindir}/ssh-agent %attr(0755,root,root) %{_bindir}/ssh-add +%attr(0755,root,root) %{_bindir}/ssh-keyscan +%attr(0755,root,root) %{_bindir}/sftp %attr(0644,root,root) %{_mandir}/man1/ssh.1* %attr(0644,root,root) %{_mandir}/man1/ssh-agent.1* %attr(0644,root,root) %{_mandir}/man1/ssh-add.1* -%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config +%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1* +%attr(0644,root,root) %{_mandir}/man1/sftp.1* +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh_config %attr(-,root,root) %{_bindir}/slogin %attr(-,root,root) %{_mandir}/man1/slogin.1* 
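Review bot: the PAM control-file selection in the @@ -174,7 +189,11 @@ %install hunk looks inverted: the define is documented as "Use Redhat 7.0 pam control file" with `redhat7 0` as default, yet `%if %{redhat7}` installs contrib/redhat/sshd.pam and the `%else` branch installs sshd.pam-7.x. As written, a default build gets the 7.x file and `--define "rh7 1"` gets the other one; swap the two install lines (or negate the condition) and verify that the resulting /etc/pam.d/sshd actually authenticates on each release, since a wrong PAM stack fails closed at best.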
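Review bot: `%{_bindir}/ssh-keyscan` and `%{_mandir}/man1/ssh-keyscan.1*` are added to both the main %files list (@@ -205,13 +224,16 @@) and the `%files clients` list (@@ -219,10 +241,14 @@), so the same path is packaged twice and the two RPMs conflict on install; keep it in one package only (clients, next to sftp, is the natural home).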
@@ -232,7 +258,7 @@ %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server %attr(0644,root,root) %{_mandir}/man8/sshd.8* %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* -%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config +%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sshd_config %attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd %attr(0755,root,root) %config /etc/rc.d/init.d/sshd diff -ru openssh-2.3.0p1/contrib/redhat/sshd.init openssh-2.5.1p1/contrib/redhat/sshd.init --- openssh-2.3.0p1/contrib/redhat/sshd.init 2000-10-16 12:25:17.000000000 +1100 +++ openssh-2.5.1p1/contrib/redhat/sshd.init 2000-11-13 22:57:27.000000000 +1100 @@ -19,13 +19,27 @@ # Some functions to make the below more readable KEYGEN=/usr/bin/ssh-keygen -RSA_KEY=/etc/ssh/ssh_host_key +RSA1_KEY=/etc/ssh/ssh_host_key +RSA_KEY=/etc/ssh/ssh_host_rsa_key DSA_KEY=/etc/ssh/ssh_host_dsa_key PID_FILE=/var/run/sshd.pid +do_rsa1_keygen() { + if ! test -f $RSA1_KEY ; then + echo -n "Generating SSH1 RSA host key: " + if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then + success "RSA1 key generation" + echo + else + failure "RSA1 key generation" + echo + exit 1 + fi + fi +} do_rsa_keygen() { - if $KEYGEN -R && ! test -f $RSA_KEY ; then - echo -n "Generating SSH RSA host key: " - if $KEYGEN -q -b 1024 -f $RSA_KEY -C '' -N '' >&/dev/null; then + if ! test -f $RSA_KEY ; then + echo -n "Generating SSH2 RSA host key: " + if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then success "RSA key generation" echo else @@ -37,8 +51,8 @@ } do_dsa_keygen() { if ! test -f $DSA_KEY ; then - echo -n "Generating SSH DSA host key: " - if $KEYGEN -q -d -b 1024 -f $DSA_KEY -C '' -N '' >&/dev/null; then + echo -n "Generating SSH2 DSA host key: " + if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then success "DSA key generation" echo else @@ -52,6 +66,7 @@ case "$1" in start) # Create keys if necessary + do_rsa1_keygen; do_rsa_keygen; do_dsa_keygen; 
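Review bot: do_rsa_keygen() in the sshd.init hunk drops the `$KEYGEN -R` capability probe, so the start action now unconditionally generates an SSH2 RSA host key and does `exit 1` if ssh-keygen fails, where it previously skipped RSA on builds without it. If RSA support is now assumed, state that in the ChangeLog so packagers on RSA-less builds know the service will refuse to start; and note that `>&/dev/null` is a bash-only redirection, fine for the Red Hat scripts but not something to copy into the other contrib init scripts.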
@@ -72,6 +87,7 @@ echo -n "Shutting down sshd: " if [ -f $PID_FILE ] ; then killproc sshd + RETVAL=$? [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd fi echo diff -ru openssh-2.3.0p1/contrib/redhat/sshd.init-5.x openssh-2.5.1p1/contrib/redhat/sshd.init-5.x --- openssh-2.3.0p1/contrib/redhat/sshd.init-5.x 2000-08-08 16:53:28.000000000 +1000 +++ openssh-2.5.1p1/contrib/redhat/sshd.init-5.x 2000-11-08 03:41:42.000000000 +1100 @@ -39,6 +39,7 @@ echo -n "Shutting down sshd: " if [ -f /var/run/sshd.pid ] ; then killproc sshd + RETVAL=$? fi echo [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd Only in openssh-2.5.1p1/contrib/redhat: sshd.pam-7.x diff -ru openssh-2.3.0p1/contrib/solaris/build-pkg openssh-2.5.1p1/contrib/solaris/build-pkg --- openssh-2.3.0p1/contrib/solaris/build-pkg 2000-08-18 14:43:41.000000000 +1000 +++ openssh-2.5.1p1/contrib/solaris/build-pkg 2000-11-11 08:36:39.000000000 +1100 @@ -163,6 +163,7 @@ cp -p ../../../sshd_config.out etc/sshd_config.default cp -p ../../../ssh_config.out etc/ssh_config.default cp -p ../../../ssh_prng_cmds etc/ssh_prng_cmds.default +cp -p ../../../primes etc/primes.default # One of the annoying things about the Solaris packaging process is that # there's no simple way to prototype on the fly--so make sure you edit diff -ru openssh-2.3.0p1/contrib/solaris/postinstall.in openssh-2.5.1p1/contrib/solaris/postinstall.in --- openssh-2.3.0p1/contrib/solaris/postinstall.in 2000-08-18 14:43:42.000000000 +1000 +++ openssh-2.5.1p1/contrib/solaris/postinstall.in 2000-11-11 08:36:39.000000000 +1100 @@ -46,6 +46,7 @@ instbackup ${CONFDIR} ssh_prng_cmds instbackup ${CONFDIR} ssh_config instbackup ${CONFDIR} sshd_config + instbackup ${CONFDIR} primes ### If no existing sshd_config and host key, then create if [ ! -f "${CONFDIR}/ssh_host_key" ]; then 
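Review bot: in the sshd.init-5.x stop action `RETVAL=$?` is assigned only inside `if [ -f /var/run/sshd.pid ]`, so when the pid file is absent the following `[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd` runs with an unset RETVAL and fails with "integer expression expected", unless RETVAL is initialised earlier in the script. Set `RETVAL=0` before the if, or move the lock-file removal inside the if as the sshd.init variant in this patch does.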
@@ -126,6 +127,10 @@ instbackup ${CONFDIR} sshd_config NEWCONF=1 fi + if [ ! -r "${CONFDIR}/primes" ]; then + instbackup ${CONFDIR} primes + NEWCONF=1 + fi if [ $NEWCONF -eq 0 ]; then echo "Your existing SSH configuration files have not been altered." else diff -ru openssh-2.3.0p1/contrib/solaris/prototype openssh-2.5.1p1/contrib/solaris/prototype --- openssh-2.3.0p1/contrib/solaris/prototype 2000-08-18 14:43:42.000000000 +1000 +++ openssh-2.5.1p1/contrib/solaris/prototype 2000-11-11 08:36:39.000000000 +1100 @@ -15,6 +15,7 @@ f none etc/sshd_config.default 0644 root sys f none etc/ssh_config.default 0644 root sys f none etc/ssh_prng_cmds.default 0644 root sys +f none etc/primes.default 0644 root sys f none etc/sshd-initscript 0755 root sys d none bin 0755 root sys f none bin/ssh-keygen 0755 root sys diff -ru openssh-2.3.0p1/contrib/ssh-copy-id.1 openssh-2.5.1p1/contrib/ssh-copy-id.1 --- openssh-2.3.0p1/contrib/ssh-copy-id.1 2000-03-15 12:13:04.000000000 +1100 +++ openssh-2.5.1p1/contrib/ssh-copy-id.1 2000-12-29 02:46:20.000000000 +1100 @@ -58,7 +58,7 @@ produced no output, then it uses the contents of the identity file. Once it has one or more fingerprints (by whatever means) it uses ssh to append them to -.B ~/.ssh/authorised_keys +.B ~/.ssh/authorized_keys on the remote machine (creating the file, and directory, if necessary) .SH "SEE ALSO" diff -ru openssh-2.3.0p1/contrib/suse/openssh.spec openssh-2.5.1p1/contrib/suse/openssh.spec --- openssh-2.3.0p1/contrib/suse/openssh.spec 2000-11-06 12:52:25.000000000 +1100 +++ openssh-2.5.1p1/contrib/suse/openssh.spec 2001-02-19 21:51:50.000000000 +1100 @@ -1,6 +1,6 @@ Summary: OpenSSH, a free Secure Shell (SSH) implementation Name: openssh -Version: 2.2.0p1 +Version: 2.5.1p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz 
@@ -88,8 +88,13 @@ %build CFLAGS="$RPM_OPT_FLAGS" \ -./configure --prefix=/usr --sysconfdir=/etc/ssh --with-gnome-askpass \ - --with-tcp-wrappers --with-ipv4-default --libexecdir=/usr/lib/ssh +./configure --prefix=/usr \ + --sysconfdir=/etc/ssh \ + --with-pam \ + --with-gnome-askpass \ + --with-tcp-wrappers \ + --with-ipv4-default \ + --libexecdir=/usr/lib/ssh make cd contrib @@ -161,11 +166,12 @@ %files %defattr(-,root,root) -%doc COPYING.Ylonen ChangeLog OVERVIEW README* +%doc ChangeLog OVERVIEW README* %doc RFC.nroff TODO CREDITS LICENSE %attr(0755,root,root) %dir /etc/ssh %attr(0644,root,root) %config /etc/ssh/ssh_config %attr(0600,root,root) %config /etc/ssh/sshd_config +%attr(0600,root,root) %config /etc/ssh/primes %attr(0644,root,root) %config /etc/pam.d/sshd %attr(0755,root,root) %config /sbin/init.d/sshd %attr(0755,root,root) /usr/bin/ssh-keygen @@ -174,6 +180,8 @@ %attr(-,root,root) /usr/bin/slogin %attr(0755,root,root) /usr/bin/ssh-agent %attr(0755,root,root) /usr/bin/ssh-add +%attr(0755,root,root) /usr/bin/ssh-keyscan +%attr(0755,root,root) /usr/bin/sftp %attr(0755,root,root) /usr/sbin/sshd %attr(-,root,root) /usr/sbin/rcsshd %attr(0755,root,root) %dir /usr/lib/ssh diff -ru openssh-2.3.0p1/crc32.c openssh-2.5.1p1/crc32.c --- openssh-2.3.0p1/crc32.c 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.1p1/crc32.c 2000-12-22 12:43:59.000000000 +1100 @@ -31,7 +31,7 @@ * tions for all combinations of data and CRC register values * * The values must be right-shifted by eight bits by the "updcrc - * logic; the shift must be unsigned (bring in zeroes). On some + * logic; the shift must be u_(bring in zeroes). On some * hardware you could probably optimize the shift in assembler by * using byte-swap instructions * polynomial $edb88320 
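Review bot: the SuSE spec installs /etc/ssh/primes with mode 0600, as does the Red Hat spec earlier in this patch, while the Solaris prototype installs etc/primes.default with 0644. The Diffie-Hellman moduli in that file are public parameters, so 0644 is the appropriate mode; relax the two 0600 entries so admins are not led to treat the file as a secret (sshd reads it as root either way, so this is about consistency, not access).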
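Review bot: the crc32.c comment hunk @@ -31,7 +31,7 @@ is a search-and-replace casualty: "the shift must be unsigned (bring in zeroes)" became "the shift must be u_(bring in zeroes)", so the `unsigned` to `u_int` rename was applied inside prose. Restore the original comment text; only the code identifiers should have been renamed.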
@@ -39,11 +39,11 @@ #include "includes.h" -RCSID("$OpenBSD: crc32.c,v 1.7 2000/09/07 20:27:51 deraadt Exp $"); +RCSID("$OpenBSD: crc32.c,v 1.8 2000/12/19 23:17:56 markus Exp $"); #include "crc32.h" -static unsigned int crc32_tab[] = { +static u_int crc32_tab[] = { 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, @@ -100,11 +100,11 @@ /* Return a 32-bit CRC of the contents of the buffer. */ -unsigned int -ssh_crc32(const unsigned char *s, unsigned int len) +u_int +ssh_crc32(const u_char *s, u_int len) { - unsigned int i; - unsigned int crc32val; + u_int i; + u_int crc32val; crc32val = 0; for (i = 0; i < len; i ++) { diff -ru openssh-2.3.0p1/crc32.h openssh-2.5.1p1/crc32.h --- openssh-2.3.0p1/crc32.h 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.1p1/crc32.h 2000-12-22 12:43:59.000000000 +1100 @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: crc32.h,v 1.8 2000/09/07 20:27:51 deraadt Exp $"); */ +/* RCSID("$OpenBSD: crc32.h,v 1.9 2000/12/19 23:17:56 markus Exp $"); */ #ifndef CRC32_H #define CRC32_H @@ -20,6 +20,6 @@ * This computes a 32 bit CRC of the data in the buffer, and returns the CRC. * The polynomial used is 0xedb88320. */ -unsigned int ssh_crc32(const unsigned char *buf, unsigned int len); +u_int ssh_crc32(const u_char *buf, u_int len); #endif /* CRC32_H */ Only in openssh-2.3.0p1: cygwin_util.c Only in openssh-2.3.0p1: cygwin_util.h diff -ru openssh-2.3.0p1/deattack.c openssh-2.5.1p1/deattack.c --- openssh-2.3.0p1/deattack.c 2000-11-05 16:42:36.000000000 +1100 +++ openssh-2.5.1p1/deattack.c 2001-01-22 16:34:41.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: deattack.c,v 1.10 2000/10/31 13:18:53 markus Exp $ */ +/* $OpenBSD: deattack.c,v 1.12 2001/01/21 19:05:48 markus Exp $ */ /* * Cryptographic attack detector for ssh - source code 
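Review bot: crc32.h now declares `u_int ssh_crc32(const u_char *buf, u_int len)` with the BSD u_int/u_char typedefs in place of the standard `unsigned int`/`unsigned char`, but the header includes nothing that provides them, so it only compiles when includes.h/defines.h have been included first. Either include sys/types.h in crc32.h (and likewise deattack.h, which gets the same treatment) or keep the standard spellings in the public prototypes.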
@@ -21,7 +21,7 @@ #include "includes.h" #include "deattack.h" -#include "ssh.h" +#include "log.h" #include "crc32.h" #include "getput.h" #include "xmalloc.h" @@ -51,16 +51,16 @@ crc_update(u_int32_t *a, u_int32_t b) { b ^= *a; - *a = ssh_crc32((unsigned char *) &b, sizeof(b)); + *a = ssh_crc32((u_char *) &b, sizeof(b)); } /* detect if a block is used in a particular pattern */ int -check_crc(unsigned char *S, unsigned char *buf, u_int32_t len, - unsigned char *IV) +check_crc(u_char *S, u_char *buf, u_int32_t len, + u_char *IV) { u_int32_t crc; - unsigned char *c; + u_char *c; crc = 0; if (IV && !CMP(S, IV)) { @@ -82,14 +82,14 @@ /* Detect a crc32 compensation attack on a packet */ int -detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV) +detect_attack(u_char *buf, u_int32_t len, u_char *IV) { static u_int16_t *h = (u_int16_t *) NULL; static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; register u_int32_t i, j; u_int32_t l; - register unsigned char *c; - unsigned char *d; + register u_char *c; + u_char *d; if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) || len % SSH_BLOCKSIZE != 0) { diff -ru openssh-2.3.0p1/deattack.h openssh-2.5.1p1/deattack.h --- openssh-2.3.0p1/deattack.h 1999-11-25 00:26:22.000000000 +1100 +++ openssh-2.5.1p1/deattack.h 2001-01-29 18:39:26.000000000 +1100 @@ -1,3 +1,5 @@ +/* $OpenBSD: deattack.h,v 1.5 2001/01/29 01:58:15 niklas Exp $ */ + /* * Cryptographic attack detector for ssh - Header file * @@ -24,5 +26,5 @@ #define DEATTACK_OK 0 #define DEATTACK_DETECTED 1 -int detect_attack(unsigned char *buf, u_int32_t len, unsigned char IV[8]); +int detect_attack(u_char *buf, u_int32_t len, u_char IV[8]); #endif diff -ru openssh-2.3.0p1/defines.h openssh-2.5.1p1/defines.h --- openssh-2.3.0p1/defines.h 2000-10-20 09:14:05.000000000 +1100 +++ openssh-2.5.1p1/defines.h 2001-02-16 12:34:57.000000000 +1100 
@@ -1,6 +1,8 @@ #ifndef _DEFINES_H #define _DEFINES_H +/* $Id: defines.h,v 1.55 2001/02/16 01:34:57 djm Exp $ */ + /* Some platforms need this for the _r() functions */ #if !defined(_REENTRANT) && !defined(SNI) # define _REENTRANT 1 @@ -10,7 +12,7 @@ #include /* For [u]intxx_t */ #include /* For SHUT_XXXX */ -#include /* For MAXPATHLEN */ +#include /* For MAXPATHLEN and roundup() */ #include /* For typedefs */ #include /* For IPv6 macros */ #include /* For IPTOS macros */ @@ -19,13 +21,13 @@ #endif #ifdef HAVE_SYS_BITYPES_H # include /* For u_intXX_t */ -#endif +#endif #ifdef HAVE_PATHS_H # include /* For _PATH_XXX */ -#endif +#endif #ifdef HAVE_LIMITS_H # include /* For PATH_MAX */ -#endif +#endif #ifdef HAVE_SYS_TIME_H # include /* For timersub */ #endif @@ -34,7 +36,7 @@ #endif #ifdef HAVE_SYS_CDEFS_H # include /* For __P() */ -#endif +#endif #ifdef HAVE_SYS_SYSMACROS_H # include /* For MIN, MAX, etc */ #endif @@ -47,6 +49,7 @@ #include /* For STDIN_FILENO, etc */ #include /* Struct winsize */ +#include /* For O_NONBLOCK */ /* Constants */ @@ -78,15 +81,23 @@ # endif /* PATH_MAX */ #endif /* MAXPATHLEN */ -#ifndef STDIN_FILENO +#ifndef STDIN_FILENO # define STDIN_FILENO 0 -#endif -#ifndef STDOUT_FILENO +#endif +#ifndef STDOUT_FILENO # define STDOUT_FILENO 1 -#endif -#ifndef STDERR_FILENO +#endif +#ifndef STDERR_FILENO # define STDERR_FILENO 2 -#endif +#endif + +#ifndef NGROUPS_MAX /* Disable groupaccess if NGROUP_MAX is not set */ +#define NGROUPS_MAX 0 +#endif + +#ifndef O_NONBLOCK /* Non Blocking Open */ +# define O_NONBLOCK 00004 +#endif #ifndef S_ISREG # define S_ISDIR(mode) (((mode) & (_S_IFMT)) == (_S_IFDIR)) 
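Review bot: the `#ifndef O_NONBLOCK` / `# define O_NONBLOCK 00004` fallback in defines.h hard-codes the BSD flag value; on a platform whose fcntl.h lacks O_NONBLOCK that bit may be unassigned or mean something else, so fcntl(F_SETFL) would silently fail to make the descriptor non-blocking or set an unrelated flag. Prefer `# define O_NONBLOCK O_NDELAY` where O_NDELAY exists and `#error` otherwise, or let configure detect it. The accompanying comment "Disable groupaccess if NGROUP_MAX is not set" should say NGROUPS_MAX.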
@@ -166,24 +177,22 @@ #ifndef HAVE_INT64_T # if (SIZEOF_LONG_INT == 8) typedef long int int64_t; +# define HAVE_INT64_T 1 # else # if (SIZEOF_LONG_LONG_INT == 8) typedef long long int int64_t; -# define HAVE_INTXX_T 1 -# else -# error "64 bit int type not found." +# define HAVE_INT64_T 1 # endif # endif #endif #ifndef HAVE_U_INT64_T # if (SIZEOF_LONG_INT == 8) typedef unsigned long int u_int64_t; +# define HAVE_U_INT64_T 1 # else # if (SIZEOF_LONG_LONG_INT == 8) typedef unsigned long long int u_int64_t; -# define HAVE_U_INTXX_T 1 -# else -# error "64 bit int type not found." +# define HAVE_U_INT64_T 1 # endif # endif #endif @@ -203,6 +212,11 @@ # define HAVE_SSIZE_T #endif /* HAVE_SSIZE_T */ +#ifndef HAVE_CLOCK_T +typedef long clock_t; +# define HAVE_CLOCK_T +#endif /* HAVE_CLOCK_T */ + #ifndef HAVE_SA_FAMILY_T typedef int sa_family_t; # define HAVE_SA_FAMILY_T @@ -289,6 +303,10 @@ #define XAUTH_PATH "/usr/X11R6/bin/xauth" #endif /* XAUTH_PATH */ +#ifndef _PATH_TTY +# define _PATH_TTY "/dev/tty" +#endif + /* Macros */ #if defined(HAVE_LOGIN_GETCAPBOOL) && defined(HAVE_LOGIN_CAP_H) @@ -300,15 +318,19 @@ # define MIN(a,b) (((a)<(b))?(a):(b)) #endif +#ifndef roundup +# define roundup(x, y) ((((x)+((y)-1))/(y))*(y)) +#endif + #ifndef timersub -#define timersub(a, b, result) \ - do { \ - (result)->tv_sec = (a)->tv_sec - (b)->tv_sec; \ - (result)->tv_usec = (a)->tv_usec - (b)->tv_usec; \ - if ((result)->tv_usec < 0) { \ - --(result)->tv_sec; \ - (result)->tv_usec += 1000000; \ - } \ +#define timersub(a, b, result) \ + do { \ + (result)->tv_sec = (a)->tv_sec - (b)->tv_sec; \ + (result)->tv_usec = (a)->tv_usec - (b)->tv_usec; \ + if ((result)->tv_usec < 0) { \ + --(result)->tv_sec; \ + (result)->tv_usec += 1000000; \ + } \ } while (0) #endif 
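Review bot: removing the two `# error "64 bit int type not found."` lines means a platform with neither an 8-byte long nor an 8-byte long long now gets no int64_t/u_int64_t typedef at all, and the failure moves from a clear preprocessor error to whatever file first uses the type. That is only acceptable if the NO_SFTP configure check in this patch catches every such platform; leave a comment here pointing at that check, and consider a `#warning` so the situation is visible in the build log.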
@@ -326,13 +348,9 @@ # define __attribute__(x) #endif /* !defined(__GNUC__) || (__GNUC__ < 2) */ -#if defined(HAVE_SECURITY_PAM_APPL_H) && !defined(DISABLE_PAM) -# define USE_PAM -#endif /* defined(HAVE_SECURITY_PAM_APPL_H) && !defined(DISABLE_PAM) */ - #ifndef SUN_LEN #define SUN_LEN(su) \ - (sizeof(*(su)) - sizeof((su)->sun_path) + strlen((su)->sun_path)) + (sizeof(*(su)) - sizeof((su)->sun_path) + strlen((su)->sun_path)) #endif /* SUN_LEN */ /* Function replacement / compatibility hacks */ @@ -344,9 +362,21 @@ # define PAM_STRERROR(a,b) pam_strerror((a),(b)) #endif +#ifdef PAM_SUN_CODEBASE +# define PAM_MSG_MEMBER(msg, n, member) ((*(msg))[(n)].member) +#else +# define PAM_MSG_MEMBER(msg, n, member) ((msg)[(n)]->member) +#endif + #if defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO) # undef HAVE_GETADDRINFO -#endif /* defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO) */ +#endif +#if defined(BROKEN_GETADDRINFO) && defined(HAVE_FREEADDRINFO) +# undef HAVE_FREEADDRINFO +#endif +#if defined(BROKEN_GETADDRINFO) && defined(HAVE_GAI_STRERROR) +# undef HAVE_GAI_STRERROR +#endif #if !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) # define memmove(s1, s2, n) bcopy((s2), (s1), (n)) diff -ru openssh-2.3.0p1/dh.c openssh-2.5.1p1/dh.c --- openssh-2.3.0p1/dh.c 2000-10-14 16:23:12.000000000 +1100 +++ openssh-2.5.1p1/dh.c 2001-01-22 16:34:41.000000000 +1100 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: dh.c,v 1.2 2000/10/11 20:11:35 markus Exp $"); +RCSID("$OpenBSD: dh.c,v 1.6 2001/01/21 19:05:49 markus Exp $"); #include "xmalloc.h" @@ -31,10 +31,13 @@ #include #include -#include "ssh.h" #include "buffer.h" +#include "cipher.h" #include "kex.h" #include "dh.h" +#include "pathnames.h" +#include "log.h" +#include "misc.h" int parse_prime(int linenum, char *line, struct dhgroup *dhg) @@ -87,7 +90,7 @@ return (1); fail: - fprintf(stderr, "Bad prime description in line %d\n", linenum); + error("Bad prime description in line %d\n", linenum); return (0); } 
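Review bot: removing the `USE_PAM` derivation from defines.h means PAM is no longer enabled by the mere presence of security/pam_appl.h; unless configure now defines USE_PAM itself, a build that previously authenticated through PAM falls back to non-PAM authentication with no error at build time. Confirm where USE_PAM is defined now and say so in the ChangeLog entry, since the regression would only show up at login.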
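Review bot: in the parse_prime hunk of dh.c, `error("Bad prime description in line %d\n", linenum)` keeps the trailing newline from the fprintf it replaces; the log functions append their own, so this emits a blank line in syslog/stderr output. Drop the `\n`.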
@@ -100,10 +103,9 @@ int linenum; struct dhgroup dhg; - f = fopen(DH_PRIMES, "r"); + f = fopen(_PATH_DH_PRIMES, "r"); if (!f) { - perror(DH_PRIMES); - log("WARNING: %s does not exist, using old prime", DH_PRIMES); + log("WARNING: %s does not exist, using old prime", _PATH_DH_PRIMES); return (dh_new_group1()); } @@ -127,14 +129,13 @@ fclose (f); if (bestcount == 0) { - log("WARNING: no primes in %s, using old prime", DH_PRIMES); + log("WARNING: no primes in %s, using old prime", _PATH_DH_PRIMES); return (dh_new_group1()); } - f = fopen(DH_PRIMES, "r"); + f = fopen(_PATH_DH_PRIMES, "r"); if (!f) { - perror(DH_PRIMES); - exit(1); + fatal("WARNING: %s dissappeared, giving up", _PATH_DH_PRIMES); } linenum = 0; diff -ru openssh-2.3.0p1/dh.h openssh-2.5.1p1/dh.h --- openssh-2.3.0p1/dh.h 2000-10-14 16:23:12.000000000 +1100 +++ openssh-2.5.1p1/dh.h 2001-01-29 18:39:26.000000000 +1100 @@ -1,3 +1,5 @@ +/* $OpenBSD: dh.h,v 1.2 2001/01/29 01:58:15 niklas Exp $ */ + /* * Copyright (c) 2000 Niels Provos. All rights reserved. * diff -ru openssh-2.3.0p1/dispatch.c openssh-2.5.1p1/dispatch.c --- openssh-2.3.0p1/dispatch.c 2000-09-23 17:15:57.000000000 +1100 +++ openssh-2.5.1p1/dispatch.c 2001-02-19 21:51:08.000000000 +1100 @@ -22,10 +22,14 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: dispatch.c,v 1.5 2000/09/21 11:25:34 markus Exp $"); -#include "ssh.h" +RCSID("$OpenBSD: dispatch.c,v 1.10 2001/02/18 18:33:53 markus Exp $"); + +#include "ssh1.h" +#include "ssh2.h" +#include "log.h" #include "dispatch.h" #include "packet.h" +#include "compat.h" #define DISPATCH_MIN 0 #define DISPATCH_MAX 255 @@ -36,6 +40,8 @@ dispatch_protocol_error(int type, int plen, void *ctxt) { error("Hm, dispatch protocol error: type %d plen %d", type, plen); + if (compat20 && type == SSH2_MSG_KEXINIT) + fatal("dispatch_protocol_error: rekeying is not supported"); } void dispatch_init(dispatch_fn *dflt) 
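Review bot: `fatal("WARNING: %s dissappeared, giving up", ...)` in the second fopen hunk misspells "disappeared" and prefixes a process-ending fatal() with WARNING; use `fatal("%s disappeared, giving up", ...)`. More substantively, the primes file is opened twice (once to count candidates, once to select one), which leaves a window in which it can change underneath the process; keeping the first FILE* and calling rewind(3), or reading the file once into memory, removes the second open and this error path with it.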
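Review bot: the dispatch_protocol_error hunk turns an unexpected SSH2_MSG_KEXINIT into fatal(), which is the right call (continuing after refusing a rekey would leave the session on keys the peer considers retired), but it deserves a one-line comment: any peer can now end the connection by sending KEXINIT after the initial exchange, and a reader of `dispatch_protocol_error` alone would expect a logged error and a continued session, as the other message types still get.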
@@ -66,7 +72,7 @@ if (type > 0 && type < DISPATCH_MAX && dispatch[type] != NULL) (*dispatch[type])(type, plen, ctxt); else - packet_disconnect("protocol error: rcvd type %d", type); + packet_disconnect("protocol error: rcvd type %d", type); if (done != NULL && *done) return; } diff -ru openssh-2.3.0p1/dispatch.h openssh-2.5.1p1/dispatch.h --- openssh-2.3.0p1/dispatch.h 2000-09-23 17:15:57.000000000 +1100 +++ openssh-2.5.1p1/dispatch.h 2001-01-29 18:39:26.000000000 +1100 @@ -1,3 +1,5 @@ +/* $OpenBSD: dispatch.h,v 1.4 2001/01/29 01:58:15 niklas Exp $ */ + /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Only in openssh-2.3.0p1: dsa.c Only in openssh-2.3.0p1: dsa.h diff -ru openssh-2.3.0p1/entropy.c openssh-2.5.1p1/entropy.c --- openssh-2.3.0p1/entropy.c 2000-10-16 20:13:43.000000000 +1100 +++ openssh-2.5.1p1/entropy.c 2001-02-18 22:34:32.000000000 +1100 @@ -24,9 +24,6 @@ #include "includes.h" -#include "ssh.h" -#include "xmalloc.h" - #include #include @@ -35,7 +32,14 @@ # include #endif /* HAVE_FLOATINGPOINT_H */ -RCSID("$Id: entropy.c,v 1.21 2000/10/16 09:13:43 djm Exp $"); +#include "ssh.h" +#include "misc.h" +#include "xmalloc.h" +#include "atomicio.h" +#include "pathnames.h" +#include "log.h" + +RCSID("$Id: entropy.c,v 1.29 2001/02/18 11:34:32 stevesk Exp $"); #ifndef offsetof # define offsetof(type, member) ((size_t) &((type *)0)->member) @@ -68,7 +72,8 @@ int fd; char msg[2]; struct sockaddr_un addr; - int addr_len; + int addr_len, rval, errors; + mysig_t old_sigpipe; /* Sanity checks */ if (sizeof(EGD_SOCKET) > sizeof(addr.sun_path)) 
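Review bot: in the get_random_bytes hunk, `fd` is declared without an initial value while the new `done:` label does `if (fd != -1) close(fd)`; today every `goto done` is reached after the socket() assignment, but any future early exit added before `reopen:` (for example one that jumps to done to restore the SIGPIPE handler) would close a garbage descriptor. Initialise `fd = -1` next to `errors = rval = 0`.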
@@ -80,18 +85,21 @@ addr.sun_family = AF_UNIX; strlcpy(addr.sun_path, EGD_SOCKET, sizeof(addr.sun_path)); addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(EGD_SOCKET); - + + old_sigpipe = mysignal(SIGPIPE, SIG_IGN); + + errors = rval = 0; +reopen: fd = socket(AF_UNIX, SOCK_STREAM, 0); if (fd == -1) { error("Couldn't create AF_UNIX socket: %s", strerror(errno)); - return(0); + goto done; } if (connect(fd, (struct sockaddr*)&addr, addr_len) == -1) { - error("Couldn't connect to EGD socket \"%s\": %s", + error("Couldn't connect to EGD socket \"%s\": %s", addr.sun_path, strerror(errno)); - close(fd); - return(0); + goto done; } /* Send blocking read request to EGD */ @@ -99,22 +107,33 @@ msg[1] = len; if (atomicio(write, fd, msg, sizeof(msg)) != sizeof(msg)) { - error("Couldn't write to EGD socket \"%s\": %s", + if (errno == EPIPE && errors < 10) { + close(fd); + errors++; + goto reopen; + } + error("Couldn't write to EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno)); - close(fd); - return(0); + goto done; } if (atomicio(read, fd, buf, len) != len) { - error("Couldn't read from EGD socket \"%s\": %s", + if (errno == EPIPE && errors < 10) { + close(fd); + errors++; + goto reopen; + } + error("Couldn't read from EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno)); - close(fd); - return(0); + goto done; } - - close(fd); - - return(1); + + rval = 1; +done: + mysignal(SIGPIPE, old_sigpipe); + if (fd != -1) + close(fd); + return(rval); } #else /* !EGD_SOCKET */ #ifdef RANDOM_POOL 
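Review bot: the EPIPE retry on the read path of the get_random_bytes hunk tests errno after a short atomicio(read, ...), but a peer that closes the socket makes read(2) return 0 without touching errno, so the check sees whatever the earlier write left behind and may retry on a stale EPIPE or log a misleading strerror. Only the write branch can genuinely observe EPIPE; on the read branch test for a zero return (EOF) explicitly, and set `errno = 0` before each atomicio call so the logged error is accurate.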
@@ -125,20 +144,20 @@ random_pool = open(RANDOM_POOL, O_RDONLY); if (random_pool == -1) { - error("Couldn't open random pool \"%s\": %s", + error("Couldn't open random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); return(0); } - + if (atomicio(read, random_pool, buf, len) != len) { - error("Couldn't read from random pool \"%s\": %s", + error("Couldn't read from random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); close(random_pool); return(0); } - + close(random_pool); - + return(1); } #endif /* RANDOM_POOL */ @@ -152,7 +171,7 @@ seed_rng(void) { char buf[32]; - + debug("Seeding random number generator"); if (!get_random_bytes(buf, sizeof(buf))) { @@ -161,7 +180,7 @@ } else { RAND_add(buf, sizeof(buf), sizeof(buf)); } - + memset(buf, '\0', sizeof(buf)); } @@ -170,7 +189,7 @@ #else /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */ -/* +/* * FIXME: proper entropy estimations. All current values are guesses * FIXME: (ATL) do estimates at compile time? * FIXME: More entropy sources @@ -210,18 +229,18 @@ /* this is initialised from a file, by prng_read_commands() */ entropy_source_t *entropy_sources = NULL; -double +double stir_from_system(void) { double total_entropy_estimate; long int i; - + total_entropy_estimate = 0; - + i = getpid(); RAND_add(&i, sizeof(i), 0.5); total_entropy_estimate += 0.1; - + i = getppid(); RAND_add(&i, sizeof(i), 0.5); total_entropy_estimate += 0.1; @@ -238,7 +257,7 @@ return(total_entropy_estimate); } -double +double stir_from_programs(void) { int i; 
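Review bot: in the seed_rng hunk, `RAND_add(buf, sizeof(buf), sizeof(buf))` credits the 32 bytes read from RANDOM_POOL as 32 bytes of entropy; that is right for a blocking /dev/random-style device but overstates what a non-blocking urandom-style device guarantees, so the estimate should depend on which device RANDOM_POOL is configured as. Separately, the trailing `memset(buf, '\0', sizeof(buf))` on a buffer that is never read again is exactly the store an optimiser may drop as dead; if scrubbing is the intent, write through a volatile pointer or a non-inlinable helper.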
@@ -258,18 +277,18 @@ /* Scale back entropy estimate according to command's rate */ entropy_estimate *= entropy_sources[c].rate; - + /* Upper bound of entropy estimate is SHA_DIGEST_LENGTH */ if (entropy_estimate > SHA_DIGEST_LENGTH) entropy_estimate = SHA_DIGEST_LENGTH; - /* Scale back estimates for subsequent passes through list */ + /* Scale back estimates for subsequent passes through list */ entropy_estimate /= SCALE_PER_RUN * (i + 1.0); - + /* Stir it in */ RAND_add(hash, sizeof(hash), entropy_estimate); - debug3("Got %0.2f bytes of entropy from '%s'", entropy_estimate, + debug3("Got %0.2f bytes of entropy from '%s'", entropy_estimate, entropy_sources[c].cmdstring); total_entropy_estimate += entropy_estimate; @@ -290,7 +309,7 @@ c++; } } - + return(total_entropy_estimate); } @@ -298,12 +317,12 @@ stir_gettimeofday(double entropy_estimate) { struct timeval tv; - + if (gettimeofday(&tv, NULL) == -1) fatal("Couldn't gettimeofday: %s", strerror(errno)); RAND_add(&tv, sizeof(tv), entropy_estimate); - + return(entropy_estimate); } @@ -312,10 +331,10 @@ { #ifdef HAVE_CLOCK clock_t c; - + c = clock(); RAND_add(&c, sizeof(c), entropy_estimate); - + return(entropy_estimate); #else /* _HAVE_CLOCK */ return(0); @@ -327,7 +346,7 @@ { #ifdef HAVE_GETRUSAGE struct rusage ru; - + if (getrusage(who, &ru) == -1) return(0); @@ -365,7 +384,7 @@ int bytes_read; int total_bytes_read; SHA_CTX sha; - + debug3("Reading output from \'%s\'", src->cmdstring); if (devnull == -1) { @@ -373,7 +392,7 @@ if (devnull == -1) fatal("Couldn't open /dev/null: %s", strerror(errno)); } - + if (pipe(p) == -1) fatal("Couldn't open pipe: %s", strerror(errno)); @@ -466,7 +485,7 @@ close(p[0]); debug3("Time elapsed: %d msec", msec_elapsed); - + if (waitpid(pid, &status, 0) == -1) { error("Couldn't wait for child '%s' completion: %s", src->cmdstring, strerror(errno)); 
@@ -489,13 +508,13 @@ if (WEXITSTATUS(status)==0) { return(total_bytes_read); } else { - debug2("Command '%s' exit status was %d", src->cmdstring, + debug2("Command '%s' exit status was %d", src->cmdstring, WEXITSTATUS(status)); src->badness = src->sticky_badness = 128; return (0.0); } } else if (WIFSIGNALED(status)) { - debug2("Command '%s' returned on uncaught signal %d !", src->cmdstring, + debug2("Command '%s' returned on uncaught signal %d !", src->cmdstring, status); src->badness = src->sticky_badness = 128; return(0.0); @@ -516,7 +535,7 @@ if (lstat(filename, &st) == -1) { /* Give up on hard errors */ if (errno != ENOENT) - debug("WARNING: Couldn't stat random seed file \"%s\": %s", + debug("WARNING: Couldn't stat random seed file \"%s\": %s", filename, strerror(errno)); return(0); @@ -532,7 +551,7 @@ filename, getuid()); return(0); } - + return(1); } @@ -546,22 +565,22 @@ /* Don't bother if we have already saved a seed */ if (prng_seed_saved) return; - + setuid(original_uid); - + prng_seed_saved = 1; - + pw = getpwuid(original_uid); if (pw == NULL) - fatal("Couldn't get password entry for current user (%i): %s", + fatal("Couldn't get password entry for current user (%i): %s", original_uid, strerror(errno)); - + /* Try to ensure that the parent directory is there */ - snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, - SSH_USER_DIR); + snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, + _PATH_SSH_USER_DIR); mkdir(filename, 0700); - snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, + snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, SSH_PRNG_SEED_FILE); debug("writing PRNG seed to file %.100s", filename); 
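Review bot: in the prng_write_seedfile hunk, `setuid(original_uid)` is called without checking its return value before the seed file is created under the user's home directory; if the call fails, the `open(..., O_WRONLY|O_TRUNC|O_CREAT, 0600)` that follows runs with the caller's elevated privilege against a user-controlled path. Check the return value and fatal() on failure, as the new seteuid() calls in init_rng already do.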
@@ -570,13 +589,13 @@ /* Don't care if the seed doesn't exist */ prng_check_seedfile(filename); - + if ((fd = open(filename, O_WRONLY|O_TRUNC|O_CREAT, 0600)) == -1) { - debug("WARNING: couldn't access PRNG seedfile %.100s (%.100s)", + debug("WARNING: couldn't access PRNG seedfile %.100s (%.100s)", filename, strerror(errno)); - } else { + } else { if (atomicio(write, fd, &seed, sizeof(seed)) != sizeof(seed)) - fatal("problem writing PRNG seedfile %.100s (%.100s)", filename, + fatal("problem writing PRNG seedfile %.100s (%.100s)", filename, strerror(errno)); close(fd); @@ -589,31 +608,26 @@ char seed[1024]; char filename[1024]; struct passwd *pw; - + pw = getpwuid(original_uid); if (pw == NULL) - fatal("Couldn't get password entry for current user (%i): %s", + fatal("Couldn't get password entry for current user (%i): %s", original_uid, strerror(errno)); - - snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, + + snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, SSH_PRNG_SEED_FILE); debug("loading PRNG seed from file %.100s", filename); if (!prng_check_seedfile(filename)) { - verbose("Random seed file not found, creating new"); - prng_write_seedfile(); - - /* Reseed immediatly */ - (void)stir_from_system(); - (void)stir_from_programs(); + verbose("Random seed file not found or not valid, ignoring."); return; } /* open the file and read in the seed */ fd = open(filename, O_RDONLY); if (fd == -1) - fatal("could not open PRNG seedfile %.100s (%.100s)", filename, + fatal("could not open PRNG seedfile %.100s (%.100s)", filename, strerror(errno)); if (atomicio(read, fd, &seed, sizeof(seed)) != sizeof(seed)) { @@ -673,7 +687,7 @@ error("bad entropy command, %.100s line %d", cmdfilename, linenum); continue; - } + } /* first token, command args (incl. argv[0]) in double quotes */ cp = strtok(cp, "\""); 
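Review bot: the prng_read_seedfile hunk makes a missing or invalid seed file a verbose() no-op, which is right for an optional seed, but leaves the open() immediately afterwards as fatal(); since prng_check_seedfile uses lstat and open() then follows symlinks, a file that appears or changes between the two calls can still kill the process (or, in the write path above, be truncated through a link). Open first, with O_NOFOLLOW where the platform has it, fstat the descriptor and apply the ownership and regular-file checks to that result, and treat an open failure the same as a missing seed.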
@@ -683,7 +697,7 @@ continue; } strlcpy(cmd, cp, sizeof(cmd)); - + /* second token, full command path */ if ((cp = strtok(NULL, WHITESPACE)) == NULL) { error("missing command path, %.100s line %d -- ignored", @@ -695,7 +709,7 @@ if (strncmp("undef", cp, 5) == 0) continue; - strlcpy(path, cp, sizeof(path)); + strlcpy(path, cp, sizeof(path)); /* third token, entropy rate estimate for this command */ if ((cp = strtok(NULL, WHITESPACE)) == NULL) { @@ -707,14 +721,14 @@ /* end of line */ if ((cp = strtok(NULL, WHITESPACE)) != NULL) { - error("garbage at end of line %d in %.100s -- ignored", linenum, + error("garbage at end of line %d in %.100s -- ignored", linenum, cmdfilename); continue; } /* save the command for debug messages */ entcmd[cur_cmd].cmdstring = xstrdup(cmd); - + /* split the command args */ cp = strtok(cmd, WHITESPACE); arg = 0; @@ -725,7 +739,7 @@ entcmd[cur_cmd].args[arg] = s; arg++; } while ((arg < 5) && (cp = strtok(NULL, WHITESPACE))); - + if (strtok(NULL, WHITESPACE)) error("ignored extra command elements (max 5), %.100s line %d", cmdfilename, linenum); @@ -761,7 +775,7 @@ /* * Write a keyfile at exit - */ + */ void prng_seed_cleanup(void *junk) { @@ -775,14 +789,14 @@ void seed_rng(void) { - void *old_sigchld_handler; + mysig_t old_sigchld_handler; if (!prng_initialised) fatal("RNG not initialised"); - + /* Make sure some other sigchld handler doesn't reap our entropy */ /* commands */ - old_sigchld_handler = signal(SIGCHLD, SIG_DFL); + old_sigchld_handler = mysignal(SIGCHLD, SIG_DFL); debug("Seeded RNG with %i bytes from programs", (int)stir_from_programs()); debug("Seeded RNG with %i bytes from system calls", (int)stir_from_system()); 
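Review bot: in the prng_read_commands hunk, `strncmp("undef", cp, 5) == 0` is a prefix match, so a command path that merely begins with "undef" is skipped as if it were the placeholder; use strcmp, or compare the length as well. The `mysig_t old_sigchld_handler` change in seed_rng is the right fix for the earlier `void *` assignment.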
@@ -790,23 +804,35 @@ if (!RAND_status()) fatal("Not enough entropy in RNG"); - signal(SIGCHLD, old_sigchld_handler); + mysignal(SIGCHLD, old_sigchld_handler); if (!RAND_status()) fatal("Couldn't initialise builtin random number generator -- exiting."); } -void init_rng(void) +void init_rng(void) { + int original_euid; + original_uid = getuid(); + original_euid = geteuid(); /* Read in collection commands */ if (!prng_read_commands(SSH_PRNG_COMMAND_FILE)) fatal("PRNG initialisation failed -- exiting."); /* Set ourselves up to save a seed upon exit */ - prng_seed_saved = 0; + prng_seed_saved = 0; + + /* Give up privs while reading seed file */ + if ((original_uid != original_euid) && (seteuid(original_uid) == -1)) + fatal("Couldn't give up privileges"); + prng_read_seedfile(); + + if ((original_uid != original_euid) && (seteuid(original_euid) == -1)) + fatal("Couldn't restore privileges"); + fatal_add_cleanup(prng_seed_cleanup, NULL); atexit(prng_write_seedfile); diff -ru openssh-2.3.0p1/entropy.h openssh-2.5.1p1/entropy.h --- openssh-2.3.0p1/entropy.h 2000-09-16 16:09:28.000000000 +1100 +++ openssh-2.5.1p1/entropy.h 2001-02-09 12:55:36.000000000 +1100 @@ -22,6 +22,8 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +/* $Id: entropy.h,v 1.4 2001/02/09 01:55:36 djm Exp $ */ + #ifndef _RANDOMS_H #define _RANDOMS_H Only in openssh-2.3.0p1: fake-gai-errnos.h Only in openssh-2.3.0p1: fake-getaddrinfo.c Only in openssh-2.3.0p1: fake-getaddrinfo.h Only in openssh-2.3.0p1: fake-getnameinfo.c Only in openssh-2.3.0p1: fake-getnameinfo.h Only in openssh-2.3.0p1: fake-socket.h diff -ru openssh-2.3.0p1/fixpaths openssh-2.5.1p1/fixpaths --- openssh-2.3.0p1/fixpaths 2000-04-20 07:33:24.000000000 +1000 +++ openssh-2.5.1p1/fixpaths 2000-11-08 12:07:51.000000000 +1100 
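Review bot: the init_rng hunk drops to the real uid with seteuid() around prng_read_seedfile, which is the right shape, but it covers only the seed read: prng_read_commands(SSH_PRNG_COMMAND_FILE) runs before the drop, and the listed commands are later executed by stir_from_programs (reached from seed_rng, not from here) with whatever privilege the caller holds. Add a comment stating that the command file must be root-owned and not writable by others, or verify that at parse time the way prng_check_seedfile does for the seed file; a writable command file would otherwise be a way to run arbitrary commands with the privileges of a setuid caller.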
@@ -37,14 +37,13 @@ $of = $2.".$ext"; open(IN, "<$f") || die ("$0: input file $f missing!\n"); - if (open(OUT, ">$of")) { - while () { - for $s (keys(%def)) { - s#$s#$def{$s}#; - } # for $s - print OUT; - } # while - } # if (outfile open) + open(OUT, ">$of") || die ("$0: cannot create output file $of: $!\n"); + while () { + for $s (keys(%def)) { + s#$s#$def{$s}#; + } # for $s + print OUT; + } # while } # for $f exit 0; diff -ru openssh-2.3.0p1/getput.h openssh-2.5.1p1/getput.h --- openssh-2.3.0p1/getput.h 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.1p1/getput.h 2001-01-11 17:20:23.000000000 +1100 
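Review bot: the fixpaths hunk correctly turns a silent skip into a die on output-file failure; while here, `s#$s#$def{$s}#` interpolates each key as a regular expression and replaces only the first occurrence per line, so a key containing regex metacharacters (a "." in a path, for instance) matches more than intended, and a line with two placeholders is only half-substituted. Use `s#\Q$s\E#$def{$s}#g`.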
@@ -11,20 +11,39 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: getput.h,v 1.5 2000/09/07 20:27:51 deraadt Exp $"); */ +/* RCSID("$OpenBSD: getput.h,v 1.7 2001/01/10 22:56:22 markus Exp $"); */ #ifndef GETPUT_H #define GETPUT_H /*------------ macros for storing/extracting msb first words -------------*/ -#define GET_32BIT(cp) (((unsigned long)(unsigned char)(cp)[0] << 24) | \ - ((unsigned long)(unsigned char)(cp)[1] << 16) | \ - ((unsigned long)(unsigned char)(cp)[2] << 8) | \ - ((unsigned long)(unsigned char)(cp)[3])) - -#define GET_16BIT(cp) (((unsigned long)(unsigned char)(cp)[0] << 8) | \ - ((unsigned long)(unsigned char)(cp)[1])) +#define GET_64BIT(cp) (((u_int64_t)(u_char)(cp)[0] << 56) | \ + ((u_int64_t)(u_char)(cp)[1] << 48) | \ + ((u_int64_t)(u_char)(cp)[2] << 40) | \ + ((u_int64_t)(u_char)(cp)[3] << 32) | \ + ((u_int64_t)(u_char)(cp)[4] << 24) | \ + ((u_int64_t)(u_char)(cp)[5] << 16) | \ + ((u_int64_t)(u_char)(cp)[6] << 8) | \ + ((u_int64_t)(u_char)(cp)[7])) + +#define GET_32BIT(cp) (((u_long)(u_char)(cp)[0] << 24) | \ + ((u_long)(u_char)(cp)[1] << 16) | \ + ((u_long)(u_char)(cp)[2] << 8) | \ + ((u_long)(u_char)(cp)[3])) + +#define GET_16BIT(cp) (((u_long)(u_char)(cp)[0] << 8) | \ + ((u_long)(u_char)(cp)[1])) + +#define PUT_64BIT(cp, value) do { \ + (cp)[0] = (value) >> 56; \ + (cp)[1] = (value) >> 48; \ + (cp)[2] = (value) >> 40; \ + (cp)[3] = (value) >> 32; \ + (cp)[4] = (value) >> 24; \ + (cp)[5] = (value) >> 16; \ + (cp)[6] = (value) >> 8; \ + (cp)[7] = (value); } while (0) #define PUT_32BIT(cp, value) do { \ (cp)[0] = (value) >> 24; \ 
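Review bot: in the PUT_64BIT hunk, `(value) >> 56` is undefined behaviour when `value` has a type narrower than 64 bits (a u_int32_t argument is shifted by more than its width), and none of the byte stores mask with 0xff, so correctness depends on cp being an unsigned char buffer. Cast inside the macro, e.g. `(cp)[0] = (u_char)((u_int64_t)(value) >> 56)`, and likewise for the other lanes; the GET_64BIT side is fine because it casts each byte to u_int64_t before shifting.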
@@ -36,26 +55,4 @@ (cp)[0] = (value) >> 8; \ (cp)[1] = (value); } while (0) -/*------------ macros for storing/extracting lsb first words -------------*/ - -#define GET_32BIT_LSB_FIRST(cp) \ - (((unsigned long)(unsigned char)(cp)[0]) | \ - ((unsigned long)(unsigned char)(cp)[1] << 8) | \ - ((unsigned long)(unsigned char)(cp)[2] << 16) | \ - ((unsigned long)(unsigned char)(cp)[3] << 24)) - -#define GET_16BIT_LSB_FIRST(cp) \ - (((unsigned long)(unsigned char)(cp)[0]) | \ - ((unsigned long)(unsigned char)(cp)[1] << 8)) - -#define PUT_32BIT_LSB_FIRST(cp, value) do { \ - (cp)[0] = (value); \ - (cp)[1] = (value) >> 8; \ - (cp)[2] = (value) >> 16; \ - (cp)[3] = (value) >> 24; } while (0) - -#define PUT_16BIT_LSB_FIRST(cp, value) do { \ - (cp)[0] = (value); \ - (cp)[1] = (value) >> 8; } while (0) - #endif /* GETPUT_H */ Only in openssh-2.5.1p1: groupaccess.c Only in openssh-2.5.1p1: groupaccess.h Only in openssh-2.3.0p1: hmac.c Only in openssh-2.3.0p1: hmac.h diff -ru openssh-2.3.0p1/hostfile.c openssh-2.5.1p1/hostfile.c --- openssh-2.3.0p1/hostfile.c 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.1p1/hostfile.c 2001-01-22 16:34:41.000000000 +1100 @@ -36,15 +36,13 @@ */ #include "includes.h" -RCSID("$OpenBSD: hostfile.c,v 1.20 2000/09/07 20:27:51 deraadt Exp $"); +RCSID("$OpenBSD: hostfile.c,v 1.24 2001/01/21 19:05:49 markus Exp $"); #include "packet.h" #include "match.h" -#include "ssh.h" -#include -#include #include "key.h" #include "hostfile.h" +#include "log.h" /* * Parses an RSA (number of bits, e, n) or DSA key from a string. Moves the @@ -52,17 +50,15 @@ */ int -hostfile_read_key(char **cpp, unsigned int *bitsp, Key *ret) +hostfile_read_key(char **cpp, u_int *bitsp, Key *ret) { - unsigned int bits; char *cp; /* Skip leading whitespace. */ for (cp = *cpp; *cp == ' ' || *cp == '\t'; cp++) ; - bits = key_read(ret, &cp); - if (bits == 0) + if (key_read(ret, &cp) != 1) return 0; /* Skip trailing whitespace. */ 
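Review bot: in the auth_rsa_read_key hunk, `BN_copy(e, k->rsa->e)` and `BN_copy(n, k->rsa->n)` run regardless of whether hostfile_read_key succeeded, so on a parse failure the caller's e and n are overwritten with the zero-valued BIGNUMs from key_new(); a caller that inspects n before checking the return value sees a 0-bit key. Copy only when `ret == 1`. The switch to `key_read(ret, &cp) != 1` with `*bitsp = key_size(ret)` is the right fix for the earlier bits-as-status test.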
@@ -71,14 +67,14 @@ /* Return results. */ *cpp = cp; - *bitsp = bits; + *bitsp = key_size(ret); return 1; } int -auth_rsa_read_key(char **cpp, unsigned int *bitsp, BIGNUM * e, BIGNUM * n) +auth_rsa_read_key(char **cpp, u_int *bitsp, BIGNUM * e, BIGNUM * n) { - Key *k = key_new(KEY_RSA); + Key *k = key_new(KEY_RSA1); int ret = hostfile_read_key(cpp, bitsp, k); BN_copy(e, k->rsa->e); BN_copy(n, k->rsa->n); @@ -89,7 +85,7 @@ int hostfile_check_key(int bits, Key *key, const char *host, const char *filename, int linenum) { - if (key == NULL || key->type != KEY_RSA || key->rsa == NULL) + if (key == NULL || key->type != KEY_RSA1 || key->rsa == NULL) return 1; if (bits != BN_num_bits(key->rsa->n)) { log("Warning: %s, line %d: keysize mismatch for host %s: " @@ -109,12 +105,13 @@ */ HostStatus -check_host_in_hostfile(const char *filename, const char *host, Key *key, Key *found) +check_host_in_hostfile(const char *filename, const char *host, Key *key, + Key *found, int *numret) { FILE *f; char line[8192]; int linenum = 0; - unsigned int kbits, hostlen; + u_int kbits, hostlen; char *cp, *cp2; HostStatus end_return; @@ -151,7 +148,7 @@ ; /* Check if the host name matches. */ - if (match_hostname(host, cp, (unsigned int) (cp2 - cp)) != 1) + if (match_hostname(host, cp, (u_int) (cp2 - cp)) != 1) continue; /* Got a match. Skip host name. */ @@ -166,6 +163,9 @@ if (!hostfile_check_key(kbits, found, host, filename, linenum)) continue; + if (numret != NULL) + *numret = linenum; + /* Check if the current key is the same as the given key. */ if (key_equal(key, found)) { /* Ok, they match. */ diff -ru openssh-2.3.0p1/hostfile.h openssh-2.5.1p1/hostfile.h --- openssh-2.3.0p1/hostfile.h 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.1p1/hostfile.h 2001-02-09 13:11:24.000000000 +1100 @@ -1,3 +1,5 @@ +/* $OpenBSD: hostfile.h,v 1.7 2001/02/08 19:30:51 itojun Exp $ */ + /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
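Review bot: in the check_host_in_hostfile hunk, `*numret = linenum` is assigned for every line whose host pattern matches and whose key parses, before the key comparison, so when a host has several entries and none matches (HOST_CHANGED) the caller is told only the last offending line, and for HOST_OK the value is right only because the function returns on the first match. Either document that numret is "the last line that matched the host" or record the line of the first mismatch; the hostfile.h prototype names the parameter `line`, which hides this subtlety.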
@@ -12,6 +14,9 @@ #ifndef HOSTFILE_H #define HOSTFILE_H +int +auth_rsa_read_key(char **cpp, u_int *bitsp, BIGNUM * e, BIGNUM * n); + /* * Checks whether the given host is already in the list of our known hosts. * Returns HOST_OK if the host is known and has the specified key, HOST_NEW @@ -21,8 +26,10 @@ typedef enum { HOST_OK, HOST_NEW, HOST_CHANGED } HostStatus; + HostStatus -check_host_in_hostfile(const char *filename, const char *host, Key *key, Key *found); +check_host_in_hostfile(const char *filename, const char *host, Key *key, + Key *found, int *line); /* * Appends an entry to the host file. Returns false if the entry could not diff -ru openssh-2.3.0p1/includes.h openssh-2.5.1p1/includes.h --- openssh-2.3.0p1/includes.h 2000-10-18 11:02:25.000000000 +1100 +++ openssh-2.5.1p1/includes.h 2001-02-12 18:29:45.000000000 +1100 @@ -1,3 +1,5 @@ +/* $OpenBSD: includes.h,v 1.14 2001/01/29 01:58:16 niklas Exp $ */ + /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -19,8 +21,7 @@ #include "config.h" -#include "next-posix.h" -#include "news4-posix.h" +#include "bsd-nextstep.h" #include #include @@ -28,11 +29,8 @@ #include #include -#ifndef HAVE_CYGWIN #include -#endif #include -#include #include #include @@ -47,19 +45,21 @@ #include #include +#ifdef HAVE_LIMITS_H +# include +#endif #ifdef HAVE_GETOPT_H -#include +# include #endif #ifdef HAVE_BSTRING_H # include -#endif +#endif #ifdef HAVE_NETGROUP_H # include -#endif -#if defined(HAVE_NETDB_H) && !defined(HAVE_NEXT) -/* Next includes this as part of another header */ +#endif +#if defined(HAVE_NETDB_H) # include -#endif +#endif #ifdef HAVE_ENDIAN_H # include #endif 
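Review bot: the hostfile.h hunk adds a fourth parameter to check_host_in_hostfile but leaves the comment above it ("Returns HOST_OK if the host is known and has the specified key, HOST_NEW ...") unchanged; say that `line` receives the known_hosts line number of the matching entry and what it holds on HOST_NEW, when no entry was seen. The new auth_rsa_read_key prototype also uses BIGNUM, so the header should include the OpenSSL bn header itself rather than rely on inclusion order.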
@@ -88,12 +88,15 @@ #ifdef HAVE_SYS_SYSMACROS_H # include #endif +#ifdef HAVE_UTIME_H +# include +#endif #ifdef HAVE_VIS_H # include #endif #include "version.h" #include "openbsd-compat.h" -#include "cygwin_util.h" +#include "bsd-cygwin_util.h" #include "entropy.h" #endif /* INCLUDES_H */ diff -ru openssh-2.3.0p1/kex.c openssh-2.5.1p1/kex.c --- openssh-2.3.0p1/kex.c 2000-10-14 16:23:12.000000000 +1100 +++ openssh-2.5.1p1/kex.c 2001-02-15 14:01:59.000000000 +1100 @@ -23,18 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kex.c,v 1.12 2000/10/11 20:27:23 markus Exp $"); - -#include "ssh.h" -#include "ssh2.h" -#include "xmalloc.h" -#include "buffer.h" -#include "bufaux.h" -#include "packet.h" -#include "compat.h" - -#include -#include +RCSID("$OpenBSD: kex.c,v 1.21 2001/02/11 12:59:24 markus Exp $"); #include #include @@ -42,7 +31,17 @@ #include #include +#include "ssh2.h" +#include "xmalloc.h" +#include "buffer.h" +#include "bufaux.h" +#include "packet.h" +#include "compat.h" +#include "cipher.h" #include "kex.h" +#include "key.h" +#include "log.h" +#include "mac.h" #define KEX_COOKIE_LEN 16 @@ -50,7 +49,7 @@ kex_init(char *myproposal[PROPOSAL_MAX]) { int first_kex_packet_follows = 0; - unsigned char cookie[KEX_COOKIE_LEN]; + u_char cookie[KEX_COOKIE_LEN]; u_int32_t rand = 0; int i; Buffer *ki = xmalloc(sizeof(*ki)); @@ -81,7 +80,7 @@ debug("send KEXINIT"); packet_start(SSH2_MSG_KEXINIT); - packet_put_raw(buffer_ptr(my_kexinit), buffer_len(my_kexinit)); + packet_put_raw(buffer_ptr(my_kexinit), buffer_len(my_kexinit)); packet_send(); packet_write_wait(); debug("done"); @@ -138,7 +137,7 @@ return 0; } -DH * +void dh_gen_key(DH *dh) { int tries = 0; @@ -149,7 +148,6 @@ if (tries++ > 10) fatal("dh_new_group1: too many bad keys: giving up"); } while (!dh_pub_is_valid(dh, dh->pub_key)); - return dh; } DH * 
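Review bot: the dh_gen_key hunk changes the function to void and (in the following hunks) removes the implicit generation from dh_new_group*, so every caller must now call dh_gen_key() itself; a caller that forgets gets a DH with p and g but no priv_key/pub_key, which fails silently until the exchange value is read. Add that to the prototype's comment, and fix the message inside the loop, which still reads `fatal("dh_new_group1: too many bad keys: giving up")` although the failing function is dh_gen_key.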
@@ -167,9 +165,14 @@ if ((ret = BN_hex2bn(&dh->g, gen)) < 0) fatal("BN_hex2bn g"); - return (dh_gen_key(dh)); + return (dh); } +/* + * This just returns the group, we still need to generate the exchange + * value. + */ + DH * dh_new_group(BIGNUM *gen, BIGNUM *modulus) { @@ -181,11 +184,11 @@ dh->p = modulus; dh->g = gen; - return (dh_gen_key(dh)); + return (dh); } DH * -dh_new_group1() +dh_new_group1(void) { static char *gen = "2", *group1 = "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" @@ -198,8 +201,9 @@ return (dh_new_group_asc(gen, group1)); } +#ifdef DEBUG_KEX void -dump_digest(unsigned char *digest, int len) +dump_digest(u_char *digest, int len) { int i; for (i = 0; i< len; i++){ @@ -209,8 +213,9 @@ } fprintf(stderr, "\n"); } +#endif -unsigned char * +u_char * kex_hash( char *client_version_string, char *server_version_string, @@ -222,7 +227,7 @@ BIGNUM *shared_secret) { Buffer b; - static unsigned char digest[EVP_MAX_MD_SIZE]; + static u_char digest[EVP_MAX_MD_SIZE]; EVP_MD *evp_md = EVP_sha1(); EVP_MD_CTX md; @@ -242,7 +247,7 @@ buffer_put_bignum2(&b, client_dh_pub); buffer_put_bignum2(&b, server_dh_pub); buffer_put_bignum2(&b, shared_secret); - + #ifdef DEBUG_KEX buffer_dump(&b); #endif @@ -259,7 +264,7 @@ return digest; } -unsigned char * +u_char * kex_hash_gex( char *client_version_string, char *server_version_string, @@ -272,7 +277,7 @@ BIGNUM *shared_secret) { Buffer b; - static unsigned char digest[EVP_MAX_MD_SIZE]; + static u_char digest[EVP_MAX_MD_SIZE]; EVP_MD *evp_md = EVP_sha1(); EVP_MD_CTX md; @@ -295,7 +300,7 @@ buffer_put_bignum2(&b, client_dh_pub); buffer_put_bignum2(&b, server_dh_pub); buffer_put_bignum2(&b, shared_secret); - + #ifdef DEBUG_KEX buffer_dump(&b); #endif @@ -312,8 +317,8 @@ return digest; } -unsigned char * -derive_key(int id, int need, char unsigned *hash, BIGNUM *shared_secret) +u_char * +derive_key(int id, int need, u_char *hash, BIGNUM *shared_secret) { Buffer b; EVP_MD *evp_md = EVP_sha1(); 
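Review bot: the choose_hostkeyalg hunk is an improvement (it frees the matched name and accepts any type key_type_from_name knows rather than only ssh-dss), but `fatal("bad hostkey alg '%s'", ...)` is now reachable only for a name that matched on both sides yet is unknown to key_type_from_name, i.e. a local inconsistency rather than peer input; a comment saying so would stop readers treating it as a negotiation failure. Also worth noting next to the kex_hash/kex_hash_gex hunks: both still return a pointer to a static digest buffer, so the result must be consumed before the next call.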
@@ -321,7 +326,7 @@ char c = id; int have; int mdsz = evp_md->md_size; - unsigned char *digest = xmalloc(((need+mdsz-1)/mdsz)*mdsz); + u_char *digest = xmalloc(((need+mdsz-1)/mdsz)*mdsz); buffer_init(&b); buffer_put_bignum2(&b, shared_secret); @@ -364,7 +369,7 @@ c = cp = xstrdup(client); s = sp = xstrdup(server); - for ((p = strsep(&sp, SEP)), i=0; p && *p != '\0'; + for ((p = strsep(&sp, SEP)), i=0; p && *p != '\0'; (p = strsep(&sp, SEP)), i++) { if (i < MAX_PROP) sproposals[i] = p; @@ -373,7 +378,7 @@ } nproposals = i; - for ((p = strsep(&cp, SEP)), i=0; p && *p != '\0'; + for ((p = strsep(&cp, SEP)), i=0; p && *p != '\0'; (p = strsep(&cp, SEP)), i++) { for (j = 0; j < nproposals; j++) { if (strcmp(p, sproposals[j]) == 0) { @@ -408,18 +413,12 @@ char *name = get_match(client, server); if (name == NULL) fatal("no matching mac found: client %s server %s", client, server); - if (strcmp(name, "hmac-md5") == 0) { - mac->md = EVP_md5(); - } else if (strcmp(name, "hmac-sha1") == 0) { - mac->md = EVP_sha1(); - } else if (strcmp(name, "hmac-ripemd160@openssh.com") == 0) { - mac->md = EVP_ripemd160(); - } else { + if (mac_init(mac, name) < 0) fatal("unsupported mac %s", name); - } + /* truncate the key */ + if (datafellows & SSH_BUG_HMAC) + mac->key_len = 16; mac->name = name; - mac->mac_len = mac->md->md_size; - mac->key_len = (datafellows & SSH_BUG_HMAC) ? 16 : mac->mac_len; mac->key = NULL; mac->enabled = 0; } @@ -454,11 +453,13 @@ void choose_hostkeyalg(Kex *k, char *client, char *server) { - k->hostkeyalg = get_match(client, server); - if (k->hostkeyalg == NULL) + char *hostkeyalg = get_match(client, server); + if (hostkeyalg == NULL) fatal("no hostkey alg"); - if (strcmp(k->hostkeyalg, KEX_DSS) != 0) - fatal("bad hostkey alg %s", k->hostkeyalg); + k->hostkey_type = key_type_from_name(hostkeyalg); + if (k->hostkey_type == KEY_UNSPEC) + fatal("bad hostkey alg '%s'", hostkeyalg); + xfree(hostkeyalg); } Kex * 
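Review bot: in the choose_mac hunk, `mac->key_len = 16` after mac_init() truncates the MAC key for peers carrying SSH_BUG_HMAC regardless of the chosen algorithm; the comment says "truncate the key" but should say why (the old 16-byte-key interoperability bug) and that it is gated on the peer's own version string, which is bound into the exchange hash and so cannot be substituted by a man in the middle. `mac->name = name` also keeps the string returned by get_match, whereas choose_hostkeyalg now frees its copy; make sure the name is released when the Kex is, or this leaks one allocation per negotiation.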
@@ -506,12 +507,12 @@ } int -kex_derive_keys(Kex *k, unsigned char *hash, BIGNUM *shared_secret) +kex_derive_keys(Kex *k, u_char *hash, BIGNUM *shared_secret) { int i; int mode; int ctos; - unsigned char *keys[NKEYS]; + u_char *keys[NKEYS]; for (i = 0; i < NKEYS; i++) keys[i] = derive_key('A'+i, k->we_need, hash, shared_secret); diff -ru openssh-2.3.0p1/kex.h openssh-2.5.1p1/kex.h --- openssh-2.3.0p1/kex.h 2000-10-14 16:23:12.000000000 +1100 +++ openssh-2.5.1p1/kex.h 2001-02-15 14:01:59.000000000 +1100 @@ -1,3 +1,5 @@ +/* $OpenBSD: kex.h,v 1.14 2001/02/11 12:59:24 markus Exp $ */ + /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -24,9 +26,11 @@ #ifndef KEX_H #define KEX_H +#include +#include "buffer.h" + #define KEX_DH1 "diffie-hellman-group1-sha1" #define KEX_DHGEX "diffie-hellman-group-exchange-sha1" -#define KEX_DSS "ssh-dss" enum kex_init_proposals { PROPOSAL_KEX_ALGS, @@ -52,7 +56,7 @@ DH_GRP1_SHA1, DH_GEX_SHA1 }; - + typedef struct Kex Kex; typedef struct Mac Mac; typedef struct Comp Comp; @@ -62,15 +66,15 @@ char *name; Cipher *cipher; int enabled; - unsigned char *key; - unsigned char *iv; + u_char *key; + u_char *iv; }; struct Mac { char *name; int enabled; EVP_MD *md; int mac_len; - unsigned char *key; + u_char *key; int key_len; }; struct Comp { @@ -85,7 +89,7 @@ int we_need; int server; char *name; - char *hostkeyalg; + int hostkey_type; int kex_type; }; @@ -97,14 +101,15 @@ Kex * kex_choose_conf(char *cprop[PROPOSAL_MAX], char *sprop[PROPOSAL_MAX], int server); -int kex_derive_keys(Kex *k, unsigned char *hash, BIGNUM *shared_secret); +int kex_derive_keys(Kex *k, u_char *hash, BIGNUM *shared_secret); void packet_set_kex(Kex *k); int dh_pub_is_valid(DH *dh, BIGNUM *dh_pub); DH *dh_new_group_asc(const char *, const char *); DH *dh_new_group(BIGNUM *, BIGNUM *); -DH *dh_new_group1(); +void dh_gen_key(DH *); +DH *dh_new_group1(void); -unsigned char * +u_char * kex_hash( char *client_version_string, char *server_version_string, 
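Review bot: in the kex.h hunk the prototype `void dh_gen_key(DH *);` is added without the remark that callers now own exchange-value generation; that note currently lives only in kex.c above dh_new_group, where callers of dh_new_group1 and dh_new_group_asc will not see it. Put "returns only the group, call dh_gen_key() before use" on the dh_new_group*/dh_gen_key prototypes here.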
@@ -115,7 +120,7 @@ BIGNUM *server_dh_pub, BIGNUM *shared_secret); -unsigned char * +u_char * kex_hash_gex( char *client_version_string, char *server_version_string, diff -ru openssh-2.3.0p1/key.c openssh-2.5.1p1/key.c --- openssh-2.3.0p1/key.c 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.1p1/key.c 2001-02-06 05:16:28.000000000 +1100 @@ -31,20 +31,20 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - #include "includes.h" -#include "ssh.h" -#include -#include +RCSID("$OpenBSD: key.c,v 1.17 2001/02/04 15:32:24 stevesk Exp $"); + #include + #include "xmalloc.h" #include "key.h" -#include "dsa.h" +#include "rsa.h" +#include "ssh-dss.h" +#include "ssh-rsa.h" #include "uuencode.h" - -RCSID("$OpenBSD: key.c,v 1.11 2000/09/07 20:27:51 deraadt Exp $"); - -#define SSH_DSS "ssh-dss" +#include "buffer.h" +#include "bufaux.h" +#include "log.h" Key * key_new(int type) @@ -57,6 +57,7 @@ k->dsa = NULL; k->rsa = NULL; switch (k->type) { + case KEY_RSA1: case KEY_RSA: rsa = RSA_new(); rsa->n = BN_new(); @@ -71,7 +72,7 @@ dsa->pub_key = BN_new(); k->dsa = dsa; break; - case KEY_EMPTY: + case KEY_UNSPEC: break; default: fatal("key_new: bad key type %d", k->type); @@ -79,10 +80,35 @@ } return k; } +Key * +key_new_private(int type) +{ + Key *k = key_new(type); + switch (k->type) { + case KEY_RSA1: + case KEY_RSA: + k->rsa->d = BN_new(); + k->rsa->iqmp = BN_new(); + k->rsa->q = BN_new(); + k->rsa->p = BN_new(); + k->rsa->dmq1 = BN_new(); + k->rsa->dmp1 = BN_new(); + break; + case KEY_DSA: + k->dsa->priv_key = BN_new(); + break; + case KEY_UNSPEC: + break; + default: + break; + } + return k; +} void key_free(Key *k) { switch (k->type) { + case KEY_RSA1: case KEY_RSA: if (k->rsa != NULL) RSA_free(k->rsa); @@ -93,6 +119,8 @@ DSA_free(k->dsa); k->dsa = NULL; break; + case KEY_UNSPEC: + break; default: fatal("key_free: bad key type %d", k->type); break; 
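Review bot: key_new_private() in key.c does not check the `BN_new()` results it assigns to the RSA CRT components and `dsa->priv_key`, and its `default: break;` silently returns a key with no private members for an unknown type, whereas key_new() calls fatal() in the same situation. Since key_new() has already rejected bad types, make the default branch `fatal("key_new_private: bad key type %d", k->type)` for consistency, or comment that it is unreachable. The missing BN_new() checks are a pre-existing omission shared with key_new() and can be a follow-up.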
@@ -105,6 +133,7 @@ if (a == NULL || b == NULL || a->type != b->type) return 0; switch (a->type) { + case KEY_RSA1: case KEY_RSA: return a->rsa != NULL && b->rsa != NULL && BN_cmp(a->rsa->e, b->rsa->e) == 0 && @@ -132,12 +161,13 @@ key_fingerprint(Key *k) { static char retval[(EVP_MAX_MD_SIZE+1)*3]; - unsigned char *blob = NULL; + u_char *blob = NULL; int len = 0; int nlen, elen; + retval[0] = '\0'; switch (k->type) { - case KEY_RSA: + case KEY_RSA1: nlen = BN_num_bytes(k->rsa->n); elen = BN_num_bytes(k->rsa->e); len = nlen + elen; @@ -146,17 +176,19 @@ BN_bn2bin(k->rsa->e, blob + nlen); break; case KEY_DSA: - dsa_make_key_blob(k, &blob, &len); + case KEY_RSA: + key_to_blob(k, &blob, &len); + break; + case KEY_UNSPEC: + return retval; break; default: fatal("key_fingerprint: bad key type %d", k->type); break; } - retval[0] = '\0'; - if (blob != NULL) { int i; - unsigned char digest[EVP_MAX_MD_SIZE]; + u_char digest[EVP_MAX_MD_SIZE]; EVP_MD *md = EVP_md5(); EVP_MD_CTX ctx; EVP_DigestInit(&ctx, md); 
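Review bot: the key_fingerprint() change hashes a KEY_RSA1 key over the raw n||e bytes but a KEY_RSA key over the key_to_blob() wire encoding, so the same RSA modulus yields two different fingerprints depending on which type it was loaded as; that is right for compatibility with ssh1 fingerprints but deserves a comment at the `case KEY_RSA1:` label. The new `case KEY_UNSPEC: return retval;` hands back an empty string without any diagnostic, which callers that print the result directly will not notice, so log it at debug level; the `break` after that `return` is unreachable.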
@@ -226,59 +258,109 @@ return 0; } fprintf(f, " %s", buf); - free(buf); + xfree(buf); return 1; } -unsigned int + +/* returns 1 ok, -1 error, 0 type mismatch */ +int key_read(Key *ret, char **cpp) { Key *k; - unsigned int bits = 0; - char *cp; - int len, n; - unsigned char *blob; + int success = -1; + char *cp, *space; + int len, n, type; + u_int bits; + u_char *blob; cp = *cpp; switch(ret->type) { - case KEY_RSA: + case KEY_RSA1: /* Get number of bits. */ if (*cp < '0' || *cp > '9') - return 0; /* Bad bit count... */ + return -1; /* Bad bit count... */ for (bits = 0; *cp >= '0' && *cp <= '9'; cp++) bits = 10 * bits + *cp - '0'; if (bits == 0) - return 0; + return -1; *cpp = cp; /* Get public exponent, public modulus. */ if (!read_bignum(cpp, ret->rsa->e)) - return 0; + return -1; if (!read_bignum(cpp, ret->rsa->n)) - return 0; + return -1; + success = 1; break; + case KEY_UNSPEC: + case KEY_RSA: case KEY_DSA: - if (strncmp(cp, SSH_DSS " ", 7) != 0) + space = strchr(cp, ' '); + if (space == NULL) { + debug3("key_read: no space"); + return -1; + } + *space = '\0'; + type = key_type_from_name(cp); + *space = ' '; + if (type == KEY_UNSPEC) { + debug3("key_read: no key found"); + return -1; + } + cp = space+1; + if (*cp == '\0') { + debug3("key_read: short string"); + return -1; + } + if (ret->type == KEY_UNSPEC) { + ret->type = type; + } else if (ret->type != type) { + /* is a key, but different type */ + debug3("key_read: type mismatch"); return 0; - cp += 7; + } len = 2*strlen(cp); blob = xmalloc(len); n = uudecode(cp, blob, len); if (n < 0) { error("key_read: uudecode %s failed", cp); - return 0; + return -1; } - k = dsa_key_from_blob(blob, n); + k = key_from_blob(blob, n); if (k == NULL) { - error("key_read: dsa_key_from_blob %s failed", cp); - return 0; + error("key_read: key_from_blob %s failed", cp); + return -1; } xfree(blob); - if (ret->dsa != NULL) - DSA_free(ret->dsa); - ret->dsa = k->dsa; - k->dsa = NULL; + if (k->type != type) { + error("key_read: type 
mismatch: encoding error"); + key_free(k); + return -1; + } +/*XXXX*/ + if (ret->type == KEY_RSA) { + if (ret->rsa != NULL) + RSA_free(ret->rsa); + ret->rsa = k->rsa; + k->rsa = NULL; + success = 1; +#ifdef DEBUG_PK + RSA_print_fp(stderr, ret->rsa, 8); +#endif + } else { + if (ret->dsa != NULL) + DSA_free(ret->dsa); + ret->dsa = k->dsa; + k->dsa = NULL; + success = 1; +#ifdef DEBUG_PK + DSA_print_fp(stderr, ret->dsa, 8); +#endif + } +/*XXXX*/ + if (success != 1) + break; key_free(k); - bits = BN_num_bits(ret->dsa->p); /* advance cp: skip whitespace and data */ while (*cp == ' ' || *cp == '\t') cp++; @@ -290,15 +372,15 @@ fatal("key_read: bad key type: %d", ret->type); break; } - return bits; + return success; } int key_write(Key *key, FILE *f) { int success = 0; - unsigned int bits = 0; + u_int bits = 0; - if (key->type == KEY_RSA && key->rsa != NULL) { + if (key->type == KEY_RSA1 && key->rsa != NULL) { /* size of modulus 'n' */ bits = BN_num_bits(key->rsa->n); fprintf(f, "%u", bits); @@ -308,14 +390,15 @@ } else { error("key_write: failed for RSA key"); } - } else if (key->type == KEY_DSA && key->dsa != NULL) { + } else if ((key->type == KEY_DSA && key->dsa != NULL) || + (key->type == KEY_RSA && key->rsa != NULL)) { int len, n; - unsigned char *blob, *uu; - dsa_make_key_blob(key, &blob, &len); + u_char *blob, *uu; + key_to_blob(key, &blob, &len); uu = xmalloc(2*len); n = uuencode(blob, len, uu, 2*len); if (n > 0) { - fprintf(f, "%s %s", SSH_DSS, uu); + fprintf(f, "%s %s", key_ssh_name(key), uu); success = 1; } xfree(blob); @@ -327,6 +410,9 @@ key_type(Key *k) { switch (k->type) { + case KEY_RSA1: + return "RSA1"; + break; case KEY_RSA: return "RSA"; break; 
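Review bot: key_read() in key.c leaks `blob` on both new error paths: `blob = xmalloc(len)` is followed by uudecode(), and when `n < 0` or when key_from_blob() returns NULL the function returns -1 before reaching `xfree(blob)`; free it in each error branch, or move `xfree(blob)` to directly after the key_from_blob() call and keep the NULL check after it. The `if (success != 1) break;` after the two `/*XXXX*/` blocks is unreachable because both branches set `success = 1` unconditionally, and the `/*XXXX*/` markers should either go or say what is still pending. The new `/* returns 1 ok, -1 error, 0 type mismatch */` comment should also mention that the function writes a temporary NUL into the caller's buffer (`*space = '\0'`), so `*cpp` must point at writable memory. In key_write(), `int len` is passed as `&len` to key_to_blob(), whose length parameter is `u_int *`; make the types agree.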
@@ -336,9 +422,23 @@ } return "unknown"; } -unsigned int +char * +key_ssh_name(Key *k) +{ + switch (k->type) { + case KEY_RSA: + return "ssh-rsa"; + break; + case KEY_DSA: + return "ssh-dss"; + break; + } + return "ssh-unknown"; +} +u_int key_size(Key *k){ switch (k->type) { + case KEY_RSA1: case KEY_RSA: return BN_num_bits(k->rsa->n); break; 
@@ -348,3 +448,219 @@ } return 0; } + +RSA * +rsa_generate_private_key(u_int bits) +{ + RSA *private; + private = RSA_generate_key(bits, 35, NULL, NULL); + if (private == NULL) + fatal("rsa_generate_private_key: key generation failed."); + return private; +} + +DSA* +dsa_generate_private_key(u_int bits) +{ + DSA *private = DSA_generate_parameters(bits, NULL, 0, NULL, NULL, NULL, NULL); + if (private == NULL) + fatal("dsa_generate_private_key: DSA_generate_parameters failed"); + if (!DSA_generate_key(private)) + fatal("dsa_generate_private_key: DSA_generate_key failed."); + if (private == NULL) + fatal("dsa_generate_private_key: NULL."); + return private; +} + +Key * +key_generate(int type, u_int bits) +{ + Key *k = key_new(KEY_UNSPEC); + switch (type) { + case KEY_DSA: + k->dsa = dsa_generate_private_key(bits); + break; + case KEY_RSA: + case KEY_RSA1: + k->rsa = rsa_generate_private_key(bits); + break; + default: + fatal("key_generate: unknown type %d", type); + } + k->type = type; + return k; +} + +Key * +key_from_private(Key *k) +{ + Key *n = NULL; + switch (k->type) { + case KEY_DSA: + n = key_new(k->type); + BN_copy(n->dsa->p, k->dsa->p); + BN_copy(n->dsa->q, k->dsa->q); + BN_copy(n->dsa->g, k->dsa->g); + BN_copy(n->dsa->pub_key, k->dsa->pub_key); + break; + case KEY_RSA: + case KEY_RSA1: + n = key_new(k->type); + BN_copy(n->rsa->n, k->rsa->n); + BN_copy(n->rsa->e, k->rsa->e); + break; + default: + fatal("key_from_private: unknown type %d", k->type); + break; + } + return n; +} + +int +key_type_from_name(char *name) +{ + if (strcmp(name, "rsa1") == 0){ + return KEY_RSA1; + } else if (strcmp(name, "rsa") == 0){ + return KEY_RSA; + } else if (strcmp(name, "dsa") == 0){ + return KEY_DSA; + } else if (strcmp(name, "ssh-rsa") == 0){ + return KEY_RSA; + } else if (strcmp(name, "ssh-dss") == 0){ + return KEY_DSA; + } + debug("key_type_from_name: unknown key type '%s'", name); + return KEY_UNSPEC; +} + +Key * +key_from_blob(char *blob, int blen) +{ + Buffer b; + char 
*ktype; + int rlen, type; + Key *key = NULL; + +#ifdef DEBUG_PK + dump_base64(stderr, blob, blen); +#endif + buffer_init(&b); + buffer_append(&b, blob, blen); + ktype = buffer_get_string(&b, NULL); + type = key_type_from_name(ktype); + + switch(type){ + case KEY_RSA: + key = key_new(type); + buffer_get_bignum2(&b, key->rsa->e); + buffer_get_bignum2(&b, key->rsa->n); +#ifdef DEBUG_PK + RSA_print_fp(stderr, key->rsa, 8); +#endif + break; + case KEY_DSA: + key = key_new(type); + buffer_get_bignum2(&b, key->dsa->p); + buffer_get_bignum2(&b, key->dsa->q); + buffer_get_bignum2(&b, key->dsa->g); + buffer_get_bignum2(&b, key->dsa->pub_key); +#ifdef DEBUG_PK + DSA_print_fp(stderr, key->dsa, 8); +#endif + break; + case KEY_UNSPEC: + key = key_new(type); + break; + default: + error("key_from_blob: cannot handle type %s", ktype); + break; + } + rlen = buffer_len(&b); + if (key != NULL && rlen != 0) + error("key_from_blob: remaining bytes in key blob %d", rlen); + xfree(ktype); + buffer_free(&b); + return key; +} + +int +key_to_blob(Key *key, u_char **blobp, u_int *lenp) +{ + Buffer b; + int len; + u_char *buf; + + if (key == NULL) { + error("key_to_blob: key == NULL"); + return 0; + } + buffer_init(&b); + switch(key->type){ + case KEY_DSA: + buffer_put_cstring(&b, key_ssh_name(key)); + buffer_put_bignum2(&b, key->dsa->p); + buffer_put_bignum2(&b, key->dsa->q); + buffer_put_bignum2(&b, key->dsa->g); + buffer_put_bignum2(&b, key->dsa->pub_key); + break; + case KEY_RSA: + buffer_put_cstring(&b, key_ssh_name(key)); + buffer_put_bignum2(&b, key->rsa->e); + buffer_put_bignum2(&b, key->rsa->n); + break; + default: + error("key_to_blob: illegal key type %d", key->type); + break; + } + len = buffer_len(&b); + buf = xmalloc(len); + memcpy(buf, buffer_ptr(&b), len); + memset(buffer_ptr(&b), 0, len); + buffer_free(&b); + if (lenp != NULL) + *lenp = len; + if (blobp != NULL) + *blobp = buf; + return len; +} + +int +key_sign( + Key *key, + u_char **sigp, int *lenp, + u_char *data, int 
datalen) +{ + switch(key->type){ + case KEY_DSA: + return ssh_dss_sign(key, sigp, lenp, data, datalen); + break; + case KEY_RSA: + return ssh_rsa_sign(key, sigp, lenp, data, datalen); + break; + default: + error("key_sign: illegal key type %d", key->type); + return -1; + break; + } +} + +int +key_verify( + Key *key, + u_char *signature, int signaturelen, + u_char *data, int datalen) +{ + switch(key->type){ + case KEY_DSA: + return ssh_dss_verify(key, signature, signaturelen, data, datalen); + break; + case KEY_RSA: + return ssh_rsa_verify(key, signature, signaturelen, data, datalen); + break; + default: + error("key_verify: illegal key type %d", key->type); + return -1; + break; + } +} diff -ru openssh-2.3.0p1/key.h openssh-2.5.1p1/key.h --- openssh-2.3.0p1/key.h 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.1p1/key.h 2001-01-29 18:39:26.000000000 +1100 @@ -1,3 +1,5 @@ +/* $OpenBSD: key.h,v 1.9 2001/01/29 01:58:16 niklas Exp $ */ + /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -24,11 +26,15 @@ #ifndef KEY_H #define KEY_H +#include +#include + typedef struct Key Key; enum types { + KEY_RSA1, KEY_RSA, KEY_DSA, - KEY_EMPTY + KEY_UNSPEC }; struct Key { int type; 
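Review bot: in the new key_from_blob() (key.c hunk @@ -348,3 +448,219 @@) an unrecognised type string falls into `case KEY_UNSPEC:` and returns a non-NULL key with neither `rsa` nor `dsa` set, and leftover bytes only produce an error() while the key is still returned; blobs here can come from the peer, so fail closed: return NULL for KEY_UNSPEC and when `rlen != 0` (key_read() compensates with its own `k->type != type` check, other callers will not). Related signedness nits: key_from_blob() takes `char *blob` while key_to_blob() produces, and key_read() passes, `u_char *`; and key_to_blob()'s `u_int *lenp` receives `&len` with `int len` from both key_fingerprint() and key_write(). In key_to_blob() the `default:` branch should return 0 before the `xmalloc(len)` with `len == 0` and the `*blobp = buf` assignment, since callers ignore the return value. In dsa_generate_private_key() the second `if (private == NULL)` after `DSA_generate_key(private)` is unreachable. rsa_generate_private_key() hard-codes public exponent 35 with no comment; if that is kept for compatibility with existing ssh1 keys, say so, otherwise use RSA_F4. Finally, key_type_from_name() accepts both the short names ("rsa1", "rsa", "dsa") and the wire names ("ssh-rsa", "ssh-dss"), and key_read() applies it to the first token of a public-key line, so `rsa AAAA...` is accepted alongside `ssh-rsa AAAA...`; if only wire names are meant to be valid in authorized_keys and known_hosts, split the lookup.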
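Review bot: key.h inserts `KEY_RSA1` at the front of `enum types`, which shifts the numeric values of KEY_RSA and KEY_DSA; harmless as long as the values never leave the process, so please confirm that nothing (agent protocol, private key file headers) serialises `Key.type` as an integer. The `KEY_EMPTY` to `KEY_UNSPEC` rename is applied consistently in key.c within this diff.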
@@ -37,12 +43,33 @@ }; Key *key_new(int type); +Key *key_new_private(int type); void key_free(Key *k); int key_equal(Key *a, Key *b); char *key_fingerprint(Key *k); char *key_type(Key *k); int key_write(Key *key, FILE *f); -unsigned int key_read(Key *key, char **cpp); -unsigned int key_size(Key *k); +int key_read(Key *key, char **cpp); +u_int key_size(Key *k); + +Key *key_generate(int type, u_int bits); +Key *key_from_private(Key *k); +int key_type_from_name(char *name); + +Key *key_from_blob(char *blob, int blen); +int key_to_blob(Key *key, u_char **blobp, u_int *lenp); +char *key_ssh_name(Key *k); + +int +key_sign( + Key *key, + u_char **sigp, int *lenp, + u_char *data, int datalen); + +int +key_verify( + Key *key, + u_char *signature, int signaturelen, + u_char *data, int datalen); #endif diff -ru openssh-2.3.0p1/log-client.c openssh-2.5.1p1/log-client.c --- openssh-2.3.0p1/log-client.c 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.1p1/log-client.c 2001-01-22 16:34:42.000000000 +1100 @@ -36,10 +36,10 @@ */ #include "includes.h" -RCSID("$OpenBSD: log-client.c,v 1.12 2000/09/12 20:53:10 markus Exp $"); +RCSID("$OpenBSD: log-client.c,v 1.15 2001/01/21 19:05:50 markus Exp $"); #include "xmalloc.h" -#include "ssh.h" +#include "log.h" static LogLevel log_level = SYSLOG_LEVEL_INFO; @@ -53,8 +53,8 @@ { switch (level) { case SYSLOG_LEVEL_QUIET: - case SYSLOG_LEVEL_ERROR: case SYSLOG_LEVEL_FATAL: + case SYSLOG_LEVEL_ERROR: case SYSLOG_LEVEL_INFO: case SYSLOG_LEVEL_VERBOSE: case SYSLOG_LEVEL_DEBUG1: diff -ru openssh-2.3.0p1/log-server.c openssh-2.5.1p1/log-server.c --- openssh-2.3.0p1/log-server.c 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.1p1/log-server.c 2001-01-22 16:34:42.000000000 +1100 
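Review bot: key.h changes key_read() from returning the bit count (`unsigned int`) to returning a 1/-1/0 status (`int`); every caller that did `bits = key_read(...)` and tested for non-zero must now treat -1 as failure and obtain the size from key_size(), and none of those callers are in this diff, so please confirm they were all updated (a caller testing `if (!key_read(...))` would now accept failures). Copy the `/* returns 1 ok, -1 error, 0 type mismatch */` comment from key.c next to the prototype so the contract is visible where it is used.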
@@ -36,18 +36,12 @@ */ #include "includes.h" -RCSID("$OpenBSD: log-server.c,v 1.17 2000/09/12 20:53:10 markus Exp $"); +RCSID("$OpenBSD: log-server.c,v 1.20 2001/01/21 19:05:50 markus Exp $"); #include #include "packet.h" #include "xmalloc.h" -#include "ssh.h" - -#ifdef HAVE___PROGNAME -extern char *__progname; -#else /* HAVE___PROGNAME */ -static const char *__progname = "sshd"; -#endif /* HAVE___PROGNAME */ +#include "log.h" static LogLevel log_level = SYSLOG_LEVEL_INFO; static int log_on_stderr = 0; @@ -64,8 +58,8 @@ { switch (level) { case SYSLOG_LEVEL_QUIET: - case SYSLOG_LEVEL_ERROR: case SYSLOG_LEVEL_FATAL: + case SYSLOG_LEVEL_ERROR: case SYSLOG_LEVEL_INFO: case SYSLOG_LEVEL_VERBOSE: case SYSLOG_LEVEL_DEBUG1: @@ -88,6 +82,11 @@ case SYSLOG_FACILITY_AUTH: log_facility = LOG_AUTH; break; +#ifdef LOG_AUTHPRIV + case SYSLOG_FACILITY_AUTHPRIV: + log_facility = LOG_AUTHPRIV; + break; +#endif case SYSLOG_FACILITY_LOCAL0: log_facility = LOG_LOCAL0; break; @@ -129,19 +128,22 @@ char fmtbuf[MSGBUFSIZ]; char *txt = NULL; int pri = LOG_INFO; + extern char *__progname; if (level > log_level) return; switch (level) { - case SYSLOG_LEVEL_ERROR: - txt = "error"; - pri = LOG_ERR; - break; case SYSLOG_LEVEL_FATAL: txt = "fatal"; + pri = LOG_CRIT; + break; + case SYSLOG_LEVEL_ERROR: + txt = "error"; pri = LOG_ERR; break; case SYSLOG_LEVEL_INFO: + pri = LOG_INFO; + break; case SYSLOG_LEVEL_VERBOSE: pri = LOG_INFO; break; diff -ru openssh-2.3.0p1/log.c openssh-2.5.1p1/log.c --- openssh-2.3.0p1/log.c 2000-10-14 16:23:12.000000000 +1100 +++ openssh-2.5.1p1/log.c 2001-01-22 16:34:42.000000000 +1100 @@ -36,9 +36,9 @@ */ #include "includes.h" -RCSID("$OpenBSD: log.c,v 1.11 2000/09/30 16:27:43 markus Exp $"); +RCSID("$OpenBSD: log.c,v 1.15 2001/01/21 19:05:51 markus Exp $"); -#include "ssh.h" +#include "log.h" #include "xmalloc.h" /* Fatal messages. This function never returns. */ 
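Review bot: log-server.c drops the portable fallback (`static const char *__progname = "sshd"` under `#ifndef HAVE___PROGNAME`) and instead declares `extern char *__progname` inside the logging function; unless a definition now lives elsewhere in the portable tree, this is a link failure on platforms whose libc has no `__progname`, so please point at where it is defined. In the same hunk SYSLOG_LEVEL_FATAL moves from LOG_ERR to LOG_CRIT, which changes what existing syslog filters see, and the split `case SYSLOG_LEVEL_INFO: pri = LOG_INFO; break;` duplicates the VERBOSE case that follows it; both deserve a line in the release notes or a comment.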
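Review bot: the `SYSLOG_FACILITY_AUTHPRIV` case in log-server.c (and the matching "AUTHPRIV" table entry in log.c) is only compiled when `LOG_AUTHPRIV` is defined, so the SyslogFacility documentation in sshd.8 should say the value is platform-dependent and what error a user sees when it is unavailable. It should also say why one would choose it: AUTH output can be routed to a world-readable log on some systems, while AUTHPRIV is the facility syslog implementations route to a restricted log, and sshd's auth messages carry usernames and source hosts.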
@@ -155,7 +155,7 @@ } } fatal("fatal_remove_cleanup: no such cleanup function: 0x%lx 0x%lx\n", - (unsigned long) proc, (unsigned long) context); + (u_long) proc, (u_long) context); } /* Cleanup and exit */ @@ -172,7 +172,7 @@ for (cu = fatal_cleanups; cu; cu = next_cu) { next_cu = cu->next; debug("Calling cleanup 0x%lx(0x%lx)", - (unsigned long) cu->proc, (unsigned long) cu->context); + (u_long) cu->proc, (u_long) cu->context); (*cu->proc) (cu->context); } exit(255); @@ -187,6 +187,9 @@ { "DAEMON", SYSLOG_FACILITY_DAEMON }, { "USER", SYSLOG_FACILITY_USER }, { "AUTH", SYSLOG_FACILITY_AUTH }, +#ifdef LOG_AUTHPRIV + { "AUTHPRIV", SYSLOG_FACILITY_AUTHPRIV }, +#endif { "LOCAL0", SYSLOG_FACILITY_LOCAL0 }, { "LOCAL1", SYSLOG_FACILITY_LOCAL1 }, { "LOCAL2", SYSLOG_FACILITY_LOCAL2 }, Only in openssh-2.5.1p1: log.h Only in openssh-2.3.0p1: login.c diff -ru openssh-2.3.0p1/loginrec.c openssh-2.5.1p1/loginrec.c --- openssh-2.3.0p1/loginrec.c 2000-09-30 21:34:44.000000000 +1100 +++ openssh-2.5.1p1/loginrec.c 2001-02-05 23:42:17.000000000 +1100 @@ -30,7 +30,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/** +/** ** loginrec.c: platform-independent login recording and lastlog retrieval **/ @@ -63,7 +63,7 @@ requires very thorough testing so we do not corrupt local auditing information. These files and their access methods are very system specific indeed. - + For utmpx systems, the corresponding library functions are setutxent() etc. To the author's knowledge, all utmpx systems have these library functions and so no direct write is attempted. If such 
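Review bot: most of the loginrec.c hunks from here on (the comment blocks at @@ -63, @@ -82 and @@ -127, and the many `-`/`+` pairs that differ only in trailing whitespace) are whitespace-only; they swamp the real changes in this file (the new log.h/atomicio.h and util.h/libutil.h includes, the NeXT Sparc note, the sgi special case removed from line_stripname()), so it would help reviewers to land the whitespace cleanup as a separate commit.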
@@ -82,14 +82,14 @@ Calling the new code -------------------- - + In OpenSSH all login recording and retrieval is performed in login.c. Here you'll find working examples. Also, in the logintest.c program there are more examples. Internal handler calling method ------------------------------- - + When a call is made to login_login() or login_logout(), both routines set a struct logininfo flag defining which action (log in, or log out) is to be taken. They both then call login_write(), which @@ -127,7 +127,7 @@ with 'make logintest' as it's not built by default.) Otherwise, patches to the specific method(s) are very helpful! - + */ /** @@ -143,7 +143,7 @@ ** Solaris ** HP-UX 10.20 (gcc only) ** IRIX - ** NeXT - M68k/HPPA (4.2/3.3) + ** NeXT - M68k/HPPA/Sparc (4.2/3.3) ** ** Testing required: Please send reports! ** NetBSD @@ -160,8 +160,18 @@ #include "ssh.h" #include "xmalloc.h" #include "loginrec.h" +#include "log.h" +#include "atomicio.h" -RCSID("$Id: loginrec.c,v 1.26 2000/09/30 10:34:44 djm Exp $"); +RCSID("$Id: loginrec.c,v 1.31 2001/02/05 12:42:17 stevesk Exp $"); + +#ifdef HAVE_UTIL_H +# include +#endif + +#ifdef HAVE_LIBUTIL_H +# include +#endif /** ** prototypes for helper functions in this file @@ -197,7 +207,7 @@ **/ /* login_login(struct logininfo *) -Record a login - * + * * Call with a pointer to a struct logininfo initialised with * login_init_entry() or login_alloc_entry() * @@ -277,17 +287,17 @@ memset(li, '\0', sizeof(*li)); li->uid = uid; - /* + /* * If we don't have a 'real' lastlog, we need the username to * reliably search wtmp(x) for the last login (see - * wtmp_get_entry().) + * wtmp_get_entry().) */ pw = getpwuid(uid); if (pw == NULL) fatal("login_get_lastlog: Cannot find account for uid %i", uid); - + /* No MIN_SIZEOF here - we absolutely *must not* truncate the - * username */ + * username */ strlcpy(li->username, pw->pw_name, sizeof(li->username)); if (getlast_entry(li)) 
@@ -298,8 +308,8 @@ /* login_alloc_entry(int, char*, char*, char*) - Allocate and initialise - * a logininfo structure - * + * a logininfo structure + * * This function creates a new struct logininfo, a data structure * meant to carry the information required to portably record login info. * @@ -328,20 +338,20 @@ /* login_init_entry(struct logininfo *, int, char*, char*, char*) * - initialise a struct logininfo - * + * * Populates a new struct logininfo, a data structure meant to carry * the information required to portably record login info. * * Returns: 1 */ int -login_init_entry(struct logininfo *li, int pid, const char *username, +login_init_entry(struct logininfo *li, int pid, const char *username, const char *hostname, const char *line) { struct passwd *pw; - + memset(li, 0, sizeof(*li)); - + li->pid = pid; /* set the line information */ @@ -374,7 +384,7 @@ struct timeval tv; gettimeofday(&tv, NULL); - + li->tv_sec = tv.tv_sec; li->tv_usec = tv.tv_usec; } @@ -447,7 +457,7 @@ #else /* !USE_LASTLOG */ #ifdef DISABLE_LASTLOG - /* On some systems we shouldn't even try to obtain last login + /* On some systems we shouldn't even try to obtain last login * time, e.g. AIX */ return 0; # else /* DISABLE_LASTLOG */ @@ -465,7 +475,7 @@ return 0; # endif /* USE_WTMPX && (HAVE_TIME_IN_UTMPX || HAVE_TV_IN_UTMPX) */ # endif /* USE_WTMP && (HAVE_TIME_IN_UTMP || HAVE_TV_IN_UTMP) */ -# endif /* DISABLE_LASTLOG */ +# endif /* DISABLE_LASTLOG */ #endif /* USE_LASTLOG */ } @@ -508,13 +518,8 @@ line_stripname(char *dst, const char *src, int dstsize) { memset(dst, '\0', dstsize); -#ifdef sgi - if (strncmp(src, "/dev/tty", 8) == 0) - strlcpy(dst, src + 8, dstsize); -#else if (strncmp(src, "/dev/", 5) == 0) strlcpy(dst, src + 5, dstsize); -#endif else strlcpy(dst, src, dstsize); return dst; 
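Review bot: the line_stripname() hunk removes the `#ifdef sgi` branch that stripped "/dev/tty", leaving only the "/dev/" prefix strip, but line_abbrevname() just below keeps its own `#ifdef sgi` "/dev/tty" special case, so on IRIX the two helpers now disagree about what the line name is; if the sgi behaviour in line_stripname() was wrong the same reasoning applies to line_abbrevname(), and if the asymmetry is deliberate it needs a comment. Note that line_stripname() output also feeds logout() through a `char line[8]` buffer (hunk @@ -1290), so keeping the "tty" prefix leaves fewer characters for the tty name there.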
@@ -527,12 +532,12 @@ * NOTE: use strncpy because we do NOT necessarily want zero * termination */ char * -line_abbrevname(char *dst, const char *src, int dstsize) +line_abbrevname(char *dst, const char *src, int dstsize) { size_t len; - + memset(dst, '\0', dstsize); - + /* Always skip prefix if present */ #ifdef sgi if (strncmp(src, "/dev/tty", 8) == 0) @@ -541,7 +546,7 @@ if (strncmp(src, "/dev/", 5) == 0) src += 5; #endif - + len = strlen(src); if (len > 0) { @@ -549,9 +554,9 @@ src += ((int)len - dstsize); /* note: _don't_ change this to strlcpy */ - strncpy(dst, src, (size_t)dstsize); + strncpy(dst, src, (size_t)dstsize); } - + return dst; } @@ -615,7 +620,7 @@ /* * These fields are only used when logging in, and are blank - * for logouts. + * for logouts. */ /* Use strncpy because we don't necessarily want null termination */ @@ -627,7 +632,7 @@ /* this is just a 32-bit IP address */ if (li->hostaddr.sa.sa_family == AF_INET) ut->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr; -# endif +# endif } #endif /* USE_UTMP || USE_WTMP || USE_LOGIN */ @@ -679,7 +684,7 @@ /* * These fields are only used when logging in, and are blank - * for logouts. + * for logouts. */ /* strncpy(): Don't necessarily want null termination */ 
@@ -769,18 +774,18 @@ * If the new ut_line is empty but the old one is not * and ut_line and ut_name match, preserve the old ut_line. */ - if (atomicio(read, fd, &old_ut, sizeof(old_ut)) == sizeof(old_ut) && - (ut->ut_host[0] == '\0') && (old_ut.ut_host[0] != '\0') && - (strncmp(old_ut.ut_line, ut->ut_line, sizeof(ut->ut_line)) == 0) && + if (atomicio(read, fd, &old_ut, sizeof(old_ut)) == sizeof(old_ut) && + (ut->ut_host[0] == '\0') && (old_ut.ut_host[0] != '\0') && + (strncmp(old_ut.ut_line, ut->ut_line, sizeof(ut->ut_line)) == 0) && (strncmp(old_ut.ut_name, ut->ut_name, sizeof(ut->ut_name)) == 0)) { (void)memcpy(ut->ut_host, old_ut.ut_host, sizeof(ut->ut_host)); } - + (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); if (atomicio(write, fd, ut, sizeof(*ut)) != sizeof(*ut)) log("utmp_write_direct: error writing %s: %s", UTMP_FILE, strerror(errno)); - + (void)close(fd); return 1; } else { @@ -882,7 +887,7 @@ /* write a utmp entry direct to the file */ static int utmpx_write_direct(struct logininfo *li, struct utmpx *utx) -{ +{ log("utmpx_write_direct: not implemented!"); return 0; } @@ -952,7 +957,7 @@ ** Low-level wtmp functions **/ -#ifdef USE_WTMP +#ifdef USE_WTMP /* write a wtmp entry direct to the end of the file */ /* This is a slight modification of code in OpenBSD's logwtmp.c */ @@ -967,7 +972,7 @@ WTMP_FILE, strerror(errno)); return 0; } - if (fstat(fd, &buf) == 0) + if (fstat(fd, &buf) == 0) if (atomicio(write, fd, ut, sizeof(*ut)) != sizeof(*ut)) { ftruncate(fd, buf.st_size); log("wtmp_write: problem writing %s: %s", @@ -1014,7 +1019,7 @@ /* Notes on fetching login data from wtmp/wtmpx - * + * * Logouts are usually recorded with (amongst other things) a blank * username on a given tty line. However, some systems (HP-UX is one) * leave all fields set, but change the ut_type field to DEAD_PROCESS. 
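Review bot: in the utmp_write_direct() hunk the result of `(void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET)` is discarded right before the `atomicio(write, ...)`; if the seek fails the record is written at the current offset, which after the preceding `atomicio(read, fd, &old_ut, ...)` is one record past the one just read, corrupting another tty's entry. Check the lseek() return the way wtmp_write() below checks fstat(), log, and bail. The hunk itself only changes trailing whitespace on the condition lines.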
@@ -1033,7 +1038,7 @@ static int wtmp_islogin(struct logininfo *li, struct utmp *ut) { - if (strncmp(li->username, ut->ut_name, + if (strncmp(li->username, ut->ut_name, MIN_SIZEOF(li->username, ut->ut_name)) == 0) { # ifdef HAVE_TYPE_IN_UTMP if (ut->ut_type & USER_PROCESS) @@ -1060,7 +1065,7 @@ WTMP_FILE, strerror(errno)); return 0; } - if (fstat(fd, &st) != 0) { + if (fstat(fd, &st) != 0) { log("wtmp_get_entry: couldn't stat %s: %s", WTMP_FILE, strerror(errno)); close(fd); @@ -1134,7 +1139,7 @@ return 0; } - if (fstat(fd, &buf) == 0) + if (fstat(fd, &buf) == 0) if (atomicio(write, fd, utx, sizeof(*utx)) != sizeof(*utx)) { ftruncate(fd, buf.st_size); log("wtmpx_write: problem writing %s: %s", @@ -1216,13 +1221,13 @@ WTMPX_FILE, strerror(errno)); return 0; } - if (fstat(fd, &st) != 0) { + if (fstat(fd, &st) != 0) { log("wtmpx_get_entry: couldn't stat %s: %s", WTMP_FILE, strerror(errno)); close(fd); return 0; } - + /* Seek to the start of the last struct utmpx */ if (lseek(fd, (off_t)(0-sizeof(struct utmpx)), SEEK_END) == -1 ) { /* probably a newly rotated wtmpx file */ @@ -1290,7 +1295,7 @@ { # ifdef HAVE_LOGOUT char line[8]; - + (void)line_stripname(line, li->line, sizeof(line)); if (!logout(line)) { @@ -1339,7 +1344,7 @@ { /* clear the structure */ memset(last, '\0', sizeof(*last)); - + (void)line_stripname(last->ll_line, li->line, sizeof(last->ll_line)); strlcpy(last->ll_host, li->hostname, MIN_SIZEOF(last->ll_host, li->hostname)); @@ -1352,7 +1357,7 @@ struct stat st; if (stat(LASTLOG_FILE, &st) != 0) { - log("lastlog_perform_login: Couldn't stat %s: %s", LASTLOG_FILE, + log("lastlog_perform_login: Couldn't stat %s: %s", LASTLOG_FILE, strerror(errno)); return 0; } 
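Review bot: wtmp_islogin() (context of the @@ -1033 hunk) tests `if (ut->ut_type & USER_PROCESS)`; `ut_type` is an enumeration, not a bit mask, and in SVR4-style utmp.h INIT_PROCESS (5) and LOGIN_PROCESS (6) share bits with USER_PROCESS (7), so init and login records with a matching ut_name are reported as logins and skew the last-login lookup; this should read `ut->ut_type == USER_PROCESS`. The hunk only touches whitespace on the strncmp line, but since the function is being edited the fix belongs here.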
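Review bot: in the wtmpx_get_entry() hunk the fstat() failure message names the wrong file: `log("wtmpx_get_entry: couldn't stat %s: %s", WTMP_FILE, strerror(errno))` should use WTMPX_FILE, as the open() error two lines above it does; it looks copied from wtmp_get_entry().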
@@ -1394,18 +1399,18 @@ lastlog_file, strerror(errno)); return 0; } - + if (type == LL_FILE) { /* find this uid's offset in the lastlog file */ offset = (off_t) ( (long)li->uid * sizeof(struct lastlog)); if ( lseek(*fd, offset, SEEK_SET) != offset ) { log("lastlog_openseek: %s->lseek(): %s", - lastlog_file, strerror(errno)); + lastlog_file, strerror(errno)); return 0; } } - + return 1; } @@ -1420,7 +1425,7 @@ if (!lastlog_openseek(li, &fd, O_RDWR|O_CREAT)) return(0); - + /* write the entry */ if (atomicio(write, fd, &last, sizeof(last)) != sizeof(last)) { close(fd); @@ -1449,7 +1454,7 @@ lastlog_populate_entry(struct logininfo *li, struct lastlog *last) { line_fullname(li->line, last->ll_line, sizeof(li->line)); - strlcpy(li->hostname, last->ll_host, + strlcpy(li->hostname, last->ll_host, MIN_SIZEOF(li->hostname, last->ll_host)); li->tv_sec = last->ll_time; } @@ -1470,7 +1475,7 @@ return 1; } } else { - return 0; + return 0; } } #endif /* USE_LASTLOG */ diff -ru openssh-2.3.0p1/loginrec.h openssh-2.5.1p1/loginrec.h --- openssh-2.3.0p1/loginrec.h 2000-06-27 11:18:27.000000000 +1000 +++ openssh-2.5.1p1/loginrec.h 2001-02-05 23:42:18.000000000 +1100 @@ -30,7 +30,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/** +/** ** loginrec.h: platform-independent login recording and lastlog retrieval **/ @@ -40,7 +40,7 @@ #include #include -/* RCSID("$Id: loginrec.h,v 1.4 2000/06/27 01:18:27 djm Exp $"); */ +/* RCSID("$Id: loginrec.h,v 1.5 2001/02/05 12:42:18 stevesk Exp $"); */ /** ** you should use the login_* calls to work around platform dependencies @@ -86,7 +86,7 @@ * use time_t's value as tv_sec and set tv_usec to 0 */ unsigned int tv_sec; - unsigned int tv_usec; + unsigned int tv_usec; union login_netinfo hostaddr; /* caller's host address(es) */ }; /* struct logininfo */ 
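Review bot: in lastlog_openseek() the offset is computed as `(off_t) ( (long)li->uid * sizeof(struct lastlog))`; the multiplication happens in `long`/`size_t` before the cast to off_t, so on 32-bit platforms a large uid (uid times sizeof(struct lastlog) exceeding 32 bits, which NIS/LDAP ranges can reach) wraps and the lseek() lands on another user's record. Cast before multiplying: `(off_t)li->uid * sizeof(struct lastlog)`. The lines in this hunk change only whitespace.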
@@ -102,7 +102,7 @@ /* free a structure */ void login_free_entry(struct logininfo *li); /* fill out a pre-allocated structure with useful information */ -int login_init_entry(struct logininfo *li, int pid, const char *username, +int login_init_entry(struct logininfo *li, int pid, const char *username, const char *hostname, const char *line); /* place the current time in a logininfo struct */ void login_set_current_time(struct logininfo *li); diff -ru openssh-2.3.0p1/logintest.c openssh-2.5.1p1/logintest.c --- openssh-2.3.0p1/logintest.c 2000-06-19 18:25:36.000000000 +1000 +++ openssh-2.5.1p1/logintest.c 2001-02-05 23:42:18.000000000 +1100 @@ -27,7 +27,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/** +/** ** logintest.c: simple test driver for platform-independent login recording ** and lastlog retrieval **/ @@ -48,7 +48,7 @@ #include "loginrec.h" -RCSID("$Id: logintest.c,v 1.6 2000/06/19 08:25:36 andre Exp $"); +RCSID("$Id: logintest.c,v 1.7 2001/02/05 12:42:18 stevesk Exp $"); #define PAUSE_BEFORE_LOGOUT 3 @@ -74,10 +74,10 @@ "\t\t\tfamily\t%d\n\t\t}\n" "\t}\n" "}\n", - descname, li->progname, li->type, + descname, li->progname, li->type, li->pid, li->uid, li->line, - li->username, li->hostname, li->exit, - li->termination, li->tv_sec, li->tv_usec, + li->username, li->hostname, li->exit, + li->termination, li->tv_sec, li->tv_usec, li->hostaddr.sa.sa_family); } @@ -134,7 +134,7 @@ if (nologtest) return 1; - + line_stripname(stripline, li1->line, sizeof(stripline)); printf("Performing an invalid login attempt (no type field)\n--\n"); @@ -159,11 +159,11 @@ #endif printf("--\n"); login_login(li1); - + snprintf(cmdstring, sizeof(cmdstring), "who | grep '%s '", stripline); system(cmdstring); - + printf("--\nPausing for %d second(s)...\n", PAUSE_BEFORE_LOGOUT); sleep(PAUSE_BEFORE_LOGOUT); 
@@ -205,12 +205,12 @@ #endif printf("--\nThe output of 'last' shown next should have " - "an entry for root \n on %s for the time shown above:\n--\n", + "an entry for root \n on %s for the time shown above:\n--\n", stripline); snprintf(cmdstring, sizeof(cmdstring), "last | grep '%s ' | head -3", stripline); system(cmdstring); - + printf("--\nEnd of login test.\n"); login_free_entry(li1); @@ -255,9 +255,9 @@ /* show which options got compiled in */ void showOptions(void) -{ +{ printf("**\n** Compile-time options\n**\n"); - + printf("login recording methods selected:\n"); #ifdef USE_LOGIN printf("\tUSE_LOGIN\n"); @@ -293,17 +293,17 @@ else if (strncmp(argv[1], "-v", 3) == 0) be_verbose=1; } - + if (!compile_opts_only) { if (be_verbose && !testOutput()) return 1; - + if (!testAPI()) return 1; } showOptions(); - + return 0; } /* main() */ Only in openssh-2.5.1p1: mac.c Only in openssh-2.5.1p1: mac.h diff -ru openssh-2.3.0p1/match.c openssh-2.5.1p1/match.c --- openssh-2.3.0p1/match.c 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.1p1/match.c 2001-01-22 16:34:42.000000000 +1100 @@ -12,9 +12,9 @@ */ #include "includes.h" -RCSID("$OpenBSD: match.c,v 1.9 2000/09/07 20:27:52 deraadt Exp $"); +RCSID("$OpenBSD: match.c,v 1.11 2001/01/21 19:05:52 markus Exp $"); -#include "ssh.h" +#include "match.h" /* * Returns true if the given string matches the pattern (which may contain ? @@ -87,12 +87,12 @@ */ int -match_hostname(const char *host, const char *pattern, unsigned int len) +match_hostname(const char *host, const char *pattern, u_int len) { char sub[1024]; int negated; int got_positive; - unsigned int i, subi; + u_int i, subi; got_positive = 0; for (i = 0; i < len;) { diff -ru openssh-2.3.0p1/match.h openssh-2.5.1p1/match.h --- openssh-2.3.0p1/match.h 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.1p1/match.h 2001-01-29 18:39:26.000000000 +1100 
@@ -1,3 +1,5 @@ +/* $OpenBSD: match.h,v 1.6 2001/01/29 01:58:17 niklas Exp $ */ + /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -26,6 +28,6 @@ * indicate negation). Returns -1 if negation matches, 1 if there is * a positive match, 0 if there is no match at all. */ -int match_hostname(const char *host, const char *pattern, unsigned int len); +int match_hostname(const char *host, const char *pattern, u_int len); #endif diff -ru openssh-2.3.0p1/md5crypt.c openssh-2.5.1p1/md5crypt.c --- openssh-2.3.0p1/md5crypt.c 2000-04-16 12:31:51.000000000 +1000 +++ openssh-2.5.1p1/md5crypt.c 2001-02-09 12:55:36.000000000 +1100 @@ -15,23 +15,23 @@ * Adapted from shadow-19990607 by Tudor Bosman, tudorb@jm.nu */ -#include "config.h" +#include "includes.h" + +RCSID("$Id: md5crypt.c,v 1.5 2001/02/09 01:55:36 djm Exp $"); #if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) -#include -#include #include static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */ "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; static char *magic = "$1$"; /* - * This string is magic for - * this algorithm. Having - * it this way, we can get - * get better later on - */ + * This string is magic for + * this algorithm. Having + * it this way, we can get + * get better later on + */ static void to64(char *s, unsigned long v, int n) @@ -45,7 +45,7 @@ int is_md5_salt(const char *salt) { - return (!strncmp(salt, magic, strlen(magic))); + return (!strncmp(salt, magic, strlen(magic))); } /* diff -ru openssh-2.3.0p1/md5crypt.h openssh-2.5.1p1/md5crypt.h --- openssh-2.3.0p1/md5crypt.h 1999-12-28 15:09:36.000000000 +1100 +++ openssh-2.5.1p1/md5crypt.h 2001-02-09 12:55:36.000000000 +1100 
@@ -15,6 +15,8 @@ * Adapted from shadow-19990607 by Tudor Bosman, tudorb@jm.nu */ +/* $Id: md5crypt.h,v 1.3 2001/02/09 01:55:36 djm Exp $ */ + #ifndef _MD5CRYPT_H #define _MD5CRYPT_H Only in openssh-2.5.1p1: misc.c Only in openssh-2.5.1p1: misc.h diff -ru openssh-2.3.0p1/mpaux.c openssh-2.5.1p1/mpaux.c --- openssh-2.3.0p1/mpaux.c 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.1p1/mpaux.c 2001-02-09 13:11:24.000000000 +1100 @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: mpaux.c,v 1.14 2000/09/07 20:27:52 deraadt Exp $"); +RCSID("$OpenBSD: mpaux.c,v 1.16 2001/02/08 19:30:52 itojun Exp $"); #include #include "getput.h" @@ -21,16 +21,18 @@ #include +#include "mpaux.h" + void -compute_session_id(unsigned char session_id[16], - unsigned char cookie[8], +compute_session_id(u_char session_id[16], + u_char cookie[8], BIGNUM* host_key_n, BIGNUM* session_key_n) { - unsigned int host_key_bytes = BN_num_bytes(host_key_n); - unsigned int session_key_bytes = BN_num_bytes(session_key_n); - unsigned int bytes = host_key_bytes + session_key_bytes; - unsigned char *buf = xmalloc(bytes); + u_int host_key_bytes = BN_num_bytes(host_key_n); + u_int session_key_bytes = BN_num_bytes(session_key_n); + u_int bytes = host_key_bytes + session_key_bytes; + u_char *buf = xmalloc(bytes); MD5_CTX md; BN_bn2bin(host_key_n, buf); diff -ru openssh-2.3.0p1/mpaux.h openssh-2.5.1p1/mpaux.h --- openssh-2.3.0p1/mpaux.h 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.1p1/mpaux.h 2000-12-22 12:44:00.000000000 +1100 @@ -12,7 +12,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: mpaux.h,v 1.8 2000/09/07 20:27:52 deraadt Exp $"); */ +/* RCSID("$OpenBSD: mpaux.h,v 1.9 2000/12/19 23:17:57 markus Exp $"); */ #ifndef MPAUX_H #define MPAUX_H 
@@ -23,8 +23,8 @@ * representations of host_key_n, session_key_n, and the cookie. */ void -compute_session_id(unsigned char session_id[16], - unsigned char cookie[8], +compute_session_id(u_char session_id[16], + u_char cookie[8], BIGNUM * host_key_n, BIGNUM * session_key_n); diff -ru openssh-2.3.0p1/myproposal.h openssh-2.5.1p1/myproposal.h --- openssh-2.3.0p1/myproposal.h 2000-10-14 16:23:12.000000000 +1100 +++ openssh-2.5.1p1/myproposal.h 2001-02-15 14:01:59.000000000 +1100 @@ -1,3 +1,5 @@ +/* $OpenBSD: myproposal.h,v 1.11 2001/02/11 12:59:24 markus Exp $ */ + /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -22,13 +24,16 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #define KEX_DEFAULT_KEX "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1" -#define KEX_DEFAULT_PK_ALG "ssh-dss" +#define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss" #define KEX_DEFAULT_ENCRYPT \ "3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \ "aes128-cbc,aes192-cbc,aes256-cbc," \ "rijndael128-cbc,rijndael192-cbc,rijndael256-cbc," \ "rijndael-cbc@lysator.liu.se" -#define KEX_DEFAULT_MAC "hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com" +#define KEX_DEFAULT_MAC \ + "hmac-sha1,hmac-md5,hmac-ripemd160," \ + "hmac-ripemd160@openssh.com," \ + "hmac-sha1-96,hmac-md5-96" #define KEX_DEFAULT_COMP "none,zlib" #define KEX_DEFAULT_LANG "" diff -ru openssh-2.3.0p1/nchan.c openssh-2.5.1p1/nchan.c --- openssh-2.3.0p1/nchan.c 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.1p1/nchan.c 2001-02-05 23:42:18.000000000 +1100 @@ -23,17 +23,16 @@ */ #include "includes.h" -RCSID("$OpenBSD: nchan.c,v 1.19 2000/09/07 20:27:52 deraadt Exp $"); - -#include "ssh.h" +RCSID("$OpenBSD: nchan.c,v 1.22 2001/01/21 19:05:52 markus Exp $"); +#include "ssh1.h" +#include "ssh2.h" #include "buffer.h" #include "packet.h" #include "channels.h" #include "nchan.h" - -#include "ssh2.h" #include "compat.h" +#include "log.h" /* functions manipulating channel states */ /* 
@@ -253,6 +252,8 @@ static void chan_delete_if_full_closed1(Channel *c) { + debug3("channel %d: chan_delete_if_full_closed1: istate %d ostate %d", + c->self, c->istate, c->ostate); if (c->istate == CHAN_INPUT_CLOSED && c->ostate == CHAN_OUTPUT_CLOSED) { debug("channel %d: full closed", c->self); channel_free(c->self); @@ -403,6 +404,8 @@ static void chan_delete_if_full_closed2(Channel *c) { + debug3("channel %d: chan_delete_if_full_closed2: istate %d ostate %d", + c->self, c->istate, c->ostate); if (c->istate == CHAN_INPUT_CLOSED && c->ostate == CHAN_OUTPUT_CLOSED) { if (!(c->flags & CHAN_CLOSE_SENT)) { chan_send_close2(c); @@ -478,7 +481,7 @@ return; debug("channel %d: close_read", c->self); if (c->sock != -1) { - /* + /* * shutdown(sock, SHUT_READ) may return ENOTCONN if the * write side has been closed already. (bug on Linux) */ diff -ru openssh-2.3.0p1/nchan.ms openssh-2.5.1p1/nchan.ms --- openssh-2.3.0p1/nchan.ms 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.1p1/nchan.ms 2001-01-29 18:39:26.000000000 +1100 @@ -1,3 +1,5 @@ +.\" $OpenBSD: nchan.ms,v 1.7 2001/01/29 01:58:17 niklas Exp $ +.\" .\" .\" Copyright (c) 1999 Markus Friedl. All rights reserved. .\" Only in openssh-2.3.0p1: news4-posix.h Only in openssh-2.3.0p1: next-posix.c Only in openssh-2.3.0p1: next-posix.h Only in openssh-2.5.1p1: openbsd-compat Only in openssh-2.3.0p1: openbsd-compat.h diff -ru openssh-2.3.0p1/packet.c openssh-2.5.1p1/packet.c --- openssh-2.3.0p1/packet.c 2000-10-14 16:23:12.000000000 +1100 +++ openssh-2.5.1p1/packet.c 2001-02-15 14:12:08.000000000 +1100 @@ -37,13 +37,12 @@ */ #include "includes.h" -RCSID("$OpenBSD: packet.c,v 1.38 2000/10/12 14:21:12 markus Exp $"); +RCSID("$OpenBSD: packet.c,v 1.51 2001/02/12 22:56:09 deraadt Exp $"); #include "xmalloc.h" #include "buffer.h" #include "packet.h" #include "bufaux.h" -#include "ssh.h" #include "crc32.h" #include "getput.h" 
@@ -52,15 +51,14 @@ #include "channels.h" #include "compat.h" +#include "ssh1.h" #include "ssh2.h" -#include -#include -#include -#include "buffer.h" #include "cipher.h" #include "kex.h" -#include "hmac.h" +#include "mac.h" +#include "log.h" +#include "canohost.h" #ifdef PACKET_DEBUG #define DBG(x) x @@ -84,7 +82,7 @@ static int cipher_type = SSH_CIPHER_NONE; /* Protocol flags for the remote side. */ -static unsigned int remote_protocol_flags = 0; +static u_int remote_protocol_flags = 0; /* Encryption context for receiving data. This is only used for decryption. */ static CipherContext receive_context; @@ -167,8 +165,8 @@ connection_in = fd_in; connection_out = fd_out; cipher_type = SSH_CIPHER_NONE; - cipher_init(&send_context, none, (unsigned char *) "", 0, NULL, 0); - cipher_init(&receive_context, none, (unsigned char *) "", 0, NULL, 0); + cipher_init(&send_context, none, (u_char *) "", 0, NULL, 0); + cipher_init(&receive_context, none, (u_char *) "", 0, NULL, 0); if (!initialized) { initialized = 1; buffer_init(&input); @@ -281,7 +279,7 @@ /* Sets remote side protocol flags. */ void -packet_set_protocol_flags(unsigned int protocol_flags) +packet_set_protocol_flags(u_int protocol_flags) { remote_protocol_flags = protocol_flags; channel_set_options((protocol_flags & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) != 0); @@ -289,7 +287,7 @@ /* Returns the remote protocol flags set earlier by the above function. */ -unsigned int +u_int packet_get_protocol_flags() { return remote_protocol_flags; @@ -318,7 +316,7 @@ void packet_encrypt(CipherContext * cc, void *dest, void *src, - unsigned int bytes) + u_int bytes) { cipher_encrypt(cc, dest, src, bytes); } @@ -329,7 +327,7 @@ */ void -packet_decrypt(CipherContext *context, void *dest, void *src, unsigned int bytes) +packet_decrypt(CipherContext *context, void *dest, void *src, u_int bytes) { /* * Cryptographic attack detector for ssh - Modifications for packet.c 
@@ -350,7 +348,7 @@ */ void -packet_set_encryption_key(const unsigned char *key, unsigned int keylen, +packet_set_encryption_key(const u_char *key, u_int keylen, int number) { Cipher *cipher = cipher_by_number(number); @@ -410,7 +408,7 @@ /* Appends an integer to the packet data. */ void -packet_put_int(unsigned int value) +packet_put_int(u_int value) { buffer_put_int(&outgoing_packet, value); } @@ -418,7 +416,7 @@ /* Appends a string to packet data. */ void -packet_put_string(const char *buf, unsigned int len) +packet_put_string(const char *buf, u_int len) { buffer_put_string(&outgoing_packet, buf, len); } @@ -429,7 +427,7 @@ } void -packet_put_raw(const char *buf, unsigned int len) +packet_put_raw(const char *buf, u_int len) { buffer_append(&outgoing_packet, buf, len); } @@ -454,11 +452,11 @@ */ void -packet_send1() +packet_send1(void) { char buf[8], *cp; int i, padding, len; - unsigned int checksum; + u_int checksum; u_int32_t rand = 0; /* @@ -493,7 +491,7 @@ buffer_consume(&outgoing_packet, 8 - padding); /* Add check bytes. */ - checksum = ssh_crc32((unsigned char *) buffer_ptr(&outgoing_packet), + checksum = ssh_crc32((u_char *) buffer_ptr(&outgoing_packet), buffer_len(&outgoing_packet)); PUT_32BIT(buf, checksum); buffer_append(&outgoing_packet, buf, 4); @@ -528,14 +526,14 @@ * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue) */ void -packet_send2() +packet_send2(void) { - unsigned char *macbuf = NULL; + static u_int32_t seqnr = 0; + u_char *macbuf = NULL; char *cp; - unsigned int packet_length = 0; - unsigned int i, padlen, len; + u_int packet_length = 0; + u_int i, padlen, len; u_int32_t rand = 0; - static unsigned int seqnr = 0; int type; Enc *enc = NULL; Mac *mac = NULL; 
@@ -603,11 +601,9 @@ /* compute MAC over seqnr and packet(length fields, payload, padding) */ if (mac && mac->enabled) { - macbuf = hmac( mac->md, seqnr, - (unsigned char *) buffer_ptr(&outgoing_packet), - buffer_len(&outgoing_packet), - mac->key, mac->key_len - ); + macbuf = mac_compute(mac, seqnr, + (u_char *) buffer_ptr(&outgoing_packet), + buffer_len(&outgoing_packet)); DBG(debug("done calc MAC out #%d", seqnr)); } /* encrypt packet and append to output buffer. */ @@ -692,7 +688,9 @@ FD_SET(connection_in, &set); /* Wait for some data to arrive. */ - select(connection_in + 1, &set, NULL, NULL, NULL); + while (select(connection_in + 1, &set, NULL, NULL, NULL) == -1 && + (errno == EAGAIN || errno == EINTR)) + ; /* Read data from the socket. */ len = read(connection_in, buf, sizeof(buf)); @@ -742,16 +740,16 @@ int packet_read_poll1(int *payload_len_ptr) { - unsigned int len, padded_len; - unsigned char *ucp; + u_int len, padded_len; + u_char *ucp; char buf[8], *cp; - unsigned int checksum, stored_checksum; + u_int checksum, stored_checksum; /* Check if input size is less than minimum packet size. */ if (buffer_len(&input) < 4 + 8) return SSH_MSG_NONE; /* Get length of incoming packet. */ - ucp = (unsigned char *) buffer_ptr(&input); + ucp = (u_char *) buffer_ptr(&input); len = GET_32BIT(ucp); if (len < 1 + 2 + 2 || len > 256 * 1024) packet_disconnect("Bad packet length %d.", len); @@ -778,7 +776,7 @@ #endif /* Compute packet checksum. */ - checksum = ssh_crc32((unsigned char *) buffer_ptr(&incoming_packet), + checksum = ssh_crc32((u_char *) buffer_ptr(&incoming_packet), buffer_len(&incoming_packet) - 4); /* Skip padding. */ 
@@ -790,7 +788,7 @@ packet_disconnect("packet_read_poll: len %d != buffer_len %d.", len, buffer_len(&incoming_packet)); - ucp = (unsigned char *) buffer_ptr(&incoming_packet) + len - 4; + ucp = (u_char *) buffer_ptr(&incoming_packet) + len - 4; stored_checksum = GET_32BIT(ucp); if (checksum != stored_checksum) packet_disconnect("Corrupted check bytes on input."); @@ -811,18 +809,18 @@ *payload_len_ptr = buffer_len(&incoming_packet); /* Return type. */ - return (unsigned char) buf[0]; + return (u_char) buf[0]; } int packet_read_poll2(int *payload_len_ptr) { - unsigned int padlen, need; - unsigned char buf[8], *macbuf; - unsigned char *ucp; + static u_int32_t seqnr = 0; + static u_int packet_length = 0; + u_int padlen, need; + u_char buf[8], *macbuf; + u_char *ucp; char *cp; - static unsigned int packet_length = 0; - static unsigned int seqnr = 0; int type; int maclen, block_size; Enc *enc = NULL; @@ -848,7 +846,7 @@ buffer_append_space(&incoming_packet, &cp, block_size); packet_decrypt(&receive_context, cp, buffer_ptr(&input), block_size); - ucp = (unsigned char *) buffer_ptr(&incoming_packet); + ucp = (u_char *) buffer_ptr(&incoming_packet); packet_length = GET_32BIT(ucp); if (packet_length < 1 + 4 || packet_length > 256 * 1024) { buffer_dump(&incoming_packet); @@ -882,11 +880,9 @@ * increment sequence number for incoming packet */ if (mac && mac->enabled) { - macbuf = hmac( mac->md, seqnr, - (unsigned char *) buffer_ptr(&incoming_packet), - buffer_len(&incoming_packet), - mac->key, mac->key_len - ); + macbuf = mac_compute(mac, seqnr, + (u_char *) buffer_ptr(&incoming_packet), + buffer_len(&incoming_packet)); if (memcmp(macbuf, buffer_ptr(&input), mac->mac_len) != 0) packet_disconnect("Corrupted MAC on input."); DBG(debug("MAC #%d ok", seqnr)); @@ -926,7 +922,7 @@ packet_length = 0; /* extract packet type */ - type = (unsigned char)buf[0]; + type = (u_char)buf[0]; if (type == SSH2_MSG_NEWKEYS) { if (kex==NULL || mac==NULL || enc==NULL || comp==NULL) 
@@ -949,7 +945,7 @@ fprintf(stderr, "read/plain[%d]:\r\n",type); buffer_dump(&incoming_packet); #endif - return (unsigned char)type; + return (u_char)type; } int @@ -979,14 +975,15 @@ case SSH2_MSG_DISCONNECT: reason = packet_get_int(); msg = packet_get_string(NULL); - log("Received disconnect: %d: %.900s", reason, msg); + log("Received disconnect from %s: %d: %.400s", get_remote_ipaddr(), + reason, msg); xfree(msg); fatal_cleanup(); break; default: return type; break; - } + } } else { switch(type) { case SSH_MSG_IGNORE: @@ -998,7 +995,8 @@ break; case SSH_MSG_DISCONNECT: msg = packet_get_string(NULL); - log("Received disconnect: %.900s", msg); + log("Received disconnect from %s: %.400s", get_remote_ipaddr(), + msg); fatal_cleanup(); xfree(msg); break; @@ -1007,7 +1005,7 @@ DBG(debug("received packet type %d", type)); return type; break; - } + } } } } @@ -1018,24 +1016,24 @@ */ void -packet_process_incoming(const char *buf, unsigned int len) +packet_process_incoming(const char *buf, u_int len) { buffer_append(&input, buf, len); } /* Returns a character from the packet. */ -unsigned int +u_int packet_get_char() { char ch; buffer_get(&incoming_packet, &ch, 1); - return (unsigned char) ch; + return (u_char) ch; } /* Returns an integer from the packet data. */ -unsigned int +u_int packet_get_int() { return buffer_get_int(&incoming_packet); @@ -1081,7 +1079,7 @@ */ char * -packet_get_string(unsigned int *length_ptr) +packet_get_string(u_int *length_ptr) { return buffer_get_string(&incoming_packet, length_ptr); } @@ -1101,6 +1099,9 @@ char buf[1024]; va_list args; + if (compat20 && (datafellows & SSH_BUG_DEBUG)) + return; + va_start(args, fmt); vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); 
@@ -1196,9 +1197,12 @@ packet_write_poll(); while (packet_have_data_to_write()) { fd_set set; + FD_ZERO(&set); FD_SET(connection_out, &set); - select(connection_out + 1, NULL, &set, NULL, NULL); + while (select(connection_out + 1, NULL, &set, NULL, NULL) == -1 && + (errno == EAGAIN || errno == EINTR)) + ; packet_write_poll(); } } 
@@ -1225,48 +1229,48 @@ /* Informs that the current session is interactive. Sets IP flags for that. */ void -packet_set_interactive(int interactive, int keepalives) +packet_set_interactive(int interactive) { + static int called = 0; + int lowdelay = IPTOS_LOWDELAY; + int throughput = IPTOS_THROUGHPUT; int on = 1; + if (called) + return; + called = 1; + /* Record that we are in interactive mode. */ interactive_mode = interactive; /* Only set socket options if using a socket. */ if (!packet_connection_is_on_socket()) return; - if (keepalives) { - /* Set keepalives if requested. */ - if (setsockopt(connection_in, SOL_SOCKET, SO_KEEPALIVE, (void *) &on, - sizeof(on)) < 0) - error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); - } /* - * IPTOS_LOWDELAY, TCP_NODELAY and IPTOS_THROUGHPUT are IPv4 only + * IPTOS_LOWDELAY and IPTOS_THROUGHPUT are IPv4 only */ - if (!packet_connection_is_ipv4()) - return; if (interactive) { /* * Set IP options for an interactive connection. Use * IPTOS_LOWDELAY and TCP_NODELAY. */ #if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN) - int lowdelay = IPTOS_LOWDELAY; - if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, (void *) &lowdelay, - sizeof(lowdelay)) < 0) - error("setsockopt IPTOS_LOWDELAY: %.100s", strerror(errno)); + if (packet_connection_is_ipv4()) { + if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, + (void *) &lowdelay, sizeof(lowdelay)) < 0) + error("setsockopt IPTOS_LOWDELAY: %.100s", + strerror(errno)); + } #endif if (setsockopt(connection_in, IPPROTO_TCP, TCP_NODELAY, (void *) &on, sizeof(on)) < 0) error("setsockopt TCP_NODELAY: %.100s", strerror(errno)); - } else { + } else if (packet_connection_is_ipv4()) { /* * Set IP options for a non-interactive connection. Use * IPTOS_THROUGHPUT. 
*/ #if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN) - int throughput = IPTOS_THROUGHPUT; if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, (void *) &throughput, sizeof(throughput)) < 0) error("setsockopt IPTOS_THROUGHPUT: %.100s", strerror(errno)); diff -ru openssh-2.3.0p1/packet.h openssh-2.5.1p1/packet.h --- openssh-2.3.0p1/packet.h 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.1p1/packet.h 2001-01-18 13:04:35.000000000 +1100 @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: packet.h,v 1.17 2000/09/07 20:27:52 deraadt Exp $"); */ +/* RCSID("$OpenBSD: packet.h,v 1.19 2001/01/13 18:32:50 markus Exp $"); */ #ifndef PACKET_H #define PACKET_H @@ -46,17 +46,17 @@ * encrypted independently of each other. Cipher types are defined in ssh.h. */ void -packet_set_encryption_key(const unsigned char *key, unsigned int keylen, +packet_set_encryption_key(const u_char *key, u_int keylen, int cipher_type); /* * Sets remote side protocol flags for the current connection. This can be * called at any time. */ -void packet_set_protocol_flags(unsigned int flags); +void packet_set_protocol_flags(u_int flags); /* Returns the remote protocol flags set earlier by the above function. */ -unsigned int packet_get_protocol_flags(void); +u_int packet_get_protocol_flags(void); /* Enables compression in both directions starting from the next packet. */ void packet_start_compression(int level); @@ -65,7 +65,7 @@ * Informs that the current session is interactive. Sets IP flags for * optimal performance in interactive use. */ -void packet_set_interactive(int interactive, int keepalives); +void packet_set_interactive(int interactive); /* Returns true if the current connection is interactive. */ int packet_is_interactive(void); 
@@ -77,16 +77,16 @@ void packet_put_char(int ch); /* Appends an integer to the packet data. */ -void packet_put_int(unsigned int value); +void packet_put_int(u_int value); /* Appends an arbitrary precision integer to packet data. */ void packet_put_bignum(BIGNUM * value); void packet_put_bignum2(BIGNUM * value); /* Appends a string to packet data. */ -void packet_put_string(const char *buf, unsigned int len); +void packet_put_string(const char *buf, u_int len); void packet_put_cstring(const char *str); -void packet_put_raw(const char *buf, unsigned int len); +void packet_put_raw(const char *buf, u_int len); /* * Finalizes and sends the packet. If the encryption key has been set, @@ -117,13 +117,13 @@ * Buffers the given amount of input characters. This is intended to be used * together with packet_read_poll. */ -void packet_process_incoming(const char *buf, unsigned int len); +void packet_process_incoming(const char *buf, u_int len); /* Returns a character (0-255) from the packet data. */ -unsigned int packet_get_char(void); +u_int packet_get_char(void); /* Returns an integer from the packet data. */ -unsigned int packet_get_int(void); +u_int packet_get_int(void); /* * Returns an arbitrary precision integer from the packet data. The integer @@ -139,7 +139,7 @@ * no longer needed. The length_ptr argument may be NULL, or point to an * integer into which the length of the string is stored. */ -char *packet_get_string(unsigned int *length_ptr); +char *packet_get_string(u_int *length_ptr); /* * Logs the error in syslog using LOG_INFO, constructs and sends a disconnect Only in openssh-2.5.1p1: pathnames.h Only in openssh-2.5.1p1: primes Only in openssh-2.3.0p1: pty.c Only in openssh-2.3.0p1: pty.h diff -ru openssh-2.3.0p1/radix.c openssh-2.5.1p1/radix.c --- openssh-2.3.0p1/radix.c 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.1p1/radix.c 2001-01-18 13:04:35.000000000 +1100 
@@ -25,19 +25,19 @@ #include "includes.h" #include "uuencode.h" -RCSID("$OpenBSD: radix.c,v 1.13 2000/09/07 20:27:52 deraadt Exp $"); +RCSID("$OpenBSD: radix.c,v 1.15 2001/01/16 23:58:09 deraadt Exp $"); #ifdef AFS #include -typedef unsigned char my_u_char; -typedef unsigned int my_u_int32_t; -typedef unsigned short my_u_short; +typedef u_char my_u_char; +typedef u_int my_u_int32_t; +typedef u_short my_u_short; /* Nasty macros from BIND-4.9.2 */ #define GETSHORT(s, cp) { \ - register my_u_char *t_cp = (my_u_char*)(cp); \ + register my_u_char *t_cp = (my_u_char *)(cp); \ (s) = (((my_u_short)t_cp[0]) << 8) \ | (((my_u_short)t_cp[1])) \ ; \ @@ -45,7 +45,7 @@ } #define GETLONG(l, cp) { \ - register my_u_char *t_cp = (my_u_char*)(cp); \ + register my_u_char *t_cp = (my_u_char *)(cp); \ (l) = (((my_u_int32_t)t_cp[0]) << 24) \ | (((my_u_int32_t)t_cp[1]) << 16) \ | (((my_u_int32_t)t_cp[2]) << 8) \ @@ -56,7 +56,7 @@ #define PUTSHORT(s, cp) { \ register my_u_short t_s = (my_u_short)(s); \ - register my_u_char *t_cp = (my_u_char*)(cp); \ + register my_u_char *t_cp = (my_u_char *)(cp); \ *t_cp++ = t_s >> 8; \ *t_cp = t_s; \ (cp) += 2; \ @@ -64,7 +64,7 @@ #define PUTLONG(l, cp) { \ register my_u_int32_t t_l = (my_u_int32_t)(l); \ - register my_u_char *t_cp = (my_u_char*)(cp); \ + register my_u_char *t_cp = (my_u_char *)(cp); \ *t_cp++ = t_l >> 24; \ *t_cp++ = t_l >> 16; \ *t_cp++ = t_l >> 8; \ @@ -73,9 +73,9 @@ } #define GETSTRING(s, p, p_l) { \ - register char* p_targ = (p) + p_l; \ - register char* s_c = (s); \ - register char* p_c = (p); \ + register char *p_targ = (p) + p_l; \ + register char *s_c = (s); \ + register char *p_c = (p); \ while (*p_c && (p_c < p_targ)) { \ *s_c++ = *p_c++; \ } \ @@ -89,7 +89,7 @@ int -creds_to_radix(CREDENTIALS *creds, unsigned char *buf, size_t buflen) +creds_to_radix(CREDENTIALS *creds, u_char *buf, size_t buflen) { char *p, *s; int len; 
@@ -123,8 +123,8 @@ PUTLONG(creds->issue_date, p); { - unsigned int endTime; - endTime = (unsigned int) krb_life_to_time(creds->issue_date, + u_int endTime; + endTime = (u_int) krb_life_to_time(creds->issue_date, creds->lifetime); PUTLONG(endTime, p); } @@ -139,7 +139,7 @@ p += creds->ticket_st.length; len = p - temp; - return (uuencode((unsigned char *)temp, len, (char *)buf, buflen)); + return (uuencode((u_char *)temp, len, (char *)buf, buflen)); } int @@ -151,7 +151,7 @@ char version; char temp[2048]; - len = uudecode(buf, (unsigned char *)temp, sizeof(temp)); + len = uudecode(buf, (u_char *)temp, sizeof(temp)); if (len < 0) return 0; @@ -184,7 +184,7 @@ GETLONG(creds->issue_date, p); len -= 4; { - unsigned int endTime; + u_int endTime; GETLONG(endTime, p); len -= 4; creds->lifetime = krb_time_to_life(creds->issue_date, endTime); Only in openssh-2.5.1p1: radix.h diff -ru openssh-2.3.0p1/readconf.c openssh-2.5.1p1/readconf.c --- openssh-2.3.0p1/readconf.c 2000-10-14 16:23:12.000000000 +1100 +++ openssh-2.5.1p1/readconf.c 2001-02-15 14:02:00.000000000 +1100 @@ -12,13 +12,19 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.49 2000/10/11 20:27:23 markus Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.62 2001/02/11 12:59:25 markus Exp $"); #include "ssh.h" -#include "readconf.h" -#include "match.h" #include "xmalloc.h" #include "compat.h" +#include "cipher.h" +#include "pathnames.h" +#include "log.h" +#include "readconf.h" +#include "match.h" +#include "misc.h" +#include "kex.h" +#include "mac.h" /* Format of the configuration file: @@ -68,7 +74,7 @@ # Defaults for various options Host * ForwardAgent no - ForwardX11 yes + ForwardX11 no RhostsAuthentication yes PasswordAuthentication yes RSAAuthentication yes 
@@ -89,7 +95,7 @@ oBadOption, oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication, oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh, - oSkeyAuthentication, oXAuthLocation, + oChallengeResponseAuthentication, oXAuthLocation, #ifdef KRB4 oKerberosAuthentication, #endif /* KRB4 */ @@ -100,10 +106,10 @@ oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, - oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication, - oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oIdentityFile2, - oGlobalKnownHostsFile2, oUserKnownHostsFile2, oDSAAuthentication, - oKbdInteractiveAuthentication, oKbdInteractiveDevices + oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, + oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, + oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, + oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias } OpCodes; /* Textual representations of the tokens. */ @@ -122,8 +128,11 @@ { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, { "kbdinteractivedevices", oKbdInteractiveDevices }, { "rsaauthentication", oRSAAuthentication }, - { "dsaauthentication", oDSAAuthentication }, - { "skeyauthentication", oSkeyAuthentication }, + { "pubkeyauthentication", oPubkeyAuthentication }, + { "dsaauthentication", oPubkeyAuthentication }, /* alias */ + { "challengeresponseauthentication", oChallengeResponseAuthentication }, + { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ + { "tisauthentication", oChallengeResponseAuthentication }, /* alias */ #ifdef KRB4 { "kerberosauthentication", oKerberosAuthentication }, #endif /* KRB4 */ 
@@ -134,12 +143,14 @@ { "fallbacktorsh", oFallBackToRsh }, { "usersh", oUseRsh }, { "identityfile", oIdentityFile }, - { "identityfile2", oIdentityFile2 }, + { "identityfile2", oIdentityFile }, /* alias */ { "hostname", oHostName }, + { "hostkeyalias", oHostKeyAlias }, { "proxycommand", oProxyCommand }, { "port", oPort }, { "cipher", oCipher }, { "ciphers", oCiphers }, + { "macs", oMacs }, { "protocol", oProtocol }, { "remoteforward", oRemoteForward }, { "localforward", oLocalForward }, @@ -159,7 +170,6 @@ { "compressionlevel", oCompressionLevel }, { "keepalive", oKeepAlives }, { "numberofpasswordprompts", oNumberOfPasswordPrompts }, - { "tisauthentication", oTISAuthentication }, { "loglevel", oLogLevel }, { NULL, 0 } }; @@ -214,7 +224,7 @@ static OpCodes parse_token(const char *cp, const char *filename, int linenum) { - unsigned int i; + u_int i; for (i = 0; keywords[i].name; i++) if (strcasecmp(cp, keywords[i].name) == 0) @@ -245,7 +255,7 @@ /* Ignore leading whitespace. */ if (*keyword == '\0') keyword = strdelim(&s); - if (!*keyword || *keyword == '\n' || *keyword == '#') + if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#') return 0; opcode = parse_token(keyword, filename, linenum); @@ -300,8 +310,8 @@ charptr = &options->kbd_interactive_devices; goto parse_string; - case oDSAAuthentication: - intptr = &options->dsa_authentication; + case oPubkeyAuthentication: + intptr = &options->pubkey_authentication; goto parse_flag; case oRSAAuthentication: @@ -312,10 +322,8 @@ intptr = &options->rhosts_rsa_authentication; goto parse_flag; - case oTISAuthentication: - /* fallthrough, there is no difference on the client side */ - case oSkeyAuthentication: - intptr = &options->skey_authentication; + case oChallengeResponseAuthentication: + intptr = &options->challenge_reponse_authentication; goto parse_flag; #ifdef KRB4 
@@ -354,7 +362,7 @@ intptr = &options->strict_host_key_checking; arg = strdelim(&s); if (!arg || *arg == '\0') - fatal("%.200s line %d: Missing yes/no argument.", + fatal("%.200s line %d: Missing yes/no/ask argument.", filename, linenum); value = 0; /* To avoid compiler warning... */ if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) @@ -386,20 +394,15 @@ goto parse_int; case oIdentityFile: - case oIdentityFile2: arg = strdelim(&s); if (!arg || *arg == '\0') fatal("%.200s line %d: Missing argument.", filename, linenum); if (*activep) { - intptr = (opcode == oIdentityFile) ? - &options->num_identity_files : - &options->num_identity_files2; + intptr = &options->num_identity_files; if (*intptr >= SSH_MAX_IDENTITY_FILES) fatal("%.200s line %d: Too many identity files specified (max %d).", filename, linenum, SSH_MAX_IDENTITY_FILES); - charptr = (opcode == oIdentityFile) ? - &options->identity_files[*intptr] : - &options->identity_files2[*intptr]; + charptr = &options->identity_files[*intptr]; *charptr = xstrdup(arg); *intptr = *intptr + 1; } @@ -439,6 +442,10 @@ charptr = &options->hostname; goto parse_string; + case oHostKeyAlias: + charptr = &options->host_key_alias; + goto parse_string; + case oProxyCommand: charptr = &options->proxy_command; string = xstrdup(""); @@ -498,6 +505,17 @@ options->ciphers = xstrdup(arg); break; + case oMacs: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", filename, linenum); + if (!mac_valid(arg)) + fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.", + filename, linenum, arg ? arg : ""); + if (*activep && options->macs == NULL) + options->macs = xstrdup(arg); + break; + case oProtocol: intptr = &options->protocol; arg = strdelim(&s); 
@@ -577,10 +595,10 @@ if (!arg || *arg == '\0') fatal("%.200s line %d: Missing argument.", filename, linenum); if (arg[0] == '^' && arg[2] == 0 && - (unsigned char) arg[1] >= 64 && (unsigned char) arg[1] < 128) - value = (unsigned char) arg[1] & 31; + (u_char) arg[1] >= 64 && (u_char) arg[1] < 128) + value = (u_char) arg[1] & 31; else if (strlen(arg) == 1) - value = (unsigned char) arg[0]; + value = (u_char) arg[0]; else if (strcmp(arg, "none") == 0) value = -2; else { @@ -598,8 +616,7 @@ } /* Check that there is no garbage at end of line. */ - if ((arg = strdelim(&s)) != NULL && *arg != '\0') - { + if ((arg = strdelim(&s)) != NULL && *arg != '\0') { fatal("%.200s line %d: garbage at end of line; \"%.200s\".", filename, linenum, arg); } @@ -664,8 +681,8 @@ options->use_privileged_port = -1; options->rhosts_authentication = -1; options->rsa_authentication = -1; - options->dsa_authentication = -1; - options->skey_authentication = -1; + options->pubkey_authentication = -1; + options->challenge_reponse_authentication = -1; #ifdef KRB4 options->kerberos_authentication = -1; #endif @@ -690,10 +707,11 @@ options->number_of_password_prompts = -1; options->cipher = -1; options->ciphers = NULL; + options->macs = NULL; options->protocol = SSH_PROTO_UNKNOWN; options->num_identity_files = 0; - options->num_identity_files2 = 0; options->hostname = NULL; + options->host_key_alias = NULL; options->proxy_command = NULL; options->user = NULL; options->escape_char = -1; @@ -714,6 +732,8 @@ void fill_default_options(Options * options) { + int len; + if (options->forward_agent == -1) options->forward_agent = 0; if (options->forward_x11 == -1) 
@@ -730,10 +750,10 @@ options->rhosts_authentication = 1; if (options->rsa_authentication == -1) options->rsa_authentication = 1; - if (options->dsa_authentication == -1) - options->dsa_authentication = 1; - if (options->skey_authentication == -1) - options->skey_authentication = 0; + if (options->pubkey_authentication == -1) + options->pubkey_authentication = 1; + if (options->challenge_reponse_authentication == -1) + options->challenge_reponse_authentication = 0; #ifdef KRB4 if (options->kerberos_authentication == -1) options->kerberos_authentication = 1; @@ -747,7 +767,7 @@ if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) - options->kbd_interactive_authentication = 0; + options->kbd_interactive_authentication = 1; if (options->rhosts_rsa_authentication == -1) options->rhosts_rsa_authentication = 1; if (options->fallback_to_rsh == -1) 
@@ -776,33 +796,39 @@ if (options->cipher == -1) options->cipher = SSH_CIPHER_NOT_SET; /* options->ciphers, default set in myproposals.h */ + /* options->macs, default set in myproposals.h */ if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_1|SSH_PROTO_2|SSH_PROTO_1_PREFERRED; if (options->num_identity_files == 0) { - options->identity_files[0] = - xmalloc(2 + strlen(SSH_CLIENT_IDENTITY) + 1); - sprintf(options->identity_files[0], "~/%.100s", SSH_CLIENT_IDENTITY); - options->num_identity_files = 1; - } - if (options->num_identity_files2 == 0) { - options->identity_files2[0] = - xmalloc(2 + strlen(SSH_CLIENT_ID_DSA) + 1); - sprintf(options->identity_files2[0], "~/%.100s", SSH_CLIENT_ID_DSA); - options->num_identity_files2 = 1; + if (options->protocol & SSH_PROTO_1) { + len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1; + options->identity_files[options->num_identity_files] = + xmalloc(len); + snprintf(options->identity_files[options->num_identity_files++], + len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY); + } + if (options->protocol & SSH_PROTO_2) { + len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1; + options->identity_files[options->num_identity_files] = + xmalloc(len); + snprintf(options->identity_files[options->num_identity_files++], + len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA); + } } if (options->escape_char == -1) options->escape_char = '~'; if (options->system_hostfile == NULL) - options->system_hostfile = SSH_SYSTEM_HOSTFILE; + options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE; if (options->user_hostfile == NULL) - options->user_hostfile = SSH_USER_HOSTFILE; + options->user_hostfile = _PATH_SSH_USER_HOSTFILE; if (options->system_hostfile2 == NULL) - options->system_hostfile2 = SSH_SYSTEM_HOSTFILE2; + options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2; if (options->user_hostfile2 == NULL) - options->user_hostfile2 = SSH_USER_HOSTFILE2; + options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2; if (options->log_level == (LogLevel) - 1) 
options->log_level = SYSLOG_LEVEL_INFO; /* options->proxy_command should not be set by default */ /* options->user will be set in the main program if appropriate */ /* options->hostname will be set in the main program if appropriate */ + /* options->host_key_alias should not be set by default */ } diff -ru openssh-2.3.0p1/readconf.h openssh-2.5.1p1/readconf.h --- openssh-2.3.0p1/readconf.h 2000-10-14 16:23:12.000000000 +1100 +++ openssh-2.5.1p1/readconf.h 2001-02-15 14:02:00.000000000 +1100 @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: readconf.h,v 1.22 2000/10/11 20:14:39 markus Exp $"); */ +/* RCSID("$OpenBSD: readconf.h,v 1.26 2001/02/11 12:59:25 markus Exp $"); */ #ifndef READCONF_H #define READCONF_H @@ -35,8 +35,9 @@ int rhosts_rsa_authentication; /* Try rhosts with RSA * authentication. */ int rsa_authentication; /* Try RSA authentication. */ - int dsa_authentication; /* Try DSA authentication. */ - int skey_authentication; /* Try S/Key or TIS authentication. */ + int pubkey_authentication; /* Try ssh2 pubkey authentication. */ + int challenge_reponse_authentication; + /* Try S/Key or TIS, authentication. */ #ifdef KRB4 int kerberos_authentication; /* Try Kerberos * authentication. */ @@ -67,8 +68,10 @@ * prompts. */ int cipher; /* Cipher to use. */ char *ciphers; /* SSH2 ciphers in order of preference. */ + char *macs; /* SSH2 macs in order of preference. */ int protocol; /* Protocol in order of preference. */ char *hostname; /* Real host to connect. */ + char *host_key_alias; /* hostname alias for .ssh/known_hosts */ char *proxy_command; /* Proxy command for connecting the host. */ char *user; /* User to log in as. */ int escape_char; /* Escape character; -2 = none */ 
@@ -78,10 +81,9 @@ char *system_hostfile2; char *user_hostfile2; - int num_identity_files; /* Number of files for RSA identities. */ - int num_identity_files2; /* DSA identities. */ + int num_identity_files; /* Number of files for RSA/DSA identities. */ char *identity_files[SSH_MAX_IDENTITY_FILES]; - char *identity_files2[SSH_MAX_IDENTITY_FILES]; + int identity_files_type[SSH_MAX_IDENTITY_FILES]; /* Local TCP/IP forward requests. */ int num_local_forwards; diff -ru openssh-2.3.0p1/readpass.c openssh-2.5.1p1/readpass.c --- openssh-2.3.0p1/readpass.c 2000-10-14 16:23:12.000000000 +1100 +++ openssh-2.5.1p1/readpass.c 2001-02-09 13:11:24.000000000 +1100 @@ -32,11 +32,11 @@ */ #include "includes.h" -RCSID("$OpenBSD: readpass.c,v 1.12 2000/10/11 20:14:39 markus Exp $"); +RCSID("$OpenBSD: readpass.c,v 1.14 2001/02/08 19:30:52 itojun Exp $"); #include "xmalloc.h" -#include "ssh.h" #include "cli.h" +#include "readpass.h" /* * Reads a passphrase from /dev/tty with echo turned off. Returns the @@ -49,7 +49,7 @@ * compatibility with existing code. */ char * -read_passphrase(char *prompt, int from_stdin) +read_passphrase(const char *prompt, int from_stdin) { return cli_read_passphrase(prompt, from_stdin, 0); } Only in openssh-2.5.1p1: readpass.h diff -ru openssh-2.3.0p1/rijndael.c openssh-2.5.1p1/rijndael.c --- openssh-2.3.0p1/rijndael.c 2000-11-05 16:42:36.000000000 +1100 +++ openssh-2.5.1p1/rijndael.c 2001-02-06 05:16:28.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: rijndael.c,v 1.2 2000/10/15 14:14:01 markus Exp $ */ +/* $OpenBSD: rijndael.c,v 1.7 2001/02/04 15:32:24 stevesk Exp $ */ /* This is an independent implementation of the encryption algorithm: */ /* */ 
@@ -52,21 +52,14 @@ /* Invert byte order in a 32 bit variable */ -#define bswap(x) (rotl(x, 8) & 0x00ff00ff | rotr(x, 8) & 0xff00ff00) +#define bswap(x) ((rotl(x, 8) & 0x00ff00ff) | (rotr(x, 8) & 0xff00ff00)) -/* Extract byte from a 32 bit quantity (little endian notation) */ +/* Extract byte from a 32 bit quantity (little endian notation) */ #define byte(x,n) ((u1byte)((x) >> (8 * n))) #if BYTE_ORDER != LITTLE_ENDIAN -#define BLOCK_SWAP -#endif - -/* For inverting byte order in input/output 32 bit words if needed */ - -#ifdef BLOCK_SWAP #define BYTE_SWAP -#define WORD_SWAP #endif #ifdef BYTE_SWAP 
@@ -75,84 +68,6 @@ #define io_swap(x) (x) #endif -/* For inverting the byte order of input/output blocks if needed */ - -#ifdef WORD_SWAP - -#define get_block(x) \ - ((u4byte*)(x))[0] = io_swap(in_blk[3]); \ - ((u4byte*)(x))[1] = io_swap(in_blk[2]); \ - ((u4byte*)(x))[2] = io_swap(in_blk[1]); \ - ((u4byte*)(x))[3] = io_swap(in_blk[0]) - -#define put_block(x) \ - out_blk[3] = io_swap(((u4byte*)(x))[0]); \ - out_blk[2] = io_swap(((u4byte*)(x))[1]); \ - out_blk[1] = io_swap(((u4byte*)(x))[2]); \ - out_blk[0] = io_swap(((u4byte*)(x))[3]) - -#define get_key(x,len) \ - ((u4byte*)(x))[4] = ((u4byte*)(x))[5] = \ - ((u4byte*)(x))[6] = ((u4byte*)(x))[7] = 0; \ - switch((((len) + 63) / 64)) { \ - case 2: \ - ((u4byte*)(x))[0] = io_swap(in_key[3]); \ - ((u4byte*)(x))[1] = io_swap(in_key[2]); \ - ((u4byte*)(x))[2] = io_swap(in_key[1]); \ - ((u4byte*)(x))[3] = io_swap(in_key[0]); \ - break; \ - case 3: \ - ((u4byte*)(x))[0] = io_swap(in_key[5]); \ - ((u4byte*)(x))[1] = io_swap(in_key[4]); \ - ((u4byte*)(x))[2] = io_swap(in_key[3]); \ - ((u4byte*)(x))[3] = io_swap(in_key[2]); \ - ((u4byte*)(x))[4] = io_swap(in_key[1]); \ - ((u4byte*)(x))[5] = io_swap(in_key[0]); \ - break; \ - case 4: \ - ((u4byte*)(x))[0] = io_swap(in_key[7]); \ - ((u4byte*)(x))[1] = io_swap(in_key[6]); \ - ((u4byte*)(x))[2] = io_swap(in_key[5]); \ - ((u4byte*)(x))[3] = io_swap(in_key[4]); \ - ((u4byte*)(x))[4] = io_swap(in_key[3]); \ - ((u4byte*)(x))[5] = io_swap(in_key[2]); \ - ((u4byte*)(x))[6] = io_swap(in_key[1]); \ - ((u4byte*)(x))[7] = io_swap(in_key[0]); \ - } - -#else - -#define get_block(x) \ - ((u4byte*)(x))[0] = io_swap(in_blk[0]); \ - ((u4byte*)(x))[1] = io_swap(in_blk[1]); \ - ((u4byte*)(x))[2] = io_swap(in_blk[2]); \ - ((u4byte*)(x))[3] = io_swap(in_blk[3]) - -#define put_block(x) \ - out_blk[0] = io_swap(((u4byte*)(x))[0]); \ - out_blk[1] = io_swap(((u4byte*)(x))[1]); \ - out_blk[2] = io_swap(((u4byte*)(x))[2]); \ - out_blk[3] = io_swap(((u4byte*)(x))[3]) - -#define get_key(x,len) \ - 
((u4byte*)(x))[4] = ((u4byte*)(x))[5] = \ - ((u4byte*)(x))[6] = ((u4byte*)(x))[7] = 0; \ - switch((((len) + 63) / 64)) { \ - case 4: \ - ((u4byte*)(x))[6] = io_swap(in_key[6]); \ - ((u4byte*)(x))[7] = io_swap(in_key[7]); \ - case 3: \ - ((u4byte*)(x))[4] = io_swap(in_key[4]); \ - ((u4byte*)(x))[5] = io_swap(in_key[5]); \ - case 2: \ - ((u4byte*)(x))[0] = io_swap(in_key[0]); \ - ((u4byte*)(x))[1] = io_swap(in_key[1]); \ - ((u4byte*)(x))[2] = io_swap(in_key[2]); \ - ((u4byte*)(x))[3] = io_swap(in_key[3]); \ - } - -#endif - #define LARGE_TABLES u1byte pow_tab[256]; @@ -174,15 +89,15 @@ #define f_rn(bo, bi, n, k) \ bo[n] = ft_tab[0][byte(bi[n],0)] ^ \ - ft_tab[1][byte(bi[(n + 1) & 3],1)] ^ \ - ft_tab[2][byte(bi[(n + 2) & 3],2)] ^ \ - ft_tab[3][byte(bi[(n + 3) & 3],3)] ^ *(k + n) + ft_tab[1][byte(bi[(n + 1) & 3],1)] ^ \ + ft_tab[2][byte(bi[(n + 2) & 3],2)] ^ \ + ft_tab[3][byte(bi[(n + 3) & 3],3)] ^ *(k + n) #define i_rn(bo, bi, n, k) \ bo[n] = it_tab[0][byte(bi[n],0)] ^ \ - it_tab[1][byte(bi[(n + 3) & 3],1)] ^ \ - it_tab[2][byte(bi[(n + 2) & 3],2)] ^ \ - it_tab[3][byte(bi[(n + 1) & 3],3)] ^ *(k + n) + it_tab[1][byte(bi[(n + 3) & 3],1)] ^ \ + it_tab[2][byte(bi[(n + 2) & 3],2)] ^ \ + it_tab[3][byte(bi[(n + 1) & 3],3)] ^ *(k + n) #ifdef LARGE_TABLES @@ -194,15 +109,15 @@ #define f_rl(bo, bi, n, k) \ bo[n] = fl_tab[0][byte(bi[n],0)] ^ \ - fl_tab[1][byte(bi[(n + 1) & 3],1)] ^ \ - fl_tab[2][byte(bi[(n + 2) & 3],2)] ^ \ - fl_tab[3][byte(bi[(n + 3) & 3],3)] ^ *(k + n) + fl_tab[1][byte(bi[(n + 1) & 3],1)] ^ \ + fl_tab[2][byte(bi[(n + 2) & 3],2)] ^ \ + fl_tab[3][byte(bi[(n + 3) & 3],3)] ^ *(k + n) #define i_rl(bo, bi, n, k) \ bo[n] = il_tab[0][byte(bi[n],0)] ^ \ - il_tab[1][byte(bi[(n + 3) & 3],1)] ^ \ - il_tab[2][byte(bi[(n + 2) & 3],2)] ^ \ - il_tab[3][byte(bi[(n + 1) & 3],3)] ^ *(k + n) + il_tab[1][byte(bi[(n + 3) & 3],1)] ^ \ + il_tab[2][byte(bi[(n + 2) & 3],2)] ^ \ + il_tab[3][byte(bi[(n + 1) & 3],3)] ^ *(k + n) #else 
@@ -214,15 +129,15 @@ #define f_rl(bo, bi, n, k) \ bo[n] = (u4byte)sbx_tab[byte(bi[n],0)] ^ \ - rotl(((u4byte)sbx_tab[byte(bi[(n + 1) & 3],1)]), 8) ^ \ - rotl(((u4byte)sbx_tab[byte(bi[(n + 2) & 3],2)]), 16) ^ \ - rotl(((u4byte)sbx_tab[byte(bi[(n + 3) & 3],3)]), 24) ^ *(k + n) + rotl(((u4byte)sbx_tab[byte(bi[(n + 1) & 3],1)]), 8) ^ \ + rotl(((u4byte)sbx_tab[byte(bi[(n + 2) & 3],2)]), 16) ^ \ + rotl(((u4byte)sbx_tab[byte(bi[(n + 3) & 3],3)]), 24) ^ *(k + n) #define i_rl(bo, bi, n, k) \ bo[n] = (u4byte)isb_tab[byte(bi[n],0)] ^ \ - rotl(((u4byte)isb_tab[byte(bi[(n + 3) & 3],1)]), 8) ^ \ - rotl(((u4byte)isb_tab[byte(bi[(n + 2) & 3],2)]), 16) ^ \ - rotl(((u4byte)isb_tab[byte(bi[(n + 1) & 3],3)]), 24) ^ *(k + n) + rotl(((u4byte)isb_tab[byte(bi[(n + 3) & 3],1)]), 8) ^ \ + rotl(((u4byte)isb_tab[byte(bi[(n + 2) & 3],2)]), 16) ^ \ + rotl(((u4byte)isb_tab[byte(bi[(n + 1) & 3],3)]), 24) ^ *(k + n) #endif @@ -245,7 +160,7 @@ log_tab[1] = 0; p = 1; for(i = 0; i < 10; ++i) { - rco_tab[i] = p; + rco_tab[i] = p; p = (p << 1) ^ (p & 0x80 ? 0x1b : 0); } @@ -257,19 +172,19 @@ /* least significant end of a byte. */ for(i = 0; i < 256; ++i) { - p = (i ? pow_tab[255 - log_tab[i]] : 0); q = p; - q = (q >> 7) | (q << 1); p ^= q; - q = (q >> 7) | (q << 1); p ^= q; - q = (q >> 7) | (q << 1); p ^= q; - q = (q >> 7) | (q << 1); p ^= q ^ 0x63; + p = (i ? pow_tab[255 - log_tab[i]] : 0); q = p; + q = (q >> 7) | (q << 1); p ^= q; + q = (q >> 7) | (q << 1); p ^= q; + q = (q >> 7) | (q << 1); p ^= q; + q = (q >> 7) | (q << 1); p ^= q ^ 0x63; sbx_tab[i] = (u1byte)p; isb_tab[p] = (u1byte)i; } for(i = 0; i < 256; ++i) { - p = sbx_tab[i]; + p = sbx_tab[i]; + +#ifdef LARGE_TABLES -#ifdef LARGE_TABLES - t = p; fl_tab[0][i] = t; fl_tab[1][i] = rotl(t, 8); fl_tab[2][i] = rotl(t, 16); 
@@ -279,30 +194,30 @@ ((u4byte)p << 8) | ((u4byte)p << 16) | ((u4byte)ff_mult(3, p) << 24); - + ft_tab[0][i] = t; ft_tab[1][i] = rotl(t, 8); ft_tab[2][i] = rotl(t, 16); ft_tab[3][i] = rotl(t, 24); - p = isb_tab[i]; + p = isb_tab[i]; -#ifdef LARGE_TABLES - - t = p; il_tab[0][i] = t; - il_tab[1][i] = rotl(t, 8); - il_tab[2][i] = rotl(t, 16); +#ifdef LARGE_TABLES + + t = p; il_tab[0][i] = t; + il_tab[1][i] = rotl(t, 8); + il_tab[2][i] = rotl(t, 16); il_tab[3][i] = rotl(t, 24); -#endif +#endif t = ((u4byte)ff_mult(14, p)) | ((u4byte)ff_mult( 9, p) << 8) | ((u4byte)ff_mult(13, p) << 16) | ((u4byte)ff_mult(11, p) << 24); - - it_tab[0][i] = t; - it_tab[1][i] = rotl(t, 8); - it_tab[2][i] = rotl(t, 16); - it_tab[3][i] = rotl(t, 24); + + it_tab[0][i] = t; + it_tab[1][i] = rotl(t, 8); + it_tab[2][i] = rotl(t, 16); + it_tab[3][i] = rotl(t, 24); } tab_gen = 1; @@ -317,8 +232,8 @@ t = w ^ (x); \ (y) = u ^ v ^ w; \ (y) ^= rotr(u ^ t, 8) ^ \ - rotr(v ^ t, 16) ^ \ - rotr(t,24) + rotr(v ^ t, 16) ^ \ + rotr(t,24) /* initialise the key schedule from the user supplied key */ @@ -356,7 +271,7 @@ rijndael_ctx * rijndael_set_key(rijndael_ctx *ctx, const u4byte *in_key, const u4byte key_len, int encrypt) -{ +{ u4byte i, t, u, v, w; u4byte *e_key = ctx->e_key; u4byte *d_key = ctx->d_key; 
@@ -368,25 +283,25 @@ ctx->k_len = (key_len + 31) / 32; - e_key[0] = in_key[0]; e_key[1] = in_key[1]; - e_key[2] = in_key[2]; e_key[3] = in_key[3]; - + e_key[0] = io_swap(in_key[0]); e_key[1] = io_swap(in_key[1]); + e_key[2] = io_swap(in_key[2]); e_key[3] = io_swap(in_key[3]); + switch(ctx->k_len) { - case 4: t = e_key[3]; - for(i = 0; i < 10; ++i) + case 4: t = e_key[3]; + for(i = 0; i < 10; ++i) loop4(i); - break; + break; - case 6: e_key[4] = in_key[4]; t = e_key[5] = in_key[5]; - for(i = 0; i < 8; ++i) + case 6: e_key[4] = io_swap(in_key[4]); t = e_key[5] = io_swap(in_key[5]); + for(i = 0; i < 8; ++i) loop6(i); - break; + break; - case 8: e_key[4] = in_key[4]; e_key[5] = in_key[5]; - e_key[6] = in_key[6]; t = e_key[7] = in_key[7]; - for(i = 0; i < 7; ++i) + case 8: e_key[4] = io_swap(in_key[4]); e_key[5] = io_swap(in_key[5]); + e_key[6] = io_swap(in_key[6]); t = e_key[7] = io_swap(in_key[7]); + for(i = 0; i < 7; ++i) loop8(i); - break; + break; } if (!encrypt) { @@ -418,13 +333,15 @@ void rijndael_encrypt(rijndael_ctx *ctx, const u4byte *in_blk, u4byte *out_blk) -{ +{ u4byte k_len = ctx->k_len; u4byte *e_key = ctx->e_key; u4byte b0[4], b1[4], *kp; - b0[0] = in_blk[0] ^ e_key[0]; b0[1] = in_blk[1] ^ e_key[1]; - b0[2] = in_blk[2] ^ e_key[2]; b0[3] = in_blk[3] ^ e_key[3]; + b0[0] = io_swap(in_blk[0]) ^ e_key[0]; + b0[1] = io_swap(in_blk[1]) ^ e_key[1]; + b0[2] = io_swap(in_blk[2]) ^ e_key[2]; + b0[3] = io_swap(in_blk[3]) ^ e_key[3]; kp = e_key + 4; @@ -442,8 +359,8 @@ f_nround(b1, b0, kp); f_nround(b0, b1, kp); f_nround(b1, b0, kp); f_lround(b0, b1, kp); - out_blk[0] = b0[0]; out_blk[1] = b0[1]; - out_blk[2] = b0[2]; out_blk[3] = b0[3]; + out_blk[0] = io_swap(b0[0]); out_blk[1] = io_swap(b0[1]); + out_blk[2] = io_swap(b0[2]); out_blk[3] = io_swap(b0[3]); } /* decrypt a block of text */ 
@@ -463,14 +380,16 @@ void rijndael_decrypt(rijndael_ctx *ctx, const u4byte *in_blk, u4byte *out_blk) -{ +{ u4byte b0[4], b1[4], *kp; u4byte k_len = ctx->k_len; u4byte *e_key = ctx->e_key; u4byte *d_key = ctx->d_key; - b0[0] = in_blk[0] ^ e_key[4 * k_len + 24]; b0[1] = in_blk[1] ^ e_key[4 * k_len + 25]; - b0[2] = in_blk[2] ^ e_key[4 * k_len + 26]; b0[3] = in_blk[3] ^ e_key[4 * k_len + 27]; + b0[0] = io_swap(in_blk[0]) ^ e_key[4 * k_len + 24]; + b0[1] = io_swap(in_blk[1]) ^ e_key[4 * k_len + 25]; + b0[2] = io_swap(in_blk[2]) ^ e_key[4 * k_len + 26]; + b0[3] = io_swap(in_blk[3]) ^ e_key[4 * k_len + 27]; kp = d_key + 4 * (k_len + 5); @@ -488,6 +407,6 @@ i_nround(b1, b0, kp); i_nround(b0, b1, kp); i_nround(b1, b0, kp); i_lround(b0, b1, kp); - out_blk[0] = b0[0]; out_blk[1] = b0[1]; - out_blk[2] = b0[2]; out_blk[3] = b0[3]; + out_blk[0] = io_swap(b0[0]); out_blk[1] = io_swap(b0[1]); + out_blk[2] = io_swap(b0[2]); out_blk[3] = io_swap(b0[3]); } diff -ru openssh-2.3.0p1/rijndael.h openssh-2.5.1p1/rijndael.h --- openssh-2.3.0p1/rijndael.h 2000-10-15 12:21:32.000000000 +1100 +++ openssh-2.5.1p1/rijndael.h 2001-01-29 18:39:26.000000000 +1100 @@ -1,3 +1,5 @@ +/* $OpenBSD: rijndael.h,v 1.6 2001/01/29 01:58:17 niklas Exp $ */ + #ifndef _RIJNDAEL_H_ #define _RIJNDAEL_H_ diff -ru openssh-2.3.0p1/rsa.c openssh-2.5.1p1/rsa.c --- openssh-2.3.0p1/rsa.c 2000-09-29 12:12:36.000000000 +1100 +++ openssh-2.5.1p1/rsa.c 2001-02-06 05:16:28.000000000 +1100 @@ -8,7 +8,7 @@ * software must be clearly marked as such, and if the derived work is * incompatible with the protocol description in the RFC file, it must be * called by a name other than "ssh" or "Secure Shell". - * + * * * Copyright (c) 1999 Niels Provos. All rights reserved. * 
@@ -60,86 +60,16 @@ */ #include "includes.h" -RCSID("$OpenBSD: rsa.c,v 1.16 2000/09/07 20:27:53 deraadt Exp $"); +RCSID("$OpenBSD: rsa.c,v 1.21 2001/02/04 15:32:24 stevesk Exp $"); #include "rsa.h" -#include "ssh.h" +#include "log.h" #include "xmalloc.h" -#include "entropy.h" - -int rsa_verbose = 1; - -int -rsa_alive() -{ - RSA *key; - - seed_rng(); - key = RSA_generate_key(32, 3, NULL, NULL); - if (key == NULL) - return (0); - RSA_free(key); - return (1); -} - -/* - * Generates RSA public and private keys. This initializes the data - * structures; they should be freed with rsa_clear_private_key and - * rsa_clear_public_key. - */ - -void -rsa_generate_key(RSA *prv, RSA *pub, unsigned int bits) -{ - RSA *key; - - seed_rng(); - - if (rsa_verbose) { - printf("Generating RSA keys: "); - fflush(stdout); - } - key = RSA_generate_key(bits, 35, NULL, NULL); - if (key == NULL) - fatal("rsa_generate_key: key generation failed."); - - /* Copy public key parameters */ - pub->n = BN_new(); - BN_copy(pub->n, key->n); - pub->e = BN_new(); - BN_copy(pub->e, key->e); - - /* Copy private key parameters */ - prv->n = BN_new(); - BN_copy(prv->n, key->n); - prv->e = BN_new(); - BN_copy(prv->e, key->e); - prv->d = BN_new(); - BN_copy(prv->d, key->d); - prv->p = BN_new(); - BN_copy(prv->p, key->p); - prv->q = BN_new(); - BN_copy(prv->q, key->q); - - prv->dmp1 = BN_new(); - BN_copy(prv->dmp1, key->dmp1); - - prv->dmq1 = BN_new(); - BN_copy(prv->dmq1, key->dmq1); - - prv->iqmp = BN_new(); - BN_copy(prv->iqmp, key->iqmp); - - RSA_free(key); - - if (rsa_verbose) - printf("Key generation complete.\n"); -} void rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key) { - unsigned char *inbuf, *outbuf; + u_char *inbuf, *outbuf; int len, ilen, olen; if (BN_num_bits(key->e) < 2 || !BN_is_odd(key->e)) 
@@ -164,10 +94,10 @@ xfree(inbuf); } -void +int rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key) { - unsigned char *inbuf, *outbuf; + u_char *inbuf, *outbuf; int len, ilen, olen; olen = BN_num_bytes(key->n); @@ -178,21 +108,14 @@ BN_bn2bin(in, inbuf); if ((len = RSA_private_decrypt(ilen, inbuf, outbuf, key, - RSA_PKCS1_PADDING)) <= 0) - fatal("rsa_private_decrypt() failed"); - - BN_bin2bn(outbuf, len, out); - + RSA_PKCS1_PADDING)) <= 0) { + error("rsa_private_decrypt() failed"); + } else { + BN_bin2bn(outbuf, len, out); + } memset(outbuf, 0, olen); memset(inbuf, 0, ilen); xfree(outbuf); xfree(inbuf); -} - -/* Set whether to output verbose messages during key generation. */ - -void -rsa_set_verbose(int verbose) -{ - rsa_verbose = verbose; + return len; } diff -ru openssh-2.3.0p1/rsa.h openssh-2.5.1p1/rsa.h --- openssh-2.3.0p1/rsa.h 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.1p1/rsa.h 2001-01-30 09:27:26.000000000 +1100 @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: rsa.h,v 1.8 2000/09/07 20:27:53 deraadt Exp $"); */ +/* RCSID("$OpenBSD: rsa.h,v 1.10 2001/01/29 19:47:30 markus Exp $"); */ #ifndef RSA_H #define RSA_H @@ -19,18 +19,7 @@ #include #include -/* Calls SSL RSA_generate_key, only copies to prv and pub */ -void rsa_generate_key(RSA * prv, RSA * pub, unsigned int bits); - -/* - * Indicates whether the rsa module is permitted to show messages on the - * terminal. - */ -void rsa_set_verbose __P((int verbose)); - -int rsa_alive __P((void)); - void rsa_public_encrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv)); -void rsa_private_decrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv)); +int rsa_private_decrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv)); #endif /* RSA_H */ diff -ru openssh-2.3.0p1/scp.0 openssh-2.5.1p1/scp.0 --- openssh-2.3.0p1/scp.0 2000-11-06 14:25:19.000000000 +1100 +++ openssh-2.5.1p1/scp.0 2001-02-19 21:54:44.000000000 +1100 
@@ -71,6 +71,7 @@ the University of California. SEE ALSO - rcp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), sshd(8) + rcp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), + sshd(8) BSD Experimental September 25, 1999 2 diff -ru openssh-2.3.0p1/scp.1 openssh-2.5.1p1/scp.1 --- openssh-2.3.0p1/scp.1 2000-11-06 12:39:34.000000000 +1100 +++ openssh-2.5.1p1/scp.1 2001-02-04 23:20:19.000000000 +1100 @@ -9,7 +9,7 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.13 2000/10/16 09:38:44 djm Exp $ +.\" $OpenBSD: scp.1,v 1.14 2001/02/04 11:11:53 djm Exp $ .\" .Dd September 25, 1999 .Dt SCP 1 @@ -129,6 +129,7 @@ California. .Sh SEE ALSO .Xr rcp 1 , +.Xr sftp 1 , .Xr ssh 1 , .Xr ssh-add 1 , .Xr ssh-agent 1 , diff -ru openssh-2.3.0p1/scp.c openssh-2.5.1p1/scp.c --- openssh-2.3.0p1/scp.c 2000-10-28 14:19:58.000000000 +1100 +++ openssh-2.5.1p1/scp.c 2001-02-19 21:51:08.000000000 +1100 @@ -75,13 +75,18 @@ */ #include "includes.h" -RCSID("$OpenBSD: scp.c,v 1.43 2000/10/18 18:23:02 markus Exp $"); +RCSID("$OpenBSD: scp.c,v 1.59 2001/02/19 10:36:25 deraadt Exp $"); -#include "ssh.h" #include "xmalloc.h" +#include "atomicio.h" +#include "pathnames.h" +#include "log.h" +#include "misc.h" -#ifndef _PATH_CP -#define _PATH_CP "cp" +#ifdef HAVE___PROGNAME +extern char *__progname; +#else +char *__progname; #endif /* For progressmeter() -- number of seconds before xfer considered "stalled" */ @@ -109,7 +114,7 @@ static struct timeval start; /* Number of bytes of current file transferred so far. */ -volatile unsigned long statbytes; +volatile u_long statbytes; /* Total size of current file. */ off_t totalbytes = 0; 
@@ -120,14 +125,11 @@ /* This is set to non-zero to enable verbose mode. */ int verbose_mode = 0; -/* This is set to non-zero if compression is desired. */ -int compress_flag = 0; - /* This is set to zero if the progressmeter is not desired. */ int showprogress = 1; /* This is the program to execute for the secured connection. ("ssh" or -S) */ -char *ssh_program = SSH_PROGRAM; +char *ssh_program = _PATH_SSH_PROGRAM; /* This is the list of arguments that scp passes to ssh */ struct { @@ -195,19 +197,6 @@ return 0; } -void -fatal(const char *fmt,...) -{ - va_list ap; - char buf[1024]; - - va_start(ap, fmt); - vsnprintf(buf, sizeof(buf), fmt, ap); - va_end(ap); - fprintf(stderr, "%s\n", buf); - exit(255); -} - typedef struct { int cnt; char *buf; @@ -231,11 +220,13 @@ #define CMDNEEDS 64 char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */ +int main(int, char *[]); int response(void); void rsource(char *, struct stat *); void sink(int, char *[]); void source(int, char *[]); void tolocal(int, char *[]); +char *cleanhostname(char *); void toremote(char *, int, char *[]); void usage(void); @@ -249,13 +240,15 @@ extern char *optarg; extern int optind; + __progname = get_progname(argv[0]); + args.list = NULL; addargs("ssh"); /* overwritten with ssh_program */ addargs("-x"); addargs("-oFallBackToRsh no"); fflag = tflag = 0; - while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:o:")) != EOF) + while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:o:")) != -1) switch (ch) { /* User-visible flags. */ case '4': @@ -318,7 +311,7 @@ remin = STDIN_FILENO; remout = STDOUT_FILENO; - if (fflag) { + if (fflag) { /* Follow "protocol", send data. */ (void) response(); source(argc, argv); 
@@ -336,7 +329,8 @@ remin = remout = -1; /* Command to be executed on remote system using "ssh". */ - (void) sprintf(cmd, "scp%s%s%s%s", verbose_mode ? " -v" : "", + (void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s", + verbose_mode ? " -v" : "", iamrecursive ? " -r" : "", pflag ? " -p" : "", targetshouldbedirectory ? " -d" : ""); @@ -407,20 +401,22 @@ suser = pwd->pw_name; else if (!okname(suser)) continue; - (void) sprintf(bp, - "%s%s -x -o'FallBackToRsh no' -n -l %s %s %s %s '%s%s%s:%s'", - ssh_program, verbose_mode ? " -v" : "", - suser, host, cmd, src, - tuser ? tuser : "", tuser ? "@" : "", - thost, targ); + snprintf(bp, len, + "%s%s -x -o'FallBackToRsh no' -n " + "-l %s %s %s %s '%s%s%s:%s'", + ssh_program, verbose_mode ? " -v" : "", + suser, host, cmd, src, + tuser ? tuser : "", tuser ? "@" : "", + thost, targ); } else { host = cleanhostname(argv[i]); - (void) sprintf(bp, - "exec %s%s -x -o'FallBackToRsh no' -n %s %s %s '%s%s%s:%s'", - ssh_program, verbose_mode ? " -v" : "", - host, cmd, src, - tuser ? tuser : "", tuser ? "@" : "", - thost, targ); + snprintf(bp, len, + "exec %s%s -x -o'FallBackToRsh no' -n %s " + "%s %s '%s%s%s:%s'", + ssh_program, verbose_mode ? " -v" : "", + host, cmd, src, + tuser ? tuser : "", tuser ? "@" : "", + thost, targ); } if (verbose_mode) fprintf(stderr, "Executing: %s\n", bp); @@ -430,7 +426,7 @@ if (remin == -1) { len = strlen(targ) + CMDNEEDS + 20; bp = xmalloc(len); - (void) sprintf(bp, "%s -t %s", cmd, targ); + (void) snprintf(bp, len, "%s -t %s", cmd, targ); host = cleanhostname(thost); if (do_cmd(host, tuser, bp, &remin, &remout, argc) < 0) @@ -457,7 +453,7 @@ len = strlen(_PATH_CP) + strlen(argv[i]) + strlen(argv[argc - 1]) + 20; bp = xmalloc(len); - (void) sprintf(bp, "exec %s%s%s %s %s", _PATH_CP, + (void) snprintf(bp, len, "exec %s%s%s %s %s", _PATH_CP, iamrecursive ? " -r" : "", pflag ? " -p" : "", argv[i], argv[argc - 1]); if (verbose_mode) 
@@ -484,7 +480,7 @@ host = cleanhostname(host); len = strlen(src) + CMDNEEDS + 20; bp = xmalloc(len); - (void) sprintf(bp, "%s -f %s", cmd, src); + (void) snprintf(bp, len, "%s -f %s", cmd, src); if (do_cmd(host, suser, bp, &remin, &remout, argc) < 0) { (void) xfree(bp); ++errs; @@ -541,18 +537,17 @@ * Make it compatible with possible future * versions expecting microseconds. */ - (void) sprintf(buf, "T%lu 0 %lu 0\n", - (unsigned long) stb.st_mtime, - (unsigned long) stb.st_atime); + (void) snprintf(buf, sizeof buf, "T%lu 0 %lu 0\n", + (u_long) stb.st_mtime, + (u_long) stb.st_atime); (void) atomicio(write, remout, buf, strlen(buf)); if (response() < 0) goto next; } #define FILEMODEMASK (S_ISUID|S_ISGID|S_IRWXU|S_IRWXG|S_IRWXO) - (void) sprintf(buf, "C%04o %lu %s\n", - (unsigned int) (stb.st_mode & FILEMODEMASK), - (unsigned long) stb.st_size, - last); + snprintf(buf, sizeof buf, "C%04o %lu %s\n", + (u_int) (stb.st_mode & FILEMODEMASK), + (u_long) stb.st_size, last); if (verbose_mode) { fprintf(stderr, "Sending file modes: %s", buf); fflush(stderr); @@ -619,17 +614,17 @@ else last++; if (pflag) { - (void) sprintf(path, "T%lu 0 %lu 0\n", - (unsigned long) statp->st_mtime, - (unsigned long) statp->st_atime); + (void) snprintf(path, sizeof(path), "T%lu 0 %lu 0\n", + (u_long) statp->st_mtime, + (u_long) statp->st_atime); (void) atomicio(write, remout, path, strlen(path)); if (response() < 0) { closedir(dirp); return; } } - (void) sprintf(path, "D%04o %d %.1024s\n", - (unsigned int) (statp->st_mode & FILEMODEMASK), 0, last); + (void) snprintf(path, sizeof path, "D%04o %d %.1024s\n", + (u_int) (statp->st_mode & FILEMODEMASK), 0, last); if (verbose_mode) fprintf(stderr, "Entering directory: %s", path); (void) atomicio(write, remout, path, strlen(path)); 
@@ -646,7 +641,7 @@ run_err("%s/%s: name too long", name, dp->d_name); continue; } - (void) sprintf(path, "%s/%s", name, dp->d_name); + (void) snprintf(path, sizeof path, "%s/%s", name, dp->d_name); vect[0] = path; source(1, vect); } @@ -707,7 +702,7 @@ if (buf[0] == '\01' || buf[0] == '\02') { if (iamremote == 0) (void) atomicio(write, STDERR_FILENO, - buf + 1, strlen(buf + 1)); + buf + 1, strlen(buf + 1)); if (buf[0] == '\02') exit(1); ++errs; @@ -776,9 +771,13 @@ size_t need; need = strlen(targ) + strlen(cp) + 250; - if (need > cursize) + if (need > cursize) { + if (namebuf) + xfree(namebuf); namebuf = xmalloc(need); - (void) sprintf(namebuf, "%s%s%s", targ, + cursize = need; + } + (void) snprintf(namebuf, need, "%s%s%s", targ, *targ ? "/" : "", cp); np = namebuf; } else @@ -801,16 +800,18 @@ if (mkdir(np, mode | S_IRWXU) < 0) goto bad; } - vect[0] = np; + vect[0] = xstrdup(np); sink(1, vect); if (setimes) { setimes = 0; - if (utimes(np, tv) < 0) + if (utimes(vect[0], tv) < 0) run_err("%s: set times: %s", - np, strerror(errno)); + vect[0], strerror(errno)); } if (mod_flag) - (void) chmod(np, mode); + (void) chmod(vect[0], mode); + if (vect[0]) + xfree(vect[0]); continue; } omode = mode; @@ -1042,7 +1043,8 @@ c = *cp; if (c & 0200) goto bad; - if (!isalpha(c) && !isdigit(c) && c != '_' && c != '-') + if (!isalpha(c) && !isdigit(c) && + c != '_' && c != '-' && c != '.' && c != '+') goto bad; } while (*++cp); return (1); @@ -1070,7 +1072,7 @@ size = blksize + (stb.st_blksize - blksize % stb.st_blksize) % stb.st_blksize; #else /* HAVE_ST_BLKSIZE */ - size = blksize; + size = blksize; #endif /* HAVE_ST_BLKSIZE */ if (bp->cnt >= size) return (bp); @@ -1113,7 +1115,7 @@ } int -foregroundproc() +foregroundproc(void) { static pid_t pgrp = -1; int ctty_pgrp; 
@@ -1121,11 +1123,7 @@ if (pgrp == -1) pgrp = getpgrp(); -#ifdef HAVE_CYGWIN - /* - * Cygwin only supports tcgetpgrp() for getting the controlling tty - * currently. - */ +#ifdef HAVE_TCGETPGRP return ((ctty_pgrp = tcgetpgrp(STDOUT_FILENO)) != -1 && ctty_pgrp == pgrp); #else @@ -1178,9 +1176,9 @@ i++; abbrevsize >>= 10; } - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5d %c%c ", - (int) abbrevsize, prefixes[i], prefixes[i] == ' ' ? ' ' : - 'B'); + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5lu %c%c ", + (unsigned long) abbrevsize, prefixes[i], + prefixes[i] == ' ' ? ' ' : 'B'); timersub(&now, &lastupdate, &wait); if (cursize > lastsize) { @@ -1195,16 +1193,17 @@ timersub(&now, &start, &td); elapsed = td.tv_sec + (td.tv_usec / 1000000.0); - if (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes) { + if (flag != 1 && + (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes)) { snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - " --:-- ETA"); + " --:-- ETA"); } else if (wait.tv_sec >= STALLTIME) { snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - " - stalled -"); + " - stalled -"); } else { if (flag != 1) - remaining = - (int)(totalbytes / (statbytes / elapsed) - elapsed); + remaining = (int)(totalbytes / (statbytes / elapsed) - + elapsed); else remaining = elapsed; @@ -1223,13 +1222,7 @@ atomicio(write, fileno(stdout), buf, strlen(buf)); if (flag == -1) { - struct sigaction sa; - sa.sa_handler = updateprogressmeter; - sigemptyset((sigset_t *)&sa.sa_mask); -#ifdef SA_RESTART - sa.sa_flags = SA_RESTART; -#endif - sigaction(SIGALRM, &sa, NULL); + mysignal(SIGALRM, updateprogressmeter); alarmtimer(1); } else if (flag == 1) { alarmtimer(0); diff -ru openssh-2.3.0p1/servconf.c openssh-2.5.1p1/servconf.c --- openssh-2.3.0p1/servconf.c 2000-10-16 12:14:42.000000000 +1100 +++ openssh-2.5.1p1/servconf.c 2001-02-15 14:08:27.000000000 +1100 
@@ -10,16 +10,33 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.53 2000/10/14 12:12:09 markus Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.67 2001/02/12 16:16:23 markus Exp $"); + +#ifdef KRB4 +#include +#endif +#ifdef AFS +#include +#endif #include "ssh.h" +#include "log.h" #include "servconf.h" #include "xmalloc.h" #include "compat.h" +#include "pathnames.h" +#include "tildexpand.h" +#include "misc.h" +#include "cipher.h" +#include "kex.h" +#include "mac.h" /* add listen address */ void add_listen_addr(ServerOptions *options, char *addr); +/* AF_UNSPEC or AF_INET or AF_INET6 */ +extern int IPv4or6; + /* Initializes the server options to their default values. */ void @@ -29,13 +46,12 @@ options->num_ports = 0; options->ports_from_cmdline = 0; options->listen_addrs = NULL; - options->host_key_file = NULL; - options->host_dsa_key_file = NULL; + options->num_host_key_files = 0; options->pid_file = NULL; options->server_key_bits = -1; options->login_grace_time = -1; options->key_regeneration_time = -1; - options->permit_root_login = -1; + options->permit_root_login = PERMIT_NOT_SET; options->ignore_rhosts = -1; options->ignore_user_known_hosts = -1; options->print_motd = -1; @@ -50,7 +66,7 @@ options->rhosts_authentication = -1; options->rhosts_rsa_authentication = -1; options->rsa_authentication = -1; - options->dsa_authentication = -1; + options->pubkey_authentication = -1; #ifdef KRB4 options->kerberos_authentication = -1; options->kerberos_or_local_passwd = -1; @@ -62,9 +78,7 @@ #endif options->password_authentication = -1; options->kbd_interactive_authentication = -1; -#ifdef SKEY - options->skey_authentication = -1; -#endif + options->challenge_reponse_authentication = -1; options->permit_empty_passwd = -1; options->use_login = -1; options->allow_tcp_forwarding = -1; 
@@ -73,35 +87,43 @@ options->num_allow_groups = 0; options->num_deny_groups = 0; options->ciphers = NULL; + options->macs = NULL; options->protocol = SSH_PROTO_UNKNOWN; options->gateway_ports = -1; options->num_subsystems = 0; options->max_startups_begin = -1; options->max_startups_rate = -1; options->max_startups = -1; + options->banner = NULL; + options->reverse_mapping_check = -1; } void fill_default_server_options(ServerOptions *options) { + if (options->protocol == SSH_PROTO_UNKNOWN) + options->protocol = SSH_PROTO_1|SSH_PROTO_2; + if (options->num_host_key_files == 0) { + /* fill default hostkeys for protocols */ + if (options->protocol & SSH_PROTO_1) + options->host_key_files[options->num_host_key_files++] = _PATH_HOST_KEY_FILE; + if (options->protocol & SSH_PROTO_2) + options->host_key_files[options->num_host_key_files++] = _PATH_HOST_DSA_KEY_FILE; + } if (options->num_ports == 0) options->ports[options->num_ports++] = SSH_DEFAULT_PORT; if (options->listen_addrs == NULL) add_listen_addr(options, NULL); - if (options->host_key_file == NULL) - options->host_key_file = HOST_KEY_FILE; - if (options->host_dsa_key_file == NULL) - options->host_dsa_key_file = HOST_DSA_KEY_FILE; if (options->pid_file == NULL) - options->pid_file = SSH_DAEMON_PID_FILE; + options->pid_file = _PATH_SSH_DAEMON_PID_FILE; if (options->server_key_bits == -1) options->server_key_bits = 768; if (options->login_grace_time == -1) options->login_grace_time = 600; if (options->key_regeneration_time == -1) options->key_regeneration_time = 3600; - if (options->permit_root_login == -1) - options->permit_root_login = 1; /* yes */ + if (options->permit_root_login == PERMIT_NOT_SET) + options->permit_root_login = PERMIT_YES; if (options->ignore_rhosts == -1) options->ignore_rhosts = 1; if (options->ignore_user_known_hosts == -1) 
@@ -132,8 +154,8 @@ options->rhosts_rsa_authentication = 0; if (options->rsa_authentication == -1) options->rsa_authentication = 1; - if (options->dsa_authentication == -1) - options->dsa_authentication = 1; + if (options->pubkey_authentication == -1) + options->pubkey_authentication = 1; #ifdef KRB4 if (options->kerberos_authentication == -1) options->kerberos_authentication = (access(KEYFILE, R_OK) == 0); @@ -152,18 +174,14 @@ options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) options->kbd_interactive_authentication = 0; -#ifdef SKEY - if (options->skey_authentication == -1) - options->skey_authentication = 1; -#endif + if (options->challenge_reponse_authentication == -1) + options->challenge_reponse_authentication = 1; if (options->permit_empty_passwd == -1) options->permit_empty_passwd = 0; if (options->use_login == -1) options->use_login = 0; if (options->allow_tcp_forwarding == -1) options->allow_tcp_forwarding = 1; - if (options->protocol == SSH_PROTO_UNKNOWN) - options->protocol = SSH_PROTO_1|SSH_PROTO_2; if (options->gateway_ports == -1) options->gateway_ports = 0; if (options->max_startups == -1) @@ -172,6 +190,8 @@ options->max_startups_rate = 100; /* 100% */ if (options->max_startups_begin == -1) options->max_startups_begin = options->max_startups; + if (options->reverse_mapping_check == -1) + options->reverse_mapping_check = 0; } /* Keyword tokens. */ 
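Review bot: the default for `challenge_reponse_authentication` (hunk @@ -152,18 +174,14 @@) is now 1 on every build, whereas the replaced `skey_authentication` default only existed under `#ifdef SKEY`; this turns challenge-response authentication on by default regardless of whether S/Key support was compiled in, so sshd_config(5) and the shipped default sshd_config should state the new default.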
@@ -186,16 +206,15 @@ #ifdef AFS sKerberosTgtPassing, sAFSTokenPassing, #endif -#ifdef SKEY - sSkeyAuthentication, -#endif + sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, sUseLogin, sAllowTcpForwarding, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, - sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile, - sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem, sMaxStartups + sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, + sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, + sBanner, sReverseMappingCheck } ServerOpCodes; /* Textual representation of the tokens. */ @@ -205,8 +224,8 @@ } keywords[] = { { "port", sPort }, { "hostkey", sHostKeyFile }, - { "hostdsakey", sHostDSAKeyFile }, - { "pidfile", sPidFile }, + { "hostdsakey", sHostKeyFile }, /* alias */ + { "pidfile", sPidFile }, { "serverkeybits", sServerKeyBits }, { "logingracetime", sLoginGraceTime }, { "keyregenerationinterval", sKeyRegenerationTime }, @@ -216,7 +235,8 @@ { "rhostsauthentication", sRhostsAuthentication }, { "rhostsrsaauthentication", sRhostsRSAAuthentication }, { "rsaauthentication", sRSAAuthentication }, - { "dsaauthentication", sDSAAuthentication }, + { "pubkeyauthentication", sPubkeyAuthentication }, + { "dsaauthentication", sPubkeyAuthentication }, /* alias */ #ifdef KRB4 { "kerberosauthentication", sKerberosAuthentication }, { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, 
@@ -228,9 +248,8 @@ #endif { "passwordauthentication", sPasswordAuthentication }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, -#ifdef SKEY - { "skeyauthentication", sSkeyAuthentication }, -#endif + { "challengeresponseauthentication", sChallengeResponseAuthentication }, + { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */ { "checkmail", sCheckMail }, { "listenaddress", sListenAddress }, { "printmotd", sPrintMotd }, @@ -250,10 +269,13 @@ { "allowgroups", sAllowGroups }, { "denygroups", sDenyGroups }, { "ciphers", sCiphers }, + { "macs", sMacs }, { "protocol", sProtocol }, { "gatewayports", sGatewayPorts }, { "subsystem", sSubsystem }, { "maxstartups", sMaxStartups }, + { "banner", sBanner }, + { "reversemappingcheck", sReverseMappingCheck }, { NULL, 0 } }; @@ -266,7 +288,7 @@ parse_token(const char *cp, const char *filename, int linenum) { - unsigned int i; + u_int i; for (i = 0; keywords[i].name; i++) if (strcasecmp(cp, keywords[i].name) == 0) @@ -283,7 +305,6 @@ void add_listen_addr(ServerOptions *options, char *addr) { - extern int IPv4or6; struct addrinfo hints, *ai, *aitop; char strport[NI_MAXSERV]; int gaierr; @@ -334,8 +355,10 @@ /* Ignore leading whitespace */ if (*arg == '\0') arg = strdelim(&cp); - if (!*arg || *arg == '#') + if (!arg || !*arg || *arg == '#') continue; + intptr = NULL; + charptr = NULL; opcode = parse_token(arg, filename, linenum); switch (opcode) { case sBadOption: @@ -389,9 +412,13 @@ break; case sHostKeyFile: - case sHostDSAKeyFile: - charptr = (opcode == sHostKeyFile ) ? - &options->host_key_file : &options->host_dsa_key_file; + intptr = &options->num_host_key_files; + if (*intptr >= MAX_HOSTKEYS) { + fprintf(stderr, "%s line %d: to many host keys specified (max %d).\n", + filename, linenum, MAX_HOSTKEYS); + exit(1); + } + charptr = &options->host_key_files[*intptr]; parse_filename: arg = strdelim(&cp); if (!arg || *arg == '\0') { 
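Review bot: the per-line reset `intptr = NULL; charptr = NULL;` (hunk @@ -334,8 +355,10 @@) is what keeps the shared `parse_filename` label from advancing `num_host_key_files` for PidFile, XAuthLocation and Banner, all of which jump there with only `charptr` set; add a comment at the reset saying so, otherwise a later cleanup that drops it would silently corrupt the host key count.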
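Review bot: the error string in the HostKey hunk (@@ -389,9 +412,13 @@) reads "to many host keys specified"; it should be "too many". The bounds check itself is correct: `*intptr >= MAX_HOSTKEYS` is tested before `charptr = &options->host_key_files[*intptr];` is formed, so the array is never indexed out of range.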
@@ -399,8 +426,12 @@ filename, linenum); exit(1); } - if (*charptr == NULL) + if (*charptr == NULL) { *charptr = tilde_expand_filename(arg, getuid()); + /* increase optional counter */ + if (intptr != NULL) + *intptr = *intptr + 1; + } break; case sPidFile: @@ -422,14 +453,17 @@ exit(1); } if (strcmp(arg, "without-password") == 0) - value = 2; + value = PERMIT_NO_PASSWD; + else if (strcmp(arg, "forced-commands-only") == 0) + value = PERMIT_FORCED_ONLY; else if (strcmp(arg, "yes") == 0) - value = 1; + value = PERMIT_YES; else if (strcmp(arg, "no") == 0) - value = 0; + value = PERMIT_NO; else { - fprintf(stderr, "%s line %d: Bad yes/without-password/no argument: %s\n", - filename, linenum, arg); + fprintf(stderr, "%s line %d: Bad yes/" + "without-password/forced-commands-only/no " + "argument: %s\n", filename, linenum, arg); exit(1); } if (*intptr == -1) @@ -474,8 +508,8 @@ intptr = &options->rsa_authentication; goto parse_flag; - case sDSAAuthentication: - intptr = &options->dsa_authentication; + case sPubkeyAuthentication: + intptr = &options->pubkey_authentication; goto parse_flag; #ifdef KRB4 @@ -514,11 +548,9 @@ intptr = &options->check_mail; goto parse_flag; -#ifdef SKEY - case sSkeyAuthentication: - intptr = &options->skey_authentication; + case sChallengeResponseAuthentication: + intptr = &options->challenge_reponse_authentication; goto parse_flag; -#endif case sPrintMotd: intptr = &options->print_motd; @@ -535,7 +567,7 @@ case sXAuthLocation: charptr = &options->xauth_location; goto parse_filename; - + case sStrictModes: intptr = &options->strict_modes; goto parse_flag; @@ -556,6 +588,10 @@ intptr = &options->gateway_ports; goto parse_flag; + case sReverseMappingCheck: + intptr = &options->reverse_mapping_check; + goto parse_flag; + case sLogFacility: intptr = (int *) &options->log_facility; arg = strdelim(&cp); 
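Review bot: the PermitRootLogin hunk (@@ -422,14 +453,17 @@) introduces the PERMIT_* constants for the parsed values, but the guard two lines below still reads `if (*intptr == -1)`; use `PERMIT_NOT_SET` there so the sentinel has a single definition and the comparison survives any later renumbering of the constants.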
@@ -629,6 +665,17 @@ options->ciphers = xstrdup(arg); break; + case sMacs: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing argument.", filename, linenum); + if (!mac_valid(arg)) + fatal("%s line %d: Bad SSH2 mac spec '%s'.", + filename, linenum, arg ? arg : ""); + if (options->macs == NULL) + options->macs = xstrdup(arg); + break; + case sProtocol: intptr = &options->protocol; arg = strdelim(&cp); @@ -684,13 +731,17 @@ intptr = &options->max_startups; goto parse_int; + case sBanner: + charptr = &options->banner; + goto parse_filename; + default: fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n", filename, linenum, arg, opcode); exit(1); } if ((arg = strdelim(&cp)) != NULL && *arg != '\0') { - fprintf(stderr, + fprintf(stderr, "%s line %d: garbage at end of line; \"%.200s\".\n", filename, linenum, arg); exit(1); diff -ru openssh-2.3.0p1/servconf.h openssh-2.5.1p1/servconf.h --- openssh-2.3.0p1/servconf.h 2000-10-16 12:14:43.000000000 +1100 +++ openssh-2.5.1p1/servconf.h 2001-02-15 14:08:27.000000000 +1100 @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: servconf.h,v 1.30 2000/10/14 12:12:09 markus Exp $"); */ +/* RCSID("$OpenBSD: servconf.h,v 1.38 2001/02/12 16:16:23 markus Exp $"); */ #ifndef SERVCONF_H #define SERVCONF_H 
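Review bot: in the sMacs hunk (@@ -629,6 +665,17 @@) the expression `arg ? arg : ""` in the second fatal() is dead code, because the preceding `if (!arg || *arg == '\0')` already calls fatal() when arg is NULL; pass `arg` directly, as the sCiphers case above it presumably does.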
@@ -23,21 +23,30 @@ #define MAX_ALLOW_GROUPS 256 /* Max # groups on allow list. */ #define MAX_DENY_GROUPS 256 /* Max # groups on deny list. */ #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */ +#define MAX_HOSTKEYS 256 /* Max # hostkeys. */ + +/* permit_root_login */ +#define PERMIT_NOT_SET -1 +#define PERMIT_NO 0 +#define PERMIT_FORCED_ONLY 1 +#define PERMIT_NO_PASSWD 2 +#define PERMIT_YES 3 + typedef struct { - unsigned int num_ports; - unsigned int ports_from_cmdline; + u_int num_ports; + u_int ports_from_cmdline; u_short ports[MAX_PORTS]; /* Port number to listen on. */ char *listen_addr; /* Address on which the server listens. */ struct addrinfo *listen_addrs; /* Addresses on which the server listens. */ - char *host_key_file; /* File containing host key. */ - char *host_dsa_key_file; /* File containing dsa host key. */ + char *host_key_files[MAX_HOSTKEYS]; /* Files containing host keys. */ + int num_host_key_files; /* Number of files for host keys. */ char *pid_file; /* Where to put our pid */ int server_key_bits;/* Size of the server key. */ int login_grace_time; /* Disconnect if no auth in this time * (sec). */ int key_regeneration_time; /* Server key lifetime (seconds). */ - int permit_root_login; /* If true, permit root login. */ + int permit_root_login; /* PERMIT_*, see above */ int ignore_rhosts; /* Ignore .rhosts and .shosts. */ int ignore_user_known_hosts; /* Ignore ~/.ssh/known_hosts * for RhostsRsaAuth */ 
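Review bot: the PERMIT_* block in the servconf.h hunk (@@ -23,21 +23,30 @@) should carry a one-line comment that the values are not ordered by privilege (PERMIT_FORCED_ONLY is 1, PERMIT_NO_PASSWD is 2, PERMIT_YES is 3), so that nobody later tests `permit_root_login > PERMIT_NO` and gets forced-commands-only and without-password mixed up. `num_host_key_files` staying `int` while the other counters move to `u_int` is deliberate, since servconf.c points `intptr` at it; a comment saying so would pre-empt a future "fix".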
@@ -49,8 +58,9 @@ char *xauth_location; /* Location of xauth program */ int strict_modes; /* If true, require string home dir modes. */ int keepalives; /* If true, set SO_KEEPALIVE. */ - char *ciphers; /* Ciphers in order of preference. */ - int protocol; /* Protocol in order of preference. */ + char *ciphers; /* Supported SSH2 ciphers. */ + char *macs; /* Supported SSH2 macs. */ + int protocol; /* Supported protocol versions. */ int gateway_ports; /* If true, allow remote connects to forwarded ports. */ SyslogFacility log_facility; /* Facility for system logging. */ LogLevel log_level; /* Level for system logging. */ @@ -59,7 +69,7 @@ int rhosts_rsa_authentication; /* If true, permit rhosts RSA * authentication. */ int rsa_authentication; /* If true, permit RSA authentication. */ - int dsa_authentication; /* If true, permit DSA authentication. */ + int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */ #ifdef KRB4 int kerberos_authentication; /* If true, permit Kerberos * authentication. */ 
@@ -79,30 +89,29 @@ int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ -#ifdef SKEY - int skey_authentication; /* If true, permit s/key - * authentication. */ -#endif + int challenge_reponse_authentication; int permit_empty_passwd; /* If false, do not permit empty * passwords. */ int use_login; /* If true, login(1) is used */ int allow_tcp_forwarding; - unsigned int num_allow_users; + u_int num_allow_users; char *allow_users[MAX_ALLOW_USERS]; - unsigned int num_deny_users; + u_int num_deny_users; char *deny_users[MAX_DENY_USERS]; - unsigned int num_allow_groups; + u_int num_allow_groups; char *allow_groups[MAX_ALLOW_GROUPS]; - unsigned int num_deny_groups; + u_int num_deny_groups; char *deny_groups[MAX_DENY_GROUPS]; - unsigned int num_subsystems; + u_int num_subsystems; char *subsystem_name[MAX_SUBSYSTEMS]; char *subsystem_command[MAX_SUBSYSTEMS]; int max_startups_begin; int max_startups_rate; int max_startups; + char *banner; /* SSH-2 banner message */ + int reverse_mapping_check; /* cross-check ip and dns */ } ServerOptions; /* diff -ru openssh-2.3.0p1/serverloop.c openssh-2.5.1p1/serverloop.c --- openssh-2.3.0p1/serverloop.c 2000-10-28 14:19:58.000000000 +1100 +++ openssh-2.5.1p1/serverloop.c 2001-02-19 21:51:08.000000000 +1100 @@ -35,21 +35,24 @@ */ #include "includes.h" -RCSID("$OpenBSD: serverloop.c,v 1.34 2000/10/27 07:32:18 markus Exp $"); +RCSID("$OpenBSD: serverloop.c,v 1.50 2001/02/19 09:53:32 markus Exp $"); #include "xmalloc.h" -#include "ssh.h" #include "packet.h" #include "buffer.h" +#include "log.h" #include "servconf.h" -#include "pty.h" +#include "sshpty.h" #include "channels.h" - #include "compat.h" +#include "ssh1.h" #include "ssh2.h" +#include "auth.h" #include "session.h" #include "dispatch.h" #include "auth-options.h" +#include "serverloop.h" +#include "misc.h" extern ServerOptions options; 
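Review bot: the struct member `int challenge_reponse_authentication;` (hunk @@ -79,30 +89,29 @@) is the only authentication flag without a trailing comment, and it carries the misspelling of "response"; add a comment such as `/* If true, permit challenge-response (e.g. s/key) authentication. */` and fix the name together with its uses in servconf.c.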
@@ -67,23 +70,18 @@ static int stdin_eof = 0; /* EOF message received from client. */ static int fdout_eof = 0; /* EOF encountered reading from fdout. */ static int fderr_eof = 0; /* EOF encountered readung from fderr. */ +static int fdin_is_tty = 0; /* fdin points to a tty. */ static int connection_in; /* Connection to client (input). */ static int connection_out; /* Connection to client (output). */ -static unsigned int buffer_high;/* "Soft" max buffer size. */ -static int max_fd; /* Max file descriptor number for select(). */ +static u_int buffer_high;/* "Soft" max buffer size. */ /* * This SIGCHLD kludge is used to detect when the child exits. The server * will exit after that, as soon as forwarded connections have terminated. - * - * After SIGCHLD child_has_selected is set to 1 after the first pass - * through the wait_until_can_do_something() select(). This ensures - * that the child's output gets a chance to drain before it is yanked. */ static pid_t child_pid; /* Pid of the child. */ static volatile int child_terminated; /* The child has terminated. */ -static volatile int child_has_selected; /* Child has had chance to drain. */ static volatile int child_wait_status; /* Status from wait(). */ void server_init_dispatch(void); @@ -101,10 +99,8 @@ error("Strange, got SIGCHLD and wait returned pid %d but child is %d", wait_pid, child_pid); if (WIFEXITED(child_wait_status) || - WIFSIGNALED(child_wait_status)) { + WIFSIGNALED(child_wait_status)) child_terminated = 1; - child_has_selected = 0; - } } signal(SIGCHLD, sigchld_handler); errno = save_errno; @@ -115,7 +111,7 @@ int save_errno = errno; debug("Received SIGCHLD."); child_terminated = 1; - child_has_selected = 0; + mysignal(SIGCHLD, sigchld_handler2); errno = save_errno; } @@ -124,7 +120,7 @@ * to the client. */ void -make_packets_from_stderr_data() +make_packets_from_stderr_data(void) { int len; 
@@ -153,7 +149,7 @@ * client. */ void -make_packets_from_stdout_data() +make_packets_from_stdout_data(void) { int len; @@ -167,7 +163,7 @@ } else { /* Keep the packets at reasonable size. */ if (len > packet_get_maxsize()) - len = packet_get_maxsize(); + len = packet_get_maxsize(); } packet_start(SSH_SMSG_STDOUT_DATA); packet_put_string(buffer_ptr(&stdout_buffer), len); @@ -184,8 +180,8 @@ * for the duration of the wait (0 = infinite). */ void -wait_until_can_do_something(fd_set * readset, fd_set * writeset, - unsigned int max_time_milliseconds) +wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, + u_int max_time_milliseconds) { struct timeval tv, *tvp; int ret; @@ -193,14 +189,13 @@ /* When select fails we restart from here. */ retry_select: - /* Initialize select() masks. */ - FD_ZERO(readset); - FD_ZERO(writeset); + /* Allocate and update select() masks for channel descriptors. */ + channel_prepare_select(readsetp, writesetp, maxfdp); if (compat20) { /* wrong: bad condition XXX */ if (channel_not_very_much_buffered_data()) - FD_SET(connection_in, readset); + FD_SET(connection_in, *readsetp); } else { /* * Read packets from the client unless we have too much 
@@ -208,37 +203,31 @@ */ if (buffer_len(&stdin_buffer) < buffer_high && channel_not_very_much_buffered_data()) - FD_SET(connection_in, readset); + FD_SET(connection_in, *readsetp); /* * If there is not too much data already buffered going to * the client, try to get some more data from the program. */ if (packet_not_very_much_data_to_write()) { if (!fdout_eof) - FD_SET(fdout, readset); + FD_SET(fdout, *readsetp); if (!fderr_eof) - FD_SET(fderr, readset); + FD_SET(fderr, *readsetp); } /* * If we have buffered data, try to write some of that data * to the program. */ if (fdin != -1 && buffer_len(&stdin_buffer) > 0) - FD_SET(fdin, writeset); + FD_SET(fdin, *writesetp); } - /* Set masks for channel descriptors. */ - channel_prepare_select(readset, writeset); /* * If we have buffered packet data going to the client, mark that * descriptor. */ if (packet_have_data_to_write()) - FD_SET(connection_out, writeset); - - /* Update the maximum descriptor number if appropriate. */ - if (channel_max_fd() > max_fd) - max_fd = channel_max_fd(); + FD_SET(connection_out, *writesetp); /* * If child has terminated and there is enough buffer space to read @@ -256,10 +245,10 @@ tvp = &tv; } if (tvp!=NULL) - debug("tvp!=NULL kid %d mili %d", child_terminated, max_time_milliseconds); + debug2("tvp!=NULL kid %d mili %d", child_terminated, max_time_milliseconds); /* Wait for something to happen, or the timeout to expire. */ - ret = select(max_fd + 1, readset, writeset, NULL, tvp); + ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp); if (ret < 0) { if (errno != EINTR) @@ -267,9 +256,6 @@ else goto retry_select; } - - if (child_terminated) - child_has_selected = 1; } /* @@ -332,6 +318,7 @@ void process_output(fd_set * writeset) { + struct termios tio; int len; /* Write buffered data to program stdin. */ 
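Review bot: in wait_until_can_do_something (hunk @@ -193,14 +189,13 @@ together with the select() hunk here) the `goto retry_select` taken on EINTR re-enters `channel_prepare_select(readsetp, writesetp, maxfdp);`, which now allocates the select masks instead of zeroing caller-owned ones; unless channel_prepare_select() frees or reuses a non-NULL `*readsetp`/`*writesetp`, every interrupted select() leaks both sets. Please state the ownership contract in a comment above the call, since the callers in server_loop and server_loop2 only xfree() the sets once their loops exit.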
@@ -351,7 +338,19 @@ #endif fdin = -1; } else { - /* Successful write. Consume the data from the buffer. */ + /* Successful write. */ + if (fdin_is_tty && tcgetattr(fdin, &tio) == 0 && + !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { + /* + * Simulate echo to reduce the impact of + * traffic analysis + */ + packet_start(SSH_MSG_IGNORE); + memset(buffer_ptr(&stdin_buffer), 0, len); + packet_put_string(buffer_ptr(&stdin_buffer), len); + packet_send(); + } + /* Consume the data from the buffer. */ buffer_consume(&stdin_buffer, len); /* Update the count of bytes written to the program. */ stdin_bytes += len; @@ -367,7 +366,7 @@ * This is used when the program terminates. */ void -drain_output() +drain_output(void) { /* Send any buffered stdout data to the client. */ if (buffer_len(&stdout_buffer) > 0) { @@ -392,7 +391,7 @@ } void -process_buffered_input_packets() +process_buffered_input_packets(void) { dispatch_run(DISPATCH_NONBLOCK, NULL, NULL); } @@ -407,13 +406,14 @@ void server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) { - fd_set readset, writeset; + fd_set *readset = NULL, *writeset = NULL; + int max_fd; int wait_status; /* Status returned by wait(). */ pid_t wait_pid; /* pid returned by wait(). */ int waiting_termination = 0; /* Have displayed waiting close message. */ - unsigned int max_time_milliseconds; - unsigned int previous_stdout_buffer_bytes; - unsigned int stdout_buffer_bytes; + u_int max_time_milliseconds; + u_int previous_stdout_buffer_bytes; + u_int stdout_buffer_bytes; int type; debug("Entering interactive session."); @@ -421,7 +421,6 @@ /* Initialize the SIGCHLD kludge. */ child_pid = pid; child_terminated = 0; - child_has_selected = 0; signal(SIGCHLD, sigchld_handler); signal(SIGPIPE, SIG_IGN); @@ -437,6 +436,9 @@ if (fderr != -1) set_nonblock(fderr); + if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin)) + fdin_is_tty = 1; + connection_in = packet_get_connection_in(); connection_out = packet_get_connection_out(); 
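Review bot: the echo-simulation hunk (@@ -351,7 +338,19 @@) sends an SSH_MSG_IGNORE of the same length as the bytes just written whenever fdin is a tty with ECHO off and ICANON on, i.e. while a password or passphrase is being typed inside the session, so that the server-to-client traffic keeps the same size and timing pattern as during echoed input and an observer cannot tell from the packet stream when hidden input is entered. The `memset(buffer_ptr(&stdin_buffer), 0, len)` is safe only because those `len` bytes were already written to fdin and are consumed immediately afterwards; a comment noting that the zeroing also scrubs the typed secret from the buffer would make the intent explicit. Note that the feature is switched off for peers flagged SSH_BUG_IGNOREMSG (hunk @@ -437,6 +436,9 @@), so the countermeasure is absent for those clients.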
@@ -449,15 +451,11 @@ buffer_high = 64 * 1024; /* Initialize max_fd to the maximum of the known file descriptors. */ - max_fd = fdin; - if (fdout > max_fd) - max_fd = fdout; - if (fderr != -1 && fderr > max_fd) - max_fd = fderr; - if (connection_in > max_fd) - max_fd = connection_in; - if (connection_out > max_fd) - max_fd = connection_out; + max_fd = MAX(fdin, fdout); + if (fderr != -1) + max_fd = MAX(max_fd, fderr); + max_fd = MAX(max_fd, connection_in); + max_fd = MAX(max_fd, connection_out); /* Initialize Initialize buffers. */ buffer_init(&stdin_buffer); @@ -527,11 +525,8 @@ * descriptors, and we have no more data to send to the * client, and there is no pending buffered data. */ - if (((fdout_eof && fderr_eof) || - (child_terminated && child_has_selected)) && - !packet_have_data_to_write() && - (buffer_len(&stdout_buffer) == 0) && - (buffer_len(&stderr_buffer) == 0)) { + if (fdout_eof && fderr_eof && !packet_have_data_to_write() && + buffer_len(&stdout_buffer) == 0 && buffer_len(&stderr_buffer) == 0) { if (!channel_still_open()) break; if (!waiting_termination) { @@ -547,18 +542,22 @@ } } /* Sleep in select() until we can do something. */ - wait_until_can_do_something(&readset, &writeset, - max_time_milliseconds); + wait_until_can_do_something(&readset, &writeset, &max_fd, + max_time_milliseconds); /* Process any channel events. */ - channel_after_select(&readset, &writeset); + channel_after_select(readset, writeset); /* Process input from the client and from program stdout/stderr. */ - process_input(&readset); + process_input(readset); /* Process output to the client and to program stdin. */ - process_output(&writeset); + process_output(writeset); } + if (readset) + xfree(readset); + if (writeset) + xfree(writeset); /* Cleanup and termination code. */ 
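Review bot: the termination-condition hunk (@@ -527,11 +525,8 @@) drops the `(child_terminated && child_has_selected)` escape, so server_loop now exits only after EOF on both fdout and fderr; a child that exits while a grandchild still holds the pty or pipes open keeps the session alive until that descendant closes them. That is the intended fix for output being cut off after SIGCHLD, but the behaviour change deserves a sentence in the ChangeLog.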
@@ -591,7 +590,7 @@ /* Wait for the child to exit. Get its exit status. */ wait_pid = wait(&wait_status); - if (wait_pid < 0) { + if (wait_pid == -1) { /* * It is possible that the wait was handled by SIGCHLD * handler. This may result in either: this call @@ -649,21 +648,22 @@ void server_loop2(void) { - fd_set readset, writeset; + fd_set *readset = NULL, *writeset = NULL; + int max_fd; int had_channel = 0; int status; pid_t pid; debug("Entering interactive session for SSH2."); - signal(SIGCHLD, sigchld_handler2); + mysignal(SIGCHLD, sigchld_handler2); signal(SIGPIPE, SIG_IGN); child_terminated = 0; connection_in = packet_get_connection_in(); connection_out = packet_get_connection_out(); - max_fd = connection_in; - if (connection_out > max_fd) - max_fd = connection_out; + + max_fd = MAX(connection_in, connection_out); + server_init_dispatch(); for (;;) { @@ -676,19 +676,21 @@ } if (packet_not_very_much_data_to_write()) channel_output_poll(); - wait_until_can_do_something(&readset, &writeset, 0); - if (child_terminated && child_has_selected) { - /* XXX: race - assumes only one child has terminated */ + wait_until_can_do_something(&readset, &writeset, &max_fd, 0); + if (child_terminated) { while ((pid = waitpid(-1, &status, WNOHANG)) > 0) session_close_by_pid(pid, status); child_terminated = 0; - child_has_selected = 0; - signal(SIGCHLD, sigchld_handler2); } - channel_after_select(&readset, &writeset); - process_input(&readset); - process_output(&writeset); - } + channel_after_select(readset, writeset); + process_input(readset); + process_output(writeset); + } + if (readset) + xfree(readset); + if (writeset) + xfree(writeset); + signal(SIGCHLD, SIG_DFL); while ((pid = waitpid(-1, &status, WNOHANG)) > 0) session_close_by_pid(pid, status); 
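Review bot: in the server_loop2 hunk (@@ -676,19 +676,21 @@) `child_terminated = 0;` is cleared after the `waitpid(-1, &status, WNOHANG)` loop; a SIGCHLD that arrives between the last waitpid() and that assignment sets the flag and is then immediately cleared, leaving that child unreaped until some other SIGCHLD arrives. Clear the flag before the loop instead, which is the usual pattern for a volatile signal flag, and then the removed `/* XXX: race - assumes only one child has terminated */` comment can stay gone.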
@@ -699,7 +701,7 @@ server_input_stdin_data(int type, int plen, void *ctxt) { char *data; - unsigned int data_len; + u_int data_len; /* Stdin data from the client. Append it to the buffer. */ /* Ignore any data if the client has closed stdin. */ @@ -739,10 +741,10 @@ pty_change_window_size(fdin, row, col, xpixel, ypixel); } -int -input_direct_tcpip(void) +Channel * +server_request_direct_tcpip(char *ctype) { - int sock; + int sock, newch; char *target, *originator; int target_port, originator_port; 
@@ -752,23 +754,52 @@ originator_port = packet_get_int(); packet_done(); - debug("open direct-tcpip: from %s port %d to %s port %d", + debug("server_request_direct_tcpip: originator %s port %d, target %s port %d", originator, originator_port, target, target_port); /* XXX check permission */ if (no_port_forwarding_flag || !options.allow_tcp_forwarding) { xfree(target); xfree(originator); - return -1; + return NULL; } sock = channel_connect_to(target, target_port); xfree(target); xfree(originator); if (sock < 0) - return -1; - return channel_new("direct-tcpip", SSH_CHANNEL_OPEN, + return NULL; + newch = channel_new(ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, xstrdup("direct-tcpip"), 1); + return (newch >= 0) ? channel_lookup(newch) : NULL; +} + +Channel * +server_request_session(char *ctype) +{ + int newch; + + debug("input_session_request"); + packet_done(); + /* + * A server session has no fd to read or write until a + * CHANNEL_REQUEST for a shell is made, so we set the type to + * SSH_CHANNEL_LARVAL. Additionally, a callback for handling all + * CHANNEL_REQUEST messages is registered. + */ + newch = channel_new(ctype, SSH_CHANNEL_LARVAL, + -1, -1, -1, 0, CHAN_SES_PACKET_DEFAULT, + 0, xstrdup("server-session"), 1); + if (session_open(newch) == 1) { + channel_register_callback(newch, SSH2_MSG_CHANNEL_REQUEST, + session_input_channel_req, (void *)0); + channel_register_cleanup(newch, session_close_by_channel); + return channel_lookup(newch); + } else { + debug("session open failed, free channel %d", newch); + channel_free(newch); + } + return NULL; } void @@ -776,8 +807,7 @@ { Channel *c = NULL; char *ctype; - int id; - unsigned int len; + u_int len; int rchan; int rmaxpack; int rwindow; 
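Review bot: server_request_session() (hunk @@ -752,23 +754,52 @@) still logs `debug("input_session_request");`, the old name; update it to match, as was done for the direct-tcpip and channel-open messages. In server_request_direct_tcpip() the `/* XXX check permission */` note remains above the check that already refuses when `no_port_forwarding_flag || !options.allow_tcp_forwarding`; either drop the XXX or say which additional check is still missing, since readers will otherwise assume forwarding is unrestricted here.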
@@ -791,34 +821,12 @@ ctype, rchan, rwindow, rmaxpack); if (strcmp(ctype, "session") == 0) { - debug("open session"); - packet_done(); - /* - * A server session has no fd to read or write - * until a CHANNEL_REQUEST for a shell is made, - * so we set the type to SSH_CHANNEL_LARVAL. - * Additionally, a callback for handling all - * CHANNEL_REQUEST messages is registered. - */ - id = channel_new(ctype, SSH_CHANNEL_LARVAL, - -1, -1, -1, 0, CHAN_SES_PACKET_DEFAULT, - 0, xstrdup("server-session"), 1); - if (session_open(id) == 1) { - channel_register_callback(id, SSH2_MSG_CHANNEL_REQUEST, - session_input_channel_req, (void *)0); - channel_register_cleanup(id, session_close_by_channel); - c = channel_lookup(id); - } else { - debug("session open failed, free channel %d", id); - channel_free(id); - } + c = server_request_session(ctype); } else if (strcmp(ctype, "direct-tcpip") == 0) { - id = input_direct_tcpip(); - if (id >= 0) - c = channel_lookup(id); + c = server_request_direct_tcpip(ctype); } if (c != NULL) { - debug("confirm %s", ctype); + debug("server_input_channel_open: confirm %s", ctype); c->remote_id = rchan; c->remote_window = rwindow; c->remote_maxpacket = rmaxpack; @@ -830,7 +838,7 @@ packet_put_int(c->local_maxpacket); packet_send(); } else { - debug("failure %s", ctype); + debug("server_input_channel_open: failure %s", ctype); packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); packet_put_int(rchan); packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED); 
@@ -842,7 +850,56 @@ } void -server_init_dispatch_20() +server_input_global_request(int type, int plen, void *ctxt) +{ + char *rtype; + int want_reply; + int success = 0; + + rtype = packet_get_string(NULL); + want_reply = packet_get_char(); + debug("server_input_global_request: rtype %s want_reply %d", rtype, want_reply); + + if (strcmp(rtype, "tcpip-forward") == 0) { + struct passwd *pw; + char *listen_address; + u_short listen_port; + + pw = auth_get_user(); + if (pw == NULL) + fatal("server_input_global_request: no user"); + listen_address = packet_get_string(NULL); /* XXX currently ignored */ + listen_port = (u_short)packet_get_int(); + debug("server_input_global_request: tcpip-forward listen %s port %d", + listen_address, listen_port); + + /* check permissions */ + if (!options.allow_tcp_forwarding || + no_port_forwarding_flag || + (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)) { + success = 0; + packet_send_debug("Server has disabled port forwarding."); + } else { + /* Start listening on the port */ + success = channel_request_forwarding( + listen_address, listen_port, + /*unspec host_to_connect*/ "", + /*unspec port_to_connect*/ 0, + options.gateway_ports, /*remote*/ 1); + } + xfree(listen_address); + } + if (want_reply) { + packet_start(success ? + SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE); + packet_send(); + packet_write_wait(); + } + xfree(rtype); +} + +void +server_init_dispatch_20(void) { debug("server_init_dispatch_20"); dispatch_init(&dispatch_protocol_error); @@ -855,9 +912,10 @@ dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &channel_input_channel_request); dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust); + dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &server_input_global_request); } void -server_init_dispatch_13() +server_init_dispatch_13(void) { debug("server_init_dispatch_13"); dispatch_init(NULL); 
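Review bot: in server_input_global_request() (hunk @@ -842,7 +850,56 @@) `listen_address` is read and marked "XXX currently ignored", so a client asking for a bind on a specific address gets whatever `options.gateway_ports` dictates; document that in sshd.8 for remote forwarding and resolve the XXX before release. The permission check correctly combines `options.allow_tcp_forwarding`, `no_port_forwarding_flag` and the privileged-port test `listen_port < IPPORT_RESERVED && pw->pw_uid != 0`, and because `(u_short)packet_get_int()` truncates before that test the comparison is made on the port that would actually be bound. A request type other than "tcpip-forward" fails silently with its payload unconsumed; a debug line naming the unknown rtype would help when diagnosing client interoperability problems.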
@@ -872,7 +930,7 @@ dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open); } void -server_init_dispatch_15() +server_init_dispatch_15(void) { server_init_dispatch_13(); debug("server_init_dispatch_15"); @@ -880,7 +938,7 @@ dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, &channel_input_oclose); } void -server_init_dispatch() +server_init_dispatch(void) { if (compat20) server_init_dispatch_20(); Only in openssh-2.5.1p1: serverloop.h diff -ru openssh-2.3.0p1/session.c openssh-2.5.1p1/session.c --- openssh-2.3.0p1/session.c 2000-10-28 14:19:58.000000000 +1100 +++ openssh-2.5.1p1/session.c 2001-02-19 06:13:34.000000000 +1100 @@ -33,38 +33,45 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.42 2000/10/27 07:32:18 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.56 2001/02/16 14:03:43 markus Exp $"); -#include "xmalloc.h" #include "ssh.h" -#include "pty.h" +#include "ssh1.h" +#include "ssh2.h" +#include "xmalloc.h" +#include "sshpty.h" #include "packet.h" #include "buffer.h" #include "mpaux.h" -#include "servconf.h" #include "uidswap.h" #include "compat.h" #include "channels.h" #include "nchan.h" - #include "bufaux.h" -#include "ssh2.h" #include "auth.h" #include "auth-options.h" +#include "pathnames.h" +#include "log.h" +#include "servconf.h" +#include "sshlogin.h" +#include "serverloop.h" +#include "canohost.h" +#include "session.h" #ifdef WITH_IRIX_PROJECT #include #endif /* WITH_IRIX_PROJECT */ +#ifdef WITH_IRIX_JOBS +#include +#endif +#ifdef WITH_IRIX_AUDIT +#include +#endif /* WITH_IRIX_AUDIT */ #if defined(HAVE_USERSEC_H) #include #endif -#ifdef HAVE_OSF_SIA -# include -# include -#endif - #ifdef HAVE_CYGWIN #include #include @@ -82,10 +89,6 @@ # define S_UNOFILE_HARD S_UNOFILE "_hard" #endif -#ifdef HAVE_LOGIN_CAP -#include -#endif - /* types */ #define TTYSZ 64 
@@ -128,15 +131,10 @@ /* import */ extern ServerOptions options; -#ifdef HAVE___PROGNAME extern char *__progname; -#else /* HAVE___PROGNAME */ -static const char *__progname = "sshd"; -#endif /* HAVE___PROGNAME */ - extern int log_stderr; extern int debug_flag; -extern unsigned int utmp_len; +extern u_int utmp_len; extern int startup_pipe; @@ -144,7 +142,7 @@ static char *xauthfile; /* original command from peer. */ -char *original_command = NULL; +char *original_command = NULL; /* data */ #define MAX_SESSIONS 10 @@ -217,7 +215,7 @@ char *command; int n_bytes; int plen; - unsigned int proto_len, data_len, dlen; + u_int proto_len, data_len, dlen; /* * Cancel the alarm we set to limit the time taken for @@ -341,12 +339,18 @@ s->auth_proto = packet_get_string(&proto_len); s->auth_data = packet_get_string(&data_len); - packet_integrity_check(plen, 4 + proto_len + 4 + data_len + 4, type); - if (packet_get_protocol_flags() & SSH_PROTOFLAG_SCREEN_NUMBER) + if (packet_get_protocol_flags() & SSH_PROTOFLAG_SCREEN_NUMBER) { + debug2("SSH_PROTOFLAG_SCREEN_NUMBER == true"); + packet_integrity_check(plen, + 4 + proto_len + 4 + data_len + 4, type); s->screen = packet_get_int(); - else + } else { + debug2("SSH_PROTOFLAG_SCREEN_NUMBER == false"); + packet_integrity_check(plen, + 4 + proto_len + 4 + data_len, type); s->screen = 0; + } s->display = x11_create_display_inet(s->screen, options.x11_display_offset); if (s->display == NULL) @@ -404,10 +408,6 @@ case SSH_CMSG_EXEC_SHELL: case SSH_CMSG_EXEC_CMD: - /* Set interactive/non-interactive mode. */ - packet_set_interactive(have_pty || s->display != NULL, - options.keepalives); - if (type == SSH_CMSG_EXEC_CMD) { command = packet_get_string(&dlen); debug("Exec command '%.500s'", command); 
@@ -479,19 +479,15 @@ if (s == NULL) fatal("do_exec_no_pty: no session"); - signal(SIGPIPE, SIG_DFL); - session_proctitle(s); -#ifdef USE_PAM - do_pam_setcred(); -#endif /* USE_PAM */ - /* Fork the child. */ if ((pid = fork()) == 0) { /* Child. Reinitialize the log since the pid has changed. */ log_init(__progname, options.log_level, options.log_facility, log_stderr); + signal(SIGPIPE, SIG_DFL); + /* * Create a new session and process group since the 4.4BSD * setlogin() affects the entire process group. @@ -547,6 +543,8 @@ if (pid < 0) packet_disconnect("fork failed: %.100s", strerror(errno)); s->pid = pid; + /* Set interactive/non-interactive mode. */ + packet_set_interactive(s->display != NULL); #ifdef USE_PIPES /* We are the parent. Close the child sides of the pipes. */ close(pin[0]); @@ -595,16 +593,13 @@ ptyfd = s->ptyfd; ttyfd = s->ttyfd; -#ifdef USE_PAM - do_pam_session(pw->pw_name, s->tty); - do_pam_setcred(); -#endif /* USE_PAM */ - /* Fork the child. */ if ((pid = fork()) == 0) { /* Child. Reinitialize the log because the pid has changed. */ log_init(__progname, options.log_level, options.log_facility, log_stderr); + signal(SIGPIPE, SIG_DFL); + /* Close the master side of the pseudo tty. */ close(ptyfd); @@ -662,6 +657,7 @@ s->ptymaster = ptymaster; /* Enter interactive session. */ + packet_set_interactive(1); if (compat20) { session_set_fds(s, ptyfd, fdout, -1); } else { @@ -676,7 +672,7 @@ { static const char *remote = ""; if (utmp_len > 0) - remote = get_canonical_hostname(); + remote = get_canonical_hostname(options.reverse_mapping_check); if (utmp_len == 0 || strlen(remote) > utmp_len) remote = get_remote_ipaddr(); return remote; @@ -725,7 +721,7 @@ * If password change is needed, do it now. * This needs to occur before the ~/.hushlogin check. */ - if (pam_password_change_required()) { + if (is_pam_password_change_required()) { print_pam_messages(); do_pam_chauthtok(); } 
@@ -743,7 +739,7 @@ return; #ifdef USE_PAM - if (!pam_password_change_required()) + if (!is_pam_password_change_required()) print_pam_messages(); #endif /* USE_PAM */ #ifdef WITH_AIXAUTHENTICATE @@ -780,10 +776,10 @@ * already exists, its value is overriden. */ void -child_set_env(char ***envp, unsigned int *envsizep, const char *name, +child_set_env(char ***envp, u_int *envsizep, const char *name, const char *value) { - unsigned int i, namelen; + u_int i, namelen; char **env; /* @@ -821,7 +817,7 @@ * and assignments of the form name=value. No other forms are allowed. */ void -read_environment_file(char ***env, unsigned int *envsize, +read_environment_file(char ***env, u_int *envsize, const char *filename) { FILE *f; @@ -867,11 +863,11 @@ if ((pam_env = fetch_pam_environment()) == NULL) return; - + for(i = 0; pam_env[i] != NULL; i++) { if ((equals = strstr(pam_env[i], "=")) == NULL) continue; - + if (strlen(pam_env[i]) < (sizeof(var_name) - 1)) { memset(var_name, '\0', sizeof(var_name)); memset(var_val, '\0', sizeof(var_val)); @@ -887,7 +883,6 @@ } #endif /* USE_PAM */ - #ifdef HAVE_CYGWIN void copy_environment(char ***env, int *envsize) { @@ -897,7 +892,7 @@ for(i = 0; environ[i] != NULL; i++) { if ((equals = strstr(environ[i], "=")) == NULL) continue; - + if (strlen(environ[i]) < (sizeof(var_name) - 1)) { memset(var_name, '\0', sizeof(var_name)); memset(var_val, '\0', sizeof(var_val)); @@ -1006,7 +1001,7 @@ char buf[256]; char cmd[1024]; FILE *f = NULL; - unsigned int envsize, i; + u_int envsize, i; char **env; extern char **environ; struct stat st; 
@@ -1014,6 +1009,18 @@ #ifdef WITH_IRIX_PROJECT prid_t projid; #endif /* WITH_IRIX_PROJECT */ +#ifdef WITH_IRIX_JOBS + jid_t jid = 0; +#else +#ifdef WITH_IRIX_ARRAY + int jid = 0; +#endif /* WITH_IRIX_ARRAY */ +#endif /* WITH_IRIX_JOBS */ + +#ifdef USE_PAM + do_pam_session(pw->pw_name, ttyname); + do_pam_setcred(); +#endif /* USE_PAM */ /* login(1) is only called if we execute the login shell */ if (options.use_login && command != NULL) @@ -1044,20 +1051,7 @@ switch, so we let login(1) to this for us. */ if (!options.use_login) { #ifdef HAVE_OSF_SIA - extern char **saved_argv; - extern int saved_argc; - char *host = get_canonical_hostname (); - - if (sia_become_user(NULL, saved_argc, saved_argv, host, - pw->pw_name, ttyname, 0, NULL, NULL, SIA_BEU_SETLUID) != - SIASUCCESS) { - perror("sia_become_user"); - exit(1); - } - if (setreuid(geteuid(), geteuid()) < 0) { - perror("setreuid"); - exit(1); - } + session_setup_sia(pw->pw_name, ttyname); #else /* HAVE_OSF_SIA */ #ifdef HAVE_CYGWIN if (is_winnt) { @@ -1073,6 +1067,13 @@ perror("unable to set user context"); exit(1); } +#ifdef BSD_AUTH + if (auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) { + error("approval failure for %s", pw->pw_name); + fprintf(stderr, "Approval failure"); + exit(1); + } +#endif # else /* HAVE_LOGIN_CAP */ if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); 
@@ -1086,11 +1087,20 @@ exit(1); } endgrent(); +# ifdef WITH_IRIX_JOBS + jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive"); + if (jid == -1) { + fatal("Failed to create job container: %.100s", + strerror(errno)); + } +# endif /* WITH_IRIX_JOBS */ # ifdef WITH_IRIX_ARRAY /* initialize array session */ - if (newarraysess() != 0) - fatal("Failed to set up new array session: %.100s", - strerror(errno)); + if (jid == 0) { + if (newarraysess() != 0) + fatal("Failed to set up new array session: %.100s", + strerror(errno)); + } # endif /* WITH_IRIX_ARRAY */ # ifdef WITH_IRIX_PROJECT /* initialize irix project info */ @@ -1102,12 +1112,26 @@ fatal("Failed to initialize project %d for %s: %.100s", (int)projid, pw->pw_name, strerror(errno)); # endif /* WITH_IRIX_PROJECT */ +#ifdef WITH_IRIX_AUDIT + if (sysconf(_SC_AUDIT)) { + debug("Setting sat id to %d", (int) pw->pw_uid); + if (satsetid(pw->pw_uid)) + debug("error setting satid: %.100s", strerror(errno)); + } +#endif /* WITH_IRIX_AUDIT */ + /* Permanently switch to the desired uid. */ permanently_set_uid(pw->pw_uid); # endif /* HAVE_LOGIN_CAP */ } #endif /* HAVE_OSF_SIA */ +#if defined(HAVE_GETLUID) && defined(HAVE_SETLUID) + /* Sets login uid for accounting */ + if (getluid() == -1 && setluid(pw->pw_uid) == -1) + error("setluid: %s", strerror(errno)); +#endif /* defined(HAVE_GETLUID) && defined(HAVE_SETLUID) */ + #ifdef HAVE_CYGWIN if (is_winnt) #endif 
@@ -1306,28 +1330,28 @@ * in this order). */ if (!options.use_login) { - if (stat(SSH_USER_RC, &st) >= 0) { + if (stat(_PATH_SSH_USER_RC, &st) >= 0) { if (debug_flag) - fprintf(stderr, "Running "_PATH_BSHELL" %s\n", SSH_USER_RC); + fprintf(stderr, "Running %s %s\n", _PATH_BSHELL, _PATH_SSH_USER_RC); - f = popen(_PATH_BSHELL " " SSH_USER_RC, "w"); + f = popen(_PATH_BSHELL " " _PATH_SSH_USER_RC, "w"); if (f) { if (auth_proto != NULL && auth_data != NULL) fprintf(f, "%s %s\n", auth_proto, auth_data); pclose(f); } else - fprintf(stderr, "Could not run %s\n", SSH_USER_RC); - } else if (stat(SSH_SYSTEM_RC, &st) >= 0) { + fprintf(stderr, "Could not run %s\n", _PATH_SSH_USER_RC); + } else if (stat(_PATH_SSH_SYSTEM_RC, &st) >= 0) { if (debug_flag) - fprintf(stderr, "Running "_PATH_BSHELL" %s\n", SSH_SYSTEM_RC); + fprintf(stderr, "Running %s %s\n", _PATH_BSHELL, _PATH_SSH_SYSTEM_RC); - f = popen(_PATH_BSHELL " " SSH_SYSTEM_RC, "w"); + f = popen(_PATH_BSHELL " " _PATH_SSH_SYSTEM_RC, "w"); if (f) { if (auth_proto != NULL && auth_data != NULL) fprintf(f, "%s %s\n", auth_proto, auth_data); pclose(f); } else - fprintf(stderr, "Could not run %s\n", SSH_SYSTEM_RC); + fprintf(stderr, "Could not run %s\n", _PATH_SSH_SYSTEM_RC); } else if (options.xauth_location != NULL) { /* Add authority data to .Xauthority if appropriate. */ if (auth_proto != NULL && auth_data != NULL) { @@ -1352,7 +1376,7 @@ fprintf(f, "add %s %s %s\n", display, auth_proto, auth_data); #ifndef HAVE_CYGWIN /* Unix sockets are not supported */ - if (screen != NULL) + if (screen != NULL) fprintf(f, "add %.*s/unix%s %s %s\n", (int)(screen-display), display, screen, auth_proto, auth_data); @@ -1499,7 +1523,7 @@ } s->pw = auth_get_user(); if (s->pw == NULL) - fatal("no user for session %i", s->self); + fatal("no user for session %d", s->self); debug("session_open: session %d: link with channel %d", s->self, chanid); s->chanid = chanid; return 1; 
@@ -1551,7 +1575,7 @@ int session_pty_req(Session *s) { - unsigned int len; + u_int len; char *term_modes; /* encoded terminal modes */ if (no_pty_flag) @@ -1600,7 +1624,7 @@ int session_subsystem_req(Session *s) { - unsigned int len; + u_int len; int success = 0; char *subsys = packet_get_string(&len); int i; @@ -1696,7 +1720,7 @@ int session_exec_req(Session *s) { - unsigned int len; + u_int len; char *command = packet_get_string(&len); packet_done(); if (forced_command) { @@ -1714,10 +1738,27 @@ return 1; } +int +session_auth_agent_req(Session *s) +{ + static int called = 0; + packet_done(); + if (no_agent_forwarding_flag) { + debug("session_auth_agent_req: no_agent_forwarding_flag"); + return 0; + } + if (called) { + return 0; + } else { + called = 1; + return auth_input_request_forwarding(s->pw); + } +} + void session_input_channel_req(int id, void *arg) { - unsigned int len; + u_int len; int reply; int success = 0; char *rtype; @@ -1750,6 +1791,8 @@ success = session_pty_req(s); } else if (strcmp(rtype, "x11-req") == 0) { success = session_x11_req(s); + } else if (strcmp(rtype, "auth-agent-req@openssh.com") == 0) { + success = session_auth_agent_req(s); } else if (strcmp(rtype, "subsystem") == 0) { success = session_subsystem_req(s); } @@ -1790,7 +1833,7 @@ if (s == NULL || s->ttyfd == -1) return; - debug("session_pty_cleanup: session %i release %s", s->self, s->tty); + debug("session_pty_cleanup: session %d release %s", s->self, s->tty); /* Cancel the cleanup function. */ fatal_remove_cleanup(pty_cleanup_proc, (void *)s); @@ -1853,13 +1896,9 @@ * interested in data we write. * Note that we must not call 'chan_read_failed', since there could * be some more data waiting in the pipe. - * djm - This is no longer true as we have allowed one pass through - * the select loop before killing the connection */ if (c->ostate != CHAN_OUTPUT_CLOSED) chan_write_failed(c); - if (c->istate != CHAN_INPUT_CLOSED) - chan_read_failed(c); s->chanid = -1; } 
@@ -1921,8 +1960,6 @@ session_close(s); } else { /* notify child, delay session cleanup */ - if (s->pid <= 1) - fatal("session_close_by_channel: Unsafe s->pid = %d", s->pid); if (kill(s->pid, (s->ttyfd == -1) ? SIGTERM : SIGHUP) < 0) error("session_close_by_channel: kill %d: %s", s->pid, strerror(errno)); @@ -1958,12 +1995,8 @@ } void -do_authenticated2(void) +do_authenticated2(Authctxt *authctxt) { -#ifdef HAVE_LOGIN_CAP - struct passwd *pw; -#endif - /* * Cancel the alarm we set to limit the time taken for * authentication. @@ -1974,8 +2007,7 @@ startup_pipe = -1; } #if defined(HAVE_LOGIN_CAP) && defined(HAVE_PW_CLASS_IN_PASSWD) - pw = auth_get_user(); - if ((lc = login_getclass(pw->pw_class)) == NULL) { + if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL) { error("unable to get login class"); return; } diff -ru openssh-2.3.0p1/session.h openssh-2.5.1p1/session.h --- openssh-2.3.0p1/session.h 2000-10-14 12:33:49.000000000 +1100 +++ openssh-2.5.1p1/session.h 2001-01-29 18:39:26.000000000 +1100 @@ -1,3 +1,5 @@ +/* $OpenBSD: session.h,v 1.5 2001/01/29 01:58:18 niklas Exp $ */ + /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -28,7 +30,7 @@ void do_authenticated(struct passwd * pw); /* SSH2 */ -void do_authenticated2(void); +void do_authenticated2(Authctxt *ac); int session_open(int id); void session_input_channel_req(int id, void *arg); void session_close_by_pid(pid_t pid, int status); Only in openssh-2.5.1p1: sftp-client.c Only in openssh-2.5.1p1: sftp-client.h Only in openssh-2.5.1p1: sftp-common.c Only in openssh-2.5.1p1: sftp-common.h Only in openssh-2.5.1p1: sftp-int.c Only in openssh-2.5.1p1: sftp-int.h diff -ru openssh-2.3.0p1/sftp-server.0 openssh-2.5.1p1/sftp-server.0 --- openssh-2.3.0p1/sftp-server.0 2000-11-06 14:25:20.000000000 +1100 +++ openssh-2.5.1p1/sftp-server.0 2001-02-19 21:54:46.000000000 +1100 
@@ -16,7 +16,7 @@ SEE ALSO ssh(1), ssh-add(1), ssh-keygen(1), sshd(8) -AUTHOR +AUTHORS Markus Friedl HISTORY diff -ru openssh-2.3.0p1/sftp-server.8 openssh-2.5.1p1/sftp-server.8 --- openssh-2.3.0p1/sftp-server.8 2000-10-16 12:14:43.000000000 +1100 +++ openssh-2.5.1p1/sftp-server.8 2000-11-13 22:57:26.000000000 +1100 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp-server.8,v 1.3 2000/10/13 17:20:44 aaron Exp $ +.\" $OpenBSD: sftp-server.8,v 1.4 2000/11/10 05:10:40 aaron Exp $ .\" .\" Copyright (c) 2000 Markus Friedl. All rights reserved. .\" @@ -48,7 +48,7 @@ .Xr ssh-add 1 , .Xr ssh-keygen 1 , .Xr sshd 8 -.Sh AUTHOR +.Sh AUTHORS Markus Friedl .Sh HISTORY .Nm diff -ru openssh-2.3.0p1/sftp-server.c openssh-2.5.1p1/sftp-server.c --- openssh-2.3.0p1/sftp-server.c 2000-09-23 14:58:32.000000000 +1100 +++ openssh-2.5.1p1/sftp-server.c 2001-02-13 13:40:56.000000000 +1100 
@@ -22,73 +22,28 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: sftp-server.c,v 1.6 2000/09/07 20:27:53 deraadt Exp $"); +RCSID("$OpenBSD: sftp-server.c,v 1.19 2001/02/07 18:01:18 itojun Exp $"); -#include "ssh.h" #include "buffer.h" #include "bufaux.h" #include "getput.h" +#include "log.h" #include "xmalloc.h" -/* version */ -#define SSH_FILEXFER_VERSION 2 - -/* client to server */ -#define SSH_FXP_INIT 1 -#define SSH_FXP_OPEN 3 -#define SSH_FXP_CLOSE 4 -#define SSH_FXP_READ 5 -#define SSH_FXP_WRITE 6 -#define SSH_FXP_LSTAT 7 -#define SSH_FXP_FSTAT 8 -#define SSH_FXP_SETSTAT 9 -#define SSH_FXP_FSETSTAT 10 -#define SSH_FXP_OPENDIR 11 -#define SSH_FXP_READDIR 12 -#define SSH_FXP_REMOVE 13 -#define SSH_FXP_MKDIR 14 -#define SSH_FXP_RMDIR 15 -#define SSH_FXP_REALPATH 16 -#define SSH_FXP_STAT 17 -#define SSH_FXP_RENAME 18 - -/* server to client */ -#define SSH_FXP_VERSION 2 -#define SSH_FXP_STATUS 101 -#define SSH_FXP_HANDLE 102 -#define SSH_FXP_DATA 103 -#define SSH_FXP_NAME 104 -#define SSH_FXP_ATTRS 105 - -/* portable open modes */ -#define SSH_FXF_READ 0x01 -#define SSH_FXF_WRITE 0x02 -#define SSH_FXF_APPEND 0x04 -#define SSH_FXF_CREAT 0x08 -#define SSH_FXF_TRUNC 0x10 -#define SSH_FXF_EXCL 0x20 - -/* attributes */ -#define SSH_FXA_HAVE_SIZE 0x01 -#define SSH_FXA_HAVE_UGID 0x02 -#define SSH_FXA_HAVE_PERM 0x04 -#define SSH_FXA_HAVE_TIME 0x08 - -/* status messages */ -#define SSH_FX_OK 0x00 -#define SSH_FX_EOF 0x01 -#define SSH_FX_NO_SUCH_FILE 0x02 -#define SSH_FX_PERMISSION_DENIED 0x03 -#define SSH_FX_FAILURE 0x04 -#define SSH_FX_BAD_MESSAGE 0x05 -#define SSH_FX_NO_CONNECTION 0x06 -#define SSH_FX_CONNECTION_LOST 0x07 - +#include "sftp.h" +#include "sftp-common.h" /* helper */ +#define get_int64() buffer_get_int64(&iqueue); #define get_int() buffer_get_int(&iqueue); #define get_string(lenp) buffer_get_string(&iqueue, lenp); -#define TRACE log +#define TRACE debug + +#ifdef HAVE___PROGNAME +extern char 
*__progname; +#else +char *__progname; +#endif /* input and output queue */ Buffer iqueue; @@ -96,24 +51,9 @@ /* portable attibutes, etc. */ -typedef struct Attrib Attrib; typedef struct Stat Stat; -struct Attrib -{ - u_int32_t flags; - u_int32_t size_high; - u_int32_t size_low; - u_int64_t size; - u_int32_t uid; - u_int32_t gid; - u_int32_t perm; - u_int32_t atime; - u_int32_t mtime; -}; - -struct Stat -{ +struct Stat { char *name; char *long_name; Attrib attrib; @@ -125,25 +65,25 @@ int ret = 0; switch (unixerrno) { case 0: - ret = SSH_FX_OK; + ret = SSH2_FX_OK; break; case ENOENT: case ENOTDIR: case EBADF: case ELOOP: - ret = SSH_FX_NO_SUCH_FILE; + ret = SSH2_FX_NO_SUCH_FILE; break; case EPERM: case EACCES: case EFAULT: - ret = SSH_FX_PERMISSION_DENIED; + ret = SSH2_FX_PERMISSION_DENIED; break; case ENAMETOOLONG: case EINVAL: - ret = SSH_FX_BAD_MESSAGE; + ret = SSH2_FX_BAD_MESSAGE; break; default: - ret = SSH_FX_FAILURE; + ret = SSH2_FX_FAILURE; break; } return ret; 
@@ -153,104 +93,23 @@ flags_from_portable(int pflags) { int flags = 0; - if (pflags & SSH_FXF_READ && - pflags & SSH_FXF_WRITE) { + if (pflags & SSH2_FXF_READ && + pflags & SSH2_FXF_WRITE) { flags = O_RDWR; - } else if (pflags & SSH_FXF_READ) { + } else if (pflags & SSH2_FXF_READ) { flags = O_RDONLY; - } else if (pflags & SSH_FXF_WRITE) { + } else if (pflags & SSH2_FXF_WRITE) { flags = O_WRONLY; } - if (pflags & SSH_FXF_CREAT) + if (pflags & SSH2_FXF_CREAT) flags |= O_CREAT; - if (pflags & SSH_FXF_TRUNC) + if (pflags & SSH2_FXF_TRUNC) flags |= O_TRUNC; - if (pflags & SSH_FXF_EXCL) + if (pflags & SSH2_FXF_EXCL) flags |= O_EXCL; return flags; } -void -attrib_clear(Attrib *a) -{ - a->flags = 0; - a->size_low = 0; - a->size_high = 0; - a->size = 0; - a->uid = 0; - a->gid = 0; - a->perm = 0; - a->atime = 0; - a->mtime = 0; -} - -Attrib * -decode_attrib(Buffer *b) -{ - static Attrib a; - attrib_clear(&a); - a.flags = buffer_get_int(b); - if (a.flags & SSH_FXA_HAVE_SIZE) { - a.size_high = buffer_get_int(b); - a.size_low = buffer_get_int(b); - a.size = (((u_int64_t) a.size_high) << 32) + a.size_low; - } - if (a.flags & SSH_FXA_HAVE_UGID) { - a.uid = buffer_get_int(b); - a.gid = buffer_get_int(b); - } - if (a.flags & SSH_FXA_HAVE_PERM) { - a.perm = buffer_get_int(b); - } - if (a.flags & SSH_FXA_HAVE_TIME) { - a.atime = buffer_get_int(b); - a.mtime = buffer_get_int(b); - } - return &a; -} - -void -encode_attrib(Buffer *b, Attrib *a) -{ - buffer_put_int(b, a->flags); - if (a->flags & SSH_FXA_HAVE_SIZE) { - buffer_put_int(b, a->size_high); - buffer_put_int(b, a->size_low); - } - if (a->flags & SSH_FXA_HAVE_UGID) { - buffer_put_int(b, a->uid); - buffer_put_int(b, a->gid); - } - if (a->flags & SSH_FXA_HAVE_PERM) { - buffer_put_int(b, a->perm); - } - if (a->flags & SSH_FXA_HAVE_TIME) { - buffer_put_int(b, a->atime); - buffer_put_int(b, a->mtime); - } -} - -Attrib * -stat_to_attrib(struct stat *st) -{ - static Attrib a; - attrib_clear(&a); - a.flags = 0; - a.flags |= 
SSH_FXA_HAVE_SIZE; - a.size = st->st_size; - a.size_low = a.size; - a.size_high = (u_int32_t) (a.size >> 32); - a.flags |= SSH_FXA_HAVE_UGID; - a.uid = st->st_uid; - a.gid = st->st_gid; - a.flags |= SSH_FXA_HAVE_PERM; - a.perm = st->st_mode; - a.flags |= SSH_FXA_HAVE_TIME; - a.atime = st->st_atime; - a.mtime = st->st_mtime; - return &a; -} - Attrib * get_attrib(void) { @@ -300,30 +159,28 @@ int handle_is_ok(int i, int type) { - return i >= 0 && i < sizeof(handles)/sizeof(Handle) && handles[i].use == type; + return i >= 0 && i < sizeof(handles)/sizeof(Handle) && + handles[i].use == type; } int handle_to_string(int handle, char **stringp, int *hlenp) { - char buf[1024]; if (stringp == NULL || hlenp == NULL) return -1; - snprintf(buf, sizeof buf, "%d", handle); - *stringp = xstrdup(buf); - *hlenp = strlen(*stringp); + *stringp = xmalloc(sizeof(int32_t)); + PUT_32BIT(*stringp, handle); + *hlenp = sizeof(int32_t); return 0; } int handle_from_string(char *handle, u_int hlen) { -/* XXX OVERFLOW ? */ - char *ep; - long lval = strtol(handle, &ep, 10); - int val = lval; - if (*ep != '\0') + int val; + if (hlen != sizeof(int32_t)) return -1; + val = GET_32BIT(handle); if (handle_is_ok(val, HANDLE_FILE) || handle_is_ok(val, HANDLE_DIR)) return val; @@ -350,7 +207,7 @@ int handle_to_fd(int handle) { - if (handle_is_ok(handle, HANDLE_FILE)) + if (handle_is_ok(handle, HANDLE_FILE)) return handles[handle].fd; return -1; } @@ -375,10 +232,11 @@ get_handle(void) { char *handle; - int val; + int val = -1; u_int hlen; handle = get_string(&hlen); - val = handle_from_string(handle, hlen); + if (hlen < 256) + val = handle_from_string(handle, hlen); xfree(handle); return val; } @@ -400,7 +258,7 @@ Buffer msg; TRACE("sent status id %d error %d", id, error); buffer_init(&msg); - buffer_put_char(&msg, SSH_FXP_STATUS); + buffer_put_char(&msg, SSH2_FXP_STATUS); buffer_put_int(&msg, id); buffer_put_int(&msg, error); send_msg(&msg); 
@@ -422,7 +280,7 @@ send_data(u_int32_t id, char *data, int dlen) { TRACE("sent data id %d len %d", id, dlen); - send_data_or_handle(SSH_FXP_DATA, id, data, dlen); + send_data_or_handle(SSH2_FXP_DATA, id, data, dlen); } void @@ -432,7 +290,7 @@ int hlen; handle_to_string(handle, &string, &hlen); TRACE("sent handle id %d handle %d", id, handle); - send_data_or_handle(SSH_FXP_HANDLE, id, string, hlen); + send_data_or_handle(SSH2_FXP_HANDLE, id, string, hlen); xfree(string); } @@ -442,7 +300,7 @@ Buffer msg; int i; buffer_init(&msg); - buffer_put_char(&msg, SSH_FXP_NAME); + buffer_put_char(&msg, SSH2_FXP_NAME); buffer_put_int(&msg, id); buffer_put_int(&msg, count); TRACE("sent names id %d count %d", id, count); @@ -461,7 +319,7 @@ Buffer msg; TRACE("sent attrib id %d have 0x%x", id, a->flags); buffer_init(&msg); - buffer_put_char(&msg, SSH_FXP_ATTRS); + buffer_put_char(&msg, SSH2_FXP_ATTRS); buffer_put_int(&msg, id); encode_attrib(&msg, a); send_msg(&msg); @@ -478,8 +336,8 @@ TRACE("client version %d", version); buffer_init(&msg); - buffer_put_char(&msg, SSH_FXP_VERSION); - buffer_put_int(&msg, SSH_FILEXFER_VERSION); + buffer_put_char(&msg, SSH2_FXP_VERSION); + buffer_put_int(&msg, SSH2_FILEXFER_VERSION); send_msg(&msg); buffer_free(&msg); } @@ -490,14 +348,14 @@ u_int32_t id, pflags; Attrib *a; char *name; - int handle, fd, flags, mode, status = SSH_FX_FAILURE; + int handle, fd, flags, mode, status = SSH2_FX_FAILURE; id = get_int(); name = get_string(NULL); - pflags = get_int(); + pflags = get_int(); /* portable flags */ a = get_attrib(); flags = flags_from_portable(pflags); - mode = (a->flags & SSH_FXA_HAVE_PERM) ? a->perm : 0666; + mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm : 0666; TRACE("open id %d name %s flags %d mode 0%o", id, name, pflags, mode); fd = open(name, flags, mode); if (fd < 0) { 
@@ -508,10 +366,10 @@ close(fd); } else { send_handle(id, handle); - status = SSH_FX_OK; + status = SSH2_FX_OK; } } - if (status != SSH_FX_OK) + if (status != SSH2_FX_OK) send_status(id, status); xfree(name); } @@ -520,13 +378,13 @@ process_close(void) { u_int32_t id; - int handle, ret, status = SSH_FX_FAILURE; + int handle, ret, status = SSH2_FX_FAILURE; id = get_int(); handle = get_handle(); TRACE("close id %d handle %d", id, handle); ret = handle_close(handle); - status = (ret == -1) ? errno_to_portable(errno) : SSH_FX_OK; + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); } @@ -534,18 +392,17 @@ process_read(void) { char buf[64*1024]; - u_int32_t id, off_high, off_low, len; - int handle, fd, ret, status = SSH_FX_FAILURE; + u_int32_t id, len; + int handle, fd, ret, status = SSH2_FX_FAILURE; u_int64_t off; id = get_int(); handle = get_handle(); - off_high = get_int(); - off_low = get_int(); + off = get_int64(); len = get_int(); - off = (((u_int64_t) off_high) << 32) + off_low; - TRACE("read id %d handle %d off %lld len %d", id, handle, off, len); + TRACE("read id %d handle %d off %llu len %d", id, handle, + (unsigned long long)off, len); if (len > sizeof buf) { len = sizeof buf; log("read change len %d", len); 
@@ -560,34 +417,33 @@ if (ret < 0) { status = errno_to_portable(errno); } else if (ret == 0) { - status = SSH_FX_EOF; + status = SSH2_FX_EOF; } else { send_data(id, buf, ret); - status = SSH_FX_OK; + status = SSH2_FX_OK; } } } - if (status != SSH_FX_OK) + if (status != SSH2_FX_OK) send_status(id, status); } void process_write(void) { - u_int32_t id, off_high, off_low; + u_int32_t id; u_int64_t off; u_int len; - int handle, fd, ret, status = SSH_FX_FAILURE; + int handle, fd, ret, status = SSH2_FX_FAILURE; char *data; id = get_int(); handle = get_handle(); - off_high = get_int(); - off_low = get_int(); + off = get_int64(); data = get_string(&len); - off = (((u_int64_t) off_high) << 32) + off_low; - TRACE("write id %d handle %d off %lld len %d", id, handle, off, len); + TRACE("write id %d handle %d off %llu len %d", id, handle, + (unsigned long long)off, len); fd = handle_to_fd(handle); if (fd >= 0) { if (lseek(fd, off, SEEK_SET) < 0) { @@ -600,7 +456,7 @@ error("process_write: write failed"); status = errno_to_portable(errno); } else if (ret == len) { - status = SSH_FX_OK; + status = SSH2_FX_OK; } else { log("nothing at all written"); } @@ -613,11 +469,11 @@ void process_do_stat(int do_lstat) { - Attrib *a; + Attrib a; struct stat st; u_int32_t id; char *name; - int ret, status = SSH_FX_FAILURE; + int ret, status = SSH2_FX_FAILURE; id = get_int(); name = get_string(NULL); @@ -626,11 +482,11 @@ if (ret < 0) { status = errno_to_portable(errno); } else { - a = stat_to_attrib(&st); - send_attrib(id, a); - status = SSH_FX_OK; + stat_to_attrib(&st, &a); + send_attrib(id, &a); + status = SSH2_FX_OK; } - if (status != SSH_FX_OK) + if (status != SSH2_FX_OK) send_status(id, status); xfree(name); } @@ -650,10 +506,10 @@ void process_fstat(void) { - Attrib *a; + Attrib a; struct stat st; u_int32_t id; - int fd, ret, handle, status = SSH_FX_FAILURE; + int fd, ret, handle, status = SSH2_FX_FAILURE; id = get_int(); handle = get_handle(); 
@@ -664,12 +520,12 @@ if (ret < 0) { status = errno_to_portable(errno); } else { - a = stat_to_attrib(&st); - send_attrib(id, a); - status = SSH_FX_OK; + stat_to_attrib(&st, &a); + send_attrib(id, &a); + status = SSH2_FX_OK; } } - if (status != SSH_FX_OK) + if (status != SSH2_FX_OK) send_status(id, status); } @@ -691,22 +547,27 @@ u_int32_t id; char *name; int ret; - int status = SSH_FX_OK; + int status = SSH2_FX_OK; id = get_int(); name = get_string(NULL); a = get_attrib(); TRACE("setstat id %d name %s", id, name); - if (a->flags & SSH_FXA_HAVE_PERM) { + if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) { ret = chmod(name, a->perm & 0777); if (ret == -1) status = errno_to_portable(errno); } - if (a->flags & SSH_FXA_HAVE_TIME) { + if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) { ret = utimes(name, attrib_to_tv(a)); if (ret == -1) status = errno_to_portable(errno); } + if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) { + ret = chown(name, a->uid, a->gid); + if (ret == -1) + status = errno_to_portable(errno); + } send_status(id, status); xfree(name); } @@ -717,24 +578,28 @@ Attrib *a; u_int32_t id; int handle, fd, ret; - int status = SSH_FX_OK; + int status = SSH2_FX_OK; char *name; - + id = get_int(); handle = get_handle(); a = get_attrib(); TRACE("fsetstat id %d handle %d", id, handle); fd = handle_to_fd(handle); name = handle_to_name(handle); - if ((fd < 0) || (name == NULL)) { - status = SSH_FX_FAILURE; + if (fd < 0 || name == NULL) { + status = SSH2_FX_FAILURE; } else { - if (a->flags & SSH_FXA_HAVE_PERM) { + if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) { +#ifdef HAVE_FCHMOD ret = fchmod(fd, a->perm & 0777); +#else + ret = chmod(name, a->perm & 0777); +#endif if (ret == -1) status = errno_to_portable(errno); } - if (a->flags & SSH_FXA_HAVE_TIME) { + if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) { #ifdef HAVE_FUTIMES ret = futimes(fd, attrib_to_tv(a)); #else 
@@ -743,6 +608,15 @@ if (ret == -1) status = errno_to_portable(errno); } + if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) { +#ifdef HAVE_FCHOWN + ret = fchown(fd, a->uid, a->gid); +#else + ret = chown(name, a->uid, a->gid); +#endif + if (ret == -1) + status = errno_to_portable(errno); + } } send_status(id, status); } @@ -752,13 +626,13 @@ { DIR *dirp = NULL; char *path; - int handle, status = SSH_FX_FAILURE; + int handle, status = SSH2_FX_FAILURE; u_int32_t id; id = get_int(); path = get_string(NULL); TRACE("opendir id %d path %s", id, path); - dirp = opendir(path); + dirp = opendir(path); if (dirp == NULL) { status = errno_to_portable(errno); } else { 
@@ -767,22 +641,51 @@ closedir(dirp); } else { send_handle(id, handle); - status = SSH_FX_OK; + status = SSH2_FX_OK; } - + } - if (status != SSH_FX_OK) + if (status != SSH2_FX_OK) send_status(id, status); xfree(path); } +/* + * drwxr-xr-x 5 markus markus 1024 Jan 13 18:39 .ssh + */ char * ls_file(char *name, struct stat *st) { - char buf[1024]; - snprintf(buf, sizeof buf, "0%o %d %d %lld %d %s", - st->st_mode, st->st_uid, st->st_gid, (long long)st->st_size,(int) st->st_mtime, - name); + int sz = 0; + struct passwd *pw; + struct group *gr; + struct tm *ltime = localtime(&st->st_mtime); + char *user, *group; + char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1]; + + strmode(st->st_mode, mode); + if ((pw = getpwuid(st->st_uid)) != NULL) { + user = pw->pw_name; + } else { + snprintf(ubuf, sizeof ubuf, "%d", st->st_uid); + user = ubuf; + } + if ((gr = getgrgid(st->st_gid)) != NULL) { + group = gr->gr_name; + } else { + snprintf(gbuf, sizeof gbuf, "%d", st->st_gid); + group = gbuf; + } + if (ltime != NULL) { + if (time(NULL) - st->st_mtime < (365*24*60*60)/2) + sz = strftime(tbuf, sizeof tbuf, "%b %e %H:%M", ltime); + else + sz = strftime(tbuf, sizeof tbuf, "%b %e %Y", ltime); + } + if (sz == 0) + tbuf[0] = '\0'; + snprintf(buf, sizeof buf, "%s %3d %-8.8s %-8.8s %8llu %s %s", mode, + st->st_nlink, user, group, (unsigned long long)st->st_size, tbuf, name); return xstrdup(buf); } @@ -801,9 +704,8 @@ dirp = handle_to_dir(handle); path = handle_to_name(handle); if (dirp == NULL || path == NULL) { - send_status(id, SSH_FX_FAILURE); + send_status(id, SSH2_FX_FAILURE); } else { - Attrib *a; struct stat st; char pathname[1024]; Stat *stats; 
@@ -819,19 +721,23 @@ "%s/%s", path, dp->d_name); if (lstat(pathname, &st) < 0) continue; - a = stat_to_attrib(&st); - stats[count].attrib = *a; + stat_to_attrib(&st, &(stats[count].attrib)); stats[count].name = xstrdup(dp->d_name); stats[count].long_name = ls_file(dp->d_name, &st); count++; /* send up to 100 entries in one message */ + /* XXX check packet size instead */ if (count == 100) break; } - send_names(id, count, stats); - for(i = 0; i < count; i++) { - xfree(stats[i].name); - xfree(stats[i].long_name); + if (count > 0) { + send_names(id, count, stats); + for(i = 0; i < count; i++) { + xfree(stats[i].name); + xfree(stats[i].long_name); + } + } else { + send_status(id, SSH2_FX_EOF); } xfree(stats); } @@ -842,14 +748,14 @@ { char *name; u_int32_t id; - int status = SSH_FX_FAILURE; + int status = SSH2_FX_FAILURE; int ret; id = get_int(); name = get_string(NULL); TRACE("remove id %d name %s", id, name); - ret = remove(name); - status = (ret == -1) ? errno_to_portable(errno) : SSH_FX_OK; + ret = unlink(name); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); xfree(name); } @@ -860,15 +766,16 @@ Attrib *a; u_int32_t id; char *name; - int ret, mode, status = SSH_FX_FAILURE; + int ret, mode, status = SSH2_FX_FAILURE; id = get_int(); name = get_string(NULL); a = get_attrib(); - mode = (a->flags & SSH_FXA_HAVE_PERM) ? a->perm & 0777 : 0777; + mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? + a->perm & 0777 : 0777; TRACE("mkdir id %d name %s mode 0%o", id, name, mode); ret = mkdir(name, mode); - status = (ret == -1) ? errno_to_portable(errno) : SSH_FX_OK; + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); xfree(name); } @@ -884,7 +791,7 @@ name = get_string(NULL); TRACE("rmdir id %d name %s", id, name); ret = rmdir(name); - status = (ret == -1) ? errno_to_portable(errno) : SSH_FX_OK; + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); xfree(name); } 
@@ -898,6 +805,10 @@ id = get_int(); path = get_string(NULL); + if (path[0] == '\0') { + xfree(path); + path = xstrdup("."); + } TRACE("realpath id %d path %s", id, path); if (realpath(path, resolvedname) == NULL) { send_status(id, errno_to_portable(errno)); @@ -914,33 +825,48 @@ process_rename(void) { u_int32_t id; + struct stat st; char *oldpath, *newpath; - int ret, status; + int ret, status = SSH2_FX_FAILURE; id = get_int(); oldpath = get_string(NULL); newpath = get_string(NULL); TRACE("rename id %d old %s new %s", id, oldpath, newpath); - ret = rename(oldpath, newpath); - status = (ret == -1) ? errno_to_portable(errno) : SSH_FX_OK; + /* fail if 'newpath' exists */ + if (stat(newpath, &st) == -1) { + ret = rename(oldpath, newpath); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; + } send_status(id, status); xfree(oldpath); xfree(newpath); } +void +process_extended(void) +{ + u_int32_t id; + char *request; + + id = get_int(); + request = get_string(NULL); + send_status(id, SSH2_FX_OP_UNSUPPORTED); /* MUST */ + xfree(request); +} /* stolen from ssh-agent */ void process(void) { - unsigned int msg_len; - unsigned int type; - unsigned char *cp; + u_int msg_len; + u_int type; + u_char *cp; if (buffer_len(&iqueue) < 5) return; /* Incomplete message. */ - cp = (unsigned char *) buffer_ptr(&iqueue); + cp = (u_char *) buffer_ptr(&iqueue); msg_len = GET_32BIT(cp); if (msg_len > 256 * 1024) { error("bad message "); 
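Review bot: the new existence check in process_rename is a check-then-act sequence that still leaves ways to clobber an existing file. stat() follows symlinks, so a dangling symlink at newpath makes stat() fail with ENOENT and rename() then replaces the link, where lstat() would have refused. Any other stat() failure (EACCES on a path component, ENAMETOOLONG) also drops into the rename branch, so the test should read `if (lstat(newpath, &st) == -1 && errno == ENOENT)`. A file created between the check and the rename is still overwritten because rename(2) has no no-clobber mode and POSIX offers no atomic alternative; that limitation deserves a sentence next to `/* fail if 'newpath' exists */`. Initialising `status` to SSH2_FX_FAILURE so the exists case reports failure is correct.

Review bot: process_extended answers SSH2_FX_OP_UNSUPPORTED as it should, but the bare `/* MUST */` comment should name the requirement it refers to (the protocol draft's rule for unrecognised extended requests) so the next reader does not have to guess why this status and no other is acceptable.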
@@ -951,57 +877,60 @@ buffer_consume(&iqueue, 4); type = buffer_get_char(&iqueue); switch (type) { - case SSH_FXP_INIT: + case SSH2_FXP_INIT: process_init(); break; - case SSH_FXP_OPEN: + case SSH2_FXP_OPEN: process_open(); break; - case SSH_FXP_CLOSE: + case SSH2_FXP_CLOSE: process_close(); break; - case SSH_FXP_READ: + case SSH2_FXP_READ: process_read(); break; - case SSH_FXP_WRITE: + case SSH2_FXP_WRITE: process_write(); break; - case SSH_FXP_LSTAT: + case SSH2_FXP_LSTAT: process_lstat(); break; - case SSH_FXP_FSTAT: + case SSH2_FXP_FSTAT: process_fstat(); break; - case SSH_FXP_SETSTAT: + case SSH2_FXP_SETSTAT: process_setstat(); break; - case SSH_FXP_FSETSTAT: + case SSH2_FXP_FSETSTAT: process_fsetstat(); break; - case SSH_FXP_OPENDIR: + case SSH2_FXP_OPENDIR: process_opendir(); break; - case SSH_FXP_READDIR: + case SSH2_FXP_READDIR: process_readdir(); break; - case SSH_FXP_REMOVE: + case SSH2_FXP_REMOVE: process_remove(); break; - case SSH_FXP_MKDIR: + case SSH2_FXP_MKDIR: process_mkdir(); break; - case SSH_FXP_RMDIR: + case SSH2_FXP_RMDIR: process_rmdir(); break; - case SSH_FXP_REALPATH: + case SSH2_FXP_REALPATH: process_realpath(); break; - case SSH_FXP_STAT: + case SSH2_FXP_STAT: process_stat(); break; - case SSH_FXP_RENAME: + case SSH2_FXP_RENAME: process_rename(); break; + case SSH2_FXP_EXTENDED: + process_extended(); + break; default: error("Unknown message %d", type); break; @@ -1015,8 +944,13 @@ int in, out, max; ssize_t len, olen; + __progname = get_progname(av[0]); handle_init(); +#ifdef DEBUG_SFTP_SERVER + log_init("sftp-server", SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 0); +#endif + in = dup(STDIN_FILENO); out = dup(STDOUT_FILENO); Only in openssh-2.5.1p1: sftp.0 Only in openssh-2.5.1p1: sftp.1 Only in openssh-2.5.1p1: sftp.c Only in openssh-2.5.1p1: sftp.h diff -ru openssh-2.3.0p1/ssh-add.0 openssh-2.5.1p1/ssh-add.0 --- openssh-2.3.0p1/ssh-add.0 2000-11-06 14:25:19.000000000 +1100 +++ openssh-2.5.1p1/ssh-add.0 2001-02-19 21:54:45.000000000 +1100 
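Review bot: the DEBUG_SFTP_SERVER block routes TRACE output to SYSLOG_FACILITY_AUTH at DEBUG1, and those TRACE lines (for instance `TRACE("remove id %d name %s", id, name)` and the rename and realpath traces above) embed client-supplied path strings verbatim. Please confirm that log() strips or escapes control characters before the string reaches syslog, or do it here; otherwise a file name containing a newline can forge additional records in the auth log whenever the debug build is in use.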
@@ -54,26 +54,13 @@ related script. (Note that on some machines it may be necessary to redirect the input from /dev/null to make this work.) -AUTHOR - Tatu Ylonen - - OpenSSH is a derivative of the original (free) ssh 1.2.12 release, but - with bugs removed and newer features re-added. Rapidly after the 1.2.12 - release, newer versions bore successively more restrictive licenses. - This version of OpenSSH - - o has all components of a restrictive nature (i.e., patents, see - crypto(3)) directly removed from the source code; any licensed or - patented components are chosen from external libraries. - - o has been updated to support ssh protocol 1.5. - - o contains added support for kerberos(8) authentication and ticket - passing. - - o supports one-time password authentication with skey(1). +AUTHORS + OpenSSH is a derivative of the original and free ssh 1.2.12 release by + Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo + de Raadt and Dug Song removed many bugs, re-added newer features and cre- + ated OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. SEE ALSO - ssh(1), ssh-agent(1), ssh-keygen(1), sshd(8), crypto(3) + ssh(1), ssh-agent(1), ssh-keygen(1), sshd(8) -BSD Experimental September 25, 1999 2 diff -ru openssh-2.3.0p1/ssh-add.1 openssh-2.5.1p1/ssh-add.1 --- openssh-2.3.0p1/ssh-add.1 2000-09-16 13:29:10.000000000 +1100 +++ openssh-2.5.1p1/ssh-add.1 2001-02-11 10:56:36.000000000 +1100 @@ -1,3 +1,5 @@ +.\" $OpenBSD: ssh-add.1,v 1.21 2001/02/08 19:22:38 itojun Exp $ +.\" .\" -*- nroff -*- .\" .\" Author: Tatu Ylonen 
@@ -116,35 +118,17 @@ .Pa /dev/null to make this work.) .El -.Sh AUTHOR -Tatu Ylonen -.Pp -OpenSSH -is a derivative of the original (free) ssh 1.2.12 release, but with bugs -removed and newer features re-added. -Rapidly after the 1.2.12 release, -newer versions bore successively more restrictive licenses. -This version of OpenSSH -.Bl -bullet -.It -has all components of a restrictive nature (i.e., patents, see -.Xr crypto 3 ) -directly removed from the source code; any licensed or patented components -are chosen from -external libraries. -.It -has been updated to support ssh protocol 1.5. -.It -contains added support for -.Xr kerberos 8 -authentication and ticket passing. -.It -supports one-time password authentication with -.Xr skey 1 . -.El +.Sh AUTHORS +OpenSSH is a derivative of the original and free +ssh 1.2.12 release by Tatu Ylonen. +Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, +Theo de Raadt and Dug Song +removed many bugs, re-added newer features and +created OpenSSH. +Markus Friedl contributed the support for SSH +protocol versions 1.5 and 2.0. .Sh SEE ALSO .Xr ssh 1 , .Xr ssh-agent 1 , .Xr ssh-keygen 1 , -.Xr sshd 8 , -.Xr crypto 3 +.Xr sshd 8 diff -ru openssh-2.3.0p1/ssh-add.c openssh-2.5.1p1/ssh-add.c --- openssh-2.3.0p1/ssh-add.c 2000-10-17 23:22:28.000000000 +1100 +++ openssh-2.5.1p1/ssh-add.c 2001-02-06 05:16:28.000000000 +1100 
@@ -35,24 +35,25 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-add.c,v 1.22 2000/09/07 20:27:54 deraadt Exp $"); +RCSID("$OpenBSD: ssh-add.c,v 1.28 2001/02/04 15:32:25 stevesk Exp $"); #include -#include -#include -#include "rsa.h" #include "ssh.h" +#include "rsa.h" +#include "log.h" #include "xmalloc.h" #include "key.h" #include "authfd.h" #include "authfile.h" +#include "pathnames.h" +#include "readpass.h" #ifdef HAVE___PROGNAME extern char *__progname; -#else /* HAVE___PROGNAME */ -static const char *__progname = "ssh-add"; -#endif /* HAVE___PROGNAME */ +#else +char *__progname; +#endif void delete_file(AuthenticationConnection *ac, const char *filename) @@ -60,10 +61,10 @@ Key *public; char *comment; - public = key_new(KEY_RSA); + public = key_new(KEY_RSA1); if (!load_public_key(filename, public, &comment)) { key_free(public); - public = key_new(KEY_DSA); + public = key_new(KEY_UNSPEC); if (!try_load_public_key(filename, public, &comment)) { printf("Bad key file %s\n", filename); return; @@ -91,7 +92,7 @@ if (success) fprintf(stderr, "All identities removed.\n"); else - fprintf(stderr, "Failed to remove all identitities.\n"); + fprintf(stderr, "Failed to remove all identities.\n"); } char * @@ -103,6 +104,8 @@ int p[2], status; char buf[1024]; + if (fflush(stdout) != 0) + error("ssh_askpass: fflush: %s", strerror(errno)); if (askpass == NULL) fatal("internal error: askpass undefined"); if (pipe(p) < 0) @@ -117,9 +120,7 @@ fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno)); } close(p[1]); - buf[0] = '\0'; - atomicio(read, p[0], buf, sizeof buf); - len = strlen(buf); + len = read(p[0], buf, sizeof buf); close(p[0]); while (waitpid(pid, &status, 0) < 0) if (errno != EINTR) @@ -144,7 +145,7 @@ char buf[1024], msg[1024]; int success; int interactive = isatty(STDIN_FILENO); - int type = KEY_RSA; + int type = KEY_RSA1; if (stat(filename, &st) < 0) { perror(filename); 
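Review bot: replacing `atomicio(read, ...)` plus strlen() with a single `len = read(p[0], buf, sizeof buf)` in ssh_askpass drops guarantees the old code relied on. read() may return -1, may return fewer bytes than the askpass program wrote (a pipe read is not guaranteed to be complete), and may fill all of `sizeof buf` leaving no room for a terminator, while `buf` is no longer primed with `buf[0] = '\0'`. The code that follows this hunk must treat `len <= 0` as failure, read at most `sizeof buf - 1`, and NUL-terminate explicitly before the passphrase is used. The added `fflush(stdout)` before the fork is a good fix, since pending stdio output would otherwise be emitted by both processes.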
@@ -154,10 +155,10 @@ * try to load the public key. right now this only works for RSA, * since DSA keys are fully encrypted */ - public = key_new(KEY_RSA); + public = key_new(KEY_RSA1); if (!load_public_key(filename, public, &saved_comment)) { - /* ok, so we will asume this is a DSA key */ - type = KEY_DSA; + /* ok, so we will assume this is 'some' key */ + type = KEY_UNSPEC; saved_comment = xstrdup(filename); } key_free(public); @@ -166,7 +167,7 @@ if (getenv(SSH_ASKPASS_ENV)) askpass = getenv(SSH_ASKPASS_ENV); else - askpass = SSH_ASKPASS_DEFAULT; + askpass = _PATH_SSH_ASKPASS_DEFAULT; } /* At first, try empty passphrase */ @@ -223,8 +224,9 @@ key = ssh_get_next_identity(ac, &comment, version)) { had_identities = 1; if (fp) { - printf("%d %s %s\n", - key_size(key), key_fingerprint(key), comment); + printf("%d %s %s (%s)\n", + key_size(key), key_fingerprint(key), + comment, key_type(key)); } else { if (!key_write(key, stdout)) fprintf(stderr, "key_write failed"); @@ -248,16 +250,10 @@ int i; int deleting = 0; + __progname = get_progname(argv[0]); init_rng(); - /* check if RSA support exists */ - if (rsa_alive() == 0) { - fprintf(stderr, - "%s: no RSA support in libssl and libcrypto. See ssl(8).\n", - __progname); - exit(1); - } - SSLeay_add_all_algorithms(); + SSLeay_add_all_algorithms(); /* At first, get a connection to the authentication agent. */ ac = ssh_get_authentication_connection(); @@ -296,7 +292,7 @@ ssh_close_authentication_connection(ac); exit(1); } - snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, SSH_CLIENT_IDENTITY); + snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, _PATH_SSH_CLIENT_IDENTITY); if (deleting) delete_file(ac, buf); else diff -ru openssh-2.3.0p1/ssh-agent.0 openssh-2.5.1p1/ssh-agent.0 --- openssh-2.3.0p1/ssh-agent.0 2000-11-06 14:25:19.000000000 +1100 +++ openssh-2.5.1p1/ssh-agent.0 2001-02-19 21:54:45.000000000 +1100 
@@ -5,7 +5,9 @@ ssh-agent - authentication agent SYNOPSIS - ssh-agent [-c | -s] [-k] [command [args ...]] + ssh-agent command args ... + ssh-agent [-c | -s] + ssh-agent -k DESCRIPTION ssh-agent is a program to hold private keys used for public key authenti- @@ -63,8 +65,6 @@ terminates. FILES - - $HOME/.ssh/identity Contains the RSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to 
@@ -75,31 +75,21 @@ $HOME/.ssh/id_dsa Contains the DSA authentication identity of the user. - (/tmp/ssh-XXXXXXXX/agent.), Unix-domain sockets used to con- - tain the connection to the authentication agent. These sockets - should only be readable by the owner. The sockets should get au- - tomatically removed when the agent exits. - -AUTHOR - Tatu Ylonen - - OpenSSH is a derivative of the original (free) ssh 1.2.12 release, but - with bugs removed and newer features re-added. Rapidly after the 1.2.12 - release, newer versions bore successively more restrictive licenses. - This version of OpenSSH - - o has all components of a restrictive nature (i.e., patents, see - crypto(3)) directly removed from the source code; any licensed or - patented components are chosen from external libraries. - - o has been updated to support ssh protocol 1.5. - - o contains added support for kerberos(8) authentication and ticket - passing. - o supports one-time password authentication with skey(1). + /tmp/ssh-XXXXXXXX/agent. + Unix-domain sockets used to contain the connection to the authen- + tication agent. These sockets should only be readable by the + owner. The sockets should get automatically removed when the + agent exits. + +AUTHORS + OpenSSH is a derivative of the original and free ssh 1.2.12 release by + Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo + de Raadt and Dug Song removed many bugs, re-added newer features and cre- + ated OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. SEE ALSO - ssh(1), ssh-add(1), ssh-keygen(1), sshd(8), crypto(3) + ssh(1), ssh-add(1), ssh-keygen(1), sshd(8) BSD Experimental September 25, 1999 2 diff -ru openssh-2.3.0p1/ssh-agent.1 openssh-2.5.1p1/ssh-agent.1 --- openssh-2.3.0p1/ssh-agent.1 2000-09-16 13:29:10.000000000 +1100 +++ openssh-2.5.1p1/ssh-agent.1 2001-02-11 10:56:36.000000000 +1100 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.16 2000/09/07 20:27:54 deraadt Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.21 2001/02/08 19:22:38 itojun Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -42,12 +42,12 @@ .Nd authentication agent .Sh SYNOPSIS .Nm ssh-agent -.Op Fl c Li | Fl s -.Op Fl k -.Oo .Ar command -.Op Ar args ... -.Oc +.Ar args ... +.Nm ssh-agent +.Op Fl c Li | Fl s +.Nm ssh-agent +.Fl k .Sh DESCRIPTION .Nm is a program to hold private keys used for public key authentication 
@@ -154,41 +154,23 @@ at login time. .It Pa $HOME/.ssh/id_dsa Contains the DSA authentication identity of the user. -.Pq Pa /tmp/ssh-XXXXXXXX/agent. , +.It Pa /tmp/ssh-XXXXXXXX/agent. Unix-domain sockets used to contain the connection to the authentication agent. These sockets should only be readable by the owner. The sockets should get automatically removed when the agent exits. .El -.Sh AUTHOR -Tatu Ylonen -.Pp -OpenSSH -is a derivative of the original (free) ssh 1.2.12 release, but with bugs -removed and newer features re-added. -Rapidly after the 1.2.12 release, -newer versions bore successively more restrictive licenses. -This version of OpenSSH -.Bl -bullet -.It -has all components of a restrictive nature (i.e., patents, see -.Xr crypto 3 ) -directly removed from the source code; any licensed or patented components -are chosen from -external libraries. -.It -has been updated to support ssh protocol 1.5. -.It -contains added support for -.Xr kerberos 8 -authentication and ticket passing. -.It -supports one-time password authentication with -.Xr skey 1 . -.El +.Sh AUTHORS +OpenSSH is a derivative of the original and free +ssh 1.2.12 release by Tatu Ylonen. +Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, +Theo de Raadt and Dug Song +removed many bugs, re-added newer features and +created OpenSSH. +Markus Friedl contributed the support for SSH +protocol versions 1.5 and 2.0. .Sh SEE ALSO .Xr ssh 1 , .Xr ssh-add 1 , .Xr ssh-keygen 1 , -.Xr sshd 8 , -.Xr crypto 3 +.Xr sshd 8 diff -ru openssh-2.3.0p1/ssh-agent.c openssh-2.5.1p1/ssh-agent.c --- openssh-2.3.0p1/ssh-agent.c 2000-09-29 23:01:37.000000000 +1100 +++ openssh-2.5.1p1/ssh-agent.c 2001-02-11 10:13:41.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.37 2000/09/21 11:07:51 markus Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.50 2001/02/08 19:30:52 itojun Exp $ */ /* * Author: Tatu Ylonen 
@@ -37,7 +37,10 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-agent.c,v 1.37 2000/09/21 11:07:51 markus Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.50 2001/02/08 19:30:52 itojun Exp $"); + +#include +#include #include "ssh.h" #include "rsa.h" @@ -47,16 +50,12 @@ #include "packet.h" #include "getput.h" #include "mpaux.h" - -#include -#include -#include -#include #include "key.h" #include "authfd.h" -#include "dsa.h" +#include "cipher.h" #include "kex.h" #include "compat.h" +#include "log.h" typedef struct { int fd; @@ -67,7 +66,7 @@ Buffer output; } SocketEntry; -unsigned int sockets_alloc = 0; +u_int sockets_alloc = 0; SocketEntry *sockets = NULL; typedef struct { @@ -94,9 +93,11 @@ #ifdef HAVE___PROGNAME extern char *__progname; -#else /* HAVE___PROGNAME */ -static const char *__progname = "ssh-agent"; -#endif /* HAVE___PROGNAME */ +#else +char *__progname; +#endif + +int prepare_select(fd_set **, fd_set **, int *); void idtab_init(void) @@ -147,14 +148,14 @@ buffer_put_int(&msg, tab->nentries); for (i = 0; i < tab->nentries; i++) { Identity *id = &tab->identities[i]; - if (id->key->type == KEY_RSA) { + if (id->key->type == KEY_RSA1) { buffer_put_int(&msg, BN_num_bits(id->key->rsa->n)); buffer_put_bignum(&msg, id->key->rsa->e); buffer_put_bignum(&msg, id->key->rsa->n); } else { - unsigned char *blob; - unsigned int blen; - dsa_make_key_blob(id->key, &blob, &blen); + u_char *blob; + u_int blen; + key_to_blob(id->key, &blob, &blen); buffer_put_string(&msg, blob, blen); xfree(blob); } @@ -174,11 +175,11 @@ int i, len; Buffer msg; MD5_CTX md; - unsigned char buf[32], mdbuf[16], session_id[16]; - unsigned int response_type; + u_char buf[32], mdbuf[16], session_id[16]; + u_int response_type; buffer_init(&msg); - key = key_new(KEY_RSA); + key = key_new(KEY_RSA1); challenge = BN_new(); buffer_get_int(&e->input); /* ignored */ 
@@ -197,7 +198,8 @@ private = lookup_private_key(key, NULL, 1); if (private != NULL) { /* Decrypt the challenge using the private key. */ - rsa_private_decrypt(challenge, challenge, private->rsa); + if (rsa_private_decrypt(challenge, challenge, private->rsa) <= 0) + goto failure; /* The response is MD5 of decrypted challenge plus session id. */ len = BN_num_bytes(challenge); @@ -236,14 +238,14 @@ { extern int datafellows; Key *key, *private; - unsigned char *blob, *data, *signature = NULL; - unsigned int blen, dlen, slen = 0; + u_char *blob, *data, *signature = NULL; + u_int blen, dlen, slen = 0; int flags; Buffer msg; int ok = -1; datafellows = 0; - + blob = buffer_get_string(&e->input, &blen); data = buffer_get_string(&e->input, &dlen); @@ -251,11 +253,11 @@ if (flags & SSH_AGENT_OLD_SIGNATURE) datafellows = SSH_BUG_SIGBLOB; - key = dsa_key_from_blob(blob, blen); + key = key_from_blob(blob, blen); if (key != NULL) { private = lookup_private_key(key, NULL, 2); if (private != NULL) - ok = dsa_sign(private, &signature, &slen, data, dlen); + ok = key_sign(private, &signature, &slen, data, dlen); } key_free(key); buffer_init(&msg); @@ -280,25 +282,25 @@ process_remove_identity(SocketEntry *e, int version) { Key *key = NULL, *private; - unsigned char *blob; - unsigned int blen; - unsigned int bits; + u_char *blob; + u_int blen; + u_int bits; int success = 0; switch(version){ case 1: - key = key_new(KEY_RSA); + key = key_new(KEY_RSA1); bits = buffer_get_int(&e->input); buffer_get_bignum(&e->input, key->rsa->e); buffer_get_bignum(&e->input, key->rsa->n); if (bits != key_size(key)) log("Warning: identity keysize mismatch: actual %d, announced %d", - key_size(key), bits); + key_size(key), bits); break; case 2: blob = buffer_get_string(&e->input, &blen); - key = dsa_key_from_blob(blob, blen); + key = key_from_blob(blob, blen); xfree(blob); break; } 
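Review bot: the new `if (rsa_private_decrypt(...) <= 0) goto failure;` in the challenge hunk (@@ -197,7 +198,8 @@) jumps to a label outside the visible context. That path must still send the failure reply and release `challenge` (BN_new) and `key` (key_new(KEY_RSA1)) allocated at the top of the function, otherwise every malformed challenge leaks a BIGNUM and a Key in a long-lived agent; a one-line comment at the label stating that it frees both would settle it. Turning a silently ignored decrypt error into an explicit failure is the right change, as the old code went on to hash whatever was left in `challenge`.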
@@ -309,14 +311,24 @@ /* * We have this key. Free the old key. Since we * don\'t want to leave empty slots in the middle of - * the array, we actually free the key there and copy - * data from the last entry. + * the array, we actually free the key there and move + * all the entries between the empty slot and the end + * of the array. */ Idtab *tab = idtab_lookup(version); key_free(tab->identities[idx].key); xfree(tab->identities[idx].comment); - if (idx != tab->nentries) - tab->identities[idx] = tab->identities[tab->nentries]; + if (tab->nentries < 1) + fatal("process_remove_identity: " + "internal error: tab->nentries %d", + tab->nentries); + if (idx != tab->nentries - 1) { + int i; + for (i = idx; i < tab->nentries - 1; i++) + tab->identities[i] = tab->identities[i+1]; + } + tab->identities[tab->nentries - 1].key = NULL; + tab->identities[tab->nentries - 1].comment = NULL; tab->nentries--; success = 1; } @@ -330,7 +342,7 @@ void process_remove_all_identities(SocketEntry *e, int version) { - unsigned int i; + u_int i; Idtab *tab = idtab_lookup(version); /* Loop over all identities and clear the keys. */ 
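Review bot: in process_remove_identity the `tab->nentries < 1` sanity check sits after `key_free(tab->identities[idx].key)` and `xfree(tab->identities[idx].comment)`, so if it ever fired the code would already have freed through an index into an empty table; move the fatal() above the two frees. The shift loop itself fixes a real off-by-one in the old code, which copied `identities[nentries]` (one past the last valid slot) into the vacated position; setting the tail entry's `key` and `comment` to NULL after the shift is a good touch that keeps a stale pointer from being freed twice later.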
@@ -349,79 +361,80 @@ } void -process_add_identity(SocketEntry *e, int version) +generate_additional_parameters(RSA *rsa) { - Key *k = NULL; - RSA *rsa; BIGNUM *aux; BN_CTX *ctx; - char *type; + /* Generate additional parameters */ + aux = BN_new(); + ctx = BN_CTX_new(); + + BN_sub(aux, rsa->q, BN_value_one()); + BN_mod(rsa->dmq1, rsa->d, aux, ctx); + + BN_sub(aux, rsa->p, BN_value_one()); + BN_mod(rsa->dmp1, rsa->d, aux, ctx); + + BN_clear_free(aux); + BN_CTX_free(ctx); +} + +void +process_add_identity(SocketEntry *e, int version) +{ + Key *k = NULL; + char *type_name; char *comment; - int success = 0; + int type, success = 0; Idtab *tab = idtab_lookup(version); switch (version) { case 1: - k = key_new(KEY_RSA); - rsa = k->rsa; - - /* allocate mem for private key */ - /* XXX rsa->n and rsa->e are already allocated */ - rsa->d = BN_new(); - rsa->iqmp = BN_new(); - rsa->q = BN_new(); - rsa->p = BN_new(); - rsa->dmq1 = BN_new(); - rsa->dmp1 = BN_new(); - - buffer_get_int(&e->input); /* ignored */ - - buffer_get_bignum(&e->input, rsa->n); - buffer_get_bignum(&e->input, rsa->e); - buffer_get_bignum(&e->input, rsa->d); - buffer_get_bignum(&e->input, rsa->iqmp); + k = key_new_private(KEY_RSA1); + buffer_get_int(&e->input); /* ignored */ + buffer_get_bignum(&e->input, k->rsa->n); + buffer_get_bignum(&e->input, k->rsa->e); + buffer_get_bignum(&e->input, k->rsa->d); + buffer_get_bignum(&e->input, k->rsa->iqmp); /* SSH and SSL have p and q swapped */ - buffer_get_bignum(&e->input, rsa->q); /* p */ - buffer_get_bignum(&e->input, rsa->p); /* q */ + buffer_get_bignum(&e->input, k->rsa->q); /* p */ + buffer_get_bignum(&e->input, k->rsa->p); /* q */ /* Generate additional parameters */ - aux = BN_new(); - ctx = BN_CTX_new(); - - BN_sub(aux, rsa->q, BN_value_one()); - BN_mod(rsa->dmq1, rsa->d, aux, ctx); - - BN_sub(aux, rsa->p, BN_value_one()); - BN_mod(rsa->dmp1, rsa->d, aux, ctx); - - BN_clear_free(aux); - BN_CTX_free(ctx); - + generate_additional_parameters(k->rsa); break; case 
2: - type = buffer_get_string(&e->input, NULL); - if (strcmp(type, KEX_DSS)) { + type_name = buffer_get_string(&e->input, NULL); + type = key_type_from_name(type_name); + xfree(type_name); + switch(type) { + case KEY_DSA: + k = key_new_private(type); + buffer_get_bignum2(&e->input, k->dsa->p); + buffer_get_bignum2(&e->input, k->dsa->q); + buffer_get_bignum2(&e->input, k->dsa->g); + buffer_get_bignum2(&e->input, k->dsa->pub_key); + buffer_get_bignum2(&e->input, k->dsa->priv_key); + break; + case KEY_RSA: + k = key_new_private(type); + buffer_get_bignum2(&e->input, k->rsa->n); + buffer_get_bignum2(&e->input, k->rsa->e); + buffer_get_bignum2(&e->input, k->rsa->d); + buffer_get_bignum2(&e->input, k->rsa->iqmp); + buffer_get_bignum2(&e->input, k->rsa->p); + buffer_get_bignum2(&e->input, k->rsa->q); + + /* Generate additional parameters */ + generate_additional_parameters(k->rsa); + break; + default: buffer_clear(&e->input); - xfree(type); goto send; } - xfree(type); - - k = key_new(KEY_DSA); - - /* allocate mem for private key */ - k->dsa->priv_key = BN_new(); - - buffer_get_bignum2(&e->input, k->dsa->p); - buffer_get_bignum2(&e->input, k->dsa->q); - buffer_get_bignum2(&e->input, k->dsa->g); - buffer_get_bignum2(&e->input, k->dsa->pub_key); - buffer_get_bignum2(&e->input, k->dsa->priv_key); - break; } - comment = buffer_get_string(&e->input, NULL); if (k == NULL) { xfree(comment); @@ -453,12 +466,12 @@ void process_message(SocketEntry *e) { - unsigned int msg_len; - unsigned int type; - unsigned char *cp; + u_int msg_len; + u_int type; + u_char *cp; if (buffer_len(&e->input) < 5) return; /* Incomplete message. */ - cp = (unsigned char *) buffer_ptr(&e->input); + cp = (u_char *) buffer_ptr(&e->input); msg_len = GET_32BIT(cp); if (msg_len > 256 * 1024) { shutdown(e->fd, SHUT_RDWR); 
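Review bot: generate_additional_parameters() ignores the return values of BN_sub() and BN_mod(), and the new `case KEY_RSA:` path feeds it p and q read straight off the socket with no consistency check. If a client (or a corrupt key file behind it) supplies p or q equal to 1, `aux` becomes zero, BN_mod() fails and dmp1/dmq1 are left unset, yet the identity is added and later used for signing with a broken CRT. Have generate_additional_parameters() return an int, fail the add when any BN_* call reports an error, and consider verifying p*q == n before accepting the key, the same way the `default:` branch already rejects unknown types. The `/* SSH and SSL have p and q swapped */` reading order from the version 1 case is deliberately not applied in the KEY_RSA case; a comment saying that ssh-rsa blobs carry p and q in OpenSSL order would stop someone from "fixing" it later.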
@@ -517,7 +530,7 @@ void new_socket(int type, int fd) { - unsigned int i, old_alloc; + u_int i, old_alloc; if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0) error("fcntl O_NONBLOCK: %s", strerror(errno)); @@ -546,17 +559,17 @@ buffer_init(&sockets[old_alloc].output); } -void -prepare_select(fd_set *readset, fd_set *writeset) +int +prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl) { - unsigned int i; - for (i = 0; i < sockets_alloc; i++) + u_int i, sz; + int n = 0; + + for (i = 0; i < sockets_alloc; i++) { switch (sockets[i].type) { case AUTH_SOCKET: case AUTH_CONNECTION: - FD_SET(sockets[i].fd, readset); - if (buffer_len(&sockets[i].output) > 0) - FD_SET(sockets[i].fd, writeset); + n = MAX(n, sockets[i].fd); break; case AUTH_UNUSED: break; @@ -564,12 +577,40 @@ fatal("Unknown socket type %d", sockets[i].type); break; } + } + + sz = howmany(n+1, NFDBITS) * sizeof(fd_mask); + if (*fdrp == NULL || n > *fdl) { + if (*fdrp) + free(*fdrp); + if (*fdwp) + free(*fdwp); + *fdrp = xmalloc(sz); + *fdwp = xmalloc(sz); + *fdl = n; + } + memset(*fdrp, 0, sz); + memset(*fdwp, 0, sz); + + for (i = 0; i < sockets_alloc; i++) { + switch (sockets[i].type) { + case AUTH_SOCKET: + case AUTH_CONNECTION: + FD_SET(sockets[i].fd, *fdrp); + if (buffer_len(&sockets[i].output) > 0) + FD_SET(sockets[i].fd, *fdwp); + break; + default: + break; + } + } + return (1); } void after_select(fd_set *readset, fd_set *writeset) { - unsigned int i; + u_int i; int len, sock; socklen_t slen; char buf[1024]; @@ -582,7 +623,8 @@ case AUTH_SOCKET: if (FD_ISSET(sockets[i].fd, readset)) { slen = sizeof(sunaddr); - sock = accept(sockets[i].fd, (struct sockaddr *) & sunaddr, &slen); + sock = accept(sockets[i].fd, + (struct sockaddr *) &sunaddr, &slen); if (sock < 0) { perror("accept from AUTH_SOCKET"); break; 
@@ -593,8 +635,9 @@ case AUTH_CONNECTION: if (buffer_len(&sockets[i].output) > 0 && FD_ISSET(sockets[i].fd, writeset)) { - len = write(sockets[i].fd, buffer_ptr(&sockets[i].output), - buffer_len(&sockets[i].output)); + len = write(sockets[i].fd, + buffer_ptr(&sockets[i].output), + buffer_len(&sockets[i].output)); if (len <= 0) { shutdown(sockets[i].fd, SHUT_RDWR); close(sockets[i].fd); @@ -627,19 +670,24 @@ void check_parent_exists(int sig) { + int save_errno = errno; + if (parent_pid != -1 && kill(parent_pid, 0) < 0) { /* printf("Parent has died - Authentication agent exiting.\n"); */ exit(1); } signal(SIGALRM, check_parent_exists); alarm(10); + errno = save_errno; } void cleanup_socket(void) { - unlink(socket_name); - rmdir(socket_dir); + if (socket_name[0]) + unlink(socket_name); + if (socket_dir[0]) + rmdir(socket_dir); } void @@ -650,33 +698,37 @@ } void -usage() +cleanup_handler(int sig) +{ + cleanup_socket(); + _exit(2); +} + +void +usage(void) { fprintf(stderr, "ssh-agent version %s\n", SSH_VERSION); fprintf(stderr, "Usage: %s [-c | -s] [-k] [command {args...]]\n", - __progname); + __progname); exit(1); } int main(int ac, char **av) { - fd_set readset, writeset; int sock, c_flag = 0, k_flag = 0, s_flag = 0, ch; struct sockaddr_un sunaddr; +#ifdef HAVE_SETRLIMIT + struct rlimit rlim; +#endif pid_t pid; char *shell, *format, *pidstr, pidstrbuf[1 + 3 * sizeof pid]; extern int optind; - + fd_set *readsetp = NULL, *writesetp = NULL; + + __progname = get_progname(av[0]); init_rng(); - - /* check if RSA support exists */ - if (rsa_alive() == 0) { - fprintf(stderr, - "%s: no RSA support in libssl and libcrypto. See ssl(8).\n", - __progname); - exit(1); - } + #ifdef __GNU_LIBRARY__ while ((ch = getopt(ac, av, "+cks")) != -1) { #else /* __GNU_LIBRARY__ */ 
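Review bot: check_parent_exists now saves and restores errno, which shows the handler is meant to be async-signal-safe, yet it still calls exit(1), which runs atexit handlers and stdio flushing from signal context. The new cleanup_handler gets this right with cleanup_socket() followed by _exit(2); the SIGALRM handler should do the same. Separately, the usage() string still advertises `[-c | -s] [-k] [command {args...]]`, with a `{` closed by `]`, while the ssh-agent.1 synopsis in this same patch was split into three forms (`ssh-agent command args ...`, `ssh-agent [-c | -s]`, `ssh-agent -k`); update the string to match the manual page.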
@@ -715,14 +767,13 @@ pidstr = getenv(SSH_AGENTPID_ENV_NAME); if (pidstr == NULL) { fprintf(stderr, "%s not set, cannot kill agent\n", - SSH_AGENTPID_ENV_NAME); + SSH_AGENTPID_ENV_NAME); exit(1); } pid = atoi(pidstr); - if (pid < 1) { /* XXX PID_MAX check too */ - /* Yes, PID_MAX check please */ + if (pid < 1) { fprintf(stderr, "%s=\"%s\", which is not a good PID\n", - SSH_AGENTPID_ENV_NAME, pidstr); + SSH_AGENTPID_ENV_NAME, pidstr); exit(1); } if (kill(pid, SIGTERM) == -1) { @@ -744,7 +795,7 @@ exit(1); } snprintf(socket_name, sizeof socket_name, "%s/agent.%d", socket_dir, - parent_pid); + parent_pid); /* * Create socket early so it will exist before command gets run from @@ -766,6 +817,7 @@ perror("listen"); cleanup_exit(1); } + /* * Fork, and have the parent execute the command, if any, or present * the socket data. The child continues as the authentication agent. @@ -781,9 +833,9 @@ if (ac == 0) { format = c_flag ? "setenv %s %s;\n" : "%s=%s; export %s;\n"; printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name, - SSH_AUTHSOCKET_ENV_NAME); + SSH_AUTHSOCKET_ENV_NAME); printf(format, SSH_AGENTPID_ENV_NAME, pidstrbuf, - SSH_AGENTPID_ENV_NAME); + SSH_AGENTPID_ENV_NAME); printf("echo Agent pid %d;\n", pid); exit(0); } @@ -800,6 +852,14 @@ close(1); close(2); +#ifdef HAVE_SETRLIMIT + /* deny core dumps, since memory contains unencrypted private keys */ + rlim.rlim_cur = rlim.rlim_max = 0; + if (setrlimit(RLIMIT_CORE, &rlim) < 0) { + perror("setrlimit rlimit_core failed"); + cleanup_exit(1); + } +#endif if (setsid() == -1) { perror("setsid"); cleanup_exit(1); 
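Review bot: in the HAVE_SETRLIMIT block the `perror("setrlimit rlimit_core failed")` runs after the `close(1); close(2);` shown in the same hunk's context, so the diagnostic goes to a closed descriptor and is lost; move the setrlimit() call above the close()s within the child branch (keeping it in the child, so the command exec'd by the parent is not affected) or report the failure through the logging facility. Disabling core dumps is the right measure for a process that holds unencrypted private keys.

Review bot: the -k hunk removes the `XXX PID_MAX check too` comment without adding the check. `pid = atoi(pidstr)` accepts trailing garbage, overflows silently and the result is passed straight to kill(pid, SIGTERM); parsing with strtol(), rejecting unconsumed characters and out-of-range values, would justify dropping the XXX.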
@@ -816,18 +876,16 @@ idtab_init(); signal(SIGINT, SIG_IGN); signal(SIGPIPE, SIG_IGN); - signal(SIGHUP, cleanup_exit); - signal(SIGTERM, cleanup_exit); + signal(SIGHUP, cleanup_handler); + signal(SIGTERM, cleanup_handler); while (1) { - FD_ZERO(&readset); - FD_ZERO(&writeset); - prepare_select(&readset, &writeset); - if (select(max_fd + 1, &readset, &writeset, NULL, NULL) < 0) { + prepare_select(&readsetp, &writesetp, &max_fd); + if (select(max_fd + 1, readsetp, writesetp, NULL, NULL) < 0) { if (errno == EINTR) continue; exit(1); } - after_select(&readset, &writeset); + after_select(readsetp, writesetp); } /* NOTREACHED */ } Only in openssh-2.5.1p1: ssh-dss.c Only in openssh-2.5.1p1: ssh-dss.h diff -ru openssh-2.3.0p1/ssh-keygen.0 openssh-2.5.1p1/ssh-keygen.0 --- openssh-2.3.0p1/ssh-keygen.0 2000-11-06 14:25:19.000000000 +1100 +++ openssh-2.5.1p1/ssh-keygen.0 2001-02-19 21:54:45.000000000 +1100 @@ -5,7 +5,7 @@ ssh-keygen - authentication key generation SYNOPSIS - ssh-keygen [-dq] [-b bits] [-N new_passphrase] [-C comment] [-f + ssh-keygen [-q] [-b bits] [-t type] [-N new_passphrase] [-C comment] [-f output_keyfile] ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile] ssh-keygen -x [-f input_keyfile] @@ -13,12 +13,11 @@ ssh-keygen -y [-f input_keyfile] ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile] ssh-keygen -l [-f input_keyfile] - ssh-keygen -R DESCRIPTION ssh-keygen generates and manages authentication keys for ssh(1). ssh- keygen defaults to generating an RSA key for use by protocols 1.3 and - 1.5; specifying the -d flag will create a DSA key instead for use by pro- + 1.5; specifying the -t option allows you to create a key for use by pro- tocol 2.0. Normally each user wishing to use SSH with RSA or DSA authentication runs 
@@ -29,7 +28,7 @@ Normally this program generates the key and asks for a file in which to store the private key. The public key is stored in a file with the same name but ``.pub'' appended. The program also asks for a passphrase. The - passphrase may be empty to indicate no passphrase (host keys must have + passphrase may be empty to indicate no passphrase (host keys must have an empty passphrase), or it may be a string of arbitrary length. Good passphrases are 10-30 characters long and are not simple sentences or otherwise easily guessable (English prose has only 1-2 bits of entropy @@ -63,6 +62,7 @@ comment. + -f Specifies the filename of the key file. -l Show fingerprint of specified private or public key file. @@ -74,6 +74,11 @@ -q Silence ssh-keygen. Used by /etc/rc when creating a new key. + -t type + Specifies the type of the key to create. The possible values are + ``rsa1'' for protocol version 1 and ``rsa'' or ``dsa'' for proto- + col version 2. The default is ``rsa''. + -C comment Provides the new comment. @@ -83,10 +88,6 @@ -P passphrase Provides the (old) passphrase. - -R If RSA support is functional, immediately exits with code 0. If - RSA support is not functional, exits with code 1. This flag will - be removed once the RSA patent expires. - -x This option will read a private OpenSSH DSA format file and print a SSH2-compatible public key to stdout. @@ -94,8 +95,8 @@ public) key file and print an OpenSSH compatible private (or pub- lic) key to stdout. - -y This option will read a private OpenSSH DSA format file and print - an OpenSSH DSA public key to stdout. + -y This option will read a private OpenSSH format file and print an + OpenSSH public key to stdout. FILES $HOME/.ssh/identity 
@@ -125,29 +126,17 @@ $HOME/.ssh/id_dsa.pub Contains the public key for authentication. The contents of this file should be added to $HOME/.ssh/authorized_keys2 on all ma- - chines where you wish to log in using DSA authentication. There - is no need to keep the contents of this file secret. - -AUTHOR - Tatu Ylonen - - OpenSSH is a derivative of the original (free) ssh 1.2.12 release, but - with bugs removed and newer features re-added. Rapidly after the 1.2.12 - release, newer versions bore successively more restrictive licenses. - This version of OpenSSH - - o has all components of a restrictive nature (i.e., patents, see - crypto(3)) directly removed from the source code; any licensed or - patented components are chosen from external libraries. - - o has been updated to support ssh protocol 1.5. - - o contains added support for kerberos(8) authentication and ticket - passing. + chines where you wish to log in using public key authentication. + There is no need to keep the contents of this file secret. - o supports one-time password authentication with skey(1). +AUTHORS + OpenSSH is a derivative of the original and free ssh 1.2.12 release by + Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo + de Raadt and Dug Song removed many bugs, re-added newer features and cre- + ated OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. SEE ALSO - ssh(1), ssh-add(1), ssh-agent(1), sshd(8), crypto(3) + ssh(1), ssh-add(1), ssh-agent(1), sshd(8) BSD Experimental September 25, 1999 3 diff -ru openssh-2.3.0p1/ssh-keygen.1 openssh-2.5.1p1/ssh-keygen.1 --- openssh-2.3.0p1/ssh-keygen.1 2000-10-14 16:23:12.000000000 +1100 +++ openssh-2.5.1p1/ssh-keygen.1 2001-02-11 10:56:36.000000000 +1100 @@ -1,3 +1,5 @@ +.\" $OpenBSD: ssh-keygen.1,v 1.30 2001/02/08 19:22:38 itojun Exp $ +.\" .\" -*- nroff -*- .\" .\" Author: Tatu Ylonen 
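Review bot: the rendered footer in this hunk's context still reads "September 25, 1999" although option semantics changed in this release (-d replaced by -t, -R removed); bump the .Dd date in ssh-keygen.1 so a reader can tell which version of the page they are holding.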
@@ -43,8 +45,9 @@ .Nd authentication key generation .Sh SYNOPSIS .Nm ssh-keygen -.Op Fl dq +.Op Fl q .Op Fl b Ar bits +.Op Fl t Ar type .Op Fl N Ar new_passphrase .Op Fl C Ar comment .Op Fl f Ar output_keyfile @@ -70,8 +73,6 @@ .Nm ssh-keygen .Fl l .Op Fl f Ar input_keyfile -.Nm ssh-keygen -.Fl R .Sh DESCRIPTION .Nm generates and manages authentication keys for @@ -79,8 +80,8 @@ .Nm defaults to generating an RSA key for use by protocols 1.3 and 1.5; specifying the -.Fl d -flag will create a DSA key instead for use by protocol 2.0. +.Fl t +option allows you to create a key for use by protocol 2.0. .Pp Normally each user wishing to use SSH with RSA or DSA authentication runs this once to create the authentication @@ -99,7 +100,7 @@ appended. The program also asks for a passphrase. The passphrase may be empty to indicate no passphrase -(host keys must have empty passphrase), or it may be a string of +(host keys must have an empty passphrase), or it may be a string of arbitrary length. Good passphrases are 10-30 characters long and are not simple sentences or otherwise easily guessable (English @@ -154,16 +155,23 @@ Used by .Pa /etc/rc when creating a new key. +.It Fl t Ar type +Specifies the type of the key to create. +The possible values are +.Dq rsa1 +for protocol version 1 and +.Dq rsa +or +.Dq dsa +for protocol version 2. +The default is +.Dq rsa . .It Fl C Ar comment Provides the new comment. .It Fl N Ar new_passphrase Provides the new passphrase. .It Fl P Ar passphrase Provides the (old) passphrase. -.It Fl R -If RSA support is functional, immediately exits with code 0. If RSA -support is not functional, exits with code 1. This flag will be -removed once the RSA patent expires. .It Fl x This option will read a private OpenSSH DSA format file and print a SSH2-compatible public key to stdout. 
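Review bot: the rewritten DESCRIPTION sentence "specifying the -t option allows you to create a key for use by protocol 2.0" under-describes -t, which also accepts rsa1; suggest "the -t option selects the key type (rsa1 for protocol 1, rsa or dsa for protocol 2)". In the same hunk the -x entry is untouched and still says it reads a "private OpenSSH DSA format file", while do_convert_to_ssh2() in the ssh-keygen.c hunk now loads KEY_UNSPEC; update it the same way -y was.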
@@ -173,7 +181,7 @@ print an OpenSSH compatible private (or public) key to stdout. .It Fl y This option will read a private -OpenSSH DSA format file and print an OpenSSH DSA public key to stdout. +OpenSSH format file and print an OpenSSH public key to stdout. .El .Sh FILES .Bl -tag -width Ds @@ -211,38 +219,20 @@ The contents of this file should be added to .Pa $HOME/.ssh/authorized_keys2 on all machines -where you wish to log in using DSA authentication. +where you wish to log in using public key authentication. There is no need to keep the contents of this file secret. .El -.Sh AUTHOR -Tatu Ylonen -.Pp -OpenSSH -is a derivative of the original (free) ssh 1.2.12 release, but with bugs -removed and newer features re-added. -Rapidly after the 1.2.12 release, -newer versions bore successively more restrictive licenses. -This version of OpenSSH -.Bl -bullet -.It -has all components of a restrictive nature (i.e., patents, see -.Xr crypto 3 ) -directly removed from the source code; any licensed or patented components -are chosen from -external libraries. -.It -has been updated to support ssh protocol 1.5. -.It -contains added support for -.Xr kerberos 8 -authentication and ticket passing. -.It -supports one-time password authentication with -.Xr skey 1 . -.El +.Sh AUTHORS +OpenSSH is a derivative of the original and free +ssh 1.2.12 release by Tatu Ylonen. +Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, +Theo de Raadt and Dug Song +removed many bugs, re-added newer features and +created OpenSSH. +Markus Friedl contributed the support for SSH +protocol versions 1.5 and 2.0. .Sh SEE ALSO .Xr ssh 1 , .Xr ssh-add 1 , .Xr ssh-agent 1 , -.Xr sshd 8 , -.Xr crypto 3 +.Xr sshd 8 diff -ru openssh-2.3.0p1/ssh-keygen.c openssh-2.5.1p1/ssh-keygen.c --- openssh-2.3.0p1/ssh-keygen.c 2000-10-14 16:23:12.000000000 +1100 +++ openssh-2.5.1p1/ssh-keygen.c 2001-02-15 14:08:27.000000000 +1100 
@@ -12,23 +12,20 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.32 2000/10/09 21:30:44 markus Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.43 2001/02/12 16:16:23 markus Exp $"); #include #include -#include -#include -#include "ssh.h" #include "xmalloc.h" #include "key.h" -#include "rsa.h" -#include "dsa.h" #include "authfile.h" #include "uuencode.h" - #include "buffer.h" #include "bufaux.h" +#include "pathnames.h" +#include "log.h" +#include "readpass.h" /* Number of bits in the RSA/DSA key. This value can be changed on the command line. */ int bits = 1024; @@ -67,14 +64,16 @@ int convert_to_ssh2 = 0; int convert_from_ssh2 = 0; int print_public = 0; -int dsa_mode = 0; + +/* default to RSA for SSH-1 */ +char *key_type_name = "rsa1"; /* argv0 */ #ifdef HAVE___PROGNAME extern char *__progname; -#else /* HAVE___PROGNAME */ -static const char *__progname = "ssh-keygen"; -#endif /* HAVE___PROGNAME */ +#else +char *__progname; +#endif char hostname[MAXHOSTNAMELEN]; @@ -82,11 +81,26 @@ ask_filename(struct passwd *pw, const char *prompt) { char buf[1024]; - snprintf(identity_file, sizeof(identity_file), "%s/%s", - pw->pw_dir, - dsa_mode ? SSH_CLIENT_ID_DSA: SSH_CLIENT_IDENTITY); - printf("%s (%s): ", prompt, identity_file); - fflush(stdout); + char *name = NULL; + + switch (key_type_from_name(key_type_name)) { + case KEY_RSA1: + name = _PATH_SSH_CLIENT_IDENTITY; + break; + case KEY_DSA: + name = _PATH_SSH_CLIENT_ID_DSA; + break; + case KEY_RSA: + name = _PATH_SSH_CLIENT_ID_RSA; + break; + default: + fprintf(stderr, "bad key type"); + exit(1); + break; + } + snprintf(identity_file, sizeof(identity_file), "%s/%s", pw->pw_dir, name); + fprintf(stderr, "%s (%s): ", prompt, identity_file); + fflush(stderr); if (fgets(buf, sizeof(buf), stdin) == NULL) exit(1); if (strchr(buf, '\n')) 
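Review bot: in ask_filename() the `default:` branch prints "bad key type" with no trailing newline and without naming the offending value, and the `break` after exit(1) is unreachable; suggest `fprintf(stderr, "bad key type %s\n", key_type_name); exit(1);`. Moving the prompt from stdout to stderr is a behaviour change that wrappers driving ssh-keygen interactively may notice and deserves a ChangeLog line. The `__progname` fallback lost both `static` and `const` because main() now assigns it from get_progname(av[0]); a comment in the #else branch saying so would stop someone from putting `const` back.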
@@ -114,14 +128,14 @@ #define SSH_COM_PUBLIC_BEGIN "---- BEGIN SSH2 PUBLIC KEY ----" #define SSH_COM_PUBLIC_END "---- END SSH2 PUBLIC KEY ----" #define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----" -#define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb +#define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb void do_convert_to_ssh2(struct passwd *pw) { Key *k; int len; - unsigned char *blob; + u_char *blob; struct stat st; if (!have_identity) @@ -130,12 +144,12 @@ perror(identity_file); exit(1); } - k = key_new(KEY_DSA); + k = key_new(KEY_UNSPEC); if (!try_load_key(identity_file, k)) { fprintf(stderr, "load failed\n"); exit(1); } - dsa_make_key_blob(k, &blob, &len); + key_to_blob(k, &blob, &len); fprintf(stdout, "%s\n", SSH_COM_PUBLIC_BEGIN); fprintf(stdout, "Comment: \"%d-bit %s, converted from OpenSSH by %s@%s\"\n", @@ -155,7 +169,7 @@ int bytes = (bits + 7) / 8; if (buffer_len(b) < bytes) fatal("buffer_get_bignum_bits: input buffer too small"); - BN_bin2bn((unsigned char *)buffer_ptr(b), bytes, value); + BN_bin2bn((u_char *)buffer_ptr(b), bytes, value); buffer_consume(b, bytes); } @@ -259,14 +273,14 @@ *p = '\0'; strlcat(encoded, line, sizeof(encoded)); } - blen = uudecode(encoded, (unsigned char *)blob, sizeof(blob)); + blen = uudecode(encoded, (u_char *)blob, sizeof(blob)); if (blen < 0) { fprintf(stderr, "uudecode failed.\n"); exit(1); } k = private ? do_convert_private_ssh2_from_blob(blob, blen) : - dsa_key_from_blob(blob, blen); + key_from_blob(blob, blen); if (k == NULL) { fprintf(stderr, "decode blob failed.\n"); exit(1); @@ -288,8 +302,6 @@ do_print_public(struct passwd *pw) { Key *k; - int len; - unsigned char *blob; struct stat st; if (!have_identity) 
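Review bot: do_convert_to_ssh2() now loads the key as KEY_UNSPEC but discards the return value of key_to_blob(); for a file holding a protocol 1 key, which has no SSH2 blob form, it would still print the "---- BEGIN SSH2 PUBLIC KEY ----" header with whatever blob and len hold. Check the return value and reject KEY_RSA1 with a clear message (the -x documentation promises an SSH2-compatible public key). The import path does check k == NULL after key_from_blob(), which is the pattern to mirror here.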
@@ -298,16 +310,14 @@ perror(identity_file); exit(1); } - k = key_new(KEY_DSA); + k = key_new(KEY_UNSPEC); if (!try_load_key(identity_file, k)) { fprintf(stderr, "load failed\n"); exit(1); } - dsa_make_key_blob(k, &blob, &len); if (!key_write(k, stdout)) fprintf(stderr, "key_write failed"); key_free(k); - xfree(blob); fprintf(stdout, "\n"); exit(0); } @@ -315,13 +325,11 @@ void do_fingerprint(struct passwd *pw) { - /* XXX RSA1 only */ FILE *f; Key *public; char *comment = NULL, *cp, *ep, line[16*1024]; - int i, skip = 0, num = 1, invalid = 1; - unsigned int ignore; + int i, skip = 0, num = 1, invalid = 1, success = 0; struct stat st; if (!have_identity) @@ -330,11 +338,21 @@ perror(identity_file); exit(1); } - public = key_new(KEY_RSA); + public = key_new(KEY_RSA1); if (load_public_key(identity_file, public, &comment)) { - printf("%d %s %s\n", BN_num_bits(public->rsa->n), - key_fingerprint(public), comment); + success = 1; + } else { + key_free(public); + public = key_new(KEY_UNSPEC); + if (try_load_public_key(identity_file, public, &comment)) + success = 1; + else + debug("try_load_public_key KEY_UNSPEC failed"); + } + if (success) { + printf("%d %s %s\n", key_size(public), key_fingerprint(public), comment); key_free(public); + xfree(comment); exit(0); } @@ -374,13 +392,21 @@ *cp++ = '\0'; } ep = cp; - if (auth_rsa_read_key(&cp, &ignore, public->rsa->e, public->rsa->n)) { - invalid = 0; - comment = *cp ? cp : comment; - printf("%d %s %s\n", key_size(public), - key_fingerprint(public), - comment ? comment : "no comment"); + public = key_new(KEY_RSA1); + if (key_read(public, &cp) != 1) { + cp = ep; + key_free(public); + public = key_new(KEY_UNSPEC); + if (key_read(public, &cp) != 1) { + key_free(public); + continue; + } } + comment = *cp ? cp : comment; + printf("%d %s %s\n", key_size(public), + key_fingerprint(public), + comment ? comment : "no comment"); + invalid = 0; } fclose(f); } 
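Review bot: in do_fingerprint() the per-line loop allocates `public = key_new(KEY_RSA1)` (and sometimes a second KEY_UNSPEC key) for every line but never frees it after the printf, and the KEY_UNSPEC key allocated in the `else` branch before the loop is overwritten by the first loop iteration without being freed; add a key_free(public) after the fingerprint is printed and one before entering the loop. It is a one-shot tool, but `-l` over a large authorized_keys file now grows in proportion to the file.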
@@ -404,7 +430,7 @@ struct stat st; Key *private; Key *public; - int type = dsa_mode ? KEY_DSA : KEY_RSA; + int type = KEY_RSA1; if (!have_identity) ask_filename(pw, "Enter file in which the key is"); @@ -412,18 +438,13 @@ perror(identity_file); exit(1); } - - if (type == KEY_RSA) { - /* XXX this works currently only for RSA */ - public = key_new(type); - if (!load_public_key(identity_file, public, NULL)) { - printf("%s is not a valid key file.\n", identity_file); - exit(1); - } + public = key_new(type); + if (!load_public_key(identity_file, public, NULL)) { + type = KEY_UNSPEC; + } else { /* Clear the public key since we are just about to load the whole file. */ key_free(public); } - /* Try to load the file with empty passphrase. */ private = key_new(type); if (!load_private_key(identity_file, "", private, &comment)) { @@ -508,13 +529,14 @@ * Try to load the public key from the file the verify that it is * readable and of the proper format. */ - public = key_new(KEY_RSA); + public = key_new(KEY_RSA1); if (!load_public_key(identity_file, public, NULL)) { printf("%s is not a valid key file.\n", identity_file); + printf("Comments are only supported in RSA1 keys\n"); exit(1); } - private = key_new(KEY_RSA); + private = key_new(KEY_RSA1); if (load_private_key(identity_file, "", private, &comment)) passphrase = xstrdup(""); else { @@ -583,7 +605,7 @@ void usage(void) { - printf("Usage: %s [-lpqxXydc] [-b bits] [-f file] [-C comment] [-N new-pass] [-P pass]\n", __progname); + printf("Usage: %s [-lpqxXyc] [-t type] [-b bits] [-f file] [-C comment] [-N new-pass] [-P pass]\n", __progname); exit(1); } @@ -595,14 +617,16 @@ { char dotsshdir[16 * 1024], comment[1024], *passphrase1, *passphrase2; struct passwd *pw; - int opt; + int opt, type; struct stat st; FILE *f; Key *private; Key *public; + extern int optind; extern char *optarg; + __progname = get_progname(av[0]); init_rng(); SSLeay_add_all_algorithms(); 
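Review bot: in do_change_passphrase() the branch `if (!load_public_key(identity_file, public, NULL)) { type = KEY_UNSPEC; }` leaves the KEY_RSA1 `public` object allocated; free it there as the else branch does. In do_change_comment() the new line "Comments are only supported in RSA1 keys" is printed directly after "%s is not a valid key file.", so a perfectly valid protocol 2 key is reported as invalid; distinguish the two cases, e.g. retry with try_load_public_key() on KEY_UNSPEC (as do_fingerprint does) and say "comments are not supported for this key type" when that succeeds.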
@@ -618,7 +642,7 @@ exit(1); } - while ((opt = getopt(ac, av, "dqpclRxXyb:f:P:N:C:")) != EOF) { + while ((opt = getopt(ac, av, "dqpclRxXyb:f:t:P:N:C:")) != -1) { switch (opt) { case 'b': bits = atoi(optarg); @@ -662,10 +686,8 @@ break; case 'R': - if (rsa_alive() == 0) - exit(1); - else - exit(0); + /* unused */ + exit(0); break; case 'x': @@ -681,7 +703,11 @@ break; case 'd': - dsa_mode = 1; + key_type_name = "dsa"; + break; + + case 't': + key_type_name = optarg; break; case '?': @@ -697,13 +723,6 @@ printf("Can only have one of -p and -c.\n"); usage(); } - /* check if RSA support is needed and exists */ - if (dsa_mode == 0 && rsa_alive() == 0) { - fprintf(stderr, - "%s: no RSA support in libssl and libcrypto. See ssl(8).\n", - __progname); - exit(1); - } if (print_fingerprint) do_fingerprint(pw); if (change_passphrase) 
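Review bot: the getopt string keeps `d` and `R` although both were removed from usage() and the manual page. -R now unconditionally `exit(0)`, so a build script that still probes RSA support with `ssh-keygen -R` gets a success answer that no longer means anything, and -d silently maps to dsa; either drop the letters or keep them as documented deprecated aliases that warn on stderr. Removing the rsa_alive() check also means a libcrypto built without RSA is no longer detected at startup and the failure surfaces only from key generation later; if that is intended, note it in the ChangeLog.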
@@ -719,28 +738,25 @@ arc4random_stir(); - if (dsa_mode != 0) { - if (!quiet) - printf("Generating DSA parameter and key.\n"); - public = private = dsa_generate_key(bits); - if (private == NULL) { - fprintf(stderr, "dsa_generate_keys failed"); - exit(1); - } - } else { - if (quiet) - rsa_set_verbose(0); - /* Generate the rsa key pair. */ - public = key_new(KEY_RSA); - private = key_new(KEY_RSA); - rsa_generate_key(private->rsa, public->rsa, bits); + type = key_type_from_name(key_type_name); + if (type == KEY_UNSPEC) { + fprintf(stderr, "unknown key type %s\n", key_type_name); + exit(1); + } + if (!quiet) + printf("Generating public/private %s key pair.\n", key_type_name); + private = key_generate(type, bits); + if (private == NULL) { + fprintf(stderr, "key_generate failed"); + exit(1); } + public = key_from_private(private); if (!have_identity) ask_filename(pw, "Enter file in which to save the key"); /* Create ~/.ssh directory if it doesn\'t already exist. */ - snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", pw->pw_dir, SSH_USER_DIR); + snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", pw->pw_dir, _PATH_SSH_USER_DIR); if (strstr(identity_file, dotsshdir) != NULL && stat(dotsshdir, &st) < 0) { if (mkdir(dotsshdir, 0700) < 0) @@ -803,9 +819,7 @@ xfree(passphrase1); /* Clear the private key and the random number generator. */ - if (private != public) { - key_free(private); - } + key_free(private); arc4random_stir(); if (!quiet) Only in openssh-2.5.1p1: ssh-keyscan.0 Only in openssh-2.5.1p1: ssh-keyscan.1 Only in openssh-2.5.1p1: ssh-keyscan.c Only in openssh-2.5.1p1: ssh-rsa.c Only in openssh-2.5.1p1: ssh-rsa.h diff -ru openssh-2.3.0p1/ssh.0 openssh-2.5.1p1/ssh.0 --- openssh-2.3.0p1/ssh.0 2000-11-06 14:25:20.000000000 +1100 +++ openssh-2.5.1p1/ssh.0 2001-02-19 21:54:46.000000000 +1100 
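Review bot: `public = key_from_private(private)` is not checked for NULL even though key_generate() is, and with the `if (private != public)` guard gone the cleanup hunk frees only `private`, so confirm `public` is freed as well (not visible here). `bits` arrives straight from atoi(optarg) in the getopt hunk above with no range check visible; now that -t rsa/dsa reaches key_generate() directly, validate bits before the call (reject zero or negative, and warn below a sensible minimum) so a typo produces an error rather than a weak key or an obscure library failure.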
@@ -7,9 +7,9 @@ SYNOPSIS ssh [-l login_name] [hostname | user@hostname] [command] - ssh [-afgknqtvxACNPTX246] [-c cipher_spec] [-e escape_char] [-i - identity_file] [-l login_name] [-o option] [-p port] [-L - port:host:hostport] [-R port:host:hostport] [hostname | + ssh [-afgknqstvxACNPTX1246] [-c cipher_spec] [-e escape_char] [-i + identity_file] [-l login_name] [-m mac_spec] [-o option] [-p port] + [-L port:host:hostport] [-R port:host:hostport] [hostname | user@hostname] [command] DESCRIPTION @@ -90,14 +90,13 @@ tion is tried. The public key method is similar to RSA authentication described in the - previous section except that the DSA algorithm is used instead of the - patented RSA algorithm. The client uses his private DSA key - $HOME/.ssh/id_dsa to sign the session identifier and sends the result to - the server. The server checks whether the matching public key is listed - in $HOME/.ssh/authorized_keys2 and grants access if both the key is found - and the signature is correct. The session identifier is derived from a - shared Diffie-Hellman value and is only known to the client and the serv- - er. + previous section except that the DSA or RSA algorithm is used instead. + The client uses his private key $HOME/.ssh/id_dsa to sign the session + identifier and sends the result to the server. The server checks whether + the matching public key is listed in $HOME/.ssh/authorized_keys2 and + grants access if both the key is found and the signature is correct. The + session identifier is derived from a shared Diffie-Hellman value and is + only known to the client and the server. If public key authentication fails or is not available a password can be sent encrypted to the remote host for proving the user's identity. This 
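Review bot: the rewritten public key paragraph says "the DSA or RSA algorithm is used" but still names only `$HOME/.ssh/id_dsa` as the private key; the ssh-keygen.c hunk adds _PATH_SSH_CLIENT_ID_RSA, so this should read "private key ($HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa)", otherwise readers will not know where the RSA protocol 2 identity lives.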
@@ -135,7 +134,7 @@ escape character to ``none'' will also make the session transparent even if a tty is used. - The session terminates when the command or shell in on the remote machine + The session terminates when the command or shell on the remote machine exists and all X11 and TCP/IP connections have been closed. The exit status of the remote program is returned as the exit status of ssh. 
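Review bot: the fix turns "in on the remote machine" into "on the remote machine", but the following context line still reads "exists" where "exits" is meant; fix both while touching this sentence.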
@@ -174,19 +173,20 @@ ssh automatically maintains and checks a database containing identifica- tions for all hosts it has ever been used with. RSA host keys are stored - in $HOME/.ssh/known_hosts and DSA host keys are stored in - $HOME/.ssh/known_hosts2 in the user's home directory. Additionally, the - files /etc/ssh_known_hosts and /etc/ssh_known_hosts2 are automatically - checked for known hosts. Any new hosts are automatically added to the - user's file. If a host's identification ever changes, ssh warns about - this and disables password authentication to prevent a trojan horse from - getting the user's password. Another purpose of this mechanism is to - prevent man-in-the-middle attacks which could otherwise be used to cir- - cumvent the encryption. The StrictHostKeyChecking option (see below) can - be used to prevent logins to machines whose host key is not known or has - changed. + in $HOME/.ssh/known_hosts and host keys used in the protocol version 2 + are stored in $HOME/.ssh/known_hosts2 in the user's home directory. Ad- + ditionally, the files /etc/ssh_known_hosts and /etc/ssh_known_hosts2 are + automatically checked for known hosts. Any new hosts are automatically + added to the user's file. If a host's identification ever changes, ssh + warns about this and disables password authentication to prevent a trojan + horse from getting the user's password. Another purpose of this mecha- + nism is to prevent man-in-the-middle attacks which could otherwise be + used to circumvent the encryption. The StrictHostKeyChecking option (see + below) can be used to prevent logins to machines whose host key is not + known or has changed. + + The options are as follows: -OPTIONS -a Disables forwarding of the authentication agent connection. -A Enables forwarding of the authentication agent connection. This 
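Review bot: "host keys used in the protocol version 2 are stored in" reads awkwardly; "protocol version 2 host keys are stored in" says the same thing. Since this is the paragraph users rely on to understand what a changed host key means (password authentication disabled, man-in-the-middle protection), it is worth pointing from here to the StrictHostKeyChecking entry whose default now includes an ``ask'' mode, so the two descriptions stay in step.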
@@ -201,11 +201,10 @@ longer fully supported in ssh. blowfish is a fast block cipher, it appears very secure and is much faster than 3des. - -c 3des-cbc,blowfish-cbc,arcfour,cast128-cbc + -c cipher_spec Additionally, for protocol version 2 a comma-separated list of - ciphers can be specified in order of preference. Protocol ver- - sion 2 supports 3DES, Blowfish, and CAST128 in CBC mode and Arc- - four. + ciphers can be specified in order of preference. See Ciphers for + more information. -e ch|^ch|none Sets the escape character for sessions with a pty (default: `~'). @@ -225,12 +224,12 @@ -g Allows remote hosts to connect to local forwarded ports. -i identity_file - Selects the file from which the identity (private key) for RSA - authentication is read. Default is $HOME/.ssh/identity in the - user's home directory. Identity files may also be specified on a - per-host basis in the configuration file. It is possible to have - multiple -i options (and multiple identities specified in config- - uration files). + Selects the file from which the identity (private key) for RSA or + DSA authentication is read. Default is $HOME/.ssh/identity in + the user's home directory. Identity files may also be specified + on a per-host basis in the configuration file. It is possible to + have multiple -i options (and multiple identities specified in + configuration files). -k Disables forwarding of Kerberos tickets and AFS tokens. This may also be specified on a per-host basis in the configuration file. 
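Review bot: the -i entry now says "RSA or DSA authentication" but still gives `$HOME/.ssh/identity` as the only default; for the protocol 2 identities the FILES section and the ssh-keygen hunks use id_dsa and id_rsa, so list those defaults here too. The `-c cipher_spec` change pointing at the Ciphers keyword is good and removes a list that would have gone stale with the AES/Rijndael additions.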
@@ -239,6 +238,11 @@ Specifies the user to log in as on the remote machine. This also may be specified on a per-host basis in the configuration file. + -m mac_spec + Additionally, for protocol version 2 a comma-separated list of + MAC (message authentication code) algorithms can be specified in + order of preference. See the MACs keyword for more information. + -n Redirects stdin from /dev/null (actually, prevents reading from stdin). This must be used when ssh is run in the background. A common trick is to use this to run X11 programs on a remote ma- 
@@ -248,41 +252,46 @@ will be put in the background. (This does not work if ssh needs to ask for a password or passphrase; see also the -f option.) - -N Do not execute a remote command. This is usefull if you just - want to forward ports (protocol version 2 only). + -N Do not execute a remote command. This is useful if you just want + to forward ports (protocol version 2 only). -o option Can be used to give options in the format used in the config file. This is useful for specifying options for which there is no separate command-line flag. The option has the same format as + + a line in the configuration file. -p port Port to connect to on the remote host. This can be specified on - - a per-host basis in the configuration file. -P Use a non-privileged port for outgoing connections. This can be used if your firewall does not permit connections from privileged ports. Note that this option turns off RhostsAuthentication and - RhostsRSAAuthentication. + RhostsRSAAuthentication for older servers. -q Quiet mode. Causes all warning and diagnostic messages to be suppressed. Only fatal errors are displayed. + -s May be used to request invocation of a subsystem on the remote + system. Subsystems are a feature of the SSH2 protocol which fa- + cilitate the use of SSH as a secure transport for other applica- + tion (eg. sftp). The subsystem is specified as the remote com- + mand. + -t Force pseudo-tty allocation. This can be used to execute arbi- trary screen-based programs on a remote machine, which can be - very useful, e.g., when implementing menu services. + very useful, e.g., when implementing menu services. Multiple -t + options force tty allocation, even if ssh has no local tty. - -T Disable pseudo-tty allocation (protocol version 2 only). + -T Disable pseudo-tty allocation. -v Verbose mode. Causes ssh to print debugging messages about its progress. This is helpful in debugging connection, authentica- - tion, and configuration problems. 
The verbose mode is also used - to display skey(1) challenges, if the user entered "s/key" as - password. Multiple -v options increases the verbosity. Maximum - is 3. + tion, and configuration problems. Multiple -v options increases + the verbosity. Maximum is 3. -x Disables X11 forwarding. @@ -318,8 +327,11 @@ made to host port hostport from the local machine. Port forward- ings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote + machine. + -1 Forces ssh to try protocol version 1 only. + -2 Forces ssh to try protocol version 2 only. -4 Forces ssh to use IPv4 addresses only. @@ -379,7 +391,12 @@ Ciphers Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. The de- - fault is ``3des-cbc,blowfish-cbc,cast128-cbc,arcfour''. + fault is + + + ``3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc, + aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc, + rijndael256-cbc,rijndael-cbc@lysator.liu.se'' Compression Specifies whether to use compression. The argument must be @@ -396,11 +413,10 @@ falling back to rsh or exiting. The argument must be an integer. This may be useful in scripts if the connection sometimes fails. - DSAAuthentication - Specifies whether to try DSA authentication. The argument to - this keyword must be ``yes'' or ``no''. DSA authentication will - only be attempted if a DSA identity file exists. Note that this - option applies to protocol version 2 only. + PubkeyAuthentication + Specifies whether to try public key authentication. The argument + to this keyword must be ``yes'' or ``no''. Note that this option + applies to protocol version 2 only. EscapeChar Sets the escape character (default: `~'). The escape character 
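Review bot: in the new -s paragraph "secure transport for other application (eg. sftp)" should be "other applications (e.g. sftp)". The blank lines inserted and removed inside the -o, -p and Ciphers items look like pagination artefacts from regenerating the .0 file with a different page length rather than intended edits; regenerate all the .0 files with the same nroff settings so the diff shows only real content changes. The Ciphers default now lists the aes*-cbc and rijndael*-cbc names; a sentence saying that the order is preference order would help administrators who want to put AES first.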
@@ -434,6 +450,12 @@ GlobalKnownHostsFile Specifies a file to use instead of /etc/ssh_known_hosts. + HostKeyAlias + Specifies an alias that should be used instead of the real host + name when looking up or saving the host key in the known_hosts + files. This option is useful for tunneling ssh connections or if + you have multiple servers running on a single host. + HostName Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. Default is the @@ -451,16 +473,6 @@ configuration files; all these identities will be tried in se- quence. - IdentityFile2 - Specifies the file from which the user's DSA authentication iden- - tity is read (default $HOME/.ssh/id_dsa in the user's home direc- - tory). The file name may use the tilde syntax to refer to a us- - er's home directory. It is possible to have multiple identity - files specified in configuration files; all these identities will - - - be tried in sequence. - KeepAlive Specifies whether the system should send keepalive messages to the other side. If they are sent, death of the connection or @@ -498,6 +510,14 @@ ssh. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. The default is INFO. + MACs Specifies the MAC (message authentication code) algorithms in or- + der of preference. The MAC algorithm is used in protocol version + 2 for data integrity protection. Multiple algorithms must be + comma-separated. The default is + + ``hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com, + hmac-sha1-96,hmac-md5-96'' + NumberOfPasswordPrompts Specifies the number of password prompts before giving up. The argument to this keyword must be an integer. Default is 3. @@ -505,6 +525,7 @@ PasswordAuthentication Specifies whether to use password authentication. The argument to this keyword must be ``yes'' or ``no''. Note that this option + applies to both protocol version 1 and 2. Port Specifies the port number to connect on the remote host. Default 
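Review bot: IdentityFile2 is removed here and DSAAuthentication was replaced by PubkeyAuthentication in the previous hunk, but neither hunk says what happens to an existing configuration file that still uses the old keywords (rejected, ignored, or accepted as aliases); state it, ideally under the new keywords, since a silently ignored keyword would leave a user believing an option is in effect when it is not. The MACs default includes the truncated hmac-sha1-96 and hmac-md5-96 variants; note that the list is in preference order so a site that wants to exclude them can do so by setting MACs explicitly.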
@@ -559,29 +580,36 @@ tion agent is running. Note that this option applies to protocol version 1 only. - SkeyAuthentication - Specifies whether to use skey(1) authentication. The argument to - this keyword must be ``yes'' or ``no''. The default is ``no''. + ChallengeResponseAuthentication + Specifies whether to use challenge response authentication. Cur- + rently there is only support for skey(1) authentication. The ar- + gument to this keyword must be ``yes'' or ``no''. The default is + ``no''. StrictHostKeyChecking - If this flag is set to ``yes'', ssh ssh will never automatically - add host keys to the $HOME/.ssh/known_hosts and - $HOME/.ssh/known_hosts2 files, and refuses to connect hosts whose - host key has changed. This provides maximum protection against - trojan horse attacks. However, it can be somewhat annoying if - you don't have good /etc/ssh_known_hosts and - /etc/ssh_known_hosts2 files installed and frequently connect new - hosts. Basically this option forces the user to manually add any - new hosts. Normally this option is disabled, and new hosts will - automatically be added to the known host files. The host keys of - known hosts will be verified automatically in either case. The - argument must be ``yes'' or ``no''. + If this flag is set to ``yes'', ssh will never automatically add + host keys to the $HOME/.ssh/known_hosts and + $HOME/.ssh/known_hosts2 files, and refuses to connect to hosts + whose host key has changed. This provides maximum protection + against trojan horse attacks. However, it can be somewhat annoy- + ing if you don't have good /etc/ssh_known_hosts and + /etc/ssh_known_hosts2 files installed and frequently connect to + new hosts. This option forces the user to manually add all new + hosts. If this flag is set to ``no'', ssh will automatically add + new host keys to the user known hosts files. 
If this flag is set + to ``ask'', new host keys will be added to the user known host + files only after the user has confirmed that is what they really + want to do, and ssh will refuse to connect to hosts whose host + key has changed. The host keys of known hosts will be verified + automatically in all cases. The argument must be ``yes'', ``no'' + or ``ask''. The default is ``ask''. UsePrivilegedPort Specifies whether to use a privileged port for outgoing connec- tions. The argument must be ``yes'' or ``no''. The default is ``yes''. Note that setting this option to ``no'' turns off - RhostsAuthentication and RhostsRSAAuthentication. + RhostsAuthentication and RhostsRSAAuthentication for older + servers. User Specifies the user to log in as. This can be useful if you have a different user name on different machines. This saves the @@ -589,8 +617,6 @@ mand line. UserKnownHostsFile - - Specifies a file to use instead of $HOME/.ssh/known_hosts. UseRsh Specifies that rlogin/rsh should be used for this host. It is @@ -635,6 +661,11 @@ tains three space-separated values: client ip-address, client port number, and server port number. + SSH_ORIGINAL_COMMAND + The variable contains the original command line if a forced com- + mand is executed. It can be used to extract the original argu- + ments. + SSH_TTY This is set to the name of the tty (path to the device) associat- ed with the current shell or command. If the current session has @@ -673,7 +704,7 @@ $HOME/.ssh/authorized_keys2 on all machines where you wish to log in using DSA authentication. These files are not sensitive and can (but need not) be readable by anyone. These files are never - used automatically and are not necessary; they is only provided + used automatically and are not necessary; they are only provided for the convenience of the user. $HOME/.ssh/config 
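Review bot: the StrictHostKeyChecking default moves from "Normally this option is disabled" to ``ask``; that is a user-visible change for non-interactive invocations (scripted scp, cron jobs) which now get a prompt or a refusal on first contact instead of a silent known_hosts addition, and it deserves a ChangeLog and release-note entry. In the FILES hunk further down, the $HOME/.ssh/id_dsa.pub entry still says "log in using DSA authentication" while the ssh-keygen pages were changed to "public key authentication"; align it.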
@@ -691,25 +722,27 @@ public exponent, modulus, and comment fields, separated by spaces). This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by + others. $HOME/.ssh/authorized_keys2 - Lists the DSA keys that can be used for logging in as this user. - This file is not highly sensitive, but the recommended permis- - sions are read/write for the user, and not accessible by others. + Lists the public keys (DSA/RSA) that can be used for logging in + as this user. This file is not highly sensitive, but the recom- + mended permissions are read/write for the user, and not accessi- + ble by others. /etc/ssh_known_hosts, /etc/ssh_known_hosts2 Systemwide list of known host keys. /etc/ssh_known_hosts con- - tains RSA and /etc/ssh_known_hosts2 contains DSA keys. These - files should be prepared by the system administrator to contain - the public host keys of all machines in the organization. This - file should be world-readable. This file contains public keys, - one per line, in the following format (fields separated by - spaces): system name, number of bits in modulus, public exponent, - modulus, and optional comment field. When different names are - used for the same machine, all such names should be listed, sepa- - rated by commas. The format is described on the sshd(8) manual - page. + tains RSA and /etc/ssh_known_hosts2 contains DSA or RSA keys for + protocol version 2. These files should be prepared by the system + administrator to contain the public host keys of all machines in + the organization. This file should be world-readable. This file + contains public keys, one per line, in the following format + (fields separated by spaces): system name, number of bits in mod- + ulus, public exponent, modulus, and optional comment field. When + different names are used for the same machine, all such names + should be listed, separated by commas. The format is described + on the sshd(8) manual page. 
The canonical system name (as returned by name servers) is used by sshd(8) to verify the client host when logging in; other names @@ -722,7 +755,6 @@ Systemwide configuration file. This file provides defaults for those values that are not specified in the user's configuration file, and for those users who do not have a configuration file. - This file must be world-readable. $HOME/.rhosts 
@@ -782,35 +814,15 @@ A version of this library which includes support for the RSA al- gorithm is required for proper operation. -AUTHOR - OpenSSH is a derivative of the original (free) ssh 1.2.12 release by Tatu - Ylonen, but with bugs removed and newer features re-added. Rapidly after - the 1.2.12 release, newer versions of the original ssh bore successively - more restrictive licenses, and thus demand for a free version was born. - - - - This version of OpenSSH - - o has all components of a restrictive nature (i.e., patents, see - crypto(3)) directly removed from the source code; any licensed or - patented components are chosen from external libraries. - - o has been updated to support SSH protocol 1.5 and 2, making it compat- - ible with all other SSH clients and servers. - - o contains added support for kerberos(8) authentication and ticket - passing. - - o supports one-time password authentication with skey(1). - - OpenSSH has been created by Aaron Campbell, Bob Beck, Markus Friedl, - Niels Provos, Theo de Raadt, and Dug Song. - - The support for SSH protocol 2 was written by Markus Friedl. +AUTHORS + OpenSSH is a derivative of the original and free ssh 1.2.12 release by + Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo + de Raadt and Dug Song removed many bugs, re-added newer features and cre- + ated OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. SEE ALSO - rlogin(1), rsh(1), scp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), - telnet(1), sshd(8), crypto(3) + rlogin(1), rsh(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh- + keygen(1), telnet(1), sshd(8) BSD Experimental September 25, 1999 13 diff -ru openssh-2.3.0p1/ssh.1 openssh-2.5.1p1/ssh.1 --- openssh-2.3.0p1/ssh.1 2000-10-28 14:19:58.000000000 +1100 +++ openssh-2.5.1p1/ssh.1 2001-02-15 14:02:00.000000000 +1100 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.64 2000/10/16 21:46:31 markus Exp $ +.\" $OpenBSD: ssh.1,v 1.91 2001/02/11 12:59:25 markus Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -48,11 +48,12 @@ .Op Ar command .Pp .Nm ssh -.Op Fl afgknqtvxACNPTX246 +.Op Fl afgknqstvxACNPTX1246 .Op Fl c Ar cipher_spec .Op Fl e Ar escape_char .Op Fl i Ar identity_file .Op Fl l Ar login_name +.Op Fl m Ar mac_spec .Op Fl o Ar option .Op Fl p Ar port .Oo Fl L Xo @@ -209,9 +210,9 @@ If this method fails password authentication is tried. .Pp The public key method is similar to RSA authentication described -in the previous section except that the DSA algorithm is used -instead of the patented RSA algorithm. -The client uses his private DSA key +in the previous section except that the DSA or RSA algorithm is used +instead. +The client uses his private key .Pa $HOME/.ssh/id_dsa to sign the session identifier and sends the result to the server. The server checks whether the matching public key is listed in @@ -272,7 +273,7 @@ .Dq none will also make the session transparent even if a tty is used. .Pp -The session terminates when the command or shell in on the remote +The session terminates when the command or shell on the remote machine exists and all X11 and TCP/IP connections have been closed. The exit status of the remote program is returned as the exit status of @@ -331,7 +332,7 @@ RSA host keys are stored in .Pa $HOME/.ssh/known_hosts and -DSA host keys are stored in +host keys used in the protocol version 2 are stored in .Pa $HOME/.ssh/known_hosts2 in the user's home directory. Additionally, the files 
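Review bot: In the hunk at @@ -209,9 +210,9 @@ the wording is broadened to "the DSA or RSA algorithm", but the only identity file named is still `.Pa $HOME/.ssh/id_dsa`, so a reader using an RSA key for protocol 2 is not told where that key is read from; name the RSA identity file alongside id_dsa, or refer generically to the IdentityFile setting.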
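Review bot: In the hunk at @@ -272,7 +273,7 @@ the sentence still reads "when the command or shell on the remote machine exists and all X11 and TCP/IP connections have been closed"; "exists" should be "exits". The hunk fixes "in on" but leaves the second typo on the following context line.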
@@ -352,7 +353,8 @@ .Cm StrictHostKeyChecking option (see below) can be used to prevent logins to machines whose host key is not known or has changed. -.Sh OPTIONS +.Pp +The options are as follows: .Bl -tag -width Ds .It Fl a Disables forwarding of the authentication agent connection. @@ -373,11 +375,12 @@ .Ar blowfish is a fast block cipher, it appears very secure and is much faster than .Ar 3des . -.It Fl c Ar "3des-cbc,blowfish-cbc,arcfour,cast128-cbc" +.It Fl c Ar cipher_spec Additionally, for protocol version 2 a comma-separated list of ciphers can be specified in order of preference. -Protocol version 2 supports 3DES, Blowfish, and CAST128 in CBC mode -and Arcfour. +See +.Cm Ciphers +for more information. .It Fl e Ar ch|^ch|none Sets the escape character for sessions with a pty (default: .Ql ~ ) . @@ -407,7 +410,7 @@ Allows remote hosts to connect to local forwarded ports. .It Fl i Ar identity_file Selects the file from which the identity (private key) for -RSA authentication is read. +RSA or DSA authentication is read. Default is .Pa $HOME/.ssh/identity in the user's home directory. @@ -423,6 +426,13 @@ .It Fl l Ar login_name Specifies the user to log in as on the remote machine. This also may be specified on a per-host basis in the configuration file. +.It Fl m Ar mac_spec +Additionally, for protocol version 2 a comma-separated list of MAC +(message authentication code) algorithms can +be specified in order of preference. +See the +.Cm MACs +keyword for more information. .It Fl n Redirects stdin from .Pa /dev/null @@ -445,7 +455,7 @@ option.) .It Fl N Do not execute a remote command. -This is usefull if you just want to forward ports +This is useful if you just want to forward ports (protocol version 2 only). .It Fl o Ar option Can be used to give options in the format used in the config file. 
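Review bot: In the hunk at @@ -407,7 +410,7 @@ the `-i` option now says "RSA or DSA authentication", yet the default that follows is only `.Pa $HOME/.ssh/identity`, the protocol 1 file; state what `-i` defaults to for protocol 2 keys or say that the default depends on the protocol, so users passing a DSA key are not misled about what is tried when `-i` is omitted.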
@@ -463,18 +473,28 @@ Note that this option turns off .Cm RhostsAuthentication and -.Cm RhostsRSAAuthentication . +.Cm RhostsRSAAuthentication +for older servers. .It Fl q Quiet mode. Causes all warning and diagnostic messages to be suppressed. Only fatal errors are displayed. +.It Fl s +May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use +of SSH as a secure transport for other application (eg. sftp). The +subsystem is specified as the remote command. .It Fl t Force pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g., when implementing menu services. +Multiple +.Fl t +options force tty allocation, even if +.Nm +has no local tty. .It Fl T -Disable pseudo-tty allocation (protocol version 2 only). +Disable pseudo-tty allocation. .It Fl v Verbose mode. Causes @@ -482,10 +502,9 @@ to print debugging messages about its progress. This is helpful in debugging connection, authentication, and configuration problems. -The verbose mode is also used to display -.Xr skey 1 -challenges, if the user entered "s/key" as password. -Multiple -v options increases the verbosity. +Multiple +.Fl v +options increases the verbosity. Maximum is 3. .It Fl x Disables X11 forwarding. @@ -539,6 +558,10 @@ Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote machine. +.It Fl 1 +Forces +.Nm +to try protocol version 1 only. .It Fl 2 Forces .Nm 
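Review bot: In the hunk at @@ -463,18 +473,28 @@ the new `.It Fl s` entry puts two sentences on one source line ("May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use"), while the rest of this mdoc file keeps one sentence per line; split it, and change "other application (eg. sftp)" to "other applications (e.g., sftp)".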
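Review bot: In the hunk at @@ -482,10 +502,9 @@ the replacement line "options increases the verbosity." should read "options increase the verbosity." since the subject is the plural "Multiple .Fl v options".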
@@ -642,7 +665,12 @@ in order of preference. Multiple ciphers must be comma-separated. The default is -.Dq 3des-cbc,blowfish-cbc,cast128-cbc,arcfour . +.Pp +.Bd -literal + ``3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc, + aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc, + rijndael256-cbc,rijndael-cbc@lysator.liu.se'' +.Ed .It Cm Compression Specifies whether to use compression. The argument must be @@ -660,14 +688,12 @@ back to rsh or exiting. The argument must be an integer. This may be useful in scripts if the connection sometimes fails. -.It Cm DSAAuthentication -Specifies whether to try DSA authentication. +.It Cm PubkeyAuthentication +Specifies whether to try public key authentication. The argument to this keyword must be .Dq yes or .Dq no . -DSA authentication will only be -attempted if a DSA identity file exists. Note that this option applies to protocol version 2 only. .It Cm EscapeChar Sets the escape character (default: @@ -726,6 +752,12 @@ .It Cm GlobalKnownHostsFile Specifies a file to use instead of .Pa /etc/ssh_known_hosts . +.It Cm HostKeyAlias +Specifies an alias that should be used instead of the +real host name when looking up or saving the host key +in the known_hosts files. +This option is useful for tunneling ssh connections +or if you have multiple servers running on a single host. .It Cm HostName Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. 
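Review bot: In the hunk at @@ -660,14 +688,12 @@ `DSAAuthentication` is renamed to `PubkeyAuthentication` and the sentence "DSA authentication will only be attempted if a DSA identity file exists" is dropped with nothing put in its place, so the entry no longer says when public key authentication is actually tried; add the equivalent statement for the new keyword, and say whether existing configuration files that still use `DSAAuthentication` are accepted or rejected, since a silently ignored keyword would leave users with a different authentication setup than they believe they have.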
@@ -745,16 +777,6 @@ It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence. -.It Cm IdentityFile2 -Specifies the file from which the user's DSA authentication identity -is read (default -.Pa $HOME/.ssh/id_dsa -in the user's home directory). -The file name may use the tilde -syntax to refer to a user's home directory. -It is possible to have -multiple identity files specified in configuration files; all these -identities will be tried in sequence. .It Cm KeepAlive Specifies whether the system should send keepalive messages to the other side. @@ -800,6 +822,18 @@ The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. The default is INFO. +.It Cm MACs +Specifies the MAC (message authentication code) algorithms +in order of preference. +The MAC algorithm is used in protocol version 2 +for data integrity protection. +Multiple algorithms must be comma-separated. +The default is +.Pp +.Bd -literal + ``hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com, + hmac-sha1-96,hmac-md5-96'' +.Ed .It Cm NumberOfPasswordPrompts Specifies the number of password prompts before giving up. The argument to this keyword must be an integer. @@ -894,8 +928,9 @@ attempted if the identity file exists, or an authentication agent is running. Note that this option applies to protocol version 1 only. -.It Cm SkeyAuthentication -Specifies whether to use +.It Cm ChallengeResponseAuthentication +Specifies whether to use challenge response authentication. +Currently there is only support for .Xr skey 1 authentication. The argument to this keyword must be 
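Review bot: In the hunk at @@ -745,16 +777,6 @@ the `IdentityFile2` keyword is removed entirely, but the surrounding `IdentityFile` text (context lines "It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence.") is not updated to say that it now also names protocol 2 identities; add that sentence and a note on how an existing `IdentityFile2` line is handled.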
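Review bot: In the hunk at @@ -800,6 +822,18 @@ the documented `MACs` default lists `hmac-md5`, `hmac-sha1-96` and `hmac-md5-96` after `hmac-sha1`; since the entry states the list is "in order of preference", it would help administrators to add one sentence saying that setting this keyword to a shorter list is the way to restrict which integrity algorithms the client will offer.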
@@ -908,28 +943,41 @@ If this flag is set to .Dq yes , .Nm -ssh will never automatically add host keys to the +will never automatically add host keys to the .Pa $HOME/.ssh/known_hosts and .Pa $HOME/.ssh/known_hosts2 -files, and refuses to connect hosts whose host key has changed. +files, and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks. However, it can be somewhat annoying if you don't have good .Pa /etc/ssh_known_hosts and .Pa /etc/ssh_known_hosts2 files installed and frequently -connect new hosts. -Basically this option forces the user to manually -add any new hosts. -Normally this option is disabled, and new hosts -will automatically be added to the known host files. +connect to new hosts. +This option forces the user to manually +add all new hosts. +If this flag is set to +.Dq no , +.Nm +will automatically add new host keys to the +user known hosts files. +If this flag is set to +.Dq ask , +new host keys +will be added to the user known host files only after the user +has confirmed that is what they really want to do, and +.Nm +will refuse to connect to hosts whose host key has changed. The host keys of -known hosts will be verified automatically in either case. +known hosts will be verified automatically in all cases. The argument must be -.Dq yes +.Dq yes , +.Dq no or -.Dq no . +.Dq ask . +The default is +.Dq ask . .It Cm UsePrivilegedPort Specifies whether to use a privileged port for outgoing connections. The argument must be @@ -943,7 +991,8 @@ turns off .Cm RhostsAuthentication and -.Cm RhostsRSAAuthentication . +.Cm RhostsRSAAuthentication +for older servers. .It Cm User Specifies the user to log in as. This can be useful if you have a different user name on different machines. 
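Review bot: In the hunk at @@ -908,28 +943,41 @@ the new description of `.Dq no` says only that host keys "will automatically be added", while the `yes` and `ask` branches both state that connections to hosts whose key has changed are refused; the `no` branch should say explicitly what happens on a changed host key, because that is the case where the setting weakens protection and readers will look for it here.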
@@ -1016,6 +1065,10 @@ The variable contains three space-separated values: client ip-address, client port number, and server port number. +.It Ev SSH_ORIGINAL_COMMAND +The variable contains the original command line if a forced command +is executed. +It can be used to extract the original arguments. .It Ev SSH_TTY This is set to the name of the tty (path to the device) associated with the current shell or command. @@ -1073,7 +1126,7 @@ These files are not sensitive and can (but need not) be readable by anyone. These files are -never used automatically and are not necessary; they is only provided for +never used automatically and are not necessary; they are only provided for the convenience of the user. .It Pa $HOME/.ssh/config This is the per-user configuration file. @@ -1096,7 +1149,7 @@ This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. .It Pa $HOME/.ssh/authorized_keys2 -Lists the DSA keys that can be used for logging in as this user. +Lists the public keys (DSA/RSA) that can be used for logging in as this user. This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. .It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2 @@ -1104,7 +1157,7 @@ .Pa /etc/ssh_known_hosts contains RSA and .Pa /etc/ssh_known_hosts2 -contains DSA keys. +contains DSA or RSA keys for protocol version 2. These files should be prepared by the system administrator to contain the public host keys of all machines in the organization. 
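Review bot: In the hunk at @@ -1016,6 +1065,10 @@ the `SSH_ORIGINAL_COMMAND` entry says the variable "can be used to extract the original arguments" without noting that the value is the command line as sent by the client; add a sentence that a forced command must treat the variable as untrusted input and validate it before acting on it, since the whole purpose of a forced command is to constrain what the client may run.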
@@ -1219,45 +1272,22 @@ A version of this library which includes support for the RSA algorithm is required for proper operation. .El -.Sh AUTHOR -OpenSSH -is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen, -but with bugs removed and newer features re-added. -Rapidly after the -1.2.12 release, newer versions of the original ssh bore successively -more restrictive licenses, and thus demand for a free version was born. -.Pp -This version of OpenSSH -.Bl -bullet -.It -has all components of a restrictive nature (i.e., patents, see -.Xr crypto 3 ) -directly removed from the source code; any licensed or patented components -are chosen from -external libraries. -.It -has been updated to support SSH protocol 1.5 and 2, making it compatible with -all other SSH clients and servers. -.It -contains added support for -.Xr kerberos 8 -authentication and ticket passing. -.It -supports one-time password authentication with -.Xr skey 1 . -.El -.Pp -OpenSSH has been created by Aaron Campbell, Bob Beck, Markus Friedl, -Niels Provos, Theo de Raadt, and Dug Song. -.Pp -The support for SSH protocol 2 was written by Markus Friedl. +.Sh AUTHORS +OpenSSH is a derivative of the original and free +ssh 1.2.12 release by Tatu Ylonen. +Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, +Theo de Raadt and Dug Song +removed many bugs, re-added newer features and +created OpenSSH. +Markus Friedl contributed the support for SSH +protocol versions 1.5 and 2.0. .Sh SEE ALSO .Xr rlogin 1 , .Xr rsh 1 , .Xr scp 1 , +.Xr sftp 1 , .Xr ssh-add 1 , .Xr ssh-agent 1 , .Xr ssh-keygen 1 , .Xr telnet 1 , -.Xr sshd 8 , -.Xr crypto 3 +.Xr sshd 8 diff -ru openssh-2.3.0p1/ssh.c openssh-2.5.1p1/ssh.c --- openssh-2.3.0p1/ssh.c 2000-10-28 14:19:58.000000000 +1100 +++ openssh-2.5.1p1/ssh.c 2001-02-19 21:51:08.000000000 +1100 
@@ -39,31 +39,40 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.69 2000/10/27 07:32:19 markus Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.96 2001/02/17 23:28:58 deraadt Exp $"); #include -#include -#include +#include -#include "xmalloc.h" #include "ssh.h" +#include "ssh1.h" +#include "ssh2.h" +#include "compat.h" +#include "cipher.h" +#include "xmalloc.h" #include "packet.h" #include "buffer.h" -#include "readconf.h" #include "uidswap.h" - -#include "ssh2.h" -#include "compat.h" #include "channels.h" #include "key.h" #include "authfd.h" #include "authfile.h" +#include "pathnames.h" +#include "clientloop.h" +#include "log.h" +#include "readconf.h" +#include "sshconnect.h" +#include "tildexpand.h" +#include "dispatch.h" +#include "misc.h" +#include "kex.h" +#include "mac.h" #ifdef HAVE___PROGNAME extern char *__progname; -#else /* HAVE___PROGNAME */ -static const char *__progname = "ssh"; -#endif /* HAVE___PROGNAME */ +#else +char *__progname; +#endif /* Flag indicating whether IPv4 or IPv6. This can be set on the command line. Default value is AF_UNSPEC means both IPv4 and IPv6. */ @@ -78,10 +87,11 @@ /* Flag indicating whether a tty should be allocated */ int tty_flag = 0; +int no_tty_flag = 0; +int force_tty_flag = 0; /* don't exec a shell */ int no_shell_flag = 0; -int no_tty_flag = 0; /* * Flag indicating that nothing should be read from stdin. This can be set @@ -120,9 +130,6 @@ */ volatile int received_window_change_signal = 0; -/* Value of argv[0] (set in the main program). */ -char *av0; - /* Flag indicating whether we have a valid host private key loaded. */ int host_private_key_loaded = 0; 
@@ -135,21 +142,24 @@ /* command to be executed */ Buffer command; +/* Should we execute a command or invoke a subsystem? */ +int subsystem_flag = 0; + /* Prints a help message to the user. This function never returns. */ void -usage() +usage(void) { - fprintf(stderr, "Usage: %s [options] host [command]\n", av0); + fprintf(stderr, "Usage: %s [options] host [command]\n", __progname); fprintf(stderr, "Options:\n"); fprintf(stderr, " -l user Log in using this user name.\n"); - fprintf(stderr, " -n Redirect input from /dev/null.\n"); + fprintf(stderr, " -n Redirect input from " _PATH_DEVNULL ".\n"); fprintf(stderr, " -A Enable authentication agent forwarding.\n"); fprintf(stderr, " -a Disable authentication agent forwarding.\n"); #ifdef AFS fprintf(stderr, " -k Disable Kerberos ticket and AFS token forwarding.\n"); #endif /* AFS */ - fprintf(stderr, " -X Enable X11 connection forwarding.\n"); + fprintf(stderr, " -X Enable X11 connection forwarding.\n"); fprintf(stderr, " -x Disable X11 connection forwarding.\n"); fprintf(stderr, " -i file Identity for RSA authentication (default: ~/.ssh/identity).\n"); fprintf(stderr, " -t Tty; allocate a tty even if command is given.\n"); 
@@ -168,15 +178,17 @@ fprintf(stderr, " -p port Connect to this port. Server must be on the same port.\n"); fprintf(stderr, " -L listen-port:host:port Forward local port to remote address\n"); fprintf(stderr, " -R listen-port:host:port Forward remote port to local address\n"); - fprintf(stderr, " These cause %s to listen for connections on a port, and\n", av0); + fprintf(stderr, " These cause %s to listen for connections on a port, and\n", __progname); fprintf(stderr, " forward them to the other side by connecting to host:port.\n"); fprintf(stderr, " -C Enable compression.\n"); fprintf(stderr, " -N Do not execute a shell or command.\n"); fprintf(stderr, " -g Allow remote hosts to connect to forwarded ports.\n"); + fprintf(stderr, " -1 Force protocol version 1.\n"); + fprintf(stderr, " -2 Force protocol version 2.\n"); fprintf(stderr, " -4 Use IPv4 only.\n"); fprintf(stderr, " -6 Use IPv6 only.\n"); - fprintf(stderr, " -2 Force protocol version 2.\n"); fprintf(stderr, " -o 'option' Process the option as if it was read from a configuration file.\n"); + fprintf(stderr, " -s Invoke command (mandatory) as SSH2 subsystem.\n"); exit(1); } @@ -218,8 +230,9 @@ exit(1); } -int ssh_session(void); -int ssh_session2(void); +int ssh_session(void); +int ssh_session2(void); +int guess_identity_file_type(const char *filename); /* * Main program for the ssh client. @@ -235,6 +248,7 @@ int dummy; uid_t original_effective_uid; + __progname = get_progname(av[0]); init_rng(); /* 
@@ -270,33 +284,12 @@ */ umask(022); - /* Save our own name. */ - av0 = av[0]; - /* Initialize option structure to indicate that no values have been set. */ initialize_options(&options); /* Parse command-line arguments. */ host = NULL; - /* If program name is not one of the standard names, use it as host name. */ - if (strchr(av0, '/')) - cp = strrchr(av0, '/') + 1; - else - cp = av0; -#ifdef HAVE_CYGWIN - if (strcasecmp(cp, "rsh") && strcasecmp(cp, "ssh") && - strcasecmp(cp, "rlogin") && strcasecmp(cp, "slogin") && - strcasecmp(cp, "remsh") && - strcasecmp(cp, "rsh.exe") && strcasecmp(cp, "ssh.exe") && - strcasecmp(cp, "rlogin.exe") && strcasecmp(cp, "slogin.exe") && - strcasecmp(cp, "remsh.exe")) -#else - if (strcmp(cp, "rsh") && strcmp(cp, "ssh") && strcmp(cp, "rlogin") && - strcmp(cp, "slogin") && strcmp(cp, "remsh")) -#endif - host = cp; - for (optind = 1; optind < ac; optind++) { if (av[optind][0] != '-') { if (host) @@ -314,7 +307,7 @@ opt = av[optind][1]; if (!opt) usage(); - if (strchr("eilcpLRo", opt)) { /* options with arguments */ + if (strchr("eilcmpLRo", opt)) { /* options with arguments */ optarg = av[optind] + 2; if (strcmp(optarg, "") == 0) { if (optind >= ac - 1) @@ -327,6 +320,9 @@ optarg = NULL; } switch (opt) { + case '1': + options.protocol = SSH_PROTO_1; + break; case '2': options.protocol = SSH_PROTO_2; break; @@ -370,16 +366,17 @@ case 'i': if (stat(optarg, &st) < 0) { fprintf(stderr, "Warning: Identity file %s does not exist.\n", - optarg); + optarg); break; } if (options.num_identity_files >= SSH_MAX_IDENTITY_FILES) fatal("Too many identity files specified (max %d)", - SSH_MAX_IDENTITY_FILES); - options.identity_files[options.num_identity_files++] = - xstrdup(optarg); + SSH_MAX_IDENTITY_FILES); + options.identity_files[options.num_identity_files++] = xstrdup(optarg); break; case 't': + if (tty_flag) + force_tty_flag = 1; tty_flag = 1; break; case 'v': 
@@ -394,11 +391,12 @@ } /* fallthrough */ case 'V': - fprintf(stderr, "SSH Version %s, protocol versions %d.%d/%d.%d.\n", + fprintf(stderr, + "%s, SSH protocols %d.%d/%d.%d, OpenSSL 0x%8.8lx\n", SSH_VERSION, PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1, - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2); - fprintf(stderr, "Compiled with SSL (0x%8.8lx).\n", SSLeay()); + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, + SSLeay()); if (opt == 'V') exit(0); break; @@ -407,10 +405,10 @@ break; case 'e': if (optarg[0] == '^' && optarg[2] == 0 && - (unsigned char) optarg[1] >= 64 && (unsigned char) optarg[1] < 128) - options.escape_char = (unsigned char) optarg[1] & 31; + (u_char) optarg[1] >= 64 && (u_char) optarg[1] < 128) + options.escape_char = (u_char) optarg[1] & 31; else if (strlen(optarg) == 1) - options.escape_char = (unsigned char) optarg[0]; + options.escape_char = (u_char) optarg[0]; else if (strcmp(optarg, "none") == 0) options.escape_char = -2; else { @@ -425,12 +423,26 @@ options.cipher = SSH_CIPHER_ILLEGAL; } else { /* SSH1 only */ - Cipher *c = cipher_by_name(optarg); - if (c == NULL || c->number < 0) { + options.cipher = cipher_number(optarg); + if (options.cipher == -1) { fprintf(stderr, "Unknown cipher type '%s'\n", optarg); exit(1); } - options.cipher = c->number; + if (options.cipher == SSH_CIPHER_3DES) { + options.ciphers = "3des-cbc"; + } else if (options.cipher == SSH_CIPHER_BLOWFISH) { + options.ciphers = "blowfish-cbc"; + } else { + options.ciphers = (char *)-1; + } + } + break; + case 'm': + if (mac_valid(optarg)) + options.macs = xstrdup(optarg); + else { + fprintf(stderr, "Unknown mac type '%s'\n", optarg); + exit(1); } break; case 'p': @@ -477,6 +489,9 @@ "command-line", 0, &dummy) != 0) exit(1); break; + case 's': + subsystem_flag = 1; + break; default: usage(); } @@ -487,6 +502,7 @@ usage(); SSLeay_add_all_algorithms(); + ERR_load_crypto_strings(); /* Initialize the command to execute on remote host. */ buffer_init(&command); 
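Review bot: In the hunk at @@ -425,12 +423,26 @@ the new `else` branch sets `options.ciphers = (char *)-1;` as a sentinel meaning "protocol 1 cipher with no protocol 2 equivalent"; a cast integer stored in a `char *` is easy to dereference by mistake in any code that treats `options.ciphers` as a string, so give it a named constant and a comment stating which consumers check for it.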
@@ -499,6 +515,10 @@ if (optind == ac) { /* No command specified - execute shell on a tty. */ tty_flag = 1; + if (subsystem_flag) { + fprintf(stderr, "You must specify a subsystem to invoke."); + usage(); + } } else { /* A command has been specified. Store it into the buffer. */ @@ -517,20 +537,20 @@ if (buffer_len(&command) == 0) tty_flag = 1; + /* Force no tty*/ + if (no_tty_flag) + tty_flag = 0; /* Do not allocate a tty if stdin is not a tty. */ - if (!isatty(fileno(stdin))) { + if (!isatty(fileno(stdin)) && !force_tty_flag) { if (tty_flag) - fprintf(stderr, "Pseudo-terminal will not be allocated because stdin is not a terminal.\n"); + log("Pseudo-terminal will not be allocated because stdin is not a terminal.\n"); tty_flag = 0; } - /* force */ - if (no_tty_flag) - tty_flag = 0; /* Get user data. */ pw = getpwuid(original_real_uid); if (!pw) { - fprintf(stderr, "You don't exist, go away!\n"); + log("You don't exist, go away!\n"); exit(1); } /* Take a copy of the returned structure. */ @@ -551,11 +571,11 @@ log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 0); /* Read per-user configuration file. */ - snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, SSH_USER_CONFFILE); + snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, _PATH_SSH_USER_CONFFILE); read_config_file(buf, host, &options); /* Read systemwide configuration file. */ - read_config_file(HOST_CONFIG_FILE, host, &options); + read_config_file(_PATH_HOST_CONFIG_FILE, host, &options); /* Fill configuration defaults. */ fill_default_options(&options); 
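Review bot: In the hunk at @@ -499,6 +515,10 @@ the message `fprintf(stderr, "You must specify a subsystem to invoke.");` has no trailing newline, and `usage()` immediately prints "Usage: ..." to the same stream, so the two run together on one line; add `\n`.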
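Review bot: In the hunk at @@ -517,20 +537,20 @@ the two `fprintf(stderr, ...)` calls are converted to `log(...)` but keep their trailing `\n` ("Pseudo-terminal will not be allocated because stdin is not a terminal.\n", "You don't exist, go away!\n"); if `log()` terminates lines itself, as the other `log()` calls in this file without `\n` suggest, these produce a blank line after each message and the `\n` should be dropped.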
@@ -563,20 +583,6 @@ /* reinit */ log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 0); - /* check if RSA support exists */ - if ((options.protocol & SSH_PROTO_1) && - rsa_alive() == 0) { - log("%s: no RSA support in libssl and libcrypto. See ssl(8).", - __progname); - log("Disabling protocol version 1"); - options.protocol &= ~ (SSH_PROTO_1|SSH_PROTO_1_PREFERRED); - } - if (! options.protocol & (SSH_PROTO_1|SSH_PROTO_2)) { - fprintf(stderr, "%s: No protocol version available.\n", - __progname); - exit(1); - } - if (options.user == NULL) options.user = xstrdup(pw->pw_name); @@ -590,8 +596,9 @@ #else if (original_effective_uid != 0 || !options.use_privileged_port) { #endif + debug("Rhosts Authentication disabled, " + "originating port will not be trusted."); options.rhosts_authentication = 0; - options.rhosts_rsa_authentication = 0; } /* * If using rsh has been selected, exec it now (without trying @@ -614,17 +621,13 @@ /* Restore our superuser privileges. */ restore_uid(); - /* - * Open a connection to the remote host. This needs root privileges - * if rhosts_{rsa_}authentication is enabled. - */ + /* Open a connection to the remote host. */ ok = ssh_connect(host, &hostaddr, options.port, - options.connection_attempts, - !options.rhosts_authentication && - !options.rhosts_rsa_authentication, - original_real_uid, - options.proxy_command); + options.connection_attempts, + original_effective_uid != 0 || !options.use_privileged_port, + original_real_uid, + options.proxy_command); /* * If we successfully made the connection, load the host private key @@ -635,9 +638,9 @@ if (ok && (options.protocol & SSH_PROTO_1)) { Key k; host_private_key = RSA_new(); - k.type = KEY_RSA; + k.type = KEY_RSA1; k.rsa = host_private_key; - if (load_private_key(HOST_KEY_FILE, "", &k, NULL)) + if (load_private_key(_PATH_HOST_KEY_FILE, "", &k, NULL)) host_private_key_loaded = 1; } /* 
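Review bot: In the hunk at @@ -590,8 +596,9 @@ the line `options.rhosts_rsa_authentication = 0;` is removed, so RhostsRSA authentication is now still attempted when no privileged port is available, but the added debug message says only "Rhosts Authentication disabled, originating port will not be trusted."; extend the message or a comment to state that RhostsRSA remains enabled and is expected to succeed only against servers that do not require a privileged source port, matching the "for older servers" wording added to the manual page.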
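Review bot: In the hunk at @@ -614,17 +621,13 @@ the third argument to `ssh_connect()` is computed inline as `original_effective_uid != 0 || !options.use_privileged_port`, which duplicates the condition evaluated a few lines earlier in the `if` that disables rhosts authentication; compute it once into a named variable so the two can never drift apart, and restore the comment explaining why the call needs the effective uid.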
@@ -661,7 +664,7 @@ * Now that we are back to our own permissions, create ~/.ssh * directory if it doesn\'t already exist. */ - snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, SSH_USER_DIR); + snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, _PATH_SSH_USER_DIR); if (stat(buf, &st) < 0) if (mkdir(buf, 0700) < 0) error("Could not create directory '%.200s'.", buf); 
@@ -682,23 +685,23 @@ } exit(1); } - /* Expand ~ in options.identity_files. */ + /* Expand ~ in options.identity_files, known host file names. */ /* XXX mem-leaks */ - for (i = 0; i < options.num_identity_files; i++) + for (i = 0; i < options.num_identity_files; i++) { options.identity_files[i] = - tilde_expand_filename(options.identity_files[i], original_real_uid); - for (i = 0; i < options.num_identity_files2; i++) - options.identity_files2[i] = - tilde_expand_filename(options.identity_files2[i], original_real_uid); - /* Expand ~ in known host file names. */ - options.system_hostfile = tilde_expand_filename(options.system_hostfile, - original_real_uid); - options.user_hostfile = tilde_expand_filename(options.user_hostfile, - original_real_uid); - options.system_hostfile2 = tilde_expand_filename(options.system_hostfile2, - original_real_uid); - options.user_hostfile2 = tilde_expand_filename(options.user_hostfile2, - original_real_uid); + tilde_expand_filename(options.identity_files[i], original_real_uid); + options.identity_files_type[i] = guess_identity_file_type(options.identity_files[i]); + debug("identity file %s type %d", options.identity_files[i], + options.identity_files_type[i]); + } + options.system_hostfile = + tilde_expand_filename(options.system_hostfile, original_real_uid); + options.user_hostfile = + tilde_expand_filename(options.user_hostfile, original_real_uid); + options.system_hostfile2 = + tilde_expand_filename(options.system_hostfile2, original_real_uid); + options.user_hostfile2 = + tilde_expand_filename(options.user_hostfile2, original_real_uid); /* Log into the remote system. This never returns if the login fails. */ ssh_login(host_private_key_loaded, host_private_key, 
@@ -722,7 +725,7 @@ if (options.xauth_location) { /* Try to get Xauthority information for the display. */ - snprintf(line, sizeof line, "%.100s list %.200s 2>/dev/null", + snprintf(line, sizeof line, "%.100s list %.200s 2>" _PATH_DEVNULL, options.xauth_location, getenv("DISPLAY")); f = popen(line, "r"); if (f && fgets(line, sizeof(line), f) && @@ -752,16 +755,61 @@ } } +void +ssh_init_forwarding(void) +{ + int success = 0; + int i; + + /* Initiate local TCP/IP port forwardings. */ + for (i = 0; i < options.num_local_forwards; i++) { + debug("Connections to local port %d forwarded to remote address %.200s:%d", + options.local_forwards[i].port, + options.local_forwards[i].host, + options.local_forwards[i].host_port); + success += channel_request_local_forwarding( + options.local_forwards[i].port, + options.local_forwards[i].host, + options.local_forwards[i].host_port, + options.gateway_ports); + } + if (i > 0 && success == 0) + error("Could not request local forwarding."); + + /* Initiate remote TCP/IP port forwardings. */ + for (i = 0; i < options.num_remote_forwards; i++) { + debug("Connections to remote port %d forwarded to local address %.200s:%d", + options.remote_forwards[i].port, + options.remote_forwards[i].host, + options.remote_forwards[i].host_port); + channel_request_remote_forwarding( + options.remote_forwards[i].port, + options.remote_forwards[i].host, + options.remote_forwards[i].host_port); + } +} + +void +check_agent_present(void) +{ + if (options.forward_agent) { + /* Clear agent forwarding if we don\'t have an agent. */ + int authfd = ssh_get_authentication_socket(); + if (authfd < 0) + options.forward_agent = 0; + else + ssh_close_authentication_socket(authfd); + } +} + int ssh_session(void) { int type; - int i; int plen; int interactive = 0; int have_tty = 0; struct winsize ws; - int authfd; char *cp; /* Enable compression if requested. */ 
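Review bot: In the hunk at @@ -722,7 +725,7 @@ the xauth command line is still built with `snprintf(line, ..., "%.100s list %.200s 2>" _PATH_DEVNULL, options.xauth_location, getenv("DISPLAY"))` and handed to `popen()`, so the `DISPLAY` value reaches the shell unquoted; the environment is the user's own, but it is more robust to fork and exec xauth with an argv array, and the code should also guard against `getenv("DISPLAY")` returning NULL before formatting it with `%s`.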
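Review bot: In the hunk at @@ -752,16 +755,61 @@ `ssh_init_forwarding()` reports `error("Could not request local forwarding.")` only when `success == 0`, so if several `-L` forwardings are configured and some of them fail, the failure is not reported at all, and the return value of `channel_request_remote_forwarding()` is never checked; report each failed forwarding individually (the port and host are already in the `debug()` call) so the user does not assume a forwarding exists that was never set up.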
@@ -843,16 +891,11 @@ } } /* Tell the packet module whether this is an interactive session. */ - packet_set_interactive(interactive, options.keepalives); - - /* Clear agent forwarding if we don\'t have an agent. */ - authfd = ssh_get_authentication_socket(); - if (authfd < 0) - options.forward_agent = 0; - else - ssh_close_authentication_socket(authfd); + packet_set_interactive(interactive); /* Request authentication agent forwarding if appropriate. */ + check_agent_present(); + if (options.forward_agent) { debug("Requesting authentication agent forwarding."); auth_request_forwarding(); @@ -863,28 +906,9 @@ if (type != SSH_SMSG_SUCCESS) log("Warning: Remote host denied authentication agent forwarding."); } - /* Initiate local TCP/IP port forwardings. */ - for (i = 0; i < options.num_local_forwards; i++) { - debug("Connections to local port %d forwarded to remote address %.200s:%d", - options.local_forwards[i].port, - options.local_forwards[i].host, - options.local_forwards[i].host_port); - channel_request_local_forwarding(options.local_forwards[i].port, - options.local_forwards[i].host, - options.local_forwards[i].host_port, - options.gateway_ports); - } - /* Initiate remote TCP/IP port forwardings. */ - for (i = 0; i < options.num_remote_forwards; i++) { - debug("Connections to remote port %d forwarded to local address %.200s:%d", - options.remote_forwards[i].port, - options.remote_forwards[i].host, - options.remote_forwards[i].host_port); - channel_request_remote_forwarding(options.remote_forwards[i].port, - options.remote_forwards[i].host, - options.remote_forwards[i].host_port); - } + /* Initiate port forwardings. */ + ssh_init_forwarding(); /* If requested, let ssh continue in the background. */ if (fork_after_authentication_flag) 
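Review bot: In the hunk at @@ -843,16 +891,11 @@ the call changes from `packet_set_interactive(interactive, options.keepalives)` to `packet_set_interactive(interactive)`, dropping the keepalive setting; please confirm that `options.keepalives` is now applied elsewhere for protocol 1 sessions, otherwise the `KeepAlive` configuration keyword silently stops having any effect.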
@@ -916,29 +940,26 @@ } void -init_local_fwd(void) +client_subsystem_reply(int type, int plen, void *ctxt) { - int i; - /* Initiate local TCP/IP port forwardings. */ - for (i = 0; i < options.num_local_forwards; i++) { - debug("Connections to local port %d forwarded to remote address %.200s:%d", - options.local_forwards[i].port, - options.local_forwards[i].host, - options.local_forwards[i].host_port); - channel_request_local_forwarding(options.local_forwards[i].port, - options.local_forwards[i].host, - options.local_forwards[i].host_port, - options.gateway_ports); - } -} + int id, len; -extern void client_set_session_ident(int id); + id = packet_get_int(); + len = buffer_len(&command); + len = MAX(len, 900); + packet_done(); + if (type == SSH2_MSG_CHANNEL_FAILURE) + fatal("Request for subsystem '%.*s' failed on channel %d", + len, buffer_ptr(&command), id); +} void -client_init(int id, void *arg) +ssh_session2_callback(int id, void *arg) { int len; - debug("client_init id %d arg %d", id, (int)arg); + int interactive = 0; + + debug("client_init id %d arg %ld", id, (long)arg); if (no_shell_flag) goto done; @@ -961,6 +982,7 @@ packet_put_int(ws.ws_ypixel); packet_put_cstring(""); /* XXX: encode terminal modes */ packet_send(); + interactive = 1; /* XXX wait for reply */ } if (options.forward_x11 && 
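Review bot: `len = MAX(len, 900);` in client_subsystem_reply() looks inverted: it raises `len` to at least 900 instead of capping it, so the `%.*s` in the fatal() can print up to 900 bytes from a command buffer that may be shorter than that and is not NUL-terminated. The sibling code in ssh_session2_callback() caps with `if (len > 900) len = 900;`; use the same cap (MIN) here. Two smaller points in the same hunk: the debug line still reads "client_init id %d" after the rename to ssh_session2_callback(), and the `id` returned by packet_get_int() is never compared with the session channel before calling fatal().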
@@ -971,24 +993,42 @@ /* Request forwarding with authentication spoofing. */ debug("Requesting X11 forwarding with authentication spoofing."); x11_request_forwarding_with_spoofing(id, proto, data); + interactive = 1; /* XXX wait for reply */ } + check_agent_present(); + if (options.forward_agent) { + debug("Requesting authentication agent forwarding."); + channel_request_start(id, "auth-agent-req@openssh.com", 0); + packet_send(); + } + len = buffer_len(&command); if (len > 0) { if (len > 900) len = 900; - debug("Sending command: %.*s", len, buffer_ptr(&command)); - channel_request_start(id, "exec", 0); + if (subsystem_flag) { + debug("Sending subsystem: %.*s", len, buffer_ptr(&command)); + channel_request_start(id, "subsystem", /*want reply*/ 1); + /* register callback for reply */ + /* XXX we asume that client_loop has already been called */ + dispatch_set(SSH2_MSG_CHANNEL_FAILURE, &client_subsystem_reply); + dispatch_set(SSH2_MSG_CHANNEL_SUCCESS, &client_subsystem_reply); + } else { + debug("Sending command: %.*s", len, buffer_ptr(&command)); + channel_request_start(id, "exec", 0); + } packet_put_string(buffer_ptr(&command), len); packet_send(); } else { channel_request(id, "shell", 0); } /* channel_callback(id, SSH2_MSG_OPEN_CONFIGMATION, client_init, 0); */ + done: /* register different callback, etc. XXX */ - client_set_session_ident(id); + packet_set_interactive(interactive); } int @@ -998,7 +1038,7 @@ int in, out, err; if (stdin_null_flag) { - in = open("/dev/null", O_RDONLY); + in = open(_PATH_DEVNULL, O_RDONLY); } else { in = dup(STDIN_FILENO); } @@ -1016,9 +1056,9 @@ if (!isatty(err)) set_nonblock(err); - /* should be pre-session */ - init_local_fwd(); - + /* XXX should be pre-session */ + ssh_init_forwarding(); + /* If requested, let ssh continue in the background. */ if (fork_after_authentication_flag) if (daemon(1, 1) < 0) 
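Review bot: the SSH2 agent-forwarding request `channel_request_start(id, "auth-agent-req@openssh.com", 0)` is sent with want_reply 0, so unlike the SSH1 path earlier in this patch (which logs "Remote host denied authentication agent forwarding") the client never learns that the server refused. Requesting a reply and logging the refusal would keep the two paths consistent. Also, `dispatch_set(SSH2_MSG_CHANNEL_FAILURE/SUCCESS, &client_subsystem_reply)` installs a global handler whose failure branch calls fatal(); any later channel request that asks for a reply would be routed to it. The comment above it has a typo ("asume") and its "XXX" should say what ordering it relies on.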
@@ -1036,7 +1076,28 @@ xstrdup("client-session"), /*nonblock*/0); channel_open(id); - channel_register_callback(id, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, client_init, (void *)0); + channel_register_callback(id, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, + ssh_session2_callback, (void *)0); return client_loop(tty_flag, tty_flag ? options.escape_char : -1, id); } + +int +guess_identity_file_type(const char *filename) +{ + struct stat st; + Key *public; + int type = KEY_RSA1; /* default */ + + if (stat(filename, &st) < 0) { + /* ignore this key */ + return KEY_UNSPEC; + } + public = key_new(type); + if (!load_public_key(filename, public, NULL)) { + /* ok, so we will assume this is 'some' key */ + type = KEY_UNSPEC; + } + key_free(public); + return type; +} diff -ru openssh-2.3.0p1/ssh.h openssh-2.5.1p1/ssh.h --- openssh-2.3.0p1/ssh.h 2000-10-14 16:23:12.000000000 +1100 +++ openssh-2.5.1p1/ssh.h 2001-02-06 02:43:59.000000000 +1100 @@ -3,8 +3,6 @@ * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved * - * Generic header file for ssh. - * * As far as I am concerned, the code I have written for this software * can be used freely for any purpose. Any derived versions of this * software must be clearly marked as such, and if the derived work is @@ -12,7 +10,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: ssh.h,v 1.54 2000/10/11 20:27:24 markus Exp $"); */ +/* RCSID("$OpenBSD: ssh.h,v 1.62 2001/01/23 10:45:10 markus Exp $"); */ #ifndef SSH_H #define SSH_H @@ -20,13 +18,12 @@ #include /* For struct sockaddr_in */ #include /* For struct pw */ #include /* For va_list */ +#include /* For LOG_AUTH and friends */ #include /* For struct sockaddr_storage */ #include "fake-socket.h" /* For struct sockaddr_storage */ #ifdef HAVE_SYS_SELECT_H # include #endif -#include "rsa.h" -#include "cipher.h" /* Cipher used for encrypting authentication files. */ #define SSH_AUTHFILE_CIPHER SSH_CIPHER_3DES 
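Review bot: guess_identity_file_type() returns KEY_UNSPEC both when stat() fails ("ignore this key") and when load_public_key() fails ("assume this is 'some' key"), although the two comments describe different intentions; a caller cannot tell a missing file from a present file of unknown type. Return a distinct value for the stat() failure, or document that callers must stat() again. A comment on what `load_public_key()` succeeding implies (an SSH1 identity whose public half is readable) would also help.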
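Review bot: the ssh.h hunk drops `#include "rsa.h"` and `#include "cipher.h"` while `#define SSH_AUTHFILE_CIPHER SSH_CIPHER_3DES` stays in the header directly below; that only works because macro expansion is deferred to the use site, so every file that uses SSH_AUTHFILE_CIPHER now has to include cipher.h itself. Worth a one-line comment next to the define, or move the define to cipher.h.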
@@ -67,137 +64,21 @@ # define SSHD_PAM_SERVICE "sshd" #endif -#ifndef ETCDIR -#define ETCDIR "/etc" -#endif /* ETCDIR */ - -#ifndef PIDDIR -#define PIDDIR "/var/run" -#endif /* PIDDIR */ - -/* - * System-wide file containing host keys of known hosts. This file should be - * world-readable. - */ -#define SSH_SYSTEM_HOSTFILE ETCDIR "/ssh_known_hosts" -#define SSH_SYSTEM_HOSTFILE2 ETCDIR "/ssh_known_hosts2" - -/* - * Of these, ssh_host_key must be readable only by root, whereas ssh_config - * should be world-readable. - */ -#define HOST_KEY_FILE ETCDIR "/ssh_host_key" -#define SERVER_CONFIG_FILE ETCDIR "/sshd_config" -#define HOST_CONFIG_FILE ETCDIR "/ssh_config" -#define HOST_DSA_KEY_FILE ETCDIR "/ssh_host_dsa_key" -#define DH_PRIMES ETCDIR "/primes" - -#ifndef SSH_PROGRAM -#define SSH_PROGRAM "/usr/bin/ssh" -#endif /* SSH_PROGRAM */ - -#ifndef LOGIN_PROGRAM -# ifdef LOGIN_PROGRAM_FALLBACK -# define LOGIN_PROGRAM LOGIN_PROGRAM_FALLBACK -# else -# define LOGIN_PROGRAM "/usr/bin/login" -# endif -#endif /* LOGIN_PROGRAM */ - -#ifndef ASKPASS_PROGRAM -#define ASKPASS_PROGRAM "/usr/lib/ssh/ssh-askpass" -#endif /* ASKPASS_PROGRAM */ - -/* - * The process id of the daemon listening for connections is saved here to - * make it easier to kill the correct daemon when necessary. - */ -#define SSH_DAEMON_PID_FILE PIDDIR "/sshd.pid" - -/* - * The directory in user\'s home directory in which the files reside. The - * directory should be world-readable (though not all files are). - */ -#define SSH_USER_DIR ".ssh" - -/* - * Relevant only when using builtin PRNG. - */ -#ifndef SSH_PRNG_SEED_FILE -# define SSH_PRNG_SEED_FILE SSH_USER_DIR"/prng_seed" -#endif /* SSH_PRNG_SEED_FILE */ -#ifndef SSH_PRNG_COMMAND_FILE -# define SSH_PRNG_COMMAND_FILE ETCDIR "/ssh_prng_cmds" -#endif /* SSH_PRNG_COMMAND_FILE */ - -/* - * Per-user file containing host keys of known hosts. 
This file need not be - * readable by anyone except the user him/herself, though this does not - * contain anything particularly secret. - */ -#define SSH_USER_HOSTFILE "~/.ssh/known_hosts" -#define SSH_USER_HOSTFILE2 "~/.ssh/known_hosts2" - -/* - * Name of the default file containing client-side authentication key. This - * file should only be readable by the user him/herself. - */ -#define SSH_CLIENT_IDENTITY ".ssh/identity" -#define SSH_CLIENT_ID_DSA ".ssh/id_dsa" - -/* - * Configuration file in user\'s home directory. This file need not be - * readable by anyone but the user him/herself, but does not contain anything - * particularly secret. If the user\'s home directory resides on an NFS - * volume where root is mapped to nobody, this may need to be world-readable. - */ -#define SSH_USER_CONFFILE ".ssh/config" - -/* - * File containing a list of those rsa keys that permit logging in as this - * user. This file need not be readable by anyone but the user him/herself, - * but does not contain anything particularly secret. If the user\'s home - * directory resides on an NFS volume where root is mapped to nobody, this - * may need to be world-readable. (This file is read by the daemon which is - * running as root.) - */ -#define SSH_USER_PERMITTED_KEYS ".ssh/authorized_keys" -#define SSH_USER_PERMITTED_KEYS2 ".ssh/authorized_keys2" - -/* - * Per-user and system-wide ssh "rc" files. These files are executed with - * /bin/sh before starting the shell or command if they exist. They will be - * passed "proto cookie" as arguments if X11 forwarding with spoofing is in - * use. xauth will be run if neither of these exists. - */ -#define SSH_USER_RC ".ssh/rc" -#define SSH_SYSTEM_RC ETCDIR "/sshrc" - -/* - * Ssh-only version of /etc/hosts.equiv. Additionally, the daemon may use - * ~/.rhosts and /etc/hosts.equiv if rhosts authentication is enabled. 
- */ -#define SSH_HOSTS_EQUIV ETCDIR "/shosts.equiv" - /* * Name of the environment variable containing the pathname of the * authentication socket. */ -#define SSH_AUTHSOCKET_ENV_NAME "SSH_AUTH_SOCK" +#define SSH_AGENTPID_ENV_NAME "SSH_AGENT_PID" /* * Name of the environment variable containing the pathname of the * authentication socket. */ -#define SSH_AGENTPID_ENV_NAME "SSH_AGENT_PID" +#define SSH_AUTHSOCKET_ENV_NAME "SSH_AUTH_SOCK" /* - * Default path to ssh-askpass used by ssh-add, - * environment variable for overwriting the default location + * Environment variable for overwriting the default location of askpass */ -#ifndef SSH_ASKPASS_DEFAULT -# define SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass" -#endif #define SSH_ASKPASS_ENV "SSH_ASKPASS" /* 
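Review bot: after swapping the order of SSH_AGENTPID_ENV_NAME and SSH_AUTHSOCKET_ENV_NAME, the comment block that now sits above `SSH_AGENTPID_ENV_NAME "SSH_AGENT_PID"` still says "Name of the environment variable containing the pathname of the authentication socket", which describes SSH_AUTH_SOCK. The two comments were already duplicates; change the first to describe the agent process id.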
@@ -215,346 +96,4 @@ /* Name of Kerberos service for SSH to use. */ #define KRB4_SERVICE_NAME "rcmd" -/* - * Authentication methods. New types can be added, but old types should not - * be removed for compatibility. The maximum allowed value is 31. - */ -#define SSH_AUTH_RHOSTS 1 -#define SSH_AUTH_RSA 2 -#define SSH_AUTH_PASSWORD 3 -#define SSH_AUTH_RHOSTS_RSA 4 -#define SSH_AUTH_TIS 5 -#define SSH_AUTH_KERBEROS 6 -#define SSH_PASS_KERBEROS_TGT 7 - /* 8 to 15 are reserved */ -#define SSH_PASS_AFS_TOKEN 21 - -/* Protocol flags. These are bit masks. */ -#define SSH_PROTOFLAG_SCREEN_NUMBER 1 /* X11 forwarding includes screen */ -#define SSH_PROTOFLAG_HOST_IN_FWD_OPEN 2 /* forwarding opens contain host */ - -/* - * Definition of message types. New values can be added, but old values - * should not be removed or without careful consideration of the consequences - * for compatibility. The maximum value is 254; value 255 is reserved for - * future extension. - */ -/* Message name */ /* msg code */ /* arguments */ -#define SSH_MSG_NONE 0 /* no message */ -#define SSH_MSG_DISCONNECT 1 /* cause (string) */ -#define SSH_SMSG_PUBLIC_KEY 2 /* ck,msk,srvk,hostk */ -#define SSH_CMSG_SESSION_KEY 3 /* key (BIGNUM) */ -#define SSH_CMSG_USER 4 /* user (string) */ -#define SSH_CMSG_AUTH_RHOSTS 5 /* user (string) */ -#define SSH_CMSG_AUTH_RSA 6 /* modulus (BIGNUM) */ -#define SSH_SMSG_AUTH_RSA_CHALLENGE 7 /* int (BIGNUM) */ -#define SSH_CMSG_AUTH_RSA_RESPONSE 8 /* int (BIGNUM) */ -#define SSH_CMSG_AUTH_PASSWORD 9 /* pass (string) */ -#define SSH_CMSG_REQUEST_PTY 10 /* TERM, tty modes */ -#define SSH_CMSG_WINDOW_SIZE 11 /* row,col,xpix,ypix */ -#define SSH_CMSG_EXEC_SHELL 12 /* */ -#define SSH_CMSG_EXEC_CMD 13 /* cmd (string) */ -#define SSH_SMSG_SUCCESS 14 /* */ -#define SSH_SMSG_FAILURE 15 /* */ -#define SSH_CMSG_STDIN_DATA 16 /* data (string) */ -#define SSH_SMSG_STDOUT_DATA 17 /* data (string) */ -#define SSH_SMSG_STDERR_DATA 18 /* data (string) */ -#define SSH_CMSG_EOF 19 /* */ 
-#define SSH_SMSG_EXITSTATUS 20 /* status (int) */ -#define SSH_MSG_CHANNEL_OPEN_CONFIRMATION 21 /* channel (int) */ -#define SSH_MSG_CHANNEL_OPEN_FAILURE 22 /* channel (int) */ -#define SSH_MSG_CHANNEL_DATA 23 /* ch,data (int,str) */ -#define SSH_MSG_CHANNEL_CLOSE 24 /* channel (int) */ -#define SSH_MSG_CHANNEL_CLOSE_CONFIRMATION 25 /* channel (int) */ -/* SSH_CMSG_X11_REQUEST_FORWARDING 26 OBSOLETE */ -#define SSH_SMSG_X11_OPEN 27 /* channel (int) */ -#define SSH_CMSG_PORT_FORWARD_REQUEST 28 /* p,host,hp (i,s,i) */ -#define SSH_MSG_PORT_OPEN 29 /* ch,h,p (i,s,i) */ -#define SSH_CMSG_AGENT_REQUEST_FORWARDING 30 /* */ -#define SSH_SMSG_AGENT_OPEN 31 /* port (int) */ -#define SSH_MSG_IGNORE 32 /* string */ -#define SSH_CMSG_EXIT_CONFIRMATION 33 /* */ -#define SSH_CMSG_X11_REQUEST_FORWARDING 34 /* proto,data (s,s) */ -#define SSH_CMSG_AUTH_RHOSTS_RSA 35 /* user,mod (s,mpi) */ -#define SSH_MSG_DEBUG 36 /* string */ -#define SSH_CMSG_REQUEST_COMPRESSION 37 /* level 1-9 (int) */ -#define SSH_CMSG_MAX_PACKET_SIZE 38 /* size 4k-1024k (int) */ -#define SSH_CMSG_AUTH_TIS 39 /* we use this for s/key */ -#define SSH_SMSG_AUTH_TIS_CHALLENGE 40 /* challenge (string) */ -#define SSH_CMSG_AUTH_TIS_RESPONSE 41 /* response (string) */ -#define SSH_CMSG_AUTH_KERBEROS 42 /* (KTEXT) */ -#define SSH_SMSG_AUTH_KERBEROS_RESPONSE 43 /* (KTEXT) */ -#define SSH_CMSG_HAVE_KERBEROS_TGT 44 /* credentials (s) */ -#define SSH_CMSG_HAVE_AFS_TOKEN 65 /* token (s) */ - -/*------------ definitions for login.c -------------*/ - -/* - * Returns the time when the user last logged in. Returns 0 if the - * information is not available. This must be called before record_login. - * The host from which the user logged in is stored in buf. - */ -unsigned long -get_last_login_time(uid_t uid, const char *logname, - char *buf, unsigned int bufsize); - -/* - * Records that the user has logged in. This does many things normally done - * by login(1). 
- */ -void -record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid, - const char *host, struct sockaddr *addr); - -/* - * Records that the user has logged out. This does many thigs normally done - * by login(1) or init. - */ -void record_logout(pid_t pid, const char *ttyname); - -/*------------ definitions for sshconnect.c ----------*/ - -/* - * Opens a TCP/IP connection to the remote server on the given host. If port - * is 0, the default port will be used. If anonymous is zero, a privileged - * port will be allocated to make the connection. This requires super-user - * privileges if anonymous is false. Connection_attempts specifies the - * maximum number of tries, one per second. This returns true on success, - * and zero on failure. If the connection is successful, this calls - * packet_set_connection for the connection. - */ -int -ssh_connect(const char *host, struct sockaddr_storage * hostaddr, - u_short port, int connection_attempts, - int anonymous, uid_t original_real_uid, - const char *proxy_command); - -/* - * Starts a dialog with the server, and authenticates the current user on the - * server. This does not need any extra privileges. The basic connection to - * the server must already have been established before this is called. If - * login fails, this function prints an error and never returns. This - * initializes the random state, and leaves it initialized (it will also have - * references from the packet module). - */ - -void -ssh_login(int host_key_valid, RSA * host_key, const char *host, - struct sockaddr * hostaddr, uid_t original_real_uid); - -/*------------ Definitions for various authentication methods. -------*/ - -/* - * Tries to authenticate the user using the .rhosts file. Returns true if - * authentication succeeds. If ignore_rhosts is non-zero, this will not - * consider .rhosts and .shosts (/etc/hosts.equiv will still be used). 
- */ -int auth_rhosts(struct passwd * pw, const char *client_user); - -/* - * Tries to authenticate the user using the .rhosts file and the host using - * its host key. Returns true if authentication succeeds. - */ -int -auth_rhosts_rsa(struct passwd * pw, const char *client_user, RSA* client_host_key); - -/* - * Tries to authenticate the user using password. Returns true if - * authentication succeeds. - */ -int auth_password(struct passwd * pw, const char *password); - -/* - * Performs the RSA authentication dialog with the client. This returns 0 if - * the client could not be authenticated, and 1 if authentication was - * successful. This may exit if there is a serious protocol violation. - */ -int auth_rsa(struct passwd * pw, BIGNUM * client_n); - -/* - * Parses an RSA key (number of bits, e, n) from a string. Moves the pointer - * over the key. Skips any whitespace at the beginning and at end. - */ -int auth_rsa_read_key(char **cpp, unsigned int *bitsp, BIGNUM * e, BIGNUM * n); - -/* - * Returns the name of the machine at the other end of the socket. The - * returned string should be freed by the caller. - */ -char *get_remote_hostname(int socket); - -/* - * Return the canonical name of the host in the other side of the current - * connection (as returned by packet_get_connection). The host name is - * cached, so it is efficient to call this several times. - */ -const char *get_canonical_hostname(void); - -/* - * Returns the remote IP address as an ascii string. The value need not be - * freed by the caller. - */ -const char *get_remote_ipaddr(void); - -/* Returns the port number of the peer of the socket. */ -int get_peer_port(int sock); - -/* Returns the port number of the remote/local host. 
*/ -int get_remote_port(void); -int get_local_port(void); - - -/* - * Performs the RSA authentication challenge-response dialog with the client, - * and returns true (non-zero) if the client gave the correct answer to our - * challenge; returns zero if the client gives a wrong answer. - */ -int auth_rsa_challenge_dialog(RSA *pk); - -/* - * Reads a passphrase from /dev/tty with echo turned off. Returns the - * passphrase (allocated with xmalloc). Exits if EOF is encountered. If - * from_stdin is true, the passphrase will be read from stdin instead. - */ -char *read_passphrase(char *prompt, int from_stdin); - - -/*------------ Definitions for logging. -----------------------*/ - -/* Supported syslog facilities and levels. */ -typedef enum { - SYSLOG_FACILITY_DAEMON, - SYSLOG_FACILITY_USER, - SYSLOG_FACILITY_AUTH, - SYSLOG_FACILITY_LOCAL0, - SYSLOG_FACILITY_LOCAL1, - SYSLOG_FACILITY_LOCAL2, - SYSLOG_FACILITY_LOCAL3, - SYSLOG_FACILITY_LOCAL4, - SYSLOG_FACILITY_LOCAL5, - SYSLOG_FACILITY_LOCAL6, - SYSLOG_FACILITY_LOCAL7 -} SyslogFacility; - -typedef enum { - SYSLOG_LEVEL_QUIET, - SYSLOG_LEVEL_FATAL, - SYSLOG_LEVEL_ERROR, - SYSLOG_LEVEL_INFO, - SYSLOG_LEVEL_VERBOSE, - SYSLOG_LEVEL_DEBUG1, - SYSLOG_LEVEL_DEBUG2, - SYSLOG_LEVEL_DEBUG3 -} LogLevel; -/* Initializes logging. */ -void log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr); - -/* Logging implementation, depending on server or client */ -void do_log(LogLevel level, const char *fmt, va_list args); - -/* name to facility/level */ -SyslogFacility log_facility_number(char *name); -LogLevel log_level_number(char *name); - -/* Output a message to syslog or stderr */ -void fatal(const char *fmt,...) __attribute__((format(printf, 1, 2))); -void error(const char *fmt,...) __attribute__((format(printf, 1, 2))); -void log(const char *fmt,...) __attribute__((format(printf, 1, 2))); -void verbose(const char *fmt,...) __attribute__((format(printf, 1, 2))); -void debug(const char *fmt,...) 
__attribute__((format(printf, 1, 2))); -void debug2(const char *fmt,...) __attribute__((format(printf, 1, 2))); -void debug3(const char *fmt,...) __attribute__((format(printf, 1, 2))); - -/* same as fatal() but w/o logging */ -void fatal_cleanup(void); - -/* - * Registers a cleanup function to be called by fatal()/fatal_cleanup() - * before exiting. It is permissible to call fatal_remove_cleanup for the - * function itself from the function. - */ -void fatal_add_cleanup(void (*proc) (void *context), void *context); - -/* Removes a cleanup function to be called at fatal(). */ -void fatal_remove_cleanup(void (*proc) (void *context), void *context); - -/* ---- misc */ - -/* - * Expands tildes in the file name. Returns data allocated by xmalloc. - * Warning: this calls getpw*. - */ -char *tilde_expand_filename(const char *filename, uid_t my_uid); - -/* remove newline at end of string */ -char *chop(char *s); - -/* return next token in configuration line */ -char *strdelim(char **s); - -/* set filedescriptor to non-blocking */ -void set_nonblock(int fd); - -/* - * Performs the interactive session. This handles data transmission between - * the client and the program. Note that the notion of stdin, stdout, and - * stderr in this function is sort of reversed: this function writes to stdin - * (of the child program), and reads from stdout and stderr (of the child - * program). - */ -void server_loop(pid_t pid, int fdin, int fdout, int fderr); -void server_loop2(void); - -/* Client side main loop for the interactive session. */ -int client_loop(int have_pty, int escape_char, int id); - -/* Linked list of custom environment strings (see auth-rsa.c). */ -struct envstring { - struct envstring *next; - char *s; -}; - -/* - * Ensure all of data on socket comes through. f==read || f==write - */ -ssize_t atomicio(ssize_t (*f)(), int fd, void *s, size_t n); - -#ifdef KRB4 -#include -/* - * Performs Kerberos v4 mutual authentication with the client. 
This returns 0 - * if the client could not be authenticated, and 1 if authentication was - * successful. This may exit if there is a serious protocol violation. - */ -int auth_krb4(const char *server_user, KTEXT auth, char **client); -int krb4_init(uid_t uid); -void krb4_cleanup_proc(void *ignore); -int auth_krb4_password(struct passwd * pw, const char *password); - -#ifdef AFS -#include - -/* Accept passed Kerberos v4 ticket-granting ticket and AFS tokens. */ -int auth_kerberos_tgt(struct passwd * pw, const char *string); -int auth_afs_token(struct passwd * pw, const char *token_string); - -int creds_to_radix(CREDENTIALS * creds, unsigned char *buf, size_t buflen); -int radix_to_creds(const char *buf, CREDENTIALS * creds); -#endif /* AFS */ - -#endif /* KRB4 */ - -#ifdef SKEY -#include -char *skey_fake_keyinfo(char *username); -int auth_skey_password(struct passwd * pw, const char *password); -#endif /* SKEY */ - -/* AF_UNSPEC or AF_INET or AF_INET6 */ -extern int IPv4or6; - -#ifdef USE_PAM -#include "auth-pam.h" -#endif /* USE_PAM */ - #endif /* SSH_H */ Only in openssh-2.5.1p1: ssh1.h diff -ru openssh-2.3.0p1/ssh_config openssh-2.5.1p1/ssh_config --- openssh-2.3.0p1/ssh_config 2000-08-30 09:40:09.000000000 +1100 +++ openssh-2.5.1p1/ssh_config 2001-02-04 23:20:20.000000000 +1100 @@ -1,6 +1,8 @@ -# This is ssh client systemwide configuration file. This file provides -# defaults for users, and the values can be changed in per-user configuration -# files or on the command line. +# $OpenBSD: ssh_config,v 1.8 2001/02/02 12:57:51 deraadt Exp $ + +# This is ssh client systemwide configuration file. See ssh(1) for more +# information. This file provides defaults for users, and the values can +# be changed in per-user configuration files or on the command line. # Configuration data is parsed as follows: # 1. command line options 
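Review bot: the ssh.h hunks remove several hundred lines (file paths, the SSH1 authentication and message codes, the login/connect/auth/logging prototypes), and "Only in openssh-2.5.1p1: ssh1.h" indicates at least the message codes moved to a new file, but `diff -ru` without `-N` omits the contents of new files, so the relocation cannot be reviewed from this patch. Regenerate with `diff -ruN` (the same applies to the other "Only in" files) so the new headers appear as added hunks.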
@@ -13,9 +15,9 @@ # Site-wide defaults for various options # Host * -# ForwardAgent yes -# ForwardX11 yes -# RhostsAuthentication yes +# ForwardAgent no +# ForwardX11 no +# RhostsAuthentication no # RhostsRSAAuthentication yes # RSAAuthentication yes # PasswordAuthentication yes @@ -23,9 +25,12 @@ # UseRsh no # BatchMode no # CheckHostIP yes -# StrictHostKeyChecking no +# StrictHostKeyChecking yes # IdentityFile ~/.ssh/identity +# IdentityFile ~/.ssh/id_dsa +# IdentityFile ~/.ssh/id_rsa1 +# IdentityFile ~/.ssh/id_rsa2 # Port 22 -# Protocol 2,1 +# Protocol 1,2 # Cipher blowfish # EscapeChar ~ diff -ru openssh-2.3.0p1/ssh_prng_cmds.in openssh-2.5.1p1/ssh_prng_cmds.in --- openssh-2.3.0p1/ssh_prng_cmds.in 2000-09-16 15:39:57.000000000 +1100 +++ openssh-2.5.1p1/ssh_prng_cmds.in 2001-02-09 12:55:36.000000000 +1100 @@ -4,6 +4,8 @@ # The "rate" represents the number of bits of usuable entropy per # byte of command output. Be conservative. +# +# $Id: ssh_prng_cmds.in,v 1.6 2001/02/09 01:55:36 djm Exp $ "ls -alni /var/log" @PROG_LS@ 0.02 "ls -alni /var/adm" @PROG_LS@ 0.02 diff -ru openssh-2.3.0p1/sshconnect.c openssh-2.5.1p1/sshconnect.c --- openssh-2.3.0p1/sshconnect.c 2000-09-23 17:15:57.000000000 +1100 +++ openssh-2.5.1p1/sshconnect.c 2001-02-16 12:34:57.000000000 +1100 
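Review bot: the ssh_config hunk changes `# Protocol 2,1` to `# Protocol 1,2`, which advertises protocol 1 as the first choice, while the other changed defaults in the same hunk (ForwardAgent no, ForwardX11 no, RhostsAuthentication no, StrictHostKeyChecking yes) all tighten behaviour; the commit message should say why the ordering was reversed. Since these lines are commented-out examples, they should match the compiled-in defaults in readconf.c, which are not in the visible hunks; confirm the two agree, including the four IdentityFile entries.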
@@ -13,33 +13,33 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.79 2000/09/17 15:52:51 markus Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.97 2001/02/15 23:19:59 markus Exp $"); #include -#include -#include +#include "ssh.h" #include "xmalloc.h" #include "rsa.h" -#include "ssh.h" #include "buffer.h" #include "packet.h" #include "uidswap.h" #include "compat.h" -#include "readconf.h" #include "key.h" #include "sshconnect.h" #include "hostfile.h" +#include "log.h" +#include "readconf.h" +#include "atomicio.h" +#include "misc.h" char *client_version_string = NULL; char *server_version_string = NULL; extern Options options; -#ifdef HAVE___PROGNAME extern char *__progname; -#else /* HAVE___PROGNAME */ -static const char *__progname = "ssh"; -#endif /* HAVE___PROGNAME */ + +/* AF_UNSPEC or AF_INET or AF_INET6 */ +extern int IPv4or6; /* * Connect to the given ssh server using a proxy command. @@ -120,8 +120,8 @@ /* Execute the proxy command. Note that we gave up any extra privileges above. */ - execv(_PATH_BSHELL, argv); - perror(_PATH_BSHELL); + execv(argv[0], argv); + perror(argv[0]); exit(1); } /* Parent. */ @@ -191,12 +191,13 @@ int anonymous, uid_t original_real_uid, const char *proxy_command) { + int gaierr; + int on = 1; int sock = -1, attempt; - struct servent *sp; - struct addrinfo hints, *ai, *aitop; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; - int gaierr; + struct addrinfo hints, *ai, *aitop; struct linger linger; + struct servent *sp; debug("ssh_connect: getuid %u geteuid %u anon %d", (u_int) getuid(), (u_int) geteuid(), anonymous); @@ -249,9 +250,9 @@ /* Create a socket for connecting. */ sock = ssh_create_socket(original_real_uid, #ifdef HAVE_CYGWIN - !anonymous && port < IPPORT_RESERVED, + !anonymous, #else - !anonymous && geteuid() == 0 && port < IPPORT_RESERVED, + !anonymous && geteuid() == 0, #endif ai->ai_family); if (sock < 0) 
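Review bot: removing `port < IPPORT_RESERVED` from the ssh_create_socket() condition changes behaviour: a non-anonymous connection run as root (or any non-anonymous connection on Cygwin) now always requests a privileged source port, even when the destination port is not reserved. That may be intended, but it is a silent change and should be explained in the commit message. In the proxy-command hunk, `execv(argv[0], argv)` requires argv[0] to be an absolute path since execv() does no PATH search; where argv[0] is assigned is not visible here, so a comment at that assignment would help.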
@@ -264,7 +265,7 @@ temporarily_use_uid(original_real_uid); if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) { /* Successful connection. */ - memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); + memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); restore_uid(); break; } else { @@ -302,7 +303,13 @@ /* setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */ linger.l_onoff = 1; linger.l_linger = 5; - setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *) &linger, sizeof(linger)); + setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger)); + + /* Set keepalives if requested. */ + if (options.keepalives && + setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&on, + sizeof(on)) < 0) + error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); /* Set the connection. */ packet_set_connection(sock, sock); @@ -315,12 +322,13 @@ * identification string. */ void -ssh_exchange_identification() +ssh_exchange_identification(void) { char buf[256], remote_version[256]; /* must be same size! */ int remote_major, remote_minor, i, mismatch; int connection_in = packet_get_connection_in(); int connection_out = packet_get_connection_out(); + int minor1 = PROTOCOL_MINOR_1; /* Read other side\'s version identification. */ for (;;) { @@ -374,9 +382,10 @@ } if (remote_minor < 3) { fatal("Remote machine has too old SSH software version."); - } else if (remote_minor == 3) { + } else if (remote_minor == 3 || remote_minor == 4) { /* We speak 1.3, too. */ enable_compat13(); + minor1 = 3; if (options.forward_agent) { log("Agent forwarding disabled for protocol 1.3"); options.forward_agent = 0; @@ -402,7 +411,7 @@ /* Send our own protocol version identification. */ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, - compat20 ? PROTOCOL_MINOR_2 : PROTOCOL_MINOR_1, + compat20 ? PROTOCOL_MINOR_2 : minor1, SSH_VERSION); if (atomicio(write, connection_out, buf, strlen(buf)) != strlen(buf)) fatal("write: %.100s", strerror(errno)); 
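Review bot: the version-exchange hunk now treats `remote_minor == 4` like 1.3 (enable_compat13() and announcing `minor1 = 3`), but the only comment is the old "We speak 1.3, too." Add a line saying why a 1.4 peer gets 1.3 compatibility and why we announce 1.3 rather than 1.4 back to it. The keepalive hunk is fine as written: `on` is declared in the earlier hunk and a setsockopt failure is logged with error() without aborting the connection.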
@@ -412,6 +421,7 @@ debug("Local version string %.100s", client_version_string); } +/* defaults to 'no' */ int read_yes_or_no(const char *prompt, int defval) { @@ -419,10 +429,13 @@ FILE *f; int retval = -1; - if (isatty(0)) + if (options.batch_mode) + return 0; + + if (isatty(STDIN_FILENO)) f = stdin; else - f = fopen("/dev/tty", "rw"); + f = fopen(_PATH_TTY, "rw"); if (f == NULL) return 0; @@ -474,6 +487,8 @@ int local = 0, host_ip_differ = 0; int salen; char ntop[NI_MAXHOST]; + int host_line, ip_line; + const char *host_file = NULL, *ip_file = NULL; /* * Force accepting of the host key for loopback/localhost. The 
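Review bot: `fopen(_PATH_TTY, "rw")` in read_yes_or_no() keeps the pre-existing mode string "rw", which is not a standard fopen() mode (the "w" is implementation-defined at best); the function only reads the answer, so "r" is the correct mode. The added `if (options.batch_mode) return 0;` is the right default since, per the new comment, the function "defaults to 'no'", so an unattended run never accepts a new or changed host key.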
@@ -498,23 +513,40 @@ salen = sizeof(struct sockaddr_storage); break; } - if (local) { - debug("Forcing accepting of host key for loopback/localhost."); + if (local && options.host_key_alias == NULL) { + debug("Forcing accepting of host key for " + "loopback/localhost."); return; } /* - * Turn off check_host_ip for proxy connects, since - * we don't have the remote ip-address + * We don't have the remote ip-address for connections + * using a proxy command */ - if (options.proxy_command != NULL && options.check_host_ip) - options.check_host_ip = 0; - - if (options.check_host_ip) { + if (options.proxy_command == NULL) { if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) fatal("check_host_key: getnameinfo failed"); ip = xstrdup(ntop); + } else { + ip = xstrdup(""); + } + /* + * Turn off check_host_ip if the connection is to localhost, via proxy + * command or if we don't have a hostname to compare with + */ + if (options.check_host_ip && + (local || strcmp(host, ip) == 0 || options.proxy_command != NULL)) + options.check_host_ip = 0; + + /* + * Allow the user to record the key under a different name. This is + * useful for ssh tunneling over forwarded connections or if you run + * multiple sshd's on different ports on the same machine. + */ + if (options.host_key_alias != NULL) { + host = options.host_key_alias; + debug("using hostkeyalias: %s", host); } /* 
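Review bot: the `host = options.host_key_alias;` substitution happens after the `strcmp(host, ip) == 0` test that can turn off check_host_ip, so that test uses the real host name while the subsequent lookups use the alias; the comment explaining the alias should state that this ordering is deliberate. Also note that with `ip = xstrdup("")` for proxy connections, every later message that prints `ip` will show an empty string; that is harmless here because check_host_ip is forced off in the same branch, but a comment on the `xstrdup("")` would save the next reader the check.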
@@ -527,19 +559,25 @@ * Check if the host key is present in the user\'s list of known * hosts or in the systemwide list. */ - host_status = check_host_in_hostfile(user_hostfile, host, host_key, file_key); - if (host_status == HOST_NEW) - host_status = check_host_in_hostfile(system_hostfile, host, host_key, file_key); + host_file = user_hostfile; + host_status = check_host_in_hostfile(host_file, host, host_key, file_key, &host_line); + if (host_status == HOST_NEW) { + host_file = system_hostfile; + host_status = check_host_in_hostfile(host_file, host, host_key, file_key, &host_line); + } /* * Also perform check for the ip address, skip the check if we are * localhost or the hostname was an ip address to begin with */ - if (options.check_host_ip && !local && strcmp(host, ip)) { + if (options.check_host_ip) { Key *ip_key = key_new(host_key->type); - ip_status = check_host_in_hostfile(user_hostfile, ip, host_key, ip_key); - if (ip_status == HOST_NEW) - ip_status = check_host_in_hostfile(system_hostfile, ip, host_key, ip_key); + ip_file = user_hostfile; + ip_status = check_host_in_hostfile(ip_file, ip, host_key, ip_key, &ip_line); + if (ip_status == HOST_NEW) { + ip_file = system_hostfile; + ip_status = check_host_in_hostfile(ip_file, ip, host_key, ip_key, &ip_line); + } if (host_status == HOST_CHANGED && (ip_status != HOST_CHANGED || !key_equal(ip_key, file_key))) host_ip_differ = 1; 
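Review bot: `host_line` and `ip_line` are declared without initialisers in the earlier hunk and are written only by check_host_in_hostfile() through its new out-parameter, whose changed signature is not in the visible hunks; `debug("Found key in %s:%d", host_file, host_line)` and the "Offending key" messages read them, so confirm check_host_in_hostfile() always assigns the out-parameter (including on HOST_NEW) or initialise both to 0 here.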
@@ -555,17 +593,14 @@ /* The host is known and the key matches. */ debug("Host '%.200s' is known and matches the %s host key.", host, type); - if (options.check_host_ip) { - if (ip_status == HOST_NEW) { - if (!add_host_to_hostfile(user_hostfile, ip, host_key)) - log("Failed to add the %s host key for IP address '%.30s' to the list of known hosts (%.30s).", - type, ip, user_hostfile); - else - log("Warning: Permanently added the %s host key for IP address '%.30s' to the list of known hosts.", - type, ip); - } else if (ip_status != HOST_OK) - log("Warning: the %s host key for '%.200s' differs from the key for the IP address '%.30s'", - type, host, ip); + debug("Found key in %s:%d", host_file, host_line); + if (options.check_host_ip && ip_status == HOST_NEW) { + if (!add_host_to_hostfile(user_hostfile, ip, host_key)) + log("Failed to add the %s host key for IP address '%.128s' to the list of known hosts (%.30s).", + type, ip, user_hostfile); + else + log("Warning: Permanently added the %s host key for IP address '%.128s' to the list of known hosts.", + type, ip); } break; case HOST_NEW: @@ -577,16 +612,15 @@ } else if (options.strict_host_key_checking == 2) { /* The default */ char prompt[1024]; - char *fp = key_fingerprint(host_key); snprintf(prompt, sizeof(prompt), - "The authenticity of host '%.200s' can't be established.\n" + "The authenticity of host '%.200s (%s)' can't be established.\n" "%s key fingerprint is %s.\n" "Are you sure you want to continue connecting (yes/no)? ", - host, type, fp); + host, ip, type, key_fingerprint(host_key)); if (!read_yes_or_no(prompt, -1)) fatal("Aborted by user!\n"); } - if (options.check_host_ip && ip_status == HOST_NEW && strcmp(host, ip)) { + if (options.check_host_ip && ip_status == HOST_NEW) { snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); hostp = hostline; } else 
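Review bot: the new prompt format `'%.200s (%s)'` prints "host ()" when `ip` is the empty string assigned for proxy-command connections, which reads as a bug to the user; print the parenthesised address only when `*ip != '\0'`. The move from a separate `fp` variable to calling key_fingerprint(host_key) inline is fine if that function returns a static or cached buffer, which the hunk does not show; a comment or the old local would make the ownership clear.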
@@ -616,7 +650,9 @@ error("and the key for the according IP address %s", ip); error("%s. This could either mean that", msg); error("DNS SPOOFING is happening or the IP address for the host"); - error("and its host key have changed at the same time"); + error("and its host key have changed at the same time."); + if (ip_status != HOST_NEW) + error("Offending key for IP in %s:%d", ip_file, ip_line); } /* The host key has changed. */ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); @@ -625,9 +661,12 @@ error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); error("It is also possible that the %s host key has just been changed.", type); + error("The fingerprint for the %s key sent by the remote host is\n%s.", + type, key_fingerprint(host_key)); error("Please contact your system administrator."); error("Add correct host key in %.100s to get rid of this message.", - user_hostfile); + user_hostfile); + error("Offending key in %s:%d", host_file, host_line); /* * If strict host key checking is in use, the user will have @@ -649,6 +688,14 @@ error("Agent forwarding is disabled to avoid trojan horses."); options.forward_agent = 0; } + if (options.forward_x11) { + error("X11 forwarding is disabled to avoid trojan horses."); + options.forward_x11 = 0; + } + if (options.num_local_forwards > 0 || options.num_remote_forwards > 0) { + error("Port forwarding is disabled to avoid trojan horses."); + options.num_local_forwards = options.num_remote_forwards = 0; + } /* * XXX Should permit the user to change to use the new id. * This could be done by converting the host key to an 
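Review bot: disabling X11 and port forwarding alongside agent forwarding on a changed host key is the right default, but the hunk only zeroes `num_local_forwards`/`num_remote_forwards` and prints an `error()`; document in ssh(1) next to StrictHostKeyChecking that a changed key with strict checking off now drops all configured forwardings, and note that the `XXX Should permit the user to change to use the new id` comment below still implies the connection proceeds, so a user running with StrictHostKeyChecking=no still authenticates to a host whose key changed. Printing the fingerprint of the new key and the offending `host_file:host_line` gives the user what they need to verify out of band, which is good.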
@@ -658,8 +705,25 @@ */ break; } - if (options.check_host_ip) - xfree(ip); + + if (options.check_host_ip && host_status != HOST_CHANGED && + ip_status == HOST_CHANGED) { + log("Warning: the %s host key for '%.200s' " + "differs from the key for the IP address '%.128s'", + type, host, ip); + if (host_status == HOST_OK) + log("Matching host key in %s:%d", host_file, host_line); + log("Offending key for IP in %s:%d", ip_file, ip_line); + if (options.strict_host_key_checking == 1) { + fatal("Exiting, you have requested strict checking."); + } else if (options.strict_host_key_checking == 2) { + if (!read_yes_or_no("Are you sure you want " \ + "to continue connecting (yes/no)? ", -1)) + fatal("Aborted by user!\n"); + } + } + + xfree(ip); } /* @@ -706,3 +770,18 @@ ssh_userauth(local_user, server_user, host, host_key_valid, own_host_key); } } + +void +ssh_put_password(char *password) +{ + int size; + char *padded; + + size = roundup(strlen(password) + 1, 32); + padded = xmalloc(size); + memset(padded, 0, size); + strlcpy(padded, password, size); + packet_put_string(padded, size); + memset(padded, 0, size); + xfree(padded); +} diff -ru openssh-2.3.0p1/sshconnect.h openssh-2.5.1p1/sshconnect.h --- openssh-2.3.0p1/sshconnect.h 2000-09-16 13:29:10.000000000 +1100 +++ openssh-2.5.1p1/sshconnect.h 2001-02-16 12:34:57.000000000 +1100 @@ -1,3 +1,5 @@ +/* $OpenBSD: sshconnect.h,v 1.6 2001/02/15 23:19:59 markus Exp $ */ + /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * 
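Review bot: `ssh_put_password` pads the password to a 32-byte multiple with NULs before `packet_put_string`, which hides the password length from a passive observer of the encrypted packet sizes; two things to check. First, `roundup()` is a BSD `sys/param.h` macro and portable OpenSSH builds on systems that lack it, so add a fallback definition in defines.h. Second, the wire field now carries the password plus trailing NULs, and in this patch the function is also used for the SSH2 password, TIS and keyboard-interactive responses, so every server-side consumer must treat the field as a NUL-terminated C string rather than comparing the full string length, otherwise authentication breaks against servers that compare exact lengths; a comment stating the padding purpose would also keep it from being "simplified" away later. The `memset(padded, 0, size)` before `xfree` is correct hygiene. The new IP-mismatch block after the switch correctly honours StrictHostKeyChecking (fatal on 1, prompt on 2), which the old HOST_OK-only warning did not.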
@@ -23,6 +25,34 @@ */ #ifndef SSHCONNECT_H #define SSHCONNECT_H +/* + * Opens a TCP/IP connection to the remote server on the given host. If port + * is 0, the default port will be used. If anonymous is zero, a privileged + * port will be allocated to make the connection. This requires super-user + * privileges if anonymous is false. Connection_attempts specifies the + * maximum number of tries, one per second. This returns true on success, + * and zero on failure. If the connection is successful, this calls + * packet_set_connection for the connection. + */ +int +ssh_connect(const char *host, struct sockaddr_storage * hostaddr, + u_short port, int connection_attempts, + int anonymous, uid_t original_real_uid, + const char *proxy_command); + +/* + * Starts a dialog with the server, and authenticates the current user on the + * server. This does not need any extra privileges. The basic connection to + * the server must already have been established before this is called. If + * login fails, this function prints an error and never returns. This + * initializes the random state, and leaves it initialized (it will also have + * references from the packet module). + */ + +void +ssh_login(int host_key_valid, RSA * host_key, const char *host, + struct sockaddr * hostaddr, uid_t original_real_uid); + void check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, 
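Review bot: style nit in the new prototypes: `struct sockaddr_storage * hostaddr` and `RSA * host_key` put a space after the `*`, unlike `struct sockaddr *hostaddr` and `Key *host_key` in the same header; make them consistent. The ssh_connect comment says the call "requires super-user privileges if anonymous is false" because it allocates a privileged port; since `original_real_uid` is passed in, the comment should say that privileges are dropped back to that uid afterwards (or state that they are not) so callers know what the function leaves behind.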
@@ -30,10 +60,12 @@ void ssh_kex(char *host, struct sockaddr *hostaddr); void -ssh_userauth(const char* local_user, const char* server_user, char *host, +ssh_userauth(const char * local_user, const char * server_user, char *host, int host_key_valid, RSA *own_host_key); void ssh_kex2(char *host, struct sockaddr *hostaddr); void ssh_userauth2(const char *server_user, char *host); +void ssh_put_password(char *password); + #endif diff -ru openssh-2.3.0p1/sshconnect1.c openssh-2.5.1p1/sshconnect1.c --- openssh-2.3.0p1/sshconnect1.c 2000-10-14 16:23:12.000000000 +1100 +++ openssh-2.5.1p1/sshconnect1.c 2001-02-16 12:34:57.000000000 +1100 @@ -13,29 +13,40 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect1.c,v 1.8 2000/10/12 09:59:19 markus Exp $"); +RCSID("$OpenBSD: sshconnect1.c,v 1.27 2001/02/15 23:19:59 markus Exp $"); #include -#include -#include #include +#ifdef KRB4 +#include +#endif +#ifdef AFS +#include +#include "radix.h" +#endif + +#include "ssh.h" +#include "ssh1.h" #include "xmalloc.h" #include "rsa.h" -#include "ssh.h" #include "buffer.h" #include "packet.h" #include "mpaux.h" #include "uidswap.h" +#include "log.h" #include "readconf.h" #include "key.h" #include "authfd.h" #include "sshconnect.h" #include "authfile.h" +#include "readpass.h" +#include "cipher.h" +#include "canohost.h" /* Session id for the current session. */ -unsigned char session_id[16]; -unsigned int supported_authentications = 0; +u_char session_id[16]; +u_int supported_authentications = 0; extern Options options; extern char *__progname; @@ -45,13 +56,13 @@ * authenticate using the agent. */ int -try_agent_authentication() +try_agent_authentication(void) { int type; char *comment; AuthenticationConnection *auth; - unsigned char response[16]; - unsigned int i; + u_char response[16]; + u_int i; int plen, clen; Key *key; BIGNUM *challenge; 
@@ -62,7 +73,6 @@ return 0; challenge = BN_new(); - key = key_new(KEY_RSA); /* Loop through identities served by the agent. */ for (key = ssh_get_first_identity(auth, &comment, 1); @@ -125,6 +135,7 @@ /* The server returns success if it accepted the authentication. */ if (type == SSH_SMSG_SUCCESS) { + ssh_close_authentication_connection(auth); BN_clear_free(challenge); debug("RSA authentication accepted by server."); return 1; @@ -134,6 +145,7 @@ packet_disconnect("Protocol error waiting RSA auth response: %d", type); } + ssh_close_authentication_connection(auth); BN_clear_free(challenge); debug("RSA authentication using agent refused."); return 0; @@ -146,19 +158,22 @@ void respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv) { - unsigned char buf[32], response[16]; + u_char buf[32], response[16]; MD5_CTX md; int i, len; /* Decrypt the challenge using the private key. */ - rsa_private_decrypt(challenge, challenge, prv); + /* XXX think about Bleichenbacher, too */ + if (rsa_private_decrypt(challenge, challenge, prv) <= 0) + packet_disconnect( + "respond_to_rsa_challenge: rsa_private_decrypt failed"); /* Compute the response. */ /* The response is MD5 of decrypted challenge plus session id. */ len = BN_num_bytes(challenge); if (len <= 0 || len > sizeof(buf)) - packet_disconnect("respond_to_rsa_challenge: bad challenge length %d", - len); + packet_disconnect( + "respond_to_rsa_challenge: bad challenge length %d", len); memset(buf, 0, sizeof(buf)); BN_bn2bin(challenge, buf + sizeof(buf) - len); @@ -196,7 +211,7 @@ int plen, clen; /* Try to load identification for the authentication key. */ - public = key_new(KEY_RSA); + public = key_new(KEY_RSA1); if (!load_public_key(authfile, public, &comment)) { key_free(public); /* Could not load it. Fail. */ 
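Review bot: the new return check on `rsa_private_decrypt` closes a path where a failed decrypt left `challenge` unchanged and the client hashed and answered garbage; the `XXX think about Bleichenbacher` comment is apt, because `packet_disconnect` on a padding failure versus a normal response on success makes the two outcomes distinguishable to the server that sent the challenge, so track the XXX as an open issue rather than leaving it only as a comment in shipped code. The removed `key = key_new(KEY_RSA)` was a leak (the `for` loop immediately overwrote `key`), and adding `ssh_close_authentication_connection(auth)` on both exits fixes a leaked agent socket.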
@@ -237,7 +252,7 @@ debug("Received RSA challenge from server."); - private = key_new(KEY_RSA); + private = key_new(KEY_RSA1); /* * Load the private key. Try first with empty passphrase; if it * fails, ask for a passphrase. @@ -270,6 +285,8 @@ /* Expect the server to reject it... */ packet_read_expect(&plen, SSH_SMSG_FAILURE); xfree(comment); + key_free(private); + BN_clear_free(challenge); return 0; } /* Destroy the passphrase. */ @@ -363,7 +380,7 @@ #ifdef KRB4 int -try_kerberos_authentication() +try_kerberos_authentication(void) { KTEXT_ST auth; /* Kerberos data */ char *reply; @@ -382,11 +399,11 @@ if (stat(tkt_string(), &st) < 0) return 0; - strncpy(inst, (char *) krb_get_phost(get_canonical_hostname()), INST_SZ); + strncpy(inst, (char *) krb_get_phost(get_canonical_hostname(1)), INST_SZ); - realm = (char *) krb_realmofhost(get_canonical_hostname()); + realm = (char *) krb_realmofhost(get_canonical_hostname(1)); if (!realm) { - debug("Kerberos V4: no realm for %s", get_canonical_hostname()); + debug("Kerberos V4: no realm for %s", get_canonical_hostname(1)); return 0; } /* This can really be anything. */ @@ -441,7 +458,7 @@ debug("Kerberos V4 authentication accepted."); /* Get server's response. */ - reply = packet_get_string((unsigned int *) &auth.length); + reply = packet_get_string((u_int *) &auth.length); memcpy(auth.dat, reply, auth.length); xfree(reply); @@ -480,7 +497,7 @@ #ifdef AFS int -send_kerberos_tgt() +send_kerberos_tgt(void) { CREDENTIALS *creds; char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; @@ -506,7 +523,7 @@ debug("Kerberos V4 ticket expired: %s", TKT_FILE); return 0; } - creds_to_radix(creds, (unsigned char *)buffer, sizeof buffer); + creds_to_radix(creds, (u_char *)buffer, sizeof buffer); xfree(creds); packet_start(SSH_CMSG_HAVE_KERBEROS_TGT); 
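Review bot: `get_canonical_hostname(1)` gains an undocumented argument in this hunk; since its result feeds `krb_get_phost` and `krb_realmofhost`, and so selects the Kerberos realm and service instance, add a comment at the call site saying what `1` selects and whether the result depends on DNS, so the reliance can be reviewed. The added `key_free(private)` and `BN_clear_free(challenge)` on the "expect the server to reject it" path fix a leak of the key object and the challenge bignum.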
@@ -545,10 +562,10 @@ p = buf; /* Get secret token. */ - memcpy(&creds.ticket_st.length, p, sizeof(unsigned int)); + memcpy(&creds.ticket_st.length, p, sizeof(u_int)); if (creds.ticket_st.length > MAX_KTXT_LEN) break; - p += sizeof(unsigned int); + p += sizeof(u_int); memcpy(creds.ticket_st.dat, p, creds.ticket_st.length); p += creds.ticket_st.length; @@ -574,7 +591,7 @@ creds.pinst[0] = '\0'; /* Encode token, ship it off. */ - if (creds_to_radix(&creds, (unsigned char*) buffer, sizeof buffer) <= 0) + if (creds_to_radix(&creds, (u_char *) buffer, sizeof buffer) <= 0) break; packet_start(SSH_CMSG_HAVE_AFS_TOKEN); packet_put_string(buffer, strlen(buffer)); 
@@ -599,44 +616,49 @@ * Note that the client code is not tied to s/key or TIS. */ int -try_skey_authentication() +try_challenge_reponse_authentication(void) { int type, i; int payload_len; - unsigned int clen; + u_int clen; + char prompt[1024]; char *challenge, *response; - debug("Doing skey authentication."); + debug("Doing challenge reponse authentication."); - /* request a challenge */ - packet_start(SSH_CMSG_AUTH_TIS); - packet_send(); - packet_write_wait(); - - type = packet_read(&payload_len); - if (type != SSH_SMSG_FAILURE && - type != SSH_SMSG_AUTH_TIS_CHALLENGE) { - packet_disconnect("Protocol error: got %d in response " - "to skey-auth", type); - } - if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) { - debug("No challenge for skey authentication."); - return 0; - } - challenge = packet_get_string(&clen); - packet_integrity_check(payload_len, (4 + clen), type); - if (options.cipher == SSH_CIPHER_NONE) - log("WARNING: Encryption is disabled! " - "Reponse will be transmitted in clear text."); - fprintf(stderr, "%s\n", challenge); - xfree(challenge); - fflush(stderr); for (i = 0; i < options.number_of_password_prompts; i++) { + /* request a challenge */ + packet_start(SSH_CMSG_AUTH_TIS); + packet_send(); + packet_write_wait(); + + type = packet_read(&payload_len); + if (type != SSH_SMSG_FAILURE && + type != SSH_SMSG_AUTH_TIS_CHALLENGE) { + packet_disconnect("Protocol error: got %d in response " + "to SSH_CMSG_AUTH_TIS", type); + } + if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) { + debug("No challenge."); + return 0; + } + challenge = packet_get_string(&clen); + packet_integrity_check(payload_len, (4 + clen), type); + snprintf(prompt, sizeof prompt, "%s%s", challenge, + strchr(challenge, '\n') ? "" : "\nResponse: "); + xfree(challenge); if (i != 0) error("Permission denied, please try again."); - response = read_passphrase("Response: ", 0); + if (options.cipher == SSH_CIPHER_NONE) + log("WARNING: Encryption is disabled! 
" + "Reponse will be transmitted in clear text."); + response = read_passphrase(prompt, 0); + if (strcmp(response, "") == 0) { + xfree(response); + break; + } packet_start(SSH_CMSG_AUTH_TIS_RESPONSE); - packet_put_string(response, strlen(response)); + ssh_put_password(response); memset(response, 0, strlen(response)); xfree(response); packet_send(); @@ -646,7 +668,7 @@ return 1; if (type != SSH_SMSG_FAILURE) packet_disconnect("Protocol error: got %d in response " - "to skey-auth-reponse", type); + "to SSH_CMSG_AUTH_TIS_RESPONSE", type); } /* failure */ return 0; @@ -669,7 +691,7 @@ error("Permission denied, please try again."); password = read_passphrase(prompt, 0); packet_start(SSH_CMSG_AUTH_PASSWORD); - packet_put_string(password, strlen(password)); + ssh_put_password(password); memset(password, 0, strlen(password)); xfree(password); packet_send(); @@ -698,10 +720,10 @@ Key k; int bits, rbits; int ssh_cipher_default = SSH_CIPHER_3DES; - unsigned char session_key[SSH_SESSION_KEY_LENGTH]; - unsigned char cookie[8]; - unsigned int supported_ciphers; - unsigned int server_flags, client_flags; + u_char session_key[SSH_SESSION_KEY_LENGTH]; + u_char cookie[8]; + u_int supported_ciphers; + u_int server_flags, client_flags; int payload_len, clen, sum_len = 0; u_int32_t rand = 0; @@ -760,7 +782,7 @@ packet_integrity_check(payload_len, 8 + 4 + sum_len + 0 + 4 + 0 + 0 + 4 + 4 + 4, SSH_SMSG_PUBLIC_KEY); - k.type = KEY_RSA; + k.type = KEY_RSA1; k.rsa = host_key; check_host_key(host, hostaddr, &k, options.user_hostfile, options.system_hostfile); 
@@ -833,13 +855,14 @@ RSA_free(public_key); RSA_free(host_key); - if (options.cipher == SSH_CIPHER_ILLEGAL) { + if (options.cipher == SSH_CIPHER_NOT_SET) { + if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default)) + options.cipher = ssh_cipher_default; + } else if (options.cipher == SSH_CIPHER_ILLEGAL || + !(cipher_mask_ssh1(1) & (1 << options.cipher))) { log("No valid SSH1 cipher, using %.100s instead.", cipher_name(ssh_cipher_default)); options.cipher = ssh_cipher_default; - } else if (options.cipher == SSH_CIPHER_NOT_SET) { - if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default)) - options.cipher = ssh_cipher_default; } /* Check that the selected cipher is supported. */ if (!(supported_ciphers & (1 << options.cipher))) @@ -889,8 +912,8 @@ */ void ssh_userauth( - const char* local_user, - const char* server_user, + const char *local_user, + const char *server_user, char *host, int host_key_valid, RSA *own_host_key) { @@ -994,13 +1017,14 @@ /* Try RSA authentication for each identity. */ for (i = 0; i < options.num_identity_files; i++) - if (try_rsa_authentication(options.identity_files[i])) + if (options.identity_files_type[i] == KEY_RSA1 && + try_rsa_authentication(options.identity_files[i])) return; } - /* Try skey authentication if the server supports it. */ + /* Try challenge response authentication if the server supports it. */ if ((supported_authentications & (1 << SSH_AUTH_TIS)) && - options.skey_authentication && !options.batch_mode) { - if (try_skey_authentication()) + options.challenge_reponse_authentication && !options.batch_mode) { + if (try_challenge_reponse_authentication()) return; } /* Try password authentication if the server supports it. */ 
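Review bot: when the configured cipher is SSH_CIPHER_ILLEGAL or not in `cipher_mask_ssh1(1)`, the client now only `log()`s "No valid SSH1 cipher" and switches to `ssh_cipher_default`. For a cipher the user explicitly set, that is a silent downgrade; prefer `fatal()` in that branch and reserve the fallback for the SSH_CIPHER_NOT_SET case. Also the new first branch leaves `options.cipher` as SSH_CIPHER_NOT_SET when the default is absent from `supported_ciphers`; confirm the following `if (!(supported_ciphers & (1 << options.cipher)))` rejects that sentinel value rather than shifting by it. Restricting identity files to `KEY_RSA1` before `try_rsa_authentication` is the right fix now that one identity list serves both protocols.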
@@ -1008,7 +1032,7 @@ options.password_authentication && !options.batch_mode) { char prompt[80]; - snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ", + snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ", server_user, host); if (try_password_authentication(prompt)) return; diff -ru openssh-2.3.0p1/sshconnect2.c openssh-2.5.1p1/sshconnect2.c --- openssh-2.3.0p1/sshconnect2.c 2000-10-28 14:19:58.000000000 +1100 +++ openssh-2.5.1p1/sshconnect2.c 2001-02-16 12:34:57.000000000 +1100 @@ -23,34 +23,34 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.27 2000/10/19 16:45:16 provos Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.48 2001/02/15 23:19:59 markus Exp $"); #include -#include -#include #include #include #include #include "ssh.h" +#include "ssh2.h" #include "xmalloc.h" #include "rsa.h" #include "buffer.h" #include "packet.h" #include "uidswap.h" #include "compat.h" -#include "readconf.h" #include "bufaux.h" -#include "ssh2.h" +#include "cipher.h" #include "kex.h" #include "myproposal.h" #include "key.h" -#include "dsa.h" #include "sshconnect.h" #include "authfile.h" #include "cli.h" #include "dispatch.h" #include "authfd.h" +#include "log.h" +#include "readconf.h" +#include "readpass.h" void ssh_dh1_client(Kex *, char *, struct sockaddr *, Buffer *, Buffer *); void ssh_dhgex_client(Kex *, char *, struct sockaddr *, Buffer *, Buffer *); @@ -64,7 +64,7 @@ * SSH2 key exchange */ -unsigned char *session_id2 = NULL; +u_char *session_id2 = NULL; int session_id2_len = 0; void 
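Review bot: the password prompt precision for the host grew from `%.40s` to `%.128s`, but `prompt` is still `char prompt[80]`; `snprintf` bounds the write, so this is not an overflow, but with a long hostname it is the trailing `'s password: ` that gets cut off. Enlarge `prompt` (30 + 1 + 128 + 13 + NUL fits in 256) or keep the precision in step with the buffer size.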
@@ -75,26 +75,25 @@ Buffer *client_kexinit, *server_kexinit; char *sprop[PROPOSAL_MAX]; - if (options.ciphers == NULL) { - if (options.cipher == SSH_CIPHER_3DES) { - options.ciphers = "3des-cbc"; - } else if (options.cipher == SSH_CIPHER_BLOWFISH) { - options.ciphers = "blowfish-cbc"; - } else if (options.cipher == SSH_CIPHER_DES) { - fatal("cipher DES not supported for protocol version 2"); - } + if (options.ciphers == (char *)-1) { + log("No valid ciphers for protocol version 2 given, using defaults."); + options.ciphers = NULL; } if (options.ciphers != NULL) { myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; } if (options.compression) { - myproposal[PROPOSAL_COMP_ALGS_CTOS] = "zlib"; + myproposal[PROPOSAL_COMP_ALGS_CTOS] = myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib"; } else { - myproposal[PROPOSAL_COMP_ALGS_CTOS] = "none"; + myproposal[PROPOSAL_COMP_ALGS_CTOS] = myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; } + if (options.macs != NULL) { + myproposal[PROPOSAL_MAC_ALGS_CTOS] = + myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; + } /* buffers with raw kexinit messages */ server_kexinit = xmalloc(sizeof(*server_kexinit)); 
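Review bot: `options.ciphers == (char *)-1` uses a cast integer as a sentinel for "an invalid Ciphers list was given", and the response is a `log()` followed by falling back to the built-in defaults. Invalid user configuration should fail closed: make it `fatal()`, and replace the magic pointer with a named constant or a separate flag so the intent is readable at both the readconf side and here. Setting both the CTOS and STOC compression entries and adding `options.macs` to the proposal are fine.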
@@ -150,28 +149,29 @@ /* diffie-hellman-group1-sha1 */ void -ssh_dh1_client(Kex *kex, char *host, struct sockaddr *hostaddr, +ssh_dh1_client(Kex *kex, char *host, struct sockaddr *hostaddr, Buffer *client_kexinit, Buffer *server_kexinit) { #ifdef DEBUG_KEXDH int i; #endif int plen, dlen; - unsigned int klen, kout; + u_int klen, kout; char *signature = NULL; - unsigned int slen; + u_int slen; char *server_host_key_blob = NULL; Key *server_host_key; - unsigned int sbloblen; + u_int sbloblen; DH *dh; BIGNUM *dh_server_pub = 0; BIGNUM *shared_secret = 0; - unsigned char *kbuf; - unsigned char *hash; + u_char *kbuf; + u_char *hash; debug("Sending SSH2_MSG_KEXDH_INIT."); /* generate and send 'e', client DH public key */ dh = dh_new_group1(); + dh_gen_key(dh); packet_start(SSH2_MSG_KEXDH_INIT); packet_put_bignum2(dh->pub_key); packet_send(); @@ -196,7 +196,7 @@ /* key, cert */ server_host_key_blob = packet_get_string(&sbloblen); - server_host_key = dsa_key_from_blob(server_host_key_blob, sbloblen); + server_host_key = key_from_blob(server_host_key_blob, sbloblen); if (server_host_key == NULL) fatal("cannot decode server_host_key_blob"); @@ -252,17 +252,20 @@ ); xfree(server_host_key_blob); DH_free(dh); + BN_free(dh_server_pub); #ifdef DEBUG_KEXDH fprintf(stderr, "hash == "); for (i = 0; i< 20; i++) fprintf(stderr, "%02x", (hash[i])&0xff); fprintf(stderr, "\n"); #endif - if (dsa_verify(server_host_key, (unsigned char *)signature, slen, hash, 20) != 1) - fatal("dsa_verify failed for server_host_key"); + if (key_verify(server_host_key, (u_char *)signature, slen, hash, 20) != 1) + fatal("key_verify failed for server_host_key"); key_free(server_host_key); + xfree(signature); kex_derive_keys(kex, hash, shared_secret); + BN_clear_free(shared_secret); packet_set_kex(kex); /* save session id */ @@ -282,7 +285,7 @@ int dh_estimate(int bits) { - + if (bits < 64) return (512); /* O(2**63) */ if (bits < 128) 
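Review bot: freeing `dh_server_pub` and calling `BN_clear_free(shared_secret)` after `kex_derive_keys` closes a leak of key material, good; but this hunk feeds `dh_server_pub` into the exchange hash without any visible range check that 1 < e < p-1, which a client should perform before deriving a shared secret from a server-supplied value. If that validation lives in `dh_gen_key` or where `dh_server_pub` is read, add a comment here pointing to it. `DH_free(dh)` now runs before `key_verify`, which is fine because the hash is already computed, and freeing `signature` only on the success path is fine because `fatal()` does not return.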
@@ -300,18 +303,18 @@ int i; #endif int plen, dlen; - unsigned int klen, kout; + u_int klen, kout; char *signature = NULL; - unsigned int slen, nbits; + u_int slen, nbits; char *server_host_key_blob = NULL; Key *server_host_key; - unsigned int sbloblen; + u_int sbloblen; DH *dh; BIGNUM *dh_server_pub = 0; BIGNUM *shared_secret = 0; BIGNUM *p = 0, *g = 0; - unsigned char *kbuf; - unsigned char *hash; + u_char *kbuf; + u_char *hash; nbits = dh_estimate(kex->enc[MODE_OUT].cipher->key_len * 8); @@ -337,8 +340,9 @@ if ((g = BN_new()) == NULL) fatal("BN_new"); packet_get_bignum2(g, &dlen); - if ((dh = dh_new_group(g, p)) == NULL) - fatal("dh_new_group"); + dh = dh_new_group(g, p); + + dh_gen_key(dh); #ifdef DEBUG_KEXDH fprintf(stderr, "\np= "); @@ -366,7 +370,7 @@ /* key, cert */ server_host_key_blob = packet_get_string(&sbloblen); - server_host_key = dsa_key_from_blob(server_host_key_blob, sbloblen); + server_host_key = key_from_blob(server_host_key_blob, sbloblen); if (server_host_key == NULL) fatal("cannot decode server_host_key_blob"); @@ -416,24 +420,27 @@ buffer_ptr(client_kexinit), buffer_len(client_kexinit), buffer_ptr(server_kexinit), buffer_len(server_kexinit), server_host_key_blob, sbloblen, - nbits, dh->p, dh->g, + nbits, dh->p, dh->g, dh->pub_key, dh_server_pub, shared_secret ); xfree(server_host_key_blob); DH_free(dh); + BN_free(dh_server_pub); #ifdef DEBUG_KEXDH fprintf(stderr, "hash == "); for (i = 0; i< 20; i++) fprintf(stderr, "%02x", (hash[i])&0xff); fprintf(stderr, "\n"); #endif - if (dsa_verify(server_host_key, (unsigned char *)signature, slen, hash, 20) != 1) - fatal("dsa_verify failed for server_host_key"); + if (key_verify(server_host_key, (u_char *)signature, slen, hash, 20) != 1) + fatal("key_verify failed for server_host_key"); key_free(server_host_key); + xfree(signature); kex_derive_keys(kex, hash, shared_secret); + BN_clear_free(shared_secret); packet_set_kex(kex); /* save session id */ 
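Review bot: the NULL check on `dh_new_group(g, p)` was removed; if `dh_new_group` can still fail, `dh_gen_key(dh)` dereferences NULL, so either restore `if (dh == NULL) fatal(...)` or make `dh_new_group` fatal internally and say so in a comment. More importantly, `p` and `g` here arrive straight from the server via `packet_get_bignum2`; before `dh_gen_key` the client should check that `BN_num_bits(p)` is at least the `nbits` it requested and that `g` is a plausible generator, since group exchange lets the server choose the group and a weak or undersized group defeats the point of requesting `nbits`.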
@@ -451,7 +458,7 @@ typedef int sign_cb_fn( Authctxt *authctxt, Key *key, - unsigned char **sigp, int *lenp, unsigned char *data, int datalen); + u_char **sigp, int *lenp, u_char *data, int datalen); struct Authctxt { const char *server_user; @@ -470,6 +477,7 @@ void input_userauth_success(int type, int plen, void *ctxt); void input_userauth_failure(int type, int plen, void *ctxt); +void input_userauth_banner(int type, int plen, void *ctxt); void input_userauth_error(int type, int plen, void *ctxt); void input_userauth_info_req(int type, int plen, void *ctxt); @@ -478,14 +486,14 @@ int userauth_passwd(Authctxt *authctxt); int userauth_kbdint(Authctxt *authctxt); -void authmethod_clear(); +void authmethod_clear(void); Authmethod *authmethod_get(char *authlist); Authmethod *authmethod_lookup(const char *name); Authmethod authmethods[] = { {"publickey", userauth_pubkey, - &options.dsa_authentication, + &options.pubkey_authentication, NULL}, {"password", userauth_passwd, @@ -509,6 +517,9 @@ int type; int plen; + if (options.challenge_reponse_authentication) + options.kbd_interactive_authentication = 1; + debug("send SSH2_MSG_SERVICE_REQUEST"); packet_start(SSH2_MSG_SERVICE_REQUEST); packet_put_cstring("ssh-userauth"); @@ -522,7 +533,6 @@ char *reply = packet_get_string(&plen); debug("service_accept: %s", reply); xfree(reply); - packet_done(); } else { debug("buggy server: service_accept w/o service"); } 
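Review bot: removing `packet_done()` after reading the service name from SSH2_MSG_SERVICE_ACCEPT means trailing bytes in that message are no longer rejected; if this is deliberate compatibility with servers that append data, add a comment saying so, otherwise restore it so malformed messages still disconnect. Forcing `kbd_interactive_authentication` on whenever `challenge_reponse_authentication` is set is reasonable but inherits the `reponse` typo, and renaming `dsa_authentication` to `pubkey_authentication` in the method table needs the matching ssh_config documentation update.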
@@ -546,17 +556,30 @@ dispatch_init(&input_userauth_error); dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success); dispatch_set(SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure); + dispatch_set(SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner); dispatch_run(DISPATCH_BLOCK, &authctxt.success, &authctxt); /* loop until success */ if (authctxt.agent != NULL) ssh_close_authentication_connection(authctxt.agent); - debug("ssh-userauth2 successfull: method %s", authctxt.method->name); + debug("ssh-userauth2 successful: method %s", authctxt.method->name); } void input_userauth_error(int type, int plen, void *ctxt) { - fatal("input_userauth_error: bad message during authentication"); + fatal("input_userauth_error: bad message during authentication: " + "type %d", type); +} +void +input_userauth_banner(int type, int plen, void *ctxt) +{ + char *msg, *lang; + debug3("input_userauth_banner"); + msg = packet_get_string(NULL); + lang = packet_get_string(NULL); + fprintf(stderr, "%s", msg); + xfree(msg); + xfree(lang); } void input_userauth_success(int type, int plen, void *ctxt) @@ -582,13 +605,13 @@ packet_done(); if (partial != 0) - debug("partial success"); + log("Authenticated with partial success."); debug("authentications that can continue: %s", authlist); for (;;) { method = authmethod_get(authlist); if (method == NULL) - fatal("Unable to find an authentication method"); + fatal("Permission denied (%s).", authlist); authctxt->method = method; if (method->userauth(authctxt) != 0) { debug2("we sent a %s packet, wait for reply", method->name); @@ -597,7 +620,7 @@ debug2("we did not send a packet, disable method"); method->enabled = NULL; } - } + } xfree(authlist); } 
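Review bot: `input_userauth_banner` writes the server-supplied `msg` to stderr with a bare `fprintf(stderr, "%s", msg)`; the banner arrives from a peer that has not authenticated us and that we have only just host-key-checked, so filter control characters (anything non-printable other than newline and tab) before printing, to keep terminal escape sequences out of the user's terminal. `lang` is read and discarded, which is correct since it must be consumed from the packet. Promoting "partial success" from `debug` to `log` and reporting `Permission denied (%s)` with the remaining method list are good usability fixes.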
@@ -627,7 +650,7 @@ if(attempt != 1) error("Permission denied, please try again."); - snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ", + snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ", authctxt->server_user, authctxt->host); password = read_passphrase(prompt, 0); packet_start(SSH2_MSG_USERAUTH_REQUEST); @@ -635,7 +658,7 @@ packet_put_cstring(authctxt->service); packet_put_cstring(authctxt->method->name); packet_put_char(0); - packet_put_cstring(password); + ssh_put_password(password); memset(password, 0, strlen(password)); xfree(password); packet_send(); @@ -647,19 +670,23 @@ sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback) { Buffer b; - unsigned char *blob, *signature; + u_char *blob, *signature; int bloblen, slen; int skip = 0; int ret = -1; int have_sig = 1; - dsa_make_key_blob(k, &blob, &bloblen); - + debug3("sign_and_send_pubkey"); + if (key_to_blob(k, &blob, &bloblen) == 0) { + /* we cannot handle this key */ + debug3("sign_and_send_pubkey: cannot handle key"); + return 0; + } /* data to be signed */ buffer_init(&b); if (datafellows & SSH_OLD_SESSIONID) { buffer_append(&b, session_id2, session_id2_len); - skip = session_id2_len; + skip = session_id2_len; } else { buffer_put_string(&b, session_id2, session_id2_len); skip = buffer_len(&b); @@ -667,12 +694,16 @@ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); buffer_put_cstring(&b, authctxt->server_user); buffer_put_cstring(&b, - datafellows & SSH_BUG_PUBKEYAUTH ? + datafellows & SSH_BUG_PKSERVICE ? "ssh-userauth" : authctxt->service); - buffer_put_cstring(&b, authctxt->method->name); - buffer_put_char(&b, have_sig); - buffer_put_cstring(&b, KEX_DSS); + if (datafellows & SSH_BUG_PKAUTH) { + buffer_put_char(&b, have_sig); + } else { + buffer_put_cstring(&b, authctxt->method->name); + buffer_put_char(&b, have_sig); + buffer_put_cstring(&b, key_ssh_name(k)); + } buffer_put_string(&b, blob, bloblen); /* generate signature */ 
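Review bot: the `SSH_BUG_PKAUTH` branch omits both the method name and `key_ssh_name(k)` from the signed data, so for servers carrying that flag the signature no longer binds the key type; that is the intended bug workaround, but add a comment here referencing compat.c so nobody widens the flag's scope, and make sure `SSH_BUG_PKSERVICE`/`SSH_BUG_PKAUTH` are only ever set from the server version string. The early `return 0` when `key_to_blob` fails is safe because `b` is not yet initialised at that point. Using `ssh_put_password` for the SSH2 password method sends a NUL-padded string; servers that compare the full field length will reject it, so this depends on the server side treating the value as a C string.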
@@ -682,10 +713,10 @@ buffer_free(&b); return 0; } -#ifdef DEBUG_DSS +#ifdef DEBUG_PK buffer_dump(&b); #endif - if (datafellows & SSH_BUG_PUBKEYAUTH) { + if (datafellows & SSH_BUG_PKSERVICE) { buffer_clear(&b); buffer_append(&b, session_id2, session_id2_len); buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); @@ -693,7 +724,8 @@ buffer_put_cstring(&b, authctxt->service); buffer_put_cstring(&b, authctxt->method->name); buffer_put_char(&b, have_sig); - buffer_put_cstring(&b, KEX_DSS); + if (!(datafellows & SSH_BUG_PKAUTH)) + buffer_put_cstring(&b, key_ssh_name(k)); buffer_put_string(&b, blob, bloblen); } xfree(blob); @@ -719,18 +751,20 @@ } /* sign callback */ -int dsa_sign_cb(Authctxt *authctxt, Key *key, unsigned char **sigp, int *lenp, - unsigned char *data, int datalen) +int key_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp, + u_char *data, int datalen) { - return dsa_sign(key, sigp, lenp, data, datalen); + return key_sign(key, sigp, lenp, data, datalen); } int userauth_pubkey_identity(Authctxt *authctxt, char *filename) { Key *k; - int i, ret, try_next; + int i, ret, try_next, success = 0; struct stat st; + char *passphrase; + char prompt[300]; if (stat(filename, &st) != 0) { debug("key does not exist: %s", filename); @@ -738,14 +772,14 @@ } debug("try pubkey: %s", filename); - k = key_new(KEY_DSA); + k = key_new(KEY_UNSPEC); if (!load_private_key(filename, "", k, NULL)) { - int success = 0; - char *passphrase; - char prompt[300]; + if (options.batch_mode) { + key_free(k); + return 0; + } snprintf(prompt, sizeof prompt, - "Enter passphrase for %s key '%.100s': ", - key_type(k), filename); + "Enter passphrase for key '%.100s': ", filename); for (i = 0; i < options.number_of_password_prompts; i++) { passphrase = read_passphrase(prompt, 0); if (strcmp(passphrase, "") != 0) { 
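Review bot: the batch-mode early return avoids blocking on a passphrase prompt, good, but `passphrase` is now declared at function scope while the loop that reads it is unchanged; make sure every path out of that loop clears the passphrase with `memset` before `xfree`, as only part of the loop is visible in this hunk. `key_new(KEY_UNSPEC)` with `load_private_key` deciding the type is the right generalisation, and it explains why the prompt can no longer name the key type.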
@@ -766,14 +800,14 @@ return 0; } } - ret = sign_and_send_pubkey(authctxt, k, dsa_sign_cb); + ret = sign_and_send_pubkey(authctxt, k, key_sign_cb); key_free(k); return ret; } /* sign callback */ -int agent_sign_cb(Authctxt *authctxt, Key *key, unsigned char **sigp, int *lenp, - unsigned char *data, int datalen) +int agent_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp, + u_char *data, int datalen) { return ssh_agent_sign(authctxt->agent, key, sigp, lenp, data, datalen); } @@ -782,24 +816,26 @@ userauth_pubkey_agent(Authctxt *authctxt) { static int called = 0; + int ret = 0; char *comment; Key *k; - int ret; if (called == 0) { - k = ssh_get_first_identity(authctxt->agent, &comment, 2); + if (ssh_get_num_identities(authctxt->agent, 2) == 0) + debug2("userauth_pubkey_agent: no keys at all"); called = 1; - } else { - k = ssh_get_next_identity(authctxt->agent, &comment, 2); } + k = ssh_get_next_identity(authctxt->agent, &comment, 2); if (k == NULL) { - debug2("no more DSA keys from agent"); - return 0; + debug2("userauth_pubkey_agent: no more keys"); + } else { + debug("userauth_pubkey_agent: trying agent key %s", comment); + xfree(comment); + ret = sign_and_send_pubkey(authctxt, k, agent_sign_cb); + key_free(k); } - debug("trying DSA agent key %s", comment); - xfree(comment); - ret = sign_and_send_pubkey(authctxt, k, agent_sign_cb); - key_free(k); + if (ret == 0) + debug2("userauth_pubkey_agent: no message sent"); return ret; } 
@@ -809,10 +845,17 @@ static int idx = 0; int sent = 0; - if (authctxt->agent != NULL) - sent = userauth_pubkey_agent(authctxt); - while (sent == 0 && idx < options.num_identity_files2) - sent = userauth_pubkey_identity(authctxt, options.identity_files2[idx++]); + if (authctxt->agent != NULL) { + do { + sent = userauth_pubkey_agent(authctxt); + } while(!sent && authctxt->agent->howmany > 0); + } + while (!sent && idx < options.num_identity_files) { + if (options.identity_files_type[idx] != KEY_RSA1) + sent = userauth_pubkey_identity(authctxt, + options.identity_files[idx]); + idx++; + } return sent; } @@ -843,19 +886,14 @@ } /* - * parse SSH2_MSG_USERAUTH_INFO_REQUEST, prompt user and send - * SSH2_MSG_USERAUTH_INFO_RESPONSE + * parse INFO_REQUEST, prompt user and send INFO_RESPONSE */ void input_userauth_info_req(int type, int plen, void *ctxt) { Authctxt *authctxt = ctxt; - char *name = NULL; - char *inst = NULL; - char *lang = NULL; - char *prompt = NULL; - char *response = NULL; - unsigned int num_prompts, i; + char *name, *inst, *lang, *prompt, *response; + u_int num_prompts, i; int echo = 0; debug2("input_userauth_info_req"); @@ -866,15 +904,13 @@ name = packet_get_string(NULL); inst = packet_get_string(NULL); lang = packet_get_string(NULL); - if (strlen(name) > 0) cli_mesg(name); - xfree(name); - if (strlen(inst) > 0) cli_mesg(inst); + xfree(name); xfree(inst); - xfree(lang); /* unused */ + xfree(lang); num_prompts = packet_get_int(); /* @@ -892,7 +928,7 @@ response = cli_prompt(prompt, echo); - packet_put_cstring(response); + ssh_put_password(response); memset(response, 0, strlen(response)); xfree(response); xfree(prompt); @@ -919,7 +955,7 @@ * finished processing server list to free resources. */ void -authmethod_clear() +authmethod_clear(void) { if (authlist_current != NULL) { xfree(authlist_current); 
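Review bot: `authctxt->agent->howmany` reaches into the AuthenticationConnection structure from authentication code; expose an accessor in authfd.h (`ssh_get_num_identities` already exists) rather than coupling to the field. In `input_userauth_info_req` the `strlen(name) > 0` guards were dropped, so empty `name`/`inst` now produce blank lines, and both are server-controlled text going through `cli_mesg`; filter control characters there as well. Also `ssh_put_password(response)` pads keyboard-interactive responses with NULs to a 32-byte multiple; the server hands these to backends such as PAM or S/Key, so confirm the server strips the padding or exact-length comparisons will fail.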
@@ -931,7 +967,7 @@ } if (authname_current != NULL) { xfree(authname_current); - authlist_state = NULL; + authname_current = NULL; } if (authlist_state != NULL) authlist_state = NULL; @@ -974,14 +1010,14 @@ * use a built-in default list. If the server sends a nil list after * previously sending a valid list, continue using the list originally * sent. - */ + */ Authmethod * authmethod_get(char *authlist) { char *name = NULL, *authname_old; Authmethod *method = NULL; - + /* Use a suitable default if we're passed a nil list. */ if (authlist == NULL || strlen(authlist) == 0) authlist = def_authlist; diff -ru openssh-2.3.0p1/sshd.0 openssh-2.5.1p1/sshd.0 --- openssh-2.3.0p1/sshd.0 2000-11-06 14:25:20.000000000 +1100 +++ openssh-2.5.1p1/sshd.0 2001-02-19 21:54:46.000000000 +1100 @@ -5,7 +5,7 @@ sshd - secure shell daemon SYNOPSIS - sshd [-diqQ46] [-b bits] [-f config_file] [-g login_grace_time] [-h + sshd [-diqD46] [-b bits] [-f config_file] [-g login_grace_time] [-h host_key_file] [-k key_gen_time] [-p port] [-u len] [-V client_protocol_id] @@ -65,7 +65,7 @@ Protocol version 2 provides a public key based user authentication method - (DSAAuthentication) and conventional password authentication. + (PubkeyAuthentication) and conventional password authentication. Command execution and data forwarding 
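Review bot: the one-word change in authmethod_clear from `authlist_state = NULL` to `authname_current = NULL` fixes a real double free: the old code xfree()d authname_current but nulled the wrong pointer, so a later call to authmethod_clear would xfree() the same pointer again. That deserves its own ChangeLog line rather than being folded into the CVS sync. Separately, sshd.0 is the rendered copy of sshd.8; fixes to the manual text should be made in sshd.8 and sshd.0 regenerated from it, so the wording comments that follow apply to the sshd.8 hunks later in this diff.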
@@ -109,15 +109,16 @@ -g login_grace_time Gives the grace time for clients to authenticate themselves (de- - fault 300 seconds). If the client fails to authenticate the user + fault 600 seconds). If the client fails to authenticate the user within this many seconds, the server disconnects and exits. A value of zero indicates no limit. -h host_key_file - Specifies the file from which the RSA host key is read (default + Specifies the file from which the host key is read (default /etc/ssh_host_key). This option must be given if sshd is not run as root (as the normal host file is normally not readable by any- - one but root). + one but root). It is possible to have multiple host key files + for the different protocol versions. -i Specifies that sshd is being run from inetd. sshd is normally not run from inetd because it needs to generate the server key @@ -151,7 +152,8 @@ indicates that only dotted decimal addresses should be put into the utmp file. - -Q Do not print an error message if RSA support is missing. + -D When this option is specified sshd will not detach and does not + become a daemon. This allows easy monitoring of sshd. -V client_protocol_id SSH-2 compatibility mode. When this option is specified sshd as- 
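Review bot: raising the -g default from 300 to 600 seconds doubles how long an unauthenticated client can hold a forked sshd, which interacts directly with the MaxStartups limit documented later in this file; the ChangeLog should say why it was raised, and the MaxStartups text could note that login_grace_time bounds how long each unauthenticated slot is held. The -Q flag disappears from the synopsis and option list with no migration note; unless -Q is still accepted as a no-op (not shown in this diff), inetd and rc scripts that pass it will fail at startup, so either keep it for a release or state its removal in the ChangeLog.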
@@ -176,12 +178,12 @@ Default is ``yes''. AllowGroups - This keyword can be followed by a number of group names, separat- - ed by spaces. If specified, login is allowed only for users - whose primary group matches one of the patterns. `*' and `?' can - be used as wildcards in the patterns. Only group names are - valid; a numerical group ID isn't recognized. By default login - is allowed regardless of the primary group. + This keyword can be followed by a list of group names, separated + by spaces. If specified, login is allowed only for users whose + primary group or supplementary group list matches one of the pat- + terns. `*' and `?' can be used as wildcards in the patterns. + Only group names are valid; a numerical group ID isn't recog- + nized. By default login is allowed regardless of the group list. AllowTcpForwarding Specifies whether TCP forwarding is permitted. The default is @@ -190,17 +192,23 @@ ways install their own forwarders. AllowUsers - This keyword can be followed by a number of user names, separated + This keyword can be followed by a list of user names, separated by spaces. If specified, login is allowed only for users names that match one of the patterns. `*' and `?' can be used as wild- cards in the patterns. Only user names are valid; a numerical user ID isn't recognized. By default login is allowed regardless of the user name. + Banner In some jurisdictions, sending a warning message before authenti- + cation may be relevant for getting legal protection. The con- + tents of the specified file are sent to the remote user before + authentication is allowed. This option is only available for + protocol version 2. + Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The default is ``3des- - cbc,blowfish-cbc,arcfour,cast128-cbc''. + cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc''. CheckMail Specifies whether sshd should check for new mail for interactive 
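Review bot: extending AllowGroups from "primary group" to "primary group or supplementary group list" changes who gets in under an existing configuration: a user whose primary group did not match AllowGroups but who has a matching supplementary group is now allowed, and the mirrored DenyGroups change denies users who previously passed. That is a policy change for deployed configs and should be called out prominently in the release notes, not only in the manual. Minor: the untouched AllowUsers context still reads "login is allowed only for users names that match", which should be "user names".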
@@ -208,11 +216,11 @@ DenyGroups This keyword can be followed by a number of group names, separat- - ed by spaces. Users whose primary group matches one of the pat- - terns aren't allowed to log in. `*' and `?' can be used as wild- - cards in the patterns. Only group names are valid; a numerical - group ID isn't recognized. By default login is allowed regard- - less of the primary group. + ed by spaces. Users whose primary group or supplementary group + list matches one of the patterns aren't allowed to log in. `*' + and `?' can be used as wildcards in the patterns. Only group + names are valid; a numerical group ID isn't recognized. By de- + fault login is allowed regardless of the group list. DenyUsers This keyword can be followed by a number of user names, separated 
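Review bot: DenyGroups keeps "a number of group names" while the AllowGroups hunk just above changed the same phrase to "a list of group names"; use one wording for the four Allow/Deny keywords.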
@@ -222,26 +230,23 @@ ognized. By default login is allowed regardless of the user name. - DSAAuthentication - Specifies whether DSA authentication is allowed. The default is - ``yes''. Note that this option applies to protocol version 2 on- - ly. + PubkeyAuthentication + Specifies whether public key authentication is allowed. The de- + fault is ``yes''. Note that this option applies to protocol ver- + sion 2 only. GatewayPorts Specifies whether remote hosts are allowed to connect to ports forwarded for the client. The argument must be ``yes'' or ``no''. The default is ``no''. - HostDSAKey - Specifies the file containing the private DSA host key (default - /etc/ssh_host_dsa_key) used by SSH protocol 2.0. Note that sshd - disables protocol 2.0 if this file is group/world-accessible. - HostKey - Specifies the file containing the private RSA host key (default - /etc/ssh_host_key) used by SSH protocols 1.3 and 1.5. Note that - sshd disables protocols 1.3 and 1.5 if this file is group/world- - accessible. + Specifies the file containing the private host keys (default + /etc/ssh_host_key) used by SSH protocol versions 1 and 2. Note + that sshd will refuse to use a file if it is group/world-accessi- + ble. It is possible to have multiple host key files. ``rsa1'' + keys are used for version 1 and ``dsa'' or ``rsa'' are used for + version 2 of the SSH protocol. IgnoreRhosts Specifies that .rhosts and .shosts files will not be used in au- 
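Review bot: the new HostKey text says "It is possible to have multiple host key files" but not how (repeating the HostKey keyword?), and with HostDSAKey removed there is no longer any default path for the protocol 2 host key, where the old text gave /etc/ssh_host_dsa_key; state the default(s) for the "dsa" and "rsa" keys explicitly. Also say what sshd does with a config file that still contains HostDSAKey or DSAAuthentication: if unknown keywords are fatal, every existing sshd_config with those lines stops the daemon from starting.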
@@ -316,6 +321,15 @@ and DEBUG. The default is INFO. Logging with level DEBUG vio- lates the privacy of users and is not recommended. + MACs Specifies the available MAC (message authentication code) algo- + rithms. The MAC algorithm is used in protocol version 2 for data + integrity protection. Multiple algorithms must be comma-separat- + ed. The default is + + + ``hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com, + hmac-sha1-96,hmac-md5-96'' + MaxStartups Specifies the maximum number of concurrent unauthenticated con- nections to the sshd daemon. Additional connections will be @@ -325,9 +339,9 @@ Alternatively, random early drop can be enabled by specifying the three colon separated values ``start:rate:full'' (e.g., "10:30:60"). sshd will refuse connection attempts with a proba- - billity of ``rate/100'' (30%) if there are currently ``start'' - (10) unauthenticated connections. The probabillity increases - linearly and all connection attempts are refused if the number of + bility of ``rate/100'' (30%) if there are currently ``start'' + (10) unauthenticated connections. The probability increases lin- + early and all connection attempts are refused if the number of unauthenticated connections reaches ``full'' (60). PasswordAuthentication 
@@ -342,14 +356,17 @@ PermitRootLogin Specifies whether the root can log in using ssh(1). The argument - must be ``yes'', ``without-password'' or ``no''. The default is - ``yes''. If this options is set to ``without-password'' only - password authentication is disabled for root. - - Root login with RSA authentication when the command option has - been specified will be allowed regardless of the value of this - setting (which may be useful for taking remote backups even if - root login is normally not allowed). + must be ``yes'', ``without-password'', ``forced-commands-only'' + or ``no''. The default is ``yes''. + + If this option is set to ``without-password'' password authenti- + cation is disabled for root. + + If this option is set to ``forced-commands-only'' root login with + public key authentication will be allowed, but only if the + command option has been specified (which may be useful for taking + remote backups even if root login is normally not allowed). All + other authentication methods are disabled for root. PidFile Specifies the file that contains the process identifier of the @@ -371,6 +388,13 @@ RandomSeed Obsolete. Random number generation uses other techniques. + ReverseMappingCheck + Specifies whether sshd should try to verify the remote host name + and check that the resolved host name for the remote IP address + + + maps back to the very same IP address. The default is ``no''. + RhostsAuthentication Specifies whether authentication using rhosts or /etc/hosts.equiv files is sufficient. Normally, this method should not be permit- 
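Review bot: the rewritten PermitRootLogin text drops the old guarantee that a key with a command option works "regardless of the value of this setting"; after this change `PermitRootLogin no` really blocks root even for forced-command backup keys, and such sites must switch to `forced-commands-only`. That is a behaviour change that needs a release note, and the new paragraph should say that "the command option" means the command="..." option in authorized_keys, which is only introduced later in the page.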
@@ -391,14 +415,12 @@ ServerKeyBits Defines the number of bits in the server key. The minimum value - - is 512, and the default is 768. - SkeyAuthentication - Specifies whether skey(1) authentication is allowed. The default - is ``yes''. Note that s/key authentication is enabled only if - PasswordAuthentication is allowed, too. + ChallengeResponseAuthentication + Specifies whether challenge reponse authentication is allowed. + Currently there is only support for skey(1) authentication. The + default is ``yes''. StrictModes Specifies whether sshd should check file modes and ownership of @@ -435,6 +457,8 @@ Specifies whether X11 forwarding is permitted. The default is ``no''. Note that disabling X11 forwarding does not improve secu- rity in any way, as users can always install their own for- + + warders. XAuthLocation @@ -458,7 +482,6 @@ 5. Sets up basic environment. - 6. Reads $HOME/.ssh/environment if it exists. 7. Changes to user's home directory. 
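Review bot: removing "6. Reads $HOME/.ssh/environment if it exists." from the login sequence leaves the rendered list jumping from step 5 to step 7; renumber, and record in the ChangeLog whether the file is no longer read at all or merely documented elsewhere. The ChallengeResponseAuthentication entry also silently drops the old note that s/key was enabled only if PasswordAuthentication was allowed; if that coupling still exists in the code the note should stay, and if it was removed that is another behaviour change worth a ChangeLog line.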
@@ -472,20 +495,25 @@ AUTHORIZED_KEYS FILE FORMAT The $HOME/.ssh/authorized_keys file lists the RSA keys that are permitted for RSA authentication in SSH protocols 1.3 and 1.5 Similarly, the - $HOME/.ssh/authorized_keys2 file lists the DSA keys that are permitted - for DSA authentication in SSH protocol 2.0. Each line of the file con- - tains one key (empty lines and lines starting with a `#' are ignored as - comments). Each line consists of the following fields, separated by - spaces: options, bits, exponent, modulus, comment. The options field is - optional; its presence is determined by whether the line starts with a - number or not (the option field never starts with a number). The bits, - exponent, modulus and comment fields give the RSA key; the comment field - is not used for anything (but may be convenient for the user to identify - the key). + $HOME/.ssh/authorized_keys2 file lists the DSA and RSA keys that are per- + mitted for public key authentication (PubkeyAuthentication) in SSH proto- + col 2.0. + + Each line of the file contains one key (empty lines and lines starting + with a `#' are ignored as comments). Each RSA public key consists of the + following fields, separated by spaces: options, bits, exponent, modulus, + comment. Each protocol version 2 public key consists of: options, key- + type, base64 encoded key, comment. The options fields are optional; its + presence is determined by whether the line starts with a number or not + (the option field never starts with a number). The bits, exponent, modu- + lus and comment fields give the RSA key for protocol version 1; the com- + ment field is not used for anything (but may be convenient for the user + to identify the key). For protocol version 2 the keytype is ``ssh-dss'' + or ``ssh-rsa''. Note that lines in this file are usually several hundred bytes long (be- cause of the size of the RSA key modulus). You don't want to type them - in; instead, copy the identity.pub file and edit it. 
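Review bot: the new paragraph lists both "ssh-dss" and "ssh-rsa" as protocol 2 key types, but the copying advice a few lines later names only identity.pub and id_dsa.pub; name the RSA protocol 2 public key file as well, whatever ssh-keygen writes it as, so readers do not assume RSA keys are protocol 1 only.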
+ in; instead, copy the identity.pub or the id_dsa.pub file and edit it. The options (if present) consist of comma-separated option specifica- tions. No spaces are permitted, except within double quotes. The fol- @@ -509,13 +537,14 @@ Specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) is ignored. The command is run on a pty if the connection requests - a pty; otherwise it is run without a tty. A quote may be includ- - ed in the command by quoting it with a backslash. This option - might be useful to restrict certain RSA keys to perform just a - specific operation. An example might be a key that permits re- - mote backups but nothing else. Note that the client may specify - TCP/IP and/or X11 forwarding unless they are explicitly prohibit- - ed. + a pty; otherwise it is run without a tty. Note that if you want + a 8-bit clean channel, you must not request a pty or should spec- + ify no-pty. A quote may be included in the command by quoting it + with a backslash. This option might be useful to restrict cer- + tain RSA keys to perform just a specific operation. An example + might be a key that permits remote backups but nothing else. + Note that the client may specify TCP/IP and/or X11 forwarding un- + less they are explicitly prohibited. environment="NAME=value" Specifies that the string is to be added to the environment when @@ -591,7 +620,6 @@ /etc/sshd_config Contains configuration data for sshd. This file should be writable by root only, but it is recommended (though not neces- - sary) that it be world-readable. /etc/ssh_host_key @@ -608,6 +636,10 @@ contents can be copied to known hosts files. These two files are created using ssh-keygen(1). + /etc/primes + Contains Diffie-Hellman groups used for the "Diffie-Hellman Group + Exchange". + /var/run/sshd.pid Contains the process ID of the sshd listening for connections (if there are several daemons running concurrently for different 
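Review bot: the new /etc/primes FILES entry gives no file format and no behaviour for the case where the file is missing or unreadable (does Diffie-Hellman group exchange fail, or does sshd fall back to a built-in group?); since this file now feeds key exchange, the operator needs to know both, and at least a pointer to where the format is described.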
@@ -690,6 +722,8 @@ er name practically grants the user root access. The only valid use for user names that I can think of is in negative entries. + + Note that this warning also applies to rsh/rlogin. /etc/shosts.equiv @@ -723,7 +757,6 @@ If this file does not exist, /etc/sshrc is run, and if that does not exist either, xauth is used to store the cookie. - This file should be writable only by the user, and need not be readable by anyone else. 
@@ -732,33 +765,15 @@ login-time initializations globally. This file should be writable only by root, and should be world-readable. -AUTHOR - OpenSSH is a derivative of the original (free) ssh 1.2.12 release by Tatu - Ylonen, but with bugs removed and newer features re-added. Rapidly after - the 1.2.12 release, newer versions of the original ssh bore successively - more restrictive licenses, and thus demand for a free version was born. - - This version of OpenSSH - - o has all components of a restrictive nature (i.e., patents, see - crypto(3)) directly removed from the source code; any licensed or - patented components are chosen from external libraries. - - o has been updated to support SSH protocol 1.5 and 2, making it compat- - ible with all other SSH clients and servers. - - o contains added support for kerberos(8) authentication and ticket - passing. - - o supports one-time password authentication with skey(1). - - OpenSSH has been created by Aaron Campbell, Bob Beck, Markus Friedl, - Niels Provos, Theo de Raadt, and Dug Song. - - The support for SSH protocol 2 was written by Markus Friedl. +AUTHORS + OpenSSH is a derivative of the original and free ssh 1.2.12 release by + Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo + de Raadt and Dug Song removed many bugs, re-added newer features and cre- + ated OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. SEE ALSO - scp(1), sftp-server(8), ssh(1), ssh-add(1), ssh-agent(1), ssh- - keygen(1), crypto(3), rlogin(1), rsh(1) + scp(1), sftp(1), sftp-server(8), ssh(1), ssh-add(1), ssh-agent(1), + ssh-keygen(1), rlogin(1), rsh(1) BSD Experimental September 25, 1999 12 diff -ru openssh-2.3.0p1/sshd.8 openssh-2.5.1p1/sshd.8 --- openssh-2.3.0p1/sshd.8 2000-11-06 12:39:34.000000000 +1100 +++ openssh-2.5.1p1/sshd.8 2001-02-15 14:08:28.000000000 +1100 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.70 2000/10/16 09:38:44 djm Exp $ +.\" $OpenBSD: sshd.8,v 1.94 2001/02/12 16:16:24 markus Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -43,7 +43,7 @@ .Nd secure shell daemon .Sh SYNOPSIS .Nm sshd -.Op Fl diqQ46 +.Op Fl diqD46 .Op Fl b Ar bits .Op Fl f Ar config_file .Op Fl g Ar login_grace_time @@ -144,7 +144,7 @@ (hmac-sha1 or hmac-md5). .Pp Protocol version 2 provides a public key based -user authentication method (DSAAuthentication) +user authentication method (PubkeyAuthentication) and conventional password authentication. .Pp .Ss Command execution and data forwarding @@ -197,17 +197,19 @@ refuses to start if there is no configuration file. .It Fl g Ar login_grace_time Gives the grace time for clients to authenticate themselves (default -300 seconds). +600 seconds). If the client fails to authenticate the user within this many seconds, the server disconnects and exits. A value of zero indicates no limit. .It Fl h Ar host_key_file -Specifies the file from which the RSA host key is read (default +Specifies the file from which the host key is read (default .Pa /etc/ssh_host_key ) . This option must be given if .Nm is not run as root (as the normal host file is normally not readable by anyone but root). +It is possible to have multiple host key files for +the different protocol versions. .It Fl i Specifies that .Nm @@ -254,8 +256,12 @@ should be put into the .Pa utmp file. -.It Fl Q -Do not print an error message if RSA support is missing. +.It Fl D +When this option is specified +.Nm +will not detach and does not become a daemon. +This allows easy monitoring of +.Nm sshd . .It Fl V Ar client_protocol_id SSH-2 compatibility mode. When this option is specified 
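Review bot: the -h text now ends with "It is possible to have multiple host key files for the different protocol versions", but -h as documented takes a single file; say whether -h may be given more than once on the command line, and which of -h and the HostKey keyword wins when both are present.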
@@ -292,17 +298,17 @@ Default is .Dq yes . .It Cm AllowGroups -This keyword can be followed by a number of group names, separated +This keyword can be followed by a list of group names, separated by spaces. If specified, login is allowed only for users whose primary -group matches one of the patterns. +group or supplementary group list matches one of the patterns. .Ql \&* and .Ql ? can be used as wildcards in the patterns. Only group names are valid; a numerical group ID isn't recognized. -By default login is allowed regardless of the primary group. +By default login is allowed regardless of the group list. .Pp .It Cm AllowTcpForwarding Specifies whether TCP forwarding is permitted. @@ -313,7 +319,7 @@ own forwarders. .Pp .It Cm AllowUsers -This keyword can be followed by a number of user names, separated +This keyword can be followed by a list of user names, separated by spaces. If specified, login is allowed only for users names that match one of the patterns. @@ -325,11 +331,18 @@ Only user names are valid; a numerical user ID isn't recognized. By default login is allowed regardless of the user name. .Pp +.It Cm Banner +In some jurisdictions, sending a warning message before authentication +may be relevant for getting legal protection. +The contents of the specified file are sent to the remote user before +authentication is allowed. +This option is only available for protocol version 2. +.Pp .It Cm Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The default is -.Dq 3des-cbc,blowfish-cbc,arcfour,cast128-cbc . +.Dq 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc . .It Cm CheckMail Specifies whether .Nm 
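Review bot: the Banner entry should say what happens when the option is set and a protocol 1 client connects (silently ignored, or logged?), and that the file contents are sent verbatim before authentication, i.e. to any unauthenticated peer, so the file must not contain anything sensitive. The Ciphers default gains aes128-cbc and moves cast128-cbc ahead of arcfour; that change belongs in the ChangeLog, and the entry should say whether list order is a preference order.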
@@ -339,15 +352,15 @@ .It Cm DenyGroups This keyword can be followed by a number of group names, separated by spaces. -Users whose primary group matches one of the patterns -aren't allowed to log in. +Users whose primary group or supplementary group list matches +one of the patterns aren't allowed to log in. .Ql \&* and .Ql ? can be used as wildcards in the patterns. Only group names are valid; a numerical group ID isn't recognized. -By default login is allowed regardless of the primary group. +By default login is allowed regardless of the group list. .Pp .It Cm DenyUsers This keyword can be followed by a number of user names, separated @@ -359,8 +372,8 @@ can be used as wildcards in the patterns. Only user names are valid; a numerical user ID isn't recognized. By default login is allowed regardless of the user name. -.It Cm DSAAuthentication -Specifies whether DSA authentication is allowed. +.It Cm PubkeyAuthentication +Specifies whether public key authentication is allowed. The default is .Dq yes . Note that this option applies to protocol version 2 only. @@ -373,20 +386,20 @@ .Dq no . The default is .Dq no . -.It Cm HostDSAKey -Specifies the file containing the private DSA host key (default -.Pa /etc/ssh_host_dsa_key ) -used by SSH protocol 2.0. -Note that -.Nm -disables protocol 2.0 if this file is group/world-accessible. .It Cm HostKey -Specifies the file containing the private RSA host key (default +Specifies the file containing the private host keys (default .Pa /etc/ssh_host_key ) -used by SSH protocols 1.3 and 1.5. +used by SSH protocol versions 1 and 2. Note that .Nm -disables protocols 1.3 and 1.5 if this file is group/world-accessible. +will refuse to use a file if it is group/world-accessible. +It is possible to have multiple host key files. +.Dq rsa1 +keys are used for version 1 and +.Dq dsa +or +.Dq rsa +are used for version 2 of the SSH protocol. .It Cm IgnoreRhosts Specifies that .Pa .rhosts 
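Review bot: renaming DSAAuthentication to PubkeyAuthentication in place leaves the entry between DenyUsers and GatewayPorts, so the keyword list is no longer alphabetical; move the `.It Cm PubkeyAuthentication` block down to its sorted position (after PidFile / before RandomSeed area) in both sshd.8 and the regenerated sshd.0.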
@@ -488,6 +501,17 @@ The default is INFO. Logging with level DEBUG violates the privacy of users and is not recommended. +.It Cm MACs +Specifies the available MAC (message authentication code) algorithms. +The MAC algorithm is used in protocol version 2 +for data integrity protection. +Multiple algorithms must be comma-separated. +The default is +.Pp +.Bd -literal + ``hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com, + hmac-sha1-96,hmac-md5-96'' +.Ed .It Cm MaxStartups Specifies the maximum number of concurrent unauthenticated connections to the .Nm @@ -502,14 +526,14 @@ .Dq start:rate:full (e.g., "10:30:60"). .Nm -will refuse connection attempts with a probabillity of +will refuse connection attempts with a probability of .Dq rate/100 (30%) if there are currently .Dq start (10) unauthenticated connections. -The probabillity increases linearly and all connection attempts +The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches .Dq full (60). @@ -528,21 +552,26 @@ .Xr ssh 1 . The argument must be .Dq yes , -.Dq without-password +.Dq without-password , +.Dq forced-commands-only or .Dq no . The default is .Dq yes . -If this options is set to +.Pp +If this option is set to .Dq without-password -only password authentication is disabled for root. +password authentication is disabled for root. .Pp -Root login with RSA authentication when the +If this option is set to +.Dq forced-commands-only +root login with public key authentication will be allowed, +but only if the .Ar command -option has been -specified will be allowed regardless of the value of this setting +option has been specified (which may be useful for taking remote backups even if root login is -normally not allowed). +normally not allowed). All other authentication methods are disabled +for root. .It Cm PidFile Specifies the file that contains the process identifier of the .Nm 
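Review bot: in the MACs entry the `.Pp` before `.Bd -literal` renders as two blank lines between "The default is" and the list, and splitting the comma-separated default across two indented lines means anyone copying it into sshd_config gets a line break inside the value; put the default on one line with `.Dq` as the Ciphers entry does.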
@@ -580,6 +609,14 @@ .It Cm RandomSeed Obsolete. Random number generation uses other techniques. +.It Cm ReverseMappingCheck +Specifies whether +.Nm +should try to verify the remote host name and check that +the resolved host name for the remote IP address maps back to the +very same IP address. +The default is +.Dq no . .It Cm RhostsAuthentication Specifies whether authentication using rhosts or /etc/hosts.equiv files is sufficient. @@ -603,15 +640,15 @@ .It Cm ServerKeyBits Defines the number of bits in the server key. The minimum value is 512, and the default is 768. -.It Cm SkeyAuthentication +.It Cm ChallengeResponseAuthentication Specifies whether -.Xr skey 1 +challenge reponse authentication is allowed. +Currently there is only support for +.Xr skey 1 +authentication. The default is .Dq yes . -Note that s/key authentication is enabled only if -.Cm PasswordAuthentication -is allowed, too. .It Cm StrictModes Specifies whether .Nm 
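Review bot: "challenge reponse authentication" is misspelled ("response"), and since sshd.0 is rendered from this file the typo appears in both. The ReverseMappingCheck entry describes the check but not its consequence: say whether a mismatch refuses the connection, only logs, or only affects hostname-based access controls, otherwise an operator cannot tell what enabling it buys.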
@@ -720,26 +757,37 @@ permitted for RSA authentication in SSH protocols 1.3 and 1.5 Similarly, the .Pa $HOME/.ssh/authorized_keys2 -file lists the DSA keys that are -permitted for DSA authentication in SSH protocol 2.0. +file lists the DSA and RSA keys that are +permitted for public key authentication (PubkeyAuthentication) +in SSH protocol 2.0. +.Pp Each line of the file contains one key (empty lines and lines starting with a .Ql # are ignored as comments). -Each line consists of the following fields, separated by +Each RSA public key consists of the following fields, separated by spaces: options, bits, exponent, modulus, comment. -The options field -is optional; its presence is determined by whether the line starts +Each protocol version 2 public key consists of: +options, keytype, base64 encoded key, comment. +The options fields +are optional; its presence is determined by whether the line starts with a number or not (the option field never starts with a number). -The bits, exponent, modulus and comment fields give the RSA key; the +The bits, exponent, modulus and comment fields give the RSA key for +protocol version 1; the comment field is not used for anything (but may be convenient for the user to identify the key). +For protocol version 2 the keytype is +.Dq ssh-dss +or +.Dq ssh-rsa . .Pp Note that lines in this file are usually several hundred bytes long (because of the size of the RSA key modulus). You don't want to type them in; instead, copy the .Pa identity.pub +or the +.Pa id_dsa.pub file and edit it. .Pp The options (if present) consist of comma-separated option 
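Review bot: the options-detection rule "whether the line starts with a number or not" only works for protocol 1 lines, where the first field is the bit count; a protocol 2 line starts with "ssh-dss" or "ssh-rsa", so the text as written does not say how sshd tells an options field from a keytype. State the actual rule for protocol 2 lines. Grammar: "The options fields are optional; its presence" mixes plural and singular.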
@@ -773,6 +821,9 @@ The command supplied by the user (if any) is ignored. The command is run on a pty if the connection requests a pty; otherwise it is run without a tty. +Note that if you want a 8-bit clean channel, +you must not request a pty or should specify +.Cm no-pty . A quote may be included in the command by quoting it with a backslash. This option might be useful to restrict certain RSA keys to perform just a specific operation. @@ -885,6 +936,8 @@ the user so its contents can be copied to known hosts files. These two files are created using .Xr ssh-keygen 1 . +.It Pa /etc/primes +Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". .It Pa /var/run/sshd.pid Contains the process ID of the .Nm 
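Review bot: "a 8-bit clean channel" should be "an 8-bit clean channel", and "you must not request a pty or should specify no-pty" reads awkwardly; suggest "the client must not request a pty, or the key must carry the no-pty option".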
@@ -1039,45 +1092,22 @@ machine-specific login-time initializations globally. This file should be writable only by root, and should be world-readable. .El -.Sh AUTHOR -OpenSSH -is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen, -but with bugs removed and newer features re-added. -Rapidly after the -1.2.12 release, newer versions of the original ssh bore successively -more restrictive licenses, and thus demand for a free version was born. -.Pp -This version of OpenSSH -.Bl -bullet -.It -has all components of a restrictive nature (i.e., patents, see -.Xr crypto 3 ) -directly removed from the source code; any licensed or patented components -are chosen from -external libraries. -.It -has been updated to support SSH protocol 1.5 and 2, making it compatible with -all other SSH clients and servers. -.It -contains added support for -.Xr kerberos 8 -authentication and ticket passing. -.It -supports one-time password authentication with -.Xr skey 1 . -.El -.Pp -OpenSSH has been created by Aaron Campbell, Bob Beck, Markus Friedl, -Niels Provos, Theo de Raadt, and Dug Song. -.Pp -The support for SSH protocol 2 was written by Markus Friedl. +.Sh AUTHORS +OpenSSH is a derivative of the original and free +ssh 1.2.12 release by Tatu Ylonen. +Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, +Theo de Raadt and Dug Song +removed many bugs, re-added newer features and +created OpenSSH. +Markus Friedl contributed the support for SSH +protocol versions 1.5 and 2.0. .Sh SEE ALSO .Xr scp 1 , +.Xr sftp 1 , .Xr sftp-server 8 , .Xr ssh 1 , .Xr ssh-add 1 , .Xr ssh-agent 1 , .Xr ssh-keygen 1 , -.Xr crypto 3 , .Xr rlogin 1 , .Xr rsh 1 diff -ru openssh-2.3.0p1/sshd.c openssh-2.5.1p1/sshd.c --- openssh-2.3.0p1/sshd.c 2000-10-14 16:23:13.000000000 +1100 +++ openssh-2.5.1p1/sshd.c 2001-02-19 06:13:34.000000000 +1100 
@@ -40,33 +40,36 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.132 2000/10/13 18:34:46 markus Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.167 2001/02/12 23:26:20 markus Exp $"); +#include +#include +#include + +#include "ssh.h" +#include "ssh1.h" +#include "ssh2.h" #include "xmalloc.h" #include "rsa.h" -#include "ssh.h" -#include "pty.h" +#include "sshpty.h" #include "packet.h" #include "mpaux.h" +#include "log.h" #include "servconf.h" #include "uidswap.h" #include "compat.h" #include "buffer.h" - -#include "ssh2.h" -#include -#include -#include +#include "cipher.h" #include "kex.h" -#include -#include #include "key.h" -#include "dsa.h" #include "dh.h" - -#include "auth.h" #include "myproposal.h" #include "authfile.h" +#include "pathnames.h" +#include "atomicio.h" +#include "canohost.h" +#include "auth.h" +#include "misc.h" #ifdef LIBWRAP #include @@ -79,11 +82,17 @@ #define O_NOCTTY 0 #endif +#ifdef HAVE___PROGNAME +extern char *__progname; +#else +char *__progname; +#endif + /* Server configuration options. */ ServerOptions options; /* Name of the server configuration file. */ -char *config_file_name = SERVER_CONFIG_FILE; +char *config_file_name = _PATH_SERVER_CONFIG_FILE; /* * Flag indicating whether IPv4 or IPv6. This can be set on the command line. @@ -106,12 +115,12 @@ /* Flag indicating that the daemon is being started from inetd. */ int inetd_flag = 0; +/* Flag indicating that sshd should not detach and become a daemon. */ +int no_daemon_flag = 0; + /* debug goes to stderr unless inetd_flag is set */ int log_stderr = 0; -/* argv[0] without path. */ -char *av0; - /* Saved arguments to main(). */ char **saved_argv; int saved_argc; 
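Review bot: with `av0` removed and `char *__progname` now defined here for the non-HAVE___PROGNAME case, something must assign __progname from argv[0] early in main() before any log()/fatal() call, or those messages print through a NULL pointer on platforms without a libc __progname; that assignment is not in this hunk, so please confirm it exists and precedes the first log call.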
@@ -140,37 +149,35 @@ * not very useful. Currently, memory locking is not implemented. */ struct { - RSA *private_key; /* Private part of empheral server key. */ - RSA *host_key; /* Private part of host key. */ - Key *dsa_host_key; /* Private DSA host key. */ + Key *server_key; /* empheral server key */ + Key *ssh1_host_key; /* ssh1 host key */ + Key **host_keys; /* all private host keys */ + int have_ssh1_key; + int have_ssh2_key; } sensitive_data; /* - * Flag indicating whether the current session key has been used. This flag - * is set whenever the key is used, and cleared when the key is regenerated. + * Flag indicating whether the RSA server key needs to be regenerated. + * Is set in the SIGALRM handler and cleared when the key is regenerated. */ -int key_used = 0; +int key_do_regen = 0; /* This is set to true when SIGHUP is received. */ int received_sighup = 0; -/* Public side of the server key. This value is regenerated regularly with - the private key. */ -RSA *public_key; - /* session identifier, used by RSA-auth */ -unsigned char session_id[16]; +u_char session_id[16]; /* same for ssh2 */ -unsigned char *session_id2 = NULL; +u_char *session_id2 = NULL; int session_id2_len = 0; /* record remote hostname or ip */ -unsigned int utmp_len = MAXHOSTNAMELEN; +u_int utmp_len = MAXHOSTNAMELEN; /* Prototypes for various functions defined later in this file. */ -void do_ssh1_kex(); -void do_ssh2_kex(); +void do_ssh1_kex(void); +void do_ssh2_kex(void); void ssh_dh1_server(Kex *, Buffer *_kexinit, Buffer *); void ssh_dhgex_server(Kex *, Buffer *_kexinit, Buffer *); @@ -204,12 +211,12 @@ * Restarts the server. */ void -sighup_restart() +sighup_restart(void) { log("Received SIGHUP; restarting."); close_listen_socks(); execv(saved_argv[0], saved_argv); - log("RESTART FAILED: av0='%s', error: %s.", av0, strerror(errno)); + log("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0], strerror(errno)); exit(1); } 
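Review bot: `ssh1_host_key` appears to alias one entry of `host_keys` (destroy_sensitive_data later sets it to NULL without freeing it); say so in the struct comment so nobody adds a key_free() for it and introduces a double free. The comment also carries "empheral" for "ephemeral" in both old and new versions.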
@@ -264,35 +271,25 @@ * Thus there should be no concurrency control/asynchronous execution * problems. */ -/* XXX do we really want this work to be done in a signal handler ? -m */ +void +generate_empheral_server_key(void) +{ + log("Generating %s%d bit RSA key.", sensitive_data.server_key ? "new " : "", + options.server_key_bits); + if (sensitive_data.server_key != NULL) + key_free(sensitive_data.server_key); + sensitive_data.server_key = key_generate(KEY_RSA1, options.server_key_bits); + arc4random_stir(); + log("RSA key generation complete."); +} + void key_regeneration_alarm(int sig) { int save_errno = errno; - - /* Check if we should generate a new key. */ - if (key_used) { - /* This should really be done in the background. */ - log("Generating new %d bit RSA key.", options.server_key_bits); - - if (sensitive_data.private_key != NULL) - RSA_free(sensitive_data.private_key); - sensitive_data.private_key = RSA_new(); - - if (public_key != NULL) - RSA_free(public_key); - public_key = RSA_new(); - - rsa_generate_key(sensitive_data.private_key, public_key, - options.server_key_bits); - arc4random_stir(); - key_used = 0; - log("RSA key generation complete."); - } - /* Reschedule the alarm. */ - signal(SIGALRM, key_regeneration_alarm); - alarm(options.key_regeneration_time); + signal(SIGALRM, SIG_DFL); errno = save_errno; + key_do_regen = 1; } void @@ -327,7 +324,8 @@ fatal_cleanup(); } - /* Read other side\'s version identification. */ + /* Read other side's version identification. */ + memset(buf, 0, sizeof(buf)); for (i = 0; i < sizeof(buf) - 1; i++) { if (atomicio(read, sock_in, &buf[i], 1) != 1) { log("Did not receive ident string from %s.", get_remote_ipaddr()); 
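Review bot: the name `generate_empheral_server_key` in the `@@ -264,35 +271,25 @@` hunk is misspelled and is about to be used at three call sites later in this diff; rename it to `generate_ephemeral_server_key` now while it is cheap. The substance of the hunk is right: the handler now only sets a flag and resets SIGALRM to `SIG_DFL`, which answers the removed `/* XXX do we really want this work to be done in a signal handler ? -m */` comment, but a one-line comment in the handler saying that the alarm is re-armed when the key is next handed to a child would stop the `SIG_DFL` reset from looking like a bug.

Review bot: the `memset(buf, 0, sizeof(buf));` added in the `@@ -327,7 +324,8 @@` hunk before reading the peer's version string is good; the loop already stops at `sizeof(buf) - 1`, so the buffer is now NUL-terminated even on a short read.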
@@ -422,18 +420,93 @@ } +/* Destroy the host and server keys. They will no longer be needed. */ void destroy_sensitive_data(void) { - /* Destroy the private and public keys. They will no longer be needed. */ - if (public_key) - RSA_free(public_key); - if (sensitive_data.private_key) - RSA_free(sensitive_data.private_key); - if (sensitive_data.host_key) - RSA_free(sensitive_data.host_key); - if (sensitive_data.dsa_host_key != NULL) - key_free(sensitive_data.dsa_host_key); + int i; + + if (sensitive_data.server_key) { + key_free(sensitive_data.server_key); + sensitive_data.server_key = NULL; + } + for(i = 0; i < options.num_host_key_files; i++) { + if (sensitive_data.host_keys[i]) { + key_free(sensitive_data.host_keys[i]); + sensitive_data.host_keys[i] = NULL; + } + } + sensitive_data.ssh1_host_key = NULL; +} +Key * +load_private_key_autodetect(const char *filename) +{ + struct stat st; + int type; + Key *public, *private; + + if (stat(filename, &st) < 0) { + perror(filename); + return NULL; + } + /* + * try to load the public key. 
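Review bot: `perror(filename)` in `load_private_key_autodetect` (hunk `@@ -422,18 +420,93 @@`) writes to stderr, which is detached once sshd has daemonized and is meaningless under inetd; use `error("%s: %.100s", filename, strerror(errno))` so the message reaches syslog like the rest of the file. In `destroy_sensitive_data` the per-key `key_free` plus `= NULL` is correct, and `ssh1_host_key` is only an alias into `host_keys[]`, so leaving it unfreed is right; a comment saying so would save the next reader a double-free scare.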
right now this only works for RSA1, + * since SSH2 keys are fully encrypted + */ + type = KEY_RSA1; + public = key_new(type); + if (!load_public_key(filename, public, NULL)) { + /* ok, so we will assume this is 'some' key */ + type = KEY_UNSPEC; + } + key_free(public); + + /* Ok, try key with empty passphrase */ + private = key_new(type); + if (load_private_key(filename, "", private, NULL)) { + debug("load_private_key_autodetect: type %d %s", + private->type, key_type(private)); + return private; + } + key_free(private); + return NULL; +} + +char * +list_hostkey_types(void) +{ + static char buf[1024]; + int i; + buf[0] = '\0'; + for(i = 0; i < options.num_host_key_files; i++) { + Key *key = sensitive_data.host_keys[i]; + if (key == NULL) + continue; + switch(key->type) { + case KEY_RSA: + case KEY_DSA: + strlcat(buf, key_ssh_name(key), sizeof buf); + strlcat(buf, ",", sizeof buf); + break; + } + } + i = strlen(buf); + if (i > 0 && buf[i-1] == ',') + buf[i-1] = '\0'; + debug("list_hostkey_types: %s", buf); + return buf; +} + +Key * +get_hostkey_by_type(int type) +{ + int i; + for(i = 0; i < options.num_host_key_files; i++) { + Key *key = sensitive_data.host_keys[i]; + if (key != NULL && key->type == type) + return key; + } + return NULL; } /* @@ -479,7 +552,6 @@ int opt, sock_in = 0, sock_out = 0, newsock, j, i, fdsetsz, on = 1; pid_t pid; socklen_t fromlen; - int silent = 0; fd_set *fdset; struct sockaddr_storage from; const char *remote_ip; 
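Review bot: `get_hostkey_by_type` returns the first key of a given type, so when two `-h` files (or two `HostKey` lines) of the same type are configured the second is loaded into `host_keys[]` and never used; `list_hostkey_types` also advertises that type twice. Either warn at load time or skip duplicates in the load loop. In `list_hostkey_types` the `strlcat` results are ignored; with `MAX_HOSTKEYS` entries the 1024-byte static buffer is ample, but checking the return value once costs nothing and keeps the truncation silent failure out.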
@@ -491,22 +563,20 @@ int listen_sock, maxfd; int startup_p[2]; int startups = 0; + int ret, key_used = 0; + __progname = get_progname(av[0]); init_rng(); - /* Save argv[0]. */ + /* Save argv. */ saved_argc = ac; saved_argv = av; - if (strchr(av[0], '/')) - av0 = strrchr(av[0], '/') + 1; - else - av0 = av[0]; /* Initialize configuration options to their default values. */ initialize_server_options(&options); /* Parse command-line arguments. */ - while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:u:diqQ46")) != EOF) { + while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:u:dDiqQ46")) != -1) { switch (opt) { case '4': IPv4or6 = AF_INET; @@ -528,11 +598,14 @@ exit(1); } break; + case 'D': + no_daemon_flag = 1; + break; case 'i': inetd_flag = 1; break; case 'Q': - silent = 1; + /* ignored */ break; case 'q': options.log_level = SYSLOG_LEVEL_QUIET; @@ -555,7 +628,11 @@ options.key_regeneration_time = atoi(optarg); break; case 'h': - options.host_key_file = optarg; + if (options.num_host_key_files >= MAX_HOSTKEYS) { + fprintf(stderr, "too many host keys.\n"); + exit(1); + } + options.host_key_files[options.num_host_key_files++] = optarg; break; case 'V': client_version_string = optarg; 
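Review bot: `-Q` is still in the getopt string (`"f:p:b:k:h:g:V:u:dDiqQ46"`) but now hits `/* ignored */` and is dropped from the usage text in the next hunk; either reject it with an error so old init scripts notice, or keep it documented as a deprecated no-op in sshd.8. The `MAX_HOSTKEYS` check on `-h` is good, but `fprintf(stderr, "too many host keys.\n")` should say what the limit is.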
@@ -568,18 +645,19 @@ case '?': default: fprintf(stderr, "sshd version %s\n", SSH_VERSION); - fprintf(stderr, "Usage: %s [options]\n", av0); + fprintf(stderr, "Usage: %s [options]\n", __progname); fprintf(stderr, "Options:\n"); - fprintf(stderr, " -f file Configuration file (default %s)\n", SERVER_CONFIG_FILE); + fprintf(stderr, " -f file Configuration file (default %s)\n", _PATH_SERVER_CONFIG_FILE); fprintf(stderr, " -d Debugging mode (multiple -d means more debugging)\n"); fprintf(stderr, " -i Started from inetd\n"); + fprintf(stderr, " -D Do not fork into daemon mode\n"); fprintf(stderr, " -q Quiet (no logging)\n"); fprintf(stderr, " -p port Listen on the specified port (default: 22)\n"); fprintf(stderr, " -k seconds Regenerate server key every this many seconds (default: 3600)\n"); - fprintf(stderr, " -g seconds Grace period for authentication (default: 300)\n"); + fprintf(stderr, " -g seconds Grace period for authentication (default: 600)\n"); fprintf(stderr, " -b bits Size of server RSA key (default: 768 bits)\n"); fprintf(stderr, " -h file File from which to read host key (default: %s)\n", - HOST_KEY_FILE); + _PATH_HOST_KEY_FILE); fprintf(stderr, " -u len Maximum hostname length for utmp recording\n"); fprintf(stderr, " -4 Use IPv4 only\n"); fprintf(stderr, " -6 Use IPv6 only\n"); @@ -591,10 +669,10 @@ * Force logging to stderr until we have loaded the private host * key (unless started from inetd) */ - log_init(av0, + log_init(__progname, options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level, options.log_facility == -1 ? SYSLOG_FACILITY_AUTH : options.log_facility, - !silent && !inetd_flag); + !inetd_flag); /* Read server configuration options from the configuration file. */ read_server_config(&options, config_file_name); 
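Review bot: the usage text in the `@@ -568,18 +645,19 @@` hunk changes the `-g` default from 300 to 600 and still prints only one `-h` default (`_PATH_HOST_KEY_FILE`) although several host keys are now loaded; make sure sshd.8 and the servconf defaults say the same thing, and mention that `-h` may be given more than once.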
@@ -610,43 +688,43 @@ debug("sshd version %.100s", SSH_VERSION); - sensitive_data.dsa_host_key = NULL; - sensitive_data.host_key = NULL; - - /* check if RSA support exists */ - if ((options.protocol & SSH_PROTO_1) && - rsa_alive() == 0) { - log("no RSA support in libssl and libcrypto. See ssl(8)"); - log("Disabling protocol version 1"); - options.protocol &= ~SSH_PROTO_1; - } - /* Load the RSA/DSA host key. It must have empty passphrase. */ - if (options.protocol & SSH_PROTO_1) { - Key k; - sensitive_data.host_key = RSA_new(); - k.type = KEY_RSA; - k.rsa = sensitive_data.host_key; - errno = 0; - if (!load_private_key(options.host_key_file, "", &k, NULL)) { + /* load private host keys */ + sensitive_data.host_keys = xmalloc(options.num_host_key_files*sizeof(Key*)); + for(i = 0; i < options.num_host_key_files; i++) + sensitive_data.host_keys[i] = NULL; + sensitive_data.server_key = NULL; + sensitive_data.ssh1_host_key = NULL; + sensitive_data.have_ssh1_key = 0; + sensitive_data.have_ssh2_key = 0; + + for(i = 0; i < options.num_host_key_files; i++) { + Key *key = load_private_key_autodetect(options.host_key_files[i]); + if (key == NULL) { error("Could not load host key: %.200s: %.100s", - options.host_key_file, strerror(errno)); - log("Disabling protocol version 1"); - options.protocol &= ~SSH_PROTO_1; + options.host_key_files[i], strerror(errno)); + continue; } - k.rsa = NULL; - } - if (options.protocol & SSH_PROTO_2) { - sensitive_data.dsa_host_key = key_new(KEY_DSA); - if (!load_private_key(options.host_dsa_key_file, "", sensitive_data.dsa_host_key, NULL)) { - - error("Could not load DSA host key: %.200s", options.host_dsa_key_file); - log("Disabling protocol version 2"); - options.protocol &= ~SSH_PROTO_2; + switch(key->type){ + case KEY_RSA1: + sensitive_data.ssh1_host_key = key; + sensitive_data.have_ssh1_key = 1; + break; + case KEY_RSA: + case KEY_DSA: + sensitive_data.have_ssh2_key = 1; + break; } + sensitive_data.host_keys[i] = key; + } + if 
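Review bot: the `errno = 0;` line is removed in the `@@ -610,43 +688,43 @@` hunk, yet the new `error("Could not load host key: %.200s: %.100s", options.host_key_files[i], strerror(errno))` still reports `errno`. `load_private_key_autodetect` calls `key_new`, `key_free`, `load_public_key` and `load_private_key` after its `stat()`, so by the time it returns NULL `errno` is whatever those left behind (in the wrong-passphrase case `stat()` succeeded and the value is stale). Either have `load_private_key_autodetect` log the reason itself or drop `strerror(errno)` here.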
((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { + log("Disabling protocol version 1. Could not load host key"); + options.protocol &= ~SSH_PROTO_1; } - if (! options.protocol & (SSH_PROTO_1|SSH_PROTO_2)) { - if (silent == 0) - fprintf(stderr, "sshd: no hostkeys available -- exiting.\n"); + if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) { + log("Disabling protocol version 2. Could not load host key"); + options.protocol &= ~SSH_PROTO_2; + } + if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { log("sshd: no hostkeys available -- exiting.\n"); exit(1); } @@ -664,11 +742,11 @@ * hate software patents. I dont know if this can go? Niels */ if (options.server_key_bits > - BN_num_bits(sensitive_data.host_key->n) - SSH_KEY_BITS_RESERVED && + BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) - SSH_KEY_BITS_RESERVED && options.server_key_bits < - BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED) { + BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED) { options.server_key_bits = - BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED; + BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED; debug("Forcing server key to %d bits to make it differ from host key.", options.server_key_bits); } @@ -681,14 +759,14 @@ /* Initialize the log (it is reinitialized below in case we forked). */ if (debug_flag && !inetd_flag) log_stderr = 1; - log_init(av0, options.log_level, options.log_facility, log_stderr); + log_init(__progname, options.log_level, options.log_facility, log_stderr); /* * If not in debugging mode, and not started from inetd, disconnect * from the controlling terminal, and fork. The original process * exits. */ - if (!debug_flag && !inetd_flag) { + if (!(debug_flag || inetd_flag || no_daemon_flag)) { #ifdef TIOCNOTTY int fd; #endif /* TIOCNOTTY */ 
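Review bot: the server-key-bits adjustment in the `@@ -664,11 +742,11 @@` hunk dereferences `sensitive_data.ssh1_host_key->rsa->n` three times; the guard is not in the visible context, so confirm the block sits under `if (options.protocol & SSH_PROTO_1)`, because after the new "Disabling protocol version 1" path `ssh1_host_key` is NULL. Style nit in the preceding hunk: `log("sshd: no hostkeys available -- exiting.\n")` carries a trailing newline that ends up in syslog.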
@@ -697,7 +775,7 @@ /* Disconnect from the controlling tty. */ #ifdef TIOCNOTTY - fd = open("/dev/tty", O_RDWR | O_NOCTTY); + fd = open(_PATH_TTY, O_RDWR | O_NOCTTY); if (fd >= 0) { (void) ioctl(fd, TIOCNOTTY, NULL); close(fd); @@ -705,10 +783,7 @@ #endif /* TIOCNOTTY */ } /* Reinitialize the log (because of the fork above). */ - log_init(av0, options.log_level, options.log_facility, log_stderr); - - /* Do not display messages to stdout in RSA code. */ - rsa_set_verbose(0); + log_init(__progname, options.log_level, options.log_facility, log_stderr); /* Initialize the random number generator. */ arc4random_stir(); @@ -731,16 +806,8 @@ * ttyfd happens to be one of those. */ debug("inetd sockets after dupping: %d, %d", sock_in, sock_out); - - if (options.protocol & SSH_PROTO_1) { - public_key = RSA_new(); - sensitive_data.private_key = RSA_new(); - log("Generating %d bit RSA key.", options.server_key_bits); - rsa_generate_key(sensitive_data.private_key, public_key, - options.server_key_bits); - arc4random_stir(); - log("RSA key generation complete."); - } + if (options.protocol & SSH_PROTO_1) + generate_empheral_server_key(); } else { for (ai = options.listen_addrs; ai; ai = ai->ai_next) { if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) @@ -782,10 +849,10 @@ debug("Bind to port %s on %s.", strport, ntop); /* Bind the socket to the desired port. */ - if ((bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) && - (!ai->ai_next)) { - error("Bind to port %s on %s failed: %.200s.", - strport, ntop, strerror(errno)); + if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { + if (!ai->ai_next) + error("Bind to port %s on %s failed: %.200s.", + strport, ntop, strerror(errno)); close(listen_sock); continue; } 
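Review bot: the bind rewrite in the `@@ -782,10 +849,10 @@` hunk fixes a real bug (the old code fell through to `listen()` on an unbound socket when `bind()` failed and another address followed), but a failure on a non-last address is now swallowed silently. Log it at `debug()` or `verbose` level at least, otherwise an address-in-use on the IPv4 socket is invisible as long as the IPv6 bind succeeds.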
@@ -805,32 +872,20 @@ if (!debug_flag) { /* - * Record our pid in /etc/sshd_pid to make it easier - * to kill the correct sshd. We don\'t want to do - * this before the bind above because the bind will + * Record our pid in /var/run/sshd.pid to make it + * easier to kill the correct sshd. We don't want to + * do this before the bind above because the bind will * fail if there already is a daemon, and this will * overwrite any old pid in the file. */ f = fopen(options.pid_file, "wb"); if (f) { - fprintf(f, "%u\n", (unsigned int) getpid()); + fprintf(f, "%u\n", (u_int) getpid()); fclose(f); } } - if (options.protocol & SSH_PROTO_1) { - public_key = RSA_new(); - sensitive_data.private_key = RSA_new(); - - log("Generating %d bit RSA key.", options.server_key_bits); - rsa_generate_key(sensitive_data.private_key, public_key, - options.server_key_bits); - arc4random_stir(); - log("RSA key generation complete."); - - /* Schedule server key regeneration alarm. */ - signal(SIGALRM, key_regeneration_alarm); - alarm(options.key_regeneration_time); - } + if (options.protocol & SSH_PROTO_1) + generate_empheral_server_key(); /* Arrange to restart on SIGHUP. The handler needs listen_sock. */ signal(SIGHUP, sighup_handler); @@ -861,7 +916,7 @@ sighup_restart(); if (fdset != NULL) xfree(fdset); - fdsetsz = howmany(maxfd, NFDBITS) * sizeof(fd_mask); + fdsetsz = howmany(maxfd+1, NFDBITS) * sizeof(fd_mask); fdset = (fd_set *)xmalloc(fdsetsz); memset(fdset, 0, fdsetsz); 
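Review bot: `howmany(maxfd+1, NFDBITS)` in the `@@ -861,7 +916,7 @@` hunk fixes an off-by-one that left the highest descriptor outside the allocated `fd_set`; worth a line in the ChangeLog. In the pid-file hunk the comment now hardcodes `/var/run/sshd.pid` while the code writes `options.pid_file`; refer to the `PidFile` option instead so the comment does not go stale again.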
@@ -872,18 +927,24 @@ FD_SET(startup_pipes[i], fdset); /* Wait in select until there is a connection. */ - if (select(maxfd + 1, fdset, NULL, NULL, NULL) < 0) { - if (errno != EINTR) - error("select: %.100s", strerror(errno)); - continue; + ret = select(maxfd+1, fdset, NULL, NULL, NULL); + if (ret < 0 && errno != EINTR) + error("select: %.100s", strerror(errno)); + if (key_used && key_do_regen) { + generate_empheral_server_key(); + key_used = 0; + key_do_regen = 0; } + if (ret < 0) + continue; + for (i = 0; i < options.max_startups; i++) if (startup_pipes[i] != -1 && FD_ISSET(startup_pipes[i], fdset)) { /* * the read end of the pipe is ready * if the child has closed the pipe - * after successfull authentication + * after successful authentication * or if the child has died */ close(startup_pipes[i]); @@ -923,7 +984,7 @@ startups++; break; } - + /* * Got connection. Fork a child to handle it, unless * we are in debugging mode. @@ -962,7 +1023,7 @@ close_listen_socks(); sock_in = newsock; sock_out = newsock; - log_init(av0, options.log_level, options.log_facility, log_stderr); + log_init(__progname, options.log_level, options.log_facility, log_stderr); break; } } @@ -976,7 +1037,13 @@ close(startup_p[1]); /* Mark that the key has been used (it was "given" to the child). */ - key_used = 1; + if ((options.protocol & SSH_PROTO_1) && + key_used == 0) { + /* Schedule server key regeneration alarm. */ + signal(SIGALRM, key_regeneration_alarm); + alarm(options.key_regeneration_time); + key_used = 1; + } arc4random_stir(); @@ -1014,6 +1081,12 @@ linger.l_linger = 5; setsockopt(sock_in, SOL_SOCKET, SO_LINGER, (void *) &linger, sizeof(linger)); + /* Set keepalives if requested. */ + if (options.keepalives && + setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, (void *)&on, + sizeof(on)) < 0) + error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); + /* * Register our connection. This turns encryption off because we do * not have a key. 
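Review bot: the regeneration sequencing in the `@@ -872,18 +927,24 @@` and `@@ -976,7 +1037,13 @@` hunks is sound (the alarm is armed only when the key is first handed to a child, the handler sets a flag, the key is regenerated in the loop, and `key_used` is reset so the next fork re-arms it), but nothing says so; add a short comment at `if (key_used && key_do_regen)` describing that cycle, since the `SIG_DFL` reset in the handler only makes sense together with the re-arm here. The new `SO_KEEPALIVE` setsockopt reuses `on`, which is initialised to 1 at the top of `main()`, so that is fine.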
@@ -1029,7 +1102,7 @@ { struct request_info req; - request_init(&req, RQ_DAEMON, av0, RQ_FILE, sock_in, NULL); + request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, NULL); fromhost(&req); if (!hosts_access(&req)) { @@ -1057,16 +1130,17 @@ sshd_exchange_identification(sock_in, sock_out); /* - * Check that the connection comes from a privileged port. Rhosts- - * and Rhosts-RSA-Authentication only make sense from priviledged + * Check that the connection comes from a privileged port. + * Rhosts-Authentication only makes sense from priviledged * programs. Of course, if the intruder has root access on his local * machine, he can connect from any port. So do not use these * authentication methods from machines that you do not trust. */ if (remote_port >= IPPORT_RESERVED || remote_port < IPPORT_RESERVED / 2) { + debug("Rhosts Authentication disabled, " + "originating port not trusted."); options.rhosts_authentication = 0; - options.rhosts_rsa_authentication = 0; } #ifdef KRB4 if (!packet_connection_is_ipv4() && @@ -1075,6 +1149,13 @@ options.kerberos_authentication = 0; } #endif /* KRB4 */ +#ifdef AFS + /* If machine has AFS, set process authentication group. */ + if (k_hasafs()) { + k_setpag(); + k_unlog(); + } +#endif /* AFS */ packet_set_nonblocking(); @@ -1109,14 +1190,15 @@ * SSH1 key exchange */ void -do_ssh1_kex() +do_ssh1_kex(void) { int i, len; int plen, slen; + int rsafail = 0; BIGNUM *session_key_int; - unsigned char session_key[SSH_SESSION_KEY_LENGTH]; - unsigned char cookie[8]; - unsigned int cipher_type, auth_mask, protocol_flags; + u_char session_key[SSH_SESSION_KEY_LENGTH]; + u_char cookie[8]; + u_int cipher_type, auth_mask, protocol_flags; u_int32_t rand = 0; /* 
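Review bot: the `@@ -1057,16 +1130,17 @@` hunk removes `options.rhosts_rsa_authentication = 0;` for connections from non-privileged ports, so RhostsRSA is now accepted from any source port. That is defensible because the client host key signature, not the port, authenticates the client host, but the rewritten comment does not say why, and sshd.8 readers who relied on the old behaviour will not notice; put the rationale in the comment and the change in the ChangeLog. The `+` line also keeps the "priviledged" typo.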
@@ -1145,14 +1227,14 @@ packet_put_char(cookie[i]); /* Store our public server RSA key. */ - packet_put_int(BN_num_bits(public_key->n)); - packet_put_bignum(public_key->e); - packet_put_bignum(public_key->n); + packet_put_int(BN_num_bits(sensitive_data.server_key->rsa->n)); + packet_put_bignum(sensitive_data.server_key->rsa->e); + packet_put_bignum(sensitive_data.server_key->rsa->n); /* Store our public host RSA key. */ - packet_put_int(BN_num_bits(sensitive_data.host_key->n)); - packet_put_bignum(sensitive_data.host_key->e); - packet_put_bignum(sensitive_data.host_key->n); + packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n)); + packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e); + packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n); /* Put protocol flags. */ packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN); @@ -1178,10 +1260,8 @@ if (options.afs_token_passing) auth_mask |= 1 << SSH_PASS_AFS_TOKEN; #endif -#ifdef SKEY - if (options.skey_authentication == 1) + if (options.challenge_reponse_authentication == 1) auth_mask |= 1 << SSH_AUTH_TIS; -#endif if (options.password_authentication) auth_mask |= 1 << SSH_AUTH_PASSWORD; packet_put_int(auth_mask); @@ -1190,8 +1270,9 @@ packet_send(); packet_write_wait(); - debug("Sent %d bit public key and %d bit host key.", - BN_num_bits(public_key->n), BN_num_bits(sensitive_data.host_key->n)); + debug("Sent %d bit server key and %d bit host key.", + BN_num_bits(sensitive_data.server_key->rsa->n), + BN_num_bits(sensitive_data.ssh1_host_key->rsa->n)); /* Read clients reply (cipher type and session key). */ packet_read_expect(&plen, SSH_CMSG_SESSION_KEY); 
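Review bot: `options.challenge_reponse_authentication` in the `@@ -1178,10 +1260,8 @@` hunk misspells "response"; if the servconf.h field is spelled the same way, fix both now before the name spreads to more files. Dropping the `#ifdef SKEY` around the `SSH_AUTH_TIS` bit is right, since the option no longer depends on a compile-time S/Key.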
@@ -1223,39 +1304,43 @@ * Decrypt it using our private server key and private host key (key * with larger modulus first). */ - if (BN_cmp(sensitive_data.private_key->n, sensitive_data.host_key->n) > 0) { - /* Private key has bigger modulus. */ - if (BN_num_bits(sensitive_data.private_key->n) < - BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED) { - fatal("do_connection: %s: private_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d", - get_remote_ipaddr(), - BN_num_bits(sensitive_data.private_key->n), - BN_num_bits(sensitive_data.host_key->n), - SSH_KEY_BITS_RESERVED); - } - rsa_private_decrypt(session_key_int, session_key_int, - sensitive_data.private_key); - rsa_private_decrypt(session_key_int, session_key_int, - sensitive_data.host_key); + if (BN_cmp(sensitive_data.server_key->rsa->n, sensitive_data.ssh1_host_key->rsa->n) > 0) { + /* Server key has bigger modulus. */ + if (BN_num_bits(sensitive_data.server_key->rsa->n) < + BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED) { + fatal("do_connection: %s: server_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d", + get_remote_ipaddr(), + BN_num_bits(sensitive_data.server_key->rsa->n), + BN_num_bits(sensitive_data.ssh1_host_key->rsa->n), + SSH_KEY_BITS_RESERVED); + } + if (rsa_private_decrypt(session_key_int, session_key_int, + sensitive_data.server_key->rsa) <= 0) + rsafail++; + if (rsa_private_decrypt(session_key_int, session_key_int, + sensitive_data.ssh1_host_key->rsa) <= 0) + rsafail++; } else { /* Host key has bigger modulus (or they are equal). 
*/ - if (BN_num_bits(sensitive_data.host_key->n) < - BN_num_bits(sensitive_data.private_key->n) + SSH_KEY_BITS_RESERVED) { - fatal("do_connection: %s: host_key %d < private_key %d + SSH_KEY_BITS_RESERVED %d", - get_remote_ipaddr(), - BN_num_bits(sensitive_data.host_key->n), - BN_num_bits(sensitive_data.private_key->n), - SSH_KEY_BITS_RESERVED); - } - rsa_private_decrypt(session_key_int, session_key_int, - sensitive_data.host_key); - rsa_private_decrypt(session_key_int, session_key_int, - sensitive_data.private_key); + if (BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) < + BN_num_bits(sensitive_data.server_key->rsa->n) + SSH_KEY_BITS_RESERVED) { + fatal("do_connection: %s: host_key %d < server_key %d + SSH_KEY_BITS_RESERVED %d", + get_remote_ipaddr(), + BN_num_bits(sensitive_data.ssh1_host_key->rsa->n), + BN_num_bits(sensitive_data.server_key->rsa->n), + SSH_KEY_BITS_RESERVED); + } + if (rsa_private_decrypt(session_key_int, session_key_int, + sensitive_data.ssh1_host_key->rsa) < 0) + rsafail++; + if (rsa_private_decrypt(session_key_int, session_key_int, + sensitive_data.server_key->rsa) < 0) + rsafail++; } compute_session_id(session_id, cookie, - sensitive_data.host_key->n, - sensitive_data.private_key->n); + sensitive_data.ssh1_host_key->rsa->n, + sensitive_data.server_key->rsa->n); /* Destroy the private and public keys. They will no longer be needed. */ destroy_sensitive_data(); 
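Review bot: the two decrypt branches in the `@@ -1223,39 +1304,43 @@` hunk disagree on what counts as failure: the server-key-first branch uses `if (rsa_private_decrypt(...) <= 0) rsafail++;` while the host-key-first branch uses `< 0`. Pick one (presumably `<= 0`, a zero-length result is not a usable session key) so the fake-key fallback below behaves the same regardless of which modulus is larger.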
@@ -1265,15 +1350,29 @@ * least significant 256 bits of the integer; the first byte of the * key is in the highest bits. */ - BN_mask_bits(session_key_int, sizeof(session_key) * 8); - len = BN_num_bytes(session_key_int); - if (len < 0 || len > sizeof(session_key)) - fatal("do_connection: bad len from %s: session_key_int %d > sizeof(session_key) %d", - get_remote_ipaddr(), - len, (int) sizeof(session_key)); - memset(session_key, 0, sizeof(session_key)); - BN_bn2bin(session_key_int, session_key + sizeof(session_key) - len); - + if (!rsafail) { + BN_mask_bits(session_key_int, sizeof(session_key) * 8); + len = BN_num_bytes(session_key_int); + if (len < 0 || len > sizeof(session_key)) { + error("do_connection: bad session key len from %s: " + "session_key_int %d > sizeof(session_key) %lu", + get_remote_ipaddr(), len, (u_long)sizeof(session_key)); + rsafail++; + } else { + memset(session_key, 0, sizeof(session_key)); + BN_bn2bin(session_key_int, + session_key + sizeof(session_key) - len); + } + } + if (rsafail) { + log("do_connection: generating a fake encryption key"); + for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) { + if (i % 4 == 0) + rand = arc4random(); + session_key[i] = rand & 0xff; + rand >>= 8; + } + } /* Destroy the decrypted integer. It is no longer needed. */ BN_clear_free(session_key_int); @@ -1299,7 +1398,7 @@ * SSH2 key exchange: diffie-hellman-group1-sha1 */ void -do_ssh2_kex() +do_ssh2_kex(void) { Buffer *server_kexinit; Buffer *client_kexinit; @@ -1314,6 +1413,12 @@ myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; } + if (options.macs != NULL) { + myproposal[PROPOSAL_MAC_ALGS_CTOS] = + myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; + } + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); + server_kexinit = kex_init(myproposal); client_kexinit = xmalloc(sizeof(*client_kexinit)); buffer_init(client_kexinit); 
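Review bot: continuing with a random session key on `rsafail` instead of calling `fatal()` is the right shape, since the client can no longer tell a decryption failure from a wrong guess by whether the server hangs up; two small things in the `@@ -1265,15 +1350,29 @@` hunk. The messages still use the stale prefix `do_connection:` inside `do_ssh1_kex` (`fatal("do_connection: ...")` in the previous hunk and `log("do_connection: generating a fake encryption key")` here), and the fake-key `log()` should include `get_remote_ipaddr()` like the `error()` above it so operators can correlate it with the peer.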
@@ -1370,17 +1475,26 @@ #endif int payload_len, dlen; int slen; - unsigned char *signature = NULL; - unsigned char *server_host_key_blob = NULL; - unsigned int sbloblen; - unsigned int klen, kout; - unsigned char *kbuf; - unsigned char *hash; + u_char *signature = NULL; + u_char *server_host_key_blob = NULL; + u_int sbloblen; + u_int klen, kout; + u_char *kbuf; + u_char *hash; BIGNUM *shared_secret = 0; DH *dh; BIGNUM *dh_client_pub = 0; + Key *hostkey; + + hostkey = get_hostkey_by_type(kex->hostkey_type); + if (hostkey == NULL) + fatal("Unsupported hostkey type %d", kex->hostkey_type); /* KEXDH */ + /* generate DH key */ + dh = dh_new_group1(); /* XXX depends on 'kex' */ + dh_gen_key(dh); + debug("Wait SSH2_MSG_KEXDH_INIT."); packet_read_expect(&payload_len, SSH2_MSG_KEXDH_INIT); @@ -1397,9 +1511,6 @@ debug("bits %d", BN_num_bits(dh_client_pub)); #endif - /* generate DH key */ - dh = dh_new_group1(); /* XXX depends on 'kex' */ - #ifdef DEBUG_KEXDH fprintf(stderr, "\np= "); BN_print_fp(stderr, dh->p); @@ -1408,7 +1519,7 @@ fprintf(stderr, "\npub= "); BN_print_fp(stderr, dh->pub_key); fprintf(stderr, "\n"); - DHparams_print_fp(stderr, dh); + DHparams_print_fp(stderr, dh); #endif if (!dh_pub_is_valid(dh, dh_client_pub)) packet_disconnect("bad client public DH value"); @@ -1431,8 +1542,7 @@ xfree(kbuf); /* XXX precompute? */ - dsa_make_key_blob(sensitive_data.dsa_host_key, - &server_host_key_blob, &sbloblen); + key_to_blob(hostkey, &server_host_key_blob, &sbloblen); /* calc H */ /* XXX depends on 'kex' */ hash = kex_hash( @@ -1449,6 +1559,7 @@ buffer_free(server_kexinit); xfree(client_kexinit); xfree(server_kexinit); + BN_free(dh_client_pub); #ifdef DEBUG_KEXDH fprintf(stderr, "hash == "); for (i = 0; i< 20; i++) @@ -1463,7 +1574,7 @@ /* sign H */ /* XXX hashlen depends on KEX */ - dsa_sign(sensitive_data.dsa_host_key, &signature, &slen, hash, 20); + key_sign(hostkey, &signature, &slen, hash, 20); destroy_sensitive_data(); 
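Review bot: the `hostkey = get_hostkey_by_type(kex->hostkey_type); if (hostkey == NULL) fatal(...)` block in the `@@ -1370,17 +1475,26 @@` hunk is duplicated verbatim in `ssh_dhgex_server` in the next hunk; factor it into one helper next to `get_hostkey_by_type`. Moving `dh_gen_key(dh)` ahead of the wait for `SSH2_MSG_KEXDH_INIT` is fine, and `BN_free(dh_client_pub)` after the hash is computed closes a leak.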
@@ -1478,6 +1589,7 @@ packet_write_wait(); kex_derive_keys(kex, hash, shared_secret); + BN_clear_free(shared_secret); packet_set_kex(kex); /* have keys, free DH */ @@ -1494,15 +1606,20 @@ #endif int payload_len, dlen; int slen, nbits; - unsigned char *signature = NULL; - unsigned char *server_host_key_blob = NULL; - unsigned int sbloblen; - unsigned int klen, kout; - unsigned char *kbuf; - unsigned char *hash; + u_char *signature = NULL; + u_char *server_host_key_blob = NULL; + u_int sbloblen; + u_int klen, kout; + u_char *kbuf; + u_char *hash; BIGNUM *shared_secret = 0; DH *dh; BIGNUM *dh_client_pub = 0; + Key *hostkey; + + hostkey = get_hostkey_by_type(kex->hostkey_type); + if (hostkey == NULL) + fatal("Unsupported hostkey type %d", kex->hostkey_type); /* KEXDHGEX */ debug("Wait SSH2_MSG_KEX_DH_GEX_REQUEST."); @@ -1517,6 +1634,10 @@ packet_send(); packet_write_wait(); + /* Compute our exchange value in parallel with the client */ + + dh_gen_key(dh); + debug("Wait SSH2_MSG_KEX_DH_GEX_INIT."); packet_read_expect(&payload_len, SSH2_MSG_KEX_DH_GEX_INIT); @@ -1541,7 +1662,7 @@ fprintf(stderr, "\npub= "); BN_print_fp(stderr, dh->pub_key); fprintf(stderr, "\n"); - DHparams_print_fp(stderr, dh); + DHparams_print_fp(stderr, dh); #endif if (!dh_pub_is_valid(dh, dh_client_pub)) packet_disconnect("bad client public DH value"); @@ -1564,8 +1685,7 @@ xfree(kbuf); /* XXX precompute? */ - dsa_make_key_blob(sensitive_data.dsa_host_key, - &server_host_key_blob, &sbloblen); + key_to_blob(hostkey, &server_host_key_blob, &sbloblen); /* calc H */ /* XXX depends on 'kex' */ hash = kex_hash_gex( @@ -1583,6 +1703,7 @@ buffer_free(server_kexinit); xfree(client_kexinit); xfree(server_kexinit); + BN_free(dh_client_pub); #ifdef DEBUG_KEXDH fprintf(stderr, "hash == "); for (i = 0; i< 20; i++) 
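Review bot: the added `BN_clear_free(shared_secret)` after `kex_derive_keys` is good; the hunk context also shows `xfree(kbuf)`, where `kbuf` holds the raw shared secret bytes, but whether it is `memset` before the free is outside the visible lines, so please confirm, or clear it here next to the `BN_clear_free`. `BN_free(dh_client_pub)` rather than `BN_clear_free` is fine since it is the client's public value.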
@@ -1597,7 +1718,7 @@ /* sign H */ /* XXX hashlen depends on KEX */ - dsa_sign(sensitive_data.dsa_host_key, &signature, &slen, hash, 20); + key_sign(hostkey, &signature, &slen, hash, 20); destroy_sensitive_data(); @@ -1612,9 +1733,9 @@ packet_write_wait(); kex_derive_keys(kex, hash, shared_secret); + BN_clear_free(shared_secret); packet_set_kex(kex); /* have keys, free DH */ DH_free(dh); } - diff -ru openssh-2.3.0p1/sshd_config openssh-2.5.1p1/sshd_config --- openssh-2.3.0p1/sshd_config 2000-10-14 16:23:13.000000000 +1100 +++ openssh-2.5.1p1/sshd_config 2001-02-11 10:26:35.000000000 +1100 @@ -1,10 +1,15 @@ -# This is ssh server systemwide configuration file. +# $OpenBSD: sshd_config,v 1.32 2001/02/06 22:07:50 deraadt Exp $ + +# This is the sshd server system-wide configuration file. See sshd(8) +# for more information. Port 22 #Protocol 2,1 -ListenAddress 0.0.0.0 +#ListenAddress 0.0.0.0 #ListenAddress :: HostKey /etc/ssh_host_key +HostKey /etc/ssh_host_dsa_key +#HostKey /etc/ssh_host_rsa_key ServerKeyBits 768 LoginGraceTime 600 KeyRegenerationInterval 3600 @@ -35,9 +40,9 @@ # To disable tunneled clear text passwords, change to no here! PasswordAuthentication yes PermitEmptyPasswords no + # Uncomment to disable s/key passwords -#SkeyAuthentication no -#KbdInteractiveAuthentication yes +#ChallengeResponseAuthentication no # To change Kerberos options #KerberosAuthentication no 
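Review bot: in the sshd_config `@@ -35,9 +40,9 @@` hunk the comment `# Uncomment to disable s/key passwords` now sits above `#ChallengeResponseAuthentication no`, so it describes the old option; reword it to "challenge-response (e.g. S/Key) passwords". In the first hunk `HostKey /etc/ssh_host_dsa_key` is enabled while `#HostKey /etc/ssh_host_rsa_key` stays commented; since `list_hostkey_types` in this diff only advertises key types that were actually loaded, ssh-rsa will not be offered by default unless that line is uncommented, which should be stated in the release notes.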
@@ -48,9 +53,11 @@ # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes -CheckMail no +#CheckMail yes #UseLogin no -# Uncomment if you want to enable sftp -#Subsystem sftp /usr/libexec/sftp-server #MaxStartups 10:30:60 +#Banner /etc/issue.net +#ReverseMappingCheck yes + +Subsystem sftp /usr/libexec/sftp-server Only in openssh-2.5.1p1: sshlogin.c Only in openssh-2.5.1p1: sshlogin.h Only in openssh-2.5.1p1: sshpty.c Only in openssh-2.5.1p1: sshpty.h diff -ru openssh-2.3.0p1/tildexpand.c openssh-2.5.1p1/tildexpand.c --- openssh-2.3.0p1/tildexpand.c 2000-09-16 13:29:11.000000000 +1100 +++ openssh-2.5.1p1/tildexpand.c 2001-02-09 13:11:25.000000000 +1100 @@ -11,10 +11,11 @@ */ #include "includes.h" -RCSID("$OpenBSD: tildexpand.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $"); +RCSID("$OpenBSD: tildexpand.c,v 1.11 2001/02/08 19:30:53 itojun Exp $"); #include "xmalloc.h" -#include "ssh.h" +#include "log.h" +#include "tildexpand.h" /* * Expands tildes in the file name. Returns data allocated by xmalloc. @@ -24,7 +25,7 @@ tilde_expand_filename(const char *filename, uid_t my_uid) { const char *cp; - unsigned int userlen; + u_int userlen; char *expanded; struct passwd *pw; char user[100]; Only in openssh-2.5.1p1: tildexpand.h diff -ru openssh-2.3.0p1/ttymodes.c openssh-2.5.1p1/ttymodes.c --- openssh-2.3.0p1/ttymodes.c 2000-09-16 13:29:11.000000000 +1100 +++ openssh-2.5.1p1/ttymodes.c 2001-01-22 16:34:44.000000000 +1100 @@ -15,10 +15,11 @@ */ #include "includes.h" -RCSID("$OpenBSD: ttymodes.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $"); +RCSID("$OpenBSD: ttymodes.c,v 1.10 2001/01/21 19:06:01 markus Exp $"); #include "packet.h" -#include "ssh.h" +#include "log.h" +#include "ssh1.h" #define TTY_OP_END 0 #define TTY_OP_ISPEED 192 /* int follows */ diff -ru openssh-2.3.0p1/uidswap.c openssh-2.5.1p1/uidswap.c --- openssh-2.3.0p1/uidswap.c 2000-09-16 13:29:11.000000000 +1100 +++ openssh-2.5.1p1/uidswap.c 2001-01-22 16:34:44.000000000 +1100 
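Review bot: the sshd_config `@@ -48,9 +53,11 @@` hunk turns `Subsystem sftp /usr/libexec/sftp-server` on by default (it was previously commented out with "Uncomment if you want to enable sftp"), and flips the shown `CheckMail` default from `no` to `#CheckMail yes`; both are behaviour changes for anyone who installs the new default file, so call them out in the ChangeLog and sshd.8.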
@@ -12,13 +12,10 @@ */ #include "includes.h" -RCSID("$OpenBSD: uidswap.c,v 1.9 2000/09/07 20:27:55 deraadt Exp $"); +RCSID("$OpenBSD: uidswap.c,v 1.13 2001/01/21 19:06:01 markus Exp $"); -#include "ssh.h" +#include "log.h" #include "uidswap.h" -#ifdef WITH_IRIX_AUDIT -#include -#endif /* WITH_IRIX_AUDIT */ /* * Note: all these functions must work in all of the following cases: @@ -33,10 +30,8 @@ /* Lets assume that posix saved ids also work with seteuid, even though that is not part of the posix specification. */ #define SAVED_IDS_WORK_WITH_SETEUID - /* Saved effective uid. */ static uid_t saved_euid = 0; - #endif /* _POSIX_SAVED_IDS */ /* @@ -53,7 +48,7 @@ /* Set the effective uid to the given (unprivileged) uid. */ if (seteuid(uid) == -1) debug("seteuid %u: %.100s", (u_int) uid, strerror(errno)); -#else /* SAVED_IDS_WORK_WITH_SETUID */ +#else /* SAVED_IDS_WORK_WITH_SETEUID */ /* Propagate the privileged uid to all of our uids. */ if (setuid(geteuid()) < 0) debug("setuid %u: %.100s", (u_int) geteuid(), strerror(errno)); @@ -68,7 +63,7 @@ * Restores to the original uid. */ void -restore_uid() +restore_uid(void) { #ifdef SAVED_IDS_WORK_WITH_SETEUID /* Set the effective uid back to the saved uid. */ @@ -91,14 +86,6 @@ void permanently_set_uid(uid_t uid) { -#ifdef WITH_IRIX_AUDIT - if (sysconf(_SC_AUDIT)) { - debug("Setting sat id to %d", (int) uid); - if (satsetid(uid)) - debug("error setting satid: %.100s", strerror(errno)); - } -#endif /* WITH_IRIX_AUDIT */ - if (setuid(uid) < 0) debug("setuid %u: %.100s", (u_int) uid, strerror(errno)); } diff -ru openssh-2.3.0p1/uidswap.h openssh-2.5.1p1/uidswap.h --- openssh-2.3.0p1/uidswap.h 2000-09-16 13:29:11.000000000 +1100 +++ openssh-2.5.1p1/uidswap.h 2001-01-29 18:39:26.000000000 +1100 @@ -1,3 +1,5 @@ +/* $OpenBSD: uidswap.h,v 1.6 2001/01/29 01:58:19 niklas Exp $ */ + /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
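Review bot: in `permanently_set_uid` (context of the `@@ -91,14 +86,6 @@` hunk) `if (setuid(uid) < 0) debug(...)` means a failed permanent privilege drop is logged only at debug level and execution continues with the old uid; this should be `fatal()`. The same hunk removes the `WITH_IRIX_AUDIT` / `satsetid()` handling without a replacement in this file; confirm it moved elsewhere in the portable tree or note the removal in the ChangeLog.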
@@ -23,7 +25,7 @@ * Restores the original effective user id after temporarily_use_uid(). * This should only be called while temporarily_use_uid is effective. */ -void restore_uid(); +void restore_uid(void); /* * Permanently sets all uids to the given uid. This cannot be called while Only in openssh-2.3.0p1: util.c diff -ru openssh-2.3.0p1/uuencode.c openssh-2.5.1p1/uuencode.c --- openssh-2.3.0p1/uuencode.c 2000-09-16 13:29:11.000000000 +1100 +++ openssh-2.5.1p1/uuencode.c 2001-02-11 11:05:05.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: uuencode.c,v 1.7 2000/09/07 20:27:55 deraadt Exp $ */ +/* $OpenBSD: uuencode.c,v 1.10 2001/02/08 19:30:53 itojun Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -26,18 +26,19 @@ #include "includes.h" #include "xmalloc.h" +#include "uuencode.h" -RCSID("$OpenBSD: uuencode.c,v 1.7 2000/09/07 20:27:55 deraadt Exp $"); +RCSID("$OpenBSD: uuencode.c,v 1.10 2001/02/08 19:30:53 itojun Exp $"); int -uuencode(unsigned char *src, unsigned int srclength, +uuencode(u_char *src, u_int srclength, char *target, size_t targsize) { return __b64_ntop(src, srclength, target, targsize); } int -uudecode(const char *src, unsigned char *target, size_t targsize) +uudecode(const char *src, u_char *target, size_t targsize) { int len; char *encoded, *p; @@ -57,10 +58,11 @@ } void -dump_base64(FILE *fp, unsigned char *data, int len) +dump_base64(FILE *fp, u_char *data, int len) { - unsigned char *buf = xmalloc(2*len); + u_char *buf = xmalloc(2*len); int i, n; + n = uuencode(data, len, buf, 2*len); for (i = 0; i < n; i++) { fprintf(fp, "%c", buf[i]); diff -ru openssh-2.3.0p1/uuencode.h openssh-2.5.1p1/uuencode.h --- openssh-2.3.0p1/uuencode.h 2000-09-16 13:29:11.000000000 +1100 +++ openssh-2.5.1p1/uuencode.h 2001-01-29 18:39:26.000000000 +1100 @@ -1,3 +1,5 @@ +/* $OpenBSD: uuencode.h,v 1.5 2001/01/29 01:58:19 niklas Exp $ */ + /* * Copyright (c) 1999 Markus Friedl. All rights reserved. * 
@@ -24,7 +26,7 @@ #ifndef UUENCODE_H #define UUENCODE_H -int uuencode(unsigned char *src, unsigned int srclength, char *target, size_t targsize); -int uudecode(const char *src, unsigned char *target, size_t targsize); -void dump_base64(FILE *fp, unsigned char *data, int len); +int uuencode(u_char *src, u_int srclength, char *target, size_t targsize); +int uudecode(const char *src, u_char *target, size_t targsize); +void dump_base64(FILE *fp, u_char *data, int len); #endif diff -ru openssh-2.3.0p1/version.h openssh-2.5.1p1/version.h --- openssh-2.3.0p1/version.h 2000-11-06 12:39:34.000000000 +1100 +++ openssh-2.5.1p1/version.h 2001-02-19 21:51:08.000000000 +1100 @@ -1,3 +1,3 @@ -/* $OpenBSD: version.h,v 1.13 2000/10/16 09:38:45 djm Exp $ */ - -#define SSH_VERSION "OpenSSH_2.3.0p1" +/* $OpenBSD: version.h,v 1.19 2001/02/19 10:35:23 markus Exp $ */ + +#define SSH_VERSION "OpenSSH_2.5.1p1" diff -ru openssh-2.3.0p1/xmalloc.c openssh-2.5.1p1/xmalloc.c --- openssh-2.3.0p1/xmalloc.c 2000-09-16 13:29:11.000000000 +1100 +++ openssh-2.5.1p1/xmalloc.c 2001-02-11 10:34:54.000000000 +1100 @@ -4,7 +4,7 @@ * All rights reserved * Versions of malloc and friends that check their results, and never return * failure (they call fatal if they encounter an error). - * + * * As far as I am concerned, the code I have written for this software * can be used freely for any purpose. Any derived versions of this * software must be clearly marked as such, and if the derived work is 
@@ -13,16 +13,21 @@ */ #include "includes.h" -RCSID("$OpenBSD: xmalloc.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $"); +RCSID("$OpenBSD: xmalloc.c,v 1.14 2001/02/07 18:04:50 itojun Exp $"); -#include "ssh.h" +#include "xmalloc.h" +#include "log.h" void * xmalloc(size_t size) { - void *ptr = malloc(size); + void *ptr; + + if (size == 0) + fatal("xmalloc: zero size"); + ptr = malloc(size); if (ptr == NULL) - fatal("xmalloc: out of memory (allocating %d bytes)", (int) size); + fatal("xmalloc: out of memory (allocating %lu bytes)", (u_long) size); return ptr; } @@ -31,11 +36,13 @@ { void *new_ptr; + if (new_size == 0) + fatal("xrealloc: zero size"); if (ptr == NULL) fatal("xrealloc: NULL pointer given as argument"); new_ptr = realloc(ptr, new_size); if (new_ptr == NULL) - fatal("xrealloc: out of memory (new_size %d bytes)", (int) new_size); + fatal("xrealloc: out of memory (new_size %lu bytes)", (u_long) new_size); return new_ptr; } @@ -50,9 +57,12 @@ char * xstrdup(const char *str) { - int len = strlen(str) + 1; + size_t len = strlen(str) + 1; + char *cp; - char *cp = xmalloc(len); + if (len == 0) + fatal("xstrdup: zero size"); + cp = xmalloc(len); strlcpy(cp, str, len); return cp; }
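Review bot: in the sshd_config hunk (@@ -48,9 +53,11 @@) the active `CheckMail no` line is removed and only a commented `#CheckMail yes` remains, so a server installed from this template reverts to sshd's compiled-in default instead of keeping mail checking off; if the shipped default is meant to change, say so in the ChangeLog, otherwise keep the active line. The same hunk also turns `Subsystem sftp /usr/libexec/sftp-server` from a commented-out opt-in into an unconditional setting, which makes sftp-server reachable by every authenticated user out of the box; that is a deliberate policy change and should be called out, and the hardcoded path needs to match where the portable build actually installs sftp-server on each platform.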
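Review bot: the `unsigned int` to `u_int` rename of `userlen` in the tildexpand.c hunk (@@ -24,7 +25,7 @@) is cosmetic, but the context lines still show the fixed-size `char user[100]` buffer that the user name is copied into and the hunk does not show the bounds check; please confirm `userlen` is still compared against `sizeof(user)` before the copy, since a type rename around a fixed buffer is exactly where a width or sign assumption tends to shift unnoticed.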
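Review bot: in the uidswap.c permanently_set_uid hunk (@@ -91,14 +86,6 @@) a failed `setuid(uid)` is still only reported with `debug()` and the function returns as if privileges had been dropped; a permanent privilege drop is a security boundary, so `if (setuid(uid) < 0)` should call `fatal()` rather than `debug()`, and the same holds for the `seteuid(uid) == -1` path in temporarily_use_uid in the @@ -53,7 +48,7 @@ hunk. Separately, this hunk deletes the whole `WITH_IRIX_AUDIT` block including the `satsetid(uid)` call with no replacement in this file, so on IRIX with audit enabled the audit ID is no longer set when sshd drops to the user; if that logic moved elsewhere in the portable tree (for example into the session code), reference it, otherwise it is a silent loss of functionality that belongs in the ChangeLog. The `SAVED_IDS_WORK_WITH_SETUID` to `SAVED_IDS_WORK_WITH_SETEUID` comment correction and the `restore_uid(void)` prototype fix are fine.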
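Review bot: in the uuencode.c dump_base64 hunk (@@ -57,10 +58,11 @@) the `xmalloc(2*len)` sizing and the unchecked `uuencode()` return are still wrong: base64 output needs 4*ceil(len/3) characters plus a terminating NUL, so 2*len is too small for len of 1, 2 or 4, and because `n = uuencode(data, len, buf, 2*len);` is never tested, the -1 that __b64_ntop returns for an undersized target makes the loop print nothing at all. With the new zero-size check in xmalloc.c, len == 0 now aborts outright instead of printing an empty line. Suggest `u_int len` to match uuencode's own parameter type, a buffer of `4 * ((len + 2) / 3) + 1` bytes, and a `fatal()` when n < 0. Also note that `buf` is a `u_char *` while uuencode's target parameter is `char *`, a signedness mismatch the compiler will warn about.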
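Review bot: the new `if (size == 0) fatal("xmalloc: zero size");` in xmalloc and the matching `new_size == 0` check in xrealloc (xmalloc.c hunks @@ -13,16 +13,21 @@ and @@ -31,11 +36,13 @@) are a behaviour change for any caller that legitimately asks for zero bytes, for example dump_base64 with len == 0 elsewhere in this diff; given that malloc(0) is implementation-defined the hardening is right, but it should be stated in the ChangeLog and the callers audited rather than found as a runtime fatal(). In the xstrdup hunk (@@ -50,9 +57,12 @@) the added `if (len == 0)` test is unreachable: `len` is `strlen(str) + 1`, which is at least 1 absent a size_t wrap, and xmalloc already performs the zero check, so drop it. The switch to `%lu` with a `(u_long)` cast is a correct fix for the previous `(int)` truncation of size_t in the fatal messages.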