diff -ru openssh-2.5.1p2/ChangeLog openssh-2.5.2p1/ChangeLog
--- openssh-2.5.1p2/ChangeLog 2001-03-01 11:09:42.000000000 +1100
+++ openssh-2.5.2p1/ChangeLog 2001-03-20 09:30:50.000000000 +1100
@@ -1,3 +1,469 @@ +20010320 + - (bal) glob.c update to added GLOB_LIMITS (OpenBSD CVS). + - (bal) glob.c update to set gl_pathv to NULL (OpenBSD CVS). + - (bal) Oops. Missed globc.h change (OpenBSD CVS). + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/19 17:07:23 + [auth.c readconf.c] + undo /etc/shell and proto 2,1 change for openssh-2.5.2 + - markus@cvs.openbsd.org 2001/03/19 17:12:10 + [version.h] + version 2.5.2 + - (djm) Update RPM spec version + - (djm) Release 2.5.2p1 + +20010319 + - (djm) Seed PRNG at startup, rather than waiting for arc4random calls to + do it implicitly. + - (djm) Add getusershell() functions from OpenBSD CVS + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/18 12:07:52 + [auth-options.c] + ignore permitopen="host:port" if AllowTcpForwarding==no + - (djm) Make scp work on systems without 64-bit ints + - tim@mindrot.org 2001/03/18 18:28:39 [defines.h] + move HAVE_LONG_LONG_INT where it works + - (bal) Use 'NGROUPS' for NeXT Since 'MAX_NGROUPS' is wrapped up in -lposix + stuff. Change suggested by Mark Miller + - (bal) Small fix to scp. %lu vs %ld + - (bal) NeXTStep lacks S_ISLNK. Plus split up S_IS* + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2001/03/19 03:52:51 + [sftp-client.c] + Report ssh connection closing correctly; ok deraadt@ + - deraadt@cvs.openbsd.org 2001/03/18 23:30:55 + [compat.c compat.h sshd.c] + specifically version match on ssh scanners. do not log scan + information to the console + - djm@cvs.openbsd.org 2001/03/19 12:10:17 + [sshd.8] + Document permitopen authorized_keys option; ok markus@ + - djm@cvs.openbsd.org 2001/03/19 05:49:52 + [ssh.1] + document PreferredAuthentications option; ok markus@ + - (bal) Minor NeXT fixed. Forgot to #undef NGROUPS_MAX + +20010318 + - (bal) Fixed scp type casing issue which causes "scp: protocol error: + size not delimited" fatal errors when tranfering. 
+ - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/17 17:27:59 + [auth.c] + check /etc/shells, too + - tim@mindrot.org 2001/03/17 18:45:25 [compat.c] + openbsd-compat/fake-regex.h + +20010317 + - Support usrinfo() on AIX. Based on patch from Gert Doering + + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/15 15:05:59 + [scp.c] + use %lld in printf, ok millert@/deraadt@; report from ssh@client.fi + - markus@cvs.openbsd.org 2001/03/15 22:07:08 + [session.c] + pass Session to do_child + KNF + - djm@cvs.openbsd.org 2001/03/16 08:16:18 + [sftp-client.c sftp-client.h sftp-glob.c sftp-int.c] + Revise globbing for get/put to be more shell-like. In particular, + "get/put file* directory/" now works. ok markus@ + - markus@cvs.openbsd.org 2001/03/16 09:55:53 + [sftp-int.c] + fix memset and whitespace + - markus@cvs.openbsd.org 2001/03/16 13:44:24 + [sftp-int.c] + discourage strcat/strcpy + - markus@cvs.openbsd.org 2001/03/16 19:06:30 + [auth-options.c channels.c channels.h serverloop.c session.c] + implement "permitopen" key option, restricts -L style forwarding to + to specified host:port pairs. based on work by harlan@genua.de + - Check for gl_matchc support in glob_t and fall back to the + openbsd-compat/glob.[ch] support if it does not exist. + +20010315 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/14 08:57:14 + [sftp-client.c] + Wall + - markus@cvs.openbsd.org 2001/03/14 15:15:58 + [sftp-int.c] + add version command + - deraadt@cvs.openbsd.org 2001/03/14 22:50:25 + [sftp-server.c] + note no getopt() + - (stevesk) ssh-keyscan.c: specify "openbsd-compat/fake-queue.h" + - (bal) Cygwin README change by Corinna Vinschen + +20010314 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/13 17:34:42 + [auth-options.c] + missing xfree, deny key on parse error; ok stevesk@ + - djm@cvs.openbsd.org 2001/03/13 22:42:54 + [sftp-client.c sftp-client.h sftp-glob.c sftp-glob.h sftp-int.c] + sftp client filename globbing for get, put, ch{mod,grp,own}. 
ok markus@ + - (bal) Fix strerror() in bsd-misc.c + - (djm) Add replacement glob() from OpenBSD libc if the system glob is + missing or lacks the GLOB_ALTDIRFUNC extension + - (djm) Remove -I$(srcdir)/openbsd-compat from CFLAGS, refer to headers + relatively. Avoids conflict between glob.h and /usr/include/glob.h + +20010313 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/12 22:02:02 + [key.c key.h ssh-add.c ssh-keygen.c sshconnect.c sshconnect2.c] + remove old key_fingerprint interface, s/_ex// + +20010312 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/11 13:25:36 + [auth2.c key.c] + debug + - jakob@cvs.openbsd.org 2001/03/11 15:03:16 + [key.c key.h] + add improved fingerprint functions. based on work by Carsten + Raskgaard and modified by me. ok markus@. + - jakob@cvs.openbsd.org 2001/03/11 15:04:16 + [ssh-keygen.1 ssh-keygen.c] + print both md5, sha1 and bubblebabble fingerprints when using + ssh-keygen -l -v. ok markus@. + - jakob@cvs.openbsd.org 2001/03/11 15:13:09 + [key.c] + cleanup & shorten some var names key_fingerprint_bubblebabble. + - deraadt@cvs.openbsd.org 2001/03/11 16:39:03 + [ssh-keygen.c] + KNF, and SHA1 binary output is just creeping featurism + - tim@mindrot.org 2001/03/11 17:29:32 [configure.in] + test if snprintf() supports %ll + add /dev to search path for PRNGD/EGD socket + fix my mistake in USER_PATH test program + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/11 18:29:51 + [key.c] + style+cleanup + - markus@cvs.openbsd.org 2001/03/11 22:33:24 + [ssh-keygen.1 ssh-keygen.c] + remove -v again. use -B instead for bubblebabble. make -B consistent + with -l and make -B work with /path/to/known_hosts. ok deraadt@ + - (djm) Bump portable version number for generating test RPMs + - (djm) Add "static_openssl" RPM build option, remove rsh build dependency + - (bal) Reorder includes in Makefile. 
+ +20010311 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/10 12:48:27 + [sshconnect2.c] + ignore nonexisting private keys; report rjmooney@mediaone.net + - deraadt@cvs.openbsd.org 2001/03/10 12:53:51 + [readconf.c ssh_config] + default to SSH2, now that m68k runs fast + - stevesk@cvs.openbsd.org 2001/03/10 15:02:05 + [ttymodes.c ttymodes.h] + remove unused sgtty macros; ok markus@ + - deraadt@cvs.openbsd.org 2001/03/10 15:31:00 + [compat.c compat.h sshconnect.c] + all known netscreen ssh versions, and older versions of OSU ssh cannot + handle password padding (newer OSU is fixed) + - tim@mindrot.org 2001/03/10 16:33:42 [configure.in Makefile.in sshd_config] + make sure $bindir is in USER_PATH so scp will work + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/10 17:51:04 + [kex.c match.c match.h readconf.c readconf.h sshconnect2.c] + add PreferredAuthentications + +20010310 + - OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2001/03/09 03:14:39 + [ssh-keygen.c] + create *.pub files with umask 0644, so that you can mv them to + authorized_keys + - deraadt@cvs.openbsd.org 2001/03/09 12:30:29 + [sshd.c] + typo; slade@shore.net + - Removed log.o from sftp client. Not needed. + +20010309 + - OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2001/03/08 18:47:12 + [auth1.c] + unused; ok markus@ + - stevesk@cvs.openbsd.org 2001/03/08 20:44:48 + [sftp.1] + spelling, cleanup; ok deraadt@ + - markus@cvs.openbsd.org 2001/03/08 21:42:33 + [compat.c compat.h readconf.h ssh.c sshconnect1.c sshconnect2.c] + implement client side of SSH2_MSG_USERAUTH_PK_OK (test public key -> + no need to do enter passphrase or do expensive sign operations if the + server does not accept key). + +20010308 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2001/03/07 10:11:23 + [sftp-client.c sftp-client.h sftp-int.c sftp-server.c sftp.1 sftp.c sftp.h] + Support for new draft (draft-ietf-secsh-filexfer-01). New symlink handling + functions and small protocol change. 
+ - markus@cvs.openbsd.org 2001/03/08 00:15:48 + [readconf.c ssh.1] + turn off useprivilegedports by default. only rhost-auth needs + this. older sshd's may need this, too. + - (stevesk) Reliant Unix (SNI) needs HAVE_BOGUS_SYS_QUEUE_H; + Dirk Markwardt + +20010307 + - (bal) OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2001/03/06 06:11:18 + [ssh-keyscan.c] + appease gcc + - deraadt@cvs.openbsd.org 2001/03/06 06:11:44 + [sftp-int.c sftp.1 sftp.c] + sftp -b batchfile; mouring@etoh.eviladmin.org + - deraadt@cvs.openbsd.org 2001/03/06 15:10:42 + [sftp.1] + order things + - deraadt@cvs.openbsd.org 2001/03/07 01:19:06 + [ssh.1 sshd.8] + the name "secure shell" is boring, noone ever uses it + - deraadt@cvs.openbsd.org 2001/03/07 04:05:58 + [ssh.1] + removed dated comment + - Cygwin contrib improvements from Corinna Vinschen + +20010306 + - (bal) OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2001/03/05 14:28:47 + [sshd.8] + alpha order; jcs@rt.fm + - stevesk@cvs.openbsd.org 2001/03/05 15:44:51 + [servconf.c] + sync error message; ok markus@ + - deraadt@cvs.openbsd.org 2001/03/05 15:56:16 + [myproposal.h ssh.1] + switch to aes128-cbc/hmac-md5 by default in SSH2 -- faster; + provos & markus ok + - deraadt@cvs.openbsd.org 2001/03/05 16:07:15 + [sshd.8] + detail default hmac setup too + - markus@cvs.openbsd.org 2001/03/05 17:17:21 + [kex.c kex.h sshconnect2.c sshd.c] + generate a 2*need size (~300 instead of 1024/2048) random private + exponent during the DH key agreement. according to Niels (the great + german advisor) this is safe since /etc/primes contains strong + primes only. + + References: + P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key + agreement with short exponents, In Advances in Cryptology + - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343. 
+ - stevesk@cvs.openbsd.org 2001/03/05 17:40:48 + [ssh.1] + more ssh_known_hosts2 documentation; ok markus@ + - stevesk@cvs.openbsd.org 2001/03/05 17:58:22 + [dh.c] + spelling + - deraadt@cvs.openbsd.org 2001/03/06 00:33:04 + [authfd.c cli.c ssh-agent.c] + EINTR/EAGAIN handling is required in more cases + - millert@cvs.openbsd.org 2001/03/06 01:06:03 + [ssh-keyscan.c] + Don't assume we wil get the version string all in one read(). + deraadt@ OK'd + - millert@cvs.openbsd.org 2001/03/06 01:08:27 + [clientloop.c] + If read() fails with EINTR deal with it the same way we treat EAGAIN + +20010305 + - (bal) CVS ID touch up on sshpty.[ch] and sshlogin.[ch] + - (bal) CVS ID touch up on sftp-int.c + - (bal) CVS ID touch up on uuencode.c + - (bal) CVS ID touch up on auth2.c, serverloop.c, session.c & sshd.c + - (bal) OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2001/02/17 23:48:48 + [sshd.8] + it's the OpenSSH one + - deraadt@cvs.openbsd.org 2001/02/21 07:37:04 + [ssh-keyscan.c] + inline -> __inline__, and some indent + - deraadt@cvs.openbsd.org 2001/02/21 09:05:54 + [authfile.c] + improve fd handling + - deraadt@cvs.openbsd.org 2001/02/21 09:12:56 + [sftp-server.c] + careful with & and &&; markus ok + - stevesk@cvs.openbsd.org 2001/02/21 21:14:04 + [ssh.c] + -i supports DSA identities now; ok markus@ + - deraadt@cvs.openbsd.org 2001/02/22 04:29:37 + [servconf.c] + grammar; slade@shore.net + - deraadt@cvs.openbsd.org 2001/02/22 06:43:55 + [ssh-keygen.1 ssh-keygen.c] + document -d, and -t defaults to rsa1 + - deraadt@cvs.openbsd.org 2001/02/22 08:03:51 + [ssh-keygen.1 ssh-keygen.c] + bye bye -d + - deraadt@cvs.openbsd.org 2001/02/22 18:09:06 + [sshd_config] + activate RSA 2 key + - markus@cvs.openbsd.org 2001/02/22 21:57:27 + [ssh.1 sshd.8] + typos/grammar from matt@anzen.com + - markus@cvs.openbsd.org 2001/02/22 21:59:44 + [auth.c auth.h auth1.c auth2.c misc.c misc.h ssh.c] + use pwcopy in ssh.c, too + - markus@cvs.openbsd.org 2001/02/23 15:34:53 + [serverloop.c] + debug2->3 
+ - markus@cvs.openbsd.org 2001/02/23 18:15:13 + [sshd.c] + the random session key depends now on the session_key_int + sent by the 'attacker' + dig1 = md5(cookie|session_key_int); + dig2 = md5(dig1|cookie|session_key_int); + fake_session_key = dig1|dig2; + this change is caused by a mail from anakin@pobox.com + patch based on discussions with my german advisor niels@openbsd.org + - deraadt@cvs.openbsd.org 2001/02/24 10:37:55 + [readconf.c] + look for id_rsa by default, before id_dsa + - deraadt@cvs.openbsd.org 2001/02/24 10:37:26 + [sshd_config] + ssh2 rsa key before dsa key + - markus@cvs.openbsd.org 2001/02/27 10:35:27 + [packet.c] + fix random padding + - markus@cvs.openbsd.org 2001/02/27 11:00:11 + [compat.c] + support SSH-2.0-2.1 ; from Christophe_Moret@hp.com + - deraadt@cvs.openbsd.org 2001/02/28 05:34:28 + [misc.c] + pull in protos + - deraadt@cvs.openbsd.org 2001/02/28 05:36:28 + [sftp.c] + do not kill the subprocess on termination (we will see if this helps + things or hurts things) + - markus@cvs.openbsd.org 2001/02/28 08:45:39 + [clientloop.c] + fix byte counts for ssh protocol v1 + - markus@cvs.openbsd.org 2001/02/28 08:54:55 + [channels.c nchan.c nchan.h] + make sure remote stderr does not get truncated. + remove closed fd's from the select mask. + - markus@cvs.openbsd.org 2001/02/28 09:57:07 + [packet.c packet.h sshconnect2.c] + in ssh protocol v2 use ignore messages for padding (instead of + trailing \0). + - markus@cvs.openbsd.org 2001/02/28 12:55:07 + [channels.c] + unify debug messages + - deraadt@cvs.openbsd.org 2001/02/28 17:52:54 + [misc.c] + for completeness, copy pw_gecos too + - markus@cvs.openbsd.org 2001/02/28 21:21:41 + [sshd.c] + generate a fake session id, too + - markus@cvs.openbsd.org 2001/02/28 21:27:48 + [channels.c packet.c packet.h serverloop.c] + use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message + use random content in ignore messages. 
+ - markus@cvs.openbsd.org 2001/02/28 21:31:32 + [channels.c] + typo + - deraadt@cvs.openbsd.org 2001/03/01 02:11:25 + [authfd.c] + split line so that p will have an easier time next time around + - deraadt@cvs.openbsd.org 2001/03/01 02:29:04 + [ssh.c] + shorten usage by a line + - deraadt@cvs.openbsd.org 2001/03/01 02:45:10 + [auth-rsa.c auth2.c deattack.c packet.c] + KNF + - deraadt@cvs.openbsd.org 2001/03/01 03:38:33 + [cli.c cli.h rijndael.h ssh-keyscan.1] + copyright notices on all source files + - markus@cvs.openbsd.org 2001/03/01 22:46:37 + [ssh.c] + don't truncate remote ssh-2 commands; from mkubita@securities.cz + use min, not max for logging, fixes overflow. + - deraadt@cvs.openbsd.org 2001/03/02 06:21:01 + [sshd.8] + explain SIGHUP better + - deraadt@cvs.openbsd.org 2001/03/02 09:42:49 + [sshd.8] + doc the dsa/rsa key pair files + - deraadt@cvs.openbsd.org 2001/03/02 18:54:31 + [atomicio.c atomicio.h auth-chall.c auth.c auth2-chall.c crc32.h + scp.c serverloop.c session.c sftp-server.8 sftp.1 ssh-add.1 ssh-add.c + ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh.1 sshd.8] + make copyright lines the same format + - deraadt@cvs.openbsd.org 2001/03/03 06:53:12 + [ssh-keyscan.c] + standard theo sweep + - millert@cvs.openbsd.org 2001/03/03 21:19:41 + [ssh-keyscan.c] + Dynamically allocate read_wait and its copies. Since maxfd is + based on resource limits it is often (usually?) larger than FD_SETSIZE. + - millert@cvs.openbsd.org 2001/03/03 21:40:30 + [sftp-server.c] + Dynamically allocate fd_set; deraadt@ OK + - millert@cvs.openbsd.org 2001/03/03 21:41:07 + [packet.c] + Dynamically allocate fd_set; deraadt@ OK + - deraadt@cvs.openbsd.org 2001/03/03 22:07:50 + [sftp-server.c] + KNF + - markus@cvs.openbsd.org 2001/03/03 23:52:22 + [sftp.c] + clean up arg processing. 
based on work by Christophe_Moret@hp.com + - markus@cvs.openbsd.org 2001/03/03 23:59:34 + [log.c ssh.c] + log*.c -> log.c + - markus@cvs.openbsd.org 2001/03/04 00:03:59 + [channels.c] + debug1->2 + - stevesk@cvs.openbsd.org 2001/03/04 10:57:53 + [ssh.c] + add -m to usage; ok markus@ + - stevesk@cvs.openbsd.org 2001/03/04 11:04:41 + [sshd.8] + small cleanup and clarify for PermitRootLogin; ok markus@ + - stevesk@cvs.openbsd.org 2001/03/04 11:16:06 + [servconf.c sshd.8] + kill obsolete RandomSeed; ok markus@ deraadt@ + - stevesk@cvs.openbsd.org 2001/03/04 12:54:04 + [sshd.8] + spelling + - millert@cvs.openbsd.org 2001/03/04 17:42:28 + [authfd.c channels.c dh.c log.c readconf.c servconf.c sftp-int.c + ssh.c sshconnect.c sshd.c] + log functions should not be passed strings that end in newline as they + get passed on to syslog() and when logging to stderr, do_log() appends + its own newline. + - deraadt@cvs.openbsd.org 2001/03/04 18:21:28 + [sshd.8] + list SSH2 ciphers + - (bal) Put HAVE_PW_CLASS_IN_PASSWD back into pwcopy() + - (bal) Fix up logging since it changed. removed log-*.c + - (djm) Fix up LOG_AUTHPRIV for systems that have it + - (stevesk) OpenBSD sync: + - deraadt@cvs.openbsd.org 2001/03/05 08:37:27 + [ssh-keyscan.c] + skip inlining, why bother + - (stevesk) sftp.c: handle __progname + +20010304 + - (bal) Remove make-ssh-known-hosts.1 since it's no longer valid. + - (bal) Updated contrib/README to remove 'make-ssh-known-hosts' and + give Mark Roth credit for mdoc2man.pl + +20010303 + - (djm) Remove make-ssh-known-hosts.pl, ssh-keyscan is better. + - (djm) Document PAM ChallengeResponseAuthentication in sshd.8 + - (djm) Disable and comment ChallengeResponseAuthentication in sshd_config + - (djm) Allow PRNGd entropy collection from localhost TCP socket. Replace + "--with-egd-pool" configure option with "--with-prngd-socket" and + "--with-prngd-port" options. Debugged and improved by Lutz Jaenicke + + 20010301 - (djm) Properly add -lcrypt if needed. 
- (djm) Force standard PAM conversation function in a few more places. @@ -4175,4 +4641,4 @@ - Wrote replacements for strlcpy and mkdtemp - Released 1.0pre1 -$Id: ChangeLog,v 1.845 2001/03/01 00:09:42 djm Exp $ +$Id: ChangeLog,v 1.991 2001/03/19 22:30:50 djm Exp $ diff -ru openssh-2.5.1p2/INSTALL openssh-2.5.2p1/INSTALL --- openssh-2.5.1p2/INSTALL 2001-02-18 12:58:24.000000000 +1100 +++ openssh-2.5.2p1/INSTALL 2001-03-04 00:29:21.000000000 +1100 @@ -119,8 +119,13 @@ random numbers (the default is /dev/urandom). Unless you are absolutely sure of what you are doing, it is best to leave this alone. ---with-egd-pool=/some/file allows you to enable EGD or PRNGD support -and to specify a EGD pool socket. Use this if your Unix lacks +--with-prngd-socket=/some/file allows you to enable EGD or PRNGD +support and to specify a PRNGd socket. Use this if your Unix lacks +/dev/random and you don't want to use OpenSSH's builtin entropy +collection support. + +--with-prngd-port=portnum allows you to enable EGD or PRNGD support +and to specify a EGD localhost TCP port. Use this if your Unix lacks /dev/random and you don't want to use OpenSSH's builtin entropy collection support. @@ -217,4 +222,4 @@ http://www.openssh.com/ -$Id: INSTALL,v 1.41 2001/02/18 01:58:24 djm Exp $ +$Id: INSTALL,v 1.42 2001/03/03 13:29:21 djm Exp $ diff -ru openssh-2.5.1p2/Makefile.in openssh-2.5.2p1/Makefile.in --- openssh-2.5.1p2/Makefile.in 2001-02-19 06:13:33.000000000 +1100 +++ openssh-2.5.2p1/Makefile.in 2001-03-14 11:39:46.000000000 +1100 @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.155 2001/02/18 19:13:33 mouring Exp $ +# $Id: Makefile.in,v 1.161 2001/03/14 00:39:46 djm Exp $ prefix=@prefix@ exec_prefix=@exec_prefix@ @@ -26,7 +26,7 @@ CC=@CC@ LD=@LD@ CFLAGS=@CFLAGS@ -CPPFLAGS=@CPPFLAGS@ -I. -I$(srcdir)/openbsd-compat -I$(srcdir) $(PATHS) @DEFS@ +CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ LIBS=@LIBS@ AR=@AR@ RANLIB=@RANLIB@ 
@@ -46,9 +46,9 @@ LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o cli.o compat.o compress.o crc32.o deattack.o dispatch.o mac.o hostfile.o key.o kex.o log.o match.o misc.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o ssh-dss.o ssh-rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o -SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o +SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o readconf.o clientloop.o -SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o sshpty.o log-server.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o +SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh-keyscan.0 ssh.0 sshd.0 sftp-server.0 sftp.0 @@ -68,7 +68,8 @@ -D/var/run/sshd.pid=$(piddir)/sshd.pid \ -D/etc/primes=$(sysconfdir)/primes \ -D/etc/sshrc=$(sysconfdir)/sshrc \ - -D/usr/X11R6/bin/xauth=$(XAUTH_PATH) + -D/usr/X11R6/bin/xauth=$(XAUTH_PATH) \ + -D/usr/bin:/bin:/usr/sbin:/sbin=@user_path@ FIXPATHSCMD = $(PERL) $(srcdir)/fixpaths $(PATHSUBS) 
@@ -97,30 +98,30 @@ sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o log-client.o - $(LD) -o $@ scp.o log-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o log.o + $(LD) -o $@ scp.o log.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o log-client.o - $(LD) -o $@ ssh-add.o log-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o log.o + $(LD) -o $@ ssh-add.o log.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o log-client.o - $(LD) -o $@ ssh-agent.o log-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o log.o + $(LD) -o $@ ssh-agent.o log.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o log-client.o - $(LD) -o $@ ssh-keygen.o log-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o log.o + $(LD) -o $@ ssh-keygen.o log.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a log-client.o ssh-keyscan.o - $(LD) -o $@ ssh-keyscan.o log-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a log.o ssh-keyscan.o + $(LD) -o $@ ssh-keyscan.o log.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp-server.o sftp-common.o log-server.o - $(LD) -o $@ sftp-server.o sftp-common.o log-server.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o log.o sftp-server.o + $(LD) -o $@ sftp-server.o sftp-common.o log.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-int.o sftp-common.o log-client.o - $(LD) -o $@ 
sftp.o sftp-client.o sftp-common.o sftp-int.o log-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-int.o sftp-common.o sftp-glob.o + $(LD) -o $@ sftp.o sftp-client.o sftp-common.o sftp-int.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) # test driver for the loginrec code - not built by default -logintest: logintest.o $(LIBCOMPAT) libssh.a log-client.o loginrec.o - $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh log-client.o $(LIBS) +logintest: logintest.o $(LIBCOMPAT) libssh.a log.o loginrec.o + $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh log.o $(LIBS) $(MANPAGES) $(CONFIGFILES):: $(FIXPATHSCMD) $(srcdir)/$@ diff -ru openssh-2.5.1p2/TODO openssh-2.5.2p1/TODO --- openssh-2.5.1p2/TODO 2001-02-17 12:04:37.000000000 +1100 +++ openssh-2.5.2p1/TODO 2001-03-20 01:58:47.000000000 +1100 
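Review bot: The new `sftp-server$(EXEEXT)` rule lists `sftp.o` among its prerequisites although the `$(LD)` line directly under it does not link that object, so building the server needlessly compiles the client entry object; it reads like a copy from the neighbouring `sftp` rule. Drop the stray object: `sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp-common.o log.o sftp-server.o`. The rule itself starts on the previous physical line of this hunk.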
@@ -1,15 +1,27 @@ Programming: - Grep for 'XXX' comments and fix +- Integrate contrib/mdoc2man.pl so platforms which only have the troff + 'an' macros can have readable manpages. + - Write a test program that calls stat() to search for EGD/PRNGd socket - rather than use the (non-portable) "test -S". + rather than use the (non-portable) "test -S". + +- Replacement for setproctitle() - HP-UX support only currently -- Replacement for setproctitle() - HP/UX support only currently +- Handle changing passwords for the non-PAM expired password case - Improve PAM support (a pam_lastlog module will cause sshd to exit) and maybe support alternate forms of authenications like OPIE via pam? +- Rework PAM ChallengeResponseAuthentication + - Use kbdint request packet with 0 prompts for informational messages + - Use different PAM service name for kbdint vs regular auth (suggest from + Solar Designer) + - Ability to select which ChallengeResponseAuthentications may be used + and order to try them in e.g. "ChallengeResponseAuthentication skey, pam" + - Complete Tru64 SIA support - Finish integrating kernel-level auditing code for IRIX and SOLARIS @@ -22,13 +34,19 @@ solutions break scp or leaves processes hanging around after the ssh connection has ended. It seems to be linked to two things. One select() under Linux is not as nice as others, and two the children - of the shell are not killed on exiting the shell. + of the shell are not killed on exiting the shell. Redhat have an excellent + description of this in their RPM package. - Build an automated test suite - Verify that It's safe to enable NGROUPS_MAX under NeXTStep for groupaccess features. (mouring@eviladmin.org) +- 64-bit builds on HP-UX 11.X (stevesk@pobox.com): + - utmp/wtmp get corrupted (something in loginrec?) + - no 64-bit vhangup(); ptmx systems shouldn't need this + - can't build with PAM (no 64-bit libpam yet) + Documentation: - More and better 
@@ -41,8 +59,9 @@ Clean up configure/makefiles: - Clean up configure.in - There are a few double #defined variables - left to do. HAVE_LOGIN is one of them. Consider NOT looking for information - in wtmpx or utmpx or any of that stuff if it's not detected from the start + left to do. HAVE_LOGIN is one of them. Consider NOT looking for + information in wtmpx or utmpx or any of that stuff if it's not detected + from the start - Fails to compile when cross compile. (vinschen@redhat.com) @@ -54,9 +73,10 @@ Packaging: - Solaris: Update packaging scripts and build new sysv startup scripts + Ideally the package metadata should be generated by autoconf. (gilbert.r.loomis@saic.com) -- HP/UX: Provide DEPOT package scripts. +- HP-UX: Provide DEPOT package scripts. (gilbert.r.loomis@saic.com) -$Id: TODO,v 1.36 2001/02/17 01:04:37 mouring Exp $ +$Id: TODO,v 1.38 2001/03/19 14:58:47 stevesk Exp $ diff -ru openssh-2.5.1p2/acconfig.h openssh-2.5.2p1/acconfig.h --- openssh-2.5.1p2/acconfig.h 2001-02-27 08:39:07.000000000 +1100 +++ openssh-2.5.2p1/acconfig.h 2001-03-17 12:15:38.000000000 +1100 @@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.105 2001/02/26 21:39:07 djm Exp $ */ +/* $Id: acconfig.h,v 1.108 2001/03/17 01:15:38 mouring Exp $ */ #ifndef _CONFIG_H #define _CONFIG_H @@ -89,8 +89,11 @@ /* Location of random number pool */ #undef RANDOM_POOL -/* Location of EGD random number socket */ -#undef EGD_SOCKET +/* Location of PRNGD/EGD random number socket */ +#undef PRNGD_SOCKET + +/* Port number of PRNGD/EGD random number socket */ +#undef PRNGD_PORT /* Builtin PRNG command timeout */ #undef ENTROPY_TIMEOUT_MSEC 
@@ -299,6 +302,12 @@ /* Needed for SCO and NeXT */ #undef BROKEN_SAVED_UIDS +/* Define if your system glob() function has the GLOB_ALTDIRFUNC extension */ +#undef GLOB_HAS_ALTDIRFUNC + +/* Define if your system glob() function has gl_matchc options in glob_t */ +#undef GLOB_HAS_GL_MATCHC + @BOTTOM@ /* ******************* Shouldn't need to edit below this line ************** */ diff -ru openssh-2.5.1p2/atomicio.c openssh-2.5.2p1/atomicio.c --- openssh-2.5.1p2/atomicio.c 2001-01-22 16:34:40.000000000 +1100 +++ openssh-2.5.2p1/atomicio.c 2001-03-05 17:59:27.000000000 +1100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995,1999 Theo de Raadt + * Copyright (c) 1995,1999 Theo de Raadt. All rights reserved. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -24,7 +24,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: atomicio.c,v 1.8 2001/01/21 19:05:40 markus Exp $"); +RCSID("$OpenBSD: atomicio.c,v 1.9 2001/03/02 18:54:30 deraadt Exp $"); #include "xmalloc.h" #include "atomicio.h" diff -ru openssh-2.5.1p2/atomicio.h openssh-2.5.2p1/atomicio.h --- openssh-2.5.1p2/atomicio.h 2001-01-29 18:39:26.000000000 +1100 +++ openssh-2.5.2p1/atomicio.h 2001-03-05 17:59:27.000000000 +1100 @@ -1,7 +1,7 @@ -/* $OpenBSD: atomicio.h,v 1.2 2001/01/29 01:58:14 niklas Exp $ */ +/* $OpenBSD: atomicio.h,v 1.3 2001/03/02 18:54:30 deraadt Exp $ */ /* - * Copyright (c) 1995,1999 Theo de Raadt + * Copyright (c) 1995,1999 Theo de Raadt. All rights reserved. * All rights reserved. * * Redistribution and use in source and binary forms, with or without diff -ru openssh-2.5.1p2/auth-chall.c openssh-2.5.2p1/auth-chall.c --- openssh-2.5.1p2/auth-chall.c 2001-02-18 17:01:00.000000000 +1100 +++ openssh-2.5.2p1/auth-chall.c 2001-03-05 17:59:27.000000000 +1100 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2001 Markus Friedl. All rights reserved. + * Copyright (c) 2001 Markus Friedl. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-chall.c,v 1.4 2001/02/04 15:32:22 stevesk Exp $"); +RCSID("$OpenBSD: auth-chall.c,v 1.5 2001/03/02 18:54:30 deraadt Exp $"); #include "auth.h" #include "log.h" diff -ru openssh-2.5.1p2/auth-options.c openssh-2.5.2p1/auth-options.c --- openssh-2.5.1p2/auth-options.c 2001-02-11 09:27:19.000000000 +1100 +++ openssh-2.5.2p1/auth-options.c 2001-03-19 11:13:47.000000000 +1100 @@ -10,13 +10,14 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-options.c,v 1.13 2001/02/09 13:38:07 markus Exp $"); +RCSID("$OpenBSD: auth-options.c,v 1.16 2001/03/18 12:07:52 markus Exp $"); #include "packet.h" #include "xmalloc.h" #include "match.h" #include "log.h" #include "canohost.h" +#include "channels.h" #include "auth-options.h" #include "servconf.h" @@ -51,6 +52,7 @@ xfree(forced_command); forced_command = NULL; } + channel_clear_permitted_opens(); } /* @@ -61,6 +63,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) { const char *cp; + int i; /* reset options */ auth_clear_options(); @@ -99,7 +102,6 @@ } cp = "command=\""; if (strncasecmp(opts, cp, strlen(cp)) == 0) { - int i; opts += strlen(cp); forced_command = xmalloc(strlen(opts) + 1); i = 0; @@ -118,7 +120,9 @@ file, linenum); packet_send_debug("%.100s, line %lu: missing end quote", file, linenum); - continue; + xfree(forced_command); + forced_command = NULL; + goto bad_option; } forced_command[i] = 0; packet_send_debug("Forced command: %.900s", forced_command); @@ -127,9 +131,9 @@ } cp = "environment=\""; if (strncasecmp(opts, cp, strlen(cp)) == 0) { - int i; char *s; struct envstring *new_envstring; + opts += strlen(cp); s = xmalloc(strlen(opts) + 1); i = 0; 
@@ -148,7 +152,8 @@ file, linenum); packet_send_debug("%.100s, line %lu: missing end quote", file, linenum); - continue; + xfree(s); + goto bad_option; } s[i] = 0; packet_send_debug("Adding to environment: %.900s", s); @@ -167,7 +172,7 @@ const char *remote_host = get_canonical_hostname( options.reverse_mapping_check); char *patterns = xmalloc(strlen(opts) + 1); - int i; + opts += strlen(cp); i = 0; while (*opts) { @@ -185,7 +190,8 @@ file, linenum); packet_send_debug("%.100s, line %lu: missing end quote", file, linenum); - continue; + xfree(patterns); + goto bad_option; } patterns[i] = 0; opts++; 
@@ -214,6 +220,59 @@ /* Host name matches. */ goto next_option; } + cp = "permitopen=\""; + if (strncasecmp(opts, cp, strlen(cp)) == 0) { + u_short port; + char *c, *ep; + char *patterns = xmalloc(strlen(opts) + 1); + + opts += strlen(cp); + i = 0; + while (*opts) { + if (*opts == '"') + break; + if (*opts == '\\' && opts[1] == '"') { + opts += 2; + patterns[i++] = '"'; + continue; + } + patterns[i++] = *opts++; + } + if (!*opts) { + debug("%.100s, line %lu: missing end quote", + file, linenum); + packet_send_debug("%.100s, line %lu: missing end quote", + file, linenum); + xfree(patterns); + goto bad_option; + } + patterns[i] = 0; + opts++; + c = strchr(patterns, ':'); + if (c == NULL) { + debug("%.100s, line %lu: permitopen: missing colon <%.100s>", + file, linenum, patterns); + packet_send_debug("%.100s, line %lu: missing colon", + file, linenum); + xfree(patterns); + goto bad_option; + } + *c = 0; + c++; + port = strtol(c, &ep, 0); + if (c == ep) { + debug("%.100s, line %lu: permitopen: missing port <%.100s>", + file, linenum, patterns); + packet_send_debug("%.100s, line %lu: missing port", + file, linenum); + xfree(patterns); + goto bad_option; + } + if (options.allow_tcp_forwarding) + channel_add_permitted_opens(patterns, port); + xfree(patterns); + goto next_option; + } next_option: /* * Skip the comma, and move to the next option diff -ru openssh-2.5.1p2/auth-rsa.c openssh-2.5.2p1/auth-rsa.c --- openssh-2.5.1p2/auth-rsa.c 2001-01-22 16:34:40.000000000 +1100 +++ openssh-2.5.2p1/auth-rsa.c 2001-03-05 17:47:00.000000000 +1100 @@ -14,7 +14,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rsa.c,v 1.38 2001/01/21 19:05:42 markus Exp $"); +RCSID("$OpenBSD: auth-rsa.c,v 1.39 2001/03/01 02:45:10 deraadt Exp $"); #include #include 
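Review bot: In the new permitopen block the result of `strtol(c, &ep, 0)` is stored straight into the `u_short port` with only `c == ep` checked, so a value outside the port range is silently truncated (a key written as `host:70000` would permit port 4464) and characters after the digits are accepted. Parse into a `long`, reject out-of-range values and trailing garbage before the narrowing, and use base 10 so a leading zero is not read as octal; the existing `xfree(patterns); goto bad_option;` shape of the neighbouring checks fits this one too. The enclosing `auth_parse_options` starts and ends outside this hunk, and the fence below shows only the rewritten lines.

```c
		u_short port;
		long lport;
		/* … unchanged: quote scanning and strchr(patterns, ':') check … */
		*c = 0;
		c++;
		lport = strtol(c, &ep, 10);
		if (c == ep || *ep != '\0' || lport < 1 || lport > 65535) {
			debug("%.100s, line %lu: permitopen: invalid port <%.100s>",
			    file, linenum, c);
			packet_send_debug("%.100s, line %lu: invalid port",
			    file, linenum);
			xfree(patterns);
			goto bad_option;
		}
		port = (u_short)lport;
		/* … unchanged: allow_tcp_forwarding check, channel_add_permitted_opens, xfree … */
```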
@@ -186,8 +186,8 @@ } if (fail) { fclose(f); - log("%s",buf); - packet_send_debug("%s",buf); + log("%s", buf); + packet_send_debug("%s", buf); restore_uid(); return 0; } diff -ru openssh-2.5.1p2/auth.c openssh-2.5.2p1/auth.c --- openssh-2.5.1p2/auth.c 2001-03-01 09:48:13.000000000 +1100 +++ openssh-2.5.2p1/auth.c 2001-03-20 09:15:57.000000000 +1100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2000 Markus Friedl. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth.c,v 1.17 2001/02/12 16:16:23 markus Exp $"); +RCSID("$OpenBSD: auth.c,v 1.21 2001/03/19 17:07:23 markus Exp $"); #ifdef HAVE_LOGIN_H #include @@ -170,26 +170,6 @@ return authctxt; } -struct passwd * -pwcopy(struct passwd *pw) -{ - struct passwd *copy = xmalloc(sizeof(*copy)); - memset(copy, 0, sizeof(*copy)); - copy->pw_name = xstrdup(pw->pw_name); - copy->pw_passwd = xstrdup(pw->pw_passwd); - copy->pw_uid = pw->pw_uid; - copy->pw_gid = pw->pw_gid; -#ifdef HAVE_PW_CLASS_IN_PASSWD - copy->pw_class = xstrdup(pw->pw_class); -#endif -#ifdef HAVE_CYGWIN - copy->pw_gecos = xstrdup(pw->pw_gecos); -#endif - copy->pw_dir = xstrdup(pw->pw_dir); - copy->pw_shell = xstrdup(pw->pw_shell); - return copy; -} - void auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) { diff -ru openssh-2.5.1p2/auth.h openssh-2.5.2p1/auth.h --- openssh-2.5.1p2/auth.h 2001-02-18 17:01:00.000000000 +1100 +++ openssh-2.5.2p1/auth.h 2001-03-05 16:56:41.000000000 +1100 @@ -21,7 +21,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $OpenBSD: auth.h,v 1.11 2001/02/12 16:16:23 markus Exp $ + * $OpenBSD: auth.h,v 1.12 2001/02/22 21:59:43 markus Exp $ */ #ifndef AUTH_H #define AUTH_H 
@@ -132,7 +132,6 @@ int verify_response(Authctxt *authctxt, char *response); struct passwd * auth_get_user(void); -struct passwd * pwcopy(struct passwd *pw); #define AUTH_FAIL_MAX 6 #define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2) diff -ru openssh-2.5.1p2/auth1.c openssh-2.5.2p1/auth1.c --- openssh-2.5.1p2/auth1.c 2001-02-18 17:01:00.000000000 +1100 +++ openssh-2.5.2p1/auth1.c 2001-03-09 07:37:23.000000000 +1100 @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.17 2001/02/13 22:49:40 markus Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.19 2001/03/08 18:47:12 stevesk Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -23,10 +23,10 @@ #include "compat.h" #include "auth.h" #include "session.h" +#include "misc.h" /* import */ extern ServerOptions options; -extern char *forced_command; #ifdef WITH_AIXAUTHENTICATE extern char *aixloginmsg; diff -ru openssh-2.5.1p2/auth2-chall.c openssh-2.5.2p1/auth2-chall.c --- openssh-2.5.1p2/auth2-chall.c 2001-01-22 16:34:40.000000000 +1100 +++ openssh-2.5.2p1/auth2-chall.c 2001-03-05 17:59:27.000000000 +1100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2001 Markus Friedl. All rights reserved. + * Copyright (c) 2001 Markus Friedl. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -22,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: auth2-chall.c,v 1.2 2001/01/21 19:05:43 markus Exp $"); +RCSID("$OpenBSD: auth2-chall.c,v 1.3 2001/03/02 18:54:31 deraadt Exp $"); #include "ssh2.h" #include "auth.h" diff -ru openssh-2.5.1p2/auth2.c openssh-2.5.2p1/auth2.c --- openssh-2.5.1p2/auth2.c 2001-02-19 06:13:33.000000000 +1100 +++ openssh-2.5.2p1/auth2.c 2001-03-12 07:01:56.000000000 +1100 
@@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.42 2001/02/13 22:49:40 markus Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.46 2001/03/11 13:25:36 markus Exp $"); #include @@ -47,6 +47,7 @@ #include "pathnames.h" #include "uidswap.h" #include "auth-options.h" +#include "misc.h" /* import */ extern ServerOptions options; @@ -75,7 +76,6 @@ /* helper */ Authmethod *authmethod_lookup(const char *name); -struct passwd *pwcopy(struct passwd *pw); int user_key_allowed(struct passwd *pw, Key *key); char *authmethods_get(void); @@ -640,7 +640,7 @@ } if (fail) { fclose(f); - log("%s",buf); + log("%s", buf); restore_uid(); return 0; } @@ -688,5 +688,7 @@ restore_uid(); fclose(f); key_free(found); + if (!found_key) + debug2("key not found"); return found_key; } diff -ru openssh-2.5.1p2/authfd.c openssh-2.5.2p1/authfd.c --- openssh-2.5.1p2/authfd.c 2001-02-06 00:57:36.000000000 +1100 +++ openssh-2.5.2p1/authfd.c 2001-03-06 14:31:34.000000000 +1100 @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfd.c,v 1.35 2001/02/04 15:32:22 stevesk Exp $"); +RCSID("$OpenBSD: authfd.c,v 1.38 2001/03/06 00:33:03 deraadt Exp $"); #include @@ -75,10 +75,9 @@ sunaddr.sun_family = AF_UNIX; strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path)); -#ifdef HAVE_SUN_LEN_IN_SOCKADDR_UN - sunaddr.sun_len = len = SUN_LEN(&sunaddr)+1; -#else /* HAVE_SUN_LEN_IN_SOCKADDR_UN */ len = SUN_LEN(&sunaddr)+1; +#ifdef HAVE_SUN_LEN_IN_SOCKADDR_UN + sunaddr.sun_len = len; #endif /* HAVE_SUN_LEN_IN_SOCKADDR_UN */ sock = socket(AF_UNIX, SOCK_STREAM, 0); @@ -121,6 +120,8 @@ len = 4; while (len > 0) { l = read(auth->fd, buf + 4 - len, len); + if (l == -1 && (errno == EAGAIN || errno == EINTR)) + continue; if (l <= 0) { error("Error reading response length from authentication socket."); return 0; 
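Review bot: The new `if (l == -1 && (errno == EAGAIN || errno == EINTR)) continue;` in the authfd.c length-read loop retries immediately on EAGAIN, which busy-spins if `auth->fd` is ever non-blocking; retrying on EINTR is fine, but EAGAIN should either wait on the descriptor (select/poll) or be treated as a failure like the other short reads. The same pattern is added in the second read loop of this file (`@@ -140,6 +141,8 @@`) and in cli.c (`@@ -108,12 +134,16 @@`). If the socket is always blocking here the EAGAIN branch is simply dead code, in which case retrying on EINTR alone says what is meant. The enclosing function continues outside the hunk.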
@@ -140,6 +141,8 @@ if (l > sizeof(buf)) l = sizeof(buf); l = read(auth->fd, buf, l); + if (l == -1 && (errno == EAGAIN || errno == EINTR)) + continue; if (l <= 0) { error("Error reading response from authentication socket."); return 0; @@ -255,7 +258,7 @@ /* Get the number of entries in the response and check it for sanity. */ auth->howmany = buffer_get_int(&auth->identities); if (auth->howmany > 1024) - fatal("Too many identities in authentication reply: %d\n", + fatal("Too many identities in authentication reply: %d", auth->howmany); return auth->howmany; diff -ru openssh-2.5.1p2/authfile.c openssh-2.5.2p1/authfile.c --- openssh-2.5.1p2/authfile.c 2001-02-09 13:11:24.000000000 +1100 +++ openssh-2.5.2p1/authfile.c 2001-03-05 15:59:27.000000000 +1100 @@ -36,7 +36,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfile.c,v 1.27 2001/02/08 19:30:51 itojun Exp $"); +RCSID("$OpenBSD: authfile.c,v 1.28 2001/02/21 09:05:54 deraadt Exp $"); #include #include @@ -336,12 +336,12 @@ close(fd); return 0; } - close(fd); /* Check that it is at least big enough to contain the ID string. */ if (len < sizeof(authfile_id_string)) { debug3("Bad RSA1 key file %.200s.", filename); buffer_free(&buffer); + close(fd); return 0; } /* @@ -352,8 +352,10 @@ if (buffer_get_char(&buffer) != authfile_id_string[i]) { debug3("Bad RSA1 key file %.200s.", filename); buffer_free(&buffer); + close(fd); return 0; } + /* Read cipher type. */ cipher_type = buffer_get_char(&buffer); (void) buffer_get_int(&buffer); /* Reserved data. */ @@ -403,6 +405,7 @@ prv->e = NULL; if (comment_return) xfree(*comment_return); + close(fd); return 0; } /* Read the rest of the private key. */ @@ -431,7 +434,7 @@ BN_CTX_free(ctx); buffer_free(&decrypted); - + close(fd); return 1; } @@ -446,6 +449,7 @@ fp = fdopen(fd, "r"); if (fp == NULL) { error("fdopen failed"); + close(fd); return 0; } pk = PEM_read_PrivateKey(fp, NULL, NULL, (char *)passphrase); 
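Review bot: load_private_key_rsa1() now carries its own `close(fd)` on each exit path across hunks `@@ -336`, `@@ -352`, `@@ -403` and `@@ -431`, which is easy to get wrong again when another early return is added; a single cleanup label that closes `fd` (and frees the buffer where the path needs it) would make the "callee closes fd" contract hold by construction. At minimum the function's header comment should state that it takes ownership of `fd` and closes it on every return, since load_private_key() later in this diff relies on that. The same ownership note applies to the `fdopen` failure path added at `@@ -446`. The function's start and end are outside the hunks.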
@@ -515,7 +519,7 @@ error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @"); error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); error("Bad ownership or mode(0%3.3o) for '%s'.", - st.st_mode & 0777, filename); + st.st_mode & 0777, filename); error("It is recommended that your private key files are NOT accessible by others."); return 0; } @@ -530,16 +534,19 @@ key->rsa->n = NULL; } ret = load_private_key_rsa1(fd, filename, passphrase, - key->rsa, comment_return); + key->rsa, comment_return); /* closes fd */ + break; case KEY_DSA: case KEY_RSA: case KEY_UNSPEC: - ret = load_private_key_ssh2(fd, passphrase, key, comment_return); + ret = load_private_key_ssh2(fd, passphrase, key, + comment_return); /* closes fd */ + break; default: + close(fd); break; } - close(fd); return ret; } diff -ru openssh-2.5.1p2/channels.c openssh-2.5.2p1/channels.c --- openssh-2.5.1p2/channels.c 2001-02-17 02:56:31.000000000 +1100 +++ openssh-2.5.2p1/channels.c 2001-03-17 11:47:55.000000000 +1100 @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.92 2001/02/16 13:38:18 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.99 2001/03/16 19:06:29 markus Exp $"); #include #include @@ -141,18 +141,6 @@ have_hostname_in_open = hostname_in_open; } -/* - * Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually - * called by the server, because the user could connect to any port anyway, - * and the server has no way to know but to trust the client anyway. - */ - -void -channel_permit_all_opens() -{ - all_opens_permitted = 1; -} - /* lookup channel by id */ Channel * @@ -195,10 +183,10 @@ /* XXX ugly hack: nonblock is only set by the server */ if (nonblock && isatty(c->rfd)) { - debug("channel: %d: rfd %d isatty", c->self, c->rfd); + debug("channel %d: rfd %d isatty", c->self, c->rfd); c->isatty = 1; if (!isatty(c->wfd)) { - error("channel: %d: wfd %d is not a tty?", + error("channel %d: wfd %d is not a tty?", c->self, c->wfd); } } else { 
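Review bot: The fd ownership change is recorded only in the trailing `/* closes fd */` comments on the two calls; the header comments of load_private_key_rsa1() and load_private_key_ssh2() should state that they close `fd` on every return so that no future caller closes it a second time. The added `break;` after the KEY_RSA1 case is what stops the RSA1 result from being overwritten by the ssh2 loader, so a short comment there, e.g. `/* fd closed by callee; must not fall through */`, would keep it from being removed as redundant. load_private_key() starts outside the hunk.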
@@ -521,7 +509,7 @@ * We have received an X11 connection that has bad * authentication information. */ - log("X11 connection rejected because of wrong authentication.\r\n"); + log("X11 connection rejected because of wrong authentication."); buffer_clear(&c->input); buffer_clear(&c->output); close(c->sock); @@ -768,6 +756,7 @@ int channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset) { + struct termios tio; int len; /* Send buffered output data to the socket. */ @@ -789,16 +778,15 @@ return -1; } if (compat20 && c->isatty) { - struct termios tio; if (tcgetattr(c->wfd, &tio) == 0 && !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { /* * Simulate echo to reduce the impact of - * traffic analysis. + * traffic analysis. We need to match the + * size of a SSH2_MSG_CHANNEL_DATA message + * (4 byte channel id + data) */ - packet_start(SSH2_MSG_IGNORE); - memset(buffer_ptr(&c->output), 0, len); - packet_put_string(buffer_ptr(&c->output), len); + packet_send_ignore(4 + len); packet_send(); } } @@ -824,7 +812,14 @@ buffer_len(&c->extended)); debug2("channel %d: written %d to efd %d", c->self, len, c->efd); - if (len > 0) { + if (len < 0 && (errno == EINTR || errno == EAGAIN)) + return 1; + if (len <= 0) { + debug2("channel %d: closing write-efd %d", + c->self, c->efd); + close(c->efd); + c->efd = -1; + } else { buffer_consume(&c->extended, len); c->local_consumed += len; } 
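Review bot: In the efd write path (`@@ -824,7 +812,14 @@`) a return of 0 from write() now closes the efd because the test is `len <= 0`; if this code can be reached with an empty extended buffer, write() returns 0 and a healthy descriptor is closed, so either guard the write with `buffer_len(&c->extended) > 0` or use `len < 0` for the close case. The `debug2("channel %d: written %d to efd %d", ...)` runs before the EINTR/EAGAIN check, so it also logs -1 on every retry. channel_handle_efd() starts outside the hunk, so an earlier guard cannot be ruled out from here.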
@@ -833,19 +828,22 @@ len = read(c->efd, buf, sizeof(buf)); debug2("channel %d: read %d from efd %d", c->self, len, c->efd); - if (len == 0) { - debug("channel %d: closing efd %d", + if (len < 0 && (errno == EINTR || errno == EAGAIN)) + return 1; + if (len <= 0) { + debug2("channel %d: closing read-efd %d", c->self, c->efd); close(c->efd); c->efd = -1; - } else if (len > 0) + } else { buffer_append(&c->extended, buf, len); + } } } return 1; } int -channel_check_window(Channel *c, fd_set * readset, fd_set * writeset) +channel_check_window(Channel *c) { if (!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && c->local_window < c->local_window_max/2 && @@ -876,7 +874,8 @@ channel_handle_rfd(c, readset, writeset); channel_handle_wfd(c, readset, writeset); channel_handle_efd(c, readset, writeset); - channel_check_window(c, readset, writeset); + + channel_check_window(c); } void @@ -984,7 +983,24 @@ if (ftab[c->type] == NULL) continue; (*ftab[c->type])(c, readset, writeset); - chan_delete_if_full_closed(c); + if (chan_is_dead(c)) { + /* + * we have to remove the fd's from the select mask + * before the channels are free'd and the fd's are + * closed + */ + if (c->wfd != -1) + FD_CLR(c->wfd, writeset); + if (c->rfd != -1) + FD_CLR(c->rfd, readset); + if (c->efd != -1) { + if (c->extended_usage == CHAN_EXTENDED_READ) + FD_CLR(c->efd, readset); + if (c->extended_usage == CHAN_EXTENDED_WRITE) + FD_CLR(c->efd, writeset); + } + channel_free(c->self); + } } } 
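Review bot: After `channel_free(c->self)` in the dead-channel branch (`@@ -984,7 +983,24 @@`), `c` still points at the freed slot until the loop advances; nothing in the hunk uses it afterwards, but a comment such as `/* c is invalid from here on */` after the call would stop a later addition to the loop body from dereferencing it. The FD_CLR block's comment already says why the descriptors are cleared before the free; it could also name the other reader of `readset`/`writeset` that would otherwise see a closed fd, if that is known. The loop begins outside the hunk.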
@@ -1037,19 +1053,18 @@ } else { if (c->type != SSH_CHANNEL_OPEN) continue; - if (c->istate != CHAN_INPUT_OPEN && - c->istate != CHAN_INPUT_WAIT_DRAIN) - continue; } if (compat20 && (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) { - debug("channel: %d: no data after CLOSE", c->self); + /* XXX is this true? */ + debug2("channel %d: no data after CLOSE", c->self); continue; } /* Get the amount of buffered data for this channel. */ - len = buffer_len(&c->input); - if (len > 0) { + if ((c->istate == CHAN_INPUT_OPEN || + c->istate == CHAN_INPUT_WAIT_DRAIN) && + (len = buffer_len(&c->input)) > 0) { /* Send some data for the other side over the secure connection. */ if (compat20) { if (len > c->remote_window) @@ -1089,6 +1104,9 @@ c->remote_window > 0 && (len = buffer_len(&c->extended)) > 0 && c->extended_usage == CHAN_EXTENDED_READ) { + debug2("channel %d: rwin %d elen %d euse %d", + c->self, c->remote_window, buffer_len(&c->extended), + c->extended_usage); if (len > c->remote_window) len = c->remote_window; if (len > c->remote_maxpacket) @@ -1100,6 +1118,7 @@ packet_send(); buffer_consume(&c->extended, len); c->remote_window -= len; + debug2("channel %d: sent ext data %d", c->self, len); } } } @@ -1393,7 +1412,7 @@ debug2("callback done"); } else { char *service = packet_get_string(NULL); - debug("channel: %d rcvd request for %s", c->self, service); + debug("channel %d: rcvd request for %s", c->self, service); debug("cb_fn %p cb_event %d", c->cb_fn , c->cb_event); xfree(service); } 
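Review bot: The condition `(c->istate == CHAN_INPUT_OPEN || c->istate == CHAN_INPUT_WAIT_DRAIN) && (len = buffer_len(&c->input)) > 0` folds an assignment into a three-clause test, which is easy to misread as a comparison; computing the length in its own statement, e.g. `len = (c->istate == CHAN_INPUT_OPEN || c->istate == CHAN_INPUT_WAIT_DRAIN) ? buffer_len(&c->input) : 0; if (len > 0) {`, preserves behaviour and reads better. The new `/* XXX is this true? */` above the no-data-after-CLOSE check leaves a question in the tree; if the downgrade to debug2 is deliberate, the comment should say what is doubted. The enclosing loop starts outside the hunk.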
@@ -1760,9 +1779,47 @@ xfree(hostname); } -/* XXX move to aux.c */ +/* + * Permits opening to any host/port if permitted_opens[] is empty. This is + * usually called by the server, because the user could connect to any port + * anyway, and the server has no way to know but to trust the client anyway. + */ +void +channel_permit_all_opens() +{ + if (num_permitted_opens == 0) + all_opens_permitted = 1; +} + +void +channel_add_permitted_opens(char *host, int port) +{ + if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) + fatal("channel_request_remote_forwarding: too many forwards"); + debug("allow port forwarding to host %s port %d", host, port); + + permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host); + permitted_opens[num_permitted_opens].port_to_connect = port; + num_permitted_opens++; + + all_opens_permitted = 0; +} + +void +channel_clear_permitted_opens(void) +{ + int i; + + for (i = 0; i < num_permitted_opens; i++) + xfree(permitted_opens[i].host_to_connect); + num_permitted_opens = 0; + +} + + +/* return socket to remote host, port */ int -channel_connect_to(const char *host, u_short host_port) +connect_to(const char *host, u_short port) { struct addrinfo hints, *ai, *aitop; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; @@ -1772,9 +1829,10 @@ memset(&hints, 0, sizeof(hints)); hints.ai_family = IPv4or6; hints.ai_socktype = SOCK_STREAM; - snprintf(strport, sizeof strport, "%d", host_port); + snprintf(strport, sizeof strport, "%d", port); if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) { - error("%.100s: unknown host (%s)", host, gai_strerror(gaierr)); + error("connect_to %.100s: unknown host (%s)", host, + gai_strerror(gaierr)); return -1; } for (ai = aitop; ai; ai = ai->ai_next) { 
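Review bot: The fatal() in channel_add_permitted_opens() names the wrong function: `fatal("channel_request_remote_forwarding: too many forwards");` should read `fatal("channel_add_permitted_opens: too many forwards");` so the log points at the permitopen path. `host` is only passed to xstrdup() and debug(), so the parameter can be `const char *host` here and in the channels.h prototype later in this diff. The debug line prints the host with an unbounded `%s` while the neighbouring messages use `%.100s`; the value comes from an authorized_keys option, so bounding it the same way keeps log lines predictable. channel_clear_permitted_opens() leaves all_opens_permitted untouched, so after a clear every open is denied until channel_permit_all_opens() runs again; that looks intended but deserves a comment.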
@@ -1782,10 +1840,9 @@ continue; if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { - error("channel_connect_to: getnameinfo failed"); + error("connect_to: getnameinfo failed"); continue; } - /* Create the socket. */ sock = socket(ai->ai_family, SOCK_STREAM, 0); if (sock < 0) { error("socket: %.100s", strerror(errno)); @@ -1793,10 +1850,9 @@ } if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0) fatal("connect_to: F_SETFL: %s", strerror(errno)); - /* Connect to the host/port. */ if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 && errno != EINPROGRESS) { - error("connect %.100s port %s: %.100s", ntop, strport, + error("connect_to %.100s port %s: %.100s", ntop, strport, strerror(errno)); close(sock); continue; /* fail -- try next */ @@ -1806,19 +1862,21 @@ } freeaddrinfo(aitop); if (!ai) { - error("connect %.100s port %d: failed.", host, host_port); + error("connect_to %.100s port %d: failed.", host, port); return -1; } /* success */ return sock; } + int channel_connect_by_listen_adress(u_short listen_port) { int i; + for (i = 0; i < num_permitted_opens; i++) if (permitted_opens[i].listen_port == listen_port) - return channel_connect_to( + return connect_to( permitted_opens[i].host_to_connect, permitted_opens[i].port_to_connect); error("WARNING: Server requests forwarding for unknown listen_port %d", 
@@ -1826,6 +1884,28 @@ return -1; } +/* Check if connecting to that port is permitted and connect. */ +int +channel_connect_to(const char *host, u_short port) +{ + int i, permit; + + permit = all_opens_permitted; + if (!permit) { + for (i = 0; i < num_permitted_opens; i++) + if (permitted_opens[i].port_to_connect == port && + strcmp(permitted_opens[i].host_to_connect, host) == 0) + permit = 1; + + } + if (!permit) { + log("Received request to connect to host %.100s port %d, " + "but the request was denied.", host, port); + return -1; + } + return connect_to(host, port); +} + /* * This is called after receiving PORT_OPEN message. This attempts to * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION 
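Review bot: channel_connect_to() matches the host with strcmp(), so a permitopen entry applies only when the client requests exactly the same string — no case folding and no hostname/address equivalence; a comment above the loop, e.g. `/* exact string match on host; no patterns, no name resolution */`, would make that explicit for anyone who reads the `patterns` variable in auth-options.c. The loop keeps scanning after a match; a `break` once `permit = 1` is set is harmless and clearer. The denial is logged with the peer-supplied host bounded to `%.100s`, which is the right level for operators to watch for forwarding attempts outside a key's permitopen list.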
@@ -1837,55 +1917,25 @@ { u_short host_port; char *host, *originator_string; - int remote_channel, sock = -1, newch, i, denied; - u_int host_len, originator_len; + int remote_channel, sock = -1, newch; - /* Get remote channel number. */ remote_channel = packet_get_int(); - - /* Get host name to connect to. */ - host = packet_get_string(&host_len); - - /* Get port to connect to. */ + host = packet_get_string(NULL); host_port = packet_get_int(); - /* Get remote originator name. */ if (have_hostname_in_open) { - originator_string = packet_get_string(&originator_len); - originator_len += 4; /* size of packet_int */ + originator_string = packet_get_string(NULL); } else { originator_string = xstrdup("unknown (remote did not supply name)"); - originator_len = 0; /* no originator supplied */ } - - packet_integrity_check(plen, - 4 + 4 + host_len + 4 + originator_len, SSH_MSG_PORT_OPEN); - - /* Check if opening that port is permitted. */ - denied = 0; - if (!all_opens_permitted) { - /* Go trough all permitted ports. */ - for (i = 0; i < num_permitted_opens; i++) - if (permitted_opens[i].port_to_connect == host_port && - strcmp(permitted_opens[i].host_to_connect, host) == 0) - break; - - /* Check if we found the requested port among those permitted. */ - if (i >= num_permitted_opens) { - /* The port is not permitted. */ - log("Received request to connect to %.100s:%d, but the request was denied.", - host, host_port); - denied = 1; - } - } - sock = denied ? -1 : channel_connect_to(host, host_port); - if (sock > 0) { - /* Allocate a channel for this connection. */ + packet_done(); + sock = channel_connect_to(host, host_port); + if (sock != -1) { newch = channel_allocate(SSH_CHANNEL_CONNECTING, sock, originator_string); -/*XXX delay answer? */ channels[newch].remote_id = remote_channel; + /*XXX delay answer? 
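Review bot: `host` and `originator_string` are heap strings from packet_get_string()/xstrdup(), and the hunk does not show them being freed on the `sock == -1` path after the `packet_done()` check; channel_input_port_open() continues outside the hunk, so this is worth confirming rather than a defect I can point to. The switch from `sock > 0` to `sock != -1` is correct, since descriptor 0 is a valid return from connect_to(); a one-line comment, `/* 0 is a valid fd; connect_to() signals failure with -1 */`, would stop the comparison from being "tidied" back.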
*/ packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); packet_put_int(remote_channel); packet_put_int(newch); diff -ru openssh-2.5.1p2/channels.h openssh-2.5.2p1/channels.h --- openssh-2.5.1p2/channels.h 2001-02-16 12:34:57.000000000 +1100 +++ openssh-2.5.2p1/channels.h 2001-03-17 11:47:55.000000000 +1100 @@ -32,11 +32,13 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* RCSID("$OpenBSD: channels.h,v 1.27 2001/02/15 23:19:59 markus Exp $"); */ +/* RCSID("$OpenBSD: channels.h,v 1.28 2001/03/16 19:06:29 markus Exp $"); */ #ifndef CHANNELS_H #define CHANNELS_H +#include "buffer.h" + /* Definitions for channel types. */ #define SSH_CHANNEL_FREE 0 /* This channel is free (unused). */ #define SSH_CHANNEL_X11_LISTENER 1 /* Listening for inet X11 conn. */ @@ -226,12 +228,18 @@ u_short remote_port); /* - * Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually - * called by the server, because the user could connect to any port anyway, - * and the server has no way to know but to trust the client anyway. + * Permits opening to any host/port if permitted_opens[] is empty. This is + * usually called by the server, because the user could connect to any port + * anyway, and the server has no way to know but to trust the client anyway. */ void channel_permit_all_opens(void); +/* Add host/port to list of allowed targets for port forwarding */ +void channel_add_permitted_opens(char *host, int port); + +/* Flush list */ +void channel_clear_permitted_opens(void); + /* * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates * listening for the port, and sends back a success reply (or disconnect diff -ru openssh-2.5.1p2/cli.c openssh-2.5.2p1/cli.c --- openssh-2.5.1p2/cli.c 2001-02-11 08:45:02.000000000 +1100 +++ openssh-2.5.2p1/cli.c 2001-03-06 14:31:34.000000000 +1100 
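Review bot: The `/* Flush list */` comment on channel_clear_permitted_opens() in channels.h says less than a caller needs: the definition frees each stored host string and resets the count but does not touch all_opens_permitted, so after a clear every open is denied until channel_permit_all_opens() is called again. A fuller comment, `/* Free the permitted-opens list; opens stay denied until channel_permit_all_opens() is called again */`, would record that. The comment on channel_add_permitted_opens() could also say that `host` is copied, since the definition uses xstrdup().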
@@ -1,5 +1,31 @@ +/* $OpenBSD: cli.c,v 1.11 2001/03/06 00:33:04 deraadt Exp $ */ + +/* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + #include "includes.h" -RCSID("$OpenBSD: cli.c,v 1.9 2001/02/10 12:44:02 markus Exp $"); +RCSID("$OpenBSD: cli.c,v 1.11 2001/03/06 00:33:04 deraadt Exp $"); #include "xmalloc.h" #include "log.h" 
@@ -108,12 +134,16 @@ { char ch = 0; int i = 0; + int n; if (!echo) cli_echo_disable(); while (ch != '\n') { - if (read(cli_input, &ch, 1) != 1) + n = read(cli_input, &ch, 1); + if (n == -1 && (errno == EAGAIN || errno == EINTR)) + continue; + if (n != 1) break; if (ch == '\n' || intr != 0) break; diff -ru openssh-2.5.1p2/cli.h openssh-2.5.2p1/cli.h --- openssh-2.5.1p2/cli.h 2001-02-06 05:16:28.000000000 +1100 +++ openssh-2.5.2p1/cli.h 2001-03-05 17:50:48.000000000 +1100 
@@ -1,4 +1,30 @@ -/* $OpenBSD: cli.h,v 1.3 2001/01/16 23:58:09 deraadt Exp $ */ +/* $OpenBSD: cli.h,v 1.4 2001/03/01 03:38:33 deraadt Exp $ */ + +/* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* $OpenBSD: cli.h,v 1.4 2001/03/01 03:38:33 deraadt Exp $ */ #ifndef CLI_H #define CLI_H diff -ru openssh-2.5.1p2/clientloop.c openssh-2.5.2p1/clientloop.c --- openssh-2.5.1p2/clientloop.c 2001-02-15 14:12:08.000000000 +1100 +++ openssh-2.5.2p1/clientloop.c 2001-03-06 14:34:40.000000000 +1100 @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.51 2001/02/13 21:51:09 markus Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.53 2001/03/06 01:08:27 millert Exp $"); #include "ssh.h" #include "ssh1.h" 
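Review bot: The new cli.h header carries the `$OpenBSD: cli.h,v 1.4 ...$` tag twice, once on the first line and again after the license block; one of them should go, and the first-line form matches what cli.c does in this same diff.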
@@ -279,10 +279,8 @@ */ if ((u_char) buf[0] == escape_char) escape_pending = 1; - else { + else buffer_append(&stdin_buffer, buf, 1); - stdin_bytes += 1; - } } leave_non_blocking(); } @@ -310,6 +308,7 @@ packet_put_string(buffer_ptr(&stdin_buffer), len); packet_send(); buffer_consume(&stdin_buffer, len); + stdin_bytes += len; /* If we have a pending EOF, send it now. */ if (stdin_eof && buffer_len(&stdin_buffer) == 0) { packet_start(SSH_CMSG_EOF); @@ -420,7 +419,6 @@ /* Note: we might still have data in the buffers. */ snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno)); buffer_append(&stderr_buffer, buf, strlen(buf)); - stderr_bytes += strlen(buf); quit_pending = 1; } } @@ -486,7 +484,6 @@ snprintf(buf, sizeof buf, "Connection to %.300s closed by remote host.\r\n", host); buffer_append(&stderr_buffer, buf, strlen(buf)); - stderr_bytes += strlen(buf); quit_pending = 1; return; } @@ -494,7 +491,7 @@ * There is a kernel bug on Solaris that causes select to * sometimes wake up even though there is no data available. */ - if (len < 0 && errno == EAGAIN) + if (len < 0 && (errno == EAGAIN || errno == EINTR)) len = 0; if (len < 0) { @@ -502,7 +499,6 @@ snprintf(buf, sizeof buf, "Read from remote host %.300s: %.100s\r\n", host, strerror(errno)); buffer_append(&stderr_buffer, buf, strlen(buf)); - stderr_bytes += strlen(buf); quit_pending = 1; return; } @@ -536,7 +532,6 @@ /* Terminate the connection. */ snprintf(string, sizeof string, "%c.\r\n", escape_char); buffer_append(berr, string, strlen(string)); - /*stderr_bytes += strlen(string); XXX*/ quit_pending = 1; return -1; @@ -546,7 +541,6 @@ /* Print a message to that effect to the user. */ snprintf(string, sizeof string, "%c^Z [suspend ssh]\r\n", escape_char); buffer_append(berr, string, strlen(string)); - /*stderr_bytes += strlen(string); XXX*/ /* Restore terminal modes and suspend. */ client_suspend_self(bin, bout, berr); 
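Review bot: The comment above `if (len < 0 && (errno == EAGAIN || errno == EINTR)) len = 0;` (`@@ -494,7 +491,7 @@`) still explains only the Solaris spurious-wakeup case, but the condition now also swallows EINTR; extend it, e.g. `/* ... Also treat EINTR (signal during read) as "no data" and let select() run again. */`. The enclosing function starts and ends outside the hunk.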
@@ -656,7 +650,6 @@ void client_process_input(fd_set * readset) { - int ret; int len; char buf[8192]; @@ -673,7 +666,6 @@ if (len < 0) { snprintf(buf, sizeof buf, "read: %.100s\r\n", strerror(errno)); buffer_append(&stderr_buffer, buf, strlen(buf)); - stderr_bytes += strlen(buf); } /* Mark that we have seen EOF. */ stdin_eof = 1; @@ -694,16 +686,14 @@ * Just append the data to buffer. */ buffer_append(&stdin_buffer, buf, len); - stdin_bytes += len; } else { /* * Normal, successful read. But we have an escape character * and have to process the characters one by one. */ - ret = process_escapes(&stdin_buffer, &stdout_buffer, &stderr_buffer, buf, len); - if (ret == -1) + if (process_escapes(&stdin_buffer, &stdout_buffer, + &stderr_buffer, buf, len) == -1) return; - stdout_bytes += ret; } } } @@ -729,13 +719,13 @@ */ snprintf(buf, sizeof buf, "write stdout: %.50s\r\n", strerror(errno)); buffer_append(&stderr_buffer, buf, strlen(buf)); - stderr_bytes += strlen(buf); quit_pending = 1; return; } } /* Consume printed data from the buffer. */ buffer_consume(&stdout_buffer, len); + stdout_bytes += len; } /* Write buffered output to stderr. */ if (FD_ISSET(fileno(stderr), writeset)) { @@ -753,6 +743,7 @@ } /* Consume printed characters from the buffer. */ buffer_consume(&stderr_buffer, len); + stderr_bytes += len; } } @@ -939,7 +930,6 @@ if (have_pty && options.log_level != SYSLOG_LEVEL_QUIET) { snprintf(buf, sizeof buf, "Connection to %.64s closed.\r\n", host); buffer_append(&stderr_buffer, buf, strlen(buf)); - stderr_bytes += strlen(buf); } /* Output any buffered data for stdout. */ while (buffer_len(&stdout_buffer) > 0) { @@ -950,6 +940,7 @@ break; } buffer_consume(&stdout_buffer, len); + stdout_bytes += len; } /* Output any buffered data for stderr. */ @@ -961,6 +952,7 @@ break; } buffer_consume(&stderr_buffer, len); + stderr_bytes += len; } if (have_pty) 
@@ -995,7 +987,6 @@ char *data = packet_get_string(&data_len); packet_integrity_check(plen, 4 + data_len, type); buffer_append(&stdout_buffer, data, data_len); - stdout_bytes += data_len; memset(data, 0, data_len); xfree(data); } @@ -1006,7 +997,6 @@ char *data = packet_get_string(&data_len); packet_integrity_check(plen, 4 + data_len, type); buffer_append(&stderr_buffer, data, data_len); - stdout_bytes += data_len; memset(data, 0, data_len); xfree(data); } diff -ru openssh-2.5.1p2/compat.c openssh-2.5.2p1/compat.c --- openssh-2.5.1p2/compat.c 2001-02-19 21:51:08.000000000 +1100 +++ openssh-2.5.2p1/compat.c 2001-03-19 22:36:20.000000000 +1100 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: compat.c,v 1.35 2001/02/19 09:53:31 markus Exp $"); +RCSID("$OpenBSD: compat.c,v 1.39 2001/03/18 23:30:55 deraadt Exp $"); #ifdef HAVE_LIBPCRE # include @@ -31,7 +31,7 @@ # ifdef HAVE_REGEX_H # include # else -# include "fake-regex.h" +# include "openbsd-compat/fake-regex.h" # endif #endif /* HAVE_LIBPCRE */ 
@@ -74,20 +74,31 @@ { "MindTerm", 0 }, { "^2\\.1\\.0", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| SSH_OLD_SESSIONID|SSH_BUG_DEBUG }, + { "^2\\.1 ", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| + SSH_OLD_SESSIONID|SSH_BUG_DEBUG }, { "^2\\.0\\.1[3-9]", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| SSH_OLD_SESSIONID|SSH_BUG_DEBUG| - SSH_BUG_PKSERVICE|SSH_BUG_X11FWD }, + SSH_BUG_PKSERVICE|SSH_BUG_X11FWD| + SSH_BUG_PKOK }, { "^2\\.0\\.", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| SSH_OLD_SESSIONID|SSH_BUG_DEBUG| SSH_BUG_PKSERVICE|SSH_BUG_X11FWD| - SSH_BUG_PKAUTH }, - { "^2\\.[23]\\.0", SSH_BUG_HMAC}, + SSH_BUG_PKAUTH|SSH_BUG_PKOK }, + { "^2\\.[23]\\.0", SSH_BUG_HMAC }, { "^2\\.[2-9]\\.", 0 }, - { "^2\\.4$", SSH_OLD_SESSIONID}, /* Van Dyke */ - { "^3\\.0 SecureCRT", SSH_OLD_SESSIONID}, - { "^1\\.7 SecureFX", SSH_OLD_SESSIONID}, - { "^1\\.2\\.1[89]", SSH_BUG_IGNOREMSG}, - { "^1\\.2\\.2[012]", SSH_BUG_IGNOREMSG}, + { "^2\\.4$", SSH_OLD_SESSIONID }, /* Van Dyke */ + { "^3\\.0 SecureCRT", SSH_OLD_SESSIONID }, + { "^1\\.7 SecureFX", SSH_OLD_SESSIONID }, + { "^1\\.2\\.1[89]", SSH_BUG_IGNOREMSG }, + { "^1\\.2\\.2[012]", SSH_BUG_IGNOREMSG }, + { "^SSH Compatible Server", /* Netscreen */ + SSH_BUG_PASSWORDPAD }, + { "^OSU_0", SSH_BUG_PASSWORDPAD }, + { "^OSU_1\\.[0-4]", SSH_BUG_PASSWORDPAD }, + { "^OSU_1\\.5alpha[1-3]", + SSH_BUG_PASSWORDPAD }, + { "^SSH_Version_Mapper", + SSH_BUG_SCANNER }, { NULL, 0 } }; /* process table, return first match */ diff -ru openssh-2.5.1p2/compat.h openssh-2.5.2p1/compat.h --- openssh-2.5.1p2/compat.h 2001-02-19 21:51:08.000000000 +1100 +++ openssh-2.5.2p1/compat.h 2001-03-19 22:36:20.000000000 +1100 @@ -21,7 +21,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* RCSID("$OpenBSD: compat.h,v 1.15 2001/02/19 09:53:31 markus Exp $"); */ +/* RCSID("$OpenBSD: compat.h,v 1.18 2001/03/18 23:30:55 deraadt Exp $"); */ #ifndef COMPAT_H #define COMPAT_H 
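Review bot: The new `SSH_BUG_SCANNER` entry keys off the peer's self-reported version string (`^SSH_Version_Mapper`), so whatever sshd does with the flag is log-noise reduction for a cooperative scanner, not detection: a scanner that sends any other banner gets the ordinary treatment. A comment beside the entry, `/* identifies a self-announcing scanner; affects logging only, never an auth decision */`, would keep later readers from treating the flag as a control. The `SSH_BUG_PASSWORDPAD` entries likewise select behaviour on a client-chosen string, which the `/* process table, return first match */` comment could note is acceptable only because the flags change compatibility quirks.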
@@ -40,6 +40,9 @@ #define SSH_BUG_DEBUG 0x0040 #define SSH_BUG_BANNER 0x0080 #define SSH_BUG_IGNOREMSG 0x0100 +#define SSH_BUG_PKOK 0x0200 +#define SSH_BUG_PASSWORDPAD 0x0400 +#define SSH_BUG_SCANNER 0x0800 void enable_compat13(void); void enable_compat20(void); diff -ru openssh-2.5.1p2/config.h.in openssh-2.5.2p1/config.h.in --- openssh-2.5.1p2/config.h.in 2001-03-01 11:11:34.000000000 +1100 +++ openssh-2.5.2p1/config.h.in 2001-03-20 09:33:25.000000000 +1100 @@ -1,5 +1,5 @@ /* config.h.in. Generated automatically from configure.in by autoheader. */ -/* $Id: acconfig.h,v 1.105 2001/02/26 21:39:07 djm Exp $ */ +/* $Id: acconfig.h,v 1.108 2001/03/17 01:15:38 mouring Exp $ */ #ifndef _CONFIG_H #define _CONFIG_H @@ -105,8 +105,11 @@ /* Location of random number pool */ #undef RANDOM_POOL -/* Location of EGD random number socket */ -#undef EGD_SOCKET +/* Location of PRNGD/EGD random number socket */ +#undef PRNGD_SOCKET + +/* Port number of PRNGD/EGD random number socket */ +#undef PRNGD_PORT /* Builtin PRNG command timeout */ #undef ENTROPY_TIMEOUT_MSEC @@ -299,6 +302,12 @@ /* Needed for SCO and NeXT */ #undef BROKEN_SAVED_UIDS +/* Define if your system glob() function has the GLOB_ALTDIRFUNC extension */ +#undef GLOB_HAS_ALTDIRFUNC + +/* Define if your system glob() function has gl_matchc options in glob_t */ +#undef GLOB_HAS_GL_MATCHC + /* The number of bytes in a char. */ #undef SIZEOF_CHAR @@ -389,6 +398,9 @@ /* Define if you have the getttyent function. */ #undef HAVE_GETTTYENT +/* Define if you have the getusershell function. */ +#undef HAVE_GETUSERSHELL + /* Define if you have the getutent function. */ #undef HAVE_GETUTENT @@ -407,6 +419,9 @@ /* Define if you have the getutxline function. */ #undef HAVE_GETUTXLINE +/* Define if you have the glob function. */ +#undef HAVE_GLOB + /* Define if you have the inet_aton function. */ #undef HAVE_INET_ATON 
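Review bot: The three new flags in the compat.h hunk are bare bit values with no comment on which peer misbehaviour each works around, and the neighbouring flags visible here are equally undocumented, so a reader must grep compat.c and every `datafellows &` site to discover that `SSH_BUG_SCANNER` marks a banner from a version scanner rather than a real client. I would document at least the new ones inline, e.g. `#define SSH_BUG_SCANNER 0x0800 /* peer announced itself as a version scanner */`, and do the same for PKOK and PASSWORDPAD once their meaning is confirmed from the code that tests them (presumably publickey-OK handling and password padding, but that is an inference from the names only). The values 0x0200–0x0800 do not collide with the existing bits shown in the hunk.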
@@ -563,6 +578,9 @@ /* Define if you have the header file. */ #undef HAVE_GETOPT_H +/* Define if you have the header file. */ +#undef HAVE_GLOB_H + /* Define if you have the header file. */ #undef HAVE_KRB_H diff -ru openssh-2.5.1p2/configure openssh-2.5.2p1/configure --- openssh-2.5.1p2/configure 2001-03-01 11:11:35.000000000 +1100 +++ openssh-2.5.2p1/configure 2001-03-20 09:33:26.000000000 +1100 @@ -40,7 +40,9 @@ ac_help="$ac_help --with-random=FILE read entropy from FILE (default=/dev/urandom)" ac_help="$ac_help - --with-egd-pool=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)" + --with-prngd-port=PORT read entropy from PRNGD/EGD localhost:PORT" +ac_help="$ac_help + --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)" ac_help="$ac_help --with-catman=man|cat Install preformatted manpages[no]" ac_help="$ac_help @@ -597,7 +599,7 @@ # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:601: checking for $ac_word" >&5 +echo "configure:603: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -627,7 +629,7 @@ # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:631: checking for $ac_word" >&5 +echo "configure:633: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -678,7 +680,7 @@ # Extract the first word of "cl", so it can be a program name with args. set dummy cl; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:682: checking for $ac_word" >&5 +echo "configure:684: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -710,7 +712,7 @@ fi echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6 -echo "configure:714: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 +echo "configure:716: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 ac_ext=c # CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. @@ -721,12 +723,12 @@ cat > conftest.$ac_ext << EOF -#line 725 "configure" +#line 727 "configure" #include "confdefs.h" main(){return(0);} EOF -if { (eval echo configure:730: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:732: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then ac_cv_prog_cc_works=yes # If we can't run a trivial program, we are probably using a cross compiler. if (./conftest; exit) 2>/dev/null; then 
@@ -752,12 +754,12 @@ { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; } fi echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6 -echo "configure:756: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 +echo "configure:758: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6 cross_compiling=$ac_cv_prog_cc_cross echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6 -echo "configure:761: checking whether we are using GNU C" >&5 +echo "configure:763: checking whether we are using GNU C" >&5 if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -766,7 +768,7 @@ yes; #endif EOF -if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:770: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then +if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:772: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then ac_cv_prog_gcc=yes else ac_cv_prog_gcc=no @@ -785,7 +787,7 @@ ac_save_CFLAGS="$CFLAGS" CFLAGS= echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6 -echo "configure:789: checking whether ${CC-cc} accepts -g" >&5 +echo "configure:791: checking whether ${CC-cc} accepts -g" >&5 if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -842,7 +844,7 @@ fi echo $ac_n "checking host system type""... $ac_c" 1>&6 -echo "configure:846: checking host system type" >&5 +echo "configure:848: checking host system type" >&5 host_alias=$host case "$host_alias" in 
@@ -863,14 +865,14 @@ echo "$ac_t""$host" 1>&6 echo $ac_n "checking whether byte ordering is bigendian""... $ac_c" 1>&6 -echo "configure:867: checking whether byte ordering is bigendian" >&5 +echo "configure:869: checking whether byte ordering is bigendian" >&5 if eval "test \"`echo '$''{'ac_cv_c_bigendian'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else ac_cv_c_bigendian=unknown # See if sys/param.h defines the BYTE_ORDER macro. cat > conftest.$ac_ext < #include @@ -881,11 +883,11 @@ #endif ; return 0; } EOF -if { (eval echo configure:885: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:887: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* # It does; now see whether it defined to BIG_ENDIAN or not. cat > conftest.$ac_ext < #include @@ -896,7 +898,7 @@ #endif ; return 0; } EOF -if { (eval echo configure:900: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:902: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_c_bigendian=yes else @@ -916,7 +918,7 @@ { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:935: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_c_bigendian=no else @@ -955,7 +957,7 @@ # Checks for programs. echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6 -echo "configure:959: checking how to run the C preprocessor" >&5 +echo "configure:961: checking how to run the C preprocessor" >&5 # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then CPP= 
@@ -970,13 +972,13 @@ # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:980: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:982: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : @@ -987,13 +989,13 @@ rm -rf conftest* CPP="${CC-cc} -E -traditional-cpp" cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:997: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:999: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : @@ -1004,13 +1006,13 @@ rm -rf conftest* CPP="${CC-cc} -nologo -E" cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:1014: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:1016: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : @@ -1037,7 +1039,7 @@ # Extract the first word of "ranlib", so it can be a program name with args. set dummy ranlib; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1041: checking for $ac_word" >&5 +echo "configure:1043: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -1076,7 +1078,7 @@ # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" # ./install, which can be erroneously created by make from ./install.sh. echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6 -echo "configure:1080: checking for a BSD compatible install" >&5 +echo "configure:1082: checking for a BSD compatible install" >&5 if test -z "$INSTALL"; then if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -1131,7 +1133,7 @@ # Extract the first word of "ar", so it can be a program name with args. set dummy ar; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1135: checking for $ac_word" >&5 +echo "configure:1137: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_AR'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -1166,7 +1168,7 @@ # Extract the first word of "perl", so it can be a program name with args. set dummy perl; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1170: checking for $ac_word" >&5 +echo "configure:1172: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PERL'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -1202,7 +1204,7 @@ # Extract the first word of "ent", so it can be a program name with args. set dummy ent; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1206: checking for $ac_word" >&5 +echo "configure:1208: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_ENT'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -1240,7 +1242,7 @@ # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1244: checking for $ac_word" >&5 +echo "configure:1246: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_FILEPRIV'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -1279,7 +1281,7 @@ # Extract the first word of "bash", so it can be a program name with args. set dummy bash; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1283: checking for $ac_word" >&5 +echo "configure:1285: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_TEST_MINUS_S_SH'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -1314,7 +1316,7 @@ # Extract the first word of "ksh", so it can be a program name with args. set dummy ksh; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1318: checking for $ac_word" >&5 +echo "configure:1320: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_TEST_MINUS_S_SH'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -1349,7 +1351,7 @@ # Extract the first word of "sh", so it can be a program name with args. set dummy sh; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1353: checking for $ac_word" >&5 +echo "configure:1355: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_TEST_MINUS_S_SH'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -1397,7 +1399,7 @@ # Extract the first word of "login", so it can be a program name with args. set dummy login; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1401: checking for $ac_word" >&5 +echo "configure:1403: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_LOGIN_PROGRAM_FALLBACK'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -1444,21 +1446,21 @@ # C Compiler features echo $ac_n "checking for inline""... $ac_c" 1>&6 -echo "configure:1448: checking for inline" >&5 +echo "configure:1450: checking for inline" >&5 if eval "test \"`echo '$''{'ac_cv_c_inline'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else ac_cv_c_inline=no for ac_kw in inline __inline__ __inline; do cat > conftest.$ac_ext <&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:1464: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_c_inline=$ac_kw; break else @@ -1497,12 +1499,12 @@ blibpath="/usr/lib:/lib:/usr/local/lib" fi echo $ac_n "checking for authenticate""... $ac_c" 1>&6 -echo "configure:1501: checking for authenticate" >&5 +echo "configure:1503: checking for authenticate" >&5 if eval "test \"`echo '$''{'ac_cv_func_authenticate'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1531: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_authenticate=yes" else @@ -1678,12 +1680,12 @@ EOF echo $ac_n "checking for jlimit_startjob""... $ac_c" 1>&6 -echo "configure:1682: checking for jlimit_startjob" >&5 +echo "configure:1684: checking for jlimit_startjob" >&5 if eval "test \"`echo '$''{'ac_cv_func_jlimit_startjob'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1712: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_jlimit_startjob=yes" else 
@@ -1756,7 +1758,7 @@ SONY=1 echo $ac_n "checking for xatexit in -liberty""... $ac_c" 1>&6 -echo "configure:1760: checking for xatexit in -liberty" >&5 +echo "configure:1762: checking for xatexit in -liberty" >&5 ac_lib_var=`echo iberty'_'xatexit | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -1764,7 +1766,7 @@ ac_save_LIBS="$LIBS" LIBS="-liberty $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1781: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -1842,7 +1844,7 @@ # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/var/adm/lastlog" echo $ac_n "checking for obsolete utmp and wtmp in solaris2.x""... $ac_c" 1>&6 -echo "configure:1846: checking for obsolete utmp and wtmp in solaris2.x" >&5 +echo "configure:1848: checking for obsolete utmp and wtmp in solaris2.x" >&5 sol2ver=`echo "$host"| sed -e 's/.*[0-9]\.//'` if test "$sol2ver" -ge 8; then echo "$ac_t""yes" 1>&6 @@ -1863,12 +1865,12 @@ for ac_func in getpwanam do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:1867: checking for $ac_func" >&5 +echo "configure:1869: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1897: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -1953,6 +1955,10 @@ #define IP_TOS_IS_BROKEN 1 EOF + cat >> confdefs.h <<\EOF +#define HAVE_BOGUS_SYS_QUEUE_H 1 +EOF + mansubdir=cat LIBS="$LIBS -lgen -lnsl -lucb" ;; 
@@ -2021,12 +2027,12 @@ for ac_func in getluid setluid do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2025: checking for $ac_func" >&5 +echo "configure:2031: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2059: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -2101,12 +2107,12 @@ for ac_func in getluid setluid do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2105: checking for $ac_func" >&5 +echo "configure:2111: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2139: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -2157,7 +2163,7 @@ *-dec-osf*) if test ! -z "USE_SIA" ; then echo $ac_n "checking for Digital Unix Security Integration Architecture""... $ac_c" 1>&6 -echo "configure:2161: checking for Digital Unix Security Integration Architecture" >&5 +echo "configure:2167: checking for Digital Unix Security Integration Architecture" >&5 if test -f /etc/sia/matrix.conf; then echo "$ac_t""yes" 1>&6 cat >> confdefs.h <<\EOF @@ -2228,7 +2234,7 @@ echo $ac_n "checking for pcre_info in -lpcre""... $ac_c" 1>&6 -echo "configure:2232: checking for pcre_info in -lpcre" >&5 +echo "configure:2238: checking for pcre_info in -lpcre" >&5 ac_lib_var=`echo pcre'_'pcre_info | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 
@@ -2236,7 +2242,7 @@ ac_save_LIBS="$LIBS" LIBS="-lpcre $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2257: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2284,7 +2290,7 @@ # Checks for libraries. if test -z "$no_libnsl" ; then echo $ac_n "checking for yp_match in -lnsl""... $ac_c" 1>&6 -echo "configure:2288: checking for yp_match in -lnsl" >&5 +echo "configure:2294: checking for yp_match in -lnsl" >&5 ac_lib_var=`echo nsl'_'yp_match | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2292,7 +2298,7 @@ ac_save_LIBS="$LIBS" LIBS="-lnsl $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2313: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2333,7 +2339,7 @@ fi if test -z "$no_libsocket" ; then echo $ac_n "checking for main in -lsocket""... $ac_c" 1>&6 -echo "configure:2337: checking for main in -lsocket" >&5 +echo "configure:2343: checking for main in -lsocket" >&5 ac_lib_var=`echo socket'_'main | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2341,14 +2347,14 @@ ac_save_LIBS="$LIBS" LIBS="-lsocket $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2358: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -2378,7 +2384,7 @@ fi echo $ac_n "checking for innetgr in -lrpc""... $ac_c" 1>&6 -echo "configure:2382: checking for innetgr in -lrpc" >&5 +echo "configure:2388: checking for innetgr in -lrpc" >&5 ac_lib_var=`echo rpc'_'innetgr | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2386,7 +2392,7 @@ ac_save_LIBS="$LIBS" LIBS="-lrpc -lyp -lrpc $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2407: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2419,7 +2425,7 @@ echo $ac_n "checking for getspnam in -lgen""... $ac_c" 1>&6 -echo "configure:2423: checking for getspnam in -lgen" >&5 +echo "configure:2429: checking for getspnam in -lgen" >&5 ac_lib_var=`echo gen'_'getspnam | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2427,7 +2433,7 @@ ac_save_LIBS="$LIBS" LIBS="-lgen $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2448: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2459,7 +2465,7 @@ fi echo $ac_n "checking for deflate in -lz""... $ac_c" 1>&6 -echo "configure:2463: checking for deflate in -lz" >&5 +echo "configure:2469: checking for deflate in -lz" >&5 ac_lib_var=`echo z'_'deflate | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 
@@ -2467,7 +2473,7 @@ ac_save_LIBS="$LIBS" LIBS="-lz $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2488: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2507,7 +2513,7 @@ fi echo $ac_n "checking for login in -lutil""... $ac_c" 1>&6 -echo "configure:2511: checking for login in -lutil" >&5 +echo "configure:2517: checking for login in -lutil" >&5 ac_lib_var=`echo util'_'login | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2515,7 +2521,7 @@ ac_save_LIBS="$LIBS" LIBS="-lutil $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2536: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2553,12 +2559,12 @@ # We don't want to check if we did an pcre override. if test -z "$no_comp_check" ; then echo $ac_n "checking for regcomp""... $ac_c" 1>&6 -echo "configure:2557: checking for regcomp" >&5 +echo "configure:2563: checking for regcomp" >&5 if eval "test \"`echo '$''{'ac_cv_func_regcomp'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2591: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_regcomp=yes" else 
@@ -2603,7 +2609,7 @@ echo "$ac_t""no" 1>&6 echo $ac_n "checking for pcre_info in -lpcre""... $ac_c" 1>&6 -echo "configure:2607: checking for pcre_info in -lpcre" >&5 +echo "configure:2613: checking for pcre_info in -lpcre" >&5 ac_lib_var=`echo pcre'_'pcre_info | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2611,7 +2617,7 @@ ac_save_LIBS="$LIBS" LIBS="-lpcre $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2632: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2658,12 +2664,12 @@ fi echo $ac_n "checking for strcasecmp""... $ac_c" 1>&6 -echo "configure:2662: checking for strcasecmp" >&5 +echo "configure:2668: checking for strcasecmp" >&5 if eval "test \"`echo '$''{'ac_cv_func_strcasecmp'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2696: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_strcasecmp=yes" else @@ -2704,7 +2710,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for strcasecmp in -lresolv""... $ac_c" 1>&6 -echo "configure:2708: checking for strcasecmp in -lresolv" >&5 +echo "configure:2714: checking for strcasecmp in -lresolv" >&5 ac_lib_var=`echo resolv'_'strcasecmp | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2712,7 +2718,7 @@ ac_save_LIBS="$LIBS" LIBS="-lresolv $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2733: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -2747,12 +2753,12 @@ fi echo $ac_n "checking for utimes""... $ac_c" 1>&6 -echo "configure:2751: checking for utimes" >&5 +echo "configure:2757: checking for utimes" >&5 if eval "test \"`echo '$''{'ac_cv_func_utimes'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2785: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_utimes=yes" else @@ -2793,7 +2799,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for utimes in -lc89""... $ac_c" 1>&6 -echo "configure:2797: checking for utimes in -lc89" >&5 +echo "configure:2803: checking for utimes in -lc89" >&5 ac_lib_var=`echo c89'_'utimes | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2801,7 +2807,7 @@ ac_save_LIBS="$LIBS" LIBS="-lc89 $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2822: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2837,12 +2843,12 @@ echo $ac_n "checking for strftime""... $ac_c" 1>&6 -echo "configure:2841: checking for strftime" >&5 +echo "configure:2847: checking for strftime" >&5 if eval "test \"`echo '$''{'ac_cv_func_strftime'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2875: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_strftime=yes" else 
@@ -2887,7 +2893,7 @@ echo "$ac_t""no" 1>&6 # strftime is in -lintl on SCO UNIX. echo $ac_n "checking for strftime in -lintl""... $ac_c" 1>&6 -echo "configure:2891: checking for strftime in -lintl" >&5 +echo "configure:2897: checking for strftime in -lintl" >&5 ac_lib_var=`echo intl'_'strftime | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2895,7 +2901,7 @@ ac_save_LIBS="$LIBS" LIBS="-lintl $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2916: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -2934,21 +2940,21 @@ # Checks for header files. -for ac_hdr in bstring.h endian.h floatingpoint.h getopt.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h regex.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/queue.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h +for ac_hdr in bstring.h endian.h floatingpoint.h getopt.h glob.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h regex.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/queue.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h do ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 -echo "configure:2942: checking for $ac_hdr" >&5 +echo "configure:2948: checking for $ac_hdr" >&5 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:2952: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:2958: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then rm -rf conftest* 
@@ -2975,6 +2981,72 @@ done +# Check for ALTDIRFUNC glob() extension +echo $ac_n "checking for GLOB_ALTDIRFUNC support""... $ac_c" 1>&6 +echo "configure:2987: checking for GLOB_ALTDIRFUNC support" >&5 +cat > conftest.$ac_ext < + #ifdef GLOB_ALTDIRFUNC + FOUNDIT + #endif + +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "FOUNDIT" >/dev/null 2>&1; then + rm -rf conftest* + + cat >> confdefs.h <<\EOF +#define GLOB_HAS_ALTDIRFUNC 1 +EOF + + echo "$ac_t""yes" 1>&6 + +else + rm -rf conftest* + + echo "$ac_t""no" 1>&6 + + +fi +rm -f conftest* + + +# Check for g.gl_matchc glob() extension +echo $ac_n "checking for gl_matchc field in glob_t""... $ac_c" 1>&6 +echo "configure:3020: checking for gl_matchc field in glob_t" >&5 +cat > conftest.$ac_ext < + int main(void){glob_t g; g.gl_matchc = 1;} + +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "FOUNDIT" >/dev/null 2>&1; then + rm -rf conftest* + + cat >> confdefs.h <<\EOF +#define GLOB_HAS_GL_MATCHC 1 +EOF + + echo "$ac_t""yes" 1>&6 + +else + rm -rf conftest* + + echo "$ac_t""no" 1>&6 + + +fi +rm -f conftest* + + + + # Check whether user wants Kerberos support KRB4_MSG="no" # Check whether --with-kerberos4 or --without-kerberos4 was given. @@ -3002,17 +3074,17 @@ do ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 -echo "configure:3006: checking for $ac_hdr" >&5 +echo "configure:3078: checking for $ac_hdr" >&5 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:3016: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:3088: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then rm -rf conftest* 
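Review bot: The gl_matchc probe can never succeed: it pipes the test source through `$ac_cpp` and greps for `FOUNDIT` exactly like the GLOB_ALTDIRFUNC probe above it, but its program `int main(void){glob_t g; g.gl_matchc = 1;}` contains no `FOUNDIT` token, so the `egrep "FOUNDIT"` fails on every platform and GLOB_HAS_GL_MATCHC is never defined even where glob_t has the field. A preprocessor-and-grep check cannot detect a struct member; this needs a compile test, which in the configure.in this script is generated from would be `AC_TRY_COMPILE([#include <glob.h>], [glob_t g; g.gl_matchc = 1;], [AC_DEFINE(GLOB_HAS_GL_MATCHC) AC_MSG_RESULT(yes)], [AC_MSG_RESULT(no)])`, with the shell regenerated from it. Presumably this define gates whether the system glob() or the bundled replacement is used, so the silent failure means the bundled one is always selected — which may be the safer outcome, but it defeats the probe's purpose and hides the mistake. Some angle-bracket text (the heredoc terminator and the `#include <glob.h>` line) appears to have been lost in extraction, so the quoted program is what survives of it.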
@@ -3039,7 +3111,7 @@ done echo $ac_n "checking for main in -lkrb""... $ac_c" 1>&6 -echo "configure:3043: checking for main in -lkrb" >&5 +echo "configure:3115: checking for main in -lkrb" >&5 ac_lib_var=`echo krb'_'main | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -3047,14 +3119,14 @@ ac_save_LIBS="$LIBS" LIBS="-lkrb $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3130: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -3090,7 +3162,7 @@ KLIBS="-lkrb -ldes" echo $ac_n "checking for dn_expand in -lresolv""... $ac_c" 1>&6 -echo "configure:3094: checking for dn_expand in -lresolv" >&5 +echo "configure:3166: checking for dn_expand in -lresolv" >&5 ac_lib_var=`echo resolv'_'dn_expand | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -3098,7 +3170,7 @@ ac_save_LIBS="$LIBS" LIBS="-lresolv $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3185: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -3202,12 +3274,12 @@ SKEY_MSG="yes" echo $ac_n "checking for skey_keyinfo""... $ac_c" 1>&6 -echo "configure:3206: checking for skey_keyinfo" >&5 +echo "configure:3278: checking for skey_keyinfo" >&5 if eval "test \"`echo '$''{'ac_cv_func_skey_keyinfo'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3306: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_skey_keyinfo=yes" else 
@@ -3268,9 +3340,9 @@ saved_LIBS="$LIBS" LIBS="-lwrap $LIBS" echo $ac_n "checking for libwrap""... $ac_c" 1>&6 -echo "configure:3272: checking for libwrap" >&5 +echo "configure:3344: checking for libwrap" >&5 cat > conftest.$ac_ext < @@ -3280,7 +3352,7 @@ hosts_access(0); ; return 0; } EOF -if { (eval echo configure:3284: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3356: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* echo "$ac_t""yes" 1>&6 
@@ -3306,15 +3378,15 @@ fi -for ac_func in arc4random atexit b64_ntop bcopy bindresvport_sa clock fchown fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getgrouplist getnameinfo getrlimit getrusage getttyent inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strmode strsep strtok_r sysconf tcgetpgrp utimes vsnprintf vhangup vis waitpid _getpty __b64_ntop +for ac_func in arc4random atexit b64_ntop bcopy bindresvport_sa clock fchown fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getgrouplist getnameinfo getrlimit getrusage getttyent getusershell glob inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strmode strsep strtok_r sysconf tcgetpgrp utimes vsnprintf vhangup vis waitpid _getpty __b64_ntop do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:3313: checking for $ac_func" >&5 +echo "configure:3385: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3413: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else 
@@ -3364,12 +3436,12 @@ for ac_func in gettimeofday time do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:3368: checking for $ac_func" >&5 +echo "configure:3440: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3468: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -3420,17 +3492,17 @@ do ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 -echo "configure:3424: checking for $ac_hdr" >&5 +echo "configure:3496: checking for $ac_hdr" >&5 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:3434: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:3506: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then rm -rf conftest* @@ -3459,12 +3531,12 @@ for ac_func in login logout updwtmp logwtmp do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:3463: checking for $ac_func" >&5 +echo "configure:3535: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3563: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else 
@@ -3514,12 +3586,12 @@ for ac_func in endutent getutent getutid getutline pututline setutent do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:3518: checking for $ac_func" >&5 +echo "configure:3590: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3618: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -3569,12 +3641,12 @@ for ac_func in utmpname do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:3573: checking for $ac_func" >&5 +echo "configure:3645: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3673: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -3624,12 +3696,12 @@ for ac_func in endutxent getutxent getutxid getutxline pututxline do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:3628: checking for $ac_func" >&5 +echo "configure:3700: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3728: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else 
@@ -3679,12 +3751,12 @@ for ac_func in setutxent utmpxname do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:3683: checking for $ac_func" >&5 +echo "configure:3755: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3783: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -3733,12 +3805,12 @@ echo $ac_n "checking for getuserattr""... $ac_c" 1>&6 -echo "configure:3737: checking for getuserattr" >&5 +echo "configure:3809: checking for getuserattr" >&5 if eval "test \"`echo '$''{'ac_cv_func_getuserattr'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3837: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_getuserattr=yes" else @@ -3782,7 +3854,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for getuserattr in -ls""... $ac_c" 1>&6 -echo "configure:3786: checking for getuserattr in -ls" >&5 +echo "configure:3858: checking for getuserattr in -ls" >&5 ac_lib_var=`echo s'_'getuserattr | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -3790,7 +3862,7 @@ ac_save_LIBS="$LIBS" LIBS="-ls $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3877: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -3829,12 +3901,12 @@ echo $ac_n "checking for login""... $ac_c" 1>&6 -echo "configure:3833: checking for login" >&5 +echo "configure:3905: checking for login" >&5 if eval "test \"`echo '$''{'ac_cv_func_login'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3933: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_login=yes" else @@ -3878,7 +3950,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for login in -lbsd""... $ac_c" 1>&6 -echo "configure:3882: checking for login in -lbsd" >&5 +echo "configure:3954: checking for login in -lbsd" >&5 ac_lib_var=`echo bsd'_'login | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -3886,7 +3958,7 @@ ac_save_LIBS="$LIBS" LIBS="-lbsd $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3973: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -3925,12 +3997,12 @@ echo $ac_n "checking for daemon""... $ac_c" 1>&6 -echo "configure:3929: checking for daemon" >&5 +echo "configure:4001: checking for daemon" >&5 if eval "test \"`echo '$''{'ac_cv_func_daemon'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:4029: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_daemon=yes" else 
@@ -3974,7 +4046,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for daemon in -lbsd""... $ac_c" 1>&6 -echo "configure:3978: checking for daemon in -lbsd" >&5 +echo "configure:4050: checking for daemon in -lbsd" >&5 ac_lib_var=`echo bsd'_'daemon | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -3982,7 +4054,7 @@ ac_save_LIBS="$LIBS" LIBS="-lbsd $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:4069: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -4021,12 +4093,12 @@ echo $ac_n "checking for getpagesize""... $ac_c" 1>&6 -echo "configure:4025: checking for getpagesize" >&5 +echo "configure:4097: checking for getpagesize" >&5 if eval "test \"`echo '$''{'ac_cv_func_getpagesize'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:4125: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_getpagesize=yes" else @@ -4070,7 +4142,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for getpagesize in -lucb""... $ac_c" 1>&6 -echo "configure:4074: checking for getpagesize in -lucb" >&5 +echo "configure:4146: checking for getpagesize in -lucb" >&5 ac_lib_var=`echo ucb'_'getpagesize | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -4078,7 +4150,7 @@ ac_save_LIBS="$LIBS" LIBS="-lucb $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:4165: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -4119,19 +4191,19 @@ # Check for broken snprintf if test "x$ac_cv_func_snprintf" = "xyes" ; then echo $ac_n "checking whether snprintf correctly terminates long strings""... $ac_c" 1>&6 -echo "configure:4123: checking whether snprintf correctly terminates long strings" >&5 +echo "configure:4195: checking whether snprintf correctly terminates long strings" >&5 if test "$cross_compiling" = yes; then { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < int main(void){char b[5];snprintf(b,5,"123456789");return(b[4]!='\0');} EOF -if { (eval echo configure:4135: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4207: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then echo "$ac_t""yes" 1>&6 else @@ -4154,7 +4226,7 @@ fi echo $ac_n "checking whether getpgrp takes no argument""... $ac_c" 1>&6 -echo "configure:4158: checking whether getpgrp takes no argument" >&5 +echo "configure:4230: checking whether getpgrp takes no argument" >&5 if eval "test \"`echo '$''{'ac_cv_func_getpgrp_void'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4162,7 +4234,7 @@ { echo "configure: error: cannot check getpgrp if cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4293: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_func_getpgrp_void=yes else 
@@ -4253,7 +4325,7 @@ fi echo $ac_n "checking for dlopen in -ldl""... $ac_c" 1>&6 -echo "configure:4257: checking for dlopen in -ldl" >&5 +echo "configure:4329: checking for dlopen in -ldl" >&5 ac_lib_var=`echo dl'_'dlopen | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -4261,7 +4333,7 @@ ac_save_LIBS="$LIBS" LIBS="-ldl $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:4348: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -4300,7 +4372,7 @@ fi echo $ac_n "checking for pam_set_item in -lpam""... $ac_c" 1>&6 -echo "configure:4304: checking for pam_set_item in -lpam" >&5 +echo "configure:4376: checking for pam_set_item in -lpam" >&5 ac_lib_var=`echo pam'_'pam_set_item | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -4308,7 +4380,7 @@ ac_save_LIBS="$LIBS" LIBS="-lpam $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:4395: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -4350,12 +4422,12 @@ for ac_func in pam_getenvlist do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:4354: checking for $ac_func" >&5 +echo "configure:4426: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:4454: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else 
@@ -4420,9 +4492,9 @@ if test "x$PAM_MSG" = "xyes" ; then # Check PAM strerror arguments (old PAM) echo $ac_n "checking whether pam_strerror takes only one argument""... $ac_c" 1>&6 -echo "configure:4424: checking whether pam_strerror takes only one argument" >&5 +echo "configure:4496: checking whether pam_strerror takes only one argument" >&5 cat > conftest.$ac_ext < @@ -4432,7 +4504,7 @@ (void)pam_strerror((pam_handle_t *)NULL, -1); ; return 0; } EOF -if { (eval echo configure:4436: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4508: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""no" 1>&6 else @@ -4472,7 +4544,7 @@ tryssldir="$tryssldir $prefix" fi echo $ac_n "checking for OpenSSL directory""... $ac_c" 1>&6 -echo "configure:4476: checking for OpenSSL directory" >&5 +echo "configure:4548: checking for OpenSSL directory" >&5 if eval "test \"`echo '$''{'ac_cv_openssldir'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4515,7 +4587,7 @@ { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < @@ -4529,7 +4601,7 @@ } EOF -if { (eval echo configure:4533: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4605: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then found_crypto=1 @@ -4598,7 +4670,7 @@ # Now test RSA support saved_LIBS="$LIBS" echo $ac_n "checking for RSA support""... $ac_c" 1>&6 -echo "configure:4602: checking for RSA support" >&5 +echo "configure:4674: checking for RSA support" >&5 for WANTS_RSAREF in "" 1 ; do if test -z "$WANTS_RSAREF" ; then LIBS="$saved_LIBS" @@ -4609,7 +4681,7 @@ { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < 
@@ -4628,7 +4700,7 @@ } EOF -if { (eval echo configure:4632: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4704: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then rsa_works=1 @@ -4666,7 +4738,7 @@ # version in OpenSSL. Skip this for PAM if test "x$PAM_MSG" = "xno" -a "x$check_for_libcrypt_later" = "x1"; then echo $ac_n "checking for crypt in -lcrypt""... $ac_c" 1>&6 -echo "configure:4670: checking for crypt in -lcrypt" >&5 +echo "configure:4742: checking for crypt in -lcrypt" >&5 ac_lib_var=`echo crypt'_'crypt | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -4674,7 +4746,7 @@ ac_save_LIBS="$LIBS" LIBS="-lcrypt $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:4761: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -4714,7 +4786,7 @@ # Checks for data types echo $ac_n "checking size of char""... $ac_c" 1>&6 -echo "configure:4718: checking size of char" >&5 +echo "configure:4790: checking size of char" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_char'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4722,7 +4794,7 @@ ac_cv_sizeof_char=1 else cat > conftest.$ac_ext < main() @@ -4733,7 +4805,7 @@ exit(0); } EOF -if { (eval echo configure:4737: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4809: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_char=`cat conftestval` else 
@@ -4753,7 +4825,7 @@ echo $ac_n "checking size of short int""... $ac_c" 1>&6 -echo "configure:4757: checking size of short int" >&5 +echo "configure:4829: checking size of short int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_short_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4761,7 +4833,7 @@ ac_cv_sizeof_short_int=2 else cat > conftest.$ac_ext < main() @@ -4772,7 +4844,7 @@ exit(0); } EOF -if { (eval echo configure:4776: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4848: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_short_int=`cat conftestval` else @@ -4792,7 +4864,7 @@ echo $ac_n "checking size of int""... $ac_c" 1>&6 -echo "configure:4796: checking size of int" >&5 +echo "configure:4868: checking size of int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4800,7 +4872,7 @@ ac_cv_sizeof_int=4 else cat > conftest.$ac_ext < main() @@ -4811,7 +4883,7 @@ exit(0); } EOF -if { (eval echo configure:4815: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4887: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_int=`cat conftestval` else @@ -4831,7 +4903,7 @@ echo $ac_n "checking size of long int""... $ac_c" 1>&6 -echo "configure:4835: checking size of long int" >&5 +echo "configure:4907: checking size of long int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_long_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4839,7 +4911,7 @@ ac_cv_sizeof_long_int=4 else cat > conftest.$ac_ext < main() 
@@ -4850,7 +4922,7 @@ exit(0); } EOF -if { (eval echo configure:4854: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4926: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_long_int=`cat conftestval` else @@ -4870,7 +4942,7 @@ echo $ac_n "checking size of long long int""... $ac_c" 1>&6 -echo "configure:4874: checking size of long long int" >&5 +echo "configure:4946: checking size of long long int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_long_long_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4878,7 +4950,7 @@ ac_cv_sizeof_long_long_int=8 else cat > conftest.$ac_ext < main() @@ -4889,7 +4961,7 @@ exit(0); } EOF -if { (eval echo configure:4893: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4965: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_long_long_int=`cat conftestval` else @@ -4911,20 +4983,20 @@ # More checks for data types echo $ac_n "checking for u_int type""... $ac_c" 1>&6 -echo "configure:4915: checking for u_int type" >&5 +echo "configure:4987: checking for u_int type" >&5 if eval "test \"`echo '$''{'ac_cv_have_u_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { u_int a; a = 1; ; return 0; } EOF -if { (eval echo configure:4928: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5000: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_u_int="yes" else 
@@ -4948,20 +5020,20 @@ fi echo $ac_n "checking for intXX_t types""... $ac_c" 1>&6 -echo "configure:4952: checking for intXX_t types" >&5 +echo "configure:5024: checking for intXX_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_intxx_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { int8_t a; int16_t b; int32_t c; a = b = c = 1; ; return 0; } EOF -if { (eval echo configure:4965: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5037: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_intxx_t="yes" else @@ -4985,20 +5057,20 @@ fi echo $ac_n "checking for int64_t type""... $ac_c" 1>&6 -echo "configure:4989: checking for int64_t type" >&5 +echo "configure:5061: checking for int64_t type" >&5 if eval "test \"`echo '$''{'ac_cv_have_int64_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { int64_t a; a = 1; ; return 0; } EOF -if { (eval echo configure:5002: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5074: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_int64_t="yes" else @@ -5022,20 +5094,20 @@ fi echo $ac_n "checking for u_intXX_t types""... $ac_c" 1>&6 -echo "configure:5026: checking for u_intXX_t types" >&5 +echo "configure:5098: checking for u_intXX_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_u_intxx_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1; ; return 0; } EOF -if { (eval echo configure:5039: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5111: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_u_intxx_t="yes" else 
@@ -5059,20 +5131,20 @@ fi echo $ac_n "checking for u_int64_t types""... $ac_c" 1>&6 -echo "configure:5063: checking for u_int64_t types" >&5 +echo "configure:5135: checking for u_int64_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_u_int64_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { u_int64_t a; a = 1; ; return 0; } EOF -if { (eval echo configure:5076: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5148: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_u_int64_t="yes" else @@ -5099,9 +5171,9 @@ test "x$ac_cv_header_sys_bitypes_h" = "xyes") then echo $ac_n "checking for intXX_t and u_intXX_t types in sys/bitypes.h""... $ac_c" 1>&6 -echo "configure:5103: checking for intXX_t and u_intXX_t types in sys/bitypes.h" >&5 +echo "configure:5175: checking for intXX_t and u_intXX_t types in sys/bitypes.h" >&5 cat > conftest.$ac_ext < @@ -5114,7 +5186,7 @@ ; return 0; } EOF -if { (eval echo configure:5118: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5190: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* cat >> confdefs.h <<\EOF @@ -5139,13 +5211,13 @@ if test -z "$have_u_intxx_t" ; then echo $ac_n "checking for uintXX_t types""... $ac_c" 1>&6 -echo "configure:5143: checking for uintXX_t types" >&5 +echo "configure:5215: checking for uintXX_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_uintxx_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5154,7 +5226,7 @@ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1; ; return 0; } EOF -if { (eval echo configure:5158: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5230: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_uintxx_t="yes" else 
@@ -5178,13 +5250,13 @@ fi echo $ac_n "checking for socklen_t""... $ac_c" 1>&6 -echo "configure:5182: checking for socklen_t" >&5 +echo "configure:5254: checking for socklen_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_socklen_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5194,7 +5266,7 @@ socklen_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:5198: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5270: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_socklen_t="yes" else @@ -5217,13 +5289,13 @@ fi echo $ac_n "checking for size_t""... $ac_c" 1>&6 -echo "configure:5221: checking for size_t" >&5 +echo "configure:5293: checking for size_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_size_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5232,7 +5304,7 @@ size_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:5236: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5308: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_size_t="yes" else @@ -5255,13 +5327,13 @@ fi echo $ac_n "checking for ssize_t""... $ac_c" 1>&6 -echo "configure:5259: checking for ssize_t" >&5 +echo "configure:5331: checking for ssize_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_ssize_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5270,7 +5342,7 @@ ssize_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:5274: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5346: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_ssize_t="yes" else 
@@ -5293,13 +5365,13 @@ fi echo $ac_n "checking for clock_t""... $ac_c" 1>&6 -echo "configure:5297: checking for clock_t" >&5 +echo "configure:5369: checking for clock_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_clock_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5308,7 +5380,7 @@ clock_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:5312: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5384: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_clock_t="yes" else @@ -5331,13 +5403,13 @@ fi echo $ac_n "checking for sa_family_t""... $ac_c" 1>&6 -echo "configure:5335: checking for sa_family_t" >&5 +echo "configure:5407: checking for sa_family_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_sa_family_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5347,7 +5419,7 @@ sa_family_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:5351: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5423: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_sa_family_t="yes" else @@ -5355,7 +5427,7 @@ cat conftest.$ac_ext >&5 rm -rf conftest* cat > conftest.$ac_ext < @@ -5366,7 +5438,7 @@ sa_family_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:5370: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5442: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_sa_family_t="yes" else @@ -5392,13 +5464,13 @@ fi echo $ac_n "checking for pid_t""... $ac_c" 1>&6 -echo "configure:5396: checking for pid_t" >&5 +echo "configure:5468: checking for pid_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_pid_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < 
@@ -5407,7 +5479,7 @@ pid_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:5411: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5483: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_pid_t="yes" else @@ -5430,13 +5502,13 @@ fi echo $ac_n "checking for mode_t""... $ac_c" 1>&6 -echo "configure:5434: checking for mode_t" >&5 +echo "configure:5506: checking for mode_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_mode_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5445,7 +5517,7 @@ mode_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:5449: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5521: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_mode_t="yes" else @@ -5469,13 +5541,13 @@ echo $ac_n "checking for struct sockaddr_storage""... $ac_c" 1>&6 -echo "configure:5473: checking for struct sockaddr_storage" >&5 +echo "configure:5545: checking for struct sockaddr_storage" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_sockaddr_storage'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5485,7 +5557,7 @@ struct sockaddr_storage s; ; return 0; } EOF -if { (eval echo configure:5489: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5561: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_sockaddr_storage="yes" else @@ -5508,13 +5580,13 @@ fi echo $ac_n "checking for struct sockaddr_in6""... $ac_c" 1>&6 -echo "configure:5512: checking for struct sockaddr_in6" >&5 +echo "configure:5584: checking for struct sockaddr_in6" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_sockaddr_in6'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < 
@@ -5524,7 +5596,7 @@ struct sockaddr_in6 s; s.sin6_family = 0; ; return 0; } EOF -if { (eval echo configure:5528: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5600: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_sockaddr_in6="yes" else @@ -5547,13 +5619,13 @@ fi echo $ac_n "checking for struct in6_addr""... $ac_c" 1>&6 -echo "configure:5551: checking for struct in6_addr" >&5 +echo "configure:5623: checking for struct in6_addr" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_in6_addr'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5563,7 +5635,7 @@ struct in6_addr s; s.s6_addr[0] = 0; ; return 0; } EOF -if { (eval echo configure:5567: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5639: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_in6_addr="yes" else @@ -5586,13 +5658,13 @@ fi echo $ac_n "checking for struct addrinfo""... $ac_c" 1>&6 -echo "configure:5590: checking for struct addrinfo" >&5 +echo "configure:5662: checking for struct addrinfo" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_addrinfo'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5603,7 +5675,7 @@ struct addrinfo s; s.ai_flags = AI_PASSIVE; ; return 0; } EOF -if { (eval echo configure:5607: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5679: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_addrinfo="yes" else 
@@ -5626,20 +5698,20 @@ fi echo $ac_n "checking for struct timeval""... $ac_c" 1>&6 -echo "configure:5630: checking for struct timeval" >&5 +echo "configure:5702: checking for struct timeval" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_timeval'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { struct timeval tv; tv.tv_sec = 1; ; return 0; } EOF -if { (eval echo configure:5643: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5715: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_timeval="yes" else @@ -5668,6 +5740,54 @@ "x$ac_cv_sizeof_long_int" != "x8" -a \ "x$ac_cv_sizeof_long_long_int" = "x0" ; then NO_SFTP='#' +else + if test "$cross_compiling" = yes; then + { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } +else + cat > conftest.$ac_ext < +#include +#ifdef HAVE_SNPRINTF +main() +{ + char buf[50]; + char expected_out[50]; + int mazsize = 50 ; +#if (SIZEOF_LONG_INT == 8) + long int num = 0x7fffffffffffffff; +#else + long long num = 0x7fffffffffffffff; +#endif + strcpy(expected_out, "9223372036854775807"); + snprintf(buf, mazsize, "%lld", num); + if(strcmp(buf, expected_out) != 0) + exit(1); + exit(0); +} +#else +main() { exit(0); } +#endif + +EOF +if { (eval echo configure:5776: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +then + true +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -fr conftest* + cat >> confdefs.h <<\EOF +#define BROKEN_SNPRINTF 1 +EOF + + +fi +rm -fr conftest* +fi + fi 
@@ -5676,13 +5796,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_host echo $ac_n "checking for ut_host field in utmp.h""... $ac_c" 1>&6 -echo "configure:5680: checking for ut_host field in utmp.h" >&5 +echo "configure:5800: checking for ut_host field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -5716,13 +5836,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_host echo $ac_n "checking for ut_host field in utmpx.h""... $ac_c" 1>&6 -echo "configure:5720: checking for ut_host field in utmpx.h" >&5 +echo "configure:5840: checking for ut_host field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -5756,13 +5876,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"syslen echo $ac_n "checking for syslen field in utmpx.h""... $ac_c" 1>&6 -echo "configure:5760: checking for syslen field in utmpx.h" >&5 +echo "configure:5880: checking for syslen field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -5796,13 +5916,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_pid echo $ac_n "checking for ut_pid field in utmp.h""... $ac_c" 1>&6 -echo "configure:5800: checking for ut_pid field in utmp.h" >&5 +echo "configure:5920: checking for ut_pid field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -5836,13 +5956,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_type echo $ac_n "checking for ut_type field in utmp.h""... $ac_c" 1>&6 -echo "configure:5840: checking for ut_type field in utmp.h" >&5 +echo "configure:5960: checking for ut_type field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -5876,13 +5996,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_type echo $ac_n "checking for ut_type field in utmpx.h""... $ac_c" 1>&6 -echo "configure:5880: checking for ut_type field in utmpx.h" >&5 +echo "configure:6000: checking for ut_type field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -5916,13 +6036,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_tv echo $ac_n "checking for ut_tv field in utmp.h""... $ac_c" 1>&6 -echo "configure:5920: checking for ut_tv field in utmp.h" >&5 +echo "configure:6040: checking for ut_tv field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -5956,13 +6076,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_id echo $ac_n "checking for ut_id field in utmp.h""... $ac_c" 1>&6 -echo "configure:5960: checking for ut_id field in utmp.h" >&5 +echo "configure:6080: checking for ut_id field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -5996,13 +6116,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_id echo $ac_n "checking for ut_id field in utmpx.h""... $ac_c" 1>&6 -echo "configure:6000: checking for ut_id field in utmpx.h" >&5 +echo "configure:6120: checking for ut_id field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -6036,13 +6156,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr echo $ac_n "checking for ut_addr field in utmp.h""... $ac_c" 1>&6 -echo "configure:6040: checking for ut_addr field in utmp.h" >&5 +echo "configure:6160: checking for ut_addr field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -6076,13 +6196,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr echo $ac_n "checking for ut_addr field in utmpx.h""... $ac_c" 1>&6 -echo "configure:6080: checking for ut_addr field in utmpx.h" >&5 +echo "configure:6200: checking for ut_addr field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -6116,13 +6236,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr_v6 echo $ac_n "checking for ut_addr_v6 field in utmp.h""... $ac_c" 1>&6 -echo "configure:6120: checking for ut_addr_v6 field in utmp.h" >&5 +echo "configure:6240: checking for ut_addr_v6 field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -6156,13 +6276,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr_v6 echo $ac_n "checking for ut_addr_v6 field in utmpx.h""... $ac_c" 1>&6 -echo "configure:6160: checking for ut_addr_v6 field in utmpx.h" >&5 +echo "configure:6280: checking for ut_addr_v6 field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -6196,13 +6316,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_exit echo $ac_n "checking for ut_exit field in utmp.h""... $ac_c" 1>&6 -echo "configure:6200: checking for ut_exit field in utmp.h" >&5 +echo "configure:6320: checking for ut_exit field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -6236,13 +6356,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_time echo $ac_n "checking for ut_time field in utmp.h""... $ac_c" 1>&6 -echo "configure:6240: checking for ut_time field in utmp.h" >&5 +echo "configure:6360: checking for ut_time field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -6276,13 +6396,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_time echo $ac_n "checking for ut_time field in utmpx.h""... $ac_c" 1>&6 -echo "configure:6280: checking for ut_time field in utmpx.h" >&5 +echo "configure:6400: checking for ut_time field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -6316,13 +6436,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_tv echo $ac_n "checking for ut_tv field in utmpx.h""... $ac_c" 1>&6 -echo "configure:6320: checking for ut_tv field in utmpx.h" >&5 +echo "configure:6440: checking for ut_tv field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -6352,12 +6472,12 @@ fi echo $ac_n "checking for st_blksize in struct stat""... $ac_c" 1>&6 -echo "configure:6356: checking for st_blksize in struct stat" >&5 +echo "configure:6476: checking for st_blksize in struct stat" >&5 if eval "test \"`echo '$''{'ac_cv_struct_st_blksize'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < #include @@ -6365,7 +6485,7 @@ struct stat s; s.st_blksize; ; return 0; } EOF -if { (eval echo configure:6369: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6489: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_struct_st_blksize=yes else @@ -6387,13 +6507,13 @@ echo $ac_n "checking for sun_len field in struct sockaddr_un""... $ac_c" 1>&6 -echo "configure:6391: checking for sun_len field in struct sockaddr_un" >&5 +echo "configure:6511: checking for sun_len field in struct sockaddr_un" >&5 if eval "test \"`echo '$''{'ac_cv_have_sun_len_in_struct_sockaddr_un'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -6403,7 +6523,7 @@ struct sockaddr_un s; s.sun_len = 1; ; return 0; } EOF -if { (eval echo configure:6407: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6527: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_sun_len_in_struct_sockaddr_un="yes" else 
@@ -6425,13 +6545,13 @@ fi echo $ac_n "checking for ss_family field in struct sockaddr_storage""... $ac_c" 1>&6 -echo "configure:6429: checking for ss_family field in struct sockaddr_storage" >&5 +echo "configure:6549: checking for ss_family field in struct sockaddr_storage" >&5 if eval "test \"`echo '$''{'ac_cv_have_ss_family_in_struct_ss'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -6441,7 +6561,7 @@ struct sockaddr_storage s; s.ss_family = 1; ; return 0; } EOF -if { (eval echo configure:6445: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6565: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_ss_family_in_struct_ss="yes" else @@ -6463,13 +6583,13 @@ fi echo $ac_n "checking for __ss_family field in struct sockaddr_storage""... $ac_c" 1>&6 -echo "configure:6467: checking for __ss_family field in struct sockaddr_storage" >&5 +echo "configure:6587: checking for __ss_family field in struct sockaddr_storage" >&5 if eval "test \"`echo '$''{'ac_cv_have___ss_family_in_struct_ss'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -6479,7 +6599,7 @@ struct sockaddr_storage s; s.__ss_family = 1; ; return 0; } EOF -if { (eval echo configure:6483: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6603: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have___ss_family_in_struct_ss="yes" else @@ -6502,13 +6622,13 @@ fi echo $ac_n "checking for pw_class field in struct passwd""... $ac_c" 1>&6 -echo "configure:6506: checking for pw_class field in struct passwd" >&5 +echo "configure:6626: checking for pw_class field in struct passwd" >&5 if eval "test \"`echo '$''{'ac_cv_have_pw_class_in_struct_passwd'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < 
@@ -6517,7 +6637,7 @@ struct passwd p; p.pw_class = 0; ; return 0; } EOF -if { (eval echo configure:6521: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6641: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_pw_class_in_struct_passwd="yes" else @@ -6541,20 +6661,20 @@ echo $ac_n "checking if libc defines __progname""... $ac_c" 1>&6 -echo "configure:6545: checking if libc defines __progname" >&5 +echo "configure:6665: checking if libc defines __progname" >&5 if eval "test \"`echo '$''{'ac_cv_libc_defines___progname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:6678: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_libc_defines___progname="yes" else @@ -6578,20 +6698,20 @@ echo $ac_n "checking if libc defines sys_errlist""... $ac_c" 1>&6 -echo "configure:6582: checking if libc defines sys_errlist" >&5 +echo "configure:6702: checking if libc defines sys_errlist" >&5 if eval "test \"`echo '$''{'ac_cv_libc_defines_sys_errlist'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:6715: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_libc_defines_sys_errlist="yes" else 
@@ -6615,20 +6735,20 @@ echo $ac_n "checking if libc defines sys_nerr""... $ac_c" 1>&6 -echo "configure:6619: checking if libc defines sys_nerr" >&5 +echo "configure:6739: checking if libc defines sys_nerr" >&5 if eval "test \"`echo '$''{'ac_cv_libc_defines_sys_nerr'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:6752: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_libc_defines_sys_nerr="yes" else @@ -6665,7 +6785,7 @@ # Extract the first word of "rsh", so it can be a program name with args. set dummy rsh; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:6669: checking for $ac_word" >&5 +echo "configure:6789: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_rsh_path'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -6715,7 +6835,7 @@ # Extract the first word of "xauth", so it can be a program name with args. set dummy xauth; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:6719: checking for $ac_word" >&5 +echo "configure:6839: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_xauth_path'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -6786,7 +6906,7 @@ ac_safe=`echo ""/dev/ptmx"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/ptmx"""... $ac_c" 1>&6 -echo "configure:6790: checking for "/dev/ptmx"" >&5 +echo "configure:6910: checking for "/dev/ptmx"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -6819,7 +6939,7 @@ ac_safe=`echo ""/dev/ptc"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/ptc"""... $ac_c" 1>&6 -echo "configure:6823: checking for "/dev/ptc"" >&5 +echo "configure:6943: checking for "/dev/ptc"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -6870,7 +6990,7 @@ ac_safe=`echo ""/dev/urandom"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/urandom"""... $ac_c" 1>&6 -echo "configure:6874: checking for "/dev/urandom"" >&5 +echo "configure:6994: checking for "/dev/urandom"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -6905,15 +7025,32 @@ fi -# Check for EGD pool file -# Check whether --with-egd-pool or --without-egd-pool was given. -if test "${with_egd_pool+set}" = set; then - withval="$with_egd_pool" +# Check for PRNGD/EGD pool file +# Check whether --with-prngd-port or --without-prngd-port was given. +if test "${with_prngd_port+set}" = set; then + withval="$with_prngd_port" + + if test ! -z "$withval" -a "x$withval" != "xno" ; then + PRNGD_PORT="$withval" + cat >> confdefs.h <> confdefs.h <&6 -echo "configure:6927: checking for PRNGD/EGD socket" >&5 +echo "configure:7064: checking for PRNGD/EGD socket" >&5 # Insert other locations here - for egdsock in /var/run/egd-pool /etc/entropy; do - if test -r $egdsock && $TEST_MINUS_S_SH -c "test -S $egdsock -o -p $egdsock" ; then - EGD_SOCKET="$egdsock" + for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do + if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then + PRNGD_SOCKET="$sock" cat >> confdefs.h <&6 + if test ! -z "$PRNGD_SOCKET" ; then + echo "$ac_t""$PRNGD_SOCKET" 1>&6 else echo "$ac_t""not found" 1>&6 fi 
@@ -6950,13 +7087,13 @@ # detect pathnames for entropy gathering commands, if we need them INSTALL_SSH_PRNG_CMDS="" rm -f prng_commands -if (test -z "$RANDOM_POOL" && test -z "$EGD_SOCKET") ; then +if (test -z "$RANDOM_POOL" && test -z "$PRNGD") ; then # Use these commands to collect entropy # Extract the first word of "ls", so it can be a program name with args. set dummy ls; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:6960: checking for $ac_word" >&5 +echo "configure:7097: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_LS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -6997,7 +7134,7 @@ # Extract the first word of "netstat", so it can be a program name with args. set dummy netstat; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7001: checking for $ac_word" >&5 +echo "configure:7138: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_NETSTAT'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7038,7 +7175,7 @@ # Extract the first word of "arp", so it can be a program name with args. set dummy arp; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7042: checking for $ac_word" >&5 +echo "configure:7179: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_ARP'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7079,7 +7216,7 @@ # Extract the first word of "ifconfig", so it can be a program name with args. set dummy ifconfig; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7083: checking for $ac_word" >&5 +echo "configure:7220: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_IFCONFIG'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -7120,7 +7257,7 @@ # Extract the first word of "ps", so it can be a program name with args. set dummy ps; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7124: checking for $ac_word" >&5 +echo "configure:7261: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_PS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7161,7 +7298,7 @@ # Extract the first word of "w", so it can be a program name with args. set dummy w; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7165: checking for $ac_word" >&5 +echo "configure:7302: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_W'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7202,7 +7339,7 @@ # Extract the first word of "who", so it can be a program name with args. set dummy who; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7206: checking for $ac_word" >&5 +echo "configure:7343: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_WHO'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7243,7 +7380,7 @@ # Extract the first word of "last", so it can be a program name with args. set dummy last; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7247: checking for $ac_word" >&5 +echo "configure:7384: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_LAST'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7284,7 +7421,7 @@ # Extract the first word of "lastlog", so it can be a program name with args. set dummy lastlog; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7288: checking for $ac_word" >&5 +echo "configure:7425: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_LASTLOG'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -7325,7 +7462,7 @@ # Extract the first word of "df", so it can be a program name with args. set dummy df; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7329: checking for $ac_word" >&5 +echo "configure:7466: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_DF'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7366,7 +7503,7 @@ # Extract the first word of "vmstat", so it can be a program name with args. set dummy vmstat; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7370: checking for $ac_word" >&5 +echo "configure:7507: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_VMSTAT'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7407,7 +7544,7 @@ # Extract the first word of "uptime", so it can be a program name with args. set dummy uptime; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7411: checking for $ac_word" >&5 +echo "configure:7548: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_UPTIME'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7448,7 +7585,7 @@ # Extract the first word of "ipcs", so it can be a program name with args. set dummy ipcs; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7452: checking for $ac_word" >&5 +echo "configure:7589: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_IPCS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7489,7 +7626,7 @@ # Extract the first word of "tail", so it can be a program name with args. set dummy tail; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7493: checking for $ac_word" >&5 +echo "configure:7630: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_TAIL'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -7593,9 +7730,9 @@ if test -z "$disable_shadow" ; then echo $ac_n "checking if the systems has expire shadow information""... $ac_c" 1>&6 -echo "configure:7597: checking if the systems has expire shadow information" >&5 +echo "configure:7734: checking if the systems has expire shadow information" >&5 cat > conftest.$ac_ext < @@ -7606,7 +7743,7 @@ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ; return 0; } EOF -if { (eval echo configure:7610: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:7747: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* sp_expire_available=yes else 
@@ -7662,16 +7799,86 @@ withval="$with_default_path" if test "x$withval" != "xno" ; then - cat >> confdefs.h < conftest.$ac_ext < +#ifdef HAVE_PATHS_H +# include +#endif +#ifndef _PATH_STDPATH +# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" +#endif +#include +#include +#include +#define DATA "conftest.stdpath" + +main() +{ + FILE *fd; + int rc; + + fd = fopen(DATA,"w"); + if(fd == NULL) + exit(1); + + if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0) + exit(1); + + exit(0); +} + EOF +if { (eval echo configure:7846: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +then + user_path=`cat conftest.stdpath` +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -fr conftest* + user_path="/usr/bin:/bin:/usr/sbin:/sbin" +fi +rm -fr conftest* +fi - SERVER_PATH_MSG="$withval" +# make sure $bindir is in USER_PATH so scp will work + t_bindir=`eval echo ${bindir}` + case $t_bindir in + NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;; + esac + case $t_bindir in + NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;; + esac + echo $user_path | grep ":$t_bindir" > /dev/null 2>&1 + if test $? -ne 0 ; then + echo $user_path | grep "^$t_bindir" > /dev/null 2>&1 + if test $? -ne 0 ; then + user_path=$user_path:$t_bindir + echo "$ac_t""Adding $t_bindir to USER_PATH so scp will work" 1>&6 + fi fi fi +cat >> confdefs.h <&6 -echo "configure:7696: checking if we need to convert IPv4 in IPv6-mapped addresses" >&5 +echo "configure:7903: checking if we need to convert IPv4 in IPv6-mapped addresses" >&5 IPV4_IN6_HACK_MSG="no" # Check whether --with-4in6 or --without-4in6 was given. if test "${with_4in6+set}" = set; then 
@@ -7744,7 +7951,7 @@ echo $ac_n "checking whether to install ssh as suid root""... $ac_c" 1>&6 -echo "configure:7748: checking whether to install ssh as suid root" >&5 +echo "configure:7955: checking whether to install ssh as suid root" >&5 # Check whether --enable-suid-ssh or --disable-suid-ssh was given. if test "${enable_suid_ssh+set}" = set; then enableval="$enable_suid_ssh" @@ -7893,9 +8100,9 @@ echo $ac_n "checking if your system defines LASTLOG_FILE""... $ac_c" 1>&6 -echo "configure:7897: checking if your system defines LASTLOG_FILE" >&5 +echo "configure:8104: checking if your system defines LASTLOG_FILE" >&5 cat > conftest.$ac_ext < @@ -7911,7 +8118,7 @@ char *lastlog = LASTLOG_FILE; ; return 0; } EOF -if { (eval echo configure:7915: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:8122: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -7921,9 +8128,9 @@ echo "$ac_t""no" 1>&6 echo $ac_n "checking if your system defines _PATH_LASTLOG""... $ac_c" 1>&6 -echo "configure:7925: checking if your system defines _PATH_LASTLOG" >&5 +echo "configure:8132: checking if your system defines _PATH_LASTLOG" >&5 cat > conftest.$ac_ext < @@ -7939,7 +8146,7 @@ char *lastlog = _PATH_LASTLOG; ; return 0; } EOF -if { (eval echo configure:7943: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:8150: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -7978,9 +8185,9 @@ fi echo $ac_n "checking if your system defines UTMP_FILE""... $ac_c" 1>&6 -echo "configure:7982: checking if your system defines UTMP_FILE" >&5 +echo "configure:8189: checking if your system defines UTMP_FILE" >&5 cat > conftest.$ac_ext < 
@@ -7993,7 +8200,7 @@ char *utmp = UTMP_FILE; ; return 0; } EOF -if { (eval echo configure:7997: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:8204: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -8028,9 +8235,9 @@ fi echo $ac_n "checking if your system defines WTMP_FILE""... $ac_c" 1>&6 -echo "configure:8032: checking if your system defines WTMP_FILE" >&5 +echo "configure:8239: checking if your system defines WTMP_FILE" >&5 cat > conftest.$ac_ext < @@ -8043,7 +8250,7 @@ char *wtmp = WTMP_FILE; ; return 0; } EOF -if { (eval echo configure:8047: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:8254: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -8079,9 +8286,9 @@ echo $ac_n "checking if your system defines UTMPX_FILE""... $ac_c" 1>&6 -echo "configure:8083: checking if your system defines UTMPX_FILE" >&5 +echo "configure:8290: checking if your system defines UTMPX_FILE" >&5 cat > conftest.$ac_ext < @@ -8097,7 +8304,7 @@ char *utmpx = UTMPX_FILE; ; return 0; } EOF -if { (eval echo configure:8101: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:8308: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -8124,9 +8331,9 @@ fi echo $ac_n "checking if your system defines WTMPX_FILE""... $ac_c" 1>&6 -echo "configure:8128: checking if your system defines WTMPX_FILE" >&5 +echo "configure:8335: checking if your system defines WTMPX_FILE" >&5 cat > conftest.$ac_ext < @@ -8142,7 +8349,7 @@ char *wtmpx = WTMPX_FILE; ; return 0; } EOF -if { (eval echo configure:8146: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:8353: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else 
@@ -8194,12 +8401,12 @@ fi echo $ac_n "checking for Cygwin environment""... $ac_c" 1>&6 -echo "configure:8198: checking for Cygwin environment" >&5 +echo "configure:8405: checking for Cygwin environment" >&5 if eval "test \"`echo '$''{'ac_cv_cygwin'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:8421: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_cygwin=yes else @@ -8227,19 +8434,19 @@ CYGWIN= test "$ac_cv_cygwin" = yes && CYGWIN=yes echo $ac_n "checking for mingw32 environment""... $ac_c" 1>&6 -echo "configure:8231: checking for mingw32 environment" >&5 +echo "configure:8438: checking for mingw32 environment" >&5 if eval "test \"`echo '$''{'ac_cv_mingw32'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:8450: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_mingw32=yes else @@ -8258,7 +8465,7 @@ echo $ac_n "checking for executable suffix""... $ac_c" 1>&6 -echo "configure:8262: checking for executable suffix" >&5 +echo "configure:8469: checking for executable suffix" >&5 if eval "test \"`echo '$''{'ac_cv_exeext'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -8268,7 +8475,7 @@ rm -f conftest* echo 'int main () { return 0; }' > conftest.$ac_ext ac_cv_exeext= - if { (eval echo configure:8272: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; }; then + if { (eval echo configure:8479: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; }; then for file in conftest.*; do case $file in *.c | *.o | *.obj) ;; @@ -8462,6 +8669,7 @@ s%@INSTALL_SSH_PRNG_CMDS@%$INSTALL_SSH_PRNG_CMDS%g s%@MANTYPE@%$MANTYPE%g s%@mansubdir@%$mansubdir%g +s%@user_path@%$user_path%g s%@SSHMODE@%$SSHMODE%g s%@piddir@%$piddir%g s%@EXEEXT@%$EXEEXT%g 
@@ -8695,8 +8903,10 @@ if test ! -z "$RANDOM_POOL" ; then RAND_MSG="Device ($RANDOM_POOL)" else - if test ! -z "$EGD_SOCKET" ; then - RAND_MSG="EGD/PRNGD ($EGD_SOCKET)" + if test ! -z "$PRNGD_PORT" ; then + RAND_MSG="PRNGD/EGD (port localhost:$PRNGD_PORT)" + elif test ! -z "$PRNGD_SOCKET" ; then + RAND_MSG="PRNGD/EGD (socket $PRNGD_SOCKET)" else RAND_MSG="Builtin (timeout $entropy_timeout)" BUILTIN_RNG=1 @@ -8711,6 +8921,7 @@ E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}` F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}` G=`eval echo ${piddir}` ; G=`eval echo ${G}` +H=`eval echo ${user_path}` ; H=`eval echo ${H}` echo "" echo "OpenSSH configured has been configured with the following options." @@ -8720,6 +8931,7 @@ echo " Askpass program: $E" echo " Manual pages: $F" echo " PID file: $G" +echo " sshd default user PATH: $H" echo " Random number collection: $RAND_MSG" echo " Manpage format: $MAN_MSG" echo " PAM support: ${PAM_MSG}" diff -ru openssh-2.5.1p2/configure.in openssh-2.5.2p1/configure.in --- openssh-2.5.1p2/configure.in 2001-03-01 09:16:12.000000000 +1100 +++ openssh-2.5.2p1/configure.in 2001-03-19 10:09:28.000000000 +1100 @@ -1,4 +1,4 @@ -# $Id: configure.in,v 1.260 2001/02/28 22:16:12 djm Exp $ +# $Id: configure.in,v 1.267 2001/03/18 23:09:28 djm Exp $ AC_INIT(ssh.c) @@ -203,6 +203,7 @@ IPADDR_IN_DISPLAY=yes AC_DEFINE(USE_PIPES) AC_DEFINE(IP_TOS_IS_BROKEN) + AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H) mansubdir=cat LIBS="$LIBS -lgen -lnsl -lucb" ;; 
@@ -367,7 +368,43 @@ AC_FUNC_STRFTIME # Checks for header files. -AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h getopt.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h regex.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/queue.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h) +AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h getopt.h glob.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h regex.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/queue.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h) + +# Check for ALTDIRFUNC glob() extension +AC_MSG_CHECKING(for GLOB_ALTDIRFUNC support) +AC_EGREP_CPP(FOUNDIT, + [ + #include + #ifdef GLOB_ALTDIRFUNC + FOUNDIT + #endif + ], + [ + AC_DEFINE(GLOB_HAS_ALTDIRFUNC) + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + ] +) + +# Check for g.gl_matchc glob() extension +AC_MSG_CHECKING(for gl_matchc field in glob_t) +AC_EGREP_CPP(FOUNDIT, + [ + #include + int main(void){glob_t g; g.gl_matchc = 1;} + ], + [ + AC_DEFINE(GLOB_HAS_GL_MATCHC) + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + ] +) + + # Check whether user wants Kerberos support KRB4_MSG="no" 
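Review bot: The gl_matchc probe can never report yes: AC_EGREP_CPP greps the preprocessed output for the literal token FOUNDIT, but the second probe program never emits that token, so GLOB_HAS_GL_MATCHC is never defined and, per the includes.h hunk later in this diff, the system glob.h is never selected. A struct-field test has to compile, e.g. `AC_TRY_COMPILE([#include <glob.h>], [glob_t g; g.gl_matchc = 1;], [AC_DEFINE(GLOB_HAS_GL_MATCHC) AC_MSG_RESULT(yes)], [AC_MSG_RESULT(no)])`. The GLOB_ALTDIRFUNC probe just above is a correct use of AC_EGREP_CPP and needs no change.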
@@ -490,7 +527,7 @@ ) dnl Checks for library functions. -AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_sa clock fchown fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getgrouplist getnameinfo getrlimit getrusage getttyent inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strmode strsep strtok_r sysconf tcgetpgrp utimes vsnprintf vhangup vis waitpid _getpty __b64_ntop) +AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_sa clock fchown fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getgrouplist getnameinfo getrlimit getrusage getttyent getusershell glob inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strmode strsep strtok_r sysconf tcgetpgrp utimes vsnprintf vhangup vis waitpid _getpty __b64_ntop) dnl Checks for time functions AC_CHECK_FUNCS(gettimeofday time) dnl Checks for libutil functions @@ -1059,6 +1096,34 @@ "x$ac_cv_sizeof_long_int" != "x8" -a \ "x$ac_cv_sizeof_long_long_int" = "x0" ; then NO_SFTP='#' +else +dnl test snprintf (broken on SCO w/gcc) + AC_TRY_RUN( + [ +#include +#include +#ifdef HAVE_SNPRINTF +main() +{ + char buf[50]; + char expected_out[50]; + int mazsize = 50 ; +#if (SIZEOF_LONG_INT == 8) + long int num = 0x7fffffffffffffff; +#else + long long num = 0x7fffffffffffffff; +#endif + strcpy(expected_out, "9223372036854775807"); + snprintf(buf, mazsize, "%lld", num); + if(strcmp(buf, expected_out) != 0) + exit(1); + exit(0); +} +#else +main() { exit(0); } +#endif + ], [ true ], [ AC_DEFINE(BROKEN_SNPRINTF) ] + ) fi AC_SUBST(NO_SFTP) 
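Review bot: In the BROKEN_SNPRINTF probe, when SIZEOF_LONG_INT == 8 the variable `num` is a `long int` yet is printed with `%lld`, so the probe that is supposed to detect a broken snprintf itself relies on a format/argument type mismatch; `snprintf(buf, mazsize, "%lld", (long long)num);` makes both branches well-defined. The AC_TRY_RUN call passes only the run-succeeded and run-failed actions, so a cross-compiling configure will abort at this point instead of picking a default. The enclosing `if ... else ... fi` begins outside the hunk.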
@@ -1266,13 +1331,24 @@ ] ) -# Check for EGD pool file -AC_ARG_WITH(egd-pool, - [ --with-egd-pool=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)], +# Check for PRNGD/EGD pool file +AC_ARG_WITH(prngd-port, + [ --with-prngd-port=PORT read entropy from PRNGD/EGD localhost:PORT], + [ + if test ! -z "$withval" -a "x$withval" != "xno" ; then + PRNGD_PORT="$withval" + AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT) + fi + ] +) + +# Check for PRNGD/EGD pool file +AC_ARG_WITH(prngd-socket, + [ --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)], [ if test "x$withval" != "xno" ; then - EGD_SOCKET="$withval"; - AC_DEFINE_UNQUOTED(EGD_SOCKET, "$EGD_SOCKET") + PRNGD_SOCKET="$withval" + AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET") fi ], [ @@ -1280,15 +1356,15 @@ if test -z "$RANDOM_POOL" ; then AC_MSG_CHECKING(for PRNGD/EGD socket) # Insert other locations here - for egdsock in /var/run/egd-pool /etc/entropy; do - if test -r $egdsock && $TEST_MINUS_S_SH -c "test -S $egdsock -o -p $egdsock" ; then - EGD_SOCKET="$egdsock" - AC_DEFINE_UNQUOTED(EGD_SOCKET, "$EGD_SOCKET") + for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do + if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then + PRNGD_SOCKET="$sock" + AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET") break; fi done - if test ! -z "$EGD_SOCKET" ; then - AC_MSG_RESULT($EGD_SOCKET) + if test ! -z "$PRNGD_SOCKET" ; then + AC_MSG_RESULT($PRNGD_SOCKET) else AC_MSG_RESULT(not found) fi @@ -1300,7 +1376,7 @@ # detect pathnames for entropy gathering commands, if we need them INSTALL_SSH_PRNG_CMDS="" rm -f prng_commands -if (test -z "$RANDOM_POOL" && test -z "$EGD_SOCKET") ; then +if (test -z "$RANDOM_POOL" && test -z "$PRNGD") ; then # Use these commands to collect entropy OSSH_PATH_ENTROPY_PROG(PROG_LS, ls) OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat) 
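Review bot: The guard `if (test -z "$RANDOM_POOL" && test -z "$PRNGD") ; then` tests a variable that nothing in this diff assigns; the hunks above set PRNGD_PORT and PRNGD_SOCKET, so the entropy-command probing and INSTALL_SSH_PRNG_CMDS now run even when a PRNGD source was configured. It should read `if (test -z "$RANDOM_POOL" && test -z "$PRNGD_PORT" && test -z "$PRNGD_SOCKET") ; then`. Separately, `--with-prngd-port` given without a value leaves withval as `yes`, which is passed verbatim into `AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT)` and will presumably fail to compile in entropy.c's `htons(PRNGD_PORT)`; a numeric check on `$withval` before the define would report that at configure time.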
@@ -1406,11 +1482,64 @@ [ --with-default-path=PATH Specify default \$PATH environment for server], [ if test "x$withval" != "xno" ; then - AC_DEFINE_UNQUOTED(USER_PATH, "$withval") + user_path="$withval" SERVER_PATH_MSG="$withval" fi + ], + [ + AC_TRY_RUN( + [ +/* find out what STDPATH is */ +#include +#ifdef HAVE_PATHS_H +# include +#endif +#ifndef _PATH_STDPATH +# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" +#endif +#include +#include +#include +#define DATA "conftest.stdpath" + +main() +{ + FILE *fd; + int rc; + + fd = fopen(DATA,"w"); + if(fd == NULL) + exit(1); + + if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0) + exit(1); + + exit(0); +} + ], [ user_path=`cat conftest.stdpath` ], + [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ], + [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ] + ) +# make sure $bindir is in USER_PATH so scp will work + t_bindir=`eval echo ${bindir}` + case $t_bindir in + NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;; + esac + case $t_bindir in + NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;; + esac + echo $user_path | grep ":$t_bindir" > /dev/null 2>&1 + if test $? -ne 0 ; then + echo $user_path | grep "^$t_bindir" > /dev/null 2>&1 + if test $? -ne 0 ; then + user_path=$user_path:$t_bindir + AC_MSG_RESULT(Adding $t_bindir to USER_PATH so scp will work) + fi + fi ] ) +AC_DEFINE_UNQUOTED(USER_PATH, "$user_path") +AC_SUBST(user_path) # Whether to force IPv4 by default (needed on broken glibc Linux) IPV4_HACK_MSG="no" @@ -1749,8 +1878,10 @@ if test ! -z "$RANDOM_POOL" ; then RAND_MSG="Device ($RANDOM_POOL)" else - if test ! -z "$EGD_SOCKET" ; then - RAND_MSG="EGD/PRNGD ($EGD_SOCKET)" + if test ! -z "$PRNGD_PORT" ; then + RAND_MSG="PRNGD/EGD (port localhost:$PRNGD_PORT)" + elif test ! -z "$PRNGD_SOCKET" ; then + RAND_MSG="PRNGD/EGD (socket $PRNGD_SOCKET)" else RAND_MSG="Builtin (timeout $entropy_timeout)" BUILTIN_RNG=1 
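Review bot: `AC_DEFINE_UNQUOTED(USER_PATH, "$user_path")` now runs unconditionally, so `--with-default-path=no`, which leaves user_path empty, defines USER_PATH as an empty string where it previously stayed undefined; defines.h later in this diff keys on `#ifdef USER_PATH`, so the server would presumably end up with an empty default PATH. Guard it: `if test ! -z "$user_path" ; then` / `AC_DEFINE_UNQUOTED(USER_PATH, "$user_path")` / `fi`. The bindir check also uses `$t_bindir` as an unescaped grep pattern and only matches a prefix, so an existing entry such as `:/usr/binx` would suppress appending `/usr/bin`. The AC_ARG_WITH this belongs to starts outside the hunk.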
@@ -1765,6 +1896,7 @@ E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}` F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}` G=`eval echo ${piddir}` ; G=`eval echo ${G}` +H=`eval echo ${user_path}` ; H=`eval echo ${H}` echo "" echo "OpenSSH configured has been configured with the following options." @@ -1774,6 +1906,7 @@ echo " Askpass program: $E" echo " Manual pages: $F" echo " PID file: $G" +echo " sshd default user PATH: $H" echo " Random number collection: $RAND_MSG" echo " Manpage format: $MAN_MSG" echo " PAM support: ${PAM_MSG}" diff -ru openssh-2.5.1p2/contrib/README openssh-2.5.2p1/contrib/README --- openssh-2.5.1p2/contrib/README 2001-02-22 17:20:10.000000000 +1100 +++ openssh-2.5.2p1/contrib/README 2001-03-04 08:43:19.000000000 +1100 @@ -17,12 +17,6 @@ wu-ftpd style magic home directories (containing '/./'). More details in the head of the patch itself. -make-ssh-known-hosts: - -Tero Kivinen's PERL script to generate -ssh_known_hosts files by trawling tjhrough the DNS. More details in the -manpage. - ssh-copy-id: Phil Hands' shell script to automate the process of adding @@ -45,7 +39,8 @@ mdoc2man.pl: Converts mdoc formated manpages into normal manpages. This can be used -on Solaris machines to provide manpages that are not preformated. +on Solaris machines to provide manpages that are not preformated. +Contributed by Mark D. Roth redhat: @@ -65,4 +60,3 @@ passphrase requester. This is highly recommended: http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html - diff -ru openssh-2.5.1p2/contrib/caldera/openssh.spec openssh-2.5.2p1/contrib/caldera/openssh.spec --- openssh-2.5.1p2/contrib/caldera/openssh.spec 2001-02-27 10:53:01.000000000 +1100 +++ openssh-2.5.2p1/contrib/caldera/openssh.spec 2001-03-20 09:30:51.000000000 +1100 
@@ -1,5 +1,5 @@ # Version of OpenSSH -%define oversion 2.5.1p2 +%define oversion 2.5.2p1 # Version of ssh-askpass %define aversion 1.2.0 diff -ru openssh-2.5.1p2/contrib/cygwin/README openssh-2.5.2p1/contrib/cygwin/README --- openssh-2.5.1p2/contrib/cygwin/README 2001-01-19 16:37:32.000000000 +1100 +++ openssh-2.5.2p1/contrib/cygwin/README 2001-03-15 08:30:18.000000000 +1100 @@ -15,12 +15,8 @@ features of the FAT/FAT32 filesystems. =========================================================================== -Since this package is part of the base distribution now, the location -of the files has changed from /usr/local to /usr. The global configuration -files are in /etc now. - -If you are installing OpenSSH the first time, you can generate -global config files and server keys by running +If you are installing OpenSSH the first time, you can generate global config +files and server keys by running /usr/bin/ssh-host-config @@ -39,6 +35,7 @@ --debug -d Enable shell's debug output. --yes -y Answer all questions with "yes" automatically. --no -n Answer all questions with "no" automatically. + --port -p sshd listens on port n. You can create the private and public keys for a user now by running @@ -114,6 +111,12 @@ RSAAuthentication yes +Please note that OpenSSH does never use the value of $HOME to +search for the users configuration files! It always uses the +value of the pw_dir field in /etc/passwd as the home directory. +If no home diretory is set in /etc/passwd, the root directory +is used instead! + You may use all features of the CYGWIN=ntsec setting the same way as they are used by the `login' port on sources.redhat.com: 
@@ -132,10 +135,10 @@ locuser::1104:513:John Doe,U-user,S-1-5-21-... -V2 server and user keys are generated by `ssh-config'. If you want to -create DSA keys by yourself, call ssh-keygen with `-d' option. +SSH2 server and user keys are generated by the `ssh-*-config' scripts +as well. -DSA authentication similar to RSA: +SSH2 authentication similar to SSH1: Add keys to ~/.ssh/authorized_keys2 Interop. w/ ssh.com dsa-keys: ssh-keygen -f /key/from/ssh.com -X >> ~/.ssh/authorized_keys2 diff -ru openssh-2.5.1p2/contrib/cygwin/ssh-host-config openssh-2.5.2p1/contrib/cygwin/ssh-host-config --- openssh-2.5.1p2/contrib/cygwin/ssh-host-config 2001-01-19 16:37:32.000000000 +1100 +++ openssh-2.5.2p1/contrib/cygwin/ssh-host-config 2001-03-07 21:38:19.000000000 +1100 @@ -16,6 +16,7 @@ progname=$0 auto_answer="" +port_number=22 request() { @@ -67,6 +68,11 @@ auto_answer=no ;; + -p | --port ) + port_number=$1 + shift + ;; + *) echo "usage: ${progname} [OPTION]..." echo @@ -76,6 +82,7 @@ echo " --debug -d Enable shell's debug output." echo " --yes -y Answer all questions with \"yes\" automatically." echo " --no -n Answer all questions with \"no\" automatically." + echo " --port -p sshd listens on port n." echo exit 1 ;; @@ -254,6 +261,11 @@ IdentityFile ~/.ssh/id_rsa IdentityFile ~/.ssh/id_dsa EOF + if [ "$port_number" != "22" ] + then + echo "Host localhost" >> ${SYSCONFDIR}/ssh_config + echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config + fi fi # Check if sshd_config exists. If yes, ask for overwriting @@ -278,7 +290,7 @@ cat > ${SYSCONFDIR}/sshd_config << EOF # This is ssh server systemwide configuration file. -Port 22 +Port $port_number # Protocol 2,1 ListenAddress 0.0.0.0 @@ -330,7 +342,7 @@ EOF fi -# Add port 22/tcp to services +# Care for services file _sys="`uname -a`" _nt=`expr "$_sys" : "CYGWIN_NT"` if [ $_nt -gt 0 ] 
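Review bot: The value taken by `-p`/`--port` is written straight into `Port $port_number` in sshd_config and into the `Host localhost` stanza appended to ssh_config without any validation, so a non-numeric argument, or `-p` given as the last argument (leaving `$1` empty), produces a configuration sshd will refuse to load. A check after option parsing, `case "$port_number" in ''|*[!0-9]*) echo "Invalid port: $port_number"; exit 1;; esac`, keeps the script from generating a broken config. The option-parsing loop this case arm belongs to starts outside the hunk.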
@@ -344,33 +356,86 @@ _services=`cygpath -u "${_wservices}"` _serv_tmp=`cygpath -u "${_wserv_tmp}"` -mount -b -f "${_wservices}" "${_services}" -mount -b -f "${_wserv_tmp}" "${_serv_tmp}" +mount -t -f "${_wservices}" "${_services}" +mount -t -f "${_wserv_tmp}" "${_serv_tmp}" + +# Remove sshd 22/port from services +if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] +then + grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" + if [ -f "${_serv_tmp}" ] + then + if mv "${_serv_tmp}" "${_services}" + then + echo "Removing sshd from ${_services}" + else + echo "Removing sshd from ${_services} failed\!" + fi + rm -f "${_serv_tmp}" + else + echo "Removing sshd from ${_services} failed\!" + fi +fi -if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] +# Add ssh 22/tcp and ssh 22/udp to services +if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] then - awk '{ if ( $2 ~ /^23\/tcp/ ) print "sshd 22/tcp #SSH daemon\r"; print $0; }' < "${_services}" > "${_serv_tmp}" + awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" if [ -f "${_serv_tmp}" ] then if mv "${_serv_tmp}" "${_services}" then - echo "Added sshd to ${_services}" + echo "Added ssh to ${_services}" else - echo "Adding sshd to ${_services} failed\!" + echo "Adding ssh to ${_services} failed\!" fi rm -f "${_serv_tmp}" else - echo "Adding sshd to ${_services} failed\!" + echo "Adding ssh to ${_services} failed\!" 
fi fi umount "${_services}" umount "${_serv_tmp}" -# Add sshd line to inetd.conf -if [ -f /etc/inetd.conf ] -then - grep -q "^[# \t]*sshd" /etc/inetd.conf || echo "# sshd stream tcp nowait root /usr/sbin/sshd -i" >> /etc/inetd.conf +# Care for inetd.conf file +_inetcnf="/etc/inetd.conf" +_inetcnf_tmp="/etc/inetd.conf.$$" + +if [ -f "${_inetcnf}" ] +then + # Check if ssh service is already in use as sshd + with_comment=1 + grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0 + # Remove sshd line from inetd.conf + if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] + then + grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" + if [ -f "${_inetcnf_tmp}" ] + then + if mv "${_inetcnf_tmp}" "${_inetcnf}" + then + echo "Removed sshd from ${_inetcnf}" + else + echo "Removing sshd from ${_inetcnf} failed\!" + fi + rm -f "${_inetcnf_tmp}" + else + echo "Removing sshd from ${_inetcnf} failed\!" + fi + fi + + # Add ssh line to inetd.conf + if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] + then + if [ "${with_comment}" -eq 0 ] + then + echo 'ssh stream tcp nowait root /usr/sbin/sshd -i' >> "${_inetcnf}" + else + echo '# ssh stream tcp nowait root /usr/sbin/sshd -i' >> "${_inetcnf}" + fi + echo "Added ssh to ${_inetcnf}" + fi fi if [ "${old_install}" = "1" ] Only in openssh-2.5.1p2/contrib: make-ssh-known-hosts.1 Only in openssh-2.5.1p2/contrib: make-ssh-known-hosts.pl diff -ru openssh-2.5.1p2/contrib/redhat/openssh.spec openssh-2.5.2p1/contrib/redhat/openssh.spec --- openssh-2.5.1p2/contrib/redhat/openssh.spec 2001-02-27 10:53:01.000000000 +1100 +++ openssh-2.5.2p1/contrib/redhat/openssh.spec 2001-03-20 09:30:51.000000000 +1100 @@ -1,5 +1,5 @@ # Version of OpenSSH -%define oversion 2.5.1p2 +%define oversion 2.5.2p1 # Version of ssh-askpass %define aversion 1.2.0 
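Review bot: `grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"` appends to the temp file while the services block earlier in this hunk uses `>`; if `/etc/inetd.conf.$$` already exists (left over from an interrupted run that got the same PID) its old content is kept and then moved over inetd.conf. Use `>` here. The temp name is predictable, but since it lives in /etc the exposure is limited; `mktemp` would still be the cleaner choice where available. Keeping the re-added `ssh` entry commented unless an uncommented `sshd` line was already active is the right default.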
@@ -10,6 +10,9 @@ # Do we want to disable building of gnome-askpass? (1=yes 0=no) %define no_gnome_askpass 0 +# Do we want to link against a static libcrypto? (1=yes 0=no) +%define static_libcrypto 0 + # Use Redhat 7.0 pam control file %define redhat7 0 @@ -22,6 +25,10 @@ # rpm -ba|--rebuild --define "rh7 1" %{?rh7:%define redhat7 1} +# Options for static OpenSSL link: +# rpm -ba|--rebuild --define "static_openssl 1" +%{?static_openssl:%define static_libcrypto 1} + %define exact_openssl_version %(rpm -q openssl | cut -d - -f 2) Summary: OpenSSH free Secure Shell (SSH) implementation @@ -38,16 +45,18 @@ Group: Applications/Internet BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot Obsoletes: ssh -PreReq: openssl >= 0.9.5a -PreReq: openssl = %{exact_openssl_version} -Requires: openssl >= 0.9.5a -Requires: rpm >= 3.0.5 BuildPreReq: perl, openssl-devel, tcp_wrappers -BuildPreReq: /bin/login, /usr/bin/rsh, /usr/include/security/pam_appl.h +BuildPreReq: /bin/login, /usr/include/security/pam_appl.h BuildPreReq: rpm >= 3.0.5 %if ! %{no_gnome_askpass} BuildPreReq: gnome-libs-devel %endif +%if ! %{static_libcrypto} +PreReq: openssl >= 0.9.5a +PreReq: openssl = %{exact_openssl_version} +Requires: openssl >= 0.9.5a +%endif +Requires: rpm >= 3.0.5 %package clients Summary: OpenSSH Secure Shell protocol clients @@ -167,6 +176,10 @@ --with-rsh=/usr/bin/rsh \ --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin +%if %{static_libcrypto} +perl -pi -e "s|-lcrypto|/usr/lib/libcrypto.a|g" Makefile +%endif + make %if ! %{no_x11_askpass} diff -ru openssh-2.5.1p2/contrib/suse/openssh.spec openssh-2.5.2p1/contrib/suse/openssh.spec --- openssh-2.5.1p2/contrib/suse/openssh.spec 2001-02-27 10:45:20.000000000 +1100 +++ openssh-2.5.2p1/contrib/suse/openssh.spec 2001-03-20 09:30:51.000000000 +1100 
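Review bot: With `static_libcrypto` set the spec drops the `Requires: openssl` lines and rewrites every `-lcrypto` in the Makefile to the hard-coded `/usr/lib/libcrypto.a`, so the resulting package carries its own copy of libcrypto that no longer follows openssl updates on the installed system; that trade-off should be stated next to the option, e.g. `# Note: a statically linked libcrypto must be rebuilt to pick up OpenSSL fixes`. A `test -f /usr/lib/libcrypto.a || exit 1` before the `perl -pi` line gives a clear build failure instead of a late link error. The `/usr/bin/rsh` BuildPreReq is removed while `--with-rsh=/usr/bin/rsh` is still passed to configure; that may be intentional if configure does not check the path.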
@@ -1,6 +1,6 @@ Summary: OpenSSH, a free Secure Shell (SSH) implementation Name: openssh -Version: 2.5.1p2 +Version: 2.5.2p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz diff -ru openssh-2.5.1p2/crc32.h openssh-2.5.2p1/crc32.h --- openssh-2.5.1p2/crc32.h 2000-12-22 12:43:59.000000000 +1100 +++ openssh-2.5.2p1/crc32.h 2001-03-05 17:59:27.000000000 +1100 @@ -1,6 +1,6 @@ /* * Author: Tatu Ylonen - * Copyright (c) 1992 Tatu Ylonen, Espoo, Finland + * Copyright (c) 1992 Tatu Ylonen , Espoo, Finland * All rights reserved * Functions for computing 32-bit CRC. * @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: crc32.h,v 1.9 2000/12/19 23:17:56 markus Exp $"); */ +/* RCSID("$OpenBSD: crc32.h,v 1.10 2001/03/02 18:54:31 deraadt Exp $"); */ #ifndef CRC32_H #define CRC32_H diff -ru openssh-2.5.1p2/deattack.c openssh-2.5.2p1/deattack.c --- openssh-2.5.1p2/deattack.c 2001-01-22 16:34:41.000000000 +1100 +++ openssh-2.5.2p1/deattack.c 2001-03-05 17:47:00.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: deattack.c,v 1.12 2001/01/21 19:05:48 markus Exp $ */ +/* $OpenBSD: deattack.c,v 1.13 2001/03/01 02:45:10 deraadt Exp $ */ /* * Cryptographic attack detector for ssh - source code @@ -44,7 +44,7 @@ /* Hash function (Input keys are cipher results) */ #define HASH(x) GET_32BIT(x) -#define CMP(a,b) (memcmp(a, b, SSH_BLOCKSIZE)) +#define CMP(a, b) (memcmp(a, b, SSH_BLOCKSIZE)) void diff -ru openssh-2.5.1p2/defines.h openssh-2.5.2p1/defines.h --- openssh-2.5.1p2/defines.h 2001-02-24 11:55:05.000000000 +1100 +++ openssh-2.5.2p1/defines.h 2001-03-19 14:12:26.000000000 +1100 @@ -1,7 +1,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.56 2001/02/24 00:55:05 mouring Exp $ */ +/* $Id: defines.h,v 1.60 2001/03/19 03:12:26 mouring Exp $ */ /* Some platforms need this for the _r() functions */ #if !defined(_REENTRANT) && !defined(SNI) 
@@ -99,11 +99,18 @@
 # define O_NONBLOCK 00004
 #endif
-#ifndef S_ISREG
+#ifndef S_ISDIR
 # define S_ISDIR(mode) (((mode) & (_S_IFMT)) == (_S_IFDIR))
+#endif /* S_ISDIR */
+
+#ifndef S_ISREG
 # define S_ISREG(mode) (((mode) & (_S_IFMT)) == (_S_IFREG))
 #endif /* S_ISREG */
+#ifndef S_ISLNK
+# define S_ISLNK(mode) (((mode) & (_S_IFMT)) == (_S_IFLNK))
+#endif /* S_ISLNK */
+
 #ifndef S_IXUSR
 # define S_IXUSR 0000100 /* execute/search permission, */
 # define S_IXGRP 0000010 /* execute/search permission, */
@@ -125,6 +132,7 @@
 /* If sys/types.h does not supply intXX_t, supply them ourselves */
 /* (or die trying) */
+
 #ifndef HAVE_U_INT
 typedef unsigned int u_int;
 #endif
@@ -198,6 +206,7 @@
 # if (SIZEOF_LONG_LONG_INT == 8)
 typedef long long int int64_t;
 # define HAVE_INT64_T 1
+# define HAVE_LONG_LONG_INT
 # endif
 # endif
 #endif
@@ -274,6 +283,12 @@
 #ifndef _PATH_BSHELL
 # define _PATH_BSHELL "/bin/sh"
 #endif
+#ifndef _PATH_CSHELL
+# define _PATH_CSHELL "/bin/csh"
+#endif
+#ifndef _PATH_SHELLS
+# define _PATH_SHELLS "/etc/shells"
+#endif
 #ifdef USER_PATH
 # ifdef _PATH_STDPATH
diff -ru openssh-2.5.1p2/dh.c openssh-2.5.2p1/dh.c
--- openssh-2.5.1p2/dh.c 2001-01-22 16:34:41.000000000 +1100
+++ openssh-2.5.2p1/dh.c 2001-03-06 12:13:07.000000000 +1100
@@ -23,7 +23,7 @@
  */
 #include "includes.h"
-RCSID("$OpenBSD: dh.c,v 1.6 2001/01/21 19:05:49 markus Exp $");
+RCSID("$OpenBSD: dh.c,v 1.8 2001/03/05 17:58:22 stevesk Exp $");
 #include "xmalloc.h"
@@ -90,7 +90,7 @@
 return (1);
 fail:
- error("Bad prime description in line %d\n", linenum);
+ error("Bad prime description in line %d", linenum);
 return (0);
 }
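Review bot: `# define HAVE_LONG_LONG_INT` is defined with no value while the neighbouring `# define HAVE_INT64_T 1` and the autoconf-generated HAVE_* macros carry `1`; a later `#if HAVE_LONG_LONG_INT` would be a preprocessor error, so write `# define HAVE_LONG_LONG_INT 1` for consistency. The new `S_ISLNK` fallback assumes `_S_IFLNK` is defined; on a platform that lacks `S_ISLNK` in the first place (the ChangeLog names NeXTStep) that is not a given, and the failure would only surface at the macro's first use rather than here.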
@@ -135,7 +135,7 @@
 f = fopen(_PATH_DH_PRIMES, "r");
 if (!f) {
- fatal("WARNING: %s dissappeared, giving up", _PATH_DH_PRIMES);
+ fatal("WARNING: %s disappeared, giving up", _PATH_DH_PRIMES);
 }
 linenum = 0;
diff -ru openssh-2.5.1p2/entropy.c openssh-2.5.2p1/entropy.c
--- openssh-2.5.1p2/entropy.c 2001-02-27 11:00:52.000000000 +1100
+++ openssh-2.5.2p1/entropy.c 2001-03-19 09:38:16.000000000 +1100
@@ -40,7 +40,7 @@
 #include "pathnames.h"
 #include "log.h"
-RCSID("$Id: entropy.c,v 1.34 2001/02/27 00:00:52 djm Exp $");
+RCSID("$Id: entropy.c,v 1.36 2001/03/18 22:38:16 djm Exp $");
 #ifndef offsetof
 # define offsetof(type, member) ((size_t) &((type *)0)->member)
@@ -68,54 +68,85 @@
 # define SAVED_IDS_WORK_WITH_SETEUID
 #endif
-void check_openssl_version(void)
+void
+check_openssl_version(void)
 {
 if (SSLeay() != OPENSSL_VERSION_NUMBER)
 fatal("OpenSSL version mismatch. Built against %lx, you "
 "have %lx", OPENSSL_VERSION_NUMBER, SSLeay());
 }
+#if defined(PRNGD_SOCKET) || defined(PRNGD_PORT)
+# define USE_PRNGD
+#endif
-#if defined(EGD_SOCKET) || defined(RANDOM_POOL)
+#if defined(USE_PRNGD) || defined(RANDOM_POOL)
-#ifdef EGD_SOCKET
-/* Collect entropy from EGD */
-int get_random_bytes(unsigned char *buf, int len)
+#ifdef USE_PRNGD
+/* Collect entropy from PRNGD/EGD */
+int
+get_random_bytes(unsigned char *buf, int len)
 {
 int fd;
 char msg[2];
+#ifdef PRNGD_PORT
+ struct sockaddr_in addr;
+#else
 struct sockaddr_un addr;
+#endif
 int addr_len, rval, errors;
 mysig_t old_sigpipe;
+ memset(&addr, '\0', sizeof(addr));
+
+#ifdef PRNGD_PORT
+ addr.sin_family = AF_INET;
+ addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ addr.sin_port = htons(PRNGD_PORT);
+ addr_len = sizeof(struct sockaddr_in);
+#else /* use IP socket PRNGD_SOCKET instead */
 /* Sanity checks */
- if (sizeof(EGD_SOCKET) > sizeof(addr.sun_path))
+ if (sizeof(PRNGD_SOCKET) > sizeof(addr.sun_path))
 fatal("Random pool path is too long");
 if (len > 255)
- fatal("Too many bytes to read from EGD");
+ fatal("Too many bytes to read from PRNGD");
- memset(&addr, '\0', sizeof(addr));
 addr.sun_family = AF_UNIX;
- strlcpy(addr.sun_path, EGD_SOCKET, sizeof(addr.sun_path));
- addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(EGD_SOCKET);
+ strlcpy(addr.sun_path, PRNGD_SOCKET, sizeof(addr.sun_path));
+ addr_len = offsetof(struct sockaddr_un, sun_path) +
+ sizeof(PRNGD_SOCKET);
+#endif
 old_sigpipe = mysignal(SIGPIPE, SIG_IGN);
 errors = rval = 0;
 reopen:
- fd = socket(AF_UNIX, SOCK_STREAM, 0);
+#ifdef PRNGD_PORT
+ fd = socket(addr.sin_family, SOCK_STREAM, 0);
+ if (fd == -1) {
+ error("Couldn't create AF_INET socket: %s", strerror(errno));
+ goto done;
+ }
+#else
+ fd = 
socket(addr.sun_family, SOCK_STREAM, 0); if (fd == -1) { error("Couldn't create AF_UNIX socket: %s", strerror(errno)); goto done; } +#endif if (connect(fd, (struct sockaddr*)&addr, addr_len) == -1) { - error("Couldn't connect to EGD socket \"%s\": %s", - addr.sun_path, strerror(errno)); +#ifdef PRNGD_PORT + error("Couldn't connect to PRNGD port %d: %s", + PRNGD_PORT, strerror(errno)); +#else + error("Couldn't connect to PRNGD socket \"%s\": %s", + addr.sun_path, strerror(errno)); +#endif goto done; } - /* Send blocking read request to EGD */ + /* Send blocking read request to PRNGD */ msg[0] = 0x02; msg[1] = len; @@ -125,8 +156,8 @@ errors++; goto reopen; } - error("Couldn't write to EGD socket \"%s\": %s", - EGD_SOCKET, strerror(errno)); + error("Couldn't write to PRNGD socket: %s", + strerror(errno)); goto done; } @@ -136,8 +167,8 @@ errors++; goto reopen; } - error("Couldn't read from EGD socket \"%s\": %s", - EGD_SOCKET, strerror(errno)); + error("Couldn't read from PRNGD socket: %s", + strerror(errno)); goto done; } @@ -148,10 +179,11 @@ close(fd); return(rval); } -#else /* !EGD_SOCKET */ +#else /* !USE_PRNGD */ #ifdef RANDOM_POOL /* Collect entropy from /dev/urandom or pipe */ -int get_random_bytes(unsigned char *buf, int len) +int +get_random_bytes(unsigned char *buf, int len) { int random_pool; @@ -174,16 +206,16 @@ return(1); } #endif /* RANDOM_POOL */ -#endif /* EGD_SOCKET */ +#endif /* USE_PRNGD */ /* * Seed OpenSSL's random number pool from Kernel random number generator - * or EGD + * or PRNGD/EGD */ void seed_rng(void) { - char buf[32]; + unsigned char buf[32]; debug("Seeding random number generator"); @@ -197,12 +229,13 @@ memset(buf, '\0', sizeof(buf)); } -void init_rng(void) +void +init_rng(void) { check_openssl_version(); } -#else /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */ +#else /* defined(USE_PRNGD) || defined(RANDOM_POOL) */ /* * FIXME: proper entropy estimations. All current values are guesses 
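Review bot: The `if (len > 255)` sanity check now sits inside the `#else` (PRNGD_SOCKET) branch, so when PRNGD_PORT is defined `msg[1] = len` is sent with no bound and a request larger than 255 is silently truncated to one byte. Move the check above `#ifdef PRNGD_PORT`, next to the memset: `if (len > 255)` / `fatal("Too many bytes to read from PRNGD");`. The comment on the `#else` line, `/* use IP socket PRNGD_SOCKET instead */`, describes the wrong branch — this is the AF_UNIX path — so `/* PRNGD_SOCKET: AF_UNIX socket */` would match the code. The loopback-port path also trusts whatever answers on that port, which a filesystem socket's permissions can constrain but a TCP port cannot; a one-line comment there would make the different trust model visible to deployers.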
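Review bot: `memset(buf, '\0', sizeof(buf))` at the end of seed_rng is there to scrub the seed bytes, but a plain memset on a buffer that is never read again may be dropped by the optimizer; a volatile-qualified clear, or explicit_bzero/memset_s where the platform provides them, preserves the intent. The change to `unsigned char buf[32]` is correct and matches the `unsigned char *buf` parameter of get_random_bytes above.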
@@ -374,8 +407,7 @@ } -static -int +static int _get_timeval_msec_difference(struct timeval *t1, struct timeval *t2) { int secdiff, usecdiff; @@ -813,8 +845,10 @@ /* commands */ old_sigchld_handler = mysignal(SIGCHLD, SIG_DFL); - debug("Seeded RNG with %i bytes from programs", (int)stir_from_programs()); - debug("Seeded RNG with %i bytes from system calls", (int)stir_from_system()); + debug("Seeded RNG with %i bytes from programs", + (int)stir_from_programs()); + debug("Seeded RNG with %i bytes from system calls", + (int)stir_from_system()); if (!RAND_status()) fatal("Not enough entropy in RNG"); @@ -825,7 +859,8 @@ fatal("Couldn't initialise builtin random number generator -- exiting."); } -void init_rng(void) +void +init_rng(void) { int original_euid; @@ -877,4 +912,4 @@ prng_initialised = 1; } -#endif /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */ +#endif /* defined(USE_PRNGD) || defined(RANDOM_POOL) */ diff -ru openssh-2.5.1p2/includes.h openssh-2.5.2p1/includes.h --- openssh-2.5.1p2/includes.h 2001-02-12 18:29:45.000000000 +1100 +++ openssh-2.5.2p1/includes.h 2001-03-17 12:15:39.000000000 +1100 @@ -21,7 +21,7 @@ #include "config.h" -#include "bsd-nextstep.h" +#include "openbsd-compat/bsd-nextstep.h" #include #include @@ -54,6 +54,10 @@ #ifdef HAVE_BSTRING_H # include #endif +#if defined(HAVE_GLOB_H) && defined(GLOB_HAS_ALTDIRFUNC) && \ + defined(GLOB_HAS_GL_MATCHC) +# include +#endif #ifdef HAVE_NETGROUP_H # include #endif @@ -95,8 +99,8 @@ # include #endif #include "version.h" -#include "openbsd-compat.h" -#include "bsd-cygwin_util.h" +#include "openbsd-compat/openbsd-compat.h" +#include "openbsd-compat/bsd-cygwin_util.h" #include "entropy.h" #endif /* INCLUDES_H */ diff -ru openssh-2.5.1p2/kex.c openssh-2.5.2p1/kex.c --- openssh-2.5.1p2/kex.c 2001-02-15 14:01:59.000000000 +1100 +++ openssh-2.5.2p1/kex.c 2001-03-11 12:49:20.000000000 +1100 
@@ -23,7 +23,7 @@
  */
 #include "includes.h"
-RCSID("$OpenBSD: kex.c,v 1.21 2001/02/11 12:59:24 markus Exp $");
+RCSID("$OpenBSD: kex.c,v 1.23 2001/03/10 17:51:04 markus Exp $");
 #include
 #include
@@ -42,6 +42,7 @@
 #include "key.h"
 #include "log.h"
 #include "mac.h"
+#include "match.h"
 #define KEX_COOKIE_LEN 16
@@ -138,15 +139,33 @@
 }
 void
-dh_gen_key(DH *dh)
+dh_gen_key(DH *dh, int need)
 {
- int tries = 0;
+ int i, bits_set = 0, tries = 0;
+ if (dh->p == NULL)
+ fatal("dh_gen_key: dh->p == NULL");
+ if (2*need >= BN_num_bits(dh->p))
+ fatal("dh_gen_key: group too small: %d (2*need %d)",
+ BN_num_bits(dh->p), 2*need);
 do {
+ if (dh->priv_key != NULL)
+ BN_free(dh->priv_key);
+ dh->priv_key = BN_new();
+ if (dh->priv_key == NULL)
+ fatal("dh_gen_key: BN_new failed");
+ /* generate a 2*need bits random private exponent */
+ if (!BN_rand(dh->priv_key, 2*need, 0, 0))
+ fatal("dh_gen_key: BN_rand failed");
 if (DH_generate_key(dh) == 0)
 fatal("DH_generate_key");
+ for (i = 0; i <= BN_num_bits(dh->priv_key); i++)
+ if (BN_is_bit_set(dh->priv_key, i))
+ bits_set++;
+ debug("dh_gen_key: priv key bits set: %d/%d",
+ bits_set, BN_num_bits(dh->priv_key));
 if (tries++ > 10)
- fatal("dh_new_group1: too many bad keys: giving up");
+ fatal("dh_gen_key: too many bad keys: giving up");
 } while (!dh_pub_is_valid(dh, dh->pub_key));
 }
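Review bot: `bits_set` is initialised once, outside the `do` loop, so on a retry the popcount reported by `debug("dh_gen_key: priv key bits set: %d/%d", ...)` accumulates across attempts and can exceed the bit length; reset it at the top of the loop body with `bits_set = 0;`, and bound the loop with `i < BN_num_bits(dh->priv_key)` rather than `<=`, since index num_bits is one past the top bit. The `2*need >= BN_num_bits(dh->p)` guard and the explicit 2*need-bit private exponent are good additions; a short comment stating why twice the required strength is chosen would spare the next reader a trip to the literature.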
@@ -354,49 +373,10 @@ return digest; } -#define NKEYS 6 - -#define MAX_PROP 20 -#define SEP "," - -char * -get_match(char *client, char *server) -{ - char *sproposals[MAX_PROP]; - char *c, *s, *p, *ret, *cp, *sp; - int i, j, nproposals; - - c = cp = xstrdup(client); - s = sp = xstrdup(server); - - for ((p = strsep(&sp, SEP)), i=0; p && *p != '\0'; - (p = strsep(&sp, SEP)), i++) { - if (i < MAX_PROP) - sproposals[i] = p; - else - break; - } - nproposals = i; - - for ((p = strsep(&cp, SEP)), i=0; p && *p != '\0'; - (p = strsep(&cp, SEP)), i++) { - for (j = 0; j < nproposals; j++) { - if (strcmp(p, sproposals[j]) == 0) { - ret = xstrdup(p); - xfree(c); - xfree(s); - return ret; - } - } - } - xfree(c); - xfree(s); - return NULL; -} void choose_enc(Enc *enc, char *client, char *server) { - char *name = get_match(client, server); + char *name = match_list(client, server, NULL); if (name == NULL) fatal("no matching cipher found: client %s server %s", client, server); enc->cipher = cipher_by_name(name); @@ -410,7 +390,7 @@ void choose_mac(Mac *mac, char *client, char *server) { - char *name = get_match(client, server); + char *name = match_list(client, server, NULL); if (name == NULL) fatal("no matching mac found: client %s server %s", client, server); if (mac_init(mac, name) < 0) @@ -425,7 +405,7 @@ void choose_comp(Comp *comp, char *client, char *server) { - char *name = get_match(client, server); + char *name = match_list(client, server, NULL); if (name == NULL) fatal("no matching comp found: client %s server %s", client, server); if (strcmp(name, "zlib") == 0) { @@ -440,7 +420,7 @@ void choose_kex(Kex *k, char *client, char *server) { - k->name = get_match(client, server); + k->name = match_list(client, server, NULL); if (k->name == NULL) fatal("no kex alg"); if (strcmp(k->name, KEX_DH1) == 0) { 
@@ -453,7 +433,7 @@ void choose_hostkeyalg(Kex *k, char *client, char *server) { - char *hostkeyalg = get_match(client, server); + char *hostkeyalg = match_list(client, server, NULL); if (hostkeyalg == NULL) fatal("no hostkey alg"); k->hostkey_type = key_type_from_name(hostkeyalg); @@ -506,6 +486,7 @@ return k; } +#define NKEYS 6 int kex_derive_keys(Kex *k, u_char *hash, BIGNUM *shared_secret) { diff -ru openssh-2.5.1p2/kex.h openssh-2.5.2p1/kex.h --- openssh-2.5.1p2/kex.h 2001-02-15 14:01:59.000000000 +1100 +++ openssh-2.5.2p1/kex.h 2001-03-06 12:09:20.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.14 2001/02/11 12:59:24 markus Exp $ */ +/* $OpenBSD: kex.h,v 1.15 2001/03/05 17:17:20 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -106,7 +106,7 @@ int dh_pub_is_valid(DH *dh, BIGNUM *dh_pub); DH *dh_new_group_asc(const char *, const char *); DH *dh_new_group(BIGNUM *, BIGNUM *); -void dh_gen_key(DH *); +void dh_gen_key(DH *, int); DH *dh_new_group1(void); u_char * diff -ru openssh-2.5.1p2/key.c openssh-2.5.2p1/key.c --- openssh-2.5.1p2/key.c 2001-02-06 05:16:28.000000000 +1100 +++ openssh-2.5.2p1/key.c 2001-03-13 15:57:59.000000000 +1100 @@ -32,7 +32,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: key.c,v 1.17 2001/02/04 15:32:24 stevesk Exp $"); +RCSID("$OpenBSD: key.c,v 1.22 2001/03/12 22:02:01 markus Exp $"); #include 
@@ -153,19 +153,29 @@ return 0; } -/* - * Generate key fingerprint in ascii format. - * Based on ideas and code from Bjoern Groenvall - */ -char * -key_fingerprint(Key *k) +u_char* +key_fingerprint_raw(Key *k, enum fp_type dgst_type, size_t *dgst_raw_length) { - static char retval[(EVP_MAX_MD_SIZE+1)*3]; + EVP_MD *md = NULL; + EVP_MD_CTX ctx; u_char *blob = NULL; + u_char *retval = NULL; int len = 0; int nlen, elen; - retval[0] = '\0'; + *dgst_raw_length = 0; + + switch (dgst_type) { + case SSH_FP_MD5: + md = EVP_md5(); + break; + case SSH_FP_SHA1: + md = EVP_sha1(); + break; + default: + fatal("key_fingerprint_raw: bad digest type %d", + dgst_type); + } switch (k->type) { case KEY_RSA1: nlen = BN_num_bytes(k->rsa->n); 
@@ -183,26 +193,111 @@ return retval; break; default: - fatal("key_fingerprint: bad key type %d", k->type); + fatal("key_fingerprint_raw: bad key type %d", k->type); break; } if (blob != NULL) { - int i; - u_char digest[EVP_MAX_MD_SIZE]; - EVP_MD *md = EVP_md5(); - EVP_MD_CTX ctx; + retval = xmalloc(EVP_MAX_MD_SIZE); EVP_DigestInit(&ctx, md); EVP_DigestUpdate(&ctx, blob, len); - EVP_DigestFinal(&ctx, digest, NULL); - for(i = 0; i < md->md_size; i++) { - char hex[4]; - snprintf(hex, sizeof(hex), "%02x:", digest[i]); - strlcat(retval, hex, sizeof(retval)); - } - retval[strlen(retval) - 1] = '\0'; + EVP_DigestFinal(&ctx, retval, NULL); + *dgst_raw_length = md->md_size; memset(blob, 0, len); xfree(blob); + } else { + fatal("key_fingerprint_raw: blob is null"); + } + return retval; +} + +char* +key_fingerprint_hex(u_char* dgst_raw, size_t dgst_raw_len) +{ + char *retval; + int i; + + retval = xmalloc(dgst_raw_len * 3); + retval[0] = '\0'; + for(i = 0; i < dgst_raw_len; i++) { + char hex[4]; + snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]); + strlcat(retval, hex, dgst_raw_len * 3); + } + retval[(dgst_raw_len * 3) - 1] = '\0'; + return retval; +} + +char* +key_fingerprint_bubblebabble(u_char* dgst_raw, size_t dgst_raw_len) +{ + char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; + char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', + 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; + u_int i, j = 0, rounds, seed = 1; + char *retval; + + rounds = (dgst_raw_len / 2) + 1; + retval = xmalloc(sizeof(char) * (rounds*6)); + retval[j++] = 'x'; + for (i = 0; i < rounds; i++) { + u_int idx0, idx1, idx2, idx3, idx4; + if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { + idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + + seed) % 6; + idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; + idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + + (seed / 6)) % 6; + retval[j++] = vowels[idx0]; + retval[j++] = consonants[idx1]; + retval[j++] = vowels[idx2]; + if ((i + 1) < rounds) { + idx3 = 
(((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; + idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; + retval[j++] = consonants[idx3]; + retval[j++] = '-'; + retval[j++] = consonants[idx4]; + seed = ((seed * 5) + + ((((u_int)(dgst_raw[2 * i])) * 7) + + ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; + } + } else { + idx0 = seed % 6; + idx1 = 16; + idx2 = seed / 6; + retval[j++] = vowels[idx0]; + retval[j++] = consonants[idx1]; + retval[j++] = vowels[idx2]; + } + } + retval[j++] = 'x'; + retval[j++] = '\0'; + return retval; +} + +char* +key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) +{ + char *retval = NULL; + u_char *dgst_raw; + size_t dgst_raw_len; + + dgst_raw = key_fingerprint_raw(k, dgst_type, &dgst_raw_len); + if (!dgst_raw) + fatal("key_fingerprint: null from key_fingerprint_raw()"); + switch(dgst_rep) { + case SSH_FP_HEX: + retval = key_fingerprint_hex(dgst_raw, dgst_raw_len); + break; + case SSH_FP_BUBBLEBABBLE: + retval = key_fingerprint_bubblebabble(dgst_raw, dgst_raw_len); + break; + default: + fatal("key_fingerprint_ex: bad digest representation %d", + dgst_rep); + break; } + memset(dgst_raw, 0, dgst_raw_len); + xfree(dgst_raw); return retval; } @@ -530,7 +625,7 @@ } else if (strcmp(name, "ssh-dss") == 0){ return KEY_DSA; } - debug("key_type_from_name: unknown key type '%s'", name); + debug2("key_type_from_name: unknown key type '%s'", name); return KEY_UNSPEC; } diff -ru openssh-2.5.1p2/key.h openssh-2.5.2p1/key.h --- openssh-2.5.1p2/key.h 2001-01-29 18:39:26.000000000 +1100 +++ openssh-2.5.2p1/key.h 2001-03-13 15:57:59.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.9 2001/01/29 01:58:16 niklas Exp $ */ +/* $OpenBSD: key.h,v 1.11 2001/03/12 22:02:01 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -36,6 +36,14 @@ KEY_DSA, KEY_UNSPEC }; +enum fp_type { + SSH_FP_SHA1, + SSH_FP_MD5 +}; +enum fp_rep { + SSH_FP_HEX, + SSH_FP_BUBBLEBABBLE +}; struct Key { int type; RSA *rsa; 
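Review bot: The default branch of the new key_fingerprint names the wrong function, `fatal("key_fingerprint_ex: bad digest representation %d", dgst_rep)`, which will send anyone grepping the logs to a function that does not exist; it should read `key_fingerprint: ...`. In key_fingerprint_hex each byte is appended with `strlcat`, which rescans the growing string on every call and so is quadratic in the digest length; writing at an offset, `snprintf(retval + i * 3, 4, "%02x:", dgst_raw[i]);`, with the existing final-byte overwrite produces the same string in one pass. That loop also compares an `int` index against a `size_t`; declare `i` as `size_t` (or `u_int`, as key_fingerprint_bubblebabble does). As far as I can trace, the bubblebabble allocation of `rounds*6` bytes is consumed exactly for both even and odd digest lengths, but a one-line comment stating that arithmetic (one leading `x`, five or six characters per round, closing `x` and NUL) would spare the next reader the recount.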
@@ -46,7 +54,7 @@ Key *key_new_private(int type); void key_free(Key *k); int key_equal(Key *a, Key *b); -char *key_fingerprint(Key *k); +char *key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep); char *key_type(Key *k); int key_write(Key *key, FILE *f); int key_read(Key *key, char **cpp); Only in openssh-2.5.1p2: log-client.c Only in openssh-2.5.1p2: log-server.c diff -ru openssh-2.5.1p2/log.c openssh-2.5.2p1/log.c --- openssh-2.5.1p2/log.c 2001-01-22 16:34:42.000000000 +1100 +++ openssh-2.5.2p1/log.c 2001-03-05 21:23:31.000000000 +1100 @@ -10,8 +10,6 @@ * called by a name other than "ssh" or "Secure Shell". */ /* - * Shared versions of debug(), log(), etc. - * * Copyright (c) 2000 Markus Friedl. All rights reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -36,11 +34,81 @@ */ #include "includes.h" -RCSID("$OpenBSD: log.c,v 1.15 2001/01/21 19:05:51 markus Exp $"); +RCSID("$OpenBSD: log.c,v 1.17 2001/03/04 17:42:28 millert Exp $"); #include "log.h" #include "xmalloc.h" +#include + +static LogLevel log_level = SYSLOG_LEVEL_INFO; +static int log_on_stderr = 1; +static int log_facility = LOG_AUTH; +static char *argv0; + +extern char *__progname; + +/* textual representation of log-facilities/levels */ + +static struct { + const char *name; + SyslogFacility val; +} log_facilities[] = { + { "DAEMON", SYSLOG_FACILITY_DAEMON }, + { "USER", SYSLOG_FACILITY_USER }, + { "AUTH", SYSLOG_FACILITY_AUTH }, +#ifdef LOG_AUTHPRIV + { "AUTHPRIV", SYSLOG_FACILITY_AUTHPRIV }, +#endif + { "LOCAL0", SYSLOG_FACILITY_LOCAL0 }, + { "LOCAL1", SYSLOG_FACILITY_LOCAL1 }, + { "LOCAL2", SYSLOG_FACILITY_LOCAL2 }, + { "LOCAL3", SYSLOG_FACILITY_LOCAL3 }, + { "LOCAL4", SYSLOG_FACILITY_LOCAL4 }, + { "LOCAL5", SYSLOG_FACILITY_LOCAL5 }, + { "LOCAL6", SYSLOG_FACILITY_LOCAL6 }, + { "LOCAL7", SYSLOG_FACILITY_LOCAL7 }, + { NULL, 0 } +}; + +static struct { + const char *name; + LogLevel val; +} log_levels[] = +{ + { "QUIET", SYSLOG_LEVEL_QUIET }, + { "FATAL", SYSLOG_LEVEL_FATAL }, + { "ERROR", SYSLOG_LEVEL_ERROR }, + { "INFO", SYSLOG_LEVEL_INFO }, + { "VERBOSE", SYSLOG_LEVEL_VERBOSE }, + { "DEBUG", SYSLOG_LEVEL_DEBUG1 }, + { "DEBUG1", SYSLOG_LEVEL_DEBUG1 }, + { "DEBUG2", SYSLOG_LEVEL_DEBUG2 }, + { "DEBUG3", SYSLOG_LEVEL_DEBUG3 }, + { NULL, 0 } +}; + +SyslogFacility +log_facility_number(char *name) +{ + int i; + if (name != NULL) + for (i = 0; log_facilities[i].name; i++) + if (strcasecmp(log_facilities[i].name, name) == 0) + return log_facilities[i].val; + return (SyslogFacility) - 1; +} + +LogLevel +log_level_number(char *name) +{ + int i; + if (name != NULL) + for (i = 0; log_levels[i].name; i++) + if (strcasecmp(log_levels[i].name, name) == 0) + return log_levels[i].val; + return (LogLevel) - 1; +} /* Fatal messages. This function never returns. */ void 
@@ -154,8 +222,8 @@ return; } } - fatal("fatal_remove_cleanup: no such cleanup function: 0x%lx 0x%lx\n", - (u_long) proc, (u_long) context); + fatal("fatal_remove_cleanup: no such cleanup function: 0x%lx 0x%lx", + (u_long) proc, (u_long) context); } /* Cleanup and exit */ 
@@ -178,64 +246,142 @@ exit(255); } -/* textual representation of log-facilities/levels */ -static struct { - const char *name; - SyslogFacility val; -} log_facilities[] = { - { "DAEMON", SYSLOG_FACILITY_DAEMON }, - { "USER", SYSLOG_FACILITY_USER }, - { "AUTH", SYSLOG_FACILITY_AUTH }, -#ifdef LOG_AUTHPRIV - { "AUTHPRIV", SYSLOG_FACILITY_AUTHPRIV }, -#endif - { "LOCAL0", SYSLOG_FACILITY_LOCAL0 }, - { "LOCAL1", SYSLOG_FACILITY_LOCAL1 }, - { "LOCAL2", SYSLOG_FACILITY_LOCAL2 }, - { "LOCAL3", SYSLOG_FACILITY_LOCAL3 }, - { "LOCAL4", SYSLOG_FACILITY_LOCAL4 }, - { "LOCAL5", SYSLOG_FACILITY_LOCAL5 }, - { "LOCAL6", SYSLOG_FACILITY_LOCAL6 }, - { "LOCAL7", SYSLOG_FACILITY_LOCAL7 }, - { NULL, 0 } -}; +/* + * Initialize the log. + */ -static struct { - const char *name; - LogLevel val; -} log_levels[] = +void +log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr) { - { "QUIET", SYSLOG_LEVEL_QUIET }, - { "FATAL", SYSLOG_LEVEL_FATAL }, - { "ERROR", SYSLOG_LEVEL_ERROR }, - { "INFO", SYSLOG_LEVEL_INFO }, - { "VERBOSE", SYSLOG_LEVEL_VERBOSE }, - { "DEBUG", SYSLOG_LEVEL_DEBUG1 }, - { "DEBUG1", SYSLOG_LEVEL_DEBUG1 }, - { "DEBUG2", SYSLOG_LEVEL_DEBUG2 }, - { "DEBUG3", SYSLOG_LEVEL_DEBUG3 }, - { NULL, 0 } -}; + argv0 = av0; -SyslogFacility -log_facility_number(char *name) -{ - int i; - if (name != NULL) - for (i = 0; log_facilities[i].name; i++) - if (strcasecmp(log_facilities[i].name, name) == 0) - return log_facilities[i].val; - return (SyslogFacility) - 1; + switch (level) { + case SYSLOG_LEVEL_QUIET: + case SYSLOG_LEVEL_FATAL: + case SYSLOG_LEVEL_ERROR: + case SYSLOG_LEVEL_INFO: + case SYSLOG_LEVEL_VERBOSE: + case SYSLOG_LEVEL_DEBUG1: + case SYSLOG_LEVEL_DEBUG2: + case SYSLOG_LEVEL_DEBUG3: + log_level = level; + break; + default: + fprintf(stderr, "Unrecognized internal syslog level code %d", + (int) level); + exit(1); + } + + log_on_stderr = on_stderr; + if (on_stderr) + return; + + switch (facility) { + case SYSLOG_FACILITY_DAEMON: + log_facility = LOG_DAEMON; 
+ break; + case SYSLOG_FACILITY_USER: + log_facility = LOG_USER; + break; + case SYSLOG_FACILITY_AUTH: + log_facility = LOG_AUTH; + break; +#ifdef LOG_AUTHPRIV + case SYSLOG_FACILITY_AUTHPRIV: + log_facility = LOG_AUTHPRIV; + break; +#endif + case SYSLOG_FACILITY_LOCAL0: + log_facility = LOG_LOCAL0; + break; + case SYSLOG_FACILITY_LOCAL1: + log_facility = LOG_LOCAL1; + break; + case SYSLOG_FACILITY_LOCAL2: + log_facility = LOG_LOCAL2; + break; + case SYSLOG_FACILITY_LOCAL3: + log_facility = LOG_LOCAL3; + break; + case SYSLOG_FACILITY_LOCAL4: + log_facility = LOG_LOCAL4; + break; + case SYSLOG_FACILITY_LOCAL5: + log_facility = LOG_LOCAL5; + break; + case SYSLOG_FACILITY_LOCAL6: + log_facility = LOG_LOCAL6; + break; + case SYSLOG_FACILITY_LOCAL7: + log_facility = LOG_LOCAL7; + break; + default: + fprintf(stderr, + "Unrecognized internal syslog facility code %d", + (int) facility); + exit(1); + } } -LogLevel -log_level_number(char *name) +#define MSGBUFSIZ 1024 + +void +do_log(LogLevel level, const char *fmt, va_list args) { - int i; - if (name != NULL) - for (i = 0; log_levels[i].name; i++) - if (strcasecmp(log_levels[i].name, name) == 0) - return log_levels[i].val; - return (LogLevel) - 1; + char msgbuf[MSGBUFSIZ]; + char fmtbuf[MSGBUFSIZ]; + char *txt = NULL; + int pri = LOG_INFO; + + if (level > log_level) + return; + + switch (level) { + case SYSLOG_LEVEL_FATAL: + if (!log_on_stderr) + txt = "fatal"; + pri = LOG_CRIT; + break; + case SYSLOG_LEVEL_ERROR: + if (!log_on_stderr) + txt = "error"; + pri = LOG_ERR; + break; + case SYSLOG_LEVEL_INFO: + pri = LOG_INFO; + break; + case SYSLOG_LEVEL_VERBOSE: + pri = LOG_INFO; + break; + case SYSLOG_LEVEL_DEBUG1: + txt = "debug1"; + pri = LOG_DEBUG; + break; + case SYSLOG_LEVEL_DEBUG2: + txt = "debug2"; + pri = LOG_DEBUG; + break; + case SYSLOG_LEVEL_DEBUG3: + txt = "debug3"; + pri = LOG_DEBUG; + break; + default: + txt = "internal error"; + pri = LOG_ERR; + break; + } + if (txt != NULL) { + snprintf(fmtbuf, sizeof(fmtbuf), 
"%s: %s", txt, fmt); + vsnprintf(msgbuf, sizeof(msgbuf), fmtbuf, args); + } else { + vsnprintf(msgbuf, sizeof(msgbuf), fmt, args); + } + if (log_on_stderr) { + fprintf(stderr, "%s\r\n", msgbuf); + } else { + openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility); + syslog(pri, "%.500s", msgbuf); + closelog(); + } } diff -ru openssh-2.5.1p2/log.h openssh-2.5.2p1/log.h --- openssh-2.5.1p2/log.h 2001-02-05 23:42:17.000000000 +1100 +++ openssh-2.5.2p1/log.h 2001-03-05 21:23:31.000000000 +1100 @@ -15,6 +15,8 @@ #ifndef SSH_LOG_H #define SSH_LOG_H +#include /* Needed for LOG_AUTHPRIV (if present) */ + /* Supported syslog facilities and levels. */ typedef enum { SYSLOG_FACILITY_DAEMON, diff -ru openssh-2.5.1p2/match.c openssh-2.5.2p1/match.c --- openssh-2.5.1p2/match.c 2001-01-22 16:34:42.000000000 +1100 +++ openssh-2.5.2p1/match.c 2001-03-11 12:49:20.000000000 +1100 
@@ -10,11 +10,35 @@ * incompatible with the protocol description in the RFC file, it must be * called by a name other than "ssh" or "Secure Shell". */ +/* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ #include "includes.h" -RCSID("$OpenBSD: match.c,v 1.11 2001/01/21 19:05:52 markus Exp $"); +RCSID("$OpenBSD: match.c,v 1.12 2001/03/10 17:51:04 markus Exp $"); #include "match.h" +#include "xmalloc.h" /* * Returns true if the given string matches the pattern (which may contain ? 
@@ -137,3 +161,46 @@ */ return got_positive; } + + +#define MAX_PROP 20 +#define SEP "," +char * +match_list(const char *client, const char *server, u_int *next) +{ + char *sproposals[MAX_PROP]; + char *c, *s, *p, *ret, *cp, *sp; + int i, j, nproposals; + + c = cp = xstrdup(client); + s = sp = xstrdup(server); + + for ((p = strsep(&sp, SEP)), i=0; p && *p != '\0'; + (p = strsep(&sp, SEP)), i++) { + if (i < MAX_PROP) + sproposals[i] = p; + else + break; + } + nproposals = i; + + for ((p = strsep(&cp, SEP)), i=0; p && *p != '\0'; + (p = strsep(&cp, SEP)), i++) { + for (j = 0; j < nproposals; j++) { + if (strcmp(p, sproposals[j]) == 0) { + ret = xstrdup(p); + if (next != NULL) + *next = (cp == NULL) ? + strlen(c) : cp - c; + xfree(c); + xfree(s); + return ret; + } + } + } + if (next != NULL) + *next = strlen(c); + xfree(c); + xfree(s); + return NULL; +} diff -ru openssh-2.5.1p2/match.h openssh-2.5.2p1/match.h --- openssh-2.5.1p2/match.h 2001-01-29 18:39:26.000000000 +1100 +++ openssh-2.5.2p1/match.h 2001-03-11 12:49:20.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: match.h,v 1.6 2001/01/29 01:58:17 niklas Exp $ */ +/* $OpenBSD: match.h,v 1.7 2001/03/10 17:51:04 markus Exp $ */ /* * Author: Tatu Ylonen @@ -30,4 +30,10 @@ */ int match_hostname(const char *host, const char *pattern, u_int len); +/* + * Returns first item from client-list that is also supported by server-list, + * caller must xfree() returned string. + */ +char *match_list(const char *client, const char *server, u_int *next); + #endif diff -ru openssh-2.5.1p2/misc.c openssh-2.5.2p1/misc.c --- openssh-2.5.1p2/misc.c 2001-02-18 15:18:43.000000000 +1100 +++ openssh-2.5.2p1/misc.c 2001-03-05 18:57:09.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.1 2001/01/21 19:05:52 markus Exp $ */ +/* $OpenBSD: misc.c,v 1.4 2001/02/28 17:52:54 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. 
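Review bot: match_list silently drops server proposals beyond `MAX_PROP` (20): the `else break;` in the first loop leaves `nproposals` at 20 with no diagnostic, so a server list longer than that negotiates from a truncated set and the caller cannot tell. At minimum log it, `if (i >= MAX_PROP) { debug("match_list: too many server proposals, ignoring the rest"); break; }`, or size the table from the list instead of a fixed array. Both loops also stop at the first empty element (`*p != '\0'`), so `"a,,b"` or a trailing comma ends the list early; that reads as an intended terminator but deserves a one-line comment. The header comment in match.h documents the return value but not `next`; add `next, if non-NULL, receives the offset in client just past the matched item (strlen(client) if nothing matched)`.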
@@ -25,10 +25,11 @@ */ #include "includes.h" -RCSID("$OpenBSD: misc.c,v 1.1 2001/01/21 19:05:52 markus Exp $"); +RCSID("$OpenBSD: misc.c,v 1.4 2001/02/28 17:52:54 deraadt Exp $"); #include "misc.h" #include "log.h" +#include "xmalloc.h" char * chop(char *s) @@ -96,6 +97,25 @@ return (old); } +struct passwd * +pwcopy(struct passwd *pw) +{ + struct passwd *copy = xmalloc(sizeof(*copy)); + + memset(copy, 0, sizeof(*copy)); + copy->pw_name = xstrdup(pw->pw_name); + copy->pw_passwd = xstrdup(pw->pw_passwd); + copy->pw_gecos = xstrdup(pw->pw_gecos); + copy->pw_uid = pw->pw_uid; + copy->pw_gid = pw->pw_gid; +#ifdef HAVE_PW_CLASS_IN_PASSWD + copy->pw_class = xstrdup(pw->pw_class); +#endif + copy->pw_dir = xstrdup(pw->pw_dir); + copy->pw_shell = xstrdup(pw->pw_shell); + return copy; +} + mysig_t mysignal(int sig, mysig_t act) { diff -ru openssh-2.5.1p2/misc.h openssh-2.5.2p1/misc.h --- openssh-2.5.1p2/misc.h 2001-02-05 00:20:36.000000000 +1100 +++ openssh-2.5.2p1/misc.h 2001-03-05 16:56:41.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.h,v 1.2 2001/01/29 01:58:17 niklas Exp $ */ +/* $OpenBSD: misc.h,v 1.3 2001/02/22 21:59:44 markus Exp $ */ /* * Author: Tatu Ylonen @@ -20,6 +20,8 @@ /* set filedescriptor to non-blocking */ void set_nonblock(int fd); +struct passwd * pwcopy(struct passwd *pw); + /* wrapper for signal interface */ typedef void (*mysig_t)(int); mysig_t mysignal(int sig, mysig_t act); diff -ru openssh-2.5.1p2/myproposal.h openssh-2.5.2p1/myproposal.h --- openssh-2.5.1p2/myproposal.h 2001-02-15 14:01:59.000000000 +1100 +++ openssh-2.5.2p1/myproposal.h 2001-03-06 12:05:23.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.11 2001/02/11 12:59:24 markus Exp $ */ +/* $OpenBSD: myproposal.h,v 1.12 2001/03/05 15:56:16 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. 
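Review bot: pwcopy hands every string member of the source `struct passwd` straight to `xstrdup`, so it assumes none of `pw_passwd`, `pw_gecos`, `pw_dir`, `pw_shell` (and `pw_class`) is NULL; if xstrdup follows the usual contract a NULL there is a crash rather than a usable copy. I cannot see what getpwnam returns on the platforms this portable tree targets, so either guard the optional fields, `copy->pw_gecos = xstrdup(pw->pw_gecos ? pw->pw_gecos : "");`, or add a comment stating that callers guarantee non-NULL fields. The copy also carries `pw_passwd`, so the declaration in misc.h should say who frees the copy and whether the password field is expected to be scrubbed.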
@@ -26,12 +26,12 @@ #define KEX_DEFAULT_KEX "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1" #define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss" #define KEX_DEFAULT_ENCRYPT \ - "3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \ - "aes128-cbc,aes192-cbc,aes256-cbc," \ + "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \ + "aes192-cbc,aes256-cbc," \ "rijndael128-cbc,rijndael192-cbc,rijndael256-cbc," \ "rijndael-cbc@lysator.liu.se" #define KEX_DEFAULT_MAC \ - "hmac-sha1,hmac-md5,hmac-ripemd160," \ + "hmac-md5,hmac-sha1,hmac-ripemd160," \ "hmac-ripemd160@openssh.com," \ "hmac-sha1-96,hmac-md5-96" #define KEX_DEFAULT_COMP "none,zlib" diff -ru openssh-2.5.1p2/nchan.c openssh-2.5.2p1/nchan.c --- openssh-2.5.1p2/nchan.c 2001-02-05 23:42:18.000000000 +1100 +++ openssh-2.5.2p1/nchan.c 2001-03-05 17:16:12.000000000 +1100 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: nchan.c,v 1.22 2001/01/21 19:05:52 markus Exp $"); +RCSID("$OpenBSD: nchan.c,v 1.23 2001/02/28 08:54:55 markus Exp $"); #include "ssh1.h" #include "ssh2.h" @@ -54,9 +54,6 @@ static void chan_send_close2(Channel *c); static void chan_send_eof2(Channel *c); -/* channel cleanup */ -chan_event_fn *chan_delete_if_full_closed = NULL; - /* helper */ static void chan_shutdown_write(Channel *c); static void chan_shutdown_read(Channel *c); @@ -249,16 +246,6 @@ break; } } -static void -chan_delete_if_full_closed1(Channel *c) -{ - debug3("channel %d: chan_delete_if_full_closed1: istate %d ostate %d", - c->self, c->istate, c->ostate); - if (c->istate == CHAN_INPUT_CLOSED && c->ostate == CHAN_OUTPUT_CLOSED) { - debug("channel %d: full closed", c->self); - channel_free(c->self); - } -} /* * the same for SSH2 
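Review bot: The new default MAC order places `hmac-md5` ahead of `hmac-sha1`, so two default-configured OpenSSH peers will now negotiate the MD5-based MAC, and the hunk gives no rationale for the change. HMAC-MD5 is not known to be broken and the reorder is presumably for speed, but a defaults change like this is exactly what an auditor asks about later, so add a comment above `KEX_DEFAULT_MAC` (and one for promoting `aes128-cbc` to first cipher), e.g. `/* Client preference order: fastest acceptable algorithm first. */`. Pointing at the Ciphers/MACs configuration options in that comment would also tell readers how to override the order.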
@@ -401,24 +388,46 @@ c->flags |= CHAN_CLOSE_SENT; } } -static void -chan_delete_if_full_closed2(Channel *c) + +/* shared */ + +int +chan_is_dead(Channel *c) { - debug3("channel %d: chan_delete_if_full_closed2: istate %d ostate %d", - c->self, c->istate, c->ostate); - if (c->istate == CHAN_INPUT_CLOSED && c->ostate == CHAN_OUTPUT_CLOSED) { + if (c->istate != CHAN_INPUT_CLOSED || c->ostate != CHAN_OUTPUT_CLOSED) + return 0; + if (!compat20) { + debug("channel %d: is dead", c->self); + return 1; + } + /* + * we have to delay the close message if the efd (for stderr) is + * still active + */ + if (((c->extended_usage != CHAN_EXTENDED_IGNORE) && + buffer_len(&c->extended) > 0) +#if 0 + || ((c->extended_usage == CHAN_EXTENDED_READ) && + c->efd != -1) +#endif + ) { + debug2("channel %d: active efd: %d len %d type %s", + c->self, c->efd, buffer_len(&c->extended), + c->extended_usage==CHAN_EXTENDED_READ ? + "read": "write"); + } else { if (!(c->flags & CHAN_CLOSE_SENT)) { chan_send_close2(c); } if ((c->flags & CHAN_CLOSE_SENT) && (c->flags & CHAN_CLOSE_RCVD)) { - debug("channel %d: full closed2", c->self); - channel_free(c->self); + debug("channel %d: is dead", c->self); + return 1; } } + return 0; } -/* shared */ void chan_init_iostates(Channel *c) { @@ -439,8 +448,6 @@ chan_rcvd_ieof = chan_rcvd_ieof2; chan_write_failed = chan_write_failed2; chan_obuf_empty = chan_obuf_empty2; - - chan_delete_if_full_closed = chan_delete_if_full_closed2; } else { chan_rcvd_oclose = chan_rcvd_oclose1; chan_read_failed = chan_read_failed_12; @@ -449,8 +456,6 @@ chan_rcvd_ieof = chan_rcvd_ieof1; chan_write_failed = chan_write_failed1; chan_obuf_empty = chan_obuf_empty1; - - chan_delete_if_full_closed = chan_delete_if_full_closed1; } } diff -ru openssh-2.5.1p2/nchan.h openssh-2.5.2p1/nchan.h --- openssh-2.5.1p2/nchan.h 2000-09-16 13:29:09.000000000 +1100 +++ openssh-2.5.2p1/nchan.h 2001-03-05 17:16:12.000000000 +1100 
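Review bot: chan_is_dead carries an `#if 0` block in the middle of the condition that decides when a channel is freed; either delete it or replace it with a comment saying why the `CHAN_EXTENDED_READ && efd != -1` case is deliberately not delayed. The comment above it, `we have to delay the close message if the efd (for stderr) is still active`, no longer matches what is compiled (only buffered extended data is checked), so reword it to `/* delay the close while extended (stderr) data is still buffered */`. The `!compat20` path logs and returns 1 without sending anything, which fits SSH1, but a short `/* SSH1: no close handshake */` would save the next reader a trip to the protocol description.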
@@ -22,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* RCSID("$OpenBSD: nchan.h,v 1.9 2000/09/07 20:27:52 deraadt Exp $"); */ +/* RCSID("$OpenBSD: nchan.h,v 1.10 2001/02/28 08:54:55 markus Exp $"); */ #ifndef NCHAN_H #define NCHAN_H @@ -84,7 +84,7 @@ extern chan_event_fn *chan_write_failed; extern chan_event_fn *chan_obuf_empty; -extern chan_event_fn *chan_delete_if_full_closed; +int chan_is_dead(Channel * c); void chan_init_iostates(Channel * c); void chan_init(void); diff -ru openssh-2.5.1p2/openbsd-compat/Makefile.in openssh-2.5.2p1/openbsd-compat/Makefile.in --- openssh-2.5.1p2/openbsd-compat/Makefile.in 2001-02-24 11:24:20.000000000 +1100 +++ openssh-2.5.2p1/openbsd-compat/Makefile.in 2001-03-19 10:09:28.000000000 +1100 @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.6 2001/02/24 00:24:20 mouring Exp $ +# $Id: Makefile.in,v 1.9 2001/03/18 23:09:28 djm Exp $ sysconfdir=@sysconfdir@ piddir=@piddir@ 
@@ -9,14 +9,14 @@ CC=@CC@ LD=@LD@ CFLAGS=@CFLAGS@ -CPPFLAGS=@CPPFLAGS@ -I. -I.. -I$(srcdir) -I$(srcdir)/.. @DEFS@ +CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@ LIBS=@LIBS@ AR=@AR@ RANLIB=@RANLIB@ INSTALL=@INSTALL@ LDFLAGS=-L. @LDFLAGS@ -OPENBSD=base64.o bindresvport.o daemon.o getcwd.o getgrouplist.o inet_aton.o inet_ntoa.o mktemp.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtok.o vis.o +OPENBSD=base64.o bindresvport.o daemon.o getcwd.o getgrouplist.o getusershell.o glob.o inet_aton.o inet_ntoa.o mktemp.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtok.o vis.o COMPAT=bsd-arc4random.o bsd-cygwin_util.o bsd-misc.o bsd-nextstep.o bsd-snprintf.o bsd-waitpid.o fake-getaddrinfo.o fake-getnameinfo.o diff -ru openssh-2.5.1p2/openbsd-compat/bsd-arc4random.c openssh-2.5.2p1/openbsd-compat/bsd-arc4random.c --- openssh-2.5.1p2/openbsd-compat/bsd-arc4random.c 2001-02-09 12:55:36.000000000 +1100 +++ openssh-2.5.2p1/openbsd-compat/bsd-arc4random.c 2001-03-19 10:00:53.000000000 +1100 @@ -23,13 +23,15 @@ */ #include "includes.h" +#include "log.h" -RCSID("$Id: bsd-arc4random.c,v 1.2 2001/02/09 01:55:36 djm Exp $"); +RCSID("$Id: bsd-arc4random.c,v 1.4 2001/03/18 23:00:53 djm Exp $"); #ifndef HAVE_ARC4RANDOM #include #include +#include /* Size of key to use */ #define SEED_SIZE 20 @@ -43,10 +45,15 @@ unsigned int arc4random(void) { unsigned int r = 0; + static int first_time = 1; - if (rc4_ready <= 0) + if (rc4_ready <= 0) { + if (!first_time) + seed_rng(); + first_time = 0; arc4random_stir(); - + } + RC4(&rc4, sizeof(r), (unsigned char *)&r, (unsigned char *)&r); rc4_ready -= sizeof(r); 
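Review bot: The new first-call path in arc4random skips `seed_rng()` entirely (`if (!first_time) seed_rng();`), so correctness now depends on the program having seeded OpenSSL's pool at startup as the ChangeLog describes; a caller that reaches arc4random() before that point gets whatever `RAND_bytes` returns on an unseeded pool, which in this tree is a `fatal()` from arc4random_stir rather than weak output, but that dependency is invisible here. State it next to the test, `/* initial seeding is done by seed_rng() at program start; reseed only when re-keying */`. The name `first_time` also hides that every later rekey calls seed_rng() again, which appears intended; `reseed` would read more honestly. The tail of this function lies outside the hunk.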
@@ -57,17 +64,14 @@ void arc4random_stir(void) { unsigned char rand_buf[SEED_SIZE]; - - memset(&rc4, 0, sizeof(rc4)); - - seed_rng(); - RAND_bytes(rand_buf, sizeof(rand_buf)); - + memset(&rc4, 0, sizeof(rc4)); + if (!RAND_bytes(rand_buf, sizeof(rand_buf))) + fatal("Couldn't obtain random bytes (error %ld)", + ERR_get_error()); RC4_set_key(&rc4, sizeof(rand_buf), rand_buf); - memset(rand_buf, 0, sizeof(rand_buf)); - + rc4_ready = REKEY_BYTES; } #endif /* !HAVE_ARC4RANDOM */ diff -ru openssh-2.5.1p2/openbsd-compat/bsd-misc.c openssh-2.5.2p1/openbsd-compat/bsd-misc.c --- openssh-2.5.1p2/openbsd-compat/bsd-misc.c 2001-02-09 12:55:36.000000000 +1100 +++ openssh-2.5.2p1/openbsd-compat/bsd-misc.c 2001-03-14 10:38:20.000000000 +1100 @@ -26,7 +26,7 @@ #include "xmalloc.h" #include "ssh.h" -RCSID("$Id: bsd-misc.c,v 1.2 2001/02/09 01:55:36 djm Exp $"); +RCSID("$Id: bsd-misc.c,v 1.3 2001/03/13 23:38:20 mouring Exp $"); char *get_progname(char *argv0) { @@ -76,10 +76,10 @@ extern int sys_nerr; extern char *sys_errlist[]; - if ((e >= 0) || (e < sys_nerr)) - return("unlisted error"); - else + if ((e >= 0) && (e < sys_nerr)) return(sys_errlist[e]); + else + return("unlisted error"); } #endif diff -ru openssh-2.5.1p2/openbsd-compat/bsd-nextstep.h openssh-2.5.2p1/openbsd-compat/bsd-nextstep.h --- openssh-2.5.1p2/openbsd-compat/bsd-nextstep.h 2001-02-13 13:18:50.000000000 +1100 +++ openssh-2.5.2p1/openbsd-compat/bsd-nextstep.h 2001-03-20 00:42:22.000000000 +1100 @@ -21,7 +21,7 @@ * */ -/* $Id: bsd-nextstep.h,v 1.4 2001/02/13 02:18:50 mouring Exp $ */ +/* $Id: bsd-nextstep.h,v 1.6 2001/03/19 13:42:22 mouring Exp $ */ #ifndef _NEXT_POSIX_H #define _NEXT_POSIX_H 
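Review bot: arc4random_stir wipes the RC4 seed with a plain `memset(rand_buf, 0, sizeof(rand_buf))` on a stack buffer that is dead immediately afterwards, which an optimising compiler may drop entirely, leaving the key material on the stack. Unless the tree already has a non-elidable zeroing helper, a `volatile unsigned char *` clearing loop or at least a comment acknowledging the limitation is the usual answer; the `memset(&rc4, 0, sizeof(rc4))` before re-keying is followed by a write and so survives. The `fatal("Couldn't obtain random bytes (error %ld)", ERR_get_error())` is the right reaction to a failed `RAND_bytes`, but as I recall ERR_get_error returns an `unsigned long`, so `%lu` is the matching specifier.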
@@ -29,6 +29,10 @@ #ifdef HAVE_NEXT #include +/* NGROUPS_MAX is behind -lposix. Use the BSD version which is NGROUPS */ +#undef NGROUPS_MAX +#define NGROUPS_MAX NGROUPS + /* NeXT's readdir() is BSD (struct direct) not POSIX (struct dirent) */ #define dirent direct Only in openssh-2.5.2p1/openbsd-compat: getusershell.c Only in openssh-2.5.2p1/openbsd-compat: getusershell.h Only in openssh-2.5.2p1/openbsd-compat: glob.c Only in openssh-2.5.2p1/openbsd-compat: glob.h diff -ru openssh-2.5.1p2/openbsd-compat/openbsd-compat.h openssh-2.5.2p1/openbsd-compat/openbsd-compat.h --- openssh-2.5.1p2/openbsd-compat/openbsd-compat.h 2001-02-24 11:24:20.000000000 +1100 +++ openssh-2.5.2p1/openbsd-compat/openbsd-compat.h 2001-03-19 10:09:28.000000000 +1100 @@ -1,4 +1,4 @@ -/* $Id: openbsd-compat.h,v 1.3 2001/02/24 00:24:20 mouring Exp $ */ +/* $Id: openbsd-compat.h,v 1.5 2001/03/18 23:09:28 djm Exp $ */ #ifndef _OPENBSD_H #define _OPENBSD_H @@ -24,6 +24,8 @@ #include "vis.h" #include "setproctitle.h" #include "getgrouplist.h" +#include "glob.h" +#include "getusershell.h" /* Home grown routines */ #include "bsd-arc4random.h" diff -ru openssh-2.5.1p2/openbsd-compat/realpath.c openssh-2.5.2p1/openbsd-compat/realpath.c --- openssh-2.5.1p2/openbsd-compat/realpath.c 2001-02-01 08:52:03.000000000 +1100 +++ openssh-2.5.2p1/openbsd-compat/realpath.c 2001-03-19 14:12:26.000000000 +1100 @@ -45,13 +45,6 @@ #include /* - * S_ISLNK compatibility - */ -#ifndef S_ISLNK -#define S_ISLNK(m) ((m & 0170000) == 0120000) -#endif - -/* * MAXSYMLINKS */ #ifndef MAXSYMLINKS diff -ru openssh-2.5.1p2/packet.c openssh-2.5.2p1/packet.c --- openssh-2.5.1p2/packet.c 2001-02-27 14:03:30.000000000 +1100 +++ openssh-2.5.2p1/packet.c 2001-03-05 18:07:50.000000000 +1100 @@ -37,7 +37,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: packet.c,v 1.51 2001/02/12 22:56:09 deraadt Exp $"); +RCSID("$OpenBSD: packet.c,v 1.56 2001/03/03 21:41:07 millert Exp $"); #include "xmalloc.h" #include "buffer.h" 
@@ -389,7 +389,7 @@ void packet_start(int type) { - DBG(debug("packet_start[%d]",type)); + DBG(debug("packet_start[%d]", type)); if (use_ssh2_packet_format) packet_start2(type); else @@ -586,7 +586,7 @@ if (i % 4 == 0) rand = arc4random(); cp[i] = rand & 0xff; - rand <<= 8; + rand >>= 8; } } else { /* clear padding */ @@ -660,10 +660,13 @@ packet_read(int *payload_len_ptr) { int type, len; - fd_set set; + fd_set *setp; char buf[8192]; DBG(debug("packet_read()")); + setp = (fd_set *)xmalloc(howmany(connection_in+1, NFDBITS) * + sizeof(fd_mask)); + /* Since we are blocking, ensure that all written packets have been sent. */ packet_write_wait(); @@ -678,17 +681,20 @@ || type == SSH_CMSG_EXIT_CONFIRMATION)) packet_integrity_check(*payload_len_ptr, 0, type); /* If we got a packet, return it. */ - if (type != SSH_MSG_NONE) + if (type != SSH_MSG_NONE) { + xfree(setp); return type; + } /* * Otherwise, wait for some data to arrive, add it to the * buffer, and try again. */ - FD_ZERO(&set); - FD_SET(connection_in, &set); + memset(setp, 0, howmany(connection_in + 1, NFDBITS) * + sizeof(fd_mask)); + FD_SET(connection_in, setp); /* Wait for some data to arrive. */ - while (select(connection_in + 1, &set, NULL, NULL, NULL) == -1 && + while (select(connection_in + 1, setp, NULL, NULL, NULL) == -1 && (errno == EAGAIN || errno == EINTR)) ; @@ -942,7 +948,7 @@ } #ifdef PACKET_DEBUG - fprintf(stderr, "read/plain[%d]:\r\n",type); + fprintf(stderr, "read/plain[%d]:\r\n", type); buffer_dump(&incoming_packet); #endif return (u_char)type; 
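Review bot: packet_read now heap-allocates its fd_set with `xmalloc(howmany(connection_in+1, NFDBITS) * sizeof(fd_mask))` on every call and repeats the same size expression for the `memset`; compute it once into a local (`size_t setsz`) and, since `connection_in` is fixed for the session, consider allocating the buffer once rather than per packet. The only `xfree(setp)` visible is on the early-return path; the rest of the loop body and any other exit from packet_read lie outside this hunk, so please confirm setp is released (or the process leaves via fatal) on every path. The `select` loop retries only on EAGAIN/EINTR and any other failure falls through to the read that follows; that is pre-existing, but a comment saying the read will surface the error would help.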
@@ -1194,17 +1200,21 @@ void packet_write_wait() { + fd_set *setp; + + setp = (fd_set *)xmalloc(howmany(connection_out + 1, NFDBITS) * + sizeof(fd_mask)); packet_write_poll(); while (packet_have_data_to_write()) { - fd_set set; - - FD_ZERO(&set); - FD_SET(connection_out, &set); - while (select(connection_out + 1, NULL, &set, NULL, NULL) == -1 && + memset(setp, 0, howmany(connection_out + 1, NFDBITS) * + sizeof(fd_mask)); + FD_SET(connection_out, setp); + while (select(connection_out + 1, NULL, setp, NULL, NULL) == -1 && (errno == EAGAIN || errno == EINTR)) ; packet_write_poll(); } + xfree(setp); } /* Returns true if there is buffered data to write to the connection. */ 
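Review bot: packet_write_wait allocates and frees its fd_set on every call, and packet_read calls it for every packet, so this puts an xmalloc/xfree pair on the hot path where a once-per-connection buffer sized from `connection_out` would do. The expression `howmany(connection_out + 1, NFDBITS) * sizeof(fd_mask)` is written twice; compute it once into a local and reuse it for the allocation and the `memset`. A `select` failure other than EAGAIN/EINTR silently drops out of the inner loop and the code proceeds to `packet_write_poll()`; that is pre-existing, but a comment saying the write will report the error would make the intent clear.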
@@ -1305,3 +1315,65 @@ max_packet_size = s; return s; } + +/* + * 9.2. Ignored Data Message + * + * byte SSH_MSG_IGNORE + * string data + * + * All implementations MUST understand (and ignore) this message at any + * time (after receiving the protocol version). No implementation is + * required to send them. This message can be used as an additional + * protection measure against advanced traffic analysis techniques. + */ +/* size of current + ignore message should be n*sumlen bytes (w/o mac) */ +void +packet_inject_ignore(int sumlen) +{ + int blocksize, padlen, have, need, nb, mini, nbytes; + Enc *enc = NULL; + + if (use_ssh2_packet_format == 0) + return; + + have = buffer_len(&outgoing_packet); + debug2("packet_inject_ignore: current %d", have); + if (kex != NULL) + enc = &kex->enc[MODE_OUT]; + blocksize = enc ? enc->cipher->block_size : 8; + padlen = blocksize - (have % blocksize); + if (padlen < 4) + padlen += blocksize; + have += padlen; + have /= blocksize; /* # of blocks for current message */ + + nb = roundup(sumlen, blocksize) / blocksize; /* blocks for both */ + mini = roundup(5+1+4+4, blocksize) / blocksize; /* minsize ignore msg */ + need = nb - (have % nb); /* blocks for ignore */ + if (need <= mini) + need += nb; + nbytes = (need - mini) * blocksize; /* size of ignore payload */ + debug2("packet_inject_ignore: block %d have %d nb %d mini %d need %d", + blocksize, have, nb, mini, need); + + /* enqueue current message and append a ignore message */ + packet_send(); + packet_send_ignore(nbytes); +} + +void +packet_send_ignore(int nbytes) +{ + u_int32_t rand = 0; + int i; + + packet_start(compat20 ? 
SSH2_MSG_IGNORE : SSH_MSG_IGNORE); + packet_put_int(nbytes); + for(i = 0; i < nbytes; i++) { + if (i % 4 == 0) + rand = arc4random(); + packet_put_char(rand & 0xff); + rand >>= 8; + } +} diff -ru openssh-2.5.1p2/packet.h openssh-2.5.2p1/packet.h --- openssh-2.5.1p2/packet.h 2001-01-18 13:04:35.000000000 +1100 +++ openssh-2.5.2p1/packet.h 2001-03-05 17:28:07.000000000 +1100 @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: packet.h,v 1.19 2001/01/13 18:32:50 markus Exp $"); */ +/* RCSID("$OpenBSD: packet.h,v 1.21 2001/02/28 21:27:47 markus Exp $"); */ #ifndef PACKET_H #define PACKET_H @@ -214,4 +214,10 @@ /* returns remaining payload bytes */ int packet_remaining(void); +/* append an ignore message */ +void packet_send_ignore(int nbytes); + +/* add an ignore message and make sure size (current+ignore) = n*sumlen */ +void packet_inject_ignore(int sumlen); + #endif /* PACKET_H */ diff -ru openssh-2.5.1p2/readconf.c openssh-2.5.2p1/readconf.c --- openssh-2.5.1p2/readconf.c 2001-02-15 14:02:00.000000000 +1100 +++ openssh-2.5.2p1/readconf.c 2001-03-20 09:15:57.000000000 +1100 @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.62 2001/02/11 12:59:25 markus Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.68 2001/03/19 17:07:23 markus Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -109,7 +109,8 @@ oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, - oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias + oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, + oPreferredAuthentications } OpCodes; /* Textual representations of the tokens. */ 
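Review bot: packet_inject_ignore() divides by `nb` in `need = nb - (have % nb)`, and `nb` is 0 whenever `sumlen` is ≤ 0 (`roundup(0, blocksize)` is 0), so a caller passing a zero or negative `sumlen` traps; an early guard, `if (sumlen <= 0) return;`, is cheap and keeps the arithmetic below total. packet_send_ignore() likewise takes a signed `nbytes` and emits it through `packet_put_int()` before the loop, so a negative value would announce a string length near 4 GiB while the loop writes nothing; clamping with `if (nbytes < 0) nbytes = 0;` keeps the wire length honest. Whether present callers can pass such values is not visible in this diff; both functions are complete within the hunk.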
@@ -171,6 +172,7 @@ { "keepalive", oKeepAlives }, { "numberofpasswordprompts", oNumberOfPasswordPrompts }, { "loglevel", oLogLevel }, + { "preferredauthentications", oPreferredAuthentications }, { NULL, 0 } }; @@ -187,7 +189,7 @@ #ifndef HAVE_CYGWIN extern uid_t original_real_uid; if (port < IPPORT_RESERVED && original_real_uid != 0) - fatal("Privileged ports can only be forwarded by root.\n"); + fatal("Privileged ports can only be forwarded by root."); #endif if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION) fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION); @@ -446,6 +448,10 @@ charptr = &options->host_key_alias; goto parse_string; + case oPreferredAuthentications: + charptr = &options->preferred_authentications; + goto parse_string; + case oProxyCommand: charptr = &options->proxy_command; string = xstrdup(""); @@ -534,7 +540,7 @@ arg = strdelim(&s); value = log_level_number(arg); if (value == (LogLevel) - 1) - fatal("%.200s line %d: unsupported log level '%s'\n", + fatal("%.200s line %d: unsupported log level '%s'", filename, linenum, arg ? arg : ""); if (*activep && (LogLevel) * intptr == -1) *intptr = (LogLevel) value; @@ -659,7 +665,7 @@ } fclose(f); if (bad_options > 0) - fatal("%s: terminating, %d bad configuration options\n", + fatal("%s: terminating, %d bad configuration options", filename, bad_options); } @@ -722,6 +728,7 @@ options->num_local_forwards = 0; options->num_remote_forwards = 0; options->log_level = (LogLevel) - 1; + options->preferred_authentications = NULL; } /* @@ -745,7 +752,7 @@ if (options->gateway_ports == -1) options->gateway_ports = 0; if (options->use_privileged_port == -1) - options->use_privileged_port = 1; + options->use_privileged_port = 0; if (options->rhosts_authentication == -1) options->rhosts_authentication = 1; if (options->rsa_authentication == -1) 
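Review bot: In the `@@ -745` hunk `use_privileged_port` now defaults to 0 while `rhosts_authentication` two lines below still defaults to 1, and the rhosts-style methods are the ones that presumably depend on a privileged source port, so an enabled-by-default method can no longer succeed unless the user also turns UsePrivilegedPort back on; the hunk does not explain the mismatch. If that is intended (method available only to users who opt in), say so at the default, `/* off by default; rhosts methods need UsePrivilegedPort yes */`, and in the ssh_config manual. fill_default_options() continues beyond the hunk.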
@@ -808,6 +815,12 @@ len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY); } if (options->protocol & SSH_PROTO_2) { + len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1; + options->identity_files[options->num_identity_files] = + xmalloc(len); + snprintf(options->identity_files[options->num_identity_files++], + len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA); + len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1; options->identity_files[options->num_identity_files] = xmalloc(len); @@ -831,4 +844,5 @@ /* options->user will be set in the main program if appropriate */ /* options->hostname will be set in the main program if appropriate */ /* options->host_key_alias should not be set by default */ + /* options->preferred_authentications will be set in ssh */ } diff -ru openssh-2.5.1p2/readconf.h openssh-2.5.2p1/readconf.h --- openssh-2.5.1p2/readconf.h 2001-02-15 14:02:00.000000000 +1100 +++ openssh-2.5.2p1/readconf.h 2001-03-11 12:49:20.000000000 +1100 @@ -11,11 +11,13 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: readconf.h,v 1.26 2001/02/11 12:59:25 markus Exp $"); */ +/* RCSID("$OpenBSD: readconf.h,v 1.28 2001/03/10 17:51:04 markus Exp $"); */ #ifndef READCONF_H #define READCONF_H +#include "key.h" + /* Data structure for representing a forwarding request. */ typedef struct { @@ -80,10 +82,11 @@ char *user_hostfile; /* Path for $HOME/.ssh/known_hosts. */ char *system_hostfile2; char *user_hostfile2; + char *preferred_authentications; int num_identity_files; /* Number of files for RSA/DSA identities. */ char *identity_files[SSH_MAX_IDENTITY_FILES]; - int identity_files_type[SSH_MAX_IDENTITY_FILES]; + Key *identity_keys[SSH_MAX_IDENTITY_FILES]; /* Local TCP/IP forward requests. */ int num_local_forwards; diff -ru openssh-2.5.1p2/rijndael.h openssh-2.5.2p1/rijndael.h --- openssh-2.5.1p2/rijndael.h 2001-01-29 18:39:26.000000000 +1100 +++ openssh-2.5.2p1/rijndael.h 2001-03-05 17:50:48.000000000 +1100 
@@ -1,4 +1,18 @@ -/* $OpenBSD: rijndael.h,v 1.6 2001/01/29 01:58:17 niklas Exp $ */ +/* $OpenBSD: rijndael.h,v 1.7 2001/03/01 03:38:33 deraadt Exp $ */ + +/* This is an independent implementation of the encryption algorithm: */ +/* */ +/* RIJNDAEL by Joan Daemen and Vincent Rijmen */ +/* */ +/* which is a candidate algorithm in the Advanced Encryption Standard */ +/* programme of the US National Institute of Standards and Technology. */ +/* */ +/* Copyright in this implementation is held by Dr B R Gladman but I */ +/* hereby give permission for its free direct or derivative use subject */ +/* to acknowledgment of its origin and compliance with any conditions */ +/* that the originators of the algorithm place on its exploitation. */ +/* */ +/* Dr Brian Gladman (gladman@seven77.demon.co.uk) 14th January 1999 */ #ifndef _RIJNDAEL_H_ #define _RIJNDAEL_H_ diff -ru openssh-2.5.1p2/scp.c openssh-2.5.2p1/scp.c --- openssh-2.5.1p2/scp.c 2001-02-19 21:51:08.000000000 +1100 +++ openssh-2.5.2p1/scp.c 2001-03-19 14:09:40.000000000 +1100 @@ -14,8 +14,8 @@ * called by a name other than "ssh" or "Secure Shell". */ /* - * Copyright (c) 1999 Theo de Raadt. All rights reserved. - * Copyright (c) 1999 Aaron Campbell. All rights reserved. + * Copyright (c) 1999 Theo de Raadt. All rights reserved. + * Copyright (c) 1999 Aaron Campbell. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -75,7 +75,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: scp.c,v 1.59 2001/02/19 10:36:25 deraadt Exp $"); +RCSID("$OpenBSD: scp.c,v 1.61 2001/03/15 15:05:59 markus Exp $"); #include "xmalloc.h" #include "atomicio.h" 
@@ -545,9 +545,17 @@ goto next; } #define FILEMODEMASK (S_ISUID|S_ISGID|S_IRWXU|S_IRWXG|S_IRWXO) +#ifdef HAVE_LONG_LONG_INT + snprintf(buf, sizeof buf, "C%04o %lld %s\n", + (u_int) (stb.st_mode & FILEMODEMASK), + (long long) stb.st_size, last); +#else + /* XXX: Handle integer overflow? */ snprintf(buf, sizeof buf, "C%04o %lu %s\n", (u_int) (stb.st_mode & FILEMODEMASK), (u_long) stb.st_size, last); +#endif + if (verbose_mode) { fprintf(stderr, "Sending file modes: %s", buf); fflush(stderr); diff -ru openssh-2.5.1p2/servconf.c openssh-2.5.2p1/servconf.c --- openssh-2.5.1p2/servconf.c 2001-02-15 14:08:27.000000000 +1100 +++ openssh-2.5.2p1/servconf.c 2001-03-06 12:02:41.000000000 +1100 @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.67 2001/02/12 16:16:23 markus Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.71 2001/03/05 15:44:51 stevesk Exp $"); #ifdef KRB4 #include @@ -209,7 +209,7 @@ sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, - sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, + sStrictModes, sEmptyPasswd, sKeepAlives, sCheckMail, sUseLogin, sAllowTcpForwarding, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, @@ -261,7 +261,6 @@ { "strictmodes", sStrictModes }, { "permitemptypasswords", sEmptyPasswd }, { "uselogin", sUseLogin }, - { "randomseed", sRandomSeedFile }, { "keepalive", sKeepAlives }, { "allowtcpforwarding", sAllowTcpForwarding }, { "allowusers", sAllowUsers }, @@ -319,7 +318,7 @@ hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; snprintf(strport, sizeof strport, "%d", options->ports[i]); if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) - fatal("bad addr or host: %s (%s)\n", + fatal("bad addr or host: %s (%s)", addr ? addr : "", gai_strerror(gaierr)); for (ai = aitop; ai->ai_next; ai = ai->ai_next) 
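Review bot: The `#else` branch still formats `stb.st_size` through `(u_long)`, so on a platform with a 64-bit `off_t` but no `long long` a file larger than `ULONG_MAX` announces a truncated size in the `C` line and the receiver stops reading early; the `XXX` comment names the problem but the code does nothing about it. Refusing the file is simpler than handling it: before the snprintf, `if ((off_t)(u_long)stb.st_size != stb.st_size) { run_err("%s: file too large", name); goto next; }` (using whichever error reporter the surrounding loop already uses — `goto next` is visible two lines above). The `%lld` branch is fine. The enclosing loop in source() starts and ends outside the hunk.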
@@ -372,11 +371,11 @@ fatal("%s line %d: ports must be specified before " "ListenAdress.\n", filename, linenum); if (options->num_ports >= MAX_PORTS) - fatal("%s line %d: too many ports.\n", + fatal("%s line %d: too many ports.", filename, linenum); arg = strdelim(&cp); if (!arg || *arg == '\0') - fatal("%s line %d: missing port number.\n", + fatal("%s line %d: missing port number.", filename, linenum); options->ports[options->num_ports++] = atoi(arg); break; @@ -406,7 +405,7 @@ case sListenAddress: arg = strdelim(&cp); if (!arg || *arg == '\0') - fatal("%s line %d: missing inet addr.\n", + fatal("%s line %d: missing inet addr.", filename, linenum); add_listen_addr(options, arg); break; @@ -414,7 +413,8 @@ case sHostKeyFile: intptr = &options->num_host_key_files; if (*intptr >= MAX_HOSTKEYS) { - fprintf(stderr, "%s line %d: to many host keys specified (max %d).\n", + fprintf(stderr, + "%s line %d: too many host keys specified (max %d).\n", filename, linenum, MAX_HOSTKEYS); exit(1); } @@ -438,18 +438,13 @@ charptr = &options->pid_file; goto parse_filename; - case sRandomSeedFile: - fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n", - filename, linenum); - arg = strdelim(&cp); - break; - case sPermitRootLogin: intptr = &options->permit_root_login; arg = strdelim(&cp); if (!arg || *arg == '\0') { - fprintf(stderr, "%s line %d: missing yes/without-password/no argument.\n", - filename, linenum); + fprintf(stderr, "%s line %d: missing yes/" + "without-password/forced-commands-only/no " + "argument.\n", filename, linenum); exit(1); } if (strcmp(arg, "without-password") == 0) @@ -597,7 +592,7 @@ arg = strdelim(&cp); value = log_facility_number(arg); if (value == (SyslogFacility) - 1) - fatal("%.200s line %d: unsupported log facility '%s'\n", + fatal("%.200s line %d: unsupported log facility '%s'", filename, linenum, arg ? arg : ""); if (*intptr == -1) *intptr = (SyslogFacility) value; 
@@ -608,7 +603,7 @@ arg = strdelim(&cp); value = log_level_number(arg); if (value == (LogLevel) - 1) - fatal("%.200s line %d: unsupported log level '%s'\n", + fatal("%.200s line %d: unsupported log level '%s'", filename, linenum, arg ? arg : ""); if (*intptr == -1) *intptr = (LogLevel) value; @@ -621,7 +616,7 @@ case sAllowUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_allow_users >= MAX_ALLOW_USERS) - fatal("%s line %d: too many allow users.\n", + fatal("%s line %d: too many allow users.", filename, linenum); options->allow_users[options->num_allow_users++] = xstrdup(arg); } @@ -630,7 +625,7 @@ case sDenyUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_deny_users >= MAX_DENY_USERS) - fatal( "%s line %d: too many deny users.\n", + fatal( "%s line %d: too many deny users.", filename, linenum); options->deny_users[options->num_deny_users++] = xstrdup(arg); } @@ -639,7 +634,7 @@ case sAllowGroups: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_allow_groups >= MAX_ALLOW_GROUPS) - fatal("%s line %d: too many allow groups.\n", + fatal("%s line %d: too many allow groups.", filename, linenum); options->allow_groups[options->num_allow_groups++] = xstrdup(arg); } @@ -648,7 +643,7 @@ case sDenyGroups: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_deny_groups >= MAX_DENY_GROUPS) - fatal("%s line %d: too many deny groups.\n", + fatal("%s line %d: too many deny groups.", filename, linenum); options->deny_groups[options->num_deny_groups++] = xstrdup(arg); } diff -ru openssh-2.5.1p2/serverloop.c openssh-2.5.2p1/serverloop.c --- openssh-2.5.1p2/serverloop.c 2001-02-19 21:51:08.000000000 +1100 +++ openssh-2.5.2p1/serverloop.c 2001-03-17 11:47:55.000000000 +1100 
@@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". * * SSH2 support by Markus Friedl. - * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2000 Markus Friedl. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: serverloop.c,v 1.50 2001/02/19 09:53:32 markus Exp $"); +RCSID("$OpenBSD: serverloop.c,v 1.55 2001/03/16 19:06:29 markus Exp $"); #include "xmalloc.h" #include "packet.h" @@ -245,7 +245,7 @@ tvp = &tv; } if (tvp!=NULL) - debug2("tvp!=NULL kid %d mili %d", child_terminated, max_time_milliseconds); + debug3("tvp!=NULL kid %d mili %d", child_terminated, max_time_milliseconds); /* Wait for something to happen, or the timeout to expire. */ ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp); @@ -345,9 +345,7 @@ * Simulate echo to reduce the impact of * traffic analysis */ - packet_start(SSH_MSG_IGNORE); - memset(buffer_ptr(&stdin_buffer), 0, len); - packet_put_string(buffer_ptr(&stdin_buffer), len); + packet_send_ignore(len); packet_send(); } /* Consume the data from the buffer. */ @@ -758,11 +756,6 @@ originator, originator_port, target, target_port); /* XXX check permission */ - if (no_port_forwarding_flag || !options.allow_tcp_forwarding) { - xfree(target); - xfree(originator); - return NULL; - } sock = channel_connect_to(target, target_port); xfree(target); xfree(originator); @@ -860,6 +853,7 @@ want_reply = packet_get_char(); debug("server_input_global_request: rtype %s want_reply %d", rtype, want_reply); + /* -R style forwarding */ if (strcmp(rtype, "tcpip-forward") == 0) { struct passwd *pw; char *listen_address; diff -ru openssh-2.5.1p2/session.c openssh-2.5.2p1/session.c --- openssh-2.5.1p2/session.c 2001-02-28 11:46:11.000000000 +1100 +++ openssh-2.5.2p1/session.c 2001-03-17 11:47:55.000000000 +1100 
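Review bot: The `@@ -758` hunk drops the explicit `no_port_forwarding_flag || !options.allow_tcp_forwarding` refusal from the direct-tcpip request handler but leaves the `/* XXX check permission */` comment above `channel_connect_to()`, so a reader can no longer tell where the policy gate now lives; presumably it is enforced through the permitted-opens table that `channel_permit_all_opens()` fills only when forwarding is allowed (see the do_authenticated2 hunk in session.c), with the check itself in channel_connect_to() outside this diff. Once that is confirmed, replace the stale comment with `/* permission is checked against the permitted-opens table in channel_connect_to() */`, since this handler is where a reviewer will look for the check. In the `@@ -345` hunk, `packet_send_ignore(len)` is followed by an explicit `packet_send()` here while packet_inject_ignore() in packet.c calls both itself; a comment that packet_send_ignore() only builds the message would prevent a forgotten packet_send() in a future caller. Both enclosing functions start and end outside their hunks.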
@@ -9,7 +9,7 @@ * called by a name other than "ssh" or "Secure Shell". * * SSH2 support by Markus Friedl. - * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2000 Markus Friedl. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.57 2001/02/23 15:37:45 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.61 2001/03/16 19:06:30 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -89,6 +89,10 @@ # define S_UNOFILE_HARD S_UNOFILE "_hard" #endif +#ifdef _AIX +# include +#endif + /* types */ #define TTYSZ 64 @@ -123,11 +127,7 @@ void do_exec_pty(Session *s, const char *command, struct passwd * pw); void do_exec_no_pty(Session *s, const char *command, struct passwd * pw); void do_login(Session *s, const char *command); - -void -do_child(const char *command, struct passwd * pw, const char *term, - const char *display, const char *auth_proto, - const char *auth_data, const char *ttyname); +void do_child(Session *s, const char *command); /* import */ extern ServerOptions options; @@ -228,13 +228,6 @@ startup_pipe = -1; } - /* - * Inform the channel mechanism that we are the server side and that - * the client may request to connect to any port at all. (The user - * could do it anyway, and we wouldn\'t know what is permitted except - * by the client telling us, so we can equally well trust the client - * not to request anything bogus.) - */ if (!no_port_forwarding_flag && options.allow_tcp_forwarding) channel_permit_all_opens(); @@ -543,7 +536,7 @@ #endif /* USE_PIPES */ /* Do processing for the child (exec command etc). */ - do_child(command, pw, NULL, s->display, s->auth_proto, s->auth_data, NULL); + do_child(s, command); /* NOTREACHED */ } #ifdef HAVE_CYGWIN 
@@ -641,8 +634,7 @@ do_login(s, command); /* Do common processing for the child, such as execing the command. */ - do_child(command, pw, s->term, s->display, s->auth_proto, - s->auth_data, s->tty); + do_child(s, command); /* NOTREACHED */ } #ifdef HAVE_CYGWIN @@ -1008,11 +1000,10 @@ * ids, and executing the command or shell. */ void -do_child(const char *command, struct passwd * pw, const char *term, - const char *display, const char *auth_proto, - const char *auth_data, const char *ttyname) +do_child(Session *s, const char *command) { const char *shell, *hostname = NULL, *cp = NULL; + struct passwd * pw = s->pw; char buf[256]; char cmd[1024]; FILE *f = NULL; @@ -1021,6 +1012,7 @@ extern char **environ; struct stat st; char *argv[10]; + int do_xauth = s->auth_proto != NULL && s->auth_data != NULL; #ifdef WITH_IRIX_PROJECT prid_t projid; #endif /* WITH_IRIX_PROJECT */ @@ -1136,6 +1128,23 @@ } #endif /* WITH_IRIX_AUDIT */ +#ifdef _AIX + /* + * AIX has a "usrinfo" area where logname and + * other stuff is stored - a few applications + * actually use this and die if it's not set + */ + cp = xmalloc(22 + strlen(ttyname) + + 2 * strlen(pw->pw_name)); + i = sprintf(cp, "LOGNAME=%s%cNAME=%s%cTTY=%s%c%c", + pw->pw_name, 0, pw->pw_name, 0, ttyname, 0,0); + if (usrinfo(SETUINFO, cp, i) == -1) + fatal("Couldn't set usrinfo: %s", + strerror(errno)); + debug3("AIX/UsrInfo: set len %d", i); + xfree(cp); +#endif + /* Permanently switch to the desired uid. */ permanently_set_uid(pw->pw_uid); # endif /* HAVE_LOGIN_CAP */ 
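Review bot: The new `#ifdef _AIX` usrinfo block in do_child() references `ttyname`, but this same commit changes the signature to `do_child(Session *s, const char *command)` and removes the `ttyname` parameter; unless a local of that name is declared in lines outside the hunk, the identifier now resolves to libc's `ttyname()` function, and `strlen(ttyname)` is a type error (or, for a no-pty session, a NULL dereference under the old contract). The rest of the new code reads the tty from `s->tty` and gates on `s->ttyfd != -1` (see the SSH_TTY hunk), so the block should do the same; it should also not write through `cp`, which is declared `const char *` at the top of the function, and should use snprintf with the computed size instead of sprintf so the hand-counted 22 cannot silently go stale. Assuming `i` is an int already declared in do_child(), the block becomes the following; if usrinfo must also be set for sessions without a tty, pass `""` for TTY instead of skipping. do_child() starts and ends outside this hunk.
```c
#ifdef _AIX
	/* … unchanged: comment explaining the AIX usrinfo area … */
	if (s->ttyfd != -1) {
		size_t ulen = 22 + strlen(s->tty) + 2 * strlen(pw->pw_name);
		char *uinfo = xmalloc(ulen);

		i = snprintf(uinfo, ulen, "LOGNAME=%s%cNAME=%s%cTTY=%s%c%c",
		    pw->pw_name, 0, pw->pw_name, 0, s->tty, 0, 0);
		if (i < 0 || (size_t)i >= ulen)
			fatal("usrinfo buffer too small");
		if (usrinfo(SETUINFO, uinfo, i) == -1)
			fatal("Couldn't set usrinfo: %s", strerror(errno));
		debug3("AIX/UsrInfo: set len %d", i);
		xfree(uinfo);
	}
#endif
```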
@@ -1231,12 +1240,12 @@ get_remote_ipaddr(), get_remote_port(), get_local_port()); child_set_env(&env, &envsize, "SSH_CLIENT", buf); - if (ttyname) - child_set_env(&env, &envsize, "SSH_TTY", ttyname); - if (term) - child_set_env(&env, &envsize, "TERM", term); - if (display) - child_set_env(&env, &envsize, "DISPLAY", display); + if (s->ttyfd != -1) + child_set_env(&env, &envsize, "SSH_TTY", s->tty); + if (s->term) + child_set_env(&env, &envsize, "TERM", s->term); + if (s->display) + child_set_env(&env, &envsize, "DISPLAY", s->display); if (original_command) child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", original_command); 
@@ -1342,60 +1351,64 @@ if (!options.use_login) { if (stat(_PATH_SSH_USER_RC, &st) >= 0) { if (debug_flag) - fprintf(stderr, "Running %s %s\n", _PATH_BSHELL, _PATH_SSH_USER_RC); - + fprintf(stderr, "Running %s %s\n", _PATH_BSHELL, + _PATH_SSH_USER_RC); f = popen(_PATH_BSHELL " " _PATH_SSH_USER_RC, "w"); if (f) { - if (auth_proto != NULL && auth_data != NULL) - fprintf(f, "%s %s\n", auth_proto, auth_data); + if (do_xauth) + fprintf(f, "%s %s\n", s->auth_proto, + s->auth_data); pclose(f); } else - fprintf(stderr, "Could not run %s\n", _PATH_SSH_USER_RC); + fprintf(stderr, "Could not run %s\n", + _PATH_SSH_USER_RC); } else if (stat(_PATH_SSH_SYSTEM_RC, &st) >= 0) { if (debug_flag) - fprintf(stderr, "Running %s %s\n", _PATH_BSHELL, _PATH_SSH_SYSTEM_RC); + fprintf(stderr, "Running %s %s\n", _PATH_BSHELL, + _PATH_SSH_SYSTEM_RC); f = popen(_PATH_BSHELL " " _PATH_SSH_SYSTEM_RC, "w"); if (f) { - if (auth_proto != NULL && auth_data != NULL) - fprintf(f, "%s %s\n", auth_proto, auth_data); + if (do_xauth) + fprintf(f, "%s %s\n", s->auth_proto, + s->auth_data); pclose(f); } else - fprintf(stderr, "Could not run %s\n", _PATH_SSH_SYSTEM_RC); - } else if (options.xauth_location != NULL) { + fprintf(stderr, "Could not run %s\n", + _PATH_SSH_SYSTEM_RC); + } else if (do_xauth && options.xauth_location != NULL) { /* Add authority data to .Xauthority if appropriate. 
*/ - if (auth_proto != NULL && auth_data != NULL) { - char *screen = strchr(display, ':'); - if (debug_flag) { + char *screen = strchr(s->display, ':'); + + if (debug_flag) { + fprintf(stderr, + "Running %.100s add " + "%.100s %.100s %.100s\n", + options.xauth_location, s->display, + s->auth_proto, s->auth_data); + if (screen != NULL) fprintf(stderr, - "Running %.100s add %.100s %.100s %.100s\n", - options.xauth_location, display, - auth_proto, auth_data); -#ifndef NO_X11_UNIX_SOCKETS - if (screen != NULL) - fprintf(stderr, - "Adding %.*s/unix%s %s %s\n", - (int)(screen-display), display, - screen, auth_proto, auth_data); -#endif /* NO_X11_UNIX_SOCKETS */ - } - snprintf(cmd, sizeof cmd, "%s -q -", - options.xauth_location); - f = popen(cmd, "w"); - if (f) { - fprintf(f, "add %s %s %s\n", display, - auth_proto, auth_data); -#ifndef NO_X11_UNIX_SOCKETS - if (screen != NULL) - fprintf(f, "add %.*s/unix%s %s %s\n", - (int)(screen-display), display, - screen, auth_proto, auth_data); -#endif /* NO_X11_UNIX_SOCKETS */ - pclose(f); - } else { - fprintf(stderr, "Could not run %s\n", - cmd); - } + "Adding %.*s/unix%s %s %s\n", + (int)(screen - s->display), + s->display, screen, + s->auth_proto, s->auth_data); + } + snprintf(cmd, sizeof cmd, "%s -q -", + options.xauth_location); + f = popen(cmd, "w"); + if (f) { + fprintf(f, "add %s %s %s\n", s->display, + s->auth_proto, s->auth_data); + if (screen != NULL) + fprintf(f, "add %.*s/unix%s %s %s\n", + (int)(screen - s->display), + s->display, screen, + s->auth_proto, + s->auth_data); + pclose(f); + } else { + fprintf(stderr, "Could not run %s\n", + cmd); } } /* Get the last component of the shell name. */ @@ -1418,9 +1431,10 @@ * Check for mail if we have a tty and it was enabled * in server options. */ - if (ttyname && options.check_mail) { + if (s->ttyfd != -1 && options.check_mail) { char *mailbox; struct stat mailstat; + mailbox = getenv("MAIL"); if (mailbox != NULL) { if (stat(mailbox, &mailstat) != 0 || 
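Review bot: In the xauth branch `s->auth_proto` and `s->auth_data` are written verbatim into the `xauth -q -` command stream (`fprintf(f, "add %s %s %s\n", ...)`), and the new `do_xauth` flag only checks that they are non-NULL; if these strings originate from the client's X11 forwarding request, as the field names suggest (their source is outside this diff), a value containing a newline or whitespace would be taken by xauth as further input lines. Validating them where they are received — the protocol name as alphanumerics, dashes and underscores, the cookie as hex digits — or at minimum rejecting embedded `\n`/`\r` before the popen() here, closes that off. Separately, the rewrite drops the `#ifndef NO_X11_UNIX_SOCKETS` guards around the `/unix` entries; if the portable configure still defines that symbol for some platforms, the workaround is silently lost. do_child() starts and ends outside this hunk.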
@@ -2016,6 +2030,8 @@ close(startup_pipe); startup_pipe = -1; } + if (!no_port_forwarding_flag && options.allow_tcp_forwarding) + channel_permit_all_opens(); #if defined(HAVE_LOGIN_CAP) && defined(HAVE_PW_CLASS_IN_PASSWD) if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL) { error("unable to get login class"); diff -ru openssh-2.5.1p2/sftp-client.c openssh-2.5.2p1/sftp-client.c --- openssh-2.5.1p2/sftp-client.c 2001-02-25 13:02:43.000000000 +1100 +++ openssh-2.5.2p1/sftp-client.c 2001-03-19 22:29:47.000000000 +1100 @@ -29,7 +29,7 @@ /* XXX: copy between two remote sites */ #include "includes.h" -RCSID("$OpenBSD: sftp-client.c,v 1.10 2001/02/14 09:46:03 djm Exp $"); +RCSID("$OpenBSD: sftp-client.c,v 1.15 2001/03/19 10:52:51 djm Exp $"); #include "ssh.h" #include "buffer.h" @@ -77,7 +77,9 @@ unsigned char buf[4096]; len = atomicio(read, fd, buf, 4); - if (len != 4) + if (len == 0) + fatal("Connection closed"); + else if (len == -1) fatal("Couldn't read packet: %s", strerror(errno)); msg_len = GET_32BIT(buf); @@ -86,7 +88,9 @@ while (msg_len) { len = atomicio(read, fd, buf, MIN(msg_len, sizeof(buf))); - if (len <= 0) + if (len == 0) + fatal("Connection closed"); + else if (len == -1) fatal("Couldn't read packet: %s", strerror(errno)); msg_len -= len; @@ -180,7 +184,7 @@ } Attrib * -get_decode_stat(int fd, u_int expected_id) +get_decode_stat(int fd, u_int expected_id, int quiet) { Buffer msg; u_int type, id; @@ -198,7 +202,10 @@ if (type == SSH2_FXP_STATUS) { int status = buffer_get_int(&msg); - error("Couldn't stat remote file: %s", fx2txt(status)); + if (quiet) + debug("Couldn't stat remote file: %s", fx2txt(status)); + else + error("Couldn't stat remote file: %s", fx2txt(status)); return(NULL); } else if (type != SSH2_FXP_ATTRS) { fatal("Expected SSH2_FXP_ATTRS(%d) packet, got %d", @@ -247,7 +254,8 @@ } buffer_free(&msg); - return(0); + + return(version); } int 
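Review bot: The new `len == 0` / `len == -1` arms in get_msg() (the sftp-client.c `@@ -77` hunk) no longer reject a short header read, which the old `len != 4` did; that is safe only because atomicio() returns 0 or -1 rather than a partial count on EOF or error (its definition is outside this diff), so an explicit third arm, `else if (len != 4) fatal("Short read of packet header");`, keeps the invariant visible instead of implied. While here, `msg_len = GET_32BIT(buf)` is taken from the peer unchecked and drives the read-and-append loop in the next hunk, so a broken or hostile server can make the client allocate up to 4 GiB; a cap before the loop, `if (msg_len > MAX_SFTP_MSG_LEN) fatal("Received message too long %u", msg_len);` with `MAX_SFTP_MSG_LEN` a constant you define, is cheap insurance. get_msg() starts outside the hunk.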
@@ -274,11 +282,13 @@ return(status); } + int -do_ls(int fd_in, int fd_out, char *path) +do_lsreaddir(int fd_in, int fd_out, char *path, int printflag, + SFTP_DIRENT ***dir) { Buffer msg; - u_int type, id, handle_len, i, expected_id; + u_int type, id, handle_len, i, expected_id, ents = 0; char *handle; id = msg_id++; @@ -295,6 +305,13 @@ if (handle == NULL) return(-1); + if (dir) { + ents = 0; + *dir = xmalloc(sizeof(**dir)); + (*dir)[0] = NULL; + } + + for(;;) { int count; @@ -349,7 +366,18 @@ longname = buffer_get_string(&msg, NULL); a = decode_attrib(&msg); - printf("%s\n", longname); + if (printflag) + printf("%s\n", longname); + + if (dir) { + *dir = xrealloc(*dir, sizeof(**dir) * + (ents + 2)); + (*dir)[ents] = xmalloc(sizeof(***dir)); + (*dir)[ents]->filename = xstrdup(filename); + (*dir)[ents]->longname = xstrdup(longname); + memcpy(&(*dir)[ents]->a, a, sizeof(*a)); + (*dir)[++ents] = NULL; + } xfree(filename); xfree(longname); @@ -364,6 +392,30 @@ } int +do_ls(int fd_in, int fd_out, char *path) +{ + return(do_lsreaddir(fd_in, fd_out, path, 1, NULL)); +} + +int +do_readdir(int fd_in, int fd_out, char *path, SFTP_DIRENT ***dir) +{ + return(do_lsreaddir(fd_in, fd_out, path, 0, dir)); +} + +void free_sftp_dirents(SFTP_DIRENT **s) +{ + int i; + + for(i = 0; s[i]; i++) { + xfree(s[i]->filename); + xfree(s[i]->longname); + xfree(s[i]); + } + xfree(s); +} + +int do_rm(int fd_in, int fd_out, char *path) { u_int status, id; 
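Review bot: do_lsreaddir() allocates `*dir` before the read loop, but the loop body and its error exits are outside this hunk, so I cannot see whether a non-EOF status from the server frees the partially filled array before returning; if it does not, the caller is handed a populated `*dir` alongside a failure code and will either leak it or use it. Either release it on that path — free_sftp_dirents() added further down does exactly that — and set `*dir = NULL`, or state in the sftp-client.h comment for do_readdir() that `*dir` must be freed by the caller even on failure. The function starts and ends outside the hunk.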
@@ -410,34 +462,33 @@ } Attrib * -do_stat(int fd_in, int fd_out, char *path) +do_stat(int fd_in, int fd_out, char *path, int quiet) { u_int id; id = msg_id++; send_string_request(fd_out, id, SSH2_FXP_STAT, path, strlen(path)); - return(get_decode_stat(fd_in, id)); + return(get_decode_stat(fd_in, id, quiet)); } Attrib * -do_lstat(int fd_in, int fd_out, char *path) +do_lstat(int fd_in, int fd_out, char *path, int quiet) { u_int id; id = msg_id++; send_string_request(fd_out, id, SSH2_FXP_LSTAT, path, strlen(path)); - return(get_decode_stat(fd_in, id)); + return(get_decode_stat(fd_in, id, quiet)); } Attrib * -do_fstat(int fd_in, int fd_out, char *handle, - u_int handle_len) +do_fstat(int fd_in, int fd_out, char *handle, u_int handle_len, int quiet) { u_int id; id = msg_id++; send_string_request(fd_out, id, SSH2_FXP_FSTAT, handle, handle_len); - return(get_decode_stat(fd_in, id)); + return(get_decode_stat(fd_in, id, quiet)); } int @@ -483,8 +534,7 @@ Attrib *a; expected_id = id = msg_id++; - send_string_request(fd_out, id, SSH2_FXP_REALPATH, path, - strlen(path)); + send_string_request(fd_out, id, SSH2_FXP_REALPATH, path, strlen(path)); buffer_init(&msg); 
@@ -549,6 +599,79 @@ } int +do_symlink(int fd_in, int fd_out, char *oldpath, char *newpath) +{ + Buffer msg; + u_int status, id; + + buffer_init(&msg); + + /* Send rename request */ + id = msg_id++; + buffer_put_char(&msg, SSH2_FXP_SYMLINK); + buffer_put_int(&msg, id); + buffer_put_cstring(&msg, oldpath); + buffer_put_cstring(&msg, newpath); + send_msg(fd_out, &msg); + debug3("Sent message SSH2_FXP_SYMLINK \"%s\" -> \"%s\"", oldpath, + newpath); + buffer_free(&msg); + + status = get_status(fd_in, id); + if (status != SSH2_FX_OK) + error("Couldn't rename file \"%s\" to \"%s\": %s", oldpath, newpath, + fx2txt(status)); + + return(status); +} + +char * +do_readlink(int fd_in, int fd_out, char *path) +{ + Buffer msg; + u_int type, expected_id, count, id; + char *filename, *longname; + Attrib *a; + + expected_id = id = msg_id++; + send_string_request(fd_out, id, SSH2_FXP_READLINK, path, strlen(path)); + + buffer_init(&msg); + + get_msg(fd_in, &msg); + type = buffer_get_char(&msg); + id = buffer_get_int(&msg); + + if (id != expected_id) + fatal("ID mismatch (%d != %d)", id, expected_id); + + if (type == SSH2_FXP_STATUS) { + u_int status = buffer_get_int(&msg); + + error("Couldn't readlink: %s", fx2txt(status)); + return(NULL); + } else if (type != SSH2_FXP_NAME) + fatal("Expected SSH2_FXP_NAME(%d) packet, got %d", + SSH2_FXP_NAME, type); + + count = buffer_get_int(&msg); + if (count != 1) + fatal("Got multiple names (%d) from SSH_FXP_READLINK", count); + + filename = buffer_get_string(&msg, NULL); + longname = buffer_get_string(&msg, NULL); + a = decode_attrib(&msg); + + debug3("SSH_FXP_READLINK %s -> %s", path, filename); + + xfree(longname); + + buffer_free(&msg); + + return(filename); +} + +int do_download(int fd_in, int fd_out, char *remote_path, char *local_path, int pflag) { @@ -560,7 +683,7 @@ Attrib junk, *a; int status; - a = do_stat(fd_in, fd_out, remote_path); + a = do_stat(fd_in, fd_out, remote_path, 0); if (a == NULL) return(-1); 
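Review bot: do_readlink() returns NULL from the `SSH2_FXP_STATUS` branch without releasing `msg`, so every failed readlink leaks the message buffer; the success path does `buffer_free(&msg)`, and the error branch should too: `buffer_free(&msg); return(NULL);`. In do_symlink() the comment `/* Send rename request */` and the error text `"Couldn't rename file \"%s\" to \"%s\": %s"` were copied from do_rename() and now mislead about which request failed; `/* Send symlink request */` and `"Couldn't symlink \"%s\" to \"%s\": %s"` describe what the function actually sends. Both functions are complete within the hunk.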
@@ -570,11 +693,17 @@ else mode = 0666; + if ((a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) && + (a->perm & S_IFDIR)) { + error("Cannot download a directory: %s", remote_path); + return(-1); + } + local_fd = open(local_path, O_WRONLY | O_CREAT | O_TRUNC, mode); if (local_fd == -1) { error("Couldn't open local file \"%s\" for writing: %s", local_path, strerror(errno)); - return(errno); + return(-1); } buffer_init(&msg); @@ -802,3 +931,4 @@ buffer_free(&msg); return status; } + diff -ru openssh-2.5.1p2/sftp-client.h openssh-2.5.2p1/sftp-client.h --- openssh-2.5.1p2/sftp-client.h 2001-02-04 23:20:19.000000000 +1100 +++ openssh-2.5.2p1/sftp-client.h 2001-03-17 11:34:46.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.h,v 1.1 2001/02/04 11:11:54 djm Exp $ */ +/* $OpenBSD: sftp-client.h,v 1.4 2001/03/16 08:16:18 djm Exp $ */ /* * Copyright (c) 2001 Damien Miller. All rights reserved. @@ -26,7 +26,18 @@ /* Client side of SSH2 filexfer protocol */ -/* Initialiase a SSH filexfer connection */ +typedef struct SFTP_DIRENT SFTP_DIRENT; + +struct SFTP_DIRENT { + char *filename; + char *longname; + Attrib a; +}; + +/* + * Initialiase a SSH filexfer connection. Returns -1 on error or + * protocol version on success. + */ int do_init(int fd_in, int fd_out); /* Close file referred to by 'handle' */ @@ -35,6 +46,12 @@ /* List contents of directory 'path' to stdout */ int do_ls(int fd_in, int fd_out, char *path); +/* Read contents of 'path' to NULL-terminated array 'dir' */ +int do_readdir(int fd_in, int fd_out, char *path, SFTP_DIRENT ***dir); + +/* Frees a NULL-terminated array of SFTP_DIRENTs (eg. from do_readdir) */ +void free_sftp_dirents(SFTP_DIRENT **s); + /* Delete file 'path' */ int do_rm(int fd_in, int fd_out, char *path); 
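Review bot: `(a->perm & S_IFDIR)` tests one bit of the file-type field, and on the usual encodings `S_IFBLK` and `S_IFSOCK` both contain the `S_IFDIR` bit, so block devices and sockets would also be refused with "Cannot download a directory"; the test should be `S_ISDIR(a->perm)`, which also matches what the message says. The switch from `return(errno)` to `return(-1)` on the open failure is a good consistency fix. do_download() starts before and continues after the hunk.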
@@ -45,14 +62,14 @@ int do_rmdir(int fd_in, int fd_out, char *path); /* Get file attributes of 'path' (follows symlinks) */ -Attrib *do_stat(int fd_in, int fd_out, char *path); +Attrib *do_stat(int fd_in, int fd_out, char *path, int quiet); /* Get file attributes of 'path' (does not follow symlinks) */ -Attrib *do_lstat(int fd_in, int fd_out, char *path); +Attrib *do_lstat(int fd_in, int fd_out, char *path, int quiet); /* Get file attributes of open file 'handle' */ -Attrib *do_fstat(int fd_in, int fd_out, char *handle, - u_int handle_len); +Attrib *do_fstat(int fd_in, int fd_out, char *handle, u_int handle_len, + int quiet); /* Set file attributes of 'path' */ int do_setstat(int fd_in, int fd_out, char *path, Attrib *a); @@ -67,6 +84,12 @@ /* Rename 'oldpath' to 'newpath' */ int do_rename(int fd_in, int fd_out, char *oldpath, char *newpath); +/* Rename 'oldpath' to 'newpath' */ +int do_symlink(int fd_in, int fd_out, char *oldpath, char *newpath); + +/* Return target of symlink 'path' - caller must free result */ +char *do_readlink(int fd_in, int fd_out, char *path); + /* XXX: add callbacks to do_download/do_upload so we can do progress meter */ /* Only in openssh-2.5.2p1: sftp-glob.c Only in openssh-2.5.2p1: sftp-glob.h diff -ru openssh-2.5.1p2/sftp-int.c openssh-2.5.2p1/sftp-int.c --- openssh-2.5.1p2/sftp-int.c 2001-02-15 14:50:49.000000000 +1100 +++ openssh-2.5.2p1/sftp-int.c 2001-03-17 11:37:32.000000000 +1100 @@ -22,13 +22,11 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* XXX: finish implementation of all commands */ -/* XXX: do fnmatch() instead of using raw pathname */ /* XXX: globbed ls */ /* XXX: recursive operations */ #include "includes.h" -RCSID("$OpenBSD: sftp-int.c,v 1.22 2001/02/14 09:46:03 djm Exp $"); +RCSID("$OpenBSD: sftp-int.c,v 1.31 2001/03/16 13:44:24 markus Exp $"); #include "buffer.h" #include "xmalloc.h" 
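Review bot: The new `quiet` parameter on do_stat, do_lstat and do_fstat is not described in the header comments, which still say only `Get file attributes of 'path' (follows symlinks)`; callers in sftp-int.c pass 0 or 1 with no hint of what changes. A one-line addition on each of the three prototypes, such as `/* ... 'quiet' suppresses the error message when the request fails */`, would document it, assuming that is what the flag does in sftp-client.c (the implementation side of the parameter is not in this diff).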
@@ -37,9 +35,16 @@ #include "sftp.h" #include "sftp-common.h" +#include "sftp-glob.h" #include "sftp-client.h" #include "sftp-int.h" +/* File to read commands from */ +extern FILE *infile; + +/* Version of server we are speaking to */ +int version; + /* Seperators for interactive commands */ #define WHITESPACE " \t\r\n" @@ -64,6 +69,8 @@ #define I_RM 18 #define I_RMDIR 19 #define I_SHELL 20 +#define I_SYMLINK 21 +#define I_VERSION 22 struct CMD { const char *c; @@ -84,6 +91,7 @@ { "lchdir", I_LCHDIR }, { "lls", I_LLS }, { "lmkdir", I_LMKDIR }, + { "ln", I_SYMLINK }, { "lpwd", I_LPWD }, { "ls", I_LS }, { "lumask", I_LUMASK }, @@ -94,6 +102,8 @@ { "rename", I_RENAME }, { "rm", I_RM }, { "rmdir", I_RMDIR }, + { "symlink", I_SYMLINK }, + { "version", I_VERSION }, { "!", I_SHELL }, { "?", I_HELP }, { NULL, -1} @@ -111,6 +121,7 @@ printf("help Display this help text\n"); printf("get remote-path [local-path] Download file\n"); printf("lls [ls-options [path]] Display local directory listing\n"); + printf("ln oldpath newpath Symlink remote file\n"); printf("lmkdir path Create local directory\n"); printf("lpwd Print local working directory\n"); printf("ls [path] Display remote directory listing\n"); @@ -123,6 +134,8 @@ printf("rename oldpath newpath Rename remote file\n"); printf("rmdir path Remove remote directory\n"); printf("rm path Delete remote file\n"); + printf("symlink oldpath newpath Symlink remote file\n"); + printf("version Show SFTP version\n"); printf("!command Execute 'command' in local shell\n"); printf("! Escape to local shell\n"); printf("? Synonym for help\n"); 
@@ -182,18 +195,51 @@ } char * +path_append(char *p1, char *p2) +{ + char *ret; + int len = strlen(p1) + strlen(p2) + 2; + + ret = xmalloc(len); + strlcpy(ret, p1, len); + strlcat(ret, "/", len); + strlcat(ret, p2, len); + + return(ret); +} + +char * make_absolute(char *p, char *pwd) { - char buf[2048]; + char *abs; /* Derelativise */ if (p && p[0] != '/') { - snprintf(buf, sizeof(buf), "%s/%s", pwd, p); + abs = path_append(pwd, p); xfree(p); - p = xstrdup(buf); + return(abs); + } else + return(p); +} + +int +infer_path(const char *p, char **ifp) +{ + char *cp; + + cp = strrchr(p, '/'); + if (cp == NULL) { + *ifp = xstrdup(p); + return(0); } - return(p); + if (!cp[1]) { + error("Invalid path"); + return(-1); + } + + *ifp = xstrdup(cp + 1); + return(0); } int @@ -236,7 +282,7 @@ /* Check for quoted filenames */ if (*cp == '\"' || *cp == '\'') { quot = *cp++; - + end = strchr(cp, quot); if (end == NULL) { error("Unterminated quote"); 
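Review bot: make_absolute frees its `p` argument on the relative branch and returns fresh memory from path_append, but this ownership transfer is not documented, and every caller depends on the `x = make_absolute(x, pwd)` idiom to avoid holding a dangling pointer. A comment such as `/* Consumes 'p'; returns a malloc'd absolute path the caller must free */` above make_absolute and `/* Returns xmalloc'd "p1/p2"; caller frees */` above path_append would capture the contract. path_append also sizes its result with `int len`; `size_t` is the natural type for a length passed to xmalloc, strlcpy and strlcat.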
@@ -268,25 +314,182 @@ } int -infer_path(const char *p, char **ifp) +is_dir(char *path) { - char *cp; + struct stat sb; - debug("XXX: P = \"%s\"", p); + /* XXX: report errors? */ + if (stat(path, &sb) == -1) + return(0); - cp = strrchr(p, '/'); - if (cp == NULL) { - *ifp = xstrdup(p); + return(sb.st_mode & S_IFDIR); +} + +int +remote_is_dir(int in, int out, char *path) +{ + Attrib *a; + + /* XXX: report errors? */ + if ((a = do_stat(in, out, path, 1)) == NULL) return(0); - } + if (!(a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)) + return(0); + return(a->perm & S_IFDIR); +} - if (!cp[1]) { - error("Invalid path"); - return(-1); +int +process_get(int in, int out, char *src, char *dst, char *pwd, int pflag) +{ + char *abs_src = NULL; + char *abs_dst = NULL; + char *tmp; + glob_t g; + int err = 0; + int i; + + abs_src = xstrdup(src); + abs_src = make_absolute(abs_src, pwd); + + memset(&g, 0, sizeof(g)); + debug3("Looking up %s", abs_src); + if (remote_glob(in, out, abs_src, 0, NULL, &g)) { + error("File \"%s\" not found.", abs_src); + err = -1; + goto out; + } + + /* Only one match, dst may be file, directory or unspecified */ + if (g.gl_pathv[0] && g.gl_matchc == 1) { + if (dst) { + /* If directory specified, append filename */ + if (is_dir(dst)) { + if (infer_path(g.gl_pathv[0], &tmp)) { + err = 1; + goto out; + } + abs_dst = path_append(dst, tmp); + xfree(tmp); + } else + abs_dst = xstrdup(dst); + } else if (infer_path(g.gl_pathv[0], &abs_dst)) { + err = -1; + goto out; + } + printf("Fetching %s to %s\n", g.gl_pathv[0], abs_dst); + err = do_download(in, out, g.gl_pathv[0], abs_dst, pflag); + goto out; + } + + /* Multiple matches, dst may be directory or unspecified */ + if (dst && !is_dir(dst)) { + error("Multiple files match, but \"%s\" is not a directory", + dst); + err = -1; + goto out; + } + + for(i = 0; g.gl_pathv[i]; i++) { + if (infer_path(g.gl_pathv[i], &tmp)) { + err = -1; + goto out; + } + if (dst) { + abs_dst = path_append(dst, tmp); + xfree(tmp); + } else + 
abs_dst = tmp; + + printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); + if (do_download(in, out, g.gl_pathv[i], abs_dst, pflag) == -1) + err = -1; + xfree(abs_dst); + abs_dst = NULL; + } + +out: + xfree(abs_src); + if (abs_dst) + xfree(abs_dst); + globfree(&g); + return(err); +} + +int +process_put(int in, int out, char *src, char *dst, char *pwd, int pflag) +{ + char *tmp_dst = NULL; + char *abs_dst = NULL; + char *tmp; + glob_t g; + int err = 0; + int i; + + if (dst) { + tmp_dst = xstrdup(dst); + tmp_dst = make_absolute(tmp_dst, pwd); + } + + memset(&g, 0, sizeof(g)); + debug3("Looking up %s", src); + if (glob(src, 0, NULL, &g)) { + error("File \"%s\" not found.", src); + err = -1; + goto out; + } + + /* Only one match, dst may be file, directory or unspecified */ + if (g.gl_pathv[0] && g.gl_matchc == 1) { + if (tmp_dst) { + /* If directory specified, append filename */ + if (remote_is_dir(in, out, tmp_dst)) { + if (infer_path(g.gl_pathv[0], &tmp)) { + err = 1; + goto out; + } + abs_dst = path_append(tmp_dst, tmp); + xfree(tmp); + } else + abs_dst = xstrdup(tmp_dst); + } else if (infer_path(g.gl_pathv[0], &abs_dst)) { + err = -1; + goto out; + } + printf("Uploading %s to %s\n", g.gl_pathv[0], abs_dst); + err = do_upload(in, out, g.gl_pathv[0], abs_dst, pflag); + goto out; + } + + /* Multiple matches, dst may be directory or unspecified */ + if (tmp_dst && !remote_is_dir(in, out, tmp_dst)) { + error("Multiple files match, but \"%s\" is not a directory", + tmp_dst); + err = -1; + goto out; + } + + for(i = 0; g.gl_pathv[i]; i++) { + if (infer_path(g.gl_pathv[i], &tmp)) { + err = -1; + goto out; + } + if (tmp_dst) { + abs_dst = path_append(tmp_dst, tmp); + xfree(tmp); + } else + abs_dst = make_absolute(tmp, pwd); + + printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); + if (do_upload(in, out, g.gl_pathv[i], abs_dst, pflag) == -1) + err = -1; } - *ifp = xstrdup(cp + 1); - return(0); +out: + if (abs_dst) + xfree(abs_dst); + if (tmp_dst) + xfree(tmp_dst); + 
return(err); } int @@ -349,12 +552,9 @@ /* Try to get second pathname (optional) */ if (get_pathname(&cp, path2)) return(-1); - /* Otherwise try to guess it from first path */ - if (*path2 == NULL && infer_path(*path1, path2)) - return(-1); break; case I_RENAME: - /* Get first pathname (mandatory) */ + case I_SYMLINK: if (get_pathname(&cp, path1)) return(-1); if (get_pathname(&cp, path2)) @@ -427,6 +627,7 @@ case I_PWD: case I_LPWD: case I_HELP: + case I_VERSION: break; default: fatal("Command not implemented"); 
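Review bot: The multi-match loop in process_put never releases `abs_dst` between iterations, unlike the matching loop in process_get, which does `xfree(abs_dst); abs_dst = NULL;` after each download; every uploaded file after the first leaks its destination string, and the `out:` label frees only the last one. Adding those same two lines after the do_upload call fixes it. Separately, the single-match `infer_path` failure in both functions sets `err = 1` while every other failure path sets `err = -1`; since parse_dispatch_command later aborts batch mode only when `err > 0`, the sign of this value decides behaviour and should be chosen consistently.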
@@ -440,63 +641,85 @@ parse_dispatch_command(int in, int out, const char *cmd, char **pwd) { char *path1, *path2, *tmp; - int pflag, cmdnum; + int pflag, cmdnum, i; unsigned long n_arg; Attrib a, *aa; char path_buf[MAXPATHLEN]; + int err = 0; + glob_t g; path1 = path2 = NULL; cmdnum = parse_args(&cmd, &pflag, &n_arg, &path1, &path2); + memset(&g, 0, sizeof(g)); + /* Perform command */ switch (cmdnum) { case -1: break; case I_GET: - path1 = make_absolute(path1, *pwd); - do_download(in, out, path1, path2, pflag); + err = process_get(in, out, path1, path2, *pwd, pflag); break; case I_PUT: - path2 = make_absolute(path2, *pwd); - do_upload(in, out, path1, path2, pflag); - break; - case I_RENAME: + err = process_put(in, out, path1, path2, *pwd, pflag); + break; + case I_RENAME: path1 = make_absolute(path1, *pwd); path2 = make_absolute(path2, *pwd); - do_rename(in, out, path1, path2); + err = do_rename(in, out, path1, path2); + break; + case I_SYMLINK: + if (version < 3) { + error("The server (version %d) does not support " + "this operation", version); + err = -1; + } else { + path2 = make_absolute(path2, *pwd); + err = do_symlink(in, out, path1, path2); + } break; case I_RM: path1 = make_absolute(path1, *pwd); - do_rm(in, out, path1); + remote_glob(in, out, path1, GLOB_NOCHECK, NULL, &g); + for(i = 0; g.gl_pathv[i]; i++) { + printf("Removing %s\n", g.gl_pathv[i]); + if (do_rm(in, out, g.gl_pathv[i]) == -1) + err = -1; + } break; case I_MKDIR: path1 = make_absolute(path1, *pwd); attrib_clear(&a); a.flags |= SSH2_FILEXFER_ATTR_PERMISSIONS; a.perm = 0777; - do_mkdir(in, out, path1, &a); + err = do_mkdir(in, out, path1, &a); break; case I_RMDIR: path1 = make_absolute(path1, *pwd); - do_rmdir(in, out, path1); + err = do_rmdir(in, out, path1); break; case I_CHDIR: path1 = make_absolute(path1, *pwd); - if ((tmp = do_realpath(in, out, path1)) == NULL) + if ((tmp = do_realpath(in, out, path1)) == NULL) { + err = 1; break; - if ((aa = do_stat(in, out, tmp)) == NULL) { + } + if 
((aa = do_stat(in, out, tmp, 0)) == NULL) { xfree(tmp); + err = 1; break; } if (!(aa->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)) { error("Can't change directory: Can't check target"); xfree(tmp); + err = 1; break; } if (!S_ISDIR(aa->perm)) { error("Can't change directory: \"%s\" is not " "a directory", tmp); xfree(tmp); + err = 1; break; } xfree(*pwd); @@ -512,9 +735,9 @@ break; xfree(path1); path1 = tmp; - if ((aa = do_stat(in, out, path1)) == NULL) + if ((aa = do_stat(in, out, path1, 0)) == NULL) break; - if ((aa->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) && + if ((aa->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) && !S_ISDIR(aa->perm)) { error("Can't ls: \"%s\" is not a directory", path1); break; @@ -522,14 +745,18 @@ do_ls(in, out, path1); break; case I_LCHDIR: - if (chdir(path1) == -1) + if (chdir(path1) == -1) { error("Couldn't change local directory to " "\"%s\": %s", path1, strerror(errno)); + err = 1; + } break; case I_LMKDIR: - if (mkdir(path1, 0777) == -1) + if (mkdir(path1, 0777) == -1) { error("Couldn't create local directory " "\"%s\": %s", path1, strerror(errno)); + err = 1; + } break; case I_LLS: local_do_ls(cmd); 
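Review bot: In the I_RM case the return value of `remote_glob(in, out, path1, GLOB_NOCHECK, NULL, &g)` is ignored and the loop immediately reads `g.gl_pathv[i]`; `g` was zeroed with memset, and the ChangeLog for this release notes that glob.c now sets gl_pathv to NULL, so a glob error (as opposed to a no-match, which GLOB_NOCHECK covers) leaves gl_pathv NULL and the loop dereferences it. Guarding the loop with `if (remote_glob(...) == 0)` or `if (g.gl_pathv != NULL)` avoids this; the I_CHMOD, I_CHOWN and I_CHGRP cases in the next hunk have the same unchecked pattern. parse_dispatch_command continues past the end of this hunk.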
@@ -546,40 +773,52 @@ attrib_clear(&a); a.flags |= SSH2_FILEXFER_ATTR_PERMISSIONS; a.perm = n_arg; - do_setstat(in, out, path1, &a); + remote_glob(in, out, path1, GLOB_NOCHECK, NULL, &g); + for(i = 0; g.gl_pathv[i]; i++) { + printf("Changing mode on %s\n", g.gl_pathv[i]); + do_setstat(in, out, g.gl_pathv[i], &a); + } break; case I_CHOWN: path1 = make_absolute(path1, *pwd); - if (!(aa = do_stat(in, out, path1))) - break; - if (!(aa->flags & SSH2_FILEXFER_ATTR_UIDGID)) { - error("Can't get current ownership of " - "remote file \"%s\"", path1); - break; + remote_glob(in, out, path1, GLOB_NOCHECK, NULL, &g); + for(i = 0; g.gl_pathv[i]; i++) { + if (!(aa = do_stat(in, out, g.gl_pathv[i], 0))) + continue; + if (!(aa->flags & SSH2_FILEXFER_ATTR_UIDGID)) { + error("Can't get current ownership of " + "remote file \"%s\"", g.gl_pathv[i]); + continue; + } + printf("Changing owner on %s\n", g.gl_pathv[i]); + aa->flags &= SSH2_FILEXFER_ATTR_UIDGID; + aa->uid = n_arg; + do_setstat(in, out, g.gl_pathv[i], aa); } - aa->flags &= SSH2_FILEXFER_ATTR_UIDGID; - aa->uid = n_arg; - do_setstat(in, out, path1, aa); break; case I_CHGRP: path1 = make_absolute(path1, *pwd); - if (!(aa = do_stat(in, out, path1))) - break; - if (!(aa->flags & SSH2_FILEXFER_ATTR_UIDGID)) { - error("Can't get current ownership of " - "remote file \"%s\"", path1); - break; + remote_glob(in, out, path1, GLOB_NOCHECK, NULL, &g); + for(i = 0; g.gl_pathv[i]; i++) { + if (!(aa = do_stat(in, out, g.gl_pathv[i], 0))) + continue; + if (!(aa->flags & SSH2_FILEXFER_ATTR_UIDGID)) { + error("Can't get current ownership of " + "remote file \"%s\"", g.gl_pathv[i]); + continue; + } + printf("Changing group on %s\n", g.gl_pathv[i]); + aa->flags &= SSH2_FILEXFER_ATTR_UIDGID; + aa->gid = n_arg; + do_setstat(in, out, g.gl_pathv[i], aa); } - aa->flags &= SSH2_FILEXFER_ATTR_UIDGID; - aa->gid = n_arg; - do_setstat(in, out, path1, aa); break; case I_PWD: printf("Remote working directory: %s\n", *pwd); break; case I_LPWD: if 
(!getcwd(path_buf, sizeof(path_buf))) - error("Couldn't get local cwd: %s\n", + error("Couldn't get local cwd: %s", strerror(errno)); else printf("Local working directory: %s\n", @@ -590,14 +829,24 @@ case I_HELP: help(); break; + case I_VERSION: + printf("SFTP protocol version %d\n", version); + break; default: fatal("%d is not implemented", cmdnum); } + if (g.gl_pathc) + globfree(&g); if (path1) xfree(path1); if (path2) xfree(path2); + + /* If an error occurs in batch mode we should abort. */ + if (infile != stdin && err > 0) + return -1; + return(0); } @@ -607,12 +856,16 @@ char *pwd; char cmd[2048]; + version = do_init(fd_in, fd_out); + if (version == -1) + fatal("Couldn't initialise connection to server"); + pwd = do_realpath(fd_in, fd_out, "."); if (pwd == NULL) fatal("Need cwd"); setvbuf(stdout, NULL, _IOLBF, 0); - setvbuf(stdin, NULL, _IOLBF, 0); + setvbuf(infile, NULL, _IOLBF, 0); for(;;) { char *cp; @@ -620,13 +873,16 @@ printf("sftp> "); /* XXX: use libedit */ - if (fgets(cmd, sizeof(cmd), stdin) == NULL) { + if (fgets(cmd, sizeof(cmd), infile) == NULL) { printf("\n"); break; - } + } else if (infile != stdin) /* Bluff typing */ + printf("%s", cmd); + cp = strrchr(cmd, '\n'); if (cp) *cp = '\0'; + if (parse_dispatch_command(fd_in, fd_out, cmd, &pwd)) break; } diff -ru openssh-2.5.1p2/sftp-server.8 openssh-2.5.2p1/sftp-server.8 --- openssh-2.5.1p2/sftp-server.8 2000-11-13 22:57:26.000000000 +1100 +++ openssh-2.5.2p1/sftp-server.8 2001-03-05 17:59:28.000000000 +1100 
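Review bot: The batch-mode abort test `if (infile != stdin && err > 0)` fires only for positive `err`, but the get, put and rm cases in parse_dispatch_command record failure as `err = -1` (process_get/process_put return -1 and the I_RM loop sets -1), so a failed transfer or removal in a batch file does not stop the run, while chdir, lchdir and lmkdir (`err = 1`) do. The sftp.1 hunk in this diff lists get, put and rm among the commands that abort batch mode, so either the test should be `err != 0` or those cases should set a positive value. The I_CHMOD loop in the preceding hunk also discards the result of `do_setstat`, so a failed chmod can never reach this test at all.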
@@ -1,6 +1,6 @@ -.\" $OpenBSD: sftp-server.8,v 1.4 2000/11/10 05:10:40 aaron Exp $ +.\" $OpenBSD: sftp-server.8,v 1.5 2001/03/02 18:54:31 deraadt Exp $ .\" -.\" Copyright (c) 2000 Markus Friedl. All rights reserved. +.\" Copyright (c) 2000 Markus Friedl. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions diff -ru openssh-2.5.1p2/sftp-server.c openssh-2.5.2p1/sftp-server.c --- openssh-2.5.1p2/sftp-server.c 2001-02-25 13:02:43.000000000 +1100 +++ openssh-2.5.2p1/sftp-server.c 2001-03-15 11:09:16.000000000 +1100 @@ -22,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: sftp-server.c,v 1.19 2001/02/07 18:01:18 itojun Exp $"); +RCSID("$OpenBSD: sftp-server.c,v 1.24 2001/03/14 22:50:25 deraadt Exp $"); #include "buffer.h" #include "bufaux.h" @@ -49,6 +49,9 @@ Buffer iqueue; Buffer oqueue; +/* Version of client */ +int version; + /* portable attibutes, etc. */ typedef struct Stat Stat; @@ -63,6 +66,7 @@ errno_to_portable(int unixerrno) { int ret = 0; + switch (unixerrno) { case 0: ret = SSH2_FX_OK; @@ -93,8 +97,9 @@ flags_from_portable(int pflags) { int flags = 0; - if (pflags & SSH2_FXF_READ && - pflags & SSH2_FXF_WRITE) { + + if ((pflags & SSH2_FXF_READ) && + (pflags & SSH2_FXF_WRITE)) { flags = O_RDWR; } else if (pflags & SSH2_FXF_READ) { flags = O_RDONLY; @@ -125,17 +130,20 @@ int fd; char *name; }; + enum { HANDLE_UNUSED, HANDLE_DIR, HANDLE_FILE }; + Handle handles[100]; void handle_init(void) { int i; + for(i = 0; i < sizeof(handles)/sizeof(Handle); i++) handles[i].use = HANDLE_UNUSED; } @@ -144,6 +152,7 @@ handle_new(int use, char *name, int fd, DIR *dirp) { int i; + for(i = 0; i < sizeof(handles)/sizeof(Handle); i++) { if (handles[i].use == HANDLE_UNUSED) { handles[i].use = use; 
@@ -178,6 +187,7 @@ handle_from_string(char *handle, u_int hlen) { int val; + if (hlen != sizeof(int32_t)) return -1; val = GET_32BIT(handle); @@ -216,6 +226,7 @@ handle_close(int handle) { int ret = -1; + if (handle_is_ok(handle, HANDLE_FILE)) { ret = close(handles[handle].fd); handles[handle].use = HANDLE_UNUSED; @@ -234,6 +245,7 @@ char *handle; int val = -1; u_int hlen; + handle = get_string(&hlen); if (hlen < 256) val = handle_from_string(handle, hlen); @@ -247,6 +259,7 @@ send_msg(Buffer *m) { int mlen = buffer_len(m); + buffer_put_int(&oqueue, mlen); buffer_append(&oqueue, buffer_ptr(m), mlen); buffer_consume(m, mlen); @@ -256,11 +269,29 @@ send_status(u_int32_t id, u_int32_t error) { Buffer msg; + const char *status_messages[] = { + "Success", /* SSH_FX_OK */ + "End of file", /* SSH_FX_EOF */ + "No such file", /* SSH_FX_NO_SUCH_FILE */ + "Permission denied", /* SSH_FX_PERMISSION_DENIED */ + "Failure", /* SSH_FX_FAILURE */ + "Bad message", /* SSH_FX_BAD_MESSAGE */ + "No connection", /* SSH_FX_NO_CONNECTION */ + "Connection lost", /* SSH_FX_CONNECTION_LOST */ + "Operation unsupported", /* SSH_FX_OP_UNSUPPORTED */ + "Unknown error" /* Others */ + }; + TRACE("sent status id %d error %d", id, error); buffer_init(&msg); buffer_put_char(&msg, SSH2_FXP_STATUS); buffer_put_int(&msg, id); buffer_put_int(&msg, error); + if (version >= 3) { + buffer_put_cstring(&msg, + status_messages[MIN(error,SSH2_FX_MAX)]); + buffer_put_cstring(&msg, ""); + } send_msg(&msg); buffer_free(&msg); } @@ -268,6 +299,7 @@ send_data_or_handle(char type, u_int32_t id, char *data, int dlen) { Buffer msg; + buffer_init(&msg); buffer_put_char(&msg, type); buffer_put_int(&msg, id); @@ -288,6 +320,7 @@ { char *string; int hlen; + handle_to_string(handle, &string, &hlen); TRACE("sent handle id %d handle %d", id, handle); send_data_or_handle(SSH2_FXP_HANDLE, id, string, hlen); 
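Review bot: `status_messages[MIN(error,SSH2_FX_MAX)]` in send_status can never select the final `"Unknown error"` entry: SSH2_FX_MAX is defined as 8 in the sftp.h hunk, which is the index of `"Operation unsupported"`, so any error code above 8 is reported to the client as unsupported rather than unknown. Clamping with `MIN(error, SSH2_FX_MAX + 1)` picks the intended fallback. The table is also re-created on every call; `static const char *status_messages[]` makes it read-only and built once.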
@@ -299,6 +332,7 @@ { Buffer msg; int i; + buffer_init(&msg); buffer_put_char(&msg, SSH2_FXP_NAME); buffer_put_int(&msg, id); @@ -317,6 +351,7 @@ send_attrib(u_int32_t id, Attrib *a) { Buffer msg; + TRACE("sent attrib id %d have 0x%x", id, a->flags); buffer_init(&msg); buffer_put_char(&msg, SSH2_FXP_ATTRS); @@ -332,8 +367,8 @@ process_init(void) { Buffer msg; - int version = buffer_get_int(&iqueue); + version = buffer_get_int(&iqueue); TRACE("client version %d", version); buffer_init(&msg); buffer_put_char(&msg, SSH2_FXP_VERSION); @@ -533,6 +568,7 @@ attrib_to_tv(Attrib *a) { static struct timeval tv[2]; + tv[0].tv_sec = a->atime; tv[0].tv_usec = 0; tv[1].tv_sec = a->mtime; @@ -844,6 +880,51 @@ } void +process_readlink(void) +{ + u_int32_t id; + char link[MAXPATHLEN]; + char *path; + + id = get_int(); + path = get_string(NULL); + TRACE("readlink id %d path %s", id, path); + if (readlink(path, link, sizeof(link) - 1) == -1) + send_status(id, errno_to_portable(errno)); + else { + Stat s; + + link[sizeof(link) - 1] = '\0'; + attrib_clear(&s.attrib); + s.name = s.long_name = link; + send_names(id, 1, &s); + } + xfree(path); +} + +void +process_symlink(void) +{ + u_int32_t id; + struct stat st; + char *oldpath, *newpath; + int ret, status = SSH2_FX_FAILURE; + + id = get_int(); + oldpath = get_string(NULL); + newpath = get_string(NULL); + TRACE("symlink id %d old %s new %s", id, oldpath, newpath); + /* fail if 'newpath' exists */ + if (stat(newpath, &st) == -1) { + ret = symlink(oldpath, newpath); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; + } + send_status(id, status); + xfree(oldpath); + xfree(newpath); +} + +void process_extended(void) { u_int32_t id; @@ -928,6 +1009,12 @@ case SSH2_FXP_RENAME: process_rename(); break; + case SSH2_FXP_READLINK: + process_readlink(); + break; + case SSH2_FXP_SYMLINK: + process_symlink(); + break; case SSH2_FXP_EXTENDED: process_extended(); break; 
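Review bot: process_readlink terminates the buffer at `link[sizeof(link) - 1] = '\0'` instead of at the length readlink() returned, but readlink() does not NUL-terminate its output, so the name sent back through send_names runs past the link contents into whatever the uninitialised stack array held; the client can receive up to MAXPATHLEN-1 bytes of server stack memory after the real target. Keep the return value and terminate there: `int len;` … `if ((len = readlink(path, link, sizeof(link) - 1)) == -1)` … `link[len] = '\0';`. In process_symlink the `stat(newpath, &st)` pre-check follows symlinks and is a check-then-act race against a concurrent create; symlink() itself fails with EEXIST for an existing name, so the check could be dropped (or changed to lstat) and the errno mapped through errno_to_portable as the other branch already does.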
@@ -940,9 +1027,11 @@ int main(int ac, char **av) { - fd_set rset, wset; + fd_set *rset, *wset; int in, out, max; - ssize_t len, olen; + ssize_t len, olen, set_size; + + /* XXX should use getopt */ __progname = get_progname(av[0]); handle_init(); @@ -963,23 +1052,27 @@ buffer_init(&iqueue); buffer_init(&oqueue); + set_size = howmany(max + 1, NFDBITS) * sizeof(fd_mask); + rset = (fd_set *)xmalloc(set_size); + wset = (fd_set *)xmalloc(set_size); + for (;;) { - FD_ZERO(&rset); - FD_ZERO(&wset); + memset(rset, 0, set_size); + memset(wset, 0, set_size); - FD_SET(in, &rset); + FD_SET(in, rset); olen = buffer_len(&oqueue); if (olen > 0) - FD_SET(out, &wset); + FD_SET(out, wset); - if (select(max+1, &rset, &wset, NULL, NULL) < 0) { + if (select(max+1, rset, wset, NULL, NULL) < 0) { if (errno == EINTR) continue; exit(2); } /* copy stdin to iqueue */ - if (FD_ISSET(in, &rset)) { + if (FD_ISSET(in, rset)) { char buf[4*4096]; len = read(in, buf, sizeof buf); if (len == 0) { @@ -993,7 +1086,7 @@ } } /* send oqueue to stdout */ - if (FD_ISSET(out, &wset)) { + if (FD_ISSET(out, wset)) { len = write(out, buffer_ptr(&oqueue), olen); if (len < 0) { error("write error"); diff -ru openssh-2.5.1p2/sftp.0 openssh-2.5.2p1/sftp.0 --- openssh-2.5.1p2/sftp.0 2001-03-01 11:11:37.000000000 +1100 +++ openssh-2.5.2p1/sftp.0 2001-03-20 09:33:28.000000000 +1100 @@ -5,7 +5,7 @@ sftp - Secure file transfer program SYNOPSIS - sftp [-vC] [-o ssh_option] [hostname | user@hostname] + sftp [-vC] [-b batchfile] [-o ssh_option] [hostname | user@hostname] DESCRIPTION sftp is an interactive file transfer program, similar to ftp(1), which 
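Review bot: Two style points on the fd_set allocation in main: `rset = (fd_set *)xmalloc(set_size)` casts the return of an allocation, which the rest of this diff does not do (`args = xmalloc(...)` in sftp.c), and `set_size` is declared alongside the `ssize_t` read/write lengths although it is a byte count that is never negative; `size_t set_size` matches its use with memset and xmalloc. main's body starts before this hunk, so `max` is computed outside it.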
@@ -16,13 +16,20 @@ The options are as follows: - -v Raise logging level. This option is also passed to ssh. + -b batchfile + Batch mode reads a series of commands from an input batchfile in- + stead of stdin. Since it lacks user interaction it should be used + in conjunction with non-interactive authentication. sftp will + abort if any of the following commands fail: get, put, rename, + ln, rm and lmkdir. -C Enables compression (via ssh's -C flag) -o ssh_option Specify an option to be directly passed to ssh(1). + -v Raise logging level. This option is also passed to ssh. + INTERACTIVE COMMANDS Once in interactive mode, sftp understands a set of commands similar to those of ftp(1). Commands are case insensitive and pathnames may be en- @@ -43,7 +50,7 @@ chown own path Change owner of file path to own. own must be a numeric UID. - help Display help text. + exit Quit sftp. get [flags] remote-path [local-path] Retrieve the remote-path and store it on the local machine. If @@ -51,18 +58,23 @@ it has on the remote machine. If the -P flag is specified, then the file's full permission and access time are copied too. + help Display help text. + lls [ls-options [path]] Display local directory listing of either path or current direc- + tory if path is not specified. lmkdir path Create local directory specified by path. + ln oldpath newpath + Create a symbolic link from oldpath to newpath. + lpwd Print local working directory. ls [path] Display remote directory listing of either path or current direc- - tory if path is not specified. lumask umask @@ -79,8 +91,6 @@ pwd Display remote working directory. - exit Quit sftp. - quit Quit sftp. rename oldpath newpath @@ -92,6 +102,9 @@ rm path Delete remote file specified by path. + symlink oldpath newpath + Create a symbolic link from oldpath to newpath. + ! command Execute command in local shell. 
@@ -103,7 +116,7 @@ Damien Miller SEE ALSO - ssh(1), ssh-add(1), ssh-keygen(1), sshd(8), scp(1) + ssh(1), sftp-server(8), ssh-add(1), ssh-keygen(1), sshd(8), scp(1) BSD Experimental Febuary 4, 2001 2 diff -ru openssh-2.5.1p2/sftp.1 openssh-2.5.2p1/sftp.1 --- openssh-2.5.1p2/sftp.1 2001-02-19 21:51:08.000000000 +1100 +++ openssh-2.5.2p1/sftp.1 2001-03-09 11:09:03.000000000 +1100 @@ -1,6 +1,6 @@ -.\" $OpenBSD: sftp.1,v 1.8 2001/02/17 15:24:40 reinhard Exp $ +.\" $OpenBSD: sftp.1,v 1.13 2001/03/08 20:44:48 stevesk Exp $ .\" -.\" Copyright (c) 2001 Damien Miller. All rights reserved. +.\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -31,6 +31,7 @@ .Sh SYNOPSIS .Nm sftp .Op Fl vC +.Op Fl b Ar batchfile .Op Fl o Ar ssh_option .Op Ar hostname | user@hostname .Sh DESCRIPTION @@ -49,8 +50,19 @@ .Pp The options are as follows: .Bl -tag -width Ds -.It Fl v -Raise logging level. This option is also passed to ssh. +.It Fl b Ar batchfile +Batch mode reads a series of commands from an input +.Ar batchfile +instead of +.Em stdin . +Since it lacks user interaction it should be used in conjunction with +non-interactive authentication. +.Nm +will abort if any of the following +commands fail: +.Ic get , put , rename , ln , rm , mkdir , chdir , lchdir +and +.Ic lmkdir . .It Fl C Enables compression (via ssh's .Fl C @@ -58,6 +70,8 @@ .It Fl o Ar ssh_option Specify an option to be directly passed to .Xr ssh 1 . +.It Fl v +Raise logging level. This option is also passed to ssh. .El .Sh INTERACTIVE COMMANDS Once in interactive mode, @@ -92,8 +106,8 @@ .Ar own . .Ar own must be a numeric UID. -.It Ic help -Display help text. +.It Ic exit +Quit sftp. .It Xo Ic get .Op Ar flags .Ar remote-path 
@@ -108,6 +122,8 @@ .Fl P flag is specified, then the file's full permission and access time are copied too. +.It Ic help +Display help text. .It Ic lls Op Ar ls-options Op Ar path Display local directory listing of either .Ar path @@ -117,6 +133,11 @@ .It Ic lmkdir Ar path Create local directory specified by .Ar path . +.It Ic ln Ar oldpath Ar newpath +Create a symbolic link from +.Ar oldpath +to +.Ar newpath . .It Ic lpwd Print local working directory. .It Ic ls Op Ar path @@ -138,15 +159,13 @@ .Xc Upload .Ar local-path -and store it on the remote machine. If the remote path name is not specified, -it is given the same name it has on the local machine. If the +and store it on the remote machine. If the remote path name is not +specified, it is given the same name it has on the local machine. If the .Fl P flag is specified, then the file's full permission and access time are copied too. .It Ic pwd Display remote working directory. -.It Ic exit -Quit sftp. .It Ic quit Quit sftp. .It Ic rename Ar oldpath Ar newpath @@ -160,6 +179,11 @@ .It Ic rm Ar path Delete remote file specified by .Ar path . +.It Ic symlink Ar oldpath Ar newpath +Create a symbolic link from +.Ar oldpath +to +.Ar newpath . .It Ic ! Ar command Execute .Ar command @@ -173,6 +197,7 @@ Damien Miller .Sh SEE ALSO .Xr ssh 1 , +.Xr sftp-server 8 , .Xr ssh-add 1 , .Xr ssh-keygen 1 , .Xr sshd 8 , diff -ru openssh-2.5.1p2/sftp.c openssh-2.5.2p1/sftp.c --- openssh-2.5.1p2/sftp.c 2001-02-27 07:04:46.000000000 +1100 +++ openssh-2.5.2p1/sftp.c 2001-03-08 10:08:49.000000000 +1100 @@ -24,7 +24,7 @@ #include "includes.h" -RCSID("$OpenBSD: sftp.c,v 1.7 2001/02/08 00:04:52 markus Exp $"); +RCSID("$OpenBSD: sftp.c,v 1.11 2001/03/07 10:11:23 djm Exp $"); /* XXX: commandline mode */ /* XXX: copy between two remote hosts (commandline) */ 
@@ -40,9 +40,16 @@ #include "sftp-client.h" #include "sftp-int.h" +#ifdef HAVE___PROGNAME +extern char *__progname; +#else +char *__progname; +#endif + int use_ssh1 = 0; char *ssh_program = _PATH_SSH_PROGRAM; char *sftp_server = NULL; +FILE* infile; void connect_to_server(char **args, int *in, int *out, pid_t *sshpid) @@ -91,24 +98,14 @@ static char **args = NULL; static int nargs = 0; char debug_buf[4096]; - int i, use_subsystem = 1; - - /* no subsystem if protocol 1 or the server-spec contains a '/' */ - if (use_ssh1 || - (sftp_server != NULL && strchr(sftp_server, '/') != NULL)) - use_subsystem = 0; + int i; /* Init args array */ if (args == NULL) { - nargs = use_subsystem ? 6 : 5; + nargs = 2; i = 0; args = xmalloc(sizeof(*args) * nargs); args[i++] = "ssh"; - args[i++] = use_ssh1 ? "-oProtocol=1" : "-oProtocol=2"; - if (use_subsystem) - args[i++] = "-s"; - args[i++] = "-oForwardAgent=no"; - args[i++] = "-oForwardX11=no"; args[i++] = NULL; } @@ -121,6 +118,13 @@ return(NULL); } + /* no subsystem if the server-spec contains a '/' */ + if (sftp_server == NULL || strchr(sftp_server, '/') == NULL) + make_ssh_args("-s"); + make_ssh_args("-oForwardX11=no"); + make_ssh_args("-oForwardAgent=no"); + make_ssh_args(use_ssh1 ? "-oProtocol=1" : "-oProtocol=2"); + /* Otherwise finish up and return the arg array */ if (sftp_server != NULL) make_ssh_args(sftp_server); @@ -143,7 +147,7 @@ void usage(void) { - fprintf(stderr, "usage: sftp [-1vC] [-osshopt=value] [user@]host\n"); + fprintf(stderr, "usage: sftp [-1vC] [-b batchfile] [-osshopt=value] [user@]host\n"); exit(1); } @@ -157,9 +161,11 @@ extern int optind; extern char *optarg; + __progname = get_progname(argv[0]); + infile = stdin; /* Read from STDIN unless changed by -b */ debug_level = compress_flag = 0; - while ((ch = getopt(argc, argv, "1hvCo:s:S:")) != -1) { + while ((ch = getopt(argc, argv, "1hvCo:s:S:b:")) != -1) { switch (ch) { case 'C': compress_flag = 1; 
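Review bot: The old code deliberately omitted `-s` when use_ssh1 was set (`no subsystem if protocol 1 or the server-spec contains a '/'`), but the new condition `if (sftp_server == NULL || strchr(sftp_server, '/') == NULL) make_ssh_args("-s");` no longer consults use_ssh1, so `-1` now also requests the subsystem; if that is intended the comment should say so, otherwise `!use_ssh1 &&` belongs back in the condition. The hardening options `-oForwardX11=no`, `-oForwardAgent=no` and `-oProtocol=...` are also now appended when make_ssh_args(NULL) finalises the array, i.e. after any `-o` options the user passed, whereas before they came first; if ssh keeps the first value it sees for an option, a user-supplied `-oForwardAgent=yes` would now take precedence over the default, which deserves either a comment stating it is allowed or a return to the original ordering.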
@@ -182,6 +188,14 @@ case 'S': ssh_program = optarg; break; + case 'b': + if (infile == stdin) { + infile = fopen(optarg, "r"); + if (infile == NULL) + fatal("%s (%s).", strerror(errno), optarg); + } else + fatal("Filename already specified."); + break; case 'h': default: usage(); @@ -242,8 +256,6 @@ connect_to_server(make_ssh_args(NULL), &in, &out, &sshpid); - do_init(in, out); - interactive_loop(in, out); #if !defined(USE_PIPES) @@ -253,11 +265,8 @@ close(in); close(out); - -#if !defined(HAVE_CYGWIN) - if (kill(sshpid, SIGHUP) == -1) - fatal("Couldn't terminate ssh process: %s", strerror(errno)); -#endif + if (infile != stdin) + fclose(infile); if (waitpid(sshpid, NULL, 0) == -1) fatal("Couldn't wait for ssh process: %s", strerror(errno)); diff -ru openssh-2.5.1p2/sftp.h openssh-2.5.2p1/sftp.h --- openssh-2.5.1p2/sftp.h 2001-01-29 18:39:26.000000000 +1100 +++ openssh-2.5.2p1/sftp.h 2001-03-08 10:08:49.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.h,v 1.2 2001/01/29 01:58:18 niklas Exp $ */ +/* $OpenBSD: sftp.h,v 1.3 2001/03/07 10:11:23 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -25,11 +25,11 @@ */ /* - * draft-ietf-secsh-filexfer-00.txt + * draft-ietf-secsh-filexfer-01.txt */ /* version */ -#define SSH2_FILEXFER_VERSION 2 +#define SSH2_FILEXFER_VERSION 3 /* client to server */ #define SSH2_FXP_INIT 1 @@ -49,6 +49,8 @@ #define SSH2_FXP_REALPATH 16 #define SSH2_FXP_STAT 17 #define SSH2_FXP_RENAME 18 +#define SSH2_FXP_READLINK 19 +#define SSH2_FXP_SYMLINK 20 /* server to client */ #define SSH2_FXP_VERSION 2 @@ -86,3 +88,4 @@ #define SSH2_FX_NO_CONNECTION 6 #define SSH2_FX_CONNECTION_LOST 7 #define SSH2_FX_OP_UNSUPPORTED 8 +#define SSH2_FX_MAX 8 diff -ru openssh-2.5.1p2/ssh-add.1 openssh-2.5.2p1/ssh-add.1 --- openssh-2.5.1p2/ssh-add.1 2001-02-11 10:56:36.000000000 +1100 +++ openssh-2.5.2p1/ssh-add.1 2001-03-05 17:59:28.000000000 +1100 
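Review bot: With the `kill(sshpid, SIGHUP)` removed, `waitpid(sshpid, NULL, 0)` is the only thing ending the client, so it now depends on ssh exiting on its own once `in` and `out` are closed; if ssh lingers for any reason, sftp blocks in waitpid indefinitely. A comment recording that assumption, or a bounded wait that falls back to a signal, would make the shutdown path explicit. The `-b` failure message `fatal("%s (%s).", strerror(errno), optarg)` also puts errno text before the file name, the reverse of the other fatal messages in this file (`Couldn't wait for ssh process: %s`); `fatal("Couldn't open batch file \"%s\": %s", optarg, strerror(errno))` follows the local convention.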
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.21 2001/02/08 19:22:38 itojun Exp $ +.\" $OpenBSD: ssh-add.1,v 1.22 2001/03/02 18:54:31 deraadt Exp $ .\" .\" -*- nroff -*- .\" @@ -13,9 +13,9 @@ .\" called by a name other than "ssh" or "Secure Shell". .\" .\" -.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. -.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. -.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. +.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. +.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. +.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions diff -ru openssh-2.5.1p2/ssh-add.c openssh-2.5.2p1/ssh-add.c --- openssh-2.5.1p2/ssh-add.c 2001-02-06 05:16:28.000000000 +1100 +++ openssh-2.5.2p1/ssh-add.c 2001-03-13 15:57:59.000000000 +1100 @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". * * SSH2 implementation, - * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2000 Markus Friedl. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-add.c,v 1.28 2001/02/04 15:32:25 stevesk Exp $"); +RCSID("$OpenBSD: ssh-add.c,v 1.30 2001/03/12 22:02:02 markus Exp $"); #include @@ -211,10 +211,10 @@ } void -list_identities(AuthenticationConnection *ac, int fp) +list_identities(AuthenticationConnection *ac, int do_fp) { Key *key; - char *comment; + char *comment, *fp; int had_identities = 0; int version; 
@@ -223,10 +223,12 @@ key != NULL; key = ssh_get_next_identity(ac, &comment, version)) { had_identities = 1; - if (fp) { + if (do_fp) { + fp = key_fingerprint(key, SSH_FP_MD5, + SSH_FP_HEX); printf("%d %s %s (%s)\n", - key_size(key), key_fingerprint(key), - comment, key_type(key)); + key_size(key), fp, comment, key_type(key)); + xfree(fp); } else { if (!key_write(key, stdout)) fprintf(stderr, "key_write failed"); diff -ru openssh-2.5.1p2/ssh-agent.1 openssh-2.5.2p1/ssh-agent.1 --- openssh-2.5.1p2/ssh-agent.1 2001-02-11 10:56:36.000000000 +1100 +++ openssh-2.5.2p1/ssh-agent.1 2001-03-05 17:59:28.000000000 +1100 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.21 2001/02/08 19:22:38 itojun Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.22 2001/03/02 18:54:31 deraadt Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -10,9 +10,9 @@ .\" incompatible with the protocol description in the RFC file, it must be .\" called by a name other than "ssh" or "Secure Shell". .\" -.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. -.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. -.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. +.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. +.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. +.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions diff -ru openssh-2.5.1p2/ssh-agent.c openssh-2.5.2p1/ssh-agent.c --- openssh-2.5.1p2/ssh-agent.c 2001-02-11 10:13:41.000000000 +1100 +++ openssh-2.5.2p1/ssh-agent.c 2001-03-19 09:38:16.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.50 2001/02/08 19:30:52 itojun Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.52 2001/03/06 00:33:04 deraadt Exp $ */ /* * Author: Tatu Ylonen 
@@ -13,7 +13,7 @@ * called by a name other than "ssh" or "Secure Shell". * * SSH2 implementation, - * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2000 Markus Friedl. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -37,7 +37,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-agent.c,v 1.50 2001/02/08 19:30:52 itojun Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.52 2001/03/06 00:33:04 deraadt Exp $"); #include #include @@ -635,9 +635,15 @@ case AUTH_CONNECTION: if (buffer_len(&sockets[i].output) > 0 && FD_ISSET(sockets[i].fd, writeset)) { - len = write(sockets[i].fd, - buffer_ptr(&sockets[i].output), - buffer_len(&sockets[i].output)); + do { + len = write(sockets[i].fd, + buffer_ptr(&sockets[i].output), + buffer_len(&sockets[i].output)); + if (len == -1 && (errno == EAGAIN || + errno == EINTR)) + continue; + break; + } while (1); if (len <= 0) { shutdown(sockets[i].fd, SHUT_RDWR); close(sockets[i].fd); @@ -649,7 +655,13 @@ buffer_consume(&sockets[i].output, len); } if (FD_ISSET(sockets[i].fd, readset)) { - len = read(sockets[i].fd, buf, sizeof(buf)); + do { + len = read(sockets[i].fd, buf, sizeof(buf)); + if (len == -1 && (errno == EAGAIN || + errno == EINTR)) + continue; + break; + } while (1); if (len <= 0) { shutdown(sockets[i].fd, SHUT_RDWR); close(sockets[i].fd); @@ -728,6 +740,7 @@ __progname = get_progname(av[0]); init_rng(); + seed_rng(); #ifdef __GNU_LIBRARY__ while ((ch = getopt(ac, av, "+cks")) != -1) { diff -ru openssh-2.5.1p2/ssh-keygen.0 openssh-2.5.2p1/ssh-keygen.0 --- openssh-2.5.1p2/ssh-keygen.0 2001-03-01 11:11:36.000000000 +1100 +++ openssh-2.5.2p1/ssh-keygen.0 2001-03-20 09:33:27.000000000 +1100 
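Review bot: Retrying on EAGAIN inside `do { … } while (1)` busy-spins: `select()` has already reported the descriptor, so EAGAIN means readiness changed underneath us or the peer has stopped draining a non-blocking socket, and `continue` re-issues the syscall immediately with no wait, letting a client that stops reading keep the agent at full CPU. Only EINTR is safe to retry unconditionally, e.g. `if (len == -1 && errno == EINTR) continue;`, and on EAGAIN the code should break out and return to the next `select()` pass, with the following `if (len <= 0)` teardown skipping that case rather than closing the connection. The same pattern is added to the read loop in the next hunk and should change the same way. The enclosing function starts and ends outside these hunks.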
@@ -13,6 +13,7 @@ ssh-keygen -y [-f input_keyfile] ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile] ssh-keygen -l [-f input_keyfile] + ssh-keygen -B [-f input_keyfile] DESCRIPTION ssh-keygen generates and manages authentication keys for ssh(1). ssh- @@ -62,7 +63,6 @@ comment. - -f Specifies the filename of the key file. -l Show fingerprint of specified private or public key file. @@ -77,7 +77,10 @@ -t type Specifies the type of the key to create. The possible values are ``rsa1'' for protocol version 1 and ``rsa'' or ``dsa'' for proto- - col version 2. The default is ``rsa''. + col version 2. The default is ``rsa1''. + + -B Show the bubblebabble digest of specified private or public key + file. -C comment Provides the new comment. diff -ru openssh-2.5.1p2/ssh-keygen.1 openssh-2.5.2p1/ssh-keygen.1 --- openssh-2.5.1p2/ssh-keygen.1 2001-02-11 10:56:36.000000000 +1100 +++ openssh-2.5.2p1/ssh-keygen.1 2001-03-12 14:02:18.000000000 +1100 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.30 2001/02/08 19:22:38 itojun Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.35 2001/03/11 22:33:23 markus Exp $ .\" .\" -*- nroff -*- .\" @@ -13,9 +13,9 @@ .\" called by a name other than "ssh" or "Secure Shell". .\" .\" -.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. -.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. -.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. +.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. +.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. +.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -73,6 +73,9 @@ .Nm ssh-keygen .Fl l .Op Fl f Ar input_keyfile +.Nm ssh-keygen +.Fl B +.Op Fl f Ar input_keyfile .Sh DESCRIPTION .Nm generates and manages authentication keys for 
@@ -165,7 +168,9 @@ .Dq dsa for protocol version 2. The default is -.Dq rsa . +.Dq rsa1 . +.It Fl B +Show the bubblebabble digest of specified private or public key file. .It Fl C Ar comment Provides the new comment. .It Fl N Ar new_passphrase diff -ru openssh-2.5.1p2/ssh-keygen.c openssh-2.5.2p1/ssh-keygen.c --- openssh-2.5.1p2/ssh-keygen.c 2001-02-15 14:08:27.000000000 +1100 +++ openssh-2.5.2p1/ssh-keygen.c 2001-03-19 09:38:16.000000000 +1100 @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.43 2001/02/12 16:16:23 markus Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.50 2001/03/12 22:02:02 markus Exp $"); #include #include @@ -46,6 +46,7 @@ /* Flag indicating that we just want to see the key fingerprint */ int print_fingerprint = 0; +int print_bubblebabble = 0; /* The identity file name, given on the command line or entered by the user. */ char identity_file[1024]; @@ -325,13 +326,15 @@ void do_fingerprint(struct passwd *pw) { - FILE *f; Key *public; - char *comment = NULL, *cp, *ep, line[16*1024]; - int i, skip = 0, num = 1, invalid = 1, success = 0; + char *comment = NULL, *cp, *ep, line[16*1024], *fp; + int i, skip = 0, num = 1, invalid = 1, success = 0, rep, type; struct stat st; + type = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; + rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; + if (!have_identity) ask_filename(pw, "Enter file in which the key is"); if (stat(identity_file, &st) < 0) { @@ -350,9 +353,12 @@ debug("try_load_public_key KEY_UNSPEC failed"); } if (success) { - printf("%d %s %s\n", key_size(public), key_fingerprint(public), comment); + fp = key_fingerprint(public, type, rep); + printf("%d %s %s\n", key_size(public), + fp, comment); key_free(public); xfree(comment); + xfree(fp); exit(0); } 
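Review bot: do_fingerprint gains two undocumented selectors: `type` and `rep` are derived solely from `print_bubblebabble`, so `-B` silently takes precedence over `-l` when both are given, and nothing in the function states this. Propose a header comment above the definition, `/* Print size, fingerprint and comment of the key in identity_file; -B selects SHA1/bubblebabble, otherwise MD5/hex. */`, and an inline `/* -B wins over -l when both are set */` on the `type =` line. The `fp` returned by key_fingerprint is heap-allocated and freed on the success path shown here; the function body continues past the end of this hunk, so the other print paths should be checked for the same `xfree(fp)`.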
@@ -403,9 +409,10 @@ } } comment = *cp ? cp : comment; - printf("%d %s %s\n", key_size(public), - key_fingerprint(public), + fp = key_fingerprint(public, type, rep); + printf("%d %s %s\n", key_size(public), fp, comment ? comment : "no comment"); + xfree(fp); invalid = 0; } fclose(f); @@ -512,12 +519,11 @@ void do_change_comment(struct passwd *pw) { - char new_comment[1024], *comment; - Key *private; - Key *public; - char *passphrase; + char new_comment[1024], *comment, *passphrase; + Key *private, *public; struct stat st; FILE *f; + int fd; if (!have_identity) ask_filename(pw, "Enter file in which the key is"); @@ -585,11 +591,16 @@ key_free(private); strlcat(identity_file, ".pub", sizeof(identity_file)); - f = fopen(identity_file, "w"); - if (!f) { + fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644); + if (fd == -1) { printf("Could not save your public key in %s\n", identity_file); exit(1); } + f = fdopen(fd, "w"); + if (f == NULL) { + printf("fdopen %s failed", identity_file); + exit(1); + } if (!key_write(public, f)) fprintf(stderr, "write key failed"); key_free(public); @@ -605,7 +616,8 @@ void usage(void) { - printf("Usage: %s [-lpqxXyc] [-t type] [-b bits] [-f file] [-C comment] [-N new-pass] [-P pass]\n", __progname); + printf("Usage: %s [-lpqxXyc] [-t type] [-b bits] [-f file] [-C comment] " + "[-N new-pass] [-P pass]\n", __progname); exit(1); } @@ -616,18 +628,18 @@ main(int ac, char **av) { char dotsshdir[16 * 1024], comment[1024], *passphrase1, *passphrase2; + Key *private, *public; struct passwd *pw; - int opt, type; + int opt, type, fd; struct stat st; FILE *f; - Key *private; - Key *public; extern int optind; extern char *optarg; __progname = get_progname(av[0]); init_rng(); + seed_rng(); SSLeay_add_all_algorithms(); @@ -642,7 +654,7 @@ exit(1); } - while ((opt = getopt(ac, av, "dqpclRxXyb:f:t:P:N:C:")) != -1) { + while ((opt = getopt(ac, av, "dqpclBRxXyb:f:t:P:N:C:")) != -1) { switch (opt) { case 'b': bits = atoi(optarg); 
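Review bot: The new open()/fdopen() sequence in do_change_comment reports `printf("fdopen %s failed", identity_file)` with no trailing newline and, like the surrounding code, sends the error to stdout; the identical block is added again in main in the `@@ -826,21 +842,28 @@` hunk further down, so it should become one static helper used by both. Since the public key file is created with O_TRUNC, a `key_write` failure (currently only a warning) or an unchecked `fclose` leaves a truncated .pub behind with exit status 0; the callers should exit non-zero on either. The `fclose` call is outside this hunk in do_change_comment but visible in the main hunk.
```c
/* Create/truncate the public key file with mode 0644 and return it; exits on failure. */
static FILE *
open_pubkey_file(const char *path)
{
	int fd;
	FILE *f;

	fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
	if (fd == -1) {
		printf("Could not save your public key in %s\n", path);
		exit(1);
	}
	f = fdopen(fd, "w");
	if (f == NULL) {
		printf("fdopen %s failed\n", path);
		exit(1);
	}
	return f;
}
```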
@@ -656,6 +668,10 @@ print_fingerprint = 1; break; + case 'B': + print_bubblebabble = 1; + break; + case 'p': change_passphrase = 1; break; @@ -723,7 +739,7 @@ printf("Can only have one of -p and -c.\n"); usage(); } - if (print_fingerprint) + if (print_fingerprint || print_bubblebabble) do_fingerprint(pw); if (change_passphrase) do_change_passphrase(pw); @@ -826,21 +842,28 @@ printf("Your identification has been saved in %s.\n", identity_file); strlcat(identity_file, ".pub", sizeof(identity_file)); - f = fopen(identity_file, "w"); - if (!f) { + fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644); + if (fd == -1) { printf("Could not save your public key in %s\n", identity_file); exit(1); } + f = fdopen(fd, "w"); + if (f == NULL) { + printf("fdopen %s failed", identity_file); + exit(1); + } if (!key_write(public, f)) fprintf(stderr, "write key failed"); fprintf(f, " %s\n", comment); fclose(f); if (!quiet) { + char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX); printf("Your public key has been saved in %s.\n", identity_file); printf("The key fingerprint is:\n"); - printf("%s %s\n", key_fingerprint(public), comment); + printf("%s %s\n", fp, comment); + xfree(fp); } key_free(public); diff -ru openssh-2.5.1p2/ssh-keyscan.0 openssh-2.5.2p1/ssh-keyscan.0 --- openssh-2.5.1p2/ssh-keyscan.0 2001-03-01 11:11:36.000000000 +1100 +++ openssh-2.5.2p1/ssh-keyscan.0 2001-03-20 09:33:27.000000000 +1100 @@ -1,5 +1,5 @@ -ssh-keyscan(1) System Reference Manual ssh-keyscan(1) +SSH-KEYSCAN(1) System Reference Manual SSH-KEYSCAN(1) NAME ssh-keyscan - gather ssh public keys @@ -46,7 +46,7 @@ Find all hosts from the file ssh_hosts which have new or different keys from those in the sorted file ssh_known_hosts: - ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \ + $ ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \ diff ssh_known_hosts - FILES 
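Review bot: `-l` and `-B` can be given together and both pass the new `if (print_fingerprint || print_bubblebabble)` test; do_fingerprint then lets `-B` win (its `type`/`rep` selection earlier in this diff keys only on print_bubblebabble), so `-l -B` silently prints a bubblebabble digest. The adjacent check already rejects `-p` with `-c`; the same treatment fits here: `if (print_fingerprint && print_bubblebabble) { printf("Can only have one of -l and -B.\n"); usage(); }`. The usage string rewritten in the previous hunk also still omits `-B` from `[-lpqxXyc]`.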
@@ -64,7 +64,7 @@ it gets the key. SEE ALSO - ssh(1) sshd(8) + ssh(1), sshd(8) AUTHOR David Mazieres diff -ru openssh-2.5.1p2/ssh-keyscan.1 openssh-2.5.2p1/ssh-keyscan.1 --- openssh-2.5.1p2/ssh-keyscan.1 2001-01-29 18:39:26.000000000 +1100 +++ openssh-2.5.2p1/ssh-keyscan.1 2001-03-05 17:50:48.000000000 +1100 @@ -1,7 +1,14 @@ -.\" $OpenBSD: ssh-keyscan.1,v 1.3 2001/01/29 01:58:18 niklas Exp $ +.\" $OpenBSD: ssh-keyscan.1,v 1.4 2001/03/01 03:38:33 deraadt Exp $ +.\" +.\" Copyright 1995, 1996 by David Mazieres . +.\" +.\" Modification and redistribution in source and binary forms is +.\" permitted provided that due credit is given to the author and the +.\" OpenBSD project (for instance by leaving this copyright notice +.\" intact). .\" .Dd January 1, 1996 -.Dt ssh-keyscan 1 +.Dt SSH-KEYSCAN 1 .Os .Sh NAME .Nm ssh-keyscan @@ -72,7 +79,7 @@ which have new or different keys from those in the sorted file .Pa ssh_known_hosts : .Bd -literal -ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \e\ +$ ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \e\ diff ssh_known_hosts - .Ed .Pp @@ -91,7 +98,7 @@ This is because it opens a connection to the ssh port, reads the public key, and drops the connection as soon as it gets the key. .Sh SEE ALSO -.Xr ssh 1 +.Xr ssh 1 , .Xr sshd 8 .Sh AUTHOR David Mazieres diff -ru openssh-2.5.1p2/ssh-keyscan.c openssh-2.5.2p1/ssh-keyscan.c --- openssh-2.5.1p2/ssh-keyscan.c 2001-02-15 14:12:08.000000000 +1100 +++ openssh-2.5.2p1/ssh-keyscan.c 2001-03-15 05:37:13.000000000 +1100 @@ -8,12 +8,12 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keyscan.c,v 1.16 2001/02/12 22:56:10 deraadt Exp $"); +RCSID("$OpenBSD: ssh-keyscan.c,v 1.22 2001/03/06 06:11:18 deraadt Exp $"); #if defined(HAVE_SYS_QUEUE_H) && !defined(HAVE_BOGUS_SYS_QUEUE_H) #include #else -#include "fake-queue.h" +#include "openbsd-compat/fake-queue.h" #endif #include 
@@ -26,6 +26,7 @@ #include "buffer.h" #include "bufaux.h" #include "log.h" +#include "atomicio.h" static int argno = 1; /* Number of argument currently being parsed */ @@ -37,14 +38,15 @@ int timeout = 5; int maxfd; -#define maxcon (maxfd - 10) +#define MAXCON (maxfd - 10) #ifdef HAVE___PROGNAME extern char *__progname; #else char *__progname; #endif -fd_set read_wait; +fd_set *read_wait; +size_t read_wait_size; int ncon; /* @@ -89,7 +91,7 @@ void (*errfun) (const char *,...); } Linebuf; -static inline Linebuf * +Linebuf * Linebuf_alloc(const char *filename, void (*errfun) (const char *,...)) { Linebuf *lb; @@ -123,7 +125,7 @@ return (lb); } -static inline void +void Linebuf_free(Linebuf * lb) { fclose(lb->stream); @@ -131,7 +133,7 @@ xfree(lb); } -static inline void +void Linebuf_restart(Linebuf * lb) { clearerr(lb->stream); @@ -139,13 +141,13 @@ lb->lineno = 0; } -static inline int +int Linebuf_lineno(Linebuf * lb) { return (lb->lineno); } -static inline char * +char * Linebuf_getline(Linebuf * lb) { int n = 0; @@ -155,7 +157,8 @@ /* Read a line */ if (!fgets(&lb->buf[n], lb->size - n, lb->stream)) { if (ferror(lb->stream) && lb->errfun) - (*lb->errfun) ("%s: %s\n", lb->filename, strerror(errno)); + (*lb->errfun) ("%s: %s\n", lb->filename, + strerror(errno)); return (NULL); } n = strlen(lb->buf); 
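Review bot: Dropping `static` together with `inline` on Linebuf_alloc, Linebuf_free, Linebuf_restart, Linebuf_lineno and Linebuf_getline (and on fdlim_get, fdlim_set, xstrsep and usage in the following hunks) exports file-private helpers with generic names into the global namespace. If the aim is only to avoid `static inline` on older compilers, keeping `static` alone achieves that, e.g. `static Linebuf *`, `static void`, `static int`, `static char *`. Renaming the macro to `MAXCON` is an improvement, but it still expands to the mutable `maxfd - 10`, so a comment such as `/* evaluated at runtime: depends on maxfd */` beside the define would stop readers treating it as a constant.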
@@ -167,23 +170,26 @@ } if (n != lb->size - 1) { if (lb->errfun) - (*lb->errfun) ("%s: skipping incomplete last line\n", lb->filename); + (*lb->errfun) ("%s: skipping incomplete last line\n", + lb->filename); return (NULL); } /* Double the buffer if we need more space */ if (!(lb->buf = realloc(lb->buf, (lb->size *= 2)))) { if (lb->errfun) - (*lb->errfun) ("linebuf (%s): realloc failed\n", lb->filename); + (*lb->errfun) ("linebuf (%s): realloc failed\n", + lb->filename); return (NULL); } } } -static int +int fdlim_get(int hard) { #if defined(HAVE_GETRLIMIT) && defined(RLIMIT_NOFILE) struct rlimit rlfd; + if (getrlimit(RLIMIT_NOFILE, &rlfd) < 0) return (-1); if ((hard ? rlfd.rlim_max : rlfd.rlim_cur) == RLIM_INFINITY) @@ -197,7 +203,7 @@ #endif } -static int +int fdlim_set(int lim) { #if defined(HAVE_SETRLIMIT) && defined(RLIMIT_NOFILE) @@ -222,7 +228,7 @@ * separators. This is the same as the 4.4BSD strsep, but different from the * one in the GNU libc. */ -inline char * +char * xstrsep(char **str, const char *delim) { char *s, *e; @@ -356,7 +362,7 @@ gettimeofday(&fdcon[s].c_tv, NULL); fdcon[s].c_tv.tv_sec += timeout; TAILQ_INSERT_TAIL(&tq, &fdcon[s], c_link); - FD_SET(s, &read_wait); + FD_SET(s, read_wait); ncon++; return (s); } @@ -364,16 +370,16 @@ void confree(int s) { - close(s); if (s >= maxfd || fdcon[s].c_status == CS_UNUSED) fatal("confree: attempt to free bad fdno %d", s); + close(s); xfree(fdcon[s].c_namebase); xfree(fdcon[s].c_output_name); if (fdcon[s].c_status == CS_KEYS) xfree(fdcon[s].c_data); fdcon[s].c_status = CS_UNUSED; TAILQ_REMOVE(&tq, &fdcon[s], c_link); - FD_CLR(s, &read_wait); + FD_CLR(s, read_wait); ncon--; } 
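Review bot: The realloc in Linebuf_getline that this hunk reformats around still assigns the result straight back, `lb->buf = realloc(lb->buf, (lb->size *= 2))`, so on failure the old buffer is leaked, `lb->buf` is NULL and `lb->size` has already been doubled; a later Linebuf_free or Linebuf_getline on the same object would then presumably free or index a NULL buffer. Grow through a temporary and only commit both fields on success, with `char *nbuf;` declared alongside `n` at the top of the function (outside this hunk). The function begins before this hunk.
```c
		/* Double the buffer if we need more space */
		nbuf = realloc(lb->buf, lb->size * 2);
		if (nbuf == NULL) {
			if (lb->errfun)
				(*lb->errfun) ("linebuf (%s): realloc failed\n",
				    lb->filename);
			return (NULL);
		}
		lb->buf = nbuf;
		lb->size *= 2;
```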
@@ -405,26 +411,30 @@
 void
 congreet(int s)
 {
- char buf[80];
- int n;
+ char buf[80], *cp;
+ size_t bufsiz;
+ int n = 0;
 con *c = &fdcon[s];
- n = read(s, buf, sizeof(buf));
+ bufsiz = sizeof(buf);
+ cp = buf;
+ while (bufsiz-- && (n = read(s, cp, 1)) == 1 && *cp != '\n' && *cp != '\r')
+ cp++;
 if (n < 0) {
 if (errno != ECONNREFUSED)
 error("read (%s): %s", c->c_name, strerror(errno));
 conrecycle(s);
 return;
 }
- if (buf[n - 1] != '\n') {
+ if (*cp != '\n' && *cp != '\r') {
 error("%s: bad greeting", c->c_name);
 confree(s);
 return;
 }
- buf[n - 1] = '\0';
+ *cp = '\0';
 fprintf(stderr, "# %s %s\n", c->c_name, buf);
 n = snprintf(buf, sizeof buf, "SSH-1.5-OpenSSH-keyscan\r\n");
- if (write(s, buf, n) != n) {
+ if (atomicio(write, s, buf, n) != n) {
 error("write (%s): %s", c->c_name, strerror(errno));
 confree(s);
 return;
@@ -476,7 +486,7 @@
 void
 conloop(void)
 {
- fd_set r, e;
+ fd_set *r, *e;
 struct timeval seltime, now;
 int i;
 con *c;
@@ -484,9 +494,8 @@
 gettimeofday(&now, NULL);
 c = tq.tqh_first;
- if (c &&
- (c->c_tv.tv_sec > now.tv_sec ||
- (c->c_tv.tv_sec == now.tv_sec && c->c_tv.tv_usec > now.tv_usec))) {
+ if (c && (c->c_tv.tv_sec > now.tv_sec ||
+ (c->c_tv.tv_sec == now.tv_sec && c->c_tv.tv_usec > now.tv_usec))) {
 seltime = c->c_tv;
 seltime.tv_sec -= now.tv_sec;
 seltime.tv_usec -= now.tv_usec;
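Review bot: The byte-at-a-time greeting loop in congreet can leave `cp` one past `buf`: with `bufsiz = sizeof(buf)` and a peer that sends 80 bytes without CR or LF, the loop exits on `bufsiz--` after `cp++` has reached `buf + 80`, and the following `*cp != '\n'` test reads past the array. When `read()` returns 0 because the peer closes mid-line, `n` is 0, neither branch treats that as an error, and `*cp` inspects a byte of `buf` that was never written, so uninitialised stack decides between "bad greeting" and an accepted truncated greeting. Both go away by reserving the last slot and starting from a zeroed buffer: add `memset(buf, 0, sizeof(buf));` before the loop and use `bufsiz = sizeof(buf) - 1;` in place of the current assignment, so an unread position compares as `'\0'` and is rejected. Handling `n == 0` explicitly alongside the `n < 0` branch (without the errno message) would make the EOF case clearer still. This input comes straight from the remote server, so it is the path to harden first.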
@@ -497,23 +506,30 @@
 } else
 seltime.tv_sec = seltime.tv_usec = 0;
- r = e = read_wait;
- while (select(maxfd, &r, NULL, &e, &seltime) == -1 &&
+ r = xmalloc(read_wait_size);
+ memcpy(r, read_wait, read_wait_size);
+ e = xmalloc(read_wait_size);
+ memcpy(e, read_wait, read_wait_size);
+
+ while (select(maxfd, r, NULL, e, &seltime) == -1 &&
 (errno == EAGAIN || errno == EINTR))
 ;
- for (i = 0; i < maxfd; i++)
- if (FD_ISSET(i, &e)) {
+ for (i = 0; i < maxfd; i++) {
+ if (FD_ISSET(i, e)) {
 error("%s: exception!", fdcon[i].c_name);
 confree(i);
- } else if (FD_ISSET(i, &r))
+ } else if (FD_ISSET(i, r))
 conread(i);
+ }
+ xfree(r);
+ xfree(e);
 c = tq.tqh_first;
- while (c &&
- (c->c_tv.tv_sec < now.tv_sec ||
- (c->c_tv.tv_sec == now.tv_sec && c->c_tv.tv_usec < now.tv_usec))) {
+ while (c && (c->c_tv.tv_sec < now.tv_sec ||
+ (c->c_tv.tv_sec == now.tv_sec && c->c_tv.tv_usec < now.tv_usec))) {
 int s = c->c_fd;
+ c = c->c_link.tqe_next;
 conrecycle(s);
 }
@@ -536,6 +552,7 @@
 return (argv[argno++]);
 } else if (!strncmp(argv[argno], "-f", 2)) {
 char *fname;
+
 if (argv[argno][2])
 fname = &argv[argno++][2];
 else if (++argno >= argc) {
@@ -547,9 +564,11 @@
 fname = NULL;
 lb = Linebuf_alloc(fname, error);
 } else
- error("ignoring invalid/misplaced option `%s'", argv[argno++]);
+ error("ignoring invalid/misplaced option `%s'",
+ argv[argno++]);
 } else {
 char *line;
+
 line = Linebuf_getline(lb);
 if (line)
 return (line);
@@ -559,7 +578,7 @@
 }
 }
-static void
+void
 usage(void)
 {
 fatal("usage: %s [-t timeout] { [--] host | -f file } ...", __progname);
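Review bot: conloop now allocates and frees two `read_wait_size` buffers on every pass (`r = xmalloc(...)`, `e = xmalloc(...)`, then `xfree(r)`, `xfree(e)`), i.e. on every select() wake-up, although the sets keep the same size for the life of the program; allocating them once next to `read_wait` in main, or as `static` pointers initialised on first use, and keeping only the two `memcpy` calls here would remove the churn. Advancing `c` before `conrecycle(s)` is the right fix but nothing says why the order matters; a one-line `/* conrecycle() presumably unlinks c from tq; step first */` would stop it being "simplified" back. The enclosing conloop begins before this hunk.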
@@ -597,15 +616,19 @@ fatal("%s: fdlim_get: bad value", __progname); if (maxfd > MAXMAXFD) maxfd = MAXMAXFD; - if (maxcon <= 0) + if (MAXCON <= 0) fatal("%s: not enough file descriptors", __progname); if (maxfd > fdlim_get(0)) fdlim_set(maxfd); fdcon = xmalloc(maxfd * sizeof(con)); memset(fdcon, 0, maxfd * sizeof(con)); + read_wait_size = howmany(maxfd, NFDBITS) * sizeof(fd_mask); + read_wait = xmalloc(read_wait_size); + memset(read_wait, 0, read_wait_size); + do { - while (ncon < maxcon) { + while (ncon < MAXCON) { char *name; host = nexthost(argc, argv); diff -ru openssh-2.5.1p2/ssh.0 openssh-2.5.2p1/ssh.0 --- openssh-2.5.1p2/ssh.0 2001-03-01 11:11:36.000000000 +1100 +++ openssh-2.5.2p1/ssh.0 2001-03-20 09:33:27.000000000 +1100 @@ -2,7 +2,7 @@ SSH(1) System Reference Manual SSH(1) NAME - ssh - OpenSSH secure shell client (remote login program) + ssh - OpenSSH SSH client (remote login program) SYNOPSIS ssh [-l login_name] [hostname | user@hostname] [command] @@ -13,7 +13,7 @@ user@hostname] [command] DESCRIPTION - ssh (Secure Shell) is a program for logging into a remote machine and for + ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrust- ed hosts over an insecure network. X11 connections and arbitrary TCP/IP @@ -105,7 +105,7 @@ Protocol 2 provides additional mechanisms for confidentiality (the traf- fic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) and integrity - (hmac-sha1, hmac-md5). Note that protocol 1 lacks a strong mechanism for + (hmac-md5, hmac-sha1). Note that protocol 1 lacks a strong mechanism for ensuring the integrity of the connection. Login session and remote execution 
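Review bot: fdcon and the new read_wait set are both sized from maxfd (`fdcon = xmalloc(maxfd * sizeof(con))`, `read_wait_size = howmany(maxfd, NFDBITS) * sizeof(fd_mask)`), but `fdlim_set(maxfd)` is only called when the current limit is lower and maxfd is clipped to MAXMAXFD, so nothing prevents socket() from returning a descriptor ≥ maxfd when the soft limit is already higher and enough descriptors are open; conalloc's `fdcon[s]` and `FD_SET(s, read_wait)` (earlier hunk) would then write past both allocations. confree already guards with `s >= maxfd`; the same check belongs where the socket is obtained, e.g. `if (s >= maxfd) fatal("%s: fd %d exceeds table size %d", __progname, s, maxfd);`, or `fdlim_set(maxfd)` should be called unconditionally so the kernel enforces the bound. `howmany`, `NFDBITS` and `fd_mask` are BSD spellings; presumably the portable tree's compat headers supply them, which is worth confirming for non-BSD builds. The enclosing main starts before this hunk.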
@@ -135,8 +135,8 @@ if a tty is used. The session terminates when the command or shell on the remote machine - exists and all X11 and TCP/IP connections have been closed. The exit - status of the remote program is returned as the exit status of ssh. + exits and all X11 and TCP/IP connections have been closed. The exit sta- + tus of the remote program is returned as the exit status of ssh. X11 and TCP forwarding @@ -167,7 +167,7 @@ Forwarding of arbitrary TCP/IP connections over the secure channel can be specified either on command line or in a configuration file. One possi- ble application of TCP/IP forwarding is a secure connection to an elec- - tronic purse; another is going trough firewalls. + tronic purse; another is going through firewalls. Server authentication @@ -394,7 +394,7 @@ fault is - ``3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc, + ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc, rijndael256-cbc,rijndael-cbc@lysator.liu.se'' @@ -448,12 +448,18 @@ fault is ``no''. GlobalKnownHostsFile - Specifies a file to use instead of /etc/ssh_known_hosts. + Specifies a file to use for the protocol version 1 global host + key database instead of /etc/ssh_known_hosts. + + GlobalKnownHostsFile2 + Specifies a file to use for the protocol version 2 global host + key database instead of /etc/ssh_known_hosts2. HostKeyAlias Specifies an alias that should be used instead of the real host name when looking up or saving the host key in the known_hosts files. This option is useful for tunneling ssh connections or if + you have multiple servers running on a single host. HostName 
@@ -515,9 +521,11 @@ 2 for data integrity protection. Multiple algorithms must be comma-separated. The default is - ``hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com, + ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com, hmac-sha1-96,hmac-md5-96'' + + NumberOfPasswordPrompts Specifies the number of password prompts before giving up. The argument to this keyword must be an integer. Default is 3. @@ -525,12 +533,18 @@ PasswordAuthentication Specifies whether to use password authentication. The argument to this keyword must be ``yes'' or ``no''. Note that this option - applies to both protocol version 1 and 2. Port Specifies the port number to connect on the remote host. Default is 22. + PreferredAuthentications + Specifies the order in which the client should try protocol 2 au- + thentication methods. This allows a client to prefer one method + (e.g. keyboard-interactive) over another method (e.g. password) + The default for this option is: ``publickey, password, keyboard- + interactive'' + Protocol Specifies the protocol versions ssh should support in order of preference. The possible values are ``1'' and ``2''. Multiple @@ -607,7 +621,7 @@ UsePrivilegedPort Specifies whether to use a privileged port for outgoing connec- tions. The argument must be ``yes'' or ``no''. The default is - ``yes''. Note that setting this option to ``no'' turns off + ``no''. Note that setting this option to ``no'' turns off RhostsAuthentication and RhostsRSAAuthentication for older servers. 
@@ -617,7 +631,12 @@ mand line. UserKnownHostsFile - Specifies a file to use instead of $HOME/.ssh/known_hosts. + Specifies a file to use for the protocol version 1 user host key + database instead of $HOME/.ssh/known_hosts. + + UserKnownHostsFile2 + Specifies a file to use for the protocol version 2 user host key + database instead of $HOME/.ssh/known_hosts2. UseRsh Specifies that rlogin/rsh should be used for this host. It is possible that the host does not at all support the ssh protocol. @@ -681,9 +700,10 @@ format ``VARNAME=value'' to the environment. FILES - $HOME/.ssh/known_hosts + $HOME/.ssh/known_hosts, $HOME/.ssh/known_hosts2 Records host keys for all hosts the user has logged into (that - are not in /etc/ssh_known_hosts). See sshd(8). + are not in /etc/ssh_known_hosts for protocol version 1 or + /etc/ssh_known_hosts2 for protocol version 2). See sshd(8). $HOME/.ssh/identity, $HOME/.ssh/id_dsa Contains the RSA and the DSA authentication identity of the user. @@ -722,7 +742,6 @@ public exponent, modulus, and comment fields, separated by spaces). This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by - others. $HOME/.ssh/authorized_keys2 
@@ -763,13 +782,14 @@ used by rlogin and rsh, which makes using this file insecure.) Each line of the file contains a host name (in the canonical form returned by name servers), and then a user name on that host, - separated by a space. One some machines this file may need to be + separated by a space. On some machines this file may need to be world-readable if the user's home directory is on a NFS parti- tion, because sshd(8) reads it as root. Additionally, this file must be owned by the user, and must not have write permissions for anyone else. The recommended permission for most machines is read/write for the user, and not accessible by others. + Note that by default sshd(8) will be installed so that it re- quires successful RSA host authentication before permitting .rhosts authentication. If your server machine does not have the @@ -810,10 +830,6 @@ Contains additional definitions for environment variables, see section ENVIRONMENT above. - libcrypto.so.X.1 - A version of this library which includes support for the RSA al- - gorithm is required for proper operation. - AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo diff -ru openssh-2.5.1p2/ssh.1 openssh-2.5.2p1/ssh.1 --- openssh-2.5.1p2/ssh.1 2001-02-15 14:02:00.000000000 +1100 +++ openssh-2.5.2p1/ssh.1 2001-03-19 23:59:11.000000000 +1100 
@@ -10,9 +10,9 @@ .\" incompatible with the protocol description in the RFC file, it must be .\" called by a name other than "ssh" or "Secure Shell". .\" -.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. -.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. -.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. +.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. +.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. +.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -34,13 +34,13 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.91 2001/02/11 12:59:25 markus Exp $ +.\" $OpenBSD: ssh.1,v 1.99 2001/03/19 12:49:51 djm Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os .Sh NAME .Nm ssh -.Nd OpenSSH secure shell client (remote login program) +.Nd OpenSSH SSH client (remote login program) .Sh SYNOPSIS .Nm ssh .Op Fl l Ar login_name @@ -76,7 +76,7 @@ .Op Ar command .Sh DESCRIPTION .Nm -(Secure Shell) is a program for logging into a remote machine and for +(SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between @@ -228,7 +228,7 @@ .Pp Protocol 2 provides additional mechanisms for confidentiality (the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) -and integrity (hmac-sha1, hmac-md5). +and integrity (hmac-md5, hmac-sha1). Note that protocol 1 lacks a strong mechanism for ensuring the integrity of the connection. .Pp 
@@ -274,7 +274,7 @@ will also make the session transparent even if a tty is used. .Pp The session terminates when the command or shell on the remote -machine exists and all X11 and TCP/IP connections have been closed. +machine exits and all X11 and TCP/IP connections have been closed. The exit status of the remote program is returned as the exit status of .Nm ssh . @@ -322,7 +322,7 @@ Forwarding of arbitrary TCP/IP connections over the secure channel can be specified either on command line or in a configuration file. One possible application of TCP/IP forwarding is a secure connection to an -electronic purse; another is going trough firewalls. +electronic purse; another is going through firewalls. .Pp .Ss Server authentication .Pp @@ -667,7 +667,7 @@ The default is .Pp .Bd -literal - ``3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc, + ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc, rijndael256-cbc,rijndael-cbc@lysator.liu.se'' .Ed @@ -750,8 +750,13 @@ The default is .Dq no . .It Cm GlobalKnownHostsFile -Specifies a file to use instead of +Specifies a file to use for the protocol version 1 global +host key database instead of .Pa /etc/ssh_known_hosts . +.It Cm GlobalKnownHostsFile2 +Specifies a file to use for the protocol version 2 global +host key database instead of +.Pa /etc/ssh_known_hosts2 . .It Cm HostKeyAlias Specifies an alias that should be used instead of the real host name when looking up or saving the host key @@ -831,7 +836,7 @@ The default is .Pp .Bd -literal - ``hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com, + ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com, hmac-sha1-96,hmac-md5-96'' .Ed .It Cm NumberOfPasswordPrompts 
@@ -848,6 +853,14 @@ .It Cm Port Specifies the port number to connect on the remote host. Default is 22. +.It Cm PreferredAuthentications +Specifies the order in which the client should try protocol 2 +authentication methods. This allows a client to prefer one method (e.g. +.Cm keyboard-interactive ) +over another method (e.g. +.Cm password ) +The default for this option is: +.Dq publickey, password, keyboard-interactive .It Cm Protocol Specifies the protocol versions .Nm @@ -985,7 +998,7 @@ or .Dq no . The default is -.Dq yes . +.Dq no . Note that setting this option to .Dq no turns off @@ -999,8 +1012,13 @@ This saves the trouble of having to remember to give the user name on the command line. .It Cm UserKnownHostsFile -Specifies a file to use instead of +Specifies a file to use for the protocol version 1 user +host key database instead of .Pa $HOME/.ssh/known_hosts . +.It Cm UserKnownHostsFile2 +Specifies a file to use for the protocol version 2 user +host key database instead of +.Pa $HOME/.ssh/known_hosts2 . .It Cm UseRsh Specifies that rlogin/rsh should be used for this host. It is possible that the host does not at all support the @@ -1091,10 +1109,13 @@ to the environment. .Sh FILES .Bl -tag -width Ds -.It Pa $HOME/.ssh/known_hosts +.It Pa $HOME/.ssh/known_hosts, $HOME/.ssh/known_hosts2 Records host keys for all hosts the user has logged into (that are not in -.Pa /etc/ssh_known_hosts ) . +.Pa /etc/ssh_known_hosts +for protocol version 1 or +.Pa /etc/ssh_known_hosts2 +for protocol version 2). See .Xr sshd 8 . .It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa @@ -1196,7 +1217,7 @@ Each line of the file contains a host name (in the canonical form returned by name servers), and then a user name on that host, separated by a space. -One some machines this file may need to be +On some machines this file may need to be world-readable if the user's home directory is on a NFS partition, because .Xr sshd 8 
@@ -1268,9 +1289,6 @@ Contains additional definitions for environment variables, see section .Sx ENVIRONMENT above. -.It Pa libcrypto.so.X.1 -A version of this library which includes support for the RSA algorithm -is required for proper operation. .El .Sh AUTHORS OpenSSH is a derivative of the original and free diff -ru openssh-2.5.1p2/ssh.c openssh-2.5.2p1/ssh.c --- openssh-2.5.1p2/ssh.c 2001-02-19 21:51:08.000000000 +1100 +++ openssh-2.5.2p1/ssh.c 2001-03-19 09:38:16.000000000 +1100 @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.96 2001/02/17 23:28:58 deraadt Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.104 2001/03/08 21:42:32 markus Exp $"); #include #include @@ -161,7 +161,8 @@ #endif /* AFS */ fprintf(stderr, " -X Enable X11 connection forwarding.\n"); fprintf(stderr, " -x Disable X11 connection forwarding.\n"); - fprintf(stderr, " -i file Identity for RSA authentication (default: ~/.ssh/identity).\n"); + fprintf(stderr, " -i file Identity for public key authentication " + "(default: ~/.ssh/identity)\n"); fprintf(stderr, " -t Tty; allocate a tty even if command is given.\n"); fprintf(stderr, " -T Do not allocate a tty.\n"); fprintf(stderr, " -v Verbose; display verbose debugging messages.\n"); @@ -173,8 +174,8 @@ fprintf(stderr, " -e char Set escape character; ``none'' = disable (default: ~).\n"); fprintf(stderr, " -c cipher Select encryption algorithm: " - "``3des'', " - "``blowfish''\n"); + "``3des'', ``blowfish''\n"); + fprintf(stderr, " -m macs Specify MAC algorithms for protocol version 2.\n"); fprintf(stderr, " -p port Connect to this port. Server must be on the same port.\n"); fprintf(stderr, " -L listen-port:host:port Forward local port to remote address\n"); fprintf(stderr, " -R listen-port:host:port Forward remote port to local address\n"); @@ -232,7 +233,7 @@ int ssh_session(void); int ssh_session2(void); -int guess_identity_file_type(const char *filename); +void load_public_identity_files(void); /* * Main program for the ssh client. 
@@ -244,7 +245,7 @@ u_short fwd_port, fwd_host_port; char *optarg, *cp, buf[256]; struct stat st; - struct passwd *pw, pwcopy; + struct passwd *pw; int dummy; uid_t original_effective_uid; @@ -387,7 +388,7 @@ options.log_level++; break; } else { - fatal("Too high debugging level.\n"); + fatal("Too high debugging level."); } /* fallthrough */ case 'V': @@ -543,32 +544,24 @@ /* Do not allocate a tty if stdin is not a tty. */ if (!isatty(fileno(stdin)) && !force_tty_flag) { if (tty_flag) - log("Pseudo-terminal will not be allocated because stdin is not a terminal.\n"); + log("Pseudo-terminal will not be allocated because stdin is not a terminal."); tty_flag = 0; } /* Get user data. */ pw = getpwuid(original_real_uid); if (!pw) { - log("You don't exist, go away!\n"); + log("You don't exist, go away!"); exit(1); } /* Take a copy of the returned structure. */ - memset(&pwcopy, 0, sizeof(pwcopy)); - pwcopy.pw_name = xstrdup(pw->pw_name); - pwcopy.pw_passwd = xstrdup(pw->pw_passwd); - pwcopy.pw_uid = pw->pw_uid; - pwcopy.pw_gid = pw->pw_gid; -#ifdef HAVE_PW_CLASS_IN_PASSWD - pwcopy.pw_class = xstrdup(pw->pw_class); -#endif - pwcopy.pw_dir = xstrdup(pw->pw_dir); - pwcopy.pw_shell = xstrdup(pw->pw_shell); - pw = &pwcopy; - - /* Initialize "log" output. Since we are the client all output - actually goes to the terminal. */ - log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 0); + pw = pwcopy(pw); + + /* + * Initialize "log" output. Since we are the client all output + * actually goes to stderr. + */ + log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); /* Read per-user configuration file. */ snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, _PATH_SSH_USER_CONFFILE); @@ -581,7 +574,9 @@ fill_default_options(&options); /* reinit */ - log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 0); + log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1); + + seed_rng(); if (options.user == NULL) options.user = xstrdup(pw->pw_name); 
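Review bot: The first `log_init` call now fixes the level at `SYSLOG_LEVEL_INFO` instead of `options.log_level`, so debug output produced while the per-user and system configuration files are read is suppressed even when `-v` was given (the earlier hunk bumps `options.log_level` per `-v`); only the "reinit" call in the following hunk restores the requested level. If `options.log_level` is not yet a valid level at this point, a comment saying so would explain the hardcoded value; otherwise `log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1);` keeps the early messages consistent with the command line. The enclosing `main` starts and ends outside the hunk.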
@@ -685,15 +680,11 @@ } exit(1); } - /* Expand ~ in options.identity_files, known host file names. */ - /* XXX mem-leaks */ - for (i = 0; i < options.num_identity_files; i++) { - options.identity_files[i] = - tilde_expand_filename(options.identity_files[i], original_real_uid); - options.identity_files_type[i] = guess_identity_file_type(options.identity_files[i]); - debug("identity file %s type %d", options.identity_files[i], - options.identity_files_type[i]); - } + /* load options.identity_files */ + load_public_identity_files(); + + /* Expand ~ in known host file names. */ + /* XXX mem-leaks: */ options.system_hostfile = tilde_expand_filename(options.system_hostfile, original_real_uid); options.user_hostfile = @@ -946,7 +937,8 @@ id = packet_get_int(); len = buffer_len(&command); - len = MAX(len, 900); + if (len > 900) + len = 900; packet_done(); if (type == SSH2_MSG_CHANNEL_FAILURE) fatal("Request for subsystem '%.*s' failed on channel %d", @@ -1019,7 +1011,7 @@ debug("Sending command: %.*s", len, buffer_ptr(&command)); channel_request_start(id, "exec", 0); } - packet_put_string(buffer_ptr(&command), len); + packet_put_string(buffer_ptr(&command), buffer_len(&command)); packet_send(); } else { channel_request(id, "shell", 0); 
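Review bot: The `/* XXX mem-leaks: */` marker is kept for the `system_hostfile`/`user_hostfile` tilde expansions, while the identity-file path that replaces the removed loop (`load_public_identity_files`) now frees the original string before storing the expanded one. The same three-line pattern would close this leak too — expand into a temporary, `xfree` the old field, assign — provided the defaults stored in those fields are heap-allocated rather than string literals, which is not visible in this hunk. The enclosing `main` continues outside the hunk.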
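Review bot: `900` is a bare literal in `if (len > 900) len = 900;`, and since `len` here presumably only sets the `%.*s` width of the fatal message for the failed subsystem request, a named constant (e.g. `#define SUBSYS_NAME_LOG_MAX 900`) or a comment `/* truncate the subsystem name in the log message only */` would say so and keep it from being mistaken for a protocol limit. The enclosing function starts and ends outside the hunk.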
@@ -1101,3 +1093,31 @@ key_free(public); return type; } + +void +load_public_identity_files(void) +{ + char *filename; + Key *public; + int i; + + for (i = 0; i < options.num_identity_files; i++) { + filename = tilde_expand_filename(options.identity_files[i], + original_real_uid); + public = key_new(KEY_RSA1); + if (!load_public_key(filename, public, NULL)) { + key_free(public); + public = key_new(KEY_UNSPEC); + if (!try_load_public_key(filename, public, NULL)) { + debug("unknown identity file %s", filename); + key_free(public); + public = NULL; + } + } + debug("identity file %s type %d", filename, + public ? public->type : -1); + xfree(options.identity_files[i]); + options.identity_files[i] = filename; + options.identity_keys[i] = public; + } +} diff -ru openssh-2.5.1p2/ssh.h openssh-2.5.2p1/ssh.h --- openssh-2.5.1p2/ssh.h 2001-02-06 02:43:59.000000000 +1100 +++ openssh-2.5.2p1/ssh.h 2001-03-14 11:39:46.000000000 +1100 @@ -20,7 +20,7 @@ #include /* For va_list */ #include /* For LOG_AUTH and friends */ #include /* For struct sockaddr_storage */ -#include "fake-socket.h" /* For struct sockaddr_storage */ +#include "openbsd-compat/fake-socket.h" /* For struct sockaddr_storage */ #ifdef HAVE_SYS_SELECT_H # include #endif diff -ru openssh-2.5.1p2/ssh_config openssh-2.5.2p1/ssh_config --- openssh-2.5.1p2/ssh_config 2001-02-04 23:20:20.000000000 +1100 +++ openssh-2.5.2p1/ssh_config 2001-03-11 04:15:40.000000000 +1100 @@ -1,4 +1,4 @@ -# $OpenBSD: ssh_config,v 1.8 2001/02/02 12:57:51 deraadt Exp $ +# $OpenBSD: ssh_config,v 1.9 2001/03/10 12:53:51 deraadt Exp $ # This is ssh client systemwide configuration file. See ssh(1) for more # information. This file provides defaults for users, and the values can 
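Review bot: `load_public_identity_files` frees `options.identity_files[i]` after `tilde_expand_filename` and replaces it with the result, which is only safe if `tilde_expand_filename` always returns a fresh allocation — the `/* XXX mem-leaks */` comment the old loop carried suggests it does, but that is not visible here, and if it can return its argument unchanged the `xfree` would free the new string. The function also has no header comment although callers in sshconnect1.c and sshconnect2.c depend on its contract; a header like `/* Expand ~ in each IdentityFile name and pre-load its public key into options.identity_keys[]; an entry stays NULL when no public key can be read, and userauth_pubkey then loads the private key on demand. */` would make that explicit. The function is fully contained in the hunk.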
@@ -31,6 +31,6 @@ # IdentityFile ~/.ssh/id_rsa1 # IdentityFile ~/.ssh/id_rsa2 # Port 22 -# Protocol 1,2 +# Protocol 2,1 # Cipher blowfish # EscapeChar ~ diff -ru openssh-2.5.1p2/sshconnect.c openssh-2.5.2p1/sshconnect.c --- openssh-2.5.1p2/sshconnect.c 2001-02-16 12:34:57.000000000 +1100 +++ openssh-2.5.2p1/sshconnect.c 2001-03-13 15:57:59.000000000 +1100 @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.97 2001/02/15 23:19:59 markus Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.100 2001/03/12 22:02:02 markus Exp $"); #include @@ -481,7 +481,7 @@ Key *file_key; char *type = key_type(host_key); char *ip = NULL; - char hostline[1000], *hostp; + char hostline[1000], *hostp, *fp; HostStatus host_status; HostStatus ip_status; int local = 0, host_ip_differ = 0; @@ -612,13 +612,15 @@ } else if (options.strict_host_key_checking == 2) { /* The default */ char prompt[1024]; + fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); snprintf(prompt, sizeof(prompt), "The authenticity of host '%.200s (%s)' can't be established.\n" "%s key fingerprint is %s.\n" "Are you sure you want to continue connecting (yes/no)? ", - host, ip, type, key_fingerprint(host_key)); + host, ip, type, fp); + xfree(fp); if (!read_yes_or_no(prompt, -1)) - fatal("Aborted by user!\n"); + fatal("Aborted by user!"); } if (options.check_host_ip && ip_status == HOST_NEW) { snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); @@ -655,6 +657,7 @@ error("Offending key for IP in %s:%d", ip_file, ip_line); } /* The host key has changed. */ + fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); 
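Review bot: `key_fingerprint` now returns storage the caller must `xfree`, and `fp` for it is declared at the top of the function (`char hostline[1000], *hostp, *fp;`) although each of the two call sites allocates and releases it within its own block; a block-local `char *fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);` next to each `xfree(fp)` would tie the allocation to its release without the shared declaration. Any other `key_fingerprint` caller in this function outside the hunks should be checked for a matching `xfree`, since the diff shows only these two sites updated. The enclosing function starts and ends outside the hunks.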
@@ -662,11 +665,12 @@ error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); error("It is also possible that the %s host key has just been changed.", type); error("The fingerprint for the %s key sent by the remote host is\n%s.", - type, key_fingerprint(host_key)); + type, fp); error("Please contact your system administrator."); error("Add correct host key in %.100s to get rid of this message.", user_hostfile); error("Offending key in %s:%d", host_file, host_line); + xfree(fp); /* * If strict host key checking is in use, the user will have @@ -719,7 +723,7 @@ } else if (options.strict_host_key_checking == 2) { if (!read_yes_or_no("Are you sure you want " \ "to continue connecting (yes/no)? ", -1)) - fatal("Aborted by user!\n"); + fatal("Aborted by user!"); } } @@ -777,6 +781,10 @@ int size; char *padded; + if (datafellows & SSH_BUG_PASSWORDPAD) { + packet_put_string(password, strlen(password)); + return; + } size = roundup(strlen(password) + 1, 32); padded = xmalloc(size); memset(padded, 0, size); diff -ru openssh-2.5.1p2/sshconnect1.c openssh-2.5.2p1/sshconnect1.c --- openssh-2.5.1p2/sshconnect1.c 2001-02-16 12:34:57.000000000 +1100 +++ openssh-2.5.2p1/sshconnect1.c 2001-03-09 11:12:23.000000000 +1100 @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect1.c,v 1.27 2001/02/15 23:19:59 markus Exp $"); +RCSID("$OpenBSD: sshconnect1.c,v 1.28 2001/03/08 21:42:33 markus Exp $"); #include #include @@ -1017,7 +1017,8 @@ /* Try RSA authentication for each identity. */ for (i = 0; i < options.num_identity_files; i++) - if (options.identity_files_type[i] == KEY_RSA1 && + if (options.identity_keys[i] != NULL && + options.identity_keys[i]->type == KEY_RSA1 && try_rsa_authentication(options.identity_files[i])) return; } diff -ru openssh-2.5.1p2/sshconnect2.c openssh-2.5.2p1/sshconnect2.c --- openssh-2.5.1p2/sshconnect2.c 2001-02-16 12:34:57.000000000 +1100 +++ openssh-2.5.2p1/sshconnect2.c 2001-03-13 15:57:59.000000000 +1100 
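Review bot: The `SSH_BUG_PASSWORDPAD` early return sends the password with `packet_put_string(password, strlen(password))` and skips the 32-byte rounding applied below it, so for peers carrying that flag the packet length tracks the password length; that is the price of compatibility and deserves a comment, e.g. `/* peer cannot handle padded passwords; length is not masked on this path */`. The rest of `ssh_put_password` is outside the hunk.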
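Review bot: An identity whose public key could not be pre-loaded (`options.identity_keys[i] == NULL`, as left by `load_public_identity_files` in ssh.c) is now skipped here without any message, where the previous code keyed off `identity_files_type`. A `debug("skipping %s: public key not loaded", options.identity_files[i]);` branch would make an unreadable or misnamed RSA1 identity visible in `-v` output instead of silently falling through to the next method. The enclosing function starts outside the hunk.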
@@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.48 2001/02/15 23:19:59 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.54 2001/03/12 22:02:02 markus Exp $"); #include #include @@ -51,6 +51,7 @@ #include "log.h" #include "readconf.h" #include "readpass.h" +#include "match.h" void ssh_dh1_client(Kex *, char *, struct sockaddr *, Buffer *, Buffer *); void ssh_dhgex_client(Kex *, char *, struct sockaddr *, Buffer *, Buffer *); @@ -171,7 +172,7 @@ debug("Sending SSH2_MSG_KEXDH_INIT."); /* generate and send 'e', client DH public key */ dh = dh_new_group1(); - dh_gen_key(dh); + dh_gen_key(dh, kex->we_need * 8); packet_start(SSH2_MSG_KEXDH_INIT); packet_put_bignum2(dh->pub_key); packet_send(); @@ -316,7 +317,7 @@ u_char *kbuf; u_char *hash; - nbits = dh_estimate(kex->enc[MODE_OUT].cipher->key_len * 8); + nbits = dh_estimate(kex->we_need * 8); debug("Sending SSH2_MSG_KEX_DH_GEX_REQUEST."); packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST); @@ -342,7 +343,7 @@ packet_get_bignum2(g, &dlen); dh = dh_new_group(g, p); - dh_gen_key(dh); + dh_gen_key(dh, kex->we_need * 8); #ifdef DEBUG_KEXDH fprintf(stderr, "\np= "); @@ -467,6 +468,10 @@ AuthenticationConnection *agent; Authmethod *method; int success; + char *authlist; + Key *last_key; + sign_cb_fn *last_key_sign; + int last_key_hint; }; struct Authmethod { char *name; /* string to compare against server's list */ 
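Review bot: The four new `Authctxt` members carry an ownership protocol that is only discoverable by reading `clear_auth_state`, `send_pubkey_test` and `identity_sign_cb` further down: `last_key_hint` is `-1` for an agent key (then `clear_auth_state` frees `last_key`), an index into `options.identity_files` for a configured identity (not freed), and `-2` after clearing; `authlist` is the server's method list, freed on the next list or on success. Short trailing comments on the members, e.g. `int last_key_hint; /* -1: agent key, owned here; >=0: index into options.identity_files; -2: cleared */`, would record that. The struct declaration begins outside the hunk.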
@@ -480,15 +485,23 @@ void input_userauth_banner(int type, int plen, void *ctxt); void input_userauth_error(int type, int plen, void *ctxt); void input_userauth_info_req(int type, int plen, void *ctxt); +void input_userauth_pk_ok(int type, int plen, void *ctxt); int userauth_none(Authctxt *authctxt); int userauth_pubkey(Authctxt *authctxt); int userauth_passwd(Authctxt *authctxt); int userauth_kbdint(Authctxt *authctxt); -void authmethod_clear(void); +void userauth(Authctxt *authctxt, char *authlist); + +int +sign_and_send_pubkey(Authctxt *authctxt, Key *k, + sign_cb_fn *sign_callback); +void clear_auth_state(Authctxt *authctxt); + Authmethod *authmethod_get(char *authlist); Authmethod *authmethod_lookup(const char *name); +char *authmethods_get(void); Authmethod authmethods[] = { {"publickey", @@ -539,6 +552,9 @@ packet_done(); debug("got SSH2_MSG_SERVICE_ACCEPT"); + if (options.preferred_authentications == NULL) + options.preferred_authentications = authmethods_get(); + /* setup authentication context */ authctxt.agent = ssh_get_authentication_connection(); authctxt.server_user = server_user; @@ -546,9 +562,9 @@ authctxt.service = "ssh-connection"; /* service name */ authctxt.success = 0; authctxt.method = authmethod_lookup("none"); + authctxt.authlist = NULL; if (authctxt.method == NULL) fatal("ssh_userauth2: internal error: cannot send userauth none request"); - authmethod_clear(); /* initial userauth request */ userauth_none(&authctxt); 
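Review bot: `authctxt.authlist = NULL;` is the only one of the new `Authctxt` members initialised in `ssh_userauth2`; `last_key`, `last_key_sign` and `last_key_hint` are not set here, and the first `SSH2_MSG_USERAUTH_FAILURE` reply runs `clear_auth_state`, which reads `last_key` and `last_key_hint` and calls `key_free(last_key)` when the hint is `-1`. Unless `authctxt` is zeroed somewhere outside the hunk, that is a read of an indeterminate automatic struct with a possible free of a garbage pointer; add `authctxt.last_key = NULL; authctxt.last_key_sign = NULL; authctxt.last_key_hint = -2;` next to the `authlist` initialisation. `ssh_userauth2` starts and ends outside the hunk.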
@@ -565,6 +581,30 @@ debug("ssh-userauth2 successful: method %s", authctxt.method->name); } void +userauth(Authctxt *authctxt, char *authlist) +{ + if (authlist == NULL) { + authlist = authctxt->authlist; + } else { + if (authctxt->authlist) + xfree(authctxt->authlist); + authctxt->authlist = authlist; + } + for (;;) { + Authmethod *method = authmethod_get(authlist); + if (method == NULL) + fatal("Permission denied (%s).", authlist); + authctxt->method = method; + if (method->userauth(authctxt) != 0) { + debug2("we sent a %s packet, wait for reply", method->name); + break; + } else { + debug2("we did not send a packet, disable method"); + method->enabled = NULL; + } + } +} +void input_userauth_error(int type, int plen, void *ctxt) { fatal("input_userauth_error: bad message during authentication: " @@ -587,12 +627,14 @@ Authctxt *authctxt = ctxt; if (authctxt == NULL) fatal("input_userauth_success: no authentication context"); + if (authctxt->authlist) + xfree(authctxt->authlist); + clear_auth_state(authctxt); authctxt->success = 1; /* break out */ } void input_userauth_failure(int type, int plen, void *ctxt) { - Authmethod *method = NULL; Authctxt *authctxt = ctxt; char *authlist = NULL; int partial; 
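Review bot: `userauth` takes ownership of a non-NULL `authlist` (stores it in `authctxt->authlist`, freeing the previous one) but nothing says so, and `input_userauth_failure` below relies on it by no longer freeing the list it got from `packet_get_string`. A header comment, `/* authlist: newly received method list, ownership passes to authctxt; NULL re-uses the stored list */`, would pin that down. Separately, when both the argument and `authctxt->authlist` are NULL the `fatal("Permission denied (%s).", authlist)` passes a null pointer to `%s`; printing `authlist ? authlist : options.preferred_authentications` avoids that. The visible callers hand over a list before the NULL form is used, so this is a defensive point rather than a reachable crash as far as the page shows.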
@@ -608,20 +650,75 @@ log("Authenticated with partial success."); debug("authentications that can continue: %s", authlist); - for (;;) { - method = authmethod_get(authlist); - if (method == NULL) - fatal("Permission denied (%s).", authlist); - authctxt->method = method; - if (method->userauth(authctxt) != 0) { - debug2("we sent a %s packet, wait for reply", method->name); + clear_auth_state(authctxt); + userauth(authctxt, authlist); +} +void +input_userauth_pk_ok(int type, int plen, void *ctxt) +{ + Authctxt *authctxt = ctxt; + Key *key = NULL; + Buffer b; + int alen, blen, pktype, sent = 0; + char *pkalg, *pkblob, *fp; + + if (authctxt == NULL) + fatal("input_userauth_pk_ok: no authentication context"); + if (datafellows & SSH_BUG_PKOK) { + /* this is similar to SSH_BUG_PKAUTH */ + debug2("input_userauth_pk_ok: SSH_BUG_PKOK"); + pkblob = packet_get_string(&blen); + buffer_init(&b); + buffer_append(&b, pkblob, blen); + pkalg = buffer_get_string(&b, &alen); + buffer_free(&b); + } else { + pkalg = packet_get_string(&alen); + pkblob = packet_get_string(&blen); + } + packet_done(); + + debug("input_userauth_pk_ok: pkalg %s blen %d lastkey %p hint %d", + pkalg, blen, authctxt->last_key, authctxt->last_key_hint); + + do { + if (authctxt->last_key == NULL || + authctxt->last_key_sign == NULL) { + debug("no last key or no sign cb"); break; - } else { - debug2("we did not send a packet, disable method"); - method->enabled = NULL; } - } - xfree(authlist); + if ((pktype = key_type_from_name(pkalg)) == KEY_UNSPEC) { + debug("unknown pkalg %s", pkalg); + break; + } + if ((key = key_from_blob(pkblob, blen)) == NULL) { + debug("no key from blob. 
pkalg %s", pkalg); + break; + } + fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); + debug2("input_userauth_pk_ok: fp %s", fp); + xfree(fp); + if (!key_equal(key, authctxt->last_key)) { + debug("key != last_key"); + break; + } + sent = sign_and_send_pubkey(authctxt, key, + authctxt->last_key_sign); + } while(0); + + if (key != NULL) + key_free(key); + xfree(pkalg); + xfree(pkblob); + + /* unregister */ + clear_auth_state(authctxt); + dispatch_set(SSH2_MSG_USERAUTH_PK_OK, NULL); + + /* try another method if we did not send a packet*/ + if (sent == 0) + userauth(authctxt, NULL); + } int @@ -633,7 +730,6 @@ packet_put_cstring(authctxt->service); packet_put_cstring(authctxt->method->name); packet_send(); - packet_write_wait(); return 1; } @@ -658,14 +754,27 @@ packet_put_cstring(authctxt->service); packet_put_cstring(authctxt->method->name); packet_put_char(0); - ssh_put_password(password); + packet_put_cstring(password); memset(password, 0, strlen(password)); xfree(password); + packet_inject_ignore(64); packet_send(); - packet_write_wait(); return 1; } +void +clear_auth_state(Authctxt *authctxt) +{ + /* XXX clear authentication state */ + if (authctxt->last_key != NULL && authctxt->last_key_hint == -1) { + debug3("clear_auth_state: key_free %p", authctxt->last_key); + key_free(authctxt->last_key); + } + authctxt->last_key = NULL; + authctxt->last_key_hint = -2; + authctxt->last_key_sign = NULL; +} + int sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback) { @@ -677,6 +786,7 @@ int have_sig = 1; debug3("sign_and_send_pubkey"); + if (key_to_blob(k, &blob, &bloblen) == 0) { /* we cannot handle this key */ debug3("sign_and_send_pubkey: cannot handle key"); 
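Review bot: `pktype` in `input_userauth_pk_ok` is only tested against `KEY_UNSPEC` and then dropped, so the type the server names in `pkalg` is never compared with what `key_from_blob` actually decoded; `key_equal(key, authctxt->last_key)` is what stops a substituted key from being signed for, but a `key->type != pktype` check alongside it (`debug("pkalg %s does not match key type %d", pkalg, key->type); break;`) is cheap and keeps the two server-supplied fields consistent. A one-line header comment would also help, since the function's role — confirm that the key the server accepted is the one offered by `send_pubkey_test`, then sign with the registered callback — is only clear from the `do { } while (0)` body. `input_userauth_failure` begins outside the hunk.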
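Review bot: `packet_inject_ignore(64)` after the password in `userauth_passwd` is presumably now the only thing obscuring the password length on the wire, since the `ssh_put_password` padding was dropped; the same construct appears in `input_userauth_info_req` further down, and neither says why, so a comment such as `/* pad with an SSH_MSG_IGNORE so the packet size does not reveal the password length */` at both sites would help. In `clear_auth_state`, `-1` and `-2` are sentinel values for `last_key_hint` that `identity_sign_cb` and `send_pubkey_test` also depend on; naming them (`enum { HINT_AGENT_KEY = -1, HINT_NONE = -2 }`) would make the ownership rule — `-1` means `last_key` is freed here — explicit rather than a `/* XXX */`.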
@@ -707,7 +817,8 @@ buffer_put_string(&b, blob, bloblen); /* generate signature */ - ret = (*sign_callback)(authctxt, k, &signature, &slen, buffer_ptr(&b), buffer_len(&b)); + ret = (*sign_callback)(authctxt, k, &signature, &slen, + buffer_ptr(&b), buffer_len(&b)); if (ret == -1) { xfree(blob); buffer_free(&b); @@ -719,6 +830,7 @@ if (datafellows & SSH_BUG_PKSERVICE) { buffer_clear(&b); buffer_append(&b, session_id2, session_id2_len); + skip = session_id2_len; buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); buffer_put_cstring(&b, authctxt->server_user); buffer_put_cstring(&b, authctxt->service); @@ -729,6 +841,7 @@ buffer_put_string(&b, blob, bloblen); } xfree(blob); + /* append signature */ buffer_put_string(&b, signature, slen); xfree(signature); 
@@ -742,76 +855,118 @@ packet_start(SSH2_MSG_USERAUTH_REQUEST); packet_put_raw(buffer_ptr(&b), buffer_len(&b)); buffer_free(&b); - - /* send */ packet_send(); - packet_write_wait(); return 1; } -/* sign callback */ -int key_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp, - u_char *data, int datalen) +int +send_pubkey_test(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback, + int hint) { - return key_sign(key, sigp, lenp, data, datalen); + u_char *blob; + int bloblen, have_sig = 0; + + debug3("send_pubkey_test"); + + if (key_to_blob(k, &blob, &bloblen) == 0) { + /* we cannot handle this key */ + debug3("send_pubkey_test: cannot handle key"); + return 0; + } + /* register callback for USERAUTH_PK_OK message */ + authctxt->last_key_sign = sign_callback; + authctxt->last_key_hint = hint; + authctxt->last_key = k; + dispatch_set(SSH2_MSG_USERAUTH_PK_OK, &input_userauth_pk_ok); + + packet_start(SSH2_MSG_USERAUTH_REQUEST); + packet_put_cstring(authctxt->server_user); + packet_put_cstring(authctxt->service); + packet_put_cstring(authctxt->method->name); + packet_put_char(have_sig); + if (!(datafellows & SSH_BUG_PKAUTH)) + packet_put_cstring(key_ssh_name(k)); + packet_put_string(blob, bloblen); + xfree(blob); + packet_send(); + return 1; } -int -userauth_pubkey_identity(Authctxt *authctxt, char *filename) +Key * +load_identity_file(char *filename) { - Key *k; - int i, ret, try_next, success = 0; + Key *private; + char prompt[300], *passphrase; + int success = 0, quit, i; struct stat st; - char *passphrase; - char prompt[300]; - if (stat(filename, &st) != 0) { - debug("key does not exist: %s", filename); - return 0; + if (stat(filename, &st) < 0) { + debug3("no such identity: %s", filename); + return NULL; } - debug("try pubkey: %s", filename); - - k = key_new(KEY_UNSPEC); - if (!load_private_key(filename, "", k, NULL)) { + private = key_new(KEY_UNSPEC); + if (!load_private_key(filename, "", private, NULL)) { if (options.batch_mode) { - key_free(k); - 
return 0; + key_free(private); + return NULL; } snprintf(prompt, sizeof prompt, "Enter passphrase for key '%.100s': ", filename); for (i = 0; i < options.number_of_password_prompts; i++) { passphrase = read_passphrase(prompt, 0); if (strcmp(passphrase, "") != 0) { - success = load_private_key(filename, passphrase, k, NULL); - try_next = 0; + success = load_private_key(filename, + passphrase, private, NULL); + quit = 0; } else { debug2("no passphrase given, try next key"); - try_next = 1; + quit = 1; } memset(passphrase, 0, strlen(passphrase)); xfree(passphrase); - if (success || try_next) + if (success || quit) break; debug2("bad passphrase given, try again..."); } if (!success) { - key_free(k); - return 0; + key_free(private); + return NULL; } } - ret = sign_and_send_pubkey(authctxt, k, key_sign_cb); - key_free(k); + return private; +} + +int +identity_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp, + u_char *data, int datalen) +{ + Key *private; + int idx, ret; + + idx = authctxt->last_key_hint; + if (idx < 0) + return -1; + private = load_identity_file(options.identity_files[idx]); + if (private == NULL) + return -1; + ret = key_sign(private, sigp, lenp, data, datalen); + key_free(private); return ret; } -/* sign callback */ int agent_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp, u_char *data, int datalen) { return ssh_agent_sign(authctxt->agent, key, sigp, lenp, data, datalen); } +int key_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp, + u_char *data, int datalen) +{ + return key_sign(key, sigp, lenp, data, datalen); +} + int userauth_pubkey_agent(Authctxt *authctxt) { 
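Review bot: `identity_sign_cb` bounds `idx` only from below (`if (idx < 0) return -1;`) before indexing `options.identity_files[idx]`; the hint comes from `userauth_pubkey`, which keeps it below `options.num_identity_files`, but an upper bound here is cheap: `if (idx < 0 || idx >= options.num_identity_files) return -1;`. The `key` parameter of that callback is unused because the private key is re-read from the file, which deserves a comment so nobody "fixes" it to sign with the public key object. `send_pubkey_test` should also state that on success `authctxt->last_key` takes over `k` (for `hint == -1` it is freed by `clear_auth_state`, which `userauth_pubkey_agent` relies on by freeing only when no test was sent).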
@@ -829,10 +984,11 @@ if (k == NULL) { debug2("userauth_pubkey_agent: no more keys"); } else { - debug("userauth_pubkey_agent: trying agent key %s", comment); + debug("userauth_pubkey_agent: testing agent key %s", comment); xfree(comment); - ret = sign_and_send_pubkey(authctxt, k, agent_sign_cb); - key_free(k); + ret = send_pubkey_test(authctxt, k, agent_sign_cb, -1); + if (ret == 0) + key_free(k); } if (ret == 0) debug2("userauth_pubkey_agent: no message sent"); @@ -844,6 +1000,8 @@ { static int idx = 0; int sent = 0; + Key *key; + char *filename; if (authctxt->agent != NULL) { do { @@ -851,9 +1009,21 @@ } while(!sent && authctxt->agent->howmany > 0); } while (!sent && idx < options.num_identity_files) { - if (options.identity_files_type[idx] != KEY_RSA1) - sent = userauth_pubkey_identity(authctxt, - options.identity_files[idx]); + key = options.identity_keys[idx]; + filename = options.identity_files[idx]; + if (key == NULL) { + debug("try privkey: %s", filename); + key = load_identity_file(filename); + if (key != NULL) { + sent = sign_and_send_pubkey(authctxt, key, + key_sign_cb); + key_free(key); + } + } else if (key->type != KEY_RSA1) { + debug("try pubkey: %s", filename); + sent = send_pubkey_test(authctxt, key, + identity_sign_cb, idx); + } idx++; } return sent; @@ -879,7 +1049,6 @@ packet_put_cstring(options.kbd_interactive_devices ? options.kbd_interactive_devices : ""); packet_send(); - packet_write_wait(); dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, &input_userauth_info_req); return 1; 
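Review bot: The `key == NULL` branch in `userauth_pubkey` decrypts the private key (possibly prompting for a passphrase in `load_identity_file`) and signs immediately, while the `else` branch first asks the server with `send_pubkey_test`; the asymmetry presumably exists because no public part could be read at startup, so nothing is known about the key until the file is decrypted, and a comment saying that, `/* no public key was loadable at startup: decrypt the private key and sign directly, skipping the pk test */`, prevents the two branches from being "unified" later. In `userauth_pubkey_agent`, freeing `k` only when `send_pubkey_test` returned 0 is correct because on success `authctxt->last_key` owns it and `clear_auth_state` frees it, but that is only clear from other hunks; `/* on success ownership of k moves to authctxt->last_key */` would document it. `userauth_pubkey` begins outside the hunk.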
@@ -928,52 +1097,19 @@ response = cli_prompt(prompt, echo); - ssh_put_password(response); + packet_put_cstring(response); memset(response, 0, strlen(response)); xfree(response); xfree(prompt); } packet_done(); /* done with parsing incoming message. */ + packet_inject_ignore(64); packet_send(); - packet_write_wait(); } /* find auth method */ -#define DELIM "," - -static char *def_authlist = "publickey,password"; -static char *authlist_current = NULL; /* clean copy used for comparison */ -static char *authname_current = NULL; /* last used auth method */ -static char *authlist_working = NULL; /* copy that gets modified by strtok_r() */ -static char *authlist_state = NULL; /* state variable for strtok_r() */ - -/* - * Before starting to use a new authentication method list sent by the - * server, reset internal variables. This should also be called when - * finished processing server list to free resources. - */ -void -authmethod_clear(void) -{ - if (authlist_current != NULL) { - xfree(authlist_current); - authlist_current = NULL; - } - if (authlist_working != NULL) { - xfree(authlist_working); - authlist_working = NULL; - } - if (authname_current != NULL) { - xfree(authname_current); - authname_current = NULL; - } - if (authlist_state != NULL) - authlist_state = NULL; - return; -} - /* * given auth method name, if configurable options permit this method fill * in auth_ident field and return true, otherwise return false. 
@@ -1004,62 +1140,70 @@ return NULL; } +/* XXX internal state */ +static Authmethod *current = NULL; +static char *supported = NULL; +static char *preferred = NULL; /* * Given the authentication method list sent by the server, return the * next method we should try. If the server initially sends a nil list, - * use a built-in default list. If the server sends a nil list after - * previously sending a valid list, continue using the list originally - * sent. + * use a built-in default list. */ - Authmethod * authmethod_get(char *authlist) { - char *name = NULL, *authname_old; - Authmethod *method = NULL; + + char *name = NULL; + int next; /* Use a suitable default if we're passed a nil list. */ if (authlist == NULL || strlen(authlist) == 0) - authlist = def_authlist; + authlist = options.preferred_authentications; - if (authlist_current == NULL || strcmp(authlist, authlist_current) != 0) { - /* start over if passed a different list */ - debug3("start over, passed a different list"); - authmethod_clear(); - authlist_current = xstrdup(authlist); - authlist_working = xstrdup(authlist); - name = strtok_r(authlist_working, DELIM, &authlist_state); - } else { - /* - * try to use previously used authentication method - * or continue to use previously passed list - */ - name = (authname_current != NULL) ? 
- authname_current : strtok_r(NULL, DELIM, &authlist_state); - } + if (supported == NULL || strcmp(authlist, supported) != 0) { + debug3("start over, passed a different list %s", authlist); + if (supported != NULL) + xfree(supported); + supported = xstrdup(authlist); + preferred = options.preferred_authentications; + debug3("preferred %s", preferred); + current = NULL; + } else if (current != NULL && authmethod_is_enabled(current)) + return current; - while (name != NULL) { + for (;;) { + if ((name = match_list(preferred, supported, &next)) == NULL) { + debug("no more auth methods to try"); + current = NULL; + return NULL; + } + preferred += next; debug3("authmethod_lookup %s", name); - method = authmethod_lookup(name); - if (method != NULL && authmethod_is_enabled(method)) { + debug3("remaining preferred: %s", preferred); + if ((current = authmethod_lookup(name)) != NULL && + authmethod_is_enabled(current)) { debug3("authmethod_is_enabled %s", name); - break; + debug("next auth method to try is %s", name); + return current; } - name = strtok_r(NULL, DELIM, &authlist_state); - method = NULL; } +} - authname_old = authname_current; - if (method != NULL) { - debug("next auth method to try is %s", name); - authname_current = xstrdup(name); - } else { - debug("no more auth methods to try"); - authname_current = NULL; - } - if (authname_old != NULL) - xfree(authname_old); +#define DELIM "," +char * +authmethods_get(void) +{ + Authmethod *method = NULL; + char buf[1024]; - return (method); + buf[0] = '\0'; + for (method = authmethods; method->name != NULL; method++) { + if (authmethod_is_enabled(method)) { + if (buf[0] != '\0') + strlcat(buf, DELIM, sizeof buf); + strlcat(buf, method->name, sizeof buf); + } + } + return xstrdup(buf); } diff -ru openssh-2.5.1p2/sshd.0 openssh-2.5.2p1/sshd.0 --- openssh-2.5.1p2/sshd.0 2001-03-01 11:11:37.000000000 +1100 +++ openssh-2.5.2p1/sshd.0 2001-03-20 09:33:28.000000000 +1100 
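Review bot: `name` returned by `match_list` in `authmethod_get` is never released: it is passed to `authmethod_lookup` and the debug calls, then dropped on both the `return current` path and on the retry iteration. If `match_list` hands back allocated storage (nothing on this page shows it returning a pointer into its arguments), an `xfree(name);` before `return current;` and at the end of the loop body closes the leak; if it returns a static or interior pointer, a comment saying so would stop the next reader from adding one. `authmethods_get` silently truncates if the joined list exceeds `buf[1024]`, unlikely for the built-in table but worth a check on the `strlcat` return if the table grows.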
@@ -2,7 +2,7 @@ SSHD(8) System Manager's Manual SSHD(8) NAME - sshd - secure shell daemon + sshd - OpenSSH ssh daemon SYNOPSIS sshd [-diqD46] [-b bits] [-f config_file] [-g login_grace_time] [-h @@ -10,10 +10,10 @@ client_protocol_id] DESCRIPTION - sshd (Secure Shell Daemon) is the daemon program for ssh(1). Together - these programs replace rlogin and rsh, and provide secure encrypted com- - munications between two untrusted hosts over an insecure network. The - programs are intended to be as easy to install and use as possible. + sshd (SSH Daemon) is the daemon program for ssh(1). Together these pro- + grams replace rlogin and rsh, and provide secure encrypted communications + between two untrusted hosts over an insecure network. The programs are + intended to be as easy to install and use as possible. sshd is the daemon that listens for connections from clients. It is nor- mally started at boot from /etc/rc. It forks a new daemon for each incom- @@ -58,10 +58,10 @@ a server key. Forward security is provided through a Diffie-Hellman key agreement. This key agreement results in a shared session key. The rest of the session is encrypted using a symmetric cipher, currently Blowfish, - 3DES or CAST128 in CBC mode or Arcfour. The client selects the encryp- - tion algorithm to use from those offered by the server. Additionally, - session integrity is provided through a cryptographic message authentica- - tion code (hmac-sha1 or hmac-md5). + 3DES, CAST128, Arcfour, 128 bit AES, or 256 bit AES. The client selects + the encryption algorithm to use from those offered by the server. Addi- + tionally, session integrity is provided through a cryptographic message + authentication code (hmac-sha1 or hmac-md5). Protocol version 2 provides a public key based user authentication method 
@@ -89,7 +89,8 @@ tion file. sshd rereads its configuration file when it receives a hangup signal, - SIGHUP. + SIGHUP, by executing itself with the name it was started as, ie. + /usr/sbin/sshd. The options are as follows: @@ -205,10 +206,15 @@ authentication is allowed. This option is only available for protocol version 2. + ChallengeResponseAuthentication + Specifies whether challenge response authentication is allowed. + Currently there is only support for skey(1) authentication. The + default is ``yes''. + Ciphers Specifies the ciphers allowed for protocol version 2. Multiple - ciphers must be comma-separated. The default is ``3des- - cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc''. + ciphers must be comma-separated. The default is + ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour.'' CheckMail Specifies whether sshd should check for new mail for interactive @@ -230,11 +236,6 @@ ognized. By default login is allowed regardless of the user name. - PubkeyAuthentication - Specifies whether public key authentication is allowed. The de- - fault is ``yes''. Note that this option applies to protocol ver- - sion 2 only. - GatewayPorts Specifies whether remote hosts are allowed to connect to ports forwarded for the client. The argument must be ``yes'' or @@ -327,7 +328,7 @@ ed. The default is - ``hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com, + ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com, hmac-sha1-96,hmac-md5-96'' MaxStartups @@ -355,9 +356,9 @@ default is ``no''. PermitRootLogin - Specifies whether the root can log in using ssh(1). The argument - must be ``yes'', ``without-password'', ``forced-commands-only'' - or ``no''. The default is ``yes''. + Specifies whether root can login using ssh(1). The argument must + be ``yes'', ``without-password'', ``forced-commands-only'' or + ``no''. The default is ``yes''. If this option is set to ``without-password'' password authenti- cation is disabled for root. 
@@ -368,6 +369,8 @@ remote backups even if root login is normally not allowed). All other authentication methods are disabled for root. + If this option is set to ``no'' root is not allowed to login. + PidFile Specifies the file that contains the process identifier of the sshd daemon. The default is /var/run/sshd.pid. @@ -385,14 +388,16 @@ ble values are ``1'' and ``2''. Multiple versions must be comma- separated. The default is ``1''. - RandomSeed - Obsolete. Random number generation uses other techniques. + PubkeyAuthentication + Specifies whether public key authentication is allowed. The de- + fault is ``yes''. Note that this option applies to protocol ver- + + + sion 2 only. ReverseMappingCheck Specifies whether sshd should try to verify the remote host name and check that the resolved host name for the remote IP address - - maps back to the very same IP address. The default is ``no''. RhostsAuthentication @@ -417,11 +422,6 @@ Defines the number of bits in the server key. The minimum value is 512, and the default is 768. - ChallengeResponseAuthentication - Specifies whether challenge reponse authentication is allowed. - Currently there is only support for skey(1) authentication. The - default is ``yes''. - StrictModes Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. This @@ -568,6 +568,13 @@ no-pty Prevents tty allocation (a request to allocate a pty will fail). + permitopen="host:port" + Limit local ``ssh -L'' port-forwading such that it may only con- + nect to the specified host and port. Multiple permitopen options + may be applied seperated by commas. No pattern matching is per- + formed on the specified hostnames, they must be literal domains + or addresses. + Examples 1024 33 12121...312314325 ylo@foo.bar 
@@ -576,6 +583,8 @@ command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 back- up.hut.fi + permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 + SSH_KNOWN_HOSTS FILE FORMAT The /etc/ssh_known_hosts, /etc/ssh_known_hosts2, $HOME/.ssh/known_hosts, and $HOME/.ssh/known_hosts2 files contain host public keys for all known 
@@ -622,19 +631,22 @@ writable by root only, but it is recommended (though not neces- sary) that it be world-readable. - /etc/ssh_host_key - Contains the private part of the host key. This file should only - be owned by root, readable only by root, and not accessible to - others. Note that sshd does not start if this file is - group/world-accessible. - - /etc/ssh_host_key.pub - Contains the public part of the host key. This file should be - world-readable but writable only by root. Its contents should - match the private part. This file is not really used for any- - thing; it is only provided for the convenience of the user so its - contents can be copied to known hosts files. These two files are - created using ssh-keygen(1). + /etc/ssh_host_key, /etc/ssh_host_dsa_key, /etc/ssh_host_rsa_key + These three files contain the private parts of the (SSH1, SSH2 + DSA, and SSH2 RSA) host keys. These files should only be owned + by root, readable only by root, and not accessible to others. + Note that sshd does not start if this file is group/world-acces- + sible. + + /etc/ssh_host_key.pub, /etc/ssh_host_dsa_key.pub, + /etc/ssh_host_rsa_key.pub + There three files contain the public parts of the (SSH1, SSH2 + DSA, and SSH2 RSA) host keys. These files should be world-read- + able but writable only by root. Their contents should match the + respective private parts. These files are not really used for + anything; they are provided for the convenience of the user so + their contents can be copied to known hosts files. These files + are created using ssh-keygen(1). /etc/primes Contains Diffie-Hellman groups used for the "Diffie-Hellman Group @@ -644,6 +656,7 @@ Contains the process ID of the sshd listening for connections (if there are several daemons running concurrently for different ports, this contains the pid of the one started last). The con- + tent of this file is not sensitive; it can be world-readable. $HOME/.ssh/authorized_keys 
@@ -668,9 +681,9 @@ These files are consulted when using rhosts with RSA host authen- tication to check the public key of the host. The key must be listed in one of these files to be accepted. The client uses the - same files to verify that the remote host is the one it intended - to connect. These files should be writable only by root/the own- - er. /etc/ssh_known_hosts should be world-readable, and + same files to verify that it is connecting to the correct remote + host. These files should be writable only by root/the owner. + /etc/ssh_known_hosts should be world-readable, and $HOME/.ssh/known_hosts can but need not be world-readable. /etc/nologin @@ -709,6 +722,7 @@ syntax ``+@group'' can be used to specify netgroups. Negated en- tries start with `-'. + If the client host/user is successfully matched in this file, lo- gin is automatically permitted provided the client and server us- er names are the same. Additionally, successful RSA host authen- @@ -722,8 +736,6 @@ er name practically grants the user root access. The only valid use for user names that I can think of is in negative entries. - - Note that this warning also applies to rsh/rlogin. /etc/shosts.equiv diff -ru openssh-2.5.1p2/sshd.8 openssh-2.5.2p1/sshd.8 --- openssh-2.5.1p2/sshd.8 2001-02-15 14:08:28.000000000 +1100 +++ openssh-2.5.2p1/sshd.8 2001-03-19 23:16:08.000000000 +1100 
@@ -10,9 +10,9 @@ .\" incompatible with the protocol description in the RFC file, it must be .\" called by a name other than "ssh" or "Secure Shell". .\" -.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. -.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. -.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. +.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. +.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. +.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -34,13 +34,13 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.94 2001/02/12 16:16:24 markus Exp $ +.\" $OpenBSD: sshd.8,v 1.107 2001/03/19 12:10:17 djm Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os .Sh NAME .Nm sshd -.Nd secure shell daemon +.Nd OpenSSH ssh daemon .Sh SYNOPSIS .Nm sshd .Op Fl diqD46 @@ -54,7 +54,7 @@ .Op Fl V Ar client_protocol_id .Sh DESCRIPTION .Nm -(Secure Shell Daemon) is the daemon program for +(SSH Daemon) is the daemon program for .Xr ssh 1 . Together these programs replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts @@ -134,9 +134,8 @@ However, when the daemon starts, it does not generate a server key. Forward security is provided through a Diffie-Hellman key agreement. This key agreement results in a shared session key. -The rest of the session is encrypted -using a symmetric cipher, currently -Blowfish, 3DES or CAST128 in CBC mode or Arcfour. +The rest of the session is encrypted using a symmetric cipher, currently +Blowfish, 3DES, CAST128, Arcfour, 128 bit AES, or 256 bit AES. The client selects the encryption algorithm to use from those offered by the server. Additionally, session integrity is provided 
@@ -174,7 +173,9 @@ .Pp .Nm rereads its configuration file when it receives a hangup signal, -.Dv SIGHUP . +.Dv SIGHUP , +by executing itself with the name it was started as, ie. +.Pa /usr/sbin/sshd . .Pp The options are as follows: .Bl -tag -width Ds @@ -338,11 +339,20 @@ authentication is allowed. This option is only available for protocol version 2. .Pp +.It Cm ChallengeResponseAuthentication +Specifies whether +challenge response +authentication is allowed. +Currently there is only support for +.Xr skey 1 +authentication. +The default is +.Dq yes . .It Cm Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The default is -.Dq 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc . +.Dq aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour. .It Cm CheckMail Specifies whether .Nm @@ -372,11 +382,6 @@ can be used as wildcards in the patterns. Only user names are valid; a numerical user ID isn't recognized. By default login is allowed regardless of the user name. -.It Cm PubkeyAuthentication -Specifies whether public key authentication is allowed. -The default is -.Dq yes . -Note that this option applies to protocol version 2 only. .It Cm GatewayPorts Specifies whether remote hosts are allowed to connect to ports forwarded for the client. @@ -509,7 +514,7 @@ The default is .Pp .Bd -literal - ``hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com, + ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com, hmac-sha1-96,hmac-md5-96'' .Ed .It Cm MaxStartups @@ -548,7 +553,7 @@ The default is .Dq no . .It Cm PermitRootLogin -Specifies whether the root can log in using +Specifies whether root can login using .Xr ssh 1 . The argument must be .Dq yes , 
@@ -572,6 +577,10 @@ (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root. +.Pp +If this option is set to +.Dq no +root is not allowed to login. .It Cm PidFile Specifies the file that contains the process identifier of the .Nm @@ -606,9 +615,11 @@ Multiple versions must be comma-separated. The default is .Dq 1 . -.It Cm RandomSeed -Obsolete. -Random number generation uses other techniques. +.It Cm PubkeyAuthentication +Specifies whether public key authentication is allowed. +The default is +.Dq yes . +Note that this option applies to protocol version 2 only. .It Cm ReverseMappingCheck Specifies whether .Nm @@ -640,15 +651,6 @@ .It Cm ServerKeyBits Defines the number of bits in the server key. The minimum value is 512, and the default is 768. -.It Cm ChallengeResponseAuthentication -Specifies whether -challenge reponse -authentication is allowed. -Currently there is only support for -.Xr skey 1 -authentication. -The default is -.Dq yes . .It Cm StrictModes Specifies whether .Nm @@ -850,6 +852,15 @@ authentication. .It Cm no-pty Prevents tty allocation (a request to allocate a pty will fail). +.It Cm permitopen="host:port" +Limit local +.Li ``ssh -L'' +port-forwading such that it may only connect to the specified host and +port. Multiple +.Cm permitopen +options may be applied seperated by commas. No pattern matching is +performed on the specified hostnames, they must be literal domains or +addresses. .El .Ss Examples 1024 33 12121.\|.\|.\|312314325 ylo@foo.bar @@ -857,6 +868,8 @@ from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula .Pp command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi +.Pp +permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323 .Sh SSH_KNOWN_HOSTS FILE FORMAT The .Pa /etc/ssh_known_hosts , 
@@ -919,22 +932,24 @@ .Nm sshd . This file should be writable by root only, but it is recommended (though not necessary) that it be world-readable. -.It Pa /etc/ssh_host_key -Contains the private part of the host key. -This file should only be owned by root, readable only by root, and not +.It Pa /etc/ssh_host_key, /etc/ssh_host_dsa_key, /etc/ssh_host_rsa_key +These three files contain the private parts of the +(SSH1, SSH2 DSA, and SSH2 RSA) host keys. +These files should only be owned by root, readable only by root, and not accessible to others. Note that .Nm does not start if this file is group/world-accessible. -.It Pa /etc/ssh_host_key.pub -Contains the public part of the host key. -This file should be world-readable but writable only by +.It Pa /etc/ssh_host_key.pub, /etc/ssh_host_dsa_key.pub, /etc/ssh_host_rsa_key.pub +There three files contain the public parts of the +(SSH1, SSH2 DSA, and SSH2 RSA) host keys. +These files should be world-readable but writable only by root. -Its contents should match the private part. -This file is not -really used for anything; it is only provided for the convenience of -the user so its contents can be copied to known hosts files. -These two files are created using +Their contents should match the respective private parts. +These files are not +really used for anything; they are provided for the convenience of +the user so their contents can be copied to known hosts files. +These files are created using .Xr ssh-keygen 1 . .It Pa /etc/primes Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". 
@@ -972,7 +987,7 @@
 authentication to check the public key of the host.
 The key must be listed in one of these files to be accepted.
 The client uses the same files
-to verify that the remote host is the one it intended to connect.
+to verify that it is connecting to the correct remote host.
 These files should be writable only by root/the owner.
 .Pa /etc/ssh_known_hosts
 should be world-readable, and
diff -ru openssh-2.5.1p2/sshd.c openssh-2.5.2p1/sshd.c
--- openssh-2.5.1p2/sshd.c 2001-02-20 12:20:47.000000000 +1100
+++ openssh-2.5.2p1/sshd.c 2001-03-19 22:36:20.000000000 +1100
@@ -40,7 +40,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.168 2001/02/19 23:09:05 deraadt Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.175 2001/03/18 23:30:55 deraadt Exp $");
 
 #include
 #include
@@ -149,11 +149,12 @@
 * not very useful. Currently, memory locking is not implemented.
 */
 struct {
- Key *server_key; /* empheral server key */
+ Key *server_key; /* ephemeral server key */
 Key *ssh1_host_key; /* ssh1 host key */
 Key **host_keys; /* all private host keys */
 int have_ssh1_key;
 int have_ssh2_key;
+ u_char ssh1_cookie[SSH_SESSION_KEY_LENGTH];
 } sensitive_data;
 
 /*
@@ -272,15 +273,25 @@
 * problems.
 */
 void
-generate_empheral_server_key(void)
+generate_ephemeral_server_key(void)
 {
+ u_int32_t rand = 0;
+ int i;
+
 log("Generating %s%d bit RSA key.",
 sensitive_data.server_key ? "new " : "", options.server_key_bits);
 if (sensitive_data.server_key != NULL)
 key_free(sensitive_data.server_key);
 sensitive_data.server_key = key_generate(KEY_RSA1, options.server_key_bits);
- arc4random_stir();
 log("RSA key generation complete.");
+
+ for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
+ if (i % 4 == 0)
+ rand = arc4random();
+ sensitive_data.ssh1_cookie[i] = rand & 0xff;
+ rand >>= 8;
+ }
+ arc4random_stir();
 }
 
 void
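Review bot: The new `ssh1_cookie` field in `sensitive_data` and the loop in generate_ephemeral_server_key() that fills it carry no comment saying what the cookie is for; the only consumer visible in this patch is the `rsafail` branch of the SSH1 key exchange further down, which mixes it into a fake session key when RSA decryption of the client's session key fails. I would annotate the field: `u_char ssh1_cookie[SSH_SESSION_KEY_LENGTH]; /* secret mixed into the fake session key used when RSA decryption fails; regenerated with the server key */`. The local `rand` shadows the libc rand() if <stdlib.h> is reached through includes.h; `rnd` would avoid the shadowing warning. Because the cookie lives as long as the server key, the fake key a given ciphertext maps to stays stable until the next regeneration, which appears to be the intent and is worth stating next to the loop.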
@@ -370,6 +381,12 @@
 
 compat_datafellows(remote_version);
 
+ if (datafellows & SSH_BUG_SCANNER) {
+ log("scanned from %s with %s. Don't panic.",
+ get_remote_ipaddr(), client_version_string);
+ fatal_cleanup();
+ }
+
 mismatch = 0;
 switch(remote_major) {
 case 1:
@@ -438,6 +455,7 @@
 }
 }
 sensitive_data.ssh1_host_key = NULL;
+ memset(sensitive_data.ssh1_cookie, 0, SSH_SESSION_KEY_LENGTH);
 }
 Key *
 load_private_key_autodetect(const char *filename)
@@ -675,6 +693,8 @@
 options.log_facility == -1 ? SYSLOG_FACILITY_AUTH : options.log_facility,
 !inetd_flag);
 
+ seed_rng();
+
 /* Read server configuration options from the configuration file. */
 read_server_config(&options, config_file_name);
 
@@ -726,7 +746,7 @@
 options.protocol &= ~SSH_PROTO_2;
 }
 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
- log("sshd: no hostkeys available -- exiting.\n");
+ log("sshd: no hostkeys available -- exiting.");
 exit(1);
 }
 
@@ -808,7 +828,7 @@
 */
 debug("inetd sockets after dupping: %d, %d", sock_in, sock_out);
 if (options.protocol & SSH_PROTO_1)
- generate_empheral_server_key();
+ generate_ephemeral_server_key();
 } else {
 for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
@@ -886,7 +906,7 @@
 }
 }
 if (options.protocol & SSH_PROTO_1)
- generate_empheral_server_key();
+ generate_ephemeral_server_key();
 
 /* Arrange to restart on SIGHUP. The handler needs listen_sock. */
 signal(SIGHUP, sighup_handler);
@@ -932,7 +952,7 @@
 if (ret < 0 && errno != EINTR)
 error("select: %.100s", strerror(errno));
 if (key_used && key_do_regen) {
- generate_empheral_server_key();
+ generate_ephemeral_server_key();
 key_used = 0;
 key_do_regen = 0;
 }
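Review bot: `client_version_string` is attacker-supplied and is handed to log() unbounded and unfiltered in the new SSH_BUG_SCANNER branch, so a banner that is very long or contains control or escape characters reaches syslog verbatim unless log() strips it, which is not visible here. The surrounding code already bounds untrusted strings with a precision (see `error("select: %.100s", ...)` in the last hunk), and doing the same here is a one-line change: `log("scanned from %s with %.100s. Don't panic.",`. Replacing non-printable bytes before logging would close the terminal-escape case as well. The enclosing function starts outside the hunk.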
@@ -1338,14 +1358,6 @@
 sensitive_data.server_key->rsa) < 0)
 rsafail++;
 }
-
- compute_session_id(session_id, cookie,
- sensitive_data.ssh1_host_key->rsa->n,
- sensitive_data.server_key->rsa->n);
-
- /* Destroy the private and public keys. They will no longer be needed. */
- destroy_sensitive_data();
-
 /*
 * Extract session key from the decrypted integer. The key is in the
 * least significant 256 bits of the integer; the first byte of the
@@ -1363,24 +1375,45 @@
 
 memset(session_key, 0, sizeof(session_key));
 BN_bn2bin(session_key_int, session_key + sizeof(session_key) - len);
+
+ compute_session_id(session_id, cookie,
+ sensitive_data.ssh1_host_key->rsa->n,
+ sensitive_data.server_key->rsa->n);
+ /*
+ * Xor the first 16 bytes of the session key with the
+ * session id.
+ */
+ for (i = 0; i < 16; i++)
+ session_key[i] ^= session_id[i];
 }
 }
 if (rsafail) {
+ int bytes = BN_num_bytes(session_key_int);
+ char *buf = xmalloc(bytes);
+ MD5_CTX md;
+
 log("do_connection: generating a fake encryption key");
- for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
- if (i % 4 == 0)
- rand = arc4random();
- session_key[i] = rand & 0xff;
- rand >>= 8;
- }
+ BN_bn2bin(session_key_int, buf);
+ MD5_Init(&md);
+ MD5_Update(&md, buf, bytes);
+ MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
+ MD5_Final(session_key, &md);
+ MD5_Init(&md);
+ MD5_Update(&md, session_key, 16);
+ MD5_Update(&md, buf, bytes);
+ MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
+ MD5_Final(session_key + 16, &md);
+ memset(buf, 0, bytes);
+ xfree(buf);
+ for (i = 0; i < 16; i++)
+ session_id[i] = session_key[i] ^ session_key[i + 16];
 }
+ /* Destroy the private and public keys. They will no longer be needed. */
+ destroy_sensitive_data();
+
 /* Destroy the decrypted integer. It is no longer needed. */
 BN_clear_free(session_key_int);
 
- /* Xor the first 16 bytes of the session key with the session id. */
- for (i = 0; i < 16; i++)
- session_key[i] ^= session_id[i];
-
 /* Set the session key. From this on all communications will be encrypted. */
 packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type);
 
@@ -1494,7 +1527,7 @@
 /* KEXDH */
 /* generate DH key */
 dh = dh_new_group1(); /* XXX depends on 'kex' */
- dh_gen_key(dh);
+ dh_gen_key(dh, kex->we_need * 8);
 
 debug("Wait SSH2_MSG_KEXDH_INIT.");
 packet_read_expect(&payload_len, SSH2_MSG_KEXDH_INIT);
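Review bot: The rsafail block now derives the fake session key deterministically from the ciphertext (`session_key_int`) and the per-server-key `ssh1_cookie`, but nothing explains why it must be built this way instead of from fresh arc4random() bytes as before, so a later maintainer may "simplify" it back. A comment above the first `MD5_Init` should say that the fake key has to be a fixed function of the ciphertext and a secret, so that resubmitting the same undecryptable ciphertext yields the same (useless) session and the server's behaviour cannot be used to distinguish good padding from bad, which is presumably the decryption-oracle class of attack this addresses. Two smaller points: `BN_num_bytes(session_key_int)` is 0 for a zero-valued integer and OpenSSH's xmalloc() rejects a zero size with fatal(), so a client sending a zero session key now ends the child through a different path than other failures (probably acceptable, but worth confirming), and `memset(buf, 0, bytes)` right before `xfree(buf)` is the kind of wipe a compiler is free to drop. If `rand` is still declared at the top of the enclosing function, which begins outside this hunk, it is now unused on this path.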
@@ -1637,7 +1670,7 @@
 
 /* Compute our exchange value in parallel with the client */
 
- dh_gen_key(dh);
+ dh_gen_key(dh, kex->we_need * 8);
 
 debug("Wait SSH2_MSG_KEX_DH_GEX_INIT.");
 packet_read_expect(&payload_len, SSH2_MSG_KEX_DH_GEX_INIT);
diff -ru openssh-2.5.1p2/sshd_config openssh-2.5.2p1/sshd_config
--- openssh-2.5.1p2/sshd_config 2001-02-11 10:26:35.000000000 +1100
+++ openssh-2.5.2p1/sshd_config 2001-03-11 08:50:46.000000000 +1100
@@ -1,4 +1,6 @@
-# $OpenBSD: sshd_config,v 1.32 2001/02/06 22:07:50 deraadt Exp $
+# $OpenBSD: sshd_config,v 1.34 2001/02/24 10:37:26 deraadt Exp $
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
 
 # This is the sshd server system-wide configuration file. See sshd(8)
 # for more information.
@@ -8,8 +10,8 @@
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 HostKey /etc/ssh_host_key
+HostKey /etc/ssh_host_rsa_key
 HostKey /etc/ssh_host_dsa_key
-#HostKey /etc/ssh_host_rsa_key
 ServerKeyBits 768
 LoginGraceTime 600
 KeyRegenerationInterval 3600
@@ -41,8 +43,10 @@
 PasswordAuthentication yes
 PermitEmptyPasswords no
 
-# Uncomment to disable s/key passwords
-#ChallengeResponseAuthentication no
+# Comment to enable s/key passwords or PAM interactive authentication
+# NB. Neither of these are compiled in by default. Please read the
+# notes in the sshd(8) manpage before enabling this on a PAM system.
+ChallengeResponseAuthentication no
 
 # To change Kerberos options
 #KerberosAuthentication no
diff -ru openssh-2.5.1p2/sshlogin.c openssh-2.5.2p1/sshlogin.c
--- openssh-2.5.1p2/sshlogin.c 2001-02-19 06:13:34.000000000 +1100
+++ openssh-2.5.2p1/sshlogin.c 2001-03-05 14:53:03.000000000 +1100
@@ -39,7 +39,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: login.c,v 1.17 2001/01/21 19:05:51 markus Exp $");
+RCSID("$OpenBSD: sshlogin.c,v 1.1 2001/03/04 01:46:30 djm Exp $");
 
 #include "loginrec.h"
 
diff -ru openssh-2.5.1p2/sshlogin.h openssh-2.5.2p1/sshlogin.h
--- openssh-2.5.1p2/sshlogin.h 2001-02-19 06:13:34.000000000 +1100
+++ openssh-2.5.2p1/sshlogin.h 2001-03-05 14:53:03.000000000 +1100
@@ -1,4 +1,4 @@
-/* $OpenBSD: login.h,v 1.2 2001/01/29 01:58:16 niklas Exp $ */
+/* $OpenBSD: sshlogin.h,v 1.1 2001/03/04 01:46:30 djm Exp $ */
 
 /*
 * Author: Tatu Ylonen
diff -ru openssh-2.5.1p2/sshpty.c openssh-2.5.2p1/sshpty.c
--- openssh-2.5.1p2/sshpty.c 2001-02-19 06:13:34.000000000 +1100
+++ openssh-2.5.2p1/sshpty.c 2001-03-05 14:53:03.000000000 +1100
@@ -12,7 +12,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: pty.c,v 1.22 2001/02/08 19:30:52 itojun Exp $");
+RCSID("$OpenBSD: sshpty.c,v 1.1 2001/03/04 01:46:30 djm Exp $");
 
 #ifdef HAVE_UTIL_H
 # include
diff -ru openssh-2.5.1p2/sshpty.h openssh-2.5.2p1/sshpty.h
--- openssh-2.5.1p2/sshpty.h 2001-02-19 06:13:34.000000000 +1100
+++ openssh-2.5.2p1/sshpty.h 2001-03-05 14:53:03.000000000 +1100
@@ -12,7 +12,7 @@
 * called by a name other than "ssh" or "Secure Shell".
 */
 
-/* RCSID("$OpenBSD: pty.h,v 1.8 2000/09/07 20:27:52 deraadt Exp $"); */
+/* RCSID("$OpenBSD: sshpty.h,v 1.1 2001/03/04 01:46:30 djm Exp $"); */
 
 #ifndef PTY_H
 #define PTY_H
diff -ru openssh-2.5.1p2/ttymodes.c openssh-2.5.2p1/ttymodes.c
--- openssh-2.5.1p2/ttymodes.c 2001-01-22 16:34:44.000000000 +1100
+++ openssh-2.5.2p1/ttymodes.c 2001-03-11 04:17:29.000000000 +1100
@@ -15,7 +15,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: ttymodes.c,v 1.10 2001/01/21 19:06:01 markus Exp $");
+RCSID("$OpenBSD: ttymodes.c,v 1.11 2001/03/10 15:02:05 stevesk Exp $");
 
 #include "packet.h"
 #include "log.h"
@@ -233,17 +233,11 @@
 packet_put_char(OP); packet_put_char(tio.c_cc[NAME]);
 #define TTYMODE(NAME, FIELD, OP) \
 packet_put_char(OP); packet_put_char((tio.FIELD & NAME) != 0);
-#define SGTTYCHAR(NAME, OP)
-#define SGTTYMODE(NAME, FIELD, OP)
-#define SGTTYMODEN(NAME, FIELD, OP)
 
 #include "ttymodes.h"
 
 #undef TTYCHAR
 #undef TTYMODE
-#undef SGTTYCHAR
-#undef SGTTYMODE
-#undef SGTTYMODEN
 
 /* Mark end of mode data. */
 packet_put_char(TTY_OP_END);
@@ -303,17 +297,11 @@
 else \
 tio.FIELD &= ~NAME; \
 break;
-#define SGTTYCHAR(NAME, OP)
-#define SGTTYMODE(NAME, FIELD, OP)
-#define SGTTYMODEN(NAME, FIELD, OP)
 
 #include "ttymodes.h"
 
 #undef TTYCHAR
 #undef TTYMODE
-#undef SGTTYCHAR
-#undef SGTTYMODE
-#undef SGTTYMODEN
 
 default:
 debug("Ignoring unsupported tty mode opcode %d (0x%x)",
diff -ru openssh-2.5.1p2/ttymodes.h openssh-2.5.2p1/ttymodes.h
--- openssh-2.5.1p2/ttymodes.h 2000-09-16 13:29:11.000000000 +1100
+++ openssh-2.5.2p1/ttymodes.h 2001-03-11 04:17:29.000000000 +1100
@@ -11,7 +11,7 @@
 * called by a name other than "ssh" or "Secure Shell".
 */
 
-/* RCSID("$OpenBSD: ttymodes.h,v 1.9 2000/09/07 20:27:55 deraadt Exp $"); */
+/* RCSID("$OpenBSD: ttymodes.h,v 1.10 2001/03/10 15:02:05 stevesk Exp $"); */
 
 /* The tty mode description is a stream of bytes. The stream consists of
 * opcode-arguments pairs. It is terminated by opcode TTY_OP_END (0).
@@ -31,110 +31,109 @@
 * is only intended for including from ttymodes.c.
 */
 
-/* termios macro */ /* sgtty macro */
+/* termios macro */
 /* name, op */
-TTYCHAR(VINTR, 1) SGTTYCHAR(tiotc.t_intrc, 1)
-TTYCHAR(VQUIT, 2) SGTTYCHAR(tiotc.t_quitc, 2)
-TTYCHAR(VERASE, 3) SGTTYCHAR(tio.sg_erase, 3)
+TTYCHAR(VINTR, 1)
+TTYCHAR(VQUIT, 2)
+TTYCHAR(VERASE, 3)
 #if defined(VKILL)
-TTYCHAR(VKILL, 4) SGTTYCHAR(tio.sg_kill, 4)
+TTYCHAR(VKILL, 4)
 #endif /* VKILL */
-TTYCHAR(VEOF, 5) SGTTYCHAR(tiotc.t_eofc, 5)
+TTYCHAR(VEOF, 5)
 #if defined(VEOL)
-TTYCHAR(VEOL, 6) SGTTYCHAR(tiotc.t_brkc, 6)
+TTYCHAR(VEOL, 6)
 #endif /* VEOL */
-#ifdef VEOL2 /* n/a */
+#ifdef VEOL2
 TTYCHAR(VEOL2, 7)
 #endif /* VEOL2 */
-TTYCHAR(VSTART, 8) SGTTYCHAR(tiotc.t_startc, 8)
-TTYCHAR(VSTOP, 9) SGTTYCHAR(tiotc.t_stopc, 9)
+TTYCHAR(VSTART, 8)
+TTYCHAR(VSTOP, 9)
 #if defined(VSUSP)
-TTYCHAR(VSUSP, 10) SGTTYCHAR(tioltc.t_suspc, 10)
+TTYCHAR(VSUSP, 10)
 #endif /* VSUSP */
 #if defined(VDSUSP)
-TTYCHAR(VDSUSP, 11) SGTTYCHAR(tioltc.t_dsuspc, 11)
+TTYCHAR(VDSUSP, 11)
 #endif /* VDSUSP */
 #if defined(VREPRINT)
-TTYCHAR(VREPRINT, 12) SGTTYCHAR(tioltc.t_rprntc, 12)
+TTYCHAR(VREPRINT, 12)
 #endif /* VREPRINT */
 #if defined(VWERASE)
-TTYCHAR(VWERASE, 13) SGTTYCHAR(tioltc.t_werasc, 13)
+TTYCHAR(VWERASE, 13)
 #endif /* VWERASE */
 #if defined(VLNEXT)
-TTYCHAR(VLNEXT, 14) SGTTYCHAR(tioltc.t_lnextc, 14)
+TTYCHAR(VLNEXT, 14)
 #endif /* VLNEXT */
 #if defined(VFLUSH)
-TTYCHAR(VFLUSH, 15) SGTTYCHAR(tioltc.t_flushc, 15)
+TTYCHAR(VFLUSH, 15)
 #endif /* VFLUSH */
 #ifdef VSWTCH
-TTYCHAR(VSWTCH, 16) /* n/a */
+TTYCHAR(VSWTCH, 16)
 #endif /* VSWTCH */
 #if defined(VSTATUS)
-TTYCHAR(VSTATUS, 17) SGTTYCHAR(tiots.tc_statusc, 17)
+TTYCHAR(VSTATUS, 17)
 #endif /* VSTATUS */
 #ifdef VDISCARD
-TTYCHAR(VDISCARD, 18) /* n/a */
+TTYCHAR(VDISCARD, 18)
 #endif /* VDISCARD */
 
 /* name, field, op */
-TTYMODE(IGNPAR, c_iflag, 30) /* n/a */
-TTYMODE(PARMRK, c_iflag, 31) /* n/a */
-TTYMODE(INPCK, c_iflag, 32) SGTTYMODEN(ANYP, tio.sg_flags, 32)
-TTYMODE(ISTRIP, c_iflag, 33) SGTTYMODEN(LPASS8, tiolm, 33)
-TTYMODE(INLCR, c_iflag, 34) /* n/a */
-TTYMODE(IGNCR, c_iflag, 35) /* n/a */
-TTYMODE(ICRNL, c_iflag, 36) SGTTYMODE(CRMOD, tio.sg_flags, 36)
+TTYMODE(IGNPAR, c_iflag, 30)
+TTYMODE(PARMRK, c_iflag, 31)
+TTYMODE(INPCK, c_iflag, 32)
+TTYMODE(ISTRIP, c_iflag, 33)
+TTYMODE(INLCR, c_iflag, 34)
+TTYMODE(IGNCR, c_iflag, 35)
+TTYMODE(ICRNL, c_iflag, 36)
 #if defined(IUCLC)
-TTYMODE(IUCLC, c_iflag, 37) SGTTYMODE(LCASE, tio.sg_flags, 37)
+TTYMODE(IUCLC, c_iflag, 37)
 #endif
-TTYMODE(IXON, c_iflag, 38) /* n/a */
-TTYMODE(IXANY, c_iflag, 39) SGTTYMODEN(LDECCTQ, tiolm, 39)
-TTYMODE(IXOFF, c_iflag, 40) SGTTYMODE(TANDEM, tio.sg_flags, 40)
+TTYMODE(IXON, c_iflag, 38)
+TTYMODE(IXANY, c_iflag, 39)
+TTYMODE(IXOFF, c_iflag, 40)
 #ifdef IMAXBEL
-TTYMODE(IMAXBEL,c_iflag, 41) /* n/a */
+TTYMODE(IMAXBEL,c_iflag, 41)
 #endif /* IMAXBEL */
 
-TTYMODE(ISIG, c_lflag, 50) /* n/a */
-TTYMODE(ICANON, c_lflag, 51) SGTTYMODEN(CBREAK, tio.sg_flags, 51)
+TTYMODE(ISIG, c_lflag, 50)
+TTYMODE(ICANON, c_lflag, 51)
 #ifdef XCASE
-TTYMODE(XCASE, c_lflag, 52) /* n/a */
+TTYMODE(XCASE, c_lflag, 52)
 #endif
-TTYMODE(ECHO, c_lflag, 53) SGTTYMODE(ECHO, tio.sg_flags, 53)
-TTYMODE(ECHOE, c_lflag, 54) SGTTYMODE(LCRTERA, tiolm, 54)
-TTYMODE(ECHOK, c_lflag, 55) SGTTYMODE(LCRTKIL, tiolm, 55)
-TTYMODE(ECHONL, c_lflag, 56) /* n/a */
-TTYMODE(NOFLSH, c_lflag, 57) SGTTYMODE(LNOFLSH, tiolm, 57)
-TTYMODE(TOSTOP, c_lflag, 58) SGTTYMODE(LTOSTOP, tiolm, 58)
+TTYMODE(ECHO, c_lflag, 53)
+TTYMODE(ECHOE, c_lflag, 54)
+TTYMODE(ECHOK, c_lflag, 55)
+TTYMODE(ECHONL, c_lflag, 56)
+TTYMODE(NOFLSH, c_lflag, 57)
+TTYMODE(TOSTOP, c_lflag, 58)
 #ifdef IEXTEN
-TTYMODE(IEXTEN, c_lflag, 59) /* n/a */
+TTYMODE(IEXTEN, c_lflag, 59)
 #endif /* IEXTEN */
 #if defined(ECHOCTL)
-TTYMODE(ECHOCTL,c_lflag, 60) SGTTYMODE(LCTLECH, tiolm, 60)
+TTYMODE(ECHOCTL,c_lflag, 60)
 #endif /* ECHOCTL */
 #ifdef ECHOKE
-TTYMODE(ECHOKE, c_lflag, 61) /* n/a */
+TTYMODE(ECHOKE, c_lflag, 61)
 #endif /* ECHOKE */
 #if defined(PENDIN)
-TTYMODE(PENDIN, c_lflag, 62) SGTTYMODE(LPENDIN, tiolm, 62)
+TTYMODE(PENDIN, c_lflag, 62)
 #endif /* PENDIN */
 
-TTYMODE(OPOST, c_oflag, 70) /* n/a */
+TTYMODE(OPOST, c_oflag, 70)
 #if defined(OLCUC)
-TTYMODE(OLCUC, c_oflag, 71) SGTTYMODE(LCASE, tio.sg_flags, 71)
+TTYMODE(OLCUC, c_oflag, 71)
 #endif
-TTYMODE(ONLCR, c_oflag, 72) SGTTYMODE(CRMOD, tio.sg_flags, 72)
+TTYMODE(ONLCR, c_oflag, 72)
 #ifdef OCRNL
-TTYMODE(OCRNL, c_oflag, 73) /* n/a */
+TTYMODE(OCRNL, c_oflag, 73)
 #endif
 #ifdef ONOCR
-TTYMODE(ONOCR, c_oflag, 74) /* n/a */
+TTYMODE(ONOCR, c_oflag, 74)
 #endif
 #ifdef ONLRET
-TTYMODE(ONLRET, c_oflag, 75) /* n/a */
+TTYMODE(ONLRET, c_oflag, 75)
 #endif
 
-TTYMODE(CS7, c_cflag, 90) /* n/a */
-TTYMODE(CS8, c_cflag, 91) SGTTYMODE(LPASS8, tiolm, 91)
-TTYMODE(PARENB, c_cflag, 92) /* n/a */
-TTYMODE(PARODD, c_cflag, 93) SGTTYMODE(ODDP, tio.sg_flags, 93)
-
+TTYMODE(CS7, c_cflag, 90)
+TTYMODE(CS8, c_cflag, 91)
+TTYMODE(PARENB, c_cflag, 92)
+TTYMODE(PARODD, c_cflag, 93)
diff -ru openssh-2.5.1p2/uuencode.c openssh-2.5.2p1/uuencode.c
--- openssh-2.5.1p2/uuencode.c 2001-02-11 11:05:05.000000000 +1100
+++ openssh-2.5.2p1/uuencode.c 2001-03-05 17:42:59.000000000 +1100
@@ -1,4 +1,4 @@
-/* $OpenBSD: uuencode.c,v 1.10 2001/02/08 19:30:53 itojun Exp $ */
+/* $OpenBSD: uuencode.c,v 1.12 2001/03/01 02:27:18 deraadt Exp $ */
 
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -28,7 +28,7 @@
 #include "xmalloc.h"
 #include "uuencode.h"
 
-RCSID("$OpenBSD: uuencode.c,v 1.10 2001/02/08 19:30:53 itojun Exp $");
+RCSID("$OpenBSD: uuencode.c,v 1.12 2001/03/01 02:27:18 deraadt Exp $");
 
 int
 uuencode(u_char *src, u_int srclength,
diff -ru openssh-2.5.1p2/version.h openssh-2.5.2p1/version.h
--- openssh-2.5.1p2/version.h 2001-02-27 10:39:16.000000000 +1100
+++ openssh-2.5.2p1/version.h 2001-03-20 09:16:34.000000000 +1100
@@ -1,3 +1,3 @@
 /* $OpenBSD: version.h,v 1.19 2001/02/19 10:35:23 markus Exp $ */
 
-#define SSH_VERSION "OpenSSH_2.5.1p2"
+#define SSH_VERSION "OpenSSH_2.5.2p1"