diff -ru openssh-2.5.2p2/CREDITS openssh-2.9p1/CREDITS
--- openssh-2.5.2p2/CREDITS 2001-02-09 12:55:35.000000000 +1100
+++ openssh-2.9p1/CREDITS 2001-04-16 10:41:46.000000000 +1000
@@ -55,6 +55,7 @@
 Lutz Jaenicke - Bugfixes
 Marc G. Fournier - Solaris patches
 Martin Johansson - Linux fixes
+Mark D. Roth - Features, bug fixes
 Mark Miller - Bugfixes
 Matt Richards - AIX patches
 Michael Stone - Irix enhancements
@@ -87,5 +88,5 @@
 Damien Miller
-$Id: CREDITS,v 1.61 2001/02/09 01:55:35 djm Exp $
+$Id: CREDITS,v 1.62 2001/04/16 00:41:46 djm Exp $
diff -ru openssh-2.5.2p2/ChangeLog openssh-2.9p1/ChangeLog
--- openssh-2.5.2p2/ChangeLog 2001-03-22 16:04:12.000000000 +1100
+++ openssh-2.9p1/ChangeLog 2001-04-29 22:04:15.000000000 +1000
@@ -1,6 +1,618 @@ +20010429 + - (bal) Updated INSTALL. PCRE moved to a new place. + - (djm) Add Theo Schlossnagle's SecurID patch to contrib/ + - (djm) Release 2.9p1 + +20010427 + - (bal) Fixed uidswap.c so it should work on non-posix complient systems. + patch based on 2.5.2 version by djm. + - (bal) Build manpages and config files once unless changed. Patch by + Carson Gaspar + - (bal) arpa/nameser.h does not exist on Cygwin. Patch by Corinna + Vinschen + - (bal) Add /etc/sysconfig/sshd support to redhat's sshd.init. Patch by + Pekka Savola + - (bal) Cygwin lacks setgroups() API. Patch by Corinna Vinschen + + - (bal) version.h synced, RPM specs updated for 2.9 + - (tim) update contrib/caldera files with what Caldera is using. + + +20010425 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/04/23 21:57:07 + [ssh-keygen.1 ssh-keygen.c] + allow public key for -e, too + - markus@cvs.openbsd.org 2001/04/23 22:14:13 + [ssh-keygen.c] + remove debug + - (bal) Whitespace resync w/ OpenBSD for uidswap.c + - (djm) Add new server configuration directive 'PAMAuthenticationViaKbdInt' + (default: off), implies KbdInteractiveAuthentication. Suggestion from + markus@ + - (djm) Include crypt.h if available in auth-passwd.c + - tim@mindrot.org 2001/04/25 21:38:01 [configure.in] + man page detection fixes for SCO + +20010424 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/04/22 23:58:36 + [ssh-keygen.1 ssh.1 sshd.8] + document hostbased and other cleanup + - (stevesk) start_pam() doesn't use DNS now for sshd -u0. + - (stevesk) auth-pam.c: use PERMIT_NO_PASSWD + - (bal) sys/queue.h is bogus for NCR platform. Patch by Daniel Carroll + + - (bal) Fixed contrib/postinstall.in. 
Patch by wsanders@wsanders.net + +20010422 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/04/20 16:32:22 + [uidswap.c] + set non-privileged gid before uid; tholo@ and deraadt@ + - mouring@cvs.openbsd.org 2001/04/21 00:55:57 + [sftp.1] + Spelling + - djm@cvs.openbsd.org 2001/04/22 08:13:30 + [ssh.1] + typos spotted by stevesk@; ok deraadt@ + - markus@cvs.openbsd.org 2001/04/22 12:34:05 + [scp.c] + scp > 2GB; niles@scyld.com; ok deraadt@, djm@ + - markus@cvs.openbsd.org 2001/04/22 13:25:37 + [ssh-keygen.1 ssh-keygen.c] + rename arguments -x -> -e (export key), -X -> -i (import key) + xref draft-ietf-secsh-publickeyfile-01.txt + - markus@cvs.openbsd.org 2001/04/22 13:32:27 + [sftp-server.8 sftp.1 ssh.1 sshd.8] + xref draft-ietf-secsh-* + - markus@cvs.openbsd.org 2001/04/22 13:41:02 + [ssh-keygen.1 ssh-keygen.c] + style, noted by stevesk; sort flags in usage + +20010421 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2001/04/20 07:17:51 + [clientloop.c ssh.1] + Split out and improve escape character documentation, mention ~R in + ~? help text; ok markus@ + - Update RPM spec files for CVS version.h + - (stevesk) set the default PAM service name to __progname instead + of the hard-coded value "sshd"; from Mark D. 
Roth + - (stevesk) document PAM service name change in INSTALL + - tim@mindrot.org 2001/04/21 14:25:57 [Makefile.in configure.in] + fix perl test, fix nroff test, fix Makefile to build outside source tree + +20010420 + - OpenBSD CVS Sync + - ian@cvs.openbsd.org 2001/04/18 16:21:05 + [ssh-keyscan.1] + Fix typo reported in PR/1779 + - markus@cvs.openbsd.org 2001/04/18 21:57:42 + [readpass.c ssh-add.c] + call askpass from ssh, too, based on work by roth@feep.net, ok deraadt + - markus@cvs.openbsd.org 2001/04/18 22:03:45 + [auth2.c sshconnect2.c] + use FDQN with trailing dot in the hostbased auth packets, ok deraadt@ + - markus@cvs.openbsd.org 2001/04/18 22:48:26 + [auth2.c] + no longer const + - markus@cvs.openbsd.org 2001/04/18 23:43:26 + [auth2.c compat.c sshconnect2.c] + more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now + (however the 2.1.0 server seems to work only if debug is enabled...) + - markus@cvs.openbsd.org 2001/04/18 23:44:51 + [authfile.c] + error->debug; noted by fries@ + - markus@cvs.openbsd.org 2001/04/19 00:05:11 + [auth2.c] + use local variable, no function call needed. + (btw, hostbased works now with ssh.com >= 2.0.13) + - (bal) Put scp-common.h back into scp.c (it exists in the upstream + tree) pointed out by Tom Holroyd + +20010418 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/04/17 19:34:25 + [session.c] + move auth_approval to do_authenticated(). + do_child(): nuke hostkeys from memory + don't source .ssh/rc for subsystems. + - markus@cvs.openbsd.org 2001/04/18 14:15:00 + [canohost.c] + debug->debug3 + - (bal) renabled 'catman-do:' and fixed it. So now catman pages should + be working again. + - (bal) Makfile day... Cleaned up multiple mantype support (Patch by + Mark D. Roth ), and fixed PIDDIR support. + +20010417 + - (bal) Add perl5 check for HP/UX, Removed GNUness from Makefile.in + and temporary commented out 'catman-do:' since it is broken. 
Patches + for the first two by Lutz Jaenicke + - OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2001/04/16 08:26:04 + [key.c] + better safe than sorry in later mods; yongari@kt-is.co.kr + - markus@cvs.openbsd.org 2001/04/17 08:14:01 + [sshconnect1.c] + check for key!=NULL, thanks to costa + - markus@cvs.openbsd.org 2001/04/17 09:52:48 + [clientloop.c] + handle EINTR/EAGAIN on read; ok deraadt@ + - markus@cvs.openbsd.org 2001/04/17 10:53:26 + [key.c key.h readconf.c readconf.h ssh.1 sshconnect2.c] + add HostKeyAlgorithms; based on patch from res@shore.net; ok provos@ + - markus@cvs.openbsd.org 2001/04/17 12:55:04 + [channels.c ssh.c] + undo socks5 and https support since they are not really used and + only bloat ssh. remove -D from usage(), since '-D' is experimental. + +20010416 + - OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2001/04/15 01:35:22 + [ttymodes.c] + fix comments + - markus@cvs.openbsd.org 2001/04/15 08:43:47 + [dh.c sftp-glob.c sftp-glob.h sftp-int.c sshconnect2.c sshd.c] + some unused variable and typos; from tomh@po.crl.go.jp + - markus@cvs.openbsd.org 2001/04/15 16:58:03 + [authfile.c ssh-keygen.c sshd.c] + don't use errno for key_{load,save}_private; discussion w/ solar@openwall + - markus@cvs.openbsd.org 2001/04/15 17:16:00 + [clientloop.c] + set stdin/out/err to nonblocking in SSH proto 1, too. suggested by ho@ + should fix some of the blocking problems for rsync over SSH-1 + - stevesk@cvs.openbsd.org 2001/04/15 19:41:21 + [sshd.8] + some ClientAlive cleanup; ok markus@ + - stevesk@cvs.openbsd.org 2001/04/15 21:28:35 + [readconf.c servconf.c] + use fatal() or error() vs. fprintf(); ok markus@ + - (djm) Convert mandoc manpages to man automatically. Patch from Mark D. + Roth + - (bal) CVS ID fix up and slight manpage fix from OpenBSD tree. + - (djm) OpenBSD CVS Sync + - mouring@cvs.openbsd.org 2001/04/16 02:31:44 + [scp.c sftp.c] + IPv6 support for sftp (which I bungled in my last patch) which is + borrowed from scp.c. 
Thanks to Markus@ for pointing it out. + - deraadt@cvs.openbsd.org 2001/04/16 08:05:34 + [xmalloc.c] + xrealloc dealing with ptr == nULL; mouring + - djm@cvs.openbsd.org 2001/04/16 08:19:31 + [session.c] + Split motd and hushlogin checks into seperate functions, helps for + portable. From Chris Adams ; ok markus@ + - Fix OSF SIA support displaying too much information for quiet + logins and logins where access was denied by SIA. Patch from Chris Adams + + +20010415 + - OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2001/04/14 04:31:01 + [ssh-add.c] + do not double free + - markus@cvs.openbsd.org 2001/04/14 16:17:14 + [channels.c] + remove some channels that are not appropriate for keepalive. + - markus@cvs.openbsd.org 2001/04/14 16:27:57 + [ssh-add.c] + use clear_pass instead of xfree() + - stevesk@cvs.openbsd.org 2001/04/14 16:33:20 + [clientloop.c packet.h session.c ssh.c ttymodes.c ttymodes.h] + protocol 2 tty modes support; ok markus@ + - stevesk@cvs.openbsd.org 2001/04/14 17:04:42 + [scp.c] + 'T' handling rcp/scp sync; ok markus@ + - Missed sshtty.[ch] in Sync. + +20010414 + - Sync with OpenBSD glob.c, strlcat.c and vis.c changes + - Cygwin sftp/sftp-server binary mode patch from Corinna Vinschen + + - OpenBSD CVS Sync + - beck@cvs.openbsd.org 2001/04/13 22:46:54 + [channels.c channels.h servconf.c servconf.h serverloop.c sshd.8] + Add options ClientAliveInterval and ClientAliveCountMax to sshd. + This gives the ability to do a "keepalive" via the encrypted channel + which can't be spoofed (unlike TCP keepalives). Useful for when you want + to use ssh connections to authenticate people for something, and know + relatively quickly when they are no longer authenticated. Disabled + by default (of course). 
ok markus@ + +20010413 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/04/12 14:29:09 + [ssh.c] + show debug output during option processing, report from + pekkas@netcore.fi + - markus@cvs.openbsd.org 2001/04/12 19:15:26 + [auth-rhosts.c auth.h auth2.c buffer.c canohost.c canohost.h + compat.c compat.h hostfile.c pathnames.h readconf.c readconf.h + servconf.c servconf.h ssh.c sshconnect.c sshconnect.h sshconnect1.c + sshconnect2.c sshd_config] + implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) + similar to RhostRSAAuthentication unless you enable (the experimental) + HostbasedUsesNameFromPacketOnly option. please test. :) + - markus@cvs.openbsd.org 2001/04/12 19:39:27 + [readconf.c] + typo + - stevesk@cvs.openbsd.org 2001/04/12 20:09:38 + [misc.c misc.h readconf.c servconf.c ssh.c sshd.c] + robust port validation; ok markus@ jakob@ + - mouring@cvs.openbsd.org 2001/04/12 23:17:54 + [sftp-int.c sftp-int.h sftp.1 sftp.c] + Add support for: + sftp [user@]host[:file [file]] - Fetch remote file(s) + sftp [user@]host[:dir[/]] - Start in remote dir/ + OK deraadt@ + - stevesk@cvs.openbsd.org 2001/04/13 01:26:17 + [ssh.c] + missing \n in error message + - (bal) Added openbsd-compat/inet_ntop.[ch] since HP/UX (and others) + lack it. + +20010412 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/04/10 07:46:58 + [channels.c] + cleanup socks4 handling + - itojun@cvs.openbsd.org 2001/04/10 09:13:22 + [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8] + document id_rsa{.pub,}. markus ok + - markus@cvs.openbsd.org 2001/04/10 12:15:23 + [channels.c] + debug cleanup + - djm@cvs.openbsd.org 2001/04/11 07:06:22 + [sftp-int.c] + 'mget' and 'mput' aliases; ok markus@ + - markus@cvs.openbsd.org 2001/04/11 10:59:01 + [ssh.c] + use strtol() for ports, thanks jakob@ + - markus@cvs.openbsd.org 2001/04/11 13:56:13 + [channels.c ssh.c] + https-connect and socks5 support. i feel so bad. 
+ - lebel@cvs.openbsd.org 2001/04/11 16:25:30 + [sshd.8 sshd.c] + implement the -e option into sshd: + -e When this option is specified, sshd will send the output to the + standard error instead of the system log. + markus@ OK. + +20010410 + - OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2001/04/08 20:52:55 + [sftp.c] + do not modify an actual argv[] entry + - stevesk@cvs.openbsd.org 2001/04/08 23:28:27 + [sshd.8] + spelling + - stevesk@cvs.openbsd.org 2001/04/09 00:42:05 + [sftp.1] + spelling + - markus@cvs.openbsd.org 2001/04/09 15:12:23 + [ssh-add.c] + passphrase caching: ssh-add tries last passphrase, clears passphrase if + not successful and after last try. + based on discussions with espie@, jakob@, ... and code from jakob@ and + wolfgang@wsrcc.com + - markus@cvs.openbsd.org 2001/04/09 15:19:49 + [ssh-add.1] + ssh-add retries the last passphrase... + - stevesk@cvs.openbsd.org 2001/04/09 18:00:15 + [sshd.8] + ListenAddress mandoc from aaron@ + +20010409 + - (stevesk) use setresgid() for setegid() if needed + - (stevesk) configure.in: typo + - OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2001/04/08 16:01:36 + [sshd.8] + document ListenAddress addr:port + - markus@cvs.openbsd.org 2001/04/08 13:03:00 + [ssh-add.c] + init pointers with NULL, thanks to danimal@danimal.org + - markus@cvs.openbsd.org 2001/04/08 11:27:33 + [clientloop.c] + leave_raw_mode if ssh2 "session" is closed + - markus@cvs.openbsd.org 2001/04/06 21:00:17 + [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth2.c channels.c session.c + ssh.c sshconnect.c sshconnect.h uidswap.c uidswap.h] + do gid/groups-swap in addition to uid-swap, should help if /home/group + is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks + to olar@openwall.com is comments. we had many requests for this. + - markus@cvs.openbsd.org 2001/04/07 08:55:18 + [buffer.c channels.c channels.h readconf.c ssh.c] + allow the ssh client act as a SOCKS4 proxy (dynamic local + portforwarding). work by Dan Kaminsky and me. 
+ thanks to Dan for this great patch: use 'ssh -D 1080 host' and make + netscape use localhost:1080 as a socks proxy. + - markus@cvs.openbsd.org 2001/04/08 11:24:33 + [uidswap.c] + KNF + +20010408 + - OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2001/04/06 22:12:47 + [hostfile.c] + unused; typo in comment + - stevesk@cvs.openbsd.org 2001/04/06 22:25:25 + [servconf.c] + in addition to: + ListenAddress host|ipv4_addr|ipv6_addr + permit: + ListenAddress [host|ipv4_addr|ipv6_addr]:port + ListenAddress host|ipv4_addr:port + sshd.8 updates coming. ok markus@ + +20010407 + - (bal) CVS ID Resync of version.h + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/04/05 23:39:20 + [serverloop.c] + keep the ssh session even if there is no active channel. + this is more in line with the protocol spec and makes + ssh -N -L 1234:server:110 host + more useful. + based on discussion with long time ago + and recent mail from + - deraadt@cvs.openbsd.org 2001/04/06 16:46:59 + [scp.c] + remove trailing / from source paths; fixes pr#1756 + +20010406 + - (stevesk) logintest.c: fix for systems without __progname + - (stevesk) Makefile.in: log.o is in libssh.a + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/04/05 10:00:06 + [compat.c] + 2.3.x does old GEX, too; report jakob@ + - markus@cvs.openbsd.org 2001/04/05 10:39:03 + [compress.c compress.h packet.c] + reset compress state per direction when rekeying. + - markus@cvs.openbsd.org 2001/04/05 10:39:48 + [version.h] + temporary version 2.5.4 (supports rekeying). + this is not an official release. + - markus@cvs.openbsd.org 2001/04/05 10:42:57 + [auth-chall.c authfd.c channels.c clientloop.c kex.c kexgex.c key.c + mac.c packet.c serverloop.c sftp-client.c sftp-client.h sftp-glob.c + sftp-glob.h sftp-int.c sftp-server.c sftp.c ssh-keygen.c sshconnect.c + sshconnect2.c sshd.c] + fix whitespace: unexpand + trailing spaces. 
+ - markus@cvs.openbsd.org 2001/04/05 11:09:17 + [clientloop.c compat.c compat.h] + add SSH_BUG_NOREKEY and detect broken (=all old) openssh versions. + - markus@cvs.openbsd.org 2001/04/05 15:45:43 + [ssh.1] + ssh defaults to protocol v2; from quisar@quisar.ambre.net + - stevesk@cvs.openbsd.org 2001/04/05 15:48:18 + [canohost.c canohost.h session.c] + move get_remote_name_or_ip() to canohost.[ch]; for portable. ok markus@ + - markus@cvs.openbsd.org 2001/04/05 20:01:10 + [clientloop.c] + for ~R print message if server does not support rekeying. (and fix ~R). + - markus@cvs.openbsd.org 2001/04/05 21:02:46 + [buffer.c] + better error message + - markus@cvs.openbsd.org 2001/04/05 21:05:24 + [clientloop.c ssh.c] + don't request a session for 'ssh -N', pointed out slade@shore.net + +20010405 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/04/04 09:48:35 + [kex.c kex.h kexdh.c kexgex.c packet.c sshconnect2.c sshd.c] + don't sent multiple kexinit-requests. + send newkeys, block while waiting for newkeys. + fix comments. + - markus@cvs.openbsd.org 2001/04/04 14:34:58 + [clientloop.c kex.c kex.h serverloop.c sshconnect2.c sshd.c] + enable server side rekeying + some rekey related clientup. + todo: we should not send any non-KEX messages after we send KEXINIT + - markus@cvs.openbsd.org 2001/04/04 15:50:55 + [compat.c] + f-secure 1.3.2 does not handle IGNORE; from milliondl@ornl.gov + - markus@cvs.openbsd.org 2001/04/04 20:25:38 + [channels.c channels.h clientloop.c kex.c kex.h serverloop.c + sshconnect2.c sshd.c] + more robust rekeying + don't send channel data after rekeying is started. + - markus@cvs.openbsd.org 2001/04/04 20:32:56 + [auth2.c] + we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@ + - markus@cvs.openbsd.org 2001/04/04 22:04:35 + [kex.c kexgex.c serverloop.c] + parse full kexinit packet. + make server-side more robust, too. + - markus@cvs.openbsd.org 2001/04/04 23:09:18 + [dh.c kex.c packet.c] + clear+free keys,iv for rekeying. 
+ + fix DH mem leaks. ok niels@ + - (stevesk) don't use vhangup() if defined(HAVE_DEV_PTMX); also removes + BROKEN_VHANGUP + +20010404 + - OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2001/04/02 17:32:23 + [ssh-agent.1] + grammar; slade@shore.net + - stevesk@cvs.openbsd.org 2001/04/03 13:56:11 + [sftp-glob.c ssh-agent.c ssh-keygen.c] + free() -> xfree() + - markus@cvs.openbsd.org 2001/04/03 19:53:29 + [dh.c dh.h kex.c kex.h sshconnect2.c sshd.c] + move kex to kex*.c, used dispatch_set() callbacks for kex. should + make rekeying easier. + - todd@cvs.openbsd.org 2001/04/03 21:19:38 + [ssh_config] + id_rsa1/2 -> id_rsa; ok markus@ + - markus@cvs.openbsd.org 2001/04/03 23:32:12 + [kex.c kex.h packet.c sshconnect2.c sshd.c] + undo parts of recent my changes: main part of keyexchange does not + need dispatch-callbacks, since application data is delayed until + the keyexchange completes (if i understand the drafts correctly). + add some infrastructure for re-keying. + - markus@cvs.openbsd.org 2001/04/04 00:06:54 + [clientloop.c sshconnect2.c] + enable client rekeying + (1) force rekeying with ~R, or + (2) if the server requests rekeying. + works against ssh-2.0.12/2.0.13/2.1.0/2.2.0/2.3.0/2.3.1/2.4.0 + - (bal) Oops.. Missed including kexdh.c and kexgex.c in OpenBSD sync. + +20010403 + - OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2001/04/02 14:15:31 + [sshd.8] + typo; ok markus@ + - stevesk@cvs.openbsd.org 2001/04/02 14:20:23 + [readconf.c servconf.c] + correct comment; ok markus@ + - (stevesk) nchan.c: remove ostate checks and add EINVAL to + shutdown(SHUT_RD) error() bypass for HP-UX. 
+ +20010402 + - (stevesk) log.c openbsd sync; missing newlines + - (stevesk) sshpty.h openbsd sync; PTY_H -> SSHPTY_H + +20010330 + - (djm) Another openbsd-compat/glob.c sync + - (djm) OpenBSD CVS Sync + - provos@cvs.openbsd.org 2001/03/28 21:59:41 + [kex.c kex.h sshconnect2.c sshd.c] + forgot to include min and max params in hash, okay markus@ + - provos@cvs.openbsd.org 2001/03/28 22:04:57 + [dh.c] + more sanity checking on primes file + - markus@cvs.openbsd.org 2001/03/28 22:43:31 + [auth.h auth2.c auth2-chall.c] + check auth_root_allowed for kbd-int auth, too. + - provos@cvs.openbsd.org 2001/03/29 14:24:59 + [sshconnect2.c] + use recommended defaults + - stevesk@cvs.openbsd.org 2001/03/29 21:06:21 + [sshconnect2.c sshd.c] + need to set both STOC and CTOS for SSH_BUG_BIGENDIANAES; ok markus@ + - markus@cvs.openbsd.org 2001/03/29 21:17:40 + [dh.c dh.h kex.c kex.h] + prepare for rekeying: move DH code to dh.c + - djm@cvs.openbsd.org 2001/03/29 23:42:01 + [sshd.c] + Protocol 1 key regeneration log => verbose, some KNF; ok markus@ + +20010329 + - OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2001/03/26 15:47:59 + [ssh.1] + document more defaults; misc. cleanup. ok markus@ + - markus@cvs.openbsd.org 2001/03/26 23:12:42 + [authfile.c] + KNF + - markus@cvs.openbsd.org 2001/03/26 23:23:24 + [rsa.c rsa.h ssh-agent.c ssh-keygen.c] + try to read private f-secure ssh v2 rsa keys. + - markus@cvs.openbsd.org 2001/03/27 10:34:08 + [ssh-rsa.c sshd.c] + use EVP_get_digestbynid, reorder some calls and fix missing free. 
+ - markus@cvs.openbsd.org 2001/03/27 10:57:00 + [compat.c compat.h ssh-rsa.c] + some older systems use NID_md5 instead of NID_sha1 for RSASSA-PKCS1-v1_5 + signatures in SSH protocol 2, ok djm@ + - provos@cvs.openbsd.org 2001/03/27 17:46:50 + [compat.c compat.h dh.c dh.h ssh2.h sshconnect2.c sshd.c version.h] + make dh group exchange more flexible, allow min and max group size, + okay markus@, deraadt@ + - stevesk@cvs.openbsd.org 2001/03/28 19:56:23 + [scp.c] + start to sync scp closer to rcp; ok markus@ + - stevesk@cvs.openbsd.org 2001/03/28 20:04:38 + [scp.c] + usage more like rcp and add missing -B to usage; ok markus@ + - markus@cvs.openbsd.org 2001/03/28 20:50:45 + [sshd.c] + call refuse() before close(); from olemx@ans.pl + +20010328 + - (djm) Reorder tests and library inclusion for Krb4/AFS to try to + resolve linking conflicts with libcrypto. Report and suggested fix + from Holger Trapp + - (djm) Work around Solaris' broken struct dirent. Diagnosis and suggested + fix from Philippe Levan + - (djm) Rework krbIV tests to get us closer to building on Redhat. Still + doesn't work because of conflicts between krbIV's and OpenSSL's des.h + - (djm) Sync openbsd-compat/glob.c + +20010327 + - Attempt sync with sshlogin.c w/ OpenBSD (mainly CVS ID) + - Fix pointer issues in waitpid() and wait() replaces. Patch by Lutz + Jaenicke + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2001/03/25 00:01:34 + [session.c] + shorten; ok markus@ + - stevesk@cvs.openbsd.org 2001/03/25 13:16:11 + [servconf.c servconf.h session.c sshd.8 sshd_config] + PrintLastLog option; from chip@valinux.com with some minor + changes by me. ok markus@ + - markus@cvs.openbsd.org 2001/03/26 08:07:09 + [authfile.c authfile.h ssh-add.c ssh-keygen.c ssh.c sshconnect.c + sshconnect.h sshconnect1.c sshconnect2.c sshd.c] + simpler key load/save interface, see authfile.h + - (djm) Reestablish PAM credentials (which can be supplemental group + memberships) after initgroups() blows them away. 
Report and suggested + fix from Nalin Dahyabhai + +20010324 + - Fixed permissions ssh-keyscan. Thanks to Christopher Linn . + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2001/03/23 11:04:07 + [compat.c compat.h sshconnect2.c sshd.c] + Compat for OpenSSH with broken Rijndael/AES. ok markus@ + - markus@cvs.openbsd.org 2001/03/23 12:02:49 + [auth1.c] + authctxt is now passed to do_authenticated + - markus@cvs.openbsd.org 2001/03/23 13:10:57 + [sftp-int.c] + fix put, upload to _absolute_ path, ok djm@ + - markus@cvs.openbsd.org 2001/03/23 14:28:32 + [session.c sshd.c] + ignore SIGPIPE, restore in child, fixes x11-fwd crashes; with djm@ + - (djm) Pull out our own SIGPIPE hacks + +20010323 + - OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2001/03/22 20:22:55 + [sshd.c] + do not place linefeeds in buffer + 20010322 - (djm) Better AIX no tty fix, spotted by Gert Doering - - (djm) Released 2.5.2p2 + - (bal) version.c CVS ID resync + - (bal) auth-chall.c auth-passwd.c auth.h auth1.c auth2.c session.c CVS ID + resync + - (bal) scp.c CVS ID resync + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/20 19:10:16 + [readconf.c] + default to SSH protocol version 2 + - markus@cvs.openbsd.org 2001/03/20 19:21:21 + [session.c] + remove unused arg + - markus@cvs.openbsd.org 2001/03/20 19:21:21 + [session.c] + remove unused arg + - markus@cvs.openbsd.org 2001/03/21 11:43:45 + [auth1.c auth2.c session.c session.h] + merge common ssh v1/2 code + - jakob@cvs.openbsd.org 2001/03/21 14:20:45 + [ssh-keygen.c] + add -B flag to usage + - markus@cvs.openbsd.org 2001/03/21 21:06:30 + [session.c] + missing init; from mib@unimelb.edu.au 20010321 - (djm) Fix ttyname breakage for AIX and Tru64. Patch from Steve 
@@ -4660,4 +5272,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1
-$Id: ChangeLog,v 1.991.2.6 2001/03/22 05:04:12 djm Exp $
+$Id: ChangeLog,v 1.1179.2.3 2001/04/29 12:04:15 djm Exp $
diff -ru openssh-2.5.2p2/INSTALL openssh-2.9p1/INSTALL
--- openssh-2.5.2p2/INSTALL 2001-03-04 00:29:21.000000000 +1100
+++ openssh-2.9p1/INSTALL 2001-04-29 02:32:11.000000000 +1000
@@ -52,7 +52,7 @@
 'make' programs, but you are on your own.
 PCRE (PERL-compatible Regular Expression library):
-ftp://ftp.cus.cam.ac.uk/pub/software/programs/pcre/
+ftp://ftp.cus.cam.ac.uk/pub/software/programing/pcre/
 Most platforms do not require this. However older Unices may not have
 a posix regex library. PCRE provides a POSIX interface.
@@ -91,15 +91,20 @@
 This will install the binaries in /opt/{bin,lib,sbin}, but will place
 the configuration files in /etc/ssh.
-If you are using PAM, you may need to manually install a PAM
-control file as "/etc/pam.d/sshd" (or wherever your system
-prefers to keep them). A generic PAM configuration is included as
-"contrib/sshd.pam.generic", you may need to edit it before using it on
-your system. If you are using a recent version of Red Hat Linux, the
-config file in contrib/redhat/sshd.pam should be more useful.
-Failure to install a valid PAM file may result in an inability to
-use password authentication. On HP-UX 11, the standard /etc/pam.conf
-configuration will work with sshd (sshd will match the OTHER service
+If you are using PAM, you may need to manually install a PAM control
+file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
+them). Note that the service name used to start PAM is __progname,
+which is the basename of the path of your sshd (e.g., the service name
+for /usr/sbin/osshd will be osshd). If you have renamed your sshd
+executable, your PAM configuration may need to be modified.
+
+A generic PAM configuration is included as "contrib/sshd.pam.generic",
+you may need to edit it before using it on your system. If you are
+using a recent version of Red Hat Linux, the config file in
+contrib/redhat/sshd.pam should be more useful. Failure to install a
+valid PAM file may result in an inability to use password
+authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf
+configuration will work with sshd (sshd will match the other service
 name).
 There are a few other options to the configure script:
@@ -222,4 +227,4 @@
 http://www.openssh.com/
-$Id: INSTALL,v 1.42 2001/03/03 13:29:21 djm Exp $
+$Id: INSTALL,v 1.44 2001/04/28 16:32:11 mouring Exp $
diff -ru openssh-2.5.2p2/Makefile.in openssh-2.9p1/Makefile.in
--- openssh-2.5.2p2/Makefile.in 2001-03-21 13:12:12.000000000 +1100
+++ openssh-2.9p1/Makefile.in 2001-04-27 10:31:08.000000000 +1000
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.161.2.1 2001/03/21 02:12:12 djm Exp $
+# $Id: Makefile.in,v 1.174 2001/04/27 00:31:08 mouring Exp $
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -21,7 +21,8 @@
 PATHS= -DETCDIR=\"$(sysconfdir)\" \
 -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
 -D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
- -D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\"
+ -D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" \
+ -D_PATH_SSH_PIDDIR=\"$(piddir)\"
 CC=@CC@
 LD=@LD@
@@ -44,17 +45,18 @@
 TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) $(SFTP_PROGS)
-LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o cli.o compat.o compress.o crc32.o deattack.o dispatch.o mac.o hostfile.o key.o kex.o log.o match.o misc.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o ssh-dss.o ssh-rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o
+LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o cli.o compat.o compress.o crc32.o deattack.o dh.o dispatch.o mac.o hostfile.o key.o kex.o kexdh.o kexgex.o log.o match.o misc.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o ssh-dss.o ssh-rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o
-SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o readconf.o clientloop.o
+SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o
-TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1
-CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh-keyscan.0 ssh.0 sshd.0 sftp-server.0 sftp.0
-MANPAGES = @MANTYPE@
+MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out
+MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1
+MANTYPE = @MANTYPE@
-CONFIGFILES=sshd_config ssh_config primes
+CONFIGFILES=sshd_config.out ssh_config.out primes.out
+CONFIGFILES_IN=sshd_config ssh_config primes
 PATHSUBS = \
 -D/etc/ssh_config=$(sysconfdir)/ssh_config \
@@ -73,9 +75,7 @@
 FIXPATHSCMD = $(PERL) $(srcdir)/fixpaths $(PATHSUBS)
-all: $(CONFIGFILES) $(TARGETS)
-
-manpages: $(MANPAGES)
+all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
 $(LIBSSH_OBJS): config.h
 $(SSHOBJS): config.h
@@ -98,33 +98,46 @@
 sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
 $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o log.o
- $(LD) -o $@ scp.o log.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o scp-common.o
+ $(LD) -o $@ scp.o scp-common.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o log.o
- $(LD) -o $@ ssh-add.o log.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o log.o
- $(LD) -o $@ ssh-agent.o log.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o
+ $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o log.o
- $(LD) -o $@ ssh-keygen.o log.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a log.o ssh-keyscan.o
- $(LD) -o $@ ssh-keyscan.o log.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o log.o sftp-server.o
- $(LD) -o $@ sftp-server.o sftp-common.o log.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o
+ $(LD) -o $@ sftp-server.o sftp-common.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-int.o sftp-common.o sftp-glob.o
- $(LD) -o $@ sftp.o sftp-client.o sftp-common.o sftp-int.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-int.o sftp-common.o sftp-glob.o scp-common.o
+ $(LD) -o $@ sftp.o sftp-client.o sftp-common.o sftp-int.o sftp-glob.o scp-common.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 # test driver for the loginrec code - not built by default
-logintest: logintest.o $(LIBCOMPAT) libssh.a log.o loginrec.o
- $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh log.o $(LIBS)
+logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
+ $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
+
+$(MANPAGES): $(MANPAGES_IN)
+ if test "$(MANTYPE)" = "cat"; then \
+ manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
+ else \
+ manpage=$(srcdir)/`echo $@ | sed 's/\.out$$//'`; \
+ fi; \
+ if test "$(MANTYPE)" = "man"; then \
+ $(FIXPATHSCMD) $${manpage} | $(PERL) $(srcdir)/mdoc2man.pl > $@; \
+ else \
+ $(FIXPATHSCMD) $${manpage} > $@; \
+ fi
-$(MANPAGES) $(CONFIGFILES)::
- $(FIXPATHSCMD) $(srcdir)/$@
+$(CONFIGFILES): $(CONFIGFILES_IN)
+ conffile=`echo $@ | sed 's/.out$$//'`; \
+ $(FIXPATHSCMD) $(srcdir)/$${conffile} > $@
 clean:
 (cd openbsd-compat; $(MAKE) clean)
@@ -141,7 +154,7 @@
 rm -f configure config.h.in *.0
 catman-do:
- @for f in $(TROFFMAN) ; do \
+ @for f in $(MANPAGES_IN) ; do \
 base=`echo $$f | sed 's/\..*$$//'` ; \
 echo "$$f -> $$base.0" ; \
 nroff -mandoc $$f | cat -v | sed -e 's/.\^H//g' \
@@ -151,7 +164,7 @@
 distprep: catman-do
 autoreconf
-install: manpages $(TARGETS) install-files host-key
+install: $(TARGETS) install-files host-key
 install-files:
 $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
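Review bot: In the new `$(MANPAGES)` and `$(CONFIGFILES)` recipes the redirection `> $@` creates and truncates the target before `$(FIXPATHSCMD)` (or `mdoc2man.pl`) has run, so a failing or absent tool leaves an empty or partial `.out` file whose fresh timestamp makes the next `make` treat it as up to date, and a later install step will presumably ship it — for `sshd_config.out` or `primes.out` that is a silently broken server configuration rather than a cosmetic manpage glitch. In the `man` branch the pipeline's exit status is that of `mdoc2man.pl`, so a `fixpaths` failure is not even reported to make. Writing to a temporary name and renaming only on success fixes both: `$(FIXPATHSCMD) $${manpage} > $@.tmp && mv $@.tmp $@` for the plain branch, the same `> $@.tmp && mv $@.tmp $@` after the `mdoc2man.pl` pipe, and `$(FIXPATHSCMD) $(srcdir)/$${conffile} > $@.tmp && mv $@.tmp $@` for the config files. Separately, every `.out` target lists all of `$(MANPAGES_IN)` (resp. `$(CONFIGFILES_IN)`) as prerequisites, so touching one input regenerates every output; that only costs build time, but per-target `$(srcdir)/` prerequisites would be more precise and, if VPATH is not set elsewhere in this Makefile, are also what an out-of-tree build needs to find the inputs.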
@@ -165,19 +178,19 @@ $(INSTALL) -m 0755 -s ssh-add $(DESTDIR)$(bindir)/ssh-add $(INSTALL) -m 0755 -s ssh-agent $(DESTDIR)$(bindir)/ssh-agent $(INSTALL) -m 0755 -s ssh-keygen $(DESTDIR)$(bindir)/ssh-keygen - $(INSTALL) -m 0775 -s ssh-keyscan $(DESTDIR)$(bindir)/ssh-keyscan + $(INSTALL) -m 0755 -s ssh-keyscan $(DESTDIR)$(bindir)/ssh-keyscan $(INSTALL) -m 0755 -s sshd $(DESTDIR)$(sbindir)/sshd @NO_SFTP@$(INSTALL) -m 0755 -s sftp $(DESTDIR)$(bindir)/sftp @NO_SFTP@$(INSTALL) -m 0755 -s sftp-server $(DESTDIR)$(SFTP_SERVER) - $(INSTALL) -m 644 ssh.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 - $(INSTALL) -m 644 scp.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 - $(INSTALL) -m 644 ssh-add.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 - $(INSTALL) -m 644 ssh-agent.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 - $(INSTALL) -m 644 ssh-keygen.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 - $(INSTALL) -m 644 ssh-keyscan.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 - $(INSTALL) -m 644 sshd.[08].out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 - @NO_SFTP@$(INSTALL) -m 644 sftp.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 - @NO_SFTP@$(INSTALL) -m 644 sftp-server.[08].out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 + $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 + $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 + $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 + $(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 + $(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 + $(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 + $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 + @NO_SFTP@$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 + @NO_SFTP@$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f 
$(DESTDIR)$(bindir)/slogin ln -s ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 diff -ru openssh-2.5.2p2/TODO openssh-2.9p1/TODO --- openssh-2.5.2p2/TODO 2001-03-21 13:12:12.000000000 +1100 +++ openssh-2.9p1/TODO 2001-03-27 16:10:22.000000000 +1000 @@ -2,7 +2,13 @@ - Grep for 'XXX' comments and fix - Link order is incorrect for some systems using Kerberos 4 and AFS. Result -is multiple inclusion of DES symbols. + is multiple inclusion of DES symbols. Holger Trapp + reports that changing the configure + generated link order from: + -lresolv -lkrb -lz -lnsl -lutil -lkafs -lkrb -ldes -lcrypto + to: + -lresolv -lkrb -lz -lnsl -lutil -lcrypto -lkafs -lkrb -ldes + fixing the problem. - Integrate contrib/mdoc2man.pl so platforms which only have the troff 'an' macros can have readable manpages. @@ -82,4 +88,4 @@ - HP-UX: Provide DEPOT package scripts. (gilbert.r.loomis@saic.com) -$Id: TODO,v 1.38.2.1 2001/03/21 02:12:12 djm Exp $ +$Id: TODO,v 1.40 2001/03/27 06:10:22 djm Exp $ diff -ru openssh-2.5.2p2/acconfig.h openssh-2.9p1/acconfig.h --- openssh-2.5.2p2/acconfig.h 2001-03-17 12:15:38.000000000 +1100 +++ openssh-2.9p1/acconfig.h 2001-04-06 03:15:08.000000000 +1000 @@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.108 2001/03/17 01:15:38 mouring Exp $ */ +/* $Id: acconfig.h,v 1.110 2001/04/05 17:15:08 stevesk Exp $ */ #ifndef _CONFIG_H #define _CONFIG_H @@ -284,9 +284,6 @@ /* getaddrinfo is broken (if present) */ #undef BROKEN_GETADDRINFO -/* vhangup is broken (if present) */ -#undef BROKEN_VHANGUP - /* Workaround more Linux IPv6 quirks */ #undef DONT_TRY_OTHER_AF 
@@ -308,6 +305,9 @@ /* Define if your system glob() function has gl_matchc options in glob_t */ #undef GLOB_HAS_GL_MATCHC +/* Define in your struct dirent expects you to allocate extra space for d_name */ +#undef BROKEN_ONE_BYTE_DIRENT_D_NAME + @BOTTOM@ /* ******************* Shouldn't need to edit below this line ************** */ diff -ru openssh-2.5.2p2/auth-chall.c openssh-2.9p1/auth-chall.c --- openssh-2.5.2p2/auth-chall.c 2001-03-05 17:59:27.000000000 +1100 +++ openssh-2.9p1/auth-chall.c 2001-04-06 09:26:32.000000000 +1000 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-chall.c,v 1.5 2001/03/02 18:54:30 deraadt Exp $"); +RCSID("$OpenBSD: auth-chall.c,v 1.7 2001/04/05 10:42:47 markus Exp $"); #include "auth.h" #include "log.h" @@ -50,8 +50,8 @@ debug3("bsd auth: devs %s", devs ? devs : ""); authctxt->as = auth_userchallenge(authctxt->user, devs, "auth-ssh", &challenge); - if (authctxt->as == NULL) - return NULL; + if (authctxt->as == NULL) + return NULL; debug2("get_challenge: <%s>", challenge ? challenge : "EMPTY"); return challenge; } diff -ru openssh-2.5.2p2/auth-pam.c openssh-2.9p1/auth-pam.c --- openssh-2.5.2p2/auth-pam.c 2001-03-21 13:12:13.000000000 +1100 +++ openssh-2.9p1/auth-pam.c 2001-04-24 04:38:37.000000000 +1000 @@ -33,7 +33,9 @@ #include "canohost.h" #include "readpass.h" -RCSID("$Id: auth-pam.c,v 1.31.2.1 2001/03/21 02:12:13 djm Exp $"); +extern char *__progname; + +RCSID("$Id: auth-pam.c,v 1.37 2001/04/23 18:38:37 stevesk Exp $"); #define NEW_AUTHTOK_MSG \ "Warning: Your password has expired, please change it now" @@ -207,7 +209,7 @@ /* deny if no user. */ if (pw == NULL) return 0; - if (pw->pw_uid == 0 && options.permit_root_login == 2) + if (pw->pw_uid == 0 && options.permit_root_login == PERMIT_NO_PASSWD) return 0; if (*password == '\0' && options.permit_empty_passwd == 0) return 0; 
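Review bot: The comment on the new `BROKEN_ONE_BYTE_DIRENT_D_NAME` entry reads `Define in your struct dirent expects you to allocate extra space for d_name`; `in` should be `if`, matching every other entry in this file: `/* Define if your struct dirent expects you to allocate extra space for d_name */`.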
@@ -287,14 +289,15 @@ } /* Set PAM credentials */ -void do_pam_setcred(void) +void do_pam_setcred(int init) { int pam_retval; do_pam_set_conv(&conv); debug("PAM establishing creds"); - pam_retval = pam_setcred(__pamh, PAM_ESTABLISH_CRED); + pam_retval = pam_setcred(__pamh, + init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); if (pam_retval != PAM_SUCCESS) { if (was_authenticated) fatal("PAM setcred failed[%d]: %.200s", @@ -345,6 +348,8 @@ { int pam_retval; extern ServerOptions options; + extern u_int utmp_len; + const char *rhost; debug("Starting up PAM with username \"%.200s\"", user); @@ -354,10 +359,10 @@ fatal("PAM initialisation failed[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); - debug("PAM setting rhost to \"%.200s\"", - get_canonical_hostname(options.reverse_mapping_check)); - pam_retval = pam_set_item(__pamh, PAM_RHOST, - get_canonical_hostname(options.reverse_mapping_check)); + rhost = get_remote_name_or_ip(utmp_len, options.reverse_mapping_check); + debug("PAM setting rhost to \"%.200s\"", rhost); + + pam_retval = pam_set_item(__pamh, PAM_RHOST, rhost); if (pam_retval != PAM_SUCCESS) fatal("PAM set rhost failed[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); diff -ru openssh-2.5.2p2/auth-pam.h openssh-2.9p1/auth-pam.h --- openssh-2.5.2p2/auth-pam.h 2001-02-15 11:51:32.000000000 +1100 +++ openssh-2.9p1/auth-pam.h 2001-03-27 16:12:24.000000000 +1000 @@ -1,4 +1,4 @@ -/* $Id: auth-pam.h,v 1.10 2001/02/15 00:51:32 djm Exp $ */ +/* $Id: auth-pam.h,v 1.11 2001/03/27 06:12:24 djm Exp $ */ #include "includes.h" #ifdef USE_PAM 
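Review bot: `PAM_RHOST` is now taken from `get_remote_name_or_ip(utmp_len, options.reverse_mapping_check)` instead of `get_canonical_hostname(...)`, so the value handed to PAM depends on the utmp hostname-length limit and, as far as can be told from this hunk, may be the client's IP address rather than its resolved name. PAM modules that match on the remote host (pam_access, pam_listfile and similar) will therefore see different input than before, which deserves a comment at the `rhost =` line, e.g. `/* PAM_RHOST follows the utmp name-or-IP policy (utmp_len), not the canonical hostname */`, and a mention wherever the `-u` option is documented. In the `do_pam_setcred(int init)` hunk on this line a one-line comment on the parameter (non-zero establishes credentials, zero reinitialises them) would save readers a trip to the PAM call; the enclosing functions of both hunks start above them.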
@@ -12,7 +12,7 @@
 int do_pam_authenticate(int flags);
 int do_pam_account(char *username, char *remote_user);
 void do_pam_session(char *username, const char *ttyname);
-void do_pam_setcred(void);
+void do_pam_setcred(int init);
 void print_pam_messages(void);
 int is_pam_password_change_required(void);
 void do_pam_chauthtok(void);
diff -ru openssh-2.5.2p2/auth-passwd.c openssh-2.9p1/auth-passwd.c
--- openssh-2.5.2p2/auth-passwd.c 2001-02-18 17:01:00.000000000 +1100
+++ openssh-2.9p1/auth-passwd.c 2001-04-25 22:50:19.000000000 +1000
@@ -36,7 +36,7 @@
  */
 #include "includes.h"
-RCSID("$OpenBSD: auth-passwd.c,v 1.21 2001/02/12 16:16:23 markus Exp $");
+RCSID("$OpenBSD: auth-passwd.c,v 1.22 2001/03/20 18:57:04 markus Exp $");
 #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
@@ -46,6 +46,9 @@
 #include "servconf.h"
 #include "auth.h"
+#ifdef HAVE_CRYPT_H
+# include
+#endif
 #ifdef WITH_AIXAUTHENTICATE
 # include
 #endif
diff -ru openssh-2.5.2p2/auth-rh-rsa.c openssh-2.9p1/auth-rh-rsa.c
--- openssh-2.5.2p2/auth-rh-rsa.c 2001-02-04 23:20:19.000000000 +1100
+++ openssh-2.9p1/auth-rh-rsa.c 2001-04-09 04:27:01.000000000 +1000
@@ -13,7 +13,7 @@
  */
 #include "includes.h"
-RCSID("$OpenBSD: auth-rh-rsa.c,v 1.22 2001/02/03 10:08:36 markus Exp $");
+RCSID("$OpenBSD: auth-rh-rsa.c,v 1.23 2001/04/06 21:00:04 markus Exp $");
 #include "packet.h"
 #include "xmalloc.h"
@@ -80,7 +80,7 @@
 pw->pw_name, user_hostfile);
 } else {
 /* XXX race between stat and the following open() */
-temporarily_use_uid(pw->pw_uid);
+temporarily_use_uid(pw);
 host_status = check_host_in_hostfile(user_hostfile,
 canonical_hostname, client_key, found, NULL);
 restore_uid();
diff -ru openssh-2.5.2p2/auth-rhosts.c openssh-2.9p1/auth-rhosts.c
--- openssh-2.5.2p2/auth-rhosts.c 2001-02-09 13:11:24.000000000 +1100
+++ openssh-2.9p1/auth-rhosts.c 2001-04-13 09:34:35.000000000 +1000
@@ -14,7 +14,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rhosts.c,v 1.21 2001/02/08 19:30:51 itojun Exp $"); +RCSID("$OpenBSD: auth-rhosts.c,v 1.23 2001/04/12 19:15:24 markus Exp $"); #include "packet.h" #include "xmalloc.h" @@ -25,6 +25,9 @@ #include "canohost.h" #include "auth.h" +/* import */ +extern ServerOptions options; + /* * This function processes an rhosts-style file (.rhosts, .shosts, or * /etc/hosts.equiv). This returns true if authentication can be granted @@ -150,18 +153,33 @@ int auth_rhosts(struct passwd *pw, const char *client_user) { - extern ServerOptions options; - char buf[1024]; const char *hostname, *ipaddr; + int ret; + + hostname = get_canonical_hostname(options.reverse_mapping_check); + ipaddr = get_remote_ipaddr(); + ret = auth_rhosts2(pw, client_user, hostname, ipaddr); + return ret; +} + +int +auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, + const char *ipaddr) +{ + char buf[1024]; struct stat st; static const char *rhosts_files[] = {".shosts", ".rhosts", NULL}; u_int rhosts_file_index; + debug2("auth_rhosts2: clientuser %s hostname %s ipaddr %s", + client_user, hostname, ipaddr); + /* no user given */ if (pw == NULL) return 0; + /* Switch to the user's uid. */ - temporarily_use_uid(pw->pw_uid); + temporarily_use_uid(pw); /* * Quick check: if the user has no .shosts or .rhosts files, return * failure immediately without doing costly lookups from name @@ -184,9 +202,6 @@ stat(_PATH_SSH_HOSTS_EQUIV, &st) < 0) return 0; - hostname = get_canonical_hostname(options.reverse_mapping_check); - ipaddr = get_remote_ipaddr(); - /* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */ if (pw->pw_uid != 0) { if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, client_user, 
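Review bot: `auth_rhosts2` takes `hostname` and `ipaddr` from its caller and logs them verbatim through `debug2(...)`, yet nothing says that they are caller-trusted values rather than names the server resolved itself, which matters now that a hostbased caller can pass a client-chosen name in both slots; a header comment above `auth_rhosts2` should state that, that `pw` may be NULL, and that the function switches to the user's uid. In the `auth_rhosts` wrapper the `ret` temporary adds nothing: `return auth_rhosts2(pw, client_user, hostname, ipaddr);`. The body of `auth_rhosts2` continues past the end of this hunk.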
@@ -223,7 +238,7 @@ return 0; } /* Temporarily use the user's uid. */ - temporarily_use_uid(pw->pw_uid); + temporarily_use_uid(pw); /* Check all .rhosts files (currently .shosts and .rhosts). */ for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; diff -ru openssh-2.5.2p2/auth-rsa.c openssh-2.9p1/auth-rsa.c --- openssh-2.5.2p2/auth-rsa.c 2001-03-05 17:47:00.000000000 +1100 +++ openssh-2.9p1/auth-rsa.c 2001-04-09 04:27:01.000000000 +1000 @@ -14,7 +14,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rsa.c,v 1.39 2001/03/01 02:45:10 deraadt Exp $"); +RCSID("$OpenBSD: auth-rsa.c,v 1.40 2001/04/06 21:00:07 markus Exp $"); #include #include @@ -135,7 +135,7 @@ return 0; /* Temporarily use the user's uid. */ - temporarily_use_uid(pw->pw_uid); + temporarily_use_uid(pw); /* The authorized keys. */ snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir, diff -ru openssh-2.5.2p2/auth-sia.c openssh-2.9p1/auth-sia.c --- openssh-2.5.2p2/auth-sia.c 2001-02-14 01:25:23.000000000 +1100 +++ openssh-2.9p1/auth-sia.c 2001-04-16 18:37:05.000000000 +1000 
@@ -61,35 +61,46 @@ host = get_canonical_hostname (options.reverse_mapping_check); if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, - NULL) != SIASUCCESS) - fatal("sia_ses_init failed"); + NULL) != SIASUCCESS) { + error("sia_ses_init failed"); + exit(1); + } if ((pw = getpwnam(user)) == NULL) { sia_ses_release(&ent); - fatal("getpwnam(%s) failed: %s", user, strerror(errno)); + error("getpwnam(%s) failed: %s", user, strerror(errno)); + exit(1); } if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) { sia_ses_release(&ent); - fatal("sia_make_entity_pwd failed"); + error("sia_make_entity_pwd failed"); + exit(1); } ent->authtype = SIA_A_NONE; - if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) - fatal("couldn't establish session for %s from %s", user, + if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) { + error("couldn't establish session for %s from %s", user, host); + exit(1); + } if (setpriority(PRIO_PROCESS, 0, 0) == -1) { sia_ses_release(&ent); - fatal("setpriority failed: %s", strerror (errno)); + error("setpriority failed: %s", strerror (errno)); + exit(1); } - if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) - fatal("couldn't launch session for %s from %s", user, host); + if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) { + error("couldn't launch session for %s from %s", user, host); + exit(1); + } sia_ses_release(&ent); - if (setreuid(geteuid(), geteuid()) < 0) - fatal("setreuid failed: %s", strerror (errno)); + if (setreuid(geteuid(), geteuid()) < 0) { + error("setreuid failed: %s", strerror (errno)); + exit(1); + } } #endif /* HAVE_OSF_SIA */ diff -ru openssh-2.5.2p2/auth.h openssh-2.9p1/auth.h --- openssh-2.5.2p2/auth.h 2001-03-05 16:56:41.000000000 +1100 +++ openssh-2.9p1/auth.h 2001-04-13 09:34:35.000000000 +1000 
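Review bot: Every `fatal()` in this function (its start is above the hunk) has been replaced by `error()` followed by a bare `exit(1)`, which skips whatever `fatal()` does beyond logging — in this tree that is, as far as I recall, the registered cleanup handlers — so a comment explaining why a direct exit is wanted here (presumably because this code runs in the forked child) would stop a later reader from "restoring" `fatal()`. The `sia_ses_estab` and `sia_ses_launch` failure branches also skip `sia_ses_release(&ent)` while the neighbouring `getpwnam` and `setpriority` branches call it before exiting; either all branches should release the session or the comment should say why it is unnecessary.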
@@ -21,7 +21,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $OpenBSD: auth.h,v 1.12 2001/02/22 21:59:43 markus Exp $ + * $OpenBSD: auth.h,v 1.15 2001/04/12 19:15:24 markus Exp $ */ #ifndef AUTH_H #define AUTH_H @@ -58,6 +58,11 @@ */ int auth_rhosts(struct passwd * pw, const char *client_user); +/* extended interface similar to auth_rhosts() */ +int +auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, + const char *ipaddr); + /* * Tries to authenticate the user using the .rhosts file and the host using * its host key. Returns true if authentication succeeds. @@ -121,7 +126,7 @@ Authctxt *authctxt_new(void); void auth_log(Authctxt *authctxt, int authenticated, char *method, char *info); -void userauth_reply(Authctxt *authctxt, int authenticated); +void userauth_finish(Authctxt *authctxt, int authenticated, char *method); int auth_root_allowed(char *method); int auth2_challenge(Authctxt *authctxt, char *devs); diff -ru openssh-2.5.2p2/auth1.c openssh-2.9p1/auth1.c --- openssh-2.5.2p2/auth1.c 2001-03-09 07:37:23.000000000 +1100 +++ openssh-2.9p1/auth1.c 2001-03-24 11:37:59.000000000 +1100 @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.19 2001/03/08 18:47:12 stevesk Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.22 2001/03/23 12:02:49 markus Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -430,9 +430,6 @@ aixloginmsg = NULL; #endif /* WITH_AIXAUTHENTICATE */ - xfree(authctxt->user); - xfree(authctxt); - /* Perform session preparation. */ - do_authenticated(pw); + do_authenticated(authctxt); } diff -ru openssh-2.5.2p2/auth2-chall.c openssh-2.9p1/auth2-chall.c --- openssh-2.5.2p2/auth2-chall.c 2001-03-05 17:59:27.000000000 +1100 +++ openssh-2.9p1/auth2-chall.c 2001-03-30 10:48:31.000000000 +1000 
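Review bot: In the auth1.c hunk the frees of `authctxt->user` and `authctxt` are dropped and the context is handed to `do_authenticated(authctxt)` instead, so ownership of the context moves to the callee, but nothing at the call site records that; `/* authctxt is now owned by do_authenticated() */` at the call would, and `do_authenticated` (not in this chunk) should be checked to either free it or keep it for the life of the session. The enclosing function starts above the hunk. In the auth.h hunk the new `auth_rhosts2` prototype is split as `int` / `auth_rhosts2(...)` on separate lines while the neighbouring `int auth_rhosts(...)` keeps the return type on the same line; one form should be used for both.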
@@ -22,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: auth2-chall.c,v 1.3 2001/03/02 18:54:31 deraadt Exp $"); +RCSID("$OpenBSD: auth2-chall.c,v 1.4 2001/03/28 22:43:31 markus Exp $"); #include "ssh2.h" #include "auth.h" @@ -104,10 +104,9 @@ } xfree(response); } - auth_log(authctxt, authenticated, method, " ssh2"); - if (!authctxt->postponed) { - /* unregister callback and send reply */ + /* unregister callback */ + if (!authctxt->postponed) dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL); - userauth_reply(authctxt, authenticated); - } + + userauth_finish(authctxt, authenticated, method); } diff -ru openssh-2.5.2p2/auth2.c openssh-2.9p1/auth2.c --- openssh-2.5.2p2/auth2.c 2001-03-12 07:01:56.000000000 +1100 +++ openssh-2.9p1/auth2.c 2001-04-25 22:44:15.000000000 +1000 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.46 2001/03/11 13:25:36 markus Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.56 2001/04/19 00:05:11 markus Exp $"); #include @@ -48,6 +48,9 @@ #include "uidswap.h" #include "auth-options.h" #include "misc.h" +#include "hostfile.h" +#include "canohost.h" +#include "tildexpand.h" /* import */ extern ServerOptions options; @@ -76,14 +79,19 @@ /* helper */ Authmethod *authmethod_lookup(const char *name); -int user_key_allowed(struct passwd *pw, Key *key); char *authmethods_get(void); +int user_key_allowed(struct passwd *pw, Key *key); +int +hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, + Key *key); /* auth */ void userauth_banner(void); +void userauth_reply(Authctxt *authctxt, int authenticated); int userauth_none(Authctxt *authctxt); int userauth_passwd(Authctxt *authctxt); int userauth_pubkey(Authctxt *authctxt); +int userauth_hostbased(Authctxt *authctxt); int userauth_kbdint(Authctxt *authctxt); Authmethod authmethods[] = { 
@@ -99,6 +107,9 @@ {"keyboard-interactive", userauth_kbdint, &options.kbd_interactive_authentication}, + {"hostbased", + userauth_hostbased, + &options.hostbased_authentication}, {NULL, NULL, NULL} }; @@ -116,11 +127,13 @@ /* challenge-reponse is implemented via keyboard interactive */ if (options.challenge_reponse_authentication) options.kbd_interactive_authentication = 1; + if (options.pam_authentication_via_kbd_int) + options.kbd_interactive_authentication = 1; dispatch_init(&protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); - do_authenticated2(authctxt); + do_authenticated(authctxt); } void @@ -210,7 +223,7 @@ } else if (authctxt->valid) { if (strcmp(user, authctxt->user) != 0 || strcmp(service, authctxt->service) != 0) { - log("input_userauth_request: missmatch: (%s,%s)!=(%s,%s)", + log("input_userauth_request: mismatch: (%s,%s)!=(%s,%s)", user, service, authctxt->user, authctxt->service); authctxt->valid = 0; } @@ -231,6 +244,16 @@ debug2("input_userauth_request: try method %s", method); authenticated = m->userauth(authctxt); } + userauth_finish(authctxt, authenticated, method); + + xfree(service); + xfree(user); + xfree(method); +} + +void +userauth_finish(Authctxt *authctxt, int authenticated, char *method) +{ if (!authctxt->valid && authenticated) fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); @@ -251,10 +274,6 @@ if (!authctxt->postponed) userauth_reply(authctxt, authenticated); - - xfree(service); - xfree(user); - xfree(method); } void @@ -267,11 +286,8 @@ if (options.banner == NULL || (datafellows & SSH_BUG_BANNER)) return; - if ((fd = open(options.banner, O_RDONLY)) < 0) { - error("userauth_banner: open %s failed: %s", - options.banner, strerror(errno)); + if ((fd = open(options.banner, O_RDONLY)) < 0) return; - } if (fstat(fd, &st) < 0) goto done; len = st.st_size; 
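Review bot: `userauth_finish` becomes an externally visible entry point (declared in auth.h, called from auth2-chall.c) but carries no header comment; it needs a short one saying that it must be called exactly once per userauth request with the method name, that `authenticated` set for an invalid user is fatal, and that the reply is sent only when `authctxt->postponed` is clear. Since `method` is only read and logged, `const char *method` would be the more honest signature. The function's body continues in the following hunk.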
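Review bot: Dropping the `error()` when `open(options.banner, O_RDONLY)` fails makes a misconfigured Banner path (a typo, or wrong permissions after a chroot) completely silent; if the goal is to avoid log noise for an absent optional file, `debug("userauth_banner: open %s failed: %s", options.banner, strerror(errno));` before the `return` keeps the condition diagnosable at debug level. The enclosing `userauth_banner` starts above this hunk.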
@@ -397,7 +413,7 @@ authenticated = auth2_challenge(authctxt, devs); #ifdef USE_PAM - if (authenticated == 0) + if (authenticated == 0 && options.pam_authentication_via_kbd_int) authenticated = auth2_pam(authctxt); #endif xfree(lang); @@ -468,7 +484,7 @@ } else { buffer_put_cstring(&b, "publickey"); buffer_put_char(&b, have_sig); - buffer_put_cstring(&b, key_ssh_name(key)); + buffer_put_cstring(&b, pkalg); } buffer_put_string(&b, pkblob, blen); #ifdef DEBUG_PK 
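Review bot: Putting the client-sent `pkalg` rather than `key_ssh_name(key)` into the reconstructed signed data is the right change — the signature has to cover the bytes the client actually sent — but it also means the algorithm name and the key blob can now disagree without anything noticing unless the decoded key's type is compared with the name; that comparison is not visible in this hunk, so if `userauth_pubkey` does not already check `key->type` against `key_type_from_name(pkalg)` after `key_from_blob`, it should reject a mismatch. The same gap is visible in the new `userauth_hostbased` in the next hunk, where `pktype` is computed and tested against `KEY_UNSPEC` but never compared with `key->type`: after the `key == NULL` check add `if (key->type != pktype) { log("userauth_hostbased: type mismatch for decoded key"); key_free(key); goto done; }`.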
@@ -515,6 +531,81 @@ return authenticated; } +int +userauth_hostbased(Authctxt *authctxt) +{ + Buffer b; + Key *key; + char *pkalg, *pkblob, *sig, *cuser, *chost, *service; + u_int alen, blen, slen; + int pktype; + int authenticated = 0; + + if (!authctxt->valid) { + debug2("userauth_hostbased: disabled because of invalid user"); + return 0; + } + pkalg = packet_get_string(&alen); + pkblob = packet_get_string(&blen); + chost = packet_get_string(NULL); + cuser = packet_get_string(NULL); + sig = packet_get_string(&slen); + + debug("userauth_hostbased: cuser %s chost %s pkalg %s slen %d", + cuser, chost, pkalg, slen); +#ifdef DEBUG_PK + debug("signature:"); + buffer_init(&b); + buffer_append(&b, sig, slen); + buffer_dump(&b); + buffer_free(&b); +#endif + pktype = key_type_from_name(pkalg); + if (pktype == KEY_UNSPEC) { + /* this is perfectly legal */ + log("userauth_hostbased: unsupported " + "public key algorithm: %s", pkalg); + goto done; + } + key = key_from_blob(pkblob, blen); + if (key == NULL) { + debug("userauth_hostbased: cannot decode key: %s", pkalg); + goto done; + } + service = datafellows & SSH_BUG_HBSERVICE ? 
"ssh-userauth" : + authctxt->service; + buffer_init(&b); + buffer_put_string(&b, session_id2, session_id2_len); + /* reconstruct packet */ + buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); + buffer_put_cstring(&b, authctxt->user); + buffer_put_cstring(&b, service); + buffer_put_cstring(&b, "hostbased"); + buffer_put_string(&b, pkalg, alen); + buffer_put_string(&b, pkblob, blen); + buffer_put_cstring(&b, chost); + buffer_put_cstring(&b, cuser); +#ifdef DEBUG_PK + buffer_dump(&b); +#endif + /* test for allowed key and correct signature */ + if (hostbased_key_allowed(authctxt->pw, cuser, chost, key) && + key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) + authenticated = 1; + + buffer_clear(&b); + key_free(key); + +done: + debug2("userauth_hostbased: authenticated %d", authenticated); + xfree(pkalg); + xfree(pkblob); + xfree(cuser); + xfree(chost); + xfree(sig); + return authenticated; +} + /* get current user */ struct passwd* @@ -586,7 +677,7 @@ return 0; /* Temporarily use the user's uid. */ - temporarily_use_uid(pw->pw_uid); + temporarily_use_uid(pw); /* The authorized keys. */ snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir, 
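Review bot: `chost` and `cuser` come straight off the wire through `packet_get_string(NULL)` and are printed with `%s` into `debug(...)` here and into `log(...)` in `hostbased_key_allowed`, with no filtering, so a client can put control characters or terminal escapes into sshd's log stream; they should pass through a printable-only filter before being logged, or at least the exposure should be noted at the `debug("userauth_hostbased: cuser %s chost %s ...` line. `slen` is `u_int` but is formatted with `%d`; `%u` is the matching conversion. On the success path the reconstructed buffer gets `buffer_clear(&b)` while the `DEBUG_PK` block just above pairs `buffer_init` with `buffer_free`; if `buffer_clear` does not release the storage `buffer_init` allocated, this leaks one buffer per hostbased attempt, which is unauthenticated traffic, and `buffer_free(&b)` is the safer call.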
@@ -692,3 +783,69 @@ debug2("key not found"); return found_key; } + +/* return 1 if given hostkey is allowed */ +int +hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, + Key *key) +{ + Key *found; + const char *resolvedname, *ipaddr, *lookup; + struct stat st; + char *user_hostfile; + int host_status, len; + + resolvedname = get_canonical_hostname(options.reverse_mapping_check); + ipaddr = get_remote_ipaddr(); + + debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s", + chost, resolvedname, ipaddr); + + if (options.hostbased_uses_name_from_packet_only) { + if (auth_rhosts2(pw, cuser, chost, chost) == 0) + return 0; + lookup = chost; + } else { + if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') { + debug2("stripping trailing dot from chost %s", chost); + chost[len - 1] = '\0'; + } + if (strcasecmp(resolvedname, chost) != 0) + log("userauth_hostbased mismatch: " + "client sends %s, but we resolve %s to %s", + chost, ipaddr, resolvedname); + if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0) + return 0; + lookup = resolvedname; + } + debug2("userauth_hostbased: access allowed by auth_rhosts2"); + + /* XXX this is copied from auth-rh-rsa.c and should be shared */ + found = key_new(key->type); + host_status = check_host_in_hostfile(_PATH_SSH_SYSTEM_HOSTFILE2, lookup, + key, found, NULL); + + if (host_status != HOST_OK && !options.ignore_user_known_hosts) { + user_hostfile = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE2, + pw->pw_uid); + if (options.strict_modes && + (stat(user_hostfile, &st) == 0) && + ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || + (st.st_mode & 022) != 0)) { + log("Hostbased authentication refused for %.100s: " + "bad owner or modes for %.200s", + pw->pw_name, user_hostfile); + } else { + temporarily_use_uid(pw); + host_status = check_host_in_hostfile(user_hostfile, + lookup, key, found, NULL); + restore_uid(); + } + xfree(user_hostfile); + } + key_free(found); + + debug2("userauth_hostbased: key %s 
for %s", host_status == HOST_OK ? + "ok" : "not found", lookup); + return (host_status == HOST_OK); +} diff -ru openssh-2.5.2p2/authfd.c openssh-2.9p1/authfd.c --- openssh-2.5.2p2/authfd.c 2001-03-06 14:31:34.000000000 +1100 +++ openssh-2.9p1/authfd.c 2001-04-06 09:26:32.000000000 +1000 @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfd.c,v 1.38 2001/03/06 00:33:03 deraadt Exp $"); +RCSID("$OpenBSD: authfd.c,v 1.39 2001/04/05 10:42:48 markus Exp $"); #include @@ -121,7 +121,7 @@ while (len > 0) { l = read(auth->fd, buf + 4 - len, len); if (l == -1 && (errno == EAGAIN || errno == EINTR)) - continue; + continue; if (l <= 0) { error("Error reading response length from authentication socket."); return 0; @@ -142,7 +142,7 @@ l = sizeof(buf); l = read(auth->fd, buf, l); if (l == -1 && (errno == EAGAIN || errno == EINTR)) - continue; + continue; if (l <= 0) { error("Error reading response from authentication socket."); return 0; diff -ru openssh-2.5.2p2/authfile.c openssh-2.9p1/authfile.c --- openssh-2.5.2p2/authfile.c 2001-03-05 15:59:27.000000000 +1100 +++ openssh-2.9p1/authfile.c 2001-04-20 06:47:11.000000000 +1000 @@ -36,7 +36,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfile.c,v 1.28 2001/02/21 09:05:54 deraadt Exp $"); +RCSID("$OpenBSD: authfile.c,v 1.32 2001/04/18 23:44:51 markus Exp $"); #include #include @@ -51,7 +51,7 @@ #include "log.h" #include "authfile.h" -/* Version identification string for identity files. */ +/* Version identification string for SSH v1 identity files. */ static const char authfile_id_string[] = "SSH PRIVATE KEY FILE FORMAT 1.1\n"; @@ -63,8 +63,8 @@ */ int -save_private_key_rsa1(const char *filename, const char *passphrase, - RSA *key, const char *comment) +key_save_private_rsa1(Key *key, const char *filename, const char *passphrase, + const char *comment) { Buffer buffer, encrypted; char buf[100], *cp; 
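Review bot: The `strict_modes` check runs `stat(user_hostfile, &st)` before `temporarily_use_uid(pw)`, and the file is then opened inside `check_host_in_hostfile` as the user, so the object that was checked and the object that is read can differ — the same stat/open window the copied code in auth-rh-rsa.c marks with `/* XXX race between stat and the following open() */`; that comment should be carried over here, or better, the ownership/mode check moved onto the opened descriptor (`fstat`) inside the shared helper that the `/* XXX this is copied from auth-rh-rsa.c and should be shared */` comment already asks for. `len` holds a `strlen()` result and should be `size_t` rather than `int`. The trailing-dot strip also writes into the caller's `chost` string, which is harmless today but worth a comment, since the signed buffer in `userauth_hostbased` was built from the unmodified value.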
@@ -100,10 +100,10 @@ * will be stored in plain text, and storing them also in encrypted * format would just give known plaintext). */ - buffer_put_bignum(&buffer, key->d); - buffer_put_bignum(&buffer, key->iqmp); - buffer_put_bignum(&buffer, key->q); /* reverse from SSL p */ - buffer_put_bignum(&buffer, key->p); /* reverse from SSL q */ + buffer_put_bignum(&buffer, key->rsa->d); + buffer_put_bignum(&buffer, key->rsa->iqmp); + buffer_put_bignum(&buffer, key->rsa->q); /* reverse from SSL p */ + buffer_put_bignum(&buffer, key->rsa->p); /* reverse from SSL q */ /* Pad the part to be encrypted until its size is a multiple of 8. */ while (buffer_len(&buffer) % 8 != 0) @@ -122,9 +122,9 @@ buffer_put_int(&encrypted, 0); /* For future extension */ /* Store public key. This will be in plain text. */ - buffer_put_int(&encrypted, BN_num_bits(key->n)); - buffer_put_bignum(&encrypted, key->n); - buffer_put_bignum(&encrypted, key->e); + buffer_put_int(&encrypted, BN_num_bits(key->rsa->n)); + buffer_put_bignum(&encrypted, key->rsa->n); + buffer_put_bignum(&encrypted, key->rsa->e); buffer_put_string(&encrypted, comment, strlen(comment)); /* Allocate space for the private part of the key in the buffer. */ @@ -140,11 +140,13 @@ buffer_free(&buffer); fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600); - if (fd < 0) + if (fd < 0) { + error("open %s failed: %s.", filename, strerror(errno)); return 0; + } if (write(fd, buffer_ptr(&encrypted), buffer_len(&encrypted)) != buffer_len(&encrypted)) { - debug("Write to key file %.200s failed: %.100s", filename, + error("write to key file %s failed: %s", filename, strerror(errno)); buffer_free(&encrypted); close(fd); 
@@ -156,10 +158,10 @@ return 1; } -/* save SSH2 key in OpenSSL PEM format */ +/* save SSH v2 key in OpenSSL PEM format */ int -save_private_key_ssh2(const char *filename, const char *_passphrase, - Key *key, const char *comment) +key_save_private_pem(Key *key, const char *filename, const char *_passphrase, + const char *comment) { FILE *fp; int fd; 
@@ -169,70 +171,70 @@ EVP_CIPHER *cipher = (len > 0) ? EVP_des_ede3_cbc() : NULL; if (len > 0 && len <= 4) { - error("passphrase too short: %d bytes", len); - errno = 0; + error("passphrase too short: have %d bytes, need > 4", len); return 0; } fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600); if (fd < 0) { - debug("open %s failed", filename); + error("open %s failed: %s.", filename, strerror(errno)); return 0; } fp = fdopen(fd, "w"); if (fp == NULL ) { - debug("fdopen %s failed", filename); + error("fdopen %s failed: %s.", filename, strerror(errno)); close(fd); return 0; } switch (key->type) { - case KEY_DSA: - success = PEM_write_DSAPrivateKey(fp, key->dsa, - cipher, passphrase, len, NULL, NULL); - break; - case KEY_RSA: - success = PEM_write_RSAPrivateKey(fp, key->rsa, - cipher, passphrase, len, NULL, NULL); - break; + case KEY_DSA: + success = PEM_write_DSAPrivateKey(fp, key->dsa, + cipher, passphrase, len, NULL, NULL); + break; + case KEY_RSA: + success = PEM_write_RSAPrivateKey(fp, key->rsa, + cipher, passphrase, len, NULL, NULL); + break; } fclose(fp); return success; } int -save_private_key(const char *filename, const char *passphrase, Key *key, +key_save_private(Key *key, const char *filename, const char *passphrase, const char *comment) { switch (key->type) { case KEY_RSA1: - return save_private_key_rsa1(filename, passphrase, key->rsa, comment); + return key_save_private_rsa1(key, filename, passphrase, + comment); break; case KEY_DSA: case KEY_RSA: - return save_private_key_ssh2(filename, passphrase, key, comment); + return key_save_private_pem(key, filename, passphrase, + comment); break; default: break; } + error("key_save_private: cannot save key type %d", key->type); return 0; } /* - * Loads the public part of the key file. Returns 0 if an error was - * encountered (the file does not exist or is not readable), and non-zero + * Loads the public part of the ssh v1 key file. 
Returns NULL if an error was + * encountered (the file does not exist or is not readable), and the key * otherwise. */ -int -load_public_key_rsa(const char *filename, RSA * pub, char **comment_return) +Key * +key_load_public_rsa1(int fd, const char *filename, char **commentp) { - int fd, i; - off_t len; Buffer buffer; + Key *pub; char *cp; + int i; + off_t len; - fd = open(filename, O_RDONLY); - if (fd < 0) - return 0; len = lseek(fd, (off_t) 0, SEEK_END); lseek(fd, (off_t) 0, SEEK_SET); @@ -243,16 +245,14 @@ debug("Read from key file %.200s failed: %.100s", filename, strerror(errno)); buffer_free(&buffer); - close(fd); - return 0; + return NULL; } - close(fd); /* Check that it is at least big enough to contain the ID string. */ if (len < sizeof(authfile_id_string)) { - debug3("Bad RSA1 key file %.200s.", filename); + debug3("No RSA1 key file %.200s.", filename); buffer_free(&buffer); - return 0; + return NULL; } /* * Make sure it begins with the id string. Consume the id string @@ -260,9 +260,9 @@ */ for (i = 0; i < sizeof(authfile_id_string); i++) if (buffer_get_char(&buffer) != authfile_id_string[i]) { - debug3("Bad RSA1 key file %.200s.", filename); + debug3("No RSA1 key file %.200s.", filename); buffer_free(&buffer); - return 0; + return NULL; } /* Skip cipher type and reserved data. */ (void) buffer_get_char(&buffer); /* cipher type */ 
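Review bot: `key_save_private_pem` returns `success` from `PEM_write_*PrivateKey` but ignores the result of `fclose(fp)`, so a write that fails at flush time (disk full, quota, NFS error) is reported as a saved key while the file on disk is short or empty; use `if (fclose(fp) != 0) { error("fclose %s failed: %s.", filename, strerror(errno)); success = 0; }`. Because the file is opened with `O_TRUNC`, such a failure has already destroyed any previous key at `filename`; writing to a temporary name and renaming on success would be the robust form, although that part is pre-existing. The `switch (key->type)` has no `default:`, which is only safe because `key_save_private` filters the types first — a one-line comment saying so would help the next reader.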
@@ -270,37 +270,33 @@ /* Read the public key from the buffer. */ buffer_get_int(&buffer); - /* XXX alloc */ - if (pub->n == NULL) - pub->n = BN_new(); - buffer_get_bignum(&buffer, pub->n); - /* XXX alloc */ - if (pub->e == NULL) - pub->e = BN_new(); - buffer_get_bignum(&buffer, pub->e); - if (comment_return) - *comment_return = buffer_get_string(&buffer, NULL); + pub = key_new(KEY_RSA1); + buffer_get_bignum(&buffer, pub->rsa->n); + buffer_get_bignum(&buffer, pub->rsa->e); + if (commentp) + *commentp = buffer_get_string(&buffer, NULL); /* The encrypted private part is not parsed by this function. */ buffer_free(&buffer); - - return 1; + return pub; } -/* load public key from private-key file */ -int -load_public_key(const char *filename, Key * key, char **comment_return) +/* load public key from private-key file, works only for SSH v1 */ +Key * +key_load_public_type(int type, const char *filename, char **commentp) { - switch (key->type) { - case KEY_RSA1: - return load_public_key_rsa(filename, key->rsa, comment_return); - break; - case KEY_DSA: - case KEY_RSA: - default: - break; + Key *pub; + int fd; + + if (type == KEY_RSA1) { + fd = open(filename, O_RDONLY); + if (fd < 0) + return NULL; + pub = key_load_public_rsa1(fd, filename, commentp); + close(fd); + return pub; } - return 0; + return NULL; } /* @@ -310,9 +306,9 @@ * Assumes we are called under uid of the owner of the file. */ -int -load_private_key_rsa1(int fd, const char *filename, - const char *passphrase, RSA * prv, char **comment_return) +Key * +key_load_private_rsa1(int fd, const char *filename, const char *passphrase, + char **commentp) { int i, check1, check2, cipher_type; off_t len; @@ -322,6 +318,7 @@ Cipher *cipher; BN_CTX *ctx; BIGNUM *aux; + Key *prv = NULL; len = lseek(fd, (off_t) 0, SEEK_END); lseek(fd, (off_t) 0, SEEK_SET); 
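Review bot: The new `Key *` loaders disagree on who owns `fd`: `key_load_public_rsa1` leaves it open and its caller `key_load_public_type` closes it, while `key_load_private_rsa1` in the following hunks calls `close(fd)` on every return path, and neither header comment says so. Add `/* fd is owned by the caller and left open */` above `key_load_public_rsa1` and `/* consumes fd: it is closed on all paths, including errors */` above `key_load_private_rsa1`, or make the two consistent. `key_load_public_type` also returns NULL for any `type` other than `KEY_RSA1` without a diagnostic; a `debug(...)` there would explain the silent failure to callers that pass a v2 type.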
@@ -334,15 +331,15 @@ strerror(errno)); buffer_free(&buffer); close(fd); - return 0; + return NULL; } /* Check that it is at least big enough to contain the ID string. */ if (len < sizeof(authfile_id_string)) { - debug3("Bad RSA1 key file %.200s.", filename); + debug3("No RSA1 key file %.200s.", filename); buffer_free(&buffer); close(fd); - return 0; + return NULL; } /* * Make sure it begins with the id string. Consume the id string @@ -350,10 +347,10 @@ */ for (i = 0; i < sizeof(authfile_id_string); i++) if (buffer_get_char(&buffer) != authfile_id_string[i]) { - debug3("Bad RSA1 key file %.200s.", filename); + debug3("No RSA1 key file %.200s.", filename); buffer_free(&buffer); close(fd); - return 0; + return NULL; } /* Read cipher type. */ @@ -362,12 +359,12 @@ /* Read the public key from the buffer. */ buffer_get_int(&buffer); - prv->n = BN_new(); - buffer_get_bignum(&buffer, prv->n); - prv->e = BN_new(); - buffer_get_bignum(&buffer, prv->e); - if (comment_return) - *comment_return = buffer_get_string(&buffer, NULL); + prv = key_new_private(KEY_RSA1); + + buffer_get_bignum(&buffer, prv->rsa->n); + buffer_get_bignum(&buffer, prv->rsa->e); + if (commentp) + *commentp = buffer_get_string(&buffer, NULL); else xfree(buffer_get_string(&buffer, NULL)); 
@@ -395,93 +392,81 @@ if (check1 != buffer_get_char(&decrypted) || check2 != buffer_get_char(&decrypted)) { if (strcmp(passphrase, "") != 0) - debug("Bad passphrase supplied for key file %.200s.", filename); + debug("Bad passphrase supplied for key file %.200s.", + filename); /* Bad passphrase. */ buffer_free(&decrypted); -fail: - BN_clear_free(prv->n); - prv->n = NULL; - BN_clear_free(prv->e); - prv->e = NULL; - if (comment_return) - xfree(*comment_return); - close(fd); - return 0; + goto fail; } /* Read the rest of the private key. */ - prv->d = BN_new(); - buffer_get_bignum(&decrypted, prv->d); - prv->iqmp = BN_new(); - buffer_get_bignum(&decrypted, prv->iqmp); /* u */ - /* in SSL and SSH p and q are exchanged */ - prv->q = BN_new(); - buffer_get_bignum(&decrypted, prv->q); /* p */ - prv->p = BN_new(); - buffer_get_bignum(&decrypted, prv->p); /* q */ + buffer_get_bignum(&decrypted, prv->rsa->d); + buffer_get_bignum(&decrypted, prv->rsa->iqmp); /* u */ + /* in SSL and SSH v1 p and q are exchanged */ + buffer_get_bignum(&decrypted, prv->rsa->q); /* p */ + buffer_get_bignum(&decrypted, prv->rsa->p); /* q */ + /* calculate p-1 and q-1 */ ctx = BN_CTX_new(); aux = BN_new(); - BN_sub(aux, prv->q, BN_value_one()); - prv->dmq1 = BN_new(); - BN_mod(prv->dmq1, prv->d, aux, ctx); - - BN_sub(aux, prv->p, BN_value_one()); - prv->dmp1 = BN_new(); - BN_mod(prv->dmp1, prv->d, aux, ctx); + BN_sub(aux, prv->rsa->q, BN_value_one()); + BN_mod(prv->rsa->dmq1, prv->rsa->d, aux, ctx); + + BN_sub(aux, prv->rsa->p, BN_value_one()); + BN_mod(prv->rsa->dmp1, prv->rsa->d, aux, ctx); BN_clear_free(aux); BN_CTX_free(ctx); buffer_free(&decrypted); close(fd); - return 1; + return prv; + +fail: + if (commentp) + xfree(*commentp); + close(fd); + key_free(prv); + return NULL; } -int -load_private_key_ssh2(int fd, const char *passphrase, Key *k, char **comment_return) +Key * +key_load_private_pem(int fd, int type, const char *passphrase, + char **commentp) { FILE *fp; - int success = 0; EVP_PKEY 
*pk = NULL; + Key *prv = NULL; char *name = ""; fp = fdopen(fd, "r"); if (fp == NULL) { - error("fdopen failed"); + error("fdopen failed: %s", strerror(errno)); close(fd); - return 0; + return NULL; } pk = PEM_read_PrivateKey(fp, NULL, NULL, (char *)passphrase); if (pk == NULL) { debug("PEM_read_PrivateKey failed"); (void)ERR_get_error(); - } else if (pk->type == EVP_PKEY_RSA) { - /* replace k->rsa with loaded key */ - if (k->type == KEY_RSA || k->type == KEY_UNSPEC) { - if (k->rsa != NULL) - RSA_free(k->rsa); - k->rsa = EVP_PKEY_get1_RSA(pk); - k->type = KEY_RSA; - name = "rsa w/o comment"; - success = 1; + } else if (pk->type == EVP_PKEY_RSA && + (type == KEY_UNSPEC||type==KEY_RSA)) { + prv = key_new(KEY_UNSPEC); + prv->rsa = EVP_PKEY_get1_RSA(pk); + prv->type = KEY_RSA; + name = "rsa w/o comment"; #ifdef DEBUG_PK - RSA_print_fp(stderr, k->rsa, 8); + RSA_print_fp(stderr, prv->rsa, 8); #endif - } - } else if (pk->type == EVP_PKEY_DSA) { - /* replace k->dsa with loaded key */ - if (k->type == KEY_DSA || k->type == KEY_UNSPEC) { - if (k->dsa != NULL) - DSA_free(k->dsa); - k->dsa = EVP_PKEY_get1_DSA(pk); - k->type = KEY_DSA; - name = "dsa w/o comment"; + } else if (pk->type == EVP_PKEY_DSA && + (type == KEY_UNSPEC||type==KEY_DSA)) { + prv = key_new(KEY_UNSPEC); + prv->dsa = EVP_PKEY_get1_DSA(pk); + prv->type = KEY_DSA; + name = "dsa w/o comment"; #ifdef DEBUG_PK - DSA_print_fp(stderr, k->dsa, 8); + DSA_print_fp(stderr, prv->dsa, 8); #endif - success = 1; - } } else { error("PEM_read_PrivateKey: mismatch or " "unknown EVP_PKEY save_type %d", pk->save_type); 
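Review bot: The new `fail:` path in key_load_private_rsa1 frees `*commentp` but leaves the caller holding the freed pointer; `if (commentp) { xfree(*commentp); *commentp = NULL; }` would make the NULL return unambiguous. `key_free(prv)` on the same path assumes `prv` is non-NULL or that key_free tolerates NULL — the only `goto fail` visible here comes after `key_new_private`, but `prv` is initialised to NULL, so an earlier jump outside the hunk may exist and should be checked. The bad-passphrase branch releases `decrypted`, which holds the plaintext private key bytes; whether buffer_free clears that memory is not visible here and deserves a comment either way. key_load_private_rsa1 begins before this hunk and key_load_private_pem continues after it.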
@@ -489,24 +474,18 @@ fclose(fp); if (pk != NULL) EVP_PKEY_free(pk); - if (success && comment_return) - *comment_return = xstrdup(name); - debug("read SSH2 private key done: name %s success %d", name, success); - return success; + if (prv != NULL && commentp) + *commentp = xstrdup(name); + debug("read PEM private key done: type %s", + prv ? key_type(prv) : ""); + return prv; } int -load_private_key(const char *filename, const char *passphrase, Key *key, - char **comment_return) +key_perm_ok(int fd, const char *filename) { - int fd; - int ret = 0; struct stat st; - fd = open(filename, O_RDONLY); - if (fd < 0) - return 0; - /* check owner and modes */ #ifdef HAVE_CYGWIN if (check_ntsec(filename)) 
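Review bot: key_perm_ok is a new externally visible function with no comment on its contract (it returns 0 after logging the reason, 1 when the file passes the ownership/mode check shown in the next hunk). Suggest above it: `/* Returns 1 if the key file open on fd is owned by the caller and not accessible to others, 0 (after logging why) otherwise. */` — the stat call itself lies outside this hunk, so confirm it is fstat on `fd` before describing it that way. The Cygwin branch calls `check_ntsec(filename)` by path rather than through `fd`, so on that platform the verdict is not tied to the file actually opened; a one-line comment noting that difference would help. key_perm_ok's body continues past the hunk.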
@@ -521,40 +500,78 @@ error("Bad ownership or mode(0%3.3o) for '%s'.", st.st_mode & 0777, filename); error("It is recommended that your private key files are NOT accessible by others."); + error("This private key will be ignored."); return 0; } - switch (key->type) { - case KEY_RSA1: - if (key->rsa->e != NULL) { - BN_clear_free(key->rsa->e); - key->rsa->e = NULL; - } - if (key->rsa->n != NULL) { - BN_clear_free(key->rsa->n); - key->rsa->n = NULL; - } - ret = load_private_key_rsa1(fd, filename, passphrase, - key->rsa, comment_return); /* closes fd */ + return 1; +} +Key * +key_load_private_type(int type, const char *filename, const char *passphrase, + char **commentp) +{ + int fd; + + fd = open(filename, O_RDONLY); + if (fd < 0) + return NULL; + if (!key_perm_ok(fd, filename)) { + error("bad permissions: ignore key: %s", filename); + close(fd); + return NULL; + } + switch (type) { + case KEY_RSA1: + return key_load_private_rsa1(fd, filename, passphrase, + commentp); + /* closes fd */ break; case KEY_DSA: case KEY_RSA: case KEY_UNSPEC: - ret = load_private_key_ssh2(fd, passphrase, key, - comment_return); /* closes fd */ + return key_load_private_pem(fd, type, passphrase, commentp); + /* closes fd */ break; default: close(fd); break; } - return ret; + return NULL; +} + +Key * +key_load_private(const char *filename, const char *passphrase, + char **commentp) +{ + Key *pub; + int fd; + + fd = open(filename, O_RDONLY); + if (fd < 0) + return NULL; + if (!key_perm_ok(fd, filename)) { + error("bad permissions: ignore key: %s", filename); + close(fd); + return NULL; + } + pub = key_load_public_rsa1(fd, filename, commentp); + lseek(fd, (off_t) 0, SEEK_SET); /* rewind */ + if (pub == NULL) { + /* closes fd */ + return key_load_private_pem(fd, KEY_UNSPEC, passphrase, NULL); + } else { + /* it's a SSH v1 key if the public key part is readable */ + key_free(pub); + /* closes fd */ + return key_load_private_rsa1(fd, filename, passphrase, NULL); + } } int -do_load_public_key(const 
char *filename, Key *k, char **commentp) +key_try_load_public(Key *k, const char *filename, char **commentp) { FILE *f; - char line[1024]; + char line[4096]; char *cp; f = fopen(filename, "r"); @@ -585,19 +602,23 @@ return 0; } -/* load public key from pubkey file */ -int -try_load_public_key(const char *filename, Key *k, char **commentp) +/* load public key from ssh v1 private or any pubkey file */ +Key * +key_load_public(const char *filename, char **commentp) { - char pub[MAXPATHLEN]; + Key *pub; + char file[MAXPATHLEN]; - if (do_load_public_key(filename, k, commentp) == 1) - return 1; - if (strlcpy(pub, filename, sizeof pub) >= MAXPATHLEN) - return 0; - if (strlcat(pub, ".pub", sizeof pub) >= MAXPATHLEN) - return 0; - if (do_load_public_key(pub, k, commentp) == 1) - return 1; - return 0; + pub = key_load_public_type(KEY_RSA1, filename, commentp); + if (pub != NULL) + return pub; + pub = key_new(KEY_UNSPEC); + if (key_try_load_public(pub, filename, commentp) == 1) + return pub; + if ((strlcpy(file, filename, sizeof file) < sizeof(file)) && + (strlcat(file, ".pub", sizeof file) < sizeof(file)) && + (key_try_load_public(pub, file, commentp) == 1)) + return pub; + key_free(pub); + return NULL; } diff -ru openssh-2.5.2p2/authfile.h openssh-2.9p1/authfile.h --- openssh-2.5.2p2/authfile.h 2000-11-06 12:39:34.000000000 +1100 +++ openssh-2.9p1/authfile.h 2001-03-26 23:44:07.000000000 +1000 @@ -2,7 +2,6 @@ * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * Functions to interface with the SSH_AUTHENTICATION_FD socket. * * As far as I am concerned, the code I have written for this software * can be used freely for any purpose. Any derived versions of this 
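Review bot: In key_load_private the SSH v1 branch fills `*commentp` via key_load_public_rsa1 and then calls key_load_private_rsa1 with `NULL` for the comment, so when the private part fails (bad passphrase, unsupported cipher) the caller receives NULL while `*commentp` stays allocated; the PEM branch never touches `*commentp` at all. Suggest binding the v1 result to a local and adding `if (prv == NULL && commentp) { xfree(*commentp); *commentp = NULL; }`, plus a comment on the PEM branch that `*commentp` is left unchanged there. The `break;` lines after the `return` statements in key_load_private_type are unreachable and can be dropped. key_try_load_public, whose signature changes at the end of this hunk, continues in the next one.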
@@ -11,41 +10,27 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* $OpenBSD: authfile.h,v 1.5 2000/10/16 09:38:44 djm Exp $ */ +/* $OpenBSD: authfile.h,v 1.6 2001/03/26 08:07:08 markus Exp $ */ #ifndef AUTHFILE_H #define AUTHFILE_H - -/* - * Saves the authentication (private) key in a file, encrypting it with - * passphrase. - * For RSA keys: The identification of the file (lowest 64 bits of n) - * will precede the key to provide identification of the key without - * needing a passphrase. - */ int -save_private_key(const char *filename, const char *passphrase, - Key * private_key, const char *comment); +key_save_private(Key *key, const char *filename, const char *passphrase, + const char *comment); -/* - * Loads the public part of the key file (public key and comment). Returns 0 - * if an error occurred; zero if the public key was successfully read. The - * comment of the key is returned in comment_return if it is non-NULL; the - * caller must free the value with xfree. - */ -int load_public_key(const char *filename, Key * pub, char **comment_return); -int try_load_public_key(const char *filename, Key * pub, char **comment_return); +Key * +key_load_public(const char *filename, char **commentp); -/* - * Loads the private key from the file. Returns 0 if an error is encountered - * (file does not exist or is not readable, or passphrase is bad). This - * initializes the private key. The comment of the key is returned in - * comment_return if it is non-NULL; the caller must free the value with - * xfree. 
- */ -int -load_private_key(const char *filename, const char *passphrase, - Key * private_key, char **comment_return); +Key * +key_load_public_type(int type, const char *filename, char **commentp); + +Key * +key_load_private(const char *filename, const char *passphrase, + char **commentp); + +Key * +key_load_private_type(int type, const char *filename, const char *passphrase, + char **commentp); #endif diff -ru openssh-2.5.2p2/buffer.c openssh-2.9p1/buffer.c --- openssh-2.5.2p2/buffer.c 2001-01-22 16:34:40.000000000 +1100 +++ openssh-2.9p1/buffer.c 2001-04-13 09:34:35.000000000 +1000 @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: buffer.c,v 1.10 2001/01/21 19:05:45 markus Exp $"); +RCSID("$OpenBSD: buffer.c,v 1.13 2001/04/12 19:15:24 markus Exp $"); #include "xmalloc.h" #include "buffer.h" @@ -112,7 +112,8 @@ buffer_get(Buffer *buffer, char *buf, u_int len) { if (len > buffer->end - buffer->offset) - fatal("buffer_get: trying to get more bytes than in buffer"); + fatal("buffer_get: trying to get more bytes %d than in buffer %d", + len, buffer->end - buffer->offset); memcpy(buf, buffer->buf + buffer->offset, len); buffer->offset += len; } @@ -153,7 +154,12 @@ int i; u_char *ucp = (u_char *) buffer->buf; - for (i = buffer->offset; i < buffer->end; i++) - fprintf(stderr, " %02x", ucp[i]); - fprintf(stderr, "\n"); + for (i = buffer->offset; i < buffer->end; i++) { + fprintf(stderr, "%02x", ucp[i]); + if ((i-buffer->offset)%16==15) + fprintf(stderr, "\r\n"); + else if ((i-buffer->offset)%2==1) + fprintf(stderr, " "); + } + fprintf(stderr, "\r\n"); } diff -ru openssh-2.5.2p2/canohost.c openssh-2.9p1/canohost.c --- openssh-2.5.2p2/canohost.c 2001-02-11 08:39:49.000000000 +1100 +++ openssh-2.9p1/canohost.c 2001-04-19 01:32:46.000000000 +1000 
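Review bot: This hunk removes the only API documentation in authfile.h (what each loader returns, when it fails, and that the comment must be xfree'd) without replacing it on the new prototypes. Suggest a comment on each of key_load_public, key_load_public_type, key_load_private and key_load_private_type stating that the result is a `Key *` the caller releases with key_free(), NULL on error (missing or unreadable file, bad passphrase), and that `*commentp`, when non-NULL, receives an xmalloc'd string the caller must xfree(); and on key_save_private, whichever part of the deleted save_private_key note still applies. The removed text already says most of this and can be adapted to the new names.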
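Review bot: The new fatal() message in buffer_get formats `len` with `%d` although the parameter is declared `u_int`, and the remaining-bytes expression is presumably unsigned too. Use `%u` for both: `fatal("buffer_get: trying to get more bytes %u than in buffer %u", len, buffer->end - buffer->offset);`. A mismatched specifier is undefined behaviour and, for values above INT_MAX, prints a negative number in precisely the message meant to explain an oversized read.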
@@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: canohost.c,v 1.23 2001/02/10 01:33:32 markus Exp $"); +RCSID("$OpenBSD: canohost.c,v 1.26 2001/04/18 14:15:00 markus Exp $"); #include "packet.h" #include "xmalloc.h" @@ -71,7 +71,7 @@ NULL, 0, NI_NUMERICHOST) != 0) fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed"); - debug("Trying to reverse map address %.100s.", ntop); + debug3("Trying to reverse map address %.100s.", ntop); /* Map the IP address to a host name. */ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), NULL, 0, NI_NAMEREQD) != 0) { 
@@ -202,30 +202,59 @@ * Returns the remote IP-address of socket as a string. The returned * string must be freed. */ - char * -get_peer_ipaddr(int socket) +get_socket_address(int socket, int remote, int flags) { - struct sockaddr_storage from; - socklen_t fromlen; + struct sockaddr_storage addr; + socklen_t addrlen; char ntop[NI_MAXHOST]; /* Get IP address of client. */ - fromlen = sizeof(from); - memset(&from, 0, sizeof(from)); - if (getpeername(socket, (struct sockaddr *) & from, &fromlen) < 0) { - debug("get_peer_ipaddr: getpeername failed: %.100s", strerror(errno)); - return NULL; + addrlen = sizeof(addr); + memset(&addr, 0, sizeof(addr)); + + if (remote) { + if (getpeername(socket, (struct sockaddr *)&addr, &addrlen) + < 0) { + debug("get_socket_ipaddr: getpeername failed: %.100s", + strerror(errno)); + return NULL; + } + } else { + if (getsockname(socket, (struct sockaddr *)&addr, &addrlen) + < 0) { + debug("get_socket_ipaddr: getsockname failed: %.100s", + strerror(errno)); + return NULL; + } } - /* Get the IP address in ascii. */ - if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop), - NULL, 0, NI_NUMERICHOST) != 0) { - error("get_peer_ipaddr: getnameinfo NI_NUMERICHOST failed"); + /* Get the address in ascii. */ + if (getnameinfo((struct sockaddr *)&addr, addrlen, ntop, sizeof(ntop), + NULL, 0, flags) != 0) { + error("get_socket_ipaddr: getnameinfo %d failed", flags); return NULL; } return xstrdup(ntop); } +char * +get_peer_ipaddr(int socket) +{ + return get_socket_address(socket, 1, NI_NUMERICHOST); +} + +char * +get_local_ipaddr(int socket) +{ + return get_socket_address(socket, 0, NI_NUMERICHOST); +} + +char * +get_local_name(int socket) +{ + return get_socket_address(socket, 0, NI_NAMEREQD); +} + /* * Returns the IP-address of the remote host as a string. The returned * string must not be freed. 
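Review bot: The block comment above get_socket_address still says "Returns the remote IP-address of socket as a string", but the function now resolves either end (`remote`) and passes caller-chosen getnameinfo `flags`, including NI_NAMEREQD from get_local_name, so it may return a resolved hostname rather than an address. Suggest replacing it with `/* Returns the address of the local (remote == 0) or peer end of socket as formatted by getnameinfo with flags (NI_NUMERICHOST gives an IP string, NI_NAMEREQD a resolved name). Returned string must be freed; NULL on failure. */`. The debug and error strings inside refer to `get_socket_ipaddr`, which does not exist; they should name `get_socket_address`.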
@@ -251,6 +280,17 @@ return canonical_host_ip; } +const char * +get_remote_name_or_ip(u_int utmp_len, int reverse_mapping_check) +{ + static const char *remote = ""; + if (utmp_len > 0) + remote = get_canonical_hostname(reverse_mapping_check); + if (utmp_len == 0 || strlen(remote) > utmp_len) + remote = get_remote_ipaddr(); + return remote; +} + /* Returns the local/remote port for the socket. */ int diff -ru openssh-2.5.2p2/canohost.h openssh-2.9p1/canohost.h --- openssh-2.5.2p2/canohost.h 2001-02-04 23:20:19.000000000 +1100 +++ openssh-2.9p1/canohost.h 2001-04-13 09:34:35.000000000 +1000 @@ -1,4 +1,4 @@ -/* $OpenBSD: canohost.h,v 1.4 2001/02/03 10:08:37 markus Exp $ */ +/* $OpenBSD: canohost.h,v 1.6 2001/04/12 19:15:24 markus Exp $ */ /* * Author: Tatu Ylonen @@ -25,9 +25,13 @@ */ const char *get_remote_ipaddr(void); +const char *get_remote_name_or_ip(u_int utmp_len, int reverse_mapping_check); + /* Returns the ipaddr/port number of the peer of the socket. */ char * get_peer_ipaddr(int socket); int get_peer_port(int sock); +char * get_local_ipaddr(int socket); +char * get_local_name(int socket); /* Returns the port number of the remote/local host. */ int get_remote_port(void); diff -ru openssh-2.5.2p2/channels.c openssh-2.9p1/channels.c --- openssh-2.5.2p2/channels.c 2001-03-17 11:47:55.000000000 +1100 +++ openssh-2.9p1/channels.c 2001-04-18 04:14:35.000000000 +1000 @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.99 2001/03/16 19:06:29 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.109 2001/04/17 12:55:03 markus Exp $"); #include #include @@ -51,6 +51,7 @@ #include "packet.h" #include "xmalloc.h" #include "buffer.h" +#include "bufaux.h" #include "uidswap.h" #include "log.h" #include "misc.h" @@ -133,6 +134,8 @@ /* AF_UNSPEC or AF_INET or AF_INET6 */ extern int IPv4or6; +void port_open_helper(Channel *c, char *rtype); + /* Sets specific protocol options. */ void 
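Review bot: `static const char *remote = "";` in get_remote_name_or_ip need not be static: both branches assign `remote` before it is returned (utmp_len == 0 takes the second branch, utmp_len > 0 the first), so a plain `const char *remote;` is clearer and does not suggest state is carried between calls. The neighbouring getters document that their result must not be freed; this function returns those same pointers and should say so, e.g. `/* Returns the canonical hostname if it fits in utmp_len, else the remote IP; the string must not be freed. */`. Since the result ends up in utmp, that comment should also mention that reverse_mapping_check decides whether the reverse-mapped name is cross-checked before being used.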
@@ -417,7 +420,7 @@ packet_put_int(c->remote_id); packet_send(); c->type = SSH_CHANNEL_CLOSED; - debug("Closing channel %d after input drain.", c->self); + debug("channel %d: closing after input drain.", c->self); } } 
@@ -539,6 +542,116 @@ } } +/* try to decode a socks4 header */ +int +channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset) +{ + u_char *p, *host; + int len, have, i, found; + char username[256]; + struct { + u_int8_t version; + u_int8_t command; + u_int16_t dest_port; + struct in_addr dest_addr; + } s4_req, s4_rsp; + + debug2("channel %d: decode socks4", c->self); + + have = buffer_len(&c->input); + len = sizeof(s4_req); + if (have < len) + return 0; + p = buffer_ptr(&c->input); + for (found = 0, i = len; i < have; i++) { + if (p[i] == '\0') { + found = 1; + break; + } + if (i > 1024) { + /* the peer is probably sending garbage */ + debug("channel %d: decode socks4: too long", + c->self); + return -1; + } + } + if (!found) + return 0; + buffer_get(&c->input, (char *)&s4_req.version, 1); + buffer_get(&c->input, (char *)&s4_req.command, 1); + buffer_get(&c->input, (char *)&s4_req.dest_port, 2); + buffer_get(&c->input, (char *)&s4_req.dest_addr, 4); + have = buffer_len(&c->input); + p = buffer_ptr(&c->input); + len = strlen(p); + debug2("channel %d: decode socks4: user %s/%d", c->self, p, len); + if (len > have) + fatal("channel %d: decode socks4: len %d > have %d", + c->self, len, have); + strlcpy(username, p, sizeof(username)); + buffer_consume(&c->input, len); + buffer_consume(&c->input, 1); /* trailing '\0' */ + + host = inet_ntoa(s4_req.dest_addr); + strlcpy(c->path, host, sizeof(c->path)); + c->host_port = ntohs(s4_req.dest_port); + + debug("channel %d: dynamic request: socks4 host %s port %u command %u", + c->self, host, c->host_port, s4_req.command); + + if (s4_req.command != 1) { + debug("channel %d: cannot handle: socks4 cn %d", + c->self, s4_req.command); + return -1; + } + s4_rsp.version = 0; /* vn: 0 for reply */ + s4_rsp.command = 90; /* cd: req granted */ + s4_rsp.dest_port = 0; /* ignored */ + s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */ + buffer_append(&c->output, (char *)&s4_rsp, sizeof(s4_rsp)); + return 1; +} + +/* dynamic 
port forwarding */ +void +channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset) +{ + u_char *p; + int have, ret; + + have = buffer_len(&c->input); + + debug2("channel %d: pre_dynamic: have %d", c->self, have); + /* buffer_dump(&c->input); */ + /* check if the fixed size part of the packet is in buffer. */ + if (have < 4) { + /* need more */ + FD_SET(c->sock, readset); + return; + } + /* try to guess the protocol */ + p = buffer_ptr(&c->input); + switch (p[0]) { + case 0x04: + ret = channel_decode_socks4(c, readset, writeset); + break; + default: + ret = -1; + break; + } + if (ret < 0) { + channel_free(c->self); + } else if (ret == 0) { + debug2("channel %d: pre_dynamic: need more", c->self); + /* need more */ + FD_SET(c->sock, readset); + } else { + /* switch to the next state */ + c->type = SSH_CHANNEL_OPENING; + port_open_helper(c, "direct-tcpip"); + } +} + /* This is our fake X11 server socket. */ void channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset) 
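Review bot: channel_decode_socks4 reads the request field by field but sends the reply by appending the raw `s4_rsp` struct, so the wire format depends on the compiler leaving the 1+1+2+4 layout unpadded; the same assumption makes `len = sizeof(s4_req)` the header size. Either emit the reply field by field like the read side, or pin the assumption with a comment such as `/* layout must be exactly 8 bytes with no padding: it is the socks4 header */`. `username` is filled by strlcpy and never read afterwards; either drop it or use it in the debug2 call, which currently prints the untrusted `p` directly. The bounded scan for the terminating NUL (`i > 1024`) and the rejection of any command other than CONNECT are the right checks for data arriving on the local listener.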
@@ -591,73 +704,100 @@ } } +void +port_open_helper(Channel *c, char *rtype) +{ + int direct; + char buf[1024]; + char *remote_ipaddr = get_peer_ipaddr(c->sock); + u_short remote_port = get_peer_port(c->sock); + + direct = (strcmp(rtype, "direct-tcpip") == 0); + + snprintf(buf, sizeof buf, + "%s: listening port %d for %.100s port %d, " + "connect from %.200s port %d", + rtype, c->listening_port, c->path, c->host_port, + remote_ipaddr, remote_port); + + xfree(c->remote_name); + c->remote_name = xstrdup(buf); + + if (compat20) { + packet_start(SSH2_MSG_CHANNEL_OPEN); + packet_put_cstring(rtype); + packet_put_int(c->self); + packet_put_int(c->local_window_max); + packet_put_int(c->local_maxpacket); + if (direct) { + /* target host, port */ + packet_put_cstring(c->path); + packet_put_int(c->host_port); + } else { + /* listen address, port */ + packet_put_cstring(c->path); + packet_put_int(c->listening_port); + } + /* originator host and port */ + packet_put_cstring(remote_ipaddr); + packet_put_int(remote_port); + packet_send(); + } else { + packet_start(SSH_MSG_PORT_OPEN); + packet_put_int(c->self); + packet_put_cstring(c->path); + packet_put_int(c->host_port); + if (have_hostname_in_open) + packet_put_cstring(c->remote_name); + packet_send(); + } + xfree(remote_ipaddr); +} + /* * This socket is listening for connections to a forwarded TCP/IP port. */ void channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset) { + Channel *nc; struct sockaddr addr; - int newsock, newch; + int newsock, newch, nextstate; socklen_t addrlen; - char buf[1024], *remote_ipaddr, *rtype; - int remote_port; - - rtype = (c->type == SSH_CHANNEL_RPORT_LISTENER) ? - "forwarded-tcpip" : "direct-tcpip"; + char *rtype; if (FD_ISSET(c->sock, readset)) { debug("Connection to port %d forwarding " "to %.100s port %d requested.", c->listening_port, c->path, c->host_port); + + rtype = (c->type == SSH_CHANNEL_RPORT_LISTENER) ? 
+ "forwarded-tcpip" : "direct-tcpip"; + nextstate = (c->host_port == 0) ? SSH_CHANNEL_DYNAMIC : + SSH_CHANNEL_OPENING; + addrlen = sizeof(addr); newsock = accept(c->sock, &addr, &addrlen); if (newsock < 0) { error("accept: %.100s", strerror(errno)); return; } - remote_ipaddr = get_peer_ipaddr(newsock); - remote_port = get_peer_port(newsock); - snprintf(buf, sizeof buf, - "listen port %d for %.100s port %d, " - "connect from %.200s port %d", - c->listening_port, c->path, c->host_port, - remote_ipaddr, remote_port); - newch = channel_new(rtype, - SSH_CHANNEL_OPENING, newsock, newsock, -1, + nextstate, newsock, newsock, -1, c->local_window_max, c->local_maxpacket, - 0, xstrdup(buf), 1); - if (compat20) { - packet_start(SSH2_MSG_CHANNEL_OPEN); - packet_put_cstring(rtype); - packet_put_int(newch); - packet_put_int(c->local_window_max); - packet_put_int(c->local_maxpacket); - if (c->type == SSH_CHANNEL_RPORT_LISTENER) { - /* listen address, port */ - packet_put_string(c->path, strlen(c->path)); - packet_put_int(c->listening_port); - } else { - /* target host, port */ - packet_put_string(c->path, strlen(c->path)); - packet_put_int(c->host_port); - } - /* originator host and port */ - packet_put_cstring(remote_ipaddr); - packet_put_int(remote_port); - packet_send(); - } else { - packet_start(SSH_MSG_PORT_OPEN); - packet_put_int(newch); - packet_put_string(c->path, strlen(c->path)); - packet_put_int(c->host_port); - if (have_hostname_in_open) { - packet_put_string(buf, strlen(buf)); - } - packet_send(); + 0, xstrdup(rtype), 1); + + nc = channel_lookup(newch); + if (nc == NULL) { + error("xxx: no new channel:"); + return; } - xfree(remote_ipaddr); + nc->listening_port = c->listening_port; + nc->host_port = c->host_port; + strlcpy(nc->path, c->path, sizeof(nc->path)); + + if (nextstate != SSH_CHANNEL_DYNAMIC) + port_open_helper(nc, rtype); } } 
@@ -733,10 +873,14 @@ if (len <= 0) { debug("channel %d: read<=0 rfd %d len %d", c->self, c->rfd, len); - if (compat13) { + if (c->type != SSH_CHANNEL_OPEN) { + debug("channel %d: not open", c->self); + channel_free(c->self); + return -1; + } else if (compat13) { buffer_consume(&c->output, buffer_len(&c->output)); c->type = SSH_CHANNEL_INPUT_DRAINING; - debug("Channel %d status set to input draining.", c->self); + debug("channel %d: status set to input draining.", c->self); } else { chan_read_failed(c); } @@ -744,7 +888,7 @@ } if(c->input_filter != NULL) { if (c->input_filter(c, buf, len) == -1) { - debug("filter stops channel %d", c->self); + debug("channel %d: filter stops", c->self); chan_read_failed(c); } } else { @@ -768,9 +912,13 @@ if (len < 0 && (errno == EINTR || errno == EAGAIN)) return 1; if (len <= 0) { - if (compat13) { + if (c->type != SSH_CHANNEL_OPEN) { + debug("channel %d: not open", c->self); + channel_free(c->self); + return -1; + } else if (compat13) { buffer_consume(&c->output, buffer_len(&c->output)); - debug("Channel %d status set to input draining.", c->self); + debug("channel %d: status set to input draining.", c->self); c->type = SSH_CHANNEL_INPUT_DRAINING; } else { chan_write_failed(c); @@ -845,7 +993,8 @@ int channel_check_window(Channel *c) { - if (!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && + if (c->type == SSH_CHANNEL_OPEN && + !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && c->local_window < c->local_window_max/2 && c->local_consumed > 0) { packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); @@ -903,6 +1052,7 @@ channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; + channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_2; channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 
@@ -910,6 +1060,7 @@ channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; + channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open_2; } void @@ -923,6 +1074,7 @@ channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining; channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining; channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; + channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1; channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; @@ -930,6 +1082,7 @@ channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13; channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; + channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open_1; } void @@ -941,12 +1094,14 @@ channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; + channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1; channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; + channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open_1; } void @@ -1005,7 +1160,8 @@ } void -channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp) +channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, + int rekeying) { int n; u_int sz; 
@@ -1025,7 +1181,8 @@ memset(*readsetp, 0, sz); memset(*writesetp, 0, sz); - channel_handler(channel_pre, *readsetp, *writesetp); + if (!rekeying) + channel_handler(channel_pre, *readsetp, *writesetp); } void @@ -1498,6 +1655,7 @@ case SSH_CHANNEL_RPORT_LISTENER: case SSH_CHANNEL_CLOSED: case SSH_CHANNEL_AUTH_SOCKET: + case SSH_CHANNEL_DYNAMIC: case SSH_CHANNEL_CONNECTING: /* XXX ??? */ continue; case SSH_CHANNEL_LARVAL: @@ -1520,6 +1678,41 @@ return 0; } +/* Returns the id of an open channel suitable for keepaliving */ + +int +channel_find_open() +{ + u_int i; + for (i = 0; i < channels_alloc; i++) + switch (channels[i].type) { + case SSH_CHANNEL_CLOSED: + case SSH_CHANNEL_DYNAMIC: + case SSH_CHANNEL_FREE: + case SSH_CHANNEL_X11_LISTENER: + case SSH_CHANNEL_PORT_LISTENER: + case SSH_CHANNEL_RPORT_LISTENER: + case SSH_CHANNEL_OPENING: + continue; + case SSH_CHANNEL_LARVAL: + case SSH_CHANNEL_AUTH_SOCKET: + case SSH_CHANNEL_CONNECTING: /* XXX ??? */ + case SSH_CHANNEL_OPEN: + case SSH_CHANNEL_X11_OPEN: + return i; + case SSH_CHANNEL_INPUT_DRAINING: + case SSH_CHANNEL_OUTPUT_DRAINING: + if (!compat13) + fatal("cannot happen: OUT_DRAIN"); + return i; + default: + fatal("channel_find_open: bad channel type %d", channels[i].type); + /* NOTREACHED */ + } + return -1; +} + + /* * Returns a message describing the currently open forwarded connections, * suitable for sending to the client. The message contains crlf pairs for @@ -1549,6 +1742,7 @@ case SSH_CHANNEL_LARVAL: case SSH_CHANNEL_OPENING: case SSH_CHANNEL_CONNECTING: + case SSH_CHANNEL_DYNAMIC: case SSH_CHANNEL_OPEN: case SSH_CHANNEL_X11_OPEN: case SSH_CHANNEL_INPUT_DRAINING: @@ -1791,7 +1985,7 @@ all_opens_permitted = 1; } -void +void channel_add_permitted_opens(char *host, int port) { if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) @@ -1805,7 +1999,7 @@ all_opens_permitted = 0; } -void +void channel_clear_permitted_opens(void) { int i; 
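Review bot: channel_find_open in the `@@ -1520,6 +1678,41 @@` hunk is defined as `int channel_find_open()` while channels.h in this diff declares it `(void)`; the empty parameter list is an old-style declaration and should match the prototype: `int channel_find_open(void)`. The loop index is `u_int i` returned through an `int`, harmless for realistic channel counts but worth an `int` index or a cast to keep -Wconversion quiet. The comment promises an id "suitable for keepaliving", yet SSH_CHANNEL_LARVAL and SSH_CHANNEL_CONNECTING are accepted and the `/* XXX ??? */` beside CONNECTING shows the author was unsure; a sentence on why those states count as open would help the next reader.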
@@ -2408,7 +2602,7 @@ fatal("Protocol error: authentication forwarding requested twice."); /* Temporarily drop privileged uid for mkdir/bind. */ - temporarily_use_uid(pw->pw_uid); + temporarily_use_uid(pw); /* Allocate a buffer for the socket name, and format the name. */ channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME); diff -ru openssh-2.5.2p2/channels.h openssh-2.9p1/channels.h --- openssh-2.5.2p2/channels.h 2001-03-17 11:47:55.000000000 +1100 +++ openssh-2.9p1/channels.h 2001-04-14 09:28:02.000000000 +1000 @@ -32,7 +32,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* RCSID("$OpenBSD: channels.h,v 1.28 2001/03/16 19:06:29 markus Exp $"); */ +/* RCSID("$OpenBSD: channels.h,v 1.31 2001/04/13 22:46:53 beck Exp $"); */ #ifndef CHANNELS_H #define CHANNELS_H @@ -53,7 +53,8 @@ #define SSH_CHANNEL_LARVAL 10 /* larval session */ #define SSH_CHANNEL_RPORT_LISTENER 11 /* Listening to a R-style port */ #define SSH_CHANNEL_CONNECTING 12 -#define SSH_CHANNEL_MAX_TYPE 13 +#define SSH_CHANNEL_DYNAMIC 13 +#define SSH_CHANNEL_MAX_TYPE 14 /* * Data structure for channel data. This is iniailized in channel_allocate @@ -171,7 +172,8 @@ * select bitmasks. */ void -channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp); +channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, + int rekeying); /* * After select, perform any appropriate operations for channels which have @@ -305,4 +307,6 @@ int channel_connect_by_listen_adress(u_short listen_port); int x11_connect_display(void); +int channel_find_open(void); + #endif diff -ru openssh-2.5.2p2/clientloop.c openssh-2.9p1/clientloop.c --- openssh-2.5.2p2/clientloop.c 2001-03-06 14:34:40.000000000 +1100 +++ openssh-2.9p1/clientloop.c 2001-04-20 22:50:51.000000000 +1000 
@@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.53 2001/03/06 01:08:27 millert Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.65 2001/04/20 07:17:51 djm Exp $"); #include "ssh.h" #include "ssh1.h" @@ -73,11 +73,14 @@ #include "buffer.h" #include "bufaux.h" #include "key.h" +#include "kex.h" #include "log.h" #include "readconf.h" #include "clientloop.h" #include "authfd.h" #include "atomicio.h" +#include "sshtty.h" +#include "misc.h" /* import options */ extern Options options; @@ -100,15 +103,6 @@ */ static volatile int received_window_change_signal = 0; -/* Terminal modes, as saved by enter_raw_mode. */ -static struct termios saved_tio; - -/* - * Flag indicating whether we are in raw mode. This is used by - * enter_raw_mode and leave_raw_mode. - */ -static int in_raw_mode = 0; - /* Flag indicating whether the user\'s terminal is in non-blocking mode. */ static int in_non_blocking_mode = 0; 
@@ -126,49 +120,14 @@ static u_int buffer_high;/* Soft max buffer size. */ static int connection_in; /* Connection to server (input). */ static int connection_out; /* Connection to server (output). */ +static int need_rekeying; /* Set to non-zero if rekeying is requested. */ +static int session_closed = 0; /* In SSH2: login session closed. */ void client_init_dispatch(void); int session_ident = -1; -/* Returns the user\'s terminal to normal mode if it had been put in raw mode. */ - -void -leave_raw_mode(void) -{ - if (!in_raw_mode) - return; - in_raw_mode = 0; - if (tcsetattr(fileno(stdin), TCSADRAIN, &saved_tio) < 0) - perror("tcsetattr"); - - fatal_remove_cleanup((void (*) (void *)) leave_raw_mode, NULL); -} - -/* Puts the user\'s terminal in raw mode. */ - -void -enter_raw_mode(void) -{ - struct termios tio; - - if (tcgetattr(fileno(stdin), &tio) < 0) - perror("tcgetattr"); - saved_tio = tio; - tio.c_iflag |= IGNPAR; - tio.c_iflag &= ~(ISTRIP | INLCR | IGNCR | ICRNL | IXON | IXANY | IXOFF); - tio.c_lflag &= ~(ISIG | ICANON | ECHO | ECHOE | ECHOK | ECHONL); -#ifdef IEXTEN - tio.c_lflag &= ~IEXTEN; -#endif /* IEXTEN */ - tio.c_oflag &= ~OPOST; - tio.c_cc[VMIN] = 1; - tio.c_cc[VTIME] = 0; - if (tcsetattr(fileno(stdin), TCSADRAIN, &tio) < 0) - perror("tcsetattr"); - in_raw_mode = 1; - - fatal_add_cleanup((void (*) (void *)) leave_raw_mode, NULL); -} +/*XXX*/ +extern Kex *xxx_kex; /* Restores stdin to blocking mode. */ @@ -212,7 +171,7 @@ void signal_handler(int sig) { - if (in_raw_mode) + if (in_raw_mode()) leave_raw_mode(); if (in_non_blocking_mode) leave_non_blocking(); @@ -363,10 +322,10 @@ void client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, - int *maxfdp) + int *maxfdp, int rekeying) { /* Add any selections by the channel mechanism. */ - channel_prepare_select(readsetp, writesetp, maxfdp); + channel_prepare_select(readsetp, writesetp, maxfdp, rekeying); if (!compat20) { /* Read from the connection, unless our buffers are full. */ 
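Review bot: The two file-scope flags added in the @@ -126 hunk are declared in different styles — `static int need_rekeying;` relies on implicit zero-initialisation while `static int session_closed = 0;` spells it out; both start at zero, but one convention should be used, e.g. `static int need_rekeying = 0; /* Set to non-zero if rekeying is requested. */`. The `/*XXX*/ extern Kex *xxx_kex;` that follows deserves a real comment, since later hunks in this file read `xxx_kex->done` and pass it to kex_send_kexinit and dispatch_run; something like `/* SSH2 key-exchange state used for rekeying; NULL when no SSH2 kex has run -- confirm against kex.c */` would tell the next reader what the NULL checks elsewhere are guarding. Whether xxx_kex can be NULL in protocol 1 is inferred from those checks, not shown here.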
@@ -548,6 +507,15 @@ /* We have been continued. */ continue; + case 'R': + if (compat20) { + if (datafellows & SSH_BUG_NOREKEY) + log("Server does not support re-keying"); + else + need_rekeying = 1; + } + continue; + case '&': /* XXX does not work yet with proto 2 */ if (compat20) @@ -598,6 +566,7 @@ "%c?\r\n\ Supported escape sequences:\r\n\ ~. - terminate connection\r\n\ +~R - Request rekey (SSH protocol 2 only)\r\n\ ~^Z - suspend ssh\r\n\ ~# - list forwarded connections\r\n\ ~& - background ssh (when waiting for connections to terminate)\r\n\ @@ -657,6 +626,8 @@ if (FD_ISSET(fileno(stdin), readset)) { /* Read as much as possible. */ len = read(fileno(stdin), buf, sizeof(buf)); + if (len < 0 && (errno == EAGAIN || errno == EINTR)) + return; /* we'll try again later */ if (len <= 0) { /* * Received EOF or error. They are treated @@ -710,7 +681,7 @@ len = write(fileno(stdout), buffer_ptr(&stdout_buffer), buffer_len(&stdout_buffer)); if (len <= 0) { - if (errno == EAGAIN) + if (errno == EINTR || errno == EAGAIN) len = 0; else { /* @@ -725,7 +696,7 @@ } /* Consume printed data from the buffer. */ buffer_consume(&stdout_buffer, len); - stdout_bytes += len; + stdout_bytes += len; } /* Write buffered output to stderr. */ if (FD_ISSET(fileno(stderr), writeset)) { @@ -733,7 +704,7 @@ len = write(fileno(stderr), buffer_ptr(&stderr_buffer), buffer_len(&stderr_buffer)); if (len <= 0) { - if (errno == EAGAIN) + if (errno == EINTR || errno == EAGAIN) len = 0; else { /* EOF or error, but can't even print error message. */ @@ -743,7 +714,7 @@ } /* Consume printed characters from the buffer. */ buffer_consume(&stderr_buffer, len); - stderr_bytes += len; + stderr_bytes += len; } } @@ -762,7 +733,7 @@ void client_process_buffered_input_packets(void) { - dispatch_run(DISPATCH_NONBLOCK, &quit_pending, NULL); + dispatch_run(DISPATCH_NONBLOCK, &quit_pending, compat20 ? xxx_kex : NULL); } /* scan buf[] for '~' before sending data to the peer */ 
@@ -774,6 +745,17 @@ return process_escapes(&c->input, &c->output, &c->extended, buf, len); } +void +client_channel_closed(int id, void *arg) +{ + if (id != session_ident) + error("client_channel_closed: id %d != session_ident %d", + id, session_ident); + session_closed = 1; + if (in_raw_mode()) + leave_raw_mode(); +} + /* * Implements the interactive session with the server. This is called after * the user has been authenticated, and a command has been started on the @@ -785,9 +767,8 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) { fd_set *readset = NULL, *writeset = NULL; - int max_fd = 0; double start_time, total_time; - int len; + int max_fd = 0, len, rekeying = 0; char buf[100]; debug("Entering interactive session."); @@ -805,6 +786,13 @@ max_fd = MAX(connection_in, connection_out); if (!compat20) { + /* enable nonblocking unless tty */ + if (!isatty(fileno(stdin))) + set_nonblock(fileno(stdin)); + if (!isatty(fileno(stdout))) + set_nonblock(fileno(stdout)); + if (!isatty(fileno(stderr))) + set_nonblock(fileno(stderr)); max_fd = MAX(max_fd, fileno(stdin)); max_fd = MAX(max_fd, fileno(stdout)); max_fd = MAX(max_fd, fileno(stderr)); @@ -838,6 +826,9 @@ if (escape_char != -1) channel_register_filter(session_ident, simple_escape_filter); + if (session_ident != -1) + channel_register_cleanup(session_ident, + client_channel_closed); } else { /* Check if we should immediately send eof on stdin. */ client_check_initial_eof_on_stdin(); 
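Review bot: client_channel_closed in the @@ -774 hunk reports an id mismatch with error() but then still sets `session_closed = 1` and leaves raw mode, so a cleanup callback for a channel other than the session would end the interactive loop anyway. If the mismatch is a real, if unexpected, condition, returning right after the error() call keeps a stray callback from tearing the session down; if it is considered impossible, fatal() states that more honestly than a message whose condition is then ignored. The unused `arg` parameter is presumably dictated by the channel_register_cleanup callback type and a short comment saying so, `/* arg unused; callback signature fixed by channel_register_cleanup */`, would stop the next reader from removing it.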
@@ -849,45 +840,58 @@ /* Process buffered packets sent by the server. */ client_process_buffered_input_packets(); - if (compat20 && !channel_still_open()) { - debug2("!channel_still_open."); + if (compat20 && session_closed && !channel_still_open()) break; - } - /* - * Make packets of buffered stdin data, and buffer them for - * sending to the server. - */ - if (!compat20) - client_make_packets_from_stdin_data(); + rekeying = (xxx_kex != NULL && !xxx_kex->done); - /* - * Make packets from buffered channel data, and enqueue them - * for sending to the server. - */ - if (packet_not_very_much_data_to_write()) - channel_output_poll(); + if (rekeying) { + debug("rekeying in progress"); + } else { + /* + * Make packets of buffered stdin data, and buffer + * them for sending to the server. + */ + if (!compat20) + client_make_packets_from_stdin_data(); - /* - * Check if the window size has changed, and buffer a message - * about it to the server if so. - */ - client_check_window_change(); + /* + * Make packets from buffered channel data, and + * enqueue them for sending to the server. + */ + if (packet_not_very_much_data_to_write()) + channel_output_poll(); - if (quit_pending) - break; + /* + * Check if the window size has changed, and buffer a + * message about it to the server if so. + */ + client_check_window_change(); + if (quit_pending) + break; + } /* * Wait until we have something to do (something becomes * available on one of the descriptors). */ - client_wait_until_can_do_something(&readset, &writeset, &max_fd); + client_wait_until_can_do_something(&readset, &writeset, + &max_fd, rekeying); if (quit_pending) break; - /* Do channel operations. */ - channel_after_select(readset, writeset); + /* Do channel operations unless rekeying in progress. 
*/ + if (!rekeying) { + channel_after_select(readset, writeset); + + if (need_rekeying) { + debug("user requests rekeying"); + xxx_kex->done = 0; + kex_send_kexinit(xxx_kex); + need_rekeying = 0; + } + } /* Buffer input from the connection. */ client_process_net_input(readset); @@ -940,7 +944,7 @@ break; } buffer_consume(&stdout_buffer, len); - stdout_bytes += len; + stdout_bytes += len; } /* Output any buffered data for stderr. */ @@ -952,7 +956,7 @@ break; } buffer_consume(&stderr_buffer, len); - stderr_bytes += len; + stderr_bytes += len; } if (have_pty) @@ -1206,6 +1210,9 @@ dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &client_input_channel_req); dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust); + + /* rekeying */ + dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit); } void client_init_dispatch_13(void) diff -ru openssh-2.5.2p2/compat.c openssh-2.9p1/compat.c --- openssh-2.5.2p2/compat.c 2001-03-19 22:36:20.000000000 +1100 +++ openssh-2.9p1/compat.c 2001-04-20 06:40:46.000000000 +1000 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: compat.c,v 1.39 2001/03/18 23:30:55 deraadt Exp $"); +RCSID("$OpenBSD: compat.c,v 1.47 2001/04/18 23:43:25 markus Exp $"); #ifdef HAVE_LIBPCRE # include 
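Review bot: In the @@ -849 hunk, which begins on the previous line, `xxx_kex->done = 0;` under `if (need_rekeying)` dereferences xxx_kex unconditionally, whereas `rekeying = (xxx_kex != NULL && !xxx_kex->done);` a few lines earlier in the same loop treats a NULL xxx_kex as possible. need_rekeying is only set under compat20 in the escape handler, so xxx_kex is presumably non-NULL by the time a user requests a rekey, but the asymmetry costs nothing to close: `if (need_rekeying && xxx_kex != NULL) {`. Note also that a request made while a rekey is already in flight is not consumed (the whole block is skipped when rekeying is set), so it fires again as soon as the current exchange completes; whether that is intended depends on kex_send_kexinit, which is not visible here. client_loop continues beyond the end of the hunk.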
@@ -68,29 +68,46 @@ int bugs; } check[] = { { "^OpenSSH[-_]2\\.[012]", - SSH_OLD_SESSIONID|SSH_BUG_BANNER }, - { "^OpenSSH_2\\.3\\.0", SSH_BUG_BANNER }, + SSH_OLD_SESSIONID|SSH_BUG_BANNER| + SSH_OLD_DHGEX|SSH_BUG_NOREKEY }, + { "^OpenSSH_2\\.3\\.0", SSH_BUG_BANNER|SSH_BUG_BIGENDIANAES| + SSH_OLD_DHGEX|SSH_BUG_NOREKEY}, + { "^OpenSSH_2\\.3\\.", SSH_BUG_BIGENDIANAES|SSH_OLD_DHGEX| + SSH_BUG_NOREKEY}, + { "^OpenSSH_2\\.5\\.[01]p1", + SSH_BUG_BIGENDIANAES|SSH_OLD_DHGEX| + SSH_BUG_NOREKEY }, + { "^OpenSSH_2\\.5\\.[012]", + SSH_OLD_DHGEX|SSH_BUG_NOREKEY }, + { "^OpenSSH_2\\.5\\.3", + SSH_BUG_NOREKEY }, { "^OpenSSH", 0 }, { "MindTerm", 0 }, { "^2\\.1\\.0", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| - SSH_OLD_SESSIONID|SSH_BUG_DEBUG }, + SSH_OLD_SESSIONID|SSH_BUG_DEBUG| + SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE }, { "^2\\.1 ", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| - SSH_OLD_SESSIONID|SSH_BUG_DEBUG }, + SSH_OLD_SESSIONID|SSH_BUG_DEBUG| + SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE }, { "^2\\.0\\.1[3-9]", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| SSH_OLD_SESSIONID|SSH_BUG_DEBUG| SSH_BUG_PKSERVICE|SSH_BUG_X11FWD| - SSH_BUG_PKOK }, + SSH_BUG_PKOK|SSH_BUG_RSASIGMD5| + SSH_BUG_HBSERVICE }, { "^2\\.0\\.", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| SSH_OLD_SESSIONID|SSH_BUG_DEBUG| SSH_BUG_PKSERVICE|SSH_BUG_X11FWD| - SSH_BUG_PKAUTH|SSH_BUG_PKOK }, - { "^2\\.[23]\\.0", SSH_BUG_HMAC }, + SSH_BUG_PKAUTH|SSH_BUG_PKOK| + SSH_BUG_RSASIGMD5 }, + { "^2\\.[23]\\.0", SSH_BUG_HMAC|SSH_BUG_RSASIGMD5 }, + { "^2\\.3\\.", SSH_BUG_RSASIGMD5 }, { "^2\\.[2-9]\\.", 0 }, { "^2\\.4$", SSH_OLD_SESSIONID }, /* Van Dyke */ { "^3\\.0 SecureCRT", SSH_OLD_SESSIONID }, { "^1\\.7 SecureFX", SSH_OLD_SESSIONID }, { "^1\\.2\\.1[89]", SSH_BUG_IGNOREMSG }, { "^1\\.2\\.2[012]", SSH_BUG_IGNOREMSG }, + { "^1\\.3\\.2", SSH_BUG_IGNOREMSG }, /* f-secure */ { "^SSH Compatible Server", /* Netscreen */ SSH_BUG_PASSWORDPAD }, { "^OSU_0", SSH_BUG_PASSWORDPAD }, 
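Review bot: The new check[] entries (`^OpenSSH_2\.3\.0` ahead of `^OpenSSH_2\.3\.`, `^OpenSSH_2\.5\.[01]p1` ahead of `^OpenSSH_2\.5\.[012]`, and all of them ahead of the `^OpenSSH` catch-all) only assign the right bug bits if the lookup stops at the first matching pattern, which this hunk does not show and which the next addition can silently break. A comment above the table, `/* order matters: first match wins, keep specific patterns above their prefixes and above "^OpenSSH" */`, would document the constraint. The function that walks check[] starts outside the hunk.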
@@ -149,3 +166,33 @@
 xfree(s);
 return ret;
 }
+
+char *
+compat_cipher_proposal(char *cipher_prop)
+{
+ char *orig_prop, *fix_ciphers;
+ char *cp, *tmp;
+ size_t len;
+
+ if (!(datafellows & SSH_BUG_BIGENDIANAES))
+ return(cipher_prop);
+
+ len = strlen(cipher_prop) + 1;
+ fix_ciphers = xmalloc(len);
+ *fix_ciphers = '\0';
+ tmp = orig_prop = xstrdup(cipher_prop);
+ while((cp = strsep(&tmp, ",")) != NULL) {
+ if (strncmp(cp, "aes", 3) && strncmp(cp, "rijndael", 8)) {
+ if (*fix_ciphers)
+ strlcat(fix_ciphers, ",", len);
+ strlcat(fix_ciphers, cp, len);
+ }
+ }
+ xfree(orig_prop);
+ debug2("Original cipher proposal: %s", cipher_prop);
+ debug2("Compat cipher proposal: %s", fix_ciphers);
+ if (!*fix_ciphers)
+ fatal("No available ciphers found.");
+
+ return(fix_ciphers);
+}
diff -ru openssh-2.5.2p2/compat.h openssh-2.9p1/compat.h
--- openssh-2.5.2p2/compat.h 2001-03-19 22:36:20.000000000 +1100
+++ openssh-2.9p1/compat.h 2001-04-13 09:34:35.000000000 +1000
@@ -21,7 +21,7 @@
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-/* RCSID("$OpenBSD: compat.h,v 1.18 2001/03/18 23:30:55 deraadt Exp $"); */
+/* RCSID("$OpenBSD: compat.h,v 1.23 2001/04/12 19:15:24 markus Exp $"); */
 #ifndef COMPAT_H
 #define COMPAT_H
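Review bot: compat_cipher_proposal returns either its argument unchanged (`return(cipher_prop);` when SSH_BUG_BIGENDIANAES is clear) or a freshly xmalloc'd string, so a caller cannot know whether the result must be freed: freeing unconditionally would free its own buffer, never freeing leaks the filtered copy. Returning `return(xstrdup(cipher_prop));` on the early-exit path makes the contract uniform (caller owns and frees the result); failing that, the prototype added to compat.h should carry a comment spelling out both cases. The strlcat bound is sound as written, since the filtered list is a subset of the input and `len` is the input length plus one.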
@@ -43,11 +43,17 @@
 #define SSH_BUG_PKOK 0x0200
 #define SSH_BUG_PASSWORDPAD 0x0400
 #define SSH_BUG_SCANNER 0x0800
+#define SSH_BUG_BIGENDIANAES 0x1000
+#define SSH_BUG_RSASIGMD5 0x2000
+#define SSH_OLD_DHGEX 0x4000
+#define SSH_BUG_NOREKEY 0x8000
+#define SSH_BUG_HBSERVICE 0x10000
 void enable_compat13(void);
 void enable_compat20(void);
 void compat_datafellows(const char *s);
 int proto_spec(const char *spec);
+char *compat_cipher_proposal(char *cipher_prop);
 extern int compat13;
 extern int compat20;
 extern int datafellows;
diff -ru openssh-2.5.2p2/compress.c openssh-2.9p1/compress.c
--- openssh-2.5.2p2/compress.c 2001-02-09 13:11:24.000000000 +1100
+++ openssh-2.9p1/compress.c 2001-04-06 09:20:47.000000000 +1000
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: compress.c,v 1.13 2001/02/08 19:30:51 itojun Exp $");
+RCSID("$OpenBSD: compress.c,v 1.14 2001/04/05 10:39:01 markus Exp $");
 #include "log.h"
 #include "buffer.h"
@@ -21,6 +21,8 @@
 static z_stream incoming_stream;
 static z_stream outgoing_stream;
+static int compress_init_send_called = 0;
+static int compress_init_recv_called = 0;
 /*
 * Initializes compression; level is compression level from 1 to 9
@@ -28,14 +30,24 @@
 */
 void
-buffer_compress_init(int level)
+buffer_compress_init_send(int level)
 {
+ if (compress_init_send_called == 1)
+ deflateEnd(&incoming_stream);
+ compress_init_send_called = 1;
 debug("Enabling compression at level %d.", level);
 if (level < 1 || level > 9)
 fatal("Bad compression level %d.", level);
- inflateInit(&incoming_stream);
 deflateInit(&outgoing_stream, level);
 }
+void
+buffer_compress_init_recv(void)
+{
+ if (compress_init_recv_called == 1)
+ inflateEnd(&incoming_stream);
+ compress_init_recv_called = 1;
+ inflateInit(&incoming_stream);
+}
 /* Frees any data structures allocated for compression. */
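Review bot: In the compress.c @@ -28 hunk, `deflateEnd(&incoming_stream);` in buffer_compress_init_send ends the wrong stream: incoming_stream is the inflate stream that buffer_compress_init_recv sets up with inflateInit, while this function initialises outgoing_stream with deflateInit. On a second call — the re-initialisation case these new flags exist to support — the receive side is torn down and the previous deflate state of outgoing_stream is never released. The line should read `deflateEnd(&outgoing_stream);`.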
@@ -50,8 +62,10 @@ incoming_stream.total_out, incoming_stream.total_in, incoming_stream.total_out == 0 ? 0.0 : (double) incoming_stream.total_in / incoming_stream.total_out); - inflateEnd(&incoming_stream); - deflateEnd(&outgoing_stream); + if (compress_init_recv_called == 1) + inflateEnd(&incoming_stream); + if (compress_init_send_called == 1) + deflateEnd(&outgoing_stream); } /* diff -ru openssh-2.5.2p2/compress.h openssh-2.9p1/compress.h --- openssh-2.5.2p2/compress.h 2000-12-29 09:16:01.000000000 +1100 +++ openssh-2.9p1/compress.h 2001-04-06 09:20:47.000000000 +1000 @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: compress.h,v 1.7 2000/12/20 19:37:22 markus Exp $"); */ +/* RCSID("$OpenBSD: compress.h,v 1.8 2001/04/05 10:39:02 markus Exp $"); */ #ifndef COMPRESS_H #define COMPRESS_H @@ -20,7 +20,8 @@ * Initializes compression; level is compression level from 1 to 9 (as in * gzip). */ -void buffer_compress_init(int level); +void buffer_compress_init_send(int level); +void buffer_compress_init_recv(void); /* Frees any data structures allocated by buffer_compress_init. */ void buffer_compress_uninit(void); diff -ru openssh-2.5.2p2/config.h.in openssh-2.9p1/config.h.in --- openssh-2.5.2p2/config.h.in 2001-03-22 16:07:05.000000000 +1100 +++ openssh-2.9p1/config.h.in 2001-04-29 22:40:30.000000000 +1000 @@ -1,5 +1,5 @@ /* config.h.in. Generated automatically from configure.in by autoheader. */ -/* $Id: acconfig.h,v 1.108 2001/03/17 01:15:38 mouring Exp $ */ +/* $Id: acconfig.h,v 1.110 2001/04/05 17:15:08 stevesk Exp $ */ #ifndef _CONFIG_H #define _CONFIG_H @@ -284,9 +284,6 @@ /* getaddrinfo is broken (if present) */ #undef BROKEN_GETADDRINFO -/* vhangup is broken (if present) */ -#undef BROKEN_VHANGUP - /* Workaround more Linux IPv6 quirks */ #undef DONT_TRY_OTHER_AF 
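Review bot: buffer_compress_uninit in the @@ -50 hunk now ends only the streams that were initialised, but it never clears compress_init_send_called and compress_init_recv_called, so a subsequent buffer_compress_init_send or buffer_compress_init_recv would call deflateEnd or inflateEnd a second time on a stream that has already been ended. Reset each flag next to its End call, e.g. `inflateEnd(&incoming_stream); compress_init_recv_called = 0;` and the same for the send side. The compress.h comment `/* Frees any data structures allocated by buffer_compress_init. */` also still names the function this diff splits and should refer to buffer_compress_init_send and buffer_compress_init_recv. The start of buffer_compress_uninit lies outside the hunk.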
@@ -308,6 +305,9 @@ /* Define if your system glob() function has gl_matchc options in glob_t */ #undef GLOB_HAS_GL_MATCHC +/* Define in your struct dirent expects you to allocate extra space for d_name */ +#undef BROKEN_ONE_BYTE_DIRENT_D_NAME + /* The number of bytes in a char. */ #undef SIZEOF_CHAR @@ -428,6 +428,9 @@ /* Define if you have the inet_ntoa function. */ #undef HAVE_INET_NTOA +/* Define if you have the inet_ntop function. */ +#undef HAVE_INET_NTOP + /* Define if you have the innetgr function. */ #undef HAVE_INNETGR @@ -476,6 +479,9 @@ /* Define if you have the setdtablesize function. */ #undef HAVE_SETDTABLESIZE +/* Define if you have the setegid function. */ +#undef HAVE_SETEGID + /* Define if you have the setenv function. */ #undef HAVE_SETENV @@ -491,6 +497,9 @@ /* Define if you have the setproctitle function. */ #undef HAVE_SETPROCTITLE +/* Define if you have the setresgid function. */ +#undef HAVE_SETRESGID + /* Define if you have the setreuid function. */ #undef HAVE_SETREUID @@ -569,6 +578,9 @@ /* Define if you have the header file. */ #undef HAVE_BSTRING_H +/* Define if you have the header file. */ +#undef HAVE_CRYPT_H + /* Define if you have the header file. */ #undef HAVE_ENDIAN_H @@ -692,12 +704,21 @@ /* Define if you have the header file. */ #undef HAVE_VIS_H +/* Define if you have the des library (-ldes). */ +#undef HAVE_LIBDES + +/* Define if you have the des425 library (-ldes425). */ +#undef HAVE_LIBDES425 + /* Define if you have the dl library (-ldl). */ #undef HAVE_LIBDL /* Define if you have the krb library (-lkrb). */ #undef HAVE_LIBKRB +/* Define if you have the krb4 library (-lkrb4). */ +#undef HAVE_LIBKRB4 + /* Define if you have the nsl library (-lnsl). */ #undef HAVE_LIBNSL diff -ru openssh-2.5.2p2/configure openssh-2.9p1/configure --- openssh-2.5.2p2/configure 2001-03-22 16:07:06.000000000 +1100 +++ openssh-2.9p1/configure 2001-04-29 22:40:31.000000000 +1000 
@@ -22,10 +22,6 @@ ac_help="$ac_help --with-pcre Override built in regex library with pcre" ac_help="$ac_help - --with-kerberos4=PATH Enable Kerberos 4 support" -ac_help="$ac_help - --with-afs=PATH Enable AFS support" -ac_help="$ac_help --with-skey=PATH Enable S/Key support" ac_help="$ac_help --with-tcp-wrappers Enable tcpwrappers support" @@ -34,6 +30,10 @@ ac_help="$ac_help --with-ssl-dir=PATH Specify path to OpenSSL installation " ac_help="$ac_help + --with-kerberos4=PATH Enable Kerberos 4 support" +ac_help="$ac_help + --with-afs=PATH Enable AFS support" +ac_help="$ac_help --with-rsh=PATH Specify path to remote shell program " ac_help="$ac_help --with-xauth=PATH Specify path to xauth program " @@ -44,7 +44,7 @@ ac_help="$ac_help --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)" ac_help="$ac_help - --with-catman=man|cat Install preformatted manpages[no]" + --with-mantype=man|cat|doc Set man page type" ac_help="$ac_help --with-md5-passwords Enable use of MD5 passwords" ac_help="$ac_help @@ -1165,10 +1165,12 @@ echo "$ac_t""no" 1>&6 fi -# Extract the first word of "perl", so it can be a program name with args. -set dummy perl; ac_word=$2 +for ac_prog in perl5 perl +do +# Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1172: checking for $ac_word" >&5 +echo "configure:1174: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PERL'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -1200,11 +1202,14 @@ echo "$ac_t""no" 1>&6 fi +test -n "$PERL" && break +done + # Extract the first word of "ent", so it can be a program name with args. set dummy ent; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1208: checking for $ac_word" >&5 +echo "configure:1213: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_ENT'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -1242,7 +1247,7 @@ # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1246: checking for $ac_word" >&5 +echo "configure:1251: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_FILEPRIV'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -1281,7 +1286,7 @@ # Extract the first word of "bash", so it can be a program name with args. set dummy bash; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1285: checking for $ac_word" >&5 +echo "configure:1290: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_TEST_MINUS_S_SH'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -1316,7 +1321,7 @@ # Extract the first word of "ksh", so it can be a program name with args. set dummy ksh; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1320: checking for $ac_word" >&5 +echo "configure:1325: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_TEST_MINUS_S_SH'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -1351,7 +1356,7 @@ # Extract the first word of "sh", so it can be a program name with args. set dummy sh; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1355: checking for $ac_word" >&5 +echo "configure:1360: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_TEST_MINUS_S_SH'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -1399,7 +1404,7 @@ # Extract the first word of "login", so it can be a program name with args. set dummy login; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1403: checking for $ac_word" >&5 +echo "configure:1408: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_LOGIN_PROGRAM_FALLBACK'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -1446,21 +1451,21 @@ # C Compiler features echo $ac_n "checking for inline""... $ac_c" 1>&6 -echo "configure:1450: checking for inline" >&5 +echo "configure:1455: checking for inline" >&5 if eval "test \"`echo '$''{'ac_cv_c_inline'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else ac_cv_c_inline=no for ac_kw in inline __inline__ __inline; do cat > conftest.$ac_ext <&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:1469: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_c_inline=$ac_kw; break else @@ -1499,12 +1504,12 @@ blibpath="/usr/lib:/lib:/usr/local/lib" fi echo $ac_n "checking for authenticate""... $ac_c" 1>&6 -echo "configure:1503: checking for authenticate" >&5 +echo "configure:1508: checking for authenticate" >&5 if eval "test \"`echo '$''{'ac_cv_func_authenticate'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1536: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_authenticate=yes" else @@ -1553,14 +1558,10 @@ #define BROKEN_GETADDRINFO 1 EOF - MANTYPE='$(CATMAN)' - mansubdir=cat cat >> confdefs.h <<\EOF #define DISABLE_LASTLOG 1 EOF - MANTYPE='$(CATMAN)' - mansubdir=cat ;; *-*-cygwin*) LIBS="$LIBS -lregex /usr/lib/textmode.o" @@ -1581,10 +1582,6 @@ EOF cat >> confdefs.h <<\EOF -#define BROKEN_VHANGUP 1 -EOF - - cat >> confdefs.h <<\EOF #define NO_X11_UNIX_SOCKETS 1 EOF 
@@ -1620,8 +1617,6 @@ EOF LIBS="$LIBS -lsec" - MANTYPE='$(CATMAN)' - mansubdir=cat ;; *-*-hpux11*) CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE" @@ -1647,14 +1642,11 @@ EOF LIBS="$LIBS -lsec" - MANTYPE='$(CATMAN)' - mansubdir=cat ;; *-*-irix5*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS" PATH="$PATH:/usr/etc" - MANTYPE='$(CATMAN)' no_libsocket=1 no_libnsl=1 cat >> confdefs.h <<\EOF @@ -1666,7 +1658,6 @@ CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS" PATH="$PATH:/usr/etc" - MANTYPE='$(CATMAN)' cat >> confdefs.h <<\EOF #define WITH_IRIX_ARRAY 1 EOF @@ -1680,12 +1671,12 @@ EOF echo $ac_n "checking for jlimit_startjob""... $ac_c" 1>&6 -echo "configure:1684: checking for jlimit_startjob" >&5 +echo "configure:1675: checking for jlimit_startjob" >&5 if eval "test \"`echo '$''{'ac_cv_func_jlimit_startjob'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1703: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_jlimit_startjob=yes" else @@ -1736,7 +1727,6 @@ #define BROKEN_INET_NTOA 1 EOF - mansubdir=man ;; *-*-linux*) no_dev_ptmx=1 @@ -1758,7 +1748,7 @@ SONY=1 echo $ac_n "checking for xatexit in -liberty""... $ac_c" 1>&6 -echo "configure:1762: checking for xatexit in -liberty" >&5 +echo "configure:1752: checking for xatexit in -liberty" >&5 ac_lib_var=`echo iberty'_'xatexit | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -1766,7 +1756,7 @@ ac_save_LIBS="$LIBS" LIBS="-liberty $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1771: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -1844,7 +1834,7 @@ # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/var/adm/lastlog" echo $ac_n "checking for obsolete utmp and wtmp in solaris2.x""... $ac_c" 1>&6 -echo "configure:1848: checking for obsolete utmp and wtmp in solaris2.x" >&5 +echo "configure:1838: checking for obsolete utmp and wtmp in solaris2.x" >&5 sol2ver=`echo "$host"| sed -e 's/.*[0-9]\.//'` if test "$sol2ver" -ge 8; then echo "$ac_t""yes" 1>&6 @@ -1865,12 +1855,12 @@ for ac_func in getpwanam do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:1869: checking for $ac_func" >&5 +echo "configure:1859: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1887: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -1932,20 +1922,19 @@ #define USE_PIPES 1 EOF - MANTYPE='$(CATMAN)' - mansubdir=cat ;; *-ncr-sysv*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - MANTYPE='$(CATMAN)' - mansubdir=cat LIBS="$LIBS -lc89 -lnsl -lgen -lsocket" + cat >> confdefs.h <<\EOF +#define HAVE_BOGUS_SYS_QUEUE_H 1 +EOF + ;; *-sni-sysv*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib -L/usr/ucblib" - MANTYPE='$(CATMAN)' IPADDR_IN_DISPLAY=yes cat >> confdefs.h <<\EOF #define USE_PIPES 1 @@ -1959,14 +1948,11 @@ #define HAVE_BOGUS_SYS_QUEUE_H 1 EOF - mansubdir=cat LIBS="$LIBS -lgen -lnsl -lucb" ;; *-*-sysv4.2*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - MANTYPE='$(CATMAN)' - mansubdir=cat enable_suid_ssh=no cat >> confdefs.h <<\EOF #define USE_PIPES 1 
@@ -1976,8 +1962,6 @@ *-*-sysv5*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - MANTYPE='$(CATMAN)' - mansubdir=cat enable_suid_ssh=no cat >> confdefs.h <<\EOF #define USE_PIPES 1 @@ -1987,16 +1971,12 @@ *-*-sysv*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - MANTYPE='$(CATMAN)' - mansubdir=cat LIBS="$LIBS -lgen -lsocket" ;; *-*-sco3.2v4*) CPPFLAGS="$CPPFLAGS -Dftruncate=chsize -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - MANTYPE='$(CATMAN)' LIBS="$LIBS -lgen -lsocket -los -lprot -lx -ltinfo -lm" - mansubdir=cat rsh_path="/usr/bin/rcmd" RANLIB=true no_dev_ptmx=1 @@ -2027,12 +2007,12 @@ for ac_func in getluid setluid do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2031: checking for $ac_func" >&5 +echo "configure:2011: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2039: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -2079,13 +2059,12 @@ fi done + MANTYPE=man ;; *-*-sco3.2v5*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" LIBS="$LIBS -lprot -lx -ltinfo -lm" - MANTYPE='$(CATMAN)' - mansubdir=cat no_dev_ptmx=1 rsh_path="/usr/bin/rcmd" cat >> confdefs.h <<\EOF 
@@ -2107,12 +2086,12 @@ for ac_func in getluid setluid do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2111: checking for $ac_func" >&5 +echo "configure:2090: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2118: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -2159,11 +2138,12 @@ fi done + MANTYPE=man ;; *-dec-osf*) if test ! -z "USE_SIA" ; then echo $ac_n "checking for Digital Unix Security Integration Architecture""... $ac_c" 1>&6 -echo "configure:2167: checking for Digital Unix Security Integration Architecture" >&5 +echo "configure:2147: checking for Digital Unix Security Integration Architecture" >&5 if test -f /etc/sia/matrix.conf; then echo "$ac_t""yes" 1>&6 cat >> confdefs.h <<\EOF @@ -2234,7 +2214,7 @@ echo $ac_n "checking for pcre_info in -lpcre""... $ac_c" 1>&6 -echo "configure:2238: checking for pcre_info in -lpcre" >&5 +echo "configure:2218: checking for pcre_info in -lpcre" >&5 ac_lib_var=`echo pcre'_'pcre_info | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2242,7 +2222,7 @@ ac_save_LIBS="$LIBS" LIBS="-lpcre $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2237: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -2290,7 +2270,7 @@ # Checks for libraries. if test -z "$no_libnsl" ; then echo $ac_n "checking for yp_match in -lnsl""... $ac_c" 1>&6 -echo "configure:2294: checking for yp_match in -lnsl" >&5 +echo "configure:2274: checking for yp_match in -lnsl" >&5 ac_lib_var=`echo nsl'_'yp_match | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2298,7 +2278,7 @@ ac_save_LIBS="$LIBS" LIBS="-lnsl $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2293: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2339,7 +2319,7 @@ fi if test -z "$no_libsocket" ; then echo $ac_n "checking for main in -lsocket""... $ac_c" 1>&6 -echo "configure:2343: checking for main in -lsocket" >&5 +echo "configure:2323: checking for main in -lsocket" >&5 ac_lib_var=`echo socket'_'main | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2347,14 +2327,14 @@ ac_save_LIBS="$LIBS" LIBS="-lsocket $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2338: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2384,7 +2364,7 @@ fi echo $ac_n "checking for innetgr in -lrpc""... $ac_c" 1>&6 -echo "configure:2388: checking for innetgr in -lrpc" >&5 +echo "configure:2368: checking for innetgr in -lrpc" >&5 ac_lib_var=`echo rpc'_'innetgr | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 
@@ -2392,7 +2372,7 @@ ac_save_LIBS="$LIBS" LIBS="-lrpc -lyp -lrpc $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2387: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2425,7 +2405,7 @@ echo $ac_n "checking for getspnam in -lgen""... $ac_c" 1>&6 -echo "configure:2429: checking for getspnam in -lgen" >&5 +echo "configure:2409: checking for getspnam in -lgen" >&5 ac_lib_var=`echo gen'_'getspnam | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2433,7 +2413,7 @@ ac_save_LIBS="$LIBS" LIBS="-lgen $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2428: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2465,7 +2445,7 @@ fi echo $ac_n "checking for deflate in -lz""... $ac_c" 1>&6 -echo "configure:2469: checking for deflate in -lz" >&5 +echo "configure:2449: checking for deflate in -lz" >&5 ac_lib_var=`echo z'_'deflate | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2473,7 +2453,7 @@ ac_save_LIBS="$LIBS" LIBS="-lz $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2468: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -2513,7 +2493,7 @@ fi echo $ac_n "checking for login in -lutil""... $ac_c" 1>&6 -echo "configure:2517: checking for login in -lutil" >&5 +echo "configure:2497: checking for login in -lutil" >&5 ac_lib_var=`echo util'_'login | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2521,7 +2501,7 @@ ac_save_LIBS="$LIBS" LIBS="-lutil $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2516: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2559,12 +2539,12 @@ # We don't want to check if we did an pcre override. if test -z "$no_comp_check" ; then echo $ac_n "checking for regcomp""... $ac_c" 1>&6 -echo "configure:2563: checking for regcomp" >&5 +echo "configure:2543: checking for regcomp" >&5 if eval "test \"`echo '$''{'ac_cv_func_regcomp'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2571: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_regcomp=yes" else @@ -2609,7 +2589,7 @@ echo "$ac_t""no" 1>&6 echo $ac_n "checking for pcre_info in -lpcre""... $ac_c" 1>&6 -echo "configure:2613: checking for pcre_info in -lpcre" >&5 +echo "configure:2593: checking for pcre_info in -lpcre" >&5 ac_lib_var=`echo pcre'_'pcre_info | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 
@@ -2617,7 +2597,7 @@ ac_save_LIBS="$LIBS" LIBS="-lpcre $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2612: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2664,12 +2644,12 @@ fi echo $ac_n "checking for strcasecmp""... $ac_c" 1>&6 -echo "configure:2668: checking for strcasecmp" >&5 +echo "configure:2648: checking for strcasecmp" >&5 if eval "test \"`echo '$''{'ac_cv_func_strcasecmp'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2676: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_strcasecmp=yes" else @@ -2710,7 +2690,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for strcasecmp in -lresolv""... $ac_c" 1>&6 -echo "configure:2714: checking for strcasecmp in -lresolv" >&5 +echo "configure:2694: checking for strcasecmp in -lresolv" >&5 ac_lib_var=`echo resolv'_'strcasecmp | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2718,7 +2698,7 @@ ac_save_LIBS="$LIBS" LIBS="-lresolv $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2713: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -2753,12 +2733,12 @@ fi echo $ac_n "checking for utimes""... $ac_c" 1>&6 -echo "configure:2757: checking for utimes" >&5 +echo "configure:2737: checking for utimes" >&5 if eval "test \"`echo '$''{'ac_cv_func_utimes'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2765: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_utimes=yes" else @@ -2799,7 +2779,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for utimes in -lc89""... $ac_c" 1>&6 -echo "configure:2803: checking for utimes in -lc89" >&5 +echo "configure:2783: checking for utimes in -lc89" >&5 ac_lib_var=`echo c89'_'utimes | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2807,7 +2787,7 @@ ac_save_LIBS="$LIBS" LIBS="-lc89 $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2802: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2843,12 +2823,12 @@ echo $ac_n "checking for strftime""... $ac_c" 1>&6 -echo "configure:2847: checking for strftime" >&5 +echo "configure:2827: checking for strftime" >&5 if eval "test \"`echo '$''{'ac_cv_func_strftime'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2855: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_strftime=yes" else 
@@ -2893,7 +2873,7 @@ echo "$ac_t""no" 1>&6 # strftime is in -lintl on SCO UNIX. echo $ac_n "checking for strftime in -lintl""... $ac_c" 1>&6 -echo "configure:2897: checking for strftime in -lintl" >&5 +echo "configure:2877: checking for strftime in -lintl" >&5 ac_lib_var=`echo intl'_'strftime | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2901,7 +2881,7 @@ ac_save_LIBS="$LIBS" LIBS="-lintl $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2896: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -2940,21 +2920,21 @@ # Checks for header files. -for ac_hdr in bstring.h endian.h floatingpoint.h getopt.h glob.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h regex.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/queue.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h +for ac_hdr in bstring.h crypt.h endian.h floatingpoint.h getopt.h glob.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h regex.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/queue.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h do ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 -echo "configure:2948: checking for $ac_hdr" >&5 +echo "configure:2928: checking for $ac_hdr" >&5 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:2958: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:2938: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then rm -rf conftest* @@ -2983,9 +2963,9 @@ # Check for ALTDIRFUNC glob() extension echo $ac_n "checking for GLOB_ALTDIRFUNC support""... $ac_c" 1>&6 -echo "configure:2987: checking for GLOB_ALTDIRFUNC support" >&5 +echo "configure:2967: checking for GLOB_ALTDIRFUNC support" >&5 cat > conftest.$ac_ext < 
@@ -3016,9 +2996,9 @@ # Check for g.gl_matchc glob() extension echo $ac_n "checking for gl_matchc field in glob_t""... $ac_c" 1>&6 -echo "configure:3020: checking for gl_matchc field in glob_t" >&5 +echo "configure:3000: checking for gl_matchc field in glob_t" >&5 cat > conftest.$ac_ext < 
@@ -3045,213 +3025,39 @@ rm -f conftest* - - -# Check whether user wants Kerberos support -KRB4_MSG="no" -# Check whether --with-kerberos4 or --without-kerberos4 was given. -if test "${with_kerberos4+set}" = set; then - withval="$with_kerberos4" - - if test "x$withval" != "xno" ; then - - if test "x$withval" != "xyes" ; then - CPPFLAGS="$CPPFLAGS -I${withval}/include" - LDFLAGS="$LDFLAGS -L${withval}/lib" - if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R${withval}/lib" - fi - if test ! -z "$blibpath" ; then - blibpath="$blibpath:${withval}/lib" - fi - else - if test -d /usr/include/kerberosIV ; then - CPPFLAGS="$CPPFLAGS -I/usr/include/kerberosIV" - fi - fi - - for ac_hdr in krb.h -do -ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` -echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 -echo "configure:3078: checking for $ac_hdr" >&5 -if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 +echo $ac_n "checking whether struct dirent allocates space for d_name""... 
$ac_c" 1>&6 +echo "configure:3030: checking whether struct dirent allocates space for d_name" >&5 +if test "$cross_compiling" = yes; then + { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < -EOF -ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:3088: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } -ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` -if test -z "$ac_err"; then - rm -rf conftest* - eval "ac_cv_header_$ac_safe=yes" -else - echo "$ac_err" >&5 - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_header_$ac_safe=no" -fi -rm -f conftest* -fi -if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` - cat >> confdefs.h <&6 -fi -done - - echo $ac_n "checking for main in -lkrb""... 
$ac_c" 1>&6 -echo "configure:3115: checking for main in -lkrb" >&5 -ac_lib_var=`echo krb'_'main | sed 'y%./+-%__p_%'` -if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_save_LIBS="$LIBS" -LIBS="-lkrb $LIBS" -cat > conftest.$ac_ext < +#include +int main(void){struct dirent d;return(sizeof(d.d_name)<=sizeof(char));} + EOF -if { (eval echo configure:3130: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=no" -fi -rm -f conftest* -LIBS="$ac_save_LIBS" - -fi -if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then +if { (eval echo configure:3043: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +then echo "$ac_t""yes" 1>&6 - ac_tr_lib=HAVE_LIB`echo krb | sed -e 's/[^a-zA-Z0-9_]/_/g' \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` - cat >> confdefs.h <&6 -fi - - if test "$ac_cv_header_krb_h" != yes; then - echo "configure: warning: Cannot find krb.h, build may fail" 1>&2 - fi - if test "$ac_cv_lib_krb_main" != yes; then - echo "configure: warning: Cannot find libkrb, build may fail" 1>&2 - fi - - KLIBS="-lkrb -ldes" - echo $ac_n "checking for dn_expand in -lresolv""... 
$ac_c" 1>&6 -echo "configure:3166: checking for dn_expand in -lresolv" >&5 -ac_lib_var=`echo resolv'_'dn_expand | sed 'y%./+-%__p_%'` -if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_save_LIBS="$LIBS" -LIBS="-lresolv $LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=yes" else echo "configure: failed program was:" >&5 cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=no" -fi -rm -f conftest* -LIBS="$ac_save_LIBS" - -fi -if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_lib=HAVE_LIB`echo resolv | sed -e 's/[^a-zA-Z0-9_]/_/g' \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` - cat >> confdefs.h <&6 -fi - - KRB4=yes - KRB4_MSG="yes" - cat >> confdefs.h <<\EOF -#define KRB4 1 -EOF - - fi - - -fi - - -# Check whether user wants AFS support -AFS_MSG="no" -# Check whether --with-afs or --without-afs was given. -if test "${with_afs+set}" = set; then - withval="$with_afs" + rm -fr conftest* - if test "x$withval" != "xno" ; then - - if test "x$withval" != "xyes" ; then - CPPFLAGS="$CPPFLAGS -I${withval}/include" - LDFLAGS="$LDFLAGS -L${withval}/lib" - fi - - if test -z "$KRB4" ; then - echo "configure: warning: AFS requires Kerberos IV support, build may fail" 1>&2 - fi - - LIBS="$LIBS -lkafs" - if test ! -z "$AFS_LIBS" ; then - LIBS="$LIBS $AFS_LIBS" - fi - cat >> confdefs.h <<\EOF -#define AFS 1 + echo "$ac_t""no" 1>&6 + cat >> confdefs.h <<\EOF +#define BROKEN_ONE_BYTE_DIRENT_D_NAME 1 EOF - AFS_MSG="yes" - fi fi +rm -fr conftest* +fi -LIBS="$LIBS $KLIBS" # Check whether user wants S/Key support SKEY_MSG="no" 
@@ -3274,12 +3080,12 @@ SKEY_MSG="yes" echo $ac_n "checking for skey_keyinfo""... $ac_c" 1>&6 -echo "configure:3278: checking for skey_keyinfo" >&5 +echo "configure:3084: checking for skey_keyinfo" >&5 if eval "test \"`echo '$''{'ac_cv_func_skey_keyinfo'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3112: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_skey_keyinfo=yes" else @@ -3340,9 +3146,9 @@ saved_LIBS="$LIBS" LIBS="-lwrap $LIBS" echo $ac_n "checking for libwrap""... $ac_c" 1>&6 -echo "configure:3344: checking for libwrap" >&5 +echo "configure:3150: checking for libwrap" >&5 cat > conftest.$ac_ext < @@ -3352,7 +3158,7 @@ hosts_access(0); ; return 0; } EOF -if { (eval echo configure:3356: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3162: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* echo "$ac_t""yes" 1>&6 
@@ -3378,15 +3184,15 @@ fi -for ac_func in arc4random atexit b64_ntop bcopy bindresvport_sa clock fchown fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getgrouplist getnameinfo getrlimit getrusage getttyent getusershell glob inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strmode strsep strtok_r sysconf tcgetpgrp utimes vsnprintf vhangup vis waitpid _getpty __b64_ntop +for ac_func in arc4random atexit b64_ntop bcopy bindresvport_sa clock fchown fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getgrouplist getnameinfo getrlimit getrusage getttyent getusershell glob inet_aton inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv setegid seteuid setlogin setproctitle setresgid setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strmode strsep strtok_r sysconf tcgetpgrp utimes vsnprintf vhangup vis waitpid _getpty __b64_ntop do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:3385: checking for $ac_func" >&5 +echo "configure:3191: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3219: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else 
@@ -3436,12 +3242,12 @@ for ac_func in gettimeofday time do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:3440: checking for $ac_func" >&5 +echo "configure:3246: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3274: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -3492,17 +3298,17 @@ do ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 -echo "configure:3496: checking for $ac_hdr" >&5 +echo "configure:3302: checking for $ac_hdr" >&5 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:3506: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:3312: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then rm -rf conftest* @@ -3531,12 +3337,12 @@ for ac_func in login logout updwtmp logwtmp do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:3535: checking for $ac_func" >&5 +echo "configure:3341: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3369: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else 
@@ -3586,12 +3392,12 @@ for ac_func in endutent getutent getutid getutline pututline setutent do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:3590: checking for $ac_func" >&5 +echo "configure:3396: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3424: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -3641,12 +3447,12 @@ for ac_func in utmpname do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:3645: checking for $ac_func" >&5 +echo "configure:3451: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3479: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -3696,12 +3502,12 @@ for ac_func in endutxent getutxent getutxid getutxline pututxline do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:3700: checking for $ac_func" >&5 +echo "configure:3506: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3534: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else 
@@ -3751,12 +3557,12 @@ for ac_func in setutxent utmpxname do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:3755: checking for $ac_func" >&5 +echo "configure:3561: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3589: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -3805,12 +3611,12 @@ echo $ac_n "checking for getuserattr""... $ac_c" 1>&6 -echo "configure:3809: checking for getuserattr" >&5 +echo "configure:3615: checking for getuserattr" >&5 if eval "test \"`echo '$''{'ac_cv_func_getuserattr'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3643: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_getuserattr=yes" else @@ -3854,7 +3660,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for getuserattr in -ls""... $ac_c" 1>&6 -echo "configure:3858: checking for getuserattr in -ls" >&5 +echo "configure:3664: checking for getuserattr in -ls" >&5 ac_lib_var=`echo s'_'getuserattr | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -3862,7 +3668,7 @@ ac_save_LIBS="$LIBS" LIBS="-ls $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3683: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -3901,12 +3707,12 @@ echo $ac_n "checking for login""... $ac_c" 1>&6 -echo "configure:3905: checking for login" >&5 +echo "configure:3711: checking for login" >&5 if eval "test \"`echo '$''{'ac_cv_func_login'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3739: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_login=yes" else @@ -3950,7 +3756,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for login in -lbsd""... $ac_c" 1>&6 -echo "configure:3954: checking for login in -lbsd" >&5 +echo "configure:3760: checking for login in -lbsd" >&5 ac_lib_var=`echo bsd'_'login | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -3958,7 +3764,7 @@ ac_save_LIBS="$LIBS" LIBS="-lbsd $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3779: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -3997,12 +3803,12 @@ echo $ac_n "checking for daemon""... $ac_c" 1>&6 -echo "configure:4001: checking for daemon" >&5 +echo "configure:3807: checking for daemon" >&5 if eval "test \"`echo '$''{'ac_cv_func_daemon'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3835: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_daemon=yes" else 
@@ -4046,7 +3852,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for daemon in -lbsd""... $ac_c" 1>&6 -echo "configure:4050: checking for daemon in -lbsd" >&5 +echo "configure:3856: checking for daemon in -lbsd" >&5 ac_lib_var=`echo bsd'_'daemon | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -4054,7 +3860,7 @@ ac_save_LIBS="$LIBS" LIBS="-lbsd $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3875: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -4093,12 +3899,12 @@ echo $ac_n "checking for getpagesize""... $ac_c" 1>&6 -echo "configure:4097: checking for getpagesize" >&5 +echo "configure:3903: checking for getpagesize" >&5 if eval "test \"`echo '$''{'ac_cv_func_getpagesize'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3931: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_getpagesize=yes" else @@ -4142,7 +3948,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for getpagesize in -lucb""... $ac_c" 1>&6 -echo "configure:4146: checking for getpagesize in -lucb" >&5 +echo "configure:3952: checking for getpagesize in -lucb" >&5 ac_lib_var=`echo ucb'_'getpagesize | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -4150,7 +3956,7 @@ ac_save_LIBS="$LIBS" LIBS="-lucb $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3971: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -4191,19 +3997,19 @@ # Check for broken snprintf if test "x$ac_cv_func_snprintf" = "xyes" ; then echo $ac_n "checking whether snprintf correctly terminates long strings""... $ac_c" 1>&6 -echo "configure:4195: checking whether snprintf correctly terminates long strings" >&5 +echo "configure:4001: checking whether snprintf correctly terminates long strings" >&5 if test "$cross_compiling" = yes; then { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < int main(void){char b[5];snprintf(b,5,"123456789");return(b[4]!='\0');} EOF -if { (eval echo configure:4207: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4013: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then echo "$ac_t""yes" 1>&6 else @@ -4226,7 +4032,7 @@ fi echo $ac_n "checking whether getpgrp takes no argument""... $ac_c" 1>&6 -echo "configure:4230: checking whether getpgrp takes no argument" >&5 +echo "configure:4036: checking whether getpgrp takes no argument" >&5 if eval "test \"`echo '$''{'ac_cv_func_getpgrp_void'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4234,7 +4040,7 @@ { echo "configure: error: cannot check getpgrp if cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4099: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_func_getpgrp_void=yes else 
@@ -4325,7 +4131,7 @@ fi echo $ac_n "checking for dlopen in -ldl""... $ac_c" 1>&6 -echo "configure:4329: checking for dlopen in -ldl" >&5 +echo "configure:4135: checking for dlopen in -ldl" >&5 ac_lib_var=`echo dl'_'dlopen | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -4333,7 +4139,7 @@ ac_save_LIBS="$LIBS" LIBS="-ldl $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:4154: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -4372,7 +4178,7 @@ fi echo $ac_n "checking for pam_set_item in -lpam""... $ac_c" 1>&6 -echo "configure:4376: checking for pam_set_item in -lpam" >&5 +echo "configure:4182: checking for pam_set_item in -lpam" >&5 ac_lib_var=`echo pam'_'pam_set_item | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -4380,7 +4186,7 @@ ac_save_LIBS="$LIBS" LIBS="-lpam $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:4201: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -4422,12 +4228,12 @@ for ac_func in pam_getenvlist do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:4426: checking for $ac_func" >&5 +echo "configure:4232: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:4260: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else 
@@ -4492,9 +4298,9 @@ if test "x$PAM_MSG" = "xyes" ; then # Check PAM strerror arguments (old PAM) echo $ac_n "checking whether pam_strerror takes only one argument""... $ac_c" 1>&6 -echo "configure:4496: checking whether pam_strerror takes only one argument" >&5 +echo "configure:4302: checking whether pam_strerror takes only one argument" >&5 cat > conftest.$ac_ext < @@ -4504,7 +4310,7 @@ (void)pam_strerror((pam_handle_t *)NULL, -1); ; return 0; } EOF -if { (eval echo configure:4508: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4314: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""no" 1>&6 else @@ -4544,7 +4350,7 @@ tryssldir="$tryssldir $prefix" fi echo $ac_n "checking for OpenSSL directory""... $ac_c" 1>&6 -echo "configure:4548: checking for OpenSSL directory" >&5 +echo "configure:4354: checking for OpenSSL directory" >&5 if eval "test \"`echo '$''{'ac_cv_openssldir'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4562,22 +4368,22 @@ # Try to use $ssldir/lib if it exists, otherwise # $ssldir if test -d "$ssldir/lib" ; then - LDFLAGS="$saved_LDFLAGS -L$ssldir/lib" + LDFLAGS="-L$ssldir/lib $saved_LDFLAGS" if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R$ssldir/lib" + LDFLAGS="-R$ssldir/lib $LDFLAGS" fi else - LDFLAGS="$saved_LDFLAGS -L$ssldir" + LDFLAGS="-L$ssldir $saved_LDFLAGS" if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R$ssldir" + LDFLAGS="-R$ssldir $LDFLAGS" fi fi # Try to use $ssldir/include if it exists, otherwise # $ssldir if test -d "$ssldir/include" ; then - CPPFLAGS="$saved_CPPFLAGS -I$ssldir/include" + CPPFLAGS="-I$ssldir/include $saved_CPPFLAGS" else - CPPFLAGS="$saved_CPPFLAGS -I$ssldir" + CPPFLAGS="-I$ssldir $saved_CPPFLAGS" fi fi @@ -4587,7 +4393,7 @@ { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < 
@@ -4601,7 +4407,7 @@ } EOF -if { (eval echo configure:4605: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4411: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then found_crypto=1 @@ -4646,22 +4452,22 @@ # Try to use $ssldir/lib if it exists, otherwise # $ssldir if test -d "$ssldir/lib" ; then - LDFLAGS="$saved_LDFLAGS -L$ssldir/lib" + LDFLAGS="-L$ssldir/lib $saved_LDFLAGS" if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R$ssldir/lib" + LDFLAGS="-R$ssldir/lib $LDFLAGS" fi else - LDFLAGS="$saved_LDFLAGS -L$ssldir" + LDFLAGS="-L$ssldir $saved_LDFLAGS" if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R$ssldir" + LDFLAGS="-R$ssldir $LDFLAGS" fi fi # Try to use $ssldir/include if it exists, otherwise # $ssldir if test -d "$ssldir/include" ; then - CPPFLAGS="$saved_CPPFLAGS -I$ssldir/include" + CPPFLAGS="-I$ssldir/include $saved_CPPFLAGS" else - CPPFLAGS="$saved_CPPFLAGS -I$ssldir" + CPPFLAGS="-I$ssldir $saved_CPPFLAGS" fi fi fi @@ -4670,7 +4476,7 @@ # Now test RSA support saved_LIBS="$LIBS" echo $ac_n "checking for RSA support""... $ac_c" 1>&6 -echo "configure:4674: checking for RSA support" >&5 +echo "configure:4480: checking for RSA support" >&5 for WANTS_RSAREF in "" 1 ; do if test -z "$WANTS_RSAREF" ; then LIBS="$saved_LIBS" @@ -4681,7 +4487,7 @@ { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < @@ -4700,7 +4506,7 @@ } EOF -if { (eval echo configure:4704: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4510: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then rsa_works=1 
@@ -4738,7 +4544,7 @@ # version in OpenSSL. Skip this for PAM if test "x$PAM_MSG" = "xno" -a "x$check_for_libcrypt_later" = "x1"; then echo $ac_n "checking for crypt in -lcrypt""... $ac_c" 1>&6 -echo "configure:4742: checking for crypt in -lcrypt" >&5 +echo "configure:4548: checking for crypt in -lcrypt" >&5 ac_lib_var=`echo crypt'_'crypt | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -4746,7 +4552,7 @@ ac_save_LIBS="$LIBS" LIBS="-lcrypt $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:4567: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -4786,7 +4592,7 @@ # Checks for data types echo $ac_n "checking size of char""... $ac_c" 1>&6 -echo "configure:4790: checking size of char" >&5 +echo "configure:4596: checking size of char" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_char'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4794,7 +4600,7 @@ ac_cv_sizeof_char=1 else cat > conftest.$ac_ext < main() @@ -4805,7 +4611,7 @@ exit(0); } EOF -if { (eval echo configure:4809: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4615: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_char=`cat conftestval` else @@ -4825,7 +4631,7 @@ echo $ac_n "checking size of short int""... $ac_c" 1>&6 -echo "configure:4829: checking size of short int" >&5 +echo "configure:4635: checking size of short int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_short_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4833,7 +4639,7 @@ ac_cv_sizeof_short_int=2 else cat > conftest.$ac_ext < main() 
@@ -4844,7 +4650,7 @@ exit(0); } EOF -if { (eval echo configure:4848: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4654: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_short_int=`cat conftestval` else @@ -4864,7 +4670,7 @@ echo $ac_n "checking size of int""... $ac_c" 1>&6 -echo "configure:4868: checking size of int" >&5 +echo "configure:4674: checking size of int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4872,7 +4678,7 @@ ac_cv_sizeof_int=4 else cat > conftest.$ac_ext < main() @@ -4883,7 +4689,7 @@ exit(0); } EOF -if { (eval echo configure:4887: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4693: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_int=`cat conftestval` else @@ -4903,7 +4709,7 @@ echo $ac_n "checking size of long int""... $ac_c" 1>&6 -echo "configure:4907: checking size of long int" >&5 +echo "configure:4713: checking size of long int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_long_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4911,7 +4717,7 @@ ac_cv_sizeof_long_int=4 else cat > conftest.$ac_ext < main() @@ -4922,7 +4728,7 @@ exit(0); } EOF -if { (eval echo configure:4926: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4732: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_long_int=`cat conftestval` else 
@@ -4942,7 +4748,7 @@ echo $ac_n "checking size of long long int""... $ac_c" 1>&6 -echo "configure:4946: checking size of long long int" >&5 +echo "configure:4752: checking size of long long int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_long_long_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4950,7 +4756,7 @@ ac_cv_sizeof_long_long_int=8 else cat > conftest.$ac_ext < main() @@ -4961,7 +4767,7 @@ exit(0); } EOF -if { (eval echo configure:4965: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:4771: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_long_long_int=`cat conftestval` else @@ -4983,20 +4789,20 @@ # More checks for data types echo $ac_n "checking for u_int type""... $ac_c" 1>&6 -echo "configure:4987: checking for u_int type" >&5 +echo "configure:4793: checking for u_int type" >&5 if eval "test \"`echo '$''{'ac_cv_have_u_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { u_int a; a = 1; ; return 0; } EOF -if { (eval echo configure:5000: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4806: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_u_int="yes" else 
@@ -5020,20 +4826,20 @@ fi echo $ac_n "checking for intXX_t types""... $ac_c" 1>&6 -echo "configure:5024: checking for intXX_t types" >&5 +echo "configure:4830: checking for intXX_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_intxx_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { int8_t a; int16_t b; int32_t c; a = b = c = 1; ; return 0; } EOF -if { (eval echo configure:5037: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4843: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_intxx_t="yes" else @@ -5057,20 +4863,20 @@ fi echo $ac_n "checking for int64_t type""... $ac_c" 1>&6 -echo "configure:5061: checking for int64_t type" >&5 +echo "configure:4867: checking for int64_t type" >&5 if eval "test \"`echo '$''{'ac_cv_have_int64_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { int64_t a; a = 1; ; return 0; } EOF -if { (eval echo configure:5074: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4880: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_int64_t="yes" else @@ -5094,20 +4900,20 @@ fi echo $ac_n "checking for u_intXX_t types""... $ac_c" 1>&6 -echo "configure:5098: checking for u_intXX_t types" >&5 +echo "configure:4904: checking for u_intXX_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_u_intxx_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1; ; return 0; } EOF -if { (eval echo configure:5111: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4917: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_u_intxx_t="yes" else 
@@ -5131,20 +4937,20 @@ fi echo $ac_n "checking for u_int64_t types""... $ac_c" 1>&6 -echo "configure:5135: checking for u_int64_t types" >&5 +echo "configure:4941: checking for u_int64_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_u_int64_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { u_int64_t a; a = 1; ; return 0; } EOF -if { (eval echo configure:5148: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4954: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_u_int64_t="yes" else @@ -5171,9 +4977,9 @@ test "x$ac_cv_header_sys_bitypes_h" = "xyes") then echo $ac_n "checking for intXX_t and u_intXX_t types in sys/bitypes.h""... $ac_c" 1>&6 -echo "configure:5175: checking for intXX_t and u_intXX_t types in sys/bitypes.h" >&5 +echo "configure:4981: checking for intXX_t and u_intXX_t types in sys/bitypes.h" >&5 cat > conftest.$ac_ext < @@ -5186,7 +4992,7 @@ ; return 0; } EOF -if { (eval echo configure:5190: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4996: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* cat >> confdefs.h <<\EOF @@ -5211,13 +5017,13 @@ if test -z "$have_u_intxx_t" ; then echo $ac_n "checking for uintXX_t types""... $ac_c" 1>&6 -echo "configure:5215: checking for uintXX_t types" >&5 +echo "configure:5021: checking for uintXX_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_uintxx_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5226,7 +5032,7 @@ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1; ; return 0; } EOF -if { (eval echo configure:5230: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5036: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_uintxx_t="yes" else 
@@ -5250,13 +5056,13 @@ fi echo $ac_n "checking for socklen_t""... $ac_c" 1>&6 -echo "configure:5254: checking for socklen_t" >&5 +echo "configure:5060: checking for socklen_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_socklen_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5266,7 +5072,7 @@ socklen_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:5270: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5076: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_socklen_t="yes" else @@ -5289,13 +5095,13 @@ fi echo $ac_n "checking for size_t""... $ac_c" 1>&6 -echo "configure:5293: checking for size_t" >&5 +echo "configure:5099: checking for size_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_size_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5304,7 +5110,7 @@ size_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:5308: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5114: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_size_t="yes" else @@ -5327,13 +5133,13 @@ fi echo $ac_n "checking for ssize_t""... $ac_c" 1>&6 -echo "configure:5331: checking for ssize_t" >&5 +echo "configure:5137: checking for ssize_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_ssize_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5342,7 +5148,7 @@ ssize_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:5346: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5152: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_ssize_t="yes" else 
@@ -5365,13 +5171,13 @@ fi echo $ac_n "checking for clock_t""... $ac_c" 1>&6 -echo "configure:5369: checking for clock_t" >&5 +echo "configure:5175: checking for clock_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_clock_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5380,7 +5186,7 @@ clock_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:5384: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5190: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_clock_t="yes" else @@ -5403,13 +5209,13 @@ fi echo $ac_n "checking for sa_family_t""... $ac_c" 1>&6 -echo "configure:5407: checking for sa_family_t" >&5 +echo "configure:5213: checking for sa_family_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_sa_family_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5419,7 +5225,7 @@ sa_family_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:5423: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5229: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_sa_family_t="yes" else @@ -5427,7 +5233,7 @@ cat conftest.$ac_ext >&5 rm -rf conftest* cat > conftest.$ac_ext < @@ -5438,7 +5244,7 @@ sa_family_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:5442: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5248: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_sa_family_t="yes" else @@ -5464,13 +5270,13 @@ fi echo $ac_n "checking for pid_t""... $ac_c" 1>&6 -echo "configure:5468: checking for pid_t" >&5 +echo "configure:5274: checking for pid_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_pid_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < 
@@ -5479,7 +5285,7 @@ pid_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:5483: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5289: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_pid_t="yes" else @@ -5502,13 +5308,13 @@ fi echo $ac_n "checking for mode_t""... $ac_c" 1>&6 -echo "configure:5506: checking for mode_t" >&5 +echo "configure:5312: checking for mode_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_mode_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5517,7 +5323,7 @@ mode_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:5521: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5327: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_mode_t="yes" else @@ -5541,13 +5347,13 @@ echo $ac_n "checking for struct sockaddr_storage""... $ac_c" 1>&6 -echo "configure:5545: checking for struct sockaddr_storage" >&5 +echo "configure:5351: checking for struct sockaddr_storage" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_sockaddr_storage'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5557,7 +5363,7 @@ struct sockaddr_storage s; ; return 0; } EOF -if { (eval echo configure:5561: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5367: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_sockaddr_storage="yes" else @@ -5580,13 +5386,13 @@ fi echo $ac_n "checking for struct sockaddr_in6""... $ac_c" 1>&6 -echo "configure:5584: checking for struct sockaddr_in6" >&5 +echo "configure:5390: checking for struct sockaddr_in6" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_sockaddr_in6'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < 
@@ -5596,7 +5402,7 @@ struct sockaddr_in6 s; s.sin6_family = 0; ; return 0; } EOF -if { (eval echo configure:5600: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5406: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_sockaddr_in6="yes" else @@ -5619,13 +5425,13 @@ fi echo $ac_n "checking for struct in6_addr""... $ac_c" 1>&6 -echo "configure:5623: checking for struct in6_addr" >&5 +echo "configure:5429: checking for struct in6_addr" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_in6_addr'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5635,7 +5441,7 @@ struct in6_addr s; s.s6_addr[0] = 0; ; return 0; } EOF -if { (eval echo configure:5639: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5445: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_in6_addr="yes" else @@ -5658,13 +5464,13 @@ fi echo $ac_n "checking for struct addrinfo""... $ac_c" 1>&6 -echo "configure:5662: checking for struct addrinfo" >&5 +echo "configure:5468: checking for struct addrinfo" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_addrinfo'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -5675,7 +5481,7 @@ struct addrinfo s; s.ai_flags = AI_PASSIVE; ; return 0; } EOF -if { (eval echo configure:5679: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5485: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_addrinfo="yes" else 
@@ -5698,20 +5504,20 @@ fi echo $ac_n "checking for struct timeval""... $ac_c" 1>&6 -echo "configure:5702: checking for struct timeval" >&5 +echo "configure:5508: checking for struct timeval" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_timeval'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { struct timeval tv; tv.tv_sec = 1; ; return 0; } EOF -if { (eval echo configure:5715: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5521: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_timeval="yes" else @@ -5745,7 +5551,7 @@ { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < @@ -5772,7 +5578,7 @@ #endif EOF -if { (eval echo configure:5776: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:5582: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then true else @@ -5796,13 +5602,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_host echo $ac_n "checking for ut_host field in utmp.h""... $ac_c" 1>&6 -echo "configure:5800: checking for ut_host field in utmp.h" >&5 +echo "configure:5606: checking for ut_host field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -5836,13 +5642,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_host echo $ac_n "checking for ut_host field in utmpx.h""... $ac_c" 1>&6 -echo "configure:5840: checking for ut_host field in utmpx.h" >&5 +echo "configure:5646: checking for ut_host field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -5876,13 +5682,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"syslen echo $ac_n "checking for syslen field in utmpx.h""... $ac_c" 1>&6 -echo "configure:5880: checking for syslen field in utmpx.h" >&5 +echo "configure:5686: checking for syslen field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -5916,13 +5722,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_pid echo $ac_n "checking for ut_pid field in utmp.h""... $ac_c" 1>&6 -echo "configure:5920: checking for ut_pid field in utmp.h" >&5 +echo "configure:5726: checking for ut_pid field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -5956,13 +5762,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_type echo $ac_n "checking for ut_type field in utmp.h""... $ac_c" 1>&6 -echo "configure:5960: checking for ut_type field in utmp.h" >&5 +echo "configure:5766: checking for ut_type field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -5996,13 +5802,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_type echo $ac_n "checking for ut_type field in utmpx.h""... $ac_c" 1>&6 -echo "configure:6000: checking for ut_type field in utmpx.h" >&5 +echo "configure:5806: checking for ut_type field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -6036,13 +5842,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_tv echo $ac_n "checking for ut_tv field in utmp.h""... $ac_c" 1>&6 -echo "configure:6040: checking for ut_tv field in utmp.h" >&5 +echo "configure:5846: checking for ut_tv field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -6076,13 +5882,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_id echo $ac_n "checking for ut_id field in utmp.h""... $ac_c" 1>&6 -echo "configure:6080: checking for ut_id field in utmp.h" >&5 +echo "configure:5886: checking for ut_id field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -6116,13 +5922,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_id echo $ac_n "checking for ut_id field in utmpx.h""... $ac_c" 1>&6 -echo "configure:6120: checking for ut_id field in utmpx.h" >&5 +echo "configure:5926: checking for ut_id field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -6156,13 +5962,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr echo $ac_n "checking for ut_addr field in utmp.h""... $ac_c" 1>&6 -echo "configure:6160: checking for ut_addr field in utmp.h" >&5 +echo "configure:5966: checking for ut_addr field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -6196,13 +6002,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr echo $ac_n "checking for ut_addr field in utmpx.h""... $ac_c" 1>&6 -echo "configure:6200: checking for ut_addr field in utmpx.h" >&5 +echo "configure:6006: checking for ut_addr field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -6236,13 +6042,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr_v6 echo $ac_n "checking for ut_addr_v6 field in utmp.h""... $ac_c" 1>&6 -echo "configure:6240: checking for ut_addr_v6 field in utmp.h" >&5 +echo "configure:6046: checking for ut_addr_v6 field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -6276,13 +6082,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr_v6 echo $ac_n "checking for ut_addr_v6 field in utmpx.h""... $ac_c" 1>&6 -echo "configure:6280: checking for ut_addr_v6 field in utmpx.h" >&5 +echo "configure:6086: checking for ut_addr_v6 field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -6316,13 +6122,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_exit echo $ac_n "checking for ut_exit field in utmp.h""... $ac_c" 1>&6 -echo "configure:6320: checking for ut_exit field in utmp.h" >&5 +echo "configure:6126: checking for ut_exit field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -6356,13 +6162,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_time echo $ac_n "checking for ut_time field in utmp.h""... $ac_c" 1>&6 -echo "configure:6360: checking for ut_time field in utmp.h" >&5 +echo "configure:6166: checking for ut_time field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -6396,13 +6202,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_time echo $ac_n "checking for ut_time field in utmpx.h""... $ac_c" 1>&6 -echo "configure:6400: checking for ut_time field in utmpx.h" >&5 +echo "configure:6206: checking for ut_time field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -6436,13 +6242,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_tv echo $ac_n "checking for ut_tv field in utmpx.h""... $ac_c" 1>&6 -echo "configure:6440: checking for ut_tv field in utmpx.h" >&5 +echo "configure:6246: checking for ut_tv field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -6472,12 +6278,12 @@ fi echo $ac_n "checking for st_blksize in struct stat""... $ac_c" 1>&6 -echo "configure:6476: checking for st_blksize in struct stat" >&5 +echo "configure:6282: checking for st_blksize in struct stat" >&5 if eval "test \"`echo '$''{'ac_cv_struct_st_blksize'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < #include @@ -6485,7 +6291,7 @@ struct stat s; s.st_blksize; ; return 0; } EOF -if { (eval echo configure:6489: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6295: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_struct_st_blksize=yes else @@ -6507,13 +6313,13 @@ echo $ac_n "checking for sun_len field in struct sockaddr_un""... $ac_c" 1>&6 -echo "configure:6511: checking for sun_len field in struct sockaddr_un" >&5 +echo "configure:6317: checking for sun_len field in struct sockaddr_un" >&5 if eval "test \"`echo '$''{'ac_cv_have_sun_len_in_struct_sockaddr_un'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -6523,7 +6329,7 @@ struct sockaddr_un s; s.sun_len = 1; ; return 0; } EOF -if { (eval echo configure:6527: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6333: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_sun_len_in_struct_sockaddr_un="yes" else @@ -6545,13 +6351,13 @@ fi echo $ac_n "checking for ss_family field in struct sockaddr_storage""... $ac_c" 1>&6 -echo "configure:6549: checking for ss_family field in struct sockaddr_storage" >&5 +echo "configure:6355: checking for ss_family field in struct sockaddr_storage" >&5 if eval "test \"`echo '$''{'ac_cv_have_ss_family_in_struct_ss'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < 
@@ -6561,7 +6367,7 @@ struct sockaddr_storage s; s.ss_family = 1; ; return 0; } EOF -if { (eval echo configure:6565: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6371: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_ss_family_in_struct_ss="yes" else @@ -6583,13 +6389,13 @@ fi echo $ac_n "checking for __ss_family field in struct sockaddr_storage""... $ac_c" 1>&6 -echo "configure:6587: checking for __ss_family field in struct sockaddr_storage" >&5 +echo "configure:6393: checking for __ss_family field in struct sockaddr_storage" >&5 if eval "test \"`echo '$''{'ac_cv_have___ss_family_in_struct_ss'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -6599,7 +6405,7 @@ struct sockaddr_storage s; s.__ss_family = 1; ; return 0; } EOF -if { (eval echo configure:6603: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6409: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have___ss_family_in_struct_ss="yes" else @@ -6622,13 +6428,13 @@ fi echo $ac_n "checking for pw_class field in struct passwd""... $ac_c" 1>&6 -echo "configure:6626: checking for pw_class field in struct passwd" >&5 +echo "configure:6432: checking for pw_class field in struct passwd" >&5 if eval "test \"`echo '$''{'ac_cv_have_pw_class_in_struct_passwd'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -6637,7 +6443,7 @@ struct passwd p; p.pw_class = 0; ; return 0; } EOF -if { (eval echo configure:6641: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6447: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_pw_class_in_struct_passwd="yes" else 
@@ -6661,20 +6467,20 @@ echo $ac_n "checking if libc defines __progname""... $ac_c" 1>&6 -echo "configure:6665: checking if libc defines __progname" >&5 +echo "configure:6471: checking if libc defines __progname" >&5 if eval "test \"`echo '$''{'ac_cv_libc_defines___progname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:6484: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_libc_defines___progname="yes" else @@ -6698,20 +6504,20 @@ echo $ac_n "checking if libc defines sys_errlist""... $ac_c" 1>&6 -echo "configure:6702: checking if libc defines sys_errlist" >&5 +echo "configure:6508: checking if libc defines sys_errlist" >&5 if eval "test \"`echo '$''{'ac_cv_libc_defines_sys_errlist'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:6521: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_libc_defines_sys_errlist="yes" else @@ -6735,20 +6541,20 @@ echo $ac_n "checking if libc defines sys_nerr""... $ac_c" 1>&6 -echo "configure:6739: checking if libc defines sys_nerr" >&5 +echo "configure:6545: checking if libc defines sys_nerr" >&5 if eval "test \"`echo '$''{'ac_cv_libc_defines_sys_nerr'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:6558: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_libc_defines_sys_nerr="yes" else 
@@ -6771,21 +6577,377 @@ fi -# Looking for programs, paths and files -# Check whether --with-rsh or --without-rsh was given. -if test "${with_rsh+set}" = set; then - withval="$with_rsh" +# Check whether user wants Kerberos support +KRB4_MSG="no" +# Check whether --with-kerberos4 or --without-kerberos4 was given. +if test "${with_kerberos4+set}" = set; then + withval="$with_kerberos4" - if test "x$withval" != "$no" ; then - rsh_path=$withval - fi + if test "x$withval" != "xno" ; then + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R${withval}/lib" + fi + if test ! -z "$blibpath" ; then + blibpath="$blibpath:${withval}/lib" + fi + else + if test -d /usr/include/kerberosIV ; then + CPPFLAGS="$CPPFLAGS -I/usr/include/kerberosIV" + fi + fi + + for ac_hdr in krb.h +do +ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` +echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 +echo "configure:6608: checking for $ac_hdr" >&5 +if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 else - - # Extract the first word of "rsh", so it can be a program name with args. 
-set dummy rsh; ac_word=$2 + cat > conftest.$ac_ext < +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:6618: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_header_$ac_safe=no" +fi +rm -f conftest* +fi +if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` + cat >> confdefs.h <&6 +fi +done + + if test "$ac_cv_header_krb_h" != yes; then + echo "configure: warning: Cannot find krb.h, build may fail" 1>&2 + fi + echo $ac_n "checking for main in -lkrb""... $ac_c" 1>&6 +echo "configure:6648: checking for main in -lkrb" >&5 +ac_lib_var=`echo krb'_'main | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lkrb $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo krb | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +fi + + if test "$ac_cv_lib_krb_main" != yes; then + echo $ac_n "checking for main in -lkrb4""... 
$ac_c" 1>&6 +echo "configure:6692: checking for main in -lkrb4" >&5 +ac_lib_var=`echo krb4'_'main | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lkrb4 $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo krb4 | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +fi + + if test "$ac_cv_lib_krb4_main" != yes; then + echo "configure: warning: Cannot find libkrb nor libkrb4, build may fail" 1>&2 + else + KLIBS="-lkrb4" + fi + else + KLIBS="-lkrb" + fi + echo $ac_n "checking for des_cbc_encrypt in -ldes""... 
$ac_c" 1>&6 +echo "configure:6743: checking for des_cbc_encrypt in -ldes" >&5 +ac_lib_var=`echo des'_'des_cbc_encrypt | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-ldes $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo des | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +fi + + if test "$ac_cv_lib_des_des_cbc_encrypt" != yes; then + echo $ac_n "checking for des_cbc_encrypt in -ldes425""... $ac_c" 1>&6 +echo "configure:6791: checking for des_cbc_encrypt in -ldes425" >&5 +ac_lib_var=`echo des425'_'des_cbc_encrypt | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-ldes425 $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo des425 | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +fi + + if test "$ac_cv_lib_des425_des_cbc_encrypt" != yes; then + echo "configure: warning: Cannot find libdes nor libdes425, build may 
fail" 1>&2 + else + KLIBS="-ldes425" + fi + else + KLIBS="-ldes" + fi + echo $ac_n "checking for dn_expand in -lresolv""... $ac_c" 1>&6 +echo "configure:6846: checking for dn_expand in -lresolv" >&5 +ac_lib_var=`echo resolv'_'dn_expand | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lresolv $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo resolv | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +fi + + KRB4=yes + KRB4_MSG="yes" + cat >> confdefs.h <<\EOF +#define KRB4 1 +EOF + + fi + + +fi + + +# Check whether user wants AFS support +AFS_MSG="no" +# Check whether --with-afs or --without-afs was given. +if test "${with_afs+set}" = set; then + withval="$with_afs" + + if test "x$withval" != "xno" ; then + + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + fi + + if test -z "$KRB4" ; then + echo "configure: warning: AFS requires Kerberos IV support, build may fail" 1>&2 + fi + + LIBS="-lkafs $LIBS" + if test ! -z "$AFS_LIBS" ; then + LIBS="$LIBS $AFS_LIBS" + fi + cat >> confdefs.h <<\EOF +#define AFS 1 +EOF + + AFS_MSG="yes" + fi + + +fi + +LIBS="$LIBS $KLIBS" + +# Looking for programs, paths and files +# Check whether --with-rsh or --without-rsh was given. 
+if test "${with_rsh+set}" = set; then + withval="$with_rsh" + + if test "x$withval" != "$no" ; then + rsh_path=$withval + fi + +else + + # Extract the first word of "rsh", so it can be a program name with args. +set dummy rsh; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:6789: checking for $ac_word" >&5 +echo "configure:6951: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_rsh_path'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -6835,7 +6997,7 @@ # Extract the first word of "xauth", so it can be a program name with args. set dummy xauth; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:6839: checking for $ac_word" >&5 +echo "configure:7001: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_xauth_path'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -6906,7 +7068,7 @@ ac_safe=`echo ""/dev/ptmx"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/ptmx"""... $ac_c" 1>&6 -echo "configure:6910: checking for "/dev/ptmx"" >&5 +echo "configure:7072: checking for "/dev/ptmx"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -6939,7 +7101,7 @@ ac_safe=`echo ""/dev/ptc"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/ptc"""... $ac_c" 1>&6 -echo "configure:6943: checking for "/dev/ptc"" >&5 +echo "configure:7105: checking for "/dev/ptc"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -6990,7 +7152,7 @@ ac_safe=`echo ""/dev/urandom"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/urandom"""... $ac_c" 1>&6 -echo "configure:6994: checking for "/dev/urandom"" >&5 +echo "configure:7156: checking for "/dev/urandom"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -7060,7 +7222,7 @@ # Check for existing socket only if we don't have a random device already if test -z "$RANDOM_POOL" ; then echo $ac_n "checking for PRNGD/EGD socket""... $ac_c" 1>&6 -echo "configure:7064: checking for PRNGD/EGD socket" >&5 +echo "configure:7226: checking for PRNGD/EGD socket" >&5 # Insert other locations here for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then @@ -7093,7 +7255,7 @@ # Extract the first word of "ls", so it can be a program name with args. set dummy ls; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7097: checking for $ac_word" >&5 +echo "configure:7259: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_LS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7134,7 +7296,7 @@ # Extract the first word of "netstat", so it can be a program name with args. set dummy netstat; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7138: checking for $ac_word" >&5 +echo "configure:7300: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_NETSTAT'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7175,7 +7337,7 @@ # Extract the first word of "arp", so it can be a program name with args. set dummy arp; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7179: checking for $ac_word" >&5 +echo "configure:7341: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_ARP'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -7216,7 +7378,7 @@ # Extract the first word of "ifconfig", so it can be a program name with args. set dummy ifconfig; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7220: checking for $ac_word" >&5 +echo "configure:7382: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_IFCONFIG'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7257,7 +7419,7 @@ # Extract the first word of "ps", so it can be a program name with args. set dummy ps; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7261: checking for $ac_word" >&5 +echo "configure:7423: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_PS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7298,7 +7460,7 @@ # Extract the first word of "w", so it can be a program name with args. set dummy w; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7302: checking for $ac_word" >&5 +echo "configure:7464: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_W'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7339,7 +7501,7 @@ # Extract the first word of "who", so it can be a program name with args. set dummy who; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7343: checking for $ac_word" >&5 +echo "configure:7505: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_WHO'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7380,7 +7542,7 @@ # Extract the first word of "last", so it can be a program name with args. set dummy last; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7384: checking for $ac_word" >&5 +echo "configure:7546: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_LAST'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -7421,7 +7583,7 @@ # Extract the first word of "lastlog", so it can be a program name with args. set dummy lastlog; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7425: checking for $ac_word" >&5 +echo "configure:7587: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_LASTLOG'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7462,7 +7624,7 @@ # Extract the first word of "df", so it can be a program name with args. set dummy df; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7466: checking for $ac_word" >&5 +echo "configure:7628: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_DF'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7503,7 +7665,7 @@ # Extract the first word of "vmstat", so it can be a program name with args. set dummy vmstat; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7507: checking for $ac_word" >&5 +echo "configure:7669: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_VMSTAT'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7544,7 +7706,7 @@ # Extract the first word of "uptime", so it can be a program name with args. set dummy uptime; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7548: checking for $ac_word" >&5 +echo "configure:7710: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_UPTIME'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -7585,7 +7747,7 @@ # Extract the first word of "ipcs", so it can be a program name with args. set dummy ipcs; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7589: checking for $ac_word" >&5 +echo "configure:7751: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_IPCS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -7626,7 +7788,7 @@ # Extract the first word of "tail", so it can be a program name with args. set dummy tail; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:7630: checking for $ac_word" >&5 +echo "configure:7792: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_TAIL'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -7673,24 +7835,74 @@ if test "${with_catman+set}" = set; then withval="$with_catman" - MANTYPE='$(CATMAN)' - if test x"$withval" != x"yes" ; then - mansubdir=$withval - else - mansubdir=cat - fi - -else - - if test -z "$MANTYPE" ; then - MANTYPE='$(TROFFMAN)' - mansubdir=man - fi + case "$withval" in + man|cat|doc) + MANTYPE=$withval + ;; + *) + { echo "configure: error: invalid man type: $withval" 1>&2; exit 1; } + ;; + esac fi +if test -z "$MANTYPE"; then + for ac_prog in nroff awf +do +# Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:7857: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_NROFF'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + case "$NROFF" in + /*) + ac_cv_path_NROFF="$NROFF" # Let the user override the test with a path. + ;; + ?:/*) + ac_cv_path_NROFF="$NROFF" # Let the user override the test with a dos path. + ;; + *) + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="/usr/bin:/usr/ucb" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_NROFF="$ac_dir/$ac_word" + break + fi + done + IFS="$ac_save_ifs" + ;; +esac +fi +NROFF="$ac_cv_path_NROFF" +if test -n "$NROFF"; then + echo "$ac_t""$NROFF" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +test -n "$NROFF" && break +done +test -n "$NROFF" || NROFF="/bin/false" + + if ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then + MANTYPE=doc + elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then + MANTYPE=man + else + MANTYPE=cat + fi +fi +if test "$MANTYPE" = "doc"; then + mansubdir=man; +else + mansubdir=$MANTYPE; +fi # Check whether to enable MD5 passwords 
@@ -7730,9 +7942,9 @@ if test -z "$disable_shadow" ; then echo $ac_n "checking if the systems has expire shadow information""... $ac_c" 1>&6 -echo "configure:7734: checking if the systems has expire shadow information" >&5 +echo "configure:7946: checking if the systems has expire shadow information" >&5 cat > conftest.$ac_ext < @@ -7743,7 +7955,7 @@ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ; return 0; } EOF -if { (eval echo configure:7747: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:7959: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* sp_expire_available=yes else @@ -7810,7 +8022,7 @@ else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:8058: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then user_path=`cat conftest.stdpath` else @@ -7899,7 +8111,7 @@ echo $ac_n "checking if we need to convert IPv4 in IPv6-mapped addresses""... $ac_c" 1>&6 -echo "configure:7903: checking if we need to convert IPv4 in IPv6-mapped addresses" >&5 +echo "configure:8115: checking if we need to convert IPv4 in IPv6-mapped addresses" >&5 IPV4_IN6_HACK_MSG="no" # Check whether --with-4in6 or --without-4in6 was given. if test "${with_4in6+set}" = set; then @@ -7951,7 +8163,7 @@ echo $ac_n "checking whether to install ssh as suid root""... $ac_c" 1>&6 -echo "configure:7955: checking whether to install ssh as suid root" >&5 +echo "configure:8167: checking whether to install ssh as suid root" >&5 # Check whether --enable-suid-ssh or --disable-suid-ssh was given. if test "${enable_suid_ssh+set}" = set; then enableval="$enable_suid_ssh" 
@@ -8100,9 +8312,9 @@ echo $ac_n "checking if your system defines LASTLOG_FILE""... $ac_c" 1>&6 -echo "configure:8104: checking if your system defines LASTLOG_FILE" >&5 +echo "configure:8316: checking if your system defines LASTLOG_FILE" >&5 cat > conftest.$ac_ext < @@ -8118,7 +8330,7 @@ char *lastlog = LASTLOG_FILE; ; return 0; } EOF -if { (eval echo configure:8122: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:8334: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -8128,9 +8340,9 @@ echo "$ac_t""no" 1>&6 echo $ac_n "checking if your system defines _PATH_LASTLOG""... $ac_c" 1>&6 -echo "configure:8132: checking if your system defines _PATH_LASTLOG" >&5 +echo "configure:8344: checking if your system defines _PATH_LASTLOG" >&5 cat > conftest.$ac_ext < @@ -8146,7 +8358,7 @@ char *lastlog = _PATH_LASTLOG; ; return 0; } EOF -if { (eval echo configure:8150: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:8362: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -8185,9 +8397,9 @@ fi echo $ac_n "checking if your system defines UTMP_FILE""... $ac_c" 1>&6 -echo "configure:8189: checking if your system defines UTMP_FILE" >&5 +echo "configure:8401: checking if your system defines UTMP_FILE" >&5 cat > conftest.$ac_ext < @@ -8200,7 +8412,7 @@ char *utmp = UTMP_FILE; ; return 0; } EOF -if { (eval echo configure:8204: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:8416: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -8235,9 +8447,9 @@ fi echo $ac_n "checking if your system defines WTMP_FILE""... $ac_c" 1>&6 -echo "configure:8239: checking if your system defines WTMP_FILE" >&5 +echo "configure:8451: checking if your system defines WTMP_FILE" >&5 cat > conftest.$ac_ext < 
@@ -8250,7 +8462,7 @@ char *wtmp = WTMP_FILE; ; return 0; } EOF -if { (eval echo configure:8254: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:8466: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -8286,9 +8498,9 @@ echo $ac_n "checking if your system defines UTMPX_FILE""... $ac_c" 1>&6 -echo "configure:8290: checking if your system defines UTMPX_FILE" >&5 +echo "configure:8502: checking if your system defines UTMPX_FILE" >&5 cat > conftest.$ac_ext < @@ -8304,7 +8516,7 @@ char *utmpx = UTMPX_FILE; ; return 0; } EOF -if { (eval echo configure:8308: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:8520: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -8331,9 +8543,9 @@ fi echo $ac_n "checking if your system defines WTMPX_FILE""... $ac_c" 1>&6 -echo "configure:8335: checking if your system defines WTMPX_FILE" >&5 +echo "configure:8547: checking if your system defines WTMPX_FILE" >&5 cat > conftest.$ac_ext < @@ -8349,7 +8561,7 @@ char *wtmpx = WTMPX_FILE; ; return 0; } EOF -if { (eval echo configure:8353: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:8565: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -8401,12 +8613,12 @@ fi echo $ac_n "checking for Cygwin environment""... $ac_c" 1>&6 -echo "configure:8405: checking for Cygwin environment" >&5 +echo "configure:8617: checking for Cygwin environment" >&5 if eval "test \"`echo '$''{'ac_cv_cygwin'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:8633: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_cygwin=yes else 
@@ -8434,19 +8646,19 @@ CYGWIN= test "$ac_cv_cygwin" = yes && CYGWIN=yes echo $ac_n "checking for mingw32 environment""... $ac_c" 1>&6 -echo "configure:8438: checking for mingw32 environment" >&5 +echo "configure:8650: checking for mingw32 environment" >&5 if eval "test \"`echo '$''{'ac_cv_mingw32'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:8662: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_mingw32=yes else @@ -8465,7 +8677,7 @@ echo $ac_n "checking for executable suffix""... $ac_c" 1>&6 -echo "configure:8469: checking for executable suffix" >&5 +echo "configure:8681: checking for executable suffix" >&5 if eval "test \"`echo '$''{'ac_cv_exeext'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -8475,7 +8687,7 @@ rm -f conftest* echo 'int main () { return 0; }' > conftest.$ac_ext ac_cv_exeext= - if { (eval echo configure:8479: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; }; then + if { (eval echo configure:8691: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; }; then for file in conftest.*; do case $file in *.c | *.o | *.obj) ;; @@ -8667,6 +8879,7 @@ s%@PROG_IPCS@%$PROG_IPCS%g s%@PROG_TAIL@%$PROG_TAIL%g s%@INSTALL_SSH_PRNG_CMDS@%$INSTALL_SSH_PRNG_CMDS%g +s%@NROFF@%$NROFF%g s%@MANTYPE@%$MANTYPE%g s%@mansubdir@%$mansubdir%g s%@user_path@%$user_path%g @@ -8895,11 +9108,6 @@ # Print summary of options -if test x$MANTYPE = x'$(CATMAN)' ; then - MAN_MSG=cat -else - MAN_MSG=man -fi if test ! -z "$RANDOM_POOL" ; then RAND_MSG="Device ($RANDOM_POOL)" else @@ -8924,7 +9132,7 @@ H=`eval echo ${user_path}` ; H=`eval echo ${H}` echo "" -echo "OpenSSH configured has been configured with the following options." +echo "OpenSSH has been configured with the following options:" echo " User binaries: $B" echo " System binaries: $C" echo " Configuration files: $D" 
@@ -8933,7 +9141,7 @@ echo " PID file: $G" echo " sshd default user PATH: $H" echo " Random number collection: $RAND_MSG" -echo " Manpage format: $MAN_MSG" +echo " Manpage format: $MANTYPE" echo " PAM support: ${PAM_MSG}" echo " KerberosIV support: $KRB4_MSG" echo " AFS support: $AFS_MSG" diff -ru openssh-2.5.2p2/configure.in openssh-2.9p1/configure.in --- openssh-2.5.2p2/configure.in 2001-03-19 10:09:28.000000000 +1100 +++ openssh-2.9p1/configure.in 2001-04-26 14:40:28.000000000 +1000 @@ -1,4 +1,4 @@ -# $Id: configure.in,v 1.267 2001/03/18 23:09:28 djm Exp $ +# $Id: configure.in,v 1.282 2001/04/26 04:40:28 tim Exp $ AC_INIT(ssh.c) @@ -12,7 +12,7 @@ AC_PROG_RANLIB AC_PROG_INSTALL AC_PATH_PROG(AR, ar) -AC_PATH_PROG(PERL, perl) +AC_PATH_PROGS(PERL, perl5 perl) AC_SUBST(PERL) AC_PATH_PROG(ENT, ent) AC_SUBST(ENT) @@ -58,12 +58,8 @@ fi AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)]) AC_DEFINE(BROKEN_GETADDRINFO) - MANTYPE='$(CATMAN)' - mansubdir=cat dnl AIX handles lastlog as part of its login message AC_DEFINE(DISABLE_LASTLOG) - MANTYPE='$(CATMAN)' - mansubdir=cat ;; *-*-cygwin*) LIBS="$LIBS -lregex /usr/lib/textmode.o" @@ -71,7 +67,6 @@ AC_DEFINE(DISABLE_SHADOW) AC_DEFINE(IPV4_DEFAULT) AC_DEFINE(IP_TOS_IS_BROKEN) - AC_DEFINE(BROKEN_VHANGUP) AC_DEFINE(NO_X11_UNIX_SOCKETS) no_libsocket=1 no_libnsl=1 @@ -90,8 +85,6 @@ AC_DEFINE(DISABLE_UTMP) AC_DEFINE(SPT_TYPE,SPT_PSTAT) LIBS="$LIBS -lsec" - MANTYPE='$(CATMAN)' - mansubdir=cat ;; *-*-hpux11*) CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE" @@ -102,14 +95,11 @@ AC_DEFINE(DISABLE_UTMP) AC_DEFINE(SPT_TYPE,SPT_PSTAT) LIBS="$LIBS -lsec" - MANTYPE='$(CATMAN)' - mansubdir=cat ;; *-*-irix5*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS" PATH="$PATH:/usr/etc" - MANTYPE='$(CATMAN)' no_libsocket=1 no_libnsl=1 AC_DEFINE(BROKEN_INET_NTOA) 
@@ -118,7 +108,6 @@ CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS" PATH="$PATH:/usr/etc" - MANTYPE='$(CATMAN)' AC_DEFINE(WITH_IRIX_ARRAY) AC_DEFINE(WITH_IRIX_PROJECT) AC_DEFINE(WITH_IRIX_AUDIT) @@ -126,7 +115,6 @@ no_libsocket=1 no_libnsl=1 AC_DEFINE(BROKEN_INET_NTOA) - mansubdir=man ;; *-*-linux*) no_dev_ptmx=1 @@ -186,56 +174,43 @@ conf_wtmp_location=/var/adm/wtmp conf_lastlog_location=/var/adm/lastlog AC_DEFINE(USE_PIPES) - MANTYPE='$(CATMAN)' - mansubdir=cat ;; *-ncr-sysv*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - MANTYPE='$(CATMAN)' - mansubdir=cat LIBS="$LIBS -lc89 -lnsl -lgen -lsocket" + AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H) ;; *-sni-sysv*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib -L/usr/ucblib" - MANTYPE='$(CATMAN)' IPADDR_IN_DISPLAY=yes AC_DEFINE(USE_PIPES) AC_DEFINE(IP_TOS_IS_BROKEN) AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H) - mansubdir=cat LIBS="$LIBS -lgen -lnsl -lucb" ;; *-*-sysv4.2*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - MANTYPE='$(CATMAN)' - mansubdir=cat enable_suid_ssh=no AC_DEFINE(USE_PIPES) ;; *-*-sysv5*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - MANTYPE='$(CATMAN)' - mansubdir=cat enable_suid_ssh=no AC_DEFINE(USE_PIPES) ;; *-*-sysv*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - MANTYPE='$(CATMAN)' - mansubdir=cat LIBS="$LIBS -lgen -lsocket" ;; *-*-sco3.2v4*) CPPFLAGS="$CPPFLAGS -Dftruncate=chsize -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - MANTYPE='$(CATMAN)' LIBS="$LIBS -lgen -lsocket -los -lprot -lx -ltinfo -lm" - mansubdir=cat rsh_path="/usr/bin/rcmd" RANLIB=true no_dev_ptmx=1 
@@ -246,13 +221,12 @@ AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H) AC_DEFINE(BROKEN_SAVED_UIDS) AC_CHECK_FUNCS(getluid setluid) + MANTYPE=man ;; *-*-sco3.2v5*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" LIBS="$LIBS -lprot -lx -ltinfo -lm" - MANTYPE='$(CATMAN)' - mansubdir=cat no_dev_ptmx=1 rsh_path="/usr/bin/rcmd" AC_DEFINE(USE_PIPES) @@ -260,6 +234,7 @@ AC_DEFINE(DISABLE_SHADOW) AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H) AC_CHECK_FUNCS(getluid setluid) + MANTYPE=man ;; *-dec-osf*) if test ! -z "USE_SIA" ; then @@ -368,7 +343,7 @@ AC_FUNC_STRFTIME # Checks for header files. -AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h getopt.h glob.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h regex.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/queue.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h) +AC_CHECK_HEADERS(bstring.h crypt.h endian.h floatingpoint.h getopt.h glob.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h regex.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/queue.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h) # Check for ALTDIRFUNC glob() extension AC_MSG_CHECKING(for GLOB_ALTDIRFUNC support) 
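Review bot: The `*-dec-osf*` context line `if test ! -z "USE_SIA" ; then` tests a literal string rather than a variable, so the condition is always true; if it is meant to key on a configure variable it should read `if test ! -z "$USE_SIA" ; then`. This is pre-existing context rather than part of the change, and the case body it guards lies outside the hunk, so I cannot tell from here what it enables. The two new `MANTYPE=man` assignments for the SCO cases are consistent with the `if test -z "$MANTYPE"` autodetection path shown in the generated configure elsewhere in this diff.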
@@ -404,74 +379,19 @@ ] ) - - -# Check whether user wants Kerberos support -KRB4_MSG="no" -AC_ARG_WITH(kerberos4, - [ --with-kerberos4=PATH Enable Kerberos 4 support], +AC_MSG_CHECKING([whether struct dirent allocates space for d_name]) +AC_TRY_RUN( [ - if test "x$withval" != "xno" ; then - - if test "x$withval" != "xyes" ; then - CPPFLAGS="$CPPFLAGS -I${withval}/include" - LDFLAGS="$LDFLAGS -L${withval}/lib" - if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R${withval}/lib" - fi - if test ! -z "$blibpath" ; then - blibpath="$blibpath:${withval}/lib" - fi - else - if test -d /usr/include/kerberosIV ; then - CPPFLAGS="$CPPFLAGS -I/usr/include/kerberosIV" - fi - fi - - AC_CHECK_HEADERS(krb.h) - AC_CHECK_LIB(krb, main) - if test "$ac_cv_header_krb_h" != yes; then - AC_MSG_WARN([Cannot find krb.h, build may fail]) - fi - if test "$ac_cv_lib_krb_main" != yes; then - AC_MSG_WARN([Cannot find libkrb, build may fail]) - fi - - KLIBS="-lkrb -ldes" - AC_CHECK_LIB(resolv, dn_expand, , ) - KRB4=yes - KRB4_MSG="yes" - AC_DEFINE(KRB4) - fi - ] -) - -# Check whether user wants AFS support -AFS_MSG="no" -AC_ARG_WITH(afs, - [ --with-afs=PATH Enable AFS support], +#include +#include +int main(void){struct dirent d;return(sizeof(d.d_name)<=sizeof(char));} + ], + [AC_MSG_RESULT(yes)], [ - if test "x$withval" != "xno" ; then - - if test "x$withval" != "xyes" ; then - CPPFLAGS="$CPPFLAGS -I${withval}/include" - LDFLAGS="$LDFLAGS -L${withval}/lib" - fi - - if test -z "$KRB4" ; then - AC_MSG_WARN([AFS requires Kerberos IV support, build may fail]) - fi - - LIBS="$LIBS -lkafs" - if test ! -z "$AFS_LIBS" ; then - LIBS="$LIBS $AFS_LIBS" - fi - AC_DEFINE(AFS) - AFS_MSG="yes" - fi + AC_MSG_RESULT(no) + AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME) ] ) -LIBS="$LIBS $KLIBS" # Check whether user wants S/Key support SKEY_MSG="no" 
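Review bot: The new `AC_TRY_RUN` for `struct dirent` has no fourth (action-if-cross-compiling) argument, so under autoconf 2.13 a cross-compiling configure aborts at this test instead of picking a default; adding something like `[AC_MSG_RESULT([cross-compiling, assuming default]); AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME)]` (or the opposite default, whichever the port prefers) avoids that. Note also that the action-if-false branch runs when the test program fails to compile or link, not only when it returns non-zero, so a missing header would silently define `BROKEN_ONE_BYTE_DIRENT_D_NAME`. The two `#include` lines of the test program have lost their header names in this rendering, so I cannot check them here. The Kerberos IV/AFS block removed from this position reappears later in the generated configure in this diff, but its configure.in counterpart is outside this hunk.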
@@ -527,7 +447,7 @@ ) dnl Checks for library functions. -AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_sa clock fchown fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getgrouplist getnameinfo getrlimit getrusage getttyent getusershell glob inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strmode strsep strtok_r sysconf tcgetpgrp utimes vsnprintf vhangup vis waitpid _getpty __b64_ntop) +AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_sa clock fchown fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getgrouplist getnameinfo getrlimit getrusage getttyent getusershell glob inet_aton inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv setegid seteuid setlogin setproctitle setresgid setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strmode strsep strtok_r sysconf tcgetpgrp utimes vsnprintf vhangup vis waitpid _getpty __b64_ntop) dnl Checks for time functions AC_CHECK_FUNCS(gettimeofday time) dnl Checks for libutil functions 
@@ -650,22 +570,22 @@ # Try to use $ssldir/lib if it exists, otherwise # $ssldir if test -d "$ssldir/lib" ; then - LDFLAGS="$saved_LDFLAGS -L$ssldir/lib" + LDFLAGS="-L$ssldir/lib $saved_LDFLAGS" if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R$ssldir/lib" + LDFLAGS="-R$ssldir/lib $LDFLAGS" fi else - LDFLAGS="$saved_LDFLAGS -L$ssldir" + LDFLAGS="-L$ssldir $saved_LDFLAGS" if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R$ssldir" + LDFLAGS="-R$ssldir $LDFLAGS" fi fi # Try to use $ssldir/include if it exists, otherwise # $ssldir if test -d "$ssldir/include" ; then - CPPFLAGS="$saved_CPPFLAGS -I$ssldir/include" + CPPFLAGS="-I$ssldir/include $saved_CPPFLAGS" else - CPPFLAGS="$saved_CPPFLAGS -I$ssldir" + CPPFLAGS="-I$ssldir $saved_CPPFLAGS" fi fi @@ -712,22 +632,22 @@ # Try to use $ssldir/lib if it exists, otherwise # $ssldir if test -d "$ssldir/lib" ; then - LDFLAGS="$saved_LDFLAGS -L$ssldir/lib" + LDFLAGS="-L$ssldir/lib $saved_LDFLAGS" if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R$ssldir/lib" + LDFLAGS="-R$ssldir/lib $LDFLAGS" fi else - LDFLAGS="$saved_LDFLAGS -L$ssldir" + LDFLAGS="-L$ssldir $saved_LDFLAGS" if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R$ssldir" + LDFLAGS="-R$ssldir $LDFLAGS" fi fi # Try to use $ssldir/include if it exists, otherwise # $ssldir if test -d "$ssldir/include" ; then - CPPFLAGS="$saved_CPPFLAGS -I$ssldir/include" + CPPFLAGS="-I$ssldir/include $saved_CPPFLAGS" else - CPPFLAGS="$saved_CPPFLAGS -I$ssldir" + CPPFLAGS="-I$ssldir $saved_CPPFLAGS" fi fi fi 
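Review bot: The flag-reordering block is written out twice, once in the hunk at -650 and again identically in the hunk at -712, and both copies now have to be kept in step by hand; the `-L`/`-R`/`-I` prepending could live in one shell function or m4 macro that both call sites invoke with `$ssldir`. Placing the user-supplied OpenSSL directory ahead of `$saved_LDFLAGS` and `$saved_CPPFLAGS` is the right order for making that directory win over a system copy, so the duplication is the only point here. Both hunks are complete within this page.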
@@ -1247,6 +1167,89 @@ fi +# Check whether user wants Kerberos support +KRB4_MSG="no" +AC_ARG_WITH(kerberos4, + [ --with-kerberos4=PATH Enable Kerberos 4 support], + [ + if test "x$withval" != "xno" ; then + + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R${withval}/lib" + fi + if test ! -z "$blibpath" ; then + blibpath="$blibpath:${withval}/lib" + fi + else + if test -d /usr/include/kerberosIV ; then + CPPFLAGS="$CPPFLAGS -I/usr/include/kerberosIV" + fi + fi + + AC_CHECK_HEADERS(krb.h) + if test "$ac_cv_header_krb_h" != yes; then + AC_MSG_WARN([Cannot find krb.h, build may fail]) + fi + AC_CHECK_LIB(krb, main) + if test "$ac_cv_lib_krb_main" != yes; then + AC_CHECK_LIB(krb4, main) + if test "$ac_cv_lib_krb4_main" != yes; then + AC_MSG_WARN([Cannot find libkrb nor libkrb4, build may fail]) + else + KLIBS="-lkrb4" + fi + else + KLIBS="-lkrb" + fi + AC_CHECK_LIB(des, des_cbc_encrypt) + if test "$ac_cv_lib_des_des_cbc_encrypt" != yes; then + AC_CHECK_LIB(des425, des_cbc_encrypt) + if test "$ac_cv_lib_des425_des_cbc_encrypt" != yes; then + AC_MSG_WARN([Cannot find libdes nor libdes425, build may fail]) + else + KLIBS="-ldes425" + fi + else + KLIBS="-ldes" + fi + AC_CHECK_LIB(resolv, dn_expand, , ) + KRB4=yes + KRB4_MSG="yes" + AC_DEFINE(KRB4) + fi + ] +) + +# Check whether user wants AFS support +AFS_MSG="no" +AC_ARG_WITH(afs, + [ --with-afs=PATH Enable AFS support], + [ + if test "x$withval" != "xno" ; then + + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + fi + + if test -z "$KRB4" ; then + AC_MSG_WARN([AFS requires Kerberos IV support, build may fail]) + fi + + LIBS="-lkafs $LIBS" + if test ! 
-z "$AFS_LIBS" ; then + LIBS="$LIBS $AFS_LIBS" + fi + AC_DEFINE(AFS) + AFS_MSG="yes" + fi + ] +) +LIBS="$LIBS $KLIBS" + # Looking for programs, paths and files AC_ARG_WITH(rsh, [ --with-rsh=PATH Specify path to remote shell program ], @@ -1399,22 +1402,34 @@ AC_ARG_WITH(catman, - [ --with-catman=man|cat Install preformatted manpages[no]], + [ --with-mantype=man|cat|doc Set man page type], [ - MANTYPE='$(CATMAN)' - if test x"$withval" != x"yes" ; then - mansubdir=$withval - else - mansubdir=cat - fi - ], [ - if test -z "$MANTYPE" ; then - MANTYPE='$(TROFFMAN)' - mansubdir=man - fi + case "$withval" in + man|cat|doc) + MANTYPE=$withval + ;; + *) + AC_MSG_ERROR(invalid man type: $withval) + ;; + esac ] ) +if test -z "$MANTYPE"; then + AC_PATH_PROGS(NROFF, nroff awf, /bin/false, /usr/bin:/usr/ucb) + if ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then + MANTYPE=doc + elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then + MANTYPE=man + else + MANTYPE=cat + fi +fi AC_SUBST(MANTYPE) +if test "$MANTYPE" = "doc"; then + mansubdir=man; +else + mansubdir=$MANTYPE; +fi AC_SUBST(mansubdir) # Check whether to enable MD5 passwords @@ -1870,11 +1885,6 @@ # Print summary of options -if test x$MANTYPE = x'$(CATMAN)' ; then - MAN_MSG=cat -else - MAN_MSG=man -fi if test ! -z "$RANDOM_POOL" ; then RAND_MSG="Device ($RANDOM_POOL)" else @@ -1899,7 +1909,7 @@ H=`eval echo ${user_path}` ; H=`eval echo ${H}` echo "" -echo "OpenSSH configured has been configured with the following options." +echo "OpenSSH has been configured with the following options:" echo " User binaries: $B" echo " System binaries: $C" echo " Configuration files: $D" 
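Review bot: In the Kerberos 4 block, `KLIBS="-ldes"` and `KLIBS="-ldes425"` overwrite the `KLIBS="-lkrb"` or `KLIBS="-lkrb4"` assigned a few lines earlier, so the `LIBS="$LIBS $KLIBS"` at the end of the hunk only appends the DES library; the code this hunk replaces carried both with `KLIBS="-lkrb -ldes"`. Change the two DES assignments to `KLIBS="$KLIBS -ldes"` and `KLIBS="$KLIBS -ldes425"`. This is probably masked in practice because `AC_CHECK_LIB` with its default action also adds each found library to `LIBS`, which would explain builds working regardless.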
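Review bot: The man-page hunk changes the help string to `--with-mantype=man|cat|doc` but leaves the macro as `AC_ARG_WITH(catman,`, so the option configure actually honours is still `--with-catman`, while the documented `--with-mantype` would be accepted but have no effect; the first argument should become `AC_ARG_WITH(mantype,`. Separately, the trailing semicolons in `mansubdir=man;` and `mansubdir=$MANTYPE;` are harmless but out of step with the rest of the file.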
@@ -1908,7 +1918,7 @@ echo " PID file: $G" echo " sshd default user PATH: $H" echo " Random number collection: $RAND_MSG" -echo " Manpage format: $MAN_MSG" +echo " Manpage format: $MANTYPE" echo " PAM support: ${PAM_MSG}" echo " KerberosIV support: $KRB4_MSG" echo " AFS support: $AFS_MSG" diff -ru openssh-2.5.2p2/contrib/README openssh-2.9p1/contrib/README --- openssh-2.5.2p2/contrib/README 2001-03-04 08:43:19.000000000 +1100 +++ openssh-2.9p1/contrib/README 2001-04-29 22:27:05.000000000 +1000 @@ -11,9 +11,16 @@ In this directory ----------------- +SecurID.diff + +This patch from Theo Schlossnagle adds SecurID support +to portable OpenSSH. Please refer to the text at the start of the patch +and to the author's homepage at http://www.omniti.com/~jesus/projects/ for +more details. + chroot.diff: -Ricardo Cerqueira's patch to enable chrooting using the +Ricardo Cerqueira patch to enable chrooting using the wu-ftpd style magic home directories (containing '/./'). More details in the head of the patch itself. @@ -24,8 +31,8 @@ gnome-ssh-askpass: -A GNOME passphrase requester of my own creation. Compilation instructions -are in the top of the file. +A GNOME passphrase requester from Damien Miller with help +from several others. Compilation instructions are in the top of the file. sshd.pam.generic: @@ -42,9 +49,11 @@ on Solaris machines to provide manpages that are not preformated. Contributed by Mark D. Roth -redhat: +redhat/ -RPM spec file an scripts for building Redhat packages +Files useful for operation on Redhat Linux systems. NB. it is recommended +that you use the prepackaged RPM versions on Redhat, as they have been +better tested. suse: 
@@ -59,4 +68,5 @@ Jim Knoble has written an excellent X11 passphrase requester. This is highly recommended: -http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html +http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/ + Only in openssh-2.9p1/contrib: SecurID.diff diff -ru openssh-2.5.2p2/contrib/caldera/openssh.spec openssh-2.9p1/contrib/caldera/openssh.spec --- openssh-2.5.2p2/contrib/caldera/openssh.spec 2001-03-21 13:13:21.000000000 +1100 +++ openssh-2.9p1/contrib/caldera/openssh.spec 2001-04-27 15:50:49.000000000 +1000 
@@ -1,340 +1,281 @@ -# Version of OpenSSH -%define oversion 2.5.2p2 +%define askpass 1.2.0 -# Version of ssh-askpass -%define aversion 1.2.0 - -# Do we want to disable building of x11-askpass? (1=yes 0=no) -%define no_x11_askpass 0 - -# Do we want to disable building of gnome-askpass? (1=yes 0=no) -%define no_gnome_askpass 1 - -# Do we want to include contributed programs? (1=yes 0=no) -%define contrib_programs 1 - -Summary: OpenSSH free Secure Shell (SSH) implementation -Name: openssh -Version: %{oversion} -Release: 1 -Packager: Damien Miller -URL: http://www.openssh.com/ -Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{oversion}.tar.gz -Source1: http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz -Copyright: BSD -Group: Applications/Internet -BuildRoot: /var/tmp/openssh-%{Version}-buildroot -#BuildRoot: /tmp/openssh-%{Version}-buildroot -Obsoletes: ssh -PreReq: openssl >= 0.9.5a -Requires: openssl >= 0.9.5a -BuildPreReq: perl, openssl-devel, tcp_wrappers -BuildPreReq: /bin/login, /usr/bin/rsh, /usr/include/security/pam_appl.h -%if ! %{no_gnome_askpass} -BuildPreReq: gnome-libs-devel -%endif - -%package clients -Summary: OpenSSH Secure Shell protocol clients -Requires: openssh = %{Version}-%{release} -Group: Applications/Internet -Obsoletes: ssh-clients - -%package server -Summary: OpenSSH Secure Shell protocol server (sshd) -Group: System Environment/Daemons -Obsoletes: ssh-server -#PreReq: openssh chkconfig >= 0.9 - -%package askpass -Summary: OpenSSH X11 passphrase dialog -Group: Applications/Internet -Requires: openssh = %{Version}-%{release} -Obsoletes: ssh-extras - -%package askpass-gnome -Summary: OpenSSH GNOME passphrase dialog -Group: Applications/Internet -Requires: openssh = %{Version}-%{release} -Obsoletes: ssh-extras - -%description -Ssh (Secure Shell) a program for logging into a remote machine and for -executing commands in a remote machine. 
It is intended to replace -rlogin and rsh, and provide secure encrypted communications between -two untrusted hosts over an insecure network. X11 connections and -arbitrary TCP/IP ports can also be forwarded over the secure channel. - -OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it -up to date in terms of security and features, as well as removing all -patented algorithms to separate libraries (OpenSSL). - -This package includes the core files necessary for both the OpenSSH -client and server. To make this package useful, you should also -install openssh-clients, openssh-server, or both. - -%description clients -Ssh (Secure Shell) a program for logging into a remote machine and for -executing commands in a remote machine. It is intended to replace -rlogin and rsh, and provide secure encrypted communications between -two untrusted hosts over an insecure network. X11 connections and -arbitrary TCP/IP ports can also be forwarded over the secure channel. - -OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it -up to date in terms of security and features, as well as removing all -patented algorithms to separate libraries (OpenSSL). - -This package includes the clients necessary to make encrypted connections -to SSH servers. - -%description server -Ssh (Secure Shell) a program for logging into a remote machine and for -executing commands in a remote machine. It is intended to replace -rlogin and rsh, and provide secure encrypted communications between -two untrusted hosts over an insecure network. X11 connections and -arbitrary TCP/IP ports can also be forwarded over the secure channel. - -OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it -up to date in terms of security and features, as well as removing all -patented algorithms to separate libraries (OpenSSL). - -This package contains the secure shell daemon. 
The sshd is the server -part of the secure shell protocol and allows ssh clients to connect to -your host. - -%description askpass -Ssh (Secure Shell) a program for logging into a remote machine and for -executing commands in a remote machine. It is intended to replace -rlogin and rsh, and provide secure encrypted communications between -two untrusted hosts over an insecure network. X11 connections and -arbitrary TCP/IP ports can also be forwarded over the secure channel. - -OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it -up to date in terms of security and features, as well as removing all -patented algorithms to separate libraries (OpenSSL). - -This package contains Jim Knoble's X11 passphrase -dialog. - -%description askpass-gnome -Ssh (Secure Shell) a program for logging into a remote machine and for -executing commands in a remote machine. It is intended to replace -rlogin and rsh, and provide secure encrypted communications between -two untrusted hosts over an insecure network. X11 connections and -arbitrary TCP/IP ports can also be forwarded over the secure channel. - -OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it -up to date in terms of security and features, as well as removing all -patented algorithms to separate libraries (OpenSSL). - -This package contains the GNOME passphrase dialog. - -%prep - -%setup -a 1 - -%build - -%define _sysconfdir /etc/ssh - -CFLAGS="$RPM_OPT_FLAGS" \ - ./configure \ - --prefix=/usr \ - --sysconfdir=/etc/ssh \ - --libexecdir=%{_libexecdir}/openssh \ - --with-pam \ - --with-tcp-wrappers \ - --with-ipv4-default \ - --with-rsh=/usr/bin/rsh +Name : openssh +Version : 2.9p1 +Release : 1 +Group : System/Network + +Summary : OpenSSH free Secure Shell (SSH) implementation. +Summary(de) : OpenSSH - freie Implementation der Secure Shell (SSH). +Summary(es) : OpenSSH implementación libre de Secure Shell (SSH). +Summary(fr) : Implémentation libre du shell sécurisé OpenSSH (SSH). 
+Summary(it) : Implementazione gratuita OpenSSH della Secure Shell. +Summary(pt) : Implementação livre OpenSSH do protocolo 'Secure Shell' (SSH). + +Copyright : BSD +Packager : Stephan Seyboth +#Icon : . +URL : http://www.openssh.com/ + +Obsoletes : ssh, ssh-clients, openssh-clients + +BuildRoot : /tmp/%{Name}-%{Version} + +Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{Version}.tar.gz +Source1: http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{askpass}.tar.gz + + +%Package server +Group : System/Network +Requires : openssh = %{Version} +Obsoletes : ssh-server + +Summary : OpenSSH Secure Shell protocol server (sshd). +Summary(de) : OpenSSH Secure Shell Protocol Server (sshd). +Summary(es) : Servidor del protocolo OpenSSH Secure Shell (sshd). +Summary(fr) : Serveur de protocole du shell sécurisé OpenSSH (sshd). +Summary(it) : Server OpenSSH per il protocollo Secure Shell (sshd). +Summary(pt) : Servidor do protocolo 'Secure Shell' OpenSSH (sshd). + + +%Package askpass +Group : System/Network +Requires : openssh = %{Version} +Obsoletes : ssh-extras + +Summary : OpenSSH X11 pass-phrase dialog. +Summary(de) : OpenSSH X11 Passwort-Dialog. +Summary(es) : Aplicación de petición de frase clave OpenSSH X11. +Summary(fr) : Dialogue pass-phrase X11 d'OpenSSH. +Summary(it) : Finestra di dialogo X11 per la frase segreta di OpenSSH. +Summary(pt) : Diálogo de pedido de senha para X11 do OpenSSH. + + +%Description +OpenSSH (Secure Shell) provides access to a remote system. It replaces +telnet, rlogin, rexec, and rsh, and provides secure encrypted +communications between two untrusted hosts over an insecure network. +X11 connections and arbitrary TCP/IP ports can also be forwarded over +the secure channel. + +%Description -l de +OpenSSH (Secure Shell) stellt den Zugang zu anderen Rechnern her. 
Es ersetzt +telnet, rlogin, rexec und rsh und stellt eine sichere, verschlüsselte +Verbindung zwischen zwei nicht vertrauenswürdigen Hosts über eine unsicheres +Netzwerk her. X11 Verbindungen und beliebige andere TCP/IP Ports können ebenso +über den sicheren Channel weitergeleitet werden. + +%Description -l es +OpenSSH (Secure Shell) proporciona acceso a sistemas remotos. Reemplaza a +telnet, rlogin, rexec, y rsh, y proporciona comunicaciones seguras encriptadas +entre dos equipos entre los que no se ha establecido confianza a través de una +red insegura. Las conexiones X11 y puertos TCP/IP arbitrarios también pueden +ser canalizadas sobre el canal seguro. + +%Description -l fr +OpenSSH (Secure Shell) fournit un accès à un système distant. Il remplace +telnet, rlogin, rexec et rsh, tout en assurant des communications cryptées +securisées entre deux hôtes non fiabilisés sur un réseau non sécurisé. Des +connexions X11 et des ports TCP/IP arbitraires peuvent également être +transmis sur le canal sécurisé. + +%Description -l it +OpenSSH (Secure Shell) fornisce l'accesso ad un sistema remoto. +Sostituisce telnet, rlogin, rexec, e rsh, e fornisce comunicazioni sicure +e crittate tra due host non fidati su una rete non sicura. Le connessioni +X11 ad una porta TCP/IP arbitraria possono essere inoltrate attraverso +un canale sicuro. + +%Description -l pt +OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o +telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e cifradas +entre duas máquinas sem confiança mútua sobre uma rede insegura. +Ligações X11 e portos TCP/IP arbitrários também poder ser reenviados +pelos porto seguro. + +%Description server +This package installs the sshd, the server portion of OpenSSH. + +%Description -l de server +Dieses Paket installiert den sshd, den Server-Teil der OpenSSH. + +%Description -l es server +Este paquete instala sshd, la parte servidor de OpenSSH. 
+ +%Description -l fr server +Ce paquetage installe le 'sshd', partie serveur de OpenSSH. + +%Description -l it server +Questo pacchetto installa sshd, il server di OpenSSH. + +%Description -l pt server +Este pacote intala o sshd, o servidor do OpenSSH. + +%Description askpass +This package contains an X11-based passphrase dialog. + +%Description -l de askpass +Dieses Paket enthält einen X11-basierten Passwort Dialog. + +%Description -l es askpass +Este paquete contiene una aplicación para petición de frases-contraseña basada +en X11. + +%Description -l fr askpass +Ce paquetage contient un dialogue de passphrase basé sur X11. + +%Description -l it askpass +Questo pacchetto contiene una finestra di X11 che chiede la frase segreta. + +%Description -l pt askpass +Este pacote contém um diálogo de senha para o X11. + +%Prep +%setup +%setup -D -T -a1 + + +%Build +CFLAGS="$RPM_OPT_FLAGS" \ +./configure \ + --prefix=/usr \ + --sysconfdir=/etc/ssh \ + --libexecdir=/usr/lib/ssh \ + --with-pam \ + --with-tcp-wrappers \ + --with-ipv4-default \ make -%if ! %{no_x11_askpass} -cd x11-ssh-askpass-%{aversion} +cd x11-ssh-askpass-%{askpass} xmkmf -a make -cd .. -%endif -%if ! %{no_gnome_askpass} -cd contrib -gcc -O -g `gnome-config --cflags gnome gnomeui` \ - gnome-ssh-askpass.c -o gnome-ssh-askpass \ - `gnome-config --libs gnome gnomeui` -cd .. 
-%endif - -%install -rm -rf $RPM_BUILD_ROOT -make install DESTDIR=$RPM_BUILD_ROOT/ - -# setup the environment we want -perl -pi -e "s,PermitRootLogin yes,PermitRootLogin no,;" \ - -e "s,X11Forwarding no,X11Forwarding yes,;" \ - -e "s,CheckMail no,CheckMail yes,;" \ - -e "s,^#Subsystem sftp,Subsystem sftp,;" \ - $RPM_BUILD_ROOT/etc/ssh/sshd_config - -install -d $RPM_BUILD_ROOT/etc/pam.d/ -install -d $RPM_BUILD_ROOT/etc/rc.d/init.d -install -d $RPM_BUILD_ROOT/etc/sysconfig/daemons -install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh -install -d $RPM_BUILD_ROOT/usr/local/bin -install -d $RPM_BUILD_ROOT/usr/local/man/man1 -install -m644 contrib/caldera/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd -install -m755 contrib/caldera/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd -install -m755 contrib/caldera/sshd.daemons $RPM_BUILD_ROOT/etc/sysconfig/daemons/sshd -perl -pi -e "s,\@OPENSSH_VERSION\@,%{Name}-%{Version},g" \ - $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd -perl -pi -e "s,\@OPENSSH_VERSION\@,%{Name}-%{Version},g" \ - $RPM_BUILD_ROOT/etc/sysconfig/daemons/sshd -%if %{contrib_programs} -install -m755 contrib/make-ssh-known-hosts.pl $RPM_BUILD_ROOT/usr/local/bin -install -m644 contrib/make-ssh-known-hosts.1 $RPM_BUILD_ROOT/usr/local/man/man1 -install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT/usr/local/bin -install -m644 contrib/ssh-copy-id.1 $RPM_BUILD_ROOT/usr/local/man/man1 -%endif - -%if ! %{no_x11_askpass} -install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/openssh/x11-ssh-askpass -ln -s /usr/libexec/openssh/x11-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/openssh/ssh-askpass -install -d $RPM_BUILD_ROOT/usr/X11R6/man/man1 -install -c -m 0444 x11-ssh-askpass-%{aversion}/x11-ssh-askpass.man $RPM_BUILD_ROOT/usr/X11R6/man/man1/x11-ssh-askpass.1x -ln -s /usr/X11R6/man/man1/x11-ssh-askpass.1x $RPM_BUILD_ROOT/usr/X11R6/man/man1/ssh-askpass.1x -%endif - -%if ! 
%{no_gnome_askpass} -install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/openssh/gnome-ssh-askpass -%endif - -%clean -##rm -rf $RPM_BUILD_ROOT - -%post server -if [ "$1" = 1 ]; then - echo "Creating SSH stop/start scripts in the rc directories..." -# /sbin/chkconfig --add sshd - lisa --SysV-init install sshd S90 2:3:4:5 K05 0:1:6 -fi -if test -r /var/run/sshd.pid -then - echo "Restarting the running SSH daemon..." - /etc/rc.d/init.d/sshd restart >&2 + +%Install +%{mkDESTDIR} + +make DESTDIR="$DESTDIR" install + +make -C x11-ssh-askpass-%{askpass} DESTDIR="$DESTDIR" \ + BINDIR="/usr/lib/ssh" install + +%{fixManPages} + +# install remaining docs +NV="$DESTDIR%{_defaultdocdir}/%{Name}-%{Version}" +mkdir -p $NV +cp -a CREDITS ChangeLog LICENCE OVERVIEW README* TODO $NV +mkdir -p $NV/x11-ssh-askpass-%{askpass} +cp -a x11-ssh-askpass-%{askpass}/{README,ChangeLog,SshAskpass*.ad} \ + $NV/x11-ssh-askpass-%{askpass} + + +# OpenLinux specific configuration +mkdir -p $DESTDIR/{etc/pam.d,%{SVIcdir},%{SVIdir}} + +# enabling X11 forwarding on the server is convenient and okay, +# on the client side it's a potential security risk! +%{fixUP} -vg $DESTDIR/etc/ssh/sshd_config 'X11Forwarding no' \ + 'X11Forwarding yes' + +install -m644 contrib/caldera/sshd.pam $DESTDIR/etc/pam.d/sshd +# FIXME: disabled, find out why this doesn't work with nis +%{fixUP} -vg $DESTDIR/etc/pam.d/sshd '(.*pam_limits.*)' '#$1' + +install -m 0755 contrib/caldera/sshd.init $DESTDIR%{SVIdir}/sshd +%{fixUP} -T $DESTDIR/%{SVIdir} -e 's:\@SVIdir\@:%{SVIdir}:' +%{fixUP} -T $DESTDIR/%{SVIdir} -e 's:\@sysconfdir\@:/etc/ssh:' + +cat <<-EoD > $DESTDIR%{SVIcdir}/sshd + IDENT=sshd + DESCRIPTIVE="OpenSSH secure shell daemon" + # This service will be marked as 'skipped' on boot if there + # is no host key. 
Use ssh-host-keygen to generate one + ONBOOT="yes" + OPTIONS="" +EoD + +SKG=$DESTDIR/usr/sbin/ssh-host-keygen +install -m 0755 contrib/caldera/ssh-host-keygen $SKG +%{fixUP} -T $SKG -e 's:\@sysconfdir\@:/etc/ssh:' +%{fixUP} -T $SKG -e 's:\@sshkeygen\@:/usr/bin/ssh-keygen:' + + +# generate file lists +%{mkLists} -c %{Name} +%{mkLists} -d %{Name} << 'EOF' +/etc/ssh base +^/etc/ IGNORED +%{_defaultdocdir}/$ IGNORED +askpass askpass +* default +EOF +%{mkLists} -a -f %{Name} << 'EOF' +^/etc * prefix(%%config) +/usr/X11R6/lib/X11/app-defaults IGNORED +[Aa]skpass askpass +%{_defaultdocdir}/%{Name}-%{Version}/ base +ssh-keygen base +sshd server +sftp-server server +.* base +EOF + + +%Clean +%{rmDESTDIR} + + +%Post +# Generate host key when none is present to get up and running, +# both client and server require this for host-based auth! +# ssh-host-keygen checks for existing keys. +/usr/sbin/ssh-host-keygen +: # to protect the rpm database + + +%Post server +if [ -x %{LSBinit}-install ]; then + %{LSBinit}-install sshd else - echo "Starting the SSH daemon..." - /etc/rc.d/init.d/sshd start >&2 + lisa --SysV-init install sshd S55 3:4:5 K45 0:1:2:6 fi -%preun server -if [ "$1" = 0 ] ; then - echo "Stopping the SSH daemon..." - /etc/rc.d/init.d/sshd stop >&2 - echo "Removing SSH stop/start scripts from the rc directories..." -# /sbin/chkconfig --del sshd - lisa --SysV-init remove sshd $1 +! %{SVIdir}/sshd status || %{SVIdir}/sshd restart +: # to protect the rpm database + + +%PreUn server +[ "$1" = 0 ] || exit 0 + +! 
%{SVIdir}/sshd status || %{SVIdir}/sshd stop +: # to protect the rpm database + + +%PostUn server +if [ -x %{LSBinit}-remove ]; then + %{LSBinit}-remove sshd +else + lisa --SysV-init remove sshd $1 fi +: # to protect the rpm database -%files -%defattr(-,root,root) -%doc ChangeLog OVERVIEW README* INSTALL -%doc CREDITS LICENCE -%attr(0755,root,root) %{_bindir}/ssh-keygen -%attr(0755,root,root) %{_bindir}/scp -%attr(0755,root,root) %{_bindir}/ssh-keyscan -%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1* -%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1* -%attr(0644,root,root) %{_mandir}/man1/scp.1* -%attr(0755,root,root) %dir %{_sysconfdir} -%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/primes -%attr(0755,root,root) %dir %{_libexecdir}/openssh -%files clients +%Files -f files-%{Name}-base %defattr(-,root,root) -%attr(4755,root,root) %{_bindir}/ssh -%attr(0755,root,root) %{_bindir}/ssh-agent -%attr(0755,root,root) %{_bindir}/ssh-add -%attr(0755,root,root) %{_bindir}/ssh-keyscan -%attr(0755,root,root) %{_bindir}/sftp -%attr(0644,root,root) %{_mandir}/man1/ssh.1* -%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1* -%attr(0644,root,root) %{_mandir}/man1/ssh-add.1* -%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1* -%attr(0644,root,root) %{_mandir}/man1/sftp.1* -%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh_config -%attr(-,root,root) %{_bindir}/slogin -%attr(-,root,root) %{_mandir}/man1/slogin.1* -%if %{contrib_programs} -%attr(0755,root,root) /usr/local/bin/make-ssh-known-hosts.pl -%attr(0644,root,root) /usr/local/man/man1/make-ssh-known-hosts.1 -%attr(0755,root,root) /usr/local/bin/ssh-copy-id -%attr(0644,root,root) /usr/local/man/man1/ssh-copy-id.1 -%endif -%files server -%defattr(-,root,root) -%attr(0751,root,root) %{_sbindir}/sshd -%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server -%attr(0644,root,root) %{_mandir}/man8/sshd.8* -%attr(0644,root,root) %{_mandir}/man8/sftp-server.8* -#%attr(0600,root,root) %config(noreplace) 
%{_sysconfdir}/sshd_config -%attr(0600,root,root) %config %{_sysconfdir}/sshd_config -%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd -%attr(0755,root,root) %config /etc/rc.d/init.d/sshd -%attr(0755,root,root) %config /etc/sysconfig/daemons/sshd -%if ! %{no_x11_askpass} -%files askpass +%Files server -f files-%{Name}-server %defattr(-,root,root) -%doc x11-ssh-askpass-%{aversion}/README -%doc x11-ssh-askpass-%{aversion}/ChangeLog -%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad -%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass -%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass -%attr(0644,root,root) /usr/X11R6/man/man1/x11-ssh-askpass.1x -%attr(-,root,root) /usr/X11R6/man/man1/ssh-askpass.1x -%endif -%if ! %{no_gnome_askpass} -%files askpass-gnome + +%Files askpass -f files-%{Name}-askpass %defattr(-,root,root) -%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass -%endif -%changelog -* Mon Oct 18 2000 Damien Miller -- Merge some of Nalin Dahyabhai changes from the - Redhat 7.0 spec file -* Tue Sep 05 2000 Damien Miller -- Use RPM configure macro -* Tue Aug 08 2000 Damien Miller -- Some surgery to sshd.init (generate keys at runtime) -- Cleanup of groups and removal of keygen calls -* Wed Jul 12 2000 Damien Miller -- Make building of X11-askpass and gnome-askpass optional -* Mon Jun 12 2000 Damien Miller -- Glob manpages to catch compressed files -* Wed Mar 15 2000 Damien Miller -- Updated for new location -- Updated for new gnome-ssh-askpass build -* Sun Dec 26 1999 Damien Miller -- Added Jim Knoble's askpass -* Mon Nov 15 1999 Damien Miller -- Split subpackages further based on patch from jim knoble -* Sat Nov 13 1999 Damien Miller -- Added 'Obsoletes' directives -* Tue Nov 09 1999 Damien Miller -- Use make install -- Subpackages -* Mon Nov 08 1999 Damien Miller -- Added links for slogin -- Fixed perms on manpages -* Sat Oct 30 1999 Damien Miller -- Renamed init script -* Fri Oct 29 1999 Damien Miller -- Back to old binary 
names -* Thu Oct 28 1999 Damien Miller -- Use autoconf -- New binary names -* Wed Oct 27 1999 Damien Miller -- Initial RPMification, based on Jan "Yenya" Kasprzak's spec. +%ChangeLog +* Mon Jan 01 1998 ... +Template Version: 1.31 + +$Id: openssh.spec,v 1.15 2001/04/27 05:50:49 tim Exp $ Only in openssh-2.9p1/contrib/caldera: ssh-host-keygen Only in openssh-2.5.2p2/contrib/caldera: sshd.daemons diff -ru openssh-2.5.2p2/contrib/caldera/sshd.init openssh-2.9p1/contrib/caldera/sshd.init --- openssh-2.5.2p2/contrib/caldera/sshd.init 2001-01-05 09:54:51.000000000 +1100 +++ openssh-2.9p1/contrib/caldera/sshd.init 2001-04-27 15:50:50.000000000 +1000 
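Review bot: The rewritten `%Install` edits `sshd_config` only to turn on `X11Forwarding`; the old `%install`'s `s,PermitRootLogin yes,PermitRootLogin no,` rewrite is dropped and nothing replaces it, so the packaged server keeps the shipped setting (the removed sed suggests that was `PermitRootLogin yes`). If dropping that hardening is intended, a comment next to the `%{fixUP} -vg $DESTDIR/etc/ssh/sshd_config 'X11Forwarding no'` line should say so; otherwise add a matching `%{fixUP} -vg $DESTDIR/etc/ssh/sshd_config 'PermitRootLogin yes' 'PermitRootLogin no'`. The `%{fixUP} -vg $DESTDIR/etc/pam.d/sshd '(.*pam_limits.*)' '#$1'` line comments out `pam_limits` for every ssh login with only a bare `FIXME`, which means `limits.conf` resource limits will not apply to ssh sessions from this package; the comment should at least describe the NIS failure it works around so the workaround is not left in place indefinitely.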
@@ -1,99 +1,125 @@ -#! /bin/sh +#! /bin/bash # -# Generic network daemon RC script. If installed as /etc/rc.d/init.d/foobar, -# it source /etc/sysconfig/daemons/foobar and looks at the -# variable definitions (Bourne shell syntax). Variables marked with an -# asterisk are required. +# $Id: sshd.init,v 1.2 2001/04/27 05:50:50 tim Exp $ # -# * IDENT=sshd -# DESCRIPTIVE="@OPENSSH_VERSION@" -# * DAEMON=/usr/sbin/sshd -# DAEMON_ARGS="-p some_other_port" -# ONBOOT=yes +### BEGIN INIT INFO +# Provides: +# Required-Start: $network +# Required-Stop: +# Default-Start: 3 4 5 +# Default-Stop: 0 1 2 6 +# Description: sshd +# Bring up/down the OpenSSH secure shell daemon. +### END INIT INFO # - -# Source networking configuration. -. /etc/sysconfig/network - -# Check that networking is up. -[ ${NETWORKING} = "no" ] && exit 0 - -# Source function library, check sysconfig/daemon file and source it. -. /etc/rc.d/init.d/functions - -[ -x $DAEMON ] || exit 0 - -# Some functions to make the below more readable -KEYGEN=/usr/bin/ssh-keygen -RSA1_KEY=/etc/ssh/ssh_host_key -RSA_KEY=/etc/ssh/ssh_host_rsa_key -DSA_KEY=/etc/ssh/ssh_host_dsa_key -PID_FILE=/var/run/sshd.pid -do_rsa1_keygen() { - if ! test -f $RSA1_KEY ; then - echo -n "Generating SSH1 RSA host key: " - if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then - echo "RSA1 key generation success" - else - echo "RSA1 key generation failure" - exit 1 - fi - fi -} -do_rsa_keygen() { - if ! test -f $RSA_KEY ; then - echo -n "Generating SSH2 RSA host key: " - if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then - echo "RSA key generation success" - else - echo "RSA key generation failure" - exit 1 - fi - fi -} -do_dsa_keygen() { - if ! test -f $DSA_KEY ; then - echo -n "Generating SSH2 DSA host key: " - if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then - echo "DSA key generation success" - else - echo "DSA key generation failure" - exit 1 - fi - fi +# Written by Miquel van Smoorenburg . 
+# Modified for Debian GNU/Linux by Ian Murdock . +# Modified for OpenLinux by Raymund Will + +NAME=sshd +DAEMON=/usr/sbin/$NAME +# Hack-Alert(TM)! This is necessary to get around the 'reload'-problem +# created by recent OpenSSH daemon/ssd combinations. See Caldera internal +# PR [linux/8278] for details... +PIDF=/var/run/$NAME.pid +NAME=$DAEMON + +_status() { + [ -z "$1" ] || local pidf="$1" + local ret=-1 + local pid + if [ -n "$pidf" ] && [ -r "$pidf" ]; then + pid=$(head -1 $pidf) + else + pid=$(pidof $NAME) + fi + + if [ ! -e $SVIlock ]; then + # no lock-file => not started == stopped? + ret=3 + elif { [ -n "$pidf" ] && [ ! -f "$pidf" ] } || [ -z "$pid" ]; then + # pid-file given but not present or no pid => died, but was not stopped + ret=2 + elif [ -r /proc/$pid/cmdline ] && + echo -ne $NAME'\000' | cmp -s - /proc/$pid/cmdline; then + # pid-file given and present or pid found => check process... + # but don't compare exe, as this will fail after an update! + # compares OK => all's well, that ends well... + ret=0 + else + # no such process or exe does not match => stale pid-file or process died + # just recently... + ret=1 + fi + return $ret } -# See how we were called. +# Source function library (and set vital variables). +. @SVIdir@/functions + case "$1" in - start) - # Create keys if necessary - do_rsa1_keygen - do_rsa_keygen - do_dsa_keygen - - # Start daemons. - [ ! -e $LOCK ] || exit 1 - echo -n "Starting $SUBSYS services: " - start-stop-daemon -S -n $IDENT -x $DAEMON -- $DAEMON_ARGS - sleep 1 - echo . - touch $LOCK - ;; - stop) - # Stop daemons. - [ -e $LOCK ] || exit 0 - echo -n "Stopping $SUBSYS services: " - start-stop-daemon -K -n $IDENT -x $DAEMON - echo - rm -f $LOCK - ;; - restart) - $0 stop - $0 start - ;; - *) - echo "Usage: $SUBSYS {start|stop|restart}" - exit 1 + start) + [ ! -e $SVIlock ] || exit 0 + [ -x $DAEMON ] || exit 5 + SVIemptyConfig @sysconfdir@/sshd_config && exit 6 + + if [ ! 
\( -f @sysconfdir@/ssh_host_key -a \ + -f @sysconfdir@/ssh_host_key.pub \) -a \ + ! \( -f @sysconfdir@/ssh_host_rsa_key -a \ + -f @sysconfdir@/ssh_host_rsa_key.pub \) -a \ + ! \( -f @sysconfdir@/ssh_host_dsa_key -a \ + -f @sysconfdir@/ssh_host_dsa_key.pub \) ]; then + + echo "$SVIsubsys: host key not initialized: skipped!" + echo "$SVIsubsys: use ssh-host-keygen to generate one!" + exit 6 + fi + + echo -n "Starting $SVIsubsys services: " + ssd -S -x $DAEMON -n $NAME -- $OPTIONS + ret=$? + + echo "." + touch $SVIlock + ;; + + stop) + [ -e $SVIlock ] || exit 0 + + echo -n "Stopping $SVIsubsys services: " + ssd -K -p $PIDF -n $NAME + ret=$? + + echo "." + rm -f $SVIlock + ;; + + force-reload|reload) + [ -e $SVIlock ] || exit 0 + + echo "Reloading $SVIsubsys configuration files: " + ssd -K --signal 1 -q -p $PIDF -n $NAME + ret=$? + echo "done." + ;; + + restart) + $0 stop + $0 start + ret=$? + ;; + + status) + _status $PIDF + ret=$? + ;; + + *) + echo "Usage: $SVIscript {[re]start|stop|[force-]reload|status}" + ret=2 + ;; + esac -exit 0 +exit $ret + diff -ru openssh-2.5.2p2/contrib/chroot.diff openssh-2.9p1/contrib/chroot.diff --- openssh-2.5.2p2/contrib/chroot.diff 2000-04-16 12:50:52.000000000 +1000 +++ openssh-2.9p1/contrib/chroot.diff 2001-04-29 22:26:54.000000000 +1000 
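Review bot: In `_status`, `elif { [ -n "$pidf" ] && [ ! -f "$pidf" ] } || [ -z "$pid" ]; then` lacks the `;` that bash requires before a closing `}`, so `}` is parsed as an extra argument to `[` and the brace group is never closed; the script should fail to parse at that line, taking every action including `start` and `stop` with it. The fix is `elif { [ -n "$pidf" ] && [ ! -f "$pidf" ]; } || [ -z "$pid" ]; then`. Also, the liveness check `echo -ne $NAME'\000' | cmp -s - /proc/$pid/cmdline` only matches when sshd was started with no arguments, so presumably any non-empty `OPTIONS` passed in `start)` makes `status` report a stale pid (ret 1) for a healthy daemon; comparing only the first NUL-terminated field of cmdline would be more robust.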
@@ -1,61 +1,63 @@ -From: Ricardo Cerqueira +From: Ricardo Cerqueira A patch to cause sshd to chroot when it encounters the magic token '/./' in a users home directory. The directory portion before the token is the directory to chroot() to, the portion after the token is the user's home directory relative to the new root. -Index: session.c -=================================================================== -RCS file: /var/cvs/openssh/session.c,v -retrieving revision 1.4 -diff -u -r1.4 session.c ---- session.c 2000/04/16 02:31:51 1.4 -+++ session.c 2000/04/16 02:47:55 -@@ -27,6 +27,8 @@ - #include "ssh2.h" - #include "auth.h" +To apply, execute the following command from the OpenSSH source directory: + +patch -p0 < contrib/chroot.diff + + +--- session.c Thu Mar 22 01:58:27 2001 ++++ session.c.chroot Thu Apr 5 12:33:23 2001 +@@ -93,6 +93,8 @@ + # include + #endif +#define CHROOT + /* types */ #define TTYSZ 64 -@@ -783,6 +785,10 @@ +@@ -1012,6 +1014,11 @@ extern char **environ; struct stat st; char *argv[10]; +#ifdef CHROOT -+ char *user_dir; -+ char *new_root; ++ char *user_dir; ++ char *new_root; +#endif /* CHROOT */ - - #ifndef USE_PAM /* pam_nologin handles this */ - f = fopen("/etc/nologin", "r"); -@@ -799,6 +805,26 @@ - /* Set login name in the kernel. 
*/ - if (setlogin(pw->pw_name) < 0) - error("setlogin failed: %s", strerror(errno)); ++ + int do_xauth = s->auth_proto != NULL && s->auth_data != NULL; + #ifdef WITH_IRIX_PROJECT + prid_t projid; +@@ -1095,6 +1102,27 @@ + exit(1); + } + endgrent(); + +#ifdef CHROOT -+ user_dir = xstrdup(pw->pw_dir); -+ new_root = user_dir + 1; ++ user_dir = xstrdup(pw->pw_dir); ++ new_root = user_dir + 1; + -+ while((new_root = strchr(new_root, '.')) != NULL) { -+ new_root--; -+ if(strncmp(new_root, "/./", 3) == 0) { -+ *new_root = '\0'; -+ new_root += 2; -+ -+ if(chroot(user_dir) != 0) -+ fatal("Couldn't chroot to user directory %s", user_dir); -+ -+ pw->pw_dir = new_root; -+ break; -+ } -+ new_root += 2; -+ } ++ while((new_root = strchr(new_root, '.')) != NULL) { ++ new_root--; ++ if(strncmp(new_root, "/./", 3) == 0) { ++ *new_root = '\0'; ++ new_root += 2; ++ ++ if(chroot(user_dir) != 0) ++ fatal("Couldn't chroot to user directory %s", user_dir); ++ ++ pw->pw_dir = new_root; ++ break; ++ } ++ new_root += 2; ++ } +#endif /* CHROOT */ - - /* Set uid, gid, and groups. */ - /* Login(1) does this as well, and it needs uid 0 for the "-h" ++ + # ifdef WITH_IRIX_JOBS + jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive"); + if (jid == -1) { Only in openssh-2.5.2p2/contrib: mdoc2man.pl diff -ru openssh-2.5.2p2/contrib/redhat/openssh.spec openssh-2.9p1/contrib/redhat/openssh.spec --- openssh-2.5.2p2/contrib/redhat/openssh.spec 2001-03-21 13:13:21.000000000 +1100 +++ openssh-2.9p1/contrib/redhat/openssh.spec 2001-04-27 12:15:01.000000000 +1000 @@ -1,5 +1,5 @@ # Version of OpenSSH -%define oversion 2.5.2p2 +%define oversion 2.9p1 # Version of ssh-askpass %define aversion 1.2.0 diff -ru openssh-2.5.2p2/contrib/redhat/sshd.init openssh-2.9p1/contrib/redhat/sshd.init --- openssh-2.5.2p2/contrib/redhat/sshd.init 2001-02-27 07:38:53.000000000 +1100 +++ openssh-2.9p1/contrib/redhat/sshd.init 2001-04-27 10:46:18.000000000 +1000 
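Review bot: The token scan in the added `#ifdef CHROOT` block starts at `user_dir + 1`, so a user whose `pw_dir` is the empty string makes `strchr` read past the NUL terminator of the one-byte `xstrdup` copy; guard it with `if (*user_dir != '\0')` before the loop, or replace the loop with a single `strstr(user_dir, "/./")` lookup. Separately, `chroot(user_dir)` is not followed by a `chdir()`, so the process keeps its current working directory outside the new root until some later chdir into `pw->pw_dir` (outside this hunk, and presumably non-fatal on failure), which is the classic chroot escape; adding `if (chdir("/") != 0) fatal("Couldn't chdir to / after chroot to %s", user_dir);` right after the chroot closes it. The enclosing function starts and ends outside the hunk.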
@@ -15,6 +15,8 @@ # source function library . /etc/rc.d/init.d/functions +[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd + RETVAL=0 # Some functions to make the below more readable @@ -104,7 +106,7 @@ echo -n "Starting sshd: " if [ ! -f $PID_FILE ] ; then - sshd + sshd $OPTIONS RETVAL=$? if [ "$RETVAL" = "0" ] ; then my_success "sshd startup" "sshd" diff -ru openssh-2.5.2p2/contrib/solaris/postinstall.in openssh-2.9p1/contrib/solaris/postinstall.in --- openssh-2.5.2p2/contrib/solaris/postinstall.in 2000-11-11 08:36:39.000000000 +1100 +++ openssh-2.9p1/contrib/solaris/postinstall.in 2001-04-24 10:03:58.000000000 +1000 @@ -123,7 +123,7 @@ instbackup ${CONFDIR} ssh_config NEWCONF=1 fi - if [ ! -r "${CONFDIR}/ssh_config" ]; then + if [ ! -r "${CONFDIR}/sshd_config" ]; then instbackup ${CONFDIR} sshd_config NEWCONF=1 fi diff -ru openssh-2.5.2p2/contrib/suse/openssh.spec openssh-2.9p1/contrib/suse/openssh.spec --- openssh-2.5.2p2/contrib/suse/openssh.spec 2001-03-21 13:13:21.000000000 +1100 +++ openssh-2.9p1/contrib/suse/openssh.spec 2001-04-27 12:15:01.000000000 +1000 @@ -1,6 +1,6 @@ Summary: OpenSSH, a free Secure Shell (SSH) implementation Name: openssh -Version: 2.5.2p2 +Version: 2.9p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz diff -ru openssh-2.5.2p2/defines.h openssh-2.9p1/defines.h --- openssh-2.5.2p2/defines.h 2001-03-20 13:49:22.000000000 +1100 +++ openssh-2.9p1/defines.h 2001-04-06 03:15:08.000000000 +1000 @@ -1,7 +1,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.60.2.1 2001/03/20 02:49:22 tim Exp $ */ +/* $Id: defines.h,v 1.62 2001/04/05 17:15:08 stevesk Exp $ */ /* Some platforms need this for the _r() functions */ #if !defined(_REENTRANT) && !defined(SNI) 
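Review bot: `$OPTIONS` is expanded on the new `sshd $OPTIONS` line even when `/etc/sysconfig/sshd` does not exist, so whatever `OPTIONS` happens to be in the caller's environment (the script can be run directly from a root shell, not only via `service`) is passed to the daemon unquoted and word-split. Initialising it before the new sourcing line, `OPTIONS=`, makes the sysconfig file the only source of daemon flags. If multi-word values are expected, a comment such as `# OPTIONS is deliberately unquoted so several flags can be given` would spare the next reader from "fixing" it.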
@@ -421,9 +421,9 @@ # endif /* defined(HAVE_XATEXIT) */ #endif /* !defined(HAVE_ATEXIT) && defined(HAVE_ON_EXIT) */ -#if defined(HAVE_VHANGUP) && !defined(BROKEN_VHANGUP) +#if defined(HAVE_VHANGUP) && !defined(HAVE_DEV_PTMX) # define USE_VHANGUP -#endif /* defined(HAVE_VHANGUP) && !defined(BROKEN_VHANGUP) */ +#endif /* defined(HAVE_VHANGUP) && !defined(HAVE_DEV_PTMX) */ #ifndef GETPGRP_VOID # define getpgrp() getpgrp(0) diff -ru openssh-2.5.2p2/dh.c openssh-2.9p1/dh.c --- openssh-2.5.2p2/dh.c 2001-03-06 12:13:07.000000000 +1100 +++ openssh-2.9p1/dh.c 2001-04-16 00:27:16.000000000 +1000 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: dh.c,v 1.8 2001/03/05 17:58:22 stevesk Exp $"); +RCSID("$OpenBSD: dh.c,v 1.14 2001/04/15 08:43:45 markus Exp $"); #include "xmalloc.h" @@ -69,6 +69,8 @@ if (cp == NULL || *strsize == '\0' || (dhg->size = atoi(strsize)) == 0) goto fail; + /* The whole group is one bit larger */ + dhg->size++; gen = strsep(&cp, " "); /* gen */ if (cp == NULL || *gen == '\0') goto fail; @@ -77,25 +79,28 @@ goto fail; dhg->g = BN_new(); - if (BN_hex2bn(&dhg->g, gen) < 0) { - BN_free(dhg->g); - goto fail; - } dhg->p = BN_new(); - if (BN_hex2bn(&dhg->p, prime) < 0) { - BN_free(dhg->g); - BN_free(dhg->p); - goto fail; - } + if (BN_hex2bn(&dhg->g, gen) == 0) + goto failclean; + + if (BN_hex2bn(&dhg->p, prime) == 0) + goto failclean; + + if (BN_num_bits(dhg->p) != dhg->size) + goto failclean; return (1); + + failclean: + BN_free(dhg->g); + BN_free(dhg->p); fail: error("Bad prime description in line %d", linenum); return (0); } DH * -choose_dh(int minbits) +choose_dh(int min, int wantbits, int max) { FILE *f; char line[1024]; @@ -118,8 +123,11 @@ BN_free(dhg.g); BN_free(dhg.p); - if ((dhg.size > minbits && dhg.size < best) || - (dhg.size > best && best < minbits)) { + if (dhg.size > max || dhg.size < min) + continue; + + if ((dhg.size > wantbits && dhg.size < best) || + (dhg.size > best && best < wantbits)) { best = dhg.size; bestcount = 0; } 
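Review bot: After `goto failclean` in parse_prime, `dhg->g` and `dhg->p` are freed but left pointing at the released BIGNUMs, so a caller that frees the struct's members without checking the return value would double-free; adding `dhg->g = dhg->p = NULL;` after the two `BN_free` calls makes the failure path safe. The visible callers in choose_dh do skip on a zero return, so this is defensive rather than a live bug. parse_prime begins outside the hunk.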
@@ -129,8 +137,8 @@ fclose (f); if (bestcount == 0) { - log("WARNING: no primes in %s, using old prime", _PATH_DH_PRIMES); - return (dh_new_group1()); + log("WARNING: no suitable primes in %s", _PATH_DH_PRIMES); + return (NULL); } f = fopen(_PATH_DH_PRIMES, "r"); @@ -143,9 +151,9 @@ while (fgets(line, sizeof(line), f)) { if (!parse_prime(linenum, line, &dhg)) continue; - if (dhg.size != best) - continue; - if (linenum++ != which) { + if ((dhg.size > max || dhg.size < min) || + dhg.size != best || + linenum++ != which) { BN_free(dhg.g); BN_free(dhg.p); continue; 
@@ -153,6 +161,134 @@ break; } fclose(f); + if (linenum != which+1) + fatal("WARNING: line %d disappeared in %s, giving up", + which, _PATH_DH_PRIMES); return (dh_new_group(dhg.g, dhg.p)); } + +/* diffie-hellman-group1-sha1 */ + +int +dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) +{ + int i; + int n = BN_num_bits(dh_pub); + int bits_set = 0; + + if (dh_pub->neg) { + log("invalid public DH value: negativ"); + return 0; + } + for (i = 0; i <= n; i++) + if (BN_is_bit_set(dh_pub, i)) + bits_set++; + debug("bits set: %d/%d", bits_set, BN_num_bits(dh->p)); + + /* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */ + if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1)) + return 1; + log("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p)); + return 0; +} + +void +dh_gen_key(DH *dh, int need) +{ + int i, bits_set = 0, tries = 0; + + if (dh->p == NULL) + fatal("dh_gen_key: dh->p == NULL"); + if (2*need >= BN_num_bits(dh->p)) + fatal("dh_gen_key: group too small: %d (2*need %d)", + BN_num_bits(dh->p), 2*need); + do { + if (dh->priv_key != NULL) + BN_free(dh->priv_key); + dh->priv_key = BN_new(); + if (dh->priv_key == NULL) + fatal("dh_gen_key: BN_new failed"); + /* generate a 2*need bits random private exponent */ + if (!BN_rand(dh->priv_key, 2*need, 0, 0)) + fatal("dh_gen_key: BN_rand failed"); + if (DH_generate_key(dh) == 0) + fatal("DH_generate_key"); + for (i = 0; i <= BN_num_bits(dh->priv_key); i++) + if (BN_is_bit_set(dh->priv_key, i)) + bits_set++; + debug("dh_gen_key: priv key bits set: %d/%d", + bits_set, BN_num_bits(dh->priv_key)); + if (tries++ > 10) + fatal("dh_gen_key: too many bad keys: giving up"); + } while (!dh_pub_is_valid(dh, dh->pub_key)); +} + +DH * +dh_new_group_asc(const char *gen, const char *modulus) +{ + DH *dh; + + dh = DH_new(); + if (dh == NULL) + fatal("DH_new"); + + if (BN_hex2bn(&dh->p, modulus) == 0) + fatal("BN_hex2bn p"); + if (BN_hex2bn(&dh->g, gen) == 0) + fatal("BN_hex2bn g"); + + return (dh); +} + +/* + * This just 
returns the group, we still need to generate the exchange + * value. + */ + +DH * +dh_new_group(BIGNUM *gen, BIGNUM *modulus) +{ + DH *dh; + + dh = DH_new(); + if (dh == NULL) + fatal("DH_new"); + dh->p = modulus; + dh->g = gen; + + return (dh); +} + +DH * +dh_new_group1(void) +{ + static char *gen = "2", *group1 = + "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" + "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD" + "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245" + "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED" + "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381" + "FFFFFFFF" "FFFFFFFF"; + + return (dh_new_group_asc(gen, group1)); +} + +/* + * Estimates the group order for a Diffie-Hellman group that has an + * attack complexity approximately the same as O(2**bits). Estimate + * with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3))) + */ + +int +dh_estimate(int bits) +{ + + if (bits < 64) + return (512); /* O(2**63) */ + if (bits < 128) + return (1024); /* O(2**86) */ + if (bits < 192) + return (2048); /* O(2**116) */ + return (4096); /* O(2**156) */ +} diff -ru openssh-2.5.2p2/dh.h openssh-2.9p1/dh.h --- openssh-2.5.2p2/dh.h 2001-01-29 18:39:26.000000000 +1100 +++ openssh-2.9p1/dh.h 2001-04-04 11:56:17.000000000 +1000 @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.h,v 1.2 2001/01/29 01:58:15 niklas Exp $ */ +/* $OpenBSD: dh.h,v 1.5 2001/04/03 19:53:29 markus Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. 
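Review bot: `dh_pub_is_valid` accepts `dh_pub == p - 1`, because that value has many bits set and is less than p, yet it is the element of order 2 and forces the shared secret into {1, p-1}; the upper bound should exclude p - 1, as in the rewrite below. In `dh_gen_key`, `bits_set` is initialised once before the `do` loop and never reset, so the debug count printed on a retry is cumulative; moving `bits_set = 0;` inside the loop fixes the message. The `for (i = 0; i <= n; i++)` loops in both functions visit one bit past the top, which is harmless but `i < n` is the intended bound.
```c
int
dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
{
	BIGNUM *pm1;
	int ok = 0;
	/* … unchanged: negativity check and bits_set count … */

	/* reject the order-2 element p-1 as well as 0 and 1 */
	if ((pm1 = BN_new()) == NULL)
		fatal("dh_pub_is_valid: BN_new failed");
	if (BN_sub(pm1, dh->p, BN_value_one()) &&
	    bits_set > 1 && BN_cmp(dh_pub, pm1) == -1)
		ok = 1;
	BN_free(pm1);
	if (ok)
		return 1;
	log("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
	return 0;
}
```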
@@ -32,6 +32,17 @@ BIGNUM *p; }; -DH *choose_dh(int minbits); +DH *choose_dh(int min, int nbits, int max); +DH *dh_new_group_asc(const char *, const char *); +DH *dh_new_group(BIGNUM *, BIGNUM *); +DH *dh_new_group1(void); + +void dh_gen_key(DH *, int); +int dh_pub_is_valid(DH *dh, BIGNUM *dh_pub); + +int dh_estimate(int bits); + +#define DH_GRP_MIN 1024 +#define DH_GRP_MAX 8192 #endif diff -ru openssh-2.5.2p2/fixpaths openssh-2.9p1/fixpaths --- openssh-2.5.2p2/fixpaths 2000-11-08 12:07:51.000000000 +1100 +++ openssh-2.9p1/fixpaths 2001-04-16 10:41:47.000000000 +1000 @@ -3,21 +3,17 @@ # fixpaths - substitute makefile variables into text files -$usage = "Usage: $0 [-x] [-Dstring=replacement] [[infile] ...]\n"; - -$ext="out"; +$usage = "Usage: $0 [-Dstring=replacement] [[infile] ...]\n"; if (!defined(@ARGV)) { die ("$usage"); } # read in the command line and get some definitions while ($_=$ARGV[0], /^-/) { - if (/^-[Dx]/) { + if (/^-D/) { # definition shift(@ARGV); if ( /-D(.*)=(.*)/ ) { $def{"$1"}=$2; - } elsif ( /-x\s*(\w+)/ ) { - $ext=$1; } else { die ("$usage$0: error in command line arguments.\n"); } @@ -34,15 +30,13 @@ for $f (@ARGV) { $f =~ /(.*\/)*(.*)$/; - $of = $2.".$ext"; open(IN, "<$f") || die ("$0: input file $f missing!\n"); - open(OUT, ">$of") || die ("$0: cannot create output file $of: $!\n"); while () { for $s (keys(%def)) { s#$s#$def{$s}#; } # for $s - print OUT; + print; } # while } # for $f diff -ru openssh-2.5.2p2/hostfile.c openssh-2.9p1/hostfile.c --- openssh-2.5.2p2/hostfile.c 2001-01-22 16:34:41.000000000 +1100 +++ openssh-2.9p1/hostfile.c 2001-04-13 09:34:35.000000000 +1000 @@ -36,7 +36,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: hostfile.c,v 1.24 2001/01/21 19:05:49 markus Exp $"); +RCSID("$OpenBSD: hostfile.c,v 1.26 2001/04/12 19:15:24 markus Exp $"); #include "packet.h" #include "match.h" 
@@ -111,10 +111,11 @@ FILE *f; char line[8192]; int linenum = 0; - u_int kbits, hostlen; + u_int kbits; char *cp, *cp2; HostStatus end_return; + debug3("check_host_in_hostfile: filename %s", filename); if (key == NULL) fatal("no key to look up"); /* Open the file containing the list of known hosts. */ @@ -122,9 +123,6 @@ if (!f) return HOST_NEW; - /* Cache the length of the host name. */ - hostlen = strlen(host); - /* * Return value when the loop terminates. This is set to * HOST_CHANGED if we have seen a different key for the host and have @@ -132,7 +130,7 @@ */ end_return = HOST_NEW; - /* Go trough the file. */ + /* Go through the file. */ while (fgets(line, sizeof(line), f)) { cp = line; linenum++; @@ -169,6 +167,7 @@ /* Check if the current key is the same as the given key. */ if (key_equal(key, found)) { /* Ok, they match. */ + debug3("check_host_in_hostfile: match line %d", linenum); fclose(f); return HOST_OK; } diff -ru openssh-2.5.2p2/kex.c openssh-2.9p1/kex.c --- openssh-2.5.2p2/kex.c 2001-03-11 12:49:20.000000000 +1100 +++ openssh-2.9p1/kex.c 2001-04-06 09:26:33.000000000 +1000 @@ -23,13 +23,9 @@ */ #include "includes.h" -RCSID("$OpenBSD: kex.c,v 1.23 2001/03/10 17:51:04 markus Exp $"); +RCSID("$OpenBSD: kex.c,v 1.33 2001/04/05 10:42:50 markus Exp $"); #include -#include -#include -#include -#include #include "ssh2.h" #include "xmalloc.h" 
@@ -43,334 +39,195 @@ #include "log.h" #include "mac.h" #include "match.h" +#include "dispatch.h" #define KEX_COOKIE_LEN 16 -Buffer * -kex_init(char *myproposal[PROPOSAL_MAX]) +void kex_kexinit_finish(Kex *kex); +void kex_choose_conf(Kex *k); + +/* put algorithm proposal into buffer */ +void +kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX]) { - int first_kex_packet_follows = 0; - u_char cookie[KEX_COOKIE_LEN]; u_int32_t rand = 0; int i; - Buffer *ki = xmalloc(sizeof(*ki)); + + buffer_clear(b); for (i = 0; i < KEX_COOKIE_LEN; i++) { if (i % 4 == 0) rand = arc4random(); - cookie[i] = rand & 0xff; + buffer_put_char(b, rand & 0xff); rand >>= 8; } - buffer_init(ki); - buffer_append(ki, (char *)cookie, sizeof cookie); for (i = 0; i < PROPOSAL_MAX; i++) - buffer_put_cstring(ki, myproposal[i]); - buffer_put_char(ki, first_kex_packet_follows); - buffer_put_int(ki, 0); /* uint32 reserved */ - return ki; + buffer_put_cstring(b, proposal[i]); + buffer_put_char(b, 0); /* first_kex_packet_follows */ + buffer_put_int(b, 0); /* uint32 reserved */ } -/* send kexinit, parse and save reply */ -void -kex_exchange_kexinit( - Buffer *my_kexinit, Buffer *peer_kexint, - char *peer_proposal[PROPOSAL_MAX]) +/* parse buffer and return algorithm proposal */ +char ** +kex_buf2prop(Buffer *raw) { + Buffer b; int i; - char *ptr; - int plen; + char **proposal; - debug("send KEXINIT"); - packet_start(SSH2_MSG_KEXINIT); - packet_put_raw(buffer_ptr(my_kexinit), buffer_len(my_kexinit)); - packet_send(); - packet_write_wait(); - debug("done"); + proposal = xmalloc(PROPOSAL_MAX * sizeof(char *)); - /* - * read and save raw KEXINIT payload in buffer. this is used during - * computation of the session_id and the session keys. 
- */ - debug("wait KEXINIT"); - packet_read_expect(&plen, SSH2_MSG_KEXINIT); - ptr = packet_get_raw(&plen); - buffer_append(peer_kexint, ptr, plen); - - /* parse packet and save algorithm proposal */ + buffer_init(&b); + buffer_append(&b, buffer_ptr(raw), buffer_len(raw)); /* skip cookie */ for (i = 0; i < KEX_COOKIE_LEN; i++) - packet_get_char(); + buffer_get_char(&b); /* extract kex init proposal strings */ for (i = 0; i < PROPOSAL_MAX; i++) { - peer_proposal[i] = packet_get_string(NULL); - debug("got kexinit: %s", peer_proposal[i]); + proposal[i] = buffer_get_string(&b,NULL); + debug2("kex_parse_kexinit: %s", proposal[i]); } - /* first kex follow / reserved */ - i = packet_get_char(); - debug("first kex follow: %d ", i); - i = packet_get_int(); - debug("reserved: %d ", i); - packet_done(); - debug("done"); + /* first kex follows / reserved */ + i = buffer_get_char(&b); + debug2("kex_parse_kexinit: first_kex_follows %d ", i); + i = buffer_get_int(&b); + debug2("kex_parse_kexinit: reserved %d ", i); + buffer_free(&b); + return proposal; } -/* diffie-hellman-group1-sha1 */ - -int -dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) +void +kex_prop_free(char **proposal) { int i; - int n = BN_num_bits(dh_pub); - int bits_set = 0; - if (dh_pub->neg) { - log("invalid public DH value: negativ"); - return 0; - } - for (i = 0; i <= n; i++) - if (BN_is_bit_set(dh_pub, i)) - bits_set++; - debug("bits set: %d/%d", bits_set, BN_num_bits(dh->p)); - - /* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */ - if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1)) - return 1; - log("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p)); - return 0; -} - -void -dh_gen_key(DH *dh, int need) -{ - int i, bits_set = 0, tries = 0; - - if (dh->p == NULL) - fatal("dh_gen_key: dh->p == NULL"); - if (2*need >= BN_num_bits(dh->p)) - fatal("dh_gen_key: group too small: %d (2*need %d)", - BN_num_bits(dh->p), 2*need); - do { - if (dh->priv_key != NULL) - BN_free(dh->priv_key); - 
dh->priv_key = BN_new(); - if (dh->priv_key == NULL) - fatal("dh_gen_key: BN_new failed"); - /* generate a 2*need bits random private exponent */ - if (!BN_rand(dh->priv_key, 2*need, 0, 0)) - fatal("dh_gen_key: BN_rand failed"); - if (DH_generate_key(dh) == 0) - fatal("DH_generate_key"); - for (i = 0; i <= BN_num_bits(dh->priv_key); i++) - if (BN_is_bit_set(dh->priv_key, i)) - bits_set++; - debug("dh_gen_key: priv key bits set: %d/%d", - bits_set, BN_num_bits(dh->priv_key)); - if (tries++ > 10) - fatal("dh_gen_key: too many bad keys: giving up"); - } while (!dh_pub_is_valid(dh, dh->pub_key)); -} - -DH * -dh_new_group_asc(const char *gen, const char *modulus) -{ - DH *dh; - int ret; - - dh = DH_new(); - if (dh == NULL) - fatal("DH_new"); - - if ((ret = BN_hex2bn(&dh->p, modulus)) < 0) - fatal("BN_hex2bn p"); - if ((ret = BN_hex2bn(&dh->g, gen)) < 0) - fatal("BN_hex2bn g"); - - return (dh); -} - -/* - * This just returns the group, we still need to generate the exchange - * value. - */ + for (i = 0; i < PROPOSAL_MAX; i++) + xfree(proposal[i]); + xfree(proposal); +} -DH * -dh_new_group(BIGNUM *gen, BIGNUM *modulus) +void +kex_protocol_error(int type, int plen, void *ctxt) { - DH *dh; + error("Hm, kex protocol error: type %d plen %d", type, plen); +} - dh = DH_new(); - if (dh == NULL) - fatal("DH_new"); - dh->p = modulus; - dh->g = gen; +void +kex_clear_dispatch(void) +{ + int i; - return (dh); + /* Numbers 30-49 are used for kex packets */ + for (i = 30; i <= 49; i++) + dispatch_set(i, &kex_protocol_error); } -DH * -dh_new_group1(void) +void +kex_finish(Kex *kex) { - static char *gen = "2", *group1 = - "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" - "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD" - "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245" - "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED" - "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381" - "FFFFFFFF" "FFFFFFFF"; + int 
plen; + + kex_clear_dispatch(); - return (dh_new_group_asc(gen, group1)); + packet_start(SSH2_MSG_NEWKEYS); + packet_send(); + /* packet_write_wait(); */ + debug("SSH2_MSG_NEWKEYS sent"); + + debug("waiting for SSH2_MSG_NEWKEYS"); + packet_read_expect(&plen, SSH2_MSG_NEWKEYS); + debug("SSH2_MSG_NEWKEYS received"); + + kex->done = 1; + buffer_clear(&kex->peer); + /* buffer_clear(&kex->my); */ + kex->flags &= ~KEX_INIT_SENT; + xfree(kex->name); + kex->name = NULL; } -#ifdef DEBUG_KEX void -dump_digest(u_char *digest, int len) +kex_send_kexinit(Kex *kex) { - int i; - for (i = 0; i< len; i++){ - fprintf(stderr, "%02x", digest[i]); - if(i%2!=0) - fprintf(stderr, " "); + if (kex == NULL) { + error("kex_send_kexinit: no kex, cannot rekey"); + return; } - fprintf(stderr, "\n"); + if (kex->flags & KEX_INIT_SENT) { + debug("KEX_INIT_SENT"); + return; + } + kex->done = 0; + packet_start(SSH2_MSG_KEXINIT); + packet_put_raw(buffer_ptr(&kex->my), buffer_len(&kex->my)); + packet_send(); + debug("SSH2_MSG_KEXINIT sent"); + kex->flags |= KEX_INIT_SENT; } -#endif -u_char * -kex_hash( - char *client_version_string, - char *server_version_string, - char *ckexinit, int ckexinitlen, - char *skexinit, int skexinitlen, - char *serverhostkeyblob, int sbloblen, - BIGNUM *client_dh_pub, - BIGNUM *server_dh_pub, - BIGNUM *shared_secret) +void +kex_input_kexinit(int type, int plen, void *ctxt) { - Buffer b; - static u_char digest[EVP_MAX_MD_SIZE]; - EVP_MD *evp_md = EVP_sha1(); - EVP_MD_CTX md; - - buffer_init(&b); - buffer_put_string(&b, client_version_string, strlen(client_version_string)); - buffer_put_string(&b, server_version_string, strlen(server_version_string)); + char *ptr; + int dlen; + int i; + Kex *kex = (Kex *)ctxt; - /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */ - buffer_put_int(&b, ckexinitlen+1); - buffer_put_char(&b, SSH2_MSG_KEXINIT); - buffer_append(&b, ckexinit, ckexinitlen); - buffer_put_int(&b, skexinitlen+1); - buffer_put_char(&b, SSH2_MSG_KEXINIT); - 
buffer_append(&b, skexinit, skexinitlen); - - buffer_put_string(&b, serverhostkeyblob, sbloblen); - buffer_put_bignum2(&b, client_dh_pub); - buffer_put_bignum2(&b, server_dh_pub); - buffer_put_bignum2(&b, shared_secret); + debug("SSH2_MSG_KEXINIT received"); + if (kex == NULL) + fatal("kex_input_kexinit: no kex, cannot rekey"); -#ifdef DEBUG_KEX - buffer_dump(&b); -#endif + ptr = packet_get_raw(&dlen); + buffer_append(&kex->peer, ptr, dlen); - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestFinal(&md, digest, NULL); - - buffer_free(&b); + /* discard packet */ + for (i = 0; i < KEX_COOKIE_LEN; i++) + packet_get_char(); + for (i = 0; i < PROPOSAL_MAX; i++) + xfree(packet_get_string(NULL)); + packet_get_char(); + packet_get_int(); + packet_done(); -#ifdef DEBUG_KEX - dump_digest(digest, evp_md->md_size); -#endif - return digest; + kex_kexinit_finish(kex); } -u_char * -kex_hash_gex( - char *client_version_string, - char *server_version_string, - char *ckexinit, int ckexinitlen, - char *skexinit, int skexinitlen, - char *serverhostkeyblob, int sbloblen, - int minbits, BIGNUM *prime, BIGNUM *gen, - BIGNUM *client_dh_pub, - BIGNUM *server_dh_pub, - BIGNUM *shared_secret) +Kex * +kex_setup(char *proposal[PROPOSAL_MAX]) { - Buffer b; - static u_char digest[EVP_MAX_MD_SIZE]; - EVP_MD *evp_md = EVP_sha1(); - EVP_MD_CTX md; - - buffer_init(&b); - buffer_put_string(&b, client_version_string, strlen(client_version_string)); - buffer_put_string(&b, server_version_string, strlen(server_version_string)); - - /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */ - buffer_put_int(&b, ckexinitlen+1); - buffer_put_char(&b, SSH2_MSG_KEXINIT); - buffer_append(&b, ckexinit, ckexinitlen); - buffer_put_int(&b, skexinitlen+1); - buffer_put_char(&b, SSH2_MSG_KEXINIT); - buffer_append(&b, skexinit, skexinitlen); - - buffer_put_string(&b, serverhostkeyblob, sbloblen); - buffer_put_int(&b, minbits); - buffer_put_bignum2(&b, prime); - 
buffer_put_bignum2(&b, gen); - buffer_put_bignum2(&b, client_dh_pub); - buffer_put_bignum2(&b, server_dh_pub); - buffer_put_bignum2(&b, shared_secret); - -#ifdef DEBUG_KEX - buffer_dump(&b); -#endif - - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestFinal(&md, digest, NULL); + Kex *kex; - buffer_free(&b); + kex = xmalloc(sizeof(*kex)); + memset(kex, 0, sizeof(*kex)); + buffer_init(&kex->peer); + buffer_init(&kex->my); + kex_prop2buf(&kex->my, proposal); + kex->done = 0; + + kex_send_kexinit(kex); /* we start */ + kex_clear_dispatch(); + dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit); -#ifdef DEBUG_KEX - dump_digest(digest, evp_md->md_size); -#endif - return digest; + return kex; } -u_char * -derive_key(int id, int need, u_char *hash, BIGNUM *shared_secret) +void +kex_kexinit_finish(Kex *kex) { - Buffer b; - EVP_MD *evp_md = EVP_sha1(); - EVP_MD_CTX md; - char c = id; - int have; - int mdsz = evp_md->md_size; - u_char *digest = xmalloc(((need+mdsz-1)/mdsz)*mdsz); + if (!(kex->flags & KEX_INIT_SENT)) + kex_send_kexinit(kex); - buffer_init(&b); - buffer_put_bignum2(&b, shared_secret); + kex_choose_conf(kex); - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); /* shared_secret K */ - EVP_DigestUpdate(&md, hash, mdsz); /* transport-06 */ - EVP_DigestUpdate(&md, &c, 1); /* key id */ - EVP_DigestUpdate(&md, hash, mdsz); /* session id */ - EVP_DigestFinal(&md, digest, NULL); - - /* expand */ - for (have = mdsz; need > have; have += mdsz) { - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestUpdate(&md, hash, mdsz); - EVP_DigestUpdate(&md, digest, have); - EVP_DigestFinal(&md, digest + have, NULL); + switch(kex->kex_type) { + case DH_GRP1_SHA1: + kexdh(kex); + break; + case DH_GEX_SHA1: + kexgex(kex); + break; + default: + fatal("Unsupported key exchange %d", kex->kex_type); } - buffer_free(&b); -#ifdef DEBUG_KEX - fprintf(stderr, 
"Digest '%c'== ", c); - dump_digest(digest, need); -#endif - return digest; } void 
@@ -442,67 +299,155 @@ xfree(hostkeyalg); } -Kex * -kex_choose_conf(char *cprop[PROPOSAL_MAX], char *sprop[PROPOSAL_MAX], int server) +void +kex_choose_conf(Kex *kex) { + Newkeys *newkeys; + char **my, **peer; + char **cprop, **sprop; + int nenc, nmac, ncomp; int mode; int ctos; /* direction: if true client-to-server */ int need; - Kex *k; - k = xmalloc(sizeof(*k)); - memset(k, 0, sizeof(*k)); - k->server = server; + my = kex_buf2prop(&kex->my); + peer = kex_buf2prop(&kex->peer); + if (kex->server) { + cprop=peer; + sprop=my; + } else { + cprop=my; + sprop=peer; + } + + /* Algorithm Negotiation */ for (mode = 0; mode < MODE_MAX; mode++) { - int nenc, nmac, ncomp; - ctos = (!k->server && mode == MODE_OUT) || (k->server && mode == MODE_IN); + newkeys = xmalloc(sizeof(*newkeys)); + memset(newkeys, 0, sizeof(*newkeys)); + kex->newkeys[mode] = newkeys; + ctos = (!kex->server && mode == MODE_OUT) || (kex->server && mode == MODE_IN); nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; - choose_enc (&k->enc [mode], cprop[nenc], sprop[nenc]); - choose_mac (&k->mac [mode], cprop[nmac], sprop[nmac]); - choose_comp(&k->comp[mode], cprop[ncomp], sprop[ncomp]); + choose_enc (&newkeys->enc, cprop[nenc], sprop[nenc]); + choose_mac (&newkeys->mac, cprop[nmac], sprop[nmac]); + choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]); debug("kex: %s %s %s %s", ctos ? 
"client->server" : "server->client", - k->enc[mode].name, - k->mac[mode].name, - k->comp[mode].name); + newkeys->enc.name, + newkeys->mac.name, + newkeys->comp.name); } - choose_kex(k, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); - choose_hostkeyalg(k, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], + choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); + choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]); need = 0; for (mode = 0; mode < MODE_MAX; mode++) { - if (need < k->enc[mode].cipher->key_len) - need = k->enc[mode].cipher->key_len; - if (need < k->enc[mode].cipher->block_size) - need = k->enc[mode].cipher->block_size; - if (need < k->mac[mode].key_len) - need = k->mac[mode].key_len; + newkeys = kex->newkeys[mode]; + if (need < newkeys->enc.cipher->key_len) + need = newkeys->enc.cipher->key_len; + if (need < newkeys->enc.cipher->block_size) + need = newkeys->enc.cipher->block_size; + if (need < newkeys->mac.key_len) + need = newkeys->mac.key_len; } /* XXX need runden? */ - k->we_need = need; - return k; + kex->we_need = need; + + kex_prop_free(my); + kex_prop_free(peer); +} + +u_char * +derive_key(Kex *kex, int id, int need, u_char *hash, BIGNUM *shared_secret) +{ + Buffer b; + EVP_MD *evp_md = EVP_sha1(); + EVP_MD_CTX md; + char c = id; + int have; + int mdsz = evp_md->md_size; + u_char *digest = xmalloc(roundup(need, mdsz)); + + buffer_init(&b); + buffer_put_bignum2(&b, shared_secret); + + /* K1 = HASH(K || H || "A" || session_id) */ + EVP_DigestInit(&md, evp_md); + EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); + EVP_DigestUpdate(&md, hash, mdsz); + EVP_DigestUpdate(&md, &c, 1); + EVP_DigestUpdate(&md, kex->session_id, kex->session_id_len); + EVP_DigestFinal(&md, digest, NULL); + + /* + * expand key: + * Kn = HASH(K || H || K1 || K2 || ... || Kn-1) + * Key = K1 || K2 || ... 
|| Kn + */ + for (have = mdsz; need > have; have += mdsz) { + EVP_DigestInit(&md, evp_md); + EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); + EVP_DigestUpdate(&md, hash, mdsz); + EVP_DigestUpdate(&md, digest, have); + EVP_DigestFinal(&md, digest + have, NULL); + } + buffer_free(&b); +#ifdef DEBUG_KEX + fprintf(stderr, "key '%c'== ", c); + dump_digest("key", digest, need); +#endif + return digest; } +Newkeys *current_keys[MODE_MAX]; + #define NKEYS 6 -int -kex_derive_keys(Kex *k, u_char *hash, BIGNUM *shared_secret) +void +kex_derive_keys(Kex *kex, u_char *hash, BIGNUM *shared_secret) { - int i; - int mode; - int ctos; u_char *keys[NKEYS]; + int i, mode, ctos; for (i = 0; i < NKEYS; i++) - keys[i] = derive_key('A'+i, k->we_need, hash, shared_secret); + keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, shared_secret); + debug("kex_derive_keys"); for (mode = 0; mode < MODE_MAX; mode++) { - ctos = (!k->server && mode == MODE_OUT) || (k->server && mode == MODE_IN); - k->enc[mode].iv = keys[ctos ? 0 : 1]; - k->enc[mode].key = keys[ctos ? 2 : 3]; - k->mac[mode].key = keys[ctos ? 4 : 5]; + current_keys[mode] = kex->newkeys[mode]; + kex->newkeys[mode] = NULL; + ctos = (!kex->server && mode == MODE_OUT) || (kex->server && mode == MODE_IN); + current_keys[mode]->enc.iv = keys[ctos ? 0 : 1]; + current_keys[mode]->enc.key = keys[ctos ? 2 : 3]; + current_keys[mode]->mac.key = keys[ctos ? 
4 : 5]; + } +} + +Newkeys * +kex_get_newkeys(int mode) +{ + Newkeys *ret; + + ret = current_keys[mode]; + current_keys[mode] = NULL; + return ret; +} + +#if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) +void +dump_digest(char *msg, u_char *digest, int len) +{ + int i; + + fprintf(stderr, "%s\n", msg); + for (i = 0; i< len; i++){ + fprintf(stderr, "%02x", digest[i]); + if (i%32 == 31) + fprintf(stderr, "\n"); + else if (i%8 == 7) + fprintf(stderr, " "); } - return 0; + fprintf(stderr, "\n"); } +#endif diff -ru openssh-2.5.2p2/kex.h openssh-2.9p1/kex.h --- openssh-2.5.2p2/kex.h 2001-03-06 12:09:20.000000000 +1100 +++ openssh-2.9p1/kex.h 2001-04-05 09:46:09.000000000 +1000 @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.15 2001/03/05 17:17:20 markus Exp $ */ +/* $OpenBSD: kex.h,v 1.22 2001/04/04 20:25:37 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -28,6 +28,8 @@ #include #include "buffer.h" +#include "cipher.h" +#include "key.h" #define KEX_DH1 "diffie-hellman-group1-sha1" #define KEX_DHGEX "diffie-hellman-group-exchange-sha1" 
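Review bot: `Newkeys *current_keys[MODE_MAX];` is a non-static file-scope global carrying freshly derived cipher and MAC keys, and `kex_derive_keys` overwrites `current_keys[mode]` without checking whether the previous entry was ever collected by `kex_get_newkeys`, which would silently leak a Newkeys still holding key material. Declare it `static Newkeys *current_keys[MODE_MAX];` and either fatal on a non-NULL slot or mark the overwrite with `/* any previous unconsumed keys are leaked here */`. `derive_key` relies on the `roundup` macro; unless the portable tree's defines.h supplies it, this will not build on platforms that lack it in `<sys/param.h>`, which is worth confirming. The `choose_*` helpers used by `kex_choose_conf` are outside the hunk.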
@@ -57,78 +59,72 @@ DH_GEX_SHA1 }; +#define KEX_INIT_SENT 0x0001 + typedef struct Kex Kex; typedef struct Mac Mac; typedef struct Comp Comp; typedef struct Enc Enc; +typedef struct Newkeys Newkeys; struct Enc { - char *name; - Cipher *cipher; - int enabled; + char *name; + Cipher *cipher; + int enabled; u_char *key; u_char *iv; }; struct Mac { - char *name; - int enabled; - EVP_MD *md; - int mac_len; + char *name; + int enabled; + EVP_MD *md; + int mac_len; u_char *key; - int key_len; + int key_len; }; struct Comp { - int type; - int enabled; - char *name; + int type; + int enabled; + char *name; +}; +struct Newkeys { + Enc enc; + Mac mac; + Comp comp; }; struct Kex { - Enc enc [MODE_MAX]; - Mac mac [MODE_MAX]; - Comp comp[MODE_MAX]; - int we_need; - int server; - char *name; - int hostkey_type; - int kex_type; -}; - -Buffer *kex_init(char *myproposal[PROPOSAL_MAX]); -void -kex_exchange_kexinit( - Buffer *my_kexinit, Buffer *peer_kexint, - char *peer_proposal[PROPOSAL_MAX]); -Kex * -kex_choose_conf(char *cprop[PROPOSAL_MAX], - char *sprop[PROPOSAL_MAX], int server); -int kex_derive_keys(Kex *k, u_char *hash, BIGNUM *shared_secret); -void packet_set_kex(Kex *k); -int dh_pub_is_valid(DH *dh, BIGNUM *dh_pub); -DH *dh_new_group_asc(const char *, const char *); -DH *dh_new_group(BIGNUM *, BIGNUM *); -void dh_gen_key(DH *, int); -DH *dh_new_group1(void); - -u_char * -kex_hash( - char *client_version_string, - char *server_version_string, - char *ckexinit, int ckexinitlen, - char *skexinit, int skexinitlen, - char *serverhostkeyblob, int sbloblen, - BIGNUM *client_dh_pub, - BIGNUM *server_dh_pub, - BIGNUM *shared_secret); - -u_char * -kex_hash_gex( - char *client_version_string, - char *server_version_string, - char *ckexinit, int ckexinitlen, - char *skexinit, int skexinitlen, - char *serverhostkeyblob, int sbloblen, - int minbits, BIGNUM *prime, BIGNUM *gen, - BIGNUM *client_dh_pub, - BIGNUM *server_dh_pub, - BIGNUM *shared_secret); + u_char *session_id; + int 
session_id_len; + Newkeys *newkeys[MODE_MAX]; + int we_need; + int server; + char *name; + int hostkey_type; + int kex_type; + Buffer my; + Buffer peer; + int done; + int flags; + char *client_version_string; + char *server_version_string; + int (*check_host_key)(Key *hostkey); + Key *(*load_host_key)(int type); +}; + +Kex *kex_setup(char *proposal[PROPOSAL_MAX]); +void kex_finish(Kex *kex); + +void kex_send_kexinit(Kex *kex); +void kex_input_kexinit(int type, int plen, void *ctxt); +void kex_derive_keys(Kex *k, u_char *hash, BIGNUM *shared_secret); + +void kexdh(Kex *); +void kexgex(Kex *); + +Newkeys *kex_get_newkeys(int mode); + +#if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) +void dump_digest(char *msg, u_char *digest, int len); +#endif + #endif Only in openssh-2.9p1: kexdh.c Only in openssh-2.9p1: kexgex.c diff -ru openssh-2.5.2p2/key.c openssh-2.9p1/key.c --- openssh-2.5.2p2/key.c 2001-03-13 15:57:59.000000000 +1100 +++ openssh-2.9p1/key.c 2001-04-18 04:11:37.000000000 +1000 @@ -32,7 +32,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: key.c,v 1.22 2001/03/12 22:02:01 markus Exp $"); +RCSID("$OpenBSD: key.c,v 1.25 2001/04/17 10:53:24 markus Exp $"); #include @@ -211,12 +211,12 @@ } char* -key_fingerprint_hex(u_char* dgst_raw, size_t dgst_raw_len) +key_fingerprint_hex(u_char* dgst_raw, size_t dgst_raw_len) { char *retval; int i; - retval = xmalloc(dgst_raw_len * 3); + retval = xmalloc(dgst_raw_len * 3 + 1); retval[0] = '\0'; for(i = 0; i < dgst_raw_len; i++) { char hex[4]; @@ -228,7 +228,7 @@ } char* -key_fingerprint_bubblebabble(u_char* dgst_raw, size_t dgst_raw_len) +key_fingerprint_bubblebabble(u_char* dgst_raw, size_t dgst_raw_len) { char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 
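Review bot: The new `Newkeys` type and `kex_get_newkeys()` hand raw key material across the kex/packet boundary, but the header says nothing about ownership or about the call being single-shot, which the kex.c implementation makes it (it returns `current_keys[mode]` and sets the slot to NULL, so a second call for the same mode yields NULL and set_newkeys() in packet.c treats that as fatal). Add above the prototype: `/* Hand the keys derived by the last kex_derive_keys() for 'mode' to the caller, who owns and must clear them; a second call for the same mode returns NULL. */`. A similar line on `newkeys[MODE_MAX]` in struct Kex — presumably filled by kexdh()/kexgex() and consumed by kex_derive_keys(), which NULLs it — would explain that hand-off too.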
@@ -277,9 +277,9 @@ char* key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) { - char *retval = NULL; + char *retval = NULL; u_char *dgst_raw; - size_t dgst_raw_len; + size_t dgst_raw_len; dgst_raw = key_fingerprint_raw(k, dgst_type, &dgst_raw_len); if (!dgst_raw) @@ -629,6 +629,28 @@ return KEY_UNSPEC; } +int +key_names_valid2(const char *names) +{ + char *s, *cp, *p; + + if (names == NULL || strcmp(names, "") == 0) + return 0; + s = cp = xstrdup(names); + for ((p = strsep(&cp, ",")); p && *p != '\0'; + (p = strsep(&cp, ","))) { + switch (key_type_from_name(p)) { + case KEY_RSA1: + case KEY_UNSPEC: + xfree(s); + return 0; + } + } + debug3("key names ok: [%s]", names); + xfree(s); + return 1; +} + Key * key_from_blob(char *blob, int blen) { diff -ru openssh-2.5.2p2/key.h openssh-2.9p1/key.h --- openssh-2.5.2p2/key.h 2001-03-13 15:57:59.000000000 +1100 +++ openssh-2.9p1/key.h 2001-04-18 04:11:37.000000000 +1000 @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.11 2001/03/12 22:02:01 markus Exp $ */ +/* $OpenBSD: key.h,v 1.12 2001/04/17 10:53:24 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -67,6 +67,7 @@ Key *key_from_blob(char *blob, int blen); int key_to_blob(Key *key, u_char **blobp, u_int *lenp); char *key_ssh_name(Key *k); +int key_names_valid2(const char *names); int key_sign( diff -ru openssh-2.5.2p2/log.c openssh-2.9p1/log.c --- openssh-2.5.2p2/log.c 2001-03-05 21:23:31.000000000 +1100 +++ openssh-2.9p1/log.c 2001-04-02 23:45:00.000000000 +1000 @@ -268,7 +268,7 @@ log_level = level; break; default: - fprintf(stderr, "Unrecognized internal syslog level code %d", + fprintf(stderr, "Unrecognized internal syslog level code %d\n", (int) level); exit(1); } 
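Review bot: An empty list element stops the loop in key_names_valid2() at `p && *p != '\0'` instead of failing it, so `ssh-rsa,` or `ssh-rsa,,ssh-dss` is reported valid and the empty name survives into whatever consumes the list. Iterate while `p != NULL` and reject the empty element before the switch: `for ((p = strsep(&cp, ",")); p != NULL; (p = strsep(&cp, ","))) {` followed by `if (*p == '\0') { xfree(s); return 0; }`. The `strcmp(names, "") == 0` guard can then be `*names == '\0'`, and a one-line comment should state that the function validates protocol-2 key type names only, which is why KEY_RSA1 is rejected alongside KEY_UNSPEC.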
@@ -318,7 +318,7 @@ break; default: fprintf(stderr, - "Unrecognized internal syslog facility code %d", + "Unrecognized internal syslog facility code %d\n", (int) facility); exit(1); } diff -ru openssh-2.5.2p2/logintest.c openssh-2.9p1/logintest.c --- openssh-2.5.2p2/logintest.c 2001-02-05 23:42:18.000000000 +1100 +++ openssh-2.9p1/logintest.c 2001-04-06 09:05:22.000000000 +1000 @@ -48,8 +48,13 @@ #include "loginrec.h" -RCSID("$Id: logintest.c,v 1.7 2001/02/05 12:42:18 stevesk Exp $"); +RCSID("$Id: logintest.c,v 1.8 2001/04/05 23:05:22 stevesk Exp $"); +#ifdef HAVE___PROGNAME +extern char *__progname; +#else +char *__progname; +#endif #define PAUSE_BEFORE_LOGOUT 3 @@ -287,6 +292,7 @@ { printf("Platform-independent login recording test driver\n"); + __progname = get_progname(argv[0]); if (argc == 2) { if (strncmp(argv[1], "-i", 3) == 0) compile_opts_only = 1; diff -ru openssh-2.5.2p2/mac.c openssh-2.9p1/mac.c --- openssh-2.5.2p2/mac.c 2001-02-15 14:01:59.000000000 +1100 +++ openssh-2.9p1/mac.c 2001-04-06 09:26:33.000000000 +1000 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: mac.c,v 1.1 2001/02/11 12:59:24 markus Exp $"); +RCSID("$OpenBSD: mac.c,v 1.2 2001/04/05 10:42:51 markus Exp $"); #include @@ -45,7 +45,7 @@ { "hmac-md5-96", EVP_md5, 96 }, { "hmac-ripemd160", EVP_ripemd160, 0 }, { "hmac-ripemd160@openssh.com", EVP_ripemd160, 0 }, - { NULL, NULL, 0 } + { NULL, NULL, 0 } }; int Only in openssh-2.9p1: mdoc2man.pl diff -ru openssh-2.5.2p2/misc.c openssh-2.9p1/misc.c --- openssh-2.5.2p2/misc.c 2001-03-05 18:57:09.000000000 +1100 +++ openssh-2.9p1/misc.c 2001-04-13 09:39:27.000000000 +1000 @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.4 2001/02/28 17:52:54 deraadt Exp $ */ +/* $OpenBSD: misc.c,v 1.5 2001/04/12 20:09:37 stevesk Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. 
@@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: misc.c,v 1.4 2001/02/28 17:52:54 deraadt Exp $"); +RCSID("$OpenBSD: misc.c,v 1.5 2001/04/12 20:09:37 stevesk Exp $"); #include "misc.h" #include "log.h" @@ -116,6 +116,21 @@ return copy; } +int a2port(const char *s) +{ + long port; + char *endp; + + errno = 0; + port = strtol(s, &endp, 0); + if (s == endp || *endp != '\0' || + (errno == ERANGE && (port == LONG_MIN || port == LONG_MAX)) || + port <= 0 || port > 65535) + return 0; + + return port; +} + mysig_t mysignal(int sig, mysig_t act) { diff -ru openssh-2.5.2p2/misc.h openssh-2.9p1/misc.h --- openssh-2.5.2p2/misc.h 2001-03-05 16:56:41.000000000 +1100 +++ openssh-2.9p1/misc.h 2001-04-13 09:39:27.000000000 +1000 @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.h,v 1.3 2001/02/22 21:59:44 markus Exp $ */ +/* $OpenBSD: misc.h,v 1.4 2001/04/12 20:09:36 stevesk Exp $ */ /* * Author: Tatu Ylonen @@ -22,6 +22,13 @@ struct passwd * pwcopy(struct passwd *pw); +/* + * Convert ASCII string to TCP/IP port number. + * Port must be >0 and <=65535. + * Return 0 if invalid. + */ +int a2port(const char *s); + /* wrapper for signal interface */ typedef void (*mysig_t)(int); mysig_t mysignal(int sig, mysig_t act); diff -ru openssh-2.5.2p2/nchan.c openssh-2.9p1/nchan.c --- openssh-2.5.2p2/nchan.c 2001-03-05 17:16:12.000000000 +1100 +++ openssh-2.9p1/nchan.c 2001-04-03 23:02:48.000000000 +1000 
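Review bot: `strtol(s, &endp, 0)` in a2port() auto-detects the base, so a port with a leading zero is read as octal (`022` becomes 18, `08` and `09` are rejected) and `0x16` is accepted as 22, none of which the misc.h comment "Convert ASCII string to TCP/IP port number" leads a reader to expect. Pass base 10: `port = strtol(s, &endp, 10);`. The `errno == ERANGE && (port == LONG_MIN || port == LONG_MAX)` clause is redundant given the `port <= 0 || port > 65535` test that follows, and the function depends on <errno.h> and <limits.h> arriving through includes.h (not visible here), which is worth a comment.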
@@ -489,11 +489,10 @@ /* * shutdown(sock, SHUT_READ) may return ENOTCONN if the * write side has been closed already. (bug on Linux) + * HP-UX will return EINVAL. */ if (shutdown(c->sock, SHUT_RD) < 0 - && (errno != ENOTCONN - || c->ostate == CHAN_OUTPUT_OPEN - || c->ostate == CHAN_OUTPUT_WAIT_DRAIN)) + && (errno != ENOTCONN && errno != EINVAL)) error("channel %d: chan_shutdown_read: shutdown() failed for fd%d [i%d o%d]: %.100s", c->self, c->sock, c->istate, c->ostate, strerror(errno)); } else { diff -ru openssh-2.5.2p2/openbsd-compat/Makefile.in openssh-2.9p1/openbsd-compat/Makefile.in --- openssh-2.5.2p2/openbsd-compat/Makefile.in 2001-03-19 10:09:28.000000000 +1100 +++ openssh-2.9p1/openbsd-compat/Makefile.in 2001-04-13 07:35:53.000000000 +1000 @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.9 2001/03/18 23:09:28 djm Exp $ +# $Id: Makefile.in,v 1.10 2001/04/12 21:35:53 mouring Exp $ sysconfdir=@sysconfdir@ piddir=@piddir@ @@ -16,7 +16,7 @@ INSTALL=@INSTALL@ LDFLAGS=-L. @LDFLAGS@ -OPENBSD=base64.o bindresvport.o daemon.o getcwd.o getgrouplist.o getusershell.o glob.o inet_aton.o inet_ntoa.o mktemp.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtok.o vis.o +OPENBSD=base64.o bindresvport.o daemon.o getcwd.o getgrouplist.o getusershell.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtok.o vis.o COMPAT=bsd-arc4random.o bsd-cygwin_util.o bsd-misc.o bsd-nextstep.o bsd-snprintf.o bsd-waitpid.o fake-getaddrinfo.o fake-getnameinfo.o diff -ru openssh-2.5.2p2/openbsd-compat/bsd-cygwin_util.c openssh-2.9p1/openbsd-compat/bsd-cygwin_util.c --- openssh-2.5.2p2/openbsd-compat/bsd-cygwin_util.c 2001-02-18 12:30:56.000000000 +1100 +++ openssh-2.9p1/openbsd-compat/bsd-cygwin_util.c 2001-04-14 00:28:42.000000000 +1000 
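Review bot: The new condition silences ENOTCONN unconditionally, whereas the removed one only accepted it when the output side was already closed (`ostate` neither CHAN_OUTPUT_OPEN nor CHAN_OUTPUT_WAIT_DRAIN), so an ENOTCONN on a channel whose write side is still open is no longer logged; if that loss is deliberate the comment should say so, otherwise keep the state test for ENOTCONN and add EINVAL beside it: `&& !(errno == EINVAL || (errno == ENOTCONN && c->ostate != CHAN_OUTPUT_OPEN && c->ostate != CHAN_OUTPUT_WAIT_DRAIN)))`. The comment also says `SHUT_READ` while the call uses `SHUT_RD`. chan_shutdown_read() begins and ends outside the hunk.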
@@ -15,12 +15,11 @@ #include "includes.h" -RCSID("$Id: bsd-cygwin_util.c,v 1.3 2001/02/18 01:30:56 djm Exp $"); +RCSID("$Id: bsd-cygwin_util.c,v 1.4 2001/04/13 14:28:42 djm Exp $"); #ifdef HAVE_CYGWIN #include -#include #include #include #include diff -ru openssh-2.5.2p2/openbsd-compat/bsd-cygwin_util.h openssh-2.9p1/openbsd-compat/bsd-cygwin_util.h --- openssh-2.5.2p2/openbsd-compat/bsd-cygwin_util.h 2001-02-18 12:30:56.000000000 +1100 +++ openssh-2.9p1/openbsd-compat/bsd-cygwin_util.h 2001-04-14 00:28:43.000000000 +1000 @@ -13,13 +13,15 @@ * binary mode on Windows systems. */ -/* $Id: bsd-cygwin_util.h,v 1.3 2001/02/18 01:30:56 djm Exp $ */ +/* $Id: bsd-cygwin_util.h,v 1.4 2001/04/13 14:28:43 djm Exp $ */ #ifndef _BSD_CYGWIN_UTIL_H #define _BSD_CYGWIN_UTIL_H #ifdef HAVE_CYGWIN +#include + int binary_open(const char *filename, int flags, ...); int binary_pipe(int fd[2]); int check_nt_auth(int pwd_authenticated, uid_t uid); diff -ru openssh-2.5.2p2/openbsd-compat/bsd-misc.c openssh-2.9p1/openbsd-compat/bsd-misc.c --- openssh-2.5.2p2/openbsd-compat/bsd-misc.c 2001-03-14 10:38:20.000000000 +1100 +++ openssh-2.9p1/openbsd-compat/bsd-misc.c 2001-04-10 00:50:56.000000000 +1000 @@ -26,7 +26,7 @@ #include "xmalloc.h" #include "ssh.h" -RCSID("$Id: bsd-misc.c,v 1.3 2001/03/13 23:38:20 mouring Exp $"); +RCSID("$Id: bsd-misc.c,v 1.4 2001/04/09 14:50:56 stevesk Exp $"); char *get_progname(char *argv0) { 
@@ -70,6 +70,13 @@ } #endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */ +#if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID) +int setegid(uid_t egid) +{ + return(setresgid(-1,egid,-1)); +} +#endif /* !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID) */ + #if !defined(HAVE_STRERROR) && defined(HAVE_SYS_ERRLIST) && defined(HAVE_SYS_NERR) const char *strerror(int e) { diff -ru openssh-2.5.2p2/openbsd-compat/bsd-misc.h openssh-2.9p1/openbsd-compat/bsd-misc.h --- openssh-2.5.2p2/openbsd-compat/bsd-misc.h 2001-02-09 12:55:36.000000000 +1100 +++ openssh-2.9p1/openbsd-compat/bsd-misc.h 2001-04-10 00:50:56.000000000 +1000 @@ -22,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* $Id: bsd-misc.h,v 1.2 2001/02/09 01:55:36 djm Exp $ */ +/* $Id: bsd-misc.h,v 1.3 2001/04/09 14:50:56 stevesk Exp $ */ #ifndef _BSD_MISC_H #define _BSD_MISC_H @@ -52,6 +52,10 @@ int seteuid(uid_t euid); #endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */ +#if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID) +int setegid(uid_t egid); +#endif /* !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID) */ + #if !defined(HAVE_STRERROR) && defined(HAVE_SYS_ERRLIST) && defined(HAVE_SYS_NERR) const char *strerror(int e); #endif diff -ru openssh-2.5.2p2/openbsd-compat/bsd-nextstep.c openssh-2.9p1/openbsd-compat/bsd-nextstep.c --- openssh-2.5.2p2/openbsd-compat/bsd-nextstep.c 2001-02-09 12:55:36.000000000 +1100 +++ openssh-2.9p1/openbsd-compat/bsd-nextstep.c 2001-03-26 15:35:34.000000000 +1000 @@ -22,7 +22,7 @@ #include "includes.h" -RCSID("$Id: bsd-nextstep.c,v 1.3 2001/02/09 01:55:36 djm Exp $"); +RCSID("$Id: bsd-nextstep.c,v 1.4 2001/03/26 05:35:34 mouring Exp $"); #ifdef HAVE_NEXT #include 
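Review bot: The replacement `setegid()` is declared with a `uid_t` parameter, here and in the matching bsd-misc.h hunk, while the function it stands in for takes a `gid_t`; on a platform where the two types differ the replacement will not match the prototype the rest of the tree compiles against. Use `int setegid(gid_t egid)` in both files and make the wildcard arguments' conversion visible: `return(setresgid((gid_t)-1, egid, (gid_t)-1));`. A one-line comment noting that this shim only exists where the system lacks setegid() but has setresgid() would match the surrounding `#if` guard.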
@@ -37,7 +37,8 @@ #undef wait /* Use NeXT's wait() function */ wait_pid = wait(&statusp); - status = (int *) statusp.w_status; + if (status) + *status = (int) statusp.w_status; return wait_pid; } diff -ru openssh-2.5.2p2/openbsd-compat/bsd-waitpid.c openssh-2.9p1/openbsd-compat/bsd-waitpid.c --- openssh-2.5.2p2/openbsd-compat/bsd-waitpid.c 2001-02-09 12:55:36.000000000 +1100 +++ openssh-2.9p1/openbsd-compat/bsd-waitpid.c 2001-03-26 15:35:34.000000000 +1000 @@ -22,7 +22,7 @@ #include "includes.h" -RCSID("$Id: bsd-waitpid.c,v 1.2 2001/02/09 01:55:36 djm Exp $"); +RCSID("$Id: bsd-waitpid.c,v 1.3 2001/03/26 05:35:34 mouring Exp $"); #ifndef HAVE_WAITPID #include @@ -43,7 +43,9 @@ pid = 0; /* wait4() wants pid=0 for indiscriminate wait. */ } wait_pid = wait4(pid, &statusp, options, NULL); - stat_loc = (int *)statusp.w_status; + if (stat_loc) + *stat_loc = (int) statusp.w_status; + return wait_pid; } diff -ru openssh-2.5.2p2/openbsd-compat/glob.c openssh-2.9p1/openbsd-compat/glob.c --- openssh-2.5.2p2/openbsd-compat/glob.c 2001-03-20 15:49:47.000000000 +1100 +++ openssh-2.9p1/openbsd-compat/glob.c 2001-04-14 00:22:33.000000000 +1000 @@ -56,7 +56,7 @@ #if 0 static char sccsid[] = "@(#)glob.c 8.3 (Berkeley) 10/13/93"; #else -static char rcsid[] = "$OpenBSD: glob.c,v 1.10 2001/03/19 13:45:30 millert Exp $"; +static char rcsid[] = "$OpenBSD: glob.c,v 1.16 2001/04/05 18:36:12 deraadt Exp $"; #endif #endif /* LIBC_SCCS and not lint */ 
@@ -137,19 +137,17 @@ static int compare __P((const void *, const void *)); -static void g_Ctoc __P((const Char *, char *)); +static int g_Ctoc __P((const Char *, char *, u_int)); static int g_lstat __P((Char *, struct stat *, glob_t *)); static DIR *g_opendir __P((Char *, glob_t *)); static Char *g_strchr __P((Char *, int)); -#ifdef notdef -static Char *g_strcat __P((Char *, const Char *)); -#endif static int g_stat __P((Char *, struct stat *, glob_t *)); static int glob0 __P((const Char *, glob_t *)); -static int glob1 __P((Char *, glob_t *, size_t *)); -static int glob2 __P((Char *, Char *, Char *, glob_t *, size_t *)); -static int glob3 __P((Char *, Char *, Char *, Char *, glob_t *, - size_t *)); +static int glob1 __P((Char *, Char *, glob_t *, size_t *)); +static int glob2 __P((Char *, Char *, Char *, Char *, Char *, Char *, + glob_t *, size_t *)); +static int glob3 __P((Char *, Char *, Char *, Char *, Char *, Char *, + Char *, Char *, glob_t *, size_t *)); static int globextend __P((const Char *, glob_t *, size_t *)); static const Char * globtilde __P((const Char *, Char *, size_t, glob_t *)); @@ -168,7 +166,7 @@ { const u_char *patnext; int c; - Char *bufnext, *bufend, patbuf[MAXPATHLEN+1]; + Char *bufnext, *bufend, patbuf[MAXPATHLEN]; patnext = (u_char *) pattern; if (!(flags & GLOB_APPEND)) { @@ -182,10 +180,10 @@ pglob->gl_matchc = 0; bufnext = patbuf; - bufend = bufnext + MAXPATHLEN; + bufend = bufnext + MAXPATHLEN - 1; if (flags & GLOB_NOESCAPE) - while (bufnext < bufend && (c = *patnext++) != EOS) - *bufnext++ = c; + while (bufnext < bufend && (c = *patnext++) != EOS) + *bufnext++ = c; else { /* Protect the quoted characters. */ while (bufnext < bufend && (c = *patnext++) != EOS) @@ -195,8 +193,7 @@ --patnext; } *bufnext++ = c | M_PROTECT; - } - else + } else *bufnext++ = c; } *bufnext = EOS; 
@@ -212,7 +209,8 @@ * invoke the standard globbing routine to glob the rest of the magic * characters */ -static int globexp1(pattern, pglob) +static int +globexp1(pattern, pglob) const Char *pattern; glob_t *pglob; { @@ -236,7 +234,8 @@ * If it succeeds then it invokes globexp1 with the new pattern. * If it fails then it tries to glob the rest of the pattern and returns. */ -static int globexp2(ptr, pattern, pglob, rv) +static int +globexp2(ptr, pattern, pglob, rv) const Char *ptr, *pattern; glob_t *pglob; int *rv; @@ -244,11 +243,12 @@ int i; Char *lm, *ls; const Char *pe, *pm, *pl; - Char patbuf[MAXPATHLEN + 1]; + Char patbuf[MAXPATHLEN]; /* copy part up to the brace */ for (lm = patbuf, pm = pattern; pm != ptr; *lm++ = *pm++) - continue; + ; + *lm = EOS; ls = lm; /* Find the balanced brace */ @@ -256,7 +256,7 @@ if (*pe == LBRACKET) { /* Ignore everything between [] */ for (pm = pe++; *pe != RBRACKET && *pe != EOS; pe++) - continue; + ; if (*pe == EOS) { /* * We could not find a matching RBRACKET. @@ -264,8 +264,7 @@ */ pe = pm; } - } - else if (*pe == LBRACE) + } else if (*pe == LBRACE) i++; else if (*pe == RBRACE) { if (i == 0) @@ -279,12 +278,12 @@ return 0; } - for (i = 0, pl = pm = ptr; pm <= pe; pm++) + for (i = 0, pl = pm = ptr; pm <= pe; pm++) { switch (*pm) { case LBRACKET: /* Ignore everything between [] */ for (pl = pm++; *pm != RBRACKET && *pm != EOS; pm++) - continue; + ; if (*pm == EOS) { /* * We could not find a matching RBRACKET. @@ -300,8 +299,8 @@ case RBRACE: if (i) { - i--; - break; + i--; + break; } /* FALLTHROUGH */ case COMMA: @@ -310,13 +309,14 @@ else { /* Append the current string */ for (lm = ls; (pl < pm); *lm++ = *pl++) - continue; + ; + /* * Append the rest of the pattern after the * closing brace */ - for (pl = pe + 1; (*lm++ = *pl++) != EOS;) - continue; + for (pl = pe + 1; (*lm++ = *pl++) != EOS; ) + ; /* Expand the current pattern */ #ifdef DEBUG @@ -332,6 +332,7 @@ default: break; } + } *rv = 0; return 0; } 
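Review bot: The appends in globexp2()'s COMMA/RBRACE branch, `for (lm = ls; (pl < pm); *lm++ = *pl++) ;` and `for (pl = pe + 1; (*lm++ = *pl++) != EOS; ) ;`, write into the local `patbuf[MAXPATHLEN]` with no bound check, in a change whose other hunks are all about bounding such copies. They appear safe only because each expansion is the input pattern minus the braces and the other alternatives, and glob() caps the pattern at MAXPATHLEN-1 characters plus EOS; that invariant is stated nowhere, so a comment above the first loop, `/* the expansion is never longer than the input pattern, which glob() bounds to MAXPATHLEN */`, would keep a later edit from breaking it.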
@@ -360,10 +361,15 @@ eb = &patbuf[patbuf_len - 1]; for (p = pattern + 1, h = (char *) patbuf; h < (char *)eb && *p && *p != SLASH; *h++ = *p++) - continue; + ; *h = EOS; +#if 0 + if (h == (char *)eb) + return what; +#endif + if (((char *) patbuf)[0] == EOS) { /* * handle a plain ~ or ~/ by expanding $HOME @@ -378,8 +384,7 @@ else h = pwd->pw_dir; } - } - else { + } else { /* * Expand a ~user */ @@ -391,11 +396,11 @@ /* Copy the home directory */ for (b = patbuf; b < eb && *h; *b++ = *h++) - continue; + ; /* Append the rest of the pattern */ while (b < eb && (*b++ = *p++) != EOS) - continue; + ; *b = EOS; return patbuf; @@ -416,11 +421,10 @@ { const Char *qpatnext; int c, err, oldpathc; - Char *bufnext, patbuf[MAXPATHLEN+1]; + Char *bufnext, patbuf[MAXPATHLEN]; size_t limit = 0; - qpatnext = globtilde(pattern, patbuf, sizeof(patbuf) / sizeof(Char), - pglob); + qpatnext = globtilde(pattern, patbuf, MAXPATHLEN, pglob); oldpathc = pglob->gl_pathc; bufnext = patbuf; @@ -464,7 +468,7 @@ * to avoid exponential behavior */ if (bufnext == patbuf || bufnext[-1] != M_ALL) - *bufnext++ = M_ALL; + *bufnext++ = M_ALL; break; default: *bufnext++ = CHAR(c); @@ -476,7 +480,7 @@ qprintf("glob0:", patbuf); #endif - if ((err = glob1(patbuf, pglob, &limit)) != 0) + if ((err = glob1(patbuf, patbuf+MAXPATHLEN-1, pglob, &limit)) != 0) return(err); /* @@ -507,17 +511,19 @@ } static int -glob1(pattern, pglob, limitp) - Char *pattern; +glob1(pattern, pattern_last, pglob, limitp) + Char *pattern, *pattern_last; glob_t *pglob; size_t *limitp; { - Char pathbuf[MAXPATHLEN+1]; + Char pathbuf[MAXPATHLEN]; /* A null pathname is invalid -- POSIX 1003.1 sect. 2.4. */ if (*pattern == EOS) return(0); - return(glob2(pathbuf, pathbuf, pattern, pglob, limitp)); + return(glob2(pathbuf, pathbuf+MAXPATHLEN-1, + pathbuf, pathbuf+MAXPATHLEN-1, + pattern, pattern_last, pglob, limitp)); } /* 
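Review bot: The `#if 0` block added after the user-name copy loop in globtilde() returns an identifier `what` that does not exist in the function, so it is dead text that will not compile if someone flips the condition. Either drop it or finish it: the apparent intent is to give up when the name filled the buffer, i.e. `if (h == (char *)eb) return pattern;` if, as in other glob implementations, an unexpandable tilde pattern is returned unchanged — confirm against the function's earlier returns, which lie outside the hunk.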
@@ -526,8 +532,10 @@ * meta characters. */ static int -glob2(pathbuf, pathend, pattern, pglob, limitp) - Char *pathbuf, *pathend, *pattern; +glob2(pathbuf, pathbuf_last, pathend, pathend_last, pattern, + pattern_last, pglob, limitp) + Char *pathbuf, *pathbuf_last, *pathend, *pathend_last; + Char *pattern, *pattern_last; glob_t *pglob; size_t *limitp; { @@ -546,10 +554,12 @@ return(0); if (((pglob->gl_flags & GLOB_MARK) && - pathend[-1] != SEP) && (S_ISDIR(sb.st_mode) - || (S_ISLNK(sb.st_mode) && + pathend[-1] != SEP) && (S_ISDIR(sb.st_mode) || + (S_ISLNK(sb.st_mode) && (g_stat(pathbuf, &sb, pglob) == 0) && S_ISDIR(sb.st_mode)))) { + if (pathend+1 > pathend_last) + return (1); *pathend++ = SEP; *pathend = EOS; } @@ -563,24 +573,33 @@ while (*p != EOS && *p != SEP) { if (ismeta(*p)) anymeta = 1; + if (q+1 > pathend_last) + return (1); *q++ = *p++; } if (!anymeta) { /* No expansion, do next segment. */ pathend = q; pattern = p; - while (*pattern == SEP) + while (*pattern == SEP) { + if (pathend+1 > pathend_last) + return (1); *pathend++ = *pattern++; - } else /* Need expansion, recurse. */ - return(glob3(pathbuf, pathend, pattern, p, pglob, - limitp)); + } + } else + /* Need expansion, recurse. */ + return(glob3(pathbuf, pathbuf_last, pathend, + pathend_last, pattern, pattern_last, + p, pattern_last, pglob, limitp)); } /* NOTREACHED */ } static int -glob3(pathbuf, pathend, pattern, restpattern, pglob, limitp) - Char *pathbuf, *pathend, *pattern, *restpattern; +glob3(pathbuf, pathbuf_last, pathend, pathend_last, pattern, pattern_last, + restpattern, restpattern_last, pglob, limitp) + Char *pathbuf, *pathbuf_last, *pathend, *pathend_last; + Char *pattern, *pattern_last, *restpattern, *restpattern_last; glob_t *pglob; size_t *limitp; { 
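Review bot: The three new overflow checks in glob2() `return (1)`, which is not one of the GLOB_* result codes; glob0() passes any nonzero result from glob1() straight back (`if ((err = glob1(...)) != 0) return(err);`), so glob() reports a too-long path as 1, which callers comparing against GLOB_NOSPACE/GLOB_ABORTED or testing for a negative value will not recognise. Return `GLOB_NOSPACE` at each site, e.g. `if (pathend+1 > pathend_last) return (GLOB_NOSPACE);`, and a comment on the first one should say that the `_last` pointers are the last writable element, not one past it, since every check here is written against that convention.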
@@ -597,16 +616,19 @@ */ struct dirent *(*readdirfunc)(); + if (pathend > pathend_last) + return (1); *pathend = EOS; errno = 0; if ((dirp = g_opendir(pathbuf, pglob)) == NULL) { /* TODO: don't call for ENOENT or ENOTDIR? */ if (pglob->gl_errfunc) { - g_Ctoc(pathbuf, buf); + if (g_Ctoc(pathbuf, buf, sizeof(buf))) + return(GLOB_ABORTED); if (pglob->gl_errfunc(buf, errno) || pglob->gl_flags & GLOB_ERR) - return (GLOB_ABORTED); + return(GLOB_ABORTED); } return(0); } @@ -625,14 +647,22 @@ /* Initial DOT must be matched literally. */ if (dp->d_name[0] == DOT && *pattern != DOT) continue; - for (sc = (u_char *) dp->d_name, dc = pathend; - (*dc++ = *sc++) != EOS;) - continue; + dc = pathend; + sc = (u_char *) dp->d_name; + while (dc < pathend_last && (*dc++ = *sc++) != EOS) + ; + if (dc >= pathend_last) { + *dc = EOS; + err = 1; + break; + } + if (!match(pathend, pattern, restpattern)) { *pathend = EOS; continue; } - err = glob2(pathbuf, --dc, restpattern, pglob, limitp); + err = glob2(pathbuf, pathbuf_last, --dc, pathend_last, + restpattern, restpattern_last, pglob, limitp); if (err) break; } @@ -691,11 +721,14 @@ pglob->gl_pathv = pathv; for (p = path; *p++;) - continue; + ; len = (size_t)(p - path); *limitp += len; if ((copy = malloc(len)) != NULL) { - g_Ctoc(path, copy); + if (g_Ctoc(path, copy, len)) { + free(copy); + return(GLOB_NOSPACE); + } pathv[pglob->gl_offs + pglob->gl_pathc++] = copy; } pathv[pglob->gl_offs + pglob->gl_pathc] = NULL; @@ -730,7 +763,8 @@ do if (match(name, pat, patend)) return(1); - while (*name++ != EOS); + while (*name++ != EOS) + ; return(0); case M_ONE: if (*name++ == EOS) @@ -788,8 +822,10 @@ if (!*str) strcpy(buf, "."); - else - g_Ctoc(str, buf); + else { + if (g_Ctoc(str, buf, sizeof(buf))) + return(NULL); + } if (pglob->gl_flags & GLOB_ALTDIRFUNC) return((*pglob->gl_opendir)(buf)); 
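Review bot: The truncation test after the d_name copy in glob3(), `if (dc >= pathend_last)`, also fires when the name fitted exactly: a copied EOS at `pathend_last - 1` leaves `dc == pathend_last`, so the entry is skipped and `err` set although nothing overflowed. Testing the last byte written distinguishes the two cases, `if (dc >= pathend_last && dc[-1] != EOS) {`. Setting `err = 1` there, and the `return (1)` at the top of glob3(), have the same problem as glob2()'s checks — 1 is not a GLOB_* code — and should be `GLOB_NOSPACE`.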
@@ -805,7 +841,8 @@ { char buf[MAXPATHLEN]; - g_Ctoc(fn, buf); + if (g_Ctoc(fn, buf, sizeof(buf))) + return(-1); if (pglob->gl_flags & GLOB_ALTDIRFUNC) return((*pglob->gl_lstat)(buf, sb)); return(lstat(buf, sb)); @@ -819,7 +856,8 @@ { char buf[MAXPATHLEN]; - g_Ctoc(fn, buf); + if (g_Ctoc(fn, buf, sizeof(buf))) + return(-1); if (pglob->gl_flags & GLOB_ALTDIRFUNC) return((*pglob->gl_stat)(buf, sb)); return(stat(buf, sb)); @@ -837,33 +875,18 @@ return (NULL); } -#ifdef notdef -static Char * -g_strcat(dst, src) - Char *dst; - const Char* src; -{ - Char *sdst = dst; - - while (*dst++) - continue; - --dst; - while((*dst++ = *src++) != EOS) - continue; - - return (sdst); -} -#endif - -static void -g_Ctoc(str, buf) +static int +g_Ctoc(str, buf, len) register const Char *str; char *buf; + u_int len; { - register char *dc; - for (dc = buf; (*dc++ = *str++) != EOS;) - continue; + while (len--) { + if ((*buf++ = *str++) == EOS) + return (0); + } + return (1); } #ifdef DEBUG Only in openssh-2.9p1/openbsd-compat: inet_ntop.c Only in openssh-2.9p1/openbsd-compat: inet_ntop.h diff -ru openssh-2.5.2p2/openbsd-compat/openbsd-compat.h openssh-2.9p1/openbsd-compat/openbsd-compat.h --- openssh-2.5.2p2/openbsd-compat/openbsd-compat.h 2001-03-19 10:09:28.000000000 +1100 +++ openssh-2.9p1/openbsd-compat/openbsd-compat.h 2001-04-13 07:35:54.000000000 +1000 @@ -1,4 +1,4 @@ -/* $Id: openbsd-compat.h,v 1.5 2001/03/18 23:09:28 djm Exp $ */ +/* $Id: openbsd-compat.h,v 1.6 2001/04/12 21:35:54 mouring Exp $ */ #ifndef _OPENBSD_H #define _OPENBSD_H @@ -19,6 +19,7 @@ #include "sigact.h" #include "inet_aton.h" #include "inet_ntoa.h" +#include "inet_ntop.h" #include "strsep.h" #include "strtok.h" #include "vis.h" diff -ru openssh-2.5.2p2/openbsd-compat/strlcat.c openssh-2.9p1/openbsd-compat/strlcat.c --- openssh-2.5.2p2/openbsd-compat/strlcat.c 2001-02-01 08:52:04.000000000 +1100 +++ openssh-2.9p1/openbsd-compat/strlcat.c 2001-04-14 00:22:33.000000000 +1000 
@@ -1,4 +1,4 @@ -/* $OpenBSD: strlcat.c,v 1.2 1999/06/17 16:28:58 millert Exp $ */ +/* $OpenBSD: strlcat.c,v 1.5 2001/01/13 16:17:24 millert Exp $ */ /* * Copyright (c) 1998 Todd C. Miller @@ -31,7 +31,7 @@ #ifndef HAVE_STRLCAT #if defined(LIBC_SCCS) && !defined(lint) -static char *rcsid = "$OpenBSD: strlcat.c,v 1.2 1999/06/17 16:28:58 millert Exp $"; +static char *rcsid = "$OpenBSD: strlcat.c,v 1.5 2001/01/13 16:17:24 millert Exp $"; #endif /* LIBC_SCCS and not lint */ #include @@ -40,8 +40,9 @@ /* * Appends src to string dst of size siz (unlike strncat, siz is the * full size of dst, not space left). At most siz-1 characters - * will be copied. Always NUL terminates (unless siz == 0). - * Returns strlen(src); if retval >= siz, truncation occurred. + * will be copied. Always NUL terminates (unless siz <= strlen(dst)). + * Returns strlen(initial dst) + strlen(src); if retval >= siz, + * truncation occurred. */ size_t strlcat(dst, src, siz) char *dst; @@ -54,7 +55,7 @@ size_t dlen; /* Find the end of dst and adjust bytes left but don't go past end */ - while (*d != '\0' && n-- != 0) + while (n-- != 0 && *d != '\0') d++; dlen = d - dst; n = siz - dlen; diff -ru openssh-2.5.2p2/openbsd-compat/vis.c openssh-2.9p1/openbsd-compat/vis.c --- openssh-2.5.2p2/openbsd-compat/vis.c 2001-02-09 03:34:57.000000000 +1100 +++ openssh-2.9p1/openbsd-compat/vis.c 2001-04-14 00:22:34.000000000 +1000 @@ -32,7 +32,7 @@ */ #if defined(LIBC_SCCS) && !defined(lint) -static char rcsid[] = "$OpenBSD: vis.c,v 1.5 2000/07/19 15:25:13 deraadt Exp $"; +static char rcsid[] = "$OpenBSD: vis.c,v 1.6 2000/11/21 00:47:28 millert Exp $"; #endif /* LIBC_SCCS and not lint */ #include "includes.h" 
@@ -40,18 +40,20 @@ #ifndef HAVE_VIS #define isoctal(c) (((u_char)(c)) >= '0' && ((u_char)(c)) <= '7') +#define isvisible(c) (((u_int)(c) <= UCHAR_MAX && isascii((u_char)(c)) && \ + isgraph((u_char)(c))) || \ + ((flag & VIS_SP) == 0 && (c) == ' ') || \ + ((flag & VIS_TAB) == 0 && (c) == '\t') || \ + ((flag & VIS_NL) == 0 && (c) == '\n') || \ + ((flag & VIS_SAFE) && \ + ((c) == '\b' || (c) == '\007' || (c) == '\r'))) /* * vis - visually encode characters */ char *vis(char *dst, int c, int flag, int nextc) { - if (((u_int)c <= UCHAR_MAX && isascii((u_char)c) && - isgraph((u_char)c)) || - ((flag & VIS_SP) == 0 && c == ' ') || - ((flag & VIS_TAB) == 0 && c == '\t') || - ((flag & VIS_NL) == 0 && c == '\n') || - ((flag & VIS_SAFE) && (c == '\b' || c == '\007' || c == '\r'))) { + if (isvisible(c)) { *dst++ = c; if (c == '\\' && (flag & VIS_NOSLASH) == 0) *dst++ = '\\'; diff -ru openssh-2.5.2p2/packet.c openssh-2.9p1/packet.c --- openssh-2.5.2p2/packet.c 2001-03-05 18:07:50.000000000 +1100 +++ openssh-2.9p1/packet.c 2001-04-06 09:26:33.000000000 +1000 @@ -37,7 +37,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: packet.c,v 1.56 2001/03/03 21:41:07 millert Exp $"); +RCSID("$OpenBSD: packet.c,v 1.61 2001/04/05 10:42:51 markus Exp $"); #include "xmalloc.h" #include "buffer.h" @@ -104,6 +104,7 @@ /* Scratch buffer for packet compression/decompression. */ static Buffer compression_buffer; +static int compression_buffer_ready = 0; /* Flag indicating whether packet compression/decompression is enabled. */ static int packet_compression = 0; 
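Review bot: The new `isvisible(c)` macro reads `flag`, which is not among its arguments, so it silently depends on a variable of that name being in scope at every use site, and it evaluates `c` up to six times. Make the dependency explicit, `#define isvisible(c, flag) (...)` called as `isvisible(c, flag)`, or at least add a comment that the macro is private to vis() and expects its `flag`. The multiple evaluation is latent rather than live here because `c` is a plain `int`, but a comment should say the argument must be side-effect free.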
@@ -121,35 +122,14 @@ int use_ssh2_packet_format = 0; /* Session key information for Encryption and MAC */ -Kex *kex = NULL; +Newkeys *newkeys[MODE_MAX]; void -packet_set_kex(Kex *k) -{ - if( k->mac[MODE_IN ].key == NULL || - k->enc[MODE_IN ].key == NULL || - k->enc[MODE_IN ].iv == NULL || - k->mac[MODE_OUT].key == NULL || - k->enc[MODE_OUT].key == NULL || - k->enc[MODE_OUT].iv == NULL) - fatal("bad KEX"); - kex = k; -} -void -clear_enc_keys(Enc *enc, int len) -{ - memset(enc->iv, 0, len); - memset(enc->key, 0, len); - xfree(enc->iv); - xfree(enc->key); - enc->iv = NULL; - enc->key = NULL; -} -void packet_set_ssh2_format(void) { DBG(debug("use_ssh2_packet_format")); use_ssh2_packet_format = 1; + newkeys[MODE_IN] = newkeys[MODE_OUT] = NULL; } /* @@ -270,7 +250,7 @@ buffer_free(&output); buffer_free(&outgoing_packet); buffer_free(&incoming_packet); - if (packet_compression) { + if (compression_buffer_ready) { buffer_free(&compression_buffer); buffer_compress_uninit(); } @@ -298,15 +278,24 @@ * Level is compression level 1 (fastest) - 9 (slow, best) as in gzip. */ -/*** XXXXX todo: kex means re-init */ +void +packet_init_compression() +{ + if (compression_buffer_ready == 1) + return; + compression_buffer_ready = 1; + buffer_init(&compression_buffer); +} + void packet_start_compression(int level) { - if (packet_compression) + if (packet_compression && !use_ssh2_packet_format) fatal("Compression already enabled."); packet_compression = 1; - buffer_init(&compression_buffer); - buffer_compress_init(level); + packet_init_compression(); + buffer_compress_init_send(level); + buffer_compress_init_recv(); } /* 
@@ -522,6 +511,56 @@ */ } +void +set_newkeys(int mode) +{ + Enc *enc; + Mac *mac; + Comp *comp; + CipherContext *cc; + + debug("newkeys: mode %d", mode); + + cc = (mode == MODE_OUT) ? &send_context : &receive_context; + if (newkeys[mode] != NULL) { + debug("newkeys: rekeying"); + /* todo: free old keys, reset compression/cipher-ctxt; */ + memset(cc, 0, sizeof(*cc)); + enc = &newkeys[mode]->enc; + mac = &newkeys[mode]->mac; + comp = &newkeys[mode]->comp; + memset(mac->key, 0, mac->key_len); + xfree(enc->name); + xfree(enc->iv); + xfree(enc->key); + xfree(mac->name); + xfree(mac->key); + xfree(comp->name); + xfree(newkeys[mode]); + } + newkeys[mode] = kex_get_newkeys(mode); + if (newkeys[mode] == NULL) + fatal("newkeys: no keys for mode %d", mode); + enc = &newkeys[mode]->enc; + mac = &newkeys[mode]->mac; + comp = &newkeys[mode]->comp; + if (mac->md != NULL) + mac->enabled = 1; + DBG(debug("cipher_init_context: %d", mode)); + cipher_init(cc, enc->cipher, enc->key, enc->cipher->key_len, + enc->iv, enc->cipher->block_size); + memset(enc->iv, 0, enc->cipher->block_size); + memset(enc->key, 0, enc->cipher->key_len); + if (comp->type != 0 && comp->enabled == 0) { + packet_init_compression(); + if (mode == MODE_OUT) + buffer_compress_init_send(6); + else + buffer_compress_init_recv(); + comp->enabled = 1; + } +} + /* * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue) */ @@ -540,10 +579,10 @@ Comp *comp = NULL; int block_size; - if (kex != NULL) { - enc = &kex->enc[MODE_OUT]; - mac = &kex->mac[MODE_OUT]; - comp = &kex->comp[MODE_OUT]; + if (newkeys[MODE_OUT] != NULL) { + enc = &newkeys[MODE_OUT]->enc; + mac = &newkeys[MODE_OUT]->mac; + comp = &newkeys[MODE_OUT]->comp; } block_size = enc ? enc->cipher->block_size : 8; 
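Review bot: The clearing after `cipher_init()` in set_newkeys() wipes only `enc->cipher->block_size` bytes of the IV and `enc->cipher->key_len` bytes of the key, but derive_key() fills each buffer with `kex->we_need` bytes and the `clear_enc_keys(enc, kex->we_need)` this change removes cleared all of them, so any derived key bytes beyond the length the cipher consumes now stay in the heap until the next rekey frees them, also without clearing. Newkeys does not record the allocated length, so the simplest repair is a length field next to `key`/`iv` in struct Enc, set from `kex->we_need` in kex_derive_keys(), and a `memset()` of that many bytes both here and before the `xfree(enc->iv)`/`xfree(enc->key)` in the rekeying branch. The `/* todo: free old keys, reset compression/cipher-ctxt; */` comment is stale now that the branch below it frees them, and the `memset(cc, 0, sizeof(*cc))` discards whatever the old CipherContext held without involving the cipher code, which deserves a justifying comment. A plain memset before free can be optimised away, so the wipe should be documented as best-effort.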
@@ -622,22 +661,8 @@ log("outgoing seqnr wraps around"); buffer_clear(&outgoing_packet); - if (type == SSH2_MSG_NEWKEYS) { - if (kex==NULL || mac==NULL || enc==NULL || comp==NULL) - fatal("packet_send2: no KEX"); - if (mac->md != NULL) - mac->enabled = 1; - DBG(debug("cipher_init send_context")); - cipher_init(&send_context, enc->cipher, - enc->key, enc->cipher->key_len, - enc->iv, enc->cipher->block_size); - clear_enc_keys(enc, kex->we_need); - if (comp->type != 0 && comp->enabled == 0) { - comp->enabled = 1; - if (! packet_compression) - packet_start_compression(6); - } - } + if (type == SSH2_MSG_NEWKEYS) + set_newkeys(MODE_OUT); } void @@ -833,10 +858,10 @@ Mac *mac = NULL; Comp *comp = NULL; - if (kex != NULL) { - enc = &kex->enc[MODE_IN]; - mac = &kex->mac[MODE_IN]; - comp = &kex->comp[MODE_IN]; + if (newkeys[MODE_IN] != NULL) { + enc = &newkeys[MODE_IN]->enc; + mac = &newkeys[MODE_IN]->mac; + comp = &newkeys[MODE_IN]->comp; } maclen = mac && mac->enabled ? mac->mac_len : 0; block_size = enc ? enc->cipher->block_size : 8; @@ -930,22 +955,8 @@ /* extract packet type */ type = (u_char)buf[0]; - if (type == SSH2_MSG_NEWKEYS) { - if (kex==NULL || mac==NULL || enc==NULL || comp==NULL) - fatal("packet_read_poll2: no KEX"); - if (mac->md != NULL) - mac->enabled = 1; - DBG(debug("cipher_init receive_context")); - cipher_init(&receive_context, enc->cipher, - enc->key, enc->cipher->key_len, - enc->iv, enc->cipher->block_size); - clear_enc_keys(enc, kex->we_need); - if (comp->type != 0 && comp->enabled == 0) { - comp->enabled = 1; - if (! packet_compression) - packet_start_compression(6); - } - } + if (type == SSH2_MSG_NEWKEYS) + set_newkeys(MODE_IN); #ifdef PACKET_DEBUG fprintf(stderr, "read/plain[%d]:\r\n", type); 
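Review bot: In packet_read_poll2 the locals `enc`, `mac` and `comp` point into `newkeys[MODE_IN]`, and `set_newkeys(MODE_IN)` frees that object when rekeying, so any use of those pointers after the NEWKEYS branch is a use-after-free; the function continues past the hunk, so that tail needs to be checked. The same applies to packet_send2 in the first hunk, although there `set_newkeys(MODE_OUT)` appears to be the last statement before the closing brace. A comment on each call, `/* set_newkeys() frees the old Newkeys: enc/mac/comp are dangling from here on */`, would make the constraint explicit for future edits.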
@@ -1318,10 +1329,10 @@ /* * 9.2. Ignored Data Message - * + * * byte SSH_MSG_IGNORE * string data - * + * * All implementations MUST understand (and ignore) this message at any * time (after receiving the protocol version). No implementation is * required to send them. This message can be used as an additional @@ -1339,8 +1350,8 @@ have = buffer_len(&outgoing_packet); debug2("packet_inject_ignore: current %d", have); - if (kex != NULL) - enc = &kex->enc[MODE_OUT]; + if (newkeys[MODE_OUT] != NULL) + enc = &newkeys[MODE_OUT]->enc; blocksize = enc ? enc->cipher->block_size : 8; padlen = blocksize - (have % blocksize); if (padlen < 4) diff -ru openssh-2.5.2p2/packet.h openssh-2.9p1/packet.h --- openssh-2.5.2p2/packet.h 2001-03-05 17:28:07.000000000 +1100 +++ openssh-2.9p1/packet.h 2001-04-15 09:13:03.000000000 +1000 @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: packet.h,v 1.21 2001/02/28 21:27:47 markus Exp $"); */ +/* RCSID("$OpenBSD: packet.h,v 1.22 2001/04/14 16:33:20 stevesk Exp $"); */ #ifndef PACKET_H #define PACKET_H @@ -178,8 +178,8 @@ int packet_set_maxsize(int s); #define packet_get_maxsize() max_packet_size -/* Stores tty modes from the fd into current packet. */ -void tty_make_modes(int fd); +/* Stores tty modes from the fd or tiop into current packet. */ +void tty_make_modes(int fd, struct termios *tiop); /* Parses tty modes for the fd from the current packet. */ void tty_parse_modes(int fd, int *n_bytes_ptr); diff -ru openssh-2.5.2p2/pathnames.h openssh-2.9p1/pathnames.h --- openssh-2.5.2p2/pathnames.h 2001-02-27 14:42:48.000000000 +1100 +++ openssh-2.9p1/pathnames.h 2001-04-13 09:34:35.000000000 +1000 @@ -1,4 +1,4 @@ -/* $OpenBSD: pathnames.h,v 1.4 2001/02/08 22:28:07 stevesk Exp $ */ +/* $OpenBSD: pathnames.h,v 1.5 2001/04/12 19:15:24 markus Exp $ */ /* * Author: Tatu Ylonen 
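Review bot: The new tty_make_modes prototype in packet.h names `struct termios *tiop`, so every includer must have seen `<termios.h>` (or a tag declaration) before packet.h; otherwise the compiler declares a fresh `struct termios` with prototype scope and the definition in the .c file no longer matches that declaration. Whether includes.h already pulls in termios.h is not visible here; if it does not, add `struct termios;` above the prototype or include the header from packet.h.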
@@ -31,10 +31,11 @@ * Of these, ssh_host_key must be readable only by root, whereas ssh_config * should be world-readable. */ -#define _PATH_HOST_KEY_FILE ETCDIR "/ssh_host_key" #define _PATH_SERVER_CONFIG_FILE ETCDIR "/sshd_config" #define _PATH_HOST_CONFIG_FILE ETCDIR "/ssh_config" +#define _PATH_HOST_KEY_FILE ETCDIR "/ssh_host_key" #define _PATH_HOST_DSA_KEY_FILE ETCDIR "/ssh_host_dsa_key" +#define _PATH_HOST_RSA_KEY_FILE ETCDIR "/ssh_host_rsa_key" #define _PATH_DH_PRIMES ETCDIR "/primes" #ifndef _PATH_SSH_PROGRAM diff -ru openssh-2.5.2p2/readconf.c openssh-2.9p1/readconf.c --- openssh-2.5.2p2/readconf.c 2001-03-20 09:15:57.000000000 +1100 +++ openssh-2.9p1/readconf.c 2001-04-18 04:11:37.000000000 +1000 @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.68 2001/03/19 17:07:23 markus Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.76 2001/04/17 10:53:25 markus Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -110,7 +110,8 @@ oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, - oPreferredAuthentications + oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, + oHostKeyAlgorithms } OpCodes; /* Textual representations of the tokens. */ @@ -131,6 +132,8 @@ { "rsaauthentication", oRSAAuthentication }, { "pubkeyauthentication", oPubkeyAuthentication }, { "dsaauthentication", oPubkeyAuthentication }, /* alias */ + { "rhostsrsaauthentication", oRhostsRSAAuthentication }, + { "hostbasedauthentication", oHostbasedAuthentication }, { "challengeresponseauthentication", oChallengeResponseAuthentication }, { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ { "tisauthentication", oChallengeResponseAuthentication }, /* alias */ 
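Review bot: The comment above the new `_PATH_HOST_RSA_KEY_FILE` still says only `ssh_host_key must be readable only by root`, yet the block now lists three host key files and the DSA and RSA private keys need the same protection. Update it to `* Of these, the host key files (ssh_host_key, ssh_host_dsa_key, ssh_host_rsa_key)` / `* must be readable only by root, whereas ssh_config should be world-readable.` so the permission requirement is not read as applying to the protocol 1 key alone.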
@@ -158,7 +161,6 @@ { "user", oUser }, { "host", oHost }, { "escapechar", oEscapeChar }, - { "rhostsrsaauthentication", oRhostsRSAAuthentication }, { "globalknownhostsfile", oGlobalKnownHostsFile }, { "userknownhostsfile", oUserKnownHostsFile }, { "globalknownhostsfile2", oGlobalKnownHostsFile2 }, @@ -172,7 +174,9 @@ { "keepalive", oKeepAlives }, { "numberofpasswordprompts", oNumberOfPasswordPrompts }, { "loglevel", oLogLevel }, + { "dynamicforward", oDynamicForward }, { "preferredauthentications", oPreferredAuthentications }, + { "hostkeyalgorithms", oHostKeyAlgorithms }, { NULL, 0 } }; @@ -219,8 +223,7 @@ } /* - * Returns the number of the token pointed to by cp of length len. Never - * returns if the token is not known. + * Returns the number of the token pointed to by cp or oBadOption. */ static OpCodes @@ -232,8 +235,8 @@ if (strcasecmp(cp, keywords[i].name) == 0) return keywords[i].opcode; - fprintf(stderr, "%s: line %d: Bad configuration option: %s\n", - filename, linenum, cp); + error("%s: line %d: Bad configuration option: %s", + filename, linenum, cp); return oBadOption; } @@ -324,6 +327,10 @@ intptr = &options->rhosts_rsa_authentication; goto parse_flag; + case oHostbasedAuthentication: + intptr = &options->hostbased_authentication; + goto parse_flag; + case oChallengeResponseAuthentication: intptr = &options->challenge_reponse_authentication; goto parse_flag; @@ -522,6 +529,17 @@ options->macs = xstrdup(arg); break; + case oHostKeyAlgorithms: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", filename, linenum); + if (!key_names_valid2(arg)) + fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.", + filename, linenum, arg ? arg : ""); + if (*activep && options->hostkeyalgorithms == NULL) + options->hostkeyalgorithms = xstrdup(arg); + break; + case oProtocol: intptr = &options->protocol; arg = strdelim(&s); 
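Review bot: In the oHostKeyAlgorithms case, `arg ? arg : ""` in the second fatal() is dead code: `arg` was already rejected as NULL two lines earlier, so pass `filename, linenum, arg` directly. The `options->hostkeyalgorithms == NULL` guard presumably mirrors the first-match-wins handling of the Ciphers and Macs cases; a short comment such as `/* first matching Host block wins */` would document that intent next to the check.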
@@ -550,10 +568,10 @@ arg = strdelim(&s); if (!arg || *arg == '\0') fatal("%.200s line %d: Missing argument.", filename, linenum); - if (arg[0] < '0' || arg[0] > '9') + fwd_port = a2port(arg); + if (fwd_port == 0) fatal("%.200s line %d: Badly formatted port number.", filename, linenum); - fwd_port = atoi(arg); arg = strdelim(&s); if (!arg || *arg == '\0') fatal("%.200s line %d: Missing second argument.", @@ -569,10 +587,10 @@ arg = strdelim(&s); if (!arg || *arg == '\0') fatal("%.200s line %d: Missing argument.", filename, linenum); - if (arg[0] < '0' || arg[0] > '9') + fwd_port = a2port(arg); + if (fwd_port == 0) fatal("%.200s line %d: Badly formatted port number.", filename, linenum); - fwd_port = atoi(arg); arg = strdelim(&s); if (!arg || *arg == '\0') fatal("%.200s line %d: Missing second argument.", @@ -584,6 +602,18 @@ add_local_forward(options, fwd_port, buf, fwd_host_port); break; + case oDynamicForward: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing port argument.", + filename, linenum); + fwd_port = a2port(arg); + if (fwd_port == 0) + fatal("%.200s line %d: Badly formatted port number.", + filename, linenum); + add_local_forward(options, fwd_port, "socks4", 0); + break; + case oHost: *activep = 0; while ((arg = strdelim(&s)) != NULL && *arg != '\0') @@ -700,6 +730,7 @@ options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; options->rhosts_rsa_authentication = -1; + options->hostbased_authentication = -1; options->fallback_to_rsh = -1; options->use_rsh = -1; options->batch_mode = -1; @@ -714,6 +745,7 @@ options->cipher = -1; options->ciphers = NULL; options->macs = NULL; + options->hostkeyalgorithms = NULL; options->protocol = SSH_PROTO_UNKNOWN; options->num_identity_files = 0; options->hostname = NULL; 
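Review bot: The oDynamicForward case hands the string literal `"socks4"` to add_local_forward in the host slot with host port 0, which only works if the consumer of local forwards treats that value as a marker rather than resolving it as a hostname, and nothing in the hunk says so. Add `/* "socks4" is a marker for the channel code, not a hostname to resolve */` above the call, and make sure add_local_forward copies the string rather than storing the literal if host strings are ever freed. The enclosing function starts and ends outside the hunk.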
@@ -777,6 +809,8 @@ options->kbd_interactive_authentication = 1; if (options->rhosts_rsa_authentication == -1) options->rhosts_rsa_authentication = 1; + if (options->hostbased_authentication == -1) + options->hostbased_authentication = 0; if (options->fallback_to_rsh == -1) options->fallback_to_rsh = 0; if (options->use_rsh == -1) @@ -804,8 +838,9 @@ options->cipher = SSH_CIPHER_NOT_SET; /* options->ciphers, default set in myproposals.h */ /* options->macs, default set in myproposals.h */ + /* options->hostkeyalgorithms, default set in myproposals.h */ if (options->protocol == SSH_PROTO_UNKNOWN) - options->protocol = SSH_PROTO_1|SSH_PROTO_2|SSH_PROTO_1_PREFERRED; + options->protocol = SSH_PROTO_1|SSH_PROTO_2; if (options->num_identity_files == 0) { if (options->protocol & SSH_PROTO_1) { len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1; diff -ru openssh-2.5.2p2/readconf.h openssh-2.9p1/readconf.h --- openssh-2.5.2p2/readconf.h 2001-03-11 12:49:20.000000000 +1100 +++ openssh-2.9p1/readconf.h 2001-04-18 04:11:37.000000000 +1000 @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: readconf.h,v 1.28 2001/03/10 17:51:04 markus Exp $"); */ +/* RCSID("$OpenBSD: readconf.h,v 1.30 2001/04/17 10:53:25 markus Exp $"); */ #ifndef READCONF_H #define READCONF_H @@ -38,6 +38,7 @@ * authentication. */ int rsa_authentication; /* Try RSA authentication. */ int pubkey_authentication; /* Try ssh2 pubkey authentication. */ + int hostbased_authentication; /* ssh2's rhosts_rsa */ int challenge_reponse_authentication; /* Try S/Key or TIS, authentication. */ #ifdef KRB4 
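Review bot: Dropping `SSH_PROTO_1_PREFERRED` from the default `options->protocol` changes which protocol a client without a Protocol line attempts first (presumably protocol 2 now), and nothing on the line records that; add `/* no SSH_PROTO_1_PREFERRED: protocol 2 is attempted first by default */` on the assignment. The new `hostbased_authentication` default of 0 sits next to `rhosts_rsa_authentication` defaulting to 1, and the readconf.h comment on this line calls the new option "ssh2's rhosts_rsa"; if the differing default is intentional, a one-line comment will stop it being "harmonised" later.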
@@ -71,6 +72,7 @@ int cipher; /* Cipher to use. */ char *ciphers; /* SSH2 ciphers in order of preference. */ char *macs; /* SSH2 macs in order of preference. */ + char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */ int protocol; /* Protocol in order of preference. */ char *hostname; /* Real host to connect. */ char *host_key_alias; /* hostname alias for .ssh/known_hosts */ diff -ru openssh-2.5.2p2/readpass.c openssh-2.9p1/readpass.c --- openssh-2.5.2p2/readpass.c 2001-02-09 13:11:24.000000000 +1100 +++ openssh-2.9p1/readpass.c 2001-04-20 06:33:08.000000000 +1000 
@@ -32,11 +32,58 @@ */ #include "includes.h" -RCSID("$OpenBSD: readpass.c,v 1.14 2001/02/08 19:30:52 itojun Exp $"); +RCSID("$OpenBSD: readpass.c,v 1.15 2001/04/18 21:57:41 markus Exp $"); #include "xmalloc.h" #include "cli.h" #include "readpass.h" +#include "pathnames.h" +#include "log.h" +#include "atomicio.h" +#include "ssh.h" + +char * +ssh_askpass(char *askpass, char *msg) +{ + pid_t pid; + size_t len; + char *nl, *pass; + int p[2], status; + char buf[1024]; + + if (fflush(stdout) != 0) + error("ssh_askpass: fflush: %s", strerror(errno)); + if (askpass == NULL) + fatal("internal error: askpass undefined"); + if (pipe(p) < 0) + fatal("ssh_askpass: pipe: %s", strerror(errno)); + if ((pid = fork()) < 0) + fatal("ssh_askpass: fork: %s", strerror(errno)); + if (pid == 0) { + seteuid(getuid()); + setuid(getuid()); + close(p[0]); + if (dup2(p[1], STDOUT_FILENO) < 0) + fatal("ssh_askpass: dup2: %s", strerror(errno)); + execlp(askpass, askpass, msg, (char *) 0); + fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno)); + } + close(p[1]); + len = read(p[0], buf, sizeof buf); + close(p[0]); + while (waitpid(pid, &status, 0) < 0) + if (errno != EINTR) + break; + if (len <= 1) + return xstrdup(""); + nl = strchr(buf, '\n'); + if (nl) + *nl = '\0'; + pass = xstrdup(buf); + memset(buf, 0, sizeof(buf)); + return pass; +} + /* * Reads a passphrase from /dev/tty with echo turned off. Returns the 
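Review bot: In ssh_askpass, `len` is a size_t receiving the ssize_t result of read(), so a failed read (-1) passes the `len <= 1` test as a huge value and strchr/xstrdup then scan an uninitialized buffer; a response that fills all 1024 bytes is likewise never NUL-terminated before strchr, and a single read may return only part of what the askpass program wrote (atomicio.h is included but unused). The child ignores the return values of seteuid/setuid — if ssh is installed setuid and the drop fails, the program named by the caller's environment runs privileged — and calls fatal() after a failed exec, which runs the parent's cleanup handlers in the child. Read at most `sizeof buf - 1` bytes into a signed length, terminate explicitly, check the privilege drop, and leave the child with _exit(). The trailing `memset(buf, 0, sizeof(buf))` is good practice even though a compiler may elide it; that is a known limitation rather than something to change here.
```c
	ssize_t len;
	/* … unchanged: other locals, fflush, pipe, fork … */
	if (pid == 0) {
		/* drop privileges before exec: askpass comes from the environment */
		if (seteuid(getuid()) < 0 || setuid(getuid()) < 0)
			_exit(1);
		close(p[0]);
		if (dup2(p[1], STDOUT_FILENO) < 0)
			_exit(1);
		execlp(askpass, askpass, msg, (char *) 0);
		/* fatal() would run the parent's cleanup handlers in the child */
		fprintf(stderr, "ssh_askpass: exec(%s): %s\n", askpass, strerror(errno));
		_exit(1);
	}
	close(p[1]);
	/* collect the whole reply; leave one byte for the terminator */
	len = 0;
	while (len < (ssize_t)(sizeof buf - 1)) {
		ssize_t r = read(p[0], buf + len, sizeof buf - 1 - len);
		if (r < 0 && errno == EINTR)
			continue;
		if (r <= 0)
			break;
		len += r;
	}
	close(p[0]);
	/* … unchanged: waitpid loop … */
	if (len <= 1)
		return xstrdup("");
	buf[len] = '\0';	/* read() does not terminate the data */
	nl = strchr(buf, '\n');
```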
@@ -51,5 +98,27 @@ char * read_passphrase(const char *prompt, int from_stdin) { + char *askpass = NULL; + int use_askpass = 0, ttyfd; + + if (from_stdin) { + if (!isatty(STDIN_FILENO)) + use_askpass = 1; + } else { + ttyfd = open("/dev/tty", O_RDWR); + if (ttyfd >= 0) + close(ttyfd); + else + use_askpass = 1; + } + + if (use_askpass && getenv("DISPLAY")) { + if (getenv(SSH_ASKPASS_ENV)) + askpass = getenv(SSH_ASKPASS_ENV); + else + askpass = _PATH_SSH_ASKPASS_DEFAULT; + return ssh_askpass(askpass, prompt); + } + return cli_read_passphrase(prompt, from_stdin, 0); } diff -ru openssh-2.5.2p2/rsa.c openssh-2.9p1/rsa.c --- openssh-2.5.2p2/rsa.c 2001-02-06 05:16:28.000000000 +1100 +++ openssh-2.9p1/rsa.c 2001-03-29 10:29:55.000000000 +1000 @@ -60,7 +60,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: rsa.c,v 1.21 2001/02/04 15:32:24 stevesk Exp $"); +RCSID("$OpenBSD: rsa.c,v 1.22 2001/03/26 23:23:23 markus Exp $"); #include "rsa.h" #include "log.h" @@ -119,3 +119,23 @@ xfree(inbuf); return len; } + +void +generate_additional_parameters(RSA *rsa) +{ + BIGNUM *aux; + BN_CTX *ctx; + /* Generate additional parameters */ + aux = BN_new(); + ctx = BN_CTX_new(); + + BN_sub(aux, rsa->q, BN_value_one()); + BN_mod(rsa->dmq1, rsa->d, aux, ctx); + + BN_sub(aux, rsa->p, BN_value_one()); + BN_mod(rsa->dmp1, rsa->d, aux, ctx); + + BN_clear_free(aux); + BN_CTX_free(ctx); +} + diff -ru openssh-2.5.2p2/rsa.h openssh-2.9p1/rsa.h --- openssh-2.5.2p2/rsa.h 2001-01-30 09:27:26.000000000 +1100 +++ openssh-2.9p1/rsa.h 2001-03-29 10:29:55.000000000 +1000 @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: rsa.h,v 1.10 2001/01/29 19:47:30 markus Exp $"); */ +/* RCSID("$OpenBSD: rsa.h,v 1.11 2001/03/26 23:23:24 markus Exp $"); */ #ifndef RSA_H #define RSA_H 
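Review bot: In read_passphrase, `getenv(SSH_ASKPASS_ENV)` is evaluated twice and an empty value is accepted and later handed to execlp; fetch it once and fall back on empty: `if ((askpass = getenv(SSH_ASKPASS_ENV)) == NULL || *askpass == '\0') askpass = _PATH_SSH_ASKPASS_DEFAULT;`. Because the program to run is chosen from the caller's environment, a comment here that ssh_askpass's child drops to the real uid before exec would explain why this is acceptable in a possibly-setuid binary. The `open("/dev/tty", O_RDWR)` followed by an immediate close is a probe, which a comment such as `/* probe for a controlling tty; fall back to askpass if there is none */` would make obvious.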
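Review bot: generate_additional_parameters checks none of BN_new, BN_CTX_new, BN_sub or BN_mod, so an allocation failure dereferences NULL and an arithmetic failure leaves `dmp1`/`dmq1` stale — and RSA operations that use the CRT exponents then produce wrong output rather than an error. The comment `/* Generate additional parameters */` only repeats the function name; state what is computed, `/* CRT exponents: dmp1 = d mod (p-1), dmq1 = d mod (q-1) */`. rsa.c includes log.h, so fatal() is available for the failure path.
```c
void
generate_additional_parameters(RSA *rsa)
{
	BIGNUM *aux = NULL;
	BN_CTX *ctx = NULL;

	/* CRT exponents: dmp1 = d mod (p-1), dmq1 = d mod (q-1) */
	if ((aux = BN_new()) == NULL || (ctx = BN_CTX_new()) == NULL)
		fatal("generate_additional_parameters: BN_new/BN_CTX_new failed");
	if (BN_sub(aux, rsa->q, BN_value_one()) == 0 ||
	    BN_mod(rsa->dmq1, rsa->d, aux, ctx) == 0 ||
	    BN_sub(aux, rsa->p, BN_value_one()) == 0 ||
	    BN_mod(rsa->dmp1, rsa->d, aux, ctx) == 0)
		fatal("generate_additional_parameters: BN arithmetic failed");
	BN_clear_free(aux);
	BN_CTX_free(ctx);
}
```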
@@ -22,4 +22,6 @@ void rsa_public_encrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv)); int rsa_private_decrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv)); +void generate_additional_parameters __P((RSA *rsa)); + #endif /* RSA_H */ Only in openssh-2.9p1: scp-common.c Only in openssh-2.9p1: scp-common.h diff -ru openssh-2.5.2p2/scp.0 openssh-2.9p1/scp.0 --- openssh-2.5.2p2/scp.0 2001-03-22 16:07:07.000000000 +1100 +++ openssh-2.9p1/scp.0 2001-04-29 22:40:31.000000000 +1000 @@ -38,12 +38,12 @@ about their progress. This is helpful in debugging connection, authentication, and configuration problems. - -B Selects batch mode (prevents asking for passwords or passphras- + -B Selects batch mode (prevents asking for passwords or passphrasM-- es). -q Disables the progress meter. - -C Compression enable. Passes the -C flag to ssh(1) to enable com- + -C Compression enable. Passes the -C flag to ssh(1) to enable comM-- pression. -P port diff -ru openssh-2.5.2p2/scp.c openssh-2.9p1/scp.c --- openssh-2.5.2p2/scp.c 2001-03-19 14:09:40.000000000 +1100 +++ openssh-2.9p1/scp.c 2001-04-23 03:13:20.000000000 +1000 @@ -75,13 +75,14 @@ */ #include "includes.h" -RCSID("$OpenBSD: scp.c,v 1.61 2001/03/15 15:05:59 markus Exp $"); +RCSID("$OpenBSD: scp.c,v 1.68 2001/04/22 12:34:05 markus Exp $"); #include "xmalloc.h" #include "atomicio.h" #include "pathnames.h" #include "log.h" #include "misc.h" +#include "scp-common.h" #ifdef HAVE___PROGNAME extern char *__progname; @@ -114,7 +115,7 @@ static struct timeval start; /* Number of bytes of current file transferred so far. */ -volatile u_long statbytes; +volatile off_t statbytes; /* Total size of current file. */ off_t totalbytes = 0; @@ -202,10 +203,7 @@ char *buf; } BUF; -extern int iamremote; - BUF *allocbuf(BUF *, int, int); -char *colon(char *); void lostconn(int); void nospace(void); int okname(char *); 
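Review bot: `statbytes` becomes `volatile off_t`, and the `volatile` suggests it is read asynchronously (presumably by the progress-meter signal handler); off_t is commonly 64-bit and a 32-bit platform cannot update it atomically, so the reader may observe a torn value. Only sig_atomic_t carries that guarantee; since the value is only displayed this is cosmetic, but a comment such as `/* volatile: read from the progress meter; may be torn on 32-bit hosts */` should record the trade-off.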
@@ -220,13 +218,11 @@ #define CMDNEEDS 64 char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */ -int main(int, char *[]); int response(void); void rsource(char *, struct stat *); void sink(int, char *[]); void source(int, char *[]); void tolocal(int, char *[]); -char *cleanhostname(char *); void toremote(char *, int, char *[]); void usage(void); @@ -294,8 +290,10 @@ case 't': /* "to" */ iamremote = 1; tflag = 1; +#ifdef HAVE_CYGWIN + setmode(0, O_BINARY); +#endif break; - case '?': default: usage(); } @@ -346,17 +344,6 @@ exit(errs != 0); } -char * -cleanhostname(host) - char *host; -{ - if (*host == '[' && host[strlen(host) - 1] == ']') { - host[strlen(host) - 1] = '\0'; - return (host + 1); - } else - return host; -} - void toremote(targ, argc, argv) char *targ, *argv[]; @@ -501,13 +488,17 @@ struct stat stb; static BUF buffer; BUF *bp; - off_t i; - int amt, fd, haderr, indx, result; + off_t i, amt, result; + int fd, haderr, indx; char *last, *name, buf[2048]; + int len; for (indx = 0; indx < argc; ++indx) { name = argv[indx]; statbytes = 0; + len = strlen(name); + while (len > 1 && name[len-1] == '/') + name[--len] = '\0'; if ((fd = open(name, O_RDONLY, 0)) < 0) goto syserr; if (fstat(fd, &stb) < 0) { @@ -640,7 +631,7 @@ closedir(dirp); return; } - while ((dp = readdir(dirp))) { + while ((dp = readdir(dirp)) != NULL) { if (dp->d_ino == 0) continue; if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, "..")) @@ -674,9 +665,10 @@ off_t size; int setimes, targisdir, wrerrno = 0; char ch, *cp, *np, *targ, *why, *vect[1], buf[2048]; - int dummy_usec; struct timeval tv[2]; +#define atime tv[0] +#define mtime tv[1] #define SCREWUP(str) { why = str; goto screwup; } setimes = targisdir = 0; 
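Review bot: `#define atime tv[0]` and `#define mtime tv[1]` are introduced inside sink(), but a macro has no block scope, so any later function in the file that uses `atime` or `mtime` as a plain identifier is silently rewritten; `#undef` both next to wherever SCREWUP is undefined at the end of sink (outside the hunk), or use two named `struct timeval` locals instead. In source(), `int len = strlen(name)` narrows size_t to int; `size_t len` avoids the conversion and keeps the trailing-slash loop correct for any length.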
@@ -723,25 +715,21 @@ if (ch == '\n') *--cp = 0; -#define getnum(t) (t) = 0; \ - while (*cp >= '0' && *cp <= '9') (t) = (t) * 10 + (*cp++ - '0'); cp = buf; if (*cp == 'T') { setimes++; cp++; - getnum(tv[1].tv_sec); - if (*cp++ != ' ') + mtime.tv_sec = strtol(cp, &cp, 10); + if (!cp || *cp++ != ' ') SCREWUP("mtime.sec not delimited"); - getnum(dummy_usec); - tv[1].tv_usec = 0; - if (*cp++ != ' ') + mtime.tv_usec = strtol(cp, &cp, 10); + if (!cp || *cp++ != ' ') SCREWUP("mtime.usec not delimited"); - getnum(tv[0].tv_sec); - if (*cp++ != ' ') + atime.tv_sec = strtol(cp, &cp, 10); + if (!cp || *cp++ != ' ') SCREWUP("atime.sec not delimited"); - getnum(dummy_usec); - tv[0].tv_usec = 0; - if (*cp++ != '\0') + atime.tv_usec = strtol(cp, &cp, 10); + if (!cp || *cp++ != '\0') SCREWUP("atime.usec not delimited"); (void) atomicio(write, remout, "", 1); continue; @@ -769,7 +757,7 @@ if (*cp++ != ' ') SCREWUP("mode not delimited"); - for (size = 0; *cp >= '0' && *cp <= '9';) + for (size = 0; isdigit(*cp);) size = size * 10 + (*cp++ - '0'); if (*cp++ != ' ') SCREWUP("size not delimited"); @@ -852,7 +840,7 @@ continue; } else if (j <= 0) { run_err("%s", j ? strerror(errno) : - "dropped connection"); + "dropped connection"); exit(1); } amt -= j; @@ -893,7 +881,7 @@ if (chmod(np, omode)) #endif /* HAVE_FCHMOD */ run_err("%s: set mode: %s", - np, strerror(errno)); + np, strerror(errno)); } else { if (!exists && omode != mode) #ifdef HAVE_FCHMOD @@ -902,7 +890,7 @@ if (chmod(np, omode & ~mask)) #endif /* HAVE_FCHMOD */ run_err("%s: set mode: %s", - np, strerror(errno)); + np, strerror(errno)); } if (close(ofd) == -1) { wrerr = YES; @@ -913,7 +901,7 @@ setimes = 0; if (utimes(np, tv) < 0) { run_err("%s: set times: %s", - np, strerror(errno)); + np, strerror(errno)); wrerr = DISPLAYED; } } 
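Review bot: `strtol(cp, &cp, 10)` accepts leading whitespace and a sign and silently clamps on overflow, so the rewritten T-line parser in sink() now accepts a negative or LONG_MAX-sized timestamp from the peer where the old digit-only getnum macro did not, and the new `if (!cp || ...)` test is dead because strtol never sets the end pointer to NULL. Reject a leading non-digit before each call, `if (!isdigit((unsigned char)*cp)) SCREWUP("bad number")`, and check errno for ERANGE before the value reaches utimes. In the size loop, `isdigit(*cp)` receives a plain char; cast to `(unsigned char)` since a negative char is undefined for the ctype functions. That `size = size * 10 + ...` accumulation is also unbounded and overflows off_t on a long digit string sent by the remote side.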
@@ -970,8 +958,8 @@ usage() { (void) fprintf(stderr, "usage: scp " - "[-pqrvC46] [-S ssh] [-P port] [-c cipher] [-i identity] f1 f2; or:\n" - " scp [options] f1 ... fn directory\n"); + "[-pqrvBC46] [-S ssh] [-P port] [-c cipher] [-i identity] f1 f2\n" + " or: scp [options] f1 ... fn directory\n"); exit(1); } @@ -1000,30 +988,6 @@ } } -char * -colon(cp) - char *cp; -{ - int flag = 0; - - if (*cp == ':') /* Leading colon is part of file name. */ - return (0); - if (*cp == '[') - flag = 1; - - for (; *cp; ++cp) { - if (*cp == '@' && *(cp+1) == '[') - flag = 1; - if (*cp == ']' && *(cp+1) == ':' && flag) - return (cp+1); - if (*cp == ':' && !flag) - return (cp); - if (*cp == '/') - return (0); - } - return (0); -} - void verifydir(cp) char *cp; diff -ru openssh-2.5.2p2/servconf.c openssh-2.9p1/servconf.c --- openssh-2.5.2p2/servconf.c 2001-03-06 12:02:41.000000000 +1100 +++ openssh-2.9p1/servconf.c 2001-04-25 22:44:15.000000000 +1000 @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.71 2001/03/05 15:44:51 stevesk Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.78 2001/04/15 21:28:35 stevesk Exp $"); #ifdef KRB4 #include @@ -31,8 +31,8 @@ #include "kex.h" #include "mac.h" -/* add listen address */ -void add_listen_addr(ServerOptions *options, char *addr); +void add_listen_addr(ServerOptions *options, char *addr, u_short port); +void add_one_listen_addr(ServerOptions *options, char *addr, u_short port); /* AF_UNSPEC or AF_INET or AF_INET6 */ extern int IPv4or6; @@ -55,6 +55,7 @@ options->ignore_rhosts = -1; options->ignore_user_known_hosts = -1; options->print_motd = -1; + options->print_lastlog = -1; options->check_mail = -1; options->x11_forwarding = -1; options->x11_display_offset = -1; 
@@ -65,6 +66,8 @@ options->log_level = (LogLevel) - 1; options->rhosts_authentication = -1; options->rhosts_rsa_authentication = -1; + options->hostbased_authentication = -1; + options->hostbased_uses_name_from_packet_only = -1; options->rsa_authentication = -1; options->pubkey_authentication = -1; #ifdef KRB4 @@ -96,6 +99,9 @@ options->max_startups = -1; options->banner = NULL; options->reverse_mapping_check = -1; + options->client_alive_interval = -1; + options->client_alive_count_max = -1; + options->pam_authentication_via_kbd_int = -1; } void @@ -113,7 +119,7 @@ if (options->num_ports == 0) options->ports[options->num_ports++] = SSH_DEFAULT_PORT; if (options->listen_addrs == NULL) - add_listen_addr(options, NULL); + add_listen_addr(options, NULL, 0); if (options->pid_file == NULL) options->pid_file = _PATH_SSH_DAEMON_PID_FILE; if (options->server_key_bits == -1) @@ -132,6 +138,8 @@ options->check_mail = 0; if (options->print_motd == -1) options->print_motd = 1; + if (options->print_lastlog == -1) + options->print_lastlog = 1; if (options->x11_forwarding == -1) options->x11_forwarding = 0; if (options->x11_display_offset == -1) @@ -152,6 +160,10 @@ options->rhosts_authentication = 0; if (options->rhosts_rsa_authentication == -1) options->rhosts_rsa_authentication = 0; + if (options->hostbased_authentication == -1) + options->hostbased_authentication = 0; + if (options->hostbased_uses_name_from_packet_only == -1) + options->hostbased_uses_name_from_packet_only = 0; if (options->rsa_authentication == -1) options->rsa_authentication = 1; if (options->pubkey_authentication == -1) 
@@ -192,6 +204,12 @@ options->max_startups_begin = options->max_startups; if (options->reverse_mapping_check == -1) options->reverse_mapping_check = 0; + if (options->client_alive_interval == -1) + options->client_alive_interval = 0; + if (options->client_alive_count_max == -1) + options->client_alive_count_max = 3; + if (options->pam_authentication_via_kbd_int == -1) + options->pam_authentication_via_kbd_int = 0; } /* Keyword tokens. */ @@ -208,13 +226,16 @@ #endif sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, - sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, + sPrintMotd, sPrintLastLog, sIgnoreRhosts, + sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sKeepAlives, sCheckMail, sUseLogin, sAllowTcpForwarding, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, - sBanner, sReverseMappingCheck + sBanner, sReverseMappingCheck, sHostbasedAuthentication, + sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, + sClientAliveCountMax, sPAMAuthenticationViaKbdInt } ServerOpCodes; /* Textual representation of the tokens. */ @@ -234,6 +255,8 @@ { "loglevel", sLogLevel }, { "rhostsauthentication", sRhostsAuthentication }, { "rhostsrsaauthentication", sRhostsRSAAuthentication }, + { "hostbasedauthentication", sHostbasedAuthentication }, + { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly }, { "rsaauthentication", sRSAAuthentication }, { "pubkeyauthentication", sPubkeyAuthentication }, { "dsaauthentication", sPubkeyAuthentication }, /* alias */ @@ -253,6 +276,7 @@ { "checkmail", sCheckMail }, { "listenaddress", sListenAddress }, { "printmotd", sPrintMotd }, + { "printlastlog", sPrintLastLog }, { "ignorerhosts", sIgnoreRhosts }, { "ignoreuserknownhosts", sIgnoreUserKnownHosts }, { "x11forwarding", sX11Forwarding }, 
@@ -275,12 +299,14 @@ { "maxstartups", sMaxStartups }, { "banner", sBanner }, { "reversemappingcheck", sReverseMappingCheck }, + { "clientaliveinterval", sClientAliveInterval }, + { "clientalivecountmax", sClientAliveCountMax }, + { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt }, { NULL, 0 } }; /* - * Returns the number of the token pointed to by cp of length len. Never - * returns if the token is not known. + * Returns the number of the token pointed to by cp or sBadOption. */ static ServerOpCodes 
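Review bot: `{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt }` is the only entry in the keyword table not written in lower case; lookup uses strcasecmp so it still matches, but for consistency with every other row write `{ "pamauthenticationviakbdint", sPAMAuthenticationViaKbdInt }`.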
@@ -293,39 +319,45 @@ if (strcasecmp(cp, keywords[i].name) == 0) return keywords[i].opcode; - fprintf(stderr, "%s: line %d: Bad configuration option: %s\n", - filename, linenum, cp); + error("%s: line %d: Bad configuration option: %s", + filename, linenum, cp); return sBadOption; } -/* - * add listen address - */ void -add_listen_addr(ServerOptions *options, char *addr) +add_listen_addr(ServerOptions *options, char *addr, u_short port) { - struct addrinfo hints, *ai, *aitop; - char strport[NI_MAXSERV]; - int gaierr; int i; if (options->num_ports == 0) options->ports[options->num_ports++] = SSH_DEFAULT_PORT; - for (i = 0; i < options->num_ports; i++) { - memset(&hints, 0, sizeof(hints)); - hints.ai_family = IPv4or6; - hints.ai_socktype = SOCK_STREAM; - hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; - snprintf(strport, sizeof strport, "%d", options->ports[i]); - if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) - fatal("bad addr or host: %s (%s)", - addr ? addr : "", - gai_strerror(gaierr)); - for (ai = aitop; ai->ai_next; ai = ai->ai_next) - ; - ai->ai_next = options->listen_addrs; - options->listen_addrs = aitop; - } + if (port == 0) + for (i = 0; i < options->num_ports; i++) + add_one_listen_addr(options, addr, options->ports[i]); + else + add_one_listen_addr(options, addr, port); +} + +void +add_one_listen_addr(ServerOptions *options, char *addr, u_short port) +{ + struct addrinfo hints, *ai, *aitop; + char strport[NI_MAXSERV]; + int gaierr; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = IPv4or6; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; + snprintf(strport, sizeof strport, "%d", port); + if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) + fatal("bad addr or host: %s (%s)", + addr ? 
addr : "", + gai_strerror(gaierr)); + for (ai = aitop; ai->ai_next; ai = ai->ai_next) + ; + ai->ai_next = options->listen_addrs; + options->listen_addrs = aitop; } /* Reads the server configuration file. */ @@ -335,7 +367,7 @@ { FILE *f; char line[1024]; - char *cp, **charptr, *arg; + char *cp, **charptr, *arg, *p; int linenum, *intptr, value; int bad_options = 0; ServerOpCodes opcode; @@ -377,18 +409,19 @@ if (!arg || *arg == '\0') fatal("%s line %d: missing port number.", filename, linenum); - options->ports[options->num_ports++] = atoi(arg); + options->ports[options->num_ports++] = a2port(arg); + if (options->ports[options->num_ports-1] == 0) + fatal("%s line %d: Badly formatted port number.", + filename, linenum); break; case sServerKeyBits: intptr = &options->server_key_bits; parse_int: arg = strdelim(&cp); - if (!arg || *arg == '\0') { - fprintf(stderr, "%s line %d: missing integer value.\n", - filename, linenum); - exit(1); - } + if (!arg || *arg == '\0') + fatal("%s line %d: missing integer value.", + filename, linenum); value = atoi(arg); if (*intptr == -1) *intptr = value; 
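Review bot: The Port case now validates with a2port, but the `parse_int` label directly below still does `value = atoi(arg)`, which turns `ServerKeyBits foo` into 0 and accepts trailing garbage without complaint; the ClientAliveInterval and ClientAliveCountMax cases added in a later hunk route through the same label. Replace it with strtol plus an end-pointer and range check before assigning to the int, for example `errno = 0; value = strtol(arg, &p, 10); if (*arg == '\0' || *p != '\0' || errno == ERANGE) fatal("%s line %d: bad integer value.", filename, linenum);` — `p` is already declared in the preceding hunk on this line. The enclosing function continues past the hunk.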
@@ -404,28 +437,52 @@ case sListenAddress: arg = strdelim(&cp); - if (!arg || *arg == '\0') + if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0) fatal("%s line %d: missing inet addr.", filename, linenum); - add_listen_addr(options, arg); + if (*arg == '[') { + if ((p = strchr(arg, ']')) == NULL) + fatal("%s line %d: bad ipv6 inet addr usage.", + filename, linenum); + arg++; + memmove(p, p+1, strlen(p+1)+1); + } else if (((p = strchr(arg, ':')) == NULL) || + (strchr(p+1, ':') != NULL)) { + add_listen_addr(options, arg, 0); + break; + } + if (*p == ':') { + u_short port; + + p++; + if (*p == '\0') + fatal("%s line %d: bad inet addr:port usage.", + filename, linenum); + else { + *(p-1) = '\0'; + if ((port = a2port(p)) == 0) + fatal("%s line %d: bad port number.", + filename, linenum); + add_listen_addr(options, arg, port); + } + } else if (*p == '\0') + add_listen_addr(options, arg, 0); + else + fatal("%s line %d: bad inet addr usage.", + filename, linenum); break; case sHostKeyFile: intptr = &options->num_host_key_files; - if (*intptr >= MAX_HOSTKEYS) { - fprintf(stderr, - "%s line %d: too many host keys specified (max %d).\n", + if (*intptr >= MAX_HOSTKEYS) + fatal("%s line %d: too many host keys specified (max %d).", filename, linenum, MAX_HOSTKEYS); - exit(1); - } charptr = &options->host_key_files[*intptr]; parse_filename: arg = strdelim(&cp); - if (!arg || *arg == '\0') { - fprintf(stderr, "%s line %d: missing file name.\n", + if (!arg || *arg == '\0') + fatal("%s line %d: missing file name.", filename, linenum); - exit(1); - } if (*charptr == NULL) { *charptr = tilde_expand_filename(arg, getuid()); /* increase optional counter */ 
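Review bot: The sListenAddress branch accepts five spellings — `host`, `host:port`, an unbracketed IPv6 address, `[addr]` and `[addr]:port` — but the if/else ladder does not say so, and the `memmove(p, p+1, ...)` that deletes the closing `]` is opaque on first read. A comment above `if (*arg == '[')`, such as `/* forms: host | host:port | v6addr | [v6addr] | [v6addr]:port; an unbracketed string with two or more ':' is a bare v6 address */`, would make the branch self-explaining. The parser itself looks consistent: `[]` is rejected up front and `[addr]:` with nothing after the colon reaches the addr:port fatal.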
@@ -441,12 +498,11 @@ case sPermitRootLogin: intptr = &options->permit_root_login; arg = strdelim(&cp); - if (!arg || *arg == '\0') { - fprintf(stderr, "%s line %d: missing yes/" + if (!arg || *arg == '\0') + fatal("%s line %d: missing yes/" "without-password/forced-commands-only/no " - "argument.\n", filename, linenum); - exit(1); - } + "argument.", filename, linenum); + value = 0; /* silence compiler */ if (strcmp(arg, "without-password") == 0) value = PERMIT_NO_PASSWD; else if (strcmp(arg, "forced-commands-only") == 0) @@ -455,12 +511,10 @@ value = PERMIT_YES; else if (strcmp(arg, "no") == 0) value = PERMIT_NO; - else { - fprintf(stderr, "%s line %d: Bad yes/" + else + fatal("%s line %d: Bad yes/" "without-password/forced-commands-only/no " - "argument: %s\n", filename, linenum, arg); - exit(1); - } + "argument: %s", filename, linenum, arg); if (*intptr == -1) *intptr = value; break; @@ -469,20 +523,17 @@ intptr = &options->ignore_rhosts; parse_flag: arg = strdelim(&cp); - if (!arg || *arg == '\0') { - fprintf(stderr, "%s line %d: missing yes/no argument.\n", - filename, linenum); - exit(1); - } + if (!arg || *arg == '\0') + fatal("%s line %d: missing yes/no argument.", + filename, linenum); + value = 0; /* silence compiler */ if (strcmp(arg, "yes") == 0) value = 1; else if (strcmp(arg, "no") == 0) value = 0; - else { - fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n", + else + fatal("%s line %d: Bad yes/no argument: %s", filename, linenum, arg); - exit(1); - } if (*intptr == -1) *intptr = value; break; @@ -499,6 +550,14 @@ intptr = &options->rhosts_rsa_authentication; goto parse_flag; + case sHostbasedAuthentication: + intptr = &options->hostbased_authentication; + goto parse_flag; + + case sHostbasedUsesNameFromPacketOnly: + intptr = &options->hostbased_uses_name_from_packet_only; + goto parse_flag; + case sRSAAuthentication: intptr = &options->rsa_authentication; goto parse_flag; 
@@ -551,6 +610,10 @@ intptr = &options->print_motd; goto parse_flag; + case sPrintLastLog: + intptr = &options->print_lastlog; + goto parse_flag; + case sX11Forwarding: intptr = &options->x11_forwarding; goto parse_flag; @@ -729,23 +792,26 @@ case sBanner: charptr = &options->banner; goto parse_filename; + case sClientAliveInterval: + intptr = &options->client_alive_interval; + goto parse_int; + case sClientAliveCountMax: + intptr = &options->client_alive_count_max; + goto parse_int; + case sPAMAuthenticationViaKbdInt: + intptr = &options->pam_authentication_via_kbd_int; + goto parse_flag; default: - fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n", - filename, linenum, arg, opcode); - exit(1); - } - if ((arg = strdelim(&cp)) != NULL && *arg != '\0') { - fprintf(stderr, - "%s line %d: garbage at end of line; \"%.200s\".\n", - filename, linenum, arg); - exit(1); + fatal("%s line %d: Missing handler for opcode %s (%d)", + filename, linenum, arg, opcode); } + if ((arg = strdelim(&cp)) != NULL && *arg != '\0') + fatal("%s line %d: garbage at end of line; \"%.200s\".", + filename, linenum, arg); } fclose(f); - if (bad_options > 0) { - fprintf(stderr, "%s: terminating, %d bad configuration options\n", - filename, bad_options); - exit(1); - } + if (bad_options > 0) + fatal("%s: terminating, %d bad configuration options", + filename, bad_options); } diff -ru openssh-2.5.2p2/servconf.h openssh-2.9p1/servconf.h --- openssh-2.5.2p2/servconf.h 2001-02-15 14:08:27.000000000 +1100 +++ openssh-2.9p1/servconf.h 2001-04-25 22:44:16.000000000 +1000 @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: servconf.h,v 1.38 2001/02/12 16:16:23 markus Exp $"); */ +/* RCSID("$OpenBSD: servconf.h,v 1.41 2001/04/13 22:46:53 beck Exp $"); */ #ifndef SERVCONF_H #define SERVCONF_H 
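Review bot: `sClientAliveInterval` and `sClientAliveCountMax` go through the generic `parse_int` path, which as far as is visible applies no range check, so a negative ClientAliveInterval is accepted; serverloop.c in this same diff treats any non-zero interval as enabled and multiplies it by 1000 into an `int`, so a negative value yields a negative select timeout. A dedicated check after parsing, e.g. `if (options->client_alive_interval < 0) fatal("%s line %d: ClientAliveInterval must be non-negative.", filename, linenum);`, would reject that at config load rather than at runtime. `parse_int` and the enclosing function are outside this hunk, so the absence of a range check is inferred from the visible `goto parse_int` only.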
@@ -51,6 +51,7 @@ int ignore_user_known_hosts; /* Ignore ~/.ssh/known_hosts * for RhostsRsaAuth */ int print_motd; /* If true, print /etc/motd. */ + int print_lastlog; /* If true, print lastlog */ int check_mail; /* If true, check for new mail. */ int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */ int x11_display_offset; /* What DISPLAY number to start @@ -68,6 +69,8 @@ * authentication. */ int rhosts_rsa_authentication; /* If true, permit rhosts RSA * authentication. */ + int hostbased_authentication; /* If true, permit ssh2 hostbased auth */ + int hostbased_uses_name_from_packet_only; /* experimental */ int rsa_authentication; /* If true, permit RSA authentication. */ int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */ #ifdef KRB4 @@ -112,7 +115,16 @@ int max_startups; char *banner; /* SSH-2 banner message */ int reverse_mapping_check; /* cross-check ip and dns */ - + int client_alive_interval; /* + * poke the client this often to + * see if it's still there + */ + int client_alive_count_max; /* + *If the client is unresponsive + * for this many intervals, above + * diconnect the session + */ + int pam_authentication_via_kbd_int; } ServerOptions; /* * Initializes the server options to special values that indicate that they diff -ru openssh-2.5.2p2/serverloop.c openssh-2.9p1/serverloop.c --- openssh-2.5.2p2/serverloop.c 2001-03-17 11:47:55.000000000 +1100 +++ openssh-2.9p1/serverloop.c 2001-04-14 09:28:03.000000000 +1000 @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: serverloop.c,v 1.55 2001/03/16 19:06:29 markus Exp $"); +RCSID("$OpenBSD: serverloop.c,v 1.61 2001/04/13 22:46:54 beck Exp $"); #include "xmalloc.h" #include "packet.h" 
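Review bot: `pam_authentication_via_kbd_int` is the only new ServerOptions field without a trailing comment, while its neighbours document their meaning; following the ChangeLog entry for this release, `int pam_authentication_via_kbd_int; /* If true, do PAM auth via keyboard-interactive (PAMAuthenticationViaKbdInt) */` would match the existing style. The `client_alive_count_max` comment also has a typo, `diconnect` → `disconnect`, and reads more clearly as `/* disconnect the session after this many unanswered keepalive intervals */`, which is what serverloop.c does with it.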
@@ -53,9 +53,13 @@ #include "auth-options.h" #include "serverloop.h" #include "misc.h" +#include "kex.h" extern ServerOptions options; +/* XXX */ +extern Kex *xxx_kex; + static Buffer stdin_buffer; /* Buffer for stdin data. */ static Buffer stdout_buffer; /* Buffer for stdout data. */ static Buffer stderr_buffer; /* Buffer for stderr data. */ @@ -73,7 +77,8 @@ static int fdin_is_tty = 0; /* fdin points to a tty. */ static int connection_in; /* Connection to client (input). */ static int connection_out; /* Connection to client (output). */ -static u_int buffer_high;/* "Soft" max buffer size. */ +static int connection_closed = 0; /* Connection to client closed. */ +static u_int buffer_high; /* "Soft" max buffer size. */ /* * This SIGCHLD kludge is used to detect when the child exits. The server @@ -86,6 +91,8 @@ void server_init_dispatch(void); +int client_alive_timeouts = 0; + void sigchld_handler(int sig) { @@ -185,12 +192,27 @@ { struct timeval tv, *tvp; int ret; + int client_alive_scheduled = 0; + + /* + * if using client_alive, set the max timeout accordingly, + * and indicate that this particular timeout was for client + * alive by setting the client_alive_scheduled flag. + * + * this could be randomized somewhat to make traffic + * analysis more difficult, but we're not doing it yet. + */ + if (max_time_milliseconds == 0 && options.client_alive_interval) { + client_alive_scheduled = 1; + max_time_milliseconds = options.client_alive_interval * 1000; + } else + client_alive_scheduled = 0; /* When select fails we restart from here. */ retry_select: /* Allocate and update select() masks for channel descriptors. */ - channel_prepare_select(readsetp, writesetp, maxfdp); + channel_prepare_select(readsetp, writesetp, maxfdp, 0); if (compat20) { /* wrong: bad condition XXX */ 
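Review bot: `int client_alive_timeouts = 0;` is defined with external linkage although every use in this diff is inside serverloop.c (incremented on timeout, reset in `server_input_channel_failure`), so it should be `static int client_alive_timeouts = 0;` like the other file-scope state declared just above it. In the same file, `max_time_milliseconds = options.client_alive_interval * 1000;` is an `int` multiplication that overflows for a configured interval above roughly 2.1 million seconds; since the value comes straight from sshd_config, validating it at parse time or computing in a wider type avoids undefined behaviour. The `/* XXX */` on `extern Kex *xxx_kex;` would be more useful if it said what the export is for, e.g. `/* XXX: shared key-exchange state; used here for rekeying and packet dispatch */`. wait_until_can_do_something begins before the last hunk here and continues past it.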
@@ -234,7 +256,7 @@ * from it, then read as much as is available and exit. */ if (child_terminated && packet_not_very_much_data_to_write()) - if (max_time_milliseconds == 0) + if (max_time_milliseconds == 0 || client_alive_scheduled) max_time_milliseconds = 100; if (max_time_milliseconds == 0) @@ -250,12 +272,36 @@ /* Wait for something to happen, or the timeout to expire. */ ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp); - if (ret < 0) { + if (ret == -1) { if (errno != EINTR) error("select: %.100s", strerror(errno)); else goto retry_select; } + if (ret == 0 && client_alive_scheduled) { + /* timeout, check to see how many we have had */ + client_alive_timeouts++; + + if (client_alive_timeouts > options.client_alive_count_max ) { + packet_disconnect( + "Timeout, your session not responding."); + } else { + /* + * send a bogus channel request with "wantreply" + * we should get back a failure + */ + int id; + + id = channel_find_open(); + if (id != -1) { + channel_request_start(id, + "keepalive@openssh.com", 1); + packet_send(); + } else + packet_disconnect( + "No open channels after timeout!"); + } + } } /* @@ -273,6 +319,9 @@ len = read(connection_in, buf, sizeof(buf)); if (len == 0) { verbose("Connection closed by remote host."); + connection_closed = 1; + if (compat20) + return; fatal_cleanup(); } else if (len < 0) { if (errno != EINTR && errno != EAGAIN) { @@ -391,7 +440,7 @@ void process_buffered_input_packets(void) { - dispatch_run(DISPATCH_NONBLOCK, NULL, NULL); + dispatch_run(DISPATCH_NONBLOCK, NULL, compat20 ? xxx_kex : NULL); } /* @@ -420,7 +469,6 @@ child_pid = pid; child_terminated = 0; signal(SIGCHLD, sigchld_handler); - signal(SIGPIPE, SIG_IGN); /* Initialize our global variables. */ fdin = fdin_arg; 
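Review bot: A timeout shortened to 100 ms for the `child_terminated` case is still counted as a missed client-alive interval, because `client_alive_scheduled` stays set when the new `|| client_alive_scheduled` branch overrides `max_time_milliseconds`, so `ret == 0` after that short wait increments `client_alive_timeouts` and sends a keepalive although the configured interval has not elapsed. Clearing the flag where the timeout is shortened, `max_time_milliseconds = 100; client_alive_scheduled = 0;`, keeps the counter tied to real intervals. Separately, `channel_find_open() == -1` disconnects an authenticated client on the first timeout if it has not opened a channel yet; if that is intended it deserves a comment, e.g. `/* no channel to probe: an idle, channel-less session is treated as dead */`. wait_until_can_do_something begins before these hunks.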
@@ -647,15 +695,12 @@ server_loop2(void) { fd_set *readset = NULL, *writeset = NULL; - int max_fd; - int had_channel = 0; - int status; + int rekeying = 0, max_fd, status; pid_t pid; debug("Entering interactive session for SSH2."); mysignal(SIGCHLD, sigchld_handler2); - signal(SIGPIPE, SIG_IGN); child_terminated = 0; connection_in = packet_get_connection_in(); connection_out = packet_get_connection_out(); @@ -666,22 +711,23 @@ for (;;) { process_buffered_input_packets(); - if (!had_channel && channel_still_open()) - had_channel = 1; - if (had_channel && !channel_still_open()) { - debug("!channel_still_open."); - break; - } - if (packet_not_very_much_data_to_write()) + + rekeying = (xxx_kex != NULL && !xxx_kex->done); + + if (!rekeying && packet_not_very_much_data_to_write()) channel_output_poll(); - wait_until_can_do_something(&readset, &writeset, &max_fd, 0); + wait_until_can_do_something(&readset, &writeset, &max_fd, + rekeying); if (child_terminated) { while ((pid = waitpid(-1, &status, WNOHANG)) > 0) session_close_by_pid(pid, status); child_terminated = 0; } - channel_after_select(readset, writeset); + if (!rekeying) + channel_after_select(readset, writeset); process_input(readset); + if (connection_closed) + break; process_output(writeset); } if (readset) @@ -696,6 +742,19 @@ } void +server_input_channel_failure(int type, int plen, void *ctxt) +{ + debug("Got CHANNEL_FAILURE for keepalive"); + /* + * reset timeout, since we got a sane answer from the client. + * even if this was generated by something other than + * the bogus CHANNEL_REQUEST we send for keepalives. + */ + client_alive_timeouts = 0; +} + + +void server_input_stdin_data(int type, int plen, void *ctxt) { char *data; 
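Review bot: `server_input_channel_failure` neither reads nor validates the packet it is dispatched for: a message that carries a recipient channel id would normally fetch it with `packet_get_int()` and finish with `packet_done()`, whereas here any CHANNEL_FAILURE, including one naming a channel this server never opened or one with trailing garbage, resets the keepalive counter unchecked. The comment says the reset on any such message is intentional, but consuming the id and calling `packet_done()` would reject malformed input and keep the handler consistent with the other `server_input_*` handlers. The `rekeying = (xxx_kex != NULL && !xxx_kex->done);` guard in server_loop2 would also benefit from a one-line comment such as `/* during a rekey only packet-layer traffic is processed; channel I/O waits */`. server_loop2 begins before this hunk.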
@@ -907,6 +966,10 @@ dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &channel_input_channel_request); dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust); dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &server_input_global_request); + /* client_alive */ + dispatch_set(SSH2_MSG_CHANNEL_FAILURE, &server_input_channel_failure); + /* rekeying */ + dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit); } void server_init_dispatch_13(void) @@ -941,3 +1004,4 @@ else server_init_dispatch_15(); } + diff -ru openssh-2.5.2p2/session.c openssh-2.9p1/session.c --- openssh-2.5.2p2/session.c 2001-03-22 11:58:27.000000000 +1100 +++ openssh-2.9p1/session.c 2001-04-19 01:29:34.000000000 +1000 @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.61 2001/03/16 19:06:30 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.74 2001/04/17 19:34:25 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -100,7 +100,6 @@ struct Session { int used; int self; - int extended; struct passwd *pw; pid_t pid; /* tty */ @@ -116,6 +115,7 @@ int single_connection; /* proto 2 */ int chanid; + int is_subsystem; }; /* func */ @@ -124,10 +124,15 @@ void session_set_fds(Session *s, int fdin, int fdout, int fderr); void session_pty_cleanup(Session *s); void session_proctitle(Session *s); -void do_exec_pty(Session *s, const char *command, struct passwd * pw); -void do_exec_no_pty(Session *s, const char *command, struct passwd * pw); +void do_exec_pty(Session *s, const char *command); +void do_exec_no_pty(Session *s, const char *command); void do_login(Session *s, const char *command); void do_child(Session *s, const char *command); +void do_motd(void); +int check_quietlogin(Session *s, const char *command); + +void do_authenticated1(Authctxt *authctxt); +void do_authenticated2(Authctxt *authctxt); /* import */ extern ServerOptions options; 
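Review bot: The new `int is_subsystem;` member of `struct Session` has no comment although the struct carries section comments (`/* tty */`, `/* proto 2 */`); since it is set when a `subsystem` request is accepted and used elsewhere in this diff to drop the stderr descriptor and skip `_PATH_SSH_USER_RC`, `int is_subsystem; /* proto 2: channel runs a configured Subsystem, not a shell or command */` would make that explicit. struct Session itself starts before this hunk.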
@@ -135,8 +140,8 @@ extern int log_stderr; extern int debug_flag; extern u_int utmp_len; - extern int startup_pipe; +extern void destroy_sensitive_data(void); /* Local Xauthority file. */ static char *xauthfile; @@ -157,6 +162,40 @@ static login_cap_t *lc; #endif +void +do_authenticated(Authctxt *authctxt) +{ + /* + * Cancel the alarm we set to limit the time taken for + * authentication. + */ + alarm(0); + if (startup_pipe != -1) { + close(startup_pipe); + startup_pipe = -1; + } +#if defined(HAVE_LOGIN_CAP) && defined(HAVE_PW_CLASS_IN_PASSWD) + if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL) { + error("unable to get login class"); + return; + } +#ifdef BSD_AUTH + if (auth_approval(NULL, lc, authctxt->pw->pw_name, "ssh") <= 0) { + packet_disconnect("Approval failure for %s", + authctxt->pw->pw_name); + } +#endif +#endif + /* setup the channel layer */ + if (!no_port_forwarding_flag && options.allow_tcp_forwarding) + channel_permit_all_opens(); + + if (compat20) + do_authenticated2(authctxt); + else + do_authenticated1(authctxt); +} + /* * Remove local Xauthority file. */ 
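Review bot: On `login_getclass()` failure the new `do_authenticated` logs `error("unable to get login class")` and simply returns, leaving it to the caller (outside this hunk) to tear the connection down, whereas the BSD_AUTH branch immediately below terminates with `packet_disconnect()`. Using `packet_disconnect("unable to get login class for %s", authctxt->pw->pw_name);` in both cases makes the function self-contained and guarantees an authenticated but unapproved client never reaches `channel_permit_all_opens()` by any return path. The ordering itself — approval and login-class checks before forwarding is enabled and before either protocol's session loop — is the right place for them.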
@@ -206,47 +245,23 @@ * are requested, etc. */ void -do_authenticated(struct passwd * pw) +do_authenticated1(Authctxt *authctxt) { Session *s; - int type, fd; - int compression_level = 0, enable_compression_after_reply = 0; - int have_pty = 0; char *command; - int n_bytes; - int plen; + int success, type, fd, n_bytes, plen, screen_flag, have_pty = 0; + int compression_level = 0, enable_compression_after_reply = 0; u_int proto_len, data_len, dlen; - int screen_flag; - - /* - * Cancel the alarm we set to limit the time taken for - * authentication. - */ - alarm(0); - if (startup_pipe != -1) { - close(startup_pipe); - startup_pipe = -1; - } - - if (!no_port_forwarding_flag && options.allow_tcp_forwarding) - channel_permit_all_opens(); s = session_new(); - s->pw = pw; - -#if defined(HAVE_LOGIN_CAP) && defined(HAVE_PW_CLASS_IN_PASSWD) - if ((lc = login_getclass(pw->pw_class)) == NULL) { - error("unable to get login class"); - return; - } -#endif + s->pw = authctxt->pw; /* * We stay in this loop until the client requests to execute a shell * or a command. */ for (;;) { - int success = 0; + success = 0; /* Get a packet from the client. */ type = packet_read(&plen); @@ -283,7 +298,7 @@ break; } fatal_add_cleanup(pty_cleanup_proc, (void *)s); - pty_setowner(pw, s->tty); + pty_setowner(s->pw, s->tty); /* Get TERM from the packet. Note that the value may be of arbitrary length. */ s->term = packet_get_string(&dlen); @@ -358,7 +373,7 @@ /* Setup to always have a local .Xauthority. */ xauthfile = xmalloc(MAXPATHLEN); strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN); - temporarily_use_uid(pw->pw_uid); + temporarily_use_uid(s->pw); if (mkdtemp(xauthfile) == NULL) { restore_uid(); error("private X11 dir: mkdtemp %s failed: %s", @@ -383,7 +398,7 @@ break; } debug("Received authentication agent forwarding request."); - success = auth_input_request_forwarding(pw); + success = auth_input_request_forwarding(s->pw); break; case SSH_CMSG_PORT_FORWARD_REQUEST: 
@@ -396,7 +411,7 @@ break; } debug("Received TCP/IP port forwarding request."); - channel_input_port_forward_request(pw->pw_uid == 0, options.gateway_ports); + channel_input_port_forward_request(s->pw->pw_uid == 0, options.gateway_ports); success = 1; break; @@ -421,9 +436,9 @@ debug("Forced command '%.500s'", forced_command); } if (have_pty) - do_exec_pty(s, command, pw); + do_exec_pty(s, command); else - do_exec_no_pty(s, command, pw); + do_exec_no_pty(s, command); if (command != NULL) xfree(command); @@ -457,7 +472,7 @@ * setting up file descriptors and such. */ void -do_exec_no_pty(Session *s, const char *command, struct passwd * pw) +do_exec_no_pty(Session *s, const char *command) { int pid; @@ -481,7 +496,7 @@ session_proctitle(s); #if defined(USE_PAM) - do_pam_setcred(); + do_pam_setcred(1); #endif /* USE_PAM */ /* Fork the child. */ @@ -489,8 +504,6 @@ /* Child. Reinitialize the log since the pid has changed. */ log_init(__progname, options.log_level, options.log_facility, log_stderr); - signal(SIGPIPE, SIG_DFL); - /* * Create a new session and process group since the 4.4BSD * setlogin() affects the entire process group. @@ -555,11 +568,11 @@ close(perr[1]); if (compat20) { - session_set_fds(s, pin[1], pout[0], s->extended ? perr[0] : -1); + session_set_fds(s, pin[1], pout[0], s->is_subsystem ? -1 : perr[0]); } else { /* Enter the interactive session. */ server_loop(pid, pin[1], pout[0], perr[0]); - /* server_loop has closed pin[1], pout[1], and perr[1]. */ + /* server_loop has closed pin[1], pout[0], and perr[0]. */ } #else /* USE_PIPES */ /* We are the parent. Close the child sides of the socket pairs. */ @@ -571,7 +584,7 @@ * handle the case that fdin and fdout are the same. */ if (compat20) { - session_set_fds(s, inout[1], inout[1], s->extended ? err[1] : -1); + session_set_fds(s, inout[1], inout[1], s->is_subsystem ? -1 : err[1]); } else { server_loop(pid, inout[1], inout[1], err[1]); /* server_loop has closed inout[1] and err[1]. */ 
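Review bot: For subsystems the new `session_set_fds(s, pin[1], pout[0], s->is_subsystem ? -1 : perr[0])` leaves `perr[0]` open in the parent (only `perr[1]` is closed in the visible lines) but hands it to nobody, so nothing ever reads the child's stderr; a subsystem that writes more than the pipe buffer to stderr blocks on that write and the session hangs. Either close the unused read end in the parent when `-1` is passed, or pass `perr[0]` and have the channel layer drain and discard it; the same applies to `err[1]` in the `#else /* USE_PIPES */` branch. Whether `session_set_fds()` or the channel code closes a descriptor it is not given is not visible here, so this is inferred from the visible calls. do_exec_no_pty begins before this hunk.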
@@ -586,7 +599,7 @@ * lastlog, and other such operations. */ void -do_exec_pty(Session *s, const char *command, struct passwd * pw) +do_exec_pty(Session *s, const char *command) { int fdout, ptyfd, ttyfd, ptymaster; pid_t pid; @@ -597,8 +610,8 @@ ttyfd = s->ttyfd; #if defined(USE_PAM) - do_pam_session(pw->pw_name, s->tty); - do_pam_setcred(); + do_pam_session(s->pw->pw_name, s->tty); + do_pam_setcred(1); #endif /* Fork the child. */ @@ -606,8 +619,6 @@ /* Child. Reinitialize the log because the pid has changed. */ log_init(__progname, options.log_level, options.log_facility, log_stderr); - signal(SIGPIPE, SIG_DFL); - /* Close the master side of the pseudo tty. */ close(ptyfd); @@ -630,8 +641,10 @@ close(ttyfd); /* record login, etc. similar to login(1) */ +#ifndef HAVE_OSF_SIA if (!(options.use_login && command == NULL)) do_login(s, command); +#endif /* Do common processing for the child, such as execing the command. */ do_child(s, command); @@ -674,28 +687,14 @@ } } -const char * -get_remote_name_or_ip(void) -{ - static const char *remote = ""; - if (utmp_len > 0) - remote = get_canonical_hostname(options.reverse_mapping_check); - if (utmp_len == 0 || strlen(remote) > utmp_len) - remote = get_remote_ipaddr(); - return remote; -} - /* administrative, login(1)-like work */ void do_login(Session *s, const char *command) { - FILE *f; char *time_string; - char buf[256]; char hostname[MAXHOSTNAMELEN]; socklen_t fromlen; struct sockaddr_storage from; - struct stat st; time_t last_login_time; struct passwd * pw = s->pw; pid_t pid = getpid(); 
@@ -715,13 +714,16 @@ } /* Get the time and hostname when the user last logged in. */ - hostname[0] = '\0'; - last_login_time = get_last_login_time(pw->pw_uid, pw->pw_name, - hostname, sizeof(hostname)); + if (options.print_lastlog) { + hostname[0] = '\0'; + last_login_time = get_last_login_time(pw->pw_uid, pw->pw_name, + hostname, sizeof(hostname)); + } /* Record that there was a login on that tty from the remote host. */ record_login(pid, s->tty, pw->pw_name, pw->pw_uid, - get_remote_name_or_ip(), (struct sockaddr *)&from); + get_remote_name_or_ip(utmp_len, options.reverse_mapping_check), + (struct sockaddr *)&from); #ifdef USE_PAM /* @@ -734,15 +736,7 @@ } #endif - /* Done if .hushlogin exists or a command given. */ - if (command != NULL) - return; - snprintf(buf, sizeof(buf), "%.200s/.hushlogin", pw->pw_dir); -#ifdef HAVE_LOGIN_CAP - if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0) -#else - if (stat(buf, &st) >= 0) -#endif + if (check_quietlogin(s, command)) return; #ifdef USE_PAM @@ -754,7 +748,7 @@ printf("%s\n", aixloginmsg); #endif /* WITH_AIXAUTHENTICATE */ - if (last_login_time != 0) { + if (options.print_lastlog && last_login_time != 0) { time_string = ctime(&last_login_time); if (strchr(time_string, '\n')) *strchr(time_string, '\n') = 0; @@ -763,6 +757,19 @@ else printf("Last login: %s from %s\r\n", time_string, hostname); } + + do_motd(); +} + +/* + * Display the message of the day. + */ +void +do_motd(void) +{ + FILE *f; + char buf[256]; + if (options.print_motd) { #ifdef HAVE_LOGIN_CAP f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", 
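Review bot: `last_login_time` is now assigned only inside `if (options.print_lastlog)` and the later `if (options.print_lastlog && last_login_time != 0)` guards the read, but the variable is otherwise uninitialised, so compilers will warn and a future edit that changes one condition but not the other reads garbage. Initialising at the declaration, `time_t last_login_time = 0;`, and keeping `hostname[0] = '\0';` unconditional costs nothing and makes the two sites independent. do_login's declarations are in the preceding hunk and the function continues past this one.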
@@ -778,6 +785,31 @@ } } + +/* + * Check for quiet login, either .hushlogin or command given. + */ +int +check_quietlogin(Session *s, const char *command) +{ + char buf[256]; + struct passwd * pw = s->pw; + struct stat st; + + /* Return 1 if .hushlogin exists or a command given. */ + if (command != NULL) + return 1; + snprintf(buf, sizeof(buf), "%.200s/.hushlogin", pw->pw_dir); +#ifdef HAVE_LOGIN_CAP + if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0) + return 1; +#else + if (stat(buf, &st) >= 0) + return 1; +#endif + return 0; +} + /* * Sets the value of the given variable in the environment. If the variable * already exists, its value is overriden. @@ -1024,11 +1056,14 @@ #endif /* WITH_IRIX_ARRAY */ #endif /* WITH_IRIX_JOBS */ + /* remove hostkey from the child's memory */ + destroy_sensitive_data(); + /* login(1) is only called if we execute the login shell */ if (options.use_login && command != NULL) options.use_login = 0; -#ifndef USE_PAM /* pam_nologin handles this */ +#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) if (!options.use_login) { # ifdef HAVE_LOGIN_CAP if (!login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid) @@ -1046,7 +1081,7 @@ exit(254); } } -#endif /* USE_PAM */ +#endif /* USE_PAM || HAVE_OSF_SIA */ /* Set login name, uid, gid, and groups. */ /* Login(1) does this as well, and it needs uid 0 for the "-h" @@ -1054,6 +1089,8 @@ if (!options.use_login) { #ifdef HAVE_OSF_SIA session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty); + if (!check_quietlogin(s, command)) + do_motd(); #else /* HAVE_OSF_SIA */ #ifdef HAVE_CYGWIN if (is_winnt) { @@ -1069,13 +1106,6 @@ perror("unable to set user context"); exit(1); } -#ifdef BSD_AUTH - if (auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) { - error("approval failure for %s", pw->pw_name); - fprintf(stderr, "Approval failure"); - exit(1); - } -#endif # else /* HAVE_LOGIN_CAP */ #if defined(HAVE_GETLUID) && defined(HAVE_SETLUID) /* Sets login uid for accounting */ 
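Review bot: The `/* pam_nologin handles this */` rationale was dropped when `#ifndef USE_PAM` became `#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)`, so a reader no longer learns why the /etc/nologin check is skipped on those builds; `#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) /* pam_nologin / SIA handle nologin */` restores it. The new `destroy_sensitive_data();` call sits before every exec path in the child, which is the right place, and its comment should state that contract: `/* must precede any exec below so private host keys never reach a user process */`. do_child begins before this hunk.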
@@ -1095,6 +1125,15 @@ exit(1); } endgrent(); +# ifdef USE_PAM + /* + * PAM credentials may take the form of + * supplementary groups. These will have been + * wiped by the above initgroups() call. + * Reestablish them here. + */ + do_pam_setcred(0); +# endif /* USE_PAM */ # ifdef WITH_IRIX_JOBS jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive"); if (jid == -1) { @@ -1148,7 +1187,7 @@ #endif /* Permanently switch to the desired uid. */ - permanently_set_uid(pw->pw_uid); + permanently_set_uid(pw); # endif /* HAVE_LOGIN_CAP */ } #endif /* HAVE_OSF_SIA */ @@ -1294,7 +1333,8 @@ } /* we have to stash the hostname before we close our socket. */ if (options.use_login) - hostname = get_remote_name_or_ip(); + hostname = get_remote_name_or_ip(utmp_len, + options.reverse_mapping_check); /* * Close the connection descriptors; note that this is the child, and * the server will still have the socket open, and it is important @@ -1351,7 +1391,8 @@ * in this order). */ if (!options.use_login) { - if (stat(_PATH_SSH_USER_RC, &st) >= 0) { + /* ignore _PATH_SSH_USER_RC for subsystems */ + if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) { if (debug_flag) fprintf(stderr, "Running %s %s\n", _PATH_BSHELL, _PATH_SSH_USER_RC); @@ -1420,6 +1461,10 @@ else cp = shell; } + + /* restore SIGPIPE for child */ + signal(SIGPIPE, SIG_DFL); + /* * If we have no command, execute the shell. In this case, the shell * name to be passed in argv[0] is preceded by '-' to indicate that @@ -1503,19 +1548,11 @@ for(i = 0; i < MAX_SESSIONS; i++) { Session *s = &sessions[i]; if (! s->used) { - s->pid = 0; - s->extended = 0; + memset(s, 0, sizeof(*s)); s->chanid = -1; s->ptyfd = -1; s->ttyfd = -1; - s->term = NULL; - s->pw = NULL; - s->display = NULL; - s->screen = 0; - s->auth_data = NULL; - s->auth_proto = NULL; s->used = 1; - s->pw = NULL; debug("session_new: session %d", i); return s; } 
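Review bot: `memset(s, 0, sizeof(*s));` in `session_new` also zeroes `s->self`, which the replaced code deliberately left untouched (it reset `pid`, `extended`, `term`, `pw` and the rest individually) and which appears to be initialised once outside this hunk, so after this change every session reports `self == 0` in the `session_pty_req` diagnostics and anywhere else the index is relied on. Re-establishing it after the memset, `s->self = i;`, keeps the slot index intact. The `do_pam_setcred(0)` after `initgroups()` and the `/* restore SIGPIPE for child */` addition look correct. session_new's start and end lie outside this hunk.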
@@ -1602,7 +1639,7 @@ session_pty_req(Session *s) { u_int len; - char *term_modes; /* encoded terminal modes */ + int n_bytes; if (no_pty_flag) return 0; @@ -1613,8 +1650,6 @@ s->row = packet_get_int(); s->xpixel = packet_get_int(); s->ypixel = packet_get_int(); - term_modes = packet_get_string(&len); - packet_done(); if (strcmp(s->term, "") == 0) { xfree(s->term); @@ -1627,7 +1662,6 @@ s->ptyfd = -1; s->ttyfd = -1; error("session_pty_req: session %d alloc failed", s->self); - xfree(term_modes); return 0; } debug("session_pty_req: session %d alloc %s", s->self, s->tty); @@ -1640,10 +1674,12 @@ /* Get window size from the packet. */ pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); + /* Get tty modes from the packet. */ + tty_parse_modes(s->ttyfd, &n_bytes); + packet_done(); + session_proctitle(s); - /* XXX parse and set terminal modes */ - xfree(term_modes); return 1; } @@ -1661,7 +1697,8 @@ for (i = 0; i < options.num_subsystems; i++) { if(strcmp(subsys, options.subsystem_name[i]) == 0) { debug("subsystem: exec() %s", options.subsystem_command[i]); - do_exec_no_pty(s, options.subsystem_command[i], s->pw); + s->is_subsystem = 1; + do_exec_no_pty(s, options.subsystem_command[i]); success = 1; } } @@ -1708,7 +1745,7 @@ } xauthfile = xmalloc(MAXPATHLEN); strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN); - temporarily_use_uid(s->pw->pw_uid); + temporarily_use_uid(s->pw); if (mkdtemp(xauthfile) == NULL) { restore_uid(); error("private X11 dir: mkdtemp %s failed: %s", @@ -1735,11 +1772,10 @@ /* if forced_command == NULL, the shell is execed */ char *shell = forced_command; packet_done(); - s->extended = 1; if (s->ttyfd == -1) - do_exec_no_pty(s, shell, s->pw); + do_exec_no_pty(s, shell); else - do_exec_pty(s, shell, s->pw); + do_exec_pty(s, shell); return 1; } 
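Review bot: The subsystem loop sets `s->is_subsystem = 1;` and forks via `do_exec_no_pty()` without leaving the loop, so if the same Subsystem name appears more than once in sshd_config (whether duplicates are rejected at parse time is not visible here) two processes are started for a single request. Adding `break;` after `success = 1;` bounds it to one exec per request. The enclosing subsystem-request function starts before this hunk.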
@@ -1754,11 +1790,10 @@ command = forced_command; debug("Forced command '%.500s'", forced_command); } - s->extended = 1; if (s->ttyfd == -1) - do_exec_no_pty(s, command, s->pw); + do_exec_no_pty(s, command); else - do_exec_pty(s, command, s->pw); + do_exec_pty(s, command); if (forced_command == NULL) xfree(command); return 1; @@ -1805,8 +1840,8 @@ s->self, id, rtype, reply); /* - * a session is in LARVAL state until a shell - * or programm is executed + * a session is in LARVAL state until a shell, a command + * or a subsystem is executed */ if (c->type == SSH_CHANNEL_LARVAL) { if (strcmp(rtype, "shell") == 0) { @@ -2023,23 +2058,7 @@ void do_authenticated2(Authctxt *authctxt) { - /* - * Cancel the alarm we set to limit the time taken for - * authentication. - */ - alarm(0); - if (startup_pipe != -1) { - close(startup_pipe); - startup_pipe = -1; - } - if (!no_port_forwarding_flag && options.allow_tcp_forwarding) - channel_permit_all_opens(); -#if defined(HAVE_LOGIN_CAP) && defined(HAVE_PW_CLASS_IN_PASSWD) - if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL) { - error("unable to get login class"); - return; - } -#endif + server_loop2(); if (xauthfile) xauthfile_cleanup_proc(NULL); diff -ru openssh-2.5.2p2/session.h openssh-2.9p1/session.h --- openssh-2.5.2p2/session.h 2001-01-29 18:39:26.000000000 +1100 +++ openssh-2.9p1/session.h 2001-03-22 13:02:13.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: session.h,v 1.5 2001/01/29 01:58:18 niklas Exp $ */ +/* $OpenBSD: session.h,v 1.6 2001/03/21 11:43:45 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. 
@@ -26,11 +26,8 @@ #ifndef SESSION_H #define SESSION_H -/* SSH1 */ -void do_authenticated(struct passwd * pw); +void do_authenticated(Authctxt *ac); -/* SSH2 */ -void do_authenticated2(Authctxt *ac); int session_open(int id); void session_input_channel_req(int id, void *arg); void session_close_by_pid(pid_t pid, int status); diff -ru openssh-2.5.2p2/sftp-client.c openssh-2.9p1/sftp-client.c --- openssh-2.5.2p2/sftp-client.c 2001-03-19 22:29:47.000000000 +1100 +++ openssh-2.9p1/sftp-client.c 2001-04-06 09:26:33.000000000 +1000 @@ -29,7 +29,7 @@ /* XXX: copy between two remote sites */ #include "includes.h" -RCSID("$OpenBSD: sftp-client.c,v 1.15 2001/03/19 10:52:51 djm Exp $"); +RCSID("$OpenBSD: sftp-client.c,v 1.16 2001/04/05 10:42:52 markus Exp $"); #include "ssh.h" #include "buffer.h" @@ -284,7 +284,7 @@ int -do_lsreaddir(int fd_in, int fd_out, char *path, int printflag, +do_lsreaddir(int fd_in, int fd_out, char *path, int printflag, SFTP_DIRENT ***dir) { Buffer msg; @@ -370,7 +370,7 @@ printf("%s\n", longname); if (dir) { - *dir = xrealloc(*dir, sizeof(**dir) * + *dir = xrealloc(*dir, sizeof(**dir) * (ents + 2)); (*dir)[ents] = xmalloc(sizeof(***dir)); (*dir)[ents]->filename = xstrdup(filename); diff -ru openssh-2.5.2p2/sftp-client.h openssh-2.9p1/sftp-client.h --- openssh-2.5.2p2/sftp-client.h 2001-03-17 11:34:46.000000000 +1100 +++ openssh-2.9p1/sftp-client.h 2001-04-06 09:26:33.000000000 +1000 @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.h,v 1.4 2001/03/16 08:16:18 djm Exp $ */ +/* $OpenBSD: sftp-client.h,v 1.5 2001/04/05 10:42:52 markus Exp $ */ /* * Copyright (c) 2001 Damien Miller. All rights reserved. @@ -34,8 +34,8 @@ Attrib a; }; -/* - * Initialiase a SSH filexfer connection. Returns -1 on error or +/* + * Initialiase a SSH filexfer connection. Returns -1 on error or * protocol version on success. */ int do_init(int fd_in, int fd_out); 
@@ -68,7 +68,7 @@ Attrib *do_lstat(int fd_in, int fd_out, char *path, int quiet); /* Get file attributes of open file 'handle' */ -Attrib *do_fstat(int fd_in, int fd_out, char *handle, u_int handle_len, +Attrib *do_fstat(int fd_in, int fd_out, char *handle, u_int handle_len, int quiet); /* Set file attributes of 'path' */ diff -ru openssh-2.5.2p2/sftp-glob.c openssh-2.9p1/sftp-glob.c --- openssh-2.5.2p2/sftp-glob.c 2001-03-17 11:34:46.000000000 +1100 +++ openssh-2.9p1/sftp-glob.c 2001-04-16 00:27:16.000000000 +1000 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sftp-glob.c,v 1.2 2001/03/16 08:16:18 djm Exp $"); +RCSID("$OpenBSD: sftp-glob.c,v 1.5 2001/04/15 08:43:46 markus Exp $"); #include "ssh.h" #include "buffer.h" @@ -65,7 +65,9 @@ struct dirent *fudge_readdir(struct SFTP_OPENDIR *od) { - static struct dirent ret; + /* Solaris needs sizeof(dirent) + path length (see below) */ + static char buf[sizeof(struct dirent) + MAXPATHLEN]; + struct dirent *ret = (struct dirent *)buf; #ifdef __GNU_LIBRARY__ static int inum = 1; #endif /* __GNU_LIBRARY__ */ 
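Review bot: `static char buf[sizeof(struct dirent) + MAXPATHLEN]; struct dirent *ret = (struct dirent *)buf;` relies on a char array happening to satisfy `struct dirent`'s alignment, which the language does not guarantee, and the cast is an aliasing violation on paper. Declaring the storage as a struct that embeds the dirent, `static struct { struct dirent d; char pad[MAXPATHLEN]; } u; struct dirent *ret = &u.d;`, gives the same extra room for the one-byte `d_name` platforms with correct alignment and no cast. As before, the result points at static storage and is overwritten by the next call, which is fine for the GLOB_ALTDIRFUNC use here but worth a comment on the function.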
@@ -73,28 +75,36 @@ if (od->dir[od->offset] == NULL) return(NULL); - memset(&ret, 0, sizeof(ret)); - strlcpy(ret.d_name, od->dir[od->offset++]->filename, - sizeof(ret.d_name)); + memset(buf, 0, sizeof(buf)); + /* + * Solaris defines dirent->d_name as a one byte array and expects + * you to hack around it. + */ +#ifdef BROKEN_ONE_BYTE_DIRENT_D_NAME + strlcpy(ret->d_name, od->dir[od->offset++]->filename, MAXPATHLEN); +#else + strlcpy(ret->d_name, od->dir[od->offset++]->filename, + sizeof(ret->d_name)); +#endif #ifdef __GNU_LIBRARY__ /* * Idiot glibc uses extensions to struct dirent for readdir with * ALTDIRFUNCs. Not that this is documented anywhere but the * source... Fake an inode number to appease it. */ - ret.d_ino = inum++; + ret->d_ino = inum++; if (!inum) inum = 1; #endif /* __GNU_LIBRARY__ */ - return(&ret); + return(ret); } void fudge_closedir(struct SFTP_OPENDIR *od) { free_sftp_dirents(od->dir); - free(od); + xfree(od); } void attrib_to_stat(Attrib *a, struct stat *st) @@ -140,8 +150,8 @@ } int -remote_glob(int fd_in, int fd_out, const char *pattern, int flags, - const int (*errfunc)(const char *, int), glob_t *pglob) +remote_glob(int fd_in, int fd_out, const char *pattern, int flags, + int (*errfunc)(const char *, int), glob_t *pglob) { pglob->gl_opendir = (void*)fudge_opendir; pglob->gl_readdir = (void*)fudge_readdir; @@ -153,6 +163,6 @@ cur.fd_in = fd_in; cur.fd_out = fd_out; - return(glob(pattern, flags | GLOB_ALTDIRFUNC, (void*)errfunc, + return(glob(pattern, flags | GLOB_ALTDIRFUNC, (void*)errfunc, pglob)); } diff -ru openssh-2.5.2p2/sftp-glob.h openssh-2.9p1/sftp-glob.h --- openssh-2.5.2p2/sftp-glob.h 2001-03-14 10:27:09.000000000 +1100 +++ openssh-2.9p1/sftp-glob.h 2001-04-16 00:27:16.000000000 +1000 @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-glob.h,v 1.1 2001/03/13 22:42:54 djm Exp $ */ +/* $OpenBSD: sftp-glob.h,v 1.3 2001/04/15 08:43:46 markus Exp $ */ /* * Copyright (c) 2001 Damien Miller. All rights reserved. 
@@ -27,6 +27,6 @@ /* Remote sftp filename globbing */ int -remote_glob(int fd_in, int fd_out, const char *pattern, int flags, - const int (*errfunc)(const char *, int), glob_t *pglob); +remote_glob(int fd_in, int fd_out, const char *pattern, int flags, + int (*errfunc)(const char *, int), glob_t *pglob); diff -ru openssh-2.5.2p2/sftp-int.c openssh-2.9p1/sftp-int.c --- openssh-2.5.2p2/sftp-int.c 2001-03-17 11:37:32.000000000 +1100 +++ openssh-2.9p1/sftp-int.c 2001-04-16 00:27:16.000000000 +1000 @@ -26,7 +26,7 @@ /* XXX: recursive operations */ #include "includes.h" -RCSID("$OpenBSD: sftp-int.c,v 1.31 2001/03/16 13:44:24 markus Exp $"); +RCSID("$OpenBSD: sftp-int.c,v 1.36 2001/04/15 08:43:46 markus Exp $"); #include "buffer.h" #include "xmalloc.h" @@ -86,6 +86,7 @@ { "dir", I_LS }, { "exit", I_QUIT }, { "get", I_GET }, + { "mget", I_GET }, { "help", I_HELP }, { "lcd", I_LCHDIR }, { "lchdir", I_LCHDIR }, @@ -97,6 +98,7 @@ { "lumask", I_LUMASK }, { "mkdir", I_MKDIR }, { "put", I_PUT }, + { "mput", I_PUT }, { "pwd", I_PWD }, { "quit", I_QUIT }, { "rename", I_RENAME }, @@ -144,7 +146,7 @@ void local_do_shell(const char *args) { - int ret, status; + int status; char *shell; pid_t pid; @@ -161,10 +163,10 @@ /* XXX: child has pipe fds to ssh subproc open - issue? */ if (args) { debug3("Executing %s -c \"%s\"", shell, args); - ret = execl(shell, shell, "-c", args, NULL); + execl(shell, shell, "-c", args, NULL); } else { debug3("Executing %s", shell); - ret = execl(shell, shell, NULL); + execl(shell, shell, NULL); } fprintf(stderr, "Couldn't execute \"%s\": %s\n", shell, strerror(errno)); @@ -451,9 +453,12 @@ xfree(tmp); } else abs_dst = xstrdup(tmp_dst); - } else if (infer_path(g.gl_pathv[0], &abs_dst)) { - err = -1; - goto out; + } else { + if (infer_path(g.gl_pathv[0], &abs_dst)) { + err = -1; + goto out; + } + abs_dst = make_absolute(abs_dst, pwd); } printf("Uploading %s to %s\n", g.gl_pathv[0], abs_dst); err = do_upload(in, out, g.gl_pathv[0], abs_dst, pflag); 
@@ -662,8 +667,8 @@ break; case I_PUT: err = process_put(in, out, path1, path2, *pwd, pflag); - break; - case I_RENAME: + break; + case I_RENAME: path1 = make_absolute(path1, *pwd); path2 = make_absolute(path2, *pwd); err = do_rename(in, out, path1, path2); @@ -851,9 +856,10 @@ } void -interactive_loop(int fd_in, int fd_out) +interactive_loop(int fd_in, int fd_out, char *file1, char *file2) { char *pwd; + char *dir = NULL; char cmd[2048]; version = do_init(fd_in, fd_out); @@ -864,6 +870,25 @@ if (pwd == NULL) fatal("Need cwd"); + if (file1 != NULL) { + dir = xstrdup(file1); + dir = make_absolute(dir, pwd); + + if (remote_is_dir(fd_in, fd_out, dir) && file2 == NULL) { + printf("Changing to: %s\n", dir); + snprintf(cmd, sizeof cmd, "cd \"%s\"", dir); + parse_dispatch_command(fd_in, fd_out, cmd, &pwd); + } else { + if (file2 == NULL) + snprintf(cmd, sizeof cmd, "get %s", dir); + else + snprintf(cmd, sizeof cmd, "get %s %s", dir, + file2); + + parse_dispatch_command(fd_in, fd_out, cmd, &pwd); + return; + } + } setvbuf(stdout, NULL, _IOLBF, 0); setvbuf(infile, NULL, _IOLBF, 0); diff -ru openssh-2.5.2p2/sftp-int.h openssh-2.9p1/sftp-int.h --- openssh-2.5.2p2/sftp-int.h 2001-02-04 23:20:19.000000000 +1100 +++ openssh-2.9p1/sftp-int.h 2001-04-13 10:00:14.000000000 +1000 @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-int.h,v 1.1 2001/02/04 11:11:54 djm Exp $ */ +/* $OpenBSD: sftp-int.h,v 1.2 2001/04/12 23:17:54 mouring Exp $ */ /* * Copyright (c) 2001 Damien Miller. All rights reserved. @@ -24,4 +24,4 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -void interactive_loop(int fd_in, int fd_out); +void interactive_loop(int fd_in, int fd_out, char *file1, char *file2); diff -ru openssh-2.5.2p2/sftp-server.0 openssh-2.9p1/sftp-server.0 --- openssh-2.5.2p2/sftp-server.0 2001-03-22 16:07:08.000000000 +1100 +++ openssh-2.9p1/sftp-server.0 2001-04-29 22:40:34.000000000 +1000 
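Review bot: The auto-fetch path rebuilds a textual command from the user's `host:file` argument and feeds it back through parse_dispatch_command, so the remote path is re-tokenised by the interactive parser: the `cd` form is quoted but neither `get` form is, so a remote or local name containing a space is split into separate operands, and a name containing `"` breaks the quoted `cd` form as well. The `snprintf` into the 2048-byte `cmd` is also not checked for truncation, which would silently fetch or cd into a different path. Quote both `get` operands the same way `cd` does and reject truncation, `if (snprintf(cmd, sizeof cmd, "get \"%s\" \"%s\"", dir, file2) >= sizeof cmd) fatal("path too long");`, or better, call the get handler directly instead of round-tripping through the parser, which removes the quoting problem entirely. `dir` is xstrdup'd and never freed on either branch; interactive_loop continues past this hunk.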
@@ -9,12 +9,15 @@ DESCRIPTION sftp-server is a program that speaks the server side of SFTP protocol to - stdout and expects client requests from stdin. sftp-server is not in- - tended to be called directly, but from sshd(8) using the Subsystem op- + stdout and expects client requests from stdin. sftp-server is not inM-- + tended to be called directly, but from sshd(8) using the Subsystem opM-- tion. See sshd(8) for more information. SEE ALSO - ssh(1), ssh-add(1), ssh-keygen(1), sshd(8) + sftp(1), ssh(1), sshd(8) + + T. Ylonen, and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- + filexfer-00.txt, January 2001, work in progress material. AUTHORS Markus Friedl diff -ru openssh-2.5.2p2/sftp-server.8 openssh-2.9p1/sftp-server.8 --- openssh-2.5.2p2/sftp-server.8 2001-03-05 17:59:28.000000000 +1100 +++ openssh-2.9p1/sftp-server.8 2001-04-23 03:17:46.000000000 +1000 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp-server.8,v 1.5 2001/03/02 18:54:31 deraadt Exp $ +.\" $OpenBSD: sftp-server.8,v 1.6 2001/04/22 13:32:26 markus Exp $ .\" .\" Copyright (c) 2000 Markus Friedl. All rights reserved. .\" @@ -44,10 +44,17 @@ .Xr sshd 8 for more information. .Sh SEE ALSO +.Xr sftp 1 , .Xr ssh 1 , -.Xr ssh-add 1 , -.Xr ssh-keygen 1 , .Xr sshd 8 +.Rs +.%A T. Ylonen +.%A S. Lehtinen +.%T "SSH File Transfer Protocol" +.%N draft-ietf-secsh-filexfer-00.txt +.%D January 2001 +.%O work in progress material +.Re .Sh AUTHORS Markus Friedl .Sh HISTORY diff -ru openssh-2.5.2p2/sftp-server.c openssh-2.9p1/sftp-server.c --- openssh-2.5.2p2/sftp-server.c 2001-03-15 11:09:16.000000000 +1100 +++ openssh-2.9p1/sftp-server.c 2001-04-14 00:28:42.000000000 +1000 @@ -22,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: sftp-server.c,v 1.24 2001/03/14 22:50:25 deraadt Exp $"); +RCSID("$OpenBSD: sftp-server.c,v 1.25 2001/04/05 10:42:53 markus Exp $"); #include "buffer.h" #include "bufaux.h" 
@@ -288,7 +288,7 @@ buffer_put_int(&msg, id); buffer_put_int(&msg, error); if (version >= 3) { - buffer_put_cstring(&msg, + buffer_put_cstring(&msg, status_messages[MIN(error,SSH2_FX_MAX)]); buffer_put_cstring(&msg, ""); } @@ -1043,6 +1043,11 @@ in = dup(STDIN_FILENO); out = dup(STDOUT_FILENO); +#ifdef HAVE_CYGWIN + setmode(in, O_BINARY); + setmode(out, O_BINARY); +#endif + max = 0; if (in > max) max = in; diff -ru openssh-2.5.2p2/sftp.0 openssh-2.9p1/sftp.0 --- openssh-2.5.2p2/sftp.0 2001-03-22 16:07:08.000000000 +1100 +++ openssh-2.9p1/sftp.0 2001-04-29 22:40:34.000000000 +1000 @@ -5,19 +5,28 @@ sftp - Secure file transfer program SYNOPSIS - sftp [-vC] [-b batchfile] [-o ssh_option] [hostname | user@hostname] + sftp [-vC] [-b batchfile] [-o ssh_option] [host] + sftp [[user@]host[:file [file]]] + sftp [[user@]host[:dir[/]]] DESCRIPTION sftp is an interactive file transfer program, similar to ftp(1), which performs all operations over an encrypted ssh(1) transport. It may also - use many features of ssh, such as public key authentication and compres- + use many features of ssh, such as public key authentication and compresM-- sion. sftp connects and logs into the specified hostname, then enters an interactive command mode. + The second usage format will fetch files automaticly if a non-interactive + authentication is used, else it do so after an interactive authentication + is used. + + The last usage format allows the sftp client to start in a remote direcM-- + tory. + The options are as follows: -b batchfile - Batch mode reads a series of commands from an input batchfile in- + Batch mode reads a series of commands from an input batchfile inM-- stead of stdin. Since it lacks user interaction it should be used in conjunction with non-interactive authentication. sftp will abort if any of the following commands fail: get, put, rename, 
@@ -32,7 +41,7 @@ INTERACTIVE COMMANDS Once in interactive mode, sftp understands a set of commands similar to - those of ftp(1). Commands are case insensitive and pathnames may be en- + those of ftp(1). Commands are case insensitive and pathnames may be enM-- closed in quotes if they contain spaces. cd path @@ -61,8 +70,7 @@ help Display help text. lls [ls-options [path]] - Display local directory listing of either path or current direc- - + Display local directory listing of either path or current direcM-- tory if path is not specified. lmkdir path @@ -74,7 +82,7 @@ lpwd Print local working directory. ls [path] - Display remote directory listing of either path or current direc- + Display remote directory listing of either path or current direcM-- tory if path is not specified. lumask umask @@ -84,7 +92,7 @@ Create remote directory specified by path. put [flags] local-path [local-path] - Upload local-path and store it on the remote machine. If the re- + Upload local-path and store it on the remote machine. If the reM-- mote path name is not specified, it is given the same name it has on the local machine. If the -P flag is specified, then the file's full permission and access time are copied too. @@ -116,7 +124,9 @@ Damien Miller SEE ALSO - ssh(1), sftp-server(8), ssh-add(1), ssh-keygen(1), sshd(8), scp(1) + scp(1), ssh(1), ssh-add(1), ssh-keygen(1), sftp-server(8), sshd(8) + T. Ylonen, and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- + filexfer-00.txt, January 2001, work in progress material. -BSD Experimental Febuary 4, 2001 2 +BSD Experimental February 4, 2001 2 diff -ru openssh-2.5.2p2/sftp.1 openssh-2.9p1/sftp.1 --- openssh-2.5.2p2/sftp.1 2001-03-09 11:09:03.000000000 +1100 +++ openssh-2.9p1/sftp.1 2001-04-23 03:17:46.000000000 +1000 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.13 2001/03/08 20:44:48 stevesk Exp $ +.\" $OpenBSD: sftp.1,v 1.17 2001/04/22 13:32:27 markus Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" 
@@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd Febuary 4, 2001 +.Dd February 4, 2001 .Dt SFTP 1 .Os .Sh NAME @@ -33,7 +33,11 @@ .Op Fl vC .Op Fl b Ar batchfile .Op Fl o Ar ssh_option -.Op Ar hostname | user@hostname +.Op Ar host +.Nm sftp +.Op [\fIuser\fR@]\fIhost\fR[:\fIfile\fR [\fIfile\fR]] +.Nm sftp +.Op [\fIuser\fR@]\fIhost\fR[:\fIdir\fR[\fI/\fR]] .Sh DESCRIPTION .Nm is an interactive file transfer program, similar to @@ -48,6 +52,12 @@ .Ar hostname , then enters an interactive command mode. .Pp +The second usage format will fetch files automaticly if a non-interactive +authentication is used, else it do so after an interactive authentication +is used. +.Pp +The last usage format allows the sftp client to start in a remote directory. +.Pp The options are as follows: .Bl -tag -width Ds .It Fl b Ar batchfile @@ -196,10 +206,17 @@ .Sh AUTHORS Damien Miller .Sh SEE ALSO +.Xr scp 1 , .Xr ssh 1 , -.Xr sftp-server 8 , .Xr ssh-add 1 , .Xr ssh-keygen 1 , -.Xr sshd 8 , -.Xr scp 1 - +.Xr sftp-server 8 , +.Xr sshd 8 +.Rs +.%A T. Ylonen +.%A S. Lehtinen +.%T "SSH File Transfer Protocol" +.%N draft-ietf-secsh-filexfer-00.txt +.%D January 2001 +.%O work in progress material +.Re diff -ru openssh-2.5.2p2/sftp.c openssh-2.9p1/sftp.c --- openssh-2.5.2p2/sftp.c 2001-03-08 10:08:49.000000000 +1100 +++ openssh-2.9p1/sftp.c 2001-04-16 18:26:42.000000000 +1000 @@ -24,10 +24,9 @@ #include "includes.h" -RCSID("$OpenBSD: sftp.c,v 1.11 2001/03/07 10:11:23 djm Exp $"); +RCSID("$OpenBSD: sftp.c,v 1.15 2001/04/16 02:31:44 mouring Exp $"); /* XXX: commandline mode */ -/* XXX: copy between two remote hosts (commandline) */ /* XXX: short-form remote directory listings (like 'ls -C') */ #include "buffer.h" @@ -46,6 +45,8 @@ char *__progname; #endif +#include "scp-common.h" + int use_ssh1 = 0; char *ssh_program = _PATH_SSH_PROGRAM; char *sftp_server = NULL; 
@@ -147,7 +148,7 @@ void usage(void) { - fprintf(stderr, "usage: sftp [-1vC] [-b batchfile] [-osshopt=value] [user@]host\n"); + fprintf(stderr, "usage: sftp [-1vC] [-b batchfile] [-osshopt=value] [user@]host[:file [file]]\n"); exit(1); } @@ -156,7 +157,8 @@ { int in, out, ch, debug_level, compress_flag; pid_t sshpid; - char *host, *userhost; + char *file1 = NULL; + char *host, *userhost, *cp, *file2; LogLevel ll; extern int optind; extern char *optarg; @@ -191,9 +193,9 @@ case 'b': if (infile == stdin) { infile = fopen(optarg, "r"); - if (infile == NULL) + if (infile == NULL) fatal("%s (%s).", strerror(errno), optarg); - } else + } else fatal("Filename already specified."); break; case 'h': @@ -202,24 +204,30 @@ } } - if (optind == argc || argc > (optind + 1)) + if (optind == argc || argc > (optind + 2)) usage(); - userhost = argv[optind]; + userhost = xstrdup(argv[optind]); + file2 = argv[optind+1]; + + if ((cp = colon(userhost)) != NULL) { + *cp++ = '\0'; + file1 = cp; + } if ((host = strchr(userhost, '@')) == NULL) host = userhost; else { - *host = '\0'; + *host++ = '\0'; if (!userhost[0]) { fprintf(stderr, "Missing username\n"); usage(); } make_ssh_args("-l"); make_ssh_args(userhost); - host++; } + host = cleanhostname(host); if (!*host) { fprintf(stderr, "Missing hostname\n"); usage(); @@ -256,7 +264,7 @@ connect_to_server(make_ssh_args(NULL), &in, &out, &sshpid); - interactive_loop(in, out); + interactive_loop(in, out, file1, file2); #if !defined(USE_PIPES) shutdown(in, SHUT_RDWR); diff -ru openssh-2.5.2p2/ssh-add.0 openssh-2.9p1/ssh-add.0 --- openssh-2.5.2p2/ssh-add.0 2001-03-22 16:07:07.000000000 +1100 +++ openssh-2.9p1/ssh-add.0 2001-04-29 22:40:31.000000000 +1000 
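Review bot: `file2 = argv[optind+1]` is assigned regardless of whether the first operand carried a `host:file` part, and the interactive_loop hunk earlier in this diff only consults file2 inside `if (file1 != NULL)`, so `sftp host somefile` silently discards the second operand instead of failing. A check after the colon split, `if (file1 == NULL && file2 != NULL) usage();`, makes the accepted forms match the new usage string. The split `*cp++ = '\0'` relies on colon() to pick the right colon when the host is a bracketed IPv6 literal; colon() and cleanhostname() are defined outside this hunk, so that is worth confirming, and `userhost` from xstrdup is never freed (harmless at process exit, but worth a comment if intentional).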
@@ -12,7 +12,8 @@ agent(1). When run without arguments, it adds the file $HOME/.ssh/identity. Alternative file names can be given on the command line. If any file requires a passphrase, ssh-add asks for the passphrase - from the user. The Passphrase it is read from the user's tty. + from the user. The Passphrase it is read from the user's tty. ssh-add + retries the last passphrase if multiple identity files are given. The authentication agent must be running and must be an ancestor of the current process for ssh-add to work. @@ -22,7 +23,7 @@ -l Lists fingerprints of all identities currently represented by the agent. - -L Lists public key parameters of all identities currently repre- + -L Lists public key parameters of all identities currently repreM-- sented by the agent. -d Instead of adding the identity, removes the identity from the 
@@ -32,16 +33,21 @@ FILES $HOME/.ssh/identity - Contains the RSA authentication identity of the user. This file - should not be readable by anyone but the user. Note that ssh-add - ignores this file if it is accessible by others. It is possible - to specify a passphrase when generating the key; that passphrase - will be used to encrypt the private part of this file. This is - the default file added by ssh-add when no other files have been - specified. + Contains the protocol version 1 RSA authentication identity of + the user. This file should not be readable by anyone but the usM-- + er. Note that ssh-add ignores this file if it is accessible by + others. It is possible to specify a passphrase when generating + the key; that passphrase will be used to encrypt the private part + of this file. This is the default file added by ssh-add when no + other files have been specified. $HOME/.ssh/id_dsa - Contains the DSA authentication identity of the user. + Contains the protocol version 2 DSA authentication identity of + the user. + + $HOME/.ssh/id_rsa + Contains the protocol version 2 RSA authentication identity of + the user. ENVIRONMENT DISPLAY and SSH_ASKPASS @@ -57,10 +63,11 @@ AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo - de Raadt and Dug Song removed many bugs, re-added newer features and cre- + de Raadt and Dug Song removed many bugs, re-added newer features and creM-- ated OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. SEE ALSO ssh(1), ssh-agent(1), ssh-keygen(1), sshd(8) +BSD Experimental September 25, 1999 2 diff -ru openssh-2.5.2p2/ssh-add.1 openssh-2.9p1/ssh-add.1 --- openssh-2.5.2p2/ssh-add.1 2001-03-05 17:59:28.000000000 +1100 +++ openssh-2.9p1/ssh-add.1 2001-04-12 01:59:36.000000000 +1000 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.22 2001/03/02 18:54:31 deraadt Exp $ +.\" $OpenBSD: ssh-add.1,v 1.24 2001/04/10 09:13:21 itojun Exp $ .\" .\" -*- nroff -*- .\" @@ -58,6 +58,8 @@ .Nm asks for the passphrase from the user. The Passphrase it is read from the user's tty. +.Nm +retries the last passphrase if multiple identity files are given. .Pp The authentication agent must be running and must be an ancestor of the current process for @@ -78,7 +80,7 @@ .Sh FILES .Bl -tag -width Ds .It Pa $HOME/.ssh/identity -Contains the RSA authentication identity of the user. +Contains the protocol version 1 RSA authentication identity of the user. This file should not be readable by anyone but the user. Note that .Nm @@ -90,7 +92,9 @@ .Nm when no other files have been specified. .It Pa $HOME/.ssh/id_dsa -Contains the DSA authentication identity of the user. +Contains the protocol version 2 DSA authentication identity of the user. +.It Pa $HOME/.ssh/id_rsa +Contains the protocol version 2 RSA authentication identity of the user. .El .Sh ENVIRONMENT .Bl -tag -width Ds diff -ru openssh-2.5.2p2/ssh-add.c openssh-2.9p1/ssh-add.c --- openssh-2.5.2p2/ssh-add.c 2001-03-13 15:57:59.000000000 +1100 +++ openssh-2.9p1/ssh-add.c 2001-04-20 06:33:08.000000000 +1000 @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-add.c,v 1.30 2001/03/12 22:02:02 markus Exp $"); +RCSID("$OpenBSD: ssh-add.c,v 1.36 2001/04/18 21:57:42 markus Exp $"); #include 
@@ -55,20 +55,28 @@ char *__progname; #endif +/* we keep a cache of one passphrases */ +static char *pass = NULL; +void +clear_pass(void) +{ + if (pass) { + memset(pass, 0, strlen(pass)); + xfree(pass); + pass = NULL; + } +} + void delete_file(AuthenticationConnection *ac, const char *filename) { Key *public; - char *comment; + char *comment = NULL; - public = key_new(KEY_RSA1); - if (!load_public_key(filename, public, &comment)) { - key_free(public); - public = key_new(KEY_UNSPEC); - if (!try_load_public_key(filename, public, &comment)) { - printf("Bad key file %s\n", filename); - return; - } + public = key_load_public(filename, &comment); + if (public == NULL) { + printf("Bad key file %s\n", filename); + return; } if (ssh_remove_identity(ac, public)) fprintf(stderr, "Identity removed: %s (%s)\n", filename, comment); 
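Review bot: clear_pass() scrubs the cached passphrase with a plain `memset` immediately before `xfree`, which a compiler is entitled to drop as a dead store because the buffer is never read again, so the passphrase can survive in freed heap memory. Use a zeroing call the optimizer cannot elide where the platform provides one (`explicit_bzero`/`memset_s`) or a volatile write loop, and at minimum leave a comment so the memset is not "cleaned up" later, e.g. `/* scrub before free: the cached passphrase must not linger in freed heap */`. The header comment `/* we keep a cache of one passphrases */` should read `/* cache of the most recently entered passphrase, retried for the next identity file */`, and `clear_pass` should be `static` like `pass` itself. In delete_file, the `comment` returned by key_load_public is not freed on the paths visible here; the rest of delete_file is outside the hunk.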
@@ -95,119 +103,51 @@ fprintf(stderr, "Failed to remove all identities.\n"); } -char * -ssh_askpass(char *askpass, char *msg) -{ - pid_t pid; - size_t len; - char *nl, *pass; - int p[2], status; - char buf[1024]; - - if (fflush(stdout) != 0) - error("ssh_askpass: fflush: %s", strerror(errno)); - if (askpass == NULL) - fatal("internal error: askpass undefined"); - if (pipe(p) < 0) - fatal("ssh_askpass: pipe: %s", strerror(errno)); - if ((pid = fork()) < 0) - fatal("ssh_askpass: fork: %s", strerror(errno)); - if (pid == 0) { - close(p[0]); - if (dup2(p[1], STDOUT_FILENO) < 0) - fatal("ssh_askpass: dup2: %s", strerror(errno)); - execlp(askpass, askpass, msg, (char *) 0); - fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno)); - } - close(p[1]); - len = read(p[0], buf, sizeof buf); - close(p[0]); - while (waitpid(pid, &status, 0) < 0) - if (errno != EINTR) - break; - if (len <= 1) - return xstrdup(""); - nl = strchr(buf, '\n'); - if (nl) - *nl = '\0'; - pass = xstrdup(buf); - memset(buf, 0, sizeof(buf)); - return pass; -} - void add_file(AuthenticationConnection *ac, const char *filename) { struct stat st; - Key *public; Key *private; - char *saved_comment, *comment, *askpass = NULL; - char buf[1024], msg[1024]; - int success; - int interactive = isatty(STDIN_FILENO); - int type = KEY_RSA1; + char *comment = NULL; + char msg[1024]; if (stat(filename, &st) < 0) { perror(filename); exit(1); } - /* - * try to load the public key. 
right now this only works for RSA, - * since DSA keys are fully encrypted - */ - public = key_new(KEY_RSA1); - if (!load_public_key(filename, public, &saved_comment)) { - /* ok, so we will assume this is 'some' key */ - type = KEY_UNSPEC; - saved_comment = xstrdup(filename); - } - key_free(public); - - if (!interactive && getenv("DISPLAY")) { - if (getenv(SSH_ASKPASS_ENV)) - askpass = getenv(SSH_ASKPASS_ENV); - else - askpass = _PATH_SSH_ASKPASS_DEFAULT; - } - /* At first, try empty passphrase */ - private = key_new(type); - success = load_private_key(filename, "", private, &comment); - if (!success) { + private = key_load_private(filename, "", &comment); + if (comment == NULL) + comment = xstrdup(filename); + /* try last */ + if (private == NULL && pass != NULL) + private = key_load_private(filename, pass, NULL); + if (private == NULL) { + /* clear passphrase since it did not work */ + clear_pass(); printf("Need passphrase for %.200s\n", filename); - if (!interactive && askpass == NULL) { - xfree(saved_comment); - return; - } - snprintf(msg, sizeof msg, "Enter passphrase for %.200s", saved_comment); + snprintf(msg, sizeof msg, "Enter passphrase for %.200s ", + comment); for (;;) { - char *pass; - if (interactive) { - snprintf(buf, sizeof buf, "%s: ", msg); - pass = read_passphrase(buf, 1); - } else { - pass = ssh_askpass(askpass, msg); - } + pass = read_passphrase(msg, 1); if (strcmp(pass, "") == 0) { - xfree(pass); - xfree(saved_comment); + clear_pass(); + xfree(comment); return; } - success = load_private_key(filename, pass, private, &comment); - memset(pass, 0, strlen(pass)); - xfree(pass); - if (success) + private = key_load_private(filename, pass, &comment); + if (private != NULL) break; - strlcpy(msg, "Bad passphrase, try again", sizeof msg); + clear_pass(); + strlcpy(msg, "Bad passphrase, try again ", sizeof msg); } } - xfree(comment); - if (ssh_add_identity(ac, private, saved_comment)) - fprintf(stderr, "Identity added: %s (%s)\n", filename, 
saved_comment); + if (ssh_add_identity(ac, private, comment)) + fprintf(stderr, "Identity added: %s (%s)\n", filename, comment); else fprintf(stderr, "Could not add identity: %s\n", filename); + xfree(comment); key_free(private); - xfree(saved_comment); } void @@ -300,6 +240,7 @@ else add_file(ac, buf); } + clear_pass(); ssh_close_authentication_connection(ac); exit(0); } diff -ru openssh-2.5.2p2/ssh-agent.0 openssh-2.9p1/ssh-agent.0 --- openssh-2.5.2p2/ssh-agent.0 2001-03-22 16:07:07.000000000 +1100 +++ openssh-2.9p1/ssh-agent.0 2001-04-29 22:40:32.000000000 +1000 @@ -10,9 +10,9 @@ ssh-agent -k DESCRIPTION - ssh-agent is a program to hold private keys used for public key authenti- - cation (RSA, DSA). The idea is that ssh-agent is started in the begin- - ning of an X-session or a login session, and all other windows or pro- + ssh-agent is a program to hold private keys used for public key authentiM-- + cation (RSA, DSA). The idea is that ssh-agent is started in the beginM-- + ning of an X-session or a login session, and all other windows or proM-- grams are started as clients to the ssh-agent program. Through use of environment variables the agent can be located and automatically used for authentication when logging in to other machines using ssh(1). 
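Review bot: With the passphrase now cached in the static `pass` across files, the `exit(1)` on stat failure near the top of add_file (a context line this hunk retains) leaves a passphrase entered for an earlier identity unscrubbed at exit, bypassing the clear_pass() that main() now calls; add `clear_pass();` before that `exit(1)`. Separately, `comment` is set either by the first key_load_private call or to `xstrdup(filename)`, and is then passed again as `&comment` inside the retry loop — if key_load_private replaces it on success, the earlier string leaks; freeing it first, or passing NULL as the cached-passphrase retry already does, avoids that. A comment at the loop, `/* a passphrase that worked is deliberately left in pass for the next file */`, would make the caching intent clear to the next reader.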
@@ -35,24 +35,24 @@ ssh-add(1). When executed without arguments, ssh-add(1) adds the $HOME/.ssh/identity file. If the identity has a passphrase, ssh-add(1) asks for the passphrase (using a small X11 application if running under - X11, or from the terminal if running without X). It then sends the iden- + X11, or from the terminal if running without X). It then sends the idenM-- tity to the agent. Several identities can be stored in the agent; the agent can automatically use any of these identities. ssh-add -l displays the identities currently held by the agent. - The idea is that the agent is run in the user's local PC, laptop, or ter- + The idea is that the agent is run in the user's local PC, laptop, or terM-- minal. Authentication data need not be stored on any other machine, and - authentication passphrases never go over the network. However, the con- + authentication passphrases never go over the network. However, the conM-- nection to the agent is forwarded over SSH remote logins, and the user - can thus use the privileges given by the identities anywhere in the net- + can thus use the privileges given by the identities anywhere in the netM-- work in a secure way. There are two main ways to get an agent setup: Either you let the agent - start a new subcommand into which some environment variables are export- + start a new subcommand into which some environment variables are exportM-- ed, or you let the agent print the needed shell commands (either sh(1) or csh(1) syntax can be generated) which can be evalled in the calling - shell. Later ssh(1) look at these variables and use them to establish a - connection to the agent. + shell. Later ssh(1) looks at these variables and uses them to establish + a connection to the agent. A unix-domain socket is created (/tmp/ssh-XXXXXXXX/agent.), and the name of this socket is stored in the SSH_AUTH_SOCK environment variable. 
@@ -66,18 +66,23 @@ FILES $HOME/.ssh/identity - Contains the RSA authentication identity of the user. This file - should not be readable by anyone but the user. It is possible to - specify a passphrase when generating the key; that passphrase - will be used to encrypt the private part of this file. This file - is not used by ssh-agent but is normally added to the agent using - ssh-add(1) at login time. + Contains the protocol version 1 RSA authentication identity of + the user. This file should not be readable by anyone but the usM-- + er. It is possible to specify a passphrase when generating the + key; that passphrase will be used to encrypt the private part of + this file. This file is not used by ssh-agent but is normally + added to the agent using ssh-add(1) at login time. $HOME/.ssh/id_dsa - Contains the DSA authentication identity of the user. + Contains the protocol version 2 DSA authentication identity of + the user. + + $HOME/.ssh/id_rsa + Contains the protocol version 2 RSA authentication identity of + the user. /tmp/ssh-XXXXXXXX/agent. - Unix-domain sockets used to contain the connection to the authen- + Unix-domain sockets used to contain the connection to the authenM-- tication agent. These sockets should only be readable by the owner. The sockets should get automatically removed when the agent exits. @@ -85,7 +90,7 @@ AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo - de Raadt and Dug Song removed many bugs, re-added newer features and cre- + de Raadt and Dug Song removed many bugs, re-added newer features and creM-- ated OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. diff -ru openssh-2.5.2p2/ssh-agent.1 openssh-2.9p1/ssh-agent.1 --- openssh-2.5.2p2/ssh-agent.1 2001-03-05 17:59:28.000000000 +1100 +++ openssh-2.9p1/ssh-agent.1 2001-04-12 01:59:36.000000000 +1000 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.22 2001/03/02 18:54:31 deraadt Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.24 2001/04/10 09:13:21 itojun Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -121,7 +121,7 @@ syntax can be generated) which can be evalled in the calling shell. Later .Xr ssh 1 -look at these variables and use them to establish a connection to the agent. +looks at these variables and uses them to establish a connection to the agent. .Pp A unix-domain socket is created .Pq Pa /tmp/ssh-XXXXXXXX/agent. , @@ -142,7 +142,7 @@ .Sh FILES .Bl -tag -width Ds .It Pa $HOME/.ssh/identity -Contains the RSA authentication identity of the user. +Contains the protocol version 1 RSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be @@ -153,7 +153,9 @@ .Xr ssh-add 1 at login time. .It Pa $HOME/.ssh/id_dsa -Contains the DSA authentication identity of the user. +Contains the protocol version 2 DSA authentication identity of the user. +.It Pa $HOME/.ssh/id_rsa +Contains the protocol version 2 RSA authentication identity of the user. .It Pa /tmp/ssh-XXXXXXXX/agent. Unix-domain sockets used to contain the connection to the authentication agent. diff -ru openssh-2.5.2p2/ssh-agent.c openssh-2.9p1/ssh-agent.c --- openssh-2.5.2p2/ssh-agent.c 2001-03-19 09:38:16.000000000 +1100 +++ openssh-2.9p1/ssh-agent.c 2001-04-04 11:53:21.000000000 +1000 @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.52 2001/03/06 00:33:04 deraadt Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.54 2001/04/03 13:56:11 stevesk Exp $ */ /* * Author: Tatu Ylonen @@ -37,7 +37,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-agent.c,v 1.52 2001/03/06 00:33:04 deraadt Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.54 2001/04/03 13:56:11 stevesk Exp $"); #include #include 
@@ -361,25 +361,6 @@ } void -generate_additional_parameters(RSA *rsa) -{ - BIGNUM *aux; - BN_CTX *ctx; - /* Generate additional parameters */ - aux = BN_new(); - ctx = BN_CTX_new(); - - BN_sub(aux, rsa->q, BN_value_one()); - BN_mod(rsa->dmq1, rsa->d, aux, ctx); - - BN_sub(aux, rsa->p, BN_value_one()); - BN_mod(rsa->dmp1, rsa->d, aux, ctx); - - BN_clear_free(aux); - BN_CTX_free(ctx); -} - -void process_add_identity(SocketEntry *e, int version) { Key *k = NULL; @@ -582,9 +563,9 @@ sz = howmany(n+1, NFDBITS) * sizeof(fd_mask); if (*fdrp == NULL || n > *fdl) { if (*fdrp) - free(*fdrp); + xfree(*fdrp); if (*fdwp) - free(*fdwp); + xfree(*fdwp); *fdrp = xmalloc(sz); *fdwp = xmalloc(sz); *fdl = n; @@ -738,6 +719,8 @@ extern int optind; fd_set *readsetp = NULL, *writesetp = NULL; + SSLeay_add_all_algorithms(); + __progname = get_progname(av[0]); init_rng(); seed_rng(); diff -ru openssh-2.5.2p2/ssh-keygen.0 openssh-2.9p1/ssh-keygen.0 --- openssh-2.5.2p2/ssh-keygen.0 2001-03-22 16:07:07.000000000 +1100 +++ openssh-2.9p1/ssh-keygen.0 2001-04-29 22:40:32.000000000 +1000 
@@ -2,29 +2,29 @@ SSH-KEYGEN(1) System Reference Manual SSH-KEYGEN(1) NAME - ssh-keygen - authentication key generation + ssh-keygen - authentication key generation, management and conversion SYNOPSIS ssh-keygen [-q] [-b bits] [-t type] [-N new_passphrase] [-C comment] [-f output_keyfile] ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile] - ssh-keygen -x [-f input_keyfile] - ssh-keygen -X [-f input_keyfile] + ssh-keygen -i [-f input_keyfile] + ssh-keygen -e [-f input_keyfile] ssh-keygen -y [-f input_keyfile] ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile] ssh-keygen -l [-f input_keyfile] ssh-keygen -B [-f input_keyfile] DESCRIPTION - ssh-keygen generates and manages authentication keys for ssh(1). ssh- - keygen defaults to generating an RSA key for use by protocols 1.3 and - 1.5; specifying the -t option allows you to create a key for use by pro- - tocol 2.0. + ssh-keygen generates, manages and converts authentication keys for + ssh(1). ssh-keygen defaults to generating a RSA1 key for use by SSH proM-- + tocol version 1. specifying the -t option allows you to create a key for + use by SSH protocol version 2. Normally each user wishing to use SSH with RSA or DSA authentication runs - this once to create the authentication key in $HOME/.ssh/identity or - $HOME/.ssh/id_dsa. Additionally, the system administrator may use this to - generate host keys, as seen in /etc/rc. + this once to create the authentication key in $HOME/.ssh/identity, + $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa. Additionally, the system adminisM-- + trator may use this to generate host keys, as seen in /etc/rc. Normally this program generates the key and asks for a file in which to store the private key. The public key is stored in a file with the same 
@@ -37,14 +37,14 @@ changed later by using the -p option. There is no way to recover a lost passphrase. If the passphrase is lost - or forgotten, you will have to generate a new key and copy the corre- + or forgotten, you will have to generate a new key and copy the correM-- sponding public key to other machines. - For RSA, there is also a comment field in the key file that is only for - convenience to the user to help identify the key. The comment can tell - what the key is for, or whatever is useful. The comment is initialized - to ``user@host'' when the key is created, but can be changed using the -c - option. + For RSA1 keys, there is also a comment field in the key file that is only + for convenience to the user to help identify the key. The comment can + tell what the key is for, or whatever is useful. The comment is initialM-- + ized to ``user@host'' when the key is created, but can be changed using + the -c option. After a key is generated, instructions below detail where the keys should be placed to be activated. 
@@ -54,17 +54,27 @@ -b bits Specifies the number of bits in the key to create. Minimum is 512 bits. Generally 1024 bits is considered sufficient, and key - sizes above that no longer improve security but make things slow- + sizes above that no longer improve security but make things slowM-- er. The default is 1024 bits. -c Requests changing the comment in the private and public key - files. The program will prompt for the file containing the pri- + files. The program will prompt for the file containing the priM-- vate keys, for passphrase if the key has one, and for the new comment. + -e This option will read a private or public OpenSSH key file and + print the key in a `SECSH Public Key File Format' to stdout. + This option allows exporting keys for use by several commercial + SSH implementations. -f Specifies the filename of the key file. + -i This option will read an unencrypted private (or public) key file + in SSH2-compatible format and print an OpenSSH compatible private + (or public) key to stdout. ssh-keygen also reads the `SECSH + Public Key File Format'. This option allows importing keys from + several commercial SSH implementations. + -l Show fingerprint of specified private or public key file. -p Requests changing the passphrase of a private key file instead of @@ -74,9 +84,12 @@ -q Silence ssh-keygen. Used by /etc/rc when creating a new key. + -y This option will read a private OpenSSH format file and print an + OpenSSH public key to stdout. + -t type Specifies the type of the key to create. The possible values are - ``rsa1'' for protocol version 1 and ``rsa'' or ``dsa'' for proto- + ``rsa1'' for protocol version 1 and ``rsa'' or ``dsa'' for protoM-- col version 2. The default is ``rsa1''. -B Show the bubblebabble digest of specified private or public key 
@@ -91,55 +104,67 @@ -P passphrase Provides the (old) passphrase. - -x This option will read a private OpenSSH DSA format file and print - a SSH2-compatible public key to stdout. - - -X This option will read a unencrypted SSH2-compatible private (or - public) key file and print an OpenSSH compatible private (or pub- - lic) key to stdout. - - -y This option will read a private OpenSSH format file and print an - OpenSSH public key to stdout. - FILES $HOME/.ssh/identity - Contains the RSA authentication identity of the user. This file - should not be readable by anyone but the user. It is possible to - specify a passphrase when generating the key; that passphrase - will be used to encrypt the private part of this file using 3DES. - This file is not automatically accessed by ssh-keygen but it is - offered as the default file for the private key. sshd(8) will - read this file when a login attempt is made. + Contains the protocol version 1 RSA authentication identity of + the user. This file should not be readable by anyone but the usM-- + er. It is possible to specify a passphrase when generating the + key; that passphrase will be used to encrypt the private part of + this file using 3DES. This file is not automatically accessed by + ssh-keygen but it is offered as the default file for the private + key. sshd(8) will read this file when a login attempt is made. $HOME/.ssh/identity.pub - Contains the public key for authentication. The contents of this - file should be added to $HOME/.ssh/authorized_keys on all ma- - chines where you wish to log in using RSA authentication. There - is no need to keep the contents of this file secret. + Contains the protocol version 1 RSA public key for authenticaM-- + tion. The contents of this file should be added to + $HOME/.ssh/authorized_keys on all machines where you wish to log + in using RSA authentication. There is no need to keep the conM-- + tents of this file secret. 
$HOME/.ssh/id_dsa - Contains the DSA authentication identity of the user. This file - should not be readable by anyone but the user. It is possible to - specify a passphrase when generating the key; that passphrase - will be used to encrypt the private part of this file using 3DES. - This file is not automatically accessed by ssh-keygen but it is - offered as the default file for the private key. sshd(8) will - read this file when a login attempt is made. + Contains the protocol version 2 DSA authentication identity of + the user. This file should not be readable by anyone but the usM-- + er. It is possible to specify a passphrase when generating the + key; that passphrase will be used to encrypt the private part of + this file using 3DES. This file is not automatically accessed by + ssh-keygen but it is offered as the default file for the private + + key. sshd(8) will read this file when a login attempt is made. $HOME/.ssh/id_dsa.pub - Contains the public key for authentication. The contents of this - file should be added to $HOME/.ssh/authorized_keys2 on all ma- - chines where you wish to log in using public key authentication. - There is no need to keep the contents of this file secret. + Contains the protocol version 2 DSA public key for authenticaM-- + tion. The contents of this file should be added to + $HOME/.ssh/authorized_keys2 on all machines where you wish to log + in using public key authentication. There is no need to keep the + contents of this file secret. + + $HOME/.ssh/id_rsa + Contains the protocol version 2 RSA authentication identity of + the user. This file should not be readable by anyone but the usM-- + er. It is possible to specify a passphrase when generating the + key; that passphrase will be used to encrypt the private part of + this file using 3DES. This file is not automatically accessed by + ssh-keygen but it is offered as the default file for the private + key. sshd(8) will read this file when a login attempt is made. 
+ + $HOME/.ssh/id_rsa.pub + Contains the protocol version 2 RSA public key for authenticaM-- + tion. The contents of this file should be added to + $HOME/.ssh/authorized_keys2 on all machines where you wish to log + in using public key authentication. There is no need to keep the + contents of this file secret. AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo - de Raadt and Dug Song removed many bugs, re-added newer features and cre- + de Raadt and Dug Song removed many bugs, re-added newer features and creM-- ated OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. SEE ALSO ssh(1), ssh-add(1), ssh-agent(1), sshd(8) + J. Galbraith, and R. Thayer, SECSH Public Key File Format, draft-ietf- + secsh-publickeyfile-01.txt, March 2001, work in progress material. + BSD Experimental September 25, 1999 3 diff -ru openssh-2.5.2p2/ssh-keygen.1 openssh-2.9p1/ssh-keygen.1 --- openssh-2.5.2p2/ssh-keygen.1 2001-03-12 14:02:18.000000000 +1100 +++ openssh-2.9p1/ssh-keygen.1 2001-04-25 02:56:59.000000000 +1000 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.35 2001/03/11 22:33:23 markus Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.40 2001/04/23 21:57:07 markus Exp $ .\" .\" -*- nroff -*- .\" @@ -42,7 +42,7 @@ .Os .Sh NAME .Nm ssh-keygen -.Nd authentication key generation +.Nd authentication key generation, management and conversion .Sh SYNOPSIS .Nm ssh-keygen .Op Fl q @@ -57,10 +57,10 @@ .Op Fl N Ar new_passphrase .Op Fl f Ar keyfile .Nm ssh-keygen -.Fl x +.Fl i .Op Fl f Ar input_keyfile .Nm ssh-keygen -.Fl X +.Fl e .Op Fl f Ar input_keyfile .Nm ssh-keygen .Fl y 
@@ -78,20 +78,21 @@ .Op Fl f Ar input_keyfile .Sh DESCRIPTION .Nm -generates and manages authentication keys for +generates, manages and converts authentication keys for .Xr ssh 1 . .Nm -defaults to generating an RSA key for use by protocols 1.3 and 1.5; +defaults to generating a RSA1 key for use by SSH protocol version 1. specifying the .Fl t -option allows you to create a key for use by protocol 2.0. +option allows you to create a key for use by SSH protocol version 2. .Pp Normally each user wishing to use SSH with RSA or DSA authentication runs this once to create the authentication key in -.Pa $HOME/.ssh/identity +.Pa $HOME/.ssh/identity , +.Pa $HOME/.ssh/id_dsa or -.Pa $HOME/.ssh/id_dsa . +.Pa $HOME/.ssh/id_rsa . Additionally, the system administrator may use this to generate host keys, as seen in .Pa /etc/rc . @@ -118,7 +119,8 @@ lost or forgotten, you will have to generate a new key and copy the corresponding public key to other machines. .Pp -For RSA, there is also a comment field in the key file that is only for +For RSA1 keys, +there is also a comment field in the key file that is only for convenience to the user to help identify the key. The comment can tell what the key is for, or whatever is useful. The comment is initialized to 
@@ -142,8 +144,24 @@ Requests changing the comment in the private and public key files. The program will prompt for the file containing the private keys, for passphrase if the key has one, and for the new comment. +.It Fl e +This option will read a private or public OpenSSH key file and +print the key in a +.Sq SECSH Public Key File Format +to stdout. +This option allows exporting keys for use by several commercial +SSH implementations. .It Fl f Specifies the filename of the key file. +.It Fl i +This option will read an unencrypted private (or public) key file +in SSH2-compatible format and print an OpenSSH compatible private +(or public) key to stdout. +.Nm +also reads the +.Sq SECSH Public Key File Format . +This option allows importing keys from several commercial +SSH implementations. .It Fl l Show fingerprint of specified private or public key file. .It Fl p @@ -158,6 +176,9 @@ Used by .Pa /etc/rc when creating a new key. +.It Fl y +This option will read a private +OpenSSH format file and print an OpenSSH public key to stdout. .It Fl t Ar type Specifies the type of the key to create. The possible values are @@ -177,21 +198,11 @@ Provides the new passphrase. .It Fl P Ar passphrase Provides the (old) passphrase. -.It Fl x -This option will read a private -OpenSSH DSA format file and print a SSH2-compatible public key to stdout. -.It Fl X -This option will read a unencrypted -SSH2-compatible private (or public) key file and -print an OpenSSH compatible private (or public) key to stdout. -.It Fl y -This option will read a private -OpenSSH format file and print an OpenSSH public key to stdout. .El .Sh FILES .Bl -tag -width Ds .It Pa $HOME/.ssh/identity -Contains the RSA authentication identity of the user. +Contains the protocol version 1 RSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be 
@@ -202,14 +213,14 @@ .Xr sshd 8 will read this file when a login attempt is made. .It Pa $HOME/.ssh/identity.pub -Contains the public key for authentication. +Contains the protocol version 1 RSA public key for authentication. The contents of this file should be added to .Pa $HOME/.ssh/authorized_keys on all machines where you wish to log in using RSA authentication. There is no need to keep the contents of this file secret. .It Pa $HOME/.ssh/id_dsa -Contains the DSA authentication identity of the user. +Contains the protocol version 2 DSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be @@ -220,7 +231,25 @@ .Xr sshd 8 will read this file when a login attempt is made. .It Pa $HOME/.ssh/id_dsa.pub -Contains the public key for authentication. +Contains the protocol version 2 DSA public key for authentication. +The contents of this file should be added to +.Pa $HOME/.ssh/authorized_keys2 +on all machines +where you wish to log in using public key authentication. +There is no need to keep the contents of this file secret. +.It Pa $HOME/.ssh/id_rsa +Contains the protocol version 2 RSA authentication identity of the user. +This file should not be readable by anyone but the user. +It is possible to +specify a passphrase when generating the key; that passphrase will be +used to encrypt the private part of this file using 3DES. +This file is not automatically accessed by +.Nm +but it is offered as the default file for the private key. +.Xr sshd 8 +will read this file when a login attempt is made. +.It Pa $HOME/.ssh/id_rsa.pub +Contains the protocol version 2 RSA public key for authentication. The contents of this file should be added to .Pa $HOME/.ssh/authorized_keys2 on all machines 
@@ -241,3 +270,11 @@ .Xr ssh-add 1 , .Xr ssh-agent 1 , .Xr sshd 8 +.Rs +.%A J. Galbraith +.%A R. Thayer +.%T "SECSH Public Key File Format" +.%N draft-ietf-secsh-publickeyfile-01.txt +.%D March 2001 +.%O work in progress material +.Re diff -ru openssh-2.5.2p2/ssh-keygen.c openssh-2.9p1/ssh-keygen.c --- openssh-2.5.2p2/ssh-keygen.c 2001-03-19 09:38:16.000000000 +1100 +++ openssh-2.9p1/ssh-keygen.c 2001-04-25 02:59:29.000000000 +1000 @@ -12,13 +12,14 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.50 2001/03/12 22:02:02 markus Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.60 2001/04/23 22:14:13 markus Exp $"); #include #include #include "xmalloc.h" #include "key.h" +#include "rsa.h" #include "authfile.h" #include "uuencode.h" #include "buffer.h" @@ -111,19 +112,20 @@ have_identity = 1; } -int -try_load_key(char *filename, Key *k) +Key * +try_load_pem_key(char *filename) { - int success = 1; - if (!load_private_key(filename, "", k, NULL)) { - char *pass = read_passphrase("Enter passphrase: ", 1); - if (!load_private_key(filename, pass, k, NULL)) { - success = 0; - } + char *pass; + Key *prv; + + prv = key_load_private(filename, "", NULL); + if (prv == NULL) { + pass = read_passphrase("Enter passphrase: ", 1); + prv = key_load_private(filename, pass, NULL); memset(pass, 0, strlen(pass)); xfree(pass); } - return success; + return prv; } #define SSH_COM_PUBLIC_BEGIN "---- BEGIN SSH2 PUBLIC KEY ----" @@ -145,10 +147,11 @@ perror(identity_file); exit(1); } - k = key_new(KEY_UNSPEC); - if (!try_load_key(identity_file, k)) { - fprintf(stderr, "load failed\n"); - exit(1); + if ((k = key_load_public(identity_file, NULL)) == NULL) { + if ((k = try_load_pem_key(identity_file)) == NULL) { + fprintf(stderr, "load failed\n"); + exit(1); + } } key_to_blob(k, &blob, &len); fprintf(stdout, "%s\n", SSH_COM_PUBLIC_BEGIN); 
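Review bot: try_load_pem_key in the @@ -111 hunk has no header comment although it is now the loader the conversion and print paths go through; a short contract such as `/* Load the private key in filename, first with an empty passphrase, then prompting once. Returns NULL on failure; the caller owns the returned Key. */` would make the two-attempt behaviour and ownership explicit. The name also suggests a PEM-only loader, yet nothing in the body is PEM-specific, so either a more neutral name or a comment saying why "pem" is in the name would help. In the @@ -145 hunk the nested `if ((k = key_load_public(...)) == NULL) { if ((k = try_load_pem_key(...)) == NULL) {` could be a single condition, `if ((k = key_load_public(identity_file, NULL)) == NULL && (k = try_load_pem_key(identity_file)) == NULL)`, which keeps the fallback order visible on one line.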
@@ -168,8 +171,10 @@ { int bits = buffer_get_int(b); int bytes = (bits + 7) / 8; + if (buffer_len(b) < bytes) - fatal("buffer_get_bignum_bits: input buffer too small"); + fatal("buffer_get_bignum_bits: input buffer too small: " + "need %d have %d", bytes, buffer_len(b)); BN_bin2bn((u_char *)buffer_ptr(b), bytes, value); buffer_consume(b, bytes); } @@ -178,9 +183,8 @@ do_convert_private_ssh2_from_blob(char *blob, int blen) { Buffer b; - DSA *dsa; Key *key = NULL; - int ignore, magic, rlen; + int ignore, magic, rlen, ktype; char *type, *cipher; buffer_init(&b); 
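Review bot: `bits` in buffer_get_bignum_bits comes straight from the imported key blob, and the new length check only runs after `(bits + 7) / 8` has been computed, so a negative or near-INT_MAX value is fed into signed arithmetic before anything is validated. A range check on `bits` itself should precede the division, e.g. `if (bits < 0 || bits > MAX_BIGNUM_BITS /* placeholder: sane upper bound */) fatal("buffer_get_bignum_bits: bad bit count %d", bits);`. Whether a negative `bytes` is caught by the existing comparison depends on buffer_len's return type, which is not visible here, so the explicit check is the safer form. The return value of BN_bin2bn is also unchecked; a NULL result leaves `value` unset without any diagnostic.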
@@ -198,33 +202,64 @@ ignore = buffer_get_int(&b); ignore = buffer_get_int(&b); ignore = buffer_get_int(&b); - xfree(type); if (strcmp(cipher, "none") != 0) { error("unsupported cipher %s", cipher); xfree(cipher); buffer_free(&b); + xfree(type); return NULL; } xfree(cipher); - key = key_new(KEY_DSA); - dsa = key->dsa; - dsa->priv_key = BN_new(); - if (dsa->priv_key == NULL) { - error("alloc priv_key failed"); - key_free(key); + if (strstr(type, "dsa")) { + ktype = KEY_DSA; + } else if (strstr(type, "rsa")) { + ktype = KEY_RSA; + } else { + xfree(type); return NULL; } - buffer_get_bignum_bits(&b, dsa->p); - buffer_get_bignum_bits(&b, dsa->g); - buffer_get_bignum_bits(&b, dsa->q); - buffer_get_bignum_bits(&b, dsa->pub_key); - buffer_get_bignum_bits(&b, dsa->priv_key); + key = key_new_private(ktype); + xfree(type); + + switch (key->type) { + case KEY_DSA: + buffer_get_bignum_bits(&b, key->dsa->p); + buffer_get_bignum_bits(&b, key->dsa->g); + buffer_get_bignum_bits(&b, key->dsa->q); + buffer_get_bignum_bits(&b, key->dsa->pub_key); + buffer_get_bignum_bits(&b, key->dsa->priv_key); + break; + case KEY_RSA: + if (!BN_set_word(key->rsa->e, (u_long) buffer_get_char(&b))) { + buffer_free(&b); + key_free(key); + return NULL; + } + buffer_get_bignum_bits(&b, key->rsa->d); + buffer_get_bignum_bits(&b, key->rsa->n); + buffer_get_bignum_bits(&b, key->rsa->iqmp); + buffer_get_bignum_bits(&b, key->rsa->q); + buffer_get_bignum_bits(&b, key->rsa->p); + generate_additional_parameters(key->rsa); + break; + } rlen = buffer_len(&b); if(rlen != 0) - error("do_convert_private_ssh2_from_blob: remaining bytes in key blob %d", rlen); + error("do_convert_private_ssh2_from_blob: " + "remaining bytes in key blob %d", rlen); buffer_free(&b); +#ifdef DEBUG_PK + { + u_int slen; + u_char *sig, data[10] = "abcde12345"; + + key_sign(key, &sig, &slen, data, sizeof data); + key_verify(key, sig, slen, data, sizeof data); + xfree(sig); + } +#endif return key; } 
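Review bot: The unsupported-type branch (`else { xfree(type); return NULL; }`) returns without `buffer_free(&b)` and without any diagnostic, unlike the unsupported-cipher branch just above it, which frees the buffer and calls error(); the parsed buffer is leaked and the user sees only the generic load failure. Suggested: `error("unsupported key type %s", type); xfree(type); buffer_free(&b); return NULL;`. The `switch (key->type)` has no `default:`; since only KEY_DSA and KEY_RSA can reach it, a `default: fatal("do_convert_private_ssh2_from_blob: bad key type %d", key->type);` would document that assumption. The DEBUG_PK block ignores the result of key_verify, so it exercises the round trip without actually checking it.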
@@ -263,12 +298,12 @@ strstr(line, ": ") != NULL) { if (strstr(line, SSH_COM_PRIVATE_BEGIN) != NULL) private = 1; - fprintf(stderr, "ignore: %s", line); + /* fprintf(stderr, "ignore: %s", line); */ continue; } if (escaped) { escaped--; - fprintf(stderr, "escaped: %s", line); + /* fprintf(stderr, "escaped: %s", line); */ continue; } *p = '\0'; @@ -287,7 +322,9 @@ exit(1); } ok = private ? - PEM_write_DSAPrivateKey(stdout, k->dsa, NULL, NULL, 0, NULL, NULL) : + (k->type == KEY_DSA ? + PEM_write_DSAPrivateKey(stdout, k->dsa, NULL, NULL, 0, NULL, NULL) : + PEM_write_RSAPrivateKey(stdout, k->rsa, NULL, NULL, 0, NULL, NULL)) : key_write(k, stdout); if (!ok) { fprintf(stderr, "key write failed"); @@ -302,7 +339,7 @@ void do_print_public(struct passwd *pw) { - Key *k; + Key *prv; struct stat st; if (!have_identity) @@ -311,14 +348,14 @@ perror(identity_file); exit(1); } - k = key_new(KEY_UNSPEC); - if (!try_load_key(identity_file, k)) { + prv = try_load_pem_key(identity_file); + if (prv == NULL) { fprintf(stderr, "load failed\n"); exit(1); } - if (!key_write(k, stdout)) + if (!key_write(prv, stdout)) fprintf(stderr, "key_write failed"); - key_free(k); + key_free(prv); fprintf(stdout, "\n"); exit(0); } @@ -329,11 +366,11 @@ FILE *f; Key *public; char *comment = NULL, *cp, *ep, line[16*1024], *fp; - int i, skip = 0, num = 1, invalid = 1, success = 0, rep, type; + int i, skip = 0, num = 1, invalid = 1, rep, fptype; struct stat st; - type = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; - rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; + fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; + rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; if (!have_identity) ask_filename(pw, "Enter file in which the key is"); 
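Review bot: The two debug fprintf calls in the @@ -263 hunk are turned into commented-out code (`/* fprintf(stderr, "ignore: %s", line); */`) rather than removed or demoted; the logging API's debug() is available in this file, so `debug("ignore: %s", line);` keeps the trace reachable under verbose mode without leaving dead code behind. The nested conditional `ok = private ? (k->type == KEY_DSA ? ... : ...) : key_write(k, stdout);` in the @@ -287 hunk would read better as an if/else on `private` with a switch on `k->type` inside, which also gives a place to reject key types other than DSA and RSA instead of silently falling through to PEM_write_RSAPrivateKey. With NULL cipher arguments PEM_write_*PrivateKey emits the private key unencrypted; a one-line comment at that call saying this is the intended -i output format would save the next reader a check.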
@@ -341,26 +378,17 @@ perror(identity_file); exit(1); } - public = key_new(KEY_RSA1); - if (load_public_key(identity_file, public, &comment)) { - success = 1; - } else { - key_free(public); - public = key_new(KEY_UNSPEC); - if (try_load_public_key(identity_file, public, &comment)) - success = 1; - else - debug("try_load_public_key KEY_UNSPEC failed"); - } - if (success) { - fp = key_fingerprint(public, type, rep); - printf("%d %s %s\n", key_size(public), - fp, comment); + public = key_load_public(identity_file, &comment); + if (public != NULL) { + fp = key_fingerprint(public, fptype, rep); + printf("%d %s %s\n", key_size(public), fp, comment); key_free(public); xfree(comment); xfree(fp); exit(0); } + if (comment) + xfree(comment); f = fopen(identity_file, "r"); if (f != NULL) { @@ -409,15 +437,15 @@ } } comment = *cp ? cp : comment; - fp = key_fingerprint(public, type, rep); + fp = key_fingerprint(public, fptype, rep); printf("%d %s %s\n", key_size(public), fp, comment ? comment : "no comment"); xfree(fp); + key_free(public); invalid = 0; } fclose(f); } - key_free(public); if (invalid) { printf("%s is not a valid key file.\n", identity_file); exit(1); @@ -436,8 +464,6 @@ char *old_passphrase, *passphrase1, *passphrase2; struct stat st; Key *private; - Key *public; - int type = KEY_RSA1; if (!have_identity) ask_filename(pw, "Enter file in which the key is"); 
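Review bot: In do_fingerprint's new key_load_public branch, `printf("%d %s %s\n", key_size(public), fp, comment);` passes `comment` unguarded while the line-parsing loop below uses `comment ? comment : "no comment"`, and the following `xfree(comment)` is unconditional although the failure path right after it has to guard with `if (comment)`. If key_load_public can return a key without setting *comment, the first branch prints a NULL with %s; using `comment ? comment : "no comment"` and `if (comment) xfree(comment);` in both places makes the two paths consistent. Moving `key_free(public)` into the loop body in the @@ -409 hunk looks right for the line-by-line path, but the allocation of `public` inside that loop is outside the hunk, so I cannot confirm that no loop iteration leaves it allocated.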
@@ -445,28 +471,20 @@ perror(identity_file); exit(1); } - public = key_new(type); - if (!load_public_key(identity_file, public, NULL)) { - type = KEY_UNSPEC; - } else { - /* Clear the public key since we are just about to load the whole file. */ - key_free(public); - } /* Try to load the file with empty passphrase. */ - private = key_new(type); - if (!load_private_key(identity_file, "", private, &comment)) { + private = key_load_private(identity_file, "", &comment); + if (private == NULL) { if (identity_passphrase) old_passphrase = xstrdup(identity_passphrase); else old_passphrase = read_passphrase("Enter old passphrase: ", 1); - if (!load_private_key(identity_file, old_passphrase, private, &comment)) { - memset(old_passphrase, 0, strlen(old_passphrase)); - xfree(old_passphrase); + private = key_load_private(identity_file, old_passphrase , &comment); + memset(old_passphrase, 0, strlen(old_passphrase)); + xfree(old_passphrase); + if (private == NULL) { printf("Bad passphrase.\n"); exit(1); } - memset(old_passphrase, 0, strlen(old_passphrase)); - xfree(old_passphrase); } printf("Key has comment '%s'\n", comment); @@ -494,9 +512,8 @@ } /* Save the file using the new passphrase. */ - if (!save_private_key(identity_file, passphrase1, private, comment)) { - printf("Saving the key failed: %s: %s.\n", - identity_file, strerror(errno)); + if (!key_save_private(private, identity_file, passphrase1, comment)) { + printf("Saving the key failed: %s.\n", identity_file); memset(passphrase1, 0, strlen(passphrase1)); xfree(passphrase1); key_free(private); @@ -520,7 +537,8 @@ do_change_comment(struct passwd *pw) { char new_comment[1024], *comment, *passphrase; - Key *private, *public; + Key *private; + Key *public; struct stat st; FILE *f; int fd; 
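Review bot: The error message in the @@ -494 hunk drops `strerror(errno)` (`printf("Saving the key failed: %s.\n", identity_file);`), so a failed save no longer tells the user whether it was a permission, disk or passphrase problem; the same reduction appears in the @@ -577 hunk and the @@ -823 hunk. If key_save_private leaves errno meaningful, restoring `"Saving the key failed: %s: %s.\n", identity_file, strerror(errno)` is the simplest fix; otherwise key_save_private should report the reason itself. Minor: `key_load_private(identity_file, old_passphrase , &comment)` has a stray space before the comma.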
@@ -531,21 +549,8 @@ perror(identity_file); exit(1); } - /* - * Try to load the public key from the file the verify that it is - * readable and of the proper format. - */ - public = key_new(KEY_RSA1); - if (!load_public_key(identity_file, public, NULL)) { - printf("%s is not a valid key file.\n", identity_file); - printf("Comments are only supported in RSA1 keys\n"); - exit(1); - } - - private = key_new(KEY_RSA1); - if (load_private_key(identity_file, "", private, &comment)) - passphrase = xstrdup(""); - else { + private = key_load_private(identity_file, "", &comment); + if (private == NULL) { if (identity_passphrase) passphrase = xstrdup(identity_passphrase); else if (identity_new_passphrase) @@ -553,13 +558,21 @@ else passphrase = read_passphrase("Enter passphrase: ", 1); /* Try to load using the passphrase. */ - if (!load_private_key(identity_file, passphrase, private, &comment)) { + private = key_load_private(identity_file, passphrase, &comment); + if (private == NULL) { memset(passphrase, 0, strlen(passphrase)); xfree(passphrase); printf("Bad passphrase.\n"); exit(1); } + } else { + passphrase = xstrdup(""); } + if (private->type != KEY_RSA1) { + fprintf(stderr, "Comments are only supported for RSA1 keys.\n"); + key_free(private); + exit(1); + } printf("Key now has comment '%s'\n", comment); if (identity_comment) { @@ -577,9 +590,8 @@ } /* Save the file using the new passphrase. */ - if (!save_private_key(identity_file, passphrase, private, new_comment)) { - printf("Saving the key failed: %s: %s.\n", - identity_file, strerror(errno)); + if (!key_save_private(private, identity_file, passphrase, new_comment)) { + printf("Saving the key failed: %s.\n", identity_file); memset(passphrase, 0, strlen(passphrase)); xfree(passphrase); key_free(private); @@ -588,6 +600,7 @@ } memset(passphrase, 0, strlen(passphrase)); xfree(passphrase); + public = key_from_private(private); key_free(private); strlcat(identity_file, ".pub", sizeof(identity_file)); 
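Review bot: The new RSA1-only check (`if (private->type != KEY_RSA1) { ...; key_free(private); exit(1); }`) exits without clearing `passphrase`, whereas the neighbouring "Bad passphrase" path and the save-failure path both do `memset(passphrase, 0, strlen(passphrase)); xfree(passphrase);` first. For consistency the check should add `memset(passphrase, 0, strlen(passphrase)); xfree(passphrase);` before `key_free(private)`. `public = key_from_private(private);` in the @@ -588 hunk is not checked for NULL; whether key_from_private can fail is not visible here, and its use of `public` lies below the hunk, as does the rest of do_change_comment.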
@@ -616,7 +629,7 @@ void usage(void) { - printf("Usage: %s [-lpqxXyc] [-t type] [-b bits] [-f file] [-C comment] " + printf("Usage: %s [-ceilpqyB] [-t type] [-b bits] [-f file] [-C comment] " "[-N new-pass] [-P pass]\n", __progname); exit(1); } @@ -654,7 +667,7 @@ exit(1); } - while ((opt = getopt(ac, av, "dqpclBRxXyb:f:t:P:N:C:")) != -1) { + while ((opt = getopt(ac, av, "deiqpclBRxXyb:f:t:P:N:C:")) != -1) { switch (opt) { case 'b': bits = atoi(optarg); @@ -706,11 +719,15 @@ exit(0); break; + case 'e': case 'x': + /* export key */ convert_to_ssh2 = 1; break; + case 'i': case 'X': + /* import key */ convert_from_ssh2 = 1; break; @@ -823,9 +840,8 @@ } /* Save the key with the given passphrase and comment. */ - if (!save_private_key(identity_file, passphrase1, private, comment)) { - printf("Saving the key failed: %s: %s.\n", - identity_file, strerror(errno)); + if (!key_save_private(private, identity_file, passphrase1, comment)) { + printf("Saving the key failed: %s.\n", identity_file); memset(passphrase1, 0, strlen(passphrase1)); xfree(passphrase1); exit(1); diff -ru openssh-2.5.2p2/ssh-keyscan.0 openssh-2.9p1/ssh-keyscan.0 --- openssh-2.5.2p2/ssh-keyscan.0 2001-03-22 16:07:07.000000000 +1100 +++ openssh-2.9p1/ssh-keyscan.0 2001-04-29 22:40:32.000000000 +1000 
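Review bot: usage() now advertises `[-ceilpqyB]`, but the getopt string still contains `x` and `X` and the option cases still accept them, so the old spellings survive undocumented while the man page entries for -x/-X are removed in this same change. A comment at `case 'x':` such as `/* -x/-X are the pre-2.9 names for -e/-i, kept for compatibility */` would record that this is deliberate; otherwise the letters should be dropped from getopt along with the documentation. The getopt string also lists `d` and `R`, which the usage line omits; whether they are still handled is outside the hunks shown here.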
@@ -8,22 +8,22 @@ ssh-keyscan [-t timeout] [-- | host | addrlist namelist] [-f files ...] DESCRIPTION - ssh-keyscan is a utility for gathering the public ssh host keys of a num- + ssh-keyscan is a utility for gathering the public ssh host keys of a numM-- ber of hosts. It was designed to aid in building and verifying ssh_known_hosts files. ssh-keyscan provides a minimal interface suitable for use by shell and perl scripts. - ssh-keyscan uses non-blocking socket I/O to contact as many hosts as pos- + ssh-keyscan uses non-blocking socket I/O to contact as many hosts as posM-- sible in parallel, so it is very efficient. The keys from a domain of 1,000 hosts can be collected in tens of seconds, even when some of those hosts are down or do not run ssh. You do not need login access to the - machines you are scanning, nor does does the scanning process involve any - encryption. + machines you are scanning, nor does the scanning process involve any enM-- + cryption. SECURITY If you make an ssh_known_hosts file using ssh-keyscan without verifying the keys, you will be vulnerable to attacks. On the other hand, if your - security model allows such a risk, ssh-keyscan can help you detect tam- + security model allows such a risk, ssh-keyscan can help you detect tamM-- pered keyfiles or man in the middle attacks which have begun after you created your ssh_known_hosts file. @@ -31,7 +31,7 @@ -t Set the timeout for connection attempts. If timeout seconds have elapsed since a connection was initiated to a host or since the last time anything was read from that host, then the connection - is closed and the host in question considered unavailable. De- + is closed and the host in question considered unavailable. DeM-- fault is 5 seconds. -f Read hosts or addrlist namelist pairs from this file, one per 
@@ -50,7 +50,7 @@ diff ssh_known_hosts - FILES - Input format: 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.do- + Input format: 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.doM-- main,n,1.2.3.4,1.2.4.4 Output format: host-or-namelist bits exponent modulus diff -ru openssh-2.5.2p2/ssh-keyscan.1 openssh-2.9p1/ssh-keyscan.1 --- openssh-2.5.2p2/ssh-keyscan.1 2001-03-05 17:50:48.000000000 +1100 +++ openssh-2.9p1/ssh-keyscan.1 2001-04-20 06:31:02.000000000 +1000 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keyscan.1,v 1.4 2001/03/01 03:38:33 deraadt Exp $ +.\" $OpenBSD: ssh-keyscan.1,v 1.5 2001/04/18 16:21:05 ian Exp $ .\" .\" Copyright 1995, 1996 by David Mazieres . .\" @@ -33,7 +33,7 @@ parallel, so it is very efficient. The keys from a domain of 1,000 hosts can be collected in tens of seconds, even when some of those hosts are down or do not run ssh. You do not need login access to the -machines you are scanning, nor does does the scanning process involve +machines you are scanning, nor does the scanning process involve any encryption. .Sh SECURITY If you make an ssh_known_hosts file using diff -ru openssh-2.5.2p2/ssh-rsa.c openssh-2.9p1/ssh-rsa.c --- openssh-2.5.2p2/ssh-rsa.c 2001-02-09 13:11:25.000000000 +1100 +++ openssh-2.9p1/ssh-rsa.c 2001-03-29 10:32:57.000000000 +1000 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-rsa.c,v 1.6 2001/02/08 19:30:52 itojun Exp $"); +RCSID("$OpenBSD: ssh-rsa.c,v 1.8 2001/03/27 10:57:00 markus Exp $"); #include #include @@ -34,6 +34,7 @@ #include "bufaux.h" #include "key.h" #include "ssh-rsa.h" +#include "compat.h" /* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */ int 
@@ -42,27 +43,32 @@ u_char **sigp, int *lenp, u_char *data, int datalen) { - EVP_MD *evp_md = EVP_sha1(); + const EVP_MD *evp_md; EVP_MD_CTX md; u_char *digest, *sig, *ret; u_int slen, dlen, len; - int ok; + int ok, nid; Buffer b; if (key == NULL || key->type != KEY_RSA || key->rsa == NULL) { error("ssh_rsa_sign: no RSA key"); return -1; } - slen = RSA_size(key->rsa); - sig = xmalloc(slen); - + nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1; + if ((evp_md = EVP_get_digestbynid(nid)) == NULL) { + error("ssh_rsa_sign: EVP_get_digestbynid %d failed", nid); + return -1; + } dlen = evp_md->md_size; digest = xmalloc(dlen); EVP_DigestInit(&md, evp_md); EVP_DigestUpdate(&md, data, datalen); EVP_DigestFinal(&md, digest, NULL); - ok = RSA_sign(NID_sha1, digest, dlen, sig, &len, key->rsa); + slen = RSA_size(key->rsa); + sig = xmalloc(slen); + + ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa); memset(digest, 'd', dlen); xfree(digest); @@ -108,13 +114,12 @@ u_char *data, int datalen) { Buffer b; - EVP_MD *evp_md = EVP_sha1(); + const EVP_MD *evp_md; EVP_MD_CTX md; char *ktype; u_char *sigblob, *digest; u_int len, dlen; - int rlen; - int ret; + int rlen, ret, nid; if (key == NULL || key->type != KEY_RSA || key->rsa == NULL) { error("ssh_rsa_verify: no RSA key"); 
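Review bot: The digest selection `nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;` in ssh_rsa_sign has no comment, and the same line is repeated verbatim in ssh_rsa_verify (the @@ -139 hunk); since it picks a weaker hash based on a peer-compatibility flag, it deserves a one-line explanation such as `/* SSH_BUG_RSASIGMD5: peer uses MD5 instead of SHA1 for ssh-rsa signatures */`. A small `static int ssh_rsa_nid(void)` returning that expression would let sign and verify share it so the two cannot drift apart. The EVP_Digest* calls are unchecked, consistent with the rest of the file, so nothing to change there; ssh_rsa_sign's body continues past the end of the hunk, so the RSA_sign result handling is not visible here.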
@@ -139,17 +144,23 @@ rlen = buffer_len(&b); buffer_free(&b); if(rlen != 0) { + xfree(sigblob); error("ssh_rsa_verify: remaining bytes in signature %d", rlen); return -1; } - + nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1; + if ((evp_md = EVP_get_digestbynid(nid)) == NULL) { + xfree(sigblob); + error("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid); + return -1; + } dlen = evp_md->md_size; digest = xmalloc(dlen); EVP_DigestInit(&md, evp_md); EVP_DigestUpdate(&md, data, datalen); EVP_DigestFinal(&md, digest, NULL); - ret = RSA_verify(NID_sha1, digest, dlen, sigblob, len, key->rsa); + ret = RSA_verify(nid, digest, dlen, sigblob, len, key->rsa); memset(digest, 'd', dlen); xfree(digest); memset(sigblob, 's', len); diff -ru openssh-2.5.2p2/ssh.0 openssh-2.9p1/ssh.0 --- openssh-2.5.2p2/ssh.0 2001-03-22 16:07:08.000000000 +1100 +++ openssh-2.9p1/ssh.0 2001-04-29 22:40:33.000000000 +1000 @@ -15,12 +15,12 @@ DESCRIPTION ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin - and rsh, and provide secure encrypted communications between two untrust- + and rsh, and provide secure encrypted communications between two untrustM-- ed hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. ssh connects and logs into the specified hostname. The user must prove - his/her identity to the remote machine using one of several methods de- + his/her identity to the remote machine using one of several methods deM-- pending on the protocol version used: SSH protocol version 1 
@@ -34,16 +34,16 @@ This form of authentication alone is normally not allowed by the server because it is not secure. - The second (and primary) authentication method is the rhosts or - hosts.equiv method combined with RSA-based host authentication. It means - that if the login would be permitted by $HOME/.rhosts, $HOME/.shosts, - /etc/hosts.equiv, or /etc/shosts.equiv, and if additionally the server - can verify the client's host key (see /etc/ssh_known_hosts and - $HOME/.ssh/known_hosts in the FILES section), only then login is permit- - ted. This authentication method closes security holes due to IP spoof- - ing, DNS spoofing and routing spoofing. [Note to the administrator: - /etc/hosts.equiv, $HOME/.rhosts, and the rlogin/rsh protocol in general, - are inherently insecure and should be disabled if security is desired.] + The second authentication method is the rhosts or hosts.equiv method comM-- + bined with RSA-based host authentication. It means that if the login + would be permitted by $HOME/.rhosts, $HOME/.shosts, /etc/hosts.equiv, or + /etc/shosts.equiv, and if additionally the server can verify the client's + host key (see /etc/ssh_known_hosts and $HOME/.ssh/known_hosts in the + FILES section), only then login is permitted. This authentication method + closes security holes due to IP spoofing, DNS spoofing and routing spoofM-- + ing. [Note to the administrator: /etc/hosts.equiv, $HOME/.rhosts, and + the rlogin/rsh protocol in general, are inherently insecure and should be + disabled if security is desired.] As a third authentication method, ssh supports RSA based authentication. The scheme is based on public-key cryptography: there are cryptosystems 
@@ -58,7 +58,7 @@ checks if this key is permitted, and if so, sends the user (actually the ssh program running on behalf of the user) a challenge, a random number, encrypted by the user's public key. The challenge can only be decrypted - using the proper private key. The user's client then decrypts the chal- + using the proper private key. The user's client then decrypts the chalM-- lenge using the private key, proving that he/she knows the private key but without disclosing it to the server. 
@@ -71,78 +71,100 @@ directory on the remote machine (the authorized_keys file corresponds to the conventional $HOME/.rhosts file, and has one key per line, though the lines can be very long). After this, the user can log in without giving - the password. RSA authentication is much more secure than rhosts authen- + the password. RSA authentication is much more secure than rhosts authenM-- tication. - The most convenient way to use RSA authentication may be with an authen- + The most convenient way to use RSA authentication may be with an authenM-- tication agent. See ssh-agent(1) for more information. - If other authentication methods fail, ssh prompts the user for a pass- + If other authentication methods fail, ssh prompts the user for a passM-- word. The password is sent to the remote host for checking; however, since all communications are encrypted, the password cannot be seen by someone listening on the network. SSH protocol version 2 - When a user connects using the protocol version 2 different authentica- - tion methods are available: At first, the client attempts to authenticate - using the public key method. If this method fails password authentica- - tion is tried. + When a user connects using the protocol version 2 different authenticaM-- + tion methods are available. Using the default values for + PreferredAuthentications, the client will try to authenticate first using + the public key method; if this method fails password authentication is + attempted, and finally if this method fails keyboard-interactive authenM-- + tication is attempted. If this method fails password authentication is + tried. The public key method is similar to RSA authentication described in the - previous section except that the DSA or RSA algorithm is used instead. - The client uses his private key $HOME/.ssh/id_dsa to sign the session - identifier and sends the result to the server. 
The server checks whether - the matching public key is listed in $HOME/.ssh/authorized_keys2 and - grants access if both the key is found and the signature is correct. The - session identifier is derived from a shared Diffie-Hellman value and is - only known to the client and the server. + previous section and allows the RSA or DSA algorithm to be used: The + client uses his private key, $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa, to + sign the session identifier and sends the result to the server. The + server checks whether the matching public key is listed in + $HOME/.ssh/authorized_keys2 and grants access if both the key is found + and the signature is correct. The session identifier is derived from a + shared Diffie-Hellman value and is only known to the client and the servM-- + er. If public key authentication fails or is not available a password can be - sent encrypted to the remote host for proving the user's identity. This - protocol 2 implementation does not yet support Kerberos or S/Key authen- - tication. + sent encrypted to the remote host for proving the user's identity. + + Additionally, ssh supports hostbased or challenge response authenticaM-- + tion. - Protocol 2 provides additional mechanisms for confidentiality (the traf- + Protocol 2 provides additional mechanisms for confidentiality (the trafM-- fic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) and integrity (hmac-md5, hmac-sha1). Note that protocol 1 lacks a strong mechanism for ensuring the integrity of the connection. Login session and remote execution - When the user's identity has been accepted by the server, the server ei- + When the user's identity has been accepted by the server, the server eiM-- ther executes the given command, or logs into the machine and gives the user a normal shell on the remote machine. All communication with the remote command or shell will be automatically encrypted. 
If a pseudo-terminal has been allocated (normal login session), the user - can disconnect with ~., and suspend ssh with ~^Z. All forwarded connec- - tions can be listed with ~# and if the session blocks waiting for for- - warded X11 or TCP/IP connections to terminate, it can be backgrounded - with ~& (this should not be used while the user shell is active, as it - can cause the shell to hang). All available escapes can be listed with - ~?. - - A single tilde character can be sent as ~~ (or by following the tilde by - a character other than those described above). The escape character must - always follow a newline to be interpreted as special. The escape charac- - ter can be changed in configuration files or on the command line. - + may use the escape characters noted below. If no pseudo tty has been allocated, the session is transparent and can be used to reliably transfer binary data. On most systems, setting the escape character to ``none'' will also make the session transparent even if a tty is used. + The session terminates when the command or shell on the remote machine - exits and all X11 and TCP/IP connections have been closed. The exit sta- + exits and all X11 and TCP/IP connections have been closed. The exit staM-- tus of the remote program is returned as the exit status of ssh. + Escape Characters + + When a pseudo terminal has been requested, ssh supports a number of funcM-- + tions through the use of an escape character. + + A single tilde character can be sent as ~~ (or by following the tilde by + a character other than those described above). The escape character must + always follow a newline to be interpreted as special. The escape characM-- + ter can be changed in configuration files using the EscapeChar configuraM-- + tion directive or on the command line by the -e option. + + The supported escapes (assuming the default `~') are: + + ~. 
Disconnect + + ~^Z Background ssh + + ~# List forwarded connections + + ~& Background ssh at logout when waiting for forwarded connection / + X11 sessions to terminate (protocol version 1 only) + + ~? Display a list of escape characters + + ~R Request rekeying of the connection (only useful for SSH protocol + version 2 and if the peer supports it) + X11 and TCP forwarding If the user is using X11 (the DISPLAY environment variable is set), the connection to the X11 display is automatically forwarded to the remote - side in such a way that any X11 programs started from the shell (or com- + side in such a way that any X11 programs started from the shell (or comM-- mand) will go through the encrypted channel, and the connection to the real X server will be made from the local machine. The user should not manually set DISPLAY. Forwarding of X11 connections can be configured on 
@@ -165,21 +187,21 @@ line or in a configuration file. Forwarding of arbitrary TCP/IP connections over the secure channel can be - specified either on command line or in a configuration file. One possi- - ble application of TCP/IP forwarding is a secure connection to an elec- + specified either on command line or in a configuration file. One possiM-- + ble application of TCP/IP forwarding is a secure connection to an elecM-- tronic purse; another is going through firewalls. Server authentication - ssh automatically maintains and checks a database containing identifica- + ssh automatically maintains and checks a database containing identificaM-- tions for all hosts it has ever been used with. RSA host keys are stored in $HOME/.ssh/known_hosts and host keys used in the protocol version 2 - are stored in $HOME/.ssh/known_hosts2 in the user's home directory. Ad- + are stored in $HOME/.ssh/known_hosts2 in the user's home directory. AdM-- ditionally, the files /etc/ssh_known_hosts and /etc/ssh_known_hosts2 are automatically checked for known hosts. Any new hosts are automatically added to the user's file. If a host's identification ever changes, ssh warns about this and disables password authentication to prevent a trojan - horse from getting the user's password. Another purpose of this mecha- + horse from getting the user's password. Another purpose of this mechaM-- nism is to prevent man-in-the-middle attacks which could otherwise be used to circumvent the encryption. The StrictHostKeyChecking option (see below) can be used to prevent logins to machines whose host key is not 
@@ -216,7 +238,7 @@ fully transparent. -f Requests ssh to go to background just before command execution. - This is useful if ssh is going to ask for passwords or passphras- + This is useful if ssh is going to ask for passwords or passphrasM-- es, but the user wants it in the background. This implies -n. The recommended way to start X11 programs at a remote site is with something like ssh -f host xterm. @@ -245,9 +267,9 @@ -n Redirects stdin from /dev/null (actually, prevents reading from stdin). This must be used when ssh is run in the background. A - common trick is to use this to run X11 programs on a remote ma- + common trick is to use this to run X11 programs on a remote maM-- chine. For example, ssh -n shadows.cs.hut.fi emacs & will start - an emacs on shadows.cs.hut.fi, and the X11 connection will be au- + an emacs on shadows.cs.hut.fi, and the X11 connection will be auM-- tomatically forwarded over an encrypted channel. The ssh program will be put in the background. (This does not work if ssh needs to ask for a password or passphrase; see also the -f option.) @@ -259,8 +281,6 @@ Can be used to give options in the format used in the config file. This is useful for specifying options for which there is no separate command-line flag. The option has the same format as - - a line in the configuration file. -p port 
@@ -276,12 +296,12 @@ suppressed. Only fatal errors are displayed. -s May be used to request invocation of a subsystem on the remote - system. Subsystems are a feature of the SSH2 protocol which fa- - cilitate the use of SSH as a secure transport for other applica- - tion (eg. sftp). The subsystem is specified as the remote com- + system. Subsystems are a feature of the SSH2 protocol which faM-- + cilitate the use of SSH as a secure transport for other applicaM-- + tion (eg. sftp). The subsystem is specified as the remote comM-- mand. - -t Force pseudo-tty allocation. This can be used to execute arbi- + -t Force pseudo-tty allocation. This can be used to execute arbiM-- trary screen-based programs on a remote machine, which can be very useful, e.g., when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty. @@ -289,7 +309,7 @@ -T Disable pseudo-tty allocation. -v Verbose mode. Causes ssh to print debugging messages about its - progress. This is helpful in debugging connection, authentica- + progress. This is helpful in debugging connection, authenticaM-- tion, and configuration problems. Multiple -v options increases the verbosity. Maximum is 3. @@ -304,7 +324,9 @@ ``level'' can be controlled by the CompressionLevel option (see below). Compression is desirable on modem lines and other slow connections, but will only slow down things on fast networks. - The default value can be set on a host-by-host basis in the con- + The default value can be set on a host-by-host basis in the conM-- + + figuration files; see the Compress option below. -L port:host:hostport 
@@ -314,7 +336,7 @@ and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can - also be specified in the configuration file. Only root can for- + also be specified in the configuration file. Only root can forM-- ward privileged ports. IPv6 addresses can be specified with an alternative syntax: port/host/hostport @@ -322,13 +344,13 @@ Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. This works by allocating a socket to listen to port on the remote - side, and whenever a connection is made to this port, the connec- + side, and whenever a connection is made to this port, the connecM-- tion is forwarded over the secure channel, and a connection is - made to host port hostport from the local machine. Port forward- + made to host port hostport from the local machine. Port forwardM-- ings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote - - machine. + machine. IPv6 addresses can be specified with an alternative + syntax: port/host/hostport -1 Forces ssh to try protocol version 1 only. @@ -339,7 +361,7 @@ -6 Forces ssh to use IPv6 addresses only. CONFIGURATION FILES - ssh obtains configuration data from the following sources (in this or- + ssh obtains configuration data from the following sources (in this orM-- der): command line options, user's configuration file ($HOME/.ssh/config), and system-wide configuration file (/etc/ssh_config). For each parameter, the first obtained value will be 
@@ -348,7 +370,7 @@ of the patterns given in the specification. The matched host name is the one given on the command line. - Since the first obtained value for each parameter is used, more host-spe- + Since the first obtained value for each parameter is used, more host-speM-- cific declarations should be given near the beginning of the file, and general defaults at the end. @@ -360,7 +382,7 @@ keywords and their meanings are as follows (note that the configuration files are case-sensitive): - Host Restricts the following declarations (up to the next Host key- + Host Restricts the following declarations (up to the next Host keyM-- word) to be only for those hosts that match one of the patterns given after the keyword. `*' and `?' can be used as wildcards in the patterns. A single `*' as a pattern can be used to provide 
@@ -369,60 +391,58 @@ canonicalized host name before matching). AFSTokenPassing - Specifies whether to pass AFS tokens to remote host. The argu- - ment to this keyword must be ``yes'' or ``no''. + Specifies whether to pass AFS tokens to remote host. The arguM-- + ment to this keyword must be ``yes'' or ``no''. This option apM-- + + plies to protocol version 1 only. BatchMode If set to ``yes'', passphrase/password querying will be disabled. This option is useful in scripts and other batch jobs where you have no user to supply the password. The argument must be - ``yes'' or ``no''. + ``yes'' or ``no''. The default is ``no''. CheckHostIP If this flag is set to ``yes'', ssh will additionally check the - host ip address in the known_hosts file. This allows ssh to de- + host IP address in the known_hosts file. This allows ssh to deM-- tect if a host key changed due to DNS spoofing. If the option is - set to ``no'', the check will not be executed. + set to ``no'', the check will not be executed. The default is + ``yes''. - Cipher Specifies the cipher to use for encrypting the session in proto- - col version 1. Currently, ``blowfish'' and ``3des'' are support- + Cipher Specifies the cipher to use for encrypting the session in protoM-- + col version 1. Currently, ``blowfish'' and ``3des'' are supportM-- ed. The default is ``3des''. Ciphers Specifies the ciphers allowed for protocol version 2 in order of - preference. Multiple ciphers must be comma-separated. The de- + preference. Multiple ciphers must be comma-separated. The deM-- fault is - ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, - aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc, - rijndael256-cbc,rijndael-cbc@lysator.liu.se'' + aes192-cbc,aes256-cbc'' Compression Specifies whether to use compression. The argument must be - ``yes'' or ``no''. + ``yes'' or ``no''. The default is ``no''. CompressionLevel - Specifies the compression level to use if compression is enable. 
+ Specifies the compression level to use if compression is enabled. The argument must be an integer from 1 (fast) to 9 (slow, best). The default level is 6, which is good for most applications. The - meaning of the values is the same as in gzip(1). + meaning of the values is the same as in gzip(1). Note that this + option applies to protocol version 1 only. ConnectionAttempts Specifies the number of tries (one per second) to make before falling back to rsh or exiting. The argument must be an integer. This may be useful in scripts if the connection sometimes fails. - - PubkeyAuthentication - Specifies whether to try public key authentication. The argument - to this keyword must be ``yes'' or ``no''. Note that this option - applies to protocol version 2 only. + The default is 4. EscapeChar Sets the escape character (default: `~'). The escape character can also be set on the command line. The argument should be a - single character, `^' followed by a letter, or ``none'' to dis- - able the escape character entirely (making the connection trans- + single character, `^' followed by a letter, or ``none'' to disM-- + able the escape character entirely (making the connection transM-- parent for binary data). FallBackToRsh @@ -430,7 +450,7 @@ refused error (there is no sshd(8) listening on the remote host), rsh(1) should automatically be used instead (after a suitable warning about the session being unencrypted). The argument must - be ``yes'' or ``no''. + be ``yes'' or ``no''. The default is ``no''. ForwardAgent Specifies whether the connection to the authentication agent (if 
@@ -438,13 +458,13 @@ be ``yes'' or ``no''. The default is ``no''. ForwardX11 - Specifies whether X11 connections will be automatically redirect- + Specifies whether X11 connections will be automatically redirectM-- ed over the secure channel and DISPLAY set. The argument must be ``yes'' or ``no''. The default is ``no''. GatewayPorts Specifies whether remote hosts are allowed to connect to local - forwarded ports. The argument must be ``yes'' or ``no''. The de- + forwarded ports. The argument must be ``yes'' or ``no''. The deM-- fault is ``no''. GlobalKnownHostsFile 
@@ -455,35 +475,45 @@ Specifies a file to use for the protocol version 2 global host key database instead of /etc/ssh_known_hosts2. + HostbasedAuthentication + Specifies whether to try rhosts based authentication with public + key authentication. The argument must be ``yes'' or ``no''. The + default is ``yes''. This option applies to protocol version 2 onM-- + ly and is similar to RhostsRSAAuthentication. + + HostKeyAlgorithms + Specfies the protocol version 2 host key algorithms that the + client wants to use in order of preference. The default for this + option is: ``ssh-rsa,ssh-dss'' + HostKeyAlias Specifies an alias that should be used instead of the real host - name when looking up or saving the host key in the known_hosts - files. This option is useful for tunneling ssh connections or if - - you have multiple servers running on a single host. + name when looking up or saving the host key in the host key + database files. This option is useful for tunneling ssh connecM-- + tions or if you have multiple servers running on a single host. HostName Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. Default is the name given on the command line. Numeric IP addresses are also - permitted (both on the command line and in HostName specifica- + permitted (both on the command line and in HostName specificaM-- tions). IdentityFile - Specifies the file from which the user's RSA authentication iden- - tity is read (default $HOME/.ssh/identity in the user's home di- - rectory). Additionally, any identities represented by the au- - thentication agent will be used for authentication. The file - name may use the tilde syntax to refer to a user's home directo- + Specifies the file from which the user's RSA or DSA authenticaM-- + tion identity is read (default $HOME/.ssh/identity in the user's + home directory). Additionally, any identities represented by the + authentication agent will be used for authentication. 
The file + name may use the tilde syntax to refer to a user's home directoM-- ry. It is possible to have multiple identity files specified in - configuration files; all these identities will be tried in se- + configuration files; all these identities will be tried in seM-- quence. KeepAlive Specifies whether the system should send keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, - this means that connections will die if the route is down tem- + this means that connections will die if the route is down temM-- porarily, and some people find it annoying. The default is ``yes'' (to send keepalives), and the client will @@ -494,7 +524,8 @@ the server and the client configuration files. KerberosAuthentication - Specifies whether Kerberos authentication will be used. The ar- + Specifies whether Kerberos authentication will be used. The arM-- + gument to this keyword must be ``yes'' or ``no''. KerberosTgtPassing @@ -505,7 +536,7 @@ LocalForward Specifies that a TCP/IP port on the local machine be forwarded - over the secure channel to given host:port from the remote ma- + over the secure channel to given host:port from the remote maM-- chine. The first argument must be a port number, and the second must be host:port. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only @@ -516,7 +547,7 @@ ssh. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. The default is INFO. - MACs Specifies the MAC (message authentication code) algorithms in or- + MACs Specifies the MAC (message authentication code) algorithms in orM-- der of preference. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. The default is 
@@ -524,22 +555,20 @@ ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com, hmac-sha1-96,hmac-md5-96'' - - NumberOfPasswordPrompts Specifies the number of password prompts before giving up. The argument to this keyword must be an integer. Default is 3. PasswordAuthentication Specifies whether to use password authentication. The argument - to this keyword must be ``yes'' or ``no''. Note that this option - applies to both protocol version 1 and 2. + to this keyword must be ``yes'' or ``no''. The default is + ``yes''. Port Specifies the port number to connect on the remote host. Default is 22. PreferredAuthentications - Specifies the order in which the client should try protocol 2 au- + Specifies the order in which the client should try protocol 2 auM-- thentication methods. This allows a client to prefer one method (e.g. keyboard-interactive) over another method (e.g. password) The default for this option is: ``publickey, password, keyboard- 
@@ -548,26 +577,31 @@ Protocol Specifies the protocol versions ssh should support in order of preference. The possible values are ``1'' and ``2''. Multiple - versions must be comma-separated. The default is ``1,2''. This - means that ssh tries version 1 and falls back to version 2 if - version 1 is not available. + versions must be comma-separated. The default is ``2,1''. This + means that ssh tries version 2 and falls back to version 1 if + version 2 is not available. ProxyCommand - Specifies the command to use to connect to the server. The com- + Specifies the command to use to connect to the server. The comM-- mand string extends to the end of the line, and is executed with /bin/sh. In the command string, `%h' will be substituted by the host name to connect and `%p' by the port. The command can be basically anything, and should read from its standard input and write to its standard output. It should eventually connect an - sshd(8) server running on some machine, or execute sshd -i some- + sshd(8) server running on some machine, or execute sshd -i someM-- where. Host key management will be done using the HostName of - the host being connected (defaulting to the name typed by the us- + the host being connected (defaulting to the name typed by the usM-- er). Note that CheckHostIP is not available for connects with a proxy command. + PubkeyAuthentication + Specifies whether to try public key authentication. The argument + to this keyword must be ``yes'' or ``no''. The default is + ``yes''. This option applies to protocol version 2 only. + RemoteForward Specifies that a TCP/IP port on the remote machine be forwarded - over the secure channel to given host:port from the local ma- + over the secure channel to given host:port from the local maM-- chine. The first argument must be a port number, and the second must be host:port. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only 
@@ -576,27 +610,29 @@ RhostsAuthentication Specifies whether to try rhosts based authentication. Note that this declaration only affects the client side and has no effect - whatsoever on security. Disabling rhosts authentication may re- - duce authentication time on slow connections when rhosts authen- - tication is not used. Most servers do not permit RhostsAuthenti- - cation because it is not secure (see RhostsRSAAuthentication). - The argument to this keyword must be ``yes'' or ``no''. + whatsoever on security. Disabling rhosts authentication may reM-- + duce authentication time on slow connections when rhosts authenM-- + tication is not used. Most servers do not permit RhostsAuthentiM-- + cation because it is not secure (see RhostsRSAAuthentication ). + The argument to this keyword must be ``yes'' or ``no''. The deM-- + fault is ``yes''. This option applies to protocol version 1 only. RhostsRSAAuthentication Specifies whether to try rhosts based authentication with RSA - host authentication. This is the primary authentication method - for most sites. The argument must be ``yes'' or ``no''. + host authentication. The argument must be ``yes'' or ``no''. The + default is ``yes''. This option applies to protocol version 1 onM-- + ly. RSAAuthentication Specifies whether to try RSA authentication. The argument to this keyword must be ``yes'' or ``no''. RSA authentication will - only be attempted if the identity file exists, or an authentica- - tion agent is running. Note that this option applies to protocol - version 1 only. + only be attempted if the identity file exists, or an authenticaM-- + tion agent is running. The default is ``yes''. Note that this + option applies to protocol version 1 only. ChallengeResponseAuthentication - Specifies whether to use challenge response authentication. Cur- - rently there is only support for skey(1) authentication. The ar- + Specifies whether to use challenge response authentication. 
CurM-- + rently there is only support for skey(1) authentication. The arM-- gument to this keyword must be ``yes'' or ``no''. The default is ``no''. @@ -605,7 +641,7 @@ host keys to the $HOME/.ssh/known_hosts and $HOME/.ssh/known_hosts2 files, and refuses to connect to hosts whose host key has changed. This provides maximum protection - against trojan horse attacks. However, it can be somewhat annoy- + against trojan horse attacks. However, it can be somewhat annoyM-- ing if you don't have good /etc/ssh_known_hosts and /etc/ssh_known_hosts2 files installed and frequently connect to new hosts. This option forces the user to manually add all new @@ -619,15 +655,15 @@ or ``ask''. The default is ``ask''. UsePrivilegedPort - Specifies whether to use a privileged port for outgoing connec- + Specifies whether to use a privileged port for outgoing connecM-- tions. The argument must be ``yes'' or ``no''. The default is - ``no''. Note that setting this option to ``no'' turns off - RhostsAuthentication and RhostsRSAAuthentication for older - servers. + ``no''. Note that you need to set this option to ``yes'' if you + want to use RhostsAuthentication and RhostsRSAAuthentication with + older servers. User Specifies the user to log in as. This can be useful if you have a different user name on different machines. This saves the - trouble of having to remember to give the user name on the com- + trouble of having to remember to give the user name on the comM-- mand line. UserKnownHostsFile 
@@ -676,17 +712,17 @@ with the agent. SSH_CLIENT - Identifies the client end of the connection. The variable con- + Identifies the client end of the connection. The variable conM-- tains three space-separated values: client ip-address, client port number, and server port number. SSH_ORIGINAL_COMMAND - The variable contains the original command line if a forced com- - mand is executed. It can be used to extract the original argu- + The variable contains the original command line if a forced comM-- + mand is executed. It can be used to extract the original arguM-- ments. SSH_TTY - This is set to the name of the tty (path to the device) associat- + This is set to the name of the tty (path to the device) associatM-- ed with the current shell or command. If the current session has no tty, this variable is not set. 
@@ -705,33 +741,35 @@ are not in /etc/ssh_known_hosts for protocol version 1 or /etc/ssh_known_hosts2 for protocol version 2). See sshd(8). - $HOME/.ssh/identity, $HOME/.ssh/id_dsa - Contains the RSA and the DSA authentication identity of the user. + $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa + Contains the authentication identity of the user. They are for + protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute). Note - that ssh ignores a private key file if it is accessible by oth- + that ssh ignores a private key file if it is accessible by othM-- ers. It is possible to specify a passphrase when generating the key; the passphrase will be used to encrypt the sensitive part of this file using 3DES. - $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub + $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub Contains the public key for authentication (public part of the identity file in human-readable form). The contents of the $HOME/.ssh/identity.pub file should be added to $HOME/.ssh/authorized_keys on all machines where you wish to log - in using RSA authentication. The contents of the - $HOME/.ssh/id_dsa.pub file should be added to - $HOME/.ssh/authorized_keys2 on all machines where you wish to log - in using DSA authentication. These files are not sensitive and - can (but need not) be readable by anyone. These files are never - used automatically and are not necessary; they are only provided - for the convenience of the user. + in using protocol version 1 RSA authentication. The contents of + the $HOME/.ssh/id_dsa.pub and $HOME/.ssh/id_rsa.pub file should + be added to $HOME/.ssh/authorized_keys2 on all machines where you + wish to log in using protocol version 2 DSA/RSA authentication. + These files are not sensitive and can (but need not) be readable + by anyone. 
These files are never used automatically and are not + necessary; they are only provided for the convenience of the usM-- + er. $HOME/.ssh/config This is the per-user configuration file. The format of this file is described above. This file is used by the ssh client. This file does not usually contain any sensitive information, but the - recommended permissions are read/write for the user, and not ac- + recommended permissions are read/write for the user, and not acM-- cessible by others. $HOME/.ssh/authorized_keys @@ -745,19 +783,19 @@ others. $HOME/.ssh/authorized_keys2 - Lists the public keys (DSA/RSA) that can be used for logging in - as this user. This file is not highly sensitive, but the recom- - mended permissions are read/write for the user, and not accessi- + Lists the public keys (RSA/DSA) that can be used for logging in + as this user. This file is not highly sensitive, but the recomM-- + mended permissions are read/write for the user, and not accessiM-- ble by others. /etc/ssh_known_hosts, /etc/ssh_known_hosts2 - Systemwide list of known host keys. /etc/ssh_known_hosts con- - tains RSA and /etc/ssh_known_hosts2 contains DSA or RSA keys for + Systemwide list of known host keys. /etc/ssh_known_hosts conM-- + tains RSA and /etc/ssh_known_hosts2 contains RSA or DSA keys for protocol version 2. These files should be prepared by the system administrator to contain the public host keys of all machines in the organization. This file should be world-readable. This file contains public keys, one per line, in the following format - (fields separated by spaces): system name, number of bits in mod- + (fields separated by spaces): system name, number of bits in modM-- ulus, public exponent, modulus, and optional comment field. When different names are used for the same machine, all such names should be listed, separated by commas. The format is described 
@@ -767,7 +805,7 @@ by sshd(8) to verify the client host when logging in; other names are needed because ssh does not convert the user-supplied name to a canonical name before checking the key, because someone with - access to the name servers would then be able to fool host au- + access to the name servers would then be able to fool host auM-- thentication. /etc/ssh_config @@ -783,14 +821,13 @@ Each line of the file contains a host name (in the canonical form returned by name servers), and then a user name on that host, separated by a space. On some machines this file may need to be - world-readable if the user's home directory is on a NFS parti- + world-readable if the user's home directory is on a NFS partiM-- tion, because sshd(8) reads it as root. Additionally, this file must be owned by the user, and must not have write permissions for anyone else. The recommended permission for most machines is read/write for the user, and not accessible by others. - - Note that by default sshd(8) will be installed so that it re- + Note that by default sshd(8) will be installed so that it reM-- quires successful RSA host authentication before permitting .rhosts authentication. If your server machine does not have the client's host key in /etc/ssh_known_hosts, you can store it in @@ -808,7 +845,7 @@ canonical hosts names, one per line (the full format is described on the sshd(8) manual page). If the client host is found in this file, login is automatically permitted provided client and server - user names are the same. Additionally, successful RSA host au- + user names are the same. Additionally, successful RSA host auM-- thentication is normally required. This file should only be writable by root. 
@@ -833,7 +870,7 @@ AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo - de Raadt and Dug Song removed many bugs, re-added newer features and cre- + de Raadt and Dug Song removed many bugs, re-added newer features and creM-- ated OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. @@ -841,4 +878,8 @@ rlogin(1), rsh(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh- keygen(1), telnet(1), sshd(8) -BSD Experimental September 25, 1999 13 + T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH + Protocol Architecture, draft-ietf-secsh-architecture-07.txt, January + 2001, work in progress material. + +BSD Experimental September 25, 1999 14 diff -ru openssh-2.5.2p2/ssh.1 openssh-2.9p1/ssh.1 --- openssh-2.5.2p2/ssh.1 2001-03-19 23:59:11.000000000 +1100 +++ openssh-2.9p1/ssh.1 2001-04-23 23:02:17.000000000 +1000 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.99 2001/03/19 12:49:51 djm Exp $ +.\" $OpenBSD: ssh.1,v 1.107 2001/04/22 23:58:36 markus Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -110,7 +110,7 @@ This form of authentication alone is normally not allowed by the server because it is not secure. .Pp -The second (and primary) authentication method is the +The second authentication method is the .Pa rhosts or .Pa hosts.equiv 
@@ -205,15 +205,22 @@ .Ss SSH protocol version 2 .Pp When a user connects using the protocol version 2 -different authentication methods are available: -At first, the client attempts to authenticate using the public key method. -If this method fails password authentication is tried. +different authentication methods are available. +Using the default values for +.Cm PreferredAuthentications , +the client will try to authenticate first using the public key method; +if this method fails password authentication is attempted, +and finally if this method fails keyboard-interactive authentication +is attempted. +If this method fails password authentication is +tried. .Pp The public key method is similar to RSA authentication described -in the previous section except that the DSA or RSA algorithm is used -instead. -The client uses his private key +in the previous section and allows the RSA or DSA algorithm to be used: +The client uses his private key, .Pa $HOME/.ssh/id_dsa +or +.Pa $HOME/.ssh/id_rsa , to sign the session identifier and sends the result to the server. The server checks whether the matching public key is listed in .Pa $HOME/.ssh/authorized_keys2 @@ -223,8 +230,10 @@ .Pp If public key authentication fails or is not available a password can be sent encrypted to the remote host for proving the user's identity. -This protocol 2 implementation does not yet support Kerberos or -S/Key authentication. +.Pp +Additionally, +.Nm +supports hostbased or challenge response authentication. .Pp Protocol 2 provides additional mechanisms for confidentiality (the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) 
@@ -241,30 +250,7 @@ the remote command or shell will be automatically encrypted. .Pp If a pseudo-terminal has been allocated (normal login session), the -user can disconnect with -.Ic ~. , -and suspend -.Nm -with -.Ic ~^Z . -All forwarded connections can be listed with -.Ic ~# -and if -the session blocks waiting for forwarded X11 or TCP/IP -connections to terminate, it can be backgrounded with -.Ic ~& -(this should not be used while the user shell is active, as it can cause the -shell to hang). -All available escapes can be listed with -.Ic ~? . -.Pp -A single tilde character can be sent as -.Ic ~~ -(or by following the tilde by a character other than those described above). -The escape character must always follow a newline to be interpreted as -special. -The escape character can be changed in configuration files -or on the command line. +user may use the escape characters noted below. .Pp If no pseudo tty has been allocated, the session is transparent and can be used to reliably transfer binary 
@@ -279,6 +265,42 @@ of .Nm ssh . .Pp +.Ss Escape Characters +.Pp +When a pseudo terminal has been requested, ssh supports a number of functions +through the use of an escape character. +.Pp +A single tilde character can be sent as +.Ic ~~ +(or by following the tilde by a character other than those described above). +The escape character must always follow a newline to be interpreted as +special. +The escape character can be changed in configuration files using the +.Cm EscapeChar +configuration directive or on the command line by the +.Fl e +option. +.Pp +The supported escapes (assuming the default +.Ql ~ ) +are: +.Bl -tag -width Ds +.It Cm ~. +Disconnect +.It Cm ~^Z +Background ssh +.It Cm ~# +List forwarded connections +.It Cm ~& +Background ssh at logout when waiting for forwarded connection / X11 sessions +to terminate (protocol version 1 only) +.It Cm ~? +Display a list of escape characters +.It Cm ~R +Request rekeying of the connection (only useful for SSH protocol version 2 +and if the peer supports it) +.El +.Pp .Ss X11 and TCP forwarding .Pp If the user is using X11 (the @@ -558,6 +580,8 @@ Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote machine. +IPv6 addresses can be specified with an alternative syntax: +.Ar port/host/hostport .It Fl 1 Forces .Nm @@ -630,6 +654,7 @@ .Dq yes or .Dq no . +This option applies to protocol version 1 only. .It Cm BatchMode If set to .Dq yes , 
@@ -640,16 +665,20 @@ .Dq yes or .Dq no . +The default is +.Dq no . .It Cm CheckHostIP If this flag is set to .Dq yes , -ssh will additionally check the host ip address in the +ssh will additionally check the host IP address in the .Pa known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. If the option is set to .Dq no , the check will not be executed. +The default is +.Dq yes . .It Cm Cipher Specifies the cipher to use for encrypting the session in protocol version 1. @@ -668,8 +697,7 @@ .Pp .Bd -literal ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, - aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc, - rijndael256-cbc,rijndael-cbc@lysator.liu.se'' + aes192-cbc,aes256-cbc'' .Ed .It Cm Compression Specifies whether to use compression. @@ -677,24 +705,21 @@ .Dq yes or .Dq no . +The default is +.Dq no . .It Cm CompressionLevel -Specifies the compression level to use if compression is enable. +Specifies the compression level to use if compression is enabled. The argument must be an integer from 1 (fast) to 9 (slow, best). The default level is 6, which is good for most applications. The meaning of the values is the same as in .Xr gzip 1 . +Note that this option applies to protocol version 1 only. .It Cm ConnectionAttempts Specifies the number of tries (one per second) to make before falling back to rsh or exiting. The argument must be an integer. This may be useful in scripts if the connection sometimes fails. -.It Cm PubkeyAuthentication -Specifies whether to try public key authentication. -The argument to this keyword must be -.Dq yes -or -.Dq no . -Note that this option applies to protocol version 2 only. +The default is 4. .It Cm EscapeChar Sets the escape character (default: .Ql ~ ) . @@ -720,6 +745,8 @@ .Dq yes or .Dq no . +The default is +.Dq no . .It Cm ForwardAgent Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. 
@@ -757,10 +784,27 @@ Specifies a file to use for the protocol version 2 global host key database instead of .Pa /etc/ssh_known_hosts2 . +.It Cm HostbasedAuthentication +Specifies whether to try rhosts based authentication with public key +authentication. +The argument must be +.Dq yes +or +.Dq no . +The default is +.Dq yes . +This option applies to protocol version 2 only and +is similar to +.Cm RhostsRSAAuthentication . +.It Cm HostKeyAlgorithms +Specfies the protocol version 2 host key algorithms +that the client wants to use in order of preference. +The default for this option is: +.Dq ssh-rsa,ssh-dss .It Cm HostKeyAlias Specifies an alias that should be used instead of the real host name when looking up or saving the host key -in the known_hosts files. +in the host key database files. This option is useful for tunneling ssh connections or if you have multiple servers running on a single host. .It Cm HostName @@ -771,7 +815,7 @@ .Cm HostName specifications). .It Cm IdentityFile -Specifies the file from which the user's RSA authentication identity +Specifies the file from which the user's RSA or DSA authentication identity is read (default .Pa $HOME/.ssh/identity in the user's home directory). @@ -849,7 +893,8 @@ .Dq yes or .Dq no . -Note that this option applies to both protocol version 1 and 2. +The default is +.Dq yes . .It Cm Port Specifies the port number to connect on the remote host. Default is 22. @@ -871,11 +916,11 @@ .Dq 2 . Multiple versions must be comma-separated. The default is -.Dq 1,2 . +.Dq 2,1 . This means that .Nm -tries version 1 and falls back to version 2 -if version 1 is not available. +tries version 2 and falls back to version 1 +if version 2 is not available. .It Cm ProxyCommand Specifies the command to use to connect to the server. The command 
@@ -901,6 +946,15 @@ .Cm CheckHostIP is not available for connects with a proxy command. .Pp +.It Cm PubkeyAuthentication +Specifies whether to try public key authentication. +The argument to this keyword must be +.Dq yes +or +.Dq no . +The default is +.Dq yes . +This option applies to protocol version 2 only. .It Cm RemoteForward Specifies that a TCP/IP port on the remote machine be forwarded over the secure channel to given host:port from the local machine. @@ -918,19 +972,25 @@ authentication time on slow connections when rhosts authentication is not used. Most servers do not permit RhostsAuthentication because it -is not secure (see RhostsRSAAuthentication). +is not secure (see +.Cm RhostsRSAAuthentication ). The argument to this keyword must be .Dq yes or .Dq no . +The default is +.Dq yes . +This option applies to protocol version 1 only. .It Cm RhostsRSAAuthentication Specifies whether to try rhosts based authentication with RSA host authentication. -This is the primary authentication method for most sites. The argument must be .Dq yes or .Dq no . +The default is +.Dq yes . +This option applies to protocol version 1 only. .It Cm RSAAuthentication Specifies whether to try RSA authentication. The argument to this keyword must be @@ -940,6 +1000,8 @@ RSA authentication will only be attempted if the identity file exists, or an authentication agent is running. +The default is +.Dq yes . Note that this option applies to protocol version 1 only. .It Cm ChallengeResponseAuthentication Specifies whether to use challenge response authentication. @@ -999,13 +1061,13 @@ .Dq no . The default is .Dq no . -Note that setting this option to -.Dq no -turns off +Note that you need to set this option to +.Dq yes +if you want to use .Cm RhostsAuthentication and .Cm RhostsRSAAuthentication -for older servers. +with older servers. .It Cm User Specifies the user to log in as. This can be useful if you have a different user name on different machines. 
@@ -1059,7 +1121,9 @@ .Nm uses this special value to forward X11 connections over the secure channel. -The user should normally not set DISPLAY explicitly, as that +The user should normally not set +.Ev DISPLAY +explicitly, as that will render the X11 connection insecure (and will require the user to manually copy any required authorization cookies). .It Ev HOME @@ -1118,8 +1182,9 @@ for protocol version 2). See .Xr sshd 8 . -.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa -Contains the RSA and the DSA authentication identity of the user. +.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa +Contains the authentication identity of the user. +They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute). @@ -1129,7 +1194,7 @@ It is possible to specify a passphrase when generating the key; the passphrase will be used to encrypt the sensitive part of this file using 3DES. -.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub +.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub Contains the public key for authentication (public part of the identity file in human-readable form). The contents of the @@ -1137,13 +1202,15 @@ file should be added to .Pa $HOME/.ssh/authorized_keys on all machines -where you wish to log in using RSA authentication. +where you wish to log in using protocol version 1 RSA authentication. The contents of the .Pa $HOME/.ssh/id_dsa.pub +and +.Pa $HOME/.ssh/id_rsa.pub file should be added to .Pa $HOME/.ssh/authorized_keys2 on all machines -where you wish to log in using DSA authentication. +where you wish to log in using protocol version 2 DSA/RSA authentication. These files are not sensitive and can (but need not) be readable by anyone. These files are 
@@ -1170,7 +1237,7 @@
 This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others.
 .It Pa $HOME/.ssh/authorized_keys2
-Lists the public keys (DSA/RSA) that can be used for logging in as this user.
+Lists the public keys (RSA/DSA) that can be used for logging in as this user.
 This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others.
 .It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2
@@ -1178,7 +1245,7 @@
 .Pa /etc/ssh_known_hosts contains RSA and
 .Pa /etc/ssh_known_hosts2
-contains DSA or RSA keys for protocol version 2.
+contains RSA or DSA keys for protocol version 2.
 These files should be prepared by the system administrator to contain the public host keys of all machines in the organization.
@@ -1309,3 +1376,14 @@
 .Xr ssh-keygen 1 ,
 .Xr telnet 1 ,
 .Xr sshd 8
+.Rs
+.%A T. Ylonen
+.%A T. Kivinen
+.%A M. Saarinen
+.%A T. Rinne
+.%A S. Lehtinen
+.%T "SSH Protocol Architecture"
+.%N draft-ietf-secsh-architecture-07.txt
+.%D January 2001
+.%O work in progress material
+.Re
diff -ru openssh-2.5.2p2/ssh.c openssh-2.9p1/ssh.c
--- openssh-2.5.2p2/ssh.c 2001-03-19 09:38:16.000000000 +1100
+++ openssh-2.9p1/ssh.c 2001-04-18 04:14:35.000000000 +1000
@@ -39,7 +39,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.104 2001/03/08 21:42:32 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.116 2001/04/17 12:55:04 markus Exp $");
 #include
 #include
@@ -67,6 +67,7 @@
 #include "misc.h"
 #include "kex.h"
 #include "mac.h"
+#include "sshtty.h"
 #ifdef HAVE___PROGNAME
 extern char *__progname;
@@ -130,11 +131,11 @@
 */
 volatile int received_window_change_signal = 0;
-/* Flag indicating whether we have a valid host private key loaded. */
-int host_private_key_loaded = 0;
-
-/* Host private key. */
-RSA *host_private_key = NULL;
+/* Private host keys. */
+struct {
+ Key **keys;
+ int nkeys;
+} sensitive_data;
 /* Original real UID. */
 uid_t original_real_uid;
@@ -268,6 +269,15 @@
 fatal("setrlimit failed: %.100s", strerror(errno));
 }
 #endif
+ /* Get user data. */
+ pw = getpwuid(original_real_uid);
+ if (!pw) {
+ log("You don't exist, go away!");
+ exit(1);
+ }
+ /* Take a copy of the returned structure. */
+ pw = pwcopy(pw);
+
 /*
 * Use uid-swapping to give up root privileges for the duration of
 * option processing. We will re-instantiate the rights when we are
@@ -275,7 +285,7 @@
 * them when the port has been created (actually, when the connection
 * has been made, as we may need to create the port several times).
 */
- temporarily_use_uid(original_real_uid);
+ temporarily_use_uid(pw);
 /*
 * Set our umask to something reasonable, as some files are created
@@ -308,7 +318,7 @@
 opt = av[optind][1];
 if (!opt)
 usage();
- if (strchr("eilcmpLRo", opt)) { /* options with arguments */
+ if (strchr("eilcmpLRDo", opt)) { /* options with arguments */
 optarg = av[optind] + 2;
 if (strcmp(optarg, "") == 0) {
 if (optind >= ac - 1)
@@ -447,7 +457,11 @@
 }
 break;
 case 'p':
- options.port = atoi(optarg);
+ options.port = a2port(optarg);
+ if (options.port == 0) {
+ fprintf(stderr, "Bad port '%s'\n", optarg);
+ exit(1);
+ }
 break;
 case 'l':
 options.user = optarg;
@@ -474,6 +488,16 @@
 }
 add_local_forward(&options, fwd_port, buf, fwd_host_port);
 break;
+
+ case 'D':
+ fwd_port = a2port(optarg);
+ if (fwd_port == 0) {
+ fprintf(stderr, "Bad dynamic port '%s'\n", optarg);
+ exit(1);
+ }
+ add_local_forward(&options, fwd_port, "socks4", 0);
+ break;
+
 case 'C':
 options.compression = 1;
 break;
@@ -517,7 +541,7 @@
 /* No command specified - execute shell on a tty. */
 tty_flag = 1;
 if (subsystem_flag) {
- fprintf(stderr, "You must specify a subsystem to invoke.");
+ fprintf(stderr, "You must specify a subsystem to invoke.\n");
 usage();
 }
 } else {
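Review bot: The new `case 'D'` registers the dynamic forward by handing the literal host `"socks4"` and port `0` to `add_local_forward()`, and nothing in the hunk says that this pair is a sentinel rather than a real destination, nor where the resulting listener ends up bound. Since `-D` opens a SOCKS listener on the user's machine, the contract deserves a comment at the call, e.g. `/* "socks4"/0 marks a dynamic (SOCKS4) forward; listener is bound like a -L port — confirm it stays loopback-only unless GatewayPorts is set */`. Whether the bind address is restricted is decided outside this hunk, so the second half of that comment is a point to verify rather than a fact. The option parser and main() extend beyond this hunk.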
@@ -548,20 +572,12 @@
 tty_flag = 0;
 }
- /* Get user data. */
- pw = getpwuid(original_real_uid);
- if (!pw) {
- log("You don't exist, go away!");
- exit(1);
- }
- /* Take a copy of the returned structure. */
- pw = pwcopy(pw);
-
 /*
 * Initialize "log" output. Since we are the client all output
 * actually goes to stderr.
 */
- log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
+ log_init(av[0], options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level,
+ SYSLOG_FACILITY_USER, 1);
 /* Read per-user configuration file. */
 snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, _PATH_SSH_USER_CONFFILE);
@@ -595,6 +611,7 @@
 "originating port will not be trusted.");
 options.rhosts_authentication = 0;
 }
+
 /*
 * If using rsh has been selected, exec it now (without trying
 * anything else). Note that we must release privileges first.
@@ -607,7 +624,7 @@
 restore_uid();
 /* Switch to the original uid permanently. */
- permanently_set_uid(original_real_uid);
+ permanently_set_uid(pw);
 /* Execute rsh. */
 rsh_connect(host, options.user, &command);
@@ -621,8 +638,7 @@
 ok = ssh_connect(host, &hostaddr, options.port, options.connection_attempts, original_effective_uid != 0 || !options.use_privileged_port,
- original_real_uid,
- options.proxy_command);
+ pw, options.proxy_command);
 /*
 * If we successfully made the connection, load the host private key
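Review bot: `log_init()` now takes its level from `options.log_level`, but at this point only the command line has been parsed — the per-user configuration file is read on the very next lines of the hunk — so a `LogLevel` directive in the config file cannot influence this call unless the log module is re-initialised later, which this hunk does not show. If that is intended, say so where the value is used: `/* options.log_level reflects command-line flags only here; config files are read below */`. The `getpwuid()` failure path that moved earlier in this diff now runs before this `log_init()` as well, so its `log("You don't exist, go away!")` goes out with whatever defaults the log module has before initialisation — worth a glance. main() starts and ends outside this hunk.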
@@ -630,13 +646,18 @@
 * authentication. This must be done before releasing extra
 * privileges, because the file is only readable by root.
 */
- if (ok && (options.protocol & SSH_PROTO_1)) {
- Key k;
- host_private_key = RSA_new();
- k.type = KEY_RSA1;
- k.rsa = host_private_key;
- if (load_private_key(_PATH_HOST_KEY_FILE, "", &k, NULL))
- host_private_key_loaded = 1;
+ sensitive_data.nkeys = 0;
+ sensitive_data.keys = NULL;
+ if (ok && (options.rhosts_rsa_authentication ||
+ options.hostbased_authentication)) {
+ sensitive_data.nkeys = 3;
+ sensitive_data.keys = xmalloc(sensitive_data.nkeys*sizeof(Key));
+ sensitive_data.keys[0] = key_load_private_type(KEY_RSA1,
+ _PATH_HOST_KEY_FILE, "", NULL);
+ sensitive_data.keys[1] = key_load_private_type(KEY_DSA,
+ _PATH_HOST_DSA_KEY_FILE, "", NULL);
+ sensitive_data.keys[2] = key_load_private_type(KEY_RSA,
+ _PATH_HOST_RSA_KEY_FILE, "", NULL);
 }
 /*
 * Get rid of any extra privileges that we may have. We will no
@@ -653,7 +674,7 @@
 * process, read the private hostkey and impersonate the host.
 * OpenBSD does not allow ptracing of setuid processes.
 */
- permanently_set_uid(original_real_uid);
+ permanently_set_uid(pw);
 /*
 * Now that we are back to our own permissions, create ~/.ssh
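Review bot: The allocation sizes the array by the wrong type: `sensitive_data.keys` is declared `Key **` in the earlier hunk, so each element is a pointer, yet the new line is `xmalloc(sensitive_data.nkeys*sizeof(Key))`. That only over-allocates today, but it misstates the element type and should be `sensitive_data.keys = xmalloc(sensitive_data.nkeys * sizeof(*sensitive_data.keys));`. Separately, the guard changed from "protocol 1 enabled" to "RhostsRSAAuthentication or HostbasedAuthentication enabled", and the ssh.1 hunks in this diff give both a default of "yes", so the setuid client now reads all three root-only host private keys on every run; a comment here should state that, and that a NULL from `key_load_private_type()` for a missing file is expected (the later cleanup hunk checks for NULL, how the auth code treats it is not visible here). main() starts and ends outside this hunk.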
@@ -695,12 +716,21 @@
 tilde_expand_filename(options.user_hostfile2, original_real_uid);
 /* Log into the remote system. This never returns if the login fails. */
- ssh_login(host_private_key_loaded, host_private_key,
- host, (struct sockaddr *)&hostaddr, original_real_uid);
+ ssh_login(sensitive_data.keys, sensitive_data.nkeys,
+ host, (struct sockaddr *)&hostaddr, pw);
- /* We no longer need the host private key. Clear it now. */
- if (host_private_key_loaded)
- RSA_free(host_private_key); /* Destroys contents safely */
+ /* We no longer need the private host keys. Clear them now. */
+ if (sensitive_data.nkeys != 0) {
+ for (i = 0; i < sensitive_data.nkeys; i++) {
+ if (sensitive_data.keys[i] != NULL) {
+ /* Destroys contents safely */
+ debug3("clear hostkey %d", i);
+ key_free(sensitive_data.keys[i]);
+ sensitive_data.keys[i] = NULL;
+ }
+ }
+ xfree(sensitive_data.keys);
+ }
 exit_status = compat20 ? ssh_session2() : ssh_session();
 packet_close();
@@ -846,7 +876,7 @@
 packet_put_int(ws.ws_ypixel);
 /* Store tty modes in the packet. */
- tty_make_modes(fileno(stdin));
+ tty_make_modes(fileno(stdin), NULL);
 /* Send the packet, and wait for it to leave. */
 packet_send();
@@ -950,12 +980,10 @@
 {
 int len;
 int interactive = 0;
+ struct termios tio;
 debug("client_init id %d arg %ld", id, (long)arg);
- if (no_shell_flag)
- goto done;
 if (tty_flag) {
 struct winsize ws;
 char *cp;
@@ -972,7 +1000,8 @@
 packet_put_int(ws.ws_row);
 packet_put_int(ws.ws_xpixel);
 packet_put_int(ws.ws_ypixel);
- packet_put_cstring(""); /* XXX: encode terminal modes */
+ tio = get_saved_tio();
+ tty_make_modes(/*ignored*/ 0, &tio);
 packet_send();
 interactive = 1;
 /* XXX wait for reply */
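Review bot: After `xfree(sensitive_data.keys)` the file-scope global still holds the freed pointer and `nkeys` stays at 3, so any later reader of `sensitive_data` (the session code that runs right after, or a signal handler) would walk freed memory; add `sensitive_data.keys = NULL; sensitive_data.nkeys = 0;` immediately after the `xfree`. The comment "Destroys contents safely" was carried over from the `RSA_free()` version and now vouches for `key_free()`, whose scrubbing of private key material is not visible in this diff — confirm it really zeroes the host private keys rather than just freeing them, since that is the whole point of clearing them here. main() starts and ends outside this hunk.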
@@ -1018,15 +1047,14 @@
 }
 /* channel_callback(id, SSH2_MSG_OPEN_CONFIGMATION, client_init, 0); */
-done:
 /* register different callback, etc. XXX */
 packet_set_interactive(interactive);
 }
 int
-ssh_session2(void)
+ssh_session2_command(void)
 {
- int window, packetmax, id;
+ int id, window, packetmax;
 int in, out, err;
 if (stdin_null_flag) {
@@ -1048,14 +1076,6 @@
 if (!isatty(err))
 set_nonblock(err);
- /* XXX should be pre-session */
- ssh_init_forwarding();
-
- /* If requested, let ssh continue in the background. */
- if (fork_after_authentication_flag)
- if (daemon(1, 1) < 0)
- fatal("daemon() failed: %.200s", strerror(errno));
-
 window = CHAN_SES_WINDOW_DEFAULT;
 packetmax = CHAN_SES_PACKET_DEFAULT;
 if (!tty_flag) {
@@ -1067,31 +1087,31 @@
 window, packetmax, CHAN_EXTENDED_WRITE, xstrdup("client-session"), /*nonblock*/0);
+debug("channel_new: %d", id);
+
 channel_open(id);
 channel_register_callback(id, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, ssh_session2_callback, (void *)0);
- return client_loop(tty_flag, tty_flag ? options.escape_char : -1, id);
+ return id;
 }
 int
-guess_identity_file_type(const char *filename)
+ssh_session2(void)
 {
- struct stat st;
- Key *public;
- int type = KEY_RSA1; /* default */
+ int id;
- if (stat(filename, &st) < 0) {
- /* ignore this key */
- return KEY_UNSPEC;
- }
- public = key_new(type);
- if (!load_public_key(filename, public, NULL)) {
- /* ok, so we will assume this is 'some' key */
- type = KEY_UNSPEC;
- }
- key_free(public);
- return type;
+ /* XXX should be pre-session */
+ ssh_init_forwarding();
+
+ id = no_shell_flag ? -1 : ssh_session2_command();
+
+ /* If requested, let ssh continue in the background. */
+ if (fork_after_authentication_flag)
+ if (daemon(1, 1) < 0)
+ fatal("daemon() failed: %.200s", strerror(errno));
+
+ return client_loop(tty_flag, tty_flag ? options.escape_char : -1, id);
 }
 void
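Review bot: The added `debug("channel_new: %d", id);` sits at column 0 with a stray blank line after it, which reads like a leftover from debugging rather than intended output; either indent it with the surrounding statements or drop it. In the new `ssh_session2()`, `id = no_shell_flag ? -1 : ssh_session2_command();` then feeds `-1` into `client_loop()` as the session channel id, and nothing says that `-1` is a sentinel; a short comment such as `/* -1: no session channel was opened (no_shell_flag) */` would make that explicit, and the no-session case should be checked in client_loop, which is outside this hunk. The `daemon()` call now happens after the session channel is created and registered, so the callback registered above will fire in the child; that ordering is presumably deliberate but deserves a word in the comment that precedes it.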
@@ -1104,16 +1124,7 @@
 for (i = 0; i < options.num_identity_files; i++) {
 filename = tilde_expand_filename(options.identity_files[i], original_real_uid);
- public = key_new(KEY_RSA1);
- if (!load_public_key(filename, public, NULL)) {
- key_free(public);
- public = key_new(KEY_UNSPEC);
- if (!try_load_public_key(filename, public, NULL)) {
- debug("unknown identity file %s", filename);
- key_free(public);
- public = NULL;
- }
- }
+ public = key_load_public(filename, NULL);
 debug("identity file %s type %d", filename, public ? public->type : -1);
 xfree(options.identity_files[i]);
diff -ru openssh-2.5.2p2/ssh.h openssh-2.9p1/ssh.h
--- openssh-2.5.2p2/ssh.h 2001-03-14 11:39:46.000000000 +1100
+++ openssh-2.9p1/ssh.h 2001-04-21 03:43:48.000000000 +1000
@@ -61,7 +61,7 @@
 #define SSH_SERVICE_NAME "ssh"
 #if defined(USE_PAM) && !defined(SSHD_PAM_SERVICE)
-# define SSHD_PAM_SERVICE "sshd"
+# define SSHD_PAM_SERVICE __progname
 #endif
 /*
diff -ru openssh-2.5.2p2/ssh2.h openssh-2.9p1/ssh2.h
--- openssh-2.5.2p2/ssh2.h 2000-10-14 16:23:12.000000000 +1100
+++ openssh-2.9p1/ssh2.h 2001-03-29 10:36:17.000000000 +1000
@@ -52,7 +52,7 @@
 *
 * 192-255 Local extensions
 */
-/* RCSID("$OpenBSD: ssh2.h,v 1.5 2000/10/11 04:02:17 provos Exp $"); */
+/* RCSID("$OpenBSD: ssh2.h,v 1.6 2001/03/27 17:46:49 provos Exp $"); */
 /* transport layer: generic */
@@ -74,10 +74,11 @@
 #define SSH2_MSG_KEXDH_REPLY 31
 /* dh-group-exchange */
-#define SSH2_MSG_KEX_DH_GEX_REQUEST 30
+#define SSH2_MSG_KEX_DH_GEX_REQUEST_OLD 30
 #define SSH2_MSG_KEX_DH_GEX_GROUP 31
 #define SSH2_MSG_KEX_DH_GEX_INIT 32
 #define SSH2_MSG_KEX_DH_GEX_REPLY 33
+#define SSH2_MSG_KEX_DH_GEX_REQUEST 34
 /* user authentication: generic */
diff -ru openssh-2.5.2p2/ssh_config openssh-2.9p1/ssh_config
--- openssh-2.5.2p2/ssh_config 2001-03-11 04:15:40.000000000 +1100
+++ openssh-2.9p1/ssh_config 2001-04-04 11:58:48.000000000 +1000
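Review bot: Redefining `SSHD_PAM_SERVICE` as `__progname` in ssh.h ties the PAM service name to argv[0], so an sshd started under another name (a renamed binary, a symlink such as `sshd.new`) is authenticated against a `/etc/pam.d/` entry that does not exist and falls through to the system's `other` stack, whose policy varies by distribution — a silent policy change from the fixed `"sshd"`. `__progname` is also a runtime variable rather than a string literal, so every translation unit using the macro must have `extern char *__progname;` in scope (ssh.c only declares it under `HAVE___PROGNAME` in an earlier hunk of this diff), and the macro can no longer be pasted together with adjacent literals. I would keep the literal default and let builds override it, `# define SSHD_PAM_SERVICE "sshd"`, or at the very least add `/* PAM service name follows argv[0]; a renamed sshd binary selects a different /etc/pam.d entry */` next to the define.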
@@ -1,4 +1,4 @@
-# $OpenBSD: ssh_config,v 1.9 2001/03/10 12:53:51 deraadt Exp $
+# $OpenBSD: ssh_config,v 1.10 2001/04/03 21:19:38 todd Exp $
 # This is ssh client systemwide configuration file. See ssh(1) for more
 # information. This file provides defaults for users, and the values can
@@ -28,8 +28,7 @@
 # StrictHostKeyChecking yes
 # IdentityFile ~/.ssh/identity
 # IdentityFile ~/.ssh/id_dsa
-# IdentityFile ~/.ssh/id_rsa1
-# IdentityFile ~/.ssh/id_rsa2
+# IdentityFile ~/.ssh/id_rsa
 # Port 22
 # Protocol 2,1
 # Cipher blowfish
diff -ru openssh-2.5.2p2/sshconnect.c openssh-2.9p1/sshconnect.c
--- openssh-2.5.2p2/sshconnect.c 2001-03-13 15:57:59.000000000 +1100
+++ openssh-2.9p1/sshconnect.c 2001-04-13 09:34:36.000000000 +1000
@@ -13,7 +13,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.100 2001/03/12 22:02:02 markus Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.104 2001/04/12 19:15:25 markus Exp $");
 #include
@@ -45,7 +45,7 @@
 * Connect to the given ssh server using a proxy command.
 */
 int
-ssh_proxy_connect(const char *host, u_short port, uid_t original_real_uid,
+ssh_proxy_connect(const char *host, u_short port, struct passwd *pw,
 const char *proxy_command)
 {
 Buffer command;
@@ -96,7 +96,7 @@
 char *argv[10];
 /* Child. Permanently give up superuser privileges. */
- permanently_set_uid(original_real_uid);
+ permanently_set_uid(pw);
 /* Redirect stdin and stdout. */
 close(pin[1]);
@@ -145,7 +145,7 @@
 * Creates a (possibly privileged) socket for use as the ssh connection.
 */
 int
-ssh_create_socket(uid_t original_real_uid, int privileged, int family)
+ssh_create_socket(struct passwd *pw, int privileged, int family)
 {
 int sock;
@@ -165,7 +165,7 @@
 * Just create an ordinary socket on arbitrary port. We use
 * the user's uid to create the socket.
 */
- temporarily_use_uid(original_real_uid);
+ temporarily_use_uid(pw);
 sock = socket(family, SOCK_STREAM, 0);
 if (sock < 0)
 error("socket: %.100s", strerror(errno));
@@ -188,7 +188,7 @@
 int
 ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
 u_short port, int connection_attempts,
- int anonymous, uid_t original_real_uid,
+ int anonymous, struct passwd *pw,
 const char *proxy_command)
 {
 int gaierr;
@@ -212,7 +212,7 @@
 }
 /* If a proxy command is given, connect using it. */
 if (proxy_command != NULL)
- return ssh_proxy_connect(host, port, original_real_uid, proxy_command);
+ return ssh_proxy_connect(host, port, pw, proxy_command);
 /* No proxy command. */
@@ -248,7 +248,7 @@
 host, ntop, strport);
 /* Create a socket for connecting. */
- sock = ssh_create_socket(original_real_uid,
+ sock = ssh_create_socket(pw,
 #ifdef HAVE_CYGWIN
 !anonymous,
 #else
@@ -262,10 +262,10 @@
 * hope that it will help with tcp_wrappers showing
 * the remote uid as root.
 */
- temporarily_use_uid(original_real_uid);
+ temporarily_use_uid(pw);
 if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) {
 /* Successful connection. */
- memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen);
+ memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen);
 restore_uid();
 break;
 } else {
@@ -738,17 +738,12 @@
 * This function does not require super-user privileges.
 */
 void
-ssh_login(int host_key_valid, RSA *own_host_key, const char *orighost,
- struct sockaddr *hostaddr, uid_t original_real_uid)
+ssh_login(Key **keys, int nkeys, const char *orighost,
+ struct sockaddr *hostaddr, struct passwd *pw)
 {
- struct passwd *pw;
 char *host, *cp;
 char *server_user, *local_user;
- /* Get local user name. Use it as server user if no user name was given. */
- pw = getpwuid(original_real_uid);
- if (!pw)
- fatal("User id %u not found from user database.", original_real_uid);
 local_user = xstrdup(pw->pw_name);
 server_user = options.user ? options.user : local_user;
@@ -768,10 +763,10 @@
 /* authenticate user */
 if (compat20) {
 ssh_kex2(host, hostaddr);
- ssh_userauth2(server_user, host);
+ ssh_userauth2(local_user, server_user, host, keys, nkeys);
 } else {
 ssh_kex(host, hostaddr);
- ssh_userauth(local_user, server_user, host, host_key_valid, own_host_key);
+ ssh_userauth1(local_user, server_user, host, keys, nkeys);
 }
 }
diff -ru openssh-2.5.2p2/sshconnect.h openssh-2.9p1/sshconnect.h
--- openssh-2.5.2p2/sshconnect.h 2001-02-16 12:34:57.000000000 +1100
+++ openssh-2.9p1/sshconnect.h 2001-04-13 09:34:36.000000000 +1000
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.h,v 1.6 2001/02/15 23:19:59 markus Exp $ */
+/* $OpenBSD: sshconnect.h,v 1.9 2001/04/12 19:15:25 markus Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -25,46 +25,30 @@ */ #ifndef SSHCONNECT_H #define SSHCONNECT_H -/* - * Opens a TCP/IP connection to the remote server on the given host. If port - * is 0, the default port will be used. If anonymous is zero, a privileged - * port will be allocated to make the connection. This requires super-user - * privileges if anonymous is false. Connection_attempts specifies the - * maximum number of tries, one per second. This returns true on success, - * and zero on failure. If the connection is successful, this calls - * packet_set_connection for the connection. - */ + int ssh_connect(const char *host, struct sockaddr_storage * hostaddr, u_short port, int connection_attempts, - int anonymous, uid_t original_real_uid, + int anonymous, struct passwd *pw, const char *proxy_command); -/* - * Starts a dialog with the server, and authenticates the current user on the - * server. This does not need any extra privileges. The basic connection to - * the server must already have been established before this is called. If - * login fails, this function prints an error and never returns. This - * initializes the random state, and leaves it initialized (it will also have - * references from the packet module). 
- */ - void -ssh_login(int host_key_valid, RSA * host_key, const char *host, - struct sockaddr * hostaddr, uid_t original_real_uid); - +ssh_login(Key **keys, int nkeys, const char *orighost, + struct sockaddr *hostaddr, struct passwd *pw); void check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, const char *user_hostfile, const char *system_hostfile); void ssh_kex(char *host, struct sockaddr *hostaddr); -void -ssh_userauth(const char * local_user, const char * server_user, char *host, - int host_key_valid, RSA *own_host_key); - void ssh_kex2(char *host, struct sockaddr *hostaddr); -void ssh_userauth2(const char *server_user, char *host); + +void +ssh_userauth1(const char *local_user, const char *server_user, char *host, + Key **keys, int nkeys); +void +ssh_userauth2(const char *local_user, const char *server_user, char *host, + Key **keys, int nkeys); void ssh_put_password(char *password); diff -ru openssh-2.5.2p2/sshconnect1.c openssh-2.9p1/sshconnect1.c --- openssh-2.5.2p2/sshconnect1.c 2001-03-09 11:12:23.000000000 +1100 +++ openssh-2.9p1/sshconnect1.c 2001-04-18 04:08:16.000000000 +1000 @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect1.c,v 1.28 2001/03/08 21:42:33 markus Exp $"); +RCSID("$OpenBSD: sshconnect1.c,v 1.31 2001/04/17 08:14:01 markus Exp $"); #include #include @@ -211,9 +211,9 @@ int plen, clen; /* Try to load identification for the authentication key. */ - public = key_new(KEY_RSA1); - if (!load_public_key(authfile, public, &comment)) { - key_free(public); + /* XXKEYLOAD */ + public = key_load_public_type(KEY_RSA1, authfile, &comment); + if (public == NULL) { /* Could not load it. Fail. */ return 0; } 
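Review bot: The sshconnect.h hunk deletes the block comments that documented ssh_connect() (port 0 means the default port, the anonymous/privileged-port rule, connection_attempts, the return value and the packet_set_connection side effect) and ssh_login() (prints an error and never returns on failure) and replaces them with a blank line; the new `Key **keys, int nkeys` and `struct passwd *pw` parameters are likewise undocumented. Suggest restoring a short comment on each prototype that keeps the surviving facts and adds the new ones, e.g. on ssh_login: `/* keys/nkeys: host keys offered for hostbased (v2) and rhosts-RSA (v1); pw: caller-resolved passwd entry, non-NULL */`. The new ssh_userauth1()/ssh_userauth2() prototypes get no comment either.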
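Review bot: The `/* XXKEYLOAD */` marker added above `public = key_load_public_type(KEY_RSA1, authfile, &comment);` in the sshconnect1.c @@ -211 hunk reads like a leftover work-in-progress tag and tells the next reader nothing. Either drop it or spell out what it flags, e.g. `/* TODO: unify with the v2 identity loading path */` if that is the intent. The enclosing function starts before this hunk.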
@@ -252,12 +252,12 @@ debug("Received RSA challenge from server."); - private = key_new(KEY_RSA1); /* * Load the private key. Try first with empty passphrase; if it * fails, ask for a passphrase. */ - if (!load_private_key(authfile, "", private, NULL)) { + private = key_load_private_type(KEY_RSA1, authfile, "", NULL); + if (private == NULL) { char buf[300]; snprintf(buf, sizeof buf, "Enter passphrase for RSA key '%.100s': ", comment); @@ -270,7 +270,8 @@ } /* Load the authentication file using the pasphrase. */ - if (!load_private_key(authfile, passphrase, private, NULL)) { + private = key_load_private_type(KEY_RSA1, authfile, passphrase, NULL); + if (private == NULL) { memset(passphrase, 0, strlen(passphrase)); xfree(passphrase); error("Bad passphrase."); @@ -285,7 +286,6 @@ /* Expect the server to reject it... */ packet_read_expect(&plen, SSH_SMSG_FAILURE); xfree(comment); - key_free(private); BN_clear_free(challenge); return 0; } @@ -322,7 +322,7 @@ * authentication and RSA host authentication. */ int -try_rhosts_rsa_authentication(const char *local_user, RSA * host_key) +try_rhosts_rsa_authentication(const char *local_user, Key * host_key) { int type; BIGNUM *challenge; @@ -333,9 +333,9 @@ /* Tell the server that we are willing to authenticate using this key. */ packet_start(SSH_CMSG_AUTH_RHOSTS_RSA); packet_put_string(local_user, strlen(local_user)); - packet_put_int(BN_num_bits(host_key->n)); - packet_put_bignum(host_key->e); - packet_put_bignum(host_key->n); + packet_put_int(BN_num_bits(host_key->rsa->n)); + packet_put_bignum(host_key->rsa->e); + packet_put_bignum(host_key->rsa->n); packet_send(); packet_write_wait(); @@ -361,7 +361,7 @@ debug("Received RSA challenge for host key from server."); /* Compute a response to the challenge. */ - respond_to_rsa_challenge(challenge, host_key); + respond_to_rsa_challenge(challenge, host_key->rsa); /* We no longer need the challenge. */ BN_clear_free(challenge); 
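Review bot: try_rhosts_rsa_authentication() now takes a `Key *` and reads `host_key->rsa->n` and `host_key->rsa->e` and hands `host_key->rsa` to respond_to_rsa_challenge() (hunks @@ -322, @@ -333 and @@ -361) without checking that the key is actually an RSA1 key; the only type filter is in the caller in the sshconnect1.c @@ -1000 hunk, so any future caller that skips it would dereference a `rsa` member that can be NULL for non-RSA keys. A guard at the top of the function keeps the invariant local: `if (host_key->type != KEY_RSA1 || host_key->rsa == NULL) return 0;`. The function body continues outside these hunks.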
@@ -911,17 +911,14 @@ * Authenticate user */ void -ssh_userauth( - const char *local_user, - const char *server_user, - char *host, - int host_key_valid, RSA *own_host_key) +ssh_userauth1(const char *local_user, const char *server_user, char *host, + Key **keys, int nkeys) { int i, type; int payload_len; if (supported_authentications == 0) - fatal("ssh_userauth: server supports no auth methods"); + fatal("ssh_userauth1: server supports no auth methods"); /* Send the name of the user to log in as on the server. */ packet_start(SSH_CMSG_USER); @@ -1000,9 +997,12 @@ * authentication. */ if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) && - options.rhosts_rsa_authentication && host_key_valid) { - if (try_rhosts_rsa_authentication(local_user, own_host_key)) - return; + options.rhosts_rsa_authentication) { + for (i = 0; i < nkeys; i++) { + if (keys[i] != NULL && keys[i]->type == KEY_RSA1 && + try_rhosts_rsa_authentication(local_user, keys[i])) + return; + } } /* Try RSA authentication if the server supports it. */ if ((supported_authentications & (1 << SSH_AUTH_RSA)) && diff -ru openssh-2.5.2p2/sshconnect2.c openssh-2.9p1/sshconnect2.c --- openssh-2.5.2p2/sshconnect2.c 2001-03-13 15:57:59.000000000 +1100 +++ openssh-2.9p1/sshconnect2.c 2001-04-20 06:40:46.000000000 +1000 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.54 2001/03/12 22:02:02 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.72 2001/04/18 23:43:26 markus Exp $"); #include #include @@ -46,15 +46,14 @@ #include "sshconnect.h" #include "authfile.h" #include "cli.h" -#include "dispatch.h" +#include "dh.h" #include "authfd.h" #include "log.h" #include "readconf.h" #include "readpass.h" #include "match.h" - -void ssh_dh1_client(Kex *, char *, struct sockaddr *, Buffer *, Buffer *); -void ssh_dhgex_client(Kex *, char *, struct sockaddr *, Buffer *, Buffer *); +#include "dispatch.h" +#include "canohost.h" /* import */ extern char *client_version_string; 
@@ -68,13 +67,26 @@ u_char *session_id2 = NULL; int session_id2_len = 0; +char *xxx_host; +struct sockaddr *xxx_hostaddr; + +Kex *xxx_kex = NULL; + +int +check_host_key_callback(Key *hostkey) +{ + check_host_key(xxx_host, xxx_hostaddr, hostkey, + options.user_hostfile2, options.system_hostfile2); + return 0; +} + void ssh_kex2(char *host, struct sockaddr *hostaddr) { - int i, plen; Kex *kex; - Buffer *client_kexinit, *server_kexinit; - char *sprop[PROPOSAL_MAX]; + + xxx_host = host; + xxx_hostaddr = hostaddr; if (options.ciphers == (char *)-1) { log("No valid ciphers for protocol version 2 given, using defaults."); @@ -84,6 +96,10 @@ myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; } + myproposal[PROPOSAL_ENC_ALGS_CTOS] = + compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); + myproposal[PROPOSAL_ENC_ALGS_STOC] = + compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); if (options.compression) { myproposal[PROPOSAL_COMP_ALGS_CTOS] = myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib"; 
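Review bot: `xxx_host`, `xxx_hostaddr` and `xxx_kex` are introduced as external-linkage file-scope globals (no `static`) with placeholder names, solely so check_host_key_callback() can reach the host name and address; they should at least be `static` so they do not leak into the global namespace, and a comment should say why they exist. check_host_key_callback() returns 0 unconditionally, which only makes sense if check_host_key() never returns for a rejected key — that is not visible in this diff, so a comment such as `/* check_host_key() terminates on mismatch, so reaching here means the key was accepted */` (confirm against check_host_key) would save the next reader a trip. `xxx_kex` is assigned in ssh_kex2() below but not read anywhere in this diff.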
@@ -95,47 +111,22 @@ myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; } + if (options.hostkeyalgorithms != NULL) + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = + options.hostkeyalgorithms; + + /* start key exchange */ + kex = kex_setup(myproposal); + kex->client_version_string=client_version_string; + kex->server_version_string=server_version_string; + kex->check_host_key=&check_host_key_callback; - /* buffers with raw kexinit messages */ - server_kexinit = xmalloc(sizeof(*server_kexinit)); - buffer_init(server_kexinit); - client_kexinit = kex_init(myproposal); - - /* algorithm negotiation */ - kex_exchange_kexinit(client_kexinit, server_kexinit, sprop); - kex = kex_choose_conf(myproposal, sprop, 0); - for (i = 0; i < PROPOSAL_MAX; i++) - xfree(sprop[i]); - - /* server authentication and session key agreement */ - switch(kex->kex_type) { - case DH_GRP1_SHA1: - ssh_dh1_client(kex, host, hostaddr, - client_kexinit, server_kexinit); - break; - case DH_GEX_SHA1: - ssh_dhgex_client(kex, host, hostaddr, client_kexinit, - server_kexinit); - break; - default: - fatal("Unsupported key exchange %d", kex->kex_type); - } - - buffer_free(client_kexinit); - buffer_free(server_kexinit); - xfree(client_kexinit); - xfree(server_kexinit); + xxx_kex = kex; - debug("Wait SSH2_MSG_NEWKEYS."); - packet_read_expect(&plen, SSH2_MSG_NEWKEYS); - packet_done(); - debug("GOT SSH2_MSG_NEWKEYS."); + dispatch_run(DISPATCH_BLOCK, &kex->done, kex); - debug("send SSH2_MSG_NEWKEYS."); - packet_start(SSH2_MSG_NEWKEYS); - packet_send(); - packet_write_wait(); - debug("done: send SSH2_MSG_NEWKEYS."); + session_id2 = kex->session_id; + session_id2_len = kex->session_id_len; #ifdef DEBUG_KEXDH /* send 1st encrypted/maced/compressed message */ 
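Review bot: `session_id2 = kex->session_id;` makes the file-scope session id an alias into the Kex object instead of the private copy the removed code made with xmalloc/memcpy, so its lifetime now depends on `kex` (kept reachable through `xxx_kex`) never being freed or re-keyed while userauth — which signs over `session_id2` in userauth_hostbased() further down — is still running. A comment at the assignment would pin that down: `/* session_id2 aliases kex->session_id; kex must outlive userauth */`. Style: `kex->client_version_string=client_version_string;` and the two lines after it drop the spaces around `=` that the rest of the file uses.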
@@ -144,310 +135,7 @@ packet_send(); packet_write_wait(); #endif - debug("done: KEX2."); -} - -/* diffie-hellman-group1-sha1 */ - -void -ssh_dh1_client(Kex *kex, char *host, struct sockaddr *hostaddr, - Buffer *client_kexinit, Buffer *server_kexinit) -{ -#ifdef DEBUG_KEXDH - int i; -#endif - int plen, dlen; - u_int klen, kout; - char *signature = NULL; - u_int slen; - char *server_host_key_blob = NULL; - Key *server_host_key; - u_int sbloblen; - DH *dh; - BIGNUM *dh_server_pub = 0; - BIGNUM *shared_secret = 0; - u_char *kbuf; - u_char *hash; - - debug("Sending SSH2_MSG_KEXDH_INIT."); - /* generate and send 'e', client DH public key */ - dh = dh_new_group1(); - dh_gen_key(dh, kex->we_need * 8); - packet_start(SSH2_MSG_KEXDH_INIT); - packet_put_bignum2(dh->pub_key); - packet_send(); - packet_write_wait(); - -#ifdef DEBUG_KEXDH - fprintf(stderr, "\np= "); - BN_print_fp(stderr, dh->p); - fprintf(stderr, "\ng= "); - BN_print_fp(stderr, dh->g); - fprintf(stderr, "\npub= "); - BN_print_fp(stderr, dh->pub_key); - fprintf(stderr, "\n"); - DHparams_print_fp(stderr, dh); -#endif - - debug("Wait SSH2_MSG_KEXDH_REPLY."); - - packet_read_expect(&plen, SSH2_MSG_KEXDH_REPLY); - - debug("Got SSH2_MSG_KEXDH_REPLY."); - - /* key, cert */ - server_host_key_blob = packet_get_string(&sbloblen); - server_host_key = key_from_blob(server_host_key_blob, sbloblen); - if (server_host_key == NULL) - fatal("cannot decode server_host_key_blob"); - - check_host_key(host, hostaddr, server_host_key, - options.user_hostfile2, options.system_hostfile2); - - /* DH paramter f, server public DH key */ - dh_server_pub = BN_new(); - if (dh_server_pub == NULL) - fatal("dh_server_pub == NULL"); - packet_get_bignum2(dh_server_pub, &dlen); - -#ifdef DEBUG_KEXDH - fprintf(stderr, "\ndh_server_pub= "); - BN_print_fp(stderr, dh_server_pub); - fprintf(stderr, "\n"); - debug("bits %d", BN_num_bits(dh_server_pub)); -#endif - - /* signed H */ - signature = packet_get_string(&slen); - packet_done(); - - if 
(!dh_pub_is_valid(dh, dh_server_pub)) - packet_disconnect("bad server public DH value"); - - klen = DH_size(dh); - kbuf = xmalloc(klen); - kout = DH_compute_key(kbuf, dh_server_pub, dh); -#ifdef DEBUG_KEXDH - debug("shared secret: len %d/%d", klen, kout); - fprintf(stderr, "shared secret == "); - for (i = 0; i< kout; i++) - fprintf(stderr, "%02x", (kbuf[i])&0xff); - fprintf(stderr, "\n"); -#endif - shared_secret = BN_new(); - - BN_bin2bn(kbuf, kout, shared_secret); - memset(kbuf, 0, klen); - xfree(kbuf); - - /* calc and verify H */ - hash = kex_hash( - client_version_string, - server_version_string, - buffer_ptr(client_kexinit), buffer_len(client_kexinit), - buffer_ptr(server_kexinit), buffer_len(server_kexinit), - server_host_key_blob, sbloblen, - dh->pub_key, - dh_server_pub, - shared_secret - ); - xfree(server_host_key_blob); - DH_free(dh); - BN_free(dh_server_pub); -#ifdef DEBUG_KEXDH - fprintf(stderr, "hash == "); - for (i = 0; i< 20; i++) - fprintf(stderr, "%02x", (hash[i])&0xff); - fprintf(stderr, "\n"); -#endif - if (key_verify(server_host_key, (u_char *)signature, slen, hash, 20) != 1) - fatal("key_verify failed for server_host_key"); - key_free(server_host_key); - xfree(signature); - - kex_derive_keys(kex, hash, shared_secret); - BN_clear_free(shared_secret); - packet_set_kex(kex); - - /* save session id */ - session_id2_len = 20; - session_id2 = xmalloc(session_id2_len); - memcpy(session_id2, hash, session_id2_len); -} - -/* diffie-hellman-group-exchange-sha1 */ - -/* - * Estimates the group order for a Diffie-Hellman group that has an - * attack complexity approximately the same as O(2**bits). 
Estimate - * with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3))) - */ - -int -dh_estimate(int bits) -{ - - if (bits < 64) - return (512); /* O(2**63) */ - if (bits < 128) - return (1024); /* O(2**86) */ - if (bits < 192) - return (2048); /* O(2**116) */ - return (4096); /* O(2**156) */ -} - -void -ssh_dhgex_client(Kex *kex, char *host, struct sockaddr *hostaddr, - Buffer *client_kexinit, Buffer *server_kexinit) -{ -#ifdef DEBUG_KEXDH - int i; -#endif - int plen, dlen; - u_int klen, kout; - char *signature = NULL; - u_int slen, nbits; - char *server_host_key_blob = NULL; - Key *server_host_key; - u_int sbloblen; - DH *dh; - BIGNUM *dh_server_pub = 0; - BIGNUM *shared_secret = 0; - BIGNUM *p = 0, *g = 0; - u_char *kbuf; - u_char *hash; - - nbits = dh_estimate(kex->we_need * 8); - - debug("Sending SSH2_MSG_KEX_DH_GEX_REQUEST."); - packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST); - packet_put_int(nbits); - packet_send(); - packet_write_wait(); - -#ifdef DEBUG_KEXDH - fprintf(stderr, "\nnbits = %d", nbits); -#endif - - debug("Wait SSH2_MSG_KEX_DH_GEX_GROUP."); - - packet_read_expect(&plen, SSH2_MSG_KEX_DH_GEX_GROUP); - - debug("Got SSH2_MSG_KEX_DH_GEX_GROUP."); - - if ((p = BN_new()) == NULL) - fatal("BN_new"); - packet_get_bignum2(p, &dlen); - if ((g = BN_new()) == NULL) - fatal("BN_new"); - packet_get_bignum2(g, &dlen); - dh = dh_new_group(g, p); - - dh_gen_key(dh, kex->we_need * 8); - -#ifdef DEBUG_KEXDH - fprintf(stderr, "\np= "); - BN_print_fp(stderr, dh->p); - fprintf(stderr, "\ng= "); - BN_print_fp(stderr, dh->g); - fprintf(stderr, "\npub= "); - BN_print_fp(stderr, dh->pub_key); - fprintf(stderr, "\n"); - DHparams_print_fp(stderr, dh); -#endif - - debug("Sending SSH2_MSG_KEX_DH_GEX_INIT."); - /* generate and send 'e', client DH public key */ - packet_start(SSH2_MSG_KEX_DH_GEX_INIT); - packet_put_bignum2(dh->pub_key); - packet_send(); - packet_write_wait(); - - debug("Wait SSH2_MSG_KEX_DH_GEX_REPLY."); - - packet_read_expect(&plen, SSH2_MSG_KEX_DH_GEX_REPLY); - - 
debug("Got SSH2_MSG_KEXDH_REPLY."); - - /* key, cert */ - server_host_key_blob = packet_get_string(&sbloblen); - server_host_key = key_from_blob(server_host_key_blob, sbloblen); - if (server_host_key == NULL) - fatal("cannot decode server_host_key_blob"); - - check_host_key(host, hostaddr, server_host_key, - options.user_hostfile2, options.system_hostfile2); - - /* DH paramter f, server public DH key */ - dh_server_pub = BN_new(); - if (dh_server_pub == NULL) - fatal("dh_server_pub == NULL"); - packet_get_bignum2(dh_server_pub, &dlen); - -#ifdef DEBUG_KEXDH - fprintf(stderr, "\ndh_server_pub= "); - BN_print_fp(stderr, dh_server_pub); - fprintf(stderr, "\n"); - debug("bits %d", BN_num_bits(dh_server_pub)); -#endif - - /* signed H */ - signature = packet_get_string(&slen); - packet_done(); - - if (!dh_pub_is_valid(dh, dh_server_pub)) - packet_disconnect("bad server public DH value"); - - klen = DH_size(dh); - kbuf = xmalloc(klen); - kout = DH_compute_key(kbuf, dh_server_pub, dh); -#ifdef DEBUG_KEXDH - debug("shared secret: len %d/%d", klen, kout); - fprintf(stderr, "shared secret == "); - for (i = 0; i< kout; i++) - fprintf(stderr, "%02x", (kbuf[i])&0xff); - fprintf(stderr, "\n"); -#endif - shared_secret = BN_new(); - - BN_bin2bn(kbuf, kout, shared_secret); - memset(kbuf, 0, klen); - xfree(kbuf); - - /* calc and verify H */ - hash = kex_hash_gex( - client_version_string, - server_version_string, - buffer_ptr(client_kexinit), buffer_len(client_kexinit), - buffer_ptr(server_kexinit), buffer_len(server_kexinit), - server_host_key_blob, sbloblen, - nbits, dh->p, dh->g, - dh->pub_key, - dh_server_pub, - shared_secret - ); - xfree(server_host_key_blob); - DH_free(dh); - BN_free(dh_server_pub); -#ifdef DEBUG_KEXDH - fprintf(stderr, "hash == "); - for (i = 0; i< 20; i++) - fprintf(stderr, "%02x", (hash[i])&0xff); - fprintf(stderr, "\n"); -#endif - if (key_verify(server_host_key, (u_char *)signature, slen, hash, 20) != 1) - fatal("key_verify failed for server_host_key"); - 
key_free(server_host_key); - xfree(signature); - - kex_derive_keys(kex, hash, shared_secret); - BN_clear_free(shared_secret); - packet_set_kex(kex); - - /* save session id */ - session_id2_len = 20; - session_id2 = xmalloc(session_id2_len); - memcpy(session_id2, hash, session_id2_len); + debug("done: ssh_kex2."); } /* @@ -463,15 +151,20 @@ struct Authctxt { const char *server_user; + const char *local_user; const char *host; const char *service; - AuthenticationConnection *agent; Authmethod *method; int success; char *authlist; + /* pubkey */ Key *last_key; sign_cb_fn *last_key_sign; int last_key_hint; + AuthenticationConnection *agent; + /* hostbased */ + Key **keys; + int nkeys; }; struct Authmethod { char *name; /* string to compare against server's list */ @@ -491,6 +184,7 @@ int userauth_pubkey(Authctxt *authctxt); int userauth_passwd(Authctxt *authctxt); int userauth_kbdint(Authctxt *authctxt); +int userauth_hostbased(Authctxt *authctxt); void userauth(Authctxt *authctxt, char *authlist); @@ -516,6 +210,10 @@ userauth_kbdint, &options.kbd_interactive_authentication, &options.batch_mode}, + {"hostbased", + userauth_hostbased, + &options.hostbased_authentication, + NULL}, {"none", userauth_none, NULL, @@ -524,7 +222,8 @@ }; void -ssh_userauth2(const char *server_user, char *host) +ssh_userauth2(const char *local_user, const char *server_user, char *host, + Key **keys, int nkeys) { Authctxt authctxt; int type; @@ -558,11 +257,14 @@ /* setup authentication context */ authctxt.agent = ssh_get_authentication_connection(); authctxt.server_user = server_user; + authctxt.local_user = local_user; authctxt.host = host; authctxt.service = "ssh-connection"; /* service name */ authctxt.success = 0; authctxt.method = authmethod_lookup("none"); authctxt.authlist = NULL; + authctxt.keys = keys; + authctxt.nkeys = nkeys; if (authctxt.method == NULL) fatal("ssh_userauth2: internal error: cannot send userauth none request"); 
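Review bot: The new `Key **keys; int nkeys;` members of struct Authctxt (@@ -463) carry an ownership rule the struct does not state: userauth_hostbased() in this diff picks the first non-RSA1 entry, sets `authctxt->keys[i] = NULL` and key_free()s it after signing, so the caller's array is mutated and partially consumed during authentication. Replace the bare `/* hostbased */` with something like `/* hostbased: host keys; entries are taken (NULLed) and freed by userauth_hostbased() */`. The `/* pubkey */` group would benefit from the same treatment for `last_key`, whose ownership is not visible here.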
@@ -659,7 +361,7 @@ Authctxt *authctxt = ctxt; Key *key = NULL; Buffer b; - int alen, blen, pktype, sent = 0; + int alen, blen, sent = 0; char *pkalg, *pkblob, *fp; if (authctxt == NULL) @@ -687,7 +389,7 @@ debug("no last key or no sign cb"); break; } - if ((pktype = key_type_from_name(pkalg)) == KEY_UNSPEC) { + if (key_type_from_name(pkalg) == KEY_UNSPEC) { debug("unknown pkalg %s", pkalg); break; } @@ -898,26 +600,24 @@ { Key *private; char prompt[300], *passphrase; - int success = 0, quit, i; + int quit, i; struct stat st; if (stat(filename, &st) < 0) { debug3("no such identity: %s", filename); return NULL; } - private = key_new(KEY_UNSPEC); - if (!load_private_key(filename, "", private, NULL)) { - if (options.batch_mode) { - key_free(private); + private = key_load_private_type(KEY_UNSPEC, filename, "", NULL); + if (private == NULL) { + if (options.batch_mode) return NULL; - } snprintf(prompt, sizeof prompt, "Enter passphrase for key '%.100s': ", filename); for (i = 0; i < options.number_of_password_prompts; i++) { passphrase = read_passphrase(prompt, 0); if (strcmp(passphrase, "") != 0) { - success = load_private_key(filename, - passphrase, private, NULL); + private = key_load_private_type(KEY_UNSPEC, filename, + passphrase, NULL); quit = 0; } else { debug2("no passphrase given, try next key"); @@ -925,14 +625,10 @@ } memset(passphrase, 0, strlen(passphrase)); xfree(passphrase); - if (success || quit) + if (private != NULL || quit) break; debug2("bad passphrase given, try again..."); } - if (!success) { - key_free(private); - return NULL; - } } return private; } @@ -964,7 +660,7 @@ int key_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp, u_char *data, int datalen) { - return key_sign(key, sigp, lenp, data, datalen); + return key_sign(key, sigp, lenp, data, datalen); } int 
@@ -1108,6 +804,95 @@ packet_send(); } +/* + * this will be move to an external program (ssh-keysign) ASAP. ssh-keysign + * will be setuid-root and the sbit can be removed from /usr/bin/ssh. + */ +int +userauth_hostbased(Authctxt *authctxt) +{ + Key *private = NULL; + Buffer b; + u_char *signature, *blob; + char *chost, *pkalg, *p; + const char *service; + u_int blen, slen; + int ok, i, len, found = 0; + + p = get_local_name(packet_get_connection_in()); + if (p == NULL) { + error("userauth_hostbased: cannot get local ipaddr/name"); + return 0; + } + len = strlen(p) + 2; + chost = xmalloc(len); + strlcpy(chost, p, len); + strlcat(chost, ".", len); + debug2("userauth_hostbased: chost %s", chost); + /* check for a useful key */ + for (i = 0; i < authctxt->nkeys; i++) { + private = authctxt->keys[i]; + if (private && private->type != KEY_RSA1) { + found = 1; + /* we take and free the key */ + authctxt->keys[i] = NULL; + break; + } + } + if (!found) { + xfree(chost); + return 0; + } + if (key_to_blob(private, &blob, &blen) == 0) { + key_free(private); + xfree(chost); + return 0; + } + service = datafellows & SSH_BUG_HBSERVICE ? 
"ssh-userauth" : + authctxt->service; + pkalg = xstrdup(key_ssh_name(private)); + buffer_init(&b); + /* construct data */ + buffer_put_string(&b, session_id2, session_id2_len); + buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); + buffer_put_cstring(&b, authctxt->server_user); + buffer_put_cstring(&b, service); + buffer_put_cstring(&b, authctxt->method->name); + buffer_put_cstring(&b, pkalg); + buffer_put_string(&b, blob, blen); + buffer_put_cstring(&b, chost); + buffer_put_cstring(&b, authctxt->local_user); +#ifdef DEBUG_PK + buffer_dump(&b); +#endif + debug2("xxx: chost %s", chost); + ok = key_sign(private, &signature, &slen, buffer_ptr(&b), buffer_len(&b)); + key_free(private); + buffer_free(&b); + if (ok != 0) { + error("key_sign failed"); + xfree(chost); + xfree(pkalg); + return 0; + } + packet_start(SSH2_MSG_USERAUTH_REQUEST); + packet_put_cstring(authctxt->server_user); + packet_put_cstring(authctxt->service); + packet_put_cstring(authctxt->method->name); + packet_put_cstring(pkalg); + packet_put_string(blob, blen); + packet_put_cstring(chost); + packet_put_cstring(authctxt->local_user); + packet_put_string(signature, slen); + memset(signature, 's', slen); + xfree(signature); + xfree(chost); + xfree(pkalg); + + packet_send(); + return 1; +} + /* find auth method */ /* @@ -1147,7 +932,7 @@ /* * Given the authentication method list sent by the server, return the * next method we should try. If the server initially sends a nil list, - * use a built-in default list. + * use a built-in default list. */ Authmethod * authmethod_get(char *authlist) diff -ru openssh-2.5.2p2/sshd.0 openssh-2.9p1/sshd.0 --- openssh-2.5.2p2/sshd.0 2001-03-22 16:07:08.000000000 +1100 +++ openssh-2.9p1/sshd.0 2001-04-29 22:40:34.000000000 +1000 
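Review bot: `blob` from `key_to_blob(private, &blob, &blen)` is never freed in userauth_hostbased(): key_to_blob() allocates the blob it returns (key.c, not in this diff), and neither the `key_sign failed` path nor the success path after `packet_put_string(blob, blen);` releases it, so every hostbased attempt leaks the public-key blob; add `xfree(blob);` next to the `xfree(chost);` on both paths. The signed data uses `service` (which becomes "ssh-userauth" under SSH_BUG_HBSERVICE) while the packet carries `authctxt->service`; that asymmetry looks like deliberate compat handling but deserves a comment, e.g. `/* SSH_BUG_HBSERVICE peers sign over "ssh-userauth" but still expect the real service name on the wire */`. `debug2("xxx: chost %s", chost);` duplicates the `userauth_hostbased: chost` debug above it and reads as a leftover.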
@@ -2,47 +2,47 @@ SSHD(8) System Manager's Manual SSHD(8) NAME - sshd - OpenSSH ssh daemon + sshd - OpenSSH SSH daemon SYNOPSIS - sshd [-diqD46] [-b bits] [-f config_file] [-g login_grace_time] [-h + sshd [-deiqD46] [-b bits] [-f config_file] [-g login_grace_time] [-h host_key_file] [-k key_gen_time] [-p port] [-u len] [-V client_protocol_id] DESCRIPTION - sshd (SSH Daemon) is the daemon program for ssh(1). Together these pro- + sshd (SSH Daemon) is the daemon program for ssh(1). Together these proM-- grams replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. The programs are intended to be as easy to install and use as possible. - sshd is the daemon that listens for connections from clients. It is nor- - mally started at boot from /etc/rc. It forks a new daemon for each incom- - ing connection. The forked daemons handle key exchange, encryption, au- + sshd is the daemon that listens for connections from clients. It is norM-- + mally started at boot from /etc/rc. It forks a new daemon for each incomM-- + ing connection. The forked daemons handle key exchange, encryption, auM-- thentication, command execution, and data exchange. This implementation of sshd supports both SSH protocol version 1 and 2 simultaneously. sshd works as follows. SSH protocol version 1 - Each host has a host-specific RSA key (normally 1024 bits) used to iden- + Each host has a host-specific RSA key (normally 1024 bits) used to idenM-- tify the host. Additionally, when the daemon starts, it generates a - server RSA key (normally 768 bits). This key is normally regenerated ev- + server RSA key (normally 768 bits). This key is normally regenerated evM-- ery hour if it has been used, and is never stored on disk. Whenever a client connects the daemon responds with its public host and server keys. The client compares the RSA host key against its own database to verify that it has not changed. 
The client then generates a 256 bit random number. It encrypts this random number using both the - host key and the server key, and sends the encrypted number to the serv- + host key and the server key, and sends the encrypted number to the servM-- er. Both sides then use this random number as a session key which is used to encrypt all further communications in the session. The rest of the session is encrypted using a conventional cipher, currently Blowfish - or 3DES, with 3DES being used by default. The client selects the encryp- + or 3DES, with 3DES being used by default. The client selects the encrypM-- tion algorithm to use from those offered by the server. Next, the server and the client enter an authentication dialog. The client tries to authenticate itself using .rhosts authentication, .rhosts - authentication combined with RSA host authentication, RSA challenge-re- + authentication combined with RSA host authentication, RSA challenge-reM-- sponse authentication, or password based authentication. Rhosts authentication is normally disabled because it is fundamentally 
@@ -56,16 +56,18 @@ Version 2 works similarly: Each host has a host-specific DSA key used to identify the host. However, when the daemon starts, it does not generate a server key. Forward security is provided through a Diffie-Hellman key - agreement. This key agreement results in a shared session key. The rest - of the session is encrypted using a symmetric cipher, currently Blowfish, - 3DES, CAST128, Arcfour, 128 bit AES, or 256 bit AES. The client selects - the encryption algorithm to use from those offered by the server. Addi- - tionally, session integrity is provided through a cryptographic message - authentication code (hmac-sha1 or hmac-md5). + agreement. This key agreement results in a shared session key. - - Protocol version 2 provides a public key based user authentication method - (PubkeyAuthentication) and conventional password authentication. + The rest of the session is encrypted using a symmetric cipher, currently + 128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit + AES. The client selects the encryption algorithm to use from those ofM-- + fered by the server. Additionally, session integrity is provided through + a cryptographic message authentication code (hmac-sha1 or hmac-md5). + + Protocol version 2 provides a public key based user (PubkeyAuthenticaM-- + tion) or client host (HostbasedAuthentication) authentication method, + conventional password authentication and challenge response based methM-- + ods. Command execution and data forwarding 
@@ -80,12 +82,12 @@ data at any time, and such data is forwarded to/from the shell or command on the server side, and the user terminal in the client side. - When the user program terminates and all forwarded X11 and other connec- + When the user program terminates and all forwarded X11 and other connecM-- tions have been closed, the server sends command exit status to the client, and both sides exit. sshd can be configured using command-line options or a configuration - file. Command-line options override values specified in the configura- + file. Command-line options override values specified in the configuraM-- tion file. sshd rereads its configuration file when it receives a hangup signal, 
@@ -95,21 +97,25 @@ The options are as follows: -b bits - Specifies the number of bits in the server key (default 768). + Specifies the number of bits in the ephemeral protocol version 1 + server key (default 768). -d Debug mode. The server sends verbose debug output to the system log, and does not put itself in the background. The server also will not fork and will only process one connection. This option - is only intended for debugging for the server. Multiple -d op- - tions increases the debugging level. Maximum is 3. + is only intended for debugging for the server. Multiple -d opM-- + tions increase the debugging level. Maximum is 3. + + -e When this option is specified, sshd will send the output to the + standard error instead of the system log. -f configuration_file Specifies the name of the configuration file. The default is - /etc/sshd_config. sshd refuses to start if there is no configura- + /etc/sshd_config. sshd refuses to start if there is no configuraM-- tion file. -g login_grace_time - Gives the grace time for clients to authenticate themselves (de- + Gives the grace time for clients to authenticate themselves (deM-- fault 600 seconds). If the client fails to authenticate the user within this many seconds, the server disconnects and exits. A value of zero indicates no limit. 
@@ -117,38 +123,38 @@ -h host_key_file Specifies the file from which the host key is read (default /etc/ssh_host_key). This option must be given if sshd is not run - as root (as the normal host file is normally not readable by any- + as root (as the normal host file is normally not readable by anyM-- one but root). It is possible to have multiple host key files - for the different protocol versions. + for the different protocol versions and host key algorithms. -i Specifies that sshd is being run from inetd. sshd is normally not run from inetd because it needs to generate the server key before it can respond to the client, and this may take tens of - seconds. Clients would have to wait too long if the key was re- + seconds. Clients would have to wait too long if the key was reM-- generated every time. However, with small key sizes (e.g., 512) using sshd from inetd may be feasible. -k key_gen_time - Specifies how often the server key is regenerated (default 3600 - seconds, or one hour). The motivation for regenerating the key - fairly often is that the key is not stored anywhere, and after - about an hour, it becomes impossible to recover the key for de- - crypting intercepted communications even if the machine is - cracked into or physically seized. A value of zero indicates - that the key will never be regenerated. + Specifies how often the ephemeral protocol version 1 server key + is regenerated (default 3600 seconds, or one hour). The motivaM-- + tion for regenerating the key fairly often is that the key is not + stored anywhere, and after about an hour, it becomes impossible + to recover the key for decrypting intercepted communications even + if the machine is cracked into or physically seized. A value of + zero indicates that the key will never be regenerated. -p port Specifies the port on which the server listens for connections (default 22). - -q Quiet mode. Nothing is sent to the system log. Normally the be- + -q Quiet mode. 
Nothing is sent to the system log. Normally the beM-- ginning, authentication, and termination of each connection is logged. -u len This option is used to specify the size of the field in the utmp structure that holds the remote host name. If the resolved host name is longer than len, the dotted decimal value will be used - instead. This allows hosts with very long host names that over- + instead. This allows hosts with very long host names that overM-- flow this field to still be uniquely identified. Specifying -u0 indicates that only dotted decimal addresses should be put into the utmp file. @@ -156,20 +162,14 @@ -D When this option is specified sshd will not detach and does not become a daemon. This allows easy monitoring of sshd. - -V client_protocol_id - SSH-2 compatibility mode. When this option is specified sshd as- - sumes the client has sent the supplied version string and skips - the Protocol Version Identification Exchange. This option is not - intended to be called directly. - -4 Forces sshd to use IPv4 addresses only. -6 Forces sshd to use IPv6 addresses only. CONFIGURATION FILE - sshd reads configuration data from /etc/sshd_config (or the file speci- + sshd reads configuration data from /etc/sshd_config (or the file speciM-- fied with -f on the command line). The file contains keyword-value - pairs, one per line. Lines starting with `#' and empty lines are inter- + pairs, one per line. Lines starting with `#' and empty lines are interM-- preted as comments. The following keywords are possible. 
@@ -181,27 +181,27 @@ AllowGroups This keyword can be followed by a list of group names, separated by spaces. If specified, login is allowed only for users whose - primary group or supplementary group list matches one of the pat- + primary group or supplementary group list matches one of the patM-- terns. `*' and `?' can be used as wildcards in the patterns. - Only group names are valid; a numerical group ID isn't recog- + Only group names are valid; a numerical group ID isn't recogM-- nized. By default login is allowed regardless of the group list. AllowTcpForwarding Specifies whether TCP forwarding is permitted. The default is - ``yes''. Note that disabling TCP forwarding does not improve se- - curity unless users are also denied shell access, as they can al- + ``yes''. Note that disabling TCP forwarding does not improve seM-- + curity unless users are also denied shell access, as they can alM-- ways install their own forwarders. AllowUsers This keyword can be followed by a list of user names, separated by spaces. If specified, login is allowed only for users names - that match one of the patterns. `*' and `?' can be used as wild- + that match one of the patterns. `*' and `?' can be used as wildM-- cards in the patterns. Only user names are valid; a numerical user ID isn't recognized. By default login is allowed regardless of the user name. - Banner In some jurisdictions, sending a warning message before authenti- - cation may be relevant for getting legal protection. The con- + Banner In some jurisdictions, sending a warning message before authentiM-- + cation may be relevant for getting legal protection. The conM-- tents of the specified file are sent to the remote user before authentication is allowed. This option is only available for protocol version 2. 
@@ -220,19 +220,43 @@ Specifies whether sshd should check for new mail for interactive logins. The default is ``no''. + ClientAliveInterval + Sets a timeout interval in seconds after which if no data has + been received from the client, sshd will send a message through + the encrypted channel to request a response from the client. The + default is 0, indicating that these messages will not be sent to + the client. This option applies to protocol version 2 only. + + ClientAliveCountMax + Sets the number of client alive messages (see above) which may be + sent without sshd receiving any messages back from the client. If + this threshold is reached while client alive messages are being + sent, sshd will disconnect the client, terminating the session. + It is important to note that the use of client alive messages is + very different from Keepalive (below). The client alive messages + are sent through the encrypted channel and therefore will not be + spoofable. The TCP keepalive option enabled by Keepalive is + spoofable. You want to use the client alive mechanism when you + are basing something important on clients having an active conM-- + nection to the server. + + The default value is 3. If you set ClientAliveInterval (above) to + 15, and leave this value at the default, unresponsive ssh clients + will be disconnected after approximately 45 seconds. + DenyGroups - This keyword can be followed by a number of group names, separat- + This keyword can be followed by a number of group names, separatM-- ed by spaces. Users whose primary group or supplementary group list matches one of the patterns aren't allowed to log in. `*' and `?' can be used as wildcards in the patterns. Only group - names are valid; a numerical group ID isn't recognized. By de- + names are valid; a numerical group ID isn't recognized. By deM-- fault login is allowed regardless of the group list. DenyUsers This keyword can be followed by a number of user names, separated by spaces. 
Login is disallowed for user names that match one of - the patterns. `*' and `?' can be used as wildcards in the pat- - terns. Only user names are valid; a numerical user ID isn't rec- + the patterns. `*' and `?' can be used as wildcards in the patM-- + terns. Only user names are valid; a numerical user ID isn't recM-- ognized. By default login is allowed regardless of the user name. 
@@ -241,29 +265,39 @@ forwarded for the client. The argument must be ``yes'' or ``no''. The default is ``no''. + HostbasedAuthentication + Specifies whether rhosts or /etc/hosts.equiv authentication toM-- + gether with successful public key client host authentication is + allowed (hostbased authentication). This option is similar to + RhostsRSAAuthentication and applies to protocol version 2 only. + The default is ``no''. + HostKey Specifies the file containing the private host keys (default /etc/ssh_host_key) used by SSH protocol versions 1 and 2. Note - that sshd will refuse to use a file if it is group/world-accessi- + that sshd will refuse to use a file if it is group/world-accessiM-- ble. It is possible to have multiple host key files. ``rsa1'' keys are used for version 1 and ``dsa'' or ``rsa'' are used for version 2 of the SSH protocol. IgnoreRhosts - Specifies that .rhosts and .shosts files will not be used in au- - thentication. /etc/hosts.equiv and /etc/shosts.equiv are still - used. The default is ``yes''. + Specifies that .rhosts and .shosts files will not be used in + RhostsAuthentication, RhostsRSAAuthentication or + HostbasedAuthentication. + + /etc/hosts.equiv and /etc/shosts.equiv are still used. The deM-- + fault is ``yes''. IgnoreUserKnownHosts Specifies whether sshd should ignore the user's - $HOME/.ssh/known_hosts during RhostsRSAAuthentication. The de- - fault is ``no''. + $HOME/.ssh/known_hosts during RhostsRSAAuthentication or + HostbasedAuthentication. The default is ``no''. KeepAlive Specifies whether the system should send keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, - this means that connections will die if the route is down tem- + this means that connections will die if the route is down temM-- porarily, and some people find it annoying. 
On the other hand, if keepalives are not sent, sessions may hang indefinitely on the server, leaving ``ghost'' users and consuming server resources. @@ -280,7 +314,7 @@ be in the form of a Kerberos ticket, or if PasswordAuthentication is yes, the password provided by the user will be validated through the Kerberos KDC. To use this option, the server needs a - Kerberos servtab which allows the verification of the KDC's iden- + Kerberos servtab which allows the verification of the KDC's idenM-- tity. Default is ``yes''. KerberosOrLocalPasswd @@ -291,6 +325,8 @@ KerberosTgtPassing Specifies whether a Kerberos TGT may be forwarded to the server. Default is ``no'', as this only works when the Kerberos KDC is + + actually an AFS kaserver. KerberosTicketCleanup 
@@ -298,57 +334,71 @@ cache file on logout. Default is ``yes''. KeyRegenerationInterval - The server key is automatically regenerated after this many sec- - onds (if it has been used). The purpose of regeneration is to - prevent decrypting captured sessions by later breaking into the - machine and stealing the keys. The key is never stored anywhere. - If the value is 0, the key is never regenerated. The default is - 3600 (seconds). + In protocol version 1, the ephemeral server key is automatically + regenerated after this many seconds (if it has been used). The + purpose of regeneration is to prevent decrypting captured sesM-- + sions by later breaking into the machine and stealing the keys. + The key is never stored anywhere. If the value is 0, the key is + never regenerated. The default is 3600 (seconds). ListenAddress - Specifies what local address sshd should listen on. The default - is to listen to all local addresses. Multiple options of this - type are permitted. Additionally, the Ports options must precede - this option. + Specifies the local addresses sshd should listen on. The followM-- + ing forms may be used: + + ListenAddress host|IPv4_addr|IPv6_addr + ListenAddress host|IPv4_addr:port + ListenAddress [host|IPv6_addr]:port + + If port is not specified, sshd will listen on the address and all + prior Port options specified. The default is to listen on all loM-- + cal addresses. Multiple ListenAddress options are permitted. AdM-- + ditionally, any Port options must precede this option for non + port qualified addresses. LoginGraceTime - The server disconnects after this time if the user has not suc- + The server disconnects after this time if the user has not sucM-- cessfully logged in. If the value is 0, there is no time limit. The default is 600 (seconds). LogLevel Gives the verbosity level that is used when logging messages from sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE - and DEBUG. The default is INFO. 
Logging with level DEBUG vio- + and DEBUG. The default is INFO. Logging with level DEBUG vioM-- lates the privacy of users and is not recommended. - MACs Specifies the available MAC (message authentication code) algo- + MACs Specifies the available MAC (message authentication code) algoM-- rithms. The MAC algorithm is used in protocol version 2 for data - integrity protection. Multiple algorithms must be comma-separat- + integrity protection. Multiple algorithms must be comma-separatM-- ed. The default is - ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com, hmac-sha1-96,hmac-md5-96'' MaxStartups - Specifies the maximum number of concurrent unauthenticated con- + Specifies the maximum number of concurrent unauthenticated conM-- nections to the sshd daemon. Additional connections will be - dropped until authentication succeeds or the LoginGraceTime ex- + dropped until authentication succeeds or the LoginGraceTime exM-- pires for a connection. The default is 10. Alternatively, random early drop can be enabled by specifying the three colon separated values ``start:rate:full'' (e.g., - "10:30:60"). sshd will refuse connection attempts with a proba- + "10:30:60"). sshd will refuse connection attempts with a probaM-- bility of ``rate/100'' (30%) if there are currently ``start'' - (10) unauthenticated connections. The probability increases lin- + (10) unauthenticated connections. The probability increases linM-- early and all connection attempts are refused if the number of unauthenticated connections reaches ``full'' (60). + PAMAuthenticationViaKbdInt + Specifies whether PAM challenge response authentication is alM-- + lowed. This allows the use of most PAM challenge response authenM-- + tication modules, but it will allow password authentication reM-- + gardless of whether PasswordAuthentication is disabled. The deM-- + + fault is ``no''. + PasswordAuthentication - Specifies whether password authentication is allowed. The de- - fault is ``yes''. 
Note that this option applies to both protocol - versions 1 and 2. + Specifies whether password authentication is allowed. The deM-- + fault is ``yes''. PermitEmptyPasswords When password authentication is allowed, it specifies whether the @@ -360,7 +410,7 @@ be ``yes'', ``without-password'', ``forced-commands-only'' or ``no''. The default is ``yes''. - If this option is set to ``without-password'' password authenti- + If this option is set to ``without-password'' password authentiM-- cation is disabled for root. If this option is set to ``forced-commands-only'' root login with @@ -376,7 +426,12 @@ sshd daemon. The default is /var/run/sshd.pid. Port Specifies the port number that sshd listens on. The default is - 22. Multiple options of this type are permitted. + 22. Multiple options of this type are permitted. See also + ListenAddress. + + PrintLastLog + Specifies whether sshd should print the date and time when the + user last logged in. The default is ``yes''. PrintMotd Specifies whether sshd should print /etc/motd when a user logs in @@ -384,15 +439,13 @@ /etc/profile, or equivalent.) The default is ``yes''. Protocol - Specifies the protocol versions sshd should support. The possi- + Specifies the protocol versions sshd should support. The possiM-- ble values are ``1'' and ``2''. Multiple versions must be comma- - separated. The default is ``1''. + separated. The default is ``2,1''. PubkeyAuthentication - Specifies whether public key authentication is allowed. The de- - fault is ``yes''. Note that this option applies to protocol ver- - - + Specifies whether public key authentication is allowed. The deM-- + fault is ``yes''. Note that this option applies to protocol verM-- sion 2 only. ReverseMappingCheck 
@@ -402,25 +455,26 @@ RhostsAuthentication Specifies whether authentication using rhosts or /etc/hosts.equiv - files is sufficient. Normally, this method should not be permit- + files is sufficient. Normally, this method should not be permitM-- ted because it is insecure. RhostsRSAAuthentication should be used instead, because it performs RSA-based host authentication in addition to normal rhosts or /etc/hosts.equiv authentication. - The default is ``no''. + The default is ``no''. This option applies to protocol version 1 + only. RhostsRSAAuthentication - Specifies whether rhosts or /etc/hosts.equiv authentication to- + Specifies whether rhosts or /etc/hosts.equiv authentication toM-- gether with successful RSA host authentication is allowed. The - default is ``no''. + default is ``no''. This option applies to protocol version 1 onM-- + ly. RSAAuthentication - Specifies whether pure RSA authentication is allowed. The de- - fault is ``yes''. Note that this option applies to protocol ver- - sion 1 only. + Specifies whether pure RSA authentication is allowed. The deM-- + fault is ``yes''. This option applies to protocol version 1 only. ServerKeyBits - Defines the number of bits in the server key. The minimum value - is 512, and the default is 768. + Defines the number of bits in the ephemeral protocol version 1 + server key. The minimum value is 512, and the default is 768. StrictModes Specifies whether sshd should check file modes and ownership of 
@@ -431,34 +485,32 @@ Subsystem Configures an external subsystem (e.g., file transfer daemon). - Arguments should be a subsystem name and a command to execute up- + Arguments should be a subsystem name and a command to execute upM-- on subsystem request. The command sftp-server(8) implements the ``sftp'' file transfer subsystem. By default no subsystems are - defined. Note that this option applies to protocol version 2 on- + defined. Note that this option applies to protocol version 2 onM-- ly. SyslogFacility Gives the facility code that is used when logging messages from - sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, LO- - CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- + sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOM-- + CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The deM-- fault is AUTH. UseLogin - Specifies whether login(1) is used for interactive login ses- - sions. Note that login(1) is never used for remote command exe- + Specifies whether login(1) is used for interactive login sesM-- + sions. Note that login(1) is never used for remote command exeM-- cution. The default is ``no''. X11DisplayOffset - Specifies the first display number available for sshd's X11 for- + Specifies the first display number available for sshd's X11 forM-- warding. This prevents sshd from interfering with real X11 servers. The default is 10. X11Forwarding Specifies whether X11 forwarding is permitted. The default is - ``no''. Note that disabling X11 forwarding does not improve secu- - rity in any way, as users can always install their own for- - - + ``no''. Note that disabling X11 forwarding does not improve secuM-- + rity in any way, as users can always install their own forM-- warders. XAuthLocation 
@@ -470,7 +522,9 @@ 1. If the login is on a tty, and no command has been specified, prints last login time and /etc/motd (unless prevented in the - configuration file or by $HOME/.hushlogin; see the FILES sec- + configuration file or by $HOME/.hushlogin; see the FILES secM-- + + tion). 2. If the login is on a tty, records login time. 
@@ -494,29 +548,30 @@ AUTHORIZED_KEYS FILE FORMAT The $HOME/.ssh/authorized_keys file lists the RSA keys that are permitted - for RSA authentication in SSH protocols 1.3 and 1.5 Similarly, the - $HOME/.ssh/authorized_keys2 file lists the DSA and RSA keys that are per- - mitted for public key authentication (PubkeyAuthentication) in SSH proto- - col 2.0. + for RSA authentication in protocol version 1 Similarly, the + $HOME/.ssh/authorized_keys2 file lists the DSA and RSA keys that are perM-- + mitted for public key authentication (PubkeyAuthentication) in protocol + version 2. Each line of the file contains one key (empty lines and lines starting with a `#' are ignored as comments). Each RSA public key consists of the following fields, separated by spaces: options, bits, exponent, modulus, - comment. Each protocol version 2 public key consists of: options, key- + comment. Each protocol version 2 public key consists of: options, keyM-- type, base64 encoded key, comment. The options fields are optional; its presence is determined by whether the line starts with a number or not - (the option field never starts with a number). The bits, exponent, modu- - lus and comment fields give the RSA key for protocol version 1; the com- + (the option field never starts with a number). The bits, exponent, moduM-- + lus and comment fields give the RSA key for protocol version 1; the comM-- ment field is not used for anything (but may be convenient for the user to identify the key). For protocol version 2 the keytype is ``ssh-dss'' or ``ssh-rsa''. - Note that lines in this file are usually several hundred bytes long (be- + Note that lines in this file are usually several hundred bytes long (beM-- cause of the size of the RSA key modulus). You don't want to type them - in; instead, copy the identity.pub or the id_dsa.pub file and edit it. + in; instead, copy the identity.pub, id_dsa.pub or the id_rsa.pub file and + edit it. 
- The options (if present) consist of comma-separated option specifica- - tions. No spaces are permitted, except within double quotes. The fol- + The options (if present) consist of comma-separated option specificaM-- + tions. No spaces are permitted, except within double quotes. The folM-- lowing option specifications are supported: from="pattern-list" @@ -524,8 +579,8 @@ name of the remote host must be present in the comma-separated list of patterns (`*' and `?' serve as wildcards). The list may also contain patterns negated by prefixing them with `!'; if the - canonical host name matches a negated pattern, the key is not ac- - cepted. The purpose of this option is to optionally increase se- + canonical host name matches a negated pattern, the key is not acM-- + cepted. The purpose of this option is to optionally increase seM-- curity: RSA authentication by itself does not trust the network or name servers or anything (but the key); however, if somebody somehow steals the key, the key permits an intruder to log in @@ -538,12 +593,12 @@ for authentication. The command supplied by the user (if any) is ignored. The command is run on a pty if the connection requests a pty; otherwise it is run without a tty. Note that if you want - a 8-bit clean channel, you must not request a pty or should spec- + a 8-bit clean channel, you must not request a pty or should specM-- ify no-pty. A quote may be included in the command by quoting it - with a backslash. This option might be useful to restrict cer- + with a backslash. This option might be useful to restrict cerM-- tain RSA keys to perform just a specific operation. An example might be a key that permits remote backups but nothing else. - Note that the client may specify TCP/IP and/or X11 forwarding un- + Note that the client may specify TCP/IP and/or X11 forwarding unM-- less they are explicitly prohibited. environment="NAME=value" 
@@ -553,8 +608,8 @@ this type are permitted. no-port-forwarding - Forbids TCP/IP forwarding when this key is used for authentica- - tion. Any port forward requests by the client will return an er- + Forbids TCP/IP forwarding when this key is used for authenticaM-- + tion. Any port forward requests by the client will return an erM-- ror. This might be used, e.g., in connection with the command option. @@ -569,9 +624,9 @@ no-pty Prevents tty allocation (a request to allocate a pty will fail). permitopen="host:port" - Limit local ``ssh -L'' port-forwading such that it may only con- + Limit local ``ssh -L'' port forwarding such that it may only conM-- nect to the specified host and port. Multiple permitopen options - may be applied seperated by commas. No pattern matching is per- + may be applied separated by commas. No pattern matching is perM-- formed on the specified hostnames, they must be literal domains or addresses. @@ -580,7 +635,7 @@ from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula - command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 back- + command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backM-- up.hut.fi permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 
@@ -588,31 +643,32 @@ SSH_KNOWN_HOSTS FILE FORMAT The /etc/ssh_known_hosts, /etc/ssh_known_hosts2, $HOME/.ssh/known_hosts, and $HOME/.ssh/known_hosts2 files contain host public keys for all known - hosts. The global file should be prepared by the administrator (option- + hosts. The global file should be prepared by the administrator (optionM-- al), and the per-user file is maintained automatically: whenever the user connects from an unknown host its key is added to the per-user file. Each line in these files contains the following fields: hostnames, bits, exponent, modulus, comment. The fields are separated by spaces. - Hostnames is a comma-separated list of patterns ('*' and '?' act as wild- + Hostnames is a comma-separated list of patterns ('*' and '?' act as wildM-- cards); each pattern in turn is matched against the canonical host name (when authenticating a client) or against the user-supplied name (when - authenticating a server). A pattern may also be preceded by `!' to indi- - cate negation: if the host name matches a negated pattern, it is not ac- + authenticating a server). A pattern may also be preceded by `!' to indiM-- + cate negation: if the host name matches a negated pattern, it is not acM-- cepted (by that line) even if it matched another pattern on the line. + Bits, exponent, and modulus are taken directly from the RSA host key; - they can be obtained, e.g., from /etc/ssh_host_key.pub. The optional com- + they can be obtained, e.g., from /etc/ssh_host_key.pub. The optional comM-- ment field continues to the end of the line, and is not used. Lines starting with `#' and empty lines are ignored as comments. When performing host authentication, authentication is accepted if any - matching line has the proper key. It is thus permissible (but not recom- + matching line has the proper key. It is thus permissible (but not recomM-- mended) to have several lines or different host keys for the same names. 
This will inevitably happen when short forms of host names from different - domains are put in the file. It is possible that the files contain con- + domains are put in the file. It is possible that the files contain conM-- flicting information; authentication is accepted if valid information can be found from either file. 
@@ -622,31 +678,30 @@ adding the host names at the front. Examples - closenet,closenet.hut.fi,...,130.233.208.41 1024 37 159...93 - closenet.hut.fi + + closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi + cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= FILES /etc/sshd_config Contains configuration data for sshd. This file should be - writable by root only, but it is recommended (though not neces- + writable by root only, but it is recommended (though not necesM-- sary) that it be world-readable. /etc/ssh_host_key, /etc/ssh_host_dsa_key, /etc/ssh_host_rsa_key - These three files contain the private parts of the (SSH1, SSH2 - DSA, and SSH2 RSA) host keys. These files should only be owned - by root, readable only by root, and not accessible to others. - Note that sshd does not start if this file is group/world-acces- - sible. + These three files contain the private parts of the host keys. + These files should only be owned by root, readable only by root, + and not accessible to others. Note that sshd does not start if + this file is group/world-accessible. /etc/ssh_host_key.pub, /etc/ssh_host_dsa_key.pub, /etc/ssh_host_rsa_key.pub - There three files contain the public parts of the (SSH1, SSH2 - DSA, and SSH2 RSA) host keys. These files should be world-read- - able but writable only by root. Their contents should match the - respective private parts. These files are not really used for - anything; they are provided for the convenience of the user so - their contents can be copied to known hosts files. These files - are created using ssh-keygen(1). + These three files contain the public parts of the host keys. + These files should be world-readable but writable only by root. + Their contents should match the respective private parts. These + files are not really used for anything; they are provided for the + convenience of the user so their contents can be copied to known + hosts files. These files are created using ssh-keygen(1). 
/etc/primes Contains Diffie-Hellman groups used for the "Diffie-Hellman Group 
@@ -655,30 +710,30 @@ /var/run/sshd.pid Contains the process ID of the sshd listening for connections (if there are several daemons running concurrently for different - ports, this contains the pid of the one started last). The con- - + ports, this contains the pid of the one started last). The conM-- tent of this file is not sensitive; it can be world-readable. $HOME/.ssh/authorized_keys - Lists the RSA keys that can be used to log into the user's ac- - count. This file must be readable by root (which may on some ma- + Lists the RSA keys that can be used to log into the user's acM-- + count. This file must be readable by root (which may on some maM-- chines imply it being world-readable if the user's home directory - resides on an NFS volume). It is recommended that it not be ac- + resides on an NFS volume). It is recommended that it not be acM-- cessible by others. The format of this file is described above. Users will place the contents of their identity.pub files into this file, as described in ssh-keygen(1). $HOME/.ssh/authorized_keys2 - Lists the DSA keys that can be used to log into the user's ac- - count. This file must be readable by root (which may on some ma- - chines imply it being world-readable if the user's home directory - resides on an NFS volume). It is recommended that it not be ac- - cessible by others. The format of this file is described above. - Users will place the contents of their id_dsa.pub files into this - file, as described in ssh-keygen(1). + Lists the public keys (RSA or DSA) that can be used to log into + the user's account. This file must be readable by root (which + may on some machines imply it being world-readable if the user's + home directory resides on an NFS volume). It is recommended that + it not be accessible by others. The format of this file is deM-- + scribed above. Users will place the contents of their id_dsa.pub + and/or id_rsa.pub files into this file, as described in ssh- + keygen(1). 
/etc/ssh_known_hosts and $HOME/.ssh/known_hosts - These files are consulted when using rhosts with RSA host authen- + These files are consulted when using rhosts with RSA host authenM-- tication to check the public key of the host. The key must be listed in one of these files to be accepted. The client uses the same files to verify that it is connecting to the correct remote @@ -686,6 +741,15 @@ /etc/ssh_known_hosts should be world-readable, and $HOME/.ssh/known_hosts can but need not be world-readable. + /etc/ssh_known_hosts2 and $HOME/.ssh/known_hosts2 + These files are consulted when using protocol version 2 hostbased + authentication to check the public key of the host. The key must + be listed in one of these files to be accepted. The client uses + the same files to verify that it is connecting to the correct reM-- + mote host. These files should be writable only by root/the ownM-- + er. /etc/ssh_known_hosts2 should be world-readable, and + $HOME/.ssh/known_hosts2 can but need not be world-readable. + /etc/nologin If this file exists, sshd refuses to let anyone except root log in. The contents of the file are displayed to anyone trying to @@ -700,7 +764,7 @@ This file contains host-username pairs, separated by a space, one per line. The given user on the corresponding host is permitted to log in without password. The same file is used by rlogind and - rshd. The file must be writable only by the user; it is recom- + rshd. The file must be writable only by the user; it is recomM-- mended that it not be accessible by others. If is also possible to use netgroups in the file. Either host or 
@@ -719,20 +783,19 @@ they have the same user name on both machines. The host name may also be followed by a user name; such users are permitted to log in as any user on this machine (except root). Additionally, the - syntax ``+@group'' can be used to specify netgroups. Negated en- + syntax ``+@group'' can be used to specify netgroups. Negated enM-- tries start with `-'. - - If the client host/user is successfully matched in this file, lo- - gin is automatically permitted provided the client and server us- - er names are the same. Additionally, successful RSA host authen- + If the client host/user is successfully matched in this file, loM-- + gin is automatically permitted provided the client and server usM-- + er names are the same. Additionally, successful RSA host authenM-- tication is normally required. This file must be writable only by root; it is recommended that it be world-readable. Warning: It is almost never a good idea to use user names in hosts.equiv. Beware that it really means that the named user(s) can log in as anybody, which includes bin, daemon, adm, and other - accounts that own critical binaries and directories. Using a us- + accounts that own critical binaries and directories. Using a usM-- er name practically grants the user root access. The only valid use for user names that I can think of is in negative entries. 
@@ -751,20 +814,23 @@ anyone else. $HOME/.ssh/rc - If this file exists, it is run with /bin/sh after reading the en- + If this file exists, it is run with /bin/sh after reading the enM-- vironment files but before starting the user's shell or command. If X11 spoofing is in use, this will receive the "proto cookie" pair in standard input (and DISPLAY in environment). This must call xauth(1) in that case. The primary purpose of this file is to run any initialization - routines which may be needed before the user's home directory be- - comes accessible; AFS is a particular example of such an environ- + routines which may be needed before the user's home directory beM-- + comes accessible; AFS is a particular example of such an environM-- ment. This file will probably contain some initialization code followed - by something similar to: "if read proto cookie; then echo add - $DISPLAY $proto $cookie | xauth -q -; fi". + by something similar to: + + if read proto cookie; then + echo add $DISPLAY $proto $cookie | xauth -q - + fi If this file does not exist, /etc/sshrc is run, and if that does not exist either, xauth is used to store the cookie. @@ -780,7 +846,7 @@ AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo - de Raadt and Dug Song removed many bugs, re-added newer features and cre- + de Raadt and Dug Song removed many bugs, re-added newer features and creM-- ated OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. 
@@ -788,4 +854,13 @@ scp(1), sftp(1), sftp-server(8), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), rlogin(1), rsh(1) -BSD Experimental September 25, 1999 12 + + T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH + Protocol Architecture, draft-ietf-secsh-architecture-07.txt, January + 2001, work in progress material. + + M. Friedl, N. Provos, and W. A. Simpson, Diffie-Hellman Group Exchange + for the SSH Transport Layer Protocol, draft-ietf-secsh-dh-group- + exchange-00.txt, January 2001, work in progress material. + +BSD Experimental September 25, 1999 14 diff -ru openssh-2.5.2p2/sshd.8 openssh-2.9p1/sshd.8 --- openssh-2.5.2p2/sshd.8 2001-03-19 23:16:08.000000000 +1100 +++ openssh-2.9p1/sshd.8 2001-04-25 22:44:16.000000000 +1000 @@ -34,16 +34,16 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.107 2001/03/19 12:10:17 djm Exp $ +.\" $OpenBSD: sshd.8,v 1.120 2001/04/22 23:58:36 markus Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os .Sh NAME .Nm sshd -.Nd OpenSSH ssh daemon +.Nd OpenSSH SSH daemon .Sh SYNOPSIS .Nm sshd -.Op Fl diqD46 +.Op Fl deiqD46 .Op Fl b Ar bits .Op Fl f Ar config_file .Op Fl g Ar login_grace_time @@ -134,8 +134,9 @@ However, when the daemon starts, it does not generate a server key. Forward security is provided through a Diffie-Hellman key agreement. This key agreement results in a shared session key. +.Pp The rest of the session is encrypted using a symmetric cipher, currently -Blowfish, 3DES, CAST128, Arcfour, 128 bit AES, or 256 bit AES. +128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit AES. The client selects the encryption algorithm to use from those offered by the server. Additionally, session integrity is provided 
@@ -143,8 +144,9 @@ (hmac-sha1 or hmac-md5). .Pp Protocol version 2 provides a public key based -user authentication method (PubkeyAuthentication) -and conventional password authentication. +user (PubkeyAuthentication) or +client host (HostbasedAuthentication) authentication method, +conventional password authentication and challenge response based methods. .Pp .Ss Command execution and data forwarding .Pp @@ -180,7 +182,8 @@ The options are as follows: .Bl -tag -width Ds .It Fl b Ar bits -Specifies the number of bits in the server key (default 768). +Specifies the number of bits in the ephemeral protocol version 1 +server key (default 768). .Pp .It Fl d Debug mode. @@ -188,8 +191,12 @@ log, and does not put itself in the background. The server also will not fork and will only process one connection. This option is only intended for debugging for the server. -Multiple -d options increases the debugging level. +Multiple -d options increase the debugging level. Maximum is 3. +.It Fl e +When this option is specified, +.Nm +will send the output to the standard error instead of the system log. .It Fl f Ar configuration_file Specifies the name of the configuration file. The default is @@ -210,7 +217,7 @@ is not run as root (as the normal host file is normally not readable by anyone but root). It is possible to have multiple host key files for -the different protocol versions. +the different protocol versions and host key algorithms. .It Fl i Specifies that .Nm @@ -225,8 +232,8 @@ from inetd may be feasible. .It Fl k Ar key_gen_time -Specifies how often the server key is regenerated (default 3600 -seconds, or one hour). +Specifies how often the ephemeral protocol version 1 server key is +regenerated (default 3600 seconds, or one hour). The motivation for regenerating the key fairly often is that the key is not stored anywhere, and after about an hour, it becomes impossible to recover the key for decrypting intercepted 
@@ -263,14 +270,6 @@ will not detach and does not become a daemon. This allows easy monitoring of .Nm sshd . -.It Fl V Ar client_protocol_id -SSH-2 compatibility mode. -When this option is specified -.Nm -assumes the client has sent the supplied version string -and skips the -Protocol Version Identification Exchange. -This option is not intended to be called directly. .It Fl 4 Forces .Nm @@ -359,6 +358,37 @@ should check for new mail for interactive logins. The default is .Dq no . +.It Cm ClientAliveInterval +Sets a timeout interval in seconds after which if no data has been received +from the client, +.Nm +will send a message through the encrypted +channel to request a response from the client. +The default +is 0, indicating that these messages will not be sent to the client. +This option applies to protocol version 2 only. +.It Cm ClientAliveCountMax +Sets the number of client alive messages (see above) which may be +sent without +.Nm +receiving any messages back from the client. If this threshold is +reached while client alive messages are being sent, +.Nm +will disconnect the client, terminating the session. It is important +to note that the use of client alive messages is very different from +.Cm Keepalive +(below). The client alive messages are sent through the +encrypted channel and therefore will not be spoofable. The TCP keepalive +option enabled by +.Cm Keepalive +is spoofable. You want to use the client +alive mechanism when you are basing something important on +clients having an active connection to the server. +.Pp +The default value is 3. If you set +.Cm ClientAliveInterval +(above) to 15, and leave this value at the default, unresponsive ssh clients +will be disconnected after approximately 45 seconds. .It Cm DenyGroups This keyword can be followed by a number of group names, separated by spaces. 
@@ -391,6 +421,15 @@ .Dq no . The default is .Dq no . +.It Cm HostbasedAuthentication +Specifies whether rhosts or /etc/hosts.equiv authentication together +with successful public key client host authentication is allowed +(hostbased authentication). +This option is similar to +.Cm RhostsRSAAuthentication +and applies to protocol version 2 only. +The default is +.Dq no . .It Cm HostKey Specifies the file containing the private host keys (default .Pa /etc/ssh_host_key ) @@ -410,7 +449,12 @@ .Pa .rhosts and .Pa .shosts -files will not be used in authentication. +files will not be used in +.Cm RhostsAuthentication , +.Cm RhostsRSAAuthentication +or +.Cm HostbasedAuthentication . +.Pp .Pa /etc/hosts.equiv and .Pa /etc/shosts.equiv @@ -423,7 +467,9 @@ should ignore the user's .Pa $HOME/.ssh/known_hosts during -.Cm RhostsRSAAuthentication . +.Cm RhostsRSAAuthentication +or +.Cm HostbasedAuthentication . The default is .Dq no . .It Cm KeepAlive @@ -476,8 +522,8 @@ Default is .Dq yes . .It Cm KeyRegenerationInterval -The server key is automatically regenerated after this many seconds -(if it has been used). +In protocol version 1, the ephemeral server key is automatically regenerated +after this many seconds (if it has been used). The purpose of regeneration is to prevent decrypting captured sessions by later breaking into the machine and stealing the keys. 
@@ -485,14 +531,42 @@ If the value is 0, the key is never regenerated. The default is 3600 (seconds). .It Cm ListenAddress -Specifies what local address +Specifies the local addresses .Nm should listen on. -The default is to listen to all local addresses. -Multiple options of this type are permitted. -Additionally, the -.Cm Ports -options must precede this option. +The following forms may be used: +.Pp +.Bl -item -offset indent -compact +.It +.Cm ListenAddress +.Sm off +.Ar host No | Ar IPv4_addr No | Ar IPv6_addr +.Sm on +.It +.Cm ListenAddress +.Sm off +.Ar host No | Ar IPv4_addr No : Ar port +.Sm on +.It +.Cm ListenAddress +.Sm off +.Oo +.Ar host No | Ar IPv6_addr Oc : Ar port +.Sm on +.El +.Pp +If +.Ar port +is not specified, +.Nm +will listen on the address and all prior +.Cm Port +options specified. The default is to listen on all local +addresses. Multiple +.Cm ListenAddress +options are permitted. Additionally, any +.Cm Port +options must precede this option for non port qualified addresses. .It Cm LoginGraceTime The server disconnects after this time if the user has not successfully logged in. @@ -542,11 +616,18 @@ are refused if the number of unauthenticated connections reaches .Dq full (60). +.It Cm PAMAuthenticationViaKbdInt +Specifies whether PAM challenge response authentication is allowed. This +allows the use of most PAM challenge response authentication modules, but +it will allow password authentication regardless of whether +.Cm PasswordAuthentication +is disabled. +The default is +.Dq no . .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is .Dq yes . -Note that this option applies to both protocol versions 1 and 2. .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. 
@@ -593,6 +674,14 @@ listens on. The default is 22. Multiple options of this type are permitted. +See also +.Cm ListenAddress . +.It Cm PrintLastLog +Specifies whether +.Nm +should print the date and time when the user last logged in. +The default is +.Dq yes . .It Cm PrintMotd Specifies whether .Nm @@ -614,7 +703,7 @@ .Dq 2 . Multiple versions must be comma-separated. The default is -.Dq 1 . +.Dq 2,1 . .It Cm PubkeyAuthentication Specifies whether public key authentication is allowed. The default is @@ -638,18 +727,20 @@ to normal rhosts or /etc/hosts.equiv authentication. The default is .Dq no . +This option applies to protocol version 1 only. .It Cm RhostsRSAAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. The default is .Dq no . +This option applies to protocol version 1 only. .It Cm RSAAuthentication Specifies whether pure RSA authentication is allowed. The default is .Dq yes . -Note that this option applies to protocol version 1 only. +This option applies to protocol version 1 only. .It Cm ServerKeyBits -Defines the number of bits in the server key. +Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 768. .It Cm StrictModes Specifies whether @@ -756,12 +847,12 @@ The .Pa $HOME/.ssh/authorized_keys file lists the RSA keys that are -permitted for RSA authentication in SSH protocols 1.3 and 1.5 +permitted for RSA authentication in protocol version 1 Similarly, the .Pa $HOME/.ssh/authorized_keys2 file lists the DSA and RSA keys that are permitted for public key authentication (PubkeyAuthentication) -in SSH protocol 2.0. +in protocol version 2. .Pp Each line of the file contains one key (empty lines and lines starting with a 
@@ -787,9 +878,10 @@ Note that lines in this file are usually several hundred bytes long (because of the size of the RSA key modulus). You don't want to type them in; instead, copy the -.Pa identity.pub -or the +.Pa identity.pub , .Pa id_dsa.pub +or the +.Pa id_rsa.pub file and edit it. .Pp The options (if present) consist of comma-separated option @@ -855,10 +947,10 @@ .It Cm permitopen="host:port" Limit local .Li ``ssh -L'' -port-forwading such that it may only connect to the specified host and +port forwarding such that it may only connect to the specified host and port. Multiple .Cm permitopen -options may be applied seperated by commas. No pattern matching is +options may be applied separated by commas. No pattern matching is performed on the specified hostnames, they must be literal domains or addresses. .El @@ -924,7 +1016,10 @@ .Pa /etc/ssh_host_key.pub and adding the host names at the front. .Ss Examples -closenet,closenet.hut.fi,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi +.Bd -literal +closenet,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi +cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= +.Ed .Sh FILES .Bl -tag -width Ds .It Pa /etc/sshd_config 
@@ -933,16 +1028,14 @@ This file should be writable by root only, but it is recommended (though not necessary) that it be world-readable. .It Pa /etc/ssh_host_key, /etc/ssh_host_dsa_key, /etc/ssh_host_rsa_key -These three files contain the private parts of the -(SSH1, SSH2 DSA, and SSH2 RSA) host keys. +These three files contain the private parts of the host keys. These files should only be owned by root, readable only by root, and not accessible to others. Note that .Nm does not start if this file is group/world-accessible. .It Pa /etc/ssh_host_key.pub, /etc/ssh_host_dsa_key.pub, /etc/ssh_host_rsa_key.pub -There three files contain the public parts of the -(SSH1, SSH2 DSA, and SSH2 RSA) host keys. +These three files contain the public parts of the host keys. These files should be world-readable but writable only by root. Their contents should match the respective private parts. @@ -972,7 +1065,7 @@ files into this file, as described in .Xr ssh-keygen 1 . .It Pa $HOME/.ssh/authorized_keys2 -Lists the DSA keys that can be used to log into the user's account. +Lists the public keys (RSA or DSA) that can be used to log into the user's account. This file must be readable by root (which may on some machines imply it being world-readable if the user's home directory resides on an NFS volume). @@ -980,6 +1073,8 @@ The format of this file is described above. Users will place the contents of their .Pa id_dsa.pub +and/or +.Pa id_rsa.pub files into this file, as described in .Xr ssh-keygen 1 . .It Pa "/etc/ssh_known_hosts" and "$HOME/.ssh/known_hosts" 
@@ -993,6 +1088,17 @@ should be world-readable, and .Pa $HOME/.ssh/known_hosts can but need not be world-readable. +.It Pa "/etc/ssh_known_hosts2" and "$HOME/.ssh/known_hosts2" +These files are consulted when using protocol version 2 hostbased +authentication to check the public key of the host. +The key must be listed in one of these files to be accepted. +The client uses the same files +to verify that it is connecting to the correct remote host. +These files should be writable only by root/the owner. +.Pa /etc/ssh_known_hosts2 +should be world-readable, and +.Pa $HOME/.ssh/known_hosts2 +can but need not be world-readable. .It Pa /etc/nologin If this file exists, .Nm @@ -1090,8 +1196,12 @@ accessible; AFS is a particular example of such an environment. .Pp This file will probably contain some initialization code followed by -something similar to: "if read proto cookie; then echo add $DISPLAY -$proto $cookie | xauth -q -; fi". +something similar to: +.Bd -literal + if read proto cookie; then + echo add $DISPLAY $proto $cookie | xauth -q - + fi +.Ed .Pp If this file does not exist, .Pa /etc/sshrc @@ -1126,3 +1236,23 @@ .Xr ssh-keygen 1 , .Xr rlogin 1 , .Xr rsh 1 +.Rs +.%A T. Ylonen +.%A T. Kivinen +.%A M. Saarinen +.%A T. Rinne +.%A S. Lehtinen +.%T "SSH Protocol Architecture" +.%N draft-ietf-secsh-architecture-07.txt +.%D January 2001 +.%O work in progress material +.Re +.Rs +.%A M. Friedl +.%A N. Provos +.%A W. A. Simpson +.%T "Diffie-Hellman Group Exchange for the SSH Transport Layer Protocol" +.%N draft-ietf-secsh-dh-group-exchange-00.txt +.%D January 2001 +.%O work in progress material +.Re diff -ru openssh-2.5.2p2/sshd.c openssh-2.9p1/sshd.c --- openssh-2.5.2p2/sshd.c 2001-03-19 22:36:20.000000000 +1100 +++ openssh-2.9p1/sshd.c 2001-04-16 12:00:02.000000000 +1000 @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.175 2001/03/18 23:30:55 deraadt Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.195 2001/04/15 16:58:03 markus Exp $"); #include #include 
@@ -70,6 +70,7 @@
 #include "canohost.h"
 #include "auth.h"
 #include "misc.h"
+#include "dispatch.h"
 #ifdef LIBWRAP
 #include
@@ -140,6 +141,9 @@
 char *client_version_string = NULL;
 char *server_version_string = NULL;
+/* for rekeying XXX fixme */
+Kex *xxx_kex;
+
 /*
 * Any really sensitive data in the application is contained in this
 * structure. The idea is that this structure could be locked into memory so
@@ -278,12 +282,13 @@
 u_int32_t rand = 0;
 int i;
- log("Generating %s%d bit RSA key.", sensitive_data.server_key ? "new " : "",
- options.server_key_bits);
+ verbose("Generating %s%d bit RSA key.",
+ sensitive_data.server_key ? "new " : "", options.server_key_bits);
 if (sensitive_data.server_key != NULL)
 key_free(sensitive_data.server_key);
- sensitive_data.server_key = key_generate(KEY_RSA1, options.server_key_bits);
- log("RSA key generation complete.");
+ sensitive_data.server_key = key_generate(KEY_RSA1,
+ options.server_key_bits);
+ verbose("RSA key generation complete.");
 for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
 if (i % 4 == 0)
@@ -336,7 +341,7 @@
 }
 /* Read other side's version identification. */
- memset(buf, 0, sizeof(buf));
+ memset(buf, 0, sizeof(buf));
 for (i = 0; i < sizeof(buf) - 1; i++) {
 if (atomicio(read, sock_in, &buf[i], 1) != 1) {
 log("Did not receive identification string from %s.",
@@ -344,8 +349,7 @@
 fatal_cleanup();
 }
 if (buf[i] == '\r') {
- buf[i] = '\n';
- buf[i + 1] = 0;
+ buf[i] = 0;
 /* Kludge for F-Secure Macintosh < 1.0.2 */
 if (i == 12 && strncmp(buf, "SSH-1.5-W1.0", 12) == 0)
@@ -353,8 +357,7 @@
 continue;
 }
 if (buf[i] == '\n') {
- /* buf[i] == '\n' */
- buf[i + 1] = 0;
+ buf[i] = 0;
 break;
 }
 }
@@ -420,7 +423,6 @@
 break;
 }
 chop(server_version_string);
- chop(client_version_string);
 debug("Local version string %.200s", server_version_string);
 if (mismatch) {
@@ -457,39 +459,6 @@
 sensitive_data.ssh1_host_key = NULL;
 memset(sensitive_data.ssh1_cookie, 0, SSH_SESSION_KEY_LENGTH);
 }
-Key *
-load_private_key_autodetect(const char *filename)
-{
- struct stat st;
- int type;
- Key *public, *private;
-
- if (stat(filename, &st) < 0) {
- perror(filename);
- return NULL;
- }
- /*
- * try to load the public key. right now this only works for RSA1,
- * since SSH2 keys are fully encrypted
- */
- type = KEY_RSA1;
- public = key_new(type);
- if (!load_public_key(filename, public, NULL)) {
- /* ok, so we will assume this is 'some' key */
- type = KEY_UNSPEC;
- }
- key_free(public);
-
- /* Ok, try key with empty passphrase */
- private = key_new(type);
- if (load_private_key(filename, "", private, NULL)) {
- debug("load_private_key_autodetect: type %d %s",
- private->type, key_type(private));
- return private;
- }
- key_free(private);
- return NULL;
-}
 char *
 list_hostkey_types(void)
@@ -582,6 +551,7 @@
 int listen_sock, maxfd;
 int startup_p[2];
 int startups = 0;
+ Key *key;
 int ret, key_used = 0;
 __progname = get_progname(av[0]);
@@ -595,7 +565,7 @@
 initialize_server_options(&options);
 /* Parse command-line arguments. */
- while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:u:dDiqQ46")) != -1) {
+ while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:u:dDeiqQ46")) != -1) {
 switch (opt) {
 case '4':
 IPv4or6 = AF_INET;
@@ -620,6 +590,9 @@
 case 'D':
 no_daemon_flag = 1;
 break;
+ case 'e':
+ log_stderr = 1;
+ break;
 case 'i':
 inetd_flag = 1;
 break;
@@ -638,7 +611,11 @@
 fprintf(stderr, "too many ports.\n");
 exit(1);
 }
- options.ports[options.num_ports++] = atoi(optarg);
+ options.ports[options.num_ports++] = a2port(optarg);
+ if (options.ports[options.num_ports-1] == 0) {
+ fprintf(stderr, "Bad port number.\n");
+ exit(1);
+ }
 break;
 case 'g':
 options.login_grace_time = atoi(optarg);
@@ -683,6 +660,7 @@
 exit(1);
 }
 }
+ SSLeay_add_all_algorithms();
 /*
 * Force logging to stderr until we have loaded the private host
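Review bot: In the `@@ -595` hunk the getopt() string still lists `V:`, yet the sshd.8 hunk earlier in this diff deletes the description of `-V client_protocol_id`, so after this change -V is either accepted but undocumented or a dead letter in the option string; the `case 'V':` handler, if it survives, sits outside this hunk in main(), which begins and ends beyond the visible lines. If -V is kept on purpose as an internal hook, a comment on the getopt line would stop the next cleanup from dropping it, e.g. `/* -V is deliberately undocumented (removed from sshd.8) but still accepted */`; if it was meant to go, remove `V:` so getopt rejects it. Separately, the new `-p` validation through a2port() is welcome, but the neighbouring `case 'g':` in the same switch still takes a bare `atoi(optarg)` with no range check, so the same treatment would be consistent there.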
@@ -719,10 +697,12 @@
 sensitive_data.have_ssh2_key = 0;
 for(i = 0; i < options.num_host_key_files; i++) {
- Key *key = load_private_key_autodetect(options.host_key_files[i]);
+ key = key_load_private(options.host_key_files[i], "", NULL);
+ sensitive_data.host_keys[i] = key;
 if (key == NULL) {
- error("Could not load host key: %.200s: %.100s",
- options.host_key_files[i], strerror(errno));
+ error("Could not load host key: %s",
+ options.host_key_files[i]);
+ sensitive_data.host_keys[i] = NULL;
 continue;
 }
 switch(key->type){
@@ -735,7 +715,8 @@
 sensitive_data.have_ssh2_key = 1;
 break;
 }
- sensitive_data.host_keys[i] = key;
+ debug("private host key: #%d type %d %s", i, key->type,
+ key_type(key));
 }
 if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
 log("Disabling protocol version 1. Could not load host key");
@@ -812,12 +793,15 @@
 /* Chdir to the root directory so that the current disk can be unmounted if desired. */
 chdir("/");
+
+ /* ignore SIGPIPE */
+ signal(SIGPIPE, SIG_IGN);
 /* Start listening for a socket, unless started from inetd. */
 if (inetd_flag) {
- int s1, s2;
+ int s1;
 s1 = dup(0); /* Make sure descriptors 0, 1, and 2 are in use. */
- s2 = dup(s1);
+ dup(s1);
 sock_in = dup(0);
 sock_out = dup(1);
 startup_pipe = -1;
@@ -1127,9 +1111,9 @@
 fromhost(&req);
 if (!hosts_access(&req)) {
+ refuse(&req);
 close(sock_in);
 close(sock_out);
- refuse(&req);
 }
 /*XXX IPv6 verbose("Connection from %.500s port %d", eval_client(&req), remote_port); */
 }
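Review bot: In the `@@ -719` hunk, `sensitive_data.host_keys[i] = NULL;` inside the `key == NULL` branch is redundant — the slot was assigned `key` two lines earlier and key is NULL on that path — and the replacement error message drops the `strerror(errno)` the old one carried, so a failed host-key load no longer says why. Because the key is loaded with an empty passphrase (`key_load_private(..., "", NULL)`), an unreadable file and a passphrase-protected host key presumably now produce the identical `Could not load host key: <path>` line; if key_load_private() does not set errno reliably (which would justify dropping strerror), at least widen the text so the operator knows what to check, e.g. `error("Could not load host key: %s (missing, unreadable, malformed or passphrase-protected?)", options.host_key_files[i]);`, and delete the redundant NULL store. The enclosing main() begins and ends outside this hunk.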
@@ -1434,55 +1418,36 @@
 void
 do_ssh2_kex(void)
 {
- Buffer *server_kexinit;
- Buffer *client_kexinit;
- int payload_len;
- int i;
 Kex *kex;
- char *cprop[PROPOSAL_MAX];
-
-/* KEXINIT */
 if (options.ciphers != NULL) {
 myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
 }
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+ compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
+ myproposal[PROPOSAL_ENC_ALGS_STOC] =
+ compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
+
 if (options.macs != NULL) {
 myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
 }
 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
- server_kexinit = kex_init(myproposal);
- client_kexinit = xmalloc(sizeof(*client_kexinit));
- buffer_init(client_kexinit);
-
- /* algorithm negotiation */
- kex_exchange_kexinit(server_kexinit, client_kexinit, cprop);
- kex = kex_choose_conf(cprop, myproposal, 1);
- for (i = 0; i < PROPOSAL_MAX; i++)
- xfree(cprop[i]);
-
- switch (kex->kex_type) {
- case DH_GRP1_SHA1:
- ssh_dh1_server(kex, client_kexinit, server_kexinit);
- break;
- case DH_GEX_SHA1:
- ssh_dhgex_server(kex, client_kexinit, server_kexinit);
- break;
- default:
- fatal("Unsupported key exchange %d", kex->kex_type);
- }
+ /* start key exchange */
+ kex = kex_setup(myproposal);
+ kex->server = 1;
+ kex->client_version_string=client_version_string;
+ kex->server_version_string=server_version_string;
+ kex->load_host_key=&get_hostkey_by_type;
- debug("send SSH2_MSG_NEWKEYS.");
- packet_start(SSH2_MSG_NEWKEYS);
- packet_send();
- packet_write_wait();
- debug("done: send SSH2_MSG_NEWKEYS.");
+ xxx_kex = kex;
+
+ dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
- debug("Wait SSH2_MSG_NEWKEYS.");
- packet_read_expect(&payload_len, SSH2_MSG_NEWKEYS);
- debug("GOT SSH2_MSG_NEWKEYS.");
+ session_id2 = kex->session_id;
+ session_id2_len = kex->session_id_len;
 #ifdef DEBUG_KEXDH
 /* send 1st encrypted/maced/compressed message */
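Review bot: The server side of the SSH-2 key exchange used to call `destroy_sensitive_data()` right after signing the exchange hash (visible in the `ssh_dh1_server`/`ssh_dhgex_server` bodies the following hunk removes), so the private host keys were wiped from the per-connection process as soon as the first KEX finished; the new `do_ssh2_kex()` only builds the Kex, parks it in the `xxx_kex` global and runs the dispatcher, and no equivalent wipe is visible in this hunk. If the wipe now lives in the kexdh/kexgex code (outside this diff) that is fine; if it was dropped so that `kex->load_host_key` can be called again on rekey — which the `/* for rekeying XXX fixme */` comment on `xxx_kex` suggests — the host keys now stay in memory for the life of the session and that trade-off deserves a comment here, e.g. `/* host keys stay loaded after KEX: load_host_key is needed again on rekey */`. Also, `kex->client_version_string=client_version_string;` and the two assignments below it omit the spaces around `=` used everywhere else in this file.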
@@ -1491,285 +1456,5 @@ packet_send(); packet_write_wait(); #endif - - debug("done: KEX2."); -} - -/* - * SSH2 key exchange - */ - -/* diffie-hellman-group1-sha1 */ - -void -ssh_dh1_server(Kex *kex, Buffer *client_kexinit, Buffer *server_kexinit) -{ -#ifdef DEBUG_KEXDH - int i; -#endif - int payload_len, dlen; - int slen; - u_char *signature = NULL; - u_char *server_host_key_blob = NULL; - u_int sbloblen; - u_int klen, kout; - u_char *kbuf; - u_char *hash; - BIGNUM *shared_secret = 0; - DH *dh; - BIGNUM *dh_client_pub = 0; - Key *hostkey; - - hostkey = get_hostkey_by_type(kex->hostkey_type); - if (hostkey == NULL) - fatal("Unsupported hostkey type %d", kex->hostkey_type); - -/* KEXDH */ - /* generate DH key */ - dh = dh_new_group1(); /* XXX depends on 'kex' */ - dh_gen_key(dh, kex->we_need * 8); - - debug("Wait SSH2_MSG_KEXDH_INIT."); - packet_read_expect(&payload_len, SSH2_MSG_KEXDH_INIT); - - /* key, cert */ - dh_client_pub = BN_new(); - if (dh_client_pub == NULL) - fatal("dh_client_pub == NULL"); - packet_get_bignum2(dh_client_pub, &dlen); - -#ifdef DEBUG_KEXDH - fprintf(stderr, "\ndh_client_pub= "); - BN_print_fp(stderr, dh_client_pub); - fprintf(stderr, "\n"); - debug("bits %d", BN_num_bits(dh_client_pub)); -#endif - -#ifdef DEBUG_KEXDH - fprintf(stderr, "\np= "); - BN_print_fp(stderr, dh->p); - fprintf(stderr, "\ng= "); - bn_print(dh->g); - fprintf(stderr, "\npub= "); - BN_print_fp(stderr, dh->pub_key); - fprintf(stderr, "\n"); - DHparams_print_fp(stderr, dh); -#endif - if (!dh_pub_is_valid(dh, dh_client_pub)) - packet_disconnect("bad client public DH value"); - - klen = DH_size(dh); - kbuf = xmalloc(klen); - kout = DH_compute_key(kbuf, dh_client_pub, dh); - -#ifdef DEBUG_KEXDH - debug("shared secret: len %d/%d", klen, kout); - fprintf(stderr, "shared secret == "); - for (i = 0; i< kout; i++) - fprintf(stderr, "%02x", (kbuf[i])&0xff); - fprintf(stderr, "\n"); -#endif - shared_secret = BN_new(); - - BN_bin2bn(kbuf, kout, shared_secret); - memset(kbuf, 0, 
klen); - xfree(kbuf); - - /* XXX precompute? */ - key_to_blob(hostkey, &server_host_key_blob, &sbloblen); - - /* calc H */ /* XXX depends on 'kex' */ - hash = kex_hash( - client_version_string, - server_version_string, - buffer_ptr(client_kexinit), buffer_len(client_kexinit), - buffer_ptr(server_kexinit), buffer_len(server_kexinit), - (char *)server_host_key_blob, sbloblen, - dh_client_pub, - dh->pub_key, - shared_secret - ); - buffer_free(client_kexinit); - buffer_free(server_kexinit); - xfree(client_kexinit); - xfree(server_kexinit); - BN_free(dh_client_pub); -#ifdef DEBUG_KEXDH - fprintf(stderr, "hash == "); - for (i = 0; i< 20; i++) - fprintf(stderr, "%02x", (hash[i])&0xff); - fprintf(stderr, "\n"); -#endif - /* save session id := H */ - /* XXX hashlen depends on KEX */ - session_id2_len = 20; - session_id2 = xmalloc(session_id2_len); - memcpy(session_id2, hash, session_id2_len); - - /* sign H */ - /* XXX hashlen depends on KEX */ - key_sign(hostkey, &signature, &slen, hash, 20); - - destroy_sensitive_data(); - - /* send server hostkey, DH pubkey 'f' and singed H */ - packet_start(SSH2_MSG_KEXDH_REPLY); - packet_put_string((char *)server_host_key_blob, sbloblen); - packet_put_bignum2(dh->pub_key); /* f */ - packet_put_string((char *)signature, slen); - packet_send(); - xfree(signature); - xfree(server_host_key_blob); - packet_write_wait(); - - kex_derive_keys(kex, hash, shared_secret); - BN_clear_free(shared_secret); - packet_set_kex(kex); - - /* have keys, free DH */ - DH_free(dh); -} - -/* diffie-hellman-group-exchange-sha1 */ - -void -ssh_dhgex_server(Kex *kex, Buffer *client_kexinit, Buffer *server_kexinit) -{ -#ifdef DEBUG_KEXDH - int i; -#endif - int payload_len, dlen; - int slen, nbits; - u_char *signature = NULL; - u_char *server_host_key_blob = NULL; - u_int sbloblen; - u_int klen, kout; - u_char *kbuf; - u_char *hash; - BIGNUM *shared_secret = 0; - DH *dh; - BIGNUM *dh_client_pub = 0; - Key *hostkey; - - hostkey = 
get_hostkey_by_type(kex->hostkey_type); - if (hostkey == NULL) - fatal("Unsupported hostkey type %d", kex->hostkey_type); - -/* KEXDHGEX */ - debug("Wait SSH2_MSG_KEX_DH_GEX_REQUEST."); - packet_read_expect(&payload_len, SSH2_MSG_KEX_DH_GEX_REQUEST); - nbits = packet_get_int(); - dh = choose_dh(nbits); - - debug("Sending SSH2_MSG_KEX_DH_GEX_GROUP."); - packet_start(SSH2_MSG_KEX_DH_GEX_GROUP); - packet_put_bignum2(dh->p); - packet_put_bignum2(dh->g); - packet_send(); - packet_write_wait(); - - /* Compute our exchange value in parallel with the client */ - - dh_gen_key(dh, kex->we_need * 8); - - debug("Wait SSH2_MSG_KEX_DH_GEX_INIT."); - packet_read_expect(&payload_len, SSH2_MSG_KEX_DH_GEX_INIT); - - /* key, cert */ - dh_client_pub = BN_new(); - if (dh_client_pub == NULL) - fatal("dh_client_pub == NULL"); - packet_get_bignum2(dh_client_pub, &dlen); - -#ifdef DEBUG_KEXDH - fprintf(stderr, "\ndh_client_pub= "); - BN_print_fp(stderr, dh_client_pub); - fprintf(stderr, "\n"); - debug("bits %d", BN_num_bits(dh_client_pub)); -#endif - -#ifdef DEBUG_KEXDH - fprintf(stderr, "\np= "); - BN_print_fp(stderr, dh->p); - fprintf(stderr, "\ng= "); - bn_print(dh->g); - fprintf(stderr, "\npub= "); - BN_print_fp(stderr, dh->pub_key); - fprintf(stderr, "\n"); - DHparams_print_fp(stderr, dh); -#endif - if (!dh_pub_is_valid(dh, dh_client_pub)) - packet_disconnect("bad client public DH value"); - - klen = DH_size(dh); - kbuf = xmalloc(klen); - kout = DH_compute_key(kbuf, dh_client_pub, dh); - -#ifdef DEBUG_KEXDH - debug("shared secret: len %d/%d", klen, kout); - fprintf(stderr, "shared secret == "); - for (i = 0; i< kout; i++) - fprintf(stderr, "%02x", (kbuf[i])&0xff); - fprintf(stderr, "\n"); -#endif - shared_secret = BN_new(); - - BN_bin2bn(kbuf, kout, shared_secret); - memset(kbuf, 0, klen); - xfree(kbuf); - - /* XXX precompute? 
*/ - key_to_blob(hostkey, &server_host_key_blob, &sbloblen); - - /* calc H */ /* XXX depends on 'kex' */ - hash = kex_hash_gex( - client_version_string, - server_version_string, - buffer_ptr(client_kexinit), buffer_len(client_kexinit), - buffer_ptr(server_kexinit), buffer_len(server_kexinit), - (char *)server_host_key_blob, sbloblen, - nbits, dh->p, dh->g, - dh_client_pub, - dh->pub_key, - shared_secret - ); - buffer_free(client_kexinit); - buffer_free(server_kexinit); - xfree(client_kexinit); - xfree(server_kexinit); - BN_free(dh_client_pub); -#ifdef DEBUG_KEXDH - fprintf(stderr, "hash == "); - for (i = 0; i< 20; i++) - fprintf(stderr, "%02x", (hash[i])&0xff); - fprintf(stderr, "\n"); -#endif - /* save session id := H */ - /* XXX hashlen depends on KEX */ - session_id2_len = 20; - session_id2 = xmalloc(session_id2_len); - memcpy(session_id2, hash, session_id2_len); - - /* sign H */ - /* XXX hashlen depends on KEX */ - key_sign(hostkey, &signature, &slen, hash, 20); - - destroy_sensitive_data(); - - /* send server hostkey, DH pubkey 'f' and singed H */ - packet_start(SSH2_MSG_KEX_DH_GEX_REPLY); - packet_put_string((char *)server_host_key_blob, sbloblen); - packet_put_bignum2(dh->pub_key); /* f */ - packet_put_string((char *)signature, slen); - packet_send(); - xfree(signature); - xfree(server_host_key_blob); - packet_write_wait(); - - kex_derive_keys(kex, hash, shared_secret); - BN_clear_free(shared_secret); - packet_set_kex(kex); - - /* have keys, free DH */ - DH_free(dh); + debug("KEX done"); } diff -ru openssh-2.5.2p2/sshd_config openssh-2.9p1/sshd_config --- openssh-2.5.2p2/sshd_config 2001-03-11 08:50:46.000000000 +1100 +++ openssh-2.9p1/sshd_config 2001-04-25 22:44:16.000000000 +1000 @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.34 2001/02/24 10:37:26 deraadt Exp $ +# $OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $ # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 
@@ -25,6 +25,7 @@ X11Forwarding no X11DisplayOffset 10 PrintMotd yes +#PrintLastLog no KeepAlive yes # Logging @@ -36,6 +37,8 @@ # # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no +# similar for protocol version 2 +HostbasedAuthentication no # RSAAuthentication yes @@ -43,10 +46,12 @@ PasswordAuthentication yes PermitEmptyPasswords no -# Comment to enable s/key passwords or PAM interactive authentication -# NB. Neither of these are compiled in by default. Please read the -# notes in the sshd(8) manpage before enabling this on a PAM system. -ChallengeResponseAuthentication no +# Uncomment to disable s/key passwords +#ChallengeResponseAuthentication no + +# Uncomment to enable PAM keyboard-interactive authentication +# Warning: enabling this may bypass the setting of 'PasswordAuthentication' +#PAMAuthenticationViaKbdInt yes # To change Kerberos options #KerberosAuthentication no diff -ru openssh-2.5.2p2/sshlogin.c openssh-2.9p1/sshlogin.c --- openssh-2.5.2p2/sshlogin.c 2001-03-05 14:53:03.000000000 +1100 +++ openssh-2.9p1/sshlogin.c 2001-03-26 15:32:17.000000000 +1000 @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshlogin.c,v 1.1 2001/03/04 01:46:30 djm Exp $"); +RCSID("$OpenBSD: sshlogin.c,v 1.2 2001/03/24 16:43:27 stevesk Exp $"); #include "loginrec.h" diff -ru openssh-2.5.2p2/sshpty.h openssh-2.9p1/sshpty.h --- openssh-2.5.2p2/sshpty.h 2001-03-05 14:53:03.000000000 +1100 +++ openssh-2.9p1/sshpty.h 2001-04-03 00:02:55.000000000 +1000 @@ -14,8 +14,8 @@ /* RCSID("$OpenBSD: sshpty.h,v 1.1 2001/03/04 01:46:30 djm Exp $"); */ -#ifndef PTY_H -#define PTY_H +#ifndef SSHPTY_H +#define SSHPTY_H /* * Allocates and opens a pty. Returns 0 if no pty could be allocated, or 
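Review bot: Replacing `ChallengeResponseAuthentication no` with the commented-out `#ChallengeResponseAuthentication no` means the shipped config no longer pins this directive, and the new comment ("Uncomment to disable s/key passwords") implies the compiled-in default is now yes. Together with the `PAMAuthenticationViaKbdInt` warning in the same hunk, an administrator who relies on `PasswordAuthentication no` to force public-key logins may still be offered a password prompt over keyboard-interactive, presumably through PAM, unless challenge-response is also disabled; "may bypass" is too vague to convey that. Suggest making the warning actionable: `# Warning: with PAMAuthenticationViaKbdInt yes, PAM can still prompt for passwords` / `# even when PasswordAuthentication is no; keep ChallengeResponseAuthentication no` / `# if you rely on PasswordAuthentication no to forbid password logins.`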
@@ -44,4 +44,4 @@ void pty_setowner(struct passwd *pw, const char *ttyname); -#endif /* PTY_H */ +#endif /* SSHPTY_H */ Only in openssh-2.9p1: sshtty.c Only in openssh-2.9p1: sshtty.h diff -ru openssh-2.5.2p2/ttymodes.c openssh-2.9p1/ttymodes.c --- openssh-2.5.2p2/ttymodes.c 2001-03-11 04:17:29.000000000 +1100 +++ openssh-2.9p1/ttymodes.c 2001-04-16 00:25:13.000000000 +1000 @@ -2,10 +2,6 @@ * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved - * Encoding and decoding of terminal modes in a portable way. - * Much of the format is defined in ttymodes.h; it is included multiple times - * into this file with the appropriate macro definitions to generate the - * suitable code. * * As far as I am concerned, the code I have written for this software * can be used freely for any purpose. Any derived versions of this 
@@ -14,16 +10,56 @@ * called by a name other than "ssh" or "Secure Shell". */ +/* + * SSH2 tty modes support by Kevin Steves. + * Copyright (c) 2001 Kevin Steves. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Encoding and decoding of terminal modes in a portable way. + * Much of the format is defined in ttymodes.h; it is included multiple times + * into this file with the appropriate macro definitions to generate the + * suitable code. 
+ */ + #include "includes.h" -RCSID("$OpenBSD: ttymodes.c,v 1.11 2001/03/10 15:02:05 stevesk Exp $"); +RCSID("$OpenBSD: ttymodes.c,v 1.13 2001/04/15 01:35:22 stevesk Exp $"); #include "packet.h" #include "log.h" #include "ssh1.h" +#include "compat.h" +#include "buffer.h" +#include "bufaux.h" -#define TTY_OP_END 0 -#define TTY_OP_ISPEED 192 /* int follows */ -#define TTY_OP_OSPEED 193 /* int follows */ +#define TTY_OP_END 0 +/* + * uint32 (u_int) follows speed in SSH1 and SSH2 + */ +#define TTY_OP_ISPEED_PROTO1 192 +#define TTY_OP_OSPEED_PROTO1 193 +#define TTY_OP_ISPEED_PROTO2 128 +#define TTY_OP_OSPEED_PROTO2 129 /* * Converts POSIX speed_t to a baud rate. The values of the @@ -122,7 +158,7 @@ baud_to_speed(int baud) { switch (baud) { - case 0: + case 0: return B0; case 50: return B50; 
@@ -206,41 +242,72 @@ /* * Encodes terminal modes for the terminal referenced by fd - * in a portable manner, and appends the modes to a packet + * or tiop in a portable manner, and appends the modes to a packet * being constructed. */ void -tty_make_modes(int fd) +tty_make_modes(int fd, struct termios *tiop) { struct termios tio; int baud; - - if (tcgetattr(fd, &tio) < 0) { - packet_put_char(TTY_OP_END); - log("tcgetattr: %.100s", strerror(errno)); - return; + Buffer buf; + int tty_op_ospeed, tty_op_ispeed; + void (*put_arg)(Buffer *, u_int); + + buffer_init(&buf); + if (compat20) { + tty_op_ospeed = TTY_OP_OSPEED_PROTO2; + tty_op_ispeed = TTY_OP_ISPEED_PROTO2; + put_arg = buffer_put_int; + } else { + tty_op_ospeed = TTY_OP_OSPEED_PROTO1; + tty_op_ispeed = TTY_OP_ISPEED_PROTO1; + put_arg = (void (*)(Buffer *, u_int)) buffer_put_char; } + + if (tiop == NULL) { + if (tcgetattr(fd, &tio) == -1) { + log("tcgetattr: %.100s", strerror(errno)); + goto end; + } + } else + tio = *tiop; + /* Store input and output baud rates. */ baud = speed_to_baud(cfgetospeed(&tio)); - packet_put_char(TTY_OP_OSPEED); - packet_put_int(baud); + debug2("tty_make_modes: ospeed %d", baud); + buffer_put_char(&buf, tty_op_ospeed); + buffer_put_int(&buf, baud); baud = speed_to_baud(cfgetispeed(&tio)); - packet_put_char(TTY_OP_ISPEED); - packet_put_int(baud); + debug2("tty_make_modes: ispeed %d", baud); + buffer_put_char(&buf, tty_op_ispeed); + buffer_put_int(&buf, baud); /* Store values of mode flags. 
*/ #define TTYCHAR(NAME, OP) \ - packet_put_char(OP); packet_put_char(tio.c_cc[NAME]); + debug2("tty_make_modes: %d %d", OP, tio.c_cc[NAME]); \ + buffer_put_char(&buf, OP); \ + put_arg(&buf, tio.c_cc[NAME]); + #define TTYMODE(NAME, FIELD, OP) \ - packet_put_char(OP); packet_put_char((tio.FIELD & NAME) != 0); + debug2("tty_make_modes: %d %d", OP, ((tio.FIELD & NAME) != 0)); \ + buffer_put_char(&buf, OP); \ + put_arg(&buf, ((tio.FIELD & NAME) != 0)); #include "ttymodes.h" #undef TTYCHAR #undef TTYMODE +end: /* Mark end of mode data. */ - packet_put_char(TTY_OP_END); + buffer_put_char(&buf, TTY_OP_END); + if (compat20) + packet_put_string(buffer_ptr(&buf), buffer_len(&buf)); + else + packet_put_raw(buffer_ptr(&buf), buffer_len(&buf)); + buffer_free(&buf); + return; } /* @@ -254,14 +321,30 @@ int opcode, baud; int n_bytes = 0; int failure = 0; + u_int (*get_arg)(void); + int arg, arg_size; + + if (compat20) { + *n_bytes_ptr = packet_get_int(); + debug2("tty_parse_modes: SSH2 n_bytes %d", *n_bytes_ptr); + if (*n_bytes_ptr == 0) + return; + get_arg = packet_get_int; + arg_size = 4; + } else { + get_arg = packet_get_char; + arg_size = 1; + } /* * Get old attributes for the terminal. We will modify these * flags. I am hoping that if there are any machine-specific * modes, they will initially have reasonable values. */ - if (tcgetattr(fd, &tio) < 0) + if (tcgetattr(fd, &tio) == -1) { + log("tcgetattr: %.100s", strerror(errno)); failure = -1; + } for (;;) { n_bytes += 1; 
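Review bot: `put_arg = (void (*)(Buffer *, u_int)) buffer_put_char;` invokes buffer_put_char through a pointer of a different type; the cast is evidently there because its parameter type is not `u_int` (its prototype is outside the hunk), and calling a function through an incompatible pointer type is undefined behaviour in C even where the platform ABI happens to make it work. A one-line adapter removes the cast without changing the dispatch: `static void put_char_arg(Buffer *b, u_int c) { buffer_put_char(b, c); }` and then `put_arg = put_char_arg;` in the else branch. Separately, on tcgetattr() failure the `goto end` path now emits an SSH2 string containing only TTY_OP_END, which is fine, but a short comment at `end:` saying the empty encoding is intentional would save the next reader a trip through the protocol draft.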
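Review bot: In the SSH2 branch the encoded length goes into `*n_bytes_ptr`, but nothing in the parsing loop that starts at `for (;;)` (and continues past this hunk) stops at that boundary: opcodes and arguments are pulled with packet_get_char()/get_arg() until TTY_OP_END, so a mode string whose declared length is shorter than its content is parsed past its end, and the mismatch is only noticed at `set:` after the extra bytes are already consumed. packet_get_char() presumably fatal()s on an exhausted packet, so the likely outcome is the authenticated client's own connection dropping, but the bound is cheap to enforce right after `n_bytes += 1;`: `if (compat20 && n_bytes > *n_bytes_ptr) { log("tty_parse_modes: mode string overrun"); goto set; }`. That check is one step late for a multi-byte argument read at the very end of the string; if that matters, read the whole string with packet_get_string() into a Buffer and parse from it, which bounds every read by construction.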
@@ -270,32 +353,40 @@ case TTY_OP_END: goto set; - case TTY_OP_ISPEED: + /* XXX: future conflict possible */ + case TTY_OP_ISPEED_PROTO1: + case TTY_OP_ISPEED_PROTO2: n_bytes += 4; baud = packet_get_int(); - if (failure != -1 && cfsetispeed(&tio, baud_to_speed(baud)) < 0) + debug2("tty_parse_modes: ispeed %d", baud); + if (failure != -1 && cfsetispeed(&tio, baud_to_speed(baud)) == -1) error("cfsetispeed failed for %d", baud); break; - case TTY_OP_OSPEED: + /* XXX: future conflict possible */ + case TTY_OP_OSPEED_PROTO1: + case TTY_OP_OSPEED_PROTO2: n_bytes += 4; baud = packet_get_int(); - if (failure != -1 && cfsetospeed(&tio, baud_to_speed(baud)) < 0) + debug2("tty_parse_modes: ospeed %d", baud); + if (failure != -1 && cfsetospeed(&tio, baud_to_speed(baud)) == -1) error("cfsetospeed failed for %d", baud); break; -#define TTYCHAR(NAME, OP) \ - case OP: \ - n_bytes += 1; \ - tio.c_cc[NAME] = packet_get_char(); \ +#define TTYCHAR(NAME, OP) \ + case OP: \ + n_bytes += arg_size; \ + tio.c_cc[NAME] = get_arg(); \ + debug2("tty_parse_modes: %d %d", OP, tio.c_cc[NAME]); \ break; -#define TTYMODE(NAME, FIELD, OP) \ - case OP: \ - n_bytes += 1; \ - if (packet_get_char()) \ - tio.FIELD |= NAME; \ - else \ - tio.FIELD &= ~NAME; \ +#define TTYMODE(NAME, FIELD, OP) \ + case OP: \ + n_bytes += arg_size; \ + if ((arg = get_arg())) \ + tio.FIELD |= NAME; \ + else \ + tio.FIELD &= ~NAME; \ + debug2("tty_parse_modes: %d %d", OP, arg); \ break; #include "ttymodes.h" 
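Review bot: The `/* XXX: future conflict possible */` comments above the merged case labels do not say what the conflict is, and the labels accept both protocols' speed opcodes regardless of `compat20`: in SSH1 mode 128/129 would otherwise fall into the "ignored, uint32 argument" range, and in SSH2 mode 192/193 would otherwise be "undefined, stop parsing" per the default branch later in this function (outside the hunk). Parsing stays aligned either way because both ranges carry a 4-byte argument, but the SSH2 side is a behaviour change worth stating: `/* Both protocols' speed opcodes are accepted here: 128/129 (SSH2) are in SSH1's ignored uint32 range and 192/193 (SSH1) would be undefined in SSH2; the argument is 4 bytes in both, so alignment is preserved. */`. If SSH2 peers should not be able to set speeds via the SSH1 opcodes, gate the PROTO1 labels on `!compat20` instead. tty_parse_modes() starts before this hunk.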
@@ -306,48 +397,66 @@ default: debug("Ignoring unsupported tty mode opcode %d (0x%x)", opcode, opcode); - /* - * Opcodes 0 to 127 are defined to have - * a one-byte argument. - */ - if (opcode >= 0 && opcode < 128) { - n_bytes += 1; - (void) packet_get_char(); - break; + if (!compat20) { + /* + * SSH1: + * Opcodes 1 to 127 are defined to have + * a one-byte argument. + * Opcodes 128 to 159 are defined to have + * an integer argument. + */ + if (opcode > 0 && opcode < 128) { + n_bytes += 1; + (void) packet_get_char(); + break; + } else if (opcode >= 128 && opcode < 160) { + n_bytes += 4; + (void) packet_get_int(); + break; + } else { + /* + * It is a truly undefined opcode (160 to 255). + * We have no idea about its arguments. So we + * must stop parsing. Note that some data may be + * left in the packet; hopefully there is nothing + * more coming after the mode data. + */ + log("parse_tty_modes: unknown opcode %d", opcode); + packet_integrity_check(0, 1, SSH_CMSG_REQUEST_PTY); + goto set; + } } else { /* - * Opcodes 128 to 159 are defined to have - * an integer argument. + * SSH2: + * Opcodes 1 to 159 are defined to have + * a uint32 argument. + * Opcodes 160 to 255 are undefined and + * cause parsing to stop. */ - if (opcode >= 128 && opcode < 160) { + if (opcode > 0 && opcode < 160) { n_bytes += 4; (void) packet_get_int(); break; + } else { + log("parse_tty_modes: unknown opcode %d", opcode); + goto set; } - } - /* - * It is a truly undefined opcode (160 to 255). - * We have no idea about its arguments. So we - * must stop parsing. Note that some data may be - * left in the packet; hopefully there is nothing - * more coming after the mode data. 
- */ - log("parse_tty_modes: unknown opcode %d", opcode); - packet_integrity_check(0, 1, SSH_CMSG_REQUEST_PTY); - goto set; + } } } set: if (*n_bytes_ptr != n_bytes) { *n_bytes_ptr = n_bytes; + log("parse_tty_modes: n_bytes_ptr != n_bytes: %d %d", + *n_bytes_ptr, n_bytes); return; /* Don't process bytes passed */ } if (failure == -1) - return; /* Packet parsed ok but tty stuff failed */ + return; /* Packet parsed ok but tcgetattr() failed */ /* Set the new modes for the terminal. */ - if (tcsetattr(fd, TCSANOW, &tio) < 0) + if (tcsetattr(fd, TCSANOW, &tio) == -1) log("Setting tty modes failed: %.100s", strerror(errno)); return; } diff -ru openssh-2.5.2p2/ttymodes.h openssh-2.9p1/ttymodes.h --- openssh-2.5.2p2/ttymodes.h 2001-03-11 04:17:29.000000000 +1100 +++ openssh-2.9p1/ttymodes.h 2001-04-15 09:13:03.000000000 +1000 @@ -1,6 +1,6 @@ +/* RCSID("$OpenBSD: ttymodes.h,v 1.11 2001/04/14 16:33:20 stevesk Exp $"); */ /* * Author: Tatu Ylonen - * SGTTY stuff contributed by Janne Snabb * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved * 
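Review bot: The SSH2 branch for opcodes 160-255 does `goto set` with the rest of the mode string unread, so the mismatch at `set:` makes the function return without applying modes while the leftover bytes stay in the packet for the caller (outside this hunk) to deal with; the SSH1 branch instead calls `packet_integrity_check(0, 1, ...)`, which presumably terminates the connection since 0 can never equal 1. Since the declared length is in `*n_bytes_ptr`, the SSH2 remainder can be drained before stopping so the packet stays aligned: `while (n_bytes < *n_bytes_ptr) { (void) packet_get_char(); n_bytes++; }` before the `goto set;`, after which the modes parsed so far are applied, matching the ttymodes.h note that undefined opcodes are only expected after all other data. If trailing bytes after an undefined opcode should be an error instead, return after draining rather than falling into `set:`. Also, the new log() calls use the prefix `parse_tty_modes:` while the debug2() lines in the same function use `tty_parse_modes:`; pick one so log searches work.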
@@ -11,14 +11,47 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: ttymodes.h,v 1.10 2001/03/10 15:02:05 stevesk Exp $"); */ +/* + * SSH2 tty modes support by Kevin Steves. + * Copyright (c) 2001 Kevin Steves. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ -/* The tty mode description is a stream of bytes. The stream consists of +/* + * SSH1: + * The tty mode description is a stream of bytes. The stream consists of * opcode-arguments pairs. It is terminated by opcode TTY_OP_END (0). * Opcodes 1-127 have one-byte arguments. Opcodes 128-159 have integer * arguments. Opcodes 160-255 are not yet defined, and cause parsing to * stop (they should only be used after any other data). 
* + * SSH2: + * Differences between SSH1 and SSH2 terminal mode encoding include: + * 1. Encoded terminal modes are represented as a string, and a stream + * of bytes within that string. + * 2. Opcode arguments are uint32 (1-159); 160-255 remain undefined. + * 3. The values for TTY_OP_ISPEED and TTY_OP_OSPEED are different; + * 128 and 129 vs. 192 and 193 respectively. + * * The client puts in the stream any modes it knows about, and the * server ignores any modes it does not know about. This allows some degree * of machine-independence, at least between systems that use a posix-like diff -ru openssh-2.5.2p2/uidswap.c openssh-2.9p1/uidswap.c --- openssh-2.5.2p2/uidswap.c 2001-02-27 08:39:07.000000000 +1100 +++ openssh-2.9p1/uidswap.c 2001-04-27 12:10:15.000000000 +1000 @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: uidswap.c,v 1.13 2001/01/21 19:06:01 markus Exp $"); +RCSID("$OpenBSD: uidswap.c,v 1.16 2001/04/20 16:32:22 markus Exp $"); #include "log.h" #include "uidswap.h" 
@@ -31,44 +31,97 @@ is not part of the posix specification. */ #define SAVED_IDS_WORK_WITH_SETEUID /* Saved effective uid. */ -static uid_t saved_euid = 0; +static uid_t saved_euid = 0; +static gid_t saved_egid = 0; #endif +/* Saved effective uid. */ +static int privileged = 0; +static int temporarily_use_uid_effective = 0; +static gid_t saved_egroups[NGROUPS_MAX], user_groups[NGROUPS_MAX]; +static int saved_egroupslen = -1, user_groupslen = -1; + /* * Temporarily changes to the given uid. If the effective user * id is not root, this does nothing. This call cannot be nested. */ void -temporarily_use_uid(uid_t uid) +temporarily_use_uid(struct passwd *pw) { + /* Save the current euid, and egroups. */ #ifdef SAVED_IDS_WORK_WITH_SETEUID - /* Save the current euid. */ saved_euid = geteuid(); + saved_egid = getegid(); + debug("temporarily_use_uid: %d/%d (e=%d)", + pw->pw_uid, pw->pw_gid, saved_euid); + if (saved_euid != 0) { + privileged = 0; + return; + } +#else + if (geteuid() != 0) { + privileged = 0; + return; + } +#endif /* SAVED_IDS_WORK_WITH_SETEUID */ + privileged = 1; + temporarily_use_uid_effective = 1; + saved_egroupslen = getgroups(NGROUPS_MAX, saved_egroups); + if (saved_egroupslen < 0) + fatal("getgroups: %.100s", strerror(errno)); + + /* set and save the user's groups */ + if (user_groupslen == -1) { + if (initgroups(pw->pw_name, pw->pw_gid) < 0) + fatal("initgroups: %s: %.100s", pw->pw_name, + strerror(errno)); + user_groupslen = getgroups(NGROUPS_MAX, user_groups); + if (user_groupslen < 0) + fatal("getgroups: %.100s", strerror(errno)); + } +#ifndef HAVE_CYGWIN /* Set the effective uid to the given (unprivileged) uid. 
*/ - if (seteuid(uid) == -1) - debug("seteuid %u: %.100s", (u_int) uid, strerror(errno)); -#else /* SAVED_IDS_WORK_WITH_SETEUID */ + if (setgroups(user_groupslen, user_groups) < 0) + fatal("setgroups: %.100s", strerror(errno)); +#endif /* !HAVE_CYWIN */ +#ifndef SAVED_IDS_WORK_WITH_SETEUID + /* Propagate the privileged gid to all of our gids. */ + if (setgid(getegid()) < 0) + debug("setgid %u: %.100s", (u_int) getegid(), strerror(errno)); /* Propagate the privileged uid to all of our uids. */ if (setuid(geteuid()) < 0) debug("setuid %u: %.100s", (u_int) geteuid(), strerror(errno)); - - /* Set the effective uid to the given (unprivileged) uid. */ - if (seteuid(uid) == -1) - debug("seteuid %u: %.100s", (u_int) uid, strerror(errno)); #endif /* SAVED_IDS_WORK_WITH_SETEUID */ + if (setegid(pw->pw_gid) < 0) + fatal("setegid %u: %.100s", (u_int) pw->pw_gid, + strerror(errno)); + if (seteuid(pw->pw_uid) == -1) + fatal("seteuid %u: %.100s", (u_int) pw->pw_uid, + strerror(errno)); } /* - * Restores to the original uid. + * Restores to the original (privileged) uid. */ void restore_uid(void) { + debug("restore_uid"); + /* it's a no-op unless privileged */ + if (!privileged) + return; + if (!temporarily_use_uid_effective) + fatal("restore_uid: temporarily_use_uid not effective"); + #ifdef SAVED_IDS_WORK_WITH_SETEUID - /* Set the effective uid back to the saved uid. */ + /* Set the effective uid back to the saved privileged uid. */ if (seteuid(saved_euid) < 0) - debug("seteuid %u: %.100s", (u_int) saved_euid, strerror(errno)); + fatal("seteuid %u: %.100s", (u_int) saved_euid, + strerror(errno)); + if (setegid(saved_egid) < 0) + fatal("setegid %u: %.100s", (u_int) saved_egid, + strerror(errno)); #else /* SAVED_IDS_WORK_WITH_SETEUID */ /* * We are unable to restore the real uid to its unprivileged value. 
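Review bot: temporarily_use_uid() is documented as non-nestable and restore_uid() now fatal()s when nothing is in effect, but the new code never rejects a second temporarily_use_uid() while one is in effect: the nested call overwrites saved_euid/saved_egid with the user's ids (SAVED_IDS branch), sees a non-root effective uid, sets `privileged = 0` and returns, after which restore_uid() is a no-op and the process silently stays as the user, with the error surfacing only later when permanently_set_uid() finds `temporarily_use_uid_effective` still set. Mirror that check at the top, after the debug(): `if (temporarily_use_uid_effective) fatal("temporarily_use_uid: already effective");`. Two smaller points: user_groups is filled once (the `user_groupslen == -1` guard) from initgroups(pw->pw_name, ...), so a later call with a different pw would reuse the first user's supplementary groups, which deserves a comment if sshd guarantees a single user per process; and `#endif /* !HAVE_CYWIN */` misspells HAVE_CYGWIN.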
@@ -76,7 +129,14 @@ * as well. */ setuid(getuid()); + setgid(getgid()); #endif /* SAVED_IDS_WORK_WITH_SETEUID */ + +#ifndef HAVE_CYGWIN + if (setgroups(saved_egroupslen, saved_egroups) < 0) + fatal("setgroups: %.100s", strerror(errno)); +#endif /* !HAVE_CYGWIN */ + temporarily_use_uid_effective = 0; } /* @@ -84,8 +144,12 @@ * called while temporarily_use_uid is effective. */ void -permanently_set_uid(uid_t uid) +permanently_set_uid(struct passwd *pw) { - if (setuid(uid) < 0) - debug("setuid %u: %.100s", (u_int) uid, strerror(errno)); + if (temporarily_use_uid_effective) + fatal("restore_uid: temporarily_use_uid effective"); + if (setgid(pw->pw_gid) < 0) + fatal("setgid %u: %.100s", (u_int) pw->pw_gid, strerror(errno)); + if (setuid(pw->pw_uid) < 0) + fatal("setuid %u: %.100s", (u_int) pw->pw_uid, strerror(errno)); } diff -ru openssh-2.5.2p2/uidswap.h openssh-2.9p1/uidswap.h --- openssh-2.5.2p2/uidswap.h 2001-01-29 18:39:26.000000000 +1100 +++ openssh-2.9p1/uidswap.h 2001-04-09 04:27:03.000000000 +1000 @@ -1,4 +1,4 @@ -/* $OpenBSD: uidswap.h,v 1.6 2001/01/29 01:58:19 niklas Exp $ */ +/* $OpenBSD: uidswap.h,v 1.7 2001/04/06 21:00:17 markus Exp $ */ /* * Author: Tatu Ylonen @@ -19,7 +19,7 @@ * Temporarily changes to the given uid. If the effective user id is not * root, this does nothing. This call cannot be nested. */ -void temporarily_use_uid(uid_t uid); +void temporarily_use_uid(struct passwd *pw); /* * Restores the original effective user id after temporarily_use_uid(). @@ -31,6 +31,6 @@ * Permanently sets all uids to the given uid. This cannot be called while * temporarily_use_uid is effective. This must also clear any saved uids. */ -void permanently_set_uid(uid_t uid); +void permanently_set_uid(struct passwd *pw); #endif /* UIDSWAP_H */ diff -ru openssh-2.5.2p2/version.h openssh-2.9p1/version.h --- openssh-2.5.2p2/version.h 2001-03-21 13:13:21.000000000 +1100 +++ openssh-2.9p1/version.h 2001-04-27 12:15:00.000000000 +1000 
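Review bot: In the `#else` (no saved IDs) branch `setuid(getuid());` and the added `setgid(getgid());` ignore their return values, whereas the SAVED_IDS branch in the previous hunk fatal()s on seteuid/setegid failure; if either call fails the function still proceeds to setgroups(), which will then presumably fail with a message pointing at the wrong call, or worse succeed and clear `temporarily_use_uid_effective` so the caller believes privileges were restored when they were not. Suggest `if (setuid(getuid()) < 0 || setgid(getgid()) < 0) fatal("restore_uid: %.100s", strerror(errno));`. The ordering, setuid first so the process is root again before setgid and setgroups, is correct as written. restore_uid() starts before this hunk.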
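Review bot: The fatal() message in permanently_set_uid() names the wrong function, `"restore_uid: temporarily_use_uid effective"`, which sends whoever reads the log to the wrong place; use `fatal("permanently_set_uid: temporarily_use_uid effective");`. Since this is the point of no return for privilege, it is also worth confirming the drop actually took effect rather than trusting the return codes alone: `if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("permanently_set_uid: uid %u did not take effect", (u_int) pw->pw_uid);` after the setuid(). Note that the function sets gid and uid but not the supplementary group list; presumably the caller handles initgroups(), but the header comment ("Permanently sets all uids") could say so.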
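Review bot: The comment above `void temporarily_use_uid(struct passwd *pw);` still says the function "changes to the given uid", but the uidswap.c implementation in this same diff also switches the effective gid (setegid) and the supplementary group list (initgroups/setgroups), and restore_uid() puts all three back; callers reading only the header will not know the group identity changes too. Suggest: `/* Temporarily switches the effective uid, effective gid and supplementary groups to those of pw. If the effective user id is not root, this does nothing. This call cannot be nested. */`.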
@@ -1,3 +1,3 @@ -/* $OpenBSD: version.h,v 1.19 2001/02/19 10:35:23 markus Exp $ */ - -#define SSH_VERSION "OpenSSH_2.5.2p2" +/* $OpenBSD: version.h,v 1.23 2001/04/24 16:43:16 markus Exp $ */ + +#define SSH_VERSION "OpenSSH_2.9p1" diff -ru openssh-2.5.2p2/xmalloc.c openssh-2.9p1/xmalloc.c --- openssh-2.5.2p2/xmalloc.c 2001-02-11 10:34:54.000000000 +1100 +++ openssh-2.9p1/xmalloc.c 2001-04-16 18:27:07.000000000 +1000 @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: xmalloc.c,v 1.14 2001/02/07 18:04:50 itojun Exp $"); +RCSID("$OpenBSD: xmalloc.c,v 1.15 2001/04/16 08:05:34 deraadt Exp $"); #include "xmalloc.h" #include "log.h" @@ -39,8 +39,9 @@ if (new_size == 0) fatal("xrealloc: zero size"); if (ptr == NULL) - fatal("xrealloc: NULL pointer given as argument"); - new_ptr = realloc(ptr, new_size); + new_ptr = malloc(new_size); + else + new_ptr = realloc(ptr, new_size); if (new_ptr == NULL) fatal("xrealloc: out of memory (new_size %lu bytes)", (u_long) new_size); return new_ptr;
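Review bot: xrealloc(NULL, n) used to fatal() and now allocates, so callers' assumptions change silently; the function's header comment (outside the hunk) should state that a NULL ptr is accepted and behaves like xmalloc(). Also, realloc(NULL, n) is defined by ANSI C to behave as malloc(n), so the explicit branch is presumably a workaround for a libc that does not honour that; say so, otherwise the next cleanup pass will fold it back: `/* NULL ptr is allowed and acts like xmalloc(); call malloc() explicitly rather than relying on realloc(NULL, n). */`.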